@autumnsgrove/groveengine 0.9.96 → 0.9.97

package/dist/config/petal.d.ts

@@ -99,6 +99,29 @@ export declare const FAILOVER_CONFIG: {
     /** Sanity check timeout (ms) */
     readonly sanityTimeoutMs: 10000;
 };
+/**
+ * PhotoDNA Cloud Service configuration
+ *
+ * PhotoDNA is Microsoft's industry-standard perceptual hash system for
+ * detecting known CSAM content against the NCMEC database.
+ *
+ * INTEGRATION STATUS: Awaiting Microsoft approval
+ * Once approved, add PHOTODNA_SUBSCRIPTION_KEY to Cloudflare secrets.
+ *
+ * @see https://www.microsoft.com/en-us/photodna
+ */
+export declare const PHOTODNA_CONFIG: {
+    /** PhotoDNA Cloud Service endpoint */
+    readonly endpoint: "https://api.microsoftmoderator.com/photodna";
+    /** Request timeout in milliseconds */
+    readonly timeoutMs: 5000;
+    /** Environment variable name for subscription key */
+    readonly subscriptionKeyEnvVar: "PHOTODNA_SUBSCRIPTION_KEY";
+    /** Whether PhotoDNA is the primary CSAM detection method */
+    readonly isPrimary: true;
+    /** Fall back to vision model if PhotoDNA unavailable */
+    readonly fallbackToVision: true;
+};
 /**
  * Approximate cost per image (in USD)
  * Based on Workers AI pricing: $0.27/M input, $0.85/M output

package/dist/config/petal.js

@@ -198,6 +198,32 @@ export const FAILOVER_CONFIG = {
     sanityTimeoutMs: 10_000,
 };
 // ============================================================================
+// PhotoDNA Configuration
+// ============================================================================
+/**
+ * PhotoDNA Cloud Service configuration
+ *
+ * PhotoDNA is Microsoft's industry-standard perceptual hash system for
+ * detecting known CSAM content against the NCMEC database.
+ *
+ * INTEGRATION STATUS: Awaiting Microsoft approval
+ * Once approved, add PHOTODNA_SUBSCRIPTION_KEY to Cloudflare secrets.
+ *
+ * @see https://www.microsoft.com/en-us/photodna
+ */
+export const PHOTODNA_CONFIG = {
+    /** PhotoDNA Cloud Service endpoint */
+    endpoint: "https://api.microsoftmoderator.com/photodna",
+    /** Request timeout in milliseconds */
+    timeoutMs: 5_000,
+    /** Environment variable name for subscription key */
+    subscriptionKeyEnvVar: "PHOTODNA_SUBSCRIPTION_KEY",
+    /** Whether PhotoDNA is the primary CSAM detection method */
+    isPrimary: true,
+    /** Fall back to vision model if PhotoDNA unavailable */
+    fallbackToVision: true,
+};
+// ============================================================================
 // Pricing (for cost tracking)
 // ============================================================================
 /**

