@cyanautomation/kaseki-agent 1.27.5 → 1.29.0

package/README.md

@@ -29,6 +29,26 @@ KASEKI_API_KEY=sk-dev kaseki-agent list
 KASEKI_API_KEY=sk-dev kaseki-agent report kaseki-1
 ```
 
+### First-Run API Host Setup
+
+For a Docker Compose API host, prepare storage and secrets before starting the
+service:
+
+```bash
+cd /agents/kaseki-agent
+sudo ./scripts/kaseki-setup-host.sh --fix
+docker compose up -d --force-recreate
+
+curl -H "Authorization: Bearer $(cat ~/secrets/kaseki_api_keys)" \
+  http://localhost:8080/api/preflight
+```
+
+The host prep helper creates `/agents`, `/agents/kaseki-results`,
+`/agents/kaseki-runs`, and `/agents/kaseki-cache` for UID/GID `10000:10000`,
+then normalizes `~/secrets` to directory mode `0750` and file mode `0640` with
+group `10000`. If preflight reports a deleted bind mount, recreate the container
+after rerunning the helper.
+
 ### Without Global Install
 
 ```bash

package/dist/__test-utils/openapi-assertions.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Shared OpenAPI test assertion helpers
+ * Reduces complexity of openapi-spec-generator.test.ts by extracting common patterns
+ * @jest-environment node
+ */
+/**
+ * Iterate through all paths and methods in an OpenAPI spec, executing a callback for each
+ * Replaces nested Object.entries().forEach() patterns with a single helper call
+ */
+export declare function forEachPathOperation(paths: Record<string, Record<string, unknown>>, callback: (pathName: string, method: string, operation: Record<string, unknown>) => void): void;
+/**
+ * Assert that a specific endpoint has a given HTTP status code documented in responses
+ */
+export declare function assertStatusCode(spec: Record<string, unknown>, endpoint: string, method: string, statusCode: string | number): void;
+/**
+ * Assert that a schema property has the expected constraints and types
+ */
+export declare function assertSchemaProperty(schema: Record<string, Record<string, unknown>>, propertyName: string, expectedType?: string, expectedFormat?: string): void;
+/**
+ * Assert that an endpoint requires or doesn't require authentication
+ */
+export declare function assertAuthRequired(spec: Record<string, unknown>, endpoint: string, shouldBeProtected: boolean): void;
+/**
+ * Assert that all operations in a path item have required fields
+ */
+export declare function assertPathItemOperationsComplete(pathItem: Record<string, Record<string, unknown>>, requiredFields: string[]): void;
+/**
+ * Assert that a schema is properly structured with type and properties
+ */
+export declare function assertSchemaStructure(schema: Record<string, unknown>, expectedType?: string): void;
+/**
+ * Assert that a field is in the required array of a schema
+ */
+export declare function assertFieldRequired(schema: Record<string, unknown>, fieldName: string): void;
+/**
+ * Assert that all paths have at least one operation defined (GET, POST, etc.)
+ */
+export declare function assertAllPathsHaveOperations(paths: Record<string, Record<string, unknown>>): void;
+//# sourceMappingURL=openapi-assertions.d.ts.map

package/dist/__test-utils/openapi-assertions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openapi-assertions.d.ts","sourceRoot":"","sources":["../../src/__test-utils/openapi-assertions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EAC9C,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,GACvF,IAAI,CAMN;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,GAAG,MAAM,GAC1B,IAAI,CAQN;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EAC/C,YAAY,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,MAAM,EACrB,cAAc,CAAC,EAAE,MAAM,GACtB,IAAI,CAWN;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,QAAQ,EAAE,MAAM,EAChB,iBAAiB,EAAE,OAAO,GACzB,IAAI,CAoBN;AAED;;GAEG;AACH,wBAAgB,gCAAgC,CAC9C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EACjD,cAAc,EAAE,MAAM,EAAE,GACvB,IAAI,CAMN;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,YAAY,SAAW,GACtB,IAAI,CAIN;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,SAAS,EAAE,MAAM,GAChB,IAAI,CAKN;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAOjG"}

