@pikku/core 0.12.2 → 0.12.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (131) hide show
  1. package/CHANGELOG.md +18 -0
  2. package/dist/crypto-utils.d.ts +10 -0
  3. package/dist/crypto-utils.js +62 -0
  4. package/dist/function/function-runner.js +4 -4
  5. package/dist/function/functions.types.d.ts +26 -1
  6. package/dist/function/functions.types.js +16 -0
  7. package/dist/handle-error.d.ts +1 -1
  8. package/dist/handle-error.js +7 -3
  9. package/dist/index.d.ts +14 -2
  10. package/dist/index.js +1 -1
  11. package/dist/pikku-state.js +3 -1
  12. package/dist/schema.js +1 -1
  13. package/dist/services/in-memory-workflow-service.d.ts +8 -2
  14. package/dist/services/in-memory-workflow-service.js +28 -1
  15. package/dist/services/workflow-service.d.ts +8 -2
  16. package/dist/testing/index.d.ts +2 -0
  17. package/dist/testing/index.js +1 -0
  18. package/dist/testing/service-tests.d.ts +31 -0
  19. package/dist/testing/service-tests.js +598 -0
  20. package/dist/types/core.types.d.ts +9 -1
  21. package/dist/types/state.types.d.ts +4 -2
  22. package/dist/utils/hash.d.ts +2 -0
  23. package/dist/utils/hash.js +23 -0
  24. package/dist/wirings/ai-agent/agent-dynamic-workflow.d.ts +6 -0
  25. package/dist/wirings/ai-agent/agent-dynamic-workflow.js +348 -0
  26. package/dist/wirings/ai-agent/ai-agent-memory.d.ts +1 -1
  27. package/dist/wirings/ai-agent/ai-agent-memory.js +6 -5
  28. package/dist/wirings/ai-agent/ai-agent-prepare.d.ts +10 -7
  29. package/dist/wirings/ai-agent/ai-agent-prepare.js +127 -47
  30. package/dist/wirings/ai-agent/ai-agent-runner.d.ts +4 -0
  31. package/dist/wirings/ai-agent/ai-agent-runner.js +381 -27
  32. package/dist/wirings/ai-agent/ai-agent-stream.d.ts +7 -2
  33. package/dist/wirings/ai-agent/ai-agent-stream.js +109 -46
  34. package/dist/wirings/ai-agent/ai-agent.types.d.ts +22 -1
  35. package/dist/wirings/ai-agent/index.d.ts +1 -2
  36. package/dist/wirings/ai-agent/index.js +1 -2
  37. package/dist/wirings/channel/channel-handler.js +5 -1
  38. package/dist/wirings/channel/channel.types.d.ts +1 -7
  39. package/dist/wirings/channel/local/local-channel-handler.d.ts +1 -1
  40. package/dist/wirings/channel/local/local-channel-handler.js +5 -3
  41. package/dist/wirings/channel/local/local-channel-runner.js +14 -4
  42. package/dist/wirings/channel/serverless/serverless-channel-runner.js +4 -1
  43. package/dist/wirings/cli/cli-runner.js +10 -2
  44. package/dist/wirings/cli/cli.types.d.ts +1 -0
  45. package/dist/wirings/http/http-routes.js +0 -1
  46. package/dist/wirings/http/http-runner.d.ts +1 -1
  47. package/dist/wirings/http/http-runner.js +25 -3
  48. package/dist/wirings/http/http.types.d.ts +3 -11
  49. package/dist/wirings/http/index.d.ts +2 -1
  50. package/dist/wirings/http/index.js +1 -0
  51. package/dist/wirings/http/pikku-fetch-http-request.d.ts +1 -0
  52. package/dist/wirings/http/pikku-fetch-http-request.js +3 -0
  53. package/dist/wirings/http/pikku-fetch-http-response.d.ts +1 -0
  54. package/dist/wirings/http/pikku-fetch-http-response.js +4 -4
  55. package/dist/wirings/http/web-request.d.ts +12 -0
  56. package/dist/wirings/http/web-request.js +85 -0
  57. package/dist/wirings/mcp/mcp-endpoint-registry.js +1 -1
  58. package/dist/wirings/mcp/mcp-runner.js +13 -1
  59. package/dist/wirings/rpc/rpc-runner.d.ts +30 -6
  60. package/dist/wirings/rpc/rpc-runner.js +36 -14
  61. package/dist/wirings/rpc/rpc-types.d.ts +6 -1
  62. package/dist/wirings/rpc/wire-addon.d.ts +1 -0
  63. package/dist/wirings/rpc/wire-addon.js +1 -1
  64. package/dist/wirings/scheduler/scheduler-runner.js +1 -0
  65. package/dist/wirings/workflow/graph/graph-validation.d.ts +3 -0
  66. package/dist/wirings/workflow/graph/graph-validation.js +175 -0
  67. package/dist/wirings/workflow/graph/index.d.ts +1 -0
  68. package/dist/wirings/workflow/graph/index.js +1 -0
  69. package/dist/wirings/workflow/index.d.ts +1 -1
  70. package/dist/wirings/workflow/pikku-workflow-service.d.ts +8 -2
  71. package/dist/wirings/workflow/pikku-workflow-service.js +1 -2
  72. package/dist/wirings/workflow/workflow.types.d.ts +10 -1
