@karmaniverous/jeeves-server 3.2.1 → 3.3.1

package/CHANGELOG.md

@@ -2,9 +2,27 @@
 
 All notable changes to this project will be documented in this file. Dates are displayed in UTC.
 
-#### [3.2.1](https://github.com/karmaniverous/jeeves-server/compare/service/3.2.0...3.2.1)
+#### [3.3.1](https://github.com/karmaniverous/jeeves-server/compare/service/3.3.0...3.3.1)
+
+- Add configurable host bind + metaUrl service probe [`#114`](https://github.com/karmaniverous/jeeves-server/pull/114)
+- chore: release @karmaniverous/jeeves-server-openclaw v0.4.0 [`566e438`](https://github.com/karmaniverous/jeeves-server/commit/566e438a5262e5f2e80db4690c9907b6658e5519)
+- [113] feat: add host bind and metaUrl config options [`798d133`](https://github.com/karmaniverous/jeeves-server/commit/798d133825f99f5a5fc19bb0ba9093b757f62f0f)
+- npm audit fix [`a07adac`](https://github.com/karmaniverous/jeeves-server/commit/a07adac906ca032bedeef25b16b9e0c05231b4b0)
+
+#### [service/3.3.0](https://github.com/karmaniverous/jeeves-server/compare/service/3.2.1...service/3.3.0)
+
+> 21 March 2026
+
+- feat: core v0.2.0 SDK adoption [`#111`](https://github.com/karmaniverous/jeeves-server/pull/111)
+- chore: release @karmaniverous/jeeves-server-openclaw v0.3.1 [`11309c1`](https://github.com/karmaniverous/jeeves-server/commit/11309c1c3d82f6950b3d0291546206b523df83fa)
+- chore: release @karmaniverous/jeeves-server v3.3.0 [`1b1aec6`](https://github.com/karmaniverous/jeeves-server/commit/1b1aec644106ce05576e608d278a37860a47de61)
+
+#### [service/3.2.1](https://github.com/karmaniverous/jeeves-server/compare/service/3.2.0...service/3.2.1)
+
+> 19 March 2026
 
 - fix(openclaw): bundle @karmaniverous/jeeves into plugin dist [`61fb7ac`](https://github.com/karmaniverous/jeeves-server/commit/61fb7ac3f91a036cef16720c16c33fe399f7c4e6)
+- chore: release @karmaniverous/jeeves-server v3.2.1 [`f13677b`](https://github.com/karmaniverous/jeeves-server/commit/f13677bd1cd020416ba510eaabc58ad85ee9aabf)
 - chore(openclaw): use resolveWorkspacePath from jeeves 0.1.4 [`71ddd58`](https://github.com/karmaniverous/jeeves-server/commit/71ddd588f1b5736f0cbd4d81d42bb0f9356eafe8)
 - chore(openclaw): update jeeves to 0.1.6, add servicePackage/pluginPackage [`1847ff7`](https://github.com/karmaniverous/jeeves-server/commit/1847ff750613b3770198b20b4bacd7e93bf0ec52)
 - chore(openclaw): update @karmaniverous/jeeves to 0.1.5 [`c8b040b`](https://github.com/karmaniverous/jeeves-server/commit/c8b040bfa945b3814cbde9395cf1d3f00cdd64a8)

package/dist/src/cli/commands/config.js

@@ -20,6 +20,7 @@ export function registerConfigCommand(cli) {
             const cfg = await loadConfig(options.config);
             console.log('\u2713 Configuration valid');
             console.log(`  Port: ${String(cfg.port)}`);
+            console.log(`  Host: ${cfg.host}`);
             console.log(`  Auth modes: ${cfg.authModes.join(', ')}`);
             console.log(`  Keys: ${String(cfg.resolvedKeys.length)}`);
             console.log(`  Insiders: ${String(cfg.resolvedInsiders.length)}`);
@@ -28,6 +29,8 @@ export function registerConfigCommand(cli) {
                 console.log(`  Watcher: ${cfg.watcherUrl}`);
             if (cfg.runnerUrl)
                 console.log(`  Runner: ${cfg.runnerUrl}`);
+            if (cfg.metaUrl)
+                console.log(`  Meta: ${cfg.metaUrl}`);
         }
         catch (error) {
             console.error('\u2717 Configuration invalid');
@@ -46,6 +49,7 @@ export function registerConfigCommand(cli) {
             console.log('');
             console.log('Server:');
             console.log(`  port: ${String(cfg.port)}`);
+            console.log(`  host: ${cfg.host}`);
             console.log(`  chromePath: ${cfg.chromePath}`);
             if (cfg.roots) {
                 console.log(`  roots: ${JSON.stringify(cfg.roots)}`);
@@ -69,6 +73,7 @@ export function registerConfigCommand(cli) {
             console.log('Integrations:');
             console.log(`  watcherUrl: ${cfg.watcherUrl ?? 'not configured'}`);
             console.log(`  runnerUrl: ${cfg.runnerUrl ?? 'not configured'}`);
+            console.log(`  metaUrl: ${cfg.metaUrl ?? 'not configured'}`);
             console.log('');
             console.log('Events:');
             const eventNames = Object.keys(cfg.events);

