npm - @karmaniverous/jeeves-server - Versions diffs - 3.1.1 → 3.1.3 - Mend

@karmaniverous/jeeves-server 3.1.1 → 3.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/.tsbuildinfo +1 -1
package/CHANGELOG.md +15 -8
package/dist/src/auth/keys.js +13 -1
package/dist/src/auth/keys.test.js +84 -0
package/dist/src/config/loadConfig.test.js +6 -1
package/dist/src/config/resolve.js +15 -2
package/dist/src/config/resolve.test.js +33 -4
package/dist/src/services/markdown.js +10 -2
package/package.json +1 -1
package/src/auth/keys.test.ts +115 -0
package/src/auth/keys.ts +18 -1
package/src/config/loadConfig.test.ts +6 -1
package/src/config/resolve.test.ts +33 -4
package/src/config/resolve.ts +17 -2
package/src/config/types.ts +9 -0
package/src/services/markdown.ts +21 -3

package/CHANGELOG.md CHANGED Viewed

@@ -2,8 +2,11 @@
 All notable changes to this project will be documented in this file. Dates are displayed in UTC.
-#### [v3.1.1](https://github.com/karmaniverous/jeeves-server/compare/v2.9.3...v3.1.1)
+#### [v3.1.3](https://github.com/karmaniverous/jeeves-server/compare/v2.9.3...v3.1.3)
+- docs: document scope override precedence in OpenClaw skill [`#95`](https://github.com/karmaniverous/jeeves-server/pull/95)
+- feat: explicit scope overrides take precedence over named scopes [`#94`](https://github.com/karmaniverous/jeeves-server/pull/94)
+- fix: parse inline tokens in heading renderer [`#93`](https://github.com/karmaniverous/jeeves-server/pull/93)
 - fix: prevent full data reload on tab switch [`#91`](https://github.com/karmaniverous/jeeves-server/pull/91)
 - fix: Rendered tab persists when switching to Raw on watcher-rendered files [`#90`](https://github.com/karmaniverous/jeeves-server/pull/90)
 - feat: extend /api/status with ?events=N for recent event log [`#89`](https://github.com/karmaniverous/jeeves-server/pull/89)
@@ -34,11 +37,12 @@ All notable changes to this project will be documented in this file. Dates are d
 - fix: exit edit mode after save [`#63`](https://github.com/karmaniverous/jeeves-server/pull/63)
 - chore: add default port 1934 [`#62`](https://github.com/karmaniverous/jeeves-server/pull/62)
 - chore: add default port 1934 [`#61`](https://github.com/karmaniverous/jeeves-server/pull/61)
+- fix: parse inline tokens in heading renderer (code spans, bold, italic) [`#92`](https://github.com/karmaniverous/jeeves-server/issues/92)
+- chore: add docs workflow, gitignore generated docs [`10bffb8`](https://github.com/karmaniverous/jeeves-server/commit/10bffb8b6ce9c45c31e88b07e26c4657cfba0776)
 - updated docs [`86d88c7`](https://github.com/karmaniverous/jeeves-server/commit/86d88c76b04b32132195370328f434b427b7e23d)
 - updated docs [`cbd8537`](https://github.com/karmaniverous/jeeves-server/commit/cbd853764a9b5953afb847aa653a5182f74b1cd6)
 - docs: refresh README and guides for v3 CLI + config [`e437387`](https://github.com/karmaniverous/jeeves-server/commit/e4373875d454518b8f4d8dcf37613ddc36f2aace)
 - refactor: remove hardcoded filters, fix lazy facet loading [`ffb0f2a`](https://github.com/karmaniverous/jeeves-server/commit/ffb0f2aa4fc763ddce66dd3f666bf5db6cc6dfe8)
-- chore: release @karmaniverous/jeeves-server-openclaw v0.1.0-0 [`b6c0f6d`](https://github.com/karmaniverous/jeeves-server/commit/b6c0f6db6ab8bbdcffb40affc00f9f573ca2caa5)
 - docs: add typedoc config and dependencies [`761bb8c`](https://github.com/karmaniverous/jeeves-server/commit/761bb8cef7c5d84f17c9193d688bd9b0be67a6ca)
 - feat: two-step facet selection + garbage value filtering [`6c60e97`](https://github.com/karmaniverous/jeeves-server/commit/6c60e9753761e9b2a844bcc9212baadc73841a19)
 - feat: schema-driven facet rendering by uiHint [`97af834`](https://github.com/karmaniverous/jeeves-server/commit/97af834a29d3d4e95be3c157ecd07855b8aee403)
@@ -47,15 +51,16 @@ All notable changes to this project will be documented in this file. Dates are d
 - perf: lazy-load facets only when 'Add filter' is clicked [`d0b111c`](https://github.com/karmaniverous/jeeves-server/commit/d0b111c8cd442a47238ad5e0512576221bac1572)
 - chore: add knip configs, remove dead exports, clean all code quality checks [`2a81072`](https://github.com/karmaniverous/jeeves-server/commit/2a81072cc5341047b2ef40333405a8cc9760dab4)
 - feat: garbage value diagnostics for inference rule debugging [`06e4f82`](https://github.com/karmaniverous/jeeves-server/commit/06e4f823fa87f991ca81c904d2eb55dc7ce59d26)
