openlinear 0.1.3

package/dist/validation/index.d.mts

@@ -0,0 +1,74 @@
+import { z } from 'zod';
+
+declare const ErrorCategory: z.ZodEnum<["AUTH", "RATE_LIMIT", "MERGE_CONFLICT", "TIMEOUT", "UNKNOWN"]>;
+declare const ExecutionStatus: z.ZodEnum<["pending", "running", "completed", "failed", "cancelled"]>;
+declare const ExecutionMetadataSyncSchema: z.ZodObject<{
+    taskId: z.ZodString;
+    runId: z.ZodString;
+    status: z.ZodEnum<["pending", "running", "completed", "failed", "cancelled"]>;
+    startedAt: z.ZodOptional<z.ZodString>;
+    completedAt: z.ZodOptional<z.ZodString>;
+    durationMs: z.ZodOptional<z.ZodNumber>;
+    progress: z.ZodOptional<z.ZodNumber>;
+    branch: z.ZodOptional<z.ZodString>;
+    commitSha: z.ZodOptional<z.ZodString>;
+    prUrl: z.ZodOptional<z.ZodString>;
+    prNumber: z.ZodOptional<z.ZodNumber>;
+    outcome: z.ZodOptional<z.ZodString>;
+    errorCategory: z.ZodOptional<z.ZodEnum<["AUTH", "RATE_LIMIT", "MERGE_CONFLICT", "TIMEOUT", "UNKNOWN"]>>;
+    filesChanged: z.ZodOptional<z.ZodNumber>;
+    toolsExecuted: z.ZodOptional<z.ZodNumber>;
+}, "strict", z.ZodTypeAny, {
+    status: "pending" | "running" | "completed" | "failed" | "cancelled";
+    taskId: string;
+    runId: string;
+    startedAt?: string | undefined;
+    completedAt?: string | undefined;
+    durationMs?: number | undefined;
+    progress?: number | undefined;
+    branch?: string | undefined;
+    commitSha?: string | undefined;
+    prUrl?: string | undefined;
+    prNumber?: number | undefined;
+    outcome?: string | undefined;
+    errorCategory?: "AUTH" | "RATE_LIMIT" | "MERGE_CONFLICT" | "TIMEOUT" | "UNKNOWN" | undefined;
+    filesChanged?: number | undefined;
+    toolsExecuted?: number | undefined;
+}, {
+    status: "pending" | "running" | "completed" | "failed" | "cancelled";
+    taskId: string;
+    runId: string;
+    startedAt?: string | undefined;
+    completedAt?: string | undefined;
+    durationMs?: number | undefined;
+    progress?: number | undefined;
+    branch?: string | undefined;
+    commitSha?: string | undefined;
+    prUrl?: string | undefined;
+    prNumber?: number | undefined;
+    outcome?: string | undefined;
+    errorCategory?: "AUTH" | "RATE_LIMIT" | "MERGE_CONFLICT" | "TIMEOUT" | "UNKNOWN" | undefined;
+    filesChanged?: number | undefined;
+    toolsExecuted?: number | undefined;
+}>;
+type ExecutionMetadataSync = z.infer<typeof ExecutionMetadataSyncSchema>;
+declare function validateExecutionMetadataSync(payload: unknown): ExecutionMetadataSync;
+declare function safeValidateExecutionMetadataSync(payload: unknown): {
+    success: true;
+    data: ExecutionMetadataSync;
+} | {
+    success: false;
+    error: z.ZodError;
+};
+declare function checkExecutionMetadataSync(payload: unknown): {
+    valid: boolean;
+    issues?: string[];
+};
+declare const FORBIDDEN_SYNC_FIELDS: readonly ["prompt", "logs", "toolLogs", "executionLogs", "repoPath", "accessToken", "apiKey", "passwordHash", "jwt", "client", "timeoutId", "rawOutput", "diff", "fileContents", "env", "environment", "processEnv"];
+declare function isForbiddenField(field: string): boolean;
+declare function sanitizePayload(payload: Record<string, any>): {
+    sanitized: Record<string, any>;
+    removed: string[];
+};
+
+export { ErrorCategory, type ExecutionMetadataSync, ExecutionMetadataSyncSchema, ExecutionStatus, FORBIDDEN_SYNC_FIELDS, checkExecutionMetadataSync, isForbiddenField, safeValidateExecutionMetadataSync, sanitizePayload, validateExecutionMetadataSync };

