@astragenie/astramemory-local 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (493) hide show
  1. package/CHANGELOG.md +341 -0
  2. package/README.md +419 -0
  3. package/dist/backup/retention.d.ts +15 -0
  4. package/dist/backup/retention.js +62 -0
  5. package/dist/backup/retention.js.map +1 -0
  6. package/dist/backup/snapshot.d.ts +21 -0
  7. package/dist/backup/snapshot.js +55 -0
  8. package/dist/backup/snapshot.js.map +1 -0
  9. package/dist/backup/verify.d.ts +23 -0
  10. package/dist/backup/verify.js +77 -0
  11. package/dist/backup/verify.js.map +1 -0
  12. package/dist/budget/tracker.d.ts +58 -0
  13. package/dist/budget/tracker.js +102 -0
  14. package/dist/budget/tracker.js.map +1 -0
  15. package/dist/capture/codex.d.ts +63 -0
  16. package/dist/capture/codex.js +0 -0
  17. package/dist/capture/codex.js.map +1 -0
  18. package/dist/cli/backup.d.ts +1 -0
  19. package/dist/cli/backup.js +112 -0
  20. package/dist/cli/backup.js.map +1 -0
  21. package/dist/cli/budget.d.ts +7 -0
  22. package/dist/cli/budget.js +44 -0
  23. package/dist/cli/budget.js.map +1 -0
  24. package/dist/cli/capture.d.ts +10 -0
  25. package/dist/cli/capture.js +113 -0
  26. package/dist/cli/capture.js.map +1 -0
  27. package/dist/cli/consolidate.d.ts +16 -0
  28. package/dist/cli/consolidate.js +146 -0
  29. package/dist/cli/consolidate.js.map +1 -0
  30. package/dist/cli/doctor.d.ts +1 -0
  31. package/dist/cli/doctor.js +54 -0
  32. package/dist/cli/doctor.js.map +1 -0
  33. package/dist/cli/entity-backfill.d.ts +10 -0
  34. package/dist/cli/entity-backfill.js +46 -0
  35. package/dist/cli/entity-backfill.js.map +1 -0
  36. package/dist/cli/hook-install.d.ts +45 -0
  37. package/dist/cli/hook-install.js +77 -0
  38. package/dist/cli/hook-install.js.map +1 -0
  39. package/dist/cli/index.d.ts +2 -0
  40. package/dist/cli/index.js +312 -0
  41. package/dist/cli/index.js.map +1 -0
  42. package/dist/cli/init.d.ts +16 -0
  43. package/dist/cli/init.js +431 -0
  44. package/dist/cli/init.js.map +1 -0
  45. package/dist/cli/mcp-stdio.d.ts +18 -0
  46. package/dist/cli/mcp-stdio.js +67 -0
  47. package/dist/cli/mcp-stdio.js.map +1 -0
  48. package/dist/cli/memory.d.ts +15 -0
  49. package/dist/cli/memory.js +52 -0
  50. package/dist/cli/memory.js.map +1 -0
  51. package/dist/cli/open-runtime-db.d.ts +15 -0
  52. package/dist/cli/open-runtime-db.js +37 -0
  53. package/dist/cli/open-runtime-db.js.map +1 -0
  54. package/dist/cli/pair.d.ts +29 -0
  55. package/dist/cli/pair.js +64 -0
  56. package/dist/cli/pair.js.map +1 -0
  57. package/dist/cli/providers.d.ts +10 -0
  58. package/dist/cli/providers.js +97 -0
  59. package/dist/cli/providers.js.map +1 -0
  60. package/dist/cli/queue-purge.d.ts +5 -0
  61. package/dist/cli/queue-purge.js +92 -0
  62. package/dist/cli/queue-purge.js.map +1 -0
  63. package/dist/cli/queue.d.ts +29 -0
  64. package/dist/cli/queue.js +73 -0
  65. package/dist/cli/queue.js.map +1 -0
  66. package/dist/cli/rebuild.d.ts +15 -0
  67. package/dist/cli/rebuild.js +70 -0
  68. package/dist/cli/rebuild.js.map +1 -0
  69. package/dist/cli/reembed-dim.d.ts +21 -0
  70. package/dist/cli/reembed-dim.js +199 -0
  71. package/dist/cli/reembed-dim.js.map +1 -0
  72. package/dist/cli/reinstall.d.ts +1 -0
  73. package/dist/cli/reinstall.js +205 -0
  74. package/dist/cli/reinstall.js.map +1 -0
  75. package/dist/cli/restore.d.ts +1 -0
  76. package/dist/cli/restore.js +167 -0
  77. package/dist/cli/restore.js.map +1 -0
  78. package/dist/cli/retag.d.ts +14 -0
  79. package/dist/cli/retag.js +62 -0
  80. package/dist/cli/retag.js.map +1 -0
  81. package/dist/cli/search.d.ts +66 -0
  82. package/dist/cli/search.js +174 -0
  83. package/dist/cli/search.js.map +1 -0
  84. package/dist/cli/serve.d.ts +9 -0
  85. package/dist/cli/serve.js +364 -0
  86. package/dist/cli/serve.js.map +1 -0
  87. package/dist/cli/service.d.ts +1 -0
  88. package/dist/cli/service.js +121 -0
  89. package/dist/cli/service.js.map +1 -0
  90. package/dist/cli/sync.d.ts +15 -0
  91. package/dist/cli/sync.js +61 -0
  92. package/dist/cli/sync.js.map +1 -0
  93. package/dist/cli/token.d.ts +24 -0
  94. package/dist/cli/token.js +77 -0
  95. package/dist/cli/token.js.map +1 -0
  96. package/dist/cli/wait-health.d.ts +4 -0
  97. package/dist/cli/wait-health.js +23 -0
  98. package/dist/cli/wait-health.js.map +1 -0
  99. package/dist/config/config.d.ts +127 -0
  100. package/dist/config/config.js +38 -0
  101. package/dist/config/config.js.map +1 -0
  102. package/dist/config/datadir.d.ts +30 -0
  103. package/dist/config/datadir.js +65 -0
  104. package/dist/config/datadir.js.map +1 -0
  105. package/dist/config/loader.d.ts +23 -0
  106. package/dist/config/loader.js +102 -0
  107. package/dist/config/loader.js.map +1 -0
  108. package/dist/config/migrate-dirs.d.ts +36 -0
  109. package/dist/config/migrate-dirs.js +132 -0
  110. package/dist/config/migrate-dirs.js.map +1 -0
  111. package/dist/config/persist-envs.d.ts +23 -0
  112. package/dist/config/persist-envs.js +119 -0
  113. package/dist/config/persist-envs.js.map +1 -0
  114. package/dist/config/resolve-runtime.d.ts +19 -0
  115. package/dist/config/resolve-runtime.js +53 -0
  116. package/dist/config/resolve-runtime.js.map +1 -0
  117. package/dist/config/secrets.d.ts +28 -0
  118. package/dist/config/secrets.js +38 -0
  119. package/dist/config/secrets.js.map +1 -0
  120. package/dist/config/sync-settings.d.ts +16 -0
  121. package/dist/config/sync-settings.js +34 -0
  122. package/dist/config/sync-settings.js.map +1 -0
  123. package/dist/config/writer.d.ts +19 -0
  124. package/dist/config/writer.js +121 -0
  125. package/dist/config/writer.js.map +1 -0
  126. package/dist/consolidate/consolidate.d.ts +80 -0
  127. package/dist/consolidate/consolidate.js +0 -0
  128. package/dist/consolidate/consolidate.js.map +1 -0
  129. package/dist/consolidate/proposals.d.ts +35 -0
  130. package/dist/consolidate/proposals.js +66 -0
  131. package/dist/consolidate/proposals.js.map +1 -0
  132. package/dist/contracts/atom-wire.d.ts +48 -0
  133. package/dist/contracts/atom-wire.js +55 -0
  134. package/dist/contracts/atom-wire.js.map +1 -0
  135. package/dist/contracts/embed.d.ts +41 -0
  136. package/dist/contracts/embed.js +20 -0
  137. package/dist/contracts/embed.js.map +1 -0
  138. package/dist/contracts/index.d.ts +5 -0
  139. package/dist/contracts/index.js +6 -0
  140. package/dist/contracts/index.js.map +1 -0
