iranti 0.3.32 → 0.3.33

package/README.md

@@ -87,15 +87,17 @@ Iranti is built around four internal Staff components that run alongside the hos
 The Attendant runs in three phases — `pre-response`, `mid-turn`, and `post-response` — and returns a structured result each time. Beyond raw fact injection, every `attend` response carries:
 
 - **`toolCallGuidance`** — when the host passes a pending tool call (`Read`, `Grep`, `Glob`, `Bash`, `WebSearch`, `WebFetch`), the Attendant derives entity hints from the tool args and emits a `shouldSkip` verdict when stored facts already cover the target. Hosts can gate tool execution on the verdict instead of string-matching notes.
-- **`drift`** — detects when the latest message has diverged from the declared task topic. Emits the driving tokens so the host can surface a confirmation prompt.
+- **`drift`** — detects when the latest message has diverged from the declared task topic. Emits the driving tokens so the host can surface a confirmation prompt. Suppressed when `checkpoint.currentStep` starts with `COMPLETE` — so a finished task does not produce spurious drift alarms as the conversation winds down.
 - **`sessionObjective`** — derived from the task description or checkpoint continuation, threaded through every attend call as a stable anchor.
 - **`autoCheckpointSignal`** — fires when pressure has built up (drift, turns-without-write, tool-cost threshold) so the host can checkpoint before the next risky step.
 - **`refinementPass`** — when the first retrieval pass comes back empty, the Attendant runs a bounded widened-hint retry (max 1 extra observe call) and reports the outcome.
 - **`subTurnLoopPlan`** — on `mid-turn` attends, when the host passes a `partialResponse` of the Attendant's own in-progress assistant output, the Attendant re-scores the partial against memory, harvests novel tokens and entity hints from the text, and fires one bounded extra observe call with the widened hints unioned onto the original ones. Net-new facts are deduped against the pre-retry baseline so repeat hits are dropped. Gated by phase, partial length, a once-per-turn budget, and a novelty check on the tokens. This is `refinementPass` re-applied on response progress rather than empty initial retrieval — the "most agentic" sub-turn loop from the M-series memo.
 - **`attendantToolPlan`** — up to three planned follow-up tool calls (search_related, observe_entity, query) derived from brief entities, drift tokens, or the session objective. Deterministic and surfaced, never executed.
 - **`councilConsultationPlan`** — proposes which peer Staff members the Attendant would consult for this turn (e.g. Librarian for source-reliability on a clear topic, Archivist when the injection surface has multiple low-confidence facts). Proposal only.
+- **`usageGuidance`** — carries the MANDATORY protocol reminder block. Gated on compliance health: when all counters (`turnsWithoutWrite`, `consecutiveUnusedMemoryInjections`, etc.) are zero the reminder is suppressed so well-behaved agents do not pay the injection cost every turn.
 - **`writeNudge`** — reminds the host to write a fact after substantial activity without a durable write.
 - **`toolResultExtraction`** — on mid-turn/post-response, the Attendant extracts candidate facts from the tool result so the host can autowrite them.
+- **`responseFileCapture`** — on `post-response`, the Attendant scans the assistant's reply for file paths, infers the action (`edited`/`created`/`read`) from the ±150-character context window around each match, and auto-writes `project/{id}/file/{basename}` facts so file-scoped memory is populated without host involvement. Result carries `autowriteBatchId`, `filesDetected`, `factsWritten`, `entities`, `skipped`, and `durationMs`. Only present on post-response attend calls.
 
 ### Archivist reasoning budget
 

package/dist/scripts/api-key-create.js

@@ -1,5 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * CLI utility to create or rotate an iranti API key.
+ *
+ * Args: --key-id <id>, --owner <owner>, --scopes <csv>, --description <text>.
+ * Run: `npm run api-key:create -- --key-id <id> --owner <owner>`.
+ * Requires DATABASE_URL.
+ */
 require("dotenv/config");
 const client_1 = require("../src/library/client");
 const apiKeys_1 = require("../src/security/apiKeys");

package/dist/scripts/api-key-list.js

@@ -1,5 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * CLI utility to list all registered iranti API keys.
+ *
+ * Prints keyId, owner, active status, scopes, and createdAt for each key.
+ * Run: `npm run api-key:list`. Requires DATABASE_URL.
+ */
 require("dotenv/config");
 const client_1 = require("../src/library/client");
 const apiKeys_1 = require("../src/security/apiKeys");

package/dist/scripts/api-key-revoke.js

@@ -1,5 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * CLI utility to revoke an iranti API key by keyId.
+ *
+ * Args: --key-id <id> (alias: -k). Exits non-zero if the key is not found.
+ * Run: `npm run api-key:revoke -- --key-id <id>`. Requires DATABASE_URL.
+ */
 require("dotenv/config");
 const client_1 = require("../src/library/client");
 const apiKeys_1 = require("../src/security/apiKeys");

package/dist/scripts/claude-code-memory-hook.js

@@ -4,6 +4,16 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildHookAdditionalContext = buildHookAdditionalContext;
+/**
+ * Claude Code session lifecycle hook for iranti auto-memory.
+ *
+ * Called by the Claude Code harness on SessionStart, UserPromptSubmit,
+ * Stop, and PreCompact events via settings.json hooks configuration.
+ * Reads the event JSON from stdin, injects memory into context, and
+ * persists durable facts extracted from assistant responses.
+ *
+ * Requires DATABASE_URL or IRANTI_PROJECT_ENV / IRANTI_INSTANCE_ENV binding.
+ */
 require("dotenv/config");
 const path_1 = __importDefault(require("path"));
 const createFirstPartyIranti_1 = require("../src/lib/createFirstPartyIranti");

package/dist/scripts/codex-setup.js

@@ -3,6 +3,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Configures a project directory for Codex (OpenAI agent) integration with iranti.
+ *
+ * Writes AGENTS.md, .vscode/mcp.json, and hooks configuration so the Codex CLI
+ * automatically connects to this project's iranti instance.
+ * Run: `iranti codex-setup [project-dir]`.
+ */
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const commandInvocation_1 = require("../src/lib/commandInvocation");

