promptfoo 0.121.4 → 0.121.7

package/dist/src/storage-CA-v9V2v.cjs

@@ -0,0 +1,911 @@
+const require_rolldown_runtime = require("./rolldown-runtime-D_mwlA32.cjs");
+const require_logger = require("./logger-cfNpzI4o.cjs");
+const require_invariant = require("./invariant-QtnLD03y.cjs");
+const require_types = require("./types-CxJvaY2S.cjs");
+const require_fetch = require("./fetch-Dw4XZHjj.cjs");
+const require_server = require("./server-B8rqV126.cjs");
+let fs = require("fs");
+fs = require_rolldown_runtime.__toESM(fs, 1);
+let path = require("path");
+path = require_rolldown_runtime.__toESM(path, 1);
+let dedent = require("dedent");
+dedent = require_rolldown_runtime.__toESM(dedent, 1);
+let fs_promises = require("fs/promises");
+fs_promises = require_rolldown_runtime.__toESM(fs_promises, 1);
+let crypto = require("crypto");
+crypto = require_rolldown_runtime.__toESM(crypto, 1);
+//#region src/util/cloud.ts
+const PERMISSION_CHECK_SERVER_FEATURE_NAME = "config-permission-check-endpoint";
+const PERMISSION_CHECK_SERVER_FEATURE_DATE = "2025-09-03T14:49:11Z";
+/**
+* Makes an authenticated HTTP request to the PromptFoo Cloud API.
+* @param path - The API endpoint path (with or without leading slash)
+* @param method - HTTP method (GET, POST, PUT, DELETE, etc.)
+* @param body - Optional request body that will be JSON stringified
+* @returns Promise resolving to the fetch Response object
+* @throws Error if the request fails due to network or other issues
+*/
+function makeRequest(path, method, body) {
+	const apiHost = require_fetch.cloudConfig.getApiHost();
+	const apiKey = require_fetch.cloudConfig.getApiKey();
+	const url = `${apiHost}/api/v1/${path.startsWith("/") ? path.slice(1) : path}`;
+	try {
+		return require_fetch.fetchWithProxy(url, {
+			method,
+			body: JSON.stringify(body),
+			headers: {
+				Authorization: `Bearer ${apiKey}`,
+				"Content-Type": "application/json"
+			}
+		});
+	} catch (e) {
+		require_logger.logger.error(`[Cloud] Failed to make request to ${url}: ${e}`);
+		if (e.cause) require_logger.logger.error(`Cause: ${e.cause}`);
+		throw e;
+	}
+}
+/**
+* Fetches a provider configuration from PromptFoo Cloud by its ID.
+* @param id - The unique identifier of the cloud provider
+* @returns Promise resolving to provider options with guaranteed id field
+* @throws Error if cloud is not enabled, provider not found, or request fails
+*/
+async function getProviderFromCloud(id) {
+	if (!require_fetch.cloudConfig.isEnabled()) throw new Error(`Could not fetch Provider ${id} from cloud. Cloud config is not enabled. Please run \`promptfoo auth login\` to login.`);
+	try {
+		const response = await makeRequest(`providers/${id}`, "GET");
+		if (!response.ok) {
+			const errorMessage = await response.text();
+			require_logger.logger.error(`[Cloud] Failed to fetch provider from cloud: ${errorMessage}. HTTP Status: ${response.status} -- ${response.statusText}.`);
+			throw new Error(`Failed to fetch provider from cloud: ${response.statusText}`);
+		}
+		const body = await response.json();
+		require_logger.logger.debug(`Provider fetched from cloud: ${id}`);
+		const provider = require_types.ProviderOptionsSchema.parse(body.config);
+		require_invariant.invariant(provider.id, `Provider ${id} has no id in ${body.config}`);
+		return {
+			...provider,
+			id: provider.id
+		};
+	} catch (e) {
+		require_logger.logger.error(`Failed to fetch provider from cloud: ${id}.`);
+		require_logger.logger.error(String(e));
+		throw new Error(`Failed to fetch provider from cloud: ${id}.`);
+	}
+}
+function isRecord(value) {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+async function fetchCloudConfig(path) {
+	const response = await makeRequest(path, "GET");
+	if (!response.ok) {
+		const errorMessage = typeof response.text === "function" ? await response.text() : "";
+		require_logger.logger.error(`[Cloud] Failed to fetch config from cloud: ${errorMessage}. HTTP Status: ${response.status} -- ${response.statusText}.`);
+		throw new Error(`Failed to fetch config from cloud: ${response.statusText}`);
+	}
+	return response.json();
+}
+function looksLikeEvalConfig(config) {
+	return "providers" in config || "providerIds" in config || "prompts" in config || "tests" in config || "testCases" in config;
