@theokit/sdk 1.6.2 → 1.7.0

package/dist/workflow.cjs

@@ -1,11 +1,11 @@
 'use strict';
 
+var crypto = require('crypto');
 var promises = require('fs/promises');
 var path = require('path');
 var module$1 = require('module');
 var fs = require('fs');
 var async_hooks = require('async_hooks');
-var crypto = require('crypto');
 var zod = require('zod');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
@@ -19,6 +19,136 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/internal/security/redact.ts
+function readEnvOnce() {
+  const raw = process.env.THEOKIT_REDACT_SECRETS;
+  if (raw === void 0) return true;
+  return ["1", "true", "yes", "on"].includes(raw.toLowerCase());
+}
+function maskToken(token) {
+  if (token.length < 18) return "***";
+  return `${token.slice(0, 6)}...${token.slice(-4)}`;
+}
+function coerceToString(value) {
+  if (typeof value === "string") return value;
+  if (value === null || value === void 0) return null;
+  if (typeof value === "object") {
+    try {
+      const s = JSON.stringify(value);
+      return s === void 0 ? null : s;
+    } catch {
+      return "[unredactable: circular]";
+    }
+  }
+  return String(value);
+}
+function redactSecrets(text, opts) {
+  const coerced = coerceToString(text);
+  if (coerced === null) return "";
+  if (!REDACT_ENABLED) return coerced;
+  let s = coerced;
+  for (const re of BUILTIN_PATTERNS) {
+    s = s.replace(re, (m) => maskToken(m));
+  }
+  for (const re of _extraPatterns) {
+    s = s.replace(re, (m) => maskToken(m));
+  }
+  {
+    s = s.replace(BEARER_PATTERN, (_, prefix) => `${prefix}***`);
+    s = s.replace(PARAM_PATTERN, (whole, prefix, value) => {
+      if (value.includes("...")) return whole;
+      return `${prefix}***`;
+    });
+  }
+  return s;
+}
+var REDACT_ENABLED, warnedOptOut, BUILTIN_PATTERNS, BEARER_PATTERN, PARAM_PATTERN, _extraPatterns;
+var init_redact = __esm({
+  "src/internal/security/redact.ts"() {
+    REDACT_ENABLED = readEnvOnce();
+    warnedOptOut = false;
+    if (!REDACT_ENABLED && !warnedOptOut) {
+      process.stderr.write(
+        "[theokit-sdk] Secret redaction is DISABLED via THEOKIT_REDACT_SECRETS. Credentials may leak into errors, telemetry, logs, transcripts.\n"
+      );
+      warnedOptOut = true;
+    }
+    BUILTIN_PATTERNS = [
+      // T5.4: 30+ vendor prefixes (was 12 pre-T5.4). Order matters — more
+      // specific prefixes precede generic ones (e.g., sk-ant-admin01 before
+      // sk-ant-, sk-proj- before sk-). PEM block deliberately first so its
+      // multi-line span runs before any per-line patterns can fire.
+      /-----BEGIN[ ]+(?:RSA |EC |DSA |OPENSSH |ENCRYPTED |)PRIVATE KEY-----[\s\S]+?-----END[ ]+(?:RSA |EC |DSA |OPENSSH |ENCRYPTED |)PRIVATE KEY-----/g,
+      // JWT — exact 3-segment base64url. Dotted; the body floor of 4 chars per
+      // segment matches the minimum legal payload while skipping `a.b.c` noise.
+      /eyJ[A-Za-z0-9_-]{4,}\.eyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}/g,
+      // Azure Storage SAS — match the sig= component (URL-encoded base64).
+      /(?<=[?&]sig=)[A-Za-z0-9%+/]{20,}/g,
+      // Anthropic
+      /sk-ant-admin01-[A-Za-z0-9_-]{10,}/g,
+      //   Anthropic admin keys (must precede sk-ant-)
+      /sk-ant-[A-Za-z0-9_-]{10,}/g,
+      //           Anthropic regular
+      // OpenAI family + clones (sk- generic must come AFTER all sk-foo- variants)
+      /sk-proj-[A-Za-z0-9_-]{10,}/g,
+      //  OpenAI project key (must precede sk- generic)
+      /sk-[A-Za-z0-9_-]{10,}/g,
+      //       OpenAI / OpenRouter / DeepInfra / Together / DeepSeek
+      // Provider prefixes (alphabetized for maintainability)
+      /AIza[A-Za-z0-9_-]{35}/g,
+      //       Google API key
+      /AKIA[A-Z0-9]{16}/g,
+      //            AWS access key
+      /fw_[A-Za-z0-9]{20,}/g,
+      //         Fireworks
+      /glpat-[A-Za-z0-9_-]{20}/g,
+      //     GitLab PAT
+      /ghp_[A-Za-z0-9]{36}/g,
+      //         GitHub PAT classic
+      /github_pat_[A-Za-z0-9_]{82}/g,
+      // GitHub PAT fine-grained
+      /gsk_[A-Za-z0-9]{20,}/g,
+      //        Groq
+      /hf_[A-Za-z0-9]{20,}/g,
+      //         HuggingFace
+      /\bpa-[A-Za-z0-9_-]{20,}/g,
+      //     Voyage AI (word-boundary to skip CSS / kebab IDs)
+      /pcsk_[A-Za-z0-9_-]{20,}/g,
+      //     Pinecone
+      /pplx-[A-Za-z0-9_-]{20,}/g,
+      //     Perplexity
+      /r8_[A-Za-z0-9_-]{20,}/g,
+      //       Replicate
+      /rk_live_[A-Za-z0-9]{20,}/g,
+      //    Stripe restricted
+      /sk_live_[A-Za-z0-9]{20,}/g,
+      //    Stripe secret
+      /sntrys_[A-Za-z0-9]{40,}/g,
+      //     Sentry user auth
+      /xai-[A-Za-z0-9_-]{20,}/g,
+      //      xAI (Grok)
+      /xox[bpasr]-[A-Za-z0-9-]{10,}/g,
+      //Slack tokens
+      // Additional unique-prefix tokens with low false-positive risk
+      /npm_[A-Za-z0-9]{36}/g,
+      //         npm access token
+      /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g,
+      // SendGrid
+      /\bSK[A-Za-z0-9]{32}\b/g,
+      //       Twilio API SID (word-boundary to skip CSS class noise)
+      /\bkey-[a-f0-9]{32}\b/g,
+      //        Mailgun (hex-only narrows false positives)
+      /MT[A-Za-z0-9_-]{23}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}/g,
+      // Discord bot
+      /\b(?:sdk|mob)-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\b/g
+      // LaunchDarkly
+    ];
+    BEARER_PATTERN = /\b(Bearer\s+)([A-Za-z0-9_\-.+/=]{8,})/g;
+    PARAM_PATTERN = /(\b(?:access_token|api_key|api-key|client_secret|credential|credentials|id_token|jwt|password|private_key|refresh_token|secret|service_account|session_token|token|x-api-key)\b["']?\s*[:=]\s*["']?)([A-Za-z0-9_\-.+/]+)/gi;
+    _extraPatterns = [];
+  }
+});
+
 // src/errors.ts
 var TheokitAgentError, ConfigurationError, UnsupportedRunOperationError, InvalidTaskIdError, TaskNotFoundError;
 var init_errors = __esm({
@@ -166,9 +296,29 @@ var init_workflow = __esm({
     };
   }
 });
+function detectNetworkFsName(typeMagic) {
+  return NETWORK_FS_MAGIC.get(typeMagic) ?? null;
+}
+async function warnOnNetworkFsOnce(dirPath, label) {
+  const key2 = `${dirPath}\0${label}`;
+  if (warnedNfsDirs.has(key2)) return;
+  warnedNfsDirs.add(key2);
+  try {
+    const info = await promises.statfs(dirPath);
+    const fsName = detectNetworkFsName(info.type);
+    if (fsName === null) return;
+    process.stderr.write(
+      `[theokit-sdk] ${label}: detected network fs (${fsName}) at ${dirPath} \u2014 rename() atomicity guarantees may be weaker than expected.
+`
+    );
+  } catch {
+  }
+}
 async function replaceFileAtomic(filePath, content) {
-  const tmp = `${filePath}.${process.pid}.${Math.random().toString(36).slice(2, 10)}.tmp`;
-  const handle = await promises.open(tmp, "w");
+  await warnOnNetworkFsOnce(path.dirname(filePath), "atomic-write");
+  const suffix = crypto.randomBytes(8).toString("hex");
+  const tmp = `${filePath}.${process.pid}.${suffix}.tmp`;
+  const handle = await promises.open(tmp, "w", 384);
   try {
     await handle.writeFile(content, "utf8");
     await handle.sync();
@@ -186,8 +336,16 @@ async function atomicWriteText(filePath, content) {
   await promises.mkdir(path.dirname(filePath), { recursive: true });
   await replaceFileAtomic(filePath, content);
 }
+var NETWORK_FS_MAGIC, warnedNfsDirs;
 var init_atomic_write = __esm({
   "src/internal/persistence/atomic-write.ts"() {
+    NETWORK_FS_MAGIC = /* @__PURE__ */ new Map([
+      [26985, "nfs"],
+      [20859, "smb"],
+      [4283649346, "cifs"],
+      [1702057286, "fuse"]
+    ]);
+    warnedNfsDirs = /* @__PURE__ */ new Set();
   }
 });
 function getSnapshotStoreFor(options) {
@@ -564,91 +722,6 @@ var init_step_agent = __esm({
   }
 });
 
