@remnic/core 1.0.0

package/dist/chunk-ZJLY4QSU.js

@@ -0,0 +1,823 @@
+import {
+  EngramMcpServer
+} from "./chunk-CXWFUJR2.js";
+import {
+  validateRequest
+} from "./chunk-PGK3VUHN.js";
+import {
+  EngramAccessInputError
+} from "./chunk-QY2BHY5O.js";
+import {
+  isTrustZoneName
+} from "./chunk-EQINRHYR.js";
+import {
+  log
+} from "./chunk-KWBU5S5U.js";
+
+// src/access-http.ts
+import { createServer } from "http";
+import { randomUUID, timingSafeEqual } from "crypto";
+import { AsyncLocalStorage } from "async_hooks";
+import { existsSync } from "fs";
+import { readFile } from "fs/promises";
+import path from "path";
+import { fileURLToPath, URL } from "url";
+
+// src/adapters/types.ts
+function headerValue(headers, key) {
+  const raw = headers[key];
+  const value = Array.isArray(raw) ? raw[0] : raw;
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
+}
+
+// src/adapters/claude-code.ts
+var ClaudeCodeAdapter = class {
+  id = "claude-code";
+  matches(context) {
+    if (context.clientInfo?.name === "claude-code") return true;
+    const ua = headerValue(context.headers, "user-agent");
+    if (ua && ua.toLowerCase().startsWith("claude-code/")) return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "claude-code") return true;
+    return false;
+  }
+  resolveIdentity(context) {
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "claude-code";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "claude-code";
+    return {
+      namespace,
+      principal,
+      sessionKey: mcpSessionId ?? context.sessionKey,
+      adapterId: this.id
+    };
+  }
+};
+
+// src/adapters/codex.ts
+var CodexAdapter = class {
+  id = "codex";
+  matches(context) {
+    if (context.clientInfo?.name === "codex-mcp-client") return true;
+    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
+    if (clientName.includes("codex") && clientName !== "codex-mcp-client") return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "codex") return true;
+    return false;
+  }
+  resolveIdentity(context) {
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "codex";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "codex";
+    return {
+      namespace,
+      principal,
+      sessionKey: mcpSessionId ?? context.sessionKey,
+      adapterId: this.id
+    };
+  }
+};
+
+// src/adapters/replit.ts
+var ReplitAdapter = class {
+  id = "replit";
+  matches(context) {
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "replit") return true;
+    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
+    if (clientName.includes("replit")) return true;
+    return false;
+  }
+  resolveIdentity(context) {
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "replit-agent";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "replit";
+    return {
+      namespace,
+      principal,
+      sessionKey: mcpSessionId ?? context.sessionKey,
+      adapterId: this.id
+    };
+  }
+};
+
+// src/adapters/hermes.ts
+var HermesAdapter = class {
+  id = "hermes";
+  matches(context) {
+    if (headerValue(context.headers, "x-hermes-session-id")) return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "hermes") return true;
+    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
+    if (clientName.includes("hermes")) return true;
+    return false;
+  }
+  resolveIdentity(context) {
+    const sessionId = headerValue(context.headers, "x-hermes-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "hermes-agent";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "hermes";
+    return {
+      namespace,
+      principal,
+      sessionKey: sessionId ?? context.sessionKey,
+      adapterId: this.id
+    };
+  }
+};
+
+// src/adapters/registry.ts
+var AdapterRegistry = class {
+  adapters;
+  constructor(adapters) {
+    this.adapters = adapters ?? [
+      new HermesAdapter(),
+      new ReplitAdapter(),
+      new CodexAdapter(),
+      new ClaudeCodeAdapter()
+    ];
+  }
+  /**
+   * Try each adapter in order. Return the first match, or null if
+   * no adapter recognizes the request context.
