codex-snapshots 0.1.0 → 0.1.1

package/dist/core/privacy.js

@@ -0,0 +1,81 @@
+import os from "node:os";
+export function detectRisks(text) {
+    const checks = [
+        { id: "private-key", label: "Private key block", severity: "high", count: 0, pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
+        { id: "jwt", label: "JWT-like token", severity: "high", count: 0, pattern: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+        { id: "api-key", label: "API key or secret assignment", severity: "high", count: 0, pattern: /\b(api[_-]?key|secret|access[_-]?token|auth[_-]?token|refresh[_-]?token|password|passwd|cookie|authorization)\b\s*[:=]\s*["']?[^"'\s`]{8,}/gi },
+        { id: "bearer", label: "Bearer token", severity: "high", count: 0, pattern: /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/g },
+        { id: "openai-key", label: "OpenAI-style API key", severity: "high", count: 0, pattern: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
+        { id: "aws-key", label: "AWS access key", severity: "high", count: 0, pattern: /\b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b/g },
+        { id: "home-path", label: "Local home path", severity: "medium", count: 0, pattern: new RegExp(escapeRegExp(os.homedir()), "g") },
+        { id: "internal-domain", label: "Internal-looking domain", severity: "medium", count: 0, pattern: /\b[A-Za-z0-9.-]+\.(bytedance|byteintl|corp|internal|local)\b/gi },
+        { id: "env-file", label: "Environment file mention", severity: "medium", count: 0, pattern: /(^|[\/\s])\.env([.\w-]*)?\b/g },
+    ];
+    const risks = [];
+    for (const check of checks) {
+        const matches = text.match(check.pattern);
+        if (matches?.length) {
+            risks.push({
+                id: check.id,
+                label: check.label,
+                severity: check.severity,
+                count: matches.length,
+            });
+        }
+    }
+    return risks;
+}
+export function addRisks(risks, text, turn) {
+    for (const risk of detectRisks(text)) {
+        addRiskEntry(risks, risk, turn);
+    }
+}
+export function addImageRisk(risks, count, turn) {
+    if (!count) {
+        return;
+    }
+    addRiskEntry(risks, {
+        id: "image-attachment",
+        label: "Image attachment",
+        severity: "medium",
+        count,
+    }, turn);
+}
+export function severityRank(severity) {
+    if (severity === "high") {
+        return 3;
+    }
+    if (severity === "medium") {
+        return 2;
+    }
+    return 1;
+}
+export function redactText(text) {
+    let output = text;
+    output = output.replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g, "[REDACTED_PRIVATE_KEY]");
+    output = output.replace(/\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g, "[REDACTED_JWT]");
+    output = output.replace(/\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/g, "Bearer [REDACTED]");
+    output = output.replace(/\bsk-[A-Za-z0-9_-]{20,}\b/g, "sk-[REDACTED]");
+    output = output.replace(/\b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b/g, "[REDACTED_AWS_KEY]");
+    output = output.replace(/\b(api[_-]?key|secret|access[_-]?token|auth[_-]?token|refresh[_-]?token|password|passwd|cookie|authorization)\b(\s*[:=]\s*)["']?[^"'\s`]{8,}/gi, "$1$2[REDACTED]");
+    output = output.replace(new RegExp(escapeRegExp(os.homedir()), "g"), "~");
+    return output;
+}
+function addRiskEntry(risks, risk, turn) {
+    const key = risk.id;
+    const current = risks.get(key) || {
+        id: risk.id,
+        label: risk.label,
+        severity: risk.severity,
+        count: 0,
+        turns: [],
+    };
+    current.count += risk.count;
+    if (!current.turns.includes(turn)) {
+        current.turns.push(turn);
+    }
+    risks.set(key, current);
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

package/dist/core/snapshot.js

@@ -0,0 +1 @@
+export {};

