npm - @hotmeshio/long-tail - Versions diffs - 0.4.18 → 0.4.19 - Mend

@hotmeshio/long-tail 0.4.18 → 0.4.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (350) hide show

package/build/modules/auth.js CHANGED Viewed

@@ -1,15 +1,50 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requireAdmin = exports.requireAuth = exports.JwtAuthAdapter = void 0;
+exports.requireBuilder = exports.requireAdmin = exports.requireAuth = exports.JwtAuthAdapter = void 0;
 exports.createAuthMiddleware = createAuthMiddleware;
 exports.setAuthAdapter = setAuthAdapter;
 exports.signToken = signToken;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const config_1 = require("./config");
+const sso_1 = require("./sso");
 const user_1 = require("../services/user");
+const sso_provision_1 = require("../services/user/sso-provision");
 const bot_api_key_1 = require("../services/auth/bot-api-key");
 const principal_1 = require("../services/iam/principal");
 /**
@@ -114,7 +149,39 @@ function createAuthMiddleware(adapter) {
  * middleware delegates to the custom adapter instead.
  */
 let _authMiddleware = null;
-const requireAuth = (req, res, next) => {
+const requireAuth = async (req, res, next) => {
+    // Fast path: Bearer token present — use standard JWT/adapter auth
+    const header = req.headers.authorization;
+    if (header?.startsWith('Bearer ')) {
+        const mw = _authMiddleware || createAuthMiddleware(new JwtAuthAdapter());
+        return mw(req, res, next);
+    }
+    // SSO fallback: no Bearer, but host may have authenticated via cookies/headers
+    const ssoConfig = (0, sso_1.getSSOConfig)();
+    if (ssoConfig) {
+        try {
+            const identity = await ssoConfig.resolve(req);
+            if (identity) {
+                const provisioned = await (0, sso_provision_1.ssoProvision)(identity, ssoConfig);
+                const highestType = provisioned.roles.some((r) => r.type === 'superadmin')
+                    ? 'superadmin'
+                    : provisioned.roles.some((r) => r.type === 'admin')
+                        ? 'admin'
+                        : 'member';
+                req.auth = {
+                    userId: provisioned.userId,
+                    role: highestType,
+                    roles: provisioned.roles,
+                    sso: true,
+                };
+                return next();
+            }
+        }
+        catch {
+            // SSO resolve failed — fall through to 401
+        }
+    }
+    // No Bearer, no SSO — delegate to standard middleware (returns 401)
     const mw = _authMiddleware || createAuthMiddleware(new JwtAuthAdapter());
     mw(req, res, next);
 };
@@ -155,6 +222,41 @@ const requireAdmin = async (req, res, next) => {
     }
 };
 exports.requireAdmin = requireAdmin;
+/**
+ * Middleware that requires builder access. Must be placed AFTER requireAuth.
+ *
+ * Builders are superadmin, admin, or users with the 'engineer' role.
+ * This is the backend equivalent of the dashboard's `isBuilder` check.
+ */
+const requireBuilder = async (req, res, next) => {
+    try {
+        if (!req.auth?.userId) {
+            res.status(403).json({ error: 'Forbidden' });
+            return;
+        }
+        // Fast path: trust the JWT role claim for admin/superadmin
+        if (req.auth.role === 'admin' || req.auth.role === 'superadmin') {
+            next();
+            return;
+        }
+        // Check database for superadmin role type
+        if (await (0, user_1.isSuperAdmin)(req.auth.userId)) {
+            next();
+            return;
+        }
+        // Check database for engineer role (builder)
+        const { hasRole } = await Promise.resolve().then(() => __importStar(require('../services/user/roles')));
+        if (await hasRole(req.auth.userId, 'engineer')) {
+            next();
+            return;
+        }
+        res.status(403).json({ error: 'Forbidden: builder access required' });
+    }
+    catch {
+        res.status(403).json({ error: 'Forbidden' });
+    }
+};
+exports.requireBuilder = requireBuilder;
 /**
  * Generate a JWT token. Utility for tests and token provisioning.
  */

package/build/modules/sso.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { LTSSOConfig } from '../types/auth';
+export declare function setSSOConfig(config: LTSSOConfig): void;
+export declare function getSSOConfig(): LTSSOConfig | null;
+export declare function isSSOEnabled(): boolean;
+/** Reset SSO config. Used by tests. */
+export declare function clearSSOConfig(): void;

