@paperclipai/server 0.2.2

package/dist/routes/sidebar-badges.js

@@ -0,0 +1,47 @@
+import { Router } from "express";
+import { and, eq, inArray, isNull, sql } from "drizzle-orm";
+import { issues, joinRequests } from "@paperclipai/db";
+import { sidebarBadgeService } from "../services/sidebar-badges.js";
+import { accessService } from "../services/access.js";
+import { assertCompanyAccess } from "./authz.js";
+const INBOX_ISSUE_STATUSES = ["backlog", "todo", "in_progress", "in_review", "blocked"];
+export function sidebarBadgeRoutes(db) {
+    const router = Router();
+    const svc = sidebarBadgeService(db);
+    const access = accessService(db);
+    router.get("/companies/:companyId/sidebar-badges", async (req, res) => {
+        const companyId = req.params.companyId;
+        assertCompanyAccess(req, companyId);
+        let canApproveJoins = false;
+        if (req.actor.type === "board") {
+            canApproveJoins =
+                req.actor.source === "local_implicit" ||
+                    Boolean(req.actor.isInstanceAdmin) ||
+                    (await access.canUser(companyId, req.actor.userId, "joins:approve"));
+        }
+        else if (req.actor.type === "agent" && req.actor.agentId) {
+            canApproveJoins = await access.hasPermission(companyId, "agent", req.actor.agentId, "joins:approve");
+        }
+        const joinRequestCount = canApproveJoins
+            ? await db
+                .select({ count: sql `count(*)` })
+                .from(joinRequests)
+                .where(and(eq(joinRequests.companyId, companyId), eq(joinRequests.status, "pending_approval")))
+                .then((rows) => Number(rows[0]?.count ?? 0))
+            : 0;
+        const assignedIssueCount = req.actor.type === "board" && req.actor.userId
+            ? await db
+                .select({ count: sql `count(*)` })
+                .from(issues)
+                .where(and(eq(issues.companyId, companyId), eq(issues.assigneeUserId, req.actor.userId), inArray(issues.status, [...INBOX_ISSUE_STATUSES]), isNull(issues.hiddenAt)))
+                .then((rows) => Number(rows[0]?.count ?? 0))
+            : 0;
+        const badges = await svc.get(companyId, {
+            joinRequests: joinRequestCount,
+            assignedIssues: assignedIssueCount,
+        });
+        res.json(badges);
+    });
+    return router;
+}
+//# sourceMappingURL=sidebar-badges.js.map

package/dist/routes/sidebar-badges.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sidebar-badges.js","sourceRoot":"","sources":["../../src/routes/sidebar-badges.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEjC,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAC5D,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,oBAAoB,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,WAAW,EAAE,SAAS,CAAU,CAAC;AAEjG,MAAM,UAAU,kBAAkB,CAAC,EAAM;IACvC,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,MAAM,GAAG,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,aAAa,CAAC,EAAE,CAAC,CAAC;IAEjC,MAAM,CAAC,GAAG,CAAC,sCAAsC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACpE,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,SAAmB,CAAC;QACjD,mBAAmB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACpC,IAAI,eAAe,GAAG,KAAK,CAAC;QAC5B,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/B,eAAe;gBACb,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,gBAAgB;oBACrC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC;oBAClC,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;QACzE,CAAC;aAAM,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC3D,eAAe,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,SAAS,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACvG,CAAC;QAED,MAAM,gBAAgB,GAAG,eAAe;YACtC,CAAC,CAAC,MAAM,EAAE;iBACP,MAAM,CAAC,EAAE,KAAK,EAAE,GAAG,CAAQ,UAAU,EAAE,CAAC;iBACxC,IAAI,CAAC,YAAY,CAAC;iBAClB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;iBAC9F,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC,CAAC;YAC9C,CAAC,CAAC,CAAC,CAAC;QAEN,MAAM,kBAAkB,GACtB,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM;YAC5C,CAAC,CAAC,MAAM,EAAE;iBACP,MAAM,CAAC,EAAE,KAAK,EAAE,GAAG,CAAQ,UAAU,EAAE,CAAC;iBACxC,IAAI,CAAC,MAAM,CAAC;iBACZ,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,EAC/B,EAAE,CAAC,MAAM,CAAC,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,EAC3C,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,oBAAoB,CAAC,CAAC,EACjD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CACxB,CACF;iBACA,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC,CAAC;YAC9C,CAAC,CAAC,CAAC,CAAC;QAER,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE;YACtC,YAAY,EAAE,gBAAgB;YAC9B,cAAc,EAAE,kBAAkB;SACnC,CAAC,CAAC;QACH,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/secrets/external-stub-providers.d.ts

