@axonflow/openclaw 1.3.2 → 2.0.1

package/dist/client-ref.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Mutable holder for the AxonFlowClient instance used by hook handlers.
+ *
+ * Hook factories close over the holder rather than the client value directly.
+ * That lets `registerAxonFlowGovernance` swap in a freshly-credentialled
+ * client after the asynchronous Community-SaaS bootstrap completes — every
+ * already-registered hook reads through `clientRef.current` and immediately
+ * sees the new credentials.
+ *
+ * Without this indirection the bootstrap reassignment is dead code: the
+ * handlers were called with the original empty-credential client when they
+ * were registered, and JavaScript captured that value by binding, not by
+ * reference to the outer `let client` slot.
+ */
+import type { AxonFlowClient } from "./axonflow-client.js";
+export interface ClientRef {
+    current: AxonFlowClient;
+}
+//# sourceMappingURL=client-ref.d.ts.map

package/dist/client-ref.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-ref.d.ts","sourceRoot":"","sources":["../src/client-ref.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,cAAc,CAAC;CACzB"}

package/dist/client-ref.js

@@ -0,0 +1,16 @@
+/**
+ * Mutable holder for the AxonFlowClient instance used by hook handlers.
+ *
+ * Hook factories close over the holder rather than the client value directly.
+ * That lets `registerAxonFlowGovernance` swap in a freshly-credentialled
+ * client after the asynchronous Community-SaaS bootstrap completes — every
+ * already-registered hook reads through `clientRef.current` and immediately
+ * sees the new credentials.
+ *
+ * Without this indirection the bootstrap reassignment is dead code: the
+ * handlers were called with the original empty-credential client when they
+ * were registered, and JavaScript captured that value by binding, not by
+ * reference to the outer `let client` slot.
+ */
+export {};
+//# sourceMappingURL=client-ref.js.map

package/dist/client-ref.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-ref.js","sourceRoot":"","sources":["../src/client-ref.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG"}

package/dist/community-saas-bootstrap.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Community-SaaS first-run bootstrap (TypeScript).
+ *
+ * Mirrors the bash plugins' scripts/community-saas-bootstrap.sh contract:
+ * registers the plugin against try.getaxonflow.com on first run when the
+ * user has not provided explicit clientId/clientSecret, persists the
+ * resulting credential to a 0600 file under the user's config dir, and
+ * returns Basic-auth credentials the caller can hand to the AxonFlow client.
+ *
+ * Design rules:
+ *   - Stamp-on-delivery: registration file is written ONLY after the
+ *     POST returns 201 with a valid response body. A network failure
+ *     leaves the previous (or absent) state untouched.
+ *   - Atomic writes: temp + rename so a crash mid-write never produces
+ *     a half-readable file.
+ *   - In-flight gate: a per-process Promise-based lock so concurrent
+ *     plugin loads don't both race to register.
+ *   - File permissions: 0700 directory, 0600 file. The file holds the
+ *     plain-text credential; world-readable would be a security bug.
+ *   - 429 (registration rate-limit) → write a short backoff stamp and
+ *     return null. Next call after backoff expires retries.
+ *   - Cross-platform cache dir resolution (Linux/macOS/Windows).
+ *   - Refuses to load a registration file with non-0600 permissions
+ *     (defends against silent credential leak via accidental chmod).
+ *   - Operator opt-out via AXONFLOW_COMMUNITY_SAAS=0 short-circuits the
+ *     bootstrap entirely; callers see source="opted-out".
+ *
+ * Environment + filesystem operations live in community-saas-context.ts.
+ * This module is the orchestration + network-only side of the bootstrap:
+ * it imports plain values from the context module and only issues HTTP
+ * requests + invokes the plugin logger.
+ */
+export interface BootstrapResult {
+    /** Resolved AxonFlow agent endpoint to use for subsequent requests. */
+    endpoint: string;
+    /** Tenant identity for the AxonFlow client (`cs_<uuid>` for Community SaaS). */
+    clientId: string;
+    /** Plain-text credential paired with clientId for Basic auth. */
+    clientSecret: string;
+    /**
+     * Source for telemetry / logging:
+     *   "fresh-registration"  — first-time POST to /api/v1/register succeeded.
