@graphorin/server 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (204) hide show
  1. package/CHANGELOG.md +7 -0
  2. package/LICENSE +21 -0
  3. package/README.md +116 -0
  4. package/dist/app.d.ts +174 -0
  5. package/dist/app.d.ts.map +1 -0
  6. package/dist/app.js +684 -0
  7. package/dist/app.js.map +1 -0
  8. package/dist/commentary/audit-bridge.d.ts +57 -0
  9. package/dist/commentary/audit-bridge.d.ts.map +1 -0
  10. package/dist/commentary/audit-bridge.js +92 -0
  11. package/dist/commentary/audit-bridge.js.map +1 -0
  12. package/dist/commentary/built-in-patterns.d.ts +24 -0
  13. package/dist/commentary/built-in-patterns.d.ts.map +1 -0
  14. package/dist/commentary/built-in-patterns.js +62 -0
  15. package/dist/commentary/built-in-patterns.js.map +1 -0
  16. package/dist/commentary/index.d.ts +5 -0
  17. package/dist/commentary/index.js +5 -0
  18. package/dist/commentary/sanitizer.d.ts +37 -0
  19. package/dist/commentary/sanitizer.d.ts.map +1 -0
  20. package/dist/commentary/sanitizer.js +182 -0
  21. package/dist/commentary/sanitizer.js.map +1 -0
  22. package/dist/commentary/types.d.ts +120 -0
  23. package/dist/commentary/types.d.ts.map +1 -0
  24. package/dist/config.d.ts +760 -0
  25. package/dist/config.d.ts.map +1 -0
  26. package/dist/config.js +217 -0
  27. package/dist/config.js.map +1 -0
  28. package/dist/consolidator/daemon.d.ts +88 -0
  29. package/dist/consolidator/daemon.d.ts.map +1 -0
  30. package/dist/consolidator/daemon.js +54 -0
  31. package/dist/consolidator/daemon.js.map +1 -0
  32. package/dist/consolidator/index.d.ts +2 -0
  33. package/dist/consolidator/index.js +3 -0
  34. package/dist/errors/index.d.ts +104 -0
  35. package/dist/errors/index.d.ts.map +1 -0
  36. package/dist/errors/index.js +131 -0
  37. package/dist/errors/index.js.map +1 -0
  38. package/dist/health/checks.d.ts +120 -0
  39. package/dist/health/checks.d.ts.map +1 -0
  40. package/dist/health/checks.js +127 -0
  41. package/dist/health/checks.js.map +1 -0
  42. package/dist/health/index.d.ts +3 -0
  43. package/dist/health/index.js +4 -0
  44. package/dist/health/routes.d.ts +66 -0
  45. package/dist/health/routes.d.ts.map +1 -0
  46. package/dist/health/routes.js +96 -0
  47. package/dist/health/routes.js.map +1 -0
  48. package/dist/index.d.ts +88 -0
  49. package/dist/index.d.ts.map +1 -0
  50. package/dist/index.js +86 -0
  51. package/dist/index.js.map +1 -0
  52. package/dist/internal/context.d.ts +66 -0
  53. package/dist/internal/context.d.ts.map +1 -0
  54. package/dist/internal/ids.js +21 -0
  55. package/dist/internal/ids.js.map +1 -0
  56. package/dist/internal/json.js +46 -0
  57. package/dist/internal/json.js.map +1 -0
  58. package/dist/lifecycle/hooks.d.ts +57 -0
  59. package/dist/lifecycle/hooks.d.ts.map +1 -0
  60. package/dist/lifecycle/index.d.ts +2 -0
  61. package/dist/lifecycle/index.js +3 -0
  62. package/dist/lifecycle/pre-bind.d.ts +38 -0
  63. package/dist/lifecycle/pre-bind.d.ts.map +1 -0
  64. package/dist/lifecycle/pre-bind.js +62 -0
  65. package/dist/lifecycle/pre-bind.js.map +1 -0
  66. package/dist/metrics/catalog.d.ts +34 -0
  67. package/dist/metrics/catalog.d.ts.map +1 -0
  68. package/dist/metrics/catalog.js +61 -0
  69. package/dist/metrics/catalog.js.map +1 -0
  70. package/dist/metrics/index.d.ts +3 -0
  71. package/dist/metrics/index.js +4 -0
  72. package/dist/metrics/registry.d.ts +63 -0
  73. package/dist/metrics/registry.d.ts.map +1 -0
  74. package/dist/metrics/registry.js +222 -0
  75. package/dist/metrics/registry.js.map +1 -0
  76. package/dist/middleware/audit.d.ts +47 -0
  77. package/dist/middleware/audit.d.ts.map +1 -0
  78. package/dist/middleware/audit.js +71 -0
  79. package/dist/middleware/audit.js.map +1 -0
  80. package/dist/middleware/auth.d.ts +50 -0
  81. package/dist/middleware/auth.d.ts.map +1 -0
  82. package/dist/middleware/auth.js +164 -0
  83. package/dist/middleware/auth.js.map +1 -0
  84. package/dist/middleware/cors.d.ts +15 -0
  85. package/dist/middleware/cors.d.ts.map +1 -0
  86. package/dist/middleware/cors.js +45 -0
  87. package/dist/middleware/cors.js.map +1 -0
  88. package/dist/middleware/csrf.d.ts +15 -0
  89. package/dist/middleware/csrf.d.ts.map +1 -0
  90. package/dist/middleware/csrf.js +77 -0
  91. package/dist/middleware/csrf.js.map +1 -0
  92. package/dist/middleware/idempotency.d.ts +41 -0
  93. package/dist/middleware/idempotency.d.ts.map +1 -0
  94. package/dist/middleware/idempotency.js +198 -0
  95. package/dist/middleware/idempotency.js.map +1 -0
  96. package/dist/middleware/index.d.ts +9 -0
  97. package/dist/middleware/index.js +10 -0
  98. package/dist/middleware/rate-limit.d.ts +17 -0
  99. package/dist/middleware/rate-limit.d.ts.map +1 -0
  100. package/dist/middleware/rate-limit.js +47 -0
  101. package/dist/middleware/rate-limit.js.map +1 -0
  102. package/dist/middleware/request-state.d.ts +27 -0
  103. package/dist/middleware/request-state.d.ts.map +1 -0
  104. package/dist/middleware/request-state.js +42 -0
