@karmaniverous/jeeves-server 3.0.0-0 → 3.0.0

package/CHANGELOG.md

@@ -2,8 +2,11 @@
 
 All notable changes to this project will be documented in this file. Dates are displayed in UTC.
 
-#### [v3.0.0-0](https://github.com/karmaniverous/jeeves-server/compare/v2.9.3...v3.0.0-0)
+#### [v3.0.0](https://github.com/karmaniverous/jeeves-server/compare/v2.9.3...v3.0.0)
 
+- feat: named access scopes [`#84`](https://github.com/karmaniverous/jeeves-server/pull/84)
+- fix: plugin auth chain, status endpoint improvements [`#83`](https://github.com/karmaniverous/jeeves-server/pull/83)
+- fix: resetConfig should reload, not clear [`#82`](https://github.com/karmaniverous/jeeves-server/pull/82)
 - chore: integrate client as npm workspace member [`#81`](https://github.com/karmaniverous/jeeves-server/pull/81)
 - fix: force white background in panzoom fullscreen (dark mode) [`#80`](https://github.com/karmaniverous/jeeves-server/pull/80)
 - chore: make both packages releasable [`#79`](https://github.com/karmaniverous/jeeves-server/pull/79)
@@ -31,9 +34,11 @@ All notable changes to this project will be documented in this file. Dates are d
 - refactor: monorepo scaffolding (Phase 1, Step 1) [`15cf2ba`](https://github.com/karmaniverous/jeeves-server/commit/15cf2baa7079057f095c973932d233dda2013659)
 - feat: migrate config from jiti/TS to cosmiconfig/JSON [`adfba33`](https://github.com/karmaniverous/jeeves-server/commit/adfba3387219d49f4675a6c6579253d563788394)
 - fix: resolve all client ESLint errors and warnings [`768541a`](https://github.com/karmaniverous/jeeves-server/commit/768541a71644c3ddcbc4a50bc6ed7a42a1c6d9a5)
+- chore: release @karmaniverous/jeeves-server v3.0.0-0 [`07a6e47`](https://github.com/karmaniverous/jeeves-server/commit/07a6e475a08ccd485765bfaa535f9d63cb8bb42a)
 - chore: SOLID/DRY pass #3 + plugin test coverage [`7dcc4c3`](https://github.com/karmaniverous/jeeves-server/commit/7dcc4c3ad36a45a46dc99c8a1e749dfd2ec01e47)
 - feat: add CLI commands (start, config validate/show, service) [`0437984`](https://github.com/karmaniverous/jeeves-server/commit/0437984e7f783604f9cbdd333db61f8d1af42961)
 - fix: resolve knip unused files, dependencies, and exports [`964beba`](https://github.com/karmaniverous/jeeves-server/commit/964beba273f99be8d3302648c2dd442a3e3dcc07)
+- chore: release @karmaniverous/jeeves-server-openclaw v0.1.0-0 [`b6c0f6d`](https://github.com/karmaniverous/jeeves-server/commit/b6c0f6db6ab8bbdcffb40affc00f9f573ca2caa5)
 - fix: address all gap analysis findings [`1eb02ab`](https://github.com/karmaniverous/jeeves-server/commit/1eb02abf0634be38c687d4927a2360cd27c3aad8)
 - npm audit fix [`3a144b4`](https://github.com/karmaniverous/jeeves-server/commit/3a144b4b07e1387cf40733486e60aeaf7a34d0a6)
 - feat: add GET /api/link-info endpoint [`02ece39`](https://github.com/karmaniverous/jeeves-server/commit/02ece3960aa91861455034aa4bfe8850c0b0f363)
@@ -42,25 +47,37 @@ All notable changes to this project will be documented in this file. Dates are d