package/dist/src/config/resolve.js

@@ -186,6 +186,7 @@ export function buildRuntimeConfig(config, rootDir, configPath) {
     const resolvedInsiders = resolveInsiders(config.insiders, config.scopes, stateFile);
     return {
         port: config.port,
+        host: config.host,
         eventTimeoutMs: config.eventTimeoutMs,
         eventLogPurgeMs: config.eventLogPurgeMs,
         maxZipSizeMb: config.maxZipSizeMb,
@@ -216,6 +217,7 @@ export function buildRuntimeConfig(config, rootDir, configPath) {
         internalInsiderKey: deriveInternalKey(resolvedKeys),
         runnerUrl: config.runnerUrl,
         watcherUrl: config.watcherUrl,
+        metaUrl: config.metaUrl,
         diagramCachePath: config.diagramCachePath,
         configPath,
         eventsLog: path.join(rootDir, 'logs', 'webhook-events.jsonl'),

package/dist/src/config/resolve.test.js

@@ -187,6 +187,8 @@ describe('buildRuntimeConfig', () => {
     it('constructs correct path fields', () => {
         const config = {
             port: 1934,
+            host: '0.0.0.0',
+            metaUrl: 'http://127.0.0.1:1938',
             eventTimeoutMs: 30000,
             eventLogPurgeMs: 2592000000,
             maxZipSizeMb: 100,

package/dist/src/config/schema.js

@@ -89,6 +89,12 @@ function getScopeRefs(scopes) {
 export const jeevesConfigSchema = z
     .object({
     port: z.number().int().positive().default(1934),
+    /**
+     * Network interface to bind the server to.
+     * Default: '0.0.0.0' (all interfaces — required for external access by insiders, share links, etc.)
+     * Set to '127.0.0.1' to restrict to loopback only.
+     */
+    host: z.string().min(1).default('0.0.0.0'),
     chromePath: z.string().min(1),
     auth: authSchema,
     /** Named scope definitions, referenced by insiders/keys/outsiderPolicy */
@@ -139,6 +145,11 @@ export const jeevesConfigSchema = z
      * When set, the search UI appears in the header. Example: 'http://localhost:3458'
      */
     watcherUrl: z.url().optional(),
+    /**
+     * URL of the jeeves-meta API for synthesis engine health checks.
+     * Default: 'http://127.0.0.1:1938'
+     */
+    metaUrl: z.url().default('http://127.0.0.1:1938'),
     /**
      * Global outsider policy â€" constrains which paths are eligible for outsider sharing.
      * Uses the same allow/deny model as insider scopes.

package/dist/src/routes/api/status.js

@@ -30,9 +30,10 @@ async function checkService(url) {
 export const statusRoutes = async (fastify) => {
     fastify.get('/api/status', async (request) => {
         const config = getConfig();
-        const [watcher, runner] = await Promise.all([
+        const [watcher, runner, meta] = await Promise.all([
             config.watcherUrl ? checkService(config.watcherUrl) : null,
             config.runnerUrl ? checkService(config.runnerUrl) : null,
+            config.metaUrl ? checkService(config.metaUrl) : null,
         ]);
         return {
             version: packageVersion,
@@ -67,6 +68,7 @@ export const statusRoutes = async (fastify) => {
             services: {
                 watcher,
                 runner,
+                meta,
             },
             ...(request.query.events
                 ? {

