@thotischner/observability-mcp 1.8.1 → 3.0.1

package/dist/openapi.js

@@ -23,6 +23,10 @@ const SOURCE_SCHEMA = {
         },
         tls: { type: "object", additionalProperties: true },
         signalType: { type: "string", enum: ["metrics", "logs", "traces"] },
+        tenant: {
+            type: "string",
+            description: "Tenant this source belongs to. Omitted = global (visible to every tenant). Tagged sources are visible only inside their named tenant; cross-tenant probes return 404 with no existence leak.",
+        },
     },
     additionalProperties: true,
 };
@@ -60,21 +64,27 @@ export function buildOpenApiSpec(version) {
             "/api/sources": {
                 get: {
                     tags: ["sources"],
-                    summary: "List configured sources with live health.",
+                    summary: "List configured sources with live health (tenant-scoped).",
+                    description: "Non-admin callers see only their own tenant's sources + globals (untagged). Admins (users:delete) see every source; pass ?tenant=X for an admin drill-down to that tenant + globals. Anonymous mode bypasses scoping (single-tenant default).",
+                    parameters: [
+                        { name: "tenant", in: "query", schema: { type: "string" }, description: "Admin-only tenant drill-down (silently ignored for non-admins, who are scoped to their own tenant)." },
+                    ],
                     responses: {
                         "200": {
-                            description: "Sources with status, latency, signal type.",
+                            description: "Sources with status, latency, signal type. The `tenant` field is present when the source is tagged.",
                             content: { "application/json": { schema: { type: "array", items: SOURCE_SCHEMA } } },
                         },
                     },
                 },
                 post: {
                     tags: ["sources"],
-                    summary: "Add a new source.",
+                    summary: "Add a new source (tenant-aware).",
+                    description: "Body may include `tenant` to tag the source. Non-admins may only create within their own tenant; setting body.tenant to another value returns 403. Admins may leave tenant unset (global) or set any value.",
                     requestBody: { required: true, content: { "application/json": { schema: SOURCE_SCHEMA } } },
                     responses: {
                         "201": { description: "Source created." },
                         "400": { description: "Validation error." },
+                        "403": { description: "Non-admin attempting to create in another tenant." },
                         "409": { description: "Source with that name already exists." },
                     },
                 },
@@ -107,14 +117,23 @@ export function buildOpenApiSpec(version) {
                 parameters: [{ name: "name", in: "path", required: true, schema: { type: "string" } }],
                 put: {
                     tags: ["sources"],
-                    summary: "Replace an existing source.",
+                    summary: "Replace an existing source (tenant-aware).",
+                    description: "Non-admin probes of a cross-tenant source return 404 (no existence leak — same posture as /api/products). Non-admins attempting to reassign body.tenant return 403. Admins may move sources between tenants.",
                     requestBody: { required: true, content: { "application/json": { schema: SOURCE_SCHEMA } } },
-                    responses: { "200": { description: "Updated." }, "404": { description: "Not found." } },
+                    responses: {
+                        "200": { description: "Updated." },
+                        "403": { description: "Non-admin attempting tenant reassignment." },
+                        "404": { description: "Not found (or hidden by tenant scope)." },
+                    },
                 },
                 delete: {
                     tags: ["sources"],
                     summary: "Remove a source.",
-                    responses: { "204": { description: "Removed." }, "404": { description: "Not found." } },
+                    description: "Cross-tenant deletes return 404 (no existence leak).",
+                    responses: {
+                        "204": { description: "Removed." },
+                        "404": { description: "Not found (or hidden by tenant scope)." },
+                    },
                 },
             },
             "/api/source-types": {
@@ -129,6 +148,35 @@ export function buildOpenApiSpec(version) {
                     },
                 },
             },
+            "/api/tools/registry": {
+                get: {
+                    tags: ["products"],
+                    summary: "MCP tool catalogue — name + category + one-line summary, used by the Products picker.",
+                    description: "Static metadata derived from REGISTERED_TOOLS. The Products modal pulls this to populate a multi-select picker grouped by category (discovery / query / diagnose / topology); the server-side typo guard (PR #343) stays as defence-in-depth.",
+                    responses: {
+                        "200": {
+                            description: "Tool registry.",
+                            content: { "application/json": { schema: {
+                                        type: "object",
+                                        properties: {
+                                            tools: {
+                                                type: "array",
+                                                items: {
+                                                    type: "object",
+                                                    required: ["name", "category", "summary"],
+                                                    properties: {
+                                                        name: { type: "string" },
