npm - @inkeep/agents-core - Versions diffs - 0.41.2 → 0.43.0 - Mend

@inkeep/agents-core 0.41.2 → 0.43.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/dist/api-client/base-client.d.ts +87 -8
package/dist/api-client/base-client.js +174 -1
package/dist/api-client/eval-api-client.d.ts +47 -0
package/dist/api-client/eval-api-client.js +65 -0
package/dist/api-client/index.d.ts +4 -0
package/dist/api-client/index.js +5 -0
package/dist/api-client/manage-api-client.d.ts +34 -0
package/dist/api-client/manage-api-client.js +104 -0
package/dist/auth/auth.d.ts +86 -20
package/dist/auth/auth.js +60 -2
package/dist/auth/authz/client.d.ts +87 -0
package/dist/auth/authz/client.js +196 -0
package/dist/auth/authz/config.d.ts +103 -0
package/dist/auth/authz/config.js +93 -0
package/dist/auth/authz/index.d.ts +5 -0
package/dist/auth/authz/index.js +6 -0
package/dist/auth/authz/permissions.d.ts +53 -0
package/dist/auth/authz/permissions.js +83 -0
package/dist/auth/authz/sync.d.ts +106 -0
package/dist/auth/authz/sync.js +321 -0
package/dist/auth/permissions.d.ts +13 -13
package/dist/auth/permissions.js +2 -181
package/dist/client-exports.d.ts +9 -3
package/dist/client-exports.js +4 -2
package/dist/constants/context-breakdown.d.ts +61 -0
package/dist/constants/context-breakdown.js +124 -0
package/dist/constants/execution-limits-shared/defaults.d.ts +1 -1
package/dist/constants/execution-limits-shared/defaults.js +1 -1
package/dist/constants/execution-limits-shared/index.d.ts +1 -1
package/dist/constants/otel-attributes.d.ts +4 -0
package/dist/constants/otel-attributes.js +4 -0
package/dist/context/ContextConfig.d.ts +2 -2
package/dist/context/ContextConfig.js +3 -3
package/dist/context/TemplateEngine.d.ts +0 -6
package/dist/context/TemplateEngine.js +4 -19
package/dist/context/index.d.ts +1 -5
package/dist/context/index.js +1 -5
package/dist/credential-stores/keychain-store.d.ts +20 -8
package/dist/credential-stores/keychain-store.js +107 -43
package/dist/credential-stuffer/CredentialStuffer.d.ts +1 -1
package/dist/data-access/index.d.ts +34 -26
package/dist/data-access/index.js +34 -26
package/dist/data-access/manage/agentFull.d.ts +36 -0
package/dist/data-access/{agentFull.js → manage/agentFull.js} +209 -7
package/dist/data-access/{agents.d.ts → manage/agents.d.ts} +64 -63
package/dist/data-access/{agents.js → manage/agents.js} +80 -27
package/dist/data-access/{artifactComponents.d.ts → manage/artifactComponents.d.ts} +33 -33
package/dist/data-access/{artifactComponents.js → manage/artifactComponents.js} +5 -5
package/dist/data-access/{contextConfigs.d.ts → manage/contextConfigs.d.ts} +26 -26
package/dist/data-access/{contextConfigs.js → manage/contextConfigs.js} +3 -3
package/dist/data-access/{credentialReferences.d.ts → manage/credentialReferences.d.ts} +17 -17
package/dist/data-access/{credentialReferences.js → manage/credentialReferences.js} +2 -2
package/dist/data-access/{dataComponents.d.ts → manage/dataComponents.d.ts} +26 -26
package/dist/data-access/{dataComponents.js → manage/dataComponents.js} +7 -7
package/dist/data-access/manage/evalConfig.d.ts +221 -0
package/dist/data-access/manage/evalConfig.js +275 -0
package/dist/data-access/{externalAgents.d.ts → manage/externalAgents.d.ts} +16 -16
package/dist/data-access/{externalAgents.js → manage/externalAgents.js} +2 -2
package/dist/data-access/manage/functionTools.d.ts +242 -0
package/dist/data-access/{functionTools.js → manage/functionTools.js} +124 -30
package/dist/data-access/{functions.d.ts → manage/functions.d.ts} +9 -9
package/dist/data-access/{functions.js → manage/functions.js} +3 -3
package/dist/data-access/manage/projectFull.d.ts +38 -0
package/dist/data-access/{projectFull.js → manage/projectFull.js} +64 -65
package/dist/data-access/manage/projectLifecycle.d.ts +119 -0
package/dist/data-access/manage/projectLifecycle.js +234 -0
package/dist/data-access/manage/projects.d.ts +75 -0
package/dist/data-access/{projects.js → manage/projects.js} +15 -16
package/dist/data-access/{subAgentExternalAgentRelations.d.ts → manage/subAgentExternalAgentRelations.d.ts} +43 -43
package/dist/data-access/{subAgentExternalAgentRelations.js → manage/subAgentExternalAgentRelations.js} +2 -2
package/dist/data-access/{subAgentRelations.d.ts → manage/subAgentRelations.d.ts} +65 -65
package/dist/data-access/{subAgentRelations.js → manage/subAgentRelations.js} +3 -3
package/dist/data-access/{subAgentTeamAgentRelations.d.ts → manage/subAgentTeamAgentRelations.d.ts} +43 -43
package/dist/data-access/{subAgentTeamAgentRelations.js → manage/subAgentTeamAgentRelations.js} +2 -2
package/dist/data-access/{subAgents.d.ts → manage/subAgents.d.ts} +28 -28
package/dist/data-access/{subAgents.js → manage/subAgents.js} +4 -4
package/dist/data-access/{tools.d.ts → manage/tools.d.ts} +65 -52
package/dist/data-access/{tools.js → manage/tools.js} +109 -64
package/dist/data-access/manage/triggers.d.ts +106 -0
package/dist/data-access/manage/triggers.js +81 -0
