npm - neotoma - Versions diffs - 0.10.1 → 0.11.1 - Mend

neotoma 0.10.1 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (301) hide show

package/README.md +2 -2
package/dist/actions.d.ts +4 -10
package/dist/actions.d.ts.map +1 -1
package/dist/actions.js +41 -48
package/dist/actions.js.map +1 -1
package/dist/cli/aauth_signer.d.ts +9 -2
package/dist/cli/aauth_signer.d.ts.map +1 -1
package/dist/cli/aauth_signer.js +25 -7
package/dist/cli/aauth_signer.js.map +1 -1
package/dist/cli/agent_instructions_scan.d.ts +12 -3
package/dist/cli/agent_instructions_scan.d.ts.map +1 -1
package/dist/cli/agent_instructions_scan.js +55 -64
package/dist/cli/agent_instructions_scan.js.map +1 -1
package/dist/cli/bootstrap.js +0 -0
package/dist/cli/config.d.ts +10 -0
package/dist/cli/config.d.ts.map +1 -1
package/dist/cli/config.js +70 -7
package/dist/cli/config.js.map +1 -1
package/dist/cli/harness_configure.d.ts +36 -0
package/dist/cli/harness_configure.d.ts.map +1 -0
package/dist/cli/harness_configure.js +42 -0
package/dist/cli/harness_configure.js.map +1 -0
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +330 -253
package/dist/cli/index.js.map +1 -1
package/dist/cli/inspector_admin_unlock_url.d.ts +13 -0
package/dist/cli/inspector_admin_unlock_url.d.ts.map +1 -0
package/dist/cli/inspector_admin_unlock_url.js +36 -0
package/dist/cli/inspector_admin_unlock_url.js.map +1 -0
package/dist/cli/mcp_config_scan.d.ts +1 -0
package/dist/cli/mcp_config_scan.d.ts.map +1 -1
package/dist/cli/mcp_config_scan.js +34 -12
package/dist/cli/mcp_config_scan.js.map +1 -1
package/dist/cli/setup.d.ts +6 -2
package/dist/cli/setup.d.ts.map +1 -1
package/dist/cli/setup.js +26 -8
package/dist/cli/setup.js.map +1 -1
package/dist/cli/setup_runners.d.ts +16 -0
package/dist/cli/setup_runners.d.ts.map +1 -0
package/dist/cli/setup_runners.js +141 -0
package/dist/cli/setup_runners.js.map +1 -0
package/dist/config.d.ts +2 -0
package/dist/config.d.ts.map +1 -1
package/dist/config.js +3 -0
package/dist/config.js.map +1 -1
package/dist/core/operations.d.ts +2 -2
package/dist/core/operations.d.ts.map +1 -1
package/dist/core/operations.js +2 -2
package/dist/core/operations.js.map +1 -1
package/dist/mcp_instruction_doc.d.ts +11 -0
package/dist/mcp_instruction_doc.d.ts.map +1 -0
package/dist/mcp_instruction_doc.js +39 -0
package/dist/mcp_instruction_doc.js.map +1 -0
package/dist/proxy/mcp_stdio_proxy.d.ts.map +1 -1
package/dist/proxy/mcp_stdio_proxy.js +23 -7
package/dist/proxy/mcp_stdio_proxy.js.map +1 -1
package/dist/server.d.ts +5 -8
package/dist/server.d.ts.map +1 -1
package/dist/server.js +37 -22
package/dist/server.js.map +1 -1
package/dist/services/agent_capabilities.d.ts +1 -1
package/dist/services/agent_capabilities.d.ts.map +1 -1
package/dist/services/agent_capabilities.js +7 -1
package/dist/services/agent_capabilities.js.map +1 -1
package/dist/services/agent_grants.d.ts.map +1 -1
package/dist/services/agent_grants.js +1 -0
package/dist/services/agent_grants.js.map +1 -1
package/dist/services/dashboard_stats.d.ts.map +1 -1
package/dist/services/dashboard_stats.js +3 -0
package/dist/services/dashboard_stats.js.map +1 -1
package/dist/services/observation_storage.js +1 -1
package/dist/services/observation_storage.js.map +1 -1
package/dist/services/root_landing/harness_snippets.js +1 -1
package/dist/services/root_landing/harness_snippets.js.map +1 -1
package/dist/services/root_landing/html_template.d.ts.map +1 -1
package/dist/services/root_landing/html_template.js +12 -4
package/dist/services/root_landing/html_template.js.map +1 -1
package/dist/services/root_landing/index.d.ts.map +1 -1
package/dist/services/root_landing/index.js +32 -9
package/dist/services/root_landing/index.js.map +1 -1
package/dist/services/root_landing/md_template.d.ts.map +1 -1