 - feat: add GET /api/status endpoint [`764c3a7`](https://github.com/karmaniverous/jeeves-server/commit/764c3a7313bd895032cc17bdc811808cdc8eb80e)
 - chore: SOLID/DRY/test coverage pass [`e491bfb`](https://github.com/karmaniverous/jeeves-server/commit/e491bfbbce7fef13252c2488378b85e983a2207a)
 - refactor: extract buildRuntimeConfig to resolve.ts (DRY) [`87bd749`](https://github.com/karmaniverous/jeeves-server/commit/87bd749c6827e3c95e2ff9996ab1b781cb316932)
+- chore: add knip configs, remove dead exports, clean all code quality checks [`2a81072`](https://github.com/karmaniverous/jeeves-server/commit/2a81072cc5341047b2ef40333405a8cc9760dab4)
 - fix: address Gemini code review feedback across PRs #65-#76 [`2fef919`](https://github.com/karmaniverous/jeeves-server/commit/2fef9192b00c80605c9cca348ea7feff5af2602a)
+- fix: make resetConfig reload runtime config [`79e8602`](https://github.com/karmaniverous/jeeves-server/commit/79e8602b4a8ee13c4de94bb3d262dd8bdb7cd2c8)
 - refactor: extract shared renderMarkdownContent pipeline [`244dddf`](https://github.com/karmaniverous/jeeves-server/commit/244dddf83da846d2863e776ae78a029610532d2d)
 - feat: schema-driven search facet filters (Step 10) [`c305c2a`](https://github.com/karmaniverous/jeeves-server/commit/c305c2ae261514411b6329bdc84052ee5c189759)
 - feat: add scroll anchoring for async diagram renders [`e4bd972`](https://github.com/karmaniverous/jeeves-server/commit/e4bd97293dbb8a9a63d5cf3bceb6e0cbb7a26916)
 - feat: document rendering pipeline (Phase 4, Steps 16-18) [`56095ee`](https://github.com/karmaniverous/jeeves-server/commit/56095ee8f7153509048f0b8af1ed73bb95aa5ae0)
 - npm audit fix [`3810c0f`](https://github.com/karmaniverous/jeeves-server/commit/3810c0fad8067752c4513bcccdd721698c8b3c3b)
+- lintfix [`00dc2b2`](https://github.com/karmaniverous/jeeves-server/commit/00dc2b2ec30ea2a4365d93b86c66330b831737a7)
 - fix: resolve package.json path portably for version [`29d775c`](https://github.com/karmaniverous/jeeves-server/commit/29d775c318ee85003fd6be7f67303633e092a110)
 - feat: add GET /api/search/facets proxy endpoint [`28fc200`](https://github.com/karmaniverous/jeeves-server/commit/28fc20084453b7bee28b4b9b23932a85a88567d0)
 - ni [`e40deac`](https://github.com/karmaniverous/jeeves-server/commit/e40deacf8659a59328ceec50abb6f1f27041b5d8)
+- lintfix [`38a9376`](https://github.com/karmaniverous/jeeves-server/commit/38a937631ab2ac3c22240857f69b36d5d9570665)
 - chore: migrate default port to 1934 [`4614a5f`](https://github.com/karmaniverous/jeeves-server/commit/4614a5f4a5a1fd1d75eb730adbb8caa4a7dab7ff)
 - chore: add tsdoc.json to both package roots [`9ccf217`](https://github.com/karmaniverous/jeeves-server/commit/9ccf2171347ed4deabe617b16b236edba5b5bc75)
 - chore: add tsdoc.json to both package roots [`173cf94`](https://github.com/karmaniverous/jeeves-server/commit/173cf94061cfabd3c21796cb10ad0300c1e14e2b)
