@jcode.labs/mimir 0.2.1 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +28 -0
- package/README.md +49 -0
- package/SECURITY-HARDENING.md +156 -0
- package/SECURITY.md +21 -0
- package/dist/access-log.d.ts +10 -0
- package/dist/access-log.d.ts.map +1 -0
- package/dist/access-log.js +29 -0
- package/dist/access-log.js.map +1 -0
- package/dist/cli.js +53 -1
- package/dist/cli.js.map +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +49 -0
- package/dist/config.js.map +1 -1
- package/dist/destroy.d.ts +3 -0
- package/dist/destroy.d.ts.map +1 -0
- package/dist/destroy.js +16 -0
- package/dist/destroy.js.map +1 -0
- package/dist/embeddings.d.ts.map +1 -1
- package/dist/embeddings.js +2 -0
- package/dist/embeddings.js.map +1 -1
- package/dist/files.js +1 -1
- package/dist/files.js.map +1 -1
- package/dist/index.d.ts +4 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +3 -0
- package/dist/index.js.map +1 -1
- package/dist/ingest.d.ts.map +1 -1
- package/dist/ingest.js +12 -1
- package/dist/ingest.js.map +1 -1
- package/dist/init.d.ts.map +1 -1
- package/dist/init.js +9 -0
- package/dist/init.js.map +1 -1
- package/dist/mcp.d.ts.map +1 -1
- package/dist/mcp.js +15 -4
- package/dist/mcp.js.map +1 -1
- package/dist/network.d.ts +4 -0
- package/dist/network.d.ts.map +1 -0
- package/dist/network.js +59 -0
- package/dist/network.js.map +1 -0
- package/dist/query.d.ts.map +1 -1
- package/dist/query.js +17 -1
- package/dist/query.js.map +1 -1
- package/dist/redaction.d.ts +7 -0
- package/dist/redaction.d.ts.map +1 -0
- package/dist/redaction.js +63 -0
- package/dist/redaction.js.map +1 -0
- package/dist/security.d.ts +3 -0
- package/dist/security.d.ts.map +1 -0
- package/dist/security.js +86 -0
- package/dist/security.js.map +1 -0
- package/dist/types.d.ts +67 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/version.d.ts +1 -1
- package/dist/version.js +1 -1
- package/package.json +7 -3
- package/skills/mimir/SKILL.md +12 -2
package/CHANGELOG.md
ADDED
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
## 0.3.0 - 2026-06-28
|
|
4
|
+
|
|
5
|
+
- Add confidentiality hardening defaults: local-only Ollama network policy, built-in
|
|
6
|
+
redaction before indexing, metadata-only access logs, and bounded MCP retrieval.
|
|
7
|
+
- Add `kb security-audit` for zero-telemetry, network, redaction, gitignore, storage, and
|
|
8
|
+
MCP posture checks.
|
|
9
|
+
- Add `kb destroy-index --yes` to remove generated vector indexes.
|
|
10
|
+
- Add release verification artifacts: npm tarball, SHA256 checksums, SBOM, and manifest.
|
|
11
|
+
- Document air-gapped operation, threat model, MCP hardening, and secure deletion limits.
|
|
12
|
+
|
|
13
|
+
## 0.2.1 - 2026-06-28
|
|
14
|
+
|
|
15
|
+
- Add GitHub Sponsors funding metadata and document suggested sponsor tiers.
|
|
16
|
+
- Add maintainer positioning for Jean-Baptiste Thery and JCode Labs in the README.
|
|
17
|
+
- Make `kb init` and `kb install-skill` automatically keep `.kb/` and `.mimir/`
|
|
18
|
+
ignored by Git.
|
|
19
|
+
|
|
20
|
+
## 0.2.0 - 2026-06-28
|
|
21
|
+
|
|
22
|
+
- Rename public product branding to Mimir while keeping the JCode Labs npm scope.
|
|
23
|
+
- Add the bundled portable `mimir` agent skill.
|
|
24
|
+
- Add the MCP stdio server with `mimir_status`, `mimir_search`, `mimir_ask`, and
|
|
25
|
+
`mimir_audit`.
|
|
26
|
+
- Add production smoke coverage for the built CLI and MCP server.
|
|
27
|
+
- Add Biome, commitlint, publint, CodeQL, Dependabot grouping, protected npm publishing,
|
|
28
|
+
and open-source contribution/security documentation.
|
package/README.md
CHANGED
|
@@ -110,6 +110,7 @@ pnpm exec kb ingest
|
|
|
110
110
|
pnpm exec kb search "vendor invoice status"
|
|
111
111
|
pnpm exec kb ask "What do the documents prove?"
|
|
112
112
|
pnpm exec kb audit
|
|
113
|
+
pnpm exec kb security-audit
|
|
113
114
|
pnpm exec kb status
|
|
114
115
|
```
|
|
115
116
|
|
|
@@ -121,6 +122,7 @@ npx kb ingest
|
|
|
121
122
|
npx kb search "vendor invoice status"
|
|
122
123
|
npx kb ask "What do the documents prove?"
|
|
123
124
|
npx kb audit
|
|
125
|
+
npx kb security-audit
|
|
124
126
|
npx kb status
|
|
125
127
|
```
|
|
126
128
|
|
|
@@ -157,6 +159,7 @@ MCP tools exposed:
|
|
|
157
159
|
- `mimir_search`
|
|
158
160
|
- `mimir_ask`
|
|
159
161
|
- `mimir_audit`
|
|
162
|
+
- `mimir_security_audit`
|
|
160
163
|
|
|
161
164
|
Print the bundled skill path from the installed package:
|
|
162
165
|
|
|
@@ -175,12 +178,40 @@ your-project/
|
|
|
175
178
|
.kb/config.json # local config
|
|
176
179
|
.kb/sources.txt # optional extra source paths
|
|
177
180
|
.kb/storage/ # generated LanceDB index
|
|
181
|
+
.kb/access.log # metadata-only access log
|
|
178
182
|
```
|
|
179
183
|
|
|
180
184
|
The package never ships project documents. `kb init` adds gitignore entries for `.kb/`
|
|
181
185
|
and `private/**`, and `kb install-skill` keeps `.mimir/` ignored as generated local agent
|
|
182
186
|
state.
|
|
183
187
|
|
|
188
|
+
## Confidentiality Defaults
|
|
189
|
+
|
|
190
|
+
Mimir is designed for private repositories and sensitive local evidence.
