npm - @synth-deploy/server - Versions diffs - 0.1.0 - Mend

@synth-deploy/server 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

package/dist/agent/debrief-retention.d.ts +12 -0
package/dist/agent/debrief-retention.d.ts.map +1 -0
package/dist/agent/debrief-retention.js +27 -0
package/dist/agent/debrief-retention.js.map +1 -0
package/dist/agent/envoy-client.d.ts +216 -0
package/dist/agent/envoy-client.d.ts.map +1 -0
package/dist/agent/envoy-client.js +266 -0
package/dist/agent/envoy-client.js.map +1 -0
package/dist/agent/envoy-registry.d.ts +102 -0
package/dist/agent/envoy-registry.d.ts.map +1 -0
package/dist/agent/envoy-registry.js +319 -0
package/dist/agent/envoy-registry.js.map +1 -0
package/dist/agent/health-checker.d.ts +39 -0
package/dist/agent/health-checker.d.ts.map +1 -0
package/dist/agent/health-checker.js +49 -0
package/dist/agent/health-checker.js.map +1 -0
package/dist/agent/mcp-client-manager.d.ts +36 -0
package/dist/agent/mcp-client-manager.d.ts.map +1 -0
package/dist/agent/mcp-client-manager.js +106 -0
package/dist/agent/mcp-client-manager.js.map +1 -0
package/dist/agent/stale-deployment-detector.d.ts +15 -0
package/dist/agent/stale-deployment-detector.d.ts.map +1 -0
package/dist/agent/stale-deployment-detector.js +50 -0
package/dist/agent/stale-deployment-detector.js.map +1 -0
package/dist/agent/step-runner.d.ts +31 -0
package/dist/agent/step-runner.d.ts.map +1 -0
package/dist/agent/step-runner.js +80 -0
package/dist/agent/step-runner.js.map +1 -0
package/dist/agent/synth-agent.d.ts +168 -0
package/dist/agent/synth-agent.d.ts.map +1 -0
package/dist/agent/synth-agent.js +1195 -0
package/dist/agent/synth-agent.js.map +1 -0
package/dist/api/agent.d.ts +36 -0
package/dist/api/agent.d.ts.map +1 -0
package/dist/api/agent.js +867 -0
package/dist/api/agent.js.map +1 -0
package/dist/api/api-keys.d.ts +4 -0
package/dist/api/api-keys.d.ts.map +1 -0
package/dist/api/api-keys.js +118 -0
package/dist/api/api-keys.js.map +1 -0
package/dist/api/artifacts.d.ts +5 -0
package/dist/api/artifacts.d.ts.map +1 -0
package/dist/api/artifacts.js +142 -0
package/dist/api/artifacts.js.map +1 -0
package/dist/api/auth.d.ts +4 -0
package/dist/api/auth.d.ts.map +1 -0
package/dist/api/auth.js +280 -0
package/dist/api/auth.js.map +1 -0
package/dist/api/deployments.d.ts +11 -0
package/dist/api/deployments.d.ts.map +1 -0
package/dist/api/deployments.js +1098 -0
package/dist/api/deployments.js.map +1 -0
package/dist/api/environments.d.ts +5 -0
package/dist/api/environments.d.ts.map +1 -0
package/dist/api/environments.js +69 -0
package/dist/api/environments.js.map +1 -0
package/dist/api/envoy-reports.d.ts +17 -0
package/dist/api/envoy-reports.d.ts.map +1 -0
package/dist/api/envoy-reports.js +138 -0
package/dist/api/envoy-reports.js.map +1 -0
package/dist/api/envoys.d.ts +5 -0
package/dist/api/envoys.d.ts.map +1 -0
package/dist/api/envoys.js +192 -0
package/dist/api/envoys.js.map +1 -0
package/dist/api/fleet.d.ts +11 -0
package/dist/api/fleet.d.ts.map +1 -0
package/dist/api/fleet.js +394 -0
package/dist/api/fleet.js.map +1 -0
package/dist/api/graph.d.ts +8 -0
package/dist/api/graph.d.ts.map +1 -0
package/dist/api/graph.js +355 -0
package/dist/api/graph.js.map +1 -0
package/dist/api/health.d.ts +20 -0
package/dist/api/health.d.ts.map +1 -0
package/dist/api/health.js +248 -0
package/dist/api/health.js.map +1 -0
package/dist/api/idp-schemas.d.ts +41 -0
package/dist/api/idp-schemas.d.ts.map +1 -0
package/dist/api/idp-schemas.js +17 -0
package/dist/api/idp-schemas.js.map +1 -0
package/dist/api/idp.d.ts +6 -0
package/dist/api/idp.d.ts.map +1 -0
package/dist/api/idp.js +620 -0
package/dist/api/idp.js.map +1 -0
package/dist/api/intake.d.ts +10 -0
package/dist/api/intake.d.ts.map +1 -0
package/dist/api/intake.js +418 -0
package/dist/api/intake.js.map +1 -0
package/dist/api/partitions.d.ts +5 -0
package/dist/api/partitions.d.ts.map +1 -0
package/dist/api/partitions.js +113 -0
package/dist/api/partitions.js.map +1 -0
package/dist/api/progress-event-store.d.ts +62 -0
package/dist/api/progress-event-store.d.ts.map +1 -0
package/dist/api/progress-event-store.js +118 -0
package/dist/api/progress-event-store.js.map +1 -0
package/dist/api/schemas.d.ts +1000 -0
package/dist/api/schemas.d.ts.map +1 -0
package/dist/api/schemas.js +328 -0
package/dist/api/schemas.js.map +1 -0
package/dist/api/security-boundaries.d.ts +4 -0
package/dist/api/security-boundaries.d.ts.map +1 -0
package/dist/api/security-boundaries.js +32 -0
package/dist/api/security-boundaries.js.map +1 -0
package/dist/api/settings.d.ts +4 -0
package/dist/api/settings.d.ts.map +1 -0
package/dist/api/settings.js +99 -0
package/dist/api/settings.js.map +1 -0
package/dist/api/system.d.ts +75 -0
package/dist/api/system.d.ts.map +1 -0
package/dist/api/system.js +558 -0
package/dist/api/system.js.map +1 -0
package/dist/api/telemetry.d.ts +4 -0
package/dist/api/telemetry.d.ts.map +1 -0
package/dist/api/telemetry.js +24 -0
package/dist/api/telemetry.js.map +1 -0
package/dist/api/users.d.ts +4 -0
package/dist/api/users.d.ts.map +1 -0
package/dist/api/users.js +173 -0
package/dist/api/users.js.map +1 -0
package/dist/archive-unpacker.d.ts +24 -0
package/dist/archive-unpacker.d.ts.map +1 -0
package/dist/archive-unpacker.js +239 -0
package/dist/archive-unpacker.js.map +1 -0
package/dist/artifact-analyzer.d.ts +59 -0
package/dist/artifact-analyzer.d.ts.map +1 -0
package/dist/artifact-analyzer.js +334 -0
package/dist/artifact-analyzer.js.map +1 -0
package/dist/auth/idp/index.d.ts +9 -0
package/dist/auth/idp/index.d.ts.map +1 -0
package/dist/auth/idp/index.js +5 -0
package/dist/auth/idp/index.js.map +1 -0
package/dist/auth/idp/ldap.d.ts +56 -0
package/dist/auth/idp/ldap.d.ts.map +1 -0
package/dist/auth/idp/ldap.js +276 -0
package/dist/auth/idp/ldap.js.map +1 -0
package/dist/auth/idp/oidc.d.ts +27 -0
package/dist/auth/idp/oidc.d.ts.map +1 -0
package/dist/auth/idp/oidc.js +97 -0
package/dist/auth/idp/oidc.js.map +1 -0
package/dist/auth/idp/role-mapping.d.ts +9 -0
package/dist/auth/idp/role-mapping.d.ts.map +1 -0
package/dist/auth/idp/role-mapping.js +16 -0
package/dist/auth/idp/role-mapping.js.map +1 -0
package/dist/auth/idp/saml.d.ts +40 -0
package/dist/auth/idp/saml.d.ts.map +1 -0
package/dist/auth/idp/saml.js +117 -0
package/dist/auth/idp/saml.js.map +1 -0
package/dist/auth/idp/types.d.ts +23 -0
package/dist/auth/idp/types.d.ts.map +1 -0
package/dist/auth/idp/types.js +2 -0
package/dist/auth/idp/types.js.map +1 -0
package/dist/fleet/fleet-executor.d.ts +35 -0
package/dist/fleet/fleet-executor.d.ts.map +1 -0
package/dist/fleet/fleet-executor.js +228 -0
