npm - gitnexus - Versions diffs - 1.6.4-rc.60 → 1.6.4-rc.61 - Mend

gitnexus 1.6.4-rc.60 → 1.6.4-rc.61

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/dist/server/api.js CHANGED Viewed

@@ -25,7 +25,7 @@ import { mountMCPEndpoints } from './mcp-http.js';
 import { fork } from 'child_process';
 import { fileURLToPath, pathToFileURL } from 'url';
 import { JobManager } from './analyze-job.js';
-import { assertString, escapeRegExp, BadRequestError } from './validation.js';
+import { assertString, escapeRegExp, BadRequestError, createRouteLimiter } from './validation.js';
 import { extractRepoName, getCloneDir, cloneOrPull } from './git-clone.js';
 const _require = createRequire(import.meta.url);
 const pkg = _require('../../package.json');
@@ -186,7 +186,19 @@ export const registerWebUI = (app, staticDir) => {
         // The regex excludes /api paths AND paths with file extensions (.js, .css, etc.)
         // so missing assets get real 404s instead of the SPA HTML.
         // Adding routes below this will be unreachable for non-API, non-asset paths.
-        app.get(SPA_FALLBACK_REGEX, (_req, res) => {
+        // Rate-limited (CodeQL js/missing-rate-limiting): the SPA fallback
+        // serves a constant index.html, but the FS access from a route handler
+        // is enough to trip the analyzer. The limit is generous (300 rpm/IP =
+        // 5 req/s sustained) so that multi-tab browser navigation, prefetch,
+        // and service-worker revalidation do not produce 429s for legitimate
+        // SPA users. At this rate, real browser navigation is extremely
+        // unlikely to hit the limit in practice, so the cosmetic issue of
+        // JSON-on-429 to a browser is a low-likelihood path. Content
+        // negotiation on the 429 (returning the SPA shell to HTML clients
+        // instead of `{ error: '...' }`) would require swapping
+        // express-rate-limit's `message` for a `handler` function and is
+        // deferred to keep this PR focused on closing the CodeQL alert.
+        app.get(SPA_FALLBACK_REGEX, createRouteLimiter({ limit: 300 }), (_req, res) => {
             res.sendFile(path.join(staticDir, 'index.html'));
         });
     }
@@ -524,6 +536,26 @@ export const handleFileRequest = async (req, res, repoPath) => {
 export const createServer = async (port, host = '127.0.0.1') => {
     const app = express();
     app.disable('x-powered-by');
+    // Trust X-Forwarded-* headers only when the connection comes from the
+    // local loopback or RFC1918 private/link-local addresses — exactly the
+    // origins the CORS allowlist accepts. Without this, every request behind
+    // any reverse proxy / Docker bridge counts as the same `req.ip` and a
+    // single user can trip the per-IP rate limiter for everyone.
+    //
+    // SCOPE: this setting is process-wide. Every middleware and route in this
+    // Express app sees req.ip resolved from X-Forwarded-For when the upstream
+    // hop is in the trusted set above — not just the rate-limited routes.
+    // Future IP-based middleware (audit logging, IP-bound authz) inherits this
+    // behavior.
+    //
+    // CLOUD-DEPLOY CAVEAT: a public cloud LB (AWS ALB, Cloudflare, Fly.io
+    // edge, CGNAT 100.64/10) is NOT in the trusted set. In those topologies
+    // req.ip will collapse to the LB hop IP for every request and the per-IP
+    // rate limiter degrades to per-server. Add an explicit env-var override
+    // and document the cloud-deploy story before binding to a non-loopback
+    // host in those topologies (tracked as a follow-up; not blocking for the
+    // local-bound default).
+    app.set('trust proxy', 'loopback, linklocal, uniquelocal');
     // CORS: allow localhost, private/LAN networks, and the deployed site.
     // Non-browser requests (curl, server-to-server) have no origin and are allowed.
     // Disallowed origins get the response without Access-Control-Allow-Origin,
@@ -716,7 +748,10 @@ export const createServer = async (port, host = '127.0.0.1') => {
         }
     });
     // Delete a repo — removes index, clone dir (if any), and unregisters it
-    app.delete('/api/repo', async (req, res) => {
+    // Rate-limited (CodeQL js/missing-rate-limiting): destructive operation
+    // doing fs.rm of clone + storage dirs. Default 60 rpm/IP is generous for
+    // delete; tighten if abuse is observed.
+    app.delete('/api/repo', createRouteLimiter(), async (req, res) => {
         try {
             const repoName = requestedRepo(req);
             if (!repoName) {
@@ -997,7 +1032,8 @@ export const createServer = async (port, host = '127.0.0.1') => {
         }
     });
     // Read file — with path traversal guard
-    app.get('/api/file', async (req, res) => {
+    // Rate-limited (CodeQL js/missing-rate-limiting): per-request fs.readFile.
+    app.get('/api/file', createRouteLimiter(), async (req, res) => {
         const entry = await resolveRepo(requestedRepo(req));
         if (!entry) {
             res.status(404).json({ error: 'Repository not found' });
@@ -1007,7 +1043,10 @@ export const createServer = async (port, host = '127.0.0.1') => {
     });
     // Grep — regex search across file contents in the indexed repo
     // Uses filesystem-based search for memory efficiency (never loads all files into memory)
-    app.get('/api/grep', async (req, res) => {
+    // Rate-limited (CodeQL js/missing-rate-limiting): scans every file in
+    // the indexed repo per request — heaviest I/O endpoint. Same default 60
+    // rpm/IP for now; consider tightening if real-world load shows abuse.
+    app.get('/api/grep', createRouteLimiter(), async (req, res) => {
         try {
             const entry = await resolveRepo(requestedRepo(req));
             if (!entry) {

package/dist/server/validation.d.ts CHANGED Viewed

@@ -17,6 +17,7 @@
  * Helpers added in later units (U3 git-clone hardening, U4 rate-limiting) live
  * in this module too but are introduced with the dependency they require.