|
|
191
|
+
|
|
192
|
+
- Zero telemetry: no analytics or document content is sent to JCode Labs.
|
|
193
|
+
- Local-only network policy: Ollama must be on loopback by default.
|
|
194
|
+
- Redaction before indexing: common secrets and identifiers are redacted before chunks are
|
|
195
|
+
embedded and stored.
|
|
196
|
+
- Metadata-only access logs: query hashes and action metadata are logged, not raw queries.
|
|
197
|
+
- MCP is read-focused and bounded by `mcpMaxTopK`.
|
|
198
|
+
- Generated local state is ignored by Git.
|
|
199
|
+
|
|
200
|
+
Run:
|
|
201
|
+
|
|
202
|
+
```bash
|
|
203
|
+
pnpm exec kb security-audit --strict
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
Remove the generated vector index:
|
|
207
|
+
|
|
208
|
+
```bash
|
|
209
|
+
pnpm exec kb destroy-index --yes
|
|
210
|
+
```
|
|
211
|
+
|
|
212
|
+
For air-gapped operation, release verification, secure deletion limits, and threat model details,
|
|
213
|
+
read [`SECURITY-HARDENING.md`](./SECURITY-HARDENING.md).
|
|
214
|
+
|
|
184
215
|
## Supported Files
|
|
185
216
|
|
|
186
217
|
- Markdown: `.md`, `.mdx`
|
|
@@ -200,10 +231,19 @@ state.
|
|
|
200
231
|
"rawDir": "private",
|
|
201
232
|
"storageDir": ".kb/storage",
|
|
202
233
|
"sourcesFile": ".kb/sources.txt",
|
|
234
|
+
"accessLogPath": ".kb/access.log",
|
|
203
235
|
"tableName": "chunks",
|
|
204
236
|
"ollamaHost": "http://localhost:11434",
|
|
237
|
+
"networkPolicy": "local-only",
|
|
205
238
|
"embedModel": "nomic-embed-text",
|
|
206
239
|
"llmModel": "gemma4:latest",
|
|
240
|
+
"redaction": {
|
|
241
|
+
"enabled": true,
|
|
242
|
+
"builtIn": true,
|
|
243
|
+
"patterns": []
|
|
244
|
+
},
|
|
245
|
+
"accessLog": true,
|
|
246
|
+
"mcpMaxTopK": 10,
|
|
207
247
|
"topK": 5,
|
|
208
248
|
"chunkSize": 1200,
|
|
209
249
|
"chunkOverlap": 150
|
|
@@ -215,9 +255,15 @@ Environment overrides:
|
|
|
215
255
|
- `KB_RAW_DIR`
|
|
216
256
|
- `KB_STORAGE_DIR`
|
|
217
257
|
- `KB_SOURCES_FILE`
|
|
258
|
+
- `KB_ACCESS_LOG_PATH`
|
|
218
259
|
- `KB_OLLAMA_HOST`
|
|
260
|
+
- `KB_NETWORK_POLICY`
|
|
219
261
|
- `KB_EMBED_MODEL`
|
|
220
262
|
- `KB_LLM_MODEL`
|
|
263
|
+
- `KB_REDACTION_ENABLED`
|
|
264
|
+
- `KB_REDACTION_BUILT_IN`
|
|
265
|
+
- `KB_ACCESS_LOG`
|
|
266
|
+
- `KB_MCP_MAX_TOP_K`
|
|
221
267
|
- `KB_TOP_K`
|
|
222
268
|
- `KB_CHUNK_SIZE`
|
|
223
269
|
- `KB_CHUNK_OVERLAP`
|
|
@@ -235,6 +281,9 @@ const answer = await ask("What documents support the project timeline?")
|
|
|
235
281
|
## Privacy
|
|
236
282
|
|
|
237
283
|
- Embeddings and answers use local Ollama by default.
|
|
284
|
+
- Remote Ollama hosts are blocked unless `networkPolicy` explicitly allows them.
|
|
285
|
+
- Built-in redaction runs before indexing by default.
|
|
286
|
+
- Access logs store query hashes, not raw queries.
|
|
238
287
|
- The vector index is stored locally.
|
|
239
288
|
- Raw private documents should stay in the target repository's ignored `private/` folder.
|
|
240
289
|
- Do not put secrets or scans inside this package repository.
|
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
# Mimir Security Hardening
|
|
2
|
+
|
|
3
|
+
Mimir is a local-first knowledge base for private project documents. It is built to minimize
|
|
4
|
+
data movement, but it is not a certified high-assurance system.
|
|
5
|
+
|
|
6
|
+
## Current Guarantees
|
|
7
|
+
|
|
8
|
+
- Zero telemetry: Mimir does not send usage analytics or document content to JCode Labs.
|
|
9
|
+
- Local-only network policy by default: document text can only be sent to loopback Ollama hosts
|
|
10
|
+
unless the repository explicitly opts in to broader network access.
|
|
11
|
+
- Redaction before indexing: built-in DLP patterns redact common secrets and identifiers before
|
|
12
|
+
chunks are embedded and stored.
|
|
13
|
+
- Metadata-only access logs: access logs contain action metadata and query hashes, not raw
|
|
14
|
+
queries or retrieved text.
|
|
15
|
+
- Generated local state is ignored by Git: `.kb/`, `.mimir/`, and `private/**` are ignored by
|
|
16
|
+
default.
|
|
17
|
+
- MCP is read-focused: destructive tools are not exposed over MCP, and MCP retrieval is capped by
|
|
18
|
+
`mcpMaxTopK`.
|
|
19
|
+
- npm releases are published with provenance from the protected GitHub Actions workflow.
|
|
20
|
+
- Release artifacts include a package tarball, SHA256 checksums, SBOM, and manifest.
|
|
21
|
+
|
|
22
|
+
## Threat Model
|
|
23
|
+
|
|
24
|
+
Mimir protects against accidental repository leaks, accidental remote LLM usage, accidental secret
|
|
25
|
+
indexing, and weak release traceability.
|
|
26
|
+
|
|
27
|
+
Mimir does not protect against a compromised local machine, malicious dependencies already present
|
|
28
|
+
in the runtime, a user with filesystem access to the same checkout, or forensic recovery from an
|
|
29
|
+
unencrypted disk.
