@refrainai/cli 0.4.1

package/dist/chunk-HQDXLWAY.js

@@ -0,0 +1,109 @@
+#!/usr/bin/env node
+import {
+  tenantModelOverrides,
+  tenantModelProviders
+} from "./chunk-CLYJHKPY.js";
+
+// src/server/inngest/helpers/tenant-ai-config.ts
+import { eq } from "drizzle-orm";
+
+// src/server/crypto.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+var ALGORITHM = "aes-256-gcm";
+var IV_LENGTH = 12;
+var AUTH_TAG_LENGTH = 16;
+function encrypt(plaintext, key) {
+  const keyBuffer = Buffer.from(key, "hex");
+  if (keyBuffer.length !== 32) {
+    throw new Error("Encryption key must be 32 bytes (64 hex characters)");
+  }
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, keyBuffer, iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+}
+function decrypt(encrypted, key) {
+  const keyBuffer = Buffer.from(key, "hex");
+  if (keyBuffer.length !== 32) {
+    throw new Error("Encryption key must be 32 bytes (64 hex characters)");
+  }
+  const [ivHex, authTagHex, ciphertextHex] = encrypted.split(":");
+  if (!ivHex || !authTagHex || !ciphertextHex) {
+    throw new Error("Invalid encrypted format: expected iv:authTag:ciphertext");
+  }
+  const iv = Buffer.from(ivHex, "hex");
+  const authTag = Buffer.from(authTagHex, "hex");
+  const ciphertext = Buffer.from(ciphertextHex, "hex");
+  const decipher = createDecipheriv(ALGORITHM, keyBuffer, iv, {
+    authTagLength: AUTH_TAG_LENGTH
+  });
+  decipher.setAuthTag(authTag);
+  return Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final()
+  ]).toString("utf8");
+}
+function maskSensitiveValue(value) {
+  if (value.length <= 8) return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
+  return `${value.slice(0, 4)}\u2022\u2022\u2022\u2022${value.slice(-4)}`;
+}
+function isMaskedValue(value) {
+  return value.includes("\u2022\u2022\u2022\u2022") || /^\*+$/.test(value);
+}
+
+// src/server/inngest/helpers/tenant-ai-config.ts
+var ENCRYPTED_CONFIG_FIELDS = ["apiKey", "bedrockSecretAccessKey"];
+async function resolveTenantAIConfig(db, tenantId, encryptionKey) {
+  const [provider] = await db.select().from(tenantModelProviders).where(eq(tenantModelProviders.tenantId, tenantId)).limit(1);
+  if (!provider) {
+    throw new Error(
+      `AI provider not configured for tenant ${tenantId}. Please configure an AI provider in Settings > AI Models.`
+    );
+  }
+  const overrides = await db.select().from(tenantModelOverrides).where(eq(tenantModelOverrides.tenantId, tenantId));
+  const modelOverrides = {};
+  for (const o of overrides) {
+    modelOverrides[o.purpose] = o.modelId;
+  }
+  const rawConfig = provider.config ?? {};
+  const config = { ...rawConfig };
+  for (const field of ENCRYPTED_CONFIG_FIELDS) {
+    const value = config[field];
+    if (value) {
+      try {
+        config[field] = decrypt(value, encryptionKey);
+      } catch {
+      }
+    }
+  }
+  return {
+    modelId: provider.modelId,
