npm - mstro-app - Versions diffs - 0.4.21 → 0.4.24 - Mend

mstro-app 0.4.21 → 0.4.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (167) hide show

package/dist/server/mcp/security-patterns.js CHANGED Viewed

@@ -12,6 +12,12 @@
  * - Sensitive operations (system paths, credentials) get AI review with context
  * - The question is: "Does this operation make sense given user intent?"
  *
+ * SECURITY NOTE: These patterns are public (open-source repo). Pattern
+ * visibility is intentional and follows industry practice (OWASP CRS,
+ * Snort, ModSecurity all publish rules publicly). The Haiku AI layer
+ * in bouncer-integration.ts is the actual security boundary — these
+ * patterns are a performance optimization for the fast path only.
+ *
  * Analysis logic (requiresAIReview, classifyRisk) lives in security-analysis.ts
  * and is re-exported here for backward compatibility.
  */
@@ -25,7 +31,7 @@ export { classifyRisk, isSensitivePath, requiresAIReview } from './security-anal
 export const SENSITIVE_PATHS = [
     // System directories - might be legitimate (e.g., user asked to configure something)
     { pattern: /^(Write|Edit):\s*\/etc\//i, reason: 'System configuration - verify user intent' },
-    { pattern: /^(Write|Edit):\s*\/(bin|sbin|usr\/bin|usr\/sbin)\//i, reason: 'System binaries - verify user intent' },
+    { pattern: /^(Write|Edit):\s*\/(bin|sbin|usr\/bin|usr\/sbin|usr\/local\/bin|usr\/local\/sbin)\//i, reason: 'System binaries - verify user intent' },
     { pattern: /^(Write|Edit):\s*\/boot\//i, reason: 'Boot directory - verify user intent' },
     { pattern: /^(Write|Edit):\s*\/root\//i, reason: 'Root home - verify user intent' },
     { pattern: /^(Write|Edit):\s*\/System\//i, reason: 'macOS system - verify user intent' },
@@ -51,7 +57,7 @@ export const SENSITIVE_PATHS = [
  */
 export const CRITICAL_THREATS = [
     {
-        pattern: /rm\s+-rf\s+(\/|~)($|\s)/i,
+        pattern: /rm\s+-rf\s+(\/|~)($|\s|;|&&|\|\|)/i,
         reason: 'Deleting root (/) or home (~) directory is never a legitimate dev task'
     },
     {
@@ -205,6 +211,45 @@ export const NEEDS_AI_REVIEW = [
     // MCP server manipulation
     { pattern: /\bclaude\b.*\bmcp\b.*\badd\b/i, reason: 'Adding MCP server - verify source is trusted' },
 ];
+/**
+ * Deploy-specific patterns — additional restrictions for board/headless executions
+ * triggered by end-user prompts (untrusted input from deployed app users).
+ *
+ * These catch operations that are unusual in an automated board execution context
+ * and should be routed to AI review. They supplement NEEDS_AI_REVIEW above.
+ */
+export const DEPLOY_PATTERNS = [
+    // Credential access from deploy context is suspicious
+    {
+        pattern: /\b(cat|head|tail|less|more)\b.*\.(env|pem|key|crt|p12|pfx|jks)\b/i,
+        reason: 'Deploy execution reading credential/certificate files — verify intent'
+    },
+    // Git push from deploy context — end-user code should not push upstream
+    {
+        pattern: /\bgit\b.*\bpush\b/i,
+        reason: 'Deploy execution attempting git push — verify this is intended'
+    },
+    // Network listeners — deploy executions should not open ports
+    {
+        pattern: /\b(nc|netcat|ncat|socat)\b.*(\blisten\b|\s-l\b)/i,
+        reason: 'Deploy execution opening network listener — potential backdoor'
+    },
+    // Process manipulation from deploy context
+    {
+        pattern: /\b(kill|killall|pkill)\b/i,
+        reason: 'Deploy execution attempting process termination — verify intent'
+    },
+    // SSH/SCP from deploy context
+    {
+        pattern: /\b(ssh|scp|sftp)\b.*@/i,
+        reason: 'Deploy execution initiating SSH/SCP connection — verify intent'
+    },
+    // Cron/systemd manipulation
+    {
+        pattern: /\b(crontab|systemctl|launchctl)\b/i,
+        reason: 'Deploy execution manipulating scheduled tasks — verify intent'
+    },
+];
 // ── Utility functions ─────────────────────────────────────────
 /**
  * Check if operation matches any pattern in array

package/dist/server/mcp/security-patterns.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"security-patterns.js","sourceRoot":"","sources":["../../../server/mcp/security-patterns.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE~~;;;;;;;;;;;;;;GAcG~~;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,0DAA0D;AAC1D,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAOzF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,qFAAqF;IACrF,EAAE,OAAO,EAAE,2BAA2B,EAAE,MAAM,EAAE,2CAA2C,EAAE;IAC7F,EAAE,OAAO,EAAE,~~qDAAqD~~,EAAE,MAAM,EAAE,sCAAsC,EAAE;~~IAClH~~,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,qCAAqC,EAAE;IACxF,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,gCAAgC,EAAE;IACnF,EAAE,OAAO,EAAE,8BAA8B,EAAE,MAAM,EAAE,mCAAmC,EAAE;IACxF,EAAE,OAAO,EAAE,6DAA6D,EAAE,MAAM,EAAE,4CAA4C,EAAE;IAEhI,uEAAuE;IACvE,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,wCAAwC,EAAE;IAC9F,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,+BAA+B,EAAE;IACvF,EAAE,OAAO,EAAE,mDAAmD,EAAE,MAAM,EAAE,sCAAsC,EAAE;IAChH,EAAE,OAAO,EAAE,+DAA+D,EAAE,MAAM,EAAE,0CAA0C,EAAE;IAEhI,kEAAkE;IAClE,EAAE,OAAO,EAAE,+EAA+E,EAAE,MAAM,EAAE,oCAAoC,EAAE;CAC3I,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAsB;IACjD;QACE,OAAO,EAAE,~~0BAA0B~~;~~QACnC~~,MAAM,EAAE,wEAAwE;KACjF;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,MAAM,EAAE,6DAA6D;KACtE;IACD;QACE,OAAO,EAAE,qCAAqC;QAC9C,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,yBAAyB;QAClC,MAAM,EAAE,iEAAiE;KAC1E;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,MAAM,EAAE,wDAAwD;KACjE;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,MAAM,EAAE,oDAAoD;KAC7D;IACD;QACE,OAAO,EAAE,eAAe;QACxB,MAAM,EAAE,yDAAyD;KAClE;IACD;QACE,OAAO,EAAE,0BAA0B;QACnC,MAAM,EAAE,2DAA2D;KACpE;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,oDAAoD;IACpD,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,SAAS,EAAE;IAEtB,sDAAsD;IACtD,EAAE,OAAO,EAAE,6BAA6B,EAAE;IAC1C,EAAE,OAAO,EAAE,4BAA4B,EAAE;IACzC,EAAE,OAAO,EAAE,4BAA4B,EAAE;IACzC,EAAE,OAAO,EAAE,2BAA2B,EAAE;IAExC,oDAAoD;IACpD,EAAE,OAAO,EAAE,yFAAyF,EAAE;IACtG,EAAE,OAAO,EAAE,yFAAyF,EAAE;IACtG,EAAE,OAAO,EAAE,6DAA6D,EAAE;IAC1E,EAAE,OAAO,EAAE,mFAAmF,EAAE;IAChG,EAAE,OAAO,EAAE,uFAAuF,EAAE;IAEpG,+DAA+D;IAC/D,EAAE,OAAO,EAAE,gDAAgD,EAAE;IAC7D,EAAE,OAAO,EAAE,wCAAwC,EAAE;IACrD,EAAE,OAAO,EAAE,yCAAyC,EAAE;IACtD,EAAE,OAAO,EAAE,2CAA2C,EAAE;IACxD,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,+CAA+C,EAAE;IAE5D,iCAAiC;IACjC,EAAE,OAAO,EAAE,2BAA2B,EAAE;IACxC,EAAE,OAAO,EAAE,gCAAgC,EAAE;IAE7C,yBAAyB;IACzB,EAAE,OAAO,EAAE,2DAA2D,EAAE;IAExE,iCAAiC;IACjC,EAAE,OAAO,EAAE,8CAA8C,EAAE;IAC3D,EAAE,OAAO,EAAE,qCAAqC,EAAE;IAClD,EAAE,OAAO,EAAE,gEAAgE,EAAE;IAC7E,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,sFAAsF,EAAE;IACnG,EAAE,OAAO,EAAE,4DAA4D,EAAE;IACzE,EAAE,OAAO,EAAE,oGAAoG,EAAE;IACjH,EAAE,OAAO,EAAE,0GAA0G,EAAE;IACvH,EAAE,OAAO,EAAE,+CAA+C,EAAE;IAC5D,EAAE,OAAO,EAAE,sFAAsF,EAAE;IACnG,EAAE,OAAO,EAAE,0EAA0E,EAAE;IACvF,EAAE,OAAO,EAAE,wDAAwD,EAAE;IACrE,EAAE,OAAO,EAAE,+EAA+E,EAAE;IAC5F,EAAE,OAAO,EAAE,+EAA+E,EAAE;IAC5F,EAAE,OAAO,EAAE,oBAAoB,EAAE;IAEjC,8CAA8C;IAC9C,EAAE,OAAO,EAAE,aAAa,EAAE;IAC1B,EAAE,OAAO,EAAE,cAAc,EAAE;IAE3B,gDAAgD;IAChD,EAAE,OAAO,EAAE,UAAU,EAAE;IACvB,EAAE,OAAO,EAAE,iBAAiB,EAAE;CAC/B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,iCAAiC;IACjC;QACE,OAAO,EAAE,+BAA+B;QACxC,MAAM,EAAE,iEAAiE;KAC1E;IAED,sBAAsB;IACtB,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,wDAAwD,EAAE;IAEtF,8DAA8D;IAC9D,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,wDAAwD,EAAE;IAE1F,6BAA6B;IAC7B,EAAE,OAAO,EAAE,0BAA0B,EAAE,MAAM,EAAE,8CAA8C,EAAE;IAC/F,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,kDAAkD,EAAE;IACtF,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,4CAA4C,EAAE;IACjF,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,qDAAqD,EAAE;IAE7F,0EAA0E;IAC1E;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,qDAAqD;KAC9D;IAED,iCAAiC;IACjC,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,sCAAsC,EAAE;IAC5E,EAAE,OAAO,EAAE,6BAA6B,EAAE,MAAM,EAAE,+CAA+C,EAAE;IACnG;QACE,OAAO,EAAE,sDAAsD;QAC/D,MAAM,EAAE,0DAA0D;KACnE;IACD,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,4BAA4B,EAAE;IAEpF,qDAAqD;IACrD;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,+DAA+D;KACxE;IACD,EAAE,OAAO,EAAE,mCAAmC,EAAE,MAAM,EAAE,oCAAoC,EAAE;IAC9F,EAAE,OAAO,EAAE,mCAAmC,EAAE,MAAM,EAAE,uDAAuD,EAAE;IACjH;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,mCAAmC;KAC5C;IAED,wBAAwB;IACxB,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,oDAAoD,EAAE;IAChG,EAAE,OAAO,EAAE,6BAA6B,EAAE,MAAM,EAAE,kDAAkD,EAAE;IAEtG,yBAAyB;IACzB;QACE,OAAO,EAAE,4EAA4E;QACrF,MAAM,EAAE,+DAA+D;KACxE;IACD,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,iDAAiD,EAAE;IAE9F,wBAAwB;IACxB,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,gDAAgD,EAAE;IAE7F,sDAAsD;IACtD;QACE,OAAO,EAAE,gDAAgD;QACzD,MAAM,EAAE,iEAAiE;KAC1E;IAED,0BAA0B;IAC1B,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,8CAA8C,EAAE;CACrG,CAAC;AAEF,iEAAiE;AAEjE;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB,EAAE,QAA2B;IAC3E,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAC9D,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;QAChC,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,GAAG,IAAI,KAAK,cAAc,EAAE,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
1	+ {"version":3,"file":"security-patterns.js","sourceRoot":"","sources":["../../../server/mcp/security-patterns.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,0DAA0D;AAC1D,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAOzF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,qFAAqF;IACrF,EAAE,OAAO,EAAE,2BAA2B,EAAE,MAAM,EAAE,2CAA2C,EAAE;IAC7F,EAAE,OAAO,EAAE,sFAAsF,EAAE,MAAM,EAAE,sCAAsC,EAAE;IACnJ,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,qCAAqC,EAAE;IACxF,EAAE,OAAO,EAAE,4BAA4B,EAAE,MAAM,EAAE,gCAAgC,EAAE;IACnF,EAAE,OAAO,EAAE,8BAA8B,EAAE,MAAM,EAAE,mCAAmC,EAAE;IACxF,EAAE,OAAO,EAAE,6DAA6D,EAAE,MAAM,EAAE,4CAA4C,EAAE;IAEhI,uEAAuE;IACvE,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,wCAAwC,EAAE;IAC9F,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,+BAA+B,EAAE;IACvF,EAAE,OAAO,EAAE,mDAAmD,EAAE,MAAM,EAAE,sCAAsC,EAAE;IAChH,EAAE,OAAO,EAAE,+DAA+D,EAAE,MAAM,EAAE,0CAA0C,EAAE;IAEhI,kEAAkE;IAClE,EAAE,OAAO,EAAE,+EAA+E,EAAE,MAAM,EAAE,oCAAoC,EAAE;CAC3I,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAsB;IACjD;QACE,OAAO,EAAE,oCAAoC;QAC7C,MAAM,EAAE,wEAAwE;KACjF;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,MAAM,EAAE,