@vibe-agent-toolkit/resources 0.1.39-rc.9 → 0.1.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. package/dist/content-cache.d.ts +67 -0
  2. package/dist/content-cache.d.ts.map +1 -0
  3. package/dist/content-cache.js +160 -0
  4. package/dist/content-cache.js.map +1 -0
  5. package/dist/external-link-cache.d.ts +16 -2
  6. package/dist/external-link-cache.d.ts.map +1 -1
  7. package/dist/external-link-cache.js +43 -13
  8. package/dist/external-link-cache.js.map +1 -1
  9. package/dist/external-link-validator.d.ts +75 -2
  10. package/dist/external-link-validator.d.ts.map +1 -1
  11. package/dist/external-link-validator.js +184 -4
  12. package/dist/external-link-validator.js.map +1 -1
  13. package/dist/index.d.ts +4 -0
  14. package/dist/index.d.ts.map +1 -1
  15. package/dist/index.js +12 -0
  16. package/dist/index.js.map +1 -1
  17. package/dist/link-auth-classify.d.ts +34 -0
  18. package/dist/link-auth-classify.d.ts.map +1 -0
  19. package/dist/link-auth-classify.js +42 -0
  20. package/dist/link-auth-classify.js.map +1 -0
  21. package/dist/link-auth-config-build.d.ts +47 -0
  22. package/dist/link-auth-config-build.d.ts.map +1 -0
  23. package/dist/link-auth-config-build.js +86 -0
  24. package/dist/link-auth-config-build.js.map +1 -0
  25. package/dist/link-auth-content-fetch.d.ts +75 -0
  26. package/dist/link-auth-content-fetch.d.ts.map +1 -0
  27. package/dist/link-auth-content-fetch.js +101 -0
  28. package/dist/link-auth-content-fetch.js.map +1 -0
  29. package/dist/link-auth-deps-memo.d.ts +40 -0
  30. package/dist/link-auth-deps-memo.d.ts.map +1 -0
  31. package/dist/link-auth-deps-memo.js +47 -0
  32. package/dist/link-auth-deps-memo.js.map +1 -0
  33. package/dist/link-auth-transport.d.ts +44 -0
  34. package/dist/link-auth-transport.d.ts.map +1 -0
  35. package/dist/link-auth-transport.js +151 -0
  36. package/dist/link-auth-transport.js.map +1 -0
  37. package/dist/link-parser.d.ts.map +1 -1
  38. package/dist/link-parser.js +8 -1
  39. package/dist/link-parser.js.map +1 -1
  40. package/dist/link-validator.d.ts +8 -8
  41. package/dist/link-validator.d.ts.map +1 -1
  42. package/dist/link-validator.js +51 -18
  43. package/dist/link-validator.js.map +1 -1
  44. package/dist/resource-registry.d.ts +2 -0
  45. package/dist/resource-registry.d.ts.map +1 -1
  46. package/dist/resource-registry.js +19 -4
  47. package/dist/resource-registry.js.map +1 -1
  48. package/dist/schemas/link-auth.d.ts +1049 -303
  49. package/dist/schemas/link-auth.d.ts.map +1 -1
  50. package/dist/schemas/link-auth.js +39 -20
  51. package/dist/schemas/link-auth.js.map +1 -1
  52. package/dist/schemas/project-config.d.ts +2860 -759
  53. package/dist/schemas/project-config.d.ts.map +1 -1
  54. package/dist/schemas/project-config.js +18 -1
  55. package/dist/schemas/project-config.js.map +1 -1
  56. package/dist/schemas/resource-metadata.d.ts +10 -9
  57. package/dist/schemas/resource-metadata.d.ts.map +1 -1
  58. package/dist/schemas/resource-metadata.js +2 -0
  59. package/dist/schemas/resource-metadata.js.map +1 -1
  60. package/package.json +4 -4
  61. package/src/content-cache.ts +190 -0
  62. package/src/external-link-cache.ts +50 -13
  63. package/src/external-link-validator.ts +268 -5
  64. package/src/index.ts +23 -0
  65. package/src/link-auth-classify.ts +61 -0
  66. package/src/link-auth-config-build.ts +130 -0
  67. package/src/link-auth-content-fetch.ts +146 -0
  68. package/src/link-auth-deps-memo.ts +56 -0
  69. package/src/link-auth-transport.ts +179 -0
  70. package/src/link-parser.ts +8 -1
  71. package/src/link-validator.ts +65 -17
  72. package/src/resource-registry.ts +25 -5
  73. package/src/schemas/link-auth.ts +47 -21
  74. package/src/schemas/project-config.ts +22 -1
  75. package/src/schemas/resource-metadata.ts +2 -0
@@ -1,5 +1,81 @@
1
+ import { userInfo } from 'node:os';
2
+ import { resolveAuthenticatedUrl, safePath, } from '@vibe-agent-toolkit/utils';
1
3
  import markdownLinkCheck from 'markdown-link-check';
2
4
  import { ExternalLinkCache } from './external-link-cache.js';
5
+ import { classifyAuthenticatedResponse } from './link-auth-classify.js';
6
+ import { wrapLinkAuthDepsWithMemo } from './link-auth-deps-memo.js';
7
+ import { authTransport } from './link-auth-transport.js';
8
+ /**
9
+ * Resolve the OS user for cache scoping. Falls back through several layers
10
+ * because `os.userInfo()` throws when the running user has no /etc/passwd
11
+ * entry (common in container environments) — that's recoverable, not fatal.
12
+ */
13
+ function resolveOsUser() {
14
+ try {
15
+ const u = userInfo().username;
16
+ if (u !== '')
17
+ return u;
18
+ }
19
+ catch {
20
+ // userInfo() throws when the running user has no /etc/passwd entry —
21
+ // recover via env vars below.
22
+ }
23
+ // Use `||` (not `??`) so an empty-string USER/USERNAME also falls through.
24
+ // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
25
+ const fromEnv = process.env['USER'] || process.env['USERNAME'];
26
+ if (fromEnv)
27
+ return fromEnv;
28
+ // Last resort: two distinct OS users on the same host both end up here
29
+ // would share the auth cache (cross-user leak). Warn once so the
30
+ // collision is at least observable. Adopters whose container clears
31
+ // these env vars deliberately can set `USER=container-name` to scope.
32
+ warnDefaultUserFallbackOnce();
33
+ return 'default';
34
+ }
35
+ let defaultUserWarned = false;
36
+ function warnDefaultUserFallbackOnce() {
37
+ if (defaultUserWarned)
38
+ return;
39
+ defaultUserWarned = true;
40
+ console.warn("[vat] linkAuth: could not determine an OS user via os.userInfo() or USER/USERNAME env; " +
41
+ "scoping auth cache to 'default'. Two users on this host would share auth-cached results — " +
42
+ 'set the USER env var explicitly to scope per-user.');
43
+ }
44
+ /**
45
+ * Make an OS username safe for use as a directory component. Replaces path
46
+ * separators (`/`, `\`), the parent-directory shorthand (`..`), and other
47
+ * characters that could escape the cacheDir. Windows can produce
48
+ * `DOMAIN\user` forms; tests inject pathological values like `../escaped`.
49
+ */
50
+ function sanitizeOsUser(user) {
51
+ // Replace any character outside `[A-Za-z0-9._-]` with `_`. Then collapse any
52
+ // remaining `..` so a name like `..foo` cannot recombine into a traversal.
53
+ const replaced = user.replaceAll(/[^A-Za-z0-9._-]/g, '_').replaceAll('..', '__');
54
+ return replaced.length > 0 ? replaced : 'default';
55
+ }
56
+ /**
57
+ * Build a LinkValidationResult from a status code by re-classifying it under
58
+ * the current run's provider `check` block. Used by both the cache-hit and
59
+ * cache-miss paths so the two produce identical results for the same
60
+ * `(url, provider)` pair — the cache only persists `statusCode`, not the
61
+ * derived `code`, so the code must be re-derived on every read.
