@docyrus/docyrus 0.0.26 → 0.0.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@docyrus/docyrus",
-  "version": "0.0.26",
+  "version": "0.0.27",
   "private": false,
   "description": "Docyrus API CLI",
   "main": "./main.js",

package/resources/pi-agent/skills/docyrus-platform/SKILL.md

@@ -24,7 +24,7 @@ For detailed specifications of each building block, see [references/core-buildin
 
 ### Querying & Data Operations
 
-Unified query engine with column selection, 50+ filter operators, aggregations, formulas, pivots, child queries, and full-text search. Full CRUD with bulk operations.
+Unified query engine with column selection, 50+ filter operators, aggregations, formulas, pivots, child queries, and full-text search. Full CRUD with bulk operations, record comments, and file attachments.
 
 See [references/querying-and-data-operations.md](references/querying-and-data-operations.md).
 

package/resources/pi-agent/skills/docyrus-platform/references/developer-tools.md

@@ -14,7 +14,7 @@
 ## CLI
 
 - Full-featured CLI (`@docyrus/docyrus`) for terminal and AI agent use
-- Commands: environment management, authentication, data operations, schema management (studio), app management, API discovery, AI chat, and direct API requests
+- Commands: environment management, authentication, data operations, record comments, record file attachments, schema management (studio), app management, API discovery, AI chat, and direct API requests
 - Multi-account, multi-tenant session management
 - OpenAPI discovery with caching and fallback generation
 - Interactive TUI mode

package/resources/pi-agent/skills/docyrus-platform/references/docyrus-cli-usage.md

@@ -251,6 +251,52 @@ Delete a data source item.
 | `dataSourceSlug` | string | yes | Data source slug |
 | `recordId` | string | yes | Record ID |
 
+### `docyrus ds comments create <appSlug> <dataSourceSlug> <recordId>`
+
+Create a record-scoped comment.
+
+| Argument | Type | Required | Description |
+|---|---|---|---|
+| `appSlug` | string | yes | App slug |
+| `dataSourceSlug` | string | yes | Data source slug |
+| `recordId` | string | yes | Record ID |
+
+| Option | Type | Description |
+|---|---|---|
+| `--message` | string | Comment message |
+| `--data` | string | Full JSON payload for the comment DTO |
+| `--fromFile` | string | Path to a JSON payload file |
+| `--parentId` | string | Parent comment ID |
+| `--assignedTo` | string | Assigned user ID |
+| `--attachments` | string | JSON attachments payload |
+| `--level` | number | Comment level |
+| `--status` | number | Comment status |
+| `--done` | boolean | Mark comment as done |
+
+**Notes:**
+- Use either `--message` or `--data` / `--fromFile`
+- `--data` and `--fromFile` cannot be mixed with field-specific flags
+
+### `docyrus ds files upload <appSlug> <dataSourceSlug> <recordId>`
+
+Upload a record-scoped file attachment.
+
+| Argument | Type | Required | Description |
+|---|---|---|---|
+| `appSlug` | string | yes | App slug |
+| `dataSourceSlug` | string | yes | Data source slug |
+| `recordId` | string | yes | Record ID |
+
+| Option | Type | Description |
+|---|---|---|
+| `--file` | string | Path to the local file to upload |
+| `--contentType` | string | Override the inferred MIME type |
+| `--publicFile` | boolean | Store the file in the public tenant bucket |
+
+**Notes:**
+- Uploads use `multipart/form-data`
+- Content type is inferred from the file extension when omitted
+
 ---
 
 ## discover — OpenAPI Discovery

package/resources/pi-agent/skills/docyrus-platform/references/querying-and-data-operations.md

@@ -6,6 +6,13 @@
 - Bulk create, bulk update, bulk delete (batched for performance)
 - Insert/update/delete with custom return value selection
 
+## Record Comments & Files
+
+- Record-scoped comments with create, list, fetch by ID, update, and delete operations
+- Comment payloads can include threading (`parentId`), assignee targeting (`assignedTo`), attachments metadata, level, status, and done state
+- Record-scoped file attachments with upload, list, fetch by ID, insert-without-upload, copy/move, and delete operations
+- File uploads support multipart form data, public/private storage selection, and record association
+
 ## Query Engine
 
 Every list/get call accepts a structured query payload:

package/server-loader.js

@@ -795,6 +795,7 @@ var AgentEnvStore = class {
 
 // src/server/agentServer.ts
 var import_node_child_process = require("node:child_process");
+var import_node_crypto2 = require("node:crypto");
 var import_promises3 = require("node:fs/promises");
 var import_node_path3 = require("node:path");
 