package/dist/fleet/fleet-executor.js.map +1 -0
package/dist/fleet/fleet-store.d.ts +13 -0
package/dist/fleet/fleet-store.d.ts.map +1 -0
package/dist/fleet/fleet-store.js +13 -0
package/dist/fleet/fleet-store.js.map +1 -0
package/dist/fleet/index.d.ts +5 -0
package/dist/fleet/index.d.ts.map +1 -0
package/dist/fleet/index.js +4 -0
package/dist/fleet/index.js.map +1 -0
package/dist/fleet/representative-selector.d.ts +15 -0
package/dist/fleet/representative-selector.d.ts.map +1 -0
package/dist/fleet/representative-selector.js +71 -0
package/dist/fleet/representative-selector.js.map +1 -0
package/dist/graph/graph-executor.d.ts +36 -0
package/dist/graph/graph-executor.d.ts.map +1 -0
package/dist/graph/graph-executor.js +348 -0
package/dist/graph/graph-executor.js.map +1 -0
package/dist/graph/graph-inference.d.ts +22 -0
package/dist/graph/graph-inference.d.ts.map +1 -0
package/dist/graph/graph-inference.js +149 -0
package/dist/graph/graph-inference.js.map +1 -0
package/dist/graph/graph-store.d.ts +12 -0
package/dist/graph/graph-store.d.ts.map +1 -0
package/dist/graph/graph-store.js +61 -0
package/dist/graph/graph-store.js.map +1 -0
package/dist/graph/index.d.ts +5 -0
package/dist/graph/index.d.ts.map +1 -0
package/dist/graph/index.js +4 -0
package/dist/graph/index.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +837 -0
package/dist/index.js.map +1 -0
package/dist/intake/index.d.ts +6 -0
package/dist/intake/index.d.ts.map +1 -0
package/dist/intake/index.js +5 -0
package/dist/intake/index.js.map +1 -0
package/dist/intake/intake-processor.d.ts +17 -0
package/dist/intake/intake-processor.d.ts.map +1 -0
package/dist/intake/intake-processor.js +99 -0
package/dist/intake/intake-processor.js.map +1 -0
package/dist/intake/intake-store.d.ts +7 -0
package/dist/intake/intake-store.d.ts.map +1 -0
package/dist/intake/intake-store.js +7 -0
package/dist/intake/intake-store.js.map +1 -0
package/dist/intake/registry-poller.d.ts +41 -0
package/dist/intake/registry-poller.d.ts.map +1 -0
package/dist/intake/registry-poller.js +202 -0
package/dist/intake/registry-poller.js.map +1 -0
package/dist/intake/webhook-handlers.d.ts +37 -0
package/dist/intake/webhook-handlers.d.ts.map +1 -0
package/dist/intake/webhook-handlers.js +268 -0
package/dist/intake/webhook-handlers.js.map +1 -0
package/dist/logger.d.ts +5 -0
package/dist/logger.d.ts.map +1 -0
package/dist/logger.js +15 -0
package/dist/logger.js.map +1 -0
package/dist/mcp/resources.d.ts +9 -0
package/dist/mcp/resources.d.ts.map +1 -0
package/dist/mcp/resources.js +72 -0
package/dist/mcp/resources.js.map +1 -0
package/dist/mcp/server.d.ts +15 -0
package/dist/mcp/server.d.ts.map +1 -0
package/dist/mcp/server.js +20 -0
package/dist/mcp/server.js.map +1 -0
package/dist/mcp/tools.d.ts +9 -0
package/dist/mcp/tools.d.ts.map +1 -0
package/dist/mcp/tools.js +88 -0
package/dist/mcp/tools.js.map +1 -0
package/dist/middleware/auth.d.ts +29 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +76 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/permissions.d.ts +13 -0
package/dist/middleware/permissions.d.ts.map +1 -0
package/dist/middleware/permissions.js +32 -0
package/dist/middleware/permissions.js.map +1 -0
package/dist/pattern-store.d.ts +104 -0
package/dist/pattern-store.d.ts.map +1 -0
package/dist/pattern-store.js +299 -0
package/dist/pattern-store.js.map +1 -0
package/package.json +54 -0
package/src/agent/debrief-retention.ts +44 -0
package/src/agent/envoy-client.ts +474 -0
package/src/agent/envoy-registry.ts +384 -0
package/src/agent/health-checker.ts +70 -0
package/src/agent/mcp-client-manager.ts +131 -0
package/src/agent/stale-deployment-detector.ts +79 -0
package/src/agent/step-runner.ts +124 -0
package/src/agent/synth-agent.ts +1567 -0
package/src/api/agent.ts +1075 -0
package/src/api/api-keys.ts +129 -0
package/src/api/artifacts.ts +194 -0
package/src/api/auth.ts +320 -0
package/src/api/deployments.ts +1347 -0
package/src/api/environments.ts +97 -0
package/src/api/envoy-reports.ts +159 -0
package/src/api/envoys.ts +237 -0
package/src/api/fleet.ts +510 -0
package/src/api/graph.ts +516 -0
package/src/api/health.ts +311 -0
package/src/api/idp-schemas.ts +19 -0
package/src/api/idp.ts +735 -0
package/src/api/intake.ts +537 -0
package/src/api/partitions.ts +147 -0
package/src/api/progress-event-store.ts +153 -0
package/src/api/schemas.ts +376 -0
package/src/api/security-boundaries.ts +54 -0
package/src/api/settings.ts +118 -0
package/src/api/system.ts +704 -0
package/src/api/telemetry.ts +32 -0
package/src/api/users.ts +210 -0
package/src/archive-unpacker.ts +271 -0
package/src/artifact-analyzer.ts +438 -0
package/src/auth/idp/index.ts +8 -0
package/src/auth/idp/ldap.ts +340 -0
package/src/auth/idp/oidc.ts +117 -0
package/src/auth/idp/role-mapping.ts +22 -0
package/src/auth/idp/saml.ts +148 -0
package/src/auth/idp/types.ts +22 -0
package/src/fleet/fleet-executor.ts +309 -0
package/src/fleet/fleet-store.ts +13 -0
package/src/fleet/index.ts +4 -0
package/src/fleet/representative-selector.ts +83 -0
package/src/graph/graph-executor.ts +446 -0
package/src/graph/graph-inference.ts +184 -0
package/src/graph/graph-store.ts +75 -0
package/src/graph/index.ts +4 -0
package/src/index.ts +916 -0
package/src/intake/index.ts +5 -0
package/src/intake/intake-processor.ts +111 -0
package/src/intake/intake-store.ts +7 -0
package/src/intake/registry-poller.ts +230 -0
package/src/intake/webhook-handlers.ts +328 -0
package/src/logger.ts +19 -0
package/src/mcp/resources.ts +98 -0
package/src/mcp/server.ts +34 -0
package/src/mcp/tools.ts +117 -0
package/src/middleware/auth.ts +103 -0
package/src/middleware/permissions.ts +35 -0
package/src/pattern-store.ts +409 -0
package/tests/agent-mode.test.ts +536 -0
package/tests/api-handlers.test.ts +1245 -0
package/tests/archive-unpacker.test.ts +179 -0
package/tests/artifact-analyzer.test.ts +240 -0
package/tests/auth-middleware.test.ts +189 -0
package/tests/decision-diary.test.ts +957 -0
package/tests/diary-reader.test.ts +782 -0
package/tests/envoy-client.test.ts +342 -0
package/tests/envoy-reports.test.ts +156 -0
package/tests/mcp-tools.test.ts +213 -0
package/tests/orchestration.test.ts +536 -0
package/tests/partition-deletion.test.ts +143 -0
package/tests/partition-isolation.test.ts +830 -0
package/tests/pattern-store.test.ts +371 -0
package/tests/rbac-enforcement.test.ts +409 -0
package/tests/ssrf-validation.test.ts +56 -0
package/tests/stale-deployment.test.ts +85 -0
package/tests/step-runner.test.ts +308 -0
package/tests/ui-journey.test.ts +330 -0
package/tsconfig.json +11 -0
package/vitest.config.ts +27 -0

