@pikku/inspector 0.12.11 → 0.12.13

package/CHANGELOG.md

@@ -1,3 +1,35 @@
+## 0.12.13
+
+### Patch Changes
+
+- 665bdb0: Add end-to-end data classification for SQLite and Postgres projects.
+
+  **Core (`@pikku/core`):** New `Private<T>` and `Secret<T>` intersection brands, `ClassificationManifest`, `ColumnClassification`, and `AnonymizeStrategy` types exported from `data-classification.ts`.
+
+  **CLI (`@pikku/cli`):**
+  - SQL comment annotations: `-- @public`, `-- @private[:strategy]`, `-- @secret[:strategy]` on `CREATE TABLE` columns and `ALTER TABLE ... ADD COLUMN` statements. Unannotated columns default to `private`.
+  - `pikku db migrate` now emits a `classification.gen.ts` manifest alongside `schema.d.ts`.
+  - New `pikku db audit` command — prints a per-column classification summary and warns on `private`/`secret` columns with no anonymize strategy.
+  - Postgres dialect support in `resolveDb`, `PostgresMigrationExecutor`, and `PostgresIntrospector`.
+
+  **Inspector (`@pikku/inspector`):** New PKU910 check — `findPiiPaths()` walks inferred function return types looking for `__pii__` brands (including inside `Array<T>`, `Record<K,V>`, and index signatures) and fails the build if a function exposes branded fields in its output.
+
+- Updated dependencies [665bdb0]
+  - @pikku/core@0.12.25
+
+## 0.12.12
+
+### Patch Changes
+
+- 9060165: Agents now declare their model directly as `<provider>/<model>` (e.g. `openai/gpt-4o`). The `models`, `agentDefaults`, and `agentOverrides` config blocks have been removed.
+
+  **Migration:** replace any bare `model: 'alias'` values with the full provider-qualified form and remove those blocks from `pikku.config.json`.
+
+- Updated dependencies [9060165]
+- Updated dependencies [9060165]
+- Updated dependencies [9060165]
+  - @pikku/core@0.12.21
+
 ## 0.12.11
 
 ### Patch Changes

package/dist/add/add-cli.js

@@ -295,10 +295,16 @@ function processCommand(logger, inspectorState, options, name, node, sourceFile,
                     meta.options = processOptions(logger, optionsNode, typeChecker, inspectorState, options, pikkuFuncId);
                 }
                 break;
-            case 'subcommands':
-                if (ts.isObjectLiteralExpression(prop.initializer)) {
+            case 'subcommands': {
+                let subcommandsNode = prop.initializer;
+                if (ts.isIdentifier(prop.initializer)) {
+                    subcommandsNode = resolveIdentifier(prop.initializer, typeChecker, [
+                        'defineCLICommands',
+                    ]);
+                }
+                if (subcommandsNode && ts.isObjectLiteralExpression(subcommandsNode)) {
                     meta.subcommands = {};
-                    for (const subProp of prop.initializer.properties) {
+                    for (const subProp of subcommandsNode.properties) {
                         if (!ts.isPropertyAssignment(subProp))
                             continue;
                         const subName = getPropertyName(subProp);
@@ -311,6 +317,7 @@ function processCommand(logger, inspectorState, options, name, node, sourceFile,
                     }
                 }
                 break;
+            }
             case 'isDefault':
                 if (prop.initializer.kind === ts.SyntaxKind.TrueKeyword ||
                     prop.initializer.kind === ts.SyntaxKind.FalseKeyword) {

package/dist/add/add-credential.js

@@ -1,5 +1,5 @@
 import * as ts from 'typescript';
-import { getPropertyValue, getArrayPropertyValue, } from '../utils/get-property-value.js';
+import { getPropertyValue, getArrayPropertyValue, assertStringLiteralProperty, } from '../utils/get-property-value.js';
 import { ErrorCode } from '../error-codes.js';
 import { detectSchemaVendorOrError } from '../utils/detect-schema-vendor.js';
 export const addCredential = (logger, node, checker, state, _options) => {
@@ -17,6 +17,7 @@ export const addCredential = (logger, node, checker, state, _options) => {
     }
     if (ts.isObjectLiteralExpression(firstArg)) {
         const obj = firstArg;
+        assertStringLiteralProperty(obj, 'name', 'Credential', logger);
         const nameValue = getPropertyValue(obj, 'name');
         const displayNameValue = getPropertyValue(obj, 'displayName');
         const descriptionValue = getPropertyValue(obj, 'description');

