@vfarcic/dot-ai 1.7.0 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/ai-provider-factory.d.ts.map +1 -1
- package/dist/core/ai-provider-factory.js +1 -2
- package/dist/core/embedding-service.d.ts.map +1 -1
- package/dist/core/model-config.d.ts +3 -4
- package/dist/core/model-config.d.ts.map +1 -1
- package/dist/core/model-config.js +4 -5
- package/dist/core/providers/vercel-provider.d.ts.map +1 -1
- package/dist/core/providers/vercel-provider.js +6 -5
- package/dist/core/rbac/audit-logger.d.ts +23 -0
- package/dist/core/rbac/audit-logger.d.ts.map +1 -0
- package/dist/core/rbac/audit-logger.js +63 -0
- package/dist/core/rbac/check-access.d.ts +48 -0
- package/dist/core/rbac/check-access.d.ts.map +1 -0
- package/dist/core/rbac/check-access.js +156 -0
- package/dist/core/rbac/index.d.ts +3 -0
- package/dist/core/rbac/index.d.ts.map +1 -0
- package/dist/core/rbac/index.js +11 -0
- package/dist/core/schema.d.ts.map +1 -1
- package/dist/core/schema.js +14 -1
- package/dist/interfaces/mcp.d.ts.map +1 -1
- package/dist/interfaces/mcp.js +129 -44
- package/dist/interfaces/rest-api.d.ts.map +1 -1
- package/dist/interfaces/rest-api.js +70 -1
- package/dist/tools/generate-manifests.d.ts.map +1 -1
- package/dist/tools/generate-manifests.js +22 -2
- package/dist/tools/manage-knowledge.d.ts.map +1 -1
- package/dist/tools/manage-knowledge.js +20 -0
- package/dist/tools/operate.d.ts.map +1 -1
- package/dist/tools/operate.js +37 -0
- package/dist/tools/organizational-data.d.ts.map +1 -1
- package/dist/tools/organizational-data.js +27 -0
- package/dist/tools/recommend.d.ts.map +1 -1
- package/dist/tools/recommend.js +24 -0
- package/dist/tools/remediate.d.ts.map +1 -1
- package/dist/tools/remediate.js +67 -18
- package/package.json +12 -9
- package/shared-prompts/prd-update-decisions.md +7 -0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ai-provider-factory.d.ts","sourceRoot":"","sources":["../../src/core/ai-provider-factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,UAAU,EACV,gBAAgB,EACjB,MAAM,yBAAyB,CAAC;
|
|
1
|
+
{"version":3,"file":"ai-provider-factory.d.ts","sourceRoot":"","sources":["../../src/core/ai-provider-factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACL,UAAU,EACV,gBAAgB,EACjB,MAAM,yBAAyB,CAAC;AA6BjC;;;;;;;;;;;;;;GAcG;AACH,qBAAa,iBAAiB;IAC5B;;;;;;OAMG;IACH,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,gBAAgB,GAAG,UAAU;IA2BnD;;;;;;;;;;OAUG;IACH,MAAM,CAAC,aAAa,IAAI,UAAU;IAoFlC;;;;;OAKG;IACH,MAAM,CAAC,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAWrD;;;;OAIG;IACH,MAAM,CAAC,qBAAqB,IAAI,MAAM,EAAE;IAMxC;;;;;OAKG;IACH,MAAM,CAAC,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;CAGxD;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,UAAU,CAE7C"}
|
|
@@ -27,8 +27,7 @@ const PROVIDER_ENV_KEYS = {
|
|
|
27
27
|
openai: 'OPENAI_API_KEY',
|
|
28
28
|
google: 'GOOGLE_GENERATIVE_AI_API_KEY', // Standard Vercel AI SDK env var (also checks GOOGLE_API_KEY as fallback)
|
|
29
29
|
google_flash: 'GOOGLE_GENERATIVE_AI_API_KEY', // PRD #294: Uses same API key as regular Google
|
|
30
|
-
kimi: 'MOONSHOT_API_KEY', // PRD #
|
|
31
|
-
kimi_thinking: 'MOONSHOT_API_KEY', // PRD #237: Uses same API key as regular Kimi
|
|
30
|
+
kimi: 'MOONSHOT_API_KEY', // PRD #353: Moonshot AI Kimi K2.5
|
|
32
31
|
xai: 'XAI_API_KEY',
|
|
33
32
|
};
|
|
34
33
|
const IMPLEMENTED_PROVIDERS = Object.keys(model_config_1.CURRENT_MODELS);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"embedding-service.d.ts","sourceRoot":"","sources":["../../src/core/embedding-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,EAEL,mBAAmB,EAEpB,MAAM,mBAAmB,CAAC;AAc3B;;GAEG;AACH,eAAO,MAAM,mBAAmB,iDAItB,CAAC;AACX,MAAM,MAAM,qBAAqB,GAAG,CAAC,OAAO,mBAAmB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACnD,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzD,WAAW,IAAI,OAAO,CAAC;IACvB,aAAa,IAAI,MAAM,CAAC;IACxB,QAAQ,IAAI,MAAM,CAAC;CACpB;AAgBD;;;GAGG;AACH,qBAAa,uBAAwB,YAAW,iBAAiB;IAC/D,OAAO,CAAC,YAAY,CAAwB;IAC5C,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,aAAa,