+   */
+  resolve(context) {
+    for (const adapter of this.adapters) {
+      if (adapter.matches(context)) {
+        return adapter.resolveIdentity(context);
+      }
+    }
+    return null;
+  }
+  /** List registered adapter IDs */
+  list() {
+    return this.adapters.map((a) => a.id);
+  }
+};
+
+// src/access-http.ts
+function resolveDefaultAdminConsolePublicDir() {
+  const candidates = [
+    fileURLToPath(new URL("../admin-console/public", import.meta.url)),
+    fileURLToPath(new URL("./admin-console/public", import.meta.url))
+  ];
+  return candidates.find((candidate) => existsSync(candidate)) ?? candidates[0];
+}
+var defaultAdminConsolePublicDir = resolveDefaultAdminConsolePublicDir();
+var correlationIdStore = new AsyncLocalStorage();
+var WRITE_RATE_LIMIT_WINDOW_MS = 6e4;
+var WRITE_RATE_LIMIT_MAX_REQUESTS = 30;
+var TRUST_ZONE_RECORD_KINDS = ["memory", "artifact", "state", "trajectory", "external"];
+var TRUST_ZONE_SOURCE_CLASSES = ["tool_output", "web_content", "subagent_trace", "system_memory", "user_input", "manual"];
+var HttpError = class extends Error {
+  constructor(status, message, code, details) {
+    super(message);
+    this.status = status;
+    this.code = code ?? `http_${status}`;
+    this.details = details;
+  }
+  status;
+  code;
+  details;
+};
+function hostToUrlAuthority(host) {
+  if (host.includes(":") && !host.startsWith("[") && !host.endsWith("]")) {
+    return `[${host}]`;
+  }
+  return host;
+}
+function parseTrustZoneKindFilter(raw) {
+  if (raw === null) return void 0;
+  if (TRUST_ZONE_RECORD_KINDS.includes(raw)) {
+    return raw;
+  }
+  throw new HttpError(400, `kind must be one of ${TRUST_ZONE_RECORD_KINDS.join("|")}`, "invalid_kind_filter");
+}
+function parseTrustZoneSourceClassFilter(raw) {
+  if (raw === null) return void 0;
+  if (TRUST_ZONE_SOURCE_CLASSES.includes(raw)) {
+    return raw;
+  }
+  throw new HttpError(400, `sourceClass must be one of ${TRUST_ZONE_SOURCE_CLASSES.join("|")}`, "invalid_source_class_filter");
+}
+function parseTrustZoneFilter(raw) {
+  if (raw === null) return void 0;
+  if (isTrustZoneName(raw)) {
+    return raw;
+  }
+  throw new HttpError(400, "zone must be one of quarantine|working|trusted", "invalid_zone_filter");
+}
+var EngramAccessHttpServer = class {
+  service;
+  host;
+  requestedPort;
+  authToken;
+  authTokens;
+  authTokensGetter;
+  authenticatedPrincipal;
+  maxBodyBytes;
+  adminConsoleEnabled;
+  adminConsolePublicDir;
+  trustPrincipalHeader;
+  adapterRegistry;
+  writeRequestTimestamps = [];
+  mcpServer;
+  server = null;
+  boundPort = 0;
+  constructor(options) {
+    this.service = options.service;
+    this.host = options.host?.trim() || "127.0.0.1";
+    this.requestedPort = Number.isFinite(options.port) ? Math.max(0, Math.floor(options.port ?? 0)) : 0;
+    this.authToken = options.authToken?.trim() || void 0;
+    this.authTokens = (options.authTokens ?? []).map((t) => t.trim()).filter(Boolean);
+    this.authTokensGetter = options.authTokensGetter;
+    this.authenticatedPrincipal = options.principal?.trim() || void 0;
+    this.maxBodyBytes = Number.isFinite(options.maxBodyBytes) ? Math.max(1, Math.floor(options.maxBodyBytes ?? 131072)) : 131072;
+    this.adminConsoleEnabled = options.adminConsoleEnabled !== false;
+    this.adminConsolePublicDir = options.adminConsolePublicDir ?? defaultAdminConsolePublicDir;
+    this.trustPrincipalHeader = options.trustPrincipalHeader === true;
+    this.adapterRegistry = options.enableAdapters !== false ? options.adapterRegistry ?? new AdapterRegistry() : null;
+    this.mcpServer = new EngramMcpServer(this.service, { principal: options.principal });
+  }
+  async start() {
+    if (!this.authToken && this.authTokens.length === 0 && !this.authTokensGetter) {
+      throw new Error("engram access HTTP requires authToken or authTokens");
+    }
