npm - @getrift/rift - Versions diffs - 0.0.0 → 0.1.0-beta.0 - Mend

@getrift/rift 0.0.0 → 0.1.0-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (628) hide show

package/README.dev.md +110 -0
package/README.md +130 -0
package/dist/src/auth/keychain.d.ts +25 -0
package/dist/src/auth/keychain.d.ts.map +1 -0
package/dist/src/auth/keychain.js +113 -0
package/dist/src/auth/keychain.js.map +1 -0
package/dist/src/auth/middleware.d.ts +20 -0
package/dist/src/auth/middleware.d.ts.map +1 -0
package/dist/src/auth/middleware.js +49 -0
package/dist/src/auth/middleware.js.map +1 -0
package/dist/src/auth/rate-limit.d.ts +16 -0
package/dist/src/auth/rate-limit.d.ts.map +1 -0
package/dist/src/auth/rate-limit.js +38 -0
package/dist/src/auth/rate-limit.js.map +1 -0
package/dist/src/auth/rotation.d.ts +67 -0
package/dist/src/auth/rotation.d.ts.map +1 -0
package/dist/src/auth/rotation.js +190 -0
package/dist/src/auth/rotation.js.map +1 -0
package/dist/src/backfill/project-context-batch-constructor.d.ts +127 -0
package/dist/src/backfill/project-context-batch-constructor.d.ts.map +1 -0
package/dist/src/backfill/project-context-batch-constructor.js +210 -0
package/dist/src/backfill/project-context-batch-constructor.js.map +1 -0
package/dist/src/capture/auto-capture.d.ts +162 -0
package/dist/src/capture/auto-capture.d.ts.map +1 -0
package/dist/src/capture/auto-capture.js +601 -0
package/dist/src/capture/auto-capture.js.map +1 -0
package/dist/src/capture/batch-budget.d.ts +90 -0
package/dist/src/capture/batch-budget.d.ts.map +1 -0
package/dist/src/capture/batch-budget.js +148 -0
package/dist/src/capture/batch-budget.js.map +1 -0
package/dist/src/capture/codex-cli-triage-provider.d.ts +17 -0
package/dist/src/capture/codex-cli-triage-provider.d.ts.map +1 -0
package/dist/src/capture/codex-cli-triage-provider.js +109 -0
package/dist/src/capture/codex-cli-triage-provider.js.map +1 -0
package/dist/src/capture/observability.d.ts +42 -0
package/dist/src/capture/observability.d.ts.map +1 -0
package/dist/src/capture/observability.js +87 -0
package/dist/src/capture/observability.js.map +1 -0
package/dist/src/capture/openai-triage-provider.d.ts +92 -0
package/dist/src/capture/openai-triage-provider.d.ts.map +1 -0
package/dist/src/capture/openai-triage-provider.js +267 -0
package/dist/src/capture/openai-triage-provider.js.map +1 -0
package/dist/src/capture/review-queue-index.d.ts +51 -0
package/dist/src/capture/review-queue-index.d.ts.map +1 -0
package/dist/src/capture/review-queue-index.js +204 -0
package/dist/src/capture/review-queue-index.js.map +1 -0
package/dist/src/capture/review-queue.d.ts +43 -0
package/dist/src/capture/review-queue.d.ts.map +1 -0
package/dist/src/capture/review-queue.js +116 -0
package/dist/src/capture/review-queue.js.map +1 -0
package/dist/src/capture/sources.d.ts +7 -0
package/dist/src/capture/sources.d.ts.map +1 -0
package/dist/src/capture/sources.js +3 -0
package/dist/src/capture/sources.js.map +1 -0
package/dist/src/capture/triage-lane.d.ts +39 -0
package/dist/src/capture/triage-lane.d.ts.map +1 -0
package/dist/src/capture/triage-lane.js +217 -0
package/dist/src/capture/triage-lane.js.map +1 -0
package/dist/src/capture/triage-provider.d.ts +75 -0
package/dist/src/capture/triage-provider.d.ts.map +1 -0
package/dist/src/capture/triage-provider.js +120 -0
package/dist/src/capture/triage-provider.js.map +1 -0
package/dist/src/capture/triage.d.ts +30 -0
package/dist/src/capture/triage.d.ts.map +1 -0
package/dist/src/capture/triage.js +48 -0
package/dist/src/capture/triage.js.map +1 -0
package/dist/src/cli/commands/backfill.d.ts +3 -0
package/dist/src/cli/commands/backfill.d.ts.map +1 -0
package/dist/src/cli/commands/backfill.js +1376 -0
package/dist/src/cli/commands/backfill.js.map +1 -0
package/dist/src/cli/commands/bulk-ingest.d.ts +3 -0
package/dist/src/cli/commands/bulk-ingest.d.ts.map +1 -0
package/dist/src/cli/commands/bulk-ingest.js +126 -0
package/dist/src/cli/commands/bulk-ingest.js.map +1 -0
package/dist/src/cli/commands/capture.d.ts +12 -0
package/dist/src/cli/commands/capture.d.ts.map +1 -0
package/dist/src/cli/commands/capture.js +123 -0
package/dist/src/cli/commands/capture.js.map +1 -0
package/dist/src/cli/commands/compact.d.ts +3 -0
package/dist/src/cli/commands/compact.d.ts.map +1 -0
package/dist/src/cli/commands/compact.js +70 -0
package/dist/src/cli/commands/compact.js.map +1 -0
package/dist/src/cli/commands/feedback.d.ts +22 -0
package/dist/src/cli/commands/feedback.d.ts.map +1 -0
package/dist/src/cli/commands/feedback.js +125 -0
package/dist/src/cli/commands/feedback.js.map +1 -0
package/dist/src/cli/commands/import.d.ts +19 -0
package/dist/src/cli/commands/import.d.ts.map +1 -0
package/dist/src/cli/commands/import.js +258 -0
package/dist/src/cli/commands/import.js.map +1 -0
package/dist/src/cli/commands/ingest.d.ts +3 -0
package/dist/src/cli/commands/ingest.d.ts.map +1 -0
package/dist/src/cli/commands/ingest.js +80 -0
package/dist/src/cli/commands/ingest.js.map +1 -0
package/dist/src/cli/commands/mcp-install.d.ts +25 -0
package/dist/src/cli/commands/mcp-install.d.ts.map +1 -0
package/dist/src/cli/commands/mcp-install.js +134 -0
package/dist/src/cli/commands/mcp-install.js.map +1 -0
package/dist/src/cli/commands/onboard.d.ts +98 -0
package/dist/src/cli/commands/onboard.d.ts.map +1 -0
package/dist/src/cli/commands/onboard.js +742 -0
package/dist/src/cli/commands/onboard.js.map +1 -0
package/dist/src/cli/commands/rebuild.d.ts +12 -0
package/dist/src/cli/commands/rebuild.d.ts.map +1 -0
package/dist/src/cli/commands/rebuild.js +164 -0
package/dist/src/cli/commands/rebuild.js.map +1 -0
package/dist/src/cli/commands/reconcile.d.ts +3 -0
package/dist/src/cli/commands/reconcile.d.ts.map +1 -0
package/dist/src/cli/commands/reconcile.js +56 -0
package/dist/src/cli/commands/reconcile.js.map +1 -0
package/dist/src/cli/commands/reindex.d.ts +3 -0
package/dist/src/cli/commands/reindex.d.ts.map +1 -0
package/dist/src/cli/commands/reindex.js +66 -0
package/dist/src/cli/commands/reindex.js.map +1 -0
package/dist/src/cli/commands/review.d.ts +13 -0
package/dist/src/cli/commands/review.d.ts.map +1 -0
package/dist/src/cli/commands/review.js +383 -0
package/dist/src/cli/commands/review.js.map +1 -0
package/dist/src/cli/commands/save.d.ts +3 -0
package/dist/src/cli/commands/save.d.ts.map +1 -0
package/dist/src/cli/commands/save.js +111 -0
package/dist/src/cli/commands/save.js.map +1 -0
package/dist/src/cli/commands/search.d.ts +35 -0
package/dist/src/cli/commands/search.d.ts.map +1 -0
package/dist/src/cli/commands/search.js +88 -0
package/dist/src/cli/commands/search.js.map +1 -0
package/dist/src/cli/commands/stats.d.ts +3 -0
package/dist/src/cli/commands/stats.d.ts.map +1 -0
package/dist/src/cli/commands/stats.js +42 -0
package/dist/src/cli/commands/stats.js.map +1 -0
package/dist/src/cli/commands/status.d.ts +15 -0
package/dist/src/cli/commands/status.d.ts.map +1 -0
package/dist/src/cli/commands/status.js +89 -0
package/dist/src/cli/commands/status.js.map +1 -0
package/dist/src/cli/commands/token-issue.d.ts +3 -0
package/dist/src/cli/commands/token-issue.d.ts.map +1 -0
package/dist/src/cli/commands/token-issue.js +25 -0
package/dist/src/cli/commands/token-issue.js.map +1 -0
package/dist/src/cli/commands/triage.d.ts +3 -0
package/dist/src/cli/commands/triage.d.ts.map +1 -0
package/dist/src/cli/commands/triage.js +125 -0
package/dist/src/cli/commands/triage.js.map +1 -0
package/dist/src/cli/commands/uninstall.d.ts +3 -0
package/dist/src/cli/commands/uninstall.d.ts.map +1 -0
package/dist/src/cli/commands/uninstall.js +238 -0
package/dist/src/cli/commands/uninstall.js.map +1 -0
package/dist/src/cli/feedback/feedback-config.d.ts +21 -0
package/dist/src/cli/feedback/feedback-config.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-config.js +43 -0
package/dist/src/cli/feedback/feedback-config.js.map +1 -0
package/dist/src/cli/feedback/feedback-history.d.ts +4 -0
package/dist/src/cli/feedback/feedback-history.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-history.js +115 -0
package/dist/src/cli/feedback/feedback-history.js.map +1 -0
package/dist/src/cli/feedback/feedback-payload.d.ts +53 -0
