@paperclipai/server 0.2.2

package/dist/services/secrets.js

@@ -0,0 +1,284 @@
+import { and, desc, eq } from "drizzle-orm";
+import { companySecrets, companySecretVersions } from "@paperclipai/db";
+import { envBindingSchema } from "@paperclipai/shared";
+import { conflict, notFound, unprocessable } from "../errors.js";
+import { getSecretProvider, listSecretProviders } from "../secrets/provider-registry.js";
+const ENV_KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+const SENSITIVE_ENV_KEY_RE = /(api[-_]?key|access[-_]?token|auth(?:_?token)?|authorization|bearer|secret|passwd|password|credential|jwt|private[-_]?key|cookie|connectionstring)/i;
+const REDACTED_SENTINEL = "***REDACTED***";
+function asRecord(value) {
+    if (typeof value !== "object" || value === null || Array.isArray(value))
+        return null;
+    return value;
+}
+function isSensitiveEnvKey(key) {
+    return SENSITIVE_ENV_KEY_RE.test(key);
+}
+function canonicalizeBinding(binding) {
+    if (typeof binding === "string") {
+        return { type: "plain", value: binding };
+    }
+    if (binding.type === "plain") {
+        return { type: "plain", value: String(binding.value) };
+    }
+    return {
+        type: "secret_ref",
+        secretId: binding.secretId,
+        version: binding.version ?? "latest",
+    };
+}
+export function secretService(db) {
+    async function getById(id) {
+        return db
+            .select()
+            .from(companySecrets)
+            .where(eq(companySecrets.id, id))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function getByName(companyId, name) {
+        return db
+            .select()
+            .from(companySecrets)
+            .where(and(eq(companySecrets.companyId, companyId), eq(companySecrets.name, name)))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function getSecretVersion(secretId, version) {
+        return db
+            .select()
+            .from(companySecretVersions)
+            .where(and(eq(companySecretVersions.secretId, secretId), eq(companySecretVersions.version, version)))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function assertSecretInCompany(companyId, secretId) {
+        const secret = await getById(secretId);
+        if (!secret)
+            throw notFound("Secret not found");
+        if (secret.companyId !== companyId)
+            throw unprocessable("Secret must belong to same company");
+        return secret;
+    }
+    async function resolveSecretValue(companyId, secretId, version) {
+        const secret = await assertSecretInCompany(companyId, secretId);
+        const resolvedVersion = version === "latest" ? secret.latestVersion : version;
+        const versionRow = await getSecretVersion(secret.id, resolvedVersion);
+        if (!versionRow)
+            throw notFound("Secret version not found");
+        const provider = getSecretProvider(secret.provider);
+        return provider.resolveVersion({
+            material: versionRow.material,
+            externalRef: secret.externalRef,
+        });
+    }
+    async function normalizeEnvConfig(companyId, envValue, opts) {
+        const record = asRecord(envValue);
+        if (!record)
+            throw unprocessable("adapterConfig.env must be an object");
+        const normalized = {};
+        for (const [key, rawBinding] of Object.entries(record)) {
+            if (!ENV_KEY_RE.test(key)) {
+                throw unprocessable(`Invalid environment variable name: ${key}`);
+            }
+            const parsed = envBindingSchema.safeParse(rawBinding);
+            if (!parsed.success) {
+                throw unprocessable(`Invalid environment binding for key: ${key}`);
+            }
+            const binding = canonicalizeBinding(parsed.data);
+            if (binding.type === "plain") {
+                if (opts?.strictMode && isSensitiveEnvKey(key) && binding.value.trim().length > 0) {
+                    throw unprocessable(`Strict secret mode requires secret references for sensitive key: ${key}`);
+                }
+                if (binding.value === REDACTED_SENTINEL) {
+                    throw unprocessable(`Refusing to persist redacted placeholder for key: ${key}`);
+                }
+                normalized[key] = binding;
+                continue;
+            }
+            await assertSecretInCompany(companyId, binding.secretId);
+            normalized[key] = {
+                type: "secret_ref",
+                secretId: binding.secretId,
+                version: binding.version,
+            };
+        }
+        return normalized;
+    }
+    async function normalizeAdapterConfigForPersistenceInternal(companyId, adapterConfig, opts) {
+        const normalized = { ...adapterConfig };
+        if (!Object.prototype.hasOwnProperty.call(adapterConfig, "env")) {
+            return normalized;
+        }
+        normalized.env = await normalizeEnvConfig(companyId, adapterConfig.env, opts);
+        return normalized;
+    }
+    return {
+        listProviders: () => listSecretProviders(),
+        list: (companyId) => db
+            .select()
+            .from(companySecrets)
+            .where(eq(companySecrets.companyId, companyId))
+            .orderBy(desc(companySecrets.createdAt)),
+        getById,
+        getByName,
+        create: async (companyId, input, actor) => {
+            const existing = await getByName(companyId, input.name);
+            if (existing)
+                throw conflict(`Secret already exists: ${input.name}`);
+            const provider = getSecretProvider(input.provider);
+            const prepared = await provider.createVersion({
+                value: input.value,
+                externalRef: input.externalRef ?? null,
+            });
+            return db.transaction(async (tx) => {
+                const secret = await tx
+                    .insert(companySecrets)
+                    .values({
+                    companyId,
+                    name: input.name,
+                    provider: input.provider,
+                    externalRef: prepared.externalRef,
+                    latestVersion: 1,
+                    description: input.description ?? null,
+                    createdByAgentId: actor?.agentId ?? null,
+                    createdByUserId: actor?.userId ?? null,
+                })
