npm - @agentlensai/server - Versions diffs - 0.10.0 → 0.13.0 - Mend

@agentlensai/server 0.10.0 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (807) hide show

package/LICENSE +21 -0
package/dist/cloud/auth/api-key-middleware.d.ts +66 -0
package/dist/cloud/auth/api-key-middleware.d.ts.map +1 -0
package/dist/cloud/auth/api-key-middleware.js +147 -0
package/dist/cloud/auth/api-key-middleware.js.map +1 -0
package/dist/cloud/auth/api-keys.d.ts +90 -0
package/dist/cloud/auth/api-keys.d.ts.map +1 -0
package/dist/cloud/auth/api-keys.js +162 -0
package/dist/cloud/auth/api-keys.js.map +1 -0
package/dist/cloud/auth/audit-log.d.ts +66 -0
package/dist/cloud/auth/audit-log.d.ts.map +1 -0
package/dist/cloud/auth/audit-log.js +92 -0
package/dist/cloud/auth/audit-log.js.map +1 -0
package/dist/cloud/auth/auth-service.d.ts +77 -0
package/dist/cloud/auth/auth-service.d.ts.map +1 -0
package/dist/cloud/auth/auth-service.js +229 -0
package/dist/cloud/auth/auth-service.js.map +1 -0
package/dist/cloud/auth/brute-force.d.ts +36 -0
package/dist/cloud/auth/brute-force.d.ts.map +1 -0
package/dist/cloud/auth/brute-force.js +67 -0
package/dist/cloud/auth/brute-force.js.map +1 -0
package/dist/cloud/auth/index.d.ts +11 -0
package/dist/cloud/auth/index.d.ts.map +1 -0
package/dist/cloud/auth/index.js +11 -0
package/dist/cloud/auth/index.js.map +1 -0
package/dist/cloud/auth/jwt.d.ts +34 -0
package/dist/cloud/auth/jwt.d.ts.map +1 -0
package/dist/cloud/auth/jwt.js +68 -0
package/dist/cloud/auth/jwt.js.map +1 -0
package/dist/cloud/auth/oauth.d.ts +37 -0
package/dist/cloud/auth/oauth.d.ts.map +1 -0
package/dist/cloud/auth/oauth.js +120 -0
package/dist/cloud/auth/oauth.js.map +1 -0
package/dist/cloud/auth/passwords.d.ts +25 -0
package/dist/cloud/auth/passwords.d.ts.map +1 -0
package/dist/cloud/auth/passwords.js +50 -0
package/dist/cloud/auth/passwords.js.map +1 -0
package/dist/cloud/auth/rbac.d.ts +51 -0
package/dist/cloud/auth/rbac.d.ts.map +1 -0
package/dist/cloud/auth/rbac.js +89 -0
package/dist/cloud/auth/rbac.js.map +1 -0
package/dist/cloud/auth/tokens.d.ts +18 -0
package/dist/cloud/auth/tokens.d.ts.map +1 -0
package/dist/cloud/auth/tokens.js +29 -0
package/dist/cloud/auth/tokens.js.map +1 -0
package/dist/cloud/billing/billing-service.d.ts +44 -0
package/dist/cloud/billing/billing-service.d.ts.map +1 -0
package/dist/cloud/billing/billing-service.js +153 -0
package/dist/cloud/billing/billing-service.js.map +1 -0
package/dist/cloud/billing/index.d.ts +11 -0
package/dist/cloud/billing/index.d.ts.map +1 -0
package/dist/cloud/billing/index.js +11 -0
package/dist/cloud/billing/index.js.map +1 -0
package/dist/cloud/billing/invoice-service.d.ts +57 -0
package/dist/cloud/billing/invoice-service.d.ts.map +1 -0
package/dist/cloud/billing/invoice-service.js +123 -0
package/dist/cloud/billing/invoice-service.js.map +1 -0
package/dist/cloud/billing/plan-management.d.ts +46 -0
package/dist/cloud/billing/plan-management.d.ts.map +1 -0
package/dist/cloud/billing/plan-management.js +157 -0
package/dist/cloud/billing/plan-management.js.map +1 -0
package/dist/cloud/billing/quota-enforcement.d.ts +53 -0
package/dist/cloud/billing/quota-enforcement.d.ts.map +1 -0
package/dist/cloud/billing/quota-enforcement.js +143 -0
package/dist/cloud/billing/quota-enforcement.js.map +1 -0
package/dist/cloud/billing/stripe-client.d.ts +142 -0
package/dist/cloud/billing/stripe-client.d.ts.map +1 -0
package/dist/cloud/billing/stripe-client.js +174 -0
package/dist/cloud/billing/stripe-client.js.map +1 -0
package/dist/cloud/billing/trial-service.d.ts +47 -0
package/dist/cloud/billing/trial-service.d.ts.map +1 -0
package/dist/cloud/billing/trial-service.js +104 -0
package/dist/cloud/billing/trial-service.js.map +1 -0
package/dist/cloud/billing/usage-metering.d.ts +83 -0
package/dist/cloud/billing/usage-metering.d.ts.map +1 -0
package/dist/cloud/billing/usage-metering.js +174 -0
package/dist/cloud/billing/usage-metering.js.map +1 -0
package/dist/cloud/ingestion/backpressure.d.ts +107 -0
package/dist/cloud/ingestion/backpressure.d.ts.map +1 -0
package/dist/cloud/ingestion/backpressure.js +134 -0
package/dist/cloud/ingestion/backpressure.js.map +1 -0
package/dist/cloud/ingestion/batch-writer.d.ts +115 -0
package/dist/cloud/ingestion/batch-writer.d.ts.map +1 -0
package/dist/cloud/ingestion/batch-writer.js +319 -0
package/dist/cloud/ingestion/batch-writer.js.map +1 -0
package/dist/cloud/ingestion/dlq-manager.d.ts +116 -0
package/dist/cloud/ingestion/dlq-manager.d.ts.map +1 -0
package/dist/cloud/ingestion/dlq-manager.js +244 -0
package/dist/cloud/ingestion/dlq-manager.js.map +1 -0
package/dist/cloud/ingestion/event-queue.d.ts +105 -0
package/dist/cloud/ingestion/event-queue.d.ts.map +1 -0
package/dist/cloud/ingestion/event-queue.js +185 -0
package/dist/cloud/ingestion/event-queue.js.map +1 -0
package/dist/cloud/ingestion/gateway.d.ts +68 -0
package/dist/cloud/ingestion/gateway.d.ts.map +1 -0
package/dist/cloud/ingestion/gateway.js +197 -0
package/dist/cloud/ingestion/gateway.js.map +1 -0
package/dist/cloud/ingestion/index.d.ts +7 -0
package/dist/cloud/ingestion/index.d.ts.map +1 -0
package/dist/cloud/ingestion/index.js +7 -0
package/dist/cloud/ingestion/index.js.map +1 -0
package/dist/cloud/ingestion/rate-limiter.d.ts +73 -0
package/dist/cloud/ingestion/rate-limiter.d.ts.map +1 -0
package/dist/cloud/ingestion/rate-limiter.js +153 -0
package/dist/cloud/ingestion/rate-limiter.js.map +1 -0
package/dist/cloud/middleware/validate-org-access.d.ts +14 -0
package/dist/cloud/middleware/validate-org-access.d.ts.map +1 -0
package/dist/cloud/middleware/validate-org-access.js +38 -0
package/dist/cloud/middleware/validate-org-access.js.map +1 -0
package/dist/cloud/migrate.d.ts +45 -0
package/dist/cloud/migrate.d.ts.map +1 -0
package/dist/cloud/migrate.js +147 -0
package/dist/cloud/migrate.js.map +1 -0
package/dist/cloud/migration/export-import.d.ts +56 -0
package/dist/cloud/migration/export-import.d.ts.map +1 -0
package/dist/cloud/migration/export-import.js +289 -0
package/dist/cloud/migration/export-import.js.map +1 -0
package/dist/cloud/migration/index.d.ts +5 -0
package/dist/cloud/migration/index.d.ts.map +1 -0
package/dist/cloud/migration/index.js +5 -0
package/dist/cloud/migration/index.js.map +1 -0
package/dist/cloud/org-service.d.ts +68 -0
package/dist/cloud/org-service.d.ts.map +1 -0
package/dist/cloud/org-service.js +169 -0
package/dist/cloud/org-service.js.map +1 -0
package/dist/cloud/partition-maintenance.d.ts +29 -0
package/dist/cloud/partition-maintenance.d.ts.map +1 -0
package/dist/cloud/partition-maintenance.js +96 -0
package/dist/cloud/partition-maintenance.js.map +1 -0
package/dist/cloud/retention/index.d.ts +7 -0
package/dist/cloud/retention/index.d.ts.map +1 -0
package/dist/cloud/retention/index.js +7 -0
package/dist/cloud/retention/index.js.map +1 -0
package/dist/cloud/retention/partition-management.d.ts +61 -0
package/dist/cloud/retention/partition-management.d.ts.map +1 -0
package/dist/cloud/retention/partition-management.js +167 -0
package/dist/cloud/retention/partition-management.js.map +1 -0
package/dist/cloud/retention/retention-job.d.ts +70 -0
package/dist/cloud/retention/retention-job.d.ts.map +1 -0
package/dist/cloud/retention/retention-job.js +160 -0
package/dist/cloud/retention/retention-job.js.map +1 -0
package/dist/cloud/retention/retention-policy.d.ts +27 -0
package/dist/cloud/retention/retention-policy.d.ts.map +1 -0
package/dist/cloud/retention/retention-policy.js +36 -0
package/dist/cloud/retention/retention-policy.js.map +1 -0
package/dist/cloud/routes/api-key-routes.d.ts +38 -0
package/dist/cloud/routes/api-key-routes.d.ts.map +1 -0
package/dist/cloud/routes/api-key-routes.js +84 -0
package/dist/cloud/routes/api-key-routes.js.map +1 -0
package/dist/cloud/routes/audit-routes.d.ts +36 -0
package/dist/cloud/routes/audit-routes.d.ts.map +1 -0
package/dist/cloud/routes/audit-routes.js +47 -0
package/dist/cloud/routes/audit-routes.js.map +1 -0
package/dist/cloud/routes/billing-routes.d.ts +51 -0
package/dist/cloud/routes/billing-routes.d.ts.map +1 -0
package/dist/cloud/routes/billing-routes.js +114 -0
package/dist/cloud/routes/billing-routes.js.map +1 -0
package/dist/cloud/routes/index.d.ts +13 -0
package/dist/cloud/routes/index.d.ts.map +1 -0
package/dist/cloud/routes/index.js +98 -0
package/dist/cloud/routes/index.js.map +1 -0
package/dist/cloud/routes/onboarding-routes.d.ts +34 -0
package/dist/cloud/routes/onboarding-routes.d.ts.map +1 -0
package/dist/cloud/routes/onboarding-routes.js +58 -0
package/dist/cloud/routes/onboarding-routes.js.map +1 -0
package/dist/cloud/routes/org-routes.d.ts +80 -0
package/dist/cloud/routes/org-routes.d.ts.map +1 -0
package/dist/cloud/routes/org-routes.js +153 -0
