@pikku/inspector 0.12.13 → 0.12.16

package/CHANGELOG.md

@@ -1,3 +1,51 @@
+## 0.12.16
+
+### Patch Changes
+
+- 646c5a8: Fix inspector failing to extract descriptions written as string concatenation (`+`). Descriptions like `'line one ' + 'line two'` are now correctly resolved to their full value. The `checker` parameter is also threaded through `getCommonWireMetaData` so all wiring types benefit from static string evaluation.
+
+## 0.12.15
+
+### Patch Changes
+
+- 0db854e: Fix workflow DSL extractor treating `x = await workflow.do(...)` as a set-step when `x` was previously declared as `null`. The referenced function is now correctly registered in `invokedFunctions` and `internalFiles`, so it appears in the generated `pikku-functions.gen.ts`.
+- 8249f6f: Fix `isStringLike` to unwrap type assertion expressions (`as T` / `<T>expr`) so that `workflow.do('step', 'rpcName' as any, data)` is correctly parsed as an RPC step rather than silently dropped as an inline step. Also removes the `as any` cast from the `Emails` step in `all.workflow.ts` now that the inspector handles it, and ensures `pikku all` generates email template artifacts.
+- f373a87: Fix PKU910 classification semantics and Postgres annotation propagation.
+
+  **Inspector (`@pikku/inspector`):**
+  - `findPiiPaths()` now returns `ClassifiedField[]` (path + classification level) so `private`/`pii` and `secret` brands are distinguished
+  - `Secret<T>` fields are blocked in the output of all exposed functions (sessioned or not)
+  - `Private<T>` / `Pii<T>` fields are only blocked in sessionless functions — authenticated (sessioned) functions may return private-classified data to their callers
+
+  **CLI (`@pikku/cli`):**
+  - Fix missing `rootDir` in the Postgres `generateSchemaTypes` call — the annotations sidecar file (`db/annotations.gen.json`) was silently ignored during Postgres migrations, causing columns annotated `@public` to remain branded as `Private<T>` in the generated schema
+
+## 0.12.14
+
+### Patch Changes
+
+- 4b5c75b: feat(auth-js): wire OIDC config (issuer/tenantId) as variables, expand provider registry
+  - Move `issuer` and `tenantId` out of the secret blob for OIDC providers (auth0, okta, azure-ad, keycloak, cognito, microsoft-entra-id) — they are public config URLs, not secrets. Now registered via `wireVariable` and loaded at runtime via `services.variables.get()`.
+  - Expand provider registry from 13 to 31 providers: reddit, notion, instagram, zoom, figma, tiktok, threads, patreon, dropbox, bitbucket, hubspot, salesforce, atlassian, strava, keycloak, cognito, microsoft-entra-id added.
+  - `serialize-auth-gen` emits `wireVariable({...})` declarations and `services.variables.get()` calls in the generated factory for OIDC providers.
+  - Integration verifier exercises real `/auth/providers` endpoint with `LocalSecretService` + `LocalVariablesService`, including a spy test proving `services.variables.get('AUTH0_ISSUER')` is called at request time.
+
+- 4b5c75b: Add end-to-end data classification for SQLite and Postgres projects.
+
+  **Core (`@pikku/core`):** New `Private<T>` and `Secret<T>` intersection brands, `ClassificationManifest`, `ColumnClassification`, and `AnonymizeStrategy` types exported from `data-classification.ts`.
+
+  **CLI (`@pikku/cli`):**
+  - SQL comment annotations: `-- @public`, `-- @private[:strategy]`, `-- @secret[:strategy]` on `CREATE TABLE` columns and `ALTER TABLE ... ADD COLUMN` statements. Unannotated columns default to `private`.
+  - `pikku db migrate` now emits a `classification.gen.ts` manifest alongside `schema.d.ts`.
+  - New `pikku db audit` command — prints a per-column classification summary and warns on `private`/`secret` columns with no anonymize strategy.
+  - Postgres dialect support in `resolveDb`, `PostgresMigrationExecutor`, and `PostgresIntrospector`.
+
+  **Inspector (`@pikku/inspector`):** New PKU910 check — `findPiiPaths()` walks inferred function return types looking for `__pii__` brands (including inside `Array<T>`, `Record<K,V>`, and index signatures) and fails the build if a function exposes branded fields in its output.
+
+- Updated dependencies [4b5c75b]
+- Updated dependencies [4b5c75b]
+  - @pikku/core@0.12.27
+
 ## 0.12.13
 
