studiograph 1.3.48-next.21 → 1.3.48-next.211
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +26 -16
- package/dist/agent/agent-pool.d.ts +87 -3
- package/dist/agent/agent-pool.js +188 -15
- package/dist/agent/agent-pool.js.map +1 -1
- package/dist/agent/followups.d.ts +34 -0
- package/dist/agent/followups.js +52 -0
- package/dist/agent/followups.js.map +1 -0
- package/dist/agent/orchestrator.d.ts +101 -4
- package/dist/agent/orchestrator.js +464 -66
- package/dist/agent/orchestrator.js.map +1 -1
- package/dist/agent/prompts/entity-types-section.d.ts +34 -0
- package/dist/agent/prompts/entity-types-section.js +76 -0
- package/dist/agent/prompts/entity-types-section.js.map +1 -0
- package/dist/agent/prompts/system.md +112 -54
- package/dist/agent/skill-loader.d.ts +30 -17
- package/dist/agent/skill-loader.js +63 -30
- package/dist/agent/skill-loader.js.map +1 -1
- package/dist/agent/skills/artifact-canvas/skill.md +152 -0
- package/dist/agent/skills/entity-schema.md +75 -431
- package/dist/agent/skills/interview/entity-templates.md +38 -37
- package/dist/agent/skills/interview/question-domains.md +54 -49
- package/dist/agent/skills/interview/skill.md +84 -16
- package/dist/agent/skills/schema-rules.md +28 -28
- package/dist/agent/tools/artifact-tools.d.ts +124 -0
- package/dist/agent/tools/artifact-tools.js +207 -0
- package/dist/agent/tools/artifact-tools.js.map +1 -0
- package/dist/agent/tools/capture-tools.d.ts +31 -0
- package/dist/agent/tools/capture-tools.js +40 -0
- package/dist/agent/tools/capture-tools.js.map +1 -0
- package/dist/agent/tools/folder-tools.d.ts +47 -0
- package/dist/agent/tools/folder-tools.js +249 -0
- package/dist/agent/tools/folder-tools.js.map +1 -0
- package/dist/agent/tools/fs-tools.d.ts +6 -5
- package/dist/agent/tools/fs-tools.js +5 -5
- package/dist/agent/tools/fs-tools.js.map +1 -1
- package/dist/agent/tools/graph-tools.d.ts +48 -72
- package/dist/agent/tools/graph-tools.js +852 -329
- package/dist/agent/tools/graph-tools.js.map +1 -1
- package/dist/agent/tools/history-tools.d.ts +95 -0
- package/dist/agent/tools/history-tools.js +461 -0
- package/dist/agent/tools/history-tools.js.map +1 -0
- package/dist/agent/tools/load-skill.d.ts +6 -5
- package/dist/agent/tools/load-skill.js +3 -3
- package/dist/agent/tools/load-skill.js.map +1 -1
- package/dist/agent/tools/ops-tools.d.ts +5 -4
- package/dist/agent/tools/ops-tools.js +130 -236
- package/dist/agent/tools/ops-tools.js.map +1 -1
- package/dist/agent/tools/permission-tools.d.ts +87 -17
- package/dist/agent/tools/permission-tools.js +233 -43
- package/dist/agent/tools/permission-tools.js.map +1 -1
- package/dist/agent/tools/tool-loader.js +5 -4
- package/dist/agent/tools/tool-loader.js.map +1 -1
- package/dist/agent/tools/web-tools.js +58 -9
- package/dist/agent/tools/web-tools.js.map +1 -1
- package/dist/cli/commands/about.d.ts +1 -0
- package/dist/cli/commands/about.js +55 -3
- package/dist/cli/commands/about.js.map +1 -1
- package/dist/cli/commands/admin/audit-workspace.d.ts +23 -0
- package/dist/cli/commands/admin/audit-workspace.js +133 -0
- package/dist/cli/commands/admin/audit-workspace.js.map +1 -0
- package/dist/cli/commands/admin/audit.d.ts +21 -0
- package/dist/cli/commands/admin/audit.js +174 -0
- package/dist/cli/commands/admin/audit.js.map +1 -0
- package/dist/cli/commands/admin/backup.d.ts +54 -0
- package/dist/cli/commands/admin/backup.js +207 -0
- package/dist/cli/commands/admin/backup.js.map +1 -0
- package/dist/cli/commands/admin/folder.d.ts +11 -0
- package/dist/cli/commands/{collection.js → admin/folder.js} +33 -32
- package/dist/cli/commands/admin/folder.js.map +1 -0
- package/dist/cli/commands/admin/index.d.ts +16 -0
- package/dist/cli/commands/admin/index.js +46 -0
- package/dist/cli/commands/admin/index.js.map +1 -0
- package/dist/cli/commands/admin/migrate-assets.d.ts +53 -0
- package/dist/cli/commands/admin/migrate-assets.js +184 -0
- package/dist/cli/commands/admin/migrate-assets.js.map +1 -0
- package/dist/cli/commands/admin/migrate.d.ts +56 -0
- package/dist/cli/commands/admin/migrate.js +263 -0
- package/dist/cli/commands/admin/migrate.js.map +1 -0
- package/dist/cli/commands/admin/restore.d.ts +24 -0
- package/dist/cli/commands/admin/restore.js +228 -0
- package/dist/cli/commands/admin/restore.js.map +1 -0
- package/dist/cli/commands/admin/secrets.d.ts +23 -0
- package/dist/cli/commands/admin/secrets.js +256 -0
- package/dist/cli/commands/admin/secrets.js.map +1 -0
- package/dist/cli/commands/admin/settings.d.ts +28 -0
- package/dist/cli/commands/admin/settings.js +284 -0
- package/dist/cli/commands/admin/settings.js.map +1 -0
- package/dist/cli/commands/admin/token.d.ts +42 -0
- package/dist/cli/commands/admin/token.js +126 -0
- package/dist/cli/commands/admin/token.js.map +1 -0
- package/dist/cli/commands/admin/transfer-ownership.d.ts +15 -0
- package/dist/cli/commands/admin/transfer-ownership.js +106 -0
- package/dist/cli/commands/admin/transfer-ownership.js.map +1 -0
- package/dist/cli/commands/admin/user.d.ts +11 -0
- package/dist/cli/commands/admin/user.js +187 -0
- package/dist/cli/commands/admin/user.js.map +1 -0
- package/dist/cli/commands/clone.d.ts +25 -3
- package/dist/cli/commands/clone.js +142 -36
- package/dist/cli/commands/clone.js.map +1 -1
- package/dist/cli/commands/config.d.ts +23 -107
- package/dist/cli/commands/config.js +52 -260
- package/dist/cli/commands/config.js.map +1 -1
- package/dist/cli/commands/connector.d.ts +10 -13
- package/dist/cli/commands/connector.js +16 -58
- package/dist/cli/commands/connector.js.map +1 -1
- package/dist/cli/commands/deploy.js +215 -68
- package/dist/cli/commands/deploy.js.map +1 -1
- package/dist/cli/commands/index.js +5 -1
- package/dist/cli/commands/index.js.map +1 -1
- package/dist/cli/commands/init.js +10 -30
- package/dist/cli/commands/init.js.map +1 -1
- package/dist/cli/commands/mcp.js +54 -6
- package/dist/cli/commands/mcp.js.map +1 -1
- package/dist/cli/commands/r2.d.ts +3 -0
- package/dist/cli/commands/r2.js +223 -204
- package/dist/cli/commands/r2.js.map +1 -1
- package/dist/cli/commands/redeploy.js +65 -12
- package/dist/cli/commands/redeploy.js.map +1 -1
- package/dist/cli/commands/reset.d.ts +22 -6
- package/dist/cli/commands/reset.js +132 -34
- package/dist/cli/commands/reset.js.map +1 -1
- package/dist/cli/commands/serve.js +231 -26
- package/dist/cli/commands/serve.js.map +1 -1
- package/dist/cli/commands/sync.d.ts +1 -1
- package/dist/cli/commands/sync.js +237 -227
- package/dist/cli/commands/sync.js.map +1 -1
- package/dist/cli/crypto-bundle.d.ts +39 -0
- package/dist/cli/crypto-bundle.js +94 -0
- package/dist/cli/crypto-bundle.js.map +1 -0
- package/dist/cli/index.js +24 -26
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/railway-pin.d.ts +68 -0
- package/dist/cli/railway-pin.js +96 -0
- package/dist/cli/railway-pin.js.map +1 -0
- package/dist/cli/railway-provisioning.d.ts +53 -0
- package/dist/cli/railway-provisioning.js +85 -0
- package/dist/cli/railway-provisioning.js.map +1 -0
- package/dist/cli/setup-wizard.d.ts +30 -49
- package/dist/cli/setup-wizard.js +39 -40
- package/dist/cli/setup-wizard.js.map +1 -1
- package/dist/core/accent-palette.d.ts +22 -0
- package/dist/core/accent-palette.js +47 -0
- package/dist/core/accent-palette.js.map +1 -0
- package/dist/core/artifact-asset-urls.d.ts +51 -0
- package/dist/core/artifact-asset-urls.js +79 -0
- package/dist/core/artifact-asset-urls.js.map +1 -0
- package/dist/core/artifact-bundle.d.ts +69 -0
- package/dist/core/artifact-bundle.js +305 -0
- package/dist/core/artifact-bundle.js.map +1 -0
- package/dist/core/artifact-escape.d.ts +5 -0
- package/dist/core/artifact-escape.js +26 -0
- package/dist/core/artifact-escape.js.map +1 -0
- package/dist/core/artifact-export.d.ts +17 -0
- package/dist/core/artifact-export.js +529 -0
- package/dist/core/artifact-export.js.map +1 -0
- package/dist/core/cell-anchor.d.ts +29 -0
- package/dist/core/cell-anchor.js +53 -0
- package/dist/core/cell-anchor.js.map +1 -0
- package/dist/core/comment-anchor.d.ts +41 -0
- package/dist/core/comment-anchor.js +147 -0
- package/dist/core/comment-anchor.js.map +1 -0
- package/dist/core/commit-messages.d.ts +57 -0
- package/dist/core/commit-messages.js +85 -0
- package/dist/core/commit-messages.js.map +1 -0
- package/dist/core/embeds.d.ts +96 -0
- package/dist/core/embeds.js +196 -0
- package/dist/core/embeds.js.map +1 -0
- package/dist/core/entity-body-templates.d.ts +21 -0
- package/dist/core/entity-body-templates.js +67 -0
- package/dist/core/entity-body-templates.js.map +1 -0
- package/dist/core/entity-types-catalog.d.ts +65 -0
- package/dist/core/entity-types-catalog.js +142 -0
- package/dist/core/entity-types-catalog.js.map +1 -0
- package/dist/core/field-library.d.ts +62 -0
- package/dist/core/field-library.js +129 -0
- package/dist/core/field-library.js.map +1 -0
- package/dist/core/folder-paths.d.ts +41 -0
- package/dist/core/folder-paths.js +95 -0
- package/dist/core/folder-paths.js.map +1 -0
- package/dist/core/folder-sidecar.d.ts +36 -0
- package/dist/core/folder-sidecar.js +91 -0
- package/dist/core/folder-sidecar.js.map +1 -0
- package/dist/core/format-registry.d.ts +170 -0
- package/dist/core/format-registry.js +412 -0
- package/dist/core/format-registry.js.map +1 -0
- package/dist/core/graph.d.ts +773 -14
- package/dist/core/graph.js +2269 -308
- package/dist/core/graph.js.map +1 -1
- package/dist/core/history-diff.d.ts +35 -0
- package/dist/core/history-diff.js +114 -0
- package/dist/core/history-diff.js.map +1 -0
- package/dist/core/refs.d.ts +41 -0
- package/dist/core/refs.js +80 -0
- package/dist/core/refs.js.map +1 -0
- package/dist/core/schema-registry.d.ts +66 -0
- package/dist/core/schema-registry.js +198 -37
- package/dist/core/schema-registry.js.map +1 -1
- package/dist/core/schemas/connector.d.ts +67 -0
- package/dist/core/schemas/connector.js +100 -0
- package/dist/core/schemas/connector.js.map +1 -0
- package/dist/core/schemas/workspace.d.ts +122 -0
- package/dist/core/schemas/workspace.js +211 -0
- package/dist/core/schemas/workspace.js.map +1 -0
- package/dist/core/secrets/SecretStore.d.ts +77 -0
- package/dist/core/secrets/SecretStore.js +13 -0
- package/dist/core/secrets/SecretStore.js.map +1 -0
- package/dist/core/secrets/SettingsResolver.d.ts +54 -0
- package/dist/core/secrets/SettingsResolver.js +80 -0
- package/dist/core/secrets/SettingsResolver.js.map +1 -0
- package/dist/core/secrets/SettingsStore.d.ts +30 -0
- package/dist/core/secrets/SettingsStore.js +9 -0
- package/dist/core/secrets/SettingsStore.js.map +1 -0
- package/dist/core/secrets/SqliteEncryptedStore.d.ts +90 -0
- package/dist/core/secrets/SqliteEncryptedStore.js +598 -0
- package/dist/core/secrets/SqliteEncryptedStore.js.map +1 -0
- package/dist/core/secrets/audit.d.ts +36 -0
- package/dist/core/secrets/audit.js +60 -0
- package/dist/core/secrets/audit.js.map +1 -0
- package/dist/core/secrets/auth-db-migration.d.ts +129 -0
