@oscharko-dev/keiko 0.1.0-beta.0

package/dist/ui/static.js

@@ -0,0 +1,72 @@
+// Path-traversal-safe static file serving of the exported UI (ADR-0011 D5/D6). The BFF serves only
+// files contained within `dist/ui/static/`. The request path is decoded, normalized, and resolved
+// against the static root; the resolved path must remain inside the root or the request is refused.
+// There is no shell and no user-controlled path beyond the contained root.
+import { createReadStream } from "node:fs";
+import { lstat } from "node:fs/promises";
+import { join, normalize, resolve, sep, extname } from "node:path";
+const CONTENT_TYPES = {
+    ".html": "text/html; charset=utf-8",
+    ".js": "text/javascript; charset=utf-8",
+    ".css": "text/css; charset=utf-8",
+    ".json": "application/json; charset=utf-8",
+    ".txt": "text/plain; charset=utf-8",
+    ".svg": "image/svg+xml",
+    ".png": "image/png",
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+    ".gif": "image/gif",
+    ".webp": "image/webp",
+    ".ico": "image/x-icon",
+    ".woff": "font/woff",
+    ".woff2": "font/woff2",
+    ".map": "application/json; charset=utf-8",
+};
+function contentTypeFor(filePath) {
+    return CONTENT_TYPES[extname(filePath).toLowerCase()] ?? "application/octet-stream";
+}
+// Resolves a URL pathname to an absolute path strictly contained within `root`, or `undefined` when
+// the request escapes the root (traversal) or cannot be decoded. Containment is enforced on the
+// resolved, normalized path: it must equal `root` or start with `root + sep`.
+export function resolveContainedPath(root, pathname) {
+    let decoded;
+    try {
+        decoded = decodeURIComponent(pathname);
+    }
+    catch {
+        return undefined;
+    }
+    if (decoded.includes("\0")) {
+        return undefined;
+    }
+    // Containment is enforced below on the resolved path, so traversal segments cannot escape the
+    // root regardless of their position; `normalize` only collapses redundant separators here.
+    const candidate = resolve(join(root, normalize(decoded)));
+    const containedRoot = resolve(root);
+    if (candidate !== containedRoot && !candidate.startsWith(containedRoot + sep)) {
+        return undefined;
+    }
+    return candidate;
+}
+// Streams the file at `filePath` with the correct content type. Returns false when the path is not
+// a regular file (caller then falls back to the SPA index or a 404). Uses `lstat` (not `stat`) so a
+// symlink planted in the static root is NOT followed: a regular file is served, a symlink is refused
+// even when it points back inside the root — matching the audit store's never-follow-a-symlink rule
+// (defense in depth; the export pipeline emits only regular files).
+export async function serveFile(res, filePath) {
+    let info;
+    try {
+        info = await lstat(filePath);
+    }
+    catch {
+        return false;
+    }
+    if (info.isSymbolicLink() || !info.isFile()) {
+        return false;
+    }
+    res.statusCode = 200;
+    res.setHeader("Content-Type", contentTypeFor(filePath));
+    res.setHeader("Content-Length", info.size);
+    createReadStream(filePath).pipe(res);
+    return true;
+}

package/dist/ui/store/chats.d.ts

@@ -0,0 +1,14 @@
+import type { DatabaseSync } from "node:sqlite";
+import type { Chat, CreateChatOptions, UpdateChatPatch } from "./types.js";
+export declare function listChats(db: DatabaseSync, projectPath: string): readonly Chat[];
+export declare function insertChat(db: DatabaseSync, args: {
+    readonly id: string;
+    readonly projectPath: string;
+    readonly title: string;
+    readonly selectedModel: string;
+    readonly opts: CreateChatOptions | undefined;
+    readonly now: number;
+}): Chat;
+export declare function updateChat(db: DatabaseSync, id: string, patch: UpdateChatPatch, now: number): Chat;
+export declare function deleteChat(db: DatabaseSync, id: string): void;
+export declare function touchChat(db: DatabaseSync, id: string, now: number): void;