-- fix: make resetConfig reload runtime config [`79e8602`](https://github.com/karmaniverous/jeeves-server/commit/79e8602b4a8ee13c4de94bb3d262dd8bdb7cd2c8)
 - chore: release @karmaniverous/jeeves-server v3.1.0 [`0688333`](https://github.com/karmaniverous/jeeves-server/commit/0688333e880847fc4c3beb773cdb0a907a3f82e9)
 - updated docs [`075a6f3`](https://github.com/karmaniverous/jeeves-server/commit/075a6f36cee6279c83ba564e6efbde99ebac2f37)
+- chore: release @karmaniverous/jeeves-server v3.1.1 [`736ec35`](https://github.com/karmaniverous/jeeves-server/commit/736ec35c550c0f8da5800413562f10643f9da6db)
 - chore: release @karmaniverous/jeeves-server v3.0.1 [`67cf001`](https://github.com/karmaniverous/jeeves-server/commit/67cf0014073c62b18134da2c1266b505a1228874)
 - lintfix [`00dc2b2`](https://github.com/karmaniverous/jeeves-server/commit/00dc2b2ec30ea2a4365d93b86c66330b831737a7)
 - feat: render text/number facets as text inputs, chips for select/multiselect [`282adf8`](https://github.com/karmaniverous/jeeves-server/commit/282adf83c21b84d433ec23be5d1b6b51b5da8145)
 - docs: add changelogs as children of package guide indexes [`fd16b5b`](https://github.com/karmaniverous/jeeves-server/commit/fd16b5b7f80ad2b58d883fe3b7cf270668026f8e)
 - lintfix [`38a9376`](https://github.com/karmaniverous/jeeves-server/commit/38a937631ab2ac3c22240857f69b36d5d9570665)
 - fix: text/number facets skip value cleaning, cast values to String [`c9af039`](https://github.com/karmaniverous/jeeves-server/commit/c9af039c2fbdad59a7e9fdedd75f008ab5c1c148)
+- chore: release @karmaniverous/jeeves-server v3.1.2 [`d15fa4c`](https://github.com/karmaniverous/jeeves-server/commit/d15fa4c5d6ca2a31e28b6509d5566569025110ff)
 - chore: release @karmaniverous/jeeves-server v3.0.0-1 [`db96bc1`](https://github.com/karmaniverous/jeeves-server/commit/db96bc140b9cbca7ad52ddd562a805ac74ca67aa)
 - docs: document ?events=N query param on /api/status [`4a25f3b`](https://github.com/karmaniverous/jeeves-server/commit/4a25f3bcf5bf50e688cd7c38e0340a0f24341e96)
 - fix: restore eager facet loading on modal open [`a625bd0`](https://github.com/karmaniverous/jeeves-server/commit/a625bd08e47ab95cd5a05324a0a888bb0bf6fc4f)
@@ -64,8 +69,13 @@ All notable changes to this project will be documented in this file. Dates are d
 - chore: release @karmaniverous/jeeves-server-openclaw v0.1.1 [`abfee9f`](https://github.com/karmaniverous/jeeves-server/commit/abfee9f6ee5b2ac1cf6c8e4838edd3e2e8133359)
 - fix: remove unnecessary auth from /api/status calls (endpoint is public) [`f651fe7`](https://github.com/karmaniverous/jeeves-server/commit/f651fe7bff4320eb28b5039278bcdcd032cac6d5)
 - chore: release @karmaniverous/jeeves-server-openclaw v0.1.0-1 [`d08e571`](https://github.com/karmaniverous/jeeves-server/commit/d08e571d58bb6387e69441dc06511d92fb743c15)
+- chore: release @karmaniverous/jeeves-server v3.0.0 [`ef408c3`](https://github.com/karmaniverous/jeeves-server/commit/ef408c37ee306417ee24d58b256cba672f7984c1)
+- chore: release @karmaniverous/jeeves-server-openclaw v0.1.0 [`bbeac17`](https://github.com/karmaniverous/jeeves-server/commit/bbeac17333ebad423b0fd8c2bcd310bbb0b63b27)
 - fix: make +N more chip overflow a clickable link that expands the result [`d56ed6a`](https://github.com/karmaniverous/jeeves-server/commit/d56ed6a69526f96697ec8aa9922e104510b2a9f8)
+- fix: increase facets timeout to 15s, add error logging [`dfda5dd`](https://github.com/karmaniverous/jeeves-server/commit/dfda5dd22b06f9fbabff2572d4a8a2ddf3c55be9)
+- fix: use type=number input for number facets [`c245b6a`](https://github.com/karmaniverous/jeeves-server/commit/c245b6ae5dc9f7d762aebac21a9ca7f342f44024)
 - fix: prevent full data reload on tab switch (only reload on path change) [`6390b14`](https://github.com/karmaniverous/jeeves-server/commit/6390b1409db92ec001cd2071cea6757a4c8fa081)
+- fix: close SearchableSelect dropdown on outside click (capture phase) [`f85d8dd`](https://github.com/karmaniverous/jeeves-server/commit/f85d8dda1db97016b9f6d8244fac34bdaba2d1b1)
 - Revert "fix: Rendered tab persists when switching to Raw on watcher-rendered files" [`71b79d4`](https://github.com/karmaniverous/jeeves-server/commit/71b79d4f8a839dcf5d865d7a747bb30e1cb43db3)
 - feat: search facets, metadata chips, and click-to-filter [`20eeee8`](https://github.com/karmaniverous/jeeves-server/commit/20eeee8b6524d6a29ba99822e06ea57bef994fef)