package/dist/src/cli/feedback/feedback-payload.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-payload.js +10 -0
package/dist/src/cli/feedback/feedback-payload.js.map +1 -0
package/dist/src/cli/feedback/feedback-relay.d.ts +15 -0
package/dist/src/cli/feedback/feedback-relay.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-relay.js +47 -0
package/dist/src/cli/feedback/feedback-relay.js.map +1 -0
package/dist/src/cli/feedback/feedback-status.d.ts +11 -0
package/dist/src/cli/feedback/feedback-status.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-status.js +122 -0
package/dist/src/cli/feedback/feedback-status.js.map +1 -0
package/dist/src/cli/http-client.d.ts +36 -0
package/dist/src/cli/http-client.d.ts.map +1 -0
package/dist/src/cli/http-client.js +153 -0
package/dist/src/cli/http-client.js.map +1 -0
package/dist/src/cli/index.d.ts +4 -0
package/dist/src/cli/index.d.ts.map +1 -0
package/dist/src/cli/index.js +66 -0
package/dist/src/cli/index.js.map +1 -0
package/dist/src/cli/job-poller.d.ts +13 -0
package/dist/src/cli/job-poller.d.ts.map +1 -0
package/dist/src/cli/job-poller.js +29 -0
package/dist/src/cli/job-poller.js.map +1 -0
package/dist/src/cli/mcp-config-writers/codex-toml.d.ts +10 -0
package/dist/src/cli/mcp-config-writers/codex-toml.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/codex-toml.js +410 -0
package/dist/src/cli/mcp-config-writers/codex-toml.js.map +1 -0
package/dist/src/cli/mcp-config-writers/errors.d.ts +17 -0
package/dist/src/cli/mcp-config-writers/errors.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/errors.js +13 -0
package/dist/src/cli/mcp-config-writers/errors.js.map +1 -0
package/dist/src/cli/mcp-config-writers/index.d.ts +18 -0
package/dist/src/cli/mcp-config-writers/index.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/index.js +49 -0
package/dist/src/cli/mcp-config-writers/index.js.map +1 -0
package/dist/src/cli/mcp-config-writers/json-config.d.ts +12 -0
package/dist/src/cli/mcp-config-writers/json-config.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/json-config.js +177 -0
package/dist/src/cli/mcp-config-writers/json-config.js.map +1 -0
package/dist/src/cli/mcp-config-writers/redact.d.ts +28 -0
package/dist/src/cli/mcp-config-writers/redact.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/redact.js +48 -0
package/dist/src/cli/mcp-config-writers/redact.js.map +1 -0
package/dist/src/cli/mcp-config-writers/types.d.ts +32 -0
package/dist/src/cli/mcp-config-writers/types.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/types.js +5 -0
package/dist/src/cli/mcp-config-writers/types.js.map +1 -0
package/dist/src/cli/output.d.ts +8 -0
package/dist/src/cli/output.d.ts.map +1 -0
package/dist/src/cli/output.js +34 -0
package/dist/src/cli/output.js.map +1 -0
package/dist/src/cli/status/friend-header.d.ts +33 -0
package/dist/src/cli/status/friend-header.d.ts.map +1 -0
package/dist/src/cli/status/friend-header.js +108 -0
package/dist/src/cli/status/friend-header.js.map +1 -0
package/dist/src/cli/status/local-signals.d.ts +14 -0
package/dist/src/cli/status/local-signals.d.ts.map +1 -0
package/dist/src/cli/status/local-signals.js +73 -0
package/dist/src/cli/status/local-signals.js.map +1 -0
package/dist/src/cli/token.d.ts +37 -0
package/dist/src/cli/token.d.ts.map +1 -0
package/dist/src/cli/token.js +105 -0
package/dist/src/cli/token.js.map +1 -0
package/dist/src/cli/uninstall/mcp-uninstall.d.ts +33 -0
package/dist/src/cli/uninstall/mcp-uninstall.d.ts.map +1 -0
package/dist/src/cli/uninstall/mcp-uninstall.js +181 -0
package/dist/src/cli/uninstall/mcp-uninstall.js.map +1 -0
package/dist/src/config/loader.d.ts +9 -0
package/dist/src/config/loader.d.ts.map +1 -0
package/dist/src/config/loader.js +73 -0
package/dist/src/config/loader.js.map +1 -0
package/dist/src/config/schema.d.ts +635 -0
package/dist/src/config/schema.d.ts.map +1 -0
package/dist/src/config/schema.js +208 -0
package/dist/src/config/schema.js.map +1 -0
package/dist/src/ingestion/bulk-ingest.d.ts +11 -0
package/dist/src/ingestion/bulk-ingest.d.ts.map +1 -0
package/dist/src/ingestion/bulk-ingest.js +11 -0
package/dist/src/ingestion/bulk-ingest.js.map +1 -0
package/dist/src/ingestion/extractor.d.ts +16 -0
package/dist/src/ingestion/extractor.d.ts.map +1 -0
package/dist/src/ingestion/extractor.js +85 -0
package/dist/src/ingestion/extractor.js.map +1 -0
package/dist/src/ingestion/extractors/docx.d.ts +3 -0
package/dist/src/ingestion/extractors/docx.d.ts.map +1 -0
package/dist/src/ingestion/extractors/docx.js +20 -0
package/dist/src/ingestion/extractors/docx.js.map +1 -0
package/dist/src/ingestion/extractors/pdf.d.ts +3 -0
package/dist/src/ingestion/extractors/pdf.d.ts.map +1 -0
package/dist/src/ingestion/extractors/pdf.js +32 -0
package/dist/src/ingestion/extractors/pdf.js.map +1 -0
package/dist/src/ingestion/historical-campaign.d.ts +340 -0
package/dist/src/ingestion/historical-campaign.d.ts.map +1 -0
package/dist/src/ingestion/historical-campaign.js +1010 -0
package/dist/src/ingestion/historical-campaign.js.map +1 -0
package/dist/src/ingestion/ignored-paths.d.ts +20 -0
package/dist/src/ingestion/ignored-paths.d.ts.map +1 -0
package/dist/src/ingestion/ignored-paths.js +45 -0
package/dist/src/ingestion/ignored-paths.js.map +1 -0
package/dist/src/ingestion/inbox-watcher.d.ts +12 -0
package/dist/src/ingestion/inbox-watcher.d.ts.map +1 -0
package/dist/src/ingestion/inbox-watcher.js +99 -0
package/dist/src/ingestion/inbox-watcher.js.map +1 -0
package/dist/src/ingestion/indexer.d.ts +32 -0
package/dist/src/ingestion/indexer.d.ts.map +1 -0
package/dist/src/ingestion/indexer.js +68 -0
package/dist/src/ingestion/indexer.js.map +1 -0
package/dist/src/ingestion/metadata-extraction.d.ts +53 -0
package/dist/src/ingestion/metadata-extraction.d.ts.map +1 -0
package/dist/src/ingestion/metadata-extraction.js +132 -0
package/dist/src/ingestion/metadata-extraction.js.map +1 -0
package/dist/src/ingestion/parsers/chatgpt-web.d.ts +29 -0
package/dist/src/ingestion/parsers/chatgpt-web.d.ts.map +1 -0
package/dist/src/ingestion/parsers/chatgpt-web.js +100 -0
package/dist/src/ingestion/parsers/chatgpt-web.js.map +1 -0
package/dist/src/ingestion/parsers/claude-code-jsonl.d.ts +16 -0
package/dist/src/ingestion/parsers/claude-code-jsonl.d.ts.map +1 -0
package/dist/src/ingestion/parsers/claude-code-jsonl.js +123 -0
package/dist/src/ingestion/parsers/claude-code-jsonl.js.map +1 -0
package/dist/src/ingestion/parsers/claude-web.d.ts +24 -0
package/dist/src/ingestion/parsers/claude-web.d.ts.map +1 -0
package/dist/src/ingestion/parsers/claude-web.js +78 -0
package/dist/src/ingestion/parsers/claude-web.js.map +1 -0
package/dist/src/ingestion/parsers/codex-jsonl.d.ts +18 -0
package/dist/src/ingestion/parsers/codex-jsonl.d.ts.map +1 -0
package/dist/src/ingestion/parsers/codex-jsonl.js +125 -0
package/dist/src/ingestion/parsers/codex-jsonl.js.map +1 -0
package/dist/src/ingestion/parsers/gemini-web.d.ts +16 -0
package/dist/src/ingestion/parsers/gemini-web.d.ts.map +1 -0
package/dist/src/ingestion/parsers/gemini-web.js +170 -0
package/dist/src/ingestion/parsers/gemini-web.js.map +1 -0
package/dist/src/ingestion/parsers/grok-web.d.ts +40 -0
package/dist/src/ingestion/parsers/grok-web.d.ts.map +1 -0
package/dist/src/ingestion/parsers/grok-web.js +67 -0
package/dist/src/ingestion/parsers/grok-web.js.map +1 -0
package/dist/src/ingestion/parsers/types.d.ts +34 -0
package/dist/src/ingestion/parsers/types.d.ts.map +1 -0
package/dist/src/ingestion/parsers/types.js +26 -0
package/dist/src/ingestion/parsers/types.js.map +1 -0
package/dist/src/ingestion/scanner.d.ts +48 -0
package/dist/src/ingestion/scanner.d.ts.map +1 -0
package/dist/src/ingestion/scanner.js +131 -0
package/dist/src/ingestion/scanner.js.map +1 -0
package/dist/src/ingestion/staging.d.ts +109 -0
package/dist/src/ingestion/staging.d.ts.map +1 -0
package/dist/src/ingestion/staging.js +411 -0
package/dist/src/ingestion/staging.js.map +1 -0
package/dist/src/ingestion/watcher.d.ts +65 -0
package/dist/src/ingestion/watcher.d.ts.map +1 -0
package/dist/src/ingestion/watcher.js +182 -0