package/dist/data-access/{apiKeys.d.ts → runtime/apiKeys.d.ts} +37 -37
package/dist/data-access/{apiKeys.js → runtime/apiKeys.js} +3 -3
package/dist/data-access/runtime/cascade-delete.d.ts +77 -0
package/dist/data-access/runtime/cascade-delete.js +111 -0
package/dist/data-access/{contextCache.d.ts → runtime/contextCache.d.ts} +13 -13
package/dist/data-access/{contextCache.js → runtime/contextCache.js} +5 -5
package/dist/data-access/{conversations.d.ts → runtime/conversations.d.ts} +80 -31
package/dist/data-access/{conversations.js → runtime/conversations.js} +13 -7
package/dist/data-access/runtime/evalRuns.d.ts +120 -0
package/dist/data-access/runtime/evalRuns.js +168 -0
package/dist/data-access/{ledgerArtifacts.d.ts → runtime/ledgerArtifacts.d.ts} +13 -13
package/dist/data-access/{ledgerArtifacts.js → runtime/ledgerArtifacts.js} +3 -3
package/dist/data-access/{messages.d.ts → runtime/messages.d.ts} +24 -24
package/dist/data-access/{messages.js → runtime/messages.js} +2 -2
package/dist/data-access/{organizations.d.ts → runtime/organizations.d.ts} +16 -7
package/dist/data-access/{organizations.js → runtime/organizations.js} +16 -4
package/dist/data-access/runtime/projects.d.ts +62 -0
package/dist/data-access/runtime/projects.js +90 -0
package/dist/data-access/runtime/tasks.d.ts +55 -0
package/dist/data-access/{tasks.js → runtime/tasks.js} +2 -2
package/dist/data-access/runtime/triggerInvocations.d.ts +62 -0
package/dist/data-access/runtime/triggerInvocations.js +54 -0
package/dist/data-access/runtime/users.d.ts +19 -0
package/dist/data-access/{users.js → runtime/users.js} +2 -2
package/dist/data-access/validation.d.ts +4 -4
package/dist/data-access/validation.js +1 -1
package/dist/db/clean.d.ts +8 -4
package/dist/db/clean.js +14 -105
package/dist/db/delete.d.ts +1 -1
package/dist/db/delete.js +7 -10
package/dist/db/manage/dolt-cleanup.d.ts +51 -0
package/dist/db/manage/dolt-cleanup.js +132 -0
package/dist/db/manage/manage-client.d.ts +26 -0
package/dist/db/manage/manage-client.js +68 -0
package/dist/db/{schema.d.ts → manage/manage-schema.d.ts} +1257 -969
package/dist/db/{schema.js → manage/manage-schema.js} +436 -334
package/dist/db/manage/test-manage-client.d.ts +27 -0
package/dist/db/manage/test-manage-client.js +68 -0
package/dist/db/runtime/runtime-client.d.ts +20 -0
package/dist/db/runtime/runtime-client.js +30 -0
package/dist/db/runtime/runtime-schema.d.ts +2834 -0
package/dist/db/runtime/runtime-schema.js +483 -0
package/dist/db/runtime/test-runtime-client.d.ts +27 -0
package/dist/db/{test-client.js → runtime/test-runtime-client.js} +11 -25
package/dist/db/utils.d.ts +6 -0
package/dist/db/utils.js +42 -0
package/dist/dolt/branch.d.ts +62 -0
package/dist/dolt/branch.js +82 -0
package/dist/dolt/branches-api.d.ts +108 -0
package/dist/dolt/branches-api.js +162 -0
package/dist/dolt/commit.d.ts +94 -0
package/dist/dolt/commit.js +103 -0
package/dist/dolt/diff.d.ts +27 -0
package/dist/dolt/diff.js +21 -0
package/dist/dolt/index.d.ts +10 -0
package/dist/dolt/index.js +11 -0
package/dist/dolt/merge.d.ts +63 -0
package/dist/dolt/merge.js +81 -0
package/dist/dolt/migrate-all-branches.d.ts +4 -0
package/dist/dolt/migrate-all-branches.js +83 -0
package/dist/dolt/migrate-dolt.d.ts +1 -0
package/dist/dolt/migrate-dolt.js +25 -0
package/dist/dolt/ref-helpers.d.ts +19 -0
package/dist/dolt/ref-helpers.js +65 -0
package/dist/dolt/ref-middleware.d.ts +82 -0
package/dist/dolt/ref-middleware.js +217 -0
package/dist/dolt/ref-scope.d.ts +101 -0
package/dist/dolt/ref-scope.js +231 -0
package/dist/dolt/schema-sync.d.ts +135 -0
package/dist/dolt/schema-sync.js +255 -0
package/dist/env.d.ts +6 -4
package/dist/env.js +3 -2
package/dist/index.d.ts +73 -46
package/dist/index.js +76 -49
package/dist/types/@napi-rs__keyring/index.d.ts +14 -0
package/dist/types/entities.d.ts +81 -2
package/dist/types/index.d.ts +3 -3
package/dist/types/utility.d.ts +46 -5
package/dist/types/utility.js +2 -1
package/dist/utils/JsonTransformer.d.ts +42 -0
package/dist/utils/JsonTransformer.js +103 -0
package/dist/utils/apiKeys.d.ts +5 -1
package/dist/utils/apiKeys.js +11 -1
package/dist/utils/colors.d.ts +34 -0
package/dist/utils/colors.js +49 -0
package/dist/utils/credential-store-utils.d.ts +1 -1
package/dist/utils/format-messages.d.ts +1 -1
package/dist/utils/index.d.ts +8 -4
package/dist/utils/index.js +8 -4
package/dist/utils/internal-service-auth.d.ts +79 -0
package/dist/utils/internal-service-auth.js +140 -0
package/dist/utils/jmespath-utils.d.ts +152 -0
package/dist/utils/jmespath-utils.js +213 -0
package/dist/utils/jwt-helpers.d.ts +56 -0
package/dist/utils/jwt-helpers.js +90 -0
package/dist/utils/mcp-client.d.ts +1 -1
package/dist/utils/mcp-client.js +1 -1
package/dist/utils/service-token-auth.d.ts +9 -27
package/dist/utils/service-token-auth.js +48 -96
package/dist/utils/signature-validation.d.ts +2 -0
package/dist/utils/signature-validation.js +3 -0
package/dist/utils/template-interpolation.d.ts +22 -0
package/dist/utils/template-interpolation.js +62 -0