package/dist/renderers/markdown.mjs

@@ -0,0 +1,81 @@
+// @ts-nocheck
+import hljs from "highlight.js";
+import markdownit from "markdown-it";
+import { mergeLinkRel, sanitizeRenderedHtml, stripAppDirectives } from "../shared/sanitize.js";
+const MARKDOWN_LANGUAGE_ALIASES = new Map([
+    ["plain", "plaintext"],
+    ["plaintext", "plaintext"],
+    ["text", "plaintext"],
+    ["js", "javascript"],
+    ["jsx", "javascript"],
+    ["ts", "typescript"],
+    ["tsx", "typescript"],
+    ["yml", "yaml"],
+]);
+const markdownRenderer = markdownit({
+    breaks: true,
+    html: false,
+    linkify: true,
+    typographer: false,
+    highlight: renderHighlightedCode,
+});
+configureMarkdownLinks(markdownRenderer);
+export function renderMarkdownHtml(text) {
+    return sanitizeRenderedHtml(markdownRenderer.render(stripAppDirectives(text)).trim());
+}
+function configureMarkdownLinks(renderer) {
+    const defaultRender = renderer.renderer.rules.link_open || ((tokens, index, options, env, self) => {
+        return self.renderToken(tokens, index, options);
+    });
+    renderer.renderer.rules.link_open = (tokens, index, options, env, self) => {
+        const token = tokens[index];
+        setMarkdownTokenAttr(token, "target", "_blank");
+        setMarkdownTokenAttr(token, "rel", mergeLinkRel(token.attrGet("rel")));
+        return defaultRender(tokens, index, options, env, self);
+    };
+}
+function setMarkdownTokenAttr(token, name, value) {
+    const index = token.attrIndex(name);
+    if (index < 0) {
+        token.attrPush([name, value]);
+        return;
+    }
+    token.attrs[index][1] = value;
+}
+function renderHighlightedCode(source, rawLanguage) {
+    const language = normalizeMarkdownLanguage(rawLanguage);
+    const displayLanguage = language || normalizeMarkdownLanguageLabel(rawLanguage) || "text";
+    const code = String(source || "");
+    let html = "";
+    if (language && hljs.getLanguage(language)) {
+        html = hljs.highlight(code, { language, ignoreIllegals: true }).value;
+    }
+    else {
+        html = escapeHtml(code);
+    }
+    const className = language ? ` class="hljs language-${escapeHtml(language)}"` : " class=\"hljs\"";
+    return `<pre data-language="${escapeHtml(displayLanguage)}"><code${className}>${html}</code></pre>`;
+}
+function normalizeMarkdownLanguage(rawLanguage) {
+    const language = normalizeMarkdownLanguageLabel(rawLanguage);
+    if (!language) {
+        return "";
+    }
+    const mapped = MARKDOWN_LANGUAGE_ALIASES.get(language) || language;
+    return hljs.getLanguage(mapped) ? mapped : "";
+}
+function normalizeMarkdownLanguageLabel(rawLanguage) {
+    return String(rawLanguage || "")
+        .trim()
+        .split(/\s+/)[0]
+        .replace(/[^A-Za-z0-9_+-]/g, "")
+        .toLowerCase();
+}
+function escapeHtml(value) {
+    return String(value ?? "")
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}