62
+ */
63
+ function buildAuthResult(originalUrl, statusCode, plan, cached, cachedStatusMessage) {
64
+ const classified = classifyAuthenticatedResponse(statusCode, plan.check);
65
+ const result = {
66
+ url: originalUrl,
67
+ status: classified?.outcome === 'alive' ? 'ok' : 'error',
68
+ statusCode,
69
+ cached,
70
+ };
71
+ if (classified?.code != null) {
72
+ result.code = classified.code;
73
+ }
74
+ if (result.status === 'error') {
75
+ result.error = cachedStatusMessage ?? `HTTP ${statusCode}`;
76
+ }
77
+ return result;
78
+ }
3
79
  /**
4
80
  * Safely serialize an error to a string, preventing [object Object] issues.
5
81
  * Handles Error objects, strings, objects, and edge cases.
@@ -55,7 +131,18 @@ function safeSerializeError(err) {
55
131
  */
56
132
  export class ExternalLinkValidator {
57
133
  cache;
134
+ /**
135
+ * Auth-branch cache — scoped to a per-OS-user subdirectory of `cacheDir`
136
+ * (#113 §6.3) so two users on a shared machine never read each other's
137
+ * authenticated results. Distinct from `cache` (the anonymous cache, which
138
+ * stays shared across users for the markdown-link-check path).
139
+ */
140
+ authCache;
58
141
  options;
142
+ linkAuthConfig;
143
+ fetchImpl;
144
+ linkAuthDeps;
145
+ sleep;
59
146
  /**
60
147
  * Create a new external link validator
61
148
  *
@@ -70,7 +157,20 @@ export class ExternalLinkValidator {
70
157
  userAgent: options.userAgent ??
71
158
  'Mozilla/5.0 (compatible; VAT-LinkChecker/1.0; +https://github.com/jdutton/vibe-agent-toolkit)',
72
159
  };
160
+ this.linkAuthConfig = options.linkAuthConfig;
161
+ this.fetchImpl = options.fetchImpl ?? globalThis.fetch;
162
+ // Wrap the configured runCommand (or the engine's default) with a memo
163
+ // keyed by stringified argv so each unique token-resolution command runs
164
+ // at most once per validator instance. Validating N links to the same
165
+ // host previously re-resolved the token N times — including subprocess
166
+ // spawns for `command` sources. Per #125 review: treat all token
167
+ // resolvers as expensive; the memo's lifetime equals one validate() run.
168
+ this.linkAuthDeps = wrapLinkAuthDepsWithMemo(options.linkAuthDeps);
169
+ this.sleep = options.sleep;
73
170
  this.cache = new ExternalLinkCache(cacheDir, this.options.cacheTtlHours);
171
+ const osUser = sanitizeOsUser(options.osUser ?? resolveOsUser());
172
+ const authCacheDir = safePath.join(cacheDir, `auth-${osUser}`);
173
+ this.authCache = new ExternalLinkCache(authCacheDir, this.options.cacheTtlHours);
74
174
  }
75
175
  /**
76
176
  * Validate a single external link
@@ -79,6 +179,28 @@ export class ExternalLinkValidator {
79
179
  * @returns Validation result
80
180
  */
81
181
  async validateLink(url) {
182
+ // Authenticated branch (issue #113): if a provider in linkAuthConfig
183
+ // claims this URL's host, bypass markdown-link-check and do a direct
184
+ // authenticated fetch + per-§7 classify.
185
+ if (this.linkAuthConfig) {
186
+ const plan = resolveAuthenticatedUrl(url, this.linkAuthConfig, this.linkAuthDeps);
187
+ if ('fetchUrl' in plan) {
188
+ return this.validateAuthenticatedLink(url, plan);
189
+ }
190
+ if (plan.outcome === 'unverified') {
191
+ // Per §6.3: never cache unverified outcomes — the result flips the
192
+ // moment a token appears, so caching a "no token" result is wrong.
193
+ return {
194
+ url,
195
+ status: 'error',
196
+ statusCode: 0,
197
+ error: plan.reason,
198
+ cached: false,
199
+ code: 'LINK_AUTH_UNVERIFIED',
200
+ };
201
+ }
202
+ // 'unsupported' → fall through to anonymous markdown-link-check path
203
+ }
82
204
  // Check cache first
83
205
  const cached = await this.cache.get(url);
84
206
  if (cached) {
@@ -119,6 +241,59 @@ export class ExternalLinkValidator {
119
241
  async validateLinks(urls) {
120
242
  return Promise.all(urls.map((url) => this.validateLink(url)));
121
243
  }
244
+ /**
245
+ * Issue an authenticated fetch for `originalUrl` using the engine's plan
246
+ * (rewritten URL + auth headers + provider's check config), classify the
247
+ * response per #113 §7, and write a status-cache entry. Cache is keyed by
248
+ * the *rewritten* URL (§6.3) — the original `blob/` URL 404s, so caching
249
+ * by original would poison results.
250
+ */
251
+ async validateAuthenticatedLink(originalUrl, plan) {
252
+ // Cache check, keyed by rewritten URL. IMPORTANT: re-classify the cached
253
+ // statusCode under the *current* run's provider `check` block, rather
254
+ // than treating cache-hit as a status-only short-circuit. The cache
255
+ // only persists `statusCode` — without re-classifying we'd drop the
256
+ // LINK_AUTH_* `code`, and the consumer would fall back to
257
+ // `EXTERNAL_URL_DEAD` (error) instead of `LINK_AUTH_DEAD_OR_UNAUTHORIZED`
258
+ // (warning). Cache-hit semantics must match cache-miss semantics for
259
+ // the same (url, provider) pair.
260
+ const cached = await this.authCache.get(plan.fetchUrl);
261
+ if (cached) {
262
+ return buildAuthResult(originalUrl, cached.statusCode, plan, true, cached.statusMessage);
263
+ }
264
+ // Fresh fetch via the auth-aware transport (handles cross-origin redirect
265
+ // Authorization stripping + 429/Retry-After per §5.2 §8). The conditional
266
+ // spread builds the object in one pass — AuthTransportOptions.sleep is
267
+ // readonly so post-construction assignment would be a TS error.
268
+ const transportOptions = {
269
+ signal: AbortSignal.timeout(this.options.timeout),
270
+ ...(this.sleep === undefined ? {} : { sleep: this.sleep }),
271
+ };
272
+ let response;
273
+ try {
274
+ response = await authTransport(plan.fetchUrl, plan.headers, this.fetchImpl, transportOptions);
275
+ }
276
+ catch (err) {
277
+ // Network-level failure (DNS/connect/TLS/timeout) — return error with
278
+ // no code so the consumer's existing statusCode→IssueCode mapping
279
+ // (EXTERNAL_URL_ERROR / EXTERNAL_URL_TIMEOUT) applies.
280
+ const message = safeSerializeError(err) ?? 'Authenticated fetch failed';
281
+ return {
282
+ url: originalUrl,
283
+ status: 'error',
284
+ statusCode: 0,
285
+ error: message,
286
+ cached: false,
287
+ };
288
+ }
289
+ const result = buildAuthResult(originalUrl, response.status, plan, false);
290
+ // Persist by rewritten URL so subsequent runs hit the cache. The cache
291
+ // only stores statusCode + statusMessage; the `code` is re-derived on
292
+ // read by re-running classifyAuthenticatedResponse against the current
293
+ // provider (see the authCache.get branch above).
294
+ await this.authCache.set(plan.fetchUrl, result.statusCode, result.error ?? 'OK');
295
+ return result;
296
+ }
122
297
  /**
123
298
  * Check a link using markdown-link-check
124
299
  */
@@ -179,16 +354,21 @@ export class ExternalLinkValidator {
179
354
  });
180
355
  }
181
356
  /**
182
- * Clear the validation cache
357
+ * Clear both validation caches (anonymous + authenticated).