  141. package/dist/contracts/job.d.ts +113 -0
  142. package/dist/contracts/job.js +32 -0
  143. package/dist/contracts/job.js.map +1 -0
  144. package/dist/contracts/llm.d.ts +30 -0
  145. package/dist/contracts/llm.js +2 -0
  146. package/dist/contracts/llm.js.map +1 -0
  147. package/dist/contracts/memory.d.ts +47 -0
  148. package/dist/contracts/memory.js +5 -0
  149. package/dist/contracts/memory.js.map +1 -0
  150. package/dist/contracts/vector.d.ts +29 -0
  151. package/dist/contracts/vector.js +2 -0
  152. package/dist/contracts/vector.js.map +1 -0
  153. package/dist/distill/flatten-turns.d.ts +1 -0
  154. package/dist/distill/flatten-turns.js +50 -0
  155. package/dist/distill/flatten-turns.js.map +1 -0
  156. package/dist/distill/pipeline.d.ts +45 -0
  157. package/dist/distill/pipeline.js +113 -0
  158. package/dist/distill/pipeline.js.map +1 -0
  159. package/dist/distill/prompts/extract.d.ts +122 -0
  160. package/dist/distill/prompts/extract.js +67 -0
  161. package/dist/distill/prompts/extract.js.map +1 -0
  162. package/dist/distill/stages/01-cleanup.d.ts +9 -0
  163. package/dist/distill/stages/01-cleanup.js +67 -0
  164. package/dist/distill/stages/01-cleanup.js.map +1 -0
  165. package/dist/distill/stages/02-normalize.d.ts +9 -0
  166. package/dist/distill/stages/02-normalize.js +76 -0
  167. package/dist/distill/stages/02-normalize.js.map +1 -0
  168. package/dist/distill/stages/03-chunk.d.ts +22 -0
  169. package/dist/distill/stages/03-chunk.js +138 -0
  170. package/dist/distill/stages/03-chunk.js.map +1 -0
  171. package/dist/distill/stages/04-compact.d.ts +28 -0
  172. package/dist/distill/stages/04-compact.js +69 -0
  173. package/dist/distill/stages/04-compact.js.map +1 -0
  174. package/dist/distill/stages/05-extract.d.ts +35 -0
  175. package/dist/distill/stages/05-extract.js +101 -0
  176. package/dist/distill/stages/05-extract.js.map +1 -0
  177. package/dist/distill/stages/06-reduce.d.ts +16 -0
  178. package/dist/distill/stages/06-reduce.js +30 -0
  179. package/dist/distill/stages/06-reduce.js.map +1 -0
  180. package/dist/distill/stages/07-memory-normalize.d.ts +27 -0
  181. package/dist/distill/stages/07-memory-normalize.js +65 -0
  182. package/dist/distill/stages/07-memory-normalize.js.map +1 -0
  183. package/dist/distill/stages/08-embed-index.d.ts +31 -0
  184. package/dist/distill/stages/08-embed-index.js +82 -0
  185. package/dist/distill/stages/08-embed-index.js.map +1 -0
  186. package/dist/doctor/checks.d.ts +77 -0
  187. package/dist/doctor/checks.js +626 -0
  188. package/dist/doctor/checks.js.map +1 -0
  189. package/dist/doctor/hardening-checks.d.ts +9 -0
  190. package/dist/doctor/hardening-checks.js +182 -0
  191. package/dist/doctor/hardening-checks.js.map +1 -0
  192. package/dist/doctor/probes/embed-probe.d.ts +19 -0
  193. package/dist/doctor/probes/embed-probe.js +47 -0
  194. package/dist/doctor/probes/embed-probe.js.map +1 -0
  195. package/dist/doctor/probes/llm-chat-probe.d.ts +11 -0
  196. package/dist/doctor/probes/llm-chat-probe.js +41 -0
  197. package/dist/doctor/probes/llm-chat-probe.js.map +1 -0
  198. package/dist/doctor/probes/plugin-coexistence.d.ts +14 -0
  199. package/dist/doctor/probes/plugin-coexistence.js +60 -0
  200. package/dist/doctor/probes/plugin-coexistence.js.map +1 -0
  201. package/dist/doctor/runner.d.ts +17 -0
  202. package/dist/doctor/runner.js +53 -0
  203. package/dist/doctor/runner.js.map +1 -0
  204. package/dist/doctor/types.d.ts +12 -0
  205. package/dist/doctor/types.js +2 -0
  206. package/dist/doctor/types.js.map +1 -0
  207. package/dist/entity/backfill.d.ts +30 -0
  208. package/dist/entity/backfill.js +55 -0
  209. package/dist/entity/backfill.js.map +1 -0
  210. package/dist/entity/extract-entities.d.ts +27 -0
  211. package/dist/entity/extract-entities.js +86 -0
  212. package/dist/entity/extract-entities.js.map +1 -0
  213. package/dist/entity/normalize.d.ts +17 -0
  214. package/dist/entity/normalize.js +20 -0
  215. package/dist/entity/normalize.js.map +1 -0
  216. package/dist/eval/harness.d.ts +96 -0
  217. package/dist/eval/harness.js +119 -0
  218. package/dist/eval/harness.js.map +1 -0
  219. package/dist/eval/metrics.d.ts +23 -0
  220. package/dist/eval/metrics.js +44 -0
  221. package/dist/eval/metrics.js.map +1 -0
  222. package/dist/log/correlation.d.ts +24 -0
  223. package/dist/log/correlation.js +33 -0
  224. package/dist/log/correlation.js.map +1 -0
  225. package/dist/log/logger.d.ts +38 -0
  226. package/dist/log/logger.js +129 -0
  227. package/dist/log/logger.js.map +1 -0
  228. package/dist/log/scrub.d.ts +33 -0
  229. package/dist/log/scrub.js +91 -0
  230. package/dist/log/scrub.js.map +1 -0
  231. package/dist/mcp/server.d.ts +36 -0
  232. package/dist/mcp/server.js +553 -0
  233. package/dist/mcp/server.js.map +1 -0
  234. package/dist/memory-tool/adapter.d.ts +73 -0
  235. package/dist/memory-tool/adapter.js +269 -0
  236. package/dist/memory-tool/adapter.js.map +1 -0
  237. package/dist/pipeline/errors.d.ts +21 -0
  238. package/dist/pipeline/errors.js +34 -0
  239. package/dist/pipeline/errors.js.map +1 -0
  240. package/dist/pipeline/failure-classifier.d.ts +13 -0
  241. package/dist/pipeline/failure-classifier.js +72 -0
  242. package/dist/pipeline/failure-classifier.js.map +1 -0
  243. package/dist/pipeline/handler-ctx-ext.d.ts +23 -0
  244. package/dist/pipeline/handler-ctx-ext.js +19 -0
  245. package/dist/pipeline/handler-ctx-ext.js.map +1 -0
  246. package/dist/pipeline/handler.d.ts +20 -0
  247. package/dist/pipeline/handler.js +2 -0
  248. package/dist/pipeline/handler.js.map +1 -0
  249. package/dist/pipeline/handlers/cleanup.d.ts +14 -0
  250. package/dist/pipeline/handlers/cleanup.js +47 -0
  251. package/dist/pipeline/handlers/cleanup.js.map +1 -0
  252. package/dist/pipeline/handlers/consolidate.d.ts +8 -0
  253. package/dist/pipeline/handlers/consolidate.js +23 -0
  254. package/dist/pipeline/handlers/consolidate.js.map +1 -0
  255. package/dist/pipeline/handlers/distill-events.d.ts +15 -0
  256. package/dist/pipeline/handlers/distill-events.js +134 -0
  257. package/dist/pipeline/handlers/distill-events.js.map +1 -0
  258. package/dist/pipeline/handlers/distill.d.ts +17 -0
  259. package/dist/pipeline/handlers/distill.js +110 -0
  260. package/dist/pipeline/handlers/distill.js.map +1 -0
  261. package/dist/pipeline/handlers/reembed.d.ts +10 -0
  262. package/dist/pipeline/handlers/reembed.js +34 -0