package/dist/middleware/auth.js ADDED Viewed

@@ -0,0 +1,76 @@
+import { SignJWT, jwtVerify } from "jose";
+const EXEMPT_ROUTES = ["/health", "/api/health", "/api/auth/login", "/api/auth/register", "/api/auth/refresh", "/api/auth/status", "/api/auth/providers", "/api/envoy/report"];
+const EXEMPT_PREFIXES = ["/api/auth/oidc/", "/api/auth/callback/oidc/", "/api/auth/saml/", "/api/auth/callback/saml/", "/api/auth/ldap/", "/api/intake/webhook/"];
+// Envoy callback endpoints — validated by envoy token, not user JWT
+const EXEMPT_PATTERNS = [/^\/api\/deployments\/[^/]+\/progress$/];
+/**
+ * Registers JWT-based authentication middleware on a Fastify instance.
+ *
+ * All /api/ and /mcp routes require a valid JWT Bearer token,
+ * except routes listed in EXEMPT_ROUTES. Static file serving and
+ * health endpoints are always accessible.
+ */
+export function registerAuthMiddleware(app, userStore, userRoleStore, sessionStore, jwtSecret) {
+    app.addHook("onRequest", async (request, reply) => {
+        // Skip exempt routes
+        if (EXEMPT_ROUTES.some((r) => request.url.startsWith(r)))
+            return;
+        // Skip OIDC auth routes (dynamic paths)
+        if (EXEMPT_PREFIXES.some((p) => request.url.startsWith(p)))
+            return;
+        // Skip envoy callback endpoints (validated by envoy token in the route handler)
+        if (EXEMPT_PATTERNS.some((p) => p.test(request.url)))
+            return;
+        // Also skip static file serving (non-API routes), but NOT /mcp — it requires auth
+        if (!request.url.startsWith("/api/") && !request.url.startsWith("/mcp"))
+            return;
+        // Accept token from Authorization header or ?token= query param
+        // (EventSource API cannot send headers, so SSE endpoints use query param)
+        const authHeader = request.headers.authorization;
+        const queryToken = request.query?.token;
+        const rawToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : queryToken;
+        if (!rawToken) {
+            reply.status(401).send({ error: "Authentication required" });
+            return;
+        }
+        const token = rawToken;
+        try {
+            const { payload } = await jwtVerify(token, jwtSecret);
+            const userId = payload.sub;
+            const user = userStore.getById(userId);
+            if (!user) {
+                reply.status(401).send({ error: "User not found" });
+                return;
+            }
+            const session = sessionStore.getByToken(token);
+            if (!session) {
+                reply.status(401).send({ error: "Session expired" });
+                return;
+            }
+            const permissions = userRoleStore.getUserPermissions(userId);
+            request.user = { id: userId, email: user.email, name: user.name, permissions };
+        }
+        catch {
+            reply.status(401).send({ error: "Invalid token" });
+        }
+    });
+    return { enabled: true };
+}
+export async function generateTokens(userId, jwtSecret) {
+    const sessionTtl = process.env.SYNTH_SESSION_TTL ?? "8h";
+    const sessionTtlMs = sessionTtl.endsWith("h")
+        ? parseInt(sessionTtl) * 60 * 60 * 1000
+        : sessionTtl.endsWith("m")
+            ? parseInt(sessionTtl) * 60 * 1000
+            : 8 * 60 * 60 * 1000;
+    const token = await new SignJWT({ sub: userId })
+        .setProtectedHeader({ alg: "HS256" })
+        .setExpirationTime(sessionTtl)
+        .sign(jwtSecret);
+    const refreshToken = await new SignJWT({ sub: userId, type: "refresh" })
+        .setProtectedHeader({ alg: "HS256" })
+        .setExpirationTime("7d")
+        .sign(jwtSecret);
+    return { token, refreshToken, expiresAt: new Date(Date.now() + sessionTtlMs) };
+}
+//# sourceMappingURL=auth.js.map