  105. package/dist/middleware/request-state.js.map +1 -0
  106. package/dist/middleware/scope.d.ts +24 -0
  107. package/dist/middleware/scope.d.ts.map +1 -0
  108. package/dist/middleware/scope.js +50 -0
  109. package/dist/middleware/scope.js.map +1 -0
  110. package/dist/registry/index.d.ts +135 -0
  111. package/dist/registry/index.d.ts.map +1 -0
  112. package/dist/registry/index.js +96 -0
  113. package/dist/registry/index.js.map +1 -0
  114. package/dist/replay/index.d.ts +2 -0
  115. package/dist/replay/index.js +3 -0
  116. package/dist/replay/routes.d.ts +46 -0
  117. package/dist/replay/routes.d.ts.map +1 -0
  118. package/dist/replay/routes.js +189 -0
  119. package/dist/replay/routes.js.map +1 -0
  120. package/dist/routes/agents.d.ts +41 -0
  121. package/dist/routes/agents.d.ts.map +1 -0
  122. package/dist/routes/agents.js +213 -0
  123. package/dist/routes/agents.js.map +1 -0
  124. package/dist/routes/audit.d.ts +57 -0
  125. package/dist/routes/audit.d.ts.map +1 -0
  126. package/dist/routes/audit.js +116 -0
  127. package/dist/routes/audit.js.map +1 -0
  128. package/dist/routes/auth.d.ts +26 -0
  129. package/dist/routes/auth.d.ts.map +1 -0
  130. package/dist/routes/auth.js +54 -0
  131. package/dist/routes/auth.js.map +1 -0
  132. package/dist/routes/health.d.ts +22 -0
  133. package/dist/routes/health.d.ts.map +1 -0
  134. package/dist/routes/health.js +33 -0
  135. package/dist/routes/health.js.map +1 -0
  136. package/dist/routes/index.d.ts +10 -0
  137. package/dist/routes/index.js +12 -0
  138. package/dist/routes/mcp.d.ts +32 -0
  139. package/dist/routes/mcp.d.ts.map +1 -0
  140. package/dist/routes/mcp.js +61 -0
  141. package/dist/routes/mcp.js.map +1 -0
  142. package/dist/routes/memory.d.ts +141 -0
  143. package/dist/routes/memory.d.ts.map +1 -0
  144. package/dist/routes/memory.js +102 -0
  145. package/dist/routes/memory.js.map +1 -0
  146. package/dist/routes/sessions.d.ts +54 -0
  147. package/dist/routes/sessions.d.ts.map +1 -0
  148. package/dist/routes/sessions.js +135 -0
  149. package/dist/routes/sessions.js.map +1 -0
  150. package/dist/routes/skills.d.ts +34 -0
  151. package/dist/routes/skills.d.ts.map +1 -0
  152. package/dist/routes/skills.js +54 -0
  153. package/dist/routes/skills.js.map +1 -0
  154. package/dist/routes/tokens.d.ts +25 -0
  155. package/dist/routes/tokens.d.ts.map +1 -0
  156. package/dist/routes/tokens.js +87 -0
  157. package/dist/routes/tokens.js.map +1 -0
  158. package/dist/routes/workflows.d.ts +27 -0
  159. package/dist/routes/workflows.d.ts.map +1 -0
  160. package/dist/routes/workflows.js +220 -0
  161. package/dist/routes/workflows.js.map +1 -0
  162. package/dist/runtime/run-state.d.ts +158 -0
  163. package/dist/runtime/run-state.d.ts.map +1 -0
  164. package/dist/runtime/run-state.js +182 -0
  165. package/dist/runtime/run-state.js.map +1 -0
  166. package/dist/sse/events.d.ts +44 -0
  167. package/dist/sse/events.d.ts.map +1 -0
  168. package/dist/sse/events.js +200 -0
  169. package/dist/sse/events.js.map +1 -0
  170. package/dist/sse/index.d.ts +2 -0
  171. package/dist/sse/index.js +3 -0
  172. package/dist/triggers/daemon.d.ts +74 -0
  173. package/dist/triggers/daemon.d.ts.map +1 -0
  174. package/dist/triggers/daemon.js +114 -0
  175. package/dist/triggers/daemon.js.map +1 -0
  176. package/dist/triggers/index.d.ts +3 -0
  177. package/dist/triggers/index.js +4 -0
  178. package/dist/triggers/routes.d.ts +21 -0
  179. package/dist/triggers/routes.d.ts.map +1 -0
  180. package/dist/triggers/routes.js +117 -0
  181. package/dist/triggers/routes.js.map +1 -0
  182. package/dist/ws/dispatcher.d.ts +169 -0
  183. package/dist/ws/dispatcher.d.ts.map +1 -0
  184. package/dist/ws/dispatcher.js +303 -0
  185. package/dist/ws/dispatcher.js.map +1 -0
  186. package/dist/ws/index.d.ts +6 -0
  187. package/dist/ws/index.js +7 -0
  188. package/dist/ws/replay-buffer.d.ts +47 -0
  189. package/dist/ws/replay-buffer.d.ts.map +1 -0
  190. package/dist/ws/replay-buffer.js +88 -0
  191. package/dist/ws/replay-buffer.js.map +1 -0
  192. package/dist/ws/subjects.d.ts +71 -0
  193. package/dist/ws/subjects.d.ts.map +1 -0
  194. package/dist/ws/subjects.js +112 -0
  195. package/dist/ws/subjects.js.map +1 -0
  196. package/dist/ws/ticket.d.ts +74 -0
  197. package/dist/ws/ticket.d.ts.map +1 -0
  198. package/dist/ws/ticket.js +112 -0
  199. package/dist/ws/ticket.js.map +1 -0
  200. package/dist/ws/upgrade.d.ts +63 -0
  201. package/dist/ws/upgrade.d.ts.map +1 -0
  202. package/dist/ws/upgrade.js +324 -0
  203. package/dist/ws/upgrade.js.map +1 -0
  204. package/package.json +156 -0
@@ -0,0 +1,760 @@
1
+ import { z } from "zod";
2
+
3
+ //#region src/config.d.ts
4
+
5
+ /**
6
+ * String literal that flags a value as a `SecretRef` URI. The
7
+ * server's pre-bind step resolves every `*Ref` field through the
8
+ * `@graphorin/security` resolver registry before binding the
9
+ * listener; an unresolvable ref fails fast with
10
+ * {@link import('./errors/index.js').PrebindSecretUnresolvableError}.