  263. package/dist/pipeline/handlers/reembed.js.map +1 -0
  264. package/dist/pipeline/job-repo.d.ts +86 -0
  265. package/dist/pipeline/job-repo.js +168 -0
  266. package/dist/pipeline/job-repo.js.map +1 -0
  267. package/dist/pipeline/mock-providers.d.ts +49 -0
  268. package/dist/pipeline/mock-providers.js +175 -0
  269. package/dist/pipeline/mock-providers.js.map +1 -0
  270. package/dist/pipeline/registry.d.ts +15 -0
  271. package/dist/pipeline/registry.js +20 -0
  272. package/dist/pipeline/registry.js.map +1 -0
  273. package/dist/pipeline/worker.d.ts +41 -0
  274. package/dist/pipeline/worker.js +167 -0
  275. package/dist/pipeline/worker.js.map +1 -0
  276. package/dist/providers/embed/azure-openai.d.ts +25 -0
  277. package/dist/providers/embed/azure-openai.js +138 -0
  278. package/dist/providers/embed/azure-openai.js.map +1 -0
  279. package/dist/providers/embed/ollama.d.ts +17 -0
  280. package/dist/providers/embed/ollama.js +106 -0
  281. package/dist/providers/embed/ollama.js.map +1 -0
  282. package/dist/providers/index.d.ts +19 -0
  283. package/dist/providers/index.js +72 -0
  284. package/dist/providers/index.js.map +1 -0
  285. package/dist/providers/llm/azure-openai.d.ts +20 -0
  286. package/dist/providers/llm/azure-openai.js +135 -0
  287. package/dist/providers/llm/azure-openai.js.map +1 -0
  288. package/dist/providers/llm/ollama.d.ts +13 -0
  289. package/dist/providers/llm/ollama.js +113 -0
  290. package/dist/providers/llm/ollama.js.map +1 -0
  291. package/dist/providers/llm/pricing.d.ts +21 -0
  292. package/dist/providers/llm/pricing.js +22 -0
  293. package/dist/providers/llm/pricing.js.map +1 -0
  294. package/dist/recall/pack.d.ts +32 -0
  295. package/dist/recall/pack.js +90 -0
  296. package/dist/recall/pack.js.map +1 -0
  297. package/dist/recall/policy.d.ts +39 -0
  298. package/dist/recall/policy.js +96 -0
  299. package/dist/recall/policy.js.map +1 -0
  300. package/dist/redact/detectors.d.ts +20 -0
  301. package/dist/redact/detectors.js +85 -0
  302. package/dist/redact/detectors.js.map +1 -0
  303. package/dist/redact/entropy.d.ts +24 -0
  304. package/dist/redact/entropy.js +77 -0
  305. package/dist/redact/entropy.js.map +1 -0
  306. package/dist/redact/index.d.ts +47 -0
  307. package/dist/redact/index.js +165 -0
  308. package/dist/redact/index.js.map +1 -0
  309. package/dist/search/fuse.d.ts +108 -0
  310. package/dist/search/fuse.js +135 -0
  311. package/dist/search/fuse.js.map +1 -0
  312. package/dist/search/query.d.ts +28 -0
  313. package/dist/search/query.js +70 -0
  314. package/dist/search/query.js.map +1 -0
  315. package/dist/search/search.d.ts +164 -0
  316. package/dist/search/search.js +310 -0
  317. package/dist/search/search.js.map +1 -0
  318. package/dist/server/app.d.ts +17 -0
  319. package/dist/server/app.js +133 -0
  320. package/dist/server/app.js.map +1 -0
  321. package/dist/server/health-state.d.ts +29 -0
  322. package/dist/server/health-state.js +28 -0
  323. package/dist/server/health-state.js.map +1 -0
  324. package/dist/server/lib/network.d.ts +12 -0
  325. package/dist/server/lib/network.js +16 -0
  326. package/dist/server/lib/network.js.map +1 -0
  327. package/dist/server/lib/score-contract.d.ts +36 -0
  328. package/dist/server/lib/score-contract.js +54 -0
  329. package/dist/server/lib/score-contract.js.map +1 -0
  330. package/dist/server/lib/stable-stringify.d.ts +10 -0
  331. package/dist/server/lib/stable-stringify.js +27 -0
  332. package/dist/server/lib/stable-stringify.js.map +1 -0
  333. package/dist/server/lib/wire-meta.d.ts +7 -0
  334. package/dist/server/lib/wire-meta.js +29 -0
  335. package/dist/server/lib/wire-meta.js.map +1 -0
  336. package/dist/server/queries/dashboard.d.ts +142 -0
  337. package/dist/server/queries/dashboard.js +166 -0
  338. package/dist/server/queries/dashboard.js.map +1 -0
  339. package/dist/server/routes/consolidation.d.ts +14 -0
  340. package/dist/server/routes/consolidation.js +67 -0
  341. package/dist/server/routes/consolidation.js.map +1 -0
  342. package/dist/server/routes/dashboard-api-html.d.ts +15 -0
  343. package/dist/server/routes/dashboard-api-html.js +144 -0
  344. package/dist/server/routes/dashboard-api-html.js.map +1 -0
  345. package/dist/server/routes/dashboard-consolidation-html.d.ts +26 -0
  346. package/dist/server/routes/dashboard-consolidation-html.js +202 -0
  347. package/dist/server/routes/dashboard-consolidation-html.js.map +1 -0
  348. package/dist/server/routes/dashboard-html.d.ts +15 -0
  349. package/dist/server/routes/dashboard-html.js +365 -0
  350. package/dist/server/routes/dashboard-html.js.map +1 -0
  351. package/dist/server/routes/dashboard-jobs-html.d.ts +18 -0
  352. package/dist/server/routes/dashboard-jobs-html.js +186 -0
  353. package/dist/server/routes/dashboard-jobs-html.js.map +1 -0
  354. package/dist/server/routes/dashboard-search-html.d.ts +18 -0
  355. package/dist/server/routes/dashboard-search-html.js +189 -0
  356. package/dist/server/routes/dashboard-search-html.js.map +1 -0
  357. package/dist/server/routes/dashboard.d.ts +19 -0
  358. package/dist/server/routes/dashboard.js +68 -0
  359. package/dist/server/routes/dashboard.js.map +1 -0
  360. package/dist/server/routes/digest.d.ts +9 -0
  361. package/dist/server/routes/digest.js +37 -0
  362. package/dist/server/routes/digest.js.map +1 -0
  363. package/dist/server/routes/entities.d.ts +12 -0
  364. package/dist/server/routes/entities.js +46 -0
  365. package/dist/server/routes/entities.js.map +1 -0
  366. package/dist/server/routes/health.d.ts +14 -0
  367. package/dist/server/routes/health.js +100 -0
  368. package/dist/server/routes/health.js.map +1 -0
  369. package/dist/server/routes/ingest.d.ts +209 -0
  370. package/dist/server/routes/ingest.js +454 -0
  371. package/dist/server/routes/ingest.js.map +1 -0
  372. package/dist/server/routes/lifecycle.d.ts +21 -0
  373. package/dist/server/routes/lifecycle.js +132 -0
  374. package/dist/server/routes/lifecycle.js.map +1 -0
  375. package/dist/server/routes/mcp.d.ts +15 -0
  376. package/dist/server/routes/mcp.js +36 -0
  377. package/dist/server/routes/mcp.js.map +1 -0
  378. package/dist/server/routes/memory-tool.d.ts +14 -0
  379. package/dist/server/routes/memory-tool.js +28 -0
  380. package/dist/server/routes/memory-tool.js.map +1 -0
  381. package/dist/server/routes/memory.d.ts +7 -0
  382. package/dist/server/routes/memory.js +19 -0