+- chore: release @karmaniverous/jeeves-server v3.0.0-1 [`db96bc1`](https://github.com/karmaniverous/jeeves-server/commit/db96bc140b9cbca7ad52ddd562a805ac74ca67aa)
 - fix: set rootDir and update start script path for monorepo layout [`a2fd77c`](https://github.com/karmaniverous/jeeves-server/commit/a2fd77cb067fbae733a64e9bc04c0d9159910f90)
 - fix: resolve TS2352 warnings in openclaw test mocks [`88950e2`](https://github.com/karmaniverous/jeeves-server/commit/88950e23bbd206e40a7bc25ea35c64d7609af281)
 - fix: CI failures and SvgViewer panzoom re-init bug [`7392712`](https://github.com/karmaniverous/jeeves-server/commit/73927128276341a37c362c3143334bd8bb416d09)
+- fix: resolve remaining lint errors (type annotations, unused params, unnecessary conditionals) [`e7714ae`](https://github.com/karmaniverous/jeeves-server/commit/e7714ae451a72a1dd9881d85c964d6d8aec17574)
+- fix: remove unnecessary auth from /api/status calls (endpoint is public) [`f651fe7`](https://github.com/karmaniverous/jeeves-server/commit/f651fe7bff4320eb28b5039278bcdcd032cac6d5)
 - fix: update linux-compat CI for monorepo paths [`22dd30f`](https://github.com/karmaniverous/jeeves-server/commit/22dd30ffe5543042287a299523e5b1125c86381e)
+- chore: release @karmaniverous/jeeves-server-openclaw v0.1.0-1 [`d08e571`](https://github.com/karmaniverous/jeeves-server/commit/d08e571d58bb6387e69441dc06511d92fb743c15)
 - chore: eliminate all lint warnings [`ed12c86`](https://github.com/karmaniverous/jeeves-server/commit/ed12c868546a3f14f7d809d7378235ac91415be7)
 - fix: CI rimraf resolution and remove redundant client steps [`757c45c`](https://github.com/karmaniverous/jeeves-server/commit/757c45cf429e7c70358442e353922f7999d74640)
+- chore: release @karmaniverous/jeeves-server-openclaw v0.1.0 [`bbeac17`](https://github.com/karmaniverous/jeeves-server/commit/bbeac17333ebad423b0fd8c2bcd310bbb0b63b27)
 - publishconfig public access [`8e4358c`](https://github.com/karmaniverous/jeeves-server/commit/8e4358cc43dc2f131840047d34f2644eb6293fe2)
+- fix: add pattern to StatusResponse events type [`f64e6af`](https://github.com/karmaniverous/jeeves-server/commit/f64e6af06ce51a54dee4bf69dd0e6fbae79dc683)
+- fix: normalize path for watcher render (Windows backslash + uppercase drive) [`f6c229d`](https://github.com/karmaniverous/jeeves-server/commit/f6c229d7f4ac7ec11099c884b75e6a90cc0cdf59)
+- zero version [`2c0db75`](https://github.com/karmaniverous/jeeves-server/commit/2c0db75d547d812fa638e15f2da732a7b91ad69c)
 - merge: incorporate main (PR #77 gap-analysis) [`845268d`](https://github.com/karmaniverous/jeeves-server/commit/845268de8d3b990187f078f0135053d52c311009)
 - fix: add missing return-await in facets handler [`b08d4a3`](https://github.com/karmaniverous/jeeves-server/commit/b08d4a34b1bc2a648edf4e9aeb23d4db0be45afc)
 - fix: remove unused parameter in linkInfo test [`36fca9a`](https://github.com/karmaniverous/jeeves-server/commit/36fca9ad8e051a47902ce75dab360ac98c169321)