package/dist/add/add-functions.js

@@ -5,10 +5,12 @@ import { extractFunctionNode } from '../utils/extract-function-node.js';
 import { extractUsedWires } from '../utils/extract-services.js';
 import { formatVersionedId, parseVersionedId } from '@pikku/core';
 import { getPropertyValue, getCommonWireMetaData, } from '../utils/get-property-value.js';
+import { canonicalJSON, hashString } from '../utils/hash.js';
 import { resolveMiddleware } from '../utils/middleware.js';
 import { resolvePermissions } from '../utils/permissions.js';
 import { extractWireNames } from '../utils/post-process.js';
 import { ErrorCode } from '../error-codes.js';
+import { findPiiPaths } from '../utils/check-pii-output.js';
 const isValidVariableName = (name) => {
     const regex = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;
     return regex.test(name);
@@ -222,6 +224,20 @@ const areCompatibleFunctionIds = (existingId, incomingId) => {
     const incomingParsed = parseVersionedId(incomingId);
     return existingParsed.baseName === incomingParsed.baseName;
 };
+function printNode(node) {
+    return ts
+        .createPrinter({ removeComments: true })
+        .printNode(ts.EmitHint.Unspecified, node, node.getSourceFile());
+}
+function computeImplementationHash(args) {
+    const { wrapper, handler, objectNode, isDirectFunction } = args;
+    return hashString(canonicalJSON({
+        wrapper,
+        isDirectFunction,
+        handler: printNode(handler),
+        config: objectNode ? printNode(objectNode) : null,
+    }));
+}
 /**
  * Inspect pikkuFunc calls, extract input/output and first-arg destructuring,
  * then push into state.functions.meta.
@@ -409,7 +425,12 @@ export const addFunctions = (logger, node, checker, state, options) => {
         }
     }
     if (version !== undefined) {
-        const baseName = explicitName || exportedName || pikkuFuncId;
+        let baseName = explicitName || exportedName || pikkuFuncId;
+        // Strip trailing VN suffix if it matches the version (e.g. getDataV1 + version:1 → getData@v1)
+        const vSuffix = `V${version}`;
+        if (baseName.endsWith(vSuffix) && baseName.length > vSuffix.length) {
+            baseName = baseName.slice(0, -vSuffix.length);
+        }
         pikkuFuncId = formatVersionedId(baseName, version);
     }
     const isMCPToolFunc = expression.text === 'pikkuMCPToolFunc';
@@ -606,6 +627,25 @@ export const addFunctions = (logger, node, checker, state, options) => {
             }
         }
     }
+    // ── PII brand check ───────────────────────────────────────────────────────
+    // Walk the function body's ACTUAL inferred return type looking for Private<T>
+    // / Secret<T> brands (__pii__ property).  This runs for every function,
+    // including those with a Zod output schema, because the TS return type
+    // reflects what the body actually returns before any Zod coercion.
+    {
+        const sig = checker.getSignatureFromDeclaration(handler);
+        if (sig) {
+            const rawRet = checker.getReturnTypeOfSignature(sig);
+            const unwrapped = unwrapPromise(checker, rawRet);
+            const piiPaths = findPiiPaths(checker, unwrapped);
+            if (piiPaths.length > 0) {
+                logger.critical(ErrorCode.PII_IN_OUTPUT, `Function '${name}' exposes PII-classified field(s) in its return type: ` +
+                    piiPaths.map((p) => `'${p}'`).join(', ') +
+                    `.\n  Either strip these fields before returning or mark the column ` +
+                    `@public in the migration if it is safe to expose.`);
+            }
+        }
+    }
     // --- resolve middleware ---
     let middleware = objectNode
         ? resolveMiddleware(state, objectNode, tags, checker)
@@ -636,6 +676,12 @@ export const addFunctions = (logger, node, checker, state, options) => {
         }
     }
     const sessionless = expression.text !== 'pikkuFunc';
+    const implementationHash = computeImplementationHash({
+        wrapper: expression.text,
+        handler,
+        objectNode,
+        isDirectFunction,
+    });
     state.functions.meta[pikkuFuncId] = {
         pikkuFuncId,
         functionType: 'user',
@@ -655,6 +701,7 @@ export const addFunctions = (logger, node, checker, state, options) => {
         deploy: deploy || undefined,
         approvalRequired: approvalRequired || undefined,
         approvalDescription: approvalDescription || undefined,
+        implementationHash,
         version,
         title,
         tags: tags || undefined,

