@oscharko-dev/test-intelligence 0.0.1-beta.0 → 0.1.0-beta.1

package/dist/index.js

@@ -0,0 +1,1250 @@
+import { createRequire } from 'node:module';
+import { createServer } from 'http';
+import { createHash, timingSafeEqual, randomUUID } from 'crypto';
+
+createRequire(import.meta.url);
+
+// packages/server/src/package-identity.ts
+var PACKAGE_NAME = "@oscharko-dev/test-intelligence";
+var PACKAGE_VERSION = "0.0.1-beta.0";
+function resolveReleaseStage(version) {
+  const separatorIndex = version.indexOf("-");
+  if (separatorIndex === -1) {
+    return "stable";
+  }
+  const preRelease = version.slice(separatorIndex + 1);
+  return preRelease.startsWith("beta") ? "beta" : "pre-beta";
+}
+function getPackageIdentity() {
+  return {
+    name: PACKAGE_NAME,
+    version: PACKAGE_VERSION,
+    stage: resolveReleaseStage(PACKAGE_VERSION)
+  };
+}
+
+// packages/contracts/dist/index.js
+var TEST_INTELLIGENCE_ENV = "TEST_INTELLIGENCE_ENABLED";
+
+// packages/server/src/constants.ts
+var DEFAULT_HOST = "127.0.0.1";
+var DEFAULT_PORT = 1983;
+var DEFAULT_RATE_LIMIT_PER_MINUTE = 60;
+var RATE_LIMIT_WINDOW_MS = 6e4;
+var MAX_REQUEST_BODY_BYTES = 1048576;
+var MAX_SUBMIT_BODY_BYTES = 8388608;
+var ENABLE_HSTS_ENV = "TEST_INTELLIGENCE_ENABLE_HSTS";
+var DEFAULT_STRICT_TRANSPORT_SECURITY = "max-age=31536000";
+var DEFAULT_CONTENT_SECURITY_POLICY = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'";
+var API_ROUTE_PREFIX = "/api/v1";
+var resolveTestIntelligenceEnabled = (env = process.env) => {
+  return parseBooleanEnv(env[TEST_INTELLIGENCE_ENV]);
+};
+var resolveStrictTransportSecurity = (env = process.env) => {
+  const raw = env[ENABLE_HSTS_ENV];
+  if (raw === void 0) {
+    return void 0;
+  }
+  const normalized = raw.trim().toLowerCase();
+  if (normalized === "" || normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off") {
+    return void 0;
+  }
+  return DEFAULT_STRICT_TRANSPORT_SECURITY;
+};
+var parseBooleanEnv = (raw) => {
+  if (raw === void 0) {
+    return false;
+  }
+  const normalized = raw.trim().toLowerCase();
+  return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
+};
+
+// packages/server/src/error-codes.ts
+var statusForErrorCode = (code) => {
+  switch (code) {
+    case "BAD_REQUEST":
+      return 400;
+    case "UNAUTHORIZED":
+    case "BEARER_TOKEN_MISSING":
+      return 401;
+    case "FORBIDDEN_REQUEST_ORIGIN":
+    case "FEATURE_GATE_DISABLED":
+      return 403;
+    case "NOT_FOUND":
+      return 404;
+    case "METHOD_NOT_ALLOWED":
+      return 405;
+    case "PAYLOAD_TOO_LARGE":
+      return 413;
+    case "UNSUPPORTED_MEDIA_TYPE":
+      return 415;
+    case "RATE_LIMITED":
+      return 429;
+    case "INTERNAL_ERROR":
+    case "VERIFICATION_FAILED":
+      return 500;
+    case "AUTHENTICATION_UNAVAILABLE":
+    case "LLM_GATEWAY_UNCONFIGURED":
+    case "LLM_GATEWAY_FAILED":
+      return 503;
+  }
+};
+
+// packages/server/src/http-helpers.ts
+var applySecurityHeaders = (response, options = {}) => {
+  response.setHeader("X-Content-Type-Options", "nosniff");
+  response.setHeader("Referrer-Policy", "no-referrer");
+  response.setHeader(
+    "Content-Security-Policy",
+    options.contentSecurityPolicy ?? DEFAULT_CONTENT_SECURITY_POLICY
+  );
+  const hsts = options.strictTransportSecurity ?? resolveStrictTransportSecurity();
+  if (hsts !== void 0) {
+    response.setHeader("Strict-Transport-Security", hsts);
+  }
+};
+var writeJsonResponse = ({
+  response,
+  statusCode,
+  payload,
+  extraHeaders
+}) => {
+  applySecurityHeaders(response);
+  response.setHeader("Content-Type", "application/json; charset=utf-8");
+  if (extraHeaders !== void 0) {
+    for (const [name, value] of Object.entries(extraHeaders)) {
+      response.setHeader(name, value);
+    }
+  }
+  response.statusCode = statusCode;
+  response.end(JSON.stringify(payload));
+};
+var writeErrorResponse = ({
+  response,
+  code,
+  message,
+  extraHeaders,
+  statusCode
+}) => {
+  const envelope = { error: code, message };
+  writeJsonResponse({
+    response,
+    statusCode: statusCode ?? statusForErrorCode(code),
+    payload: envelope,
+    ...extraHeaders !== void 0 ? { extraHeaders } : {}
+  });
+};
+var readJsonBody = async ({
+  request,
+  maxBytes
+}) => {
+  const chunks = [];
+  let received = 0;
+  for await (const chunk of request) {
+    const buf = typeof chunk === "string" ? Buffer.from(chunk, "utf8") : chunk;
+    received += buf.length;
+    if (received > maxBytes) {
+      return {
+        ok: false,
+        code: "PAYLOAD_TOO_LARGE",
+        message: `Request body exceeds ${maxBytes} bytes.`
+      };
+    }
+    chunks.push(buf);
+  }
+  if (chunks.length === 0) {
+    return {
+      ok: false,
+      code: "BAD_REQUEST",
+      message: "Request body is empty."