|
|
30
|
+
|
|
31
|
+
## At-Rest Encryption
|
|
32
|
+
|
|
33
|
+
Native encrypted LanceDB storage is not implemented yet. For sensitive environments, put the
|
|
34
|
+
repository and `.kb/` on an encrypted volume:
|
|
35
|
+
|
|
36
|
+
- macOS: FileVault or an encrypted APFS volume.
|
|
37
|
+
- Linux: LUKS, fscrypt, or an encrypted VM disk.
|
|
38
|
+
- Containers/VMs: mount `.kb/` on an encrypted host volume.
|
|
39
|
+
|
|
40
|
+
`kb destroy-index --yes` removes generated index files, but secure deletion on SSDs and copy-on-write
|
|
41
|
+
filesystems cannot be guaranteed without encrypted storage and key destruction.
|
|
42
|
+
|
|
43
|
+
## Air-Gapped Operation
|
|
44
|
+
|
|
45
|
+
Prepare artifacts on an internet-connected build machine:
|
|
46
|
+
|
|
47
|
+
```bash
|
|
48
|
+
pnpm install --frozen-lockfile
|
|
49
|
+
pnpm build
|
|
50
|
+
pnpm release:artifacts
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
Move the generated tarball from `release-artifacts/` into the offline environment and install it:
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
pnpm add -D ./jcode.labs-mimir-<version>.tgz
|
|
57
|
+
pnpm exec kb init
|
|
58
|
+
pnpm exec kb ingest
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
Ollama and the required models must also be preloaded inside the offline environment.
|
|
62
|
+
|
|
63
|
+
## Zero Network Posture
|
|
64
|
+
|
|
65
|
+
Default config:
|
|
66
|
+
|
|
67
|
+
```json
|
|
68
|
+
{
|
|
69
|
+
"ollamaHost": "http://localhost:11434",
|
|
70
|
+
"networkPolicy": "local-only"
|
|
71
|
+
}
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
Allowed policies:
|
|
75
|
+
|
|
76
|
+
- `local-only`: only loopback hosts such as `localhost` and `127.0.0.1`.
|
|
77
|
+
- `allow-private`: loopback and private LAN hosts.
|
|
78
|
+
- `allow-any`: any host. Use only when the remote endpoint is explicitly trusted.
|
|
79
|
+
|
|
80
|
+
Run:
|
|
81
|
+
|
|
82
|
+
```bash
|
|
83
|
+
pnpm exec kb security-audit --strict
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
## DLP Redaction
|
|
87
|
+
|
|
88
|
+
Built-in redaction is enabled by default for common secret and identifier shapes: private keys,
|
|
89
|
+
JWTs, API tokens, emails, IBANs, and card-like numbers.
|
|
90
|
+
|
|
91
|
+
Custom patterns can be added in `.kb/config.json`:
|
|
92
|
+
|
|
93
|
+
```json
|
|
94
|
+
{
|
|
95
|
+
"redaction": {
|
|
96
|
+
"enabled": true,
|
|
97
|
+
"builtIn": true,
|
|
98
|
+
"patterns": [
|
|
99
|
+
{
|
|
100
|
+
"name": "internal_case_id",
|
|
101
|
+
"pattern": "CASE-[0-9]+",
|
|
102
|
+
"replacement": "[CASE]"
|
|
103
|
+
}
|
|
104
|
+
]
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
Redaction changes the indexed text, not the raw files under `private/`.
|
|
110
|
+
|
|
111
|
+
## MCP Hardening
|
|
112
|
+
|
|
113
|
+
MCP gives an agent access to retrieved private context. Use it only for agents running under the
|
|
114
|
+
same trust boundary as the repository.
|
|
115
|
+
|
|
116
|
+
Mimir MCP defaults:
|
|
117
|
+
|
|
118
|
+
- read-focused tools only;
|
|
119
|
+
- no index deletion tool exposed over MCP;
|
|
120
|
+
- bounded retrieval through `mcpMaxTopK`;
|
|
121
|
+
- metadata-only access logging.
|
|
122
|
+
|
|
123
|
+
For team use, prefer one checkout per user or per role. Mimir does not implement RBAC.
|
|
124
|
+
|
|
125
|
+
## Release Verification
|
|
126
|
+
|
|
127
|
+
The protected npm workflow runs validation, generates release artifacts, and publishes with
|
|
128
|
+
provenance:
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
npm publish --access public --provenance
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
Release artifacts include:
|
|
135
|
+
|
|
136
|
+
- npm tarball;
|
|
137
|
+
- `SHA256SUMS`;
|
|
138
|
+
- CycloneDX SBOM;
|
|
139
|
+
- `release-manifest.json`.
|
|
140
|
+
|
|
141
|
+
Verify checksums offline with:
|
|
142
|
+
|
|
143
|
+
```bash
|
|
144
|
+
sha256sum -c SHA256SUMS
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
On macOS:
|
|
148
|
+
|
|
149
|
+
```bash
|
|
150
|
+
shasum -a 256 -c SHA256SUMS
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
## External Audit Status
|
|
154
|
+
|
|
155
|
+
No external security audit has been completed yet. Treat Mimir as useful hardening for private
|
|
156
|
+
developer workflows, not as military-grade certified software.
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Supported Versions
|
|
4
|
+
|
|
5
|
+
Only the latest published version of `@jcode.labs/mimir` receives security fixes.
|
|
6
|
+
|
|
7
|
+
## Reporting A Vulnerability
|
|
8
|
+
|
|
9
|
+
Please report vulnerabilities privately by email:
|
|
10
|
+
|
|
11
|
+
```plain text
|
|
12
|
+
contact@jcode.works
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
Do not open public issues for vulnerabilities, leaked secrets, credential exposure,
|
|
16
|
+
or private document disclosure.
|
|
17
|
+
|
|
18
|
+
## Data Boundary
|
|
19
|
+
|
|
20
|
+
Mimir is designed to index local project documents. Raw project documents,
|
|
21
|
+
`.kb/storage/`, environment files, and credentials must remain outside commits.