  */
+import { type RateLimitRequestHandler } from 'express-rate-limit';
 /**
  * Thrown by validation helpers when user input is rejected.
  * Routes catch via existing try/catch and convert with err.status / err.message.
@@ -58,3 +59,37 @@ export declare function assertSafePath(rawPath: string, root: string): string;
  * and any future endpoint that constructs a regex from caller input.
  */
 export declare function escapeRegExp(input: string): string;
+/**
+ * Project-specific subset of express-rate-limit options that callers may
+ * override. Intentionally narrow — `Partial<RateLimitOptions>` would let a
+ * caller pass `{ skip: () => true }` and silently disable limiting on a
+ * route. The two knobs below are sufficient for tests and any future
+ * legitimate per-route tuning.
+ */
+export interface RouteLimiterOverrides {
+    windowMs?: number;
+    /** Canonical name in express-rate-limit v8+. `max` is the deprecated alias. */
+    limit?: number;
+}
+/**
+ * Build a per-route rate-limit middleware with project-uniform defaults.
+ *
+ * Each call returns a NEW limiter instance — independent counters per route,
+ * so /api/file traffic doesn't push /api/grep into 429.
+ *
+ * Defaults:
+ *   - 60 requests per IP per minute
+ *   - draft-7 RateLimit-* response headers (no legacy X-RateLimit-* headers)
+ *   - 429 with a JSON body matching the project's `{ error: '...' }` shape
+ *   - passOnStoreError: store failures let the request through rather than
+ *     producing an HTML 500 from Express's default error handler
+ *   - keyGenerator: req.ip with a socket.remoteAddress fallback so abruptly
+ *     closed connections do not trigger ERR_ERL_UNDEFINED_IP_ADDRESS
+ *     (which would 500 the request via Express's default error handler).
+ *     Caller must wire `app.set('trust proxy', ...)` correctly — see
+ *     createServer in api.ts.
+ *
+ * Tests pass `{ windowMs: 100, limit: 3 }` to keep limiter tests fast and
+ * deterministic.
+ */
+export declare function createRouteLimiter(opts?: RouteLimiterOverrides): RateLimitRequestHandler;

package/dist/server/validation.js CHANGED Viewed

@@ -18,6 +18,7 @@
  * in this module too but are introduced with the dependency they require.
  */
 import path from 'node:path';
+import rateLimit from 'express-rate-limit';
 /**
  * Thrown by validation helpers when user input is rejected.
  * Routes catch via existing try/catch and convert with err.status / err.message.
@@ -89,3 +90,47 @@ export function assertSafePath(rawPath, root) {
 export function escapeRegExp(input) {
     return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
+/**
+ * Default rate-limit policy for FS-touching API routes (CodeQL
+ * js/missing-rate-limiting). Tuned for the local-bound HTTP server's expected
+ * traffic — interactive web UI use stays well under the limit; abusive loops
+ * trip 429.
+ *
+ * Module-internal — not exported. Tests assert the observable behavior
+ * (61st request returns 429), not the literal value, so callers don't grow
+ * a coupling on this number.
+ */
+const DEFAULT_RATE_LIMIT_RPM = 60;
+/**
+ * Build a per-route rate-limit middleware with project-uniform defaults.
+ *
+ * Each call returns a NEW limiter instance — independent counters per route,
+ * so /api/file traffic doesn't push /api/grep into 429.
+ *
+ * Defaults:
+ *   - 60 requests per IP per minute
+ *   - draft-7 RateLimit-* response headers (no legacy X-RateLimit-* headers)
+ *   - 429 with a JSON body matching the project's `{ error: '...' }` shape
+ *   - passOnStoreError: store failures let the request through rather than
+ *     producing an HTML 500 from Express's default error handler
+ *   - keyGenerator: req.ip with a socket.remoteAddress fallback so abruptly
+ *     closed connections do not trigger ERR_ERL_UNDEFINED_IP_ADDRESS
+ *     (which would 500 the request via Express's default error handler).
+ *     Caller must wire `app.set('trust proxy', ...)` correctly — see
+ *     createServer in api.ts.
+ *
+ * Tests pass `{ windowMs: 100, limit: 3 }` to keep limiter tests fast and
+ * deterministic.