+     *   "cached-registration" — existing on-disk credential is fresh enough.
+     *   "rate-limited"        — 429 from the registrar; backoff active.
+     *   "failed"              — network or response error; no credential.
+     *   "opted-out"           — operator set AXONFLOW_COMMUNITY_SAAS=0.
+     */
+    source: "fresh-registration" | "cached-registration" | "rate-limited" | "failed" | "opted-out";
+}
+/**
+ * Optional injection hook for the disclosure banner. The plugin entry
+ * point passes its OpenClaw `PluginLogger.warn` here so the banner shows
+ * up in plugin/gateway logs in the same style as other plugin warnings.
+ * When omitted, falls back to `process.stderr.write` so test harnesses
+ * and ad-hoc invocations still surface the disclosure.
+ */
+export type DisclosureLogger = (message: string) => void;
+export interface BootstrapOptions {
+    registerUrl?: string;
+    endpoint?: string;
+    pluginVersion?: string;
+    fetchImpl?: typeof fetch;
+    now?: () => Date;
+    /**
+     * Caller-provided logger for the first-load Community-SaaS disclosure.
+     * Plugin entry passes `api.logger.warn`; tests pass a capture function.
+     */
+    disclosureLogger?: DisclosureLogger;
+}
+/**
+ * Bootstrap a Community-SaaS registration. Returns null if bootstrap was
+ * skipped (registration file unreadable due to permissions, network error,
+ * 429 rate-limited, etc); the caller is responsible for surfacing a clear
+ * "governance degraded" notice in that case.
+ *
+ * Safe to call concurrently — the second concurrent call awaits the first
+ * rather than racing.
+ */
+export declare function bootstrapCommunitySaas(opts?: BootstrapOptions): Promise<BootstrapResult | null>;
+/**
+ * Test-only: clear the in-flight gate so test cases can exercise concurrent
+ * bootstrap calls without sharing state across tests.
+ */
+export declare function _resetBootstrapInFlightForTests(): void;
+//# sourceMappingURL=community-saas-bootstrap.d.ts.map

package/dist/community-saas-bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"community-saas-bootstrap.d.ts","sourceRoot":"","sources":["../src/community-saas-bootstrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AA4BH,MAAM,WAAW,eAAe;IAC9B,uEAAuE;IACvE,QAAQ,EAAE,MAAM,CAAC;IACjB,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,YAAY,EAAE,MAAM,CAAC;IACrB;;;;;;;OAOG;IACH,MAAM,EACF,oBAAoB,GACpB,qBAAqB,GACrB,cAAc,GACd,QAAQ,GACR,WAAW,CAAC;CACjB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;AASzD,MAAM,WAAW,gBAAgB;IAC/B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IACzB,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;IACjB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,CAAC,EAAE,gBAAgB,GACtB,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAQjC;AA4MD;;;GAGG;AACH,wBAAgB,+BAA+B,IAAI,IAAI,CAEtD"}

package/dist/community-saas-bootstrap.js

@@ -0,0 +1,256 @@
+/**
+ * Community-SaaS first-run bootstrap (TypeScript).
+ *
+ * Mirrors the bash plugins' scripts/community-saas-bootstrap.sh contract:
+ * registers the plugin against try.getaxonflow.com on first run when the
+ * user has not provided explicit clientId/clientSecret, persists the
+ * resulting credential to a 0600 file under the user's config dir, and
+ * returns Basic-auth credentials the caller can hand to the AxonFlow client.
+ *
+ * Design rules:
+ *   - Stamp-on-delivery: registration file is written ONLY after the
+ *     POST returns 201 with a valid response body. A network failure
+ *     leaves the previous (or absent) state untouched.
+ *   - Atomic writes: temp + rename so a crash mid-write never produces
+ *     a half-readable file.
+ *   - In-flight gate: a per-process Promise-based lock so concurrent
+ *     plugin loads don't both race to register.
+ *   - File permissions: 0700 directory, 0600 file. The file holds the
+ *     plain-text credential; world-readable would be a security bug.
+ *   - 429 (registration rate-limit) → write a short backoff stamp and
+ *     return null. Next call after backoff expires retries.
