deepline 0.1.134 → 0.1.136
- package/dist/bundling-sources/apps/play-runner-workers/src/entry.ts +6 -0
- package/dist/bundling-sources/sdk/src/play.ts +4 -1
- package/dist/bundling-sources/sdk/src/release.ts +2 -2
- package/dist/bundling-sources/shared_libs/play-runtime/context.ts +6 -0
- package/dist/bundling-sources/shared_libs/play-runtime/secret-capability.ts +13 -0
- package/dist/cli/index.js +12 -2
- package/dist/cli/index.mjs +12 -2
- package/dist/index.d.mts +4 -1
- package/dist/index.d.ts +4 -1
- package/dist/index.js +2 -2
- package/dist/index.mjs +2 -2
- package/package.json +1 -1
|
@@ -156,6 +156,7 @@ import { normalizePlayRunFailure } from '../../../shared_libs/play-runtime/run-f
|
|
|
156
156
|
import { createSecretRedactionContext } from '../../../shared_libs/play-runtime/secret-redaction';
|
|
157
157
|
import {
|
|
158
158
|
assertNoSecretTaint,
|
|
159
|
+
assertSecretAuthUsesTls,
|
|
159
160
|
createBearerSecretAuth,
|
|
160
161
|
createHeaderSecretAuth,
|
|
161
162
|
createSecretHandle,
|
|
@@ -5531,6 +5532,11 @@ function createMinimalWorkerCtx(
|
|
|
5531
5532
|
if (init.auth !== undefined && !isSecretAuth(init.auth)) {
|
|
5532
5533
|
throw new Error('ctx.fetch auth must come from ctx.secrets.');
|
|
5533
5534
|
}
|
|
5535
|
+
// Keep the boundary unmistakable: customer code may intentionally attach a
|
|
5536
|
+
// customer-owned secret to an outbound auth header, but Deepline must never
|
|
5537
|
+
// send that secret over plaintext HTTP. Non-secret arbitrary HTTP egress can
|
|
5538
|
+
// still use the generic_http lane; secret-bearing ctx.fetch requires TLS.
|
|
5539
|
+
assertSecretAuthUsesTls(init.auth, input, 'ctx.fetch');
|
|
5534
5540
|
const url = input.toString();
|
|
5535
5541
|
const method = (init.method ?? 'GET').toUpperCase();
|
|
5536
5542
|
const secretHeaderMarkers = secretAuthHeaderMarkers(init.auth);
|
|
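Review bot: The TLS assertion added before `const url = input.toString();` in createMinimalWorkerCtx validates only the URL the play passes in, so it gives no guarantee about where the request ends up if the transport follows redirects. The dispatch code is outside this hunk, so this is unconfirmed, but if redirects are followed, an https:// endpoint that answers with a 3xx to an http:// location could still receive a header built by `createHeaderSecretAuth` in cleartext. Consider sending secret-bearing requests with `redirect: 'error'`, or `redirect: 'manual'` with the same assertion applied to each hop, and say so in the comment. The identical call added in PlayContextImpl has the same gap.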
@@ -172,7 +172,9 @@ export type PlayBindings = {
|
|
|
172
172
|
* Customer-authored play secrets this play is allowed to use at runtime.
|
|
173
173
|
* Values are never bundled or exposed by the SDK; access them with
|
|
174
174
|
* `ctx.secrets.get("NAME")` and approved helpers such as
|
|
175
|
-
* `ctx.secrets.bearer(handle)`.
|
|
175
|
+
* `ctx.secrets.bearer(handle)`. Secret-authenticated `ctx.fetch` calls
|
|
176
|
+
* require an https:// URL so customer secrets never leave Deepline over
|
|
177
|
+
* plaintext HTTP.
|
|
176
178
|
*/
|
|
177
179
|
secrets?: readonly string[];
|
|
178
180
|
};
|
|
@@ -817,6 +819,7 @@ export interface DeeplinePlayRuntimeContext {
|
|
|
817
819
|
* is recorded under `key` so workflow replay sees the same value. Prefer
|
|
818
820
|
* `ctx.tools.execute(...)` for Deepline-managed provider APIs because tools
|
|
819
821
|
* handle auth, retries, rate limits, extraction metadata, and spend tracking.
|
|
822
|
+
* If `init.auth` comes from `ctx.secrets`, `url` must be https://.
|
|
820
823
|
*
|
|
821
824
|
* @param key - Checkpoint id.
|
|
822
825
|
* @param url - URL to fetch.
|
|
@@ -101,10 +101,10 @@ export const SDK_RELEASE = {
|
|
|
101
101
|
// 0.1.108 ships explicit dataset column/tool recompute policy and removes
|
|
102
102
|
// the SDK enrich generator's one-second stale policy.
|
|
103
103
|
// 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
|
|
104
|
-
version: '0.1.
|
|
104
|
+
version: '0.1.136',
|
|
105
105
|
apiContract: '2026-06-dataset-column-cell-stale-hard-cutover',
|
|
106
106
|
supportPolicy: {
|
|
107
|
-
latest: '0.1.
|
|
107
|
+
latest: '0.1.136',
|
|
108
108
|
minimumSupported: '0.1.53',
|
|
109
109
|
deprecatedBelow: '0.1.53',
|
|
110
110
|
commandMinimumSupported: [
|
|
@@ -99,6 +99,7 @@ import {
|
|
|
99
99
|
} from './secret-redaction';
|
|
100
100
|
import {
|
|
101
101
|
assertNoSecretTaint,
|
|
102
|
+
assertSecretAuthUsesTls,
|
|
102
103
|
createBearerSecretAuth,
|
|
103
104
|
createHeaderSecretAuth,
|
|
104
105
|
createSecretHandle,
|
|
@@ -4092,6 +4093,11 @@ export class PlayContextImpl {
|
|
|
4092
4093
|
if (init.auth !== undefined && !isSecretAuth(init.auth)) {
|
|
4093
4094
|
throw new Error('ctx.fetch auth must come from ctx.secrets.');
|
|
4094
4095
|
}
|
|
4096
|
+
// Secret handles are deliberately resolved at the last possible moment, so
|
|
4097
|
+
// plaintext never lands in durable keys, receipts, map rows, or generic tool
|
|
4098
|
+
// payloads. The one place a customer secret is allowed to leave Deepline is
|
|
4099
|
+
// the requested auth header, and that transport must be TLS.
|
|
4100
|
+
assertSecretAuthUsesTls(init.auth, input, 'ctx.fetch');
|
|
4095
4101
|
const secretHeaderMarkers = secretAuthHeaderMarkers(init.auth);
|
|
4096
4102
|
|
|
4097
4103
|
return this.executeWithRuntimeReceipt<PlayFetchResponse>(
|
|
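Review bot: The auth guard in PlayContextImpl now repeats, line for line, the pair of checks that createMinimalWorkerCtx carries: the `isSecretAuth` rejection followed by `assertSecretAuthUsesTls(init.auth, input, 'ctx.fetch');`. Two hand-maintained copies of a secret-egress boundary can drift apart. A single exported helper next to `assertSecretAuthUsesTls` that performs both checks would keep the two runtimes in step. The method body continues outside this hunk, so any other sink that accepts `init.auth` could not be checked here.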
@@ -94,6 +94,19 @@ export function secretAuthHeaderMarkers(
|
|
|
94
94
|
return { [auth.header.toLowerCase()]: `[secret:${auth.secret.name}]` };
|
|
95
95
|
}
|
|
96
96
|
|
|
97
|
+
export function assertSecretAuthUsesTls(
|
|
98
|
+
auth: SecretAuth | undefined,
|
|
99
|
+
input: string | URL,
|
|
100
|
+
sink: string,
|
|
101
|
+
): void {
|
|
102
|
+
if (!auth) return;
|
|
103
|
+
const url = input instanceof URL ? input : new URL(input);
|
|
104
|
+
if (url.protocol === 'https:') return;
|
|
105
|
+
throw new Error(
|
|
106
|
+
`${sink} with ctx.secrets auth requires an https:// URL. Customer secrets may only leave Deepline over TLS.`,
|
|
107
|
+
);
|
|
108
|
+
}
|
|
109
|
+
|
|
97
110
|
export function assertNoSecretTaint(value: unknown, sink: string): void {
|
|
98
111
|
if (valueContainsSecret(value)) {
|
|
99
112
|
throw new Error(
|
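Review bot: `new URL(input)` in assertSecretAuthUsesTls throws a bare TypeError for a relative or malformed string, so that failure bypasses the sink-labelled message the function otherwise produces. Catching it and rethrowing with `sink` in the text keeps the error actionable. The message should keep omitting the URL itself, since query strings and userinfo can carry credentials. A short TSDoc block stating that the function throws, and that it validates only the URL as passed rather than any later redirect hop, would also help callers.

```typescript
export function assertSecretAuthUsesTls(
  // … unchanged: auth, input, sink parameters …
): void {
  if (!auth) return;
  let url: URL;
  try {
    url = input instanceof URL ? input : new URL(input);
  } catch {
    // Do not echo the input: it may embed credentials.
    throw new Error(
      `${sink} with ctx.secrets auth requires an absolute https:// URL.`,
    );
  }
  // … unchanged: https: protocol check and TLS error …
}
```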
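--- a/package/dist/cli/index.js
+++ b/package/dist/cli/index.js
@@ -413,10 +413,10 @@ var SDK_RELEASE = {
 // 0.1.108 ships explicit dataset column/tool recompute policy and removes
 // the SDK enrich generator's one-second stale policy.
 // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
-version: "0.1.
+version: "0.1.136",
 apiContract: "2026-06-dataset-column-cell-stale-hard-cutover",
 supportPolicy: {
-latest: "0.1.
+latest: "0.1.136",
 minimumSupported: "0.1.53",
 deprecatedBelow: "0.1.53",
 commandMinimumSupported: [
@@ -15978,6 +15978,15 @@ function helperSource() {
 ` };`,
 `}`,
 ``,
+`function __dlBlankPayloadValue(value: unknown): boolean {`,
+` return value === null || value === undefined || (typeof value === 'string' && value.trim() === '');`,
+`}`,
+``,
+`function __dlShouldSkipEmptyPayload(tool: string, payload: Record<string, unknown>): boolean {`,
+` if (tool === 'leadmagic_email_validation') return __dlBlankPayloadValue(payload.email);`,
+` return false;`,
+`}`,
+``,
 `function __dlAliasCandidates(alias: string): string[] {`,
 ` const aliases: string[] = [];`,
 ` for (const candidate of [alias, alias.replace(/-/g, '_'), alias.replace(/_/g, '-')]) {`,
@@ -16004,6 +16013,7 @@ function helperSource() {
 ` if (!shouldRun) return null;`,
 ` }`,
 ` const payload = __dlRuntimePayload(input.tool, __dlTemplate(input.payload, input.row) as Record<string, unknown>, input.row);`,
+` if (__dlShouldSkipEmptyPayload(input.tool, payload)) return null;`,
 ` let result: unknown;`,
 ` try {`,
 ` result = await input.stepCtx.tools.execute({`,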
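--- a/package/dist/cli/index.mjs
+++ b/package/dist/cli/index.mjs
@@ -390,10 +390,10 @@ var SDK_RELEASE = {
 // 0.1.108 ships explicit dataset column/tool recompute policy and removes
 // the SDK enrich generator's one-second stale policy.
 // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
-version: "0.1.
+version: "0.1.136",
 apiContract: "2026-06-dataset-column-cell-stale-hard-cutover",
 supportPolicy: {
-latest: "0.1.
+latest: "0.1.136",
 minimumSupported: "0.1.53",
 deprecatedBelow: "0.1.53",
 commandMinimumSupported: [
@@ -15987,6 +15987,15 @@ function helperSource() {
 ` };`,
 `}`,
 ``,
+`function __dlBlankPayloadValue(value: unknown): boolean {`,
+` return value === null || value === undefined || (typeof value === 'string' && value.trim() === '');`,
+`}`,
+``,
+`function __dlShouldSkipEmptyPayload(tool: string, payload: Record<string, unknown>): boolean {`,
+` if (tool === 'leadmagic_email_validation') return __dlBlankPayloadValue(payload.email);`,
+` return false;`,
+`}`,
+``,
 `function __dlAliasCandidates(alias: string): string[] {`,
 ` const aliases: string[] = [];`,
 ` for (const candidate of [alias, alias.replace(/-/g, '_'), alias.replace(/_/g, '-')]) {`,
@@ -16013,6 +16022,7 @@ function helperSource() {
 ` if (!shouldRun) return null;`,
 ` }`,
 ` const payload = __dlRuntimePayload(input.tool, __dlTemplate(input.payload, input.row) as Record<string, unknown>, input.row);`,
+` if (__dlShouldSkipEmptyPayload(input.tool, payload)) return null;`,
 ` let result: unknown;`,
 ` try {`,
 ` result = await input.stepCtx.tools.execute({`,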
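--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -2788,7 +2788,9 @@ type PlayBindings = {
 * Customer-authored play secrets this play is allowed to use at runtime.
 * Values are never bundled or exposed by the SDK; access them with
 * `ctx.secrets.get("NAME")` and approved helpers such as
-* `ctx.secrets.bearer(handle)`.
+* `ctx.secrets.bearer(handle)`. Secret-authenticated `ctx.fetch` calls
+* require an https:// URL so customer secrets never leave Deepline over
+* plaintext HTTP.
 */
 secrets?: readonly string[];
 };
@@ -3288,6 +3290,7 @@ interface DeeplinePlayRuntimeContext {
 * is recorded under `key` so workflow replay sees the same value. Prefer
 * `ctx.tools.execute(...)` for Deepline-managed provider APIs because tools
 * handle auth, retries, rate limits, extraction metadata, and spend tracking.
+* If `init.auth` comes from `ctx.secrets`, `url` must be https://.
 *
 * @param key - Checkpoint id.
 * @param url - URL to fetch.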
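--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -2788,7 +2788,9 @@ type PlayBindings = {
 * Customer-authored play secrets this play is allowed to use at runtime.
 * Values are never bundled or exposed by the SDK; access them with
 * `ctx.secrets.get("NAME")` and approved helpers such as
-* `ctx.secrets.bearer(handle)`.
+* `ctx.secrets.bearer(handle)`. Secret-authenticated `ctx.fetch` calls
+* require an https:// URL so customer secrets never leave Deepline over
+* plaintext HTTP.
 */
 secrets?: readonly string[];
 };
@@ -3288,6 +3290,7 @@ interface DeeplinePlayRuntimeContext {
 * is recorded under `key` so workflow replay sees the same value. Prefer
 * `ctx.tools.execute(...)` for Deepline-managed provider APIs because tools
 * handle auth, retries, rate limits, extraction metadata, and spend tracking.
+* If `init.auth` comes from `ctx.secrets`, `url` must be https://.
 *
 * @param key - Checkpoint id.
 * @param url - URL to fetch.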
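--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -284,10 +284,10 @@ var SDK_RELEASE = {
 // 0.1.108 ships explicit dataset column/tool recompute policy and removes
 // the SDK enrich generator's one-second stale policy.
 // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
-version: "0.1.
+version: "0.1.136",
 apiContract: "2026-06-dataset-column-cell-stale-hard-cutover",
 supportPolicy: {
-latest: "0.1.
+latest: "0.1.136",
 minimumSupported: "0.1.53",
 deprecatedBelow: "0.1.53",
 commandMinimumSupported: [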
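--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -206,10 +206,10 @@ var SDK_RELEASE = {
 // 0.1.108 ships explicit dataset column/tool recompute policy and removes
 // the SDK enrich generator's one-second stale policy.
 // 0.1.110 ships authored V2 prebuilts and required top-level play descriptions.
-version: "0.1.
+version: "0.1.136",
 apiContract: "2026-06-dataset-column-cell-stale-hard-cutover",
 supportPolicy: {
-latest: "0.1.
+latest: "0.1.136",
 minimumSupported: "0.1.53",
 deprecatedBelow: "0.1.53",
 commandMinimumSupported: [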