harper-kb 0.2.0

package/dist/oauth/validate.d.ts

@@ -0,0 +1,40 @@
+/**
+ * OAuth JWT Bearer Token Validation
+ *
+ * Validates JWT access tokens on incoming MCP requests.
+ * Verifies the signature, issuer, audience, expiration, and scope.
+ *
+ * Tokens are scoped to a specific KB via the audience claim:
+ *   aud = "{baseUrl}/mcp/{kbId}"
+ */
+import type { HarperRequest } from '../types.ts';
+export interface ValidatedCaller {
+    /** User identifier (from JWT sub claim, e.g. "github:octocat") */
+    userId: string;
+    /** OAuth client ID */
+    clientId: string;
+    /** Granted scopes */
+    scopes: string[];
+    /** Knowledge base this caller is scoped to (from URL path) */
+    kbId: string;
+}
+export interface AuthResult {
+    /** Validated caller, or null if no valid token */
+    caller: ValidatedCaller | null;
+    /** Whether an Authorization header with Bearer token was present */
+    hasToken: boolean;
+}
+/**
+ * Validate the Bearer token from an MCP request.
+ *
+ * The kbId is extracted from the URL path and used as part of the
+ * expected audience claim — tokens issued for one KB cannot be used
+ * on another.
+ *
+ * Returns { caller, hasToken } so the MCP middleware can distinguish:
+ * - No token → anonymous read-only access
+ * - Valid token → authenticated access with granted scopes
+ * - Invalid token → 401 (token present but verification failed)
+ */
+export declare function validateMcpAuth(request: HarperRequest, kbId: string): Promise<AuthResult>;
+//# sourceMappingURL=validate.d.ts.map

package/dist/oauth/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/oauth/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAIjD,MAAM,WAAW,eAAe;IAC/B,kEAAkE;IAClE,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,UAAU;IAC1B,kDAAkD;IAClD,MAAM,EAAE,eAAe,GAAG,IAAI,CAAC;IAC/B,oEAAoE;IACpE,QAAQ,EAAE,OAAO,CAAC;CAClB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CA0B/F"}

package/dist/oauth/validate.js

@@ -0,0 +1,61 @@
+/**
+ * OAuth JWT Bearer Token Validation
+ *
+ * Validates JWT access tokens on incoming MCP requests.
+ * Verifies the signature, issuer, audience, expiration, and scope.
+ *
+ * Tokens are scoped to a specific KB via the audience claim:
+ *   aud = "{baseUrl}/mcp/{kbId}"
+ */
+import { jwtVerify, createLocalJWKSet } from 'jose';
+import { getBaseUrl, getHeader } from "../http-utils.js";
+import { getJwks } from "./keys.js";
+/**
+ * Validate the Bearer token from an MCP request.
+ *
+ * The kbId is extracted from the URL path and used as part of the
+ * expected audience claim — tokens issued for one KB cannot be used
+ * on another.
+ *
+ * Returns { caller, hasToken } so the MCP middleware can distinguish:
+ * - No token → anonymous read-only access
+ * - Valid token → authenticated access with granted scopes
+ * - Invalid token → 401 (token present but verification failed)
+ */
+export async function validateMcpAuth(request, kbId) {
+    const token = extractBearerToken(request);
+    if (!token)
+        return { caller: null, hasToken: false };
+    try {
+        const baseUrl = getBaseUrl(request);
+        const jwks = createLocalJWKSet(await getJwks());
+        const { payload } = await jwtVerify(token, jwks, {
+            issuer: baseUrl,
+            audience: `${baseUrl}/mcp/${kbId}`,
+        });
+        return {
+            caller: {
+                userId: payload.sub || 'unknown',
+                clientId: payload.client_id || 'unknown',
+                scopes: typeof payload.scope === 'string' ? payload.scope.split(' ') : [],
+                kbId,
+            },
+            hasToken: true,
+        };
+    }
+    catch (error) {
+        logger?.warn?.(`JWT validation failed: ${error.message}`);
+        return { caller: null, hasToken: true };
+    }
+}
+/**
+ * Extract the Bearer token from the Authorization header.
+ */
+function extractBearerToken(request) {
+    const authValue = getHeader(request, 'authorization');
+    if (!authValue)
+        return null;
+    const match = authValue.match(/^Bearer\s+(.+)$/i);
+    return match ? match[1] : null;
+}
+//# sourceMappingURL=validate.js.map