11
+ *
12
+ * @stable
13
+ */
14
+ type SecretRefString = string;
15
+ /**
16
+ * Selector for which `SecretsStore` flavour the server activates.
17
+ * Mirrors `--secrets-source` from DEC-136.
18
+ *
19
+ * @stable
20
+ */
21
+ type SecretsSource = 'auto' | 'keyring' | 'encrypted-file' | 'env';
22
+ /** @stable */
23
+ type IdempotencyRequireKeyMode = 'off' | 'warn' | 'enforce';
24
+ /** @stable */
25
+ type DeliveryCommentaryPolicyConfig = 'wrap' | 'strip' | 'pass-through';
26
+ /** @stable */
27
+ interface ServerConfigSpec {
28
+ readonly server: {
29
+ readonly host: string;
30
+ readonly port: number;
31
+ readonly basePath: string;
32
+ readonly cors: {
33
+ readonly allowOrigins: ReadonlyArray<string>;
34
+ readonly allowCredentials: boolean;
35
+ readonly allowMethods: ReadonlyArray<string>;
36
+ readonly allowHeaders: ReadonlyArray<string>;
37
+ readonly maxAgeSeconds: number;
38
+ };
39
+ readonly csrf: {
40
+ readonly enabled: boolean;
41
+ readonly cookieName: string;
42
+ readonly headerName: string;
43
+ readonly safeMethods: ReadonlyArray<string>;
44
+ };
45
+ readonly rateLimit: {
46
+ readonly enabled: boolean;
47
+ readonly windowMs: number;
48
+ readonly perIpRequests: number;
49
+ };
50
+ readonly idempotency: {
51
+ readonly enabled: boolean;
52
+ readonly requireKey: IdempotencyRequireKeyMode;
53
+ readonly ttlSeconds: number;
54
+ readonly checkBodyFingerprint: boolean;
55
+ readonly lruCacheSize: number;
56
+ };
57
+ readonly shutdown: {
58
+ readonly drainTimeoutMs: number;
59
+ };
60
+ readonly trustProxy: boolean;
61
+ readonly stream: {
62
+ readonly disconnectPolicy: 'continue' | 'pause-on-disconnect' | 'abort-on-disconnect';
63
+ readonly disconnectGracePeriodMs: number;
64
+ readonly replayBuffer: {
65
+ readonly maxEvents: number;
66
+ readonly ttlSeconds: number;
67
+ };
68
+ readonly perConnectionQueueLimit: number;
69
+ };
70
+ readonly ws: {
71
+ readonly enabled: boolean;
72
+ readonly path: string;
73
+ readonly ticketTtlMs: number;
74
+ readonly commentarySanitization: {
75
+ readonly policy: DeliveryCommentaryPolicyConfig;
76
+ readonly applyToEvents: ReadonlyArray<string>;
77
+ };
78
+ };
79
+ readonly sse: {
80
+ readonly enabled: boolean;
81
+ readonly path: string;
82
+ readonly keepAliveMs: number;
83
+ };
84
+ };
85
+ readonly storage: {
86
+ readonly path: string;
87
+ readonly mode: 'lib' | 'server';
88
+ readonly walCheckpointIntervalMs?: number;
89
+ readonly encryption: {
90
+ readonly enabled: boolean;
91
+ readonly cipher?: string;
92
+ readonly passphraseRef?: SecretRefString;
93
+ };
94
+ };
95
+ readonly audit: {
96
+ readonly enabled: boolean;
97
+ readonly path?: string;
98
+ readonly passphraseRef?: SecretRefString;
99
+ readonly cipher?: string;
100
+ };
101
+ readonly secrets: {
102
+ readonly source: SecretsSource;
103
+ readonly strict: boolean;
104
+ };
105
+ readonly auth: {
106
+ readonly kind: 'token' | 'none';
107
+ readonly pepperRef?: SecretRefString;
108
+ readonly tokenPrefix: string;
109
+ readonly tokenEnvironments: ReadonlyArray<string>;
110
+ readonly perIpFailureThreshold?: number;
111
+ readonly perIpLockoutMs?: number;
112
+ };
113
+ readonly observability: {
114
+ readonly logger: 'json' | 'pretty' | 'silent';
115
+ };
116
+ readonly hardening: {
117
+ readonly applyOnStart: boolean;
118
+ readonly refuseRoot: boolean;
119
+ readonly umask: number;
120
+ };
121
+ readonly metrics: {
122
+ readonly enabled: boolean;
123
+ readonly path: string;
124
+ readonly requireAuth: boolean;
125
+ };
126
+ readonly health: {
127
+ readonly walWarnThresholdBytes: number;
128
+ };
129
+ }
130
+ /**
131
+ * Zod schema for the resolved {@link ServerConfigSpec}. Exposed for
132
+ * advanced users that want to validate other config sources (env-only
133
+ * launch, CLI overrides, etc.).