package/dist/src/ingestion/watcher.js.map +1 -0
package/dist/src/jobs/codex-override-handler.d.ts +3 -0
package/dist/src/jobs/codex-override-handler.d.ts.map +1 -0
package/dist/src/jobs/codex-override-handler.js +16 -0
package/dist/src/jobs/codex-override-handler.js.map +1 -0
package/dist/src/jobs/handlers/compact.d.ts +30 -0
package/dist/src/jobs/handlers/compact.d.ts.map +1 -0
package/dist/src/jobs/handlers/compact.js +329 -0
package/dist/src/jobs/handlers/compact.js.map +1 -0
package/dist/src/jobs/handlers/ingest.d.ts +13 -0
package/dist/src/jobs/handlers/ingest.d.ts.map +1 -0
package/dist/src/jobs/handlers/ingest.js +255 -0
package/dist/src/jobs/handlers/ingest.js.map +1 -0
package/dist/src/jobs/handlers/reconcile.d.ts +29 -0
package/dist/src/jobs/handlers/reconcile.d.ts.map +1 -0
package/dist/src/jobs/handlers/reconcile.js +476 -0
package/dist/src/jobs/handlers/reconcile.js.map +1 -0
package/dist/src/jobs/handlers/reindex.d.ts +38 -0
package/dist/src/jobs/handlers/reindex.d.ts.map +1 -0
package/dist/src/jobs/handlers/reindex.js +52 -0
package/dist/src/jobs/handlers/reindex.js.map +1 -0
package/dist/src/jobs/handlers/save.d.ts +10 -0
package/dist/src/jobs/handlers/save.d.ts.map +1 -0
package/dist/src/jobs/handlers/save.js +206 -0
package/dist/src/jobs/handlers/save.js.map +1 -0
package/dist/src/jobs/handlers/triage.d.ts +47 -0
package/dist/src/jobs/handlers/triage.d.ts.map +1 -0
package/dist/src/jobs/handlers/triage.js +95 -0
package/dist/src/jobs/handlers/triage.js.map +1 -0
package/dist/src/jobs/queue.d.ts +107 -0
package/dist/src/jobs/queue.d.ts.map +1 -0
package/dist/src/jobs/queue.js +319 -0
package/dist/src/jobs/queue.js.map +1 -0
package/dist/src/jobs/types.d.ts +39 -0
package/dist/src/jobs/types.d.ts.map +1 -0
package/dist/src/jobs/types.js +29 -0
package/dist/src/jobs/types.js.map +1 -0
package/dist/src/jobs/worker-entry.d.ts +10 -0
package/dist/src/jobs/worker-entry.d.ts.map +1 -0
package/dist/src/jobs/worker-entry.js +210 -0
package/dist/src/jobs/worker-entry.js.map +1 -0
package/dist/src/jobs/worker-process.d.ts +50 -0
package/dist/src/jobs/worker-process.d.ts.map +1 -0
package/dist/src/jobs/worker-process.js +186 -0
package/dist/src/jobs/worker-process.js.map +1 -0
package/dist/src/jobs/worker.d.ts +11 -0
package/dist/src/jobs/worker.d.ts.map +1 -0
package/dist/src/jobs/worker.js +14 -0
package/dist/src/jobs/worker.js.map +1 -0
package/dist/src/main.d.ts +2 -0
package/dist/src/main.d.ts.map +1 -0
package/dist/src/main.js +425 -0
package/dist/src/main.js.map +1 -0
package/dist/src/mcp/errors.d.ts +8 -0
package/dist/src/mcp/errors.d.ts.map +1 -0
package/dist/src/mcp/errors.js +50 -0
package/dist/src/mcp/errors.js.map +1 -0
package/dist/src/mcp/server.d.ts +10 -0
package/dist/src/mcp/server.d.ts.map +1 -0
package/dist/src/mcp/server.js +94 -0
package/dist/src/mcp/server.js.map +1 -0
package/dist/src/mcp/tools/context-pack.d.ts +35 -0
package/dist/src/mcp/tools/context-pack.d.ts.map +1 -0
package/dist/src/mcp/tools/context-pack.js +97 -0
package/dist/src/mcp/tools/context-pack.js.map +1 -0
package/dist/src/mcp/tools/conversations-search.d.ts +38 -0
package/dist/src/mcp/tools/conversations-search.d.ts.map +1 -0
package/dist/src/mcp/tools/conversations-search.js +73 -0
package/dist/src/mcp/tools/conversations-search.js.map +1 -0
package/dist/src/mcp/tools/save.d.ts +32 -0
package/dist/src/mcp/tools/save.d.ts.map +1 -0
package/dist/src/mcp/tools/save.js +60 -0
package/dist/src/mcp/tools/save.js.map +1 -0
package/dist/src/mcp/tools/search.d.ts +33 -0
package/dist/src/mcp/tools/search.d.ts.map +1 -0
package/dist/src/mcp/tools/search.js +58 -0
package/dist/src/mcp/tools/search.js.map +1 -0
package/dist/src/mcp/tools/status.d.ts +17 -0
package/dist/src/mcp/tools/status.d.ts.map +1 -0
package/dist/src/mcp/tools/status.js +12 -0
package/dist/src/mcp/tools/status.js.map +1 -0
package/dist/src/observability/coverage.d.ts +100 -0
package/dist/src/observability/coverage.d.ts.map +1 -0
package/dist/src/observability/coverage.js +180 -0
package/dist/src/observability/coverage.js.map +1 -0
package/dist/src/observability/rift-context.d.ts +47 -0
package/dist/src/observability/rift-context.d.ts.map +1 -0
package/dist/src/observability/rift-context.js +118 -0
package/dist/src/observability/rift-context.js.map +1 -0
package/dist/src/observability/staleness.d.ts +43 -0
package/dist/src/observability/staleness.d.ts.map +1 -0
package/dist/src/observability/staleness.js +74 -0
package/dist/src/observability/staleness.js.map +1 -0
package/dist/src/observability/tool-usage-stats.d.ts +23 -0
package/dist/src/observability/tool-usage-stats.d.ts.map +1 -0
package/dist/src/observability/tool-usage-stats.js +83 -0
package/dist/src/observability/tool-usage-stats.js.map +1 -0
package/dist/src/observability/tool-usage.d.ts +68 -0
package/dist/src/observability/tool-usage.d.ts.map +1 -0
package/dist/src/observability/tool-usage.js +207 -0
package/dist/src/observability/tool-usage.js.map +1 -0
package/dist/src/onboarding/daemon-control.d.ts +33 -0
package/dist/src/onboarding/daemon-control.d.ts.map +1 -0
package/dist/src/onboarding/daemon-control.js +92 -0
package/dist/src/onboarding/daemon-control.js.map +1 -0
package/dist/src/onboarding/env-file.d.ts +18 -0
package/dist/src/onboarding/env-file.d.ts.map +1 -0
package/dist/src/onboarding/env-file.js +89 -0
package/dist/src/onboarding/env-file.js.map +1 -0
package/dist/src/onboarding/voyage-validate.d.ts +16 -0
package/dist/src/onboarding/voyage-validate.d.ts.map +1 -0
package/dist/src/onboarding/voyage-validate.js +85 -0
package/dist/src/onboarding/voyage-validate.js.map +1 -0
package/dist/src/providers/anthropic-digest.d.ts +23 -0
package/dist/src/providers/anthropic-digest.d.ts.map +1 -0
package/dist/src/providers/anthropic-digest.js +91 -0
package/dist/src/providers/anthropic-digest.js.map +1 -0
package/dist/src/providers/codex-cli-digest.d.ts +12 -0
package/dist/src/providers/codex-cli-digest.d.ts.map +1 -0
package/dist/src/providers/codex-cli-digest.js +70 -0
package/dist/src/providers/codex-cli-digest.js.map +1 -0
package/dist/src/providers/codex-cli-metadata-extraction.d.ts +14 -0
package/dist/src/providers/codex-cli-metadata-extraction.d.ts.map +1 -0
package/dist/src/providers/codex-cli-metadata-extraction.js +101 -0
package/dist/src/providers/codex-cli-metadata-extraction.js.map +1 -0
package/dist/src/providers/codex-cli-runner.d.ts +14 -0
package/dist/src/providers/codex-cli-runner.d.ts.map +1 -0
package/dist/src/providers/codex-cli-runner.js +272 -0
package/dist/src/providers/codex-cli-runner.js.map +1 -0
package/dist/src/providers/conversation-generation.d.ts +10 -0
package/dist/src/providers/conversation-generation.d.ts.map +1 -0
package/dist/src/providers/conversation-generation.js +54 -0
package/dist/src/providers/conversation-generation.js.map +1 -0
package/dist/src/providers/ollama-embed.d.ts +22 -0
package/dist/src/providers/ollama-embed.d.ts.map +1 -0
package/dist/src/providers/ollama-embed.js +133 -0
package/dist/src/providers/ollama-embed.js.map +1 -0
package/dist/src/providers/ollama.d.ts +42 -0
package/dist/src/providers/ollama.d.ts.map +1 -0
package/dist/src/providers/ollama.js +169 -0
package/dist/src/providers/ollama.js.map +1 -0
package/dist/src/providers/openai-metadata-extraction.d.ts +73 -0
package/dist/src/providers/openai-metadata-extraction.d.ts.map +1 -0
package/dist/src/providers/openai-metadata-extraction.js +161 -0
package/dist/src/providers/openai-metadata-extraction.js.map +1 -0
package/dist/src/providers/operator-overrides.d.ts +24 -0
package/dist/src/providers/operator-overrides.d.ts.map +1 -0
package/dist/src/providers/operator-overrides.js +84 -0
package/dist/src/providers/operator-overrides.js.map +1 -0
package/dist/src/providers/stub.d.ts +17 -0
package/dist/src/providers/stub.d.ts.map +1 -0
package/dist/src/providers/stub.js +72 -0
package/dist/src/providers/stub.js.map +1 -0
package/dist/src/providers/types.d.ts +82 -0
package/dist/src/providers/types.d.ts.map +1 -0
package/dist/src/providers/types.js +52 -0
package/dist/src/providers/types.js.map +1 -0
package/dist/src/providers/voyage.d.ts +23 -0
