npm - @haaaiawd/second-nature - Versions diffs - 0.1.25 → 0.1.26 - Mend

@haaaiawd/second-nature 0.1.25 → 0.1.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/runtime/core/second-nature/orchestrator/platform-capability-router.js ADDED Viewed

@@ -0,0 +1,115 @@
+function kindToCapability(kind) {
+    if (kind === "exploration")
+        return "feed.read";
+    if (kind === "social")
+        return "comment.reply";
+    if (kind === "work")
+        return "work.discover";
+    if (kind === "outreach")
+        return "message.send";
+    return null;
+}
+function getPlatformIds(registry) {
+    if (registry) {
+        return registry.listRegisteredPlatformIds();
+    }
+    // Fallback: built-in platforms when registry is absent (backward compat)
+    return ["moltbook", "instreet", "evomap"];
+}
+function extractPlatformIdsFromGoals(goals, kind, platformIds) {
+    const capability = kindToCapability(kind);
+    const results = new Set();
+    for (const goal of goals) {
+        const text = `${goal.description} ${goal.completionCriteria ?? ""}`.toLowerCase();
+        for (const pid of platformIds) {
+            if (text.includes(pid)) {
+                results.add(pid);
+            }
+        }
+        // Also match if goal text contains the capability name (e.g. "feed.read")
+        if (capability && text.includes(capability.toLowerCase())) {
+            // capability alone doesn't tell us platform; keep for later
+        }
+    }
+    return [...results];
+}
+function extractPlatformIdsFromEvidence(refs, platformIds) {
+    const results = new Set();
+    for (const ref of refs) {
+        if (ref.kind === "connector_result" && ref.id) {
+            for (const pid of platformIds) {
+                if (ref.id.includes(pid)) {
+                    results.add(pid);
+                }
+            }
+        }
+        // Parse platform:// URIs (e.g. platform://moltbook/feed.read)
+        if (ref.uri && ref.uri.startsWith("platform://")) {
+            const afterScheme = ref.uri.slice("platform://".length);
+            const platformPart = afterScheme.split("/")[0];
+            if (platformPart && platformIds.includes(platformPart)) {
+                results.add(platformPart);
+            }
+        }
+        // L-02: Also support namespace format moltbook:feed.read (connector-system §5.3)
+        if (ref.uri && !ref.uri.includes("://") && ref.uri.includes(":")) {
+            const nsPart = ref.uri.split(":")[0];
+            if (nsPart && platformIds.includes(nsPart)) {
+                results.add(nsPart);
+            }
+        }
+    }
+    return [...results];
+}
+function validatePlatformCapability(platformId, kind, registry) {
+    const capability = kindToCapability(kind);
+    if (!capability)
+        return false;
+    try {
+        return registry.hasCapability(platformId, capability);
+    }
+    catch (err) {
+        // H-08: Log registry validation failures for observability.
+        console.warn(`[platform-capability-router] Registry validation failed for ${platformId}:${capability}`, err);
+        return false;
+    }
+}
+/**
+ * Resolve an explicit platformId for a candidate intent kind.
+ * Returns `undefined` when no unambiguous platform can be inferred.
+ */
+export function resolvePlatformForIntent(kind, context, registry) {
+    const capability = kindToCapability(kind);
+    if (!capability) {
+        // Quiet, reflection, maintenance have no connector capability mapping.
+        return undefined;
+    }
+    const platformIds = getPlatformIds(registry);
+    const candidates = [];
+    if (context.acceptedGoals && context.acceptedGoals.length > 0) {
+        candidates.push(...extractPlatformIdsFromGoals(context.acceptedGoals, kind, platformIds));
+    }
+    if (context.evidenceRefs && context.evidenceRefs.length > 0) {
+        candidates.push(...extractPlatformIdsFromEvidence(context.evidenceRefs, platformIds));
+    }
+    // Deduplicate while preserving order
+    const ordered = [...new Set(candidates)];
+    if (ordered.length === 0) {
+        return undefined;
+    }
+    if (ordered.length > 1) {
+        // Ambiguous: multiple platforms inferred → do not guess, return undefined.
+        // Guard layer will deny with "ambiguous_platform" reason.
+        return undefined;
+    }
+    const single = ordered[0];
+    if (registry) {
+        if (validatePlatformCapability(single, kind, registry)) {
+            return single;
+        }
+        // Registry says unsupported → undefined (guard layer will deny)
+        return undefined;
+    }
+    // No registry: best-effort return the single candidate (backward compat)
+    return single;
+}

package/runtime/observability/query/explain-query.d.ts CHANGED Viewed

@@ -25,6 +25,9 @@ export type ExplainQuery = {
 } | {
     kind: "source_ref";
     sourceRefId: string;
+} | {
+    kind: "relationship";
+    relationshipId: string;
 };
 export interface RedactedExplainEvent {
     eventId: string;

package/runtime/observability/query/explain-query.js CHANGED Viewed

@@ -60,6 +60,15 @@ function eventMatchesQuery(envelope, query) {
                 return false;
             }
         }
+        case "relationship": {
+            const needle = query.relationshipId;
+            try {
+                return JSON.stringify(payload).includes(needle);
+            }
+            catch {
+                return false;
+            }
+        }
     }
 }
 function summarizeEnvelope(e) {