package/dist/curios/timeline/index.js

@@ -50,6 +50,31 @@ formatHistoricalContextForPrompt, formatContinuationForPrompt, buildPromptContex
 // =============================================================================
 // Utility Functions
 // =============================================================================
+/**
+ * Strip hallucinated GitHub links from AI output.
+ *
+ * The AI sometimes invents URLs for section headers like:
+ * [Sentinel Stress Testing System](https://github.com/AutumnsGrove/Sentinel Stress Testing System)
+ *
+ * This function strips fake links while preserving real commit/PR links.
+ * Real links have patterns like /commit/abc123 or /pull/123
+ */
+function stripHallucinatedLinks(text) {
+    // Match markdown links to github.com/AutumnsGrove/...
+    const githubLinkPattern = /\[([^\]]+)\]\((https?:\/\/github\.com\/AutumnsGrove\/[^)]+)\)/g;
+    return text.replace(githubLinkPattern, (match, linkText, url) => {
+        // Real links contain: /commit/, /pull/, /issues/, /blob/, /tree/
+        const isRealLink = /\/(commit|pull|issues|blob|tree|compare)\//.test(url) &&
+            // And shouldn't have spaces in the URL (hallucinated links often do)
+            !/ /.test(url);
+        if (isRealLink) {
+            return match; // Keep valid links
+        }
+        // Strip fake links, keep just the text
+        console.warn(`[Timeline] Stripped hallucinated link: ${url}`);
+        return linkText;
+    });
+}
 /**
  * Parse AI response into structured summary data
  */
@@ -65,14 +90,17 @@ export function parseAIResponse(response) {
         const validGutter = (parsed.gutter || [])
             .filter((item) => item.anchor && item.content && typeof item.content === "string")
             .map((item) => ({
-            anchor: item.anchor,
+            anchor: stripHallucinatedLinks(item.anchor),
             type: item.type || "comment",
             content: item.content.trim(),
         }));
+        // Sanitize brief and detailed to remove any hallucinated links
+        const brief = stripHallucinatedLinks(parsed.brief || "Worked on a few things today.");
+        const detailed = stripHallucinatedLinks(parsed.detailed || "## Projects\n\nSome progress was made.");
         return {
             success: true,
-            brief: parsed.brief || "Worked on a few things today.",
-            detailed: parsed.detailed || "## Projects\n\nSome progress was made.",
+            brief,
+            detailed,
             gutter: validGutter,
         };
     }

package/dist/curios/timeline/voices/presets/casual.js

@@ -83,7 +83,10 @@ REQUIREMENTS:
 - JSON only, no markdown code blocks
 - Escape newlines as \\n
 - Gutter anchors must EXACTLY match "### ProjectName" headers
-- Exactly ${gutterCount} gutter comments`;
+- Exactly ${gutterCount} gutter comments
+- NEVER create markdown links for section headers (no [Title](url) format)
+- Only use plain text for headings like "### ProjectName"
+- Do NOT invent URLs or link to non-existent repositories`;
     },
 };
 export default casual;

package/dist/curios/timeline/voices/presets/minimal.js

@@ -84,7 +84,10 @@ REQUIREMENTS:
 - Escape newlines as \\n
 - Gutter anchors must EXACTLY match "### ProjectName" headers
 - Exactly ${gutterCount} gutter comments
-- Keep everything as short as possible`;
+- Keep everything as short as possible
+- NEVER create markdown links for section headers (no [Title](url) format)
+- Only use plain text for headings
+- Do NOT invent URLs or link to non-existent repositories`;
     },
 };
 export default minimal;

package/dist/curios/timeline/voices/presets/poetic.js

@@ -84,7 +84,10 @@ REQUIREMENTS:
 - Escape newlines as \\n
 - Gutter anchors must EXACTLY match "### ProjectName" headers
 - Exactly ${gutterCount} gutter comments
-- Keep it genuine - find real meaning, don't force purple prose`;
+- Keep it genuine - find real meaning, don't force purple prose
+- NEVER create markdown links for section headers (no [Title](url) format)
+- Only use plain text for headings like "### ProjectName"
+- Do NOT invent URLs or link to non-existent repositories`;
     },
 };
 export default poetic;

package/dist/curios/timeline/voices/presets/professional.js

@@ -90,7 +90,10 @@ REQUIREMENTS:
 - JSON only, no markdown code blocks
 - Escape newlines as \\n
 - Gutter anchors must EXACTLY match "### ProjectName" headers
-- Exactly ${gutterCount} gutter comments`;
+- Exactly ${gutterCount} gutter comments
+- NEVER create markdown links for section headers (no [Title](url) format)
+- Only use plain text for headings like "### ProjectName"
+- Do NOT invent URLs or link to non-existent repositories`;
     },
 };
 export default professional;