  73. package/package.json +4 -2
  74. package/src/crypto-utils.test.ts +99 -1
  75. package/src/crypto-utils.ts +114 -0
  76. package/src/function/function-runner.ts +5 -5
  77. package/src/function/functions.types.ts +38 -1
  78. package/src/handle-error.test.ts +65 -2
  79. package/src/handle-error.ts +8 -4
  80. package/src/index.ts +14 -0
  81. package/src/pikku-state.ts +3 -1
  82. package/src/schema.ts +1 -1
  83. package/src/services/in-memory-workflow-service.ts +45 -2
  84. package/src/services/workflow-service.ts +12 -1
  85. package/src/testing/index.ts +2 -0
  86. package/src/testing/service-tests.ts +873 -0
  87. package/src/types/core.types.ts +9 -1
  88. package/src/types/state.types.ts +4 -2
  89. package/src/utils/hash.test.ts +68 -0
  90. package/src/utils/hash.ts +26 -0
  91. package/src/wirings/ai-agent/agent-dynamic-workflow.ts +469 -0
  92. package/src/wirings/ai-agent/ai-agent-memory.ts +7 -6
  93. package/src/wirings/ai-agent/ai-agent-prepare.ts +175 -61
  94. package/src/wirings/ai-agent/ai-agent-runner.test.ts +3 -1
  95. package/src/wirings/ai-agent/ai-agent-runner.ts +553 -31
  96. package/src/wirings/ai-agent/ai-agent-stream.test.ts +209 -2
  97. package/src/wirings/ai-agent/ai-agent-stream.ts +182 -89
  98. package/src/wirings/ai-agent/ai-agent.types.ts +23 -1
  99. package/src/wirings/ai-agent/index.ts +1 -5
  100. package/src/wirings/channel/channel-handler.ts +11 -2
  101. package/src/wirings/channel/channel.types.ts +1 -7
  102. package/src/wirings/channel/local/local-channel-handler.ts +5 -3
  103. package/src/wirings/channel/local/local-channel-runner.ts +17 -7
  104. package/src/wirings/channel/serverless/serverless-channel-runner.ts +4 -1
  105. package/src/wirings/cli/cli-runner.ts +12 -2
  106. package/src/wirings/cli/cli.types.ts +1 -0
  107. package/src/wirings/http/http-routes.ts +0 -1
  108. package/src/wirings/http/http-runner.ts +35 -10
  109. package/src/wirings/http/http.types.ts +3 -12
  110. package/src/wirings/http/index.ts +3 -0
  111. package/src/wirings/http/pikku-fetch-http-request.ts +4 -0
  112. package/src/wirings/http/pikku-fetch-http-response.ts +4 -4
  113. package/src/wirings/http/web-request.test.ts +236 -0
  114. package/src/wirings/http/web-request.ts +104 -0
  115. package/src/wirings/mcp/mcp-endpoint-registry.ts +1 -1
  116. package/src/wirings/mcp/mcp-runner.ts +30 -12
  117. package/src/wirings/rpc/rpc-runner.ts +45 -24
  118. package/src/wirings/rpc/rpc-types.ts +6 -1
  119. package/src/wirings/rpc/wire-addon.ts +2 -1
  120. package/src/wirings/scheduler/scheduler-runner.ts +1 -0
  121. package/src/wirings/workflow/graph/graph-validation.test.ts +170 -0
  122. package/src/wirings/workflow/graph/graph-validation.ts +237 -0
  123. package/src/wirings/workflow/graph/index.ts +5 -0
  124. package/src/wirings/workflow/index.ts +1 -0
  125. package/src/wirings/workflow/pikku-workflow-service.ts +14 -3
  126. package/src/wirings/workflow/workflow.types.ts +9 -1
  127. package/tsconfig.tsbuildinfo +1 -1
  128. package/dist/wirings/ai-agent/ai-agent-assistant-ui.d.ts +0 -5
  129. package/dist/wirings/ai-agent/ai-agent-assistant-ui.js +0 -168
  130. package/src/wirings/ai-agent/ai-agent-assistant-ui.test.ts +0 -363
  131. package/src/wirings/ai-agent/ai-agent-assistant-ui.ts +0 -238
@@ -0,0 +1,175 @@
1
+ import { pikkuState } from '../../../pikku-state.js';
2
+ import { resolveNamespace } from '../../rpc/rpc-runner.js';
3
+ function normalizeTargets(value) {
4
+ if (!value)
5
+ return [];
6
+ if (typeof value === 'string')
7
+ return [value];
8
+ if (Array.isArray(value))
9
+ return value.filter((v) => typeof v === 'string');
10
+ if (typeof value === 'object') {
11
+ const targets = [];
12
+ for (const v of Object.values(value)) {
13
+ targets.push(...normalizeTargets(v));
14
+ }
15
+ return targets;
16
+ }
17
+ return [];
18
+ }
19
+ function collectRefs(value, refs) {
20
+ if (typeof value === 'object' &&
21
+ value !== null &&
22
+ '$ref' in value &&
23
+ typeof value.$ref === 'string') {
24
+ refs.add(value.$ref);
25
+ return;
26
+ }