package/dist/scripts/iranti-cli.js

@@ -4,6 +4,26 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Main CLI entry point for the iranti binary.
+ *
+ * Provides commands: install, setup, configure, auth, doctor, run, attend,
+ * handshake, resolve, integrate, project-init, instance, status, upgrade,
+ * uninstall, issues, list-rules, delete-rule, and more.
+ *
+ * Run via `npx iranti <command>` or `iranti <command>` after global install.
+ * Requires DATABASE_URL or a project/instance binding for most commands.
+ */
+/**
+ * Main CLI entry point for the iranti binary.
+ *
+ * Provides commands: install, setup, configure, auth, doctor, run, attend,
+ * handshake, resolve, integrate, project-init, instance, status, upgrade,
+ * uninstall, issues, list-rules, delete-rule, and more.
+ *
+ * Run via `npx iranti <command>` or `iranti <command>` after global install.
+ * Requires DATABASE_URL or a project/instance binding for most commands.
+ */
 const fs_1 = __importDefault(require("fs"));
 const promises_1 = __importDefault(require("fs/promises"));
 const os_1 = __importDefault(require("os"));

package/dist/scripts/iranti-mcp.js

@@ -36,6 +36,16 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * MCP (Model Context Protocol) server for iranti.
+ *
+ * Exposes iranti tools (iranti_handshake, iranti_attend, iranti_write, etc.)
+ * over stdio transport. Loaded by Claude Code, Codex, Copilot, and other
+ * MCP-aware agents via their MCP server configuration.
+ *
+ * Env: DATABASE_URL required. Optional: IRANTI_MCP_DEFAULT_AGENT,
+ * IRANTI_PROJECT_ENV, IRANTI_INSTANCE_ENV, IRANTI_MCP_AGENT_NAME.
+ */
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
@@ -450,7 +460,7 @@ async function main() {
     }
     const server = new mcp_js_1.McpServer({
         name: 'iranti-mcp',
-        version: '0.3.22',
+        version: '0.3.33',
     });
     server.registerTool('iranti_handshake', {
         description: `Initialize or refresh an agent's working-memory brief for the current task.

package/dist/scripts/seed-codebase.js

@@ -1,5 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Seeds iranti with static codebase metadata facts (packages, database schema,
+ * architecture overview) to pre-populate a fresh instance with project context.
+ *
+ * Requires DATABASE_URL.
+ */
 require("dotenv/config");
 const sdk_1 = require("../src/sdk");
 async function seedCodebase() {

package/dist/scripts/seed.js

@@ -1,5 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Seeds initial operating rules for librarian, attendant, and archivist
+ * staff roles into the iranti knowledge base.
+ *
+ * Safe to re-run -- the Librarian pipeline deduplicates on (entityType, entityId, key).
+ * Must be run after setup.ts on a fresh database. Requires DATABASE_URL.
+ */
 require("dotenv/config");
 const client_1 = require("../src/library/client");
 const queries_1 = require("../src/library/queries");

package/dist/scripts/setup.js

@@ -3,6 +3,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Database setup and migration runner for iranti.
+ *
+ * Creates the Prisma DB schema, runs pending migrations, seeds initial
+ * operating-rule data, and ensures escalation folders exist on disk.
+ *
+ * Run: `npm run setup` or `iranti setup`. Requires DATABASE_URL.
+ */
 require("dotenv/config");
 const child_process_1 = require("child_process");
 const fs_1 = __importDefault(require("fs"));

package/dist/src/api/archivistScheduler.d.ts

@@ -1,3 +1,21 @@
+/**
+ * Archivist scheduler — drives periodic and file-watch-triggered maintenance.
+ *
+ * Wraps `iranti.runMaintenance()` in two trigger modes, both optional and
+ * independently enabled via env vars:
+ *  - **Interval** (`IRANTI_ARCHIVIST_INTERVAL_MS`) — runs maintenance on a
+ *    fixed timer. Set to 0 or omit to disable.
+ *  - **Escalation watch** (`IRANTI_ARCHIVIST_WATCH`, default true) — uses
+ *    `fs.watch` on the active escalation folder; fires a debounced maintenance
+ *    run whenever a `.md` file changes (debounce: `IRANTI_ARCHIVIST_DEBOUNCE_MS`,
+ *    default 60 s). Prevents redundant runs when multiple files are written rapidly.
+ *
+ * Maintenance runs are serialised — a `running` flag drops overlapping triggers
+ * into a single `pendingRun` that fires immediately after the current run ends.
+ *
+ * Returns a `SchedulerHandle` with `{ started, stop() }` so the server can
+ * cleanly shut down timers and the file watcher on exit.
+ */
 import { Iranti } from '../sdk';
 type SchedulerHandle = {
     stop: () => void;

package/dist/src/api/archivistScheduler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"archivistScheduler.d.ts","sourceRoot":"","sources":["../../../src/api/archivistScheduler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAGhC,KAAK,eAAe,GAAG;IACnB,IAAI,EAAE,MAAM,IAAI,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CACpB,CAAC;AAgBF,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CA4EtF"}
+{"version":3,"file":"archivistScheduler.d.ts","sourceRoot":"","sources":["../../../src/api/archivistScheduler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAGhC,KAAK,eAAe,GAAG;IACnB,IAAI,EAAE,MAAM,IAAI,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CACpB,CAAC;AAgBF,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CA4EtF"}

package/dist/src/api/archivistScheduler.js

@@ -1,4 +1,22 @@
 "use strict";
+/**
+ * Archivist scheduler — drives periodic and file-watch-triggered maintenance.
+ *
+ * Wraps `iranti.runMaintenance()` in two trigger modes, both optional and
+ * independently enabled via env vars:
+ *  - **Interval** (`IRANTI_ARCHIVIST_INTERVAL_MS`) — runs maintenance on a
+ *    fixed timer. Set to 0 or omit to disable.
+ *  - **Escalation watch** (`IRANTI_ARCHIVIST_WATCH`, default true) — uses
+ *    `fs.watch` on the active escalation folder; fires a debounced maintenance
+ *    run whenever a `.md` file changes (debounce: `IRANTI_ARCHIVIST_DEBOUNCE_MS`,
+ *    default 60 s). Prevents redundant runs when multiple files are written rapidly.
+ *
+ * Maintenance runs are serialised — a `running` flag drops overlapping triggers
+ * into a single `pendingRun` that fires immediately after the current run ends.
+ *
+ * Returns a `SchedulerHandle` with `{ started, stop() }` so the server can
+ * cleanly shut down timers and the file watcher on exit.
+ */
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/dist/src/api/archivistScheduler.js.map