 ### Patch Changes

package/dist/add/add-ai-agent.js

@@ -159,7 +159,7 @@ export const addAIAgent = (logger, node, checker, state, options) => {
     if (ts.isObjectLiteralExpression(firstArg)) {
         const obj = firstArg;
         const nameValue = getPropertyValue(obj, 'name');
-        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'AI agent', nameValue, logger);
+        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'AI agent', nameValue, logger, checker);
         if (disabled)
             return;
         const modelValue = getPropertyValue(obj, 'model');

package/dist/add/add-auth.d.ts

@@ -0,0 +1,2 @@
+import type { AddWiring } from '../types.js';
+export declare const addAuth: AddWiring;

package/dist/add/add-auth.js

@@ -0,0 +1,34 @@
+import * as ts from 'typescript';
+import { ErrorCode } from '../error-codes.js';
+export const addAuth = (logger, node, _checker, state) => {
+    if (!ts.isCallExpression(node))
+        return;
+    const expression = node.expression;
+    if (!ts.isIdentifier(expression) || expression.text !== 'wireAuth')
+        return;
+    const firstArg = node.arguments[0];
+    if (!firstArg || !ts.isObjectLiteralExpression(firstArg))
+        return;
+    const providersProp = firstArg.properties.find((p) => ts.isPropertyAssignment(p) &&
+        (ts.isIdentifier(p.name) || ts.isStringLiteral(p.name)) &&
+        p.name.text === 'providers');
+    const sourceFile = node.getSourceFile().fileName;
+    state.auth.files.add(sourceFile);
+    if (!providersProp) {
+        return;
+    }
+    if (!ts.isArrayLiteralExpression(providersProp.initializer)) {
+        logger.critical(ErrorCode.MISSING_NAME, 'wireAuth: providers must be an array literal of string literals.');
+        return;
+    }
+    for (const element of providersProp.initializer
+        .elements) {
+        if (!ts.isStringLiteral(element)) {
+            logger.critical(ErrorCode.NON_LITERAL_WIRE_NAME, `wireAuth: each provider must be a string literal. Found: ${element.getText()}`);
+            return;
+        }
+        if (!state.auth.providers.includes(element.text)) {
+            state.auth.providers.push(element.text);
+        }
+    }
+};