package/dist/curios/timeline/voices/presets/quest.js

@@ -83,7 +83,10 @@ REQUIREMENTS:
 - Escape newlines as \\n
 - Gutter anchors must EXACTLY match the "### [ProjectName] Expedition" headers you create
 - Exactly ${gutterCount} gutter comments
-- Keep it fun but still informative about what actually happened`;
+- Keep it fun but still informative about what actually happened
+- NEVER create markdown links for section headers (no [Title](url) format)
+- Only use plain text for headings
+- Do NOT invent URLs or link to non-existent repositories`;
     },
 };
 export default quest;

package/dist/grafts/login/LoginGraft.svelte

@@ -95,6 +95,7 @@
 		try {
 			const response = await fetch(GROVEAUTH_URLS.socialSignIn, {
 				method: "POST",
+				credentials: "include",  // Required for cross-origin cookies
 				headers: {
 					"Content-Type": "application/json",
 				},

package/dist/grafts/login/config.d.ts

@@ -76,8 +76,10 @@ export declare const AUTH_COOKIE_NAMES: {
     readonly refreshToken: "refresh_token";
     /** Session ID (legacy) @deprecated */
     readonly session: "session";
-    /** Better Auth session token (the new standard) */
+    /** Better Auth session token (the new standard) - unprefixed for dev */
     readonly betterAuthSession: "better-auth.session_token";
+    /** Better Auth session token with __Secure- prefix (production HTTPS) */
+    readonly betterAuthSessionSecure: "__Secure-better-auth.session_token";
 };
 /**
  * Cookie options for OAuth flow cookies.

package/dist/grafts/login/config.js

@@ -114,8 +114,10 @@ export const AUTH_COOKIE_NAMES = {
     refreshToken: "refresh_token",
     /** Session ID (legacy) @deprecated */
     session: "session",
-    /** Better Auth session token (the new standard) */
+    /** Better Auth session token (the new standard) - unprefixed for dev */
     betterAuthSession: "better-auth.session_token",
+    /** Better Auth session token with __Secure- prefix (production HTTPS) */
+    betterAuthSessionSecure: "__Secure-better-auth.session_token",
 };
 /**
  * Cookie options for OAuth flow cookies.