+    provider: provider.providerId,
+    apiKey: config.apiKey,
+    baseURL: config.baseURL,
+    bedrockRegion: config.bedrockRegion,
+    bedrockAccessKeyId: config.bedrockAccessKeyId,
+    bedrockSecretAccessKey: config.bedrockSecretAccessKey,
+    bedrockSessionToken: config.bedrockSessionToken,
+    vertexProject: config.vertexProject,
+    vertexLocation: config.vertexLocation,
+    azureResourceName: config.azureResourceName,
+    azureApiVersion: config.azureApiVersion,
+    modelOverrides: Object.keys(modelOverrides).length > 0 ? modelOverrides : void 0
+  };
+}
+
+export {
+  encrypt,
+  decrypt,
+  maskSensitiveValue,
+  isMaskedValue,
+  resolveTenantAIConfig
+};
+//# sourceMappingURL=chunk-HQDXLWAY.js.map

package/dist/chunk-HQDXLWAY.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/inngest/helpers/tenant-ai-config.ts","../../../src/server/crypto.ts"],"sourcesContent":["/**\n * テナント別 AI モデル設定解決\n *\n * tenantModelProviders + tenantModelOverrides → AIModelConfig 構築。\n * 暗号化フィールドは decrypt() で復号。\n * プロバイダー未設定時はエラーをスロー（サイレントフォールバックしない）。\n */\n\nimport { eq } from \"drizzle-orm\";\nimport type { getDb } from \"../../db/client.js\";\nimport { tenantModelProviders, tenantModelOverrides } from \"../../db/schema.js\";\nimport { decrypt } from \"../../crypto.js\";\nimport type { AIModelConfig, ModelProvider, ModelPurpose } from \"../../../harness/ai-model.js\";\nimport { buildModelFactory } from \"../../../harness/ai-model.js\";\n\nexport { buildModelFactory };\n\ntype Db = ReturnType<typeof getDb>;\n\n/** 暗号化された provider config のフィールド */\nconst ENCRYPTED_CONFIG_FIELDS = [\"apiKey\", \"bedrockSecretAccessKey\"];\n\ninterface ProviderConfig {\n  apiKey?: string;\n  baseURL?: string;\n  bedrockRegion?: string;\n  bedrockAccessKeyId?: string;\n  bedrockSecretAccessKey?: string;\n  bedrockSessionToken?: string;\n  vertexProject?: string;\n  vertexLocation?: string;\n  azureResourceName?: string;\n  azureApiVersion?: string;\n}\n\n/**\n * DB からプロバイダーとオーバーライドを読み込み、AIModelConfig を構築する。\n * プロバイダー未設定時はエラーをスロー（サイレントフォールバックしない）。\n */\nexport async function resolveTenantAIConfig(\n  db: Db,\n  tenantId: string,\n  encryptionKey: string,\n): Promise<AIModelConfig> {\n  // プロバイダーを取得（connected 状態に関係なく使用）\n  const [provider] = await db\n    .select()\n    .from(tenantModelProviders)\n    .where(eq(tenantModelProviders.tenantId, tenantId))\n    .limit(1);\n\n  if (!provider) {\n    throw new Error(\n      `AI provider not configured for tenant ${tenantId}. Please configure an AI provider in Settings > AI Models.