@warmdrift/kgauto-compiler 2.0.0-alpha.23 → 2.0.0-alpha.24

package/dist/glassbox-routes/index.d.mts

@@ -2,6 +2,41 @@ import { G as GlassboxEvent } from '../types-D9WndxeD.mjs';
 import '../ir-B9zqlwjH.mjs';
 import '../dialect.mjs';
 
+/**
+ * Internal config + hook types for createGlassboxRoutes().
+ *
+ * The public contract lives on `GlassboxRoutesConfig` in ./index.ts; these
+ * are the narrower per-handler shapes consumed by proxy.ts and stream.ts.
+ */
+
+/**
+ * Wire contract for the Glass-Box Chrome extension's brain-poll endpoint.
+ *
+ * The list mode of `proxy(req)` returns `{ traces: TraceSummary[] }`. The
+ * detail mode (`?traceId=<id>`) returns a single `TraceDetail`. These are
+ * the camelCase shapes the extension renderer expects — distinct from the
+ * snake_case `compile_outcomes` row shape that PostgREST returns. The
+ * factory's typed `rowToSummary` / `rowToDetail` transformer is the single
+ * canonical boundary between the DB shape and the wire shape (see
+ * `feedback_typed_boundary_transformers.md` in kgauto memory for the rule).
+ */
+interface TraceSummary {
+    traceId: string;
+    appId: string;
+    archetype: string;
+    target: string;
+    createdAt: string;
+    tokensIn: number;
+    tokensOut: number;
+    estimatedCostUsd: number;
+}
+interface TraceDetail extends TraceSummary {
+    mutationsApplied: unknown[];
+    advisories: unknown[];
+    rawRequest?: unknown;
+    rawResponse?: unknown;
+}
+
 /**
  * Public entry point for `@warmdrift/kgauto-compiler/glassbox-routes`.
  *
@@ -12,11 +47,12 @@ import '../dialect.mjs';
  *   // app/api/glassbox/proxy/route.ts
  *   import { createGlassboxRoutes } from '@warmdrift/kgauto-compiler/glassbox-routes';
  *   const { proxy } = createGlassboxRoutes({
- *     installToken: process.env.GLASSBOX_INSTALL_TOKEN!,
- *     extensionId:  process.env.GLASSBOX_EXTENSION_ID!,
+ *     installToken:  process.env.GLASSBOX_INSTALL_TOKEN!,
+ *     extensionId:   process.env.GLASSBOX_EXTENSION_ID!,
  *     brainEndpoint: process.env.GLASSBOX_BRAIN_ENDPOINT!,
- *     brainJwt:     process.env.GLASSBOX_BRAIN_JWT!,
- *     appId:        'playbacksam',
+ *     brainJwt:      process.env.GLASSBOX_BRAIN_JWT!,      // scoped JWT (RLS via app_id claim)
+ *     brainAnonKey:  process.env.GLASSBOX_BRAIN_ANON_KEY!, // project anon/publishable key (Supabase apikey header)
+ *     appId:         'playbacksam',
  *   });
  *   export { proxy as GET };
  *
@@ -41,8 +77,21 @@ interface GlassboxRoutesConfig {
     extensionId: string;
     /** Brain endpoint base (e.g. https://kgauto-brain.supabase.co). Used by `proxy` for replay queries. */
     brainEndpoint: string;
-    /** Scoped JWT for brain reads. Use the per-consumer JWT minted via migration 013 (claim: app_id). */
+    /** Scoped JWT for brain reads. Use the per-consumer JWT minted via migration 013 (claim: app_id). Drives RLS via the `app_id` claim; sent as `Authorization: Bearer <jwt>` only. */
     brainJwt: string;
+    /**
+     * Anon/publishable key for the Supabase `apikey` header. Supabase requires
+     * `apikey` to be one of the project's known keys (anon or service_role) —
+     * the scoped JWT in `brainJwt` doesn't qualify there. Pass the project's
+     * legacy `anon` key (JWT format, role=anon) or the modern `sb_publishable_...`
+     * key. Safe to expose at the wire (that's what "publishable" means).
+     *
+     * Pre-alpha.24 this was missing and `brainJwt` was used as apikey too — first
+     * real call always 401'd against real Supabase. Catching this required a
+     * pre-publish smoke against the real brain; unit tests with mocked fetch
+     * couldn't surface it. See L-117 in command-center/learnings.md.
+     */
+    brainAnonKey: string;
     /** App scope filter — must match the JWT's app_id claim. */
     appId: string;
     /**
@@ -70,4 +119,4 @@ interface GlassboxRoutes {
 }
 declare function createGlassboxRoutes(config: GlassboxRoutesConfig): GlassboxRoutes;
 
