@easynet/agent-tool 1.0.61 → 1.0.63

package/dist/index.cjs

@@ -1,52 +1,131 @@
 'use strict';
 
-var chunkZH5MH3AK_cjs = require('./chunk-ZH5MH3AK.cjs');
-var chunkHK4GTFTQ_cjs = require('./chunk-HK4GTFTQ.cjs');
+require('./chunk-YL6RC7HQ.cjs');
+var chunkWO4LZKPQ_cjs = require('./chunk-WO4LZKPQ.cjs');
+var chunkR55NXJIH_cjs = require('./chunk-R55NXJIH.cjs');
+var chunkU67QDQFQ_cjs = require('./chunk-U67QDQFQ.cjs');
+require('./chunk-ICHSEIZN.cjs');
+require('./chunk-NOGGIM7B.cjs');
+var chunkNMZ4IMEW_cjs = require('./chunk-NMZ4IMEW.cjs');
+var chunkM2GEHWPN_cjs = require('./chunk-M2GEHWPN.cjs');
 require('./chunk-UUNG3GL3.cjs');
 require('./chunk-OG5ZSXQ5.cjs');
-require('./chunk-JNIWNSCQ.cjs');
-require('./chunk-ZDSZHEQU.cjs');
-require('./chunk-PYCCJF7C.cjs');
-require('./chunk-XPGHS4W7.cjs');
-require('./chunk-QEJF3KDV.cjs');
-
+var chunkJNIWNSCQ_cjs = require('./chunk-JNIWNSCQ.cjs');
+var chunkZDSZHEQU_cjs = require('./chunk-ZDSZHEQU.cjs');
+var chunkPYCCJF7C_cjs = require('./chunk-PYCCJF7C.cjs');
+var chunkXPGHS4W7_cjs = require('./chunk-XPGHS4W7.cjs');
+var chunkQEJF3KDV_cjs = require('./chunk-QEJF3KDV.cjs');
 
+// src/index.ts
+var platformApi = {
+  build: {
+    initProject: chunkNMZ4IMEW_cjs.initProject,
+    buildMCPPackage: chunkNMZ4IMEW_cjs.buildMCPPackage,
+    runMCPServer: chunkNMZ4IMEW_cjs.runMCPServer,
+    scanForTools: chunkJNIWNSCQ_cjs.scanForTools,
+    scan: chunkJNIWNSCQ_cjs.scan
+  },
+  extension: {
+    createExtension: chunkWO4LZKPQ_cjs.createExtension,
+    generateManifest: chunkWO4LZKPQ_cjs.generateManifest,
+    generateExtensionManifest: chunkWO4LZKPQ_cjs.generateExtensionManifest,
+    registerExtension: chunkWO4LZKPQ_cjs.registerExtension,
+    registerToolsFromManifest: chunkWO4LZKPQ_cjs.registerToolsFromManifest,
+    loadExtensionManifest: chunkWO4LZKPQ_cjs.loadExtensionManifest,
+    loadToolYaml: chunkWO4LZKPQ_cjs.loadToolYaml,
+    resolveExtensionPackageRoot: chunkWO4LZKPQ_cjs.resolveExtensionPackageRoot,
+    overrideWithConfig: chunkWO4LZKPQ_cjs.overrideWithConfig,
+    getGroupNamePrefixes: chunkWO4LZKPQ_cjs.getGroupNamePrefixes,
+    createDynamicImportAdapter: chunkWO4LZKPQ_cjs.createDynamicImportAdapter,
+    createContextRunner: chunkWO4LZKPQ_cjs.createContextRunner
+  },
+  security: {
+    resolveSandboxedPath: chunkZDSZHEQU_cjs.resolveSandboxedPath,
+    setSandboxValidationEnabled: chunkZDSZHEQU_cjs.setSandboxValidationEnabled,
+    validateUrl: chunkR55NXJIH_cjs.validateUrl,
+    isIpInBlockedCidrs: chunkR55NXJIH_cjs.isIpInBlockedCidrs
+  },
+  core: {
+    createToolSpec: chunkQEJF3KDV_cjs.createToolSpec,
+    DEFAULT_INPUT_SCHEMA: chunkQEJF3KDV_cjs.DEFAULT_INPUT_SCHEMA,
+    DEFAULT_OUTPUT_SCHEMA: chunkQEJF3KDV_cjs.DEFAULT_OUTPUT_SCHEMA
+  },
+  runtime: {
+    createTaggedError: chunkXPGHS4W7_cjs.createTaggedError,
+    withRetry: chunkXPGHS4W7_cjs.withRetry,
+    isRetryable: chunkXPGHS4W7_cjs.isRetryable,
+    ToolRegistry: chunkPYCCJF7C_cjs.ToolRegistry
+  }
+};
 