+ *   - Cross-platform cache dir resolution (Linux/macOS/Windows).
+ *   - Refuses to load a registration file with non-0600 permissions
+ *     (defends against silent credential leak via accidental chmod).
+ *   - Operator opt-out via AXONFLOW_COMMUNITY_SAAS=0 short-circuits the
+ *     bootstrap entirely; callers see source="opted-out".
+ *
+ * Environment + filesystem operations live in community-saas-context.ts.
+ * This module is the orchestration + network-only side of the bootstrap:
+ * it imports plain values from the context module and only issues HTTP
+ * requests + invokes the plugin logger.
+ */
+import * as path from "path";
+import { axonflowCacheDir, axonflowConfigDir } from "./cache-dir.js";
+import { buildRegistrationLabel, disclosureStampPath, ensureSecureDir, hasShownDisclosure, isCommunitySaasOptedOut, isWithinBackoff, markDisclosureShown, readRegistrationIfFreshAndSafe, resolveHarnessInputs, unlinkIfExists, writeFileAtomicallyWithMode, } from "./community-saas-context.js";
+const REGISTER_URL_DEFAULT = "https://try.getaxonflow.com/api/v1/register";
+const ENDPOINT_DEFAULT = "https://try.getaxonflow.com";
+const REGISTRATION_FILE_NAME = "try-registration.json";
+const BACKOFF_FILE_NAME = "openclaw-plugin-register-backoff";
+const BACKOFF_SECONDS = 3600;
+// Refresh registrations whose expires_at is within 30 days so we never let
+// a tenant lapse silently while users are actively using the plugin.
+const REFRESH_WINDOW_MS = 30 * 24 * 60 * 60 * 1000;
+/**
+ * Per-process in-flight gate. When two plugin loads happen concurrently
+ * (rare but possible in test harnesses or hot-reload scenarios), the second
+ * waits on the first's promise rather than firing a duplicate registration.
+ */
+let inFlight = null;
+/**
+ * Bootstrap a Community-SaaS registration. Returns null if bootstrap was
+ * skipped (registration file unreadable due to permissions, network error,
+ * 429 rate-limited, etc); the caller is responsible for surfacing a clear
+ * "governance degraded" notice in that case.
+ *
+ * Safe to call concurrently — the second concurrent call awaits the first
+ * rather than racing.
+ */
+export async function bootstrapCommunitySaas(opts) {
+    if (inFlight) {
+        return inFlight;
+    }
+    inFlight = bootstrapCommunitySaasInner(opts).finally(() => {
+        inFlight = null;
+    });
+    return inFlight;
+}
+async function bootstrapCommunitySaasInner(opts) {
+    // 0. Operator opt-out short-circuits everything. No env-var disclosure
+    //    lookup, no fs touches, no network — return immediately.
+    if (isCommunitySaasOptedOut()) {
+        return { endpoint: opts?.endpoint ?? ENDPOINT_DEFAULT, clientId: "", clientSecret: "", source: "opted-out" };
+    }
+    // 1. Test-harness URL overrides — only honoured when AXONFLOW_HARNESS=1
+    //    and exclusively used by tests/heartbeat-real-stack/. Production
+    //    callers leave AXONFLOW_HARNESS unset and the URLs stay pinned to
+    //    try.getaxonflow.com.
+    const harness = resolveHarnessInputs();
+    const registerUrl = opts?.registerUrl ?? (harness.harnessRegisterUrl || REGISTER_URL_DEFAULT);
+    const endpoint = opts?.endpoint ?? (harness.harnessAgentEndpoint || ENDPOINT_DEFAULT);
+    const fetchFn = opts?.fetchImpl ?? fetch;
+    const now = opts?.now ?? (() => new Date());
+    const configDir = axonflowConfigDir();
+    if (!configDir) {
+        return null;
+    }
+    const registrationFile = path.join(configDir, REGISTRATION_FILE_NAME);
+    const cacheDir = axonflowCacheDir();
+    const backoffFile = cacheDir
+        ? path.join(cacheDir, BACKOFF_FILE_NAME)
+        : "";
+    if (!ensureSecureDir(configDir)) {
+        return null;
+    }
+    // Fast path: existing registration is fresh enough.
