@oscharko-dev/keiko-server 0.2.0

package/dist/promptEnhancer/routes.d.ts

@@ -0,0 +1,9 @@
+import type { RouteContext, RouteResult } from "../routes.js";
+import type { UiHandlerDeps } from "../deps.js";
+/**
+ * POST /api/prompt-enhancement — generate a governed, reviewable Enhanced Prompt from a raw draft.
+ * Validation, Model-Gateway routing (AC3), cancellation, and safe error shaping are all handled here.
+ */
+export declare const handlePromptEnhancement: (ctx: RouteContext, deps: UiHandlerDeps) => Promise<RouteResult>;
+export declare const handlePromptEnhancementEvidence: (ctx: RouteContext, deps: UiHandlerDeps) => RouteResult;
+//# sourceMappingURL=routes.d.ts.map

package/dist/promptEnhancer/routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/promptEnhancer/routes.ts"],"names":[],"mappings":"AAsBA,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AA+JhD;;;GAGG;AACH,eAAO,MAAM,uBAAuB,GAClC,KAAK,YAAY,EACjB,MAAM,aAAa,KAClB,OAAO,CAAC,WAAW,CAwCrB,CAAC;AAEF,eAAO,MAAM,+BAA+B,GAC1C,KAAK,YAAY,EACjB,MAAM,aAAa,KAClB,WA0BF,CAAC"}