|
|
1
|
+
{"version":3,"file":"embedding-service.d.ts","sourceRoot":"","sources":["../../src/core/embedding-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,EAEL,mBAAmB,EAEpB,MAAM,mBAAmB,CAAC;AAc3B;;GAEG;AACH,eAAO,MAAM,mBAAmB,iDAItB,CAAC;AACX,MAAM,MAAM,qBAAqB,GAAG,CAAC,OAAO,mBAAmB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACnD,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzD,WAAW,IAAI,OAAO,CAAC;IACvB,aAAa,IAAI,MAAM,CAAC;IACxB,QAAQ,IAAI,MAAM,CAAC;CACpB;AAgBD;;;GAGG;AACH,qBAAa,uBAAwB,YAAW,iBAAiB;IAC/D,OAAO,CAAC,YAAY,CAAwB;IAC5C,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,aAAa,CAA6B;gBAEtC,MAAM,EAAE,eAAe,GAAG;QAAE,QAAQ,EAAE,qBAAqB,CAAA;KAAE;IAmFnE,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAgElD,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;IA2E9D,WAAW,IAAI,OAAO;IAItB,aAAa,IAAI,MAAM;IAIvB,QAAQ,IAAI,MAAM;IAIlB,eAAe,IAAI,MAAM;CAG1B;AAqCD;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAA2B;gBAE/B,MAAM,GAAE,eAAoB;IAKxC;;;OAGG;IACG,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAgBxD;;;OAGG;IACG,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;IAiB9D;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;IACH,aAAa,IAAI,MAAM;IAIvB;;OAEG;IACH,SAAS,IAAI;QACX,SAAS,EAAE,OAAO,CAAC;QACnB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;IAqCD;;OAEG;IACH,uBAAuB,CAAC,OAAO,EAAE;QAC/B,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,kBAAkB,EAAE,MAAM,EAAE,CAAC;QAC7B,SAAS,EAAE,MAAM,CAAC;KACnB,GAAG,MAAM;IAYV;;;OAGG;IACH,sBAAsB,IAAI,mBAAmB,GAAG,IAAI;CAGrD"}
|
|
@@ -8,15 +8,14 @@ export declare const CURRENT_MODELS: {
|
|
|
8
8
|
readonly anthropic: "claude-sonnet-4-6";
|
|
9
9
|
readonly anthropic_opus: "claude-opus-4-6";
|
|
10
10
|
readonly anthropic_haiku: "claude-haiku-4-5-20251001";
|
|
11
|
-
readonly openai: "gpt-5.
|
|
11
|
+
readonly openai: "gpt-5.4";
|
|
12
12
|
readonly google: "gemini-3.1-pro-preview";
|
|
13
13
|
readonly google_flash: "gemini-3-flash-preview";
|
|
14
|
-
readonly kimi: "kimi-k2
|
|
15
|
-
readonly kimi_thinking: "kimi-k2-thinking";
|
|
14
|
+
readonly kimi: "kimi-k2.5";
|
|
16
15
|
readonly xai: "grok-4";
|
|
17
16
|
readonly host: "host";
|
|
18
17
|
readonly openrouter: "anthropic/claude-haiku-4.5";
|
|
19
|
-
readonly custom: "gpt-5.
|
|
18
|
+
readonly custom: "gpt-5.4";
|
|
20
19
|
readonly amazon_bedrock: "global.anthropic.claude-sonnet-4-6";
|
|
21
20
|
};
|
|
22
21
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"model-config.d.ts","sourceRoot":"","sources":["../../src/core/model-config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,cAAc
|
|
1
|
+
{"version":3,"file":"model-config.d.ts","sourceRoot":"","sources":["../../src/core/model-config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,cAAc;;;;;;;;;;;;;CAajB,CAAC;AAEX;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,OAAO,cAAc,GAAG,MAAM,CAE7E"}
|
|
@@ -12,16 +12,15 @@ exports.CURRENT_MODELS = {
|
|
|
12
12
|
anthropic: 'claude-sonnet-4-6',
|
|
13
13
|
anthropic_opus: 'claude-opus-4-6',
|
|
14
14
|
anthropic_haiku: 'claude-haiku-4-5-20251001',
|
|
15
|
-
openai: 'gpt-5.
|
|
15
|
+
openai: 'gpt-5.4',
|
|
16
16
|
google: 'gemini-3.1-pro-preview',
|
|
17
17
|
google_flash: 'gemini-3-flash-preview', // PRD #294: Gemini 3 Flash - faster/cheaper variant with same 1M context
|
|
18
|
-
kimi: 'kimi-k2
|
|
19
|
-
kimi_thinking: 'kimi-k2-thinking', // PRD #237: Moonshot AI Kimi K2 - extended thinking variant
|
|
18
|
+
kimi: 'kimi-k2.5', // PRD #353: Moonshot AI Kimi K2.5 - single model with thinking by default, 256K context
|
|
20
19
|
xai: 'grok-4',
|
|
21
20
|
host: 'host', // Delegates generation to the client via MCP Sampling
|
|
22
21
|
openrouter: 'anthropic/claude-haiku-4.5', // PRD #194: OpenRouter default model (overridden by AI_MODEL env var)
|
|
23
|
-
custom: 'gpt-5.