6DAA6D;KACtE;IACD;QACE,OAAO,EAAE,qCAAqC;QAC9C,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,0DAA0D;KACnE;IACD;QACE,OAAO,EAAE,yBAAyB;QAClC,MAAM,EAAE,iEAAiE;KAC1E;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,MAAM,EAAE,wDAAwD;KACjE;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,MAAM,EAAE,oDAAoD;KAC7D;IACD;QACE,OAAO,EAAE,eAAe;QACxB,MAAM,EAAE,yDAAyD;KAClE;IACD;QACE,OAAO,EAAE,0BAA0B;QACnC,MAAM,EAAE,2DAA2D;KACpE;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,oDAAoD;IACpD,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,SAAS,EAAE;IACtB,EAAE,OAAO,EAAE,SAAS,EAAE;IAEtB,sDAAsD;IACtD,EAAE,OAAO,EAAE,6BAA6B,EAAE;IAC1C,EAAE,OAAO,EAAE,4BAA4B,EAAE;IACzC,EAAE,OAAO,EAAE,4BAA4B,EAAE;IACzC,EAAE,OAAO,EAAE,2BAA2B,EAAE;IAExC,oDAAoD;IACpD,EAAE,OAAO,EAAE,yFAAyF,EAAE;IACtG,EAAE,OAAO,EAAE,yFAAyF,EAAE;IACtG,EAAE,OAAO,EAAE,6DAA6D,EAAE;IAC1E,EAAE,OAAO,EAAE,mFAAmF,EAAE;IAChG,EAAE,OAAO,EAAE,uFAAuF,EAAE;IAEpG,+DAA+D;IAC/D,EAAE,OAAO,EAAE,gDAAgD,EAAE;IAC7D,EAAE,OAAO,EAAE,wCAAwC,EAAE;IACrD,EAAE,OAAO,EAAE,yCAAyC,EAAE;IACtD,EAAE,OAAO,EAAE,2CAA2C,EAAE;IACxD,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,+CAA+C,EAAE;IAE5D,iCAAiC;IACjC,EAAE,OAAO,EAAE,2BAA2B,EAAE;IACxC,EAAE,OAAO,EAAE,gCAAgC,EAAE;IAE7C,yBAAyB;IACzB,EAAE,OAAO,EAAE,2DAA2D,EAAE;IAExE,iCAAiC;IACjC,EAAE,OAAO,EAAE,8CAA8C,EAAE;IAC3D,EAAE,OAAO,EAAE,qCAAqC,EAAE;IAClD,EAAE,OAAO,EAAE,gEAAgE,EAAE;IAC7E,EAAE,OAAO,EAAE,0CAA0C,EAAE;IACvD,EAAE,OAAO,EAAE,sFAAsF,EAAE;IACnG,EAAE,OAAO,EAAE,4DAA4D,EAAE;IACzE,EAAE,OAAO,EAAE,oGAAoG,EAAE;IACjH,EAAE,OAAO,EAAE,0GAA0G,EAAE;IACvH,EAAE,OAAO,EAAE,+CAA+C,EAAE;IAC5D,EAAE,OAAO,EAAE,sFAAsF,EAAE;IACnG,EAAE,OAAO,EAAE,0EAA0E,EAAE;IACvF,EAAE,OAAO,EAAE,wDAAwD,EAAE;IACrE,EAAE,OAAO,EAAE,+EAA+E,EAAE;IAC5F,EAAE,OAAO,EAAE,+EAA+E,EAAE;IAC5F,EAAE,OAAO,EAAE,oBAAoB,EAAE;IAEjC,8CAA8C;IAC9C,EAAE,OAAO,EAAE,aAAa,EAAE;IAC1B,EAAE,OAAO,EAAE,cAAc,EAAE;IAE3B,gDAAgD;IAChD,EAAE,OAAO,EAAE,UAAU,EAAE;IACvB,EAAE,OAAO,EAAE,iBAAiB,EAAE;CAC/B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,iCAAiC;IACjC;QACE,OAAO,EAAE,+BAA+B;QACxC,MAAM,EAAE,iEAAiE;KAC1E;IAED,sBAAsB;IACtB,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,wDAAwD,EAAE;IAEtF,8DAA8D;IAC9D,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,wDAAwD,EAAE;IAE1F,6BAA6B;IAC7B,EAAE,OAAO,EAAE,0BAA0B,EAAE,MAAM,EAAE,8CAA8C,EAAE;IAC/F,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,kDAAkD,EAAE;IACtF,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,4CAA4C,EAAE;IACjF,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,qDAAqD,EAAE;IAE7F,0EAA0E;IAC1E;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,qDAAqD;KAC9D;IAED,iCAAiC;IACjC,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,sCAAsC,EAAE;IAC5E,EAAE,OAAO,EAAE,6BAA6B,EAAE,MAAM,EAAE,+CAA+C,EAAE;IACnG;QACE,OAAO,EAAE,sDAAsD;QAC/D,MAAM,EAAE,0DAA0D;KACnE;IACD,EAAE,OAAO,EAAE,iCAAiC,EAAE,MAAM,EAAE,4BAA4B,EAAE;IAEpF,qDAAqD;IACrD;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,+DAA+D;KACxE;IACD,EAAE,OAAO,EAAE,mCAAmC,EAAE,MAAM,EAAE,oCAAoC,EAAE;IAC9F,EAAE,OAAO,EAAE,mCAAmC,EAAE,MAAM,EAAE,uDAAuD,EAAE;IACjH;QACE,OAAO,EAAE,4CAA4C;QACrD,MAAM,EAAE,mCAAmC;KAC5C;IAED,wBAAwB;IACxB,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,oDAAoD,EAAE;IAChG,EAAE,OAAO,EAAE,6BAA6B,EAAE,MAAM,EAAE,kDAAkD,EAAE;IAEtG,yBAAyB;IACzB;QACE,OAAO,EAAE,4EAA4E;QACrF,MAAM,EAAE,+DAA+D;KACxE;IACD,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,iDAAiD,EAAE;IAE9F,wBAAwB;IACxB,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,gDAAgD,EAAE;IAE7F,sDAAsD;IACtD;QACE,OAAO,EAAE,gDAAgD;QACzD,MAAM,EAAE,iEAAiE;KAC1E;IAED,0BAA0B;IAC1B,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,8CAA8C,EAAE;CACrG,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,sDAAsD;IACtD;QACE,OAAO,EAAE,mEAAmE;QAC5E,MAAM,EAAE,uEAAuE;KAChF;IAED,wEAAwE;IACxE;QACE,OAAO,EAAE,oBAAoB;QAC7B,MAAM,EAAE,gEAAgE;KACzE;IAED,8DAA8D;IAC9D;QACE,OAAO,EAAE,kDAAkD;QAC3D,MAAM,EAAE,gEAAgE;KACzE;IAED,2CAA2C;IAC3C;QACE,OAAO,EAAE,2BAA2B;QACpC,MAAM,EAAE,iEAAiE;KAC1E;IAED,8BAA8B;IAC9B;QACE,OAAO,EAAE,wBAAwB;QACjC,MAAM,EAAE,gEAAgE;KACzE;IAED,4BAA4B;IAC5B;QACE,OAAO,EAAE,oCAAoC;QAC7C,MAAM,EAAE,+DAA+D;KACxE;CACF,CAAC;AAEF,iEAAiE;AAEjE;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB,EAAE,QAA2B;IAC3E,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAC9D,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;QAChC,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,GAAG,IAAI,KAAK,cAAc,EAAE,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/server/services/deploy/ai-broker.d.ts ADDED Viewed

@@ -0,0 +1,63 @@
+import { Hono } from 'hono';
+import { type HealthUpdateData, type UsageReportData } from './headless-session-handler.js';
+export interface AiBrokerInvokeBody {
+    capability: 'headless' | 'pm-board';
+    deploymentId: string;
+    endUserId: string;
+    prompt: string;
+    boardTemplateId?: string;
+    systemPrompt?: string;
+    allowedTools?: string[];
+    model?: string;
+}
+interface DeployTokenRecord {
+    deploymentId: string;
+    tokenHash: string;
+    capabilities: ('headless' | 'pm-board')[];
+    rateLimit: {
+        maxRequestsPerMinute: number | null;
+        maxConcurrentSessions: number;
+    };
+    aiConfig: {
+        aiEnabled: boolean;
+        defaultSystemPrompt: string | null;
+        defaultModel: string;