- package/dist/core/secrets/auth-db-migration.js +653 -0
- package/dist/core/secrets/auth-db-migration.js.map +1 -0
- package/dist/core/secrets/bundle.d.ts +141 -0
- package/dist/core/secrets/bundle.js +435 -0
- package/dist/core/secrets/bundle.js.map +1 -0
- package/dist/core/secrets/dual-write.d.ts +81 -0
- package/dist/core/secrets/dual-write.js +247 -0
- package/dist/core/secrets/dual-write.js.map +1 -0
- package/dist/core/secrets/encryption.d.ts +44 -0
- package/dist/core/secrets/encryption.js +97 -0
- package/dist/core/secrets/encryption.js.map +1 -0
- package/dist/core/secrets/index.d.ts +49 -0
- package/dist/core/secrets/index.js +74 -0
- package/dist/core/secrets/index.js.map +1 -0
- package/dist/core/secrets/master-key.d.ts +38 -0
- package/dist/core/secrets/master-key.js +122 -0
- package/dist/core/secrets/master-key.js.map +1 -0
- package/dist/core/secrets/probes/anthropic.d.ts +98 -0
- package/dist/core/secrets/probes/anthropic.js +300 -0
- package/dist/core/secrets/probes/anthropic.js.map +1 -0
- package/dist/core/secrets/probes/brave.d.ts +9 -0
- package/dist/core/secrets/probes/brave.js +15 -0
- package/dist/core/secrets/probes/brave.js.map +1 -0
- package/dist/core/secrets/probes/r2.d.ts +15 -0
- package/dist/core/secrets/probes/r2.js +14 -0
- package/dist/core/secrets/probes/r2.js.map +1 -0
- package/dist/core/secrets/probes/tavily.d.ts +18 -0
- package/dist/core/secrets/probes/tavily.js +58 -0
- package/dist/core/secrets/probes/tavily.js.map +1 -0
- package/dist/core/secrets/probes/voyage.d.ts +13 -0
- package/dist/core/secrets/probes/voyage.js +52 -0
- package/dist/core/secrets/probes/voyage.js.map +1 -0
- package/dist/core/secrets/r2-structural-migration.d.ts +39 -0
- package/dist/core/secrets/r2-structural-migration.js +109 -0
- package/dist/core/secrets/r2-structural-migration.js.map +1 -0
- package/dist/core/secrets/read-flip.d.ts +59 -0
- package/dist/core/secrets/read-flip.js +87 -0
- package/dist/core/secrets/read-flip.js.map +1 -0
- package/dist/core/secrets/registry.d.ts +188 -0
- package/dist/core/secrets/registry.js +616 -0
- package/dist/core/secrets/registry.js.map +1 -0
- package/dist/core/types.d.ts +77 -483
- package/dist/core/types.js +25 -3
- package/dist/core/types.js.map +1 -1
- package/dist/core/user-config.d.ts +75 -12
- package/dist/core/user-config.js +155 -14
- package/dist/core/user-config.js.map +1 -1
- package/dist/core/validation.d.ts +786 -1373
- package/dist/core/validation.js +458 -147
- package/dist/core/validation.js.map +1 -1
- package/dist/core/workspace-manager.d.ts +87 -14
- package/dist/core/workspace-manager.js +222 -94
- package/dist/core/workspace-manager.js.map +1 -1
- package/dist/core/workspace.d.ts +19 -5
- package/dist/core/workspace.js +67 -39
- package/dist/core/workspace.js.map +1 -1
- package/dist/mcp/comment-virtual-entity.d.ts +36 -0
- package/dist/mcp/comment-virtual-entity.js +71 -0
- package/dist/mcp/comment-virtual-entity.js.map +1 -0
- package/dist/mcp/connector-manager.d.ts +72 -2
- package/dist/mcp/connector-manager.js +211 -32
- package/dist/mcp/connector-manager.js.map +1 -1
- package/dist/mcp/oauth-provider.d.ts +0 -5
- package/dist/mcp/oauth-provider.js +10 -22
- package/dist/mcp/oauth-provider.js.map +1 -1
- package/dist/mcp/oauth-registry.d.ts +46 -8
- package/dist/mcp/oauth-registry.js +52 -13
- package/dist/mcp/oauth-registry.js.map +1 -1
- package/dist/mcp/server-discovery.d.ts +73 -0
- package/dist/mcp/server-discovery.js +164 -0
- package/dist/mcp/server-discovery.js.map +1 -0
- package/dist/mcp/server.d.ts +24 -3
- package/dist/mcp/server.js +53 -10
- package/dist/mcp/server.js.map +1 -1
- package/dist/mcp/state-signer.d.ts +62 -0
- package/dist/mcp/state-signer.js +205 -0
- package/dist/mcp/state-signer.js.map +1 -0
- package/dist/mcp/stdio-proxy.d.ts +67 -0
- package/dist/mcp/stdio-proxy.js +149 -0
- package/dist/mcp/stdio-proxy.js.map +1 -0
- package/dist/mcp/tools.d.ts +65 -2
- package/dist/mcp/tools.js +1772 -124
- package/dist/mcp/tools.js.map +1 -1
- package/dist/server/__tests__/helpers/graph-api.d.ts +16 -0
- package/dist/server/__tests__/helpers/graph-api.js +16 -0
- package/dist/server/__tests__/helpers/graph-api.js.map +1 -0
- package/dist/server/artifact-asset-mint.d.ts +41 -0
- package/dist/server/artifact-asset-mint.js +59 -0
- package/dist/server/artifact-asset-mint.js.map +1 -0
- package/dist/server/asset-index-queue.d.ts +98 -0
- package/dist/server/asset-index-queue.js +193 -0
- package/dist/server/asset-index-queue.js.map +1 -0
- package/dist/server/body-write-coordinator.d.ts +161 -0
- package/dist/server/body-write-coordinator.js +182 -0
- package/dist/server/body-write-coordinator.js.map +1 -0
- package/dist/server/cloud-billing-flow.d.ts +32 -0
- package/dist/server/cloud-billing-flow.js +75 -0
- package/dist/server/cloud-billing-flow.js.map +1 -0
- package/dist/server/commit-audit.d.ts +26 -0
- package/dist/server/commit-audit.js +30 -0
- package/dist/server/commit-audit.js.map +1 -0
- package/dist/server/index.d.ts +29 -3
- package/dist/server/index.js +657 -269
- package/dist/server/index.js.map +1 -1
- package/dist/server/middleware/sanitize.d.ts +46 -0
- package/dist/server/middleware/sanitize.js +182 -0
- package/dist/server/middleware/sanitize.js.map +1 -0
- package/dist/server/routes/artifact-export-api.d.ts +11 -0
- package/dist/server/routes/artifact-export-api.js +159 -0
- package/dist/server/routes/artifact-export-api.js.map +1 -0
- package/dist/server/routes/asset-api.d.ts +76 -1
- package/dist/server/routes/asset-api.js +761 -61
- package/dist/server/routes/asset-api.js.map +1 -1
- package/dist/server/routes/audit-api.d.ts +24 -0
- package/dist/server/routes/audit-api.js +117 -0
- package/dist/server/routes/audit-api.js.map +1 -0
- package/dist/server/routes/auth-api.js +532 -63
- package/dist/server/routes/auth-api.js.map +1 -1
- package/dist/server/routes/capture-api.d.ts +10 -3
- package/dist/server/routes/capture-api.js +213 -25
- package/dist/server/routes/capture-api.js.map +1 -1
- package/dist/server/routes/chat-sessions-api.d.ts +13 -0
- package/dist/server/routes/chat-sessions-api.js +455 -0
- package/dist/server/routes/chat-sessions-api.js.map +1 -0
- package/dist/server/routes/chat.d.ts +35 -1
- package/dist/server/routes/chat.js +699 -54
- package/dist/server/routes/chat.js.map +1 -1
- package/dist/server/routes/comments-api.d.ts +15 -0
- package/dist/server/routes/comments-api.js +444 -0
- package/dist/server/routes/comments-api.js.map +1 -0
- package/dist/server/routes/config-api.d.ts +3 -2
- package/dist/server/routes/config-api.js +179 -49
- package/dist/server/routes/config-api.js.map +1 -1
- package/dist/server/routes/connectors-api.js +177 -42
- package/dist/server/routes/connectors-api.js.map +1 -1
- package/dist/server/routes/event-ingest-api.d.ts +15 -0
- package/dist/server/routes/{meeting-ingest-api.js → event-ingest-api.js} +35 -20
- package/dist/server/routes/event-ingest-api.js.map +1 -0
- package/dist/server/routes/field-library-api.d.ts +28 -0
- package/dist/server/routes/field-library-api.js +126 -0
- package/dist/server/routes/field-library-api.js.map +1 -0
- package/dist/server/routes/git-http.d.ts +2 -2
- package/dist/server/routes/git-http.js +86 -39
- package/dist/server/routes/git-http.js.map +1 -1
- package/dist/server/routes/graph-api-access.d.ts +57 -0
- package/dist/server/routes/graph-api-access.js +112 -0
- package/dist/server/routes/graph-api-access.js.map +1 -0
- package/dist/server/routes/graph-api.d.ts +1 -1
- package/dist/server/routes/graph-api.js +1455 -325
- package/dist/server/routes/graph-api.js.map +1 -1
- package/dist/server/routes/health.d.ts +18 -0
- package/dist/server/routes/health.js +74 -0
- package/dist/server/routes/health.js.map +1 -0
- package/dist/server/routes/import-batch.d.ts +24 -0
- package/dist/server/routes/import-batch.js +33 -0
- package/dist/server/routes/import-batch.js.map +1 -0
- package/dist/server/routes/insights-api.d.ts +9 -2
- package/dist/server/routes/insights-api.js +355 -61
- package/dist/server/routes/insights-api.js.map +1 -1
- package/dist/server/routes/mcp.d.ts +7 -3
- package/dist/server/routes/mcp.js +24 -8
- package/dist/server/routes/mcp.js.map +1 -1
- package/dist/server/routes/oauth-api.d.ts +67 -0
- package/dist/server/routes/oauth-api.js +421 -0
- package/dist/server/routes/oauth-api.js.map +1 -0
- package/dist/server/routes/permissions-api.d.ts +9 -2
- package/dist/server/routes/permissions-api.js +87 -31
- package/dist/server/routes/permissions-api.js.map +1 -1
- package/dist/server/routes/r2-api.d.ts +25 -0
- package/dist/server/routes/r2-api.js +276 -0
- package/dist/server/routes/r2-api.js.map +1 -0
- package/dist/server/routes/secrets-api.d.ts +36 -0
- package/dist/server/routes/secrets-api.js +308 -0
- package/dist/server/routes/secrets-api.js.map +1 -0
- package/dist/server/routes/settings-api.d.ts +29 -0
- package/dist/server/routes/settings-api.js +180 -0
- package/dist/server/routes/settings-api.js.map +1 -0
- package/dist/server/routes/share-api.d.ts +32 -0
- package/dist/server/routes/share-api.js +234 -0
- package/dist/server/routes/share-api.js.map +1 -0
- package/dist/server/routes/views-api.js +51 -0
- package/dist/server/routes/views-api.js.map +1 -1
- package/dist/server/routes/workspace-api.d.ts +2 -1
- package/dist/server/routes/workspace-api.js +142 -23
- package/dist/server/routes/workspace-api.js.map +1 -1
- package/dist/server/routes/ws.d.ts +3 -2
- package/dist/server/routes/ws.js +68 -17
- package/dist/server/routes/ws.js.map +1 -1
- package/dist/server/session-manager.d.ts +48 -5
- package/dist/server/session-manager.js +182 -14
- package/dist/server/session-manager.js.map +1 -1
- package/dist/server/ws-hub.d.ts +124 -37
- package/dist/server/ws-hub.js +0 -0
- package/dist/server/ws-hub.js.map +1 -1
- package/dist/server/yjs-manager.d.ts +278 -7
- package/dist/server/yjs-manager.js +830 -38
- package/dist/server/yjs-manager.js.map +1 -1
- package/dist/server/yjs-persistence.d.ts +165 -0
- package/dist/server/yjs-persistence.js +557 -0
- package/dist/server/yjs-persistence.js.map +1 -0
- package/dist/server/yjs-text-diff.d.ts +32 -0
- package/dist/server/yjs-text-diff.js +61 -0
- package/dist/server/yjs-text-diff.js.map +1 -0
- package/dist/services/access-control.d.ts +73 -0
- package/dist/services/access-control.js +165 -0
- package/dist/services/access-control.js.map +1 -0
- package/dist/services/artifact-asset-token.d.ts +69 -0
- package/dist/services/artifact-asset-token.js +94 -0
- package/dist/services/artifact-asset-token.js.map +1 -0
- package/dist/services/artifact-library-sources.d.ts +3 -0
- package/dist/services/artifact-library-sources.js +44 -0
- package/dist/services/artifact-library-sources.js.map +1 -0
- package/dist/services/artifact-render-export.d.ts +97 -0
- package/dist/services/artifact-render-export.js +467 -0
- package/dist/services/artifact-render-export.js.map +1 -0