package/dist/cloud/routes/org-routes.js.map +1 -0
package/dist/cloud/routes/usage-routes.d.ts +18 -0
package/dist/cloud/routes/usage-routes.d.ts.map +1 -0
package/dist/cloud/routes/usage-routes.js +66 -0
package/dist/cloud/routes/usage-routes.js.map +1 -0
package/dist/cloud/storage/adapter.d.ts +102 -0
package/dist/cloud/storage/adapter.d.ts.map +1 -0
package/dist/cloud/storage/adapter.js +21 -0
package/dist/cloud/storage/adapter.js.map +1 -0
package/dist/cloud/storage/index.d.ts +8 -0
package/dist/cloud/storage/index.d.ts.map +1 -0
package/dist/cloud/storage/index.js +7 -0
package/dist/cloud/storage/index.js.map +1 -0
package/dist/cloud/storage/postgres-adapter.d.ts +34 -0
package/dist/cloud/storage/postgres-adapter.d.ts.map +1 -0
package/dist/cloud/storage/postgres-adapter.js +544 -0
package/dist/cloud/storage/postgres-adapter.js.map +1 -0
package/dist/cloud/storage/sqlite-adapter.d.ts +29 -0
package/dist/cloud/storage/sqlite-adapter.d.ts.map +1 -0
package/dist/cloud/storage/sqlite-adapter.js +176 -0
package/dist/cloud/storage/sqlite-adapter.js.map +1 -0
package/dist/cloud/tenant-pool.d.ts +49 -0
package/dist/cloud/tenant-pool.d.ts.map +1 -0
package/dist/cloud/tenant-pool.js +61 -0
package/dist/cloud/tenant-pool.js.map +1 -0
package/dist/config.d.ts +33 -1
package/dist/config.d.ts.map +1 -1
package/dist/config.js +71 -1
package/dist/config.js.map +1 -1
package/dist/db/api-key-lookup.d.ts +25 -0
package/dist/db/api-key-lookup.d.ts.map +1 -0
package/dist/db/api-key-lookup.js +38 -0
package/dist/db/api-key-lookup.js.map +1 -0
package/dist/db/connection.postgres.d.ts +44 -0
package/dist/db/connection.postgres.d.ts.map +1 -0
package/dist/db/connection.postgres.js +79 -0
package/dist/db/connection.postgres.js.map +1 -0
package/dist/db/cost-budget-store.d.ts +30 -0
package/dist/db/cost-budget-store.d.ts.map +1 -0
package/dist/db/cost-budget-store.js +201 -0
package/dist/db/cost-budget-store.js.map +1 -0
package/dist/db/drizzle/0000_initial.sql +336 -0
package/dist/db/drizzle/0001_indexes.sql +20 -0
package/dist/db/drizzle/0002_pgvector.sql +19 -0
package/dist/db/drizzle/drizzle/0000_initial.sql +336 -0
package/dist/db/drizzle/drizzle/0001_indexes.sql +20 -0
package/dist/db/drizzle/drizzle/0002_pgvector.sql +19 -0
package/dist/db/drizzle/drizzle/meta/0000_snapshot.json +2593 -0
package/dist/db/drizzle/drizzle/meta/_journal.json +27 -0
package/dist/db/drizzle/meta/0000_snapshot.json +2593 -0
package/dist/db/drizzle/meta/_journal.json +27 -0
package/dist/db/embedding-store.d.ts +2 -1
package/dist/db/embedding-store.d.ts.map +1 -1
package/dist/db/embedding-store.interface.d.ts +19 -0
package/dist/db/embedding-store.interface.d.ts.map +1 -0
package/dist/db/embedding-store.interface.js +7 -0
package/dist/db/embedding-store.interface.js.map +1 -0
package/dist/db/embedding-store.js +3 -1
package/dist/db/embedding-store.js.map +1 -1
package/dist/db/eval-store.d.ts +88 -0
package/dist/db/eval-store.d.ts.map +1 -0
package/dist/db/eval-store.js +408 -0
package/dist/db/eval-store.js.map +1 -0
package/dist/db/guardrail-store.d.ts +9 -0
package/dist/db/guardrail-store.d.ts.map +1 -1
package/dist/db/guardrail-store.js +57 -3
package/dist/db/guardrail-store.js.map +1 -1
package/dist/db/index.d.ts +7 -0
package/dist/db/index.d.ts.map +1 -1
package/dist/db/index.js +4 -12
package/dist/db/index.js.map +1 -1
package/dist/db/migrate.d.ts +5 -22
package/dist/db/migrate.d.ts.map +1 -1
package/dist/db/migrate.js +7 -637
package/dist/db/migrate.js.map +1 -1
package/dist/db/migrate.postgres.d.ts +16 -0
package/dist/db/migrate.postgres.d.ts.map +1 -0
package/dist/db/migrate.postgres.js +23 -0
package/dist/db/migrate.postgres.js.map +1 -0
package/dist/db/migrate.sqlite.d.ts +26 -0
package/dist/db/migrate.sqlite.d.ts.map +1 -0
package/dist/db/migrate.sqlite.js +920 -0
package/dist/db/migrate.sqlite.js.map +1 -0
package/dist/db/postgres-embedding-store.d.ts +23 -0
package/dist/db/postgres-embedding-store.d.ts.map +1 -0
package/dist/db/postgres-embedding-store.js +218 -0
package/dist/db/postgres-embedding-store.js.map +1 -0
package/dist/db/postgres-store.d.ts +80 -0
package/dist/db/postgres-store.d.ts.map +1 -0
package/dist/db/postgres-store.js +910 -0
package/dist/db/postgres-store.js.map +1 -0
package/dist/db/prompt-store.d.ts +57 -0
package/dist/db/prompt-store.d.ts.map +1 -0
package/dist/db/prompt-store.js +300 -0
package/dist/db/prompt-store.js.map +1 -0
package/dist/db/repositories/agent-repository.d.ts +21 -0
package/dist/db/repositories/agent-repository.d.ts.map +1 -0
package/dist/db/repositories/agent-repository.js +142 -0
package/dist/db/repositories/agent-repository.js.map +1 -0
package/dist/db/repositories/alert-repository.d.ts +27 -0
package/dist/db/repositories/alert-repository.d.ts.map +1 -0
package/dist/db/repositories/alert-repository.js +164 -0
package/dist/db/repositories/alert-repository.js.map +1 -0
package/dist/db/repositories/analytics-repository.d.ts +24 -0
package/dist/db/repositories/analytics-repository.d.ts.map +1 -0
package/dist/db/repositories/analytics-repository.js +147 -0
package/dist/db/repositories/analytics-repository.js.map +1 -0
package/dist/db/repositories/event-repository.d.ts +81 -0
package/dist/db/repositories/event-repository.d.ts.map +1 -0
package/dist/db/repositories/event-repository.js +331 -0
package/dist/db/repositories/event-repository.js.map +1 -0
package/dist/db/repositories/notification-channel-repository.d.ts +28 -0
package/dist/db/repositories/notification-channel-repository.d.ts.map +1 -0
package/dist/db/repositories/notification-channel-repository.js +151 -0
package/dist/db/repositories/notification-channel-repository.js.map +1 -0
package/dist/db/repositories/session-repository.d.ts +26 -0
package/dist/db/repositories/session-repository.d.ts.map +1 -0
package/dist/db/repositories/session-repository.js +240 -0
package/dist/db/repositories/session-repository.js.map +1 -0
package/dist/db/schema.postgres.d.ts +4681 -0
package/dist/db/schema.postgres.d.ts.map +1 -0
package/dist/db/schema.postgres.js +458 -0
package/dist/db/schema.postgres.js.map +1 -0
package/dist/db/schema.sqlite.d.ts +2221 -671
package/dist/db/schema.sqlite.d.ts.map +1 -1
package/dist/db/schema.sqlite.js +137 -2
package/dist/db/schema.sqlite.js.map +1 -1
package/dist/db/services/retention-service.d.ts +13 -0
package/dist/db/services/retention-service.d.ts.map +1 -0
package/dist/db/services/retention-service.js +48 -0
package/dist/db/services/retention-service.js.map +1 -0
package/dist/db/shared/query-helpers.d.ts +32 -0
package/dist/db/shared/query-helpers.d.ts.map +1 -0
package/dist/db/shared/query-helpers.js +180 -0
package/dist/db/shared/query-helpers.js.map +1 -0
package/dist/db/sqlite-store.d.ts +48 -55
package/dist/db/sqlite-store.d.ts.map +1 -1
package/dist/db/sqlite-store.js +78 -945
package/dist/db/sqlite-store.js.map +1 -1
package/dist/db/tenant-scoped-store.d.ts +18 -1
package/dist/db/tenant-scoped-store.d.ts.map +1 -1
package/dist/db/tenant-scoped-store.js +6 -0
package/dist/db/tenant-scoped-store.js.map +1 -1
package/dist/index.d.ts +28 -14
package/dist/index.d.ts.map +1 -1
package/dist/index.js +432 -97
package/dist/index.js.map +1 -1
package/dist/lib/alert-engine.d.ts +10 -0
package/dist/lib/alert-engine.d.ts.map +1 -1
package/dist/lib/alert-engine.js +73 -20
package/dist/lib/alert-engine.js.map +1 -1
package/dist/lib/audit-verify.d.ts +40 -0
package/dist/lib/audit-verify.d.ts.map +1 -0
package/dist/lib/audit-verify.js +128 -0
package/dist/lib/audit-verify.js.map +1 -0
package/dist/lib/audit.d.ts +37 -0
package/dist/lib/audit.d.ts.map +1 -0
package/dist/lib/audit.js +59 -0
package/dist/lib/audit.js.map +1 -0
package/dist/lib/budget-engine.d.ts +26 -0
package/dist/lib/budget-engine.d.ts.map +1 -0
package/dist/lib/budget-engine.js +201 -0
package/dist/lib/budget-engine.js.map +1 -0
package/dist/lib/compliance-export.d.ts +41 -0
package/dist/lib/compliance-export.d.ts.map +1 -0
package/dist/lib/compliance-export.js +124 -0
package/dist/lib/compliance-export.js.map +1 -0
package/dist/lib/compliance-report.d.ts +87 -0
package/dist/lib/compliance-report.d.ts.map +1 -0
package/dist/lib/compliance-report.js +148 -0
package/dist/lib/compliance-report.js.map +1 -0
package/dist/lib/context/retrieval.d.ts +5 -3
package/dist/lib/context/retrieval.d.ts.map +1 -1
package/dist/lib/context/retrieval.js +5 -2
package/dist/lib/context/retrieval.js.map +1 -1
package/dist/lib/cost-anomaly-detector.d.ts +23 -0
package/dist/lib/cost-anomaly-detector.d.ts.map +1 -0
package/dist/lib/cost-anomaly-detector.js +108 -0
package/dist/lib/cost-anomaly-detector.js.map +1 -0
package/dist/lib/db-resilience.d.ts +15 -0
package/dist/lib/db-resilience.d.ts.map +1 -0
package/dist/lib/db-resilience.js +49 -0
