@mneme-ai/xray 2.150.0

package/dist/privacy.js

@@ -0,0 +1,43 @@
+// Things that should NEVER appear in a metric-only report.
+const CODE_SHAPES = [
+    [/\bfunction\s+\w+\s*\(/, "function definition"],
+    [/=>\s*\{/, "arrow-function body"],
+    [/\bclass\s+\w+\s*\{/, "class body"],
+    [/\bimport\s+.+\s+from\s+['"]/, "import statement"],
+    [/\b(const|let|var)\s+\w+\s*=/, "variable assignment"],
+    [/-----BEGIN [A-Z ]+-----/, "PEM block"],
+];
+/**
+ * Field-aware: symbol NAMES and signatures are allowed (they are structural),
+ * but they live in known fields. We scan the JSON with those known structural
+ * fields stripped, so a signature in `hotspots[].symbol` can't be mistaken for
+ * a leak, while an injected code body anywhere else is caught.
+ */
+export function xrayLeaksRaw(report) {
+    // fail-closed: a non-report is not safe to emit.
+    if (report === null || typeof report !== "object") {
+        return { leaks: true, reasons: ["not a report object"] };
+    }
+    let json;
+    try {
+        const clone = JSON.parse(JSON.stringify(report));
+        // strip the legitimately-structural string fields before scanning
+        if (clone && clone.complexity && Array.isArray(clone.complexity.hotspots)) {
+            clone.complexity = { ...clone.complexity, hotspots: clone.complexity.hotspots.map((h) => ({ ...h, symbol: "" })) };
+        }
+        json = JSON.stringify(clone);
+    }
+    catch {
+        return { leaks: true, reasons: ["report is not serializable JSON"] };
+    }
+    const reasons = [];
+    for (const [re, label] of CODE_SHAPES) {
+        if (re.test(json))
+            reasons.push(`contains ${label}`);
+    }
+    // very long unbroken token ⇒ likely an embedded blob/secret/source line
+    if (/[^\s"]{200,}/.test(json))
+        reasons.push("contains a 200+ char unbroken token (possible blob)");
+    return { leaks: reasons.length > 0, reasons };
+}
+//# sourceMappingURL=privacy.js.map

package/dist/privacy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"privacy.js","sourceRoot":"","sources":["../src/privacy.ts"],"names":[],"mappings":"AAcA,2DAA2D;AAC3D,MAAM,WAAW,GAA4B;IAC3C,CAAC,uBAAuB,EAAE,qBAAqB,CAAC;IAChD,CAAC,SAAS,EAAE,qBAAqB,CAAC;IAClC,CAAC,oBAAoB,EAAE,YAAY,CAAC;IACpC,CAAC,6BAA6B,EAAE,kBAAkB,CAAC;IACnD,CAAC,6BAA6B,EAAE,qBAAqB,CAAC;IACtD,CAAC,yBAAyB,EAAE,WAAW,CAAC;CACzC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,MAAe;IAC1C,iDAAiD;IACjD,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAClD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,qBAAqB,CAAC,EAAE,CAAC;IAC3D,CAAC;IACD,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAkD,CAAC;QAClG,kEAAkE;QAClE,IAAI,KAAK,IAAI,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1E,KAAK,CAAC,UAAU,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;QACrH,CAAC;QACD,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,iCAAiC,CAAC,EAAE,CAAC;IACvE,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC;QACtC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,YAAY,KAAK,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,wEAAwE;IACxE,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IAEnG,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC;AAChD,CAAC"}

package/dist/publish.d.ts

@@ -0,0 +1,9 @@
+import type { SignedXRay } from "./types.js";
+export interface PublishResult {
+    ok: boolean;
+    profileId?: string;
+    fingerprint?: string;
+    error?: string;
+}
+export declare function publishReport(server: string, token: string, signed: SignedXRay): Promise<PublishResult>;
+//# sourceMappingURL=publish.d.ts.map

package/dist/publish.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"publish.d.ts","sourceRoot":"","sources":["../src/publish.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,aAAa;IAAG,EAAE,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE;AAExG,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAiB7G"}

package/dist/publish.js

@@ -0,0 +1,28 @@
+/**
+ * The local agent's side of the bridge. After building a signed, raw-free
+ * report on a PRIVATE repo locally, publish ONLY that report to a Lighthouse
+ * server. The source never leaves the machine — only metrics + a signature go.