package/dist/ui/store/chats.js

@@ -0,0 +1,110 @@
+// ADR-0013 — chats CRUD scoped to a project. Parameterized SQL only.
+import { invalidRequest, notFound } from "./errors.js";
+const MAX_SELECTED_MODEL_LEN = 160;
+const SELECTED_MODEL_RE = /^[A-Za-z0-9][A-Za-z0-9._/\- ]*$/;
+const FORBIDDEN_SELECTED_MODEL_TERMS = [
+    "apiKey",
+    "api_key",
+    "baseUrl",
+    "base_url",
+    "provider",
+    "deployment",
+    "endpoint",
+    "secret",
+    "token",
+    "credential",
+];
+function rowToChat(row) {
+    const status = row.status === null ? undefined : row.status;
+    return {
+        id: row.id,
+        projectPath: row.project_path,
+        title: row.title,
+        selectedModel: row.selected_model,
+        branchLabel: row.branch_label ?? undefined,
+        status,
+        createdAt: row.created_at,
+        updatedAt: row.updated_at,
+    };
+}
+const SQL_LIST = "SELECT id, project_path, title, selected_model, branch_label, status, created_at, updated_at FROM chats WHERE project_path = ? ORDER BY created_at ASC";
+const SQL_INSERT = `
+INSERT INTO chats (id, project_path, title, selected_model, branch_label, status, created_at, updated_at)
+VALUES (?, ?, ?, ?, ?, NULL, ?, ?)
+RETURNING id, project_path, title, selected_model, branch_label, status, created_at, updated_at
+`;
+const SQL_UPDATE = `
+UPDATE chats SET
+  title = COALESCE(?, title),
+  selected_model = COALESCE(?, selected_model),
+  branch_label = COALESCE(?, branch_label),
+  status = COALESCE(?, status),
+  updated_at = ?
+WHERE id = ?
+RETURNING id, project_path, title, selected_model, branch_label, status, created_at, updated_at
+`;
+const SQL_DELETE = "DELETE FROM chats WHERE id = ?";
+const SQL_PROJECT_EXISTS = "SELECT 1 FROM projects WHERE path = ?";
+const SQL_TOUCH = "UPDATE chats SET updated_at = ? WHERE id = ?";
+function validateSelectedModel(value) {
+    if (value.length === 0)
+        throw invalidRequest("selectedModel is required.");
+    if (value.length > MAX_SELECTED_MODEL_LEN || !SELECTED_MODEL_RE.test(value)) {
+        throw invalidRequest("selectedModel must be a registry id.");
+    }
+    const lower = value.toLowerCase();
+    if (value.includes("://") ||
+        value.trim().startsWith("{") ||
+        FORBIDDEN_SELECTED_MODEL_TERMS.some((term) => lower.includes(term.toLowerCase()))) {
+        throw invalidRequest("selectedModel must be a registry id.");
+    }
+}
+export function listChats(db, projectPath) {
+    return db.prepare(SQL_LIST).all(projectPath).map(rowToChat);
+}
+export function insertChat(db, args) {
+    if (args.title.length === 0)
+        throw invalidRequest("Title is required.");
+    validateSelectedModel(args.selectedModel);
+    const projectExists = db.prepare(SQL_PROJECT_EXISTS).get(args.projectPath) !== undefined;
+    if (!projectExists)
+        throw notFound("Project");
+    const branch = args.opts?.branchLabel ?? null;
+    const row = db
+        .prepare(SQL_INSERT)
+        .get(args.id, args.projectPath, args.title, args.selectedModel, branch, args.now, args.now);
+    return rowToChat(row);
+}
+const VALID_CHAT_STATUSES = new Set(["open", "closed"]);
+function validateChatPatch(patch) {
+    // Runtime defense: handlers may pass widened (unknown) input cast to UpdateChatPatch.
+    const raw = patch.status;
+    if (raw !== undefined && (typeof raw !== "string" || !VALID_CHAT_STATUSES.has(raw))) {
+        throw invalidRequest("Invalid status.");
+    }
+}
+export function updateChat(db, id, patch, now) {
+    validateChatPatch(patch);
+    if (patch.selectedModel !== undefined)
+        validateSelectedModel(patch.selectedModel);
+    const titleParam = patch.title ?? null;
+    const modelParam = patch.selectedModel ?? null;
+    const branchParam = patch.branchLabel ?? null;
+    const statusParam = patch.status ?? null;
+    const row = db
+        .prepare(SQL_UPDATE)
+        .get(titleParam, modelParam, branchParam, statusParam, now, id);
+    if (row === undefined)
+        throw notFound("Chat");
+    return rowToChat(row);
+}
+export function deleteChat(db, id) {
+    const info = db.prepare(SQL_DELETE).run(id);
+    if (info.changes === 0)
+        throw notFound("Chat");
+}
+export function touchChat(db, id, now) {
+    const info = db.prepare(SQL_TOUCH).run(now, id);
+    if (info.changes === 0)
+        throw notFound("Chat");
+}