package/dist/validation/index.d.ts

@@ -0,0 +1,74 @@
+import { z } from 'zod';
+
+declare const ErrorCategory: z.ZodEnum<["AUTH", "RATE_LIMIT", "MERGE_CONFLICT", "TIMEOUT", "UNKNOWN"]>;
+declare const ExecutionStatus: z.ZodEnum<["pending", "running", "completed", "failed", "cancelled"]>;
+declare const ExecutionMetadataSyncSchema: z.ZodObject<{
+    taskId: z.ZodString;
+    runId: z.ZodString;
+    status: z.ZodEnum<["pending", "running", "completed", "failed", "cancelled"]>;
+    startedAt: z.ZodOptional<z.ZodString>;
+    completedAt: z.ZodOptional<z.ZodString>;
+    durationMs: z.ZodOptional<z.ZodNumber>;
+    progress: z.ZodOptional<z.ZodNumber>;
+    branch: z.ZodOptional<z.ZodString>;
+    commitSha: z.ZodOptional<z.ZodString>;
+    prUrl: z.ZodOptional<z.ZodString>;
+    prNumber: z.ZodOptional<z.ZodNumber>;
+    outcome: z.ZodOptional<z.ZodString>;
+    errorCategory: z.ZodOptional<z.ZodEnum<["AUTH", "RATE_LIMIT", "MERGE_CONFLICT", "TIMEOUT", "UNKNOWN"]>>;
+    filesChanged: z.ZodOptional<z.ZodNumber>;
+    toolsExecuted: z.ZodOptional<z.ZodNumber>;
+}, "strict", z.ZodTypeAny, {
+    status: "pending" | "running" | "completed" | "failed" | "cancelled";
+    taskId: string;
+    runId: string;
+    startedAt?: string | undefined;
+    completedAt?: string | undefined;
+    durationMs?: number | undefined;
+    progress?: number | undefined;
+    branch?: string | undefined;
+    commitSha?: string | undefined;
+    prUrl?: string | undefined;
+    prNumber?: number | undefined;
+    outcome?: string | undefined;
+    errorCategory?: "AUTH" | "RATE_LIMIT" | "MERGE_CONFLICT" | "TIMEOUT" | "UNKNOWN" | undefined;
+    filesChanged?: number | undefined;
+    toolsExecuted?: number | undefined;
+}, {
+    status: "pending" | "running" | "completed" | "failed" | "cancelled";
+    taskId: string;
+    runId: string;
+    startedAt?: string | undefined;
+    completedAt?: string | undefined;
+    durationMs?: number | undefined;
+    progress?: number | undefined;
+    branch?: string | undefined;
+    commitSha?: string | undefined;
+    prUrl?: string | undefined;
+    prNumber?: number | undefined;
+    outcome?: string | undefined;
+    errorCategory?: "AUTH" | "RATE_LIMIT" | "MERGE_CONFLICT" | "TIMEOUT" | "UNKNOWN" | undefined;
+    filesChanged?: number | undefined;
+    toolsExecuted?: number | undefined;
+}>;
+type ExecutionMetadataSync = z.infer<typeof ExecutionMetadataSyncSchema>;
+declare function validateExecutionMetadataSync(payload: unknown): ExecutionMetadataSync;
+declare function safeValidateExecutionMetadataSync(payload: unknown): {
+    success: true;
+    data: ExecutionMetadataSync;
+} | {
+    success: false;
+    error: z.ZodError;
+};
+declare function checkExecutionMetadataSync(payload: unknown): {
+    valid: boolean;
+    issues?: string[];
+};
+declare const FORBIDDEN_SYNC_FIELDS: readonly ["prompt", "logs", "toolLogs", "executionLogs", "repoPath", "accessToken", "apiKey", "passwordHash", "jwt", "client", "timeoutId", "rawOutput", "diff", "fileContents", "env", "environment", "processEnv"];
+declare function isForbiddenField(field: string): boolean;
+declare function sanitizePayload(payload: Record<string, any>): {
+    sanitized: Record<string, any>;
+    removed: string[];
+};
+
+export { ErrorCategory, type ExecutionMetadataSync, ExecutionMetadataSyncSchema, ExecutionStatus, FORBIDDEN_SYNC_FIELDS, checkExecutionMetadataSync, isForbiddenField, safeValidateExecutionMetadataSync, sanitizePayload, validateExecutionMetadataSync };