+    if (this.server) return this.status();
+    const server = createServer((req, res) => {
+      const correlationId = randomUUID();
+      correlationIdStore.run(correlationId, () => {
+        void this.handle(req, res, correlationId).catch((err) => {
+          log.debug(`engram access HTTP request failed [${correlationId}]: ${err}`);
+          if (err instanceof HttpError) {
+            const payload = { error: err.message, code: err.code };
+            if (err.details) payload.details = err.details;
+            this.respondJson(res, err.status, payload);
+            return;
+          }
+          if (err instanceof EngramAccessInputError) {
+            this.respondJson(res, 400, { error: err.message, code: "input_error" });
+            return;
+          }
+          if (res.headersSent) {
+            res.destroy(err);
+            return;
+          }
+          this.respondJson(res, 500, { error: "internal_error", code: "internal_error" });
+        });
+      });
+    });
+    try {
+      await new Promise((resolve, reject) => {
+        const onError = (err) => {
+          server.off("listening", onListening);
+          reject(err);
+        };
+        const onListening = () => {
+          server.off("error", onError);
+          resolve();
+        };
+        server.once("error", onError);
+        server.once("listening", onListening);
+        server.listen(this.requestedPort, this.host);
+      });
+    } catch (err) {
+      server.close();
+      throw err;
+    }
+    this.server = server;
+    const address = server.address();
+    this.boundPort = typeof address === "object" && address ? address.port : this.requestedPort;
+    return this.status();
+  }
+  async stop() {
+    if (!this.server) return;
+    const server = this.server;
+    this.server = null;
+    this.boundPort = 0;
+    await new Promise((resolve, reject) => {
+      server.close((err) => err ? reject(err) : resolve());
+    });
+  }
+  status() {
+    return {
+      running: this.server !== null,
+      host: this.host,
+      port: this.boundPort,
+      maxBodyBytes: this.maxBodyBytes
+    };
+  }
+  /**
+   * Resolve the adapter identity for the incoming request.
+   * Includes MCP clientInfo from the last initialize handshake if available.
+   * Returns null if no adapter matches or adapters are disabled.
+   */
+  resolveAdapterIdentity(req) {
+    if (!this.adapterRegistry) return null;
+    const sessionId = (() => {
+      const raw = req.headers["mcp-session-id"];
+      return typeof raw === "string" ? raw.trim() : void 0;
+    })();
+    return this.adapterRegistry.resolve({
+      headers: req.headers,
+      clientInfo: this.mcpServer.getClientInfo(sessionId)
+    });
+  }
+  /** Cache for per-request identity resolution (avoids double adapter resolution) */
+  identityCache = /* @__PURE__ */ new WeakMap();
+  /** Resolve principal and namespace from request headers and adapter identity */
+  resolveRequestIdentity(req) {
+    const cached = this.identityCache.get(req);
+    if (cached) return cached;
+    let principal;
+    let namespace;
+    if (this.trustPrincipalHeader) {
+      const headerVal = req.headers["x-engram-principal"];
+      const raw = Array.isArray(headerVal) ? headerVal[0] : headerVal;
+      if (typeof raw === "string") {
+        const trimmed = raw.trim();
+        if (trimmed.length > 0) {
+          principal = trimmed;
+        }
+      }
+    }
+    const adapterIdentity = this.resolveAdapterIdentity(req);
+    if (adapterIdentity) {
+      if (!principal) {
+        principal = adapterIdentity.principal;
+      }
+      namespace = adapterIdentity.namespace;
+    }
+    if (!principal) {
+      principal = this.authenticatedPrincipal;
+    }
+    const result = { principal, namespace };
+    this.identityCache.set(req, result);
+    return result;
+  }
+  resolveRequestPrincipal(req) {
