@codemation/core-nodes 0.9.0 → 0.10.1

package/dist/index.d.cts

@@ -1264,6 +1264,22 @@ interface ExecutionBinaryService {
     activationId: NodeActivationId;
   }): NodeBinaryAttachmentService;
   openReadStream(attachment: BinaryAttachment): Promise<BinaryStorageReadResult | undefined>;
+  /**
+   * Reads all bytes from the attachment into a contiguous `Uint8Array`.
+   * Checks `attachment.size` against `maxBytes` *before* any allocation; throws a bounded-read
+   * error when exceeded (no OOM). Throws if the stream is unavailable or the byte count mismatches.
+   */
+  getBytes(attachment: BinaryAttachment, maxBytes?: number): Promise<Uint8Array>;
+  /**
+   * Reads the attachment and decodes the bytes as UTF-8 text.
+   * Subject to the same bounded-read safety as `getBytes`.
+   */
+  getText(attachment: BinaryAttachment, maxBytes?: number): Promise<string>;
+  /**
+   * Reads the attachment, decodes as UTF-8 text, and parses as JSON.
+   * Throws a clear error on invalid JSON. Subject to the same bounded-read safety.
+   */
+  getJson<T = unknown>(attachment: BinaryAttachment, maxBytes?: number): Promise<T>;
 }
 interface ExecutionContext {
   runId: RunId;
@@ -2232,21 +2248,6 @@ declare class CodemationChatModelFactory implements ChatModelFactory<CodemationC
     config: CodemationChatModelConfig;
     ctx: NodeExecutionContext<any>;
   }>): Promise<ChatLanguageModel>;
-  /**
-   * Creates an HMAC-signed fetch wrapper for use with AI SDK's createOpenAI.
-   * Each call signs the request body with the workspace pairing secret so the
-   * LLM broker can authenticate the workspace without a user-managed API key.
-   *
-   * Mirrors HmacRequestSigner from @codemation/host/pairing without importing
-   * that package (which would create a circular dependency since @codemation/host
-   * depends on @codemation/core-nodes).
-   */
-  private buildHmacSignedFetch;
-  /**
-   * Produces a Codemation-Hmac v1 Authorization header value.
-   * The algorithm must match HmacVerifier.computeSignature() in the control-plane.
-   */
-  private buildHmacAuthHeader;
 }
 //#endregion
 //#region src/chatModels/ManagedModelFetcher.d.ts
@@ -3876,5 +3877,43 @@ declare const inboxApproval: DefinedHumanApprovalNode<"inbox.approval", {
   onTimeout: "halt" | "auto-accept";
 }, Record<string, unknown>, undefined>;
 //#endregion
-export { AIAgent, AIAgentConnectionWorkflowExpander, AIAgentExecutionHelpersFactory, AIAgentNode, AgentItemPortMap, AgentMessageFactory, AgentOutputFactory, AgentStructuredOutputRepairPromptFactory, AgentStructuredOutputRunner, AgentToolCallPortMap, AgentToolErrorClassifier, AgentToolExecutionCoordinator, AgentToolRepairExhaustedError, AgentToolRepairPolicy, Aggregate, AggregateNode, Assertion, AssertionNode, AssertionOptions, BM25Index, BinaryRef, Callback, CallbackHandler, CallbackNode, CallbackOptions, CallbackResultNormalizer, CanvasIconName, CodemationChatModelConfig, CodemationChatModelFactory, CodemationManagedModel, ConnectionCredentialExecutionContextFactory, ConnectionCredentialNode, ConnectionCredentialNodeConfig, ConnectionCredentialNodeConfigFactory, CredentialSession, CronTickJson, CronTrigger, CronTriggerNode, DeferredMetaToolStrategy, DeferredMetaToolStrategyFactory, DefineRestNodeOptions, ExecutedToolCall, Filter, FilterNode, FindToolsResult, HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES, HttpBodySpec, HttpCredentialDelta, HttpRequest, HttpRequestDownloadMode, HttpRequestNode, HttpRequestOutputJson, HttpRequestResult, HttpRequestSpec, If, IfNode, IsTestRun, IsTestRunNode, ItemScopedToolBinding, ManagedModelDto, ManagedModelFetcher, ManualTrigger, ManualTriggerNode, MapData, MapDataNode, MapDataOptions, Merge, MergeMode, MergeNode, NoOp, NoOpNode, OpenAIChatModelConfig, OpenAIChatModelFactory, OpenAiChatModelPresets, OpenAiCredentialSession, OpenAiStrictJsonSchemaFactory, PlannedToolCall, ResolvedTool, RestNodeApi, RestNodeErrorPolicy, RestNodeRequestShape, RestNodeResponseContext, SSRFBlockedError, Split, SplitNode, SsrfGuard, SubWorkflow, SubWorkflowNode, Switch, SwitchCaseKeyResolver, SwitchNode, TestTrigger, TestTriggerNode, TestTriggerOptions, ToolLoadingStrategy, ToolLoadingStrategyInitInput, ToolLoadingStrategyTurnContext, Wait, WaitDuration, WaitNode, WebhookRespondNowAndContinueError, WebhookRespondNowError, WebhookTrigger, WebhookTriggerNode, type WorkflowAgentMessages, type WorkflowAgentOptions, WorkflowAuthoringBuilder, WorkflowBranchBuilder, WorkflowChain, apiKeyCredentialType, basicAuthCredentialType, bearerTokenCredentialType, collectionDeleteNode, collectionFindOneNode, collectionGetNode, collectionInsertNode, collectionListNode, collectionUpdateNode, createWorkflowBuilder, defineRestNode, inboxApproval, oauth2ClientCredentialsType, openAiChatModelPresets, registerCoreNodes, workflow };
+//#region src/nodes/codemationDocumentScannerNode.d.ts
+declare const ANALYZER_TYPES: readonly ["document", "invoice", "image", "auto"];
+type DocScannerAnalyzerType = (typeof ANALYZER_TYPES)[number];
+/** Per-field value/confidence shape as returned by apps/doc-scanner. */
+type DocScannerField = Readonly<{
+  value: unknown;
+  confidence: number | null;
+}>;
+/** Output shape of CodemationDocumentScanner — identical to the service wire response. */
+type DocScannerOutput = Readonly<{
+  markdown: string;
+  fields: Readonly<Record<string, DocScannerField>>;
+}>;
+type CodemationDocumentScannerConfig = Readonly<{
+  /** Key on `item.binary` that holds the document. Default: "data". */
+  binaryField?: string;
+  /** Analyzer type. Default: "auto" (routes on mime type on the service side). */
+  analyzerType?: DocScannerAnalyzerType;
+  /** MIME type override. Falls back to attachment.mimeType. */
+  contentType?: string;
+  /** Include per-field confidence scores (0–1). Default: false.
+   *  Enabling this roughly doubles contextualization tokens for document analyzers.
+   *  Image and auto-to-image requests silently ignore this flag (confidence stays null). */
+  includeConfidence?: boolean;
+  /** Max bytes checked before any read. Default: 50 MiB (same cap as OCR nodes, LD10). */
+  maxBytes?: number;
+}>;
+declare const codemationDocumentScannerNode: DefinedNode<"codemation.document-scanner", {
+  binaryField?: string | undefined;
+  analyzerType?: "auto" | "document" | "invoice" | "image" | undefined;
+  contentType?: string | undefined;
+  includeConfidence?: boolean | undefined;
+  maxBytes?: number | undefined;
+}, unknown, Readonly<{
+  markdown: string;
+  fields: Readonly<Record<string, DocScannerField>>;
+}>, undefined>;
+//#endregion
+export { AIAgent, AIAgentConnectionWorkflowExpander, AIAgentExecutionHelpersFactory, AIAgentNode, AgentItemPortMap, AgentMessageFactory, AgentOutputFactory, AgentStructuredOutputRepairPromptFactory, AgentStructuredOutputRunner, AgentToolCallPortMap, AgentToolErrorClassifier, AgentToolExecutionCoordinator, AgentToolRepairExhaustedError, AgentToolRepairPolicy, Aggregate, AggregateNode, Assertion, AssertionNode, AssertionOptions, BM25Index, BinaryRef, Callback, CallbackHandler, CallbackNode, CallbackOptions, CallbackResultNormalizer, CanvasIconName, CodemationChatModelConfig, CodemationChatModelFactory, CodemationDocumentScannerConfig, CodemationManagedModel, ConnectionCredentialExecutionContextFactory, ConnectionCredentialNode, ConnectionCredentialNodeConfig, ConnectionCredentialNodeConfigFactory, CredentialSession, CronTickJson, CronTrigger, CronTriggerNode, DeferredMetaToolStrategy, DeferredMetaToolStrategyFactory, DefineRestNodeOptions, DocScannerAnalyzerType, DocScannerField, DocScannerOutput, ExecutedToolCall, Filter, FilterNode, FindToolsResult, HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES, HttpBodySpec, HttpCredentialDelta, HttpRequest, HttpRequestDownloadMode, HttpRequestNode, HttpRequestOutputJson, HttpRequestResult, HttpRequestSpec, If, IfNode, IsTestRun, IsTestRunNode, ItemScopedToolBinding, ManagedModelDto, ManagedModelFetcher, ManualTrigger, ManualTriggerNode, MapData, MapDataNode, MapDataOptions, Merge, MergeMode, MergeNode, NoOp, NoOpNode, OpenAIChatModelConfig, OpenAIChatModelFactory, OpenAiChatModelPresets, OpenAiCredentialSession, OpenAiStrictJsonSchemaFactory, PlannedToolCall, ResolvedTool, RestNodeApi, RestNodeErrorPolicy, RestNodeRequestShape, RestNodeResponseContext, SSRFBlockedError, Split, SplitNode, SsrfGuard, SubWorkflow, SubWorkflowNode, Switch, SwitchCaseKeyResolver, SwitchNode, TestTrigger, TestTriggerNode, TestTriggerOptions, ToolLoadingStrategy, ToolLoadingStrategyInitInput, ToolLoadingStrategyTurnContext, Wait, WaitDuration, WaitNode, WebhookRespondNowAndContinueError, WebhookRespondNowError, WebhookTrigger, WebhookTriggerNode, type WorkflowAgentMessages, type WorkflowAgentOptions, WorkflowAuthoringBuilder, WorkflowBranchBuilder, WorkflowChain, apiKeyCredentialType, basicAuthCredentialType, bearerTokenCredentialType, codemationDocumentScannerNode, collectionDeleteNode, collectionFindOneNode, collectionGetNode, collectionInsertNode, collectionListNode, collectionUpdateNode, createWorkflowBuilder, defineRestNode, inboxApproval, oauth2ClientCredentialsType, openAiChatModelPresets, registerCoreNodes, workflow };
 //# sourceMappingURL=index.d.cts.map

package/dist/index.d.ts

@@ -1264,6 +1264,22 @@ interface ExecutionBinaryService {
     activationId: NodeActivationId;
   }): NodeBinaryAttachmentService;
   openReadStream(attachment: BinaryAttachment): Promise<BinaryStorageReadResult | undefined>;
+  /**
+   * Reads all bytes from the attachment into a contiguous `Uint8Array`.
+   * Checks `attachment.size` against `maxBytes` *before* any allocation; throws a bounded-read
+   * error when exceeded (no OOM). Throws if the stream is unavailable or the byte count mismatches.
+   */
+  getBytes(attachment: BinaryAttachment, maxBytes?: number): Promise<Uint8Array>;
+  /**
+   * Reads the attachment and decodes the bytes as UTF-8 text.
+   * Subject to the same bounded-read safety as `getBytes`.
+   */
+  getText(attachment: BinaryAttachment, maxBytes?: number): Promise<string>;
+  /**
+   * Reads the attachment, decodes as UTF-8 text, and parses as JSON.
+   * Throws a clear error on invalid JSON. Subject to the same bounded-read safety.
+   */
+  getJson<T = unknown>(attachment: BinaryAttachment, maxBytes?: number): Promise<T>;
 }
 interface ExecutionContext {
   runId: RunId;
@@ -2232,21 +2248,6 @@ declare class CodemationChatModelFactory implements ChatModelFactory<CodemationC
     config: CodemationChatModelConfig;
     ctx: NodeExecutionContext<any>;
   }>): Promise<ChatLanguageModel>;
-  /**
-   * Creates an HMAC-signed fetch wrapper for use with AI SDK's createOpenAI.
-   * Each call signs the request body with the workspace pairing secret so the
-   * LLM broker can authenticate the workspace without a user-managed API key.
-   *
-   * Mirrors HmacRequestSigner from @codemation/host/pairing without importing
-   * that package (which would create a circular dependency since @codemation/host
-   * depends on @codemation/core-nodes).
-   */
-  private buildHmacSignedFetch;
-  /**
-   * Produces a Codemation-Hmac v1 Authorization header value.
-   * The algorithm must match HmacVerifier.computeSignature() in the control-plane.
