@graphorin/cli 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (109) hide show
  1. package/CHANGELOG.md +7 -0
  2. package/LICENSE +21 -0
  3. package/README.md +130 -0
  4. package/dist/bin/graphorin.d.ts +1 -0
  5. package/dist/bin/graphorin.js +606 -0
  6. package/dist/bin/graphorin.js.map +1 -0
  7. package/dist/commands/audit.d.ts +59 -0
  8. package/dist/commands/audit.d.ts.map +1 -0
  9. package/dist/commands/audit.js +156 -0
  10. package/dist/commands/audit.js.map +1 -0
  11. package/dist/commands/auth.d.ts +48 -0
  12. package/dist/commands/auth.d.ts.map +1 -0
  13. package/dist/commands/auth.js +148 -0
  14. package/dist/commands/auth.js.map +1 -0
  15. package/dist/commands/consolidator.d.ts +49 -0
  16. package/dist/commands/consolidator.d.ts.map +1 -0
  17. package/dist/commands/consolidator.js +97 -0
  18. package/dist/commands/consolidator.js.map +1 -0
  19. package/dist/commands/doctor.d.ts +64 -0
  20. package/dist/commands/doctor.d.ts.map +1 -0
  21. package/dist/commands/doctor.js +150 -0
  22. package/dist/commands/doctor.js.map +1 -0
  23. package/dist/commands/guard.d.ts +35 -0
  24. package/dist/commands/guard.d.ts.map +1 -0
  25. package/dist/commands/guard.js +86 -0
  26. package/dist/commands/guard.js.map +1 -0
  27. package/dist/commands/index.d.ts +21 -0
  28. package/dist/commands/index.js +22 -0
  29. package/dist/commands/init.d.ts +46 -0
  30. package/dist/commands/init.d.ts.map +1 -0
  31. package/dist/commands/init.js +131 -0
  32. package/dist/commands/init.js.map +1 -0
  33. package/dist/commands/memory.d.ts +243 -0
  34. package/dist/commands/memory.d.ts.map +1 -0
  35. package/dist/commands/memory.js +471 -0
  36. package/dist/commands/memory.js.map +1 -0
  37. package/dist/commands/migrate-config.d.ts +20 -0
  38. package/dist/commands/migrate-config.d.ts.map +1 -0
  39. package/dist/commands/migrate-config.js +48 -0
  40. package/dist/commands/migrate-config.js.map +1 -0
  41. package/dist/commands/migrate-export.d.ts +26 -0
  42. package/dist/commands/migrate-export.d.ts.map +1 -0
  43. package/dist/commands/migrate-export.js +67 -0
  44. package/dist/commands/migrate-export.js.map +1 -0
  45. package/dist/commands/migrate.d.ts +31 -0
  46. package/dist/commands/migrate.d.ts.map +1 -0
  47. package/dist/commands/migrate.js +59 -0
  48. package/dist/commands/migrate.js.map +1 -0
  49. package/dist/commands/pricing.d.ts +66 -0
  50. package/dist/commands/pricing.d.ts.map +1 -0
  51. package/dist/commands/pricing.js +128 -0
  52. package/dist/commands/pricing.js.map +1 -0
  53. package/dist/commands/secrets.d.ts +96 -0
  54. package/dist/commands/secrets.d.ts.map +1 -0
  55. package/dist/commands/secrets.js +182 -0
  56. package/dist/commands/secrets.js.map +1 -0
  57. package/dist/commands/skills.d.ts +58 -0
  58. package/dist/commands/skills.d.ts.map +1 -0
  59. package/dist/commands/skills.js +181 -0
  60. package/dist/commands/skills.js.map +1 -0
  61. package/dist/commands/start.d.ts +51 -0
  62. package/dist/commands/start.d.ts.map +1 -0
  63. package/dist/commands/start.js +122 -0
  64. package/dist/commands/start.js.map +1 -0
  65. package/dist/commands/storage.d.ts +110 -0
  66. package/dist/commands/storage.d.ts.map +1 -0
  67. package/dist/commands/storage.js +274 -0
  68. package/dist/commands/storage.js.map +1 -0
  69. package/dist/commands/telemetry.d.ts +21 -0
  70. package/dist/commands/telemetry.d.ts.map +1 -0
  71. package/dist/commands/telemetry.js +75 -0
  72. package/dist/commands/telemetry.js.map +1 -0
  73. package/dist/commands/token.d.ts +109 -0
  74. package/dist/commands/token.d.ts.map +1 -0
  75. package/dist/commands/token.js +246 -0
  76. package/dist/commands/token.js.map +1 -0
  77. package/dist/commands/tools-lint.d.ts +103 -0
  78. package/dist/commands/tools-lint.d.ts.map +1 -0
  79. package/dist/commands/tools-lint.js +240 -0
  80. package/dist/commands/tools-lint.js.map +1 -0
  81. package/dist/commands/traces.d.ts +33 -0
  82. package/dist/commands/traces.d.ts.map +1 -0
  83. package/dist/commands/traces.js +103 -0
  84. package/dist/commands/traces.js.map +1 -0
  85. package/dist/commands/triggers.d.ts +49 -0
  86. package/dist/commands/triggers.d.ts.map +1 -0
  87. package/dist/commands/triggers.js +129 -0
  88. package/dist/commands/triggers.js.map +1 -0
  89. package/dist/index.d.ts +46 -0
  90. package/dist/index.d.ts.map +1 -0
  91. package/dist/index.js +47 -0
  92. package/dist/index.js.map +1 -0