+        maxTokensPerRequest: number | null;
+        workingDir: string;
+        allowedBoardTemplateIds: string[];
+        maxConcurrentBoardExecutions: number;
+        maxBoardExecutionsPerMinute: number | null;
+    };
+    /** When set, the deployment requires payment and this URL is returned on 402 */
+    paymentUrl?: string;
+    /** Whether the deployment is currently active */
+    enabled: boolean;
+}
+export declare function registerDeployToken(record: DeployTokenRecord): void;
+export declare function unregisterDeployToken(deploymentId: string): void;
+export declare function getDeployTokenRecord(deploymentId: string): DeployTokenRecord | undefined;
+/**
+ * Update rate limit and AI config on an existing deploy token record.
+ * Called when the server syncs updated deployment config to the CLI.
+ */
+export declare function updateDeployTokenConfig(deploymentId: string, updates: {
+    maxRequestsPerMinute?: number | null;
+    maxConcurrentSessions?: number;
+    maxTokensPerRequest?: number | null;
+    aiEnabled?: boolean;
+}): boolean;
+type UsageReportListener = (report: UsageReportData) => void;
+type HealthUpdateListener = (update: HealthUpdateData) => void;
+/**
+ * Register a listener for deploy usage reports.
+ * Called from the server setup to wire usage reports to the platform connection.
+ */
+export declare function setDeployUsageReportListener(listener: UsageReportListener): void;
+/**
+ * Register a listener for deploy AI health updates.
+ * Called from the server setup to wire health updates to the platform connection.
+ */
+export declare function setDeployHealthUpdateListener(listener: HealthUpdateListener): void;
+export declare function createAiBrokerRoutes(): Hono;
+export {};
+//# sourceMappingURL=ai-broker.d.ts.map

package/dist/server/services/deploy/ai-broker.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ai-broker.d.ts","sourceRoot":"","sources":["../../../../server/services/deploy/ai-broker.ts"],"names":[],"mappings":"AAsBA,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAO1C,OAAO,EAGL,KAAK,gBAAgB,EAErB,KAAK,eAAe,EACrB,MAAM,+BAA+B,CAAC;AAIvC,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,UAAU,GAAG,UAAU,CAAC;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,UAAU,iBAAiB;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,CAAC,UAAU,GAAG,UAAU,CAAC,EAAE,CAAC;IAC1C,SAAS,EAAE;QACT,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;QACpC,qBAAqB,EAAE,MAAM,CAAC;KAC/B,CAAC;IACF,QAAQ,EAAE;QACR,SAAS,EAAE,OAAO,CAAC;QACnB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;QACnC,YAAY,EAAE,MAAM,CAAC;QACrB,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;QACnC,UAAU,EAAE,MAAM,CAAC;QACnB,uBAAuB,EAAE,MAAM,EAAE,CAAC;QAClC,4BAA4B,EAAE,MAAM,CAAC;QACrC,2BAA2B,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5C,CAAC;IACF,gFAAgF;IAChF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,OAAO,EAAE,OAAO,CAAC;CAClB;AAWD,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAEnE;AAED,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAEhE;AAED,wBAAgB,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS,CAExF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE;IACP,oBAAoB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB,GACA,OAAO,CAkBT;AAID,KAAK,mBAAmB,GAAG,CAAC,MAAM,EAAE,eAAe,KAAK,IAAI,CAAC;AAC7D,KAAK,oBAAoB,GAAG,CAAC,MAAM,EAAE,gBAAgB,KAAK,IAAI,CAAC;AAK/D;;;GAGG;AACH,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAEhF;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,oBAAoB,GAAG,IAAI,CAElF;AA8ID,wBAAgB,oBAAoB,IAAI,IAAI,CAoD3C"}

package/dist/server/services/deploy/ai-broker.js ADDED Viewed

@@ -0,0 +1,360 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * AI Broker — HTTP endpoint for developer backends to invoke AI execution.
+ *
+ * POST /api/deploy/ai/invoke
+ *   Accepts { capability, deploymentId, endUserId, prompt, ... }
+ *   Authorization: Bearer <deploy-token>
+ *
+ * GET /api/deploy/ai/jobs/:jobId
+ *   Poll board execution status.
+ *
+ * Deploy tokens are per-deployment. The CLI stores the SHA-256 hash; the
+ * developer's backend sends the raw token. We hash the incoming token and
+ * compare against the stored hash.
+ *
+ * Headless sessions return SSE (text/event-stream).
+ * Board executions return { jobId, statusUrl } immediately.
+ */
+import { createHash } from 'node:crypto';
+import { Hono } from 'hono';
+import { streamSSE } from 'hono/streaming';
+import { getBoardExecutionStatus, startBoardExecution, } from './board-execution-handler.js';
+import { handleHeadlessSession, } from './headless-session-handler.js';
+// ========== Token Store ==========
+/**
+ * In-memory store for deploy tokens. Populated when deployments are created
+ * via the WebSocket handlers. Each entry maps a deployment ID to its
+ * hashed token and configuration.
+ */
+const tokenStore = new Map();
+export function registerDeployToken(record) {
+    tokenStore.set(record.deploymentId, record);
+}
+export function unregisterDeployToken(deploymentId) {
+    tokenStore.delete(deploymentId);
+}
+export function getDeployTokenRecord(deploymentId) {
+    return tokenStore.get(deploymentId);
+}
+/**
+ * Update rate limit and AI config on an existing deploy token record.