package/dist/services/root_landing/md_template.js +3 -0
package/dist/services/root_landing/md_template.js.map +1 -1
package/dist/shared/contract_mappings.d.ts.map +1 -1
package/dist/shared/contract_mappings.js +4 -13
package/dist/shared/contract_mappings.js.map +1 -1
package/dist/shared/openapi_types.d.ts +3 -44
package/dist/shared/openapi_types.d.ts.map +1 -1
package/dist/tool_definitions.d.ts +1 -1
package/dist/tool_definitions.d.ts.map +1 -1
package/dist/tool_definitions.js +5 -40
package/dist/tool_definitions.js.map +1 -1
package/dist/utils/local_http_port_file.d.ts +16 -0
package/dist/utils/local_http_port_file.d.ts.map +1 -0
package/dist/utils/local_http_port_file.js +46 -0
package/dist/utils/local_http_port_file.js.map +1 -0
package/docs/developer/mcp/instructions.md +211 -0
package/openapi.yaml +2 -17
package/package.json +4 -3
package/skills/store-data/SKILL.md +1 -3
package/dist/cli/auth_keygen.d.ts +0 -11
package/dist/cli/auth_keygen.d.ts.map +0 -1
package/dist/cli/auth_keygen.js +0 -110
package/dist/cli/auth_keygen.js.map +0 -1
package/dist/cli/packs.d.ts +0 -15
package/dist/cli/packs.d.ts.map +0 -1
package/dist/cli/packs.js +0 -156
package/dist/cli/packs.js.map +0 -1
package/dist/inspector/assets/Combination-BM2JQOww.js +0 -41
package/dist/inspector/assets/agent_badge-CpN0F7Uw.js +0 -1
package/dist/inspector/assets/agent_detail-BiJ3HPkP.js +0 -1
package/dist/inspector/assets/agent_filter-BazKcQ9w.js +0 -1
package/dist/inspector/assets/agent_grant_detail-DXgCn9N4.js +0 -1
package/dist/inspector/assets/agent_grant_form-DZQjBAcw.js +0 -1
package/dist/inspector/assets/agent_grants-DCKfkpwq.js +0 -1
package/dist/inspector/assets/agents-ThrWnZTX.js +0 -1
package/dist/inspector/assets/arrow-left-DaYPjbWH.js +0 -6
package/dist/inspector/assets/attribution_card-D8wccbDX.js +0 -1
package/dist/inspector/assets/attribution_summary-Ds3UqXE_.js +0 -1
package/dist/inspector/assets/card-gNKW1s0y.js +0 -1
package/dist/inspector/assets/check-CsKn_Wh2.js +0 -6
package/dist/inspector/assets/checkbox-Ckyj4vrh.js +0 -1
package/dist/inspector/assets/chevron-down-7OlcRYdt.js +0 -6
package/dist/inspector/assets/chevron-right-BLI_oHPA.js +0 -6
package/dist/inspector/assets/compliance-CBrpHE20.js +0 -1
package/dist/inspector/assets/confirm-dialog--bNglOrP.js +0 -6
package/dist/inspector/assets/conversation_common-BtftGfBd.js +0 -1
package/dist/inspector/assets/conversation_detail-DcL600xx.js +0 -1
package/dist/inspector/assets/copy_id_button-V_cdlRRU.js +0 -6
package/dist/inspector/assets/corrections-CSny2Vo_.js +0 -1
package/dist/inspector/assets/dashboard-QDIRlmWG.js +0 -73
package/dist/inspector/assets/data-table-qmF3Z4gV.js +0 -22
package/dist/inspector/assets/dialog-DYUGw6eQ.js +0 -10
package/dist/inspector/assets/dropdown-menu-F92-sh_x.js +0 -6
package/dist/inspector/assets/entities-Dsipnex_.js +0 -1
package/dist/inspector/assets/entity_detail-BfgIPU8x.js +0 -17
package/dist/inspector/assets/entity_link-Ux3LzoaM.js +0 -1
package/dist/inspector/assets/external-link-CWkNK5Tk.js +0 -6
package/dist/inspector/assets/feedback-CJK1vjsI.js +0 -35
package/dist/inspector/assets/graph_explorer-BZV40eAE.css +0 -1
package/dist/inspector/assets/graph_explorer-BmseNUoQ.js +0 -23
package/dist/inspector/assets/index-BAvZ5vLC.css +0 -1
package/dist/inspector/assets/index-BykFtejE.js +0 -1
package/dist/inspector/assets/index-CYCtoVGs.js +0 -224
package/dist/inspector/assets/index-DV_dUptd.js +0 -1
package/dist/inspector/assets/index-DwNCMlAU.js +0 -1
package/dist/inspector/assets/interpretations-CMfzQ1Ln.js +0 -1
package/dist/inspector/assets/interpretations-T0E9nJx-.js +0 -1
package/dist/inspector/assets/json_viewer-Bq_YbebZ.js +0 -1
package/dist/inspector/assets/label-Bl-6LEeg.js +0 -1