package/dist/src/routes/api/status.test.js

@@ -2,6 +2,7 @@ import { describe, expect, it, vi } from 'vitest';
 // Mock config
 const mockConfig = {
     port: 1934,
+    host: '0.0.0.0',
     chromePath: '/usr/bin/chromium',
     authModes: ['keys'],
     resolvedInsiders: [{ email: 'a@b.com' }, { email: 'c@d.com' }],
@@ -17,6 +18,7 @@ const mockConfig = {
     },
     watcherUrl: null,
     runnerUrl: null,
+    metaUrl: null,
     exportFormats: ['pdf', 'docx', 'zip'],
 };
 vi.mock('../../config/index.js', () => ({

package/dist/src/routes/config.js

@@ -0,0 +1,40 @@
+/**
+ * GET /config — query service configuration with optional JSONPath.
+ *
+ * Uses the core SDK's `createConfigQueryHandler()` for JSONPath support.
+ *
+ * @packageDocumentation
+ */
+import { createConfigQueryHandler } from '@karmaniverous/jeeves';
+import { getConfig } from '../config/index.js';
+/** Return a sanitized copy of the config (redact sensitive fields). */
+export function sanitizeConfig(config) {
+    return {
+        ...config,
+        sessionSecret: config.sessionSecret ? '[REDACTED]' : null,
+        internalInsiderKey: config.internalInsiderKey ? '[REDACTED]' : null,
+        googleAuth: config.googleAuth
+            ? {
+                clientId: config.googleAuth.clientId,
+                clientSecret: '[REDACTED]',
+            }
+            : null,
+        resolvedKeys: config.resolvedKeys.map((k) => ({
+            ...k,
+            seed: '[REDACTED]',
+        })),
+        resolvedInsiders: config.resolvedInsiders.map((i) => ({
+            ...i,
+            seed: '[REDACTED]',
+        })),
+    };
+}
+/** Register the GET /config route. */
+export function registerConfigRoute(app) {
+    const configHandler = createConfigQueryHandler(() => sanitizeConfig(getConfig()));
+    app.get('/config', async (request, reply) => {
+        const { path } = request.query;
+        const result = await configHandler({ path });
+        return reply.status(result.status).send(result.body);
+    });
+}

package/dist/src/routes/config.test.js

@@ -0,0 +1,108 @@
+/**
+ * Tests for GET /config route sanitization logic.
+ */
+import { describe, expect, it } from 'vitest';
+import { sanitizeConfig } from './config.js';
+/** Minimal RuntimeConfig fixture with sensitive fields populated. */
+function makeConfig(overrides = {}) {
+    return {
+        port: 1934,
+        host: '0.0.0.0',
+        eventTimeoutMs: 30_000,
+        eventLogPurgeMs: 604_800_000,
+        maxZipSizeMb: 100,
+        chromePath: '/usr/bin/chromium',
+        plantuml: { servers: [] },
+        outsiderPolicy: null,
+        events: {},
+        authModes: ['keys'],
+        resolvedKeys: [
+            {
+                name: 'primary',
+                seed: 'secret-key-seed-abc',
+                scopes: null,
+            },
+        ],
+        resolvedInsiders: [
+            {
+                email: 'jason@example.com',
+                seed: 'secret-insider-seed-xyz',
+                scopes: null,
+                keyCreatedAt: '2026-01-01T00:00:00Z',
+            },
+        ],
+        googleAuth: {
+            clientId: 'public-client-id',
+            clientSecret: 'super-secret-oauth-secret',
+        },
+        sessionSecret: 'session-hmac-secret',
+        internalInsiderKey: 'internal-key-seed',
+        configPath: '/etc/jeeves-server.config.json',
+        eventsLog: '/var/log/events.log',
+        stateFile: '/var/state.json',
+        eventQueuePath: '/var/queue.jsonl',
+        eventQueueCursorPath: '/var/cursor.json',
+        eventLogPath: '/var/event-log.jsonl',
+        ...overrides,
+    };
+}
+describe('sanitizeConfig', () => {
+    it('redacts sessionSecret', () => {
+        const result = sanitizeConfig(makeConfig());
+        expect(result.sessionSecret).toBe('[REDACTED]');
+    });
+    it('returns null for sessionSecret when not configured', () => {
+        const result = sanitizeConfig(makeConfig({ sessionSecret: null }));
+        expect(result.sessionSecret).toBeNull();
+    });
+    it('redacts internalInsiderKey', () => {
+        const result = sanitizeConfig(makeConfig());
+        expect(result.internalInsiderKey).toBe('[REDACTED]');
+    });
+    it('redacts googleAuth.clientSecret but preserves clientId', () => {
+        const result = sanitizeConfig(makeConfig());
+        const auth = result.googleAuth;
+        expect(auth.clientId).toBe('public-client-id');
+        expect(auth.clientSecret).toBe('[REDACTED]');
+    });
+    it('returns null for googleAuth when not configured', () => {
+        const result = sanitizeConfig(makeConfig({ googleAuth: null }));
+        expect(result.googleAuth).toBeNull();
+    });
+    it('redacts all key seeds', () => {
+        const config = makeConfig({
+            resolvedKeys: [
+                { name: 'a', seed: 'seed-a', scopes: null },
+                { name: 'b', seed: 'seed-b', scopes: null },
+            ],
+        });
+        const result = sanitizeConfig(config);
+        const keys = result.resolvedKeys;
+        expect(keys).toHaveLength(2);
+        expect(keys[0].name).toBe('a');
+        expect(keys[0].seed).toBe('[REDACTED]');
+        expect(keys[1].seed).toBe('[REDACTED]');
+    });
+    it('redacts all insider seeds but preserves other fields', () => {
+        const result = sanitizeConfig(makeConfig());
+        const insiders = result.resolvedInsiders;
+        expect(insiders[0].email).toBe('jason@example.com');
+        expect(insiders[0].seed).toBe('[REDACTED]');
+        expect(insiders[0].keyCreatedAt).toBe('2026-01-01T00:00:00Z');
+    });
+    it('preserves non-sensitive fields', () => {
+        const result = sanitizeConfig(makeConfig());
+        expect(result.port).toBe(1934);
+        expect(result.chromePath).toBe('/usr/bin/chromium');
+        expect(result.configPath).toBe('/etc/jeeves-server.config.json');
+    });
+    it('never leaks raw secret values', () => {
+        const config = makeConfig();
+        const json = JSON.stringify(sanitizeConfig(config));
+        expect(json).not.toContain('secret-key-seed-abc');
+        expect(json).not.toContain('secret-insider-seed-xyz');
+        expect(json).not.toContain('super-secret-oauth-secret');
+        expect(json).not.toContain('session-hmac-secret');
+        expect(json).not.toContain('internal-key-seed');
+    });
+});

