npm - codepiper - Versions diffs - 0.1.0 - Mend

codepiper 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

package/.env.example +28 -0
package/CHANGELOG.md +10 -0
package/LEGAL_NOTICE.md +39 -0
package/LICENSE +21 -0
package/README.md +524 -0
package/package.json +90 -0
package/packages/cli/package.json +13 -0
package/packages/cli/src/commands/analytics.ts +157 -0
package/packages/cli/src/commands/attach.ts +299 -0
package/packages/cli/src/commands/audit.ts +50 -0
package/packages/cli/src/commands/auth.ts +261 -0
package/packages/cli/src/commands/daemon.ts +162 -0
package/packages/cli/src/commands/doctor.ts +303 -0
package/packages/cli/src/commands/env-set.ts +162 -0
package/packages/cli/src/commands/hook-forward.ts +268 -0
package/packages/cli/src/commands/keys.ts +77 -0
package/packages/cli/src/commands/kill.ts +19 -0
package/packages/cli/src/commands/logs.ts +419 -0
package/packages/cli/src/commands/model.ts +172 -0
package/packages/cli/src/commands/policy-set.ts +185 -0
package/packages/cli/src/commands/policy.ts +227 -0
package/packages/cli/src/commands/providers.ts +114 -0
package/packages/cli/src/commands/resize.ts +34 -0
package/packages/cli/src/commands/send.ts +184 -0
package/packages/cli/src/commands/sessions.ts +202 -0
package/packages/cli/src/commands/slash.ts +92 -0
package/packages/cli/src/commands/start.ts +243 -0
package/packages/cli/src/commands/stop.ts +19 -0
package/packages/cli/src/commands/tail.ts +137 -0
package/packages/cli/src/commands/workflow.ts +786 -0
package/packages/cli/src/commands/workspace.ts +127 -0
package/packages/cli/src/lib/api.ts +78 -0
package/packages/cli/src/lib/args.ts +72 -0
package/packages/cli/src/lib/format.ts +93 -0
package/packages/cli/src/main.ts +563 -0
package/packages/core/package.json +7 -0
package/packages/core/src/config.ts +30 -0
package/packages/core/src/errors.ts +38 -0
package/packages/core/src/eventBus.ts +56 -0
package/packages/core/src/eventBusAdapter.ts +143 -0
package/packages/core/src/index.ts +10 -0
package/packages/core/src/sqliteEventBus.ts +336 -0
package/packages/core/src/types.ts +63 -0
package/packages/daemon/package.json +11 -0
package/packages/daemon/src/api/analyticsRoutes.ts +343 -0
package/packages/daemon/src/api/authRoutes.ts +344 -0
package/packages/daemon/src/api/bodyLimit.ts +133 -0
package/packages/daemon/src/api/envSetRoutes.ts +170 -0
package/packages/daemon/src/api/gitRoutes.ts +409 -0
package/packages/daemon/src/api/hooks.ts +588 -0
package/packages/daemon/src/api/inputPolicy.ts +249 -0
package/packages/daemon/src/api/notificationRoutes.ts +532 -0
package/packages/daemon/src/api/policyRoutes.ts +234 -0
package/packages/daemon/src/api/policySetRoutes.ts +445 -0
package/packages/daemon/src/api/routeUtils.ts +28 -0
package/packages/daemon/src/api/routes.ts +1004 -0
package/packages/daemon/src/api/server.ts +1388 -0
package/packages/daemon/src/api/settingsRoutes.ts +367 -0
package/packages/daemon/src/api/sqliteErrors.ts +47 -0
package/packages/daemon/src/api/stt.ts +143 -0
package/packages/daemon/src/api/terminalRoutes.ts +200 -0
package/packages/daemon/src/api/validation.ts +287 -0
package/packages/daemon/src/api/validationRoutes.ts +174 -0
package/packages/daemon/src/api/workflowRoutes.ts +567 -0
package/packages/daemon/src/api/workspaceRoutes.ts +151 -0
package/packages/daemon/src/api/ws.ts +1588 -0
package/packages/daemon/src/auth/apiRateLimiter.ts +73 -0
package/packages/daemon/src/auth/authMiddleware.ts +305 -0
package/packages/daemon/src/auth/authService.ts +496 -0
package/packages/daemon/src/auth/rateLimiter.ts +137 -0
package/packages/daemon/src/config/pricing.ts +79 -0