|
|
24
|
-
amazon_bedrock: 'global.anthropic.claude-sonnet-4-6' // PRD #175: Amazon Bedrock default model (overridden by AI_MODEL env var)
|
|
22
|
+
custom: 'gpt-5.4', // PRD #194: Custom endpoint default model (overridden by AI_MODEL env var)
|
|
23
|
+
amazon_bedrock: 'global.anthropic.claude-sonnet-4-6', // PRD #175: Amazon Bedrock default model (overridden by AI_MODEL env var)
|
|
25
24
|
};
|
|
26
25
|
/**
|
|
27
26
|
* Get current model for a provider
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vercel-provider.d.ts","sourceRoot":"","sources":["../../../src/core/providers/vercel-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;
|
|
1
|
+
{"version":3,"file":"vercel-provider.d.ts","sourceRoot":"","sources":["../../../src/core/providers/vercel-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,OAAO,EACL,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,cAAc,EACd,aAAa,EACd,MAAM,0BAA0B,CAAC;AA4DlC,qBAAa,cAAe,YAAW,UAAU;IAC/C,OAAO,CAAC,YAAY,CAAoB;IACxC,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,OAAO,CAAC,CAAS;IACzB,OAAO,CAAC,aAAa,CAAiB;gBAE1B,MAAM,EAAE,gBAAgB;IAWpC,OAAO,CAAC,qBAAqB;IAiB7B,OAAO,CAAC,eAAe;IAwFvB,eAAe,IAAI,MAAM;IAIzB,eAAe,IAAI,MAAM;IAIzB,YAAY,IAAI,MAAM;IAItB,aAAa,IAAI,OAAO;IAIxB,OAAO,CAAC,iBAAiB;IAyBnB,WAAW,CACf,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,MAAkB,EAC7B,iBAAiB,CAAC,EAAE;QAClB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GACA,OAAO,CAAC,UAAU,CAAC;IAsJtB;;;;;;;;;;;;OAYG;IACG,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;CA6b/D"}
|
|
@@ -9,6 +9,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
9
9
|
exports.VercelProvider = void 0;
|
|
10
10
|
const ai_1 = require("ai");
|
|
11
11
|
const openai_1 = require("@ai-sdk/openai");
|
|
12
|
+
const openai_compatible_1 = require("@ai-sdk/openai-compatible");
|
|
12
13
|
const google_1 = require("@ai-sdk/google");
|
|
13
14
|
const anthropic_1 = require("@ai-sdk/anthropic");
|
|
14
15
|
const xai_1 = require("@ai-sdk/xai");
|
|
@@ -75,15 +76,15 @@ class VercelProvider {
|
|
|
75
76
|
provider = (0, xai_1.createXai)({ apiKey: this.apiKey });
|
|
76
77
|
break;
|
|
77
78
|
case 'kimi':
|
|
78
|
-
|
|
79
|
-
//
|
|
80
|
-
// Use .chat() explicitly to use /chat/completions instead of /responses
|
|
79
|
+
// PRD #353: Moonshot AI Kimi K2.5 - uses @ai-sdk/openai-compatible for proper
|
|
80
|
+
// reasoning_content preservation in multi-turn tool calling
|
|
81
81
|
// Use global endpoint (api.moonshot.ai) - China endpoint (api.moonshot.cn) requires China-specific API keys
|
|
82
|
-
provider = (0,
|
|
82
|
+
provider = (0, openai_compatible_1.createOpenAICompatible)({
|
|
83
|
+
name: 'kimi',
|
|
83
84
|
apiKey: this.apiKey,
|
|
84
85
|
baseURL: 'https://api.moonshot.ai/v1',
|
|
85
86
|
});
|
|
86
|
-
this.modelInstance = provider.
|
|
87
|
+
this.modelInstance = provider.chatModel(this.model);
|
|
87
88
|
return; // Early return - model instance already set
|
|
88
89
|
case 'amazon_bedrock':
|
|
89
90
|
// PRD #175: Amazon Bedrock provider
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* RBAC Audit Logger (PRD #392 Milestone 5)
|
|
3
|
+
*
|
|
4
|
+
* Logs all authorization decisions and user management operations
|
|
5
|
+
* for traceability. Uses a dedicated "RBAC-Audit" component name
|
|
6
|
+
* so entries can be filtered with grep/jq in pod logs.
|
|
7
|
+
*/
|
|
8
|
+
import type { UserIdentity } from '../../interfaces/oauth/types';
|
|
9
|
+
import type { RbacCheckParams, RbacCheckResult } from './check-access';
|
|
10
|
+
/**
|
|
11
|
+
* Log a tool access authorization decision (allowed or denied).
|
|
12
|
+
*
|
|
13
|
+
* Called automatically from checkToolAccess() for every RBAC evaluation.
|
|
14
|
+
* Token user access is logged at DEBUG level to reduce noise.
|
|
15
|
+
*/
|
|
16
|
+
export declare function logToolAccessDecision(identity: UserIdentity | undefined, params: RbacCheckParams, result: RbacCheckResult): void;
|
|
17
|
+
/**
|
|
18
|
+
* Log a successful user management operation (create or delete).
|
|
19
|
+
*
|
|
20
|
+
* Called from REST API handlers after the operation completes successfully.