+ */
+import { xrayLeaksRaw } from "./privacy.js";
+export async function publishReport(server, token, signed) {
+    // belt-and-braces: refuse to transmit anything that isn't raw-free
+    const leak = xrayLeaksRaw(signed.report);
+    if (leak.leaks)
+        return { ok: false, error: "refusing to publish: report is not raw-free (" + leak.reasons.join("; ") + ")" };
+    const base = server.replace(/\/+$/, "");
+    try {
+        const res = await fetch(base + "/api/ingest", {
+            method: "POST",
+            headers: { "content-type": "application/json", authorization: "Bearer " + token },
+            body: JSON.stringify(signed),
+        });
+        const data = (await res.json().catch(() => ({})));
+        if (!res.ok)
+            return { ok: false, error: data.error || `server returned ${res.status}` };
+        return { ok: true, profileId: data.profileId, fingerprint: data.fingerprint };
+    }
+    catch (e) {
+        return { ok: false, error: e.message };
+    }
+}
+//# sourceMappingURL=publish.js.map

package/dist/publish.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"publish.js","sourceRoot":"","sources":["../src/publish.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAK5C,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAc,EAAE,KAAa,EAAE,MAAkB;IACnF,mEAAmE;IACnE,MAAM,IAAI,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,IAAI,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;IAC7H,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,GAAG,aAAa,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,aAAa,EAAE,SAAS,GAAG,KAAK,EAAE;YACjF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;SAC7B,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAuC,CAAC;QACxF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,mBAAmB,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;QACxF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC;IAChF,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC;IACpD,CAAC;AACH,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Mneme X-Ray server — the "Lighthouse".
+ *
+ * A single, dependency-light node:http server that:
+ *   POST /api/xray        { gitUrl }   → shallow-clone a PUBLIC repo, run the
+ *                                        deterministic battery, enforce the
+ *                                        raw-free gate, seal with NOTARY, return.
+ *   POST /api/verify      { signed }   → verify a report's receipt offline.
+ *   POST /api/ingest      { signed }   → THE BRIDGE: a local agent publishes a
+ *                                        report it built on a PRIVATE repo. The
+ *                                        server verifies the Ed25519 receipt +
+ *                                        raw-free gate and files it under the
+ *                                        caller's profile — WITHOUT ever seeing
+ *                                        the source (it was analysed locally).
+ *   GET  /api/profile/:id              → a profile's reports (raw-free).
+ *   GET  /api/report/:fingerprint      → a stored full signed report (deep-view).
+ *   GET  /api/board                    → recent public X-Rays (the board).
+ *   GET  /api/health                   → liveness.
+ *   GET  /                             → the clean white UI.
+ *
+ * PRIVACY: PUBLIC git URLs are shallow-cloned, analysed, and DELETED. PRIVATE
+ * repos never touch this server — the local agent (`mneme-xray <path> --publish`)
+ * analyses them on the user's machine and POSTs only the signed, raw-free
+ * report. Every persisted report passes xrayLeaksRaw first.
+ */
+import { type IncomingMessage, type ServerResponse } from "node:http";
+import { CosmicMonitor } from "./cosmic.js";
+export declare function createXRayServer(monitor?: CosmicMonitor): import("http").Server<typeof IncomingMessage, typeof ServerResponse>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,OAAO,EAAgB,KAAK,eAAe,EAAE,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AASpF,OAAO,EAAE,aAAa,EAAoC,MAAM,aAAa,CAAC;AA+O9E,wBAAgB,gBAAgB,CAAC,OAAO,CAAC,EAAE,aAAa,wEA6IvD"}

package/dist/server.js

@@ -0,0 +1,482 @@
+/**
+ * Mneme X-Ray server — the "Lighthouse".
+ *
+ * A single, dependency-light node:http server that:
+ *   POST /api/xray        { gitUrl }   → shallow-clone a PUBLIC repo, run the
+ *                                        deterministic battery, enforce the
+ *                                        raw-free gate, seal with NOTARY, return.
+ *   POST /api/verify      { signed }   → verify a report's receipt offline.