134
+ *
135
+ * @stable
136
+ */
137
+ declare const ServerConfigSchema: z.ZodDefault<z.ZodObject<{
138
+ server: z.ZodDefault<z.ZodObject<{
139
+ host: z.ZodDefault<z.ZodString>;
140
+ port: z.ZodDefault<z.ZodNumber>;
141
+ basePath: z.ZodDefault<z.ZodString>;
142
+ cors: z.ZodDefault<z.ZodObject<{
143
+ allowOrigins: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
144
+ allowCredentials: z.ZodDefault<z.ZodBoolean>;
145
+ allowMethods: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
146
+ allowHeaders: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
147
+ maxAgeSeconds: z.ZodDefault<z.ZodNumber>;
148
+ }, "strict", z.ZodTypeAny, {
149
+ allowOrigins: string[];
150
+ allowCredentials: boolean;
151
+ allowMethods: string[];
152
+ allowHeaders: string[];
153
+ maxAgeSeconds: number;
154
+ }, {
155
+ allowOrigins?: string[] | undefined;
156
+ allowCredentials?: boolean | undefined;
157
+ allowMethods?: string[] | undefined;
158
+ allowHeaders?: string[] | undefined;
159
+ maxAgeSeconds?: number | undefined;
160
+ }>>;
161
+ csrf: z.ZodDefault<z.ZodObject<{
162
+ enabled: z.ZodDefault<z.ZodBoolean>;
163
+ cookieName: z.ZodDefault<z.ZodString>;
164
+ headerName: z.ZodDefault<z.ZodString>;
165
+ safeMethods: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
166
+ }, "strict", z.ZodTypeAny, {
167
+ enabled: boolean;
168
+ cookieName: string;
169
+ headerName: string;
170
+ safeMethods: string[];
171
+ }, {
172
+ enabled?: boolean | undefined;
173
+ cookieName?: string | undefined;
174
+ headerName?: string | undefined;
175
+ safeMethods?: string[] | undefined;
176
+ }>>;
177
+ rateLimit: z.ZodDefault<z.ZodObject<{
178
+ enabled: z.ZodDefault<z.ZodBoolean>;
179
+ windowMs: z.ZodDefault<z.ZodNumber>;
180
+ perIpRequests: z.ZodDefault<z.ZodNumber>;
181
+ }, "strict", z.ZodTypeAny, {
182
+ enabled: boolean;
183
+ windowMs: number;
184
+ perIpRequests: number;
185
+ }, {
186
+ enabled?: boolean | undefined;
187
+ windowMs?: number | undefined;
188
+ perIpRequests?: number | undefined;
189
+ }>>;
190
+ idempotency: z.ZodDefault<z.ZodObject<{
191
+ enabled: z.ZodDefault<z.ZodBoolean>;
192
+ requireKey: z.ZodDefault<z.ZodEnum<["off", "warn", "enforce"]>>;
193
+ ttlSeconds: z.ZodDefault<z.ZodNumber>;
194
+ checkBodyFingerprint: z.ZodDefault<z.ZodBoolean>;
195
+ lruCacheSize: z.ZodDefault<z.ZodNumber>;
196
+ }, "strict", z.ZodTypeAny, {
197
+ enabled: boolean;
198
+ requireKey: "off" | "warn" | "enforce";
199
+ ttlSeconds: number;
200
+ checkBodyFingerprint: boolean;
201
+ lruCacheSize: number;
202
+ }, {
203
+ enabled?: boolean | undefined;
204
+ requireKey?: "off" | "warn" | "enforce" | undefined;
205
+ ttlSeconds?: number | undefined;
206
+ checkBodyFingerprint?: boolean | undefined;
207
+ lruCacheSize?: number | undefined;
208
+ }>>;
209
+ shutdown: z.ZodDefault<z.ZodObject<{
210
+ drainTimeoutMs: z.ZodDefault<z.ZodNumber>;
211
+ }, "strict", z.ZodTypeAny, {
212
+ drainTimeoutMs: number;
213
+ }, {
214
+ drainTimeoutMs?: number | undefined;
215
+ }>>;
216
+ trustProxy: z.ZodDefault<z.ZodBoolean>;
217
+ stream: z.ZodDefault<z.ZodObject<{
218
+ disconnectPolicy: z.ZodDefault<z.ZodEnum<["continue", "pause-on-disconnect", "abort-on-disconnect"]>>;
219
+ disconnectGracePeriodMs: z.ZodDefault<z.ZodNumber>;
220
+ replayBuffer: z.ZodDefault<z.ZodObject<{
221
+ maxEvents: z.ZodDefault<z.ZodNumber>;
222
+ ttlSeconds: z.ZodDefault<z.ZodNumber>;
223
+ }, "strict", z.ZodTypeAny, {
224
+ ttlSeconds: number;
225
+ maxEvents: number;
226
+ }, {
227
+ ttlSeconds?: number | undefined;
228
+ maxEvents?: number | undefined;
229
+ }>>;
230
+ perConnectionQueueLimit: z.ZodDefault<z.ZodNumber>;
231
+ }, "strict", z.ZodTypeAny, {
232
+ disconnectPolicy: "continue" | "pause-on-disconnect" | "abort-on-disconnect";
233
+ disconnectGracePeriodMs: number;
234
+ replayBuffer: {
235
+ ttlSeconds: number;
236
+ maxEvents: number;
237
+ };
238
+ perConnectionQueueLimit: number;
239
+ }, {
240
+ disconnectPolicy?: "continue" | "pause-on-disconnect" | "abort-on-disconnect" | undefined;
241
+ disconnectGracePeriodMs?: number | undefined;
242
+ replayBuffer?: {
243
+ ttlSeconds?: number | undefined;