27
+ if (Array.isArray(value)) {
28
+ for (const item of value)
29
+ collectRefs(item, refs);
30
+ return;
31
+ }
32
+ if (typeof value === 'object' && value !== null) {
33
+ for (const v of Object.values(value))
34
+ collectRefs(v, refs);
35
+ }
36
+ }
37
+ function resolveToolMeta(toolName) {
38
+ const resolved = toolName.includes(':') ? resolveNamespace(toolName) : null;
39
+ if (resolved) {
40
+ const fnMeta = pikkuState(resolved.package, 'function', 'meta')[resolved.function];
41
+ const schemas = pikkuState(resolved.package, 'misc', 'schemas');
42
+ return fnMeta ? { fnMeta, schemas } : null;
43
+ }
44
+ const rpcMeta = pikkuState(null, 'rpc', 'meta');
45
+ const pikkuFuncId = rpcMeta[toolName];
46
+ if (!pikkuFuncId)
47
+ return null;
48
+ const fnMeta = pikkuState(null, 'function', 'meta')[pikkuFuncId];
49
+ const schemas = pikkuState(null, 'misc', 'schemas');
50
+ return fnMeta ? { fnMeta, schemas } : null;
51
+ }
52
+ export function computeEntryNodeIds(nodes) {
53
+ const referenced = new Set();
54
+ for (const node of Object.values(nodes)) {
55
+ if (node.next) {
56
+ for (const target of normalizeTargets(node.next)) {
57
+ referenced.add(target);
58
+ }
59
+ }
60
+ if (node.onError) {
61
+ for (const target of normalizeTargets(node.onError)) {
62
+ referenced.add(target);
63
+ }
64
+ }
65
+ }
66
+ return Object.keys(nodes).filter((id) => !referenced.has(id));
67
+ }
68
+ export function validateWorkflowWiring(nodes, toolNames) {
69
+ const errors = [];
70
+ const nodeIds = new Set(Object.keys(nodes));
71
+ const toolSet = new Set(toolNames);
72
+ for (const [nodeId, node] of Object.entries(nodes)) {
73
+ if (!node.rpcName) {
74
+ errors.push(`Node '${nodeId}' is missing 'rpcName'`);
75
+ continue;
76
+ }
77
+ if (!toolSet.has(node.rpcName)) {
78
+ errors.push(`Node '${nodeId}' references unknown tool '${node.rpcName}'. Available tools: ${toolNames.join(', ')}`);
79
+ continue;
80
+ }
81
+ const nextTargets = normalizeTargets(node.next);
82
+ for (const target of nextTargets) {
83
+ if (!nodeIds.has(target)) {
84
+ errors.push(`Node '${nodeId}' routes to unknown node '${target}' in 'next'`);
85
+ }
86
+ }
87
+ const errorTargets = normalizeTargets(node.onError);
88
+ for (const target of errorTargets) {
89
+ if (!nodeIds.has(target)) {
90
+ errors.push(`Node '${nodeId}' routes to unknown node '${target}' in 'onError'`);
91
+ }
92
+ }
93
+ if (!node.input)
94
+ continue;
95
+ const refs = new Set();
96
+ collectRefs(node.input, refs);
97
+ for (const ref of refs) {
98
+ if (ref === 'trigger' || ref === '$item') {
99
+ const targetMeta = resolveToolMeta(node.rpcName);
100
+ if (targetMeta?.fnMeta?.inputSchemaName) {
101
+ const targetSchema = targetMeta.schemas.get(targetMeta.fnMeta.inputSchemaName);
102
+ if (targetSchema?.properties) {
103
+ for (const [field, fieldValue] of Object.entries(node.input)) {
104
+ if (typeof fieldValue === 'object' &&
105
+ fieldValue !== null &&
106
+ fieldValue.$ref === ref &&
107
+ !fieldValue.path) {
108
+ const targetType = targetSchema.properties[field]?.type;
109
+ if (targetType && targetType !== 'object') {
110
+ errors.push(`Node '${nodeId}' input field '${field}' expects type '${targetType}', but references the whole ${ref} object without a path. Use { $ref: "${ref}", path: "${field}" } to extract the field.`);
111
+ }
112
+ }
113
+ }
114
+ }
115
+ }
116
+ continue;
117
+ }
118
+ if (!nodeIds.has(ref)) {
119
+ errors.push(`Node '${nodeId}' references unknown node '${ref}' in input`);
120
+ continue;
121
+ }
122
+ const sourceNode = nodes[ref];
123
+ if (!sourceNode?.rpcName)
124
+ continue;
125
+ const sourceMeta = resolveToolMeta(sourceNode.rpcName);
126
+ if (!sourceMeta?.fnMeta?.outputSchemaName)
127
+ continue;
128
+ const sourceSchema = sourceMeta.schemas.get(sourceMeta.fnMeta.outputSchemaName);
129
+ if (!sourceSchema?.properties)
130
+ continue;
131
+ for (const [field, fieldValue] of Object.entries(node.input)) {
132
+ if (typeof fieldValue === 'object' &&
133
+ fieldValue !== null &&
134
+ fieldValue.$ref === ref &&
135
+ fieldValue.path) {
136