+}
+function extractEvalConfigPayload(body) {
+	if (!isRecord(body)) throw new Error("Invalid cloud eval config response: expected a JSON object.");
+	const bodyConfig = isRecord(body.config) ? body.config : void 0;
+	if (!bodyConfig) {
+		if (looksLikeEvalConfig(body)) return body;
+		throw new Error("Invalid cloud eval config response: missing \"config\" object.");
+	}
+	const nestedConfig = isRecord(bodyConfig.config) ? bodyConfig.config : void 0;
+	if (!nestedConfig) return {
+		...bodyConfig,
+		...typeof bodyConfig.name !== "string" && typeof body.name === "string" ? { name: body.name } : {}
+	};
+	return {
+		...nestedConfig,
+		...typeof nestedConfig.name !== "string" && typeof bodyConfig.name === "string" ? { name: bodyConfig.name } : {}
+	};
+}
+function normalizeCloudEvalProvider(provider) {
+	if (typeof provider !== "string") return provider;
+	if (provider.startsWith("promptfoo://provider/") || !require_types.isUuid(provider)) return provider;
+	return `${require_fetch.CLOUD_PROVIDER_PREFIX}${provider}`;
+}
+function normalizeCloudEvalPrompt(prompt) {
+	if (typeof prompt === "string") return prompt;
+	if (isRecord(prompt)) {
+		if (typeof prompt.content === "string") return prompt.content;
+		if (typeof prompt.raw === "string") return prompt.raw;
+	}
+	return String(prompt ?? "");
+}
+function normalizeEvalConfig(config) {
+	const providers = Array.isArray(config.providers) ? config.providers : Array.isArray(config.providerIds) ? config.providerIds : [];
+	const prompts = Array.isArray(config.prompts) ? config.prompts : [];
+	const tests = Array.isArray(config.tests) ? config.tests : Array.isArray(config.testCases) ? config.testCases : [];
+	const commandLineOptions = {
+		...isRecord(config.commandLineOptions) ? config.commandLineOptions : {},
+		...config.maxConcurrency == null ? {} : { maxConcurrency: config.maxConcurrency },
+		...config.delay == null ? {} : { delay: config.delay },
+		...config.verbose == null ? {} : { verbose: config.verbose }
+	};
+	const normalizedConfig = {
+		...config,
+		providers: providers.map(normalizeCloudEvalProvider),
+		prompts: prompts.map(normalizeCloudEvalPrompt),
+		tests
+	};
+	if (Object.keys(commandLineOptions).length > 0) normalizedConfig.commandLineOptions = commandLineOptions;
+	else delete normalizedConfig.commandLineOptions;
+	if (typeof config.description === "string" && config.description.trim().length > 0) normalizedConfig.description = config.description;
+	else if (typeof config.name === "string" && config.name.trim().length > 0) normalizedConfig.description = config.name;
+	delete normalizedConfig.providerIds;
+	delete normalizedConfig.testCases;
+	delete normalizedConfig.maxConcurrency;
+	delete normalizedConfig.delay;
+	delete normalizedConfig.verbose;
+	return normalizedConfig;
+}
+/**
+* Fetches an eval configuration from PromptFoo Cloud by ID.
+* The response may contain legacy eval fields, which are normalized into UnifiedConfig.
+* @param id - The unique identifier of the cloud eval configuration
+* @returns Promise resolving to a normalized unified configuration object
+* @throws Error if cloud is not enabled, config not found, or response shape is invalid
+*/
+async function getEvalConfigFromCloud(id) {
+	if (!require_fetch.cloudConfig.isEnabled()) throw new Error(`Could not fetch Config ${id} from cloud. Cloud config is not enabled. Please run \`promptfoo auth login\` to login.`);
+	try {
+		const config = normalizeEvalConfig(extractEvalConfigPayload(await fetchCloudConfig(`configs/${id}`)));
+		require_logger.logger.info(`Eval config fetched from cloud: ${id}`);
+		return config;
+	} catch (e) {
+		require_logger.logger.error(`Failed to fetch eval config from cloud: ${id}.`);
+		require_logger.logger.error(String(e));
+		if (e instanceof Error) throw e;
+		throw new Error(String(e));
+	}
+}
+/**
+* Checks if a provider path represents a cloud-based provider.
+* @param providerPath - The provider path to check
+* @returns True if the path starts with the cloud provider prefix, false otherwise
+*/
+function isCloudProvider(providerPath) {
+	return providerPath.startsWith(require_fetch.CLOUD_PROVIDER_PREFIX);
+}
+/**
+* Extracts the database ID from a cloud provider path.