+                                                        category: { type: "string", enum: ["discovery", "query", "diagnose", "topology"] },
+                                                        summary: { type: "string" },
+                                                    },
+                                                },
+                                            },
+                                        },
+                                    } } },
+                        },
+                    },
+                },
+            },
             "/api/services": {
                 get: {
                     tags: ["services"],
@@ -478,11 +526,12 @@ export function buildOpenApiSpec(version) {
             "/api/policy": {
                 get: {
                     tags: ["auth"],
-                    summary: "Read-only view of the active RBAC policy (admin-only). Dry-run probe with ?resource=&action=&roles=.",
+                    summary: "Read-only view of the active RBAC policy (admin-only). Dry-run probe with ?resource=&action=&roles=[&tenant=].",
                     parameters: [
                         { name: "roles", in: "query", required: false, schema: { type: "string" }, description: "Comma-separated role names to probe. Defaults to none (treated as anonymous → always denied)." },
                         { name: "resource", in: "query", required: false, schema: { type: "string" }, description: "Resource to probe. Pair with `action` to enter dry-run mode." },
                         { name: "action", in: "query", required: false, schema: { type: "string" }, description: "Action to probe. Pair with `resource` to enter dry-run mode." },
+                        { name: "tenant", in: "query", required: false, schema: { type: "string" }, description: "Tenant to probe under (dry-run only). Defaults to the caller's session tenant; admins may override to probe verdicts for any tenant — exactly how to debug tenant-conditional Rego rules under the OPA engine." },
                     ],
                     responses: {
                         "200": {
@@ -493,6 +542,7 @@ export function buildOpenApiSpec(version) {
                                         type: "object",
                                         properties: {
                                             engine: { type: "string", description: "Identifier of the active engine: 'builtin', 'file:<path>', 'opa:<url>'." },
+                                            tenantAware: { type: "boolean", description: "True when the active engine honours session.tenant on .evaluate() — i.e. OPA. Built-in / file-loaded engines ignore tenant ctx (false)." },
                                             policy: { type: "object", additionalProperties: true },
                                             roles: { type: "array", items: { type: "string" } },
                                             note: { type: "string" },
@@ -502,6 +552,7 @@ export function buildOpenApiSpec(version) {
                                                     roles: { type: "array", items: { type: "string" } },
                                                     resource: { type: "string" },
                                                     action: { type: "string" },
+                                                    tenant: { type: "string", description: "Tenant the probe ran under (echoed from ?tenant= or the caller's session)." },
                                                     allowed: { type: "boolean" },
                                                     reason: { type: "string" },
                                                 },
@@ -515,6 +566,97 @@ export function buildOpenApiSpec(version) {
                     },
                 },
             },
+            "/api/policy/roles/{name}": {
+                put: {
+                    tags: ["auth"],
+                    summary: "Upsert a role in the file-backed RBAC policy (admin-only, file engine only).",
+                    description: "Writes through OMCP_RBAC_POLICY_FILE atomically. 409 if the active engine isn't `file:…` or the env var is unset. Permissions are validated against VALID_RESOURCES + VALID_ACTIONS; unknown values return 422 with code OMCP_POLICY_UNKNOWN_RESOURCE / OMCP_POLICY_UNKNOWN_ACTION. On success the in-memory PolicyEngine is hot-swapped — existing gates pick up the new policy without a server restart.",
+                    parameters: [
+                        { name: "name", in: "path", required: true, schema: { type: "string" } },
+                    ],
+                    requestBody: {
+                        required: true,
+                        content: { "application/json": { schema: {
+                                    type: "object",
+                                    required: ["permissions"],
+                                    properties: { permissions: { type: "array", items: { type: "object", properties: {
+                                                    resource: { type: "string" },
+                                                    action: { type: "string" },
+                                                } } } },
+                                } } },
+                    },
+                    responses: {
+                        "200": { description: "Role saved + hot-swapped." },
+                        "400": { description: "Body shape invalid OR role name pattern rejected." },
+                        "403": { description: "Missing users:delete permission (admin-only)." },
+                        "409": { description: "Active engine isn't `file:…`, or OMCP_RBAC_POLICY_FILE unset (codes: OMCP_POLICY_ENGINE_NOT_FILE / OMCP_POLICY_FILE_NOT_SET)." },
+                        "422": { description: "Unknown resource or action (codes: OMCP_POLICY_UNKNOWN_RESOURCE / OMCP_POLICY_UNKNOWN_ACTION)." },
+                    },
+                },
+            },
+            "/api/users/{username}/roles": {
