studiograph 1.3.48-next.26 → 1.3.48-next.261

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1640) hide show
  1. package/README.md +27 -17
  2. package/dist/agent/agent-pool.d.ts +120 -4
  3. package/dist/agent/agent-pool.js +358 -18
  4. package/dist/agent/agent-pool.js.map +1 -1
  5. package/dist/agent/context-window.d.ts +113 -0
  6. package/dist/agent/context-window.js +459 -0
  7. package/dist/agent/context-window.js.map +1 -0
  8. package/dist/agent/followups.d.ts +34 -0
  9. package/dist/agent/followups.js +52 -0
  10. package/dist/agent/followups.js.map +1 -0
  11. package/dist/agent/orchestrator.d.ts +110 -11
  12. package/dist/agent/orchestrator.js +547 -75
  13. package/dist/agent/orchestrator.js.map +1 -1
  14. package/dist/agent/prompts/entity-types-section.d.ts +18 -9
  15. package/dist/agent/prompts/entity-types-section.js +42 -18
  16. package/dist/agent/prompts/entity-types-section.js.map +1 -1
  17. package/dist/agent/prompts/system.md +107 -19
  18. package/dist/agent/skill-loader.js +3 -9
  19. package/dist/agent/skill-loader.js.map +1 -1
  20. package/dist/agent/skills/artifact-canvas/skill.md +257 -0
  21. package/dist/agent/skills/create-skill.md +39 -0
  22. package/dist/agent/skills/entity-schema.md +67 -150
  23. package/dist/agent/skills/interview/skill.md +44 -29
  24. package/dist/agent/skills/paged-documents/skill.md +147 -0
  25. package/dist/agent/skills/schema-rules.md +28 -28
  26. package/dist/agent/tools/artifact-tools.d.ts +237 -0
  27. package/dist/agent/tools/artifact-tools.js +407 -0
  28. package/dist/agent/tools/artifact-tools.js.map +1 -0
  29. package/dist/agent/tools/capture-tools.d.ts +31 -0
  30. package/dist/agent/tools/capture-tools.js +40 -0
  31. package/dist/agent/tools/capture-tools.js.map +1 -0
  32. package/dist/agent/tools/folder-tools.d.ts +50 -0
  33. package/dist/agent/tools/folder-tools.js +340 -0
  34. package/dist/agent/tools/folder-tools.js.map +1 -0
  35. package/dist/agent/tools/fs-tools.d.ts +6 -5
  36. package/dist/agent/tools/fs-tools.js +1 -1
  37. package/dist/agent/tools/fs-tools.js.map +1 -1
  38. package/dist/agent/tools/graph-tools.d.ts +45 -73
  39. package/dist/agent/tools/graph-tools.js +765 -239
  40. package/dist/agent/tools/graph-tools.js.map +1 -1
  41. package/dist/agent/tools/history-tools.d.ts +95 -0
  42. package/dist/agent/tools/history-tools.js +465 -0
  43. package/dist/agent/tools/history-tools.js.map +1 -0
  44. package/dist/agent/tools/load-skill.d.ts +4 -3
  45. package/dist/agent/tools/load-skill.js +1 -1
  46. package/dist/agent/tools/load-skill.js.map +1 -1
  47. package/dist/agent/tools/ops-tools.d.ts +2 -1
  48. package/dist/agent/tools/ops-tools.js +125 -25
  49. package/dist/agent/tools/ops-tools.js.map +1 -1
  50. package/dist/agent/tools/permission-tools.d.ts +69 -21
  51. package/dist/agent/tools/permission-tools.js +183 -18
  52. package/dist/agent/tools/permission-tools.js.map +1 -1
  53. package/dist/agent/tools/tool-loader.js +5 -4
  54. package/dist/agent/tools/tool-loader.js.map +1 -1
  55. package/dist/agent/tools/web-tools.js +58 -9
  56. package/dist/agent/tools/web-tools.js.map +1 -1
  57. package/dist/cli/commands/about.d.ts +1 -0
  58. package/dist/cli/commands/about.js +55 -3
  59. package/dist/cli/commands/about.js.map +1 -1
  60. package/dist/cli/commands/admin/audit-workspace.d.ts +23 -0
  61. package/dist/cli/commands/admin/audit-workspace.js +133 -0
  62. package/dist/cli/commands/admin/audit-workspace.js.map +1 -0
  63. package/dist/cli/commands/admin/audit.d.ts +21 -0
  64. package/dist/cli/commands/admin/audit.js +174 -0
  65. package/dist/cli/commands/admin/audit.js.map +1 -0
  66. package/dist/cli/commands/admin/backup.d.ts +54 -0
  67. package/dist/cli/commands/admin/backup.js +207 -0
  68. package/dist/cli/commands/admin/backup.js.map +1 -0
  69. package/dist/cli/commands/admin/folder.d.ts +11 -0
  70. package/dist/cli/commands/admin/folder.js +187 -0
  71. package/dist/cli/commands/admin/folder.js.map +1 -0
  72. package/dist/cli/commands/admin/index.d.ts +16 -0
  73. package/dist/cli/commands/admin/index.js +48 -0
  74. package/dist/cli/commands/admin/index.js.map +1 -0
  75. package/dist/cli/commands/admin/migrate-asset-owners.d.ts +56 -0
  76. package/dist/cli/commands/admin/migrate-asset-owners.js +86 -0
  77. package/dist/cli/commands/admin/migrate-asset-owners.js.map +1 -0
  78. package/dist/cli/commands/admin/migrate-assets.d.ts +62 -0
  79. package/dist/cli/commands/admin/migrate-assets.js +237 -0
  80. package/dist/cli/commands/admin/migrate-assets.js.map +1 -0
  81. package/dist/cli/commands/admin/migrate.d.ts +56 -0
  82. package/dist/cli/commands/admin/migrate.js +263 -0
  83. package/dist/cli/commands/admin/migrate.js.map +1 -0
  84. package/dist/cli/commands/admin/restore.d.ts +24 -0
  85. package/dist/cli/commands/admin/restore.js +228 -0
  86. package/dist/cli/commands/admin/restore.js.map +1 -0
  87. package/dist/cli/commands/admin/secrets.d.ts +23 -0
  88. package/dist/cli/commands/admin/secrets.js +256 -0
  89. package/dist/cli/commands/admin/secrets.js.map +1 -0
  90. package/dist/cli/commands/admin/settings.d.ts +28 -0
  91. package/dist/cli/commands/admin/settings.js +284 -0
  92. package/dist/cli/commands/admin/settings.js.map +1 -0
  93. package/dist/cli/commands/admin/token.d.ts +42 -0
  94. package/dist/cli/commands/admin/token.js +126 -0
  95. package/dist/cli/commands/admin/token.js.map +1 -0
  96. package/dist/cli/commands/admin/transfer-ownership.d.ts +15 -0
  97. package/dist/cli/commands/admin/transfer-ownership.js +106 -0
  98. package/dist/cli/commands/admin/transfer-ownership.js.map +1 -0
  99. package/dist/cli/commands/admin/user.d.ts +11 -0
  100. package/dist/cli/commands/admin/user.js +187 -0
  101. package/dist/cli/commands/admin/user.js.map +1 -0
  102. package/dist/cli/commands/clone.d.ts +23 -3
  103. package/dist/cli/commands/clone.js +140 -36
  104. package/dist/cli/commands/clone.js.map +1 -1
  105. package/dist/cli/commands/config.d.ts +23 -107
  106. package/dist/cli/commands/config.js +52 -260
  107. package/dist/cli/commands/config.js.map +1 -1
  108. package/dist/cli/commands/connector.d.ts +10 -13
  109. package/dist/cli/commands/connector.js +16 -58
  110. package/dist/cli/commands/connector.js.map +1 -1
  111. package/dist/cli/commands/deploy.js +215 -68
  112. package/dist/cli/commands/deploy.js.map +1 -1
  113. package/dist/cli/commands/index.js +7 -4
  114. package/dist/cli/commands/index.js.map +1 -1
  115. package/dist/cli/commands/init.js +10 -30
  116. package/dist/cli/commands/init.js.map +1 -1
  117. package/dist/cli/commands/mcp.js +54 -6
  118. package/dist/cli/commands/mcp.js.map +1 -1
  119. package/dist/cli/commands/r2.d.ts +3 -0
  120. package/dist/cli/commands/r2.js +223 -204
  121. package/dist/cli/commands/r2.js.map +1 -1
  122. package/dist/cli/commands/redeploy.js +65 -12
  123. package/dist/cli/commands/redeploy.js.map +1 -1
  124. package/dist/cli/commands/reset.d.ts +22 -6
  125. package/dist/cli/commands/reset.js +132 -34
  126. package/dist/cli/commands/reset.js.map +1 -1
  127. package/dist/cli/commands/serve.js +242 -24
  128. package/dist/cli/commands/serve.js.map +1 -1
  129. package/dist/cli/commands/sync.d.ts +1 -1
  130. package/dist/cli/commands/sync.js +230 -227
  131. package/dist/cli/commands/sync.js.map +1 -1
  132. package/dist/cli/crypto-bundle.d.ts +39 -0
  133. package/dist/cli/crypto-bundle.js +94 -0
  134. package/dist/cli/crypto-bundle.js.map +1 -0
  135. package/dist/cli/index.js +24 -23
  136. package/dist/cli/index.js.map +1 -1
  137. package/dist/cli/railway-pin.d.ts +68 -0
  138. package/dist/cli/railway-pin.js +96 -0
  139. package/dist/cli/railway-pin.js.map +1 -0
  140. package/dist/cli/railway-provisioning.d.ts +53 -0
  141. package/dist/cli/railway-provisioning.js +85 -0
  142. package/dist/cli/railway-provisioning.js.map +1 -0
  143. package/dist/cli/setup-wizard.d.ts +30 -49
  144. package/dist/cli/setup-wizard.js +39 -40
  145. package/dist/cli/setup-wizard.js.map +1 -1
  146. package/dist/cli/theme.d.ts +1 -1
  147. package/dist/core/accent-palette.d.ts +7 -18
  148. package/dist/core/accent-palette.js +27 -38
  149. package/dist/core/accent-palette.js.map +1 -1
  150. package/dist/core/artifact-asset-resolution.d.ts +90 -0
  151. package/dist/core/artifact-asset-resolution.js +138 -0
  152. package/dist/core/artifact-asset-resolution.js.map +1 -0
  153. package/dist/core/artifact-asset-urls.d.ts +111 -0
  154. package/dist/core/artifact-asset-urls.js +174 -0
  155. package/dist/core/artifact-asset-urls.js.map +1 -0
  156. package/dist/core/artifact-bundle.d.ts +69 -0
  157. package/dist/core/artifact-bundle.js +305 -0
  158. package/dist/core/artifact-bundle.js.map +1 -0
  159. package/dist/core/artifact-escape.d.ts +5 -0
  160. package/dist/core/artifact-escape.js +26 -0
  161. package/dist/core/artifact-escape.js.map +1 -0
  162. package/dist/core/artifact-export.d.ts +83 -0
  163. package/dist/core/artifact-export.js +1567 -0
  164. package/dist/core/artifact-export.js.map +1 -0
  165. package/dist/core/artifact-frame-document.d.ts +105 -0
  166. package/dist/core/artifact-frame-document.js +1427 -0
  167. package/dist/core/artifact-frame-document.js.map +1 -0
  168. package/dist/core/artifact-frame-layout.d.ts +79 -0
  169. package/dist/core/artifact-frame-layout.js +94 -0
  170. package/dist/core/artifact-frame-layout.js.map +1 -0
  171. package/dist/core/artifact-frame-model.d.ts +198 -0
  172. package/dist/core/artifact-frame-model.js +603 -0
  173. package/dist/core/artifact-frame-model.js.map +1 -0
  174. package/dist/core/artifact-frame-selectors.d.ts +42 -0
  175. package/dist/core/artifact-frame-selectors.js +65 -0
  176. package/dist/core/artifact-frame-selectors.js.map +1 -0
  177. package/dist/core/artifact-libraries.d.ts +23 -0
  178. package/dist/core/artifact-libraries.js +229 -0
  179. package/dist/core/artifact-libraries.js.map +1 -0
  180. package/dist/core/artifact-manifest.d.ts +64 -0
  181. package/dist/core/artifact-manifest.js +88 -0
  182. package/dist/core/artifact-manifest.js.map +1 -0
  183. package/dist/core/artifact-paged-css.d.ts +64 -0
  184. package/dist/core/artifact-paged-css.js +253 -0
  185. package/dist/core/artifact-paged-css.js.map +1 -0
  186. package/dist/core/artifact-patch.d.ts +58 -0
  187. package/dist/core/artifact-patch.js +309 -0
  188. package/dist/core/artifact-patch.js.map +1 -0
  189. package/dist/core/artifact-warnings.d.ts +51 -0
  190. package/dist/core/artifact-warnings.js +165 -0
  191. package/dist/core/artifact-warnings.js.map +1 -0
  192. package/dist/core/breakpoints.d.ts +27 -0
  193. package/dist/core/breakpoints.js +28 -0
  194. package/dist/core/breakpoints.js.map +1 -0
  195. package/dist/core/cell-anchor.d.ts +29 -0
  196. package/dist/core/cell-anchor.js +53 -0
  197. package/dist/core/cell-anchor.js.map +1 -0
  198. package/dist/core/comment-anchor.d.ts +41 -0
  199. package/dist/core/comment-anchor.js +147 -0
  200. package/dist/core/comment-anchor.js.map +1 -0
  201. package/dist/core/commit-messages.d.ts +57 -0
  202. package/dist/core/commit-messages.js +85 -0
  203. package/dist/core/commit-messages.js.map +1 -0
  204. package/dist/core/embeds.d.ts +108 -0
  205. package/dist/core/embeds.js +226 -0
  206. package/dist/core/embeds.js.map +1 -0
  207. package/dist/core/entity-body-templates.d.ts +21 -0
  208. package/dist/core/entity-body-templates.js +66 -0
  209. package/dist/core/entity-body-templates.js.map +1 -0
  210. package/dist/core/entity-types-catalog.d.ts +65 -0
  211. package/dist/core/entity-types-catalog.js +142 -0
  212. package/dist/core/entity-types-catalog.js.map +1 -0
  213. package/dist/core/field-library.d.ts +62 -0
  214. package/dist/core/field-library.js +129 -0
  215. package/dist/core/field-library.js.map +1 -0
  216. package/dist/core/folder-paths.d.ts +41 -0
  217. package/dist/core/folder-paths.js +95 -0
  218. package/dist/core/folder-paths.js.map +1 -0
  219. package/dist/core/folder-sidecar.d.ts +36 -0
  220. package/dist/core/folder-sidecar.js +91 -0
  221. package/dist/core/folder-sidecar.js.map +1 -0
  222. package/dist/core/font-family.d.ts +62 -0
  223. package/dist/core/font-family.js +84 -0
  224. package/dist/core/font-family.js.map +1 -0
  225. package/dist/core/format-registry.d.ts +187 -0
  226. package/dist/core/format-registry.js +411 -0
  227. package/dist/core/format-registry.js.map +1 -0
  228. package/dist/core/graph.d.ts +770 -30
  229. package/dist/core/graph.js +2282 -386
  230. package/dist/core/graph.js.map +1 -1
  231. package/dist/core/history-diff.d.ts +35 -0
  232. package/dist/core/history-diff.js +114 -0
  233. package/dist/core/history-diff.js.map +1 -0
  234. package/dist/core/markdown-strip.d.ts +22 -0
  235. package/dist/core/markdown-strip.js +51 -0
  236. package/dist/core/markdown-strip.js.map +1 -0
  237. package/dist/core/refs.d.ts +41 -0
  238. package/dist/core/refs.js +80 -0
  239. package/dist/core/refs.js.map +1 -0
  240. package/dist/core/schema-registry.d.ts +66 -0
  241. package/dist/core/schema-registry.js +198 -37
  242. package/dist/core/schema-registry.js.map +1 -1
  243. package/dist/core/schemas/connector.d.ts +67 -0
  244. package/dist/core/schemas/connector.js +100 -0
  245. package/dist/core/schemas/connector.js.map +1 -0
  246. package/dist/core/schemas/workspace.d.ts +122 -0
  247. package/dist/core/schemas/workspace.js +211 -0
  248. package/dist/core/schemas/workspace.js.map +1 -0
  249. package/dist/core/secrets/SecretStore.d.ts +77 -0
  250. package/dist/core/secrets/SecretStore.js +13 -0
  251. package/dist/core/secrets/SecretStore.js.map +1 -0
  252. package/dist/core/secrets/SettingsResolver.d.ts +54 -0
  253. package/dist/core/secrets/SettingsResolver.js +80 -0
  254. package/dist/core/secrets/SettingsResolver.js.map +1 -0
  255. package/dist/core/secrets/SettingsStore.d.ts +30 -0
  256. package/dist/core/secrets/SettingsStore.js +9 -0
  257. package/dist/core/secrets/SettingsStore.js.map +1 -0
  258. package/dist/core/secrets/SqliteEncryptedStore.d.ts +90 -0
  259. package/dist/core/secrets/SqliteEncryptedStore.js +598 -0
  260. package/dist/core/secrets/SqliteEncryptedStore.js.map +1 -0
  261. package/dist/core/secrets/audit.d.ts +36 -0
  262. package/dist/core/secrets/audit.js +60 -0
  263. package/dist/core/secrets/audit.js.map +1 -0
  264. package/dist/core/secrets/auth-db-migration.d.ts +129 -0
  265. package/dist/core/secrets/auth-db-migration.js +653 -0
  266. package/dist/core/secrets/auth-db-migration.js.map +1 -0
  267. package/dist/core/secrets/bundle.d.ts +141 -0
  268. package/dist/core/secrets/bundle.js +435 -0
  269. package/dist/core/secrets/bundle.js.map +1 -0
  270. package/dist/core/secrets/dual-write.d.ts +81 -0
  271. package/dist/core/secrets/dual-write.js +247 -0
  272. package/dist/core/secrets/dual-write.js.map +1 -0
  273. package/dist/core/secrets/encryption.d.ts +44 -0
  274. package/dist/core/secrets/encryption.js +97 -0
  275. package/dist/core/secrets/encryption.js.map +1 -0
  276. package/dist/core/secrets/index.d.ts +49 -0
  277. package/dist/core/secrets/index.js +74 -0
  278. package/dist/core/secrets/index.js.map +1 -0
  279. package/dist/core/secrets/master-key.d.ts +38 -0
  280. package/dist/core/secrets/master-key.js +122 -0
  281. package/dist/core/secrets/master-key.js.map +1 -0
  282. package/dist/core/secrets/probes/anthropic.d.ts +98 -0
  283. package/dist/core/secrets/probes/anthropic.js +300 -0
  284. package/dist/core/secrets/probes/anthropic.js.map +1 -0
  285. package/dist/core/secrets/probes/brave.d.ts +9 -0
  286. package/dist/core/secrets/probes/brave.js +15 -0
  287. package/dist/core/secrets/probes/brave.js.map +1 -0
  288. package/dist/core/secrets/probes/r2.d.ts +15 -0
  289. package/dist/core/secrets/probes/r2.js +14 -0
  290. package/dist/core/secrets/probes/r2.js.map +1 -0
  291. package/dist/core/secrets/probes/tavily.d.ts +18 -0
  292. package/dist/core/secrets/probes/tavily.js +58 -0
  293. package/dist/core/secrets/probes/tavily.js.map +1 -0
  294. package/dist/core/secrets/probes/voyage.d.ts +13 -0
  295. package/dist/core/secrets/probes/voyage.js +52 -0
  296. package/dist/core/secrets/probes/voyage.js.map +1 -0
  297. package/dist/core/secrets/r2-structural-migration.d.ts +39 -0
  298. package/dist/core/secrets/r2-structural-migration.js +109 -0
  299. package/dist/core/secrets/r2-structural-migration.js.map +1 -0
  300. package/dist/core/secrets/read-flip.d.ts +59 -0
  301. package/dist/core/secrets/read-flip.js +87 -0
  302. package/dist/core/secrets/read-flip.js.map +1 -0
  303. package/dist/core/secrets/registry.d.ts +237 -0
  304. package/dist/core/secrets/registry.js +710 -0
  305. package/dist/core/secrets/registry.js.map +1 -0
  306. package/dist/core/seed-folder.d.ts +59 -0
  307. package/dist/core/seed-folder.js +76 -0
  308. package/dist/core/seed-folder.js.map +1 -0
  309. package/dist/core/types.d.ts +88 -480
  310. package/dist/core/types.js +53 -6
  311. package/dist/core/types.js.map +1 -1
  312. package/dist/core/user-config.d.ts +81 -14
  313. package/dist/core/user-config.js +147 -17
  314. package/dist/core/user-config.js.map +1 -1
  315. package/dist/core/validation.d.ts +828 -1472
  316. package/dist/core/validation.js +475 -163
  317. package/dist/core/validation.js.map +1 -1
  318. package/dist/core/view-scope.d.ts +88 -0
  319. package/dist/core/view-scope.js +71 -0
  320. package/dist/core/view-scope.js.map +1 -0
  321. package/dist/core/workspace-manager.d.ts +156 -11
  322. package/dist/core/workspace-manager.js +364 -92
  323. package/dist/core/workspace-manager.js.map +1 -1
  324. package/dist/core/workspace.d.ts +19 -5