+* @param providerPath - The cloud provider path
+* @returns The database ID portion of the path
+* @throws Error if the path is not a valid cloud provider path
+*/
+function getCloudDatabaseId(providerPath) {
+	if (!isCloudProvider(providerPath)) throw new Error(`Provider path ${providerPath} is not a cloud provider.`);
+	return providerPath.slice(require_fetch.CLOUD_PROVIDER_PREFIX.length);
+}
+/**
+* Get the plugin severity overrides for a cloud provider.
+* @param cloudProviderId - The cloud provider ID.
+* @returns The plugin severity overrides.
+*/
+async function getPluginSeverityOverridesFromCloud(cloudProviderId) {
+	if (!require_fetch.cloudConfig.isEnabled()) throw new Error(`Could not fetch plugin severity overrides from cloud. Cloud config is not enabled. Please run \`promptfoo auth login\` to login.`);
+	try {
+		const response = await makeRequest(`/providers/${cloudProviderId}`, "GET");
+		if (!response.ok) {
+			const formattedErrorMessage = `Failed to provider from cloud: ${await response.text()}. HTTP Status: ${response.status} -- ${response.statusText}.`;
+			require_logger.logger.error(`[Cloud] ${formattedErrorMessage}`);
+			throw new Error(formattedErrorMessage);
+		}
+		const body = await response.json();
+		if (body.pluginSeverityOverrideId) {
+			const overrideRes = await makeRequest(`/redteam/plugins/severity-overrides/${body.pluginSeverityOverrideId}`, "GET");
+			if (!overrideRes.ok) {
+				const formattedErrorMessage = `Failed to fetch plugin severity override from cloud: ${await overrideRes.text()}. HTTP Status: ${overrideRes.status} -- ${overrideRes.statusText}.`;
+				require_logger.logger.error(`[Cloud] ${formattedErrorMessage}`);
+				throw new Error(formattedErrorMessage);
+			}
+			const pluginSeverityOverride = await overrideRes.json();
+			return {
+				id: pluginSeverityOverride.id,
+				severities: pluginSeverityOverride.members.reduce((acc, member) => ({
+					...acc,
+					[member.pluginId]: member.severity
+				}), {})
+			};
+		} else {
+			require_logger.logger.debug(`No plugin severity overrides found for cloud provider ${cloudProviderId}`);
+			return null;
+		}
+	} catch (e) {
+		require_logger.logger.error(`Failed to fetch plugin severity overrides from cloud.`);
+		require_logger.logger.error(String(e));
+		throw new Error(`Failed to fetch plugin severity overrides from cloud.`);
+	}
+}
+/**
+* Retrieves all teams for the current user from Promptfoo Cloud.
+* @returns Promise resolving to an array of team objects
+* @throws Error if the request fails
+*/
+async function getUserTeams(apiHost, apiKey) {
+	const response = apiHost && apiKey ? await require_fetch.fetchWithProxy(`${apiHost}/api/v1/users/me/teams`, { headers: { Authorization: `Bearer ${apiKey}` } }) : await makeRequest(`/users/me/teams`, "GET");
+	if (!response.ok) throw new Error(`Failed to get user teams: ${response.statusText}`);
+	return await response.json();
+}
+/**
+* Retrieves the default team for the current user from Promptfoo Cloud.
+* The default team is determined as the oldest team by creation date.
+* @returns Promise resolving to an object with team id, name, organizationId, and createdAt
+* @throws Error if the request fails or no teams are found
+*/
+async function getDefaultTeam() {
+	const teams = await getUserTeams();
+	if (teams.length === 0) throw new Error("No teams found for user");
+	const oldestTeam = teams.sort((a, b) => {
+		return new Date(a.createdAt).getTime() - new Date(b.createdAt).getTime();
+	})[0];
+	return {
+		id: oldestTeam.id,
+		name: oldestTeam.name,
+		organizationId: oldestTeam.organizationId,
+		createdAt: oldestTeam.createdAt
+	};
+}
+/**
+* Retrieves a team by its ID.
+* @param teamId - The team ID to look up
+* @returns Promise resolving to an object with team id, name, organizationId, and createdAt
+* @throws Error if the team is not found or not accessible
+*/
+async function getTeamById(teamId) {
+	const team = (await getUserTeams()).find((t) => t.id === teamId);
+	if (!team) throw new Error(`Team with ID '${teamId}' not found or not accessible`);
+	return {
+		id: team.id,
+		name: team.name,
+		organizationId: team.organizationId,
+		createdAt: team.createdAt
+	};
+}
+/**
+* Resolves a team identifier (name, slug, or ID) to a team object.