package/dist/inspector/assets/live_relative_time-B1_XT7na.js +0 -1
package/dist/inspector/assets/observations-DBIz6sjx.js +0 -1
package/dist/inspector/assets/page_shell-BEmO9wa5.js +0 -1
package/dist/inspector/assets/pagination-BUY-_ZUw.js +0 -6
package/dist/inspector/assets/pdf.worker.min-yatZIOMy.mjs +0 -21
package/dist/inspector/assets/plus-CN3iw613.js +0 -6
package/dist/inspector/assets/query_loading-BFETHugg.js +0 -1
package/dist/inspector/assets/query_refresh_indicator-BvQCvZ7y.js +0 -1
package/dist/inspector/assets/recent_activity-8sqCYQa2.js +0 -11
package/dist/inspector/assets/recent_conversations-Dm7bsH19.js +0 -1
package/dist/inspector/assets/recent_conversations-ZmrvYZt6.js +0 -1
package/dist/inspector/assets/recent_records_feed-BCwEB-gO.js +0 -1
package/dist/inspector/assets/relationship_detail-AY29Q_zg.js +0 -1
package/dist/inspector/assets/relationships-BfjaoQF3.js +0 -1
package/dist/inspector/assets/relationships-C9JOmG6k.js +0 -1
package/dist/inspector/assets/sandbox-2sw7hAPG.js +0 -1
package/dist/inspector/assets/schema_detail-BwWRhFNS.js +0 -11
package/dist/inspector/assets/schemas-UX8RWzu0.js +0 -5
package/dist/inspector/assets/search-sJaK1X54.js +0 -1
package/dist/inspector/assets/select-Sk4XRvus.js +0 -6
package/dist/inspector/assets/settings-D9mhRMBN.js +0 -1
package/dist/inspector/assets/source_detail-BAF1G5q0.js +0 -17
package/dist/inspector/assets/source_link-DTok2HA9.js +0 -1
package/dist/inspector/assets/sources-DUcCw0Vc.js +0 -9
package/dist/inspector/assets/switch-DepRZ0--.js +0 -1
package/dist/inspector/assets/tabs-B0Dy5is1.js +0 -1
package/dist/inspector/assets/textarea-pfrE_cJC.js +0 -1
package/dist/inspector/assets/timeline-Bh9ngotn.js +0 -1
package/dist/inspector/assets/timeline-COztEDwn.js +0 -1
package/dist/inspector/assets/timeline_event_detail-CN1g0r15.js +0 -1
package/dist/inspector/assets/trash-2-CGNk7jcZ.js +0 -6
package/dist/inspector/assets/turn_detail-DYjGa2Qt.js +0 -1
package/dist/inspector/assets/turns-qZVfg6Dm.js +0 -1
package/dist/inspector/assets/use_agents-B8yN5BKA.js +0 -1
package/dist/inspector/assets/use_entities-l4hLQEUh.js +0 -1
package/dist/inspector/assets/use_interpretations-B_ssuETV.js +0 -1
package/dist/inspector/assets/use_mutations-BjaD74zY.js +0 -1
package/dist/inspector/assets/use_recent_conversations-BgZIIrU6.js +0 -1
package/dist/inspector/assets/use_relationships-6dqoUmCP.js +0 -1
package/dist/inspector/assets/use_schemas-BkMuCTZx.js +0 -1
package/dist/inspector/assets/use_sources-Bu_vb2VA.js +0 -1
package/dist/inspector/assets/use_stats-DvcjJbZf.js +0 -1
package/dist/inspector/assets/use_timeline-BXlKLsFO.js +0 -1
package/dist/inspector/assets/use_turns-BYjwOq0j.js +0 -1
package/dist/inspector/assets/value-BTdN53H7.js +0 -1
package/dist/inspector/favicon.svg +0 -10
package/dist/inspector/index.html +0 -14
package/dist/services/activation/stage_zero_five.d.ts +0 -62
package/dist/services/activation/stage_zero_five.d.ts.map +0 -1
package/dist/services/activation/stage_zero_five.js +0 -126
package/dist/services/activation/stage_zero_five.js.map +0 -1
package/dist/services/activation/user_preference.d.ts +0 -110
package/dist/services/activation/user_preference.d.ts.map +0 -1
package/dist/services/activation/user_preference.js +0 -98
package/dist/services/activation/user_preference.js.map +0 -1
package/dist/services/activation/vertical_detection.d.ts +0 -78
package/dist/services/activation/vertical_detection.d.ts.map +0 -1
package/dist/services/activation/vertical_detection.js +0 -219
package/dist/services/activation/vertical_detection.js.map +0 -1
package/dist/services/bundled_pages/html_shell.d.ts +0 -118
package/dist/services/bundled_pages/html_shell.d.ts.map +0 -1
package/dist/services/bundled_pages/html_shell.js +0 -242