-export { type GlassboxRoutes, type GlassboxRoutesConfig, createGlassboxRoutes };
+export { type GlassboxRoutes, type GlassboxRoutesConfig, type TraceDetail, type TraceSummary, createGlassboxRoutes };

package/dist/glassbox-routes/index.d.ts

@@ -2,6 +2,41 @@ import { G as GlassboxEvent } from '../types-DiWBWvxg.js';
 import '../ir-B_XX2LAO.js';
 import '../dialect.js';
 
+/**
+ * Internal config + hook types for createGlassboxRoutes().
+ *
+ * The public contract lives on `GlassboxRoutesConfig` in ./index.ts; these
+ * are the narrower per-handler shapes consumed by proxy.ts and stream.ts.
+ */
+
+/**
+ * Wire contract for the Glass-Box Chrome extension's brain-poll endpoint.
+ *
+ * The list mode of `proxy(req)` returns `{ traces: TraceSummary[] }`. The
+ * detail mode (`?traceId=<id>`) returns a single `TraceDetail`. These are
+ * the camelCase shapes the extension renderer expects — distinct from the
+ * snake_case `compile_outcomes` row shape that PostgREST returns. The
+ * factory's typed `rowToSummary` / `rowToDetail` transformer is the single
+ * canonical boundary between the DB shape and the wire shape (see
+ * `feedback_typed_boundary_transformers.md` in kgauto memory for the rule).
+ */
+interface TraceSummary {
+    traceId: string;
+    appId: string;
+    archetype: string;
+    target: string;
+    createdAt: string;
+    tokensIn: number;
+    tokensOut: number;
+    estimatedCostUsd: number;
+}
+interface TraceDetail extends TraceSummary {
+    mutationsApplied: unknown[];
+    advisories: unknown[];
+    rawRequest?: unknown;
+    rawResponse?: unknown;
+}
+
 /**
  * Public entry point for `@warmdrift/kgauto-compiler/glassbox-routes`.
  *
@@ -12,11 +47,12 @@ import '../dialect.js';
  *   // app/api/glassbox/proxy/route.ts
  *   import { createGlassboxRoutes } from '@warmdrift/kgauto-compiler/glassbox-routes';
  *   const { proxy } = createGlassboxRoutes({
- *     installToken: process.env.GLASSBOX_INSTALL_TOKEN!,
- *     extensionId:  process.env.GLASSBOX_EXTENSION_ID!,
+ *     installToken:  process.env.GLASSBOX_INSTALL_TOKEN!,
+ *     extensionId:   process.env.GLASSBOX_EXTENSION_ID!,
  *     brainEndpoint: process.env.GLASSBOX_BRAIN_ENDPOINT!,
- *     brainJwt:     process.env.GLASSBOX_BRAIN_JWT!,
- *     appId:        'playbacksam',
+ *     brainJwt:      process.env.GLASSBOX_BRAIN_JWT!,      // scoped JWT (RLS via app_id claim)
+ *     brainAnonKey:  process.env.GLASSBOX_BRAIN_ANON_KEY!, // project anon/publishable key (Supabase apikey header)
+ *     appId:         'playbacksam',
  *   });
  *   export { proxy as GET };
  *
@@ -41,8 +77,21 @@ interface GlassboxRoutesConfig {
     extensionId: string;
     /** Brain endpoint base (e.g. https://kgauto-brain.supabase.co). Used by `proxy` for replay queries. */
     brainEndpoint: string;
-    /** Scoped JWT for brain reads. Use the per-consumer JWT minted via migration 013 (claim: app_id). */
+    /** Scoped JWT for brain reads. Use the per-consumer JWT minted via migration 013 (claim: app_id). Drives RLS via the `app_id` claim; sent as `Authorization: Bearer <jwt>` only. */
     brainJwt: string;
+    /**
+     * Anon/publishable key for the Supabase `apikey` header. Supabase requires
+     * `apikey` to be one of the project's known keys (anon or service_role) —
+     * the scoped JWT in `brainJwt` doesn't qualify there. Pass the project's
+     * legacy `anon` key (JWT format, role=anon) or the modern `sb_publishable_...`
+     * key. Safe to expose at the wire (that's what "publishable" means).
+     *
+     * Pre-alpha.24 this was missing and `brainJwt` was used as apikey too — first
+     * real call always 401'd against real Supabase. Catching this required a
+     * pre-publish smoke against the real brain; unit tests with mocked fetch
+     * couldn't surface it. See L-117 in command-center/learnings.md.
+     */
+    brainAnonKey: string;
     /** App scope filter — must match the JWT's app_id claim. */
     appId: string;
     /**
@@ -70,4 +119,4 @@ interface GlassboxRoutes {
 }
 declare function createGlassboxRoutes(config: GlassboxRoutesConfig): GlassboxRoutes;
 