package/dist/promptEnhancer/routes.js

@@ -0,0 +1,205 @@
+// Prompt Enhancer BFF route (Epic #1307, Issue #1314; ADR-0044 §1 "BFF /api/prompt-enhancer/* routes").
+//
+// A single additive POST handler under `/api/prompt-enhancement`. It composes the existing route
+// plumbing (RouteContext / UiHandlerDeps / errorBody) exactly like `qualityIntelligence/connectorRoutes`
+// and does not modify any sibling handler. The deterministic enhancement is assembled by
+// `runPromptEnhancement` (orchestrate.ts); this file owns only the HTTP envelope: bounded body read,
+// JSON parsing, wire validation, cancellation, Model-Gateway config hand-off, redaction, and safe error
+// shaping. No provider SDK import, no outbound network request, no model dispatch.
+import { validatePromptEnhancementWireRequest } from "@oscharko-dev/keiko-contracts";
+import { EvidenceReadError, EvidenceWriteError, InvalidRunIdError, loadPromptEnhancementRun, recordPromptEnhancementRun, } from "@oscharko-dev/keiko-evidence";
+import { errorBody } from "../routes.js";
+import { currentEvidenceRequiresFullStringRedaction, currentEvidenceTopologyRedactionSecrets, currentGatewayConfig, } from "../deps.js";
+import { PromptEnhancementCancelledError, PromptEnhancementInputError, buildPromptEnhancementRecordInput, promptEnhancementGatewayRoutingConfig, runPromptEnhancement, } from "./orchestrate.js";
+// A generous-but-bounded cap. A maximal valid request (a 100k-character draft, fully \uXXXX-escaped in
+// JSON, plus the small metadata fields) stays well under this ceiling; anything larger is rejected with
+// a 413 before parsing so a hostile upload cannot exhaust memory.
+const MAX_BODY_BYTES = 1_048_576;
+class BodyTooLargeError extends Error {
+    constructor() {
+        super("Request body exceeds prompt-enhancement route cap");
+        this.name = "BodyTooLargeError";
+    }
+}
+const readBody = (req) => new Promise((resolve, reject) => {
+    const chunks = [];
+    let total = 0;
+    let capped = false;
+    req.on("data", (chunk) => {
+        total += chunk.length;
+        if (total > MAX_BODY_BYTES) {
+            if (!capped) {
+                capped = true;
+                chunks.length = 0;
+                reject(new BodyTooLargeError());
+                req.resume();
+            }
+            return;
+        }
+        chunks.push(chunk);
+    });
+    req.on("end", () => {
+        if (!capped)
+            resolve(Buffer.concat(chunks).toString("utf8"));
+    });
+    req.on("error", reject);
+});
+const isPlainObject = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+const invalidRequest = (details) => ({
+    status: 400,
+    body: {
+        ...errorBody("PROMPT_ENHANCER_INVALID_REQUEST", "The prompt enhancement request was invalid."),
+        details,
+    },
+});
+// Bind an AbortSignal to client disconnect. The res "close" event is the canonical "client gone" signal
+// (the req "aborted" event is deprecated and fires unreliably since Node 17), mirroring grounded-qa.
+const requestAbortSignal = (ctx) => {
+    const controller = new AbortController();
+    ctx.res.on("close", () => {
+        if (!ctx.res.writableEnded && !controller.signal.aborted) {
+            controller.abort("prompt enhancement request cancelled");
+        }
+    });
+    return controller.signal;
+};
+const cancelledResult = () => ({
+    status: 499,
+    body: errorBody("PROMPT_ENHANCER_CANCELLED", "The prompt enhancement request was cancelled."),
+});
+const notRecordedEvidence = () => ({
+    status: "not-recorded",
+    reason: "evidence-store-not-configured",
+});
+const peEvidenceUrl = (runId) => `/api/prompt-enhancement/evidence/${encodeURIComponent(runId)}`;
+function recordEvidenceReference(rawInput, result, deps) {
+    if (deps.evidenceDir === undefined) {
+        return notRecordedEvidence();
+    }
+    const record = buildPromptEnhancementRecordInput({
+        rawInput,
+        result,
+        recordedAt: new Date().toISOString(),
+    });
+    const { manifest } = recordPromptEnhancementRun(record, {
+        evidenceDir: deps.evidenceDir,
+        redaction: {
+            additionalSecrets: currentEvidenceTopologyRedactionSecrets(deps),
+            redactAllStrings: currentEvidenceRequiresFullStringRedaction(deps),
+        },
+    });
+    return {
+        status: "recorded",
+        reason: "evidence-recorded",
+        runId: manifest.runId,