+                put: {
+                    tags: ["auth"],
+                    summary: "Update a local user's role assignments (admin-only, file-backed).",
+                    description: "Writes through OMCP_USERS_FILE. Roles are validated against the active policy engine's role catalogue; unknown role names return 422 with OMCP_USER_UNKNOWN_ROLE. The in-memory user store is refreshed atomically after the file write so the next login picks up the new roles without a server restart.",
+                    parameters: [
+                        { name: "username", in: "path", required: true, schema: { type: "string" } },
+                    ],
+                    requestBody: {
+                        required: true,
+                        content: { "application/json": { schema: {
+                                    type: "object",
+                                    required: ["roles"],
+                                    properties: { roles: { type: "array", items: { type: "string" } } },
+                                } } },
+                    },
+                    responses: {
+                        "200": { description: "Roles updated." },
+                        "400": { description: "Body must be { roles: string[] }." },
+                        "403": { description: "Missing users:delete permission (admin-only)." },
+                        "404": { description: "User not found OR users file unreadable." },
+                        "409": { description: "OMCP_USERS_FILE is not configured — basic-mode user roles can't be edited via the API." },
+                        "422": { description: "tools[] references unknown role names. Body includes `unknown` + `available`; error code OMCP_USER_UNKNOWN_ROLE." },
+                    },
+                },
+            },
+            "/api/subjects": {
+                get: {
+                    tags: ["auth"],
+                    summary: "Aggregated subjects view — local users + API-key names + OIDC group mappings (admin-only).",
+                    description: "Read-only catalogue of the principals an OMCP deployment knows about. Three independent sources: OMCP_USERS_FILE (users), OMCP_API_KEYS (apiKeys), OMCP_OIDC_ROLE_MAP (oidcGroups). Tokens + password hashes are never returned — only metadata.",
+                    responses: {
+                        "200": {
+                            description: "Subjects payload.",
+                            content: { "application/json": { schema: {
+                                        type: "object",
+                                        properties: {
+                                            users: { type: "array", items: { type: "object", properties: {
+                                                        username: { type: "string" }, name: { type: "string" },
+                                                        roles: { type: "array", items: { type: "string" } },
+                                                        tenant: { type: "string" },
+                                                    } } },
+                                            apiKeys: { type: "array", items: { type: "object", properties: {
+                                                        name: { type: "string" }, tenant: { type: "string" },
+                                                        productId: { type: "string" },
+                                                        bypassRedaction: { type: "boolean" },
+                                                        allowedSources: { type: "array", items: { type: "string" } },
+                                                    } } },
+                                            oidcGroups: { type: "array", items: { type: "object", properties: {
+                                                        claim: { type: "string" }, role: { type: "string" },
+                                                    } } },
+                                            sources: { type: "object", properties: {
+                                                    users: { type: ["string", "null"] },
+                                                    apiKeys: { type: ["string", "null"] },
+                                                    oidcGroups: { type: ["string", "null"] },
+                                                } },
+                                        },
+                                    } } },
+                        },
+                        "403": { description: "Missing users:delete permission (admin-only)." },
+                    },
+                },
+            },
             "/api/products": {
                 get: {
                     tags: ["products"],
@@ -542,6 +684,25 @@ export function buildOpenApiSpec(version) {
                         "403": { description: "Missing products:read permission." },
                     },
                 },
+                post: {
+                    tags: ["products"],
+                    summary: "Create a new product (strict create — 409 on conflict; PUT for upsert).",
+                    description: "Strict create-only variant of PUT. Same tenancy + typo-guard posture. Returns 409 when a product with body.id already exists. Body must include id + name; tools[] entries must reference registered MCP tool names (typo → 422).",
+                    requestBody: {
+                        required: true,
+                        content: { "application/json": { schema: { type: "object", additionalProperties: true } } },
+                    },
+                    responses: {
+                        "201": { description: "Created.", content: { "application/json": { schema: { type: "object", properties: {
+                                            product: { type: "object", additionalProperties: true },
+                                            persisted: { type: "boolean" },
+                                        } } } } },
