npm - @kb-labs/adapters - Versions diffs - 0.5.0 - Mend

@kb-labs/adapters 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (276) hide show

package/.cursorrules +32 -0
package/.github/workflows/ci.yml +13 -0
package/.github/workflows/deploy.yml +28 -0
package/.github/workflows/docker-build.yml +25 -0
package/.github/workflows/drift-check.yml +10 -0
package/.github/workflows/profiles-validate.yml +16 -0
package/.github/workflows/release.yml +8 -0
package/.kb/devkit/agents/devkit-maintainer/context.globs +15 -0
package/.kb/devkit/agents/devkit-maintainer/permissions.yml +17 -0
package/.kb/devkit/agents/devkit-maintainer/prompt.md +28 -0
package/.kb/devkit/agents/devkit-maintainer/runbook.md +31 -0
package/.kb/devkit/agents/docs-crafter/prompt.md +24 -0
package/.kb/devkit/agents/docs-crafter/runbook.md +18 -0
package/.kb/devkit/agents/release-manager/context.globs +7 -0
package/.kb/devkit/agents/release-manager/prompt.md +27 -0
package/.kb/devkit/agents/release-manager/runbook.md +17 -0
package/.kb/devkit/agents/test-generator/context.globs +7 -0
package/.kb/devkit/agents/test-generator/prompt.md +27 -0
package/.kb/devkit/agents/test-generator/runbook.md +18 -0
package/CONTRIBUTING.md +90 -0
package/IMPLEMENTATION_COMPLETE.md +416 -0
package/LICENSE +186 -0
package/README-TEMPLATE.md +179 -0
package/README.md +306 -0
package/docs/DOCUMENTATION.md +74 -0
package/docs/adr/0000-template.md +49 -0
package/docs/adr/0001-architecture-and-repository-layout.md +33 -0
package/docs/adr/0002-plugins-and-extensibility.md +46 -0
package/docs/adr/0003-package-and-module-boundaries.md +37 -0
package/docs/adr/0004-versioning-and-release-policy.md +38 -0
package/docs/adr/0005-use-devkit-for-shared-tooling.md +48 -0
package/docs/adr/0006-adopt-devkit-sync.md +47 -0
package/docs/adr/0007-drift-kit-check.md +72 -0
package/docs/adr/0008-devkit-sync-wrapper-strategy.md +67 -0
package/docs/naming-convention.md +272 -0
package/eslint.config.js +27 -0
package/kb-labs.config.json +5 -0
package/package.json +84 -0
package/package.json.bin +25 -0
package/package.json.lib +30 -0
package/packages/adapters-analytics-duckdb/package.json +54 -0
package/packages/adapters-analytics-duckdb/scripts/migrate-from-jsonl.mjs +253 -0
package/packages/adapters-analytics-duckdb/src/index.ts +380 -0
package/packages/adapters-analytics-duckdb/src/manifest.ts +36 -0
package/packages/adapters-analytics-duckdb/src/schema.ts +161 -0
package/packages/adapters-analytics-duckdb/tsconfig.build.json +15 -0
package/packages/adapters-analytics-duckdb/tsconfig.json +9 -0
package/packages/adapters-analytics-duckdb/tsup.config.ts +9 -0
package/packages/adapters-analytics-file/README.md +32 -0
package/packages/adapters-analytics-file/eslint.config.js +27 -0
package/packages/adapters-analytics-file/package.json +50 -0
package/packages/adapters-analytics-file/src/__tests__/daily-stats.spec.ts +287 -0
package/packages/adapters-analytics-file/src/__tests__/scoped-analytics.test.ts +233 -0
package/packages/adapters-analytics-file/src/index.test.ts +214 -0
package/packages/adapters-analytics-file/src/index.ts +830 -0
package/packages/adapters-analytics-file/src/manifest.ts +45 -0
package/packages/adapters-analytics-file/tsconfig.build.json +15 -0
package/packages/adapters-analytics-file/tsconfig.json +9 -0
package/packages/adapters-analytics-file/tsup.config.ts +9 -0
package/packages/adapters-analytics-sqlite/package.json +55 -0
package/packages/adapters-analytics-sqlite/scripts/migrate-from-jsonl.mjs +194 -0
package/packages/adapters-analytics-sqlite/src/index.ts +460 -0
package/packages/adapters-analytics-sqlite/src/manifest.ts +41 -0
package/packages/adapters-analytics-sqlite/tsconfig.build.json +15 -0
package/packages/adapters-analytics-sqlite/tsconfig.json +9 -0
package/packages/adapters-analytics-sqlite/tsup.config.ts +9 -0
package/packages/adapters-environment-docker/README.md +28 -0
