@agentlensai/server 0.7.0 → 0.9.0

package/dist/db/anonymous-id-manager.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Anonymous ID Manager (Phase 4 — Story 1.4)
+ *
+ * Manages rotating anonymous agent IDs with 24h rotation.
+ * Old IDs are kept for audit trail purposes.
+ */
+import type { SqliteDb } from './index.js';
+export interface AnonymousIdManagerOptions {
+    /** Override for current time (useful for testing) */
+    now?: () => Date;
+}
+export declare class AnonymousIdManager {
+    private readonly db;
+    private readonly now;
+    constructor(db: SqliteDb, options?: AnonymousIdManagerOptions);
+    /**
+     * H4 FIX: Hash the agentId before storing in the DB so that if the DB
+     * is compromised, agentId → anonymousId mapping is not directly readable.
+     */
+    private hashAgentId;
+    /**
+     * Get the current anonymous ID for a tenant+agent pair,
+     * or create/rotate one if needed.
+     *
+     * - Lazy creation: first call creates the ID
+     * - 24h rotation: after expiry, a new ID is created
+     * - Old IDs are kept for audit trail
+     */
+    getOrRotateAnonymousId(tenantId: string, agentId: string): string;
+    /**
+     * Get all historical anonymous IDs for a tenant+agent (for audit).
+     */
+    getAuditTrail(tenantId: string, agentId: string): Array<{
+        anonymousAgentId: string;
+        validFrom: string;
+        validUntil: string;
+    }>;
+    /**
+     * Get the anonymous contributor ID for a tenant (not agent-specific).
+     * Used for lesson sharing where the contributor is the tenant.
+     */
+    getOrRotateContributorId(tenantId: string): string;
+}
+//# sourceMappingURL=anonymous-id-manager.d.ts.map

package/dist/db/anonymous-id-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anonymous-id-manager.d.ts","sourceRoot":"","sources":["../../src/db/anonymous-id-manager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAS3C,MAAM,WAAW,yBAAyB;IACxC,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;CAClB;AAED,qBAAa,kBAAkB;IAI3B,OAAO,CAAC,QAAQ,CAAC,EAAE;IAHrB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAa;gBAGd,EAAE,EAAE,QAAQ,EAC7B,OAAO,CAAC,EAAE,yBAAyB;IAKrC;;;OAGG;IACH,OAAO,CAAC,WAAW;IAMnB;;;;;;;OAOG;IACH,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM;IA0CjE;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,KAAK,CAAC;QACtD,gBAAgB,EAAE,MAAM,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IAkBF;;;OAGG;IACH,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAGnD"}

package/dist/db/anonymous-id-manager.js

@@ -0,0 +1,90 @@
+/**
+ * Anonymous ID Manager (Phase 4 — Story 1.4)
+ *
+ * Manages rotating anonymous agent IDs with 24h rotation.
+ * Old IDs are kept for audit trail purposes.
+ */
+import { eq, and, gte } from 'drizzle-orm';
+import { randomUUID, createHash } from 'crypto';
+import * as schema from './schema.sqlite.js';
+/** Duration of anonymous ID validity (24 hours in milliseconds) */
+const ROTATION_INTERVAL_MS = 24 * 60 * 60 * 1000;
+/** Salt for hashing agent IDs in the anonymous ID map (H4 fix) */
+const ANON_ID_HASH_SALT = 'agentlens-anon-id-salt-v1';
+export class AnonymousIdManager {
+    db;
+    now;
+    constructor(db, options) {
+        this.db = db;
+        this.now = options?.now ?? (() => new Date());
+    }
+    /**
+     * H4 FIX: Hash the agentId before storing in the DB so that if the DB
+     * is compromised, agentId → anonymousId mapping is not directly readable.
+     */
+    hashAgentId(tenantId, agentId) {
+        return createHash('sha256')
+            .update(`${ANON_ID_HASH_SALT}:${tenantId}:${agentId}`)
+            .digest('hex');
+    }
+    /**
+     * Get the current anonymous ID for a tenant+agent pair,
+     * or create/rotate one if needed.