package/runtime/shared/types/credential.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-export type CredentialState = "missing" | "pending_verification" | "active" | "expired" | "revoked" | "failed";
+export type CredentialState = "missing" | "pending_verification" | "active" | "expired" | "revoked" | "failed" | "decrypt_failed";
 export type CredentialType = "api_key" | "oauth_token" | "node_secret" | "verification_code";
 export interface CredentialContext {
     platformId: string;

package/runtime/storage/chronicle/session-chronicle-store.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import type { StateDatabase } from "../db/index.js";
-export type ChronicleEventKind = "heartbeat" | "connector_action" | "outreach" | "owner_reply" | "dream_run" | "maintenance";
+export type ChronicleEventKind = "heartbeat" | "connector_action" | "outreach" | "owner_reply" | "dream_run" | "maintenance" | "system_notice";
 export interface SourceRef {
     sourceId: string;
     kind: string;

package/runtime/storage/services/credential-vault.d.ts CHANGED Viewed

@@ -10,4 +10,22 @@ export interface CredentialVault {
     loadCredentialContext(platformId: string): Promise<CredentialContext | null>;
     getCredentialState(platformId: string): Promise<CredentialState>;
 }
+/** T1.4.1 — runtime secret health probe result for a single credential row. */
+export interface CredentialHealthProbe {
+    platformId: string;
+    state: CredentialState | "decrypt_failed";
+    keyHealth: "missing_key" | "wrong_key" | "ok";
+    hasBaseUrl: boolean;
+    diagnosticCode: "missing_runtime_secret" | "credential_recovery_required" | "ok";
+}
+/**
+ * T1.4.1 — probe a credential record for runtime secret health.
+ *
+ * Given a raw encrypted value from the DB, this function checks:
+ * 1. Is SECOND_NATURE_ENCRYPTION_KEY present and >= 32 chars?
+ * 2. Can the ciphertext be decrypted with that key?
+ *
+ * It never throws; all failures are encoded in the returned state.
+ */
+export declare function probeCredentialHealth(platformId: string, encryptedValue: string | undefined | null, baseUrl: string | undefined | null): CredentialHealthProbe;
 export declare function createCredentialVault(db: StateDatabase["db"]): CredentialVault;

package/runtime/storage/services/credential-vault.js CHANGED Viewed

@@ -54,6 +54,58 @@ export function decryptCredentialAtRest(ciphertext) {
         return "";
     return decryptInternal(ciphertext);
 }
+/**
+ * T1.4.1 — probe a credential record for runtime secret health.
+ *
+ * Given a raw encrypted value from the DB, this function checks:
+ * 1. Is SECOND_NATURE_ENCRYPTION_KEY present and >= 32 chars?
+ * 2. Can the ciphertext be decrypted with that key?
+ *
+ * It never throws; all failures are encoded in the returned state.
+ */
+export function probeCredentialHealth(platformId, encryptedValue, baseUrl) {
+    // Key availability check
+    const rawKey = process.env.SECOND_NATURE_ENCRYPTION_KEY?.trim();
+    if (!rawKey || rawKey.length < 32) {
+        return {
+            platformId,
+            state: encryptedValue ? "decrypt_failed" : "missing",
+            keyHealth: "missing_key",
+            hasBaseUrl: Boolean(baseUrl),
+            diagnosticCode: "missing_runtime_secret",
+        };
+    }
+    // No encrypted value to test
+    if (!encryptedValue) {
+        return {
+            platformId,
+            state: "missing",
+            keyHealth: "ok",
+            hasBaseUrl: Boolean(baseUrl),
+            diagnosticCode: "ok",
+        };
+    }
+    // Decryption attempt
+    try {
+        decryptCredentialAtRest(encryptedValue);
+        return {
+            platformId,
+            state: "active",
+            keyHealth: "ok",
+            hasBaseUrl: Boolean(baseUrl),
+            diagnosticCode: "ok",
+        };
+    }
+    catch {
+        return {
+            platformId,
+            state: "decrypt_failed",
+            keyHealth: "wrong_key",
+            hasBaseUrl: Boolean(baseUrl),
+            diagnosticCode: "credential_recovery_required",
+        };
+    }
+}
 export function createCredentialVault(db) {
     return {
         async saveCredentialContext(input) {
@@ -89,16 +141,34 @@ export function createCredentialVault(db) {
             if (!record)
                 return null;
             let plain;
+            let status = record.status;
             if (record.encryptedValue) {
                 if (!isCredentialCiphertext(record.encryptedValue)) {
-                    throw new Error("credential_store_plaintext_or_invalid_legacy_record");
+                    // Fail-closed: return decrypt_failed so callers do not crash.
+                    return {
+                        platformId: record.platformId,
+                        credentialType: record.credentialType,
+                        status: "decrypt_failed",
+                        encryptedValue: undefined,
+                        verificationCode: record.verificationCode ?? undefined,
+                        challengeText: record.challengeText ?? undefined,
+                        verificationDeadline: record.expiresAt ?? undefined,
+                        attemptsRemaining: record.attemptsRemaining ?? undefined,
+                    };
+                }
+                try {
+                    plain = decryptCredentialAtRest(record.encryptedValue);
+                }
+                catch {
+                    // Decryption failure must not break the whole state load.
+                    status = "decrypt_failed";
+                    plain = undefined;
                 }
-                plain = decryptCredentialAtRest(record.encryptedValue);
             }
             return {
                 platformId: record.platformId,
                 credentialType: record.credentialType,
-                status: record.status,
+                status,
                 encryptedValue: plain,
                 verificationCode: record.verificationCode ?? undefined,
                 challengeText: record.challengeText ?? undefined,