package/dist/renderers/transcript.js

@@ -0,0 +1,195 @@
+import { escapeHtml, sanitizeRenderedHtml, stripAppDirectives } from "../shared/sanitize.js";
+export function buildTranscriptItems(turns) {
+    const items = [];
+    let index = 0;
+    let previousUserTurn = null;
+    while (index < turns.length) {
+        const turn = turns[index];
+        if (isUserMessageTurn(turn)) {
+            items.push({ kind: "turn", turn });
+            previousUserTurn = turn;
+            index += 1;
+            continue;
+        }
+        const segment = [];
+        while (index < turns.length && !isUserMessageTurn(turns[index])) {
+            segment.push(turns[index]);
+            index += 1;
+        }
+        const finalIndex = segment.map(isAssistantMessageTurn).lastIndexOf(true);
+        if (finalIndex === -1) {
+            if (segment.length) {
+                items.push({
+                    kind: "process",
+                    turns: segment,
+                    durationTurns: buildProcessDurationTurns(previousUserTurn, segment),
+                });
+            }
+            continue;
+        }
+        if (finalIndex === segment.length - 1) {
+            const processTurns = segment.slice(0, finalIndex);
+            const finalTurn = segment[finalIndex];
+            if (processTurns.length) {
+                items.push({
+                    kind: "process",
+                    turns: processTurns,
+                    durationTurns: buildProcessDurationTurns(previousUserTurn, processTurns.concat(finalTurn)),
+                });
+            }
+            items.push({ kind: "turn", turn: finalTurn });
+            continue;
+        }
+        items.push({
+            kind: "process",
+            turns: segment,
+            durationTurns: buildProcessDurationTurns(previousUserTurn, segment),
+        });
+    }
+    return items;
+}
+export function processLabel(turns, label = "已处理") {
+    const duration = processDurationLabel(turns);
+    return duration ? `${label} ${duration}` : label;
+}
+export function processDurationLabel(turns) {
+    const times = turns.map((turn) => new Date(turn.timestamp || "").getTime()).filter(Number.isFinite);
+    if (times.length < 2) {
+        return "";
+    }
+    const seconds = Math.max(1, Math.round((Math.max(...times) - Math.min(...times)) / 1000));
+    if (seconds < 60) {
+        return `${seconds}s`;
+    }
+    const minutes = Math.floor(seconds / 60);
+    const rest = seconds % 60;
+    if (minutes < 60) {
+        return rest ? `${minutes}m ${rest}s` : `${minutes}m`;
+    }
+    const hours = Math.floor(minutes / 60);
+    const minuteRest = minutes % 60;
+    return minuteRest ? `${hours}h ${minuteRest}m` : `${hours}h`;
+}
+export function renderTranscriptHtml(turns, emptyHtmlOrOptions = "<div class='empty'>没有可分享的对话记录。</div>", options = {}) {
+    const renderOptions = normalizeTranscriptRenderOptions(emptyHtmlOrOptions, options);
+    const html = buildTranscriptItems(turns).map((item, index) => renderTranscriptItemHtml(item, index, renderOptions)).join("");
+    return html || renderOptions.emptyHtml;
+}
+function normalizeTranscriptRenderOptions(emptyHtmlOrOptions, options) {
+    const base = typeof emptyHtmlOrOptions === "string" ? { ...options, emptyHtml: emptyHtmlOrOptions } : emptyHtmlOrOptions;
+    return {
+        bodyWrapper: base.bodyWrapper !== false,
+        emptyHtml: base.emptyHtml || "<div class='empty'>没有可分享的对话记录。</div>",
+        bodyClassName: base.bodyClassName || "body",
+        contentClassName: base.contentClassName || "",
+        includeProcessMessageMeta: Boolean(base.includeProcessMessageMeta),
+        includeTopLevelToolMeta: Boolean(base.includeTopLevelToolMeta),
+        roleClassMode: base.roleClassMode || "space",
+        labels: {
+            assistant: base.labels?.assistant || "Assistant",
+            message: base.labels?.message || "Message",
+            processed: base.labels?.processed || "已处理",
+            tool: base.labels?.tool || "工具",
+            user: base.labels?.user || "User",
+            imageUnavailable: base.labels?.imageUnavailable || "图片暂不可用",
+            imageAltPrefix: base.labels?.imageAltPrefix || "图片附件",
+        },
+    };
+}
+function buildProcessDurationTurns(startTurn, turns) {
+    return [startTurn, ...turns].filter(Boolean);
+}
+function isUserMessageTurn(turn) {