package/dist/lib/db-resilience.js.map +1 -0
package/dist/lib/diagnostics/cache.d.ts +29 -0
package/dist/lib/diagnostics/cache.d.ts.map +1 -0
package/dist/lib/diagnostics/cache.js +88 -0
package/dist/lib/diagnostics/cache.js.map +1 -0
package/dist/lib/diagnostics/context-builder.d.ts +41 -0
package/dist/lib/diagnostics/context-builder.d.ts.map +1 -0
package/dist/lib/diagnostics/context-builder.js +135 -0
package/dist/lib/diagnostics/context-builder.js.map +1 -0
package/dist/lib/diagnostics/index.d.ts +34 -0
package/dist/lib/diagnostics/index.d.ts.map +1 -0
package/dist/lib/diagnostics/index.js +223 -0
package/dist/lib/diagnostics/index.js.map +1 -0
package/dist/lib/diagnostics/llm-client.d.ts +24 -0
package/dist/lib/diagnostics/llm-client.d.ts.map +1 -0
package/dist/lib/diagnostics/llm-client.js +42 -0
package/dist/lib/diagnostics/llm-client.js.map +1 -0
package/dist/lib/diagnostics/prompt-templates.d.ts +18 -0
package/dist/lib/diagnostics/prompt-templates.d.ts.map +1 -0
package/dist/lib/diagnostics/prompt-templates.js +144 -0
package/dist/lib/diagnostics/prompt-templates.js.map +1 -0
package/dist/lib/diagnostics/providers/anthropic.d.ts +8 -0
package/dist/lib/diagnostics/providers/anthropic.d.ts.map +1 -0
package/dist/lib/diagnostics/providers/anthropic.js +79 -0
package/dist/lib/diagnostics/providers/anthropic.js.map +1 -0
package/dist/lib/diagnostics/providers/openai.d.ts +8 -0
package/dist/lib/diagnostics/providers/openai.d.ts.map +1 -0
package/dist/lib/diagnostics/providers/openai.js +70 -0
package/dist/lib/diagnostics/providers/openai.js.map +1 -0
package/dist/lib/diagnostics/providers/types.d.ts +23 -0
package/dist/lib/diagnostics/providers/types.d.ts.map +1 -0
package/dist/lib/diagnostics/providers/types.js +5 -0
package/dist/lib/diagnostics/providers/types.js.map +1 -0
package/dist/lib/diagnostics/response-parser.d.ts +60 -0
package/dist/lib/diagnostics/response-parser.d.ts.map +1 -0
package/dist/lib/diagnostics/response-parser.js +55 -0
package/dist/lib/diagnostics/response-parser.js.map +1 -0
package/dist/lib/diagnostics/types.d.ts +60 -0
package/dist/lib/diagnostics/types.d.ts.map +1 -0
package/dist/lib/diagnostics/types.js +7 -0
package/dist/lib/diagnostics/types.js.map +1 -0
package/dist/lib/embeddings/index.d.ts +6 -3
package/dist/lib/embeddings/index.d.ts.map +1 -1
package/dist/lib/embeddings/index.js +7 -15
package/dist/lib/embeddings/index.js.map +1 -1
package/dist/lib/embeddings/worker.d.ts +2 -2
package/dist/lib/embeddings/worker.d.ts.map +1 -1
package/dist/lib/embeddings/worker.js +3 -1
package/dist/lib/embeddings/worker.js.map +1 -1
package/dist/lib/error-sanitizer.d.ts +28 -0
package/dist/lib/error-sanitizer.d.ts.map +1 -0
package/dist/lib/error-sanitizer.js +106 -0
package/dist/lib/error-sanitizer.js.map +1 -0
package/dist/lib/eval/index.d.ts +15 -0
package/dist/lib/eval/index.d.ts.map +1 -0
package/dist/lib/eval/index.js +24 -0
package/dist/lib/eval/index.js.map +1 -0
package/dist/lib/eval/runner.d.ts +28 -0
package/dist/lib/eval/runner.d.ts.map +1 -0
package/dist/lib/eval/runner.js +260 -0
package/dist/lib/eval/runner.js.map +1 -0
package/dist/lib/eval/scorers/contains.d.ts +10 -0
package/dist/lib/eval/scorers/contains.d.ts.map +1 -0
package/dist/lib/eval/scorers/contains.js +33 -0
package/dist/lib/eval/scorers/contains.js.map +1 -0
package/dist/lib/eval/scorers/exact-match.d.ts +10 -0
package/dist/lib/eval/scorers/exact-match.d.ts.map +1 -0
package/dist/lib/eval/scorers/exact-match.js +33 -0
package/dist/lib/eval/scorers/exact-match.js.map +1 -0
package/dist/lib/eval/scorers/index.d.ts +20 -0
package/dist/lib/eval/scorers/index.d.ts.map +1 -0
package/dist/lib/eval/scorers/index.js +19 -0
package/dist/lib/eval/scorers/index.js.map +1 -0
package/dist/lib/eval/scorers/llm-judge.d.ts +22 -0
package/dist/lib/eval/scorers/llm-judge.d.ts.map +1 -0
package/dist/lib/eval/scorers/llm-judge.js +79 -0
package/dist/lib/eval/scorers/llm-judge.js.map +1 -0
package/dist/lib/eval/scorers/regex.d.ts +10 -0
package/dist/lib/eval/scorers/regex.d.ts.map +1 -0
package/dist/lib/eval/scorers/regex.js +36 -0
package/dist/lib/eval/scorers/regex.js.map +1 -0
package/dist/lib/guardrails/actions.d.ts +6 -0
package/dist/lib/guardrails/actions.d.ts.map +1 -1
package/dist/lib/guardrails/actions.js +82 -0
package/dist/lib/guardrails/actions.js.map +1 -1
package/dist/lib/guardrails/conditions.d.ts +47 -0
package/dist/lib/guardrails/conditions.d.ts.map +1 -1
package/dist/lib/guardrails/conditions.js +55 -10
package/dist/lib/guardrails/conditions.js.map +1 -1
package/dist/lib/guardrails/content-engine.d.ts +19 -0
package/dist/lib/guardrails/content-engine.d.ts.map +1 -0
package/dist/lib/guardrails/content-engine.js +154 -0
package/dist/lib/guardrails/content-engine.js.map +1 -0
package/dist/lib/guardrails/engine.d.ts +33 -0
package/dist/lib/guardrails/engine.d.ts.map +1 -1
package/dist/lib/guardrails/engine.js +37 -2
package/dist/lib/guardrails/engine.js.map +1 -1
package/dist/lib/guardrails/scanners/base-scanner.d.ts +23 -0
package/dist/lib/guardrails/scanners/base-scanner.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/base-scanner.js +7 -0
package/dist/lib/guardrails/scanners/base-scanner.js.map +1 -0
package/dist/lib/guardrails/scanners/patterns/pii-patterns.d.ts +13 -0
package/dist/lib/guardrails/scanners/patterns/pii-patterns.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/patterns/pii-patterns.js +49 -0
package/dist/lib/guardrails/scanners/patterns/pii-patterns.js.map +1 -0
package/dist/lib/guardrails/scanners/patterns/secret-patterns.d.ts +6 -0
package/dist/lib/guardrails/scanners/patterns/secret-patterns.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/patterns/secret-patterns.js +69 -0
package/dist/lib/guardrails/scanners/patterns/secret-patterns.js.map +1 -0
package/dist/lib/guardrails/scanners/pii-scanner.d.ts +10 -0
package/dist/lib/guardrails/scanners/pii-scanner.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/pii-scanner.js +57 -0
package/dist/lib/guardrails/scanners/pii-scanner.js.map +1 -0
package/dist/lib/guardrails/scanners/scanner-registry.d.ts +14 -0
package/dist/lib/guardrails/scanners/scanner-registry.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/scanner-registry.js +51 -0
package/dist/lib/guardrails/scanners/scanner-registry.js.map +1 -0
package/dist/lib/guardrails/scanners/secrets-scanner.d.ts +9 -0
package/dist/lib/guardrails/scanners/secrets-scanner.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/secrets-scanner.js +47 -0
package/dist/lib/guardrails/scanners/secrets-scanner.js.map +1 -0
package/dist/lib/logger.d.ts +8 -0
package/dist/lib/logger.d.ts.map +1 -0
package/dist/lib/logger.js +31 -0
package/dist/lib/logger.js.map +1 -0
package/dist/lib/lore-client.d.ts +128 -0
package/dist/lib/lore-client.d.ts.map +1 -0
package/dist/lib/lore-client.js +188 -0
package/dist/lib/lore-client.js.map +1 -0
package/dist/lib/mesh-client.d.ts +31 -0
package/dist/lib/mesh-client.d.ts.map +1 -0
package/dist/lib/mesh-client.js +72 -0
package/dist/lib/mesh-client.js.map +1 -0
package/dist/lib/notifications/grouping-buffer.d.ts +25 -0
package/dist/lib/notifications/grouping-buffer.d.ts.map +1 -0
package/dist/lib/notifications/grouping-buffer.js +73 -0
package/dist/lib/notifications/grouping-buffer.js.map +1 -0
package/dist/lib/notifications/provider.d.ts +10 -0
package/dist/lib/notifications/provider.d.ts.map +1 -0
package/dist/lib/notifications/provider.js +5 -0
package/dist/lib/notifications/provider.js.map +1 -0
package/dist/lib/notifications/providers/email.d.ts +14 -0
package/dist/lib/notifications/providers/email.d.ts.map +1 -0
package/dist/lib/notifications/providers/email.js +88 -0
package/dist/lib/notifications/providers/email.js.map +1 -0
package/dist/lib/notifications/providers/pagerduty.d.ts +16 -0
package/dist/lib/notifications/providers/pagerduty.d.ts.map +1 -0
package/dist/lib/notifications/providers/pagerduty.js +94 -0
package/dist/lib/notifications/providers/pagerduty.js.map +1 -0
package/dist/lib/notifications/providers/slack.d.ts +14 -0
package/dist/lib/notifications/providers/slack.d.ts.map +1 -0
package/dist/lib/notifications/providers/slack.js +106 -0
package/dist/lib/notifications/providers/slack.js.map +1 -0
package/dist/lib/notifications/providers/webhook.d.ts +16 -0
package/dist/lib/notifications/providers/webhook.d.ts.map +1 -0
package/dist/lib/notifications/providers/webhook.js +78 -0
package/dist/lib/notifications/providers/webhook.js.map +1 -0
package/dist/lib/notifications/router.d.ts +30 -0
package/dist/lib/notifications/router.d.ts.map +1 -0
package/dist/lib/notifications/router.js +137 -0
package/dist/lib/notifications/router.js.map +1 -0
package/dist/lib/notifications/ssrf.d.ts +13 -0
