npm - @remnic/core - Versions diffs - 9.3.531 → 9.3.533 - Mend

@remnic/core 9.3.531 → 9.3.533

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/dist/access-cli.js +4 -4
package/dist/access-http.d.ts +1 -1
package/dist/access-mcp.d.ts +1 -1
package/dist/access-service.d.ts +1 -1
package/dist/bootstrap.d.ts +1 -1
package/dist/{chunk-CWWMTTQE.js → chunk-6GUG4YNM.js} +44 -1
package/dist/{chunk-CWWMTTQE.js.map → chunk-6GUG4YNM.js.map} +1 -1
package/dist/{chunk-KAUXI453.js → chunk-KLZDGMDI.js} +2 -2
package/dist/{chunk-KCLX6LOV.js → chunk-SRAF4TIS.js} +4 -4
package/dist/{chunk-BECQDWBA.js → chunk-TQNRI55H.js} +35 -2
package/dist/chunk-TQNRI55H.js.map +1 -0
package/dist/{chunk-QMYXNM4P.js → chunk-VU3SVYMA.js} +3 -3
package/dist/{cli-CPe_2KB1.d.ts → cli-9pwA_PXm.d.ts} +1 -1
package/dist/cli.d.ts +3 -3
package/dist/cli.js +3 -3
package/dist/{connectors-cli-DbTPNj2H.d.ts → connectors-cli-2iaQ5tX2.d.ts} +1 -1
package/dist/connectors-cli.d.ts +2 -2
package/dist/explicit-capture.d.ts +1 -1
package/dist/{framework-CyHYDcri.d.ts → framework-CNDn2164.d.ts} +24 -7
package/dist/index.d.ts +4 -4
package/dist/index.js +9 -5
package/dist/index.js.map +1 -1
package/dist/live-connectors-runner.d.ts +1 -1
package/dist/live-connectors-runner.js +3 -3
package/dist/mcp-memory-inspector-app.d.ts +1 -1
package/dist/orchestrator.d.ts +1 -1
package/dist/orchestrator.js +4 -4
package/dist/{state-store-4QZISH3J.js → state-store-Z3EN56O5.js} +2 -2
package/package.json +1 -1
package/src/connectors/live/framework.ts +71 -6
package/src/connectors/live/github.ts +10 -0
package/src/connectors/live/gmail.ts +10 -0
package/src/connectors/live/google-drive.ts +12 -4
package/src/connectors/live/index.ts +2 -0
package/src/connectors/live/live-connectors.test.ts +141 -0
package/src/connectors/live/notion.ts +8 -0
package/src/index.ts +2 -0
package/dist/chunk-BECQDWBA.js.map +0 -1
/package/dist/{chunk-KAUXI453.js.map → chunk-KLZDGMDI.js.map} +0 -0
/package/dist/{chunk-KCLX6LOV.js.map → chunk-SRAF4TIS.js.map} +0 -0
/package/dist/{chunk-QMYXNM4P.js.map → chunk-VU3SVYMA.js.map} +0 -0
/package/dist/{state-store-4QZISH3J.js.map → state-store-Z3EN56O5.js.map} +0 -0

package/dist/live-connectors-runner.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { L as LiveConnector, C as ConnectorConfig, a as ConnectorDocument } from './framework-CyHYDcri.js';
+import { L as LiveConnector, C as ConnectorConfig, a as ConnectorDocument } from './framework-CNDn2164.js';
 import { LiveConnectorsConfig } from './types.js';
 import './types-BliCnURB.js';
 import './index-DJ9QWMw-.js';

package/dist/live-connectors-runner.js CHANGED Viewed

@@ -2,9 +2,9 @@ import {
   builtInLiveConnectorDefinitions,
   hasEnabledLiveConnector,
   runLiveConnectorsOnce
-} from "./chunk-QMYXNM4P.js";
-import "./chunk-BECQDWBA.js";
-import "./chunk-CWWMTTQE.js";
+} from "./chunk-VU3SVYMA.js";
+import "./chunk-TQNRI55H.js";
+import "./chunk-6GUG4YNM.js";
 import "./chunk-OKTXM5H4.js";
 import "./chunk-EYIEWJNI.js";
 import "./chunk-JUC24CTX.js";

