@oscharko-dev/keiko-memory-capture 0.2.0

package/dist/scope-inference.js

@@ -0,0 +1,45 @@
+// Scope inference for keiko-memory-capture. Fail-closed: when the requested scope kind requires
+// a coordinate (project/workspace/workflow) that is absent from the CaptureContext, the helper
+// returns `null` so the top-level capture function emits a `scope-not-resolvable` rejection
+// rather than silently downgrading to a less-specific scope (which would leak a project-scoped
+// memory into the user's global view).
+// When no explicit scopeKind is supplied, pick the most specific coordinate available on the
+// context. Precedence: project > workspace > workflow > user. This matches the user mental
+// model that captures made INSIDE a project are project-scoped by default.
+function pickImplicitScopeKind(context) {
+    if (context.projectId !== undefined) {
+        return "project";
+    }
+    if (context.workspaceId !== undefined) {
+        return "workspace";
+    }
+    if (context.workflowDefinitionId !== undefined) {
+        return "workflow";
+    }
+    return "user";
+}
+function resolveExplicitScope(kind, context, allowGlobal) {
+    if (kind === "global") {
+        return allowGlobal ? { kind: "global" } : null;
+    }
+    if (kind === "user") {
+        return { kind: "user", userId: context.userId };
+    }
+    if (kind === "project") {
+        return context.projectId === undefined
+            ? null
+            : { kind: "project", projectId: context.projectId };
+    }
+    if (kind === "workspace") {
+        return context.workspaceId === undefined
+            ? null
+            : { kind: "workspace", workspaceId: context.workspaceId };
+    }
+    return context.workflowDefinitionId === undefined
+        ? null
+        : { kind: "workflow", workflowDefinitionId: context.workflowDefinitionId };
+}
+export function inferScopeFromContext(context, options) {
+    const kind = options.scopeKind ?? pickImplicitScopeKind(context);
+    return resolveExplicitScope(kind, context, options.allowGlobalScope ?? false);
+}

package/dist/secret-patterns.d.ts

@@ -0,0 +1,3 @@
+import type { RejectionReason } from "./errors.js";
+export declare function scanForSecrets(value: string, customerIdentifierMatchers?: readonly RegExp[]): RejectionReason | null;
+//# sourceMappingURL=secret-patterns.d.ts.map

package/dist/secret-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-patterns.d.ts","sourceRoot":"","sources":["../src/secret-patterns.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAoGnD,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,EACb,0BAA0B,GAAE,SAAS,MAAM,EAAO,GACjD,eAAe,GAAG,IAAI,CAiBxB"}