package/dist/src/providers/voyage.d.ts.map +1 -0
package/dist/src/providers/voyage.js +135 -0
package/dist/src/providers/voyage.js.map +1 -0
package/dist/src/retrieval/compact.d.ts +89 -0
package/dist/src/retrieval/compact.d.ts.map +1 -0
package/dist/src/retrieval/compact.js +348 -0
package/dist/src/retrieval/compact.js.map +1 -0
package/dist/src/retrieval/context-pack.d.ts +123 -0
package/dist/src/retrieval/context-pack.d.ts.map +1 -0
package/dist/src/retrieval/context-pack.js +553 -0
package/dist/src/retrieval/context-pack.js.map +1 -0
package/dist/src/retrieval/cwd.d.ts +25 -0
package/dist/src/retrieval/cwd.d.ts.map +1 -0
package/dist/src/retrieval/cwd.js +48 -0
package/dist/src/retrieval/cwd.js.map +1 -0
package/dist/src/retrieval/degraded.d.ts +20 -0
package/dist/src/retrieval/degraded.d.ts.map +1 -0
package/dist/src/retrieval/degraded.js +43 -0
package/dist/src/retrieval/degraded.js.map +1 -0
package/dist/src/retrieval/hybrid.d.ts +38 -0
package/dist/src/retrieval/hybrid.d.ts.map +1 -0
package/dist/src/retrieval/hybrid.js +82 -0
package/dist/src/retrieval/hybrid.js.map +1 -0
package/dist/src/retrieval/lexical.d.ts +28 -0
package/dist/src/retrieval/lexical.d.ts.map +1 -0
package/dist/src/retrieval/lexical.js +301 -0
package/dist/src/retrieval/lexical.js.map +1 -0
package/dist/src/retrieval/post-filter.d.ts +32 -0
package/dist/src/retrieval/post-filter.d.ts.map +1 -0
package/dist/src/retrieval/post-filter.js +57 -0
package/dist/src/retrieval/post-filter.js.map +1 -0
package/dist/src/retrieval/reranker.d.ts +72 -0
package/dist/src/retrieval/reranker.d.ts.map +1 -0
package/dist/src/retrieval/reranker.js +129 -0
package/dist/src/retrieval/reranker.js.map +1 -0
package/dist/src/retrieval/vector.d.ts +47 -0
package/dist/src/retrieval/vector.d.ts.map +1 -0
package/dist/src/retrieval/vector.js +112 -0
package/dist/src/retrieval/vector.js.map +1 -0
package/dist/src/runtime/legacy-migration.d.ts +27 -0
package/dist/src/runtime/legacy-migration.d.ts.map +1 -0
package/dist/src/runtime/legacy-migration.js +140 -0
package/dist/src/runtime/legacy-migration.js.map +1 -0
package/dist/src/runtime/legacy-name-guard.d.ts +35 -0
package/dist/src/runtime/legacy-name-guard.d.ts.map +1 -0
package/dist/src/runtime/legacy-name-guard.js +58 -0
package/dist/src/runtime/legacy-name-guard.js.map +1 -0
package/dist/src/runtime/rift-env.d.ts +14 -0
package/dist/src/runtime/rift-env.d.ts.map +1 -0
package/dist/src/runtime/rift-env.js +79 -0
package/dist/src/runtime/rift-env.js.map +1 -0
package/dist/src/runtime/watcher-startup.d.ts +2 -0
package/dist/src/runtime/watcher-startup.d.ts.map +1 -0
package/dist/src/runtime/watcher-startup.js +4 -0
package/dist/src/runtime/watcher-startup.js.map +1 -0
package/dist/src/security/archive.d.ts +23 -0
package/dist/src/security/archive.d.ts.map +1 -0
package/dist/src/security/archive.js +163 -0
package/dist/src/security/archive.js.map +1 -0
package/dist/src/security/paths.d.ts +21 -0
package/dist/src/security/paths.d.ts.map +1 -0
package/dist/src/security/paths.js +67 -0
package/dist/src/security/paths.js.map +1 -0
package/dist/src/server/app.d.ts +29 -0
package/dist/src/server/app.d.ts.map +1 -0
package/dist/src/server/app.js +226 -0
package/dist/src/server/app.js.map +1 -0
package/dist/src/server/build-info.d.ts +8 -0
package/dist/src/server/build-info.d.ts.map +1 -0
package/dist/src/server/build-info.js +61 -0
package/dist/src/server/build-info.js.map +1 -0
package/dist/src/server/lifecycle.d.ts +30 -0
package/dist/src/server/lifecycle.d.ts.map +1 -0
package/dist/src/server/lifecycle.js +59 -0
package/dist/src/server/lifecycle.js.map +1 -0
package/dist/src/server/middleware/multipart.d.ts +51 -0
package/dist/src/server/middleware/multipart.d.ts.map +1 -0
package/dist/src/server/middleware/multipart.js +86 -0
package/dist/src/server/middleware/multipart.js.map +1 -0
package/dist/src/server/routes/compact.d.ts +37 -0
package/dist/src/server/routes/compact.d.ts.map +1 -0
package/dist/src/server/routes/compact.js +77 -0
package/dist/src/server/routes/compact.js.map +1 -0
package/dist/src/server/routes/context.d.ts +5 -0
package/dist/src/server/routes/context.d.ts.map +1 -0
package/dist/src/server/routes/context.js +50 -0
package/dist/src/server/routes/context.js.map +1 -0
package/dist/src/server/routes/conversations-search.d.ts +4 -0
package/dist/src/server/routes/conversations-search.d.ts.map +1 -0
package/dist/src/server/routes/conversations-search.js +243 -0
package/dist/src/server/routes/conversations-search.js.map +1 -0
package/dist/src/server/routes/friend-status.d.ts +72 -0
package/dist/src/server/routes/friend-status.d.ts.map +1 -0
package/dist/src/server/routes/friend-status.js +71 -0
package/dist/src/server/routes/friend-status.js.map +1 -0
package/dist/src/server/routes/ingest.d.ts +15 -0
package/dist/src/server/routes/ingest.d.ts.map +1 -0
package/dist/src/server/routes/ingest.js +139 -0
package/dist/src/server/routes/ingest.js.map +1 -0
package/dist/src/server/routes/jobs.d.ts +10 -0
package/dist/src/server/routes/jobs.d.ts.map +1 -0
package/dist/src/server/routes/jobs.js +29 -0
package/dist/src/server/routes/jobs.js.map +1 -0
package/dist/src/server/routes/mcp-usage.d.ts +13 -0
package/dist/src/server/routes/mcp-usage.d.ts.map +1 -0
package/dist/src/server/routes/mcp-usage.js +17 -0
package/dist/src/server/routes/mcp-usage.js.map +1 -0
package/dist/src/server/routes/reconcile.d.ts +4 -0
package/dist/src/server/routes/reconcile.d.ts.map +1 -0
package/dist/src/server/routes/reconcile.js +43 -0
package/dist/src/server/routes/reconcile.js.map +1 -0
package/dist/src/server/routes/reindex.d.ts +4 -0
package/dist/src/server/routes/reindex.d.ts.map +1 -0
package/dist/src/server/routes/reindex.js +74 -0
package/dist/src/server/routes/reindex.js.map +1 -0
package/dist/src/server/routes/save.d.ts +40 -0
package/dist/src/server/routes/save.d.ts.map +1 -0
package/dist/src/server/routes/save.js +112 -0
package/dist/src/server/routes/save.js.map +1 -0
package/dist/src/server/routes/search.d.ts +5 -0
package/dist/src/server/routes/search.d.ts.map +1 -0
package/dist/src/server/routes/search.js +400 -0
package/dist/src/server/routes/search.js.map +1 -0
package/dist/src/server/routes/stats.d.ts +10 -0
package/dist/src/server/routes/stats.d.ts.map +1 -0
package/dist/src/server/routes/stats.js +15 -0
package/dist/src/server/routes/stats.js.map +1 -0
package/dist/src/server/routes/status.d.ts +20 -0
package/dist/src/server/routes/status.d.ts.map +1 -0
package/dist/src/server/routes/status.js +31 -0
package/dist/src/server/routes/status.js.map +1 -0
package/dist/src/server/routes/triage.d.ts +4 -0
package/dist/src/server/routes/triage.d.ts.map +1 -0
package/dist/src/server/routes/triage.js +94 -0
package/dist/src/server/routes/triage.js.map +1 -0
package/dist/src/server/save-quality.d.ts +21 -0
package/dist/src/server/save-quality.d.ts.map +1 -0
package/dist/src/server/save-quality.js +51 -0
package/dist/src/server/save-quality.js.map +1 -0
package/dist/src/storage/atomic.d.ts +8 -0
package/dist/src/storage/atomic.d.ts.map +1 -0
package/dist/src/storage/atomic.js +22 -0
package/dist/src/storage/atomic.js.map +1 -0
package/dist/src/storage/db.d.ts +15 -0
package/dist/src/storage/db.d.ts.map +1 -0
package/dist/src/storage/db.js +43 -0
package/dist/src/storage/db.js.map +1 -0
package/dist/src/storage/integrity.d.ts +11 -0
package/dist/src/storage/integrity.d.ts.map +1 -0
package/dist/src/storage/integrity.js +66 -0
package/dist/src/storage/integrity.js.map +1 -0
package/dist/src/storage/rebuild.d.ts +37 -0
package/dist/src/storage/rebuild.d.ts.map +1 -0
package/dist/src/storage/rebuild.js +353 -0
package/dist/src/storage/rebuild.js.map +1 -0
package/dist/src/storage/shadow-swap.d.ts +20 -0
package/dist/src/storage/shadow-swap.d.ts.map +1 -0
package/dist/src/storage/shadow-swap.js +163 -0
package/dist/src/storage/shadow-swap.js.map +1 -0
package/dist/src/storage/tables.d.ts +77 -0
package/dist/src/storage/tables.d.ts.map +1 -0
package/dist/src/storage/tables.js +196 -0
package/dist/src/storage/tables.js.map +1 -0
package/package.json +45 -14
package/index.js +0 -3