 Object.defineProperty(exports, "createAgentTools", {
   enumerable: true,
-  get: function () { return chunkZH5MH3AK_cjs.createAgentTools; }
+  get: function () { return chunkU67QDQFQ_cjs.createAgentTools; }
 });
 Object.defineProperty(exports, "createLangChainToolsAsync", {
   enumerable: true,
-  get: function () { return chunkZH5MH3AK_cjs.createLangChainToolsAsync; }
+  get: function () { return chunkU67QDQFQ_cjs.createLangChainToolsAsync; }
+});
+Object.defineProperty(exports, "langchainApi", {
+  enumerable: true,
+  get: function () { return chunkU67QDQFQ_cjs.langchainApi; }
+});
+Object.defineProperty(exports, "mcpApi", {
+  enumerable: true,
+  get: function () { return chunkU67QDQFQ_cjs.mcpApi; }
+});
+Object.defineProperty(exports, "openApi", {
+  enumerable: true,
+  get: function () { return chunkU67QDQFQ_cjs.openApi; }
+});
+Object.defineProperty(exports, "runtimeApi", {
+  enumerable: true,
+  get: function () { return chunkU67QDQFQ_cjs.runtimeApi; }
 });
 Object.defineProperty(exports, "createMCPServer", {
   enumerable: true,
-  get: function () { return chunkHK4GTFTQ_cjs.createMCPServer; }
+  get: function () { return chunkM2GEHWPN_cjs.createMCPServer; }
 });
 Object.defineProperty(exports, "createMCPServerStreamableHttp", {
   enumerable: true,
-  get: function () { return chunkHK4GTFTQ_cjs.createMCPServerStreamableHttp; }
+  get: function () { return chunkM2GEHWPN_cjs.createMCPServerStreamableHttp; }
 });
 Object.defineProperty(exports, "createMCPStreamableHttpHandler", {
   enumerable: true,
-  get: function () { return chunkHK4GTFTQ_cjs.createMCPStreamableHttpHandler; }
+  get: function () { return chunkM2GEHWPN_cjs.createMCPStreamableHttpHandler; }
 });
 Object.defineProperty(exports, "createOpenAPIServer", {
   enumerable: true,
-  get: function () { return chunkHK4GTFTQ_cjs.createHttpService; }
+  get: function () { return chunkM2GEHWPN_cjs.createHttpService; }
 });
 Object.defineProperty(exports, "createRuntimeFromConfig", {
   enumerable: true,
-  get: function () { return chunkHK4GTFTQ_cjs.createRuntimeFromConfig; }
+  get: function () { return chunkM2GEHWPN_cjs.createRuntimeFromConfig; }
 });
 Object.defineProperty(exports, "createRuntimeFromConfigSync", {
   enumerable: true,
-  get: function () { return chunkHK4GTFTQ_cjs.createRuntimeFromConfigSync; }
+  get: function () { return chunkM2GEHWPN_cjs.createRuntimeFromConfigSync; }
 });
 Object.defineProperty(exports, "runMCPServerOverStdio", {
   enumerable: true,
-  get: function () { return chunkHK4GTFTQ_cjs.runMCPServerOverStdio; }
+  get: function () { return chunkM2GEHWPN_cjs.runMCPServerOverStdio; }
+});
+Object.defineProperty(exports, "ToolRegistry", {
+  enumerable: true,
+  get: function () { return chunkPYCCJF7C_cjs.ToolRegistry; }
+});
+Object.defineProperty(exports, "createTaggedError", {
+  enumerable: true,
+  get: function () { return chunkXPGHS4W7_cjs.createTaggedError; }
+});
+Object.defineProperty(exports, "isRetryable", {
+  enumerable: true,
+  get: function () { return chunkXPGHS4W7_cjs.isRetryable; }
+});
+Object.defineProperty(exports, "withRetry", {
+  enumerable: true,
+  get: function () { return chunkXPGHS4W7_cjs.withRetry; }
 });
+exports.platformApi = platformApi;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"index.cjs"}
+{"version":3,"sources":["../src/index.ts"],"names":["initProject","buildMCPPackage","runMCPServer","scanForTools","scan","createExtension","generateManifest","generateExtensionManifest","registerExtension","registerToolsFromManifest","loadExtensionManifest","loadToolYaml","resolveExtensionPackageRoot","overrideWithConfig","getGroupNamePrefixes","createDynamicImportAdapter","createContextRunner","resolveSandboxedPath","setSandboxValidationEnabled","validateUrl","isIpInBlockedCidrs","createToolSpec","DEFAULT_INPUT_SCHEMA","DEFAULT_OUTPUT_SCHEMA","createTaggedError","withRetry","isRetryable","ToolRegistry"],"mappings":";;;;;;;;;;;;;;;;;;;AA+EO,IAAM,WAAA,GAAc;AAAA,EACzB,KAAA,EAAO;AAAA,iBACLA,6BAAA;AAAA,qBACAC,iCAAA;AAAA,kBACAC,8BAAA;AAAA,kBACAC,8BAAA;AAAA,UACAC;AAAA,GACF;AAAA,EACA,SAAA,EAAW;AAAA,qBACTC,iCAAA;AAAA,sBACAC,kCAAA;AAAA,+BACAC,2CAAA;AAAA,uBACAC,mCAAA;AAAA,+BACAC,2CAAA;AAAA,2BACAC,uCAAA;AAAA,kBACAC,8BAAA;AAAA,iCACAC,6CAAA;AAAA,wBACAC,oCAAA;AAAA,0BACAC,sCAAA;AAAA,gCACAC,4CAAA;AAAA,yBACAC;AAAA,GACF;AAAA,EACA,QAAA,EAAU;AAAA,0BACRC,sCAAA;AAAA,iCACAC,6CAAA;AAAA,iBACAC,6BAAA;AAAA,wBACAC;AAAA,GACF;AAAA,EACA,IAAA,EAAM;AAAA,oBACJC,gCAAA;AAAA,0BACAC,sCAAA;AAAA,2BACAC;AAAA,GACF;AAAA,EACA,OAAA,EAAS;AAAA,uBACPC,mCAAA;AAAA,eACAC,2BAAA;AAAA,iBACAC,6BAAA;AAAA,kBACAC;AAAA;AAEJ","file":"index.cjs","sourcesContent":["/**\n * Minimal public API for @easynet/agent-tool.\n * Keep root exports focused on high-level runtime/server creation.\n */\n\n// High-level API (most users should import from @easynet/agent-tool/api)\nexport {\n  createAgentTools,\n  createLangChainToolsAsync,\n  createOpenAPIServer,\n  createMCPServer,\n  runMCPServerOverStdio,\n  createMCPStreamableHttpHandler,\n  createMCPServerStreamableHttp,\n  createRuntimeFromConfig,\n  createRuntimeFromConfigSync,\n  langchainApi,\n  runtimeApi,\n  mcpApi,\n  openApi,\n} from \"./api/main.js\";\nexport type {\n  CreateAgentToolsOptions,\n  CreateRuntimeOptions,\n  CreateRuntimeResult,\n  MCPServerOptions,\n  MCPServerResult,\n  CreateMCPServerStreamableHttpOptions,\n  MCPServerStreamableHttpResult,\n  CreateHttpServiceOptions,\n  HttpServiceResult,\n  OpenAPIHttpServerOptions,\n} from \"./api/main.js\";\n\n// Backward compatibility: older extensions import runtime helpers from package root.\nexport { createTaggedError, withRetry, isRetryable, ToolRegistry } from \"./core/runtime.js\";\n\nimport {\n  initProject,\n  buildMCPPackage,\n  runMCPServer,\n  scanForTools,\n  scan,\n} from \"./build.js\";\nimport {\n  createExtension,\n  generateManifest,\n  generateExtensionManifest,\n  registerExtension,\n  registerToolsFromManifest,\n  loadExtensionManifest,\n  loadToolYaml,\n  resolveExtensionPackageRoot,\n  overrideWithConfig,\n  getGroupNamePrefixes,\n  createDynamicImportAdapter,\n  createContextRunner,\n} from \"./extension.js\";\nimport {\n  resolveSandboxedPath,\n  setSandboxValidationEnabled,\n  validateUrl,\n  isIpInBlockedCidrs,\n} from \"./security.js\";\nimport {\n  createToolSpec,\n  DEFAULT_INPUT_SCHEMA,\n  DEFAULT_OUTPUT_SCHEMA,\n} from \"./core/index.js\";\nimport {\n  createTaggedError,\n  withRetry,\n  isRetryable,\n  ToolRegistry,\n} from \"./core/runtime.js\";\n\n/**\n * Facade: grouped utilities beyond runtime/server creation.\n */\nexport const platformApi = {\n  build: {\n    initProject,\n    buildMCPPackage,\n    runMCPServer,\n    scanForTools,\n    scan,\n  },\n  extension: {\n    createExtension,\n    generateManifest,\n    generateExtensionManifest,\n    registerExtension,\n    registerToolsFromManifest,\n    loadExtensionManifest,\n    loadToolYaml,\n    resolveExtensionPackageRoot,\n    overrideWithConfig,\n    getGroupNamePrefixes,\n    createDynamicImportAdapter,\n    createContextRunner,\n  },\n  security: {\n    resolveSandboxedPath,\n    setSandboxValidationEnabled,\n    validateUrl,\n    isIpInBlockedCidrs,\n  },\n  core: {\n    createToolSpec,\n    DEFAULT_INPUT_SCHEMA,\n    DEFAULT_OUTPUT_SCHEMA,\n  },\n  runtime: {\n    createTaggedError,\n    withRetry,\n    isRetryable,\n    ToolRegistry,\n  },\n} as const;\n"]}