package/dist/utils/third-party-mcp-servers/composio-client.d.ts +13 -1
package/dist/utils/third-party-mcp-servers/composio-client.js +47 -29
package/dist/utils/third-party-mcp-servers/index.d.ts +2 -2
package/dist/utils/third-party-mcp-servers/index.js +2 -2
package/dist/utils/trigger-auth.d.ts +85 -0
package/dist/utils/trigger-auth.js +233 -0
package/dist/validation/agentFull.js +2 -4
package/dist/validation/dolt-schemas.d.ts +49 -0
package/dist/validation/dolt-schemas.js +44 -0
package/dist/validation/drizzle-schema-helpers.d.ts +4 -26
package/dist/validation/drizzle-schema-helpers.js +5 -151
package/dist/validation/index.d.ts +5 -4
package/dist/validation/index.js +4 -3
package/dist/validation/render-validation.js +19 -0
package/dist/validation/schemas.d.ts +18223 -5148
package/dist/validation/schemas.js +559 -12
package/dist/validation/stream-event-schemas.d.ts +96 -1
package/dist/validation/stream-event-schemas.js +67 -2
package/drizzle/manage/0000_tearful_rhodey.sql +414 -0
package/drizzle/manage/0001_broken_wendell_vaughn.sql +19 -0
package/drizzle/manage/0002_bent_sunfire.sql +1 -0
package/drizzle/manage/0003_tiny_captain_universe.sql +8 -0
package/drizzle/manage/0004_curious_phil_sheldon.sql +2 -0
package/drizzle/manage/0005_silent_shatterstar.sql +53 -0
package/drizzle/manage/meta/0000_snapshot.json +2987 -0
package/drizzle/manage/meta/0001_snapshot.json +3115 -0
package/drizzle/manage/meta/0002_snapshot.json +3115 -0
package/drizzle/manage/meta/0003_snapshot.json +3134 -0
package/drizzle/manage/meta/0004_snapshot.json +3141 -0
package/drizzle/manage/meta/0005_snapshot.json +3141 -0
package/drizzle/manage/meta/_journal.json +48 -0
package/drizzle/runtime/0008_silly_preak.sql +127 -0
package/drizzle/runtime/0009_freezing_leo.sql +17 -0
package/drizzle/runtime/meta/0008_snapshot.json +2263 -0
package/drizzle/runtime/meta/0009_snapshot.json +2397 -0
package/drizzle/{meta → runtime/meta}/_journal.json +14 -0
package/package.json +56 -18
package/spicedb/schema.zed +114 -0
package/dist/context/ContextFetcher.d.ts +0 -73
package/dist/context/ContextFetcher.js +0 -291
package/dist/context/ContextResolver.d.ts +0 -60
package/dist/context/ContextResolver.js +0 -278
package/dist/context/context.d.ts +0 -27
package/dist/context/context.js +0 -128
package/dist/context/contextCache.d.ts +0 -58
package/dist/context/contextCache.js +0 -177
package/dist/data-access/agentFull.d.ts +0 -33
package/dist/data-access/functionTools.d.ts +0 -169
package/dist/data-access/projectFull.d.ts +0 -32
package/dist/data-access/projects.d.ts +0 -71
package/dist/data-access/tasks.d.ts +0 -45
package/dist/data-access/users.d.ts +0 -19
package/dist/db/client.d.ts +0 -20
package/dist/db/client.js +0 -28
package/dist/db/test-client.d.ts +0 -31
package/dist/middleware/contextValidation.d.ts +0 -46
package/dist/middleware/contextValidation.js +0 -280
package/dist/middleware/index.d.ts +0 -2
package/dist/middleware/index.js +0 -3
package/dist/utils/execution.d.ts +0 -22
package/dist/utils/execution.js +0 -25
/package/drizzle/{0000_exotic_mysterio.sql → runtime/0000_exotic_mysterio.sql} +0 -0
/package/drizzle/{0001_calm_sheva_callister.sql → runtime/0001_calm_sheva_callister.sql} +0 -0
/package/drizzle/{0002_puzzling_goblin_queen.sql → runtime/0002_puzzling_goblin_queen.sql} +0 -0
/package/drizzle/{0003_sweet_human_robot.sql → runtime/0003_sweet_human_robot.sql} +0 -0
/package/drizzle/{0004_cuddly_shooting_star.sql → runtime/0004_cuddly_shooting_star.sql} +0 -0
/package/drizzle/{0005_reflective_starfox.sql → runtime/0005_reflective_starfox.sql} +0 -0
/package/drizzle/{0006_stale_thaddeus_ross.sql → runtime/0006_stale_thaddeus_ross.sql} +0 -0
/package/drizzle/{0007_slim_karma.sql → runtime/0007_slim_karma.sql} +0 -0
/package/drizzle/{meta → runtime/meta}/0000_snapshot.json +0 -0
/package/drizzle/{meta → runtime/meta}/0001_snapshot.json +0 -0
/package/drizzle/{meta → runtime/meta}/0003_snapshot.json +0 -0
/package/drizzle/{meta → runtime/meta}/0005_snapshot.json +0 -0
/package/drizzle/{meta → runtime/meta}/0006_snapshot.json +0 -0
/package/drizzle/{meta → runtime/meta}/0007_snapshot.json +0 -0

package/dist/utils/trigger-auth.d.ts ADDED Viewed

@@ -0,0 +1,85 @@
+import { SignatureVerificationConfig, TriggerAuthHeaderInputSchema, TriggerAuthHeaderStoredSchema, TriggerAuthenticationStoredSchema } from "../validation/schemas.js";
+import { Context } from "hono";
+import { z } from "zod";
+//#region src/utils/trigger-auth.d.ts
+type TriggerAuthHeaderInput = z.infer<typeof TriggerAuthHeaderInputSchema>;
+type TriggerAuthHeaderStored = z.infer<typeof TriggerAuthHeaderStoredSchema>;
+type TriggerAuthenticationStored = z.infer<typeof TriggerAuthenticationStoredSchema>;
+interface TriggerAuthResult {
+  success: boolean;
+  status?: number;
+  message?: string;
+}
+interface HashedHeaderValue {
+  valueHash: string;
+  valuePrefix: string;
+}
+/**
+ * Hash a header value using scrypt for secure storage.