package/dist/add/add-channel.js

@@ -165,7 +165,7 @@ export function addMessagesRoutes(logger, obj, state, checker) {
                                         if (fnMeta) {
                                             // Resolve middleware for this route
                                             const routeTags = ts.isObjectLiteralExpression(init)
-                                                ? getCommonWireMetaData(init, 'Channel message', routeKey, logger).tags
+                                                ? getCommonWireMetaData(init, 'Channel message', routeKey, logger, checker).tags
                                                 : undefined;
                                             const routeMiddleware = ts.isObjectLiteralExpression(init)
                                                 ? resolveMiddleware(state, init, routeTags, checker)
@@ -187,7 +187,7 @@ export function addMessagesRoutes(logger, obj, state, checker) {
                                     if (fnMeta) {
                                         // Resolve middleware for this route
                                         const routeTags = ts.isObjectLiteralExpression(init)
-                                            ? getCommonWireMetaData(init, 'Channel message', routeKey, logger).tags
+                                            ? getCommonWireMetaData(init, 'Channel message', routeKey, logger, checker).tags
                                             : undefined;
                                         const routeMiddleware = ts.isObjectLiteralExpression(init)
                                             ? resolveMiddleware(state, init, routeTags, checker)
@@ -220,7 +220,7 @@ export function addMessagesRoutes(logger, obj, state, checker) {
                                                 if (fnMeta) {
                                                     // Resolve middleware for this route
                                                     const routeTags = ts.isObjectLiteralExpression(init)
-                                                        ? getCommonWireMetaData(init, 'Channel message', routeKey, logger).tags
+                                                        ? getCommonWireMetaData(init, 'Channel message', routeKey, logger, checker).tags
                                                         : undefined;
                                                     const routeMiddleware = ts.isObjectLiteralExpression(init)
                                                         ? resolveMiddleware(state, init, routeTags, checker)
@@ -239,7 +239,7 @@ export function addMessagesRoutes(logger, obj, state, checker) {
                                                 if (fnMeta) {
                                                     // Resolve middleware for this route
                                                     const routeTags = ts.isObjectLiteralExpression(init)
-                                                        ? getCommonWireMetaData(init, 'Channel message', routeKey, logger).tags
+                                                        ? getCommonWireMetaData(init, 'Channel message', routeKey, logger, checker).tags
                                                         : undefined;
                                                     const routeMiddleware = ts.isObjectLiteralExpression(init)
                                                         ? resolveMiddleware(state, init, routeTags, checker)
@@ -303,7 +303,7 @@ export function addMessagesRoutes(logger, obj, state, checker) {
                             if (fnMeta) {
                                 // Resolve middleware for this route
                                 const routeTags = ts.isObjectLiteralExpression(init)
-                                    ? getCommonWireMetaData(init, 'Channel message', routeKey, logger).tags
+                                    ? getCommonWireMetaData(init, 'Channel message', routeKey, logger, checker).tags
                                     : undefined;
                                 const routeMiddleware = ts.isObjectLiteralExpression(init)
                                     ? resolveMiddleware(state, init, routeTags, checker)
@@ -332,7 +332,7 @@ export function addMessagesRoutes(logger, obj, state, checker) {
             // Resolve middleware and permissions for this route
             // Check if the route config is an object literal with middleware/permissions
             const routeTags = ts.isObjectLiteralExpression(init)
-                ? getCommonWireMetaData(init, 'Channel message', routeKey, logger).tags
+                ? getCommonWireMetaData(init, 'Channel message', routeKey, logger, checker).tags
                 : undefined;
             const routeMiddleware = ts.isObjectLiteralExpression(init)
                 ? resolveMiddleware(state, init, routeTags, checker)
@@ -378,7 +378,7 @@ export const addChannel = (logger, node, checker, state, options) => {
             .keys.filter((k) => k.type === 'param')
             .map((k) => k.name)
         : [];
-    const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Channel', name, logger);
+    const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Channel', name, logger, checker);
     if (disabled)
         return;
     const query = getPropertyValue(obj, 'query');
@@ -437,6 +437,24 @@ export const addChannel = (logger, node, checker, state, options) => {
             : null;
         state.serviceAggregation.usedFunctions.add(disconnectFuncId);
     }
+    // Synthesize function meta for connect/disconnect handlers that are defined
+    // with pikkuChannelConnectionFunc/pikkuChannelDisconnectionFunc (not pikkuFunc/
+    // pikkuSessionlessFunc), so the runtime has correct sessionless info without
+    // needing to inject it at runtime.
+    {
+        const routeAuth = getPropertyValue(obj, 'auth');
+        const sessionless = routeAuth === false ? true : undefined;
+        for (const funcId of [connectFuncId, disconnectFuncId]) {
+            if (funcId && !state.functions.meta[funcId]) {
+                state.functions.meta[funcId] = {
+                    pikkuFuncId: funcId,
+                    sessionless,
+                    inputSchemaName: null,
+                    outputSchemaName: null,
+                };
+            }
+        }
+    }
     if (message) {
         state.serviceAggregation.usedFunctions.add(message.pikkuFuncId);
     }