package/dist/add/add-http-route.js

@@ -146,17 +146,36 @@ export function registerHTTPRoute({ obj, state, checker, logger, sourceFile, bas
         return;
     }
     const input = fnMeta.inputs?.[0] || null;
+    const getRouteInputKeys = () => {
+        const targetFuncName = refAddonTarget ?? funcName;
+        const inputTypes = state.typesLookup.get(targetFuncName);
+        if (inputTypes && inputTypes.length > 0) {
+            return extractTypeKeys(inputTypes[0]);
+        }
+        const targetMeta = resolveFunctionMeta(state, targetFuncName);
+        if (targetMeta?.inputSchemaName) {
+            const schema = state.schemas[targetMeta.inputSchemaName];
+            const properties = schema?.properties;
+            if (properties && typeof properties === 'object') {
+                return Object.keys(properties);
+            }
+        }
+        return null;
+    };
     // Validate that route params and query params exist in function input type
     if (params.length > 0 || query.length > 0) {
-        const inputTypes = state.typesLookup.get(funcName);
-        if (inputTypes && inputTypes.length > 0) {
-            const inputKeys = extractTypeKeys(inputTypes[0]);
+        const inputKeys = getRouteInputKeys();
+        if (!inputKeys) {
+            // Input shape isn't inspectable at this phase (e.g. addon ref or opaque handler).
+            // Skip param/query validation rather than emitting a false positive.
+        }
+        else {
             // Check path params
             if (params.length > 0) {
                 const missingParams = params.filter((p) => !inputKeys.includes(p));
                 if (missingParams.length > 0) {
                     logger.critical(ErrorCode.ROUTE_PARAM_MISMATCH, `Route '${fullRoute}' has path parameter(s) [${missingParams.join(', ')}] ` +
-                        `not found in function '${funcName}' input type. ` +
+                        `not found in function '${refAddonTarget ?? funcName}' input type. ` +
                         `Input type has: [${inputKeys.join(', ')}]`);
                     return;
                 }
@@ -166,7 +185,7 @@ export function registerHTTPRoute({ obj, state, checker, logger, sourceFile, bas
                 const missingQuery = query.filter((q) => !inputKeys.includes(q));
                 if (missingQuery.length > 0) {
                     logger.critical(ErrorCode.ROUTE_QUERY_MISMATCH, `Route '${fullRoute}' has query parameter(s) [${missingQuery.join(', ')}] ` +
-                        `not found in function '${funcName}' input type. ` +
+                        `not found in function '${refAddonTarget ?? funcName}' input type. ` +
                         `Input type has: [${inputKeys.join(', ')}]`);
                     return;
                 }

package/dist/add/add-keyed-wiring.js

@@ -1,5 +1,5 @@
 import * as ts from 'typescript';
-import { getPropertyValue } from '../utils/get-property-value.js';
+import { getPropertyValue, assertStringLiteralProperty, } from '../utils/get-property-value.js';
 import { ErrorCode } from '../error-codes.js';
 import { detectSchemaVendorOrError } from '../utils/detect-schema-vendor.js';
 export const createAddKeyedWiring = (config) => {
@@ -19,6 +19,8 @@ export const createAddKeyedWiring = (config) => {
         }
         if (ts.isObjectLiteralExpression(firstArg)) {
             const obj = firstArg;
+            assertStringLiteralProperty(obj, 'name', config.label, logger);
+            assertStringLiteralProperty(obj, config.idField, config.label, logger);
             const nameValue = getPropertyValue(obj, 'name');
             const displayNameValue = getPropertyValue(obj, 'displayName');
             const descriptionValue = getPropertyValue(obj, 'description');