+     *
+     * - Lazy creation: first call creates the ID
+     * - 24h rotation: after expiry, a new ID is created
+     * - Old IDs are kept for audit trail
+     */
+    getOrRotateAnonymousId(tenantId, agentId) {
+        const now = this.now();
+        const nowIso = now.toISOString();
+        // H4 FIX: Store hashed agentId to prevent de-anonymization if DB is compromised
+        const hashedAgentId = this.hashAgentId(tenantId, agentId);
+        // Find a valid (non-expired) anonymous ID
+        const existing = this.db
+            .select()
+            .from(schema.anonymousIdMap)
+            .where(and(eq(schema.anonymousIdMap.tenantId, tenantId), eq(schema.anonymousIdMap.agentId, hashedAgentId), gte(schema.anonymousIdMap.validUntil, nowIso)))
+            .get();
+        if (existing) {
+            return existing.anonymousAgentId;
+        }
+        // Create a new anonymous ID with 24h validity
+        const newId = randomUUID();
+        const validUntil = new Date(now.getTime() + ROTATION_INTERVAL_MS);
+        this.db
+            .insert(schema.anonymousIdMap)
+            .values({
+            tenantId,
+            agentId: hashedAgentId,
+            anonymousAgentId: newId,
+            validFrom: nowIso,
+            validUntil: validUntil.toISOString(),
+        })
+            .run();
+        return newId;
+    }
+    /**
+     * Get all historical anonymous IDs for a tenant+agent (for audit).
+     */
+    getAuditTrail(tenantId, agentId) {
+        const hashedAgentId = this.hashAgentId(tenantId, agentId);
+        return this.db
+            .select({
+            anonymousAgentId: schema.anonymousIdMap.anonymousAgentId,
+            validFrom: schema.anonymousIdMap.validFrom,
+            validUntil: schema.anonymousIdMap.validUntil,
+        })
+            .from(schema.anonymousIdMap)
+            .where(and(eq(schema.anonymousIdMap.tenantId, tenantId), eq(schema.anonymousIdMap.agentId, hashedAgentId)))
+            .all();
+    }
+    /**
+     * Get the anonymous contributor ID for a tenant (not agent-specific).
+     * Used for lesson sharing where the contributor is the tenant.
+     */
+    getOrRotateContributorId(tenantId) {
+        return this.getOrRotateAnonymousId(tenantId, '__contributor__');
+    }
+}
+//# sourceMappingURL=anonymous-id-manager.js.map

package/dist/db/anonymous-id-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"anonymous-id-manager.js","sourceRoot":"","sources":["../../src/db/anonymous-id-manager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEhD,OAAO,KAAK,MAAM,MAAM,oBAAoB,CAAC;AAE7C,mEAAmE;AACnE,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEjD,kEAAkE;AAClE,MAAM,iBAAiB,GAAG,2BAA2B,CAAC;AAOtD,MAAM,OAAO,kBAAkB;IAIV;IAHF,GAAG,CAAa;IAEjC,YACmB,EAAY,EAC7B,OAAmC;QADlB,OAAE,GAAF,EAAE,CAAU;QAG7B,IAAI,CAAC,GAAG,GAAG,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;IAED;;;OAGG;IACK,WAAW,CAAC,QAAgB,EAAE,OAAe;QACnD,OAAO,UAAU,CAAC,QAAQ,CAAC;aACxB,MAAM,CAAC,GAAG,iBAAiB,IAAI,QAAQ,IAAI,OAAO,EAAE,CAAC;aACrD,MAAM,CAAC,KAAK,CAAC,CAAC;IACnB,CAAC;IAED;;;;;;;OAOG;IACH,sBAAsB,CAAC,QAAgB,EAAE,OAAe;QACtD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAEjC,gFAAgF;QAChF,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAE1D,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE;aACrB,MAAM,EAAE;aACR,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;aAC3B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAC5C,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,aAAa,CAAC,EAChD,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,MAAM,CAAC,CAC9C,CACF;aACA,GAAG,EAAE,CAAC;QAET,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC,gBAAgB,CAAC;QACnC,CAAC;QAED,8CAA8C;QAC9C,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,oBAAoB,CAAC,CAAC;QAElE,IAAI,CAAC,EAAE;aACJ,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC;aAC7B,MAAM,CAAC;YACN,QAAQ;YACR,OAAO,EAAE,aAAa;YACtB,gBAAgB,EAAE,KAAK;YACvB,SAAS,EAAE,MAAM;YACjB,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE;SACrC,CAAC;aACD,GAAG,EAAE,CAAC;QAET,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAgB,EAAE,OAAe;QAK7C,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC1D,OAAO,IAAI,CAAC,EAAE;aACX,MAAM,CAAC;YACN,gBAAgB,EAAE,MAAM,CAAC,cAAc,CAAC,gBAAgB;YACxD,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;YAC1C,UAAU,EAAE,MAAM,CAAC,cAAc,CAAC,UAAU;SAC7C,CAAC;aACD,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;aAC3B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAC5C,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,aAAa,CAAC,CACjD,CACF;aACA,GAAG,EAAE,CAAC;IACX,CAAC;IAED;;;OAGG;IACH,wBAAwB,CAAC,QAAgB;QACvC,OAAO,IAAI,CAAC,sBAAsB,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;IAClE,CAAC;CACF"}

package/dist/db/capability-store.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Capability Registry Store (Story 5.1)
+ *
+ * CRUD operations for the capability_registry table with tenant isolation.
