@mondaydotcomorg/atp-server 0.17.14

package/src/utils/provenance-reattachment.ts

@@ -0,0 +1,144 @@
+/**
+ * Provenance Re-attachment Utility
+ *
+ * Re-attaches provenance to values based on verified hints
+ */
+import {
+	getProvenance,
+	getProvenanceForPrimitive,
+	createProvenanceProxy,
+	markPrimitiveTainted,
+	computeDigest,
+	type ProvenanceMetadata,
+} from '@mondaydotcomorg/atp-provenance';
+
+/**
+ * Global registry of hint maps per execution
+ * Key: executionId, Value: Map<digest, metadata>
+ */
+const executionHintMaps = new Map<string, Map<string, ProvenanceMetadata>>();
+
+/**
+ * Global registry of hint values per execution
+ * Key: executionId, Value: Map<value, metadata> for substring checking
+ */
+const executionHintValues = new Map<string, Map<string, ProvenanceMetadata>>();
+
+/**
+ * Store hint map for an execution
+ */
+export function storeHintMap(executionId: string, hintMap: Map<string, ProvenanceMetadata>): void {
+	executionHintMaps.set(executionId, hintMap);
+}
+
+/**
+ * Store a hint value for substring matching
+ */
+export function storeHintValue(
+	executionId: string,
+	value: string,
+	metadata: ProvenanceMetadata
+): void {
+	let valueMap = executionHintValues.get(executionId);
+	if (!valueMap) {
+		valueMap = new Map();
+		executionHintValues.set(executionId, valueMap);
+	}
+	valueMap.set(value, metadata);
+}
+
+/**
+ * Get hint map for an execution
+ */
+export function getHintMap(executionId: string): Map<string, ProvenanceMetadata> | undefined {
+	return executionHintMaps.get(executionId);
+}
+
+/**
+ * Get hint values for an execution (for substring matching)
+ */
+export function getHintValues(executionId: string): Map<string, ProvenanceMetadata> | undefined {
+	return executionHintValues.get(executionId);
+}
+
+/**
+ * Clear hint map for an execution (cleanup)
+ */
+export function clearHintMap(executionId: string): void {
+	executionHintMaps.delete(executionId);
+	executionHintValues.delete(executionId);
+}
+
+/**
+ * Re-attach provenance from hints to tool arguments
+ * Scans arguments recursively and attaches provenance based on value digests
+ */
+export function reattachProvenanceFromHints(
+	args: Record<string, unknown>,
+	hintMap: Map<string, ProvenanceMetadata>
+): void {
+	if (!hintMap || hintMap.size === 0) {
+		return;
+	}
+
+	const visited = new WeakSet<object>();
+
+	function processValue(value: unknown): void {
+		if (value === null || value === undefined) {
+			return;
+		}
+
+		// Handle primitives (string/number)
+		if (typeof value === 'string' || typeof value === 'number') {
+			// Skip if already has provenance
+			if (getProvenanceForPrimitive(value)) {
+				return;
+			}
+
+			// Compute digest and check hint map
+			const digest = computeDigest(value);
+			if (digest && hintMap.has(digest)) {
+				const metadata = hintMap.get(digest)!;
+				markPrimitiveTainted(value, metadata);
+			}
+			return;
+		}
+
+		// Handle objects/arrays
+		if (typeof value === 'object') {
+			// Prevent circular reference processing
+			if (visited.has(value as object)) {
+				return;
+			}
+			visited.add(value as object);
+
+			// Skip if already has provenance
+			if (getProvenance(value)) {
+				return;
+			}
+
+			// Check if object itself has provenance in hints
+			const digest = computeDigest(value);
+			if (digest && hintMap.has(digest)) {
+				const metadata = hintMap.get(digest)!;
+				// Note: We can't modify the object in place, but we mark primitives inside
+			}
+
+			// Process children
+			if (Array.isArray(value)) {
+				for (const item of value) {
+					processValue(item);
+				}
+			} else {
+				for (const childValue of Object.values(value as Record<string, unknown>)) {
+					processValue(childValue);
+				}
+			}
+		}
+	}
+
+	// Process all argument values
+	for (const value of Object.values(args)) {
+		processValue(value);
+	}
+}