+ */
+export function createRouteLimiter(opts) {
+    return rateLimit({
+        windowMs: 60 * 1000,
+        limit: DEFAULT_RATE_LIMIT_RPM,
+        standardHeaders: 'draft-7',
+        legacyHeaders: false,
+        passOnStoreError: true,
+        keyGenerator: (req) => req.ip ?? req.socket?.remoteAddress ?? 'unknown',
+        message: { error: 'Too many requests, please try again later.' },
+        ...opts,
+    });
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.6.4-rc.60",
+  "version": "1.6.4-rc.61",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",
@@ -60,6 +60,7 @@
     "commander": "^14.0.3",
     "cors": "^2.8.5",
     "express": "^4.19.2",
+    "express-rate-limit": "^8.4.1",
     "glob": "^13.0.6",
     "graphology": "^0.26.0",
     "graphology-indices": "^0.17.0",

package/web/assets/{agent-DSzTymIk.js → agent-C9r8n_cf.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import{r as e,t}from"./chunk-CilyBKbf.js";import{n,t as r}from"./index-DpMcvzVf.js";import{buildDynamicSystemPrompt as i}from"./context-builder-CqQNhRj1.js";var a=Object.defineProperty,o=(e,t)=>{let n={};for(var r in e)a(n,r,{get:e[r],enumerable:!0});return t||a(n,Symbol.toStringTag,{value:`Module`}),n};function s(e){let t=Symbol.for(e);return{brand(n,r){let i=r?Symbol.for(`${e}.${r}`):t;class a extends n{[i]=!0;constructor(...e){super(...e)}static isInstance(e){return typeof e==`object`&&!!e&&i in e&&e[i]===!0}}return Object.defineProperty(a,`name`,{value:n.name}),a},sub(t){return s(`${e}.${t}`)},isInstance(e){return typeof e==`object`&&!!e&&t in e&&e[t]===!0}}}var c=s(`langchain`),l=o({ContextOverflowError:()=>m,LangChainError:()=>f,ModelAbortError:()=>p,addLangChainErrorFields:()=>u,ns:()=>d});function u(e,t){return e.lc_error_code=t,e.message=`${e.message}\n\nTroubleshooting URL: https://docs.langchain.com/oss/javascript/langchain/errors/${t}/\n`,e}var d=c.sub(`error`),f=class extends d.brand(Error){name=`LangChainError`;constructor(e){super(e),Error.captureStackTrace&&Error.captureStackTrace(this,this.constructor)}},p=class extends d.brand(f,`model-abort`){name=`ModelAbortError`;partialOutput;constructor(e,t){super(e),this.partialOutput=t}},m=class e extends d.brand(f,`context-overflow`){name=`ContextOverflowError`;cause;constructor(e){super(e??`Input exceeded the model's context window.`)}static fromError(t){let n=new e(t.message);return n.cause=t,n}};function h(e){return!!(e&&typeof e==`object`&&`type`in e&&e.type===`tool_call`)}function g(e){return!!(e&&typeof e==`object`&&`toolCall`in e&&e.toolCall!=null&&typeof e.toolCall==`object`&&`id`in e.toolCall&&typeof e.toolCall.id==`string`)}var _=class extends Error{output;constructor(e,t){super(e),this.output=t}};function v(e,t=b){e=e.trim();let n=e.indexOf("```");if(n===-1)return t(e);let r=e.substring(n+3);r.startsWith(`json
+import{r as e,t}from"./chunk-CilyBKbf.js";import{n,t as r}from"./index-BcZj1uBK.js";import{buildDynamicSystemPrompt as i}from"./context-builder-CqQNhRj1.js";var a=Object.defineProperty,o=(e,t)=>{let n={};for(var r in e)a(n,r,{get:e[r],enumerable:!0});return t||a(n,Symbol.toStringTag,{value:`Module`}),n};function s(e){let t=Symbol.for(e);return{brand(n,r){let i=r?Symbol.for(`${e}.${r}`):t;class a extends n{[i]=!0;constructor(...e){super(...e)}static isInstance(e){return typeof e==`object`&&!!e&&i in e&&e[i]===!0}}return Object.defineProperty(a,`name`,{value:n.name}),a},sub(t){return s(`${e}.${t}`)},isInstance(e){return typeof e==`object`&&!!e&&t in e&&e[t]===!0}}}var c=s(`langchain`),l=o({ContextOverflowError:()=>m,LangChainError:()=>f,ModelAbortError:()=>p,addLangChainErrorFields:()=>u,ns:()=>d});function u(e,t){return e.lc_error_code=t,e.message=`${e.message}\n\nTroubleshooting URL: https://docs.langchain.com/oss/javascript/langchain/errors/${t}/\n`,e}var d=c.sub(`error`),f=class extends d.brand(Error){name=`LangChainError`;constructor(e){super(e),Error.captureStackTrace&&Error.captureStackTrace(this,this.constructor)}},p=class extends d.brand(f,`model-abort`){name=`ModelAbortError`;partialOutput;constructor(e,t){super(e),this.partialOutput=t}},m=class e extends d.brand(f,`context-overflow`){name=`ContextOverflowError`;cause;constructor(e){super(e??`Input exceeded the model's context window.`)}static fromError(t){let n=new e(t.message);return n.cause=t,n}};function h(e){return!!(e&&typeof e==`object`&&`type`in e&&e.type===`tool_call`)}function g(e){return!!(e&&typeof e==`object`&&`toolCall`in e&&e.toolCall!=null&&typeof e.toolCall==`object`&&`id`in e.toolCall&&typeof e.toolCall.id==`string`)}var _=class extends Error{output;constructor(e,t){super(e),this.output=t}};function v(e,t=b){e=e.trim();let n=e.indexOf("```");if(n===-1)return t(e);let r=e.substring(n+3);r.startsWith(`json
