@superblocksteam/vite-plugin-file-sync 2.0.119-next.0 → 2.0.119-next.1

package/dist/util/log-sanitizer.d.ts

@@ -1,19 +1,18 @@
 /**
  * Log Sanitizer for Vite Plugin
  *
- * Sanitizes secrets and PII from log messages while preserving debugging information.
+ * Sanitizes secrets from log messages while preserving debugging information.
  * This is a lightweight version for the vite-plugin, avoiding a dependency
  * on the telemetry package.
  *
- * DESIGN DECISION: Sanitize secrets (API keys, tokens, JWTs) and PII (emails).
- * The dev-server runs locally and should not log user email addresses even in
- * dev mode (AGENT-2560). Preserve file paths and stack traces for troubleshooting.
+ * DESIGN DECISION: Only sanitize actual secrets (API keys, tokens, JWTs).
+ * Preserve debugging info (emails, file paths, stack traces) for troubleshooting.
  *
  * @see engineering/projects/o11y-refactor/managed-cloud-telemetry.md#logging-strategy
  */
 /**
- * Sanitizes secrets and PII from a log message string.
- * Preserves debugging info (file paths, stack traces, etc.) for troubleshooting.
+ * Sanitizes secrets from a log message string.
+ * Preserves debugging info (emails, file paths, etc.) for troubleshooting.
  */
 export declare function sanitizeLogMessage(message: string): string;
 /**

package/dist/util/log-sanitizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"log-sanitizer.d.ts","sourceRoot":"","sources":["../../src/util/log-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAoEH;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAgB1D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOtD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,SAAI,GAAG,CAAC,CAsCzD;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAM9D;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GACtB,MAAM,CAyDR"}
+{"version":3,"file":"log-sanitizer.d.ts","sourceRoot":"","sources":["../../src/util/log-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAuDH;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAa1D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOtD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,SAAI,GAAG,CAAC,CAsCzD;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAM9D;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GACtB,MAAM,CAyDR"}

package/dist/util/log-sanitizer.js

@@ -1,13 +1,12 @@
 /**
  * Log Sanitizer for Vite Plugin
  *
- * Sanitizes secrets and PII from log messages while preserving debugging information.
+ * Sanitizes secrets from log messages while preserving debugging information.
  * This is a lightweight version for the vite-plugin, avoiding a dependency
  * on the telemetry package.
  *
- * DESIGN DECISION: Sanitize secrets (API keys, tokens, JWTs) and PII (emails).
- * The dev-server runs locally and should not log user email addresses even in
- * dev mode (AGENT-2560). Preserve file paths and stack traces for troubleshooting.
+ * DESIGN DECISION: Only sanitize actual secrets (API keys, tokens, JWTs).
+ * Preserve debugging info (emails, file paths, stack traces) for troubleshooting.
  *
  * @see engineering/projects/o11y-refactor/managed-cloud-telemetry.md#logging-strategy
  */
@@ -36,17 +35,6 @@ const SECRET_PATTERNS = [
         replacement: "[API_KEY_REDACTED]",
     },
 ];
-// ============================================================================
-// PII Patterns - Should not appear in dev-server logs
-// ============================================================================
-const PII_PATTERNS = [
-    // Match email addresses; requires an alphabetic TLD to avoid false positives on @mentions
-    // and npm/pnpm version strings (e.g. package@1.2.3)
-    {
-        pattern: /[\w.+-]+@(?:[\w-]+\.)+[a-zA-Z]{2,}/g,
-        replacement: "[EMAIL REDACTED]",
-    },
-];
 /**
  * Fields that contain secrets and should be stripped from log objects.
  * Only includes actual secret field names - NOT debugging info like stack traces.
@@ -71,18 +59,15 @@ const SECRET_FIELDS = new Set([
 // Public API
 // ============================================================================
 /**
- * Sanitizes secrets and PII from a log message string.
- * Preserves debugging info (file paths, stack traces, etc.) for troubleshooting.
+ * Sanitizes secrets from a log message string.
+ * Preserves debugging info (emails, file paths, etc.) for troubleshooting.
  */
 export function sanitizeLogMessage(message) {
     if (!message || typeof message !== "string") {
         return message;
     }
     let sanitized = message;
-    for (const { pattern, replacement } of [
-        ...SECRET_PATTERNS,
-        ...PII_PATTERNS,
-    ]) {
+    for (const { pattern, replacement } of SECRET_PATTERNS) {
         pattern.lastIndex = 0;
         sanitized = sanitized.replace(pattern, replacement);
     }