package/dist/services/bundled_pages/html_shell.js.map +0 -1
package/dist/services/bundled_pages/tokens.d.ts +0 -496
package/dist/services/bundled_pages/tokens.d.ts.map +0 -1
package/dist/services/bundled_pages/tokens.js +0 -261
package/dist/services/bundled_pages/tokens.js.map +0 -1
package/dist/services/compliance/alerting.d.ts +0 -123
package/dist/services/compliance/alerting.d.ts.map +0 -1
package/dist/services/compliance/alerting.js +0 -169
package/dist/services/compliance/alerting.js.map +0 -1
package/dist/services/compliance/historical_backfill.d.ts +0 -74
package/dist/services/compliance/historical_backfill.d.ts.map +0 -1
package/dist/services/compliance/historical_backfill.js +0 -244
package/dist/services/compliance/historical_backfill.js.map +0 -1
package/dist/services/compliance/renderer.d.ts +0 -21
package/dist/services/compliance/renderer.d.ts.map +0 -1
package/dist/services/compliance/renderer.js +0 -208
package/dist/services/compliance/renderer.js.map +0 -1
package/dist/services/compliance/routes.d.ts +0 -55
package/dist/services/compliance/routes.d.ts.map +0 -1
package/dist/services/compliance/routes.js +0 -212
package/dist/services/compliance/routes.js.map +0 -1
package/dist/services/docs_bundle/frontmatter.d.ts +0 -26
package/dist/services/docs_bundle/frontmatter.d.ts.map +0 -1
package/dist/services/docs_bundle/frontmatter.js +0 -50
package/dist/services/docs_bundle/frontmatter.js.map +0 -1
package/dist/services/docs_bundle/loader.d.ts +0 -28
package/dist/services/docs_bundle/loader.d.ts.map +0 -1
package/dist/services/docs_bundle/loader.js +0 -91
package/dist/services/docs_bundle/loader.js.map +0 -1
package/dist/services/docs_bundle/render_html.d.ts +0 -15
package/dist/services/docs_bundle/render_html.d.ts.map +0 -1
package/dist/services/docs_bundle/render_html.js +0 -48
package/dist/services/docs_bundle/render_html.js.map +0 -1
package/dist/services/docs_bundle/types.d.ts +0 -73
package/dist/services/docs_bundle/types.d.ts.map +0 -1
package/dist/services/docs_bundle/types.js +0 -50
package/dist/services/docs_bundle/types.js.map +0 -1
package/dist/services/docs_install/loader.d.ts +0 -25
package/dist/services/docs_install/loader.d.ts.map +0 -1
package/dist/services/docs_install/loader.js +0 -63
package/dist/services/docs_install/loader.js.map +0 -1
package/dist/services/docs_install/renderer.d.ts +0 -40
package/dist/services/docs_install/renderer.d.ts.map +0 -1
package/dist/services/docs_install/renderer.js +0 -323
package/dist/services/docs_install/renderer.js.map +0 -1
package/dist/services/docs_install/routes.d.ts +0 -20
package/dist/services/docs_install/routes.d.ts.map +0 -1
package/dist/services/docs_install/routes.js +0 -117
package/dist/services/docs_install/routes.js.map +0 -1
package/dist/services/oauth_pages/render.d.ts +0 -25
package/dist/services/oauth_pages/render.d.ts.map +0 -1
package/dist/services/oauth_pages/render.js +0 -235
package/dist/services/oauth_pages/render.js.map +0 -1
package/dist/services/root_landing/auth_overview.d.ts +0 -60
package/dist/services/root_landing/auth_overview.d.ts.map +0 -1
package/dist/services/root_landing/auth_overview.js +0 -86
package/dist/services/root_landing/auth_overview.js.map +0 -1
package/dist/services/root_landing/cli_overview.d.ts +0 -34
package/dist/services/root_landing/cli_overview.d.ts.map +0 -1
package/dist/services/root_landing/cli_overview.js +0 -123
package/dist/services/root_landing/cli_overview.js.map +0 -1
package/dist/services/root_landing/http_api_overview.d.ts +0 -34
package/dist/services/root_landing/http_api_overview.d.ts.map +0 -1
package/dist/services/root_landing/http_api_overview.js +0 -110
package/dist/services/root_landing/http_api_overview.js.map +0 -1