@@ -4397,7 +4398,7 @@ async function walkFiles(params) {
   }
 }
 async function createAgentServer(params) {
-  const { port, sessionManager, modelRegistry, authRuntime, context, onCreateSession, onResumeSession } = params;
+  const { port, sessionManager, modelRegistry, authRuntime, context, onCreateSession, onResumeSession, authToken } = params;
   let activeSession = params.session;
   const pendingAskUserRequests = /* @__PURE__ */ new Map();
   const oauthFlowManager = new OAuthFlowManager();
@@ -4424,6 +4425,13 @@ async function createAgentServer(params) {
     });
   }
   app.use("/*", cors({ origin: "*" }));
+  app.use("/*", async (c, next) => {
+    const unauthorizedResponse = authorizeServerRequest(c.req.raw, authToken);
+    if (unauthorizedResponse) {
+      return unauthorizedResponse;
+    }
+    await next();
+  });
   app.get("/api/health", (c) => {
     return c.json({ ok: true });
   });
@@ -5146,6 +5154,140 @@ async function createAgentServer(params) {
     devUrl = null;
     return c.json({ status: "stopped", url: stoppedUrl, pid });
   });
+  function gitExec(args, gitCwd) {
+    return new Promise((res, rej) => {
+      (0, import_node_child_process.execFile)("git", args, { cwd: gitCwd, maxBuffer: 50 * 1024 * 1024 }, (err, stdout) => {
+        if (err) {
+          return rej(err);
+        }
+        res(stdout);
+      });
+    });
+  }
+  app.get("/api/git/diff", async (c) => {
+    const filterPath = c.req.query("path");
+    const cwd = context.cwd;
+    try {
+      let branch;
+      let hasHead = true;
+      try {
+        branch = (await gitExec(["rev-parse", "--abbrev-ref", "HEAD"], cwd)).trim() || void 0;
+      } catch {
+        hasHead = false;
+      }
+      const diffRef = hasHead ? ["diff", "HEAD"] : ["diff", "--cached"];
+      const [nameStatusRaw, untrackedRaw, numstatRaw] = await Promise.all([
+        gitExec([...diffRef, "--name-status"], cwd).catch(() => ""),
+        gitExec(["ls-files", "--others", "--exclude-standard"], cwd).catch(() => ""),
+        gitExec([...diffRef, "--numstat"], cwd).catch(() => "")
+      ]);
+      const entries = [];
+      for (const line of nameStatusRaw.split("\n").filter(Boolean)) {
+        const parts = line.split("	");
+        const code = parts[0];
+        if (code.startsWith("R")) {
+          entries.push({ path: parts[2], status: "renamed", oldPath: parts[1] });
+        } else if (code.startsWith("C")) {
+          entries.push({ path: parts[2], status: "copied", oldPath: parts[1] });
+        } else if (code.startsWith("M")) {
+          entries.push({ path: parts[1], status: "modified" });
+        } else if (code.startsWith("A")) {
+          entries.push({ path: parts[1], status: "added" });
+        } else if (code.startsWith("D")) {
+          entries.push({ path: parts[1], status: "deleted" });
+        }
+      }
+      for (const filePath of untrackedRaw.split("\n").filter(Boolean)) {
+        entries.push({ path: filePath, status: "untracked" });
+      }
+      const numstatMap = /* @__PURE__ */ new Map();
+      for (const line of numstatRaw.split("\n").filter(Boolean)) {
+        const match2 = line.match(/^(-|\d+)\t(-|\d+)\t(.+)$/);
+        if (!match2) {
+          continue;
+        }
+        const isBinary = match2[1] === "-" && match2[2] === "-";
+        const additions = isBinary ? 0 : Number(match2[1]);
+        const deletions = isBinary ? 0 : Number(match2[2]);
+        let filePath = match2[3];
+        const arrowIdx = filePath.indexOf(" => ");
+        if (arrowIdx !== -1) {
+          const braceStart = filePath.indexOf("{");
+          if (braceStart !== -1 && braceStart < arrowIdx) {
+            const braceEnd = filePath.indexOf("}", arrowIdx);
+            if (braceEnd !== -1) {
+              const prefix = filePath.slice(0, braceStart);
+              const suffix = filePath.slice(braceEnd + 1);
+              const newPart = filePath.slice(braceStart + 1, braceEnd).split(" => ")[1];
+              filePath = prefix + newPart + suffix;
+            }
+          } else {
+            filePath = filePath.slice(arrowIdx + 4);
+          }
+        }
+        numstatMap.set(filePath, { additions, deletions, isBinary });
+      }
+      const filtered = filterPath ? entries.filter((e) => e.path === filterPath) : entries;
+      const MAX_CONTENT_SIZE = 1e6;
+      const fileResults = await Promise.all(filtered.map(async (entry) => {
+        const stats = numstatMap.get(entry.path);
+        if (stats?.isBinary) {
+          return null;
+        }
+        let oldContent = "";
+        let newContent = "";
+        let truncated = false;
+        if (hasHead && (entry.status === "modified" || entry.status === "deleted" || entry.status === "renamed" || entry.status === "copied")) {
+          const showPath = entry.oldPath ?? entry.path;
+          try {
+            oldContent = await gitExec(["show", `HEAD:${showPath}`], cwd);
+            if (oldContent.length > MAX_CONTENT_SIZE) {
+              oldContent = oldContent.slice(0, MAX_CONTENT_SIZE);
+              truncated = true;
+            }
+          } catch {
+          }
+        }
+        if (entry.status !== "deleted") {
+          try {
+            const resolved = (0, import_node_path3.resolve)(cwd, entry.path);
+            const buf = await (0, import_promises3.readFile)(resolved);
+            if (buf.subarray(0, 8192).includes(0)) {
+              return null;
+            }
+            newContent = buf.toString("utf-8");
+            if (newContent.length > MAX_CONTENT_SIZE) {
+              newContent = newContent.slice(0, MAX_CONTENT_SIZE);
+              truncated = true;
+            }
+          } catch {
+          }
+        }
+        const additions = stats?.additions ?? (entry.status === "untracked" ? newContent.split("\n").length : 0);
+        const deletions = stats?.deletions ?? 0;
+        const file = {
+          path: entry.path,
+          status: entry.status,
+          oldContent,
+          newContent,
+          additions,
+          deletions
+        };
+        if (entry.oldPath) {
+          file.oldPath = entry.oldPath;
+        }
+        if (truncated) {
+          file.truncated = true;
+        }
+        return file;
+      }));
+      const files = fileResults.filter((f) => f !== null);
+      return c.json({ files, ...branch ? { branch } : {} });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json({ error: message }, 500);
+    }
+  });
   const BOOLEAN_CLI_FLAGS = /* @__PURE__ */ new Set(["json", "verbose", "global", "noAuth", "expand", "i"]);
   function buildCliArgs(pathSegments, query, body) {
     const args = [...pathSegments, "--json"];
@@ -5294,6 +5436,8 @@ async function createAgentServer(params) {
     process.stderr.write(`  POST /api/env/serve                     \u2014 start dev server (pnpm dev)
 `);
     process.stderr.write(`  POST /api/env/stop                      \u2014 stop dev server
+`);
+    process.stderr.write(`  GET  /api/git/diff                      \u2014 uncommitted file diffs
 `);
     process.stderr.write(`  *    /api/cli/**                        \u2014 proxy any docyrus CLI command
 