- package/dist/services/asset-caption-service.d.ts +103 -0
- package/dist/services/asset-caption-service.js +186 -0
- package/dist/services/asset-caption-service.js.map +1 -0
- package/dist/services/asset-delete-authz.d.ts +31 -0
- package/dist/services/asset-delete-authz.js +61 -0
- package/dist/services/asset-delete-authz.js.map +1 -0
- package/dist/services/asset-finalize-service.d.ts +58 -0
- package/dist/services/asset-finalize-service.js +216 -0
- package/dist/services/asset-finalize-service.js.map +1 -0
- package/dist/services/asset-import-service.d.ts +111 -0
- package/dist/services/asset-import-service.js +394 -0
- package/dist/services/asset-import-service.js.map +1 -0
- package/dist/services/asset-index-sweep.d.ts +95 -0
- package/dist/services/asset-index-sweep.js +249 -0
- package/dist/services/asset-index-sweep.js.map +1 -0
- package/dist/services/asset-lifecycle-check.d.ts +22 -0
- package/dist/services/asset-lifecycle-check.js +80 -0
- package/dist/services/asset-lifecycle-check.js.map +1 -0
- package/dist/services/asset-listing.d.ts +72 -0
- package/dist/services/asset-listing.js +321 -0
- package/dist/services/asset-listing.js.map +1 -0
- package/dist/services/asset-presign-service.d.ts +68 -0
- package/dist/services/asset-presign-service.js +124 -0
- package/dist/services/asset-presign-service.js.map +1 -0
- package/dist/services/asset-sidecar-service.d.ts +28 -0
- package/dist/services/asset-sidecar-service.js +79 -0
- package/dist/services/asset-sidecar-service.js.map +1 -0
- package/dist/services/asset-upload-errors.d.ts +41 -0
- package/dist/services/asset-upload-errors.js +45 -0
- package/dist/services/asset-upload-errors.js.map +1 -0
- package/dist/services/asset-upload-service.d.ts +56 -0
- package/dist/services/asset-upload-service.js +200 -0
- package/dist/services/asset-upload-service.js.map +1 -0
- package/dist/services/asset-upload-token.d.ts +58 -0
- package/dist/services/asset-upload-token.js +75 -0
- package/dist/services/asset-upload-token.js.map +1 -0
- package/dist/services/assets/asset-index-service.d.ts +127 -0
- package/dist/services/assets/asset-index-service.js +227 -0
- package/dist/services/assets/asset-index-service.js.map +1 -0
- package/dist/services/assets/base.d.ts +128 -2
- package/dist/services/assets/base.js +98 -1
- package/dist/services/assets/base.js.map +1 -1
- package/dist/services/assets/index.d.ts +114 -1
- package/dist/services/assets/index.js +221 -0
- package/dist/services/assets/index.js.map +1 -1
- package/dist/services/assets/local.d.ts +16 -1
- package/dist/services/assets/local.js +110 -1
- package/dist/services/assets/local.js.map +1 -1
- package/dist/services/assets/r2-sync.d.ts +88 -0
- package/dist/services/assets/r2-sync.js +412 -0
- package/dist/services/assets/r2-sync.js.map +1 -0
- package/dist/services/assets/r2.d.ts +87 -1
- package/dist/services/assets/r2.js +203 -1
- package/dist/services/assets/r2.js.map +1 -1
- package/dist/services/auth-service.d.ts +312 -45
- package/dist/services/auth-service.js +1011 -195
- package/dist/services/auth-service.js.map +1 -1
- package/dist/services/chat-session-service.d.ts +188 -0
- package/dist/services/chat-session-service.js +512 -0
- package/dist/services/chat-session-service.js.map +1 -0
- package/dist/services/cloud-inference-billing.d.ts +64 -0
- package/dist/services/cloud-inference-billing.js +313 -0
- package/dist/services/cloud-inference-billing.js.map +1 -0
- package/dist/services/comment-service.d.ts +97 -0
- package/dist/services/comment-service.js +341 -0
- package/dist/services/comment-service.js.map +1 -0
- package/dist/services/comment-virtual-entity.d.ts +36 -0
- package/dist/services/comment-virtual-entity.js +71 -0
- package/dist/services/comment-virtual-entity.js.map +1 -0
- package/dist/services/convert-service.d.ts +64 -0
- package/dist/services/convert-service.js +68 -0
- package/dist/services/convert-service.js.map +1 -0
- package/dist/services/csv-service.d.ts +22 -17
- package/dist/services/csv-service.js +55 -92
- package/dist/services/csv-service.js.map +1 -1
- package/dist/services/entity-mutations.d.ts +213 -0
- package/dist/services/entity-mutations.js +380 -0
- package/dist/services/entity-mutations.js.map +1 -0
- package/dist/services/{meeting-processor.d.ts → event-processor.d.ts} +15 -8
- package/dist/services/{meeting-processor.js → event-processor.js} +124 -65
- package/dist/services/event-processor.js.map +1 -0
- package/dist/services/extract/docx.d.ts +1 -0
- package/dist/services/extract/docx.js +233 -0
- package/dist/services/extract/docx.js.map +1 -0
- package/dist/services/extract/index.d.ts +9 -0
- package/dist/services/extract/index.js +10 -0
- package/dist/services/extract/index.js.map +1 -0
- package/dist/services/extract/pdf.d.ts +13 -0
- package/dist/services/extract/pdf.js +69 -0
- package/dist/services/extract/pdf.js.map +1 -0
- package/dist/services/folder-creation.d.ts +33 -0
- package/dist/services/folder-creation.js +103 -0
- package/dist/services/folder-creation.js.map +1 -0
- package/dist/services/git.d.ts +58 -0
- package/dist/services/git.js +194 -55
- package/dist/services/git.js.map +1 -1
- package/dist/services/graph-maintenance.js +4 -4
- package/dist/services/graph-maintenance.js.map +1 -1
- package/dist/services/import-service.d.ts +51 -2
- package/dist/services/import-service.js +254 -107
- package/dist/services/import-service.js.map +1 -1
- package/dist/services/lint-service.js +10 -17
- package/dist/services/lint-service.js.map +1 -1
- package/dist/services/markdown.d.ts +12 -1
- package/dist/services/markdown.js +77 -9
- package/dist/services/markdown.js.map +1 -1
- package/dist/services/mention-detector.d.ts +23 -0
- package/dist/services/mention-detector.js +47 -0
- package/dist/services/mention-detector.js.map +1 -0
- package/dist/services/model-capabilities.d.ts +41 -0
- package/dist/services/model-capabilities.js +107 -0
- package/dist/services/model-capabilities.js.map +1 -0
- package/dist/services/notification-broadcast.d.ts +32 -0
- package/dist/services/notification-broadcast.js +38 -0
- package/dist/services/notification-broadcast.js.map +1 -0
- package/dist/services/notification-service.d.ts +41 -0
- package/dist/services/notification-service.js +100 -0
- package/dist/services/notification-service.js.map +1 -0
- package/dist/services/oauth-server-store.d.ts +147 -0
- package/dist/services/oauth-server-store.js +319 -0
- package/dist/services/oauth-server-store.js.map +1 -0
- package/dist/services/orphan-service.js +2 -2
- package/dist/services/orphan-service.js.map +1 -1
- package/dist/services/personal-folder.d.ts +40 -0
- package/dist/services/personal-folder.js +101 -0
- package/dist/services/personal-folder.js.map +1 -0
- package/dist/services/scratch-asset-promote.d.ts +57 -0
- package/dist/services/scratch-asset-promote.js +95 -0
- package/dist/services/scratch-asset-promote.js.map +1 -0
- package/dist/services/scratch-attachment-service.d.ts +196 -0
- package/dist/services/scratch-attachment-service.js +347 -0
- package/dist/services/scratch-attachment-service.js.map +1 -0
- package/dist/services/share-link-service.d.ts +57 -0
- package/dist/services/share-link-service.js +142 -0
- package/dist/services/share-link-service.js.map +1 -0
- package/dist/services/user-person-bridge.d.ts +136 -0
- package/dist/services/user-person-bridge.js +340 -0
- package/dist/services/user-person-bridge.js.map +1 -0
- package/dist/services/vector-service.d.ts +282 -5
- package/dist/services/vector-service.js +585 -29
- package/dist/services/vector-service.js.map +1 -1
- package/dist/services/workspace-access.d.ts +108 -0
- package/dist/services/workspace-access.js +149 -0
- package/dist/services/workspace-access.js.map +1 -0
- package/dist/services/workspace-assets-folder.d.ts +46 -0
- package/dist/services/workspace-assets-folder.js +75 -0
- package/dist/services/workspace-assets-folder.js.map +1 -0
- package/dist/utils/git.d.ts +17 -2
- package/dist/utils/git.js +23 -7
- package/dist/utils/git.js.map +1 -1
- package/dist/utils/log.d.ts +42 -0
- package/dist/utils/log.js +137 -0
- package/dist/utils/log.js.map +1 -0
- package/dist/utils/preflight.js +2 -2
- package/dist/utils/preflight.js.map +1 -1
- package/dist/utils/version-checker.d.ts +12 -19
- package/dist/utils/version-checker.js +14 -104
- package/dist/utils/version-checker.js.map +1 -1
- package/dist/web/_app/immutable/assets/0.Bs_z3Z86.css +2 -0
- package/dist/web/_app/immutable/assets/12.DlIf1mKh.css +1 -0
- package/dist/web/_app/immutable/assets/14.7d-Q37wc.css +1 -0
- package/dist/web/_app/immutable/assets/15.BwBFdc1D.css +1 -0
- package/dist/web/_app/immutable/assets/16.CmLrbzZp.css +1 -0
- package/dist/web/_app/immutable/assets/17.DcuK5ZVm.css +1 -0
- package/dist/web/_app/immutable/assets/2.DATnR31c.css +1 -0
- package/dist/web/_app/immutable/assets/3.Cz4H8n_O.css +1 -0
- package/dist/web/_app/immutable/assets/4.aDHteTDy.css +1 -0
- package/dist/web/_app/immutable/assets/6.CF1i5Bon.css +1 -0
- package/dist/web/_app/immutable/assets/ArtifactEntityView.C4ooklFD.css +1 -0
- package/dist/web/_app/immutable/assets/AssetLibraryPicker.BOFW0MvF.css +1 -0
- package/dist/web/_app/immutable/assets/BulkActionsBar.cmKvHzRK.css +1 -0
- package/dist/web/_app/immutable/assets/CalendarView.lBCvS3X5.css +1 -0
- package/dist/web/_app/immutable/assets/CodeMirrorEditor.D6hf2pNJ.css +1 -0
- package/dist/web/_app/immutable/assets/CopyField.DVGZtw4U.css +1 -0
- package/dist/web/_app/immutable/assets/FolderMembersPanel.kiYnDFHu.css +1 -0
- package/dist/web/_app/immutable/assets/FolderMutationDialogs.BMRF6Z3z.css +1 -0
- package/dist/web/_app/immutable/assets/FolderPicker.Cp46GHe2.css +1 -0
- package/dist/web/_app/immutable/assets/GalleryView.WBGxxUQc.css +1 -0
- package/dist/web/_app/immutable/assets/GraphView.BJtGL9py.css +1 -0
- package/dist/web/_app/immutable/assets/KanbanView.BOaI5KFL.css +1 -0
- package/dist/web/_app/immutable/assets/Link.vV0ne105.css +1 -0
- package/dist/web/_app/immutable/assets/Markdown.BZnsSOSf.css +1 -0
- package/dist/web/_app/immutable/assets/Rail.ilusFgD4.css +1 -0
- package/dist/web/_app/immutable/assets/SettingsDialog.D7-BO6S_.css +1 -0
- package/dist/web/_app/immutable/assets/Spinner.UBfl0pab.css +1 -0
- package/dist/web/_app/immutable/assets/StopFilledAlt.fNlDN65D.css +1 -0
- package/dist/web/_app/immutable/assets/TimelineView.xAZBJhHw.css +1 -0
- package/dist/web/_app/immutable/assets/WorkspaceView.C8ErUJAY.css +1 -0
- package/dist/web/_app/immutable/assets/button.BlLm4Dg1.css +1 -0
- package/dist/web/_app/immutable/assets/history-summary.LpmHXasl.css +1 -0
