deepline 0.1.66 → 0.1.69

package/dist/repo/apps/play-runner-workers/src/entry.ts

@@ -128,6 +128,19 @@ import {
 } from '../../../shared_libs/play-runtime/csv-rename';
 import { coordinatorRequestHeaders } from '../../../shared_libs/play-runtime/coordinator-headers';
 import { normalizePlayRunFailure } from '../../../shared_libs/play-runtime/run-failure';
+import { createSecretRedactionContext } from '../../../shared_libs/play-runtime/secret-redaction';
+import {
+  assertNoSecretTaint,
+  createBearerSecretAuth,
+  createHeaderSecretAuth,
+  createSecretHandle,
+  isSecretAuth,
+  secretAuthHeaderMarkers,
+  valueContainsSecret,
+  type SecretAuth,
+  type SecretAwareRequestInit,
+  type SecretHandle,
+} from '../../../shared_libs/play-runtime/secret-capability';
 import type {
   LiveNodeProgressMap,
   LiveNodeProgressSnapshot,
@@ -3183,6 +3196,39 @@ function createMinimalWorkerCtx(
   const inFlightChildCallsByPlayName: Record<string, number> = {};
   let inFlightChildPlayCalls = 0;
   const childPlaySlotWaiters: Array<() => void> = [];
+  const secretRedactor = createSecretRedactionContext();
+
+  const resolveSecretAuth = async (auth?: SecretAuth) => {
+    if (!auth) return {};
+    const response = await fetchRuntimeApi(
+      req.baseUrl,
+      '/api/v2/plays/internal/runtime',
+      {
+        method: 'POST',
+        headers: {
+          authorization: `Bearer ${req.executorToken}`,
+          'content-type': 'application/json',
+        },
+        body: JSON.stringify({
+          action: 'resolve_secret',
+          name: auth.secret.name,
+          playName: req.playName,
+        }),
+      },
+    );
+    if (!response.ok) {
+      throw new Error(`Secret ${auth.secret.name} is not available to this run.`);
+    }
+    const payload = (await response.json()) as { value?: unknown };
+    const value = typeof payload.value === 'string' ? payload.value : null;
+    if (!value) {
+      throw new Error(`Secret ${auth.secret.name} is not available to this run.`);
+    }
+    secretRedactor.register(value);
+    return auth.kind === 'bearer'
+      ? { authorization: `Bearer ${value}` }
+      : { [auth.header.toLowerCase()]: value };
+  };
 