package/packages/adapters-environment-docker/eslint.config.js +5 -0
package/packages/adapters-environment-docker/package.json +49 -0
package/packages/adapters-environment-docker/src/index.test.ts +138 -0
package/packages/adapters-environment-docker/src/index.ts +439 -0
package/packages/adapters-environment-docker/src/manifest.ts +65 -0
package/packages/adapters-environment-docker/tsconfig.build.json +15 -0
package/packages/adapters-environment-docker/tsconfig.json +16 -0
package/packages/adapters-environment-docker/tsup.config.ts +9 -0
package/packages/adapters-eventbus-cache/README.md +242 -0
package/packages/adapters-eventbus-cache/eslint.config.js +27 -0
package/packages/adapters-eventbus-cache/package.json +46 -0
package/packages/adapters-eventbus-cache/src/index.test.ts +235 -0
package/packages/adapters-eventbus-cache/src/index.ts +215 -0
package/packages/adapters-eventbus-cache/src/manifest.ts +50 -0
package/packages/adapters-eventbus-cache/src/types.ts +58 -0
package/packages/adapters-eventbus-cache/tsconfig.build.json +15 -0
package/packages/adapters-eventbus-cache/tsconfig.json +9 -0
package/packages/adapters-eventbus-cache/tsup.config.ts +9 -0
package/packages/adapters-fs/README.md +171 -0
package/packages/adapters-fs/allowed.txt +1 -0
package/packages/adapters-fs/conflict.txt +1 -0
package/packages/adapters-fs/dest.txt +1 -0
package/packages/adapters-fs/eslint.config.js +27 -0
package/packages/adapters-fs/exists.txt +1 -0
package/packages/adapters-fs/not-allowed.txt +1 -0
package/packages/adapters-fs/other.txt +1 -0
package/packages/adapters-fs/package.json +55 -0
package/packages/adapters-fs/public/file1.txt +1 -0
package/packages/adapters-fs/public/file2.txt +1 -0
package/packages/adapters-fs/secret.txt +1 -0
package/packages/adapters-fs/secrets/key.txt +1 -0
package/packages/adapters-fs/src/index.test.ts +243 -0
package/packages/adapters-fs/src/index.ts +258 -0
package/packages/adapters-fs/src/manifest.ts +35 -0
package/packages/adapters-fs/src/secure-storage.test.ts +380 -0
package/packages/adapters-fs/src/secure-storage.ts +268 -0
package/packages/adapters-fs/test.json +1 -0
package/packages/adapters-fs/test.txt +1 -0
package/packages/adapters-fs/test.xyz +1 -0
package/packages/adapters-fs/test1.txt +1 -0
package/packages/adapters-fs/test2.txt +1 -0
package/packages/adapters-fs/tsconfig.build.json +15 -0
package/packages/adapters-fs/tsconfig.json +9 -0
package/packages/adapters-fs/tsup.config.ts +8 -0
package/packages/adapters-fs/vitest.config.ts +19 -0
package/packages/adapters-log-ringbuffer/README.md +228 -0
package/packages/adapters-log-ringbuffer/eslint.config.js +27 -0
package/packages/adapters-log-ringbuffer/package.json +47 -0
package/packages/adapters-log-ringbuffer/src/__tests__/ring-buffer.test.ts +450 -0
package/packages/adapters-log-ringbuffer/src/index.ts +212 -0
package/packages/adapters-log-ringbuffer/src/manifest.ts +30 -0
package/packages/adapters-log-ringbuffer/tsconfig.build.json +15 -0
package/packages/adapters-log-ringbuffer/tsconfig.json +9 -0
package/packages/adapters-log-ringbuffer/tsup.config.ts +9 -0
package/packages/adapters-log-ringbuffer/vitest.config.ts +14 -0
package/packages/adapters-log-sqlite/README.md +396 -0
package/packages/adapters-log-sqlite/eslint.config.js +27 -0
package/packages/adapters-log-sqlite/package.json +49 -0
package/packages/adapters-log-sqlite/src/__tests__/log-persistence.test.ts +718 -0
package/packages/adapters-log-sqlite/src/index.ts +1068 -0
package/packages/adapters-log-sqlite/src/manifest.ts +36 -0
package/packages/adapters-log-sqlite/src/schema.sql +46 -0
package/packages/adapters-log-sqlite/tsconfig.build.json +15 -0
package/packages/adapters-log-sqlite/tsconfig.json +9 -0
package/packages/adapters-log-sqlite/tsup.config.ts +9 -0
package/packages/adapters-log-sqlite/vitest.config.ts +15 -0
package/packages/adapters-mongodb/README.md +147 -0
package/packages/adapters-mongodb/eslint.config.js +27 -0