+ * Returns the hash and a prefix for display purposes.
+ *
+ * @param value - The plaintext header value to hash
+ * @returns Object containing valueHash (for storage) and valuePrefix (for display)
+ */
+declare function hashTriggerHeaderValue(value: string): Promise<HashedHeaderValue>;
+/**
+ * Validate a header value against its stored hash using timing-safe comparison.
+ *
+ * @param value - The plaintext header value from the incoming request
+ * @param storedHash - The hash stored in the database
+ * @returns True if the value matches the hash
+ */
+declare function validateTriggerHeaderValue(value: string, storedHash: string): Promise<boolean>;
+/**
+ * Transform authentication input (plaintext values) to stored format (hashed values).
+ * Used when creating or updating triggers.
+ *
+ * @param headers - Array of header inputs with plaintext values
+ * @returns Array of headers with hashed values for storage
+ */
+declare function hashAuthenticationHeaders(headers: TriggerAuthHeaderInput[]): Promise<TriggerAuthHeaderStored[]>;
+/**
+ * Verifies incoming webhook requests using the configured authentication headers.
+ * Each configured header must be present and match its expected value (via hash comparison).
+ *
+ * @param c - Hono context containing the request headers
+ * @param authentication - Trigger authentication configuration with hashed header values
+ * @returns TriggerAuthResult indicating success/failure with appropriate HTTP status
+ */
+declare function verifyTriggerAuth(c: Context, authentication?: TriggerAuthenticationStored | null): Promise<TriggerAuthResult>;
+/**
+ * Error codes for signature verification failures.
+ */
+type SignatureVerificationErrorCode = 'MISSING_SIGNATURE' | 'MISSING_COMPONENT' | 'INVALID_SIGNATURE_FORMAT' | 'SIGNATURE_MISMATCH';
+interface SignatureVerificationResult {
+  success: boolean;
+  errorCode?: SignatureVerificationErrorCode;
+  status?: number;
+  message?: string;
+}
+/**
+ * Verifies webhook signature using flexible, provider-agnostic configuration.
+ * Supports GitHub, Slack, Zendesk, Stripe and other webhook signature schemes.
+ *
+ * SECURITY: Uses crypto.timingSafeEqual() for all signature comparisons to prevent timing attacks.
+ *
+ * @param c - Hono context containing request headers, query, and body
+ * @param config - Signature verification configuration
+ * @param signingSecret - HMAC signing secret
+ * @param body - Raw request body as string
+ * @returns SignatureVerificationResult with success status and error details
+ *
+ * @example
+ * // GitHub webhook verification
+ * const result = verifySignatureWithConfig(c, {
+ *   algorithm: 'sha256',
+ *   encoding: 'hex',
+ *   signature: { source: 'header', key: 'x-hub-signature-256', prefix: 'sha256=' },
+ *   signedComponents: [{ source: 'body', key: '@' }],
+ *   componentJoin: { strategy: 'concatenate', separator: '' }
+ * }, secret, body);
+ */
+declare function verifySignatureWithConfig(c: Context, config: SignatureVerificationConfig, signingSecret: string, body: string): SignatureVerificationResult;
+//#endregion
+export { HashedHeaderValue, SignatureVerificationErrorCode, SignatureVerificationResult, TriggerAuthResult, hashAuthenticationHeaders, hashTriggerHeaderValue, validateTriggerHeaderValue, verifySignatureWithConfig, verifyTriggerAuth };

package/dist/utils/trigger-auth.js ADDED Viewed

@@ -0,0 +1,233 @@
+import { searchJMESPath } from "./jmespath-utils.js";
+import { createHmac, randomBytes, scrypt, timingSafeEqual } from "node:crypto";
+import { promisify } from "node:util";
+//#region src/utils/trigger-auth.ts
+const scryptAsync = promisify(scrypt);
+const SALT_LENGTH = 32;
+const KEY_LENGTH = 64;
+const VALUE_PREFIX_LENGTH = 8;
+/**
+* Hash a header value using scrypt for secure storage.
+* Returns the hash and a prefix for display purposes.
+*
+* @param value - The plaintext header value to hash
+* @returns Object containing valueHash (for storage) and valuePrefix (for display)
+*/
+async function hashTriggerHeaderValue(value) {
+	const salt = randomBytes(SALT_LENGTH);
+	const hashedBuffer = await scryptAsync(value, salt, KEY_LENGTH);
+	return {
+		valueHash: Buffer.concat([salt, hashedBuffer]).toString("base64"),
+		valuePrefix: value.substring(0, VALUE_PREFIX_LENGTH)
+	};
+}
+/**
+* Validate a header value against its stored hash using timing-safe comparison.
+*
+* @param value - The plaintext header value from the incoming request
+* @param storedHash - The hash stored in the database
+* @returns True if the value matches the hash
+*/
+async function validateTriggerHeaderValue(value, storedHash) {
+	try {
+		const combined = Buffer.from(storedHash, "base64");
+		const salt = combined.subarray(0, SALT_LENGTH);
+		return timingSafeEqual(combined.subarray(SALT_LENGTH), await scryptAsync(value, salt, KEY_LENGTH));
+	} catch {
+		return false;
+	}
+}
+/**
+* Transform authentication input (plaintext values) to stored format (hashed values).
+* Used when creating or updating triggers.
+*
+* @param headers - Array of header inputs with plaintext values
+* @returns Array of headers with hashed values for storage
+*/
+async function hashAuthenticationHeaders(headers) {
+	return Promise.all(headers.map(async (header) => {
+		const { valueHash, valuePrefix } = await hashTriggerHeaderValue(header.value);
+		return {
+			name: header.name,
+			valueHash,
+			valuePrefix
+		};
+	}));
+}
+/**
+* Verifies incoming webhook requests using the configured authentication headers.
+* Each configured header must be present and match its expected value (via hash comparison).