+                        "400": { description: "Body invalid (missing id / shape rejected by validateProduct)." },
+                        "403": { description: "Missing products:write permission, or non-admin attempting to create in another tenant." },
+                        "409": { description: "Product with that id already exists — use PUT to update." },
+                        "422": { description: "tools[] references unknown tool names. Body includes `unknown` + `available`; error code OMCP_PRODUCT_UNKNOWN_TOOL." },
+                    },
+                },
             },
             "/api/products/{id}": {
                 get: {
@@ -577,6 +738,7 @@ export function buildOpenApiSpec(version) {
                         "400": { description: "Body shape invalid (validateProduct rejected — typo, unknown key, wrong type, ...)." },
                         "403": { description: "Missing products:write permission, or non-admin attempting to write into another tenant." },
                         "404": { description: "Existing product belongs to a different tenant (non-admin)." },
+                        "422": { description: "tools[] references unknown tool names. Body includes `unknown` + `available`; error code OMCP_PRODUCT_UNKNOWN_TOOL." },
                     },
                 },
                 delete: {
@@ -592,6 +754,52 @@ export function buildOpenApiSpec(version) {
                     },
                 },
             },
+            "/api/products/{id}/preview": {
+                get: {
+                    tags: ["products"],
+                    summary: "Agent preview — the filtered tools/list a credential bound to this product would receive.",
+                    description: "Same tenancy + staging filter as GET /api/products/{id}. Returns the product's branding/identity metadata + the registered MCP tools after applying its tools allow-list. The UI uses this for the per-card 'Preview as agent' affordance.",
+                    parameters: [
+                        { name: "id", in: "path", required: true, schema: { type: "string" } },
+                    ],
+                    responses: {
+                        "200": {
+                            description: "Preview payload.",
+                            content: { "application/json": { schema: {
+                                        type: "object",
+                                        required: ["product", "unrestricted", "tools"],
+                                        properties: {
+                                            product: {
+                                                type: "object",
+                                                properties: {
+                                                    id: { type: "string" },
+                                                    name: { type: "string" },
+                                                    version: { type: "string" },
+                                                    branding: { type: "object", additionalProperties: true },
+                                                    tenant: { type: "string" },
+                                                    status: { type: "string" },
+                                                },
+                                            },
+                                            unrestricted: { type: "boolean", description: "True when the product has no tools allow-list — the bound agent sees every registered tool." },
+                                            tools: {
+                                                type: "array",
+                                                items: {
+                                                    type: "object",
+                                                    properties: {
+                                                        name: { type: "string" },
+                                                        category: { type: "string", enum: ["discovery", "query", "diagnose", "topology"] },
+                                                        summary: { type: "string" },
+                                                    },
+                                                },
+                                            },
+                                        },
+                                    } } },
+                        },
+                        "404": { description: "Not found (or hidden by tenant / staging scope)." },
+                        "403": { description: "Missing products:read permission." },
+                    },
+                },
+            },
             "/api/catalog": {
                 get: {
                     tags: ["catalog"],

package/dist/openapi.test.js

@@ -13,6 +13,7 @@ test("openapi — every user-visible /api path is documented", () => {
         "/api/sources/{name}",
         "/api/sources/{name}/metrics",
         "/api/source-types",
+        "/api/tools/registry",
         "/api/settings",
         "/api/health-thresholds",
         "/api/me",
@@ -24,9 +25,13 @@ test("openapi — every user-visible /api path is documented", () => {
         "/api/audit",
         "/api/usage",
         "/api/policy",
+        "/api/subjects",
+        "/api/users/{username}/roles",
+        "/api/policy/roles/{name}",
         "/api/catalog",
         "/api/products",
         "/api/products/{id}",
+        "/api/products/{id}/preview",
         "/api/info",
         "/api/openapi.json",
     ];
@@ -62,3 +67,32 @@ test("openapi — info.version is the version string the caller passed in", () =
     const spec = buildOpenApiSpec("9.9.9-test");
     assert.equal(spec.info?.version, "9.9.9-test");
 });
+test("openapi — SOURCE_SCHEMA exposes the tenant field (tenant-aware sources contract)", () => {
+    // Source entries gained a `tenant` field when per-tenant connector
+    // scoping shipped. The spec is the contract operators write
+    // generated clients against — drift = broken downstream clients.
