@startsimpli/api 0.1.0

package/src/lib/fetch-wrapper.ts

@@ -0,0 +1,188 @@
+/**
+ * Type-safe fetch wrapper for Django REST API
+ */
+
+import type { FetchOptions, HttpMethod } from '../types';
+import { buildUrl, buildQueryString } from '../utils';
+import { ApiException, parseErrorResponse, handleFetchError } from './error-handler';
+
+export interface FetchWrapperConfig {
+  baseUrl: string;
+  getToken?: () => Promise<string | null> | string | null;
+  onUnauthorized?: () => void;
+  onTokenRefresh?: () => Promise<string | null>;
+  defaultHeaders?: HeadersInit;
+}
+
+export class FetchWrapper {
+  private config: FetchWrapperConfig;
+  private isRefreshing = false;
+  private refreshPromise: Promise<string | null> | null = null;
+
+  constructor(config: FetchWrapperConfig) {
+    this.config = config;
+  }
+
+  /**
+   * Build headers with auth token
+   */
+  private async buildHeaders(customHeaders?: HeadersInit): Promise<Headers> {
+    const headers = new Headers(this.config.defaultHeaders);
+
+    // Add custom headers
+    if (customHeaders) {
+      const customHeadersObj = new Headers(customHeaders);
+      customHeadersObj.forEach((value, key) => {
+        headers.set(key, value);
+      });
+    }
+
+    // Add auth token if available
+    if (this.config.getToken) {
+      const token = await this.config.getToken();
+      if (token) {
+        headers.set('Authorization', `Bearer ${token}`);
+      }
+    }
+
+    // Always set content-type for JSON
+    if (!headers.has('Content-Type')) {
+      headers.set('Content-Type', 'application/json');
+    }
+
+    return headers;
+  }
+
+  /**
+   * Execute fetch request
+   */
+  private async execute<T>(
+    method: HttpMethod,
+    endpoint: string,
+    options?: FetchOptions
+  ): Promise<T> {
+    try {
+      const { params, headers: customHeaders, ...fetchOptions } = options || {};
+
+      // Build URL
+      const url = buildUrl({
+        baseUrl: this.config.baseUrl,
+        endpoint,
+        params,
+      });
+
+      // Build headers
+      const headers = await this.buildHeaders(customHeaders);
+
+      // Execute request
+      let response = await fetch(url, {
+        method,
+        headers,
+        credentials: 'include',
+        ...fetchOptions,
+      });
+
+      // Handle 401 Unauthorized - attempt token refresh
+      if (response.status === 401 && this.config.onTokenRefresh) {
+        // Prevent multiple simultaneous refresh attempts
+        if (!this.isRefreshing) {
+          this.isRefreshing = true;
+          this.refreshPromise = this.config.onTokenRefresh().finally(() => {
+            this.isRefreshing = false;
+            this.refreshPromise = null;
+          });
+        }
+
+        const newToken = await this.refreshPromise;
+
+        if (newToken) {
+          // Retry original request with new token
+          const retryHeaders = new Headers(headers);
+          retryHeaders.set('Authorization', `Bearer ${newToken}`);
+
+          response = await fetch(url, {
+            method,
+            headers: retryHeaders,
+            credentials: 'include',
+            ...fetchOptions,
+          });
+        } else if (this.config.onUnauthorized) {
+          // Refresh failed - call unauthorized callback
+          this.config.onUnauthorized();
+        }
+      }
+
+      // Handle error responses
+      if (!response.ok) {
+        const error = await parseErrorResponse(response);
+        throw new ApiException(error.message || 'Request failed', error);
+      }
+
+      // Handle 204 No Content
+      if (response.status === 204) {
+        return undefined as T;
+      }
+
+      // Parse JSON response
+      return await response.json();
+    } catch (error) {
+      handleFetchError(error);
+    }
+  }
+
+  /**
+   * GET request
+   */
+  async get<T>(endpoint: string, options?: FetchOptions): Promise<T> {
+    return this.execute<T>('GET', endpoint, options);
+  }
+
+  /**
+   * POST request
+   */
+  async post<T, D = unknown>(
+    endpoint: string,
+    data?: D,
+    options?: FetchOptions
+  ): Promise<T> {
+    return this.execute<T>('POST', endpoint, {
+      ...options,
+      body: data ? JSON.stringify(data) : undefined,
+    });
+  }
+
+  /**
+   * PUT request
+   */
+  async put<T, D = unknown>(
+    endpoint: string,
+    data?: D,
+    options?: FetchOptions
+  ): Promise<T> {
+    return this.execute<T>('PUT', endpoint, {
+      ...options,
+      body: data ? JSON.stringify(data) : undefined,
+    });
+  }
+
+  /**
+   * PATCH request
+   */
+  async patch<T, D = unknown>(
+    endpoint: string,
+    data?: D,
+    options?: FetchOptions
+  ): Promise<T> {
+    return this.execute<T>('PATCH', endpoint, {
+      ...options,
+      body: data ? JSON.stringify(data) : undefined,
+    });
+  }
+
+  /**
+   * DELETE request
+   */
+  async delete<T>(endpoint: string, options?: FetchOptions): Promise<T> {
+    return this.execute<T>('DELETE', endpoint, options);
+  }
+}

package/src/lib/llm-sanitize.ts

@@ -0,0 +1,145 @@
+/**
+ * Input Sanitization for LLM Prompts
+ *
+ * Provides protection against prompt injection attacks by sanitizing
+ * user input before including it in LLM prompts.