- package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-400-normal.CvHOgSBP.woff +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-400-normal.DMJ8VG8y.woff2 +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-500-normal.CB9ihrfo.woff +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-500-normal.DSY6xOcd.woff2 +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-italic.CZTNEAuW.woff2 +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-italic.CsGl1sm0.woff +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-normal.CDDApCn2.woff2 +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-normal.CYLoc0-x.woff +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-italic.BNK2_mGO.woff2 +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-italic.DpEwFAQM.woff +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-normal.6ng42L7E.woff2 +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-normal.BgVn5rGT.woff +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-600-normal.Cu4Hd6ag.woff +0 -0
- package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-600-normal.CuJfVYMP.woff2 +0 -0
- package/dist/web/_app/immutable/assets/inline-list.cqga56xT.css +1 -0
- package/dist/web/_app/immutable/assets/list-columns.BgnafZ4K.css +1 -0
- package/dist/web/_app/immutable/assets/realtime.DDCWxn3B.css +1 -0
- package/dist/web/_app/immutable/assets/select.B90KUqR4.css +1 -0
- package/dist/web/_app/immutable/assets/sheet.RF9RBmml.css +1 -0
- package/dist/web/_app/immutable/chunks/22qYtvr82.js +1 -0
- package/dist/web/_app/immutable/chunks/2f1VclTm.js +1 -0
- package/dist/web/_app/immutable/chunks/4xgUPoGj2.js +2 -0
- package/dist/web/_app/immutable/chunks/5CYQk4xR.js +1 -0
- package/dist/web/_app/immutable/chunks/6S9WOky52.js +1 -0
- package/dist/web/_app/immutable/chunks/9K8VREGP.js +1 -0
- package/dist/web/_app/immutable/chunks/B-n5q6ku.js +1 -0
- package/dist/web/_app/immutable/chunks/B0p2fSEV2.js +1 -0
- package/dist/web/_app/immutable/chunks/B2oi87jG.js +2 -0
- package/dist/web/_app/immutable/chunks/B5Rb52QU.js +1 -0
- package/dist/web/_app/immutable/chunks/B6Lt-qaJ.js +1 -0
- package/dist/web/_app/immutable/chunks/B6O-q2CN.js +1 -0
- package/dist/web/_app/immutable/chunks/B6qeIQZz.js +2 -0
- package/dist/web/_app/immutable/chunks/B9KfEsQw2.js +1 -0
- package/dist/web/_app/immutable/chunks/BB-RSeXQ.js +1 -0
- package/dist/web/_app/immutable/chunks/BCQQzpbj.js +1 -0
- package/dist/web/_app/immutable/chunks/BGdzd-Tc.js +1 -0
- package/dist/web/_app/immutable/chunks/BLs1h0Rh2.js +1 -0
- package/dist/web/_app/immutable/chunks/BPzV_xOS2.js +1 -0
- package/dist/web/_app/immutable/chunks/BT2C6q8n.js +1 -0
- package/dist/web/_app/immutable/chunks/BUesbLq2.js +1 -0
- package/dist/web/_app/immutable/chunks/BUrnwOw4.js +2 -0
- package/dist/web/_app/immutable/chunks/BV-iCKqa.js +1 -0
- package/dist/web/_app/immutable/chunks/BVCJtXyc.js +1 -0
- package/dist/web/_app/immutable/chunks/BY9a3GSt.js +6 -0
- package/dist/web/_app/immutable/chunks/BZi3uKF4.js +1 -0
- package/dist/web/_app/immutable/chunks/BbfHGU9n2.js +1 -0
- package/dist/web/_app/immutable/chunks/Bbqu2-5G2.js +1 -0
- package/dist/web/_app/immutable/chunks/BbsX1Slr.js +3 -0
- package/dist/web/_app/immutable/chunks/BcwjqHaZ2.js +1 -0
- package/dist/web/_app/immutable/chunks/BizeEpTx.js +2 -0
- package/dist/web/_app/immutable/chunks/BlgjVmFM2.js +14 -0
- package/dist/web/_app/immutable/chunks/BocSRgv12.js +1 -0
- package/dist/web/_app/immutable/chunks/BojBYqc3.js +1 -0
- package/dist/web/_app/immutable/chunks/BpCG9m962.js +1 -0
- package/dist/web/_app/immutable/chunks/BqvnBg_y.js +1 -0
- package/dist/web/_app/immutable/chunks/BsT0J1QD.js +1 -0
- package/dist/web/_app/immutable/chunks/BsW72fyR2.js +1 -0
- package/dist/web/_app/immutable/chunks/Bti_XKwx.js +2692 -0
- package/dist/web/_app/immutable/chunks/Bua97Had2.js +2 -0
- package/dist/web/_app/immutable/chunks/BuhW5Fr0.js +689 -0
- package/dist/web/_app/immutable/chunks/Bx74EEyn2.js +1 -0
- package/dist/web/_app/immutable/chunks/BxPN0T61.js +1 -0
- package/dist/web/_app/immutable/chunks/Bz9lrgGs.js +1 -0
- package/dist/web/_app/immutable/chunks/BzaxZ6j12.js +1 -0
- package/dist/web/_app/immutable/chunks/C1B4xDs0.js +1 -0
- package/dist/web/_app/immutable/chunks/C1trcC8M.js +7 -0
- package/dist/web/_app/immutable/chunks/C9tvkk7Y2.js +22 -0
- package/dist/web/_app/immutable/chunks/CBQjdDZf.js +1 -0
- package/dist/web/_app/immutable/chunks/CDeazMFW2.js +2 -0
- package/dist/web/_app/immutable/chunks/CEahbtnP.js +1 -0
- package/dist/web/_app/immutable/chunks/CGjVCd0e.js +8 -0
- package/dist/web/_app/immutable/chunks/CICK9maP.js +1 -0
- package/dist/web/_app/immutable/chunks/CIoNEHQ82.js +184 -0
- package/dist/web/_app/immutable/chunks/CP8_U450.js +1 -0
- package/dist/web/_app/immutable/chunks/CQ1eQ93t2.js +6 -0
- package/dist/web/_app/immutable/chunks/CUFQMEBn2.js +1 -0
- package/dist/web/_app/immutable/chunks/CYEYDNwO2.js +1 -0
- package/dist/web/_app/immutable/chunks/CYyIP7kP2.js +66 -0
- package/dist/web/_app/immutable/chunks/CZgFaimi2.js +83 -0
- package/dist/web/_app/immutable/chunks/CZqvCTCv.js +1 -0
- package/dist/web/_app/immutable/chunks/CcI9jYBV.js +1 -0
- package/dist/web/_app/immutable/chunks/CcWaWbrI2.js +1 -0
- package/dist/web/_app/immutable/chunks/CdtzRVZK.js +1 -0
- package/dist/web/_app/immutable/chunks/CfYG72Hc.js +1 -0
- package/dist/web/_app/immutable/chunks/Ch1kmm3J2.js +1 -0
- package/dist/web/_app/immutable/chunks/CmSSN61R2.js +1 -0
- package/dist/web/_app/immutable/chunks/Cqm5wAin.js +1 -0
- package/dist/web/_app/immutable/chunks/CuYPXpWU.js +1 -0
- package/dist/web/_app/immutable/chunks/CvSEodTA.js +1 -0
- package/dist/web/_app/immutable/chunks/CvqqrTrj.js +1 -0
- package/dist/web/_app/immutable/chunks/CwAmWt6h.js +1 -0
- package/dist/web/_app/immutable/chunks/CwP3Oa7F.js +1 -0
- package/dist/web/_app/immutable/chunks/CyTluew1.js +2 -0
- package/dist/web/_app/immutable/chunks/CzXdOgVl2.js +7 -0
- package/dist/web/_app/immutable/chunks/D0IAituJ.js +1 -0
- package/dist/web/_app/immutable/chunks/D0W7c6Sg.js +185 -0
- package/dist/web/_app/immutable/chunks/D0rBhnqB2.js +1 -0
- package/dist/web/_app/immutable/chunks/D1-GZSN1.js +1 -0
- package/dist/web/_app/immutable/chunks/D1yvtriI.js +1 -0
- package/dist/web/_app/immutable/chunks/D25NMRpl.js +1 -0
- package/dist/web/_app/immutable/chunks/D8wZ2xul.js +4 -0
- package/dist/web/_app/immutable/chunks/DA3HEX3X.js +1 -0
- package/dist/web/_app/immutable/chunks/DD9wj4ca2.js +1 -0
- package/dist/web/_app/immutable/chunks/DJ1YeiJL2.js +1 -0
- package/dist/web/_app/immutable/chunks/DKFZnpVC.js +5 -0
- package/dist/web/_app/immutable/chunks/DKJl40hl.js +1 -0
- package/dist/web/_app/immutable/chunks/DPUVu0T0.js +1 -0
- package/dist/web/_app/immutable/chunks/DQMWa2t7.js +1 -0
- package/dist/web/_app/immutable/chunks/DXsFrDer2.js +1 -0
- package/dist/web/_app/immutable/chunks/DYc5KW3F.js +1 -0
- package/dist/web/_app/immutable/chunks/DZcTwXBW.js +1 -0
- package/dist/web/_app/immutable/chunks/DcPrzUMJ.js +1 -0
- package/dist/web/_app/immutable/chunks/DdPO8kRu2.js +2 -0
- package/dist/web/_app/immutable/chunks/DeOXyJZw2.js +1 -0
- package/dist/web/_app/immutable/chunks/DfufUFR1.js +2 -0
- package/dist/web/_app/immutable/chunks/DiQg3ing.js +1 -0
- package/dist/web/_app/immutable/chunks/DjIqa1_y.js +2 -0
- package/dist/web/_app/immutable/chunks/DkJ1dkxV2.js +1 -0
- package/dist/web/_app/immutable/chunks/Dl63IUnH2.js +224 -0
- package/dist/web/_app/immutable/chunks/DmFdD6zT.js +1 -0
- package/dist/web/_app/immutable/chunks/Dn3R8S-U.js +1 -0
- package/dist/web/_app/immutable/chunks/DpNr1GQ2.js +1 -0
- package/dist/web/_app/immutable/chunks/DpVNDHXz.js +2 -0
- package/dist/web/_app/immutable/chunks/DuxziNnw.js +1 -0
- package/dist/web/_app/immutable/chunks/Dv3A3Wcj.js +1 -0
- package/dist/web/_app/immutable/chunks/FuiJnZG0.js +1 -0
- package/dist/web/_app/immutable/chunks/Izkulod7.js +1 -0
- package/dist/web/_app/immutable/chunks/KZY6ongq2.js +2 -0
- package/dist/web/_app/immutable/chunks/LYL8znYR2.js +23 -0
- package/dist/web/_app/immutable/chunks/PhN6tXuJ2.js +1 -0
- package/dist/web/_app/immutable/chunks/PyLyCpuL.js +1 -0
- package/dist/web/_app/immutable/chunks/RK4gCWN0.js +2 -0
- package/dist/web/_app/immutable/chunks/VsBngTf4.js +2 -0
- package/dist/web/_app/immutable/chunks/XcWejFm_.js +5 -0
- package/dist/web/_app/immutable/chunks/al_nidE9.js +1 -0
- package/dist/web/_app/immutable/chunks/e50-izZO2.js +1 -0
- package/dist/web/_app/immutable/chunks/hG-QCarB.js +1 -0
- package/dist/web/_app/immutable/chunks/hStvCHkX.js +1 -0
- package/dist/web/_app/immutable/chunks/iJVY9p0y.js +3 -0
- package/dist/web/_app/immutable/chunks/kNaey6uv.js +1 -0
- package/dist/web/_app/immutable/chunks/pIXNe0C1.js +1 -0
- package/dist/web/_app/immutable/chunks/pNSRq_1B.js +2 -0
- package/dist/web/_app/immutable/chunks/qwr5boV8.js +1 -0
- package/dist/web/_app/immutable/chunks/rjjyuGhb.js +1 -0
- package/dist/web/_app/immutable/chunks/sg-T-FoN.js +1 -0
- package/dist/web/_app/immutable/chunks/uBgoVlsx.js +3 -0
- package/dist/web/_app/immutable/chunks/ulshNz6x.js +2 -0
- package/dist/web/_app/immutable/chunks/xY0c-UfG.js +3 -0
- package/dist/web/_app/immutable/chunks/xeNvx4Bl2.js +1 -0
- package/dist/web/_app/immutable/chunks/xihTtKlq.js +1 -0
- package/dist/web/_app/immutable/entry/app.pNUW-q4U.js +2 -0
- package/dist/web/_app/immutable/entry/start.DxGtIGG_.js +1 -0
- package/dist/web/_app/immutable/nodes/0.D6ZCY_R6.js +2 -0
- package/dist/web/_app/immutable/nodes/1.BryH3TNr.js +1 -0
- package/dist/web/_app/immutable/nodes/10.CMZMvR17.js +1 -0
- package/dist/web/_app/immutable/nodes/11.QHx_JShx.js +1 -0
- package/dist/web/_app/immutable/nodes/12.CiRWbb4X.js +1 -0
- package/dist/web/_app/immutable/nodes/13.CYrHXCA8.js +1 -0
- package/dist/web/_app/immutable/nodes/14.K18eIE5Z.js +1 -0
- package/dist/web/_app/immutable/nodes/15.DxgnZ61h.js +1 -0
- package/dist/web/_app/immutable/nodes/16.Dn6iuWIo.js +1 -0
- package/dist/web/_app/immutable/nodes/17.viwS7vTR.js +77 -0
- package/dist/web/_app/immutable/nodes/2.BQkQ_uUM.js +122 -0
- package/dist/web/_app/immutable/nodes/3.B4pqXsqq.js +6 -0
- package/dist/web/_app/immutable/nodes/4.CKXEgIAP.js +11 -0
- package/dist/web/_app/immutable/nodes/5.A2TASl4Q.js +1 -0
- package/dist/web/_app/immutable/nodes/6.DaIRO3SI.js +6 -0
- package/dist/web/_app/immutable/nodes/7.ga2UvFm-.js +1 -0
- package/dist/web/_app/immutable/nodes/8.BTEWT81u.js +1 -0
- package/dist/web/_app/immutable/nodes/9.BVxo0E0c.js +1 -0
- package/dist/web/_app/version.json +1 -1
- package/dist/web/favicon-16.png +0 -0
- package/dist/web/favicon-180.png +0 -0
- package/dist/web/favicon-32.png +0 -0
- package/dist/web/favicon-48.png +0 -0
- package/dist/web/favicon-512.png +0 -0
- package/dist/web/favicon.ico +0 -0
- package/dist/web/favicon.svg +8 -0
- package/dist/web/index.html +56 -21
- package/dist/web/studiograph-logomark.svg +29 -0
- package/package.json +35 -14
- package/dist/agent/skills/enrich-entities.md +0 -136
- package/dist/agent/skills/sync-configuration.md +0 -119
- package/dist/agent/skills/sync-setup.md +0 -82
- package/dist/agent/tools/message-tools.d.ts +0 -42
- package/dist/agent/tools/message-tools.js +0 -106
- package/dist/agent/tools/message-tools.js.map +0 -1