   const acquireChildPlaySlot = async (): Promise<() => void> => {
     while (
@@ -4007,6 +4053,7 @@ function createMinimalWorkerCtx(
      */
     signal: abortSignal ?? new AbortController().signal,
     log(message: string) {
+      assertNoSecretTaint(message, 'ctx.log');
       emitEvent({
         type: 'log',
         level: 'info',
@@ -4184,10 +4231,11 @@ function createMinimalWorkerCtx(
         'ctx.map(key, rows, fields, options) was removed. Use ctx.map(key, rows).step(...).run(options).',
       );
     },
-    tools: {
-      async execute(requestArg: unknown): Promise<unknown> {
+	    tools: {
+	      async execute(requestArg: unknown): Promise<unknown> {
         assertNotAborted(abortSignal);
         const request = normalizeToolExecuteArgs(requestArg);
+	        assertNoSecretTaint(request.input, 'ctx.tools.execute input');
         return await executeWithRuntimeReceipt(
           `tool:${request.id}:${deriveToolRequestIdentity({
             toolId: request.toolId,
@@ -4257,9 +4305,10 @@ function createMinimalWorkerCtx(
         timeoutMs?: number;
         staleAfterSeconds?: number;
       },
-    ): Promise<unknown> {
-      const normalizedKey = normalizeContextKey(key, 'runPlay');
-      const resolvedName = resolvePlayRefName(playRef);
+	    ): Promise<unknown> {
+	      const normalizedKey = normalizeContextKey(key, 'runPlay');
+	      const resolvedName = resolvePlayRefName(playRef);
+      assertNoSecretTaint(input, 'ctx.runPlay input');
       if (!resolvedName) {
         throw new Error('ctx.runPlay(...) requires a resolvable play name.');
       }
@@ -4498,17 +4547,37 @@ function createMinimalWorkerCtx(
         }
       });
     },
-    async fetch(
-      key: string,
-      input: string | URL,
-      init: RequestInit = {},
-      options?: { staleAfterSeconds?: number },
-    ): Promise<WorkerFetchResponse> {
-      assertNotAborted(abortSignal);
-      const normalizedKey = normalizeContextKey(key, 'fetch');
-      const url = input.toString();
-      const method = (init.method ?? 'GET').toUpperCase();
-      const safeHeaders = normalizeFetchHeaders(init.headers);
+	    async fetch(
+	      key: string,
+	      input: string | URL,
+	      init: SecretAwareRequestInit = {},
+	      options?: { staleAfterSeconds?: number },
+	    ): Promise<WorkerFetchResponse> {
+	      assertNotAborted(abortSignal);
+	      const normalizedKey = normalizeContextKey(key, 'fetch');
+      if (
+        valueContainsSecret(input) ||
+        valueContainsSecret(init.body)
+      ) {
+        throw new Error(
+          'ctx.fetch does not allow secrets in the URL or body. Use an approved secret auth helper.',
+        );
+      }
+      if (valueContainsSecret(init.headers)) {
+        throw new Error(
+          'ctx.fetch does not allow raw secret headers. Use ctx.secrets.bearer(...) or ctx.secrets.header(...).',
+        );
+      }
+      if (init.auth !== undefined && !isSecretAuth(init.auth)) {
+        throw new Error('ctx.fetch auth must come from ctx.secrets.');
+      }
+	      const url = input.toString();
+	      const method = (init.method ?? 'GET').toUpperCase();
+      const secretHeaderMarkers = secretAuthHeaderMarkers(init.auth);
+	      const safeHeaders = {
+        ...normalizeFetchHeaders(init.headers),
+        ...secretHeaderMarkers,
+      };
       const body = fetchBodyIdentity(init.body);
       const hasIdempotencyKey =
         safeHeaders['idempotency-key'] !== undefined ||
@@ -4524,20 +4593,44 @@ function createMinimalWorkerCtx(
         safeHeaders,
         url,
       })}${staleRuntimeSuffix(options?.staleAfterSeconds)}`;
-      return await executeWithRuntimeReceipt(receiptKey, async () => {
-        const response = await fetch(url, init);
-        assertNotAborted(abortSignal);
-        const bodyText = await response.text();
-        return {
-          ok: response.ok,
-          status: response.status,
-          statusText: response.statusText,
-          url: response.url,
-          headers: Object.fromEntries(response.headers.entries()),
-          bodyText,
-          json: parseFetchJsonOrNull(bodyText),
+	      return await executeWithRuntimeReceipt(receiptKey, async () => {
+        const secretHeaders = await resolveSecretAuth(init.auth);
+        const headers = {
+          ...normalizeFetchHeaders(init.headers),
+          ...secretHeaders,
         };
-      });
+        const fetchInit = { ...init, headers };
+        delete fetchInit.auth;
+	        const response = await fetch(url, fetchInit);
+	        assertNotAborted(abortSignal);
+	        const bodyText = await response.text();
+        const redactedBodyText = secretRedactor.redactString(bodyText);
+	        return {
+	          ok: response.ok,
+	          status: response.status,
+	          statusText: response.statusText,
+	          url: response.url,
+	          headers: secretRedactor.redact(
+              Object.fromEntries(response.headers.entries()),
+            ) as Record<string, string>,
+	          bodyText: redactedBodyText,
+	          json: secretRedactor.redact(parseFetchJsonOrNull(bodyText)),
+	        };
+	      });
+	    },
+    secrets: {
+      get(name: string): SecretHandle {
+        if (typeof name !== 'string' || !name.trim()) {
+          throw new Error('ctx.secrets.get(name) requires a non-empty name.');
+        }
+        return createSecretHandle(name.trim());
+      },
+      bearer(secret: SecretHandle): SecretAuth {
+        return createBearerSecretAuth(secret);
+      },
+      header(header: string, secret: SecretHandle): SecretAuth {
+        return createHeaderSecretAuth(header, secret);
+      },
     },
     async waitForEvent(
       eventType: string,