+ */
+
+/**
+ * Maximum allowed length for user prompts (characters)
+ */
+export const MAX_PROMPT_LENGTH = 2000;
+
+/**
+ * Maximum allowed length for chat messages (characters)
+ */
+export const MAX_CHAT_MESSAGE_LENGTH = 1000;
+
+/**
+ * Patterns that could be used for prompt injection
+ */
+const INJECTION_PATTERNS = [
+  // System/role injection attempts
+  /\bSYSTEM\s*:/gi,
+  /\bASSISTANT\s*:/gi,
+  /\bUSER\s*:/gi,
+  /\bHUMAN\s*:/gi,
+  /\bAI\s*:/gi,
+  // Instruction override attempts
+  /\bignore\s+(previous|above|all)\s+instructions?\b/gi,
+  /\bdisregard\s+(previous|above|all)\s+instructions?\b/gi,
+  /\bforget\s+(previous|above|all)\s+instructions?\b/gi,
+  /\bnew\s+instructions?\s*:/gi,
+  /\boverride\s*:/gi,
+  // Role-playing attempts
+  /\byou\s+are\s+now\b/gi,
+  /\bact\s+as\s+(if|a|an|the)\b/gi,
+  /\bpretend\s+(to\s+be|you\s+are)\b/gi,
+  // JSON/schema manipulation
+  /\b(output|respond|return)\s+only\s*:/gi,
+  /\bformat\s*:\s*json\b/gi,
+];
+
+/**
+ * Markdown/formatting sequences that could interfere with prompt structure
+ */
+const FORMATTING_MARKERS = [
+  '```',           // Code blocks
+  '---',           // Horizontal rules (when at line start)
+  '***',           // Alternative horizontal rules
+  '##',            // Headers (when at line start)
+  '>>',            // Potential quote injection
+];
+
+/**
+ * Control characters to remove (except standard whitespace)
+ */
+const CONTROL_CHAR_REGEX = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+
+/**
+ * Sanitize user input for inclusion in LLM prompts
+ *
+ * @param input - Raw user input
+ * @param maxLength - Maximum allowed length (defaults to MAX_PROMPT_LENGTH)
+ * @returns Sanitized input safe for prompt inclusion
+ */
+export function sanitizeUserInput(
+  input: string,
+  maxLength: number = MAX_PROMPT_LENGTH
+): string {
+  if (!input || typeof input !== 'string') {
+    return '';
+  }
+
+  let sanitized = input;
+
+  // 1. Remove control characters (keep newlines, tabs, spaces)
+  sanitized = sanitized.replace(CONTROL_CHAR_REGEX, '');
+
+  // 2. Normalize whitespace (collapse multiple spaces/newlines)
+  sanitized = sanitized
+    .replace(/\r\n/g, '\n')           // Normalize line endings
+    .replace(/\r/g, '\n')
+    .replace(/\n{3,}/g, '\n\n')       // Max 2 consecutive newlines
+    .replace(/[ \t]{3,}/g, '  ')      // Max 2 consecutive spaces/tabs
+    .trim();
+
+  // 3. Strip or escape injection patterns
+  for (const pattern of INJECTION_PATTERNS) {
+    sanitized = sanitized.replace(pattern, (match) => {
+      // Replace with bracketed version to neutralize while preserving intent
+      return `[${match.replace(/:/g, '')}]`;
+    });
+  }
+
+  // 4. Escape formatting markers that could break prompt structure
+  for (const marker of FORMATTING_MARKERS) {
+    // Only escape when these appear at start of line or standalone
+    const escapeRegex = new RegExp(`(^|\\n)(${escapeRegexChars(marker)})`, 'g');
+    sanitized = sanitized.replace(escapeRegex, (_, prefix, match) => {
+      return `${prefix}[${match}]`;
+    });
+  }
+
+  // 5. Truncate to max length (at word boundary if possible)
+  if (sanitized.length > maxLength) {
+    sanitized = truncateAtWordBoundary(sanitized, maxLength);
+  }
+
+  return sanitized;
+}
+
+/**
+ * Sanitize chat message input (shorter limit, same rules)
+ */
+export function sanitizeChatMessage(input: string): string {
+  return sanitizeUserInput(input, MAX_CHAT_MESSAGE_LENGTH);
+}
+
+/**
+ * Truncate string at a word boundary
+ */
+function truncateAtWordBoundary(text: string, maxLength: number): string {
+  if (text.length <= maxLength) {
+    return text;
+  }
+
+  // Find the last space before maxLength
+  const truncated = text.slice(0, maxLength);
+  const lastSpace = truncated.lastIndexOf(' ');
+