package/dist/util/log-sanitizer.js.map

@@ -1 +1 @@
-{"version":3,"file":"log-sanitizer.js","sourceRoot":"","sources":["../../src/util/log-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,+EAA+E;AAC/E,sDAAsD;AACtD,+EAA+E;AAE/E,MAAM,eAAe,GAAoD;IACvE,oBAAoB;IACpB;QACE,OAAO,EAAE,sCAAsC;QAC/C,WAAW,EAAE,cAAc;KAC5B;IACD;QACE,OAAO,EACL,oEAAoE;QACtE,WAAW,EAAE,gBAAgB;KAC9B;IACD,WAAW;IACX;QACE,OAAO,EAAE,gDAAgD;QACzD,WAAW,EAAE,cAAc;KAC5B;IACD,wBAAwB;IACxB,EAAE,OAAO,EAAE,yBAAyB,EAAE,WAAW,EAAE,oBAAoB,EAAE;IACzE;QACE,OAAO,EAAE,+BAA+B;QACxC,WAAW,EAAE,oBAAoB;KAClC;CACF,CAAC;AAEF,+EAA+E;AAC/E,sDAAsD;AACtD,+EAA+E;AAE/E,MAAM,YAAY,GAAoD;IACpE,0FAA0F;IAC1F,oDAAoD;IACpD;QACE,OAAO,EAAE,qCAAqC;QAC9C,WAAW,EAAE,kBAAkB;KAChC;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,eAAe;IACf,UAAU;IACV,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,KAAK;IACL,cAAc;IACd,eAAe;IACf,aAAa;IACb,aAAa;IACb,YAAY;IACZ,eAAe;IACf,QAAQ;IACR,WAAW;CACZ,CAAC,CAAC;AAEH,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI,SAAS,GAAG,OAAO,CAAC;IAExB,KAAK,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI;QACrC,GAAG,eAAe;QAClB,GAAG,YAAY;KAChB,EAAE,CAAC;QACF,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qEAAqE;IACrE,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAI,GAAM,EAAE,KAAK,GAAG,CAAC;IACpD,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;QACf,OAAO,qBAAqC,CAAC;IAC/C,CAAC;IAED,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtC,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,kBAAkB,CAAC,GAAG,CAAiB,CAAC;IACjD,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACtB,iBAAiB,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CACnB,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAA4B,EAAE,CAAC;IAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAA8B,CAAC,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAEnC,+BAA+B;QAC/B,IAAI,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,SAAS;QACX,CAAC;QAED,wCAAwC;QACxC,SAAS,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,KAAK,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,SAAc,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAC/B,GAAY,EACZ,KAAuB;IAEvB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,OAAO,EAAE,CAAC;IAE3B,OAAO,IAAI,CAAC,SAAS,CACnB,GAAG,EACH,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACb,sBAAsB;QACtB,IAAI,GAAG,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAChD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBACpB,OAAO,sBAAsB,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAEhB,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBAC3B,OAAO;oBACL,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,OAAO,EAAE,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC;oBAC1C,0CAA0C;oBAC1C,KAAK,EAAE,kBAAkB,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;iBAC7C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE,CAAC;YAChC,OAAO,cAAc,KAAK,CAAC,IAAI,IAAI,WAAW,GAAG,CAAC;QACpD,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,YAAY,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC;QACzC,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,YAAY,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC;QACzC,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC,EACD,KAAK,CACN,CAAC;AACJ,CAAC"}
+{"version":3,"file":"log-sanitizer.js","sourceRoot":"","sources":["../../src/util/log-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,+EAA+E;AAC/E,sDAAsD;AACtD,+EAA+E;AAE/E,MAAM,eAAe,GAAoD;IACvE,oBAAoB;IACpB;QACE,OAAO,EAAE,sCAAsC;QAC/C,WAAW,EAAE,cAAc;KAC5B;IACD;QACE,OAAO,EACL,oEAAoE;QACtE,WAAW,EAAE,gBAAgB;KAC9B;IACD,WAAW;IACX;QACE,OAAO,EAAE,gDAAgD;QACzD,WAAW,EAAE,cAAc;KAC5B;IACD,wBAAwB;IACxB,EAAE,OAAO,EAAE,yBAAyB,EAAE,WAAW,EAAE,oBAAoB,EAAE;IACzE;QACE,OAAO,EAAE,+BAA+B;QACxC,WAAW,EAAE,oBAAoB;KAClC;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,eAAe;IACf,UAAU;IACV,