@naisys/common-node 3.0.0-beta.4 → 3.0.0-beta.5

package/dist/agentConfigLoader.js

@@ -4,77 +4,90 @@ import yaml from "js-yaml";
 import * as path from "path";
 /** Loads agent yaml configs from a file or directory path, returns a map of userId → UserEntry */
 export function loadAgentConfigs(startupPath) {
-    const configEntries = [];
-    const usernameToPath = new Map();
-    const resolvedPath = path.resolve(startupPath);
-    if (fs.statSync(resolvedPath).isDirectory()) {
-        processDirectory(resolvedPath, undefined, configEntries, usernameToPath);
-    }
-    else {
-        processFile(resolvedPath, undefined, configEntries, usernameToPath);
-    }
-    // Add admin if not present
-    const hasAdmin = configEntries.some((e) => e.username === adminAgentConfig.username);
-    if (!hasAdmin) {
-        configEntries.push({
-            username: adminAgentConfig.username,
-            leadEntryIndex: undefined,
-            config: adminAgentConfig,
-        });
-    }
-    // Build userId map (1-based sequential IDs)
-    const userMap = new Map();
-    for (let i = 0; i < configEntries.length; i++) {
-        const entry = configEntries[i];
-        const userId = i + 1;
-        const leadUserId = entry.leadEntryIndex !== undefined ? entry.leadEntryIndex + 1 : undefined;
-        userMap.set(userId, {
-            userId,
-            username: entry.username,
-            enabled: true,
-            leadUserId,
-            config: entry.config,
-        });
-    }
-    return userMap;
+  const configEntries = [];
+  const usernameToPath = new Map();
+  const resolvedPath = path.resolve(startupPath);
+  if (fs.statSync(resolvedPath).isDirectory()) {
+    processDirectory(resolvedPath, undefined, configEntries, usernameToPath);
+  } else {
+    processFile(resolvedPath, undefined, configEntries, usernameToPath);
+  }
+  // Add admin if not present
+  const hasAdmin = configEntries.some(
+    (e) => e.username === adminAgentConfig.username,
+  );
+  if (!hasAdmin) {
+    configEntries.push({
+      username: adminAgentConfig.username,
+      leadEntryIndex: undefined,
+      config: adminAgentConfig,
+    });
+  }
+  // Build userId map (1-based sequential IDs)
+  const userMap = new Map();
+  for (let i = 0; i < configEntries.length; i++) {
+    const entry = configEntries[i];
+    const userId = i + 1;
+    const leadUserId =
+      entry.leadEntryIndex !== undefined ? entry.leadEntryIndex + 1 : undefined;
+    userMap.set(userId, {
+      userId,
+      username: entry.username,
+      enabled: true,
+      leadUserId,
+      config: entry.config,
+    });
+  }
+  return userMap;
 }
-function processDirectory(dirPath, leadEntryIndex, configEntries, usernameToPath) {
-    const files = fs.readdirSync(dirPath);
-    for (const file of files) {
-        if (file.endsWith(".yaml") || file.endsWith(".yml")) {
-            processFile(path.join(dirPath, file), leadEntryIndex, configEntries, usernameToPath);
-        }
+function processDirectory(
+  dirPath,
+  leadEntryIndex,
+  configEntries,
+  usernameToPath,
+) {
+  const files = fs.readdirSync(dirPath);
+  for (const file of files) {
+    if (file.endsWith(".yaml") || file.endsWith(".yml")) {
+      processFile(
+        path.join(dirPath, file),
+        leadEntryIndex,
+        configEntries,
+        usernameToPath,
+      );
     }
+  }
 }
 function processFile(filePath, leadEntryIndex, configEntries, usernameToPath) {
-    const absolutePath = path.resolve(filePath);
-    try {
-        const configYaml = fs.readFileSync(absolutePath, "utf8");
-        const configObj = yaml.load(configYaml);
-        const agentConfig = AgentConfigFileSchema.parse(configObj);
-        const username = agentConfig.username;
-        // Check for duplicate usernames from different files
-        const existingPath = usernameToPath.get(username);
-        if (existingPath && existingPath !== absolutePath) {
-            throw new Error(`Duplicate username "${username}" found in multiple files:\n  ${existingPath}\n  ${absolutePath}`);
-        }
-        usernameToPath.set(username, absolutePath);
-        const currentIndex = configEntries.length;
-        configEntries.push({
-            username,
-            leadEntryIndex,
-            config: agentConfig,
-        });
-        console.log(`Loaded user: ${username} from ${filePath}`);
-        // Check for a subdirectory matching the filename (without extension)
-        const ext = path.extname(absolutePath);
-        const baseName = path.basename(absolutePath, ext);
-        const subDir = path.join(path.dirname(absolutePath), baseName);
-        if (fs.existsSync(subDir) && fs.statSync(subDir).isDirectory()) {
-            processDirectory(subDir, currentIndex, configEntries, usernameToPath);
-        }
+  const absolutePath = path.resolve(filePath);
+  try {
+    const configYaml = fs.readFileSync(absolutePath, "utf8");
+    const configObj = yaml.load(configYaml);
+    const agentConfig = AgentConfigFileSchema.parse(configObj);
+    const username = agentConfig.username;
+    // Check for duplicate usernames from different files
+    const existingPath = usernameToPath.get(username);
+    if (existingPath && existingPath !== absolutePath) {
+      throw new Error(
+        `Duplicate username "${username}" found in multiple files:\n  ${existingPath}\n  ${absolutePath}`,
+      );
     }
-    catch (e) {
-        throw new Error(`Failed to process agent config at ${filePath}: ${e}`);
+    usernameToPath.set(username, absolutePath);
+    const currentIndex = configEntries.length;
+    configEntries.push({
+      username,
+      leadEntryIndex,
+      config: agentConfig,
+    });
+    console.log(`Loaded user: ${username} from ${filePath}`);
+    // Check for a subdirectory matching the filename (without extension)
+    const ext = path.extname(absolutePath);
+    const baseName = path.basename(absolutePath, ext);
+    const subDir = path.join(path.dirname(absolutePath), baseName);
+    if (fs.existsSync(subDir) && fs.statSync(subDir).isDirectory()) {
+      processDirectory(subDir, currentIndex, configEntries, usernameToPath);
     }
+  } catch (e) {
+    throw new Error(`Failed to process agent config at ${filePath}: ${e}`);
+  }
 }