package/packages/adapters-mongodb/package.json +53 -0
package/packages/adapters-mongodb/src/index.ts +428 -0
package/packages/adapters-mongodb/src/manifest.ts +45 -0
package/packages/adapters-mongodb/src/secure-document.ts +231 -0
package/packages/adapters-mongodb/tsconfig.build.json +15 -0
package/packages/adapters-mongodb/tsconfig.json +9 -0
package/packages/adapters-mongodb/tsup.config.ts +8 -0
package/packages/adapters-openai/README.md +151 -0
package/packages/adapters-openai/embeddings.ts +37 -0
package/packages/adapters-openai/eslint.config.js +26 -0
package/packages/adapters-openai/index.ts +22 -0
package/packages/adapters-openai/package.json +57 -0
package/packages/adapters-openai/src/embeddings-manifest.ts +45 -0
package/packages/adapters-openai/src/embeddings.ts +104 -0
package/packages/adapters-openai/src/index.ts +13 -0
package/packages/adapters-openai/src/llm.ts +304 -0
package/packages/adapters-openai/src/manifest.ts +47 -0
package/packages/adapters-openai/tsconfig.build.json +15 -0
package/packages/adapters-openai/tsconfig.json +9 -0
package/packages/adapters-openai/tsup.config.ts +8 -0
package/packages/adapters-pino/README.md +152 -0
package/packages/adapters-pino/eslint.config.js +27 -0
package/packages/adapters-pino/package.json +49 -0
package/packages/adapters-pino/src/index.test.ts +44 -0
package/packages/adapters-pino/src/index.ts +322 -0
package/packages/adapters-pino/src/log-ring-buffer.ts +142 -0
package/packages/adapters-pino/src/manifest.ts +49 -0
package/packages/adapters-pino/tsconfig.build.json +15 -0
package/packages/adapters-pino/tsconfig.json +9 -0
package/packages/adapters-pino/tsup.config.ts +9 -0
package/packages/adapters-pino-http/README.md +141 -0
package/packages/adapters-pino-http/eslint.config.js +27 -0
package/packages/adapters-pino-http/package.json +46 -0
package/packages/adapters-pino-http/src/index.ts +229 -0
package/packages/adapters-pino-http/tsconfig.build.json +15 -0
package/packages/adapters-pino-http/tsconfig.json +9 -0
package/packages/adapters-pino-http/tsup.config.ts +9 -0
package/packages/adapters-qdrant/README.md +166 -0
package/packages/adapters-qdrant/eslint.config.js +27 -0
package/packages/adapters-qdrant/package.json +49 -0
package/packages/adapters-qdrant/src/index.ts +490 -0
package/packages/adapters-qdrant/src/manifest.ts +54 -0
package/packages/adapters-qdrant/src/retry.ts +204 -0
package/packages/adapters-qdrant/tsconfig.build.json +15 -0
package/packages/adapters-qdrant/tsconfig.json +9 -0
package/packages/adapters-qdrant/tsup.config.ts +9 -0
package/packages/adapters-redis/README.md +159 -0
package/packages/adapters-redis/eslint.config.js +27 -0
package/packages/adapters-redis/package.json +49 -0
package/packages/adapters-redis/src/index.ts +164 -0
package/packages/adapters-redis/src/manifest.ts +49 -0
package/packages/adapters-redis/tsconfig.build.json +15 -0
package/packages/adapters-redis/tsconfig.json +9 -0
package/packages/adapters-redis/tsup.config.ts +9 -0
package/packages/adapters-snapshot-localfs/README.md +10 -0
package/packages/adapters-snapshot-localfs/eslint.config.js +2 -0
package/packages/adapters-snapshot-localfs/package.json +46 -0
package/packages/adapters-snapshot-localfs/src/index.test.ts +40 -0
package/packages/adapters-snapshot-localfs/src/index.ts +292 -0
package/packages/adapters-snapshot-localfs/src/manifest.ts +32 -0
package/packages/adapters-snapshot-localfs/tsconfig.build.json +15 -0
package/packages/adapters-snapshot-localfs/tsconfig.json +16 -0
package/packages/adapters-snapshot-localfs/tsup.config.ts +11 -0
package/packages/adapters-sqlite/README.md +163 -0
package/packages/adapters-sqlite/eslint.config.js +27 -0
package/packages/adapters-sqlite/package.json +54 -0
package/packages/adapters-sqlite/src/index.test.ts +245 -0
package/packages/adapters-sqlite/src/index.ts +382 -0
package/packages/adapters-sqlite/src/manifest.ts +47 -0
package/packages/adapters-sqlite/src/secure-sql.test.ts +290 -0