-// src/internal/security/redact.ts
-function readEnvOnce() {
-  const raw = process.env.THEOKIT_REDACT_SECRETS;
-  if (raw === void 0) return true;
-  return ["1", "true", "yes", "on"].includes(raw.toLowerCase());
-}
-function maskToken(token) {
-  if (token.length < 18) return "***";
-  return `${token.slice(0, 6)}...${token.slice(-4)}`;
-}
-function coerceToString(value) {
-  if (typeof value === "string") return value;
-  if (value === null || value === void 0) return null;
-  if (typeof value === "object") {
-    try {
-      const s = JSON.stringify(value);
-      return s === void 0 ? null : s;
-    } catch {
-      return "[unredactable: circular]";
-    }
-  }
-  return String(value);
-}
-function redactSecrets(text, opts) {
-  const coerced = coerceToString(text);
-  if (coerced === null) return "";
-  if (!REDACT_ENABLED) return coerced;
-  let s = coerced;
-  for (const re of BUILTIN_PATTERNS) {
-    s = s.replace(re, (m) => maskToken(m));
-  }
-  for (const re of _extraPatterns) {
-    s = s.replace(re, (m) => maskToken(m));
-  }
-  {
-    s = s.replace(BEARER_PATTERN, (_, prefix) => `${prefix}***`);
-    s = s.replace(PARAM_PATTERN, (_, prefix) => `${prefix}***`);
-  }
-  return s;
-}
-var REDACT_ENABLED, warnedOptOut, BUILTIN_PATTERNS, BEARER_PATTERN, PARAM_PATTERN, _extraPatterns;
-var init_redact = __esm({
-  "src/internal/security/redact.ts"() {
-    REDACT_ENABLED = readEnvOnce();
-    warnedOptOut = false;
-    if (!REDACT_ENABLED && !warnedOptOut) {
-      process.stderr.write(
-        "[theokit-sdk] Secret redaction is DISABLED via THEOKIT_REDACT_SECRETS. Credentials may leak into errors, telemetry, logs, transcripts.\n"
-      );
-      warnedOptOut = true;
-    }
-    BUILTIN_PATTERNS = [
-      /sk-ant-[A-Za-z0-9_-]{10,}/g,
-      //   Anthropic
-      /sk-proj-[A-Za-z0-9_-]{10,}/g,
-      //  OpenAI project key (must precede sk- generic)
-      /sk-[A-Za-z0-9_-]{10,}/g,
-      //       OpenAI / OpenRouter / DeepInfra. {10,} body floor —
-      //   real keys are 40+ chars; 10-char floor still skips `sk-test` (4) and
-      //   `sk-test-key` (8). codeFile mode protects placeholders/examples.
-      /ghp_[A-Za-z0-9]{36}/g,
-      //         GitHub PAT classic (exact length)
-      /github_pat_[A-Za-z0-9_]{82}/g,
-      // GitHub PAT fine-grained
-      /glpat-[A-Za-z0-9_-]{20}/g,
-      //     GitLab PAT
-      /AKIA[A-Z0-9]{16}/g,
-      //            AWS access key
-      /AIza[A-Za-z0-9_-]{35}/g,
-      //       Google API key
-      /xox[bpasr]-[A-Za-z0-9-]{10,}/g,
-      //Slack tokens
-      /sntrys_[A-Za-z0-9]{40,}/g,
-      //     Sentry user auth
-      /sk_live_[A-Za-z0-9]{20,}/g,
-      //    Stripe secret
-      /rk_live_[A-Za-z0-9]{20,}/g
-      //    Stripe restricted
-    ];
-    BEARER_PATTERN = /\b(Bearer\s+)([A-Za-z0-9_\-.+/=]{8,})/g;
-    PARAM_PATTERN = /(\b(?:access_token|api_key|api-key|password|secret|x-api-key)\b["']?\s*[:=]\s*["']?)([A-Za-z0-9_\-.+/]+)/gi;
-    _extraPatterns = [];
-  }
-});
-
 // src/internal/workflow/step-branch.ts
 async function runBranchStep(step, input, ctx, options, prevStepResults, dispatch) {
   const startedAt = Date.now();
@@ -2132,6 +2205,23 @@ var PersistenceSchema = zod.z.object({
 