package/dist/src/server.js

@@ -11,6 +11,7 @@ import Fastify from 'fastify';
 import { getConfig, initConfig, isConfigInitialized } from './config/index.js';
 import { apiRoute } from './routes/api/index.js';
 import { authRoute } from './routes/auth.js';
+import { registerConfigRoute } from './routes/config.js';
 import { eventRoute } from './routes/event.js';
 import { healthRoute } from './routes/health.js';
 import { keysRoute } from './routes/keys.js';
@@ -35,6 +36,7 @@ async function start() {
         // Register routes
         await fastify.register(staticRoutes);
         await fastify.register(healthRoute);
+        registerConfigRoute(fastify);
         await fastify.register(authRoute);
         await fastify.register(keysRoute);
         await fastify.register(eventRoute);
@@ -69,8 +71,8 @@ async function start() {
         initExportCache();
         // Start queue processor
         startQueueProcessor();
-        await fastify.listen({ port: config.port, host: '0.0.0.0' });
-        console.log(`Jeeves server listening on port ${String(config.port)}`);
+        await fastify.listen({ port: config.port, host: config.host });
+        console.log(`Jeeves server listening on ${config.host}:${String(config.port)}`);
         console.log(`Endpoints:`);
         console.log(`  GET  /browse/* - File browser SPA`);
         console.log(`  GET  /api/raw/*    - Raw file serving`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@karmaniverous/jeeves-server",
-  "version": "3.2.1",
+  "version": "3.3.1",
   "description": "Secure file browser, markdown viewer, and webhook gateway with PDF/DOCX export and expiring share links",
   "keywords": [
     "fastify",
@@ -47,6 +47,7 @@
   "license": "MIT",
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
+    "@karmaniverous/jeeves": "^0.2.0",
     "@fastify/cookie": "^11.0.2",
     "@fastify/static": "^8.3.0",
     "@karmaniverous/jsonmap": "^0.3.1",