package/dist/__test-utils/openapi-assertions.js

@@ -0,0 +1,101 @@
+/**
+ * Shared OpenAPI test assertion helpers
+ * Reduces complexity of openapi-spec-generator.test.ts by extracting common patterns
+ * @jest-environment node
+ */
+/**
+ * Iterate through all paths and methods in an OpenAPI spec, executing a callback for each
+ * Replaces nested Object.entries().forEach() patterns with a single helper call
+ */
+export function forEachPathOperation(paths, callback) {
+    Object.entries(paths).forEach(([pathName, pathItem]) => {
+        Object.entries(pathItem).forEach(([method, operation]) => {
+            callback(pathName, method, operation);
+        });
+    });
+}
+/**
+ * Assert that a specific endpoint has a given HTTP status code documented in responses
+ */
+export function assertStatusCode(spec, endpoint, method, statusCode) {
+    const paths = spec.paths;
+    const pathItem = paths?.[endpoint];
+    const operation = pathItem?.[method.toLowerCase()];
+    const responses = operation?.responses;
+    expect(responses).toBeDefined();
+    expect(responses?.[statusCode.toString()]).toBeDefined();
+}
+/**
+ * Assert that a schema property has the expected constraints and types
+ */
+export function assertSchemaProperty(schema, propertyName, expectedType, expectedFormat) {
+    const properties = schema.properties;
+    const property = properties?.[propertyName];
+    expect(property).toBeDefined();
+    if (expectedType) {
+        expect(property?.type).toBe(expectedType);
+    }
+    if (expectedFormat) {
+        expect(property?.format).toBe(expectedFormat);
+    }
+}
+/**
+ * Assert that an endpoint requires or doesn't require authentication
+ */
+export function assertAuthRequired(spec, endpoint, shouldBeProtected) {
+    const paths = spec.paths;
+    const pathItem = paths?.[endpoint];
+    expect(pathItem).toBeDefined();
+    Object.entries(pathItem).forEach(([, operation]) => {
+        const op = operation;
+        const security = op.security;
+        if (shouldBeProtected) {
+            expect(security).toBeDefined();
+            expect(Array.isArray(security)).toBe(true);
+            expect(security?.length).toBeGreaterThan(0);
+            expect(security?.[0]?.BearerAuth).toBeDefined();
+        }
+        else {
+            // Public endpoint: security should be empty array or undefined
+            expect(security === undefined || (Array.isArray(security) && security.length === 0)).toBe(true);
+        }
+    });
+}
+/**
+ * Assert that all operations in a path item have required fields
+ */
+export function assertPathItemOperationsComplete(pathItem, requiredFields) {
+    Object.entries(pathItem).forEach(([, operation]) => {
+        requiredFields.forEach((field) => {
+            expect(operation[field]).toBeDefined();
+        });
+    });
+}
+/**
+ * Assert that a schema is properly structured with type and properties
+ */
+export function assertSchemaStructure(schema, expectedType = 'object') {
+    expect(schema.type).toBe(expectedType);
+    expect(schema.properties).toBeDefined();
+    expect(typeof schema.properties).toBe('object');
+}
+/**
+ * Assert that a field is in the required array of a schema
+ */
+export function assertFieldRequired(schema, fieldName) {
+    const required = schema.required;
+    expect(required).toBeDefined();
+    expect(Array.isArray(required)).toBe(true);
+    expect(required).toContain(fieldName);
+}
+/**
+ * Assert that all paths have at least one operation defined (GET, POST, etc.)
+ */
+export function assertAllPathsHaveOperations(paths) {
+    const httpMethods = ['get', 'post', 'put', 'delete', 'patch', 'head', 'options'];
+    Object.entries(paths).forEach(([, pathItem]) => {
+        const hasOperation = httpMethods.some((method) => method in pathItem);
+        expect(hasOperation).toBe(true);
+    });
+}
+//# sourceMappingURL=openapi-assertions.js.map