@@ -0,0 +1,5 @@
+import type { SecretProviderModule } from "./types.js";
+export declare const awsSecretsManagerProvider: SecretProviderModule;
+export declare const gcpSecretManagerProvider: SecretProviderModule;
+export declare const vaultProvider: SecretProviderModule;
+//# sourceMappingURL=external-stub-providers.d.ts.map

package/dist/secrets/external-stub-providers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"external-stub-providers.d.ts","sourceRoot":"","sources":["../../src/secrets/external-stub-providers.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAsBvD,eAAO,MAAM,yBAAyB,sBAGrC,CAAC;AACF,eAAO,MAAM,wBAAwB,sBAGpC,CAAC;AACF,eAAO,MAAM,aAAa,sBAAkD,CAAC"}

package/dist/secrets/external-stub-providers.js

@@ -0,0 +1,21 @@
+import { unprocessable } from "../errors.js";
+function unavailableProvider(id, label) {
+    return {
+        id,
+        descriptor: {
+            id,
+            label,
+            requiresExternalRef: true,
+        },
+        async createVersion() {
+            throw unprocessable(`${id} provider is not configured in this deployment`);
+        },
+        async resolveVersion() {
+            throw unprocessable(`${id} provider is not configured in this deployment`);
+        },
+    };
+}
+export const awsSecretsManagerProvider = unavailableProvider("aws_secrets_manager", "AWS Secrets Manager");
+export const gcpSecretManagerProvider = unavailableProvider("gcp_secret_manager", "GCP Secret Manager");
+export const vaultProvider = unavailableProvider("vault", "HashiCorp Vault");
+//# sourceMappingURL=external-stub-providers.js.map

package/dist/secrets/external-stub-providers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"external-stub-providers.js","sourceRoot":"","sources":["../../src/secrets/external-stub-providers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,SAAS,mBAAmB,CAC1B,EAA0D,EAC1D,KAAa;IAEb,OAAO;QACL,EAAE;QACF,UAAU,EAAE;YACV,EAAE;YACF,KAAK;YACL,mBAAmB,EAAE,IAAI;SAC1B;QACD,KAAK,CAAC,aAAa;YACjB,MAAM,aAAa,CAAC,GAAG,EAAE,gDAAgD,CAAC,CAAC;QAC7E,CAAC;QACD,KAAK,CAAC,cAAc;YAClB,MAAM,aAAa,CAAC,GAAG,EAAE,gDAAgD,CAAC,CAAC;QAC7E,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,yBAAyB,GAAG,mBAAmB,CAC1D,qBAAqB,EACrB,qBAAqB,CACtB,CAAC;AACF,MAAM,CAAC,MAAM,wBAAwB,GAAG,mBAAmB,CACzD,oBAAoB,EACpB,oBAAoB,CACrB,CAAC;AACF,MAAM,CAAC,MAAM,aAAa,GAAG,mBAAmB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC"}

package/dist/secrets/local-encrypted-provider.d.ts

@@ -0,0 +1,3 @@
+import type { SecretProviderModule } from "./types.js";
+export declare const localEncryptedProvider: SecretProviderModule;
+//# sourceMappingURL=local-encrypted-provider.d.ts.map

package/dist/secrets/local-encrypted-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-encrypted-provider.d.ts","sourceRoot":"","sources":["../../src/secrets/local-encrypted-provider.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,oBAAoB,EAA+B,MAAM,YAAY,CAAC;AAgHpF,eAAO,MAAM,sBAAsB,EAAE,oBAmBpC,CAAC"}

