@karmaniverous/jeeves-server 3.0.0-0 → 3.0.0

package/src/config/schema.ts

@@ -57,6 +57,10 @@ export const scopesSchema = z.union([
 /** Insider entry (identity + scopes only; keys are in state.json) */
 export const insiderEntrySchema = z.object({
   scopes: scopesSchema.optional(),
+  /** Extra allow patterns merged on top of named scope references */
+  allow: z.array(z.string()).optional(),
+  /** Extra deny patterns merged on top of named scope references */
+  deny: z.array(z.string()).optional(),
 });
 
 /** Key entry â€" plain string (seed, no scopes) or object with key + optional scopes */
@@ -65,15 +69,41 @@ export const keyEntrySchema = z.union([
   z.object({
     key: z.string().min(1),
     scopes: scopesSchema.optional(),
+    /** Extra allow patterns merged on top of named scope references */
+    allow: z.array(z.string()).optional(),
+    /** Extra deny patterns merged on top of named scope references */
+    deny: z.array(z.string()).optional(),
   }),
 ]);
 
+/** Helper: collect named scope references from a scopes field value.
+ *
+ * Backward-compat note: `scopes` has historically accepted path globs like "/**" or ["/a","/b"].
+ * We only treat values as *named scope references* if they look like identifiers
+ * (e.g. "restricted", "no-vc") rather than path globs.
+ */
+function getScopeRefs(scopes: unknown): string[] {
+  const isName = (v: string): boolean => /^[A-Za-z0-9_-]+$/.test(v);
+
+  if (typeof scopes === 'string') return isName(scopes) ? [scopes] : [];
+
+  if (Array.isArray(scopes) && scopes.length > 0) {
+    const strs = scopes.filter((v) => typeof v === 'string');
+    if (strs.length !== scopes.length) return [];
+    return strs.filter((v) => isName(v));
+  }
+
+  return [];
+}
+
 /** Top-level Jeeves Server configuration */
 export const jeevesConfigSchema = z
   .object({
     port: z.number().int().positive().default(1934),
     chromePath: z.string().min(1),
     auth: authSchema,
+    /** Named scope definitions, referenced by insiders/keys/outsiderPolicy */
+    scopes: z.record(z.string(), scopesObjectSchema).default({}),
     insiders: z.record(z.email(), insiderEntrySchema).default({}),
     keys: z.record(z.string(), keyEntrySchema).default({}),
     events: z.record(z.string(), eventConfigSchema).default({}),
@@ -125,7 +155,7 @@ export const jeevesConfigSchema = z
      * Uses the same allow/deny model as insider scopes.
      * If omitted, all paths are shareable with outsiders.
      */
-    outsiderPolicy: scopesObjectSchema.optional(),
+    outsiderPolicy: scopesSchema.optional(),
   })
   .superRefine((config, ctx) => {
     // Google auth mode requires google config + sessionSecret
@@ -170,6 +200,38 @@ export const jeevesConfigSchema = z
         });
       }
     }
+
+    // Validate all scope name references resolve to the top-level scopes map
+    const scopeNames = new Set(Object.keys(config.scopes));
+    const validateRefs = (
+      refs: string[],
+      refPath: (string | number)[],
+    ): void => {
+      for (const ref of refs) {
+        if (!scopeNames.has(ref)) {
+          ctx.addIssue({
+            code: 'custom',
+            message: `Scope "${ref}" is not defined in the top-level scopes map`,
+            path: refPath,
+          });
+        }
+      }
+    };
+
+    for (const [email, entry] of Object.entries(config.insiders)) {
+      const refs = getScopeRefs(entry.scopes);
+      if (refs.length > 0) validateRefs(refs, ['insiders', email, 'scopes']);
+    }
+
+    for (const [name, entry] of Object.entries(config.keys)) {
+      if (typeof entry === 'object') {
+        const refs = getScopeRefs(entry.scopes);
+        if (refs.length > 0) validateRefs(refs, ['keys', name, 'scopes']);
+      }
+    }
+
+    const outsiderRefs = getScopeRefs(config.outsiderPolicy);
+    if (outsiderRefs.length > 0) validateRefs(outsiderRefs, ['outsiderPolicy']);
   });
 
 /** Inferred config type */

package/src/routes/api/fileContent.ts

@@ -266,7 +266,14 @@ async function tryWatcherRender(
     const res = await fetch(`${config.watcherUrl}/render`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ path: fsPath }),
+      body: JSON.stringify({
+        path: fsPath
+          .replace(/\\/g, '/')
+          .replace(
+            /^([A-Z]):/,
+            (_: string, d: string) => d.toLowerCase() + ':',
+          ),
+      }),
       signal: AbortSignal.timeout(5000),
     });
 

package/src/routes/api/middleware.ts

@@ -24,6 +24,7 @@ export function addAuthMiddleware(fastify: FastifyInstance): void {
     if (request.url.startsWith('/api/content-link/')) return;
     if (request.url.startsWith('/api/auth/status')) return;
     if (request.url.startsWith('/api/diagram/')) return;
+    if (request.url.startsWith('/api/status')) return;
 