package/src/utils/request.ts

@@ -0,0 +1,53 @@
+import { IncomingMessage } from 'node:http';
+
+/**
+ * Default maximum request body size (10MB)
+ */
+export const DEFAULT_MAX_BODY_SIZE = 10 * 1024 * 1024;
+
+/**
+ * Reads the full request body as a string
+ * @param req - The HTTP request
+ * @param maxSize - Maximum allowed body size in bytes (default: 10MB)
+ * @returns Promise resolving to the complete body string
+ * @throws Error if body exceeds maxSize
+ */
+export function readBody(req: IncomingMessage, maxSize = DEFAULT_MAX_BODY_SIZE): Promise<string> {
+	return new Promise((resolve, reject) => {
+		let body = '';
+		let size = 0;
+
+		req.on('data', (chunk) => {
+			size += chunk.length;
+
+			if (size > maxSize) {
+				req.destroy();
+				reject(new Error(`Request body too large (max ${maxSize} bytes)`));
+				return;
+			}
+
+			body += chunk.toString();
+		});
+
+		req.on('end', () => resolve(body));
+		req.on('error', reject);
+	});
+}
+
+/**
+ * Reads and parses request body as JSON
+ * @param req - The HTTP request
+ * @param maxSize - Maximum allowed body size in bytes
+ * @returns Promise resolving to the parsed JSON object
+ */
+export async function readJsonBody<T = any>(
+	req: IncomingMessage,
+	maxSize = DEFAULT_MAX_BODY_SIZE
+): Promise<T> {
+	const body = await readBody(req, maxSize);
+	try {
+		return body ? JSON.parse(body) : (null as T);
+	} catch (error) {
+		throw new Error('Invalid JSON');
+	}
+}

package/src/utils/response.ts

@@ -0,0 +1,69 @@
+import { ServerResponse } from 'node:http';
+
+/**
+ * Sends a JSON response
+ */
+export function sendJson(res: ServerResponse, data: unknown, status = 200): void {
+	res.writeHead(status, { 'Content-Type': 'application/json' });
+	res.end(JSON.stringify(data));
+}
+
+/**
+ * Sends an error response
+ */
+export function sendError(
+	res: ServerResponse,
+	error: string | Error,
+	status = 500,
+	requestId?: string
+): void {
+	const message = error instanceof Error ? error.message : error;
+	sendJson(
+		res,
+		{
+			error: message,
+			...(requestId && { requestId }),
+		},
+		status
+	);
+}
+
+/**
+ * Sends a 404 Not Found response
+ */
+export function send404(res: ServerResponse): void {
+	sendJson(res, { error: 'Not found' }, 404);
+}
+
+/**
+ * Sends a 400 Bad Request response
+ */
+export function sendBadRequest(res: ServerResponse, message: string): void {
+	sendJson(res, { error: message }, 400);
+}
+
+/**
+ * Sends a 503 Service Unavailable response
+ */
+export function sendServiceUnavailable(res: ServerResponse, message: string): void {
+	sendJson(res, { error: message }, 503);
+}
+
+/**
+ * Sets CORS headers on a response
+ */
+export function setCorsHeaders(res: ServerResponse, origin = '*'): void {
+	res.setHeader('Access-Control-Allow-Origin', origin);
+	res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
+	res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Client-ID');
+	res.setHeader('Access-Control-Max-Age', '86400');
+}
+
+/**
+ * Handles OPTIONS preflight requests
+ */
+export function handleOptions(res: ServerResponse): void {
+	setCorsHeaders(res);
+	res.writeHead(204);
+	res.end();
+}

package/src/utils/runtime-types.ts

@@ -0,0 +1,14 @@
+/**
+ * Runtime SDK Type Generator
+ *
+ * Generates TypeScript definitions from the runtime API registry.
+ */
+import { GENERATED_METADATA, generateRuntimeTypes as generate } from '@mondaydotcomorg/atp-runtime';
+
+/**
+ * Generates TypeScript definitions for the runtime SDK
+ * Delegates to the runtime package's own type generator
+ */
+export function generateRuntimeTypes(): string {
+	return generate(GENERATED_METADATA);
+}

package/src/utils/schema.ts

@@ -0,0 +1,18 @@
+/**
+ * Converts a simple type map to a JSON Schema object
+ */
+export function toJSONSchema(types: Record<string, string>): {
+	type: 'object';
+	properties: Record<string, unknown>;
+	required: string[];
+} {
+	const properties: Record<string, unknown> = {};
+	const required: string[] = [];
+
+	for (const [key, type] of Object.entries(types)) {
+		properties[key] = { type };
+		required.push(key);
+	}
+
+	return { type: 'object', properties, required };
+}