- package/dist/cli/commands/app.d.ts +0 -7
- package/dist/cli/commands/app.js +0 -268
- package/dist/cli/commands/app.js.map +0 -1
- package/dist/cli/commands/clear.d.ts +0 -5
- package/dist/cli/commands/clear.js +0 -36
- package/dist/cli/commands/clear.js.map +0 -1
- package/dist/cli/commands/collection.d.ts +0 -10
- package/dist/cli/commands/collection.js.map +0 -1
- package/dist/cli/commands/join.d.ts +0 -9
- package/dist/cli/commands/join.js +0 -255
- package/dist/cli/commands/join.js.map +0 -1
- package/dist/cli/commands/start.d.ts +0 -7
- package/dist/cli/commands/start.js +0 -584
- package/dist/cli/commands/start.js.map +0 -1
- package/dist/cli/commands/update.d.ts +0 -8
- package/dist/cli/commands/update.js +0 -155
- package/dist/cli/commands/update.js.map +0 -1
- package/dist/cli/commands/user.d.ts +0 -7
- package/dist/cli/commands/user.js +0 -175
- package/dist/cli/commands/user.js.map +0 -1
- package/dist/cli/scaffolding.d.ts +0 -12
- package/dist/cli/scaffolding.js +0 -397
- package/dist/cli/scaffolding.js.map +0 -1
- package/dist/integrations/registry.d.ts +0 -8
- package/dist/integrations/registry.js +0 -7
- package/dist/integrations/registry.js.map +0 -1
- package/dist/integrations/types.d.ts +0 -43
- package/dist/integrations/types.js +0 -5
- package/dist/integrations/types.js.map +0 -1
- package/dist/lib/lib/utils.d.ts +0 -2
- package/dist/lib/lib/utils.js +0 -6
- package/dist/lib/lib/utils.js.map +0 -1
- package/dist/server/chrome/chrome.css +0 -691
- package/dist/server/chrome/chrome.js +0 -374
- package/dist/server/commit-scheduler.d.ts +0 -39
- package/dist/server/commit-scheduler.js +0 -113
- package/dist/server/commit-scheduler.js.map +0 -1
- package/dist/server/plugin-loader.d.ts +0 -53
- package/dist/server/plugin-loader.js +0 -155
- package/dist/server/plugin-loader.js.map +0 -1
- package/dist/server/routes/meeting-ingest-api.d.ts +0 -14
- package/dist/server/routes/meeting-ingest-api.js.map +0 -1
- package/dist/server/routes/messages-api.d.ts +0 -15
- package/dist/server/routes/messages-api.js +0 -385
- package/dist/server/routes/messages-api.js.map +0 -1
- package/dist/services/batch-processor.d.ts +0 -49
- package/dist/services/batch-processor.js +0 -166
- package/dist/services/batch-processor.js.map +0 -1
- package/dist/services/briefing.d.ts +0 -26
- package/dist/services/briefing.js +0 -230
- package/dist/services/briefing.js.map +0 -1
- package/dist/services/heartbeat.d.ts +0 -28
- package/dist/services/heartbeat.js +0 -183
- package/dist/services/heartbeat.js.map +0 -1
- package/dist/services/image-import-service.d.ts +0 -24
- package/dist/services/image-import-service.js +0 -108
- package/dist/services/image-import-service.js.map +0 -1
- package/dist/services/insights.d.ts +0 -38
- package/dist/services/insights.js +0 -269
- package/dist/services/insights.js.map +0 -1
- package/dist/services/meeting-processor.js.map +0 -1
- package/dist/services/message-service.d.ts +0 -68
- package/dist/services/message-service.js +0 -220
- package/dist/services/message-service.js.map +0 -1
- package/dist/utils/workspace-config.d.ts +0 -8
- package/dist/utils/workspace-config.js +0 -22
- package/dist/utils/workspace-config.js.map +0 -1
- package/dist/web/_app/immutable/assets/0.uPSqtsC5.css +0 -1
- package/dist/web/_app/immutable/assets/11.2jzI3cZY.css +0 -1
- package/dist/web/_app/immutable/assets/12.CT4xL4K3.css +0 -1
- package/dist/web/_app/immutable/assets/13.BUrHkYry.css +0 -1
- package/dist/web/_app/immutable/assets/2.DpQWr6q6.css +0 -1
- package/dist/web/_app/immutable/assets/3.BxdqT7zi.css +0 -1
- package/dist/web/_app/immutable/assets/4.DdNqjd0T.css +0 -1
- package/dist/web/_app/immutable/assets/5.DFeGxLYf.css +0 -1
- package/dist/web/_app/immutable/assets/6.DXZr_rI_.css +0 -1
- package/dist/web/_app/immutable/assets/GraphView.D9ePpZez.css +0 -1
- package/dist/web/_app/immutable/assets/Toaster.rN8r_Hzv.css +0 -1
- package/dist/web/_app/immutable/assets/ViewToolbar.BWE03S64.css +0 -1
- package/dist/web/_app/immutable/assets/WorkspaceView.CgGDi_Zb.css +0 -1
- package/dist/web/_app/immutable/assets/wikilinks.CzMBkUMB.css +0 -1
- package/dist/web/_app/immutable/chunks/-jG4Obyh.js +0 -4
- package/dist/web/_app/immutable/chunks/2nrc8f_O.js +0 -1
- package/dist/web/_app/immutable/chunks/7S2LGqoP.js +0 -2
- package/dist/web/_app/immutable/chunks/8Q3ZJIYu.js +0 -1
- package/dist/web/_app/immutable/chunks/B8ydT5xX.js +0 -2
- package/dist/web/_app/immutable/chunks/BB_5th5W.js +0 -3383
- package/dist/web/_app/immutable/chunks/BEn6N5c2.js +0 -1
- package/dist/web/_app/immutable/chunks/BFNNbCAM.js +0 -1
- package/dist/web/_app/immutable/chunks/BFZZEUd5.js +0 -1
- package/dist/web/_app/immutable/chunks/BGk8kfOE.js +0 -2
- package/dist/web/_app/immutable/chunks/BIBCr278.js +0 -1
- package/dist/web/_app/immutable/chunks/BPCkkwqe.js +0 -1
- package/dist/web/_app/immutable/chunks/BhlvzGQx.js +0 -1
- package/dist/web/_app/immutable/chunks/BlMknQeF.js +0 -1
- package/dist/web/_app/immutable/chunks/BpjqrlCg.js +0 -1
- package/dist/web/_app/immutable/chunks/BrebtJNG.js +0 -18
- package/dist/web/_app/immutable/chunks/ByBZ7JIT.js +0 -1
- package/dist/web/_app/immutable/chunks/Bz0ZjVQE.js +0 -2
- package/dist/web/_app/immutable/chunks/BzJTZOK2.js +0 -1
- package/dist/web/_app/immutable/chunks/C0LVZhvn.js +0 -1
- package/dist/web/_app/immutable/chunks/C3uBrOS5.js +0 -1
- package/dist/web/_app/immutable/chunks/C8R1sDpW.js +0 -1
- package/dist/web/_app/immutable/chunks/CDRHrs0g.js +0 -1
- package/dist/web/_app/immutable/chunks/CN5_py1I.js +0 -1
- package/dist/web/_app/immutable/chunks/CPne482a.js +0 -1
- package/dist/web/_app/immutable/chunks/CSVbGg_b.js +0 -5
- package/dist/web/_app/immutable/chunks/CWyU-seV.js +0 -1
- package/dist/web/_app/immutable/chunks/CX_61fY8.js +0 -5
- package/dist/web/_app/immutable/chunks/CYrVHOHA.js +0 -1
- package/dist/web/_app/immutable/chunks/ChsiIm-E.js +0 -1
- package/dist/web/_app/immutable/chunks/CojKppbh.js +0 -1
- package/dist/web/_app/immutable/chunks/CqkleIqs.js +0 -1
- package/dist/web/_app/immutable/chunks/CtYLtD7K.js +0 -1
- package/dist/web/_app/immutable/chunks/D-HDy5qS.js +0 -1
- package/dist/web/_app/immutable/chunks/D5aIYSkd.js +0 -1
- package/dist/web/_app/immutable/chunks/DBBXARVf.js +0 -1
- package/dist/web/_app/immutable/chunks/DFYOFE3o.js +0 -1
- package/dist/web/_app/immutable/chunks/DKaafS50.js +0 -1
- package/dist/web/_app/immutable/chunks/DUMOo1Pn.js +0 -1
- package/dist/web/_app/immutable/chunks/DWX9f6AF.js +0 -1
- package/dist/web/_app/immutable/chunks/DY8-EONP.js +0 -1
- package/dist/web/_app/immutable/chunks/DkoHPElM.js +0 -1
- package/dist/web/_app/immutable/chunks/DnL9f0lc.js +0 -7
- package/dist/web/_app/immutable/chunks/DsnmJJEf.js +0 -1
- package/dist/web/_app/immutable/chunks/DujahU3W.js +0 -1
- package/dist/web/_app/immutable/chunks/FBn-ES5k.js +0 -1
- package/dist/web/_app/immutable/chunks/HQpwSOb3.js +0 -1
- package/dist/web/_app/immutable/chunks/KyjzlWRN.js +0 -2
- package/dist/web/_app/immutable/chunks/PPVm8Dsz.js +0 -1
- package/dist/web/_app/immutable/chunks/UwYfmrPx.js +0 -2
- package/dist/web/_app/immutable/chunks/W25ZVI8L.js +0 -2
- package/dist/web/_app/immutable/chunks/WSUKABI_.js +0 -1
- package/dist/web/_app/immutable/chunks/XjsuEnNE.js +0 -5
- package/dist/web/_app/immutable/chunks/ZD6ARAtb.js +0 -1
- package/dist/web/_app/immutable/chunks/pBTf4stg.js +0 -2
- package/dist/web/_app/immutable/chunks/rGIarcnp.js +0 -1
- package/dist/web/_app/immutable/chunks/vxEtkL8z.js +0 -1
- package/dist/web/_app/immutable/chunks/wDIGUaoU.js +0 -3
- package/dist/web/_app/immutable/entry/app.ZHiTM8WS.js +0 -2
- package/dist/web/_app/immutable/entry/start.C9-FfAVc.js +0 -1
- package/dist/web/_app/immutable/nodes/0.D92Orz8k.js +0 -2
- package/dist/web/_app/immutable/nodes/1.BMdyglM_.js +0 -1
- package/dist/web/_app/immutable/nodes/10.BilVDHSL.js +0 -1
- package/dist/web/_app/immutable/nodes/11.CS9E0Hic.js +0 -1
- package/dist/web/_app/immutable/nodes/12.D3BOxYzG.js +0 -1
- package/dist/web/_app/immutable/nodes/13.CClMKYtN.js +0 -1
- package/dist/web/_app/immutable/nodes/2.C8KKElPL.js +0 -267
- package/dist/web/_app/immutable/nodes/3.C5n5uiWU.js +0 -5
- package/dist/web/_app/immutable/nodes/4.DcGVvgiL.js +0 -11
- package/dist/web/_app/immutable/nodes/5.DxIjnFQO.js +0 -4
- package/dist/web/_app/immutable/nodes/6.lkh6kKLj.js +0 -1
- package/dist/web/_app/immutable/nodes/7.Bg7SbfhA.js +0 -1
- package/dist/web/_app/immutable/nodes/8.DcXWCNBE.js +0 -1
- package/dist/web/_app/immutable/nodes/9.Cefi8Jfm.js +0 -1
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"yjs-text-diff.js","sourceRoot":"","sources":["../../src/server/yjs-text-diff.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,MAAM,UAAU,GAAG,CAAC,CAAC;AACrB,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC;AAEvB;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,IAAW,EAAE,KAAa,EAAE,MAAc,EAAE,MAAc;IACtF,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;IACjC,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO;IAE/B,MAAM,GAAG,GAAG,IAAI,gBAAgB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC7C,8EAA8E;IAC9E,0EAA0E;IAC1E,GAAG,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;IAEhC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE;QACjB,IAAI,GAAG,GAAG,CAAC,CAAC;QACZ,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;YAC/B,IAAI,EAAE,KAAK,UAAU,EAAE,CAAC;gBACtB,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC;YACrB,CAAC;iBAAM,IAAI,EAAE,KAAK,WAAW,EAAE,CAAC;gBAC9B,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;gBAC/B,uEAAuE;YACzE,CAAC;iBAAM,IAAI,EAAE,KAAK,WAAW,EAAE,CAAC;gBAC9B,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBACxB,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC,EAAE,MAAM,CAAC,CAAC;AACb,CAAC"}
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Framework-free per-folder access control helpers.
|
|
3
|
+
*
|
|
4
|
+
* These functions decide what a given user can see or write in the workspace.
|
|
5
|
+
* They take `AuthUser | undefined` directly (not a Fastify request) so they
|
|
6
|
+
* can be reused across transports — HTTP (/api/*), MCP HTTP (/mcp), and
|
|
7
|
+
* MCP stdio all share the same rules.
|
|
8
|
+
*
|
|
9
|
+
* Rule summary:
|
|
10
|
+
* - `user === undefined` means "no identified user". On the **web** this is
|
|
11
|
+
* API-key / open-mode (full access). On **MCP** the caller site rejects
|
|
12
|
+
* unidentified requests before reaching these helpers, so every MCP tool
|
|
13
|
+
* can assume a concrete user and `undefined` is never passed in.
|
|
14
|
+
* - A user can see a folder if they are an explicit member (folder_access row),
|
|
15
|
+
* or if they are the workspace owner AND the folder has more than one member
|
|
16
|
+
* (shared folders are visible to owners, solo folders stay private).
|
|
17
|
+
* - A user can write to a folder if they are a folder member (role = admin|editor),
|
|
18
|
+
* or if they are the workspace owner on a shared folder.