package/dist/lib/notifications/ssrf.d.ts.map +1 -0
package/dist/lib/notifications/ssrf.js +37 -0
package/dist/lib/notifications/ssrf.js.map +1 -0
package/dist/lib/optimization/analyzers/model-downgrade.d.ts +15 -0
package/dist/lib/optimization/analyzers/model-downgrade.d.ts.map +1 -0
package/dist/lib/optimization/analyzers/model-downgrade.js +58 -0
package/dist/lib/optimization/analyzers/model-downgrade.js.map +1 -0
package/dist/lib/optimization/analyzers/prompt-optimization.d.ts +17 -0
package/dist/lib/optimization/analyzers/prompt-optimization.d.ts.map +1 -0
package/dist/lib/optimization/analyzers/prompt-optimization.js +160 -0
package/dist/lib/optimization/analyzers/prompt-optimization.js.map +1 -0
package/dist/lib/optimization/analyzers/types.d.ts +23 -0
package/dist/lib/optimization/analyzers/types.d.ts.map +1 -0
package/dist/lib/optimization/analyzers/types.js +5 -0
package/dist/lib/optimization/analyzers/types.js.map +1 -0
package/dist/lib/optimization/classifier.d.ts +4 -3
package/dist/lib/optimization/classifier.d.ts.map +1 -1
package/dist/lib/optimization/classifier.js +15 -9
package/dist/lib/optimization/classifier.js.map +1 -1
package/dist/lib/optimization/cost-optimizer.d.ts +21 -0
package/dist/lib/optimization/cost-optimizer.d.ts.map +1 -0
package/dist/lib/optimization/cost-optimizer.js +114 -0
package/dist/lib/optimization/cost-optimizer.js.map +1 -0
package/dist/lib/optimization/engine.d.ts.map +1 -1
package/dist/lib/optimization/engine.js +45 -6
package/dist/lib/optimization/engine.js.map +1 -1
package/dist/lib/optimization/forecast.d.ts +39 -0
package/dist/lib/optimization/forecast.d.ts.map +1 -0
package/dist/lib/optimization/forecast.js +128 -0
package/dist/lib/optimization/forecast.js.map +1 -0
package/dist/lib/secrets.d.ts +30 -0
package/dist/lib/secrets.d.ts.map +1 -0
package/dist/lib/secrets.js +103 -0
package/dist/lib/secrets.js.map +1 -0
package/dist/lib/threshold-monitor.d.ts +53 -0
package/dist/lib/threshold-monitor.d.ts.map +1 -0
package/dist/lib/threshold-monitor.js +112 -0
package/dist/lib/threshold-monitor.js.map +1 -0
package/dist/middleware/audit.d.ts +16 -0
package/dist/middleware/audit.d.ts.map +1 -0
package/dist/middleware/audit.js +16 -0
package/dist/middleware/audit.js.map +1 -0
package/dist/middleware/auth-errors.d.ts +67 -0
package/dist/middleware/auth-errors.d.ts.map +1 -0
package/dist/middleware/auth-errors.js +84 -0
package/dist/middleware/auth-errors.js.map +1 -0
package/dist/middleware/auth.d.ts +5 -2
package/dist/middleware/auth.d.ts.map +1 -1
package/dist/middleware/auth.js +44 -17
package/dist/middleware/auth.js.map +1 -1
package/dist/middleware/body-limit.d.ts +9 -0
package/dist/middleware/body-limit.d.ts.map +1 -0
package/dist/middleware/body-limit.js +15 -0
package/dist/middleware/body-limit.js.map +1 -0
package/dist/middleware/cors-config.d.ts +30 -0
package/dist/middleware/cors-config.d.ts.map +1 -0
package/dist/middleware/cors-config.js +55 -0
package/dist/middleware/cors-config.js.map +1 -0
package/dist/middleware/rate-limit.d.ts +9 -0
package/dist/middleware/rate-limit.d.ts.map +1 -0
package/dist/middleware/rate-limit.js +56 -0
package/dist/middleware/rate-limit.js.map +1 -0
package/dist/middleware/rbac.d.ts +30 -0
package/dist/middleware/rbac.d.ts.map +1 -0
package/dist/middleware/rbac.js +87 -0
package/dist/middleware/rbac.js.map +1 -0
package/dist/middleware/security-headers.d.ts +12 -0
package/dist/middleware/security-headers.d.ts.map +1 -0
package/dist/middleware/security-headers.js +57 -0
package/dist/middleware/security-headers.js.map +1 -0
package/dist/middleware/unified-auth.d.ts +49 -0
package/dist/middleware/unified-auth.d.ts.map +1 -0
package/dist/middleware/unified-auth.js +246 -0
package/dist/middleware/unified-auth.js.map +1 -0
package/dist/middleware/validation.d.ts +31 -0
package/dist/middleware/validation.d.ts.map +1 -0
package/dist/middleware/validation.js +45 -0
package/dist/middleware/validation.js.map +1 -0
package/dist/routes/alerts.d.ts.map +1 -1
package/dist/routes/alerts.js +4 -3
package/dist/routes/alerts.js.map +1 -1
package/dist/routes/analytics.d.ts +2 -1
package/dist/routes/analytics.d.ts.map +1 -1
package/dist/routes/analytics.js +175 -95
package/dist/routes/analytics.js.map +1 -1
package/dist/routes/api-keys.d.ts +5 -0
package/dist/routes/api-keys.d.ts.map +1 -1
package/dist/routes/api-keys.js +89 -8
package/dist/routes/api-keys.js.map +1 -1
package/dist/routes/audit-verify.d.ts +12 -0
package/dist/routes/audit-verify.d.ts.map +1 -0
package/dist/routes/audit-verify.js +73 -0
package/dist/routes/audit-verify.js.map +1 -0
package/dist/routes/audit.d.ts +4 -6
package/dist/routes/audit.d.ts.map +1 -1
package/dist/routes/audit.js +54 -157
package/dist/routes/audit.js.map +1 -1
package/dist/routes/auth.d.ts +21 -0
package/dist/routes/auth.d.ts.map +1 -0
package/dist/routes/auth.js +235 -0
package/dist/routes/auth.js.map +1 -0
package/dist/routes/benchmarks.d.ts.map +1 -1
package/dist/routes/benchmarks.js +63 -11
package/dist/routes/benchmarks.js.map +1 -1
package/dist/routes/capabilities-top.d.ts.map +1 -1
package/dist/routes/capabilities-top.js +1 -4
package/dist/routes/capabilities-top.js.map +1 -1
package/dist/routes/capabilities.d.ts.map +1 -1
package/dist/routes/capabilities.js +1 -7
package/dist/routes/capabilities.js.map +1 -1
package/dist/routes/compliance.d.ts +17 -0
package/dist/routes/compliance.d.ts.map +1 -0
package/dist/routes/compliance.js +151 -0
package/dist/routes/compliance.js.map +1 -0
package/dist/routes/config.d.ts +1 -13
package/dist/routes/config.d.ts.map +1 -1
package/dist/routes/context.d.ts.map +1 -1
package/dist/routes/context.js +6 -5
package/dist/routes/context.js.map +1 -1
package/dist/routes/cost-budgets.d.ts +20 -0
package/dist/routes/cost-budgets.d.ts.map +1 -0
package/dist/routes/cost-budgets.js +194 -0
package/dist/routes/cost-budgets.js.map +1 -0
package/dist/routes/delegation.d.ts.map +1 -1
package/dist/routes/delegation.js +67 -41
package/dist/routes/delegation.js.map +1 -1
package/dist/routes/delegations-top.d.ts.map +1 -1
package/dist/routes/delegations-top.js +1 -3
package/dist/routes/delegations-top.js.map +1 -1
package/dist/routes/diagnose.d.ts +16 -0
package/dist/routes/diagnose.d.ts.map +1 -0
package/dist/routes/diagnose.js +82 -0
package/dist/routes/diagnose.js.map +1 -0
package/dist/routes/discovery.d.ts.map +1 -1
package/dist/routes/discovery.js +50 -38
package/dist/routes/discovery.js.map +1 -1
package/dist/routes/eval.d.ts +24 -0
package/dist/routes/eval.d.ts.map +1 -0
package/dist/routes/eval.js +281 -0
package/dist/routes/eval.js.map +1 -0
package/dist/routes/events.d.ts.map +1 -1
package/dist/routes/events.js +11 -6
package/dist/routes/events.js.map +1 -1
package/dist/routes/guardrails.d.ts +2 -1
package/dist/routes/guardrails.d.ts.map +1 -1
package/dist/routes/guardrails.js +85 -14
package/dist/routes/guardrails.js.map +1 -1
package/dist/routes/health.d.ts +14 -11
package/dist/routes/health.d.ts.map +1 -1
package/dist/routes/health.js +181 -61
package/dist/routes/health.js.map +1 -1
package/dist/routes/lore-proxy.d.ts +13 -0
package/dist/routes/lore-proxy.d.ts.map +1 -0
package/dist/routes/lore-proxy.js +229 -0
package/dist/routes/lore-proxy.js.map +1 -0
package/dist/routes/mesh-proxy.d.ts +7 -0
package/dist/routes/mesh-proxy.d.ts.map +1 -0
package/dist/routes/mesh-proxy.js +94 -0
package/dist/routes/mesh-proxy.js.map +1 -0
package/dist/routes/notifications.d.ts +19 -0
package/dist/routes/notifications.d.ts.map +1 -0
package/dist/routes/notifications.js +129 -0
package/dist/routes/notifications.js.map +1 -0
package/dist/routes/optimize.d.ts.map +1 -1
package/dist/routes/optimize.js +44 -0
package/dist/routes/optimize.js.map +1 -1
package/dist/routes/otlp.d.ts +17 -0
package/dist/routes/otlp.d.ts.map +1 -0
package/dist/routes/otlp.js +544 -0
package/dist/routes/otlp.js.map +1 -0
package/dist/routes/prompts.d.ts +21 -0
package/dist/routes/prompts.d.ts.map +1 -0
package/dist/routes/prompts.js +173 -0
package/dist/routes/prompts.js.map +1 -0
package/dist/routes/recall.d.ts.map +1 -1
package/dist/routes/recall.js +6 -4
package/dist/routes/recall.js.map +1 -1
package/dist/routes/replay.d.ts.map +1 -1
package/dist/routes/replay.js +2 -1
package/dist/routes/replay.js.map +1 -1
package/dist/routes/server-info.d.ts +9 -0
package/dist/routes/server-info.d.ts.map +1 -0
package/dist/routes/server-info.js +18 -0
package/dist/routes/server-info.js.map +1 -0
package/dist/routes/sessions.d.ts +7 -7
package/dist/routes/sessions.d.ts.map +1 -1
package/dist/routes/sessions.js +112 -35
package/dist/routes/sessions.js.map +1 -1
package/dist/routes/stats.d.ts.map +1 -1
package/dist/routes/stats.js +40 -0
package/dist/routes/stats.js.map +1 -1