package/src/cli/commands/config.ts

@@ -27,6 +27,7 @@ export function registerConfigCommand(cli: Command): void {
         const cfg = await loadConfig(options.config);
         console.log('\u2713 Configuration valid');
         console.log(`  Port: ${String(cfg.port)}`);
+        console.log(`  Host: ${cfg.host}`);
         console.log(`  Auth modes: ${cfg.authModes.join(', ')}`);
         console.log(`  Keys: ${String(cfg.resolvedKeys.length)}`);
         console.log(`  Insiders: ${String(cfg.resolvedInsiders.length)}`);
@@ -35,6 +36,7 @@ export function registerConfigCommand(cli: Command): void {
         );
         if (cfg.watcherUrl) console.log(`  Watcher: ${cfg.watcherUrl}`);
         if (cfg.runnerUrl) console.log(`  Runner: ${cfg.runnerUrl}`);
+        if (cfg.metaUrl) console.log(`  Meta: ${cfg.metaUrl}`);
       } catch (error) {
         console.error('\u2717 Configuration invalid');
         console.error(error instanceof Error ? error.message : String(error));
@@ -53,6 +55,7 @@ export function registerConfigCommand(cli: Command): void {
         console.log('');
         console.log('Server:');
         console.log(`  port: ${String(cfg.port)}`);
+        console.log(`  host: ${cfg.host}`);
         console.log(`  chromePath: ${cfg.chromePath}`);
         if (cfg.roots) {
           console.log(`  roots: ${JSON.stringify(cfg.roots)}`);
@@ -78,6 +81,7 @@ export function registerConfigCommand(cli: Command): void {
         console.log('Integrations:');
         console.log(`  watcherUrl: ${cfg.watcherUrl ?? 'not configured'}`);
         console.log(`  runnerUrl: ${cfg.runnerUrl ?? 'not configured'}`);
+        console.log(`  metaUrl: ${cfg.metaUrl ?? 'not configured'}`);
         console.log('');
         console.log('Events:');
         const eventNames = Object.keys(cfg.events);

package/src/config/resolve.test.ts

@@ -236,6 +236,8 @@ describe('buildRuntimeConfig', () => {
   it('constructs correct path fields', () => {
     const config = {
       port: 1934,
+      host: '0.0.0.0',
+      metaUrl: 'http://127.0.0.1:1938',
       eventTimeoutMs: 30000,
       eventLogPurgeMs: 2592000000,
       maxZipSizeMb: 100,

package/src/config/resolve.ts

@@ -250,6 +250,7 @@ export function buildRuntimeConfig(
 
   return {
     port: config.port,
+    host: config.host,
     eventTimeoutMs: config.eventTimeoutMs,
     eventLogPurgeMs: config.eventLogPurgeMs,
     maxZipSizeMb: config.maxZipSizeMb,
@@ -285,6 +286,7 @@ export function buildRuntimeConfig(
     internalInsiderKey: deriveInternalKey(resolvedKeys),
     runnerUrl: config.runnerUrl,
     watcherUrl: config.watcherUrl,
+    metaUrl: config.metaUrl,
     diagramCachePath: config.diagramCachePath,
     configPath,
     eventsLog: path.join(rootDir, 'logs', 'webhook-events.jsonl'),

package/src/config/schema.ts

@@ -100,6 +100,12 @@ function getScopeRefs(scopes: unknown): string[] {
 export const jeevesConfigSchema = z
   .object({
     port: z.number().int().positive().default(1934),
+    /**
+     * Network interface to bind the server to.
+     * Default: '0.0.0.0' (all interfaces — required for external access by insiders, share links, etc.)
+     * Set to '127.0.0.1' to restrict to loopback only.
+     */
+    host: z.string().min(1).default('0.0.0.0'),
     chromePath: z.string().min(1),
     auth: authSchema,
     /** Named scope definitions, referenced by insiders/keys/outsiderPolicy */
@@ -150,6 +156,11 @@ export const jeevesConfigSchema = z
      * When set, the search UI appears in the header. Example: 'http://localhost:3458'
      */
     watcherUrl: z.url().optional(),
+    /**
+     * URL of the jeeves-meta API for synthesis engine health checks.
+     * Default: 'http://127.0.0.1:1938'
+     */
+    metaUrl: z.url().default('http://127.0.0.1:1938'),
     /**
      * Global outsider policy â€" constrains which paths are eligible for outsider sharing.
      * Uses the same allow/deny model as insider scopes.