+ const pathRoot = fieldValue.path.split('.')[0];
137
+ if (sourceSchema.properties &&
138
+ !(pathRoot in sourceSchema.properties)) {
139
+ errors.push(`Node '${nodeId}' input field '${field}' references path '${fieldValue.path}' but node '${ref}' (${sourceNode.rpcName}) output has no property '${pathRoot}'`);
140
+ continue;
141
+ }
142
+ const targetMeta = resolveToolMeta(node.rpcName);
143
+ if (!targetMeta?.fnMeta?.inputSchemaName)
144
+ continue;
145
+ const targetSchema = targetMeta.schemas.get(targetMeta.fnMeta.inputSchemaName);
146
+ if (!targetSchema?.properties?.[field])
147
+ continue;
148
+ const sourceType = sourceSchema.properties[pathRoot]?.type;
149
+ const targetType = targetSchema.properties[field].type;
150
+ if (sourceType && targetType && sourceType !== targetType) {
151
+ errors.push(`Node '${nodeId}' input field '${field}' expects type '${targetType}', but node '${ref}' output field '${pathRoot}' is type '${sourceType}'`);
152
+ }
153
+ }
154
+ }
155
+ }
156
+ }
157
+ return errors;
158
+ }
159
+ export function generateMermaidDiagram(workflowName, nodes, entryNodeIds) {
160
+ const lines = ['graph TD'];
161
+ for (const [nodeId, node] of Object.entries(nodes)) {
162
+ const label = node.rpcName || nodeId;
163
+ const isEntry = entryNodeIds.includes(nodeId);
164
+ lines.push(` ${nodeId}${isEntry ? '([' : '['}${label}${isEntry ? '])' : ']'}`);
165
+ const nextTargets = normalizeTargets(node.next);
166
+ for (const target of nextTargets) {
167
+ lines.push(` ${nodeId} --> ${target}`);
168
+ }
169
+ const errorTargets = normalizeTargets(node.onError);
170
+ for (const target of errorTargets) {
171
+ lines.push(` ${nodeId} -.->|error| ${target}`);
172
+ }
173
+ }
174
+ return lines.join('\n');
175
+ }
@@ -2,3 +2,4 @@ export { continueGraph, executeGraphStep, onGraphNodeComplete, runFromMeta, runW
2
2
  export { template } from './template.js';
3
3
  export type { TemplateString } from './template.js';
4
4
  export { pikkuWorkflowGraph, type PikkuWorkflowGraphConfig, type PikkuWorkflowGraphResult, } from './wire-workflow-graph.js';
5
+ export { validateWorkflowWiring, computeEntryNodeIds, generateMermaidDiagram, } from './graph-validation.js';
@@ -1,3 +1,4 @@
1
1
  export { continueGraph, executeGraphStep, onGraphNodeComplete, runFromMeta, runWorkflowGraph, } from './graph-runner.js';
2
2
  export { template } from './template.js';
3
3
  export { pikkuWorkflowGraph, } from './wire-workflow-graph.js';
4
+ export { validateWorkflowWiring, computeEntryNodeIds, generateMermaidDiagram, } from './graph-validation.js';
@@ -6,5 +6,5 @@ export { addWorkflow } from './dsl/workflow-runner.js';
6
6
  export { template, type TemplateString } from './graph/template.js';
7
7
  export { pikkuWorkflowGraph, type PikkuWorkflowGraphConfig, type PikkuWorkflowGraphResult, } from './graph/wire-workflow-graph.js';
8
8
  export { workflow, workflowStart, workflowStatus, graphStart, } from './workflow-helpers.js';
9
- export type { WorkflowService, WorkflowServiceConfig, WorkflowRunWire, WorkflowStatus, StepStatus, WorkflowRun, StepState, WorkflowRunService, CoreWorkflow, PikkuWorkflow, ContextVariable, WorkflowContext, WorkflowsMeta, WorkflowRuntimeMeta, WorkflowsRuntimeMeta, WorkflowStepInput, WorkflowOrchestratorInput, WorkflowSleeperInput, } from './workflow.types.js';
9
+ export type { WorkflowService, WorkflowServiceConfig, WorkflowRunWire, WorkflowStatus, WorkflowVersionStatus, StepStatus, WorkflowRun, StepState, WorkflowRunService, CoreWorkflow, PikkuWorkflow, ContextVariable, WorkflowContext, WorkflowsMeta, WorkflowRuntimeMeta, WorkflowsRuntimeMeta, WorkflowStepInput, WorkflowOrchestratorInput, WorkflowSleeperInput, } from './workflow.types.js';
10
10
  export type { WorkflowStepOptions, WorkflowWireDoRPC, WorkflowWireDoInline, WorkflowWireSleep, WorkflowWireSuspend, InputSource, OutputBinding, RpcStepMeta, SimpleCondition, Condition, BranchCase, BranchStepMeta, ParallelGroupStepMeta, FanoutStepMeta, ReturnStepMeta, InlineStepMeta, SleepStepMeta, CancelStepMeta, SetStepMeta, SwitchCaseMeta, SwitchStepMeta, FilterStepMeta, ArrayPredicateStepMeta, WorkflowStepMeta, WorkflowStepWire, PikkuWorkflowWire, } from './workflow.types.js';