+                    .returning()
+                    .then((rows) => rows[0]);
+                await tx.insert(companySecretVersions).values({
+                    secretId: secret.id,
+                    version: 1,
+                    material: prepared.material,
+                    valueSha256: prepared.valueSha256,
+                    createdByAgentId: actor?.agentId ?? null,
+                    createdByUserId: actor?.userId ?? null,
+                });
+                return secret;
+            });
+        },
+        rotate: async (secretId, input, actor) => {
+            const secret = await getById(secretId);
+            if (!secret)
+                throw notFound("Secret not found");
+            const provider = getSecretProvider(secret.provider);
+            const nextVersion = secret.latestVersion + 1;
+            const prepared = await provider.createVersion({
+                value: input.value,
+                externalRef: input.externalRef ?? secret.externalRef ?? null,
+            });
+            return db.transaction(async (tx) => {
+                await tx.insert(companySecretVersions).values({
+                    secretId: secret.id,
+                    version: nextVersion,
+                    material: prepared.material,
+                    valueSha256: prepared.valueSha256,
+                    createdByAgentId: actor?.agentId ?? null,
+                    createdByUserId: actor?.userId ?? null,
+                });
+                const updated = await tx
+                    .update(companySecrets)
+                    .set({
+                    latestVersion: nextVersion,
+                    externalRef: prepared.externalRef,
+                    updatedAt: new Date(),
+                })
+                    .where(eq(companySecrets.id, secret.id))
+                    .returning()
+                    .then((rows) => rows[0] ?? null);
+                if (!updated)
+                    throw notFound("Secret not found");
+                return updated;
+            });
+        },
+        update: async (secretId, patch) => {
+            const secret = await getById(secretId);
+            if (!secret)
+                throw notFound("Secret not found");
+            if (patch.name && patch.name !== secret.name) {
+                const duplicate = await getByName(secret.companyId, patch.name);
+                if (duplicate && duplicate.id !== secret.id) {
+                    throw conflict(`Secret already exists: ${patch.name}`);
+                }
+            }
+            return db
+                .update(companySecrets)
+                .set({
+                name: patch.name ?? secret.name,
+                description: patch.description === undefined ? secret.description : patch.description,
+                externalRef: patch.externalRef === undefined ? secret.externalRef : patch.externalRef,
+                updatedAt: new Date(),
+            })
+                .where(eq(companySecrets.id, secret.id))
+                .returning()
+                .then((rows) => rows[0] ?? null);
+        },
+        remove: async (secretId) => {
+            const secret = await getById(secretId);
+            if (!secret)
+                return null;
+            await db.delete(companySecrets).where(eq(companySecrets.id, secretId));
+            return secret;
+        },
+        normalizeAdapterConfigForPersistence: async (companyId, adapterConfig, opts) => normalizeAdapterConfigForPersistenceInternal(companyId, adapterConfig, opts),
+        normalizeHireApprovalPayloadForPersistence: async (companyId, payload, opts) => {
+            const normalized = { ...payload };
+            const adapterConfig = asRecord(payload.adapterConfig);
+            if (adapterConfig) {
+                normalized.adapterConfig = await normalizeAdapterConfigForPersistenceInternal(companyId, adapterConfig, opts);
+            }
+            return normalized;
+        },
+        resolveEnvBindings: async (companyId, envValue) => {
+            const record = asRecord(envValue);
+            if (!record)
+                return {};
+            const resolved = {};
+            for (const [key, rawBinding] of Object.entries(record)) {
+                if (!ENV_KEY_RE.test(key)) {
+                    throw unprocessable(`Invalid environment variable name: ${key}`);
+                }
+                const parsed = envBindingSchema.safeParse(rawBinding);
+                if (!parsed.success) {
+                    throw unprocessable(`Invalid environment binding for key: ${key}`);
+                }
+                const binding = canonicalizeBinding(parsed.data);
+                if (binding.type === "plain") {
+                    resolved[key] = binding.value;
+                }
+                else {
+                    resolved[key] = await resolveSecretValue(companyId, binding.secretId, binding.version);
+                }
+            }
+            return resolved;
+        },
+        resolveAdapterConfigForRuntime: async (companyId, adapterConfig) => {
+            const resolved = { ...adapterConfig };
+            if (!Object.prototype.hasOwnProperty.call(adapterConfig, "env")) {
+                return resolved;
+            }
+            const record = asRecord(adapterConfig.env);
+            if (!record) {
+                resolved.env = {};
+                return resolved;
+            }
+            const env = {};
+            for (const [key, rawBinding] of Object.entries(record)) {
+                if (!ENV_KEY_RE.test(key)) {
+                    throw unprocessable(`Invalid environment variable name: ${key}`);
+                }
+                const parsed = envBindingSchema.safeParse(rawBinding);
+                if (!parsed.success) {
+                    throw unprocessable(`Invalid environment binding for key: ${key}`);
+                }
+                const binding = canonicalizeBinding(parsed.data);
+                if (binding.type === "plain") {
+                    env[key] = binding.value;
+                }
+                else {
+                    env[key] = await resolveSecretValue(companyId, binding.secretId, binding.version);
+                }
+            }
+            resolved.env = env;
+            return resolved;
+        },
+    };
+}
+//# sourceMappingURL=secrets.js.map