package/packages/daemon/src/crypto/encryption.ts +196 -0
package/packages/daemon/src/db/db.ts +2745 -0
package/packages/daemon/src/db/index.ts +16 -0
package/packages/daemon/src/db/migrations.ts +182 -0
package/packages/daemon/src/db/policyDb.ts +349 -0
package/packages/daemon/src/db/schema.sql +408 -0
package/packages/daemon/src/db/workflowDb.ts +464 -0
package/packages/daemon/src/git/gitUtils.ts +544 -0
package/packages/daemon/src/index.ts +6 -0
package/packages/daemon/src/main.ts +525 -0
package/packages/daemon/src/notifications/pushNotifier.ts +369 -0
package/packages/daemon/src/providers/codexAppServerScaffold.ts +49 -0
package/packages/daemon/src/providers/registry.ts +111 -0
package/packages/daemon/src/providers/types.ts +82 -0
package/packages/daemon/src/sessions/auditLogger.ts +103 -0
package/packages/daemon/src/sessions/policyEngine.ts +165 -0
package/packages/daemon/src/sessions/policyMatcher.ts +114 -0
package/packages/daemon/src/sessions/policyTypes.ts +94 -0
package/packages/daemon/src/sessions/ptyProcess.ts +141 -0
package/packages/daemon/src/sessions/sessionManager.ts +1770 -0
package/packages/daemon/src/sessions/tmuxSession.ts +1073 -0
package/packages/daemon/src/sessions/transcriptManager.ts +110 -0
package/packages/daemon/src/sessions/transcriptParser.ts +149 -0
package/packages/daemon/src/sessions/transcriptTailer.ts +214 -0
package/packages/daemon/src/tracking/tokenTracker.ts +168 -0
package/packages/daemon/src/workflows/contextManager.ts +83 -0
package/packages/daemon/src/workflows/index.ts +31 -0
package/packages/daemon/src/workflows/resultExtractor.ts +118 -0
package/packages/daemon/src/workflows/waitConditionPoller.ts +131 -0
package/packages/daemon/src/workflows/workflowParser.ts +217 -0
package/packages/daemon/src/workflows/workflowRunner.ts +969 -0
package/packages/daemon/src/workflows/workflowTypes.ts +188 -0
package/packages/daemon/src/workflows/workflowValidator.ts +533 -0
package/packages/providers/claude-code/package.json +11 -0
package/packages/providers/claude-code/src/index.ts +7 -0
package/packages/providers/claude-code/src/overlaySettings.ts +198 -0
package/packages/providers/claude-code/src/provider.ts +311 -0
package/packages/web/dist/android-chrome-192x192.png +0 -0
package/packages/web/dist/android-chrome-512x512.png +0 -0
package/packages/web/dist/apple-touch-icon.png +0 -0
package/packages/web/dist/assets/AnalyticsPage-BIopKWRf.js +17 -0
package/packages/web/dist/assets/PoliciesPage-CjdLN3dl.js +11 -0
package/packages/web/dist/assets/SessionDetailPage-BtSA0V0M.js +179 -0
package/packages/web/dist/assets/SettingsPage-Dbbz4Ca5.js +37 -0
package/packages/web/dist/assets/WorkflowsPage-Dv6f3GgU.js +1 -0
package/packages/web/dist/assets/chart-vendor-DlOHLaCG.js +49 -0
package/packages/web/dist/assets/codicon-ngg6Pgfi.ttf +0 -0
package/packages/web/dist/assets/css.worker-BvV5MPou.js +93 -0
package/packages/web/dist/assets/editor.worker-CKy7Pnvo.js +26 -0
package/packages/web/dist/assets/html.worker-BLJhxQJQ.js +470 -0
package/packages/web/dist/assets/index-BbdhRfr2.css +1 -0
package/packages/web/dist/assets/index-hgphORiw.js +204 -0
package/packages/web/dist/assets/json.worker-usMZ-FED.js +58 -0
package/packages/web/dist/assets/monaco-core-B_19GPAS.css +1 -0
package/packages/web/dist/assets/monaco-core-DQ5Mk8AK.js +1234 -0
package/packages/web/dist/assets/monaco-react-DfZNWvtW.js +11 -0
package/packages/web/dist/assets/monacoSetup-DvBj52bT.js +1 -0
package/packages/web/dist/assets/pencil-Dbczxz59.js +11 -0
package/packages/web/dist/assets/react-vendor-B5MgMUHH.js +136 -0
package/packages/web/dist/assets/refresh-cw-B0MGsYPL.js +6 -0
package/packages/web/dist/assets/tabs-C8LsWiR5.js +1 -0