  93. package/dist/internal/exit.js +17 -0
  94. package/dist/internal/exit.js.map +1 -0
  95. package/dist/internal/load-config.js +84 -0
  96. package/dist/internal/load-config.js.map +1 -0
  97. package/dist/internal/offline.d.ts +58 -0
  98. package/dist/internal/offline.d.ts.map +1 -0
  99. package/dist/internal/offline.js +72 -0
  100. package/dist/internal/offline.js.map +1 -0
  101. package/dist/internal/output.d.ts +56 -0
  102. package/dist/internal/output.d.ts.map +1 -0
  103. package/dist/internal/output.js +86 -0
  104. package/dist/internal/output.js.map +1 -0
  105. package/dist/internal/prompts.js +49 -0
  106. package/dist/internal/prompts.js.map +1 -0
  107. package/dist/internal/store-context.js +69 -0
  108. package/dist/internal/store-context.js.map +1 -0
  109. package/package.json +79 -0
@@ -0,0 +1,22 @@
1
+ import { runAuditExport, runAuditPrune, runAuditVerify } from "./audit.js";
2
+ import { runAuthList, runAuthLogin, runAuthRefresh, runAuthRevoke, runAuthStatus } from "./auth.js";
3
+ import { CONSOLIDATOR_INVALID_TIER_EXIT, runConsolidatorSetTier, runConsolidatorStatus, runConsolidatorStop } from "./consolidator.js";
4
+ import { expectedFileModes, runDoctor } from "./doctor.js";
5
+ import { runGuardExplain, runGuardStatus } from "./guard.js";
6
+ import { runInit } from "./init.js";
7
+ import { runMemoryActivity, runMemoryInspect, runMemoryMigrate, runMemoryReview, runMemoryStatus, runMemoryWhy } from "./memory.js";
8
+ import { runStart } from "./start.js";
9
+ import { runMigrate } from "./migrate.js";
10
+ import { runMigrateConfig } from "./migrate-config.js";
11
+ import { runMigrateExport } from "./migrate-export.js";
12
+ import { runPricingDiff, runPricingLookup, runPricingMissing, runPricingRefresh, runPricingStatus } from "./pricing.js";
13
+ import { runSecretsDelete, runSecretsGet, runSecretsList, runSecretsRef, runSecretsRotate, runSecretsSet } from "./secrets.js";
14
+ import { runSkillsAudit, runSkillsInspect, runSkillsInstall, runSkillsMigrateFrontmatter } from "./skills.js";
15
+ import { runStorageCleanupBackups, runStorageEncrypt, runStorageRekey, runStorageStatus } from "./storage.js";
16
+ import { runTelemetryDisable, runTelemetryEnable, runTelemetryInspect, runTelemetryStatus } from "./telemetry.js";
17
+ import { parseDuration, runTokenCreate, runTokenList, runTokenRekey, runTokenRevoke, runTokenRotate, runTokenVerify } from "./token.js";
18
+ import { runToolsLint } from "./tools-lint.js";
19
+ import { runTracesPrune, runTracesStatus } from "./traces.js";
20
+ import { runTriggersDisable, runTriggersFire, runTriggersList, runTriggersPrune, runTriggersStatus } from "./triggers.js";
21
+
22
+ export { CONSOLIDATOR_INVALID_TIER_EXIT, expectedFileModes, parseDuration, runAuditExport, runAuditPrune, runAuditVerify, runAuthList, runAuthLogin, runAuthRefresh, runAuthRevoke, runAuthStatus, runConsolidatorSetTier, runConsolidatorStatus, runConsolidatorStop, runDoctor, runGuardExplain, runGuardStatus, runInit, runMemoryActivity, runMemoryInspect, runMemoryMigrate, runMemoryReview, runMemoryStatus, runMemoryWhy, runMigrate, runMigrateConfig, runMigrateExport, runPricingDiff, runPricingLookup, runPricingMissing, runPricingRefresh, runPricingStatus, runSecretsDelete, runSecretsGet, runSecretsList, runSecretsRef, runSecretsRotate, runSecretsSet, runSkillsAudit, runSkillsInspect, runSkillsInstall, runSkillsMigrateFrontmatter, runStart, runStorageCleanupBackups, runStorageEncrypt, runStorageRekey, runStorageStatus, runTelemetryDisable, runTelemetryEnable, runTelemetryInspect, runTelemetryStatus, runTokenCreate, runTokenList, runTokenRekey, runTokenRevoke, runTokenRotate, runTokenVerify, runToolsLint, runTracesPrune, runTracesStatus, runTriggersDisable, runTriggersFire, runTriggersList, runTriggersPrune, runTriggersStatus };
@@ -0,0 +1,46 @@
1
+ //#region src/commands/init.d.ts
2
+ /**
3
+ * `graphorin init` — interactive bootstrap.
4
+ *
5
+ * Writes a fresh `graphorin.config.ts` to the current working
6
+ * directory (or `--out`), prompts the operator for the cloud-upload
7
+ * sensitivity tier + storage encryption opt-in, and prints exactly
8
+ * one bootstrap admin token (held by the operator from this point
9
+ * onward — the tool never persists nor logs the raw value).
10
+ *
11
+ * `--non-interactive` accepts every choice through flags or env vars
12
+ * so the command works equally well in CI / image-build pipelines.