package/dist/index.d.ts

@@ -2,6 +2,55 @@
  * Minimal public API for @easynet/agent-tool.
  * Keep root exports focused on high-level runtime/server creation.
  */
-export { createAgentTools, createLangChainToolsAsync, createOpenAPIServer, createMCPServer, runMCPServerOverStdio, createMCPStreamableHttpHandler, createMCPServerStreamableHttp, createRuntimeFromConfig, createRuntimeFromConfigSync, } from "./api/main.js";
+export { createAgentTools, createLangChainToolsAsync, createOpenAPIServer, createMCPServer, runMCPServerOverStdio, createMCPStreamableHttpHandler, createMCPServerStreamableHttp, createRuntimeFromConfig, createRuntimeFromConfigSync, langchainApi, runtimeApi, mcpApi, openApi, } from "./api/main.js";
 export type { CreateAgentToolsOptions, CreateRuntimeOptions, CreateRuntimeResult, MCPServerOptions, MCPServerResult, CreateMCPServerStreamableHttpOptions, MCPServerStreamableHttpResult, CreateHttpServiceOptions, HttpServiceResult, OpenAPIHttpServerOptions, } from "./api/main.js";
+export { createTaggedError, withRetry, isRetryable, ToolRegistry } from "./core/runtime.js";
+import { initProject, buildMCPPackage, runMCPServer, scanForTools, scan } from "./build.js";
+import { createExtension, generateManifest, generateExtensionManifest, registerExtension, registerToolsFromManifest, loadExtensionManifest, loadToolYaml, resolveExtensionPackageRoot, overrideWithConfig, getGroupNamePrefixes, createDynamicImportAdapter, createContextRunner } from "./extension.js";
+import { resolveSandboxedPath, setSandboxValidationEnabled, validateUrl, isIpInBlockedCidrs } from "./security.js";
+import { createToolSpec } from "./core/index.js";
+import { createTaggedError, withRetry, isRetryable, ToolRegistry } from "./core/runtime.js";
+/**
+ * Facade: grouped utilities beyond runtime/server creation.
+ */
+export declare const platformApi: {
+    readonly build: {
+        readonly initProject: typeof initProject;
+        readonly buildMCPPackage: typeof buildMCPPackage;
+        readonly runMCPServer: typeof runMCPServer;
+        readonly scanForTools: typeof scanForTools;
+        readonly scan: typeof scan;
+    };
+    readonly extension: {
+        readonly createExtension: typeof createExtension;
+        readonly generateManifest: typeof generateManifest;
+        readonly generateExtensionManifest: typeof generateExtensionManifest;
+        readonly registerExtension: typeof registerExtension;
+        readonly registerToolsFromManifest: typeof registerToolsFromManifest;
+        readonly loadExtensionManifest: typeof loadExtensionManifest;
+        readonly loadToolYaml: typeof loadToolYaml;
+        readonly resolveExtensionPackageRoot: typeof resolveExtensionPackageRoot;
+        readonly overrideWithConfig: typeof overrideWithConfig;
+        readonly getGroupNamePrefixes: typeof getGroupNamePrefixes;
+        readonly createDynamicImportAdapter: typeof createDynamicImportAdapter;
+        readonly createContextRunner: typeof createContextRunner;
+    };
+    readonly security: {
+        readonly resolveSandboxedPath: typeof resolveSandboxedPath;
+        readonly setSandboxValidationEnabled: typeof setSandboxValidationEnabled;
+        readonly validateUrl: typeof validateUrl;
+        readonly isIpInBlockedCidrs: typeof isIpInBlockedCidrs;
+    };
+    readonly core: {
+        readonly createToolSpec: typeof createToolSpec;
+        readonly DEFAULT_INPUT_SCHEMA: object;
+        readonly DEFAULT_OUTPUT_SCHEMA: object;
+    };
+    readonly runtime: {
+        readonly createTaggedError: typeof createTaggedError;
+        readonly withRetry: typeof withRetry;
+        readonly isRetryable: typeof isRetryable;
+        readonly ToolRegistry: typeof ToolRegistry;
+    };
+};
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EACL,gBAAgB,EAChB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,8BAA8B,EAC9B,6BAA6B,EAC7B,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,uBAAuB,EACvB,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,oCAAoC,EACpC,6BAA6B,EAC7B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EACL,gBAAgB,EAChB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,8BAA8B,EAC9B,6BAA6B,EAC7B,uBAAuB,EACvB,2BAA2B,EAC3B,YAAY,EACZ,UAAU,EACV,MAAM,EACN,OAAO,GACR,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,uBAAuB,EACvB,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,oCAAoC,EACpC,6BAA6B,EAC7B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,eAAe,CAAC;AAGvB,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAE5F,OAAO,EACL,WAAW,EACX,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,IAAI,EACL,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,yBAAyB,EACzB,iBAAiB,EACjB,yBAAyB,EACzB,qBAAqB,EACrB,YAAY,EACZ,2BAA2B,EAC3B,kBAAkB,EAClB,oBAAoB,EACpB,0BAA0B,EAC1B,mBAAmB,EACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,2BAA2B,EAC3B,WAAW,EACX,kBAAkB,EACnB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EAGf,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,iBAAiB,EACjB,SAAS,EACT,WAAW,EACX,YAAY,EACb,MAAM,mBAAmB,CAAC;AAE3B;;GAEG;AACH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuCd,CAAC"}