@@ -1 +1 @@
-{"version":3,"file":"archivistScheduler.js","sourceRoot":"","sources":["../../../src/api/archivistScheduler.ts"],"names":[],"mappings":";;;;;AAuBA,0DA4EC;AAnGD,4CAAoB;AAEpB,4DAAiE;AAOjE,SAAS,gBAAgB,CAAC,KAAyB,EAAE,QAAgB;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,QAAQ,CAAC;IAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1C,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;AACrE,CAAC;AAED,SAAS,YAAY,CAAC,KAAyB,EAAE,QAAiB;IAC9D,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,QAAQ,CAAC;IACzC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,QAAQ,CAAC;AACpB,CAAC;AAEM,KAAK,UAAU,uBAAuB,CAAC,MAAc;IACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,KAAM,CAAC,CAAC;IACtF,MAAM,gBAAgB,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,CAAC,CAAC;IAEhF,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACvC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC,EAAE,CAAC;IAC9C,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,IAAA,yCAAuB,GAAE,CAAC;IACxD,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,QAAQ,GAAG,KAAK,CAAC;IAErB,IAAI,cAAc,GAA0B,IAAI,CAAC;IACjD,IAAI,cAAc,GAA0B,IAAI,CAAC;IACjD,IAAI,OAAO,GAAwB,IAAI,CAAC;IAExC,MAAM,cAAc,GAAG,KAAK,EAAE,MAAc,EAAiB,EAAE;QAC3D,IAAI,QAAQ;YAAE,OAAO;QACrB,IAAI,OAAO,EAAE,CAAC;YACV,UAAU,GAAG,IAAI,CAAC;YAClB,OAAO;QACX,CAAC;QAED,OAAO,GAAG,IAAI,CAAC;QACf,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,EAAE,CAAC;YAC7C,OAAO,CAAC,GAAG,CACP,mBAAmB,MAAM,cAAc,MAAM,CAAC,oBAAoB,GAAG;gBACrE,WAAW,MAAM,CAAC,eAAe,aAAa,MAAM,CAAC,qBAAqB,WAAW,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAC9G,CAAC;QACN,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;QACpE,CAAC;gBAAS,CAAC;YACP,OAAO,GAAG,KAAK,CAAC;YAChB,IAAI,UAAU,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC1B,UAAU,GAAG,KAAK,CAAC;gBACnB,YAAY,CAAC,GAAG,EAAE;oBACd,KAAK,cAAc,CAAC,SAAS,CAAC,CAAC;gBACnC,CAAC,CAAC,CAAC;YACP,CAAC;QACL,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,oBAAoB,GAAG,GAAS,EAAE;QACpC,IAAI,QAAQ;YAAE,OAAO;QACrB,IAAI,cAAc;YAAE,YAAY,CAAC,cAAc,CAAC,CAAC;QACjD,cAAc,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,cAAc,GAAG,IAAI,CAAC;YACtB,KAAK,cAAc,CAAC,mBAAmB,CAAC,CAAC;QAC7C,CAAC,EAAE,UAAU,CAAC,CAAC;IACnB,CAAC,CAAC;IAEF,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;QACjB,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE;YAC9B,KAAK,cAAc,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC,EAAE,UAAU,CAAC,CAAC;IACnB,CAAC;IAED,IAAI,gBAAgB,EAAE,CAAC;QACnB,OAAO,GAAG,YAAE,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,EAAE;YAChE,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,OAAO;YACnD,oBAAoB,EAAE,CAAC;QAC3B,CAAC,CAAC,CAAC;IACP,CAAC;IAED,OAAO;QACH,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,GAAG,EAAE;YACP,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,cAAc;gBAAE,aAAa,CAAC,cAAc,CAAC,CAAC;YAClD,IAAI,cAAc;gBAAE,YAAY,CAAC,cAAc,CAAC,CAAC;YACjD,IAAI,OAAO;gBAAE,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,CAAC;KACJ,CAAC;AACN,CAAC"}
+{"version":3,"file":"archivistScheduler.js","sourceRoot":"","sources":["../../../src/api/archivistScheduler.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;GAiBG;;;;;AAyBH,0DA4EC;AAnGD,4CAAoB;AAEpB,4DAAiE;AAOjE,SAAS,gBAAgB,CAAC,KAAyB,EAAE,QAAgB;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,QAAQ,CAAC;IAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1C,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;AACrE,CAAC;AAED,SAAS,YAAY,CAAC,KAAyB,EAAE,QAAiB;IAC9D,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,QAAQ,CAAC;IACzC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,QAAQ,CAAC;AACpB,CAAC;AAEM,KAAK,UAAU,uBAAuB,CAAC,MAAc;IACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,KAAM,CAAC,CAAC;IACtF,MAAM,gBAAgB,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,CAAC,CAAC;IAEhF,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACvC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC,EAAE,CAAC;IAC9C,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,IAAA,yCAAuB,GAAE,CAAC;IACxD,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,QAAQ,GAAG,KAAK,CAAC;IAErB,IAAI,cAAc,GAA0B,IAAI,CAAC;IACjD,IAAI,cAAc,GAA0B,IAAI,CAAC;IACjD,IAAI,OAAO,GAAwB,IAAI,CAAC;IAExC,MAAM,cAAc,GAAG,KAAK,EAAE,MAAc,EAAiB,EAAE;QAC3D,IAAI,QAAQ;YAAE,OAAO;QACrB,IAAI,OAAO,EAAE,CAAC;YACV,UAAU,GAAG,IAAI,CAAC;YAClB,OAAO;QACX,CAAC;QAED,OAAO,GAAG,IAAI,CAAC;QACf,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,EAAE,CAAC;YAC7C,OAAO,CAAC,GAAG,CACP,mBAAmB,MAAM,cAAc,MAAM,CAAC,oBAAoB,GAAG;gBACrE,WAAW,MAAM,CAAC,eAAe,aAAa,MAAM,CAAC,qBAAqB,WAAW,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAC9G,CAAC;QACN,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC;QACpE,CAAC;gBAAS,CAAC;YACP,OAAO,GAAG,KAAK,CAAC;YAChB,IAAI,UAAU,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC1B,UAAU,GAAG,KAAK,CAAC;gBACnB,YAAY,CAAC,GAAG,EAAE;oBACd,KAAK,cAAc,CAAC,SAAS,CAAC,CAAC;gBACnC,CAAC,CAAC,CAAC;YACP,CAAC;QACL,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,oBAAoB,GAAG,GAAS,EAAE;QACpC,IAAI,QAAQ;YAAE,OAAO;QACrB,IAAI,cAAc;YAAE,YAAY,CAAC,cAAc,CAAC,CAAC;QACjD,cAAc,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,cAAc,GAAG,IAAI,CAAC;YACtB,KAAK,cAAc,CAAC,mBAAmB,CAAC,CAAC;QAC7C,CAAC,EAAE,UAAU,CAAC,CAAC;IACnB,CAAC,CAAC;IAEF,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;QACjB,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE;YAC9B,KAAK,cAAc,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC,EAAE,UAAU,CAAC,CAAC;IACnB,CAAC;IAED,IAAI,gBAAgB,EAAE,CAAC;QACnB,OAAO,GAAG,YAAE,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,EAAE;YAChE,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,OAAO;YACnD,oBAAoB,EAAE,CAAC;QAC3B,CAAC,CAAC,CAAC;IACP,CAAC;IAED,OAAO;QACH,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,GAAG,EAAE;YACP,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,cAAc;gBAAE,aAAa,CAAC,cAAc,CAAC,CAAC;YAClD,IAAI,cAAc;gBAAE,YAAY,CAAC,cAAc,CAAC,CAAC;YACjD,IAAI,OAAO;gBAAE,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,CAAC;KACJ,CAAC;AACN,CAAC"}