package/dist/ui/store/db.d.ts

@@ -0,0 +1,6 @@
+import type { UiStore, UiStoreFactoryOptions } from "./types.js";
+export declare function isProjectAvailable(project: {
+    readonly path: string;
+}): boolean;
+export declare function createInMemoryUiStore(opts?: UiStoreFactoryOptions): UiStore;
+export declare function createNodeUiStore(dbPath: string, opts?: UiStoreFactoryOptions): UiStore;

package/dist/ui/store/db.js

@@ -0,0 +1,182 @@
+// ADR-0013 D3/D8/D9 — DB lifecycle, factories, and the public UiStore wiring. The synchronous
+// `node:sqlite` DatabaseSync drives both factories; the node adapter adds directory creation,
+// 0o700/0o600 permission hardening (Unix), and reopen-safe migrations.
+import { DatabaseSync } from "node:sqlite";
+import { chmodSync, existsSync, mkdirSync, renameSync, statSync } from "node:fs";
+import { dirname } from "node:path";
+import { randomUUID } from "node:crypto";
+import { runMigrations } from "./schema.js";
+import { deleteProject as sqlDeleteProject, getProject as sqlGetProject, listProjects as sqlListProjects, updateProject as sqlUpdateProject, upsertProject as sqlUpsertProject, } from "./projects.js";
+import { deleteChat as sqlDeleteChat, insertChat as sqlInsertChat, listChats as sqlListChats, touchChat as sqlTouchChat, updateChat as sqlUpdateChat, } from "./chats.js";
+import { insertMessage as sqlInsertMessage, listMessages as sqlListMessages, updateMessage as sqlUpdateMessage, } from "./messages.js";
+import { validateProjectPath } from "./validation.js";
+import { basename } from "node:path";
+import { invalidRequest } from "./errors.js";
+const DEFAULT_REDACT = (s) => s;
+// Returns whether a project's directory currently exists and is a directory. Derived availability
+// (ADR-0013 D5): the store never deletes a row because the path went missing; the UI surfaces this.
+export function isProjectAvailable(project) {
+    try {
+        return statSync(project.path).isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
+function resolveOptions(opts) {
+    return {
+        now: opts?.now ?? (() => Date.now()),
+        newId: opts?.newId ?? randomUUID,
+        redactString: opts?.redactString ?? DEFAULT_REDACT,
+    };
+}
+function deriveProjectName(explicit, path) {
+    if (explicit === undefined)
+        return basename(path);
+    if (explicit.length === 0)
+        throw invalidRequest("Name must not be empty.");
+    return explicit;
+}
+function createChatRecord(db, options, projectPath, title, selectedModel, opts) {
+    const project = sqlGetProject(db, projectPath);
+    if (project !== undefined && !isProjectAvailable(project)) {
+        throw invalidRequest("Project path is unavailable.");
+    }
+    return sqlInsertChat(db, {
+        id: options.newId(),
+        projectPath,
+        title,
+        selectedModel,
+        opts,
+        now: options.now(),
+    });
+}
+function createMessageRecord(db, options, msg) {
+    return sqlInsertMessage(db, options.newId(), msg, options.redactString);
+}
+function createProjectRecord(db, options, path, name) {
+    const normalized = validateProjectPath(path, { mustExist: true });
+    const resolvedName = deriveProjectName(name, normalized);
+    return sqlUpsertProject(db, normalized, resolvedName, name !== undefined, options.now());
+}
+function updateProjectRecord(db, options, path, patch) {
+    const normalized = validateProjectPath(path, { mustExist: false });
+    return sqlUpdateProject(db, normalized, patch, options.now());
+}
+function deleteProjectRecord(db, path) {
+    const normalized = validateProjectPath(path, { mustExist: false });
+    sqlDeleteProject(db, normalized);
+}
+function createMessageBatch(db, options, messages) {
+    if (messages.length === 0) {
+        throw invalidRequest("At least one message is required.");
+    }
+    db.exec("BEGIN");
+    try {