244
+ maxEvents?: number | undefined;
245
+ } | undefined;
246
+ perConnectionQueueLimit?: number | undefined;
247
+ }>>;
248
+ ws: z.ZodDefault<z.ZodObject<{
249
+ enabled: z.ZodDefault<z.ZodBoolean>;
250
+ path: z.ZodDefault<z.ZodString>;
251
+ ticketTtlMs: z.ZodDefault<z.ZodNumber>;
252
+ commentarySanitization: z.ZodDefault<z.ZodObject<{
253
+ policy: z.ZodDefault<z.ZodEnum<["wrap", "strip", "pass-through"]>>;
254
+ applyToEvents: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
255
+ }, "strict", z.ZodTypeAny, {
256
+ policy: "strip" | "wrap" | "pass-through";
257
+ applyToEvents: string[];
258
+ }, {
259
+ policy?: "strip" | "wrap" | "pass-through" | undefined;
260
+ applyToEvents?: string[] | undefined;
261
+ }>>;
262
+ }, "strict", z.ZodTypeAny, {
263
+ path: string;
264
+ enabled: boolean;
265
+ ticketTtlMs: number;
266
+ commentarySanitization: {
267
+ policy: "strip" | "wrap" | "pass-through";
268
+ applyToEvents: string[];
269
+ };
270
+ }, {
271
+ path?: string | undefined;
272
+ enabled?: boolean | undefined;
273
+ ticketTtlMs?: number | undefined;
274
+ commentarySanitization?: {
275
+ policy?: "strip" | "wrap" | "pass-through" | undefined;
276
+ applyToEvents?: string[] | undefined;
277
+ } | undefined;
278
+ }>>;
279
+ sse: z.ZodDefault<z.ZodObject<{
280
+ enabled: z.ZodDefault<z.ZodBoolean>;
281
+ path: z.ZodDefault<z.ZodString>;
282
+ keepAliveMs: z.ZodDefault<z.ZodNumber>;
283
+ }, "strict", z.ZodTypeAny, {
284
+ path: string;
285
+ enabled: boolean;
286
+ keepAliveMs: number;
287
+ }, {
288
+ path?: string | undefined;
289
+ enabled?: boolean | undefined;
290
+ keepAliveMs?: number | undefined;
291
+ }>>;
292
+ }, "strict", z.ZodTypeAny, {
293
+ host: string;
294
+ port: number;
295
+ basePath: string;
296
+ cors: {
297
+ allowOrigins: string[];
298
+ allowCredentials: boolean;
299
+ allowMethods: string[];
300
+ allowHeaders: string[];
301
+ maxAgeSeconds: number;
302
+ };
303
+ csrf: {
304
+ enabled: boolean;
305
+ cookieName: string;
306
+ headerName: string;
307
+ safeMethods: string[];
308
+ };
309
+ rateLimit: {
310
+ enabled: boolean;
311
+ windowMs: number;
312
+ perIpRequests: number;
313
+ };
314
+ idempotency: {
315
+ enabled: boolean;
316
+ requireKey: "off" | "warn" | "enforce";
317
+ ttlSeconds: number;
318
+ checkBodyFingerprint: boolean;
319
+ lruCacheSize: number;
320
+ };
321
+ shutdown: {
322
+ drainTimeoutMs: number;
323
+ };
324
+ trustProxy: boolean;
325
+ stream: {
326
+ disconnectPolicy: "continue" | "pause-on-disconnect" | "abort-on-disconnect";
327
+ disconnectGracePeriodMs: number;
328
+ replayBuffer: {
329
+ ttlSeconds: number;
330
+ maxEvents: number;
331
+ };
332
+ perConnectionQueueLimit: number;
333
+ };
334
+ ws: {
335
+ path: string;
336
+ enabled: boolean;
337
+ ticketTtlMs: number;
338
+ commentarySanitization: {
339
+ policy: "strip" | "wrap" | "pass-through";
340
+ applyToEvents: string[];
341
+ };
342
+ };
343
+ sse: {
344
+ path: string;
345
+ enabled: boolean;
346
+ keepAliveMs: number;
347
+ };
348
+ }, {
349
+ host?: string | undefined;
350
+ port?: number | undefined;
351
+ basePath?: string | undefined;
352
+ cors?: {
353
+ allowOrigins?: string[] | undefined;
354
+ allowCredentials?: boolean | undefined;
355
+ allowMethods?: string[] | undefined;
356
+ allowHeaders?: string[] | undefined;
357
+ maxAgeSeconds?: number | undefined;
358
+ } | undefined;
359
+ csrf?: {
360
+ enabled?: boolean | undefined;
361
+ cookieName?: string | undefined;
362
+ headerName?: string | undefined;
363
+ safeMethods?: string[] | undefined;
364
+ } | undefined;
365
+ rateLimit?: {
366
+ enabled?: boolean | undefined;
367
+ windowMs?: number | undefined;
368
+ perIpRequests?: number | undefined;
369
+ } | undefined;
370
+ idempotency?: {
371
+ enabled?: boolean | undefined;
372
+ requireKey?: "off" | "warn" | "enforce" | undefined;
373
+ ttlSeconds?: number | undefined;
374
+ checkBodyFingerprint?: boolean | undefined;
375
+ lruCacheSize?: number | undefined;
376
+ } | undefined;
377
+ shutdown?: {
378
+ drainTimeoutMs?: number | undefined;
379
+ } | undefined;
380
+ trustProxy?: boolean | undefined;