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,KAAK;IACL,cAAc;IACd,eAAe;IACf,aAAa;IACb,aAAa;IACb,YAAY;IACZ,eAAe;IACf,QAAQ;IACR,WAAW;CACZ,CAAC,CAAC;AAEH,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,IAAI,SAAS,GAAG,OAAO,CAAC;IAExB,KAAK,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,eAAe,EAAE,CAAC;QACvD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qEAAqE;IACrE,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAI,GAAM,EAAE,KAAK,GAAG,CAAC;IACpD,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;QACf,OAAO,qBAAqC,CAAC;IAC/C,CAAC;IAED,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtC,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,kBAAkB,CAAC,GAAG,CAAiB,CAAC;IACjD,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACtB,iBAAiB,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CACnB,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAA4B,EAAE,CAAC;IAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAA8B,CAAC,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAEnC,+BAA+B;QAC/B,IAAI,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,SAAS;QACX,CAAC;QAED,wCAAwC;QACxC,SAAS,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,KAAK,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,SAAc,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAC/B,GAAY,EACZ,KAAuB;IAEvB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,OAAO,EAAE,CAAC;IAE3B,OAAO,IAAI,CAAC,SAAS,CACnB,GAAG,EACH,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACb,sBAAsB;QACtB,IAAI,GAAG,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAChD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBACpB,OAAO,sBAAsB,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAEhB,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBAC3B,OAAO;oBACL,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,OAAO,EAAE,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC;oBAC1C,0CAA0C;oBAC1C,KAAK,EAAE,kBAAkB,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;iBAC7C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE,CAAC;YAChC,OAAO,cAAc,KAAK,CAAC,IAAI,IAAI,WAAW,GAAG,CAAC;QACpD,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,YAAY,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC;QACzC,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,YAAY,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC;QACzC,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC,EACD,KAAK,CACN,CAAC;AACJ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@superblocksteam/vite-plugin-file-sync",
-  "version": "2.0.119-next.0",
+  "version": "2.0.119-next.1",
   "keywords": [
     "vite-plugin"
   ],
@@ -103,18 +103,17 @@
     "yaml": "^2.7.1",
     "yauzl": "^3.2.0",
     "zod": "3.25.76",
-    "@superblocksteam/ai-service-templates": "2.0.119-next.0",
-    "@superblocksteam/clark": "2.0.119-next.0",
-    "@superblocksteam/library-shared": "2.0.119-next.0",
-    "@superblocksteam/sdk-api": "2.0.119-next.0",
-    "@superblocksteam/shared": "0.9589.1",
-    "@superblocksteam/util": "2.0.119-next.0"
+    "@superblocksteam/ai-service-templates": "2.0.119-next.1",
+    "@superblocksteam/clark": "2.0.119-next.1",
+    "@superblocksteam/library-shared": "2.0.119-next.1",
+    "@superblocksteam/sdk-api": "2.0.119-next.1",
+    "@superblocksteam/shared": "0.9586.9",
+    "@superblocksteam/util": "2.0.119-next.1"
   },
   "devDependencies": {
     "@ai-sdk/amazon-bedrock": "^4.0.96",
     "@ai-sdk/google-vertex": "^4.0.112",
     "@ai-sdk/test-server": "^1.0.3",
-    "@aws-sdk/credential-providers": "^3.848.0",
     "@dotenvx/dotenvx": "^1.59.1",
     "@eslint/js": "^9.39.2",
     "@types/archiver": "^6.0.2",
@@ -149,7 +148,7 @@
     "react-dom": "^18.3.1",
     "tsx": "^4.19.3",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.59.2",
+    "typescript-eslint": "^8.54.0",
     "vitest": "^4.0.17"
   },
   "engines": {

