plasalid 0.7.1 → 0.7.3

package/dist/scanner/pdf/password-store.js

@@ -0,0 +1,83 @@
+import { randomUUID } from "crypto";
+import { basename } from "path";
+import { encryptSecret, decryptSecret } from "../../db/encryption.js";
+const REGEX_META = /[.*+?^${}()|[\]\\]/g;
+const SEPARATORS = /[_\-\s.]/;
+const MIN_PREFIX_LEN = 3;
+/**
+ * Derive a regex from a filename. Strategy: take the leading alphabetic-ish
+ * prefix (up to the first separator: underscore, hyphen, space, or dot) and
+ * wildcard everything after it. Looser than a literal match — `AcctSt_May26.pdf`
+ * and `AcctSt_Jun26.pdf` share the same pattern.
+ *
+ * Falls back to the older digit-collapse strategy when the prefix is too short
+ * (<3 chars) or doesn't start with a letter, so we don't end up with overly
+ * generic patterns like `^a.*` or `^\d+.*`.
+ *
+ * Examples:
+ *   `AcctSt_May26.pdf`          → `^acctst.*`
+ *   `KBank-Savings-2026-01.pdf` → `^kbank.*`
+ *   `statement.pdf`             → `^statement.*`
+ *   `1234567890.pdf`            → `^\d+\.pdf$`           (fallback)
+ *   `e-statement.pdf`           → `^e\-statement\.pdf$`  (fallback — prefix too short)
+ */
+export function suggestPattern(filename) {
+    const name = basename(filename).toLowerCase();
+    const prefix = name.split(SEPARATORS)[0];
+    if (prefix.length >= MIN_PREFIX_LEN && /^[a-z]/.test(prefix)) {
+        return `^${prefix.replace(REGEX_META, "\\$&")}.*`;
+    }
+    const escaped = name.replace(REGEX_META, "\\$&");
+    const collapsed = escaped.replace(/\d+/g, "\\d+");
+    return `^${collapsed}$`;
+}
+/** Stored passwords whose pattern matches the basename of `filePath`. */
+export function findCandidates(db, filePath, dbKey) {
+    const target = basename(filePath);
+    const rows = db
+        .prepare(`SELECT id, pattern, password_encrypted, use_count, last_used_at
+       FROM file_passwords
+       ORDER BY use_count DESC, last_used_at DESC NULLS LAST, created_at ASC`)
+        .all();
+    return rows
+        .filter(r => safeTest(r.pattern, target))
+        .map(r => ({
+        id: r.id,
+        pattern: r.pattern,
+        password: decryptSecret(r.password_encrypted, dbKey),
+        useCount: r.use_count,
+        lastUsedAt: r.last_used_at,
+    }));
+}
+function safeTest(pattern, target) {
+    try {
+        return new RegExp(pattern, "i").test(target);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Upsert by pattern. If the pattern already exists the row is replaced — useful
+ * when the bank rotates the password for a recurring statement series.
+ */
+export function savePassword(db, pattern, password, dbKey) {
+    const encrypted = encryptSecret(password, dbKey);
+    const existing = db
+        .prepare(`SELECT id FROM file_passwords WHERE pattern = ?`)
+        .get(pattern);
+    if (existing) {
+        db.prepare(`UPDATE file_passwords
+       SET password_encrypted = ?, use_count = 0, last_used_at = NULL
+       WHERE id = ?`).run(encrypted, existing.id);
+        return existing.id;
+    }
+    const id = `fp:${randomUUID()}`;
+    db.prepare(`INSERT INTO file_passwords (id, pattern, password_encrypted) VALUES (?, ?, ?)`).run(id, pattern, encrypted);
+    return id;
+}
+export function recordUse(db, id) {
+    db.prepare(`UPDATE file_passwords
+     SET use_count = use_count + 1, last_used_at = datetime('now')
+     WHERE id = ?`).run(id);
+}