+    };
+  }
+  const text = Buffer.concat(chunks).toString("utf8");
+  try {
+    return { ok: true, value: JSON.parse(text) };
+  } catch {
+    return {
+      ok: false,
+      code: "BAD_REQUEST",
+      message: "Request body is not valid JSON."
+    };
+  }
+};
+var beginSseResponse = (response, options = {}) => {
+  applySecurityHeaders(response, options);
+  response.setHeader("Content-Type", "text/event-stream; charset=utf-8");
+  response.setHeader("Cache-Control", "no-cache, no-transform");
+  response.setHeader("Connection", "keep-alive");
+  response.statusCode = 200;
+  response.flushHeaders();
+  return {
+    writeEvent({ event, data, id }) {
+      const lines = [];
+      if (id !== void 0) {
+        lines.push(`id: ${id}`);
+      }
+      lines.push(`event: ${event}`);
+      const serialized = JSON.stringify(data);
+      for (const line of serialized.split("\n")) {
+        lines.push(`data: ${line}`);
+      }
+      lines.push("", "");
+      response.write(lines.join("\n"));
+    },
+    writeRetry(retryMs) {
+      response.write(`retry: ${String(retryMs)}
+
+`);
+    },
+    end() {
+      response.end();
+    }
+  };
+};
+var FORWARDED_FOR_HEADER = "x-forwarded-for";
+var resolveClientKey = (request) => {
+  const forwarded = request.headers[FORWARDED_FOR_HEADER];
+  const raw = Array.isArray(forwarded) ? forwarded[0] : forwarded;
+  if (typeof raw === "string" && raw.length > 0) {
+    const first = raw.split(",")[0]?.trim();
+    if (first !== void 0 && first.length > 0) {
+      return first;
+    }
+  }
+  return request.socket.remoteAddress ?? "unknown";
+};
+var createRequestLogger = (logger) => {
+  return {
+    log({ requestId, method, path, statusCode, durationMs, clientKey, route }) {
+      const segments = [
+        `method=${method}`,
+        `path=${path}`,
+        `status=${String(statusCode)}`,
+        `durationMs=${String(durationMs)}`,
+        `client=${clientKey}`
+      ];
+      if (route !== void 0) {
+        segments.push(`route=${route}`);
+      }
+      logger.log({
+        level: statusCode >= 500 ? "error" : "info",
+        message: segments.join(" "),
+        requestId,
+        method,
+        path,
+        statusCode
+      });
+    },
+    newRequestId() {
+      return randomUUID();
+    }
+  };
+};
+var createAuditLogger = ({
+  write,
+  now = () => (/* @__PURE__ */ new Date()).toISOString()
+}) => {
+  return {
+    record(event) {
+      const line = JSON.stringify({
+        ts: now(),
+        action: event.action,
+        subject: event.subject,
+        outcome: event.outcome,
+        ...event.principal !== void 0 ? { principal: event.principal } : {},
+        ...event.requestId !== void 0 ? { requestId: event.requestId } : {},
+        ...event.details !== void 0 ? { details: event.details } : {}
+      });
+      write(`${line}
+`);
+    }
+  };
+};
+
+// packages/server/src/rate-limit-store.ts
+var RateLimitStore = class {
+  buckets = /* @__PURE__ */ new Map();
+  get(key) {
+    return this.buckets.get(key);
+  }
+  set(key, bucket) {
+    this.buckets.set(key, bucket);
+  }
+  delete(key) {
+    this.buckets.delete(key);
+  }
+  clear() {
+    this.buckets.clear();
+  }
+  size() {
+    return this.buckets.size;
+  }
+};
+
+// packages/server/src/rate-limit.ts
+var createRateLimiter = ({
+  requestsPerMinute,
+  store = new RateLimitStore()
+}) => {
+  if (!Number.isFinite(requestsPerMinute) || requestsPerMinute < 1) {
+    throw new Error(
+      "createRateLimiter: requestsPerMinute must be a finite integer >= 1."