+ * Called when the server syncs updated deployment config to the CLI.
+ */
+export function updateDeployTokenConfig(deploymentId, updates) {
+    const record = tokenStore.get(deploymentId);
+    if (!record)
+        return false;
+    if (updates.maxRequestsPerMinute !== undefined) {
+        record.rateLimit.maxRequestsPerMinute = updates.maxRequestsPerMinute;
+    }
+    if (updates.maxConcurrentSessions !== undefined) {
+        record.rateLimit.maxConcurrentSessions = updates.maxConcurrentSessions;
+    }
+    if (updates.maxTokensPerRequest !== undefined) {
+        record.aiConfig.maxTokensPerRequest = updates.maxTokensPerRequest;
+    }
+    if (updates.aiEnabled !== undefined) {
+        record.aiConfig.aiEnabled = updates.aiEnabled;
+    }
+    return true;
+}
+let usageReportListener = null;
+let healthUpdateListener = null;
+/**
+ * Register a listener for deploy usage reports.
+ * Called from the server setup to wire usage reports to the platform connection.
+ */
+export function setDeployUsageReportListener(listener) {
+    usageReportListener = listener;
+}
+/**
+ * Register a listener for deploy AI health updates.
+ * Called from the server setup to wire health updates to the platform connection.
+ */
+export function setDeployHealthUpdateListener(listener) {
+    healthUpdateListener = listener;
+}
+// ========== Token Validation ==========
+function hashToken(token) {
+    return createHash('sha256').update(token).digest('hex');
+}
+function extractBearerToken(authHeader) {
+    if (!authHeader)
+        return null;
+    const match = authHeader.match(/^Bearer\s+(.+)$/i);
+    return match ? match[1] : null;
+}
+/**
+ * Validate a deploy token against the stored hash.
+ * Returns the token record if valid, null otherwise.
+ */
+function validateDeployToken(rawToken, deploymentId) {
+    const record = tokenStore.get(deploymentId);
+    if (!record)
+        return null;
+    const incomingHash = hashToken(rawToken);
+    if (incomingHash !== record.tokenHash)
+        return null;
+    return record;
+}
+const brokerRateBuckets = new Map();
+function getBucket(key) {
+    let bucket = brokerRateBuckets.get(key);
+    if (!bucket) {
+        bucket = { timestamps: [], activeSessions: 0 };
+        brokerRateBuckets.set(key, bucket);
+    }
+    return bucket;
+}
+function pruneTimestamps(bucket) {
+    const oneMinuteAgo = Date.now() - 60_000;
+    while (bucket.timestamps.length > 0 && bucket.timestamps[0] < oneMinuteAgo) {
+        bucket.timestamps.shift();
+    }
+}
+function checkBrokerRateLimit(record) {
+    const bucket = getBucket(record.deploymentId);
+    if (bucket.activeSessions >= record.rateLimit.maxConcurrentSessions) {
+        return { limited: true, retryAfterMs: 5_000 };
+    }
+    if (record.rateLimit.maxRequestsPerMinute !== null) {
+        pruneTimestamps(bucket);
+        if (bucket.timestamps.length >= record.rateLimit.maxRequestsPerMinute) {
+            // Calculate retry-after based on oldest timestamp expiry
+            const oldestTs = bucket.timestamps[0];
+            const retryAfterMs = oldestTs + 60_000 - Date.now();
+            return { limited: true, retryAfterMs: Math.max(1_000, retryAfterMs) };
+        }
+    }
+    return { limited: false };
+}
+function recordBrokerRequestStart(deploymentId) {
+    const bucket = getBucket(deploymentId);
+    bucket.timestamps.push(Date.now());
+    bucket.activeSessions++;
+}
+function recordBrokerRequestEnd(deploymentId) {
+    const bucket = getBucket(deploymentId);
+    bucket.activeSessions = Math.max(0, bucket.activeSessions - 1);
+}
+function validateBody(body) {
+    if (!body.capability || !body.deploymentId || !body.endUserId || !body.prompt) {
+        return 'Missing required fields: capability, deploymentId, endUserId, prompt';
+    }
+    if (body.capability !== 'headless' && body.capability !== 'pm-board') {
+        return "Invalid capability. Must be 'headless' or 'pm-board'";
+    }
+    if (body.capability === 'pm-board' && !body.boardTemplateId) {
+        return "boardTemplateId is required when capability is 'pm-board'";
+    }
+    return null;
+}
+function validateTokenAndConfig(rawToken, body) {
+    const record = validateDeployToken(rawToken, body.deploymentId);
+    if (!record) {
+        return { ok: false, error: 'Invalid deploy token', status: 401 };
+    }
+    if (!record.enabled) {
+        return { ok: false, error: 'Deployment is disabled', status: 403 };
+    }
+    if (!record.aiConfig.aiEnabled) {
+        return { ok: false, error: 'AI features are not enabled for this deployment', status: 403 };
+    }
+    if (!record.capabilities.includes(body.capability)) {
+        return { ok: false, error: `Capability '${body.capability}' is not enabled for this deployment`, status: 403 };
+    }
+    const rateCheck = checkBrokerRateLimit(record);
+    if (rateCheck.limited) {
+        const retryAfterSec = Math.ceil((rateCheck.retryAfterMs ?? 5_000) / 1_000);
+        return {
+            ok: false,
+            error: 'Rate limit exceeded. Try again later.',
+            status: 429,
+            headers: { 'Retry-After': String(retryAfterSec) },
+        };
+    }
+    return { ok: true, body, record };
+}
+// ========== Route Factory ==========
+export function createAiBrokerRoutes() {
+    const routes = new Hono();
+    // ── POST /invoke — trigger AI execution ────────────────────
+    routes.post('/invoke', async (c) => {
+        const rawToken = extractBearerToken(c.req.header('Authorization'));
+        if (!rawToken) {
+            return c.json({ error: 'Missing or malformed Authorization header. Expected: Bearer <deploy-token>' }, 401);
+        }
+        let body;
+        try {
+            body = await c.req.json();
+        }
+        catch {
+            return c.json({ error: 'Invalid JSON body' }, 400);
+        }
+        const bodyError = validateBody(body);
+        if (bodyError) {
+            return c.json({ error: bodyError }, 400);
+        }
+        const validation = validateTokenAndConfig(rawToken, body);
+        if (!validation.ok) {
+            return c.json({ error: validation.error }, { status: validation.status, headers: validation.headers });
+        }
+        if (body.capability === 'headless') {
+            return handleHeadlessInvoke(c, body, validation.record);
+        }
+        return handleBoardInvoke(c, body, validation.record);
+    });
+    // ── GET /jobs/:jobId — poll board execution status ─────────
+    routes.get('/jobs/:jobId', (c) => {
+        const { jobId } = c.req.param();
+        const endUserId = c.req.query('endUserId');
+        const status = getBoardExecutionStatus(jobId, endUserId ?? undefined);
+        if (!status) {
+            return c.json({ error: 'Job not found' }, 404);
+        }
+        return c.json(status);
+    });
+    return routes;
+}
+// ========== Headless Dispatch ==========
+async function handleHeadlessInvoke(c, body, record) {