package/dist/ai-service/agent/prompts/build-security-scan-prompt.d.ts

@@ -1,17 +0,0 @@
-/**
- * Three-layer prompt architecture for the Security Agent.
- *
- * Layer 1: System Skeleton — agent identity, behavioral rules, output contract, safety.
- * Layer 2: App Context — dynamic, per-app metadata to prevent false positives.
- * Layer 3: Admin Policy Prompt — what to look for (from template or IT admin).
- */
-export interface SecurityAgentAppContext {
-    integrations: Array<{
-        name: string;
-        pluginType: string;
-    }>;
-}
-export declare function buildSecurityAgentSkeleton(): string;
-export declare function buildSecurityAgentAppContext(context: SecurityAgentAppContext): string;
-export declare function composeSecurityAgentPrompt(appContext: SecurityAgentAppContext, adminPrompt?: string): string;
-//# sourceMappingURL=build-security-scan-prompt.d.ts.map

package/dist/ai-service/agent/prompts/build-security-scan-prompt.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"build-security-scan-prompt.d.ts","sourceRoot":"","sources":["../../../../src/ai-service/agent/prompts/build-security-scan-prompt.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,uBAAuB;IACtC,YAAY,EAAE,KAAK,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CAAC;CACJ;AAOD,wBAAgB,0BAA0B,IAAI,MAAM,CAoDnD;AAED,wBAAgB,4BAA4B,CAC1C,OAAO,EAAE,uBAAuB,GAC/B,MAAM,CAwJR;AAED,wBAAgB,0BAA0B,CACxC,UAAU,EAAE,uBAAuB,EACnC,WAAW,CAAC,EAAE,MAAM,GACnB,MAAM,CAYR"}