package/dist/mcp-memory-inspector-app.d.ts CHANGED Viewed

@@ -31,7 +31,7 @@ import './local-llm.js';
 import './fallback-llm.js';
 import './resolve-provider-secret.js';
 import './live-connectors-runner.js';
-import './framework-CyHYDcri.js';
+import './framework-CNDn2164.js';
 import './relevance.js';
 import './negative.js';
 import './session-observer-state.js';

package/dist/orchestrator.d.ts CHANGED Viewed

@@ -34,7 +34,7 @@ import './runtime/better-sqlite.js';
 import 'better-sqlite3';
 import './session-integrity.js';
 import './resolve-provider-secret.js';
-import './framework-CyHYDcri.js';
+import './framework-CNDn2164.js';
 import './memory-provenance.js';
 import './user-model.js';
 import './lcm/archive.js';

package/dist/orchestrator.js CHANGED Viewed

@@ -26,7 +26,7 @@ import {
   sanitizeSessionKeyForFilename,
   shouldFilterLifecycleRecallCandidate,
   summarizeGraphShadowComparison
-} from "./chunk-KAUXI453.js";
+} from "./chunk-KLZDGMDI.js";
 import "./chunk-Y2SXZ5KZ.js";
 import "./chunk-BFBF3XEF.js";
 import "./chunk-S53PKKWK.js";
@@ -69,7 +69,7 @@ import "./chunk-ZZTOURJI.js";
 import "./chunk-XKXKSQU7.js";
 import "./chunk-3GPTTA4J.js";
 import "./chunk-IISBCCWR.js";
-import "./chunk-QMYXNM4P.js";
+import "./chunk-VU3SVYMA.js";
 import "./chunk-H63EDPFJ.js";
 import "./chunk-PD6O7AXF.js";
 import "./chunk-YAZNBMNF.js";
@@ -127,8 +127,8 @@ import "./chunk-HENLZHIT.js";
 import "./chunk-7DTASS5T.js";
 import "./chunk-KFY3SGN7.js";
 import "./chunk-PCI747N2.js";
-import "./chunk-BECQDWBA.js";
-import "./chunk-CWWMTTQE.js";
+import "./chunk-TQNRI55H.js";
+import "./chunk-6GUG4YNM.js";
 import "./chunk-JXS5PDQ7.js";
 import "./chunk-SKGV326D.js";
 import "./chunk-BEUDU7Y4.js";

package/dist/{state-store-4QZISH3J.js → state-store-Z3EN56O5.js} RENAMED Viewed

@@ -10,7 +10,7 @@ import {
   readConnectorState,
   withConnectorStateLock,
   writeConnectorState
-} from "./chunk-CWWMTTQE.js";
+} from "./chunk-6GUG4YNM.js";
 import "./chunk-EYIEWJNI.js";
 import "./chunk-JUC24CTX.js";
 import "./chunk-PZ5AY32C.js";
@@ -27,4 +27,4 @@ export {
   withConnectorStateLock,
   writeConnectorState
 };
-//# sourceMappingURL=state-store-4QZISH3J.js.map
+//# sourceMappingURL=state-store-Z3EN56O5.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@remnic/core",
-  "version": "9.3.531",
+  "version": "9.3.533",
   "description": "Framework-agnostic Remnic memory engine — orchestrator, storage, extraction, search, trust zones",
   "type": "module",
   "main": "dist/index.js",