package/dist/services/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../src/services/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AAEzF,MAAM,UAAU,GAAG,0BAA0B,CAAC;AAC9C,MAAM,oBAAoB,GACxB,qJAAqJ,CAAC;AACxJ,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAM3C,SAAS,QAAQ,CAAC,KAAc;IAC9B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrF,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,OAAO,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAmB;IAC9C,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC3C,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC7B,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;IACzD,CAAC;IACD,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,QAAQ;KACrC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,EAAM;IAClC,KAAK,UAAU,OAAO,CAAC,EAAU;QAC/B,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,cAAc,CAAC;aACpB,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;aAChC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,UAAU,SAAS,CAAC,SAAiB,EAAE,IAAY;QACtD,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,cAAc,CAAC;aACpB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,cAAc,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;aAClF,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,UAAU,gBAAgB,CAAC,QAAgB,EAAE,OAAe;QAC/D,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,qBAAqB,CAAC;aAC3B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAC5C,EAAE,CAAC,qBAAqB,CAAC,OAAO,EAAE,OAAO,CAAC,CAC3C,CACF;aACA,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,UAAU,qBAAqB,CAAC,SAAiB,EAAE,QAAgB;QACtE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM;YAAE,MAAM,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS;YAAE,MAAM,aAAa,CAAC,oCAAoC,CAAC,CAAC;QAC9F,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,SAAiB,EACjB,QAAgB,EAChB,OAA0B;QAE1B,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAChE,MAAM,eAAe,GAAG,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC;QAC9E,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,EAAE,EAAE,eAAe,CAAC,CAAC;QACtE,IAAI,CAAC,UAAU;YAAE,MAAM,QAAQ,CAAC,0BAA0B,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC,QAA0B,CAAC,CAAC;QACtE,OAAO,QAAQ,CAAC,cAAc,CAAC;YAC7B,QAAQ,EAAE,UAAU,CAAC,QAAmC;YACxD,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,SAAiB,EACjB,QAAiB,EACjB,IAA+B;QAE/B,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM;YAAE,MAAM,aAAa,CAAC,qCAAqC,CAAC,CAAC;QAExE,MAAM,UAAU,GAAmB,EAAE,CAAC;QACtC,KAAK,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,MAAM,aAAa,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAC;YACnE,CAAC;YAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;YACtD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,aAAa,CAAC,wCAAwC,GAAG,EAAE,CAAC,CAAC;YACrE,CAAC;YAED,MAAM,OAAO,GAAG,mBAAmB,CAAC,MAAM,CAAC,IAAkB,CAAC,CAAC;YAC/D,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC7B,IAAI,IAAI,EAAE,UAAU,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAClF,MAAM,aAAa,CACjB,oEAAoE,GAAG,EAAE,CAC1E,CAAC;gBACJ,CAAC;gBACD,IAAI,OAAO,CAAC,KAAK,KAAK,iBAAiB,EAAE,CAAC;oBACxC,MAAM,aAAa,CAAC,qDAAqD,GAAG,EAAE,CAAC,CAAC;gBAClF,CAAC;gBACD,UAAU,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC;gBAC1B,SAAS;YACX,CAAC;YAED,MAAM,qBAAqB,CAAC,SAAS,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YACzD,UAAU,CAAC,GAAG,CAAC,GAAG;gBAChB,IAAI,EAAE,YAAY;gBAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;aACzB,CAAC;QACJ,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,KAAK,UAAU,4CAA4C,CACzD,SAAiB,EACjB,aAAsC,EACtC,IAA+B;QAE/B,MAAM,UAAU,GAAG,EAAE,GAAG,aAAa,EAAE,CAAC;QACxC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,EAAE,CAAC;YAChE,OAAO,UAAU,CAAC;QACpB,CAAC;QACD,UAAU,CAAC,GAAG,GAAG,MAAM,kBAAkB,CAAC,SAAS,EAAE,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC9E,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO;QACL,aAAa,EAAE,GAAG,EAAE,CAAC,mBAAmB,EAAE;QAE1C,IAAI,EAAE,CAAC,SAAiB,EAAE,EAAE,CAC1B,EAAE;aACC,MAAM,EAAE;aACR,IAAI,CAAC,cAAc,CAAC;aACpB,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;aAC9C,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QAE5C,OAAO;QACP,SAAS;QAET,MAAM,EAAE,KAAK,EACX,SAAiB,EACjB,KAMC,EACD,KAA2D,EAC3D,EAAE;YACF,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACxD,IAAI,QAAQ;gBAAE,MAAM,QAAQ,CAAC,0BAA0B,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YAErE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC;gBAC5C,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;aACvC,CAAC,CAAC;YAEH,OAAO,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;gBACjC,MAAM,MAAM,GAAG,MAAM,EAAE;qBACpB,MAAM,CAAC,cAAc,CAAC;qBACtB,MAAM,CAAC;oBACN,SAAS;oBACT,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,WAAW,EAAE,QAAQ,CAAC,WAAW;oBACjC,aAAa,EAAE,CAAC;oBAChB,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;oBACtC,gBAAgB,EAAE,KAAK,EAAE,OAAO,IAAI,IAAI;oBACxC,eAAe,EAAE,KAAK,EAAE,MAAM,IAAI,IAAI;iBACvC,CAAC;qBACD,SAAS,EAAE;qBACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBAE3B,MAAM,EAAE,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,MAAM,CAAC;oBAC5C,QAAQ,EAAE,MAAM,CAAC,EAAE;oBACnB,OAAO,EAAE,CAAC;oBACV,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,WAAW