+        const created = messages.map((msg) => createMessageRecord(db, options, msg));
+        for (const chatId of new Set(messages.map((msg) => msg.chatId))) {
+            sqlTouchChat(db, chatId, options.now());
+        }
+        db.exec("COMMIT");
+        return created;
+    }
+    catch (error) {
+        db.exec("ROLLBACK");
+        throw error;
+    }
+}
+function buildStore(db, options) {
+    return {
+        listProjects: () => sqlListProjects(db),
+        createProject: (path, name) => createProjectRecord(db, options, path, name),
+        updateProject: (path, patch) => updateProjectRecord(db, options, path, patch),
+        deleteProject: (path) => {
+            deleteProjectRecord(db, path);
+        },
+        listChats: (projectPath) => sqlListChats(db, projectPath),
+        createChat: (projectPath, title, selectedModel, opts) => createChatRecord(db, options, projectPath, title, selectedModel, opts),
+        updateChat: (id, patch) => sqlUpdateChat(db, id, patch, options.now()),
+        deleteChat: (id) => {
+            sqlDeleteChat(db, id);
+        },
+        listMessages: (chatId) => sqlListMessages(db, chatId),
+        createMessage: (msg) => {
+            const message = createMessageRecord(db, options, msg);
+            sqlTouchChat(db, msg.chatId, options.now());
+            return message;
+        },
+        createMessages: (messages) => createMessageBatch(db, options, messages),
+        updateMessage: (id, patch) => sqlUpdateMessage(db, id, patch, options.redactString),
+        close: () => {
+            db.close();
+        },
+    };
+}
+function quarantineCorruptDb(target) {
+    const ts = new Date().toISOString().replace(/[:.]/g, "-");
+    renameSync(target, `${target}.corrupt.${ts}`);
+    for (const sidecar of [`${target}-wal`, `${target}-shm`]) {
+        if (existsSync(sidecar)) {
+            renameSync(sidecar, `${sidecar}.corrupt.${ts}`);
+        }
+    }
+}
+function preparedDatabase(target) {
+    const db = new DatabaseSync(target);
+    db.exec("PRAGMA foreign_keys = ON");
+    return db;
+}
+// ────────────────────────────────────────────────────────────────────────────
+// In-memory factory (tests)
+// ────────────────────────────────────────────────────────────────────────────
+export function createInMemoryUiStore(opts) {
+    const db = preparedDatabase(":memory:");
+    runMigrations(db);
+    return buildStore(db, resolveOptions(opts));
+}
+// ────────────────────────────────────────────────────────────────────────────
+// Node on-disk factory
+// ────────────────────────────────────────────────────────────────────────────
+function ensureDirHardened(dir) {
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+    if (process.platform !== "win32") {
+        try {
+            chmodSync(dir, 0o700);
+        }
+        catch {
+            // best-effort; leave existing perms if owner change is unavailable
+        }
+    }
+}
+function chmodIfPresent(path, mode) {
+    if (process.platform === "win32")
+        return;
+    try {
+        chmodSync(path, mode);
+    }
+    catch {
+        // file may not exist yet (WAL/-shm sidecars); best-effort
+    }
+}
+export function createNodeUiStore(dbPath, opts) {
+    ensureDirHardened(dirname(dbPath));
+    let db = preparedDatabase(dbPath);
+    try {
+        db.exec("PRAGMA journal_mode = WAL");
+        runMigrations(db);
+    }
+    catch {
+        // Corrupt DB: quarantine (rename to .corrupt.<iso>) and open a fresh one.
+        db.close();
+        quarantineCorruptDb(dbPath);
+        db = preparedDatabase(dbPath);
+        db.exec("PRAGMA journal_mode = WAL");
+        runMigrations(db);
+    }
+    chmodIfPresent(dbPath, 0o600);
+    chmodIfPresent(`${dbPath}-wal`, 0o600);
+    chmodIfPresent(`${dbPath}-shm`, 0o600);
+    return buildStore(db, resolveOptions(opts));
+}