  325. package/dist/core/workspace.js +72 -56
  326. package/dist/core/workspace.js.map +1 -1
  327. package/dist/mcp/comment-virtual-entity.d.ts +36 -0
  328. package/dist/mcp/comment-virtual-entity.js +71 -0
  329. package/dist/mcp/comment-virtual-entity.js.map +1 -0
  330. package/dist/mcp/connector-manager.d.ts +72 -2
  331. package/dist/mcp/connector-manager.js +211 -32
  332. package/dist/mcp/connector-manager.js.map +1 -1
  333. package/dist/mcp/oauth-provider.d.ts +0 -5
  334. package/dist/mcp/oauth-provider.js +31 -25
  335. package/dist/mcp/oauth-provider.js.map +1 -1
  336. package/dist/mcp/oauth-registry.d.ts +46 -8
  337. package/dist/mcp/oauth-registry.js +52 -13
  338. package/dist/mcp/oauth-registry.js.map +1 -1
  339. package/dist/mcp/server-discovery.d.ts +73 -0
  340. package/dist/mcp/server-discovery.js +164 -0
  341. package/dist/mcp/server-discovery.js.map +1 -0
  342. package/dist/mcp/server.d.ts +24 -3
  343. package/dist/mcp/server.js +53 -10
  344. package/dist/mcp/server.js.map +1 -1
  345. package/dist/mcp/state-signer.d.ts +62 -0
  346. package/dist/mcp/state-signer.js +205 -0
  347. package/dist/mcp/state-signer.js.map +1 -0
  348. package/dist/mcp/stdio-proxy.d.ts +67 -0
  349. package/dist/mcp/stdio-proxy.js +149 -0
  350. package/dist/mcp/stdio-proxy.js.map +1 -0
  351. package/dist/mcp/tools.d.ts +73 -2
  352. package/dist/mcp/tools.js +2289 -115
  353. package/dist/mcp/tools.js.map +1 -1
  354. package/dist/server/__tests__/helpers/graph-api.d.ts +17 -0
  355. package/dist/server/__tests__/helpers/graph-api.js +17 -0
  356. package/dist/server/__tests__/helpers/graph-api.js.map +1 -0
  357. package/dist/server/__tests__/helpers/multipart.d.ts +9 -0
  358. package/dist/server/__tests__/helpers/multipart.js +14 -0
  359. package/dist/server/__tests__/helpers/multipart.js.map +1 -0
  360. package/dist/server/artifact-asset-mint.d.ts +59 -0
  361. package/dist/server/artifact-asset-mint.js +127 -0
  362. package/dist/server/artifact-asset-mint.js.map +1 -0
  363. package/dist/server/asset-index-queue.d.ts +98 -0
  364. package/dist/server/asset-index-queue.js +193 -0
  365. package/dist/server/asset-index-queue.js.map +1 -0
  366. package/dist/server/body-write-coordinator.d.ts +161 -0
  367. package/dist/server/body-write-coordinator.js +182 -0
  368. package/dist/server/body-write-coordinator.js.map +1 -0
  369. package/dist/server/cloud-billing-flow.d.ts +32 -0
  370. package/dist/server/cloud-billing-flow.js +75 -0
  371. package/dist/server/cloud-billing-flow.js.map +1 -0
  372. package/dist/server/commit-audit.d.ts +26 -0
  373. package/dist/server/commit-audit.js +30 -0
  374. package/dist/server/commit-audit.js.map +1 -0
  375. package/dist/server/index.d.ts +50 -1
  376. package/dist/server/index.js +811 -229
  377. package/dist/server/index.js.map +1 -1
  378. package/dist/server/middleware/sanitize.d.ts +46 -0
  379. package/dist/server/middleware/sanitize.js +195 -0
  380. package/dist/server/middleware/sanitize.js.map +1 -0
  381. package/dist/server/process-guards.d.ts +37 -0
  382. package/dist/server/process-guards.js +44 -0
  383. package/dist/server/process-guards.js.map +1 -0
  384. package/dist/server/routes/ai-usage-api.d.ts +24 -0
  385. package/dist/server/routes/ai-usage-api.js +68 -0
  386. package/dist/server/routes/ai-usage-api.js.map +1 -0
  387. package/dist/server/routes/artifact-export-api.d.ts +11 -0
  388. package/dist/server/routes/artifact-export-api.js +180 -0
  389. package/dist/server/routes/artifact-export-api.js.map +1 -0
  390. package/dist/server/routes/artifact-patch-api.d.ts +19 -0
  391. package/dist/server/routes/artifact-patch-api.js +114 -0
  392. package/dist/server/routes/artifact-patch-api.js.map +1 -0
  393. package/dist/server/routes/artifact-selection-api.d.ts +15 -0
  394. package/dist/server/routes/artifact-selection-api.js +90 -0
  395. package/dist/server/routes/artifact-selection-api.js.map +1 -0
  396. package/dist/server/routes/asset-api.d.ts +88 -2
  397. package/dist/server/routes/asset-api.js +858 -112
  398. package/dist/server/routes/asset-api.js.map +1 -1
  399. package/dist/server/routes/audit-api.d.ts +24 -0
  400. package/dist/server/routes/audit-api.js +113 -0
  401. package/dist/server/routes/audit-api.js.map +1 -0
  402. package/dist/server/routes/auth-api.js +536 -44
  403. package/dist/server/routes/auth-api.js.map +1 -1
  404. package/dist/server/routes/capture-api.js +81 -9
  405. package/dist/server/routes/capture-api.js.map +1 -1
  406. package/dist/server/routes/chat-sessions-api.d.ts +13 -0
  407. package/dist/server/routes/chat-sessions-api.js +462 -0
  408. package/dist/server/routes/chat-sessions-api.js.map +1 -0
  409. package/dist/server/routes/chat.d.ts +35 -1
  410. package/dist/server/routes/chat.js +858 -68
  411. package/dist/server/routes/chat.js.map +1 -1
  412. package/dist/server/routes/comments-api.d.ts +15 -0
  413. package/dist/server/routes/comments-api.js +444 -0
  414. package/dist/server/routes/comments-api.js.map +1 -0
  415. package/dist/server/routes/config-api.d.ts +3 -2
  416. package/dist/server/routes/config-api.js +183 -57
  417. package/dist/server/routes/config-api.js.map +1 -1
  418. package/dist/server/routes/connectors-api.js +178 -45
  419. package/dist/server/routes/connectors-api.js.map +1 -1
  420. package/dist/server/routes/event-ingest-api.d.ts +15 -0
  421. package/dist/server/routes/event-ingest-api.js +125 -0
  422. package/dist/server/routes/event-ingest-api.js.map +1 -0
  423. package/dist/server/routes/field-library-api.d.ts +28 -0
  424. package/dist/server/routes/field-library-api.js +126 -0
  425. package/dist/server/routes/field-library-api.js.map +1 -0
  426. package/dist/server/routes/git-http.d.ts +3 -3
  427. package/dist/server/routes/git-http.js +90 -30
  428. package/dist/server/routes/git-http.js.map +1 -1
  429. package/dist/server/routes/graph-api-access.d.ts +63 -0
  430. package/dist/server/routes/graph-api-access.js +115 -0
  431. package/dist/server/routes/graph-api-access.js.map +1 -0
  432. package/dist/server/routes/graph-api.d.ts +2 -3
  433. package/dist/server/routes/graph-api.js +1341 -423
  434. package/dist/server/routes/graph-api.js.map +1 -1
  435. package/dist/server/routes/health.d.ts +18 -0
  436. package/dist/server/routes/health.js +116 -0
  437. package/dist/server/routes/health.js.map +1 -0
  438. package/dist/server/routes/import-batch.d.ts +24 -0
  439. package/dist/server/routes/import-batch.js +33 -0
  440. package/dist/server/routes/import-batch.js.map +1 -0
  441. package/dist/server/routes/insights-api.d.ts +9 -2
  442. package/dist/server/routes/insights-api.js +352 -66
  443. package/dist/server/routes/insights-api.js.map +1 -1
  444. package/dist/server/routes/mcp.d.ts +8 -3
  445. package/dist/server/routes/mcp.js +24 -8
  446. package/dist/server/routes/mcp.js.map +1 -1
  447. package/dist/server/routes/oauth-api.d.ts +67 -0
  448. package/dist/server/routes/oauth-api.js +421 -0
  449. package/dist/server/routes/oauth-api.js.map +1 -0
  450. package/dist/server/routes/permissions-api.d.ts +8 -3
  451. package/dist/server/routes/permissions-api.js +43 -12
  452. package/dist/server/routes/permissions-api.js.map +1 -1
  453. package/dist/server/routes/r2-api.d.ts +25 -0
  454. package/dist/server/routes/r2-api.js +273 -0
  455. package/dist/server/routes/r2-api.js.map +1 -0
  456. package/dist/server/routes/secrets-api.d.ts +36 -0
  457. package/dist/server/routes/secrets-api.js +305 -0
  458. package/dist/server/routes/secrets-api.js.map +1 -0
  459. package/dist/server/routes/settings-api.d.ts +29 -0
  460. package/dist/server/routes/settings-api.js +177 -0
  461. package/dist/server/routes/settings-api.js.map +1 -0
  462. package/dist/server/routes/share-api.d.ts +30 -6
  463. package/dist/server/routes/share-api.js +240 -31
  464. package/dist/server/routes/share-api.js.map +1 -1
  465. package/dist/server/routes/views-api.d.ts +11 -2
  466. package/dist/server/routes/views-api.js +123 -22
  467. package/dist/server/routes/views-api.js.map +1 -1
  468. package/dist/server/routes/workspace-api.d.ts +2 -1
  469. package/dist/server/routes/workspace-api.js +150 -23
  470. package/dist/server/routes/workspace-api.js.map +1 -1
  471. package/dist/server/routes/ws.d.ts +2 -1
  472. package/dist/server/routes/ws.js +73 -20
  473. package/dist/server/routes/ws.js.map +1 -1
  474. package/dist/server/session-manager.d.ts +48 -5
  475. package/dist/server/session-manager.js +182 -14
  476. package/dist/server/session-manager.js.map +1 -1
  477. package/dist/server/ws-hub.d.ts +135 -56
  478. package/dist/server/ws-hub.js +0 -0
  479. package/dist/server/ws-hub.js.map +1 -1
  480. package/dist/server/yjs-manager.d.ts +275 -18
  481. package/dist/server/yjs-manager.js +819 -70
  482. package/dist/server/yjs-manager.js.map +1 -1
  483. package/dist/server/yjs-persistence.d.ts +165 -0
  484. package/dist/server/yjs-persistence.js +557 -0
  485. package/dist/server/yjs-persistence.js.map +1 -0
  486. package/dist/server/yjs-text-diff.d.ts +32 -0
  487. package/dist/server/yjs-text-diff.js +61 -0
  488. package/dist/server/yjs-text-diff.js.map +1 -0
  489. package/dist/services/access-control.d.ts +121 -0
  490. package/dist/services/access-control.js +194 -0
  491. package/dist/services/access-control.js.map +1 -0
  492. package/dist/services/ai-usage-ledger.d.ts +75 -0
  493. package/dist/services/ai-usage-ledger.js +250 -0
  494. package/dist/services/ai-usage-ledger.js.map +1 -0
  495. package/dist/services/artifact-asset-token.d.ts +69 -0
  496. package/dist/services/artifact-asset-token.js +94 -0
  497. package/dist/services/artifact-asset-token.js.map +1 -0
  498. package/dist/services/artifact-inspect-metadata.d.ts +21 -0
  499. package/dist/services/artifact-inspect-metadata.js +66 -0
  500. package/dist/services/artifact-inspect-metadata.js.map +1 -0
  501. package/dist/services/artifact-library-sources.d.ts +33 -0
  502. package/dist/services/artifact-library-sources.js +91 -0
  503. package/dist/services/artifact-library-sources.js.map +1 -0
  504. package/dist/services/artifact-patch-runner.d.ts +52 -0
  505. package/dist/services/artifact-patch-runner.js +74 -0
  506. package/dist/services/artifact-patch-runner.js.map +1 -0
  507. package/dist/services/artifact-render-export.d.ts +230 -0
  508. package/dist/services/artifact-render-export.js +1003 -0
  509. package/dist/services/artifact-render-export.js.map +1 -0
  510. package/dist/services/artifact-selection-store.d.ts +68 -0
  511. package/dist/services/artifact-selection-store.js +90 -0
  512. package/dist/services/artifact-selection-store.js.map +1 -0
  513. package/dist/services/artifact-store.d.ts +118 -0
  514. package/dist/services/artifact-store.js +234 -0
  515. package/dist/services/artifact-store.js.map +1 -0
  516. package/dist/services/asset-caption-service.d.ts +103 -0
  517. package/dist/services/asset-caption-service.js +200 -0
  518. package/dist/services/asset-caption-service.js.map +1 -0
  519. package/dist/services/asset-delete-authz.d.ts +32 -0
  520. package/dist/services/asset-delete-authz.js +62 -0
  521. package/dist/services/asset-delete-authz.js.map +1 -0
  522. package/dist/services/asset-delete-impact.d.ts +63 -0
  523. package/dist/services/asset-delete-impact.js +96 -0
  524. package/dist/services/asset-delete-impact.js.map +1 -0
  525. package/dist/services/asset-finalize-service.d.ts +58 -0
  526. package/dist/services/asset-finalize-service.js +216 -0
  527. package/dist/services/asset-finalize-service.js.map +1 -0
  528. package/dist/services/asset-import-service.d.ts +116 -0
  529. package/dist/services/asset-import-service.js +436 -0
  530. package/dist/services/asset-import-service.js.map +1 -0
  531. package/dist/services/asset-index-sweep.d.ts +95 -0
  532. package/dist/services/asset-index-sweep.js +271 -0
  533. package/dist/services/asset-index-sweep.js.map +1 -0
  534. package/dist/services/asset-lifecycle-check.d.ts +22 -0
  535. package/dist/services/asset-lifecycle-check.js +80 -0
  536. package/dist/services/asset-lifecycle-check.js.map +1 -0
  537. package/dist/services/asset-listing.d.ts +63 -0
  538. package/dist/services/asset-listing.js +124 -0
  539. package/dist/services/asset-listing.js.map +1 -0
  540. package/dist/services/asset-move-impact.d.ts +49 -0
  541. package/dist/services/asset-move-impact.js +62 -0
  542. package/dist/services/asset-move-impact.js.map +1 -0
  543. package/dist/services/asset-presign-service.d.ts +62 -0
  544. package/dist/services/asset-presign-service.js +126 -0
  545. package/dist/services/asset-presign-service.js.map +1 -0
  546. package/dist/services/asset-reference-index.d.ts +39 -0
  547. package/dist/services/asset-reference-index.js +33 -0
  548. package/dist/services/asset-reference-index.js.map +1 -0
  549. package/dist/services/asset-reference-scan.d.ts +57 -0
  550. package/dist/services/asset-reference-scan.js +150 -0
  551. package/dist/services/asset-reference-scan.js.map +1 -0
  552. package/dist/services/asset-sidecar-service.d.ts +28 -0
  553. package/dist/services/asset-sidecar-service.js +79 -0
  554. package/dist/services/asset-sidecar-service.js.map +1 -0
  555. package/dist/services/asset-upload-errors.d.ts +41 -0
  556. package/dist/services/asset-upload-errors.js +45 -0
  557. package/dist/services/asset-upload-errors.js.map +1 -0
  558. package/dist/services/asset-upload-service.d.ts +56 -0
  559. package/dist/services/asset-upload-service.js +200 -0
  560. package/dist/services/asset-upload-service.js.map +1 -0
  561. package/dist/services/asset-upload-token.d.ts +58 -0
  562. package/dist/services/asset-upload-token.js +75 -0
  563. package/dist/services/asset-upload-token.js.map +1 -0
  564. package/dist/services/assets/asset-index-service.d.ts +158 -0
  565. package/dist/services/assets/asset-index-service.js +293 -0
  566. package/dist/services/assets/asset-index-service.js.map +1 -0
  567. package/dist/services/assets/base.d.ts +119 -4
  568. package/dist/services/assets/base.js +148 -3
  569. package/dist/services/assets/base.js.map +1 -1
  570. package/dist/services/assets/index.d.ts +90 -0
  571. package/dist/services/assets/index.js +202 -0
  572. package/dist/services/assets/index.js.map +1 -1
  573. package/dist/services/assets/local.d.ts +9 -0
  574. package/dist/services/assets/local.js +30 -4
  575. package/dist/services/assets/local.js.map +1 -1
  576. package/dist/services/assets/r2-sync.d.ts +88 -0
  577. package/dist/services/assets/r2-sync.js +412 -0
  578. package/dist/services/assets/r2-sync.js.map +1 -0
  579. package/dist/services/assets/r2.d.ts +80 -0
  580. package/dist/services/assets/r2.js +159 -4
  581. package/dist/services/assets/r2.js.map +1 -1
  582. package/dist/services/auth-service.d.ts +278 -51
  583. package/dist/services/auth-service.js +995 -272
  584. package/dist/services/auth-service.js.map +1 -1
  585. package/dist/services/chat-session-service.d.ts +189 -0
  586. package/dist/services/chat-session-service.js +544 -0
  587. package/dist/services/chat-session-service.js.map +1 -0
  588. package/dist/services/cloud-inference-billing.d.ts +64 -0
  589. package/dist/services/cloud-inference-billing.js +321 -0
  590. package/dist/services/cloud-inference-billing.js.map +1 -0
  591. package/dist/services/comment-service.d.ts +97 -0
  592. package/dist/services/comment-service.js +341 -0
  593. package/dist/services/comment-service.js.map +1 -0
  594. package/dist/services/comment-virtual-entity.d.ts +36 -0
  595. package/dist/services/comment-virtual-entity.js +71 -0
  596. package/dist/services/comment-virtual-entity.js.map +1 -0
  597. package/dist/services/convert-service.d.ts +64 -0
  598. package/dist/services/convert-service.js +68 -0
  599. package/dist/services/convert-service.js.map +1 -0
  600. package/dist/services/csv-service.d.ts +22 -17
  601. package/dist/services/csv-service.js +55 -92
  602. package/dist/services/csv-service.js.map +1 -1
  603. package/dist/services/entity-mutations.d.ts +313 -0
  604. package/dist/services/entity-mutations.js +531 -0
  605. package/dist/services/entity-mutations.js.map +1 -0
  606. package/dist/services/event-processor.d.ts +104 -0
  607. package/dist/services/event-processor.js +451 -0
  608. package/dist/services/event-processor.js.map +1 -0
  609. package/dist/services/extract/docx.d.ts +1 -0
  610. package/dist/services/extract/docx.js +233 -0
  611. package/dist/services/extract/docx.js.map +1 -0
  612. package/dist/services/extract/index.d.ts +9 -0
  613. package/dist/services/extract/index.js +10 -0
  614. package/dist/services/extract/index.js.map +1 -0
  615. package/dist/services/extract/pdf.d.ts +13 -0
  616. package/dist/services/extract/pdf.js +69 -0
  617. package/dist/services/extract/pdf.js.map +1 -0
  618. package/dist/services/folder-creation.d.ts +33 -0
  619. package/dist/services/folder-creation.js +103 -0
  620. package/dist/services/folder-creation.js.map +1 -0
  621. package/dist/services/fonts/font-metadata.d.ts +42 -0
  622. package/dist/services/fonts/font-metadata.js +126 -0
  623. package/dist/services/fonts/font-metadata.js.map +1 -0
  624. package/dist/services/fonts/font-skill-service.d.ts +66 -0
  625. package/dist/services/fonts/font-skill-service.js +137 -0
  626. package/dist/services/fonts/font-skill-service.js.map +1 -0
  627. package/dist/services/git.d.ts +58 -0
  628. package/dist/services/git.js +194 -55
  629. package/dist/services/git.js.map +1 -1
  630. package/dist/services/graph-maintenance.js +4 -4
  631. package/dist/services/graph-maintenance.js.map +1 -1
  632. package/dist/services/import-service.d.ts +51 -2