+        manifestUrl: peEvidenceUrl(manifest.runId),
+        peEvidenceSchemaVersion: manifest.peEvidenceSchemaVersion,
+        recordIntegritySha256: manifest.integrityHashes.record,
+    };
+}
+async function readPromptEnhancementRequest(ctx, signal) {
+    let raw;
+    try {
+        raw = await readBody(ctx.req);
+    }
+    catch (error) {
+        if (error instanceof BodyTooLargeError) {
+            return {
+                ok: false,
+                result: {
+                    status: 413,
+                    body: errorBody("PROMPT_ENHANCER_PAYLOAD_TOO_LARGE", "The request body is too large."),
+                },
+            };
+        }
+        return { ok: false, result: invalidRequest(["request body could not be read"]) };
+    }
+    if (signal.aborted)
+        return { ok: false, result: cancelledResult() };
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return { ok: false, result: invalidRequest(["request body is not valid JSON"]) };
+    }
+    if (!isPlainObject(parsed)) {
+        return { ok: false, result: invalidRequest(["request body must be a JSON object"]) };
+    }
+    const validated = validatePromptEnhancementWireRequest(parsed);
+    if (!validated.ok) {
+        return { ok: false, result: invalidRequest(validated.errors) };
+    }
+    return { ok: true, value: validated.value };
+}
+/**
+ * POST /api/prompt-enhancement — generate a governed, reviewable Enhanced Prompt from a raw draft.
+ * Validation, Model-Gateway routing (AC3), cancellation, and safe error shaping are all handled here.
+ */
+export const handlePromptEnhancement = async (ctx, deps) => {
+    const signal = requestAbortSignal(ctx);
+    const validated = await readPromptEnhancementRequest(ctx, signal);
+    if (!validated.ok)
+        return validated.result;
+    try {
+        const result = runPromptEnhancement(validated.value, {
+            gatewayRoutingConfig: promptEnhancementGatewayRoutingConfig(currentGatewayConfig(deps)),
+            signal,
+        });
+        const body = {
+            ...result,
+            evidence: recordEvidenceReference(validated.value.text, result, deps),
+        };
+        // AC4 defence-in-depth: deep-redact every string leaf of the response through the live audit
+        // redactor before it leaves the server, so any secret-shaped substring a user pasted into their own
+        // draft is scrubbed from the echoed input / rendered prompt. Scores, ids, and enums are untouched.
+        return { status: 200, body: deps.redactor(body) };
+    }
+    catch (error) {
+        if (error instanceof PromptEnhancementCancelledError) {
+            return cancelledResult();
+        }
+        if (error instanceof PromptEnhancementInputError) {
+            return invalidRequest(error.errors);
+        }
+        if (error instanceof EvidenceWriteError) {
+            return {
+                status: 500,
+                body: errorBody("PROMPT_ENHANCER_EVIDENCE_WRITE", "Prompt enhancement evidence could not be recorded."),
+            };
+        }
+        // Unknown failure: a safe, content-free 500 (no raw input, stack, or provider detail).
+        return {
+            status: 500,
+            body: errorBody("PROMPT_ENHANCER_INTERNAL", "Prompt enhancement failed unexpectedly."),
+        };
+    }
+};
+export const handlePromptEnhancementEvidence = (ctx, deps) => {
+    const runId = ctx.params.runId ?? "";
+    if (deps.evidenceDir === undefined) {
+        return {
+            status: 404,
+            body: errorBody("NOT_FOUND", "No prompt enhancement evidence store is configured."),
+        };
+    }
+    try {
+        const manifest = loadPromptEnhancementRun(runId, { evidenceDir: deps.evidenceDir });
+        if (manifest === undefined) {
+            return {
+                status: 404,
+                body: errorBody("NOT_FOUND", "No prompt enhancement evidence for that run id."),
+            };
+        }
+        return { status: 200, body: { manifest } };
+    }
+    catch (error) {
+        if (error instanceof InvalidRunIdError) {
+            return { status: 400, body: errorBody("BAD_REQUEST", "The run id is not valid.") };
+        }
+        if (error instanceof EvidenceReadError) {
+            return { status: 422, body: errorBody("PROMPT_ENHANCER_EVIDENCE_READ", error.message) };
+        }
+        throw error;
+    }
+};