13
+ *
14
+ * @packageDocumentation
15
+ */
16
+ /**
17
+ * @stable
18
+ */
19
+ interface InitCommandOptions {
20
+ readonly out?: string;
21
+ readonly nonInteractive?: boolean;
22
+ readonly cloudConsent?: 'public-only' | 'public-and-internal' | 'all-with-warnings';
23
+ readonly encrypted?: boolean;
24
+ readonly cwd?: string;
25
+ /** Test seam: skip writing files (only print the report). */
26
+ readonly dryRun?: boolean;
27
+ /** Test seam: redirect stdout/err. */
28
+ readonly print?: (line: string) => void;
29
+ }
30
+ /**
31
+ * @stable
32
+ */
33
+ interface InitCommandResult {
34
+ readonly configPath: string;
35
+ readonly bootstrapToken: string;
36
+ readonly serverPepperHex: string;
37
+ readonly cloudConsent: 'public-only' | 'public-and-internal' | 'all-with-warnings';
38
+ readonly storageEncrypted: boolean;
39
+ }
40
+ /**
41
+ * @stable
42
+ */
43
+ declare function runInit(options?: InitCommandOptions): Promise<InitCommandResult>;
44
+ //#endregion
45
+ export { InitCommandOptions, InitCommandResult, runInit };
46
+ //# sourceMappingURL=init.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"init.d.ts","names":[],"sources":["../../src/commands/init.ts"],"sourcesContent":[],"mappings":";;AA0BA;AAeA;AAWA;;;;;;;;;;;;;;UA1BiB,kBAAA;;;;;;;;;;;;;;UAeA,iBAAA;;;;;;;;;;iBAWK,OAAA,WAAiB,qBAA0B,QAAQ"}
@@ -0,0 +1,131 @@
1
+ import { confirm, select } from "../internal/prompts.js";
2
+ import { mkdir, stat, writeFile } from "node:fs/promises";
3
+ import { dirname, isAbsolute, resolve } from "node:path";
4
+ import process from "node:process";
5
+ import { generatePepper, generateRawToken } from "@graphorin/security";
6
+
7
+ //#region src/commands/init.ts
8
+ /**
9
+ * `graphorin init` — interactive bootstrap.
10
+ *
11
+ * Writes a fresh `graphorin.config.ts` to the current working
12
+ * directory (or `--out`), prompts the operator for the cloud-upload
13
+ * sensitivity tier + storage encryption opt-in, and prints exactly
14
+ * one bootstrap admin token (held by the operator from this point
15
+ * onward — the tool never persists nor logs the raw value).
16
+ *
17
+ * `--non-interactive` accepts every choice through flags or env vars
18
+ * so the command works equally well in CI / image-build pipelines.
19
+ *
20
+ * @packageDocumentation
21
+ */
22
+ /**
23
+ * @stable
24
+ */
25
+ async function runInit(options = {}) {
26
+ const target = resolveOutPath(options.cwd ?? process.cwd(), options.out);
27
+ const print = options.print ?? ((line) => process.stderr.write(`${line}\n`));
28
+ const cloudConsent = await resolveCloudConsent(options);
29
+ const storageEncrypted = await resolveEncryption(options);
30
+ const pepperHex = await generatePepper().useBuffer((buf) => buf.toString("hex"));
31
+ const bootstrap = generateRawToken({ env: "live" });
32
+ if (options.dryRun !== true) {
33
+ if (await fileExists(target)) throw new Error(`[graphorin/cli] refusing to overwrite existing '${target}'. Move it aside or pass --out <path>.`);
34
+ await mkdir(dirname(target), { recursive: true });
35
+ await writeFile(target, renderConfig({
36
+ cloudConsent,
37
+ storageEncrypted
38
+ }), { mode: 384 });
39
+ }
40
+ print(`[graphorin/cli] wrote ${target}`);
41
+ print(`[graphorin/cli] bootstrap admin token (shown ONCE):`);
42
+ print(` ${bootstrap.raw}`);
43
+ print(`[graphorin/cli] server pepper hex (store in your keyring as 'graphorin_server_pepper'):`);
44
+ print(` ${pepperHex}`);
45
+ print("");
46
+ print("Next steps:");
47
+ print(` 1. Persist the pepper: graphorin secrets set graphorin_server_pepper --value ${pepperHex}`);
48
+ print(` 2. Persist the bootstrap token securely; do NOT commit it.`);
49
+ print(` 3. Run \`graphorin migrate --config ${target}\` to apply storage migrations.`);
50
+ print(` 4. Run \`graphorin start --config ${target}\` to launch the server.`);
51
+ return Object.freeze({
52
+ configPath: target,
53
+ bootstrapToken: bootstrap.raw,
54
+ serverPepperHex: pepperHex,
55
+ cloudConsent,
56
+ storageEncrypted
57
+ });
58
+ }
59
+ function resolveOutPath(cwd, out) {
60
+ if (out === void 0 || out.length === 0) return resolve(cwd, "graphorin.config.ts");
61
+ return isAbsolute(out) ? out : resolve(cwd, out);
62
+ }
63
+ async function fileExists(path) {
64
+ try {
65
+ await stat(path);
66
+ return true;
67
+ } catch {
68
+ return false;
69
+ }
70
+ }
71
+ async function resolveCloudConsent(options) {
72
+ if (options.cloudConsent !== void 0) return options.cloudConsent;
73
+ const envValue = process.env.GRAPHORIN_CLOUD_CONSENT;
74
+ if (envValue === "public-only" || envValue === "public-and-internal" || envValue === "all-with-warnings") return envValue;
75
+ if (options.nonInteractive === true) return "public-and-internal";
76
+ return await select("Cloud-upload consent for context sent to providers:", [