package/packages/adapters-sqlite/src/secure-sql.ts +281 -0
package/packages/adapters-sqlite/tsconfig.build.json +15 -0
package/packages/adapters-sqlite/tsconfig.json +9 -0
package/packages/adapters-sqlite/tsup.config.ts +8 -0
package/packages/adapters-sqlite/vitest.config.ts +19 -0
package/packages/adapters-transport/README.md +170 -0
package/packages/adapters-transport/eslint.config.js +27 -0
package/packages/adapters-transport/package.json +49 -0
package/packages/adapters-transport/src/__tests__/unix-socket-server.test.ts +550 -0
package/packages/adapters-transport/src/index.ts +101 -0
package/packages/adapters-transport/src/ipc-transport.ts +228 -0
package/packages/adapters-transport/src/transport.ts +224 -0
package/packages/adapters-transport/src/types.ts +92 -0
package/packages/adapters-transport/src/unix-socket-server.ts +193 -0
package/packages/adapters-transport/src/unix-socket-transport.ts +280 -0
package/packages/adapters-transport/tsconfig.build.json +15 -0
package/packages/adapters-transport/tsconfig.json +9 -0
package/packages/adapters-transport/tsup.config.ts +9 -0
package/packages/adapters-vibeproxy/README.md +159 -0
package/packages/adapters-vibeproxy/eslint.config.js +27 -0
package/packages/adapters-vibeproxy/package.json +51 -0
package/packages/adapters-vibeproxy/src/index.ts +13 -0
package/packages/adapters-vibeproxy/src/llm.ts +437 -0
package/packages/adapters-vibeproxy/src/manifest.ts +51 -0
package/packages/adapters-vibeproxy/tsconfig.build.json +15 -0
package/packages/adapters-vibeproxy/tsconfig.json +9 -0
package/packages/adapters-vibeproxy/tsup.config.ts +8 -0
package/packages/adapters-workspace-agent/package.json +46 -0
package/packages/adapters-workspace-agent/src/__tests__/adapter.test.ts +212 -0
package/packages/adapters-workspace-agent/src/index.ts +220 -0
package/packages/adapters-workspace-agent/src/manifest.ts +36 -0
package/packages/adapters-workspace-agent/tsconfig.build.json +15 -0
package/packages/adapters-workspace-agent/tsconfig.json +16 -0
package/packages/adapters-workspace-agent/tsup.config.ts +11 -0
package/packages/adapters-workspace-localfs/README.md +9 -0
package/packages/adapters-workspace-localfs/eslint.config.js +2 -0
package/packages/adapters-workspace-localfs/package.json +46 -0
package/packages/adapters-workspace-localfs/src/index.test.ts +27 -0
package/packages/adapters-workspace-localfs/src/index.ts +172 -0
package/packages/adapters-workspace-localfs/src/manifest.ts +32 -0
package/packages/adapters-workspace-localfs/tsconfig.build.json +15 -0
package/packages/adapters-workspace-localfs/tsconfig.json +16 -0
package/packages/adapters-workspace-localfs/tsup.config.ts +11 -0
package/packages/adapters-workspace-worktree/README.md +9 -0
package/packages/adapters-workspace-worktree/eslint.config.js +2 -0
package/packages/adapters-workspace-worktree/package.json +46 -0
package/packages/adapters-workspace-worktree/src/index.test.ts +38 -0
package/packages/adapters-workspace-worktree/src/index.ts +245 -0
package/packages/adapters-workspace-worktree/src/manifest.ts +38 -0
package/packages/adapters-workspace-worktree/tsconfig.build.json +15 -0
package/packages/adapters-workspace-worktree/tsconfig.json +16 -0
package/packages/adapters-workspace-worktree/tsup.config.ts +11 -0
package/pnpm-workspace.yaml +2800 -0
package/prettierrc.json +1 -0
package/scripts/devkit-sync.mjs +37 -0
package/scripts/hooks/post-push +9 -0
package/scripts/hooks/pre-commit +9 -0
package/scripts/hooks/pre-push +9 -0
package/test-integration.ts +242 -0
package/test.txt +1 -0
package/tsconfig.base.json +6 -0
package/tsconfig.build.json +15 -0
package/tsconfig.json +9 -0
package/tsconfig.paths.json +26 -0
package/tsconfig.tools.json +17 -0
package/tsup.config.bin.ts +34 -0
package/tsup.config.cli.ts +41 -0
package/tsup.config.dual.ts +46 -0
package/tsup.config.ts +36 -0
package/tsup.external.json +103 -0
package/vitest.config.ts +2 -0