package/dist/ui/store/errors.d.ts

@@ -0,0 +1,12 @@
+export type UiStoreErrorCode = "invalid_path" | "path_not_directory" | "path_not_found" | "project_exists" | "not_found" | "invalid_request" | "internal";
+export declare class UiStoreError extends Error {
+    readonly code: UiStoreErrorCode;
+    readonly status: number;
+    constructor(code: UiStoreErrorCode, message: string, status: number);
+}
+export declare function invalidPath(message: string): UiStoreError;
+export declare function pathNotDirectory(): UiStoreError;
+export declare function pathNotFound(): UiStoreError;
+export declare function notFound(entity: string): UiStoreError;
+export declare function invalidRequest(message: string): UiStoreError;
+export declare function projectExists(): UiStoreError;

package/dist/ui/store/errors.js

@@ -0,0 +1,30 @@
+// ADR-0013 — Typed errors with stable codes. NEVER include the raw path, SQL text, or system error
+// strings in `.message` — these surface to the BFF error envelope and must be safe to log/expose.
+export class UiStoreError extends Error {
+    code;
+    status;
+    constructor(code, message, status) {
+        super(message);
+        this.name = "UiStoreError";
+        this.code = code;
+        this.status = status;
+    }
+}
+export function invalidPath(message) {
+    return new UiStoreError("invalid_path", message, 400);
+}
+export function pathNotDirectory() {
+    return new UiStoreError("path_not_directory", "The path is not a directory.", 400);
+}
+export function pathNotFound() {
+    return new UiStoreError("path_not_found", "The path does not exist.", 400);
+}
+export function notFound(entity) {
+    return new UiStoreError("not_found", `${entity} not found.`, 404);
+}
+export function invalidRequest(message) {
+    return new UiStoreError("invalid_request", message, 400);
+}
+export function projectExists() {
+    return new UiStoreError("project_exists", "Project already registered.", 409);
+}

package/dist/ui/store/index.d.ts

@@ -0,0 +1,6 @@
+export type { Chat, ChatMessage, ChatRole, CreateChatOptions, NewChatMessage, Project, UiStore, UiStoreFactoryOptions, UpdateChatMessagePatch, UpdateChatPatch, UpdateProjectPatch, WorkflowStatus, } from "./types.js";
+export { UiStoreError, type UiStoreErrorCode, invalidPath, invalidRequest, notFound, pathNotDirectory, pathNotFound, projectExists, } from "./errors.js";
+export { validateProjectPath, type ValidateProjectPathOptions } from "./validation.js";
+export { assertUiDbOutsideProject, resolveUiDbPath, UI_DB_FILENAME, UI_DB_DIRNAME, } from "./paths.js";
+export { runMigrations, SCHEMA_VERSION } from "./schema.js";
+export { createInMemoryUiStore, createNodeUiStore, isProjectAvailable } from "./db.js";