381
+ stream?: {
382
+ disconnectPolicy?: "continue" | "pause-on-disconnect" | "abort-on-disconnect" | undefined;
383
+ disconnectGracePeriodMs?: number | undefined;
384
+ replayBuffer?: {
385
+ ttlSeconds?: number | undefined;
386
+ maxEvents?: number | undefined;
387
+ } | undefined;
388
+ perConnectionQueueLimit?: number | undefined;
389
+ } | undefined;
390
+ ws?: {
391
+ path?: string | undefined;
392
+ enabled?: boolean | undefined;
393
+ ticketTtlMs?: number | undefined;
394
+ commentarySanitization?: {
395
+ policy?: "strip" | "wrap" | "pass-through" | undefined;
396
+ applyToEvents?: string[] | undefined;
397
+ } | undefined;
398
+ } | undefined;
399
+ sse?: {
400
+ path?: string | undefined;
401
+ enabled?: boolean | undefined;
402
+ keepAliveMs?: number | undefined;
403
+ } | undefined;
404
+ }>>;
405
+ storage: z.ZodDefault<z.ZodObject<{
406
+ path: z.ZodDefault<z.ZodString>;
407
+ mode: z.ZodDefault<z.ZodEnum<["lib", "server"]>>;
408
+ walCheckpointIntervalMs: z.ZodOptional<z.ZodNumber>;
409
+ encryption: z.ZodDefault<z.ZodObject<{
410
+ enabled: z.ZodDefault<z.ZodBoolean>;
411
+ cipher: z.ZodOptional<z.ZodString>;
412
+ passphraseRef: z.ZodOptional<z.ZodString>;
413
+ }, "strict", z.ZodTypeAny, {
414
+ enabled: boolean;
415
+ cipher?: string | undefined;
416
+ passphraseRef?: string | undefined;
417
+ }, {
418
+ enabled?: boolean | undefined;
419
+ cipher?: string | undefined;
420
+ passphraseRef?: string | undefined;
421
+ }>>;
422
+ }, "strict", z.ZodTypeAny, {
423
+ path: string;
424
+ mode: "server" | "lib";
425
+ encryption: {
426
+ enabled: boolean;
427
+ cipher?: string | undefined;
428
+ passphraseRef?: string | undefined;
429
+ };
430
+ walCheckpointIntervalMs?: number | undefined;
431
+ }, {
432
+ path?: string | undefined;
433
+ mode?: "server" | "lib" | undefined;
434
+ walCheckpointIntervalMs?: number | undefined;
435
+ encryption?: {
436
+ enabled?: boolean | undefined;
437
+ cipher?: string | undefined;
438
+ passphraseRef?: string | undefined;
439
+ } | undefined;
440
+ }>>;
441
+ audit: z.ZodDefault<z.ZodObject<{
442
+ enabled: z.ZodDefault<z.ZodBoolean>;
443
+ path: z.ZodOptional<z.ZodString>;
444
+ passphraseRef: z.ZodOptional<z.ZodString>;
445
+ cipher: z.ZodOptional<z.ZodString>;
446
+ }, "strict", z.ZodTypeAny, {
447
+ enabled: boolean;
448
+ path?: string | undefined;
449
+ cipher?: string | undefined;
450
+ passphraseRef?: string | undefined;
451
+ }, {
452
+ path?: string | undefined;
453
+ enabled?: boolean | undefined;
454
+ cipher?: string | undefined;
455
+ passphraseRef?: string | undefined;
456
+ }>>;
457
+ secrets: z.ZodDefault<z.ZodObject<{
458
+ source: z.ZodDefault<z.ZodEnum<["auto", "keyring", "encrypted-file", "env"]>>;
459
+ strict: z.ZodDefault<z.ZodBoolean>;
460
+ }, "strict", z.ZodTypeAny, {
461
+ strict: boolean;
462
+ source: "auto" | "keyring" | "encrypted-file" | "env";
463
+ }, {
464
+ strict?: boolean | undefined;
465
+ source?: "auto" | "keyring" | "encrypted-file" | "env" | undefined;
466
+ }>>;
467
+ auth: z.ZodDefault<z.ZodObject<{
468
+ kind: z.ZodDefault<z.ZodEnum<["token", "none"]>>;
469
+ pepperRef: z.ZodOptional<z.ZodString>;
470
+ tokenPrefix: z.ZodDefault<z.ZodString>;
471
+ tokenEnvironments: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
472
+ perIpFailureThreshold: z.ZodOptional<z.ZodNumber>;
473
+ perIpLockoutMs: z.ZodOptional<z.ZodNumber>;
474
+ }, "strict", z.ZodTypeAny, {
475
+ kind: "token" | "none";
476
+ tokenPrefix: string;
477
+ tokenEnvironments: string[];
478
+ pepperRef?: string | undefined;
479
+ perIpFailureThreshold?: number | undefined;
480
+ perIpLockoutMs?: number | undefined;
481
+ }, {
482
+ kind?: "token" | "none" | undefined;
483
+ pepperRef?: string | undefined;
484
+ tokenPrefix?: string | undefined;
485
+ tokenEnvironments?: string[] | undefined;
486
+ perIpFailureThreshold?: number | undefined;
487
+ perIpLockoutMs?: number | undefined;
488
+ }>>;
489
+ observability: z.ZodDefault<z.ZodObject<{
490
+ logger: z.ZodDefault<z.ZodEnum<["json", "pretty", "silent"]>>;
491
+ }, "strict", z.ZodTypeAny, {
492
+ logger: "json" | "pretty" | "silent";
493
+ }, {
494