+* @param identifier - The team name, slug, or ID
+* @returns Promise resolving to an object with team id, name, organizationId, and createdAt
+* @throws Error if the team is not found
+*/
+async function resolveTeamFromIdentifier(identifier) {
+	const teams = await getUserTeams();
+	let team = teams.find((t) => t.id === identifier);
+	if (team) return {
+		id: team.id,
+		name: team.name,
+		organizationId: team.organizationId,
+		createdAt: team.createdAt
+	};
+	team = teams.find((t) => t.name.toLowerCase() === identifier.toLowerCase());
+	if (team) return {
+		id: team.id,
+		name: team.name,
+		organizationId: team.organizationId,
+		createdAt: team.createdAt
+	};
+	team = teams.find((t) => t.slug === identifier);
+	if (team) return {
+		id: team.id,
+		name: team.name,
+		organizationId: team.organizationId,
+		createdAt: team.createdAt
+	};
+	const availableTeams = teams.map((t) => t.name).join(", ");
+	throw new Error(`Team '${identifier}' not found. Available teams: ${availableTeams}`);
+}
+/**
+* Resolves the current team context, checking stored preferences first.
+* @param teamIdentifier - Optional explicit team identifier to use
+* @param fallbackToDefault - Whether to fall back to server default team
+* @returns Promise resolving to an object with team id and name
+* @throws Error if no team can be resolved
+*/
+async function resolveTeamId(teamIdentifier, fallbackToDefault = true) {
+	if (teamIdentifier) {
+		require_logger.logger.debug(`[Team Resolution] Using explicit team identifier: ${teamIdentifier}`);
+		return await resolveTeamFromIdentifier(teamIdentifier);
+	}
+	const currentOrganizationId = require_fetch.cloudConfig.getCurrentOrganizationId();
+	const currentTeamId = require_fetch.cloudConfig.getCurrentTeamId(currentOrganizationId);
+	if (currentTeamId) try {
+		require_logger.logger.debug(`[Team Resolution] Using stored team ID: ${currentTeamId}`);
+		return await getTeamById(currentTeamId);
+	} catch (_error) {
+		require_logger.logger.warn(`[Team Resolution] Stored team ${currentTeamId} no longer accessible, falling back`);
+	}
+	if (fallbackToDefault) {
+		require_logger.logger.debug(`[Team Resolution] Using server default team`);
+		const defaultTeam = await getDefaultTeam();
+		require_fetch.cloudConfig.setCurrentTeamId(defaultTeam.id, defaultTeam.organizationId);
+		require_logger.logger.info(`Using team: ${defaultTeam.name} (use 'promptfoo auth teams set <name>' to change)`);
+		return defaultTeam;
+	}
+	throw new Error("No team specified and no default available");
+}
+/**
+* Custom error class for configuration permission-related failures.
+* Thrown when users lack necessary permissions to use certain cloud features.
+*/
+var ConfigPermissionError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "ConfigPermissionError";
+	}
+};
+/**
+* Converts an array of structured error objects into a human-readable message.
+* @param errors - Array of error objects with type, id, and message fields
+* @returns A comma-separated string of formatted error messages
+*/
+function convertErrorsToReadableMessage(errors) {
+	return errors.map((error) => `${error.type} ${error.id}: ${error.message}`).join(", ");
+}
+/**
+* Validates that the current user has necessary permissions for the given configuration.
+* Checks with PromptFoo Cloud to ensure providers and other resources can be accessed.
+* Gracefully degrades if cloud is disabled or server doesn't support permission checking.
+* @param config - The configuration to validate permissions for
+* @throws ConfigPermissionError if permissions are insufficient (403 responses)
+* @throws Error for other critical permission check failures
+*/
+async function checkCloudPermissions(config) {
+	if (!require_fetch.cloudConfig.isEnabled()) return;
+	if (!config.providers) {
+		require_logger.logger.warn("No providers specified. Skipping permission check.");
+		return;
+	}
+	try {
+		if (!await require_server.checkServerFeatureSupport(PERMISSION_CHECK_SERVER_FEATURE_NAME, PERMISSION_CHECK_SERVER_FEATURE_DATE)) {
+			require_logger.logger.debug(`[Config Permission Check] Server feature ${PERMISSION_CHECK_SERVER_FEATURE_NAME} is not supported. Skipping permission check.`);
+			return;
+		}
+		const { tests, scenarios, defaultTest, evaluateOptions, ...minimalConfig } = config;
+		if (minimalConfig.redteam) minimalConfig.redteam = {};
+		const response = await makeRequest("permissions/check", "POST", { config: minimalConfig });
+		if (!response.ok) {
+			const errorData = await response.json().catch(() => ({ errors: ["Unknown error"] }));
+			const errors = Array.isArray(errorData.errors) ? errorData.errors.map((error) => {
+				if (typeof error === "string") return {
+					type: "config",
+					id: "unknown",
+					message: error
+				};
+				return error;
+			}) : [{
+				type: "config",
+				id: "unknown",
+				message: errorData.error || "Permission check failed"
+			}];
+			if (response.status === 403) throw new ConfigPermissionError(`Permission denied: ${convertErrorsToReadableMessage(errors)}`);
+			require_logger.logger.warn(`Error checking permissions: ${convertErrorsToReadableMessage(errors)}. Continuing anyway.`);
+			return;
+		}
+		const result = await response.json();
+		if (result.errors && result.errors.length > 0) throw new ConfigPermissionError(`Not able to continue with config: ${convertErrorsToReadableMessage(result.errors)}`);
+		require_logger.logger.debug("Permission check passed");
+	} catch (error) {
+		if (error instanceof ConfigPermissionError) throw error;
+		require_logger.logger.warn(`Error checking permissions: ${error}. Continuing anyway.`);
+	}
+}
+/**
+* Given a list of policy IDs, fetches custom policies from Promptfoo Cloud.