package/build/modules/sso.js ADDED Viewed

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setSSOConfig = setSSOConfig;
+exports.getSSOConfig = getSSOConfig;
+exports.isSSOEnabled = isSSOEnabled;
+exports.clearSSOConfig = clearSSOConfig;
+let _ssoConfig = null;
+function setSSOConfig(config) {
+    _ssoConfig = config;
+}
+function getSSOConfig() {
+    return _ssoConfig;
+}
+function isSSOEnabled() {
+    return _ssoConfig !== null;
+}
+/** Reset SSO config. Used by tests. */
+function clearSSOConfig() {
+    _ssoConfig = null;
+}

package/build/routes/auth-sso.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ declare const router: import("express-serve-static-core").Router;
2	+ export default router;

package/build/routes/auth-sso.js ADDED Viewed

@@ -0,0 +1,51 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = require("express");
+const api = __importStar(require("../api/auth-sso"));
+const router = (0, express_1.Router)();
+/**
+ * POST /api/auth/sso
+ * Exchange host authentication for a Long Tail JWT.
+ *
+ * No Bearer token required — the host's cookies/headers carry the auth.
+ * The dashboard calls this on mount when SSO is enabled, replacing the
+ * login form with a transparent token exchange.
+ */
+router.post('/sso', async (req, res) => {
+    const result = await api.exchangeSSO(req);
+    res.status(result.status).json(result.data ?? { error: result.error });
+});
+exports.default = router;

package/build/routes/bot-accounts.js CHANGED Viewed

@@ -38,7 +38,7 @@ const auth_1 = require("../modules/auth");
 const api = __importStar(require("../api/bot-accounts"));
 const router = (0, express_1.Router)();
 // All bot account routes require admin access
-router.use(auth_1.requireAdmin);
+router.use(auth_1.requireBuilder);
 // ── Bot CRUD ─────────────────────────────────────────────────────────────────
 /**
  * GET /api/bot-accounts

package/build/routes/controlplane.js CHANGED Viewed

@@ -42,7 +42,7 @@ const router = (0, express_1.Router)();
  * List available HotMesh application IDs.
  * Admin-only.
  */
-router.get('/apps', auth_1.requireAdmin, async (_req, res) => {
+router.get('/apps', auth_1.requireBuilder, async (_req, res) => {
     const result = await api.listApps();
     res.status(result.status).json(result.data ?? { error: result.error });
 });
@@ -51,7 +51,7 @@ router.get('/apps', auth_1.requireAdmin, async (_req, res) => {
  * Execute a roll call — discovers all engines and workers.
  * Admin-only.
  */
-router.get('/rollcall', auth_1.requireAdmin, async (req, res) => {
+router.get('/rollcall', auth_1.requireBuilder, async (req, res) => {
     const result = await api.rollCall({
         appId: req.query.app_id || 'durable',
         delay: req.query.delay ? parseInt(req.query.delay, 10) : undefined,
@@ -66,7 +66,7 @@ router.get('/rollcall', auth_1.requireAdmin, async (req, res) => {
  * Body: { appId: string, throttle: number, topic?: string, guid?: string }
  *   throttle: ms delay (-1 = pause, 0 = resume, >0 = delay per msg)
  */
-router.post('/throttle', auth_1.requireAdmin, async (req, res) => {
+router.post('/throttle', auth_1.requireBuilder, async (req, res) => {
     const { appId = 'durable', throttle, topic, guid, scope } = req.body;
     const result = await api.applyThrottle({ appId, throttle, topic, guid, scope });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -79,7 +79,7 @@ router.post('/throttle', auth_1.requireAdmin, async (req, res) => {
  * duration: 15m | 30m | 1h | 1d | 7d (default: 1h)
  * stream: optional stream_name filter (specific task queue topic)
  */
-router.get('/streams', auth_1.requireAdmin, async (req, res) => {
+router.get('/streams', auth_1.requireBuilder, async (req, res) => {
     const result = await api.getStreamStats({
         app_id: req.query.app_id || 'durable',
         duration: req.query.duration || '1h',
@@ -97,7 +97,7 @@ router.get('/streams', auth_1.requireAdmin, async (req, res) => {
  * are separate tables with different schemas.
  * Admin-only.
  */
-router.get('/stream-messages', auth_1.requireAdmin, async (req, res) => {
+router.get('/stream-messages', auth_1.requireBuilder, async (req, res) => {
     const result = await api.listStreamMessages({
         namespace: req.query.namespace,
         source: req.query.source,
@@ -124,7 +124,7 @@ router.get('/stream-messages', auth_1.requireAdmin, async (req, res) => {
  *
  * Body: { appId: string }
  */
-router.post('/subscribe', auth_1.requireAdmin, async (req, res) => {
+router.post('/subscribe', auth_1.requireBuilder, async (req, res) => {
     const { appId = 'durable' } = req.body;
     const result = await api.subscribeMesh({ appId });
     res.status(result.status).json(result.data ?? { error: result.error });