+ logger?: "json" | "pretty" | "silent" | undefined;
495
+ }>>;
496
+ hardening: z.ZodDefault<z.ZodObject<{
497
+ applyOnStart: z.ZodDefault<z.ZodBoolean>;
498
+ refuseRoot: z.ZodDefault<z.ZodBoolean>;
499
+ umask: z.ZodDefault<z.ZodNumber>;
500
+ }, "strict", z.ZodTypeAny, {
501
+ applyOnStart: boolean;
502
+ refuseRoot: boolean;
503
+ umask: number;
504
+ }, {
505
+ applyOnStart?: boolean | undefined;
506
+ refuseRoot?: boolean | undefined;
507
+ umask?: number | undefined;
508
+ }>>;
509
+ metrics: z.ZodDefault<z.ZodObject<{
510
+ enabled: z.ZodDefault<z.ZodBoolean>;
511
+ path: z.ZodDefault<z.ZodString>;
512
+ requireAuth: z.ZodDefault<z.ZodBoolean>;
513
+ }, "strict", z.ZodTypeAny, {
514
+ path: string;
515
+ enabled: boolean;
516
+ requireAuth: boolean;
517
+ }, {
518
+ path?: string | undefined;
519
+ enabled?: boolean | undefined;
520
+ requireAuth?: boolean | undefined;
521
+ }>>;
522
+ health: z.ZodDefault<z.ZodObject<{
523
+ walWarnThresholdBytes: z.ZodDefault<z.ZodNumber>;
524
+ }, "strict", z.ZodTypeAny, {
525
+ walWarnThresholdBytes: number;
526
+ }, {
527
+ walWarnThresholdBytes?: number | undefined;
528
+ }>>;
529
+ }, "strict", z.ZodTypeAny, {
530
+ server: {
531
+ host: string;
532
+ port: number;
533
+ basePath: string;
534
+ cors: {
535
+ allowOrigins: string[];
536
+ allowCredentials: boolean;
537
+ allowMethods: string[];
538
+ allowHeaders: string[];
539
+ maxAgeSeconds: number;
540
+ };
541
+ csrf: {
542
+ enabled: boolean;
543
+ cookieName: string;
544
+ headerName: string;
545
+ safeMethods: string[];
546
+ };
547
+ rateLimit: {
548
+ enabled: boolean;
549
+ windowMs: number;
550
+ perIpRequests: number;
551
+ };
552
+ idempotency: {
553
+ enabled: boolean;
554
+ requireKey: "off" | "warn" | "enforce";
555
+ ttlSeconds: number;
556
+ checkBodyFingerprint: boolean;
557
+ lruCacheSize: number;
558
+ };
559
+ shutdown: {
560
+ drainTimeoutMs: number;
561
+ };
562
+ trustProxy: boolean;
563
+ stream: {
564
+ disconnectPolicy: "continue" | "pause-on-disconnect" | "abort-on-disconnect";
565
+ disconnectGracePeriodMs: number;
566
+ replayBuffer: {
567
+ ttlSeconds: number;
568
+ maxEvents: number;
569
+ };
570
+ perConnectionQueueLimit: number;
571
+ };
572
+ ws: {
573
+ path: string;
574
+ enabled: boolean;
575
+ ticketTtlMs: number;
576
+ commentarySanitization: {
577
+ policy: "strip" | "wrap" | "pass-through";
578
+ applyToEvents: string[];
579
+ };
580
+ };
581
+ sse: {
582
+ path: string;
583
+ enabled: boolean;
584
+ keepAliveMs: number;
585
+ };
586
+ };
587
+ storage: {
588
+ path: string;
589
+ mode: "server" | "lib";
590
+ encryption: {
591
+ enabled: boolean;
592
+ cipher?: string | undefined;
593
+ passphraseRef?: string | undefined;
594
+ };
595
+ walCheckpointIntervalMs?: number | undefined;
596
+ };
597
+ audit: {
598
+ enabled: boolean;
599
+ path?: string | undefined;
600
+ cipher?: string | undefined;
601
+ passphraseRef?: string | undefined;
602
+ };
603
+ secrets: {
604
+ strict: boolean;
605
+ source: "auto" | "keyring" | "encrypted-file" | "env";
606
+ };
607
+ auth: {
608
+ kind: "token" | "none";
609
+ tokenPrefix: string;
610
+ tokenEnvironments: string[];
611
+ pepperRef?: string | undefined;
612
+ perIpFailureThreshold?: number | undefined;
613
+ perIpLockoutMs?: number | undefined;
614
+ };
615
+ observability: {
616
+ logger: "json" | "pretty" | "silent";
617
+ };
618
+ hardening: {
619
+ applyOnStart: boolean;
620
+ refuseRoot: boolean;
621
+ umask: number;
622
+ };
623
+ metrics: {
624
+ path: string;
625
+ enabled: boolean;
626
+ requireAuth: boolean;
627
+ };
628
+ health: {
629
+ walWarnThresholdBytes: number;
630
+ };
631
+ }, {
632
+ server?: {
633
+ host?: string | undefined;
634
+ port?: number | undefined;
635
+ basePath?: string | undefined;
636
+ cors?: {
637
+ allowOrigins?: string[] | undefined;
638
+ allowCredentials?: boolean | undefined;
639
+ allowMethods?: string[] | undefined;
640
+ allowHeaders?: string[] | undefined;
641
+ maxAgeSeconds?: number | undefined;
642
+ } | undefined;
643
+ csrf?: {
644
+ enabled?: boolean | undefined;
645
+ cookieName?: string | undefined;
646
+ headerName?: string | undefined;