 `)?r=r.substring(5):r.startsWith(`json`)?r=r.substring(4):r.startsWith(`
 `)&&(r=r.substring(1));let i=r.indexOf("```"),a=r;return i!==-1&&(a=r.substring(0,i)),t(a.trim())}function y(e){try{return JSON.parse(e)}catch{}let t=e.trim();if(t.length===0)throw Error(`Unexpected end of JSON input`);let n=0;function r(){for(;n<t.length&&/\s/.test(t[n]);)n+=1}function i(){if(t[n]!==`"`)throw Error(`Expected '"' at position ${n}, got '${t[n]}'`);n+=1;let e=``,r=!1;for(;n<t.length;){let i=t[n];if(r){if(i===`n`)e+=`
 `;else if(i===`t`)e+=`	`;else if(i===`r`)e+=`\r`;else if(i===`\\`)e+=`\\`;else if(i===`"`)e+=`"`;else if(i===`b`)e+=`\b`;else if(i===`f`)e+=`\f`;else if(i===`/`)e+=`/`;else if(i===`u`){let r=t.substring(n+1,n+5);if(/^[0-9A-Fa-f]{0,4}$/.test(r))r.length===4?e+=String.fromCharCode(Number.parseInt(r,16)):e+=`u${r}`,n+=r.length;else throw Error(`Invalid unicode escape sequence '\\u${r}' at position ${n}`)}else throw Error(`Invalid escape sequence '\\${i}' at position ${n}`);r=!1}else if(i===`\\`)r=!0;else if(i===`"`)return n+=1,e;else e+=i;n+=1}return r&&(e+=`\\`),e}function a(){let e=n,r=``;if(t[n]===`-`&&(r+=`-`,n+=1),n<t.length&&t[n]===`0`&&(r+=`0`,n+=1,t[n]>=`0`&&t[n]<=`9`))throw Error(`Invalid number at position ${e}`);if(n<t.length&&t[n]>=`1`&&t[n]<=`9`)for(;n<t.length&&t[n]>=`0`&&t[n]<=`9`;)r+=t[n],n+=1;if(n<t.length&&t[n]===`.`)for(r+=`.`,n+=1;n<t.length&&t[n]>=`0`&&t[n]<=`9`;)r+=t[n],n+=1;if(n<t.length&&(t[n]===`e`||t[n]===`E`))for(r+=t[n],n+=1,n<t.length&&(t[n]===`+`||t[n]===`-`)&&(r+=t[n],n+=1);n<t.length&&t[n]>=`0`&&t[n]<=`9`;)r+=t[n],n+=1;if(r===`-`)return-0;let i=Number.parseFloat(r);if(Number.isNaN(i))throw n=e,Error(`Invalid number '${r}' at position ${e}`);return i}function o(){if(r(),n>=t.length)throw Error(`Unexpected end of input at position ${n}`);let e=t[n];if(e===`{`)return c();if(e===`[`)return s();if(e===`"`)return i();if(`null`.startsWith(t.substring(n,n+4)))return n+=Math.min(4,t.length-n),null;if(`true`.startsWith(t.substring(n,n+4)))return n+=Math.min(4,t.length-n),!0;if(`false`.startsWith(t.substring(n,n+5)))return n+=Math.min(5,t.length-n),!1;if(e===`-`||e>=`0`&&e<=`9`)return a();throw Error(`Unexpected character '${e}' at position ${n}`)}function s(){if(t[n]!==`[`)throw Error(`Expected '[' at position ${n}, got '${t[n]}'`);let e=[];if(n+=1,r(),n>=t.length)return e;if(t[n]===`]`)return n+=1,e;for(;n<t.length;){if(r(),n>=t.length||(e.push(o()),r(),n>=t.length))return e;if(t[n]===`]`)return n+=1,e;if(t[n]===`,`){n+=1;continue}throw Error(`Expected ',' or ']' at position ${n}, got '${t[n]}'`)}return e}function c(){if(t[n]!==`{`)throw Error(`Expected '{' at position ${n}, got '${t[n]}'`);let e={};if(n+=1,r(),n>=t.length)return e;if(t[n]===`}`)return n+=1,e;for(;n<t.length;){if(r(),n>=t.length)return e;let a=i();if(r(),n>=t.length)return e;if(t[n]!==`:`)throw Error(`Expected ':' at position ${n}, got '${t[n]}'`);if(n+=1,r(),n>=t.length||(e[a]=o(),r(),n>=t.length))return e;if(t[n]===`}`)return n+=1,e;if(t[n]===`,`){n+=1;continue}throw Error(`Expected ',' or '}' at position ${n}, got '${t[n]}'`)}return e}let l=o();if(r(),n<t.length)throw Error(`Unexpected character '${t[n]}' at position ${n}`);return l}function b(e){try{return e===void 0?null:y(e)}catch{return null}}var ee=t(((e,t)=>{t.exports=function(e,t){if(typeof e!=`string`)throw TypeError(`Expected a string`);return t=t===void 0?`_`:t,e.replace(/([a-z\d])([A-Z])/g,`$1`+t+`$2`).replace(/([A-Z]+)([A-Z][a-z\d]+)/g,`$1`+t+`$2`).toLowerCase()}})),x=t(((e,t)=>{var n=/[\p{Lu}]/u,r=/[\p{Ll}]/u,i=/^[\p{Lu}](?![\p{Lu}])/gu,a=/([\p{Alpha}\p{N}_]|$)/u,o=/[_.\- ]+/,s=RegExp(`^`+o.source),c=new RegExp(o.source+a.source,`gu`),l=RegExp(`\\d+`+a.source,`gu`),u=(e,t,i)=>{let a=!1,o=!1,s=!1;for(let c=0;c<e.length;c++){let l=e[c];a&&n.test(l)?(e=e.slice(0,c)+`-`+e.slice(c),a=!1,s=o,o=!0,c++):o&&s&&r.test(l)?(e=e.slice(0,c-1)+`-`+e.slice(c-1),s=o,o=!1,a=!0):(a=t(l)===l&&i(l)!==l,s=o,o=i(l)===l&&t(l)!==l)}return e},d=(e,t)=>(i.lastIndex=0,e.replace(i,e=>t(e))),f=(e,t)=>(c.lastIndex=0,l.lastIndex=0,e.replace(c,(e,n)=>t(n)).replace(l,e=>t(e))),p=(e,t)=>{if(!(typeof e==`string`||Array.isArray(e)))throw TypeError("Expected the input to be `string | string[]`");if(t={pascalCase:!1,preserveConsecutiveUppercase:!1,...t},e=Array.isArray(e)?e.map(e=>e.trim()).filter(e=>e.length).join(`-`):e.trim(),e.length===0)return``;let n=t.locale===!1?e=>e.toLowerCase():e=>e.toLocaleLowerCase(t.locale),r=t.locale===!1?e=>e.toUpperCase():e=>e.toLocaleUpperCase(t.locale);return e.length===1?t.pascalCase?r(e):n(e):(e!