package/dist/ui/store/index.js

@@ -0,0 +1,6 @@
+// ADR-0013 — UI-local SQLite persistence layer. Barrel re-exporting the public seams.
+export { UiStoreError, invalidPath, invalidRequest, notFound, pathNotDirectory, pathNotFound, projectExists, } from "./errors.js";
+export { validateProjectPath } from "./validation.js";
+export { assertUiDbOutsideProject, resolveUiDbPath, UI_DB_FILENAME, UI_DB_DIRNAME, } from "./paths.js";
+export { runMigrations, SCHEMA_VERSION } from "./schema.js";
+export { createInMemoryUiStore, createNodeUiStore, isProjectAvailable } from "./db.js";

package/dist/ui/store/messages.d.ts

@@ -0,0 +1,5 @@
+import type { DatabaseSync } from "node:sqlite";
+import type { ChatMessage, NewChatMessage, UpdateChatMessagePatch } from "./types.js";
+export declare function listMessages(db: DatabaseSync, chatId: string): readonly ChatMessage[];
+export declare function insertMessage(db: DatabaseSync, id: string, msg: NewChatMessage, redactString: (s: string) => string): ChatMessage;
+export declare function updateMessage(db: DatabaseSync, id: string, patch: UpdateChatMessagePatch, redactString: (s: string) => string): ChatMessage;