|
|
21
|
+
*/
|
|
22
|
+
export declare function logUserManagementOperation(identity: UserIdentity | undefined, operation: 'created' | 'deleted', targetEmail: string): void;
|
|
23
|
+
//# sourceMappingURL=audit-logger.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"audit-logger.d.ts","sourceRoot":"","sources":["../../../src/core/rbac/audit-logger.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAIvE;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,YAAY,GAAG,SAAS,EAClC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,eAAe,GACtB,IAAI,CA4BN;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,YAAY,GAAG,SAAS,EAClC,SAAS,EAAE,SAAS,GAAG,SAAS,EAChC,WAAW,EAAE,MAAM,GAClB,IAAI,CAUN"}
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* RBAC Audit Logger (PRD #392 Milestone 5)
|
|
4
|
+
*
|
|
5
|
+
* Logs all authorization decisions and user management operations
|
|
6
|
+
* for traceability. Uses a dedicated "RBAC-Audit" component name
|
|
7
|
+
* so entries can be filtered with grep/jq in pod logs.
|
|
8
|
+
*/
|
|
9
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
+
exports.logToolAccessDecision = logToolAccessDecision;
|
|
11
|
+
exports.logUserManagementOperation = logUserManagementOperation;
|
|
12
|
+
const error_handling_1 = require("../error-handling");
|
|
13
|
+
const auditLogger = new error_handling_1.ConsoleLogger('RBAC-Audit', error_handling_1.LogLevel.DEBUG);
|
|
14
|
+
/**
|
|
15
|
+
* Log a tool access authorization decision (allowed or denied).
|
|
16
|
+
*
|
|
17
|
+
* Called automatically from checkToolAccess() for every RBAC evaluation.
|
|
18
|
+
* Token user access is logged at DEBUG level to reduce noise.
|
|
19
|
+
*/
|
|
20
|
+
function logToolAccessDecision(identity, params, result) {
|
|
21
|
+
const event = result.allowed ? 'tool.access.allowed' : 'tool.access.denied';
|
|
22
|
+
const data = {
|
|
23
|
+
event,
|
|
24
|
+
userId: identity?.userId,
|
|
25
|
+
email: identity?.email,
|
|
26
|
+
source: identity?.source,
|
|
27
|
+
tool: params.toolName,
|
|
28
|
+
resource: params.resource || 'tools',
|
|
29
|
+
verb: params.verb || 'execute',
|
|
30
|
+
};
|
|
31
|
+
if (params.namespace) {
|
|
32
|
+
data.namespace = params.namespace;
|
|
33
|
+
}
|
|
34
|
+
if (result.reason) {
|
|
35
|
+
data.reason = result.reason;
|
|
36
|
+
}
|
|
37
|
+
if (result.evaluationError) {
|
|
38
|
+
data.evaluationError = result.evaluationError;
|
|
39
|
+
}
|
|
40
|
+
// Token users log at debug level to avoid noise
|
|
41
|
+
if (identity?.source === 'token') {
|
|
42
|
+
auditLogger.debug(event, data);
|
|
43
|
+
}
|
|
44
|
+
else {
|
|
45
|
+
auditLogger.info(event, data);
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
/**
|
|
49
|
+
* Log a successful user management operation (create or delete).
|
|
50
|
+
*
|
|
51
|
+
* Called from REST API handlers after the operation completes successfully.
|
|
52
|
+
*/
|
|
53
|
+
function logUserManagementOperation(identity, operation, targetEmail) {
|
|
54
|
+
const event = `user.${operation}`;
|
|
55
|
+
auditLogger.info(event, {
|
|
56
|
+
event,
|
|
57
|
+
userId: identity?.userId,
|
|
58
|
+
email: identity?.email,
|
|
59
|
+
source: identity?.source,
|
|
60
|
+
operation,
|
|
61
|
+
targetEmail,
|
|
62
|
+
});
|
|
63
|
+
}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* RBAC Enforcement Module (PRD #392 Milestone 1)
|
|
3
|
+
*
|
|
4
|
+
* Wraps Kubernetes SubjectAccessReview to check tool-level permissions
|
|
5
|
+
* for OAuth-authenticated users. Token users bypass RBAC entirely.
|
|
6
|
+
*
|
|
7
|
+
* Uses the virtual API group "dot-ai.devopstoolkit.ai" — no CRDs needed.
|
|
8
|
+
* Kubernetes evaluates RBAC rules as pure string matching on the group,
|
|
9
|
+
* resource, resourceName, and verb fields.
|
|
10
|
+
*/
|
|
11
|
+
import type { UserIdentity } from '../../interfaces/oauth/types';
|
|
12
|
+
/**
|
|
13
|
+
* Whether RBAC enforcement is enabled.
|
|
14
|
+
* When disabled (default), all authenticated users have full access.
|
|
15
|
+
* Set DOT_AI_RBAC_ENABLED=true to enforce tool-level RBAC via SubjectAccessReview.
|
|
16
|
+
*/
|
|
17
|
+
export declare function isRbacEnabled(): boolean;
|
|
18
|
+
export interface RbacCheckResult {
|
|
19
|
+
allowed: boolean;
|
|
20
|
+
reason?: string;
|
|
21
|
+
evaluationError?: string;
|
|
22
|
+
}
|
|
23
|
+
export interface RbacCheckParams {
|
|
24
|
+
toolName: string;
|
|
25
|
+
namespace?: string;
|
|
26
|
+
resource?: string;
|
|
27
|
+
verb?: string;
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Check whether the given identity is authorized to use the specified tool.