package/dist/src/api/diag.d.ts

@@ -1,2 +1,13 @@
+/**
+ * Dev-only: active-handle / active-request diagnostics for the iranti Express server.
+ *
+ * Starts a minimal Express server and a raw http.createServer on ports 3001/3002,
+ * then calls the Node.js internal `_getActiveHandles` / `_getActiveRequests` APIs
+ * to inspect what is keeping the event loop alive at each lifecycle stage.
+ *
+ * NOT shipped — run directly with ts-node for debugging graceful-shutdown hang issues.
+ * The `(process as NodeProcessInternal)` casts are intentional: these are private
+ * Node.js inspection APIs with no public TypeScript declarations.
+ */
 export {};
 //# sourceMappingURL=diag.d.ts.map

package/dist/src/api/diag.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"diag.d.ts","sourceRoot":"","sources":["../../../src/api/diag.ts"],"names":[],"mappings":""}
+{"version":3,"file":"diag.d.ts","sourceRoot":"","sources":["../../../src/api/diag.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}

package/dist/src/api/diag.js

@@ -1,4 +1,15 @@
 "use strict";
+/**
+ * Dev-only: active-handle / active-request diagnostics for the iranti Express server.
+ *
+ * Starts a minimal Express server and a raw http.createServer on ports 3001/3002,
+ * then calls the Node.js internal `_getActiveHandles` / `_getActiveRequests` APIs
+ * to inspect what is keeping the event loop alive at each lifecycle stage.
+ *
+ * NOT shipped — run directly with ts-node for debugging graceful-shutdown hang issues.
+ * The `(process as NodeProcessInternal)` casts are intentional: these are private
+ * Node.js inspection APIs with no public TypeScript declarations.
+ */
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -23,8 +34,9 @@ async function testExpress() {
         console.log('Express listening on 3001');
         logHandles('After Express listen');
         // Check if server handle is ref'd
-        if (server._handle && typeof server._handle.hasRef === 'function') {
-            console.log(`Server handle hasRef: ${server._handle.hasRef()}`);
+        const serverWithHandle = server;
+        if (serverWithHandle._handle && typeof serverWithHandle._handle.hasRef === 'function') {
+            console.log(`Server handle hasRef: ${serverWithHandle._handle.hasRef()}`);
         }
         // Wait a bit and check again
         setTimeout(() => {

package/dist/src/api/diag.js.map

@@ -1 +1 @@
-{"version":3,"file":"diag.js","sourceRoot":"","sources":["../../../src/api/diag.ts"],"names":[],"mappings":";;;;;AAAA,sDAA8B;AAC9B,gDAAwB;AAExB,SAAS,UAAU,CAAC,KAAa;IAC7B,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC;IAChC,MAAM,OAAO,GAAI,OAAe,CAAC,iBAAiB,EAAE,CAAC;IACrD,MAAM,QAAQ,GAAI,OAAe,CAAC,kBAAkB,EAAE,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,mBAAmB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACjD,OAAO,CAAC,OAAO,CAAC,CAAC,CAAM,EAAE,CAAS,EAAE,EAAE;QAClC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,oBAAoB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;AACxC,CAAC;AAED,KAAK,UAAU,WAAW;IACtB,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC;IACtB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACjC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACzC,UAAU,CAAC,sBAAsB,CAAC,CAAC;QAEnC,kCAAkC;QAClC,IAAK,MAAc,CAAC,OAAO,IAAI,OAAQ,MAAc,CAAC,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAClF,OAAO,CAAC,GAAG,CAAC,yBAA0B,MAAc,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,6BAA6B;QAC7B,UAAU,CAAC,GAAG,EAAE;YACZ,UAAU,CAAC,oBAAoB,CAAC,CAAC;YACjC,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,WAAW,EAAE,CAAC;QAClB,CAAC,EAAE,IAAI,CAAC,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,WAAW;IAChB,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,cAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC1C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IACH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACrB,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC1C,UAAU,CAAC,uBAAuB,CAAC,CAAC;QAEpC,UAAU,CAAC,GAAG,EAAE;YACZ,UAAU,CAAC,qBAAqB,CAAC,CAAC;YAClC,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACvC,CAAC,EAAE,IAAI,CAAC,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC;AAED,UAAU,CAAC,SAAS,CAAC,CAAC;AACtB,WAAW,EAAE,CAAC"}
+{"version":3,"file":"diag.js","sourceRoot":"","sources":["../../../src/api/diag.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;;;AAEH,sDAA8B;AAC9B,gDAAwB;AAaxB,SAAS,UAAU,CAAC,KAAa;IAC7B,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC;IAChC,MAAM,OAAO,GAAI,OAA+B,CAAC,iBAAiB,EAAE,CAAC;IACrE,MAAM,QAAQ,GAAI,OAA+B,CAAC,kBAAkB,EAAE,CAAC;IACvE,OAAO,CAAC,GAAG,CAAC,mBAAmB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACjD,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACrB,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,oBAAoB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;AACxC,CAAC;AAED,KAAK,UAAU,WAAW;IACtB,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC;IACtB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACjC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACzC,UAAU,CAAC,sBAAsB,CAAC,CAAC;QAEnC,kCAAkC;QAClC,MAAM,gBAAgB,GAAG,MAA0B,CAAC;QACpD,IAAI,gBAAgB,CAAC,OAAO,IAAI,OAAO,gBAAgB,CAAC,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACpF,OAAO,CAAC,GAAG,CAAC,yBAAyB,gBAAgB,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC9E,CAAC;QAED,6BAA6B;QAC7B,UAAU,CAAC,GAAG,EAAE;YACZ,UAAU,CAAC,oBAAoB,CAAC,CAAC;YACjC,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,WAAW,EAAE,CAAC;QAClB,CAAC,EAAE,IAAI,CAAC,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,WAAW;IAChB,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,cAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC1C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IACH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACrB,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC1C,UAAU,CAAC,uBAAuB,CAAC,CAAC;QAEpC,UAAU,CAAC,GAAG,EAAE;YACZ,UAAU,CAAC,qBAAqB,CAAC,CAAC;YAClC,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACvC,CAAC,EAAE,IAAI,CAAC,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC;AAED,UAAU,CAAC,SAAS,CAAC,CAAC;AACtB,WAAW,EAAE,CAAC"}

