hippo-memory 0.34.0 → 0.35.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +8 -0
- package/dist/audit.d.ts +26 -0
- package/dist/audit.d.ts.map +1 -1
- package/dist/audit.js +45 -0
- package/dist/audit.js.map +1 -1
- package/dist/auth.d.ts +28 -0
- package/dist/auth.d.ts.map +1 -0
- package/dist/auth.js +65 -0
- package/dist/auth.js.map +1 -0
- package/dist/cli.js +342 -10
- package/dist/cli.js.map +1 -1
- package/dist/dashboard.d.ts.map +1 -1
- package/dist/dashboard.js +5 -1
- package/dist/dashboard.js.map +1 -1
- package/dist/db.d.ts.map +1 -1
- package/dist/db.js +60 -1
- package/dist/db.js.map +1 -1
- package/dist/mcp/server.js +9 -5
- package/dist/mcp/server.js.map +1 -1
- package/dist/memory.d.ts +2 -0
- package/dist/memory.d.ts.map +1 -1
- package/dist/memory.js +1 -0
- package/dist/memory.js.map +1 -1
- package/dist/raw-archive.d.ts.map +1 -1
- package/dist/raw-archive.js +19 -0
- package/dist/raw-archive.js.map +1 -1
- package/dist/shared.d.ts +2 -0
- package/dist/shared.d.ts.map +1 -1
- package/dist/shared.js +6 -6
- package/dist/shared.js.map +1 -1
- package/dist/sso.d.ts +13 -0
- package/dist/sso.d.ts.map +1 -0
- package/dist/sso.js +22 -0
- package/dist/sso.js.map +1 -0
- package/dist/store.d.ts +14 -3
- package/dist/store.d.ts.map +1 -1
- package/dist/store.js +83 -18
- package/dist/store.js.map +1 -1
- package/dist/tenant.d.ts +7 -0
- package/dist/tenant.d.ts.map +1 -0
- package/dist/tenant.js +17 -0
- package/dist/tenant.js.map +1 -0
- package/extensions/openclaw-plugin/openclaw.plugin.json +1 -1
- package/extensions/openclaw-plugin/package.json +1 -1
- package/openclaw.plugin.json +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -60,6 +60,14 @@ hippo recall "data pipeline issues" --budget 2000
|
|
|
60
60
|
|
|
61
61
|
---
|
|
62
62
|
|
|
63
|
+
### What's new in v0.35.0
|
|
64
|
+
|
|
65
|
+
- **Stub auth landed.** API keys + audit log + per-tenant data isolation. `hippo auth create` mints a scrypt-hashed key shown plaintext exactly once. `hippo audit list` exposes the mutation trail.
|
|
66
|
+
- **Cross-tenant safety.** Set `HIPPO_TENANT=acme` (or pass an API key) and recall, explain, context, MCP, and dashboard all filter by that tenant. Tenant A cannot see tenant B's memories, proven by negative test.
|
|
67
|
+
- **Audit trail.** Every mutation writes to `audit_log`: remember, recall, promote, supersede, forget, archive, auth_revoke. Query with `hippo audit list --op recall --since 2026-04-01 --json`.
|
|
68
|
+
- **Schema v16.** `tenant_id` columns added to memories and four other tables, default 'default'. Existing data is unaffected.
|
|
69
|
+
- **SSO/SCIM stubs.** Hook points exist (throw `NotImplementedError`); full multi-tenant + OAuth deferred to v2.
|
|
70
|
+
|
|
63
71
|
### What's new in v0.34.0
|
|
64
72
|
|
|
65
73
|
- **Provenance envelope on every memory.** `kind` (raw / distilled / superseded), `scope`, `owner`, `artifact_ref` columns now ride alongside content. `hippo recall --why` shows them; `hippo remember --kind --scope --owner --artifact-ref` sets them. Foundation for ingestion connectors and right-to-be-forgotten.