77
+ "public-only",
78
+ "public-and-internal",
79
+ "all-with-warnings"
80
+ ], "public-and-internal");
81
+ }
82
+ async function resolveEncryption(options) {
83
+ if (options.encrypted !== void 0) return options.encrypted;
84
+ if (process.env.GRAPHORIN_STORAGE_ENCRYPTED === "1") return true;
85
+ if (process.env.GRAPHORIN_STORAGE_ENCRYPTED === "0") return false;
86
+ if (options.nonInteractive === true) return false;
87
+ return await confirm("Enable storage encryption (defense-in-depth on top of FDE)?", false);
88
+ }
89
+ function renderConfig(input) {
90
+ return `import { defineConfig } from '@graphorin/server';
91
+
92
+ export default defineConfig({
93
+ server: {
94
+ host: '127.0.0.1',
95
+ port: 8080,
96
+ },
97
+ auth: {
98
+ kind: 'token',
99
+ pepperRef: 'keyring:graphorin_server_pepper',
100
+ },
101
+ storage: {
102
+ path: './.graphorin/data.db',
103
+ mode: 'server',
104
+ encryption: ${input.storageEncrypted ? `{
105
+ enabled: true,
106
+ passphraseRef: 'keyring:graphorin_db_passphrase',
107
+ }` : `{ enabled: false }`},
108
+ },
109
+ audit: {
110
+ enabled: ${input.storageEncrypted ? "true" : "false"},
111
+ },
112
+ secrets: {
113
+ source: 'auto',
114
+ strict: false,
115
+ },
116
+ observability: {
117
+ logger: 'json',
118
+ },
119
+ // IP-5: no top-level 'defaults' block — the strict server-config
120
+ // parser rejects unknown keys, so the old render made a fresh
121
+ // 'graphorin init' fail on the very next migrate/start. The tier you
122
+ // chose at init is recorded below; enforce it via the memory
123
+ // package (createMemory contextEngine privacy options):
124
+ // cloudUploadConsent: ${JSON.stringify(input.cloudConsent)}
125
+ });
126
+ `;
127
+ }
128
+
129
+ //#endregion
130
+ export { runInit };
131
+ //# sourceMappingURL=init.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"init.js","names":[],"sources":["../../src/commands/init.ts"],"sourcesContent":["/**\n * `graphorin init` — interactive bootstrap.\n *\n * Writes a fresh `graphorin.config.ts` to the current working\n * directory (or `--out`), prompts the operator for the cloud-upload\n * sensitivity tier + storage encryption opt-in, and prints exactly\n * one bootstrap admin token (held by the operator from this point\n * onward — the tool never persists nor logs the raw value).\n *\n * `--non-interactive` accepts every choice through flags or env vars\n * so the command works equally well in CI / image-build pipelines.\n *\n * @packageDocumentation\n */\n\nimport { mkdir, stat, writeFile } from 'node:fs/promises';\nimport { dirname, isAbsolute, resolve } from 'node:path';\nimport process from 'node:process';\n\nimport { generatePepper, generateRawToken } from '@graphorin/security';\n\nimport { confirm, select } from '../internal/prompts.js';\n\n/**\n * @stable\n */\nexport interface InitCommandOptions {\n readonly out?: string;\n readonly nonInteractive?: boolean;\n readonly cloudConsent?: 'public-only' | 'public-and-internal' | 'all-with-warnings';\n readonly encrypted?: boolean;\n readonly cwd?: string;\n /** Test seam: skip writing files (only print the report). */\n readonly dryRun?: boolean;\n /** Test seam: redirect stdout/err. */\n readonly print?: (line: string) => void;\n}\n\n/**\n * @stable\n */\nexport interface InitCommandResult {\n readonly configPath: string;\n readonly bootstrapToken: string;\n readonly serverPepperHex: string;\n readonly cloudConsent: 'public-only' | 'public-and-internal' | 'all-with-warnings';\n readonly storageEncrypted: boolean;\n}\n\n/**\n * @stable\n */\nexport async function runInit(options: InitCommandOptions = {}): Promise<InitCommandResult> {\n const cwd = options.cwd ?? process.cwd();\n const target = resolveOutPath(cwd, options.out);\n const print = options.print ?? ((line: string) => process.stderr.write(`${line}\\n`));\n\n const cloudConsent = await resolveCloudConsent(options);\n const storageEncrypted = await resolveEncryption(options);\n\n const pepper = generatePepper();\n const pepperHex = await pepper.useBuffer((buf) => buf.toString('hex'));\n\n const bootstrap = generateRawToken({ env: 'live' });\n\n if (options.dryRun !== true) {\n if (await fileExists(target)) {\n throw new Error(\n `[graphorin/cli] refusing to overwrite existing '${target}'. Move it aside or pass --out <path>.`,\n );\n }\n await mkdir(dirname(target), { recursive: true });\n await writeFile(target, renderConfig({ cloudConsent, storageEncrypted }), { mode: 0o600 });\n }\n\n print(`[graphorin/cli] wrote ${target}`);\n print(`[graphorin/cli] bootstrap admin token (shown ONCE):`);\n print(` ${bootstrap.raw}`);\n print(`[graphorin/cli] server pepper hex (store in your keyring as 'graphorin_server_pepper'):`);\n print(` ${pepperHex}`);\n print('');\n print('Next steps:');\n print(\n ` 1. Persist the pepper: graphorin secrets set graphorin_server_pepper --value ${pepperHex}`,\n );\n print(` 2. Persist the bootstrap token securely; do NOT commit it.