package/dist/add/add-middleware.js

@@ -171,7 +171,7 @@ export const addMiddleware = (logger, node, checker, state) => {
         logger.debug(`• Found middleware factory with services: ${services.services.join(', ')}${name ? ` (name: ${name})` : ''}${description ? ` (description: ${description})` : ''}`);
         return;
     }
-    if (expression.text === 'addMiddleware') {
+    if (expression.text === 'addTagMiddleware') {
         const tagArg = args[0];
         const middlewareArrayArg = args[1];
         if (!tagArg || !middlewareArrayArg)
@@ -181,11 +181,11 @@ export const addMiddleware = (logger, node, checker, state) => {
             tag = tagArg.text;
         }
         if (!tag) {
-            logger.warn(`• addMiddleware call without valid tag string`);
+            logger.warn(`• addTagMiddleware call without valid tag string`);
             return;
         }
         if (!ts.isArrayLiteralExpression(middlewareArrayArg)) {
-            logger.error(`• addMiddleware('${tag}', ...) must have a literal array as second argument`);
+            logger.error(`• addTagMiddleware('${tag}', ...) must have a literal array as second argument`);
             return;
         }
         const refs = extractMiddlewareRefs(middlewareArrayArg, checker, state.rootDir);
@@ -236,7 +236,7 @@ export const addMiddleware = (logger, node, checker, state) => {
         }
         if (!isFactory && exportedName) {
             logger.warn(`• Middleware group '${exportedName}' for tag '${tag}' is not wrapped in a factory function. ` +
-                `For tree-shaking, use: export const ${exportedName} = () => addMiddleware('${tag}', [...])`);
+                `For tree-shaking, use: export const ${exportedName} = () => addTagMiddleware('${tag}', [...])`);
         }
         state.middleware.tagMiddleware.set(tag, {
             exportName: exportedName,
@@ -253,6 +253,34 @@ export const addMiddleware = (logger, node, checker, state) => {
         logger.debug(`• Found tag middleware group: ${tag} -> [${instanceIds.join(', ')}] (${isFactory ? 'factory' : 'direct'})`);
         return;
     }
+    if (expression.text === 'addGlobalMiddleware') {
+        const middlewareArrayArg = args[0];
+        if (!middlewareArrayArg ||
+            !ts.isArrayLiteralExpression(middlewareArrayArg)) {
+            logger.error(`• addGlobalMiddleware(...) must have a literal array as its only argument`);
+            return;
+        }
+        const refs = extractMiddlewareRefs(middlewareArrayArg, checker, state.rootDir);
+        const definitionIds = refs.map((r) => r.definitionId);
+        if (definitionIds.length > 0) {
+            renameTempDefinitions(state, definitionIds, 'global', 'middleware');
+        }
+        const sourceFile = node.getSourceFile().fileName;
+        for (let i = 0; i < refs.length; i++) {
+            const instanceId = makeContextBasedId('global', 'middleware', String(i));
+            state.middleware.instances[instanceId] = {
+                definitionId: definitionIds[i],
+                sourceFile,
+                position: node.getStart(),
+                isFactoryCall: refs[i].isFactoryCall,
+            };
+        }
+        // Without this, bootstrap codegen's "import every file with a wire-call"
+        // pass skips middleware-only files and the registration never runs.
+        state.http.files.add(sourceFile);
+        logger.debug(`• Found global middleware group with ${refs.length} entries`);
+        return;
+    }
     if (expression.text === 'addHTTPMiddleware') {
         const patternArg = args[0];
         const middlewareArrayArg = args[1];
@@ -332,6 +360,7 @@ export const addMiddleware = (logger, node, checker, state) => {
             instanceIds,
             isFactory,
         });
+        state.http.files.add(sourceFile);
         logger.debug(`• Found HTTP route middleware group: ${pattern} -> [${instanceIds.join(', ')}] (${isFactory ? 'factory' : 'direct'})`);
         return;
     }

