@intent-systems/nexus 2026.1.5-3 → 2026.1.5-4

package/dist/credentials/store.js

@@ -0,0 +1,323 @@
+import { exec, execFile } from "node:child_process";
+import fs from "node:fs";
+import fsp from "node:fs/promises";
+import path from "node:path";
+import { promisify } from "node:util";
+import { resolveCredentialsDir } from "../config/paths.js";
+export { resolveCredentialsDir };
+const execFileAsync = promisify(execFile);
+const execAsync = promisify(exec);
+export function resolveCredentialIndexPath() {
+    return path.join(resolveCredentialsDir(), "index.json");
+}
+export function resolveCredentialPath(service, account, authId) {
+    return path.join(resolveCredentialsDir(), service, "accounts", account, "auth", `${authId}.json`);
+}
+export function readCredentialRecordSync(filePath) {
+    try {
+        const raw = fs.readFileSync(filePath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object")
+            return null;
+        if (!parsed.type || !parsed.storage)
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+export async function readCredentialRecord(filePath) {
+    try {
+        const raw = await fsp.readFile(filePath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object")
+            return null;
+        if (!parsed.type || !parsed.storage)
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+export function writeCredentialRecordSync(service, account, authId, record) {
+    const filePath = resolveCredentialPath(service, account, authId);
+    const dir = path.dirname(filePath);
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(filePath, `${JSON.stringify(record, null, 2)}\n`, "utf-8");
+    fs.chmodSync(filePath, 0o600);
+}
+export async function writeCredentialRecord(service, account, authId, record) {
+    const filePath = resolveCredentialPath(service, account, authId);
+    const dir = path.dirname(filePath);
+    await fsp.mkdir(dir, { recursive: true });
+    await fsp.writeFile(filePath, `${JSON.stringify(record, null, 2)}\n`, "utf-8");
+}
+function isDirentDirectory(entry) {
+    return typeof entry !== "string";
+}
+export function listCredentialEntriesSync() {
+    const root = resolveCredentialsDir();
+    if (!fs.existsSync(root))
+        return [];
+    const services = fs.readdirSync(root, { withFileTypes: true });
+    const entries = [];
+    for (const serviceEntry of services) {
+        if (!isDirentDirectory(serviceEntry) || !serviceEntry.isDirectory())
+            continue;
+        const service = serviceEntry.name;
+        const accountsDir = path.join(root, service, "accounts");
+        if (!fs.existsSync(accountsDir))
+            continue;
+        const accounts = fs.readdirSync(accountsDir, { withFileTypes: true });
+        for (const accountEntry of accounts) {
+            if (!isDirentDirectory(accountEntry) || !accountEntry.isDirectory())
+                continue;
+            const account = accountEntry.name;
+            const authDir = path.join(accountsDir, account, "auth");
+            if (!fs.existsSync(authDir))
+                continue;
+            const authFiles = fs.readdirSync(authDir, { withFileTypes: true });
+            for (const authEntry of authFiles) {
+                if (!isDirentDirectory(authEntry) || authEntry.isDirectory())
+                    continue;
+                if (!authEntry.name.endsWith(".json"))
+                    continue;
+                const authId = authEntry.name.replace(/\.json$/, "");
+                const filePath = path.join(authDir, authEntry.name);
+                const record = readCredentialRecordSync(filePath);
+                if (!record)
+                    continue;
+                entries.push({ service, account, authId, filePath, record });
+            }
+        }
+    }
+    return entries;
+}
+export async function listCredentialEntries() {
+    const root = resolveCredentialsDir();
+    if (!fs.existsSync(root))
+        return [];
+    const services = await fsp.readdir(root, { withFileTypes: true });
+    const entries = [];
+    for (const serviceEntry of services) {
+        if (!isDirentDirectory(serviceEntry) || !serviceEntry.isDirectory())
+            continue;
+        const service = serviceEntry.name;
+        const accountsDir = path.join(root, service, "accounts");
+        if (!fs.existsSync(accountsDir))
+            continue;
+        const accounts = await fsp.readdir(accountsDir, { withFileTypes: true });
+        for (const accountEntry of accounts) {
+            if (!isDirentDirectory(accountEntry) || !accountEntry.isDirectory())
+                continue;