|
|
31
|
+
*
|
|
32
|
+
* - Token users (`source: 'token'`) always bypass RBAC.
|
|
33
|
+
* - OAuth users are checked via SubjectAccessReview against the virtual
|
|
34
|
+
* API group `dot-ai.devopstoolkit.ai`.
|
|
35
|
+
*/
|
|
36
|
+
export declare function checkToolAccess(identity: UserIdentity | undefined, params: RbacCheckParams): Promise<RbacCheckResult>;
|
|
37
|
+
/**
|
|
38
|
+
* Check which tools from a list the identity is authorized for.
|
|
39
|
+
* Runs checks in parallel for efficiency.
|
|
40
|
+
*/
|
|
41
|
+
export declare function filterAuthorizedTools<T extends {
|
|
42
|
+
name: string;
|
|
43
|
+
}>(identity: UserIdentity | undefined, tools: T[]): Promise<T[]>;
|
|
44
|
+
/**
|
|
45
|
+
* Reset the cached API client (for testing).
|
|
46
|
+
*/
|
|
47
|
+
export declare function resetAuthzApi(): void;
|
|
48
|
+
//# sourceMappingURL=check-access.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"check-access.d.ts","sourceRoot":"","sources":["../../../src/core/rbac/check-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAMjE;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAaD;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,YAAY,GAAG,SAAS,EAClC,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,eAAe,CAAC,CA8D1B;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,EACpE,QAAQ,EAAE,YAAY,GAAG,SAAS,EAClC,KAAK,EAAE,CAAC,EAAE,GACT,OAAO,CAAC,CAAC,EAAE,CAAC,CAcd;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC"}
|
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* RBAC Enforcement Module (PRD #392 Milestone 1)
|
|
4
|
+
*
|
|
5
|
+
* Wraps Kubernetes SubjectAccessReview to check tool-level permissions
|
|
6
|
+
* for OAuth-authenticated users. Token users bypass RBAC entirely.
|
|
7
|
+
*
|
|
8
|
+
* Uses the virtual API group "dot-ai.devopstoolkit.ai" — no CRDs needed.
|
|
9
|
+
* Kubernetes evaluates RBAC rules as pure string matching on the group,
|
|
10
|
+
* resource, resourceName, and verb fields.
|
|
11
|
+
*/
|
|
12
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
13
|
+
if (k2 === undefined) k2 = k;
|
|
14
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
15
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
16
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
17
|
+
}
|
|
18
|
+
Object.defineProperty(o, k2, desc);
|
|
19
|
+
}) : (function(o, m, k, k2) {
|
|
20
|
+
if (k2 === undefined) k2 = k;
|
|
21
|
+
o[k2] = m[k];
|
|
22
|
+
}));
|
|
23
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
24
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
25
|
+
}) : function(o, v) {
|
|
26
|
+
o["default"] = v;
|
|
27
|
+
});
|
|
28
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
29
|
+
var ownKeys = function(o) {
|
|
30
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
31
|
+
var ar = [];
|
|
32
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
33
|
+
return ar;
|
|
34
|
+
};
|
|
35
|
+
return ownKeys(o);
|
|
36
|
+
};
|
|
37
|
+
return function (mod) {
|
|
38
|
+
if (mod && mod.__esModule) return mod;
|
|
39
|
+
var result = {};
|
|
40
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
41
|
+
__setModuleDefault(result, mod);
|
|
42
|
+
return result;
|
|
43
|
+
};
|
|
44
|
+
})();
|
|
45
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
46
|
+
exports.isRbacEnabled = isRbacEnabled;
|
|
47
|
+
exports.checkToolAccess = checkToolAccess;
|
|
48
|
+
exports.filterAuthorizedTools = filterAuthorizedTools;
|
|
49
|
+
exports.resetAuthzApi = resetAuthzApi;
|
|
50
|
+
const k8s = __importStar(require("@kubernetes/client-node"));
|
|
51
|
+
const audit_logger_1 = require("./audit-logger");
|
|
52
|
+
const RBAC_API_GROUP = 'dot-ai.devopstoolkit.ai';
|
|
53
|
+
const RBAC_VERB = 'execute';
|
|
54
|
+
/**
|
|
55
|
+
* Whether RBAC enforcement is enabled.
|
|
56
|
+
* When disabled (default), all authenticated users have full access.
|
|
57
|
+
* Set DOT_AI_RBAC_ENABLED=true to enforce tool-level RBAC via SubjectAccessReview.
|
|
58
|
+
*/
|
|
59
|
+
function isRbacEnabled() {
|
|
60
|
+
return process.env.DOT_AI_RBAC_ENABLED === 'true';
|
|
61
|
+
}
|
|
62
|
+
let authzApi;
|
|
63
|
+
function getAuthzApi() {
|
|
64
|
+
if (!authzApi) {
|
|
65
|
+
const kc = new k8s.KubeConfig();
|
|
66
|
+
kc.loadFromDefault();
|
|
67
|
+
authzApi = kc.makeApiClient(k8s.AuthorizationV1Api);
|
|
68
|
+
}
|
|
69
|
+
return authzApi;
|
|
70
|
+
}
|
|
71
|
+
/**
|
|
72
|
+
* Check whether the given identity is authorized to use the specified tool.