package/dist/secrets/local-encrypted-provider.js

@@ -0,0 +1,116 @@
+import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";
+import { mkdirSync, readFileSync, writeFileSync, existsSync, chmodSync } from "node:fs";
+import path from "node:path";
+import { badRequest } from "../errors.js";
+function resolveMasterKeyFilePath() {
+    const fromEnv = process.env.PAPERCLIP_SECRETS_MASTER_KEY_FILE;
+    if (fromEnv && fromEnv.trim().length > 0)
+        return path.resolve(fromEnv.trim());
+    return path.resolve(process.cwd(), "data/secrets/master.key");
+}
+function decodeMasterKey(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return null;
+    if (/^[A-Fa-f0-9]{64}$/.test(trimmed)) {
+        return Buffer.from(trimmed, "hex");
+    }
+    try {
+        const decoded = Buffer.from(trimmed, "base64");
+        if (decoded.length === 32)
+            return decoded;
+    }
+    catch {
+        // ignored
+    }
+    if (Buffer.byteLength(trimmed, "utf8") === 32) {
+        return Buffer.from(trimmed, "utf8");
+    }
+    return null;
+}
+function loadOrCreateMasterKey() {
+    const envKeyRaw = process.env.PAPERCLIP_SECRETS_MASTER_KEY;
+    if (envKeyRaw && envKeyRaw.trim().length > 0) {
+        const fromEnv = decodeMasterKey(envKeyRaw);
+        if (!fromEnv) {
+            throw badRequest("Invalid PAPERCLIP_SECRETS_MASTER_KEY (expected 32-byte base64, 64-char hex, or raw 32-char string)");
+        }
+        return fromEnv;
+    }
+    const keyPath = resolveMasterKeyFilePath();
+    if (existsSync(keyPath)) {
+        const raw = readFileSync(keyPath, "utf8");
+        const decoded = decodeMasterKey(raw);
+        if (!decoded) {
+            throw badRequest(`Invalid secrets master key at ${keyPath}`);
+        }
+        return decoded;
+    }
+    const dir = path.dirname(keyPath);
+    mkdirSync(dir, { recursive: true });
+    const generated = randomBytes(32);
+    writeFileSync(keyPath, generated.toString("base64"), { encoding: "utf8", mode: 0o600 });
+    try {
+        chmodSync(keyPath, 0o600);
+    }
+    catch {
+        // best effort
+    }
+    return generated;
+}
+function sha256Hex(value) {
+    return createHash("sha256").update(value).digest("hex");
+}
+function encryptValue(masterKey, value) {
+    const iv = randomBytes(12);
+    const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
+    const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+        scheme: "local_encrypted_v1",
+        iv: iv.toString("base64"),
+        tag: tag.toString("base64"),
+        ciphertext: ciphertext.toString("base64"),
+    };
+}
+function decryptValue(masterKey, material) {
+    const iv = Buffer.from(material.iv, "base64");
+    const tag = Buffer.from(material.tag, "base64");
+    const ciphertext = Buffer.from(material.ciphertext, "base64");
+    const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
+    decipher.setAuthTag(tag);
+    const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return plain.toString("utf8");
+}
+function asLocalEncryptedMaterial(value) {
+    if (value &&
+        typeof value === "object" &&
+        value.scheme === "local_encrypted_v1" &&
+        typeof value.iv === "string" &&
+        typeof value.tag === "string" &&
+        typeof value.ciphertext === "string") {
+        return value;
+    }
+    throw badRequest("Invalid local_encrypted secret material");
+}
+export const localEncryptedProvider = {
+    id: "local_encrypted",
+    descriptor: {
+        id: "local_encrypted",
+        label: "Local encrypted (default)",
+        requiresExternalRef: false,
+    },
+    async createVersion(input) {
+        const masterKey = loadOrCreateMasterKey();
+        return {
+            material: encryptValue(masterKey, input.value),
+            valueSha256: sha256Hex(input.value),
+            externalRef: null,
+        };
+    },
+    async resolveVersion(input) {
+        const masterKey = loadOrCreateMasterKey();
+        return decryptValue(masterKey, asLocalEncryptedMaterial(input.material));
+    },
+};
+//# sourceMappingURL=local-encrypted-provider.js.map

package/dist/secrets/local-encrypted-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-encrypted-provider.js","sourceRoot":"","sources":["../../src/secrets/local-encrypted-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACxF,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACxF,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAS1C,SAAS,wBAAwB;IAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC;IAC9D,IAAI,OAAO,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9E,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,yBAAyB,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/C,IAAI,OAAO,CAAC,MAAM,KAAK,EAAE;YAAE,OAAO,OAAO,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;QAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,qBAAqB;IAC5B,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;IAC3D,IAAI,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7C,MAAM,OAAO,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,UAAU,CACd,oGAAoG,CACrG,CAAC;QACJ,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,OAAO,GAAG,wBAAwB,EAAE,CAAC;IAC3C,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,UAAU,CAAC,iCAAiC,OAAO,EAAE,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxF,IAAI,CAAC;QACH,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,YAAY,CAAC,SAAiB,EAAE,KAAa;IACpD,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,MAAM,EAAE,oBAAoB;QAC5B,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3B,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,SAAiB,EAAE,QAAgC;IACvE,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAChE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC7E,OAAO,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAkC;IAClE,IACE,KAAK;QACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,CAAC,MAAM,KAAK,oBAAoB;QACrC,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ;QAC5B,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ;QAC7B,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,EACpC,CAAC;QACD,OAAO,KAA+B,CAAC;IACzC,CAAC;IACD,MAAM,UAAU,CAAC,yCAAyC,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAyB;IAC1D,EAAE,EAAE,iBAAiB;IACrB,UAAU,EAAE;QACV,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,2BAA2B;QAClC,mBAAmB,EAAE,KAAK;KAC3B;IACD,KAAK,CAAC,aAAa,CAAC,KAAK;QACvB,MAAM,SAAS,GAAG,qBAAqB,EAAE,CAAC;QAC1C,OAAO;YACL,QAAQ,EAAE,YAAY,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC;YAC9C,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC;YACnC,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IACD,KAAK,CAAC,cAAc,CAAC,KAAK;QACxB,MAAM,SAAS,GAAG,qBAAqB,EAAE,CAAC;QAC1C,OAAO,YAAY,CAAC,SAAS,EAAE,wBAAwB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3E,CAAC;CACF,CAAC"}