package/dist/src/api/healthChecks.d.ts

@@ -1,3 +1,22 @@
+/**
+ * Health check state and vector backend monitor for iranti's API server.
+ *
+ * Provides lightweight, side-effect-free helpers used by `server.ts` to
+ * build and maintain the `/health` response:
+ *
+ *  - `createHealthCheckState(initial)` — factory for a mutable `HealthCheckState`
+ *    object that `server.ts` updates as probes complete
+ *  - `deriveOperatorStatus(context)` — computes `'ok' | 'degraded'` from the
+ *    combination of runtime authority source, metadata health, and vector backend
+ *    health; degraded when any critical check has failed
+ *  - `createVectorBackendMonitor(options)` — starts an interval-based probe loop
+ *    against the vector backend's `ping()`. Updates a shared `HealthCheckState`
+ *    on each probe result and calls `logError` on failure. Returns `{ probe,
+ *    start, stop }` so the server can control the monitor lifecycle.
+ *
+ * Designed for testability: `setIntervalImpl` / `clearIntervalImpl` overrides
+ * allow tests to inject fake timers without patching globals.
+ */
 export type HealthCheckState = {
     checked: boolean;
     ok: boolean;

package/dist/src/api/healthChecks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"healthChecks.d.ts","sourceRoot":"","sources":["../../../src/api/healthChecks.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAChC,sBAAsB,EAAE,KAAK,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,GAAG,MAAM,CAAC;IAC9E,qBAAqB,EAAE,gBAAgB,CAAC;IACxC,mBAAmB,EAAE,gBAAgB,CAAC;CACzC,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,UAAU,CAAC;AAElD,KAAK,cAAc,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAErD,KAAK,2BAA2B,GAAG;IAC/B,IAAI,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACrC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IACrC,iBAAiB,CAAC,EAAE,OAAO,aAAa,CAAC;CAC5C,CAAC;AAEF,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,gBAAgB,GAAG,gBAAgB,CAElF;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,IAAI,GAAG,UAAU,CAKtF;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,2BAA2B;;qBAkB7C,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC;iBAgBxC,cAAc;gBASf,IAAI;EAYxB"}
+{"version":3,"file":"healthChecks.d.ts","sourceRoot":"","sources":["../../../src/api/healthChecks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,MAAM,gBAAgB,GAAG;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAChC,sBAAsB,EAAE,KAAK,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,GAAG,MAAM,CAAC;IAC9E,qBAAqB,EAAE,gBAAgB,CAAC;IACxC,mBAAmB,EAAE,gBAAgB,CAAC;CACzC,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,UAAU,CAAC;AAElD,KAAK,cAAc,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAErD,KAAK,2BAA2B,GAAG;IAC/B,IAAI,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACrC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IACrC,iBAAiB,CAAC,EAAE,OAAO,aAAa,CAAC;CAC5C,CAAC;AAEF,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,gBAAgB,GAAG,gBAAgB,CAElF;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,IAAI,GAAG,UAAU,CAKtF;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,2BAA2B;;qBAkB7C,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC;iBAgBxC,cAAc;gBASf,IAAI;EAYxB"}

package/dist/src/api/healthChecks.js

@@ -1,4 +1,23 @@
 "use strict";
+/**
+ * Health check state and vector backend monitor for iranti's API server.
+ *
+ * Provides lightweight, side-effect-free helpers used by `server.ts` to
+ * build and maintain the `/health` response:
+ *
+ *  - `createHealthCheckState(initial)` — factory for a mutable `HealthCheckState`
+ *    object that `server.ts` updates as probes complete
+ *  - `deriveOperatorStatus(context)` — computes `'ok' | 'degraded'` from the
+ *    combination of runtime authority source, metadata health, and vector backend
+ *    health; degraded when any critical check has failed
+ *  - `createVectorBackendMonitor(options)` — starts an interval-based probe loop
+ *    against the vector backend's `ping()`. Updates a shared `HealthCheckState`
+ *    on each probe result and calls `logError` on failure. Returns `{ probe,
+ *    start, stop }` so the server can control the monitor lifecycle.
+ *
+ * Designed for testability: `setIntervalImpl` / `clearIntervalImpl` overrides
+ * allow tests to inject fake timers without patching globals.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createHealthCheckState = createHealthCheckState;
 exports.deriveOperatorStatus = deriveOperatorStatus;