|
|
73
|
+
*
|
|
74
|
+
* - Token users (`source: 'token'`) always bypass RBAC.
|
|
75
|
+
* - OAuth users are checked via SubjectAccessReview against the virtual
|
|
76
|
+
* API group `dot-ai.devopstoolkit.ai`.
|
|
77
|
+
*/
|
|
78
|
+
async function checkToolAccess(identity, params) {
|
|
79
|
+
// No identity — deny
|
|
80
|
+
if (!identity) {
|
|
81
|
+
const result = { allowed: false, reason: 'No identity available' };
|
|
82
|
+
(0, audit_logger_1.logToolAccessDecision)(identity, params, result);
|
|
83
|
+
return result;
|
|
84
|
+
}
|
|
85
|
+
// Token users bypass RBAC (backward-compatible)
|
|
86
|
+
if (identity.source === 'token') {
|
|
87
|
+
const result = { allowed: true };
|
|
88
|
+
(0, audit_logger_1.logToolAccessDecision)(identity, params, result);
|
|
89
|
+
return result;
|
|
90
|
+
}
|
|
91
|
+
// RBAC disabled — all authenticated users have full access
|
|
92
|
+
if (!isRbacEnabled()) {
|
|
93
|
+
return { allowed: true };
|
|
94
|
+
}
|
|
95
|
+
const resource = params.resource || 'tools';
|
|
96
|
+
const verb = params.verb || RBAC_VERB;
|
|
97
|
+
try {
|
|
98
|
+
const api = getAuthzApi();
|
|
99
|
+
const review = await api.createSubjectAccessReview({
|
|
100
|
+
body: {
|
|
101
|
+
apiVersion: 'authorization.k8s.io/v1',
|
|
102
|
+
kind: 'SubjectAccessReview',
|
|
103
|
+
spec: {
|
|
104
|
+
user: identity.email,
|
|
105
|
+
groups: identity.groups,
|
|
106
|
+
resourceAttributes: {
|
|
107
|
+
group: RBAC_API_GROUP,
|
|
108
|
+
resource,
|
|
109
|
+
name: params.toolName,
|
|
110
|
+
verb,
|
|
111
|
+
...(params.namespace ? { namespace: params.namespace } : {}),
|
|
112
|
+
},
|
|
113
|
+
},
|
|
114
|
+
},
|
|
115
|
+
});
|
|
116
|
+
const status = review.status;
|
|
117
|
+
const result = {
|
|
118
|
+
allowed: status?.allowed ?? false,
|
|
119
|
+
reason: status?.reason ||
|
|
120
|
+
(status?.allowed ? undefined : 'Access denied by RBAC policy'),
|
|
121
|
+
};
|
|
122
|
+
(0, audit_logger_1.logToolAccessDecision)(identity, params, result);
|
|
123
|
+
return result;
|
|
124
|
+
}
|
|
125
|
+
catch (error) {
|
|
126
|
+
const message = error instanceof Error ? error.message : String(error);
|
|
127
|
+
const result = {
|
|
128
|
+
allowed: false,
|
|
129
|
+
reason: 'RBAC evaluation failed',
|
|
130
|
+
evaluationError: message,
|
|
131
|
+
};
|
|
132
|
+
(0, audit_logger_1.logToolAccessDecision)(identity, params, result);
|
|
133
|
+
return result;
|
|
134
|
+
}
|
|
135
|
+
}
|
|
136
|
+
/**
|
|
137
|
+
* Check which tools from a list the identity is authorized for.
|
|
138
|
+
* Runs checks in parallel for efficiency.
|
|
139
|
+
*/
|
|
140
|
+
async function filterAuthorizedTools(identity, tools) {
|
|
141
|
+
// No identity, token user, or RBAC disabled — return all tools
|
|
142
|
+
if (!identity || identity.source === 'token' || !isRbacEnabled()) {
|
|
143
|
+
return tools;
|
|
144
|
+
}
|
|
145
|
+
const checks = await Promise.all(tools.map(async (tool) => ({
|
|
146
|
+
tool,
|
|
147
|
+
result: await checkToolAccess(identity, { toolName: tool.name }),
|
|
148
|
+
})));
|
|
149
|
+
return checks.filter(c => c.result.allowed).map(c => c.tool);
|
|
150
|
+
}
|
|
151
|
+
/**
|
|
152
|
+
* Reset the cached API client (for testing).