package/dist/scanner/pdf/pdf-unlock.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Thin wrapper around the mupdf WASM library. Lazy-imported on first call so
+ * the WASM module isn't loaded for data dirs that contain only plaintext PDFs.
+ */
+export declare function isEncrypted(bytes: Buffer): Promise<boolean>;
+export interface UnlockResult {
+    ok: boolean;
+    /** Set when `ok === true`. Plaintext (decrypted) PDF bytes ready to forward. */
+    decrypted?: Buffer;
+}
+/**
+ * Attempt to unlock and re-save `bytes` as an unencrypted PDF using `password`.
+ * Returns `{ ok: false }` on wrong password or non-PDF input. Returns
+ * `{ ok: true, decrypted }` on success. If the input wasn't encrypted to begin
+ * with, returns `{ ok: true, decrypted: bytes }` unchanged.
+ */
+export declare function unlock(bytes: Buffer, password: string): Promise<UnlockResult>;

package/dist/scanner/pdf/pdf-unlock.js

@@ -0,0 +1,50 @@
+/**
+ * Thin wrapper around the mupdf WASM library. Lazy-imported on first call so
+ * the WASM module isn't loaded for data dirs that contain only plaintext PDFs.
+ */
+let mupdfPromise = null;
+/** mupdf's authenticatePassword returns 0 on a wrong password, non-zero on success. */
+const MUPDF_AUTH_FAILED = 0;
+function getMupdf() {
+    if (!mupdfPromise) {
+        mupdfPromise = import("mupdf");
+    }
+    return mupdfPromise;
+}
+export async function isEncrypted(bytes) {
+    const mupdf = await getMupdf();
+    const doc = mupdf.Document.openDocument(bytes, "application/pdf");
+    try {
+        return doc.needsPassword();
+    }
+    finally {
+        doc.destroy();
+    }
+}
+/**
+ * Attempt to unlock and re-save `bytes` as an unencrypted PDF using `password`.
+ * Returns `{ ok: false }` on wrong password or non-PDF input. Returns
+ * `{ ok: true, decrypted }` on success. If the input wasn't encrypted to begin
+ * with, returns `{ ok: true, decrypted: bytes }` unchanged.
+ */
+export async function unlock(bytes, password) {
+    const mupdf = await getMupdf();
+    const doc = mupdf.Document.openDocument(bytes, "application/pdf");
+    try {
+        if (!(doc instanceof mupdf.PDFDocument)) {
+            return { ok: false };
+        }
+        if (!doc.needsPassword()) {
+            return { ok: true, decrypted: bytes };
+        }
+        const result = doc.authenticatePassword(password);
+        if (result === MUPDF_AUTH_FAILED) {
+            return { ok: false };
+        }
+        const out = doc.saveToBuffer("decrypt");
+        return { ok: true, decrypted: Buffer.from(out.asUint8Array()) };
+    }
+    finally {
+        doc.destroy();
+    }
+}

package/dist/scanner/pdf/pdf.d.ts

@@ -0,0 +1,17 @@
+import type { DocumentBlock } from "../../ai/provider.js";
+export interface LoadedFile {
+    bytes: Buffer;
+    hash: string;
+    mime: string;
+    fileName: string;
+}
+/**
+ * Read a local PDF, hash its bytes, and return everything the scan pipeline
+ * needs to decide whether to skip / re-scan / unlock the file. The hash is
+ * sha256 of the original on-disk bytes (still encrypted if the PDF is
+ * password-protected) — that's what the dedup contract relies on, so we can
+ * recognize the same file across re-scans regardless of unlock state.
+ */
+export declare function readPdf(path: string): LoadedFile;
+/** Build an Anthropic-compatible document content block from PDF bytes. */
+export declare function buildDocumentBlock(bytes: Buffer, fileName: string, mime?: string): DocumentBlock;