+* @param ids - The IDs of the policies to fetch.
+* @param teamId - The ID of the team to fetch policies from. Note that all policies must belong to this team.
+* @returns A map of policy IDs to their texts and severities.
+*/
+async function getPoliciesFromCloud(ids, teamId) {
+	if (!require_fetch.cloudConfig.isEnabled()) throw new Error(`Could not fetch policies from cloud. Cloud config is not enabled. Please run \`promptfoo auth login\` to login.`);
+	try {
+		const searchParams = new URLSearchParams();
+		ids.forEach((id) => {
+			searchParams.append("id", id);
+		});
+		const response = await makeRequest(`/custom-policies/?${searchParams.toString()}&teamId=${teamId}`, "GET");
+		if (!response.ok) {
+			const errorMessage = await response.text();
+			throw new Error(`Failed to fetch policies from cloud: ${errorMessage}. HTTP Status: ${response.status} -- ${response.statusText}.`);
+		}
+		const body = await response.json();
+		const policiesById = /* @__PURE__ */ new Map();
+		body.forEach((policy) => {
+			policiesById.set(policy.id, {
+				text: policy.text,
+				severity: policy.severity,
+				name: policy.name
+			});
+		});
+		return policiesById;
+	} catch (e) {
+		require_logger.logger.error(`Failed to fetch policies from cloud.`);
+		require_logger.logger.error(String(e));
+		throw new Error(`Failed to fetch policies from cloud.`);
+	}
+}
+/**
+* Validates linkedTargetId format and existence.
+* linkedTargetId is a Promptfoo Cloud feature that links custom provider results
+* to an existing target instead of creating duplicates.
+*
+* Validates the prefix and checks existence in cloud. Format validation
+* (e.g., UUID format) is deferred to the cloud API for simplicity.
+*
+* @param linkedTargetId - The linkedTargetId to validate
+* @throws Error if validation fails
+*/
+async function validateLinkedTargetId(linkedTargetId) {
+	if (!isCloudProvider(linkedTargetId)) {
+		const appHost = require_fetch.cloudConfig.getApiHost().replace("/api", "").replace(":3201", "");
+		throw new Error(dedent.default`
+        Invalid linkedTargetId format: "${linkedTargetId}"
+
+        linkedTargetId must start with "${require_fetch.CLOUD_PROVIDER_PREFIX}" followed by a target ID.
+        Example: ${require_fetch.CLOUD_PROVIDER_PREFIX}12345678-1234-1234-1234-123456789abc
+
+        linkedTargetId links your local provider configuration to a cloud target, allowing you to:
+        - Consolidate findings from multiple eval runs
+        - Track performance and vulnerabilities over time
+        - View comprehensive reporting in the cloud dashboard
+
+        To get a valid linkedTargetId:
+        1. Log in to Promptfoo Cloud: ${appHost}
+        2. Navigate to Targets page: ${appHost}/redteam/targets
+        3. Find the target you want to link to and copy its ID
+        4. Format as: ${require_fetch.CLOUD_PROVIDER_PREFIX}<target-id>
+      `);
+	}
+	if (!require_fetch.cloudConfig.isEnabled()) {
+		require_logger.logger.warn("[Cloud] linkedTargetId specified but cloud is not configured", {
+			linkedTargetId,
+			suggestion: "Run 'promptfoo auth login' to enable cloud features"
+		});
+		return;
+	}
+	const providerId = getCloudDatabaseId(linkedTargetId);
+	try {
+		require_logger.logger.debug("[Cloud] Validating linkedTargetId exists in cloud", {
+			linkedTargetId,
+			providerId
+		});
+		await getProviderFromCloud(providerId);
+		require_logger.logger.debug("[Cloud] linkedTargetId validation successful", { linkedTargetId });
+	} catch (error) {
+		require_logger.logger.error("[Cloud] linkedTargetId validation failed", {
+			linkedTargetId,
+			error
+		});
+		const appHost = require_fetch.cloudConfig.getApiHost().replace("/api", "").replace(":3201", "");
+		throw new Error(dedent.default`
+        linkedTargetId not found: "${linkedTargetId}"
+
+        This target doesn't exist in your Promptfoo Cloud organization or you don't have access to it.