+    return this.resolveRequestIdentity(req).principal;
+  }
+  /** Resolve namespace: only use the explicit body value. Adapter-inferred namespace
+   *  is intentionally NOT used as a fallback for REST requests — omitting namespace
+   *  should default to the server's global namespace, not silently scope to an adapter. */
+  resolveNamespace(_req, bodyNamespace) {
+    return bodyNamespace || void 0;
+  }
+  async handle(req, res, correlationId) {
+    const parsed = new URL(req.url ?? "/", `http://${hostToUrlAuthority(this.host)}`);
+    const pathname = parsed.pathname;
+    if (this.adminConsoleEnabled && await this.handleAdminConsole(req, res, pathname)) {
+      return;
+    }
+    if (!this.isAuthorized(req)) {
+      const body = JSON.stringify({ error: "unauthorized", code: "unauthorized" });
+      res.writeHead(401, {
+        "content-type": "application/json; charset=utf-8",
+        "www-authenticate": "Bearer",
+        "x-request-id": correlationId
+      });
+      res.end(body);
+      return;
+    }
+    if (req.method === "POST" && pathname === "/mcp") {
+      await this.handleMcpRequest(req, res);
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/health") {
+      this.respondJson(res, 200, await this.service.health());
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/adapters") {
+      const identity = this.resolveAdapterIdentity(req);
+      this.respondJson(res, 200, {
+        adaptersEnabled: this.adapterRegistry !== null,
+        registered: this.adapterRegistry?.list() ?? [],
+        resolved: identity
+      });
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/recall") {
+      const body = await this.readValidatedBody(req, "recall");
+      const response = await this.service.recall({
+        query: body.query ?? "",
+        sessionKey: body.sessionKey,
+        namespace: this.resolveNamespace(req, body.namespace),
+        topK: body.topK,
+        mode: body.mode,
+        includeDebug: body.includeDebug === true
+      });
+      this.respondJson(res, 200, response);
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/recall/explain") {
+      const body = await this.readValidatedBody(req, "recallExplain");
+      const response = await this.service.recallExplain({
+        sessionKey: body.sessionKey,
+        namespace: this.resolveNamespace(req, body.namespace)
+      });
+      this.respondJson(res, 200, response);
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/observe") {
+      const body = await this.readValidatedBody(req, "observe");
+      this.ensureWriteRateLimitAvailable();
+      const response = await this.service.observe({
+        sessionKey: body.sessionKey,
+        messages: body.messages,
+        namespace: this.resolveNamespace(req, body.namespace),
+        authenticatedPrincipal: this.resolveRequestPrincipal(req),
+        skipExtraction: body.skipExtraction === true
+      });
+      this.recordWriteRateLimitHit();
+      this.respondJson(res, 202, response);
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/lcm/search") {
+      const body = await this.readValidatedBody(req, "lcmSearch");
+      const response = await this.service.lcmSearch({
+        query: body.query,
+        sessionKey: body.sessionKey,
+        namespace: this.resolveNamespace(req, body.namespace),
+        authenticatedPrincipal: this.resolveRequestPrincipal(req),
+        limit: body.limit
+      });
+      this.respondJson(res, 200, response);
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/lcm/status") {
+      this.respondJson(res, 200, await this.service.lcmStatus());
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/memories") {
+      const body = await this.readValidatedBody(req, "memoryStore");
+      const request = {
+        schemaVersion: body.schemaVersion,
+        idempotencyKey: body.idempotencyKey,
+        dryRun: body.dryRun === true,