|
package/dist/audit.d.ts
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import type { MemoryEntry } from './memory.js';
|
|
2
|
+
import type { DatabaseSyncLike } from './db.js';
|
|
2
3
|
export type AuditSeverity = 'warning' | 'error';
|
|
3
4
|
export interface AuditIssue {
|
|
4
5
|
memoryId: string;
|
|
@@ -14,4 +15,29 @@ export interface AuditResult {
|
|
|
14
15
|
export declare function auditMemory(entry: MemoryEntry): AuditIssue | null;
|
|
15
16
|
export declare function auditMemories(entries: MemoryEntry[]): AuditResult;
|
|
16
17
|
export declare function isContentWorthStoring(content: string): boolean;
|
|
18
|
+
export type AuditOp = 'remember' | 'recall' | 'promote' | 'supersede' | 'forget' | 'archive_raw' | 'auth_revoke';
|
|
19
|
+
export interface AppendAuditOpts {
|
|
20
|
+
tenantId: string;
|
|
21
|
+
actor: string;
|
|
22
|
+
op: AuditOp;
|
|
23
|
+
targetId?: string;
|
|
24
|
+
metadata?: Record<string, unknown>;
|
|
25
|
+
}
|
|
26
|
+
export declare function appendAuditEvent(db: DatabaseSyncLike, opts: AppendAuditOpts): void;
|
|
27
|
+
export interface QueryAuditOpts {
|
|
28
|
+
tenantId: string;
|
|
29
|
+
op?: AuditOp;
|
|
30
|
+
since?: string;
|
|
31
|
+
limit?: number;
|
|
32
|
+
}
|
|
33
|
+
export interface AuditEvent {
|
|
34
|
+
id: number;
|
|
35
|
+
ts: string;
|
|
36
|
+
tenantId: string;
|
|
37
|
+
actor: string;
|
|
38
|
+
op: AuditOp;
|
|
39
|
+
targetId: string | null;
|
|
40
|
+
metadata: Record<string, unknown>;
|
|
41
|
+
}
|
|
42
|
+
export declare function queryAuditEvents(db: DatabaseSyncLike, opts: QueryAuditOpts): AuditEvent[];
|
|
17
43
|
//# sourceMappingURL=audit.d.ts.map
|
package/dist/audit.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAEhD,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,OAAO,CAAC;AAEhD,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,aAAa,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;CACf;AAuDD,wBAAgB,WAAW,CAAC,KAAK,EAAE,WAAW,GAAG,UAAU,GAAG,IAAI,CA6BjE;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,WAAW,CAWjE;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAQ9D;AAMD,MAAM,MAAM,OAAO,GACf,UAAU,GACV,QAAQ,GACR,SAAS,GACT,WAAW,GACX,QAAQ,GACR,aAAa,GACb,aAAa,CAAC;AAElB,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAUD,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,eAAe,GAAG,IAAI,CAWlF;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,cAAc,GAAG,UAAU,EAAE,CAmCzF"}
|
package/dist/audit.js
CHANGED
|
@@ -104,4 +104,49 @@ export function isContentWorthStoring(content) {
|
|
|
104
104
|
return false;
|
|
105
105
|
return true;
|
|
106
106
|
}
|
|
107
|
+
// node:sqlite returns INTEGER columns as bigint when the value exceeds
|
|
108
|
+
// Number.MAX_SAFE_INTEGER. Audit metadata can carry such values (row ids,
|
|
109
|
+
// counts), and JSON.stringify cannot serialize bigint without a replacer.
|
|
110
|
+
// Mirrors the bigintSafeReplacer in src/raw-archive.ts.
|
|
111
|
+
function bigintSafeReplacer(_key, value) {
|
|
112
|
+
return typeof value === 'bigint' ? value.toString() : value;
|
|
113
|
+
}
|
|
114
|
+
export function appendAuditEvent(db, opts) {
|
|
115
|
+
db.prepare(`INSERT INTO audit_log (ts, tenant_id, actor, op, target_id, metadata_json) VALUES (?, ?, ?, ?, ?, ?)`).run(new Date().toISOString(), opts.tenantId, opts.actor, opts.op, opts.targetId ?? null, JSON.stringify(opts.metadata ?? {}, bigintSafeReplacer));
|
|
116
|
+
}
|
|
117
|
+
export function queryAuditEvents(db, opts) {
|
|
118
|
+
const where = ['tenant_id = ?'];
|
|
119
|
+
const params = [opts.tenantId];
|
|
120
|
+
if (opts.op) {
|
|
121
|
+
where.push('op = ?');
|
|
122
|
+
params.push(opts.op);
|
|
123
|
+
}
|
|
124
|
+
if (opts.since) {
|
|
125
|
+
where.push('ts >= ?');
|
|
126
|
+
params.push(opts.since);
|
|
127
|
+
}
|
|
128
|
+
const limit = Math.max(1, Math.min(opts.limit ?? 100, 10000));
|
|
129
|
+
const rows = db
|
|
130
|
+
.prepare(`SELECT id, ts, tenant_id, actor, op, target_id, metadata_json
|
|
131
|
+