package/packages/adapters-fs/src/secure-storage.test.ts ADDED Viewed

@@ -0,0 +1,380 @@
+/**
+ * @module @kb-labs/adapters-fs/__tests__/secure-storage
+ * Unit tests for SecureStorageAdapter
+ */
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { mkdtemp, rm } from "node:fs/promises";
+import { createAdapter } from "./index.js";
+import {
+  SecureStorageAdapter,
+  StoragePermissionError,
+} from "./secure-storage.js";
+describe("SecureStorageAdapter", () => {
+  let tmpDir: string;
+  let baseStorage: ReturnType<typeof createAdapter>;
+  beforeEach(async () => {
+    tmpDir = await mkdtemp(join(tmpdir(), "kb-test-secure-"));
+    baseStorage = createAdapter({ baseDir: tmpDir });
+    // Create some test files
+    await baseStorage.write("public/file.txt", Buffer.from("public"));
+    await baseStorage.write("private/secret.txt", Buffer.from("secret"));
+    await baseStorage.write("docs/readme.md", Buffer.from("readme"));
+  });
+  afterEach(async () => {
+    await rm(tmpDir, { recursive: true, force: true });
+  });
+  describe("Operation Permissions", () => {
+    it("should allow read when permission granted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, { read: true });
+      const content = await secure.read("public/file.txt");
+      expect(content?.toString()).toBe("public");
+    });
+    it("should deny read when permission not granted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, { read: false });
+      await expect(secure.read("public/file.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+      await expect(secure.read("public/file.txt")).rejects.toThrow(
+        "read operations are disabled",
+      );
+    });
+    it("should allow write when permission granted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, { write: true });
+      await secure.write("new/file.txt", Buffer.from("new content"));
+      const content = await baseStorage.read("new/file.txt");
+      expect(content?.toString()).toBe("new content");
+    });
+    it("should deny write when permission not granted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, { write: false });
+      await expect(
+        secure.write("new/file.txt", Buffer.from("test")),
+      ).rejects.toThrow(StoragePermissionError);
+    });
+    it("should allow delete when permission granted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, { delete: true });
+      await secure.delete("public/file.txt");
+      expect(await baseStorage.exists("public/file.txt")).toBe(false);
+    });
+    it("should deny delete when permission explicitly set to false", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, { delete: false });
+      await expect(secure.delete("public/file.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+      await expect(secure.delete("public/file.txt")).rejects.toThrow(
+        "delete operations are disabled",
+      );
+    });
+  });
+  describe("Path Allowlist", () => {
+    it("should allow access to allowlisted paths", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/", "docs/"],
+        read: true,
+      });
+      const content1 = await secure.read("public/file.txt");
+      const content2 = await secure.read("docs/readme.md");
+      expect(content1?.toString()).toBe("public");
+      expect(content2?.toString()).toBe("readme");
+    });
+    it("should deny access to non-allowlisted paths", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+      });
+      await expect(secure.read("private/secret.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+      await expect(secure.read("private/secret.txt")).rejects.toThrow(
+        "not in allowlist",
+      );
+    });
+    it("should work with empty allowlist (allow all)", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: [],
+        read: true,
+      });
+      const content = await secure.read("private/secret.txt");
+      expect(content?.toString()).toBe("secret");
+    });
+    it("should work with undefined allowlist (allow all)", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        read: true,
+      });
+      const content = await secure.read("private/secret.txt");
+      expect(content?.toString()).toBe("secret");
+    });
+  });
+  describe("Path Denylist", () => {
+    it("should deny access to denylisted paths", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        denylist: ["private/"],
+        read: true,
+      });
+      await expect(secure.read("private/secret.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+      await expect(secure.read("private/secret.txt")).rejects.toThrow(
+        "path matches denylist",
+      );
+    });
+    it("should allow access to non-denylisted paths", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        denylist: ["private/"],
+        read: true,
+      });
+      const content = await secure.read("public/file.txt");
+      expect(content?.toString()).toBe("public");
+    });
+    it("should give denylist precedence over allowlist", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["private/"],
+        denylist: ["private/"],
+        read: true,
+      });
+      await expect(secure.read("private/secret.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+      await expect(secure.read("private/secret.txt")).rejects.toThrow(