     const config = getConfig();
 

package/src/routes/api/sharing.ts

@@ -132,7 +132,7 @@ export const sharingRoutes: FastifyPluginAsync = async (fastify) => {
     const newSeed = crypto.randomBytes(32).toString('hex');
     const now = new Date().toISOString();
     setInsiderKey(insider.email, newSeed, now);
-    resetConfig();
+    await resetConfig();
 
     return reply.send({ ok: true, keyCreatedAt: now });
   });

package/src/routes/api/status.test.ts

@@ -29,7 +29,7 @@ vi.mock('../../config/index.js', () => ({
 const { statusRoutes } = await import('./status.js');
 
 describe('GET /api/status', () => {
-  it('returns structured status for insider requests', async () => {
+  it('returns structured status', async () => {
     // Create a minimal Fastify-like test harness
     const routes: Record<string, (req: unknown) => Promise<unknown>> = {};
     const fakeFastify = {
@@ -53,20 +53,16 @@ describe('GET /api/status', () => {
     expect((status.auth as { insiderCount: number }).insiderCount).toBe(2);
     expect((status.auth as { keyCount: number }).keyCount).toBe(1);
     expect(status.events).toHaveLength(2);
-    expect(status.exportFormats).toEqual(['pdf', 'docx', 'zip']);
-    expect((status.diagrams as { mermaid: boolean }).mermaid).toBe(true);
-  });
-
-  it('rejects non-insider requests', async () => {
-    const routes: Record<string, (req: unknown) => Promise<unknown>> = {};
-    const fakeFastify = {
-      get: (path: string, handler: (req: unknown) => Promise<unknown>) => {
-        routes[path] = handler;
-      },
+    const exports = status.exports as {
+      documents: string[];
+      directories: string[];
+      diagrams: string[];
+      chromeAvailable: boolean;
     };
-
-    await statusRoutes(fakeFastify as never, {});
-    const result = await routes['/api/status']({ accessMode: 'outsider' });
-    expect(result).toEqual({ error: 'Insider auth required' });
+    expect(exports.documents).toEqual(['pdf', 'docx']);
+    expect(exports.directories).toEqual(['zip']);
+    expect(exports.diagrams).toEqual(['svg', 'png']);
+    expect(exports.chromeAvailable).toBe(true);
+    expect((status.diagrams as { mermaid: boolean }).mermaid).toBe(true);
   });
 });

package/src/routes/api/status.ts

@@ -19,30 +19,28 @@ interface ServiceStatus {
 }
 
 async function checkService(url: string): Promise<ServiceStatus> {
-  try {
-    const res = await fetch(`${url}/status`, {
-      signal: AbortSignal.timeout(3000),
-    });
-    if (res.ok) {
-      const data = (await res.json()) as { version?: string };
-      return { url, reachable: true, version: data.version };
+  // Try /status first (watcher), then /health (runner)
+  for (const endpoint of ['/status', '/health']) {
+    try {
+      const res = await fetch(`${url}${endpoint}`, {
+        signal: AbortSignal.timeout(3000),
+      });
+      if (res.ok) {
+        const data = (await res.json()) as { version?: string };
+        return { url, reachable: true, version: data.version };
+      }
+    } catch {
+      // try next endpoint
     }
-    return { url, reachable: false };
-  } catch {
-    return { url, reachable: false };
   }
+  return { url, reachable: false };
 }
 
 // eslint-disable-next-line @typescript-eslint/require-await
 export const statusRoutes: FastifyPluginAsync = async (fastify) => {
-  fastify.get('/api/status', async (request) => {
+  fastify.get('/api/status', async () => {
     const config = getConfig();
 
-    // Only insiders get status
-    if (request.accessMode !== 'insider') {
-      return { error: 'Insider auth required' };
-    }
-
     const [watcher, runner] = await Promise.all([
       config.watcherUrl ? checkService(config.watcherUrl) : null,
       config.runnerUrl ? checkService(config.runnerUrl) : null,
@@ -65,9 +63,14 @@ export const statusRoutes: FastifyPluginAsync = async (fastify) => {
         name,
         cmd: schema.cmd,
       })),
-      exportFormats: ['pdf', 'docx', 'zip'],
+      exports: {
+        documents: ['pdf', 'docx'],
+        directories: ['zip'],
+        diagrams: ['svg', 'png'],
+        chromeAvailable: Boolean(config.chromePath),
+      },
       diagrams: {
-        mermaid: true, // bundled via @mermaid-js/mermaid-cli
+        mermaid: true,
         plantuml: {
           localJar: Boolean(config.plantuml.jarPath),
           servers: config.plantuml.servers,

package/src/routes/auth.ts

@@ -108,7 +108,7 @@ export const authRoute: FastifyPluginAsync = async (fastify) => {
 
       // Persist to state.json (mutable runtime state)
       setInsiderKey(insider.email, newSeed, timestamp);
-      resetConfig(); // Reload to pick up new state
+      await resetConfig(); // Reload to pick up new state
     }
 