+ *   POST /api/ingest      { signed }   → THE BRIDGE: a local agent publishes a
+ *                                        report it built on a PRIVATE repo. The
+ *                                        server verifies the Ed25519 receipt +
+ *                                        raw-free gate and files it under the
+ *                                        caller's profile — WITHOUT ever seeing
+ *                                        the source (it was analysed locally).
+ *   GET  /api/profile/:id              → a profile's reports (raw-free).
+ *   GET  /api/report/:fingerprint      → a stored full signed report (deep-view).
+ *   GET  /api/board                    → recent public X-Rays (the board).
+ *   GET  /api/health                   → liveness.
+ *   GET  /                             → the clean white UI.
+ *
+ * PRIVACY: PUBLIC git URLs are shallow-cloned, analysed, and DELETED. PRIVATE
+ * repos never touch this server — the local agent (`mneme-xray <path> --publish`)
+ * analyses them on the user's machine and POSTs only the signed, raw-free
+ * report. Every persisted report passes xrayLeaksRaw first.
+ */
+import { createServer } from "node:http";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, appendFileSync, readFileSync as rf } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { createHash } from "node:crypto";
+import { buildXRay } from "./engine.js";
+import { sealXRay, verifyXRay } from "./sign.js";
+import { xrayLeaksRaw } from "./privacy.js";
+import { isAllowedPublicUrl } from "./clone.js";
+import { CosmicMonitor, cosmicBadgeSvg, signCosmicStatus } from "./cosmic.js";
+const HERE = dirname(fileURLToPath(import.meta.url));
+const PUBLIC_DIR = join(HERE, "..", "public");
+// lazy so XRAY_DATA_DIR can be set per-process (incl. tests) before first use
+const dataDir = () => process.env.XRAY_DATA_DIR || join(process.cwd(), ".xray-data");
+const BOARD_FILE = () => join(dataDir(), "board.jsonl");
+const REPORTS_DIR = () => join(dataDir(), "reports");
+const PROFILES_DIR = () => join(dataDir(), "profiles");
+const PORT = parseInt(process.env.PORT || "8787", 10);
+const HOST = process.env.HOST || "0.0.0.0";
+/** Profile id is the hash of the caller's token (an API key they choose). The
+ *  raw token is never stored — only its hash names the profile dir. */
+function profileIdFromToken(token) {
+    return createHash("sha256").update("mneme-xray-profile:" + token).digest("hex").slice(0, 16);
+}
+function bearer(req) {
+    const h = (req.headers.authorization || "").trim();
+    return h.toLowerCase().startsWith("bearer ") ? h.slice(7).trim() : null;
+}
+const FP_RE = /^[a-f0-9]{16,64}$/;
+// crude per-IP rate limit: N requests / window
+const RL_MAX = 20, RL_WINDOW_MS = 60_000;
+const rl = new Map();
+function rateLimited(ip) {
+    const now = Date.now();
+    const e = rl.get(ip);
+    if (!e || e.resetAt < now) {
+        rl.set(ip, { n: 1, resetAt: now + RL_WINDOW_MS });
+        return false;
+    }
+    e.n++;
+    return e.n > RL_MAX;
+}
+function send(res, status, body, type = "application/json") {
+    const payload = type === "application/json" ? JSON.stringify(body) : String(body);
+    res.writeHead(status, {
+        "content-type": type === "application/json" ? "application/json; charset=utf-8" : type,
+        "access-control-allow-origin": "*",
+        "access-control-allow-methods": "GET,POST,OPTIONS",
+        "access-control-allow-headers": "content-type",
+    });
+    res.end(payload);
+}
+function readBody(req, limit = 256 * 1024) {
+    return new Promise((resolve, reject) => {
+        let data = "", size = 0;
+        req.on("data", (c) => { size += c.length; if (size > limit) {
+            reject(new Error("body too large"));
+            req.destroy();
+        }
+        else