package/dist/secret-patterns.js

@@ -0,0 +1,124 @@
+// Secret + private-data rejection scanner for keiko-memory-capture (Epic #204 child #207).
+//
+// This module is the WIDE secret-rejection net: it extends the narrow audit-summary heuristic
+// `looksLikeSecretShape` (keiko-contracts/memory-validation.ts) with patterns the capture layer
+// owns — opaque Bearer tokens, URL-embedded credentials, form-encoded password/secret/api_key/
+// token assignments, and well-known credential-store file paths. The wider net is appropriate
+// HERE (write-side gate, false positives reject a memory which the user can rephrase) but NOT
+// at audit-time (where a false positive would unnecessarily mask an audit summary).
+//
+// ReDoS safety: every pattern is a single linear character class with one bounded or open
+// quantifier — no nesting, no `(a+)+` style. Matches CodeQL js/polynomial-redos conventions
+// followed in keiko-security/redaction.ts.
+//
+// The return value is the typed RejectionReason class. The matched substring is intentionally
+// NOT returned: the rejection path itself must not leak the candidate's content (capture is the
+// PRIMARY secret-prevention boundary; even the rejection notice is a redaction-sensitive
+// surface). Callers render a generic "this looked like a credential" message keyed off the
+// reason class.
+// ─── Credential-shape patterns (extends looksLikeSecretShape) ────────────────
+const CREDENTIAL_SHAPE_PATTERNS = [
+    // Parity with looksLikeSecretShape: sk-, AKIA, gh[pousr]_, xox[abporsu]-, JWT, PEM, digit runs.
+    /\bsk-[A-Za-z0-9_-]{20,}\b/,
+    /\bAKIA[0-9A-Z]{16}\b/,
+    /\bgh[pousr]_[A-Za-z0-9]{36,}\b/,
+    /\bxox[abporsu]-[A-Za-z0-9-]{10,}\b/,
+    /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/,
+    /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
+    /\b\d{13,19}\b/,
+    // Capture-layer extensions:
+    // Opaque Bearer tokens (any non-whitespace token after "Bearer "). looksLikeSecretShape
+    // intentionally skips this because audit summaries may legitimately mention the word "Bearer"
+    // with a placeholder; capture is stricter because a real Bearer in a memory body is almost
+    // never legitimate.
+    /\bBearer\s+[A-Za-z0-9._~+/=-]+/i,
+    // URL-embedded basic-auth credentials.
+    /\bhttps?:\/\/[^\s/:@]+:[^\s/:@]+@/i,
+    // Form-encoded credential assignments. Each is a single non-nested capture; the value run
+    // stops at whitespace or common delimiters so the quantifier can't backtrack.
+    /\bpassword\s*[=:]\s*[^\s,;"'`&]+/i,
+    /\bsecret\s*[=:]\s*[^\s,;"'`&]+/i,
+    /\bapi[_-]?key\s*[=:]\s*[^\s,;"'`&]+/i,
+    /\btoken\s*[=:]\s*[^\s,;"'`&]+/i,
+];
+// ─── Credential-store file paths ─────────────────────────────────────────────
+// Conservative, case-insensitive, anchored on the credential-store basename (after the last
+// slash). A bare mention of a path like `~/.ssh/id_rsa` or `.env.production` is a strong signal
+// the user is pasting an artefact they shouldn't be memorising.
+const CREDENTIAL_PATH_PATTERNS = [
+    // SSH private keys: id_rsa, id_ed25519, id_ecdsa, id_dsa, id_<custom>. Match any path segment.
+    /\.ssh\/id_[A-Za-z0-9_-]+/i,
+    // AWS credentials file.
+    /\.aws\/credentials\b/i,
+    // npm rc (auth tokens), gcloud credentials, k8s configs, common dotfile credential stores.
+    /(^|[\s/])\.npmrc\b/i,
+    // .env and .env.<environment>.
+    /(^|[\s/])\.env(\.[A-Za-z0-9_-]+)?\b/i,
+];
+const URL_CANDIDATE_RE = /\bhttps?:\/\/[^\s"'`<>]+/gi;
+const PROVIDER_CONTEXT_RE = /\b(provider|gateway|base\s+url|base-url|api\s+endpoint|endpoint|openai-compatible)\b/i;
+const ISO_LOG_TIMESTAMP_RE = /\b\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?Z\b/;
+const LOG_SEVERITY_RE = /\b(trace|debug|info|warn(?:ing)?|error|fatal)\b/i;
+const STACK_TRACE_MARKER_RE = /\b(stack trace|traceback|exception stack)\b/i;
+const STACK_FRAME_RE = /\bat\s+[A-Za-z_$][\w.$<>]*(?:\s+\[[^\]]+\])?\([^)\n]*\)/g;
+function matchesAny(value, patterns) {
+    for (const pattern of patterns) {
+        if (pattern.test(value)) {
+            return true;
+        }
+    }
+    return false;
+}
+function looksLikeProviderBaseUrl(value) {
+    for (const match of value.matchAll(URL_CANDIDATE_RE)) {
+        const raw = match[0];
+        const index = match.index;
+        let parsed;
+        try {
+            parsed = new URL(raw);
+        }
+        catch {
+            continue;
+        }
+        if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+            continue;
+        }
+        const normalizedPath = parsed.pathname.replace(/\/+$/u, "");
+        const hasOpenAiBasePath = normalizedPath === "/v1" ||
+            normalizedPath === "/openai/v1" ||
+            normalizedPath.endsWith("/openai/v1");
+        const snippet = value.slice(Math.max(0, index - 48), Math.min(value.length, index + raw.length + 24));
+        if (PROVIDER_CONTEXT_RE.test(snippet) || hasOpenAiBasePath) {
+            return true;
+        }
+    }
+    return false;
+}
+function looksLikeRawLog(value) {
+    const stackFrameCount = value.match(STACK_FRAME_RE)?.length ?? 0;
+    const hasSeverityWithTimestamp = LOG_SEVERITY_RE.test(value) && ISO_LOG_TIMESTAMP_RE.test(value);
+    const hasExplicitStackTrace = STACK_TRACE_MARKER_RE.test(value) && stackFrameCount >= 1;
+    return hasSeverityWithTimestamp || hasExplicitStackTrace || stackFrameCount >= 2;
+}
+// Returns the typed rejection class if `value` looks like a secret, credential-store path, or
+// customer-identifier match — otherwise `null`. The scan is total: it runs every pattern class
+// in a fixed precedence (credential-shape > credential-path > customer-identifier) so two
+// patterns firing on the same string produce a deterministic reason class.
+export function scanForSecrets(value, customerIdentifierMatchers = []) {
+    if (matchesAny(value, CREDENTIAL_SHAPE_PATTERNS)) {
+        return "credential-shape";
+    }
+    if (matchesAny(value, CREDENTIAL_PATH_PATTERNS)) {
+        return "private-credential-path";
+    }
+    if (looksLikeProviderBaseUrl(value)) {
+        return "provider-base-url";
+    }
+    if (looksLikeRawLog(value)) {
+        return "raw-log-content";
+    }
+    if (matchesAny(value, customerIdentifierMatchers)) {
+        return "customer-identifier";
+    }
+    return null;
+}