,EAAE,QAAQ,CAAC,WAAW;oBACjC,gBAAgB,EAAE,KAAK,EAAE,OAAO,IAAI,IAAI;oBACxC,eAAe,EAAE,KAAK,EAAE,MAAM,IAAI,IAAI;iBACvC,CAAC,CAAC;gBAEH,OAAO,MAAM,CAAC;YAChB,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,KAAK,EACX,QAAgB,EAChB,KAAqD,EACrD,KAA2D,EAC3D,EAAE;YACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM;gBAAE,MAAM,QAAQ,CAAC,kBAAkB,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC,QAA0B,CAAC,CAAC;YACtE,MAAM,WAAW,GAAG,MAAM,CAAC,aAAa,GAAG,CAAC,CAAC;YAC7C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC;gBAC5C,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,IAAI,IAAI;aAC7D,CAAC,CAAC;YAEH,OAAO,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;gBACjC,MAAM,EAAE,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,MAAM,CAAC;oBAC5C,QAAQ,EAAE,MAAM,CAAC,EAAE;oBACnB,OAAO,EAAE,WAAW;oBACpB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,WAAW,EAAE,QAAQ,CAAC,WAAW;oBACjC,gBAAgB,EAAE,KAAK,EAAE,OAAO,IAAI,IAAI;oBACxC,eAAe,EAAE,KAAK,EAAE,MAAM,IAAI,IAAI;iBACvC,CAAC,CAAC;gBAEH,MAAM,OAAO,GAAG,MAAM,EAAE;qBACrB,MAAM,CAAC,cAAc,CAAC;qBACtB,GAAG,CAAC;oBACH,aAAa,EAAE,WAAW;oBAC1B,WAAW,EAAE,QAAQ,CAAC,WAAW;oBACjC,SAAS,EAAE,IAAI,IAAI,EAAE;iBACtB,CAAC;qBACD,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;qBACvC,SAAS,EAAE;qBACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;gBAEnC,IAAI,CAAC,OAAO;oBAAE,MAAM,QAAQ,CAAC,kBAAkB,CAAC,CAAC;gBACjD,OAAO,OAAO,CAAC;YACjB,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,KAAK,EACX,QAAgB,EAChB,KAAkF,EAClF,EAAE;YACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM;gBAAE,MAAM,QAAQ,CAAC,kBAAkB,CAAC,CAAC;YAEhD,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC7C,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChE,IAAI,SAAS,IAAI,SAAS,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;oBAC5C,MAAM,QAAQ,CAAC,0BAA0B,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAED,OAAO,EAAE;iBACN,MAAM,CAAC,cAAc,CAAC;iBACtB,GAAG,CAAC;gBACH,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI;gBAC/B,WAAW,EACT,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW;gBAC1E,WAAW,EACT,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW;gBAC1E,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;iBACD,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;iBACvC,SAAS,EAAE;iBACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACrC,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,QAAgB,EAAE,EAAE;YACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,CAAC,MAAM;gBAAE,OAAO,IAAI,CAAC;YACzB,MAAM,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;YACvE,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,oCAAoC,EAAE,KAAK,EACzC,SAAiB,EACjB,aAAsC,EACtC,IAA+B,EAC/B,EAAE,CAAC,4CAA4C,CAAC,SAAS,EAAE,aAAa,EAAE,IAAI,CAAC;QAEjF,0CAA0C,EAAE,KAAK,EAC/C,SAAiB,EACjB,OAAgC,EAChC,IAA+B,EAC/B,EAAE;YACF,MAAM,UAAU,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;YAClC,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;YACtD,IAAI,aAAa,EAAE,CAAC;gBAClB,UAAU,CAAC,aAAa,GAAG,MAAM,4CAA4C,CAC3E,SAAS,EACT,aAAa,EACb,IAAI,CACL,CAAC;YACJ,CAAC;YACD,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,kBAAkB,EAAE,KAAK,EAAE,SAAiB,EAAE,QAAiB,EAAE,EAAE;YACjE,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAClC,IAAI,CAAC,MAAM;gBAAE,OAAO,EAA4B,CAAC;YACjD,MAAM,QAAQ,GAA2B,EAAE,CAAC;YAE5C,KAAK,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC1B,MAAM,aAAa,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAC;gBACnE,CAAC;gBACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;gBACtD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,MAAM,aAAa,CAAC,wCAAwC,GAAG,EAAE,CAAC,CAAC;gBACrE,CAAC;gBACD,MAAM,OAAO,GAAG,mBAAmB,CAAC,MAAM,CAAC,IAAkB,CAAC,CAAC;gBAC/D,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBAC7B,QAAQ,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC;gBAChC,CAAC;qBAAM,CAAC;oBACN,QAAQ,CAAC,GAAG,CAAC,GAAG,MAAM,kBAAkB,CAAC,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;gBACzF,CAAC;YACH,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,8BAA8B,EAAE,KAAK,EAAE,SAAiB,EAAE,aAAsC,EAAE,EAAE;YAClG,MAAM,QAAQ,GAAG,EAAE,GAAG,aAAa,EAAE,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,EAAE,CAAC;gBAChE,OAAO,QAAQ,CAAC;YAClB,CAAC;YACD,MAAM,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;YAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,QAAQ,CAAC,GAAG,GAAG,EAAE,CAAC;gBAClB,OAAO,QAAQ,CAAC;YAClB,CAAC;YACD,MAAM,GAAG,GAA2B,EAAE,CAAC;YACvC,KAAK,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC1B,MAAM,aAAa,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAC;gBACnE,CAAC;gBACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;gBACtD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,MAAM,aAAa,CAAC,wCAAwC,GAAG,EAAE,CAAC,CAAC;gBACrE,CAAC;gBACD,MAAM,OAAO,GAAG,mBAAmB,CAAC,MAAM,CAAC,IAAkB,CAAC,CAAC;gBAC/D,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBAC7B,GAAG,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC;gBAC3B,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,GAAG,CAAC,GAAG,MAAM,kBAAkB,CAAC,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;YACD,QAAQ,CAAC,GAAG,GAAG,GAAG,CAAC;YACnB,OAAO,QAAQ,CAAC;QAClB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/services/sidebar-badges.d.ts