package/dist/repo/sdk/src/client.ts

@@ -57,6 +57,9 @@ import type {
   PublishPlayVersionResult,
   StartPlayRunRequest,
   DeletePlayResult,
+  SharePageStatus,
+  PublishSharePageRequest,
+  UpdateSharePageRequest,
   ToolDefinition,
   ToolSearchOptions,
   ToolSearchResult,
@@ -158,6 +161,19 @@ export type PlaySheetRowsResult = {
   deltaCursor?: number;
 };
 
+export type PlaySecretMetadata = {
+  _id: string;
+  orgId: string;
+  scope: 'org' | 'play';
+  playName?: string;
+  name: string;
+  status: string;
+  hasValue: boolean;
+  createdAt: number;
+  updatedAt: number;
+  lastUsedAt?: number;
+};
+
 export type RunsNamespace = {
   get: (runId: string, options?: { full?: boolean }) => Promise<PlayStatus>;
   list: (options: RunsListOptions) => Promise<PlayRunListItem[]>;
@@ -571,6 +587,30 @@ export class DeeplineClient {
     };
   }
 
+  // ——————————————————————————————————————————————————————————
+  // Secrets
+  // ——————————————————————————————————————————————————————————
+
+  async listSecrets(): Promise<PlaySecretMetadata[]> {
+    const response = await this.http.get<{ secrets?: PlaySecretMetadata[] }>(
+      '/api/v2/secrets',
+    );
+    return Array.isArray(response.secrets) ? response.secrets : [];
+  }
+
+  async checkSecret(name: string): Promise<PlaySecretMetadata | null> {
+    const normalized = name.trim().toUpperCase();
+    const secrets = await this.listSecrets();
+    return (
+      secrets.find(
+        (secret) =>
+          secret.name === normalized &&
+          secret.status === 'active' &&
+          secret.hasValue,
+      ) ?? null
+    );
+  }
+
   // ——————————————————————————————————————————————————————————
   // Tools
   // ——————————————————————————————————————————————————————————
@@ -1625,6 +1665,76 @@ export class DeeplineClient {
     return this.http.delete<DeletePlayResult>(`/api/v2/plays/${encodedName}`);
   }
 