package/dist/add/add-functions.js

@@ -330,7 +330,7 @@ export const addFunctions = (logger, node, checker, state, options) => {
     // Extract config properties if using object form
     if (ts.isObjectLiteralExpression(firstArg)) {
         objectNode = firstArg;
-        const metadata = getCommonWireMetaData(firstArg, 'Function', name, logger);
+        const metadata = getCommonWireMetaData(firstArg, 'Function', name, logger, checker);
         if (metadata.disabled)
             return;
         title = metadata.title;
@@ -627,22 +627,38 @@ export const addFunctions = (logger, node, checker, state, options) => {
             }
         }
     }
-    // ── PII brand check ───────────────────────────────────────────────────────
-    // Walk the function body's ACTUAL inferred return type looking for Private<T>
-    // / Secret<T> brands (__pii__ property).  This runs for every function,
-    // including those with a Zod output schema, because the TS return type
-    // reflects what the body actually returns before any Zod coercion.
+    const sessionless = expression.text !== 'pikkuFunc';
+    // ── Classification brand check ─────────────────────────────────────────────
+    // Walk the function body's ACTUAL inferred return type looking for classification
+    // brands (__classification__ property on Private<T>, Pii<T>, Secret<T>).
+    //
+    // Semantics:
+    //   secret  → never returned by any exposed function (sessioned or not)
+    //   private → only visible to authenticated (sessioned) users; ok for pikkuFunc
+    //   public  → safe for sessionless functions
     {
         const sig = checker.getSignatureFromDeclaration(handler);
         if (sig) {
             const rawRet = checker.getReturnTypeOfSignature(sig);
             const unwrapped = unwrapPromise(checker, rawRet);
-            const piiPaths = findPiiPaths(checker, unwrapped);
-            if (piiPaths.length > 0) {
-                logger.critical(ErrorCode.PII_IN_OUTPUT, `Function '${name}' exposes PII-classified field(s) in its return type: ` +
-                    piiPaths.map((p) => `'${p}'`).join(', ') +
-                    `.\n  Either strip these fields before returning or mark the column ` +
-                    `@public in the migration if it is safe to expose.`);
+            const classifiedFields = findPiiPaths(checker, unwrapped);
+            const secretPaths = classifiedFields
+                .filter((f) => f.classification === 'secret')
+                .map((f) => f.path);
+            const privatePaths = classifiedFields
+                .filter((f) => f.classification === 'private' || f.classification === 'pii')
+                .map((f) => f.path);
+            if (secretPaths.length > 0) {
+                logger.critical(ErrorCode.PII_IN_OUTPUT, `Function '${name}' exposes secret-classified field(s) in its return type: ` +
+                    secretPaths.map((p) => `'${p}'`).join(', ') +
+                    `.\n  Secret fields must never appear in function output. ` +
+                    `Strip these fields before returning or change the column classification.`);
+            }
+            if (sessionless && privatePaths.length > 0) {
+                logger.critical(ErrorCode.PII_IN_OUTPUT, `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
+                    privatePaths.map((p) => `'${p}'`).join(', ') +
+                    `.\n  Private fields are only safe to return from authenticated (sessioned) functions. ` +
+                    `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`);
             }
         }
     }
@@ -675,7 +691,6 @@ export const addFunctions = (logger, node, checker, state, options) => {
             permissions = [...(permissions || []), ...newPermissions];
         }
     }
-    const sessionless = expression.text !== 'pikkuFunc';
     const implementationHash = computeImplementationHash({
         wrapper: expression.text,
         handler,

package/dist/add/add-gateway.js

@@ -23,7 +23,7 @@ export const addGateway = (logger, node, checker, state, _options) => {
     const nameValue = getPropertyValue(obj, 'name');
     const typeValue = getPropertyValue(obj, 'type');
     const routeValue = getPropertyValue(obj, 'route');
-    const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Gateway', nameValue, logger);
+    const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Gateway', nameValue, logger, checker);
     if (disabled)
         return;
     const funcInitializer = getPropertyAssignmentInitializer(obj, 'func', true, checker);

package/dist/add/add-http-route.js

@@ -97,7 +97,7 @@ export function registerHTTPRoute({ obj, state, checker, logger, sourceFile, bas
         return;
     }
     // Get common metadata
-    const { disabled, title, tags: routeTags, summary, description, errors, } = getCommonWireMetaData(obj, 'HTTP route', fullRoute, logger);
+    const { disabled, title, tags: routeTags, summary, description, errors, } = getCommonWireMetaData(obj, 'HTTP route', fullRoute, logger, checker);
     if (disabled)
         return;
     // Merge inherited tags with route tags
@@ -136,6 +136,28 @@ export function registerHTTPRoute({ obj, state, checker, logger, sourceFile, bas
         }
     }
     ensureFunctionMetadata(state, funcName, fullRoute, funcInitializer, checker, extracted.isHelper);
+    // Propagate sessionless from the addon target so the runtime can correctly
+    // determine whether a session is required for ref()-based routes.
+    if (refAddonTarget) {
+        const targetMeta = resolveFunctionMeta(state, refAddonTarget);
+        const inlineMeta = state.functions.meta[funcName];
+        if (targetMeta && inlineMeta && targetMeta.sessionless !== undefined) {
+            inlineMeta.sessionless = targetMeta.sessionless;
+        }
+    }
+    // For inline functions (e.g. oauth2 handlers), propagate sessionless: true
+    // when auth is explicitly disabled at the route or group level — the
+    // developer opted out of auth so no session is required.
+    {
+        const inlineMeta = state.functions.meta[funcName];
+        if (inlineMeta && inlineMeta.sessionless === undefined) {
+            const routeAuth = getPropertyValue(obj, 'auth');
+            const resolvedAuth = routeAuth === true || routeAuth === false ? routeAuth : inheritedAuth;
+            if (resolvedAuth === false) {
+                inlineMeta.sessionless = true;
+            }
+        }
+    }
     // Lookup existing function metadata
     const fnMeta = resolveFunctionMeta(state, funcName);
     if (!fnMeta) {