package/src/connectors/live/framework.ts CHANGED Viewed

@@ -20,15 +20,61 @@
 /**
  * Free-form connector configuration. Validated by each connector's
- * `validateConfig` implementation. Stored alongside the cursor in the state
- * store. MUST be JSON-serializable: no functions, no class instances, no
+ * `validateConfig` implementation and passed to `syncIncremental` for runtime
+ * use. MUST be JSON-serializable: no functions, no class instances, no
  * circular references.
  *
- * Connectors MUST NOT persist secrets here — credentials belong in OS keychain
- * / OAuth token storage (PR 2 design).
+ * Runtime configs may contain hydrated credentials. Do not persist a runtime
+ * config directly. Any code that needs to store connector settings must call
+ * `persistableConnectorConfig()` so credentials are stripped or replaced by
+ * connector-owned references.
  */
 export type ConnectorConfig = Record<string, unknown>;
+const DEFAULT_SECRET_KEY_PARTS = [
+  "token",
+  "secret",
+  "password",
+  "credential",
+  "apikey",
+  "accesskey",
+  "privatekey",
+  "authorization",
+  "authheader",
+  "cookie",
+] as const;
+/**
+ * Redact secret-looking keys from a JSON-serializable connector config.
+ * Built-in connectors provide explicit projections, but this default keeps
+ * third-party connectors from accidentally persisting obvious credentials.
+ */
+export function redactConnectorConfigSecrets(config: ConnectorConfig): ConnectorConfig {
+  return redactConnectorConfigValue(config) as ConnectorConfig;
+}
+function redactConnectorConfigValue(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map((item) => redactConnectorConfigValue(item));
+  }
+  if (typeof value !== "object" || value === null) {
+    return value;
+  }
+  const out: Record<string, unknown> = {};
+  for (const [key, nested] of Object.entries(value as Record<string, unknown>)) {
+    if (isConnectorSecretConfigKey(key)) {
+      continue;
+    }
+    out[key] = redactConnectorConfigValue(nested);
+  }
+  return out;
+}
+function isConnectorSecretConfigKey(key: string): boolean {
+  const normalized = key.replace(/[^a-z0-9]/giu, "").toLowerCase();
+  return DEFAULT_SECRET_KEY_PARTS.some((part) => normalized.includes(part));
+}
 /**
  * Opaque cursor describing "where the last sync left off". Each connector
  * defines what `kind` and `value` mean (e.g. Drive: `{kind: "pageToken",
@@ -135,11 +181,20 @@ export interface LiveConnector {
   /**
    * Validate raw user-supplied config. MUST throw on malformed input — never
-   * silently default. The returned object is what gets persisted and passed
-   * back to `syncIncremental`. Connectors SHOULD strip unknown fields.
+   * silently default. The returned object is the runtime config passed back to
+   * `syncIncremental`; it may contain hydrated credentials and MUST NOT be
+   * persisted directly. Connectors SHOULD strip unknown fields.
    */
   validateConfig(raw: unknown): ConnectorConfig;
+  /**
+   * Return the subset of validated config that may be written to disk. Use this
+   * for state/config persistence instead of `validateConfig()`. Connectors that
+   * need credentials should omit the raw values here and store only non-secret
+   * scope/schedule fields plus any connector-owned secret references.
+   */
+  persistConfig?(validated: ConnectorConfig): ConnectorConfig;
   /**
    * Run one incremental sync pass. See `SyncIncrementalArgs` /
    * `SyncIncrementalResult` for the contract.
@@ -147,6 +202,16 @@ export interface LiveConnector {
   syncIncremental(args: SyncIncrementalArgs): Promise<SyncIncrementalResult>;
 }
+export function persistableConnectorConfig(
+  connector: Pick<LiveConnector, "persistConfig">,
+  validated: ConnectorConfig,
+): ConnectorConfig {
+  if (typeof connector.persistConfig === "function") {
+    return connector.persistConfig(validated);
+  }
+  return redactConnectorConfigSecrets(validated);
+}
 /**
  * Regex enforcing the connector-id naming rule. Exported so connectors and
  * tests can validate ids consistently with the registry.

package/src/connectors/live/github.ts CHANGED Viewed

@@ -514,6 +514,16 @@ export function createGitHubConnector(
       return validateGitHubConfig(raw) as unknown as ConnectorConfig;
     },
+    persistConfig(validated: ConnectorConfig): ConnectorConfig {
+      const config = validateGitHubConfig(validated);
+      return Object.freeze({
+        userLogin: config.userLogin,
+        repos: config.repos,
+        pollIntervalMs: config.pollIntervalMs,
+        includeDiscussions: config.includeDiscussions,
+      });
+    },
     async syncIncremental(args: SyncIncrementalArgs): Promise<SyncIncrementalResult> {
       const config = validateGitHubConfig(args.config);
       throwIfAborted(args.abortSignal);

package/src/connectors/live/gmail.ts CHANGED Viewed

@@ -848,6 +848,16 @@ export function createGmailConnector(
       return validateGmailConfig(raw) as unknown as ConnectorConfig;
     },
+    persistConfig(validated: ConnectorConfig): ConnectorConfig {
+      const config = validateGmailConfig(validated);
+      return Object.freeze({
+        clientId: config.clientId,
+        userId: config.userId,
+        query: config.query,
+        pollIntervalMs: config.pollIntervalMs,
+      });
+    },
     async syncIncremental(args: SyncIncrementalArgs): Promise<SyncIncrementalResult> {
       const config = validateGmailConfig(args.config);
       throwIfAborted(args.abortSignal);