@@ -0,0 +1,9 @@
+import type { Db } from "@paperclipai/db";
+import type { SidebarBadges } from "@paperclipai/shared";
+export declare function sidebarBadgeService(db: Db): {
+    get: (companyId: string, extra?: {
+        joinRequests?: number;
+        assignedIssues?: number;
+    }) => Promise<SidebarBadges>;
+};
+//# sourceMappingURL=sidebar-badges.d.ts.map

package/dist/services/sidebar-badges.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sidebar-badges.d.ts","sourceRoot":"","sources":["../../src/services/sidebar-badges.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,iBAAiB,CAAC;AAE1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAKzD,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,EAAE;qBAGzB,MAAM,UACT;QAAE,YAAY,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,CAAC,EAAE,MAAM,CAAA;KAAE,KACzD,OAAO,CAAC,aAAa,CAAC;EAyC5B"}

package/dist/services/sidebar-badges.js

@@ -0,0 +1,33 @@
+import { and, desc, eq, inArray, not, sql } from "drizzle-orm";
+import { agents, approvals, heartbeatRuns } from "@paperclipai/db";
+const ACTIONABLE_APPROVAL_STATUSES = ["pending", "revision_requested"];
+const FAILED_HEARTBEAT_STATUSES = ["failed", "timed_out"];
+export function sidebarBadgeService(db) {
+    return {
+        get: async (companyId, extra) => {
+            const actionableApprovals = await db
+                .select({ count: sql `count(*)` })
+                .from(approvals)
+                .where(and(eq(approvals.companyId, companyId), inArray(approvals.status, ACTIONABLE_APPROVAL_STATUSES)))
+                .then((rows) => Number(rows[0]?.count ?? 0));
+            const latestRunByAgent = await db
+                .selectDistinctOn([heartbeatRuns.agentId], {
+                runStatus: heartbeatRuns.status,
+            })
+                .from(heartbeatRuns)
+                .innerJoin(agents, eq(heartbeatRuns.agentId, agents.id))
+                .where(and(eq(heartbeatRuns.companyId, companyId), eq(agents.companyId, companyId), not(eq(agents.status, "terminated"))))
+                .orderBy(heartbeatRuns.agentId, desc(heartbeatRuns.createdAt));
+            const failedRuns = latestRunByAgent.filter((row) => FAILED_HEARTBEAT_STATUSES.includes(row.runStatus)).length;
+            const joinRequests = extra?.joinRequests ?? 0;
+            const assignedIssues = extra?.assignedIssues ?? 0;
+            return {
+                inbox: actionableApprovals + failedRuns + joinRequests + assignedIssues,
+                approvals: actionableApprovals,
+                failedRuns,
+                joinRequests,
+            };
+        },
+    };
+}
+//# sourceMappingURL=sidebar-badges.js.map

package/dist/services/sidebar-badges.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sidebar-badges.js","sourceRoot":"","sources":["../../src/services/sidebar-badges.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAE/D,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGnE,MAAM,4BAA4B,GAAG,CAAC,SAAS,EAAE,oBAAoB,CAAC,CAAC;AACvE,MAAM,yBAAyB,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;AAE1D,MAAM,UAAU,mBAAmB,CAAC,EAAM;IACxC,OAAO;QACL,GAAG,EAAE,KAAK,EACR,SAAiB,EACjB,KAA0D,EAClC,EAAE;YAC1B,MAAM,mBAAmB,GAAG,MAAM,EAAE;iBACjC,MAAM,CAAC,EAAE,KAAK,EAAE,GAAG,CAAQ,UAAU,EAAE,CAAC;iBACxC,IAAI,CAAC,SAAS,CAAC;iBACf,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,EAClC,OAAO,CAAC,SAAS,CAAC,MAAM,EAAE,4BAA4B,CAAC,CACxD,CACF;iBACA,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC;YAE/C,MAAM,gBAAgB,GAAG,MAAM,EAAE;iBAC9B,gBAAgB,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE;gBACzC,SAAS,EAAE,aAAa,CAAC,MAAM;aAChC,CAAC;iBACD,IAAI,CAAC,aAAa,CAAC;iBACnB,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;iBACvD,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,CAAC,EACtC,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,EAC/B,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CACrC,CACF;iBACA,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;YAEjE,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CACjD,yBAAyB,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAClD,CAAC,MAAM,CAAC;YAET,MAAM,YAAY,GAAG,KAAK,EAAE,YAAY,IAAI,CAAC,CAAC;YAC9C,MAAM,cAAc,GAAG,KAAK,EAAE,cAAc,IAAI,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,mBAAmB,GAAG,UAAU,GAAG,YAAY,GAAG,cAAc;gBACvE,SAAS,EAAE,mBAAmB;gBAC9B,UAAU;gBACV,YAAY;aACb,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/startup-banner.d.ts

@@ -0,0 +1,27 @@
+import type { DeploymentExposure, DeploymentMode } from "@paperclipai/shared";
+type UiMode = "none" | "static" | "vite-dev";
+type ExternalPostgresInfo = {
+    mode: "external-postgres";
+    connectionString: string;
+};
+type EmbeddedPostgresInfo = {
+    mode: "embedded-postgres";
+    dataDir: string;
+    port: number;
+};
+type StartupBannerOptions = {
+    host: string;
+    deploymentMode: DeploymentMode;
+    deploymentExposure: DeploymentExposure;
+    authReady: boolean;
+    requestedPort: number;
+    listenPort: number;
+    uiMode: UiMode;
+    db: ExternalPostgresInfo | EmbeddedPostgresInfo;
+    migrationSummary: string;
+    heartbeatSchedulerEnabled: boolean;
+    heartbeatSchedulerIntervalMs: number;
+};
+export declare function printStartupBanner(opts: StartupBannerOptions): void;
+export {};
+//# sourceMappingURL=startup-banner.d.ts.map

package/dist/startup-banner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"startup-banner.d.ts","sourceRoot":"","sources":["../src/startup-banner.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAI9E,KAAK,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,UAAU,CAAC;AAE7C,KAAK,oBAAoB,GAAG;IAC1B,IAAI,EAAE,mBAAmB,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,IAAI,EAAE,mBAAmB,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,cAAc,CAAC;IAC/B,kBAAkB,EAAE,kBAAkB,CAAC;IACvC,SAAS,EAAE,OAAO,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,EAAE,EAAE,oBAAoB,GAAG,oBAAoB,CAAC;IAChD,gBAAgB,EAAE,MAAM,CAAC;IACzB,yBAAyB,EAAE,OAAO,CAAC;IACnC,4BAA4B,EAAE,MAAM,CAAC;CACtC,CAAC;AA+DF,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,oBAAoB,GAAG,IAAI,CAuEnE"}