package/dist/validation/index.js

@@ -0,0 +1,137 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/validation/index.ts
+var validation_exports = {};
+__export(validation_exports, {
+  ErrorCategory: () => ErrorCategory,
+  ExecutionMetadataSyncSchema: () => ExecutionMetadataSyncSchema,
+  ExecutionStatus: () => ExecutionStatus,
+  FORBIDDEN_SYNC_FIELDS: () => FORBIDDEN_SYNC_FIELDS,
+  checkExecutionMetadataSync: () => checkExecutionMetadataSync,
+  isForbiddenField: () => isForbiddenField,
+  safeValidateExecutionMetadataSync: () => safeValidateExecutionMetadataSync,
+  sanitizePayload: () => sanitizePayload,
+  validateExecutionMetadataSync: () => validateExecutionMetadataSync
+});
+module.exports = __toCommonJS(validation_exports);
+
+// src/validation/security.ts
+var import_zod = require("zod");
+var ErrorCategory = import_zod.z.enum([
+  "AUTH",
+  "RATE_LIMIT",
+  "MERGE_CONFLICT",
+  "TIMEOUT",
+  "UNKNOWN"
+]);
+var ExecutionStatus = import_zod.z.enum([
+  "pending",
+  "running",
+  "completed",
+  "failed",
+  "cancelled"
+]);
+var ExecutionMetadataSyncSchema = import_zod.z.object({
+  taskId: import_zod.z.string(),
+  runId: import_zod.z.string(),
+  status: ExecutionStatus,
+  startedAt: import_zod.z.string().datetime().optional(),
+  completedAt: import_zod.z.string().datetime().optional(),
+  durationMs: import_zod.z.number().int().min(0).optional(),
+  progress: import_zod.z.number().int().min(0).max(100).optional(),
+  branch: import_zod.z.string().optional(),
+  commitSha: import_zod.z.string().optional(),
+  prUrl: import_zod.z.string().url().optional(),
+  prNumber: import_zod.z.number().int().positive().optional(),
+  outcome: import_zod.z.string().max(500).optional(),
+  errorCategory: ErrorCategory.optional(),
+  filesChanged: import_zod.z.number().int().min(0).optional(),
+  toolsExecuted: import_zod.z.number().int().min(0).optional()
+}).strict();
+function validateExecutionMetadataSync(payload) {
+  return ExecutionMetadataSyncSchema.parse(payload);
+}
+function safeValidateExecutionMetadataSync(payload) {
+  const result = ExecutionMetadataSyncSchema.safeParse(payload);
+  if (result.success) {
+    return { success: true, data: result.data };
+  } else {
+    return { success: false, error: result.error };
+  }
+}
+function checkExecutionMetadataSync(payload) {
+  const result = ExecutionMetadataSyncSchema.safeParse(payload);
+  if (result.success) {
+    return { valid: true };
+  } else {
+    return {
+      valid: false,
+      issues: result.error.errors.map(
+        (e) => `${e.path.join(".")}: ${e.message}`
+      )
+    };
+  }
+}
+var FORBIDDEN_SYNC_FIELDS = [
+  "prompt",
+  "logs",
+  "toolLogs",
+  "executionLogs",
+  "repoPath",
+  "accessToken",
+  "apiKey",
+  "passwordHash",
+  "jwt",
+  "client",
+  "timeoutId",
+  "rawOutput",
+  "diff",
+  "fileContents",
+  "env",
+  "environment",
+  "processEnv"
+];
+function isForbiddenField(field) {
+  return FORBIDDEN_SYNC_FIELDS.includes(field);
+}
+function sanitizePayload(payload) {
+  const sanitized = {};
+  const removed = [];
+  for (const [key, value] of Object.entries(payload)) {
+    if (isForbiddenField(key)) {
+      removed.push(key);
+    } else {
+      sanitized[key] = value;
+    }
+  }
+  return { sanitized, removed };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ErrorCategory,
+  ExecutionMetadataSyncSchema,
+  ExecutionStatus,
+  FORBIDDEN_SYNC_FIELDS,
+  checkExecutionMetadataSync,
+  isForbiddenField,
+  safeValidateExecutionMetadataSync,
+  sanitizePayload,
+  validateExecutionMetadataSync
+});