package/dist/middleware/auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAgB1C,MAAM,aAAa,GAAG,CAAC,SAAS,EAAE,aAAa,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,mBAAmB,CAAC,CAAC;AAC/K,MAAM,eAAe,GAAG,CAAC,iBAAiB,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;AAClK,oEAAoE;AACpE,MAAM,eAAe,GAAG,CAAC,uCAAuC,CAAC,CAAC;AAElE;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CACpC,GAAoB,EACpB,SAAqB,EACrB,aAA6B,EAC7B,YAA2B,EAC3B,SAAqB;IAErB,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAE,EAAE;QAC9E,qBAAqB;QACrB,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO;QACjE,wCAAwC;QACxC,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO;QACnE,gFAAgF;QAChF,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAAE,OAAO;QAC7D,kFAAkF;QAClF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO;QAEhF,gEAAgE;QAChE,0EAA0E;QAC1E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,MAAM,UAAU,GAAI,OAAO,CAAC,KAAgC,EAAE,KAAK,CAAC;QACpE,MAAM,QAAQ,GAAG,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QACtF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;YAC7D,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAa,CAAC;YACrC,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACvC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;gBACpD,OAAO;YACT,CAAC;YACD,MAAM,OAAO,GAAG,YAAY,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC/C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;gBACrD,OAAO;YACT,CAAC;YACD,MAAM,WAAW,GAAG,aAAa,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC7D,OAAO,CAAC,IAAI,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;QACjF,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAc,EACd,SAAqB;IAErB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAC;IACzD,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC;QAC3C,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;QACvC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC1B,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,IAAI;YAClC,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEvB,MAAM,KAAK,GAAG,MAAM,IAAI,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;SAC7C,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,iBAAiB,CAAC,UAAU,CAAC;SAC7B,IAAI,CAAC,SAAS,CAAC,CAAC;IAEnB,MAAM,YAAY,GAAG,MAAM,IAAI,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;SACrE,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,iBAAiB,CAAC,IAAI,CAAC;SACvB,IAAI,CAAC,SAAS,CAAC,CAAC;IAEnB,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC;AACjF,CAAC"}

package/dist/middleware/permissions.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { FastifyRequest, FastifyReply } from "fastify";
+import type { Permission, EnterpriseFeature } from "@synth-deploy/core";
+/**
+ * Returns a Fastify preHandler that checks whether the authenticated user
+ * has all of the specified permissions.
+ */
+export declare function requirePermission(...permissions: Permission[]): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+/**
+ * Returns a Fastify preHandler that gates an enterprise-only feature.
+ * Throws EditionError (caught by global error handler → 402) on Community edition.
+ */
+export declare function requireEdition(feature: EnterpriseFeature): (_request: FastifyRequest, _reply: FastifyReply) => Promise<void>;
+//# sourceMappingURL=permissions.d.ts.map

package/dist/middleware/permissions.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/middleware/permissions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAGxE;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,WAAW,EAAE,UAAU,EAAE,IAC9C,SAAS,cAAc,EAAE,OAAO,YAAY,mBAe3D;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,iBAAiB,IACzC,UAAU,cAAc,EAAE,QAAQ,YAAY,mBAG7D"}

package/dist/middleware/permissions.js ADDED Viewed

@@ -0,0 +1,32 @@
+import { requireEnterprise } from "@synth-deploy/core";
+/**
+ * Returns a Fastify preHandler that checks whether the authenticated user
+ * has all of the specified permissions.
+ */
+export function requirePermission(...permissions) {
+    return async (request, reply) => {
+        const user = request.user;
+        if (!user) {
+            reply.status(401).send({ error: "Authentication required" });
+            return;
+        }
+        const missing = permissions.filter((p) => !user.permissions.includes(p));
+        if (missing.length > 0) {
+            reply.status(403).send({
+                error: "Forbidden",
+                required: permissions,
+                message: `This action requires: ${missing.join(", ")}`,
+            });
+        }
+    };
+}
+/**
+ * Returns a Fastify preHandler that gates an enterprise-only feature.
+ * Throws EditionError (caught by global error handler → 402) on Community edition.
+ */
+export function requireEdition(feature) {
+    return async (_request, _reply) => {
+        requireEnterprise(feature);
+    };
+}
+//# sourceMappingURL=permissions.js.map

package/dist/middleware/permissions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/middleware/permissions.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAuB,MAAM,oBAAoB,CAAC;AAE5E;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAG,WAAyB;IAC5D,OAAO,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAE,EAAE;QAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QAC1B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;YAC7D,OAAO;QACT,CAAC;QACD,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrB,KAAK,EAAE,WAAW;gBAClB,QAAQ,EAAE,WAAW;gBACrB,OAAO,EAAE,yBAAyB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aACvD,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,OAA0B;IACvD,OAAO,KAAK,EAAE,QAAwB,EAAE,MAAoB,EAAE,EAAE;QAC9D,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC,CAAC;AACJ,CAAC"}