package/dist/add/add-mcp-prompt.js

@@ -25,7 +25,7 @@ export const addMCPPrompt = (logger, node, checker, state, options) => {
     if (ts.isObjectLiteralExpression(firstArg)) {
         const obj = firstArg;
         const nameValue = getPropertyValue(obj, 'name');
-        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'MCP prompt', nameValue, logger);
+        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'MCP prompt', nameValue, logger, checker);
         if (disabled)
             return;
         const funcInitializer = getPropertyAssignmentInitializer(obj, 'func', true, checker);

package/dist/add/add-mcp-resource.js

@@ -26,7 +26,7 @@ export const addMCPResource = (logger, node, checker, state, options) => {
         const obj = firstArg;
         const uriValue = getPropertyValue(obj, 'uri');
         const titleValue = getPropertyValue(obj, 'title');
-        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'MCP resource', uriValue, logger);
+        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'MCP resource', uriValue, logger, checker);
         if (disabled)
             return;
         const streamingValue = getPropertyValue(obj, 'streaming');

package/dist/add/add-queue-worker.js

@@ -23,7 +23,7 @@ export const addQueueWorker = (logger, node, checker, state) => {
     if (ts.isObjectLiteralExpression(firstArg)) {
         const obj = firstArg;
         const name = getPropertyValue(obj, 'name');
-        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Queue worker', name, logger);
+        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Queue worker', name, logger, checker);
         if (disabled)
             return;
         // --- find the referenced function ---

package/dist/add/add-schedule.js

@@ -24,7 +24,7 @@ export const addSchedule = (logger, node, checker, state, options) => {
         const obj = firstArg;
         const nameValue = getPropertyValue(obj, 'name');
         const scheduleValue = getPropertyValue(obj, 'schedule');
-        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Scheduler', nameValue, logger);
+        const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Scheduler', nameValue, logger, checker);
         if (disabled)
             return;
         const funcInitializer = getPropertyAssignmentInitializer(obj, 'func', true, checker);

package/dist/add/add-trigger.js

@@ -29,7 +29,7 @@ const addWireTrigger = (logger, node, checker, state, firstArg) => {
     }
     const obj = firstArg;
     const nameValue = getPropertyValue(obj, 'name');
-    const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Trigger', nameValue, logger);
+    const { disabled, tags, summary, description, errors } = getCommonWireMetaData(obj, 'Trigger', nameValue, logger, checker);
     if (disabled)
         return;
     const funcInitializer = getPropertyAssignmentInitializer(obj, 'func', true, checker);

package/dist/add/add-workflow.js

@@ -185,7 +185,7 @@ export const addWorkflow = (logger, node, checker, state) => {
     let inline;
     let expose;
     if (ts.isObjectLiteralExpression(firstArg)) {
-        const metadata = getCommonWireMetaData(firstArg, 'Workflow', workflowName, logger);
+        const metadata = getCommonWireMetaData(firstArg, 'Workflow', workflowName, logger, checker);
         if (metadata.disabled)
             return;
         tags = metadata.tags;

package/dist/inspector.js

@@ -115,6 +115,10 @@ export function getInitialInspectorState(rootDir) {
             meta: {},
             files: new Set(),
         },
+        auth: {
+            providers: [],
+            files: new Set(),
+        },
         secrets: {
             definitions: [],
             files: new Set(),

package/dist/types.d.ts

@@ -339,6 +339,10 @@ export interface InspectorState {
         meta: NodesMeta;
         files: Set<string>;
     };
+    auth: {
+        providers: string[];
+        files: Set<string>;
+    };
     secrets: {
         definitions: SecretDefinitions;
         files: Set<string>;