+  // ——————————————————————————————————————————————————————————
+  // Plays — public share pages
+  // ——————————————————————————————————————————————————————————
+
+  /**
+   * Current share status for a play: the public page (if any), the published
+   * copy, and the revision picker. Read-only.
+   */
+  async getSharePage(name: string): Promise<SharePageStatus> {
+    const encodedName = encodeURIComponent(name);
+    return this.http.get<SharePageStatus>(`/api/v2/plays/${encodedName}/share`);
+  }
+
+  /**
+   * Publish (or repoint) the play's public share page to a revision. Requires
+   * `acknowledgedUnlisted: true` — the page is publicly viewable. Org-admin only.
+   */
+  async publishSharePage(
+    name: string,
+    request: PublishSharePageRequest,
+  ): Promise<SharePageStatus> {
+    const encodedName = encodeURIComponent(name);
+    return this.http.post<SharePageStatus>(
+      `/api/v2/plays/${encodedName}/share`,
+      request,
+    );
+  }
+
+  /**
+   * Update share-page settings (SEO indexing, credit-cost / latency display)
+   * without moving the published pointer. Org-admin only.
+   */
+  async updateSharePage(
+    name: string,
+    request: UpdateSharePageRequest,
+  ): Promise<SharePageStatus> {
+    const encodedName = encodeURIComponent(name);
+    return this.http.patch<SharePageStatus>(
+      `/api/v2/plays/${encodedName}/share`,
+      request,
+    );
+  }
+
+  /**
+   * Unshare: hard-delete the play's public page and its cards. Returns the
+   * fresh status (now `share: null`). Org-admin only. Idempotent — a no-op when
+   * the play was never published.
+   */
+  async unpublishSharePage(name: string): Promise<SharePageStatus> {
+    const encodedName = encodeURIComponent(name);
+    return this.http.delete<SharePageStatus>(
+      `/api/v2/plays/${encodedName}/share`,
+    );
+  }
+
+  /**
+   * Regenerate the LLM landing-page copy for a revision (defaults to the
+   * published one). Org-admin only.
+   */
+  async regenerateSharePage(
+    name: string,
+    request: { revisionId?: string } = {},
+  ): Promise<SharePageStatus> {
+    const encodedName = encodeURIComponent(name);
+    return this.http.post<SharePageStatus>(
+      `/api/v2/plays/${encodedName}/share/regenerate`,
+      request,
+    );
+  }
+
   // ——————————————————————————————————————————————————————————
   // Plays — high-level orchestration
   // ——————————————————————————————————————————————————————————

package/dist/repo/sdk/src/http.ts

@@ -35,7 +35,7 @@ import {
 const MAX_DIAGNOSTIC_HEADER_LENGTH = 120;
 
 interface RequestOptions {
-  method?: 'GET' | 'POST' | 'PUT' | 'DELETE';
+  method?: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
   body?: unknown;
   formData?: FormData | (() => FormData);
   headers?: Record<string, string>;
@@ -392,6 +392,14 @@ export class HttpClient {
     });
   }
 
+  async patch<T = unknown>(
+    path: string,
+    body: unknown,
+    headers?: Record<string, string>,
+  ): Promise<T> {
+    return this.request<T>(path, { method: 'PATCH', body, headers });
+  }
+
   /**
    * Send a DELETE request.
    *

package/dist/repo/sdk/src/play.ts

@@ -146,6 +146,33 @@ export type PlayBindings = {
     /** IANA timezone (e.g. `'America/New_York'`). Defaults to UTC. */
     timezone?: string;
   };
+  /**
+   * Customer-authored play secrets this play is allowed to use at runtime.
+   * Values are never bundled or exposed by the SDK; access them with
+   * `ctx.secrets.get("NAME")` and approved helpers such as
+   * `ctx.secrets.bearer(handle)`.
+   */
+  secrets?: readonly string[];
+};
+
+declare const SECRET_HANDLE_BRAND: unique symbol;
+
+export type SecretHandle = {
+  readonly [SECRET_HANDLE_BRAND]: never;
+  readonly name: string;
+  toString(): string;
+  toJSON(): never;
+};
+
+export type SecretAuth = {
+  readonly kind: 'bearer' | 'header';
+  readonly secret: SecretHandle;
+  readonly header?: string;
+};
+
+export type SecretAwareRequestInit = Omit<RequestInit, 'headers'> & {
+  headers?: HeadersInit;
+  auth?: SecretAuth;
 };
 
 export type LoosePlayObject = {
@@ -523,7 +550,7 @@ export interface DeeplinePlayRuntimeContext {
   fetch(
     key: string,
     url: string | URL,
-    init?: RequestInit,
+    init?: SecretAwareRequestInit,
     options?: { staleAfterSeconds?: number },
   ): Promise<{
     ok: boolean;
@@ -534,6 +561,11 @@ export interface DeeplinePlayRuntimeContext {
     bodyText: string;
     json: unknown | null;
   }>;
+  secrets: {
+    get(name: string): SecretHandle;
+    bearer(secret: SecretHandle): SecretAuth;
+    header(header: string, secret: SecretHandle): SecretAuth;
+  };
   runPlay<TOutput = unknown>(
     key: string,
     playRef: string | PlayReferenceLike,