+ */
+import type { SqliteDb } from './index.js';
+import { type TaskType } from '@agentlensai/core';
+/** Input for creating/updating a capability */
+export interface CapabilityInput {
+    taskType: string;
+    customType?: string;
+    inputSchema: Record<string, unknown>;
+    outputSchema: Record<string, unknown>;
+    inputMimeTypes?: string[];
+    outputMimeTypes?: string[];
+    qualityMetrics?: Record<string, unknown>;
+    estimatedLatencyMs?: number;
+    estimatedCostUsd?: number;
+    maxInputBytes?: number;
+    scope?: 'internal' | 'public';
+}
+/** Parsed capability returned from store */
+export interface Capability {
+    id: string;
+    tenantId: string;
+    agentId: string;
+    taskType: TaskType;
+    customType?: string;
+    inputSchema: Record<string, unknown>;
+    outputSchema: Record<string, unknown>;
+    qualityMetrics: Record<string, unknown>;
+    estimatedLatencyMs?: number;
+    estimatedCostUsd?: number;
+    maxInputBytes?: number;
+    scope: 'internal' | 'public';
+    enabled: boolean;
+    acceptDelegations: boolean;
+    inboundRateLimit: number;
+    outboundRateLimit: number;
+    createdAt: string;
+    updatedAt: string;
+}
+export declare class ValidationError extends Error {
+    constructor(message: string);
+}
+export declare class CapabilityStore {
+    private readonly db;
+    constructor(db: SqliteDb);
+    /**
+     * Validate capability input and throw ValidationError on problems.
+     */
+    private validate;
+    /**
+     * Create a new capability registration.
+     */
+    create(tenantId: string, agentId: string, input: CapabilityInput): Capability;
+    /**
+     * Get a capability by ID (tenant-scoped).
+     */
+    getById(tenantId: string, id: string): Capability | null;
+    /**
+     * List all capabilities for an agent (tenant-scoped).
+     */
+    listByAgent(tenantId: string, agentId: string): Capability[];
+    /**
+     * Update a capability by ID (tenant-scoped).
+     */
+    update(tenantId: string, id: string, input: Partial<CapabilityInput>): Capability;
+    /**
+     * Delete a capability by ID (tenant-scoped).
+     */
+    delete(tenantId: string, id: string): boolean;
+    /**
+     * Delete all capabilities for an agent (tenant-scoped).
+     */
+    deleteByAgent(tenantId: string, agentId: string): number;
+}
+//# sourceMappingURL=capability-store.d.ts.map

package/dist/db/capability-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability-store.d.ts","sourceRoot":"","sources":["../../src/db/capability-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,EAAc,KAAK,QAAQ,EAA+B,MAAM,mBAAmB,CAAC;AAY3F,+CAA+C;AAC/C,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACzC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,UAAU,GAAG,QAAQ,CAAC;CAC/B;AAED,4CAA4C;AAC5C,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACxC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,UAAU,GAAG,QAAQ,CAAC;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAuCD,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,eAAe;IACd,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,QAAQ;IAEzC;;OAEG;IACH,OAAO,CAAC,QAAQ;IAgChB;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,UAAU;IA6B7E;;OAEG;IACH,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IASxD;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,UAAU,EAAE;IAc5D;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU;IAoCjF;;OAEG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO;IAQ7C;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM;CAYzD"}

package/dist/db/capability-store.js

@@ -0,0 +1,201 @@
+/**
+ * Capability Registry Store (Story 5.1)
+ *
+ * CRUD operations for the capability_registry table with tenant isolation.