358
+ *
359
+ * Adopters call this after rotating a token or invalidating link data —
360
+ * the operation must wipe both surfaces or stale auth results survive
361
+ * (a real bug: a 401 cached under the old token would haunt the new one).
183
362
  */
184
363
  async clearCache() {
185
- await this.cache.clear();
364
+ await Promise.all([this.cache.clear(), this.authCache.clear()]);
186
365
  }
187
366
  /**
188
- * Get cache statistics
367
+ * Get combined cache statistics across both caches.
189
368
  */
190
369
  async getCacheStats() {
191
- return this.cache.getStats();
370
+ const [anon, auth] = await Promise.all([this.cache.getStats(), this.authCache.getStats()]);
371
+ return { total: anon.total + auth.total, expired: anon.expired + auth.expired };
192
372
  }
193
373
  }
194
374
  //# sourceMappingURL=external-link-validator.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"external-link-validator.js","sourceRoot":"","sources":["../src/external-link-validator.ts"],"names":[],"mappings":"AAAA,OAAO,iBAAiB,MAAM,qBAAqB,CAAC;AAEpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAE7D;;;GAGG;AACH,SAAS,kBAAkB,CAAC,GAAY;IACvC,IAAI,CAAC,GAAG,EAAE,CAAC;QACV,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC7B,iEAAiE;QACjE,OAAO,GAAG,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;IAChC,CAAC;IAED,IAAI,GAAG,YAAY,KAAK,EAAE,CAAC;QAC1B,0DAA0D;QAC1D,OAAO,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;IACxC,CAAC;IAED,gDAAgD;IAChD,IAAI,CAAC;QACJ,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACvC,mDAAmD;QACnD,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACzB,kDAAkD;YAClD,MAAM,GAAG,GAAI,GAA6B,CAAC,OAAO,CAAC;YACnD,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC;QACtE,CAAC;QACD,OAAO,UAAU,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACR,iDAAiD;QACjD,+CAA+C;QAC/C,MAAM,GAAG,GAAI,GAA6B,CAAC,OAAO,CAAC;QACnD,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,wBAAwB,CAAC;IAC/E,CAAC;AACF,CAAC;AAgCD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,qBAAqB;IAChB,KAAK,CAAoB;IACzB,OAAO,CAAyC;IAEjE;;;;;OAKG;IACH,YAAY,QAAgB,EAAE,UAAwC,EAAE;QACvE,IAAI,CAAC,OAAO,GAAG;YACd,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,EAAE;YAC1C,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,IAAI;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,CAAC;YAC7B,SAAS,EACR,OAAO,CAAC,SAAS;gBACjB,+FAA+F;SAChG,CAAC;QAEF,IAAI,CAAC,KAAK,GAAG,IAAI,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1E,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,YAAY,CAAC,GAAW;QAC7B,oBAAoB;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,IAAI,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC;YAEjE,4EAA4E;YAC5E,IAAI,IAAI,EAAE,CAAC;gBACV,OAAO;oBACN,GAAG;oBACH,MAAM,EAAE,IAAa;oBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,MAAM,EAAE,IAAI;iBACZ,CAAC;YACH,CAAC;YAED,0CAA0C;YAC1C,OAAO;gBACN,GAAG;gBACH,MAAM,EAAE,OAAgB;gBACxB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,MAAM,CAAC,aAAa;aAC3B,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAEzC,iBAAiB;QACjB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC;QAEnE,OAAO;YACN,GAAG,MAAM;YACT,MAAM,EAAE,KAAK;SACb,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,IAAc;QACjC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CACtB,GAAW;QAEX,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC9B,MAAM,QAAQ,GAAG,UAAU,GAAG,GAAG,CAAC;YAElC,iBAAiB,CAChB,QAAQ,EACR;gBACC,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI;gBACpC,UAAU,EAAE,IAAI;gBAChB,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO;gBAChC,gBAAgB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;gBAChD,cAAc,EAAE,EAAE;gBAClB,WAAW,EAAE;oBACZ;wBACC,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE;4BACR,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;yBACpC;qBACD;iBACD;aACD,EACD,CAAC,KAAmB,EAAE,OAAmG,EAAE,EAAE;gBAC5H,IAAI,KAAK,EAAE,CAAC;oBACX,OAAO,CAAC;wBACP,GAAG;wBACH,MAAM,EAAE,OAAO;wBACf,UAAU,EAAE,CAAC;wBACb,KAAK,EAAE,KAAK,CAAC,OAAO;qBACpB,CAAC,CAAC;oBACH,OAAO;gBACR,CAAC;gBAED,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;gBAC1B,IAAI,CAAC,MAAM,EAAE,CAAC;oBACb,OAAO,CAAC;wBACP,GAAG;wBACH,MAAM,EAAE,OAAO;wBACf,UAAU,EAAE,CAAC;wBACb,KAAK,EAAE,oCAAoC;qBAC3C,CAAC,CAAC;oBACH,OAAO;gBACR,CAAC;gBAED,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;oBAC/B,OAAO,CAAC;wBACP,GAAG;wBACH,MAAM,EAAE,IAAI;wBACZ,UAAU,EAAE,MAAM,CAAC,UAAU;qBAC7B,CAAC,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACP,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,gBAAgB,MAAM,CAAC,MAAM,EAAE,CAAC;oBAEvF,OAAO,CAAC;wBACP,GAAG;wBACH,MAAM,EAAE,OAAO;wBACf,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,KAAK,EAAE,YAAY;qBACnB,CAAC,CAAC;gBACJ,CAAC;YACF,CAAC,CACD,CAAC;QACH,CAAC,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACf,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QAClB,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;IAC9B,CAAC;CACD"}
1
+ {"version":3,"file":"external-link-validator.js","sourceRoot":"","sources":["../src/external-link-validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAGnC,OAAO,EACL,uBAAuB,EACvB,QAAQ,GAGT,MAAM,2BAA2B,CAAC;AACnC,OAAO,iBAAiB,MAAM,qBAAqB,CAAC;AAEpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,6BAA6B,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAqB,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACvF,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAEzD;;;;GAIG;AACH,SAAS,aAAa;IACpB,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,QAAQ,EAAE,CAAC,QAAQ,CAAC;QAC9B,IAAI,CAAC,KAAK,EAAE;YAAE,OAAO,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;QACrE,8BAA8B;IAChC,CAAC;IACD,2EAA2E;IAC3E,wEAAwE;IACxE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC/D,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,uEAAuE;IACvE,iEAAiE;IACjE,oEAAoE;IACpE,sEAAsE;IACtE,2BAA2B,EAAE,CAAC;IAC9B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,IAAI,iBAAiB,GAAG,KAAK,CAAC;AAC9B,SAAS,2BAA2B;IAClC,IAAI,iBAAiB;QAAE,OAAO;IAC9B,iBAAiB,GAAG,IAAI,CAAC;IACzB,OAAO,CAAC,IAAI,CACV,yFAAyF;QACvF,4FAA4F;QAC5F,oDAAoD,CACvD,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,IAAY;IAClC,6EAA6E;IAC7E,2EAA2E;IAC3E,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACjF,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;AACpD,CAAC;AAID;;;;;;GAMG;AACH,SAAS,eAAe,CACvB,WAAmB,EACnB,UAAkB,EAClB,IAAkB,EAClB,MAAe,EACf,mBAA4B;IAE5B,MAAM,UAAU,GAAG,6BAA6B,CAAC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IACzE,MAAM,MAAM,GAAyB;QACpC,GAAG,EAAE,WAAW;QAChB,MAAM,EAAE,UAAU,EAAE,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO;QACxD,UAAU;QACV,MAAM;KACN,CAAC;IACF,IAAI,UAAU,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC;IAC/B,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC/B,MAAM,CAAC,KAAK,GAAG,mBAAmB,IAAI,QAAQ,UAAU,EAAE,CAAC;IAC5D,CAAC;IACD,OAAO,MAAM,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,GAAY;IACvC,IAAI,CAAC,GAAG,EAAE,CAAC;QACV,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC7B,iEAAiE;QACjE,OAAO,GAAG,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;IAChC,CAAC;IAED,IAAI,GAAG,YAAY,KAAK,EAAE,CAAC;QAC1B,0DAA0D;QAC1D,OAAO,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;IACxC,CAAC;IAED,gDAAgD;IAChD,IAAI,CAAC;QACJ,