@@ -1,5 +1,5 @@
1
1
  import type { SerializedError } from '../../types/core.types.js';
2
- import type { StepState, WorkflowRun, WorkflowRunWire, WorkflowStatus, WorkflowStepOptions } from './workflow.types.js';
2
+ import type { StepState, WorkflowRun, WorkflowRunWire, WorkflowStatus, WorkflowVersionStatus, WorkflowStepOptions } from './workflow.types.js';
3
3
  import type { WorkflowService } from '../../services/workflow-service.js';
4
4
  import { PikkuError } from '../../errors/error-handler.js';
5
5
  /**
@@ -197,11 +197,17 @@ export declare abstract class PikkuWorkflowService implements WorkflowService {
197
197
  * @returns The state object with all variables
198
198
  */
199
199
  abstract getRunState(runId: string): Promise<Record<string, unknown>>;
200
- abstract upsertWorkflowVersion(name: string, graphHash: string, graph: any, source: string): Promise<void>;
200
+ abstract upsertWorkflowVersion(name: string, graphHash: string, graph: any, source: string, status?: WorkflowVersionStatus): Promise<void>;
201
+ abstract updateWorkflowVersionStatus(name: string, graphHash: string, status: WorkflowVersionStatus): Promise<void>;
201
202
  abstract getWorkflowVersion(name: string, graphHash: string): Promise<{
202
203
  graph: any;
203
204
  source: string;
204
205
  } | null>;
206
+ abstract getAIGeneratedWorkflows(agentName?: string): Promise<Array<{
207
+ workflowName: string;
208
+ graphHash: string;
209
+ graph: any;
210
+ }>>;
205
211
  /**
206
212
  * Resume a paused workflow by triggering the orchestrator
207
213
  * @param runId - Run ID
@@ -162,8 +162,7 @@ export class PikkuWorkflowService {
162
162
  if (!workflowMeta) {
163
163
  throw new WorkflowNotFoundError(name);
164
164
  }
165
- // Check if this is a graph workflow (source === 'graph')
166
- if (workflowMeta.source === 'graph') {
165
+ if (workflowMeta.source === 'graph' || workflowMeta.source === 'ai-agent') {
167
166
  const shouldInline = options?.inline || !getSingletonServices()?.queueService;
168
167
  return runWorkflowGraph(this, name, input, rpcService, shouldInline, options?.startNode, wire);
169
168
  }
@@ -19,6 +19,10 @@ export interface WorkflowServiceConfig {
19
19
  * Workflow run status
20
20
  */
21
21
  export type WorkflowStatus = 'running' | 'suspended' | 'completed' | 'failed' | 'cancelled';
22
+ /**
23
+ * Workflow version status (for AI-generated workflows)
24
+ */
25
+ export type WorkflowVersionStatus = 'draft' | 'active' | 'declined';
22
26
  /**
23
27
  * Workflow step status
24
28
  */
@@ -102,6 +106,11 @@ export interface WorkflowRunService {
102
106
  graph: any;
103
107
  source: string;
104
108
  } | null>;
109
+ getAIGeneratedWorkflows(agentName?: string): Promise<Array<{
110
+ workflowName: string;
111
+ graphHash: string;
112
+ graph: any;
113
+ }>>;
105
114
  deleteRun(id: string): Promise<boolean>;
106
115
  }
107
116
  /**
@@ -167,7 +176,7 @@ export interface WorkflowRuntimeMeta {
167
176
  /** Pikku function name (for execution) */
168
177
  pikkuFuncId: string;
169
178
  /** Source type: 'dsl' (serializable), 'complex' (has inline steps), 'graph' */
170
- source: 'dsl' | 'complex' | 'graph';
179
+ source: 'dsl' | 'complex' | 'graph' | 'ai-agent';
171
180
  /** Optional description */
172
181
  description?: string;
173
182
  /** Tags for organization */
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pikku/core",
3
- "version": "0.12.2",
3
+ "version": "0.12.3",
4
4
  "author": "yasser.fadl@gmail.com",
5
5
  "license": "MIT",
6
6
  "module": "dist/index.js",
@@ -41,8 +41,10 @@
41
41
  "./services": "./dist/services/index.js",
42
42
  "./services/local-content": "./dist/services/local-content.js",
43
43
  "./services/gopass-secrets": "./dist/services/gopass-secrets.js",
44
+ "./crypto-utils": "./dist/crypto-utils.js",
44
45
  "./internal": "./dist/internal.js",
45
- "./schema": "./dist/schema.js"
46
+ "./schema": "./dist/schema.js",
47
+ "./testing": "./dist/testing/index.js"
46
48
  },
47
49
  "dependencies": {
48
50