package/dist/src/config/index.js

@@ -58,6 +58,7 @@ export async function loadConfig(configPath) {
     return buildRuntimeConfig(parseResult.data, rootDir, result.filepath);
 }
 let configInstance = null;
+let lastConfigPath;
 /**
  * Check if the config singleton has been initialized.
  */
@@ -79,12 +80,20 @@ export function getConfig() {
  * @param configPath - Optional explicit path to a config file.
  */
 export async function initConfig(configPath) {
+    lastConfigPath = configPath;
     configInstance = await loadConfig(configPath);
     return configInstance;
 }
 /**
- * Reset the config singleton (for testing).
+ * Reload the config singleton from the last-used config path.
+ * Call after mutating state that affects resolved config (e.g., key rotation).
  */
-export function resetConfig() {
+export async function resetConfig() {
+    configInstance = await loadConfig(lastConfigPath);
+}
+/**
+ * Clear the config singleton (for testing only).
+ */
+export function clearConfig() {
     configInstance = null;
 }

package/dist/src/config/loadConfig.test.js

@@ -2,7 +2,7 @@ import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
 import { afterEach, beforeEach, describe, expect, it } from 'vitest';
-import { getConfig, initConfig, loadConfig, resetConfig } from './index.js';
+import { clearConfig, getConfig, initConfig, loadConfig } from './index.js';
 const VALID_CONFIG = {
     port: 9999,
     chromePath: '/usr/bin/chromium',
@@ -22,11 +22,11 @@ describe('loadConfig', () => {
     let tmpDir;
     beforeEach(() => {
         tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'jeeves-config-'));
-        resetConfig();
+        clearConfig();
     });
     afterEach(() => {
         fs.rmSync(tmpDir, { recursive: true, force: true });
-        resetConfig();
+        clearConfig();
     });
     it('loads a valid JSON config file', async () => {
         const configPath = writeConfig(tmpDir, VALID_CONFIG);
@@ -98,16 +98,37 @@ describe('loadConfig', () => {
         const config = await loadConfig(configPath);
         expect(config.resolvedKeys.find((k) => k.name === '_plugin')?.seed).toBe('c'.repeat(64));
     });
+    it('rejects undefined named scope references', async () => {
+        const configPath = writeConfig(tmpDir, {
+            ...VALID_CONFIG,
+            scopes: { restricted: { allow: ['/**'], deny: ['/secret'] } },
+            insiders: {
+                'a@example.com': { scopes: 'restricted' },
+                'b@example.com': { scopes: 'missing' },
+            },
+        });
+        await expect(loadConfig(configPath)).rejects.toThrow('Scope "missing" is not defined');
+    });
+    it('does not treat path globs as named scope references', async () => {
+        const configPath = writeConfig(tmpDir, {
+            ...VALID_CONFIG,
+            insiders: {
+                'a@example.com': { scopes: ['/docs/**'] },
+            },
+        });
+        const config = await loadConfig(configPath);
+        expect(config.resolvedInsiders.find((i) => i.email === 'a@example.com')?.scopes).toEqual({ allow: ['/docs/**'], deny: [] });
+    });
 });
 describe('config singleton', () => {
     let tmpDir;
     beforeEach(() => {
         tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'jeeves-config-'));
-        resetConfig();
+        clearConfig();
     });
     afterEach(() => {
         fs.rmSync(tmpDir, { recursive: true, force: true });
-        resetConfig();
+        clearConfig();
     });
     it('throws if getConfig called before initConfig', () => {
         expect(() => getConfig()).toThrow('Config not initialized');
@@ -118,10 +139,10 @@ describe('config singleton', () => {
         const config = getConfig();
         expect(config.port).toBe(9999);
     });
-    it('resetConfig clears the singleton', async () => {
+    it('clearConfig clears the singleton', async () => {
         const configPath = writeConfig(tmpDir, VALID_CONFIG);
         await initConfig(configPath);
-        resetConfig();
+        clearConfig();
         expect(() => getConfig()).toThrow('Config not initialized');
     });
 });