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACvC,mDAAmD;QACnD,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACzB,kDAAkD;YAClD,MAAM,GAAG,GAAI,GAA6B,CAAC,OAAO,CAAC;YACnD,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC;QACtE,CAAC;QACD,OAAO,UAAU,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACR,iDAAiD;QACjD,+CAA+C;QAC/C,MAAM,GAAG,GAAI,GAA6B,CAAC,OAAO,CAAC;QACnD,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,wBAAwB,CAAC;IAC/E,CAAC;AACF,CAAC;AA+ED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,qBAAqB;IAChB,KAAK,CAAoB;IAC1C;;;;;OAKG;IACc,SAAS,CAAoB;IAC7B,OAAO,CAKtB;IACe,cAAc,CAA6B;IAC3C,SAAS,CAAe;IACxB,YAAY,CAAe;IAC3B,KAAK,CAA8C;IAEpE;;;;;OAKG;IACH,YAAY,QAAgB,EAAE,UAAwC,EAAE;QACvE,IAAI,CAAC,OAAO,GAAG;YACd,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,EAAE;YAC1C,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,IAAI;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,CAAC;YAC7B,SAAS,EACR,OAAO,CAAC,SAAS;gBACjB,+FAA+F;SAChG,CAAC;QAEF,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAC7C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC;QACvD,uEAAuE;QACvE,yEAAyE;QACzE,sEAAsE;QACtE,uEAAuE;QACvE,iEAAiE;QACjE,yEAAyE;QACzE,IAAI,CAAC,YAAY,GAAG,wBAAwB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACnE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAE3B,IAAI,CAAC,KAAK,GAAG,IAAI,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAEzE,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,IAAI,aAAa,EAAE,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,MAAM,EAAE,CAAC,CAAC;QAC/D,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,CAAC,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAClF,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,YAAY,CAAC,GAAW;QAC7B,qEAAqE;QACrE,qEAAqE;QACrE,yCAAyC;QACzC,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YAClF,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,yBAAyB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAClD,CAAC;YACD,IAAI,IAAI,CAAC,OAAO,KAAK,YAAY,EAAE,CAAC;gBACnC,mEAAmE;gBACnE,mEAAmE;gBACnE,OAAO;oBACN,GAAG;oBACH,MAAM,EAAE,OAAO;oBACf,UAAU,EAAE,CAAC;oBACb,KAAK,EAAE,IAAI,CAAC,MAAM;oBAClB,MAAM,EAAE,KAAK;oBACb,IAAI,EAAE,sBAAsB;iBAC5B,CAAC;YACH,CAAC;YACD,qEAAqE;QACtE,CAAC;QAED,oBAAoB;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,IAAI,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC;YAEjE,4EAA4E;YAC5E,IAAI,IAAI,EAAE,CAAC;gBACV,OAAO;oBACN,GAAG;oBACH,MAAM,EAAE,IAAa;oBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,MAAM,EAAE,IAAI;iBACZ,CAAC;YACH,CAAC;YAED,0CAA0C;YAC1C,OAAO;gBACN,GAAG;gBACH,MAAM,EAAE,OAAgB;gBACxB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,MAAM,EAAE,IAAI;gBACZ,KAAK,EAAE,MAAM,CAAC,aAAa;aAC3B,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAEzC,iBAAiB;QACjB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC;QAEnE,OAAO;YACN,GAAG,MAAM;YACT,MAAM,EAAE,KAAK;SACb,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,IAAc;QACjC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,yBAAyB,CACtC,WAAmB,EACnB,IAAkB;QAElB,yEAAyE;QACzE,sEAAsE;QACtE,oEAAoE;QACpE,oEAAoE;QACpE,0DAA0D;QAC1D,0EAA0E;QAC1E,qEAAqE;QACrE,iCAAiC;QACjC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvD,IAAI,MAAM,EAAE,CAAC;YACZ,OAAO,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1F,CAAC;QAED,0EAA0E;QAC1E,0EAA0E;QAC1E,uEAAuE;QACvE,gEAAgE;QAChE,MAAM,gBAAgB,GAAwC;YAC7D,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;YACjD,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;SAC1D,CAAC;QAEF,IAAI,QAAkB,CAAC;QACvB,IAAI,CAAC;YACJ,QAAQ,GAAG,MAAM,aAAa,CAC7B,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,SAAS,EACd,gBAAgB,CAChB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,sEAAsE;YACtE,kEAAkE;YAClE,uDAAuD;YACvD,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAG,CAAC,IAAI,4BAA4B,CAAC;YACxE,OAAO;gBACN,GAAG,EAAE,WAAW;gBAChB,MAAM,EAAE,OAAO;gBACf,UAAU,EAAE,CAAC;gBACb,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,KAAK;aACb,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAC1E,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,iDAAiD;QACjD,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC;QACjF,OAAO,MAAM,CAAC;IACf,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CACtB,GAAW;QAEX,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC9B,MAAM,QAAQ,GAAG,UAAU,GAAG,GAAG,CAAC;YAElC,iBAAiB,CAChB,QAAQ,EACR;gBACC,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI;gBACpC,UAAU,EAAE,IAAI;gBAChB,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO;gBAChC,gBAAgB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC;gBAChD,cAAc,EAAE,EAAE;gBAClB,WAAW,EAAE;oBACZ;wBACC,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,OAAO,EAAE;4BACR,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;yBACpC;qBACD;iBACD;aACD,EACD,CAAC,KAAmB,EAAE,OAAmG,EAAE,EAAE;gBAC5H,IAAI,KAAK,EAAE,CAAC;oBACX,OAAO,CAAC;wBACP,GAAG;wBACH,MAAM,EAAE,OAAO;wBACf,UAAU,EAAE,CAAC;wBACb,KAAK,EAAE,KAAK,CAAC,OAAO;qBACpB,CAAC,CAAC;oBACH,OAAO;gBACR,CAAC;gBAED,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;gBAC1B,IAAI,CAAC,MAAM,EAAE,CAAC;oBACb,OAAO,CAAC;wBACP,GAAG;wBACH,MAAM,EAAE,OAAO;wBACf,UAAU,EAAE,CAAC;wBACb,KAAK,EAAE,oCAAoC;qBAC3C,CAAC,CAAC;oBACH,OAAO;gBACR,CAAC;gBAED,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;oBAC/B,OAAO,CAAC;wBACP,GAAG;wBACH,MAAM,EAAE,IAAI;wBACZ,UAAU,EAAE,MAAM,CAAC,UAAU;qBAC7B,CAAC,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACP,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,gBAAgB,MAAM,CAAC,MAAM,EAAE,CAAC;oBAEvF,OAAO,CAAC;wBACP,GAAG;wBACH,MAAM,EAAE,OAAO;wBACf,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,KAAK,EAAE,YAAY;qBACnB,CAAC,CAAC;gBACJ,CAAC;YACF,CAAC,CACD,CAAC;QACH,CAAC,CAAC,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,UAAU;QACf,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QAClB,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC3F,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IACjF,CAAC;CACD"}
package/dist/index.d.ts CHANGED
@@ -44,4 +44,8 @@ export { openFrontmatter, FrontmatterParseError, type FrontmatterEditor, } from
44
44
  export { rewriteFrontmatterUriReferencesFromSchema, rewriteFrontmatterFieldsAtPaths, rewriteBodyLinks, type RewriteHref, } from './rewriter-helpers.js';
45
45
  export { parseConfigFile, loadConfig, } from './config-parser.js';
46
46
  export { ProjectConfigSchema, SkillFileEntrySchema, SkillsConfigSchema, SkillPackagingConfigSchema, SkillSourceDescriptorSchema, TestConfigSchema, type SkillSourceDescriptor, type TestConfig, } from './schemas/project-config.js';
47
+ export { fetchAuthenticated, type ContentFetchResult, type FetchAuthenticatedOptions, } from './link-auth-content-fetch.js';
48
+ export { ContentCache, type ContentMetadata } from './content-cache.js';
49
+ export { wrapLinkAuthDepsWithMemo, type LinkAuthDeps, } from './link-auth-deps-memo.js';
50
+ export { buildLinkAuthEngineConfig } from './link-auth-config-build.js';
47
51