+            const account = accountEntry.name;
+            const authDir = path.join(accountsDir, account, "auth");
+            if (!fs.existsSync(authDir))
+                continue;
+            const authFiles = await fsp.readdir(authDir, { withFileTypes: true });
+            for (const authEntry of authFiles) {
+                if (!isDirentDirectory(authEntry) || authEntry.isDirectory())
+                    continue;
+                if (!authEntry.name.endsWith(".json"))
+                    continue;
+                const authId = authEntry.name.replace(/\.json$/, "");
+                const filePath = path.join(authDir, authEntry.name);
+                const record = await readCredentialRecord(filePath);
+                if (!record)
+                    continue;
+                entries.push({ service, account, authId, filePath, record });
+            }
+        }
+    }
+    return entries;
+}
+export function buildCredentialIndex(entries) {
+    const services = {};
+    for (const entry of entries) {
+        const service = services[entry.service] ?? { accounts: [] };
+        const account = service.accounts.find((acc) => acc.id === entry.account);
+        const status = entry.record.lastError
+            ? "broken"
+            : entry.record.lastUsed
+                ? "active"
+                : "ready";
+        if (account) {
+            if (!account.auths.includes(entry.authId))
+                account.auths.push(entry.authId);
+            if (entry.record.lastError) {
+                account.status = "broken";
+                account.lastError = entry.record.lastError;
+            }
+            else if (account.status !== "broken" && entry.record.lastUsed) {
+                account.status = "active";
+                account.lastUsed = entry.record.lastUsed;
+            }
+        }
+        else {
+            service.accounts.push({
+                id: entry.account,
+                owner: entry.record.owner,
+                auths: [entry.authId],
+                status,
+                lastUsed: entry.record.lastUsed,
+                lastError: entry.record.lastError ?? null,
+            });
+        }
+        services[entry.service] = service;
+    }
+    return {
+        version: 1,
+        lastUpdated: new Date().toISOString(),
+        services,
+    };
+}
+export function readCredentialIndexSync() {
+    const indexPath = resolveCredentialIndexPath();
+    try {
+        const raw = fs.readFileSync(indexPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object")
+            return null;
+        if (!parsed.services || typeof parsed.services !== "object")
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+export async function readCredentialIndex() {
+    const indexPath = resolveCredentialIndexPath();
+    try {
+        const raw = await fsp.readFile(indexPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object")
+            return null;
+        if (!parsed.services || typeof parsed.services !== "object")
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+export function writeCredentialIndexSync(index) {
+    const indexPath = resolveCredentialIndexPath();
+    fs.mkdirSync(path.dirname(indexPath), { recursive: true });
+    fs.writeFileSync(indexPath, `${JSON.stringify(index, null, 2)}\n`, "utf-8");
+}
+export async function writeCredentialIndex(index) {
+    const indexPath = resolveCredentialIndexPath();
+    await fsp.mkdir(path.dirname(indexPath), { recursive: true });
+    await fsp.writeFile(indexPath, `${JSON.stringify(index, null, 2)}\n`, "utf-8");
+}
+export function ensureCredentialIndexSync() {
+    const existing = readCredentialIndexSync();
+    if (existing)
+        return existing;
+    const index = buildCredentialIndex(listCredentialEntriesSync());
+    writeCredentialIndexSync(index);
+    return index;
+}
+function resolveStorageField(storage, field) {
+    if (storage.provider !== "1password")
+        return null;
+    const exact = storage.fields?.[field];
+    if (exact)
+        return exact;
+    if (field === "key")
+        return storage.fields?.apiKey ?? storage.fields?.token ?? null;
+    if (field === "accessToken")
+        return storage.fields?.accessToken ?? storage.fields?.token ?? null;
+    return null;
+}
+async function readSecretFromStorage(record, field) {
+    const storage = record.storage;
+    if (storage.provider === "plaintext") {
+        const value = field === "key" ? record.key : field === "token" ? record.token : record.accessToken;
+        return typeof value === "string" && value.trim() ? value.trim() : null;
