deepline 0.1.134 → 0.1.136

@@ -156,6 +156,7 @@ import { normalizePlayRunFailure } from '../../../shared_libs/play-runtime/run-f
156
156
  import { createSecretRedactionContext } from '../../../shared_libs/play-runtime/secret-redaction';
157
157
  import {
158
158
  assertNoSecretTaint,
159
+ assertSecretAuthUsesTls,
159
160
  createBearerSecretAuth,
160
161
  createHeaderSecretAuth,
161
162
  createSecretHandle,
@@ -5531,6 +5532,11 @@ function createMinimalWorkerCtx(
5531
5532
  if (init.auth !== undefined && !isSecretAuth(init.auth)) {
5532
5533
  throw new Error('ctx.fetch auth must come from ctx.secrets.');
5533
5534
  }
5535
+ // Keep the boundary unmistakable: customer code may intentionally attach a
5536
+ // customer-owned secret to an outbound auth header, but Deepline must never
5537
+ // send that secret over plaintext HTTP. Non-secret arbitrary HTTP egress can
5538
+ // still use the generic_http lane; secret-bearing ctx.fetch requires TLS.
5539
+ assertSecretAuthUsesTls(init.auth, input, 'ctx.fetch');
5534
5540
  const url = input.toString();
5535
5541
  const method = (init.method ?? 'GET').toUpperCase();
5536
5542
  const secretHeaderMarkers = secretAuthHeaderMarkers(init.auth);
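Review bot: The two-step guard (the `isSecretAuth` check followed by `assertSecretAuthUsesTls(init.auth, input, 'ctx.fetch')`) is duplicated here in `createMinimalWorkerCtx` and in the `PlayContextImpl` hunk at -4092, so any future secret-bearing sink has to repeat both calls in the right order. A single exported validator in the secrets module that runs both checks would give one choke point to audit and unit-test. The enclosing function starts and ends outside this hunk.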
@@ -172,7 +172,9 @@ export type PlayBindings = {
172
172
  * Customer-authored play secrets this play is allowed to use at runtime.
173
173
  * Values are never bundled or exposed by the SDK; access them with
174
174
  * `ctx.secrets.get("NAME")` and approved helpers such as
175
- * `ctx.secrets.bearer(handle)`.
175
+ * `ctx.secrets.bearer(handle)`. Secret-authenticated `ctx.fetch` calls
176
+ * require an https:// URL so customer secrets never leave Deepline over
177
+ * plaintext HTTP.
176
178
  */
177
179
  secrets?: readonly string[];
178
180
  };
@@ -817,6 +819,7 @@ export interface DeeplinePlayRuntimeContext {
817
819
  * is recorded under `key` so workflow replay sees the same value. Prefer
818
820
  * `ctx.tools.execute(...)` for Deepline-managed provider APIs because tools
819
821
  * handle auth, retries, rate limits, extraction metadata, and spend tracking.
822
+ * If `init.auth` comes from `ctx.secrets`, `url` must be https://.
820
823
  *
821
824
  * @param key - Checkpoint id.
822
825
  * @param url - URL to fetch.
@@ -101,10 +101,10 @@ export const SDK_RELEASE = {
101
101
  // 0.1.108 ships explicit dataset column/tool recompute policy and removes
102
102
  // the SDK enrich generator's one-second stale policy.
103
103
  // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
104
- version: '0.1.134',
104
+ version: '0.1.136',
105
105
  apiContract: '2026-06-dataset-column-cell-stale-hard-cutover',
106
106
  supportPolicy: {
107
- latest: '0.1.134',
107
+ latest: '0.1.136',
108
108
  minimumSupported: '0.1.53',
109
109
  deprecatedBelow: '0.1.53',
110
110
  commandMinimumSupported: [
@@ -99,6 +99,7 @@ import {
99
99
  } from './secret-redaction';
100
100
  import {
101
101
  assertNoSecretTaint,
102
+ assertSecretAuthUsesTls,
102
103
  createBearerSecretAuth,
103
104
  createHeaderSecretAuth,
104
105
  createSecretHandle,
@@ -4092,6 +4093,11 @@ export class PlayContextImpl {
4092
4093
  if (init.auth !== undefined && !isSecretAuth(init.auth)) {
4093
4094
  throw new Error('ctx.fetch auth must come from ctx.secrets.');
4094
4095
  }
4096
+ // Secret handles are deliberately resolved at the last possible moment, so
4097
+ // plaintext never lands in durable keys, receipts, map rows, or generic tool
4098
+ // payloads. The one place a customer secret is allowed to leave Deepline is
4099
+ // the requested auth header, and that transport must be TLS.
4100
+ assertSecretAuthUsesTls(init.auth, input, 'ctx.fetch');
4095
4101
  const secretHeaderMarkers = secretAuthHeaderMarkers(init.auth);
4096
4102
 
4097
4103
  return this.executeWithRuntimeReceipt<PlayFetchResponse>(
@@ -94,6 +94,19 @@ export function secretAuthHeaderMarkers(
94
94
  return { [auth.header.toLowerCase()]: `[secret:${auth.secret.name}]` };
95
95
  }
96
96
 
97
+ export function assertSecretAuthUsesTls(
98
+ auth: SecretAuth | undefined,
99
+ input: string | URL,
100
+ sink: string,
101
+ ): void {
102
+ if (!auth) return;
103
+ const url = input instanceof URL ? input : new URL(input);
104
+ if (url.protocol === 'https:') return;
105
+ throw new Error(
106
+ `${sink} with ctx.secrets auth requires an https:// URL. Customer secrets may only leave Deepline over TLS.`,
107
+ );
108
+ }
109
+
97
110
  export function assertNoSecretTaint(value: unknown, sink: string): void {
98
111
  if (valueContainsSecret(value)) {
99
112
  throw new Error(
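Review bot: `assertSecretAuthUsesTls` validates only the URL the caller passes in, so the TLS guarantee covers the first hop alone. If the fetch underneath follows redirects (not visible in this hunk), an https:// endpoint that redirects to http:// could still have the request replayed over plaintext. The fetch standard strips `Authorization` on cross-origin redirects, but it does not strip a custom header such as one built by `createHeaderSecretAuth`. Consider sending secret-bearing requests with `redirect: 'error'`, or `'manual'` with this assertion re-run on each `Location`, and state that contract in a comment above the function. Separately, `new URL(input)` throws a bare `TypeError` for a relative or malformed string; this still fails closed, but catching it and rethrowing with `${sink}` in the message would make the failure diagnosable.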
package/dist/cli/index.js CHANGED
@@ -413,10 +413,10 @@ var SDK_RELEASE = {
413
413
  // 0.1.108 ships explicit dataset column/tool recompute policy and removes
414
414
  // the SDK enrich generator's one-second stale policy.
415
415
  // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
416
- version: "0.1.134",
416
+ version: "0.1.136",
417
417
  apiContract: "2026-06-dataset-column-cell-stale-hard-cutover",
418
418
  supportPolicy: {
419
- latest: "0.1.134",
419
+ latest: "0.1.136",
420
420
  minimumSupported: "0.1.53",
421
421
  deprecatedBelow: "0.1.53",
422
422
  commandMinimumSupported: [
@@ -15978,6 +15978,15 @@ function helperSource() {
15978
15978
  ` };`,
15979
15979
  `}`,
15980
15980
  ``,
15981
+ `function __dlBlankPayloadValue(value: unknown): boolean {`,
15982
+ ` return value === null || value === undefined || (typeof value === 'string' && value.trim() === '');`,
15983
+ `}`,
15984
+ ``,
15985
+ `function __dlShouldSkipEmptyPayload(tool: string, payload: Record<string, unknown>): boolean {`,
15986
+ ` if (tool === 'leadmagic_email_validation') return __dlBlankPayloadValue(payload.email);`,
15987
+ ` return false;`,
15988
+ `}`,
15989
+ ``,
15981
15990
  `function __dlAliasCandidates(alias: string): string[] {`,
15982
15991
  ` const aliases: string[] = [];`,
15983
15992
  ` for (const candidate of [alias, alias.replace(/-/g, '_'), alias.replace(/_/g, '-')]) {`,
@@ -16004,6 +16013,7 @@ function helperSource() {
16004
16013
  ` if (!shouldRun) return null;`,
16005
16014
  ` }`,
16006
16015
  ` const payload = __dlRuntimePayload(input.tool, __dlTemplate(input.payload, input.row) as Record<string, unknown>, input.row);`,
16016
+ ` if (__dlShouldSkipEmptyPayload(input.tool, payload)) return null;`,
16007
16017
  ` let result: unknown;`,
16008
16018
  ` try {`,
16009
16019
  ` result = await input.stepCtx.tools.execute({`,
@@ -390,10 +390,10 @@ var SDK_RELEASE = {
390
390
  // 0.1.108 ships explicit dataset column/tool recompute policy and removes
391
391
  // the SDK enrich generator's one-second stale policy.
392
392
  // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
393
- version: "0.1.134",
393
+ version: "0.1.136",
394
394
  apiContract: "2026-06-dataset-column-cell-stale-hard-cutover",
395
395
  supportPolicy: {
396
- latest: "0.1.134",
396
+ latest: "0.1.136",
397
397
  minimumSupported: "0.1.53",
398
398
  deprecatedBelow: "0.1.53",
399
399
  commandMinimumSupported: [
@@ -15987,6 +15987,15 @@ function helperSource() {
15987
15987
  ` };`,
15988
15988
  `}`,
15989
15989
  ``,
15990
+ `function __dlBlankPayloadValue(value: unknown): boolean {`,
15991
+ ` return value === null || value === undefined || (typeof value === 'string' && value.trim() === '');`,
15992
+ `}`,
15993
+ ``,
15994
+ `function __dlShouldSkipEmptyPayload(tool: string, payload: Record<string, unknown>): boolean {`,
15995
+ ` if (tool === 'leadmagic_email_validation') return __dlBlankPayloadValue(payload.email);`,
15996
+ ` return false;`,
15997
+ `}`,
15998
+ ``,
15990
15999
  `function __dlAliasCandidates(alias: string): string[] {`,
15991
16000
  ` const aliases: string[] = [];`,
15992
16001
  ` for (const candidate of [alias, alias.replace(/-/g, '_'), alias.replace(/_/g, '-')]) {`,
@@ -16013,6 +16022,7 @@ function helperSource() {
16013
16022
  ` if (!shouldRun) return null;`,
16014
16023
  ` }`,
16015
16024
  ` const payload = __dlRuntimePayload(input.tool, __dlTemplate(input.payload, input.row) as Record<string, unknown>, input.row);`,
16025
+ ` if (__dlShouldSkipEmptyPayload(input.tool, payload)) return null;`,
16016
16026
  ` let result: unknown;`,
16017
16027
  ` try {`,
16018
16028
  ` result = await input.stepCtx.tools.execute({`,
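--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -2788,7 +2788,9 @@ type PlayBindings = {
  * Customer-authored play secrets this play is allowed to use at runtime.
  * Values are never bundled or exposed by the SDK; access them with
  * `ctx.secrets.get("NAME")` and approved helpers such as
- * `ctx.secrets.bearer(handle)`.
+ * `ctx.secrets.bearer(handle)`. Secret-authenticated `ctx.fetch` calls
+ * require an https:// URL so customer secrets never leave Deepline over
+ * plaintext HTTP.
  */
  secrets?: readonly string[];
  };
@@ -3288,6 +3290,7 @@ interface DeeplinePlayRuntimeContext {
  * is recorded under `key` so workflow replay sees the same value. Prefer
  * `ctx.tools.execute(...)` for Deepline-managed provider APIs because tools
  * handle auth, retries, rate limits, extraction metadata, and spend tracking.
+ * If `init.auth` comes from `ctx.secrets`, `url` must be https://.
  *
  * @param key - Checkpoint id.
  * @param url - URL to fetch.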
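--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -2788,7 +2788,9 @@ type PlayBindings = {
  * Customer-authored play secrets this play is allowed to use at runtime.
  * Values are never bundled or exposed by the SDK; access them with
  * `ctx.secrets.get("NAME")` and approved helpers such as
- * `ctx.secrets.bearer(handle)`.
+ * `ctx.secrets.bearer(handle)`. Secret-authenticated `ctx.fetch` calls
+ * require an https:// URL so customer secrets never leave Deepline over
+ * plaintext HTTP.
  */
  secrets?: readonly string[];
  };
@@ -3288,6 +3290,7 @@ interface DeeplinePlayRuntimeContext {
  * is recorded under `key` so workflow replay sees the same value. Prefer
  * `ctx.tools.execute(...)` for Deepline-managed provider APIs because tools
  * handle auth, retries, rate limits, extraction metadata, and spend tracking.
+ * If `init.auth` comes from `ctx.secrets`, `url` must be https://.
  *
  * @param key - Checkpoint id.
  * @param url - URL to fetch.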
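--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -284,10 +284,10 @@ var SDK_RELEASE = {
  // 0.1.108 ships explicit dataset column/tool recompute policy and removes
  // the SDK enrich generator's one-second stale policy.
  // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
- version: "0.1.134",
+ version: "0.1.136",
  apiContract: "2026-06-dataset-column-cell-stale-hard-cutover",
  supportPolicy: {
- latest: "0.1.134",
+ latest: "0.1.136",
  minimumSupported: "0.1.53",
  deprecatedBelow: "0.1.53",
  commandMinimumSupported: [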
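--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -206,10 +206,10 @@ var SDK_RELEASE = {
  // 0.1.108 ships explicit dataset column/tool recompute policy and removes
  // the SDK enrich generator's one-second stale policy.
  // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
- version: "0.1.134",
+ version: "0.1.136",
  apiContract: "2026-06-dataset-column-cell-stale-hard-cutover",
  supportPolicy: {
- latest: "0.1.134",
+ latest: "0.1.136",
  minimumSupported: "0.1.53",
  deprecatedBelow: "0.1.53",
  commandMinimumSupported: [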
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "deepline",
3
- "version": "0.1.134",
3
+ "version": "0.1.136",
4
4
  "description": "Deepline SDK + CLI — B2B data enrichment powered by durable cloud execution",
5
5
  "license": "MIT",
6
6
  "repository": {