|
|
19
|
+
* - A folder with `personal: true` is only visible/writable to its owner,
|
|
20
|
+
* regardless of folder_access grants or workspace ownership. Stale grants
|
|
21
|
+
* (from an older sharing attempt or test setup) cannot leak a user's
|
|
22
|
+
* private notes to another account.
|
|
23
|
+
* - **Owner admin escalation**: workspace owners can lift the personal-
|
|
24
|
+
* folder restriction by passing `{ includePrivate: true }` to these
|
|
25
|
+
* helpers. The flag is enforced as owner-only inside the helpers — non-
|
|
26
|
+
* owners passing it get no extra access. The owner-only CLI (`clone` /
|
|
27
|
+
* `pull` / `push`) sends it unconditionally so the owner always sees every
|
|
28
|
+
* folder; web / API surfaces opt in via the `?include_private=1` query
|
|
29
|
+
* param on `/api/repos` or the `X-Studiograph-Include-Private: 1` header
|
|
30
|
+
* for git transport. Used for migrations, audits, and offboarding.
|
|
31
|
+
*/
|
|
32
|
+
import type { WorkspaceManager } from '../core/workspace-manager.js';
|
|
33
|
+
import type { RepoConfig } from '../core/types.js';
|
|
34
|
+
import { type AuthService, type AuthUser } from './auth-service.js';
|
|
35
|
+
/**
|
|
36
|
+
* Options accepted by the access helpers. `includePrivate` is an owner-
|
|
37
|
+
* gated admin escalation: workspace owners can opt into seeing every
|
|
38
|
+
* folder (including other users' personal ones) for migration / audit /
|
|
39
|
+
* offboarding work. Default operations stay scoped so the owner's daily
|
|
40
|
+
* workflow isn't cluttered with members' private content.
|
|
41
|
+
*/
|
|
42
|
+
export interface AccessOptions {
|
|
43
|
+
/** Owner-only override: when true AND caller is a workspace owner, the
|
|
44
|
+
* personal-folder restriction is lifted. No-op for non-owners. */
|
|
45
|
+
includePrivate?: boolean;
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Return the list of repos the user can access (content visibility).
|
|
49
|
+
* Unidentified caller (undefined) → full access, preserves legacy
|
|
50
|
+
* web / API-key behavior.
|
|
51
|
+
*/
|
|
52
|
+
export declare function getAccessibleRepos(user: AuthUser | undefined, workspaceManager: WorkspaceManager, authService: AuthService, opts?: AccessOptions): RepoConfig[];
|
|
53
|
+
/** True if the user may read the given folder's contents. */
|
|
54
|
+
export declare function hasRepoAccess(user: AuthUser | undefined, repoName: string, workspaceManager: WorkspaceManager, authService: AuthService, opts?: AccessOptions): boolean;
|
|
55
|
+
/** True if the user is a folder admin on the given repo, OR a workspace
|
|
56
|
+
* owner on a shared folder (>1 member). Solo/private folders require
|
|
57
|
+
* actual folder-admin membership — workspace ownership alone does not
|
|
58
|
+
* let owners rename, delete, or push members into a private folder. */
|
|
59
|
+
export declare function isFolderAdminOrOwner(user: AuthUser | undefined, repoName: string, workspaceManager: WorkspaceManager, authService: AuthService): boolean;
|
|
60
|
+
/**
|
|
61
|
+
* True if the user may write (create/update/delete entities) in the given folder.
|
|
62
|
+
* Membership grants write access regardless of role (both 'admin' and 'editor'
|
|
63
|
+
* can edit), and workspace owners can write to shared folders.
|
|
64
|
+
*/
|
|
65
|
+
export declare function canWriteRepo(user: AuthUser | undefined, repoName: string, workspaceManager: WorkspaceManager, authService: AuthService): boolean;
|
|
66
|
+
/**
|
|
67
|
+
* Build a set of all entity IDs visible to the user across their accessible
|
|
68
|
+
* folders. Returns null when the caller is unidentified (no filtering needed —
|
|
69
|
+
* `filterWikilinks` treats null as "no-op").
|
|
70
|
+
*/
|
|
71
|
+
export declare function getAccessibleEntityIds(user: AuthUser | undefined, workspaceManager: WorkspaceManager, authService: AuthService): Set<string> | null;
|
|
72
|
+
/** Filter a wikilink list to only entities the caller can access. */
|
|
73
|
+
export declare function filterWikilinks(wikilinks: string[], accessibleIds: Set<string> | null): string[];
|
|
@@ -0,0 +1,165 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Framework-free per-folder access control helpers.
|
|
3
|
+
*
|
|
4
|
+
* These functions decide what a given user can see or write in the workspace.
|
|
5
|
+
* They take `AuthUser | undefined` directly (not a Fastify request) so they
|
|
6
|
+
* can be reused across transports — HTTP (/api/*), MCP HTTP (/mcp), and
|
|
7
|
+
* MCP stdio all share the same rules.
|
|
8
|
+
*
|
|
9
|
+
* Rule summary:
|
|
10
|
+
* - `user === undefined` means "no identified user". On the **web** this is
|
|
11
|
+
* API-key / open-mode (full access). On **MCP** the caller site rejects
|
|
12
|
+
* unidentified requests before reaching these helpers, so every MCP tool
|
|
13
|
+
* can assume a concrete user and `undefined` is never passed in.
|
|
14
|
+
* - A user can see a folder if they are an explicit member (folder_access row),
|
|
15
|
+
* or if they are the workspace owner AND the folder has more than one member
|
|
16
|
+
* (shared folders are visible to owners, solo folders stay private).
|
|
17
|
+
* - A user can write to a folder if they are a folder member (role = admin|editor),
|
|
18
|
+
* or if they are the workspace owner on a shared folder.
|
|
19
|
+
* - A folder with `personal: true` is only visible/writable to its owner,
|
|
20
|
+
* regardless of folder_access grants or workspace ownership. Stale grants
|
|
21
|
+
* (from an older sharing attempt or test setup) cannot leak a user's
|
|
22
|
+
* private notes to another account.
|
|
23
|
+
* - **Owner admin escalation**: workspace owners can lift the personal-
|
|
24
|
+
* folder restriction by passing `{ includePrivate: true }` to these
|
|
25
|
+
* helpers. The flag is enforced as owner-only inside the helpers — non-
|
|
26
|
+
* owners passing it get no extra access. The owner-only CLI (`clone` /
|
|
27
|
+
* `pull` / `push`) sends it unconditionally so the owner always sees every
|
|
28
|
+
* folder; web / API surfaces opt in via the `?include_private=1` query
|
|
29
|
+
* param on `/api/repos` or the `X-Studiograph-Include-Private: 1` header
|
|
30
|
+
* for git transport. Used for migrations, audits, and offboarding.
|
|
31
|
+
*/
|
|
32
|
+
import { isWorkspaceOwner } from './auth-service.js';
|
|
33
|
+
/** True if the folder is `personal: true` and the caller is not its owner.
|
|
34
|
+
* The personal flag is an owner-private invariant: it overrides folder_access
|
|
35
|
+
* rows and workspace ownership. Unidentified callers (open mode / API key)
|
|
36
|
+
* are never restricted — `undefined` user means full access. */
|
|
37
|
+
function isRestrictedPersonalFolder(user, repoName, workspaceManager) {
|
|
38
|
+
if (!user)
|
|
39
|
+
return false;
|
|
40
|
+
const repo = workspaceManager.getRepoConfig(repoName);
|
|
41
|
+
if (!repo?.personal)
|
|
42
|
+
return false;
|
|
43
|
+
// Missing owner_id on a personal folder would be a config bug; err on
|
|
44
|
+
// the side of deny to avoid leaking content.
|
|
45
|
+
return repo.owner_id === undefined || repo.owner_id !== user.id;
|
|
46
|
+
}
|
|
47
|
+
/** True if the folder is workspace-wide (the reserved shared asset store).
|
|
48
|
+
* Every authenticated member gets read + write (upload) without a
|
|
49
|
+
* folder_access grant. This does NOT grant folder-admin (rename/delete the
|
|
50
|
+
* folder) or per-asset deletion — those stay owner/uploader-scoped. A
|
|
51
|
+
* workspace-wide folder must never also be `personal`. */
|
|
52
|
+
function isWorkspaceWide(repoName, workspaceManager) {
|
|
53
|
+
return workspaceManager.getRepoConfig(repoName)?.workspace_wide === true;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Return the list of repos the user can access (content visibility).
|
|
57
|
+
* Unidentified caller (undefined) → full access, preserves legacy
|
|
58
|
+
* web / API-key behavior.
|
|
59
|
+
*/
|
|
60
|
+
export function getAccessibleRepos(user, workspaceManager, authService, opts = {}) {
|
|
61
|
+
const allRepos = workspaceManager.getAllRepoConfigs();
|
|
62
|
+
if (!user)
|
|
63
|
+
return allRepos;
|
|
64
|
+
const allowed = new Set(authService.getUserFolders(user.id));
|
|
65
|
+
const isOwner = isWorkspaceOwner(user.role);
|
|
66
|
+
const ownerOverride = isOwner && opts.includePrivate === true;
|
|
67
|
+
return allRepos.filter(r => {
|
|
68
|
+
if (ownerOverride)
|
|
69
|
+
return true;
|
|
70
|
+
// Personal folders are owner-only, regardless of grants.
|
|
71
|
+
if (r.personal && r.owner_id !== user.id)
|
|
72
|
+
return false;
|
|
73
|
+
// Workspace-wide folders (the shared asset store) are visible to every
|
|
74
|
+
// member without a grant. (Mutually exclusive with `personal`.)
|
|
75
|
+
if (r.workspace_wide)
|
|
76
|
+
return true;
|
|
77
|
+
if (allowed.has(r.name))
|
|
78
|
+
return true;
|
|
79
|
+
if (isOwner && authService.getFolderMembers(r.name).length > 1)
|
|
80
|
+
return true;
|
|
81
|
+
return false;
|
|
82
|
+
});
|
|
83
|
+
}
|
|
84
|
+
/** True if the user may read the given folder's contents. */
|
|
85
|
+
export function hasRepoAccess(user, repoName, workspaceManager, authService, opts = {}) {
|
|
86
|
+
if (!user)
|
|
87
|
+
return true;
|
|
88
|
+
const isOwner = isWorkspaceOwner(user.role);
|
|
89
|
+
if (isOwner && opts.includePrivate === true)
|
|
90
|
+
return true;
|
|
91
|
+
if (isRestrictedPersonalFolder(user, repoName, workspaceManager))
|
|
92
|
+
return false;
|
|
93
|
+
if (isWorkspaceWide(repoName, workspaceManager))
|
|
94
|
+
return true;
|
|
95
|
+
if (authService.getUserFolders(user.id).includes(repoName))
|
|
96
|
+
return true;
|
|
97
|
+
if (isOwner && authService.getFolderMembers(repoName).length > 1)
|
|
98
|
+
return true;
|
|
99
|
+
return false;
|
|
100
|
+
}
|
|
101
|
+
/** True if the user is a folder admin on the given repo, OR a workspace
|
|
102
|
+
* owner on a shared folder (>1 member). Solo/private folders require
|
|
103
|
+
* actual folder-admin membership — workspace ownership alone does not
|
|
104
|
+
* let owners rename, delete, or push members into a private folder. */
|
|
105
|
+
export function isFolderAdminOrOwner(user, repoName, workspaceManager, authService) {
|
|
106
|
+
if (!user)
|
|
107
|
+
return true;
|
|
108
|
+
if (isRestrictedPersonalFolder(user, repoName, workspaceManager))
|
|
109
|
+
return false;
|
|
110
|
+
if (authService.isFolderAdmin(user.id, repoName))
|
|
111
|
+
return true;
|
|
112
|
+
if (isWorkspaceOwner(user.role) && authService.getFolderMembers(repoName).length > 1)
|
|
113
|
+
return true;
|
|
114
|
+
return false;
|
|
115
|
+
}
|
|
116
|
+
/**
|
|
117
|
+
* True if the user may write (create/update/delete entities) in the given folder.
|
|
118
|
+
* Membership grants write access regardless of role (both 'admin' and 'editor'
|
|
119
|
+
* can edit), and workspace owners can write to shared folders.
|
|
120
|
+
*/
|
|
121
|
+
export function canWriteRepo(user, repoName, workspaceManager, authService) {
|
|
122
|
+
if (!user)
|
|
123
|
+
return true;
|
|
124
|
+
if (isRestrictedPersonalFolder(user, repoName, workspaceManager))
|
|
125
|
+
return false;
|
|
126
|
+
// Workspace-wide store: any member may upload (create/update). Per-asset
|
|
127
|
+
// DELETE is restricted separately at the asset-delete route (uploader +
|
|
128
|
+
// workspace owner) — write access here does not imply delete-anyone's-asset.
|
|
129
|
+
if (isWorkspaceWide(repoName, workspaceManager))
|
|
130
|
+
return true;
|
|
131
|
+
const role = authService.getFolderRole(user.id, repoName);
|
|
132
|
+
if (role === 'admin' || role === 'editor')
|
|
133
|
+
return true;
|
|
134
|
+
if (isWorkspaceOwner(user.role) && authService.getFolderMembers(repoName).length > 1)
|
|
135
|
+
return true;
|
|
136
|
+
return false;
|
|
137
|
+
}
|
|
138
|
+
/**
|
|
139
|
+
* Build a set of all entity IDs visible to the user across their accessible
|
|
140
|
+
* folders. Returns null when the caller is unidentified (no filtering needed —
|
|
141
|
+
* `filterWikilinks` treats null as "no-op").