package/dist/pattern-store.d.ts ADDED Viewed

@@ -0,0 +1,104 @@
+export interface CorrectionRecord {
+    timestamp: Date;
+    field: string;
+    from: string;
+    to: string;
+    artifactId: string;
+}
+export interface AnalysisPattern {
+    id: string;
+    source: string;
+    artifactType: string;
+    namePattern: string;
+    corrections: CorrectionRecord[];
+    derivedAnalysis: DerivedAnalysis;
+    confidence: number;
+    appliedCount: number;
+    createdAt: Date;
+    updatedAt: Date;
+}
+/**
+ * The subset of ArtifactAnalysis fields that can be derived from pattern
+ * corrections. Each field is optional — only corrected fields are stored.
+ */
+export interface DerivedAnalysis {
+    summary?: string;
+    dependencies?: string[];
+    configurationExpectations?: Record<string, string>;
+    deploymentIntent?: string;
+}
+export interface PatternMatch {
+    pattern: AnalysisPattern;
+    /** "auto" when confidence >= 0.7 and >= 2 corrections; "suggest" otherwise */
+    mode: "auto" | "suggest";
+}
+/**
+ * Recomputes confidence from a correction history.
+ *
+ *   - First correction: 0.5
+ *   - Each subsequent correction that agrees with the current value: +0.15
+ *   - A contradictory correction (same field, different `to` value as the
+ *     last correction for that field) resets to 0.5
+ *   - Capped at 0.95
+ */
+export declare function computeConfidence(corrections: CorrectionRecord[]): number;
+/**
+ * SQLite-backed storage for artifact analysis patterns.
+ *
+ * Patterns capture corrections users make to LLM-generated artifact analyses.
+ * When enough consistent corrections accumulate for a given source + type +
+ * name combination, the system can auto-apply the learned corrections instead
+ * of re-running LLM analysis.
+ */
+export declare class PatternStore {
+    private db;
+    private stmts;
+    constructor(dbPath: string);
+    /**
+     * Record a correction against a pattern, creating the pattern if it doesn't
+     * exist. Returns the updated pattern.
+     */
+    recordCorrection(key: {
+        source: string;
+        artifactType: string;
+        namePattern: string;
+    }, correction: Omit<CorrectionRecord, "timestamp">): AnalysisPattern;
+    /**
+     * Find patterns matching a given artifact by source + type, then filter by
+     * name glob match. Returns patterns sorted by confidence (descending).
+     */
+    findMatches(source: string, artifactType: string, artifactName: string): PatternMatch[];
+    /**
+     * Record that a pattern was applied to an artifact.
+     */
+    recordApplication(patternId: string): void;
+    /**
+     * Get a pattern by ID.
+     */
+    getById(id: string): AnalysisPattern | undefined;
+    /**
+     * List all patterns, most recently updated first.
+     */
+    listAll(): AnalysisPattern[];
+    /**
+     * Delete a pattern.
+     */
+    delete(id: string): boolean;
+    /**
+     * Close the database connection.
+     */
+    close(): void;
+    private _findExact;
+    /**
+     * Build a DerivedAnalysis by taking the latest correction `to` value for
+     * each known field. Supports: summary, deploymentIntent, dependencies
+     * (comma-separated), and configurationExpectations (key=value).
+     */
+    private _buildDerivedAnalysis;
+    /**
+     * Simple glob matching: supports `*` (any characters) and `?` (single char).
+     * Used to match artifact names against stored name patterns.
+     */
+    private _globMatch;
+}
+//# sourceMappingURL=pattern-store.d.ts.map

package/dist/pattern-store.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pattern-store.d.ts","sourceRoot":"","sources":["../src/pattern-store.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,IAAI,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,eAAe,EAAE,eAAe,CAAC;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,yBAAyB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnD,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,eAAe,CAAC;IACzB,8EAA8E;IAC9E,IAAI,EAAE,MAAM,GAAG,SAAS,CAAC;CAC1B;AAWD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,gBAAgB,EAAE,GAAG,MAAM,CAqBzE;AA6CD;;;;;;;GAOG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,KAAK,CAQX;gBAEU,MAAM,EAAE,MAAM;IAwD1B;;;OAGG;IACH,gBAAgB,CACd,GAAG,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,EAClE,UAAU,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,GAC9C,eAAe;IA+DlB;;;OAGG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,YAAY,EAAE;IAmBvF;;OAEG;IACH,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAO1C;;OAEG;IACH,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAKhD;;OAEG;IACH,OAAO,IAAI,eAAe,EAAE;IAK5B;;OAEG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAK3B;;OAEG;IACH,KAAK,IAAI,IAAI;IAQb,OAAO,CAAC,UAAU;IAclB;;;;OAIG;IACH,OAAO,CAAC,qBAAqB;IAkC7B;;;OAGG;IACH,OAAO,CAAC,UAAU;CAQnB"}