+    const spec = buildOpenApiSpec("test-1.0.0");
+    // SOURCE_SCHEMA is inlined into both `items` of GET /api/sources and
+    // the requestBody of POST/PUT — pick the GET response, the canonical
+    // read path.
+    const sources = spec.paths?.["/api/sources"]?.get;
+    const items = sources.responses["200"].content["application/json"].schema.items;
+    assert.ok(items.properties.tenant, "SOURCE_SCHEMA must document `tenant` (added when per-tenant scoping shipped)");
+});
+test("openapi — /api/sources GET documents the admin `?tenant=` drill-down query param", () => {
+    const spec = buildOpenApiSpec("test-1.0.0");
+    const get = spec.paths?.["/api/sources"]?.get;
+    const params = get.parameters || [];
+    const tenantParam = params.find((p) => p.name === "tenant" && p.in === "query");
+    assert.ok(tenantParam, "GET /api/sources must document the admin `?tenant=` drill-down param");
+});
+test("openapi — /api/policy GET documents the `?tenant=` probe param + `tenantAware` snapshot field", () => {
+    const spec = buildOpenApiSpec("test-1.0.0");
+    const get = spec.paths?.["/api/policy"]?.get;
+    const params = get.parameters || [];
+    assert.ok(params.some((p) => p.name === "tenant" && p.in === "query"), "GET /api/policy must document the `?tenant=` probe param");
+    const schema = get.responses["200"].content["application/json"].schema;
+    assert.ok(schema.properties.tenantAware, "snapshot must document the `tenantAware` field");
+    const dryRun = schema.properties.dryRun;
+    assert.ok(dryRun?.properties?.tenant, "dryRun must echo the `tenant` field so operators see which tenant the verdict ran under");
+});

package/dist/policy/redact.js

@@ -31,7 +31,7 @@ const PATTERNS = [
     // - PEM private-key blocks: greedy match across newlines.
     { category: "aws-key", re: /\b(?:AKIA|ASIA|AROA)[0-9A-Z]{16,20}\b/g },
     { category: "slack-token", re: /\bxox[abprsu]-[A-Za-z0-9-]{10,}\b/g },
-    { category: "gh-pat", re: /\b(?:github_pat_[A-Za-z0-9_]{40,}|gh[opsuru]_[A-Za-z0-9]{36})\b/g },
+    { category: "gh-pat", re: /\b(?:github_pat_[A-Za-z0-9_]{40,}|gh[oprsu]_[A-Za-z0-9]{36})\b/g },
     { category: "private-key", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----/g },
     // emails before other patterns so they don't get eaten partially
     { category: "email", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,24}\b/g },

package/dist/postmortem/store.d.ts

@@ -0,0 +1,34 @@
+import type { PostmortemReport } from "./synthesizer.js";
+export interface StoredPostmortem {
+    id: string;
+    /** RFC-3339 timestamp of when the report was generated. */
+    ts: string;
+    /** Subject identity that called generate_postmortem. */
+    createdBy: string;
+    /** Tenant the report belongs to. */
+    tenant: string;
+    /** The shipped report shape — service + window + synopsis +
+     *  markdown + sections. */
+    report: PostmortemReport;
+}
+export declare class PostmortemStore {
+    private readonly path;
+    private entries;
+    private bootstrapped;
+    constructor(path: string);
+    load(): Promise<void>;
+    /** List entries, newest-first. Optionally scoped to a tenant. */
+    list(tenant?: string): StoredPostmortem[];
+    get(id: string, tenant?: string): StoredPostmortem | undefined;
+    /** Append a freshly-generated report. Returns the stored entry
+     *  with its assigned id + ts. */
+    append(input: {
+        report: PostmortemReport;
+        createdBy: string;
+        tenant: string;
+    }): Promise<StoredPostmortem>;
+    /** Delete one entry by id. Atomic rewrite. Returns whether
+     *  anything was removed. */
+    delete(id: string, tenant?: string): Promise<boolean>;
+    private rewrite;
+}

package/dist/postmortem/store.js

@@ -0,0 +1,113 @@
+// PostmortemStore — file-backed JSONL persistence for
+// generate_postmortem output.
+//
+// Design notes:
+//   - One JSON object per line (append-only). Cheap to tail, cheap
+//     to scan, surives crashes mid-write (the partial line is just
+//     ignored on load).