-   */
-  private buildHmacAuthHeader;
 }
 //#endregion
 //#region src/chatModels/ManagedModelFetcher.d.ts
@@ -3876,5 +3877,43 @@ declare const inboxApproval: DefinedHumanApprovalNode<"inbox.approval", {
   onTimeout: "halt" | "auto-accept";
 }, Record<string, unknown>, undefined>;
 //#endregion
-export { AIAgent, AIAgentConnectionWorkflowExpander, AIAgentExecutionHelpersFactory, AIAgentNode, AgentItemPortMap, AgentMessageFactory, AgentOutputFactory, AgentStructuredOutputRepairPromptFactory, AgentStructuredOutputRunner, AgentToolCallPortMap, AgentToolErrorClassifier, AgentToolExecutionCoordinator, AgentToolRepairExhaustedError, AgentToolRepairPolicy, Aggregate, AggregateNode, Assertion, AssertionNode, AssertionOptions, BM25Index, BinaryRef, Callback, CallbackHandler, CallbackNode, CallbackOptions, CallbackResultNormalizer, CanvasIconName, CodemationChatModelConfig, CodemationChatModelFactory, CodemationManagedModel, ConnectionCredentialExecutionContextFactory, ConnectionCredentialNode, ConnectionCredentialNodeConfig, ConnectionCredentialNodeConfigFactory, CredentialSession, CronTickJson, CronTrigger, CronTriggerNode, DeferredMetaToolStrategy, DeferredMetaToolStrategyFactory, DefineRestNodeOptions, type ExecutedToolCall, Filter, FilterNode, type FindToolsResult, HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES, HttpBodySpec, HttpCredentialDelta, HttpRequest, HttpRequestDownloadMode, HttpRequestNode, HttpRequestOutputJson, HttpRequestResult, HttpRequestSpec, If, IfNode, IsTestRun, IsTestRunNode, type ItemScopedToolBinding, ManagedModelDto, ManagedModelFetcher, ManualTrigger, ManualTriggerNode, MapData, MapDataNode, MapDataOptions, Merge, MergeMode, MergeNode, NoOp, NoOpNode, OpenAIChatModelConfig, OpenAIChatModelFactory, OpenAiChatModelPresets, OpenAiCredentialSession, OpenAiStrictJsonSchemaFactory, type PlannedToolCall, type ResolvedTool, RestNodeApi, RestNodeErrorPolicy, RestNodeRequestShape, RestNodeResponseContext, SSRFBlockedError, Split, SplitNode, SsrfGuard, SubWorkflow, SubWorkflowNode, Switch, SwitchCaseKeyResolver, SwitchNode, TestTrigger, TestTriggerNode, TestTriggerOptions, type ToolLoadingStrategy, type ToolLoadingStrategyInitInput, type ToolLoadingStrategyTurnContext, Wait, WaitDuration, WaitNode, WebhookRespondNowAndContinueError, WebhookRespondNowError, WebhookTrigger, WebhookTriggerNode, type WorkflowAgentMessages, type WorkflowAgentOptions, WorkflowAuthoringBuilder, WorkflowBranchBuilder, WorkflowChain, apiKeyCredentialType, basicAuthCredentialType, bearerTokenCredentialType, collectionDeleteNode, collectionFindOneNode, collectionGetNode, collectionInsertNode, collectionListNode, collectionUpdateNode, createWorkflowBuilder, defineRestNode, inboxApproval, oauth2ClientCredentialsType, openAiChatModelPresets, registerCoreNodes, workflow };
+//#region src/nodes/codemationDocumentScannerNode.d.ts
+declare const ANALYZER_TYPES: readonly ["document", "invoice", "image", "auto"];
+type DocScannerAnalyzerType = (typeof ANALYZER_TYPES)[number];
+/** Per-field value/confidence shape as returned by apps/doc-scanner. */
+type DocScannerField = Readonly<{
+  value: unknown;
+  confidence: number | null;
+}>;
+/** Output shape of CodemationDocumentScanner — identical to the service wire response. */
+type DocScannerOutput = Readonly<{
+  markdown: string;
+  fields: Readonly<Record<string, DocScannerField>>;
+}>;
+type CodemationDocumentScannerConfig = Readonly<{
+  /** Key on `item.binary` that holds the document. Default: "data". */
+  binaryField?: string;
+  /** Analyzer type. Default: "auto" (routes on mime type on the service side). */
+  analyzerType?: DocScannerAnalyzerType;
+  /** MIME type override. Falls back to attachment.mimeType. */
+  contentType?: string;
+  /** Include per-field confidence scores (0–1). Default: false.
+   *  Enabling this roughly doubles contextualization tokens for document analyzers.