package/dist/ai-service/agent/prompts/build-security-scan-prompt.js

@@ -1,219 +0,0 @@
-/**
- * Three-layer prompt architecture for the Security Agent.
- *
- * Layer 1: System Skeleton — agent identity, behavioral rules, output contract, safety.
- * Layer 2: App Context — dynamic, per-app metadata to prevent false positives.
- * Layer 3: Admin Policy Prompt — what to look for (from template or IT admin).
- */
-// Templates are stored in the review_policy_agent_template DB table and loaded
-// at scan time. The fallback below is only used when no prompt is provided.
-const DEFAULT_ADMIN_PROMPT = "Perform a comprehensive security review of this application. Report any security concern you find.";
-export function buildSecurityAgentSkeleton() {
-    const today = new Date().toISOString().split("T")[0];
-    return `## Role
-
-You are a policy enforcement agent for a Superblocks application. Your sole purpose is to
-analyze the application's source files against the provided policy and produce a
-structured findings report. You are NOT a builder — you must never modify files.
-
-Today is ${today}.
-
-## Scanning Procedure
-
-1. **List files** — Use the file listing tools to enumerate all application files.
-2. **Triage** — Prioritize security-relevant files: server-side code, API definitions, auth logic, config files, and files that handle user input. Skip auto-generated files, pure CSS/styling, and large JSON data fixtures.
-3. **Read priority files** — Read the prioritized files. For large applications (100+ files), use grep to search for suspicious patterns (secrets, eval, dangerouslySetInnerHTML, etc.) across ALL files first, then read specific files flagged by grep.
-4. **Analyze integrations** — Inspect integration configurations for leaked credentials or insecure settings.
-5. **Deep dive** — Read additional files as needed based on grep results and cross-references.
-6. **Report findings** — Call the \`reportReviewRun\` tool with your structured findings. Do NOT output JSON as text — always use the tool.
-
-## Output Contract
-
-You MUST call the \`reportReviewRun\` tool exactly once as your final action. The tool enforces the required schema. Example input:
-
-{
-  "findings": [
-    {
-      "id": "finding-1",
-      "category": "secret",
-      "severity": "critical",
-      "title": "Hardcoded API key in config",
-      "description": "An API key is hardcoded in the configuration file.",
-      "location": { "file": "config.ts", "line": 42 },
-      "evidence": "const API_KEY = '***'",
-      "suggestedFix": "Move the API key to an environment variable or integration secret.",
-      "confidence": "high"
-    }
-  ],
-  "summary": { "critical": 1, "high": 0, "medium": 0, "low": 0, "info": 0, "total": 1 },
-  "scannedFiles": 12,
-  "scanComplete": true
-}
-
-## Critical Rules
-
-- **ALWAYS call \`reportReviewRun\`** to submit your results. Never output findings as raw text or JSON.
-- **NEVER include raw secret values** in your output. Redact them with \`***\` (e.g., \`"const API_KEY = '***'"\`).
-- **NEVER modify files.** You are a read-only reviewer. Do not call any write, edit, or delete tools.
-- **NEVER hallucinate findings.** Only report issues backed by evidence you found in the source code. If a file is clean, do not invent problems.
-- **Respect developer comments explaining security decisions.** If a comment explains why a particular pattern is used (e.g., a platform limitation, a deliberate trade-off), acknowledge it in your finding, adjust severity accordingly, and do NOT suggest a fix the comment already says does not work.
-- **Severity must match actual exploitability.** "critical" means an attacker can exploit it with no mitigations. If the code has mitigations (input validation, escaping, platform-level access control), lower the severity. Manual SQL escaping with a documented platform limitation is NOT "critical" — it is "medium" or "low".
-- If no issues are found, call \`reportReviewRun\` with an empty findings array, all summary counts at zero, and \`scanComplete: true\`.`;
-}
-export function buildSecurityAgentAppContext(context) {
-    const sections = [
-        `## Superblocks Application Context
-
-This is a Superblocks application. Superblocks is a low-code platform where applications
-are built with React components on the client side and server-side API steps that run in
-a sandboxed environment. Understanding the platform's architecture is critical to avoid
-false positives.
-
-**Authentication and authorization are handled by the platform.** Users must be authenticated
-to access any Superblocks application, and each application has its own access control list.
-Only users who have been granted access to an application can view it or call its APIs.
-Do NOT flag APIs for "missing authentication" or "missing authorization" simply because
-the API code does not contain explicit auth checks — the platform enforces these before
-any application code runs. Only flag authorization issues when an API accepts a sensitive
-identifier (like a user ID or role) from client input and uses it for access decisions
-instead of reading the authenticated user from the server-side context (\`Global.user\`
-or \`ctx.user\`).`,
-    ];
-    sections.push(`### Execution Model
-
-- **Client code** runs in the browser (React components, pages, custom components).
-- **Server code** runs in a sandboxed environment (API steps, backend logic). Console output
-  from server steps is internal and not exposed to end users.
-- **Bindings** use \`{{ }}\` syntax (e.g., \`{{ Input1.value }}\`). These are NOT eval-style
-  injection — they are evaluated in a controlled sandbox.
-- Each API step runs in isolation. Variables do not leak between steps unless explicitly passed.`);
-    sections.push(`### Integration Model
-
-Superblocks manages database and API connections through **integrations**. Integrations are
-configured via the platform's UI and referenced in code by their UUID. Important:
-
-- **Integration UUIDs are NOT hardcoded secrets.** They are internal references to managed
-  connections. Do NOT flag them as hardcoded credentials.
-- Credentials for integrations (passwords, API keys, connection strings) are stored securely
-  by the platform and injected at runtime — they never appear in application source code.
-- If you see a UUID like \`228d92c5-d4e3-44d2-824c-7fd0674351d3\` used as an integration