package/dist/startup-banner.js

@@ -0,0 +1,112 @@
+import { existsSync, readFileSync } from "node:fs";
+import { resolvePaperclipConfigPath, resolvePaperclipEnvPath } from "./paths.js";
+import { parse as parseEnvFileContents } from "dotenv";
+const ansi = {
+    reset: "\x1b[0m",
+    bold: "\x1b[1m",
+    dim: "\x1b[2m",
+    cyan: "\x1b[36m",
+    green: "\x1b[32m",
+    yellow: "\x1b[33m",
+    magenta: "\x1b[35m",
+    blue: "\x1b[34m",
+};
+function color(text, c) {
+    return `${ansi[c]}${text}${ansi.reset}`;
+}
+function row(label, value) {
+    return `${color(label.padEnd(16), "dim")} ${value}`;
+}
+function redactConnectionString(raw) {
+    try {
+        const u = new URL(raw);
+        const user = u.username || "user";
+        const auth = `${user}:***@`;
+        return `${u.protocol}//${auth}${u.host}${u.pathname}`;
+    }
+    catch {
+        return "<invalid DATABASE_URL>";
+    }
+}
+function resolveAgentJwtSecretStatus(envFilePath) {
+    const envValue = process.env.PAPERCLIP_AGENT_JWT_SECRET?.trim();
+    if (envValue) {
+        return {
+            status: "pass",
+            message: "set",
+        };
+    }
+    if (existsSync(envFilePath)) {
+        const parsed = parseEnvFileContents(readFileSync(envFilePath, "utf-8"));
+        const fileValue = typeof parsed.PAPERCLIP_AGENT_JWT_SECRET === "string" ? parsed.PAPERCLIP_AGENT_JWT_SECRET.trim() : "";
+        if (fileValue) {
+            return {
+                status: "warn",
+                message: `found in ${envFilePath} but not loaded`,
+            };
+        }
+    }
+    return {
+        status: "warn",
+        message: "missing (run `pnpm paperclipai onboard`)",
+    };
+}
+export function printStartupBanner(opts) {
+    const baseHost = opts.host === "0.0.0.0" ? "localhost" : opts.host;
+    const baseUrl = `http://${baseHost}:${opts.listenPort}`;
+    const apiUrl = `${baseUrl}/api`;
+    const uiUrl = opts.uiMode === "none" ? "disabled" : baseUrl;
+    const configPath = resolvePaperclipConfigPath();
+    const envFilePath = resolvePaperclipEnvPath();
+    const agentJwtSecret = resolveAgentJwtSecretStatus(envFilePath);
+    const dbMode = opts.db.mode === "embedded-postgres"
+        ? color("embedded-postgres", "green")
+        : color("external-postgres", "yellow");
+    const uiMode = opts.uiMode === "vite-dev"
+        ? color("vite-dev-middleware", "cyan")
+        : opts.uiMode === "static"
+            ? color("static-ui", "magenta")
+            : color("headless-api", "yellow");
+    const portValue = opts.requestedPort === opts.listenPort
+        ? `${opts.listenPort}`
+        : `${opts.listenPort} ${color(`(requested ${opts.requestedPort})`, "dim")}`;
+    const dbDetails = opts.db.mode === "embedded-postgres"
+        ? `${opts.db.dataDir} ${color(`(pg:${opts.db.port})`, "dim")}`
+        : redactConnectionString(opts.db.connectionString);
+    const heartbeat = opts.heartbeatSchedulerEnabled
+        ? `enabled ${color(`(${opts.heartbeatSchedulerIntervalMs}ms)`, "dim")}`
+        : color("disabled", "yellow");
+    const art = [
+        color("██████╗  █████╗ ██████╗ ███████╗██████╗  ██████╗██╗     ██╗██████╗ ", "cyan"),
+        color("██╔══██╗██╔══██╗██╔══██╗██╔════╝██╔══██╗██╔════╝██║     ██║██╔══██╗", "cyan"),
+        color("██████╔╝███████║██████╔╝█████╗  ██████╔╝██║     ██║     ██║██████╔╝", "cyan"),
+        color("██╔═══╝ ██╔══██║██╔═══╝ ██╔══╝  ██╔══██╗██║     ██║     ██║██╔═══╝ ", "cyan"),
+        color("██║     ██║  ██║██║     ███████╗██║  ██║╚██████╗███████╗██║██║     ", "cyan"),
+        color("╚═╝     ╚═╝  ╚═╝╚═╝     ╚══════╝╚═╝  ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝     ", "cyan"),
+    ];
+    const lines = [
+        "",
+        ...art,
+        color("  ───────────────────────────────────────────────────────", "blue"),
+        row("Mode", `${dbMode}  |  ${uiMode}`),
+        row("Deploy", `${opts.deploymentMode} (${opts.deploymentExposure})`),
+        row("Auth", opts.authReady ? color("ready", "green") : color("not-ready", "yellow")),
+        row("Server", portValue),
+        row("API", `${apiUrl} ${color(`(health: ${apiUrl}/health)`, "dim")}`),
+        row("UI", uiUrl),
+        row("Database", dbDetails),
+        row("Migrations", opts.migrationSummary),
+        row("Agent JWT", agentJwtSecret.status === "pass"
+            ? color(agentJwtSecret.message, "green")
+            : color(agentJwtSecret.message, "yellow")),
+        row("Heartbeat", heartbeat),
+        row("Config", configPath),
+        agentJwtSecret.status === "warn"
+            ? color("  ───────────────────────────────────────────────────────", "yellow")
+            : null,
+        color("  ───────────────────────────────────────────────────────", "blue"),
+        "",
+    ];
+    console.log(lines.filter((line) => line !== null).join("\n"));
+}
+//# sourceMappingURL=startup-banner.js.map