 - chore: add client as workspace member, align puppeteer versions [`6e3a40d`](https://github.com/karmaniverous/jeeves-server/commit/6e3a40dfdb91ffe2e39877d1b69b36db3e01f863)
@@ -78,6 +88,7 @@ All notable changes to this project will be documented in this file. Dates are d
 - chore: SOLID/DRY pass #3 + plugin test coverage [`7dcc4c3`](https://github.com/karmaniverous/jeeves-server/commit/7dcc4c3ad36a45a46dc99c8a1e749dfd2ec01e47)
 - feat: add CLI commands (start, config validate/show, service) [`0437984`](https://github.com/karmaniverous/jeeves-server/commit/0437984e7f783604f9cbdd333db61f8d1af42961)
 - fix: resolve knip unused files, dependencies, and exports [`964beba`](https://github.com/karmaniverous/jeeves-server/commit/964beba273f99be8d3302648c2dd442a3e3dcc07)
+- chore: release @karmaniverous/jeeves-server-openclaw v0.1.0-0 [`b6c0f6d`](https://github.com/karmaniverous/jeeves-server/commit/b6c0f6db6ab8bbdcffb40affc00f9f573ca2caa5)
 - fix: address all gap analysis findings [`1eb02ab`](https://github.com/karmaniverous/jeeves-server/commit/1eb02abf0634be38c687d4927a2360cd27c3aad8)
 - npm audit fix [`3a144b4`](https://github.com/karmaniverous/jeeves-server/commit/3a144b4b07e1387cf40733486e60aeaf7a34d0a6)
 - feat: add GET /api/link-info endpoint [`02ece39`](https://github.com/karmaniverous/jeeves-server/commit/02ece3960aa91861455034aa4bfe8850c0b0f363)
@@ -87,6 +98,7 @@ All notable changes to this project will be documented in this file. Dates are d
 - chore: SOLID/DRY/test coverage pass [`e491bfb`](https://github.com/karmaniverous/jeeves-server/commit/e491bfbbce7fef13252c2488378b85e983a2207a)
 - refactor: extract buildRuntimeConfig to resolve.ts (DRY) [`87bd749`](https://github.com/karmaniverous/jeeves-server/commit/87bd749c6827e3c95e2ff9996ab1b781cb316932)
 - fix: address Gemini code review feedback across PRs #65-#76 [`2fef919`](https://github.com/karmaniverous/jeeves-server/commit/2fef9192b00c80605c9cca348ea7feff5af2602a)
+- fix: make resetConfig reload runtime config [`79e8602`](https://github.com/karmaniverous/jeeves-server/commit/79e8602b4a8ee13c4de94bb3d262dd8bdb7cd2c8)
 - refactor: extract shared renderMarkdownContent pipeline [`244dddf`](https://github.com/karmaniverous/jeeves-server/commit/244dddf83da846d2863e776ae78a029610532d2d)
 - feat: schema-driven search facet filters (Step 10) [`c305c2a`](https://github.com/karmaniverous/jeeves-server/commit/c305c2ae261514411b6329bdc84052ee5c189759)
 - feat: add scroll anchoring for async diagram renders [`e4bd972`](https://github.com/karmaniverous/jeeves-server/commit/e4bd97293dbb8a9a63d5cf3bceb6e0cbb7a26916)
@@ -104,11 +116,6 @@ All notable changes to this project will be documented in this file. Dates are d
 - fix: update linux-compat CI for monorepo paths [`22dd30f`](https://github.com/karmaniverous/jeeves-server/commit/22dd30ffe5543042287a299523e5b1125c86381e)
 - chore: eliminate all lint warnings [`ed12c86`](https://github.com/karmaniverous/jeeves-server/commit/ed12c868546a3f14f7d809d7378235ac91415be7)
 - fix: CI rimraf resolution and remove redundant client steps [`757c45c`](https://github.com/karmaniverous/jeeves-server/commit/757c45cf429e7c70358442e353922f7999d74640)
-- chore: release @karmaniverous/jeeves-server v3.0.0 [`ef408c3`](https://github.com/karmaniverous/jeeves-server/commit/ef408c37ee306417ee24d58b256cba672f7984c1)
-- chore: release @karmaniverous/jeeves-server-openclaw v0.1.0 [`bbeac17`](https://github.com/karmaniverous/jeeves-server/commit/bbeac17333ebad423b0fd8c2bcd310bbb0b63b27)
-- fix: increase facets timeout to 15s, add error logging [`dfda5dd`](https://github.com/karmaniverous/jeeves-server/commit/dfda5dd22b06f9fbabff2572d4a8a2ddf3c55be9)
-- fix: use type=number input for number facets [`c245b6a`](https://github.com/karmaniverous/jeeves-server/commit/c245b6ae5dc9f7d762aebac21a9ca7f342f44024)
-- fix: close SearchableSelect dropdown on outside click (capture phase) [`f85d8dd`](https://github.com/karmaniverous/jeeves-server/commit/f85d8dda1db97016b9f6d8244fac34bdaba2d1b1)
 - fix: server_browse and server_export route mismatches [`82ef907`](https://github.com/karmaniverous/jeeves-server/commit/82ef907750dbb0d47158254cd21b7a8196d8eaeb)
 - npm audit fix [`2f3b5c8`](https://github.com/karmaniverous/jeeves-server/commit/2f3b5c89af0bf56b17fd37719f5927812f2c8e24)
 - publishconfig public access [`8e4358c`](https://github.com/karmaniverous/jeeves-server/commit/8e4358cc43dc2f131840047d34f2644eb6293fe2)