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
import type { Config } from "./types.js";
|
|
2
|
+
export interface AccessLogEvent {
|
|
3
|
+
action: "ingest" | "search" | "ask" | "destroy-index";
|
|
4
|
+
query?: string;
|
|
5
|
+
topK?: number;
|
|
6
|
+
resultCount?: number;
|
|
7
|
+
redactions?: number;
|
|
8
|
+
}
|
|
9
|
+
export declare function recordAccess(config: Config, event: AccessLogEvent): Promise<void>;
|
|
10
|
+
//# sourceMappingURL=access-log.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"access-log.d.ts","sourceRoot":"","sources":["../src/access-log.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAExC,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,QAAQ,GAAG,QAAQ,GAAG,KAAK,GAAG,eAAe,CAAA;IACrD,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAWvF"}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
import { createHash } from "node:crypto";
|
|
2
|
+
import { appendFile, mkdir } from "node:fs/promises";
|
|
3
|
+
import path from "node:path";
|
|
4
|
+
export async function recordAccess(config, event) {
|
|
5
|
+
if (!config.accessLog) {
|
|
6
|
+
return;
|
|
7
|
+
}
|
|
8
|
+
try {
|
|
9
|
+
await mkdir(path.dirname(config.accessLogPath), { recursive: true });
|
|
10
|
+
await appendFile(config.accessLogPath, `${JSON.stringify(toLogLine(event))}\n`, "utf8");
|
|
11
|
+
}
|
|
12
|
+
catch {
|
|
13
|
+
// Access logging is best-effort so read-only workspaces do not block local use.
|
|
14
|
+
}
|
|
15
|
+
}
|
|
16
|
+
function toLogLine(event) {
|
|
17
|
+
return {
|
|
18
|
+
timestamp: new Date().toISOString(),
|
|
19
|
+
action: event.action,
|
|
20
|
+
queryHash: event.query ? hashQuery(event.query) : undefined,
|
|
21
|
+
topK: event.topK,
|
|
22
|
+
resultCount: event.resultCount,
|
|
23
|
+
redactions: event.redactions,
|
|
24
|
+
};
|
|
25
|
+
}
|
|
26
|
+
function hashQuery(query) {
|
|
27
|
+
return createHash("sha256").update(query).digest("hex");
|
|
28
|
+
}
|
|
29
|
+
//# sourceMappingURL=access-log.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"access-log.js","sourceRoot":"","sources":["../src/access-log.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAA;AACpD,OAAO,IAAI,MAAM,WAAW,CAAA;AAW5B,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAc,EAAE,KAAqB;IACtE,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,OAAM;IACR,CAAC;IAED,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;QACpE,MAAM,UAAU,CAAC,MAAM,CAAC,aAAa,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;IACzF,CAAC;IAAC,MAAM,CAAC;QACP,gFAAgF;IAClF,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAqB;IACtC,OAAO;QACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QAC3D,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,UAAU,EAAE,KAAK,CAAC,UAAU;KAC7B,CAAA;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AACzD,CAAC"}
|
package/dist/cli.js
CHANGED
|
@@ -2,10 +2,12 @@
|
|
|
2
2
|
import { Command } from "commander";
|
|
3
3
|
import pc from "picocolors";
|
|
4
4
|
import { loadConfig } from "./config.js";
|
|
5
|
+
import { destroyIndex } from "./destroy.js";
|
|
5
6
|
import { audit, ingest } from "./ingest.js";
|
|
6
7
|
import { initProject } from "./init.js";
|
|
7
8
|
import { serveMcp } from "./mcp.js";
|
|
8
9
|
import { ask, search } from "./query.js";
|
|
10
|
+
import { securityAudit } from "./security.js";
|
|
9
11
|
import { bundledSkillPath, installSkill } from "./skill.js";
|
|
10
12
|
import { countRows } from "./store.js";
|
|
11
13
|
import { VERSION } from "./version.js";
|
|
@@ -34,7 +36,7 @@ program
|
|
|
34
36
|
.option("--rebuild", "Accepted for compatibility; ingest always rebuilds the local index.")
|
|
35
37
|
.action(async () => {
|
|
36
38
|
const result = await ingest({ cwd: process.cwd(), rebuild: true });
|
|
37
|
-
console.log(pc.green(`Done. indexedFiles=${result.indexedFiles} chunks=${result.chunks} skippedFiles=${result.skippedFiles} errors=${result.errors.length}`));
|
|
39
|
+
console.log(pc.green(`Done. indexedFiles=${result.indexedFiles} chunks=${result.chunks} skippedFiles=${result.skippedFiles} redactions=${result.redactions} errors=${result.errors.length}`));
|
|
38
40
|
for (const error of result.errors) {
|
|
39
41
|
console.error(pc.red(` - ${error.path}: ${error.message}`));
|
|
40
42
|
}
|
|
@@ -105,10 +107,60 @@ program
|
|
|
105
107
|
console.log(`rawDir=${config.rawDir}`);
|
|
106
108
|
console.log(`storageDir=${config.storageDir}`);
|
|
107
109
|
console.log(`sourcesFile=${config.sourcesFile}`);
|
|
110
|
+
console.log(`accessLogPath=${config.accessLogPath}`);
|
|
111
|
+
console.log(`networkPolicy=${config.networkPolicy}`);
|
|
108
112
|
console.log(`embedModel=${config.embedModel}`);
|
|
109
113
|
console.log(`llmModel=${config.llmModel}`);
|
|
114
|
+
console.log(`redactionEnabled=${config.redaction.enabled}`);
|
|
115
|
+
console.log(`accessLog=${config.accessLog}`);
|
|
116
|
+
console.log(`mcpMaxTopK=${config.mcpMaxTopK}`);
|
|
110
117
|
console.log(`chunksIndexed=${rows}`);
|
|
111
118
|
});
|
|
119
|
+
program
|
|
120
|
+
.command("security-audit")
|
|
121
|
+
.description("Show local privacy, network, redaction, MCP, and gitignore posture.")
|
|
122
|
+
.option("--json", "Print machine-readable JSON.")
|
|
123
|
+
.option("--strict", "Exit with code 1 when warnings are present.")