package/packages/web/dist/assets/terminal-vendor-Cs8KPbV3.js +9 -0
package/packages/web/dist/assets/terminal-vendor-LcAfv9l9.css +32 -0
package/packages/web/dist/assets/trash-2-Btlg0d4l.js +6 -0
package/packages/web/dist/assets/ts.worker-DGHjMaqB.js +67731 -0
package/packages/web/dist/favicon.ico +0 -0
package/packages/web/dist/icon.svg +1 -0
package/packages/web/dist/index.html +29 -0
package/packages/web/dist/manifest.json +29 -0
package/packages/web/dist/og-image.png +0 -0
package/packages/web/dist/originals/android-chrome-192x192.png +0 -0
package/packages/web/dist/originals/android-chrome-512x512.png +0 -0
package/packages/web/dist/originals/apple-touch-icon.png +0 -0
package/packages/web/dist/originals/favicon.ico +0 -0
package/packages/web/dist/piper.svg +1 -0
package/packages/web/dist/sounds/codepiper-soft-chime.wav +0 -0
package/packages/web/dist/sw.js +257 -0
package/scripts/postinstall-link-workspaces.mjs +58 -0

package/packages/daemon/src/api/policyRoutes.ts ADDED Viewed

@@ -0,0 +1,234 @@
+/**
+ * Policy API route handlers
+ */
+import type { PolicyRule } from "../db/policyDb";
+import { createPolicyDb } from "../db/policyDb";
+import type { RouteContext } from "./routes";
+import { jsonError, parseJsonBody } from "./routeUtils";
+import {
+  getErrorMessage,
+  isSqliteForeignKeyConstraintError,
+  isSqliteUniqueConstraintError,
+} from "./sqliteErrors";
+/**
+ * GET /policies - List all policies
+ */
+export async function handleListPolicies(req: Request, ctx: RouteContext): Promise<Response> {
+  const policyDb = createPolicyDb(ctx.db);
+  // Parse query parameters
+  const url = new URL(req.url);
+  const enabledParam = url.searchParams.get("enabled");
+  const sessionIdParam = url.searchParams.get("sessionId");
+  const options: any = {};
+  if (enabledParam !== null) {
+    options.enabled = enabledParam === "true";
+  }
+  if (sessionIdParam !== null) {
+    options.sessionId = sessionIdParam === "null" ? null : sessionIdParam;
+  }
+  const policies = policyDb.getPolicies(options);
+  return Response.json({ policies });
+}
+/**
+ * POST /policies - Create a new policy
+ */
+export async function handleCreatePolicy(req: Request, ctx: RouteContext): Promise<Response> {
+  const parsed = await parseJsonBody<Record<string, unknown>>(req);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const body = parsed.body as any;
+  // Validate required fields
+  if (!body.id) {
+    return jsonError(400, "Missing required field: id");
+  }
+  if (!body.name) {
+    return jsonError(400, "Missing required field: name");
+  }
+  if (body.enabled === undefined) {
+    return jsonError(400, "Missing required field: enabled");
+  }
+  if (body.priority === undefined) {
+    return jsonError(400, "Missing required field: priority");
+  }
+  if (body.sessionId === undefined) {
+    return jsonError(400, "Missing required field: sessionId");
+  }
+  if (!body.rules) {
+    return jsonError(400, "Missing required field: rules");
+  }
+  if (!Array.isArray(body.rules)) {
+    return jsonError(400, "Field 'rules' must be an array");
+  }
+  if (typeof body.enabled !== "boolean") {
+    return jsonError(400, "Field 'enabled' must be a boolean");
+  }
+  if (
+    typeof body.priority !== "number" ||
+    !Number.isInteger(body.priority) ||
+    !Number.isFinite(body.priority)
+  ) {
+    return jsonError(400, "Field 'priority' must be an integer");
+  }
+  if (body.sessionId !== null && typeof body.sessionId !== "string") {
+    return jsonError(400, "Field 'sessionId' must be a string or null");
+  }
+  if (body.sessionId !== null && !ctx.db.getSession(body.sessionId)) {