package/dist/src/auth/keys.js CHANGED Viewed

@@ -24,9 +24,21 @@ function pathMatchesPatterns(requestPath, patterns) {
 }
 /**
  * Check whether a request path matches normalized scopes (allow/deny).
- * Path must match at least one allow rule AND NOT match any deny rule.
+ *
+ * Evaluation order (explicit overrides take highest precedence):
+ * 1. If explicitDeny matches → DENIED (overrides named allow)
+ * 2. If explicitAllow matches → ALLOWED (overrides named deny)
+ * 3. Path must match at least one allow rule AND NOT match any deny rule.
  */
 function pathMatchesScopes(requestPath, scopes) {
+    // Explicit overrides take precedence over named scope patterns
+    if (scopes.explicitDeny.length > 0 &&
+        pathMatchesPatterns(requestPath, scopes.explicitDeny))
+        return false;
+    if (scopes.explicitAllow.length > 0 &&
+        pathMatchesPatterns(requestPath, scopes.explicitAllow))
+        return true;
+    // Standard evaluation: allow AND NOT deny
     if (!pathMatchesPatterns(requestPath, scopes.allow))
         return false;
     if (scopes.deny.length > 0 && pathMatchesPatterns(requestPath, scopes.deny))

package/dist/src/auth/keys.test.js ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * Tests for scope override precedence in key verification.
+ *
+ * Verifies the three-tier evaluation order:
+ * 1. explicitDeny → DENIED (overrides named allow)
+ * 2. explicitAllow → ALLOWED (overrides named deny)
+ * 3. Standard allow AND NOT deny
+ */
+import { describe, expect, it } from 'vitest';
+import { _pathMatchesScopes as pathMatchesScopes } from './keys.js';
+describe('pathMatchesScopes', () => {
+    it('allows a path matching allow and not deny', () => {
+        expect(pathMatchesScopes('/d/projects/foo', {
+            allow: ['/d/projects/**'],
+            deny: [],
+            explicitAllow: [],
+            explicitDeny: [],
+        })).toBe(true);
+    });
+    it('denies a path not matching any allow', () => {
+        expect(pathMatchesScopes('/d/secrets/foo', {
+            allow: ['/d/projects/**'],
+            deny: [],
+            explicitAllow: [],
+            explicitDeny: [],
+        })).toBe(false);
+    });
+    it('denies a path matching a deny pattern', () => {
+        expect(pathMatchesScopes('/d/projects/secret/foo', {
+            allow: ['/d/projects/**'],
+            deny: ['/d/projects/secret/**'],
+            explicitAllow: [],
+            explicitDeny: [],
+        })).toBe(false);
+    });
+    it('explicit allow overrides named deny', () => {
+        expect(pathMatchesScopes('/j/domains/projects/jill/doc.md', {
+            allow: ['/j/domains/projects/**'],
+            deny: ['/j/domains/projects/jill/**'],
+            explicitAllow: ['/j/domains/projects/jill/**'],
+            explicitDeny: [],
+        })).toBe(true);
+    });
+    it('explicit deny overrides named allow', () => {
+        expect(pathMatchesScopes('/d/repos/secret/code.ts', {
+            allow: ['/d/repos/**'],
+            deny: [],
+            explicitAllow: [],
+            explicitDeny: ['/d/repos/secret/**'],
+        })).toBe(false);
+    });
+    it('explicit deny takes precedence over explicit allow', () => {
+        expect(pathMatchesScopes('/d/repos/secret/code.ts', {
+            allow: ['/d/repos/**'],
+            deny: [],
+            explicitAllow: ['/d/repos/secret/**'],
+            explicitDeny: ['/d/repos/secret/**'],
+        })).toBe(false);
+    });
+    it('path not in any scope is denied even with explicit allow on different path', () => {
+        expect(pathMatchesScopes('/totally/elsewhere', {