|
|
124
|
+
.action(async (options) => {
|
|
125
|
+
const report = await securityAudit(process.cwd());
|
|
126
|
+
if (options.json) {
|
|
127
|
+
console.log(JSON.stringify(report, null, 2));
|
|
128
|
+
}
|
|
129
|
+
else {
|
|
130
|
+
console.log(`zeroTelemetry=${report.zeroTelemetry}`);
|
|
131
|
+
console.log(`networkPolicy=${report.network.policy}`);
|
|
132
|
+
console.log(`ollamaHost=${report.network.ollamaHost}`);
|
|
133
|
+
console.log(`ollamaHostClassification=${report.network.classification}`);
|
|
134
|
+
console.log(`redactionEnabled=${report.redaction.enabled}`);
|
|
135
|
+
console.log(`redactionBuiltIn=${report.redaction.builtIn}`);
|
|
136
|
+
console.log(`accessLog=${report.accessLog.enabled}`);
|
|
137
|
+
console.log(`accessLogStoresRawQueries=${report.accessLog.storesRawQueries}`);
|
|
138
|
+
console.log(`storageGitIgnored=${report.storage.gitIgnored}`);
|
|
139
|
+
console.log(`mcpMaxTopK=${report.mcp.maxTopK}`);
|
|
140
|
+
console.log(`mcpDestructiveToolsExposed=${report.mcp.destructiveToolsExposed}`);
|
|
141
|
+
for (const warning of report.warnings) {
|
|
142
|
+
console.log(pc.yellow(`warning: ${warning}`));
|
|
143
|
+
}
|
|
144
|
+
}
|
|
145
|
+
if (options.strict && report.warnings.length > 0) {
|
|
146
|
+
process.exitCode = 1;
|
|
147
|
+
}
|
|
148
|
+
});
|
|
149
|
+
program
|
|
150
|
+
.command("destroy-index")
|
|
151
|
+
.description("Remove the generated local vector index from .kb/storage.")
|
|
152
|
+
.option("--yes", "Confirm deletion without an interactive prompt.")
|
|
153
|
+
.action(async (options) => {
|
|
154
|
+
if (!options.yes) {
|
|
155
|
+
console.error(pc.red("Refusing to delete the index without --yes."));
|
|
156
|
+
process.exitCode = 1;
|
|
157
|
+
return;
|
|
158
|
+
}
|
|
159
|
+
const result = await destroyIndex(process.cwd());
|
|
160
|
+
console.log(`storageDir=${result.storageDir}`);
|
|
161
|
+
console.log(`removed=${result.removed}`);
|
|
162
|
+
console.log(result.note);
|
|
163
|
+
});
|
|
112
164
|
program
|
|
113
165
|
.command("serve-mcp")
|
|
114
166
|
.description("Start the MCP server over stdio for Claude, Codex, and other MCP-compatible agents.")
|
package/dist/cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,MAAM,YAAY,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AACvC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAA;AACnC,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AACxC,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAEtC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;AAE7B,OAAO;KACJ,IAAI,CAAC,IAAI,CAAC;KACV,WAAW,CAAC,+DAA+D,CAAC;KAC5E,OAAO,CAAC,OAAO,CAAC,CAAA;AAEnB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,iFAAiF,CAAC;KAC9F,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAChD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAA;QAC7C,OAAM;IACR,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAA;IACjC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAA;IAC5B,CAAC;AACH,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,oFAAoF,CAAC;KACjG,MAAM,CAAC,WAAW,EAAE,qEAAqE,CAAC;KAC1F,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAA;IAClE,OAAO,CAAC,GAAG,CACT,EAAE,CAAC,KAAK,CACN,sBAAsB,MAAM,CAAC,YAAY,WAAW,MAAM,CAAC,MAAM,iBAAiB,MAAM,CAAC,YAAY,WAAW,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,MAAM,YAAY,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AACvC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAA;AACnC,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAC7C,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAEtC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;AAE7B,OAAO;KACJ,IAAI,CAAC,IAAI,CAAC;KACV,WAAW,CAAC,+DAA+D,CAAC;KAC5E,OAAO,CAAC,OAAO,CAAC,CAAA;AAEnB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,iFAAiF,CAAC;KAC9F,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAChD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAA;QAC7C,OAAM;IACR,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAA;IACjC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAA;IAC5B,CAAC;AACH,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,oFAAoF,CAAC;KACjG,MAAM,CAAC,WAAW,EAAE,qEAAqE,CAAC;KAC1F,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAA;IAClE,OAAO,CAAC,GAAG,CACT,EAAE,CAAC,KAAK,CACN,sBAAsB,MAAM,CAAC,YAAY,WAAW,MAAM,CAAC,MAAM,iBAAiB,MAAM,CAAC,YAAY,eAAe,MAAM,CAAC,UAAU,WAAW,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CACvK,CACF,CAAA;IACD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;IAC9D,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAA;IACtB,CAAC;AACH,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,6DAA6D,CAAC;KAC1E,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;KACpC,MAAM,CAAC,sBAAsB,EAAE,+BAA+B,EAAE,gBAAgB,CAAC;KACjF,MAAM,CAAC,KAAK,EAAE,KAAa,EAAE,OAA0B,EAAE,EAAE;IAC1D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;IAC3D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,sDAAsD,CAAC,CAAC,CAAA;QAChF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAA;QACpB,OAAM;IACR,CAAC;IAED,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;QAC9E,OAAO,CAAC,GAAG,CACT,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC,KAAK,MAAM,CAAC,YAAY,EAAE,CAAC,UAAU,MAAM,CAAC,UAAU,aAAa,QAAQ,EAAE,CACxG,CAAA;QACD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAA;IACxC,CAAC;AACH,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,sEAAsE,CAAC;KACnF,QAAQ,CAAC,SAAS,EAAE,qBAAqB,CAAC;KAC1C,MAAM,CAAC,sBAAsB,EAAE,4BAA4B,EAAE,gBAAgB,CAAC;KAC9E,MAAM,CAAC,KAAK,EAAE,KAAa,EAAE,OAA0B,EAAE,EAAE;IAC1D,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;IACvD,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,MAAM,IAAI,CAAC,CAAA;IACnC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAA;QAC/B,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,KAAK,MAAM,CAAC,YAAY,UAAU,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;QACnF,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,gEAAgE,CAAC;KAC7E,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IACzC,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAA;IAC7D,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAA;IACzD,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAA;IACjE,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAA;IAEzD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAA;IAC5C,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACvC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAA;IACvC,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAA;IACtB,CAAC;AACH,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,gDAAgD,CAAC;KAC7D,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAC9C,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACpC,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IACtC,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