`,\n    );\n  }\n\n  // オーバーライドを取得\n  const overrides = await db\n    .select()\n    .from(tenantModelOverrides)\n    .where(eq(tenantModelOverrides.tenantId, tenantId));\n\n  const modelOverrides: Partial<Record<ModelPurpose, string>> = {};\n  for (const o of overrides) {\n    modelOverrides[o.purpose as ModelPurpose] = o.modelId;\n  }\n\n  // provider.config の暗号化フィールドを復号\n  const rawConfig = (provider.config ?? {}) as ProviderConfig;\n  const config: ProviderConfig = { ...rawConfig };\n  for (const field of ENCRYPTED_CONFIG_FIELDS) {\n    const value = config[field as keyof ProviderConfig] as string | undefined;\n    if (value) {\n      try {\n        (config as Record<string, unknown>)[field] = decrypt(value, encryptionKey);\n      } catch {\n        // 復号失敗は無視（平文の可能性あり）\n      }\n    }\n  }\n\n  return {\n    modelId: provider.modelId,\n    provider: provider.providerId as ModelProvider,\n    apiKey: config.apiKey,\n    baseURL: config.baseURL,\n    bedrockRegion: config.bedrockRegion,\n    bedrockAccessKeyId: config.bedrockAccessKeyId,\n    bedrockSecretAccessKey: config.bedrockSecretAccessKey,\n    bedrockSessionToken: config.bedrockSessionToken,\n    vertexProject: config.vertexProject,\n    vertexLocation: config.vertexLocation,\n    azureResourceName: config.azureResourceName,\n    azureApiVersion: config.azureApiVersion,\n    modelOverrides: Object.keys(modelOverrides).length > 0 ? modelOverrides : undefined,\n  };\n}\n\n","/**\n * AES-256-GCM 暗号化/復号ユーティリティ\n */\n\nimport { createCipheriv, createDecipheriv, randomBytes } from \"node:crypto\";\n\nconst ALGORITHM = \"aes-256-gcm\";\nconst IV_LENGTH = 12;\nconst AUTH_TAG_LENGTH = 16;\n\n/**\n * AES-256-GCM で暗号化し、`iv:authTag:ciphertext` 形式の hex 文字列を返す\n */\nexport function encrypt(plaintext: string, key: string): string {\n  const keyBuffer = Buffer.from(key, \"hex\");\n  if (keyBuffer.length !== 32) {\n    throw new Error(\"Encryption key must be 32 bytes (64 hex characters)\");\n  }\n\n  const iv = randomBytes(IV_LENGTH);\n  const cipher = createCipheriv(ALGORITHM, keyBuffer, iv, {\n    authTagLength: AUTH_TAG_LENGTH,\n  });\n\n  const encrypted = Buffer.concat([\n    cipher.update(plaintext, \"utf8\"),\n    cipher.final(),\n  ]);\n  const authTag = cipher.getAuthTag();\n\n  return `${iv.toString(\"hex\")}:${authTag.toString(\"hex\")}:${encrypted.toString(\"hex\")}`;\n}\n\n/**\n * `iv:authTag:ciphertext` 形式の hex 文字列を復号\n */\nexport function decrypt(encrypted: string, key: string): string {\n  const keyBuffer = Buffer.from(key, \"hex\");\n  if (keyBuffer.length !== 32) {\n    throw new Error(\"Encryption key must be 32 bytes (64 hex characters)\");\n  }\n\n  const [ivHex, authTagHex, ciphertextHex] = encrypted.split(\":\");\n  if (!ivHex || !authTagHex || !ciphertextHex) {\n    throw new Error(\"Invalid encrypted format: expected iv:authTag:ciphertext\");\n  }\n\n  const iv = Buffer.from(ivHex, \"hex\");\n  const authTag = Buffer.from(authTagHex, \"hex\");\n  const ciphertext = Buffer.from(ciphertextHex, \"hex\");\n\n  const decipher = createDecipheriv(ALGORITHM, keyBuffer, iv, {\n    authTagLength: AUTH_TAG_LENGTH,\n  });\n  decipher.setAuthTag(authTag);\n\n  return Buffer.concat([\n    decipher.update(ciphertext),\n    decipher.final(),\n  ]).toString(\"utf8\");\n}\n\n/**\n * 表示用マスク: 先頭4文字 + `••••` + 末尾4文字\n */\nexport function maskSensitiveValue(value: string): string {\n  if (value.length <= 8) return \"••••••••\";\n  return `${value.slice(0, 4)}••••${value.slice(-4)}`;\n}\n\n/**\n * マスク値かどうかを判定。