+ */
+import { randomUUID } from 'node:crypto';
+import { eq, and } from 'drizzle-orm';
+import { capabilityRegistry } from './schema.sqlite.js';
+import { TASK_TYPES } from '@agentlensai/core';
+import { NotFoundError } from './errors.js';
+/** Valid task types as a Set for fast lookup */
+const VALID_TASK_TYPES = new Set(TASK_TYPES);
+/** Regex for customType validation: alphanumeric + hyphens, max 64 chars */
+const CUSTOM_TYPE_REGEX = /^[a-zA-Z0-9-]{1,64}$/;
+function rowToCapability(row) {
+    return {
+        id: row.id,
+        tenantId: row.tenantId,
+        agentId: row.agentId,
+        taskType: row.taskType,
+        customType: row.customType ?? undefined,
+        inputSchema: JSON.parse(row.inputSchema),
+        outputSchema: JSON.parse(row.outputSchema),
+        qualityMetrics: JSON.parse(row.qualityMetrics),
+        estimatedLatencyMs: row.estimatedLatencyMs ?? undefined,
+        estimatedCostUsd: row.estimatedCostUsd ?? undefined,
+        maxInputBytes: row.maxInputBytes ?? undefined,
+        scope: row.scope,
+        enabled: row.enabled,
+        acceptDelegations: row.acceptDelegations,
+        inboundRateLimit: row.inboundRateLimit,
+        outboundRateLimit: row.outboundRateLimit,
+        createdAt: row.createdAt,
+        updatedAt: row.updatedAt,
+    };
+}
+/**
+ * Validate a JSON Schema object (basic validation).
+ * Must be a non-null object with a "type" property.
+ */
+function validateJsonSchema(schema, label) {
+    if (schema === null || schema === undefined || typeof schema !== 'object' || Array.isArray(schema)) {
+        throw new ValidationError(`${label} must be a JSON Schema object`);
+    }
+    const s = schema;
+    if (!s.type && !s.$ref && !s.oneOf && !s.anyOf && !s.allOf && !s.properties && !s.enum) {
+        throw new ValidationError(`${label} must be a valid JSON Schema (missing type or schema keyword)`);
+    }
+}
+export class ValidationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ValidationError';
+    }
+}
+export class CapabilityStore {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    /**
+     * Validate capability input and throw ValidationError on problems.
+     */
+    validate(input) {
+        // Validate taskType
+        if (!VALID_TASK_TYPES.has(input.taskType)) {
+            throw new ValidationError(`Invalid taskType "${input.taskType}". Must be one of: ${TASK_TYPES.join(', ')}`);
+        }
+        // Validate customType format if provided
+        if (input.customType !== undefined && input.customType !== null) {
+            if (!CUSTOM_TYPE_REGEX.test(input.customType)) {
+                throw new ValidationError('customType must be 1-64 characters, alphanumeric and hyphens only');
+            }
+        }
+        // customType is required when taskType is 'custom'
+        if (input.taskType === 'custom' && !input.customType) {
+            throw new ValidationError('customType is required when taskType is "custom"');
+        }
+        // Validate input/output schemas
+        validateJsonSchema(input.inputSchema, 'inputSchema');
+        validateJsonSchema(input.outputSchema, 'outputSchema');
+        // Validate scope if provided
+        if (input.scope !== undefined && input.scope !== 'internal' && input.scope !== 'public') {
+            throw new ValidationError('scope must be "internal" or "public"');
+        }
+    }
+    /**
+     * Create a new capability registration.