package/dist/routes/stream.d.ts +2 -2
package/dist/routes/stream.d.ts.map +1 -1
package/dist/routes/stream.js +7 -11
package/dist/routes/stream.js.map +1 -1
package/dist/routes/tenant-helper.d.ts +15 -10
package/dist/routes/tenant-helper.d.ts.map +1 -1
package/dist/routes/tenant-helper.js +36 -22
package/dist/routes/tenant-helper.js.map +1 -1
package/dist/routes/trust.d.ts.map +1 -1
package/dist/routes/trust.js +1 -3
package/dist/routes/trust.js.map +1 -1
package/dist/schemas/api-keys.d.ts +11 -0
package/dist/schemas/api-keys.d.ts.map +1 -0
package/dist/schemas/api-keys.js +10 -0
package/dist/schemas/api-keys.js.map +1 -0
package/dist/schemas/common.d.ts +34 -0
package/dist/schemas/common.d.ts.map +1 -0
package/dist/schemas/common.js +43 -0
package/dist/schemas/common.js.map +1 -0
package/dist/schemas/delegation.d.ts +23 -0
package/dist/schemas/delegation.d.ts.map +1 -0
package/dist/schemas/delegation.js +22 -0
package/dist/schemas/delegation.js.map +1 -0
package/dist/schemas/discovery.d.ts +17 -0
package/dist/schemas/discovery.d.ts.map +1 -0
package/dist/schemas/discovery.js +15 -0
package/dist/schemas/discovery.js.map +1 -0
package/dist/schemas/health.d.ts +75 -0
package/dist/schemas/health.d.ts.map +1 -0
package/dist/schemas/health.js +55 -0
package/dist/schemas/health.js.map +1 -0
package/dist/schemas/index.d.ts +6 -0
package/dist/schemas/index.d.ts.map +1 -0
package/dist/schemas/index.js +6 -0
package/dist/schemas/index.js.map +1 -0
package/dist/schemas/sessions.d.ts +67 -0
package/dist/schemas/sessions.d.ts.map +1 -0
package/dist/schemas/sessions.js +58 -0
package/dist/schemas/sessions.js.map +1 -0
package/dist/services/delegation-service.d.ts +1 -4
package/dist/services/delegation-service.d.ts.map +1 -1
package/dist/services/delegation-service.js +5 -31
package/dist/services/delegation-service.js.map +1 -1
package/package.json +29 -19
package/dist/db/lesson-store.d.ts +0 -57
package/dist/db/lesson-store.d.ts.map +0 -1
package/dist/db/lesson-store.js +0 -217
package/dist/db/lesson-store.js.map +0 -1
package/dist/lib/embeddings/local.d.ts +0 -15
package/dist/lib/embeddings/local.d.ts.map +0 -1
package/dist/lib/embeddings/local.js +0 -65
package/dist/lib/embeddings/local.js.map +0 -1
package/dist/lib/redaction/human-review-layer.d.ts +0 -37
package/dist/lib/redaction/human-review-layer.d.ts.map +0 -1
package/dist/lib/redaction/human-review-layer.js +0 -62
package/dist/lib/redaction/human-review-layer.js.map +0 -1
package/dist/lib/redaction/index.d.ts +0 -12
package/dist/lib/redaction/index.d.ts.map +0 -1
package/dist/lib/redaction/index.js +0 -12
package/dist/lib/redaction/index.js.map +0 -1
package/dist/lib/redaction/pii-detection-layer.d.ts +0 -30
package/dist/lib/redaction/pii-detection-layer.d.ts.map +0 -1
package/dist/lib/redaction/pii-detection-layer.js +0 -183
package/dist/lib/redaction/pii-detection-layer.js.map +0 -1
package/dist/lib/redaction/pipeline.d.ts +0 -26
package/dist/lib/redaction/pipeline.d.ts.map +0 -1
package/dist/lib/redaction/pipeline.js +0 -91
package/dist/lib/redaction/pipeline.js.map +0 -1
package/dist/lib/redaction/secret-detection-layer.d.ts +0 -10
package/dist/lib/redaction/secret-detection-layer.d.ts.map +0 -1
package/dist/lib/redaction/secret-detection-layer.js +0 -79
package/dist/lib/redaction/secret-detection-layer.js.map +0 -1
package/dist/lib/redaction/secret-patterns.d.ts +0 -29
package/dist/lib/redaction/secret-patterns.d.ts.map +0 -1
package/dist/lib/redaction/secret-patterns.js +0 -133
package/dist/lib/redaction/secret-patterns.js.map +0 -1
package/dist/lib/redaction/semantic-denylist-layer.d.ts +0 -10
package/dist/lib/redaction/semantic-denylist-layer.d.ts.map +0 -1
package/dist/lib/redaction/semantic-denylist-layer.js +0 -64
package/dist/lib/redaction/semantic-denylist-layer.js.map +0 -1
package/dist/lib/redaction/tenant-deidentification-layer.d.ts +0 -10
package/dist/lib/redaction/tenant-deidentification-layer.d.ts.map +0 -1
package/dist/lib/redaction/tenant-deidentification-layer.js +0 -64
package/dist/lib/redaction/tenant-deidentification-layer.js.map +0 -1
package/dist/lib/redaction/url-path-scrubbing-layer.d.ts +0 -14
package/dist/lib/redaction/url-path-scrubbing-layer.d.ts.map +0 -1
package/dist/lib/redaction/url-path-scrubbing-layer.js +0 -156
package/dist/lib/redaction/url-path-scrubbing-layer.js.map +0 -1
package/dist/routes/community.d.ts +0 -24
package/dist/routes/community.d.ts.map +0 -1
package/dist/routes/community.js +0 -272
package/dist/routes/community.js.map +0 -1
package/dist/routes/lessons.d.ts +0 -19
package/dist/routes/lessons.d.ts.map +0 -1
package/dist/routes/lessons.js +0 -164
package/dist/routes/lessons.js.map +0 -1
package/dist/routes/redaction-test.d.ts +0 -14
package/dist/routes/redaction-test.d.ts.map +0 -1
package/dist/routes/redaction-test.js +0 -33
package/dist/routes/redaction-test.js.map +0 -1
package/dist/services/community-service.d.ts +0 -283
package/dist/services/community-service.d.ts.map +0 -1
package/dist/services/community-service.js +0 -816
package/dist/services/community-service.js.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -6,6 +6,8 @@
  * - startServer() — standalone entry point that creates DB + starts listening
  */
 import { Hono } from 'hono';
+import { OpenAPIHono } from '@hono/zod-openapi';
+import { apiReference } from '@scalar/hono-api-reference';
 import { cors } from 'hono/cors';
 import { logger } from 'hono/logger';
 import { serve } from '@hono/node-server';
@@ -13,8 +15,15 @@ import { serveStatic } from '@hono/node-server/serve-static';
 import { readFileSync, existsSync } from 'node:fs';
 import { resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
-import { getConfig } from './config.js';
+import { BearerAuthScheme } from './schemas/common.js';
+import { getConfig, validateConfig } from './config.js';
 import { authMiddleware } from './middleware/auth.js';
+import { unifiedAuthMiddleware } from './middleware/unified-auth.js';
+import { requireCategory, requireMethodCategory, requireCategoryByMethod } from './middleware/rbac.js';
+import { otlpAuthRequired as otlpAuthRequiredError, otlpInvalidToken } from './middleware/auth-errors.js';
+import { securityHeadersMiddleware } from './middleware/security-headers.js';
+import { sanitizeErrorMessage, getErrorStatus } from './lib/error-sanitizer.js';
+import { buildCorsOptions } from './middleware/cors-config.js';
 import { apiKeysRoutes } from './routes/api-keys.js';
 import { eventsRoutes } from './routes/events.js';
 import { sessionsRoutes } from './routes/sessions.js';
@@ -22,18 +31,23 @@ import { agentsRoutes } from './routes/agents.js';
 import { statsRoutes } from './routes/stats.js';
 import { configRoutes } from './routes/config.js';
 import { alertsRoutes } from './routes/alerts.js';
+import { notificationRoutes } from './routes/notifications.js';
+import { NotificationChannelRepository } from './db/repositories/notification-channel-repository.js';
+import { NotificationRouter } from './lib/notifications/router.js';
 import { ingestRoutes } from './routes/ingest.js';
 import { analyticsRoutes } from './routes/analytics.js';
 import { streamRoutes } from './routes/stream.js';
-import { lessonsRoutes } from './routes/lessons.js';
 import { reflectRoutes } from './routes/reflect.js';
 import { recallRoutes } from './routes/recall.js';
 import { contextRoutes } from './routes/context.js';
 import { optimizeRoutes } from './routes/optimize.js';
-import { registerHealthRoutes } from './routes/health.js';
+import { healthRoutes } from './routes/health.js';
+import { diagnoseRoutes } from './routes/diagnose.js';
 import { registerReplayRoutes } from './routes/replay.js';
 import { benchmarkRoutes } from './routes/benchmarks.js';
+import { promptRoutes } from './routes/prompts.js';
 import { guardrailRoutes } from './routes/guardrails.js';
+import { evalRoutes } from './routes/eval.js';
 import { capabilityRoutes } from './routes/capabilities.js';
 import { capabilityTopRoutes } from './routes/capabilities-top.js';
 import { discoveryRoutes } from './routes/discovery.js';
@@ -41,12 +55,27 @@ import { delegationRoutes } from './routes/delegation.js';
 import { delegationTopRoutes } from './routes/delegations-top.js';
 import { trustRoutes } from './routes/trust.js';
 import { LocalPoolTransport } from './services/delegation-service.js';
-import { redactionTestRoutes } from './routes/redaction-test.js';
-import { communityRoutes } from './routes/community.js';
+import { loreProxyRoutes, loreCommunityProxyRoutes } from './routes/lore-proxy.js';
+import { createLoreAdapter } from './lib/lore-client.js';
+import { meshProxyRoutes } from './routes/mesh-proxy.js';
+import { RemoteMeshAdapter } from './lib/mesh-client.js';