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,KAAK,YAAY,EACjB,KAAK,uBAAuB,EAC5B,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,KAAK,cAAc,GACpB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAG9D,YAAY,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AAGtF,YAAY,EACV,YAAY,EACZ,QAAQ,EACR,WAAW,EACX,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,cAAc,EACd,cAAc,EACd,oBAAoB,EACpB,YAAY,EACZ,YAAY,EACZ,uBAAuB,EACvB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,sBAAsB,GACvB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAElG,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAElD,YAAY,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,KAAK,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAG9E,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAKjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAG3D,OAAO,EACL,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,cAAc,GACpB,MAAM,wBAAwB,CAAC;AAMhC,OAAO,EAAE,gBAAgB,EAAE,KAAK,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAG3E,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,KAAK,iBAAiB,GACvB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EACL,yCAAyC,EACzC,+BAA+B,EAC/B,gBAAgB,EAChB,KAAK,WAAW,GACjB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,eAAe,EACf,UAAU,GACX,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EAClB,0BAA0B,EAC1B,2BAA2B,EAC3B,gBAAgB,EAChB,KAAK,qBAAqB,EAC1B,KAAK,UAAU,GAChB,MAAM,6BAA6B,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,KAAK,YAAY,EACjB,KAAK,uBAAuB,EAC5B,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,KAAK,cAAc,GACpB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAG9D,YAAY,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AAGtF,YAAY,EACV,YAAY,EACZ,QAAQ,EACR,WAAW,EACX,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,cAAc,EACd,cAAc,EACd,oBAAoB,EACpB,YAAY,EACZ,YAAY,EACZ,uBAAuB,EACvB,4BAA4B,GAC7B,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,sBAAsB,GACvB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAElG,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAElD,YAAY,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,KAAK,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAG9E,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAKjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAG3D,OAAO,EACL,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,cAAc,GACpB,MAAM,wBAAwB,CAAC;AAMhC,OAAO,EAAE,gBAAgB,EAAE,KAAK,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAG3E,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,KAAK,iBAAiB,GACvB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EACL,yCAAyC,EACzC,+BAA+B,EAC/B,gBAAgB,EAChB,KAAK,WAAW,GACjB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,eAAe,EACf,UAAU,GACX,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EAClB,0BAA0B,EAC1B,2BAA2B,EAC3B,gBAAgB,EAChB,KAAK,qBAAqB,EAC1B,KAAK,UAAU,GAChB,MAAM,6BAA6B,CAAC;AAIrC,OAAO,EACL,kBAAkB,EAClB,KAAK,kBAAkB,EACvB,KAAK,yBAAyB,GAC/B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,YAAY,EAAE,KAAK,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAKxE,OAAO,EACL,wBAAwB,EACxB,KAAK,YAAY,GAClB,MAAM,0BAA0B,CAAC;AAKlC,OAAO,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC"}
package/dist/index.js CHANGED
@@ -57,4 +57,16 @@ export { rewriteFrontmatterUriReferencesFromSchema, rewriteFrontmatterFieldsAtPa
57
57
  // Export project config parsing
58
58
  export { parseConfigFile, loadConfig, } from './config-parser.js';
59
59
  export { ProjectConfigSchema, SkillFileEntrySchema, SkillsConfigSchema, SkillPackagingConfigSchema, SkillSourceDescriptorSchema, TestConfigSchema, } from './schemas/project-config.js';
60
+ // linkAuth content-fetch primitive (issue #113 slice 3). Ships standalone;
61
+ // callers wire it into asset-reference / bundling consumers as they need.
62
+ export { fetchAuthenticated, } from './link-auth-content-fetch.js';
63
+ export { ContentCache } from './content-cache.js';
64
+ // Token-resolution memo wrapper. High-volume callers iterating many URLs
65
+ // from the same provider wrap their deps once and reuse the result, so
66
+ // expensive token sources (`gh auth token` etc.) run at most once.
67
+ export { wrapLinkAuthDepsWithMemo, } from './link-auth-deps-memo.js';
68
+ // Bridge from adopter `resources.linkAuth` (Zod-validated) to the engine's
69
+ // `LinkAuthConfig` (fully-expanded providers). Adopters carrying a parsed
70
+ // config can hand it directly to `fetchAuthenticated` via this bridge.
71
+ export { buildLinkAuthEngineConfig } from './link-auth-config-build.js';
60
72
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,+DAA+D;AAC/D,OAAO,EACL,gBAAgB,EAChB,kBAAkB,GAMnB,MAAM,wBAAwB,CAAC;AAEhC,yDAAyD;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,oFAAoF;AACpF,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AA2B9D,qFAAqF;AACrF,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,sBAAsB,GACvB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,gCAAgC,CAAC;AAExC,iDAAiD;AACjD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,eAAe,EAAoB,MAAM,kBAAkB,CAAC;AAElG,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAGlD,OAAO,EAAE,gBAAgB,EAAyB,MAAM,qBAAqB,CAAC;AAE9E,gCAAgC;AAChC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEjE,6EAA6E;AAC7E,yEAAyE;AACzE,8EAA8E;AAC9E,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAE3D,qDAAqD;AACrD,OAAO,EACL,gBAAgB,GAKjB,MAAM,wBAAwB,CAAC;AAEhC,kEAAkE;AAClE,0EAA0E;AAE1E,2EAA2E;AAC3E,OAAO,EAAE,gBAAgB,EAA+B,MAAM,YAAY,CAAC;AAE3E,sEAAsE;AACtE,OAAO,EACL,eAAe,EACf,qBAAqB,GAEtB,MAAM,yBAAyB,CAAC;AAEjC,+EAA+E;AAC/E,OAAO,EACL,yCAAyC,EACzC,+BAA+B,EAC/B,gBAAgB,GAEjB,MAAM,uBAAuB,CAAC;AAE/B,gCAAgC;AAChC,OAAO,EACL,eAAe,EACf,UAAU,GACX,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EAClB,0BAA0B,EAC1B,2BAA2B,EAC3B,gBAAgB,GAGjB,MAAM,6BAA6B,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,+DAA+D;AAC/D,OAAO,EACL,gBAAgB,EAChB,kBAAkB,GAMnB,MAAM,wBAAwB,CAAC;AAEhC,yDAAyD;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,oFAAoF;AACpF,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AA2B9D,qFAAqF;AACrF,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,sBAAsB,GACvB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,gCAAgC,CAAC;AAExC,iDAAiD;AACjD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,eAAe,EAAoB,MAAM,kBAAkB,CAAC;AAElG,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAGlD,OAAO,EAAE,gBAAgB,EAAyB,MAAM,qBAAqB,CAAC;AAE9E,gCAAgC;AAChC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAEjE,6EAA6E;AAC7E,yEAAyE;AACzE,8EAA8E;AAC9E,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAE3D,qDAAqD;AACrD,OAAO,EACL,gBAAgB,GAKjB,MAAM,wBAAwB,CAAC;AAEhC,kEAAkE;AAClE,0EAA0E;AAE1E,2EAA2E;AAC3E,OAAO,EAAE,gBAAgB,EAA+B,MAAM,YAAY,CAAC;AAE3E,sEAAsE;AACtE,OAAO,EACL,eAAe,EACf,qBAAqB,GAEtB,MAAM,yBAAyB,CAAC;AAEjC,+EAA+E;AAC/E,OAAO,EACL,yCAAyC,EACzC,+BAA+B,EAC/B,gBAAgB,GAEjB,MAAM,uBAAuB,CAAC;AAE/B,gCAAgC;AAChC,OAAO,EACL,eAAe,EACf,UAAU,GACX,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EAClB,0BAA0B,EAC1B,2BAA2B,EAC3B,gBAAgB,GAGjB,MAAM,6BAA6B,CAAC;AAErC,2EAA2E;AAC3E,0EAA0E;AAC1E,OAAO,EACL,kBAAkB,GAGnB,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,YAAY,EAAwB,MAAM,oBAAoB,CAAC;AAExE,yEAAyE;AACzE,uEAAuE;AACvE,mEAAmE;AACnE,OAAO,EACL,wBAAwB,GAEzB,MAAM,0BAA0B,CAAC;AAElC,2EAA2E;AAC3E,0EAA0E;AAC1E,uEAAuE;AACvE,OAAO,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC"}
@@ -0,0 +1,34 @@
1
+ /**
2
+ * Classify a response from an authenticated external-link fetch into one of
3
+ * the outcomes defined in design issue #113 §7.