package/dist/repo/sdk/src/plays/bundle-play-file.ts

@@ -17,6 +17,7 @@ import {
   type PlayArtifactKind,
 } from '../../../shared_libs/play-runtime/backend.js';
 import { resolveExecutionProfile } from '../../../shared_libs/play-runtime/profiles.js';
+import { validatePlaySourceFilesHaveNoInlineSecrets } from '../../../shared_libs/plays/secret-guardrails.js';
 import { discoverPackagedLocalFiles } from './local-file-discovery.js';
 
 export type {
@@ -149,11 +150,13 @@ export async function bundlePlayFile(
   filePath: string,
   options: BundlePlayFileOptions = {},
 ): Promise<BundledPlayFileResult> {
-  return bundlePlayFileCore(filePath, {
+  const result = await bundlePlayFileCore(filePath, {
     target: options.target ?? defaultPlayBundleTarget(),
     exportName: options.exportName,
     adapter: createSdkPlayBundlingAdapter(),
   });
+  if (result.success) validatePlaySourceFilesHaveNoInlineSecrets(result.sourceFiles);
+  return result;
 }
 
 export { PLAY_ARTIFACT_KINDS };

package/dist/repo/sdk/src/release.ts

@@ -50,10 +50,10 @@ export type SdkRelease = {
 };
 
 export const SDK_RELEASE = {
-  version: '0.1.66',
+  version: '0.1.69',
   apiContract: '2026-05-play-bootstrap-dataset-summary',
   supportPolicy: {
-    latest: '0.1.66',
+    latest: '0.1.69',
     minimumSupported: '0.1.53',
     deprecatedBelow: '0.1.53',
   },

package/dist/repo/sdk/src/types.ts

@@ -889,3 +889,62 @@ export interface DeletePlayResult {
   deletedBindingCount: number;
   deletedRunCount: number;
 }
+
+// ——————————————————————————————————————————————————————————
+// Shareable play pages
+// ——————————————————————————————————————————————————————————
+
+/** Owner-facing view of a play's public share page. */
+export interface SharePageOwnerView {
+  shareSlug: string;
+  publishedRevisionId: string;
+  publishedVersion: number;
+  visibility: string;
+  seoIndexing: 'index' | 'noindex';
+  showAverageDeeplineCost: boolean;
+  showAverageLatency: boolean;
+  /** Stable public path, e.g. `/p/{shareSlug}`. */
+  publicPath: string;
+  /** Version-pinned canonical path, e.g. `/p/{shareSlug}/v/{version}`. */
+  canonicalPath: string;
+  createdAt: number;
+  updatedAt: number;
+}
+
+/** One row in the owner-facing revision picker for sharing. */
+export interface SharePageRevisionOption {
+  revisionId: string;
+  version: number;
+  isLive: boolean;
+  isWorking: boolean;
+  isPublished: boolean;
+  hasMap: boolean;
+  hasCard: boolean;
+  createdAt: number;
+}
+
+/** Status payload from `GET/POST/PATCH /api/v2/plays/:name/share`. */
+export interface SharePageStatus {
+  playName: string;
+  share: SharePageOwnerView | null;
+  publishedCopy: unknown | null;
+  revisions: SharePageRevisionOption[];
+  /** Present on publish responses when share-card generation was non-strict. */
+  warning?: string | null;
+}
+
+export interface PublishSharePageRequest {
+  /** The revision to publish/repoint the public page to. */
+  revisionId: string;
+  /** Must be true — acknowledges the page is publicly viewable. */
+  acknowledgedUnlisted: true;
+  showAverageDeeplineCost?: boolean;
+  showAverageLatency?: boolean;
+  seoIndexing?: 'index' | 'noindex';
+}
+
+export interface UpdateSharePageRequest {
+  showAverageDeeplineCost?: boolean;
+  showAverageLatency?: boolean;
+  seoIndexing?: 'index' | 'noindex';
+}