package/dist/services/root_landing/mcp_overview.d.ts +0 -34
package/dist/services/root_landing/mcp_overview.d.ts.map +0 -1
package/dist/services/root_landing/mcp_overview.js +0 -133
package/dist/services/root_landing/mcp_overview.js.map +0 -1
package/dist/services/sandbox/inspector_redirect.d.ts +0 -41
package/dist/services/sandbox/inspector_redirect.d.ts.map +0 -1
package/dist/services/sandbox/inspector_redirect.js +0 -59
package/dist/services/sandbox/inspector_redirect.js.map +0 -1
package/dist/services/verticals/baseline_metadata.d.ts +0 -39
package/dist/services/verticals/baseline_metadata.d.ts.map +0 -1
package/dist/services/verticals/baseline_metadata.js +0 -394
package/dist/services/verticals/baseline_metadata.js.map +0 -1
package/dist/services/verticals/entity_type_registry.d.ts +0 -29
package/dist/services/verticals/entity_type_registry.d.ts.map +0 -1
package/dist/services/verticals/entity_type_registry.js +0 -169
package/dist/services/verticals/entity_type_registry.js.map +0 -1
package/dist/services/verticals/install.d.ts +0 -64
package/dist/services/verticals/install.d.ts.map +0 -1
package/dist/services/verticals/install.js +0 -262
package/dist/services/verticals/install.js.map +0 -1
package/dist/services/verticals/registry.d.ts +0 -131
package/dist/services/verticals/registry.d.ts.map +0 -1
package/dist/services/verticals/registry.js +0 -457
package/dist/services/verticals/registry.js.map +0 -1

package/README.md CHANGED Viewed

@@ -100,8 +100,8 @@ The agent handles npm install, initialization, and MCP configuration. **Manual i
 ```bash
 npm install -g neotoma
 neotoma init
+neotoma setup --tool <cursor|claude-code|codex> --yes
 neotoma mcp config
-neotoma mcp check --mcp-transport a
 ```
 More options: [Docker](docs/developer/docker.md) | [CLI reference](docs/developer/cli_reference.md) | [Getting started](docs/developer/getting_started.md)
@@ -221,7 +221,7 @@ Neotoma exposes state via MCP. Local storage only in preview. Local built-in aut
 **Setup guides:** [Cursor](https://neotoma.io/neotoma-with-cursor) · [Claude Code](https://neotoma.io/neotoma-with-claude-code) · [Claude](https://neotoma.io/neotoma-with-claude) · [ChatGPT](https://neotoma.io/neotoma-with-chatgpt) · [Codex](https://neotoma.io/neotoma-with-codex) · [OpenCode](docs/integrations/hooks/opencode.md) · [OpenClaw](https://neotoma.io/neotoma-with-openclaw) · [IronClaw](https://neotoma.io/neotoma-with-ironclaw)
-For local source iteration, use the stable dev shim (`scripts/run_neotoma_mcp_stdio_dev_shim.sh`) or signed shim (`scripts/run_neotoma_mcp_signed_stdio_dev_shim.sh`) instead of pointing installed MCP clients at a `tsx watch` stdio process. `neotoma mcp check` defaults to **`a`**: signed + AAuth with **neotoma-dev → dev** and **neotoma → prod** HTTP `/mcp` behind stdio; use `--mcp-transport c` for direct stdio, **`d`** if both MCP entries should target prod.
+For local source iteration, use the stable dev shim (`scripts/run_neotoma_mcp_stdio_dev_shim.sh`) or signed shim (`scripts/run_neotoma_mcp_signed_stdio_dev_shim.sh`) instead of pointing installed MCP clients at a `tsx watch` stdio process. `neotoma mcp config` defaults to **`b`** for low-friction local stdio setup; use **`a`** for signed + AAuth HTTP `/mcp` proxy entries when the Neotoma API is running, **`c`** for direct stdio, or **`d`** when both MCP entries should target prod.
 **Agent behavior contract:** Store first, retrieve before storing, extract entities from user input, create tasks for commitments, and attach bounded host context such as repository name/root scope when available. Full instructions: [MCP instructions](docs/developer/mcp/instructions.md) and [CLI agent instructions](docs/developer/cli_agent_instructions.md).