package/dist/scanner/pdf/pdf.js

@@ -0,0 +1,36 @@
+import { readFileSync, statSync } from "fs";
+import { createHash } from "crypto";
+import { basename, extname } from "path";
+const MIME_BY_EXT = {
+    ".pdf": "application/pdf",
+};
+const MAX_BYTES = 30 * 1024 * 1024;
+/**
+ * Read a local PDF, hash its bytes, and return everything the scan pipeline
+ * needs to decide whether to skip / re-scan / unlock the file. The hash is
+ * sha256 of the original on-disk bytes (still encrypted if the PDF is
+ * password-protected) — that's what the dedup contract relies on, so we can
+ * recognize the same file across re-scans regardless of unlock state.
+ */
+export function readPdf(path) {
+    const ext = extname(path).toLowerCase();
+    const mime = MIME_BY_EXT[ext];
+    if (!mime) {
+        throw new Error(`Unsupported file extension: ${ext}. Plasalid v1 only ingests PDFs.`);
+    }
+    const stat = statSync(path);
+    if (stat.size > MAX_BYTES) {
+        throw new Error(`File too large (${stat.size} bytes). Limit is ${MAX_BYTES} bytes.`);
+    }
+    const bytes = readFileSync(path);
+    const hash = createHash("sha256").update(bytes).digest("hex");
+    return { bytes, hash, mime, fileName: basename(path) };
+}
+/** Build an Anthropic-compatible document content block from PDF bytes. */
+export function buildDocumentBlock(bytes, fileName, mime = "application/pdf") {
+    return {
+        type: "document",
+        source: { type: "base64", media_type: mime, data: bytes.toString("base64") },
+        title: fileName,
+    };
+}

package/dist/scanner/pdf/state-machine.d.ts

@@ -0,0 +1,60 @@
+import type { StoredPassword } from "./password-store.js";
+/**
+ * Pure state machine for the unlock phase of a single file scan. Side effects
+ * (mupdf calls, prompts, DB reads) live in the orchestrator; this module only
+ * encodes the transition logic so it can be exhaustively unit-tested.
+ */
+export declare const MAX_PASSWORD_ATTEMPTS = 10;
+export type UnlockOutcome = {
+    kind: "plaintext";
+} | {
+    kind: "from-store";
+    storedId: string;
+} | {
+    kind: "from-user";
+    password: string;
+};
+export type UnlockState = {
+    kind: "init";
+} | {
+    kind: "trying-stored";
+    candidates: StoredPassword[];
+} | {
+    kind: "awaiting-user";
+    attempt: number;
+} | {
+    kind: "done";
+    decrypted: Buffer;
+    outcome: UnlockOutcome;
+} | {
+    kind: "failed";
+    reason: string;
+};
+export type UnlockEvent = {
+    kind: "INSPECTED_PLAINTEXT";
+    bytes: Buffer;
+} | {
+    kind: "INSPECTED_ENCRYPTED";
+    candidates: StoredPassword[];
+} | {
+    kind: "STORED_UNLOCK_OK";
+    decrypted: Buffer;
+    usedStoredId: string;
+} | {
+    kind: "STORED_UNLOCK_EXHAUSTED";
+} | {
+    kind: "USER_CANCELLED";
+} | {
+    kind: "UNLOCK_OK";
+    decrypted: Buffer;
+    password: string;
+} | {
+    kind: "UNLOCK_FAIL";
+};
+export declare function isTerminal(state: UnlockState): boolean;
+/**
+ * Pure transition. Throws if the event doesn't make sense for the current state;
+ * the orchestrator never produces such combinations, so reaching the throw is a
+ * programmer error worth surfacing loudly.
+ */
+export declare function transition(state: UnlockState, event: UnlockEvent): UnlockState;

package/dist/scanner/pdf/state-machine.js

@@ -0,0 +1,64 @@
+/**
+ * Pure state machine for the unlock phase of a single file scan. Side effects
+ * (mupdf calls, prompts, DB reads) live in the orchestrator; this module only
+ * encodes the transition logic so it can be exhaustively unit-tested.
+ */
+export const MAX_PASSWORD_ATTEMPTS = 10;
+export function isTerminal(state) {
+    return state.kind === "done" || state.kind === "failed";
+}
+/**
+ * Pure transition. Throws if the event doesn't make sense for the current state;
+ * the orchestrator never produces such combinations, so reaching the throw is a
+ * programmer error worth surfacing loudly.
+ */
+export function transition(state, event) {
+    switch (state.kind) {
+        case "init":
+            if (event.kind === "INSPECTED_PLAINTEXT") {
+                return { kind: "done", decrypted: event.bytes, outcome: { kind: "plaintext" } };
+            }
+            if (event.kind === "INSPECTED_ENCRYPTED") {
+                return { kind: "trying-stored", candidates: event.candidates };
+            }
+            break;
+        case "trying-stored":
+            if (event.kind === "STORED_UNLOCK_OK") {
+                return {
+                    kind: "done",
+                    decrypted: event.decrypted,
+                    outcome: { kind: "from-store", storedId: event.usedStoredId },
+                };
+            }
+            if (event.kind === "STORED_UNLOCK_EXHAUSTED") {
+                return { kind: "awaiting-user", attempt: 1 };
+            }
+            break;
+        case "awaiting-user":
+            if (event.kind === "USER_CANCELLED") {
+                return { kind: "failed", reason: "password required" };
+            }
+            if (event.kind === "UNLOCK_OK") {
+                return {
+                    kind: "done",
+                    decrypted: event.decrypted,
+                    outcome: { kind: "from-user", password: event.password },
+                };
+            }
+            if (event.kind === "UNLOCK_FAIL") {
+                if (state.attempt >= MAX_PASSWORD_ATTEMPTS) {
+                    return {
+                        kind: "failed",
+                        reason: `incorrect password after ${MAX_PASSWORD_ATTEMPTS} attempts`,
+                    };
+                }
+                return { kind: "awaiting-user", attempt: state.attempt + 1 };
+            }
+            break;
+        case "done":
+        case "failed":
+            // Terminal — no further transitions.
+            break;
+    }
+    throw new Error(`Invalid unlock transition: ${state.kind} + ${event.kind}`);
+}

