akribes 0.21.17

package/dist/sub/versions.d.ts

@@ -0,0 +1,29 @@
+import type { HttpClient } from '../http';
+import type { ScriptVersion, ScriptVersionResponse, DryRunResult } from '../types';
+export declare class VersionsClient {
+    private http;
+    private projectId;
+    private defaultPublishedBy;
+    constructor(http: HttpClient, projectId: number, defaultPublishedBy: string | undefined);
+    private path;
+    list(scriptName: string, opts?: {
+        signal?: AbortSignal;
+    }): Promise<ScriptVersion[]>;
+    get(scriptName: string, versionId: number, opts?: {
+        signal?: AbortSignal;
+    }): Promise<ScriptVersion | null>;
+    getLatest(scriptName: string, opts?: {
+        signal?: AbortSignal;
+    }): Promise<ScriptVersionResponse | null>;
+    /** @deprecated Use scripts.saveDraft + versions.publish instead */
+    save(scriptName: string, source: string, opts?: {
+        signal?: AbortSignal;
+    }): Promise<void>;
+    publish(scriptName: string, label: string | null, channels: string[], publishedBy?: string, opts?: {
+        force?: boolean;
+        reason?: string;
+        dryRun?: boolean;
+        signal?: AbortSignal;
+    }): Promise<ScriptVersion | DryRunResult>;
+}
+//# sourceMappingURL=versions.d.ts.map

package/dist/sub/versions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"versions.d.ts","sourceRoot":"","sources":["../../src/sub/versions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C,OAAO,KAAK,EAAE,aAAa,EAAE,qBAAqB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAEnF,qBAAa,cAAc;IAEvB,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,kBAAkB;gBAFlB,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,GAAG,SAAS;IAGhD,OAAO,CAAC,IAAI;IAIN,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,WAAW,CAAA;KAAE,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAInF,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,WAAW,CAAA;KAAE,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAM1G,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,WAAW,CAAA;KAAE,GAAG,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC;IAM3G,mEAAmE;IAC7D,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,WAAW,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAOxF,OAAO,CACX,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,GAAG,IAAI,EACpB,QAAQ,EAAE,MAAM,EAAE,EAClB,WAAW,CAAC,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,WAAW,CAAA;KAAE,GAClF,OAAO,CAAC,aAAa,GAAG,YAAY,CAAC;CAoBzC"}

package/dist/sub/versions.js

@@ -0,0 +1,52 @@
+import { nullOn404 } from '../http';
+export class VersionsClient {
+    http;
+    projectId;
+    defaultPublishedBy;
+    constructor(http, projectId, defaultPublishedBy) {
+        this.http = http;
+        this.projectId = projectId;
+        this.defaultPublishedBy = defaultPublishedBy;
+    }
+    path(scriptName, ...segments) {
+        return this.http.scriptPath(this.projectId, scriptName, ...segments);
+    }
+    async list(scriptName, opts) {
+        return (await this.http.fetchOk(this.path(scriptName, 'versions'), opts)).json();
+    }
+    async get(scriptName, versionId, opts) {
+        return nullOn404(async () => (await this.http.fetchOk(this.path(scriptName, 'versions', String(versionId)), opts)).json());
+    }
+    async getLatest(scriptName, opts) {
+        return nullOn404(async () => (await this.http.fetchOk(this.path(scriptName, 'latest'), opts)).json());
+    }
+    /** @deprecated Use scripts.saveDraft + versions.publish instead */
+    async save(scriptName, source, opts) {
+        await this.http.fetchOk(this.path(scriptName, 'versions'), {
+            method: 'POST', headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ source }), signal: opts?.signal,
+        });
+    }
+    async publish(scriptName, label, channels, publishedBy, opts) {
+        const body = await (await this.http.fetchOk(this.path(scriptName, 'publish'), {
+            method: 'POST', headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                label, channels,
+                published_by: publishedBy ?? this.defaultPublishedBy,
+                force: opts?.force,
+                // The server persists `reason` on the versions row's
+                // force_published_reason column when force is true and the
+                // unified contract check produced breaks. ≥ 20 chars enforced
+                // server-side; the Studio enforces it client-side too for fast
+                // feedback but the source of truth is the server.
+                reason: opts?.reason,
+                dry_run: opts?.dryRun,
+            }),
+            signal: opts?.signal,
+        })).json();
+        if (body.dry_run)
+            return body;
+        return body.version;
+    }
+}
+//# sourceMappingURL=versions.js.map