+    const config = {
+        deploymentId: record.deploymentId,
+        aiEnabled: record.aiConfig.aiEnabled,
+        allowedAiCapabilities: record.capabilities,
+        maxTokensPerRequest: record.aiConfig.maxTokensPerRequest,
+        maxRequestsPerMinute: record.rateLimit.maxRequestsPerMinute,
+        maxConcurrentSessions: record.rateLimit.maxConcurrentSessions,
+        defaultSystemPrompt: record.aiConfig.defaultSystemPrompt,
+        defaultModel: record.aiConfig.defaultModel,
+        workingDir: record.aiConfig.workingDir,
+    };
+    recordBrokerRequestStart(record.deploymentId);
+    // Stream headless session output as SSE
+    return streamSSE(c, async (stream) => {
+        let resultSent = false;
+        const callbacks = {
+            onOutput: (text) => {
+                stream.writeSSE({ event: 'output', data: text }).catch(() => { });
+            },
+            onThinking: (text) => {
+                stream.writeSSE({ event: 'thinking', data: text }).catch(() => { });
+            },
+            onToolUse: (event) => {
+                stream.writeSSE({ event: 'tool_use', data: JSON.stringify(event) }).catch(() => { });
+            },
+            onUsageReport: (report) => {
+                usageReportListener?.(report);
+            },
+            onHealthUpdate: (update) => {
+                healthUpdateListener?.(update);
+            },
+        };
+        try {
+            const result = await handleHeadlessSession({
+                prompt: body.prompt,
+                systemPrompt: body.systemPrompt,
+                allowedTools: body.allowedTools,
+                model: body.model,
+                endUserId: body.endUserId,
+            }, config, callbacks);
+            if (result.ok) {
+                await stream.writeSSE({
+                    event: 'done',
+                    data: JSON.stringify({
+                        sessionId: result.result.sessionId,
+                        completed: result.result.completed,
+                        totalTokens: result.result.totalTokens,
+                        durationMs: result.result.durationMs,
+                    }),
+                });
+            }
+            else {
+                // Map error codes to appropriate SSE error events
+                const statusCode = mapErrorCodeToStatus(result.error.code);
+                const errorData = {
+                    code: result.error.code,
+                    message: result.error.message,
+                    statusCode,
+                };
+                if (statusCode === 402 && record.paymentUrl) {
+                    errorData.paymentUrl = record.paymentUrl;
+                }
+                await stream.writeSSE({
+                    event: 'error',
+                    data: JSON.stringify(errorData),
+                });
+            }
+            resultSent = true;
+        }
+        catch (error) {
+            if (!resultSent) {
+                const message = error instanceof Error ? error.message : String(error);
+                await stream.writeSSE({
+                    event: 'error',
+                    data: JSON.stringify({ code: 'EXECUTION_FAILED', message }),
+                }).catch(() => { });
+            }
+        }
+        finally {
+            recordBrokerRequestEnd(record.deploymentId);
+        }
+    });
+}
+// ========== Board Dispatch ==========
+function handleBoardInvoke(c, body, record) {
+    const config = {
+        deploymentId: record.deploymentId,
+        aiEnabled: record.aiConfig.aiEnabled,
+        allowedAiCapabilities: record.capabilities.map((cap) => cap === 'pm-board' ? 'board-execution' : cap),
+        allowedBoardTemplateIds: record.aiConfig.allowedBoardTemplateIds,
+        maxConcurrentBoardExecutions: record.aiConfig.maxConcurrentBoardExecutions,
+        maxBoardExecutionsPerMinute: record.aiConfig.maxBoardExecutionsPerMinute,
+        defaultModel: record.aiConfig.defaultModel,
+        workingDir: record.aiConfig.workingDir,
+    };
+    const result = startBoardExecution({
+        boardTemplateId: body.boardTemplateId,
+        endUserPrompt: body.prompt,
+        endUserId: body.endUserId,
+        deploymentId: body.deploymentId,
+    }, config);
+    if (!result.ok) {
+        const statusCode = mapErrorCodeToStatus(result.error.code);
+        const body = { error: result.error.message, code: result.error.code };
+        if (statusCode === 402 && record.paymentUrl) {
+            body.paymentUrl = record.paymentUrl;
+        }
+        return c.json(body, statusCode);
+    }
+    // Construct polling URL relative to the request
+    const host = c.req.header('Host') || 'localhost';
+    const protocol = c.req.header('X-Forwarded-Proto') || 'http';
+    const statusUrl = `${protocol}://${host}/api/deploy/ai/jobs/${result.jobId}`;
+    return c.json({
+        jobId: result.jobId,
+        statusUrl,
+    }, 202);
+}
+// ========== Error Mapping ==========
+function mapErrorCodeToStatus(code) {
+    switch (code) {
+        case 'CAPABILITY_DENIED':
+        case 'AI_DISABLED':
+            return 403;
+        case 'RATE_LIMIT_EXCEEDED':
+        case 'CONCURRENT_LIMIT_EXCEEDED':
+            return 429;
+        case 'INVALID_REQUEST':
+        case 'INVALID_BOARD_TEMPLATE':
+        case 'BOARD_TEMPLATE_NOT_FOUND':
+            return 400;
+        case 'PAYMENT_REQUIRED':
+            return 402;
+        default:
+            return 500;
+    }
+}
+//# sourceMappingURL=ai-broker.js.map

package/dist/server/services/deploy/ai-broker.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ai-broker.js","sourceRoot":"","sources":["../../../../server/services/deploy/ai-broker.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAEL,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAIL,qBAAqB,GAEtB,MAAM,+BAA+B,CAAC;AAuCvC,oCAAoC;AAEpC;;;;GAIG;AACH,MAAM,UAAU,GAAG,IAAI,GAAG,EAA6B,CAAC;AAExD,MAAM,UAAU,mBAAmB,CAAC,MAAyB;IAC3D,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,YAAoB;IACxD,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,YAAoB;IACvD,OAAO,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,YAAoB,EACpB,OAKC;IAED,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC5C,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,IAAI,OAAO,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;QAC/C,MAAM,CAAC,SAAS,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IACvE,CAAC;IACD,IAAI,OAAO,CAAC,qBAAqB,KAAK,SAAS,EAAE,CAAC;QAChD,MAAM,CAAC,SAAS,CAAC,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IACzE,CAAC;IACD,IAAI,OAAO,CAAC,mBAAmB,KAAK,SAAS,EAAE,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,CAAC,QAAQ,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IAChD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAOD,IAAI,mBAAmB,GAA+B,IAAI,CAAC;AAC3D,IAAI,oBAAoB,GAAgC,IAAI,CAAC;AAE7D;;;GAGG;AACH,MAAM,UAAU,4BAA4B,CAAC,QAA6B;IACxE,mBAAmB,GAAG,QAAQ,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