+     */
+    create(tenantId, agentId, input) {
+        this.validate(input);
+        const now = new Date().toISOString();
+        const id = randomUUID();
+        this.db
+            .insert(capabilityRegistry)
+            .values({
+            id,
+            tenantId,
+            agentId,
+            taskType: input.taskType,
+            customType: input.customType ?? null,
+            inputSchema: JSON.stringify(input.inputSchema),
+            outputSchema: JSON.stringify(input.outputSchema),
+            qualityMetrics: JSON.stringify(input.qualityMetrics ?? {}),
+            estimatedLatencyMs: input.estimatedLatencyMs ?? null,
+            estimatedCostUsd: input.estimatedCostUsd ?? null,
+            maxInputBytes: input.maxInputBytes ?? null,
+            scope: input.scope ?? 'internal',
+            createdAt: now,
+            updatedAt: now,
+        })
+            .run();
+        return this.getById(tenantId, id);
+    }
+    /**
+     * Get a capability by ID (tenant-scoped).
+     */
+    getById(tenantId, id) {
+        const row = this.db
+            .select()
+            .from(capabilityRegistry)
+            .where(and(eq(capabilityRegistry.id, id), eq(capabilityRegistry.tenantId, tenantId)))
+            .get();
+        return row ? rowToCapability(row) : null;
+    }
+    /**
+     * List all capabilities for an agent (tenant-scoped).
+     */
+    listByAgent(tenantId, agentId) {
+        const rows = this.db
+            .select()
+            .from(capabilityRegistry)
+            .where(and(eq(capabilityRegistry.tenantId, tenantId), eq(capabilityRegistry.agentId, agentId)))
+            .all();
+        return rows.map(rowToCapability);
+    }
+    /**
+     * Update a capability by ID (tenant-scoped).
+     */
+    update(tenantId, id, input) {
+        const existing = this.getById(tenantId, id);
+        if (!existing) {
+            throw new NotFoundError(`Capability ${id} not found`);
+        }
+        // Merge with existing for validation
+        const merged = {
+            taskType: input.taskType ?? existing.taskType,
+            customType: input.customType !== undefined ? input.customType : existing.customType,
+            inputSchema: input.inputSchema ?? existing.inputSchema,
+            outputSchema: input.outputSchema ?? existing.outputSchema,
+            scope: input.scope ?? existing.scope,
+        };
+        this.validate(merged);
+        const updates = { updatedAt: new Date().toISOString() };
+        if (input.taskType !== undefined)
+            updates.taskType = input.taskType;
+        if (input.customType !== undefined)
+            updates.customType = input.customType;
+        if (input.inputSchema !== undefined)
+            updates.inputSchema = JSON.stringify(input.inputSchema);
+        if (input.outputSchema !== undefined)
+            updates.outputSchema = JSON.stringify(input.outputSchema);
+        if (input.qualityMetrics !== undefined)
+            updates.qualityMetrics = JSON.stringify(input.qualityMetrics);
+        if (input.estimatedLatencyMs !== undefined)
+            updates.estimatedLatencyMs = input.estimatedLatencyMs;
+        if (input.estimatedCostUsd !== undefined)
+            updates.estimatedCostUsd = input.estimatedCostUsd;
+        if (input.maxInputBytes !== undefined)
+            updates.maxInputBytes = input.maxInputBytes;
+        if (input.scope !== undefined)
+            updates.scope = input.scope;
+        this.db
+            .update(capabilityRegistry)
+            .set(updates)
+            .where(and(eq(capabilityRegistry.id, id), eq(capabilityRegistry.tenantId, tenantId)))
+            .run();
+        return this.getById(tenantId, id);
+    }
+    /**
+     * Delete a capability by ID (tenant-scoped).
+     */
+    delete(tenantId, id) {
+        const result = this.db
+            .delete(capabilityRegistry)
+            .where(and(eq(capabilityRegistry.id, id), eq(capabilityRegistry.tenantId, tenantId)))
+            .run();
+        return result.changes > 0;
+    }
+    /**
+     * Delete all capabilities for an agent (tenant-scoped).