4
+ *
5
+ * Pure function: takes the HTTP status from a completed fetch plus the
6
+ * matched provider's `check` block, returns the outcome name and the matching
7
+ * `LINK_AUTH_*` code from `CODE_REGISTRY`. Pre-fetch outcomes (`unsupported`,
8
+ * `unverified`) are produced upstream by `resolveAuthenticatedUrl` and never
9
+ * reach this classifier.
10
+ *
11
+ * Status codes that don't match any classified outcome return `null` — the
12
+ * caller falls through to the existing anonymous `EXTERNAL_URL_DEAD` path
13
+ * (per §7 "unsupported"), since the authenticated fetch produced no signal
14
+ * the per-provider table can speak to.
15
+ */
16
+ import type { ProviderCheck } from '@vibe-agent-toolkit/utils';
17
+ export type LinkAuthOutcome = {
18
+ readonly outcome: 'alive';
19
+ readonly code: null;
20
+ } | {
21
+ readonly outcome: 'dead';
22
+ readonly code: 'LINK_AUTH_DEAD';
23
+ } | {
24
+ readonly outcome: 'dead_or_unauthorized';
25
+ readonly code: 'LINK_AUTH_DEAD_OR_UNAUTHORIZED';
26
+ } | {
27
+ readonly outcome: 'forbidden';
28
+ readonly code: 'LINK_AUTH_FORBIDDEN';
29
+ } | {
30
+ readonly outcome: 'unauthorized';
31
+ readonly code: 'LINK_AUTH_UNAUTHORIZED';
32
+ };
33
+ export declare function classifyAuthenticatedResponse(status: number, check: ProviderCheck): LinkAuthOutcome | null;
34
+ //# sourceMappingURL=link-auth-classify.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"link-auth-classify.d.ts","sourceRoot":"","sources":["../src/link-auth-classify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE/D,MAAM,MAAM,eAAe,GACvB;IAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAA;CAAE,GAClD;IAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,IAAI,EAAE,gBAAgB,CAAA;CAAE,GAC7D;IACE,QAAQ,CAAC,OAAO,EAAE,sBAAsB,CAAC;IACzC,QAAQ,CAAC,IAAI,EAAE,gCAAgC,CAAC;CACjD,GACD;IAAE,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC;IAAC,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAA;CAAE,GACvE;IAAE,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;IAAC,QAAQ,CAAC,IAAI,EAAE,wBAAwB,CAAA;CAAE,CAAC;AAElF,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,aAAa,GACnB,eAAe,GAAG,IAAI,CA6BxB"}
@@ -0,0 +1,42 @@
1
+ /**
2
+ * Classify a response from an authenticated external-link fetch into one of
3
+ * the outcomes defined in design issue #113 §7.
4
+ *
5
+ * Pure function: takes the HTTP status from a completed fetch plus the
6
+ * matched provider's `check` block, returns the outcome name and the matching
7
+ * `LINK_AUTH_*` code from `CODE_REGISTRY`. Pre-fetch outcomes (`unsupported`,
8
+ * `unverified`) are produced upstream by `resolveAuthenticatedUrl` and never
9
+ * reach this classifier.
10
+ *
11
+ * Status codes that don't match any classified outcome return `null` — the
12
+ * caller falls through to the existing anonymous `EXTERNAL_URL_DEAD` path
13
+ * (per §7 "unsupported"), since the authenticated fetch produced no signal
14
+ * the per-provider table can speak to.
15
+ */
16
+ export function classifyAuthenticatedResponse(status, check) {
17
+ // aliveStatus wins first: a provider can in principle declare any code as
18
+ // alive (e.g. a future host where 204 means alive), so the membership test
19
+ // runs before the well-known-status branches.
20
+ if (check.aliveStatus.includes(status)) {
21
+ return { outcome: 'alive', code: null };
22
+ }
23
+ if (status === 401) {
24
+ return { outcome: 'unauthorized', code: 'LINK_AUTH_UNAUTHORIZED' };
25
+ }
26
+ if (status === 403) {
27
+ return { outcome: 'forbidden', code: 'LINK_AUTH_FORBIDDEN' };
28
+ }
29
+ if (status === 404 || status === 410) {
30
+ if (check.notFoundMeaning === 'dead') {
31
+ return { outcome: 'dead', code: 'LINK_AUTH_DEAD' };
32
+ }
33
+ return {
34
+ outcome: 'dead_or_unauthorized',
35
+ code: 'LINK_AUTH_DEAD_OR_UNAUTHORIZED',
36
+ };
37
+ }
38
+ // 2xx not in aliveStatus, 3xx redirects, 429 rate-limit, 5xx server errors
39
+ // — none of these are classified per §7. Caller decides what to do.
40
+ return null;
41
+ }
42
+ //# sourceMappingURL=link-auth-classify.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"link-auth-classify.js","sourceRoot":"","sources":["../src/link-auth-classify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAcH,MAAM,UAAU,6BAA6B,CAC3C,MAAc,EACd,KAAoB;IAEpB,0EAA0E;IAC1E,2EAA2E;IAC3E,8CAA8C;IAC9C,IAAI,KAAK,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACvC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAC1C,CAAC;IAED,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,wBAAwB,EAAE,CAAC;IACrE,CAAC;IAED,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,qBAAqB,EAAE,CAAC;IAC/D,CAAC;IAED,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACrC,IAAI,KAAK,CAAC,eAAe,KAAK,MAAM,EAAE,CAAC;YACrC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC;QACrD,CAAC;QACD,OAAO;YACL,OAAO,EAAE,sBAAsB;YAC/B,IAAI,EAAE,gCAAgC;SACvC,CAAC;IACJ,CAAC;IAED,2EAA2E;IAC3E,oEAAoE;IACpE,OAAO,IAAI,CAAC;AACd,CAAC"}
@@ -0,0 +1,47 @@
1
+ /**
2
+ * Bridge between the adopter-facing linkAuth config (Zod-validated, with
3
+ * macro references) and the engine-facing config (fully-expanded providers).
4
+ *
5
+ * Adopter config providers can be either:
6
+ * - `{ use: <macro>, ...overrides }` — reference a shipped macro; deep-merge
7
+ * `overrides` on top of the macro's defaults
8
+ * - A full inline `{ match, rewrite, auth, token, check }` — used as-is
9
+ *
10
+ * This function walks each provider entry, runs macro expansion when needed,
11
+ * and re-validates each fully-expanded provider against `InlineProviderSchema`.
12
+ * Since the schemas are passthrough (per the repo Postel's Law rule for
13
+ * adopter input), unknown extra keys survive expansion silently — the engine
14
+ * ignores them at runtime, and a separate lint/warn pass is the right home
15
+ * for typo-catching DX. Post-expansion validation still catches the cases
16
+ * passthrough doesn't relax: missing required fields, and wrong types on
17
+ * declared fields (e.g. `notFoundMeaning: 'totally-invalid'`).