package/src/connectors/live/google-drive.ts CHANGED Viewed

@@ -397,14 +397,22 @@ export function createGoogleDriveConnector(
     validateConfig(raw: unknown): ConnectorConfig {
       // Cast to ConnectorConfig (Record<string, unknown>) per framework
-      // contract. The frozen object survives JSON round-trips through the
-      // state store.
+      // contract. Persist only `persistConfig()` output; this runtime object
+      // carries hydrated credentials.
       return validateGoogleDriveConfig(raw) as unknown as ConnectorConfig;
     },
+    persistConfig(validated: ConnectorConfig): ConnectorConfig {
+      const config = validateGoogleDriveConfig(validated);
+      return Object.freeze({
+        clientId: config.clientId,
+        pollIntervalMs: config.pollIntervalMs,
+        folderIds: config.folderIds,
+      });
+    },
     async syncIncremental(args: SyncIncrementalArgs): Promise<SyncIncrementalResult> {
-      // Re-validate on every pass: the framework persists raw config, and
-      // a JS caller could mutate it between passes.
+      // Re-validate on every pass: a JS caller could mutate it between passes.
       const config = validateGoogleDriveConfig(args.config);
       throwIfAborted(args.abortSignal);

package/src/connectors/live/index.ts CHANGED Viewed

@@ -13,6 +13,8 @@
 export {
   CONNECTOR_ID_PATTERN,
   isValidConnectorId,
+  persistableConnectorConfig,
+  redactConnectorConfigSecrets,
   type ConnectorConfig,
   type ConnectorCursor,
   type ConnectorDocument,