package/dist/bearerToken.js

@@ -3,7 +3,6 @@
  * Returns undefined if the header is missing or not in Bearer format.
  */
 export function extractBearerToken(authHeader) {
-    if (!authHeader?.startsWith("Bearer "))
-        return undefined;
-    return authHeader.slice(7);
+  if (!authHeader?.startsWith("Bearer ")) return undefined;
+  return authHeader.slice(7);
 }

package/dist/customModelsLoader.js

@@ -3,37 +3,37 @@ import fs from "fs";
 import yaml from "js-yaml";
 import path from "path";
 export function loadCustomModels(folder) {
-    if (!folder) {
-        return { llmModels: [], imageModels: [] };
-    }
-    const filePath = path.join(folder, "custom-models.yaml");
-    if (!fs.existsSync(filePath)) {
-        return { llmModels: [], imageModels: [] };
-    }
-    const raw = fs.readFileSync(filePath, "utf-8");
-    const parsed = yaml.load(raw);
-    const result = CustomModelsFileSchema.parse(parsed);
-    return {
-        llmModels: result.llmModels ?? [],
-        imageModels: result.imageModels ?? [],
-    };
+  if (!folder) {
+    return { llmModels: [], imageModels: [] };
+  }
+  const filePath = path.join(folder, "custom-models.yaml");
+  if (!fs.existsSync(filePath)) {
+    return { llmModels: [], imageModels: [] };
+  }
+  const raw = fs.readFileSync(filePath, "utf-8");
+  const parsed = yaml.load(raw);
+  const result = CustomModelsFileSchema.parse(parsed);
+  return {
+    llmModels: result.llmModels ?? [],
+    imageModels: result.imageModels ?? [],
+  };
 }
 export function saveCustomModels(data) {
-    const folder = process.env.NAISYS_FOLDER;
-    if (!folder) {
-        throw new Error("NAISYS_FOLDER environment variable is not set");
-    }
-    // Validate before writing
-    CustomModelsFileSchema.parse(data);
-    // Omit empty arrays from output
-    const output = {};
-    if (data.llmModels && data.llmModels.length > 0) {
-        output.llmModels = data.llmModels;
-    }
-    if (data.imageModels && data.imageModels.length > 0) {
-        output.imageModels = data.imageModels;
-    }
-    const filePath = path.join(folder, "custom-models.yaml");
-    const yamlStr = yaml.dump(output, { lineWidth: -1 });
-    fs.writeFileSync(filePath, yamlStr, "utf-8");
+  const folder = process.env.NAISYS_FOLDER;
+  if (!folder) {
+    throw new Error("NAISYS_FOLDER environment variable is not set");
+  }
+  // Validate before writing
+  CustomModelsFileSchema.parse(data);
+  // Omit empty arrays from output
+  const output = {};
+  if (data.llmModels && data.llmModels.length > 0) {
+    output.llmModels = data.llmModels;
+  }
+  if (data.imageModels && data.imageModels.length > 0) {
+    output.imageModels = data.imageModels;
+  }
+  const filePath = path.join(folder, "custom-models.yaml");
+  const yamlStr = yaml.dump(output, { lineWidth: -1 });
+  fs.writeFileSync(filePath, yamlStr, "utf-8");
 }