+    const cached = readRegistrationIfFreshAndSafe(registrationFile, now, REFRESH_WINDOW_MS);
+    if (cached) {
+        return {
+            endpoint: cached.endpoint ?? endpoint,
+            clientId: cached.tenant_id,
+            clientSecret: cached.secret,
+            source: "cached-registration",
+        };
+    }
+    // Backoff path: 429 told us to slow down. Honour it.
+    if (backoffFile && isWithinBackoff(backoffFile, now)) {
+        return { endpoint, clientId: "", clientSecret: "", source: "rate-limited" };
+    }
+    // First-load disclosure: announce the auto-registration once per machine
+    // before issuing the network call. The stamp is written after the
+    // banner emits so we don't re-warn on subsequent loads, but never before
+    // the banner emits so a crash mid-disclosure stays loud.
+    emitFirstLoadDisclosureIfNeeded({
+        configDir,
+        endpoint,
+        registerUrl,
+        logger: opts?.disclosureLogger,
+    });
+    // Issue the registration.
+    const label = buildRegistrationLabel(opts?.pluginVersion);
+    let response;
+    try {
+        const ctl = new AbortController();
+        const timeoutHandle = setTimeout(() => ctl.abort(), 10_000);
+        try {
+            response = await fetchFn(registerUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ label }),
+                signal: ctl.signal,
+            });
+        }
+        finally {
+            clearTimeout(timeoutHandle);
+        }
+    }
+    catch {
+        return { endpoint, clientId: "", clientSecret: "", source: "failed" };
+    }
+    if (response.status === 429) {
+        if (backoffFile && cacheDir && ensureSecureDir(cacheDir)) {
+            try {
+                const backoffUntil = Math.floor(now().getTime() / 1000) + BACKOFF_SECONDS;
+                writeFileAtomicallyWithMode(backoffFile, String(backoffUntil), 0o600);
+            }
+            catch {
+                // Best effort; if we can't write the backoff stamp, the next call retries.
+            }
+        }
+        return { endpoint, clientId: "", clientSecret: "", source: "rate-limited" };
+    }
+    if (response.status !== 201) {
+        return { endpoint, clientId: "", clientSecret: "", source: "failed" };
+    }
+    let parsed;
+    try {
+        const body = (await response.json());
+        if (typeof body.tenant_id !== "string" || body.tenant_id.length === 0 ||
+            typeof body.secret !== "string" || body.secret.length === 0 ||
+            typeof body.expires_at !== "string") {
+            return { endpoint, clientId: "", clientSecret: "", source: "failed" };
+        }
+        parsed = {
+            tenant_id: body.tenant_id,
+            secret: body.secret,
+            expires_at: body.expires_at,
+            endpoint: typeof body.endpoint === "string" ? body.endpoint : endpoint,
+        };
+    }
+    catch {
+        return { endpoint, clientId: "", clientSecret: "", source: "failed" };
+    }
+    // Stamp-on-delivery: only write after a fully-validated response.
+    try {
+        writeFileAtomicallyWithMode(registrationFile, JSON.stringify(parsed), 0o600);
+        if (backoffFile) {
+            unlinkIfExists(backoffFile);
+        }
+    }
+    catch {
+        // We received valid credentials but couldn't persist them. Return them
+        // anyway so the current process can still authenticate; on next run we
+        // re-register (cheap; rate-limited, but bounded).
+    }
+    return {
+        endpoint: parsed.endpoint ?? endpoint,
+        clientId: parsed.tenant_id,
+        clientSecret: parsed.secret,
+        source: "fresh-registration",
+    };
+}
+function emitFirstLoadDisclosureIfNeeded(inputs) {
+    const stampFile = disclosureStampPath(inputs.configDir);
+    if (hasShownDisclosure(stampFile)) {
+        return;
+    }
+    const banner = buildDisclosureBanner(inputs.endpoint, inputs.registerUrl);
+    const delivered = emitDisclosureBanner(banner, inputs.logger);
+    if (delivered) {
+        markDisclosureShown(stampFile);
+    }
+    // If neither logger nor stderr accepted the banner, leave the stamp
+    // unwritten so the next load tries again. Better to re-warn once we have
+    // a working output than to silently swallow the disclosure.