package/dist/src/config/resolve.js

@@ -30,21 +30,86 @@ export function normalizeScopes(raw) {
     }
     return null;
 }
+/**
+ * Resolve named scope references (string or string[]) against the top-level scopes map,
+ * optionally merging explicit allow/deny overrides.
+ *
+ * Returns null if no scopes are provided.
+ * Falls back to normalizeScopes() for legacy inline scope formats.
+ */
+export function resolveNamedScopes(named, rawScopes, overrides) {
+    if (rawScopes === undefined || rawScopes === null) {
+        if (overrides?.allow?.length || overrides?.deny?.length) {
+            return {
+                allow: overrides.allow ?? ['/**'],
+                deny: overrides.deny ?? [],
+            };
+        }
+        return null;
+    }
+    // Determine whether rawScopes is a named reference (identifier(s))
+    const isName = (v) => /^[A-Za-z0-9_-]+$/.test(v);
+    const refs = typeof rawScopes === 'string'
+        ? isName(rawScopes)
+            ? [rawScopes]
+            : null
+        : Array.isArray(rawScopes) &&
+            rawScopes.every((v) => typeof v === 'string')
+            ? rawScopes.filter((v) => isName(v))
+            : null;
+    if (refs && refs.length > 0) {
+        const allow = [];
+        const deny = [];
+        for (const ref of refs) {
+            const scope = named[ref];
+            if (!scope)
+                continue; // schema should have validated
+            if (scope.allow)
+                allow.push(...scope.allow);
+            if (scope.deny)
+                deny.push(...scope.deny);
+        }
+        if (overrides?.allow)
+            allow.push(...overrides.allow);
+        if (overrides?.deny)
+            deny.push(...overrides.deny);
+        return {
+            allow: allow.length > 0 ? allow : ['/**'],
+            deny,
+        };
+    }
+    // Legacy inline scopes
+    const normalized = normalizeScopes(rawScopes);
+    if (!normalized)
+        return null;
+    if (overrides?.allow)
+        normalized.allow.push(...overrides.allow);
+    if (overrides?.deny)
+        normalized.deny.push(...overrides.deny);
+    return normalized;
+}
 /**
  * Resolve raw key entries to ResolvedKey[].
  */
-export function resolveKeys(keys) {
+export function resolveKeys(keys, namedScopes) {
     return Object.entries(keys).map(([name, entry]) => {
         if (typeof entry === 'string') {
             return { name, seed: entry, scopes: null };
         }
-        return { name, seed: entry.key, scopes: normalizeScopes(entry.scopes) };
+        return {
+            name,
+            seed: entry.key,
+            scopes: resolveNamedScopes(namedScopes, entry.scopes, {
+                allow: entry.allow,
+                deny: entry.deny,
+            }),
+        };
     });
 }
 /**
  * Resolve insider entries by merging config (identity + scopes) with state (keys).
  */
-export function resolveInsiders(insiders, stateFile) {
+export function resolveInsiders(insiders, namedScopes, stateFile) {
     let serverState = {};
     try {
         if (fs.existsSync(stateFile)) {
@@ -56,7 +121,10 @@ export function resolveInsiders(insiders, stateFile) {
     }
     return Object.entries(insiders).map(([rawEmail, entry]) => {
         const email = rawEmail.toLowerCase();
-        const scopes = normalizeScopes(entry.scopes);
+        const scopes = resolveNamedScopes(namedScopes, entry.scopes, {
+            allow: entry.allow,
+            deny: entry.deny,
+        });
         const stateKey = serverState.insiderKeys?.[email];
         return {
             email,
@@ -101,8 +169,8 @@ export function deriveInternalKey(resolvedKeys) {
  */
 export function buildRuntimeConfig(config, rootDir, configPath) {
     const stateFile = path.join(rootDir, 'state.json');
-    const resolvedKeys = resolveKeys(config.keys);
-    const resolvedInsiders = resolveInsiders(config.insiders, stateFile);
+    const resolvedKeys = resolveKeys(config.keys, config.scopes);
+    const resolvedInsiders = resolveInsiders(config.insiders, config.scopes, stateFile);
     return {
         port: config.port,
         eventTimeoutMs: config.eventTimeoutMs,
@@ -113,7 +181,19 @@ export function buildRuntimeConfig(config, rootDir, configPath) {
         // eslint-disable-next-line @typescript-eslint/no-deprecated
         mermaidCliPath: config.mermaidCliPath,
         plantuml: resolvePlantuml(config.plantuml, rootDir),
-        outsiderPolicy: normalizeScopes(config.outsiderPolicy) ?? null,
+        outsiderPolicy: resolveNamedScopes(config.scopes, config.outsiderPolicy &&
+            typeof config.outsiderPolicy === 'object' &&
+            !Array.isArray(config.outsiderPolicy)
+            ? (config.outsiderPolicy.scopes ??
+                config.outsiderPolicy)
+            : config.outsiderPolicy, config.outsiderPolicy &&
+            typeof config.outsiderPolicy === 'object' &&
+            !Array.isArray(config.outsiderPolicy)
+            ? {
+                allow: config.outsiderPolicy.allow,
+                deny: config.outsiderPolicy.deny,
+            }
+            : undefined) ?? null,
         events: config.events,
         authModes: config.auth.modes,
         resolvedKeys,