-export { type GlassboxRoutes, type GlassboxRoutesConfig, createGlassboxRoutes };
+export { type GlassboxRoutes, type GlassboxRoutesConfig, type TraceDetail, type TraceSummary, createGlassboxRoutes };

package/dist/glassbox-routes/index.js

@@ -48,8 +48,11 @@ function checkAuth(req, config) {
     return jsonError(401, "unauthorized");
   }
   const origin = req.headers.get("Origin") ?? "";
-  const expected = `chrome-extension://${config.extensionId}`;
-  if (origin !== expected) {
+  const xExtId = req.headers.get("X-Glassbox-Extension-Id") ?? "";
+  const expectedOrigin = `chrome-extension://${config.extensionId}`;
+  const originOk = origin === expectedOrigin;
+  const xExtOk = xExtId.length > 0 && tokensEqual(xExtId, config.extensionId);
+  if (!originOk && !xExtOk) {
     return jsonError(403, "forbidden_origin");
   }
   return null;
@@ -82,12 +85,35 @@ function parseLimit(raw) {
   if (!Number.isFinite(n) || n <= 0) return DEFAULT_LIMIT;
   return Math.min(n, MAX_LIMIT);
 }
+function rowToSummary(row) {
+  return {
+    traceId: typeof row.handle === "string" ? row.handle : "",
+    appId: typeof row.app_id === "string" ? row.app_id : "",
+    archetype: typeof row.intent_archetype === "string" ? row.intent_archetype : "",
+    target: typeof row.model === "string" ? row.model : "",
+    createdAt: typeof row.created_at === "string" ? row.created_at : "",
+    tokensIn: typeof row.tokens_in === "number" ? row.tokens_in : 0,
+    tokensOut: typeof row.tokens_out === "number" ? row.tokens_out : 0,
+    estimatedCostUsd: typeof row.cost_usd_actual === "number" ? row.cost_usd_actual : 0
+  };
+}
+function rowToDetail(row) {
+  return {
+    ...rowToSummary(row),
+    mutationsApplied: Array.isArray(row.mutations_applied) ? row.mutations_applied : [],
+    advisories: [],
+    // compile_outcomes has no advisories column today
+    rawRequest: row.prompt_preview ?? void 0,
+    rawResponse: row.response_preview ?? void 0
+  };
+}
 function createProxyHandler(config) {
   const {
     installToken,
     extensionId,
     brainEndpoint,
     brainJwt,
+    brainAnonKey,
     appId,
     scrub,
     fetch: fetchImpl
@@ -114,8 +140,13 @@ function createProxyHandler(config) {
       brainRes = await doFetch(brainUrl, {
         method: "GET",
         headers: {
+          // Authorization carries the scoped JWT — drives RLS via app_id claim.
           Authorization: `Bearer ${brainJwt}`,
-          apikey: brainJwt,
+          // apikey MUST be one of the project's known keys (anon or
+          // service_role). Supabase rejects any other JWT here, even when
+          // HS256-signed with the same secret. Pre-alpha.24 this was set to
+          // brainJwt and silently 401'd against real Supabase. See L-117.
+          apikey: brainAnonKey,
           Accept: "application/json"
         }
       });
@@ -140,8 +171,15 @@ function createProxyHandler(config) {
     if (!Array.isArray(rows)) {
       return jsonError2(502, "brain_unavailable");
     }
-    const scrubbed = rows.map((row) => applyScrub(row, scrub));
-    return jsonResponse(200, scrubbed);
+    const scrubbed = rows.map(
+      (row) => applyScrub(row, scrub)
+    );
+    if (traceId) {
+      const first = scrubbed[0];
+      if (!first) return jsonError2(404, "not_found");
+      return jsonResponse(200, rowToDetail(first));
+    }
+    return jsonResponse(200, { traces: scrubbed.map(rowToSummary) });
   };
 }
 