package/dist/pattern-store.js ADDED Viewed

@@ -0,0 +1,299 @@
+import crypto from "node:crypto";
+import Database from "better-sqlite3";
+// ---------------------------------------------------------------------------
+// Confidence calculation
+// ---------------------------------------------------------------------------
+const INITIAL_CORRECTION_CONFIDENCE = 0.5;
+const CONSISTENT_CORRECTION_BOOST = 0.15;
+const CONTRADICTION_RESET_CONFIDENCE = 0.5;
+const MAX_CONFIDENCE = 0.95;
+/**
+ * Recomputes confidence from a correction history.
+ *
+ *   - First correction: 0.5
+ *   - Each subsequent correction that agrees with the current value: +0.15
+ *   - A contradictory correction (same field, different `to` value as the
+ *     last correction for that field) resets to 0.5
+ *   - Capped at 0.95
+ */
+export function computeConfidence(corrections) {
+    if (corrections.length === 0)
+        return 0;
+    let confidence = INITIAL_CORRECTION_CONFIDENCE;
+    // Track the latest `to` value per field to detect contradictions
+    const latestByField = new Map();
+    for (const c of corrections) {
+        const prev = latestByField.get(c.field);
+        if (prev !== undefined && prev !== c.to) {
+            // Contradictory correction — reset
+            confidence = CONTRADICTION_RESET_CONFIDENCE;
+        }
+        else if (prev !== undefined) {
+            // Consistent — boost
+            confidence = Math.min(confidence + CONSISTENT_CORRECTION_BOOST, MAX_CONFIDENCE);
+        }
+        // First correction for this field — confidence stays at initial
+        latestByField.set(c.field, c.to);
+    }
+    return Math.round(confidence * 100) / 100; // avoid floating-point noise
+}
+function rowToPattern(row) {
+    const corrections = JSON.parse(row.corrections).map((c) => ({
+        ...c,
+        timestamp: new Date(c.timestamp),
+    }));
+    return {
+        id: row.id,
+        source: row.source,
+        artifactType: row.artifact_type,
+        namePattern: row.name_pattern,
+        corrections,
+        derivedAnalysis: JSON.parse(row.derived_analysis),
+        confidence: row.confidence,
+        appliedCount: row.applied_count,
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+    };
+}
+// ---------------------------------------------------------------------------
+// PatternStore
+// ---------------------------------------------------------------------------
+/**
+ * SQLite-backed storage for artifact analysis patterns.
+ *
+ * Patterns capture corrections users make to LLM-generated artifact analyses.
+ * When enough consistent corrections accumulate for a given source + type +
+ * name combination, the system can auto-apply the learned corrections instead
+ * of re-running LLM analysis.
+ */
+export class PatternStore {
+    db;
+    stmts;
+    constructor(dbPath) {
+        this.db = new Database(dbPath);
+        this.db.pragma("journal_mode = WAL");
+        this.db.pragma("foreign_keys = ON");
+        this.db.exec(`
+      CREATE TABLE IF NOT EXISTS analysis_patterns (
+        id TEXT PRIMARY KEY,
+        source TEXT NOT NULL,
+        artifact_type TEXT NOT NULL,
+        name_pattern TEXT NOT NULL,
+        corrections TEXT NOT NULL DEFAULT '[]',
+        derived_analysis TEXT NOT NULL DEFAULT '{}',
+        confidence REAL NOT NULL DEFAULT 0,
+        applied_count INTEGER NOT NULL DEFAULT 0,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_patterns_source_type
+        ON analysis_patterns(source, artifact_type);
+      CREATE INDEX IF NOT EXISTS idx_patterns_confidence
+        ON analysis_patterns(confidence);
+    `);
+        this.stmts = {
+            insert: this.db.prepare(`
+        INSERT INTO analysis_patterns
+          (id, source, artifact_type, name_pattern, corrections, derived_analysis, confidence, applied_count, created_at, updated_at)
+        VALUES
+          (@id, @source, @artifact_type, @name_pattern, @corrections, @derived_analysis, @confidence, @applied_count, @created_at, @updated_at)
+      `),
+            update: this.db.prepare(`
+        UPDATE analysis_patterns
+        SET corrections = @corrections,
+            derived_analysis = @derived_analysis,
+            confidence = @confidence,
+            updated_at = @updated_at
+        WHERE id = @id
+      `),
+            getById: this.db.prepare(`SELECT * FROM analysis_patterns WHERE id = ?`),
+            findMatches: this.db.prepare(`
+        SELECT * FROM analysis_patterns
+        WHERE source = @source AND artifact_type = @artifact_type
+        ORDER BY confidence DESC
+      `),
+            incrementApplied: this.db.prepare(`
+        UPDATE analysis_patterns
+        SET applied_count = applied_count + 1, updated_at = @updated_at
+        WHERE id = @id
+      `),
+            listAll: this.db.prepare(`SELECT * FROM analysis_patterns ORDER BY updated_at DESC`),
+            deleteById: this.db.prepare(`DELETE FROM analysis_patterns WHERE id = ?`),
+        };
+    }
+    /**
+     * Record a correction against a pattern, creating the pattern if it doesn't
+     * exist. Returns the updated pattern.
+     */
+    recordCorrection(key, correction) {
+        const now = new Date();
+        const existing = this._findExact(key.source, key.artifactType, key.namePattern);
+        if (existing) {
+            const record = { ...correction, timestamp: now };
+            const corrections = [...existing.corrections, record];
+            const confidence = computeConfidence(corrections);
+            // Rebuild derived analysis from latest corrections
+            const derivedAnalysis = this._buildDerivedAnalysis(corrections);
+            this.stmts.update.run({
+                id: existing.id,
+                corrections: JSON.stringify(corrections),
+                derived_analysis: JSON.stringify(derivedAnalysis),
+                confidence,
+                updated_at: now.toISOString(),
+            });
+            return {
+                ...existing,
+                corrections,
+                derivedAnalysis: derivedAnalysis,
+                confidence,
+                updatedAt: now,
+            };
+        }
+        // Create new pattern
+        const record = { ...correction, timestamp: now };
+        const corrections = [record];
+        const confidence = computeConfidence(corrections);
+        const derivedAnalysis = this._buildDerivedAnalysis(corrections);
+        const id = crypto.randomUUID();
+        this.stmts.insert.run({
+            id,
+            source: key.source,
+            artifact_type: key.artifactType,
+            name_pattern: key.namePattern,
+            corrections: JSON.stringify(corrections),
+            derived_analysis: JSON.stringify(derivedAnalysis),
+            confidence,
+            applied_count: 0,
+            created_at: now.toISOString(),
+            updated_at: now.toISOString(),
+        });
+        return {
+            id,
+            source: key.source,
+            artifactType: key.artifactType,
+            namePattern: key.namePattern,
+            corrections,
+            derivedAnalysis: derivedAnalysis,
+            confidence,
+            appliedCount: 0,
+            createdAt: now,
+            updatedAt: now,
+        };
+    }
+    /**
+     * Find patterns matching a given artifact by source + type, then filter by
+     * name glob match. Returns patterns sorted by confidence (descending).
+     */
+    findMatches(source, artifactType, artifactName) {
+        const rows = this.stmts.findMatches.all({ source, artifact_type: artifactType });
+        const matches = [];
+        for (const row of rows) {
+            const pattern = rowToPattern(row);
+            if (this._globMatch(pattern.namePattern, artifactName)) {
+                const autoApply = pattern.corrections.length >= 2 && pattern.confidence >= 0.7;
+                matches.push({
+                    pattern,
+                    mode: autoApply ? "auto" : "suggest",
+                });
+            }
+        }
+        return matches;
+    }
+    /**
+     * Record that a pattern was applied to an artifact.
+     */
+    recordApplication(patternId) {
+        this.stmts.incrementApplied.run({
+            id: patternId,
+            updated_at: new Date().toISOString(),
+        });
+    }
+    /**
+     * Get a pattern by ID.
+     */
+    getById(id) {
+        const row = this.stmts.getById.get(id);
+        return row ? rowToPattern(row) : undefined;
+    }
+    /**
+     * List all patterns, most recently updated first.
+     */
+    listAll() {
+        const rows = this.stmts.listAll.all();
+        return rows.map(rowToPattern);
+    }
+    /**
+     * Delete a pattern.
+     */
+    delete(id) {
+        const result = this.stmts.deleteById.run(id);
+        return result.changes > 0;
+    }
+    /**
+     * Close the database connection.
+     */
+    close() {
+        this.db.close();
+    }
+    // -------------------------------------------------------------------------
+    // Private helpers
+    // -------------------------------------------------------------------------
+    _findExact(source, artifactType, namePattern) {
+        const rows = this.stmts.findMatches.all({ source, artifact_type: artifactType });
+        for (const row of rows) {
+            if (row.name_pattern === namePattern) {
+                return rowToPattern(row);
+            }
+        }
+        return undefined;
+    }
+    /**
+     * Build a DerivedAnalysis by taking the latest correction `to` value for
+     * each known field. Supports: summary, deploymentIntent, dependencies
+     * (comma-separated), and configurationExpectations (key=value).
+     */
+    _buildDerivedAnalysis(corrections) {
+        const derived = {};
+        const latestByField = new Map();
+        for (const c of corrections) {
+            latestByField.set(c.field, c.to);
+        }
+        for (const [field, value] of latestByField) {
+            switch (field) {
+                case "summary":
+                    derived.summary = value;
+                    break;
+                case "deploymentIntent":
+                    derived.deploymentIntent = value;
+                    break;
+                case "dependencies":
+                    derived.dependencies = value.split(",").map((d) => d.trim()).filter(Boolean);
+                    break;
+                default:
+                    // Treat as a configuration expectation
+                    if (field.startsWith("config.")) {
+                        if (!derived.configurationExpectations) {
+                            derived.configurationExpectations = {};
+                        }
+                        derived.configurationExpectations[field.slice("config.".length)] = value;
+                    }
+                    break;
+            }
+        }
+        return derived;
+    }
+    /**
+     * Simple glob matching: supports `*` (any characters) and `?` (single char).
+     * Used to match artifact names against stored name patterns.
+     */
+    _globMatch(pattern, name) {
+        // Escape regex special chars except * and ?
+        const regexStr = pattern
+            .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+            .replace(/\*/g, ".*")
+            .replace(/\?/g, ".");
+        return new RegExp(`^${regexStr}$`).test(name);
+    }
+}
+//# sourceMappingURL=pattern-store.js.map