+            allow: ['/d/projects/**'],
+            deny: [],
+            explicitAllow: ['/j/domains/projects/jill/**'],
+            explicitDeny: [],
+        })).toBe(false);
+    });
+    it('Robert/Jill scenario: projects + no-private + explicit jill allow', () => {
+        // Named scopes: projects (allow /j/domains/projects/**) + no-private (deny /j/domains/projects/jill/**)
+        // Explicit: allow /j/domains/projects/jill/**
+        const scopes = {
+            allow: ['/j/domains/projects/**'],
+            deny: ['/j/domains/projects/jill/**'],
+            explicitAllow: ['/j/domains/projects/jill/**'],
+            explicitDeny: [],
+        };
+        // Jill's project should be accessible (explicit allow overrides named deny)
+        expect(pathMatchesScopes('/j/domains/projects/jill/thesis.md', scopes)).toBe(true);
+        // Other projects should work normally
+        expect(pathMatchesScopes('/j/domains/projects/jeeves-server/readme.md', scopes)).toBe(true);
+        // Other private projects (if they existed) would still be denied
+        // (only jill is explicitly allowed)
+    });
+});

package/dist/src/config/loadConfig.test.js CHANGED Viewed

@@ -117,7 +117,12 @@ describe('loadConfig', () => {
             },
         });
         const config = await loadConfig(configPath);
-        expect(config.resolvedInsiders.find((i) => i.email === 'a@example.com')?.scopes).toEqual({ allow: ['/docs/**'], deny: [] });
+        expect(config.resolvedInsiders.find((i) => i.email === 'a@example.com')?.scopes).toEqual({
+            allow: ['/docs/**'],
+            deny: [],
+            explicitAllow: [],
+            explicitDeny: [],
+        });
     });
 });
 describe('config singleton', () => {

package/dist/src/config/resolve.js CHANGED Viewed

@@ -18,14 +18,21 @@ export function normalizeScopes(raw) {
     if (raw === undefined || raw === null)
         return null;
     if (typeof raw === 'string')
-        return { allow: [raw], deny: [] };
+        return { allow: [raw], deny: [], explicitAllow: [], explicitDeny: [] };
     if (Array.isArray(raw))
-        return { allow: raw, deny: [] };
+        return {
+            allow: raw,
+            deny: [],
+            explicitAllow: [],
+            explicitDeny: [],
+        };
     if (typeof raw === 'object') {
         const obj = raw;
         return {
             allow: obj.allow ?? ['/**'],
             deny: obj.deny ?? [],
+            explicitAllow: [],
+            explicitDeny: [],
         };
     }
     return null;
@@ -43,6 +50,8 @@ export function resolveNamedScopes(named, rawScopes, overrides) {
             return {
                 allow: overrides.allow ?? ['/**'],
                 deny: overrides.deny ?? [],
+                explicitAllow: overrides.allow ?? [],
+                explicitDeny: overrides.deny ?? [],
             };
         }
         return null;
@@ -76,6 +85,8 @@ export function resolveNamedScopes(named, rawScopes, overrides) {
         return {
             allow: allow.length > 0 ? allow : ['/**'],
             deny,
+            explicitAllow: overrides?.allow ?? [],
+            explicitDeny: overrides?.deny ?? [],
         };
     }
     // Legacy inline scopes
@@ -86,6 +97,8 @@ export function resolveNamedScopes(named, rawScopes, overrides) {
         normalized.allow.push(...overrides.allow);
     if (overrides?.deny)
         normalized.deny.push(...overrides.deny);
+    normalized.explicitAllow = overrides?.allow ?? [];
+    normalized.explicitDeny = overrides?.deny ?? [];
     return normalized;
 }
 /**