+    );
+  }
+  const limit = Math.floor(requestsPerMinute);
+  return {
+    check({ clientKey, routeKey, nowMs }) {
+      const key = `${clientKey}\0${routeKey}`;
+      const existing = store.get(key);
+      if (existing === void 0 || nowMs - existing.windowStartedAtMs >= RATE_LIMIT_WINDOW_MS) {
+        store.set(key, { count: 1, windowStartedAtMs: nowMs });
+        return {
+          ok: true,
+          remaining: limit - 1,
+          resetAtMs: nowMs + RATE_LIMIT_WINDOW_MS
+        };
+      }
+      if (existing.count >= limit) {
+        const resetAtMs = existing.windowStartedAtMs + RATE_LIMIT_WINDOW_MS;
+        return {
+          ok: false,
+          retryAfterSeconds: Math.max(1, Math.ceil((resetAtMs - nowMs) / 1e3)),
+          resetAtMs
+        };
+      }
+      existing.count += 1;
+      return {
+        ok: true,
+        remaining: Math.max(0, limit - existing.count),
+        resetAtMs: existing.windowStartedAtMs + RATE_LIMIT_WINDOW_MS
+      };
+    },
+    reset() {
+      store.clear();
+    }
+  };
+};
+var JSON_CONTENT_TYPE_PATTERN = /^application\/json(?:\s*(?:;|$))/i;
+var ALLOWED_SEC_FETCH_SITE_VALUES = /* @__PURE__ */ new Set(["same-origin", "same-site"]);
+var TEST_INTELLIGENCE_BEARER_REALM = "test-intelligence";
+var getHeaderValue = (value) => {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (Array.isArray(value)) {
+    return value[0];
+  }
+  return void 0;
+};
+var normalizeOrigin = (value) => {
+  if (value === void 0 || value.trim().length === 0) {
+    return void 0;
+  }
+  try {
+    return new URL(value).origin;
+  } catch {
+    return void 0;
+  }
+};
+var normalizeOriginHost = (host) => {
+  if (host.includes(":") && !host.startsWith("[")) {
+    return `[${host}]`;
+  }
+  return host;
+};
+var isLoopbackLikeHost = (host) => {
+  const normalized = host.trim().toLowerCase();
+  return normalized === "127.0.0.1" || normalized === "localhost" || normalized === "::1" || normalized === "[::1]" || normalized === "0.0.0.0" || normalized === "::" || normalized === "[::]";
+};
+var getAllowedWriteOrigins = ({
+  host,
+  port
+}) => {
+  const allowed = /* @__PURE__ */ new Set([
+    `http://${normalizeOriginHost(host)}:${port}`
+  ]);
+  if (isLoopbackLikeHost(host)) {
+    allowed.add(`http://127.0.0.1:${port}`);
+    allowed.add(`http://localhost:${port}`);
+    allowed.add(`http://[::1]:${port}`);
+  }
+  return allowed;
+};
+var validateWriteRequest = ({
+  request,
+  host,
+  port
+}) => {
+  const contentType = getHeaderValue(request.headers["content-type"]);
+  if (contentType === void 0 || !JSON_CONTENT_TYPE_PATTERN.test(contentType)) {
+    return {
+      ok: false,
+      statusCode: 415,
+      payload: {
+        error: "UNSUPPORTED_MEDIA_TYPE",
+        message: "Write routes require 'Content-Type: application/json'."
+      }
+    };
+  }
+  const originHeader = getHeaderValue(request.headers.origin);
+  const refererHeader = getHeaderValue(request.headers.referer);
+  const secFetchSite = getHeaderValue(request.headers["sec-fetch-site"])?.trim().toLowerCase();
+  const allowedOrigins = getAllowedWriteOrigins({ host, port });
+  if (secFetchSite !== void 0 && !ALLOWED_SEC_FETCH_SITE_VALUES.has(secFetchSite)) {
+    return forbiddenOrigin(
+      "Cross-site browser requests to test-intelligence write routes are blocked."
+    );
+  }
+  if (originHeader !== void 0) {
+    const origin = normalizeOrigin(originHeader);
+    if (origin === void 0 || !allowedOrigins.has(origin)) {
+      return forbiddenOrigin(
+        "Only same-origin browser requests may access test-intelligence write routes."
+      );
+    }
+  }
+  if (refererHeader !== void 0) {
+    const refererOrigin = normalizeOrigin(refererHeader);
+    if (refererOrigin === void 0 || !allowedOrigins.has(refererOrigin)) {
+      return forbiddenOrigin(
+        "Only same-origin browser requests may access test-intelligence write routes."