+            data += c; });
+        req.on("end", () => resolve(data));
+        req.on("error", reject);
+    });
+}
+function recordBoard(signed) {
+    try {
+        if (!existsSync(dataDir()))
+            mkdirSync(dataDir(), { recursive: true });
+        const r = signed.report;
+        // board carries only the headline metrics — already raw-free
+        appendFileSync(BOARD_FILE(), JSON.stringify({
+            at: r.generatedAt, repoName: r.subject.repoName, ref: r.subject.ref,
+            grade: r.summary.grade, headline: r.summary.headline, fingerprint: r.fingerprint,
+        }) + "\n");
+    }
+    catch { /* board is best-effort */ }
+}
+function readBoardRows() {
+    try {
+        if (!existsSync(BOARD_FILE()))
+            return [];
+        return rf(BOARD_FILE(), "utf8").trim().split("\n").filter(Boolean).map((l) => JSON.parse(l));
+    }
+    catch {
+        return [];
+    }
+}
+function readProfileRows(profileId) {
+    try {
+        const p = join(PROFILES_DIR(), profileId + ".jsonl");
+        if (!existsSync(p))
+            return [];
+        return rf(p, "utf8").trim().split("\n").filter(Boolean).map((l) => JSON.parse(l));
+    }
+    catch {
+        return [];
+    }
+}
+function summaryOf(r, visibility) {
+    return {
+        at: r.generatedAt, repoName: r.subject.repoName, ref: r.subject.kind === "git-url" ? r.subject.ref : "private",
+        grade: r.summary.grade, headline: r.summary.headline, fingerprint: r.fingerprint, visibility,
+    };
+}
+/** Persist the full signed report + a tiny meta sidecar (visibility/owner) for
+ *  access control. Idempotent by fingerprint. */
+function saveReport(signed, visibility = "public", profileId = "") {
+    try {
+        if (!existsSync(REPORTS_DIR()))
+            mkdirSync(REPORTS_DIR(), { recursive: true });
+        const fp = signed.report.fingerprint;
+        if (!FP_RE.test(fp))
+            return;
+        writeFileSync(join(REPORTS_DIR(), fp + ".json"), JSON.stringify(signed));
+        writeFileSync(join(REPORTS_DIR(), fp + ".meta.json"), JSON.stringify({ visibility, profileId }));
+    }
+    catch { /* best-effort */ }
+}
+function getReport(fingerprint) {
+    try {
+        if (!FP_RE.test(fingerprint))
+            return null;
+        const p = join(REPORTS_DIR(), fingerprint + ".json");
+        return existsSync(p) ? JSON.parse(rf(p, "utf8")) : null;
+    }
+    catch {
+        return null;
+    }
+}
+function getReportMeta(fingerprint) {
+    try {
+        if (!FP_RE.test(fingerprint))
+            return null;
+        const p = join(REPORTS_DIR(), fingerprint + ".meta.json");
+        return existsSync(p) ? JSON.parse(rf(p, "utf8")) : null;
+    }
+    catch {
+        return null;
+    }
+}
+/** Group raw scan-event rows by repo → first-seen + last-seen + scan count +
+ *  the latest grade/fingerprint. Newest activity first. Powers the listview. */
+function aggregateByRepo(rows) {
+    const map = new Map();
+    for (const r of rows) {
+        const key = String(r.repoName || r.ref || r.fingerprint);
+        const at = String(r.at || "");
+        const e = map.get(key);
+        if (!e) {
+            map.set(key, { repoName: String(r.repoName || ""), ref: String(r.ref || ""), firstAt: at, lastAt: at, count: 1, grade: String(r.grade || "?"), fingerprint: String(r.fingerprint || ""), visibility: String(r.visibility || "public") });
+        }
+        else {
+            e.count++;
+            if (at < e.firstAt)
+                e.firstAt = at;
+            if (at >= e.lastAt) {
+                e.lastAt = at;
+                e.grade = String(r.grade || e.grade);
+                e.fingerprint = String(r.fingerprint || e.fingerprint);
+            }
+        }
+    }
+    return [...map.values()].sort((a, b) => (a.lastAt < b.lastAt ? 1 : -1));
