@inkeep/agents-core 0.0.0-dev-20260125001234 → 0.0.0-dev-20260126174131

package/dist/utils/JsonTransformer.d.ts

@@ -6,12 +6,10 @@ interface TransformOptions {
 }
 declare class JsonTransformer {
   private static readonly DEFAULT_TIMEOUT;
-  private static readonly MAX_EXPRESSION_LENGTH;
-  private static readonly DANGEROUS_PATTERNS;
   /**
    * Validate JMESPath expression for security and correctness
    */
-  private static validateJMESPath;
+  private static validateExpression;
   /**
    * Execute JMESPath with timeout protection
    */

package/dist/utils/JsonTransformer.js

@@ -1,32 +1,23 @@
+import { DANGEROUS_PATTERNS, MAX_EXPRESSION_LENGTH, compileJMESPath, validateJMESPathSecure } from "./jmespath-utils.js";
 import { getLogger } from "./logger.js";
-import * as jmespath$1 from "jmespath";
+import * as jmespath from "jmespath";
 
 //#region src/utils/JsonTransformer.ts
-const jmespathExt = jmespath$1;
 const logger = getLogger("JsonTransformer");
 var JsonTransformer = class JsonTransformer {
 	static DEFAULT_TIMEOUT = 5e3;
-	static MAX_EXPRESSION_LENGTH = 1e3;
-	static DANGEROUS_PATTERNS = [
-		/\$\{.*\}/,
-		/eval\s*\(/,
-		/function\s*\(/,
-		/constructor/,
-		/prototype/,
-		/__proto__/
-	];
 	/**
 	* Validate JMESPath expression for security and correctness
 	*/
-	static validateJMESPath(expression, _allowedFunctions) {
+	static validateExpression(expression, _allowedFunctions) {
 		if (!expression || typeof expression !== "string") throw new Error("JMESPath expression must be a non-empty string");
-		if (expression.length > JsonTransformer.MAX_EXPRESSION_LENGTH) throw new Error(`JMESPath expression too long (max ${JsonTransformer.MAX_EXPRESSION_LENGTH} characters)`);
-		for (const pattern of JsonTransformer.DANGEROUS_PATTERNS) if (pattern.test(expression)) throw new Error(`JMESPath expression contains dangerous pattern: ${pattern.source}`);
-		try {
-			jmespathExt.compile(expression);
-		} catch (error) {
-			throw new Error(`Invalid JMESPath syntax: ${error instanceof Error ? error.message : String(error)}`);
-		}
+		if (expression.length > MAX_EXPRESSION_LENGTH) throw new Error(`JMESPath expression too long (max ${MAX_EXPRESSION_LENGTH} characters)`);
+		for (const pattern of DANGEROUS_PATTERNS) if (pattern.test(expression)) throw new Error(`JMESPath expression contains dangerous pattern: ${pattern.source}`);
+		const result = validateJMESPathSecure(expression, {
+			maxLength: MAX_EXPRESSION_LENGTH + 1,
+			dangerousPatterns: []
+		});
+		if (!result.valid) throw new Error(`Invalid JMESPath syntax: ${result.error}`);
 		logger.debug("JMESPath expression validated", `${expression.substring(0, 100)}...`);
 	}
 	/**
@@ -38,7 +29,7 @@ var JsonTransformer = class JsonTransformer {
 				reject(/* @__PURE__ */ new Error(`JMESPath transformation timed out after ${timeoutMs}ms`));
 			}, timeoutMs);
 			try {
-				const result = jmespath$1.search(input, expression);
+				const result = jmespath.search(input, expression);
 				clearTimeout(timeout);
 				resolve(result);
 			} catch (error) {
@@ -52,7 +43,7 @@ var JsonTransformer = class JsonTransformer {
 	*/
 	static async transform(input, jmesPathExpression, options = {}) {
 		const { timeout = JsonTransformer.DEFAULT_TIMEOUT, allowedFunctions } = options;
-		JsonTransformer.validateJMESPath(jmesPathExpression, allowedFunctions);
+		JsonTransformer.validateExpression(jmesPathExpression, allowedFunctions);
 		try {
 			logger.debug("Executing JMESPath transformation", `inputType: ${typeof input}, expression: ${jmesPathExpression.substring(0, 100)}..., timeout: ${timeout}`);
 			const result = await JsonTransformer.executeWithTimeout(input, jmesPathExpression, timeout);
@@ -74,7 +65,7 @@ var JsonTransformer = class JsonTransformer {
 			if (!key || typeof key !== "string") throw new Error("Object transformation keys must be non-empty strings");
 			if (!path || typeof path !== "string") throw new Error("Object transformation values must be non-empty strings");
 			try {
-				jmespathExt.compile(path);
+				compileJMESPath(path);
 			} catch (error) {
 				throw new Error(`Invalid JMESPath in object transformation value "${path}": ${error instanceof Error ? error.message : String(error)}`);
 			}
@@ -101,7 +92,7 @@ var JsonTransformer = class JsonTransformer {
 	static transformSync(input, jmesPathExpression) {
 		logger.warn("Using deprecated synchronous transform method - security validation bypassed", "");
 		try {
-			return jmespath$1.search(input, jmesPathExpression);
+			return jmespath.search(input, jmesPathExpression);
 		} catch (error) {
 			throw new Error(`JMESPath transformation failed: ${error instanceof Error ? error.message : String(error)}`);
 		}