+    return jsonError(404, `Session not found: ${body.sessionId}`);
+  }
+  try {
+    const policyDb = createPolicyDb(ctx.db);
+    policyDb.createPolicy({
+      id: body.id,
+      name: body.name,
+      description: body.description,
+      enabled: body.enabled,
+      priority: body.priority,
+      sessionId: body.sessionId,
+      rules: body.rules as PolicyRule[],
+    });
+    const policy = policyDb.getPolicy(body.id);
+    return Response.json({ policy }, { status: 201 });
+  } catch (error) {
+    if (isSqliteUniqueConstraintError(error)) {
+      return jsonError(409, `Policy already exists: ${body.id}`);
+    }
+    if (isSqliteForeignKeyConstraintError(error)) {
+      return jsonError(422, "Policy references a missing related record");
+    }
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * GET /policies/:id - Get a specific policy
+ */
+export async function handleGetPolicy(
+  _req: Request,
+  ctx: RouteContext,
+  policyId: string
+): Promise<Response> {
+  const policyDb = createPolicyDb(ctx.db);
+  const policy = policyDb.getPolicy(policyId);
+  if (!policy) {
+    return Response.json({ error: `Policy not found: ${policyId}` }, { status: 404 });
+  }
+  return Response.json({ policy });
+}
+/**
+ * PUT /policies/:id - Update a policy
+ */
+export async function handleUpdatePolicy(
+  req: Request,
+  ctx: RouteContext,
+  policyId: string
+): Promise<Response> {
+  const parsed = await parseJsonBody<Record<string, unknown>>(req);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const body = parsed.body as any;
+  // Validate rules if provided
+  if (body.rules !== undefined && !Array.isArray(body.rules)) {
+    return jsonError(400, "Field 'rules' must be an array");
+  }
+  if (body.name !== undefined && typeof body.name !== "string") {
+    return jsonError(400, "Field 'name' must be a string");
+  }
+  if (
+    body.description !== undefined &&
+    body.description !== null &&
+    typeof body.description !== "string"
+  ) {
+    return jsonError(400, "Field 'description' must be a string or null");
+  }
+  if (body.enabled !== undefined && typeof body.enabled !== "boolean") {
+    return jsonError(400, "Field 'enabled' must be a boolean");
+  }
+  if (
+    body.priority !== undefined &&
+    (typeof body.priority !== "number" ||
+      !Number.isInteger(body.priority) ||
+      !Number.isFinite(body.priority))
+  ) {
+    return jsonError(400, "Field 'priority' must be an integer");
+  }
+  const policyDb = createPolicyDb(ctx.db);
+  // Check if policy exists
+  const existing = policyDb.getPolicy(policyId);
+  if (!existing) {
+    return jsonError(404, `Policy not found: ${policyId}`);
+  }
+  try {
+    const updates: any = {};
+    if (body.name !== undefined) {
+      updates.name = body.name;
+    }
+    if (body.description !== undefined) {
+      updates.description = body.description;
+    }
+    if (body.enabled !== undefined) {
+      updates.enabled = body.enabled;
+    }
+    if (body.priority !== undefined) {
+      updates.priority = body.priority;
+    }
+    if (body.rules !== undefined) {
+      updates.rules = body.rules;
+    }
+    policyDb.updatePolicy(policyId, updates);
+    const policy = policyDb.getPolicy(policyId);
+    return Response.json({ policy });
+  } catch (error) {
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * DELETE /policies/:id - Delete a policy
+ */
+export async function handleDeletePolicy(
+  _req: Request,
+  ctx: RouteContext,
+  policyId: string
+): Promise<Response> {
+  const policyDb = createPolicyDb(ctx.db);
+  // Check if policy exists
+  const existing = policyDb.getPolicy(policyId);