;IAC9C,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAA;IACpD,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAA;IACpD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;IAC9C,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAA;IAC1C,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAA;IAC3D,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,SAAS,EAAE,CAAC,CAAA;IAC5C,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;IAC9C,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAA;AACtC,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,WAAW,CAAC,qEAAqE,CAAC;KAClF,MAAM,CAAC,QAAQ,EAAE,8BAA8B,CAAC;KAChD,MAAM,CAAC,UAAU,EAAE,6CAA6C,CAAC;KACjE,MAAM,CAAC,KAAK,EAAE,OAA6C,EAAE,EAAE;IAC9D,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IACjD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC9C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAA;QACpD,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;QACrD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAA;QACtD,OAAO,CAAC,GAAG,CAAC,4BAA4B,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAA;QACxE,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAA;QAC3D,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAA;QAC3D,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAA;QACpD,OAAO,CAAC,GAAG,CAAC,6BAA6B,MAAM,CAAC,SAAS,CAAC,gBAAgB,EAAE,CAAC,CAAA;QAC7E,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAA;QAC7D,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QAC/C,OAAO,CAAC,GAAG,CAAC,8BAA8B,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,CAAC,CAAA;QAC/E,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,YAAY,OAAO,EAAE,CAAC,CAAC,CAAA;QAC/C,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAA;IACtB,CAAC;AACH,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,2DAA2D,CAAC;KACxE,MAAM,CAAC,OAAO,EAAE,iDAAiD,CAAC;KAClE,MAAM,CAAC,KAAK,EAAE,OAA0B,EAAE,EAAE;IAC3C,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC,CAAA;QACpE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAA;QACpB,OAAM;IACR,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAChD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;IAC9C,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;IACxC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;AAC1B,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CACV,qFAAqF,CACtF;KACA,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;AAC/B,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,YAAY,CAAC;KACrB,WAAW,CAAC,+EAA+E,CAAC;KAC5F,MAAM,CAAC,GAAG,EAAE;IACX,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC,CAAA;AACjC,CAAC,CAAC,CAAA;AAEJ,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,kFAAkF,CAAC;KAC/F,MAAM,CACL,qBAAqB,EACrB,oDAAoD,EACpD,eAAe,CAChB;KACA,MAAM,CAAC,KAAK,EAAE,OAA8B,EAAE,EAAE;IAC/C,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAA;IACvF,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAA;IACzC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAA;IAC5B,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,SAAS,EAAE,CAAC,CAAA;IAC9C,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAA;AAC5D,CAAC,CAAC,CAAA;AAEJ,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;AAEtC,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAA;IACjD,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,QAAQ,CAAC,IAAwB;IACxC,OAAO,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,CAAA;AACnF,CAAC"}
|
package/dist/config.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAuCxC,wBAAgB,eAAe,CAAC,KAAK,SAAgB,GAAG,MAAM,CAc7D;AAED,wBAAsB,UAAU,CAAC,KAAK,SAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAgCvE"}
|
package/dist/config.js
CHANGED
|
@@ -6,10 +6,28 @@ const rawConfigSchema = z.object({
|
|
|
6
6
|
rawDir: z.string().default("private"),
|
|
7
7
|
storageDir: z.string().default(".kb/storage"),
|
|
8
8
|
sourcesFile: z.string().default(".kb/sources.txt"),
|
|
9
|
+
accessLogPath: z.string().default(".kb/access.log"),
|
|
9
10
|
tableName: z.string().default("chunks"),
|
|
10
11
|
ollamaHost: z.string().default("http://localhost:11434"),
|
|
12
|
+
networkPolicy: z.enum(["local-only", "allow-private", "allow-any"]).default("local-only"),
|
|
11
13
|
embedModel: z.string().default("nomic-embed-text"),
|
|
12
14
|
llmModel: z.string().default("gemma4:latest"),
|
|
15
|
+
redaction: z
|
|
16
|
+
.object({
|
|
17
|
+
enabled: z.boolean().default(true),
|
|
18
|
+
builtIn: z.boolean().default(true),
|
|
19
|
+
patterns: z
|
|
20
|
+
.array(z.object({
|
|
21
|
+
name: z.string().min(1),
|
|
22
|
+
pattern: z.string().min(1),
|
|
23
|
+
flags: z.string().optional(),
|
|
24
|
+
replacement: z.string().optional(),
|
|
25
|
+
}))
|
|
26
|
+
.default([]),
|
|
27
|
+
})
|
|
28
|
+
.default({ enabled: true, builtIn: true, patterns: [] }),
|
|
29
|
+
accessLog: z.boolean().default(true),
|
|
30
|
+
mcpMaxTopK: z.number().int().positive().default(10),
|
|
13
31
|
topK: z.number().int().positive().default(5),
|
|
14
32
|
chunkSize: z.number().int().positive().default(1200),
|
|
15
33
|
chunkOverlap: z.number().int().nonnegative().default(150),
|
|
@@ -44,10 +62,15 @@ export async function loadConfig(start = process.cwd()) {
|
|
|
44
62
|
rawDir: resolveFromRoot(projectRoot, withEnv.rawDir),
|
|
45
63
|
storageDir: resolveFromRoot(projectRoot, withEnv.storageDir),
|
|
46
64
|
sourcesFile: resolveFromRoot(projectRoot, withEnv.sourcesFile),
|
|
65
|
+
accessLogPath: resolveFromRoot(projectRoot, withEnv.accessLogPath),
|
|
47
66
|
tableName: withEnv.tableName,
|
|
48
67
|
ollamaHost: withEnv.ollamaHost,
|
|
68
|
+
networkPolicy: withEnv.networkPolicy,
|
|
49
69
|
embedModel: withEnv.embedModel,
|
|
50
70
|
llmModel: withEnv.llmModel,
|
|
71
|
+
redaction: withEnv.redaction,
|
|
72
|
+
accessLog: withEnv.accessLog,
|
|
73
|
+
mcpMaxTopK: withEnv.mcpMaxTopK,
|
|
51
74
|
topK: withEnv.topK,
|
|
52
75
|
chunkSize: withEnv.chunkSize,
|
|
53
76
|
chunkOverlap: withEnv.chunkOverlap,
|
|
@@ -62,14 +85,40 @@ function applyEnv(config) {
|
|
|
62
85
|
rawDir: process.env.KB_RAW_DIR ?? config.rawDir,
|
|
63
86
|
storageDir: process.env.KB_STORAGE_DIR ?? config.storageDir,
|
|
64
87
|
sourcesFile: process.env.KB_SOURCES_FILE ?? config.sourcesFile,
|
|
88
|
+
accessLogPath: process.env.KB_ACCESS_LOG_PATH ?? config.accessLogPath,
|
|
65
89
|
ollamaHost: process.env.KB_OLLAMA_HOST ?? config.ollamaHost,
|
|
90
|
+
networkPolicy: readNetworkPolicyEnv("KB_NETWORK_POLICY", config.networkPolicy),
|
|
66
91
|
embedModel: process.env.KB_EMBED_MODEL ?? config.embedModel,
|
|
67
92
|
llmModel: process.env.KB_LLM_MODEL ?? config.llmModel,
|
|
93
|
+
redaction: {
|
|
94
|
+
...config.redaction,
|
|
95
|
+
enabled: readBooleanEnv("KB_REDACTION_ENABLED", config.redaction.enabled),
|
|
96
|
+