package/dist/qualityIntelligence/capsuleAdapter.d.ts

@@ -0,0 +1,27 @@
+import type { UiHandlerDeps } from "../deps.js";
+/** One indexed document's id + full normalized text, read through the LK QI handoff seam. */
+export interface CapsuleDocumentText {
+    readonly documentId: string;
+    readonly text: string;
+}
+/**
+ * Resolves the full corpus text for a connected Local Knowledge connector. `capsule` reads a single
+ * capsule; `capsuleSet` fans out over a capsule-set's members. Both share one lazily-opened store
+ * handle and return `[]` on any failure (unknown id, store-open error) so the ingestion layer maps
+ * the empty result to a coded, user-actionable QI_CAPSULE_UNAVAILABLE error.
+ *
+ * `close` releases the underlying SQLite handle; must be called once per resolver lifetime (e.g. in
+ * the finally block of executeQiRun) to prevent a handle leak per QI run.
+ */
+export interface CapsuleResolver {
+    readonly capsule: (capsuleId: string) => readonly CapsuleDocumentText[];
+    readonly capsuleSet: (capsuleSetId: string) => readonly CapsuleDocumentText[];
+    readonly close: () => void;
+}
+/**
+ * Builds a CapsuleResolver that opens the LK store ONCE (per resolver) and returns the full corpus
+ * text for any capsule or capsule-set. Returns `undefined` when `deps.uiDbPath` is not set.
+ * Store-open errors produce a resolver whose methods always return `[]`.
+ */
+export declare function makeCapsuleResolver(deps: UiHandlerDeps): CapsuleResolver | undefined;
+//# sourceMappingURL=capsuleAdapter.d.ts.map

package/dist/qualityIntelligence/capsuleAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capsuleAdapter.d.ts","sourceRoot":"","sources":["../../src/qualityIntelligence/capsuleAdapter.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAGhD,6FAA6F;AAC7F,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,OAAO,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,SAAS,mBAAmB,EAAE,CAAC;IACxE,QAAQ,CAAC,UAAU,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,SAAS,mBAAmB,EAAE,CAAC;IAC9E,QAAQ,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC;CAC5B;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,aAAa,GAAG,eAAe,GAAG,SAAS,CA6CpF"}