package/dist/src/api/healthChecks.js.map

@@ -1 +1 @@
-{"version":3,"file":"healthChecks.js","sourceRoot":"","sources":["../../../src/api/healthChecks.ts"],"names":[],"mappings":";;AAwBA,wDAEC;AAED,oDAKC;AAED,gEAuDC;AAlED,SAAgB,sBAAsB,CAAC,OAAyB;IAC5D,OAAO,EAAE,GAAG,OAAO,EAAE,CAAC;AAC1B,CAAC;AAED,SAAgB,oBAAoB,CAAC,OAA8B;IAC/D,IAAI,OAAO,CAAC,sBAAsB,KAAK,SAAS;QAAE,OAAO,UAAU,CAAC;IACpE,IAAI,OAAO,CAAC,qBAAqB,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,EAAE;QAAE,OAAO,UAAU,CAAC;IAClG,IAAI,OAAO,CAAC,mBAAmB,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE;QAAE,OAAO,UAAU,CAAC;IAC9F,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,SAAgB,0BAA0B,CAAC,OAAoC;IAC3E,MAAM,KAAK,GAAG,sBAAsB,CAAC;QACjC,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,IAAI;QACR,MAAM,EAAE,wCAAwC;KACnD,CAAC,CAAC;IACH,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAM,CAAC;IAChD,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,WAAW,CAAC;IAC/D,MAAM,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,aAAa,CAAC;IACrE,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IACvD,IAAI,cAAc,GAA0B,IAAI,CAAC;IAEjD,SAAS,IAAI,CAAC,EAAW,EAAE,MAAc;QACrC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC;QACrB,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC;QACd,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAC1B,CAAC;IAED,KAAK,UAAU,KAAK,CAAC,OAAqB;QACtC,IAAI,CAAC;YACD,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;YAChC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACN,IAAI,CAAC,KAAK,EAAE,wCAAwC,CAAC,CAAC;gBACtD,QAAQ,CAAC,YAAY,OAAO,yDAAyD,CAAC,CAAC;gBACvF,OAAO;YACX,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,kCAAkC,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACrB,QAAQ,CAAC,YAAY,OAAO,wBAAwB,OAAO,EAAE,CAAC,CAAC;QACnE,CAAC;IACL,CAAC;IAED,SAAS,KAAK;QACV,IAAI,cAAc;YAAE,OAAO,cAAc,CAAC;QAC1C,cAAc,GAAG,eAAe,CAAC,GAAG,EAAE;YAClC,KAAK,KAAK,CAAC,UAAU,CAAC,CAAC;QAC3B,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,cAAc,CAAC,KAAK,EAAE,EAAE,CAAC;QACzB,OAAO,cAAc,CAAC;IAC1B,CAAC;IAED,SAAS,IAAI;QACT,IAAI,CAAC,cAAc;YAAE,OAAO;QAC5B,iBAAiB,CAAC,cAAc,CAAC,CAAC;QAClC,cAAc,GAAG,IAAI,CAAC;IAC1B,CAAC;IAED,OAAO;QACH,KAAK;QACL,KAAK;QACL,KAAK;QACL,IAAI;KACP,CAAC;AACN,CAAC"}
+{"version":3,"file":"healthChecks.js","sourceRoot":"","sources":["../../../src/api/healthChecks.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;GAkBG;;AA0BH,wDAEC;AAED,oDAKC;AAED,gEAuDC;AAlED,SAAgB,sBAAsB,CAAC,OAAyB;IAC5D,OAAO,EAAE,GAAG,OAAO,EAAE,CAAC;AAC1B,CAAC;AAED,SAAgB,oBAAoB,CAAC,OAA8B;IAC/D,IAAI,OAAO,CAAC,sBAAsB,KAAK,SAAS;QAAE,OAAO,UAAU,CAAC;IACpE,IAAI,OAAO,CAAC,qBAAqB,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,EAAE;QAAE,OAAO,UAAU,CAAC;IAClG,IAAI,OAAO,CAAC,mBAAmB,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE;QAAE,OAAO,UAAU,CAAC;IAC9F,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,SAAgB,0BAA0B,CAAC,OAAoC;IAC3E,MAAM,KAAK,GAAG,sBAAsB,CAAC;QACjC,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,IAAI;QACR,MAAM,EAAE,wCAAwC;KACnD,CAAC,CAAC;IACH,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAM,CAAC;IAChD,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,WAAW,CAAC;IAC/D,MAAM,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,aAAa,CAAC;IACrE,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IACvD,IAAI,cAAc,GAA0B,IAAI,CAAC;IAEjD,SAAS,IAAI,CAAC,EAAW,EAAE,MAAc;QACrC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC;QACrB,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC;QACd,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;IAC1B,CAAC;IAED,KAAK,UAAU,KAAK,CAAC,OAAqB;QACtC,IAAI,CAAC;YACD,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;YAChC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACN,IAAI,CAAC,KAAK,EAAE,wCAAwC,CAAC,CAAC;gBACtD,QAAQ,CAAC,YAAY,OAAO,yDAAyD,CAAC,CAAC;gBACvF,OAAO;YACX,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,kCAAkC,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACrB,QAAQ,CAAC,YAAY,OAAO,wBAAwB,OAAO,EAAE,CAAC,CAAC;QACnE,CAAC;IACL,CAAC;IAED,SAAS,KAAK;QACV,IAAI,cAAc;YAAE,OAAO,cAAc,CAAC;QAC1C,cAAc,GAAG,eAAe,CAAC,GAAG,EAAE;YAClC,KAAK,KAAK,CAAC,UAAU,CAAC,CAAC;QAC3B,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,cAAc,CAAC,KAAK,EAAE,EAAE,CAAC;QACzB,OAAO,cAAc,CAAC;IAC1B,CAAC;IAED,SAAS,IAAI;QACT,IAAI,CAAC,cAAc;YAAE,OAAO;QAC5B,iBAAiB,CAAC,cAAc,CAAC,CAAC;QAClC,cAAc,GAAG,IAAI,CAAC;IAC1B,CAAC;IAED,OAAO;QACH,KAAK;QACL,KAAK;QACL,KAAK;QACL,IAAI;KACP,CAAC;AACN,CAAC"}

package/dist/src/api/middleware/auth.d.ts

@@ -1,3 +1,18 @@
+/**
+ * iranti API authentication middleware.
+ *
+ * Validates requests against iranti's own API key store (not Auth.js or any
+ * third-party auth system). Accepts the key via two header forms:
+ *  - `X-Iranti-Key: <key>` — preferred
+ *  - `Authorization: Bearer <key>` — compat with standard tooling
+ *
+ * On success, attaches `req.irantiAuth` (`IrantiAuthContext`) with the key's
+ * `keyId`, `owner`, `mode`, and `scopes` so downstream authorization middleware
+ * can gate specific operations without re-querying the key store.
+ *
+ * On failure (missing or invalid key), responds 401. Uses the `Express.Request`
+ * global augmentation so TypeScript sees `req.irantiAuth` without casts.
+ */
 import { Request, Response, NextFunction } from 'express';
 export interface IrantiAuthContext {
     mode: string;

package/dist/src/api/middleware/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../../src/api/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D,MAAM,WAAW,iBAAiB;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,OAAO,CAAC,MAAM,CAAC;IACX,UAAU,OAAO,CAAC;QACd,UAAU,OAAO;YACb,UAAU,CAAC,EAAE,iBAAiB,CAAC;SAClC;KACJ;CACJ;AAmBD,wBAAsB,YAAY,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAiBjG"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../../src/api/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D,MAAM,WAAW,iBAAiB;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,OAAO,CAAC,MAAM,CAAC;IACX,UAAU,OAAO,CAAC;QACd,UAAU,OAAO;YACb,UAAU,CAAC,EAAE,iBAAiB,CAAC;SAClC;KACJ;CACJ;AAmBD,wBAAsB,YAAY,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAiBjG"}