package/dist/utils/jmespath-utils.d.ts

@@ -0,0 +1,152 @@
+import { z } from "@hono/zod-openapi";
+
+//#region src/utils/jmespath-utils.d.ts
+
+/**
+ * Result of validating a JMESPath expression or regex pattern.
+ */
+interface ValidationResult {
+  valid: boolean;
+  error?: string;
+}
+/**
+ * Maximum allowed length for JMESPath expressions.
+ */
+declare const MAX_EXPRESSION_LENGTH = 1000;
+/**
+ * Validates a JMESPath expression by attempting to compile it.
+ * Uses the jmespath package which is already available in the codebase.
+ *
+ * @param expression - The JMESPath expression to validate
+ * @returns ValidationResult with valid flag and optional error message
+ *
+ * @example
+ * ```typescript
+ * const result = validateJMESPath('body.user.id');
+ * if (!result.valid) {
+ *   console.error(result.error);
+ * }
+ * ```
+ */
+declare function validateJMESPath(expression: string): ValidationResult;
+/**
+ * Validates a regex pattern by attempting to construct a RegExp object.
+ * Returns clear error messages for common regex issues.
+ *
+ * @param pattern - The regex pattern to validate (without delimiters)
+ * @returns ValidationResult with valid flag and optional error message
+ *
+ * @example
+ * ```typescript
+ * const result = validateRegex('v\\d+,(.+)');
+ * if (!result.valid) {
+ *   console.error(result.error);
+ * }
+ * ```
+ */
+declare function validateRegex(pattern: string): ValidationResult;
+/**
+ * Compiles a JMESPath expression.
+ * Wrapper around jmespath.compile() with proper typing.
+ *
+ * @param expression - The JMESPath expression to compile
+ * @returns The compiled expression object
+ * @throws Error if the expression is invalid
+ */
+declare function compileJMESPath(expression: string): unknown;
+/**
+ * Safely searches data using a JMESPath expression.
+ * Wrapper around jmespath.search() with proper typing.
+ *
+ * @param data - The object to search (e.g., template context, webhook body, tool result)
+ * @param expression - The JMESPath expression
+ * @returns The search result
+ *
+ * @example
+ * ```typescript
+ * const data = { users: [{ name: 'Alice' }] };
+ * const name = searchJMESPath<string>(data, 'users[0].name');
+ * // name is 'Alice'
+ *
+ * // Common use cases:
+ * // - Template contexts: { headers: {...}, body: {...} }
+ * // - Webhook payloads: { event: "...", data: {...} }
+ * // - Tool results: { status: "success", result: {...} }
+ * ```
+ */
+declare function searchJMESPath<T = unknown>(data: Record<string, unknown>, expression: string): T;
+/**
+ * Normalize a JMESPath expression by wrapping property names with dashes in quotes.
+ * JMESPath requires identifiers with special characters (like dashes) to be quoted.
+ *
+ * @param path - The JMESPath expression to normalize
+ * @returns The normalized JMESPath expression
+ *
+ * @example
+ * ```typescript
+ * normalizeJMESPath('headers.x-tenant-id');
+ * // Returns: 'headers."x-tenant-id"'
+ *
+ * normalizeJMESPath('api-responses[0].response-code');
+ * // Returns: '"api-responses"[0]."response-code"'
+ *
+ * normalizeJMESPath('simple.path');
+ * // Returns: 'simple.path' (unchanged)
+ * ```
+ */
+declare function normalizeJMESPath(path: string): string;
+/**
+ * Dangerous patterns that should not appear in JMESPath expressions.
+ * These patterns are checked during secure validation to prevent injection attacks.
+ */
+declare const DANGEROUS_PATTERNS: RegExp[];
+/**
+ * Options for secure JMESPath validation.
+ */
+interface SecurityOptions {
+  maxLength?: number;
+  dangerousPatterns?: RegExp[];
+}
+/**
+ * Validates a JMESPath expression with security checks.
+ * Performs checks in order of cost: length (O(1)), patterns (O(n)), compile (expensive).
+ *
+ * @param expression - The JMESPath expression to validate
+ * @param options - Optional security options
+ * @returns ValidationResult with valid flag and optional error message
+ *
+ * @example
+ * ```typescript
+ * const result = validateJMESPathSecure('body.user.id');
+ * if (!result.valid) {
+ *   console.error(result.error);
+ * }
+ *
+ * // With custom options
+ * const result2 = validateJMESPathSecure('expression', { maxLength: 500 });
+ * ```
+ */
+declare function validateJMESPathSecure(expression: string, options?: SecurityOptions): ValidationResult;
+/**
+ * Options for jmespathString Zod schema factory.
+ */
+interface JMESPathStringOptions {
+  maxLength?: number;
+}
+/**
+ * Creates a Zod string schema for JMESPath expressions with OpenAPI-visible constraints.
+ * Includes maxLength constraint and a description with valid/invalid examples.
+ *
+ * @param options - Optional configuration for the schema
+ * @returns A Zod string schema with maxLength and description
+ *
+ * @example
+ * ```typescript
+ * const schema = z.object({
+ *   transform: jmespathString().optional(),
+ * });
+ * ```
+ */
+declare function jmespathString(options?: JMESPathStringOptions): z.ZodString;
+//#endregion
+export { DANGEROUS_PATTERNS, JMESPathStringOptions, MAX_EXPRESSION_LENGTH, SecurityOptions, ValidationResult, compileJMESPath, jmespathString, normalizeJMESPath, searchJMESPath, validateJMESPath, validateJMESPathSecure, validateRegex };