  383. package/dist/server/routes/memory.js.map +1 -0
  384. package/dist/server/routes/recall.d.ts +15 -0
  385. package/dist/server/routes/recall.js +74 -0
  386. package/dist/server/routes/recall.js.map +1 -0
  387. package/dist/server/routes/search.d.ts +12 -0
  388. package/dist/server/routes/search.js +203 -0
  389. package/dist/server/routes/search.js.map +1 -0
  390. package/dist/server/routes/version.d.ts +2 -0
  391. package/dist/server/routes/version.js +11 -0
  392. package/dist/server/routes/version.js.map +1 -0
  393. package/dist/server/routes/why.d.ts +9 -0
  394. package/dist/server/routes/why.js +38 -0
  395. package/dist/server/routes/why.js.map +1 -0
  396. package/dist/service/index.d.ts +10 -0
  397. package/dist/service/index.js +25 -0
  398. package/dist/service/index.js.map +1 -0
  399. package/dist/service/install-flow.d.ts +18 -0
  400. package/dist/service/install-flow.js +47 -0
  401. package/dist/service/install-flow.js.map +1 -0
  402. package/dist/service/instance-lock.d.ts +26 -0
  403. package/dist/service/instance-lock.js +150 -0
  404. package/dist/service/instance-lock.js.map +1 -0
  405. package/dist/service/launchd.d.ts +11 -0
  406. package/dist/service/launchd.js +196 -0
  407. package/dist/service/launchd.js.map +1 -0
  408. package/dist/service/schtasks.d.ts +31 -0
  409. package/dist/service/schtasks.js +274 -0
  410. package/dist/service/schtasks.js.map +1 -0
  411. package/dist/service/shim.d.ts +21 -0
  412. package/dist/service/shim.js +80 -0
  413. package/dist/service/shim.js.map +1 -0
  414. package/dist/service/systemd.d.ts +11 -0
  415. package/dist/service/systemd.js +150 -0
  416. package/dist/service/systemd.js.map +1 -0
  417. package/dist/service/task-xml.d.ts +36 -0
  418. package/dist/service/task-xml.js +91 -0
  419. package/dist/service/task-xml.js.map +1 -0
  420. package/dist/service/types.d.ts +47 -0
  421. package/dist/service/types.js +2 -0
  422. package/dist/service/types.js.map +1 -0
  423. package/dist/storage/archival.d.ts +29 -0
  424. package/dist/storage/archival.js +47 -0
  425. package/dist/storage/archival.js.map +1 -0
  426. package/dist/storage/bearer-keystore.d.ts +34 -0
  427. package/dist/storage/bearer-keystore.js +75 -0
  428. package/dist/storage/bearer-keystore.js.map +1 -0
  429. package/dist/storage/db.d.ts +37 -0
  430. package/dist/storage/db.js +92 -0
  431. package/dist/storage/db.js.map +1 -0
  432. package/dist/storage/entities.d.ts +71 -0
  433. package/dist/storage/entities.js +141 -0
  434. package/dist/storage/entities.js.map +1 -0
  435. package/dist/storage/ingest-idempotency.d.ts +26 -0
  436. package/dist/storage/ingest-idempotency.js +29 -0
  437. package/dist/storage/ingest-idempotency.js.map +1 -0
  438. package/dist/storage/keystore.d.ts +64 -0
  439. package/dist/storage/keystore.js +194 -0
  440. package/dist/storage/keystore.js.map +1 -0
  441. package/dist/storage/memories.d.ts +51 -0
  442. package/dist/storage/memories.js +67 -0
  443. package/dist/storage/memories.js.map +1 -0
  444. package/dist/storage/memory-events.d.ts +145 -0
  445. package/dist/storage/memory-events.js +287 -0
  446. package/dist/storage/memory-events.js.map +1 -0
  447. package/dist/storage/migrate-encrypt.d.ts +16 -0
  448. package/dist/storage/migrate-encrypt.js +121 -0
  449. package/dist/storage/migrate-encrypt.js.map +1 -0
  450. package/dist/storage/migrate.d.ts +27 -0
  451. package/dist/storage/migrate.js +105 -0
  452. package/dist/storage/migrate.js.map +1 -0
  453. package/dist/storage/redaction-log.d.ts +18 -0
  454. package/dist/storage/redaction-log.js +27 -0
  455. package/dist/storage/redaction-log.js.map +1 -0
  456. package/dist/storage/usefulness.d.ts +115 -0
  457. package/dist/storage/usefulness.js +203 -0
  458. package/dist/storage/usefulness.js.map +1 -0
  459. package/dist/sync/conflict-resolve.d.ts +26 -0
  460. package/dist/sync/conflict-resolve.js +139 -0
  461. package/dist/sync/conflict-resolve.js.map +1 -0
  462. package/dist/sync/puller.d.ts +115 -0
  463. package/dist/sync/puller.js +173 -0
  464. package/dist/sync/puller.js.map +1 -0
  465. package/dist/sync/shipper.d.ts +112 -0
  466. package/dist/sync/shipper.js +189 -0
  467. package/dist/sync/shipper.js.map +1 -0
  468. package/dist/tag-hygiene/backfill.d.ts +50 -0
  469. package/dist/tag-hygiene/backfill.js +117 -0
  470. package/dist/tag-hygiene/backfill.js.map +1 -0
  471. package/dist/tag-hygiene/derive-repo.d.ts +9 -0
  472. package/dist/tag-hygiene/derive-repo.js +19 -0
  473. package/dist/tag-hygiene/derive-repo.js.map +1 -0
  474. package/dist/tag-hygiene/tier2-infer.d.ts +28 -0
  475. package/dist/tag-hygiene/tier2-infer.js +72 -0
  476. package/dist/tag-hygiene/tier2-infer.js.map +1 -0
  477. package/dist/vector/sqlite-vec.d.ts +16 -0
  478. package/dist/vector/sqlite-vec.js +49 -0
  479. package/dist/vector/sqlite-vec.js.map +1 -0
  480. package/migrations/001-init.sql +117 -0
  481. package/migrations/002-wire-v1.sql +16 -0
  482. package/migrations/003-expand-memory-types.sql +81 -0
  483. package/migrations/004-provenance.sql +4 -0
  484. package/migrations/005-security.sql +12 -0
  485. package/migrations/006-atom-v3.sql +28 -0
  486. package/migrations/007-memory-events.sql +30 -0
  487. package/migrations/008-consolidation.sql +31 -0
  488. package/migrations/009-tag-hygiene.sql +13 -0
  489. package/migrations/010-sync-pull.sql +53 -0
  490. package/migrations/011-embed-dim-migration.sql +28 -0
  491. package/migrations/012-entities.sql +36 -0
  492. package/migrations/013-archival.sql +50 -0
  493. package/package.json +50 -0
@@ -0,0 +1,90 @@
1
+ /**
2
+ * Memory-pack selection (KF-B) — the "injection judgment" v1.
3
+ * Heuristic, no ML: score = typeWeight · recency · importance,
4
+ * take top-N under a token budget, render grouped Markdown.
5
+ * Recency half-life 30 days mirrors search freshness decay.
6
+ */
7
+ export const DEFAULT_TYPE_WEIGHTS = {
8
+ decision: 1.0,
9
+ lesson: 0.9,
10
+ fact: 0.7,
11
+ command: 0.6,
12
+ note: 0.4,
13
+ todo: 0.4,
14
+ event: 0.4,
15
+ };
16
+ export const DEFAULT_BUDGET_TOKENS = 1500;
17
+ const RECENCY_HALF_LIFE_DAYS = 30;
18
+ const CANDIDATE_LIMIT = 500;
19
+ /**
20
+ * Rough token estimate: ~4 chars per token. Real tokenizers vary ±20% —
21
+ * callers needing exact budgets should leave ~10% headroom. The default
22
+ * 1500-token budget is deliberately conservative for this reason.