package/dist/index.js

@@ -1,11 +1,63 @@
-export { createAgentTools, createLangChainToolsAsync } from './chunk-QPKBEU64.js';
-export { createMCPServer, createMCPServerStreamableHttp, createMCPStreamableHttpHandler, createHttpService as createOpenAPIServer, createRuntimeFromConfig, createRuntimeFromConfigSync, runMCPServerOverStdio } from './chunk-NVT4X4CB.js';
+import './chunk-FWWN4D2F.js';
+import { createContextRunner, createDynamicImportAdapter, getGroupNamePrefixes, overrideWithConfig, resolveExtensionPackageRoot, loadToolYaml, loadExtensionManifest, registerToolsFromManifest, registerExtension, generateExtensionManifest, generateManifest, createExtension } from './chunk-YPGF5Y2Y.js';
+import { isIpInBlockedCidrs, validateUrl } from './chunk-NKYFYALQ.js';
+export { createAgentTools, createLangChainToolsAsync, langchainApi, mcpApi, openApi, runtimeApi } from './chunk-YMHUDRYE.js';
+import './chunk-YLWTSNTT.js';
+import './chunk-DEDDPMBU.js';
+import { runMCPServer, buildMCPPackage, initProject } from './chunk-5J27MF7S.js';
+export { createMCPServer, createMCPServerStreamableHttp, createMCPStreamableHttpHandler, createHttpService as createOpenAPIServer, createRuntimeFromConfig, createRuntimeFromConfigSync, runMCPServerOverStdio } from './chunk-RJAF5XY6.js';
 import './chunk-NTWOVFEY.js';
 import './chunk-YRFUGA3C.js';
-import './chunk-45S2HPVU.js';
-import './chunk-QXQ4477T.js';
-import './chunk-WUMLZERG.js';
-import './chunk-RZTTO5MQ.js';
-import './chunk-ODEHUAR4.js';
+import { scan, scanForTools } from './chunk-45S2HPVU.js';
+import { setSandboxValidationEnabled, resolveSandboxedPath } from './chunk-QXQ4477T.js';
+import { ToolRegistry } from './chunk-WUMLZERG.js';
+export { ToolRegistry } from './chunk-WUMLZERG.js';
+import { isRetryable, withRetry, createTaggedError } from './chunk-RZTTO5MQ.js';
+export { createTaggedError, isRetryable, withRetry } from './chunk-RZTTO5MQ.js';
+import { DEFAULT_OUTPUT_SCHEMA, DEFAULT_INPUT_SCHEMA, createToolSpec } from './chunk-ODEHUAR4.js';
+
+// src/index.ts
+var platformApi = {
+  build: {
+    initProject,
+    buildMCPPackage,
+    runMCPServer,
+    scanForTools,
+    scan
+  },
+  extension: {
+    createExtension,
+    generateManifest,
+    generateExtensionManifest,
+    registerExtension,
+    registerToolsFromManifest,
+    loadExtensionManifest,
+    loadToolYaml,
+    resolveExtensionPackageRoot,
+    overrideWithConfig,
+    getGroupNamePrefixes,
+    createDynamicImportAdapter,
+    createContextRunner
+  },
+  security: {
+    resolveSandboxedPath,
+    setSandboxValidationEnabled,
+    validateUrl,
+    isIpInBlockedCidrs
+  },
+  core: {
+    createToolSpec,
+    DEFAULT_INPUT_SCHEMA,
+    DEFAULT_OUTPUT_SCHEMA
+  },
+  runtime: {
+    createTaggedError,
+    withRetry,
+    isRetryable,
+    ToolRegistry
+  }
+};
+
+export { platformApi };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}
+{"version":3,"sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;AA+EO,IAAM,WAAA,GAAc;AAAA,EACzB,KAAA,EAAO;AAAA,IACL,WAAA;AAAA,IACA,eAAA;AAAA,IACA,YAAA;AAAA,IACA,YAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,SAAA,EAAW;AAAA,IACT,eAAA;AAAA,IACA,gBAAA;AAAA,IACA,yBAAA;AAAA,IACA,iBAAA;AAAA,IACA,yBAAA;AAAA,IACA,qBAAA;AAAA,IACA,YAAA;AAAA,IACA,2BAAA;AAAA,IACA,kBAAA;AAAA,IACA,oBAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,QAAA,EAAU;AAAA,IACR,oBAAA;AAAA,IACA,2BAAA;AAAA,IACA,WAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,IAAA,EAAM;AAAA,IACJ,cAAA;AAAA,IACA,oBAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,OAAA,EAAS;AAAA,IACP,iBAAA;AAAA,IACA,SAAA;AAAA,IACA,WAAA;AAAA,IACA;AAAA;AAEJ","file":"index.js","sourcesContent":["/**\n * Minimal public API for @easynet/agent-tool.\n * Keep root exports focused on high-level runtime/server creation.\n */\n\n// High-level API (most users should import from @easynet/agent-tool/api)\nexport {\n  createAgentTools,\n  createLangChainToolsAsync,\n  createOpenAPIServer,\n  createMCPServer,\n  runMCPServerOverStdio,\n  createMCPStreamableHttpHandler,\n  createMCPServerStreamableHttp,\n  createRuntimeFromConfig,\n  createRuntimeFromConfigSync,\n  langchainApi,\n  runtimeApi,\n  mcpApi,\n  openApi,\n} from \"./api/main.js\";\nexport type {\n  CreateAgentToolsOptions,\n  CreateRuntimeOptions,\n  CreateRuntimeResult,\n  MCPServerOptions,\n  MCPServerResult,\n  CreateMCPServerStreamableHttpOptions,\n  MCPServerStreamableHttpResult,\n  CreateHttpServiceOptions,\n  HttpServiceResult,\n  OpenAPIHttpServerOptions,\n} from \"./api/main.js\";\n\n// Backward compatibility: older extensions import runtime helpers from package root.\nexport { createTaggedError, withRetry, isRetryable, ToolRegistry } from \"./core/runtime.js\";\n\nimport {\n  initProject,\n  buildMCPPackage,\n  runMCPServer,\n  scanForTools,\n  scan,\n} from \"./build.js\";\nimport {\n  createExtension,\n  generateManifest,\n  generateExtensionManifest,\n  registerExtension,\n  registerToolsFromManifest,\n  loadExtensionManifest,\n  loadToolYaml,\n  resolveExtensionPackageRoot,\n  overrideWithConfig,\n  getGroupNamePrefixes,\n  createDynamicImportAdapter,\n  createContextRunner,\n} from \"./extension.js\";\nimport {\n  resolveSandboxedPath,\n  setSandboxValidationEnabled,\n  validateUrl,\n  isIpInBlockedCidrs,\n} from \"./security.js\";\nimport {\n  createToolSpec,\n  DEFAULT_INPUT_SCHEMA,\n  DEFAULT_OUTPUT_SCHEMA,\n} from \"./core/index.js\";\nimport {\n  createTaggedError,\n  withRetry,\n  isRetryable,\n  ToolRegistry,\n} from \"./core/runtime.js\";\n\n/**\n * Facade: grouped utilities beyond runtime/server creation.\n */\nexport const platformApi = {\n  build: {\n    initProject,\n    buildMCPPackage,\n    runMCPServer,\n    scanForTools,\n    scan,\n  },\n  extension: {\n    createExtension,\n    generateManifest,\n    generateExtensionManifest,\n    registerExtension,\n    registerToolsFromManifest,\n    loadExtensionManifest,\n    loadToolYaml,\n    resolveExtensionPackageRoot,\n    overrideWithConfig,\n    getGroupNamePrefixes,\n    createDynamicImportAdapter,\n    createContextRunner,\n  },\n  security: {\n    resolveSandboxedPath,\n    setSandboxValidationEnabled,\n    validateUrl,\n    isIpInBlockedCidrs,\n  },\n  core: {\n    createToolSpec,\n    DEFAULT_INPUT_SCHEMA,\n    DEFAULT_OUTPUT_SCHEMA,\n  },\n  runtime: {\n    createTaggedError,\n    withRetry,\n    isRetryable,\n    ToolRegistry,\n  },\n} as const;\n"]}

package/dist/security.cjs

@@ -1,184 +1,19 @@
 'use strict';
 
+var chunkR55NXJIH_cjs = require('./chunk-R55NXJIH.cjs');
 var chunkZDSZHEQU_cjs = require('./chunk-ZDSZHEQU.cjs');
-var chunkXPGHS4W7_cjs = require('./chunk-XPGHS4W7.cjs');
-var promises = require('dns/promises');
+require('./chunk-XPGHS4W7.cjs');
 