==n(e)&&(e=u(e,n,r)),e=e.replace(s,``),e=t.preserveConsecutiveUppercase?d(e,n):n(e),t.pascalCase&&(e=r(e.charAt(0))+e.slice(1)),f(e,r))};t.exports=p,t.exports.default=p})),te=e(ee(),1),S=e(x(),1);function ne(e,t){return t?.[e]||(0,te.default)(e)}function re(e,t){return t?.[e]||(0,S.default)(e)}function ie(e,t,n){let r={};for(let i in e)Object.hasOwn(e,i)&&(r[t(i,n)]=e[i]);return r}var ae=`__lc_escaped__`;function oe(e){return`lc`in e||Object.keys(e).length===1&&`__lc_escaped__`in e}function se(e){return{[ae]:e}}function ce(e){return Object.keys(e).length===1&&`__lc_escaped__`in e}function C(e){return typeof e==`object`&&!!e&&`lc_serializable`in e&&typeof e.toJSON==`function`}function le(e){let t;return t=typeof e==`object`&&e?`lc_id`in e&&Array.isArray(e.lc_id)?e.lc_id:[e.constructor?.name??`Object`]:[typeof e],{lc:1,type:`not_implemented`,id:t}}function ue(e,t=new WeakSet){if(typeof e==`object`&&e&&!Array.isArray(e)){if(t.has(e))return le(e);if(C(e))return e;t.add(e);let n=e;if(oe(n))return t.delete(e),se(n);let r={};for(let[e,i]of Object.entries(n))r[e]=ue(i,t);return t.delete(e),r}return Array.isArray(e)?e.map(e=>ue(e,t)):e}function de(e){if(typeof e==`object`&&e&&!Array.isArray(e)){let t=e;if(ce(t))return t[ae];let n={};for(let[e,r]of Object.entries(t))n[e]=de(r);return n}return Array.isArray(e)?e.map(e=>de(e)):e}var fe=o({Serializable:()=>ge,get_lc_unique_name:()=>he});function pe(e){return Array.isArray(e)?[...e]:{...e}}function me(e,t){let n=pe(e);for(let[e,r]of Object.entries(t)){let[t,...i]=e.split(`.`).reverse(),a=n;for(let e of i.reverse()){if(a[e]===void 0)break;a[e]=pe(a[e]),a=a[e]}a[t]!==void 0&&(a[t]={lc:1,type:`secret`,id:[r]})}return n}function he(e){let t=Object.getPrototypeOf(e);return typeof e.lc_name==`function`&&(typeof t.lc_name!=`function`||e.lc_name()!==t.lc_name())?e.lc_name():e.name}var ge=class e{lc_serializable=!1;lc_kwargs;static lc_name(){return this.name}get lc_id(){return[...this.lc_namespace,he(this.constructor)]}get lc_secrets(){}get lc_attributes(){}get lc_aliases(){}get lc_serializable_keys(){}constructor(e,...t){this.lc_serializable_keys===void 0?this.lc_kwargs=e??{}:this.lc_kwargs=Object.fromEntries(Object.entries(e||{}).filter(([e])=>this.lc_serializable_keys?.includes(e)))}toJSON(){if(!this.lc_serializable||this.lc_kwargs instanceof e||typeof this.lc_kwargs!=`object`||Array.isArray(this.lc_kwargs))return this.toJSONNotImplemented();let t={},n={},r=Object.keys(this.lc_kwargs).reduce((e,t)=>(e[t]=t in this?this[t]:this.lc_kwargs[t],e),{});for(let e=Object.getPrototypeOf(this);e;e=Object.getPrototypeOf(e))Object.assign(t,Reflect.get(e,`lc_aliases`,this)),Object.assign(n,Reflect.get(e,`lc_secrets`,this)),Object.assign(r,Reflect.get(e,`lc_attributes`,this));Object.keys(n).forEach(e=>{let t=this,n=r,[i,...a]=e.split(`.`).reverse();for(let e of a.reverse()){if(!(e in t)||t[e]===void 0)return;(!(e in n)||n[e]===void 0)&&(typeof t[e]==`object`&&t[e]!=null?n[e]={}:Array.isArray(t[e])&&(n[e]=[])),t=t[e],n=n[e]}i in t&&t[i]!==void 0&&(n[i]=n[i]||t[i])});let i={},a=new WeakSet;a.add(this);for(let[e,t]of Object.entries(r))i[e]=ue(t,a);let o=ie(Object.keys(n).length?me(i,n):i,ne,t);return{lc:1,type:`constructor`,id:this.lc_id,kwargs:o}}toJSONNotImplemented(){return{lc:1,type:`not_implemented`,id:this.lc_id}}};function _e(e){return typeof e==`object`&&!!e&&`type`in e&&typeof e.type==`string`&&`source_type`in e&&(e.source_type===`url`||e.source_type===`base64`||e.source_type===`text`||e.source_type===`id`)}function ve(e){return _e(e)&&e.source_type===`url`&&`url`in e&&typeof e.url==`string`}function ye(e){return _e(e)&&e.source_type===`base64`&&`data`in e&&typeof e.data==`string`}function be(e){return _e(e)&&e.source_type===`text`&&`text`in e&&typeof e.text==`string`}function xe(e){return _e(e)&&e.source_type===`id`&&`id`in e&&typeof e.id==`string`}function Se(e){if(_e(e)){if(e.source_type===`url`)return{type:`image_url`,image_url:{url:e.url}};if(e.source_type===`base64`){if(!e.mime_type)throw Error(`mime_type key is required for base64 data.`);return{type:`image_url`,image_url:{url:`data:${e.mime_type};base64,${e.data}`}}}}throw Error(`Unsupported source type. Only 'url' and 'base64' are supported.`)}function Ce(e){let t=e.split(`;`)[0].split(`/`);if(t.length!==2)throw Error(`Invalid mime type: "${e}" - does not match type/subtype format.`);let n=t[0].trim(),r=t[1].trim();if(n===``||r===``)throw Error(`Invalid mime type: "${e}" - type or subtype is empty.