+}
+function page(items, offset, limit) {
+    const o = Math.max(0, offset | 0), l = Math.min(100, Math.max(1, limit | 0));
+    return { items: items.slice(o, o + l), total: items.length, offset: o, limit: l };
+}
+function recordProfile(profileId, r, visibility) {
+    try {
+        if (!existsSync(PROFILES_DIR()))
+            mkdirSync(PROFILES_DIR(), { recursive: true });
+        appendFileSync(join(PROFILES_DIR(), profileId + ".jsonl"), JSON.stringify(summaryOf(r, visibility)) + "\n");
+    }
+    catch { /* best-effort */ }
+}
+function serveStatic(res, file) {
+    const path = join(PUBLIC_DIR, file);
+    if (!existsSync(path)) {
+        send(res, 404, { error: "not found" });
+        return;
+    }
+    const type = file.endsWith(".html") ? "text/html; charset=utf-8"
+        : file.endsWith(".svg") ? "image/svg+xml"
+            : file.endsWith(".js") ? "text/javascript; charset=utf-8"
+                : "text/plain";
+    send(res, 200, readFileSync(path, "utf8"), type);
+}
+// ---- the growth engine: shareable badges + social cards + permalinks ----
+const GRADE_COLOR = { A: "#16a34a", B: "#65a30d", C: "#d97706", D: "#ea580c", F: "#dc2626" };
+const xesc = (s) => String(s).replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
+function sendSvg(res, svg, maxAgeSec = 300) {
+    res.writeHead(200, {
+        "content-type": "image/svg+xml; charset=utf-8",
+        "cache-control": `public, max-age=${maxAgeSec}`,
+        "access-control-allow-origin": "*",
+    });
+    res.end(svg);
+}
+/** shields-style flat badge: "mneme x-ray | <grade>". */
+function badgeSvg(grade) {
+    const color = GRADE_COLOR[grade] || "#6b7280";
+    const label = "mneme x-ray", val = grade || "?";
+    const lw = 78, vw = 26, w = lw + vw, h = 20;
+    return `<svg xmlns="http://www.w3.org/2000/svg" width="${w}" height="${h}" role="img" aria-label="${label}: ${val}">
+<linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient>
+<clipPath id="r"><rect width="${w}" height="${h}" rx="3" fill="#fff"/></clipPath>
+<g clip-path="url(#r)"><rect width="${lw}" height="${h}" fill="#0a0a0a"/><rect x="${lw}" width="${vw}" height="${h}" fill="${color}"/><rect width="${w}" height="${h}" fill="url(#s)"/></g>
+<g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" font-size="11">
+<text x="${lw / 2}" y="14">${label}</text><text x="${lw + vw / 2}" y="14" font-weight="bold">${val}</text></g></svg>`;
+}
+/** 1200×630 social card for og:image (white, one big grade). NOTE: some platforms
+ *  (notably X/Twitter) do not render SVG og:image; Discord/Slack/LinkedIn do. A PNG
+ *  rasteriser is the future upgrade. */
+function socialCardSvg(r) {
+    const color = GRADE_COLOR[r.summary.grade] || "#6b7280";
+    const bullets = (r.summary.bullets || []).slice(0, 5);
+    const lines = bullets.map((b, i) => `<text x="90" y="${330 + i * 46}" font-size="26" fill="#374151">${xesc(b.replace(/[^\x20-\x7E]/g, "").trim())}</text>`).join("");
+    return `<svg xmlns="http://www.w3.org/2000/svg" width="1200" height="630" viewBox="0 0 1200 630">
+<rect width="1200" height="630" fill="#ffffff"/><rect x="0" y="0" width="1200" height="8" fill="${color}"/>
+<text x="90" y="120" font-family="Verdana,sans-serif" font-size="26" letter-spacing="4" fill="#6b7280">MNEME · REPO X-RAY</text>
+<rect x="90" y="160" width="120" height="120" rx="24" fill="${color}"/>
+<text x="150" y="252" font-family="Verdana,sans-serif" font-size="74" font-weight="bold" fill="#fff" text-anchor="middle">${xesc(r.summary.grade)}</text>
+<text x="240" y="232" font-family="Verdana,sans-serif" font-size="46" font-weight="bold" fill="#0a0a0a">${xesc(r.subject.repoName)}</text>
+<text x="240" y="272" font-family="Verdana,sans-serif" font-size="24" fill="#6b7280">${xesc(r.summary.headline)}</text>