-async function validateUrl(url, options) {
-  let parsed;
-  try {
-    parsed = new URL(url);
-  } catch {
-    throw chunkXPGHS4W7_cjs.createTaggedError(
-      "HTTP_DISALLOWED_HOST",
-      `Invalid URL: ${url}`,
-      { url }
-    );
-  }
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    throw chunkXPGHS4W7_cjs.createTaggedError(
-      "HTTP_DISALLOWED_HOST",
-      `Protocol not allowed: ${parsed.protocol}. Only http: and https: are supported.`,
-      { url, protocol: parsed.protocol }
-    );
-  }
-  const hostname = parsed.hostname;
-  if (!isHostAllowed(hostname, options.allowedHosts)) {
-    throw chunkXPGHS4W7_cjs.createTaggedError(
-      "HTTP_DISALLOWED_HOST",
-      `Host "${hostname}" is not in the allowed hosts list`,
-      { url, hostname, allowedHosts: options.allowedHosts }
-    );
-  }
-  if (isHostBlocked(hostname, options.blockedHosts)) {
-    throw chunkXPGHS4W7_cjs.createTaggedError(
-      "HTTP_DISALLOWED_HOST",
-      `Host "${hostname}" is in the blocked hosts list`,
-      { url, hostname, blockedHosts: options.blockedHosts }
-    );
-  }
-  try {
-    const { address } = await promises.lookup(hostname);
-    if (isIpInBlockedCidrs(address, options.blockedCidrs)) {
-      throw chunkXPGHS4W7_cjs.createTaggedError(
-        "HTTP_DISALLOWED_HOST",
-        `Host "${hostname}" resolves to blocked IP: ${address}`,
-        { url, hostname, resolvedIp: address }
-      );
-    }
-  } catch (err) {
-    if (err instanceof Error && err.kind === "HTTP_DISALLOWED_HOST") {
-      throw err;
-    }
-    throw chunkXPGHS4W7_cjs.createTaggedError(
-      "HTTP_DISALLOWED_HOST",
-      `DNS resolution failed for host "${hostname}": ${err instanceof Error ? err.message : String(err)}`,
-      { url, hostname }
-    );
-  }
-  return parsed;
-}
-function isHostAllowed(hostname, allowedHosts) {
-  for (const pattern of allowedHosts) {
-    if (pattern === "*") {
-      return true;
-    }
-    if (pattern.startsWith("*.")) {
-      const suffix = pattern.slice(1);
-      if (hostname.endsWith(suffix) || hostname === pattern.slice(2)) {
-        return true;
-      }
-    } else if (hostname === pattern) {
-      return true;
-    }
-  }
-  return false;
-}
-function isHostBlocked(hostname, blockedHosts) {
-  for (const pattern of blockedHosts) {
-    if (pattern === "*") {
-      return true;
-    }
-    if (pattern.startsWith("*.")) {
-      const suffix = pattern.slice(1);
-      if (hostname.endsWith(suffix) || hostname === pattern.slice(2)) {
-        return true;
-      }
-    } else if (hostname === pattern) {
-      return true;
-    }
-  }
-  return false;
-}
-function isIpInBlockedCidrs(ip, cidrs) {
-  const normalizedIp = normalizeIp(ip);
-  if (!normalizedIp) return false;
-  for (const cidr of cidrs) {
-    if (cidr.includes(":")) {
-      if (!ip.includes(":")) continue;
-      if (isIpv6InCidr(ip, cidr)) return true;
-    } else {
-      if (isIpv4InCidr(normalizedIp, cidr)) return true;
-    }
-  }
-  return false;
-}
-function normalizeIp(ip) {
-  if (ip.startsWith("::ffff:")) {
-    return ip.slice(7);
-  }
-  if (/^\d+\.\d+\.\d+\.\d+$/.test(ip)) {
-    return ip;
-  }
-  return null;
-}
-function isIpv4InCidr(ip, cidr) {
-  const [cidrIp, prefixStr] = cidr.split("/");
-  if (!cidrIp || !prefixStr) return false;
-  const prefix = parseInt(prefixStr, 10);
-  if (isNaN(prefix) || prefix < 0 || prefix > 32) return false;
-  const ipNum = ipv4ToNum(ip);
-  const cidrNum = ipv4ToNum(cidrIp);
-  if (ipNum === null || cidrNum === null) return false;
-  const mask = prefix === 0 ? 0 : -1 << 32 - prefix >>> 0;
-  return (ipNum & mask) === (cidrNum & mask);
-}
-function ipv4ToNum(ip) {
-  const parts = ip.split(".");
-  if (parts.length !== 4) return null;
-  let num = 0;
-  for (const part of parts) {
-    const n = parseInt(part, 10);
-    if (isNaN(n) || n < 0 || n > 255) return null;
-    num = num << 8 | n;
-  }
-  return num >>> 0;
-}
-function isIpv6InCidr(ip, cidr) {
-  const [cidrIp, prefixStr] = cidr.split("/");
-  if (!cidrIp || !prefixStr) return false;
-  const prefix = parseInt(prefixStr, 10);
-  if (isNaN(prefix)) return false;
-  const ipBytes = expandIpv6(ip);
-  const cidrBytes = expandIpv6(cidrIp);
-  if (!ipBytes || !cidrBytes) return false;
-  const fullBytes = Math.floor(prefix / 8);
-  for (let i = 0; i < fullBytes && i < 16; i++) {
-    if (ipBytes[i] !== cidrBytes[i]) return false;
-  }
-  const remainingBits = prefix % 8;
-  if (remainingBits > 0 && fullBytes < 16) {
-    const mask = -1 << 8 - remainingBits & 255;
-    if ((ipBytes[fullBytes] & mask) !== (cidrBytes[fullBytes] & mask)) return false;
-  }
-  return true;
-}
-function expandIpv6(ip) {
-  const zoneIdx = ip.indexOf("%");
-  if (zoneIdx !== -1) ip = ip.slice(0, zoneIdx);
-  const parts = ip.split("::");
-  if (parts.length > 2) return null;
-  const bytes = new Array(16).fill(0);
-  const expandGroup = (group) => {
-    if (!group) return [];
-    return group.split(":").flatMap((hex) => {
-      const val = parseInt(hex || "0", 16);
-      return [val >> 8 & 255, val & 255];
-    });
-  };
-  if (parts.length === 1) {
-    const expanded = expandGroup(parts[0]);
-    if (expanded.length !== 16) return null;
-    return expanded;
-  }
-  const left = expandGroup(parts[0]);
-  const right = expandGroup(parts[1]);
-  if (left.length + right.length > 16) return null;
-  for (let i = 0; i < left.length; i++) bytes[i] = left[i];
-  for (let i = 0; i < right.length; i++) bytes[16 - right.length + i] = right[i];
-  return bytes;
-}
 
+
+Object.defineProperty(exports, "isIpInBlockedCidrs", {
+  enumerable: true,
+  get: function () { return chunkR55NXJIH_cjs.isIpInBlockedCidrs; }
+});
+Object.defineProperty(exports, "validateUrl", {
+  enumerable: true,
+  get: function () { return chunkR55NXJIH_cjs.validateUrl; }
+});
 Object.defineProperty(exports, "resolveSandboxedPath", {
   enumerable: true,
   get: function () { return chunkZDSZHEQU_cjs.resolveSandboxedPath; }
@@ -187,7 +22,5 @@ Object.defineProperty(exports, "setSandboxValidationEnabled", {
   enumerable: true,
   get: function () { return chunkZDSZHEQU_cjs.setSandboxValidationEnabled; }
 });
-exports.isIpInBlockedCidrs = isIpInBlockedCidrs;
-exports.validateUrl = validateUrl;
 //# sourceMappingURL=security.cjs.map
 //# sourceMappingURL=security.cjs.map