package/dist/actions.d.ts CHANGED Viewed

@@ -2,17 +2,11 @@ import express from "express";
 import { type StoreInterpretationInput } from "./shared/action_schemas.js";
 export declare const app: import("express-serve-static-core").Express;
 /**
- * True when the request arrived over a loopback socket.
+ * True when the request is genuinely local to this process.
  *
- * SECURITY: derived from the TCP socket's remote address, NOT the `Host`
- * header. `req.headers.host` is attacker-controlled; using it to gate
- * authentication / auto-approval produces a trivial bypass when the server is
- * bound to a non-loopback interface. We check `req.socket.remoteAddress`
- * directly so spoofed `Host: localhost` headers do not promote a remote
- * caller into the local-dev trust zone.
- *
- * Express's `req.ip` is also unsafe here because `trust proxy` honours the
- * X-Forwarded-For header — any caller can claim to be loopback.
+ * SECURITY: a same-host reverse proxy (Caddy, nginx, Cloudflare tunnel, etc.)
+ * connects to Node over loopback even for public internet callers. In
+ * production, loopback alone is therefore not enough to grant local-dev auth.
  */
 export declare function isLocalRequest(req: express.Request): boolean;
 /**

package/dist/actions.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;~~AA2G9B~~,OAAO,EAyBL,KAAK,wBAAwB,~~EAG9B~~,MAAM,4BAA4B,CAAC;AA+BpC,eAAO,MAAM,GAAG,6CAAY,CAAC;~~AAygB7B;;;;;;;;;;;;GAYG~~;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,GAAG,OAAO,~~CAU5D~~;AA4PD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,CAmBhD;AAiyHD,KAAK,oBAAoB,GAAG;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,CAAC;AAuDF,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;IACpC,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,OAAO,4BAA4B,EAAE,iBAAiB,CAAC;IAC3E,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,oBAAoB,EAAE,CAAC;IACvC,cAAc,CAAC,EAAE,wBAAwB,CAAC;IAC1C,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;;;;;;;;;;;;;cA+gBS,MAAM;gBACJ,MAAM;2BACK,MAAM;qBACZ,MAAM;mBACR,MAAM;wBACD,MAAM;uBACP,MAAM;;;;;mBA3JV,MAAM;qBACJ,MAAM;wBACH,MAAM,GAAG,IAAI;2BACV,MAAM;;wBAET,MAAM;uBACP,MAAM,EAAE;wBACP,MAAM;uBACP,MAAM;;kBA9NX,MAAM;oBACJ,MAAM;yBACD,MAAM;4BACH,MAAM;2BACP,MAAM;;+BA4NF,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;;;2BAkFlC,MAAM;0BACP,MAAM;0BACN,MAAM;;;;;;;;GAsG3B;~~AA+iED~~,wBAAsB,eAAe;;;~~eA2FpC~~"}
1	+ {"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AA4G9B,OAAO,EAyBL,KAAK,wBAAwB,EAE9B,MAAM,4BAA4B,CAAC;AA+BpC,eAAO,MAAM,GAAG,6CAAY,CAAC;AAiiB7B;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAa5D;AA4PD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,CAmBhD;AAiyHD,KAAK,oBAAoB,GAAG;IAC1B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,CAAC;AAuDF,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;IACpC,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,OAAO,4BAA4B,EAAE,iBAAiB,CAAC;IAC3E,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,oBAAoB,EAAE,CAAC;IACvC,cAAc,CAAC,EAAE,wBAAwB,CAAC;IAC1C,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;;;;;;;;;;;;;cA+gBS,MAAM;gBACJ,MAAM;2BACK,MAAM;qBACZ,MAAM;mBACR,MAAM;wBACD,MAAM;uBACP,MAAM;;;;;mBA3JV,MAAM;qBACJ,MAAM;wBACH,MAAM,GAAG,IAAI;2BACV,MAAM;;wBAET,MAAM;uBACP,MAAM,EAAE;wBACP,MAAM;uBACP,MAAM;;kBA9NX,MAAM;oBACJ,MAAM;yBACD,MAAM;4BACH,MAAM;2BACP,MAAM;;+BA4NF,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;;;2BAkFlC,MAAM;0BACP,MAAM;0BACN,MAAM;;;;;;;;GAsG3B;AAmhED,wBAAsB,eAAe;;;eA8FpC"}

package/dist/actions.js CHANGED Viewed

@@ -10,6 +10,7 @@ import { db } from "./db.js";
 import { config } from "./config.js";
 import fs from "fs";
 import path from "path";
+import { writeLocalHttpPortFile } from "./utils/local_http_port_file.js";
 import yaml from "js-yaml";
 import { ensurePublicKeyRegistered, getPublicKey, getUserIdFromBearerToken, isBearerTokenValid, } from "./services/public_key_registry.js";
 import { verifyRequest, parseAuthHeader } from "./crypto/auth.js";
@@ -43,7 +44,7 @@ import { resolveSandboxReportTransport } from "./services/sandbox/transport.js";
 import { getSqliteDb } from "./repositories/sqlite/sqlite_client.js";
 import { getMcpAuthToken } from "./crypto/mcp_auth_token.js";