  633. package/dist/services/import-service.js +254 -107
  634. package/dist/services/import-service.js.map +1 -1
  635. package/dist/services/lint-service.js +10 -17
  636. package/dist/services/lint-service.js.map +1 -1
  637. package/dist/services/markdown.d.ts +12 -1
  638. package/dist/services/markdown.js +77 -9
  639. package/dist/services/markdown.js.map +1 -1
  640. package/dist/services/mention-detector.d.ts +23 -0
  641. package/dist/services/mention-detector.js +47 -0
  642. package/dist/services/mention-detector.js.map +1 -0
  643. package/dist/services/model-capabilities.d.ts +41 -0
  644. package/dist/services/model-capabilities.js +107 -0
  645. package/dist/services/model-capabilities.js.map +1 -0
  646. package/dist/services/notification-broadcast.d.ts +32 -0
  647. package/dist/services/notification-broadcast.js +38 -0
  648. package/dist/services/notification-broadcast.js.map +1 -0
  649. package/dist/services/notification-service.d.ts +41 -0
  650. package/dist/services/notification-service.js +100 -0
  651. package/dist/services/notification-service.js.map +1 -0
  652. package/dist/services/oauth-server-store.d.ts +147 -0
  653. package/dist/services/oauth-server-store.js +319 -0
  654. package/dist/services/oauth-server-store.js.map +1 -0
  655. package/dist/services/orphan-service.js +2 -2
  656. package/dist/services/orphan-service.js.map +1 -1
  657. package/dist/services/personal-folder.d.ts +49 -0
  658. package/dist/services/personal-folder.js +122 -0
  659. package/dist/services/personal-folder.js.map +1 -0
  660. package/dist/services/playwright-bootstrap.d.ts +78 -0
  661. package/dist/services/playwright-bootstrap.js +219 -0
  662. package/dist/services/playwright-bootstrap.js.map +1 -0
  663. package/dist/services/scratch-asset-promote.d.ts +57 -0
  664. package/dist/services/scratch-asset-promote.js +95 -0
  665. package/dist/services/scratch-asset-promote.js.map +1 -0
  666. package/dist/services/scratch-attachment-service.d.ts +201 -0
  667. package/dist/services/scratch-attachment-service.js +354 -0
  668. package/dist/services/scratch-attachment-service.js.map +1 -0
  669. package/dist/services/share-link-service.d.ts +57 -0
  670. package/dist/services/share-link-service.js +142 -0
  671. package/dist/services/share-link-service.js.map +1 -0
  672. package/dist/services/user-person-bridge.d.ts +136 -0
  673. package/dist/services/user-person-bridge.js +341 -0
  674. package/dist/services/user-person-bridge.js.map +1 -0
  675. package/dist/services/utility-model-resolver.d.ts +37 -0
  676. package/dist/services/utility-model-resolver.js +67 -0
  677. package/dist/services/utility-model-resolver.js.map +1 -0
  678. package/dist/services/vector-service.d.ts +282 -5
  679. package/dist/services/vector-service.js +594 -39
  680. package/dist/services/vector-service.js.map +1 -1
  681. package/dist/services/workspace-access.d.ts +115 -0
  682. package/dist/services/workspace-access.js +154 -0
  683. package/dist/services/workspace-access.js.map +1 -0
  684. package/dist/services/workspace-assets-folder.d.ts +46 -0
  685. package/dist/services/workspace-assets-folder.js +75 -0
  686. package/dist/services/workspace-assets-folder.js.map +1 -0
  687. package/dist/utils/git.d.ts +17 -2
  688. package/dist/utils/git.js +23 -7
  689. package/dist/utils/git.js.map +1 -1
  690. package/dist/utils/log.d.ts +42 -0
  691. package/dist/utils/log.js +137 -0
  692. package/dist/utils/log.js.map +1 -0
  693. package/dist/utils/preflight.js +2 -2
  694. package/dist/utils/preflight.js.map +1 -1
  695. package/dist/utils/version-checker.d.ts +12 -19
  696. package/dist/utils/version-checker.js +14 -104
  697. package/dist/utils/version-checker.js.map +1 -1
  698. package/dist/web/_app/immutable/assets/0.B8rPC4xg.css +2 -0
  699. package/dist/web/_app/immutable/assets/12.DlIf1mKh.css +1 -0
  700. package/dist/web/_app/immutable/assets/13.WUaKJbVc.css +1 -0
  701. package/dist/web/_app/immutable/assets/15.CItnu3nw.css +1 -0
  702. package/dist/web/_app/immutable/assets/16.C3czeWWx.css +1 -0
  703. package/dist/web/_app/immutable/assets/17.CHiwoAMO.css +1 -0
  704. package/dist/web/_app/immutable/assets/18.fUGuXQ0K.css +1 -0
  705. package/dist/web/_app/immutable/assets/19.DcuK5ZVm.css +1 -0
  706. package/dist/web/_app/immutable/assets/2.bJqlVFXX.css +1 -0
  707. package/dist/web/_app/immutable/assets/3.DDfEAhbB.css +1 -0
  708. package/dist/web/_app/immutable/assets/4.Dtodt1Fe.css +1 -0
  709. package/dist/web/_app/immutable/assets/6.JPVpkzLZ.css +1 -0
  710. package/dist/web/_app/immutable/assets/AssetLibraryPicker.BWH260L8.css +1 -0
  711. package/dist/web/_app/immutable/assets/BulkActionsBar.CXSM7tO7.css +1 -0
  712. package/dist/web/_app/immutable/assets/CalendarView.Cch9MMQW.css +1 -0
  713. package/dist/web/_app/immutable/assets/CodeMirrorEditor.D6hf2pNJ.css +1 -0
  714. package/dist/web/_app/immutable/assets/CopyField.DVGZtw4U.css +1 -0
  715. package/dist/web/_app/immutable/assets/FolderMembersPanel.BvV1lBCg.css +1 -0
  716. package/dist/web/_app/immutable/assets/FolderMutationDialogs.De2NQ55E.css +1 -0
  717. package/dist/web/_app/immutable/assets/FolderPicker.Cq1tMnu_.css +1 -0
  718. package/dist/web/_app/immutable/assets/FolderTreeField.DTSzn15s.css +1 -0
  719. package/dist/web/_app/immutable/assets/FrameCanvas.Clh5Xdr7.css +1 -0
  720. package/dist/web/_app/immutable/assets/GalleryView.Cqu3-wtr.css +1 -0
  721. package/dist/web/_app/immutable/assets/GraphView.BJtGL9py.css +1 -0
  722. package/dist/web/_app/immutable/assets/GridCell.czY6eDb_.css +1 -0
  723. package/dist/web/_app/immutable/assets/KanbanView.C5X8TbQk.css +1 -0
  724. package/dist/web/_app/immutable/assets/Link.vV0ne105.css +1 -0
  725. package/dist/web/_app/immutable/assets/Markdown.CSYKSAm0.css +1 -0
  726. package/dist/web/_app/immutable/assets/Rail.Dyxy_E0O.css +1 -0
  727. package/dist/web/_app/immutable/assets/RepoCheckList.BLeJ79Eg.css +1 -0
  728. package/dist/web/_app/immutable/assets/SaveViewDialog.Bb9E81xd.css +1 -0
  729. package/dist/web/_app/immutable/assets/SearchInput.DTB6W35f.css +1 -0
  730. package/dist/web/_app/immutable/assets/SettingsDialog.CHzfQoo_.css +1 -0
  731. package/dist/web/_app/immutable/assets/Spinner.UBfl0pab.css +1 -0
  732. package/dist/web/_app/immutable/assets/StopFilledAlt.CjuwgVxu.css +1 -0
  733. package/dist/web/_app/immutable/assets/TimelineView.u4YqiztR.css +1 -0
  734. package/dist/web/_app/immutable/assets/Version.BQq1Fihu.css +1 -0
  735. package/dist/web/_app/immutable/assets/ViewBanner.DWswnFdi.css +1 -0
  736. package/dist/web/_app/immutable/assets/WorkspaceView.Cd6TS6oo.css +1 -0
  737. package/dist/web/_app/immutable/assets/button.DOg1smbV.css +1 -0
  738. package/dist/web/_app/immutable/assets/checkbox.CAcHq8G6.css +1 -0
  739. package/dist/web/_app/immutable/assets/download-with-progress.BZlFTn09.css +1 -0
  740. package/dist/web/_app/immutable/assets/filters.RgfXKVpA.css +1 -0
  741. package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-400-normal.CvHOgSBP.woff +0 -0
  742. package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-400-normal.DMJ8VG8y.woff2 +0 -0
  743. package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-500-normal.CB9ihrfo.woff +0 -0
  744. package/dist/web/_app/immutable/assets/ibm-plex-mono-latin-500-normal.DSY6xOcd.woff2 +0 -0
  745. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-italic.CZTNEAuW.woff2 +0 -0
  746. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-italic.CsGl1sm0.woff +0 -0
  747. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-normal.CDDApCn2.woff2 +0 -0
  748. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-400-normal.CYLoc0-x.woff +0 -0
  749. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-italic.BNK2_mGO.woff2 +0 -0
  750. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-italic.DpEwFAQM.woff +0 -0
  751. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-normal.6ng42L7E.woff2 +0 -0
  752. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-500-normal.BgVn5rGT.woff +0 -0
  753. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-600-normal.Cu4Hd6ag.woff +0 -0
  754. package/dist/web/_app/immutable/assets/ibm-plex-sans-latin-600-normal.CuJfVYMP.woff2 +0 -0
  755. package/dist/web/_app/immutable/assets/list-columns.BgnafZ4K.css +1 -0
  756. package/dist/web/_app/immutable/chunks/-MYqXlc3.js +185 -0
  757. package/dist/web/_app/immutable/chunks/-Tbr-96c2.js +1 -0
  758. package/dist/web/_app/immutable/chunks/1QRy7-wo.js +1 -0
  759. package/dist/web/_app/immutable/chunks/1_BWKAKA2.js +23 -0
  760. package/dist/web/_app/immutable/chunks/2z2ekE6D2.js +2 -0
  761. package/dist/web/_app/immutable/chunks/6guf_P8c.js +1 -0
  762. package/dist/web/_app/immutable/chunks/7l950wkn.js +1 -0
  763. package/dist/web/_app/immutable/chunks/9Sn2PwSn2.js +1025 -0
  764. package/dist/web/_app/immutable/chunks/AFZSy-Vk.js +2 -0
  765. package/dist/web/_app/immutable/chunks/B06uE1qJ.js +1 -0
  766. package/dist/web/_app/immutable/chunks/B2cjR0rG.js +83 -0
  767. package/dist/web/_app/immutable/chunks/B3u4QMoU.js +1 -0
  768. package/dist/web/_app/immutable/chunks/B4PrlkmE.js +1 -0
  769. package/dist/web/_app/immutable/chunks/B5UH1FNe.js +3 -0
  770. package/dist/web/_app/immutable/chunks/B5sxjq1L2.js +1 -0
  771. package/dist/web/_app/immutable/chunks/B6Lt-qaJ.js +1 -0
  772. package/dist/web/_app/immutable/chunks/B6wo7Stk2.js +1 -0
  773. package/dist/web/_app/immutable/chunks/B9KfEsQw2.js +1 -0
  774. package/dist/web/_app/immutable/chunks/B9MY422N.js +1 -0
  775. package/dist/web/_app/immutable/chunks/B9VQbssY.js +3 -0
  776. package/dist/web/_app/immutable/chunks/BBrP9GiZ.js +1 -0
  777. package/dist/web/_app/immutable/chunks/BEGTD2EL2.js +1 -0
  778. package/dist/web/_app/immutable/chunks/BEyPhM3C.js +1 -0
  779. package/dist/web/_app/immutable/chunks/BIeOkmiV.js +1 -0
  780. package/dist/web/_app/immutable/chunks/BIwe25Lk.js +1 -0
  781. package/dist/web/_app/immutable/chunks/BO6-nRV9.js +1 -0
  782. package/dist/web/_app/immutable/chunks/BPILs-6H.js +1 -0
  783. package/dist/web/_app/immutable/chunks/BPRQzMGs.js +1 -0
  784. package/dist/web/_app/immutable/chunks/BQE7bWgF.js +1 -0
  785. package/dist/web/_app/immutable/chunks/BU5TCj7m.js +12 -0
  786. package/dist/web/_app/immutable/chunks/BZDKT2Qw2.js +2 -0
  787. package/dist/web/_app/immutable/chunks/B_y9A6Kg.js +4 -0
  788. package/dist/web/_app/immutable/chunks/BdR7t2GN.js +3 -0
  789. package/dist/web/_app/immutable/chunks/BnYohOts2.js +1 -0
  790. package/dist/web/_app/immutable/chunks/Bpmx7Umc.js +1 -0
  791. package/dist/web/_app/immutable/chunks/BqButnP4.js +1 -0
  792. package/dist/web/_app/immutable/chunks/BtDSRU36.js +1 -0
  793. package/dist/web/_app/immutable/chunks/Bvr6nSm92.js +1 -0
  794. package/dist/web/_app/immutable/chunks/BvyVm7-j.js +184 -0
  795. package/dist/web/_app/immutable/chunks/Bx6T8G5n2.js +1 -0
  796. package/dist/web/_app/immutable/chunks/BxeOdaUQ.js +1 -0
  797. package/dist/web/_app/immutable/chunks/C1B4xDs0.js +1 -0
  798. package/dist/web/_app/immutable/chunks/C2yz630b.js +2 -0
  799. package/dist/web/_app/immutable/chunks/C5YoDj-e.js +1 -0
  800. package/dist/web/_app/immutable/chunks/C6d9nn3k.js +1 -0
  801. package/dist/web/_app/immutable/chunks/C85NG5lS.js +1 -0
  802. package/dist/web/_app/immutable/chunks/C8ZiSqQm.js +1 -0
  803. package/dist/web/_app/immutable/chunks/CB-t1Bv-.js +1 -0
  804. package/dist/web/_app/immutable/chunks/CG8YKaqc.js +5 -0
  805. package/dist/web/_app/immutable/chunks/CJbr-v9X.js +1 -0
  806. package/dist/web/_app/immutable/chunks/CKGHeJzq.js +1 -0
  807. package/dist/web/_app/immutable/chunks/CKwV6HKc.js +1 -0
  808. package/dist/web/_app/immutable/chunks/CLninaDG2.js +2 -0
  809. package/dist/web/_app/immutable/chunks/CM400nLL.js +7 -0
  810. package/dist/web/_app/immutable/chunks/CPvxN2G62.js +1 -0
  811. package/dist/web/_app/immutable/chunks/CQW66fYJ.js +1 -0
  812. package/dist/web/_app/immutable/chunks/CQl_RUVN2.js +1 -0
  813. package/dist/web/_app/immutable/chunks/CR1JY_cb.js +6 -0
  814. package/dist/web/_app/immutable/chunks/CT35tdLp.js +1 -0
  815. package/dist/web/_app/immutable/chunks/CVKrGJ6C.js +1 -0
  816. package/dist/web/_app/immutable/chunks/CWIHttTH.js +1 -0
  817. package/dist/web/_app/immutable/chunks/CWZSexLW.js +1 -0
  818. package/dist/web/_app/immutable/chunks/CXPMb3zd.js +1 -0
  819. package/dist/web/_app/immutable/chunks/CZBW5wi82.js +1 -0
  820. package/dist/web/_app/immutable/chunks/CaimSvvF.js +5 -0
  821. package/dist/web/_app/immutable/chunks/CcWaWbrI2.js +1 -0
  822. package/dist/web/_app/immutable/chunks/CcgYvk_3.js +1 -0
  823. package/dist/web/_app/immutable/chunks/Cg7m1gqN.js +1 -0
  824. package/dist/web/_app/immutable/chunks/CgCz4Fj6.js +1 -0
  825. package/dist/web/_app/immutable/chunks/CgOgBK5j.js +1 -0
  826. package/dist/web/_app/immutable/chunks/ChS3kWO-.js +2 -0
  827. package/dist/web/_app/immutable/chunks/CkivrILi.js +1 -0
  828. package/dist/web/_app/immutable/chunks/CmWflMFc.js +1 -0
  829. package/dist/web/_app/immutable/chunks/Cm_yhEon2.js +1 -0
  830. package/dist/web/_app/immutable/chunks/CnoUnj6-2.js +1 -0
  831. package/dist/web/_app/immutable/chunks/CqyFdLMa.js +1 -0
  832. package/dist/web/_app/immutable/chunks/CsIWxmio2.js +22 -0
  833. package/dist/web/_app/immutable/chunks/CtgdtZ0G2.js +1 -0
  834. package/dist/web/_app/immutable/chunks/CuYL65Bn.js +2 -0
  835. package/dist/web/_app/immutable/chunks/CuatNdzp.js +2 -0
  836. package/dist/web/_app/immutable/chunks/Cx5IiiDO2.js +2 -0
  837. package/dist/web/_app/immutable/chunks/Cxdio_Al.js +2692 -0
  838. package/dist/web/_app/immutable/chunks/CyTgggiM2.js +1 -0
  839. package/dist/web/_app/immutable/chunks/D-vvXTU3.js +2 -0
  840. package/dist/web/_app/immutable/chunks/D0_Iu3Uj.js +2 -0
  841. package/dist/web/_app/immutable/chunks/D4vfNy_f.js +1 -0
  842. package/dist/web/_app/immutable/chunks/D6toh9Mr.js +1 -0
  843. package/dist/web/_app/immutable/chunks/DAsarOLg2.js +1 -0
  844. package/dist/web/_app/immutable/chunks/DBGaXAP8.js +1 -0
  845. package/dist/web/_app/immutable/chunks/DCgKWtld.js +1 -0
  846. package/dist/web/_app/immutable/chunks/DG7uGoZb2.js +58 -0
  847. package/dist/web/_app/immutable/chunks/DIsSxB_C.js +1 -0
  848. package/dist/web/_app/immutable/chunks/DJTvBXur.js +2 -0
  849. package/dist/web/_app/immutable/chunks/DLuIHCPq.js +1 -0
  850. package/dist/web/_app/immutable/chunks/DMFH9Cnt2.js +1 -0
  851. package/dist/web/_app/immutable/chunks/DNLoQniz.js +1 -0
  852. package/dist/web/_app/immutable/chunks/DPLkAijI2.js +1 -0
  853. package/dist/web/_app/immutable/chunks/DQMWa2t7.js +1 -0
  854. package/dist/web/_app/immutable/chunks/DTOO9nUj.js +1 -0
  855. package/dist/web/_app/immutable/chunks/DaB0hU8_.js +1 -0
  856. package/dist/web/_app/immutable/chunks/Dav8Lgyy2.js +5 -0
  857. package/dist/web/_app/immutable/chunks/Ddgu2Sjp.js +1 -0
  858. package/dist/web/_app/immutable/chunks/DfUXQOZ92.js +1 -0
  859. package/dist/web/_app/immutable/chunks/DgP0Pxes.js +224 -0
  860. package/dist/web/_app/immutable/chunks/DhD1HF7R.js +1 -0
  861. package/dist/web/_app/immutable/chunks/Dhmw5GUH.js +1 -0
  862. package/dist/web/_app/immutable/chunks/DiBVOY752.js +1 -0
  863. package/dist/web/_app/immutable/chunks/DiMsLIh3.js +1 -0
  864. package/dist/web/_app/immutable/chunks/DiiXREv7.js +1 -0
  865. package/dist/web/_app/immutable/chunks/DjXtgWTP.js +1 -0
  866. package/dist/web/_app/immutable/chunks/Dk2-JtmU2.js +1 -0
  867. package/dist/web/_app/immutable/chunks/Dl0bYyV_.js +1 -0
  868. package/dist/web/_app/immutable/chunks/DqKYbIld2.js +1 -0
  869. package/dist/web/_app/immutable/chunks/DtXJCaQc2.js +1 -0
  870. package/dist/web/_app/immutable/chunks/DwuBUEvU.js +1 -0
  871. package/dist/web/_app/immutable/chunks/F5xZdLlB.js +2 -0
  872. package/dist/web/_app/immutable/chunks/F92HmKX8.js +1 -0
  873. package/dist/web/_app/immutable/chunks/FISIvbqq.js +3 -0
  874. package/dist/web/_app/immutable/chunks/GC5Izn9E2.js +1 -0
  875. package/dist/web/_app/immutable/chunks/IMJutqSu2.js +1 -0
  876. package/dist/web/_app/immutable/chunks/K5YHt1WL2.js +1 -0
  877. package/dist/web/_app/immutable/chunks/MAYbL-xn2.js +6 -0
  878. package/dist/web/_app/immutable/chunks/MMtHlrry.js +1 -0
  879. package/dist/web/_app/immutable/chunks/MtN4vJa02.js +1 -0
  880. package/dist/web/_app/immutable/chunks/Oglnp7sm.js +14 -0
  881. package/dist/web/_app/immutable/chunks/PwUOTfSv.js +2 -0
  882. package/dist/web/_app/immutable/chunks/QsO256-z.js +1 -0
  883. package/dist/web/_app/immutable/chunks/RA-JwTzo.js +1 -0
  884. package/dist/web/_app/immutable/chunks/atFSAfcd2.js +2 -0
  885. package/dist/web/_app/immutable/chunks/j_uHTBnD.js +1 -0
  886. package/dist/web/_app/immutable/chunks/joKsoiFC.js +1 -0
  887. package/dist/web/_app/immutable/chunks/kNaey6uv.js +1 -0
  888. package/dist/web/_app/immutable/chunks/nqo2e2Yv.js +1 -0
  889. package/dist/web/_app/immutable/chunks/oIZupUnz.js +1 -0
  890. package/dist/web/_app/immutable/chunks/pPsy4008.js +1 -0
  891. package/dist/web/_app/immutable/chunks/qevfNcid.js +1 -0
  892. package/dist/web/_app/immutable/chunks/rjjyuGhb.js +1 -0
  893. package/dist/web/_app/immutable/chunks/sUAtda6y2.js +2 -0
  894. package/dist/web/_app/immutable/chunks/snCOoD78.js +1 -0
  895. package/dist/web/_app/immutable/chunks/uHaS74te.js +1 -0
  896. package/dist/web/_app/immutable/chunks/w5tsuIav.js +5 -0
  897. package/dist/web/_app/immutable/chunks/xihTtKlq.js +1 -0
  898. package/dist/web/_app/immutable/entry/app.1tcNTKI-.js +2 -0
  899. package/dist/web/_app/immutable/entry/start.BJMsySI1.js +1 -0
  900. package/dist/web/_app/immutable/nodes/0.v0W5DL7W.js +2 -0
  901. package/dist/web/_app/immutable/nodes/1.81Rb3Ith.js +1 -0