+      );
+    }
+  }
+  return { ok: true };
+};
+var forbiddenOrigin = (message) => ({
+  ok: false,
+  statusCode: 403,
+  payload: { error: "FORBIDDEN_REQUEST_ORIGIN", message }
+});
+var normalizeConfiguredBearerToken = (value) => {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+};
+var readBearerToken = (request) => {
+  const authorization = getHeaderValue(request.headers.authorization);
+  if (authorization === void 0) {
+    return void 0;
+  }
+  const expectedScheme = "bearer";
+  if (authorization.length <= expectedScheme.length) {
+    return void 0;
+  }
+  for (let index = 0; index < expectedScheme.length; index += 1) {
+    const code = authorization.charCodeAt(index);
+    const lowered = code >= 65 && code <= 90 ? String.fromCharCode(code + 32) : authorization[index];
+    if (lowered !== expectedScheme[index]) {
+      return void 0;
+    }
+  }
+  let tokenStart = expectedScheme.length;
+  while (tokenStart < authorization.length) {
+    const code = authorization.charCodeAt(tokenStart);
+    if (code !== 32 && code !== 9) {
+      break;
+    }
+    tokenStart += 1;
+  }
+  if (tokenStart === expectedScheme.length || tokenStart >= authorization.length) {
+    return void 0;
+  }
+  let tokenEnd = authorization.length;
+  while (tokenEnd > tokenStart) {
+    const code = authorization.charCodeAt(tokenEnd - 1);
+    if (code !== 32 && code !== 9) {
+      break;
+    }
+    tokenEnd -= 1;
+  }
+  return tokenEnd > tokenStart ? authorization.slice(tokenStart, tokenEnd) : void 0;
+};
+var tokensMatch = (expected, candidate) => {
+  const expectedDigest = createHash("sha256").update(expected, "utf8").digest();
+  const candidateDigest = createHash("sha256").update(candidate, "utf8").digest();
+  return timingSafeEqual(expectedDigest, candidateDigest);
+};
+var validateBearerToken = ({
+  request,
+  bearerToken,
+  routeLabel
+}) => {
+  const configuredToken = normalizeConfiguredBearerToken(bearerToken);
+  if (configuredToken === void 0) {
+    return {
+      ok: false,
+      statusCode: 503,
+      payload: {
+        error: "AUTHENTICATION_UNAVAILABLE",
+        message: `${routeLabel} writes are disabled until server bearer authentication is configured.`
+      }
+    };
+  }
+  const receivedToken = readBearerToken(request);
+  if (receivedToken !== void 0 && tokensMatch(configuredToken, receivedToken)) {
+    return { ok: true, principal: { scheme: "bearer" } };
+  }
+  return {
+    ok: false,
+    statusCode: 401,
+    payload: {
+      error: "UNAUTHORIZED",
+      message: `${routeLabel} writes require a valid Bearer token.`
+    },
+    wwwAuthenticate: `Bearer realm="${TEST_INTELLIGENCE_BEARER_REALM}"`
+  };
+};
+var STABLE_SEGMENT_RE = /^[A-Za-z0-9_.-]{1,128}$/u;
+var isSafeIdSegment = (segment) => {
+  if (!STABLE_SEGMENT_RE.test(segment)) {
+    return false;
+  }
+  if (segment === "." || segment === "..") {
+    return false;
+  }
+  return true;
+};
+var stripTrailingSlash = (pathname) => {
+  if (pathname.length > 1 && pathname.endsWith("/")) {
+    return pathname.slice(0, -1);
+  }
+  return pathname;
+};
+
+// packages/server/src/test-intelligence-routes.ts
+var parseTestIntelligenceRoute = ({
+  method,
+  pathname
+}) => {
+  const upper = method.toUpperCase();
+  if (upper === "OPTIONS") {
+    return { ok: true, route: { kind: "cors_preflight" } };
+  }
+  const normalized = stripTrailingSlash(pathname);
+  if (normalized === "/healthz") {
+    return methodGuard(upper, "GET", { kind: "healthz" });
+  }
+  if (normalized === "/readyz") {
+    return methodGuard(upper, "GET", { kind: "readyz" });
+  }
+  if (normalized === "/openapi.json") {
+    return methodGuard(upper, "GET", { kind: "openapi" });
+  }
+  if (!normalized.startsWith(`${API_ROUTE_PREFIX}/`)) {
+    return { ok: false, reason: "unknown_route" };
+  }
+  const rest = normalized.slice(API_ROUTE_PREFIX.length + 1);
+  const segments = rest.split("/");
+  return dispatchSegments(upper, segments);
+};
+var methodGuard = (method, allowed, route) => {
+  if (method !== allowed) {
+    return {
+      ok: false,
+      reason: "method_not_allowed",
+      allowedMethods: [allowed]
+    };
+  }
+  return { ok: true, route };
+};
+var dispatchSegments = (method, segments) => {
+  if (segments.length === 0 || segments[0] === "") {
+    return { ok: false, reason: "unknown_route" };
+  }
+  const head = segments[0];
+  const tail = segments.slice(1);
+  switch (head) {
+    case "jobs":
+      return dispatchJobs(method, tail);
+    case "review":
+      return dispatchReview(method, tail);
+    case "tms":
+      return dispatchTms(method, tail);
+    case "execution":
+      return dispatchExecution(method, tail);
+    case "onboard":
+      return dispatchSingleton(method, tail, "POST", { kind: "onboard" });
+    case "figma-export":
+      return dispatchSingleton(method, tail, "POST", { kind: "figma_export" });