+        sessionKey: body.sessionKey,
+        authenticatedPrincipal: this.resolveRequestPrincipal(req),
+        content: body.content,
+        category: body.category,
+        confidence: body.confidence,
+        namespace: this.resolveNamespace(req, body.namespace),
+        tags: body.tags,
+        entityRef: body.entityRef,
+        ttl: body.ttl,
+        sourceReason: body.sourceReason
+      };
+      const idempotencyStatus = await this.service.peekMemoryStoreIdempotency(request);
+      if (idempotencyStatus === "miss" && request.dryRun !== true) {
+        this.ensureWriteRateLimitAvailable();
+      }
+      const response = await this.service.memoryStore(request);
+      if (this.shouldCountWriteRateLimit(response)) {
+        this.recordWriteRateLimitHit();
+      }
+      this.respondJson(res, this.writeResponseStatus(response), response);
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/suggestions") {
+      const body = await this.readValidatedBody(req, "suggestionSubmit");
+      const request = {
+        schemaVersion: body.schemaVersion,
+        idempotencyKey: body.idempotencyKey,
+        dryRun: body.dryRun === true,
+        sessionKey: body.sessionKey,
+        authenticatedPrincipal: this.resolveRequestPrincipal(req),
+        content: body.content,
+        category: body.category,
+        confidence: body.confidence,
+        namespace: this.resolveNamespace(req, body.namespace),
+        tags: body.tags,
+        entityRef: body.entityRef,
+        ttl: body.ttl,
+        sourceReason: body.sourceReason
+      };
+      const idempotencyStatus = await this.service.peekSuggestionSubmitIdempotency(request);
+      if (idempotencyStatus === "miss" && request.dryRun !== true) {
+        this.ensureWriteRateLimitAvailable();
+      }
+      const response = await this.service.suggestionSubmit(request);
+      if (this.shouldCountWriteRateLimit(response)) {
+        this.recordWriteRateLimitHit();
+      }
+      this.respondJson(res, this.writeResponseStatus(response), response);
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/memories") {
+      const limitRaw = parseInt(parsed.searchParams.get("limit") ?? "50", 10);
+      const offsetRaw = parseInt(parsed.searchParams.get("offset") ?? "0", 10);
+      const sortParam = parsed.searchParams.get("sort") ?? void 0;
+      const sort = sortParam === "updated_desc" || sortParam === "updated_asc" || sortParam === "created_desc" || sortParam === "created_asc" ? sortParam : void 0;
+      const response = await this.service.memoryBrowse({
+        query: parsed.searchParams.get("q") ?? void 0,
+        status: parsed.searchParams.get("status") ?? void 0,
+        category: parsed.searchParams.get("category") ?? void 0,
+        namespace: parsed.searchParams.get("namespace") ?? void 0,
+        sort,
+        limit: Number.isFinite(limitRaw) ? limitRaw : 50,
+        offset: Number.isFinite(offsetRaw) ? offsetRaw : 0
+      });
+      this.respondJson(res, 200, response);
+      return;
+    }
+    const memoryMatch = pathname.match(/^\/engram\/v1\/memories\/([^/]+)$/);
+    if (req.method === "GET" && memoryMatch) {
+      const memoryId = decodeURIComponent(memoryMatch[1] ?? "");
+      const namespace = parsed.searchParams.get("namespace") ?? void 0;
+      const response = await this.service.memoryGet(memoryId, namespace, this.resolveRequestPrincipal(req));
+      this.respondJson(res, response.found ? 200 : 404, response);
+      return;
+    }
+    const timelineMatch = pathname.match(/^\/engram\/v1\/memories\/([^/]+)\/timeline$/);
+    if (req.method === "GET" && timelineMatch) {
+      const memoryId = decodeURIComponent(timelineMatch[1] ?? "");
+      const namespace = parsed.searchParams.get("namespace") ?? void 0;
+      const limitRaw = parseInt(parsed.searchParams.get("limit") ?? "200", 10);
+      const limit = Number.isFinite(limitRaw) ? limitRaw : 200;