package/README.dev.md ADDED Viewed

@@ -0,0 +1,110 @@
+# Rift (`rift`)
+Local-first personal memory + reasoning infrastructure. Captures local CLI sessions, web conversation exports, and project documents; routes them through triage, metadata extraction, and embedding; persists into LanceDB; exposes retrieval through a small MCP surface so agents can pull *capability, not payload*.
+Designed to feel like a built-in capability for whatever assistant is in front of it, not like a giant preloaded briefing.
+---
+## Architecture at a glance
+```
+┌─────────────────────────────────────────────────────────┐
+│  Live capture (claude_code, codex_cli session JSONLs)   │
+│  Web exports (chatgpt_web, claude_web, gemini, grok)    │
+│  Project docs (filesystem watchers / scheduled scans)   │
+└────────────────────┬────────────────────────────────────┘
+                     │
+                ┌────▼────┐
+                │ Triage  │   ← Codex CLI (default)
+                │  loop   │
+                └────┬────┘
+                     │ save / review / discard
+                     │
+                ┌────▼─────────────┐
+                │ Metadata extract │   ← Codex CLI (web/ingest path)
+                │  (POST /ingest)  │
+                └────┬─────────────┘
+                     │
+                ┌────▼──────────────────────────────────┐
+                │ Voyage AI embedding (voyage-3-lite)   │
+                └────┬──────────────────────────────────┘
+                     │
+                ┌────▼─────────────────────────────────┐
+                │ LanceDB                              │
+                │   conversations_hot / cold           │
+                │   structured_docs                    │
+                │   digests   ← Codex CLI digest job   │
+                └────┬─────────────────────────────────┘
+                     │
+                ┌────▼──────────────────────────┐
+                │ MCP server (life_*)           │
+                │ HTTP daemon on 127.0.0.1:3577 │
+                └───────────────────────────────┘
+```
+## Models & runtimes in use
+| Stage | Runtime | Model |
+|---|---|---|
+| Triage (decide save/review/discard) | local `codex` CLI | CLI default |
+| Metadata extraction (web/ingest path) | local `codex` CLI | CLI default |
+| Digest summarization (compact job) | local `codex` CLI | CLI default |
+| Embeddings | Voyage AI (cloud) | `voyage-3-lite` |
+| Local-LLM override (optional) | Ollama at `localhost:11434` | configurable (`metadata_model`, `digest_model`) |
+**Cloud mode (default)** — set `local_generation.enabled: false` in `config.json`. All LLM calls go through the operator's already-authenticated `codex` CLI. No Anthropic / OpenAI API key required.
+**Local-LLM override** — set `local_generation.enabled: true`. Metadata + digest go through the configured Ollama models. Triage still uses Codex CLI.
+The two modes are mutually exclusive — exactly one runtime owns LLM calls at a time.
+## CLI vs API surface
+**Local-only (no network)**:
+- `codex` CLI subprocess (every triage / metadata / digest call).
+- Filesystem watchers for project sources.
+- LanceDB on disk under `data/lancedb/`.
+- Daemon HTTP listens on `127.0.0.1:3577` (loopback only).
+- MCP server speaks JSON-RPC over stdio.
+**Network**:
+- Voyage embedding API (`api.voyageai.com`) — only consumer.
+**Provider classes preserved but not in the live default path** (kept for explicit batch/historical use): `OpenAITriageProvider`, `OpenAIMetadataExtractor`, `AnthropicDigestSummarizer`, `CliMetadataExtractor` (legacy Claude CLI subprocess).
+## Main commands
+```bash
+# Live capture (Claude Code + Codex CLI session files)
+rift capture                       # both sources
+rift capture --source codex_cli    # one source
+rift capture --dry-run             # preflight + triage, no saves
+# Status + telemetry
+rift status                        # daemon briefing + auto-capture summary
+rift stats                         # table counts, source coverage
+# Search
+rift search "..."
+# Daemon (managed by launchd)
+launchctl kickstart -k gui/$UID/com.rift.daemon
+launchctl print gui/$UID/com.rift.daemon
+```
+The macOS menu bar (SwiftBar plugin at `operator/swiftbar/rift.10s.sh`) shows daemon health and the live MCP-usage telemetry block (today / this week / this month / all-time call counts + tokens-saved estimate) at the top of its dropdown.
+## Pointers
+- [`TODO.md`](./TODO.md) — current/next/later tracker (updated end of every session).
+- [`PROJECT_STATE.md`](./PROJECT_STATE.md) — what's currently in flight.
+- [`CLAUDE.md`](./CLAUDE.md) — instructions for AI agents working in this repo.
+- [`docs/`](./docs/) — design docs (current system, API/MCP spec, capture contract, intelligence direction, etc.).
+## Conventions
+- TypeScript strict; `pnpm check` (or `npm run check`) before ship.
+- Vitest. Pretest generates fixtures.
+- Local-first, file-native storage under `data/`, `jobs/`, `reports/`.
+- Auto-capture triage depends on a working, authenticated `codex` CLI. Preflight failures here mean CLI auth/install/runtime issues (`codex login`, CLI upgrade/reinstall, or launchd PATH), not a missing `rift.openai` Keychain secret — that path was retired.