package/dist/add/add-permission.js

@@ -27,7 +27,7 @@ function isInsidePermissionContainer(node) {
         if (ts.isCallExpression(current) &&
             ts.isIdentifier(current.expression) &&
             (current.expression.text === 'pikkuPermissionFactory' ||
-                current.expression.text === 'addPermission' ||
+                current.expression.text === 'addTagPermission' ||
                 current.expression.text === 'addHTTPPermission')) {
             return true;
         }
@@ -247,9 +247,9 @@ export const addPermission = (logger, node, checker, state) => {
     }
     // Handle addPermission('tag', [permission1, permission2])
     // Supports two patterns:
-    // 1. export const x = () => addPermission('tag', [...])  (factory - tree-shakeable)
-    // 2. export const x = addPermission('tag', [...])  (direct - no tree-shaking)
-    if (expression.text === 'addPermission') {
+    // 1. export const x = () => addTagPermission('tag', [...])  (factory - tree-shakeable)
+    // 2. export const x = addTagPermission('tag', [...])  (direct - no tree-shaking)
+    if (expression.text === 'addTagPermission') {
         const tagArg = args[0];
         const permissionsArrayArg = args[1];
         if (!tagArg || !permissionsArrayArg)
@@ -260,13 +260,13 @@ export const addPermission = (logger, node, checker, state) => {
             tag = tagArg.text;
         }
         if (!tag) {
-            logger.warn(`• addPermission call without valid tag string`);
+            logger.warn(`• addTagPermission call without valid tag string`);
             return;
         }
         // Check if permissions is a literal array or object
         if (!ts.isArrayLiteralExpression(permissionsArrayArg) &&
             !ts.isObjectLiteralExpression(permissionsArrayArg)) {
-            logger.error(`• addPermission('${tag}', ...) must have a literal array or object as second argument`);
+            logger.error(`• addTagPermission('${tag}', ...) must have a literal array or object as second argument`);
             return;
         }
         // Extract permission pikkuFuncIds from array
@@ -305,7 +305,7 @@ export const addPermission = (logger, node, checker, state) => {
         }
         if (!isFactory && exportedName) {
             logger.warn(`• Permission group '${exportedName}' for tag '${tag}' is not wrapped in a factory function. ` +
-                `For tree-shaking, use: export const ${exportedName} = () => addPermission('${tag}', [...])`);
+                `For tree-shaking, use: export const ${exportedName} = () => addTagPermission('${tag}', [...])`);
         }
         state.permissions.tagPermissions.set(tag, {
             exportName: exportedName,

package/dist/add/add-workflow-graph.js

@@ -281,6 +281,8 @@ function extractGraphFromNewFormat(nodesNode, configNode, checker, state) {
             input: {},
             next: undefined,
             onError: undefined,
+            retries: undefined,
+            retryDelay: undefined,
         };
     }
     // Extract config for each node from 'config' property
@@ -301,6 +303,8 @@ function extractGraphFromNewFormat(nodesNode, configNode, checker, state) {
                     nodes[nodeId].next = nodeConfig.next;
                     nodes[nodeId].onError = nodeConfig.onError;
                     nodes[nodeId].input = nodeConfig.input;
+                    nodes[nodeId].retries = nodeConfig.retries;
+                    nodes[nodeId].retryDelay = nodeConfig.retryDelay;
                 }
             }
         }
@@ -314,6 +318,8 @@ function extractNodeConfigFromObject(obj, checker) {
     let next = undefined;
     let onError = undefined;
     let input = {};
+    let retries = undefined;
+    let retryDelay = undefined;
     for (const prop of obj.properties) {
         if (!ts.isPropertyAssignment(prop) || !ts.isIdentifier(prop.name))
             continue;
@@ -327,8 +333,21 @@ function extractNodeConfigFromObject(obj, checker) {
         else if (propName === 'input') {
             input = extractInputMapping(prop.initializer, checker);
         }
+        else if (propName === 'retries') {
+            if (ts.isNumericLiteral(prop.initializer)) {
+                retries = Number(prop.initializer.text);
+            }
+        }
+        else if (propName === 'retryDelay') {
+            if (ts.isNumericLiteral(prop.initializer)) {
+                retryDelay = Number(prop.initializer.text);
+            }
+            else if (ts.isStringLiteral(prop.initializer)) {
+                retryDelay = prop.initializer.text;
+            }
+        }
     }
-    return { next, onError, input };
+    return { next, onError, input, retries, retryDelay };
 }
 /**
  * Inspector for pikkuWorkflowGraph() calls