+  // If we found a space in the last 20% of the string, truncate there
+  if (lastSpace > maxLength * 0.8) {
+    return truncated.slice(0, lastSpace).trim();
+  }
+
+  // Otherwise just hard truncate
+  return truncated.trim();
+}
+
+/**
+ * Escape special regex characters in a string
+ */
+function escapeRegexChars(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/src/lib/messages-api.ts

@@ -0,0 +1,273 @@
+/**
+ * Messages API wrapper
+ *
+ * Provides type-safe access to Django Messages API
+ */
+
+import type { ApiClient } from './api-client';
+
+export type MessageStatus = 'draft' | 'scheduled' | 'sending' | 'sent' | 'failed';
+export type MessageContentType = 'text/plain' | 'text/markdown' | 'text/html';
+export type RecipientStatus = 'pending' | 'sent' | 'delivered' | 'bounced' | 'opened' | 'clicked';
+
+export interface Message {
+  id: string;
+  team: string;
+  channel: string;
+  channelDetails?: {
+    key: string;
+    name: string;
+    description: string;
+    icon: string;
+  };
+  subject: string;
+  body: string;
+  contentType: MessageContentType;
+  fromName: string | null;
+  fromEmail: string | null;
+  replyTo: string | null;
+  status: MessageStatus;
+  scheduledAt: string | null;
+  sentAt: string | null;
+  metadata: Record<string, any>;
+  totalRecipients: number;
+  recipientsSent: number;
+  recipientsDelivered: number;
+  recipientsOpened: number;
+  recipientsClicked: number;
+  recipientsBounced: number;
+  recipientsUnsubscribed: number;
+  openRate: number;
+  clickRate: number;
+  bounceRate: number;
+  errorMessage: string | null;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface MessageRecipient {
+  id: string;
+  recipientType: string;
+  recipientId: string | null;
+  recipientEmail: string;
+  recipientName: string | null;
+  channelIdentifier: string | null;
+  channelProfiles: Record<string, any>;
+  status: RecipientStatus;
+  sentAt: string | null;
+  deliveredAt: string | null;
+  bouncedAt: string | null;
+  firstOpenedAt: string | null;
+  lastOpenedAt: string | null;
+  firstClickedAt: string | null;
+  lastClickedAt: string | null;
+  openCount: number;
+  clickCount: number;
+  isUnsubscribed: boolean;
+  unsubscribedAt: string | null;
+  errorMessage: string | null;
+  createdAt: string;
+}
+
+export interface MessagingChannel {
+  id: string;
+  key: string;
+  name: string;
+  description: string;
+  icon: string;
+  capabilities: {
+    maxContentLength: number;
+    supportsHtml: boolean;
+    supportsMarkdown: boolean;
+    supportsAttachments: boolean;
+    maxAttachments: number;
+    maxAttachmentSize: number;
+  };
+  requirements: {
+    requiresConnection: boolean;
+    requiresOptIn: boolean;
+    authRequirements: Record<string, any>;
+  };
+  rateLimit: {
+    messages: number;
+    seconds: number;
+    scope: string;
+    description: string;
+  };
+  metadata: Record<string, any>;
+}
+
+export interface MessageFilters {
+  status?: MessageStatus;
+  contentType?: MessageContentType;
+  scheduledAfter?: string;
+  scheduledBefore?: string;
+  sentAfter?: string;
+  sentBefore?: string;
+  search?: string;
+  page?: number;
+  pageSize?: number;
+  ordering?: string;
+}
+
+export interface CreateMessageInput {
+  channel: string;
+  subject: string;
+  body: string;
+  contentType?: MessageContentType;
+  fromName?: string;
+  fromEmail?: string;
+  replyTo?: string;
+  scheduledAt?: string;
+  metadata?: Record<string, any>;
+  recipients?: Array<{
+    recipientType: string;
+    recipientEmail: string;
+    recipientName?: string;
+    channelIdentifier?: string;
+  }>;
+}
+
+export interface ScheduleMessageInput {
+  scheduledAt: string;
+}
+
+export interface SendTestInput {
+  testEmail?: string;
+}
+
+export class MessagesApi {
+  constructor(private client: ApiClient) {}
+
+  /**
+   * List messages with optional filters