package/dist/src/api/middleware/auth.js

@@ -1,4 +1,19 @@
 "use strict";
+/**
+ * iranti API authentication middleware.
+ *
+ * Validates requests against iranti's own API key store (not Auth.js or any
+ * third-party auth system). Accepts the key via two header forms:
+ *  - `X-Iranti-Key: <key>` — preferred
+ *  - `Authorization: Bearer <key>` — compat with standard tooling
+ *
+ * On success, attaches `req.irantiAuth` (`IrantiAuthContext`) with the key's
+ * `keyId`, `owner`, `mode`, and `scopes` so downstream authorization middleware
+ * can gate specific operations without re-querying the key store.
+ *
+ * On failure (missing or invalid key), responds 401. Uses the `Express.Request`
+ * global augmentation so TypeScript sees `req.irantiAuth` without casts.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.authenticate = authenticate;
 const apiKeys_1 = require("../../security/apiKeys");

package/dist/src/api/middleware/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../../src/api/middleware/auth.ts"],"names":[],"mappings":";;AAmCA,oCAiBC;AAnDD,oDAAwD;AAiBxD,SAAS,aAAa,CAAC,GAAY;IAC/B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACzE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/D,OAAO,SAAS,CAAC,IAAI,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACpE,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAChD,CAAC;AAEM,KAAK,UAAU,YAAY,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAC9E,MAAM,WAAW,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAc,EAAC,WAAW,CAAC,CAAC;IACjD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACb,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,oDAAoD,EAAE,CAAC,CAAC;QACvH,OAAO;IACX,CAAC;IAED,GAAG,CAAC,UAAU,GAAG;QACb,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,UAAU;QAC/B,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,SAAS;QAChC,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,SAAS;QAChC,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC;KACjC,CAAC;IAEF,IAAI,EAAE,CAAC;AACX,CAAC"}
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../../src/api/middleware/auth.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAqCH,oCAiBC;AAnDD,oDAAwD;AAiBxD,SAAS,aAAa,CAAC,GAAY;IAC/B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACzE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/D,OAAO,SAAS,CAAC,IAAI,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACpE,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAChD,CAAC;AAEM,KAAK,UAAU,YAAY,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAC9E,MAAM,WAAW,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAc,EAAC,WAAW,CAAC,CAAC;IACjD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACb,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,oDAAoD,EAAE,CAAC,CAAC;QACvH,OAAO;IACX,CAAC;IAED,GAAG,CAAC,UAAU,GAAG;QACb,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,UAAU;QAC/B,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,SAAS;QAChC,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,SAAS;QAChC,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC;KACjC,CAAC;IAEF,IAAI,EAAE,CAAC;AACX,CAAC"}

package/dist/src/api/middleware/authorization.d.ts

@@ -1,3 +1,21 @@
+/**
+ * iranti API authorization middleware — scope-based access control.
+ *
+ * Enforces which operations an API key is allowed to perform based on the
+ * `scopes` array populated by the auth middleware. Scope formats follow the
+ * `family:action` pattern (e.g. `knowledge:read`, `memory:write`).
+ *
+ * Exported middleware factories:
+ *  - `requireAnyScope(scopes)` — passes if the key holds at least one of the
+ *    listed scopes (global or family match)
+ *  - `requireScopeByMethod(readScope, writeScope)` — infers required scope
+ *    from HTTP method (GET/HEAD/OPTIONS → read, else → write)
+ *  - `requireScopeFamilyByMethod(readFamily, writeFamily)` — same but family
+ *    prefix matching (e.g. `knowledge` matches `knowledge:read`)
+ *  - `requireEntityScopeByMethod(extractor, readScope, writeScope)` — combines
+ *    method-based scope inference with entity-level access checks via
+ *    `evaluateEntityScopeAccess` (supports entity-scoped API keys)
+ */
 import { NextFunction, Request, Response } from 'express';
 export interface EntityTarget {
     entityType: string;

package/dist/src/api/middleware/authorization.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["../../../../src/api/middleware/authorization.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAG1D,MAAM,WAAW,YAAY;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CACpB;AAED,KAAK,eAAe,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,YAAY,GAAG,YAAY,EAAE,CAAC;AA6BvE,wBAAgB,eAAe,CAAC,cAAc,EAAE,MAAM,EAAE,IAG5C,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAkBjE;AAED,wBAAgB,qBAAqB,CAAC,cAAc,EAAE,MAAM,EAAE,IAGlD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAkBjE;AAED,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,IAC9D,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAIjE;AAED,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,IACpE,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAIjE;AAED,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,EAAE,eAAe,IACtG,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAkCjE"}
+{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["../../../../src/api/middleware/authorization.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAG1D,MAAM,WAAW,YAAY;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CACpB;AAED,KAAK,eAAe,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,YAAY,GAAG,YAAY,EAAE,CAAC;AA6BvE,wBAAgB,eAAe,CAAC,cAAc,EAAE,MAAM,EAAE,IAG5C,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAkBjE;AAED,wBAAgB,qBAAqB,CAAC,cAAc,EAAE,MAAM,EAAE,IAGlD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAkBjE;AAED,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,IAC9D,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAIjE;AAED,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,IACpE,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAIjE;AAED,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,EAAE,eAAe,IACtG,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAkCjE"}

package/dist/src/api/middleware/authorization.js

@@ -1,4 +1,22 @@
 "use strict";
+/**
+ * iranti API authorization middleware — scope-based access control.
+ *
+ * Enforces which operations an API key is allowed to perform based on the
+ * `scopes` array populated by the auth middleware. Scope formats follow the
+ * `family:action` pattern (e.g. `knowledge:read`, `memory:write`).
+ *
+ * Exported middleware factories:
+ *  - `requireAnyScope(scopes)` — passes if the key holds at least one of the
+ *    listed scopes (global or family match)
+ *  - `requireScopeByMethod(readScope, writeScope)` — infers required scope
+ *    from HTTP method (GET/HEAD/OPTIONS → read, else → write)
+ *  - `requireScopeFamilyByMethod(readFamily, writeFamily)` — same but family
+ *    prefix matching (e.g. `knowledge` matches `knowledge:read`)
+ *  - `requireEntityScopeByMethod(extractor, readScope, writeScope)` — combines
+ *    method-based scope inference with entity-level access checks via
+ *    `evaluateEntityScopeAccess` (supports entity-scoped API keys)
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.requireAnyScope = requireAnyScope;
 exports.requireAnyScopeFamily = requireAnyScopeFamily;