package/dist/expandEnv.js

@@ -1,7 +1,10 @@
 import os from "os";
 /** Expand ~ to the user's home directory in NAISYS_FOLDER */
 export function expandNaisysFolder() {
-    if (process.env.NAISYS_FOLDER?.startsWith("~")) {
-        process.env.NAISYS_FOLDER = process.env.NAISYS_FOLDER.replace("~", os.homedir());
-    }
+  if (process.env.NAISYS_FOLDER?.startsWith("~")) {
+    process.env.NAISYS_FOLDER = process.env.NAISYS_FOLDER.replace(
+      "~",
+      os.homedir(),
+    );
+  }
 }

package/dist/hashToken.js

@@ -1,5 +1,5 @@
 import { createHash } from "crypto";
 /** Hash a token (session cookie, API key) with SHA-256 for safe cache keys / DB lookup. */
 export function hashToken(token) {
-    return createHash("sha256").update(token).digest("hex");
+  return createHash("sha256").update(token).digest("hex");
 }

package/dist/hubCertVerification.js

@@ -8,33 +8,34 @@ import tls from "tls";
  * Returns undefined if the file does not exist.
  */
 export function readHubAccessKeyFile() {
-    const naisysFolder = process.env.NAISYS_FOLDER || "";
-    const accessKeyPath = join(naisysFolder, "cert", "hub-access-key");
-    if (!existsSync(accessKeyPath))
-        return undefined;
-    return readFileSync(accessKeyPath, "utf-8").trim();
+  const naisysFolder = process.env.NAISYS_FOLDER || "";
+  const accessKeyPath = join(naisysFolder, "cert", "hub-access-key");
+  if (!existsSync(accessKeyPath)) return undefined;
+  return readFileSync(accessKeyPath, "utf-8").trim();
 }
 /**
  * Resolve the hub access key from environment variable or local cert file.
  * Returns undefined if neither is available.
  */
 export function resolveHubAccessKey() {
-    return process.env.HUB_ACCESS_KEY || readHubAccessKeyFile();
+  return process.env.HUB_ACCESS_KEY || readHubAccessKeyFile();
 }
 /** Parse a hub access key in format "<fingerprintPrefix>+<secret>" */
 export function parseHubAccessKey(accessKey) {
-    const plusIndex = accessKey.indexOf("+");
-    if (plusIndex === -1) {
-        throw new Error(`Invalid hub access key format, expected <fingerprint>+<secret>, got ${accessKey}`);
-    }
-    return {
-        fingerprintPrefix: accessKey.substring(0, plusIndex),
-        secret: accessKey.substring(plusIndex + 1),
-    };
+  const plusIndex = accessKey.indexOf("+");
+  if (plusIndex === -1) {
+    throw new Error(
+      `Invalid hub access key format, expected <fingerprint>+<secret>, got ${accessKey}`,
+    );
+  }
+  return {
+    fingerprintPrefix: accessKey.substring(0, plusIndex),
+    secret: accessKey.substring(plusIndex + 1),
+  };
 }
 /** Compute SHA-256 fingerprint of a DER-encoded certificate */
 export function computeCertFingerprint(derCert) {
-    return createHash("sha256").update(derCert).digest("hex");
+  return createHash("sha256").update(derCert).digest("hex");
 }
 /**
  * Connect to a TLS server, verify that the certificate fingerprint matches
@@ -42,27 +43,32 @@ export function computeCertFingerprint(derCert) {
  * trusted CA in subsequent connections.
  */
 export async function verifyHubCertificate(host, port, fingerprintPrefix) {
-    return new Promise((resolve, reject) => {
-        const sock = tls.connect(port, host, { rejectUnauthorized: false }, () => {
-            const cert = sock.getPeerCertificate(true);
-            sock.destroy();
-            if (!cert?.raw) {
-                reject(new Error("No certificate received from hub"));
-                return;
-            }
-            const fingerprint = computeCertFingerprint(cert.raw);
-            if (!fingerprint.startsWith(fingerprintPrefix)) {
-                reject(new Error(`Hub certificate fingerprint mismatch: expected prefix ${fingerprintPrefix}, got ${fingerprint.substring(0, fingerprintPrefix.length)}`));
-                return;
-            }
-            // Convert DER to PEM so it can be used as a trusted CA
-            const pem = "-----BEGIN CERTIFICATE-----\n" +
-                cert.raw.toString("base64") +
-                "\n-----END CERTIFICATE-----\n";
-            resolve(pem);
-        });
-        sock.on("error", reject);
+  return new Promise((resolve, reject) => {
+    const sock = tls.connect(port, host, { rejectUnauthorized: false }, () => {
+      const cert = sock.getPeerCertificate(true);
+      sock.destroy();
+      if (!cert?.raw) {
+        reject(new Error("No certificate received from hub"));
+        return;
+      }
+      const fingerprint = computeCertFingerprint(cert.raw);
+      if (!fingerprint.startsWith(fingerprintPrefix)) {
+        reject(
+          new Error(
+            `Hub certificate fingerprint mismatch: expected prefix ${fingerprintPrefix}, got ${fingerprint.substring(0, fingerprintPrefix.length)}`,
+          ),
+        );
+        return;
+      }
+      // Convert DER to PEM so it can be used as a trusted CA
+      const pem =
+        "-----BEGIN CERTIFICATE-----\n" +
+        cert.raw.toString("base64") +
+        "\n-----END CERTIFICATE-----\n";
+      resolve(pem);
     });
+    sock.on("error", reject);
+  });
 }
 /**
  * Create an https.Agent that trusts only the given PEM certificate.
@@ -70,9 +76,9 @@ export async function verifyHubCertificate(host, port, fingerprintPrefix) {
  * to the same cert (no TOCTOU gap since Node's TLS layer enforces it).
  */
 export function createPinnedHttpsAgent(certPem) {
-    return new https.Agent({
-        ca: certPem,
-        // Skip hostname check — cert is already pinned by fingerprint
-        checkServerIdentity: () => undefined,
-    });
+  return new https.Agent({
+    ca: certPem,
+    // Skip hostname check — cert is already pinned by fingerprint
+    checkServerIdentity: () => undefined,
+  });
 }