package/dist/types.d.ts

@@ -0,0 +1,61 @@
+import type { ConversationId, MemoryForget, MemoryId, MemoryProposal, MemoryProposalId, MemoryScope, MemoryScopeKind, MemorySensitivity, MemorySupersession, MemoryUpdate, ProjectId, UserId, WorkflowDefinitionId, WorkflowRunId, WorkspaceId } from "@oscharko-dev/keiko-contracts/memory";
+import type { RejectionReason } from "./errors.js";
+export interface CaptureContext {
+    readonly userId: UserId;
+    readonly workspaceId?: WorkspaceId;
+    readonly projectId?: ProjectId;
+    readonly workflowDefinitionId?: WorkflowDefinitionId;
+    readonly sourceWorkflowRunId?: WorkflowRunId;
+    readonly conversationId?: ConversationId;
+    readonly nowMs: number;
+    readonly newMemoryId: () => MemoryId;
+    readonly newProposalId: () => MemoryProposalId;
+}
+export type CaptureMemoryResolver = (target: string, scope: MemoryScope) => readonly MemoryId[];
+export interface CapturePolicyOptions {
+    readonly customerIdentifierMatchers?: readonly RegExp[];
+    readonly defaultSensitivity?: MemorySensitivity;
+    readonly resolver?: CaptureMemoryResolver;
+    readonly allowGlobalScope?: boolean;
+    readonly scopeKind?: MemoryScopeKind;
+    readonly maxBodyChars?: number;
+}
+export interface WorkflowOutcomeInput {
+    readonly runId: WorkflowRunId;
+    readonly outcomeKind: "success" | "corrected" | "failed";
+    readonly structuredReport: string;
+    readonly capturedAt: number;
+}
+export type CaptureOutcome = {
+    readonly kind: "candidate";
+    readonly proposal: MemoryProposal;
+    readonly requiresApproval: boolean;
+} | {
+    readonly kind: "update";
+    readonly operation: MemoryUpdate;
+} | {
+    readonly kind: "forget";
+    readonly operation: MemoryForget;
+    readonly requiresConfirmation: boolean;
+} | {
+    readonly kind: "supersession";
+    readonly operation: MemorySupersession;
+} | {
+    readonly kind: "rejected";
+    readonly reason: RejectionReason;
+};
+export type MemoryScopeKindHint = Extract<MemoryScopeKind, "user" | "project" | "workspace">;
+export interface SalienceInput {
+    readonly userText: string;
+    readonly assistantText?: string;
+    readonly existingBodies: readonly string[];
+    readonly context: CaptureContext;
+    readonly policy?: CapturePolicyOptions;
+}
+export interface SalienceDeps {
+    readonly callModel: (system: string, user: string) => Promise<string>;
+    readonly now: () => number;
+    readonly newMemoryId: () => MemoryId;
+    readonly newProposalId: () => MemoryProposalId;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,cAAc,EACd,YAAY,EACZ,QAAQ,EACR,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,eAAe,EACf,iBAAiB,EACjB,kBAAkB,EAClB,YAAY,EACZ,SAAS,EACT,MAAM,EACN,oBAAoB,EACpB,aAAa,EACb,WAAW,EACZ,MAAM,sCAAsC,CAAC;AAE9C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAOnD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,WAAW,CAAC;IACnC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IACrD,QAAQ,CAAC,mBAAmB,CAAC,EAAE,aAAa,CAAC;IAC7C,QAAQ,CAAC,cAAc,CAAC,EAAE,cAAc,CAAC;IAGzC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IAEvB,QAAQ,CAAC,WAAW,EAAE,MAAM,QAAQ,CAAC;IACrC,QAAQ,CAAC,aAAa,EAAE,MAAM,gBAAgB,CAAC;CAChD;AASD,MAAM,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,KAAK,SAAS,QAAQ,EAAE,CAAC;AAGhG,MAAM,WAAW,oBAAoB;IAInC,QAAQ,CAAC,0BAA0B,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAGxD,QAAQ,CAAC,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;IAIhD,QAAQ,CAAC,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IAG1C,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAGpC,QAAQ,CAAC,SAAS,CAAC,EAAE,eAAe,CAAC;IAGrC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAMD,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,SAAS,GAAG,WAAW,GAAG,QAAQ,CAAC;IACzD,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAKD,MAAM,MAAM,cAAc,GACtB;IACE,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;CACpC,GACD;IAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IAAC,QAAQ,CAAC,SAAS,EAAE,YAAY,CAAA;CAAE,GAC7D;IACE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,YAAY,CAAC;IACjC,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;CACxC,GACD;IAAE,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAAC,QAAQ,CAAC,SAAS,EAAE,kBAAkB,CAAA;CAAE,GACzE;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAA;CAAE,CAAC;AAMpE,MAAM,MAAM,mBAAmB,GAAG,OAAO,CAAC,eAAe,EAAE,MAAM,GAAG,SAAS,GAAG,WAAW,CAAC,CAAC;AAK7F,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE,oBAAoB,CAAC;CACxC;AAKD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,SAAS,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACtE,QAAQ,CAAC,GAAG,EAAE,MAAM,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,QAAQ,CAAC;IACrC,QAAQ,CAAC,aAAa,EAAE,MAAM,gBAAgB,CAAC;CAChD"}