package/dist/validation/index.mjs

@@ -0,0 +1,22 @@
+import {
+  ErrorCategory,
+  ExecutionMetadataSyncSchema,
+  ExecutionStatus,
+  FORBIDDEN_SYNC_FIELDS,
+  checkExecutionMetadataSync,
+  isForbiddenField,
+  safeValidateExecutionMetadataSync,
+  sanitizePayload,
+  validateExecutionMetadataSync
+} from "../chunk-P3FFNK6N.mjs";
+export {
+  ErrorCategory,
+  ExecutionMetadataSyncSchema,
+  ExecutionStatus,
+  FORBIDDEN_SYNC_FIELDS,
+  checkExecutionMetadataSync,
+  isForbiddenField,
+  safeValidateExecutionMetadataSync,
+  sanitizePayload,
+  validateExecutionMetadataSync
+};

package/package.json

@@ -0,0 +1,61 @@
+{
+  "name": "openlinear",
+  "version": "0.1.3",
+  "description": "OpenLinear launcher, installer, and validation utilities",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/kaizen403/openlinear"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs",
+      "types": "./dist/index.d.ts"
+    },
+    "./types": {
+      "import": "./dist/types/index.js",
+      "require": "./dist/types/index.cjs",
+      "types": "./dist/types/index.d.ts"
+    },
+    "./validation": {
+      "import": "./dist/validation/index.js",
+      "require": "./dist/validation/index.cjs",
+      "types": "./dist/validation/index.d.ts"
+    },
+    "./config": {
+      "import": "./dist/config/index.js",
+      "require": "./dist/config/index.cjs",
+      "types": "./dist/config/index.d.ts"
+    }
+  },
+  "bin": {
+    "openlinear": "bin/openlinear.js"
+  },
+  "files": [
+    "bin",
+    "scripts",
+    "dist",
+    "src"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts src/types/index.ts src/validation/index.ts src/config/index.ts --format cjs,esm --dts",
+    "postinstall": "node scripts/postinstall.js",
+    "prepublishOnly": "npm run build"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "zod": "^3.25.6"
+  },
+  "devDependencies": {
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
+  }
+}

package/scripts/postinstall.js

@@ -0,0 +1,65 @@
+const fs = require('node:fs');
+const https = require('node:https');
+const os = require('node:os');
+const path = require('node:path');
+
+const packageJson = require('../package.json');
+
+const platform = process.platform;
+const arch = process.arch;
+
+if (platform !== 'linux' || arch !== 'x64') {
+  console.log('OpenLinear installer currently supports Linux x64 only.');
+  process.exit(0);
+}
+
+const baseUrl = process.env.OPENLINEAR_RELEASE_BASE_URL ||
+  `https://github.com/kaizen403/openlinear/releases/download/v${packageJson.version}`;
+const fileName = `openlinear-${packageJson.version}-x86_64.AppImage`;
+const downloadUrl = `${baseUrl}/${fileName}`;
+
+const installDir = path.join(os.homedir(), '.openlinear');
+const targetPath = path.join(installDir, 'openlinear.AppImage');
+
+function download(url, destination) {
+  return new Promise((resolve, reject) => {
+    const request = https.get(url, (response) => {
+      if (response.statusCode && response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
+        response.resume();
+        download(response.headers.location, destination).then(resolve).catch(reject);
+        return;
+      }
+
+      if (response.statusCode !== 200) {
+        response.resume();
+        reject(new Error(`Download failed with status ${response.statusCode}`));
+        return;
+      }
+
+      const fileStream = fs.createWriteStream(destination);
+      response.pipe(fileStream);
+      fileStream.on('finish', () => {
+        fileStream.close(resolve);
+      });
+      fileStream.on('error', (err) => {
+        fileStream.close();
+        reject(err);
+      });
+    });
+
+    request.on('error', reject);
+  });
+}
+
+async function main() {
+  try {
+    fs.mkdirSync(installDir, { recursive: true });
+    await download(downloadUrl, targetPath);
+    fs.chmodSync(targetPath, 0o755);
+    console.log(`OpenLinear AppImage downloaded to ${targetPath}`);
+  } catch (error) {
+    console.error(`Failed to download OpenLinear AppImage: ${error.message}`);
+  }
+}
+
+main();