package/dist/sub/versions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"versions.js","sourceRoot":"","sources":["../../src/sub/versions.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAGpC,MAAM,OAAO,cAAc;IAEf;IACA;IACA;IAHV,YACU,IAAgB,EAChB,SAAiB,EACjB,kBAAsC;QAFtC,SAAI,GAAJ,IAAI,CAAY;QAChB,cAAS,GAAT,SAAS,CAAQ;QACjB,uBAAkB,GAAlB,kBAAkB,CAAoB;IAC7C,CAAC;IAEI,IAAI,CAAC,UAAkB,EAAE,GAAG,QAAkB;QACpD,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,GAAG,QAAQ,CAAC,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,UAAkB,EAAE,IAA+B;QAC5D,OAAO,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACnF,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,UAAkB,EAAE,SAAiB,EAAE,IAA+B;QAC9E,OAAO,SAAS,CAAC,KAAK,IAAI,EAAE,CAC1B,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAC7F,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,UAAkB,EAAE,IAA+B;QACjE,OAAO,SAAS,CAAC,KAAK,IAAI,EAAE,CAC1B,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CACxE,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,IAAI,CAAC,UAAkB,EAAE,MAAc,EAAE,IAA+B;QAC5E,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE;YACzD,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/D,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;SACvD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO,CACX,UAAkB,EAClB,KAAoB,EACpB,QAAkB,EAClB,WAAoB,EACpB,IAAmF;QAEnF,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,EAAE;YAC5E,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/D,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,QAAQ;gBACf,YAAY,EAAE,WAAW,IAAI,IAAI,CAAC,kBAAkB;gBACpD,KAAK,EAAE,IAAI,EAAE,KAAK;gBAClB,qDAAqD;gBACrD,2DAA2D;gBAC3D,8DAA8D;gBAC9D,+DAA+D;gBAC/D,kDAAkD;gBAClD,MAAM,EAAE,IAAI,EAAE,MAAM;gBACpB,OAAO,EAAE,IAAI,EAAE,MAAM;aACtB,CAAC;YACF,MAAM,EAAE,IAAI,EAAE,MAAM;SACrB,CAAC,CAAC,CAAC,IAAI,EAAmE,CAAC;QAC5E,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAoB,CAAC;QAC9C,OAAO,IAAI,CAAC,OAAwB,CAAC;IACvC,CAAC;CACF"}

package/dist/tokenSafety.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Refuse to put a token in a URL query string unless it looks like a
+ * scoped token (`akribes_tk_…` / `aura_tk_…`). Long-lived service
+ * tokens — the secret half of `AKRIBES_SERVICE_TOKEN_<NAME>=*:secret`
+ * configured on trusted backends like puto — must never traverse a
+ * reverse-proxy / load-balancer / Forgejo-runner access log via
+ * `?token=`, because a leak of a wildcard-Admin service token equals
+ * full platform compromise (PENTEST CRITICAL-02).
+ *
+ * Call this from any SDK code path that appends a token to a URL.
+ * It throws synchronously so misuse is caught at the call site, not
+ * silently leaked at request time.
+ */
+export declare function assertTokenSafeInUrl(token: string): void;
+//# sourceMappingURL=tokenSafety.d.ts.map

package/dist/tokenSafety.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenSafety.d.ts","sourceRoot":"","sources":["../src/tokenSafety.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAWxD"}

package/dist/tokenSafety.js

@@ -0,0 +1,24 @@
+/**
+ * Refuse to put a token in a URL query string unless it looks like a
+ * scoped token (`akribes_tk_…` / `aura_tk_…`). Long-lived service
+ * tokens — the secret half of `AKRIBES_SERVICE_TOKEN_<NAME>=*:secret`
+ * configured on trusted backends like puto — must never traverse a
+ * reverse-proxy / load-balancer / Forgejo-runner access log via
+ * `?token=`, because a leak of a wildcard-Admin service token equals
+ * full platform compromise (PENTEST CRITICAL-02).
+ *
+ * Call this from any SDK code path that appends a token to a URL.
+ * It throws synchronously so misuse is caught at the call site, not
+ * silently leaked at request time.
+ */
+export function assertTokenSafeInUrl(token) {
+    if (token.startsWith('akribes_tk_') || token.startsWith('aura_tk_')) {
+        return;
+    }
+    throw new Error('Refusing to put a non-scoped token in the URL query string. ' +
+        'Scoped tokens (akribes_tk_…) may be passed in ?token= because they ' +
+        'are short-lived and revokable; service tokens (the secret half of ' +
+        'AKRIBES_SERVICE_TOKEN_<NAME>=*:secret) MUST use header bearer auth ' +
+        'and never appear in URLs that hit access logs.');
+}
+//# sourceMappingURL=tokenSafety.js.map

package/dist/tokenSafety.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenSafety.js","sourceRoot":"","sources":["../src/tokenSafety.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,IAAI,KAAK,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACpE,OAAO;IACT,CAAC;IACD,MAAM,IAAI,KAAK,CACb,8DAA8D;QAC5D,qEAAqE;QACrE,oEAAoE;QACpE,qEAAqE;QACrE,gDAAgD,CACnD,CAAC;AACJ,CAAC"}