package/dist/__test-utils/openapi-assertions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"openapi-assertions.js","sourceRoot":"","sources":["../../src/__test-utils/openapi-assertions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAA8C,EAC9C,QAAwF;IAExF,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,EAAE;QACrD,MAAM,CAAC,OAAO,CAAC,QAAmC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE;YAClF,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAoC,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAA6B,EAC7B,QAAgB,EAChB,MAAc,EACd,UAA2B;IAE3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAgE,CAAC;IACpF,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,SAAS,GAAG,QAAQ,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,CAA4B,CAAC;IAC9E,MAAM,SAAS,GAAG,SAAS,EAAE,SAAoC,CAAC;IAElE,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,MAAM,CAAC,SAAS,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAA+C,EAC/C,YAAoB,EACpB,YAAqB,EACrB,cAAuB;IAEvB,MAAM,UAAU,GAAG,MAAM,CAAC,UAAqD,CAAC;IAChF,MAAM,QAAQ,GAAG,UAAU,EAAE,CAAC,YAAY,CAAC,CAAC;IAE5C,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/B,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAA6B,EAC7B,QAAgB,EAChB,iBAA0B;IAE1B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAgE,CAAC;IACpF,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC;IAEnC,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAE/B,MAAM,CAAC,OAAO,CAAC,QAAmC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE,EAAE;QAC5E,MAAM,EAAE,GAAG,SAAoC,CAAC;QAChD,MAAM,QAAQ,GAAG,EAAE,CAAC,QAA0C,CAAC;QAE/D,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YAC/B,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC5C,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,+DAA+D;YAC/D,MAAM,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClG,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gCAAgC,CAC9C,QAAiD,EACjD,cAAwB;IAExB,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE,EAAE;QACjD,cAAc,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;YAC/B,MAAM,CAAE,SAAqC,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACtE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,MAA+B,EAC/B,YAAY,GAAG,QAAQ;IAEvB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACvC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;IACxC,MAAM,CAAC,OAAO,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAA+B,EAC/B,SAAiB;IAEjB,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAoC,CAAC;IAC7D,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/B,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAAC,KAA8C;IACzF,MAAM,WAAW,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAEjF,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,EAAE;QAC7C,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,IAAI,QAAQ,CAAC,CAAC;QACtE,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/cli/commands/InitCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"InitCommand.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/InitCommand.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAK7C,qBAAa,WAAY,SAAQ,WAAW;IACpC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAkC9C;;OAEG;IACH,OAAO,CAAC,SAAS;IA2CjB;;OAEG;IACH,OAAO,CAAC,cAAc;CA4DvB"}
+{"version":3,"file":"InitCommand.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/InitCommand.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAK7C,qBAAa,WAAY,SAAQ,WAAW;IACpC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAoC9C;;OAEG;IACH,OAAO,CAAC,SAAS;IA4CjB;;OAEG;IACH,OAAO,CAAC,cAAc;CA4DvB"}

package/dist/cli/commands/InitCommand.js

@@ -17,6 +17,7 @@ export class InitCommand extends BaseCommand {
             // Check for command-specific flags
             const dryRun = args.includes('--dry-run');
             const importLegacy = args.includes('--import-legacy');
+            const force = args.includes('--force');
             // Show help if requested
             if (args.includes('--help') || args.includes('-h')) {
                 this.printHelp();
@@ -27,6 +28,7 @@ export class InitCommand extends BaseCommand {
             const context = await wizard.run({
                 dryRun,
                 importLegacy,
+                force,
             });
             // Show path-specific guidance
             if (!dryRun) {
@@ -55,6 +57,7 @@ USAGE
 OPTIONS
   --dry-run            Validate setup without saving configuration
   --import-legacy      Migrate configuration from old setup paths
+  --force              Skip permission validation and proceed (advanced users only)
   --help, -h           Show this help message
 