package/dist/startup-banner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"startup-banner.js","sourceRoot":"","sources":["../src/startup-banner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,0BAA0B,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAGjF,OAAO,EAAE,KAAK,IAAI,oBAAoB,EAAE,MAAM,QAAQ,CAAC;AA6BvD,MAAM,IAAI,GAAG;IACX,KAAK,EAAE,SAAS;IAChB,IAAI,EAAE,SAAS;IACf,GAAG,EAAE,SAAS;IACd,IAAI,EAAE,UAAU;IAChB,KAAK,EAAE,UAAU;IACjB,MAAM,EAAE,UAAU;IAClB,OAAO,EAAE,UAAU;IACnB,IAAI,EAAE,UAAU;CACjB,CAAC;AAEF,SAAS,KAAK,CAAC,IAAY,EAAE,CAAoB;IAC/C,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,GAAG,CAAC,KAAa,EAAE,KAAa;IACvC,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,IAAI,KAAK,EAAE,CAAC;AACtD,CAAC;AAED,SAAS,sBAAsB,CAAC,GAAW;IACzC,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,IAAI,MAAM,CAAC;QAClC,MAAM,IAAI,GAAG,GAAG,IAAI,OAAO,CAAC;QAC5B,OAAO,GAAG,CAAC,CAAC,QAAQ,KAAK,IAAI,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,wBAAwB,CAAC;IAClC,CAAC;AACH,CAAC;AAED,SAAS,2BAA2B,CAClC,WAAmB;IAKnB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,EAAE,CAAC;IAChE,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,KAAK;SACf,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,oBAAoB,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,OAAO,MAAM,CAAC,0BAA0B,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,0BAA0B,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACxH,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,YAAY,WAAW,iBAAiB;aAClD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,0CAA0C;KACpD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,IAA0B;IAC3D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;IACnE,MAAM,OAAO,GAAG,UAAU,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;IACxD,MAAM,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5D,MAAM,UAAU,GAAG,0BAA0B,EAAE,CAAC;IAChD,MAAM,WAAW,GAAG,uBAAuB,EAAE,CAAC;IAC9C,MAAM,cAAc,GAAG,2BAA2B,CAAC,WAAW,CAAC,CAAC;IAEhE,MAAM,MAAM,GACV,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,mBAAmB;QAClC,CAAC,CAAC,KAAK,CAAC,mBAAmB,EAAE,OAAO,CAAC;QACrC,CAAC,CAAC,KAAK,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,MAAM,GACV,IAAI,CAAC,MAAM,KAAK,UAAU;QACxB,CAAC,CAAC,KAAK,CAAC,qBAAqB,EAAE,MAAM,CAAC;QACtC,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,QAAQ;YACxB,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,SAAS,CAAC;YAC/B,CAAC,CAAC,KAAK,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;IAExC,MAAM,SAAS,GACb,IAAI,CAAC,aAAa,KAAK,IAAI,CAAC,UAAU;QACpC,CAAC,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE;QACtB,CAAC,CAAC,GAAG,IAAI,CAAC,UAAU,IAAI,KAAK,CAAC,cAAc,IAAI,CAAC,aAAa,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;IAEhF,MAAM,SAAS,GACb,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,mBAAmB;QAClC,CAAC,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,GAAG,EAAE,KAAK,CAAC,EAAE;QAC9D,CAAC,CAAC,sBAAsB,CAAC,IAAI,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC;IAEvD,MAAM,SAAS,GAAG,IAAI,CAAC,yBAAyB;QAC9C,CAAC,CAAC,WAAW,KAAK,CAAC,IAAI,IAAI,CAAC,4BAA4B,KAAK,EAAE,KAAK,CAAC,EAAE;QACvE,CAAC,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAEhC,MAAM,GAAG,GAAG;QACV,KAAK,CAAC,qEAAqE,EAAE,MAAM,CAAC;QACpF,KAAK,CAAC,qEAAqE,EAAE,MAAM,CAAC;QACpF,KAAK,CAAC,qEAAqE,EAAE,MAAM,CAAC;QACpF,KAAK,CAAC,qEAAqE,EAAE,MAAM,CAAC;QACpF,KAAK,CAAC,qEAAqE,EAAE,MAAM,CAAC;QACpF,KAAK,CAAC,qEAAqE,EAAE,MAAM,CAAC;KACrF,CAAC;IAEF,MAAM,KAAK,GAAG;QACZ,EAAE;QACF,GAAG,GAAG;QACN,KAAK,CAAC,2DAA2D,EAAE,MAAM,CAAC;QAC1E,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,QAAQ,MAAM,EAAE,CAAC;QACtC,GAAG,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,cAAc,KAAK,IAAI,CAAC,kBAAkB,GAAG,CAAC;QACpE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACpF,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC;QACxB,GAAG,CAAC,KAAK,EAAE,GAAG,MAAM,IAAI,KAAK,CAAC,YAAY,MAAM,UAAU,EAAE,KAAK,CAAC,EAAE,CAAC;QACrE,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC;QAChB,GAAG,CAAC,UAAU,EAAE,SAAS,CAAC;QAC1B,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,gBAAgB,CAAC;QACxC,GAAG,CACD,WAAW,EACX,cAAc,CAAC,MAAM,KAAK,MAAM;YAC9B,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC;YACxC,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,QAAQ,CAAC,CAC5C;QACD,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC;QAC3B,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC;QACzB,cAAc,CAAC,MAAM,KAAK,MAAM;YAC9B,CAAC,CAAC,KAAK,CAAC,2DAA2D,EAAE,QAAQ,CAAC;YAC9E,CAAC,CAAC,IAAI;QACR,KAAK,CAAC,2DAA2D,EAAE,MAAM,CAAC;QAC1E,EAAE;KACH,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAChF,CAAC"}

package/dist/storage/index.d.ts

@@ -0,0 +1,6 @@
+import { type Config } from "../config.js";
+import type { StorageService } from "./types.js";
+export declare function createStorageServiceFromConfig(config: Config): StorageService;
+export declare function getStorageService(): StorageService;
+export type { StorageService, PutFileResult } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/storage/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/storage/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,MAAM,EAAE,MAAM,cAAc,CAAC;AAGvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAiBjD,wBAAgB,8BAA8B,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,CAE7E;AAED,wBAAgB,iBAAiB,IAAI,cAAc,CAQlD;AAED,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/storage/index.js