package/dist/ui/store/messages.js

@@ -0,0 +1,137 @@
+// ADR-0013 — chat_messages CRUD. shortResult is redacted+truncated to ≤ MAX_SHORT_RESULT before persist.
+// Issue #66 adds:
+//   - `cancelled` to the accepted workflow status set (parity with src/ui/runs.ts RunStatus).
+//   - `task_type` column read/write so non-workflow runs (verify/explain-plan) can be labelled.
+//   - updateMessage(): partial PATCH on the row, re-using the existing redact+truncate path.
+import { invalidRequest, notFound } from "./errors.js";
+const MAX_SHORT_RESULT = 200;
+const MAX_TASK_TYPE = 64;
+// Constrained to a-z, digits, and a single inner `-` so the label remains URL-safe and survives
+// a SQL round-trip. Identical to the rule the BFF descriptors use for taskType identifiers.
+const TASK_TYPE_RE = /^[a-z][a-z0-9-]*$/;
+const ROLES = new Set(["user", "assistant", "system"]);
+const STATUSES = new Set([
+    "pending",
+    "running",
+    "completed",
+    "failed",
+    "cancelled",
+]);
+function rowToMessage(row) {
+    return {
+        id: row.id,
+        chatId: row.chat_id,
+        role: row.role,
+        content: row.content,
+        timestamp: row.timestamp,
+        runId: row.run_id ?? undefined,
+        workflowId: row.workflow_id ?? undefined,
+        workflowStatus: (row.workflow_status ?? undefined),
+        shortResult: row.short_result ?? undefined,
+        taskType: row.task_type ?? undefined,
+    };
+}
+const COLUMNS = "id, chat_id, role, content, timestamp, run_id, workflow_id, workflow_status, short_result, task_type";
+const SQL_LIST = `SELECT ${COLUMNS} FROM chat_messages WHERE chat_id = ? ORDER BY timestamp ASC, id ASC`;
+const SQL_CHAT_EXISTS = "SELECT 1 FROM chats WHERE id = ?";
+const SQL_INSERT = `
+INSERT INTO chat_messages
+  (id, chat_id, role, content, timestamp, run_id, workflow_id, workflow_status, short_result, task_type)
+VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+RETURNING ${COLUMNS}
+`;
+function validateTaskType(value) {
+    if (value.length === 0 || value.length > MAX_TASK_TYPE || !TASK_TYPE_RE.test(value)) {
+        throw invalidRequest("Invalid taskType.");
+    }
+}
+function hasRunSummaryFields(msg) {
+    return (msg.runId !== undefined ||
+        msg.workflowId !== undefined ||
+        msg.workflowStatus !== undefined ||
+        msg.shortResult !== undefined ||
+        msg.taskType !== undefined);
+}
+function validateRunIdentifiers(msg) {
+    if (msg.runId?.length === 0) {
+        throw invalidRequest("runId is required for run summaries.");
+    }
+    if (msg.workflowId?.length === 0) {
+        throw invalidRequest("workflowId must be non-empty.");
+    }
+}
+function validateRunSummaryScope(msg) {
+    if (hasRunSummaryFields(msg) && (msg.role !== "system" || msg.runId === undefined)) {
+        throw invalidRequest("Run summary fields require a system message with runId.");
+    }
+}
+function validateMessage(msg) {
+    if (!ROLES.has(msg.role))
+        throw invalidRequest("Invalid role.");
+    if (msg.content.length === 0)
+        throw invalidRequest("Content is required.");
+    validateRunIdentifiers(msg);
+    validateRunSummaryScope(msg);
+    if (msg.workflowStatus !== undefined && !STATUSES.has(msg.workflowStatus)) {
+        throw invalidRequest("Invalid workflowStatus.");
+    }
+    if (msg.taskType !== undefined)
+        validateTaskType(msg.taskType);
+}
+function processShortResult(raw, redactString) {
+    if (raw === undefined)
+        return null;
+    const redacted = redactString(raw);
+    return redacted.length > MAX_SHORT_RESULT ? redacted.slice(0, MAX_SHORT_RESULT) : redacted;
+}
+export function listMessages(db, chatId) {
+    return db.prepare(SQL_LIST).all(chatId).map(rowToMessage);
+}
+export function insertMessage(db, id, msg, redactString) {
+    validateMessage(msg);
+    const chatExists = db.prepare(SQL_CHAT_EXISTS).get(msg.chatId) !== undefined;
+    if (!chatExists)
+        throw notFound("Chat");
+    const shortResult = processShortResult(msg.shortResult, redactString);
+    const row = db
+        .prepare(SQL_INSERT)
+        .get(id, msg.chatId, msg.role, msg.content, msg.timestamp, msg.runId ?? null, msg.workflowId ?? null, msg.workflowStatus ?? null, shortResult, msg.taskType ?? null);
+    return rowToMessage(row);
+}
+// Issue #66 — Partial PATCH on a system run-summary message. Builds a dynamic SET clause from the
+// supplied fields so absent fields are not overwritten. shortResult goes through the existing
+// redact+truncate pipeline. workflowStatus and taskType are validated before SQL is built. An
+// empty patch is an invalid_request — the route surface guards this earlier, but the store layer
+// also fails-closed.
+export function updateMessage(db, id, patch, redactString) {
+    const sets = [];
+    const args = [];
+    if (patch.workflowStatus !== undefined) {
+        if (!STATUSES.has(patch.workflowStatus))
+            throw invalidRequest("Invalid workflowStatus.");
+        sets.push("workflow_status = ?");
+        args.push(patch.workflowStatus);
+    }
+    if (patch.shortResult !== undefined) {
+        sets.push("short_result = ?");
+        args.push(processShortResult(patch.shortResult, redactString));
+    }
+    if (patch.taskType !== undefined) {
+        validateTaskType(patch.taskType);
+        sets.push("task_type = ?");
+        args.push(patch.taskType);
+    }
+    if (sets.length === 0) {
+        throw invalidRequest("PATCH body must include at least one updatable field.");
+    }
+    const sql = `
+    UPDATE chat_messages
+    SET ${sets.join(", ")}
+    WHERE id = ? AND role = 'system' AND run_id IS NOT NULL AND length(run_id) > 0
+    RETURNING ${COLUMNS}
+  `;
+    const row = db.prepare(sql).get(...args, id);
+    if (row === undefined)
+        throw notFound("Message");
+    return rowToMessage(row);
+}