+
+        Troubleshooting steps:
+        1. Verify you're logged in to the correct organization
+           Run: promptfoo auth status
+
+        2. Check that the target exists in your cloud dashboard:
+           ${appHost}/redteam/targets
+
+        3. Ensure you have permission to access this target
+           (Targets are scoped to your organization)
+
+        4. Verify the target ID is correct and hasn't been deleted
+      `);
+	}
+}
+/**
+* Fetches the current organization and optional team context for display.
+* Returns null if cloud is not enabled or if fetching fails.
+* @returns Promise resolving to organization name and optional team name, or null
+*/
+async function getOrgContext() {
+	if (!require_fetch.cloudConfig.isEnabled()) return null;
+	try {
+		const apiHost = require_fetch.cloudConfig.getApiHost();
+		const apiKey = require_fetch.cloudConfig.getApiKey();
+		const response = await require_fetch.fetchWithProxy(`${apiHost}/api/v1/users/me`, { headers: { Authorization: `Bearer ${apiKey}` } });
+		if (!response.ok) return null;
+		const { organization } = await response.json();
+		const currentTeamId = require_fetch.cloudConfig.getCurrentTeamId(organization.id);
+		let teamName;
+		if (currentTeamId) try {
+			const team = await getTeamById(currentTeamId);
+			if (team.name !== organization.name) teamName = team.name;
+		} catch {}
+		return {
+			organizationName: organization.name,
+			teamName
+		};
+	} catch {
+		return null;
+	}
+}
+//#endregion
+//#region src/storage/localFileSystemProvider.ts
+/**
+* Local filesystem storage provider for media files.
+*
+* Stores media in the local promptfoo data directory (~/.promptfoo/media).
+* Uses content-based hashing for deduplication.
+*/
+const MEDIA_SUBDIR = "media";
+const HASH_INDEX_FILE = "hash-index.json";
+/**
+* Get file extension from content type
+*/
+function getExtensionFromContentType(contentType) {
+	return {
+		"audio/wav": "wav",
+		"audio/mp3": "mp3",
+		"audio/mpeg": "mp3",
+		"audio/ogg": "ogg",
+		"audio/webm": "webm",
+		"image/png": "png",
+		"image/jpeg": "jpg",
+		"image/jpg": "jpg",
+		"image/gif": "gif",
+		"image/webp": "webp",
+		"video/mp4": "mp4",
+		"video/webm": "webm",
+		"video/ogg": "ogv"
+	}[contentType] || "bin";
+}
+/**
+* Compute SHA-256 hash of data
+*/
+function computeHash(data) {
+	return crypto.createHash("sha256").update(data).digest("hex");
+}
+/**
+* Local filesystem storage provider
+*/
+var LocalFileSystemProvider = class {
+	providerId = "local";
+	basePath;
+	hashIndexPath;
+	hashIndex = /* @__PURE__ */ new Map();
+	constructor(config = {}) {
+		this.basePath = config.basePath || path.join(require_logger.getConfigDirectoryPath(true), MEDIA_SUBDIR);
+		this.hashIndexPath = path.join(this.basePath, HASH_INDEX_FILE);
+		this.ensureDirectory();
+		this.loadHashIndex();
+	}
+	/**
+	* Ensure the media directory exists
+	*/
+	ensureDirectory() {
+		if (!fs.existsSync(this.basePath)) {
+			fs.mkdirSync(this.basePath, { recursive: true });
+			require_logger.logger.debug(`[LocalStorage] Created media directory: ${this.basePath}`);
+		}
+	}
+	/**
+	* Load the hash index from disk
+	*/
+	loadHashIndex() {
+		try {
+			if (fs.existsSync(this.hashIndexPath)) {
+				const data = fs.readFileSync(this.hashIndexPath, "utf8");
+				const parsed = JSON.parse(data);
+				this.hashIndex = new Map(Object.entries(parsed));
+				require_logger.logger.debug(`[LocalStorage] Loaded hash index with ${this.hashIndex.size} entries`);
+			}
+		} catch (error) {
+			require_logger.logger.warn(`[LocalStorage] Failed to load hash index, starting fresh`, { error });
+			this.hashIndex = /* @__PURE__ */ new Map();
+		}
+	}
+	/**
+	* Save the hash index to disk
+	*/
+	async saveHashIndex() {
+		try {
+			const data = JSON.stringify(Object.fromEntries(this.hashIndex), null, 2);
+			await fs_promises.writeFile(this.hashIndexPath, data, "utf8");
+		} catch (error) {
+			require_logger.logger.warn(`[LocalStorage] Failed to save hash index`, { error });
+		}
+	}
+	/**
+	* Get the full path for a storage key
+	*/
+	getFilePath(key) {
+		const targetPath = path.resolve(this.basePath, key);
+		const safeBase = path.resolve(this.basePath) + path.sep;