package/dist/scanner/pdf/unlock.d.ts

@@ -0,0 +1,22 @@
+import type Database from "libsql";
+import { type UnlockOutcome } from "./state-machine.js";
+export interface UnlockCtx {
+    db: Database.Database;
+    filePath: string;
+    bytes: Buffer;
+    interactive: boolean;
+}
+/**
+ * Drive the pure unlock state machine to a terminal state, returning the
+ * decrypted bytes and the outcome (plaintext / from-store / from-user) so the
+ * caller can persist passwords or record stored-key usage.
+ */
+export declare function unlockIfNeeded(ctx: UnlockCtx): Promise<{
+    decrypted: Buffer;
+    outcome: UnlockOutcome;
+}>;
+/**
+ * After a successful unlock: bump usage on a stored hit, save a fresh user
+ * password under a filename-pattern key, or no-op for plaintext.
+ */
+export declare function persistUnlockOutcome(db: Database.Database, filePath: string, outcome: UnlockOutcome): void;

package/dist/scanner/pdf/unlock.js

@@ -0,0 +1,121 @@
+import inquirer from "inquirer";
+import { basename } from "path";
+import { config } from "../../config.js";
+import { statusSpinner } from "../../cli/ux.js";
+import { findCandidates, savePassword, recordUse, suggestPattern, } from "./password-store.js";
+import { transition, isTerminal, MAX_PASSWORD_ATTEMPTS, } from "./state-machine.js";
+import { isEncrypted, unlock } from "./pdf-unlock.js";
+/**
+ * Drive the pure unlock state machine to a terminal state, returning the
+ * decrypted bytes and the outcome (plaintext / from-store / from-user) so the
+ * caller can persist passwords or record stored-key usage.
+ */
+export async function unlockIfNeeded(ctx) {
+    let state = { kind: "init" };
+    while (!isTerminal(state)) {
+        const event = await stepUnlock(state, ctx);
+        state = transition(state, event);
+    }
+    if (state.kind === "failed") {
+        throw new Error(state.reason);
+    }
+    if (state.kind !== "done") {
+        throw new Error(`unlock loop exited in non-terminal state ${state.kind}`);
+    }
+    return { decrypted: state.decrypted, outcome: state.outcome };
+}
+async function stepUnlock(state, ctx) {
+    switch (state.kind) {
+        case "init": {
+            const spinner = statusSpinner(`Inspecting ${basename(ctx.filePath)}...`);
+            try {
+                const encrypted = await isEncrypted(ctx.bytes);
+                if (!encrypted) {
+                    spinner.succeed(`${basename(ctx.filePath)} is not encrypted.`);
+                    return { kind: "INSPECTED_PLAINTEXT", bytes: ctx.bytes };
+                }
+                const candidates = findCandidates(ctx.db, ctx.filePath, config.dbEncryptionKey);
+                spinner.info(`${basename(ctx.filePath)} is encrypted (${candidates.length} saved password${candidates.length === 1 ? "" : "s"} match).`);
+                return { kind: "INSPECTED_ENCRYPTED", candidates };
+            }
+            catch (err) {
+                spinner.fail("Inspection failed.");
+                throw err;
+            }
+        }
+        case "trying-stored":
+            return await tryStoredPasswords(ctx.bytes, state.candidates);
+        case "awaiting-user": {
+            if (!ctx.interactive) {
+                return { kind: "USER_CANCELLED" };
+            }
+            const password = await promptForPassword(basename(ctx.filePath), state.attempt);
+            if (!password) {
+                return { kind: "USER_CANCELLED" };
+            }