+*
+* @param c - Hono context containing the request headers
+* @param authentication - Trigger authentication configuration with hashed header values
+* @returns TriggerAuthResult indicating success/failure with appropriate HTTP status
+*/
+async function verifyTriggerAuth(c, authentication) {
+	if (!authentication || !authentication.headers || authentication.headers.length === 0) return { success: true };
+	for (const header of authentication.headers) {
+		const headerName = header.name.toLowerCase();
+		const actualValue = c.req.header(headerName);
+		if (!actualValue) return {
+			success: false,
+			status: 401,
+			message: `Missing authentication header: ${header.name}`
+		};
+		if (!await validateTriggerHeaderValue(actualValue, header.valueHash)) return {
+			success: false,
+			status: 403,
+			message: `Invalid value for header: ${header.name}`
+		};
+	}
+	return { success: true };
+}
+/**
+* Extracts the signature from the request based on configuration.
+* Supports extraction from headers, query parameters, or body via JMESPath.
+* Optionally strips prefix and applies regex extraction.
+*
+* @param c - Hono context
+* @param config - Signature verification configuration
+* @param body - Raw request body as string
+* @returns Extracted signature string or null if not found
+*/
+function extractSignature(c, config, body) {
+	const { signature } = config;
+	const caseSensitive = config.validation?.headerCaseSensitive ?? false;
+	let value;
+	if (signature.source === "header") {
+		const headerKey = caseSensitive ? signature.key : signature.key.toLowerCase();
+		value = c.req.header(headerKey);
+	} else if (signature.source === "query") value = c.req.query(signature.key);
+	else if (signature.source === "body") try {
+		value = searchJMESPath(JSON.parse(body), signature.key);
+	} catch {
+		return null;
+	}
+	if (!value) return null;
+	if (signature.prefix && value.startsWith(signature.prefix)) value = value.slice(signature.prefix.length);
+	if (signature.regex) try {
+		const match = value.match(new RegExp(signature.regex));
+		if (match?.[1]) value = match[1];
+		else return null;
+	} catch {
+		return null;
+	}
+	return value;
+}
+/**
+* Extracts a single signed component from the request.
+*
+* @param c - Hono context
+* @param component - Component configuration
+* @param body - Raw request body as string
+* @param caseSensitive - Whether header names should be case-sensitive
+* @returns Extracted component value or null if required and not found
+*/
+function extractComponent(c, component, body, caseSensitive) {
+	let value;
+	if (component.source === "literal") value = component.value ?? "";
+	else if (component.source === "header") {
+		if (!component.key) return component.required ? null : "";
+		const headerKey = caseSensitive ? component.key : component.key.toLowerCase();
+		value = c.req.header(headerKey);
+	} else if (component.source === "body") if (!component.key) value = body;
+	else try {
+		value = searchJMESPath(JSON.parse(body), component.key);
+	} catch {
+		return component.required ? null : "";
+	}
+	if (value === void 0 || value === null) return component.required ? null : "";
+	value = String(value);
+	if (component.regex) try {
+		const match = value.match(new RegExp(component.regex));
+		if (match?.[1]) value = match[1];
+		else return component.required ? null : "";
+	} catch {
+		return component.required ? null : "";
+	}
+	return value;
+}
+/**
+* Verifies webhook signature using flexible, provider-agnostic configuration.
+* Supports GitHub, Slack, Zendesk, Stripe and other webhook signature schemes.
+*
+* SECURITY: Uses crypto.timingSafeEqual() for all signature comparisons to prevent timing attacks.
+*
+* @param c - Hono context containing request headers, query, and body
+* @param config - Signature verification configuration
+* @param signingSecret - HMAC signing secret
+* @param body - Raw request body as string
+* @returns SignatureVerificationResult with success status and error details
+*
+* @example
+* // GitHub webhook verification
+* const result = verifySignatureWithConfig(c, {
+*   algorithm: 'sha256',
+*   encoding: 'hex',
+*   signature: { source: 'header', key: 'x-hub-signature-256', prefix: 'sha256=' },
+*   signedComponents: [{ source: 'body', key: '@' }],
+*   componentJoin: { strategy: 'concatenate', separator: '' }
+* }, secret, body);
+*/
+function verifySignatureWithConfig(c, config, signingSecret, body) {
+	const caseSensitive = config.validation?.headerCaseSensitive ?? false;
+	const allowEmptyBody = config.validation?.allowEmptyBody ?? true;
+	const normalizeUnicode = config.validation?.normalizeUnicode ?? false;
+	const signature = extractSignature(c, config, body);
+	if (!signature) return {
+		success: false,
+		errorCode: "MISSING_SIGNATURE",
+		status: 401,
+		message: "Missing or invalid signature"
+	};
+	const components = [];
+	for (const componentConfig of config.signedComponents) {
+		const componentValue = extractComponent(c, componentConfig, body, caseSensitive);
+		if (componentValue === null) return {