package/build/routes/escalations/list.js CHANGED Viewed

@@ -70,6 +70,7 @@ function registerListRoutes(router) {
             type: req.query.type,
             subtype: req.query.subtype,
             assigned_to: req.query.assigned_to,
+            claimed: req.query.claimed === 'true',
             priority: req.query.priority ? parseInt(req.query.priority, 10) : undefined,
             limit: req.query.limit ? parseInt(req.query.limit, 10) : undefined,
             offset: req.query.offset ? parseInt(req.query.offset, 10) : undefined,

package/build/routes/index.js CHANGED Viewed

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = require("express");
 const auth_1 = require("../modules/auth");
 const auth_2 = __importDefault(require("./auth"));
+const auth_sso_1 = __importDefault(require("./auth-sso"));
 const oauth_1 = __importDefault(require("./oauth"));
 const delegation_1 = __importDefault(require("./delegation"));
 const tasks_1 = __importDefault(require("./tasks"));
@@ -36,6 +37,7 @@ const nats_credentials_1 = __importDefault(require("./nats-credentials"));
 const router = (0, express_1.Router)();
 // Public routes (no auth required — they handle their own auth)
 router.use('/auth', auth_2.default);
+router.use('/auth', auth_sso_1.default);
 router.use('/auth/oauth', oauth_1.default);
 router.use('/delegation', delegation_1.default);
 router.use('/files', files_1.default);

package/build/routes/mcp-endpoint.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * MCP Streamable HTTP endpoint.
+ *
+ * Exposes long-tail's built-in MCP tools to external clients
+ * (Claude Desktop, Cursor, other agents) via the standard MCP
+ * streamable-http transport protocol.
+ *
+ * Stateless mode — each POST creates a fresh server+transport pair.
+ * Auth via Bearer token (JWT or bot API key) in the Authorization header.
+ *
+ * Mount at /mcp:
+ *   POST /mcp  → JSON-RPC messages (initialize, tools/list, tools/call)
+ *   GET  /mcp  → 405 (no SSE in stateless mode)
+ *   DELETE /mcp → 405 (no sessions in stateless mode)
+ */
+declare const router: import("express-serve-static-core").Router;
+export default router;