package/dist/repo/shared_libs/play-runtime/secret-capability.ts

@@ -0,0 +1,103 @@
+const SECRET_HANDLE_BRAND = Symbol.for('deepline.secret.handle');
+const SECRET_AUTH_BRAND = Symbol.for('deepline.secret.auth');
+const SECRET_HANDLE_MARKER_RE = /\[secret:[A-Z0-9_ -]+\]/i;
+
+export type SecretHandle = {
+  readonly [SECRET_HANDLE_BRAND]: true;
+  readonly name: string;
+  toString(): string;
+  toJSON(): never;
+};
+
+export type SecretAuth =
+  | {
+      readonly [SECRET_AUTH_BRAND]: true;
+      readonly kind: 'bearer';
+      readonly secret: SecretHandle;
+    }
+  | {
+      readonly [SECRET_AUTH_BRAND]: true;
+      readonly kind: 'header';
+      readonly header: string;
+      readonly secret: SecretHandle;
+    };
+
+export type SecretAwareRequestInit = RequestInit & {
+  auth?: SecretAuth;
+};
+
+function isRecord(value: unknown): value is Record<string | symbol, unknown> {
+  return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
+}
+
+export function isSecretHandle(value: unknown): value is SecretHandle {
+  return isRecord(value) && value[SECRET_HANDLE_BRAND] === true;
+}
+
+export function isSecretAuth(value: unknown): value is SecretAuth {
+  return isRecord(value) && value[SECRET_AUTH_BRAND] === true;
+}
+
+export function valueContainsSecret(value: unknown): boolean {
+  if (isSecretHandle(value) || isSecretAuth(value)) return true;
+  if (typeof value === 'string') return SECRET_HANDLE_MARKER_RE.test(value);
+  if (Array.isArray(value)) return value.some(valueContainsSecret);
+  if (isRecord(value)) return Object.values(value).some(valueContainsSecret);
+  return false;
+}
+
+export function createSecretHandle(name: string): SecretHandle {
+  return {
+    [SECRET_HANDLE_BRAND]: true,
+    name,
+    toString: () => `[secret:${name}]`,
+    toJSON: () => {
+      throw new Error(
+        `Secret ${name} cannot be serialized. Use an approved ctx.secrets helper.`,
+      );
+    },
+  };
+}
+
+export function createBearerSecretAuth(secret: SecretHandle): SecretAuth {
+  if (!isSecretHandle(secret)) {
+    throw new Error('ctx.secrets.bearer(...) requires a SecretHandle.');
+  }
+  return { [SECRET_AUTH_BRAND]: true, kind: 'bearer', secret };
+}
+
+export function createHeaderSecretAuth(
+  header: string,
+  secret: SecretHandle,
+): SecretAuth {
+  if (!isSecretHandle(secret)) {
+    throw new Error('ctx.secrets.header(...) requires a SecretHandle.');
+  }
+  if (typeof header !== 'string' || !header.trim()) {
+    throw new Error('ctx.secrets.header(...) requires a header name.');
+  }
+  return {
+    [SECRET_AUTH_BRAND]: true,
+    kind: 'header',
+    header: header.trim(),
+    secret,
+  };
+}
+
+export function secretAuthHeaderMarkers(
+  auth: SecretAuth | undefined,
+): Record<string, string> {
+  if (!auth) return {};
+  if (auth.kind === 'bearer') {
+    return { authorization: `[secret:${auth.secret.name}]` };
+  }
+  return { [auth.header.toLowerCase()]: `[secret:${auth.secret.name}]` };
+}
+
+export function assertNoSecretTaint(value: unknown, sink: string): void {
+  if (valueContainsSecret(value)) {
+    throw new Error(
+      `${sink} cannot receive secret handles or secret-tainted values. Use an approved ctx.secrets helper.`,
+    );
+  }
+}