package/dist/src/config/resolve.test.js CHANGED Viewed

@@ -11,23 +11,36 @@ describe('normalizeScopes', () => {
         expect(normalizeScopes(null)).toBe(null);
     });
     it('wraps a string in allow array', () => {
-        expect(normalizeScopes('/docs')).toEqual({ allow: ['/docs'], deny: [] });
+        expect(normalizeScopes('/docs')).toEqual({
+            allow: ['/docs'],
+            deny: [],
+            explicitAllow: [],
+            explicitDeny: [],
+        });
     });
     it('wraps an array as allow', () => {
         expect(normalizeScopes(['/a', '/b'])).toEqual({
             allow: ['/a', '/b'],
             deny: [],
+            explicitAllow: [],
+            explicitDeny: [],
         });
     });
     it('fills defaults for partial object', () => {
         expect(normalizeScopes({ deny: ['/secret'] })).toEqual({
             allow: ['/**'],
             deny: ['/secret'],
+            explicitAllow: [],
+            explicitDeny: [],
         });
     });
     it('passes through complete object', () => {
         const scopes = { allow: ['/a'], deny: ['/b'] };
-        expect(normalizeScopes(scopes)).toEqual(scopes);
+        expect(normalizeScopes(scopes)).toEqual({
+            ...scopes,
+            explicitAllow: [],
+            explicitDeny: [],
+        });
     });
 });
 describe('resolveKeys', () => {
@@ -43,7 +56,12 @@ describe('resolveKeys', () => {
         }, {});
         expect(result[0].name).toBe('scoped');
         expect(result[0].seed).toBe('seed456');
-        expect(result[0].scopes).toEqual({ allow: ['/docs'], deny: [] });
+        expect(result[0].scopes).toEqual({
+            allow: ['/docs'],
+            deny: [],
+            explicitAllow: [],
+            explicitDeny: [],
+        });
     });
     it('handles mixed entries', () => {
         const result = resolveKeys({
@@ -52,7 +70,12 @@ describe('resolveKeys', () => {
         }, {});
         expect(result).toHaveLength(2);
         expect(result[0].scopes).toBe(null);
-        expect(result[1].scopes).toEqual({ allow: ['/x'], deny: ['/y'] });
+        expect(result[1].scopes).toEqual({
+            allow: ['/x'],
+            deny: ['/y'],
+            explicitAllow: [],
+            explicitDeny: [],
+        });
     });
 });
 describe('resolveInsiders', () => {
@@ -92,6 +115,8 @@ describe('resolveNamedScopes', () => {
         expect(resolveNamedScopes(named, 'restricted')).toEqual({
             allow: ['/**'],
             deny: ['/secret'],
+            explicitAllow: [],
+            explicitDeny: [],
         });
     });
     it('unions multiple named scopes and merges overrides', () => {
@@ -105,6 +130,8 @@ describe('resolveNamedScopes', () => {
         })).toEqual({
             allow: ['/**', '/extra'],
             deny: ['/secret', '/vc/**', '/more'],
+            explicitAllow: ['/extra'],
+            explicitDeny: ['/more'],
         });
     });
     it('falls back to legacy inline scope strings', () => {
@@ -112,6 +139,8 @@ describe('resolveNamedScopes', () => {
         expect(resolveNamedScopes(named, '/docs')).toEqual({
             allow: ['/docs'],
             deny: [],
+            explicitAllow: [],
+            explicitDeny: [],
         });
     });
 });

package/dist/src/services/markdown.js CHANGED Viewed

@@ -83,6 +83,10 @@ export function parseMarkdown(markdown, options = {}) {
         const text = typeof args === 'object' ? args.text : args;
         const raw = typeof args === 'object' && args.raw ? args.raw : text;
         const level = typeof args === 'object' ? args.depth : 1;
+        // Parse inline tokens to render code spans, bold, italic, links, etc.
+        const renderedText = typeof args === 'object' && args.tokens
+            ? this.parser.parseInline(args.tokens)
+            : text;
         const slug = raw
             .toLowerCase()
             .replace(/<[^>]+>/g, '')
@@ -90,8 +94,12 @@ export function parseMarkdown(markdown, options = {}) {
             .replace(/\s+/g, '-')
             .replace(/-+/g, '-')
             .replace(/^-|-$/g, '');
-        headings.push({ level, text: text.replace(/<[^>]+>/g, ''), slug });
-        return `<h${String(level)} id="${slug}">${text} <a href="#${slug}" class="anchor">#</a></h${String(level)}>\n`;
+        headings.push({
+            level,
+            text: renderedText.replace(/<[^>]+>/g, ''),
+            slug,
+        });
+        return `<h${String(level)} id="${slug}">${renderedText} <a href="#${slug}" class="anchor">#</a></h${String(level)}>\n`;
     };
     // Rewrite relative image src to /path/ URLs
     if (options.basePath) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@karmaniverous/jeeves-server",
-  "version": "3.1.1",
+  "version": "3.1.3",
   "description": "Secure file browser, markdown viewer, and webhook gateway with PDF/DOCX export and expiring share links",
   "keywords": [
     "fastify",