`);let i={};for(let t of e.split(`;`).slice(1)){let n=t.split(`=`);if(n.length!==2)throw Error(`Invalid parameter syntax in mime type: "${e}".`);let r=n[0].trim(),a=n[1].trim();if(r===``)throw Error(`Invalid parameter syntax in mime type: "${e}".`);i[r]=a}return{type:n,subtype:r,parameters:i}}function we({dataUrl:e,asTypedArray:t=!1}){let n=e.match(/^data:(\w+\/\w+);base64,([A-Za-z0-9+/]+=*)$/),r;if(n){r=n[1].toLowerCase();let e=t?Uint8Array.from(atob(n[2]),e=>e.charCodeAt(0)):n[2];return{mime_type:r,data:e}}}function Te(e,t){if(e.type===`text`){if(!t.fromStandardTextBlock)throw Error(`Converter for ${t.providerName} does not implement \`fromStandardTextBlock\` method.`);return t.fromStandardTextBlock(e)}if(e.type===`image`){if(!t.fromStandardImageBlock)throw Error(`Converter for ${t.providerName} does not implement \`fromStandardImageBlock\` method.`);return t.fromStandardImageBlock(e)}if(e.type===`audio`){if(!t.fromStandardAudioBlock)throw Error(`Converter for ${t.providerName} does not implement \`fromStandardAudioBlock\` method.`);return t.fromStandardAudioBlock(e)}if(e.type===`file`){if(!t.fromStandardFileBlock)throw Error(`Converter for ${t.providerName} does not implement \`fromStandardFileBlock\` method.`);return t.fromStandardFileBlock(e)}throw Error(`Unable to convert content block type '${e.type}' to provider-specific format: not recognized.`)}function w(e,t){return T(e)&&e.type===t}function T(e){return typeof e==`object`&&!!e}function Ee(e){return Array.isArray(e)}function E(e){return typeof e==`string`}function De(e){return typeof e==`number`}function Oe(e){return e instanceof Uint8Array}function D(e){try{return JSON.parse(e)}catch{return}}var ke=e=>e();function Ae(e){if(e.type===`char_location`&&E(e.document_title)&&De(e.start_char_index)&&De(e.end_char_index)&&E(e.cited_text)){let{document_title:t,start_char_index:n,end_char_index:r,cited_text:i,...a}=e;return{...a,type:`citation`,source:`char`,title:t??void 0,startIndex:n,endIndex:r,citedText:i}}if(e.type===`page_location`&&E(e.document_title)&&De(e.start_page_number)&&De(e.end_page_number)&&E(e.cited_text)){let{document_title:t,start_page_number:n,end_page_number:r,cited_text:i,...a}=e;return{...a,type:`citation`,source:`page`,title:t??void 0,startIndex:n,endIndex:r,citedText:i}}if(e.type===`content_block_location`&&E(e.document_title)&&De(e.start_block_index)&&De(e.end_block_index)&&E(e.cited_text)){let{document_title:t,start_block_index:n,end_block_index:r,cited_text:i,...a}=e;return{...a,type:`citation`,source:`block`,title:t??void 0,startIndex:n,endIndex:r,citedText:i}}if(e.type===`web_search_result_location`&&E(e.url)&&E(e.title)&&E(e.encrypted_index)&&E(e.cited_text)){let{url:t,title:n,encrypted_index:r,cited_text:i,...a}=e;return{...a,type:`citation`,source:`url`,url:t,title:n,startIndex:Number(r),endIndex:Number(r),citedText:i}}if(e.type===`search_result_location`&&E(e.source)&&E(e.title)&&De(e.start_block_index)&&De(e.end_block_index)&&E(e.cited_text)){let{source:t,title:n,start_block_index:r,end_block_index:i,cited_text:a,...o}=e;return{...o,type:`citation`,source:`search`,url:t,title:n??void 0,startIndex:r,endIndex:i,citedText:a}}}function je(e){if(w(e,`document`)&&T(e.source)&&`type`in e.source){if(e.source.type===`base64`&&E(e.source.media_type)&&E(e.source.data))return{type:`file`,mimeType:e.source.media_type,data:e.source.data};if(e.source.type===`url`&&E(e.source.url))return{type:`file`,url:e.source.url};if(e.source.type===`file`&&E(e.source.file_id))return{type:`file`,fileId:e.source.file_id};if(e.source.type===`text`&&E(e.source.data))return{type:`file`,mimeType:String(e.source.media_type??`text/plain`),data:e.source.data}}else if(w(e,`image`)&&T(e.source)&&`type`in e.source){if(e.source.type===`base64`&&E(e.source.media_type)&&E(e.source.data))return{type:`image`,mimeType:e.source.media_type,data:e.source.data};if(e.source.type===`url`&&E(e.source.url))return{type:`image`,url:e.source.url};if(e.source.type===`file`&&E(e.source.file_id))return{type:`image`,fileId:e.source.file_id}}}function Me(e){function*t(){for(let t of e){let e=je(t);e?yield e:yield t}}return Array.from(t())}function Ne(e){function*t(){let t=typeof e.content==`string`?[{type:`text`,text:e.content}]:e.content;for(let n of t){if(w(n,`text`)&&E(n.text)){let{text:e,citations:t,...r}=n;if(Ee(t)&&t.length){let n=t.reduce((e,t)=>{let n=Ae(t);return n?