package/README.md ADDED Viewed

@@ -0,0 +1,130 @@
+# Rift
+**Mémoire personnelle locale pour tes IA.** Rift capture en local tes sessions Claude Code et Codex CLI, les triage, les indexe, et expose une mémoire interrogeable via MCP — pour que Claude Desktop, Claude Code, Codex et Cursor retrouvent ce que tu leur as déjà dit.
+Tout reste sur ta machine, sauf les *embeddings* (envoyés à Voyage AI sous une clé qui t'appartient).
+---
+## À lire avant d'installer
+> **La capture démarre maintenant.**
+> Au premier lancement, Rift pose un *watermark* sur tes sessions Claude Code et Codex CLI existantes : **elles ne sont pas réingérées rétroactivement**. Seules les sessions à partir de l'installation comptent.
+>
+> Si tu veux que tes conversations historiques (sessions Claude Code locales antérieures, exports `.zip` de claude.ai / chatgpt.com / gemini.google.com / grok.com) soient *aussi* indexées, c'est une **prestation séparée** — voir la section [Backfill historique (payant)](#backfill-historique-payant) plus bas.
+---
+## Prérequis
+- macOS 12.3 ou plus récent.
+- Node.js 20.19+ (vérifie avec `node --version`).
+- npm (livré avec Node).
+- [Codex CLI](https://github.com/openai/codex) installé et authentifié (`codex login`). Rift fait passer le triage et l'extraction de métadonnées par ton CLI Codex local — pas besoin de clé OpenAI séparée.
+- Une clé Voyage AI (création gratuite sur [voyageai.com](https://www.voyageai.com/)). Sert *uniquement* aux embeddings ; chaque user a sa propre clé.
+## Installation (1 commande)
+```sh
+curl -fsSL https://getrift.dev/install | bash
+```
+Ce que fait le script :
+- vérifie les prérequis (macOS, Node, codex CLI…),
+- installe globalement le paquet npm `@getrift/rift@beta`,
+- crée les dossiers de données (`~/Library/Application Support/Rift/`),
+- pose un agent launchd (`com.getrift.daemon`) qui démarre Rift à la session,
+- attend que `/health` réponde sur `127.0.0.1:3577`.
+Si l'installation échoue, le script restaure ton état précédent et imprime un identifiant de backup pour le diagnostic.
+## Premier paramétrage
+```sh
+rift onboard
+```
+L'assistant va :
+1. te demander ta clé Voyage AI (collée depuis ton 1Password — elle ne s'affiche pas) ;
+2. valider la clé en faisant un embed test ;
+3. faire un *preflight* sur ton Codex CLI (vérifie qu'il est authentifié) ;
+4. lancer une première passe de capture (les sessions existantes sont watermarkées, pas ingérées) ;
+5. proposer de brancher Rift comme serveur MCP dans Claude Desktop / Claude Code / Codex / Cursor.
+Tu peux importer un export ChatGPT ou Claude.ai pendant l'onboarding (optionnel — voir la section backfill).
+## Vérifier que ça tourne
+```sh
+rift status
+```
+Tu dois voir quelque chose comme :
+```
+Rift v0.1.0-beta.0  ·  daemon: running (uptime 5m)  ·  port 3577 ✓
+Voyage:      key valid (last 4 …xxxx, last embed 2m ago)
+Codex CLI:   authed ✓
+Capture:     last run 8m ago — 3 saved · 0 review · 0 failed
+MCP:         claude-desktop ✓  ·  codex ✓  ·  claude-code ✓  ·  cursor ✓
+Feedback:    relay off (local JSONL only)
+Next:        nothing broken. Try rift search "<topic>".
+```
+## Usage quotidien
+- **Rien à faire.** Le daemon tourne en tâche de fond, ingère tes nouvelles sessions Claude Code / Codex CLI toutes les heures, et expose la mémoire via MCP.
+- **Rechercher en CLI :** `rift search "comment on a structuré le pricing"`
+- **Forcer une passe maintenant :** `rift capture`
+- **Ouvrir une conversation MCP** (Claude Desktop, Cursor, etc.) — Rift apparaît dans la liste des outils. Tape *"recall what we decided about X"* et l'agent appellera `rift_search` / `rift_context_pack` automatiquement.
+## Vie privée
+- **Local par défaut.** Tes sessions, métadonnées, et la base vectorielle (LanceDB) restent sur ta machine.
+- **Voyage AI.** Seuls les *snippets* envoyés pour embedding partent vers Voyage. Ta clé t'appartient ; tu peux la révoquer côté Voyage à tout moment.
+- **Aucune télémétrie de contenu.** Rift n'envoie rien chez moi, sauf si tu actives explicitement le *feedback relay* (`rift feedback --kind=...`) — et même là, c'est uniquement la note que tu écris, pas tes conversations.
+- **Désinstallation propre :** `rift uninstall` enlève le daemon, les entrées MCP, et (avec `--purge-data`) les données.
+Le contrat de vie privée détaillé arrive avec le paquet : `docs/feedback/PRIVACY.md`.
+## Backfill historique (payant)
+Le watermark protège ton historique pré-installation : Rift ne va pas inonder ta mémoire avec deux ans de conversations dont la moitié sont du débogage jetable. Mais si tu veux *vraiment* que ton corpus passé soit indexé — sessions Claude Code locales antérieures, exports `.zip` claude.ai, chatgpt.com, gemini.google.com, grok.com — c'est faisable, mais ça représente plusieurs heures de tri et de QA pour calibrer les filtres à ton usage.
+**Tarif : 500 € HT, prestation ponctuelle.**
+Ce que ça inclut :
+- import de tes exports web (`rift import <export.zip>`) avec audit du contenu,
+- déwatermark ciblé des sessions Claude Code / Codex CLI valant le coup (filtré par date, projet, ou heuristique),
+- tuning des règles de triage à ton usage réel pendant une semaine,
+- une session de 60 min en visio pour valider ce qui est dans la mémoire vs ce qui a été écarté.
+Pour déclencher : il me faut un bon de commande / facture HT signée par ton boss. Une fois validé, on cale 1h de kickoff.
+## En cas de pépin
+- **Le daemon ne répond pas :**
+  ```sh
+  launchctl kickstart -k gui/$UID/com.getrift.daemon
+  ```
+- **Codex CLI auth périmé :** `codex login`
+- **Clé Voyage révoquée / changée :** `rift onboard --reconfigure-voyage`
+- **MCP pas branché dans un client :** `rift mcp install --client=claude-desktop` (ou `codex`, `claude-code`, `cursor`)
+- **Donner du feedback (utile) :** `rift feedback --kind=broke --with-status` — capture l'état du daemon et l'envoie en local (et en relay si tu l'as activé pendant l'onboard).
+## Désinstaller
+```sh
+rift uninstall              # enlève daemon + MCP
+rift uninstall --purge-data # + supprime les données locales
+```
+La clé Voyage reste dans `~/.rift.env` même après `--purge-data` — la commande affiche le `rm` exact pour la supprimer (ou tu peux la révoquer côté Voyage).
+## License
+Beta privée. Pas de redistribution.