package/dist/secrets/provider-registry.d.ts

@@ -0,0 +1,5 @@
+import type { SecretProvider, SecretProviderDescriptor } from "@paperclipai/shared";
+import type { SecretProviderModule } from "./types.js";
+export declare function getSecretProvider(id: SecretProvider): SecretProviderModule;
+export declare function listSecretProviders(): SecretProviderDescriptor[];
+//# sourceMappingURL=provider-registry.d.ts.map

package/dist/secrets/provider-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-registry.d.ts","sourceRoot":"","sources":["../../src/secrets/provider-registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAOpF,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAcvD,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,cAAc,GAAG,oBAAoB,CAI1E;AAED,wBAAgB,mBAAmB,IAAI,wBAAwB,EAAE,CAEhE"}

package/dist/secrets/provider-registry.js

@@ -0,0 +1,20 @@
+import { localEncryptedProvider } from "./local-encrypted-provider.js";
+import { awsSecretsManagerProvider, gcpSecretManagerProvider, vaultProvider, } from "./external-stub-providers.js";
+import { unprocessable } from "../errors.js";
+const providers = [
+    localEncryptedProvider,
+    awsSecretsManagerProvider,
+    gcpSecretManagerProvider,
+    vaultProvider,
+];
+const providerById = new Map(providers.map((provider) => [provider.id, provider]));
+export function getSecretProvider(id) {
+    const provider = providerById.get(id);
+    if (!provider)
+        throw unprocessable(`Unsupported secret provider: ${id}`);
+    return provider;
+}
+export function listSecretProviders() {
+    return providers.map((provider) => provider.descriptor);
+}
+//# sourceMappingURL=provider-registry.js.map

package/dist/secrets/provider-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-registry.js","sourceRoot":"","sources":["../../src/secrets/provider-registry.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AACvE,OAAO,EACL,yBAAyB,EACzB,wBAAwB,EACxB,aAAa,GACd,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,MAAM,SAAS,GAA2B;IACxC,sBAAsB;IACtB,yBAAyB;IACzB,wBAAwB;IACxB,aAAa;CACd,CAAC;AAEF,MAAM,YAAY,GAAG,IAAI,GAAG,CAC1B,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CACrD,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAAC,EAAkB;IAClD,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACtC,IAAI,CAAC,QAAQ;QAAE,MAAM,aAAa,CAAC,gCAAgC,EAAE,EAAE,CAAC,CAAC;IACzE,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AAC1D,CAAC"}

package/dist/secrets/types.d.ts

@@ -0,0 +1,21 @@
+import type { SecretProvider, SecretProviderDescriptor } from "@paperclipai/shared";
+export interface StoredSecretVersionMaterial {
+    [key: string]: unknown;
+}
+export interface SecretProviderModule {
+    id: SecretProvider;
+    descriptor: SecretProviderDescriptor;
+    createVersion(input: {
+        value: string;
+        externalRef: string | null;
+    }): Promise<{
+        material: StoredSecretVersionMaterial;
+        valueSha256: string;
+        externalRef: string | null;
+    }>;
+    resolveVersion(input: {
+        material: StoredSecretVersionMaterial;
+        externalRef: string | null;
+    }): Promise<string>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/secrets/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/secrets/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAEpF,MAAM,WAAW,2BAA2B;IAC1C,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,cAAc,CAAC;IACnB,UAAU,EAAE,wBAAwB,CAAC;IACrC,aAAa,CAAC,KAAK,EAAE;QACnB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5B,GAAG,OAAO,CAAC;QACV,QAAQ,EAAE,2BAA2B,CAAC;QACtC,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5B,CAAC,CAAC;IACH,cAAc,CAAC,KAAK,EAAE;QACpB,QAAQ,EAAE,2BAA2B,CAAC;QACtC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5B,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACrB"}

package/dist/secrets/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/secrets/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/secrets/types.ts"],"names":[],"mappings":""}