package/dist/utils/check-pii-output.d.ts

@@ -1,14 +1,19 @@
 import * as ts from 'typescript';
+export type ClassifiedField = {
+    path: string;
+    classification: 'private' | 'pii' | 'secret' | string;
+};
 /**
- * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
- * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
+ * the structural marker emitted by `Private<T>`, `Pii<T>`, and `Secret<T>`.
  *
- * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
- * system as an intersection whose constituents include a type with a `__pii__`
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
  * property.  We detect that by checking whether any constituent of an
- * intersection exposes a property named `__pii__`.
+ * intersection exposes a property named `__classification__`.
  *
- * Returns the list of dotted field paths where a brand was found
- * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ * Returns the list of classified fields found, each with its dotted path and
+ * classification level (e.g. `[{ path: 'email', classification: 'private' }]`).
+ * An empty array means clean.
  */
-export declare function findPiiPaths(checker: ts.TypeChecker, type: ts.Type, path?: string, depth?: number, seen?: Set<ts.Type>): string[];
+export declare function findPiiPaths(checker: ts.TypeChecker, type: ts.Type, path?: string, depth?: number, seen?: Set<ts.Type>): ClassifiedField[];

package/dist/utils/check-pii-output.js

@@ -1,27 +1,37 @@
 import * as ts from 'typescript';
 /**
- * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
- * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
+ * the structural marker emitted by `Private<T>`, `Pii<T>`, and `Secret<T>`.
  *
- * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
- * system as an intersection whose constituents include a type with a `__pii__`
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
  * property.  We detect that by checking whether any constituent of an
- * intersection exposes a property named `__pii__`.
+ * intersection exposes a property named `__classification__`.
  *
- * Returns the list of dotted field paths where a brand was found
- * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ * Returns the list of classified fields found, each with its dotted path and
+ * classification level (e.g. `[{ path: 'email', classification: 'private' }]`).
+ * An empty array means clean.
  */
 export function findPiiPaths(checker, type, path = '', depth = 0, seen = new Set()) {
     if (depth > 8 || seen.has(type))
         return [];
     seen.add(type);
     // ── Is this type itself branded? ─────────────────────────────────────────
-    // Private<T> = T & { readonly __pii__: 'private' }  →  isIntersection()
-    // where one constituent has a `__pii__` property.
+    // Private<T> = T & { readonly __classification__: 'private' }  →  isIntersection()
+    // where one constituent has a `__classification__` property whose type is a string literal.
     if (type.isIntersection()) {
-        const branded = type.types.some((t) => t.getProperties().some((p) => p.name === '__pii__'));
-        if (branded) {
-            return [path || '<return value>'];
+        for (const t of type.types) {
+            const classificationProp = t
+                .getProperties()
+                .find((p) => p.name === '__classification__');
+            if (classificationProp) {
+                const decl = classificationProp.valueDeclaration ??
+                    classificationProp.declarations?.[0];
+                const classification = decl
+                    ? (checker.getTypeOfSymbolAtLocation(classificationProp, decl)?.value ?? 'private')
+                    : 'private';
+                return [{ path: path || '<return value>', classification }];
+            }
         }
     }
     const violations = [];

package/dist/utils/ensure-function-metadata.js

@@ -192,7 +192,7 @@ export function ensureFunctionMetadata(state, pikkuFuncId, fallbackName, funcIni
             const firstArg = pikkuFuncCall.arguments[0];
             if (firstArg && ts.isObjectLiteralExpression(firstArg)) {
                 if (!meta.tags) {
-                    const { tags } = getCommonWireMetaData(firstArg, 'Function', fallbackName || pikkuFuncId);
+                    const { tags } = getCommonWireMetaData(firstArg, 'Function', fallbackName || pikkuFuncId, undefined, checker);
                     if (tags) {
                         meta.tags = tags;
                     }

package/dist/utils/extract-node-value.d.ts

@@ -8,7 +8,7 @@ export declare function extractStringLiteral(node: ts.Node, checker: ts.TypeChec
 /**
  * Check if node is string-like (string literal or template expression)
  */
-export declare function isStringLike(node: ts.Node, _checker: ts.TypeChecker): boolean;
+export declare function isStringLike(node: ts.Node, checker: ts.TypeChecker): boolean;
 /**
  * Check if node is function-like (arrow, function expression, or function declaration)
  */