+      const response = await this.service.memoryTimeline(memoryId, namespace, limit, this.resolveRequestPrincipal(req));
+      this.respondJson(res, response.found ? 200 : 404, response);
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/entities") {
+      const limitRaw = parseInt(parsed.searchParams.get("limit") ?? "50", 10);
+      const offsetRaw = parseInt(parsed.searchParams.get("offset") ?? "0", 10);
+      const response = await this.service.entityList({
+        namespace: parsed.searchParams.get("namespace") ?? void 0,
+        query: parsed.searchParams.get("q") ?? void 0,
+        limit: Number.isFinite(limitRaw) ? limitRaw : 50,
+        offset: Number.isFinite(offsetRaw) ? offsetRaw : 0
+      });
+      this.respondJson(res, 200, response);
+      return;
+    }
+    const entityMatch = pathname.match(/^\/engram\/v1\/entities\/([^/]+)$/);
+    if (req.method === "GET" && entityMatch) {
+      const entityName = decodeURIComponent(entityMatch[1] ?? "");
+      const namespace = parsed.searchParams.get("namespace") ?? void 0;
+      const response = await this.service.entityGet(entityName, namespace);
+      this.respondJson(res, response.found ? 200 : 404, response);
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/review-queue") {
+      const response = await this.service.reviewQueue(
+        parsed.searchParams.get("runId") ?? void 0,
+        parsed.searchParams.get("namespace") ?? void 0,
+        this.resolveRequestPrincipal(req)
+      );
+      this.respondJson(res, 200, response);
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/maintenance") {
+      this.respondJson(res, 200, await this.service.maintenance(parsed.searchParams.get("namespace") ?? void 0, this.resolveRequestPrincipal(req)));
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/quality") {
+      this.respondJson(res, 200, await this.service.quality(parsed.searchParams.get("namespace") ?? void 0, this.resolveRequestPrincipal(req)));
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/trust-zones/status") {
+      this.respondJson(
+        res,
+        200,
+        await this.service.trustZoneStatus(parsed.searchParams.get("namespace") ?? void 0, this.resolveRequestPrincipal(req))
+      );
+      return;
+    }
+    if (req.method === "GET" && pathname === "/engram/v1/trust-zones/records") {
+      const limitRaw = parseInt(parsed.searchParams.get("limit") ?? "25", 10);
+      const offsetRaw = parseInt(parsed.searchParams.get("offset") ?? "0", 10);
+      const response = await this.service.trustZoneBrowse({
+        query: parsed.searchParams.get("q") ?? void 0,
+        zone: parseTrustZoneFilter(parsed.searchParams.get("zone")),
+        kind: parseTrustZoneKindFilter(parsed.searchParams.get("kind")),
+        sourceClass: parseTrustZoneSourceClassFilter(parsed.searchParams.get("sourceClass")),
+        namespace: parsed.searchParams.get("namespace") ?? void 0,
+        limit: Number.isFinite(limitRaw) ? limitRaw : 25,
+        offset: Number.isFinite(offsetRaw) ? offsetRaw : 0
+      }, this.resolveRequestPrincipal(req));
+      this.respondJson(res, 200, response);
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/review-disposition") {
+      const body = await this.readValidatedBody(req, "reviewDisposition");
+      this.ensureWriteRateLimitAvailable();
+      const response = await this.service.reviewDisposition({
+        memoryId: body.memoryId,
+        status: body.status,
+        reasonCode: body.reasonCode,
+        namespace: this.resolveNamespace(req, body.namespace),
+        authenticatedPrincipal: this.resolveRequestPrincipal(req)
+      });
+      if (this.shouldCountWriteRateLimit(response)) {
+        this.recordWriteRateLimitHit();
+      }
+      this.respondJson(res, 200, response);
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/trust-zones/promote") {