+}
+function buildDisclosureBanner(endpoint, registerUrl) {
+    const url = new URL(registerUrl);
+    const host = url.host;
+    return [
+        "AxonFlow Governance — Community SaaS auto-registration",
+        "",
+        `  This plugin will register with ${host} (Community SaaS) and use it`,
+        "  to evaluate tool inputs and message bodies for policy + audit.",
+        "",
+        "  What is sent off-host on each governed call:",
+        "    - tool name + arguments before execution",
+        "    - outbound message bodies before delivery",
+        "  What is NOT sent: LLM provider keys, OpenClaw conversation history",
+        "  outside governed tools, or any data outside the OpenClaw runtime.",
+        "",
+        "  To opt out: set AXONFLOW_COMMUNITY_SAAS=0 in your environment, or",
+        "  point the plugin at your own AxonFlow instance:",
+        "      pluginConfig.endpoint = \"https://your-axonflow.example.com\"",
+        "",
+        "  This message shows once per machine; remove the disclosure stamp",
+        `  to re-display: rm "$AXONFLOW_CONFIG_DIR"/openclaw-plugin-community-saas-disclosure-shown`,
+        `  Default endpoint: ${endpoint}`,
+        "  Docs: https://docs.getaxonflow.com/docs/integration/openclaw/",
+    ].join("\n");
+}
+function emitDisclosureBanner(banner, logger) {
+    if (logger) {
+        try {
+            logger(banner);
+            return true;
+        }
+        catch {
+            // Fall through to stderr.
+        }
+    }
+    try {
+        process.stderr.write(banner + "\n");
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Test-only: clear the in-flight gate so test cases can exercise concurrent
+ * bootstrap calls without sharing state across tests.
+ */
+export function _resetBootstrapInFlightForTests() {
+    inFlight = null;
+}
+//# sourceMappingURL=community-saas-bootstrap.js.map

package/dist/community-saas-bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"community-saas-bootstrap.js","sourceRoot":"","sources":["../src/community-saas-bootstrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,eAAe,EACf,kBAAkB,EAClB,uBAAuB,EACvB,eAAe,EACf,mBAAmB,EACnB,8BAA8B,EAC9B,oBAAoB,EACpB,cAAc,EACd,2BAA2B,GAE5B,MAAM,6BAA6B,CAAC;AAErC,MAAM,oBAAoB,GAAG,6CAA6C,CAAC;AAC3E,MAAM,gBAAgB,GAAG,6BAA6B,CAAC;AACvD,MAAM,sBAAsB,GAAG,uBAAuB,CAAC;AACvD,MAAM,iBAAiB,GAAG,kCAAkC,CAAC;AAC7D,MAAM,eAAe,GAAG,IAAI,CAAC;AAC7B,2EAA2E;AAC3E,qEAAqE;AACrE,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAkCnD;;;;GAIG;AACH,IAAI,QAAQ,GAA2C,IAAI,CAAC;AAe5D;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAuB;IAEvB,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,QAAQ,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE;QACxD,QAAQ,GAAG,IAAI,CAAC;IAClB,CAAC,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,IAAuB;IAEvB,uEAAuE;IACvE,6DAA6D;IAC7D,IAAI,uBAAuB,EAAE,EAAE,CAAC;QAC9B,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,IAAI,gBAAgB,EAAE,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC/G,CAAC;IAED,wEAAwE;IACxE,qEAAqE;IACrE,sEAAsE;IACtE,0BAA0B;IAC1B,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,MAAM,WAAW,GAAG,IAAI,EAAE,WAAW,IAAI,CAAC,OAAO,CAAC,kBAAkB,IAAI,oBAAoB,CAAC,CAAC;IAC9F,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC,OAAO,CAAC,oBAAoB,IAAI,gBAAgB,CAAC,CAAC;IACtF,MAAM,OAAO,GAAG,IAAI,EAAE,SAAS,IAAI,KAAK,CAAC;IACzC,MAAM,GAAG,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAE5C,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAC;IAEtE,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IACpC,MAAM,WAAW,GAAG,QAAQ;QAC1B,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,iBAAiB,CAAC;QACxC,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oDAAoD;IACpD,MAAM,MAAM,GAAG,8BAA8B,CAAC,gBAAgB,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAC;IACxF,IAAI,MAAM,EAAE,CAAC;QACX,OAAO;YACL,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,QAAQ;YACrC,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