+    default:
+      return { ok: false, reason: "unknown_route" };
+  }
+};
+var dispatchJobs = (method, tail) => {
+  if (tail.length === 0) {
+    return methodGuard(method, "POST", { kind: "submit_job" });
+  }
+  const jobId = tail[0];
+  if (jobId === "") {
+    return { ok: false, reason: "empty_segment" };
+  }
+  if (!isSafeIdSegment(jobId)) {
+    return { ok: false, reason: "unsafe_id_segment" };
+  }
+  if (tail.length === 1) {
+    return methodGuard(method, "GET", { kind: "job_status", jobId });
+  }
+  if (tail.length === 2 && tail[1] === "events") {
+    return methodGuard(method, "GET", { kind: "job_events", jobId });
+  }
+  if (tail.length === 3 && tail[2] === "verify") {
+    return jobsVerifySubroute(method, jobId, tail[1]);
+  }
+  return { ok: false, reason: "unknown_route" };
+};
+var jobsVerifySubroute = (method, jobId, subject) => {
+  switch (subject) {
+    case "evidence":
+      return methodGuard(method, "POST", { kind: "verify_evidence", jobId });
+    case "audit-dossier":
+      return methodGuard(method, "POST", {
+        kind: "verify_audit_dossier",
+        jobId
+      });
+    case "provenance":
+      return methodGuard(method, "POST", { kind: "verify_provenance", jobId });
+    case "seal":
+      return methodGuard(method, "POST", { kind: "verify_seal", jobId });
+    default:
+      return { ok: false, reason: "unknown_route" };
+  }
+};
+var dispatchReview = (method, tail) => {
+  if (tail.length === 0) {
+    return { ok: false, reason: "unknown_route" };
+  }
+  const jobId = tail[0];
+  if (jobId === "") {
+    return { ok: false, reason: "empty_segment" };
+  }
+  if (!isSafeIdSegment(jobId)) {
+    return { ok: false, reason: "unsafe_id_segment" };
+  }
+  if (tail.length === 1) {
+    return methodGuard(method, "GET", { kind: "review_snapshot", jobId });
+  }
+  if (tail.length === 2 && tail[1] === "decision") {
+    return methodGuard(method, "POST", { kind: "review_decision", jobId });
+  }
+  return { ok: false, reason: "unknown_route" };
+};
+var dispatchTms = (method, tail) => {
+  return dispatchSingleton(method, tail, "POST", { kind: "tms_push" }, [
+    "push"
+  ]);
+};
+var dispatchExecution = (method, tail) => {
+  return dispatchSingleton(method, tail, "POST", { kind: "execution_pull" }, [
+    "pull"
+  ]);
+};
+var dispatchSingleton = (method, tail, allowedMethod, route, expectedTail = []) => {
+  if (tail.length !== expectedTail.length) {
+    return { ok: false, reason: "unknown_route" };
+  }
+  for (let i = 0; i < expectedTail.length; i += 1) {
+    if (tail[i] !== expectedTail[i]) {
+      return { ok: false, reason: "unknown_route" };
+    }
+  }
+  return methodGuard(method, allowedMethod, route);
+};
+
+// packages/server/src/route-handlers.ts
+var buildHandlerTable = (options) => {
+  const defaults = {
+    healthz: handleHealthz,
+    readyz: ({ response }) => handleReadyz(response, options),
+    openapi: handleOpenapi,
+    cors_preflight: ({ response }) => handleCorsPreflight(response, options),
+    submit_job: handleNotImplemented("submit_job"),
+    job_status: handleNotImplemented("job_status"),
+    job_events: handleSseStub,
+    verify_evidence: handleNotImplemented("verify_evidence"),
+    verify_audit_dossier: handleNotImplemented("verify_audit_dossier"),
+    verify_provenance: handleNotImplemented("verify_provenance"),
+    verify_seal: handleNotImplemented("verify_seal"),
+    review_snapshot: handleNotImplemented("review_snapshot"),
+    review_decision: handleNotImplemented("review_decision"),
+    tms_push: handleNotImplemented("tms_push"),
+    execution_pull: handleNotImplemented("execution_pull"),
+    onboard: handleNotImplemented("onboard"),
+    figma_export: handleNotImplemented("figma_export")
+  };
+  const overrides = options.routeHandlers ?? {};
+  for (const [kind, handler] of Object.entries(overrides)) {
+    defaults[kind] = handler;
+  }
+  return defaults;
+};
+var handleHealthz = ({ response }) => {
+  writeJsonResponse({
+    response,
+    statusCode: 200,
+    payload: { status: "ok", checkedAt: (/* @__PURE__ */ new Date()).toISOString() }
+  });
+};
+var handleReadyz = (response, options) => {
+  writeJsonResponse({
+    response,
+    statusCode: 200,
+    payload: {
+      status: "ready",
+      featureGate: options.testIntelligenceEnabled ? "enabled" : "disabled",
+      authConfigured: options.bearerToken !== void 0,
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  });
+};
+var handleOpenapi = ({ response }) => {
+  writeJsonResponse({
+    response,
+    statusCode: 200,
+    payload: {
+      openapi: "3.1.0",
+      info: { title: "Test Intelligence API", version: "0.0.1" },
+      paths: {}
+    }
+  });
+};
+var handleCorsPreflight = (response, options) => {
+  const allowedOrigin = options.allowedCorsOrigins?.[0];
+  if (allowedOrigin !== void 0) {
+    response.setHeader("Access-Control-Allow-Origin", allowedOrigin);