+   *  Image and auto-to-image requests silently ignore this flag (confidence stays null). */
+  includeConfidence?: boolean;
+  /** Max bytes checked before any read. Default: 50 MiB (same cap as OCR nodes, LD10). */
+  maxBytes?: number;
+}>;
+declare const codemationDocumentScannerNode: DefinedNode<"codemation.document-scanner", {
+  binaryField?: string | undefined;
+  analyzerType?: "auto" | "document" | "invoice" | "image" | undefined;
+  contentType?: string | undefined;
+  includeConfidence?: boolean | undefined;
+  maxBytes?: number | undefined;
+}, unknown, Readonly<{
+  markdown: string;
+  fields: Readonly<Record<string, DocScannerField>>;
+}>, undefined>;
+//#endregion
+export { AIAgent, AIAgentConnectionWorkflowExpander, AIAgentExecutionHelpersFactory, AIAgentNode, AgentItemPortMap, AgentMessageFactory, AgentOutputFactory, AgentStructuredOutputRepairPromptFactory, AgentStructuredOutputRunner, AgentToolCallPortMap, AgentToolErrorClassifier, AgentToolExecutionCoordinator, AgentToolRepairExhaustedError, AgentToolRepairPolicy, Aggregate, AggregateNode, Assertion, AssertionNode, AssertionOptions, BM25Index, BinaryRef, Callback, CallbackHandler, CallbackNode, CallbackOptions, CallbackResultNormalizer, CanvasIconName, CodemationChatModelConfig, CodemationChatModelFactory, CodemationDocumentScannerConfig, CodemationManagedModel, ConnectionCredentialExecutionContextFactory, ConnectionCredentialNode, ConnectionCredentialNodeConfig, ConnectionCredentialNodeConfigFactory, CredentialSession, CronTickJson, CronTrigger, CronTriggerNode, DeferredMetaToolStrategy, DeferredMetaToolStrategyFactory, DefineRestNodeOptions, DocScannerAnalyzerType, DocScannerField, DocScannerOutput, type ExecutedToolCall, Filter, FilterNode, type FindToolsResult, HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES, HttpBodySpec, HttpCredentialDelta, HttpRequest, HttpRequestDownloadMode, HttpRequestNode, HttpRequestOutputJson, HttpRequestResult, HttpRequestSpec, If, IfNode, IsTestRun, IsTestRunNode, type ItemScopedToolBinding, ManagedModelDto, ManagedModelFetcher, ManualTrigger, ManualTriggerNode, MapData, MapDataNode, MapDataOptions, Merge, MergeMode, MergeNode, NoOp, NoOpNode, OpenAIChatModelConfig, OpenAIChatModelFactory, OpenAiChatModelPresets, OpenAiCredentialSession, OpenAiStrictJsonSchemaFactory, type PlannedToolCall, type ResolvedTool, RestNodeApi, RestNodeErrorPolicy, RestNodeRequestShape, RestNodeResponseContext, SSRFBlockedError, Split, SplitNode, SsrfGuard, SubWorkflow, SubWorkflowNode, Switch, SwitchCaseKeyResolver, SwitchNode, TestTrigger, TestTriggerNode, TestTriggerOptions, type ToolLoadingStrategy, type ToolLoadingStrategyInitInput, type ToolLoadingStrategyTurnContext, Wait, WaitDuration, WaitNode, WebhookRespondNowAndContinueError, WebhookRespondNowError, WebhookTrigger, WebhookTriggerNode, type WorkflowAgentMessages, type WorkflowAgentOptions, WorkflowAuthoringBuilder, WorkflowBranchBuilder, WorkflowChain, apiKeyCredentialType, basicAuthCredentialType, bearerTokenCredentialType, codemationDocumentScannerNode, collectionDeleteNode, collectionFindOneNode, collectionGetNode, collectionInsertNode, collectionListNode, collectionUpdateNode, createWorkflowBuilder, defineRestNode, inboxApproval, oauth2ClientCredentialsType, openAiChatModelPresets, registerCoreNodes, workflow };
 //# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -4359,6 +4359,59 @@ var OpenAiChatModelPresets = class {
 };
 const openAiChatModelPresets = new OpenAiChatModelPresets();
 
+//#endregion
+//#region src/chatModels/ManagedHmacSignerFactory.types.ts
+/**
+* Creates an HMAC-signing fetch wrapper that authenticates requests to
+* Codemation managed services (LLM broker, doc-scanner) with the
+* Codemation-Hmac v=1 scheme.
+*
+* Mirrors HmacRequestSigner from @codemation/host/pairing without importing
+* that package (which would create a circular dependency since @codemation/host
+* depends on @codemation/core-nodes).
+*
+* @param workspaceId   - Workspace identifier injected by the CP provisioner.
+* @param pairingSecret - Base64-encoded 32-byte HMAC key injected by the provisioner.
+* @param options       - Optional behaviour flags and test seams.