package/build/routes/mcp-endpoint.js ADDED Viewed

@@ -0,0 +1,70 @@
+"use strict";
+/**
+ * MCP Streamable HTTP endpoint.
+ *
+ * Exposes long-tail's built-in MCP tools to external clients
+ * (Claude Desktop, Cursor, other agents) via the standard MCP
+ * streamable-http transport protocol.
+ *
+ * Stateless mode — each POST creates a fresh server+transport pair.
+ * Auth via Bearer token (JWT or bot API key) in the Authorization header.
+ *
+ * Mount at /mcp:
+ *   POST /mcp  → JSON-RPC messages (initialize, tools/list, tools/call)
+ *   GET  /mcp  → 405 (no SSE in stateless mode)
+ *   DELETE /mcp → 405 (no sessions in stateless mode)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = require("express");
+const streamableHttp_js_1 = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+const auth_1 = require("../modules/auth");
+const logger_1 = require("../lib/logger");
+const external_server_1 = require("../services/mcp/external-server");
+const exposure_1 = require("../services/mcp/exposure");
+const router = (0, express_1.Router)();
+// All MCP endpoint requests require authentication
+router.use(auth_1.requireAuth);
+// POST /mcp — JSON-RPC messages
+router.post('/', async (req, res) => {
+    try {
+        const exposure = (0, exposure_1.getExposureConfig)();
+        const callerScopes = req.auth?.scopes;
+        const server = await (0, external_server_1.createUnifiedMcpServer)(exposure, callerScopes);
+        const transport = new streamableHttp_js_1.StreamableHTTPServerTransport({
+            sessionIdGenerator: undefined, // stateless
+        });
+        res.on('close', () => {
+            transport.close().catch(() => { });
+            server.close().catch(() => { });
+        });
+        await server.connect(transport);
+        await transport.handleRequest(req, res, req.body);
+    }
+    catch (err) {
+        logger_1.loggerRegistry.error(`[lt-mcp:endpoint] error: ${err.message}`);
+        if (!res.headersSent) {
+            res.status(500).json({
+                jsonrpc: '2.0',
+                error: { code: -32603, message: 'Internal server error' },
+                id: null,
+            });
+        }
+    }
+});
+// GET /mcp — SSE stream (not supported in stateless mode)
+router.get('/', (_req, res) => {
+    res.status(405).json({
+        jsonrpc: '2.0',
+        error: { code: -32000, message: 'Method not allowed. Use POST for stateless requests.' },
+        id: null,
+    });
+});
+// DELETE /mcp — session close (not supported in stateless mode)
+router.delete('/', (_req, res) => {
+    res.status(405).json({
+        jsonrpc: '2.0',
+        error: { code: -32000, message: 'Method not allowed. Stateless mode has no sessions.' },
+        id: null,
+    });
+});
+exports.default = router;

package/build/routes/roles.js CHANGED Viewed

@@ -58,7 +58,7 @@ router.get('/details', async (_req, res) => {
  * Create a standalone role. Requires admin.
  * Body: { role: string }
  */
-router.post('/', auth_1.requireAdmin, async (req, res) => {
+router.post('/', auth_1.requireBuilder, async (req, res) => {
     const { role } = req.body || {};
     const result = await api.createRole({ role });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -76,7 +76,7 @@ router.get('/escalation-chains', async (_req, res) => {
  * Add a single escalation chain entry. Requires admin.
  * Body: { source_role: string, target_role: string }
  */
-router.post('/escalation-chains', auth_1.requireAdmin, async (req, res) => {
+router.post('/escalation-chains', auth_1.requireBuilder, async (req, res) => {
     const { source_role, target_role } = req.body || {};
     const result = await api.addEscalationChain({ source_role, target_role });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -86,7 +86,7 @@ router.post('/escalation-chains', auth_1.requireAdmin, async (req, res) => {
  * Remove a single escalation chain entry. Requires admin.
  * Body: { source_role: string, target_role: string }
  */
-router.delete('/escalation-chains', auth_1.requireAdmin, async (req, res) => {
+router.delete('/escalation-chains', auth_1.requireBuilder, async (req, res) => {
     const { source_role, target_role } = req.body || {};
     const result = await api.removeEscalationChain({ source_role, target_role });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -105,7 +105,7 @@ router.get('/:role/escalation-targets', async (req, res) => {
  * Replace escalation targets for a role. Requires admin.
  * Body: { targets: string[] }
  */
-router.put('/:role/escalation-targets', auth_1.requireAdmin, async (req, res) => {
+router.put('/:role/escalation-targets', auth_1.requireBuilder, async (req, res) => {
     const { targets } = req.body || {};
     const result = await api.replaceEscalationTargets({ role: req.params.role, targets });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -114,7 +114,7 @@ router.put('/:role/escalation-targets', auth_1.requireAdmin, async (req, res) =>
  * DELETE /api/roles/:role
  * Delete a role if it has no references. Requires admin.
  */
-router.delete('/:role', auth_1.requireAdmin, async (req, res) => {
+router.delete('/:role', auth_1.requireBuilder, async (req, res) => {
     const result = await api.deleteRole({ role: req.params.role });
     res.status(result.status).json(result.data ?? { error: result.error });
 });