 DESCRIPTION

package/dist/cli/commands/InitCommand.js.map

@@ -1 +1 @@
-{"version":3,"file":"InitCommand.js","sourceRoot":"","sources":["../../../src/cli/commands/InitCommand.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;AAExC,MAAM,OAAO,WAAY,SAAQ,WAAW;IAC1C,KAAK,CAAC,OAAO,CAAC,IAAc;QAC1B,IAAI,CAAC;YACH,mCAAmC;YACnC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YAEtD,yBAAyB;YACzB,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjB,OAAO,CAAC,CAAC;YACX,CAAC;YAED,+BAA+B;YAC/B,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC;gBAC/B,MAAM;gBACN,YAAY;aACb,CAAC,CAAC;YAEH,8BAA8B;YAC9B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAED,OAAO,CAAC,CAAC;QACX,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,iBAAiB,KAAK,EAAE,CAAC,CAAC;YACvC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,GAAG,EAAE,CAAC;gBAC9B,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED;;OAEG;IACK,SAAS;QACf,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAuCX,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,OAAY;QACjC,MAAM,UAAU,GAA2B;YACzC,YAAY,EAAE;;;;;;;;;;;OAWb;YAED,WAAW,EAAE;;;;;;;;;;;;;;;OAeZ;YAED,gBAAgB,EAAE;;;;;;;;;;;;;;;;;;;;;;OAsBjB;SACF,CAAC;QAEF,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC,CAAC;QACnE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;CACF"}
+{"version":3,"file":"InitCommand.js","sourceRoot":"","sources":["../../../src/cli/commands/InitCommand.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;AAExC,MAAM,OAAO,WAAY,SAAQ,WAAW;IAC1C,KAAK,CAAC,OAAO,CAAC,IAAc;QAC1B,IAAI,CAAC;YACH,mCAAmC;YACnC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YACtD,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAEvC,yBAAyB;YACzB,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjB,OAAO,CAAC,CAAC;YACX,CAAC;YAED,+BAA+B;YAC/B,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC;gBAC/B,MAAM;gBACN,YAAY;gBACZ,KAAK;aACN,CAAC,CAAC;YAEH,8BAA8B;YAC9B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAED,OAAO,CAAC,CAAC;QACX,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,iBAAiB,KAAK,EAAE,CAAC,CAAC;YACvC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,GAAG,EAAE,CAAC;gBAC9B,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED;;OAEG;IACK,SAAS;QACf,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAwCX,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,OAAY;QACjC,MAAM,UAAU,GAA2B;YACzC,YAAY,EAAE;;;;;;;;;;;OAWb;YAED,WAAW,EAAE;;;;;;;;;;;;;;;OAeZ;YAED,gBAAgB,EAAE;;;;;;;;;;;;;;;;;;;;;;OAsBjB;SACF,CAAC;QAEF,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC,CAAC;QACnE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;CACF"}