package/src/config/feature-flags.ts

@@ -0,0 +1,121 @@
+import { z } from 'zod';
+
+export const FeatureFlagsSchema = z.object({
+  LOCAL_EXECUTION_ENABLED: z
+    .enum(['true', 'false'])
+    .default('false')
+    .transform((v) => v === 'true'),
+  SERVER_EXECUTION_ENABLED: z
+    .enum(['true', 'false'])
+    .default('true')
+    .transform((v) => v === 'true'),
+  CANARY_PERCENTAGE: z
+    .string()
+    .default('0')
+    .transform((v) => parseInt(v, 10))
+    .refine((v) => v >= 0 && v <= 100, {
+      message: 'CANARY_PERCENTAGE must be between 0 and 100',
+    }),
+  FORCE_LOCAL_EXECUTION: z
+    .enum(['true', 'false'])
+    .default('false')
+    .transform((v) => v === 'true'),
+  KILL_SWITCH_LOCAL_EXECUTION: z
+    .enum(['true', 'false'])
+    .default('false')
+    .transform((v) => v === 'true'),
+});
+
+export type FeatureFlags = z.infer<typeof FeatureFlagsSchema>;
+
+export function parseFeatureFlags(env: Record<string, string | undefined> = process.env): FeatureFlags {
+  return FeatureFlagsSchema.parse(env);
+}
+
+export function getFeatureFlags(): FeatureFlags {
+  return parseFeatureFlags();
+}
+
+export function isLocalExecutionEnabled(userId: string, flags: FeatureFlags = getFeatureFlags()): boolean {
+  if (flags.KILL_SWITCH_LOCAL_EXECUTION) {
+    return false;
+  }
+
+  if (flags.FORCE_LOCAL_EXECUTION) {
+    return true;
+  }
+
+  if (!flags.LOCAL_EXECUTION_ENABLED) {
+    return false;
+  }
+
+  if (flags.CANARY_PERCENTAGE >= 100) {
+    return true;
+  }
+
+  if (flags.CANARY_PERCENTAGE <= 0) {
+    return false;
+  }
+
+  const hash = hashString(userId);
+  const userPercentage = (hash % 100) + 1;
+
+  return userPercentage <= flags.CANARY_PERCENTAGE;
+}
+
+export function isServerExecutionEnabled(flags: FeatureFlags = getFeatureFlags()): boolean {
+  return flags.SERVER_EXECUTION_ENABLED;
+}
+
+export function validateFlagConfiguration(flags: FeatureFlags): { valid: boolean; errors: string[] } {
+  const errors: string[] = [];
+
+  if (flags.FORCE_LOCAL_EXECUTION && flags.KILL_SWITCH_LOCAL_EXECUTION) {
+    errors.push('Cannot enable both FORCE_LOCAL_EXECUTION and KILL_SWITCH_LOCAL_EXECUTION');
+  }
+
+  if (!flags.LOCAL_EXECUTION_ENABLED && !flags.SERVER_EXECUTION_ENABLED) {
+    errors.push('At least one execution mode must be enabled');
+  }
+
+  return {
+    valid: errors.length === 0,
+    errors,
+  };
+}
+
+function hashString(str: string): number {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash);
+}
+
+export function getMigrationPhase(flags: FeatureFlags = getFeatureFlags()): 
+  | 'shadow'
+  | 'canary'
+  | 'cutover'
+  | 'rollback'
+  | 'unknown' {
+  
+  if (flags.KILL_SWITCH_LOCAL_EXECUTION) {
+    return 'rollback';
+  }
+
+  if (!flags.SERVER_EXECUTION_ENABLED) {
+    return 'cutover';
+  }
+
+  if (flags.LOCAL_EXECUTION_ENABLED && flags.CANARY_PERCENTAGE > 0) {
+    return 'canary';
+  }
+
+  if (flags.LOCAL_EXECUTION_ENABLED && flags.CANARY_PERCENTAGE === 0) {
+    return 'shadow';
+  }
+
+  return 'unknown';
+}