package/dist/error-codes.d.ts

@@ -8,6 +8,7 @@
  */
 export declare enum ErrorCode {
     MISSING_NAME = "PKU111",
+    NON_LITERAL_WIRE_NAME = "PKU118",
     MISSING_DESCRIPTION = "PKU123",
     INVALID_VALUE = "PKU124",
     MISSING_URI = "PKU220",
@@ -53,5 +54,6 @@ export declare enum ErrorCode {
     SCHEMA_AND_WIRING_COLOCATED = "PKU490",
     SERVICES_NOT_DESTRUCTURED = "PKU410",
     WIRES_NOT_DESTRUCTURED = "PKU411",
-    WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = "PKU901"
+    WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = "PKU901",
+    PII_IN_OUTPUT = "PKU910"
 }

package/dist/error-codes.js

@@ -10,6 +10,7 @@ export var ErrorCode;
 (function (ErrorCode) {
     // Validation errors
     ErrorCode["MISSING_NAME"] = "PKU111";
+    ErrorCode["NON_LITERAL_WIRE_NAME"] = "PKU118";
     ErrorCode["MISSING_DESCRIPTION"] = "PKU123";
     ErrorCode["INVALID_VALUE"] = "PKU124";
     ErrorCode["MISSING_URI"] = "PKU220";
@@ -66,4 +67,6 @@ export var ErrorCode;
     ErrorCode["WIRES_NOT_DESTRUCTURED"] = "PKU411";
     // Feature Flag
     ErrorCode["WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED"] = "PKU901";
+    // Data classification errors
+    ErrorCode["PII_IN_OUTPUT"] = "PKU910";
 })(ErrorCode || (ErrorCode = {}));

package/dist/index.d.ts

@@ -6,6 +6,7 @@ export { ErrorCode } from './error-codes.js';
 export { serializeInspectorState, deserializeInspectorState, } from './utils/serialize-inspector-state.js';
 export type { SerializableInspectorState } from './utils/serialize-inspector-state.js';
 export { filterInspectorState } from './utils/filter-inspector-state.js';
+export { resolveDeployTarget } from './utils/resolve-deploy-target.js';
 export { generateCustomTypes, sanitizeTypeName, } from './utils/custom-types-generator.js';
 export { createEmptyManifest, serializeManifest, } from './utils/contract-hashes.js';
 export type { ContractEntry, VersionHashEntry, VersionValidateError, VersionManifest, VersionManifestEntry, } from './utils/contract-hashes.js';

package/dist/index.js

@@ -2,6 +2,7 @@ export { inspect, getInitialInspectorState } from './inspector.js';
 export { ErrorCode } from './error-codes.js';
 export { serializeInspectorState, deserializeInspectorState, } from './utils/serialize-inspector-state.js';
 export { filterInspectorState } from './utils/filter-inspector-state.js';
+export { resolveDeployTarget } from './utils/resolve-deploy-target.js';
 export { generateCustomTypes, sanitizeTypeName, } from './utils/custom-types-generator.js';
 export { createEmptyManifest, serializeManifest, } from './utils/contract-hashes.js';
 export { serializeMCPJson } from './utils/serialize-mcp-json.js';