-  reference, this is expected platform behavior.`);
-    if (context.integrations.length > 0) {
-        const integrationList = context.integrations
-            .map((i) => `- **${i.name}** (${i.pluginType})`)
-            .join("\n");
-        sections.push(`### Integrations In Use
-
-This application has the following integrations configured:
-
-${integrationList}
-
-These are managed connections. Their presence in code as references is expected.`);
-    }
-    sections.push(`### Server-Side API Model
-
-Server-side logic is defined as **API steps** — TypeScript (or YAML) functions that run
-in a sandboxed Node.js environment on the server. Key points:
-
-- Client code calls APIs via hooks from \`@superblocksteam/library\`:
-  - \`useApiData("GetUsers", { email })\` — declarative, auto-fetches on mount and when inputs change.
-  - \`useApi("CreateOrder")\` — imperative, call \`run()\` manually for event-driven actions.
-  - \`executeApi("MyApi", { param })\` — plain Promise outside React (utility functions, event handlers).
-  These are standard, platform-sanctioned patterns — not security concerns.
-- Each API step runs in isolation. Variables do not leak between steps unless explicitly
-  passed via \`return\` / \`output\`.
-- Console output from API steps is internal (visible to the developer in the editor) and
-  NOT exposed to end users in deployed apps.
-- API steps can reference integrations by UUID to execute queries against databases or
-  external services. The platform injects credentials at runtime.
-
-#### SQL Parameterization
-
-Superblocks SQL blocks support **parameterized queries** using \`parameters: "[var1, var2]"\`
-with database-specific placeholders (e.g., \`$1\` for PostgreSQL, \`?\` for MySQL/Snowflake,
-\`@PARAM_1\` for MSSQL). When reviewing SQL code:
-
-- **Parameterized queries are safe.** If a query uses placeholders and a \`parameters\` array,
-  it is NOT vulnerable to SQL injection — do not flag it.
-- **Binding functions for dynamic SQL elements** (table names, column names) are acceptable
-  platform patterns: \`statement: ({ tableName }) => \\\`SELECT * FROM \\\${tableName}\\\`\`.
-  These run in the sandbox and cannot be manipulated by end users unless the input originates
-  from unvalidated user input.
-- **Flag as injection risk** only when raw user input is interpolated directly into SQL
-  without parameterization or validation.
-
-#### Permissions (Global Object)
-
-Server-side API steps have access to a \`Global\` object injected by the platform:
-
-\`\`\`typescript
-Global.user   // { email, username, id, name, groups }
-Global.groups // Group[] — organization groups
-\`\`\`
-
-The standard authorization pattern is \`Global.groups.some(g => g.name === "Admin")\`.
-This is the correct way to implement RBAC in Superblocks APIs — it is NOT a security
-concern. However, DO flag authorization checks that rely solely on frontend data
-(e.g., a user role passed as an API input from the client) instead of \`Global\`.`);
-    sections.push(`### Platform Hooks (Safe Patterns)
-
-Superblocks provides built-in React hooks that are part of the platform. Their usage is
-expected and should NOT be flagged as security concerns:
-
-- \`useSuperblocksUser()\` — returns current user info (name, email, id, groups). This is
-  the standard way to access the authenticated user. It is NOT PII leakage.
-- \`useSuperblocksGroups()\` — returns organization groups. Standard RBAC pattern.
-- \`useSuperblocksDataTags()\` / \`setDataTag()\` — switches between data environments
-  (e.g., staging vs production data). This is a platform feature, not a config leak.
-- \`getAppMode()\` — returns "EDIT", "PREVIEW", or "PUBLISHED". Safe runtime context.
-- \`useEmbedProperties()\` — reads properties from a parent iframe embedder. This is
-  the standard Superblocks embed SDK pattern, not a postMessage injection risk.
-- \`useEmbedEvent()\` / \`useEmitEmbedEvent()\` — bidirectional event communication with
-  the embedding page. Part of the official embed SDK.
-- \`logoutIntegrations()\` — clears OAuth tokens for integrations. Standard logout pattern.`);
-    sections.push(`### Environments & Data Tags
-
-Superblocks apps run in three environments: **Edit** (developer), **Preview** (testing),
-and **Production** (deployed). Each environment can have different **data tags** (also
-called "profiles") that control which data sources, credentials, and configurations are
-active.
-
-- Superblocks does NOT use traditional feature flags or environment variables. Instead,
-  apps use \`getAppMode()\` to branch behavior by environment, and \`useSuperblocksDataTags()\`
-  to switch between data contexts (e.g., staging vs production databases).
-- When suggesting fixes that require environment-specific behavior (e.g., "enable this
-  only in development"), recommend using \`getAppMode()\` or data tags — not feature flags
-  or environment variables, which are not available in the Superblocks runtime.`);
-    sections.push(`### Framework & Runtime
-
-- UI is built with **React** and **Tailwind CSS v4** with shadcn/Radix UI components.
-- Routing uses **react-router v7** in data mode.
-- Custom components are sandboxed — they can use React hooks and local state but cannot
-  call APIs directly (data must be passed via props).
-- The design system uses semantic tokens defined in \`index.css\`.`);
-    sections.push(`### Additional Platform Documentation
-
-For deeper understanding of Superblocks patterns, you can read the platform skill files
-using \`build_readFile\`:
-
-- \`skills/system/superblocks-frontend/SKILL.md\` — frontend patterns, hooks, component model.
-- \`skills/system/superblocks-api/SKILL.md\` — API block types, SQL patterns, control flow.
-- \`skills/system/superblocks-api/references/sql-databases.md\` — database-specific parameterization syntax.
-
-Read these if you encounter code patterns you do not recognize and need to determine
-whether they are safe platform conventions or genuine security concerns.`);
-    return sections.join("\n\n");
-}
-export function composeSecurityAgentPrompt(appContext, adminPrompt) {
-    const skeleton = buildSecurityAgentSkeleton();
-    const context = buildSecurityAgentAppContext(appContext);
-    const policy = adminPrompt ?? DEFAULT_ADMIN_PROMPT;
-    return `${skeleton}
-
-${context}
-
-## Policy: What to Review
-
-${policy}`;
-}
-//# sourceMappingURL=build-security-scan-prompt.js.map