+*/
+function managedHmacFetchFactory(workspaceId, pairingSecret, options) {
+	const signBody = options?.signBody ?? true;
+	return async (input, init) => {
+		const url = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+		const method = init?.method ?? "POST";
+		let bodyForSigning = "";
+		if (signBody && init?.body !== void 0 && init.body !== null) bodyForSigning = typeof init.body === "string" ? init.body : await new Response(init.body).text();
+		const authHeader = buildHmacAuthHeader(workspaceId, pairingSecret, method, url, bodyForSigning, options);
+		const headers = new Headers(init?.headers);
+		headers.set("Authorization", authHeader);
+		const outgoingBody = signBody ? bodyForSigning || init?.body : init?.body;
+		return fetch(input, {
+			...init,
+			body: outgoingBody,
+			headers
+		});
+	};
+}
+/**
+* Produces a Codemation-Hmac v=1 Authorization header value.
+* Algorithm must match HmacVerifier.computeSignature() in the control-plane.
+*/
+function buildHmacAuthHeader(workspaceId, pairingSecret, method, url, body, overrides) {
+	const ts = overrides?.now ? overrides.now() : Math.floor(Date.now() / 1e3);
+	const nonce = overrides?.nonce ? overrides.nonce() : randomBytes(16).toString("base64");
+	const parsed = new URL(url);
+	const path = (parsed.pathname + parsed.search).toLowerCase();
+	const bodyHash = createHash("sha256").update(body, "utf8").digest("hex");
+	const baseString = [
+		method.toUpperCase(),
+		path,
+		ts,
+		nonce,
+		bodyHash
+	].join("\n");
+	return `Codemation-Hmac v=1,workspaceId=${workspaceId},ts=${ts},nonce=${nonce},sig=${createHmac("sha256", Buffer.from(pairingSecret, "base64")).update(baseString, "utf8").digest("base64")}`;
+}
+
 //#endregion
 //#region src/chatModels/CodemationChatModelFactory.ts
 let CodemationChatModelFactory = class CodemationChatModelFactory$1 {
@@ -4368,7 +4421,7 @@ let CodemationChatModelFactory = class CodemationChatModelFactory$1 {
 		const workspaceId = process.env["WORKSPACE_ID"];
 		const pairingSecret = process.env["WORKSPACE_PAIRING_SECRET"];
 		if (!workspaceId || !pairingSecret) throw new Error("Codemation managed AI not available in this environment (workspace pairing is not configured).");
-		const hmacFetch = this.buildHmacSignedFetch(workspaceId, pairingSecret);
+		const hmacFetch = managedHmacFetchFactory(workspaceId, pairingSecret);
 		const languageModel = createOpenAI({
 			baseURL: `${gatewayUrl}/v1`,
 			apiKey: "codemation-managed",
@@ -4384,52 +4437,6 @@ let CodemationChatModelFactory = class CodemationChatModelFactory$1 {
 			}
 		});
 	}
-	/**
-	* Creates an HMAC-signed fetch wrapper for use with AI SDK's createOpenAI.
-	* Each call signs the request body with the workspace pairing secret so the
-	* LLM broker can authenticate the workspace without a user-managed API key.
-	*
-	* Mirrors HmacRequestSigner from @codemation/host/pairing without importing
-	* that package (which would create a circular dependency since @codemation/host
-	* depends on @codemation/core-nodes).
-	*/
-	buildHmacSignedFetch(workspaceId, pairingSecret) {
-		return async (input, init) => {
-			const url = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
-			const method = init?.method ?? "POST";
-			let bodyString = "";
-			if (init?.body !== void 0 && init.body !== null) if (typeof init.body === "string") bodyString = init.body;
-			else bodyString = await new Response(init.body).text();
-			const authHeader = this.buildHmacAuthHeader(workspaceId, pairingSecret, method, url, bodyString);
-			const headers = new Headers(init?.headers);
-			headers.set("Authorization", authHeader);
-			const effectiveBody = bodyString || init?.body;
-			return fetch(input, {
-				...init,
-				body: effectiveBody,
-				headers
-			});
-		};
-	}
-	/**
-	* Produces a Codemation-Hmac v1 Authorization header value.
-	* The algorithm must match HmacVerifier.computeSignature() in the control-plane.