[...e,n]:e},[]);yield{...r,type:`text`,text:e,annotations:n};continue}else{yield{...r,type:`text`,text:e};continue}}else if(w(n,`thinking`)&&E(n.thinking)){let{thinking:e,signature:t,...r}=n;yield{...r,type:`reasoning`,reasoning:e,signature:t};continue}else if(w(n,`redacted_thinking`)){yield{type:`non_standard`,value:n};continue}else if(w(n,`tool_use`)&&E(n.name)&&E(n.id)){yield{type:`tool_call`,id:n.id,name:n.name,args:n.input};continue}else if(w(n,`input_json_delta`)){if(Fe(e)&&e.tool_call_chunks?.length){let t=e.tool_call_chunks[0];yield{type:`tool_call_chunk`,id:t.id,name:t.name,args:t.args,index:t.index};continue}}else if(w(n,`server_tool_use`)&&E(n.name)&&E(n.id)){let{name:e,id:t}=n;if(e===`web_search`){yield{id:t,type:`server_tool_call`,name:`web_search`,args:{query:ke(()=>{if(typeof n.input==`string`)return n.input;if(T(n.input)&&E(n.input.query))return n.input.query;if(E(n.partial_json)){let e=D(n.partial_json);if(e?.query)return e.query}return``})}};continue}else if(n.name===`code_execution`){yield{id:t,type:`server_tool_call`,name:`code_execution`,args:{code:ke(()=>{if(typeof n.input==`string`)return n.input;if(T(n.input)&&E(n.input.code))return n.input.code;if(E(n.partial_json)){let e=D(n.partial_json);if(e?.code)return e.code}return``})}};continue}}else if(w(n,`web_search_tool_result`)&&E(n.tool_use_id)&&Ee(n.content)){let{content:e,tool_use_id:t}=n;yield{type:`server_tool_call_result`,name:`web_search`,toolCallId:t,status:`success`,output:{urls:e.reduce((e,t)=>w(t,`web_search_result`)?[...e,t.url]:e,[])}};continue}else if(w(n,`code_execution_tool_result`)&&E(n.tool_use_id)&&T(n.content)){yield{type:`server_tool_call_result`,name:`code_execution`,toolCallId:n.tool_use_id,status:`success`,output:n.content};continue}else if(w(n,`mcp_tool_use`)){yield{id:n.id,type:`server_tool_call`,name:`mcp_tool_use`,args:n.input};continue}else if(w(n,`mcp_tool_result`)&&E(n.tool_use_id)&&T(n.content)){yield{type:`server_tool_call_result`,name:`mcp_tool_use`,toolCallId:n.tool_use_id,status:`success`,output:n.content};continue}else if(w(n,`container_upload`)){yield{type:`server_tool_call`,name:`container_upload`,args:n.input};continue}else if(w(n,`search_result`)){yield{id:n.id,type:`non_standard`,value:n};continue}else if(w(n,`tool_result`)){yield{id:n.id,type:`non_standard`,value:n};continue}else{let e=je(n);if(e){yield e;continue}}yield{type:`non_standard`,value:n}}}return Array.from(t())}var Pe={translateContent:Ne,translateContentChunk:Ne};function Fe(e){return typeof e?._getType==`function`&&typeof e.concat==`function`&&e._getType()===`ai`}function Ie(e){return ve(e)?{type:e.type,mimeType:e.mime_type,url:e.url,metadata:e.metadata}:ye(e)?{type:e.type,mimeType:e.mime_type??`application/octet-stream`,data:e.data,metadata:e.metadata}:xe(e)?{type:e.type,mimeType:e.mime_type,fileId:e.id,metadata:e.metadata}:e}function Le(e){return e.map(Ie)}function Re(e){return!!(w(e,`image_url`)&&T(e.image_url)||w(e,`input_audio`)&&T(e.input_audio)||w(e,`file`)&&T(e.file))}function ze(e){if(w(e,`image_url`)&&T(e.image_url)&&E(e.image_url.url)){let t=we({dataUrl:e.image_url.url});return t?{type:`image`,mimeType:t.mime_type,data:t.data}:{type:`image`,url:e.image_url.url}}else if(w(e,`input_audio`)&&T(e.input_audio)&&E(e.input_audio.data)&&E(e.input_audio.format))return{type:`audio`,data:e.input_audio.data,mimeType:`audio/${e.input_audio.format}`};else if(w(e,`file`)&&T(e.file)&&E(e.file.data)){let t=we({dataUrl:e.file.data});if(t)return{type:`file`,data:t.data,mimeType:t.mime_type};if(E(e.file.file_id))return{type:`file`,fileId:e.file.file_id}}return e}function Be(e){let t=[];typeof e.content==`string`?e.content.length>0&&t.push({type:`text`,text:e.content}):t.push(...He(e.content));for(let n of e.tool_calls??[])t.push({type:`tool_call`,id:n.id,name:n.name,args:n.args});return t}function Ve(e){let t=[];typeof e.content==`string`?e.content.length>0&&t.push({type:`text`,text:e.content}):t.push(...He(e.content));for(let n of e.tool_calls??[])t.push({type:`tool_call`,id:n.id,name:n.name,args:n.args});return t}function He(e){let t=[];for(let n of e)Re(n)?t.push(ze(n)):t.push(n);return t}function Ue(e){if(e.type===`url_citation`){let{url:t,title:n,start_index:r,end_index:i}=e;return{type:`citation`,url:t,title:n,startIndex:r,endIndex:i}}if(e.type===`file_citation`){let{file_id:t,filename:n,index:r}=e;return{type:`citation`,title:n,startIndex:r,endIndex:r,fileId:t}}return e}function We(e){function*t(){T(e.additional_kwargs?.reasoning)&&Ee(e.additional_kwargs.reasoning.summary)&&(yield{type:`reasoning`,reasoning:e.additional_kwargs.reasoning.summary.reduce((e,t)=>T(t)&&E(t.text)?`${e}${t.text}`:e,``)});let t=typeof e.content==`string`?