package/dist/types.js

@@ -0,0 +1,6 @@
+// Public types for keiko-memory-capture (Epic #204 child #207).
+//
+// Capture is purely deterministic: the caller injects clock (`nowMs`) and id factories (`newId`,
+// `newProposalId`) via `CaptureContext`, so the same input + context produces a byte-identical
+// outcome. This keeps the evaluation harness (#215) and audit ledger (#214) reproducible.
+export {};

package/dist/version.d.ts

@@ -0,0 +1,2 @@
+export declare const KEIKO_MEMORY_CAPTURE_VERSION: "0.1.0";
+//# sourceMappingURL=version.d.ts.map

package/dist/version.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,4BAA4B,EAAG,OAAgB,CAAC"}

package/dist/version.js

@@ -0,0 +1 @@
+export const KEIKO_MEMORY_CAPTURE_VERSION = "0.1.0";

package/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "@oscharko-dev/keiko-memory-capture",
+  "version": "0.2.0",
+  "type": "module",
+  "license": "Apache-2.0",
+  "description": "MemoriaViva — Internal memory-capture package: governed capture policy gate that turns raw user text and reviewed workflow outcomes into MemoryProposal / MemoryUpdate / MemoryForget / MemorySupersession envelopes. PRIMARY secret-prevention boundary (defence-in-depth on top of looksLikeSecretShape in keiko-contracts). Pure functions only; no IO, no clock, no randomness (caller supplies nowMs and newId via CaptureContext). ADR-0019 direction rule 3g (capture may depend only on keiko-contracts and keiko-security). Not published independently.",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc -b tsconfig.json",
+    "typecheck": "tsc -b tsconfig.json",
+    "test": "vitest run"
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "engines": {
+    "node": ">=22"
+  },
+  "dependencies": {
+    "@oscharko-dev/keiko-contracts": "0.2.0",
+    "@oscharko-dev/keiko-security": "0.2.0"
+  }
+}