package/dist/logFileService.js

@@ -1,58 +1,55 @@
 import fsp from "node:fs/promises";
 const MAX_READ_BYTES = 256 * 1024;
 export async function tailLogFile(filePath, lineCount, minLevel) {
-    let stat;
+  let stat;
+  try {
+    stat = await fsp.stat(filePath);
+  } catch {
+    return { entries: [], fileSize: 0 };
+  }
+  const fileSize = stat.size;
+  if (fileSize === 0) {
+    return { entries: [], fileSize: 0 };
+  }
+  const readSize = Math.min(fileSize, MAX_READ_BYTES);
+  const position = fileSize - readSize;
+  const buffer = Buffer.alloc(readSize);
+  const handle = await fsp.open(filePath, "r");
+  try {
+    await handle.read(buffer, 0, readSize, position);
+  } finally {
+    await handle.close();
+  }
+  const text = buffer.toString("utf-8");
+  const lines = text.split("\n").filter((line) => line.trim().length > 0);
+  // If we didn't read from the start, drop the first line (likely partial)
+  if (position > 0 && lines.length > 0) {
+    lines.shift();
+  }
+  const OMIT_KEYS = new Set(["level", "time", "msg", "pid", "hostname"]);
+  const entries = [];
+  for (const line of lines) {
     try {
-        stat = await fsp.stat(filePath);
-    }
-    catch {
-        return { entries: [], fileSize: 0 };
-    }
-    const fileSize = stat.size;
-    if (fileSize === 0) {
-        return { entries: [], fileSize: 0 };
-    }
-    const readSize = Math.min(fileSize, MAX_READ_BYTES);
-    const position = fileSize - readSize;
-    const buffer = Buffer.alloc(readSize);
-    const handle = await fsp.open(filePath, "r");
-    try {
-        await handle.read(buffer, 0, readSize, position);
-    }
-    finally {
-        await handle.close();
-    }
-    const text = buffer.toString("utf-8");
-    const lines = text.split("\n").filter((line) => line.trim().length > 0);
-    // If we didn't read from the start, drop the first line (likely partial)
-    if (position > 0 && lines.length > 0) {
-        lines.shift();
-    }
-    const OMIT_KEYS = new Set(["level", "time", "msg", "pid", "hostname"]);
-    const entries = [];
-    for (const line of lines) {
-        try {
-            const parsed = JSON.parse(line);
-            const level = parsed.level ?? 30;
-            if (minLevel != null && level < minLevel)
-                continue;
-            const extra = {};
-            for (const key of Object.keys(parsed)) {
-                if (!OMIT_KEYS.has(key)) {
-                    extra[key] = parsed[key];
-                }
-            }
-            const detail = Object.keys(extra).length > 0 ? JSON.stringify(extra) : undefined;
-            entries.push({
-                level,
-                time: parsed.time ?? 0,
-                msg: parsed.msg ?? "",
-                detail,
-            });
-        }
-        catch {
-            // skip malformed lines
+      const parsed = JSON.parse(line);
+      const level = parsed.level ?? 30;
+      if (minLevel != null && level < minLevel) continue;
+      const extra = {};
+      for (const key of Object.keys(parsed)) {
+        if (!OMIT_KEYS.has(key)) {
+          extra[key] = parsed[key];
         }
+      }
+      const detail =
+        Object.keys(extra).length > 0 ? JSON.stringify(extra) : undefined;
+      entries.push({
+        level,
+        time: parsed.time ?? 0,
+        msg: parsed.msg ?? "",
+        detail,
+      });
+    } catch {
+      // skip malformed lines
     }
-    return { entries: entries.slice(-lineCount), fileSize };
+  }
+  return { entries: entries.slice(-lineCount), fileSize };
 }