package/dist/oauth/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/oauth/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAEpD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAoBpC;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAsB,EAAE,IAAY;IACzE,MAAM,KAAK,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAErD,IAAI,CAAC;QACJ,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,iBAAiB,CAAC,MAAM,OAAO,EAAE,CAAC,CAAC;QAEhD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;YAChD,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,GAAG,OAAO,QAAQ,IAAI,EAAE;SAClC,CAAC,CAAC;QAEH,OAAO;YACN,MAAM,EAAE;gBACP,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,SAAS;gBAChC,QAAQ,EAAG,OAAO,CAAC,SAAoB,IAAI,SAAS;gBACpD,MAAM,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;gBACzE,IAAI;aACJ;YACD,QAAQ,EAAE,IAAI;SACd,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,MAAM,EAAE,IAAI,EAAE,CAAC,0BAA2B,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACrE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACzC,CAAC;AACF,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,OAAsB;IACjD,MAAM,SAAS,GAAG,SAAS,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IACtD,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAE5B,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAClD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAChC,CAAC"}

package/dist/resources/HistoryResource.d.ts

@@ -0,0 +1,41 @@
+/**
+ * History Resource
+ *
+ * REST endpoint for knowledge entry edit history.
+ * All operations require kbId query parameter for tenant scoping.
+ *
+ * Routes:
+ *   GET /History/<entryId>?kbId=..  — get edit history for a knowledge entry
+ */
+declare const HistoryResource_base: any;
+export declare class HistoryResource extends HistoryResource_base {
+    static loadAsInstance: boolean;
+    /**
+     * GET /History/<entryId>?kbId=.. — get edit history for a knowledge entry.
+     * Public read access (same as KnowledgeEntry).
+     */
+    get(target?: any): Promise<{
+        status: number;
+        data: {
+            error: string;
+        };
+        entryId?: undefined;
+        editCount?: undefined;
+        edits?: undefined;
+    } | {
+        entryId: string;
+        editCount: number;
+        edits: {
+            id: string;
+            kbId: string;
+            entryId: string;
+            editSummary: string | undefined;
+            changedFields: string[];
+            createdAt: Date | undefined;
+        }[];
+        status?: undefined;
+        data?: undefined;
+    }>;
+}
+export {};
+//# sourceMappingURL=HistoryResource.d.ts.map

package/dist/resources/HistoryResource.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"HistoryResource.d.ts","sourceRoot":"","sources":["../../src/resources/HistoryResource.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;;AAaH,qBAAa,eAAgB,SAAQ,oBAAkB;IACtD,MAAM,CAAC,cAAc,UAAS;IAE9B;;;OAGG;IACG,GAAG,CAAC,MAAM,CAAC,EAAE,GAAG;;;;;;;;;;;;;;;;;;;;;;CAwCtB"}

package/dist/resources/HistoryResource.js

@@ -0,0 +1,61 @@
+/**
+ * History Resource
+ *
+ * REST endpoint for knowledge entry edit history.
+ * All operations require kbId query parameter for tenant scoping.
+ *
+ * Routes:
+ *   GET /History/<entryId>?kbId=..  — get edit history for a knowledge entry
+ */
+import { getHistory } from "../core/history.js";
+import { getEntry } from "../core/entries.js";
+function getResourceClass() {
+    return globalThis.Resource;
+}
+function extractKbId(target) {
+    return target?.get?.('kbId') || target?.kbId || null;
+}
+export class HistoryResource extends getResourceClass() {
+    static loadAsInstance = false;
+    /**
+     * GET /History/<entryId>?kbId=.. — get edit history for a knowledge entry.
+     * Public read access (same as KnowledgeEntry).
+     */
+    async get(target) {
+        const kbId = extractKbId(target);
+        if (!kbId) {
+            return { status: 400, data: { error: 'kbId query parameter is required' } };
+        }
+        const entryId = this.getId();
+        if (!entryId) {
+            return {
+                status: 400,
+                data: { error: 'Entry ID required: GET /History/<entryId>?kbId=..' },
+            };
+        }
+        // Verify entry belongs to this KB
+        const entry = await getEntry(String(entryId));
+        if (!entry || entry.kbId !== kbId) {
+            return { status: 404, data: { error: 'Knowledge entry not found' } };
+        }
+        const limitParam = target?.get?.('limit') || target?.limit;
+        const limit = limitParam ? parseInt(String(limitParam), 10) : 50;
+        const edits = await getHistory(String(entryId), limit);
+        // Strip sensitive fields from public responses (usernames, previous values).
+        // Harper records use non-enumerable properties, so we must read fields explicitly.
+        const publicEdits = edits.map((edit) => ({
+            id: edit.id,
+            kbId: edit.kbId,
+            entryId: edit.entryId,
+            editSummary: edit.editSummary,
+            changedFields: edit.changedFields,
+            createdAt: edit.createdAt,
+        }));
+        return {
+            entryId: String(entryId),
+            editCount: publicEdits.length,
+            edits: publicEdits,
+        };
+    }
+}
+//# sourceMappingURL=HistoryResource.js.map