+  }
+  response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+  response.setHeader(
+    "Access-Control-Allow-Headers",
+    "Content-Type, Authorization"
+  );
+  response.setHeader("Access-Control-Max-Age", "600");
+  response.statusCode = 204;
+  response.end();
+};
+var handleNotImplemented = (routeKind) => {
+  return ({
+    request,
+    response,
+    route,
+    audit,
+    requestId
+  }) => {
+    void readJsonBodyForRoute(request, route).then((body) => {
+      audit.record({
+        action: `${routeKind}.received`,
+        subject: routeKind,
+        outcome: body.ok ? "ok" : "denied",
+        requestId
+      });
+      writeErrorResponse({
+        response,
+        code: "LLM_GATEWAY_UNCONFIGURED",
+        message: `Route '${routeKind}' is reachable but no operator-supplied handler is wired.`
+      });
+    });
+  };
+};
+var handleSseStub = ({ response }) => {
+  const sse = beginSseResponse(response);
+  sse.writeRetry(15e3);
+  sse.writeEvent({
+    event: "noop",
+    data: { message: "No event source is wired for this job." },
+    id: "0"
+  });
+  sse.end();
+};
+var readJsonBodyForRoute = async (request, route) => {
+  const maxBytes = route.kind === "submit_job" ? MAX_SUBMIT_BODY_BYTES : MAX_REQUEST_BODY_BYTES;
+  const result = await readJsonBody({ request, maxBytes });
+  return { ok: result.ok };
+};
+
+// packages/server/src/request-handler.ts
+var createTestIntelligenceRequestHandler = (options) => {
+  const rateLimiter = createRateLimiter({
+    requestsPerMinute: options.requestsPerMinute ?? DEFAULT_RATE_LIMIT_PER_MINUTE
+  });
+  const requestLog = createRequestLogger(options.logger);
+  const audit = createAuditLogger({
+    write: options.auditWrite ?? defaultAuditWrite(options.logger)
+  });
+  const handlers = buildHandlerTable(options);
+  const nowMs = options.nowMs ?? (() => Date.now());
+  return (request, response) => {
+    void runHandler({
+      request,
+      response,
+      options,
+      rateLimiter,
+      requestLog,
+      audit,
+      handlers,
+      nowMs
+    });
+  };
+};
+var runHandler = async (input) => {
+  const { request, response, options, requestLog } = input;
+  const start = Date.now();
+  const requestId = requestLog.newRequestId();
+  const clientKey = resolveClientKey(request);
+  const method = request.method ?? "GET";
+  const pathname = extractPathname(request.url ?? "/");
+  try {
+    const dispatched = await dispatch({
+      ...input,
+      method,
+      pathname,
+      requestId,
+      clientKey
+    });
+    requestLog.log({
+      requestId,
+      method,
+      path: pathname,
+      statusCode: response.statusCode,
+      durationMs: Date.now() - start,
+      clientKey,
+      route: dispatched
+    });
+  } catch (error) {
+    handleUnexpectedError({ response, error, options, requestId });
+    requestLog.log({
+      requestId,
+      method,
+      path: pathname,
+      statusCode: response.statusCode,
+      durationMs: Date.now() - start,
+      clientKey
+    });
+  }
+};
+var dispatch = async (input) => {
+  const {
+    request,
+    response,
+    method,
+    pathname,
+    options,
+    rateLimiter,
+    handlers,
+    requestId,
+    clientKey,
+    audit,
+    nowMs
+  } = input;
+  const parse = parseTestIntelligenceRoute({ method, pathname });
+  if (!parse.ok) {
+    emitParseFailure({
+      response,
+      reason: parse.reason,
+      allowed: parse.allowedMethods
+    });
+    return `parse:${parse.reason}`;
+  }
+  const route = parse.route;
+  const routeKey = `${method.toUpperCase()} ${route.kind}`;
+  const limit = rateLimiter.check({
+    clientKey,
+    routeKey,
+    nowMs: nowMs()
+  });
+  if (!limit.ok) {
+    writeErrorResponse({
+      response,
+      code: "RATE_LIMITED",
+      message: "Too many requests; retry after the indicated interval.",
+      extraHeaders: { "Retry-After": String(limit.retryAfterSeconds) }
+    });
+    return route.kind;
+  }
+  if (requiresWriteGate(route)) {
+    const gate = enforceWriteGate({ request, response, options, route });
+    if (!gate.ok) {
+      return route.kind;
+    }
+  }
+  await handlers[route.kind]({
+    request,
+    response,
+    route,
+    requestId,
+    clientKey,
+    audit,
+    logger: options.logger
+  });
+  return route.kind;
+};
+var requiresWriteGate = (route) => {
+  switch (route.kind) {
+    case "healthz":
+    case "readyz":
+    case "openapi":
+    case "cors_preflight":
+    case "job_status":
+    case "job_events":
+    case "review_snapshot":
+      return false;
+    default:
+      return true;
+  }
+};
+var enforceWriteGate = ({
+  request,
+  response,
+  options,
+  route
+}) => {
+  if (!options.testIntelligenceEnabled) {
+    writeErrorResponse({
+      response,
+      code: "FEATURE_GATE_DISABLED",
+      message: "The test-intelligence feature gate is disabled on this server."