18
+ *
19
+ * Per design issue #113 §5 (macros are config, not a privileged code path)
20
+ * and §4 (engine vocabulary).
21
+ */
22
+ import { type LinkAuthConfig, type Provider } from '@vibe-agent-toolkit/utils';
23
+ import { InlineProviderSchema, type LinkAuthProjectConfig } from './schemas/link-auth.js';
24
+ /**
25
+ * Compile-time drift defense: top-level field sets must match between the
26
+ * Zod schema and the engine's `Provider` interface. A strict structural
27
+ * check would also catch sub-type drift, but TS variance (readonly arrays in
28
+ * engine vs mutable in Zod inference) makes that noisy — the realistic
29
+ * drift mode is adding/renaming a top-level field on one side and forgetting
30
+ * the other, which this top-level key comparison catches at `tsc` time.
31
+ *
32
+ * The schema and engine type are kept in sync by review (per slice 1 design
33
+ * decision); this guard makes that review easier.
34
+ */
35
+ type _SchemaKeys = keyof typeof InlineProviderSchema.shape;
36
+ type _EngineKeys = keyof Provider;
37
+ type _KeysAgree = [_SchemaKeys] extends [_EngineKeys] ? [_EngineKeys] extends [_SchemaKeys] ? true : {
38
+ error: 'engine Provider has a field that InlineProviderSchema lacks';
39
+ missing: Exclude<_EngineKeys, _SchemaKeys>;
40
+ } : {
41
+ error: 'InlineProviderSchema has a field that engine Provider lacks';
42
+ missing: Exclude<_SchemaKeys, _EngineKeys>;
43
+ };
44
+ export declare const _assertSchemaKeysAgreeWithEngine: _KeysAgree;
45
+ export declare function buildLinkAuthEngineConfig(adopter: LinkAuthProjectConfig): LinkAuthConfig;
46
+ export {};
47
+ //# sourceMappingURL=link-auth-config-build.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"link-auth-config-build.d.ts","sourceRoot":"","sources":["../src/link-auth-config-build.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAEL,KAAK,cAAc,EACnB,KAAK,QAAQ,EACd,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAE1F;;;;;;;;;;GAUG;AAKH,KAAK,WAAW,GAAG,MAAM,OAAO,oBAAoB,CAAC,KAAK,CAAC;AAC3D,KAAK,WAAW,GAAG,MAAM,QAAQ,CAAC;AAClC,KAAK,UAAU,GAAG,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,GACjD,CAAC,WAAW,CAAC,SAAS,CAAC,WAAW,CAAC,GACjC,IAAI,GACJ;IAAE,KAAK,EAAE,6DAA6D,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,CAAA;CAAE,GACtH;IAAE,KAAK,EAAE,6DAA6D,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,CAAA;CAAE,CAAC;AAIzH,eAAO,MAAM,gCAAgC,EAAE,UAAiB,CAAC;AAEjE,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,qBAAqB,GAAG,cAAc,CAaxF"}
@@ -0,0 +1,86 @@
1
+ /**
2
+ * Bridge between the adopter-facing linkAuth config (Zod-validated, with
3
+ * macro references) and the engine-facing config (fully-expanded providers).
4
+ *
5
+ * Adopter config providers can be either:
6
+ * - `{ use: <macro>, ...overrides }` — reference a shipped macro; deep-merge
7
+ * `overrides` on top of the macro's defaults
8
+ * - A full inline `{ match, rewrite, auth, token, check }` — used as-is
9
+ *
10
+ * This function walks each provider entry, runs macro expansion when needed,
11
+ * and re-validates each fully-expanded provider against `InlineProviderSchema`.
12
+ * Since the schemas are passthrough (per the repo Postel's Law rule for
13
+ * adopter input), unknown extra keys survive expansion silently — the engine
14
+ * ignores them at runtime, and a separate lint/warn pass is the right home
15
+ * for typo-catching DX. Post-expansion validation still catches the cases
16
+ * passthrough doesn't relax: missing required fields, and wrong types on
17
+ * declared fields (e.g. `notFoundMeaning: 'totally-invalid'`).
18
+ *
19
+ * Per design issue #113 §5 (macros are config, not a privileged code path)
20
+ * and §4 (engine vocabulary).
21
+ */
22
+ import { expandMacro, } from '@vibe-agent-toolkit/utils';
23
+ import { InlineProviderSchema } from './schemas/link-auth.js';
24
+ // Type-level assert: the declaration must compile to `true` (i.e. both
25
+ // directions of the key-set check pass). The exported function holds a
26
+ // reference to the type so noUnusedLocals doesn't fire.
27
+ export const _assertSchemaKeysAgreeWithEngine = true;
28
+ export function buildLinkAuthEngineConfig(adopter) {
29
+ const providers = adopter.providers.map((entry, index) => expandProviderEntry(entry, index));
30
+ // Pass the cache block through to the engine config so the slice-3
31
+ // content-fetch primitive can read `ttlMinutes` from the same source of
32
+ // truth as the rest of the engine config. The engine itself doesn't consume
33
+ // this field — it stays stateless — but riding along on the config keeps
34
+ // callers from having to pass two objects to the primitive.
35
+ if (adopter.cache !== undefined) {
36
+ return { providers, cache: buildEngineCache(adopter.cache) };
37
+ }
38
+ return { providers };
39
+ }
40
+ function buildEngineCache(adopterCache) {
41
+ // Schema is passthrough so adopterCache may carry forward-compatible extras
42
+ // we don't know about — copy only the fields the engine type declares.
43
+ return adopterCache.ttlMinutes === undefined ? {} : { ttlMinutes: adopterCache.ttlMinutes };
44
+ }
45
+ function expandProviderEntry(entry, index) {
46
+ // Discriminate via Object.hasOwn (not `'use' in entry`) so a prototype-
47
+ // injected `use` cannot reroute an inline entry into macro expansion. The
48
+ // Zod parser already produces plain JSON-shaped objects, but defending in
49
+ // depth costs nothing.
50
+ const isMacroRef = typeof entry === 'object' &&
51
+ entry !== null &&
52
+ Object.hasOwn(entry, 'use');
53
+ if (!isMacroRef) {
54
+ return entry;
55
+ }
56
+ const { use, overrides } = splitMacroEntry(entry);
57
+ const expanded = expandMacro(use, overrides);
58
+ // Re-validate the fully-expanded shape. Unknown extra keys pass through
59
+ // (the engine ignores them); what we still catch are missing required
60
+ // fields and wrong types on declared fields — e.g. a macro override that
61
+ // sets `check.notFoundMeaning: 'bogus'` is rejected here even though the
62
+ // upstream macro schema's passthrough accepted it.
63
+ const parsed = InlineProviderSchema.safeParse(expanded);
64
+ if (!parsed.success) {
65
+ throw new Error(`linkAuth providers[${index}] (use: ${JSON.stringify(use)}) ` +
66
+ `produced an invalid provider after macro expansion: ${parsed.error.message}`);
67
+ }
68
+ return parsed.data;
69
+ }
70
+ function splitMacroEntry(entry) {
71
+ // `use` value comes from a Zod-validated source so the type is string at
72
+ // this point — but defensively-check it anyway: `Object.hasOwn` upstream
73
+ // tells us the key exists, not what its value's type is.