+${lines}
+<text x="90" y="590" font-family="Verdana,sans-serif" font-size="20" fill="#16a34a">✓ deterministic · signed · offline-verifiable — no AI guessed any number</text></svg>`;
+}
+/** latest stored report fingerprint for a repo slug like "github/owner/repo". */
+function latestByRepoSlug(slug) {
+    try {
+        if (!existsSync(BOARD_FILE()))
+            return null;
+        const ownerRepo = slug.split("/").slice(1).join("/").toLowerCase();
+        const host = slug.split("/")[0].toLowerCase();
+        const lines = rf(BOARD_FILE(), "utf8").trim().split("\n").filter(Boolean).reverse();
+        for (const l of lines) {
+            const row = JSON.parse(l);
+            const ref = String(row.ref || "").toLowerCase();
+            if (ref.includes(host) && ref.includes(ownerRepo) && row.fingerprint) {
+                return { fingerprint: row.fingerprint, grade: String(row.grade || "?") };
+            }
+        }
+    }
+    catch { /* ignore */ }
+    return null;
+}
+function reportPageWithOg(signed, origin) {
+    const tpl = readFileSync(join(PUBLIC_DIR, "report.html"), "utf8");
+    const r = signed.report;
+    const title = `${r.subject.repoName} — Grade ${r.summary.grade} · Mneme X-Ray`;
+    const desc = (r.summary.bullets || []).slice(0, 4).map((b) => b.replace(/[^\x20-\x7E]/g, "").trim()).join(" · ") || r.summary.headline;
+    const url = `${origin}/r/${r.fingerprint}`;
+    const img = `${origin}/og/${r.fingerprint}.svg`;
+    const og = [
+        `<meta property="og:type" content="website"/>`,
+        `<meta property="og:title" content="${xesc(title)}"/>`,
+        `<meta property="og:description" content="${xesc(desc)}"/>`,
+        `<meta property="og:url" content="${xesc(url)}"/>`,
+        `<meta property="og:image" content="${xesc(img)}"/>`,
+        `<meta name="twitter:card" content="summary_large_image"/>`,
+        `<meta name="twitter:title" content="${xesc(title)}"/>`,
+        `<meta name="twitter:description" content="${xesc(desc)}"/>`,
+        `<meta name="twitter:image" content="${xesc(img)}"/>`,
+        `<meta name="description" content="${xesc(desc)}"/>`,
+    ].join("\n");
+    return tpl.replace("<title>Mneme · Repo X-Ray</title>", `<title>${xesc(title)}</title>`).replace("<!--OGMETA-->", og);
+}
+export function createXRayServer(monitor) {
+    return createServer(async (req, res) => {
+        const ip = req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket.remoteAddress || "?";
+        const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+        if (req.method === "OPTIONS")
+            return send(res, 204, "");
+        if (req.method === "GET" && url.pathname === "/api/health")
+            return send(res, 200, { ok: true, ts: Date.now() });
+        if (req.method === "GET" && url.pathname === "/api/board") {
+            const offset = parseInt(url.searchParams.get("offset") || "0", 10);
+            const limit = parseInt(url.searchParams.get("limit") || "20", 10);
+            return send(res, 200, page(aggregateByRepo(readBoardRows()), offset, limit));
+        }
+        if (req.method === "GET" && (url.pathname === "/" || url.pathname === "/index.html"))
+            return serveStatic(res, "index.html");
+        if (req.method === "GET" && url.pathname === "/favicon.svg")
+            return serveStatic(res, "favicon.svg");
+        if (req.method === "GET" && url.pathname === "/card.js")
+            return serveStatic(res, "card.js");
+        if (req.method === "GET" && url.pathname === "/cosmic")
+            return serveStatic(res, "cosmic.html");
+        // COSMIC MONITOR (additive superpower for the cosmic-link server) — measured + signed
+        if (req.method === "GET" && url.pathname === "/badge/cosmic.svg") {
+            if (!monitor)