+    return Boolean(turn && turn.kind !== "tool" && turn.role === "user");
+}
+function isAssistantMessageTurn(turn) {
+    return Boolean(turn && turn.kind !== "tool" && turn.role === "assistant");
+}
+function renderTranscriptItemHtml(item, index, options) {
+    if (item.kind === "process") {
+        return renderProcessGroupHtml(item, index, options);
+    }
+    return renderTurnHtml(item.turn, options);
+}
+function renderTurnHtml(turn, options) {
+    const role = turnRole(turn);
+    const meta = options.includeTopLevelToolMeta && role === "tool"
+        ? `<div class="turn-meta">${escapeHtml(turnLabel(role, turn, options))}</div>`
+        : "";
+    return `<article class="${escapeHtml(turnClassName(role, options))}"><div class="message-card">${meta}${renderBodyContainerHtml(turn, options)}</div></article>`;
+}
+function renderProcessGroupHtml(item, index, options) {
+    const turns = item.turns || [];
+    if (!turns.length) {
+        return "";
+    }
+    return `<article class="${escapeHtml(processClassName(options))}"><details class="process-details" data-process-index="${escapeHtml(index)}"><summary class="process-summary"><span>${escapeHtml(processLabel(item.durationTurns || turns, options.labels.processed))}</span></summary><div class="process-body">${turns.map((turn) => renderProcessEntryHtml(turn, options)).join("")}</div></details></article>`;
+}
+function renderProcessEntryHtml(turn, options) {
+    const role = turnRole(turn);
+    const meta = options.includeProcessMessageMeta && role !== "tool"
+        ? `<div class="turn-meta">${escapeHtml(turnLabel(role, turn, options))}</div>`
+        : "";
+    return `<section class="process-entry process-${escapeHtml(role)}">${meta}${renderBodyContainerHtml(turn, options)}</section>`;
+}
+function turnRole(turn) {
+    if (turn.kind === "tool") {
+        return "tool";
+    }
+    return turn.role === "user" ? "user" : "assistant";
+}
+function renderTurnBodyHtml(turn, options) {
+    if (turn.kind === "tool") {
+        return `<details class="tool-details"><summary>${escapeHtml(options.labels.tool)}${turn.name ? ` / ${escapeHtml(turn.name)}` : ""}</summary><pre>${escapeHtml(turn.text || "")}</pre></details>`;
+    }
+    const content = `${sanitizeRenderedHtml(turn.html || "") || renderPlainTextHtml(turn.text)}${renderImagesHtml(turn.images || [], options)}`;
+    return options.contentClassName ? `<div class="${escapeHtml(options.contentClassName)}">${content}</div>` : content;
+}
+function renderBodyContainerHtml(turn, options) {
+    const body = renderTurnBodyHtml(turn, options);
+    return options.bodyWrapper ? `<div class="${escapeHtml(options.bodyClassName)}">${body}</div>` : body;
+}
+function turnClassName(role, options) {
+    return options.roleClassMode === "prefixed" ? `turn turn-${role}` : `turn ${role}`;
+}
+function processClassName(options) {
+    return options.roleClassMode === "prefixed" ? "turn turn-process" : "turn process";
+}
+function turnLabel(role, turn, options) {
+    if (role === "tool") {
+        return `${options.labels.tool}${turn.name ? ` / ${turn.name}` : ""}`;
+    }
+    if (role === "user") {
+        return options.labels.user;
+    }
+    if (role === "assistant") {
+        return options.labels.assistant;
+    }
+    return role || options.labels.message;
+}
+function renderPlainTextHtml(value) {
+    const visibleText = stripAppDirectives(value);
+    if (!visibleText) {
+        return "";
+    }
+    return visibleText
+        .split(/\n{2,}/)
+        .map((block) => `<p>${escapeHtml(block).replace(/\n/g, "<br>")}</p>`)
+        .join("");
+}
+function renderImagesHtml(images, options) {
+    if (!Array.isArray(images) || !images.length) {
+        return "";
+    }
+    return `<div class="attachment-grid">${images
+        .map((image, index) => {
+        if (!image.src) {
+            return `<figure class="image-attachment image-unavailable"><div>${escapeHtml(image.unavailableReason || options.labels.imageUnavailable)}</div></figure>`;
+        }
+        return `<figure class="image-attachment"><img src="${escapeHtml(image.src)}" alt="${escapeHtml(image.alt || `${options.labels.imageAltPrefix} ${index + 1}`)}" decoding="async"></figure>`;
+    })
+        .join("")}</div>`;
+}
+export function sanitizeTranscriptHtml(value) {
+    return sanitizeRenderedHtml(value);
+}