647
+ safeMethods?: string[] | undefined;
648
+ } | undefined;
649
+ rateLimit?: {
650
+ enabled?: boolean | undefined;
651
+ windowMs?: number | undefined;
652
+ perIpRequests?: number | undefined;
653
+ } | undefined;
654
+ idempotency?: {
655
+ enabled?: boolean | undefined;
656
+ requireKey?: "off" | "warn" | "enforce" | undefined;
657
+ ttlSeconds?: number | undefined;
658
+ checkBodyFingerprint?: boolean | undefined;
659
+ lruCacheSize?: number | undefined;
660
+ } | undefined;
661
+ shutdown?: {
662
+ drainTimeoutMs?: number | undefined;
663
+ } | undefined;
664
+ trustProxy?: boolean | undefined;
665
+ stream?: {
666
+ disconnectPolicy?: "continue" | "pause-on-disconnect" | "abort-on-disconnect" | undefined;
667
+ disconnectGracePeriodMs?: number | undefined;
668
+ replayBuffer?: {
669
+ ttlSeconds?: number | undefined;
670
+ maxEvents?: number | undefined;
671
+ } | undefined;
672
+ perConnectionQueueLimit?: number | undefined;
673
+ } | undefined;
674
+ ws?: {
675
+ path?: string | undefined;
676
+ enabled?: boolean | undefined;
677
+ ticketTtlMs?: number | undefined;
678
+ commentarySanitization?: {
679
+ policy?: "strip" | "wrap" | "pass-through" | undefined;
680
+ applyToEvents?: string[] | undefined;
681
+ } | undefined;
682
+ } | undefined;
683
+ sse?: {
684
+ path?: string | undefined;
685
+ enabled?: boolean | undefined;
686
+ keepAliveMs?: number | undefined;
687
+ } | undefined;
688
+ } | undefined;
689
+ storage?: {
690
+ path?: string | undefined;
691
+ mode?: "server" | "lib" | undefined;
692
+ walCheckpointIntervalMs?: number | undefined;
693
+ encryption?: {
694
+ enabled?: boolean | undefined;
695
+ cipher?: string | undefined;
696
+ passphraseRef?: string | undefined;
697
+ } | undefined;
698
+ } | undefined;
699
+ audit?: {
700
+ path?: string | undefined;
701
+ enabled?: boolean | undefined;
702
+ cipher?: string | undefined;
703
+ passphraseRef?: string | undefined;
704
+ } | undefined;
705
+ secrets?: {
706
+ strict?: boolean | undefined;
707
+ source?: "auto" | "keyring" | "encrypted-file" | "env" | undefined;
708
+ } | undefined;
709
+ auth?: {
710
+ kind?: "token" | "none" | undefined;
711
+ pepperRef?: string | undefined;
712
+ tokenPrefix?: string | undefined;
713
+ tokenEnvironments?: string[] | undefined;
714
+ perIpFailureThreshold?: number | undefined;
715
+ perIpLockoutMs?: number | undefined;
716
+ } | undefined;
717
+ observability?: {
718
+ logger?: "json" | "pretty" | "silent" | undefined;
719
+ } | undefined;
720
+ hardening?: {
721
+ applyOnStart?: boolean | undefined;
722
+ refuseRoot?: boolean | undefined;
723
+ umask?: number | undefined;
724
+ } | undefined;
725
+ metrics?: {
726
+ path?: string | undefined;
727
+ enabled?: boolean | undefined;
728
+ requireAuth?: boolean | undefined;
729
+ } | undefined;
730
+ health?: {
731
+ walWarnThresholdBytes?: number | undefined;
732
+ } | undefined;
733
+ }>>;
734
+ /**
735
+ * Input shape accepted by {@link defineConfig}. Every field is
736
+ * optional; missing values fall back to a documented default.
737
+ *
738
+ * @stable
739
+ */
740
+ type ServerConfigInput = z.input<typeof ServerConfigSchema>;
741
+ /**
742
+ * Helper for `graphorin.config.ts` files. Pure pass-through that
743
+ * provides editor autocomplete; the actual parsing happens at server
744
+ * startup so callers always see the same error path regardless of
745
+ * which loader (TS / JS / JSON) the operator picked.
746
+ *
747
+ * @stable
748
+ */
749
+ declare function defineConfig(input: ServerConfigInput): ServerConfigInput;
750
+ /**
751
+ * Parse + validate user input. Returns a strongly-typed
752
+ * {@link ServerConfigSpec}; throws {@link ConfigInvalidError} on
753
+ * any invalid field with a flattened issue list.
754
+ *
755
+ * @stable
756
+ */
757
+ declare function parseServerConfig(input: unknown): ServerConfigSpec;
758
+ //#endregion
759
+ export { DeliveryCommentaryPolicyConfig, IdempotencyRequireKeyMode, SecretRefString, SecretsSource, ServerConfigInput, ServerConfigSchema, ServerConfigSpec, defineConfig, parseServerConfig };
760
+ //# sourceMappingURL=config.d.ts.map