+    }
+    if (storage.provider === "keychain") {
+        try {
+            const { stdout } = await execFileAsync("security", [
+                "find-generic-password",
+                "-s",
+                storage.service,
+                "-a",
+                storage.account,
+                "-w",
+            ]);
+            const trimmed = stdout.trim();
+            return trimmed ? trimmed : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    if (storage.provider === "1password") {
+        const fieldName = resolveStorageField(storage, field);
+        if (!fieldName)
+            return null;
+        const itemRef = `op://${storage.vault}/${storage.item}/${fieldName}`;
+        try {
+            const { stdout } = await execFileAsync("op", ["read", itemRef]);
+            const trimmed = stdout.trim();
+            return trimmed ? trimmed : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    if (storage.provider === "external") {
+        try {
+            const { stdout } = await execAsync(storage.syncCommand);
+            const trimmed = stdout.trim();
+            return trimmed ? trimmed : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
+export async function storeKeychainSecret(params) {
+    try {
+        await execFileAsync("security", [
+            "add-generic-password",
+            "-U",
+            "-s",
+            params.service,
+            "-a",
+            params.account,
+            "-w",
+            params.value,
+        ]);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function resolveCredentialValue(record) {
+    if (record.type === "api_key") {
+        const value = await readSecretFromStorage(record, "key");
+        if (!value)
+            return null;
+        return { value, field: "key" };
+    }
+    if (record.type === "token") {
+        const value = await readSecretFromStorage(record, "token");
+        if (!value)
+            return null;
+        return { value, field: "token" };
+    }
+    if (record.type === "oauth") {
+        const value = await readSecretFromStorage(record, "accessToken");
+        if (!value)
+            return null;
+        return { value, field: "accessToken" };
+    }
+    return null;
+}

package/dist/logging/redact.js

@@ -0,0 +1,109 @@
+import { loadConfig } from "../config/config.js";
+const DEFAULT_REDACT_MODE = "tools";
+const DEFAULT_REDACT_MIN_LENGTH = 18;
+const DEFAULT_REDACT_KEEP_START = 6;
+const DEFAULT_REDACT_KEEP_END = 4;
+const DEFAULT_REDACT_PATTERNS = [
+    // ENV-style assignments.
+    String.raw `\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)\b\s*[=:]\s*(["']?)([^\s"'\\]+)\1`,
+    // JSON fields.
+    String.raw `"(?:apiKey|token|secret|password|passwd|accessToken|refreshToken)"\s*:\s*"([^"]+)"`,
+    // CLI flags.
+    String.raw `--(?:api[-_]?key|token|secret|password|passwd)\s+(["']?)([^\s"']+)\1`,
+    // Authorization headers.
+    String.raw `Authorization\s*[:=]\s*Bearer\s+([A-Za-z0-9._\-+=]+)`,
+    String.raw `\bBearer\s+([A-Za-z0-9._\-+=]{18,})\b`,
+    // PEM blocks.
+    String.raw `-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----`,
+    // Common token prefixes.
+    String.raw `\b(sk-[A-Za-z0-9_-]{8,})\b`,
+    String.raw `\b(ghp_[A-Za-z0-9]{20,})\b`,
+    String.raw `\b(github_pat_[A-Za-z0-9_]{20,})\b`,
+    String.raw `\b(xox[baprs]-[A-Za-z0-9-]{10,})\b`,
+    String.raw `\b(xapp-[A-Za-z0-9-]{10,})\b`,
+    String.raw `\b(gsk_[A-Za-z0-9_-]{10,})\b`,
+    String.raw `\b(AIza[0-9A-Za-z\-_]{20,})\b`,
+    String.raw `\b(pplx-[A-Za-z0-9_-]{10,})\b`,
+    String.raw `\b(npm_[A-Za-z0-9]{10,})\b`,
+    String.raw `\b(\d{6,}:[A-Za-z0-9_-]{20,})\b`,
+];
+function normalizeMode(value) {
+    return value === "off" ? "off" : DEFAULT_REDACT_MODE;
+}
+function parsePattern(raw) {
+    if (!raw.trim())
+        return null;
+    const match = raw.match(/^\/(.+)\/([gimsuy]*)$/);
+    try {
+        if (match) {
+            const flags = match[2].includes("g") ? match[2] : `${match[2]}g`;
+            return new RegExp(match[1], flags);
+        }
+        return new RegExp(raw, "gi");
+    }
+    catch {
+        return null;
+    }
+}
+function resolvePatterns(value) {
+    const source = value?.length ? value : DEFAULT_REDACT_PATTERNS;
+    return source.map(parsePattern).filter((re) => Boolean(re));
+}
+function maskToken(token) {
+    if (token.length < DEFAULT_REDACT_MIN_LENGTH)
+        return "***";
+    const start = token.slice(0, DEFAULT_REDACT_KEEP_START);
+    const end = token.slice(-DEFAULT_REDACT_KEEP_END);
+    return `${start}…${end}`;
+}
+function redactPemBlock(block) {