package/dist/migrationHelper.js

@@ -9,113 +9,121 @@ const execAsync = promisify(exec);
  * Uses `better-sqlite3` directly (synchronous, no Prisma dependency) for the version check.
  */
 export async function deployPrismaMigrations(options) {
-    const { packageDir, databasePath, expectedVersion, envOverrides } = options;
-    // Ensure database directory exists
-    const databaseDir = dirname(databasePath);
-    if (!existsSync(databaseDir)) {
-        mkdirSync(databaseDir, { recursive: true });
+  const { packageDir, databasePath, expectedVersion, envOverrides } = options;
+  // Ensure database directory exists
+  const databaseDir = dirname(databasePath);
+  if (!existsSync(databaseDir)) {
+    mkdirSync(databaseDir, { recursive: true });
+  }
+  let currentVersion;
+  // Check version if database file already exists
+  if (existsSync(databasePath)) {
+    const db = new Database(databasePath);
+    try {
+      const row = db
+        .prepare("SELECT version FROM schema_version WHERE id = 1")
+        .get();
+      currentVersion = row?.version;
+    } catch {
+      // "no such table" → treat as new DB, proceed with migration
     }
-    let currentVersion;
-    // Check version if database file already exists
-    if (existsSync(databasePath)) {
-        const db = new Database(databasePath);
-        try {
-            const row = db
-                .prepare("SELECT version FROM schema_version WHERE id = 1")
-                .get();
-            currentVersion = row?.version;
-        }
-        catch {
-            // "no such table" → treat as new DB, proceed with migration
-        }
-        // Switch from WAL to DELETE journal mode before closing. This merges any
-        // pending WAL data and removes the -wal/-shm files entirely. Without this,
-        // prisma migrate (a separate process) sees the leftover SHM file and fails
-        // with "database is locked".
-        try {
-            db.pragma("journal_mode=DELETE");
-        }
-        catch {
-            // Failed — another process may genuinely hold the lock
-        }
-        db.close();
-        if (currentVersion === expectedVersion) {
-            return; // Fast path — already at expected version
-        }
+    // Switch from WAL to DELETE journal mode before closing. This merges any
+    // pending WAL data and removes the -wal/-shm files entirely. Without this,
+    // prisma migrate (a separate process) sees the leftover SHM file and fails
+    // with "database is locked".
+    try {
+      db.pragma("journal_mode=DELETE");
+    } catch {
+      // Failed — another process may genuinely hold the lock
     }
-    // Log migration status
-    if (currentVersion !== undefined) {
-        if (currentVersion > expectedVersion) {
-            throw new Error(`Database version ${currentVersion} is newer than expected ${expectedVersion}. Manual intervention required.`);
-        }
-        console.log(`Migrating database from version ${currentVersion} to ${expectedVersion}...`);
+    db.close();
+    if (currentVersion === expectedVersion) {
+      return; // Fast path — already at expected version
     }
-    else {
-        console.log(`Creating new database with schema version ${expectedVersion}...`);
+  }
+  // Log migration status
+  if (currentVersion !== undefined) {
+    if (currentVersion > expectedVersion) {
+      throw new Error(
+        `Database version ${currentVersion} is newer than expected ${expectedVersion}. Manual intervention required.`,
+      );
     }
-    // Run prisma migrate deploy
-    const schemaPath = join(packageDir, "prisma", "schema.prisma");
-    const absoluteDbPath = resolve(databasePath).replace(/\\/g, "/");
-    let stdout;
-    let stderr;
-    try {
-        ({ stdout, stderr } = await execAsync(`npx prisma migrate deploy --schema="${schemaPath}"`, {
+    console.log(
+      `Migrating database from version ${currentVersion} to ${expectedVersion}...`,
+    );
+  } else {
+    console.log(
+      `Creating new database with schema version ${expectedVersion}...`,
+    );
+  }
+  // Run prisma migrate deploy
+  const schemaPath = join(packageDir, "prisma", "schema.prisma");
+  const absoluteDbPath = resolve(databasePath).replace(/\\/g, "/");
+  let stdout;
+  let stderr;
+  try {
+    ({ stdout, stderr } = await execAsync(