builtIn: readBooleanEnv("KB_REDACTION_BUILT_IN", config.redaction.builtIn),
|
|
97
|
+
},
|
|
98
|
+
accessLog: readBooleanEnv("KB_ACCESS_LOG", config.accessLog),
|
|
99
|
+
mcpMaxTopK: readPositiveIntEnv("KB_MCP_MAX_TOP_K", config.mcpMaxTopK),
|
|
68
100
|
topK: readPositiveIntEnv("KB_TOP_K", config.topK),
|
|
69
101
|
chunkSize: readPositiveIntEnv("KB_CHUNK_SIZE", config.chunkSize),
|
|
70
102
|
chunkOverlap: readNonNegativeIntEnv("KB_CHUNK_OVERLAP", config.chunkOverlap),
|
|
71
103
|
};
|
|
72
104
|
}
|
|
105
|
+
function readNetworkPolicyEnv(name, fallback) {
|
|
106
|
+
const raw = process.env[name];
|
|
107
|
+
if (raw === "local-only" || raw === "allow-private" || raw === "allow-any") {
|
|
108
|
+
return raw;
|
|
109
|
+
}
|
|
110
|
+
return fallback;
|
|
111
|
+
}
|
|
112
|
+
function readBooleanEnv(name, fallback) {
|
|
113
|
+
const raw = process.env[name]?.toLowerCase();
|
|
114
|
+
if (raw === "1" || raw === "true" || raw === "yes") {
|
|
115
|
+
return true;
|
|
116
|
+
}
|
|
117
|
+
if (raw === "0" || raw === "false" || raw === "no") {
|
|
118
|
+
return false;
|
|
119
|
+
}
|
|
120
|
+
return fallback;
|
|
121
|
+
}
|
|
73
122
|
function readPositiveIntEnv(name, fallback) {
|
|
74
123
|
const raw = process.env[name];
|
|
75
124
|
if (!raw) {
|
package/dist/config.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAA;AAC3C,OAAO,IAAI,MAAM,WAAW,CAAA;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;IACrC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,iBAAiB,CAAC;IAClD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;IACvC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,wBAAwB,CAAC;IACxD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,kBAAkB,CAAC;IAClD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC;IAC7C,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACpD,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;CAC1D,CAAC,CAAA;AAIF,MAAM,WAAW,GAAG,iBAAiB,CAAA;AAErC,MAAM,UAAU,eAAe,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE;IACnD,IAAI,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;IAEjC,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,EAAE,CAAC;YAChD,OAAO,OAAO,CAAA;QAChB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;QACpC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QAC5B,CAAC;QACD,OAAO,GAAG,MAAM,CAAA;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE;IACpD,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,CAAC,CAAA;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAA;IACtD,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAC;QAChC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAa;QAC7D,CAAC,CAAC,EAAE,CAAA;IAEN,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAA;IAEhC,IAAI,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAA;IAC/D,CAAC;IAED,OAAO;QACL,WAAW;QACX,MAAM,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC;QACpD,UAAU,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,UAAU,CAAC;QAC5D,WAAW,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,WAAW,CAAC;QAC9D,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAA;AACH,CAAC;AAED,SAAS,eAAe,CAAC,WAAmB,EAAE,KAAa;IACzD,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,CAAC,CAAA;AAC1E,CAAC;AAED,SAAS,QAAQ,CAAC,MAAiB;IACjC,OAAO;QACL,GAAG,MAAM;QACT,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,MAAM,CAAC,MAAM;QAC/C,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC,UAAU;QAC3D,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,MAAM,CAAC,WAAW;QAC9D,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC,UAAU;QAC3D,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC,UAAU;QAC3D,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,CAAC,QAAQ;QACrD,IAAI,EAAE,kBAAkB,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC;QACjD,SAAS,EAAE,kBAAkB,CAAC,eAAe,EAAE,MAAM,CAAC,SAAS,CAAC;QAChE,YAAY,EAAE,qBAAqB,CAAC,kBAAkB,EAAE,MAAM,CAAC,YAAY,CAAC;KAC7E,CAAA;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY,EAAE,QAAgB;IACxD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC7B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,QAAQ,CAAA;IACjB,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;IACtC,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAA;AAChE,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,QAAgB;IAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC7B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,QAAQ,CAAA;IACjB,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;IACtC,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAA;AACjE,CAAC"}
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAA;AAC3C,OAAO,IAAI,MAAM,WAAW,CAAA;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;IACrC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,iBAAiB,CAAC;IAClD,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,gBAAgB,CAAC;IACnD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;IACvC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,wBAAwB,CAAC;IACxD,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IACzF,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,kBAAkB,CAAC;IAClD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC;IAC7C,SAAS,EAAE,CAAC;SACT,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QAClC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QAClC,QAAQ,EAAE,CAAC;aACR,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;YACP,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACnC,CAAC,CACH;aACA,OAAO,CAAC,EAAE,CAAC;KACf,CAAC;SACD,OAAO,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC1D,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACpC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACnD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACpD,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;CAC1D,CAAC,CAAA;AAIF,MAAM,WAAW,GAAG,iBAAiB,CAAA;AAErC,MAAM,UAAU,eAAe,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE;IACnD,IAAI,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;IAEjC,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,EAAE,CAAC;YAChD,OAAO,OAAO,CAAA;QAChB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;QACpC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QAC5B,CAAC;QACD,OAAO,GAAG,MAAM,CAAA;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE;IACpD,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,CAAC,CAAA;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAA;IACtD,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,CAAC;QAChC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAa;QAC7D,CAAC,CAAC,EAAE,CAAA;IAEN,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAA;IAEhC,IAAI,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAA;IAC/D,CAAC;IAED,OAAO;QACL,WAAW;QACX,MAAM,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC;QACpD,UAAU,