package/dist/src/config/resolve.test.js

@@ -2,7 +2,7 @@ import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
 import { afterEach, beforeEach, describe, expect, it } from 'vitest';
-import { buildRuntimeConfig, deriveInternalKey, normalizeScopes, resolveInsiders, resolveKeys, resolvePlantuml, } from './resolve.js';
+import { buildRuntimeConfig, deriveInternalKey, normalizeScopes, resolveInsiders, resolveKeys, resolveNamedScopes, resolvePlantuml, } from './resolve.js';
 describe('normalizeScopes', () => {
     it('returns null for undefined', () => {
         expect(normalizeScopes(undefined)).toBe(null);
@@ -32,7 +32,7 @@ describe('normalizeScopes', () => {
 });
 describe('resolveKeys', () => {
     it('handles string key entries', () => {
-        const result = resolveKeys({ primary: 'seed123' });
+        const result = resolveKeys({ primary: 'seed123' }, {});
         expect(result).toEqual([
             { name: 'primary', seed: 'seed123', scopes: null },
         ]);
@@ -40,7 +40,7 @@ describe('resolveKeys', () => {
     it('handles object key entries with scopes', () => {
         const result = resolveKeys({
             scoped: { key: 'seed456', scopes: ['/docs'] },
-        });
+        }, {});
         expect(result[0].name).toBe('scoped');
         expect(result[0].seed).toBe('seed456');
         expect(result[0].scopes).toEqual({ allow: ['/docs'], deny: [] });
@@ -49,7 +49,7 @@ describe('resolveKeys', () => {
         const result = resolveKeys({
             plain: 'abc',
             complex: { key: 'def', scopes: { allow: ['/x'], deny: ['/y'] } },
-        });
+        }, {});
         expect(result).toHaveLength(2);
         expect(result[0].scopes).toBe(null);
         expect(result[1].scopes).toEqual({ allow: ['/x'], deny: ['/y'] });
@@ -65,7 +65,7 @@ describe('resolveInsiders', () => {
     });
     it('normalizes email to lowercase', () => {
         const stateFile = path.join(tmpDir, 'state.json');
-        const result = resolveInsiders({ 'Test@Example.COM': {} }, stateFile);
+        const result = resolveInsiders({ 'Test@Example.COM': {} }, {}, stateFile);
         expect(result[0].email).toBe('test@example.com');
     });
     it('merges state keys when available', () => {
@@ -75,17 +75,46 @@ describe('resolveInsiders', () => {
                 'test@example.com': { seed: 'stateseed', createdAt: '2026-01-01' },
             },
         }));
-        const result = resolveInsiders({ 'test@example.com': {} }, stateFile);
+        const result = resolveInsiders({ 'test@example.com': {} }, {}, stateFile);
         expect(result[0].seed).toBe('stateseed');
         expect(result[0].keyCreatedAt).toBe('2026-01-01');
     });
     it('returns empty seed when no state exists', () => {
         const stateFile = path.join(tmpDir, 'state.json');
-        const result = resolveInsiders({ 'new@example.com': {} }, stateFile);
+        const result = resolveInsiders({ 'new@example.com': {} }, {}, stateFile);
         expect(result[0].seed).toBe('');
         expect(result[0].keyCreatedAt).toBe(null);
     });
 });
+describe('resolveNamedScopes', () => {
+    it('resolves a single named scope', () => {
+        const named = { restricted: { allow: ['/**'], deny: ['/secret'] } };
+        expect(resolveNamedScopes(named, 'restricted')).toEqual({
+            allow: ['/**'],
+            deny: ['/secret'],
+        });
+    });
+    it('unions multiple named scopes and merges overrides', () => {
+        const named = {
+            restricted: { allow: ['/**'], deny: ['/secret'] },
+            noVc: { deny: ['/vc/**'] },
+        };
+        expect(resolveNamedScopes(named, ['restricted', 'noVc'], {
+            allow: ['/extra'],
+            deny: ['/more'],
+        })).toEqual({
+            allow: ['/**', '/extra'],
+            deny: ['/secret', '/vc/**', '/more'],
+        });
+    });
+    it('falls back to legacy inline scope strings', () => {
+        const named = { restricted: { allow: ['/**'] } };
+        expect(resolveNamedScopes(named, '/docs')).toEqual({
+            allow: ['/docs'],
+            deny: [],
+        });
+    });
+});
 describe('resolvePlantuml', () => {
     it('appends community server as fallback', () => {
         const result = resolvePlantuml();
@@ -133,6 +162,7 @@ describe('buildRuntimeConfig', () => {
             eventLogPurgeMs: 2592000000,
             maxZipSizeMb: 100,
             chromePath: '/usr/bin/chrome',
+            scopes: {},
             events: {},
             auth: { modes: ['keys'] },
             keys: { primary: 'a'.repeat(64) },