  "@standard-schema/spec": "^1.1.0",
@@ -1,6 +1,15 @@
1
1
  import { describe, test } from 'node:test'
2
2
  import assert from 'node:assert'
3
- import { encryptJSON, decryptJSON } from './crypto-utils.js'
3
+ import {
4
+ encryptJSON,
5
+ decryptJSON,
6
+ generateDEK,
7
+ wrapDEK,
8
+ unwrapDEK,
9
+ envelopeEncrypt,
10
+ envelopeDecrypt,
11
+ envelopeRewrap,
12
+ } from './crypto-utils.js'
4
13
 
5
14
  describe('encryptJSON / decryptJSON', () => {
6
15
  const secret = 'test-secret-key-for-encryption'
@@ -114,3 +123,92 @@ describe('encryptJSON / decryptJSON', () => {
114
123
  assert.deepStrictEqual(decrypted, original)
115
124
  })
116
125
  })
126
+
127
+ describe('envelope encryption', () => {
128
+ const kek = 'my-key-encryption-key'
129
+
130
+ test('generateDEK produces unique keys', async () => {
131
+ const dek1 = await generateDEK()
132
+ const dek2 = await generateDEK()
133
+ assert.notStrictEqual(dek1, dek2)
134
+ assert.ok(dek1.length > 0)
135
+ })
136
+
137
+ test('wrapDEK / unwrapDEK round-trip', async () => {
138
+ const dek = await generateDEK()
139
+ const wrapped = await wrapDEK(kek, dek)
140
+ const unwrapped = await unwrapDEK(kek, wrapped)
141
+ assert.strictEqual(unwrapped, dek)
142
+ })
143
+
144
+ test('unwrapDEK fails with wrong KEK', async () => {
145
+ const dek = await generateDEK()
146
+ const wrapped = await wrapDEK(kek, dek)
147
+ await assert.rejects(
148
+ () => unwrapDEK('wrong-kek', wrapped),
149
+ (err: any) => err instanceof Error
150
+ )
151
+ })
152
+
153
+ test('envelopeEncrypt / envelopeDecrypt round-trip', async () => {
154
+ const original = {
155
+ apiKey: 'sk-secret-123',
156
+ endpoint: 'https://api.example.com',
157
+ }
158
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
159
+ const decrypted = await envelopeDecrypt(kek, ciphertext, wrappedDEK)
160
+ assert.deepStrictEqual(decrypted, original)
161
+ })
162
+
163
+ test('envelopeEncrypt produces unique ciphertexts and DEKs per call', async () => {
164
+ const value = { same: 'data' }
165
+ const r1 = await envelopeEncrypt(kek, value)
166
+ const r2 = await envelopeEncrypt(kek, value)
167
+ assert.notStrictEqual(r1.ciphertext, r2.ciphertext)
168
+ assert.notStrictEqual(r1.wrappedDEK, r2.wrappedDEK)
169
+ })
170
+
171
+ test('envelopeDecrypt fails with wrong KEK', async () => {
172
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, 'secret')
173
+ await assert.rejects(
174
+ () => envelopeDecrypt('wrong-kek', ciphertext, wrappedDEK),
175
+ (err: any) => err instanceof Error
176
+ )
177
+ })
178
+
179
+ test('envelopeRewrap allows decryption with new KEK', async () => {
180
+ const newKEK = 'my-new-kek'
181
+ const original = { token: 'abc-123' }
182
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
183
+
184
+ const rewrapped = await envelopeRewrap(kek, newKEK, wrappedDEK)
185
+
186
+ await assert.rejects(
187
+ () => envelopeDecrypt(kek, ciphertext, rewrapped),
188
+ (err: any) => err instanceof Error
189
+ )
190
+
191
+ const decrypted = await envelopeDecrypt(newKEK, ciphertext, rewrapped)
192
+ assert.deepStrictEqual(decrypted, original)
193
+ })
194
+
195
+ test('envelopeRewrap does not change the ciphertext', async () => {
196
+ const original = { data: 'important' }
197
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
198
+ const rewrapped = await envelopeRewrap(kek, 'new-kek', wrappedDEK)
199
+
200
+ assert.notStrictEqual(rewrapped, wrappedDEK)
201
+
202
+ const decrypted = await envelopeDecrypt('new-kek', ciphertext, rewrapped)
203
+ assert.deepStrictEqual(decrypted, original)
204
+ })
205
+
206
+ test('envelope handles string secrets', async () => {
207
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(
208
+ kek,
209
+ 'plain-string-secret'
210
+ )
211
+ const decrypted = await envelopeDecrypt<string>(kek, ciphertext, wrappedDEK)
212
+ assert.strictEqual(decrypted, 'plain-string-secret')
213
+ })
214
+ })
@@ -97,3 +97,117 @@ export const decryptJSON = async <T>(
97
97
  )
98
98
  return JSON.parse(decoder.decode(new Uint8Array(decrypted))) as T
99
99
  }
100
+
101
+ /**
102
+ * Envelope encryption utilities.