package/dist/utils/jmespath-utils.js

@@ -0,0 +1,213 @@
+import { z } from "@hono/zod-openapi";
+import * as jmespath from "jmespath";
+
+//#region src/utils/jmespath-utils.ts
+const jmespathExt = jmespath;
+/**
+* Maximum allowed length for JMESPath expressions.
+*/
+const MAX_EXPRESSION_LENGTH = 1e3;
+/**
+* Validates a JMESPath expression by attempting to compile it.
+* Uses the jmespath package which is already available in the codebase.
+*
+* @param expression - The JMESPath expression to validate
+* @returns ValidationResult with valid flag and optional error message
+*
+* @example
+* ```typescript
+* const result = validateJMESPath('body.user.id');
+* if (!result.valid) {
+*   console.error(result.error);
+* }
+* ```
+*/
+function validateJMESPath(expression) {
+	if (!expression || typeof expression !== "string") return {
+		valid: false,
+		error: "JMESPath expression must be a non-empty string"
+	};
+	try {
+		jmespathExt.compile(expression);
+		return { valid: true };
+	} catch (error) {
+		return {
+			valid: false,
+			error: `Invalid JMESPath expression: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+/**
+* Validates a regex pattern by attempting to construct a RegExp object.
+* Returns clear error messages for common regex issues.
+*
+* @param pattern - The regex pattern to validate (without delimiters)
+* @returns ValidationResult with valid flag and optional error message
+*
+* @example
+* ```typescript
+* const result = validateRegex('v\\d+,(.+)');
+* if (!result.valid) {
+*   console.error(result.error);
+* }
+* ```
+*/
+function validateRegex(pattern) {
+	if (pattern === null || pattern === void 0) return {
+		valid: false,
+		error: "Regex pattern must be provided"
+	};
+	if (typeof pattern !== "string") return {
+		valid: false,
+		error: "Regex pattern must be a string"
+	};
+	if (pattern === "") return { valid: true };
+	try {
+		new RegExp(pattern);
+		return { valid: true };
+	} catch (error) {
+		return {
+			valid: false,
+			error: `Invalid regex pattern: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+/**
+* Compiles a JMESPath expression.
+* Wrapper around jmespath.compile() with proper typing.
+*
+* @param expression - The JMESPath expression to compile
+* @returns The compiled expression object
+* @throws Error if the expression is invalid
+*/
+function compileJMESPath(expression) {
+	return jmespathExt.compile(expression);
+}
+/**
+* Safely searches data using a JMESPath expression.
+* Wrapper around jmespath.search() with proper typing.
+*
+* @param data - The object to search (e.g., template context, webhook body, tool result)
+* @param expression - The JMESPath expression
+* @returns The search result
+*
+* @example
+* ```typescript
+* const data = { users: [{ name: 'Alice' }] };
+* const name = searchJMESPath<string>(data, 'users[0].name');
+* // name is 'Alice'
+*
+* // Common use cases:
+* // - Template contexts: { headers: {...}, body: {...} }
+* // - Webhook payloads: { event: "...", data: {...} }
+* // - Tool results: { status: "success", result: {...} }
+* ```
+*/
+function searchJMESPath(data, expression) {
+	return jmespath.search(data, expression);
+}
+/**
+* Normalize a JMESPath expression by wrapping property names with dashes in quotes.
+* JMESPath requires identifiers with special characters (like dashes) to be quoted.
+*
+* @param path - The JMESPath expression to normalize
+* @returns The normalized JMESPath expression
+*