package/dist/grafts/login/server/callback.js

@@ -10,24 +10,7 @@
  */
 import { redirect } from "@sveltejs/kit";
 import { AUTH_COOKIE_NAMES } from "../config.js";
-// =============================================================================
-// ERROR HANDLING
-// =============================================================================
-/**
- * User-friendly error messages for common OAuth errors.
- */
-const ERROR_MESSAGES = {
-    access_denied: "You cancelled the login process",
-    auth_failed: "Authentication failed, please try again",
-    no_session: "Session was not created, please try again",
-    rate_limited: "Too many login attempts. Please wait before trying again.",
-};
-/**
- * Get a user-friendly error message for an error code.
- */
-function getFriendlyErrorMessage(errorCode) {
-    return ERROR_MESSAGES[errorCode] || "An error occurred during login";
-}
+import { AUTH_ERRORS, getAuthError, logAuthError, buildErrorParams, } from "../../../groveauth/errors.js";
 // =============================================================================
 // RATE LIMITING
 // =============================================================================
@@ -104,10 +87,11 @@ export function createCallbackHandler(config = {}) {
             const rateLimited = await isRateLimited(kv, `auth-callback:${clientIp}`, 10, // 10 attempts
             900);
             if (rateLimited) {
-                console.warn("[Auth Callback] Rate limited:", { ip: clientIp });
+                const authError = AUTH_ERRORS.RATE_LIMITED;
+                logAuthError(authError, { ip: clientIp });
                 return new Response(JSON.stringify({
-                    error: "rate_limited",
-                    message: getFriendlyErrorMessage("rate_limited"),
+                    error: authError.code,
+                    message: authError.userMessage,
                 }), {
                     status: 429,
                     headers: {
@@ -120,19 +104,27 @@ export function createCallbackHandler(config = {}) {
         // Check for error from OAuth provider
         const errorParam = url.searchParams.get("error");
         if (errorParam) {
-            console.error("[Auth Callback] Error from provider:", errorParam);
-            const friendlyMessage = getFriendlyErrorMessage(errorParam === "access_denied" ? "access_denied" : "auth_failed");
-            redirect(302, `/auth/login?error=${encodeURIComponent(friendlyMessage)}`);
+            const authError = getAuthError(errorParam);
+            logAuthError(authError, {
+                oauthError: errorParam,
+                ip: getClientIP(request),
+            });
+            redirect(302, `/auth/login?${buildErrorParams(authError)}`);
         }
         // Get return URL from query params (set by LoginGraft) or use default
         const returnTo = url.searchParams.get("returnTo") || defaultReturnTo;
         // Verify Better Auth session cookie was set
-        // Better Auth sets this cookie during the OAuth callback
-        const sessionToken = cookies.get(AUTH_COOKIE_NAMES.betterAuthSession);
+        // Better Auth uses __Secure- prefix in production (HTTPS)
+        // Check both prefixed and unprefixed names for compatibility
+        const sessionToken = cookies.get(AUTH_COOKIE_NAMES.betterAuthSessionSecure) ||
+            cookies.get(AUTH_COOKIE_NAMES.betterAuthSession);
         if (!sessionToken) {
             // No session cookie - auth may have failed silently
-            console.warn("[Auth Callback] No Better Auth session cookie found");
-            redirect(302, `/auth/login?error=${encodeURIComponent(getFriendlyErrorMessage("no_session"))}`);
+            const authError = AUTH_ERRORS.NO_SESSION;
+            logAuthError(authError, {
+                ip: getClientIP(request),
+            });
+            redirect(302, `/auth/login?${buildErrorParams(authError)}`);
         }
         // Success! Redirect to the requested destination
         console.log("[Auth Callback] Success, redirecting to:", returnTo);

package/dist/groveauth/client.js

@@ -190,9 +190,11 @@ export class GroveAuthClient {
                 code_verifier: codeVerifier,
             }),
         });
-        const data = (await response.json());
+        // Parse response body once (streams can only be consumed once)
+        const data = await response.json();
         if (!response.ok) {
-            throw new GroveAuthError(data.error || "token_error", data.error_description || data.message || "Failed to exchange code", response.status);
+            const error = data;
+            throw new GroveAuthError(error.error || "token_error", error.error_description || error.message || "Failed to exchange code", response.status);
         }
         return data;
     }
@@ -219,9 +221,13 @@ export class GroveAuthClient {
                     client_secret: this.config.clientSecret,
                 }),
             });
-            const data = (await response.json());
+            // Parse response body once (streams can only be consumed once)
+            const data = await response.json();
             if (!response.ok) {
-                throw new GroveAuthError(data.error || "refresh_error", data.error_description || data.message || "Failed to refresh token", response.status);
+                const error = data;
+                throw new GroveAuthError(error.error || "refresh_error", error.error_description ||
+                    error.message ||
+                    "Failed to refresh token", response.status);
             }
             return data;
         }, { maxRetries: options.maxRetries ?? 3 });
@@ -255,8 +261,8 @@ export class GroveAuthClient {
             }),
         });
         if (!response.ok) {
-            const data = (await response.json());
-            throw new GroveAuthError(data.error || "revoke_error", data.error_description || data.message || "Failed to revoke token", response.status);
+            const error = (await response.json());
+            throw new GroveAuthError(error.error || "revoke_error", error.error_description || error.message || "Failed to revoke token", response.status);
         }
     }
     // ===========================================================================
@@ -287,8 +293,8 @@ export class GroveAuthClient {
             },
         });
         if (!response.ok) {
-            const data = (await response.json());
-            throw new GroveAuthError(data.error || "userinfo_error", data.error_description || data.message || "Failed to get user info", response.status);
+            const error = (await response.json());
+            throw new GroveAuthError(error.error || "userinfo_error", error.error_description || error.message || "Failed to get user info", response.status);
         }
         return response.json();
     }
@@ -305,8 +311,8 @@ export class GroveAuthClient {
             },
         });
         if (!response.ok) {
-            const data = (await response.json());
-            throw new GroveAuthError(data.error || "subscription_error", data.message || "Failed to get subscription", response.status);
+            const error = (await response.json());
+            throw new GroveAuthError(error.error || "subscription_error", error.message || "Failed to get subscription", response.status);
         }
         return response.json();
     }