package/dist/inspector.js

@@ -4,7 +4,7 @@ import { visitSetup, visitRoutes } from './visit.js';
 import { TypesMap } from './types-map.js';
 import { getFilesAndMethods } from './utils/get-files-and-methods.js';
 import { findCommonAncestor } from './utils/find-root-dir.js';
-import { aggregateRequiredServices, validateAgentModels, validateAgentOverrides, validateSecretOverrides, validateVariableOverrides, validateCredentialOverrides, computeResolvedIOTypes, computeMiddlewareGroupsMeta, computePermissionsGroupsMeta, computeRequiredSchemas, computeDiagnostics, validateSchemaWiringSeparation, } from './utils/post-process.js';
+import { aggregateRequiredServices, validateAgentModels, validateSecretOverrides, validateVariableOverrides, validateCredentialOverrides, computeResolvedIOTypes, computeMiddlewareGroupsMeta, computePermissionsGroupsMeta, computeRequiredSchemas, computeDiagnostics, validateSchemaWiringSeparation, } from './utils/post-process.js';
 import { generateOpenAPISpec } from './utils/serialize-openapi-json.js';
 import { pikkuState } from '@pikku/core/internal';
 import { resolveLatestVersions } from './utils/resolve-versions.js';
@@ -203,8 +203,6 @@ export const inspect = async (logger, routeFiles, options = {}) => {
     // Use provided rootDir or infer from source files
     const rootDir = options.rootDir || findCommonAncestor(routeFiles);
     const startSourceFiles = performance.now();
-    // Filter source files to only include files within the project rootDir
-    // This prevents picking up types from external packages (including workspace symlinks)
     const sourceFiles = program
         .getSourceFiles()
         .filter((sf) => sf.fileName.startsWith(rootDir));
@@ -262,8 +260,7 @@ export const inspect = async (logger, routeFiles, options = {}) => {
         if (options.openAPI) {
             state.openAPISpec = await generateOpenAPISpec(logger, state.functions.meta, state.http.meta, state.schemas, options.openAPI.additionalInfo, pikkuState(null, 'misc', 'errors'));
         }
-        validateAgentModels(logger, state, options.modelConfig);
-        validateAgentOverrides(logger, state, options.modelConfig);
+        validateAgentModels(logger, state);
         validateSecretOverrides(logger, state);
         validateVariableOverrides(logger, state);
         validateCredentialOverrides(logger, state);

package/dist/types.d.ts

@@ -143,10 +143,19 @@ export interface InspectorPermissionState {
 export type InspectorFilters = {
     names?: string[];
     tags?: string[];
-    types?: string[];
+    wires?: string[];
     directories?: string[];
     httpRoutes?: string[];
     httpMethods?: string[];
+    excludeNames?: string[];
+    excludeTags?: string[];
+    excludeWires?: string[];
+    excludeDirectories?: string[];
+    excludeHttpRoutes?: string[];
+    excludeHttpMethods?: string[];
+    target?: Array<'serverless' | 'server'>;
+    excludeTarget?: Array<'serverless' | 'server'>;
+    serverlessIncompatible?: string[];
 };
 export type AddonConfig = {
     package: string;
@@ -154,23 +163,6 @@ export type AddonConfig = {
     secretOverrides?: Record<string, string>;
     forceInclude?: boolean;
 };
-export type ModelConfigEntry = string | {
-    model: string;
-    temperature?: number;
-    maxSteps?: number;
-};
-export type InspectorModelConfig = {
-    models?: Record<string, ModelConfigEntry>;
-    agentDefaults?: {
-        temperature?: number;
-        maxSteps?: number;
-    };
-    agentOverrides?: Record<string, {
-        model?: string;
-        temperature?: number;
-        maxSteps?: number;
-    }>;
-};
 export type InspectorOptions = Partial<{
     setupOnly: boolean;
     rootDir: string;
@@ -193,7 +185,6 @@ export type InspectorOptions = Partial<{
     };
     tags: string[];
     manifest: VersionManifest;
-    modelConfig: InspectorModelConfig;
     oldProgram: ts.Program | undefined;
 }>;
 export interface InspectorLogger {