+        "path matches denylist",
+      );
+    });
+  });
+  describe("List Operations with Permissions", () => {
+    it("should list files respecting permissions", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+      });
+      const files = await secure.list("public/");
+      expect(files).toContain("public/file.txt");
+    });
+    it("should deny list for non-allowlisted paths", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+      });
+      await expect(secure.list("private/")).rejects.toThrow(
+        StoragePermissionError,
+      );
+    });
+  });
+  describe("Exists with Permissions", () => {
+    it("should check existence when allowed", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+      });
+      expect(await secure.exists("public/file.txt")).toBe(true);
+    });
+    it("should return false for denied paths (security by obscurity)", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+      });
+      // exists() returns false for denied paths instead of throwing error
+      // This prevents information leakage about file existence
+      expect(await secure.exists("private/secret.txt")).toBe(false);
+    });
+  });
+  describe("Extended Methods with Permissions", () => {
+    it("should allow stat when permitted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+      });
+      const metadata = await secure.stat?.("public/file.txt");
+      expect(metadata).not.toBeNull();
+      expect(metadata?.path).toBe("public/file.txt");
+    });
+    it("should deny stat when not permitted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+      });
+      await expect(secure.stat?.("private/secret.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+    });
+    it("should allow copy when both paths permitted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+        write: true,
+      });
+      await secure.copy?.("public/file.txt", "public/copy.txt");
+      expect(await baseStorage.exists("public/copy.txt")).toBe(true);
+    });
+    it("should deny copy when source not permitted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+        write: true,
+      });
+      await expect(
+        secure.copy?.("private/secret.txt", "public/copy.txt"),
+      ).rejects.toThrow(StoragePermissionError);
+    });
+    it("should deny copy when destination not permitted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+        write: true,
+      });
+      await expect(
+        secure.copy?.("public/file.txt", "private/copy.txt"),
+      ).rejects.toThrow(StoragePermissionError);
+    });
+    it("should allow move when both paths permitted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+        write: true,
+      });
+      await secure.move?.("public/file.txt", "public/moved.txt");
+      expect(await baseStorage.exists("public/file.txt")).toBe(false);
+      expect(await baseStorage.exists("public/moved.txt")).toBe(true);
+    });
+    it("should allow listWithMetadata when permitted", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/"],
+        read: true,
+      });
+      const files = await secure.listWithMetadata?.("public/");
+      expect(files).toBeDefined();
+      expect(files!.length).toBeGreaterThan(0);
+      expect(files![0]!.path).toBeDefined();
+    });
+  });
+  describe("Complex Permission Scenarios", () => {
+    it("should handle multiple allowlist patterns", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/", "docs/"],
+        read: true,
+      });
+      const content1 = await secure.read("public/file.txt");
+      const content2 = await secure.read("docs/readme.md");
+      expect(content1).not.toBeNull();
+      expect(content2).not.toBeNull();
+    });
+    it("should handle multiple denylist patterns", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        denylist: ["private/", "secrets/"],
+        read: true,
+      });
+      await expect(secure.read("private/secret.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+    });
+    it("should combine allowlist and denylist correctly", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        allowlist: ["public/", "private/"],
+        denylist: ["private/"],
+        read: true,
+      });
+      // public/ is in allowlist and not in denylist - allowed
+      const content = await secure.read("public/file.txt");
+      expect(content).not.toBeNull();
+      // private/ is in both - denylist takes precedence - denied
+      await expect(secure.read("private/secret.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+    });
+    it("should handle read-only permissions", async () => {
+      const secure = new SecureStorageAdapter(baseStorage, {
+        read: true,
+        write: false,
+        delete: false,
+      });
+      // Can read
+      const content = await secure.read("public/file.txt");
+      expect(content).not.toBeNull();
+      // Cannot write
+      await expect(
+        secure.write("new.txt", Buffer.from("test")),
+      ).rejects.toThrow(StoragePermissionError);
+      // Cannot delete
+      await expect(secure.delete("public/file.txt")).rejects.toThrow(
+        StoragePermissionError,
+      );
+    });
+  });
+});