package/dist/services/access.d.ts

@@ -0,0 +1,81 @@
+import type { Db } from "@paperclipai/db";
+import { companyMemberships } from "@paperclipai/db";
+import type { PermissionKey, PrincipalType } from "@paperclipai/shared";
+type MembershipRow = typeof companyMemberships.$inferSelect;
+type GrantInput = {
+    permissionKey: PermissionKey;
+    scope?: Record<string, unknown> | null;
+};
+export declare function accessService(db: Db): {
+    isInstanceAdmin: (userId: string | null | undefined) => Promise<boolean>;
+    canUser: (companyId: string, userId: string | null | undefined, permissionKey: PermissionKey) => Promise<boolean>;
+    hasPermission: (companyId: string, principalType: PrincipalType, principalId: string, permissionKey: PermissionKey) => Promise<boolean>;
+    getMembership: (companyId: string, principalType: PrincipalType, principalId: string) => Promise<MembershipRow | null>;
+    ensureMembership: (companyId: string, principalType: PrincipalType, principalId: string, membershipRole?: string | null, status?: "pending" | "active" | "suspended") => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }>;
+    listMembers: (companyId: string) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }[]>;
+    setMemberPermissions: (companyId: string, memberId: string, grants: GrantInput[], grantedByUserId: string | null) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    } | null>;
+    promoteInstanceAdmin: (userId: string) => Promise<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        role: string;
+    }>;
+    demoteInstanceAdmin: (userId: string) => Promise<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        role: string;
+    }>;
+    listUserCompanyAccess: (userId: string) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }[]>;
+    setUserCompanyAccess: (userId: string, companyIds: string[]) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }[]>;
+    setPrincipalGrants: (companyId: string, principalType: PrincipalType, principalId: string, grants: GrantInput[], grantedByUserId: string | null) => Promise<void>;
+};
+export {};
+//# sourceMappingURL=access.d.ts.map

package/dist/services/access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/services/access.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EACL,kBAAkB,EAGnB,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAExE,KAAK,aAAa,GAAG,OAAO,kBAAkB,CAAC,YAAY,CAAC;AAC5D,KAAK,UAAU,GAAG;IAChB,aAAa,EAAE,aAAa,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACxC,CAAC;AAEF,wBAAgB,aAAa,CAAC,EAAE,EAAE,EAAE;8BACK,MAAM,GAAG,IAAI,GAAG,SAAS,KAAG,OAAO,CAAC,OAAO,CAAC;yBAoDtE,MAAM,UACT,MAAM,GAAG,IAAI,GAAG,SAAS,iBAClB,aAAa,KAC3B,OAAO,CAAC,OAAO,CAAC;+BA1BN,MAAM,iBACF,aAAa,eACf,MAAM,iBACJ,aAAa,KAC3B,OAAO,CAAC,OAAO,CAAC;+BAtBN,MAAM,iBACF,aAAa,eACf,MAAM,KAClB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;kCA6JnB,MAAM,iBACF,aAAa,eACf,MAAM,mBACH,MAAM,GAAG,IAAI,WACrB,SAAS,GAAG,QAAQ,GAAG,WAAW;;;;;;;;;;6BAlHN,MAAM;;;;;;;;;;sCAS/B,MAAM,YACP,MAAM,UACR,UAAU,EAAE,mBACH,MAAM,GAAG,IAAI;;;;;;;;;;mCAsCY,MAAM;;;;;;;kCAiBP,MAAM;;;;;;;oCAQJ,MAAM;;;;;;;;;;mCAQP,MAAM,cAAc,MAAM,EAAE;;;;;;;;;;oCA6D3D,MAAM,iBACF,aAAa,eACf,MAAM,UACX,UAAU,EAAE,mBACH,MAAM,GAAG,IAAI;EA0CjC"}