+			success: false,
+			errorCode: "MISSING_COMPONENT",
+			status: 400,
+			message: "Missing required signed component"
+		};
+		components.push(componentValue);
+	}
+	let signedData = components.join(config.componentJoin.separator);
+	if (normalizeUnicode) signedData = signedData.normalize("NFC");
+	if (!allowEmptyBody && signedData === "") return {
+		success: false,
+		errorCode: "MISSING_COMPONENT",
+		status: 400,
+		message: "Empty body not allowed"
+	};
+	const hmac = createHmac(config.algorithm, signingSecret);
+	hmac.update(signedData);
+	const expectedSignature = hmac.digest(config.encoding);
+	try {
+		const signatureBuffer = Buffer.from(signature, config.encoding);
+		const expectedBuffer = Buffer.from(expectedSignature, config.encoding);
+		if (signatureBuffer.length !== expectedBuffer.length) return {
+			success: false,
+			errorCode: "SIGNATURE_MISMATCH",
+			status: 403,
+			message: "Invalid signature"
+		};
+		if (!timingSafeEqual(signatureBuffer, expectedBuffer)) return {
+			success: false,
+			errorCode: "SIGNATURE_MISMATCH",
+			status: 403,
+			message: "Invalid signature"
+		};
+		return { success: true };
+	} catch {
+		return {
+			success: false,
+			errorCode: "INVALID_SIGNATURE_FORMAT",
+			status: 403,
+			message: "Invalid signature format"
+		};
+	}
+}
+//#endregion
+export { hashAuthenticationHeaders, hashTriggerHeaderValue, validateTriggerHeaderValue, verifySignatureWithConfig, verifyTriggerAuth };

package/dist/validation/agentFull.js CHANGED Viewed

@@ -53,10 +53,8 @@ function validateAgentRelationships(agentData) {
 		if (subAgent.canTransferTo && Array.isArray(subAgent.canTransferTo)) {
 			for (const targetId of subAgent.canTransferTo) if (!availableAgentIds.has(targetId)) errors.push(`Agent '${subAgentId}' has transfer target '${targetId}' that doesn't exist in agent`);
 		}
-		if (subAgent.canDelegateTo && Array.isArray(subAgent.canDelegateTo)) for (const targetItem of subAgent.canDelegateTo) {
-			console.log("targetItem", targetItem);
-			if (typeof targetItem === "string") {
-				console.log("targetItem is string", targetItem);
+		if (subAgent.canDelegateTo && Array.isArray(subAgent.canDelegateTo)) {
+			for (const targetItem of subAgent.canDelegateTo) if (typeof targetItem === "string") {
 				if (!availableAgentIds.has(targetItem) && !availableExternalAgentIds.has(targetItem)) errors.push(`Agent '${subAgentId}' has delegation target '${targetItem}' that doesn't exist in agent`);
 			}
 		}

package/dist/validation/dolt-schemas.d.ts ADDED Viewed

@@ -0,0 +1,49 @@
+import { z } from "@hono/zod-openapi";
+//#region src/validation/dolt-schemas.d.ts
+declare const BranchNameSchema: z.ZodString;
+declare const CreateBranchRequestSchema: z.ZodObject<{
+  name: z.ZodString;
+  from: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+declare const BranchInfoSchema: z.ZodObject<{
+  baseName: z.ZodString;
+  fullName: z.ZodString;
+  hash: z.ZodString;
+}, z.core.$strip>;
+declare const BranchResponseSchema: z.ZodObject<{
+  data: z.ZodObject<{
+    baseName: z.ZodString;
+    fullName: z.ZodString;
+    hash: z.ZodString;
+  }, z.core.$strip>;
+}, z.core.$strip>;
+declare const BranchListResponseSchema: z.ZodObject<{
+  data: z.ZodArray<z.ZodObject<{
+    baseName: z.ZodString;
+    fullName: z.ZodString;
+    hash: z.ZodString;
+  }, z.core.$strip>>;
+}, z.core.$strip>;
+declare const BranchNameParamsSchema: z.ZodObject<{
+  tenantId: z.ZodString;
+  projectId: z.ZodString;
+  branchName: z.ZodString;
+}, z.core.$strip>;
+declare const ResolvedRefSchema: z.ZodObject<{
+  type: z.ZodEnum<{
+    commit: "commit";
+    tag: "tag";
+    branch: "branch";
+  }>;
+  name: z.ZodString;
+  hash: z.ZodString;
+}, z.core.$strip>;
+type ResolvedRef = z.infer<typeof ResolvedRefSchema>;
+type CreateBranchRequest = z.infer<typeof CreateBranchRequestSchema>;
+type BranchInfo = z.infer<typeof BranchInfoSchema>;
+type BranchResponse = z.infer<typeof BranchResponseSchema>;
+type BranchListResponse = z.infer<typeof BranchListResponseSchema>;
+type BranchNameParams = z.infer<typeof BranchNameParamsSchema>;
+//#endregion
+export { BranchInfo, BranchInfoSchema, BranchListResponse, BranchListResponseSchema, BranchNameParams, BranchNameParamsSchema, BranchNameSchema, BranchResponse, BranchResponseSchema, CreateBranchRequest, CreateBranchRequestSchema, ResolvedRef, ResolvedRefSchema };

package/dist/validation/dolt-schemas.js ADDED Viewed

@@ -0,0 +1,44 @@
+import { z } from "@hono/zod-openapi";
+//#region src/validation/dolt-schemas.ts
+const BranchNameSchema = z.string().min(1, "Branch name cannot be empty").max(255, "Branch name too long").regex(/^[a-zA-Z0-9\-_./]+$/, { message: "Branch name can only contain letters, numbers, hyphens, underscores, dots, and slashes" }).openapi({
+	example: "feature-x",
+	description: "Name of the branch"
+});
+const CreateBranchRequestSchema = z.object({
+	name: BranchNameSchema,
+	from: z.string().optional().describe("Branch or commit to create from. Defaults to tenant main branch.")