+    const lines = block.split(/\r?\n/).filter(Boolean);
+    if (lines.length < 2)
+        return "***";
+    return `${lines[0]}\n…redacted…\n${lines[lines.length - 1]}`;
+}
+function redactMatch(match, groups) {
+    if (match.includes("PRIVATE KEY-----"))
+        return redactPemBlock(match);
+    const token = groups
+        .filter((value) => typeof value === "string" && value.length > 0)
+        .at(-1) ?? match;
+    const masked = maskToken(token);
+    if (token === match)
+        return masked;
+    return match.replace(token, masked);
+}
+function redactText(text, patterns) {
+    let next = text;
+    for (const pattern of patterns) {
+        next = next.replace(pattern, (...args) => redactMatch(args[0], args.slice(1, args.length - 2)));
+    }
+    return next;
+}
+function resolveConfigRedaction() {
+    const cfg = loadConfig().logging;
+    return {
+        mode: normalizeMode(cfg?.redactSensitive),
+        patterns: cfg?.redactPatterns,
+    };
+}
+export function redactSensitiveText(text, options) {
+    if (!text)
+        return text;
+    const resolved = options ?? resolveConfigRedaction();
+    if (normalizeMode(resolved.mode) === "off")
+        return text;
+    const patterns = resolvePatterns(resolved.patterns);
+    if (!patterns.length)
+        return text;
+    return redactText(text, patterns);
+}
+export function redactToolDetail(detail) {
+    const resolved = resolveConfigRedaction();
+    if (normalizeMode(resolved.mode) !== "tools")
+        return detail;
+    return redactSensitiveText(detail, resolved);
+}
+export function getDefaultRedactPatterns() {
+    return [...DEFAULT_REDACT_PATTERNS];
+}

package/dist/markdown/fences.js

@@ -0,0 +1,58 @@
+export function parseFenceSpans(buffer) {
+    const spans = [];
+    let open;
+    let offset = 0;
+    while (offset <= buffer.length) {
+        const nextNewline = buffer.indexOf("\n", offset);
+        const lineEnd = nextNewline === -1 ? buffer.length : nextNewline;
+        const line = buffer.slice(offset, lineEnd);
+        const match = line.match(/^( {0,3})(`{3,}|~{3,})(.*)$/);
+        if (match) {
+            const indent = match[1];
+            const marker = match[2];
+            const markerChar = marker[0];
+            const markerLen = marker.length;
+            if (!open) {
+                open = {
+                    start: offset,
+                    markerChar,
+                    markerLen,
+                    openLine: line,
+                    marker,
+                    indent,
+                };
+            }
+            else if (open.markerChar === markerChar &&
+                markerLen >= open.markerLen) {
+                const end = nextNewline === -1 ? buffer.length : nextNewline + 1;
+                spans.push({
+                    start: open.start,
+                    end,
+                    openLine: open.openLine,
+                    marker: open.marker,
+                    indent: open.indent,
+                });
+                open = undefined;
+            }
+        }
+        if (nextNewline === -1)
+            break;
+        offset = nextNewline + 1;
+    }
+    if (open) {
+        spans.push({
+            start: open.start,
+            end: buffer.length,
+            openLine: open.openLine,
+            marker: open.marker,
+            indent: open.indent,
+        });
+    }
+    return spans;
+}
+export function findFenceSpanAt(spans, index) {
+    return spans.find((span) => index > span.start && index < span.end);
+}
+export function isSafeFenceBreak(spans, index) {
+    return !findFenceSpanAt(spans, index);
+}

package/dist/memory/embeddings.js

@@ -0,0 +1,146 @@
+import { resolveApiKeyForProvider } from "../agents/model-auth.js";
+const DEFAULT_OPENAI_BASE_URL = "https://api.openai.com/v1";
+const DEFAULT_LOCAL_MODEL = "hf:ggml-org/embeddinggemma-300M-GGUF/embeddinggemma-300M-Q8_0.gguf";
+function normalizeOpenAiModel(model) {
+    const trimmed = model.trim();
+    if (!trimmed)
+        return "text-embedding-3-small";
+    if (trimmed.startsWith("openai/"))
+        return trimmed.slice("openai/".length);
+    return trimmed;
+}
+async function createOpenAiEmbeddingProvider(options) {
+    const remote = options.remote;
+    const remoteApiKey = remote?.apiKey?.trim();
+    const remoteBaseUrl = remote?.baseUrl?.trim();
+    const { apiKey } = remoteApiKey
+        ? { apiKey: remoteApiKey }
+        : await resolveApiKeyForProvider({
+            provider: "openai",
+            cfg: options.config,
+            agentDir: options.agentDir,
+        });