package/src/utils/token-emitter.ts

@@ -0,0 +1,182 @@
+import {
+	issueProvenanceToken,
+	type ProvenanceMetadata,
+	type ProvenanceMode,
+	ProvenanceMode as PM,
+} from '@mondaydotcomorg/atp-provenance';
+import type { CacheProvider } from '@mondaydotcomorg/atp-protocol';
+import type { log } from '@mondaydotcomorg/atp-runtime';
+
+type Logger = ReturnType<typeof log.child>;
+
+interface TokenEmission {
+	path: string;
+	token: string;
+}
+
+/**
+ * Emits provenance tokens for all values in the result that have provenance in the snapshot.
+ * This works by:
+ * 1. Traversing the actual serialized result object
+ * 2. For each value, checking if it matches provenance in the snapshot
+ * 3. Emitting tokens with the ACTUAL value for correct digest matching
+ */
+export async function emitProvenanceTokens(
+	result: unknown,
+	clientId: string,
+	executionId: string,
+	provenanceMode: ProvenanceMode,
+	cacheProvider: CacheProvider,
+	logger: Logger,
+	maxTokens: number = 5000,
+	tokenTTL: number = 3600,
+	provenanceSnapshot?: {
+		registry: Array<[string, ProvenanceMetadata]>;
+		primitives: Array<[string, ProvenanceMetadata]>;
+	}
+): Promise<TokenEmission[]> {
+	if (provenanceMode === PM.NONE || !result || !provenanceSnapshot) {
+		logger.debug('Skipping token emission', {
+			hasResult: !!result,
+			hasSnapshot: !!provenanceSnapshot,
+			mode: provenanceMode,
+		});
+		return [];
+	}
+
+	logger.info('Token emission starting from snapshot', {
+		executionId,
+		registrySize: provenanceSnapshot.registry.length,
+		primitiveMapSize: provenanceSnapshot.primitives.length,
+		resultType: typeof result,
+	});
+
+	const tokens: TokenEmission[] = [];
+	const visited = new WeakSet<object>();
+	const primitiveMap = new Map<string, ProvenanceMetadata>(provenanceSnapshot.primitives);
+
+	const taintedValues = new Set<string>();
+	for (const [key] of provenanceSnapshot.primitives) {
+		if (key.startsWith('tainted:')) {
+			taintedValues.add(key.slice('tainted:'.length));
+		}
+	}
+
+	const queue: Array<{ value: unknown; path: string }> = [{ value: result, path: '' }];
+
+	while (queue.length > 0 && tokens.length < maxTokens) {
+		const { value, path } = queue.shift()!;
+
+		if (value === null || value === undefined) {
+			continue;
+		}
+
+		if (typeof value === 'string' || typeof value === 'number') {
+			const valueStr = String(value);
+
+			const taintedKey = `tainted:${valueStr}`;
+			let meta = primitiveMap.get(taintedKey);
+
+			if (!meta) {
+				for (const [key, metadata] of primitiveMap.entries()) {
+					if (!key.startsWith('tainted:')) {
+						const parts = key.split(':');
+						if (parts.length >= 3) {
+							const derivedValue = parts.slice(2).join(':');
+							if (derivedValue === valueStr) {
+								meta = metadata;
+								logger.debug('Found property-derived primitive match', {
+									path,
+									key,
+									valuePreview: valueStr.substring(0, 30),
+								});
+								break;
+							}
+						}
+					}
+				}
+			}
+
+			if (meta) {
+				try {
+					const token = await issueProvenanceToken(
+						meta,
+						value,
+						clientId,
+						executionId,
+						cacheProvider,
+						tokenTTL
+					);
+					if (token) {
+						tokens.push({ path, token });
+						logger.debug('Emitted token for primitive', {
+							path,
+							valuePreview: typeof value === 'string' ? value.substring(0, 30) : value,
+							tokenPrefix: token.substring(0, 10),
+						});
+					}
+				} catch (error) {
+					logger.warn('Failed to issue token for primitive', { path, error });
+				}
+			}
+			continue;
+		}
+
+		if (typeof value === 'object') {
+			if (visited.has(value as object)) {
+				continue;
+			}
+			visited.add(value as object);
+
+			// For objects, we need to check if ANY of the registry metadata applies
+			// Since we can't match by identity, we emit tokens for ALL registry entries
+			// and let the client match by digest
+			if (provenanceSnapshot.registry.length > 0 && path === '') {
+				for (const [id, meta] of provenanceSnapshot.registry) {
+					if (tokens.length >= maxTokens) break;
+
+					try {
+						const token = await issueProvenanceToken(
+							meta,
+							value,
+							clientId,
+							executionId,
+							cacheProvider,
+							tokenTTL
+						);
+						if (token) {
+							tokens.push({ path, token });
+							logger.debug('Emitted token for object', {
+								path,
+								id,
+								tokenPrefix: token.substring(0, 10),
+							});
+						}
+					} catch (error) {
+						logger.warn('Failed to issue token for object', { path, id, error });
+					}
+				}
+			}
+
+			if (Array.isArray(value)) {
+				for (let i = 0; i < value.length; i++) {
+					queue.push({ value: value[i], path: `${path}/${i}` });
+				}
+			} else {
+				for (const key in value) {
+					if (Object.prototype.hasOwnProperty.call(value, key)) {
+						const escapedKey = key.replace(/~/g, '~0').replace(/\//g, '~1');
+						queue.push({ value: (value as any)[key], path: `${path}/${escapedKey}` });
+					}
+				}
+			}
+		}
+	}
+
+	if (tokens.length >= maxTokens) {
+		logger.warn('Max provenance tokens reached', { executionId, maxTokens });
+	}
+
+	logger.info('Token emission completed', { executionId, tokenCount: tokens.length });
+	return tokens;
+}