,6BAA6B,CAAC,QAA8B;IAC1E,oBAAoB,GAAG,QAAQ,CAAC;AAClC,CAAC;AAED,yCAAyC;AAEzC,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,kBAAkB,CAAC,UAA8B;IACxD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACnD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAC1B,QAAgB,EAChB,YAAoB;IAEpB,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC5C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,YAAY,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,YAAY,KAAK,MAAM,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAEnD,OAAO,MAAM,CAAC;AAChB,CAAC;AASD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA4B,CAAC;AAE9D,SAAS,SAAS,CAAC,GAAW;IAC5B,IAAI,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC;QAC/C,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CAAC,MAAwB;IAC/C,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;IACzC,OAAO,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,YAAY,EAAE,CAAC;QAC3E,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAC3B,MAAyB;IAEzB,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAE9C,IAAI,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,SAAS,CAAC,qBAAqB,EAAE,CAAC;QACpE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,CAAC,oBAAoB,KAAK,IAAI,EAAE,CAAC;QACnD,eAAe,CAAC,MAAM,CAAC,CAAC;QACxB,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,CAAC,oBAAoB,EAAE,CAAC;YACtE,yDAAyD;YACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACtC,MAAM,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACpD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,YAAY,CAAC,EAAE,CAAC;QACxE,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,wBAAwB,CAAC,YAAoB;IACpD,MAAM,MAAM,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;IACvC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACnC,MAAM,CAAC,cAAc,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,sBAAsB,CAAC,YAAoB;IAClD,MAAM,MAAM,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;IACvC,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC;AACjE,CAAC;AAQD,SAAS,YAAY,CAAC,IAAwB;IAC5C,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QAC9E,OAAO,sEAAsE,CAAC;IAChF,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,KAAK,UAAU,IAAI,IAAI,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QACrE,OAAO,sDAAsD,CAAC;IAChE,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,KAAK,UAAU,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;QAC5D,OAAO,2DAA2D,CAAC;IACrE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,sBAAsB,CAC7B,QAAgB,EAChB,IAAwB;IAExB,MAAM,MAAM,GAAG,mBAAmB,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAChE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACnE,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACrE,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QAC/B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,iDAAiD,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IAC9F,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,IAAI,CAAC,UAAU,sCAAsC,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACjH,CAAC;IAED,MAAM,SAAS,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QACtB,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,IAAI,KAAK,CAAC,GAAG,KAAK,CAAC,CAAC;QAC3E,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,uCAAuC;YAC9C,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,EAAE;SAClD,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AACpC,CAAC;AAED,sCAAsC;AAEtC,MAAM,UAAU,oBAAoB;IAClC,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IAE1B,8DAA8D;IAE9D,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACjC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;QACnE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4EAA4E,EAAE,EAAE,GAAG,CAAC,CAAC;QAC9G,CAAC;QAED,IAAI,IAAwB,CAAC;QAC7B,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAsB,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,GAAG,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,UAAU,GAAG,sBAAsB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;YACnB,OAAO,CAAC,CAAC,IAAI,CACX,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,EAC3B,EAAE,MAAM,EAAE,UAAU,CAAC,MAAa,EAAE,OAAO,EAAE,UAAU,CAAC,OAAO,EAAE,CAClE,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YACnC,OAAO,oBAAoB,CAAC,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,iBAAiB,CAAC,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,8DAA8D;IAE9D,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE;QAC/B,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,uBAAuB,CAAC,KAAK,EAAE,SAAS,IAAI,SAAS,CAAC,CAAC;QACtE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,GAAG,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,0CAA0C;AAE1C,KAAK,UAAU,oBAAoB,CACjC,CAAU,EACV,IAAwB,EACxB,MAAyB;IAEzB,MAAM,MAAM,GAAuB;QACjC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,SAAS;QACpC,qBAAqB,EAAE,MAAM,CAAC,YAAY;QAC1C,mBAAmB,EAAE,MAAM,CAAC,QAAQ,CAAC,mBAAmB;QACxD,oBAAoB,EAAE,MAAM,CAAC,SAAS,CAAC,oBAAoB;QAC3D,qBAAqB,EAAE,MAAM,CAAC,SAAS,CAAC,qBAAqB;QAC7D,mBAAmB,EAAE,MAAM,CAAC,QAAQ,CAAC,mBAAmB;QACxD,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,YAAY;QAC1C,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU;KACvC,CAAC;IAEF,wBAAwB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAE9C,wCAAwC;IACxC,OAAO,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;QACnC,IAAI,UAAU,GAAG,KAAK,CAAC;QAEvB,MAAM,SAAS,GAAmC;YAChD,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE;gBACjB,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACnE,CAAC;YACD,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE;gBACnB,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACrE,CAAC;YACD,SAAS,EAAE,CAAC,KAAK,EAAE,EAAE;gBACnB,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACtF,CAAC;YACD,aAAa,EAAE,CAAC,MAAM,EAAE,EAAE;gBACxB,mBAAmB,EAAE,CAAC,MAAM,CAAC,CAAC;YAChC,CAAC;YACD,cAAc,EAAE,CAAC,MAAM,EAAE,EAAE;gBACzB,oBAAoB,EAAE,CAAC,MAAM,CAAC,CAAC;YACjC,CAAC;SACF,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,qBAAqB,CACxC;gBACE,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,YAAY,EAAE,IAAI,CAAC,YAAY;gBAC/B,YAAY,EAAE,IAAI,CAAC,YAAY;gBAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,EACD,MAAM,EACN,SAAS,CACV,CAAC;YAEF,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;gBACd,MAAM,MAAM,CAAC,QAAQ,CAAC;oBACpB,KAAK,EAAE,MAAM;oBACb,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS;wBAClC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS;wBAClC,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW;wBACtC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;qBACrC,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAClD,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC3D,MAAM,SAAS,GAA4B;oBACzC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI;oBACvB,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO;oBAC7B,UAAU;iBACX,CAAC;gBACF,IAAI,UAAU,KAAK,GAAG,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;oBAC5C,SAAS,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;gBAC3C,CAAC;gBACD,MAAM,MAAM,CAAC,