package/dist/services/access.js

@@ -0,0 +1,187 @@
+import { and, eq, inArray, sql } from "drizzle-orm";
+import { companyMemberships, instanceUserRoles, principalPermissionGrants, } from "@paperclipai/db";
+export function accessService(db) {
+    async function isInstanceAdmin(userId) {
+        if (!userId)
+            return false;
+        const row = await db
+            .select({ id: instanceUserRoles.id })
+            .from(instanceUserRoles)
+            .where(and(eq(instanceUserRoles.userId, userId), eq(instanceUserRoles.role, "instance_admin")))
+            .then((rows) => rows[0] ?? null);
+        return Boolean(row);
+    }
+    async function getMembership(companyId, principalType, principalId) {
+        return db
+            .select()
+            .from(companyMemberships)
+            .where(and(eq(companyMemberships.companyId, companyId), eq(companyMemberships.principalType, principalType), eq(companyMemberships.principalId, principalId)))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function hasPermission(companyId, principalType, principalId, permissionKey) {
+        const membership = await getMembership(companyId, principalType, principalId);
+        if (!membership || membership.status !== "active")
+            return false;
+        const grant = await db
+            .select({ id: principalPermissionGrants.id })
+            .from(principalPermissionGrants)
+            .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, principalType), eq(principalPermissionGrants.principalId, principalId), eq(principalPermissionGrants.permissionKey, permissionKey)))
+            .then((rows) => rows[0] ?? null);
+        return Boolean(grant);
+    }
+    async function canUser(companyId, userId, permissionKey) {
+        if (!userId)
+            return false;
+        if (await isInstanceAdmin(userId))
+            return true;
+        return hasPermission(companyId, "user", userId, permissionKey);
+    }
+    async function listMembers(companyId) {
+        return db
+            .select()
+            .from(companyMemberships)
+            .where(eq(companyMemberships.companyId, companyId))
+            .orderBy(sql `${companyMemberships.createdAt} desc`);
+    }
+    async function setMemberPermissions(companyId, memberId, grants, grantedByUserId) {
+        const member = await db
+            .select()
+            .from(companyMemberships)
+            .where(and(eq(companyMemberships.companyId, companyId), eq(companyMemberships.id, memberId)))
+            .then((rows) => rows[0] ?? null);
+        if (!member)
+            return null;
+        await db.transaction(async (tx) => {
+            await tx
+                .delete(principalPermissionGrants)
+                .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, member.principalType), eq(principalPermissionGrants.principalId, member.principalId)));
+            if (grants.length > 0) {
+                await tx.insert(principalPermissionGrants).values(grants.map((grant) => ({
+                    companyId,
+                    principalType: member.principalType,
+                    principalId: member.principalId,
+                    permissionKey: grant.permissionKey,
+                    scope: grant.scope ?? null,
+                    grantedByUserId,
+                    createdAt: new Date(),
+                    updatedAt: new Date(),
+                })));
+            }
+        });
+        return member;
+    }
+    async function promoteInstanceAdmin(userId) {
+        const existing = await db
+            .select()
+            .from(instanceUserRoles)
+            .where(and(eq(instanceUserRoles.userId, userId), eq(instanceUserRoles.role, "instance_admin")))
+            .then((rows) => rows[0] ?? null);
+        if (existing)
+            return existing;
+        return db
+            .insert(instanceUserRoles)
+            .values({
+            userId,
+            role: "instance_admin",
+        })
+            .returning()
+            .then((rows) => rows[0]);
+    }
+    async function demoteInstanceAdmin(userId) {
+        return db
+            .delete(instanceUserRoles)
+            .where(and(eq(instanceUserRoles.userId, userId), eq(instanceUserRoles.role, "instance_admin")))
+            .returning()
+            .then((rows) => rows[0] ?? null);
+    }
+    async function listUserCompanyAccess(userId) {
+        return db
+            .select()
+            .from(companyMemberships)
+            .where(and(eq(companyMemberships.principalType, "user"), eq(companyMemberships.principalId, userId)))
+            .orderBy(sql `${companyMemberships.createdAt} desc`);
+    }
+    async function setUserCompanyAccess(userId, companyIds) {
+        const existing = await listUserCompanyAccess(userId);
+        const existingByCompany = new Map(existing.map((row) => [row.companyId, row]));
+        const target = new Set(companyIds);
+        await db.transaction(async (tx) => {
+            const toDelete = existing.filter((row) => !target.has(row.companyId)).map((row) => row.id);
+            if (toDelete.length > 0) {
+                await tx.delete(companyMemberships).where(inArray(companyMemberships.id, toDelete));
+            }
+            for (const companyId of target) {
+                if (existingByCompany.has(companyId))
+                    continue;
+                await tx.insert(companyMemberships).values({
+                    companyId,
+                    principalType: "user",
+                    principalId: userId,
+                    status: "active",
+                    membershipRole: "member",
+                });
+            }
+        });
+        return listUserCompanyAccess(userId);
+    }
+    async function ensureMembership(companyId, principalType, principalId, membershipRole = "member", status = "active") {
+        const existing = await getMembership(companyId, principalType, principalId);
+        if (existing) {
+            if (existing.status !== status || existing.membershipRole !== membershipRole) {
+                const updated = await db
+                    .update(companyMemberships)
+                    .set({ status, membershipRole, updatedAt: new Date() })
+                    .where(eq(companyMemberships.id, existing.id))
+                    .returning()
+                    .then((rows) => rows[0] ?? null);
+                return updated ?? existing;
+            }
+            return existing;
+        }
+        return db
+            .insert(companyMemberships)
+            .values({
+            companyId,
+            principalType,
+            principalId,
+            status,
+            membershipRole,
+        })
+            .returning()
+            .then((rows) => rows[0]);
+    }
+    async function setPrincipalGrants(companyId, principalType, principalId, grants, grantedByUserId) {
+        await db.transaction(async (tx) => {
+            await tx
+                .delete(principalPermissionGrants)
+                .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, principalType), eq(principalPermissionGrants.principalId, principalId)));
+            if (grants.length === 0)
+                return;
+            await tx.insert(principalPermissionGrants).values(grants.map((grant) => ({
+                companyId,
+                principalType,
+                principalId,
+                permissionKey: grant.permissionKey,
+                scope: grant.scope ?? null,
+                grantedByUserId,
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            })));
+        });
+    }
+    return {
+        isInstanceAdmin,
+        canUser,
+        hasPermission,
+        getMembership,
+        ensureMembership,
+        listMembers,
+        setMemberPermissions,
+        promoteInstanceAdmin,
+        demoteInstanceAdmin,
+        listUserCompanyAccess,
+        setUserCompanyAccess,
+        setPrincipalGrants,
+    };
+}
+//# sourceMappingURL=access.js.map