+* @example
+* ```typescript
+* normalizeJMESPath('headers.x-tenant-id');
+* // Returns: 'headers."x-tenant-id"'
+*
+* normalizeJMESPath('api-responses[0].response-code');
+* // Returns: '"api-responses"[0]."response-code"'
+*
+* normalizeJMESPath('simple.path');
+* // Returns: 'simple.path' (unchanged)
+* ```
+*/
+function normalizeJMESPath(path) {
+	return path.split(".").map((segment) => {
+		if (!segment.includes("-")) return segment;
+		if (segment.startsWith("\"") && segment.includes("\"")) return segment;
+		const bracketIndex = segment.indexOf("[");
+		if (bracketIndex !== -1) return `"${segment.substring(0, bracketIndex)}"${segment.substring(bracketIndex)}`;
+		return `"${segment}"`;
+	}).join(".");
+}
+/**
+* Dangerous patterns that should not appear in JMESPath expressions.
+* These patterns are checked during secure validation to prevent injection attacks.
+*/
+const DANGEROUS_PATTERNS = [
+	/\$\{.*\}/,
+	/eval\s*\(/,
+	/function\s*\(/,
+	/constructor/,
+	/prototype/,
+	/__proto__/
+];
+/**
+* Validates a JMESPath expression with security checks.
+* Performs checks in order of cost: length (O(1)), patterns (O(n)), compile (expensive).
+*
+* @param expression - The JMESPath expression to validate
+* @param options - Optional security options
+* @returns ValidationResult with valid flag and optional error message
+*
+* @example
+* ```typescript
+* const result = validateJMESPathSecure('body.user.id');
+* if (!result.valid) {
+*   console.error(result.error);
+* }
+*
+* // With custom options
+* const result2 = validateJMESPathSecure('expression', { maxLength: 500 });
+* ```
+*/
+function validateJMESPathSecure(expression, options) {
+	if (!expression || typeof expression !== "string") return {
+		valid: false,
+		error: "JMESPath expression must be a non-empty string"
+	};
+	const maxLength = options?.maxLength ?? MAX_EXPRESSION_LENGTH;
+	const patterns = options?.dangerousPatterns ?? DANGEROUS_PATTERNS;
+	if (expression.length > maxLength) return {
+		valid: false,
+		error: `JMESPath expression exceeds maximum length of ${maxLength} characters`
+	};
+	for (const pattern of patterns) if (pattern.test(expression)) return {
+		valid: false,
+		error: `JMESPath expression contains dangerous pattern: ${pattern.source}`
+	};
+	try {
+		jmespathExt.compile(expression);
+		return { valid: true };
+	} catch (error) {
+		return {
+			valid: false,
+			error: `Invalid JMESPath expression: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+}
+/**
+* Creates a Zod string schema for JMESPath expressions with OpenAPI-visible constraints.
+* Includes maxLength constraint and a description with valid/invalid examples.
+*
+* @param options - Optional configuration for the schema
+* @returns A Zod string schema with maxLength and description
+*
+* @example
+* ```typescript
+* const schema = z.object({
+*   transform: jmespathString().optional(),
+* });
+* ```
+*/
+function jmespathString(options) {
+	const maxLen = options?.maxLength ?? MAX_EXPRESSION_LENGTH;
+	return z.string().max(maxLen).describe(`JMESPath expression (max ${maxLen} chars). Valid: "data.items[0].name", "results[?status=='active']", "keys(@)". Invalid: "\${...}" (template injection), "eval(...)", "constructor", "__proto__".`);
+}
+
+//#endregion
+export { DANGEROUS_PATTERNS, MAX_EXPRESSION_LENGTH, compileJMESPath, jmespathString, normalizeJMESPath, searchJMESPath, validateJMESPath, validateJMESPathSecure, validateRegex };