+      const body = await this.readValidatedBody(req, "trustZonePromote");
+      const dryRun = body.dryRun === true;
+      if (!dryRun) {
+        this.ensureWriteRateLimitAvailable();
+      }
+      const response = await this.service.trustZonePromote({
+        recordId: body.recordId,
+        targetZone: body.targetZone,
+        promotionReason: body.promotionReason,
+        recordedAt: body.recordedAt,
+        summary: body.summary,
+        dryRun,
+        namespace: this.resolveNamespace(req, body.namespace),
+        authenticatedPrincipal: this.resolveRequestPrincipal(req)
+      });
+      if (this.shouldCountWriteRateLimit(response)) {
+        this.recordWriteRateLimitHit();
+      }
+      this.respondJson(res, response.dryRun ? 200 : 201, response);
+      return;
+    }
+    if (req.method === "POST" && pathname === "/engram/v1/trust-zones/demo-seed") {
+      const body = await this.readValidatedBody(req, "trustZoneDemoSeed");
+      const dryRun = body.dryRun === true;
+      if (!dryRun) {
+        this.ensureWriteRateLimitAvailable();
+      }
+      const response = await this.service.trustZoneDemoSeed({
+        scenario: body.scenario,
+        recordedAt: body.recordedAt,
+        dryRun,
+        namespace: this.resolveNamespace(req, body.namespace),
+        authenticatedPrincipal: this.resolveRequestPrincipal(req)
+      });
+      if (this.shouldCountWriteRateLimit(response)) {
+        this.recordWriteRateLimitHit();
+      }
+      this.respondJson(res, response.dryRun ? 200 : 201, response);
+      return;
+    }
+    this.respondJson(res, 404, { error: "not_found", code: "not_found" });
+  }
+  async handleMcpRequest(req, res) {
+    const body = await this.readJsonBody(req);
+    const request = body;
+    const isMcpWrite = request.method === "tools/call" && typeof request.params?.name === "string" && (request.params.name === "engram.memory_store" || request.params.name === "engram.suggestion_submit" || request.params.name === "engram.observe");
+    if (isMcpWrite) {
+      this.ensureWriteRateLimitAvailable();
+    }
+    const sessionId = (() => {
+      const raw = req.headers["mcp-session-id"];
+      return typeof raw === "string" ? raw.trim() : void 0;
+    })();
+    const mcpCorrelationId = correlationIdStore.getStore() ?? randomUUID();
+    const response = await this.mcpServer.handleRequest(request, {
+      principalOverride: this.resolveRequestPrincipal(req),
+      sessionId,
+      correlationId: mcpCorrelationId
+    });
+    if (isMcpWrite && response !== null) {
+      const result = response.result;
+      const isError = result?.isError === true;
+      const structured = result?.structuredContent;
+      if (!isError && structured && this.shouldCountWriteRateLimit(structured)) {
+        this.recordWriteRateLimitHit();
+      }
+    }
+    if (response === null) {
+      res.statusCode = 202;
+      res.end();
+      return;
+    }
+    const assignedSessionId = this.mcpServer.popInitSessionId(mcpCorrelationId);
+    if (assignedSessionId) {
+      res.setHeader("mcp-session-id", assignedSessionId);
+    }
+    this.respondJson(res, 200, response);
+  }
+  respondJson(res, status, payload) {
+    const body = JSON.stringify(payload, null, 2);
+    res.statusCode = status;
+    res.setHeader("content-type", "application/json; charset=utf-8");
+    res.setHeader("content-length", String(Buffer.byteLength(body)));
+    const cid = correlationIdStore.getStore();
+    if (cid) {
+      res.setHeader("x-request-id", cid);
+    }
+    res.end(body);
+  }
+  async handleAdminConsole(req, res, pathname) {
+    if (req.method !== "GET") return false;
+    if (pathname === "/engram/ui" || pathname === "/engram/ui/") {
+      await this.respondStatic(res, path.join(this.adminConsolePublicDir, "index.html"), "text/html; charset=utf-8");
+      return true;
+    }