package/src/config/types.ts

@@ -50,6 +50,7 @@ export interface ResolvedInsider {
  */
 export interface RuntimeConfig {
   port: number;
+  host: string;
   eventTimeoutMs: number;
   eventLogPurgeMs: number;
   maxZipSizeMb: number;
@@ -64,6 +65,7 @@ export interface RuntimeConfig {
   diagramCachePath?: string;
   runnerUrl?: string;
   watcherUrl?: string;
+  metaUrl?: string;
   outsiderPolicy: NormalizedScopes | null;
   events: JeevesConfig['events'];
   authModes: AuthMode[];

package/src/routes/api/status.test.ts

@@ -3,6 +3,7 @@ import { describe, expect, it, vi } from 'vitest';
 // Mock config
 const mockConfig = {
   port: 1934,
+  host: '0.0.0.0',
   chromePath: '/usr/bin/chromium',
   authModes: ['keys'],
   resolvedInsiders: [{ email: 'a@b.com' }, { email: 'c@d.com' }],
@@ -18,6 +19,7 @@ const mockConfig = {
   },
   watcherUrl: null,
   runnerUrl: null,
+  metaUrl: null,
   exportFormats: ['pdf', 'docx', 'zip'],
 };
 

package/src/routes/api/status.ts

@@ -44,9 +44,10 @@ export const statusRoutes: FastifyPluginAsync = async (fastify) => {
     async (request) => {
       const config = getConfig();
 
-      const [watcher, runner] = await Promise.all([
+      const [watcher, runner, meta] = await Promise.all([
         config.watcherUrl ? checkService(config.watcherUrl) : null,
         config.runnerUrl ? checkService(config.runnerUrl) : null,
+        config.metaUrl ? checkService(config.metaUrl) : null,
       ]);
 
       return {
@@ -82,6 +83,7 @@ export const statusRoutes: FastifyPluginAsync = async (fastify) => {
         services: {
           watcher,
           runner,
+          meta,
         },
         ...(request.query.events
           ? {