+    });
+    return { ok: false };
+  }
+  const writeCheck = validateWriteRequest({
+    request,
+    host: options.host,
+    port: options.port
+  });
+  if (!writeCheck.ok) {
+    writeErrorResponse({
+      response,
+      code: writeCheck.payload.error,
+      message: writeCheck.payload.message,
+      statusCode: writeCheck.statusCode
+    });
+    return { ok: false };
+  }
+  const auth = validateBearerToken({
+    request,
+    bearerToken: options.bearerToken,
+    routeLabel: route.kind
+  });
+  if (!auth.ok) {
+    writeErrorResponse({
+      response,
+      code: auth.payload.error,
+      message: auth.payload.message,
+      statusCode: auth.statusCode,
+      ...auth.wwwAuthenticate !== void 0 ? { extraHeaders: { "WWW-Authenticate": auth.wwwAuthenticate } } : {}
+    });
+    return { ok: false };
+  }
+  return { ok: true };
+};
+var emitParseFailure = ({
+  response,
+  reason,
+  allowed
+}) => {
+  if (reason === "method_not_allowed") {
+    writeErrorResponse({
+      response,
+      code: "METHOD_NOT_ALLOWED",
+      message: "The requested method is not allowed on this route.",
+      ...allowed !== void 0 ? { extraHeaders: { Allow: allowed.join(", ") } } : {}
+    });
+    return;
+  }
+  const code = reason === "unsafe_id_segment" || reason === "empty_segment" ? "BAD_REQUEST" : "NOT_FOUND";
+  const message = code === "BAD_REQUEST" ? "The route contains an unsafe or empty path segment." : "The requested route does not exist.";
+  writeErrorResponse({ response, code, message });
+};
+var extractPathname = (url) => {
+  const queryIndex = url.indexOf("?");
+  return queryIndex === -1 ? url : url.slice(0, queryIndex);
+};
+var defaultAuditWrite = (logger) => (line) => {
+  logger.log({ level: "info", message: `audit ${line.trimEnd()}` });
+};
+var handleUnexpectedError = ({
+  response,
+  error,
+  options,
+  requestId
+}) => {
+  const message = error instanceof Error ? error.message : "Unknown error.";
+  options.logger.log({
+    level: "error",
+    message: `request handler failure: ${message}`,
+    requestId
+  });
+  if (!response.headersSent) {
+    writeErrorResponse({
+      response,
+      code: "INTERNAL_ERROR",
+      message: "An unexpected error occurred handling the request."
+    });
+  } else if (!response.writableEnded) {
+    response.end();
+  }
+};
+
+// packages/server/src/openapi.ts
+var ERROR_ENVELOPE_SCHEMA = {
+  type: "object",
+  required: ["error", "message"],
+  properties: {
+    error: { type: "string" },
+    message: { type: "string" }
+  },
+  additionalProperties: false
+};
+var READYZ_SCHEMA = {
+  type: "object",
+  required: ["status", "featureGate", "authConfigured", "checkedAt"],
+  properties: {
+    status: { type: "string", enum: ["ready"] },
+    featureGate: { type: "string", enum: ["enabled", "disabled"] },
+    authConfigured: { type: "boolean" },
+    checkedAt: { type: "string", format: "date-time" }
+  },
+  additionalProperties: false
+};
+var HEALTHZ_SCHEMA = {
+  type: "object",
+  required: ["status", "checkedAt"],
+  properties: {
+    status: { type: "string", enum: ["ok"] },
+    checkedAt: { type: "string", format: "date-time" }
+  },
+  additionalProperties: false
+};
+var errorResponse = (description) => ({
+  description,
+  content: {
+    "application/json": {
+      schema: { $ref: "#/components/schemas/Error" }
+    }
+  }
+});
+var writeRoute = (summary, operationId) => ({
+  post: {
+    summary,
+    operationId,
+    security: [{ bearerAuth: [] }],
+    requestBody: {
+      required: true,
+      content: { "application/json": { schema: { type: "object" } } }
+    },
+    responses: {
+      "200": { description: "Operation completed." },
+      "401": errorResponse("Bearer token is missing or incorrect."),
+      "403": errorResponse("Feature gate or origin policy denied the call."),
+      "413": errorResponse("Request body exceeded the configured limit."),
+      "415": errorResponse("Content-Type is not application/json."),
+      "429": errorResponse("Per-client rate limit was exceeded."),
+      "503": errorResponse("Server is not configured for this route.")
+    }
+  }
+});
+var readRoute = (summary, operationId, responseSchemaRef) => ({
+  get: {
+    summary,
+    operationId,
+    responses: {
+      "200": {
+        description: "Result.",
+        content: {
+          "application/json": { schema: { $ref: responseSchemaRef } }
+        }
+      },
+      "404": errorResponse("Resource not found."),
+      "429": errorResponse("Per-client rate limit was exceeded.")
+    }
+  }
+});
+var jobScopedWriteRoute = (summary, operationId) => {
+  const route = writeRoute(summary, operationId);
+  route.post["parameters"] = [
+    {
+      name: "jobId",
+      in: "path",
+      required: true,
+      schema: { type: "string", pattern: "^[A-Za-z0-9_.-]{1,128}$" }
+    }
+  ];
+  return route;
+};
+var buildPaths = () => ({
+  "/healthz": readRoute(
+    "Liveness probe.",
+    "getHealthz",
+    "#/components/schemas/Healthz"
+  ),
+  "/readyz": readRoute(
+    "Readiness probe.",
+    "getReadyz",
+    "#/components/schemas/Readyz"
+  ),
+  "/openapi.json": readRoute(
+    "Return this OpenAPI document.",