+		if (!targetPath.startsWith(safeBase)) throw new Error(`[LocalStorage] Invalid media key: path traversal attempt detected ("${key}")`);
+		return targetPath;
+	}
+	/**
+	* Generate a storage key from hash and metadata
+	*/
+	generateKey(hash, metadata) {
+		const extension = getExtensionFromContentType(metadata.contentType);
+		return `${metadata.mediaType || "media"}/${hash.slice(0, 12)}.${extension}`;
+	}
+	async store(data, metadata) {
+		const contentHash = computeHash(data);
+		const existingKey = await this.findByHash(contentHash);
+		if (existingKey) {
+			require_logger.logger.debug(`[LocalStorage] Deduplicated media: ${existingKey}`);
+			return {
+				ref: {
+					provider: this.providerId,
+					key: existingKey,
+					contentHash,
+					metadata
+				},
+				deduplicated: true
+			};
+		}
+		const key = this.generateKey(contentHash, metadata);
+		const filePath = this.getFilePath(key);
+		const dir = path.dirname(filePath);
+		await fs_promises.mkdir(dir, { recursive: true });
+		await fs_promises.writeFile(filePath, data);
+		this.hashIndex.set(contentHash, key);
+		await this.saveHashIndex();
+		const metadataPath = `${filePath}.meta.json`;
+		await fs_promises.writeFile(metadataPath, JSON.stringify({
+			...metadata,
+			contentHash,
+			sizeBytes: data.length,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString()
+		}, null, 2));
+		require_logger.logger.debug(`[LocalStorage] Stored media: ${key} (${data.length} bytes)`);
+		return {
+			ref: {
+				provider: this.providerId,
+				key,
+				contentHash,
+				metadata: {
+					...metadata,
+					sizeBytes: data.length,
+					contentHash
+				}
+			},
+			deduplicated: false
+		};
+	}
+	async retrieve(key) {
+		const filePath = this.getFilePath(key);
+		try {
+			return await fs_promises.readFile(filePath);
+		} catch (error) {
+			if (error.code === "ENOENT") throw new Error(`[LocalStorage] Media not found: ${key}`);
+			throw error;
+		}
+	}
+	async exists(key) {
+		try {
+			const filePath = this.getFilePath(key);
+			await fs_promises.access(filePath);
+			return true;
+		} catch {
+			return false;
+		}
+	}
+	async delete(key) {
+		const filePath = this.getFilePath(key);
+		const metadataPath = `${filePath}.meta.json`;
+		for (const [hash, storedKey] of this.hashIndex.entries()) if (storedKey === key) {
+			this.hashIndex.delete(hash);
+			break;
+		}
+		await this.saveHashIndex();
+		try {
+			await fs_promises.unlink(filePath);
+		} catch (error) {
+			if (error.code !== "ENOENT") throw error;
+		}
+		try {
+			await fs_promises.unlink(metadataPath);
+		} catch (error) {
+			if (error.code !== "ENOENT") throw error;
+		}
+		require_logger.logger.debug(`[LocalStorage] Deleted media: ${key}`);
+	}
+	async getUrl(key, _expiresIn) {
+		try {
+			const filePath = this.getFilePath(key);
+			await fs_promises.access(filePath);
+			return `file://${filePath}`;
+		} catch {
+			return null;
+		}
+	}
+	async findByHash(contentHash) {
+		const key = this.hashIndex.get(contentHash);
+		if (key && await this.exists(key)) return key;
+		if (key) {
+			this.hashIndex.delete(contentHash);
+			await this.saveHashIndex();
+		}
+		return null;
+	}
+	/**
+	* Get the base path for this provider
+	*/
+	getBasePath() {
+		return this.basePath;
+	}
+	/**
+	* Get stats about stored media
+	*/
+	async getStats() {
+		let fileCount = 0;
+		let totalSizeBytes = 0;
+		const walkDir = async (dir) => {
+			let entries;
+			try {
+				entries = await fs_promises.readdir(dir, { withFileTypes: true });
+			} catch (error) {
+				if (error.code === "ENOENT") return;
+				throw error;
+			}
+			for (const entry of entries) {
+				const fullPath = path.join(dir, entry.name);
+				if (entry.isDirectory()) await walkDir(fullPath);
+				else if (!entry.name.endsWith(".json")) try {
+					const stat = await fs_promises.stat(fullPath);
+					fileCount++;
+					totalSizeBytes += stat.size;
+				} catch (error) {
+					if (error.code !== "ENOENT") throw error;
+				}
+			}
+		};
+		await walkDir(this.basePath);
+		return {
+			fileCount,
+			totalSizeBytes
+		};
+	}
+};
+//#endregion
+//#region src/storage/index.ts
+/**
+* Media storage module for promptfoo.