  902. package/dist/web/_app/immutable/nodes/10.CAlZNFOq.js +1 -0
  903. package/dist/web/_app/immutable/nodes/11.CCfUginI.js +1 -0
  904. package/dist/web/_app/immutable/nodes/12.BJLboAyk.js +1 -0
  905. package/dist/web/_app/immutable/nodes/13.Cz4UTl2G.js +1 -0
  906. package/dist/web/_app/immutable/nodes/14.DJwakC0o.js +1 -0
  907. package/dist/web/_app/immutable/nodes/15.D2mNE6C-.js +1 -0
  908. package/dist/web/_app/immutable/nodes/16.BjohAUt9.js +1 -0
  909. package/dist/web/_app/immutable/nodes/17.BI2F37bS.js +1 -0
  910. package/dist/web/_app/immutable/nodes/18.DsOT0tDo.js +1 -0
  911. package/dist/web/_app/immutable/nodes/19.BiJWLOUT.js +77 -0
  912. package/dist/web/_app/immutable/nodes/2.Cd72nG2V.js +124 -0
  913. package/dist/web/_app/immutable/nodes/3.BIT9mm9r.js +6 -0
  914. package/dist/web/_app/immutable/nodes/4.Cn7r0Poe.js +16 -0
  915. package/dist/web/_app/immutable/nodes/5.CkJNdCZG.js +1 -0
  916. package/dist/web/_app/immutable/nodes/6.1rbIRQgQ.js +6 -0
  917. package/dist/web/_app/immutable/nodes/7.w17Zl36i.js +1 -0
  918. package/dist/web/_app/immutable/nodes/8.DqTsYuU-.js +1 -0
  919. package/dist/web/_app/immutable/nodes/9.BJhYZPfc.js +1 -0
  920. package/dist/web/_app/version.json +1 -1
  921. package/dist/web/favicon-16.png +0 -0
  922. package/dist/web/favicon-180.png +0 -0
  923. package/dist/web/favicon-32.png +0 -0
  924. package/dist/web/favicon-48.png +0 -0
  925. package/dist/web/favicon-512.png +0 -0
  926. package/dist/web/favicon.ico +0 -0
  927. package/dist/web/favicon.svg +8 -0
  928. package/dist/web/index.html +59 -20
  929. package/dist/web/studiograph-logomark.svg +29 -0
  930. package/package.json +44 -15
  931. package/dist/agent/role-loader.d.ts +0 -24
  932. package/dist/agent/role-loader.js +0 -67
  933. package/dist/agent/role-loader.js.map +0 -1
  934. package/dist/agent/skills/create-deck/content-guide.md +0 -238
  935. package/dist/agent/skills/create-deck/deck-cadence.md +0 -105
  936. package/dist/agent/skills/create-deck/diagrams.md +0 -431
  937. package/dist/agent/skills/create-deck/skill.md +0 -89
  938. package/dist/agent/skills/create-deck/slide-selection.md +0 -115
  939. package/dist/agent/skills/create-deck/slide-types.md +0 -638
  940. package/dist/agent/skills/create-document/skill.md +0 -229
  941. package/dist/agent/skills/enrich-entities.md +0 -136
  942. package/dist/agent/skills/obsidian-source-setup.md +0 -246
  943. package/dist/agent/skills/skill-loader.d.ts +0 -48
  944. package/dist/agent/skills/skill-loader.js +0 -166
  945. package/dist/agent/skills/skill-loader.js.map +0 -1
  946. package/dist/agent/skills/sync-configuration.md +0 -119
  947. package/dist/agent/skills/sync-setup.md +0 -82
  948. package/dist/agent/tools/message-tools.d.ts +0 -42
  949. package/dist/agent/tools/message-tools.js +0 -96
  950. package/dist/agent/tools/message-tools.js.map +0 -1
  951. package/dist/agent/tools/sync-tools.d.ts +0 -35
  952. package/dist/agent/tools/sync-tools.js +0 -992
  953. package/dist/agent/tools/sync-tools.js.map +0 -1
  954. package/dist/auth/github.d.ts +0 -56
  955. package/dist/auth/github.js +0 -169
  956. package/dist/auth/github.js.map +0 -1
  957. package/dist/cli/commands/access.d.ts +0 -11
  958. package/dist/cli/commands/access.js +0 -156
  959. package/dist/cli/commands/access.js.map +0 -1
  960. package/dist/cli/commands/app.d.ts +0 -7
  961. package/dist/cli/commands/app.js +0 -268
  962. package/dist/cli/commands/app.js.map +0 -1
  963. package/dist/cli/commands/auth.d.ts +0 -10
  964. package/dist/cli/commands/auth.js +0 -79
  965. package/dist/cli/commands/auth.js.map +0 -1
  966. package/dist/cli/commands/clear.d.ts +0 -5
  967. package/dist/cli/commands/clear.js +0 -36
  968. package/dist/cli/commands/clear.js.map +0 -1
  969. package/dist/cli/commands/collection.d.ts +0 -10
  970. package/dist/cli/commands/collection.js +0 -185
  971. package/dist/cli/commands/collection.js.map +0 -1
  972. package/dist/cli/commands/enrich.d.ts +0 -11
  973. package/dist/cli/commands/enrich.js +0 -135
  974. package/dist/cli/commands/enrich.js.map +0 -1
  975. package/dist/cli/commands/graphrag.d.ts +0 -12
  976. package/dist/cli/commands/graphrag.js +0 -122
  977. package/dist/cli/commands/graphrag.js.map +0 -1
  978. package/dist/cli/commands/join.d.ts +0 -9
  979. package/dist/cli/commands/join.js +0 -255
  980. package/dist/cli/commands/join.js.map +0 -1
  981. package/dist/cli/commands/members.d.ts +0 -11
  982. package/dist/cli/commands/members.js +0 -230
  983. package/dist/cli/commands/members.js.map +0 -1
  984. package/dist/cli/commands/org.d.ts +0 -10
  985. package/dist/cli/commands/org.js +0 -132
  986. package/dist/cli/commands/org.js.map +0 -1
  987. package/dist/cli/commands/provision.d.ts +0 -8
  988. package/dist/cli/commands/provision.js +0 -116
  989. package/dist/cli/commands/provision.js.map +0 -1
  990. package/dist/cli/commands/resolve.d.ts +0 -8
  991. package/dist/cli/commands/resolve.js +0 -85
  992. package/dist/cli/commands/resolve.js.map +0 -1
  993. package/dist/cli/commands/review.d.ts +0 -19
  994. package/dist/cli/commands/review.js +0 -128
  995. package/dist/cli/commands/review.js.map +0 -1
  996. package/dist/cli/commands/source.d.ts +0 -16
  997. package/dist/cli/commands/source.js +0 -159
  998. package/dist/cli/commands/source.js.map +0 -1
  999. package/dist/cli/commands/start.d.ts +0 -7
  1000. package/dist/cli/commands/start.js +0 -576
  1001. package/dist/cli/commands/start.js.map +0 -1
  1002. package/dist/cli/commands/sync-collection.d.ts +0 -14
  1003. package/dist/cli/commands/sync-collection.js +0 -355
  1004. package/dist/cli/commands/sync-collection.js.map +0 -1
  1005. package/dist/cli/commands/sync-entities.d.ts +0 -13
  1006. package/dist/cli/commands/sync-entities.js +0 -242
  1007. package/dist/cli/commands/sync-entities.js.map +0 -1
  1008. package/dist/cli/commands/team.d.ts +0 -12
  1009. package/dist/cli/commands/team.js +0 -185
  1010. package/dist/cli/commands/team.js.map +0 -1
  1011. package/dist/cli/commands/update.d.ts +0 -8
  1012. package/dist/cli/commands/update.js +0 -155
  1013. package/dist/cli/commands/update.js.map +0 -1
  1014. package/dist/cli/commands/user.d.ts +0 -7
  1015. package/dist/cli/commands/user.js +0 -169
  1016. package/dist/cli/commands/user.js.map +0 -1
  1017. package/dist/cli/scaffolding.d.ts +0 -12
  1018. package/dist/cli/scaffolding.js +0 -397
  1019. package/dist/cli/scaffolding.js.map +0 -1
  1020. package/dist/cli/sync-review-interactive.d.ts +0 -31
  1021. package/dist/cli/sync-review-interactive.js +0 -393
  1022. package/dist/cli/sync-review-interactive.js.map +0 -1
  1023. package/dist/core/feature-flags.d.ts +0 -17
  1024. package/dist/core/feature-flags.js +0 -15
  1025. package/dist/core/feature-flags.js.map +0 -1
  1026. package/dist/core/features.d.ts +0 -16
  1027. package/dist/core/features.js +0 -48
  1028. package/dist/core/features.js.map +0 -1
  1029. package/dist/core/launch-entity-types.d.ts +0 -23
  1030. package/dist/core/launch-entity-types.js +0 -48
  1031. package/dist/core/launch-entity-types.js.map +0 -1
  1032. package/dist/core/migration-runner.d.ts +0 -42
  1033. package/dist/core/migration-runner.js +0 -232
  1034. package/dist/core/migration-runner.js.map +0 -1
  1035. package/dist/core/migration-types.d.ts +0 -101
  1036. package/dist/core/migration-types.js +0 -21
  1037. package/dist/core/migration-types.js.map +0 -1
  1038. package/dist/core/migrations/20260219-formalize-memory-location.d.ts +0 -2
  1039. package/dist/core/migrations/20260219-formalize-memory-location.js +0 -35
  1040. package/dist/core/migrations/20260219-formalize-memory-location.js.map +0 -1
  1041. package/dist/core/migrations/20260220-add-workspace-metadata.d.ts +0 -12
  1042. package/dist/core/migrations/20260220-add-workspace-metadata.js +0 -65
  1043. package/dist/core/migrations/20260220-add-workspace-metadata.js.map +0 -1
  1044. package/dist/core/migrations/20260220-add-workspace-readme.d.ts +0 -11
  1045. package/dist/core/migrations/20260220-add-workspace-readme.js +0 -82
  1046. package/dist/core/migrations/20260220-add-workspace-readme.js.map +0 -1
  1047. package/dist/core/migrations/20260220-migrate-yaml-to-json.d.ts +0 -9
  1048. package/dist/core/migrations/20260220-migrate-yaml-to-json.js +0 -64
  1049. package/dist/core/migrations/20260220-migrate-yaml-to-json.js.map +0 -1
  1050. package/dist/core/migrations/index.d.ts +0 -11
  1051. package/dist/core/migrations/index.js +0 -23
  1052. package/dist/core/migrations/index.js.map +0 -1
  1053. package/dist/integrations/asana.d.ts +0 -26
  1054. package/dist/integrations/asana.js +0 -78
  1055. package/dist/integrations/asana.js.map +0 -1
  1056. package/dist/integrations/figma-local.d.ts +0 -16
  1057. package/dist/integrations/figma-local.js +0 -10
  1058. package/dist/integrations/figma-local.js.map +0 -1
  1059. package/dist/integrations/figma.d.ts +0 -17
  1060. package/dist/integrations/figma.js +0 -17
  1061. package/dist/integrations/figma.js.map +0 -1
  1062. package/dist/integrations/granola.d.ts +0 -24
  1063. package/dist/integrations/granola.js +0 -60
  1064. package/dist/integrations/granola.js.map +0 -1
  1065. package/dist/integrations/linear.d.ts +0 -14
  1066. package/dist/integrations/linear.js +0 -80
  1067. package/dist/integrations/linear.js.map +0 -1
  1068. package/dist/integrations/paper-local.d.ts +0 -14
  1069. package/dist/integrations/paper-local.js +0 -10
  1070. package/dist/integrations/paper-local.js.map +0 -1
  1071. package/dist/integrations/paper.d.ts +0 -2
  1072. package/dist/integrations/paper.js +0 -10
  1073. package/dist/integrations/paper.js.map +0 -1
  1074. package/dist/integrations/pipedrive.d.ts +0 -26
  1075. package/dist/integrations/pipedrive.js +0 -97
  1076. package/dist/integrations/pipedrive.js.map +0 -1
  1077. package/dist/integrations/registry.d.ts +0 -8
  1078. package/dist/integrations/registry.js +0 -7
  1079. package/dist/integrations/registry.js.map +0 -1
  1080. package/dist/integrations/types.d.ts +0 -43
  1081. package/dist/integrations/types.js +0 -5
  1082. package/dist/integrations/types.js.map +0 -1
  1083. package/dist/lib/lib/utils.d.ts +0 -2
  1084. package/dist/lib/lib/utils.js +0 -6
  1085. package/dist/lib/lib/utils.js.map +0 -1
  1086. package/dist/mcp/connectors/asana.d.ts +0 -2
  1087. package/dist/mcp/connectors/asana.js +0 -20
  1088. package/dist/mcp/connectors/asana.js.map +0 -1
  1089. package/dist/mcp/connectors/definitions.d.ts +0 -45
  1090. package/dist/mcp/connectors/definitions.js +0 -32
  1091. package/dist/mcp/connectors/definitions.js.map +0 -1
  1092. package/dist/mcp/connectors/figma.d.ts +0 -5
  1093. package/dist/mcp/connectors/figma.js +0 -21
  1094. package/dist/mcp/connectors/figma.js.map +0 -1
  1095. package/dist/mcp/connectors/gdrive.d.ts +0 -2
  1096. package/dist/mcp/connectors/gdrive.js +0 -20
  1097. package/dist/mcp/connectors/gdrive.js.map +0 -1
  1098. package/dist/mcp/connectors/granola.d.ts +0 -2
  1099. package/dist/mcp/connectors/granola.js +0 -12
  1100. package/dist/mcp/connectors/granola.js.map +0 -1
  1101. package/dist/mcp/connectors/linear.d.ts +0 -2
  1102. package/dist/mcp/connectors/linear.js +0 -19
  1103. package/dist/mcp/connectors/linear.js.map +0 -1
  1104. package/dist/mcp/connectors/obsidian.d.ts +0 -2
  1105. package/dist/mcp/connectors/obsidian.js +0 -19
  1106. package/dist/mcp/connectors/obsidian.js.map +0 -1
  1107. package/dist/mcp/connectors/pipedrive.d.ts +0 -2
  1108. package/dist/mcp/connectors/pipedrive.js +0 -20
  1109. package/dist/mcp/connectors/pipedrive.js.map +0 -1
  1110. package/dist/mcp/connectors/slack.d.ts +0 -2
  1111. package/dist/mcp/connectors/slack.js +0 -21
  1112. package/dist/mcp/connectors/slack.js.map +0 -1
  1113. package/dist/mcp/server-oauth-provider.d.ts +0 -56
  1114. package/dist/mcp/server-oauth-provider.js +0 -142
  1115. package/dist/mcp/server-oauth-provider.js.map +0 -1
  1116. package/dist/renderers/documents/branding.d.ts +0 -2
  1117. package/dist/renderers/documents/branding.js +0 -42
  1118. package/dist/renderers/documents/branding.js.map +0 -1
  1119. package/dist/renderers/documents/entity-types.json +0 -14
  1120. package/dist/renderers/documents/parser/frontmatter.d.ts +0 -5
  1121. package/dist/renderers/documents/parser/frontmatter.js +0 -90
  1122. package/dist/renderers/documents/parser/frontmatter.js.map +0 -1
  1123. package/dist/renderers/documents/parser/index.d.ts +0 -5
  1124. package/dist/renderers/documents/parser/index.js +0 -142
  1125. package/dist/renderers/documents/parser/index.js.map +0 -1
  1126. package/dist/renderers/documents/parser/sections.d.ts +0 -18
  1127. package/dist/renderers/documents/parser/sections.js +0 -131
  1128. package/dist/renderers/documents/parser/sections.js.map +0 -1
  1129. package/dist/renderers/documents/pdf/generator.d.ts +0 -13
  1130. package/dist/renderers/documents/pdf/generator.js +0 -79
  1131. package/dist/renderers/documents/pdf/generator.js.map +0 -1
  1132. package/dist/renderers/documents/plugin.d.ts +0 -2
  1133. package/dist/renderers/documents/plugin.js +0 -63
  1134. package/dist/renderers/documents/plugin.js.map +0 -1
  1135. package/dist/renderers/documents/public/branding/logo.svg +0 -3
  1136. package/dist/renderers/documents/public/editor/chrome.css +0 -461
  1137. package/dist/renderers/documents/public/editor/chrome.js +0 -524
  1138. package/dist/renderers/documents/public/editor/editor.css +0 -751
  1139. package/dist/renderers/documents/public/editor/editor.html +0 -140
  1140. package/dist/renderers/documents/public/editor/editor.js +0 -953
  1141. package/dist/renderers/documents/public/fonts/fonts.css +0 -145
  1142. package/dist/renderers/documents/public/viewer/viewer.css +0 -1
  1143. package/dist/renderers/documents/public/viewer/viewer.js +0 -4
  1144. package/dist/renderers/documents/renderer/back.d.ts +0 -8
  1145. package/dist/renderers/documents/renderer/back.js +0 -28
  1146. package/dist/renderers/documents/renderer/back.js.map +0 -1
  1147. package/dist/renderers/documents/renderer/content.d.ts +0 -7
  1148. package/dist/renderers/documents/renderer/content.js +0 -25
  1149. package/dist/renderers/documents/renderer/content.js.map +0 -1
  1150. package/dist/renderers/documents/renderer/cover.d.ts +0 -15
  1151. package/dist/renderers/documents/renderer/cover.js +0 -43
  1152. package/dist/renderers/documents/renderer/cover.js.map +0 -1
  1153. package/dist/renderers/documents/renderer/helpers.d.ts +0 -1
  1154. package/dist/renderers/documents/renderer/helpers.js +0 -11
  1155. package/dist/renderers/documents/renderer/helpers.js.map +0 -1
  1156. package/dist/renderers/documents/renderer/index.d.ts +0 -32
  1157. package/dist/renderers/documents/renderer/index.js +0 -80
  1158. package/dist/renderers/documents/renderer/index.js.map +0 -1
  1159. package/dist/renderers/documents/renderer/styles.d.ts +0 -16
  1160. package/dist/renderers/documents/renderer/styles.js +0 -546
  1161. package/dist/renderers/documents/renderer/styles.js.map +0 -1
  1162. package/dist/renderers/documents/routes/api.d.ts +0 -2
  1163. package/dist/renderers/documents/routes/api.js +0 -587
  1164. package/dist/renderers/documents/routes/api.js.map +0 -1
  1165. package/dist/renderers/documents/routes/editor.d.ts +0 -2
  1166. package/dist/renderers/documents/routes/editor.js +0 -31
  1167. package/dist/renderers/documents/routes/editor.js.map +0 -1
  1168. package/dist/renderers/documents/routes/viewer.d.ts +0 -2
  1169. package/dist/renderers/documents/routes/viewer.js +0 -67
  1170. package/dist/renderers/documents/routes/viewer.js.map +0 -1
  1171. package/dist/renderers/documents/types.d.ts +0 -61
  1172. package/dist/renderers/documents/types.js +0 -2
  1173. package/dist/renderers/documents/types.js.map +0 -1
  1174. package/dist/renderers/index.d.ts +0 -24
  1175. package/dist/renderers/index.js +0 -66
  1176. package/dist/renderers/index.js.map +0 -1
  1177. package/dist/renderers/slides/design-system/tokens.d.ts +0 -108
  1178. package/dist/renderers/slides/design-system/tokens.js +0 -44
  1179. package/dist/renderers/slides/design-system/tokens.js.map +0 -1
  1180. package/dist/renderers/slides/entity-types.json +0 -14
  1181. package/dist/renderers/slides/parser/comment-parser.d.ts +0 -10
  1182. package/dist/renderers/slides/parser/comment-parser.js +0 -89
  1183. package/dist/renderers/slides/parser/comment-parser.js.map +0 -1
  1184. package/dist/renderers/slides/parser/frontmatter.d.ts +0 -10
  1185. package/dist/renderers/slides/parser/frontmatter.js +0 -93
  1186. package/dist/renderers/slides/parser/frontmatter.js.map +0 -1
  1187. package/dist/renderers/slides/parser/index.d.ts +0 -7
  1188. package/dist/renderers/slides/parser/index.js +0 -569
  1189. package/dist/renderers/slides/parser/index.js.map +0 -1
  1190. package/dist/renderers/slides/parser/slide-splitter.d.ts +0 -6
  1191. package/dist/renderers/slides/parser/slide-splitter.js +0 -54
  1192. package/dist/renderers/slides/parser/slide-splitter.js.map +0 -1
  1193. package/dist/renderers/slides/parser/type-detector.d.ts +0 -6
  1194. package/dist/renderers/slides/parser/type-detector.js +0 -70
  1195. package/dist/renderers/slides/parser/type-detector.js.map +0 -1
  1196. package/dist/renderers/slides/pdf/generator.d.ts +0 -11
  1197. package/dist/renderers/slides/pdf/generator.js +0 -105
  1198. package/dist/renderers/slides/pdf/generator.js.map +0 -1
  1199. package/dist/renderers/slides/plugin.d.ts +0 -2
  1200. package/dist/renderers/slides/plugin.js +0 -70
  1201. package/dist/renderers/slides/plugin.js.map +0 -1
  1202. package/dist/renderers/slides/public/editor/.gitkeep +0 -0