74
+ const useValue = entry['use'];
75
+ if (typeof useValue !== 'string') {
76
+ throw new TypeError(`linkAuth provider \`use\` must be a string, got ${typeof useValue}`);
77
+ }
78
+ const overrides = {};
79
+ for (const [key, value] of Object.entries(entry)) {
80
+ if (key === 'use')
81
+ continue;
82
+ overrides[key] = value;
83
+ }
84
+ return { use: useValue, overrides };
85
+ }
86
+ //# sourceMappingURL=link-auth-config-build.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"link-auth-config-build.js","sourceRoot":"","sources":["../src/link-auth-config-build.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EACL,WAAW,GAGZ,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,oBAAoB,EAA8B,MAAM,wBAAwB,CAAC;AAwB1F,uEAAuE;AACvE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,CAAC,MAAM,gCAAgC,GAAe,IAAI,CAAC;AAEjE,MAAM,UAAU,yBAAyB,CAAC,OAA8B;IACtE,MAAM,SAAS,GAAe,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CACnE,mBAAmB,CAAC,KAAK,EAAE,KAAK,CAAC,CAClC,CAAC;IACF,mEAAmE;IACnE,wEAAwE;IACxE,4EAA4E;IAC5E,yEAAyE;IACzE,4DAA4D;IAC5D,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;IAC/D,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,CAAC;AACvB,CAAC;AAED,SAAS,gBAAgB,CACvB,YAAyD;IAEzD,4EAA4E;IAC5E,uEAAuE;IACvE,OAAO,YAAY,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,YAAY,CAAC,UAAU,EAAE,CAAC;AAC9F,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc,EAAE,KAAa;IACxD,wEAAwE;IACxE,0EAA0E;IAC1E,0EAA0E;IAC1E,uBAAuB;IACvB,MAAM,UAAU,GACd,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAE9B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,KAAiB,CAAC;IAC3B,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,KAAgC,CAAC,CAAC;IAC7E,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAE7C,wEAAwE;IACxE,sEAAsE;IACtE,yEAAyE;IACzE,yEAAyE;IACzE,mDAAmD;IACnD,MAAM,MAAM,GAAG,oBAAoB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACxD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,sBAAsB,KAAK,WAAW,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI;YAC3D,uDAAuD,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAChF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAAgB,CAAC;AACjC,CAAC;AAED,SAAS,eAAe,CAAC,KAA8B;IAIrD,yEAAyE;IACzE,yEAAyE;IACzE,yDAAyD;IACzD,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC9B,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,mDAAmD,OAAO,QAAQ,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,MAAM,SAAS,GAA4B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,GAAG,KAAK,KAAK;YAAE,SAAS;QAC5B,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACtC,CAAC"}
@@ -0,0 +1,75 @@
1
+ /**
2
+ * Public content-fetch primitive for the linkAuth feature (design issue #113 §6.2).
3
+ *
4
+ * Ships as a standalone primitive — no consumer wiring (asset-references,
5
+ * bundling) lands in this slice. The shape and security disciplines are
6
+ * designed so future callers can adopt it without reworking the contract.
7
+ *
8
+ * Responsibility split:
9
+ * - `resolveAuthenticatedUrl` (engine): pick provider, rewrite URL, resolve
10
+ * token, expand auth.headers AND fetch.headers against the same context.
11
+ * - `ContentCache`: persist `(bytes, metadata)` keyed by rewritten URL with
12
+ * 30-min default TTL; whitelists fields so tokens cannot be persisted.
13
+ * - `authTransport`: cross-origin auth strip, 429/Retry-After handling.
14
+ * - **This primitive**: wire them together, decide cache vs fetch, build
15
+ * metadata, return a typed result.
16
+ *
17
+ * Behavior matrix:
18
+ * - Engine returns `unsupported` → return as-is, no fetch, no cache touch.
19
+ * - Engine returns `unverified` → return as-is, no fetch, **no cache touch**
20
+ * even if a cache was supplied (§6.3: result flips when a token appears,
21
+ * so caching the no-token answer would poison future runs).
22
+ * - Engine returns success + cache present + not forceRefresh + cache hit →
23
+ * return `{ bytes, metadata, cached: true }`, no fetch.
24
+ * - Engine returns success otherwise → fetch via `authTransport` (using
25
+ * `fetch.headers` merged over `auth.headers` when present), write to
26
+ * cache if supplied, return `{ bytes, metadata, cached: false }`.
27
+ *
28
+ * **Throws** on network-level failures from the transport: DNS resolution
29
+ * failure, TLS handshake failure, connection refused, `AbortError` from the
30
+ * caller's `signal`, or any underlying `fetchImpl` rejection. The cache is
31
+ * only touched after the response body is fully read, so a transport failure
32
+ * cannot land a partial entry on disk. Consumers that need degradation
33
+ * semantics (validators, batch tools) should wrap calls in a try/catch.
34
+ *
35
+ * **Token never persisted.** Tokens are interpolated into headers in-memory;
36
+ * the metadata interface excludes header fields. The cache additionally
37
+ * whitelists the metadata fields it accepts. See cycle-6 token-persistence
38
+ * test for the on-disk assertion.
39
+ *
40
+ * **High-volume callers**: token resolution can be expensive (`gh auth token`
41
+ * spawns a subprocess). Callers iterating many URLs should wrap their `deps`
42
+ * once with `wrapLinkAuthDepsWithMemo` from `./link-auth-deps-memo.js` and
43
+ * pass the wrapped object to every invocation, so the same argv resolves at
44
+ * most once across the iteration.
45
+ */
46
+ import { type LinkAuthConfig } from '@vibe-agent-toolkit/utils';
47
+ import { type ContentCache, type ContentMetadata } from './content-cache.js';
48
+ import { type LinkAuthDeps } from './link-auth-deps-memo.js';
49
+ import { type AuthTransportOptions } from './link-auth-transport.js';
50
+ export interface FetchAuthenticatedOptions {
51
+ /** Content cache to read from and write to. Omit to skip caching entirely. */
52
+ readonly cache?: ContentCache;
53
+ /** Bypass cache reads (still writes through on success). Default: false. */
54
+ readonly forceRefresh?: boolean;
55
+ /** Test/DI hook. Default: `globalThis.fetch`. */
56
+ readonly fetchImpl?: typeof fetch;
57
+ /** Token-resolution dependencies (env map, runCommand). Default: engine defaults. */
58
+ readonly deps?: LinkAuthDeps;
59
+ /** Propagated to the transport — caller's per-request timeout budget. */
60
+ readonly signal?: AbortSignal;
61
+ /** Per-call overrides for the transport's redirect / retry caps. */
62
+ readonly transportOptions?: AuthTransportOptions;
63
+ }
64
+ export type ContentFetchResult = {
65
+ readonly bytes: Uint8Array;
66
+ readonly metadata: ContentMetadata;
67
+ readonly cached: boolean;
68
+ } | {
69
+ readonly outcome: 'unsupported';
70
+ } | {
71
+ readonly outcome: 'unverified';
72
+ readonly reason: string;
73
+ };
74
+ export declare function fetchAuthenticated(url: string, config: LinkAuthConfig, options?: FetchAuthenticatedOptions): Promise<ContentFetchResult>;
75
+ //# sourceMappingURL=link-auth-content-fetch.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"link-auth-content-fetch.d.ts","sourceRoot":"","sources":["../src/link-auth-content-fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAEH,OAAO,EAA2B,KAAK,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAEzF,OAAO,EAAE,KAAK,YAAY,EAAE,KAAK,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC7E,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAiB,KAAK,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAEpF,MAAM,WAAW,yBAAyB;IACxC,8EAA8E;IAC9E,QAAQ,CAAC,KAAK,CAAC,EAAE,YAAY,CAAC;IAC9B,4EAA4E;IAC5E,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;IAChC,iDAAiD;IACjD,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC,qFAAqF;IACrF,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC;IAC7B,yEAAyE;IACzE,QAAQ,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC;IAC9B,oEAAoE;IACpE,QAAQ,CAAC,gBAAgB,CAAC,EAAE,oBAAoB,CAAC;CAClD;AAED,MAAM,MAAM,kBAAkB,GAC1B;IACE,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;IAC3B,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1B,GACD;IAAE,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAA;CAAE,GACnC;IAAE,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAEhE,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,cAAc,EACtB,OAAO,GAAE,yBAA8B,GACtC,OAAO,CAAC,kBAAkB,CAAC,CAiE7B"}