+  if (!existing) {
+    return jsonError(404, `Policy not found: ${policyId}`);
+  }
+  try {
+    policyDb.deletePolicy(policyId);
+    return Response.json({ success: true });
+  } catch (error) {
+    return jsonError(500, getErrorMessage(error));
+  }
+}

package/packages/daemon/src/api/policySetRoutes.ts ADDED Viewed

@@ -0,0 +1,445 @@
+/**
+ * Policy Set API route handlers
+ */
+import type { RouteContext } from "./routes";
+import { hasAnyDefinedField, jsonError, parseJsonBody } from "./routeUtils";
+import {
+  getErrorMessage,
+  isSqliteForeignKeyConstraintError,
+  isSqliteUniqueConstraintError,
+} from "./sqliteErrors";
+const VALID_POLICY_DECISIONS = new Set(["allow", "deny", "ask"]);
+function setContainsPolicy(ctx: RouteContext, setId: string, policyId: string): boolean {
+  return ctx.db.getPolicySetMembers(setId).some((policy) => policy.id === policyId);
+}
+function sessionHasPolicySet(ctx: RouteContext, sessionId: string, setId: string): boolean {
+  return ctx.db.getSessionPolicySets(sessionId).some((set) => set.id === setId);
+}
+/**
+ * GET /policy-sets - List all policy sets
+ */
+export async function handleListPolicySets(_req: Request, ctx: RouteContext): Promise<Response> {
+  const policySets = ctx.db.listPolicySets();
+  return Response.json({ policySets });
+}
+/**
+ * POST /policy-sets - Create a new policy set
+ */
+export async function handleCreatePolicySet(req: Request, ctx: RouteContext): Promise<Response> {
+  const parsed = await parseJsonBody(req);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const body = parsed.body as any;
+  if (!body.id) {
+    return jsonError(400, "Missing required field: id");
+  }
+  if (!body.name) {
+    return jsonError(400, "Missing required field: name");
+  }
+  if (typeof body.id !== "string") {
+    return jsonError(400, "Field 'id' must be a string");
+  }
+  if (typeof body.name !== "string") {
+    return jsonError(400, "Field 'name' must be a string");
+  }
+  if (
+    body.description !== undefined &&
+    body.description !== null &&
+    typeof body.description !== "string"
+  ) {
+    return jsonError(400, "Field 'description' must be a string or null");
+  }
+  if (body.isDefault !== undefined && typeof body.isDefault !== "boolean") {
+    return jsonError(400, "Field 'isDefault' must be a boolean");
+  }
+  if (body.policyIds !== undefined) {
+    if (!Array.isArray(body.policyIds)) {
+      return jsonError(400, "Field 'policyIds' must be an array of strings");
+    }
+    for (const policyId of body.policyIds) {
+      if (typeof policyId !== "string") {
+        return jsonError(400, "Field 'policyIds' must be an array of strings");
+      }
+    }
+    const missingPolicyIds = [...new Set<string>(body.policyIds)].filter(
+      (policyId) => !ctx.db.getPolicy(policyId)
+    );
+    if (missingPolicyIds.length > 0) {
+      return jsonError(422, "One or more referenced policies were not found", {
+        missingPolicyIds,
+      });
+    }
+  }
+  try {
+    ctx.db.createPolicySet({
+      id: body.id,
+      name: body.name,
+      description: body.description,
+      isDefault: body.isDefault ?? false,
+      policyIds: body.policyIds,
+    });
+    const policySet = ctx.db.getPolicySet(body.id);
+    const members = ctx.db.getPolicySetMembers(body.id);
+    return Response.json({ policySet: { ...policySet, policies: members } }, { status: 201 });
+  } catch (error) {
+    if (isSqliteUniqueConstraintError(error)) {
+      return jsonError(409, `Policy set already exists: ${body.id ?? body.name}`);
+    }
+    if (isSqliteForeignKeyConstraintError(error)) {