  1203. package/dist/renderers/slides/public/editor/chrome.css +0 -461
  1204. package/dist/renderers/slides/public/editor/chrome.js +0 -519
  1205. package/dist/renderers/slides/public/editor/editor.css +0 -896
  1206. package/dist/renderers/slides/public/editor/editor.html +0 -131
  1207. package/dist/renderers/slides/public/editor/editor.js +0 -1038
  1208. package/dist/renderers/slides/public/fonts/fonts.css +0 -145
  1209. package/dist/renderers/slides/public/viewer/.gitkeep +0 -0
  1210. package/dist/renderers/slides/public/viewer/chrome.css +0 -62
  1211. package/dist/renderers/slides/public/viewer/transitions.css +0 -1
  1212. package/dist/renderers/slides/public/viewer/viewer.css +0 -2145
  1213. package/dist/renderers/slides/public/viewer/viewer.js +0 -303
  1214. package/dist/renderers/slides/renderer/chrome/browser-frame.d.ts +0 -5
  1215. package/dist/renderers/slides/renderer/chrome/browser-frame.js +0 -22
  1216. package/dist/renderers/slides/renderer/chrome/browser-frame.js.map +0 -1
  1217. package/dist/renderers/slides/renderer/chrome/mobile-frame.d.ts +0 -6
  1218. package/dist/renderers/slides/renderer/chrome/mobile-frame.js +0 -18
  1219. package/dist/renderers/slides/renderer/chrome/mobile-frame.js.map +0 -1
  1220. package/dist/renderers/slides/renderer/helpers.d.ts +0 -13
  1221. package/dist/renderers/slides/renderer/helpers.js +0 -33
  1222. package/dist/renderers/slides/renderer/helpers.js.map +0 -1
  1223. package/dist/renderers/slides/renderer/index.d.ts +0 -16
  1224. package/dist/renderers/slides/renderer/index.js +0 -160
  1225. package/dist/renderers/slides/renderer/index.js.map +0 -1
  1226. package/dist/renderers/slides/renderer/layouts/agenda.d.ts +0 -2
  1227. package/dist/renderers/slides/renderer/layouts/agenda.js +0 -18
  1228. package/dist/renderers/slides/renderer/layouts/agenda.js.map +0 -1
  1229. package/dist/renderers/slides/renderer/layouts/blank.d.ts +0 -2
  1230. package/dist/renderers/slides/renderer/layouts/blank.js +0 -4
  1231. package/dist/renderers/slides/renderer/layouts/blank.js.map +0 -1
  1232. package/dist/renderers/slides/renderer/layouts/columns.d.ts +0 -2
  1233. package/dist/renderers/slides/renderer/layouts/columns.js +0 -32
  1234. package/dist/renderers/slides/renderer/layouts/columns.js.map +0 -1
  1235. package/dist/renderers/slides/renderer/layouts/cover.d.ts +0 -2
  1236. package/dist/renderers/slides/renderer/layouts/cover.js +0 -18
  1237. package/dist/renderers/slides/renderer/layouts/cover.js.map +0 -1
  1238. package/dist/renderers/slides/renderer/layouts/diagram-concentric.d.ts +0 -2
  1239. package/dist/renderers/slides/renderer/layouts/diagram-concentric.js +0 -120
  1240. package/dist/renderers/slides/renderer/layouts/diagram-concentric.js.map +0 -1
  1241. package/dist/renderers/slides/renderer/layouts/diagram-matrix.d.ts +0 -2
  1242. package/dist/renderers/slides/renderer/layouts/diagram-matrix.js +0 -158
  1243. package/dist/renderers/slides/renderer/layouts/diagram-matrix.js.map +0 -1
  1244. package/dist/renderers/slides/renderer/layouts/diagram-pyramid.d.ts +0 -2
  1245. package/dist/renderers/slides/renderer/layouts/diagram-pyramid.js +0 -86
  1246. package/dist/renderers/slides/renderer/layouts/diagram-pyramid.js.map +0 -1
  1247. package/dist/renderers/slides/renderer/layouts/diagram-sitemap.d.ts +0 -2
  1248. package/dist/renderers/slides/renderer/layouts/diagram-sitemap.js +0 -146
  1249. package/dist/renderers/slides/renderer/layouts/diagram-sitemap.js.map +0 -1
  1250. package/dist/renderers/slides/renderer/layouts/diagram-venn.d.ts +0 -2
  1251. package/dist/renderers/slides/renderer/layouts/diagram-venn.js +0 -100
  1252. package/dist/renderers/slides/renderer/layouts/diagram-venn.js.map +0 -1
  1253. package/dist/renderers/slides/renderer/layouts/diagram.d.ts +0 -2
  1254. package/dist/renderers/slides/renderer/layouts/diagram.js +0 -21
  1255. package/dist/renderers/slides/renderer/layouts/diagram.js.map +0 -1
  1256. package/dist/renderers/slides/renderer/layouts/divider.d.ts +0 -2
  1257. package/dist/renderers/slides/renderer/layouts/divider.js +0 -4
  1258. package/dist/renderers/slides/renderer/layouts/divider.js.map +0 -1
  1259. package/dist/renderers/slides/renderer/layouts/end.d.ts +0 -2
  1260. package/dist/renderers/slides/renderer/layouts/end.js +0 -8
  1261. package/dist/renderers/slides/renderer/layouts/end.js.map +0 -1
  1262. package/dist/renderers/slides/renderer/layouts/framework.d.ts +0 -2
  1263. package/dist/renderers/slides/renderer/layouts/framework.js +0 -47
  1264. package/dist/renderers/slides/renderer/layouts/framework.js.map +0 -1
  1265. package/dist/renderers/slides/renderer/layouts/image-browser-2up.d.ts +0 -2
  1266. package/dist/renderers/slides/renderer/layouts/image-browser-2up.js +0 -38
  1267. package/dist/renderers/slides/renderer/layouts/image-browser-2up.js.map +0 -1
  1268. package/dist/renderers/slides/renderer/layouts/image-browser-6up.d.ts +0 -2
  1269. package/dist/renderers/slides/renderer/layouts/image-browser-6up.js +0 -30
  1270. package/dist/renderers/slides/renderer/layouts/image-browser-6up.js.map +0 -1
  1271. package/dist/renderers/slides/renderer/layouts/image-browser.d.ts +0 -2
  1272. package/dist/renderers/slides/renderer/layouts/image-browser.js +0 -18
  1273. package/dist/renderers/slides/renderer/layouts/image-browser.js.map +0 -1
  1274. package/dist/renderers/slides/renderer/layouts/image-bullets.d.ts +0 -2
  1275. package/dist/renderers/slides/renderer/layouts/image-bullets.js +0 -26
  1276. package/dist/renderers/slides/renderer/layouts/image-bullets.js.map +0 -1
  1277. package/dist/renderers/slides/renderer/layouts/image-device-pair.d.ts +0 -2
  1278. package/dist/renderers/slides/renderer/layouts/image-device-pair.js +0 -34
  1279. package/dist/renderers/slides/renderer/layouts/image-device-pair.js.map +0 -1
  1280. package/dist/renderers/slides/renderer/layouts/image-full.d.ts +0 -2
  1281. package/dist/renderers/slides/renderer/layouts/image-full.js +0 -36
  1282. package/dist/renderers/slides/renderer/layouts/image-full.js.map +0 -1
  1283. package/dist/renderers/slides/renderer/layouts/image-grid-2x2.d.ts +0 -2
  1284. package/dist/renderers/slides/renderer/layouts/image-grid-2x2.js +0 -23
  1285. package/dist/renderers/slides/renderer/layouts/image-grid-2x2.js.map +0 -1
  1286. package/dist/renderers/slides/renderer/layouts/image-keywords.d.ts +0 -2
  1287. package/dist/renderers/slides/renderer/layouts/image-keywords.js +0 -31
  1288. package/dist/renderers/slides/renderer/layouts/image-keywords.js.map +0 -1
  1289. package/dist/renderers/slides/renderer/layouts/image-mobile-3up.d.ts +0 -2
  1290. package/dist/renderers/slides/renderer/layouts/image-mobile-3up.js +0 -22
  1291. package/dist/renderers/slides/renderer/layouts/image-mobile-3up.js.map +0 -1
  1292. package/dist/renderers/slides/renderer/layouts/image-mobile.d.ts +0 -2
  1293. package/dist/renderers/slides/renderer/layouts/image-mobile.js +0 -17
  1294. package/dist/renderers/slides/renderer/layouts/image-mobile.js.map +0 -1
  1295. package/dist/renderers/slides/renderer/layouts/image-split-right.d.ts +0 -2
  1296. package/dist/renderers/slides/renderer/layouts/image-split-right.js +0 -19
  1297. package/dist/renderers/slides/renderer/layouts/image-split-right.js.map +0 -1
  1298. package/dist/renderers/slides/renderer/layouts/image-split.d.ts +0 -2
  1299. package/dist/renderers/slides/renderer/layouts/image-split.js +0 -19
  1300. package/dist/renderers/slides/renderer/layouts/image-split.js.map +0 -1
  1301. package/dist/renderers/slides/renderer/layouts/introductions.d.ts +0 -2
  1302. package/dist/renderers/slides/renderer/layouts/introductions.js +0 -41
  1303. package/dist/renderers/slides/renderer/layouts/introductions.js.map +0 -1
  1304. package/dist/renderers/slides/renderer/layouts/moodboard.d.ts +0 -15
  1305. package/dist/renderers/slides/renderer/layouts/moodboard.js +0 -63
  1306. package/dist/renderers/slides/renderer/layouts/moodboard.js.map +0 -1
  1307. package/dist/renderers/slides/renderer/layouts/next-steps.d.ts +0 -2
  1308. package/dist/renderers/slides/renderer/layouts/next-steps.js +0 -13
  1309. package/dist/renderers/slides/renderer/layouts/next-steps.js.map +0 -1
  1310. package/dist/renderers/slides/renderer/layouts/pullquote.d.ts +0 -2
  1311. package/dist/renderers/slides/renderer/layouts/pullquote.js +0 -17
  1312. package/dist/renderers/slides/renderer/layouts/pullquote.js.map +0 -1
  1313. package/dist/renderers/slides/renderer/layouts/schedule.d.ts +0 -2
  1314. package/dist/renderers/slides/renderer/layouts/schedule.js +0 -58
  1315. package/dist/renderers/slides/renderer/layouts/schedule.js.map +0 -1
  1316. package/dist/renderers/slides/renderer/layouts/section.d.ts +0 -2
  1317. package/dist/renderers/slides/renderer/layouts/section.js +0 -18
  1318. package/dist/renderers/slides/renderer/layouts/section.js.map +0 -1
  1319. package/dist/renderers/slides/renderer/layouts/statement.d.ts +0 -2
  1320. package/dist/renderers/slides/renderer/layouts/statement.js +0 -13
  1321. package/dist/renderers/slides/renderer/layouts/statement.js.map +0 -1
  1322. package/dist/renderers/slides/renderer/layouts/stats.d.ts +0 -2
  1323. package/dist/renderers/slides/renderer/layouts/stats.js +0 -26
  1324. package/dist/renderers/slides/renderer/layouts/stats.js.map +0 -1
  1325. package/dist/renderers/slides/renderer/layouts/table.d.ts +0 -2
  1326. package/dist/renderers/slides/renderer/layouts/table.js +0 -23
  1327. package/dist/renderers/slides/renderer/layouts/table.js.map +0 -1
  1328. package/dist/renderers/slides/renderer/layouts/text-body.d.ts +0 -2
  1329. package/dist/renderers/slides/renderer/layouts/text-body.js +0 -14
  1330. package/dist/renderers/slides/renderer/layouts/text-body.js.map +0 -1
  1331. package/dist/renderers/slides/renderer/placeholder.d.ts +0 -5
  1332. package/dist/renderers/slides/renderer/placeholder.js +0 -12
  1333. package/dist/renderers/slides/renderer/placeholder.js.map +0 -1
  1334. package/dist/renderers/slides/routes/api.d.ts +0 -2
  1335. package/dist/renderers/slides/routes/api.js +0 -568
  1336. package/dist/renderers/slides/routes/api.js.map +0 -1
  1337. package/dist/renderers/slides/routes/editor.d.ts +0 -2
  1338. package/dist/renderers/slides/routes/editor.js +0 -32
  1339. package/dist/renderers/slides/routes/editor.js.map +0 -1
  1340. package/dist/renderers/slides/routes/viewer.d.ts +0 -2
  1341. package/dist/renderers/slides/routes/viewer.js +0 -67
  1342. package/dist/renderers/slides/routes/viewer.js.map +0 -1
  1343. package/dist/renderers/slides/types.d.ts +0 -111
  1344. package/dist/renderers/slides/types.js +0 -2
  1345. package/dist/renderers/slides/types.js.map +0 -1
  1346. package/dist/server/agents/agent-loader.d.ts +0 -16
  1347. package/dist/server/agents/agent-loader.js +0 -175
  1348. package/dist/server/agents/agent-loader.js.map +0 -1
  1349. package/dist/server/agents/agent-runner.d.ts +0 -33
  1350. package/dist/server/agents/agent-runner.js +0 -187
  1351. package/dist/server/agents/agent-runner.js.map +0 -1
  1352. package/dist/server/agents/agent-runtime.d.ts +0 -39
  1353. package/dist/server/agents/agent-runtime.js +0 -214
  1354. package/dist/server/agents/agent-runtime.js.map +0 -1
  1355. package/dist/server/agents/base-agent.d.ts +0 -30
  1356. package/dist/server/agents/base-agent.js +0 -88
  1357. package/dist/server/agents/base-agent.js.map +0 -1
  1358. package/dist/server/agents/executive-digest.d.ts +0 -16
  1359. package/dist/server/agents/executive-digest.js +0 -115
  1360. package/dist/server/agents/executive-digest.js.map +0 -1
  1361. package/dist/server/agents/graph-steward.d.ts +0 -16
  1362. package/dist/server/agents/graph-steward.js +0 -59
  1363. package/dist/server/agents/graph-steward.js.map +0 -1
  1364. package/dist/server/agents/meeting-followup.d.ts +0 -16
  1365. package/dist/server/agents/meeting-followup.js +0 -88
  1366. package/dist/server/agents/meeting-followup.js.map +0 -1
  1367. package/dist/server/agents/pipeline-monitor.d.ts +0 -15
  1368. package/dist/server/agents/pipeline-monitor.js +0 -86
  1369. package/dist/server/agents/pipeline-monitor.js.map +0 -1
  1370. package/dist/server/agents/types.d.ts +0 -81
  1371. package/dist/server/agents/types.js +0 -41
  1372. package/dist/server/agents/types.js.map +0 -1
  1373. package/dist/server/chrome/chrome.css +0 -701
  1374. package/dist/server/chrome/chrome.js +0 -374
  1375. package/dist/server/collab-authority.d.ts +0 -70
  1376. package/dist/server/collab-authority.js +0 -218
  1377. package/dist/server/collab-authority.js.map +0 -1
  1378. package/dist/server/collab.d.ts +0 -29
  1379. package/dist/server/collab.js +0 -195
  1380. package/dist/server/collab.js.map +0 -1
  1381. package/dist/server/commit-scheduler.d.ts +0 -39
  1382. package/dist/server/commit-scheduler.js +0 -113
  1383. package/dist/server/commit-scheduler.js.map +0 -1
  1384. package/dist/server/plugin-loader.d.ts +0 -53
  1385. package/dist/server/plugin-loader.js +0 -155
  1386. package/dist/server/plugin-loader.js.map +0 -1
  1387. package/dist/server/routes/agents-api.d.ts +0 -10
  1388. package/dist/server/routes/agents-api.js +0 -25
  1389. package/dist/server/routes/agents-api.js.map +0 -1
  1390. package/dist/server/routes/collab.d.ts +0 -6
  1391. package/dist/server/routes/collab.js +0 -10
  1392. package/dist/server/routes/collab.js.map +0 -1
  1393. package/dist/server/routes/features-api.d.ts +0 -10
  1394. package/dist/server/routes/features-api.js +0 -15
  1395. package/dist/server/routes/features-api.js.map +0 -1
  1396. package/dist/server/routes/git-api.d.ts +0 -9
  1397. package/dist/server/routes/git-api.js +0 -82
  1398. package/dist/server/routes/git-api.js.map +0 -1
  1399. package/dist/server/routes/meeting-ingest-api.d.ts +0 -14
  1400. package/dist/server/routes/meeting-ingest-api.js +0 -117
  1401. package/dist/server/routes/meeting-ingest-api.js.map +0 -1
  1402. package/dist/server/routes/messages-api.d.ts +0 -15
  1403. package/dist/server/routes/messages-api.js +0 -569
  1404. package/dist/server/routes/messages-api.js.map +0 -1
  1405. package/dist/server/routes/sync-api.d.ts +0 -26
  1406. package/dist/server/routes/sync-api.js +0 -848
  1407. package/dist/server/routes/sync-api.js.map +0 -1
  1408. package/dist/server/routes/view-public.d.ts +0 -10
  1409. package/dist/server/routes/view-public.js +0 -107
  1410. package/dist/server/routes/view-public.js.map +0 -1
  1411. package/dist/server/routes/webhook.d.ts +0 -14
  1412. package/dist/server/routes/webhook.js +0 -102
  1413. package/dist/server/routes/webhook.js.map +0 -1
  1414. package/dist/services/batch-processor.d.ts +0 -49
  1415. package/dist/services/batch-processor.js +0 -166
  1416. package/dist/services/batch-processor.js.map +0 -1
  1417. package/dist/services/briefing.d.ts +0 -26
  1418. package/dist/services/briefing.js +0 -206
  1419. package/dist/services/briefing.js.map +0 -1
  1420. package/dist/services/github-provisioner.d.ts +0 -36
  1421. package/dist/services/github-provisioner.js +0 -126
  1422. package/dist/services/github-provisioner.js.map +0 -1
  1423. package/dist/services/github-service.d.ts +0 -99
  1424. package/dist/services/github-service.js +0 -310
  1425. package/dist/services/github-service.js.map +0 -1
  1426. package/dist/services/heartbeat.d.ts +0 -35
  1427. package/dist/services/heartbeat.js +0 -236
  1428. package/dist/services/heartbeat.js.map +0 -1
  1429. package/dist/services/image-import-service.d.ts +0 -24
  1430. package/dist/services/image-import-service.js +0 -108
  1431. package/dist/services/image-import-service.js.map +0 -1
  1432. package/dist/services/insights.d.ts +0 -38
  1433. package/dist/services/insights.js +0 -269
  1434. package/dist/services/insights.js.map +0 -1
  1435. package/dist/services/meeting-processor.d.ts +0 -97
  1436. package/dist/services/meeting-processor.js +0 -382
  1437. package/dist/services/meeting-processor.js.map +0 -1
  1438. package/dist/services/message-service.d.ts +0 -117
  1439. package/dist/services/message-service.js +0 -414
  1440. package/dist/services/message-service.js.map +0 -1
  1441. package/dist/services/sync/collection-sync.d.ts +0 -60
  1442. package/dist/services/sync/collection-sync.js +0 -509
  1443. package/dist/services/sync/collection-sync.js.map +0 -1
  1444. package/dist/services/sync/commit.d.ts +0 -60
  1445. package/dist/services/sync/commit.js +0 -354
  1446. package/dist/services/sync/commit.js.map +0 -1
  1447. package/dist/services/sync/context-index.d.ts +0 -69
  1448. package/dist/services/sync/context-index.js +0 -280
  1449. package/dist/services/sync/context-index.js.map +0 -1
  1450. package/dist/services/sync/data-fetcher.d.ts +0 -31
  1451. package/dist/services/sync/data-fetcher.js +0 -12
  1452. package/dist/services/sync/data-fetcher.js.map +0 -1
  1453. package/dist/services/sync/derive.d.ts +0 -34
  1454. package/dist/services/sync/derive.js +0 -164
  1455. package/dist/services/sync/derive.js.map +0 -1
  1456. package/dist/services/sync/enrichment-state.d.ts +0 -31
  1457. package/dist/services/sync/enrichment-state.js +0 -63
  1458. package/dist/services/sync/enrichment-state.js.map +0 -1
  1459. package/dist/services/sync/enrichment.d.ts +0 -25
  1460. package/dist/services/sync/enrichment.js +0 -121
  1461. package/dist/services/sync/enrichment.js.map +0 -1
  1462. package/dist/services/sync/entity-refresh.d.ts +0 -30
  1463. package/dist/services/sync/entity-refresh.js +0 -275
  1464. package/dist/services/sync/entity-refresh.js.map +0 -1