FROM audit_log WHERE ${where.join(' AND ')} ORDER BY ts DESC, id DESC LIMIT ?`)
|
|
132
|
+
.all(...params, limit);
|
|
133
|
+
return rows.map((r) => ({
|
|
134
|
+
id: r.id,
|
|
135
|
+
ts: r.ts,
|
|
136
|
+
tenantId: r.tenant_id,
|
|
137
|
+
actor: r.actor,
|
|
138
|
+
op: r.op,
|
|
139
|
+
targetId: r.target_id,
|
|
140
|
+
metadata: safeJsonParse(r.metadata_json),
|
|
141
|
+
}));
|
|
142
|
+
}
|
|
143
|
+
function safeJsonParse(raw) {
|
|
144
|
+
try {
|
|
145
|
+
const v = JSON.parse(raw);
|
|
146
|
+
return typeof v === 'object' && v !== null ? v : {};
|
|
147
|
+
}
|
|
148
|
+
catch {
|
|
149
|
+
return {};
|
|
150
|
+
}
|
|
151
|
+
}
|
|
107
152
|
//# sourceMappingURL=audit.js.map
|
package/dist/audit.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAkBA,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO;IACnE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI;IAC/D,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;IACjE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ;IACvE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK;IACrE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM;IACtE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK;CACpE,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,gBAAgB,CAAC;AAEpC,SAAS,oBAAoB,CAAC,IAAY;IACxC,OAAO,IAAI;SACR,WAAW,EAAE;SACb,KAAK,CAAC,KAAK,CAAC;SACZ,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;SAC/C,MAAM,CAAC;AACZ,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IACtB,kCAAkC;IAClC,IAAI,oDAAoD,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9E,mCAAmC;IACnC,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,gDAAgD;IAChD,IAAI,8DAA8D,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACxF,gBAAgB;IAChB,IAAI,yCAAyC,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACnE,gBAAgB;IAChB,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IAClE,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,aAAa,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1C,IAAI,SAAS,IAAI,aAAa,IAAI,OAAO,IAAI,OAAO;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAkB;IAC5C,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IAErC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;IAC7F,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACxB,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IAC9F,CAAC;IAED,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,2CAA2C,EAAE,CAAC;IACjH,CAAC;IAED,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IAC3G,CAAC;IAED,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAClD,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;QACpB,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,WAAW,kCAAkC,EAAE,CAAC;IAC7H,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,IAAI,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,mDAAmD,EAAE,CAAC;IAC3H,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAsB;IAClD,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,KAAK;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;IACD,OAAO;QACL,KAAK,EAAE,OAAO,CAAC,MAAM;QACrB,MAAM;QACN,KAAK,EAAE,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM;KACtC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,aAAa,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,oBAAoB,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACpD,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,IAAI,gBAAgB,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC;AAuBD,uEAAuE;AACvE,0EAA0E;AAC1E,0EAA0E;AAC1E,wDAAwD;AACxD,SAAS,kBAAkB,CAAC,IAAY,EAAE,KAAc;IACtD,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,EAAoB,EAAE,IAAqB;IAC1E,EAAE,CAAC,OAAO,CACR,sGAAsG,CACvG,CAAC,GAAG,CACH,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EACxB,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,EAAE,EACP,IAAI,CAAC,QAAQ,IAAI,IAAI,EACrB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,EAAE,kBAAkB,CAAC,CACxD,CAAC;AACJ,CAAC;AAmBD,MAAM,UAAU,gBAAgB,CAAC,EAAoB,EAAE,IAAoB;IACzE,MAAM,KAAK,GAAa,CAAC,eAAe,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvB,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACtB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CACN;8BACwB,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,oCAAoC,CAChF;SACA,GAAG,CAAC,GAAG,MAAM,EAAE,KAAK,CAQrB,CAAC;IACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtB,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,QAAQ,EAAE,CAAC,CAAC,SAAS;QACrB,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,EAAE,EAAE,CAAC,CAAC,EAAa;QACnB,QAAQ,EAAE,CAAC,CAAC,SAAS;QACrB,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC;KACzC,CAAC,CAAC,CAAC;AACN,CAAC;AAED,SAAS,aAAa,CAAC,GAAW;IAChC,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,CAAE,CAA6B,CAAC,CAAC,CAAC,EAAE,CAAC;IACnF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}
|
package/dist/auth.d.ts
ADDED
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import type { DatabaseSyncLike } from './db.js';
|
|
2
|
+
export interface CreateApiKeyOpts {
|
|
3
|
+
tenantId: string;
|
|
4
|
+
label?: string;
|
|
5
|
+
}
|
|
6
|
+
export interface CreateApiKeyResult {
|
|
7
|
+
keyId: string;
|
|
8
|
+
plaintext: string;
|
|
9
|
+
}
|
|
10
|
+
export declare function createApiKey(db: DatabaseSyncLike, opts: CreateApiKeyOpts): CreateApiKeyResult;
|
|
11
|
+
export interface ValidateResult {
|
|
12
|
+
valid: boolean;
|
|
13
|
+
tenantId?: string;
|
|
14
|
+
keyId?: string;
|
|
15
|
+
}
|
|
16
|
+
export declare function validateApiKey(db: DatabaseSyncLike, plaintext: string): ValidateResult;
|
|
17
|
+
export declare function revokeApiKey(db: DatabaseSyncLike, keyId: string): void;
|
|
18
|
+
export interface ApiKeyListItem {
|
|
19
|
+
keyId: string;
|
|
20
|
+
tenantId: string;
|
|
21
|
+
label: string | null;
|
|
22
|
+
createdAt: string;
|
|
23
|
+
revokedAt: string | null;
|
|
24
|
+
}
|
|
25
|
+
export declare function listApiKeys(db: DatabaseSyncLike, opts: {
|
|
26
|
+
active: boolean;
|
|
27
|
+
}): ApiKeyListItem[];
|
|
28
|
+
//# sourceMappingURL=auth.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAgChD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,YAAY,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,gBAAgB,GAAG,kBAAkB,CAS7F;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAgB,cAAc,CAAC,EAAE,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,GAAG,cAAc,CAUtF;AAED,wBAAgB,YAAY,CAAC,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAGtE;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,wBAAgB,WAAW,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE;IAAE,MAAM,EAAE,OAAO,CAAA;CAAE,GAAG,cAAc,EAAE,CAW7F"}
|
package/dist/auth.js
ADDED
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
|
|
2
|
+
const KEY_PREFIX = 'hk_';
|
|
3
|
+
const ID_LEN = 24; // base32 chars after prefix
|
|
4
|
+
const SECRET_LEN = 32; // base32 chars after dot
|
|
5
|
+
const SCRYPT_KEYLEN = 32;
|
|
6
|
+
const BASE32 = 'abcdefghijklmnopqrstuvwxyz234567';
|
|
7
|
+
function randBase32(n) {
|
|
8
|
+
const bytes = randomBytes(n);
|
|
9
|
+
let out = '';
|
|
10
|
+
for (let i = 0; i < n; i++)
|
|
11
|
+
out += BASE32[bytes[i] % 32];
|
|
12
|
+
return out;
|
|
13
|
+
}
|
|
14
|
+
function hashKey(plaintext) {
|
|
15
|
+
// Format: scrypt$<saltHex>$<hashHex>
|
|
16
|
+
const salt = randomBytes(16);
|
|
17
|
+
const hash = scryptSync(plaintext, salt, SCRYPT_KEYLEN);
|
|
18
|
+
return `scrypt$${salt.toString('hex')}$${hash.toString('hex')}`;
|
|
19
|
+
}
|
|
20
|
+
function verifyKey(plaintext, stored) {
|
|
21
|
+
const parts = stored.split('$');
|
|
22
|
+
if (parts.length !== 3 || parts[0] !== 'scrypt')
|
|
23
|
+
return false;
|
|
24
|
+
const salt = Buffer.from(parts[1], 'hex');
|
|
25
|
+
const expected = Buffer.from(parts[2], 'hex');
|
|
26
|
+
const actual = scryptSync(plaintext, salt, expected.length);
|
|
27
|
+
return expected.length === actual.length && timingSafeEqual(expected, actual);
|
|
28
|
+
}
|
|
29
|
+
export function createApiKey(db, opts) {
|
|
30
|
+
const keyId = `${KEY_PREFIX}${randBase32(ID_LEN)}`;
|
|
31
|
+
const secret = randBase32(SECRET_LEN);