+      return jsonError(422, "Policy set references a missing related record");
+    }
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * GET /policy-sets/:id - Get a specific policy set with member policies
+ */
+export async function handleGetPolicySet(
+  _req: Request,
+  ctx: RouteContext,
+  setId: string
+): Promise<Response> {
+  const policySet = ctx.db.getPolicySet(setId);
+  if (!policySet) {
+    return Response.json({ error: `Policy set not found: ${setId}` }, { status: 404 });
+  }
+  const members = ctx.db.getPolicySetMembers(setId);
+  return Response.json({ policySet: { ...policySet, policies: members } });
+}
+/**
+ * PUT /policy-sets/:id - Update a policy set
+ */
+export async function handleUpdatePolicySet(
+  req: Request,
+  ctx: RouteContext,
+  setId: string
+): Promise<Response> {
+  const parsed = await parseJsonBody(req);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const body = parsed.body as any;
+  const existing = ctx.db.getPolicySet(setId);
+  if (!existing) {
+    return jsonError(404, `Policy set not found: ${setId}`);
+  }
+  if (body.name !== undefined && typeof body.name !== "string") {
+    return jsonError(400, "Field 'name' must be a string");
+  }
+  if (
+    body.description !== undefined &&
+    body.description !== null &&
+    typeof body.description !== "string"
+  ) {
+    return jsonError(400, "Field 'description' must be a string or null");
+  }
+  if (body.isDefault !== undefined && typeof body.isDefault !== "boolean") {
+    return jsonError(400, "Field 'isDefault' must be a boolean");
+  }
+  const hasUpdates = hasAnyDefinedField(body, ["name", "description", "isDefault"]);
+  if (!hasUpdates) {
+    return jsonError(422, "At least one field must be provided: name, description, or isDefault");
+  }
+  try {
+    const updates: any = {};
+    if (body.name !== undefined) updates.name = body.name;
+    if (body.description !== undefined) updates.description = body.description;
+    if (body.isDefault !== undefined) updates.isDefault = body.isDefault;
+    ctx.db.updatePolicySet(setId, updates);
+    const policySet = ctx.db.getPolicySet(setId);
+    const members = ctx.db.getPolicySetMembers(setId);
+    return Response.json({ policySet: { ...policySet, policies: members } });
+  } catch (error) {
+    if (isSqliteUniqueConstraintError(error)) {
+      return jsonError(409, `Policy set name already exists: ${body.name}`);
+    }
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * DELETE /policy-sets/:id - Delete a policy set
+ */
+export async function handleDeletePolicySet(
+  _req: Request,
+  ctx: RouteContext,
+  setId: string
+): Promise<Response> {
+  const existing = ctx.db.getPolicySet(setId);
+  if (!existing) {
+    return jsonError(404, `Policy set not found: ${setId}`);
+  }
+  try {
+    ctx.db.deletePolicySet(setId);
+    return Response.json({ success: true });
+  } catch (error) {
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * POST /policy-sets/:id/policies - Add a policy to a set
+ */
+export async function handleAddPolicyToSet(
+  req: Request,
+  ctx: RouteContext,
+  setId: string
+): Promise<Response> {
+  const parsed = await parseJsonBody(req);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const body = parsed.body as any;
+  if (!body.policyId) {
+    return jsonError(400, "Missing required field: policyId");
+  }
+  if (typeof body.policyId !== "string") {
+    return jsonError(400, "Field 'policyId' must be a string");
+  }
+  const set = ctx.db.getPolicySet(setId);
+  if (!set) {
+    return jsonError(404, `Policy set not found: ${setId}`);
+  }
+  const policy = ctx.db.getPolicy(body.policyId);
+  if (!policy) {