package/packages/adapters-fs/src/secure-storage.ts ADDED Viewed

@@ -0,0 +1,268 @@
+/**
+ * @module @kb-labs/adapters-fs/secure-storage
+ * SecureStorageAdapter - IStorage wrapper with permission validation.
+ *
+ * Design Philosophy: Validation-only security (like fs-shim)
+ * - Validates paths against allowlists/denylists
+ * - Does NOT rewrite paths or queries
+ * - Fails fast with clear errors
+ * - Transparent pass-through when permitted
+ *
+ * @example
+ * ```typescript
+ * import { createAdapter } from '@kb-labs/adapters-fs';
+ * import { SecureStorageAdapter } from '@kb-labs/adapters-fs/secure-storage';
+ *
+ * const base = createAdapter({ baseDir: '/var/data' });
+ * const secure = new SecureStorageAdapter(base, {
+ *   allowlist: ['docs/', 'uploads/'],
+ *   denylist: ['uploads/private/'],
+ * });
+ *
+ * await secure.write('docs/readme.md', Buffer.from('# Hello')); // ✅ Allowed
+ * await secure.write('config/secrets.json', Buffer.from('{}')); // ❌ Denied
+ * ```
+ */
+import type {
+  IStorage,
+  StorageMetadata,
+} from "@kb-labs/core-platform/adapters";
+/**
+ * Permission configuration for storage access.
+ */
+export interface StoragePermissions {
+  /**
+   * Allowed path prefixes (e.g., ['docs/', 'uploads/']).
+   * If empty or undefined, all paths are allowed (unless denied).
+   */
+  allowlist?: string[];
+  /**
+   * Denied path prefixes (e.g., ['config/', 'secrets/']).
+   * Takes precedence over allowlist.
+   */
+  denylist?: string[];
+  /**
+   * Allow read operations (default: true)
+   */
+  read?: boolean;
+  /**
+   * Allow write operations (default: true)
+   */
+  write?: boolean;
+  /**
+   * Allow delete operations (default: false - safer default)
+   */
+  delete?: boolean;
+}
+/**
+ * Error thrown when storage access is denied.
+ */
+export class StoragePermissionError extends Error {
+  constructor(
+    public readonly operation: string,
+    public readonly path: string,
+    public readonly reason: string,
+  ) {
+    super(`Storage access denied: ${operation} ${path} - ${reason}`);
+    this.name = "StoragePermissionError";
+  }
+}
+/**
+ * SecureStorageAdapter - validates permissions before delegating to base storage.
+ *
+ * Design:
+ * - Validation-only (no path rewriting)
+ * - Fails fast with clear errors
+ * - Transparent pass-through when permitted
+ * - Supports both coarse (read/write/delete) and fine (path-based) permissions
+ */
+export class SecureStorageAdapter implements IStorage {
+  constructor(
+    private readonly baseStorage: IStorage,
+    private readonly permissions: StoragePermissions,
+  ) {}
+  /**
+   * Check if a path is allowed by permissions.
+   */
+  // eslint-disable-next-line sonarjs/cognitive-complexity -- Security-critical permission check with denylist/allowlist logic
+  private checkPath(
+    path: string,
+    operation: "read" | "write" | "delete",
+  ): void {
+    // Check operation-level permissions
+    const operationAllowed = this.permissions[operation] !== false;
+    if (!operationAllowed) {
+      throw new StoragePermissionError(
+        operation,
+        path,
+        `${operation} operations are disabled`,
+      );
+    }
+    // Check denylist first (takes precedence)
+    if (this.permissions.denylist) {
+      for (const denied of this.permissions.denylist) {
+        if (path.startsWith(denied)) {
+          throw new StoragePermissionError(
+            operation,
+            path,
+            `path matches denylist: ${denied}`,
+          );
+        }
+      }
+    }
+    // Check allowlist (if defined)
+    if (this.permissions.allowlist && this.permissions.allowlist.length > 0) {
+      let allowed = false;
+      for (const prefix of this.permissions.allowlist) {
+        if (path.startsWith(prefix)) {
+          allowed = true;
+          break;
+        }
+      }
+      if (!allowed) {
+        throw new StoragePermissionError(
+          operation,
+          path,
+          `path not in allowlist: [${this.permissions.allowlist.join(", ")}]`,
+        );
+      }
+    }
+  }
+  // ═══════════════════════════════════════════════════════════════════════
+  // Core IStorage methods (required)
+  // ═══════════════════════════════════════════════════════════════════════
+  async read(path: string): Promise<Buffer | null> {
+    this.checkPath(path, "read");
+    return this.baseStorage.read(path);
+  }
+  async write(path: string, data: Buffer): Promise<void> {
+    this.checkPath(path, "write");
+    await this.baseStorage.write(path, data);