package/dist/security.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/security/ssrf.ts"],"names":["createTaggedError","lookup"],"mappings":";;;;;;AAsBA,eAAsB,WAAA,CAAY,KAAa,OAAA,EAA2C;AACxF,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAA,GAAS,IAAI,IAAI,GAAG,CAAA;AAAA,EACtB,CAAA,CAAA,MAAQ;AACN,IAAA,MAAMA,mCAAA;AAAA,MACJ,sBAAA;AAAA,MACA,gBAAgB,GAAG,CAAA,CAAA;AAAA,MACnB,EAAE,GAAA;AAAI,KACR;AAAA,EACF;AAGA,EAAA,IAAI,MAAA,CAAO,QAAA,KAAa,OAAA,IAAW,MAAA,CAAO,aAAa,QAAA,EAAU;AAC/D,IAAA,MAAMA,mCAAA;AAAA,MACJ,sBAAA;AAAA,MACA,CAAA,sBAAA,EAAyB,OAAO,QAAQ,CAAA,sCAAA,CAAA;AAAA,MACxC,EAAE,GAAA,EAAK,QAAA,EAAU,MAAA,CAAO,QAAA;AAAS,KACnC;AAAA,EACF;AAEA,EAAA,MAAM,WAAW,MAAA,CAAO,QAAA;AAExB,EAAA,IAAI,CAAC,aAAA,CAAc,QAAA,EAAU,OAAA,CAAQ,YAAY,CAAA,EAAG;AAClD,IAAA,MAAMA,mCAAA;AAAA,MACJ,sBAAA;AAAA,MACA,SAAS,QAAQ,CAAA,kCAAA,CAAA;AAAA,MACjB,EAAE,GAAA,EAAK,QAAA,EAAU,YAAA,EAAc,QAAQ,YAAA;AAAa,KACtD;AAAA,EACF;AACA,EAAA,IAAI,aAAA,CAAc,QAAA,EAAU,OAAA,CAAQ,YAAY,CAAA,EAAG;AACjD,IAAA,MAAMA,mCAAA;AAAA,MACJ,sBAAA;AAAA,MACA,SAAS,QAAQ,CAAA,8BAAA,CAAA;AAAA,MACjB,EAAE,GAAA,EAAK,QAAA,EAAU,YAAA,EAAc,QAAQ,YAAA;AAAa,KACtD;AAAA,EACF;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAMC,gBAAO,QAAQ,CAAA;AACzC,IAAA,IAAI,kBAAA,CAAmB,OAAA,EAAS,OAAA,CAAQ,YAAY,CAAA,EAAG;AACrD,MAAA,MAAMD,mCAAA;AAAA,QACJ,sBAAA;AAAA,QACA,CAAA,MAAA,EAAS,QAAQ,CAAA,0BAAA,EAA6B,OAAO,CAAA,CAAA;AAAA,QACrD,EAAE,GAAA,EAAK,QAAA,EAAU,UAAA,EAAY,OAAA;AAAQ,OACvC;AAAA,IACF;AAAA,EACF,SAAS,GAAA,EAAK;AAEZ,IAAA,IAAI,GAAA,YAAe,KAAA,IAAU,GAAA,CAAY,IAAA,KAAS,sBAAA,EAAwB;AACxE,MAAA,MAAM,GAAA;AAAA,IACR;AAEA,IAAA,MAAMA,mCAAA;AAAA,MACJ,sBAAA;AAAA,MACA,CAAA,gCAAA,EAAmC,QAAQ,CAAA,GAAA,EAAM,GAAA,YAAe,QAAQ,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CAAC,CAAA,CAAA;AAAA,MACjG,EAAE,KAAK,QAAA;AAAS,KAClB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAMA,SAAS,aAAA,CAAc,UAAkB,YAAA,EAAiC;AACxE,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAClC,IAAA,IAAI,YAAY,GAAA,EAAK;AACnB,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,EAAG;AAC5B,MAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAA;AAC9B,MAAA,IAAI,QAAA,CAAS,SAAS,MAAM,CAAA,IAAK,aAAa,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAA,EAAG;AAC9D,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF,CAAA,MAAA,IAAW,aAAa,OAAA,EAAS;AAC/B,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;AAKA,SAAS,aAAA,CAAc,UAAkB,YAAA,EAAiC;AACxE,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAClC,IAAA,IAAI,YAAY,GAAA,EAAK;AACnB,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,EAAG;AAC5B,MAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAA;AAC9B,MAAA,IAAI,QAAA,CAAS,SAAS,MAAM,CAAA,IAAK,aAAa,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAA,EAAG;AAC9D,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF,CAAA,MAAA,IAAW,aAAa,OAAA,EAAS;AAC/B,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,kBAAA,CAAmB,IAAY,KAAA,EAA0B;AAEvE,EAAA,MAAM,YAAA,GAAe,YAAY,EAAE,CAAA;AACnC,EAAA,IAAI,CAAC,cAAc,OAAO,KAAA;AAE1B,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAG,CAAA,EAAG;AAEtB,MAAA,IAAI,CAAC,EAAA,CAAG,QAAA,CAAS,GAAG,CAAA,EAAG;AACvB,MAAA,IAAI,YAAA,CAAa,EAAA,EAAI,IAAI,CAAA,EAAG,OAAO,IAAA;AAAA,IACrC,CAAA,MAAO;AACL,MAAA,IAAI,YAAA,CAAa,YAAA,EAAc,IAAI,CAAA,EAAG,OAAO,IAAA;AAAA,IAC/C;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,YAAY,EAAA,EAA2B;AAE9C,EAAA,IAAI,EAAA,CAAG,UAAA,CAAW,SAAS,CAAA,EAAG;AAC5B,IAAA,OAAO,EAAA,CAAG,MAAM,CAAC,CAAA;AAAA,EACnB;AAEA,EAAA,IAAI,sBAAA,CAAuB,IAAA,CAAK,EAAE,CAAA,EAAG;AACnC,IAAA,OAAO,EAAA;AAAA,EACT;AACA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,YAAA,CAAa,IAAY,IAAA,EAAuB;AACvD,EAAA,MAAM,CAAC,MAAA,EAAQ,SAAS,CAAA,GAAI,IAAA,CAAK,MAAM,GAAG,CAAA;AAC1C,EAAA,IAAI,CAAC,MAAA,IAAU,CAAC,SAAA,EAAW,OAAO,KAAA;AAElC,EAAA,MAAM,MAAA,GAAS,QAAA,CAAS,SAAA,EAAW,EAAE,CAAA;AACrC,EAAA,IAAI,MAAM,MAAM,CAAA,IAAK,SAAS,CAAA,IAAK,MAAA,GAAS,IAAI,OAAO,KAAA;AAEvD,EAAA,MAAM,KAAA,GAAQ,UAAU,EAAE,CAAA;AAC1B,EAAA,MAAM,OAAA,GAAU,UAAU,MAAM,CAAA;AAChC,EAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,OAAA,KAAY,IAAA,EAAM,OAAO,KAAA;AAE/C,EAAA,MAAM,OAAO,MAAA,KAAW,CAAA,GAAI,IAAK,EAAC,IAAM,KAAK,MAAA,KAAa,CAAA;AAC1D,EAAA,OAAA,CAAQ,KAAA,GAAQ,WAAW,OAAA,GAAU,IAAA,CAAA;AACvC;AAEA,SAAS,UAAU,EAAA,EAA2B;AAC5C,EAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC/B,EAAA,IAAI,GAAA,GAAM,CAAA;AACV,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,CAAA,GAAI,QAAA,CAAS,IAAA,EAAM,EAAE,CAAA;AAC3B,IAAA,IAAI,MAAM,CAAC,CAAA,IAAK,IAAI,CAAA,IAAK,CAAA,GAAI,KAAK,OAAO,IAAA;AACzC,IAAA,GAAA,GAAO,OAAO,CAAA,GAAK,CAAA;AAAA,EACrB;AACA,EAAA,OAAO,GAAA,KAAQ,CAAA;AACjB;AAEA,SAAS,YAAA,CAAa,IAAY,IAAA,EAAuB;AAEvD,EAAA,MAAM,CAAC,MAAA,EAAQ,SAAS,CAAA,GAAI,IAAA,CAAK,MAAM,GAAG,CAAA;AAC1C,EAAA,IAAI,CAAC,MAAA,IAAU,CAAC,SAAA,EAAW,OAAO,KAAA;AAElC,EAAA,MAAM,MAAA,GAAS,QAAA,CAAS,SAAA,EAAW,EAAE,CAAA;AACrC,EAAA,IAAI,KAAA,CAAM,MAAM,CAAA,EAAG,OAAO,KAAA;AAE1B,EAAA,MAAM,OAAA,GAAU,WAAW,EAAE,CAAA;AAC7B,EAAA,MAAM,SAAA,GAAY,WAAW,MAAM,CAAA;AACnC,EAAA,IAAI,CAAC,OAAA,IAAW,CAAC,SAAA,EAAW,OAAO,