package/dist/src/config/schema.js

@@ -50,6 +50,10 @@ export const scopesSchema = z.union([
 /** Insider entry (identity + scopes only; keys are in state.json) */
 export const insiderEntrySchema = z.object({
     scopes: scopesSchema.optional(),
+    /** Extra allow patterns merged on top of named scope references */
+    allow: z.array(z.string()).optional(),
+    /** Extra deny patterns merged on top of named scope references */
+    deny: z.array(z.string()).optional(),
 });
 /** Key entry â€" plain string (seed, no scopes) or object with key + optional scopes */
 export const keyEntrySchema = z.union([
@@ -57,14 +61,38 @@ export const keyEntrySchema = z.union([
     z.object({
         key: z.string().min(1),
         scopes: scopesSchema.optional(),
+        /** Extra allow patterns merged on top of named scope references */
+        allow: z.array(z.string()).optional(),
+        /** Extra deny patterns merged on top of named scope references */
+        deny: z.array(z.string()).optional(),
     }),
 ]);
+/** Helper: collect named scope references from a scopes field value.
+ *
+ * Backward-compat note: `scopes` has historically accepted path globs like "/**" or ["/a","/b"].
+ * We only treat values as *named scope references* if they look like identifiers
+ * (e.g. "restricted", "no-vc") rather than path globs.
+ */
+function getScopeRefs(scopes) {
+    const isName = (v) => /^[A-Za-z0-9_-]+$/.test(v);
+    if (typeof scopes === 'string')
+        return isName(scopes) ? [scopes] : [];
+    if (Array.isArray(scopes) && scopes.length > 0) {
+        const strs = scopes.filter((v) => typeof v === 'string');
+        if (strs.length !== scopes.length)
+            return [];
+        return strs.filter((v) => isName(v));
+    }
+    return [];
+}
 /** Top-level Jeeves Server configuration */
 export const jeevesConfigSchema = z
     .object({
     port: z.number().int().positive().default(1934),
     chromePath: z.string().min(1),
     auth: authSchema,
+    /** Named scope definitions, referenced by insiders/keys/outsiderPolicy */
+    scopes: z.record(z.string(), scopesObjectSchema).default({}),
     insiders: z.record(z.email(), insiderEntrySchema).default({}),
     keys: z.record(z.string(), keyEntrySchema).default({}),
     events: z.record(z.string(), eventConfigSchema).default({}),
@@ -116,7 +144,7 @@ export const jeevesConfigSchema = z
      * Uses the same allow/deny model as insider scopes.
      * If omitted, all paths are shareable with outsiders.
      */
-    outsiderPolicy: scopesObjectSchema.optional(),
+    outsiderPolicy: scopesSchema.optional(),
 })
     .superRefine((config, ctx) => {
     // Google auth mode requires google config + sessionSecret
@@ -156,4 +184,32 @@ export const jeevesConfigSchema = z
             });
         }
     }
+    // Validate all scope name references resolve to the top-level scopes map
+    const scopeNames = new Set(Object.keys(config.scopes));
+    const validateRefs = (refs, refPath) => {
+        for (const ref of refs) {
+            if (!scopeNames.has(ref)) {
+                ctx.addIssue({
+                    code: 'custom',
+                    message: `Scope "${ref}" is not defined in the top-level scopes map`,
+                    path: refPath,
+                });
+            }
+        }
+    };
+    for (const [email, entry] of Object.entries(config.insiders)) {
+        const refs = getScopeRefs(entry.scopes);
+        if (refs.length > 0)
+            validateRefs(refs, ['insiders', email, 'scopes']);
+    }
+    for (const [name, entry] of Object.entries(config.keys)) {
+        if (typeof entry === 'object') {
+            const refs = getScopeRefs(entry.scopes);
+            if (refs.length > 0)
+                validateRefs(refs, ['keys', name, 'scopes']);
+        }
+    }
+    const outsiderRefs = getScopeRefs(config.outsiderPolicy);
+    if (outsiderRefs.length > 0)
+        validateRefs(outsiderRefs, ['outsiderPolicy']);
 });

package/dist/src/routes/api/fileContent.js

@@ -191,7 +191,11 @@ async function tryWatcherRender(fsPath) {
         const res = await fetch(`${config.watcherUrl}/render`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ path: fsPath }),
+            body: JSON.stringify({
+                path: fsPath
+                    .replace(/\\/g, '/')
+                    .replace(/^([A-Z]):/, (_, d) => d.toLowerCase() + ':'),
+            }),
             signal: AbortSignal.timeout(5000),
         });
         if (!res.ok)

package/dist/src/routes/api/middleware.js

@@ -21,6 +21,8 @@ export function addAuthMiddleware(fastify) {
             return;
         if (request.url.startsWith('/api/diagram/'))
             return;
+        if (request.url.startsWith('/api/status'))
+            return;
         const config = getConfig();
         // Utility endpoints handle their own scope checking
         if (request.url.startsWith('/api/util/')) {

package/dist/src/routes/api/sharing.js

@@ -109,7 +109,7 @@ export const sharingRoutes = async (fastify) => {
         const newSeed = crypto.randomBytes(32).toString('hex');
         const now = new Date().toISOString();
         setInsiderKey(insider.email, newSeed, now);
-        resetConfig();
+        await resetConfig();
         return reply.send({ ok: true, keyCreatedAt: now });
     });
     // POST /api/util/share-for