|
|
153
|
+
*/
|
|
154
|
+
function resetAuthzApi() {
|
|
155
|
+
authzApi = undefined;
|
|
156
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/core/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,aAAa,EACb,aAAa,EACb,KAAK,eAAe,EACpB,KAAK,eAAe,GACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,qBAAqB,EAAE,0BAA0B,EAAE,MAAM,gBAAgB,CAAC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.logUserManagementOperation = exports.logToolAccessDecision = exports.resetAuthzApi = exports.isRbacEnabled = exports.filterAuthorizedTools = exports.checkToolAccess = void 0;
|
|
4
|
+
var check_access_1 = require("./check-access");
|
|
5
|
+
Object.defineProperty(exports, "checkToolAccess", { enumerable: true, get: function () { return check_access_1.checkToolAccess; } });
|
|
6
|
+
Object.defineProperty(exports, "filterAuthorizedTools", { enumerable: true, get: function () { return check_access_1.filterAuthorizedTools; } });
|
|
7
|
+
Object.defineProperty(exports, "isRbacEnabled", { enumerable: true, get: function () { return check_access_1.isRbacEnabled; } });
|
|
8
|
+
Object.defineProperty(exports, "resetAuthzApi", { enumerable: true, get: function () { return check_access_1.resetAuthzApi; } });
|
|
9
|
+
var audit_logger_1 = require("./audit-logger");
|
|
10
|
+
Object.defineProperty(exports, "logToolAccessDecision", { enumerable: true, get: function () { return audit_logger_1.logToolAccessDecision; } });
|
|
11
|
+
Object.defineProperty(exports, "logUserManagementOperation", { enumerable: true, get: function () { return audit_logger_1.logUserManagementOperation; } });
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/core/schema.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAUrD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AA6B7C,MAAM,WAAW,gBAAgB;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAGD,MAAM,WAAW,SAAS;IACxB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;CAC/B;AAGD,MAAM,WAAW,gBAAiB,SAAQ,gBAAgB;IACxD,OAAO,EAAE,SAAS,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,GAAG,QAAQ,GAAG,aAAa,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC/D,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE;QACX,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,MAAM,CAAC,EAAE,OAAO,CAAC;CAElB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,QAAQ,EAAE,CAAC;IACrB,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,QAAQ,EAAE,QAAQ,EAAE,CAAC;IACrB,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,eAAO,MAAM,sBAAsB,EAAE,QAQpC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,QAOlC,CAAC;AAwBF,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,QAAQ,GAAG,aAAa,CAAC;IAC/B,SAAS,EAAE,cAAc,EAAE,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,aAAa,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,kBAAkB,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAC/C;AAKD,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACtC,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACtC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,CAAC,EAAE;QAAE,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;KAAE,CAAC;CACrD;AA8GD;;GAEG;AACH,qBAAa,YAAY;IACvB;;OAEG;IACH,wBAAwB,CAAC,WAAW,EAAE,mBAAmB,GAAG,cAAc;IAuD1E;;OAEG;IACH,OAAO,CAAC,cAAc;IA4BtB;;OAEG;IACH,OAAO,CAAC,aAAa;IAqBrB;;OAEG;IACH,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,gBAAgB;CA2D3E;AAED;;;GAGG;AACH,qBAAa,iBAAiB;IAC5B;;OAEG;;IAKH;;;OAGG;YACW,uBAAuB;IAuCrC;;;;OAIG;IACG,gBAAgB,CACpB,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAA;KAAE,GAC5C,OAAO,CAAC,gBAAgB,CAAC;IAqF5B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CAqBhC;AAED;;;GAGG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,cAAc,CAAC,CAAuB;IAC9C,OAAO,CAAC,iBAAiB,CAAC,CAA0B;IACpD,OAAO,CAAC,aAAa,CAAC,CAAsB;gBAEhC,UAAU,CAAC,EAAE,UAAU;IAqDnC;;;OAGG;YACW,uBAAuB;IAuCrC;;OAEG;IACG,iBAAiB,CACrB,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,EACvD,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,cAAc,CAAC;IA+G1B;;OAEG;YACW,wBAAwB;IAwBtC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IA4EnC;;OAEG;YACW,0BAA0B;IA2CxC;;OAEG;YACW,0BAA0B;IAyExC;;OAEG;IACH,OAAO,CAAC,8BAA8B;IAQtC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAanC;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAYpC;;;OAGG;YACW,sBAAsB;IA8BpC;;OAEG;YACW,oBAAoB;IAsElC;;;OAGG;YACW,sBAAsB;IAuGpC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAchC;;OAEG;YACW,uBAAuB;
|
|
1
|
+