+                return sendSvg(res, cosmicBadgeSvg({ url: "", up: false, lastCheck: null, uptimePct: 0, checks: 0, p50Ms: 0, p95Ms: 0, sinceTs: null, windowMs: 0 }), 30);
+            return sendSvg(res, cosmicBadgeSvg(monitor.status()), 30);
+        }
+        if (req.method === "GET" && url.pathname === "/api/cosmic/status") {
+            if (!monitor)
+                return send(res, 200, { configured: false, note: "cosmic monitor not enabled on this instance" });
+            const st = monitor.status();
+            return send(res, 200, { ...st, attestation: signCosmicStatus(process.cwd(), st) });
+        }
+        // embeddable badge — /badge/<fingerprint>.svg OR /badge/github/owner/repo.svg
+        if (req.method === "GET" && url.pathname.startsWith("/badge/") && url.pathname.endsWith(".svg")) {
+            const target = decodeURIComponent(url.pathname.slice("/badge/".length, -4));
+            let grade = "?";
+            if (FP_RE.test(target)) {
+                grade = getReport(target)?.report.summary.grade ?? "?";
+            }
+            else {
+                grade = latestByRepoSlug(target)?.grade ?? "?";
+            }
+            return sendSvg(res, badgeSvg(grade));
+        }
+        // social card (og:image) — /og/<fingerprint>.svg
+        if (req.method === "GET" && url.pathname.startsWith("/og/") && url.pathname.endsWith(".svg")) {
+            const fp = decodeURIComponent(url.pathname.slice("/og/".length, -4));
+            const signed = getReport(fp);
+            if (!signed || getReportMeta(fp)?.visibility === "private")
+                return send(res, 404, { error: "not found" });
+            return sendSvg(res, socialCardSvg(signed.report));
+        }
+        // shareable permalink — /r/<fingerprint> (server-renders OG meta for social previews)
+        if (req.method === "GET" && url.pathname.startsWith("/r/")) {
+            const fp = decodeURIComponent(url.pathname.slice("/r/".length).replace(/\/$/, ""));
+            const signed = getReport(fp);
+            const meta = getReportMeta(fp);
+            const origin = `${req.headers["x-forwarded-proto"] || "http"}://${req.headers.host || "localhost"}`;
+            // private (or unknown) → serve the bare shell with NO OG meta, so the repo
+            // name never leaks; the page's API fetch will 404 for anyone but the owner.
+            if (!signed || meta?.visibility === "private") {
+                return send(res, 200, readFileSync(join(PUBLIC_DIR, "report.html"), "utf8"), "text/html; charset=utf-8");
+            }
+            return send(res, 200, reportPageWithOg(signed, origin), "text/html; charset=utf-8");
+        }
+        // deep-view: fetch a stored full signed report by fingerprint.
+        // PRIVATE reports are access-controlled: only the owning key may fetch them,
+        // and we return 404 (not 403) so their very existence isn't revealed.
+        if (req.method === "GET" && url.pathname.startsWith("/api/report/")) {
+            const fp = decodeURIComponent(url.pathname.slice("/api/report/".length));
+            const signed = getReport(fp);
+            if (!signed)
+                return send(res, 404, { error: "report not found" });
+            const meta = getReportMeta(fp);
+            if (meta?.visibility === "private") {
+                const tok = bearer(req);
+                if (!tok || profileIdFromToken(tok) !== meta.profileId)
+                    return send(res, 404, { error: "report not found" });
+            }
+            return send(res, 200, signed);
+        }
+        // a profile's reports — aggregated by repo (first/last seen + count), paged.
+        // id is the profile hash; knowing it is required to list. Private items live
+        // ONLY here, never on the public board.