package/dist/ui/store/paths.d.ts

@@ -0,0 +1,4 @@
+export declare const UI_DB_FILENAME = "keiko-ui.db";
+export declare const UI_DB_DIRNAME = ".keiko";
+export declare function resolveUiDbPath(explicit: string | undefined, env: Readonly<Record<string, string | undefined>>): string;
+export declare function assertUiDbOutsideProject(uiDbPath: string | undefined, projectPath: string): void;

package/dist/ui/store/paths.js

@@ -0,0 +1,69 @@
+// ADR-0013 D4 — resolveUiDbPath precedence (mirrors resolveEvidenceDir):
+// explicit option → KEIKO_UI_DATA_DIR/keiko-ui.db → homedir()/.keiko/keiko-ui.db.
+import { homedir } from "node:os";
+import { existsSync, lstatSync } from "node:fs";
+import { dirname, isAbsolute, join, normalize, parse, resolve, sep } from "node:path";
+import { invalidRequest } from "./errors.js";
+export const UI_DB_FILENAME = "keiko-ui.db";
+export const UI_DB_DIRNAME = ".keiko";
+function isInsideCurrentWorkingDirectory(path) {
+    const cwd = resolve(process.cwd());
+    const resolved = resolve(path);
+    return resolved === cwd || resolved.startsWith(`${cwd}${sep}`);
+}
+function hasSymlinkAncestor(path) {
+    let current = dirname(path);
+    const root = parse(current).root;
+    while (current !== root) {
+        if (existsSync(current)) {
+            return lstatSync(current).isSymbolicLink();
+        }
+        current = dirname(current);
+    }
+    return false;
+}
+function resolveConfiguredPath(path, label) {
+    if (!isAbsolute(path)) {
+        throw invalidRequest(`${label} must be absolute.`);
+    }
+    const resolved = normalize(path);
+    if (isInsideCurrentWorkingDirectory(resolved)) {
+        throw invalidRequest(`${label} must not be inside the current workspace.`);
+    }
+    if (existsSync(resolved) && lstatSync(resolved).isSymbolicLink()) {
+        throw invalidRequest(`${label} must not be a symlink.`);
+    }
+    if (hasSymlinkAncestor(resolved)) {
+        throw invalidRequest(`${label} must not be inside a symlinked directory.`);
+    }
+    return resolved;
+}
+function containsPath(parent, child) {
+    const resolvedParent = resolve(parent);
+    const resolvedChild = resolve(child);
+    return resolvedChild === resolvedParent || resolvedChild.startsWith(`${resolvedParent}${sep}`);
+}
+export function resolveUiDbPath(explicit, env) {
+    if (explicit !== undefined && explicit.length > 0) {
+        return resolveConfiguredPath(explicit, "UI database path");
+    }
+    const dir = env.KEIKO_UI_DATA_DIR;
+    if (dir !== undefined && dir.length > 0) {
+        return join(resolveConfiguredPath(dir, "KEIKO_UI_DATA_DIR"), UI_DB_FILENAME);
+    }
+    return join(homedir(), UI_DB_DIRNAME, UI_DB_FILENAME);
+}
+export function assertUiDbOutsideProject(uiDbPath, projectPath) {
+    if (uiDbPath === undefined || uiDbPath.length === 0) {
+        return;
+    }
+    const resolvedDbPath = resolve(uiDbPath);
+    const resolvedDbDir = dirname(resolvedDbPath);
+    const resolvedProject = resolve(projectPath);
+    if (containsPath(resolvedProject, resolvedDbPath)) {
+        throw invalidRequest("UI database path must not be inside a selected project.");
+    }
+    if (containsPath(resolvedDbDir, resolvedProject)) {
+        throw invalidRequest("Selected projects must not be inside the UI database directory.");
+    }
+}