23
+ */
24
+ export function estimateTokens(text) {
25
+ return Math.ceil(text.length / 4);
26
+ }
27
+ export function selectPack(db, opts) {
28
+ const now = opts.now ?? Date.now();
29
+ const budget = opts.budgetTokens ?? DEFAULT_BUDGET_TOKENS;
30
+ const weights = opts.typeWeights ?? DEFAULT_TYPE_WEIGHTS;
31
+ // Atom v3 (ADR-001): invalidated memories (valid_to set) are excluded from
32
+ // the injected pack — a superseded/dead memory must not surface in recall.
33
+ const rows = db.prepare(`
34
+ SELECT id, type, text, importance, created_at
35
+ FROM memories
36
+ WHERE repo = ? AND valid_to IS NULL
37
+ ORDER BY created_at DESC
38
+ LIMIT ?
39
+ `).all(opts.repo, CANDIDATE_LIMIT);
40
+ const scored = rows.map(r => {
41
+ const ageDays = (now - r.created_at) / (24 * 60 * 60 * 1000);
42
+ const recency = Math.exp(-ageDays / RECENCY_HALF_LIFE_DAYS);
43
+ const typeWeight = weights[r.type] ?? 0.4;
44
+ return { id: r.id, type: r.type, text: r.text, score: typeWeight * recency * r.importance };
45
+ });
46
+ scored.sort((a, b) => b.score - a.score);
47
+ const pack = [];
48
+ let spent = 0;
49
+ for (const m of scored) {
50
+ const cost = estimateTokens(m.text);
51
+ if (spent + cost > budget) {
52
+ // Guarantee at least the single best memory even under a tiny budget
53
+ if (pack.length === 0)
54
+ pack.push(m);
55
+ break;
56
+ }
57
+ pack.push(m);
58
+ spent += cost;
59
+ }
60
+ return pack;
61
+ }
62
+ const TYPE_HEADINGS = {
63
+ decision: 'Decisions',
64
+ lesson: 'Lessons',
65
+ fact: 'Facts',
66
+ command: 'Commands',
67
+ todo: 'Todos',
68
+ note: 'Notes',
69
+ event: 'Events',
70
+ };
71
+ /** Render the pack as compact Markdown grouped by type, memory ids inline. */
72
+ export function renderPack(memories) {
73
+ if (memories.length === 0)
74
+ return '';
75
+ const byType = new Map();
76
+ for (const m of memories) {
77
+ const list = byType.get(m.type) ?? [];
78
+ list.push(m);
79
+ byType.set(m.type, list);
80
+ }
81
+ const sections = ['# Repo memory pack'];
82
+ for (const [type, list] of byType) {
83
+ sections.push(`\n## ${TYPE_HEADINGS[type] ?? type}`);
84
+ // Collapse internal newlines — a multi-line text would break the Markdown list item
85
+ for (const m of list)
86
+ sections.push(`- ${m.text.replace(/\s+/g, ' ')} \`(${m.id})\``);
87
+ }
88
+ return sections.join('\n');
89
+ }
90
+ //# sourceMappingURL=pack.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"pack.js","sourceRoot":"","sources":["../../src/recall/pack.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAoBH,MAAM,CAAC,MAAM,oBAAoB,GAA2B;IAC1D,QAAQ,EAAE,GAAG;IACb,MAAM,EAAE,GAAG;IACX,IAAI,EAAE,GAAG;IACT,OAAO,EAAE,GAAG;IACZ,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;IACT,KAAK,EAAE,GAAG;CACX,CAAC;AAEF,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAC1C,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAClC,MAAM,eAAe,GAAG,GAAG,CAAC;AAE5B;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACpC,CAAC;AAID,MAAM,UAAU,UAAU,CAAC,EAAM,EAAE,IAAiB;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IACnC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,IAAI,qBAAqB,CAAC;IAC1D,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,IAAI,oBAAoB,CAAC;IAEzD,2EAA2E;IAC3E,2EAA2E;IAC3E,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;GAMvB,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,eAAe,CAAU,CAAC;IAE5C,MAAM,MAAM,GAAiB,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QACxC,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,GAAG,sBAAsB,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC;QAC1C,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,GAAG,OAAO,GAAG,CAAC,CAAC,UAAU,EAAE,CAAC;IAC9F,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,IAAI,GAAiB,EAAE,CAAC;IAC9B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,GAAG,IAAI,GAAG,MAAM,EAAE,CAAC;YAC1B,qEAAqE;YACrE,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACpC,MAAM;QACR,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACb,KAAK,IAAI,IAAI,CAAC;IAChB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,aAAa,GAA2B;IAC5C,QAAQ,EAAE,WAAW;IACrB,MAAM,EAAE,SAAS;IACjB,IAAI,EAAE,OAAO;IACb,OAAO,EAAE,UAAU;IACnB,IAAI,EAAE,OAAO;IACb,IAAI,EAAE,OAAO;IACb,KAAK,EAAE,QAAQ;CAChB,CAAC;AAEF,8EAA8E;AAC9E,MAAM,UAAU,UAAU,CAAC,QAAsB;IAC/C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC/C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACb,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC3B,CAAC;IACD,MAAM,QAAQ,GAAa,CAAC,oBAAoB,CAAC,CAAC;IAClD,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC,QAAQ,aAAa,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACrD,oFAAoF;QACpF,KAAK,MAAM,CAAC,IAAI,IAAI;YAAE,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC"}
@@ -0,0 +1,39 @@
1
+ /**
2
+ * Injection-policy v1 (Wave 4d, ADR-005/ADR-010) — the heuristic
3
+ * "when-to-recall" layer. This is deliberately a THIN layer above pack
4
+ * selection, not part of search: the store answers "what matches",
5
+ * the policy answers "should anything be injected at all, and how much".
6
+ *
7
+ * v1 heuristics (no ML — instrumented via usefulness events so it can
8
+ * become learned later):
9
+ * 1. Task-type gating — trivial/smalltalk or very short prompts get no
10
+ * injection unless they explicitly reference memory ("remember",
11
+ * "last time", "we decided", ...).
12
+ * 2. Confidence threshold — only memories whose selection score clears
13
+ * `minScore` are injected; a pack of weak matches is worse than none.
14
+ * 3. Token-budget-aware top-k — the longer the prompt already is, the
15
+ * smaller the injection budget ("long context kills retrieval").
16
+ *
17
+ * Every injected memory is recorded as a recall_served usefulness event
18
+ * (ADR-010) so served-but-never-used patterns can tune this layer.
19
+ */
20
+ import type { DB } from '../storage/db.js';
21
+ import type { Config } from '../config/config.js';
22
+ import { type PackMemory } from './pack.js';
23
+ export interface PolicyDecision {
24
+ inject: boolean;
25
+ /** Machine-readable reason — stable strings, used in tests + telemetry. */
26
+ reason: 'injected' | 'no-eligible-memories' | 'prompt-too-short' | 'smalltalk' | 'below-min-score' | 'policy-disabled';
27
+ memories: PackMemory[];
28
+ pack: string;
29
+ budget_tokens: number;
30
+ }
31
+ export interface PolicyInput {
32
+ repo: string;
33
+ prompt: string;
34
+ /** Requested budget; the policy may shrink it, never grow it. */
35
+ budgetTokens?: number;
36
+ now?: number;
37
+ }
38
+ export declare function shrinkBudgetForPrompt(baseBudget: number, promptChars: number): number;
39
+ export declare function decideInjection(db: DB, config: Config, input: PolicyInput): PolicyDecision;
@@ -0,0 +1,96 @@
1
+ /**
2
+ * Injection-policy v1 (Wave 4d, ADR-005/ADR-010) — the heuristic
3
+ * "when-to-recall" layer. This is deliberately a THIN layer above pack
4
+ * selection, not part of search: the store answers "what matches",
5
+ * the policy answers "should anything be injected at all, and how much".