package/dist/src/api/middleware/authorization.js.map

@@ -1 +1 @@
-{"version":3,"file":"authorization.js","sourceRoot":"","sources":["../../../../src/api/middleware/authorization.ts"],"names":[],"mappings":";;AAqCA,0CAqBC;AAED,sDAqBC;AAED,oDAKC;AAED,gEAKC;AAED,gEAmCC;AAnID,kDAA0G;AAS1G,SAAS,eAAe,CAAC,MAAe;IACpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IACtC,OAAO,MAAM;SACR,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;SACpC,MAAM,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,cAAc,CAAC,aAAuB,EAAE,aAAqB;IAClE,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAA,2BAAkB,EAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,SAAS,gBAAgB,CAAC,aAAuB,EAAE,aAAqB;IACpE,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAA,2BAAkB,EAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc,EAAE,SAAiB,EAAE,UAAkB;IAC7E,MAAM,MAAM,GAAG,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,SAAS,CAAC;IAC7E,OAAO,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC;AAC3C,CAAC;AAED,SAAS,MAAM,CAAC,GAAa,EAAE,MAAc;IACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACjB,KAAK,EAAE,WAAW;QAClB,MAAM;KACT,CAAC,CAAC;AACP,CAAC;AAED,SAAgB,eAAe,CAAC,cAAwB;IACpD,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE7E,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;YAC7E,OAAO;QACX,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;QAClG,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,mDAAmD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAClF,CAAC,CAAC;YACH,OAAO;QACX,CAAC;QAED,IAAI,EAAE,CAAC;IACX,CAAC,CAAC;AACN,CAAC;AAED,SAAgB,qBAAqB,CAAC,cAAwB;IAC1D,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE7E,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;YAC7E,OAAO;QACX,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;QACpG,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,mDAAmD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAClF,CAAC,CAAC;YACH,OAAO;QACX,CAAC;QAED,IAAI,EAAE,CAAC;IACX,CAAC,CAAC;AACN,CAAC;AAED,SAAgB,oBAAoB,CAAC,SAAiB,EAAE,UAAkB;IACtE,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;QAC5F,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAC;AACN,CAAC;AAED,SAAgB,0BAA0B,CAAC,SAAiB,EAAE,UAAkB;IAC5E,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,UAAU,GAAG,qBAAqB,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;QAClG,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAC;AACN,CAAC;AAED,SAAgB,0BAA0B,CAAC,SAAiB,EAAE,UAAkB,EAAE,eAAgC;IAC9G,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;YAC7E,OAAO;QACX,CAAC;QAED,IAAI,OAAuB,CAAC;QAC5B,IAAI,CAAC;YACD,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;YACvC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACjE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACxF,OAAO;QACX,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,EAAE,yCAAyC,CAAC,CAAC;YACvD,OAAO;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QACvE,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAE7C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC3B,MAAM,QAAQ,GAAG,IAAA,kCAAyB,EAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;gBAC7B,OAAO;YACX,CAAC;QACL,CAAC;QAED,IAAI,EAAE,CAAC;IACX,CAAC,CAAC;AACN,CAAC"}
+{"version":3,"file":"authorization.js","sourceRoot":"","sources":["../../../../src/api/middleware/authorization.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;GAiBG;;AAuCH,0CAqBC;AAED,sDAqBC;AAED,oDAKC;AAED,gEAKC;AAED,gEAmCC;AAnID,kDAA0G;AAS1G,SAAS,eAAe,CAAC,MAAe;IACpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IACtC,OAAO,MAAM;SACR,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;SACpC,MAAM,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,cAAc,CAAC,aAAuB,EAAE,aAAqB;IAClE,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAA,2BAAkB,EAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,SAAS,gBAAgB,CAAC,aAAuB,EAAE,aAAqB;IACpE,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAA,2BAAkB,EAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc,EAAE,SAAiB,EAAE,UAAkB;IAC7E,MAAM,MAAM,GAAG,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,SAAS,CAAC;IAC7E,OAAO,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC;AAC3C,CAAC;AAED,SAAS,MAAM,CAAC,GAAa,EAAE,MAAc;IACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACjB,KAAK,EAAE,WAAW;QAClB,MAAM;KACT,CAAC,CAAC;AACP,CAAC;AAED,SAAgB,eAAe,CAAC,cAAwB;IACpD,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE7E,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;YAC7E,OAAO;QACX,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;QAClG,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,mDAAmD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAClF,CAAC,CAAC;YACH,OAAO;QACX,CAAC;QAED,IAAI,EAAE,CAAC;IACX,CAAC,CAAC;AACN,CAAC;AAED,SAAgB,qBAAqB,CAAC,cAAwB;IAC1D,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE7E,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;YAC7E,OAAO;QACX,CAAC;QAED,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;QACpG,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,mDAAmD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAClF,CAAC,CAAC;YACH,OAAO;QACX,CAAC;QAED,IAAI,EAAE,CAAC;IACX,CAAC,CAAC;AACN,CAAC;AAED,SAAgB,oBAAoB,CAAC,SAAiB,EAAE,UAAkB;IACtE,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;QAC5F,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAC;AACN,CAAC;AAED,SAAgB,0BAA0B,CAAC,SAAiB,EAAE,UAAkB;IAC5E,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,UAAU,GAAG,qBAAqB,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;QAClG,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAC;AACN,CAAC;AAED,SAAgB,0BAA0B,CAAC,SAAiB,EAAE,UAAkB,EAAE,eAAgC;IAC9G,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;YAC7E,OAAO;QACX,CAAC;QAED,IAAI,OAAuB,CAAC;QAC5B,IAAI,CAAC;YACD,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;YACvC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACjE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACxF,OAAO;QACX,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,EAAE,yCAAyC,CAAC,CAAC;YACvD,OAAO;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QACvE,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAE7C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC3B,MAAM,QAAQ,GAAG,IAAA,kCAAyB,EAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;gBAC7B,OAAO;YACX,CAAC;QACL,CAAC;QAED,IAAI,EAAE,CAAC;IACX,CAAC,CAAC;AACN,CAAC"}