+}).openapi("CreateBranchRequest");
+const BranchInfoSchema = z.object({
+	baseName: z.string().describe("User-provided branch name"),
+	fullName: z.string().describe("Full namespaced branch name"),
+	hash: z.string().describe("Current commit hash of the branch")
+}).openapi("BranchInfo");
+const BranchResponseSchema = z.object({ data: BranchInfoSchema }).openapi("BranchResponse");
+const BranchListResponseSchema = z.object({ data: z.array(BranchInfoSchema) }).openapi("BranchListResponse");
+const BranchNameParamsSchema = z.object({
+	tenantId: z.string().openapi({ param: {
+		name: "tenantId",
+		in: "path"
+	} }),
+	projectId: z.string().openapi({ param: {
+		name: "projectId",
+		in: "path"
+	} }),
+	branchName: z.string().openapi({ param: {
+		name: "branchName",
+		in: "path"
+	} })
+}).openapi("BranchNameParams");
+const ResolvedRefSchema = z.object({
+	type: z.enum([
+		"commit",
+		"tag",
+		"branch"
+	]).describe("The type of ref"),
+	name: z.string().describe("The name of the ref (branch name, tag name, or commit hash)"),
+	hash: z.string().describe("The commit hash this ref resolves to")
+}).openapi("ResolvedRef");
+//#endregion
+export { BranchInfoSchema, BranchListResponseSchema, BranchNameParamsSchema, BranchNameSchema, BranchResponseSchema, CreateBranchRequestSchema, ResolvedRefSchema };

package/dist/validation/drizzle-schema-helpers.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { z } from "@hono/zod-openapi";
-import * as drizzle_zod141 from "drizzle-zod";
+import * as drizzle_zod15 from "drizzle-zod";
 import { AnySQLiteTable } from "drizzle-orm/sqlite-core";
 //#region src/validation/drizzle-schema-helpers.d.ts
@@ -22,8 +22,8 @@ declare const resourceIdSchema: z.ZodString;
 declare function createResourceIdSchema(description: string, options?: {
   example?: string;
 }): z.ZodString;
-declare function createSelectSchemaWithModifiers<T extends AnySQLiteTable>(table: T, overrides?: Partial<Record<keyof T['_']['columns'], (schema: z.ZodTypeAny) => z.ZodTypeAny>>): drizzle_zod141.BuildSchema<"select", T["_"]["columns"], drizzle_zod141.BuildRefine<T["_"]["columns"], undefined>, undefined>;
-declare function createInsertSchemaWithModifiers<T extends AnySQLiteTable>(table: T, overrides?: Partial<Record<keyof T['_']['columns'], (schema: z.ZodTypeAny) => z.ZodTypeAny>>): drizzle_zod141.BuildSchema<"insert", T["_"]["columns"], drizzle_zod141.BuildRefine<Pick<T["_"]["columns"], keyof T["$inferInsert"]>, undefined>, undefined>;
+declare function createSelectSchemaWithModifiers<T extends AnySQLiteTable>(table: T, overrides?: Partial<Record<keyof T['_']['columns'], (schema: z.ZodTypeAny) => z.ZodTypeAny>>): drizzle_zod15.BuildSchema<"select", T["_"]["columns"], drizzle_zod15.BuildRefine<T["_"]["columns"], undefined>, undefined>;
+declare function createInsertSchemaWithModifiers<T extends AnySQLiteTable>(table: T, overrides?: Partial<Record<keyof T['_']['columns'], (schema: z.ZodTypeAny) => z.ZodTypeAny>>): drizzle_zod15.BuildSchema<"insert", T["_"]["columns"], drizzle_zod15.BuildRefine<Pick<T["_"]["columns"], keyof T["$inferInsert"]>, undefined>, undefined>;
 declare const createSelectSchema: typeof createSelectSchemaWithModifiers;
 declare const createInsertSchema: typeof createInsertSchemaWithModifiers;
 /**
@@ -38,27 +38,5 @@ declare const createInsertSchema: typeof createInsertSchemaWithModifiers;
  * The schema shape itself is not modified, but the field schemas are registered.
  */
 declare function registerFieldSchemas<T extends z.ZodObject<any>>(schema: T): T;
-/**
- * Wrapper for .partial() that registers the resulting schema and its fields in the global registry.
- * This function ensures that field schemas are properly registered and configured with OpenAPI metadata.
- */
-declare function partialWithRegistry<T extends z.ZodObject<any>>(schema: T, metadata?: {
-  description?: string;
-  [key: string]: unknown;
-}): T;
-/**
- * Wrapper for .omit() that registers the resulting schema and its fields in the global registry
- */
-declare function omitWithRegistry<T extends z.ZodObject<any>>(schema: T, keys: z.ZodObject<any>['shape'], metadata?: {
-  description?: string;
-  [key: string]: unknown;
-}): T;
-/**
- * Wrapper for .extend() that registers the resulting schema and its fields in the global registry
- */
-declare function extendWithRegistry<T extends z.ZodObject<any>>(schema: T, shape: z.ZodRawShape, metadata?: {
-  description?: string;
-  [key: string]: unknown;
-}): T;
 //#endregion
-export { MAX_ID_LENGTH, MIN_ID_LENGTH, URL_SAFE_ID_PATTERN, createInsertSchema, createResourceIdSchema, createSelectSchema, extendWithRegistry, omitWithRegistry, partialWithRegistry, registerFieldSchemas, resourceIdSchema };
+export { MAX_ID_LENGTH, MIN_ID_LENGTH, URL_SAFE_ID_PATTERN, createInsertSchema, createResourceIdSchema, createSelectSchema, registerFieldSchemas, resourceIdSchema };

package/dist/validation/drizzle-schema-helpers.js CHANGED Viewed

@@ -31,95 +31,17 @@ function createResourceIdSchema(description, options) {
 	modified.meta({ description });
 	return modified;
 }
-const FIELD_MODIFIERS = {
-	id: (schema) => {
-		const modified = schema.min(MIN_ID_LENGTH).max(MAX_ID_LENGTH).describe("Resource identifier").regex(URL_SAFE_ID_PATTERN, { message: "ID must contain only letters, numbers, hyphens, underscores, and dots" }).openapi({
-			description: "Resource identifier",
-			example: "resource_789"
-		});
-		modified.meta({ description: "Resource identifier" });
-		return modified;
-	},
-	name: (_schema) => {
-		const modified = z.string().describe("Name");
-		modified.meta({ description: "Name" });
-		return modified;
-	},
-	description: (_schema) => {
-		const modified = z.string().describe("Description");
-		modified.meta({ description: "Description" });
-		return modified;
-	},
-	tenantId: (schema) => {
-		const modified = schema.describe("Tenant identifier");
-		modified.meta({ description: "Tenant identifier" });
-		return modified;
-	},
-	projectId: (schema) => {
-		const modified = schema.describe("Project identifier");
-		modified.meta({ description: "Project identifier" });
-		return modified;
-	},
-	agentId: (schema) => {
-		const modified = schema.describe("Agent identifier");
-		modified.meta({ description: "Agent identifier" });
-		return modified;
-	},
-	subAgentId: (schema) => {
-		const modified = schema.describe("Sub-agent identifier");
-		modified.meta({ description: "Sub-agent identifier" });
-		return modified;
-	},
-	createdAt: (schema) => {
-		const modified = schema.describe("Creation timestamp");
-		modified.meta({ description: "Creation timestamp" });
-		return modified;
-	},
-	updatedAt: (schema) => {
-		const modified = schema.describe("Last update timestamp");
-		modified.meta({ description: "Last update timestamp" });
-		return modified;
-	}
-};
 function createSelectSchemaWithModifiers(table, overrides) {
-	const tableColumns = table._?.columns;
-	if (!tableColumns) return createSelectSchema$1(table, overrides);
-	const tableFieldNames = Object.keys(tableColumns);
-	const modifiers = {};
-	for (const fieldName of tableFieldNames) {
-		const fieldNameStr = String(fieldName);
-		if (fieldNameStr in FIELD_MODIFIERS) modifiers[fieldNameStr] = FIELD_MODIFIERS[fieldNameStr];
-	}
-	return createSelectSchema$1(table, {
-		...modifiers,
-		...overrides
-	});
+	if (!table._?.columns) return createSelectSchema$1(table, overrides);
+	throw new Error("Unexpected \"tableColumns\" is defined");
 }
 function createInsertSchemaWithModifiers(table, overrides) {
-	const tableColumns = table._?.columns;
-	if (!tableColumns) return createInsertSchema$1(table, overrides);
-	const tableFieldNames = Object.keys(tableColumns);
-	const modifiers = {};
-	for (const fieldName of tableFieldNames) {
-		const fieldNameStr = String(fieldName);
-		if (fieldNameStr in FIELD_MODIFIERS) modifiers[fieldNameStr] = FIELD_MODIFIERS[fieldNameStr];
-	}
-	return createInsertSchema$1(table, {
-		...modifiers,
-		...overrides
-	});
+	if (!table._?.columns) return createInsertSchema$1(table, overrides);
+	throw new Error("Unexpected \"tableColumns\" is defined");
 }
 const createSelectSchema = createSelectSchemaWithModifiers;
 const createInsertSchema = createInsertSchemaWithModifiers;
 /**
-* Helper function to register a schema in the global registry using .meta() and return it.