package/src/connectors/live/live-connectors.test.ts CHANGED Viewed

@@ -6,6 +6,10 @@ import test from "node:test";
 import {
   CONNECTOR_ID_PATTERN,
+  createGitHubConnector,
+  createGmailConnector,
+  createGoogleDriveConnector,
+  createNotionConnector,
   type ConnectorConfig,
   type ConnectorCursor,
   type ConnectorDocument,
@@ -13,6 +17,8 @@ import {
   type LiveConnector,
   LiveConnectorRegistry,
   LiveConnectorRegistryError,
+  persistableConnectorConfig,
+  redactConnectorConfigSecrets,
   type SyncIncrementalArgs,
   type SyncIncrementalResult,
   isValidConnectorId,
@@ -21,6 +27,10 @@ import {
   withConnectorStateLock,
   writeConnectorState,
 } from "./index.js";
+import {
+  persistableConnectorConfig as persistableConnectorConfigFromRoot,
+  redactConnectorConfigSecrets as redactConnectorConfigSecretsFromRoot,
+} from "../../index.js";
 import {
   _connectorStatePathForTest,
   _refreshConnectorLockForTest,
@@ -122,6 +132,137 @@ test("CONNECTOR_ID_PATTERN matches isValidConnectorId", () => {
   assert.ok(!CONNECTOR_ID_PATTERN.test("Drive"));
 });
+test("redactConnectorConfigSecrets removes nested secret-shaped keys", () => {
+  assert.deepEqual(
+    redactConnectorConfigSecrets({
+      endpoint: "https://example.invalid",
+      authorization: "Bearer synthetic-token",
+      authHeader: "Basic synthetic-credentials",
+      authorName: "kept",
+      nested: {
+        accessToken: "synthetic-token",
+        cookieHeader: "sid=synthetic-session",
+        publicLabel: "kept",
+      },
+      list: [
+        { clientSecret: "synthetic-secret", sessionCookie: "synthetic-cookie", label: "kept" },
+      ],
+    }),
+    {
+      endpoint: "https://example.invalid",
+      authorName: "kept",
+      nested: {
+        publicLabel: "kept",
+      },
+      list: [{ label: "kept" }],
+    }
+  );
+});
+test("persisted-config helpers are exported from the package root", () => {
+  assert.equal(persistableConnectorConfigFromRoot, persistableConnectorConfig);
+  assert.equal(redactConnectorConfigSecretsFromRoot, redactConnectorConfigSecrets);
+});
+test("built-in live connectors expose persistable config without credential material", () => {
+  const cases: Array<{
+    connector: LiveConnector;
+    raw: ConnectorConfig;
+    secretKeys: readonly string[];
+    secretValues: readonly string[];
+    expected: ConnectorConfig;
+  }> = [
+    {
+      connector: createGitHubConnector(),
+      raw: {
+        token: "synthetic-github-token",
+        userLogin: "octocat",
+        repos: ["owner/repo"],
+        pollIntervalMs: 300_000,
+        includeDiscussions: true,
+      },
+      secretKeys: ["token"],
+      secretValues: ["synthetic-github-token"],
+      expected: {
+        userLogin: "octocat",
+        repos: ["owner/repo"],
+        pollIntervalMs: 300_000,
+        includeDiscussions: true,
+      },
+    },
+    {
+      connector: createGmailConnector(),
+      raw: {
+        clientId: "synthetic-gmail-client-id",
+        clientSecret: "synthetic-gmail-client-secret",
+        refreshToken: "synthetic-gmail-refresh-token",
+        userId: "me",
+        query: "in:inbox",
+        pollIntervalMs: 300_000,
+      },
+      secretKeys: ["clientSecret", "refreshToken"],
+      secretValues: ["synthetic-gmail-client-secret", "synthetic-gmail-refresh-token"],
+      expected: {
+        clientId: "synthetic-gmail-client-id",
+        userId: "me",
+        query: "in:inbox",
+        pollIntervalMs: 300_000,
+      },
+    },
+    {
+      connector: createGoogleDriveConnector(),
+      raw: {
+        clientId: "synthetic-drive-client-id",
+        clientSecret: "synthetic-drive-client-secret",
+        refreshToken: "synthetic-drive-refresh-token",
+        folderIds: ["folder_12345678"],
+        pollIntervalMs: 300_000,
+      },
+      secretKeys: ["clientSecret", "refreshToken"],
+      secretValues: ["synthetic-drive-client-secret", "synthetic-drive-refresh-token"],
+      expected: {
+        clientId: "synthetic-drive-client-id",
+        folderIds: ["folder_12345678"],
+        pollIntervalMs: 300_000,
+      },
+    },
+    {
+      connector: createNotionConnector(),
+      raw: {
+        token: "secret_synthetic-notion-token",
+        databaseIds: ["0123456789abcdef0123456789abcdef"],
+        pollIntervalMs: 300_000,
+      },
+      secretKeys: ["token"],
+      secretValues: ["secret_synthetic-notion-token"],
+      expected: {
+        databaseIds: ["0123456789abcdef0123456789abcdef"],
+        pollIntervalMs: 300_000,
+      },
+    },
+  ];
+  for (const testCase of cases) {
+    const runtimeConfig = testCase.connector.validateConfig(testCase.raw);
+    for (const key of testCase.secretKeys) {
+      assert.ok(key in runtimeConfig, `${testCase.connector.id} runtime config should keep ${key}`);
+    }
+    const persisted = persistableConnectorConfig(testCase.connector, runtimeConfig);
+    assert.deepEqual(persisted, testCase.expected);
+    const persistedJson = JSON.stringify(persisted);
+    for (const key of testCase.secretKeys) {
+      assert.ok(!(key in persisted), `${testCase.connector.id} persisted config should omit ${key}`);
+    }
+    for (const value of testCase.secretValues) {
+      assert.ok(
+        !persistedJson.includes(value),
+        `${testCase.connector.id} persisted config leaked ${value}`,
+      );
+    }
+  }
+});
 // ───────────────────────────────────────────────────────────────────────────
 // Registry
 // ───────────────────────────────────────────────────────────────────────────

package/src/connectors/live/notion.ts CHANGED Viewed

@@ -643,6 +643,14 @@ export function createNotionConnector(
       return validateNotionConfig(raw) as unknown as ConnectorConfig;
     },
+    persistConfig(validated: ConnectorConfig): ConnectorConfig {
+      const config = validateNotionConfig(validated);
+      return Object.freeze({
+        databaseIds: config.databaseIds,
+        pollIntervalMs: config.pollIntervalMs,
+      });
+    },
     async syncIncremental(args: SyncIncrementalArgs): Promise<SyncIncrementalResult> {
       const config = validateNotionConfig(args.config);
       throwIfAborted(args.abortSignal);

package/src/index.ts CHANGED Viewed

@@ -794,6 +794,8 @@ export { coerceInstallExtension } from "./connectors/coerce.js";
 export {
   CONNECTOR_ID_PATTERN,
   isValidConnectorId,
+  persistableConnectorConfig,
+  redactConnectorConfigSecrets,
   LiveConnectorRegistry,
   LiveConnectorRegistryError,
   listConnectorStates,