package/dist/src/routes/api/status.js

@@ -8,28 +8,27 @@ import { getConfig } from '../../config/index.js';
 import { packageVersion } from '../../util/packageVersion.js';
 const startTime = Date.now();
 async function checkService(url) {
-    try {
-        const res = await fetch(`${url}/status`, {
-            signal: AbortSignal.timeout(3000),
-        });
-        if (res.ok) {
-            const data = (await res.json());
-            return { url, reachable: true, version: data.version };
+    // Try /status first (watcher), then /health (runner)
+    for (const endpoint of ['/status', '/health']) {
+        try {
+            const res = await fetch(`${url}${endpoint}`, {
+                signal: AbortSignal.timeout(3000),
+            });
+            if (res.ok) {
+                const data = (await res.json());
+                return { url, reachable: true, version: data.version };
+            }
+        }
+        catch {
+            // try next endpoint
         }
-        return { url, reachable: false };
-    }
-    catch {
-        return { url, reachable: false };
     }
+    return { url, reachable: false };
 }
 // eslint-disable-next-line @typescript-eslint/require-await
 export const statusRoutes = async (fastify) => {
-    fastify.get('/api/status', async (request) => {
+    fastify.get('/api/status', async () => {
         const config = getConfig();
-        // Only insiders get status
-        if (request.accessMode !== 'insider') {
-            return { error: 'Insider auth required' };
-        }
         const [watcher, runner] = await Promise.all([
             config.watcherUrl ? checkService(config.watcherUrl) : null,
             config.runnerUrl ? checkService(config.runnerUrl) : null,
@@ -51,9 +50,14 @@ export const statusRoutes = async (fastify) => {
                 name,
                 cmd: schema.cmd,
             })),
-            exportFormats: ['pdf', 'docx', 'zip'],
+            exports: {
+                documents: ['pdf', 'docx'],
+                directories: ['zip'],
+                diagrams: ['svg', 'png'],
+                chromeAvailable: Boolean(config.chromePath),
+            },
             diagrams: {
-                mermaid: true, // bundled via @mermaid-js/mermaid-cli
+                mermaid: true,
                 plantuml: {
                     localJar: Boolean(config.plantuml.jarPath),
                     servers: config.plantuml.servers,

package/dist/src/routes/api/status.test.js

@@ -25,7 +25,7 @@ vi.mock('../../config/index.js', () => ({
 // Must import AFTER mock
 const { statusRoutes } = await import('./status.js');
 describe('GET /api/status', () => {
-    it('returns structured status for insider requests', async () => {
+    it('returns structured status', async () => {
         // Create a minimal Fastify-like test harness
         const routes = {};
         const fakeFastify = {
@@ -45,18 +45,11 @@ describe('GET /api/status', () => {
         expect(status.auth.insiderCount).toBe(2);
         expect(status.auth.keyCount).toBe(1);
         expect(status.events).toHaveLength(2);
-        expect(status.exportFormats).toEqual(['pdf', 'docx', 'zip']);
+        const exports = status.exports;
+        expect(exports.documents).toEqual(['pdf', 'docx']);
+        expect(exports.directories).toEqual(['zip']);
+        expect(exports.diagrams).toEqual(['svg', 'png']);
+        expect(exports.chromeAvailable).toBe(true);
         expect(status.diagrams.mermaid).toBe(true);
     });
-    it('rejects non-insider requests', async () => {
-        const routes = {};
-        const fakeFastify = {
-            get: (path, handler) => {
-                routes[path] = handler;
-            },
-        };
-        await statusRoutes(fakeFastify, {});
-        const result = await routes['/api/status']({ accessMode: 'outsider' });
-        expect(result).toEqual({ error: 'Insider auth required' });
-    });
 });

package/dist/src/routes/auth.js

@@ -73,7 +73,7 @@ export const authRoute = async (fastify) => {
             insider.seed = newSeed;
             // Persist to state.json (mutable runtime state)
             setInsiderKey(insider.email, newSeed, timestamp);
-            resetConfig(); // Reload to pick up new state
+            await resetConfig(); // Reload to pick up new state
         }
         // Set session cookie
         const cookieValue = createSessionCookie(email, sessionSecret, userInfo.picture);