package/dist/utils/check-pii-output.d.ts

@@ -0,0 +1,14 @@
+import * as ts from 'typescript';
+/**
+ * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
+ * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ *
+ * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__pii__`
+ * property.  We detect that by checking whether any constituent of an
+ * intersection exposes a property named `__pii__`.
+ *
+ * Returns the list of dotted field paths where a brand was found
+ * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ */
+export declare function findPiiPaths(checker: ts.TypeChecker, type: ts.Type, path?: string, depth?: number, seen?: Set<ts.Type>): string[];

package/dist/utils/check-pii-output.js

@@ -0,0 +1,63 @@
+import * as ts from 'typescript';
+/**
+ * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
+ * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ *
+ * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__pii__`
+ * property.  We detect that by checking whether any constituent of an
+ * intersection exposes a property named `__pii__`.
+ *
+ * Returns the list of dotted field paths where a brand was found
+ * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ */
+export function findPiiPaths(checker, type, path = '', depth = 0, seen = new Set()) {
+    if (depth > 8 || seen.has(type))
+        return [];
+    seen.add(type);
+    // ── Is this type itself branded? ─────────────────────────────────────────
+    // Private<T> = T & { readonly __pii__: 'private' }  →  isIntersection()
+    // where one constituent has a `__pii__` property.
+    if (type.isIntersection()) {
+        const branded = type.types.some((t) => t.getProperties().some((p) => p.name === '__pii__'));
+        if (branded) {
+            return [path || '<return value>'];
+        }
+    }
+    const violations = [];
+    // ── Union: check every branch ─────────────────────────────────────────────
+    if (type.isUnion()) {
+        for (const branch of type.types) {
+            violations.push(...findPiiPaths(checker, branch, path, depth, seen));
+        }
+        return violations;
+    }
+    // ── Object: recurse into named properties ─────────────────────────────────
+    if (type.flags & ts.TypeFlags.Object) {
+        const ref = type;
+        for (const arg of ref.typeArguments ?? []) {
+            violations.push(...findPiiPaths(checker, arg, path, depth + 1, seen));
+        }
+        const numberIndex = checker.getIndexTypeOfType(type, ts.IndexKind.Number);
+        if (numberIndex) {
+            const idxPath = path ? `${path}[]` : '[]';
+            violations.push(...findPiiPaths(checker, numberIndex, idxPath, depth + 1, seen));
+        }
+        const stringIndex = checker.getIndexTypeOfType(type, ts.IndexKind.String);
+        if (stringIndex) {
+            const idxPath = path ? `${path}[*]` : '[*]';
+            violations.push(...findPiiPaths(checker, stringIndex, idxPath, depth + 1, seen));
+        }
+        for (const prop of type.getProperties()) {
+            if (prop.name.startsWith('__'))
+                continue;
+            const decl = prop.valueDeclaration ?? prop.declarations?.[0];
+            if (!decl)
+                continue;
+            const propType = checker.getTypeOfSymbolAtLocation(prop, decl);
+            const subPath = path ? `${path}.${prop.name}` : prop.name;
+            violations.push(...findPiiPaths(checker, propType, subPath, depth + 1, seen));
+        }
+    }
+    return violations;
+}

package/dist/utils/extract-function-name.js

@@ -338,6 +338,12 @@ export function extractFunctionName(callExpr, checker, rootDir) {
         result.pikkuFuncId = `__temp_${randomUUID()}`;
     }
     if (result.version !== null) {
+        // Strip trailing VN suffix if it matches the version (e.g. createCardV1 + version:1 → createCard@v1)
+        const vSuffix = `V${result.version}`;
+        if (result.pikkuFuncId.endsWith(vSuffix) &&
+            result.pikkuFuncId.length > vSuffix.length) {
+            result.pikkuFuncId = result.pikkuFuncId.slice(0, -vSuffix.length);
+        }
         result.pikkuFuncId = formatVersionedId(result.pikkuFuncId, result.version);
     }
     return result;