+      `npx prisma migrate deploy --schema="${schemaPath}"`,
+      {
+        cwd: packageDir,
+        env: {
+          ...process.env,
+          // Resolve to absolute so prisma.config.ts gets a correct path
+          // regardless of this subprocess's cwd (which is packageDir)
+          NAISYS_FOLDER: resolve(process.env.NAISYS_FOLDER || ""),
+          ...envOverrides,
+        },
+      },
+    ));
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    if (msg.includes("database is locked")) {
+      // Stale WAL/SHM files from a crashed process — remove and retry
+      const walPath = absoluteDbPath + "-wal";
+      const shmPath = absoluteDbPath + "-shm";
+      let removed = false;
+      for (const staleFile of [walPath, shmPath]) {
+        if (existsSync(staleFile)) {
+          console.log(`Removing stale file: ${staleFile}`);
+          unlinkSync(staleFile);
+          removed = true;
+        }
+      }
+      if (removed) {
+        console.log("Retrying migration after removing stale WAL files...");
+        ({ stdout, stderr } = await execAsync(
+          `npx prisma migrate deploy --schema="${schemaPath}"`,
+          {
             cwd: packageDir,
             env: {
-                ...process.env,
-                // Resolve to absolute so prisma.config.ts gets a correct path
-                // regardless of this subprocess's cwd (which is packageDir)
-                NAISYS_FOLDER: resolve(process.env.NAISYS_FOLDER || ""),
-                ...envOverrides,
+              ...process.env,
+              NAISYS_FOLDER: resolve(process.env.NAISYS_FOLDER || ""),
+              ...envOverrides,
             },
-        }));
-    }
-    catch (error) {
-        const msg = error instanceof Error ? error.message : String(error);
-        if (msg.includes("database is locked")) {
-            // Stale WAL/SHM files from a crashed process — remove and retry
-            const walPath = absoluteDbPath + "-wal";
-            const shmPath = absoluteDbPath + "-shm";
-            let removed = false;
-            for (const staleFile of [walPath, shmPath]) {
-                if (existsSync(staleFile)) {
-                    console.log(`Removing stale file: ${staleFile}`);
-                    unlinkSync(staleFile);
-                    removed = true;
-                }
-            }
-            if (removed) {
-                console.log("Retrying migration after removing stale WAL files...");
-                ({ stdout, stderr } = await execAsync(`npx prisma migrate deploy --schema="${schemaPath}"`, {
-                    cwd: packageDir,
-                    env: {
-                        ...process.env,
-                        NAISYS_FOLDER: resolve(process.env.NAISYS_FOLDER || ""),
-                        ...envOverrides,
-                    },
-                }));
-            }
-            else {
-                throw new Error(`Database is locked: ${absoluteDbPath}\n` +
-                    `Another process may be using the database.`);
-            }
-        }
-        else {
-            throw error;
-        }
-    }
-    if (stdout)
-        console.log(stdout);
-    if (stderr && !stderr.includes("Loaded Prisma config")) {
-        console.error(stderr);
-    }
-    // Upsert schema_version row via raw SQL
-    const db = new Database(absoluteDbPath);
-    try {
-        db.prepare("INSERT OR REPLACE INTO schema_version (id, version, updated) VALUES (1, ?, ?)").run(expectedVersion, new Date().toISOString());
-    }
-    finally {
-        db.close();
+          },
+        ));
+      } else {
+        throw new Error(
+          `Database is locked: ${absoluteDbPath}\n` +
+            `Another process may be using the database.`,
+        );
+      }
+    } else {
+      throw error;
     }
-    console.log("Database migration completed.");
+  }
+  if (stdout) console.log(stdout);
+  if (stderr && !stderr.includes("Loaded Prisma config")) {
+    console.error(stderr);
+  }
+  // Upsert schema_version row via raw SQL
+  const db = new Database(absoluteDbPath);
+  try {
+    db.prepare(
+      "INSERT OR REPLACE INTO schema_version (id, version, updated) VALUES (1, ?, ?)",
+    ).run(expectedVersion, new Date().toISOString());
+  } finally {
+    db.close();
+  }
+  console.log("Database migration completed.");
 }