+  }
+  async delete(path: string): Promise<void> {
+    this.checkPath(path, "delete");
+    await this.baseStorage.delete(path);
+  }
+  async list(prefix: string): Promise<string[]> {
+    this.checkPath(prefix, "read");
+    const files = await this.baseStorage.list(prefix);
+    // Filter results by permissions (double-check each file)
+    return files.filter((file) => {
+      try {
+        this.checkPath(file, "read");
+        return true;
+      } catch {
+        return false; // Silently exclude files that don't pass permission check
+      }
+    });
+  }
+  async exists(path: string): Promise<boolean> {
+    try {
+      this.checkPath(path, "read");
+      return await this.baseStorage.exists(path);
+    } catch (error) {
+      if (error instanceof StoragePermissionError) {
+        return false; // Treat permission denied as "not exists" for safety
+      }
+      throw error;
+    }
+  }
+  // ═══════════════════════════════════════════════════════════════════════
+  // Extended IStorage methods (optional)
+  // ═══════════════════════════════════════════════════════════════════════
+  async stat?(path: string): Promise<StorageMetadata | null> {
+    if (!this.baseStorage.stat) {
+      return null;
+    }
+    this.checkPath(path, "read");
+    return this.baseStorage.stat(path);
+  }
+  async copy?(sourcePath: string, destPath: string): Promise<void> {
+    if (!this.baseStorage.copy) {
+      throw new Error("copy() not supported by base storage adapter");
+    }
+    this.checkPath(sourcePath, "read");
+    this.checkPath(destPath, "write");
+    await this.baseStorage.copy(sourcePath, destPath);
+  }
+  async move?(sourcePath: string, destPath: string): Promise<void> {
+    if (!this.baseStorage.move) {
+      throw new Error("move() not supported by base storage adapter");
+    }
+    this.checkPath(sourcePath, "read");
+    this.checkPath(sourcePath, "delete"); // Move = read + delete source
+    this.checkPath(destPath, "write");
+    await this.baseStorage.move(sourcePath, destPath);
+  }
+  async listWithMetadata?(prefix: string): Promise<StorageMetadata[]> {
+    if (!this.baseStorage.listWithMetadata) {
+      return [];
+    }
+    this.checkPath(prefix, "read");
+    const files = await this.baseStorage.listWithMetadata(prefix);
+    // Filter results by permissions (double-check each file)
+    return files.filter((file) => {
+      try {
+        this.checkPath(file.path, "read");
+        return true;
+      } catch {
+        return false; // Silently exclude files that don't pass permission check
+      }
+    });
+  }
+}
+/**
+ * Create secure storage adapter with permission validation.
+ *
+ * @param baseStorage - Base storage adapter (filesystem, S3, etc.)
+ * @param permissions - Permission configuration
+ * @returns Wrapped storage adapter with permission checks
+ *
+ * @example
+ * ```typescript
+ * const secure = createSecureStorage(base, {
+ *   allowlist: ['docs/', 'uploads/'],
+ *   denylist: ['uploads/private/'],
+ *   delete: false, // Prevent deletions
+ * });
+ * ```
+ */
+export function createSecureStorage(
+  baseStorage: IStorage,
+  permissions: StoragePermissions,
+): SecureStorageAdapter {
+  return new SecureStorageAdapter(baseStorage, permissions);
+}
+// Default export for direct import
+export default createSecureStorage;

package/packages/adapters-fs/test.json ADDED Viewed

	@@ -0,0 +1 @@
1	+ {}

package/packages/adapters-fs/test.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ text

package/packages/adapters-fs/test.xyz ADDED Viewed

	@@ -0,0 +1 @@
1	+ data

package/packages/adapters-fs/test1.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ content1

package/packages/adapters-fs/test2.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ content2

package/packages/adapters-fs/tsconfig.build.json ADDED Viewed

@@ -0,0 +1,15 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "baseUrl": ".",
+    "paths": {}
+  },
+  "include": [
+    "src/**/*"
+  ],
+  "exclude": [
+    "dist",
+    "node_modules"
+  ]
+}

package/packages/adapters-fs/tsconfig.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "@kb-labs/devkit/tsconfig/node.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "include": ["src"]
+}

package/packages/adapters-fs/tsup.config.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { defineConfig } from 'tsup';
+import nodePreset from '@kb-labs/devkit/tsup/node';
+export default defineConfig({
+  ...nodePreset,
+  tsconfig: 'tsconfig.build.json',
+  dts: true,
+});