package/dist/src/auth/keychain.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Low-level Keychain operations.
+ *
+ * Abstracted as an interface so rotation.ts can be tested with an
+ * in-memory implementation that never touches the real Keychain.
+ */
+export interface KeychainOps {
+    read(version: number): Promise<string | null>;
+    write(version: number, token: string): Promise<void>;
+    delete(version: number): Promise<void>;
+    findLatestVersion(): Promise<number>;
+}
+/**
+ * Production Keychain backend using the macOS `security` CLI.
+ *
+ * Token versioning: each version is stored as a separate generic-password
+ * entry. A metadata entry (`AUTH_TOKEN_CURRENT_VERSION`) tracks the
+ * latest version number so we avoid scanning the entire keychain.
+ *
+ * Error policy: only "item not found" (exit 44) is swallowed where
+ * appropriate. All other errors (locked keychain, permission denied,
+ * missing binary) propagate as thrown exceptions.
+ */
+export declare const macKeychain: KeychainOps;
+//# sourceMappingURL=keychain.d.ts.map

package/dist/src/auth/keychain.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../../../src/auth/keychain.ts"],"names":[],"mappings":"AAaA;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC9C,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,iBAAiB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CACtC;AAgBD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,WAAW,EAAE,WA0EzB,CAAC"}

package/dist/src/auth/keychain.js ADDED Viewed

@@ -0,0 +1,113 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+const SERVICE = "com.getrift.daemon";
+/**
+ * macOS `security` CLI exit code for errSecItemNotFound.
+ * This is the only error we treat as "success with empty result".
+ * All other non-zero exits are real failures that must propagate.
+ */
+const ERR_SEC_ITEM_NOT_FOUND = 44;
+function accountName(version) {
+    return `AUTH_TOKEN_v${version}`;
+}
+/**
+ * Returns true only for the specific "item not found" error from
+ * the macOS `security` CLI. All other errors are real failures.
+ */
+function isItemNotFound(err) {
+    if (!(err instanceof Error))
+        return false;
+    const execErr = err;
+    return execErr.code === ERR_SEC_ITEM_NOT_FOUND;
+}
+/**
+ * Production Keychain backend using the macOS `security` CLI.
+ *
+ * Token versioning: each version is stored as a separate generic-password
+ * entry. A metadata entry (`AUTH_TOKEN_CURRENT_VERSION`) tracks the
+ * latest version number so we avoid scanning the entire keychain.
+ *
+ * Error policy: only "item not found" (exit 44) is swallowed where
+ * appropriate. All other errors (locked keychain, permission denied,
+ * missing binary) propagate as thrown exceptions.
+ */
+export const macKeychain = {
+    async read(version) {
+        try {
+            const { stdout } = await execFileAsync("security", [
+                "find-generic-password",
+                "-a",
+                accountName(version),
+                "-s",
+                SERVICE,
+                "-w",
+            ]);
+            return stdout.trim() || null;
+        }
+        catch (err) {
+            if (isItemNotFound(err))
+                return null;
+            throw err;
+        }
+    },
+    async write(version, token) {
+        await execFileAsync("security", [
+            "add-generic-password",
+            "-a",
+            accountName(version),
+            "-s",
+            SERVICE,
+            "-w",
+            token,
+            "-U",
+        ]);
+        // Update version counter
+        await execFileAsync("security", [
+            "add-generic-password",
+            "-a",
+            "AUTH_TOKEN_CURRENT_VERSION",
+            "-s",
+            SERVICE,
+            "-w",
+            String(version),
+            "-U",
+        ]);
+    },
+    async delete(version) {
+        try {
+            await execFileAsync("security", [
+                "delete-generic-password",
+                "-a",
+                accountName(version),
+                "-s",
+                SERVICE,
+            ]);
+        }
+        catch (err) {
+            if (isItemNotFound(err))
+                return; // Already gone — fine.
+            throw err;
+        }
+    },
+    async findLatestVersion() {
+        try {
+            const { stdout } = await execFileAsync("security", [
+                "find-generic-password",
+                "-a",
+                "AUTH_TOKEN_CURRENT_VERSION",
+                "-s",
+                SERVICE,
+                "-w",
+            ]);
+            const version = Number(stdout.trim());
+            return Number.isNaN(version) ? 0 : version;
+        }
+        catch (err) {
+            if (isItemNotFound(err))
+                return 0; // No tokens issued yet.
+            throw err;
+        }
+    },
+};
+//# sourceMappingURL=keychain.js.map

package/dist/src/auth/keychain.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"keychain.js","sourceRoot":"","sources":["../../../src/auth/keychain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAC1C,MAAM,OAAO,GAAG,oBAAoB,CAAC;AAErC;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAelC,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,eAAe,OAAO,EAAE,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,GAAY;IAClC,IAAI,CAAC,CAAC,GAAG,YAAY,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,OAAO,GAAG,GAAwB,CAAC;IACzC,OAAO,OAAO,CAAC,IAAI,KAAK,sBAAsB,CAAC;AACjD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,WAAW,GAAgB;IACtC,KAAK,CAAC,IAAI,CAAC,OAAO;QAChB,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE;gBACjD,uBAAuB;gBACvB,IAAI;gBACJ,WAAW,CAAC,OAAO,CAAC;gBACpB,IAAI;gBACJ,OAAO;gBACP,IAAI;aACL,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,cAAc,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YACrC,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK;QACxB,MAAM,aAAa,CAAC,UAAU,EAAE;YAC9B,sBAAsB;YACtB,IAAI;YACJ,WAAW,CAAC,OAAO,CAAC;YACpB,IAAI;YACJ,OAAO;YACP,IAAI;YACJ,KAAK;YACL,IAAI;SACL,CAAC,CAAC;QACH,yBAAyB;QACzB,MAAM,aAAa,CAAC,UAAU,EAAE;YAC9B,sBAAsB;YACtB,IAAI;YACJ,4BAA4B;YAC5B,IAAI;YACJ,OAAO;YACP,IAAI;YACJ,MAAM,CAAC,OAAO,CAAC;YACf,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAO;QAClB,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,UAAU,EAAE;gBAC9B,yBAAyB;gBACzB,IAAI;gBACJ,WAAW,CAAC,OAAO,CAAC;gBACpB,IAAI;gBACJ,OAAO;aACR,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,cAAc,CAAC,GAAG,CAAC;gBAAE,OAAO,CAAC,uBAAuB;YACxD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE;gBACjD,uBAAuB;gBACvB,IAAI;gBACJ,4BAA4B;gBAC5B,IAAI;gBACJ,OAAO;gBACP,IAAI;aACL,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YACtC,OAAO,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,cAAc,CAAC,GAAG,CAAC;gBAAE,OAAO,CAAC,CAAC,CAAC,wBAAwB;YAC3D,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/src/auth/middleware.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { FastifyInstance } from "fastify";
+import type { Config } from "../config/schema.js";
+import type { TokenManager } from "./rotation.js";
+import type { RateLimiter } from "./rate-limit.js";
+/**
+ * Register the bearer-token auth hook and per-token rate limiter.
+ *
+ * Auth is skipped for /health, /ready, /version, and /stats/mcp-usage
+ * (unauthenticated probes used by health/operator surfaces).
+ *
+ * Test-only bypass: when `NODE_ENV=test` AND `config.auth.test_token`
+ * is set AND the bearer matches it, the request is allowed without
+ * consulting the TokenManager. This is the ONLY way to bypass Keychain
+ * in tests — it is never active in production config.
+ *
+ * Rate limiting is skipped for `DELETE /auth/token` so a leaked token
+ * that has hit the rate-limit cap can still revoke itself.
+ */
+export declare function registerAuth(server: FastifyInstance, config: Config, tokenManager: TokenManager | null, rateLimiter: RateLimiter): void;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/src/auth/middleware.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAYnD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,YAAY,CAC1B,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,YAAY,GAAG,IAAI,EACjC,WAAW,EAAE,WAAW,GACvB,IAAI,CA8BN"}