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,UAAU,CAAC;QAC5D,WAAW,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,WAAW,CAAC;QAC9D,aAAa,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,aAAa,CAAC;QAClE,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAA;AACH,CAAC;AAED,SAAS,eAAe,CAAC,WAAmB,EAAE,KAAa;IACzD,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,CAAC,CAAA;AAC1E,CAAC;AAED,SAAS,QAAQ,CAAC,MAAiB;IACjC,OAAO;QACL,GAAG,MAAM;QACT,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,MAAM,CAAC,MAAM;QAC/C,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC,UAAU;QAC3D,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,MAAM,CAAC,WAAW;QAC9D,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,MAAM,CAAC,aAAa;QACrE,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC,UAAU;QAC3D,aAAa,EAAE,oBAAoB,CAAC,mBAAmB,EAAE,MAAM,CAAC,aAAa,CAAC;QAC9E,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC,UAAU;QAC3D,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,CAAC,QAAQ;QACrD,SAAS,EAAE;YACT,GAAG,MAAM,CAAC,SAAS;YACnB,OAAO,EAAE,cAAc,CAAC,sBAAsB,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC;YACzE,OAAO,EAAE,cAAc,CAAC,uBAAuB,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC;SAC3E;QACD,SAAS,EAAE,cAAc,CAAC,eAAe,EAAE,MAAM,CAAC,SAAS,CAAC;QAC5D,UAAU,EAAE,kBAAkB,CAAC,kBAAkB,EAAE,MAAM,CAAC,UAAU,CAAC;QACrE,IAAI,EAAE,kBAAkB,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC;QACjD,SAAS,EAAE,kBAAkB,CAAC,eAAe,EAAE,MAAM,CAAC,SAAS,CAAC;QAChE,YAAY,EAAE,qBAAqB,CAAC,kBAAkB,EAAE,MAAM,CAAC,YAAY,CAAC;KAC7E,CAAA;AACH,CAAC;AAED,SAAS,oBAAoB,CAC3B,IAAY,EACZ,QAAoC;IAEpC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC7B,IAAI,GAAG,KAAK,YAAY,IAAI,GAAG,KAAK,eAAe,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;QAC3E,OAAO,GAAG,CAAA;IACZ,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,cAAc,CAAC,IAAY,EAAE,QAAiB;IACrD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,CAAA;IAC5C,IAAI,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QACnD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,IAAI,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACnD,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY,EAAE,QAAgB;IACxD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC7B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,QAAQ,CAAA;IACjB,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;IACtC,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAA;AAChE,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,QAAgB;IAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC7B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,QAAQ,CAAA;IACjB,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;IACtC,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAA;AACjE,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"destroy.d.ts","sourceRoot":"","sources":["../src/destroy.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAA;AAEpD,wBAAsB,YAAY,CAAC,GAAG,SAAgB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAYnF"}
|
package/dist/destroy.js
ADDED
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import { existsSync } from "node:fs";
|
|
2
|
+
import { rm } from "node:fs/promises";
|
|
3
|
+
import { recordAccess } from "./access-log.js";
|
|
4
|
+
import { loadConfig } from "./config.js";
|
|
5
|
+
export async function destroyIndex(cwd = process.cwd()) {
|
|
6
|
+
const config = await loadConfig(cwd);
|
|
7
|
+
const existed = existsSync(config.storageDir);
|
|
8
|
+
await recordAccess(config, { action: "destroy-index" });
|
|
9
|
+
await rm(config.storageDir, { recursive: true, force: true });
|
|
10
|
+
return {
|
|
11
|
+
storageDir: config.storageDir,
|
|
12
|
+
removed: existed,
|
|
13
|
+
note: "Generated index removed. For forensic deletion guarantees, keep .kb/ on an encrypted volume and rotate/destroy the volume key.",
|
|
14
|
+
};
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=destroy.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"destroy.js","sourceRoot":"","sources":["../src/destroy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AACpC,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAA;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAGxC,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IACpD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAA;IACpC,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IAE7C,MAAM,YAAY,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,CAAA;IACvD,MAAM,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;IAE7D,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,gIAAgI;KACvI,CAAA;AACH,CAAC"}
|
package/dist/embeddings.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"embeddings.d.ts","sourceRoot":"","sources":["../src/embeddings.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"embeddings.d.ts","sourceRoot":"","sources":["../src/embeddings.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAExC,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAmBrF;AAED,wBAAsB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAM/E"}
|
package/dist/embeddings.js
CHANGED
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
import { Ollama } from "ollama";
|
|
2
|
+
import { assertNetworkPolicy } from "./network.js";
|
|
2
3
|
export async function embedTexts(texts, config) {
|
|
3
4
|
if (texts.length === 0) {
|
|
4
5
|
return [];
|
|
5
6
|
}
|
|
7
|
+
assertNetworkPolicy(config);
|
|
6
8
|
const client = new Ollama({ host: config.ollamaHost });
|
|
7
9
|
const response = await client.embed({
|
|
8
10
|
model: config.embedModel,
|
package/dist/embeddings.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"embeddings.js","sourceRoot":"","sources":["../src/embeddings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;
|
|
1
|
+
{"version":3,"file":"embeddings.js","sourceRoot":"","sources":["../src/embeddings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC/B,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAA;AAGlD,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAe,EAAE,MAAc;IAC9D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,mBAAmB,CAAC,MAAM,CAAC,CAAA;IAC3B,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;IACtD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC;QAClC,KAAK,EAAE,MAAM,CAAC,UAAU;QACxB,KAAK,EAAE,KAAK;KACb,CAAC,CAAA;IAEF,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QACxE,MAAM,IAAI,KAAK,CACb,YAAY,KAAK,CAAC,MAAM,yBAAyB,QAAQ,CAAC,UAAU,EAAE,MAAM,IAAI,CAAC,GAAG,CACrF,CAAA;IACH,CAAC;IAED,OAAO,QAAQ,CAAC,UAAU,CAAA;AAC5B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAY,EAAE,MAAc;IAC1D,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAA;IACpD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAA;IACrD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC"}
|