package/src/config/index.ts

@@ -0,0 +1 @@
+export * from './feature-flags';

package/src/index.ts

@@ -0,0 +1,6 @@
+export * from './config/feature-flags';
+export { 
+  isForbiddenField, 
+  sanitizePayload 
+} from './validation/security';
+export * from './types';

package/src/types/execution-metadata.ts

@@ -0,0 +1,116 @@
+import { z } from 'zod';
+
+export const ErrorCategory = z.enum([
+  'AUTH',
+  'RATE_LIMIT', 
+  'MERGE_CONFLICT',
+  'TIMEOUT',
+  'UNKNOWN'
+]);
+
+export const ExecutionStatus = z.enum([
+  'pending',
+  'running',
+  'completed',
+  'failed',
+  'cancelled'
+]);
+
+export const ExecutionMetadataSyncSchema = z.object({
+  taskId: z.string(),
+  runId: z.string(),
+  status: ExecutionStatus,
+  startedAt: z.string().datetime().optional(),
+  completedAt: z.string().datetime().optional(),
+  durationMs: z.number().int().min(0).optional(),
+  progress: z.number().int().min(0).max(100).optional(),
+  branch: z.string().optional(),
+  commitSha: z.string().optional(),
+  prUrl: z.string().url().optional(),
+  prNumber: z.number().int().positive().optional(),
+  outcome: z.string().max(500).optional(),
+  errorCategory: ErrorCategory.optional(),
+  filesChanged: z.number().int().min(0).optional(),
+  toolsExecuted: z.number().int().min(0).optional(),
+}).strict();
+
+export type ExecutionMetadataSync = z.infer<typeof ExecutionMetadataSyncSchema>;
+
+export function validateExecutionMetadataSync(payload: unknown): ExecutionMetadataSync {
+  return ExecutionMetadataSyncSchema.parse(payload);
+}
+
+export function safeValidateExecutionMetadataSync(payload: unknown): 
+  | { success: true; data: ExecutionMetadataSync }
+  | { success: false; error: z.ZodError } {
+  const result = ExecutionMetadataSyncSchema.safeParse(payload);
+  
+  if (result.success) {
+    return { success: true, data: result.data };
+  } else {
+    return { success: false, error: result.error };
+  }
+}
+
+export function checkExecutionMetadataSync(payload: unknown): {
+  valid: boolean;
+  issues?: string[];
+} {
+  const result = ExecutionMetadataSyncSchema.safeParse(payload);
+  
+  if (result.success) {
+    return { valid: true };
+  } else {
+    return {
+      valid: false,
+      issues: result.error.errors.map(e => 
+        `${e.path.join('.')}: ${e.message}`
+      )
+    };
+  }
+}
+
+export function validateExecutionMetadataMiddleware() {
+  return (req: any, res: any, next: any) => {
+    const result = safeValidateExecutionMetadataSync(req.body);
+    
+    if (!result.success) {
+      const hasUnknownKeys = result.error.errors.some(e => 
+        e.message.includes('Unrecognized key') || 
+        e.code === 'unrecognized_keys'
+      );
+      
+      return res.status(400).json({
+        error: 'Invalid sync payload',
+        code: hasUnknownKeys ? 'FORBIDDEN_FIELDS' : 'VALIDATION_ERROR',
+        details: result.error.errors.map(e => ({
+          field: e.path.join('.'),
+          message: e.message
+        }))
+      });
+    }
+    
+    req.validatedMetadata = result.data;
+    next();
+  };
+}
+
+export const FORBIDDEN_SYNC_FIELDS = [
+  'prompt',
+  'logs',
+  'toolLogs', 
+  'executionLogs',
+  'repoPath',
+  'accessToken',
+  'apiKey',
+  'passwordHash',
+  'jwt',
+  'client',
+  'timeoutId',
+  'rawOutput',
+  'diff',
+  'fileContents',
+  'env',
+  'environment',
+  'processEnv',
+] as const;

package/src/types/index.ts

@@ -0,0 +1 @@
+export * from './execution-metadata';

package/src/validation/index.ts

@@ -0,0 +1 @@
+export * from './security';