+    const providerConfig = options.config.models?.providers?.openai;
+    const baseUrl = remoteBaseUrl || providerConfig?.baseUrl?.trim() || DEFAULT_OPENAI_BASE_URL;
+    const url = `${baseUrl.replace(/\/$/, "")}/embeddings`;
+    const headerOverrides = Object.assign({}, providerConfig?.headers, remote?.headers);
+    const headers = {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`,
+        ...headerOverrides,
+    };
+    const model = normalizeOpenAiModel(options.model);
+    const embed = async (input) => {
+        if (input.length === 0)
+            return [];
+        const res = await fetch(url, {
+            method: "POST",
+            headers,
+            body: JSON.stringify({ model, input }),
+        });
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`openai embeddings failed: ${res.status} ${text}`);
+        }
+        const payload = (await res.json());
+        const data = payload.data ?? [];
+        return data.map((entry) => entry.embedding ?? []);
+    };
+    return {
+        id: "openai",
+        model,
+        embedQuery: async (text) => {
+            const [vec] = await embed([text]);
+            return vec ?? [];
+        },
+        embedBatch: embed,
+    };
+}
+async function createLocalEmbeddingProvider(options) {
+    const modelPath = options.local?.modelPath?.trim() || DEFAULT_LOCAL_MODEL;
+    const modelCacheDir = options.local?.modelCacheDir?.trim();
+    // Lazy-load node-llama-cpp to keep startup light unless local is enabled.
+    const moduleName = "node-llama-cpp";
+    const { getLlama, resolveModelFile, LlamaLogLevel } = (await import(moduleName));
+    let llama = null;
+    let embeddingModel = null;
+    let embeddingContext = null;
+    const ensureContext = async () => {
+        if (!llama) {
+            llama = await getLlama({ logLevel: LlamaLogLevel.error });
+        }
+        if (!embeddingModel) {
+            const resolved = await resolveModelFile(modelPath, modelCacheDir || undefined);
+            embeddingModel = await llama.loadModel({ modelPath: resolved });
+        }
+        if (!embeddingContext) {
+            embeddingContext = await embeddingModel.createEmbeddingContext();
+        }
+        return embeddingContext;
+    };
+    return {
+        id: "local",
+        model: modelPath,
+        embedQuery: async (text) => {
+            const ctx = await ensureContext();
+            const embedding = await ctx.getEmbeddingFor(text);
+            return Array.from(embedding.vector);
+        },
+        embedBatch: async (texts) => {
+            const ctx = await ensureContext();
+            const embeddings = await Promise.all(texts.map(async (text) => {
+                const embedding = await ctx.getEmbeddingFor(text);
+                return Array.from(embedding.vector);
+            }));
+            return embeddings;
+        },
+    };
+}
+export async function createEmbeddingProvider(options) {
+    const requestedProvider = options.provider;
+    if (options.provider === "local") {
+        try {
+            const provider = await createLocalEmbeddingProvider(options);
+            return { provider, requestedProvider };
+        }
+        catch (err) {
+            const reason = formatLocalSetupError(err);
+            if (options.fallback === "openai") {
+                try {
+                    const provider = await createOpenAiEmbeddingProvider(options);
+                    return {
+                        provider,
+                        requestedProvider,
+                        fallbackFrom: "local",
+                        fallbackReason: reason,
+                    };
+                }
+                catch (fallbackErr) {
+                    throw new Error(`${reason}\n\nFallback to OpenAI failed: ${formatError(fallbackErr)}`);
+                }
+            }
+            throw new Error(reason);
+        }
+    }
+    const provider = await createOpenAiEmbeddingProvider(options);
+    return { provider, requestedProvider };
+}
+function formatError(err) {
+    if (err instanceof Error)
+        return err.message;
+    return String(err);
+}
+function formatLocalSetupError(err) {
+    const detail = formatError(err);
+    return [
+        "Local embeddings unavailable.",
+        detail ? `Reason: ${detail}` : undefined,
+        "To enable local embeddings:",
+        "1) pnpm approve-builds",
+        "2) select node-llama-cpp",
+        "3) pnpm rebuild node-llama-cpp",
+        'Or set agent.memorySearch.provider = "openai" (remote).',
+    ]
+        .filter(Boolean)
+        .join("\n");
+}