103
+ *
104
+ * Each secret gets its own random DEK (data encryption key).
105
+ * The DEK is wrapped (encrypted) by a KEK (key encryption key) — typically an env var.
106
+ * The actual secret is encrypted with the DEK.
107
+ *
108
+ * KEK rotation only re-wraps the DEK, never touches the ciphertext.
109
+ */
110
+
111
+ const importRawKey = async (rawBytes: Uint8Array): Promise<CryptoKey> => {
112
+ const subtle = getSubtle()
113
+ return subtle.importKey(
114
+ 'raw',
115
+ rawBytes.buffer as ArrayBuffer,
116
+ { name: 'AES-GCM' },
117
+ true,
118
+ ['encrypt', 'decrypt']
119
+ )
120
+ }
121
+
122
+ export const generateDEK = async (): Promise<string> => {
123
+ const raw = globalThis.crypto.getRandomValues(new Uint8Array(32))
124
+ return toBase64Url(raw)
125
+ }
126
+
127
+ export const wrapDEK = async (
128
+ kek: string,
129
+ plaintextDEK: string
130
+ ): Promise<string> => {
131
+ return encryptJSON(kek, plaintextDEK)
132
+ }
133
+
134
+ export const unwrapDEK = async (
135
+ kek: string,
136
+ wrappedDEK: string
137
+ ): Promise<string> => {
138
+ return decryptJSON<string>(kek, wrappedDEK)
139
+ }
140
+
141
+ const encryptWithDEK = async (
142
+ dekBase64: string,
143
+ value: unknown
144
+ ): Promise<string> => {
145
+ const crypto = globalThis.crypto
146
+ const subtle = getSubtle()
147
+ const iv = crypto.getRandomValues(new Uint8Array(12))
148
+ const key = await importRawKey(fromBase64Url(dekBase64))
149
+ const plaintext = encoder.encode(JSON.stringify(value))
150
+ const encrypted = await subtle.encrypt(
151
+ { name: 'AES-GCM', iv },
152
+ key,
153
+ plaintext
154
+ )
155
+ const cipherBytes = new Uint8Array(encrypted)
156
+ const out = new Uint8Array(iv.length + cipherBytes.length)
157
+ out.set(iv, 0)
158
+ out.set(cipherBytes, iv.length)
159
+ return toBase64Url(out)
160
+ }
161
+
162
+ const decryptWithDEK = async <T>(
163
+ dekBase64: string,
164
+ token: string
165
+ ): Promise<T> => {
166
+ const subtle = getSubtle()
167
+ const data = fromBase64Url(token)
168
+ if (data.length < 13) {
169
+ throw new Error('Invalid encrypted payload')
170
+ }
171
+ const iv = data.slice(0, 12)
172
+ const ciphertext = data.slice(12)
173
+ const key = await importRawKey(fromBase64Url(dekBase64))
174
+ const decrypted = await subtle.decrypt(
175
+ { name: 'AES-GCM', iv },
176
+ key,
177
+ ciphertext
178
+ )
179
+ return JSON.parse(decoder.decode(new Uint8Array(decrypted))) as T
180
+ }
181
+
182
+ export interface EnvelopeEncryptResult {
183
+ ciphertext: string
184
+ wrappedDEK: string
185
+ }
186
+
187
+ export const envelopeEncrypt = async (
188
+ kek: string,
189
+ value: unknown
190
+ ): Promise<EnvelopeEncryptResult> => {
191
+ const dek = await generateDEK()
192
+ const ciphertext = await encryptWithDEK(dek, value)
193
+ const wrappedDEK = await wrapDEK(kek, dek)
194
+ return { ciphertext, wrappedDEK }
195
+ }
196
+
197
+ export const envelopeDecrypt = async <T>(
198
+ kek: string,
199
+ ciphertext: string,
200
+ wrappedDEK: string
201
+ ): Promise<T> => {
202
+ const dek = await unwrapDEK(kek, wrappedDEK)
203
+ return decryptWithDEK<T>(dek, ciphertext)
204
+ }
205
+
206
+ export const envelopeRewrap = async (
207
+ oldKEK: string,
208
+ newKEK: string,
209
+ wrappedDEK: string
210
+ ): Promise<string> => {
211
+ const dek = await unwrapDEK(oldKEK, wrappedDEK)
212
+ return wrapDEK(newKEK, dek)
213
+ }
@@ -95,7 +95,7 @@ export const getAllFunctionNames = (): string[] => {
95
95
  const mainFunctionsMeta = pikkuState(null, 'function', 'meta')
96
96
  functions.push(...Object.keys(mainFunctionsMeta))
97
97
 
98
- const addons = pikkuState(null, 'rpc', 'addons')