|
|
32
|
+
const plaintext = `${keyId}.${secret}`;
|
|
33
|
+
const hash = hashKey(plaintext);
|
|
34
|
+
db.prepare(`INSERT INTO api_keys (key_id, key_hash, tenant_id, label, created_at) VALUES (?, ?, ?, ?, ?)`).run(keyId, hash, opts.tenantId, opts.label ?? null, new Date().toISOString());
|
|
35
|
+
return { keyId, plaintext };
|
|
36
|
+
}
|
|
37
|
+
export function validateApiKey(db, plaintext) {
|
|
38
|
+
const dot = plaintext.indexOf('.');
|
|
39
|
+
if (dot < 0)
|
|
40
|
+
return { valid: false };
|
|
41
|
+
const keyId = plaintext.slice(0, dot);
|
|
42
|
+
const row = db
|
|
43
|
+
.prepare(`SELECT key_hash, tenant_id, revoked_at FROM api_keys WHERE key_id = ?`)
|
|
44
|
+
.get(keyId);
|
|
45
|
+
if (!row || row.revoked_at)
|
|
46
|
+
return { valid: false };
|
|
47
|
+
if (!verifyKey(plaintext, row.key_hash))
|
|
48
|
+
return { valid: false };
|
|
49
|
+
return { valid: true, tenantId: row.tenant_id, keyId };
|
|
50
|
+
}
|
|
51
|
+
export function revokeApiKey(db, keyId) {
|
|
52
|
+
db.prepare(`UPDATE api_keys SET revoked_at = ? WHERE key_id = ? AND revoked_at IS NULL`)
|
|
53
|
+
.run(new Date().toISOString(), keyId);
|
|
54
|
+
}
|
|
55
|
+
export function listApiKeys(db, opts) {
|
|
56
|
+
const sql = opts.active
|
|
57
|
+
? `SELECT key_id, tenant_id, label, created_at, revoked_at FROM api_keys WHERE revoked_at IS NULL ORDER BY id DESC`
|
|
58
|
+
: `SELECT key_id, tenant_id, label, created_at, revoked_at FROM api_keys ORDER BY id DESC`;
|
|
59
|
+
const rows = db.prepare(sql).all();
|
|
60
|
+
return rows.map(r => ({
|
|
61
|
+
keyId: r.key_id, tenantId: r.tenant_id, label: r.label,
|
|
62
|
+
createdAt: r.created_at, revokedAt: r.revoked_at,
|
|
63
|
+
}));
|
|
64
|
+
}
|
|
65
|
+
//# sourceMappingURL=auth.js.map
|
package/dist/auth.js.map
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGvE,MAAM,UAAU,GAAG,KAAK,CAAC;AACzB,MAAM,MAAM,GAAG,EAAE,CAAC,CAAO,4BAA4B;AACrD,MAAM,UAAU,GAAG,EAAE,CAAC,CAAG,yBAAyB;AAClD,MAAM,aAAa,GAAG,EAAE,CAAC;AAEzB,MAAM,MAAM,GAAG,kCAAkC,CAAC;AAElD,SAAS,UAAU,CAAC,CAAS;IAC3B,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAE,GAAG,EAAE,CAAC,CAAC;IAC1D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,OAAO,CAAC,SAAiB;IAChC,qCAAqC;IACrC,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;IACxD,OAAO,UAAU,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,SAAS,CAAC,SAAiB,EAAE,MAAc;IAClD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9D,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,KAAK,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC5D,OAAO,QAAQ,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;AAChF,CAAC;AAYD,MAAM,UAAU,YAAY,CAAC,EAAoB,EAAE,IAAsB;IACvE,MAAM,KAAK,GAAG,GAAG,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;IACnD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,GAAG,KAAK,IAAI,MAAM,EAAE,CAAC;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,EAAE,CAAC,OAAO,CACR,8FAA8F,CAC/F,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IAChF,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC9B,CAAC;AAQD,MAAM,UAAU,cAAc,CAAC,EAAoB,EAAE,SAAiB;IACpE,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CAAC,uEAAuE,CAAC;SAChF,GAAG,CAAC,KAAK,CAAmF,CAAC;IAChG,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACpD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,CAAC,QAAQ,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACjE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,EAAoB,EAAE,KAAa;IAC9D,EAAE,CAAC,OAAO,CAAC,4EAA4E,CAAC;SACrF,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC;AAC1C,CAAC;AAUD,MAAM,UAAU,WAAW,CAAC,EAAoB,EAAE,IAAyB;IACzE,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM;QACrB,CAAC,CAAC,iHAAiH;QACnH,CAAC,CAAC,wFAAwF,CAAC;IAC7F,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAE9B,CAAC;IACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACpB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK;QACtD,SAAS,EAAE,CAAC,CAAC,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC,UAAU;KACjD,CAAC,CAAC,CAAC;AACN,CAAC"}
|