+import { otlpRoutes } from './routes/otlp.js';
+import { authRoutes } from './routes/auth.js';
+import { authRateLimit, apiRateLimit } from './middleware/rate-limit.js';
+import { apiBodyLimit } from './middleware/body-limit.js';
 import { auditRoutes } from './routes/audit.js';
+import { cloudOrgRoutes } from './cloud/routes/index.js';
+import { auditVerifyRoutes } from './routes/audit-verify.js';
+import { complianceRoutes } from './routes/compliance.js';
+import { createAuditLogger, cleanupAuditLogs } from './lib/audit.js';
+import { auditMiddleware } from './middleware/audit.js';
 import { GuardrailEngine } from './lib/guardrails/engine.js';
 import { GuardrailStore } from './db/guardrail-store.js';
-import { setAgentStore } from './lib/guardrails/actions.js';
+import { ContentGuardrailEngine } from './lib/guardrails/content-engine.js';
+import { setAgentStore, setNotificationRouter } from './lib/guardrails/actions.js';
+import { BudgetEngine } from './lib/budget-engine.js';
+import { CostAnomalyDetector } from './lib/cost-anomaly-detector.js';
+import { costBudgetRoutes } from './routes/cost-budgets.js';
 import { createDb } from './db/index.js';
 import { runMigrations } from './db/migrate.js';
 import { SqliteEventStore } from './db/sqlite-store.js';
@@ -55,9 +84,12 @@ import { eventBus } from './lib/event-bus.js';
 import { EmbeddingWorker } from './lib/embeddings/worker.js';
 import { EmbeddingStore } from './db/embedding-store.js';
 import { SessionSummaryStore } from './db/session-summary-store.js';
+import { createLogger } from './lib/logger.js';
+const log = createLogger('Server');
 // Re-export everything consumers may need
-export { getConfig } from './config.js';
+export { getConfig, validateConfig } from './config.js';
 export { authMiddleware, hashApiKey } from './middleware/auth.js';
+export { buildCorsOptions } from './middleware/cors-config.js';
 export { apiKeysRoutes } from './routes/api-keys.js';
 export { eventsRoutes } from './routes/events.js';
 export { sessionsRoutes } from './routes/sessions.js';
@@ -68,7 +100,6 @@ export { alertsRoutes } from './routes/alerts.js';
 export { ingestRoutes, verifyWebhookSignature } from './routes/ingest.js';
 export { analyticsRoutes } from './routes/analytics.js';
 export { streamRoutes } from './routes/stream.js';
-export { lessonsRoutes } from './routes/lessons.js';
 export { reflectRoutes } from './routes/reflect.js';
 export { recallRoutes } from './routes/recall.js';
 export { optimizeRoutes } from './routes/optimize.js';
@@ -82,17 +113,27 @@ export { AlertEngine } from './lib/alert-engine.js';
 export { eventBus } from './lib/event-bus.js';
 export { createDb, createTestDb } from './db/index.js';
 export { runMigrations } from './db/migrate.js';
-export { LessonStore } from './db/lesson-store.js';
 export { SessionSummaryStore } from './db/session-summary-store.js';
 export { contextRoutes } from './routes/context.js';
-export { registerHealthRoutes } from './routes/health.js';
+export { auditRoutes } from './routes/audit.js';
+export { createAuditLogger, cleanupAuditLogs, maskSensitive } from './lib/audit.js';
+export { validateBody, formatZodErrors } from './middleware/validation.js';
+export { apiBodyLimit } from './middleware/body-limit.js';
+export { auditMiddleware } from './middleware/audit.js';
+export { healthRoutes, registerHealthRoutes } from './routes/health.js';
 export { ContextRetriever } from './lib/context/retrieval.js';
-export { communityRoutes } from './routes/community.js';
-export { CommunityService, LocalCommunityPoolTransport, computeSimpleEmbedding } from './services/community-service.js';
+export { loreProxyRoutes, loreCommunityProxyRoutes } from './routes/lore-proxy.js';
+export { createLoreAdapter, RemoteLoreAdapter, LocalLoreAdapter, LoreError } from './lib/lore-client.js';
+export { meshProxyRoutes } from './routes/mesh-proxy.js';
+export { RemoteMeshAdapter, MeshError } from './lib/mesh-client.js';
+export { otlpRoutes } from './routes/otlp.js';
 export { guardrailRoutes } from './routes/guardrails.js';
 export { GuardrailEngine } from './lib/guardrails/engine.js';
 export { GuardrailStore } from './db/guardrail-store.js';
-export { RedactionPipeline, SecretDetectionLayer, PIIDetectionLayer, UrlPathScrubbingLayer, TenantDeidentificationLayer, SemanticDenyListLayer, HumanReviewLayer, } from './lib/redaction/index.js';
+export { BudgetEngine } from './lib/budget-engine.js';
+export { CostAnomalyDetector } from './lib/cost-anomaly-detector.js';
+export { CostBudgetStore } from './db/cost-budget-store.js';
+export { costBudgetRoutes } from './routes/cost-budgets.js';
 // ─── Dashboard SPA helpers ───────────────────────────────────
 /**
  * Resolve the dashboard dist/ directory path.
@@ -144,14 +185,34 @@ function getDashboardIndexHtml() {
  * @param store - IEventStore implementation for data access
  * @param config - Optional partial config override (defaults from env)
  */
-export function createApp(store, config) {
+export async function createApp(store, config) {
     const resolvedConfig = { ...getConfig(), ...config };
-    const app = new Hono();
+    const app = new OpenAPIHono({
+        defaultHook: (result, c) => {
+            if (!result.success) {
+                return c.json({
+                    error: 'Validation failed',
+                    status: 400,
+                    details: result.error.issues.map((i) => ({
+                        path: i.path.map(String).join('.'),
+                        message: i.message,
+                    })),
+                }, 400);
+            }
+        },
+    });
+    // Register Bearer auth security scheme for OpenAPI [F13-S1]
+    app.openAPIRegistry.registerComponent('securitySchemes', 'Bearer', BearerAuthScheme);
+    // ─── Security headers (position 1 — must be first) ────
+    app.use('*', securityHeadersMiddleware());
     // ─── Global error handler ──────────────────────────────
     app.onError((err, c) => {
-        console.error('Unhandled error:', err);
-        const status = err.status ?? 500;
-        return c.json({ error: err.message || 'Internal server error', status }, status);
+        const status = getErrorStatus(err);
+        if (status >= 500) {
+            log.error('Unhandled error', { error: err instanceof Error ? err.message : String(err) });
+        }
+        const message = sanitizeErrorMessage(err);
+        return c.json({ error: message, status }, status);
     });
     // ─── 404 handler — API routes return JSON, others get SPA fallback ──
     app.notFound((c) => {
@@ -172,63 +233,120 @@ export function createApp(store, config) {
         return c.json({ error: 'Not found', status: 404 }, 404);
     });
     // ─── Middleware on /api/* ──────────────────────────────
-    app.use('/api/*', cors({ origin: resolvedConfig.corsOrigin }));
+    app.use('/api/*', cors(buildCorsOptions({
+        corsOrigins: resolvedConfig.corsOrigins ?? resolvedConfig.corsOrigin,
+        nodeEnv: process.env['NODE_ENV'],
+    })));
     app.use('/api/*', logger());
+    // ─── SH-3: Body size limit (1MB default) ────────────────
+    app.use('/api/*', apiBodyLimit);
+    // ─── Rate limiting: API endpoints ──────────────────────
+    app.use('/api/*', apiRateLimit);
     // ─── Health check (no auth) ────────────────────────────
-    app.get('/api/health', (c) => {
-        return c.json({ status: 'ok', version: '0.1.0' });
+    app.get('/api/health', async (c) => {
+        const result = { status: 'ok', version: '0.1.0' };
+        // DB health check — works for both SQLite and Postgres
+        if (config?.pgSql) {
+            const { postgresHealthCheck } = await import('./db/index.js');
+            result.db = await postgresHealthCheck(config.pgSql);
+        }
+        else if (config?.db) {
+            // SQLite health check
+            const start = performance.now();
+            try {
+                config.db.run((await import('drizzle-orm')).sql `SELECT 1`);
+                result.db = { ok: true, latencyMs: Math.round(performance.now() - start) };
+            }
+            catch {
+                result.db = { ok: false, latencyMs: Math.round(performance.now() - start) };
+            }
+        }
+        return c.json(result);
+    });
+    // ─── Feature flags (no auth — dashboard needs before login) ──
+    app.get('/api/config/features', (c) => {
+        return c.json({ lore: resolvedConfig.loreEnabled, mesh: resolvedConfig.meshEnabled });
     });
     // ─── SSE stream (authenticates via Bearer header or ?token= query param) ──
     // Mounted before auth middleware — handles its own auth internally for EventSource compat.