package/dist/sessionCookie.js

@@ -1,10 +1,10 @@
 export const SESSION_COOKIE_NAME = "naisys_session";
 export function sessionCookieOptions(expiresAt) {
-    return {
-        path: "/",
-        httpOnly: true,
-        sameSite: "lax",
-        secure: process.env.NODE_ENV === "production",
-        maxAge: Math.floor((expiresAt.getTime() - Date.now()) / 1000),
-    };
+  return {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    maxAge: Math.floor((expiresAt.getTime() - Date.now()) / 1000),
+  };
 }

package/package.json

@@ -1,11 +1,13 @@
 {
   "name": "@naisys/common-node",
-  "version": "3.0.0-beta.4",
+  "version": "3.0.0-beta.5",
   "type": "module",
   "description": "[internal] Node-only utilities for NAISYS",
   "files": [
     "dist",
-    "!dist/**/*.map"
+    "!dist/**/*.map",
+    "!dist/**/*.d.ts",
+    "!dist/**/*.d.ts.map"
   ],
   "scripts": {
     "clean": "rimraf dist",
@@ -14,7 +16,7 @@
     "npm:publish": "npm publish --access public"
   },
   "dependencies": {
-    "@naisys/common": "3.0.0-beta.4",
+    "@naisys/common": "3.0.0-beta.5",
     "better-sqlite3": "^12.6.2",
     "js-yaml": "^4.1.1"
   },

package/dist/agentConfigLoader.d.ts

@@ -1,4 +0,0 @@
-import type { UserEntry } from "@naisys/common";
-/** Loads agent yaml configs from a file or directory path, returns a map of userId → UserEntry */
-export declare function loadAgentConfigs(startupPath: string): Map<number, UserEntry>;
-//# sourceMappingURL=agentConfigLoader.d.ts.map

package/dist/bearerToken.d.ts

@@ -1,6 +0,0 @@
-/**
- * Extract the API key from an Authorization: Bearer header value.
- * Returns undefined if the header is missing or not in Bearer format.
- */
-export declare function extractBearerToken(authHeader: string | undefined): string | undefined;
-//# sourceMappingURL=bearerToken.d.ts.map

package/dist/customModelsLoader.d.ts

@@ -1,4 +0,0 @@
-import { type CustomModelsFile } from "@naisys/common";
-export declare function loadCustomModels(folder: string): CustomModelsFile;
-export declare function saveCustomModels(data: CustomModelsFile): void;
-//# sourceMappingURL=customModelsLoader.d.ts.map