package/dist/server/http.js

@@ -0,0 +1,10 @@
+export function sendJson(response, data, status = 200) {
+    send(response, status, "application/json; charset=utf-8", JSON.stringify(data, null, 2));
+}
+export function send(response, status, contentType, body) {
+    response.writeHead(status, {
+        "content-type": contentType,
+        "cache-control": "no-store",
+    });
+    response.end(body);
+}

package/dist/server/local-security.js

@@ -0,0 +1,66 @@
+import { randomBytes } from "node:crypto";
+import { sendJson } from "./http.js";
+export const MUTATION_CSRF_HEADER = "x-codex-snapshot-csrf";
+export function createMutationCsrfToken() {
+    return randomBytes(32).toString("base64url");
+}
+export function setSnapshotServerCorsHeaders(request, response) {
+    const origin = request.headers.origin || "";
+    if (!origin) {
+        response.setHeader("access-control-allow-origin", "*");
+    }
+    else if (isAllowedSnapshotOrigin(origin)) {
+        response.setHeader("access-control-allow-origin", origin);
+        response.setHeader("vary", "Origin");
+    }
+    response.setHeader("access-control-allow-methods", "GET,POST,OPTIONS");
+    response.setHeader("access-control-allow-headers", `content-type,${MUTATION_CSRF_HEADER}`);
+    response.setHeader("access-control-max-age", "86400");
+}
+export function isAllowedSnapshotServerRequest(request) {
+    const origin = request.headers.origin || "";
+    return !origin || isAllowedSnapshotOrigin(origin);
+}
+export function isAllowedSnapshotOrigin(origin) {
+    const text = Array.isArray(origin) ? origin[0] || "" : origin;
+    const configuredOrigins = String(process.env.SNAPSHOT_VIEWER_ALLOWED_ORIGINS || "")
+        .split(",")
+        .map((value) => value.trim())
+        .filter(Boolean);
+    const allowedOrigins = new Set([
+        "http://127.0.0.1:3000",
+        "http://localhost:3000",
+        ...configuredOrigins,
+    ]);
+    if (allowedOrigins.has(text)) {
+        return true;
+    }
+    try {
+        const url = new URL(text);
+        return url.protocol === "http:" && ["127.0.0.1", "localhost", "::1"].includes(url.hostname);
+    }
+    catch {
+        return false;
+    }
+}
+export function allowMutationRequest(request, response, csrfToken) {
+    if (request.method !== "POST") {
+        sendJson(response, { error: "method not allowed" }, 405);
+        return false;
+    }
+    const origin = String(request.headers.origin || "");
+    if (!origin) {
+        sendJson(response, { error: "origin is required for local mutation requests" }, 403);
+        return false;
+    }
+    if (!isAllowedSnapshotOrigin(origin)) {
+        sendJson(response, { error: "origin is not allowed to mutate this local snapshot server" }, 403);
+        return false;
+    }
+    const token = String(request.headers[MUTATION_CSRF_HEADER] || "");
+    if (!token || token !== csrfToken) {
+        sendJson(response, { error: "invalid csrf token" }, 403);
+        return false;
+    }
+    return true;
+}