+    "getOpenapi",
+    "#/components/schemas/Error"
+  ),
+  [`${API_ROUTE_PREFIX}/jobs`]: writeRoute(
+    "Submit a Test Intelligence run.",
+    "submitJob"
+  ),
+  [`${API_ROUTE_PREFIX}/jobs/{jobId}`]: readRoute(
+    "Read a job's status.",
+    "getJobStatus",
+    "#/components/schemas/Error"
+  ),
+  [`${API_ROUTE_PREFIX}/jobs/{jobId}/events`]: readRoute(
+    "Server-Sent Events stream of a job's phase events.",
+    "streamJobEvents",
+    "#/components/schemas/Error"
+  ),
+  [`${API_ROUTE_PREFIX}/jobs/{jobId}/evidence/verify`]: jobScopedWriteRoute(
+    "Verify a job's evidence manifest.",
+    "verifyJobEvidence"
+  ),
+  [`${API_ROUTE_PREFIX}/jobs/{jobId}/audit-dossier/verify`]: jobScopedWriteRoute(
+    "Verify a job's audit dossier bundle.",
+    "verifyJobAuditDossier"
+  ),
+  [`${API_ROUTE_PREFIX}/jobs/{jobId}/provenance/verify`]: jobScopedWriteRoute(
+    "Verify a job's provenance document.",
+    "verifyJobProvenance"
+  ),
+  [`${API_ROUTE_PREFIX}/jobs/{jobId}/seal/verify`]: jobScopedWriteRoute(
+    "Verify a job's seal bundle.",
+    "verifyJobSeal"
+  ),
+  [`${API_ROUTE_PREFIX}/review/{jobId}`]: readRoute(
+    "Read the review snapshot for a job.",
+    "getReviewSnapshot",
+    "#/components/schemas/Error"
+  ),
+  [`${API_ROUTE_PREFIX}/review/{jobId}/decision`]: jobScopedWriteRoute(
+    "Record a review decision.",
+    "recordReviewDecision"
+  ),
+  [`${API_ROUTE_PREFIX}/tms/push`]: writeRoute(
+    "Push completed test cases to a configured TMS adapter.",
+    "pushToTms"
+  ),
+  [`${API_ROUTE_PREFIX}/execution/pull`]: writeRoute(
+    "Pull execution evidence from a TMS adapter.",
+    "pullExecutionEvidence"
+  ),
+  [`${API_ROUTE_PREFIX}/onboard`]: writeRoute(
+    "Run tenant onboarding.",
+    "runTenantOnboarding"
+  ),
+  [`${API_ROUTE_PREFIX}/figma-export`]: writeRoute(
+    "Fetch a Figma file as a TI ingest payload.",
+    "exportFigmaForTestIntelligence"
+  )
+});
+var buildOpenApiDocument = () => ({
+  openapi: "3.1.0",
+  info: {
+    title: "Test Intelligence API",
+    version: PACKAGE_VERSION,
+    description: "Standalone HTTP surface for the Test Intelligence runtime. Every write route is bearer-protected and fails closed when the test-intelligence feature gate is disabled."
+  },
+  servers: [{ url: "http://127.0.0.1:1983" }],
+  components: {
+    securitySchemes: {
+      bearerAuth: {
+        type: "http",
+        scheme: "bearer"
+      }
+    },
+    schemas: {
+      Error: ERROR_ENVELOPE_SCHEMA,
+      Readyz: READYZ_SCHEMA,
+      Healthz: HEALTHZ_SCHEMA
+    }
+  },
+  paths: buildPaths()
+});
+
+// packages/server/src/server.ts
+var createTestIntelligenceServer = async (options) => {
+  const host = options.host ?? DEFAULT_HOST;
+  const requestedPort = options.port ?? DEFAULT_PORT;
+  const testIntelligenceEnabled = options.testIntelligenceEnabled ?? resolveTestIntelligenceEnabled(options.env);
+  const openApiHandler = ({ response }) => {
+    writeJsonResponse({
+      response,
+      statusCode: 200,
+      payload: buildOpenApiDocument()
+    });
+  };
+  const mergedRouteHandlers = {
+    openapi: openApiHandler,
+    ...options.routeHandlers ?? {}
+  };
+  const handler = createTestIntelligenceRequestHandler({
+    host,
+    port: requestedPort,
+    logger: options.logger,
+    testIntelligenceEnabled,
+    requestsPerMinute: options.requestsPerMinute ?? DEFAULT_RATE_LIMIT_PER_MINUTE,
+    routeHandlers: mergedRouteHandlers,
+    ...options.bearerToken !== void 0 ? { bearerToken: options.bearerToken } : {},
+    ...options.auditWrite !== void 0 ? { auditWrite: options.auditWrite } : {},
+    ...options.allowedCorsOrigins !== void 0 ? { allowedCorsOrigins: options.allowedCorsOrigins } : {}
+  });
+  const server = createServer((request, response) => {
+    handler(request, response);
+  });
+  await listen(server, host, requestedPort);
+  const address = server.address();
+  const boundPort = address !== null && typeof address === "object" ? address.port : requestedPort;
+  const url = `http://${formatHost(host)}:${String(boundPort)}`;
+  const startedAt = Date.now();
+  return {
+    server,
+    host,
+    port: boundPort,
+    url,
+    startedAt,
+    close: () => closeServer(server)
+  };
+};
+var listen = (server, host, port) => {
+  return new Promise((resolve, reject) => {
+    const onError = (error) => {
+      server.off("listening", onListening);
+      reject(error);
+    };
+    const onListening = () => {
+      server.off("error", onError);
+      resolve();
+    };
+    server.once("error", onError);
+    server.once("listening", onListening);
+    server.listen(port, host);
+  });
+};
+var closeServer = (server) => {
+  return new Promise((resolve, reject) => {
+    server.close((error) => {
+      if (error !== void 0) {
+        reject(error);
+        return;
+      }
+      resolve();
+    });
+  });
+};
+var formatHost = (host) => {
+  if (host.includes(":") && !host.startsWith("[")) {
+    return `[${host}]`;
+  }
+  return host;
+};
+
+export { PACKAGE_NAME, PACKAGE_VERSION, createTestIntelligenceServer, getPackageIdentity, resolveReleaseStage };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map