package/dist/qualityIntelligence/capsuleAdapter.js

@@ -0,0 +1,57 @@
+// capsuleAdapter.ts — capsule-corpus resolver seam for QI ingestion (Epic #710, Issue #717).
+//
+// Opens the Local Knowledge store lazily on the first call (once per resolver lifetime),
+// then reads the full document corpus for any capsule OR capsule-set via the approved
+// keiko-local-knowledge QI handoff seam. Store-open failures are handled by returning an empty
+// array — the caller maps that to QI_CAPSULE_UNAVAILABLE. When uiDbPath is not set the resolver
+// cannot be built (returns undefined); the ingestion layer then rejects capsule sources with
+// QI_CAPSULE_UNAVAILABLE.
+import { dirname } from "node:path";
+import { openKnowledgeStore, resolveKnowledgeStorePath, QualityIntelligenceHandoff, } from "@oscharko-dev/keiko-local-knowledge";
+import { localKnowledgeProtectionOptions } from "../localKnowledgeKeyProvider.js";
+/**
+ * Builds a CapsuleResolver that opens the LK store ONCE (per resolver) and returns the full corpus
+ * text for any capsule or capsule-set. Returns `undefined` when `deps.uiDbPath` is not set.
+ * Store-open errors produce a resolver whose methods always return `[]`.
+ */
+export function makeCapsuleResolver(deps) {
+    const uiDbPath = deps.uiDbPath;
+    if (uiDbPath === undefined || uiDbPath.length === 0)
+        return undefined;
+    const dbPath = resolveKnowledgeStorePath({ runtimeStateDir: dirname(uiDbPath) });
+    const protection = localKnowledgeProtectionOptions(deps.localKnowledgeKeyProvider);
+    let store = null;
+    let openFailed = false;
+    const ensureStore = () => {
+        if (openFailed)
+            return null;
+        if (store !== null)
+            return store;
+        try {
+            store = openKnowledgeStore(protection === undefined ? { dbPath } : { dbPath, protection });
+            return store;
+        }
+        catch {
+            openFailed = true;
+            return null;
+        }
+    };
+    const read = (id, reader) => {
+        const s = ensureStore();
+        if (s === null)
+            return [];
+        try {
+            return reader(s, id);
+        }
+        catch {
+            return [];
+        }
+    };
+    return {
+        capsule: (capsuleId) => read(capsuleId, QualityIntelligenceHandoff.listCapsuleDocumentTexts),
+        capsuleSet: (capsuleSetId) => read(capsuleSetId, QualityIntelligenceHandoff.listCapsuleSetDocumentTexts),
+        close: () => {
+            store?.close();
+        },
+    };
+}

package/dist/qualityIntelligence/connectorAuthorization.d.ts

@@ -0,0 +1,22 @@
+export interface QiConnectorConfig {
+    readonly figma_connector_authorized?: unknown;
+    readonly jira_connector_authorized?: unknown;
+}
+export interface QiConnectorCapabilities {
+    readonly figma: boolean;
+    readonly jira: boolean;
+}
+/**
+ * True only when `config.figma_connector_authorized === true`. Pure.
+ */
+export declare const isFigmaConnectorAuthorized: (config: QiConnectorConfig | undefined) => boolean;
+/**
+ * True only when `config.jira_connector_authorized === true`. Pure.
+ */
+export declare const isJiraConnectorAuthorized: (config: QiConnectorConfig | undefined) => boolean;
+/**
+ * Capabilities summary suitable for the `/api/quality-intelligence/sources/capabilities`
+ * route. Carries booleans only — NEVER credentials, endpoint URLs, or raw config values.
+ */
+export declare const summariseQiConnectorCapabilities: (config: QiConnectorConfig | undefined) => QiConnectorCapabilities;
+//# sourceMappingURL=connectorAuthorization.d.ts.map

package/dist/qualityIntelligence/connectorAuthorization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connectorAuthorization.d.ts","sourceRoot":"","sources":["../../src/qualityIntelligence/connectorAuthorization.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IAC9C,QAAQ,CAAC,yBAAyB,CAAC,EAAE,OAAO,CAAC;CAC9C;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;CACxB;AAID;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,QAAQ,iBAAiB,GAAG,SAAS,KAAG,OAGlF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,yBAAyB,GAAI,QAAQ,iBAAiB,GAAG,SAAS,KAAG,OAGjF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,gCAAgC,GAC3C,QAAQ,iBAAiB,GAAG,SAAS,KACpC,uBAGD,CAAC"}