package/dist/expandEnv.d.ts

@@ -1,3 +0,0 @@
-/** Expand ~ to the user's home directory in NAISYS_FOLDER */
-export declare function expandNaisysFolder(): void;
-//# sourceMappingURL=expandEnv.d.ts.map

package/dist/hashToken.d.ts

@@ -1,3 +0,0 @@
-/** Hash a token (session cookie, API key) with SHA-256 for safe cache keys / DB lookup. */
-export declare function hashToken(token: string): string;
-//# sourceMappingURL=hashToken.d.ts.map

package/dist/hubCertVerification.d.ts

@@ -1,31 +0,0 @@
-import https from "https";
-/**
- * Read the hub access key from the local cert file at NAISYS_FOLDER/cert/hub-access-key.
- * Returns undefined if the file does not exist.
- */
-export declare function readHubAccessKeyFile(): string | undefined;
-/**
- * Resolve the hub access key from environment variable or local cert file.
- * Returns undefined if neither is available.
- */
-export declare function resolveHubAccessKey(): string | undefined;
-/** Parse a hub access key in format "<fingerprintPrefix>+<secret>" */
-export declare function parseHubAccessKey(accessKey: string): {
-    fingerprintPrefix: string;
-    secret: string;
-};
-/** Compute SHA-256 fingerprint of a DER-encoded certificate */
-export declare function computeCertFingerprint(derCert: Buffer): string;
-/**
- * Connect to a TLS server, verify that the certificate fingerprint matches
- * the expected prefix, and return the PEM-encoded certificate for use as a
- * trusted CA in subsequent connections.
- */
-export declare function verifyHubCertificate(host: string, port: number, fingerprintPrefix: string): Promise<string>;
-/**
- * Create an https.Agent that trusts only the given PEM certificate.
- * Used after verifyHubCertificate to pin all subsequent connections
- * to the same cert (no TOCTOU gap since Node's TLS layer enforces it).
- */
-export declare function createPinnedHttpsAgent(certPem: string): https.Agent;
-//# sourceMappingURL=hubCertVerification.d.ts.map

package/dist/index.d.ts

@@ -1,10 +0,0 @@
-export * from "./agentConfigLoader.js";
-export * from "./bearerToken.js";
-export * from "./expandEnv.js";
-export * from "./customModelsLoader.js";
-export * from "./hashToken.js";
-export * from "./hubCertVerification.js";
-export * from "./logFileService.js";
-export * from "./migrationHelper.js";
-export * from "./sessionCookie.js";
-//# sourceMappingURL=index.d.ts.map

package/dist/logFileService.d.ts

@@ -1,11 +0,0 @@
-export interface PinoLogEntry {
-    level: number;
-    time: number;
-    msg: string;
-    detail?: string;
-}
-export declare function tailLogFile(filePath: string, lineCount: number, minLevel?: number): Promise<{
-    entries: PinoLogEntry[];
-    fileSize: number;
-}>;
-//# sourceMappingURL=logFileService.d.ts.map

package/dist/migrationHelper.d.ts

@@ -1,15 +0,0 @@
-/**
- * Shared helper that runs `prisma migrate deploy` with a version-checked fast path.
- * Uses `better-sqlite3` directly (synchronous, no Prisma dependency) for the version check.
- */
-export declare function deployPrismaMigrations(options: {
-    /** Directory containing prisma.config.ts and prisma/ folder */
-    packageDir: string;
-    /** Absolute path to the .db file */
-    databasePath: string;
-    /** Skip migrations if DB already at this version */
-    expectedVersion: number;
-    /** Extra env vars forwarded to `prisma migrate deploy` */
-    envOverrides?: Record<string, string>;
-}): Promise<void>;
-//# sourceMappingURL=migrationHelper.d.ts.map

package/dist/sessionCookie.d.ts

@@ -1,9 +0,0 @@
-export declare const SESSION_COOKIE_NAME = "naisys_session";
-export declare function sessionCookieOptions(expiresAt: Date): {
-    path: string;
-    httpOnly: boolean;
-    sameSite: "lax";
-    secure: boolean;
-    maxAge: number;
-};
-//# sourceMappingURL=sessionCookie.d.ts.map