@@ -533,12 +571,14 @@ function createGlassboxRoutes(config) {
   const extensionId = requireString("extensionId", config.extensionId);
   const brainEndpoint = requireString("brainEndpoint", config.brainEndpoint);
   const brainJwt = requireString("brainJwt", config.brainJwt);
+  const brainAnonKey = requireString("brainAnonKey", config.brainAnonKey);
   const appId = requireString("appId", config.appId);
   const proxy = createProxyHandler({
     installToken,
     extensionId,
     brainEndpoint,
     brainJwt,
+    brainAnonKey,
     appId,
     scrub: config.scrub,
     fetch: config.fetch

package/dist/glassbox-routes/index.mjs

@@ -27,8 +27,11 @@ function checkAuth(req, config) {
     return jsonError(401, "unauthorized");
   }
   const origin = req.headers.get("Origin") ?? "";
-  const expected = `chrome-extension://${config.extensionId}`;
-  if (origin !== expected) {
+  const xExtId = req.headers.get("X-Glassbox-Extension-Id") ?? "";
+  const expectedOrigin = `chrome-extension://${config.extensionId}`;
+  const originOk = origin === expectedOrigin;
+  const xExtOk = xExtId.length > 0 && tokensEqual(xExtId, config.extensionId);
+  if (!originOk && !xExtOk) {
     return jsonError(403, "forbidden_origin");
   }
   return null;
@@ -61,12 +64,35 @@ function parseLimit(raw) {
   if (!Number.isFinite(n) || n <= 0) return DEFAULT_LIMIT;
   return Math.min(n, MAX_LIMIT);
 }
+function rowToSummary(row) {
+  return {
+    traceId: typeof row.handle === "string" ? row.handle : "",
+    appId: typeof row.app_id === "string" ? row.app_id : "",
+    archetype: typeof row.intent_archetype === "string" ? row.intent_archetype : "",
+    target: typeof row.model === "string" ? row.model : "",
+    createdAt: typeof row.created_at === "string" ? row.created_at : "",
+    tokensIn: typeof row.tokens_in === "number" ? row.tokens_in : 0,
+    tokensOut: typeof row.tokens_out === "number" ? row.tokens_out : 0,
+    estimatedCostUsd: typeof row.cost_usd_actual === "number" ? row.cost_usd_actual : 0
+  };
+}
+function rowToDetail(row) {
+  return {
+    ...rowToSummary(row),
+    mutationsApplied: Array.isArray(row.mutations_applied) ? row.mutations_applied : [],
+    advisories: [],
+    // compile_outcomes has no advisories column today
+    rawRequest: row.prompt_preview ?? void 0,
+    rawResponse: row.response_preview ?? void 0
+  };
+}
 function createProxyHandler(config) {
   const {
     installToken,
     extensionId,
     brainEndpoint,
     brainJwt,
+    brainAnonKey,
     appId,
     scrub,
     fetch: fetchImpl
@@ -93,8 +119,13 @@ function createProxyHandler(config) {
       brainRes = await doFetch(brainUrl, {
         method: "GET",
         headers: {
+          // Authorization carries the scoped JWT — drives RLS via app_id claim.
           Authorization: `Bearer ${brainJwt}`,
-          apikey: brainJwt,
+          // apikey MUST be one of the project's known keys (anon or
+          // service_role). Supabase rejects any other JWT here, even when
+          // HS256-signed with the same secret. Pre-alpha.24 this was set to
+          // brainJwt and silently 401'd against real Supabase. See L-117.
+          apikey: brainAnonKey,
           Accept: "application/json"
         }
       });
@@ -119,8 +150,15 @@ function createProxyHandler(config) {
     if (!Array.isArray(rows)) {
       return jsonError2(502, "brain_unavailable");
     }
-    const scrubbed = rows.map((row) => applyScrub(row, scrub));
-    return jsonResponse(200, scrubbed);
+    const scrubbed = rows.map(
+      (row) => applyScrub(row, scrub)
+    );
+    if (traceId) {
+      const first = scrubbed[0];
+      if (!first) return jsonError2(404, "not_found");
+      return jsonResponse(200, rowToDetail(first));
+    }
+    return jsonResponse(200, { traces: scrubbed.map(rowToSummary) });
   };
 }
 
@@ -243,12 +281,14 @@ function createGlassboxRoutes(config) {
   const extensionId = requireString("extensionId", config.extensionId);
   const brainEndpoint = requireString("brainEndpoint", config.brainEndpoint);
   const brainJwt = requireString("brainJwt", config.brainJwt);
+  const brainAnonKey = requireString("brainAnonKey", config.brainAnonKey);
   const appId = requireString("appId", config.appId);
   const proxy = createProxyHandler({
     installToken,
     extensionId,
     brainEndpoint,
     brainJwt,
+    brainAnonKey,
     appId,
     scrub: config.scrub,
     fetch: config.fetch

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@warmdrift/kgauto-compiler",
-  "version": "2.0.0-alpha.23",
+  "version": "2.0.0-alpha.24",
   "description": "Prompt compiler + central learning brain for multi-model AI apps. Swap models without rewriting prompts.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",