package/dist/config/ConfigManager.d.ts

@@ -35,14 +35,14 @@ declare const ConfigSchema: z.ZodObject<{
         timeout_seconds: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
         guardrails: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
     }, "strip", z.ZodTypeAny, {
+        timeout_seconds?: number | undefined;
         model?: string | undefined;
         provider?: string | undefined;
-        timeout_seconds?: number | undefined;
         guardrails?: boolean | undefined;
     }, {
+        timeout_seconds?: number | undefined;
         model?: string | undefined;
         provider?: string | undefined;
-        timeout_seconds?: number | undefined;
         guardrails?: boolean | undefined;
     }>>;
     repo: z.ZodOptional<z.ZodObject<{
@@ -71,22 +71,22 @@ declare const ConfigSchema: z.ZodObject<{
     }, "strip", z.ZodTypeAny, {
         allowlist?: string[] | undefined;
         commands?: string[] | undefined;
+        max_diff_bytes?: number | undefined;
         skip_missing_npm_scripts?: boolean | undefined;
         fail_fast?: boolean | undefined;
         validate_after_agent_failure?: boolean | undefined;
         validation_allowlist?: string[] | undefined;
         restore_disallowed_changes?: boolean | undefined;
-        max_diff_bytes?: number | undefined;
         allow_empty_diff?: boolean | undefined;
     }, {
         allowlist?: string[] | undefined;
         commands?: string[] | undefined;
+        max_diff_bytes?: number | undefined;
         skip_missing_npm_scripts?: boolean | undefined;
         fail_fast?: boolean | undefined;
         validate_after_agent_failure?: boolean | undefined;
         validation_allowlist?: string[] | undefined;
         restore_disallowed_changes?: boolean | undefined;
-        max_diff_bytes?: number | undefined;
         allow_empty_diff?: boolean | undefined;
     }>>;
     caching: z.ZodOptional<z.ZodObject<{
@@ -131,11 +131,11 @@ declare const ConfigSchema: z.ZodObject<{
         app_enabled: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
         publish_mode: z.ZodOptional<z.ZodOptional<z.ZodEnum<["auto", "on", "off"]>>>;
     }, "strip", z.ZodTypeAny, {
-        app_enabled?: boolean | undefined;
         publish_mode?: "auto" | "off" | "on" | undefined;
-    }, {
         app_enabled?: boolean | undefined;
+    }, {
         publish_mode?: "auto" | "off" | "on" | undefined;
+        app_enabled?: boolean | undefined;
     }>>;
     docker: z.ZodOptional<z.ZodObject<{
         image: z.ZodOptional<z.ZodOptional<z.ZodString>>;
@@ -211,12 +211,12 @@ declare const ConfigSchema: z.ZodObject<{
     validation?: {
         allowlist?: string[] | undefined;
         commands?: string[] | undefined;
+        max_diff_bytes?: number | undefined;
         skip_missing_npm_scripts?: boolean | undefined;
         fail_fast?: boolean | undefined;
         validate_after_agent_failure?: boolean | undefined;
         validation_allowlist?: string[] | undefined;
         restore_disallowed_changes?: boolean | undefined;
-        max_diff_bytes?: number | undefined;
         allow_empty_diff?: boolean | undefined;
     } | undefined;
     debug?: {
@@ -234,9 +234,9 @@ declare const ConfigSchema: z.ZodObject<{
         github_app_private_key_file?: string | undefined;
     } | undefined;
     agent?: {
+        timeout_seconds?: number | undefined;
         model?: string | undefined;
         provider?: string | undefined;
-        timeout_seconds?: number | undefined;
         guardrails?: boolean | undefined;
     } | undefined;
     repo?: {
@@ -259,8 +259,8 @@ declare const ConfigSchema: z.ZodObject<{
         max_bytes?: number | undefined;
     } | undefined;
     github?: {
-        app_enabled?: boolean | undefined;
         publish_mode?: "auto" | "off" | "on" | undefined;
+        app_enabled?: boolean | undefined;
     } | undefined;
     docker?: {
         image?: string | undefined;
@@ -284,12 +284,12 @@ declare const ConfigSchema: z.ZodObject<{
     validation?: {
         allowlist?: string[] | undefined;
         commands?: string[] | undefined;
+        max_diff_bytes?: number | undefined;
         skip_missing_npm_scripts?: boolean | undefined;
         fail_fast?: boolean | undefined;
         validate_after_agent_failure?: boolean | undefined;
         validation_allowlist?: string[] | undefined;
         restore_disallowed_changes?: boolean | undefined;
-        max_diff_bytes?: number | undefined;
         allow_empty_diff?: boolean | undefined;
     } | undefined;
     debug?: {
@@ -307,9 +307,9 @@ declare const ConfigSchema: z.ZodObject<{
         github_app_private_key_file?: string | undefined;
     } | undefined;
     agent?: {
+        timeout_seconds?: number | undefined;
         model?: string | undefined;
         provider?: string | undefined;
-        timeout_seconds?: number | undefined;
         guardrails?: boolean | undefined;
     } | undefined;
     repo?: {
@@ -332,8 +332,8 @@ declare const ConfigSchema: z.ZodObject<{
         max_bytes?: number | undefined;
     } | undefined;
     github?: {
-        app_enabled?: boolean | undefined;
         publish_mode?: "auto" | "off" | "on" | undefined;
+        app_enabled?: boolean | undefined;
     } | undefined;
     docker?: {
         image?: string | undefined;