  1465. package/dist/services/sync/frontmatter-extractor.d.ts +0 -40
  1466. package/dist/services/sync/frontmatter-extractor.js +0 -279
  1467. package/dist/services/sync/frontmatter-extractor.js.map +0 -1
  1468. package/dist/services/sync/graph-match-state.d.ts +0 -33
  1469. package/dist/services/sync/graph-match-state.js +0 -61
  1470. package/dist/services/sync/graph-match-state.js.map +0 -1
  1471. package/dist/services/sync/graph-match.d.ts +0 -53
  1472. package/dist/services/sync/graph-match.js +0 -316
  1473. package/dist/services/sync/graph-match.js.map +0 -1
  1474. package/dist/services/sync/graphrag-client.d.ts +0 -43
  1475. package/dist/services/sync/graphrag-client.js +0 -94
  1476. package/dist/services/sync/graphrag-client.js.map +0 -1
  1477. package/dist/services/sync/graphrag-config.d.ts +0 -16
  1478. package/dist/services/sync/graphrag-config.js +0 -39
  1479. package/dist/services/sync/graphrag-config.js.map +0 -1
  1480. package/dist/services/sync/graphrag-context.d.ts +0 -14
  1481. package/dist/services/sync/graphrag-context.js +0 -109
  1482. package/dist/services/sync/graphrag-context.js.map +0 -1
  1483. package/dist/services/sync/graphrag-indexer.d.ts +0 -30
  1484. package/dist/services/sync/graphrag-indexer.js +0 -358
  1485. package/dist/services/sync/graphrag-indexer.js.map +0 -1
  1486. package/dist/services/sync/llm.d.ts +0 -32
  1487. package/dist/services/sync/llm.js +0 -115
  1488. package/dist/services/sync/llm.js.map +0 -1
  1489. package/dist/services/sync/mcp-client.d.ts +0 -71
  1490. package/dist/services/sync/mcp-client.js +0 -299
  1491. package/dist/services/sync/mcp-client.js.map +0 -1
  1492. package/dist/services/sync/model-factory.d.ts +0 -13
  1493. package/dist/services/sync/model-factory.js +0 -38
  1494. package/dist/services/sync/model-factory.js.map +0 -1
  1495. package/dist/services/sync/name-quality.d.ts +0 -31
  1496. package/dist/services/sync/name-quality.js +0 -60
  1497. package/dist/services/sync/name-quality.js.map +0 -1
  1498. package/dist/services/sync/output-schemas.d.ts +0 -92
  1499. package/dist/services/sync/output-schemas.js +0 -43
  1500. package/dist/services/sync/output-schemas.js.map +0 -1
  1501. package/dist/services/sync/prompts.d.ts +0 -19
  1502. package/dist/services/sync/prompts.js +0 -128
  1503. package/dist/services/sync/prompts.js.map +0 -1
  1504. package/dist/services/sync/reconciler.d.ts +0 -48
  1505. package/dist/services/sync/reconciler.js +0 -294
  1506. package/dist/services/sync/reconciler.js.map +0 -1
  1507. package/dist/services/sync/rest-client.d.ts +0 -40
  1508. package/dist/services/sync/rest-client.js +0 -100
  1509. package/dist/services/sync/rest-client.js.map +0 -1
  1510. package/dist/services/sync/source-config.d.ts +0 -67
  1511. package/dist/services/sync/source-config.js +0 -304
  1512. package/dist/services/sync/source-config.js.map +0 -1
  1513. package/dist/services/sync/source-definitions/asana.d.ts +0 -14
  1514. package/dist/services/sync/source-definitions/asana.js +0 -42
  1515. package/dist/services/sync/source-definitions/asana.js.map +0 -1
  1516. package/dist/services/sync/source-definitions/definitions.d.ts +0 -8
  1517. package/dist/services/sync/source-definitions/definitions.js +0 -8
  1518. package/dist/services/sync/source-definitions/definitions.js.map +0 -1
  1519. package/dist/services/sync/source-definitions/gdrive.d.ts +0 -16
  1520. package/dist/services/sync/source-definitions/gdrive.js +0 -68
  1521. package/dist/services/sync/source-definitions/gdrive.js.map +0 -1
  1522. package/dist/services/sync/source-definitions/granola.d.ts +0 -2
  1523. package/dist/services/sync/source-definitions/granola.js +0 -21
  1524. package/dist/services/sync/source-definitions/granola.js.map +0 -1
  1525. package/dist/services/sync/source-definitions/linear.d.ts +0 -2
  1526. package/dist/services/sync/source-definitions/linear.js +0 -62
  1527. package/dist/services/sync/source-definitions/linear.js.map +0 -1
  1528. package/dist/services/sync/source-definitions/obsidian.d.ts +0 -2
  1529. package/dist/services/sync/source-definitions/obsidian.js +0 -55
  1530. package/dist/services/sync/source-definitions/obsidian.js.map +0 -1
  1531. package/dist/services/sync/source-definitions/pipedrive.d.ts +0 -2
  1532. package/dist/services/sync/source-definitions/pipedrive.js +0 -43
  1533. package/dist/services/sync/source-definitions/pipedrive.js.map +0 -1
  1534. package/dist/services/sync/staging.d.ts +0 -53
  1535. package/dist/services/sync/staging.js +0 -130
  1536. package/dist/services/sync/staging.js.map +0 -1
  1537. package/dist/services/sync/structured-extractor.d.ts +0 -57
  1538. package/dist/services/sync/structured-extractor.js +0 -584
  1539. package/dist/services/sync/structured-extractor.js.map +0 -1
  1540. package/dist/services/sync/sync-runner.d.ts +0 -32
  1541. package/dist/services/sync/sync-runner.js +0 -195
  1542. package/dist/services/sync/sync-runner.js.map +0 -1
  1543. package/dist/services/sync/sync-state.d.ts +0 -43
  1544. package/dist/services/sync/sync-state.js +0 -154
  1545. package/dist/services/sync/sync-state.js.map +0 -1
  1546. package/dist/services/sync/types.d.ts +0 -381
  1547. package/dist/services/sync/types.js +0 -8
  1548. package/dist/services/sync/types.js.map +0 -1
  1549. package/dist/services/sync/unstructured-extractor.d.ts +0 -27
  1550. package/dist/services/sync/unstructured-extractor.js +0 -185
  1551. package/dist/services/sync/unstructured-extractor.js.map +0 -1
  1552. package/dist/utils/merge-resolver.d.ts +0 -59
  1553. package/dist/utils/merge-resolver.js +0 -303
  1554. package/dist/utils/merge-resolver.js.map +0 -1
  1555. package/dist/utils/workspace-config.d.ts +0 -8
  1556. package/dist/utils/workspace-config.js +0 -22
  1557. package/dist/utils/workspace-config.js.map +0 -1
  1558. package/dist/web/_app/immutable/assets/0.B3eM5J6m.css +0 -1
  1559. package/dist/web/_app/immutable/assets/10.2jzI3cZY.css +0 -1
  1560. package/dist/web/_app/immutable/assets/11.BbBNo8jg.css +0 -1
  1561. package/dist/web/_app/immutable/assets/12.vV-8Nqud.css +0 -1
  1562. package/dist/web/_app/immutable/assets/2.CDsrnCq3.css +0 -1
  1563. package/dist/web/_app/immutable/assets/3.Ih7su2rl.css +0 -1
  1564. package/dist/web/_app/immutable/assets/4.CwXIQz3p.css +0 -1
  1565. package/dist/web/_app/immutable/assets/ChevronLeft.BwM9mwS4.css +0 -1
  1566. package/dist/web/_app/immutable/assets/GraphView.CRV5cekT.css +0 -1
  1567. package/dist/web/_app/immutable/assets/Toaster.rN8r_Hzv.css +0 -1
  1568. package/dist/web/_app/immutable/assets/ViewToolbar.CsWTe0yn.css +0 -1
  1569. package/dist/web/_app/immutable/assets/WorkspaceView.iWtzksrr.css +0 -1
  1570. package/dist/web/_app/immutable/chunks/0kuZ2gtb.js +0 -1
  1571. package/dist/web/_app/immutable/chunks/1Ea1UXwM.js +0 -2
  1572. package/dist/web/_app/immutable/chunks/284Zhbif.js +0 -1
  1573. package/dist/web/_app/immutable/chunks/7S2LGqoP.js +0 -2
  1574. package/dist/web/_app/immutable/chunks/7WZENMwt.js +0 -1
  1575. package/dist/web/_app/immutable/chunks/B0qHb2ee.js +0 -1
  1576. package/dist/web/_app/immutable/chunks/B45od9dM.js +0 -2
  1577. package/dist/web/_app/immutable/chunks/B4hXkypI.js +0 -1
  1578. package/dist/web/_app/immutable/chunks/BB_5th5W.js +0 -3383
  1579. package/dist/web/_app/immutable/chunks/BDvg8O5k.js +0 -5
  1580. package/dist/web/_app/immutable/chunks/BGiCmAMQ.js +0 -4
  1581. package/dist/web/_app/immutable/chunks/BHgT2Ede.js +0 -1
  1582. package/dist/web/_app/immutable/chunks/BQ1nK9ru.js +0 -1
  1583. package/dist/web/_app/immutable/chunks/BS0-13V2.js +0 -1
  1584. package/dist/web/_app/immutable/chunks/BSiC7hSS.js +0 -1
  1585. package/dist/web/_app/immutable/chunks/BkxW0BJZ.js +0 -1
  1586. package/dist/web/_app/immutable/chunks/Bp7FKkGt.js +0 -1
  1587. package/dist/web/_app/immutable/chunks/BrebtJNG.js +0 -18
  1588. package/dist/web/_app/immutable/chunks/Bz0ZjVQE.js +0 -2
  1589. package/dist/web/_app/immutable/chunks/C0LVZhvn.js +0 -1
  1590. package/dist/web/_app/immutable/chunks/C0Zx4tMe.js +0 -1
  1591. package/dist/web/_app/immutable/chunks/CHJcPZZK.js +0 -2
  1592. package/dist/web/_app/immutable/chunks/CRpK3grw.js +0 -2
  1593. package/dist/web/_app/immutable/chunks/CSVbGg_b.js +0 -5
  1594. package/dist/web/_app/immutable/chunks/CX_61fY8.js +0 -5
  1595. package/dist/web/_app/immutable/chunks/CYrVHOHA.js +0 -1
  1596. package/dist/web/_app/immutable/chunks/CdIKiXW6.js +0 -1
  1597. package/dist/web/_app/immutable/chunks/CqkleIqs.js +0 -1
  1598. package/dist/web/_app/immutable/chunks/D14M5KlG.js +0 -1
  1599. package/dist/web/_app/immutable/chunks/D71c9o7J.js +0 -2
  1600. package/dist/web/_app/immutable/chunks/DFYOFE3o.js +0 -1
  1601. package/dist/web/_app/immutable/chunks/DHJAqtPb.js +0 -1
  1602. package/dist/web/_app/immutable/chunks/DOqcDZIJ.js +0 -1
  1603. package/dist/web/_app/immutable/chunks/DQNtFKv6.js +0 -1
  1604. package/dist/web/_app/immutable/chunks/DZHWps9n.js +0 -1
  1605. package/dist/web/_app/immutable/chunks/DjLrjK2H.js +0 -1
  1606. package/dist/web/_app/immutable/chunks/DjvJRtva.js +0 -1
  1607. package/dist/web/_app/immutable/chunks/DnL9f0lc.js +0 -7
  1608. package/dist/web/_app/immutable/chunks/Dqq8gyOz.js +0 -1
  1609. package/dist/web/_app/immutable/chunks/DsnmJJEf.js +0 -1
  1610. package/dist/web/_app/immutable/chunks/DtG1tx2A.js +0 -1
  1611. package/dist/web/_app/immutable/chunks/Dxmmz-Kc.js +0 -1
  1612. package/dist/web/_app/immutable/chunks/DzVOENkg.js +0 -1
  1613. package/dist/web/_app/immutable/chunks/Ee5s0qSS.js +0 -5
  1614. package/dist/web/_app/immutable/chunks/KlRV1tKP.js +0 -1
  1615. package/dist/web/_app/immutable/chunks/L7dfS1-w.js +0 -1
  1616. package/dist/web/_app/immutable/chunks/MaQouOBH.js +0 -2
  1617. package/dist/web/_app/immutable/chunks/PPVm8Dsz.js +0 -1
  1618. package/dist/web/_app/immutable/chunks/WSUKABI_.js +0 -1
  1619. package/dist/web/_app/immutable/chunks/_7ZfIgbM.js +0 -1
  1620. package/dist/web/_app/immutable/chunks/pNJmbo_B.js +0 -1
  1621. package/dist/web/_app/immutable/chunks/q4I7EnCp.js +0 -1
  1622. package/dist/web/_app/immutable/chunks/qE6Hm01v.js +0 -1
  1623. package/dist/web/_app/immutable/chunks/vxEtkL8z.js +0 -1
  1624. package/dist/web/_app/immutable/chunks/wDIGUaoU.js +0 -3
  1625. package/dist/web/_app/immutable/chunks/wZWzupWT.js +0 -1
  1626. package/dist/web/_app/immutable/entry/app.Dc6h105F.js +0 -2
  1627. package/dist/web/_app/immutable/entry/start.D4codAU1.js +0 -1
  1628. package/dist/web/_app/immutable/nodes/0.BM3j5xaK.js +0 -2
  1629. package/dist/web/_app/immutable/nodes/1.CZ2dT63B.js +0 -1
  1630. package/dist/web/_app/immutable/nodes/10.AJJtsnPU.js +0 -1
  1631. package/dist/web/_app/immutable/nodes/11.B7SEgGLF.js +0 -1
  1632. package/dist/web/_app/immutable/nodes/12.BcJKl4UQ.js +0 -1
  1633. package/dist/web/_app/immutable/nodes/2.jp27tyTq.js +0 -269
  1634. package/dist/web/_app/immutable/nodes/3.I7SH_06w.js +0 -5
  1635. package/dist/web/_app/immutable/nodes/4.Bdphc-UJ.js +0 -11
  1636. package/dist/web/_app/immutable/nodes/5.CXpOErnP.js +0 -1
  1637. package/dist/web/_app/immutable/nodes/6.1wcSxmEA.js +0 -1
  1638. package/dist/web/_app/immutable/nodes/7.D0b7WYTp.js +0 -1
  1639. package/dist/web/_app/immutable/nodes/8.D0Gxvy3F.js +0 -1
  1640. package/dist/web/_app/immutable/nodes/9.B5Nr92OR.js +0 -1
@@ -9,57 +9,76 @@
9
9
  import Fastify from 'fastify';
10
10
  import cookie from '@fastify/cookie';
11
11
  import cors from '@fastify/cors';
12
+ import rateLimit from '@fastify/rate-limit';
12
13
  import websocket from '@fastify/websocket';
14
+ import { sanitize } from './middleware/sanitize.js';
13
15
  import { existsSync, readFileSync, createReadStream, statSync } from 'fs';
14
- import { join, extname } from 'path';
16
+ import { join, extname, resolve, sep } from 'path';
15
17
  import { Workspace } from '../core/workspace.js';
16
18
  import { AgentOrchestrator } from '../agent/orchestrator.js';
17
19
  import { registerGraphApiRoutes } from './routes/graph-api.js';
18
20
  import { registerChatRoutes } from './routes/chat.js';
19
21
  import { registerWorkspaceApiRoutes } from './routes/workspace-api.js';
22
+ import { registerHealthApiRoutes } from './routes/health.js';
20
23
  import { registerPermissionsApiRoutes } from './routes/permissions-api.js';
21
24
  import { registerAuthApiRoutes } from './routes/auth-api.js';
22
25
  import { registerGitHttpRoutes } from './routes/git-http.js';
23
26
  import { registerViewsApiRoutes } from './routes/views-api.js';
24
- import { registerBriefingApiRoutes } from './routes/insights-api.js';
27
+ import { registerInsightsApiRoutes } from './routes/insights-api.js';
25
28
  import { registerMcpRoutes } from './routes/mcp.js';
29
+ import { registerArtifactSelectionRoutes } from './routes/artifact-selection-api.js';
26
30
  import { registerConnectorsApiRoutes } from './routes/connectors-api.js';
31
+ import { registerOAuthApiRoutes, resolveCanonicalBaseUrl } from './routes/oauth-api.js';
27
32
  import { registerAssetApiRoutes } from './routes/asset-api.js';
33
+ import { verifyArtifactAssetToken } from '../services/artifact-asset-token.js';
34
+ import { mintArtifactAssetTokenForBundle } from './artifact-asset-mint.js';
35
+ import { registerR2ApiRoutes } from './routes/r2-api.js';
28
36
  import multipart from '@fastify/multipart';
29
- import { registerMeetingIngestRoutes } from './routes/meeting-ingest-api.js';
37
+ import { registerEventIngestRoutes } from './routes/event-ingest-api.js';
30
38
  import { registerCaptureRoutes } from './routes/capture-api.js';
31
39
  import { registerUrlRoutes } from './routes/url-api.js';
32
- import { registerMessagesApiRoutes } from './routes/messages-api.js';
33
40
  import { registerConfigApiRoutes } from './routes/config-api.js';
41
+ import { registerSettingsApiRoutes } from './routes/settings-api.js';
42
+ import { registerSecretsApiRoutes } from './routes/secrets-api.js';
43
+ import { registerAuditApiRoutes } from './routes/audit-api.js';
44
+ import { registerAiUsageApiRoutes } from './routes/ai-usage-api.js';
45
+ import { registerCommentsApiRoutes } from './routes/comments-api.js';
46
+ import { registerChatSessionsApiRoutes } from './routes/chat-sessions-api.js';
47
+ import { registerShareApiRoutes } from './routes/share-api.js';
48
+ import { registerArtifactExportApiRoutes } from './routes/artifact-export-api.js';
49
+ import { registerArtifactPatchRoutes } from './routes/artifact-patch-api.js';
34
50
  import { AuthService, isWorkspaceOwner } from '../services/auth-service.js';
35
- import { registerFeaturesApiRoutes } from './routes/features-api.js';
36
- import { MessageService } from '../services/message-service.js';
51
+ import { isOpenMode } from '../services/access-control.js';
37
52
  import { MemoryService } from '../services/memory-service.js';
53
+ import { CommentService } from '../services/comment-service.js';
54
+ import { ArtifactSelectionStore } from '../services/artifact-selection-store.js';
55
+ import { ChatSessionService } from '../services/chat-session-service.js';
56
+ import { AiUsageLedger, setAiUsageLedger } from '../services/ai-usage-ledger.js';
57
+ import { ShareLinkService } from '../services/share-link-service.js';
58
+ import { NotificationService } from '../services/notification-service.js';
38
59
  import { WsHub } from './ws-hub.js';
39
60
  import { registerWsRoute } from './routes/ws.js';
40
61
  import { SessionManager } from './session-manager.js';
62
+ import { AssetIndexQueue } from './asset-index-queue.js';
41
63
  import { YjsManager } from './yjs-manager.js';
42
- /** Ensure every user has a private "My Entries" collection (idempotent). */
43
- async function ensureAllPrivateCollections(authService, workspacePath, workspaceManager) {
64
+ import { YjsPersistence, acquireYjsStateLock } from './yjs-persistence.js';
65
+ import { BodyWriteCoordinator } from './body-write-coordinator.js';
66
+ import { ensureSeedFolder } from '../services/personal-folder.js';
67
+ import { loadUserConfig, resolveProvider, resolveModelId, resolveApiKey } from '../core/user-config.js';
68
+ import { resolveUtilityModelConfig } from '../services/utility-model-resolver.js';
69
+ /** Ensure every user has a personal "My Folder" folder + admin access on it (idempotent). */
70
+ async function ensureAllPersonalFolders(authService, workspacePath, workspaceManager) {
44
71
  const users = authService.listUsers();
45
72
  const workspace = new Workspace(workspacePath);
46
73
  for (const user of users) {
47
- if (workspaceManager.getUserPrivateRepo(user.id))
48
- continue;
49
74
  try {
50
- await workspace.registerRepo({
51
- name: `entries-${user.id}`,
52
- display_name: 'My Entries',
53
- description: `Private entries for ${user.displayName}`,
54
- private: true,
55
- owner_id: user.id,
56
- });
57
- workspaceManager.reloadConfig();
75
+ await ensureSeedFolder(workspace, authService, user);
58
76
  }
59
- catch { /* already exists or other issue skip */ }
77
+ catch { /* non-fatal skip and let the user re-authenticate */ }
60
78
  }
79
+ workspaceManager.reloadConfig();
61
80
  }
62
- /** MIME types for static file serving (web UI + chrome.css). */
81
+ /** MIME types for static file serving (web UI assets). */
63
82
  const MIME_TYPES = {
64
83
  '.html': 'text/html',
65
84
  '.css': 'text/css',
@@ -81,63 +100,315 @@ const MIME_TYPES = {
81
100
  '.mp4': 'video/mp4',
82
101
  '.webm': 'video/webm',
83
102
  };
103
+ // EXACT two-segment immutable asset shape — the only path the artifact-asset
104
+ // capability token (`?at=`) may unlock. Excludes the legacy 3-segment route
105
+ // (which carries known repo-identity hazards) by matching to end-of-path.