package/dist/ai-service/agent/prompts/build-security-scan-prompt.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"build-security-scan-prompt.js","sourceRoot":"","sources":["../../../../src/ai-service/agent/prompts/build-security-scan-prompt.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,+EAA+E;AAC/E,4EAA4E;AAC5E,MAAM,oBAAoB,GACxB,oGAAoG,CAAC;AAEvG,MAAM,UAAU,0BAA0B;IACxC,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAErD,OAAO;;;;;;WAME,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yIA0CyH,CAAC;AAC1I,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,OAAgC;IAEhC,MAAM,QAAQ,GAAa;QACzB;;;;;;;;;;;;;;;kBAec;KACf,CAAC;IAEF,QAAQ,CAAC,IAAI,CAAC;;;;;;;iGAOiF,CAAC,CAAC;IAEjG,QAAQ,CAAC,IAAI,CAAC;;;;;;;;;;iDAUiC,CAAC,CAAC;IAEjD,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,eAAe,GAAG,OAAO,CAAC,YAAY;aACzC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC;aAC/C,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,QAAQ,CAAC,IAAI,CAAC;;;;EAIhB,eAAe;;iFAEgE,CAAC,CAAC;IACjF,CAAC;IAED,QAAQ,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kFA4CkE,CAAC,CAAC;IAElF,QAAQ,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;4FAe4E,CAAC,CAAC;IAE5F,QAAQ,CAAC,IAAI,CAAC;;;;;;;;;;;;gFAYgE,CAAC,CAAC;IAEhF,QAAQ,CAAC,IAAI,CAAC;;;;;;mEAMmD,CAAC,CAAC;IAEnE,QAAQ,CAAC,IAAI,CAAC;;;;;;;;;;yEAUyD,CAAC,CAAC;IAEzE,OAAO,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,UAAmC,EACnC,WAAoB;IAEpB,MAAM,QAAQ,GAAG,0BAA0B,EAAE,CAAC;IAC9C,MAAM,OAAO,GAAG,4BAA4B,CAAC,UAAU,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,WAAW,IAAI,oBAAoB,CAAC;IAEnD,OAAO,GAAG,QAAQ;;EAElB,OAAO;;;;EAIP,MAAM,EAAE,CAAC;AACX,CAAC"}