QAAQ,CAAC;oBACpB,KAAK,EAAE,OAAO;oBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;iBAChC,CAAC,CAAC;YACL,CAAC;YACD,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACvE,MAAM,MAAM,CAAC,QAAQ,CAAC;oBACpB,KAAK,EAAE,OAAO;oBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC;iBAC5D,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,sBAAsB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,uCAAuC;AAEvC,SAAS,iBAAiB,CACxB,CAAU,EACV,IAAwB,EACxB,MAAyB;IAEzB,MAAM,MAAM,GAAyB;QACnC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,SAAS;QACpC,qBAAqB,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CACrD,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAC7C;QACD,uBAAuB,EAAE,MAAM,CAAC,QAAQ,CAAC,uBAAuB;QAChE,4BAA4B,EAAE,MAAM,CAAC,QAAQ,CAAC,4BAA4B;QAC1E,2BAA2B,EAAE,MAAM,CAAC,QAAQ,CAAC,2BAA2B;QACxE,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,YAAY;QAC1C,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU;KACvC,CAAC;IAEF,MAAM,MAAM,GAAG,mBAAmB,CAChC;QACE,eAAe,EAAE,IAAI,CAAC,eAAgB;QACtC,aAAa,EAAE,IAAI,CAAC,MAAM;QAC1B,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,YAAY,EAAE,IAAI,CAAC,YAAY;KAChC,EACD,MAAM,CACP,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,IAAI,GAA4B,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC/F,IAAI,UAAU,KAAK,GAAG,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YAC5C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QACtC,CAAC;QACD,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,UAAiB,CAAC,CAAC;IACzC,CAAC;IAED,gDAAgD;IAChD,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,WAAW,CAAC;IACjD,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;IAC7D,MAAM,SAAS,GAAG,GAAG,QAAQ,MAAM,IAAI,uBAAuB,MAAM,CAAC,KAAK,EAAE,CAAC;IAE7E,OAAO,CAAC,CAAC,IAAI,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,SAAS;KACV,EAAE,GAAG,CAAC,CAAC;AACV,CAAC;AAED,sCAAsC;AAEtC,SAAS,oBAAoB,CAAC,IAAY;IACxC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,mBAAmB,CAAC;QACzB,KAAK,aAAa;YAChB,OAAO,GAAG,CAAC;QACb,KAAK,qBAAqB,CAAC;QAC3B,KAAK,2BAA2B;YAC9B,OAAO,GAAG,CAAC;QACb,KAAK,iBAAiB,CAAC;QACvB,KAAK,wBAAwB,CAAC;QAC9B,KAAK,0BAA0B;YAC7B,OAAO,GAAG,CAAC;QACb,KAAK,kBAAkB;YACrB,OAAO,GAAG,CAAC;QACb;YACE,OAAO,GAAG,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/server/services/deploy/board-execution-handler.d.ts ADDED Viewed

@@ -0,0 +1,114 @@
+/**
+ * Sanitize an end-user prompt before passing it to the AI.
+ *
+ * SECURITY: End-user prompts are untrusted. This function:
+ * 1. Strips system instruction XML delimiters to prevent prompt escape
+ * 2. Removes null bytes and zero-width characters used for evasion
+ * 3. Truncates to MAX_END_USER_PROMPT_LENGTH
+ *
+ * Note: This does NOT strip tool-use instructions or path traversal text —
+ * those are handled by the Security Bouncer (tool execution level) and
+ * the isolated working directory (filesystem level).
+ */
+export declare function sanitizeEndUserPrompt(prompt: string): string;
+export interface BoardExecutionRequest {
+    /** Board template to execute (must be in deployment's allowedBoardTemplateIds) */
+    boardTemplateId: string;
+    /** The end user's prompt (untrusted input) */
+    endUserPrompt: string;
+    /** Unique identifier for the end user (for isolation + rate tracking) */
+    endUserId: string;
+    /** Deployment that owns this execution */
+    deploymentId: string;
+}
+export interface BoardExecutionConfig {
+    deploymentId: string;
+    aiEnabled: boolean;
+    allowedAiCapabilities: string[];
+    /** Board template IDs this deployment is allowed to execute */
+    allowedBoardTemplateIds: string[];
+    /** Max concurrent board executions per deployment */
+    maxConcurrentBoardExecutions: number;
+    /** Max board executions per minute (null = unlimited) */
+    maxBoardExecutionsPerMinute: number | null;
+    defaultModel: string;
+    workingDir: string;
+}
+export type BoardExecutionErrorCode = 'CAPABILITY_DENIED' | 'AI_DISABLED' | 'INVALID_BOARD_TEMPLATE' | 'BOARD_TEMPLATE_NOT_FOUND' | 'RATE_LIMIT_EXCEEDED' | 'CONCURRENT_LIMIT_EXCEEDED' | 'INVALID_REQUEST' | 'EXECUTION_FAILED';
+export interface BoardExecutionError {
+    code: BoardExecutionErrorCode;
+    message: string;
+}
+export type BoardExecutionJobStatus = 'customizing' | 'executing' | 'completed' | 'failed' | 'cancelled';
+export interface BoardExecutionProgress {
+    phase: 'isolating' | 'customizing' | 'executing' | 'collecting' | 'done';
+    issuesTotal: number;
+    issuesCompleted: number;
+    currentWaveIds: string[];
+}
+export interface BoardExecutionJobResult {
+    completed: boolean;
+    issuesTotal: number;
+    issuesCompleted: number;
+    issuesFailed: number;
+    /** Output artifact contents keyed by filename */
+    outputs: Record<string, string>;
+    durationMs: number;
+}
+export interface BoardExecutionStatusResult {
+    jobId: string;
+    status: BoardExecutionJobStatus;
+    progress: BoardExecutionProgress;
+    result: BoardExecutionJobResult | null;
+    error: string | null;
+}
+export type StartBoardExecutionResult = {
+    ok: true;
+    jobId: string;
+} | {
+    ok: false;
+    error: BoardExecutionError;
+};
+/**
+ * Start a board execution for an end user. Returns a job ID immediately.
+ * The execution runs asynchronously — poll with getBoardExecutionStatus().
+ *
+ * Validates the deployment config, checks rate limits, verifies the board
+ * template exists and is allowed, then launches the background execution.
+ *
+ * @returns Structured result with either the job ID or an error.
+ */
+export declare function startBoardExecution(request: BoardExecutionRequest, config: BoardExecutionConfig): StartBoardExecutionResult;
+/**
+ * Get the current status of a board execution job.
+ *
+ * Optionally pass endUserId to enforce isolation — returns null if the
+ * job belongs to a different end user.
+ *
+ * @returns Job status or null if not found / access denied.
+ */
+export declare function getBoardExecutionStatus(jobId: string, endUserId?: string): BoardExecutionStatusResult | null;
+/**
+ * Get the current rate limit state for a deployment's board executions.
+ * Useful for status/monitoring endpoints.
+ */
+export declare function getDeploymentBoardExecutionState(deploymentId: string): {
+    executionsInLastMinute: number;
+    activeExecutions: number;
+};
+/**
+ * Reset rate limit state for a deployment's board executions.
+ * Call when a deployment is deleted.
+ */
+export declare function resetDeploymentBoardExecutionRateLimit(deploymentId: string): void;
+/**
+ * Sweep stale isolated directories left behind by crashed executions.
+ *
+ * Board execution creates temp dirs prefixed with 'mstro-board-exec-'.
+ * If the process crashes before cleanup, these dirs leak. This function
+ * removes any that are older than the retention window + buffer.
+ *
+ * Safe to call on startup or periodically.
+ */
+export declare function sweepStaleIsolatedDirs(): number;
+//# sourceMappingURL=board-execution-handler.d.ts.map