`);\n print(` 3. Run \\`graphorin migrate --config ${target}\\` to apply storage migrations.`);\n print(` 4. Run \\`graphorin start --config ${target}\\` to launch the server.`);\n\n return Object.freeze({\n configPath: target,\n bootstrapToken: bootstrap.raw,\n serverPepperHex: pepperHex,\n cloudConsent,\n storageEncrypted,\n });\n}\n\nfunction resolveOutPath(cwd: string, out: string | undefined): string {\n if (out === undefined || out.length === 0) return resolve(cwd, 'graphorin.config.ts');\n return isAbsolute(out) ? out : resolve(cwd, out);\n}\n\nasync function fileExists(path: string): Promise<boolean> {\n try {\n await stat(path);\n return true;\n } catch {\n return false;\n }\n}\n\nasync function resolveCloudConsent(\n options: InitCommandOptions,\n): Promise<'public-only' | 'public-and-internal' | 'all-with-warnings'> {\n if (options.cloudConsent !== undefined) return options.cloudConsent;\n const envValue = process.env.GRAPHORIN_CLOUD_CONSENT;\n if (\n envValue === 'public-only' ||\n envValue === 'public-and-internal' ||\n envValue === 'all-with-warnings'\n ) {\n return envValue;\n }\n if (options.nonInteractive === true) return 'public-and-internal';\n const choice = await select(\n 'Cloud-upload consent for context sent to providers:',\n ['public-only', 'public-and-internal', 'all-with-warnings'],\n 'public-and-internal',\n );\n return choice as 'public-only' | 'public-and-internal' | 'all-with-warnings';\n}\n\nasync function resolveEncryption(options: InitCommandOptions): Promise<boolean> {\n if (options.encrypted !== undefined) return options.encrypted;\n if (process.env.GRAPHORIN_STORAGE_ENCRYPTED === '1') return true;\n if (process.env.GRAPHORIN_STORAGE_ENCRYPTED === '0') return false;\n if (options.nonInteractive === true) return false;\n return await confirm('Enable storage encryption (defense-in-depth on top of FDE)?', false);\n}\n\nfunction renderConfig(input: {\n readonly cloudConsent: 'public-only' | 'public-and-internal' | 'all-with-warnings';\n readonly storageEncrypted: boolean;\n}): string {\n return `import { defineConfig } from '@graphorin/server';\n\nexport default defineConfig({\n server: {\n host: '127.0.0.1',\n port: 8080,\n },\n auth: {\n kind: 'token',\n pepperRef: 'keyring:graphorin_server_pepper',\n },\n storage: {\n path: './.graphorin/data.db',\n mode: 'server',\n encryption: ${\n input.storageEncrypted\n ? `{\n enabled: true,\n passphraseRef: 'keyring:graphorin_db_passphrase',\n }`\n : `{ enabled: false }`\n },\n },\n audit: {\n enabled: ${input.storageEncrypted ? 'true' : 'false'},\n },\n secrets: {\n source: 'auto',\n strict: false,\n },\n observability: {\n logger: 'json',\n },\n // IP-5: no top-level 'defaults' block — the strict server-config\n // parser rejects unknown keys, so the old render made a fresh\n // 'graphorin init' fail on the very next migrate/start. The tier you\n // chose at init is recorded below; enforce it via the memory\n // package (createMemory contextEngine privacy options):\n // cloudUploadConsent: ${JSON.stringify(input.cloudConsent)}\n});\n`;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAoDA,eAAsB,QAAQ,UAA8B,EAAE,EAA8B;CAE1F,MAAM,SAAS,eADH,QAAQ,OAAO,QAAQ,KAAK,EACL,QAAQ,IAAI;CAC/C,MAAM,QAAQ,QAAQ,WAAW,SAAiB,QAAQ,OAAO,MAAM,GAAG,KAAK,IAAI;CAEnF,MAAM,eAAe,MAAM,oBAAoB,QAAQ;CACvD,MAAM,mBAAmB,MAAM,kBAAkB,QAAQ;CAGzD,MAAM,YAAY,MADH,gBAAgB,CACA,WAAW,QAAQ,IAAI,SAAS,MAAM,CAAC;CAEtE,MAAM,YAAY,iBAAiB,EAAE,KAAK,QAAQ,CAAC;AAEnD,KAAI,QAAQ,WAAW,MAAM;AAC3B,MAAI,MAAM,WAAW,OAAO,CAC1B,OAAM,IAAI,MACR,mDAAmD,OAAO,wCAC3D;AAEH,QAAM,MAAM,QAAQ,OAAO,EAAE,EAAE,WAAW,MAAM,CAAC;AACjD,QAAM,UAAU,QAAQ,aAAa;GAAE;GAAc;GAAkB,CAAC,EAAE,EAAE,MAAM,KAAO,CAAC;;AAG5F,OAAM,yBAAyB,SAAS;AACxC,OAAM,sDAAsD;AAC5D,OAAM,KAAK,UAAU,MAAM;AAC3B,OAAM,0FAA0F;AAChG,OAAM,KAAK,YAAY;AACvB,OAAM,GAAG;AACT,OAAM,cAAc;AACpB,OACE,kFAAkF,YACnF;AACD,OAAM,+DAA+D;AACrE,OAAM,yCAAyC,OAAO,iCAAiC;AACvF,OAAM,uCAAuC,OAAO,0BAA0B;AAE9E,QAAO,OAAO,OAAO;EACnB,YAAY;EACZ,gBAAgB,UAAU;EAC1B,iBAAiB;EACjB;EACA;EACD,CAAC;;AAGJ,SAAS,eAAe,KAAa,KAAiC;AACpE,KAAI,QAAQ,UAAa,IAAI,WAAW,EAAG,QAAO,QAAQ,KAAK,sBAAsB;AACrF,QAAO,WAAW,IAAI,GAAG,MAAM,QAAQ,KAAK,IAAI;;AAGlD,eAAe,WAAW,MAAgC;AACxD,KAAI;AACF,QAAM,KAAK,KAAK;AAChB,SAAO;SACD;AACN,SAAO;;;AAIX,eAAe,oBACb,SACsE;AACtE,KAAI,QAAQ,iBAAiB,OAAW,QAAO,QAAQ;CACvD,MAAM,WAAW,QAAQ,IAAI;AAC7B,KACE,aAAa,iBACb,aAAa,yBACb,aAAa,oBAEb,QAAO;AAET,KAAI,QAAQ,mBAAmB,KAAM,QAAO;AAM5C,QALe,MAAM,OACnB,uDACA;EAAC;EAAe;EAAuB;EAAoB,EAC3D,sBACD;;AAIH,eAAe,kBAAkB,SAA+C;AAC9E,KAAI,QAAQ,cAAc,OAAW,QAAO,QAAQ;AACpD,KAAI,QAAQ,IAAI,gCAAgC,IAAK,QAAO;AAC5D,KAAI,QAAQ,IAAI,gCAAgC,IAAK,QAAO;AAC5D,KAAI,QAAQ,mBAAmB,KAAM,QAAO;AAC5C,QAAO,MAAM,QAAQ,+DAA+D,MAAM;;AAG5F,SAAS,aAAa,OAGX;AACT,QAAO;;;;;;;;;;;;;;kBAeH,MAAM,mBACF;;;SAIA,qBACL;;;eAGU,MAAM,mBAAmB,SAAS,QAAQ;;;;;;;;;;;;;;2BAc9B,KAAK,UAAU,MAAM,aAAa,CAAC"}