package/dist/qualityIntelligence/connectorAuthorization.js

@@ -0,0 +1,35 @@
+// Quality Intelligence connector authorisation (Epic #270, Issue #278).
+//
+// Typed authorisation predicates for the QI dry-run connector routes. Every
+// authorisation DEFAULTS TO FALSE; only flips on an explicit boolean `true` config flag.
+// No reflection, no string coercion — the boolean must be a real `true`.
+//
+// The config object passed to these predicates is intentionally a structural Record
+// that the BFF resolver hydrates from the gateway-config storage layer (issue #279 will
+// formalise this; today it is read off `env` until the gateway exposes it). The
+// predicates themselves are pure — they do no IO and cannot construct credentials.
+const isExplicitTrue = (value) => value === true;
+/**
+ * True only when `config.figma_connector_authorized === true`. Pure.
+ */
+export const isFigmaConnectorAuthorized = (config) => {
+    if (config === undefined)
+        return false;
+    return isExplicitTrue(config.figma_connector_authorized);
+};
+/**
+ * True only when `config.jira_connector_authorized === true`. Pure.
+ */
+export const isJiraConnectorAuthorized = (config) => {
+    if (config === undefined)
+        return false;
+    return isExplicitTrue(config.jira_connector_authorized);
+};
+/**
+ * Capabilities summary suitable for the `/api/quality-intelligence/sources/capabilities`
+ * route. Carries booleans only — NEVER credentials, endpoint URLs, or raw config values.
+ */
+export const summariseQiConnectorCapabilities = (config) => ({
+    figma: isFigmaConnectorAuthorized(config),
+    jira: isJiraConnectorAuthorized(config),
+});

package/dist/qualityIntelligence/connectorErrors.d.ts

@@ -0,0 +1,16 @@
+export type QiConnectorErrorCode = "QI_BAD_REQUEST" | "QI_CONNECTOR_DISABLED" | "QI_FORBIDDEN_PAYLOAD" | "QI_INVALID_ENVELOPE_SELECTION" | "QI_INTERNAL";
+export interface QiConnectorErrorBody {
+    readonly error: {
+        readonly code: QiConnectorErrorCode;
+        readonly message: string;
+    };
+}
+export declare const qiConnectorErrorBody: (code: QiConnectorErrorCode) => QiConnectorErrorBody;
+export declare const containsForbiddenSecretShape: (value: string) => boolean;
+/**
+ * Scan a plain-object payload's string values (one level deep) for credential-shaped
+ * substrings. Returns true if any value matches. Used by the dry-run routes BEFORE the
+ * payload is even processed so a leaky client gets a 400 with a generic message.
+ */
+export declare const payloadContainsForbiddenSecretShape: (payload: Readonly<Record<string, unknown>>) => boolean;
+//# sourceMappingURL=connectorErrors.d.ts.map

package/dist/qualityIntelligence/connectorErrors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connectorErrors.d.ts","sourceRoot":"","sources":["../../src/qualityIntelligence/connectorErrors.ts"],"names":[],"mappings":"AASA,MAAM,MAAM,oBAAoB,GAC5B,gBAAgB,GAChB,uBAAuB,GACvB,sBAAsB,GACtB,+BAA+B,GAC/B,aAAa,CAAC;AAElB,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,KAAK,EAAE;QAAE,QAAQ,CAAC,IAAI,EAAE,oBAAoB,CAAC;QAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CACnF;AAYD,eAAO,MAAM,oBAAoB,GAAI,MAAM,oBAAoB,KAAG,oBAEhE,CAAC;AAqBH,eAAO,MAAM,4BAA4B,GAAI,OAAO,MAAM,KAAG,OAM5D,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,mCAAmC,GAC9C,SAAS,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,KACzC,OAKF,CAAC"}