|
|
142
|
+
*/
|
|
143
|
+
export function getAccessibleEntityIds(user, workspaceManager, authService) {
|
|
144
|
+
if (!user)
|
|
145
|
+
return null;
|
|
146
|
+
const repos = getAccessibleRepos(user, workspaceManager, authService);
|
|
147
|
+
const ids = new Set();
|
|
148
|
+
for (const repo of repos) {
|
|
149
|
+
try {
|
|
150
|
+
const graph = workspaceManager.getGraph(repo.name);
|
|
151
|
+
for (const e of graph.search({})) {
|
|
152
|
+
ids.add(e.id);
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
catch { /* skip unmounted repos */ }
|
|
156
|
+
}
|
|
157
|
+
return ids;
|
|
158
|
+
}
|
|
159
|
+
/** Filter a wikilink list to only entities the caller can access. */
|
|
160
|
+
export function filterWikilinks(wikilinks, accessibleIds) {
|
|
161
|
+
if (!accessibleIds)
|
|
162
|
+
return wikilinks;
|
|
163
|
+
return wikilinks.filter(id => accessibleIds.has(id));
|
|
164
|
+
}
|
|
165
|
+
//# sourceMappingURL=access-control.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"access-control.js","sourceRoot":"","sources":["../../src/services/access-control.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAIH,OAAO,EAAE,gBAAgB,EAAmC,MAAM,mBAAmB,CAAC;AAEtF;;;iEAGiE;AACjE,SAAS,0BAA0B,CACjC,IAA0B,EAC1B,QAAgB,EAChB,gBAAkC;IAElC,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,IAAI,GAAG,gBAAgB,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;IACtD,IAAI,CAAC,IAAI,EAAE,QAAQ;QAAE,OAAO,KAAK,CAAC;IAClC,sEAAsE;IACtE,6CAA6C;IAC7C,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,EAAE,CAAC;AAClE,CAAC;AAED;;;;2DAI2D;AAC3D,SAAS,eAAe,CACtB,QAAgB,EAChB,gBAAkC;IAElC,OAAO,gBAAgB,CAAC,aAAa,CAAC,QAAQ,CAAC,EAAE,cAAc,KAAK,IAAI,CAAC;AAC3E,CAAC;AAeD;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAA0B,EAC1B,gBAAkC,EAClC,WAAwB,EACxB,OAAsB,EAAE;IAExB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;IACtD,IAAI,CAAC,IAAI;QAAE,OAAO,QAAQ,CAAC;IAC3B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5C,MAAM,aAAa,GAAG,OAAO,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,CAAC;IAC9D,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;QACzB,IAAI,aAAa;YAAE,OAAO,IAAI,CAAC;QAC/B,yDAAyD;QACzD,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QACvD,uEAAuE;QACvE,gEAAgE;QAChE,IAAI,CAAC,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC;QAClC,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACrC,IAAI,OAAO,IAAI,WAAW,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,aAAa,CAC3B,IAA0B,EAC1B,QAAgB,EAChB,gBAAkC,EAClC,WAAwB,EACxB,OAAsB,EAAE;IAExB,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5C,IAAI,OAAO,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACzD,IAAI,0BAA0B,CAAC,IAAI,EAAE,QAAQ,EAAE,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/E,IAAI,eAAe,CAAC,QAAQ,EAAE,gBAAgB,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,IAAI,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACxE,IAAI,OAAO,IAAI,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9E,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;wEAGwE;AACxE,MAAM,UAAU,oBAAoB,CAClC,IAA0B,EAC1B,QAAgB,EAChB,gBAAkC,EAClC,WAAwB;IAExB,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,0BAA0B,CAAC,IAAI,EAAE,QAAQ,EAAE,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/E,IAAI,WAAW,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClG,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAC1B,IAA0B,EAC1B,QAAgB,EAChB,gBAAkC,EAClC,WAAwB;IAExB,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,0BAA0B,CAAC,IAAI,EAAE,QAAQ,EAAE,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/E,yEAAyE;IACzE,wEAAwE;IACxE,6EAA6E;IAC7E,IAAI,eAAe,CAAC,QAAQ,EAAE,gBAAgB,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,IAAI,GAAG,WAAW,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC1D,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClG,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,IAA0B,EAC1B,gBAAkC,EAClC,WAAwB;IAExB,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnD,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;gBACjC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,0BAA0B,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,eAAe,CAAC,SAAmB,EAAE,aAAiC;IACpF,IAAI,CAAC,aAAa;QAAE,OAAO,SAAS,CAAC;IACrC,OAAO,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;AACvD,CAAC"}
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* HMAC-signed capability token that lets a SANDBOXED artifact iframe load the
|
|
3
|
+
* workspace images it embeds.
|
|
4
|
+
*
|
|
5
|
+
* Why this exists: artifact iframes run with `sandbox="allow-scripts"` (no
|
|
6
|
+
* `allow-same-origin`) → opaque origin → the `__sg_token` session cookie is
|
|
7
|
+
* NOT sent on `<img>`/CSS asset requests, and an `<img>` can't carry a Bearer
|
|
8
|
+
* header. So authorized image loads need the credential IN THE URL (`?at=`).
|
|
9
|
+
*
|
|
10
|
+
* Security shape (see ~/.claude/plans/artifact-asset-proxy.md):
|
|
11
|
+
* - **Artifact-scoped allowlist** — the token names the EXACT `assetId/filename`
|
|
12
|
+
* keys the artifact references (`assets`), not the whole repo. Malicious
|
|
13
|
+
* artifact JS holding the token can only re-load the images already on the
|
|
14
|
+
* page, not enumerate the repo.
|
|
15
|
+
* - **Bound user** — `userId` is re-checked at serve time (`hasRepoAccess`), so
|
|
16
|
+
* a token stops working the moment the user loses access (modulo browser
|
|
17
|
+
* cache; the serve path uses revalidate+ETag, not immutable).
|
|
18
|
+
* - **Purpose-pinned** — verify REJECTS any JWT that isn't `purpose:
|
|
19
|
+
* 'artifact-asset'`, so a session/OAuth JWT signed with the same secret can
|
|
20
|
+
* never satisfy this gate (and this token can never satisfy a session gate).
|
|
21
|
+
*
|
|
22
|
+
* Signed with the workspace JWT secret via `authService.getJwtSecret()` — one
|
|
23
|
+
* rotation lever, same as `asset-upload-token.ts`.
|
|
24
|
+
*
|
|
25
|
+
* The token is a bearer credential visible to (untrusted) artifact JS. The
|
|
26
|
+
* defenses above (narrow asset allowlist + serve-time access re-check + short
|
|
27
|
+
* TTL) — NOT `connect-src 'none'` — are what make that acceptable: artifact JS
|
|
28
|
+
* can `postMessage` the token out, but it only unlocks this artifact's own
|
|
29
|
+
* images for a user who still has access.
|
|
30
|
+
*/
|
|
31
|
+
/** Thrown by `verifyArtifactAssetToken` on tamper / expiry / wrong secret /
|
|
32
|
+
* wrong purpose / malformed shape. Callers map it to a fail-closed 404. */
|
|
33
|
+
export declare class ArtifactAssetTokenError extends Error {
|
|
34
|
+
readonly code = "artifact_asset_token_invalid";
|
|
35
|
+
constructor(message: string);
|
|
36
|
+
}
|
|
37
|
+
export interface ArtifactAssetTokenPayload {
|
|
38
|
+
/** Discriminator. Verify rejects any token without exactly this value, which
|
|
39
|
+
* is what keeps session/OAuth JWTs (signed with the same secret) out. */
|
|
40
|
+
purpose: 'artifact-asset';
|
|
41
|
+
/** The repo the artifact lives in. Serve re-checks `payload.repo === row.repo`. */
|
|
42
|
+
repo: string;
|
|
43
|
+
/** The artifact entity id this token was minted for (audit + scoping context). */
|
|
44
|
+
artifactId: string;
|
|
45
|
+
/** Allowlist of exact `${assetId}/${filename}` keys the artifact references.
|
|
46
|
+
* Serve refuses any key not in this set — the token can't read sibling or
|
|
47
|
+
* unrelated assets even within the same repo. */
|
|
48
|
+
assets: string[];
|
|
49
|
+
/** Auth user id (as string) the token was minted for. Re-resolved + re-authed
|
|
50
|
+
* at serve time so revocation/removal takes effect before expiry. */
|
|
51
|
+
userId: string;
|
|
52
|
+
}
|
|
53
|
+
export declare const ARTIFACT_ASSET_TOKEN_TTL_SECONDS: number;
|
|
54
|
+
export declare function signArtifactAssetToken(payload: ArtifactAssetTokenPayload, secret: string): string;
|
|
55
|
+
/**
|
|
56
|
+
* Verify a token and return its payload. Throws `ArtifactAssetTokenError` on:
|
|
57
|
+
* - tamper (any field mutated) / wrong secret (rotation) / expired / malformed
|
|
58
|
+
* - wrong or missing `purpose` (rejects session + OAuth JWTs decisively)
|
|
59
|
+
*
|
|
60
|
+
* The caller (asset route, token path) is responsible for the post-verify
|
|
61
|
+
* checks the signature alone can't make:
|
|
62
|
+
* - `payload.repo === row.repo`
|
|
63
|
+
* - `${row.assetId}/${row.filename}` ∈ `payload.assets`
|
|
64
|
+
* - re-resolve `payload.userId` and re-run `hasRepoAccess`
|
|
65
|
+
*/
|
|
66
|
+
export declare function verifyArtifactAssetToken(token: string, secret: string): ArtifactAssetTokenPayload;
|
|
67
|
+
/** Build the canonical allowlist key for an asset. Centralized so the mint,
|
|
68
|
+
* serve, and tests can't drift on separator/whitespace. */
|
|
69
|
+
export declare function artifactAssetKey(assetId: string, filename: string): string;
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* HMAC-signed capability token that lets a SANDBOXED artifact iframe load the
|
|
3
|
+
* workspace images it embeds.
|
|
4
|
+
*
|
|
5
|
+
* Why this exists: artifact iframes run with `sandbox="allow-scripts"` (no
|
|
6
|
+
* `allow-same-origin`) → opaque origin → the `__sg_token` session cookie is
|
|
7
|
+
* NOT sent on `<img>`/CSS asset requests, and an `<img>` can't carry a Bearer
|
|
8
|
+
* header. So authorized image loads need the credential IN THE URL (`?at=`).
|
|
9
|
+
*
|
|
10
|
+
* Security shape (see ~/.claude/plans/artifact-asset-proxy.md):
|
|
11
|
+
* - **Artifact-scoped allowlist** — the token names the EXACT `assetId/filename`
|
|
12
|
+
* keys the artifact references (`assets`), not the whole repo. Malicious
|
|
13
|
+
* artifact JS holding the token can only re-load the images already on the
|
|
14
|
+
* page, not enumerate the repo.
|
|
15
|
+
* - **Bound user** — `userId` is re-checked at serve time (`hasRepoAccess`), so
|
|
16
|
+
* a token stops working the moment the user loses access (modulo browser
|
|
17
|
+
* cache; the serve path uses revalidate+ETag, not immutable).
|
|
18
|
+
* - **Purpose-pinned** — verify REJECTS any JWT that isn't `purpose:
|
|
19
|
+
* 'artifact-asset'`, so a session/OAuth JWT signed with the same secret can
|
|
20
|
+
* never satisfy this gate (and this token can never satisfy a session gate).
|
|
21
|
+
*
|
|
22
|
+
* Signed with the workspace JWT secret via `authService.getJwtSecret()` — one
|
|
23
|
+
* rotation lever, same as `asset-upload-token.ts`.
|
|
24
|
+
*
|
|
25
|
+
* The token is a bearer credential visible to (untrusted) artifact JS. The
|
|
26
|
+
* defenses above (narrow asset allowlist + serve-time access re-check + short
|
|
27
|
+
* TTL) — NOT `connect-src 'none'` — are what make that acceptable: artifact JS
|
|
28
|
+
* can `postMessage` the token out, but it only unlocks this artifact's own
|
|
29
|
+
* images for a user who still has access.