package/dist/groveauth/errors.d.ts

@@ -0,0 +1,165 @@
+/**
+ * Heartwood Auth Error System
+ *
+ * Provides structured error codes for authentication failures.
+ * Error codes follow the format: HW-AUTH-XXX
+ *
+ * Categories:
+ * - user: User can fix this themselves (try again, use different method)
+ * - admin: User should contact admin/support (config issue, permissions)
+ * - bug: Internal error (should not happen, needs investigation)
+ *
+ * @see https://github.com/AutumnsGrove/GroveEngine/issues/668
+ */
+export type ErrorCategory = "user" | "admin" | "bug";
+export interface AuthErrorDef {
+    /** Heartwood error code (e.g., HW-AUTH-001) */
+    code: string;
+    /** Error category for determining how to display */
+    category: ErrorCategory;
+    /** User-facing message (safe to display) */
+    userMessage: string;
+    /** Admin-facing message with more detail */
+    adminMessage: string;
+}
+/**
+ * All Heartwood authentication error codes.
+ *
+ * Ranges:
+ * - 001-019: OAuth provider errors
+ * - 020-039: Session/token errors
+ * - 040-059: Client configuration errors
+ * - 060-079: Rate limiting and security
+ * - 080-099: Internal errors
+ */
+export declare const AUTH_ERRORS: {
+    readonly ACCESS_DENIED: {
+        readonly code: "HW-AUTH-001";
+        readonly category: "user";
+        readonly userMessage: "You cancelled the sign-in process. Try again when ready.";
+        readonly adminMessage: "User denied OAuth consent or cancelled the flow.";
+    };
+    readonly PROVIDER_ERROR: {
+        readonly code: "HW-AUTH-002";
+        readonly category: "bug";
+        readonly userMessage: "The sign-in provider encountered an error. Please try again.";
+        readonly adminMessage: "OAuth provider returned an error during authentication.";
+    };
+    readonly INVALID_SCOPE: {
+        readonly code: "HW-AUTH-003";
+        readonly category: "admin";
+        readonly userMessage: "Sign-in failed due to a configuration issue. Contact support.";
+        readonly adminMessage: "OAuth scope is invalid or not permitted for this client.";
+    };
+    readonly REDIRECT_URI_MISMATCH: {
+        readonly code: "HW-AUTH-004";
+        readonly category: "admin";
+        readonly userMessage: "Sign-in failed due to a configuration issue. Contact support.";
+        readonly adminMessage: "The redirect_uri does not match any registered URI for this client.";
+    };
+    readonly NO_SESSION: {
+        readonly code: "HW-AUTH-020";
+        readonly category: "user";
+        readonly userMessage: "Your session wasn't created. Please try signing in again.";
+        readonly adminMessage: "No session cookie was set after OAuth callback. May indicate cookie blocking.";
+    };
+    readonly SESSION_EXPIRED: {
+        readonly code: "HW-AUTH-021";
+        readonly category: "user";
+        readonly userMessage: "Your session has expired. Please sign in again.";
+        readonly adminMessage: "Session token has expired or been invalidated.";
+    };
+    readonly INVALID_TOKEN: {
+        readonly code: "HW-AUTH-022";
+        readonly category: "user";
+        readonly userMessage: "Your session is invalid. Please sign in again.";
+        readonly adminMessage: "Token validation failed - token is malformed or revoked.";
+    };
+    readonly TOKEN_EXCHANGE_FAILED: {
+        readonly code: "HW-AUTH-023";
+        readonly category: "bug";
+        readonly userMessage: "Sign-in failed. Please try again.";
+        readonly adminMessage: "Failed to exchange authorization code for tokens. Check client credentials.";
+    };