+    return jsonError(404, `Policy not found: ${body.policyId}`);
+  }
+  if (setContainsPolicy(ctx, setId, body.policyId)) {
+    return jsonError(409, `Policy ${body.policyId} is already a member of set ${setId}`);
+  }
+  try {
+    ctx.db.addPolicyToSet(setId, body.policyId);
+    return Response.json({ success: true });
+  } catch (error) {
+    if (isSqliteForeignKeyConstraintError(error)) {
+      return jsonError(422, "Policy set membership references a missing related record");
+    }
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * DELETE /policy-sets/:id/policies/:policyId - Remove a policy from a set
+ */
+export async function handleRemovePolicyFromSet(
+  _req: Request,
+  ctx: RouteContext,
+  setId: string,
+  policyId: string
+): Promise<Response> {
+  const set = ctx.db.getPolicySet(setId);
+  if (!set) {
+    return jsonError(404, `Policy set not found: ${setId}`);
+  }
+  const policy = ctx.db.getPolicy(policyId);
+  if (!policy) {
+    return jsonError(404, `Policy not found: ${policyId}`);
+  }
+  if (!setContainsPolicy(ctx, setId, policyId)) {
+    return jsonError(404, `Policy ${policyId} is not a member of set ${setId}`);
+  }
+  try {
+    ctx.db.removePolicyFromSet(setId, policyId);
+    return Response.json({ success: true });
+  } catch (error) {
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * GET /sessions/:id/policy-sets - Get policy sets applied to a session
+ */
+export async function handleGetSessionPolicySets(
+  _req: Request,
+  ctx: RouteContext,
+  sessionId: string
+): Promise<Response> {
+  const session = ctx.db.getSession(sessionId);
+  if (!session) {
+    return jsonError(404, `Session not found: ${sessionId}`);
+  }
+  const policySets = ctx.db.getSessionPolicySets(sessionId);
+  return Response.json({ policySets });
+}
+/**
+ * POST /sessions/:id/policy-sets - Apply a policy set to a session
+ */
+export async function handleApplyPolicySetToSession(
+  req: Request,
+  ctx: RouteContext,
+  sessionId: string
+): Promise<Response> {
+  const parsed = await parseJsonBody(req);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const body = parsed.body as any;
+  if (!body.policySetId) {
+    return jsonError(400, "Missing required field: policySetId");
+  }
+  if (typeof body.policySetId !== "string") {
+    return jsonError(400, "Field 'policySetId' must be a string");
+  }
+  const session = ctx.db.getSession(sessionId);
+  if (!session) {
+    return jsonError(404, `Session not found: ${sessionId}`);
+  }
+  const set = ctx.db.getPolicySet(body.policySetId);
+  if (!set) {
+    return jsonError(404, `Policy set not found: ${body.policySetId}`);
+  }
+  if (sessionHasPolicySet(ctx, sessionId, body.policySetId)) {
+    return jsonError(
+      409,
+      `Policy set ${body.policySetId} is already applied to session ${sessionId}`
+    );
+  }
+  try {
+    ctx.db.applyPolicySetToSession(sessionId, body.policySetId);
+    return Response.json({ success: true });
+  } catch (error) {
+    if (isSqliteForeignKeyConstraintError(error)) {
+      return jsonError(422, "Session policy set references a missing related record");
+    }
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * DELETE /sessions/:id/policy-sets/:setId - Remove a policy set from a session
+ */
+export async function handleRemovePolicySetFromSession(
+  _req: Request,
+  ctx: RouteContext,
+  sessionId: string,
+  setId: string
+): Promise<Response> {
+  const session = ctx.db.getSession(sessionId);
+  if (!session) {
+    return jsonError(404, `Session not found: ${sessionId}`);
+  }
+  const set = ctx.db.getPolicySet(setId);
+  if (!set) {