package/dist/services/access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/services/access.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAEpD,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AASzB,MAAM,UAAU,aAAa,CAAC,EAAM;IAClC,KAAK,UAAU,eAAe,CAAC,MAAiC;QAC9D,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,MAAM,GAAG,GAAG,MAAM,EAAE;aACjB,MAAM,CAAC,EAAE,EAAE,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC;aACpC,IAAI,CAAC,iBAAiB,CAAC;aACvB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC;aAC9F,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,UAAU,aAAa,CAC1B,SAAiB,EACjB,aAA4B,EAC5B,WAAmB;QAEnB,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,SAAS,CAAC,EAC3C,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,aAAa,CAAC,EACnD,EAAE,CAAC,kBAAkB,CAAC,WAAW,EAAE,WAAW,CAAC,CAChD,CACF;aACA,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,UAAU,aAAa,CAC1B,SAAiB,EACjB,aAA4B,EAC5B,WAAmB,EACnB,aAA4B;QAE5B,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;QAC9E,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAChE,MAAM,KAAK,GAAG,MAAM,EAAE;aACnB,MAAM,CAAC,EAAE,EAAE,EAAE,yBAAyB,CAAC,EAAE,EAAE,CAAC;aAC5C,IAAI,CAAC,yBAAyB,CAAC;aAC/B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,EAC1D,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,WAAW,CAAC,EACtD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,CAC3D,CACF;aACA,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IAED,KAAK,UAAU,OAAO,CACpB,SAAiB,EACjB,MAAiC,EACjC,aAA4B;QAE5B,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,IAAI,MAAM,eAAe,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,OAAO,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,UAAU,WAAW,CAAC,SAAiB;QAC1C,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;aAClD,OAAO,CAAC,GAAG,CAAA,GAAG,kBAAkB,CAAC,SAAS,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,SAAiB,EACjB,QAAgB,EAChB,MAAoB,EACpB,eAA8B;QAE9B,MAAM,MAAM,GAAG,MAAM,EAAE;aACpB,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;aAC5F,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YAChC,MAAM,EAAE;iBACL,MAAM,CAAC,yBAAyB,CAAC;iBACjC,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,EACjE,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAC9D,CACF,CAAC;YACJ,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,MAAM,EAAE,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAC/C,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACrB,SAAS;oBACT,aAAa,EAAE,MAAM,CAAC,aAAa;oBACnC,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,aAAa,EAAE,KAAK,CAAC,aAAa;oBAClC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;oBAC1B,eAAe;oBACf,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,SAAS,EAAE,IAAI,IAAI,EAAE;iBACtB,CAAC,CAAC,CACJ,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,UAAU,oBAAoB,CAAC,MAAc;QAChD,MAAM,QAAQ,GAAG,MAAM,EAAE;aACtB,MAAM,EAAE;aACR,IAAI,CAAC,iBAAiB,CAAC;aACvB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC;aAC9F,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAC9B,OAAO,EAAE;aACN,MAAM,CAAC,iBAAiB,CAAC;aACzB,MAAM,CAAC;YACN,MAAM;YACN,IAAI,EAAE,gBAAgB;SACvB,CAAC;aACD,SAAS,EAAE;aACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAAc;QAC/C,OAAO,EAAE;aACN,MAAM,CAAC,iBAAiB,CAAC;aACzB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC;aAC9F,SAAS,EAAE;aACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,UAAU,qBAAqB,CAAC,MAAc;QACjD,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;aACpG,OAAO,CAAC,GAAG,CAAA,GAAG,kBAAkB,CAAC,SAAS,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,UAAU,oBAAoB,CAAC,MAAc,EAAE,UAAoB;QACtE,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;QAC/E,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QAEnC,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YAChC,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC3F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;YACtF,CAAC;YAED,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE,CAAC;gBAC/B,IAAI,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC;oBAAE,SAAS;gBAC/C,MAAM,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC;oBACzC,SAAS;oBACT,aAAa,EAAE,MAAM;oBACrB,WAAW,EAAE,MAAM;oBACnB,MAAM,EAAE,QAAQ;oBAChB,cAAc,EAAE,QAAQ;iBACzB,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,qBAAqB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,UAAU,gBAAgB,CAC7B,SAAiB,EACjB,aAA4B,EAC5B,WAAmB,EACnB,iBAAgC,QAAQ,EACxC,SAA6C,QAAQ;QAErD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;QAC5E,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,cAAc,KAAK,cAAc,EAAE,CAAC;gBAC7E,MAAM,OAAO,GAAG,MAAM,EAAE;qBACrB,MAAM,CAAC,kBAAkB,CAAC;qBAC1B,GAAG,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;qBACtD,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC;qBAC7C,SAAS,EAAE;qBACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;gBACnC,OAAO,OAAO,IAAI,QAAQ,CAAC;YAC7B,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,EAAE;aACN,MAAM,CAAC,kBAAkB,CAAC;aAC1B,MAAM,CAAC;YACN,SAAS;YACT,aAAa;YACb,WAAW;YACX,MAAM;YACN,cAAc;SACf,CAAC;aACD,SAAS,EAAE;aACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,SAAiB,EACjB,aAA4B,EAC5B,WAAmB,EACnB,MAAoB,EACpB,eAA8B;QAE9B,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YAChC,MAAM,EAAE;iBACL,MAAM,CAAC,yBAAyB,CAAC;iBACjC,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,EAC1D,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,WAAW,CAAC,CACvD,CACF,CAAC;YACJ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO;YAChC,MAAM,EAAE,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAC/C,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,aAAa,EAAE,KAAK,CAAC,aAAa;gBAClC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;gBAC1B,eAAe;gBACf,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC,CACJ,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,eAAe;QACf,OAAO;QACP,aAAa;QACb,aAAa;QACb,gBAAgB;QAChB,WAAW;QACX,oBAAoB;QACpB,oBAAoB;QACpB,mBAAmB;QACnB,qBAAqB;QACrB,oBAAoB;QACpB,kBAAkB;KACnB,CAAC;AACJ,CAAC"}