+//   - load() reads the whole file into an in-memory array (in
+//     practice operators don't accumulate thousands; the tool
+//     produces one report per incident).
+//   - delete() rewrites the file atomically (tmp + rename). Same
+//     pattern as the SCIM store from F21.
+//
+// The schema is intentionally narrow — we store what the tool's
+// PostmortemReport already returns plus an id, ts, and createdBy.
+import { readFile, writeFile, mkdir, rename, appendFile } from "node:fs/promises";
+import { dirname } from "node:path";
+import { randomUUID } from "node:crypto";
+export class PostmortemStore {
+    path;
+    entries = [];
+    bootstrapped = null;
+    constructor(path) {
+        this.path = path;
+    }
+    async load() {
+        if (this.bootstrapped)
+            return this.bootstrapped;
+        this.bootstrapped = (async () => {
+            try {
+                const raw = await readFile(this.path, "utf8");
+                const out = [];
+                for (const line of raw.split("\n")) {
+                    const t = line.trim();
+                    if (!t)
+                        continue;
+                    try {
+                        const obj = JSON.parse(t);
+                        if (obj && typeof obj.id === "string")
+                            out.push(obj);
+                    }
+                    catch {
+                        // Partial / corrupt line — skip, don't fail load. The
+                        // operator can purge by re-saving with delete().
+                    }
+                }
+                this.entries = out;
+            }
+            catch (err) {
+                if (err.code === "ENOENT") {
+                    this.entries = [];
+                    return;
+                }
+                console.warn(`[postmortem-store] failed to load ${this.path}: ${err.message} — starting empty`);
+                this.entries = [];
+            }
+        })();
+        return this.bootstrapped;
+    }
+    /** List entries, newest-first. Optionally scoped to a tenant. */
+    list(tenant) {
+        const src = tenant ? this.entries.filter((e) => e.tenant === tenant) : this.entries;
+        return src.slice().sort((a, b) => b.ts.localeCompare(a.ts));
+    }
+    get(id, tenant) {
+        const e = this.entries.find((x) => x.id === id);
+        if (!e)
+            return undefined;
+        if (tenant && e.tenant !== tenant)
+            return undefined;
+        return e;
+    }
+    /** Append a freshly-generated report. Returns the stored entry
+     *  with its assigned id + ts. */
+    async append(input) {
+        const entry = {
+            id: randomUUID(),
+            ts: new Date().toISOString(),
+            createdBy: input.createdBy,
+            tenant: input.tenant,
+            report: input.report,
+        };
+        this.entries.push(entry);
+        await mkdir(dirname(this.path), { recursive: true }).catch(() => undefined);
+        // Append-only — atomic enough for a JSONL (one write = one
+        // syscall; partial writes are skipped on load).
+        await appendFile(this.path, JSON.stringify(entry) + "\n", { mode: 0o600 });
+        return entry;
+    }
+    /** Delete one entry by id. Atomic rewrite. Returns whether
+     *  anything was removed. */
+    async delete(id, tenant) {
+        const before = this.entries.length;
+        this.entries = this.entries.filter((e) => {
+            if (e.id !== id)
+                return true;
+            if (tenant && e.tenant !== tenant)
+                return true;
+            return false;
+        });
+        if (this.entries.length === before)
+            return false;
+        await this.rewrite();
+        return true;
+    }
+    async rewrite() {
+        await mkdir(dirname(this.path), { recursive: true }).catch(() => undefined);
+        const body = this.entries.map((e) => JSON.stringify(e)).join("\n") + (this.entries.length ? "\n" : "");
+        const tmp = `${this.path}.tmp`;
+        await writeFile(tmp, body, { mode: 0o600 });
+        await rename(tmp, this.path);
+    }
+}

package/dist/postmortem/store.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/postmortem/store.test.js

@@ -0,0 +1,118 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, statSync, existsSync, readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { PostmortemStore } from "./store.js";
+function tmpStore() {
+    return join(mkdtempSync(join(tmpdir(), "pmstore-")), "postmortems.jsonl");