package/build/routes/topics.js CHANGED Viewed

@@ -94,6 +94,8 @@ router.delete('/by-name/:topic', async (req, res) => {
 router.post('/by-name/:topic/publish', async (req, res) => {
     const result = await api.publishTopic({
         topic: decodeURIComponent(req.params.topic),
+        subject: req.body.subject || undefined,
+        eventId: req.body.eventId || undefined,
         data: req.body.data ?? {},
         source: req.body.source ?? 'dashboard',
     });

package/build/routes/users.js CHANGED Viewed

@@ -66,24 +66,24 @@ router.get('/:id', async (req, res) => {
  * Create a new user.
  * Body: { external_id, email?, display_name?, roles?: [{ role, type }], metadata? }
  */
-router.post('/', auth_1.requireAdmin, async (req, res) => {
+router.post('/', auth_1.requireBuilder, async (req, res) => {
     const result = await api.createUser(req.body || {});
     res.status(result.status).json(result.data ?? { error: result.error });
 });
 /**
  * PUT /api/users/:id
- * Update a user.
+ * Update a user. Builder only.
  * Body: { email?, display_name?, status?, metadata? }
  */
-router.put('/:id', auth_1.requireAdmin, async (req, res) => {
+router.put('/:id', auth_1.requireBuilder, async (req, res) => {
     const result = await api.updateUser({ id: req.params.id, ...(req.body || {}) });
     res.status(result.status).json(result.data ?? { error: result.error });
 });
 /**
  * DELETE /api/users/:id
- * Delete a user.
+ * Delete a user. Builder only.
  */
-router.delete('/:id', auth_1.requireAdmin, async (req, res) => {
+router.delete('/:id', auth_1.requireBuilder, async (req, res) => {
     const result = await api.deleteUser({ id: req.params.id });
     res.status(result.status).json(result.data ?? { error: result.error });
 });
@@ -100,9 +100,35 @@ router.get('/:id/roles', async (req, res) => {
  * POST /api/users/:id/roles
  * Add a role to a user.
  * Body: { role, type } — type must be superadmin, admin, or member
+ *
+ * Scoping rules:
+ * - superadmin: can assign any role/type
+ * - engineer: can assign up to admin type, but never superadmin type
+ * - role/admin (non-builder): can only assign member/admin for roles they hold
  */
 router.post('/:id/roles', auth_1.requireAdmin, async (req, res) => {
     const { role, type } = req.body || {};
+    const userId = req.auth.userId;
+    // Superadmin bypasses all scoping
+    const { isSuperAdmin } = await Promise.resolve().then(() => __importStar(require('../services/user/rbac')));
+    if (!(await isSuperAdmin(userId))) {
+        // Non-superadmin can never assign superadmin type
+        if (type === 'superadmin') {
+            res.status(403).json({ error: 'Only superadmin can assign superadmin role type' });
+            return;
+        }
+        // Check if caller has the engineer role (builder) — can assign any non-superadmin role
+        const { hasRole: checkRole } = await Promise.resolve().then(() => __importStar(require('../services/user/roles')));
+        const isEngineer = await checkRole(userId, 'engineer');
+        if (!isEngineer) {
+            // Non-builder admin: can only assign roles they themselves hold
+            const callerHasRole = await checkRole(userId, role);
+            if (!callerHasRole) {
+                res.status(403).json({ error: `You can only assign roles you hold. You do not have the '${role}' role.` });
+                return;
+            }
+        }
+    }
     const result = await api.addUserRole({ id: req.params.id, role, type });
     res.status(result.status).json(result.data ?? { error: result.error });
 });

package/build/sdk/index.d.ts CHANGED Viewed

@@ -89,6 +89,7 @@ export declare function createClient(options?: LTClientOptions): {
             type?: string;
             subtype?: string;
             assigned_to?: string;
+            claimed?: boolean;
             priority?: number;
             limit?: number;
             offset?: number;

package/build/services/agent/input-mapper.js CHANGED Viewed

@@ -40,7 +40,23 @@ function applyInputMapping(mapping, event) {
         if (typeof value === 'string') {
             result[key] = resolveTemplate(value, event);
         }
-        else if (value && typeof value === 'object' && !Array.isArray(value)) {
+        else if (Array.isArray(value)) {
+            result[key] = value.map((item) => {
+                if (typeof item === 'string') {
+                    const resolved = resolveTemplate(item, event);
+                    // Coerce scalars to strings when the template was a string in an array context.
+                    // Objects/arrays pass through (e.g., "{event.data}" resolves to the full object).
+                    if (resolved !== null && resolved !== undefined && typeof resolved !== 'object') {
+                        return String(resolved);
+                    }
+                    return resolved;
+                }
+                if (item && typeof item === 'object')
+                    return applyInputMapping(item, event);
+                return item;
+            });
+        }
+        else if (value && typeof value === 'object') {
             result[key] = applyInputMapping(value, event);
         }
         else {