KAAA;AAGnC,EAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,MAAA,GAAS,CAAC,CAAA;AACvC,EAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,SAAA,IAAa,CAAA,GAAI,IAAI,CAAA,EAAA,EAAK;AAC5C,IAAA,IAAI,QAAQ,CAAC,CAAA,KAAM,SAAA,CAAU,CAAC,GAAG,OAAO,KAAA;AAAA,EAC1C;AAEA,EAAA,MAAM,gBAAgB,MAAA,GAAS,CAAA;AAC/B,EAAA,IAAI,aAAA,GAAgB,CAAA,IAAK,SAAA,GAAY,EAAA,EAAI;AACvC,IAAA,MAAM,IAAA,GAAQ,EAAC,IAAM,CAAA,GAAI,aAAA,GAAkB,GAAA;AAC3C,IAAA,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA,GAAK,IAAA,OAAW,UAAU,SAAS,CAAA,GAAK,OAAO,OAAO,KAAA;AAAA,EAC9E;AAEA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,WAAW,EAAA,EAA6B;AAE/C,EAAA,MAAM,OAAA,GAAU,EAAA,CAAG,OAAA,CAAQ,GAAG,CAAA;AAC9B,EAAA,IAAI,YAAY,EAAA,EAAI,EAAA,GAAK,EAAA,CAAG,KAAA,CAAM,GAAG,OAAO,CAAA;AAE5C,EAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,IAAI,CAAA;AAC3B,EAAA,IAAI,KAAA,CAAM,MAAA,GAAS,CAAA,EAAG,OAAO,IAAA;AAE7B,EAAA,MAAM,QAAkB,IAAI,KAAA,CAAM,EAAE,CAAA,CAAE,KAAK,CAAC,CAAA;AAE5C,EAAA,MAAM,WAAA,GAAc,CAAC,KAAA,KAA4B;AAC/C,IAAA,IAAI,CAAC,KAAA,EAAO,OAAO,EAAC;AACpB,IAAA,OAAO,MAAM,KAAA,CAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,CAAC,GAAA,KAAQ;AACvC,MAAA,MAAM,GAAA,GAAM,QAAA,CAAS,GAAA,IAAO,GAAA,EAAK,EAAE,CAAA;AACnC,MAAA,OAAO,CAAE,GAAA,IAAO,CAAA,GAAK,GAAA,EAAM,MAAM,GAAI,CAAA;AAAA,IACvC,CAAC,CAAA;AAAA,EACH,CAAA;AAEA,EAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,IAAA,MAAM,QAAA,GAAW,WAAA,CAAY,KAAA,CAAM,CAAC,CAAE,CAAA;AACtC,IAAA,IAAI,QAAA,CAAS,MAAA,KAAW,EAAA,EAAI,OAAO,IAAA;AACnC,IAAA,OAAO,QAAA;AAAA,EACT;AAEA,EAAA,MAAM,IAAA,GAAO,WAAA,CAAY,KAAA,CAAM,CAAC,CAAE,CAAA;AAClC,EAAA,MAAM,KAAA,GAAQ,WAAA,CAAY,KAAA,CAAM,CAAC,CAAE,CAAA;AAEnC,EAAA,IAAI,IAAA,CAAK,MAAA,GAAS,KAAA,CAAM,MAAA,GAAS,IAAI,OAAO,IAAA;AAE5C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,IAAA,CAAK,MAAA,EAAQ,KAAK,KAAA,CAAM,CAAC,CAAA,GAAI,IAAA,CAAK,CAAC,CAAA;AACvD,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,MAAA,EAAQ,CAAA,EAAA,EAAK,KAAA,CAAM,EAAA,GAAK,KAAA,CAAM,MAAA,GAAS,CAAC,CAAA,GAAI,MAAM,CAAC,CAAA;AAE7E,EAAA,OAAO,KAAA;AACT","file":"security.cjs","sourcesContent":["import { lookup } from \"node:dns/promises\";\nimport { createTaggedError } from \"../core/runtime/Retry.js\";\n\n/**\n * Options for validateUrl. Unified rule: allow iff host is in allowedHosts AND not in blockedHosts.\n * - \"Default allow all + blocklist\": allowedHosts: [\"*\"], blockedHosts: [\"*.internal\", ...]\n * - \"Default disallow all + allowlist\": allowedHosts: [\"api.github.com\", ...], blockedHosts: []\n */\nexport interface ValidateUrlOptions {\n  /** Allow only these hosts. Use [\"*\"] for allow-all. Supports \"*.example.com\", exact host. */\n  allowedHosts: string[];\n  /** Block these hosts even if allowed. Supports \"*.internal\", exact host. Merged with allowlist. */\n  blockedHosts: string[];\n  /** CIDR ranges to block (resolved IP). */\n  blockedCidrs: string[];\n}\n\n/**\n * Validate a URL: allow iff (host in allowedHosts) AND (host not in blockedHosts). Then check blockedCidrs on resolved IP.\n *\n * @throws HTTP_DISALLOWED_HOST if the URL is blocked\n */\nexport async function validateUrl(url: string, options: ValidateUrlOptions): Promise<URL> {\n  let parsed: URL;\n  try {\n    parsed = new URL(url);\n  } catch {\n    throw createTaggedError(\n      \"HTTP_DISALLOWED_HOST\",\n      `Invalid URL: ${url}`,\n      { url },\n    );\n  }\n\n  // Only allow http/https\n  if (parsed.protocol !== \"http:\" && parsed.protocol !== \"https:\") {\n    throw createTaggedError(\n      \"HTTP_DISALLOWED_HOST\",\n      `Protocol not allowed: ${parsed.protocol}. Only http: and https: are supported.`,\n      { url, protocol: parsed.protocol },\n    );\n  }\n\n  const hostname = parsed.hostname;\n\n  if (!isHostAllowed(hostname, options.allowedHosts)) {\n    throw createTaggedError(\n      \"HTTP_DISALLOWED_HOST\",\n      `Host \"${hostname}\" is not in the allowed hosts list`,\n      { url, hostname, allowedHosts: options.allowedHosts },\n    );\n  }\n  if (isHostBlocked(hostname, options.blockedHosts)) {\n    throw createTaggedError(\n      \"HTTP_DISALLOWED_HOST\",\n      `Host \"${hostname}\" is in the blocked hosts list`,\n      { url, hostname, blockedHosts: options.blockedHosts },\n    );\n  }\n\n  // DNS resolve and check against blocked CIDRs\n  try {\n    const { address } = await lookup(hostname);\n    if (isIpInBlockedCidrs(address, options.blockedCidrs)) {\n      throw createTaggedError(\n        \"HTTP_DISALLOWED_HOST\",\n        `Host \"${hostname}\" resolves to blocked IP: ${address}`,\n        { url, hostname, resolvedIp: address },\n      );\n    }\n  } catch (err) {\n    // Re-throw our tagged errors\n    if (err instanceof Error && (err as any).kind === \"HTTP_DISALLOWED_HOST\") {\n      throw err;\n    }\n    // DNS resolution failure — block by default\n    throw createTaggedError(\n      \"HTTP_DISALLOWED_HOST\",\n      `DNS resolution failed for host \"${hostname}\": ${err instanceof Error ? err.message : String(err)}`,\n      { url, hostname },\n    );\n  }\n\n  return parsed;\n}\n\n/**\n * Check if a hostname matches any entry in the allowed hosts list.