98
+ const addons = pikkuState(null, 'addons', 'packages')
99
99
  for (const [namespace, config] of addons) {
100
100
  const packageFunctionsMeta = pikkuState(config.package, 'function', 'meta')
101
101
  for (const funcName of Object.keys(packageFunctionsMeta)) {
@@ -280,6 +280,10 @@ export const runPikkuFunc = async <In = any, Out = any>(
280
280
  // Validate and coerce data if schema is defined
281
281
  const inputSchemaName = funcMeta.inputSchemaName
282
282
  if (inputSchemaName) {
283
+ // Coerce (top level) data types before validation (e.g. string→array, string→date)
284
+ if (coerceDataFromSchema) {
285
+ coerceTopLevelDataFromSchema(inputSchemaName, actualData, packageName)
286
+ }
283
287
  // Validate request data against the defined schema, if any
284
288
  await validateSchema(
285
289
  resolvedSingletonServices.logger,
@@ -288,10 +292,6 @@ export const runPikkuFunc = async <In = any, Out = any>(
288
292
  actualData,
289
293
  packageName
290
294
  )
291
- // Coerce (top level) query string parameters or date objects if specified by the schema
292
- if (coerceDataFromSchema) {
293
- coerceTopLevelDataFromSchema(inputSchemaName, actualData, packageName)
294
- }
295
295
  }
296
296
 
297
297
  if (
@@ -7,6 +7,7 @@ import type {
7
7
  PickRequired,
8
8
  } from '../types/core.types.js'
9
9
  import type { StandardSchemaV1 } from '@standard-schema/spec'
10
+ import type { PikkuError } from '../errors/error-handler.js'
10
11
  import type { CoreNodeConfig } from '../wirings/node/node.types.js'
11
12
 
12
13
  /**
@@ -194,6 +195,40 @@ export const pikkuPermissionFactory = <In = any>(
194
195
  return factory
195
196
  }
196
197
 
198
+ /**
199
+ * A function that generates a human-readable description of a pending approval action.
200
+ * Used by AI agents to show meaningful approval prompts instead of raw tool arguments.
201
+ *
202
+ * @template In - The input type (same as the function it describes).
203
+ * @template Services - The services type, defaults to `CoreSingletonServices`.
204
+ */
205
+ export type CorePikkuApprovalDescription<
206
+ In = any,
207
+ Services extends CoreSingletonServices = CoreSingletonServices,
208
+ > = (services: Services, data: In) => Promise<string>
209
+
210
+ /**
211
+ * Factory function for creating approval description functions with tree-shaking support.
212
+ *
213
+ * @example
214
+ * ```typescript
215
+ * export const deleteTodoApproval = pikkuApprovalDescription(
216
+ * async ({ todoStore }, { id }) => {
217
+ * const todo = await todoStore.get(id)
218
+ * return `Delete todo: "${todo.title}"`
219
+ * }
220
+ * )
221
+ * ```
222
+ */
223
+ export const pikkuApprovalDescription = <
224
+ In = any,
225
+ Services extends CoreSingletonServices = CoreSingletonServices,
226
+ >(
227
+ fn: CorePikkuApprovalDescription<In, Services>
228
+ ): CorePikkuApprovalDescription<In, Services> => {
229
+ return fn
230
+ }
231
+
197
232
  export type CorePikkuAuth<
198
233
  Services extends CoreSingletonServices = CoreServices,
199
234
  Session extends CoreUserSession = CoreUserSession,
@@ -256,7 +291,8 @@ export type CorePikkuFunctionConfig<
256
291
  remote?: boolean
257
292
  mcp?: boolean
258
293
  readonly?: boolean
259
- requiresApproval?: boolean
294
+ approvalRequired?: boolean
295
+ approvalDescription?: any
260
296
  func: PikkuFunction
261
297
  auth?: boolean
262
298
  permissions?: CorePermissionGroup<PikkuPermission>
@@ -264,4 +300,5 @@ export type CorePikkuFunctionConfig<
264
300
  input?: InputSchema
265
301
  output?: OutputSchema
266
302
  node?: CoreNodeConfig
303
+ errors?: Array<typeof PikkuError>
267
304
  }