     // Set session cookie

package/src/routes/keys.ts

@@ -86,7 +86,7 @@ export const keysRoute: FastifyPluginAsync = async (fastify) => {
         const insiderResult = resolveInsiderKeyAuth(config, provided);
         if (insiderResult.valid && insiderResult.email) {
           // Insider key rotation
-          return rotateInsiderSeed(insiderResult.email, config);
+          return await rotateInsiderSeed(insiderResult.email, config);
         }
 
         // Machine key rotation is not supported with TS config
@@ -105,7 +105,7 @@ export const keysRoute: FastifyPluginAsync = async (fastify) => {
       // Try session-based auth
       const sessionResult = resolveSessionAuth(config, request);
       if (sessionResult.valid && sessionResult.email) {
-        return rotateInsiderSeed(sessionResult.email, config);
+        return await rotateInsiderSeed(sessionResult.email, config);
       }
 
       return reply.code(401).send({ error: 'Invalid insider key' });
@@ -149,7 +149,7 @@ export const keysRoute: FastifyPluginAsync = async (fastify) => {
   );
 };
 
-function rotateInsiderSeed(
+async function rotateInsiderSeed(
   email: string,
   config: ReturnType<typeof getConfig>,
 ) {
@@ -166,7 +166,7 @@ function rotateInsiderSeed(
     at: timestamp,
   });
   setKeyRotationTimestamp(timestamp);
-  resetConfig();
+  await resetConfig();
 
   return { ok: true, keyName: insider.email };
 }

package/src/services/deepShareLinks.ts

@@ -35,7 +35,7 @@ export function encodeStack(stack: string[]): string {
 /**
  * Compute the remaining depth for a given stack.
  */
-export function remainingDepth(maxDepth: number, stack: string[]): number {
+function remainingDepth(maxDepth: number, stack: string[]): number {
   return maxDepth - (stack.length - 1);
 }
 
@@ -43,7 +43,7 @@ export function remainingDepth(maxDepth: number, stack: string[]): number {
  * Compute a sub-link URL for an outgoing link target.
  * Returns null if the link should be stripped (depth exhausted or type not allowed).
  */
-export function computeSubLink(
+function computeSubLink(
   seed: string,
   targetUrlPath: string,
   currentStack: string[],

package/src/services/diagramCache.ts

@@ -39,7 +39,7 @@ function cacheKey(type: string, source: string): string {
  * Look up a cached diagram. Returns the content as a string or null on miss.
  * @param format - Output format extension (e.g. 'svg', 'png', 'pdf'). Defaults to 'svg'.
  */
-export function getCachedDiagram(
+function getCachedDiagram(
   type: string,
   source: string,
   format: string = 'svg',
@@ -75,7 +75,7 @@ export function getCachedDiagramBuffer(
  * Store a rendered diagram in the cache (string content).
  * @param format - Output format extension. Defaults to 'svg'.
  */
-export function cacheDiagram(
+function cacheDiagram(
   type: string,
   source: string,
   content: string,

package/src/services/embeddedDiagrams.ts

@@ -50,7 +50,7 @@ function startCleanup(): void {
 /**
  * Compute content hash matching the cache key format.
  */
-export function diagramHash(type: string, source: string): string {
+function diagramHash(type: string, source: string): string {
   return crypto.createHash('sha256').update(`${type}\0${source}`).digest('hex');
 }
 

package/src/services/export.ts

@@ -17,7 +17,7 @@ import {
 
 export type ExportFormat = 'pdf' | 'docx';
 
-export interface ExportOptions {
+interface ExportOptions {
   url: string;
   fileName: string;
   format: ExportFormat;
@@ -30,7 +30,7 @@ const MAX_HEIGHT_PX = 768;
 /**
  * Export page as PDF.
  */
-export async function exportPDF(options: ExportOptions): Promise<Buffer> {
+async function exportPDF(options: ExportOptions): Promise<Buffer> {
   const browser = await launchBrowser();
   try {
     const page = await browser.newPage();
@@ -53,7 +53,7 @@ export async function exportPDF(options: ExportOptions): Promise<Buffer> {
 /**
  * Export page as DOCX.
  */
-export async function exportDOCX(options: ExportOptions): Promise<Buffer> {
+async function exportDOCX(options: ExportOptions): Promise<Buffer> {
   const browser = await launchBrowser();
   try {
     const page = await browser.newPage();

package/src/util/breadcrumbs.ts

@@ -2,7 +2,7 @@
  * Breadcrumb filtering utilities.
  */
 
-export interface Breadcrumb {
+interface Breadcrumb {
   label: string;
   path: string;
 }

package/src/util/state.ts

@@ -10,7 +10,7 @@ import type { ServerState } from '../config/types.js';
 /**
  * Load state from file
  */
-export function loadState(): ServerState {
+function loadState(): ServerState {
   const { stateFile } = getConfig();
   try {
     if (fs.existsSync(stateFile)) {
@@ -26,7 +26,7 @@ export function loadState(): ServerState {
 /**
  * Save state to file
  */
-export function saveState(state: ServerState): void {
+function saveState(state: ServerState): void {
   const { stateFile } = getConfig();
   fs.writeFileSync(stateFile, JSON.stringify(state, null, 2), 'utf8');
 }