+        if (req.method === "GET" && url.pathname.startsWith("/api/profile/")) {
+            const id = decodeURIComponent(url.pathname.slice("/api/profile/".length));
+            if (!/^[a-f0-9]{8,32}$/.test(id))
+                return send(res, 400, { error: "bad profile id" });
+            const offset = parseInt(url.searchParams.get("offset") || "0", 10);
+            const limit = parseInt(url.searchParams.get("limit") || "20", 10);
+            return send(res, 200, { profileId: id, ...page(aggregateByRepo(readProfileRows(id)), offset, limit) });
+        }
+        if (req.method === "POST" && url.pathname === "/api/xray") {
+            if (rateLimited(ip))
+                return send(res, 429, { error: "rate limit — try again in a minute" });
+            let body;
+            try {
+                body = JSON.parse(await readBody(req) || "{}");
+            }
+            catch {
+                return send(res, 400, { error: "invalid JSON" });
+            }
+            const gitUrl = (body.gitUrl || "").trim();
+            if (!isAllowedPublicUrl(gitUrl)) {
+                return send(res, 400, { error: "Only public github.com / gitlab.com / bitbucket.org URLs (no credentials) are accepted. For private repos, run mneme-xray locally." });
+            }
+            try {
+                const report = await buildXRay({ gitUrl });
+                const leak = xrayLeaksRaw(report);
+                if (leak.leaks)
+                    return send(res, 500, { error: "internal: report failed raw-free gate", reasons: leak.reasons });
+                const signed = sealXRay(process.cwd(), report);
+                const tok = bearer(req);
+                recordBoard(signed); // public repos are public by definition
+                saveReport(signed, "public", tok ? profileIdFromToken(tok) : "");
+                if (tok)
+                    recordProfile(profileIdFromToken(tok), report, "public");
+                return send(res, 200, signed);
+            }
+            catch (e) {
+                return send(res, 502, { error: e.message.slice(0, 300) });
+            }
+        }
+        // THE BRIDGE — a local agent publishes a report it built on a PRIVATE repo.
+        // The server NEVER sees the source: it only verifies the signature + raw-free
+        // gate and files the report under the caller's profile.
+        if (req.method === "POST" && url.pathname === "/api/ingest") {
+            const tok = bearer(req);
+            if (!tok)
+                return send(res, 401, { error: "missing bearer token (your X-Ray key)" });
+            if (rateLimited("ingest:" + ip))
+                return send(res, 429, { error: "rate limit — try again in a minute" });
+            let signed;
+            try {
+                signed = JSON.parse(await readBody(req, 2 * 1024 * 1024));
+            }
+            catch {
+                return send(res, 400, { error: "invalid signed report" });
+            }
+            if (!signed?.report || !signed.receipt)
+                return send(res, 400, { error: "expected { report, receipt }" });
+            // 1) the report a local agent sends must itself be raw-free
+            const leak = xrayLeaksRaw(signed.report);
+            if (leak.leaks)
+                return send(res, 422, { error: "report is not raw-free — refused", reasons: leak.reasons });
+            // 2) the Ed25519 receipt must verify offline
+            const v = verifyXRay(signed);
+            if (!v.valid)
+                return send(res, 422, { error: "signature does not verify: " + v.reason });
+            const visibility = signed.report.subject.kind === "git-url" ? "public" : "private";
+            saveReport(signed, visibility, profileIdFromToken(tok));
+            recordProfile(profileIdFromToken(tok), signed.report, visibility);
+            if (visibility === "public")
+                recordBoard(signed);
+            return send(res, 200, { ok: true, profileId: profileIdFromToken(tok), fingerprint: signed.report.fingerprint });
+        }
+        if (req.method === "POST" && url.pathname === "/api/verify") {
+            try {
+                const signed = JSON.parse(await readBody(req));
+                return send(res, 200, verifyXRay(signed));
+            }
+            catch {
+                return send(res, 400, { error: "invalid signed report" });
+            }
+        }
+        return send(res, 404, { error: "not found" });
+    });
+}
+// run when invoked directly (npm run serve / node dist/server.js)
+const invokedDirectly = process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1];
+if (invokedDirectly) {
+    // COSMIC MONITOR — observe the cosmic-link server over localhost (additive,
+    // never touches it). Disable with COSMIC_URL=off.
+    const cosmicUrl = process.env.COSMIC_URL ?? "http://127.0.0.1:8081/";
+    const monitor = cosmicUrl && cosmicUrl !== "off"
+        ? new CosmicMonitor(cosmicUrl, join(dataDir(), "cosmic-samples.jsonl"))
+        : undefined;
+    if (monitor)
+        monitor.start(15000);
+    const server = createXRayServer(monitor);
+    server.listen(PORT, HOST, () => {
+        process.stdout.write(`Mneme X-Ray server on http://${HOST}:${PORT}  (data: ${dataDir()})${monitor ? `  · cosmic monitor → ${cosmicUrl}` : ""}\n`);
+    });
+    process.on("SIGTERM", () => server.close(() => process.exit(0)));
+    process.on("SIGINT", () => server.close(() => process.exit(0)));
+}
+//# sourceMappingURL=server.js.map