+            const spinner = statusSpinner("Decrypting...");
+            const result = await unlock(ctx.bytes, password);
+            if (result.ok && result.decrypted) {
+                spinner.succeed("Decrypted.");
+                return { kind: "UNLOCK_OK", decrypted: result.decrypted, password };
+            }
+            spinner.fail(`Incorrect password (attempt ${state.attempt}/${MAX_PASSWORD_ATTEMPTS}).`);
+            return { kind: "UNLOCK_FAIL" };
+        }
+        default:
+            throw new Error(`stepUnlock called with terminal state ${state.kind}`);
+    }
+}
+async function tryStoredPasswords(bytes, candidates) {
+    if (candidates.length === 0) {
+        return { kind: "STORED_UNLOCK_EXHAUSTED" };
+    }
+    const spinner = statusSpinner(`Trying saved password 1/${candidates.length}...`);
+    for (let i = 0; i < candidates.length; i++) {
+        const cand = candidates[i];
+        spinner.text = `Trying saved password ${i + 1}/${candidates.length} (pattern ${cand.pattern})`;
+        const result = await unlock(bytes, cand.password);
+        if (result.ok && result.decrypted) {
+            spinner.succeed(`Unlocked with saved password (pattern ${cand.pattern}).`);
+            return {
+                kind: "STORED_UNLOCK_OK",
+                decrypted: result.decrypted,
+                usedStoredId: cand.id,
+            };
+        }
+    }
+    spinner.info("No saved password matched. Asking the user.");
+    return { kind: "STORED_UNLOCK_EXHAUSTED" };
+}
+async function promptForPassword(fileName, attempt) {
+    const message = attempt === 1
+        ? `This PDF is encrypted. Password for ${fileName}:`
+        : `Password for ${fileName} (attempt ${attempt}/${MAX_PASSWORD_ATTEMPTS}):`;
+    const { password } = await inquirer.prompt([
+        { type: "password", name: "password", mask: "*", message },
+    ]);
+    return String(password ?? "").trim();
+}
+const PERSIST = {
+    plaintext: () => { },
+    "from-store": (db, _filePath, o) => { recordUse(db, o.storedId); },
+    "from-user": (db, filePath, o) => {
+        const pattern = suggestPattern(filePath);
+        const spinner = statusSpinner(`Saving password for pattern ${pattern}...`);
+        try {
+            savePassword(db, pattern, o.password, config.dbEncryptionKey);
+            spinner.succeed(`Saved password for pattern ${pattern} in secure vault.`);
+        }
+        catch (err) {
+            spinner.fail(`Could not save password: ${err instanceof Error ? err.message : String(err)}`);
+            throw err;
+        }
+    },
+};
+/**
+ * After a successful unlock: bump usage on a stored hit, save a fresh user
+ * password under a filename-pattern key, or no-op for plaintext.
+ */
+export function persistUnlockOutcome(db, filePath, outcome) {
+    PERSIST[outcome.kind](db, filePath, outcome);
+}

package/dist/scanner/phase-decrypt.d.ts

@@ -0,0 +1,10 @@
+import type Database from "libsql";
+import type { ScanState } from "./engine.js";
+import type { ScanHooks } from "./hooks.js";
+/**
+ * Phase 1 — walk the data dir, optionally filter by regex, decrypt each file
+ * sequentially (password prompts can't share a TTY). Output partitions into
+ * decrypted / skipped / failed via a kind-keyed dispatch map. Bootstrapped
+ * scanned_files rows are tagged onto each DecryptedFile.
+ */
+export declare function decryptPhase(db: Database.Database, state: ScanState, hooks: ScanHooks): Promise<void>;