106
+ const ARTIFACT_ASSET_TOKEN_PATH_RE = /^\/api\/assets\/[^/]+\/[^/]+$/;
107
+ // Public share surface: EXACTLY the read + asset shapes (see the auth hook).
108
+ // Single-sourced so the hook's bypass and the anomaly logger's classifier
109
+ // can't drift apart.
110
+ const SHARE_PUBLIC_PATH_RE = /^\/api\/share\/[^/]+(\/asset\/[^/]+\/[^/]+)?$/;
111
+ /**
112
+ * Classify an `/api/**` path as one of the anonymous-BY-DESIGN surfaces, or
113
+ * null when no unauthenticated 2xx should ever be served there.
114
+ *
115
+ * Feeds the access-anomaly logger: a 2xx response with no resolved user on a
116
+ * null-classified /api route is a likely auth-hook bypass (the next.232
117
+ * incident shape) and is logged at `warn`; the named surfaces log at `info`
118
+ * so anonymous access stays auditable without alarm noise. Keep this list in
119
+ * lockstep with the auth hook's explicit exemptions above the HTML-accept
120
+ * bypass.
121
+ */
122
+ export function publicApiSurface(method, urlPath) {
123
+ // Only the genuinely-anonymous auth endpoints — NOT the whole /api/auth/
124
+ // prefix. The other /api/auth routes (me, users, tokens, seed, …) resolve
125
+ // credentials locally and stamp req.user (see auth-api requireUser), so an
126
+ // anonymous 2xx on them is an anomaly the logger must NOT downgrade to info.
127
+ if (urlPath === '/api/auth/login' ||
128
+ urlPath === '/api/auth/logout' ||
129
+ urlPath === '/api/auth/status' ||
130
+ urlPath === '/api/auth/setup' ||
131
+ urlPath === '/api/auth/colors')
132
+ return 'auth';
133
+ if (urlPath.startsWith('/api/cloud/auth/'))
134
+ return 'cloud-auth';
135
+ if (urlPath.startsWith('/api/oauth/callback/'))
136
+ return 'oauth-connector-callback';
137
+ if (urlPath.startsWith('/api/oauth/claim/'))
138
+ return 'oauth-connector-claim';
139
+ if (method === 'GET' || method === 'HEAD') {
140
+ // The render-readiness probe is intentionally anonymous (see the auth hook).
141
+ // EXACT path so /api/health/dirty (authed) is not classified public.
142
+ if (urlPath === '/api/health')
143
+ return 'health';
144
+ if (SHARE_PUBLIC_PATH_RE.test(urlPath))
145
+ return 'share-link';
146
+ // An anonymous 2xx here means the artifact-asset capability token
147
+ // authorized the serve (the route fails closed without one).
148
+ if (ARTIFACT_ASSET_TOKEN_PATH_RE.test(urlPath))
149
+ return 'artifact-asset-token';
150
+ }
151
+ return null;
152
+ }
153
+ export function resolveStaticFilePath(webDir, urlPath) {
154
+ let decodedPath;
155
+ try {
156
+ decodedPath = decodeURIComponent(urlPath);
157
+ }
158
+ catch {
159
+ return null;
160
+ }
161
+ const filePath = decodedPath === '/' ? '/index.html' : decodedPath;
162
+ const webRoot = resolve(webDir);
163
+ const fullPath = resolve(webRoot, `.${filePath}`);
164
+ if (fullPath !== webRoot && !fullPath.startsWith(webRoot + sep)) {
165
+ return null;
166
+ }
167
+ return fullPath;
168
+ }
169
+ function normalizeOrigin(value) {
170
+ if (!value)
171
+ return null;
172
+ try {
173
+ return new URL(value).origin;
174
+ }
175
+ catch {
176
+ return null;
177
+ }
178
+ }
179
+ export function buildAllowedCorsOrigins(workspaceConfig, port) {
180
+ const rawOrigins = [];
181
+ const envOrigins = process.env.STUDIOGRAPH_CORS_ORIGINS;
182
+ if (envOrigins)
183
+ rawOrigins.push(...envOrigins.split(',').map(o => o.trim()).filter(Boolean));
184
+ const configured = workspaceConfig.cors_origins;
185
+ if (Array.isArray(configured)) {
186
+ rawOrigins.push(...configured.filter((o) => typeof o === 'string'));
187
+ }
188
+ else if (typeof configured === 'string') {
189
+ rawOrigins.push(...configured.split(',').map(o => o.trim()).filter(Boolean));
190
+ }
191
+ const serverUrl = workspaceConfig.server_url;
192
+ if (typeof serverUrl === 'string')
193
+ rawOrigins.push(serverUrl);
194
+ rawOrigins.push(`http://localhost:${port}`, `http://127.0.0.1:${port}`, `http://[::1]:${port}`);
195
+ return new Set(rawOrigins.map(normalizeOrigin).filter((o) => Boolean(o)));
196
+ }
197
+ export function isCorsOriginAllowed(origin, allowedOrigins) {
198
+ if (!origin)
199
+ return true;
200
+ const normalized = normalizeOrigin(origin);
201
+ return Boolean(normalized && allowedOrigins.has(normalized));
202
+ }
203
+ /**
204
+ * Whether a 4xx/5xx response should be rewritten into the SPA index.html shell.
205
+ * True only for client-side ROUTE navigations: a GET, a `text/html` Accept, a
206
+ * JSON error body, and crucially a NON-`/api/` path. An `/api/` request must
207
+ * keep its real status + JSON — rewriting a 401 into a 200 HTML shell hides
208
+ * auth failures from clients/tooling and would mask the very auth-hook bypass
209
+ * this carries the `/api/` guard to prevent. Mirrors the auth hook's
210
+ * `text/html` SPA-bypass scope. Pure + exported for regression testing.
211
+ */
212
+ export function shouldServeSpaShellOnError(method, url, statusCode, accept, contentType) {
213
+ return (method === 'GET' &&
214
+ !url.startsWith('/api/') &&
215
+ statusCode >= 400 &&
216
+ Boolean(accept?.includes('text/html')) &&
217
+ typeof contentType === 'string' && contentType.includes('application/json'));
218
+ }
84
219
  /**
85
220
  * Auth middleware — validates JWT cookie or Authorization: Bearer <key> header.
86
221
  * When users exist in the auth database, all routes require authentication
87
222
  * (except auth endpoints and static assets). When no users exist, everything
88
223
  * is open (backward compatible).
89
224
  */
90
- function createAuthHook(apiKeys, authService) {
225
+ export function createAuthHook(authService, workspaceConfig) {
91
226
  return async (req, reply) => {
227
+ // Render-readiness probe: a public, unauthenticated health endpoint (for the
228
+ // operator + uptime monitors, reachable on any origin without a session). It
229
+ // exposes only Playwright readiness + render-library resolution — no workspace
230
+ // data. EXACT path + GET/HEAD only, so the sibling `/api/health/dirty` (which
231
+ // reports repo dirty state) stays fully authed.
232
+ if ((req.method === 'GET' || req.method === 'HEAD') &&
233
+ req.url.split('?')[0] === '/api/health')
234
+ return;
92
235
  // Always allow auth endpoints
93
236
  if (req.url.startsWith('/api/auth/'))
94
237
  return;
238
+ // Managed Cloud login handoff verifies its own short-lived token.
239
+ if (req.url.startsWith('/api/cloud/auth/'))
240
+ return;
95
241
  // OAuth callbacks and claims identify the user via state/claim code, not cookies
96
242
  if (req.url.startsWith('/api/oauth/callback/'))
97
243
  return;
98
244
  if (req.url.startsWith('/api/oauth/claim/'))
99
245
  return;
246
+ // OAuth authorization-server discovery + token endpoints are
247
+ // unauthenticated by spec (the client has no user yet). They are
248
+ // rate-limited + validated in oauth-api.ts. NOT /oauth/authorize — that
249
+ // one must run as the logged-in user (handled explicitly below, above the
250
+ // HTML-GET bypass which would otherwise skip cookie resolution).
251
+ if (req.url.startsWith('/.well-known/oauth-'))
252
+ return;
253
+ if (req.url.startsWith('/oauth/token') ||
254
+ req.url.startsWith('/oauth/register') ||
255
+ req.url.startsWith('/oauth/revoke'))
256
+ return;
257
+ if (req.url.startsWith('/oauth/authorize')) {
258
+ const cookieTok = req.cookies?.['__sg_token'];
259
+ // Resolve the session cookie, but REFUSE an OAuth access token here — a
260
+ // cookie is a browser-session surface and must never carry an
261
+ // authorization-server-issued token (see the cookie branch below).
262
+ const c = cookieTok ? authService.verifyTokenWithClaims(cookieTok) : null;
263
+ if (c && !c.oauth) {
264
+ req.user = c.user;
265
+ return;
266
+ }
267
+ // Not logged in: bounce a browser GET to login (carrying the authorize
268
+ // URL as returnTo); refuse a POST.
269
+ if (req.method === 'GET') {
270
+ return reply.redirect(`/login?returnTo=${encodeURIComponent(req.url)}`);
271
+ }
272
+ return reply.status(401).send({ error: 'login_required' });
273
+ }
100
274
  // Git HTTP routes have their own Basic Auth
101
275
  if (req.url.startsWith('/git/'))
102
276
  return;
103
277
  // WebSocket route handles its own auth
104
278
  if (req.url.startsWith('/ws'))
105
279
  return;
106
- // Allow static assets (JS, CSS, fonts, images) — needed for login page
107
- if (req.url.startsWith('/_app/') || req.url.startsWith('/api/chrome/'))
280
+ // Allow static assets (JS, CSS, fonts, images) — needed for login page.
281
+ // Covers SvelteKit-bundled output under /_app/ and root-level public
282
+ // files (favicon.ico, studiograph-logomark.svg, …) identified by a file
283
+ // extension on a non-API GET.
284
+ if (req.url.startsWith('/_app/'))
108
285
  return;
109
- // Allow HTML page requests (SPA routing) the app handles auth client-side
110
- if (req.method === 'GET' && req.headers.accept?.includes('text/html'))
286
+ // Public share surface: the two read-only routes are authorized by the
287
+ // opaque token (verified in share-api.ts), not a session. Scope the bypass
288
+ // to EXACTLY the public read + asset shapes so a future /api/share/* route
289
+ // isn't accidentally public. Allow HEAD as well as GET — the asset route is
290
+ // registered for both (image preflights / link unfurlers issue HEAD). The
291
+ // mint route is POST /api/repos/... and stays fully authed.
292
+ if ((req.method === 'GET' || req.method === 'HEAD') &&
293
+ SHARE_PUBLIC_PATH_RE.test(req.url.split('?')[0]))
111
294
  return;
112
- // If no users configured, allow everything (open mode)
113
- if (!authService.hasUsers()) {
114
- // Still check API keys for programmatic routes if configured
115
- if (apiKeys.length > 0) {
116
- const authHeader = req.headers['authorization'];
117
- const bearer = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : undefined;
118
- if (bearer && apiKeys.includes(bearer))
119
- return;
120
- // For non-API routes (i.e. browser requests), allow without auth
121
- if (!req.url.startsWith('/api/') || req.url.startsWith('/api/auth/'))
122
- return;
123
- // For API routes without a bearer token, allow if no users exist
295
+ // (The former anonymous public-fonts bypass is gone: artifact @font-face
296
+ // loads ride the same asset-resolution contract as images — the `?at=`
297
+ // capability token below, the share-token path, or export bundling. A
298
+ // cookieless font request without a token fails closed like any asset.)
299
+ // Sandboxed artifact iframes (opaque origin, no cookie) carry an
300
+ // artifact-asset capability token in `?at=`. Only the EXACT 2-segment
301
+ // immutable shape qualifies (never the legacy 3-seg route). Verify the
302
+ // signature and stash the payload as a CANDIDATE — the asset route does the
303
+ // authoritative authz against the resolved row (repo + allowlist + per-serve
304
+ // user re-check). We do NOT set req.user. An invalid token falls through to
305
+ // normal auth (→ 401/404), so a bad `?at=` can't downgrade security.
306
+ if ((req.method === 'GET' || req.method === 'HEAD') &&
307
+ ARTIFACT_ASSET_TOKEN_PATH_RE.test(req.url.split('?')[0])) {
308
+ const at = req.query?.at;
309
+ if (typeof at === 'string' && at.length > 0) {
310
+ try {
311
+ req.artifactAssetToken = verifyArtifactAssetToken(at, authService.getJwtSecret());
312
+ // Only short-circuit for a cookieless caller (the sandboxed iframe).
313
+ // If a session cookie is present, fall through to normal auth so
314
+ // req.user is set and the route serves on the SESSION's access — the
315
+ // token is a fallback for the no-cookie case, never an override.
316
+ if (!req.cookies?.['__sg_token'])
317
+ return;
318
+ }
319
+ catch { /* invalid/expired → fall through to normal auth */ }
124
320
  }
125
- return;
126
321
  }
127
- // Check JWT cookie (web UI sessions)
322
+ if (req.method === 'GET' &&
323
+ !req.url.startsWith('/api/') &&
324
+ extname(req.url.split('?')[0]).length > 1)
325
+ return;
326
+ // Allow HTML page requests (SPA routing) — the app handles auth client-side.
327
+ // MUST exclude /api/: this bypass is for client-side ROUTES (e.g.
328
+ // /workspace/...), which are non-API paths. Without the /api/ guard, ANY
329
+ // GET to a data route with `Accept: text/html` (trivially set on a fetch or
330
+ // a direct browser navigation) skips auth entirely — req.user stays
331
+ // undefined and hasRepoAccess(undefined) returns full access, so a
332
+ // cookieless caller reads private repo content. Every intentionally-public
333
+ // /api surface is already exempted explicitly above (share read/asset,
334
+ // oauth callback/claim, the artifact-asset token path); everything else
335
+ // under /api/ must fall through to the real cookie/bearer auth below. The
336
+ // sibling static-asset bypass above already carries the same /api/ guard.
337
+ if (req.method === 'GET' && !req.url.startsWith('/api/') && req.headers.accept?.includes('text/html'))
338
+ return;
339
+ // If no users configured, allow everything in local open mode. Managed
340
+ // Cloud workspaces still require auth before the first user handoff lands.
341
+ // (Shared predicate with the access-control helpers — which now fail
342
+ // CLOSED for an unidentified caller outside open mode, so even a future
343
+ // bypass above this line no longer grants content access by itself.)
344
+ if (isOpenMode(authService))
345
+ return;
346
+ // Check JWT cookie (web UI sessions).
347
+ //
348
+ // Security: resolve with verifyTokenWithClaims and REJECT OAuth access
349
+ // tokens (`oauth:true`). OAuth tokens are JWTs signed with the same
350
+ // jwtSecret, so the legacy verifyToken() would accept one supplied as a
351
+ // cookie and return a fully-privileged session — bypassing the MCP-only
352
+ // audience scoping enforced on the Bearer path below. A session cookie is
353
+ // a web-UI surface and must never carry an authorization-server token.
128
354
  const jwtToken = req.cookies?.['__sg_token'];
129
355
  if (jwtToken) {
130
- const user = authService.verifyToken(jwtToken);
131
- if (user) {
132
- req.user = user;
356
+ const claims = authService.verifyTokenWithClaims(jwtToken);
357
+ if (claims && !claims.oauth) {
358
+ req.user = claims.user;
133
359
  return;
134
360
  }
135
361
  }
136
- // Check Bearer token (API clients, MCP)
362
+ // Check Bearer token (API clients, MCP, CLI): JWT → per-user API token.
363
+ // Both yield a user identity. There is no shared workspace key — every
364
+ // caller must be identifiable so access control can enforce per-folder rules.
137
365
  const authHeader = req.headers['authorization'];
138
366
  const bearer = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : undefined;
139
- if (bearer && apiKeys.includes(bearer))
140
- return;
367
+ if (bearer) {
368
+ const claims = authService.verifyTokenWithClaims(bearer);
369
+ if (claims) {
370
+ if (claims.oauth) {
371
+ // OAuth access tokens are confined to the MCP surface. Reject them on
372
+ // the rest of the REST API so a leaked connector token can't drive the
373
+ // whole product (least privilege — sg_ tokens stay full).
374
+ const path = req.url.split('?')[0];
375
+ const mcpScoped = path === '/mcp' || path.startsWith('/mcp/') || path.startsWith('/oauth/');
376
+ if (!mcpScoped) {
377
+ return reply.status(403).send({ error: 'insufficient_scope' });
378
+ }
379
+ // Enforce the token audience: it must be bound to THIS server's /mcp
380
+ // resource. Without this, any JWT signed with the workspace secret +
381
+ // `oauth:true` would be accepted regardless of the `aud` it was minted
382
+ // for (stale/wrong-resource/host-spoofed tokens).
383
+ let expectedAud = null;
384
+ try {
385
+ expectedAud = `${resolveCanonicalBaseUrl(workspaceConfig, req)}/mcp`;
386
+ }
387
+ catch {
388
+ expectedAud = null;
389
+ }
390
+ if (!expectedAud || claims.aud !== expectedAud) {
391
+ return reply.status(403).send({ error: 'insufficient_scope', error_description: 'token audience mismatch' });
392
+ }
393
+ // Label the integration for agent-activity attribution (parity with
394
+ // the api-token name path below). cid is the stable client_id.
395
+ if (claims.cid) {
396
+ const client = authService.oauthServer.getClient(claims.cid);
397
+ req.apiTokenName = client?.client_name ?? 'OAuth client';
398
+ }
399
+ }
400
+ req.user = claims.user;
401
+ return;
402
+ }
403
+ const tokenMeta = authService.verifyApiTokenWithMeta(bearer);
404
+ if (tokenMeta) {
405
+ req.user = tokenMeta.user;
406
+ // Stash the token's user-set name so downstream surfaces (MCP, agent
407
+ // activity) can label the integration. Absent for cookie/JWT auth.
408
+ req.apiTokenName = tokenMeta.tokenName;
409
+ return;
410
+ }
411
+ }
141
412
  // Check Basic Auth (CLI join command)
142
413
  if (authHeader?.startsWith('Basic ')) {
143
414
  try {
@@ -153,27 +424,177 @@ function createAuthHook(apiKeys, authService) {
153
424
  }
154
425
  catch { /* fall through to 401 */ }
155
426
  }
427
+ // A verified artifact-asset candidate is its own authorization scheme for
428
+ // the exact 2-segment asset path (the route re-checks allowlist + current
429
+ // repo access per serve). Reached only when no stronger credential
430
+ // resolved above — so a PRESENT-but-invalid session cookie is never worse
431
+ // than NO cookie. WebKit sends cookies from sandboxed artifact iframes; a
432
+ // stale/foreign __sg_token would otherwise 401 every artifact image in
433
+ // Safari despite a valid capability token.
434
+ if (req.artifactAssetToken)
435
+ return;
436
+ // Asset fetches from sandboxed artifact iframes come from an opaque
437
+ // origin, so without an ACAO header the browser reports this 401 as a
438
+ // CORS failure — an inscrutable "No Access-Control-Allow-Origin" console
439
+ // error instead of the real cause. Reflect the success path's open CORS
440
+ // policy on the denial so it reads as a clean 401. Header-only; the
441
+ // gate itself is unchanged.
442
+ if ((req.method === 'GET' || req.method === 'HEAD') &&
443
+ ARTIFACT_ASSET_TOKEN_PATH_RE.test(req.url.split('?')[0])) {
444
+ reply.header('Access-Control-Allow-Origin', '*');
445
+ }
446
+ // MCP OAuth discovery: an unauthenticated /mcp request gets a
447
+ // WWW-Authenticate header pointing at the protected-resource metadata, so
448
+ // an MCP client (Claude Chat/Cowork) knows to begin the OAuth flow.