package/src/routes/config.test.ts

@@ -0,0 +1,133 @@
+/**
+ * Tests for GET /config route sanitization logic.
+ */
+
+import { describe, expect, it } from 'vitest';
+
+import type { RuntimeConfig } from '../config/types.js';
+import { sanitizeConfig } from './config.js';
+
+/** Minimal RuntimeConfig fixture with sensitive fields populated. */
+function makeConfig(overrides: Partial<RuntimeConfig> = {}): RuntimeConfig {
+  return {
+    port: 1934,
+    host: '0.0.0.0',
+    eventTimeoutMs: 30_000,
+    eventLogPurgeMs: 604_800_000,
+    maxZipSizeMb: 100,
+    chromePath: '/usr/bin/chromium',
+    plantuml: { servers: [] },
+    outsiderPolicy: null,
+    events: {},
+    authModes: ['keys'],
+    resolvedKeys: [
+      {
+        name: 'primary',
+        seed: 'secret-key-seed-abc',
+        scopes: null,
+      },
+    ],
+    resolvedInsiders: [
+      {
+        email: 'jason@example.com',
+        seed: 'secret-insider-seed-xyz',
+        scopes: null,
+        keyCreatedAt: '2026-01-01T00:00:00Z',
+      },
+    ],
+    googleAuth: {
+      clientId: 'public-client-id',
+      clientSecret: 'super-secret-oauth-secret',
+    },
+    sessionSecret: 'session-hmac-secret',
+    internalInsiderKey: 'internal-key-seed',
+    configPath: '/etc/jeeves-server.config.json',
+    eventsLog: '/var/log/events.log',
+    stateFile: '/var/state.json',
+    eventQueuePath: '/var/queue.jsonl',
+    eventQueueCursorPath: '/var/cursor.json',
+    eventLogPath: '/var/event-log.jsonl',
+    ...overrides,
+  };
+}
+
+describe('sanitizeConfig', () => {
+  it('redacts sessionSecret', () => {
+    const result = sanitizeConfig(makeConfig()) as Record<string, unknown>;
+    expect(result.sessionSecret).toBe('[REDACTED]');
+  });
+
+  it('returns null for sessionSecret when not configured', () => {
+    const result = sanitizeConfig(
+      makeConfig({ sessionSecret: null }),
+    ) as Record<string, unknown>;
+    expect(result.sessionSecret).toBeNull();
+  });
+
+  it('redacts internalInsiderKey', () => {
+    const result = sanitizeConfig(makeConfig()) as Record<string, unknown>;
+    expect(result.internalInsiderKey).toBe('[REDACTED]');
+  });
+
+  it('redacts googleAuth.clientSecret but preserves clientId', () => {
+    const result = sanitizeConfig(makeConfig()) as Record<string, unknown>;
+    const auth = result.googleAuth as {
+      clientId: string;
+      clientSecret: string;
+    };
+    expect(auth.clientId).toBe('public-client-id');
+    expect(auth.clientSecret).toBe('[REDACTED]');
+  });
+
+  it('returns null for googleAuth when not configured', () => {
+    const result = sanitizeConfig(makeConfig({ googleAuth: null })) as Record<
+      string,
+      unknown
+    >;
+    expect(result.googleAuth).toBeNull();
+  });
+
+  it('redacts all key seeds', () => {
+    const config = makeConfig({
+      resolvedKeys: [
+        { name: 'a', seed: 'seed-a', scopes: null },
+        { name: 'b', seed: 'seed-b', scopes: null },
+      ],
+    });
+    const result = sanitizeConfig(config) as Record<string, unknown>;
+    const keys = result.resolvedKeys as Array<{ name: string; seed: string }>;
+    expect(keys).toHaveLength(2);
+    expect(keys[0].name).toBe('a');
+    expect(keys[0].seed).toBe('[REDACTED]');
+    expect(keys[1].seed).toBe('[REDACTED]');
+  });
+
+  it('redacts all insider seeds but preserves other fields', () => {
+    const result = sanitizeConfig(makeConfig()) as Record<string, unknown>;
+    const insiders = result.resolvedInsiders as Array<{
+      email: string;
+      seed: string;
+      keyCreatedAt: string;
+    }>;
+    expect(insiders[0].email).toBe('jason@example.com');
+    expect(insiders[0].seed).toBe('[REDACTED]');
+    expect(insiders[0].keyCreatedAt).toBe('2026-01-01T00:00:00Z');
+  });
+
+  it('preserves non-sensitive fields', () => {
+    const result = sanitizeConfig(makeConfig()) as Record<string, unknown>;
+    expect(result.port).toBe(1934);
+    expect(result.chromePath).toBe('/usr/bin/chromium');
+    expect(result.configPath).toBe('/etc/jeeves-server.config.json');
+  });
+
+  it('never leaks raw secret values', () => {
+    const config = makeConfig();
+    const json = JSON.stringify(sanitizeConfig(config));
+    expect(json).not.toContain('secret-key-seed-abc');
+    expect(json).not.toContain('secret-insider-seed-xyz');
+    expect(json).not.toContain('super-secret-oauth-secret');
+    expect(json).not.toContain('session-hmac-secret');
+    expect(json).not.toContain('internal-key-seed');
+  });
+});

package/src/routes/config.ts

@@ -0,0 +1,49 @@
+/**
+ * GET /config — query service configuration with optional JSONPath.
+ *
+ * Uses the core SDK's `createConfigQueryHandler()` for JSONPath support.
+ *
+ * @packageDocumentation
+ */
+
+import { createConfigQueryHandler } from '@karmaniverous/jeeves';
+import type { FastifyInstance } from 'fastify';
+
+import { getConfig } from '../config/index.js';
+import type { RuntimeConfig } from '../config/types.js';
+
+/** Return a sanitized copy of the config (redact sensitive fields). */
+export function sanitizeConfig(config: RuntimeConfig): unknown {
+  return {
+    ...config,
+    sessionSecret: config.sessionSecret ? '[REDACTED]' : null,
+    internalInsiderKey: config.internalInsiderKey ? '[REDACTED]' : null,
+    googleAuth: config.googleAuth
+      ? {
+          clientId: config.googleAuth.clientId,
+          clientSecret: '[REDACTED]',
+        }
+      : null,
+    resolvedKeys: config.resolvedKeys.map((k) => ({
+      ...k,
+      seed: '[REDACTED]',
+    })),
+    resolvedInsiders: config.resolvedInsiders.map((i) => ({
+      ...i,
+      seed: '[REDACTED]',
+    })),
+  };
+}
+
+/** Register the GET /config route. */
+export function registerConfigRoute(app: FastifyInstance): void {
+  const configHandler = createConfigQueryHandler(() =>
+    sanitizeConfig(getConfig()),
+  );
+
+  app.get('/config', async (request, reply) => {
+    const { path } = request.query as { path?: string };
+    const result = await configHandler({ path });
+    return reply.status(result.status).send(result.body);
+  });
+}