@@ -0,0 +1,243 @@
1
+ import { CommonOutputOptions } from "../internal/output.js";
2
+
3
+ //#region src/commands/memory.d.ts
4
+
5
+ /** @stable */
6
+ interface MemoryCommonOptions extends CommonOutputOptions {
7
+ readonly config?: string;
8
+ }
9
+ /** @stable */
10
+ interface MemoryStatusEmbedder {
11
+ readonly id: string;
12
+ readonly model: string;
13
+ readonly dim: number;
14
+ readonly distanceMetric: string;
15
+ readonly retired: boolean;
16
+ readonly createdAt: string;
17
+ readonly retiredAt?: string;
18
+ }
19
+ /** @stable */
20
+ interface MemoryStatusResult {
21
+ readonly storagePath: string;
22
+ readonly embedders: ReadonlyArray<MemoryStatusEmbedder>;
23
+ readonly counts: {
24
+ readonly facts: number;
25
+ readonly episodes: number;
26
+ readonly sessionMessages: number;
27
+ readonly procedures: number;
28
+ };
29
+ }
30
+ /** @stable */
31
+ declare function runMemoryStatus(options?: MemoryCommonOptions): Promise<MemoryStatusResult>;
32
+ /** @stable */
33
+ interface MemoryMigrateOptions extends MemoryCommonOptions {
34
+ readonly from: string;
35
+ readonly to: string;
36
+ readonly strategy: 'lock-on-first' | 'auto-migrate' | 'multi-active';
37
+ /**
38
+ * Optional path to a JS / TS module exporting an
39
+ * `embedders` object: `{ <id>: () => EmbedderProvider }`. The CLI
40
+ * imports this module so it can construct the source / target
41
+ * embedder instances the runner needs. Without the module the
42
+ * command exits `2` with a pointer to the documentation.
43
+ */
44
+ readonly embeddersModule?: string;
45
+ }
46
+ /**
47
+ * `graphorin memory migrate` — embedder swap. The migration logic lives
48
+ * in `@graphorin/memory`'s `migrateEmbedder(...)`; the CLI prints a
49
+ * pointer when the operator did not supply the embedder factory module
50
+ * (the framework cannot guess the operator's embedder configuration).
51
+ *
52
+ * @stable
53
+ */
54
+ declare function runMemoryMigrate(options: MemoryMigrateOptions): Promise<never>;
55
+ /** @stable */
56
+ interface MemoryInspectFact {
57
+ readonly id: string;
58
+ readonly text: string;
59
+ readonly status: string;
60
+ readonly provenance: string | null;
61
+ /** X-1 / migration 015: per-fact importance (salience hint), if set. */
62
+ readonly importance: number | null;
63
+ readonly validFrom: string | null;
64
+ readonly validTo: string | null;
65
+ readonly supersedes: string | null;
66
+ readonly supersededBy: string | null;
67
+ readonly createdAt: string;
68
+ }
69
+ /**
70
+ * A canonical entity a fact links to (P2-1 / migration 016). `name` follows
71
+ * `merged_into` to the surviving entity, so a merged link shows its canonical.
72
+ *
73
+ * @stable
74
+ */
75
+ interface MemoryInspectEntity {
76
+ readonly entityId: string;
77
+ readonly name: string;
78
+ readonly role: string;
79
+ /** Set when the linked entity was merged into `entityId`/`name`. */
80
+ readonly mergedFrom: string | null;
81
+ }
82
+ /** @stable */
83
+ interface MemoryHistoryEntry {
84
+ readonly event: string;
85
+ readonly source: string;
86
+ readonly createdAt: string;
87
+ }
88
+ /** @stable */
89
+ interface MemoryConflictEntry {
90
+ readonly candidateId: string;
91
+ readonly existingId: string | null;
92
+ readonly decision: string;
93
+ readonly stage: string;
94
+ readonly similarity: number | null;
95
+ readonly detectedAt: string;
96
+ }
97
+ /** @stable */
98
+ interface MemoryCitingInsight {
99
+ readonly id: string;
100
+ readonly text: string;
101
+ readonly status: string;
102
+ readonly salience: number;
103
+ }
104
+ /** @stable */
105
+ interface MemoryInspectResult {
106
+ readonly found: boolean;
107
+ readonly fact: MemoryInspectFact | null;
108
+ readonly chain: ReadonlyArray<MemoryInspectFact>;
109
+ readonly history: ReadonlyArray<MemoryHistoryEntry>;
110
+ readonly conflicts: ReadonlyArray<MemoryConflictEntry>;
111
+ readonly citingInsights: ReadonlyArray<MemoryCitingInsight>;
112
+ /** Canonical entities this fact links to (P2-1 / migration 016). */
113
+ readonly linkedEntities: ReadonlyArray<MemoryInspectEntity>;
114
+ }
115
+ /** @stable */
116
+ interface MemoryInspectOptions extends MemoryCommonOptions {
117
+ readonly factId: string;
118
+ }
119
+ /**
120
+ * `graphorin memory inspect <factId>` — surface everything the store
121
+ * knows about one fact: its retrieval-trust status + provenance, the
122
+ * full bi-temporal supersede chain it belongs to, the audit-log events
123
+ * recorded against it, the conflict decisions that referenced it, and
124
+ * the (quarantined) insights that cite it. Pure read-only inspection.