-	*/
-	buildHmacAuthHeader(workspaceId, pairingSecret, method, url, body) {
-		const ts = Math.floor(Date.now() / 1e3);
-		const nonce = randomBytes(16).toString("base64");
-		const parsed = new URL(url);
-		const path = (parsed.pathname + parsed.search).toLowerCase();
-		const bodyHash = createHash("sha256").update(body, "utf8").digest("hex");
-		const baseString = [
-			method.toUpperCase(),
-			path,
-			ts,
-			nonce,
-			bodyHash
-		].join("\n");
-		return `Codemation-Hmac v=1,workspaceId=${workspaceId},ts=${ts},nonce=${nonce},sig=${createHmac("sha256", Buffer.from(pairingSecret, "base64")).update(baseString, "utf8").digest("base64")}`;
-	}
 };
 CodemationChatModelFactory = __decorate([chatModel({ packageName: "@codemation/core-nodes" })], CodemationChatModelFactory);
 
@@ -6785,7 +6792,11 @@ let AIAgentNode = class AIAgentNode$1 {
 		});
 		try {
 			const callOptions = this.resolveCallOptions(model, guardrails.modelInvocationOptions);
-			const outputSchema = structuredOptions?.strict && !this.isZodSchema(schema) ? Output.object({ schema: jsonSchema(schema) }) : Output.object({ schema });
+			const schemaRecord = this.isZodSchema(schema) ? this.executionHelpers.createJsonSchemaRecord(schema, {
+				schemaName: structuredOptions?.schemaName ?? "structured_output",
+				requireObjectRoot: true
+			}) : schema;
+			const outputSchema = Output.object({ schema: jsonSchema(schemaRecord) });
 			const result = await generateText({
 				model: model.languageModel,
 				messages: [...messages],
@@ -9022,5 +9033,85 @@ const inboxApproval = defineHumanApprovalNode({
 });
 
 //#endregion
-export { AIAgent, AIAgentConnectionWorkflowExpander, AIAgentExecutionHelpersFactory, AIAgentNode, AgentItemPortMap, AgentMessageFactory, AgentOutputFactory, AgentStructuredOutputRepairPromptFactory, AgentStructuredOutputRunner, AgentToolCallPortMap, AgentToolErrorClassifier, AgentToolExecutionCoordinator, AgentToolRepairExhaustedError, AgentToolRepairPolicy, Aggregate, AggregateNode, Assertion, AssertionNode, BM25Index, Callback, CallbackNode, CallbackResultNormalizer, CodemationChatModelConfig, CodemationChatModelFactory, ConnectionCredentialExecutionContextFactory, ConnectionCredentialNode, ConnectionCredentialNodeConfig, ConnectionCredentialNodeConfigFactory, CronTrigger, CronTriggerNode, DeferredMetaToolStrategy, DeferredMetaToolStrategyFactory, Filter, FilterNode, HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES, HttpRequest, HttpRequestNode, If, IfNode, IsTestRun, IsTestRunNode, ManagedModelFetcher, ManualTrigger, ManualTriggerNode, MapData, MapDataNode, Merge, MergeNode, NoOp, NoOpNode, OpenAIChatModelConfig, OpenAIChatModelFactory, OpenAiChatModelPresets, OpenAiStrictJsonSchemaFactory, SSRFBlockedError, Split, SplitNode, SsrfGuard, SubWorkflow, SubWorkflowNode, Switch, SwitchNode, TestTrigger, TestTriggerNode, Wait, WaitDuration, WaitNode, WebhookRespondNowAndContinueError, WebhookRespondNowError, WebhookTrigger, WebhookTriggerNode, WorkflowAuthoringBuilder, WorkflowBranchBuilder, WorkflowChain, apiKeyCredentialType, basicAuthCredentialType, bearerTokenCredentialType, collectionDeleteNode, collectionFindOneNode, collectionGetNode, collectionInsertNode, collectionListNode, collectionUpdateNode, createWorkflowBuilder, defineRestNode, inboxApproval, oauth2ClientCredentialsType, openAiChatModelPresets, registerCoreNodes, workflow };
+//#region src/nodes/codemationDocumentScannerNode.ts
+const ANALYZER_TYPES = [
+	"document",
+	"invoice",
+	"image",
+	"auto"
+];
+const codemationDocumentScannerNode = defineNode({
+	key: "codemation.document-scanner",
+	title: "Codemation Document Scanner",
+	description: "Analyzes a binary attachment (document or image) via the managed Codemation document-scanning service and returns markdown text plus structured fields. No Azure credential required — auth uses the workspace pairing secret. Enable includeConfidence to get per-field confidence scores (0–1).",
+	icon: "lucide:scan-text",
+	input: {
+		binaryField: "data",
+		analyzerType: "auto",
+		contentType: void 0,
+		includeConfidence: false,
+		maxBytes: void 0
+	},
+	configSchema: object({
+		binaryField: string().optional(),
+		analyzerType: _enum(ANALYZER_TYPES).optional(),