package/dist/resources/HistoryResource.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"HistoryResource.js","sourceRoot":"","sources":["../../src/resources/HistoryResource.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,SAAS,gBAAgB;IACxB,OAAQ,UAAkB,CAAC,QAAQ,CAAC;AACrC,CAAC;AAED,SAAS,WAAW,CAAC,MAAY;IAChC,OAAO,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,MAAM,EAAE,IAAI,IAAI,IAAI,CAAC;AACtD,CAAC;AAED,MAAM,OAAO,eAAgB,SAAQ,gBAAgB,EAAE;IACtD,MAAM,CAAC,cAAc,GAAG,KAAK,CAAC;IAE9B;;;OAGG;IACH,KAAK,CAAC,GAAG,CAAC,MAAY;QACrB,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,kCAAkC,EAAE,EAAE,CAAC;QAC7E,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,OAAO;gBACN,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,EAAE,KAAK,EAAE,mDAAmD,EAAE;aACpE,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,2BAA2B,EAAE,EAAE,CAAC;QACtE,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,MAAM,EAAE,KAAK,CAAC;QAC3D,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAEjE,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,KAAK,CAAC,CAAC;QACvD,6EAA6E;QAC7E,mFAAmF;QACnF,MAAM,WAAW,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACxC,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,SAAS,EAAE,IAAI,CAAC,SAAS;SACzB,CAAC,CAAC,CAAC;QACJ,OAAO;YACN,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC;YACxB,SAAS,EAAE,WAAW,CAAC,MAAM;YAC7B,KAAK,EAAE,WAAW;SAClB,CAAC;IACH,CAAC"}

package/dist/resources/KnowledgeBaseResource.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Knowledge Base Resource
+ *
+ * REST endpoint for managing knowledge base tenants.
+ * GET is public; POST, PUT, DELETE require team role.
+ *
+ * Routes:
+ *   GET  /KnowledgeBase/         — list all knowledge bases
+ *   GET  /KnowledgeBase/<id>     — get a single knowledge base
+ *   POST /KnowledgeBase/         — create a new knowledge base (team role)
+ *   PUT  /KnowledgeBase/<id>     — update a knowledge base (team role)
+ *   DELETE /KnowledgeBase/<id>   — delete a knowledge base (team role)
+ */
+declare const KnowledgeBaseResource_base: any;
+export declare class KnowledgeBaseResource extends KnowledgeBaseResource_base {
+    static loadAsInstance: boolean;
+    /**
+     * GET /KnowledgeBase/<id> — return a single KB.
+     * GET /KnowledgeBase/ — list all KBs.
+     * PUBLIC — no auth required.
+     */
+    get(): Promise<import("../types.ts").KnowledgeBase | import("../types.ts").KnowledgeBase[] | {
+        status: number;
+        data: {
+            error: string;
+        };
+    }>;
+    /**
+     * POST /KnowledgeBase/ — create a new knowledge base.
+     * AUTH REQUIRED: team role only.
+     */
+    post(_target: any, data: any): Promise<import("../types.ts").KnowledgeBase | {
+        status: number;
+        data: {
+            error: string;
+        };
+    }>;
+    /**
+     * PUT /KnowledgeBase/<id> — update a knowledge base.
+     * AUTH REQUIRED: team role only.
+     */
+    put(_target: any, data: any): Promise<import("../types.ts").KnowledgeBase | {
+        status: number;
+        data: {
+            error: string;
+        };
+    }>;
+    /**
+     * DELETE /KnowledgeBase/<id> — delete a knowledge base.
+     * AUTH REQUIRED: team role only.
+     */
+    delete(): Promise<true | {
+        status: number;
+        data: {
+            error: string;
+        };
+    }>;
+}
+export {};
+//# sourceMappingURL=KnowledgeBaseResource.d.ts.map