|
|
30
|
+
*/
|
|
31
|
+
import jwt from 'jsonwebtoken';
|
|
32
|
+
/** Thrown by `verifyArtifactAssetToken` on tamper / expiry / wrong secret /
|
|
33
|
+
* wrong purpose / malformed shape. Callers map it to a fail-closed 404. */
|
|
34
|
+
export class ArtifactAssetTokenError extends Error {
|
|
35
|
+
code = 'artifact_asset_token_invalid';
|
|
36
|
+
constructor(message) {
|
|
37
|
+
super(message);
|
|
38
|
+
this.name = 'ArtifactAssetTokenError';
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
const PURPOSE = 'artifact-asset';
|
|
42
|
+
export const ARTIFACT_ASSET_TOKEN_TTL_SECONDS = 12 * 60 * 60; // 12h — single source of truth
|
|
43
|
+
export function signArtifactAssetToken(payload, secret) {
|
|
44
|
+
return jwt.sign(payload, secret, {
|
|
45
|
+
algorithm: 'HS256',
|
|
46
|
+
expiresIn: ARTIFACT_ASSET_TOKEN_TTL_SECONDS,
|
|
47
|
+
});
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Verify a token and return its payload. Throws `ArtifactAssetTokenError` on:
|
|
51
|
+
* - tamper (any field mutated) / wrong secret (rotation) / expired / malformed
|
|
52
|
+
* - wrong or missing `purpose` (rejects session + OAuth JWTs decisively)
|
|
53
|
+
*
|
|
54
|
+
* The caller (asset route, token path) is responsible for the post-verify
|
|
55
|
+
* checks the signature alone can't make:
|
|
56
|
+
* - `payload.repo === row.repo`
|
|
57
|
+
* - `${row.assetId}/${row.filename}` ∈ `payload.assets`
|
|
58
|
+
* - re-resolve `payload.userId` and re-run `hasRepoAccess`
|
|
59
|
+
*/
|
|
60
|
+
export function verifyArtifactAssetToken(token, secret) {
|
|
61
|
+
let decoded;
|
|
62
|
+
try {
|
|
63
|
+
decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
|
|
64
|
+
}
|
|
65
|
+
catch (err) {
|
|
66
|
+
throw new ArtifactAssetTokenError(err instanceof Error ? err.message : 'token verification failed');
|
|
67
|
+
}
|
|
68
|
+
if (!isPayload(decoded)) {
|
|
69
|
+
throw new ArtifactAssetTokenError('token payload has unexpected shape or purpose');
|
|
70
|
+
}
|
|
71
|
+
return {
|
|
72
|
+
purpose: PURPOSE,
|
|
73
|
+
repo: decoded.repo,
|
|
74
|
+
artifactId: decoded.artifactId,
|
|
75
|
+
assets: decoded.assets,
|
|
76
|
+
userId: decoded.userId,
|
|
77
|
+
};
|
|
78
|
+
}
|
|
79
|
+
/** Build the canonical allowlist key for an asset. Centralized so the mint,
|
|
80
|
+
* serve, and tests can't drift on separator/whitespace. */
|
|
81
|
+
export function artifactAssetKey(assetId, filename) {
|
|
82
|
+
return `${assetId}/${filename}`;
|
|
83
|
+
}
|
|
84
|
+
function isPayload(value) {
|
|
85
|
+
if (!value || typeof value !== 'object')
|
|
86
|
+
return false;
|
|
87
|
+
const v = value;
|
|
88
|
+
return (v.purpose === PURPOSE &&
|
|
89
|
+
typeof v.repo === 'string' && v.repo.length > 0 &&
|
|
90
|
+
typeof v.artifactId === 'string' && v.artifactId.length > 0 &&
|
|
91
|
+
Array.isArray(v.assets) && v.assets.every((a) => typeof a === 'string') &&
|
|
92
|
+
typeof v.userId === 'string' && v.userId.length > 0);
|
|
93
|
+
}
|
|
94
|
+
//# sourceMappingURL=artifact-asset-token.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"artifact-asset-token.js","sourceRoot":"","sources":["../../src/services/artifact-asset-token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,GAAG,MAAM,cAAc,CAAC;AAE/B;4EAC4E;AAC5E,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IACvC,IAAI,GAAG,8BAA8B,CAAC;IAC/C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAmBD,MAAM,OAAO,GAAG,gBAAyB,CAAC;AAC1C,MAAM,CAAC,MAAM,gCAAgC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,+BAA+B;AAE7F,MAAM,UAAU,sBAAsB,CACpC,OAAkC,EAClC,MAAc;IAEd,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE;QAC/B,SAAS,EAAE,OAAO;QAClB,SAAS,EAAE,gCAAgC;KAC5C,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,wBAAwB,CACtC,KAAa,EACb,MAAc;IAEd,IAAI,OAAgB,CAAC;IACrB,IAAI,CAAC;QACH,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,uBAAuB,CAC/B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,CACjE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,uBAAuB,CAAC,+CAA+C,CAAC,CAAC;IACrF,CAAC;IACD,OAAO;QACL,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;AACJ,CAAC;AAED;4DAC4D;AAC5D,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,OAAO,GAAG,OAAO,IAAI,QAAQ,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,SAAS,CAAC,KAAc;IAC/B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACtD,MAAM,CAAC,GAAG,KAAgC,CAAC;IAC3C,OAAO,CACL,CAAC,CAAC,OAAO,KAAK,OAAO;QACrB,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;QAC/C,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC3D,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QACvE,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CACpD,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
// Server-side artifact library loader. This path is synchronous because the
|
|
2
|
+
// render/export pipeline runs in Node and reads bundled library sources from
|
|
3
|
+
// disk before handing them to Playwright.
|
|
4
|
+
import { readFileSync } from 'fs';
|
|
5
|
+
import { createRequire } from 'module';
|
|
6
|
+
import { dirname, join } from 'path';
|
|
7
|
+
const require = createRequire(import.meta.url);
|
|
8
|
+
const LIBRARY_PATHS = {
|
|
9
|
+
d3: 'd3/dist/d3.min.js',
|
|
10
|
+
motion: 'motion/dist/motion.js',
|
|
11
|
+
three: 'three/build/three.module.min.js',
|
|
12
|
+
threeCore: 'three/build/three.core.min.js',
|
|
13
|
+
};
|
|
14
|
+
const cache = {};
|
|
15
|
+
function packageRoot(packageName) {
|
|
16
|
+
let current = dirname(require.resolve(packageName));
|
|
17
|
+
while (current !== dirname(current)) {
|
|
18
|
+
try {
|
|
19
|
+
const pkg = JSON.parse(readFileSync(join(current, 'package.json'), 'utf8'));
|
|
20
|
+
if (pkg.name === packageName)
|
|
21
|
+
return current;
|
|
22
|
+
}
|
|
23
|
+
catch {
|
|
24
|
+
}
|
|
25
|
+
current = dirname(current);
|
|
26
|
+
}
|
|
27
|
+
throw new Error(`Could not resolve package root for ${packageName}`);
|
|
28
|
+
}
|
|
29
|
+
function readLibrarySource(key) {
|
|
30
|
+
const [packageName, ...parts] = LIBRARY_PATHS[key].split('/');
|
|
31
|
+
cache[key] ??= readFileSync(join(packageRoot(packageName), ...parts), 'utf8');
|
|
32
|
+
return cache[key];
|
|
33
|
+
}
|
|
34
|
+
export function artifactLibrarySourcesForBundle(bundle) {
|
|
35
|
+
const sources = {};
|
|
36
|
+
for (const key of bundle.libraries ?? []) {
|
|
37
|
+
sources[key] = readLibrarySource(key);
|
|
38
|
+
if (key === 'three') {
|
|
39
|
+
sources.threeCore = readLibrarySource('threeCore');
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
return sources;
|
|
43
|
+
}
|
|
44
|
+
//# sourceMappingURL=artifact-library-sources.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"artifact-library-sources.js","sourceRoot":"","sources":["../../src/services/artifact-library-sources.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,6EAA6E;AAC7E,0CAA0C;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAIrC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAE/C,MAAM,aAAa,GAAG;IACpB,EAAE,EAAE,mBAAmB;IACvB,MAAM,EAAE,uBAAuB;IAC/B,KAAK,EAAE,iCAAiC;IACxC,SAAS,EAAE,+BAA+B;CAClC,CAAC;AAEX,MAAM,KAAK,GAAwD,EAAE,CAAC;AAEtE,SAAS,WAAW,CAAC,WAAmB;IACtC,IAAI,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IACpD,OAAO,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,CAAsB,CAAC;YACjG,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW;gBAAE,OAAO,OAAO,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;QACT,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,sCAAsC,WAAW,EAAE,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,iBAAiB,CAAC,GAA+B;IACxD,MAAM,CAAC,WAAW,EAAE,GAAG,KAAK,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9D,KAAK,CAAC,GAAG,CAAC,KAAK,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,GAAG,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9E,OAAO,KAAK,CAAC,GAAG,CAAE,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,MAAsB;IACpE,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,SAAS,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
import type { ArtifactBundle } from '../core/artifact-bundle.js';
|
|
2
|
+
export declare class ArtifactRenderExportUnavailableError extends Error {
|
|
3
|
+
constructor(message?: string);
|
|
4
|
+
}
|
|
5
|
+
export interface ArtifactRenderExportOptions {
|
|
6
|
+
baseUrl?: string;
|
|
7
|
+
timeoutMs?: number;
|
|
8
|
+
context?: 'editor' | 'fullscreen' | 'export';
|
|
9
|
+
onPage?: (page: import('playwright').Page) => void | Promise<void>;
|
|
10
|
+
/** Artifact-asset capability token so the headless page (no session cookie)
|
|
11
|
+
* can load workspace images via `/api/assets/...?at=`. */
|
|
12
|
+
assetToken?: string;
|
|
13
|
+
}
|
|
14
|
+
export interface ArtifactPngExportFile {
|
|
15
|
+
index: number;
|
|
16
|
+
bytes: Buffer;
|
|
17
|
+
}
|
|
18
|
+
export interface NamedArtifactPngExportFile extends ArtifactPngExportFile {
|
|
19
|
+
filename: string;
|
|
20
|
+
}
|
|
21
|
+
export interface ArtifactInspectOptions extends Omit<ArtifactRenderExportOptions, 'context'> {
|
|
22
|
+
context?: 'editor' | 'fullscreen';
|
|
23
|
+
frameSelector?: string;
|
|
24
|
+
frameIndexes?: number[];
|
|
25
|
+
maxFrames?: number;
|
|
26
|
+
includePageScreenshot?: boolean;
|
|
27
|
+
includeFrameScreenshots?: boolean;
|
|
28
|
+
screenshotFormat?: 'png' | 'jpeg';
|
|
29
|
+
jpegQuality?: number;
|
|
30
|
+
}
|
|
31
|
+
export interface ArtifactInspectionImage {
|
|
32
|
+
mimeType: 'image/png' | 'image/jpeg';
|
|
33
|
+
byteLength: number;
|
|
34
|
+
dataUrl: string;
|
|
35
|
+
}
|
|
36
|
+
export interface ArtifactInspectionFrame {
|
|
37
|
+
index: number;
|
|
38
|
+
tagName: string;
|
|
39
|
+
id?: string;
|
|
40
|
+
className?: string;
|
|
41
|
+
textSnippet?: string;
|
|
42
|
+
rect: {
|
|
43
|
+
x: number;
|
|
44
|
+
y: number;
|
|
45
|
+
width: number;
|
|
46
|
+
height: number;
|
|
47
|
+
};
|
|
48
|
+
screenshot?: ArtifactInspectionImage;
|
|
49
|
+
screenshotError?: string;
|
|
50
|
+
}
|
|
51
|
+
export interface ArtifactInspectionResult {
|
|
52
|
+
artifactId: string;
|
|
53
|
+
title: string;
|
|
54
|
+
kind: string;
|
|
55
|
+
context: 'editor' | 'fullscreen';
|
|
56
|
+
viewport: {
|
|
57
|
+
width: number;
|
|
58
|
+
height: number;
|
|
59
|
+
};
|
|
60
|
+
documentSize: {
|
|
61
|
+
width: number;
|
|
62
|
+
height: number;
|
|
63
|
+
};
|
|
64
|
+
frameSelector: string;
|
|
65
|
+
frameCount: number;
|
|
66
|
+
bodyTextSnippet: string;
|
|
67
|
+
console: Array<{
|
|
68
|
+
type: string;
|
|
69
|
+
text: string;
|
|
70
|
+
}>;
|
|
71
|
+
pageErrors: string[];
|
|
72
|
+
requestFailures: Array<{
|
|
73
|
+
url: string;
|
|
74
|
+
errorText: string;
|
|
75
|
+
}>;
|
|
76
|
+
screenshot?: ArtifactInspectionImage;
|
|
77
|
+
frames: ArtifactInspectionFrame[];
|
|
78
|
+
}
|
|
79
|
+
export declare function artifactPngArchiveFilename(bundle: ArtifactBundle): string;
|
|
80
|
+
export declare function artifactPngFrameFilename(bundle: ArtifactBundle, index: number, count: number): string;
|
|
81
|
+
export declare function nameArtifactPngFiles(bundle: ArtifactBundle, files: ArtifactPngExportFile[]): NamedArtifactPngExportFile[];
|
|
82
|
+
/** Zip an arbitrary set of named byte entries. Backing primitive for both the
|
|
83
|
+
* multi-PNG archive and the self-contained HTML-export bundle. */
|
|
84
|
+
export declare function zipArtifactFiles(files: Array<{
|
|
85
|
+
filename: string;
|
|
86
|
+
bytes: Buffer;
|
|
87
|
+
}>): Promise<Buffer>;
|
|
88
|
+
/** @deprecated naming — use {@link zipArtifactFiles}. Kept for callers. */
|
|
89
|
+
export declare function zipArtifactPngFiles(files: Array<{
|
|
90
|
+
filename: string;
|
|
91
|
+
bytes: Buffer;
|
|
92
|
+
}>): Promise<Buffer>;
|
|
93
|
+
export declare function withRenderedArtifact<T>(bundle: ArtifactBundle, options: ArtifactRenderExportOptions, callback: (page: import('playwright').Page) => Promise<T>): Promise<T>;
|
|
94
|
+
export declare function renderArtifactPng(bundle: ArtifactBundle, options?: ArtifactRenderExportOptions): Promise<Buffer>;
|
|
95
|
+
export declare function renderArtifactPngFiles(bundle: ArtifactBundle, options?: ArtifactRenderExportOptions): Promise<ArtifactPngExportFile[]>;
|
|
96
|
+
export declare function renderArtifactPdf(bundle: ArtifactBundle, options?: ArtifactRenderExportOptions): Promise<Buffer>;
|
|
97
|
+
export declare function inspectArtifactRender(bundle: ArtifactBundle, options?: ArtifactInspectOptions): Promise<ArtifactInspectionResult>;
|