 // src/internal/security/path-guard.ts
 init_errors();
+var PathTraversalError = class extends ConfigurationError {
+  name = "PathTraversalError";
+  constructor(input, resolvedPath) {
+    super(`Path traversal attempt: ${input} \u2192 ${resolvedPath}`, {
+      code: "path_traversal"
+    });
+  }
+};
+function rejectNulAndControlChars(input, role) {
+  for (let i = 0; i < input.length; i++) {
+    const code = input.charCodeAt(i);
+    if (code === 0 || code >= 1 && code <= 31 || code === 127) {
+      const label = code === 0 ? "<nul-byte>" : `<control-char-0x${code.toString(16)}>`;
+      throw new PathTraversalError(`${role}: ${input}`, label);
+    }
+  }
+}
 var IDENTIFIER_PATTERN = /^[a-z0-9][a-z0-9\-_]*$/i;
 function sanitizeIdentifier(input, options) {
   const maxLen = options?.maxLen;
@@ -2140,6 +2230,7 @@ function sanitizeIdentifier(input, options) {
       code: "invalid_identifier"
     });
   }
+  rejectNulAndControlChars(input, "identifier");
   if (!IDENTIFIER_PATTERN.test(input)) {
     throw new ConfigurationError(`Identifier contains invalid characters: "${input}"`, {
       code: "invalid_identifier"