package/dist/resources/KnowledgeBaseResource.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"KnowledgeBaseResource.d.ts","sourceRoot":"","sources":["../../src/resources/KnowledgeBaseResource.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;;AAcH,qBAAa,qBAAsB,SAAQ,0BAAkB;IAC5D,MAAM,CAAC,cAAc,UAAS;IAE9B;;;;OAIG;IACG,GAAG;;;;;;IAaT;;;OAGG;IACG,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG;;;;;;IA0BlC;;;OAGG;IACG,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG;;;;;;IAwBjC;;;OAGG;IACG,MAAM;;;;;;CAwBZ"}

package/dist/resources/KnowledgeBaseResource.js

@@ -0,0 +1,118 @@
+/**
+ * Knowledge Base Resource
+ *
+ * REST endpoint for managing knowledge base tenants.
+ * GET is public; POST, PUT, DELETE require team role.
+ *
+ * Routes:
+ *   GET  /KnowledgeBase/         — list all knowledge bases
+ *   GET  /KnowledgeBase/<id>     — get a single knowledge base
+ *   POST /KnowledgeBase/         — create a new knowledge base (team role)
+ *   PUT  /KnowledgeBase/<id>     — update a knowledge base (team role)
+ *   DELETE /KnowledgeBase/<id>   — delete a knowledge base (team role)
+ */
+import { createKnowledgeBase, getKnowledgeBase, updateKnowledgeBase, deleteKnowledgeBase, listKnowledgeBases, } from "../core/knowledge-base.js";
+function getResourceClass() {
+    return globalThis.Resource;
+}
+export class KnowledgeBaseResource extends getResourceClass() {
+    static loadAsInstance = false;
+    /**
+     * GET /KnowledgeBase/<id> — return a single KB.
+     * GET /KnowledgeBase/ — list all KBs.
+     * PUBLIC — no auth required.
+     */
+    async get() {
+        const id = this.getId();
+        if (id) {
+            const kb = await getKnowledgeBase(String(id));
+            if (!kb) {
+                return { status: 404, data: { error: 'Knowledge base not found' } };
+            }
+            return kb;
+        }
+        return listKnowledgeBases();
+    }
+    /**
+     * POST /KnowledgeBase/ — create a new knowledge base.
+     * AUTH REQUIRED: team role only.
+     */
+    async post(_target, data) {
+        const user = this.getCurrentUser();
+        if (!user) {
+            return { status: 401, data: { error: 'Authentication required' } };
+        }
+        if (user.role !== 'team') {
+            return { status: 403, data: { error: 'Team role required' } };
+        }
+        if (!data?.id || !data?.name) {
+            return { status: 400, data: { error: 'id and name are required' } };
+        }
+        try {
+            return await createKnowledgeBase({
+                ...data,
+                createdBy: user.username || user.id || 'unknown',
+            });
+        }
+        catch (error) {
+            if (error.message.includes('already exists')) {
+                return { status: 409, data: { error: error.message } };
+            }
+            throw error;
+        }
+    }
+    /**
+     * PUT /KnowledgeBase/<id> — update a knowledge base.
+     * AUTH REQUIRED: team role only.
+     */
+    async put(_target, data) {
+        const user = this.getCurrentUser();
+        if (!user) {
+            return { status: 401, data: { error: 'Authentication required' } };
+        }
+        if (user.role !== 'team') {
+            return { status: 403, data: { error: 'Team role required' } };
+        }
+        const id = this.getId();
+        if (!id) {
+            return { status: 400, data: { error: 'Knowledge base ID required' } };
+        }
+        try {
+            return await updateKnowledgeBase(String(id), data);
+        }
+        catch (error) {
+            if (error.message.includes('not found')) {
+                return { status: 404, data: { error: error.message } };
+            }
+            throw error;
+        }
+    }
+    /**
+     * DELETE /KnowledgeBase/<id> — delete a knowledge base.
+     * AUTH REQUIRED: team role only.
+     */
+    async delete() {
+        const user = this.getCurrentUser();
+        if (!user) {
+            return { status: 401, data: { error: 'Authentication required' } };
+        }
+        if (user.role !== 'team') {
+            return { status: 403, data: { error: 'Team role required' } };
+        }
+        const id = this.getId();
+        if (!id) {
+            return { status: 400, data: { error: 'Knowledge base ID required' } };
+        }
+        try {
+            await deleteKnowledgeBase(String(id));
+            return true;
+        }
+        catch (error) {
+            if (error.message.includes('not found')) {
+                return { status: 404, data: { error: error.message } };
+            }
+            throw error;
+        }
+    }
+}
+//# sourceMappingURL=KnowledgeBaseResource.js.map