package/dist/kaseki-api-routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"kaseki-api-routes.d.ts","sourceRoot":"","sources":["../src/kaseki-api-routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAmC,MAAM,SAAS,CAAC;AAOlE,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAU5D,OAAO,EAAE,eAAe,EAAkB,MAAM,qBAAqB,CAAC;AAStE,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAI7C,OAAO,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAuO5E,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAmMjE;;GAEG;AACH,wBAAgB,eAAe,CAC7B,SAAS,EAAE,YAAY,EACvB,MAAM,EAAE,eAAe,EACvB,gBAAgB,EAAE,gBAAgB,EAClC,kBAAkB,EAAE,kBAAkB,EACtC,aAAa,cAIX,GACD,MAAM,CA8YR"}
+{"version":3,"file":"kaseki-api-routes.d.ts","sourceRoot":"","sources":["../src/kaseki-api-routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAmC,MAAM,SAAS,CAAC;AAOlE,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAU5D,OAAO,EAAE,eAAe,EAAkB,MAAM,qBAAqB,CAAC;AAStE,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAI7C,OAAO,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAwR5E,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AA0PjE;;GAEG;AACH,wBAAgB,eAAe,CAC7B,SAAS,EAAE,YAAY,EACvB,MAAM,EAAE,eAAe,EACvB,gBAAgB,EAAE,gBAAgB,EAClC,kBAAkB,EAAE,kBAAkB,EACtC,aAAa,cAIX,GACD,MAAM,CA8YR"}