-    app.route('/api/stream', streamRoutes(config?.db, resolvedConfig.authDisabled));
+    app.route('/api/stream', streamRoutes(config?.apiKeyLookup, resolvedConfig.authDisabled));
     // ─── Webhook ingest (no API key auth — uses HMAC signature verification) ──
     app.route('/api/events/ingest', ingestRoutes(store, {
         agentgateWebhookSecret: process.env['AGENTGATE_WEBHOOK_SECRET'],
         formbridgeWebhookSecret: process.env['FORMBRIDGE_WEBHOOK_SECRET'],
     }));
-    // ─── Auth middleware on protected routes ───────────────
-    // We need the db reference for auth key lookup
+    // ─── Rate limiting: auth endpoints ─────────────────────
+    app.use('/auth/*', authRateLimit);
+    // ─── OIDC Auth routes (no API key auth — handles own auth) ──
+    {
+        const authDb = config?.db;
+        if (authDb) {
+            const { loadOidcConfig } = await import('agentkit-auth');
+            const oidcConfig = loadOidcConfig();
+            if (oidcConfig) {
+                const jwtSecret = process.env['JWT_SECRET'];
+                if (!jwtSecret && process.env['NODE_ENV'] === 'production') {
+                    throw new Error('JWT_SECRET must be set in production. Refusing to start with default secret.');
+                }
+                if (!jwtSecret) {
+                    log.warn('JWT_SECRET not set — using insecure default. Do NOT use in production.');
+                }
+                app.route('/auth', authRoutes(authDb, {
+                    oidcConfig,
+                    authConfig: {
+                        oidc: null,
+                        jwt: {
+                            secret: jwtSecret ?? 'dev-secret-change-me',
+                            accessTokenTtlSeconds: Number(process.env['JWT_ACCESS_TTL'] ?? 900),
+                            refreshTokenTtlSeconds: Number(process.env['JWT_REFRESH_TTL'] ?? 604800),
+                        },
+                        authDisabled: resolvedConfig.authDisabled,
+                    },
+                }));
+            }
+        }
+    }
+    // ─── Fallback auth endpoints when auth is disabled ─────
+    if (resolvedConfig.authDisabled) {
+        app.get('/auth/me', (c) => c.json({ authMode: 'api-key-only' }, 200));
+    }
+    // ─── Auth middleware on protected routes [F2-S3] ───────
+    // Fail-closed: single catch-all for /api/* with public routes registered above.
     const db = config?.db;
     if (!db && !resolvedConfig.authDisabled) {
         throw new Error('createApp() requires a `db` option when auth is enabled. ' +
             'Either provide a database or set authDisabled: true.');
     }
-    if (db) {
-        app.use('/api/keys/*', authMiddleware(db, resolvedConfig.authDisabled));
-        // Protect event endpoints but exclude webhook ingest (uses HMAC auth instead)
-        app.use('/api/events/*', async (c, next) => {
-            const path = new URL(c.req.url).pathname;
-            if (path.startsWith('/api/events/ingest'))
-                return next();
-            return authMiddleware(db, resolvedConfig.authDisabled)(c, next);
-        });
-        app.use('/api/sessions/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/agents/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/stats/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/config/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/analytics/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/alerts/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/lessons/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/reflect/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/reflect', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/recall/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/recall', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/context/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/context', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/optimize/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/optimize', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/benchmarks/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/benchmarks', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/health/overview', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/health/history', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/guardrails/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/guardrails', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/capabilities/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/capabilities', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/delegations/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/delegations', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/discovery/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/discovery', authMiddleware(db, resolvedConfig.authDisabled));
+    {
+        const authLookup = config?.apiKeyLookup ?? db ?? null;
+        const authConfig = {
+            authDisabled: resolvedConfig.authDisabled,
+            jwtSecret: process.env['JWT_SECRET'],
+        };
+        // ── Unified auth catch-all (replaces 40+ individual app.use calls) ──
+        app.use('/api/*', unifiedAuthMiddleware(authLookup, authConfig));
+        // ── RBAC enforcement per architecture §3.3 ──────────
+        // Manage-level routes (owner, admin only)
+        const manageGuard = requireCategory('manage');
+        app.use('/api/keys/*', manageGuard);
+        app.use('/api/keys', manageGuard);
+        app.use('/api/audit/*', manageGuard);
+        app.use('/api/audit', manageGuard);
+        app.use('/api/compliance/*', manageGuard);
+        app.use('/api/compliance', manageGuard);
+        const configGuard = requireCategoryByMethod({ GET: 'read', PUT: 'manage', PATCH: 'manage' });
+        app.use('/api/config/*', configGuard);
+        app.use('/api/config', configGuard);
+        const guardrailGuard = requireCategoryByMethod({ GET: 'read', POST: 'manage', PUT: 'manage', DELETE: 'manage' });
+        app.use('/api/guardrails/*', guardrailGuard);
+        app.use('/api/guardrails', guardrailGuard);
+        // Default safety net: GET = read (all roles), mutations = write (member+)
+        app.use('/api/*', requireMethodCategory());
+        // ── Audit middleware (after auth — has access to auth context) ──
+        if (db) {
+            const auditLogger = createAuditLogger(db);
+            app.use('/api/*', auditMiddleware(auditLogger));
+        }
     }
     // ─── Routes ────────────────────────────────────────────
     if (db) {
@@ -242,8 +360,8 @@ export function createApp(store, config) {
     // (otherwise the sessions sub-app catches /api/sessions/* first)
     registerReplayRoutes(app, store);
     app.route('/api/sessions', sessionsRoutes(store));
-    // Health routes registered directly on main app (before generic agents routes)
-    registerHealthRoutes(app, store, db);
+    // Health routes [F13-S2] — factory pattern, mounted at /api
+    app.route('/api', healthRoutes(store, db));
     if (db) {
         const { app: discApp } = discoveryRoutes(db);
         app.route('/api/agents', discApp);
@@ -258,12 +376,29 @@ export function createApp(store, config) {
     app.route('/api/stats', statsRoutes(store));
     if (db) {
         app.route('/api/config', configRoutes(db));
-        app.route('/api/analytics', analyticsRoutes(store, db));
+        app.route('/api/analytics', analyticsRoutes(store, db, config?.pgDb));
     }
     app.route('/api/alerts', alertsRoutes(store));
-    if (db) {
-        app.route('/api/lessons', lessonsRoutes(db, { embeddingWorker: config?.embeddingWorker ?? null }));
+    // Feature 12: Notification channels
+    const notifRepo = db ? new NotificationChannelRepository(db) : null;
+    const notifRouter = notifRepo ? new NotificationRouter(notifRepo) : null;
+    if (notifRepo && notifRouter) {
+        app.route('/api/notifications', notificationRoutes(notifRepo, notifRouter));
+    }
+    let loreAdapter = null;
+    if (resolvedConfig.loreEnabled) {
+        try {
+            loreAdapter = createLoreAdapter(resolvedConfig);
+        }
+        catch (err) {
+            log.warn(`Lore adapter init failed: ${err instanceof Error ? err.message : err}`);
+        }
+    }
+    if (loreAdapter) {
+        app.route('/api/lessons', loreProxyRoutes(loreAdapter));
     }
+    // ─── AI Diagnostics (Feature 18) ───────────────────────
+    app.route('/api', diagnoseRoutes(store));
     // ─── Reflect / Pattern Analysis ────────────────────────
     app.route('/api/reflect', reflectRoutes(store));
     // ─── Optimize / Cost Recommendations ──────────────────
@@ -271,11 +406,20 @@ export function createApp(store, config) {
     // ─── Benchmarks / A/B Testing ─────────────────────────
     if (db) {
         app.route('/api/benchmarks', benchmarkRoutes(store, db));
+        app.route('/api/prompts', promptRoutes(db));
+        app.route('/api/eval', evalRoutes(db));
     }
     // ─── Guardrails / Proactive Guardrails ────────────────
     if (db) {
         const gStore = new GuardrailStore(db);
-        app.route('/api/guardrails', guardrailRoutes(gStore));
+        const contentEngine = new ContentGuardrailEngine(gStore);
+        app.route('/api/guardrails', guardrailRoutes(gStore, contentEngine));
+    }
+    // ─── Cost Budgets (Feature 5) ─────────────────────────
+    if (db) {
+        const cBudgetEngine = new BudgetEngine(store, db);
+        const budgetStore = cBudgetEngine.getStore();
+        app.route('/api/cost-budgets', costBudgetRoutes(budgetStore, store, cBudgetEngine));
     }
     // ─── Recall / Semantic Search ─────────────────────────
     {
@@ -299,17 +443,103 @@ export function createApp(store, config) {
         const { app: discTopApp } = discoveryRoutes(db);
         app.route('/api/discovery', discTopApp);
     }
-    // ─── Community Sharing (Stories 4.1–4.3) ────────────────
+    // ─── Audit Log (SH-2) ──────────────────────────────────
     if (db) {
-        app.use('/api/community/*', authMiddleware(db, resolvedConfig.authDisabled));
-        app.use('/api/community', authMiddleware(db, resolvedConfig.authDisabled));
-        const { app: communityApp } = communityRoutes(db);
-        app.route('/api/community', communityApp);
-        // Audit routes (Story 7.4)
-        app.route('/api/community/audit', auditRoutes(db));
-    }
-    // ─── Redaction Test (Story 2.4) ────────────────────────
-    app.route('/api/community/redaction', redactionTestRoutes());
+        app.route('/api/audit', auditRoutes(db));
+        app.route('/api/audit/verify', auditVerifyRoutes(db, resolvedConfig.auditSigningKey));
+        app.route('/api/compliance', complianceRoutes(db, resolvedConfig.auditSigningKey, {
+            retentionDays: resolvedConfig.retentionDays,
+        }));
+    }
+    // ─── Cloud org routes with org access validation [F6-fix] ──
+    if (config?.pgSql) {
+        const cloudDb = {
+            async query(sql, params) {
+                const result = await config.pgSql.unsafe(sql, params);
+                return { rows: Array.from(result) };
+            },
+        };
+        app.route('/api/cloud/orgs', cloudOrgRoutes({ db: cloudDb }));
+    }
+    // ─── Community Sharing (Stories 4.1–4.3) ────────────────
+    // Auth is handled by the unified catch-all above.
+    if (loreAdapter) {
+        app.route('/api/community', loreCommunityProxyRoutes(loreAdapter));
+    }
+    // ─── Mesh Proxy (agentkit-mesh) ─────────────────────────
+    // Auth is handled by the unified catch-all above.
+    if (resolvedConfig.meshEnabled && resolvedConfig.meshUrl) {
+        const meshAdapter = new RemoteMeshAdapter(resolvedConfig.meshUrl);
+        app.route('/api/mesh', meshProxyRoutes(meshAdapter));
+    }
+    // ─── OTLP HTTP Receiver [F2-S5] ─────────────────────────
+    // Default: no auth (standard OTel convention). Opt-in via env vars.