package/dist/resources/KnowledgeBaseResource.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"KnowledgeBaseResource.js","sourceRoot":"","sources":["../../src/resources/KnowledgeBaseResource.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACN,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,mBAAmB,EACnB,kBAAkB,GAClB,MAAM,2BAA2B,CAAC;AAEnC,SAAS,gBAAgB;IACxB,OAAQ,UAAkB,CAAC,QAAQ,CAAC;AACrC,CAAC;AAED,MAAM,OAAO,qBAAsB,SAAQ,gBAAgB,EAAE;IAC5D,MAAM,CAAC,cAAc,GAAG,KAAK,CAAC;IAE9B;;;;OAIG;IACH,KAAK,CAAC,GAAG;QACR,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACxB,IAAI,EAAE,EAAE,CAAC;YACR,MAAM,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;YAC9C,IAAI,CAAC,EAAE,EAAE,CAAC;gBACT,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE,EAAE,CAAC;YACrE,CAAC;YACD,OAAO,EAAE,CAAC;QACX,CAAC;QAED,OAAO,kBAAkB,EAAE,CAAC;IAC7B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CAAC,OAAY,EAAE,IAAS;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,CAAC;QACpE,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC1B,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,CAAC;QAC/D,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;YAC9B,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE,EAAE,CAAC;QACrE,CAAC;QAED,IAAI,CAAC;YACJ,OAAO,MAAM,mBAAmB,CAAC;gBAChC,GAAG,IAAI;gBACP,SAAS,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,EAAE,IAAI,SAAS;aAChD,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAK,KAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACzD,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,EAAE,CAAC;YACnE,CAAC;YACD,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,GAAG,CAAC,OAAY,EAAE,IAAS;QAChC,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,CAAC;QACpE,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC1B,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,CAAC;QAC/D,CAAC;QAED,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACxB,IAAI,CAAC,EAAE,EAAE,CAAC;YACT,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,4BAA4B,EAAE,EAAE,CAAC;QACvE,CAAC;QAED,IAAI,CAAC;YACJ,OAAO,MAAM,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAK,KAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACpD,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,EAAE,CAAC;YACnE,CAAC;YACD,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM;QACX,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,CAAC;QACpE,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC1B,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,CAAC;QAC/D,CAAC;QAED,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACxB,IAAI,CAAC,EAAE,EAAE,CAAC;YACT,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,4BAA4B,EAAE,EAAE,CAAC;QACvE,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;YACtC,OAAO,IAAI,CAAC;QACb,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAK,KAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACpD,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,EAAE,CAAC;YACnE,CAAC;YACD,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC"}

package/dist/resources/KnowledgeEntryResource.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Knowledge Entry Resource
+ *
+ * REST endpoint for knowledge base entries.
+ * GET is public; POST, PUT, DELETE require authentication.
+ * All operations require kbId query parameter for tenant scoping.
+ *
+ * Routes:
+ *   GET  /Knowledge/<id>?kbId=..      — return single entry
+ *   GET  /Knowledge/?kbId=..&query=.. — search entries
+ *   POST /Knowledge/?kbId=..          — create new entry (auth required)
+ *   PUT  /Knowledge/<id>?kbId=..      — update entry (auth required)
+ *   DELETE /Knowledge/<id>?kbId=..    — deprecate entry (team role required)
+ */
+declare const KnowledgeEntryResource_base: any;
+export declare class KnowledgeEntryResource extends KnowledgeEntryResource_base {
+    static loadAsInstance: boolean;
+    /**
+     * GET /Knowledge/<id>?kbId=.. — return a single entry by ID.
+     * GET /Knowledge/?kbId=..&query=... — search the knowledge base.
+     * PUBLIC — no auth required. kbId required.
+     */
+    get(target?: any): Promise<Omit<import("../types.ts").KnowledgeEntry, "embedding"> | Omit<import("../types.ts").KnowledgeEntry, "embedding">[] | {
+        status: number;
+        data: {
+            error: string;
+        };
+    }>;
+    /**
+     * POST /Knowledge/?kbId=.. — create a new knowledge entry.
+     * AUTH REQUIRED. AI agents have their confidence forced to "ai-generated".
+     */
+    post(target: any, data: any): Promise<import("../types.ts").KnowledgeEntry | {
+        status: number;
+        data: {
+            error: string;
+        };
+    }>;
+    /**
+     * PUT /Knowledge/<id>?kbId=.. — create or update an entry.
+     * AUTH REQUIRED. AI agents have their confidence forced to "ai-generated".
+     */
+    put(target: any, data: any): Promise<import("../types.ts").KnowledgeEntry | {
+        status: number;
+        data: {
+            error: string;
+        };
+    }>;
+    /**
+     * DELETE /Knowledge/<id>?kbId=.. — deprecate an entry (soft delete).
+     * AUTH REQUIRED: team role only.
+     */
+    delete(target?: any): Promise<true | {
+        status: number;
+        data: {
+            error: string;
+        };
+    }>;
+}
+export {};
+//# sourceMappingURL=KnowledgeEntryResource.d.ts.map