package/dist/utils/signature-validation.d.ts

@@ -1,39 +1,2 @@
-//#region src/utils/signature-validation.d.ts
-interface ValidationResult {
-  valid: boolean;
-  error?: string;
-}
-/**
- * Validates a JMESPath expression by attempting to compile it.
- * Uses the jmespath package which is already available in the codebase.
- *
- * @param expression - The JMESPath expression to validate
- * @returns ValidationResult with valid flag and optional error message
- *
- * @example
- * ```typescript
- * const result = validateJMESPath('body.user.id');
- * if (!result.valid) {
- *   console.error(result.error);
- * }
- * ```
- */
-declare function validateJMESPath(expression: string): ValidationResult;
-/**
- * Validates a regex pattern by attempting to construct a RegExp object.
- * Returns clear error messages for common regex issues.
- *
- * @param pattern - The regex pattern to validate (without delimiters)
- * @returns ValidationResult with valid flag and optional error message
- *
- * @example
- * ```typescript
- * const result = validateRegex('v\\d+,(.+)');
- * if (!result.valid) {
- *   console.error(result.error);
- * }
- * ```
- */
-declare function validateRegex(pattern: string): ValidationResult;
-//#endregion
-export { ValidationResult, validateJMESPath, validateRegex };
+import { ValidationResult, validateJMESPath, validateRegex } from "./jmespath-utils.js";
+export { type ValidationResult, validateJMESPath, validateRegex };

package/dist/utils/signature-validation.js

@@ -1,71 +1,3 @@
-import * as jmespath$1 from "jmespath";
+import { validateJMESPath, validateRegex } from "./jmespath-utils.js";
 