+     */
+    deleteByAgent(tenantId, agentId) {
+        const result = this.db
+            .delete(capabilityRegistry)
+            .where(and(eq(capabilityRegistry.tenantId, tenantId), eq(capabilityRegistry.agentId, agentId)))
+            .run();
+        return result.changes;
+    }
+}
+//# sourceMappingURL=capability-store.js.map

package/dist/db/capability-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability-store.js","sourceRoot":"","sources":["../../src/db/capability-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAEtC,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,UAAU,EAA8C,MAAM,mBAAmB,CAAC;AAC3F,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,gDAAgD;AAChD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS,UAAU,CAAC,CAAC;AAErD,4EAA4E;AAC5E,MAAM,iBAAiB,GAAG,sBAAsB,CAAC;AA0CjD,SAAS,eAAe,CAAC,GAAkB;IACzC,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,QAAQ,EAAE,GAAG,CAAC,QAAoB;QAClC,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;QACvC,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAA4B;QACnE,YAAY,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAA4B;QACrE,cAAc,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAA4B;QACzE,kBAAkB,EAAE,GAAG,CAAC,kBAAkB,IAAI,SAAS;QACvD,gBAAgB,EAAE,GAAG,CAAC,gBAAgB,IAAI,SAAS;QACnD,aAAa,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;QAC7C,KAAK,EAAE,GAAG,CAAC,KAA8B;QACzC,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;QACxC,gBAAgB,EAAE,GAAG,CAAC,gBAAgB;QACtC,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;QACxC,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,MAAe,EAAE,KAAa;IACxD,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnG,MAAM,IAAI,eAAe,CAAC,GAAG,KAAK,+BAA+B,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,CAAC,GAAG,MAAiC,CAAC;IAC5C,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvF,MAAM,IAAI,eAAe,CAAC,GAAG,KAAK,+DAA+D,CAAC,CAAC;IACrG,CAAC;AACH,CAAC;AAED,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,eAAe;IACG;IAA7B,YAA6B,EAAY;QAAZ,OAAE,GAAF,EAAE,CAAU;IAAG,CAAC;IAE7C;;OAEG;IACK,QAAQ,CAAC,KAAsB;QACrC,oBAAoB;QACpB,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,eAAe,CACvB,qBAAqB,KAAK,CAAC,QAAQ,sBAAsB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACjF,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,IAAI,KAAK,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;YAChE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC9C,MAAM,IAAI,eAAe,CACvB,mEAAmE,CACpE,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YACrD,MAAM,IAAI,eAAe,CAAC,kDAAkD,CAAC,CAAC;QAChF,CAAC;QAED,gCAAgC;QAChC,kBAAkB,CAAC,KAAK,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QACrD,kBAAkB,CAAC,KAAK,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;QAEvD,6BAA6B;QAC7B,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,KAAK,UAAU,IAAI,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxF,MAAM,IAAI,eAAe,CAAC,sCAAsC,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAgB,EAAE,OAAe,EAAE,KAAsB;QAC9D,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAErB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;QAExB,IAAI,CAAC,EAAE;aACJ,MAAM,CAAC,kBAAkB,CAAC;aAC1B,MAAM,CAAC;YACN,EAAE;YACF,QAAQ;YACR,OAAO;YACP,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;YACpC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC;YAC9C,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC;YAChD,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,cAAc,IAAI,EAAE,CAAC;YAC1D,kBAAkB,EAAE,KAAK,CAAC,kBAAkB,IAAI,IAAI;YACpD,gBAAgB,EAAE,KAAK,CAAC,gBAAgB,IAAI,IAAI;YAChD,aAAa,EAAE,KAAK,CAAC,aAAa,IAAI,IAAI;YAC1C,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,UAAU;YAChC,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;SACf,CAAC;aACD,GAAG,EAAE,CAAC;QAET,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAE,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,QAAgB,EAAE,EAAU;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;aACpF,GAAG,EAAE,CAAC;QACT,OAAO,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,QAAgB,EAAE,OAAe;QAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,EAAE,CAAC,kBAAkB,CAAC,OAAO,EAAE,OAAO,CAAC,CACxC,CACF;aACA,GAAG,EAAE,CAAC;QACT,OAAO,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAgB,EAAE,EAAU,EAAE,KAA+B;QAClE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC5C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,aAAa,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QACxD,CAAC;QAED,qCAAqC;QACrC,MAAM,MAAM,GAAoB;YAC9B,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ;YAC7C,UAAU,EAAE,KAAK,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU;YACnF,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,QAAQ,CAAC,WAAW;YACtD,