package/src/auth/keys.test.ts ADDED Viewed

@@ -0,0 +1,115 @@
+/**
+ * Tests for scope override precedence in key verification.
+ *
+ * Verifies the three-tier evaluation order:
+ * 1. explicitDeny → DENIED (overrides named allow)
+ * 2. explicitAllow → ALLOWED (overrides named deny)
+ * 3. Standard allow AND NOT deny
+ */
+import { describe, expect, it } from 'vitest';
+import { _pathMatchesScopes as pathMatchesScopes } from './keys.js';
+describe('pathMatchesScopes', () => {
+  it('allows a path matching allow and not deny', () => {
+    expect(
+      pathMatchesScopes('/d/projects/foo', {
+        allow: ['/d/projects/**'],
+        deny: [],
+        explicitAllow: [],
+        explicitDeny: [],
+      }),
+    ).toBe(true);
+  });
+  it('denies a path not matching any allow', () => {
+    expect(
+      pathMatchesScopes('/d/secrets/foo', {
+        allow: ['/d/projects/**'],
+        deny: [],
+        explicitAllow: [],
+        explicitDeny: [],
+      }),
+    ).toBe(false);
+  });
+  it('denies a path matching a deny pattern', () => {
+    expect(
+      pathMatchesScopes('/d/projects/secret/foo', {
+        allow: ['/d/projects/**'],
+        deny: ['/d/projects/secret/**'],
+        explicitAllow: [],
+        explicitDeny: [],
+      }),
+    ).toBe(false);
+  });
+  it('explicit allow overrides named deny', () => {
+    expect(
+      pathMatchesScopes('/j/domains/projects/jill/doc.md', {
+        allow: ['/j/domains/projects/**'],
+        deny: ['/j/domains/projects/jill/**'],
+        explicitAllow: ['/j/domains/projects/jill/**'],
+        explicitDeny: [],
+      }),
+    ).toBe(true);
+  });
+  it('explicit deny overrides named allow', () => {
+    expect(
+      pathMatchesScopes('/d/repos/secret/code.ts', {
+        allow: ['/d/repos/**'],
+        deny: [],
+        explicitAllow: [],
+        explicitDeny: ['/d/repos/secret/**'],
+      }),
+    ).toBe(false);
+  });
+  it('explicit deny takes precedence over explicit allow', () => {
+    expect(
+      pathMatchesScopes('/d/repos/secret/code.ts', {
+        allow: ['/d/repos/**'],
+        deny: [],
+        explicitAllow: ['/d/repos/secret/**'],
+        explicitDeny: ['/d/repos/secret/**'],
+      }),
+    ).toBe(false);
+  });
+  it('path not in any scope is denied even with explicit allow on different path', () => {
+    expect(
+      pathMatchesScopes('/totally/elsewhere', {
+        allow: ['/d/projects/**'],
+        deny: [],
+        explicitAllow: ['/j/domains/projects/jill/**'],
+        explicitDeny: [],
+      }),
+    ).toBe(false);
+  });
+  it('Robert/Jill scenario: projects + no-private + explicit jill allow', () => {
+    // Named scopes: projects (allow /j/domains/projects/**) + no-private (deny /j/domains/projects/jill/**)
+    // Explicit: allow /j/domains/projects/jill/**
+    const scopes = {
+      allow: ['/j/domains/projects/**'],
+      deny: ['/j/domains/projects/jill/**'],
+      explicitAllow: ['/j/domains/projects/jill/**'],
+      explicitDeny: [],
+    };
+    // Jill's project should be accessible (explicit allow overrides named deny)
+    expect(
+      pathMatchesScopes('/j/domains/projects/jill/thesis.md', scopes),
+    ).toBe(true);
+    // Other projects should work normally
+    expect(
+      pathMatchesScopes('/j/domains/projects/jeeves-server/readme.md', scopes),
+    ).toBe(true);
+    // Other private projects (if they existed) would still be denied
+    // (only jill is explicitly allowed)
+  });
+});