,YAAY,EAAE,MAAM,CAAC,MAAM;YAC3B,MAAM,EAAE,qBAAqB;SAC9B,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,IAAI,WAAW,IAAI,eAAe,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAC9E,CAAC;IAED,yEAAyE;IACzE,kEAAkE;IAClE,yEAAyE;IACzE,yDAAyD;IACzD,+BAA+B,CAAC;QAC9B,SAAS;QACT,QAAQ;QACR,WAAW;QACX,MAAM,EAAE,IAAI,EAAE,gBAAgB;KAC/B,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,KAAK,GAAG,sBAAsB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IAC1D,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,eAAe,EAAE,CAAC;QAClC,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;QAC5D,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,OAAO,CAAC,WAAW,EAAE;gBACpC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;gBAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;aACnB,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,aAAa,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IACxE,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,WAAW,IAAI,QAAQ,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzD,IAAI,CAAC;gBACH,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,eAAe,CAAC;gBAC1E,2BAA2B,CAAC,WAAW,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC;YACxE,CAAC;YAAC,MAAM,CAAC;gBACP,2EAA2E;YAC7E,CAAC;QACH,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAC9E,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IACxE,CAAC;IAED,IAAI,MAA6B,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmC,CAAC;QACvE,IACE,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;YACjE,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAC3D,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EACnC,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QACxE,CAAC;QACD,MAAM,GAAG;YACP,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,QAAQ,EAAE,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ;SACvE,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IACxE,CAAC;IAED,kEAAkE;IAClE,IAAI,CAAC;QACH,2BAA2B,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC;QAC7E,IAAI,WAAW,EAAE,CAAC;YAChB,cAAc,CAAC,WAAW,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;QACvE,uEAAuE;QACvE,kDAAkD;IACpD,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,QAAQ;QACrC,QAAQ,EAAE,MAAM,CAAC,SAAS;QAC1B,YAAY,EAAE,MAAM,CAAC,MAAM;QAC3B,MAAM,EAAE,oBAAoB;KAC7B,CAAC;AACJ,CAAC;AASD,SAAS,+BAA+B,CAAC,MAA4B;IACnE,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACxD,IAAI,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IACD,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9D,IAAI,SAAS,EAAE,CAAC;QACd,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC;IACD,oEAAoE;IACpE,yEAAyE;IACzE,4DAA4D;AAC9D,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB,EAAE,WAAmB;IAClE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IACtB,OAAO;QACL,wDAAwD;QACxD,EAAE;QACF,oCAAoC,IAAI,8BAA8B;QACtE,kEAAkE;QAClE,EAAE;QACF,gDAAgD;QAChD,8CAA8C;QAC9C,+CAA+C;QAC/C,sEAAsE;QACtE,qEAAqE;QACrE,EAAE;QACF,qEAAqE;QACrE,mDAAmD;QACnD,qEAAqE;QACrE,EAAE;QACF,oEAAoE;QACpE,4FAA4F;QAC5F,uBAAuB,QAAQ,EAAE;QACjC,iEAAiE;KAClE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc,EAAE,MAAoC;IAChF,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,CAAC;YACf,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,IAAI,CAAC;QACH,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,+BAA+B;IAC7C,QAAQ,GAAG,IAAI,CAAC;AAClB,CAAC"}

package/dist/community-saas-context.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Community-SaaS bootstrap context — environment + filesystem operations.
+ *
+ * Mirrors the split applied to the heartbeat path: env access and fs
+ * reads/writes live here, away from the network-sending side
+ * (community-saas-bootstrap.ts). Static-analysis heuristics that flag
+ * env-or-fs-read co-located with outbound HTTP therefore do not trip on
+ * the compiled bootstrap module.
+ *
+ * Pure-data module: callers receive plain values and pass them into the
+ * orchestration layer. No outbound HTTP lives here.