@@ -0,0 +1,29 @@
+import { loadConfig } from "../config.js";
+import { createStorageProviderFromConfig } from "./provider-registry.js";
+import { createStorageService } from "./service.js";
+let cachedStorageService = null;
+let cachedSignature = null;
+function signatureForConfig(config) {
+    return JSON.stringify({
+        provider: config.storageProvider,
+        localDisk: config.storageLocalDiskBaseDir,
+        s3Bucket: config.storageS3Bucket,
+        s3Region: config.storageS3Region,
+        s3Endpoint: config.storageS3Endpoint,
+        s3Prefix: config.storageS3Prefix,
+        s3ForcePathStyle: config.storageS3ForcePathStyle,
+    });
+}
+export function createStorageServiceFromConfig(config) {
+    return createStorageService(createStorageProviderFromConfig(config));
+}
+export function getStorageService() {
+    const config = loadConfig();
+    const signature = signatureForConfig(config);
+    if (!cachedStorageService || cachedSignature !== signature) {
+        cachedStorageService = createStorageServiceFromConfig(config);
+        cachedSignature = signature;
+    }
+    return cachedStorageService;
+}
+//# sourceMappingURL=index.js.map

package/dist/storage/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/storage/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAe,MAAM,cAAc,CAAC;AACvD,OAAO,EAAE,+BAA+B,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAGpD,IAAI,oBAAoB,GAA0B,IAAI,CAAC;AACvD,IAAI,eAAe,GAAkB,IAAI,CAAC;AAE1C,SAAS,kBAAkB,CAAC,MAAc;IACxC,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC,eAAe;QAChC,SAAS,EAAE,MAAM,CAAC,uBAAuB;QACzC,QAAQ,EAAE,MAAM,CAAC,eAAe;QAChC,QAAQ,EAAE,MAAM,CAAC,eAAe;QAChC,UAAU,EAAE,MAAM,CAAC,iBAAiB;QACpC,QAAQ,EAAE,MAAM,CAAC,eAAe;QAChC,gBAAgB,EAAE,MAAM,CAAC,uBAAuB;KACjD,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,MAAc;IAC3D,OAAO,oBAAoB,CAAC,+BAA+B,CAAC,MAAM,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,oBAAoB,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QAC3D,oBAAoB,GAAG,8BAA8B,CAAC,MAAM,CAAC,CAAC;QAC9D,eAAe,GAAG,SAAS,CAAC;IAC9B,CAAC;IACD,OAAO,oBAAoB,CAAC;AAC9B,CAAC"}

package/dist/storage/local-disk-provider.d.ts

@@ -0,0 +1,3 @@
+import type { StorageProvider } from "./types.js";
+export declare function createLocalDiskStorageProvider(baseDir: string): StorageProvider;
+//# sourceMappingURL=local-disk-provider.d.ts.map

package/dist/storage/local-disk-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-disk-provider.d.ts","sourceRoot":"","sources":["../../src/storage/local-disk-provider.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAqC,MAAM,YAAY,CAAC;AAmCrF,wBAAgB,8BAA8B,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,CAmD/E"}

package/dist/storage/local-disk-provider.js

@@ -0,0 +1,79 @@
+import { createReadStream, promises as fs } from "node:fs";
+import path from "node:path";
+import { notFound, badRequest } from "../errors.js";
+function normalizeObjectKey(objectKey) {
+    const normalized = objectKey.replace(/\\/g, "/").trim();
+    if (!normalized || normalized.startsWith("/")) {
+        throw badRequest("Invalid object key");
+    }
+    const parts = normalized.split("/").filter((part) => part.length > 0);
+    if (parts.length === 0 || parts.some((part) => part === "." || part === "..")) {
+        throw badRequest("Invalid object key");
+    }
+    return parts.join("/");
+}
+function resolveWithin(baseDir, objectKey) {
+    const normalizedKey = normalizeObjectKey(objectKey);
+    const resolved = path.resolve(baseDir, normalizedKey);
+    const base = path.resolve(baseDir);
+    if (resolved !== base && !resolved.startsWith(base + path.sep)) {
+        throw badRequest("Invalid object key path");
+    }
+    return resolved;
+}
+async function statOrNull(filePath) {
+    try {
+        return await fs.stat(filePath);
+    }
+    catch {
+        return null;
+    }
+}
+export function createLocalDiskStorageProvider(baseDir) {
+    const root = path.resolve(baseDir);
+    return {
+        id: "local_disk",
+        async putObject(input) {
+            const targetPath = resolveWithin(root, input.objectKey);
+            const dir = path.dirname(targetPath);
+            await fs.mkdir(dir, { recursive: true });
+            const tempPath = `${targetPath}.tmp-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+            await fs.writeFile(tempPath, input.body);
+            await fs.rename(tempPath, targetPath);
+        },
+        async getObject(input) {
+            const filePath = resolveWithin(root, input.objectKey);
+            const stat = await statOrNull(filePath);
+            if (!stat || !stat.isFile()) {
+                throw notFound("Object not found");
+            }
+            return {
+                stream: createReadStream(filePath),
+                contentLength: stat.size,
+                lastModified: stat.mtime,
+            };
+        },
+        async headObject(input) {
+            const filePath = resolveWithin(root, input.objectKey);
+            const stat = await statOrNull(filePath);
+            if (!stat || !stat.isFile()) {
+                return { exists: false };
+            }
+            return {
+                exists: true,
+                contentLength: stat.size,
+                lastModified: stat.mtime,
+            };
+        },
+        async deleteObject(input) {
+            const filePath = resolveWithin(root, input.objectKey);
+            try {
+                await fs.unlink(filePath);
+            }
+            catch {
+                // idempotent delete
+            }
+        },
+    };
+}
+//# sourceMappingURL=local-disk-provider.js.map