+    readonly LEGACY_SESSION_EXPIRED: {
+        readonly code: "HW-AUTH-024";
+        readonly category: "user";
+        readonly userMessage: "Your old session format has expired. Please sign in with a fresh login.";
+        readonly adminMessage: "Legacy session cookie found but migration deadline has passed.";
+    };
+    readonly UNREGISTERED_CLIENT: {
+        readonly code: "HW-AUTH-040";
+        readonly category: "admin";
+        readonly userMessage: "Sign-in failed due to a configuration issue. Contact support.";
+        readonly adminMessage: "Client ID is not registered with GroveAuth or has been revoked.";
+    };
+    readonly INVALID_CLIENT: {
+        readonly code: "HW-AUTH-041";
+        readonly category: "admin";
+        readonly userMessage: "Sign-in failed due to a configuration issue. Contact support.";
+        readonly adminMessage: "Client authentication failed (invalid client_id or secret).";
+    };
+    readonly ORIGIN_NOT_ALLOWED: {
+        readonly code: "HW-AUTH-042";
+        readonly category: "admin";
+        readonly userMessage: "Sign-in failed due to a configuration issue. Contact support.";
+        readonly adminMessage: "The request origin is not in the allowed origins list for this client.";
+    };
+    readonly RATE_LIMITED: {
+        readonly code: "HW-AUTH-060";
+        readonly category: "user";
+        readonly userMessage: "Too many sign-in attempts. Please wait a few minutes and try again.";
+        readonly adminMessage: "Rate limit exceeded for authentication endpoint.";
+    };
+    readonly CSRF_MISMATCH: {
+        readonly code: "HW-AUTH-061";
+        readonly category: "user";
+        readonly userMessage: "Sign-in failed for security reasons. Please try again.";
+        readonly adminMessage: "OAuth state parameter mismatch - possible CSRF attack.";
+    };
+    readonly INTERNAL_ERROR: {
+        readonly code: "HW-AUTH-080";
+        readonly category: "bug";
+        readonly userMessage: "An unexpected error occurred. Please try again later.";
+        readonly adminMessage: "Internal server error during authentication.";
+    };
+    readonly UNKNOWN_ERROR: {
+        readonly code: "HW-AUTH-099";
+        readonly category: "bug";
+        readonly userMessage: "An unexpected error occurred. Please try again.";
+        readonly adminMessage: "Unknown error code received from OAuth flow.";
+    };
+};
+export type AuthErrorKey = keyof typeof AUTH_ERRORS;
+/**
+ * Get the Heartwood error definition for an OAuth error code.
+ *
+ * @param oauthError - The error code from OAuth (e.g., "access_denied")
+ * @returns The corresponding AuthErrorDef
+ */
+export declare function getAuthError(oauthError: string): AuthErrorDef;
+/**
+ * Get error by Heartwood code (e.g., "HW-AUTH-001").
+ */
+export declare function getAuthErrorByCode(hwCode: string): AuthErrorDef | undefined;
+/**
+ * Log an auth error with structured context.
+ * Sensitive data (tokens, secrets) is NEVER logged.
+ *
+ * @param error - The error definition
+ * @param context - Additional context (sanitized)
+ */
+export declare function logAuthError(error: AuthErrorDef, context?: {
+    oauthError?: string;
+    ip?: string;
+    path?: string;
+    userAgent?: string;
+}): void;
+/**
+ * Build error URL parameters for redirecting to login page.
+ * Includes the error code so the login page can display appropriate messaging.
+ *
+ * @param error - The error definition
+ * @param isAdminFlow - Whether this is an admin-facing flow (shows more detail)
+ */
+export declare function buildErrorParams(error: AuthErrorDef, isAdminFlow?: boolean): string;