package/src/auth/keys.ts CHANGED Viewed

@@ -44,12 +44,29 @@ function pathMatchesPatterns(requestPath: string, patterns: string[]): boolean {
 /**
  * Check whether a request path matches normalized scopes (allow/deny).
- * Path must match at least one allow rule AND NOT match any deny rule.
+ *
+ * Evaluation order (explicit overrides take highest precedence):
+ * 1. If explicitDeny matches → DENIED (overrides named allow)
+ * 2. If explicitAllow matches → ALLOWED (overrides named deny)
+ * 3. Path must match at least one allow rule AND NOT match any deny rule.
  */
 function pathMatchesScopes(
   requestPath: string,
   scopes: NormalizedScopes,
 ): boolean {
+  // Explicit overrides take precedence over named scope patterns
+  if (
+    scopes.explicitDeny.length > 0 &&
+    pathMatchesPatterns(requestPath, scopes.explicitDeny)
+  )
+    return false;
+  if (
+    scopes.explicitAllow.length > 0 &&
+    pathMatchesPatterns(requestPath, scopes.explicitAllow)
+  )
+    return true;
+  // Standard evaluation: allow AND NOT deny
   if (!pathMatchesPatterns(requestPath, scopes.allow)) return false;
   if (scopes.deny.length > 0 && pathMatchesPatterns(requestPath, scopes.deny))
     return false;

package/src/config/loadConfig.test.ts CHANGED Viewed

@@ -147,7 +147,12 @@ describe('loadConfig', () => {
     const config = await loadConfig(configPath);
     expect(
       config.resolvedInsiders.find((i) => i.email === 'a@example.com')?.scopes,
-    ).toEqual({ allow: ['/docs/**'], deny: [] });
+    ).toEqual({
+      allow: ['/docs/**'],
+      deny: [],
+      explicitAllow: [],
+      explicitDeny: [],
+    });
   });
 });

package/src/config/resolve.test.ts CHANGED Viewed

@@ -25,13 +25,20 @@ describe('normalizeScopes', () => {
   });
   it('wraps a string in allow array', () => {
-    expect(normalizeScopes('/docs')).toEqual({ allow: ['/docs'], deny: [] });
+    expect(normalizeScopes('/docs')).toEqual({
+      allow: ['/docs'],
+      deny: [],
+      explicitAllow: [],
+      explicitDeny: [],
+    });
   });
   it('wraps an array as allow', () => {
     expect(normalizeScopes(['/a', '/b'])).toEqual({
       allow: ['/a', '/b'],
       deny: [],
+      explicitAllow: [],
+      explicitDeny: [],
     });
   });
@@ -39,12 +46,18 @@ describe('normalizeScopes', () => {
     expect(normalizeScopes({ deny: ['/secret'] })).toEqual({
       allow: ['/**'],
       deny: ['/secret'],
+      explicitAllow: [],
+      explicitDeny: [],
     });
   });
   it('passes through complete object', () => {
     const scopes = { allow: ['/a'], deny: ['/b'] };
-    expect(normalizeScopes(scopes)).toEqual(scopes);
+    expect(normalizeScopes(scopes)).toEqual({
+      ...scopes,
+      explicitAllow: [],
+      explicitDeny: [],
+    });
   });
 });
@@ -65,7 +78,12 @@ describe('resolveKeys', () => {
     );
     expect(result[0].name).toBe('scoped');
     expect(result[0].seed).toBe('seed456');
-    expect(result[0].scopes).toEqual({ allow: ['/docs'], deny: [] });
+    expect(result[0].scopes).toEqual({
+      allow: ['/docs'],
+      deny: [],
+      explicitAllow: [],
+      explicitDeny: [],
+    });
   });
   it('handles mixed entries', () => {
@@ -78,7 +96,12 @@ describe('resolveKeys', () => {
     );
     expect(result).toHaveLength(2);
     expect(result[0].scopes).toBe(null);
-    expect(result[1].scopes).toEqual({ allow: ['/x'], deny: ['/y'] });
+    expect(result[1].scopes).toEqual({
+      allow: ['/x'],
+      deny: ['/y'],
+      explicitAllow: [],
+      explicitDeny: [],
+    });
   });
 });
@@ -128,6 +151,8 @@ describe('resolveNamedScopes', () => {
     expect(resolveNamedScopes(named, 'restricted')).toEqual({
       allow: ['/**'],
       deny: ['/secret'],
+      explicitAllow: [],
+      explicitDeny: [],
     });
   });
@@ -144,6 +169,8 @@ describe('resolveNamedScopes', () => {
     ).toEqual({
       allow: ['/**', '/extra'],
       deny: ['/secret', '/vc/**', '/more'],
+      explicitAllow: ['/extra'],
+      explicitDeny: ['/more'],
     });
   });
@@ -152,6 +179,8 @@ describe('resolveNamedScopes', () => {
     expect(resolveNamedScopes(named, '/docs')).toEqual({
       allow: ['/docs'],
       deny: [],
+      explicitAllow: [],
+      explicitDeny: [],
     });
   });
 });