package/dist/resources/KnowledgeEntryResource.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"KnowledgeEntryResource.d.ts","sourceRoot":"","sources":["../../src/resources/KnowledgeEntryResource.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;;AAiBH,qBAAa,sBAAuB,SAAQ,2BAAkB;IAC7D,MAAM,CAAC,cAAc,UAAS;IAE9B;;;;OAIG;IACG,GAAG,CAAC,MAAM,CAAC,EAAE,GAAG;;;;;;IAuDtB;;;OAGG;IACG,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG;;;;;;IAgCjC;;;OAGG;IACG,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG;;;;;;IA0ChC;;;OAGG;IACG,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG;;;;;;CAmCzB"}

package/dist/resources/KnowledgeEntryResource.js

@@ -0,0 +1,191 @@
+/**
+ * Knowledge Entry Resource
+ *
+ * REST endpoint for knowledge base entries.
+ * GET is public; POST, PUT, DELETE require authentication.
+ * All operations require kbId query parameter for tenant scoping.
+ *
+ * Routes:
+ *   GET  /Knowledge/<id>?kbId=..      — return single entry
+ *   GET  /Knowledge/?kbId=..&query=.. — search entries
+ *   POST /Knowledge/?kbId=..          — create new entry (auth required)
+ *   PUT  /Knowledge/<id>?kbId=..      — update entry (auth required)
+ *   DELETE /Knowledge/<id>?kbId=..    — deprecate entry (team role required)
+ */
+import { createEntry, getEntry, updateEntry, deprecateEntry, stripEmbedding } from "../core/entries.js";
+import { search, listEntries } from "../core/search.js";
+function getResourceClass() {
+    return globalThis.Resource;
+}
+/**
+ * Extract kbId from query params (target).
+ */
+function extractKbId(target) {
+    return target?.get?.('kbId') || target?.kbId || null;
+}
+export class KnowledgeEntryResource extends getResourceClass() {
+    static loadAsInstance = false;
+    /**
+     * GET /Knowledge/<id>?kbId=.. — return a single entry by ID.
+     * GET /Knowledge/?kbId=..&query=... — search the knowledge base.
+     * PUBLIC — no auth required. kbId required.
+     */
+    async get(target) {
+        const kbId = extractKbId(target);
+        if (!kbId) {
+            return { status: 400, data: { error: 'kbId query parameter is required' } };
+        }
+        const id = this.getId();
+        if (id) {
+            const entry = await getEntry(String(id));
+            if (!entry || entry.kbId !== kbId) {
+                return { status: 404, data: { error: 'Entry not found' } };
+            }
+            return stripEmbedding(entry);
+        }
+        // Search mode: extract query params from target
+        const query = target?.get?.('query') || target?.query;
+        const tagsParam = target?.get?.('tags') || target?.tags;
+        const limitParam = target?.get?.('limit') || target?.limit;
+        const tags = tagsParam ? String(tagsParam).split(',') : undefined;
+        const limit = limitParam ? parseInt(String(limitParam), 10) : undefined;
+        // Browse mode: query=* or no query — list entries without scoring
+        if (!query || String(query) === '*') {
+            return listEntries(kbId, tags, limit);
+        }
+        const contextParam = target?.get?.('context') || target?.context;
+        const modeParam = target?.get?.('mode') || target?.mode;
+        let context;
+        if (contextParam) {
+            try {
+                context = typeof contextParam === 'string' ? JSON.parse(contextParam) : contextParam;
+            }
+            catch {
+                return {
+                    status: 400,
+                    data: { error: 'Invalid context parameter: must be valid JSON' },
+                };
+            }
+        }
+        const params = {
+            kbId,
+            query: String(query),
+            tags,
+            limit,
+            context,
+            mode: modeParam,
+        };
+        const results = await search(params);
+        return results.map(stripEmbedding);
+    }
+    /**
+     * POST /Knowledge/?kbId=.. — create a new knowledge entry.
+     * AUTH REQUIRED. AI agents have their confidence forced to "ai-generated".
+     */
+    async post(target, data) {