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/core/schema.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAUrD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AA6B7C,MAAM,WAAW,gBAAgB;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACrC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAGD,MAAM,WAAW,SAAS;IACxB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;CAC/B;AAGD,MAAM,WAAW,gBAAiB,SAAQ,gBAAgB;IACxD,OAAO,EAAE,SAAS,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,GAAG,QAAQ,GAAG,aAAa,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC/D,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE;QACX,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,MAAM,CAAC,EAAE,OAAO,CAAC;CAElB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,QAAQ,EAAE,CAAC;IACrB,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,QAAQ,EAAE,QAAQ,EAAE,CAAC;IACrB,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,eAAO,MAAM,sBAAsB,EAAE,QAQpC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,QAOlC,CAAC;AAwBF,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,QAAQ,GAAG,aAAa,CAAC;IAC/B,SAAS,EAAE,cAAc,EAAE,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,aAAa,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,kBAAkB,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAC/C;AAKD,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACtC,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACtC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,eAAe,CAAC,EAAE;QAAE,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;KAAE,CAAC;CACrD;AA8GD;;GAEG;AACH,qBAAa,YAAY;IACvB;;OAEG;IACH,wBAAwB,CAAC,WAAW,EAAE,mBAAmB,GAAG,cAAc;IAuD1E;;OAEG;IACH,OAAO,CAAC,cAAc;IA4BtB;;OAEG;IACH,OAAO,CAAC,aAAa;IAqBrB;;OAEG;IACH,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,gBAAgB;CA2D3E;AAED;;;GAGG;AACH,qBAAa,iBAAiB;IAC5B;;OAEG;;IAKH;;;OAGG;YACW,uBAAuB;IAuCrC;;;;OAIG;IACG,gBAAgB,CACpB,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAA;KAAE,GAC5C,OAAO,CAAC,gBAAgB,CAAC;IAqF5B;;OAEG;IACH,OAAO,CAAC,uBAAuB;CAqBhC;AAED;;;GAGG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,cAAc,CAAC,CAAuB;IAC9C,OAAO,CAAC,iBAAiB,CAAC,CAA0B;IACpD,OAAO,CAAC,aAAa,CAAC,CAAsB;gBAEhC,UAAU,CAAC,EAAE,UAAU;IAqDnC;;;OAGG;YACW,uBAAuB;IAuCrC;;OAEG;IACG,iBAAiB,CACrB,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,EACvD,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,cAAc,CAAC;IA+G1B;;OAEG;YACW,wBAAwB;IAwBtC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IA4EnC;;OAEG;YACW,0BAA0B;IA2CxC;;OAEG;YACW,0BAA0B;IAyExC;;OAEG;IACH,OAAO,CAAC,8BAA8B;IAQtC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAanC;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAYpC;;;OAGG;YACW,sBAAsB;IA8BpC;;OAEG;YACW,oBAAoB;IAsElC;;;OAGG;YACW,sBAAsB;IAuGpC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAchC;;OAEG;YACW,uBAAuB;IA2OrC;;OAEG;IACG,6BAA6B,CACjC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,aAAa,EACpB,WAAW,EAAE,MAAM,EACnB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,aAAa,CAAC;IAgJzB;;OAEG;IACG,qBAAqB,CACzB,KAAK,EAAE,aAAa,GACnB,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CA4CnD"}
|
package/dist/core/schema.js
CHANGED
|
@@ -1035,7 +1035,7 @@ ${resourceDetails}`;
|
|
|
1035
1035
|
!questions.open) {
|
|
1036
1036
|
throw new Error('Invalid question structure from AI');
|
|
1037
1037
|
}
|
|
1038
|
-
// Sanitize
|
|
1038
|
+
// Sanitize questions: ensure suggestedAnswer passes its own validation constraints
|
|
1039
1039
|
const sanitizeQuestions = (qs) => {
|
|
1040
1040
|
for (const q of qs) {
|
|
1041
1041
|
if ((q.type === 'select' || q.type === 'multiselect') &&
|
|
@@ -1057,6 +1057,19 @@ ${resourceDetails}`;
|
|
|
1057
1057
|
}
|
|
1058
1058
|
}
|
|
1059
1059
|
}
|
|
1060
|
+
// Clamp number suggestedAnswer to validation.min/max bounds
|
|
1061
|
+
if (q.type === 'number' && q.suggestedAnswer !== undefined && q.validation) {
|
|
1062
|
+
let num = Number(q.suggestedAnswer);
|
|
1063
|
+
if (!isNaN(num)) {
|
|
1064
|
+
if (q.validation.min !== undefined && num < q.validation.min) {
|
|
1065
|
+
num = q.validation.min;
|
|
1066
|
+
}
|
|
1067
|
+
if (q.validation.max !== undefined && num > q.validation.max) {
|
|
1068
|
+
num = q.validation.max;
|
|
1069
|
+
}
|
|
1070
|
+
q.suggestedAnswer = num;
|
|
1071
|
+
}
|
|
1072
|
+
}
|
|
1060
1073
|
}
|
|
1061
1074
|
};
|
|
1062
1075
|
sanitizeQuestions(questions.required);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../../src/interfaces/mcp.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../../src/interfaces/mcp.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAwEtC,OAAO,EAAgB,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAcvD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,aAAa,CAAC,EAAE,aAAa,CAAC;CAC/B;AAmBD,qBAAa,SAAS;IACpB,OAAO,CAAC,KAAK,CAAQ;IACrB,OAAO,CAAC,WAAW,CAAkB;IACrC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,gBAAgB,CAAa;IACrC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,UAAU,CAAC,CAAkC;IACrD,4EAA4E;IAC5E,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,cAAc,CAAC,CAAiC;IACxD,OAAO,CAAC,YAAY,CAAmB;IACvC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,aAAa,CAAC,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,CAA6B;IAC9C,OAAO,CAAC,aAAa,CAAC,CAAqB;IAC3C,OAAO,CAAC,SAAS,CAAC,CAAM;gBAEZ,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe;IA6BjD;;;OAGG;IACH,gBAAgB,IAAI,aAAa,GAAG,SAAS;IAQ7C;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAuBxB;;OAEG;IACH,OAAO,CAAC,eAAe;IA2CvB;;OAEG;IACH,OAAO,CAAC,WAAW;IAkKnB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAmBzB;;;;OAIG;YACW,mBAAmB;IA6CjC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAkCzB,OAAO,CAAC,qBAAqB;IAS7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAWzB,OAAO,CAAC,iBAAiB;IAInB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAed,kBAAkB;YAuQlB,gBAAgB;IAexB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAoC3B,OAAO,IAAI,OAAO;CAGnB"}
|