125
+ *
126
+ * @stable
127
+ */
128
+ declare function runMemoryInspect(options: MemoryInspectOptions): Promise<MemoryInspectResult>;
129
+ /** @stable */
130
+ interface MemoryActivityEvent {
131
+ readonly memoryKind: string;
132
+ readonly memoryId: string;
133
+ readonly event: string;
134
+ readonly source: string;
135
+ readonly createdAt: string;
136
+ }
137
+ /** @stable */
138
+ interface MemoryActivityConflict {
139
+ readonly candidateId: string;
140
+ readonly existingId: string | null;
141
+ readonly decision: string;
142
+ readonly stage: string;
143
+ readonly detectedAt: string;
144
+ }
145
+ /** @stable */
146
+ interface MemoryActivityResult {
147
+ readonly quarantine: {
148
+ readonly facts: number;
149
+ readonly episodes: number;
150
+ readonly insights: number;
151
+ };
152
+ readonly recentHistory: ReadonlyArray<MemoryActivityEvent>;
153
+ readonly recentConflicts: ReadonlyArray<MemoryActivityConflict>;
154
+ }
155
+ /** @stable */
156
+ interface MemoryActivityOptions extends MemoryCommonOptions {
157
+ /** Cap on the recent-history / recent-conflict rows returned. Default 20. */
158
+ readonly limit?: number;
159
+ }
160
+ /**
161
+ * `graphorin memory activity` — a store-wide view of what the
162
+ * consolidator and reflection passes have been doing: how many facts /
163
+ * episodes / insights currently sit in quarantine, the most recent
164
+ * audit-log events (supersede / validate / quarantine / archive), and
165
+ * the most recent conflict decisions. Pure read-only inspection.
166
+ *
167
+ * @stable
168
+ */
169
+ declare function runMemoryActivity(options?: MemoryActivityOptions): Promise<MemoryActivityResult>;
170
+ /** A single decoded recall explanation surfaced by `graphorin memory why`. */
171
+ interface MemoryWhyRecall {
172
+ readonly spanId: string;
173
+ /** Span start time (unix nanos) of the recall. */
174
+ readonly at: number;
175
+ readonly results: ReadonlyArray<{
176
+ readonly id: string;
177
+ readonly rank: number;
178
+ readonly score: number;
179
+ readonly signals: Readonly<Record<string, number>>;
180
+ }>;
181
+ }
182
+ /** @stable */
183
+ interface MemoryWhyResult {
184
+ readonly recalls: ReadonlyArray<MemoryWhyRecall>;
185
+ }
186
+ /** @stable */
187
+ interface MemoryWhyOptions extends MemoryCommonOptions {
188
+ /** Restrict to one session's recall spans. */
189
+ readonly sessionId?: string;
190
+ /** Cap on the most-recent recall spans returned. Default 5. */
191
+ readonly limit?: number;
192
+ }
193
+ /**
194
+ * `graphorin memory why` — explain why facts were recalled, by decoding the
195
+ * `memory.search.semantic.explain` attribute off the persisted recall spans.
196
+ * Pure read-only inspection; requires the SQLite span exporter to have recorded
197
+ * spans (RP-17). Empty when nothing was recorded.
198
+ *
199
+ * @stable
200
+ */
201
+ declare function runMemoryWhy(options: MemoryWhyOptions): Promise<MemoryWhyResult>;
202
+ /** A single quarantined memory row surfaced by `graphorin memory review`. */
203
+ interface MemoryReviewItem {
204
+ readonly id: string;
205
+ readonly text: string;
206
+ readonly provenance: string | null;
207
+ }
208
+ /** @stable */
209
+ interface MemoryReviewResult {
210
+ /** Set when `--promote <id>` succeeded. */
211
+ readonly promoted?: {
212
+ readonly id: string;
213
+ readonly type: string;
214
+ };
215
+ readonly facts: ReadonlyArray<MemoryReviewItem>;
216
+ readonly episodes: ReadonlyArray<MemoryReviewItem>;
217
+ readonly insights: ReadonlyArray<MemoryReviewItem>;
218
+ readonly procedures: ReadonlyArray<MemoryReviewItem>;
219
+ }
220
+ /** @stable */
221
+ interface MemoryReviewOptions extends MemoryCommonOptions {
222
+ /** Cap on the rows listed per type. Default 20. */
223
+ readonly limit?: number;
224
+ /** Promote this id out of quarantine instead of listing. */
225
+ readonly promote?: string;
226
+ /** Audit reason recorded with the promotion. */
227
+ readonly reason?: string;
228
+ /** Override the injection-refusal gate (operator action, after review). */
229
+ readonly force?: boolean;
230
+ }
231
+ /**
232
+ * `graphorin memory review` — list the facts / episodes / insights / induced
233
+ * procedures the consolidator left in quarantine (read-only), or promote a
234
+ * reviewed item out of quarantine with `--promote <id>`. The promote path runs
235
+ * through the tier `validate(...)`, so an injection-flagged memory is refused
236
+ * unless `--force` is supplied after review (MCON-2).