package/dist/src/auth/middleware.js ADDED Viewed

@@ -0,0 +1,49 @@
+const EXEMPT_ROUTES = new Set([
+    "/health",
+    "/ready",
+    "/version",
+    // SwiftBar polls this on every tick. Response carries only call counts
+    // and tool names — no user content — so unauthenticated is safe and
+    // matches the /health, /version posture.
+    "/stats/mcp-usage",
+]);
+/**
+ * Register the bearer-token auth hook and per-token rate limiter.
+ *
+ * Auth is skipped for /health, /ready, /version, and /stats/mcp-usage
+ * (unauthenticated probes used by health/operator surfaces).
+ *
+ * Test-only bypass: when `NODE_ENV=test` AND `config.auth.test_token`
+ * is set AND the bearer matches it, the request is allowed without
+ * consulting the TokenManager. This is the ONLY way to bypass Keychain
+ * in tests — it is never active in production config.
+ *
+ * Rate limiting is skipped for `DELETE /auth/token` so a leaked token
+ * that has hit the rate-limit cap can still revoke itself.
+ */
+export function registerAuth(server, config, tokenManager, rateLimiter) {
+    server.addHook("onRequest", async (request, reply) => {
+        const path = request.url.split("?")[0];
+        if (EXEMPT_ROUTES.has(path))
+            return;
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            return reply.code(401).send({ error: "missing_token" });
+        }
+        const token = authHeader.slice(7);
+        // Test-only bypass — double-gated.
+        const isTestBypass = process.env.NODE_ENV === "test" &&
+            config.auth.test_token !== undefined &&
+            token === config.auth.test_token;
+        if (!isTestBypass && (tokenManager === null || !tokenManager.validate(token))) {
+            return reply.code(401).send({ error: "invalid_token" });
+        }
+        // Rate limit — but exempt DELETE /auth/token so a leaked token
+        // that has already hit the cap can still revoke itself.
+        const isRateLimitExempt = path === "/auth/token" && request.method === "DELETE";
+        if (!isRateLimitExempt && !rateLimiter.check(token)) {
+            return reply.code(429).send({ error: "rate_limit_exceeded" });
+        }
+    });
+}
+//# sourceMappingURL=middleware.js.map

package/dist/src/auth/middleware.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/auth/middleware.ts"],"names":[],"mappings":"AAKA,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,SAAS;IACT,QAAQ;IACR,UAAU;IACV,uEAAuE;IACvE,oEAAoE;IACpE,yCAAyC;IACzC,kBAAkB;CACnB,CAAC,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,YAAY,CAC1B,MAAuB,EACvB,MAAc,EACd,YAAiC,EACjC,WAAwB;IAExB,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACnD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,IAAI,aAAa,CAAC,GAAG,CAAC,IAAK,CAAC;YAAE,OAAO;QAErC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAElC,mCAAmC;QACnC,MAAM,YAAY,GAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM;YAC/B,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS;YACpC,KAAK,KAAK,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QAEnC,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY,KAAK,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAC9E,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,+DAA+D;QAC/D,wDAAwD;QACxD,MAAM,iBAAiB,GACrB,IAAI,KAAK,aAAa,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,CAAC;QACxD,IAAI,CAAC,iBAAiB,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACpD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/src/auth/rate-limit.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Per-token sliding-window rate limiter.
+ *
+ * Tracks request timestamps per token. On each call to `check()`,
+ * expired entries are pruned and the count is compared to the limit.
+ */
+export declare class RateLimiter {
+    private windowMs;
+    private maxRequests;
+    private windows;
+    constructor(windowMs: number, maxRequests: number);
+    /** Returns `true` if the request is allowed, `false` if rate-limited. */
+    check(token: string): boolean;
+    reset(): void;
+}
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/src/auth/rate-limit.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/auth/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,qBAAa,WAAW;IAIpB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,WAAW;IAJrB,OAAO,CAAC,OAAO,CAA+B;gBAGpC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM;IAG7B,yEAAyE;IACzE,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAuB7B,KAAK,IAAI,IAAI;CAGd"}

package/dist/src/auth/rate-limit.js ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Per-token sliding-window rate limiter.
+ *
+ * Tracks request timestamps per token. On each call to `check()`,
+ * expired entries are pruned and the count is compared to the limit.
+ */
+export class RateLimiter {
+    windowMs;
+    maxRequests;
+    windows = new Map();
+    constructor(windowMs, maxRequests) {
+        this.windowMs = windowMs;
+        this.maxRequests = maxRequests;
+    }
+    /** Returns `true` if the request is allowed, `false` if rate-limited. */
+    check(token) {
+        const now = Date.now();
+        const cutoff = now - this.windowMs;
+        let timestamps = this.windows.get(token);
+        if (!timestamps) {
+            timestamps = [];
+            this.windows.set(token, timestamps);
+        }
+        // Prune expired entries from the front.
+        while (timestamps.length > 0 && timestamps[0] < cutoff) {
+            timestamps.shift();
+        }
+        if (timestamps.length >= this.maxRequests) {
+            return false;
+        }
+        timestamps.push(now);
+        return true;
+    }
+    reset() {
+        this.windows.clear();
+    }
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/src/auth/rate-limit.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../../src/auth/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,OAAO,WAAW;IAIZ;IACA;IAJF,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IAE9C,YACU,QAAgB,EAChB,WAAmB;QADnB,aAAQ,GAAR,QAAQ,CAAQ;QAChB,gBAAW,GAAX,WAAW,CAAQ;IAC1B,CAAC;IAEJ,yEAAyE;IACzE,KAAK,CAAC,KAAa;QACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEnC,IAAI,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,UAAU,GAAG,EAAE,CAAC;YAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACtC,CAAC;QAED,wCAAwC;QACxC,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,CAAC,CAAE,GAAG,MAAM,EAAE,CAAC;YACxD,UAAU,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;CACF"}

package/dist/src/auth/rotation.d.ts ADDED Viewed

@@ -0,0 +1,67 @@
+import type { KeychainOps } from "./keychain.js";
+/**
+ * In-memory token state machine backed by a KeychainOps provider.
+ *
+ * Invariants:
+ * - At most 2 tokens are valid at once: current + grace (previous).
+ * - Grace expires after `gracePeriodMs` (default 60 s).
+ * - `load()` restores only the current version — no grace for old
+ *   tokens on daemon restart (PRD: timer does not survive restart).
+ * - `revokeAll()` immediately invalidates everything and deletes
+ *   ALL Keychain entries (versions 1..current) so revoked tokens
+ *   don't resurface on restart and old secrets don't accumulate.
+ * - `issue()` eagerly deletes any superseded grace version from
+ *   Keychain before setting up new grace, so rapid rotation
+ *   (v1→v2→v3 within one grace window) never leaves old secrets.
+ *   The latest grace version is cleaned up when its timer fires.
+ */
+export declare class TokenManager {
+    private keychain;
+    private gracePeriodMs;
+    private currentVersion;
+    private currentToken;
+    private graceToken;
+    private graceVersion;
+    private graceTimer;
+    constructor(keychain: KeychainOps, gracePeriodMs?: number);
+    /**
+     * Cold-load: restore the current token from keychain with no grace.
+     * Used at daemon startup — PRD: grace timer does not survive restart.
+     */
+    load(): Promise<void>;
+    /**
+     * Hot-reload: pick up a new token from keychain (e.g. after CLI
+     * issues a token and sends SIGHUP).
+     *
+     * When `noGrace` is false (default), the old token enters a 60 s
+     * grace window. When `noGrace` is true, the old token is immediately
+     * invalidated and its Keychain entry deleted — used by `token issue`
+     * to enforce single-active-credential semantics (PRD: "makes it the
+     * sole active token").
+     *
+     * If the version hasn't changed, just refreshes the current value.
+     */
+    reload(opts?: {
+        noGrace?: boolean;
+    }): Promise<void>;
+    /** Check if a token is currently valid (current or within grace). */
+    validate(token: string): boolean;
+    /** Issue a new token. Returns the new version number. */
+    issue(newToken: string): Promise<number>;
+    /**
+     * Immediately revoke all tokens. No grace period.
+     *
+     * Clears in-memory state first (immediate effect for the running
+     * daemon), then deletes ALL Keychain entries (versions 1..current)
+     * so revoked tokens cannot resurface on restart.
+     *
+     * Keychain delete errors propagate — the caller (route handler)
+     * should surface them so the operator knows cleanup may be incomplete.
+     */
+    revokeAll(): Promise<void>;
+    /** Clean up timers. Call on daemon shutdown. */
+    shutdown(): void;
+    private clearGraceTimer;
+    private clearGrace;
+}
+//# sourceMappingURL=rotation.d.ts.map

package/dist/src/auth/rotation.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rotation.d.ts","sourceRoot":"","sources":["../../../src/auth/rotation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEjD;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,YAAY;IAQrB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,aAAa;IARvB,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,YAAY,CAAK;IACzB,OAAO,CAAC,UAAU,CAA8C;gBAGtD,QAAQ,EAAE,WAAW,EACrB,aAAa,SAAS;IAGhC;;;OAGG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAS3B;;;;;;;;;;;OAWG;IACG,MAAM,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAoEzD,qEAAqE;IACrE,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAMhC,yDAAyD;IACnD,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA6C9C;;;;;;;;;OASG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAWhC,gDAAgD;IAChD,QAAQ,IAAI,IAAI;IAIhB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,UAAU;CAKnB"}