+    if (resolvedConfig.otlpAuthRequired) {
+        // Full unified auth on OTLP endpoints
+        const authLookup = config?.apiKeyLookup ?? db ?? null;
+        app.use('/v1/*', unifiedAuthMiddleware(authLookup, {
+            authDisabled: resolvedConfig.authDisabled,
+            jwtSecret: process.env['JWT_SECRET'],
+        }));
+    }
+    else if (resolvedConfig.otlpAuthToken) {
+        // Simple bearer token check
+        const { createMiddleware } = await import('hono/factory');
+        app.use('/v1/*', createMiddleware(async (c, next) => {
+            const authHeader = c.req.header('Authorization');
+            if (!authHeader?.startsWith('Bearer ')) {
+                return otlpAuthRequiredError(c);
+            }
+            const token = authHeader.slice(7);
+            if (token !== resolvedConfig.otlpAuthToken) {
+                return otlpInvalidToken(c);
+            }
+            return next();
+        }));
+    }
+    app.route('/v1', otlpRoutes(store, resolvedConfig));
+    // ─── Server Info (Feature 10, Story 10.1) ─────────────
+    {
+        const features = [
+            'sessions', 'agents', 'alerts', 'analytics', 'stats',
+            'recall', 'reflect', 'optimize', 'context', 'health',
+            'replay', 'benchmarks', 'guardrails', 'discovery', 'delegation',
+            'cost-budgets', 'trust', 'lessons',
+        ];
+        const { serverInfoRoutes } = await import('./routes/server-info.js');
+        app.route('/api/server-info', serverInfoRoutes(features));
+    }
+    // ─── OpenAPI Spec & Documentation [F13-S1] ────────────
+    app.doc('/api/openapi.json', {
+        openapi: '3.1.0',
+        info: {
+            title: 'AgentLens API',
+            version: '0.12.1',
+            description: 'Observability, governance, and orchestration for AI agents.',
+            license: { name: 'MIT' },
+        },
+        servers: [
+            { url: 'http://localhost:3000', description: 'Local development' },
+        ],
+        security: [{ Bearer: [] }],
+        tags: [
+            { name: 'Sessions', description: 'Agent session lifecycle and queries' },
+            { name: 'Events', description: 'Event ingestion and retrieval' },
+            { name: 'Agents', description: 'Agent management and health' },
+            { name: 'Auth', description: 'Authentication and API keys' },
+            { name: 'Analytics', description: 'Metrics, costs, and statistics' },
+            { name: 'Alerts', description: 'Alert rules and history' },
+            { name: 'Intelligence', description: 'Reflect, recall, context, optimize' },
+            { name: 'Trust & Governance', description: 'Trust scores, guardrails, cost budgets' },
+            { name: 'Multi-Agent', description: 'Discovery, delegation, capabilities, mesh' },
+            { name: 'Observability', description: 'Health, benchmarks, audit' },
+            { name: 'Platform', description: 'Config, OTLP, streaming, webhooks' },
+        ],
+    });
+    app.get('/api/docs', apiReference({
+        url: '/api/openapi.json',
+        theme: 'kepler',
+    }));
     // ─── Dashboard SPA static assets ──────────────────────
     const dashboardRoot = getDashboardRoot();
     if (dashboardRoot) {
@@ -322,46 +552,151 @@ export function createApp(store, config) {
  * Creates the database, runs migrations, and starts listening.
  */
 export async function startServer() {
+    // SH-7: Resolve secrets from env / file / ARN before anything reads process.env
+    const { resolveAllSecrets } = await import('./lib/secrets.js');
+    await resolveAllSecrets();
     const config = getConfig();
+    validateConfig(config);
     // Create and initialize database
-    const db = createDb({ databasePath: config.dbPath });
+    // For Postgres, we need the raw sql client for shutdown & health checks
+    let pgSql;
+    let pgDb;
+    let store;
+    let db;
+    // SQLite is always created for auxiliary features (api_keys, audit, guardrails, etc.)
+    // Even when PG is the primary event/embedding store
+    db = createDb({ databasePath: config.dbPath });
     runMigrations(db);
-    const store = new SqliteEventStore(db);
+    if (config.storageBackend === 'postgres') {
+        const { createPostgresConnection, verifyPostgresConnection } = await import('./db/connection.postgres.js');
+        const conn = createPostgresConnection();
+        await verifyPostgresConnection(conn.sql); // fail fast if unreachable
+        pgSql = conn.sql;
+        pgDb = conn.db;
+        const { runPostgresMigrations } = await import('./db/migrate.postgres.js');
+        await runPostgresMigrations(pgDb);
+        const { PostgresEventStore } = await import('./db/postgres-store.js');
+        store = new PostgresEventStore(pgDb);
+        // Warn about silent SQLite → PG switch for existing Docker Compose users
+        log.warn('STORAGE_BACKEND=postgres is now active. Previous SQLite data at ' +
+            `${config.dbPath} is not automatically migrated.`);
+        log.info('Database: PostgreSQL');
+    }
+    else {
+        store = new SqliteEventStore(db);
+        log.info(`Database: SQLite (${config.dbPath})`);
+    }
     // Create embedding service & worker (optional — fail-safe)
     let embeddingService = null;
     let embeddingWorker = null;
-    try {
-        const { createEmbeddingService } = await import('./lib/embeddings/index.js');
-        embeddingService = createEmbeddingService();
-        const embeddingStore = new EmbeddingStore(db);
-        embeddingWorker = new EmbeddingWorker(embeddingService, embeddingStore);
-        embeddingWorker.start();
-        console.log(`  Embeddings: enabled (${embeddingService.modelName})`);
+    if (process.env.DISABLE_EMBEDDINGS) {
+        log.info('Embeddings: disabled (DISABLE_EMBEDDINGS set)');
     }
-    catch (err) {
-        console.log(`  Embeddings: disabled (${err instanceof Error ? err.message : 'unknown error'})`);
+    else {
+        try {
+            const { createEmbeddingService } = await import('./lib/embeddings/index.js');
+            embeddingService = createEmbeddingService();
+            let embeddingStore;
+            if (config.storageBackend === 'postgres' && pgDb) {
+                const { PostgresEmbeddingStore } = await import('./db/postgres-embedding-store.js');
+                const pgEmbeddingStore = new PostgresEmbeddingStore(pgDb);
+                await pgEmbeddingStore.initialize();
+                embeddingStore = pgEmbeddingStore;
+            }
+            else {
+                embeddingStore = new EmbeddingStore(db);
+            }
+            embeddingWorker = new EmbeddingWorker(embeddingService, embeddingStore);
+            embeddingWorker.start();
+            log.info(`Embeddings: enabled (${embeddingService.modelName})`);
+        }
+        catch (err) {
+            log.info(`Embeddings: disabled (${err instanceof Error ? err.message : 'unknown error'})`);
+        }
     }
     // Create app with db reference for auth
-    const app = createApp(store, { ...config, db, embeddingService, embeddingWorker });
+    // Create API key lookup for auth (uses SQLite for auxiliary features in both modes)
+    const { SqliteApiKeyLookup } = await import('./db/api-key-lookup.js');
+    const apiKeyLookup = new SqliteApiKeyLookup(db);
+    const app = await createApp(store, { ...config, db, apiKeyLookup, embeddingService, embeddingWorker, pgSql, pgDb });
     // Start listening
-    console.log(`AgentLens server starting on port ${config.port}`);
-    console.log(`  Auth: ${config.authDisabled ? 'DISABLED (dev mode)' : 'enabled'}`);
-    console.log(`  CORS origin: ${config.corsOrigin}`);
-    console.log(`  Database: ${config.dbPath}`);
-    // Start alert evaluation engine
-    const alertEngine = new AlertEngine(store);
+    log.info(`AgentLens server starting on port ${config.port}`);
+    log.info(`Auth: ${config.authDisabled ? 'DISABLED (dev mode)' : 'enabled'}`);
+    log.info(`CORS origin: ${config.corsOrigin}`);
+    // Audit log retention cleanup (SH-2)
+    {
+        const auditRetentionDays = parseInt(process.env['AUDIT_RETENTION_DAYS'] ?? '90', 10);
+        if (auditRetentionDays > 0) {
+            try {
+                const deleted = cleanupAuditLogs(db, auditRetentionDays);
+                if (deleted > 0) {
+                    log.info(`Audit log cleanup: removed ${deleted} entries older than ${auditRetentionDays} days`);
+                }
+            }
+            catch (err) {
+                log.warn(`Audit log cleanup failed: ${err instanceof Error ? err.message : err}`);
+            }
+        }
+    }
+    // Start alert evaluation engine — wire notification router if db is available
+    const notifRepoForEngine = db ? new NotificationChannelRepository(db) : null;
+    const notifRouterForEngine = notifRepoForEngine ? new NotificationRouter(notifRepoForEngine) : null;
+    const alertEngine = new AlertEngine(store, { notificationRouter: notifRouterForEngine ?? undefined });
     alertEngine.start();
     // Start guardrail evaluation engine (v0.8.0)
     // Wire the agent store so pause_agent/downgrade_model actions can UPDATE the agents table (B1)
     setAgentStore(store);
+    if (notifRouterForEngine)
+        setNotificationRouter(notifRouterForEngine);
     const guardrailEngine = new GuardrailEngine(store, db);
     guardrailEngine.start();
-    console.log('  Guardrails: enabled');
-    serve({
+    log.info('Guardrails: enabled');
+    // Start budget engine and anomaly detector (Feature 5)
+    const budgetEngine = new BudgetEngine(store, db);
+    budgetEngine.start();
+    const anomalyDetector = new CostAnomalyDetector(store, budgetEngine.getStore());
+    anomalyDetector.start();
+    log.info('Cost budgets & anomaly detection: enabled');
+    // M-11 FIX: Graceful shutdown for engines, workers, HTTP server, and PG pool
+    let httpServer;
+    let shuttingDown = false;
+    const shutdown = async () => {
+        if (shuttingDown)
+            return;
+        shuttingDown = true;
+        log.info('Shutting down...');
+        // 1. Stop accepting new requests
+        if (httpServer) {
+            httpServer.close(() => log.info('HTTP server closed'));
+        }
+        // 2. Stop engines and workers
+        alertEngine.stop();
+        guardrailEngine.stop();
+        if (embeddingWorker)
+            embeddingWorker.stop();
+        // 3. Drain PG pool (5s timeout)
+        if (pgSql) {
+            try {
+                log.info('Draining PostgreSQL connection pool...');
+                await Promise.race([
+                    pgSql.end({ timeout: 5 }),
+                    new Promise((resolve) => setTimeout(resolve, 5000)),
+                ]);
+                log.info('PostgreSQL pool drained');
+            }
+            catch (err) {
+                log.warn(`PG pool drain error: ${err instanceof Error ? err.message : err}`);
+            }
+        }
+        process.exit(0);
+    };
+    process.on('SIGTERM', shutdown);
+    process.on('SIGINT', shutdown);
+    httpServer = serve({
         fetch: app.fetch,
         port: config.port,
     }, (info) => {
-        console.log(`AgentLens server listening on http://localhost:${info.port}`);
+        log.info(`AgentLens server listening on http://localhost:${info.port}`);
     });
     return app;
 }