6
+ *
7
+ * v1 heuristics (no ML — instrumented via usefulness events so it can
8
+ * become learned later):
9
+ * 1. Task-type gating — trivial/smalltalk or very short prompts get no
10
+ * injection unless they explicitly reference memory ("remember",
11
+ * "last time", "we decided", ...).
12
+ * 2. Confidence threshold — only memories whose selection score clears
13
+ * `minScore` are injected; a pack of weak matches is worse than none.
14
+ * 3. Token-budget-aware top-k — the longer the prompt already is, the
15
+ * smaller the injection budget ("long context kills retrieval").
16
+ *
17
+ * Every injected memory is recorded as a recall_served usefulness event
18
+ * (ADR-010) so served-but-never-used patterns can tune this layer.
19
+ */
20
+ import { selectPack, renderPack, DEFAULT_BUDGET_TOKENS } from './pack.js';
21
+ import { recordRecallServed } from '../storage/usefulness.js';
22
+ /** Prompts that explicitly ask for memory always get injection. */
23
+ const MEMORY_REFERENCE_RE = /\b(remember|recall|last time|previously|we decided|as before|earlier session|what did (i|we))\b/i;
24
+ /** Cheap smalltalk/greeting classifier — gate, don't inject. */
25
+ const SMALLTALK_RE = /^\s*(hi|hey|hello|thanks?|thank you|ok(ay)?|yes|no|cool|nice|lol|good (morning|evening|night)|how are you)\s*[!.?]*\s*$/i;
26
+ /** Prompt sizes at which the injection budget starts shrinking / bottoms out. */
27
+ const PROMPT_SHRINK_START_CHARS = 4_000;
28
+ const PROMPT_SHRINK_FLOOR_TOKENS = 300;
29
+ export function shrinkBudgetForPrompt(baseBudget, promptChars) {
30
+ if (promptChars <= PROMPT_SHRINK_START_CHARS)
31
+ return baseBudget;
32
+ // Linear decay: every additional 4k chars halves the remaining headroom.
33
+ const over = promptChars - PROMPT_SHRINK_START_CHARS;
34
+ const factor = Math.max(0, 1 - over / 16_000);
35
+ return Math.max(PROMPT_SHRINK_FLOOR_TOKENS, Math.round(baseBudget * factor));
36
+ }
37
+ export function decideInjection(db, config, input) {
38
+ const policyCfg = config.recallPack.policy;
39
+ const baseBudget = input.budgetTokens ?? config.recallPack.budgetTokens ?? DEFAULT_BUDGET_TOKENS;
40
+ if (!policyCfg.enabled) {
41
+ // Policy off = legacy behavior: always inject whatever the pack selects.
42
+ const memories = selectPack(db, { repo: input.repo, budgetTokens: baseBudget, now: input.now });
43
+ record(db, input, memories);
44
+ return {
45
+ inject: memories.length > 0,
46
+ reason: memories.length > 0 ? 'injected' : 'no-eligible-memories',
47
+ memories,
48
+ pack: renderPack(memories),
49
+ budget_tokens: baseBudget,
50
+ };
51
+ }
52
+ const prompt = input.prompt ?? '';
53
+ const referencesMemory = MEMORY_REFERENCE_RE.test(prompt);
54
+ // 1. Task-type gating (memory references override every gate).
55
+ // Smalltalk first — a greeting is smalltalk regardless of its length.
56
+ if (!referencesMemory) {
57
+ if (SMALLTALK_RE.test(prompt)) {
58
+ return skip('smalltalk', baseBudget);
59
+ }
60
+ if (prompt.trim().length < policyCfg.minPromptChars) {
61
+ return skip('prompt-too-short', baseBudget);
62
+ }
63
+ }
64
+ // 3. Token-budget-aware top-k.
65
+ const budget = shrinkBudgetForPrompt(baseBudget, prompt.length);
66
+ const candidates = selectPack(db, { repo: input.repo, budgetTokens: budget, now: input.now });
67
+ if (candidates.length === 0)
68
+ return skip('no-eligible-memories', budget);
69
+ // 2. Confidence threshold on the selection score.
70
+ const confident = candidates.filter(m => m.score >= policyCfg.minScore);
71
+ if (confident.length === 0)
72
+ return skip('below-min-score', budget);
73
+ record(db, input, confident);
74
+ return {
75
+ inject: true,
76
+ reason: 'injected',
77
+ memories: confident,
78
+ pack: renderPack(confident),
79
+ budget_tokens: budget,
80
+ };
81
+ function skip(reason, budgetTokens) {
82
+ return { inject: false, reason, memories: [], pack: '', budget_tokens: budgetTokens };
83
+ }
84
+ }
85
+ function record(db, input, memories) {
86
+ if (memories.length === 0)
87
+ return;
88
+ recordRecallServed(db, {
89
+ query: `pack:${input.repo}`,
90
+ atomIds: memories.map(m => m.id),
91
+ scores: memories.map(m => m.score),
92
+ surface: 'rest',
93
+ mode: 'pack-policy',
94
+ });
95
+ }
96
+ //# sourceMappingURL=policy.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/recall/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,qBAAqB,EAAmB,MAAM,WAAW,CAAC;AAC3F,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAyB9D,mEAAmE;AACnE,MAAM,mBAAmB,GACvB,kGAAkG,CAAC;AAErG,gEAAgE;AAChE,MAAM,YAAY,GAChB,0HAA0H,CAAC;AAE7H,iFAAiF;AACjF,MAAM,yBAAyB,GAAG,KAAK,CAAC;AACxC,MAAM,0BAA0B,GAAG,GAAG,CAAC;AAEvC,MAAM,UAAU,qBAAqB,CAAC,UAAkB,EAAE,WAAmB;IAC3E,IAAI,WAAW,IAAI,yBAAyB;QAAE,OAAO,UAAU,CAAC;IAChE,yEAAyE;IACzE,MAAM,IAAI,GAAG,WAAW,GAAG,yBAAyB,CAAC;IACrD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,GAAG,MAAM,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,EAAM,EAAE,MAAc,EAAE,KAAkB;IACxE,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;IAC3C,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,IAAI,MAAM,CAAC,UAAU,CAAC,YAAY,IAAI,qBAAqB,CAAC;IAEjG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;QACvB,yEAAyE;QACzE,MAAM,QAAQ,GAAG,UAAU,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAChG,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5B,OAAO;YACL,MAAM,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC;YAC3B,MAAM,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,sBAAsB;YACjE,QAAQ;YACR,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC;YAC1B,aAAa,EAAE,UAAU;SAC1B,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC;IAClC,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAE1D,+DAA+D;IAC/D,yEAAyE;IACzE,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QACvC,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,SAAS,CAAC,cAAc,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,MAAM,MAAM,GAAG,qBAAqB,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAEhE,MAAM,UAAU,GAAG,UAAU,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9F,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;IAEzE,kDAAkD;IAClD,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,SAAS,CAAC,QAAQ,CAAC,CAAC;IACxE,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IAEnE,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IAC7B,OAAO;QACL,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,UAAU;QAClB,QAAQ,EAAE,SAAS;QACnB,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC;QAC3B,aAAa,EAAE,MAAM;KACtB,CAAC;IAEF,SAAS,IAAI,CAAC,MAAgC,EAAE,YAAoB;QAClE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;IACxF,CAAC;AACH,CAAC;AAED,SAAS,MAAM,CAAC,EAAM,EAAE,KAAkB,EAAE,QAAsB;IAChE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAClC,kBAAkB,CAAC,EAAE,EAAE;QACrB,KAAK,EAAE,QAAQ,KAAK,CAAC,IAAI,EAAE;QAC3B,OAAO,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;QAClC,OAAO,EAAE,MAAM;QACf,IAAI,EAAE,aAAa;KACpB,CAAC,CAAC;AACL,CAAC"}
@@ -0,0 +1,20 @@
1
+ /**
2
+ * Pattern-based secret detectors (stage-0 redaction, SEC-3/5, spec §4.2).