+        const user = this.getCurrentUser();
+        if (!user) {
+            return { status: 401, data: { error: 'Authentication required' } };
+        }
+        const kbId = extractKbId(target) || data?.kbId;
+        if (!kbId) {
+            return { status: 400, data: { error: 'kbId is required' } };
+        }
+        if (!data?.title || !data?.content) {
+            return { status: 400, data: { error: 'title and content are required' } };
+        }
+        if (data.title.length > 500 || data.content.length > 100_000) {
+            return {
+                status: 400,
+                data: { error: 'Title max 500 chars, content max 100,000 chars' },
+            };
+        }
+        // Force ai-generated confidence for ai-agent role
+        if (user.role === 'ai-agent') {
+            data.confidence = 'ai-generated';
+        }
+        if (!data.addedBy) {
+            data.addedBy = user.username || user.id || 'unknown';
+        }
+        return createEntry({ ...data, kbId });
+    }
+    /**
+     * PUT /Knowledge/<id>?kbId=.. — create or update an entry.
+     * AUTH REQUIRED. AI agents have their confidence forced to "ai-generated".
+     */
+    async put(target, data) {
+        const user = this.getCurrentUser();
+        if (!user) {
+            return { status: 401, data: { error: 'Authentication required' } };
+        }
+        const id = this.getId();
+        if (!id) {
+            return { status: 400, data: { error: 'Entry ID required' } };
+        }
+        const kbId = extractKbId(target) || data?.kbId;
+        if (!kbId) {
+            return { status: 400, data: { error: 'kbId is required' } };
+        }
+        if (user.role === 'ai-agent') {
+            data.confidence = 'ai-generated';
+        }
+        if (!data.addedBy) {
+            data.addedBy = user.username || user.id || 'unknown';
+        }
+        // Upsert: try update first, create if not found
+        try {
+            const existing = await getEntry(String(id));
+            if (existing && existing.kbId !== kbId) {
+                return { status: 404, data: { error: 'Entry not found' } };
+            }
+            return await updateEntry(String(id), data);
+        }
+        catch (error) {
+            if (error.message.includes('not found')) {
+                // Entry doesn't exist — create if full data provided, otherwise 404
+                if (!data.title || !data.content) {
+                    return { status: 404, data: { error: 'Entry not found' } };
+                }
+                return createEntry({ ...data, id: String(id), kbId });
+            }
+            throw error;
+        }
+    }
+    /**
+     * DELETE /Knowledge/<id>?kbId=.. — deprecate an entry (soft delete).
+     * AUTH REQUIRED: team role only.
+     */
+    async delete(target) {
+        const user = this.getCurrentUser();
+        if (!user) {
+            return { status: 401, data: { error: 'Authentication required' } };
+        }
+        if (user.role !== 'team') {
+            return { status: 403, data: { error: 'Team role required' } };
+        }
+        const id = this.getId();
+        if (!id) {
+            return { status: 400, data: { error: 'Entry ID required' } };
+        }
+        const kbId = extractKbId(target);
+        if (!kbId) {
+            return { status: 400, data: { error: 'kbId query parameter is required' } };
+        }
+        // Verify entry belongs to this KB
+        const existing = await getEntry(String(id));
+        if (!existing || existing.kbId !== kbId) {
+            return { status: 404, data: { error: 'Entry not found' } };
+        }
+        try {
+            await deprecateEntry(String(id));
+            return true;
+        }
+        catch (error) {
+            if (error.message.includes('not found')) {
+                return { status: 404, data: { error: error.message } };
+            }
+            throw error;
+        }
+    }
+}
+//# sourceMappingURL=KnowledgeEntryResource.js.map