+    return jsonError(404, `Policy set not found: ${setId}`);
+  }
+  if (!sessionHasPolicySet(ctx, sessionId, setId)) {
+    return jsonError(404, `Policy set ${setId} is not applied to session ${sessionId}`);
+  }
+  try {
+    ctx.db.removePolicySetFromSession(sessionId, setId);
+    return Response.json({ success: true });
+  } catch (error) {
+    return jsonError(500, getErrorMessage(error));
+  }
+}
+/**
+ * GET /sessions/:id/effective-policies - Get resolved policies for a session
+ */
+export async function handleGetEffectivePolicies(
+  _req: Request,
+  ctx: RouteContext,
+  sessionId: string
+): Promise<Response> {
+  const session = ctx.db.getSession(sessionId);
+  if (!session) {
+    return jsonError(404, `Session not found: ${sessionId}`);
+  }
+  const policies = ctx.db.getEffectivePolicies(sessionId);
+  return Response.json({ policies });
+}
+/**
+ * GET /policy-decisions - List all policy decisions (audit log)
+ */
+export async function handleListPolicyDecisions(
+  req: Request,
+  ctx: RouteContext
+): Promise<Response> {
+  const url = new URL(req.url);
+  const sessionId = url.searchParams.get("sessionId");
+  const decisionParam = url.searchParams.get("decision");
+  if (decisionParam !== null && !VALID_POLICY_DECISIONS.has(decisionParam)) {
+    return jsonError(422, "Query param 'decision' must be one of: allow, deny, ask");
+  }
+  const decision = decisionParam as "allow" | "deny" | "ask" | null;
+  const limitParam = url.searchParams.get("limit");
+  const limit = limitParam ? Number.parseInt(limitParam, 10) : 100;
+  if (!Number.isInteger(limit) || limit <= 0 || limit > 1000) {
+    return jsonError(422, "Query param 'limit' must be an integer between 1 and 1000");
+  }
+  if (sessionId) {
+    const decisions = ctx.db.getPolicyDecisionsBySessionId(sessionId, {
+      decision: decision || undefined,
+      limit,
+    });
+    return Response.json({ decisions });
+  }
+  // All decisions across sessions (query raw)
+  const bunDb = (ctx.db as any).db;
+  let sql = "SELECT * FROM policy_decisions WHERE 1=1";
+  const values: unknown[] = [];
+  if (decision) {
+    sql += " AND decision = ?";
+    values.push(decision);
+  }
+  sql += " ORDER BY id DESC LIMIT ?";
+  values.push(limit);
+  const rows = bunDb.prepare(sql).all(...values) as any[];
+  const decisions = rows.map((row: any) => ({
+    id: row.id,
+    sessionId: row.session_id,
+    eventId: row.event_id ?? undefined,
+    policyId: row.policy_id ?? undefined,
+    toolName: row.tool_name,
+    args: row.args_json ? JSON.parse(row.args_json) : undefined,
+    decision: row.decision,
+    reason: row.reason ?? undefined,
+    timestamp: new Date(row.timestamp),
+  }));
+  return Response.json({ decisions });
+}

package/packages/daemon/src/api/routeUtils.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Shared helpers for consistent API route validation and error responses.
+ */
+export function jsonError(
+  status: number,
+  message: string,
+  extra?: Record<string, unknown>
+): Response {
+  return Response.json(extra ? { error: message, ...extra } : { error: message }, { status });
+}
+export type ParsedJsonBody<T> = { ok: true; body: T } | { ok: false; response: Response };
+export async function parseJsonBody<T = any>(req: Request): Promise<ParsedJsonBody<T>> {
+  try {
+    return { ok: true, body: (await req.json()) as T };
+  } catch {
+    return { ok: false, response: jsonError(400, "Invalid JSON in request body") };
+  }
+}
+export function hasAnyDefinedField(
+  body: Record<string, unknown>,
+  fields: readonly string[]
+): boolean {
+  return fields.some((field) => body[field] !== undefined);
+}