\n * Web UI は `***`、CLI/将来実装は `••••` 系を返しうるため両方を受け入れる。\n */\nexport function isMaskedValue(value: string): boolean {\n  return value.includes(\"••••\") || /^\\*+$/.test(value);\n}\n"],"mappings":";;;;;;;AAQA,SAAS,UAAU;;;ACJnB,SAAS,gBAAgB,kBAAkB,mBAAmB;AAE9D,IAAM,YAAY;AAClB,IAAM,YAAY;AAClB,IAAM,kBAAkB;AAKjB,SAAS,QAAQ,WAAmB,KAAqB;AAC9D,QAAM,YAAY,OAAO,KAAK,KAAK,KAAK;AACxC,MAAI,UAAU,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,qDAAqD;AAAA,EACvE;AAEA,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,WAAW,IAAI;AAAA,IACtD,eAAe;AAAA,EACjB,CAAC;AAED,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,OAAO,OAAO,WAAW,MAAM;AAAA,IAC/B,OAAO,MAAM;AAAA,EACf,CAAC;AACD,QAAM,UAAU,OAAO,WAAW;AAElC,SAAO,GAAG,GAAG,SAAS,KAAK,CAAC,IAAI,QAAQ,SAAS,KAAK,CAAC,IAAI,UAAU,SAAS,KAAK,CAAC;AACtF;AAKO,SAAS,QAAQ,WAAmB,KAAqB;AAC9D,QAAM,YAAY,OAAO,KAAK,KAAK,KAAK;AACxC,MAAI,UAAU,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,qDAAqD;AAAA,EACvE;AAEA,QAAM,CAAC,OAAO,YAAY,aAAa,IAAI,UAAU,MAAM,GAAG;AAC9D,MAAI,CAAC,SAAS,CAAC,cAAc,CAAC,eAAe;AAC3C,UAAM,IAAI,MAAM,0DAA0D;AAAA,EAC5E;AAEA,QAAM,KAAK,OAAO,KAAK,OAAO,KAAK;AACnC,QAAM,UAAU,OAAO,KAAK,YAAY,KAAK;AAC7C,QAAM,aAAa,OAAO,KAAK,eAAe,KAAK;AAEnD,QAAM,WAAW,iBAAiB,WAAW,WAAW,IAAI;AAAA,IAC1D,eAAe;AAAA,EACjB,CAAC;AACD,WAAS,WAAW,OAAO;AAE3B,SAAO,OAAO,OAAO;AAAA,IACnB,SAAS,OAAO,UAAU;AAAA,IAC1B,SAAS,MAAM;AAAA,EACjB,CAAC,EAAE,SAAS,MAAM;AACpB;AAKO,SAAS,mBAAmB,OAAuB;AACxD,MAAI,MAAM,UAAU,EAAG,QAAO;AAC9B,SAAO,GAAG,MAAM,MAAM,GAAG,CAAC,CAAC,2BAAO,MAAM,MAAM,EAAE,CAAC;AACnD;AAMO,SAAS,cAAc,OAAwB;AACpD,SAAO,MAAM,SAAS,0BAAM,KAAK,QAAQ,KAAK,KAAK;AACrD;;;ADxDA,IAAM,0BAA0B,CAAC,UAAU,wBAAwB;AAmBnE,eAAsB,sBACpB,IACA,UACA,eACwB;AAExB,QAAM,CAAC,QAAQ,IAAI,MAAM,GACtB,OAAO,EACP,KAAK,oBAAoB,EACzB,MAAM,GAAG,qBAAqB,UAAU,QAAQ,CAAC,EACjD,MAAM,CAAC;AAEV,MAAI,CAAC,UAAU;AACb,UAAM,IAAI;AAAA,MACR,yCAAyC,QAAQ;AAAA,IACnD;AAAA,EACF;AAGA,QAAM,YAAY,MAAM,GACrB,OAAO,EACP,KAAK,oBAAoB,EACzB,MAAM,GAAG,qBAAqB,UAAU,QAAQ,CAAC;AAEpD,QAAM,iBAAwD,CAAC;AAC/D,aAAW,KAAK,WAAW;AACzB,mBAAe,EAAE,OAAuB,IAAI,EAAE;AAAA,EAChD;AAGA,QAAM,YAAa,SAAS,UAAU,CAAC;AACvC,QAAM,SAAyB,EAAE,GAAG,UAAU;AAC9C,aAAW,SAAS,yBAAyB;AAC3C,UAAM,QAAQ,OAAO,KAA6B;AAClD,QAAI,OAAO;AACT,UAAI;AACF,QAAC,OAAmC,KAAK,IAAI,QAAQ,OAAO,aAAa;AAAA,MAC3E,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,SAAS,SAAS;AAAA,IAClB,UAAU,SAAS;AAAA,IACnB,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,eAAe,OAAO;AAAA,IACtB,oBAAoB,OAAO;AAAA,IAC3B,wBAAwB,OAAO;AAAA,IAC/B,qBAAqB,OAAO;AAAA,IAC5B,eAAe,OAAO;AAAA,IACtB,gBAAgB,OAAO;AAAA,IACvB,mBAAmB,OAAO;AAAA,IAC1B,iBAAiB,OAAO;AAAA,IACxB,gBAAgB,OAAO,KAAK,cAAc,EAAE,SAAS,IAAI,iBAAiB;AAAA,EAC5E;AACF;","names":[]}