3
+ *
4
+ * Each detector is a regex run with the `d` (hasIndices) flag so that, when
5
+ * `valueGroup` is set, we can redact JUST the captured secret value and keep
6
+ * the surrounding key name / scheme intact (e.g. `Password=` stays, only the
7
+ * value after it is replaced).
8
+ */
9
+ export interface PatternDetector {
10
+ type: string;
11
+ /** Regex WITHOUT the 'g'/'d' flags — added automatically at match time. */
12
+ source: string;
13
+ flags: string;
14
+ /** Capture group index to redact instead of the whole match (1-based). */
15
+ valueGroup?: number;
16
+ }
17
+ export declare const PEM_DETECTOR: PatternDetector;
18
+ export declare const PATTERN_DETECTORS: PatternDetector[];
19
+ /** Build a `custom` detector from a user-supplied regex source string. */
20
+ export declare function customDetector(source: string): PatternDetector;
@@ -0,0 +1,85 @@
1
+ /**
2
+ * Pattern-based secret detectors (stage-0 redaction, SEC-3/5, spec §4.2).
3
+ *
4
+ * Each detector is a regex run with the `d` (hasIndices) flag so that, when
5
+ * `valueGroup` is set, we can redact JUST the captured secret value and keep
6
+ * the surrounding key name / scheme intact (e.g. `Password=` stays, only the
7
+ * value after it is replaced).
8
+ */
9
+ // ---------------------------------------------------------------------------
10
+ // PEM private-key blocks — run first, whole block redacted (spec §4.2).
11
+ // ---------------------------------------------------------------------------
12
+ export const PEM_DETECTOR = {
13
+ type: 'pem_private_key',
14
+ source: '-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----[\\s\\S]*?-----END (?:[A-Z0-9]+ )*PRIVATE KEY-----',
15
+ flags: 's',
16
+ };
17
+ // ---------------------------------------------------------------------------
18
+ // Vendor-specific token/key patterns.
19
+ // ---------------------------------------------------------------------------
20
+ export const PATTERN_DETECTORS = [
21
+ {
22
+ type: 'aws_access_key',
23
+ source: '\\bAKIA[0-9A-Z]{16}\\b',
24
+ flags: '',
25
+ },
26
+ {
27
+ type: 'github_token',
28
+ source: '\\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,255}\\b|\\bgithub_pat_[A-Za-z0-9_]{20,255}\\b',
29
+ flags: '',
30
+ },
31
+ // Azure storage account key, labeled: `;AccountKey=<base64>`
32
+ {
33
+ type: 'azure_key',
34
+ source: '\\bAccountKey\\s*=\\s*(\\S+)',
35
+ flags: 'id',
36
+ valueGroup: 1,
37
+ },
38
+ // Azure SAS token query param: `...&sig=<urlencoded-base64>`
39
+ {
40
+ type: 'azure_key',
41
+ source: '[?&]sig=([A-Za-z0-9%+/=]{10,})',
42
+ flags: 'id',
43
+ valueGroup: 1,
44
+ },
45
+ // Bare Azure storage account key (88-char base64, no label).
46
+ {
47
+ type: 'azure_key',
48
+ source: '\\b[A-Za-z0-9+/]{86}==',
49
+ flags: '',
50
+ },
51
+ {
52
+ type: 'gcp_api_key',
53
+ source: '\\bAIza[0-9A-Za-z\\-_]{35}\\b',
54
+ flags: '',
55
+ },
56
+ {
57
+ type: 'slack_token',
58
+ source: '\\bxox[baprs]-[0-9A-Za-z-]{10,72}\\b',
59
+ flags: '',
60
+ },
61
+ // Generic `key = value` / `key: value` credential — redact value only.
62
+ {
63
+ type: 'generic_credential',
64
+ source: '\\b(?:api[_-]?key|secret|token|password|passwd|pwd)\\s*[:=]\\s*(\\S+)',
65
+ flags: 'id',
66
+ valueGroup: 1,
67
+ },
68
+ {
69
+ type: 'jwt',
70
+ source: '\\bey[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\b',
71
+ flags: '',
72
+ },
73
+ // Connection-string userinfo: scheme://user:pass@ — redact the "user:pass" span.
74
+ {
75
+ type: 'connection_string',
76
+ source: '\\b[a-zA-Z][a-zA-Z0-9+.-]*://([^/\\s:@]+:[^/\\s@]+)@',
77
+ flags: 'd',
78
+ valueGroup: 1,
79
+ },
80
+ ];
81
+ /** Build a `custom` detector from a user-supplied regex source string. */
82
+ export function customDetector(source) {
83
+ return { type: 'custom', source, flags: 'g' };
84
+ }
85
+ //# sourceMappingURL=detectors.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"detectors.js","sourceRoot":"","sources":["../../src/redact/detectors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAWH,8EAA8E;AAC9E,wEAAwE;AACxE,8EAA8E;AAE9E,MAAM,CAAC,MAAM,YAAY,GAAoB;IAC3C,IAAI,EAAE,iBAAiB;IACvB,MAAM,EAAE,8FAA8F;IACtG,KAAK,EAAE,GAAG;CACX,CAAC;AAEF,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,MAAM,CAAC,MAAM,iBAAiB,GAAsB;IAClD;QACE,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,wBAAwB;QAChC,KAAK,EAAE,EAAE;KACV;IACD;QACE,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,yFAAyF;QACjG,KAAK,EAAE,EAAE;KACV;IACD,6DAA6D;IAC7D;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,8BAA8B;QACtC,KAAK,EAAE,IAAI;QACX,UAAU,EAAE,CAAC;KACd;IACD,6DAA6D;IAC7D;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,gCAAgC;QACxC,KAAK,EAAE,IAAI;QACX,UAAU,EAAE,CAAC;KACd;IACD,6DAA6D;IAC7D;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,wBAAwB;QAChC,KAAK,EAAE,EAAE;KACV;IACD;QACE,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,+BAA+B;QACvC,KAAK,EAAE,EAAE;KACV;IACD;QACE,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,sCAAsC;QAC9C,KAAK,EAAE,EAAE;KACV;IACD,uEAAuE;IACvE;QACE,IAAI,EAAE,oBAAoB;QAC1B,MAAM,EAAE,uEAAuE;QAC/E,KAAK,EAAE,IAAI;QACX,UAAU,EAAE,CAAC;KACd;IACD;QACE,IAAI,EAAE,KAAK;QACX,MAAM,EAAE,sEAAsE;QAC9E,KAAK,EAAE,EAAE;KACV;IACD,iFAAiF;IACjF;QACE,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,sDAAsD;QAC9D,KAAK,EAAE,GAAG;QACV,UAAU,EAAE,CAAC;KACd;CACF,CAAC;AAEF,0EAA0E;AAC1E,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AAChD,CAAC"}
@@ -0,0 +1,24 @@
1
+ /**
2
+ * Shannon-entropy secret detector (stage-0 redaction, SEC-3/5).
3
+ *
4
+ * Runs LAST, over whatever text survives the pattern-detector pass — catches
5
+ * high-randomness tokens (raw keys, unlabeled secrets) that don't match a
6
+ * known vendor format. False-positive guards keep it from flagging git SHAs,
7
+ * UUIDs, and file paths (see redactText doc-comment for the full list).