@@ -5326,6 +5470,61 @@ async function createAgentServer(params) {
     }
   }
 }
+function extractBearerToken(authorizationHeader) {
+  if (!authorizationHeader) {
+    return null;
+  }
+  const trimmed = authorizationHeader.trim();
+  const firstSpaceIndex = trimmed.indexOf(" ");
+  if (firstSpaceIndex <= 0) {
+    return null;
+  }
+  const scheme = trimmed.slice(0, firstSpaceIndex);
+  const token = trimmed.slice(firstSpaceIndex + 1).trim();
+  if (scheme.toLowerCase() !== "bearer" || token.length === 0) {
+    return null;
+  }
+  return token;
+}
+function hashToken(token) {
+  return (0, import_node_crypto2.createHash)("sha256").update(token).digest();
+}
+function isBearerTokenAuthorized(actualToken, expectedToken) {
+  if (!expectedToken) {
+    return true;
+  }
+  if (!actualToken) {
+    return false;
+  }
+  const actualHash = hashToken(actualToken);
+  const expectedHash = hashToken(expectedToken);
+  return (0, import_node_crypto2.timingSafeEqual)(actualHash, expectedHash);
+}
+function createUnauthorizedResponse() {
+  return new Response(JSON.stringify({ error: "Unauthorized" }), {
+    status: 401,
+    headers: {
+      "Content-Type": "application/json",
+      "WWW-Authenticate": "Bearer"
+    }
+  });
+}
+function authorizeServerRequest(request, expectedToken) {
+  if (!expectedToken || request.method === "OPTIONS") {
+    return null;
+  }
+  const authorizationHeader = request.headers.get("Authorization");
+  const token = extractBearerToken(authorizationHeader);
+  if (!isBearerTokenAuthorized(token, expectedToken)) {
+    return createUnauthorizedResponse();
+  }
+  return null;
+}
+
+// src/server/loaderRequest.ts
+function parseServerLoaderRequest(payload) {
+  return JSON.parse(payload);
+}
 
 // src/server/server-loader.ts
 function readRequiredEnv(name) {
@@ -5336,7 +5535,7 @@ function readRequiredEnv(name) {
   return value;
 }
 function readLoaderRequest() {
-  return JSON.parse(readRequiredEnv("DOCYRUS_PI_REQUEST"));
+  return parseServerLoaderRequest(readRequiredEnv("DOCYRUS_PI_REQUEST"));
 }
 async function loadPiExports() {
   const piPackageDir = readRequiredEnv("PI_PACKAGE_DIR");
@@ -5547,6 +5746,7 @@ Or create ${modelsJsonPath}`
   }
   await createAgentServer({
     session: createServerSessionAdapter({ session, extensionsResult }),
+    authToken: request.auth,
     port: request.port,
     sessionManager: {
       list: () => pi.SessionManager.list(cwd, request.sessionDir),