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,QAAQ,CAAC,YAAY;YACzD,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK;SACrC,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEtB,MAAM,OAAO,GAA4B,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QACjF,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS;YAAE,OAAO,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;QACpE,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS;YAAE,OAAO,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;QAC1E,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;YAAE,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC7F,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;YAAE,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAChG,IAAI,KAAK,CAAC,cAAc,KAAK,SAAS;YAAE,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QACtG,IAAI,KAAK,CAAC,kBAAkB,KAAK,SAAS;YAAE,OAAO,CAAC,kBAAkB,GAAG,KAAK,CAAC,kBAAkB,CAAC;QAClG,IAAI,KAAK,CAAC,gBAAgB,KAAK,SAAS;YAAE,OAAO,CAAC,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAC;QAC5F,IAAI,KAAK,CAAC,aAAa,KAAK,SAAS;YAAE,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;QACnF,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;QAE3D,IAAI,CAAC,EAAE;aACJ,MAAM,CAAC,kBAAkB,CAAC;aAC1B,GAAG,CAAC,OAAO,CAAC;aACZ,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;aACpF,GAAG,EAAE,CAAC;QAET,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAE,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAgB,EAAE,EAAU;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE;aACnB,MAAM,CAAC,kBAAkB,CAAC;aAC1B,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;aACpF,GAAG,EAAE,CAAC;QACT,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAgB,EAAE,OAAe;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE;aACnB,MAAM,CAAC,kBAAkB,CAAC;aAC1B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,EAAE,CAAC,kBAAkB,CAAC,OAAO,EAAE,OAAO,CAAC,CACxC,CACF;aACA,GAAG,EAAE,CAAC;QACT,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;CACF"}

package/dist/db/guardrail-store.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Guardrail Store (v0.8.0 — Story 1.2)
+ *
+ * CRUD operations for guardrail rules, runtime state, and trigger history.
+ * All operations are tenant-scoped.
+ */
+import type { SqliteDb } from './index.js';
+import type { GuardrailRule, GuardrailState, GuardrailTriggerHistory } from '@agentlensai/core';
+export declare class GuardrailStore {
+    private readonly db;
+    constructor(db: SqliteDb);
+    createRule(rule: GuardrailRule): void;
+    getRule(tenantId: string, ruleId: string): GuardrailRule | null;
+    listRules(tenantId: string, agentId?: string): GuardrailRule[];
+    listEnabledRules(tenantId: string, agentId?: string): GuardrailRule[];
+    updateRule(tenantId: string, ruleId: string, updates: Partial<GuardrailRule>): boolean;
+    deleteRule(tenantId: string, ruleId: string): boolean;
+    getState(tenantId: string, ruleId: string): GuardrailState | null;
+    upsertState(state: GuardrailState): void;
+    insertTrigger(trigger: GuardrailTriggerHistory): void;
+    listTriggerHistory(tenantId: string, opts?: {
+        ruleId?: string;
+        limit?: number;
+        offset?: number;
+    }): {
+        triggers: GuardrailTriggerHistory[];
+        total: number;
+    };
+    getRecentTriggers(tenantId: string, ruleId: string, limit?: number): GuardrailTriggerHistory[];
+    private _mapRule;
+    private _mapState;
+    private _mapTrigger;
+}
+//# sourceMappingURL=guardrail-store.d.ts.map

package/dist/db/guardrail-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guardrail-store.d.ts","sourceRoot":"","sources":["../../src/db/guardrail-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EACd,uBAAuB,EACxB,MAAM,mBAAmB,CAAC;AAE3B,qBAAa,cAAc;IACb,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,QAAQ;IAIzC,UAAU,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI;IAkBrC,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI;IAO/D,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,aAAa,EAAE;IAa9D,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,aAAa,EAAE;IAkBrE,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,OAAO;IAuBtF,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO;IAarD,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;IAOjE,WAAW,CAAC,KAAK,EAAE,cAAc,GAAG,IAAI;IAexC,aAAa,CAAC,OAAO,EAAE,uBAAuB,GAAG,IAAI;IAcrD,kBAAkB,CAChB,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAC1D;QAAE,QAAQ,EAAE,uBAAuB,EAAE,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;IA0CzD,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,GAAE,MAAU,GAAG,uBAAuB,EAAE;IAajG,OAAO,CAAC,QAAQ;IAmBhB,OAAO,CAAC,SAAS;IAWjB,OAAO,CAAC,WAAW;CAapB"}