package/dist/scanner/phase-decrypt.js

@@ -0,0 +1,80 @@
+import { randomUUID } from "crypto";
+import { readPdf } from "./pdf/pdf.js";
+import { unlockIfNeeded, persistUnlockOutcome } from "./pdf/unlock.js";
+import { scanDataDir } from "./walker.js";
+import { tryExecute } from "./result.js";
+function findScannedByHash(db, hash) {
+    return db
+        .prepare(`SELECT id FROM scanned_files WHERE file_hash = ?`)
+        .get(hash) ?? null;
+}
+async function decryptOne(db, file, opts) {
+    const read = await tryExecute(() => readPdf(file.path));
+    if (!read.ok)
+        return { kind: "failed", error: `read failed: ${read.error}` };
+    const pdf = read.value;
+    const existing = findScannedByHash(db, pdf.hash);
+    if (existing && !opts.force) {
+        return { kind: "skipped", existingScannedFileId: existing.id };
+    }
+    const unlock = await tryExecute(() => unlockIfNeeded({
+        db,
+        filePath: file.path,
+        bytes: pdf.bytes,
+        interactive: opts.interactive,
+    }));
+    if (!unlock.ok)
+        return { kind: "failed", error: unlock.error || "unlock failed" };
+    persistUnlockOutcome(db, file.path, unlock.value.outcome);
+    return {
+        kind: "decrypted",
+        file: {
+            path: file.path,
+            fileName: file.name,
+            relPath: file.relPath,
+            hash: pdf.hash,
+            mime: pdf.mime,
+            decryptedBytes: unlock.value.decrypted,
+            replacesPriorScannedFileId: existing?.id,
+        },
+    };
+}
+const APPLY = {
+    decrypted: (state, _file, o) => { state.decrypted.push(o.file); },
+    skipped: (state, file, o) => { state.skipped.push({ file, existingScannedFileId: o.existingScannedFileId }); },
+    failed: (state, file, o) => { state.failed.push({ file, error: o.error }); },
+};
+/**
+ * Bootstrap one scanned_files row per decrypted file. Chunk workers later
+ * stamp transactions with source_file_id, so the row must exist before any
+ * tool writes hit the DB. Status flips to 'scanned' after parse completes.
+ */
+function bootstrapScannedFiles(db, state) {
+    for (const file of state.decrypted) {
+        if (file.replacesPriorScannedFileId) {
+            db.prepare(`DELETE FROM scanned_files WHERE id = ?`).run(file.replacesPriorScannedFileId);
+        }
+        const sfId = `sf:${randomUUID()}`;
+        db.prepare(`INSERT INTO scanned_files (id, path, file_hash, mime, status) VALUES (?, ?, ?, ?, 'pending')`).run(sfId, file.path, file.hash, file.mime);
+        file.scannedFileId = sfId;
+    }
+}
+/**
+ * Phase 1 — walk the data dir, optionally filter by regex, decrypt each file
+ * sequentially (password prompts can't share a TTY). Output partitions into
+ * decrypted / skipped / failed via a kind-keyed dispatch map. Bootstrapped
+ * scanned_files rows are tagged onto each DecryptedFile.
+ */
+export async function decryptPhase(db, state, hooks) {
+    await hooks.beforeDecrypt?.(state);
+    const matcher = state.options.regex ? new RegExp(state.options.regex, "i") : null;
+    state.files = scanDataDir().filter(f => (matcher ? matcher.test(f.relPath) : true));
+    const interactive = state.options.interactive ?? true;
+    const force = !!state.options.force;
+    for (const file of state.files) {
+        const outcome = await decryptOne(db, file, { force, interactive });
+        APPLY[outcome.kind](state, file, outcome);
+    }
+    bootstrapScannedFiles(db, state);
+    await hooks.afterDecrypt?.(state);
+}

package/dist/scanner/phase-parse.d.ts

@@ -0,0 +1,10 @@
+import type Database from "libsql";
+import type { ScanState } from "./engine.js";
+import type { ScanHooks } from "./hooks.js";
+/**
+ * Phase 3 — fan out FileWorkers in parallel. Each FileWorker fans out its
+ * file's chunks in parallel internally. The scanId + progress sink are
+ * threaded through ScanState; chunk-worker tools write to the DB directly
+ * and tick the progress sink as they go.
+ */
+export declare function parsePhase(db: Database.Database, state: ScanState, hooks: ScanHooks): Promise<void>;