package/dist/services/activity-log.d.ts

@@ -0,0 +1,14 @@
+import type { Db } from "@paperclipai/db";
+export interface LogActivityInput {
+    companyId: string;
+    actorType: "agent" | "user" | "system";
+    actorId: string;
+    action: string;
+    entityType: string;
+    entityId: string;
+    agentId?: string | null;
+    runId?: string | null;
+    details?: Record<string, unknown> | null;
+}
+export declare function logActivity(db: Db, input: LogActivityInput): Promise<void>;
+//# sourceMappingURL=activity-log.d.ts.map

package/dist/services/activity-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"activity-log.d.ts","sourceRoot":"","sources":["../../src/services/activity-log.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,iBAAiB,CAAC;AAK1C,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC1C;AAED,wBAAsB,WAAW,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,gBAAgB,iBA4BhE"}

package/dist/services/activity-log.js

@@ -0,0 +1,32 @@
+import { activityLog } from "@paperclipai/db";
+import { publishLiveEvent } from "./live-events.js";
+import { sanitizeRecord } from "../redaction.js";
+export async function logActivity(db, input) {
+    const sanitizedDetails = input.details ? sanitizeRecord(input.details) : null;
+    await db.insert(activityLog).values({
+        companyId: input.companyId,
+        actorType: input.actorType,
+        actorId: input.actorId,
+        action: input.action,
+        entityType: input.entityType,
+        entityId: input.entityId,
+        agentId: input.agentId ?? null,
+        runId: input.runId ?? null,
+        details: sanitizedDetails,
+    });
+    publishLiveEvent({
+        companyId: input.companyId,
+        type: "activity.logged",
+        payload: {
+            actorType: input.actorType,
+            actorId: input.actorId,
+            action: input.action,
+            entityType: input.entityType,
+            entityId: input.entityId,
+            agentId: input.agentId ?? null,
+            runId: input.runId ?? null,
+            details: sanitizedDetails,
+        },
+    });
+}
+//# sourceMappingURL=activity-log.js.map

package/dist/services/activity-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"activity-log.js","sourceRoot":"","sources":["../../src/services/activity-log.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAcjD,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,EAAM,EAAE,KAAuB;IAC/D,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9E,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;QAClC,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;QAC9B,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;QAC1B,OAAO,EAAE,gBAAgB;KAC1B,CAAC,CAAC;IAEH,gBAAgB,CAAC;QACf,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE;YACP,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;YAC9B,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;YAC1B,OAAO,EAAE,gBAAgB;SAC1B;KACF,CAAC,CAAC;AACL,CAAC"}