+		contentType: string().optional(),
+		includeConfidence: boolean().optional(),
+		maxBytes: number().int().positive().optional()
+	}),
+	inspectorSummary({ config: config$1 }) {
+		const cfg = config$1;
+		const rows = [{
+			label: "Analyzer type",
+			value: cfg.analyzerType ?? "auto"
+		}];
+		const binaryField = cfg.binaryField ?? "data";
+		if (binaryField !== "data") rows.push({
+			label: "Binary field",
+			value: binaryField
+		});
+		if (cfg.includeConfidence) rows.push({
+			label: "Confidence",
+			value: "enabled"
+		});
+		if (cfg.contentType) rows.push({
+			label: "Content type",
+			value: cfg.contentType
+		});
+		return rows;
+	},
+	async execute({ item, ctx }, { config: rawConfig }) {
+		const config$1 = rawConfig;
+		const gatewayUrl = process.env["DOC_SCANNER_GATEWAY_URL"];
+		if (!gatewayUrl) throw new Error("Codemation Document Scanner not available in this environment (DOC_SCANNER_GATEWAY_URL is not set).");
+		const workspaceId = process.env["WORKSPACE_ID"];
+		const pairingSecret = process.env["WORKSPACE_PAIRING_SECRET"];
+		if (!workspaceId || !pairingSecret) throw new Error("Codemation Document Scanner not available (workspace pairing is not configured).");
+		const binaryField = config$1.binaryField ?? "data";
+		const attachment = item.binary?.[binaryField];
+		if (!attachment) throw new Error(`Codemation Document Scanner: no binary attachment at key "${binaryField}".`);
+		const body = await ctx.binary.getBytes(attachment, config$1.maxBytes);
+		const contentType = config$1.contentType ?? attachment.mimeType ?? "application/octet-stream";
+		const analyzerType = config$1.analyzerType ?? "auto";
+		const confidenceSuffix = config$1.includeConfidence ?? false ? "&confidence=true" : "";
+		const url = `${gatewayUrl}/analyze?type=${encodeURIComponent(analyzerType)}${confidenceSuffix}`;
+		const response = await managedHmacFetchFactory(workspaceId, pairingSecret, { signBody: false })(url, {
+			method: "POST",
+			body: body.buffer,
+			headers: {
+				"Content-Type": contentType,
+				"Content-Length": String(body.byteLength),
+				"X-Codemation-Caller": "workflow-node"
+			}
+		});
+		if (!response.ok) {
+			const text = await response.text().catch(() => "(unreadable)");
+			throw new Error(`Codemation Document Scanner: service responded ${response.status} ${response.statusText} — ${text}`);
+		}
+		return await response.json();
+	}
+});
+
+//#endregion
+export { AIAgent, AIAgentConnectionWorkflowExpander, AIAgentExecutionHelpersFactory, AIAgentNode, AgentItemPortMap, AgentMessageFactory, AgentOutputFactory, AgentStructuredOutputRepairPromptFactory, AgentStructuredOutputRunner, AgentToolCallPortMap, AgentToolErrorClassifier, AgentToolExecutionCoordinator, AgentToolRepairExhaustedError, AgentToolRepairPolicy, Aggregate, AggregateNode, Assertion, AssertionNode, BM25Index, Callback, CallbackNode, CallbackResultNormalizer, CodemationChatModelConfig, CodemationChatModelFactory, ConnectionCredentialExecutionContextFactory, ConnectionCredentialNode, ConnectionCredentialNodeConfig, ConnectionCredentialNodeConfigFactory, CronTrigger, CronTriggerNode, DeferredMetaToolStrategy, DeferredMetaToolStrategyFactory, Filter, FilterNode, HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES, HttpRequest, HttpRequestNode, If, IfNode, IsTestRun, IsTestRunNode, ManagedModelFetcher, ManualTrigger, ManualTriggerNode, MapData, MapDataNode, Merge, MergeNode, NoOp, NoOpNode, OpenAIChatModelConfig, OpenAIChatModelFactory, OpenAiChatModelPresets, OpenAiStrictJsonSchemaFactory, SSRFBlockedError, Split, SplitNode, SsrfGuard, SubWorkflow, SubWorkflowNode, Switch, SwitchNode, TestTrigger, TestTriggerNode, Wait, WaitDuration, WaitNode, WebhookRespondNowAndContinueError, WebhookRespondNowError, WebhookTrigger, WebhookTriggerNode, WorkflowAuthoringBuilder, WorkflowBranchBuilder, WorkflowChain, apiKeyCredentialType, basicAuthCredentialType, bearerTokenCredentialType, codemationDocumentScannerNode, collectionDeleteNode, collectionFindOneNode, collectionGetNode, collectionInsertNode, collectionListNode, collectionUpdateNode, createWorkflowBuilder, defineRestNode, inboxApproval, oauth2ClientCredentialsType, openAiChatModelPresets, registerCoreNodes, workflow };
 //# sourceMappingURL=index.js.map