package/dist/qualityIntelligence/connectorErrors.js

@@ -0,0 +1,56 @@
+// Quality Intelligence connector error shapes (Epic #270, Issue #278).
+//
+// Safe error JSON for the QI connector routes. Bodies NEVER carry credentials, raw
+// payloads, endpoint URLs, header values, or anything that could be mistaken for a
+// secret. Every error message is a fixed string keyed by a stable code.
+//
+// The shape matches the existing BFF `ApiError` envelope (`{ error: { code, message } }`)
+// so the gateway/router serialises it consistently with the other route groups.
+const SAFE_MESSAGES = {
+    QI_BAD_REQUEST: "The request body is not a valid Quality Intelligence connector payload.",
+    QI_CONNECTOR_DISABLED: "The requested connector is disabled. Enable it explicitly in the gateway configuration to send a dry-run.",
+    QI_FORBIDDEN_PAYLOAD: "The request body contained a forbidden field. Connector payloads may not carry credentials, headers, or URLs.",
+    QI_INVALID_ENVELOPE_SELECTION: "One or more selected envelope ids are not well-formed.",
+    QI_INTERNAL: "The Quality Intelligence connector route could not service the request.",
+};
+export const qiConnectorErrorBody = (code) => ({
+    error: { code, message: SAFE_MESSAGES[code] },
+});
+/**
+ * Defence-in-depth scrub: detect substrings that would indicate the caller is trying to
+ * smuggle credentials or a header pair through a connector payload. Pure, no IO.
+ *
+ * Comparison is case-insensitive so that variants like "BEARER ", "API_KEY", or
+ * "AUTHORIZATION:" are detected regardless of casing (prior case-variant list was
+ * incomplete and bypassed by non-listed casings — Issue #281).
+ */
+const FORBIDDEN_SUBSTRINGS = [
+    "authorization:",
+    "bearer ",
+    "basic ",
+    "apikey",
+    "api_key",
+    "cookie:",
+    "set-cookie",
+    "x-api-key",
+];
+export const containsForbiddenSecretShape = (value) => {
+    const lower = value.toLowerCase();
+    for (const forbidden of FORBIDDEN_SUBSTRINGS) {
+        if (lower.includes(forbidden))
+            return true;
+    }
+    return false;
+};
+/**
+ * Scan a plain-object payload's string values (one level deep) for credential-shaped
+ * substrings. Returns true if any value matches. Used by the dry-run routes BEFORE the
+ * payload is even processed so a leaky client gets a 400 with a generic message.
+ */
+export const payloadContainsForbiddenSecretShape = (payload) => {
+    for (const value of Object.values(payload)) {
+        if (typeof value === "string" && containsForbiddenSecretShape(value))
+            return true;
+    }
+    return false;
+};

package/dist/qualityIntelligence/connectorRoutes.d.ts

@@ -0,0 +1,7 @@
+import type { RouteContext, RouteResult } from "../routes.js";
+import type { UiHandlerDeps } from "../deps.js";
+export declare const handleQiSourceSelect: (ctx: RouteContext, _deps: UiHandlerDeps) => Promise<RouteResult>;
+export declare const handleQiDryRunFigma: (ctx: RouteContext, deps: UiHandlerDeps) => Promise<RouteResult>;
+export declare const handleQiDryRunJira: (ctx: RouteContext, deps: UiHandlerDeps) => Promise<RouteResult>;
+export declare const handleQiCapabilities: (_ctx: RouteContext, deps: UiHandlerDeps) => RouteResult;
+//# sourceMappingURL=connectorRoutes.d.ts.map

package/dist/qualityIntelligence/connectorRoutes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connectorRoutes.d.ts","sourceRoot":"","sources":["../../src/qualityIntelligence/connectorRoutes.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAmIhD,eAAO,MAAM,oBAAoB,GAC/B,KAAK,YAAY,EACjB,OAAO,aAAa,KACnB,OAAO,CAAC,WAAW,CAcrB,CAAC;AAoBF,eAAO,MAAM,mBAAmB,GAC9B,KAAK,YAAY,EACjB,MAAM,aAAa,KAClB,OAAO,CAAC,WAAW,CAOrB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,KAAK,YAAY,EACjB,MAAM,aAAa,KAClB,OAAO,CAAC,WAAW,CAOrB,CAAC;AAIF,eAAO,MAAM,oBAAoB,GAAI,MAAM,YAAY,EAAE,MAAM,aAAa,KAAG,WAI9E,CAAC"}