+    if (pathname === "/engram/ui/app.js") {
+      await this.respondStatic(res, path.join(this.adminConsolePublicDir, "app.js"), "application/javascript; charset=utf-8");
+      return true;
+    }
+    return false;
+  }
+  async respondStatic(res, filePath, contentType) {
+    try {
+      const body = await readFile(filePath, "utf-8");
+      res.statusCode = 200;
+      res.setHeader("content-type", contentType);
+      res.setHeader("content-length", String(Buffer.byteLength(body)));
+      res.end(body);
+    } catch {
+      this.respondJson(res, 404, { error: "not_found" });
+    }
+  }
+  async readJsonBody(req) {
+    const chunks = [];
+    let total = 0;
+    for await (const chunk of req) {
+      const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+      total += buffer.length;
+      if (total > this.maxBodyBytes) {
+        throw new HttpError(413, "request_body_too_large", "request_body_too_large");
+      }
+      chunks.push(buffer);
+    }
+    if (chunks.length === 0) return {};
+    const raw = Buffer.concat(chunks).toString("utf-8").trim();
+    if (raw.length === 0) return {};
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      throw new HttpError(400, "invalid_json", "invalid_json");
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new HttpError(400, "invalid_json_object", "invalid_json_object");
+    }
+    return parsed;
+  }
+  async readValidatedBody(req, schemaName) {
+    const raw = await this.readJsonBody(req);
+    const result = validateRequest(schemaName, raw);
+    if (!result.success) {
+      throw new HttpError(400, result.error.error, "validation_error", result.error.details);
+    }
+    return result.data;
+  }
+  isAuthorized(req) {
+    if (!this.authToken && this.authTokens.length === 0 && !this.authTokensGetter) return false;
+    const raw = req.headers.authorization;
+    if (!raw) return false;
+    const separator = raw.indexOf(" ");
+    if (separator <= 0) return false;
+    const scheme = raw.slice(0, separator).toLowerCase();
+    if (scheme !== "bearer") return false;
+    const token = raw.slice(separator + 1).trim();
+    if (this.authToken && this.timingSafeStringEqual(token, this.authToken)) return true;
+    for (const valid of this.authTokens) {
+      if (this.timingSafeStringEqual(token, valid)) return true;
+    }
+    if (this.authTokensGetter) {
+      for (const valid of this.authTokensGetter()) {
+        if (this.timingSafeStringEqual(token, valid)) return true;
+      }
+    }
+    return false;
+  }
+  timingSafeStringEqual(a, b) {
+    const left = this.encodeSecret(a);
+    const right = this.encodeSecret(b);
+    if (!left || !right) return false;
+    return timingSafeEqual(left, right);
+  }
+  encodeSecret(value) {
+    const encoded = Buffer.from(value, "utf-8");
+    if (encoded.length > 1024) return null;
+    const out = Buffer.alloc(2 + 1024);
+    out.writeUInt16BE(encoded.length, 0);
+    encoded.copy(out, 2);
+    return out;
+  }
+  writeResponseStatus(response) {
+    if (response.dryRun === true) return 200;
+    if (response.status === "stored" || response.status === "queued_for_review") return 201;
+    return 200;
+  }
+  ensureWriteRateLimitAvailable() {
+    const now = Date.now();
+    while (this.writeRequestTimestamps.length > 0 && now - (this.writeRequestTimestamps[0] ?? 0) > WRITE_RATE_LIMIT_WINDOW_MS) {
+      this.writeRequestTimestamps.shift();
+    }
+    if (this.writeRequestTimestamps.length >= WRITE_RATE_LIMIT_MAX_REQUESTS) {
+      throw new HttpError(429, "write_rate_limited", "write_rate_limited");
+    }
+  }
+  recordWriteRateLimitHit() {
+    this.writeRequestTimestamps.push(Date.now());
+  }
+  shouldCountWriteRateLimit(response) {
+    return response.dryRun !== true && response.idempotencyReplay !== true;
+  }
+};
+
+export {
+  EngramAccessHttpServer
+};
+//# sourceMappingURL=chunk-ZJLY4QSU.js.map