8
+ */
9
+ /** Shannon entropy in bits/char over the token's character distribution. */
10
+ export declare function shannonEntropy(token: string): number;
11
+ export interface EntropyToken {
12
+ value: string;
13
+ start: number;
14
+ end: number;
15
+ }
16
+ /** Split text into whitespace-delimited tokens with their [start,end) offsets. */
17
+ export declare function tokenize(text: string): EntropyToken[];
18
+ export interface EntropyMatch {
19
+ start: number;
20
+ end: number;
21
+ value: string;
22
+ }
23
+ /** Find entropy-based secret candidates in `text` above `threshold` bits/char. */
24
+ export declare function findEntropySecrets(text: string, threshold: number): EntropyMatch[];
@@ -0,0 +1,77 @@
1
+ /**
2
+ * Shannon-entropy secret detector (stage-0 redaction, SEC-3/5).
3
+ *
4
+ * Runs LAST, over whatever text survives the pattern-detector pass — catches
5
+ * high-randomness tokens (raw keys, unlabeled secrets) that don't match a
6
+ * known vendor format. False-positive guards keep it from flagging git SHAs,
7
+ * UUIDs, and file paths (see redactText doc-comment for the full list).
8
+ */
9
+ const MIN_TOKEN_LENGTH = 20;
10
+ const CONTEXT_WINDOW = 40;
11
+ const HEX_DIGEST_CONTEXT_RE = /\b(commit|sha|hash|digest)\b/i;
12
+ const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
13
+ const PURE_HEX_RE = /^[0-9a-f]+$/i;
14
+ const PLACEHOLDER_RE = /^\[REDACTED:[^\]]+\]$/;
15
+ /** Shannon entropy in bits/char over the token's character distribution. */
16
+ export function shannonEntropy(token) {
17
+ if (token.length === 0)
18
+ return 0;
19
+ const freq = new Map();
20
+ for (const ch of token) {
21
+ freq.set(ch, (freq.get(ch) ?? 0) + 1);
22
+ }
23
+ let entropy = 0;
24
+ for (const count of freq.values()) {
25
+ const p = count / token.length;
26
+ entropy -= p * Math.log2(p);
27
+ }
28
+ return entropy;
29
+ }
30
+ /** Split text into whitespace-delimited tokens with their [start,end) offsets. */
31
+ export function tokenize(text) {
32
+ const tokens = [];
33
+ const re = /\S+/g;
34
+ let m;
35
+ while ((m = re.exec(text)) !== null) {
36
+ tokens.push({ value: m[0], start: m.index, end: m.index + m[0].length });
37
+ }
38
+ return tokens;
39
+ }
40
+ /**
41
+ * True if `token` should be SKIPPED (i.e. is a known false-positive shape)
42
+ * rather than flagged as a high-entropy secret.
43
+ */
44
+ function isGuarded(token, text, start, end) {
45
+ if (token.length < MIN_TOKEN_LENGTH)
46
+ return true;
47
+ if (PLACEHOLDER_RE.test(token))
48
+ return true;
49
+ if (UUID_RE.test(token))
50
+ return true;
51
+ if (token.includes('/') || token.includes('\\'))
52
+ return true;
53
+ // Pure-hex 40/64-char strings (git SHA-1 / SHA-256) adjacent to a
54
+ // commit/sha/hash/digest keyword within ~40 chars are assumed to be
55
+ // content hashes, not secrets.
56
+ if ((token.length === 40 || token.length === 64) && PURE_HEX_RE.test(token)) {
57
+ const windowStart = Math.max(0, start - CONTEXT_WINDOW);
58
+ const windowEnd = Math.min(text.length, end + CONTEXT_WINDOW);
59
+ if (HEX_DIGEST_CONTEXT_RE.test(text.slice(windowStart, windowEnd))) {
60
+ return true;
61
+ }
62
+ }
63
+ return false;
64
+ }
65
+ /** Find entropy-based secret candidates in `text` above `threshold` bits/char. */
66
+ export function findEntropySecrets(text, threshold) {
67
+ const matches = [];
68
+ for (const tok of tokenize(text)) {
69
+ if (isGuarded(tok.value, text, tok.start, tok.end))
70
+ continue;
71
+ if (shannonEntropy(tok.value) >= threshold) {
72
+ matches.push({ start: tok.start, end: tok.end, value: tok.value });
73
+ }
74
+ }
75
+ return matches;
76
+ }
77
+ //# sourceMappingURL=entropy.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"entropy.js","sourceRoot":"","sources":["../../src/redact/entropy.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAC5B,MAAM,cAAc,GAAG,EAAE,CAAC;AAC1B,MAAM,qBAAqB,GAAG,+BAA+B,CAAC;AAC9D,MAAM,OAAO,GAAG,iEAAiE,CAAC;AAClF,MAAM,WAAW,GAAG,cAAc,CAAC;AACnC,MAAM,cAAc,GAAG,uBAAuB,CAAC;AAE/C,4EAA4E;AAC5E,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC;QAC/B,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAQD,kFAAkF;AAClF,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,MAAM,MAAM,GAAmB,EAAE,CAAC;IAClC,MAAM,EAAE,GAAG,MAAM,CAAC;IAClB,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,KAAa,EAAE,IAAY,EAAE,KAAa,EAAE,GAAW;IACxE,IAAI,KAAK,CAAC,MAAM,GAAG,gBAAgB;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAE7D,kEAAkE;IAClE,oEAAoE;IACpE,+BAA+B;IAC/B,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,EAAE,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,cAAc,CAAC,CAAC;QACxD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,cAAc,CAAC,CAAC;QAC9D,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAQD,kFAAkF;AAClF,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,SAAiB;IAChE,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACjC,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC7D,IAAI,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
@@ -0,0 +1,47 @@
1
+ /**
2
+ * Stage-0 secret redaction (spec docs/specs/2026-07-02-encryption-and-secret-redaction.md
3
+ * §4.2/§4.3, SEC-3..6/SEC-9).
4
+ *
5
+ * Single entry point: `redactText(input, opts)`. Invoked at the ingest choke
6
+ * point (POST /ingest/transcript, before the `transcripts` INSERT) and on the
7
+ * `/remember` manual-write path (spec OQ-2: yes). Downstream pipeline stages
8
+ * inherit already-redacted text — there is no second redaction pass.
9
+ *
10
+ * Placeholder format: `[REDACTED:<type>:<hash8>]` where hash8 = first 8 hex
11
+ * chars of SHA-256(secret value). Same secret -> same placeholder (dedup-safe
12
+ * across a transcript); the raw value is NEVER stored or logged (SEC-5).
13
+ *
14
+ * Detection order (never redact inside an already-inserted placeholder):
15
+ * 1. PEM private-key blocks (multiline, whole block)
16
+ * 2. Vendor/pattern detectors (AWS, GitHub, Azure, GCP, Slack, generic
17
+ * key=value, JWT, connection-string userinfo) + config custom patterns
18
+ * 3. Shannon-entropy detector over whatever text remains
19
+ */
20
+ import type { Config } from '../config/config.js';
21
+ export interface RedactionEvent {
22
+ type: string;
23
+ hash8: string;
24
+ /** Offset of the redacted span within the text snapshot at detection time. */
25
+ offset: number;
26
+ }
27
+ export interface RedactOptions {
28
+ /** Shannon-entropy threshold in bits/char. Default 4.0. */
29
+ entropyThreshold?: number;
30
+ /** Additional regex sources (as strings) from config, type 'custom'. */
31
+ customPatterns?: string[];
32
+ }
33
+ export interface RedactResult {
34
+ text: string;
35
+ events: RedactionEvent[];
36
+ }
37
+ /**
38
+ * Redact secrets from `input`. Pure function — no I/O, no DB writes (callers
39
+ * aggregate `events` into `redaction_log` themselves).
40
+ */
41
+ export declare function redactText(input: string, opts?: RedactOptions): RedactResult;
42
+ /**
43
+ * Choke-point helper for route handlers: applies config (enabled flag,
44
+ * entropy threshold, custom patterns) and is a no-op passthrough when
45
+ * `security.redaction.enabled` is false (SEC-9).
46
+ */
47
+ export declare function redactIfEnabled(input: string, config: Config): RedactResult;