+*
+* Provides abstraction for storing binary media (audio, images, video)
+* separately from the main database.
+*
+* @example
+* ```typescript
+* import { getMediaStorage, storeMedia, retrieveMedia } from './storage';
+*
+* // Store audio data
+* const { ref } = await storeMedia(audioBuffer, {
+*   contentType: 'audio/wav',
+*   mediaType: 'audio',
+*   evalId: 'eval-123',
+* });
+*
+* // Later, retrieve it
+* const buffer = await retrieveMedia(ref.key);
+* ```
+*/
+let defaultProvider = null;
+/**
+* Get the default media storage provider.
+*
+* For OSS, this returns a LocalFileSystemProvider.
+* For cloud deployments, this can be overridden.
+*/
+function getMediaStorage(config) {
+	if (!defaultProvider) {
+		defaultProvider = new LocalFileSystemProvider({ basePath: config?.basePath || require_logger.getEnvString("PROMPTFOO_MEDIA_PATH") });
+		require_logger.logger.debug(`[MediaStorage] Initialized local storage provider`);
+	}
+	return defaultProvider;
+}
+/**
+* Store media data and return a reference
+*/
+async function storeMedia(data, metadata) {
+	return getMediaStorage().store(data, metadata);
+}
+/**
+* Check if media storage should be used based on config/env
+*
+* Returns true if media storage is enabled (default for new installs).
+* Set PROMPTFOO_INLINE_MEDIA=true to disable and use legacy inline base64.
+*/
+function isMediaStorageEnabled() {
+	const inline = require_logger.getEnvString("PROMPTFOO_INLINE_MEDIA");
+	return inline !== "true" && inline !== "1";
+}
+//#endregion
+Object.defineProperty(exports, "checkCloudPermissions", {
+	enumerable: true,
+	get: function() {
+		return checkCloudPermissions;
+	}
+});
+Object.defineProperty(exports, "getCloudDatabaseId", {
+	enumerable: true,
+	get: function() {
+		return getCloudDatabaseId;
+	}
+});
+Object.defineProperty(exports, "getEvalConfigFromCloud", {
+	enumerable: true,
+	get: function() {
+		return getEvalConfigFromCloud;
+	}
+});
+Object.defineProperty(exports, "getMediaStorage", {
+	enumerable: true,
+	get: function() {
+		return getMediaStorage;
+	}
+});
+Object.defineProperty(exports, "getOrgContext", {
+	enumerable: true,
+	get: function() {
+		return getOrgContext;
+	}
+});
+Object.defineProperty(exports, "getPluginSeverityOverridesFromCloud", {
+	enumerable: true,
+	get: function() {
+		return getPluginSeverityOverridesFromCloud;
+	}
+});
+Object.defineProperty(exports, "getPoliciesFromCloud", {
+	enumerable: true,
+	get: function() {
+		return getPoliciesFromCloud;
+	}
+});
+Object.defineProperty(exports, "getProviderFromCloud", {
+	enumerable: true,
+	get: function() {
+		return getProviderFromCloud;
+	}
+});
+Object.defineProperty(exports, "isCloudProvider", {
+	enumerable: true,
+	get: function() {
+		return isCloudProvider;
+	}
+});
+Object.defineProperty(exports, "isMediaStorageEnabled", {
+	enumerable: true,
+	get: function() {
+		return isMediaStorageEnabled;
+	}
+});
+Object.defineProperty(exports, "makeRequest", {
+	enumerable: true,
+	get: function() {
+		return makeRequest;
+	}
+});
+Object.defineProperty(exports, "resolveTeamId", {
+	enumerable: true,
+	get: function() {
+		return resolveTeamId;
+	}
+});
+Object.defineProperty(exports, "storeMedia", {
+	enumerable: true,
+	get: function() {
+		return storeMedia;
+	}
+});
+Object.defineProperty(exports, "validateLinkedTargetId", {
+	enumerable: true,
+	get: function() {
+		return validateLinkedTargetId;
+	}
+});
+
+//# sourceMappingURL=storage-CA-v9V2v.cjs.map