package/dist/qualityIntelligence/connectorRoutes.js

@@ -0,0 +1,167 @@
+// Quality Intelligence connector BFF routes (Epic #270, Issue #278).
+//
+// Four additive HTTP handlers under `/api/quality-intelligence/sources/*`:
+//   * POST /api/quality-intelligence/sources/select         — plan a user-selected envelope set
+//   * POST /api/quality-intelligence/sources/dryrun-figma   — DRY-RUN only; disabled by default
+//   * POST /api/quality-intelligence/sources/dryrun-jira    — DRY-RUN only; disabled by default
+//   * GET  /api/quality-intelligence/sources/capabilities   — boolean capability summary
+//
+// Hard constraints:
+//   * No provider SDK imports (no figma-api, no jira.js, no @atlassian/*).
+//   * No outbound network request from any handler in this file.
+//   * Authorisation defaults to FALSE — only flips on explicit `*_connector_authorized: true`.
+//   * Error JSON never carries credentials, payloads, URLs, or header pairs.
+//   * Composes existing route plumbing (RouteContext / UiHandlerDeps); does not modify
+//     any sibling handler.
+import { QualityIntelligence } from "@oscharko-dev/keiko-contracts";
+import { QualityIntelligenceIngestion } from "@oscharko-dev/keiko-quality-intelligence";
+import { isFigmaConnectorAuthorized, isJiraConnectorAuthorized, summariseQiConnectorCapabilities, } from "./connectorAuthorization.js";
+import { payloadContainsForbiddenSecretShape, qiConnectorErrorBody } from "./connectorErrors.js";
+const MAX_BODY_BYTES = 256 * 1024;
+class BodyTooLargeError extends Error {
+    constructor() {
+        super("Request body exceeds connector route cap");
+        this.name = "BodyTooLargeError";
+    }
+}
+const readBody = (req) => {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let total = 0;
+        let capped = false;
+        req.on("data", (chunk) => {
+            total += chunk.length;
+            if (total > MAX_BODY_BYTES) {
+                if (!capped) {
+                    capped = true;
+                    chunks.length = 0;
+                    reject(new BodyTooLargeError());
+                    req.resume();
+                }
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on("end", () => {
+            if (!capped)
+                resolve(Buffer.concat(chunks).toString("utf8"));
+        });
+        req.on("error", reject);
+    });
+};
+const isPlainObject = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+const parseConnectorBody = async (req) => {
+    let raw;
+    try {
+        raw = await readBody(req);
+    }
+    catch (e) {
+        if (e instanceof BodyTooLargeError) {
+            return { ok: false, result: { status: 413, body: qiConnectorErrorBody("QI_BAD_REQUEST") } };
+        }
+        return { ok: false, result: { status: 400, body: qiConnectorErrorBody("QI_BAD_REQUEST") } };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return { ok: false, result: { status: 400, body: qiConnectorErrorBody("QI_BAD_REQUEST") } };
+    }
+    if (!isPlainObject(parsed)) {
+        return { ok: false, result: { status: 400, body: qiConnectorErrorBody("QI_BAD_REQUEST") } };
+    }
+    if (payloadContainsForbiddenSecretShape(parsed)) {
+        return {
+            ok: false,
+            result: { status: 400, body: qiConnectorErrorBody("QI_FORBIDDEN_PAYLOAD") },
+        };
+    }
+    return { ok: true, body: parsed };
+};
+const resolveConnectorConfig = (deps) => {
+    const env = deps.env;
+    return {
+        figma_connector_authorized: env.FIGMA_CONNECTOR_AUTHORIZED === "true",
+        jira_connector_authorized: env.JIRA_CONNECTOR_AUTHORIZED === "true",
+    };
+};
+// ─── /sources/select ───────────────────────────────────────────────────────────
+const collectIds = (raw) => {
+    if (!Array.isArray(raw))
+        return null;
+    const ids = [];
+    for (const candidate of raw) {
+        if (typeof candidate !== "string")
+            return null;
+        try {
+            ids.push(QualityIntelligence.asQualityIntelligenceSourceEnvelopeId(candidate));
+        }
+        catch {
+            return null;
+        }
+    }
+    return ids;
+};
+const buildSelectionEnvelopes = (ids, registeredAt) => {
+    // Selection routes accept opaque envelope IDS — no display label or hash is supplied
+    // by the browser tier. The planner only needs id+kind+priority, so we synthesise a
+    // minimal repository-context envelope (the default kind for selection) and let the
+    // QI domain decide what to do downstream when the real envelope catalogue is wired
+    // in #274. Hash is the zero-digest so the planner's "kind+id" stable key still works.
+    return ids.map((id) => ({
+        id,
+        kind: "repository-context",
+        displayLabel: `selected:${id}`,
+        provenance: {
+            origin: "user-selection",
+            registeredAt,
+            integrityHashSha256Hex: "0".repeat(64),
+        },
+        localRef: id,
+    }));
+};
+export const handleQiSourceSelect = async (ctx, _deps) => {
+    const parsed = await parseConnectorBody(ctx.req);
+    if (!parsed.ok)
+        return parsed.result;
+    const ids = collectIds(parsed.body.envelopeIds);
+    if (ids === null) {
+        return { status: 400, body: qiConnectorErrorBody("QI_INVALID_ENVELOPE_SELECTION") };
+    }
+    const registeredAt = typeof parsed.body.registeredAt === "string"
+        ? parsed.body.registeredAt
+        : "1970-01-01T00:00:00Z";
+    const envelopes = buildSelectionEnvelopes(ids, registeredAt);
+    const plan = QualityIntelligenceIngestion.planSourceMix(envelopes);
+    return { status: 200, body: { plan } };
+};
+const buildDryRunOutcome = (connector, body, authorized) => ({
+    status: authorized ? "DRYRUN_OK" : "DISABLED",
+    connector,
+    wouldUseFieldCount: Object.keys(body).length,
+});
+export const handleQiDryRunFigma = async (ctx, deps) => {
+    const parsed = await parseConnectorBody(ctx.req);
+    if (!parsed.ok)
+        return parsed.result;
+    const config = resolveConnectorConfig(deps);
+    const authorized = isFigmaConnectorAuthorized(config);
+    const outcome = buildDryRunOutcome("figma", parsed.body, authorized);
+    return { status: 200, body: outcome };
+};
+export const handleQiDryRunJira = async (ctx, deps) => {
+    const parsed = await parseConnectorBody(ctx.req);
+    if (!parsed.ok)
+        return parsed.result;
+    const config = resolveConnectorConfig(deps);
+    const authorized = isJiraConnectorAuthorized(config);
+    const outcome = buildDryRunOutcome("jira", parsed.body, authorized);
+    return { status: 200, body: outcome };
+};
+// ─── /sources/capabilities ─────────────────────────────────────────────────────
+export const handleQiCapabilities = (_ctx, deps) => {
+    const config = resolveConnectorConfig(deps);
+    const capabilities = summariseQiConnectorCapabilities(config);
+    return { status: 200, body: { capabilities } };
+};

package/dist/qualityIntelligence/editRoutes.d.ts

@@ -0,0 +1,5 @@
+import type { RouteContext, RouteResult, RouteDefinition } from "../routes.js";
+import type { UiHandlerDeps } from "../deps.js";
+export declare function handleQiEditCandidate(ctx: RouteContext, deps: UiHandlerDeps): Promise<RouteResult>;
+export declare const QI_EDIT_ROUTE_GROUP: readonly RouteDefinition[];
+//# sourceMappingURL=editRoutes.d.ts.map

package/dist/qualityIntelligence/editRoutes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"editRoutes.d.ts","sourceRoot":"","sources":["../../src/qualityIntelligence/editRoutes.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAwThD,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,YAAY,EACjB,IAAI,EAAE,aAAa,GAClB,OAAO,CAAC,WAAW,CAAC,CAmBtB;AAED,eAAO,MAAM,mBAAmB,EAAE,SAAS,eAAe,EAMzD,CAAC"}