package/dist/pattern-store.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pattern-store.js","sourceRoot":"","sources":["../src/pattern-store.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AA4CtC,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,MAAM,6BAA6B,GAAG,GAAG,CAAC;AAC1C,MAAM,2BAA2B,GAAG,IAAI,CAAC;AACzC,MAAM,8BAA8B,GAAG,GAAG,CAAC;AAC3C,MAAM,cAAc,GAAG,IAAI,CAAC;AAE5B;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAA+B;IAC/D,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEvC,IAAI,UAAU,GAAG,6BAA6B,CAAC;IAC/C,iEAAiE;IACjE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEhD,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YACxC,mCAAmC;YACnC,UAAU,GAAG,8BAA8B,CAAC;QAC9C,CAAC;aAAM,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YAC9B,qBAAqB;YACrB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,GAAG,2BAA2B,EAAE,cAAc,CAAC,CAAC;QAClF,CAAC;QACD,gEAAgE;QAChE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,6BAA6B;AAC1E,CAAC;AAmBD,SAAS,YAAY,CAAC,GAAe;IACnC,MAAM,WAAW,GAAuB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,GAAG,CACrE,CAAC,CAAqF,EAAE,EAAE,CAAC,CAAC;QAC1F,GAAG,CAAC;QACJ,SAAS,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;KACjC,CAAC,CACH,CAAC;IAEF,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,YAAY,EAAE,GAAG,CAAC,aAAa;QAC/B,WAAW,EAAE,GAAG,CAAC,YAAY;QAC7B,WAAW;QACX,eAAe,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACjD,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,YAAY,EAAE,GAAG,CAAC,aAAa;QAC/B,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QACnC,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,OAAO,YAAY;IACf,EAAE,CAAoB;IACtB,KAAK,CAQX;IAEF,YAAY,MAAc;QACxB,IAAI,CAAC,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;QAEpC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;KAkBZ,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,GAAG;YACX,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;OAKvB,CAAC;YACF,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;OAOvB,CAAC;YACF,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,8CAA8C,CAAC;YACxE,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;OAI5B,CAAC;YACF,gBAAgB,EAAE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;OAIjC,CAAC;YACF,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,0DAA0D,CAAC;YACpF,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,4CAA4C,CAAC;SAC1E,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,gBAAgB,CACd,GAAkE,EAClE,UAA+C;QAE/C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QAEhF,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,MAAM,GAAqB,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;YACnE,MAAM,WAAW,GAAG,CAAC,GAAG,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YACtD,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAElD,mDAAmD;YACnD,MAAM,eAAe,GAAG,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAEhE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC;gBACpB,EAAE,EAAE,QAAQ,CAAC,EAAE;gBACf,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;gBACxC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC;gBACjD,UAAU;gBACV,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;aAC9B,CAAC,CAAC;YAEH,OAAO;gBACL,GAAG,QAAQ;gBACX,WAAW;gBACX,eAAe,EAAE,eAAe;gBAChC,UAAU;gBACV,SAAS,EAAE,GAAG;aACf,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,MAAM,GAAqB,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;QACnE,MAAM,WAAW,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7B,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;QAClD,MAAM,eAAe,GAAG,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAChE,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAE/B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC;YACpB,EAAE;YACF,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,aAAa,EAAE,GAAG,CAAC,YAAY;YAC/B,YAAY,EAAE,GAAG,CAAC,WAAW;YAC7B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;YACxC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC;YACjD,UAAU;YACV,aAAa,EAAE,CAAC;YAChB,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;YAC7B,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAC,CAAC;QAEH,OAAO;YACL,EAAE;YACF,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,WAAW;YACX,eAAe,EAAE,eAAe;YAChC,UAAU;YACV,YAAY,EAAE,CAAC;YACf,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;SACf,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,MAAc,EAAE,YAAoB,EAAE,YAAoB;QACpE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,CAAiB,CAAC;QACjG,MAAM,OAAO,GAAmB,EAAE,CAAC;QAEnC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,EAAE,CAAC;gBACvD,MAAM,SAAS,GACb,OAAO,CAAC,WAAW,CAAC,MAAM,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;gBAC/D,OAAO,CAAC,IAAI,CAAC;oBACX,OAAO;oBACP,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;iBACrC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,SAAiB;QACjC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,GAAG,CAAC;YAC9B,EAAE,EAAE,SAAS;YACb,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,EAAU;QAChB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAA2B,CAAC;QACjE,OAAO,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,OAAO;QACL,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,EAAkB,CAAC;QACtD,OAAO,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,EAAU;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;IAED,4EAA4E;IAC5E,kBAAkB;IAClB,4EAA4E;IAEpE,UAAU,CAChB,MAAc,EACd,YAAoB,EACpB,WAAmB;QAEnB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,CAAiB,CAAC;QACjG,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,GAAG,CAAC,YAAY,KAAK,WAAW,EAAE,CAAC;gBACrC,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACK,qBAAqB,CAAC,WAA+B;QAC3D,MAAM,OAAO,GAAoB,EAAE,CAAC;QACpC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;QAEhD,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;QACnC,CAAC;QAED,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,aAAa,EAAE,CAAC;YAC3C,QAAQ,KAAK,EAAE,CAAC;gBACd,KAAK,SAAS;oBACZ,OAAO,CAAC,OAAO,GAAG,KAAK,CAAC;oBACxB,MAAM;gBACR,KAAK,kBAAkB;oBACrB,OAAO,CAAC,gBAAgB,GAAG,KAAK,CAAC;oBACjC,MAAM;gBACR,KAAK,cAAc;oBACjB,OAAO,CAAC,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;oBAC7E,MAAM;gBACR;oBACE,uCAAuC;oBACvC,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;wBAChC,IAAI,CAAC,OAAO,CAAC,yBAAyB,EAAE,CAAC;4BACvC,OAAO,CAAC,yBAAyB,GAAG,EAAE,CAAC;wBACzC,CAAC;wBACD,OAAO,CAAC,yBAAyB,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC;oBAC3E,CAAC;oBACD,MAAM;YACV,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACK,UAAU,CAAC,OAAe,EAAE,IAAY;QAC9C,4CAA4C;QAC5C,MAAM,QAAQ,GAAG,OAAO;aACrB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;aACpC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC;aACpB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACvB,OAAO,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,CAAC;CACF"}