package/dist/kaseki-api-routes.js

@@ -54,46 +54,53 @@ function tailTextByLines(content, lineCount) {
     const lines = content.replace(/\r\n/g, '\n').split('\n');
     return lines.slice(-lineCount).join('\n').trim();
 }
-function buildTemplateHealthStatus(templateDir = process.env.KASEKI_TEMPLATE_DIR || '/agents/kaseki-template') {
-    const checkoutDir = process.env.KASEKI_CHECKOUT_DIR || '/agents/kaseki-agent';
-    const checkoutRef = getTemplateCheckoutRef(checkoutDir);
-    const runScript = path.join(templateDir, 'run-kaseki.sh');
-    const missingFiles = REQUIRED_TEMPLATE_FILES.filter((file) => !fs.existsSync(path.join(templateDir, file)));
+function validateTemplateRunScript(templateDir, runScript, templateRef, checkoutDir) {
     if (!fs.existsSync(runScript)) {
         return {
             ok: false,
             templateDir,
             runScript,
             checkoutDir,
-            checkoutRef,
+            checkoutRef: templateRef,
             detail: `Missing template runner: ${runScript}`,
             remediation: TEMPLATE_REMEDIATION,
         };
     }
+    return null;
+}
+function validateTemplateFiles(templateDir, runScript, templateRef, checkoutDir) {
+    const missingFiles = REQUIRED_TEMPLATE_FILES.filter((file) => !fs.existsSync(path.join(templateDir, file)));
     if (missingFiles.length > 0) {
         return {
             ok: false,
             templateDir,
             runScript,
             checkoutDir,
-            checkoutRef,
+            checkoutRef: templateRef,
             detail: `Template is incomplete at ${templateDir}; missing ${missingFiles.join(', ')}.`,
             remediation: 'Run scripts/kaseki-activate.sh --controller bootstrap, or scripts/kaseki-setup-host.sh --fix before starting the API.',
         };
     }
+    return null;
+}
+function runTemplateDoctor(runScript, checkoutDir) {
     const activateScript = path.join(checkoutDir, 'scripts', 'kaseki-activate.sh');
     const doctorArgs = fs.existsSync(activateScript)
         ? [activateScript, '--json', 'doctor']
         : [runScript, '--doctor'];
-    const doctorCommand = doctorArgs.join(' ');
-    const doctorResult = spawnSync(doctorArgs[0], doctorArgs.slice(1), {
+    return spawnSync(doctorArgs[0], doctorArgs.slice(1), {
         cwd: fs.existsSync(checkoutDir) ? checkoutDir : undefined,
         encoding: 'utf-8',
         timeout: getTemplateDoctorTimeoutMs(),
         maxBuffer: 128 * 1024,
     });
+}
+function validateTemplateDoctor(doctorResult, templateDir, runScript, templateRef, checkoutDir) {
     const stderr = `${doctorResult.stderr || ''}${doctorResult.error ? `\n${doctorResult.error.message}` : ''}`;
     const doctorStderrTail = tailTextByLines(stderr, TEMPLATE_DOCTOR_STDERR_TAIL_LINES);
+    const doctorArgs = fs.existsSync(path.join(checkoutDir, 'scripts', 'kaseki-activate.sh'))
+        ? `${path.join(checkoutDir, 'scripts', 'kaseki-activate.sh')} --json doctor`
+        : `${runScript} --doctor`;
     if (doctorResult.error || doctorResult.status !== 0) {
         const timedOut = doctorResult.error?.message.toLowerCase().includes('timeout') || doctorResult.signal === 'SIGTERM';
         return {
@@ -101,27 +108,50 @@ function buildTemplateHealthStatus(templateDir = process.env.KASEKI_TEMPLATE_DIR
             templateDir,
             runScript,
             checkoutDir,
-            checkoutRef,
-            doctorCommand,
+            checkoutRef: templateRef,
+            doctorCommand: doctorArgs,
             doctorExitCode: doctorResult.status,
             doctorSignal: doctorResult.signal,
             doctorStderrTail,
             detail: timedOut
-                ? `Template doctor timed out after ${getTemplateDoctorTimeoutMs()}ms: ${doctorCommand}`
-                : `Template doctor failed: ${doctorCommand} exited with ${doctorResult.status ?? 'unknown'}`,
+                ? `Template doctor timed out after ${getTemplateDoctorTimeoutMs()}ms: ${doctorArgs}`
+                : `Template doctor failed: ${doctorArgs} exited with ${doctorResult.status ?? 'unknown'}`,
             remediation: TEMPLATE_REMEDIATION,
         };
     }
+    return null;
+}
+function buildTemplateHealthStatus(templateDir = process.env.KASEKI_TEMPLATE_DIR || '/agents/kaseki-template') {
+    const checkoutDir = process.env.KASEKI_CHECKOUT_DIR || '/agents/kaseki-agent';