[{type:`text`,text:e.content}]:e.content;for(let e of t)if(w(e,`text`)){let{text:t,annotations:n,phase:r,extras:i,...a}=e,o=T(i)?{...i}:{};E(r)&&(o.phase=r);let s=Object.keys(o).length>0?{extras:o}:{};Array.isArray(n)?yield{...a,...s,type:`text`,text:String(t),annotations:n.map(Ue)}:yield{...a,...s,type:`text`,text:String(t)}}for(let t of e.tool_calls??[])yield{type:`tool_call`,id:t.id,name:t.name,args:t.args};if(T(e.additional_kwargs)&&Ee(e.additional_kwargs.tool_outputs))for(let t of e.additional_kwargs.tool_outputs){if(w(t,`web_search_call`)){let e={};if(T(t.action)&&E(t.action.query)&&(e.query=t.action.query),yield{id:t.id,type:`server_tool_call`,name:`web_search`,args:e},t.status===`completed`||t.status===`failed`){let e={};T(t.action)&&(e.action=t.action),yield{type:`server_tool_call_result`,toolCallId:E(t.id)?t.id:``,status:t.status===`completed`?`success`:`error`,output:e}}continue}else if(w(t,`file_search_call`)){yield{id:t.id,type:`server_tool_call`,name:`file_search`,args:{queries:Ee(t.queries)?t.queries:[]}},(t.status===`completed`||t.status===`failed`)&&(yield{type:`server_tool_call_result`,toolCallId:E(t.id)?t.id:``,status:t.status===`completed`?`success`:`error`,output:Ee(t.results)?{results:t.results}:{}});continue}else if(w(t,`computer_call`)){yield{type:`non_standard`,value:t};continue}else if(w(t,`code_interpreter_call`)){if(E(t.code)&&(yield{id:t.id,type:`server_tool_call`,name:`code_interpreter`,args:{code:t.code}}),Ee(t.outputs)){let e=ke(()=>{if(t.status!==`in_progress`){if(t.status===`completed`)return 0;if(t.status===`incomplete`)return 127;if(t.status!==`interpreting`&&t.status===`failed`)return 1}});for(let n of t.outputs)if(w(n,`logs`)){yield{type:`server_tool_call_result`,toolCallId:t.id??``,status:`success`,output:{type:`code_interpreter_output`,returnCode:e??0,stderr:[0,void 0].includes(e)?void 0:String(n.logs),stdout:[0,void 0].includes(e)?String(n.logs):void 0}};continue}}continue}else if(w(t,`mcp_call`)){yield{id:t.id,type:`server_tool_call`,name:`mcp_call`,args:t.input};continue}else if(w(t,`mcp_list_tools`)){yield{id:t.id,type:`server_tool_call`,name:`mcp_list_tools`,args:t.input};continue}else if(w(t,`mcp_approval_request`)){yield{type:`non_standard`,value:t};continue}else if(w(t,`tool_search_call`)){let e={};T(t.arguments)&&Object.assign(e,t.arguments);let n={};E(t.execution)&&(n.execution=t.execution),E(t.status)&&(n.status=t.status),E(t.call_id)&&(n.call_id=t.call_id),yield{id:E(t.id)?t.id:``,type:`server_tool_call`,name:`tool_search`,args:e,...Object.keys(n).length>0?{extras:n}:{}};continue}else if(w(t,`tool_search_output`)){let e={name:`tool_search`};E(t.execution)&&(e.execution=t.execution),yield{type:`server_tool_call_result`,toolCallId:E(t.id)?t.id:``,status:t.status===`completed`?`success`:t.status===`failed`?`error`:`success`,output:{tools:Ee(t.tools)?t.tools:[]},extras:e};continue}else if(w(t,`image_generation_call`)){E(t.result)&&(yield{type:`image`,mimeType:`image/png`,data:t.result,id:E(t.id)?t.id:void 0,metadata:{status:E(t.status)?t.status:void 0}}),yield{type:`non_standard`,value:t};continue}T(t)&&(yield{type:`non_standard`,value:t})}}return Array.from(t())}function Ge(e){function*t(){yield*We(e);for(let t of e.tool_call_chunks??[])yield{type:`tool_call_chunk`,id:t.id,name:t.name,args:t.args}}return Array.from(t())}var Ke={translateContent:e=>typeof e.content==`string`?Be(e):We(e),translateContentChunk:e=>typeof e.content==`string`?Ve(e):Ge(e)};function qe(e){return typeof e==`object`&&!!e&&`type`in e&&`content`in e&&(typeof e.content==`string`||Array.isArray(e.content))}function Je(e,t=`pretty`){return t===`pretty`?Ye(e):JSON.stringify(e)}function Ye(e){let t=[],n=` ${e.type.charAt(0).toUpperCase()+e.type.slice(1)} Message `,r=Math.floor((80-n.length)/2),i=`=`.repeat(r),a=n.length%2==0?i:`${i}=`;if(t.push(`${i}${n}${a}`),e.type===`ai`){let n=e;if(n.tool_calls&&n.tool_calls.length>0){t.push(`Tool Calls:`);for(let e of n.tool_calls){t.push(`  ${e.name} (${e.id})`),t.push(` Call ID: ${e.id}`),t.push(`  Args:`);for(let[n,r]of Object.entries(e.args))t.push(`    ${n}: ${typeof r==`object`?JSON.stringify(r):r}`)}}}if(e.type===`tool`){let n=e;n.name&&t.push(`Name: ${n.name}`)}return typeof e.content==`string`&&e.content.trim()&&(t.length>1&&t.push(``),t.push(e.content)),t.join(`

package/web/assets/architecture-YZFGNWBL-S5CXDPWN-CL__bSw6.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ import"./index-BcZj1uBK.js";import"./chunk-H3VCZNTA-S6JCDFX6.js";import"./chunk-FXACKDTF-DDbh9iQA.js";import{n as e}from"./chunk-XGPFEOL4-C8lmtgql.js";export{e as createArchitectureServices};