 import { isOauthKeyCredentialValid, normalizeOauthNextPath, OAuthKeySessionStore, } from "./services/oauth_key_gate.js";
-import { AnalyzeSchemaCandidatesRequestSchema, CorrectEntityRequestSchema, CreateInterpretationRequestSchema, CreateRelationshipsRequestSchema, CreateRelationshipRequestSchema, DeleteEntityRequestSchema, DeleteRelationshipRequestSchema, EntitiesQueryRequestSchema, EntitySnapshotRequestSchema, FieldProvenanceRequestSchema, GetSchemaRecommendationsRequestSchema, ListObservationsRequestSchema, ListRelationshipsRequestSchema, MergeEntitiesRequestSchema, SplitEntityRequestSchema, ObservationsQueryRequestSchema, RegisterSchemaRequestSchema, RelationshipSnapshotRequestSchema, RestoreEntityRequestSchema, RestoreRelationshipRequestSchema, RetrieveEntityByIdentifierSchema, RetrieveGraphNeighborhoodSchema, RetrieveRelatedEntitiesSchema, StoreRequestSchema, StoreUnstructuredRequestSchema, UpdateSchemaIncrementalRequestSchema, } from "./shared/action_schemas.js";
+import { AnalyzeSchemaCandidatesRequestSchema, CorrectEntityRequestSchema, CreateInterpretationRequestSchema, CreateRelationshipsRequestSchema, CreateRelationshipRequestSchema, DeleteEntityRequestSchema, DeleteRelationshipRequestSchema, EntitiesQueryRequestSchema, EntitySnapshotRequestSchema, FieldProvenanceRequestSchema, GetSchemaRecommendationsRequestSchema, ListObservationsRequestSchema, ListRelationshipsRequestSchema, MergeEntitiesRequestSchema, SplitEntityRequestSchema, ObservationsQueryRequestSchema, RegisterSchemaRequestSchema, RelationshipSnapshotRequestSchema, RestoreEntityRequestSchema, RestoreRelationshipRequestSchema, RetrieveEntityByIdentifierSchema, RetrieveGraphNeighborhoodSchema, RetrieveRelatedEntitiesSchema, StoreRequestSchema, UpdateSchemaIncrementalRequestSchema, } from "./shared/action_schemas.js";
 import { getMimeTypeFromExtension } from "./services/file_text_extraction.js";
 import { queryEntitiesWithCount } from "./shared/action_handlers/entity_handlers.js";
 import { retrieveEntityByIdentifierWithFallback } from "./shared/action_handlers/entity_identifier_handler.js";
@@ -521,34 +522,50 @@ app.get("/mcp-interaction-instructions", (_req, res) => {
 const mcpTransports = new Map();
 // Store server instances by session ID to preserve authentication state
 const mcpServerInstances = new Map();
-/**
- * True when the request arrived over a loopback socket.
- *
- * SECURITY: derived from the TCP socket's remote address, NOT the `Host`
- * header. `req.headers.host` is attacker-controlled; using it to gate
- * authentication / auto-approval produces a trivial bypass when the server is
- * bound to a non-loopback interface. We check `req.socket.remoteAddress`
- * directly so spoofed `Host: localhost` headers do not promote a remote
- * caller into the local-dev trust zone.
- *
- * Express's `req.ip` is also unsafe here because `trust proxy` honours the
- * X-Forwarded-For header — any caller can claim to be loopback.
- */
-export function isLocalRequest(req) {
-    const remote = (req.socket?.remoteAddress || "").toLowerCase();
+function isLoopbackAddress(value) {
+    const remote = (value || "").trim().toLowerCase();
     if (!remote)
         return false;
-    // Unix-domain socket requests have no remote address; treat as non-local.
     if (remote === "127.0.0.1" || remote === "::1")
         return true;
-    // IPv4 loopback range (127.0.0.0/8)
     if (remote.startsWith("127."))
         return true;
-    // IPv4-mapped IPv6 loopback (e.g. ::ffff:127.0.0.1)
     if (remote.startsWith("::ffff:127."))
         return true;
     return false;
 }
+function forwardedForValues(req) {
+    const headers = req.headers || {};
+    const raw = headers["x-forwarded-for"] || headers["X-Forwarded-For"];
+    const values = Array.isArray(raw) ? raw : raw ? [raw] : [];
+    return values
+        .flatMap((value) => String(value).split(","))
+        .map((value) => value.trim())
+        .filter(Boolean);
+}
+function isProductionEnvironment(env = process.env) {
+    const value = (env.NEOTOMA_ENV || "development").trim().toLowerCase();
+    return value === "production" || value === "prod";
+}
+/**
+ * True when the request is genuinely local to this process.
