@oscharko-dev/keiko-server 0.2.0
- package/dist/.tsbuildinfo +1 -0
- package/dist/assistant-response.d.ts +6 -0
- package/dist/assistant-response.d.ts.map +1 -0
- package/dist/assistant-response.js +12 -0
- package/dist/browser.d.ts +11 -0
- package/dist/browser.d.ts.map +1 -0
- package/dist/browser.js +245 -0
- package/dist/chat-handlers.d.ts +48 -0
- package/dist/chat-handlers.d.ts.map +1 -0
- package/dist/chat-handlers.js +821 -0
- package/dist/chat-stream-handlers.d.ts +4 -0
- package/dist/chat-stream-handlers.d.ts.map +1 -0
- package/dist/chat-stream-handlers.js +136 -0
- package/dist/conversation-prompt.d.ts +8 -0
- package/dist/conversation-prompt.d.ts.map +1 -0
- package/dist/conversation-prompt.js +36 -0
- package/dist/conversation-validation.d.ts +26 -0
- package/dist/conversation-validation.d.ts.map +1 -0
- package/dist/conversation-validation.js +125 -0
- package/dist/credentialPersistence.d.ts +23 -0
- package/dist/credentialPersistence.d.ts.map +1 -0
- package/dist/credentialPersistence.js +93 -0
- package/dist/credentialVault.d.ts +30 -0
- package/dist/credentialVault.d.ts.map +1 -0
- package/dist/credentialVault.js +206 -0
- package/dist/csp.d.ts +3 -0
- package/dist/csp.d.ts.map +1 -0
- package/dist/csp.js +75 -0
- package/dist/deps.d.ts +78 -0
- package/dist/deps.d.ts.map +1 -0
- package/dist/deps.js +457 -0
- package/dist/editor/agentRoutes.d.ts +7 -0
- package/dist/editor/agentRoutes.d.ts.map +1 -0
- package/dist/editor/agentRoutes.js +197 -0
- package/dist/editor/assuredGateRunner.d.ts +36 -0
- package/dist/editor/assuredGateRunner.d.ts.map +1 -0
- package/dist/editor/assuredGateRunner.js +100 -0
- package/dist/editor/assuredPreFilter.d.ts +34 -0
- package/dist/editor/assuredPreFilter.d.ts.map +1 -0
- package/dist/editor/assuredPreFilter.js +134 -0
- package/dist/editor/assuredPreFilterRunner.d.ts +31 -0
- package/dist/editor/assuredPreFilterRunner.d.ts.map +1 -0
- package/dist/editor/assuredPreFilterRunner.js +312 -0
- package/dist/editor/builtinLanguageProviders.d.ts +6 -0
- package/dist/editor/builtinLanguageProviders.d.ts.map +1 -0
- package/dist/editor/builtinLanguageProviders.js +221 -0
- package/dist/editor/codingContext.d.ts +12 -0
- package/dist/editor/codingContext.d.ts.map +1 -0
- package/dist/editor/codingContext.js +121 -0
- package/dist/editor/codingContextEvidence.d.ts +7 -0
- package/dist/editor/codingContextEvidence.d.ts.map +1 -0
- package/dist/editor/codingContextEvidence.js +52 -0
- package/dist/editor/codingContextProviders.d.ts +36 -0
- package/dist/editor/codingContextProviders.d.ts.map +1 -0
- package/dist/editor/codingContextProviders.js +348 -0
- package/dist/editor/completionModelEvidence.d.ts +16 -0
- package/dist/editor/completionModelEvidence.d.ts.map +1 -0
- package/dist/editor/completionModelEvidence.js +50 -0
- package/dist/editor/completionRoutes.d.ts +37 -0
- package/dist/editor/completionRoutes.d.ts.map +1 -0
- package/dist/editor/completionRoutes.js +411 -0
- package/dist/editor/contextRoutes.d.ts +6 -0
- package/dist/editor/contextRoutes.d.ts.map +1 -0
- package/dist/editor/contextRoutes.js +411 -0
- package/dist/editor/disposableAssuredExecution.d.ts +22 -0
- package/dist/editor/disposableAssuredExecution.d.ts.map +1 -0
- package/dist/editor/disposableAssuredExecution.js +57 -0
- package/dist/editor/editorCompletionModel.d.ts +47 -0
- package/dist/editor/editorCompletionModel.d.ts.map +1 -0
- package/dist/editor/editorCompletionModel.js +156 -0
- package/dist/editor/editorInlineCompletionModel.d.ts +34 -0
- package/dist/editor/editorInlineCompletionModel.d.ts.map +1 -0
- package/dist/editor/editorInlineCompletionModel.js +112 -0
- package/dist/editor/editorModelTokenBudget.d.ts +46 -0
- package/dist/editor/editorModelTokenBudget.d.ts.map +1 -0
- package/dist/editor/editorModelTokenBudget.js +121 -0
- package/dist/editor/inlineCompletionRateLimiter.d.ts +19 -0
- package/dist/editor/inlineCompletionRateLimiter.d.ts.map +1 -0
- package/dist/editor/inlineCompletionRateLimiter.js +46 -0
- package/dist/editor/inlineCompletionRoutes.d.ts +26 -0
- package/dist/editor/inlineCompletionRoutes.d.ts.map +1 -0
- package/dist/editor/inlineCompletionRoutes.js +404 -0
- package/dist/editor/inlineCompletionTelemetryEvidence.d.ts +5 -0
- package/dist/editor/inlineCompletionTelemetryEvidence.d.ts.map +1 -0
- package/dist/editor/inlineCompletionTelemetryEvidence.js +42 -0
- package/dist/editor/languageCancellation.d.ts +19 -0
- package/dist/editor/languageCancellation.d.ts.map +1 -0
- package/dist/editor/languageCancellation.js +48 -0
- package/dist/editor/languageProvider.d.ts +39 -0
- package/dist/editor/languageProvider.d.ts.map +1 -0
- package/dist/editor/languageProvider.js +11 -0
- package/dist/editor/languageRoutes.d.ts +15 -0
- package/dist/editor/languageRoutes.d.ts.map +1 -0
- package/dist/editor/languageRoutes.js +106 -0
- package/dist/editor/languageSanitize.d.ts +8 -0
- package/dist/editor/languageSanitize.d.ts.map +1 -0
- package/dist/editor/languageSanitize.js +101 -0
- package/dist/editor/languageService.d.ts +36 -0
- package/dist/editor/languageService.d.ts.map +1 -0
- package/dist/editor/languageService.js +93 -0
- package/dist/editor/languageServiceHost.d.ts +14 -0
- package/dist/editor/languageServiceHost.d.ts.map +1 -0
- package/dist/editor/languageServiceHost.js +242 -0
- package/dist/editor/localKnowledgeRetrieval.d.ts +21 -0
- package/dist/editor/localKnowledgeRetrieval.d.ts.map +1 -0
- package/dist/editor/localKnowledgeRetrieval.js +44 -0
- package/dist/editor/patchApplyEvidence.d.ts +21 -0
- package/dist/editor/patchApplyEvidence.d.ts.map +1 -0
- package/dist/editor/patchApplyEvidence.js +87 -0
- package/dist/editor/patchApplyRoutes.d.ts +16 -0
- package/dist/editor/patchApplyRoutes.d.ts.map +1 -0
- package/dist/editor/patchApplyRoutes.js +307 -0
- package/dist/editor/postApplyVerification.d.ts +42 -0
- package/dist/editor/postApplyVerification.d.ts.map +1 -0
- package/dist/editor/postApplyVerification.js +177 -0
- package/dist/editor/testGenerationEvidence.d.ts +6 -0
- package/dist/editor/testGenerationEvidence.d.ts.map +1 -0
- package/dist/editor/testGenerationEvidence.js +72 -0
- package/dist/editor/testGenerationPatch.d.ts +10 -0
- package/dist/editor/testGenerationPatch.d.ts.map +1 -0
- package/dist/editor/testGenerationPatch.js +66 -0
- package/dist/editor/testGenerationRoutes.d.ts +21 -0
- package/dist/editor/testGenerationRoutes.d.ts.map +1 -0
- package/dist/editor/testGenerationRoutes.js +254 -0
- package/dist/editor/testGenerationRunner.d.ts +23 -0
- package/dist/editor/testGenerationRunner.d.ts.map +1 -0
- package/dist/editor/testGenerationRunner.js +120 -0
- package/dist/editor/textOffsets.d.ts +6 -0
- package/dist/editor/textOffsets.d.ts.map +1 -0
- package/dist/editor/textOffsets.js +82 -0
- package/dist/editor/typescriptLanguageProvider.d.ts +3 -0
- package/dist/editor/typescriptLanguageProvider.d.ts.map +1 -0
- package/dist/editor/typescriptLanguageProvider.js +217 -0
- package/dist/evidence.d.ts +28 -0
- package/dist/evidence.d.ts.map +1 -0
- package/dist/evidence.js +145 -0
- package/dist/files-deny.d.ts +3 -0
- package/dist/files-deny.d.ts.map +1 -0
- package/dist/files-deny.js +12 -0
- package/dist/files.d.ts +97 -0
- package/dist/files.d.ts.map +1 -0
- package/dist/files.js +733 -0
- package/dist/gateway-setup.d.ts +10 -0
- package/dist/gateway-setup.d.ts.map +1 -0
- package/dist/gateway-setup.js +896 -0
- package/dist/governed-workflow.d.ts +17 -0
- package/dist/governed-workflow.d.ts.map +1 -0
- package/dist/governed-workflow.js +147 -0
- package/dist/grounded-answer.d.ts +12 -0
- package/dist/grounded-answer.d.ts.map +1 -0
- package/dist/grounded-answer.js +69 -0
- package/dist/grounded-context-index.d.ts +25 -0
- package/dist/grounded-context-index.d.ts.map +1 -0
- package/dist/grounded-context-index.js +169 -0
- package/dist/grounded-document-evidence.d.ts +28 -0
- package/dist/grounded-document-evidence.d.ts.map +1 -0
- package/dist/grounded-document-evidence.js +430 -0
- package/dist/grounded-handoff.d.ts +4 -0
- package/dist/grounded-handoff.d.ts.map +1 -0
- package/dist/grounded-handoff.js +445 -0
- package/dist/grounded-orchestrator.d.ts +43 -0
- package/dist/grounded-orchestrator.d.ts.map +1 -0
- package/dist/grounded-orchestrator.js +1445 -0
- package/dist/grounded-prompt.d.ts +2 -0
- package/dist/grounded-prompt.d.ts.map +1 -0
- package/dist/grounded-prompt.js +17 -0
- package/dist/grounded-qa-hybrid.d.ts +36 -0
- package/dist/grounded-qa-hybrid.d.ts.map +1 -0
- package/dist/grounded-qa-hybrid.js +762 -0
- package/dist/grounded-qa-multi-source.d.ts +38 -0
- package/dist/grounded-qa-multi-source.d.ts.map +1 -0
- package/dist/grounded-qa-multi-source.js +461 -0
- package/dist/grounded-qa.d.ts +45 -0
- package/dist/grounded-qa.d.ts.map +1 -0
- package/dist/grounded-qa.js +877 -0
- package/dist/grounded-rerank.d.ts +26 -0
- package/dist/grounded-rerank.d.ts.map +1 -0
- package/dist/grounded-rerank.js +72 -0
- package/dist/grounded-turn-registry.d.ts +23 -0
- package/dist/grounded-turn-registry.d.ts.map +1 -0
- package/dist/grounded-turn-registry.js +102 -0
- package/dist/headers.d.ts +3 -0
- package/dist/headers.d.ts.map +1 -0
- package/dist/headers.js +22 -0
- package/dist/host-check.d.ts +3 -0
- package/dist/host-check.d.ts.map +1 -0
- package/dist/host-check.js +58 -0
- package/dist/index.d.ts +26 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +33 -0
- package/dist/load-csp.d.ts +3 -0
- package/dist/load-csp.d.ts.map +1 -0
- package/dist/load-csp.js +100 -0
- package/dist/local-knowledge-grounded-qa.d.ts +42 -0
- package/dist/local-knowledge-grounded-qa.d.ts.map +1 -0
- package/dist/local-knowledge-grounded-qa.js +678 -0
- package/dist/local-knowledge-handlers.d.ts +24 -0
- package/dist/local-knowledge-handlers.d.ts.map +1 -0
- package/dist/local-knowledge-handlers.js +1285 -0
- package/dist/local-knowledge-indexing-registry.d.ts +13 -0
- package/dist/local-knowledge-indexing-registry.d.ts.map +1 -0
- package/dist/local-knowledge-indexing-registry.js +53 -0
- package/dist/localKnowledgeKeyProvider.d.ts +11 -0
- package/dist/localKnowledgeKeyProvider.d.ts.map +1 -0
- package/dist/localKnowledgeKeyProvider.js +48 -0
- package/dist/memory-audit-event-builders.d.ts +21 -0
- package/dist/memory-audit-event-builders.d.ts.map +1 -0
- package/dist/memory-audit-event-builders.js +187 -0
- package/dist/memory-audit-handler.d.ts +23 -0
- package/dist/memory-audit-handler.d.ts.map +1 -0
- package/dist/memory-audit-handler.js +191 -0
- package/dist/memory-capture-policy.d.ts +10 -0
- package/dist/memory-capture-policy.d.ts.map +1 -0
- package/dist/memory-capture-policy.js +44 -0
- package/dist/memory-consolidation-handlers.d.ts +6 -0
- package/dist/memory-consolidation-handlers.d.ts.map +1 -0
- package/dist/memory-consolidation-handlers.js +491 -0
- package/dist/memory-consolidation-registry.d.ts +47 -0
- package/dist/memory-consolidation-registry.d.ts.map +1 -0
- package/dist/memory-consolidation-registry.js +106 -0
- package/dist/memory-conv-handlers.d.ts +8 -0
- package/dist/memory-conv-handlers.d.ts.map +1 -0
- package/dist/memory-conv-handlers.js +369 -0
- package/dist/memory-conversation-context.d.ts +13 -0
- package/dist/memory-conversation-context.d.ts.map +1 -0
- package/dist/memory-conversation-context.js +22 -0
- package/dist/memory-diagnostics.d.ts +29 -0
- package/dist/memory-diagnostics.d.ts.map +1 -0
- package/dist/memory-diagnostics.js +122 -0
- package/dist/memory-embedding.d.ts +21 -0
- package/dist/memory-embedding.d.ts.map +1 -0
- package/dist/memory-embedding.js +264 -0
- package/dist/memory-handlers.d.ts +19 -0
- package/dist/memory-handlers.d.ts.map +1 -0
- package/dist/memory-handlers.js +1204 -0
- package/dist/memory-maintenance-handlers.d.ts +35 -0
- package/dist/memory-maintenance-handlers.d.ts.map +1 -0
- package/dist/memory-maintenance-handlers.js +219 -0
- package/dist/memory-record-builders.d.ts +4 -0
- package/dist/memory-record-builders.d.ts.map +1 -0
- package/dist/memory-record-builders.js +19 -0
- package/dist/memory-retention.d.ts +31 -0
- package/dist/memory-retention.d.ts.map +1 -0
- package/dist/memory-retention.js +151 -0
- package/dist/memory-retrieval-signals.d.ts +12 -0
- package/dist/memory-retrieval-signals.d.ts.map +1 -0
- package/dist/memory-retrieval-signals.js +100 -0
- package/dist/memory-salience.d.ts +12 -0
- package/dist/memory-salience.d.ts.map +1 -0
- package/dist/memory-salience.js +154 -0
- package/dist/memory-scope-sanitizer.d.ts +6 -0
- package/dist/memory-scope-sanitizer.d.ts.map +1 -0
- package/dist/memory-scope-sanitizer.js +106 -0
- package/dist/memory-target-resolver.d.ts +4 -0
- package/dist/memory-target-resolver.d.ts.map +1 -0
- package/dist/memory-target-resolver.js +73 -0
- package/dist/memory-workflow-port.d.ts +14 -0
- package/dist/memory-workflow-port.d.ts.map +1 -0
- package/dist/memory-workflow-port.js +186 -0
- package/dist/private-json.d.ts +3 -0
- package/dist/private-json.d.ts.map +1 -0
- package/dist/private-json.js +62 -0
- package/dist/promptEnhancer/index.d.ts +3 -0
- package/dist/promptEnhancer/index.d.ts.map +1 -0
- package/dist/promptEnhancer/index.js +5 -0
- package/dist/promptEnhancer/orchestrate.d.ts +2 -0
- package/dist/promptEnhancer/orchestrate.d.ts.map +1 -0
- package/dist/promptEnhancer/orchestrate.js +5 -0
- package/dist/promptEnhancer/routes.d.ts +9 -0
- package/dist/promptEnhancer/routes.d.ts.map +1 -0
- package/dist/promptEnhancer/routes.js +205 -0
- package/dist/qualityIntelligence/capsuleAdapter.d.ts +27 -0
- package/dist/qualityIntelligence/capsuleAdapter.d.ts.map +1 -0
- package/dist/qualityIntelligence/capsuleAdapter.js +57 -0
- package/dist/qualityIntelligence/connectorAuthorization.d.ts +22 -0
- package/dist/qualityIntelligence/connectorAuthorization.d.ts.map +1 -0
- package/dist/qualityIntelligence/connectorAuthorization.js +35 -0
- package/dist/qualityIntelligence/connectorErrors.d.ts +16 -0
- package/dist/qualityIntelligence/connectorErrors.d.ts.map +1 -0
- package/dist/qualityIntelligence/connectorErrors.js +56 -0
- package/dist/qualityIntelligence/connectorRoutes.d.ts +7 -0
- package/dist/qualityIntelligence/connectorRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/connectorRoutes.js +167 -0
- package/dist/qualityIntelligence/editRoutes.d.ts +5 -0
- package/dist/qualityIntelligence/editRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/editRoutes.js +293 -0
- package/dist/qualityIntelligence/exportAssembly.d.ts +22 -0
- package/dist/qualityIntelligence/exportAssembly.d.ts.map +1 -0
- package/dist/qualityIntelligence/exportAssembly.js +352 -0
- package/dist/qualityIntelligence/exportRoutes.d.ts +5 -0
- package/dist/qualityIntelligence/exportRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/exportRoutes.js +320 -0
- package/dist/qualityIntelligence/figma/figmaConcurrency.d.ts +8 -0
- package/dist/qualityIntelligence/figma/figmaConcurrency.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaConcurrency.js +34 -0
- package/dist/qualityIntelligence/figma/figmaConnector.d.ts +65 -0
- package/dist/qualityIntelligence/figma/figmaConnector.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaConnector.js +184 -0
- package/dist/qualityIntelligence/figma/figmaConnectorAudit.d.ts +52 -0
- package/dist/qualityIntelligence/figma/figmaConnectorAudit.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaConnectorAudit.js +63 -0
- package/dist/qualityIntelligence/figma/figmaConnectorErrors.d.ts +31 -0
- package/dist/qualityIntelligence/figma/figmaConnectorErrors.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaConnectorErrors.js +220 -0
- package/dist/qualityIntelligence/figma/figmaConnectorMetrics.d.ts +44 -0
- package/dist/qualityIntelligence/figma/figmaConnectorMetrics.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaConnectorMetrics.js +49 -0
- package/dist/qualityIntelligence/figma/figmaConsent.d.ts +39 -0
- package/dist/qualityIntelligence/figma/figmaConsent.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaConsent.js +62 -0
- package/dist/qualityIntelligence/figma/figmaHttpPort.d.ts +28 -0
- package/dist/qualityIntelligence/figma/figmaHttpPort.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaHttpPort.js +70 -0
- package/dist/qualityIntelligence/figma/figmaObservedActions.d.ts +49 -0
- package/dist/qualityIntelligence/figma/figmaObservedActions.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaObservedActions.js +89 -0
- package/dist/qualityIntelligence/figma/figmaReadiness.d.ts +32 -0
- package/dist/qualityIntelligence/figma/figmaReadiness.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaReadiness.js +67 -0
- package/dist/qualityIntelligence/figma/figmaRenderPort.d.ts +29 -0
- package/dist/qualityIntelligence/figma/figmaRenderPort.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaRenderPort.js +93 -0
- package/dist/qualityIntelligence/figma/figmaResnapshot.d.ts +28 -0
- package/dist/qualityIntelligence/figma/figmaResnapshot.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaResnapshot.js +38 -0
- package/dist/qualityIntelligence/figma/figmaRetry.d.ts +31 -0
- package/dist/qualityIntelligence/figma/figmaRetry.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaRetry.js +62 -0
- package/dist/qualityIntelligence/figma/figmaScopeRef.d.ts +9 -0
- package/dist/qualityIntelligence/figma/figmaScopeRef.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaScopeRef.js +18 -0
- package/dist/qualityIntelligence/figma/figmaScopedPagination.d.ts +86 -0
- package/dist/qualityIntelligence/figma/figmaScopedPagination.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaScopedPagination.js +308 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotBuilder.d.ts +31 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotBuilder.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotBuilder.js +314 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotHash.d.ts +18 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotHash.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotHash.js +63 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotTypes.d.ts +65 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotTypes.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaSnapshotTypes.js +13 -0
- package/dist/qualityIntelligence/figma/figmaTokenSource.d.ts +9 -0
- package/dist/qualityIntelligence/figma/figmaTokenSource.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaTokenSource.js +61 -0
- package/dist/qualityIntelligence/figma/figmaTokenStore.d.ts +19 -0
- package/dist/qualityIntelligence/figma/figmaTokenStore.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaTokenStore.js +156 -0
- package/dist/qualityIntelligence/figma/figmaUrl.d.ts +6 -0
- package/dist/qualityIntelligence/figma/figmaUrl.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/figmaUrl.js +36 -0
- package/dist/qualityIntelligence/figma/index.d.ts +20 -0
- package/dist/qualityIntelligence/figma/index.d.ts.map +1 -0
- package/dist/qualityIntelligence/figma/index.js +26 -0
- package/dist/qualityIntelligence/figmaCodegenRoutes.d.ts +28 -0
- package/dist/qualityIntelligence/figmaCodegenRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/figmaCodegenRoutes.js +165 -0
- package/dist/qualityIntelligence/figmaSnapshotAdapter.d.ts +55 -0
- package/dist/qualityIntelligence/figmaSnapshotAdapter.d.ts.map +1 -0
- package/dist/qualityIntelligence/figmaSnapshotAdapter.js +219 -0
- package/dist/qualityIntelligence/figmaSnapshotOrchestration.d.ts +64 -0
- package/dist/qualityIntelligence/figmaSnapshotOrchestration.d.ts.map +1 -0
- package/dist/qualityIntelligence/figmaSnapshotOrchestration.js +203 -0
- package/dist/qualityIntelligence/figmaSnapshotRoutes.d.ts +112 -0
- package/dist/qualityIntelligence/figmaSnapshotRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/figmaSnapshotRoutes.js +1063 -0
- package/dist/qualityIntelligence/figmaSnapshotScreenIds.d.ts +19 -0
- package/dist/qualityIntelligence/figmaSnapshotScreenIds.d.ts.map +1 -0
- package/dist/qualityIntelligence/figmaSnapshotScreenIds.js +75 -0
- package/dist/qualityIntelligence/generationPort.d.ts +15 -0
- package/dist/qualityIntelligence/generationPort.d.ts.map +1 -0
- package/dist/qualityIntelligence/generationPort.js +185 -0
- package/dist/qualityIntelligence/handoffErrors.d.ts +9 -0
- package/dist/qualityIntelligence/handoffErrors.d.ts.map +1 -0
- package/dist/qualityIntelligence/handoffErrors.js +21 -0
- package/dist/qualityIntelligence/handoffRoutes.d.ts +15 -0
- package/dist/qualityIntelligence/handoffRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/handoffRoutes.js +341 -0
- package/dist/qualityIntelligence/index.d.ts +17 -0
- package/dist/qualityIntelligence/index.d.ts.map +1 -0
- package/dist/qualityIntelligence/index.js +36 -0
- package/dist/qualityIntelligence/judgePort.d.ts +30 -0
- package/dist/qualityIntelligence/judgePort.d.ts.map +1 -0
- package/dist/qualityIntelligence/judgePort.js +326 -0
- package/dist/qualityIntelligence/modelSelection.d.ts +58 -0
- package/dist/qualityIntelligence/modelSelection.d.ts.map +1 -0
- package/dist/qualityIntelligence/modelSelection.js +148 -0
- package/dist/qualityIntelligence/reCheckRoutes.d.ts +6 -0
- package/dist/qualityIntelligence/reCheckRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/reCheckRoutes.js +1157 -0
- package/dist/qualityIntelligence/retentionEnforcement.d.ts +13 -0
- package/dist/qualityIntelligence/retentionEnforcement.d.ts.map +1 -0
- package/dist/qualityIntelligence/retentionEnforcement.js +47 -0
- package/dist/qualityIntelligence/retentionRoutes.d.ts +8 -0
- package/dist/qualityIntelligence/retentionRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/retentionRoutes.js +74 -0
- package/dist/qualityIntelligence/reviewRoutes.d.ts +5 -0
- package/dist/qualityIntelligence/reviewRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/reviewRoutes.js +145 -0
- package/dist/qualityIntelligence/reviewStore.d.ts +75 -0
- package/dist/qualityIntelligence/reviewStore.d.ts.map +1 -0
- package/dist/qualityIntelligence/reviewStore.js +170 -0
- package/dist/qualityIntelligence/runExecution.d.ts +36 -0
- package/dist/qualityIntelligence/runExecution.d.ts.map +1 -0
- package/dist/qualityIntelligence/runExecution.js +180 -0
- package/dist/qualityIntelligence/runIngestion.d.ts +70 -0
- package/dist/qualityIntelligence/runIngestion.d.ts.map +1 -0
- package/dist/qualityIntelligence/runIngestion.js +1235 -0
- package/dist/qualityIntelligence/runRegistry.d.ts +31 -0
- package/dist/qualityIntelligence/runRegistry.d.ts.map +1 -0
- package/dist/qualityIntelligence/runRegistry.js +66 -0
- package/dist/qualityIntelligence/runRoutes.d.ts +16 -0
- package/dist/qualityIntelligence/runRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/runRoutes.js +357 -0
- package/dist/qualityIntelligence/traceabilityRoutes.d.ts +5 -0
- package/dist/qualityIntelligence/traceabilityRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/traceabilityRoutes.js +173 -0
- package/dist/qualityIntelligence/uiRoutes.d.ts +7 -0
- package/dist/qualityIntelligence/uiRoutes.d.ts.map +1 -0
- package/dist/qualityIntelligence/uiRoutes.js +336 -0
- package/dist/read-handlers.d.ts +9 -0
- package/dist/read-handlers.d.ts.map +1 -0
- package/dist/read-handlers.js +265 -0
- package/dist/relationship-handlers.d.ts +191 -0
- package/dist/relationship-handlers.d.ts.map +1 -0
- package/dist/relationship-handlers.js +0 -0
- package/dist/routes.d.ts +37 -0
- package/dist/routes.d.ts.map +1 -0
- package/dist/routes.js +507 -0
- package/dist/run-engine.d.ts +25 -0
- package/dist/run-engine.d.ts.map +1 -0
- package/dist/run-engine.js +385 -0
- package/dist/run-handlers.d.ts +9 -0
- package/dist/run-handlers.d.ts.map +1 -0
- package/dist/run-handlers.js +465 -0
- package/dist/run-request.d.ts +17 -0
- package/dist/run-request.d.ts.map +1 -0
- package/dist/run-request.js +219 -0
- package/dist/runs.d.ts +47 -0
- package/dist/runs.d.ts.map +1 -0
- package/dist/runs.js +100 -0
- package/dist/server.d.ts +13 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +152 -0
- package/dist/sink.d.ts +28 -0
- package/dist/sink.d.ts.map +1 -0
- package/dist/sink.js +80 -0
- package/dist/sse-write.d.ts +9 -0
- package/dist/sse-write.d.ts.map +1 -0
- package/dist/sse-write.js +26 -0
- package/dist/sse.d.ts +8 -0
- package/dist/sse.d.ts.map +1 -0
- package/dist/sse.js +27 -0
- package/dist/static.d.ts +5 -0
- package/dist/static.d.ts.map +1 -0
- package/dist/static.js +76 -0
- package/dist/store/chats.d.ts +17 -0
- package/dist/store/chats.d.ts.map +1 -0
- package/dist/store/chats.js +624 -0
- package/dist/store/db.d.ts +11 -0
- package/dist/store/db.d.ts.map +1 -0
- package/dist/store/db.js +203 -0
- package/dist/store/errors.d.ts +13 -0
- package/dist/store/errors.d.ts.map +1 -0
- package/dist/store/errors.js +30 -0
- package/dist/store/index.d.ts +7 -0
- package/dist/store/index.d.ts.map +1 -0
- package/dist/store/index.js +6 -0
- package/dist/store/messages.d.ts +8 -0
- package/dist/store/messages.d.ts.map +1 -0
- package/dist/store/messages.js +149 -0
- package/dist/store/paths.d.ts +5 -0
- package/dist/store/paths.d.ts.map +1 -0
- package/dist/store/paths.js +84 -0
- package/dist/store/projects.d.ts +8 -0
- package/dist/store/projects.d.ts.map +1 -0
- package/dist/store/projects.js +59 -0
- package/dist/store/relationship-audit.d.ts +42 -0
- package/dist/store/relationship-audit.d.ts.map +1 -0
- package/dist/store/relationship-audit.js +155 -0
- package/dist/store/relationships.d.ts +191 -0
- package/dist/store/relationships.d.ts.map +1 -0
- package/dist/store/relationships.js +724 -0
- package/dist/store/schema.d.ts +4 -0
- package/dist/store/schema.d.ts.map +1 -0
- package/dist/store/schema.js +220 -0
- package/dist/store/types.d.ts +29 -0
- package/dist/store/types.d.ts.map +1 -0
- package/dist/store/types.js +8 -0
- package/dist/store/validation.d.ts +7 -0
- package/dist/store/validation.d.ts.map +1 -0
- package/dist/store/validation.js +117 -0
- package/dist/store-handlers.d.ts +17 -0
- package/dist/store-handlers.d.ts.map +1 -0
- package/dist/store-handlers.js +872 -0
- package/dist/terminal-errors.d.ts +22 -0
- package/dist/terminal-errors.d.ts.map +1 -0
- package/dist/terminal-errors.js +45 -0
- package/dist/terminal-evidence.d.ts +21 -0
- package/dist/terminal-evidence.d.ts.map +1 -0
- package/dist/terminal-evidence.js +65 -0
- package/dist/terminal-routes.d.ts +10 -0
- package/dist/terminal-routes.d.ts.map +1 -0
- package/dist/terminal-routes.js +219 -0
- package/dist/terminal.d.ts +68 -0
- package/dist/terminal.d.ts.map +1 -0
- package/dist/terminal.js +855 -0
- package/package.json +52 -0
|
@@ -0,0 +1,206 @@
|
|
|
1
|
+
// Provider-credential vault policy (Issue #1320, Epic #1319).
|
|
2
|
+
//
|
|
3
|
+
// This is the local, dependency-light glue between the generic AES-256-GCM secret vault
|
|
4
|
+
// (@oscharko-dev/keiko-security/secret-vault) and the Model Gateway config. It owns:
|
|
5
|
+
// - the stable, NON-SECRET reference scheme persisted in keiko.config.json (`cred:<modelId>`),
|
|
6
|
+
// - where the encrypted provider-credential store lives (a `credentials/` dir next to the config),
|
|
7
|
+
// - the env -> keychain -> keyfile key namespace for that store,
|
|
8
|
+
// - the read-side resolver the gateway/CLI inject to turn a reference back into a real apiKey,
|
|
9
|
+
// - the write-side transform that seals provider apiKeys and strips plaintext from the config.
|
|
10
|
+
//
|
|
11
|
+
// It deliberately imports nothing heavy (no server barrel, no SQLite, no Figma orchestration) so the
|
|
12
|
+
// offline `keiko run` and `keiko repair` commands can resolve/detect credentials without loading the
|
|
13
|
+
// full BFF runtime. Figma PAT routing and the migration orchestration live in credentialPersistence.
|
|
14
|
+
import { existsSync } from "node:fs";
|
|
15
|
+
import { dirname, join } from "node:path";
|
|
16
|
+
import { createLocalSecretVault, readLocalVaultReferences, resolveLocalVaultKey, } from "@oscharko-dev/keiko-security/secret-vault";
|
|
17
|
+
const CREDENTIALS_SUBDIR = "credentials";
|
|
18
|
+
const CREDENTIALS_STORE_FILE = "provider-credentials.vault";
|
|
19
|
+
const CREDENTIALS_KEYFILE = "provider-credentials-vault.key";
|
|
20
|
+
const CREDENTIALS_KEY_ENV = "KEIKO_PROVIDER_CREDENTIALS_KEY";
|
|
21
|
+
const CREDENTIALS_KEYCHAIN_SERVICE = "keiko-provider-credentials-vault";
|
|
22
|
+
// The reference prefix is an opaque, NON-SECRET marker stored in plaintext config alongside the
|
|
23
|
+
// (separately keyed) sealed material. It is derived from the provider modelId — already present in
|
|
24
|
+
// the same config entry — so it is stable across re-saves and migrations and leaks nothing new.
|
|
25
|
+
export const PROVIDER_SECRET_REF_PREFIX = "cred:";
|
|
26
|
+
export function providerSecretRef(modelId) {
|
|
27
|
+
return `${PROVIDER_SECRET_REF_PREFIX}${modelId}`;
|
|
28
|
+
}
|
|
29
|
+
// The credential store lives next to keiko.config.json so a copied or synced config directory carries
|
|
30
|
+
// only its separately-keyed ciphertext — never plaintext, and never the key when env/keychain tiers
|
|
31
|
+
// are in use.
|
|
32
|
+
export function credentialVaultDir(configPath) {
|
|
33
|
+
return join(dirname(configPath), CREDENTIALS_SUBDIR);
|
|
34
|
+
}
|
|
35
|
+
export function credentialStorePath(configPath) {
|
|
36
|
+
return join(credentialVaultDir(configPath), CREDENTIALS_STORE_FILE);
|
|
37
|
+
}
|
|
38
|
+
export function openProviderCredentialVault(options) {
|
|
39
|
+
const vaultDir = credentialVaultDir(options.configPath);
|
|
40
|
+
const { key } = resolveLocalVaultKey({
|
|
41
|
+
env: options.env,
|
|
42
|
+
vaultDir,
|
|
43
|
+
envVarName: CREDENTIALS_KEY_ENV,
|
|
44
|
+
keychainService: CREDENTIALS_KEYCHAIN_SERVICE,
|
|
45
|
+
keyfileName: CREDENTIALS_KEYFILE,
|
|
46
|
+
...(options.keychainAccess !== undefined ? { keychainAccess: options.keychainAccess } : {}),
|
|
47
|
+
});
|
|
48
|
+
return createLocalSecretVault({ key, storePath: credentialStorePath(options.configPath) });
|
|
49
|
+
}
|
|
50
|
+
// A crypto-free resolver for the gateway/CLI: maps `cred:<modelId>` to its plaintext secret. It is
|
|
51
|
+
// store-existence-gated so a config without vaulted credentials (env-only or legacy plaintext) never
|
|
52
|
+
// triggers key generation, and degrades to undefined on any vault fault so a locked/tampered vault
|
|
53
|
+
// surfaces as the gateway's honest "apiKey must be set" config error rather than a crash.
|
|
54
|
+
export function createProviderSecretResolver(options) {
|
|
55
|
+
const storePath = credentialStorePath(options.configPath);
|
|
56
|
+
let vault;
|
|
57
|
+
return (reference) => {
|
|
58
|
+
if (!existsSync(storePath))
|
|
59
|
+
return undefined;
|
|
60
|
+
try {
|
|
61
|
+
vault ??= openProviderCredentialVault(options);
|
|
62
|
+
return vault.get(reference);
|
|
63
|
+
}
|
|
64
|
+
catch {
|
|
65
|
+
return undefined;
|
|
66
|
+
}
|
|
67
|
+
};
|
|
68
|
+
}
|
|
69
|
+
function isRecord(value) {
|
|
70
|
+
return typeof value === "object" && value !== null && !Array.isArray(value);
|
|
71
|
+
}
|
|
72
|
+
function envModelToken(modelId) {
|
|
73
|
+
return modelId.replace(/[^A-Za-z0-9]/g, "_").toUpperCase();
|
|
74
|
+
}
|
|
75
|
+
// True when the environment supplies the exact same effective apiKey, so it must NOT be persisted
|
|
76
|
+
// (env credentials stay transient and are never written back to disk). If an env override differs
|
|
77
|
+
// from the file value, the file value is still a durable configured credential and must be vaulted so
|
|
78
|
+
// behavior survives after the temporary env override is removed.
|
|
79
|
+
export function isEnvProvidedApiKey(modelId, apiKey, env) {
|
|
80
|
+
const perModel = env[`KEIKO_MODEL_${envModelToken(modelId)}_API_KEY`];
|
|
81
|
+
if (perModel !== undefined && perModel.length > 0 && perModel === apiKey) {
|
|
82
|
+
return true;
|
|
83
|
+
}
|
|
84
|
+
const defaultKey = env.KEIKO_DEFAULT_API_KEY;
|
|
85
|
+
return defaultKey !== undefined && defaultKey.length > 0 && defaultKey === apiKey;
|
|
86
|
+
}
|
|
87
|
+
function stripCredentialFields(provider) {
|
|
88
|
+
const out = {};
|
|
89
|
+
for (const [key, value] of Object.entries(provider)) {
|
|
90
|
+
if (key !== "apiKey" && key !== "apiKeySecretRef") {
|
|
91
|
+
out[key] = value;
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
return out;
|
|
95
|
+
}
|
|
96
|
+
function existingSecretRef(provider) {
|
|
97
|
+
const value = provider.apiKeySecretRef;
|
|
98
|
+
return typeof value === "string" && value.length > 0 ? value : undefined;
|
|
99
|
+
}
|
|
100
|
+
function providerWithSecretRef(cleaned, reference) {
|
|
101
|
+
return { provider: { ...cleaned, apiKeySecretRef: reference }, activeSecretRef: reference };
|
|
102
|
+
}
|
|
103
|
+
function planPlaintextProviderCredential(modelId, apiKey, cleaned, configuredRef, env, vaultedRefs, toSeal) {
|
|
104
|
+
const reference = providerSecretRef(modelId);
|
|
105
|
+
if (!isEnvProvidedApiKey(modelId, apiKey, env)) {
|
|
106
|
+
toSeal.set(reference, apiKey);
|
|
107
|
+
return providerWithSecretRef(cleaned, reference);
|
|
108
|
+
}
|
|
109
|
+
// Env override: preserve the durable vaulted credential + its reference if one already exists.
|
|
110
|
+
const durableRef = configuredRef ?? reference;
|
|
111
|
+
return vaultedRefs.has(durableRef) ? providerWithSecretRef(cleaned, durableRef) : { provider: cleaned };
|
|
112
|
+
}
|
|
113
|
+
function planReferenceOnlyProviderCredential(modelId, cleaned, configuredRef, vaultedRefs) {
|
|
114
|
+
// No plaintext: keep an explicit reference as-is. If the config omitted a reference but a durable
|
|
115
|
+
// vault entry for the model already exists, preserve that entry through a re-save.
|
|
116
|
+
const reference = providerSecretRef(modelId);
|
|
117
|
+
const ref = configuredRef ?? (vaultedRefs.has(reference) ? reference : undefined);
|
|
118
|
+
return ref === undefined ? { provider: cleaned } : providerWithSecretRef(cleaned, ref);
|
|
119
|
+
}
|
|
120
|
+
// Decides how a single provider is persisted, given the references already present in the vault:
|
|
121
|
+
// - a non-env plaintext key is sealed into the vault and the provider carries its reference;
|
|
122
|
+
// - an env-provided key whose durable credential is ALREADY vaulted keeps its reference and its
|
|
123
|
+
// vaulted value untouched (env is a transient override layered over the durable secret, so the
|
|
124
|
+
// vault entry must survive an env var being later unset — Issue #1320 / review blocker);
|
|
125
|
+
// - a reference-bearing provider with no plaintext (an already-migrated entry) keeps its reference;
|
|
126
|
+
// - a pure-env or referenceless provider is stripped (env stays transient, nothing persists).
|
|
127
|
+
// `toSeal` is populated only with new non-env values. Stale refs are pruned only after the config
|
|
128
|
+
// rewrite succeeds, so an already reference-only config is never left pointing at deleted vault
|
|
129
|
+
// material after a crash.
|
|
130
|
+
function planProviderCredential(provider, env, vaultedRefs, toSeal) {
|
|
131
|
+
const modelId = typeof provider.modelId === "string" ? provider.modelId : "";
|
|
132
|
+
const apiKey = typeof provider.apiKey === "string" ? provider.apiKey : "";
|
|
133
|
+
const cleaned = stripCredentialFields(provider);
|
|
134
|
+
if (modelId.length === 0) {
|
|
135
|
+
return { provider: cleaned };
|
|
136
|
+
}
|
|
137
|
+
const configuredRef = existingSecretRef(provider);
|
|
138
|
+
if (apiKey.length > 0) {
|
|
139
|
+
return planPlaintextProviderCredential(modelId, apiKey, cleaned, configuredRef, env, vaultedRefs, toSeal);
|
|
140
|
+
}
|
|
141
|
+
return planReferenceOnlyProviderCredential(modelId, cleaned, configuredRef, vaultedRefs);
|
|
142
|
+
}
|
|
143
|
+
// Seals each persistable provider apiKey into the credential vault and returns the providers array
|
|
144
|
+
// rewritten to carry an `apiKeySecretRef` instead of the plaintext `apiKey`. Vault writes happen
|
|
145
|
+
// FIRST (before the caller rewrites the config) so a crash leaves the old plaintext config in place
|
|
146
|
+
// and the next migration re-runs idempotently. Pure env credentials are dropped entirely (no
|
|
147
|
+
// reference, no vault entry), while env overrides layered over an existing durable vault entry keep
|
|
148
|
+
// that reference. Stale refs are pruned only after the config rewrite succeeds, so an already
|
|
149
|
+
// reference-only config is never left pointing at deleted vault material after a crash.
|
|
150
|
+
export function prepareSealedProviderApiKeys(options) {
|
|
151
|
+
const providersRaw = Array.isArray(options.raw.providers)
|
|
152
|
+
? options.raw.providers
|
|
153
|
+
: [];
|
|
154
|
+
const vaultedRefs = new Set(readLocalVaultReferences(credentialStorePath(options.configPath)));
|
|
155
|
+
const vaultEntries = new Map();
|
|
156
|
+
const activeSecretRefs = new Set();
|
|
157
|
+
const sealedProviders = providersRaw.map((provider) => {
|
|
158
|
+
if (!isRecord(provider)) {
|
|
159
|
+
return provider;
|
|
160
|
+
}
|
|
161
|
+
const planned = planProviderCredential(provider, options.env, vaultedRefs, vaultEntries);
|
|
162
|
+
if (planned.activeSecretRef !== undefined) {
|
|
163
|
+
activeSecretRefs.add(planned.activeSecretRef);
|
|
164
|
+
}
|
|
165
|
+
return planned.provider;
|
|
166
|
+
});
|
|
167
|
+
persistVaultEntries(options, vaultEntries);
|
|
168
|
+
return { providers: sealedProviders, activeSecretRefs: [...activeSecretRefs] };
|
|
169
|
+
}
|
|
170
|
+
function persistVaultEntries(options, entries) {
|
|
171
|
+
if (entries.size === 0)
|
|
172
|
+
return;
|
|
173
|
+
const vault = openProviderCredentialVault(options);
|
|
174
|
+
for (const [reference, secret] of entries) {
|
|
175
|
+
vault.set(reference, secret);
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
export function pruneProviderCredentialVault(options, activeSecretRefs) {
|
|
179
|
+
const storePath = credentialStorePath(options.configPath);
|
|
180
|
+
if (!existsSync(storePath))
|
|
181
|
+
return;
|
|
182
|
+
const active = new Set(activeSecretRefs);
|
|
183
|
+
const vault = openProviderCredentialVault(options);
|
|
184
|
+
for (const reference of vault.list()) {
|
|
185
|
+
if (!active.has(reference)) {
|
|
186
|
+
vault.delete(reference);
|
|
187
|
+
}
|
|
188
|
+
}
|
|
189
|
+
}
|
|
190
|
+
export function sealProviderApiKeys(options) {
|
|
191
|
+
const sealed = prepareSealedProviderApiKeys(options);
|
|
192
|
+
return sealed.providers;
|
|
193
|
+
}
|
|
194
|
+
// Structural detector for an UNMIGRATED or partially migrated config: any provider still carrying a
|
|
195
|
+
// plaintext apiKey, or a figma block still carrying a plaintext accessToken. Pure and read-only —
|
|
196
|
+
// `keiko repair` uses it to flag an incomplete credential migration without opening any vault.
|
|
197
|
+
export function hasPlaintextGatewayCredentials(raw) {
|
|
198
|
+
if (!isRecord(raw)) {
|
|
199
|
+
return false;
|
|
200
|
+
}
|
|
201
|
+
const providers = Array.isArray(raw.providers) ? raw.providers : [];
|
|
202
|
+
const providerHasPlaintext = providers.some((provider) => isRecord(provider) && typeof provider.apiKey === "string" && provider.apiKey.length > 0);
|
|
203
|
+
const figma = raw.figma;
|
|
204
|
+
const figmaHasPlaintext = isRecord(figma) && typeof figma.accessToken === "string" && figma.accessToken.trim().length > 0;
|
|
205
|
+
return providerHasPlaintext || figmaHasPlaintext;
|
|
206
|
+
}
|
package/dist/csp.d.ts
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../src/csp.ts"],"names":[],"mappings":"AAoCA,wBAAgB,yBAAyB,CAAC,aAAa,EAAE,SAAS,MAAM,EAAE,GAAG,SAAS,MAAM,EAAE,CAgB7F;AAKD,wBAAgB,cAAc,CAAC,YAAY,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,CAsBtE"}
|
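--- a/package/dist/csp.js
+++ b/package/dist/csp.js
@@ -0,0 +1,75 @@
+// Hash-based Content-Security-Policy support (ADR-0011 D5, risk #1). The Next static export emits
+// inline RSC-bootstrap `<script>` blocks (`self.__next_f.push(...)`). The BFF serves
+// `script-src 'self'` with NO `'unsafe-inline'`, so each distinct inline script must be allowed by
+// its SHA-256 hash. `extractInlineScriptHashes` computes those hashes from exported HTML at build
+// time; `buildCspHeader` folds them into the policy the BFF sets on every response.
+//
+// The SHA-256 base64 primitive is sourced from @oscharko-dev/keiko-security so the CSP hash and the
+// rest of Keiko's content hashing share one audited cryptographic boundary.
+import { sha256Base64 } from "@oscharko-dev/keiko-security";
+// `/\bsrc\s*=/i` matches an attribute key only — no `<`/`>` involved, so it does not trigger
+// CodeQL js/bad-tag-filter (which fires on regexes that structurally match HTML tags).
+const SRC_ATTRIBUTE_PATTERN = /\bsrc\s*=/i;
+// Finds the next inline-script body starting at cursor `i`, using a case-insensitive indexOf scan
+// rather than a tag-matching regex (eliminates the CodeQL js/bad-tag-filter class entirely). Body
+// is sliced from original-case `html` so the SHA-256 matches what the browser executes.
+function nextInlineScript(html, lower, i) {
+const open = lower.indexOf("<script", i);
+if (open === -1)
+return null;
+const openEnd = lower.indexOf(">", open);
+if (openEnd === -1)
+return null;
+const close = lower.indexOf("</script", openEnd + 1);
+if (close === -1)
+return null;
+const closeEnd = lower.indexOf(">", close);
+const next = closeEnd === -1 ? close + 8 : closeEnd + 1;
+return { openTag: html.slice(open, openEnd + 1), body: html.slice(openEnd + 1, close), next };
+}
+// Returns the distinct `'sha256-...'` CSP source tokens for every inline script across the given
+// HTML documents, in stable sorted order so the generated policy is deterministic.
+export function extractInlineScriptHashes(htmlDocuments) {
+const tokens = new Set();
+for (const html of htmlDocuments) {
+const lower = html.toLowerCase();
+let i = 0;
+for (;;) {
+const found = nextInlineScript(html, lower, i);
+if (found === null)
+break;
+const { openTag, body, next } = found;
+if (!SRC_ATTRIBUTE_PATTERN.test(openTag) && body.length > 0) {
+tokens.add(`'sha256-${sha256Base64(body)}'`);
+}
+i = next;
+}
+}
+return [...tokens].sort();
+}
+// Builds the full CSP header value. `scriptHashes` are folded into `script-src` alongside `'self'`.
+// `style-src` keeps `'unsafe-inline'` for Tailwind's injected styles (the only permitted inline
+// source); `script-src` never receives `'unsafe-inline'` or `'unsafe-eval'`.
+export function buildCspHeader(scriptHashes) {
+const scriptSrc = ["'self'", ...scriptHashes].join(" ");
+return [
+"default-src 'none'",
+`script-src ${scriptSrc}`,
+"style-src 'self' 'unsafe-inline'",
+"img-src 'self' data:",
+"connect-src 'self'",
+"font-src 'self'",
+// `manifest-src 'self'` is required for the PWA manifest at /manifest.webmanifest to load
+// under our `default-src 'none'` fallback (browsers will otherwise refuse the fetch). The
+// directive is strictly additive and does not loosen any existing source allow-list.
+"manifest-src 'self'",
+// `worker-src 'self'` is required for the service worker at /sw.js to register under the
+// `default-src 'none'` fallback (issue #126, ADR-0024 D6). The SW script itself is loaded
+// by the existing `script-src 'self'`; this directive controls worker creation. Strictly
+// additive — no existing source allow-list is loosened.
+"worker-src 'self'",
+"base-uri 'none'",
+"form-action 'none'",
+"frame-ancestors 'none'",
+].join("; ");
+}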
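Review bot: In `extractInlineScriptHashes`, offsets found in `html.toLowerCase()` are used by `nextInlineScript` to slice the original `html`, but Unicode lowercasing is not length-preserving (U+0130, for example, lowercases to two code units), so a document with such a character ahead of an inline script produces a body, and therefore a hash, shifted off the real script text. The mismatch fails closed, since the browser simply refuses the script, but it is hard to diagnose at build time; an ASCII-only fold keeps the indices aligned: `const lower = html.replace(/[A-Z]/g, (c) => c.toLowerCase());`. Separately, `buildCspHeader` joins `scriptHashes` into `script-src` unchecked, so the comment's guarantee that the directive never receives `'unsafe-inline'` or `'unsafe-eval'` holds only if every caller passes the output of `extractInlineScriptHashes` (callers are not visible in this file). Dropping or rejecting any entry that does not match something like `/^'sha256-[A-Za-z0-9+/]+={0,2}'$/` before the join would make the function enforce that invariant itself and also keep a stray `;` from opening a new directive.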
package/dist/deps.d.ts
ADDED
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
import { type EnvSource, type GatewayConfig } from "@oscharko-dev/keiko-model-gateway";
|
|
2
|
+
import type { ModelPort } from "@oscharko-dev/keiko-harness";
|
|
3
|
+
import type { EvidenceStore } from "@oscharko-dev/keiko-evidence";
|
|
4
|
+
import type { RunRegistry } from "./runs.js";
|
|
5
|
+
import { type UiStore } from "./store/index.js";
|
|
6
|
+
import { type TerminalExecutionManager } from "./terminal.js";
|
|
7
|
+
import { type BrowserSessionManager } from "@oscharko-dev/keiko-tools";
|
|
8
|
+
import { type MemoryVaultStore } from "@oscharko-dev/keiko-memory-vault";
|
|
9
|
+
import { type ConsolidationJobRegistry } from "./memory-consolidation-registry.js";
|
|
10
|
+
import type { OpenAIEmbeddingBatchOutcome, OpenAIEmbeddingBatchRequest, OpenAIEmbeddingOutcome, OpenAIEmbeddingRequest } from "@oscharko-dev/keiko-model-gateway";
|
|
11
|
+
import { type RelationshipHandlerDeps } from "./relationship-handlers.js";
|
|
12
|
+
import { type GroundingLimits } from "@oscharko-dev/keiko-contracts/bff-wire";
|
|
13
|
+
import type { EditorLanguageRouteOptions } from "./editor/languageRoutes.js";
|
|
14
|
+
import type { KnowledgeStoreKeyProvider } from "@oscharko-dev/keiko-local-knowledge";
|
|
15
|
+
import { type QiRetentionAuditSink } from "./qualityIntelligence/retentionEnforcement.js";
|
|
16
|
+
export type Redactor = (value: unknown) => unknown;
|
|
17
|
+
export type ModelPortFactory = (modelId: string) => ModelPort | undefined;
|
|
18
|
+
type GatewayEgressConfig = NonNullable<GatewayConfig["egress"]>;
|
|
19
|
+
export interface RuntimeGatewayConfig {
|
|
20
|
+
readonly storagePath: string;
|
|
21
|
+
current(): GatewayConfig | undefined;
|
|
22
|
+
present(): boolean;
|
|
23
|
+
set(config: GatewayConfig | undefined, present: boolean): void;
|
|
24
|
+
}
|
|
25
|
+
export interface UiHandlerDeps {
|
|
26
|
+
readonly config: GatewayConfig | undefined;
|
|
27
|
+
readonly configPresent: boolean;
|
|
28
|
+
readonly evidenceStore: EvidenceStore;
|
|
29
|
+
readonly env: EnvSource;
|
|
30
|
+
readonly egress?: GatewayEgressConfig | undefined;
|
|
31
|
+
readonly redactor: Redactor;
|
|
32
|
+
readonly registry: RunRegistry;
|
|
33
|
+
readonly modelPortFactory: ModelPortFactory;
|
|
34
|
+
readonly redactionSecrets?: readonly string[] | undefined;
|
|
35
|
+
readonly store: UiStore;
|
|
36
|
+
readonly uiDbPath?: string | undefined;
|
|
37
|
+
readonly preferredProjectPath?: string | undefined;
|
|
38
|
+
readonly terminal?: TerminalExecutionManager | undefined;
|
|
39
|
+
readonly browser?: BrowserSessionManager | undefined;
|
|
40
|
+
readonly memoryVault?: MemoryVaultStore | undefined;
|
|
41
|
+
readonly consolidationJobs?: ConsolidationJobRegistry | undefined;
|
|
42
|
+
readonly gatewayConfig?: RuntimeGatewayConfig | undefined;
|
|
43
|
+
readonly gatewaySetupTester?: ((config: GatewayConfig, candidateModelIds: readonly string[]) => Promise<readonly string[]>) | undefined;
|
|
44
|
+
readonly gatewayModelDiscovery?: ((baseUrl: string, apiKey: string, apiKeyHeaderName?: string, egress?: GatewayEgressConfig) => Promise<readonly string[]>) | undefined;
|
|
45
|
+
readonly figmaCredentialTester?: ((accessToken: string, egress?: GatewayEgressConfig) => Promise<void>) | undefined;
|
|
46
|
+
readonly editorLanguageRouteOptions?: EditorLanguageRouteOptions | undefined;
|
|
47
|
+
readonly localKnowledgeEmbeddingRequest?: ((request: OpenAIEmbeddingRequest) => Promise<OpenAIEmbeddingOutcome>) | undefined;
|
|
48
|
+
readonly localKnowledgeEmbeddingBatchRequest?: ((request: OpenAIEmbeddingBatchRequest) => Promise<OpenAIEmbeddingBatchOutcome>) | undefined;
|
|
49
|
+
readonly relationship?: RelationshipHandlerDeps | undefined;
|
|
50
|
+
readonly evidenceDir?: string | undefined;
|
|
51
|
+
readonly localKnowledgeKeyProvider?: KnowledgeStoreKeyProvider | undefined;
|
|
52
|
+
}
|
|
53
|
+
export interface BuildHandlerDepsOptions {
|
|
54
|
+
readonly configPath: string | undefined;
|
|
55
|
+
readonly evidenceDir: string | undefined;
|
|
56
|
+
readonly env: EnvSource;
|
|
57
|
+
readonly registry?: RunRegistry | undefined;
|
|
58
|
+
readonly modelPortFactory?: ModelPortFactory | undefined;
|
|
59
|
+
readonly uiDbPath?: string | undefined;
|
|
60
|
+
readonly store?: UiStore | undefined;
|
|
61
|
+
readonly initialProjectPath?: string | undefined;
|
|
62
|
+
readonly gatewaySetupTester?: ((config: GatewayConfig, candidateModelIds: readonly string[]) => Promise<readonly string[]>) | undefined;
|
|
63
|
+
readonly gatewayModelDiscovery?: ((baseUrl: string, apiKey: string, apiKeyHeaderName?: string, egress?: GatewayEgressConfig) => Promise<readonly string[]>) | undefined;
|
|
64
|
+
readonly figmaCredentialTester?: ((accessToken: string, egress?: GatewayEgressConfig) => Promise<void>) | undefined;
|
|
65
|
+
readonly qiRetentionAuditSink?: QiRetentionAuditSink | undefined;
|
|
66
|
+
readonly qiRetentionNow?: (() => number) | undefined;
|
|
67
|
+
}
|
|
68
|
+
export declare function currentGatewayConfig(deps: UiHandlerDeps): GatewayConfig | undefined;
|
|
69
|
+
export declare function currentGatewayConfigPresent(deps: UiHandlerDeps): boolean;
|
|
70
|
+
export declare function currentGatewayEgressConfig(deps: Pick<UiHandlerDeps, "config" | "gatewayConfig" | "env" | "egress">): GatewayEgressConfig | undefined;
|
|
71
|
+
export declare function currentGroundingLimits(deps: UiHandlerDeps): GroundingLimits;
|
|
72
|
+
export type { GroundingLimits };
|
|
73
|
+
export declare function buildRedactor(env: EnvSource, config?: GatewayConfig): Redactor;
|
|
74
|
+
export declare function currentRedactionSecrets(deps: UiHandlerDeps): readonly string[];
|
|
75
|
+
export declare function currentEvidenceTopologyRedactionSecrets(deps: UiHandlerDeps): readonly string[];
|
|
76
|
+
export declare function currentEvidenceRequiresFullStringRedaction(deps: UiHandlerDeps): boolean;
|
|
77
|
+
export declare function buildUiHandlerDeps(options: BuildHandlerDepsOptions): UiHandlerDeps;
|
|
78
|
+
//# sourceMappingURL=deps.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"deps.d.ts","sourceRoot":"","sources":["../src/deps.ts"],"names":[],"mappings":"AAQA,OAAO,EAML,KAAK,SAAS,EACd,KAAK,aAAa,EACnB,MAAM,mCAAmC,CAAC;AAG3C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAQ7D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAElE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAE7C,OAAO,EAML,KAAK,OAAO,EACb,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAkC,KAAK,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAC9F,OAAO,EAA+B,KAAK,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACpG,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAGzE,OAAO,EAEL,KAAK,wBAAwB,EAC9B,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EACV,2BAA2B,EAC3B,2BAA2B,EAC3B,sBAAsB,EACtB,sBAAsB,EACvB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAEL,KAAK,uBAAuB,EAC7B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAEL,KAAK,eAAe,EACrB,MAAM,wCAAwC,CAAC;AAChD,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,4BAA4B,CAAC;AAG7E,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qCAAqC,CAAC;AAErF,OAAO,EAEL,KAAK,oBAAoB,EAC1B,MAAM,+CAA+C,CAAC;AAIvD,MAAM,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC;AAMnD,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,EAAE,MAAM,KAAK,SAAS,GAAG,SAAS,CAAC;AAC1E,KAAK,mBAAmB,GAAG,WAAW,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;AAEhE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,OAAO,IAAI,aAAa,GAAG,SAAS,CAAC;IACrC,OAAO,IAAI,OAAO,CAAC;IACnB,GAAG,CAAC,MAAM,EAAE,aAAa,GAAG,SAAS,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;CAChE;AAED,MAAM,WAAW,aAAa;IAE5B,QAAQ,CAAC,MAAM,EAAE,aAAa,GAAG,SAAS,CAAC;IAE3C,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAEhC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IAEtC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IAExB,QAAQ,CAAC,MAAM,CAAC,EAAE,mBAAmB,GAAG,SAAS,CAAC;IAElD,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAE5B,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;IAE/B,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAE5C,QAAQ,CAAC,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,GAAG,SAAS,CAAC;IAG1D,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IAGxB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAGvC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAGnD,QAAQ,CAAC,QAAQ,CAAC,EAAE,wBAAwB,GAAG,SAAS,CAAC;IAGzD,QAAQ,CAAC,OAAO,CAAC,EAAE,qBAAqB,GAAG,SAAS,CAAC;IAGrD,QAAQ,CAAC,WAAW,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAC;IAEp
D,QAAQ,CAAC,iBAAiB,CAAC,EAAE,wBAAwB,GAAG,SAAS,CAAC;IAGlE,QAAQ,CAAC,aAAa,CAAC,EAAE,oBAAoB,GAAG,SAAS,CAAC;IAE1D,QAAQ,CAAC,kBAAkB,CAAC,EACxB,CAAC,CAAC,MAAM,EAAE,aAAa,EAAE,iBAAiB,EAAE,SAAS,MAAM,EAAE,KAAK,OAAO,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC,GAC7F,SAAS,CAAC;IAEd,QAAQ,CAAC,qBAAqB,CAAC,EAC3B,CAAC,CACC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,MAAM,EACzB,MAAM,CAAC,EAAE,mBAAmB,KACzB,OAAO,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC,GAChC,SAAS,CAAC;IAEd,QAAQ,CAAC,qBAAqB,CAAC,EAC3B,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,mBAAmB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC,GACtE,SAAS,CAAC;IAGd,QAAQ,CAAC,0BAA0B,CAAC,EAAE,0BAA0B,GAAG,SAAS,CAAC;IAG7E,QAAQ,CAAC,8BAA8B,CAAC,EACpC,CAAC,CAAC,OAAO,EAAE,sBAAsB,KAAK,OAAO,CAAC,sBAAsB,CAAC,CAAC,GACtE,SAAS,CAAC;IAId,QAAQ,CAAC,mCAAmC,CAAC,EACzC,CAAC,CAAC,OAAO,EAAE,2BAA2B,KAAK,OAAO,CAAC,2BAA2B,CAAC,CAAC,GAChF,SAAS,CAAC;IAId,QAAQ,CAAC,YAAY,CAAC,EAAE,uBAAuB,GAAG,SAAS,CAAC;IAI5D,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAK1C,QAAQ,CAAC,yBAAyB,CAAC,EAAE,yBAAyB,GAAG,SAAS,CAAC;CAC5E;AAED,MAAM,WAAW,uBAAuB;IAEtC,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAExC,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IACzC,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IAExB,QAAQ,CAAC,QAAQ,CAAC,EAAE,WAAW,GAAG,SAAS,CAAC;IAE5C,QAAQ,CAAC,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAC;IAGzD,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAEvC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IAGrC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAEjD,QAAQ,CAAC,kBAAkB,CAAC,EACxB,CAAC,CAAC,MAAM,EAAE,aAAa,EAAE,iBAAiB,EAAE,SAAS,MAAM,EAAE,KAAK,OAAO,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC,GAC7F,SAAS,CAAC;IAEd,QAAQ,CAAC,qBAAqB,CAAC,EAC3B,CAAC,CACC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,MAAM,EACzB,MAAM,CAAC,EAAE,mBAAmB,KACzB,OAAO,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC,GAChC,SAAS,CAAC;IAEd,QAAQ,CAAC,qBAAqB,CAAC,EAC3B,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,mBAAmB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC,GACtE,SAAS,CAAC;IAId,QAAQ,CAAC,oBAAoB,CAAC,EAAE,oBAAoB,GAAG,SAAS,CAAC;IACjE,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC,MAAM,MAAM,CAAC,GAAG,SAAS
,CAAC;CACtD;AA2HD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,aAAa,GAAG,aAAa,GAAG,SAAS,CAEnF;AAED,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAExE;AAED,wBAAgB,0BAA0B,CACxC,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,QAAQ,GAAG,eAAe,GAAG,KAAK,GAAG,QAAQ,CAAC,GACvE,mBAAmB,GAAG,SAAS,CAOjC;AA0CD,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,aAAa,GAAG,eAAe,CAG3E;AAGD,YAAY,EAAE,eAAe,EAAE,CAAC;AA8FhC,wBAAgB,aAAa,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,aAAa,GAAG,QAAQ,CAS9E;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,MAAM,EAAE,CAE9E;AAED,wBAAgB,uCAAuC,CAAC,IAAI,EAAE,aAAa,GAAG,SAAS,MAAM,EAAE,CAO9F;AAED,wBAAgB,0CAA0C,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAMvF;AA8LD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,uBAAuB,GAAG,aAAa,CAiDlF"}
|