237
+ *
238
+ * @stable
239
+ */
240
+ declare function runMemoryReview(options?: MemoryReviewOptions): Promise<MemoryReviewResult>;
241
+ //#endregion
242
+ export { MemoryActivityConflict, MemoryActivityEvent, MemoryActivityOptions, MemoryActivityResult, MemoryCitingInsight, MemoryCommonOptions, MemoryConflictEntry, MemoryHistoryEntry, MemoryInspectEntity, MemoryInspectFact, MemoryInspectOptions, MemoryInspectResult, MemoryMigrateOptions, MemoryReviewItem, MemoryReviewOptions, MemoryReviewResult, MemoryStatusEmbedder, MemoryStatusResult, MemoryWhyOptions, MemoryWhyRecall, MemoryWhyResult, runMemoryActivity, runMemoryInspect, runMemoryMigrate, runMemoryReview, runMemoryStatus, runMemoryWhy };
243
+ //# sourceMappingURL=memory.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"memory.d.ts","names":[],"sources":["../../src/commands/memory.ts"],"sourcesContent":[],"mappings":";;;;;AAyPgC,UAxNf,mBAAA,SAA4B,mBAwNb,CAAA;EAAd,SAAA,MAAA,CAAA,EAAA,MAAA;;;AAEkB,UArNnB,oBAAA,CAqNmB;EAAd,SAAA,EAAA,EAAA,MAAA;EACmB,SAAA,KAAA,EAAA,MAAA;EAAd,SAAA,GAAA,EAAA,MAAA;EAEc,SAAA,cAAA,EAAA,MAAA;EAAd,SAAA,OAAA,EAAA,OAAA;EAAa,SAAA,SAAA,EAAA,MAAA;EAIvB,SAAA,SAAA,CAAA,EAAA,MAAqB;AAatC;;AAEW,UAhOM,kBAAA,CAgON;EAAR,SAAA,WAAA,EAAA,MAAA;EAAO,SAAA,SAAA,EA9NY,aA8NZ,CA9N0B,oBA8N1B,CAAA;EAwJO,SAAA,MAAA,EAAA;IASA,SAAA,KAAA,EAAA,MAAsB;IAStB,SAAA,QAAA,EAAoB,MAAA;IAMG,SAAA,eAAA,EAAA,MAAA;IAAd,SAAA,UAAA,EAAA,MAAA;EACgB,CAAA;;;AAIzB,iBAzYK,eAAA,CAyYyB,OAAmB,CAAnB,EAxYpC,mBAwYuD,CAAA,EAvY/D,OAuY+D,CAvYvD,kBAuYuD,CAAA;AAclE;AACW,UAtWM,oBAAA,SAA6B,mBAsWnC,CAAA;EACA,SAAA,IAAA,EAAA,MAAA;EAAR,SAAA,EAAA,EAAA,MAAA;EAAO,SAAA,QAAA,EAAA,eAAA,GAAA,cAAA,GAAA,cAAA;EAiGO;;;;;AAajB;AAKA;EAqBsB,SAAA,eAAY,CAAA,EAAA,MAAA;;;;;AAyElC;AAOA;;;;AAIqB,iBA7iBC,gBAAA,CA6iBD,OAAA,EA7iB2B,oBA6iB3B,CAAA,EA7iBkD,OA6iBlD,CAAA,KAAA,CAAA;;AACA,UAnfJ,iBAAA,CAmfI;EACgB,SAAA,EAAA,EAAA,MAAA;EAAd,SAAA,IAAA,EAAA,MAAA;EAAa,SAAA,MAAA,EAAA,MAAA;EAInB,SAAA,UAAA,EAAA,MAAoB,GAAA,IAAQ;EA2BvB;EACX,SAAA,UAAA,EAAA,MAAA,GAAA,IAAA;EACA,SAAA,SAAA,EAAA,MAAA,GAAA,IAAA;EAAR,SAAA,OAAA,EAAA,MAAA,GAAA,IAAA;EAAO,SAAA,UAAA,EAAA,MAAA,GAAA,IAAA;;;;;;;;;;UAjgBO,mBAAA;;;;;;;;UASA,kBAAA;;;;;;UAOA,mBAAA;;;;;;;;;UAUA,mBAAA;;;;;;;UAQA,mBAAA;;iBAEA;kBACC,cAAc;oBACZ,cAAc;sBACZ,cAAc;2BACT,cAAc;;2BAEd,cAAc;;;UAIxB,oBAAA,SAA6B;;;;;;;;;;;;iBAaxB,gBAAA,UACX,uBACR,QAAQ;;UAwJM,mBAAA;;;;;;;;UASA,sBAAA;;;;;;;;UASA,oBAAA;;;;;;0BAMS,cAAc;4BACZ,cAAc;;;UAIzB,qBAAA,SAA8B;;;;;;;;;;;;;iBAczB,iBAAA,WACX,wBACR,QAAQ;;UAiGM,eAAA;;;;oBAIG;;;;sBAIE,SAAS;;;;UAKd,eAAA;oBACG,cAAc;;;UAIjB,gBAAA,SAAyB;;;;;;;;;;;;;;iBAqBpB,YAAA,UAAsB,mBAAmB,QAAQ;;UAyEtD,gBAAA;;;;;;UAOA,kBAAA;;;;;;kBAGC,cAAc;qBACX,cAAc;qBACd,cAAc;uBACZ,cAAc;;;UAIpB,mBAAA,SAA4B;;;;;;;;;;;;;;;;;;;iBA2BvB,eAAA,WACX,sBACR,QAAQ"}