-* This ensures metadata persists through transformations.
-*/
-function registerSchema(schema, metadata) {
-	schema.meta(metadata);
-	return schema;
-}
-/**
 * Registers all field schemas in an object schema that match known field names.
 * This ensures metadata persists through transformations like .partial() and .omit().
 * For the 'id' field, also applies full validation constraints via .openapi().
@@ -164,74 +86,6 @@ function registerFieldSchemas(schema) {
 	}
 	return schema;
 }
-/**
-* Wrapper for .partial() that registers the resulting schema and its fields in the global registry.
-* This function ensures that field schemas are properly registered and configured with OpenAPI metadata.
-*/
-function partialWithRegistry(schema, metadata) {
-	const partialSchema = schema.partial();
-	registerFieldSchemas(partialSchema);
-	const shape = partialSchema.shape;
-	const newShape = {};
-	const fieldMetadata = {
-		id: { description: "Resource identifier" },
-		name: { description: "Name" },
-		description: { description: "Description" },
-		tenantId: { description: "Tenant identifier" },
-		projectId: { description: "Project identifier" },
-		agentId: { description: "Agent identifier" },
-		subAgentId: { description: "Sub-agent identifier" },
-		createdAt: { description: "Creation timestamp" },
-		updatedAt: { description: "Last update timestamp" }
-	};
-	for (const [fieldName, fieldSchema] of Object.entries(shape)) {
-		let configuredSchema = fieldSchema;
-		if (fieldName in fieldMetadata) {
-			let innerSchema;
-			const isOptional = configuredSchema instanceof z.ZodOptional;
-			if (isOptional) innerSchema = configuredSchema._def.innerType;
-			else innerSchema = configuredSchema;
-			if (fieldName === "id" && innerSchema instanceof z.ZodString) {
-				const configuredId = innerSchema.min(MIN_ID_LENGTH).max(MAX_ID_LENGTH).describe("Resource identifier").regex(URL_SAFE_ID_PATTERN, { message: "ID must contain only letters, numbers, hyphens, underscores, and dots" }).openapi({
-					description: "Resource identifier",
-					minLength: MIN_ID_LENGTH,
-					maxLength: MAX_ID_LENGTH,
-					pattern: URL_SAFE_ID_PATTERN.source,
-					example: "resource_789"
-				});
-				configuredId.meta({ description: "Resource identifier" });
-				configuredSchema = isOptional ? configuredId.optional() : configuredId;
-			} else if (innerSchema instanceof z.ZodString) {
-				const configuredField = innerSchema.describe(fieldMetadata[fieldName].description).openapi({ description: fieldMetadata[fieldName].description });
-				configuredField.meta(fieldMetadata[fieldName]);
-				configuredSchema = isOptional ? configuredField.optional() : configuredField;
-			}
-		}
-		newShape[fieldName] = configuredSchema;
-	}
-	const reconstructedSchema = partialSchema.extend(newShape).partial();
-	registerFieldSchemas(reconstructedSchema);
-	if (metadata) registerSchema(reconstructedSchema, metadata);
-	return reconstructedSchema;
-}
-/**
-* Wrapper for .omit() that registers the resulting schema and its fields in the global registry
-*/
-function omitWithRegistry(schema, keys, metadata) {
-	const omittedSchema = schema.omit(keys);
-	registerFieldSchemas(omittedSchema);
-	if (metadata) registerSchema(omittedSchema, metadata);
-	return omittedSchema;
-}
-/**
-* Wrapper for .extend() that registers the resulting schema and its fields in the global registry
-*/
-function extendWithRegistry(schema, shape, metadata) {
-	const extendedSchema = schema.extend(shape);
-	registerFieldSchemas(extendedSchema);
-	if (metadata) registerSchema(extendedSchema, metadata);
-	return extendedSchema;
-}
 //#endregion
-export { MAX_ID_LENGTH, MIN_ID_LENGTH, URL_SAFE_ID_PATTERN, createInsertSchema, createResourceIdSchema, createSelectSchema, extendWithRegistry, omitWithRegistry, partialWithRegistry, registerFieldSchemas, resourceIdSchema };
+export { MAX_ID_LENGTH, MIN_ID_LENGTH, URL_SAFE_ID_PATTERN, createInsertSchema, createResourceIdSchema, createSelectSchema, registerFieldSchemas, resourceIdSchema };