-//#region src/utils/signature-validation.ts
-/**
-* Validates a JMESPath expression by attempting to compile it.
-* Uses the jmespath package which is already available in the codebase.
-*
-* @param expression - The JMESPath expression to validate
-* @returns ValidationResult with valid flag and optional error message
-*
-* @example
-* ```typescript
-* const result = validateJMESPath('body.user.id');
-* if (!result.valid) {
-*   console.error(result.error);
-* }
-* ```
-*/
-function validateJMESPath(expression) {
-	if (!expression || typeof expression !== "string") return {
-		valid: false,
-		error: "JMESPath expression must be a non-empty string"
-	};
-	try {
-		jmespath$1.compile(expression);
-		return { valid: true };
-	} catch (error) {
-		return {
-			valid: false,
-			error: `Invalid JMESPath expression: ${error instanceof Error ? error.message : String(error)}`
-		};
-	}
-}
-/**
-* Validates a regex pattern by attempting to construct a RegExp object.
-* Returns clear error messages for common regex issues.
-*
-* @param pattern - The regex pattern to validate (without delimiters)
-* @returns ValidationResult with valid flag and optional error message
-*
-* @example
-* ```typescript
-* const result = validateRegex('v\\d+,(.+)');
-* if (!result.valid) {
-*   console.error(result.error);
-* }
-* ```
-*/
-function validateRegex(pattern) {
-	if (pattern === null || pattern === void 0) return {
-		valid: false,
-		error: "Regex pattern must be provided"
-	};
-	if (typeof pattern !== "string") return {
-		valid: false,
-		error: "Regex pattern must be a string"
-	};
-	if (pattern === "") return { valid: true };
-	try {
-		new RegExp(pattern);
-		return { valid: true };
-	} catch (error) {
-		return {
-			valid: false,
-			error: `Invalid regex pattern: ${error instanceof Error ? error.message : String(error)}`
-		};
-	}
-}
-
-//#endregion
 export { validateJMESPath, validateRegex };

package/dist/utils/trigger-auth.js

@@ -1,4 +1,4 @@
-import * as jmespath$1 from "jmespath";
+import { searchJMESPath } from "./jmespath-utils.js";
 import { createHmac, randomBytes, scrypt, timingSafeEqual } from "node:crypto";
 import { promisify } from "node:util";
 
@@ -100,8 +100,7 @@ function extractSignature(c, config, body) {
 		value = c.req.header(headerKey);
 	} else if (signature.source === "query") value = c.req.query(signature.key);
 	else if (signature.source === "body") try {
-		const bodyData = JSON.parse(body);
-		value = jmespath$1.search(bodyData, signature.key);
+		value = searchJMESPath(JSON.parse(body), signature.key);
 	} catch {
 		return null;
 	}
@@ -134,8 +133,7 @@ function extractComponent(c, component, body, caseSensitive) {
 		value = c.req.header(headerKey);
 	} else if (component.source === "body") if (!component.key) value = body;
 	else try {
-		const bodyData = JSON.parse(body);
-		value = jmespath$1.search(bodyData, component.key);
+		value = searchJMESPath(JSON.parse(body), component.key);
 	} catch {
 		return component.required ? null : "";
 	}

package/dist/validation/dolt-schemas.d.ts

@@ -32,8 +32,8 @@ declare const BranchNameParamsSchema: z.ZodObject<{
 }, z.core.$strip>;
 declare const ResolvedRefSchema: z.ZodObject<{
   type: z.ZodEnum<{
-    commit: "commit";
     tag: "tag";
+    commit: "commit";
     branch: "branch";
   }>;
   name: z.ZodString;