+}
+function fakeReport(service = "payment") {
+    return {
+        service,
+        window: "1h",
+        fromIso: "2026-06-06T00:00:00.000Z",
+        toIso: "2026-06-06T01:00:00.000Z",
+        synopsis: "test",
+        markdown: "# Test",
+        sections: {
+            timeline: [],
+            blastRadius: { nodes: [], edgeCount: 0 },
+            topTraces: [],
+            contributingSignals: [],
+            followUps: [],
+            logHighlights: [],
+        },
+    };
+}
+test("PostmortemStore: load() on missing file → empty list", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    assert.deepEqual(s.list(), []);
+});
+test("PostmortemStore: append issues UUID + ISO ts, persists JSONL", async () => {
+    const path = tmpStore();
+    const s = new PostmortemStore(path);
+    await s.load();
+    const stored = await s.append({ report: fakeReport(), createdBy: "alice", tenant: "default" });
+    assert.match(stored.id, /^[0-9a-f-]{36}$/);
+    assert.match(stored.ts, /^\d{4}-\d{2}-\d{2}T/);
+    assert.equal(stored.report.service, "payment");
+    // disk format is one JSON per line
+    const raw = readFileSync(path, "utf8");
+    assert.equal(raw.split("\n").filter((l) => l).length, 1);
+    assert.equal(statSync(path).mode & 0o777, 0o600);
+});
+test("PostmortemStore: list() returns newest-first", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    await s.append({ report: fakeReport("a"), createdBy: "u", tenant: "t" });
+    await new Promise((r) => setTimeout(r, 5));
+    await s.append({ report: fakeReport("b"), createdBy: "u", tenant: "t" });
+    const out = s.list();
+    assert.equal(out[0].report.service, "b");
+    assert.equal(out[1].report.service, "a");
+});
+test("PostmortemStore: list(tenant) scopes correctly", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    await s.append({ report: fakeReport("a"), createdBy: "u", tenant: "alpha" });
+    await s.append({ report: fakeReport("b"), createdBy: "u", tenant: "beta" });
+    assert.equal(s.list("alpha").length, 1);
+    assert.equal(s.list("alpha")[0].report.service, "a");
+});
+test("PostmortemStore: get() by id, tenant-scoped", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    const e = await s.append({ report: fakeReport(), createdBy: "u", tenant: "alpha" });
+    assert.equal(s.get(e.id)?.id, e.id);
+    assert.equal(s.get(e.id, "alpha")?.id, e.id);
+    // wrong tenant → undefined
+    assert.equal(s.get(e.id, "beta"), undefined);
+    assert.equal(s.get("nope"), undefined);
+});
+test("PostmortemStore: delete() rewrites file + scoped by tenant", async () => {
+    const path = tmpStore();
+    const s = new PostmortemStore(path);
+    await s.load();
+    const e1 = await s.append({ report: fakeReport("a"), createdBy: "u", tenant: "alpha" });
+    await s.append({ report: fakeReport("b"), createdBy: "u", tenant: "beta" });
+    // wrong tenant → no-op
+    assert.equal(await s.delete(e1.id, "beta"), false);
+    assert.equal(s.list().length, 2);
+    // correct tenant → removed
+    assert.equal(await s.delete(e1.id, "alpha"), true);
+    assert.equal(s.list().length, 1);
+    // disk reflects the rewrite
+    const raw = readFileSync(path, "utf8");
+    assert.equal(raw.split("\n").filter((l) => l).length, 1);
+});
+test("PostmortemStore: delete() missing id → false", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    assert.equal(await s.delete("nope"), false);
+});
+test("PostmortemStore: round-trip through disk (load after append sees entries)", async () => {
+    const path = tmpStore();
+    const a = new PostmortemStore(path);
+    await a.load();
+    await a.append({ report: fakeReport("a"), createdBy: "u", tenant: "default" });
+    await a.append({ report: fakeReport("b"), createdBy: "u", tenant: "default" });
+    const b = new PostmortemStore(path);
+    await b.load();
+    assert.equal(b.list().length, 2);
+});
+test("PostmortemStore: load skips corrupt lines", async () => {
+    const path = tmpStore();
+    // Hand-write a file with one good + one garbage line
+    const a = new PostmortemStore(path);
+    await a.load();
+    await a.append({ report: fakeReport(), createdBy: "u", tenant: "default" });
+    const fs = await import("node:fs/promises");
+    await fs.appendFile(path, "{not valid json\n");
+    const b = new PostmortemStore(path);
+    await b.load();
+    // Good entry survived; corrupt line ignored.
+    assert.equal(b.list().length, 1);
+    assert.ok(existsSync(path));
+});