+    const checkoutRef = getTemplateCheckoutRef(checkoutDir);
+    const runScript = path.join(templateDir, 'run-kaseki.sh');
+    // Check 1: Validate run script exists
+    let validation = validateTemplateRunScript(templateDir, runScript, checkoutRef, checkoutDir);
+    if (validation)
+        return validation;
+    // Check 2: Validate all required files exist
+    validation = validateTemplateFiles(templateDir, runScript, checkoutRef, checkoutDir);
+    if (validation)
+        return validation;
+    // Check 3: Run doctor check
+    const doctorResult = runTemplateDoctor(runScript, checkoutDir);
+    validation = validateTemplateDoctor(doctorResult, templateDir, runScript, checkoutRef, checkoutDir);
+    if (validation)
+        return validation;
+    // All checks passed
+    const doctorArgs = fs.existsSync(path.join(checkoutDir, 'scripts', 'kaseki-activate.sh'))
+        ? `${path.join(checkoutDir, 'scripts', 'kaseki-activate.sh')} --json doctor`
+        : `${runScript} --doctor`;
     return {
         ok: true,
         templateDir,
         runScript,
         checkoutDir,
         checkoutRef,
-        doctorCommand,
+        doctorCommand: doctorArgs,
         doctorExitCode: doctorResult.status,
         doctorSignal: doctorResult.signal,
-        doctorStderrTail,
+        doctorStderrTail: '',
         detail: `Template runner passed doctor check: ${runScript}`,
     };
 }
@@ -198,6 +228,52 @@ function inspectImageDigest(image) {
 }
 // Re-export from subprocess-helpers for backward compatibility with tests
 export { classifyDockerFailure } from './lib/subprocess-helpers.js';
+function parseMountInfo() {
+    try {
+        const mountInfoPath = process.env.KASEKI_MOUNTINFO_PATH || '/proc/self/mountinfo';
+        const content = fs.readFileSync(mountInfoPath, 'utf-8');
+        return content
+            .split(/\r?\n/)
+            .filter(Boolean)
+            .map((line) => {
+            const fields = line.split(' ');
+            return {
+                root: fields[3] || '',
+                mountPoint: fields[4] || '',
+            };
+        });
+    }
+    catch {
+        return [];
+    }
+}
+function checkDeletedBindMounts(paths) {
+    const mountInfo = parseMountInfo();
+    const uniquePaths = [...new Set(paths.filter(Boolean))];
+    const deletedMounts = mountInfo.filter((mount) => {
+        const root = mount.root.toLowerCase();
+        if (!root.includes('deleted')) {
+            return false;
+        }
+        return uniquePaths.some((targetPath) => (targetPath === mount.mountPoint || targetPath.startsWith(`${mount.mountPoint}/`)));
+    });
+    if (deletedMounts.length === 0) {
+        return {
+            name: 'bind-mounts',
+            ok: true,
+            detail: 'No deleted bind mounts detected for Kaseki paths.',
+        };
+    }
+    const details = deletedMounts
+        .map((mount) => `${mount.mountPoint} is backed by deleted source ${mount.root}`)
+        .join('; ');
+    return {
+        name: 'bind-mounts',
+        ok: false,
+        detail: details,
+        remediation: 'Recreate the missing host directory, then recreate the kaseki-api container so Docker binds the live path. For the default layout: sudo /agents/kaseki-agent/scripts/kaseki-setup-host.sh --fix && docker compose up -d --force-recreate.',
+    };
+}
 function checkOpenRouterKey() {
     const keyValue = readHostSecret('openrouter_api_key');
     if (keyValue) {
@@ -282,11 +358,13 @@ function isGitHubAppReady() {
 }
 function buildPreflightResponse(config) {
     const templateDir = process.env.KASEKI_TEMPLATE_DIR || '/agents/kaseki-template';
+    const secretsDir = process.env.KASEKI_SECRETS_DIR || '/agents/secrets';
     const image = readKasekiImage(templateDir);
     const templateImageDigest = readFirstLine(path.join(templateDir, '.kaseki-image-digest')) || inspectImageDigest(image);
     const checkoutDir = process.env.KASEKI_CHECKOUT_DIR || '/agents/kaseki-agent';
     const templateRef = getTemplateCheckoutRef(checkoutDir);
     const checks = [];
+    checks.push(checkDeletedBindMounts([config.resultsDir, templateDir, checkoutDir, secretsDir]));
     try {
         fs.accessSync(config.resultsDir, fs.constants.R_OK | fs.constants.W_OK);
         checks.push({ name: 'results-dir', ok: true, detail: `${config.resultsDir} is readable and writable.` });