package/dist/scanner/phase-parse.js

@@ -0,0 +1,46 @@
+import { runWithConcurrency } from "./concurrency.js";
+import { runFileWorker } from "./file-worker.js";
+import { errorMessage } from "./result.js";
+const DEFAULT_MAX_FILE_WORKERS = 5;
+const DEFAULT_MAX_CHUNK_WORKERS_PER_FILE = 5;
+const HARD_CAP = 8;
+const clamp = (n, fallback) => Math.min(HARD_CAP, Math.max(1, n ?? fallback));
+/**
+ * Phase 3 — fan out FileWorkers in parallel. Each FileWorker fans out its
+ * file's chunks in parallel internally. The scanId + progress sink are
+ * threaded through ScanState; chunk-worker tools write to the DB directly
+ * and tick the progress sink as they go.
+ */
+export async function parsePhase(db, state, hooks) {
+    await hooks.beforeParse?.(state);
+    const maxFile = clamp(state.options.maxFileWorkers, DEFAULT_MAX_FILE_WORKERS);
+    const maxChunk = clamp(state.options.maxChunkWorkersPerFile, DEFAULT_MAX_CHUNK_WORKERS_PER_FILE);
+    const fileGroups = state.decrypted
+        .map(file => ({
+        fileId: file.path,
+        scannedFileId: file.scannedFileId,
+        chunks: state.chunks.filter(c => c.fileId === file.path),
+    }))
+        .filter(g => g.chunks.length > 0);
+    const tasks = fileGroups.map(group => () => runFileWorker({
+        db,
+        scanId: state.scanId,
+        scannedFileId: group.scannedFileId,
+        progress: state.progress,
+        fileId: group.fileId,
+        chunks: group.chunks,
+        maxChunkWorkers: maxChunk,
+    }, hooks));
+    const settled = await runWithConcurrency(tasks, maxFile);
+    for (let i = 0; i < settled.length; i++) {
+        const r = settled[i];
+        if (!r.ok)
+            state.errors.push({ phase: "parse", target: fileGroups[i].fileId, error: errorMessage(r.error) });
+    }
+    for (const file of state.decrypted) {
+        if (!file.scannedFileId)
+            continue;
+        db.prepare(`UPDATE scanned_files SET status = 'scanned', scanned_at = datetime('now') WHERE id = ?`).run(file.scannedFileId);
+    }
+    await hooks.afterParse?.(state);
+}

package/dist/scanner/phases/chunk.d.ts

@@ -0,0 +1,8 @@
+import type Database from "libsql";
+import type { ScanState } from "../engine.js";
+import type { ScanHooks } from "../hooks.js";
+/**
+ * Phase 2 — turn every decrypted file into a list of single-page Chunks.
+ * Sequential across files (cheap in-memory operation, no contention).
+ */
+export declare function chunkPhase(_db: Database.Database, state: ScanState, hooks: ScanHooks): Promise<void>;

package/dist/scanner/phases/chunk.js

@@ -0,0 +1,13 @@
+import { chunkPdf } from "../chunker.js";
+/**
+ * Phase 2 — turn every decrypted file into a list of single-page Chunks.
+ * Sequential across files (cheap in-memory operation, no contention).
+ */
+export async function chunkPhase(_db, state, hooks) {
+    await hooks.beforeChunk?.(state);
+    for (const file of state.decrypted) {
+        const chunks = await chunkPdf(file);
+        state.chunks.push(...chunks);
+    }
+    await hooks.afterChunk?.(state);
+}

package/dist/scanner/phases/commit.d.ts

@@ -0,0 +1,12 @@
+import type Database from "libsql";
+import { type TransactionInput } from "../../db/queries/transactions.js";
+import type { ScanState } from "../engine.js";
+import type { ScanHooks } from "../hooks.js";
+/**
+ * Phase 5 — flush the shared buffer to the DB. Per-row transactions so one
+ * bad row drops only itself (lands as a scan_commit_failure unknown). Every
+ * successful mutation appends an action_log row keyed to scanId so the run
+ * can be reverted as a unit.
+ */
+export declare function commitPhase(db: Database.Database, state: ScanState, hooks: ScanHooks): Promise<void>;
+export type { TransactionInput };