package/dist/utils/extract-node-value.js

@@ -24,6 +24,11 @@ export function extractStringLiteral(node, checker) {
     if (ts.isAsExpression(node) || ts.isTypeAssertionExpression(node)) {
         return extractStringLiteral(node.expression, checker);
     }
+    if (ts.isBinaryExpression(node) &&
+        node.operatorToken.kind === ts.SyntaxKind.PlusToken) {
+        return (extractStringLiteral(node.left, checker) +
+            extractStringLiteral(node.right, checker));
+    }
     // Try to evaluate constant identifiers
     if (ts.isIdentifier(node)) {
         const symbol = checker.getSymbolAtLocation(node);
@@ -40,7 +45,7 @@ export function extractStringLiteral(node, checker) {
 /**
  * Check if node is string-like (string literal or template expression)
  */
-export function isStringLike(node, _checker) {
+export function isStringLike(node, checker) {
     if (ts.isStringLiteral(node) || ts.isNoSubstitutionTemplateLiteral(node)) {
         return true;
     }
@@ -48,6 +53,10 @@ export function isStringLike(node, _checker) {
     if (ts.isTemplateExpression(node)) {
         return true;
     }
+    // Unwrap type assertions: `expr as Type` or `<Type>expr`
+    if (ts.isAsExpression(node) || ts.isTypeAssertionExpression(node)) {
+        return isStringLike(node.expression, checker);
+    }
     return false;
 }
 /**

package/dist/utils/get-property-value.d.ts

@@ -25,7 +25,7 @@ export declare const getPropertyValue: (obj: ts.ObjectLiteralExpression, propert
  */
 export declare const getCommonWireMetaData: (obj: ts.ObjectLiteralExpression, wiringType: string, wiringName: string | null, logger?: {
     critical: (code: ErrorCode, message: string) => void;
-}) => {
+}, checker?: ts.TypeChecker) => {
     disabled?: true;
     title?: string;
     tags?: string[];

package/dist/utils/get-property-value.js

@@ -1,5 +1,6 @@
 import * as ts from 'typescript';
 import { ErrorCode } from '../error-codes.js';
+import { extractStringLiteral } from './extract-node-value.js';
 /**
  * Extracts an array of strings from an object property.
  */
@@ -94,7 +95,7 @@ export const getPropertyValue = (obj, propertyName) => {
  * @param logger - Optional logger instance; if not provided, uses console.error
  * @returns Object containing the common wire metadata fields
  */
-export const getCommonWireMetaData = (obj, wiringType, wiringName, logger) => {
+export const getCommonWireMetaData = (obj, wiringType, wiringName, logger, checker) => {
     const metadata = {};
     assertStringLiteralProperty(obj, 'name', wiringType, logger);
     obj.properties.forEach((prop) => {
@@ -104,16 +105,41 @@ export const getCommonWireMetaData = (obj, wiringType, wiringName, logger) => {
                 prop.initializer.kind === ts.SyntaxKind.TrueKeyword) {
                 metadata.disabled = true;
             }
-            else if (propName === 'title' && ts.isStringLiteral(prop.initializer)) {
-                metadata.title = prop.initializer.text;
+            else if (propName === 'title') {
+                try {
+                    metadata.title = checker
+                        ? extractStringLiteral(prop.initializer, checker)
+                        : ts.isStringLiteral(prop.initializer)
+                            ? prop.initializer.text
+                            : undefined;
+                }
+                catch {
+                    // non-static title — skip
+                }
             }
-            else if (propName === 'summary' &&
-                ts.isStringLiteral(prop.initializer)) {
-                metadata.summary = prop.initializer.text;
+            else if (propName === 'summary') {
+                try {
+                    metadata.summary = checker
+                        ? extractStringLiteral(prop.initializer, checker)
+                        : ts.isStringLiteral(prop.initializer)
+                            ? prop.initializer.text
+                            : undefined;
+                }
+                catch {
+                    // non-static summary — skip
+                }
             }
-            else if (propName === 'description' &&
-                ts.isStringLiteral(prop.initializer)) {
-                metadata.description = prop.initializer.text;
+            else if (propName === 'description') {
+                try {
+                    metadata.description = checker
+                        ? extractStringLiteral(prop.initializer, checker)
+                        : ts.isStringLiteral(prop.initializer)
+                            ? prop.initializer.text
+                            : undefined;
+                }
+                catch {
+                    // non-static description — skip
+                }
             }
             else if (propName === 'tags') {
                 if (ts.isArrayLiteralExpression(prop.initializer)) {

package/dist/utils/serialize-inspector-state.d.ts

@@ -203,6 +203,10 @@ export interface SerializableInspectorState {
         meta: InspectorState['nodes']['meta'];
         files: string[];
     };
+    auth: {
+        providers: string[];
+        files: string[];
+    };
     secrets: {
         definitions: InspectorState['secrets']['definitions'];
         files: string[];