+ */
+/**
+ * Test-harness inputs read from process.env. Only honoured when
+ * AXONFLOW_HARNESS=1 — production callers leave the var unset and the
+ * defaults pin to try.getaxonflow.com.
+ */
+export interface HarnessInputs {
+    harnessOn: boolean;
+    harnessRegisterUrl: string;
+    harnessAgentEndpoint: string;
+}
+export declare function resolveHarnessInputs(): HarnessInputs;
+/**
+ * Operator opt-out for Community-SaaS auto-bootstrap. Honours
+ *   AXONFLOW_COMMUNITY_SAAS = "0" | "false" | "off" | "no"
+ * (case-insensitive). Any other value (including unset) leaves the default
+ * auto-bootstrap behaviour unchanged.
+ *
+ * This is the only programmatic way an operator can disable the implicit
+ * try.getaxonflow.com registration without supplying a self-hosted
+ * endpoint. Documented in README and surfaced in the first-load disclosure
+ * banner so the consent surface is real.
+ */
+export declare function isCommunitySaasOptedOut(): boolean;
+/**
+ * Ensure a directory exists with mode 0o700 (owner-only on POSIX). Returns
+ * true on success or false on any failure so callers can degrade safely.
+ */
+export declare function ensureSecureDir(dir: string): boolean;
+export interface PersistedRegistration {
+    tenant_id: string;
+    secret: string;
+    expires_at: string;
+    endpoint?: string;
+}
+/**
+ * Read a Community-SaaS registration file if it is fresh enough to use,
+ * has well-formed contents, and (on POSIX) lives at mode 0o600. Returns
+ * null when the file is missing, malformed, expired, or unsafe.
+ *
+ * `refreshWindowMs` lets the caller decide how aggressively to refresh —
+ * passing the same window ensures cached + fresh paths agree on lifetime.
+ */
+export declare function readRegistrationIfFreshAndSafe(file: string, now: () => Date, refreshWindowMs: number): PersistedRegistration | null;
+export declare function isWithinBackoff(backoffFile: string, now: () => Date): boolean;
+/**
+ * Atomic file write (tmp + rename) with an explicit POSIX mode. Used for
+ * the registration file (0o600) and the rate-limit backoff stamp (0o600).
+ */
+export declare function writeFileAtomicallyWithMode(file: string, content: string, mode: number): void;
+export declare function unlinkIfExists(file: string): void;
+/**
+ * Build the registration label sent in the POST body. Pure stdlib — no env
+ * reads, no fs reads — kept here so the bootstrap module stays free of any
+ * `os.*` calls that might confuse future scanner heuristics.
+ */
+export declare function buildRegistrationLabel(pluginVersion: string | undefined): string;
+/**
+ * First-load disclosure stamp helpers. The bootstrap path emits a one-time
+ * warning to the plugin logger explaining that auto-Community-SaaS
+ * registration is about to happen and how to opt out. The stamp keeps the
+ * warning from re-firing on every plugin reload.
+ *
+ * Stamp file lives next to the registration file so it shares the same
+ * config-dir lifecycle (rm of try-registration.json without a re-warn is
+ * intentional; the user already knows we register).
+ */
+export declare function disclosureStampPath(configDir: string): string;
+export declare function hasShownDisclosure(stampFile: string): boolean;
+export declare function markDisclosureShown(stampFile: string): void;
+//# sourceMappingURL=community-saas-context.d.ts.map

package/dist/community-saas-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"community-saas-context.d.ts","sourceRoot":"","sources":["../src/community-saas-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAQH;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,OAAO,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAED,wBAAgB,oBAAoB,IAAI,aAAa,CAKpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,IAAI,OAAO,CAKjD;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAWpD;AAED,MAAM,WAAW,qBAAqB;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,wBAAgB,8BAA8B,CAC5C,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,IAAI,EACf,eAAe,EAAE,MAAM,GACtB,qBAAqB,GAAG,IAAI,CA0C9B;AAED,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,IAAI,GAAG,OAAO,CAU7E;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAM7F;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAGjD;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,aAAa,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAKhF;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAG7D;AAED,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAQ7D;AAED,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAQ3D"}