package/package.json ADDED Viewed

@@ -0,0 +1,54 @@
+{
+  "name": "@synth-deploy/server",
+  "version": "0.1.0",
+  "license": "BUSL-1.1",
+  "type": "module",
+  "publishConfig": {
+    "access": "public"
+  },
+  "main": "dist/index.js",
+  "bin": {
+    "synth-server": "./dist/index.js"
+  },
+  "exports": {
+    ".": "./dist/index.js",
+    "./agent/*": "./dist/agent/*",
+    "./api/*": "./dist/api/*",
+    "./mcp/*": "./dist/mcp/*"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx --env-file=../../.env --watch src/index.ts",
+    "start": "node dist/index.js",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "@fastify/cors": "^11.2.0",
+    "@fastify/formbody": "^8.0.2",
+    "@fastify/multipart": "^9.4.0",
+    "@fastify/rate-limit": "^10.3.0",
+    "@fastify/static": "^9.0.0",
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "@node-saml/node-saml": "^5.1.0",
+    "@synth-deploy/core": "*",
+    "@types/bcryptjs": "^2.4.6",
+    "adm-zip": "^0.5.16",
+    "bcryptjs": "^3.0.3",
+    "better-sqlite3": "^12.6.2",
+    "fastify": "^5.0.0",
+    "ldapjs": "^3.0.7",
+    "openid-client": "^6.8.2",
+    "tar-stream": "^2.2.0",
+    "zod": "^3.25.0"
+  },
+  "devDependencies": {
+    "@types/adm-zip": "^0.5.7",
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/ldapjs": "^3.0.6",
+    "@types/node": "^25.3.0",
+    "@types/tar-stream": "^3.1.4",
+    "tsx": "^4.0.0",
+    "typescript": "^5.7.0",
+    "vitest": "^4.0.18"
+  }
+}

package/src/agent/debrief-retention.ts ADDED Viewed

@@ -0,0 +1,44 @@
+import type { PersistentDecisionDebrief } from "@synth-deploy/core";
+const DEFAULT_RETENTION_DAYS = Number(
+  process.env.SYNTH_DEBRIEF_RETENTION_DAYS ?? 90,
+);
+const DEFAULT_RETENTION_INTERVAL_MS = Number(
+  process.env.SYNTH_RETENTION_INTERVAL_MS ?? 24 * 60 * 60 * 1000, // daily
+);
+/**
+ * Runs a single retention pass: purges debrief entries older than
+ * the retention threshold.
+ */
+export function runRetentionPass(
+  debrief: PersistentDecisionDebrief,
+  retentionDays: number = DEFAULT_RETENTION_DAYS,
+): number {
+  const cutoff = new Date(Date.now() - retentionDays * 24 * 60 * 60 * 1000);
+  const purged = debrief.purgeOlderThan(cutoff);
+  if (purged > 0) {
+    console.log(`[debrief-retention] Purged ${purged} entries older than ${retentionDays} days`);
+  }
+  return purged;
+}
+/**
+ * Starts a periodic retention scanner.
+ * Returns a cleanup function to stop the interval.
+ */
+export function startRetentionScanner(
+  debrief: PersistentDecisionDebrief,
+  intervalMs: number = DEFAULT_RETENTION_INTERVAL_MS,
+  retentionDays: number = DEFAULT_RETENTION_DAYS,
+): () => void {
+  // Run once on startup
+  runRetentionPass(debrief, retentionDays);
+  const timer = setInterval(() => {
+    runRetentionPass(debrief, retentionDays);
+  }, intervalMs);
+  return () => clearInterval(timer);
+}