package/dist/ai-service/agent/tools/apis/api-comparator.d.ts

@@ -1,36 +0,0 @@
-import type { ApiExecutionResult } from "./api-executor.js";
-export interface ApiComparisonDiffEntry {
-    path: string;
-    kind: "missing_key" | "extra_key" | "type_mismatch" | "null_mismatch" | "cardinality_mismatch" | "value_mismatch";
-    expectedType?: string;
-    actualType?: string;
-    expectedLength?: number;
-    actualLength?: number;
-    expectedHash?: string;
-    actualHash?: string;
-    /**
-     * Human-readable failure message when one side errored. Only set by the
-     * one-sided-failure divergence path in runMigrationVerification (where the
-     * underlying side has a systemError or errors[] available); never set by
-     * the structural diff in compareApiResults (whose entries describe value
-     * shape differences, not execution failures).
-     */
-    failureMessage?: string;
-}
-export interface ApiComparisonDiffValueEntry {
-    path: string;
-    expected: unknown;
-    actual: unknown;
-    reason: string;
-}
-export interface ApiComparisonDiff {
-    empty: boolean;
-    valuesForUi: ApiComparisonDiffValueEntry[];
-    summaryForAgent: ApiComparisonDiffEntry[];
-}
-/**
- * Compare the outputs of a v2 YAML execution against a v3 TS execution.
- * Pure function: no I/O, no side effects.
- */
-export declare function compareApiResults(v2: Pick<ApiExecutionResult, "success" | "outputs">, v3: Pick<ApiExecutionResult, "success" | "outputs">): ApiComparisonDiff;
-//# sourceMappingURL=api-comparator.d.ts.map

package/dist/ai-service/agent/tools/apis/api-comparator.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"api-comparator.d.ts","sourceRoot":"","sources":["../../../../../src/ai-service/agent/tools/apis/api-comparator.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAE5D,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EACA,aAAa,GACb,WAAW,GACX,eAAe,GACf,eAAe,GACf,sBAAsB,GACtB,gBAAgB,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,2BAA2B;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,WAAW,EAAE,2BAA2B,EAAE,CAAC;IAC3C,eAAe,EAAE,sBAAsB,EAAE,CAAC;CAC3C;AA+YD;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,EAAE,EAAE,IAAI,CAAC,kBAAkB,EAAE,SAAS,GAAG,SAAS,CAAC,EACnD,EAAE,EAAE,IAAI,CAAC,kBAAkB,EAAE,SAAS,GAAG,SAAS,CAAC,GAClD,iBAAiB,CAwBnB"}