+ *
+ * SECURITY: a same-host reverse proxy (Caddy, nginx, Cloudflare tunnel, etc.)
+ * connects to Node over loopback even for public internet callers. In
+ * production, loopback alone is therefore not enough to grant local-dev auth.
+ */
+export function isLocalRequest(req) {
+    if (!isLoopbackAddress(req.socket?.remoteAddress))
+        return false;
+    const forwardedFor = forwardedForValues(req);
+    if (forwardedFor.length > 0) {
+        return forwardedFor.every(isLoopbackAddress);
+    }
+    if (isProductionEnvironment() && process.env.NEOTOMA_TRUST_PROD_LOOPBACK === "1") {
+        return true;
+    }
+    return !isProductionEnvironment();
+}
 const OAUTH_KEY_SESSION_COOKIE = "neotoma_oauth_key_session";
 const oauthKeySessions = new OAuthKeySessionStore();
 function readCookie(req, name) {
@@ -4053,7 +4070,7 @@ export async function storeStructuredForApi(params) {
         const entityTypes = entities
             .map((entity) => entity?.entity_type)
             .filter((t) => typeof t === "string" && t.length > 0);
-        enforceAgentCapability("store_structured", entityTypes, capabilityCtx);
+        enforceAgentCapability("store", entityTypes, capabilityCtx);
         const relationshipOp = Array.isArray(relationships) && relationships.length > 0;
         if (relationshipOp) {
             enforceAgentCapability("create_relationship", entityTypes, capabilityCtx);
@@ -4069,7 +4086,7 @@ export async function storeStructuredForApi(params) {
             .filter((t) => typeof t === "string" && t.length > 0);
         assertCanWriteProtectedBatch({
             entity_types: entityTypes,
-            op: "store_structured",
+            op: "store",
             identity: getCurrentAgentIdentity(),
             admission: getCurrentAAuthAdmission(),
         });
@@ -4663,33 +4680,6 @@ if (isSandboxMode()) {
     app.post("/sandbox/aauth-only/store", writeRateLimit, aauthRequired, handleStorePost);
     logger.info("[Sandbox] AAuth-required write route enabled at POST /sandbox/aauth-only/store");
 }
-// POST /api/store/unstructured - Store raw file (base64), optional AI interpretation
-app.post("/store/unstructured", async (req, res) => {
-    const parsed = StoreUnstructuredRequestSchema.safeParse(req.body);
-    if (!parsed.success) {
-        logWarn("ValidationError:store_unstructured", req, { issues: parsed.error.issues });
-        return sendValidationError(res, parsed.error.issues);
-    }
-    try {
-        const userId = await getAuthenticatedUserId(req, parsed.data.user_id);
-        const response = await storeUnstructuredForApi({
-            userId,
-            fileContent: parsed.data.file_content,
-            mimeType: parsed.data.mime_type,
-            idempotencyKey: parsed.data.idempotency_key,
-            originalFilename: parsed.data.original_filename,
-        });
-        return res.status(200).json(response);
-    }
-    catch (error) {
-        if (error instanceof Error && error.message.includes("Not authenticated")) {
-            return sendError(res, 401, "AUTH_REQUIRED", error.message);
-        }
-        logError("APIError:store_unstructured", req, error);
-        const message = error instanceof Error ? error.message : "Failed to store unstructured file";
-        return sendError(res, 500, "DB_QUERY_FAILED", message);
-    }
-});
 // POST /api/observations/query - Query observations
 app.post("/observations/query", async (req, res) => {
     const parsed = ObservationsQueryRequestSchema.safeParse(req.body);
@@ -6152,6 +6142,9 @@ export async function startHTTPServer() {
             }
             // eslint-disable-next-line no-console
             console.log(`HTTP Actions listening on :${boundPort}`);
+            if (process.env.NODE_ENV !== "test") {
+                writeLocalHttpPortFile(config.projectRoot, boundPort);
+            }
             // Start background OAuth state cleanup job
             import("./services/mcp_oauth.js").then((oauth) => {
                 oauth.startStateCleanupJob();