\n * Supports: exact \"*\" (allow any host), wildcard prefix (e.g. \"*.github.com\"), or exact host.\n */\nfunction isHostAllowed(hostname: string, allowedHosts: string[]): boolean {\n  for (const pattern of allowedHosts) {\n    if (pattern === \"*\") {\n      return true;\n    }\n    if (pattern.startsWith(\"*.\")) {\n      const suffix = pattern.slice(1); // \".github.com\"\n      if (hostname.endsWith(suffix) || hostname === pattern.slice(2)) {\n        return true;\n      }\n    } else if (hostname === pattern) {\n      return true;\n    }\n  }\n  return false;\n}\n\n/**\n * Check if a hostname matches any entry in the blocked hosts list (same pattern rules as allowlist).\n */\nfunction isHostBlocked(hostname: string, blockedHosts: string[]): boolean {\n  for (const pattern of blockedHosts) {\n    if (pattern === \"*\") {\n      return true;\n    }\n    if (pattern.startsWith(\"*.\")) {\n      const suffix = pattern.slice(1);\n      if (hostname.endsWith(suffix) || hostname === pattern.slice(2)) {\n        return true;\n      }\n    } else if (hostname === pattern) {\n      return true;\n    }\n  }\n  return false;\n}\n\n/**\n * Check if an IPv4 address falls within any blocked CIDR range.\n */\nexport function isIpInBlockedCidrs(ip: string, cidrs: string[]): boolean {\n  // Handle IPv4-mapped IPv6\n  const normalizedIp = normalizeIp(ip);\n  if (!normalizedIp) return false;\n\n  for (const cidr of cidrs) {\n    if (cidr.includes(\":\")) {\n      // IPv6 CIDR — skip for IPv4 addresses\n      if (!ip.includes(\":\")) continue;\n      if (isIpv6InCidr(ip, cidr)) return true;\n    } else {\n      if (isIpv4InCidr(normalizedIp, cidr)) return true;\n    }\n  }\n  return false;\n}\n\nfunction normalizeIp(ip: string): string | null {\n  // Handle IPv4-mapped IPv6 (e.g. \"::ffff:127.0.0.1\")\n  if (ip.startsWith(\"::ffff:\")) {\n    return ip.slice(7);\n  }\n  // Pure IPv4\n  if (/^\\d+\\.\\d+\\.\\d+\\.\\d+$/.test(ip)) {\n    return ip;\n  }\n  return null;\n}\n\nfunction isIpv4InCidr(ip: string, cidr: string): boolean {\n  const [cidrIp, prefixStr] = cidr.split(\"/\");\n  if (!cidrIp || !prefixStr) return false;\n\n  const prefix = parseInt(prefixStr, 10);\n  if (isNaN(prefix) || prefix < 0 || prefix > 32) return false;\n\n  const ipNum = ipv4ToNum(ip);\n  const cidrNum = ipv4ToNum(cidrIp);\n  if (ipNum === null || cidrNum === null) return false;\n\n  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0;\n  return (ipNum & mask) === (cidrNum & mask);\n}\n\nfunction ipv4ToNum(ip: string): number | null {\n  const parts = ip.split(\".\");\n  if (parts.length !== 4) return null;\n  let num = 0;\n  for (const part of parts) {\n    const n = parseInt(part, 10);\n    if (isNaN(n) || n < 0 || n > 255) return null;\n    num = (num << 8) | n;\n  }\n  return num >>> 0;\n}\n\nfunction isIpv6InCidr(ip: string, cidr: string): boolean {\n  // Simplified IPv6 CIDR matching for common cases (::1, fc00::, fe80::)\n  const [cidrIp, prefixStr] = cidr.split(\"/\");\n  if (!cidrIp || !prefixStr) return false;\n\n  const prefix = parseInt(prefixStr, 10);\n  if (isNaN(prefix)) return false;\n\n  const ipBytes = expandIpv6(ip);\n  const cidrBytes = expandIpv6(cidrIp);\n  if (!ipBytes || !cidrBytes) return false;\n\n  // Compare prefix bits\n  const fullBytes = Math.floor(prefix / 8);\n  for (let i = 0; i < fullBytes && i < 16; i++) {\n    if (ipBytes[i] !== cidrBytes[i]) return false;\n  }\n\n  const remainingBits = prefix % 8;\n  if (remainingBits > 0 && fullBytes < 16) {\n    const mask = (~0 << (8 - remainingBits)) & 0xff;\n    if ((ipBytes[fullBytes]! & mask) !== (cidrBytes[fullBytes]! & mask)) return false;\n  }\n\n  return true;\n}\n\nfunction expandIpv6(ip: string): number[] | null {\n  // Remove zone ID\n  const zoneIdx = ip.indexOf(\"%\");\n  if (zoneIdx !== -1) ip = ip.slice(0, zoneIdx);\n\n  const parts = ip.split(\"::\");\n  if (parts.length > 2) return null;\n\n  const bytes: number[] = new Array(16).fill(0);\n\n  const expandGroup = (group: string): number[] => {\n    if (!group) return [];\n    return group.split(\":\").flatMap((hex) => {\n      const val = parseInt(hex || \"0\", 16);\n      return [(val >> 8) & 0xff, val & 0xff];\n    });\n  };\n\n  if (parts.length === 1) {\n    const expanded = expandGroup(parts[0]!);\n    if (expanded.length !== 16) return null;\n    return expanded;\n  }\n\n  const left = expandGroup(parts[0]!);\n  const right = expandGroup(parts[1]!);\n\n  if (left.length + right.length > 16) return null;\n\n  for (let i = 0; i < left.length; i++) bytes[i] = left[i]!;\n  for (let i = 0; i < right.length; i++) bytes[16 - right.length + i] = right[i]!;\n\n  return bytes;\n}\n"]}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"security.cjs"}