package/build/services/escalation/crud.js CHANGED Viewed

@@ -135,7 +135,20 @@ async function getEscalationRoles(ids) {
 async function releaseEscalation(id, userId) {
     const pool = (0, db_1.getPool)();
     const { rows } = await pool.query(sql_1.RELEASE_ESCALATION, [id, userId]);
-    return rows[0] || null;
+    const released = rows[0];
+    if (released) {
+        (0, publish_1.publishEscalationEvent)({
+            type: 'escalation.released',
+            source: 'service',
+            workflowId: released.workflow_id || '',
+            workflowName: released.workflow_type || '',
+            taskQueue: released.task_queue || '',
+            escalationId: released.id,
+            status: 'released',
+            data: { released_by: userId },
+        });
+    }
+    return released || null;
 }
 async function releaseExpiredClaims() {
     const pool = (0, db_1.getPool)();

package/build/services/escalation/queries.d.ts CHANGED Viewed

@@ -8,6 +8,7 @@ export declare function listEscalations(filters: {
     type?: string;
     subtype?: string;
     assigned_to?: string;
+    claimed?: boolean;
     priority?: number;
     limit?: number;
     offset?: number;

package/build/services/escalation/queries.js CHANGED Viewed

@@ -96,6 +96,13 @@ async function listEscalations(filters) {
     if (filters.assigned_to) {
         conditions.push(`assigned_to = $${idx++}`);
         values.push(filters.assigned_to);
+        // Only return active claims — expired claims are back in the available pool
+        conditions.push('assigned_until > NOW()');
+    }
+    if (filters.claimed) {
+        // All actively claimed escalations (by anyone)
+        conditions.push('assigned_to IS NOT NULL');
+        conditions.push('assigned_until > NOW()');
     }
     if (filters.priority) {
         conditions.push(`priority = $${idx++}`);

package/build/services/mcp/exposure.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * MCP exposure configuration — controls which tools are visible
+ * when long-tail acts as an MCP server for external clients.
+ *
+ * Set once at startup from startConfig.mcp.exposure.
+ * Read by the /mcp endpoint handler on each request.
+ */
+export interface ExposureConfig {
+    readOnly?: boolean;
+    hideAiWhenUnavailable?: boolean;
+    allowServers?: string[];
+    denyServers?: string[];
+}
+export declare function setExposureConfig(config?: ExposureConfig): void;
+export declare function getExposureConfig(): ExposureConfig | undefined;

package/build/services/mcp/exposure.js ADDED Viewed

@@ -0,0 +1,18 @@
+"use strict";
+/**
+ * MCP exposure configuration — controls which tools are visible
+ * when long-tail acts as an MCP server for external clients.
+ *
+ * Set once at startup from startConfig.mcp.exposure.
+ * Read by the /mcp endpoint handler on each request.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setExposureConfig = setExposureConfig;
+exports.getExposureConfig = getExposureConfig;
+let _exposure;
+function setExposureConfig(config) {
+    _exposure = config;
+}
+function getExposureConfig() {
+    return _exposure;
+}

package/build/services/mcp/external-server.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Unified MCP server for external clients.
+ *
+ * Aggregates tools from all shipped built-in servers into a single
+ * McpServer instance that can be connected to a StreamableHTTPServerTransport.
+ * Created per-request in stateless mode (pure in-memory, no IO).
+ */
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { ExposureConfig } from './exposure';
+/**
+ * Create a unified McpServer with tools from all qualifying shipped servers.
+ * Called per-request in stateless mode. Server instances are cached; only
+ * the McpServer wrapper and tool registrations are fresh (pure in-memory).
+ */
+export declare function createUnifiedMcpServer(exposure?: ExposureConfig, callerScopes?: string[]): Promise<McpServer>;