+   */
+  async list(filters?: MessageFilters) {
+    const params = new URLSearchParams();
+
+    if (filters?.status) params.append('status', filters.status);
+    if (filters?.contentType) params.append('contentType', filters.contentType);
+    if (filters?.scheduledAfter) params.append('scheduledAfter', filters.scheduledAfter);
+    if (filters?.scheduledBefore) params.append('scheduledBefore', filters.scheduledBefore);
+    if (filters?.sentAfter) params.append('sentAfter', filters.sentAfter);
+    if (filters?.sentBefore) params.append('sentBefore', filters.sentBefore);
+    if (filters?.search) params.append('search', filters.search);
+    if (filters?.page) params.append('page', String(filters.page));
+    if (filters?.pageSize) params.append('pageSize', String(filters.pageSize));
+    if (filters?.ordering) params.append('ordering', filters.ordering);
+
+    return this.client.get<{ results: Message[]; count: number; next: string | null; previous: string | null }>(
+      `/api/v1/messages/?${params.toString()}`
+    );
+  }
+
+  /**
+   * Get message by ID
+   */
+  async get(id: string) {
+    return this.client.get<Message>(`/api/v1/messages/${id}/`);
+  }
+
+  /**
+   * Create a new message
+   */
+  async create(data: CreateMessageInput) {
+    return this.client.post<Message>('/api/v1/messages/', data);
+  }
+
+  /**
+   * Update message (draft only)
+   */
+  async update(id: string, data: Partial<CreateMessageInput>) {
+    return this.client.patch<Message>(`/api/v1/messages/${id}/`, data);
+  }
+
+  /**
+   * Delete message (draft only)
+   */
+  async delete(id: string) {
+    return this.client.delete(`/api/v1/messages/${id}/`);
+  }
+
+  /**
+   * Schedule message for future sending
+   */
+  async schedule(id: string, input: ScheduleMessageInput) {
+    return this.client.post<{ id: string; status: MessageStatus; scheduledAt: string; message: string }>(
+      `/api/v1/messages/${id}/schedule/`,
+      input
+    );
+  }
+
+  /**
+   * Send message immediately
+   */
+  async sendNow(id: string) {
+    return this.client.post<{ id: string; status: MessageStatus; message: string }>(
+      `/api/v1/messages/${id}/send_now/`,
+      {}
+    );
+  }
+
+  /**
+   * Send test message
+   */
+  async sendTest(id: string, input?: SendTestInput) {
+    return this.client.post<{ id: string; testEmail: string; message: string }>(
+      `/api/v1/messages/${id}/send_test/`,
+      input || {}
+    );
+  }
+
+  /**
+   * Preview message rendering
+   */
+  async preview(id: string) {
+    return this.client.get<{
+      subject: string;
+      body: string;
+      previewHtml: string;
+      fromName: string;
+      fromEmail: string;
+    }>(`/api/v1/messages/${id}/preview/`);
+  }
+
+  /**
+   * List recipients for a message
+   */
+  async getRecipients(id: string, page?: number, pageSize?: number) {
+    const params = new URLSearchParams();
+    if (page) params.append('page', String(page));
+    if (pageSize) params.append('pageSize', String(pageSize));
+
+    return this.client.get<{ results: MessageRecipient[]; count: number }>(
+      `/api/v1/messages/${id}/recipients/?${params.toString()}`
+    );
+  }
+
+  /**
+   * Add recipients to a message
+   */
+  async addRecipients(
+    id: string,
+    recipients: Array<{
+      recipientType: string;
+      recipientEmail: string;
+      recipientName?: string;
+      channelIdentifier?: string;
+    }>
+  ) {
+    return this.client.post<{
+      message: string;
+      totalRecipients: number;
+      recipients: MessageRecipient[];
+    }>(`/api/v1/messages/${id}/add_recipients/`, { recipients });
+  }
+
+  /**
+   * Get available messaging channels
+   */
+  async getChannels() {
+    return this.client.get<{ channels: MessagingChannel[]; count: number }>('/api/v1/messages/channels/');
+  }
+}