449
+ if (req.url.startsWith('/mcp')) {
450
+ // Best-effort: if no canonical issuer is pinned (fails closed in prod),
451
+ // skip the discovery hint rather than 500 the 401.
452
+ try {
453
+ const base = resolveCanonicalBaseUrl(workspaceConfig, req);
454
+ reply.header('WWW-Authenticate', `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource"`);
455
+ }
456
+ catch { /* issuer unconfigured — omit discovery header */ }
457
+ }
156
458
  return reply.status(401).send({ error: 'Unauthorized' });
157
459
  };
158
460
  }
461
+ /**
462
+ * Phase 11 — preSerialization payload sanitizer.
463
+ *
464
+ * The API has many routes that respond with `{ error: err.message }` from a
465
+ * catch block. Those messages can carry upstream provider errors, git
466
+ * stderr (with embedded credentials), or other free-form text that we
467
+ * don't want surfacing in HTTP responses. Walk the response payload,
468
+ * sanitize any string value at a "message" / "error" / "detail" key,
469
+ * and leave structured fields (status codes, IDs, classification flags)
470
+ * alone.
471
+ *
472
+ * Conservatively, we ONLY redact at keys that conventionally carry
473
+ * free-form text. Arbitrary string fields (entity names, IDs, etc.) are
474
+ * left untouched so we don't garble legitimate content. The Fastify
475
+ * logger sanitization (above) handles log-line redaction independently;
476
+ * this hook focuses on the wire response.
477
+ */
478
+ const FREEFORM_ERROR_KEYS = new Set(['error', 'message', 'detail', 'stack', 'description', 'error_description']);
479
+ function sanitizeResponsePayload(value) {
480
+ if (typeof value === 'string')
481
+ return sanitize(value);
482
+ if (Array.isArray(value))
483
+ return value.map(sanitizeResponsePayload);
484
+ if (value && typeof value === 'object') {
485
+ const out = {};
486
+ for (const [k, v] of Object.entries(value)) {
487
+ if (FREEFORM_ERROR_KEYS.has(k) && typeof v === 'string') {
488
+ out[k] = sanitize(v);
489
+ }
490
+ else if (v && typeof v === 'object') {
491
+ out[k] = sanitizeResponsePayload(v);
492
+ }
493
+ else {
494
+ out[k] = v;
495
+ }
496
+ }
497
+ return out;
498
+ }
499
+ return value;
500
+ }
159
501
  export async function createServer(config) {
502
+ // Phase 11: every Fastify log line flows through sanitize() before
503
+ // reaching stdout. A thin Writable wrapper passes each chunk through
504
+ // the redactor; pino accepts any `stream` with a `write()` method.
505
+ // STUDIOGRAPH_LOG_RAW=1 disables redaction for local debugging.
506
+ const shouldRedactFastifyLogs = process.env.STUDIOGRAPH_LOG_RAW !== '1' &&
507
+ (process.env.NODE_ENV === 'production' || !!process.env.RAILWAY_ENVIRONMENT);
508
+ const redactingStream = {
509
+ write(chunk) {
510
+ const out = shouldRedactFastifyLogs ? sanitize(chunk) : chunk;
511
+ process.stdout.write(out);
512
+ },
513
+ };
160
514
  const fastify = Fastify({
161
515
  logger: process.env.STUDIOGRAPH_LOG === '1'
162
- ? true
163
- : { level: 'warn' },
516
+ ? { stream: redactingStream }
517
+ : { level: 'warn', stream: redactingStream },
164
518
  bodyLimit: 10 * 1024 * 1024, // 10 MB — entities can be large (e.g. meeting transcripts)
165
519
  });
520
+ // Phase 11: sanitize uncaught errors before serialization so neither
521
+ // err.message nor err.stack echoes upstream secrets. Stable error
522
+ // codes (err.code) pass through; we only redact freeform text.
523
+ fastify.setErrorHandler((error, _req, reply) => {
524
+ const sanitizedMsg = shouldRedactFastifyLogs ? sanitize(error.message) : error.message;
525
+ const status = error.statusCode ?? 500;
526
+ fastify.log.error({
527
+ err: { message: sanitizedMsg, code: error.code },
528
+ });
529
+ reply.status(status).send({
530
+ statusCode: status,
531
+ code: error.code,
532
+ error: status >= 500 ? 'Internal Server Error' : (error.name || 'Error'),
533
+ message: status >= 500 ? 'An internal error occurred.' : sanitizedMsg,
534
+ });
535
+ });
536
+ // Phase 11: pre-serialization hook scans every response body for
537
+ // freeform error/message strings and runs them through sanitize().
538
+ // This catches the many `reply.status(4xx).send({ error: err.message })`
539
+ // call sites scattered across the API routes — without this, an
540
+ // upstream provider error or git remote error would echo through to
541
+ // the API consumer with embedded credentials. Stable error codes pass
542
+ // through unchanged. Only kicks in when redaction is enabled.
543
+ if (shouldRedactFastifyLogs) {
544
+ fastify.addHook('preSerialization', async (_req, _reply, payload) => {
545
+ if (!payload || typeof payload !== 'object')
546
+ return payload;
547
+ return sanitizeResponsePayload(payload);
548
+ });
549
+ }
166
550
  // CORS
551
+ const allowedCorsOrigins = buildAllowedCorsOrigins(config.workspaceConfig, config.port);
167
552
  await fastify.register(cors, {
168
- origin: true,
553
+ origin: (origin, cb) => {
554
+ cb(null, isCorsOriginAllowed(origin, allowedCorsOrigins));
555
+ },
169
556
  credentials: true,
170
557
  });
171
558
  // Cookie support for web UI session auth
172
559
  await fastify.register(cookie);
173
- // WebSocket support for real-time notifications
174
- await fastify.register(websocket);
560
+ // WebSocket support for real-time notifications.
561
+ //
562
+ // perMessageDeflate is enabled here on purpose. Our origin would otherwise
563
+ // leave compression off (ws lib default), but Railway's edge proxy
564
+ // negotiates `permessage-deflate` with the browser anyway and does its own
565
+ // inflate/deflate layer in the middle — which Safari/WebKit mis-decodes,
566
+ // producing truncated buffers and `RangeError: Length out of range of buffer`
567
+ // inside Yjs's varint reader, followed by WS disconnect loops.
568
+ //
569
+ // Negotiating compression at the origin forces end-to-end deflate (Node's
570
+ // zlib ↔ browser) and prevents the proxy from inserting its own layer.
571
+ // `noContextTakeover` on both sides keeps each frame independently
572
+ // decompressible, which avoids cross-frame state bugs that have historically
573
+ // hit Safari.
574
+ await fastify.register(websocket, {
575
+ options: {
576
+ perMessageDeflate: {
577
+ threshold: 1024,
578
+ serverNoContextTakeover: true,
579
+ clientNoContextTakeover: true,
580
+ },
581
+ },
582
+ });
175
583
  // Multipart support for file uploads (images, assets)
176
584
  await fastify.register(multipart, { limits: { fileSize: 10 * 1024 * 1024 } });
585
+ // Global rate-limit registration with a permissive default; individual
586
+ // routes opt into tighter limits via `config: { rateLimit: ... }`. Today
587
+ // only comment mutations apply tight limits — keeps the runtime in
588
+ // place without changing the rest of the API's request-rate behaviour.
589
+ await fastify.register(rateLimit, {
590
+ global: false,
591
+ max: 1000,
592
+ timeWindow: '1 minute',
593
+ keyGenerator: (req) => {
594
+ const u = req.user;
595
+ return u?.id ? `u:${u.id}` : (req.ip ?? 'unknown');
596
+ },
597
+ });
177
598
  fastify.addContentTypeParser('application/json', { parseAs: 'buffer' }, (req, body, done) => {
178
599
  try {
179
600
  req.rawBody = body;
@@ -183,6 +604,21 @@ export async function createServer(config) {
183
604
  done(err, undefined);
184
605
  }
185
606
  });
607
+ // application/x-www-form-urlencoded — the OAuth token + consent POSTs use
608
+ // form encoding (RFC 6749). Parsed inline to avoid pulling in a dependency
609
+ // just for two endpoints; mirrors the hand-rolled JSON parser above.
610
+ fastify.addContentTypeParser('application/x-www-form-urlencoded', { parseAs: 'string' }, (_req, body, done) => {
611
+ try {
612
+ const params = new URLSearchParams(body);
613
+ const obj = {};
614
+ for (const [k, v] of params)
615
+ obj[k] = v;
616
+ done(null, obj);
617
+ }
618
+ catch (err) {
619
+ done(err, undefined);
620
+ }
621
+ });
186
622
  // Git Smart HTTP binary content types — pass raw stream through (no parsing)
187
623
  for (const gitType of [
188
624
  'application/x-git-upload-pack-request',
@@ -192,165 +628,243 @@ export async function createServer(config) {
192
628
  done(null); // Don't consume the body — the route handler pipes req.raw directly
193
629
  });
194
630
  }
195
- // Initialize auth service, WebSocket hub, session manager, and collab server
196
- const authService = new AuthService(config.workspacePath);
197
- // Ensure API key is committed to auth-seed.json so `studiograph pull` can use it
198
- authService.syncApiKeyToSeed();
199
- // Ensure all users have their private "My Entries" collection
200
- await ensureAllPrivateCollections(authService, config.workspacePath, config.workspaceManager);
201
- const wsHub = new WsHub();
202
- const messageService = new MessageService(config.workspacePath);
631
+ // Initialize auth service, WebSocket hub, session manager, and collab server.
632
+ // Phase 8: when the boot path provided master-key options, hand them through
633
+ // so OAuth tokens + per-user secret prefs use the encrypted column path.
634
+ const authService = new AuthService(config.workspacePath, config.authCryptoOptions);
635
+ // Ensure all users have their personal "My Folder" folder
636
+ await ensureAllPersonalFolders(authService, config.workspacePath, config.workspaceManager);
637
+ const { getCurrentVersion } = await import('../utils/version-checker.js');
638
+ const wsHub = new WsHub(getCurrentVersion());
639
+ const commentService = new CommentService(config.workspacePath);
640
+ // P4.4: per-process store of the user's current artifact-canvas selection, fed
641
+ // by the web canvas (PUT /selection) and read by the get_current_selection MCP
642
+ // tool — shared with the in-process HTTP /mcp endpoint so external agents see it.
643
+ const selectionStore = new ArtifactSelectionStore();
644
+ const chatSessionService = new ChatSessionService(config.workspacePath);
645
+ // AI usage ledger (cost-control Phase 0): per-call spend attribution. Module
646
+ // singleton so non-wired callers (caption service, event processor) can record.
647
+ const aiUsageLedger = new AiUsageLedger(config.workspacePath);
648
+ setAiUsageLedger(aiUsageLedger);
649
+ const aiUsagePruneTimer = setInterval(() => aiUsageLedger.prune(), 24 * 60 * 60 * 1000);
650
+ aiUsagePruneTimer.unref();
651
+ const shareLinkService = new ShareLinkService(config.workspacePath);
652
+ const notificationService = new NotificationService(config.workspacePath);
203
653
  const sessionManager = new SessionManager(config.workspaceManager, wsHub);
204
- const yjsManager = new YjsManager(config.workspaceManager);
654
+ // Recover any dirty repos before accepting requests. Replays persisted
655
+ // pending commits from a previous process AND sweeps every working tree
656
+ // for uncommitted state. Catches anything dropped by a crash, OOM, or
657
+ // hard restart. Logs and continues on failure — recovery is best-effort
658
+ // and must never block server startup.
659
+ try {
660
+ await sessionManager.recoverOnBoot();
661
+ }
662
+ catch (err) {
663
+ console.warn('[server] sessionManager.recoverOnBoot failed:', err.message);
664
+ }
665
+ // Live asset-index drain: captions new image uploads and re-extracts document
666
+ // sidecars while the server runs, instead of only at boot (a tenant can run
667
+ // for weeks between deploys). Config (model/key/gate/repos) is resolved fresh
668
+ // each drain so a Settings change takes effect without a restart. Web upload
669
+ // + MCP finalize call `enqueue()` after the asset entity exists.
670
+ const assetIndexQueue = new AssetIndexQueue({
671
+ workspaceManager: config.workspaceManager,
672
+ resolveConfig: () => {
673
+ const userConfig = loadUserConfig();
674
+ // Read the LIVE workspace config from the WorkspaceManager, NOT the boot
675
+ // snapshot (config.workspaceConfig). reloadConfig() refreshes both the
676
+ // repo list (so a folder auto-created at runtime — e.g. the shared
677
+ // "Assets" store on first inline/presign upload — is visible to the
678
+ // sweep) and the captioning gate (so toggling it in workspace.json takes
679
+ // effect without a restart). Model/key already resolve store-first.
680
+ const wsConfig = config.workspaceManager.getConfig();
681
+ const apiKey = resolveApiKey(userConfig, wsConfig);
682
+ return {
683
+ repos: config.workspaceManager.getAllRepoConfigs(),
684
+ // Captioning is a background utility task — route it to the provider's
685
+ // cheap vision tier (Phase 2), never the primary (e.g. Opus) model.
686
+ captionConfig: apiKey
687
+ ? resolveUtilityModelConfig({ provider: resolveProvider(userConfig, wsConfig), modelId: resolveModelId(userConfig, wsConfig), apiKey })
688
+ : null,
689
+ captioningEnabled: wsConfig.captioning?.enabled ?? true,
690
+ };
691
+ },
692
+ log: (msg) => console.warn(`[asset-index] ${msg}`),
693
+ });
694
+ assetIndexQueue.start();
695
+ // Single chokepoint: VectorService fires onAssetPending exactly when a fresh
696
+ // indexable IMAGE assets.db row is seeded `pending` (every image-upload path
697
+ // funnels through ensureInitialAssetIndexState — import, manager/editor
698
+ // upload, presign finalize). Registering here replaces per-call-site enqueue
699
+ // wiring and keys the queue on the immutable assetId.
700
+ config.workspaceManager.vectorService?.setOnAssetPending((assetId) => assetIndexQueue.enqueue(assetId));
701
+ // Boot recovery: drain anything a prior process left queued AND re-derive the
702
+ // full unfinished set in LanceDB (legacy assets, a mid-flight crash). Fire-and-
703
+ // forget — it can take minutes on a large gallery and must not block listen().
704
+ void assetIndexQueue.recoverOnBoot().catch((err) => {
705
+ console.warn('[asset-index] recoverOnBoot failed (non-fatal):', err instanceof Error ? err.message : err);
706
+ });
707
+ // Persistence layer: durable Y.Doc snapshot store across server restarts.
708
+ // Lives at `<workspace>/.studiograph/yjs-state/` — gitignored binary state
709
+ // separate from the .md files (which remain canonical for git, MCP, agents).
710
+ // See yjs-persistence.ts for the file format and concurrency model.
711
+ const yjsStateDir = join(config.workspacePath, '.studiograph', 'yjs-state');
712
+ // Single-instance lock. Throws if another studiograph server is already
713
+ // running against this workspace. We don't support horizontal scaling today
714
+ // (no shared Yjs pubsub), so the safe default is to fail fast on misuse
715
+ // rather than silently corrupt snapshots via concurrent writers.
716
+ const releaseYjsLock = acquireYjsStateLock(yjsStateDir);
717
+ const yjsPersistence = new YjsPersistence(yjsStateDir);
718
+ const yjsManager = new YjsManager(config.workspaceManager, yjsPersistence);
719
+ // Yjs configuration startup log. Surfacing the flags at boot lets operators
720
+ // verify the configuration without reading source. The fail-closed guards
721
+ // (`assertWritable`, 412 convergence gate) prevent silent data corruption
722
+ // regardless of how the flags are set, but `broadcast=off` while clients
723
+ // are connected degrades UX, so we warn explicitly.
724
+ const broadcastEnabled = process.env.STUDIOGRAPH_YJS_BROADCAST !== '0';
725
+ const allowDegradedWrites = process.env.STUDIOGRAPH_ALLOW_DEGRADED_WRITES === '1';
726
+ console.log(`[yjs] config: broadcast=${broadcastEnabled ? 'on' : 'OFF'} ` +
727
+ `allow-degraded-writes=${allowDegradedWrites ? 'on' : 'off'}`);
728
+ if (!broadcastEnabled && !allowDegradedWrites) {
729
+ console.warn('[yjs] STUDIOGRAPH_YJS_BROADCAST=0 without STUDIOGRAPH_ALLOW_DEGRADED_WRITES=1: ' +
730
+ 'server-side body writes will REFUSE while clients are connected. ' +
731
+ 'This is the fail-closed kill-switch path — intentional during incident response, ' +
732
+ 'misconfiguration otherwise.');
733
+ }
734
+ // Wire the Yjs persistence layer to follow structural .md mutations.
735
+ // delete / rename / changeType all change a doc's identity (path on disk
736
+ // and its docName), so the snapshot file has to move with it. Without
737
+ // these hooks, snapshots leak (orphaned files for deleted entities) or
738
+ // serve stale state at the new identity (ghost content after a rename).
739
+ config.workspaceManager.setPersistenceCallbacks({
740
+ onDelete: (repo, entityType, entityId) => yjsPersistence.delete(`${repo}/${entityType}/${entityId}`),
741
+ onRename: (repo, entityType, oldId, newId) => yjsPersistence.rename(`${repo}/${entityType}/${oldId}`, `${repo}/${entityType}/${newId}`),
742
+ onChangeType: (repo, entityId, fromType, toType) => yjsPersistence.rename(`${repo}/${fromType}/${entityId}`, `${repo}/${toType}/${entityId}`),
743
+ });
744
+ // Body-write coordinator owns the single critical section for every body
745
+ // write (autosave PUT + MCP / agent / event-processor server-writes). Holds
746
+ // the per-doc lock, base-hash precondition, atomic disk write, commit +
747
+ // dirty recovery, post-commit applyAgentContent broadcast, and
748
+ // mdRevisionHash bookkeeping. Replaces the previous nine-callback shape on
749
+ // graph.update.
750
+ const bodyWriteCoordinator = new BodyWriteCoordinator({
751
+ // Narrow commit hook — keeps the coordinator from reaching back
752
+ // through WorkspaceManager. No-op when the repo has no GitService.
753
+ commit: async (coords, actor, message) => {
754
+ const gitService = config.workspaceManager.getGraph(coords.repo).getGitService();
755
+ if (!gitService)
756
+ return;
757
+ const tx = gitService.createTransaction();
758
+ tx.add({
759
+ operation: 'update',
760
+ entityType: coords.entityType,
761
+ entityId: coords.entityId,
762
+ filePath: coords.entityPath,
763
+ });
764
+ await tx.commit(actor, message);
765
+ },
766
+ }, yjsManager, sessionManager);
767
+ config.workspaceManager.setBodyWriteCoordinator(bodyWriteCoordinator);
205
768
  // Register auth API routes (before the auth hook so they are always accessible)
206
769
  await registerAuthApiRoutes(fastify, authService, config.workspacePath, config.workspaceManager, config.workspaceConfig.team_name);
207
770
  // Auth hook — applied to all routes
208
- const authHook = createAuthHook(config.apiKeys, authService);
771
+ const authHook = createAuthHook(authService, config.workspaceConfig);
209
772
  fastify.addHook('preHandler', authHook);
773
+ // Access-anomaly audit log. The next.232 auth bypass was retroactively
774
+ // un-auditable because nothing recorded anonymous /api access. Log every
775
+ // 2xx served with NO resolved user outside open mode: anonymous-by-design
776
+ // surfaces (share links, oauth callbacks, auth endpoints, artifact-asset
777
+ // tokens) at `info` for the audit trail; anything else at `warn` — each
778
+ // warn line is a potential auth-hook bypass and should be investigated.
779
+ fastify.addHook('onResponse', async (req, reply) => {
780
+ if (req.method === 'OPTIONS')
781
+ return; // CORS preflight is anonymous by spec
782
+ // Prefix check on the raw url first (the query string can't affect a
783
+ // path prefix) so the majority non-/api traffic skips the split.
784
+ if (!req.url.startsWith('/api/'))
785
+ return;
786
+ if (req.user)
787
+ return;
788
+ const urlPath = req.url.split('?')[0];
789
+ if (reply.statusCode < 200 || reply.statusCode >= 300)
790
+ return;
791
+ if (isOpenMode(authService))
792
+ return;
793
+ const surface = publicApiSurface(req.method, urlPath);
794
+ const entry = {
795
+ anonymousApi: true,
796
+ method: req.method,
797
+ // Log the ROUTE PATTERN, not the raw path — share/asset paths embed
798
+ // capability tokens that must never land in logs.
799
+ route: req.routeOptions?.url ?? null,
800
+ statusCode: reply.statusCode,
801
+ surface: surface ?? undefined,
802
+ };
803
+ if (surface) {
804
+ req.log.info(entry, 'anonymous public-surface /api response');
805
+ }
806
+ else {
807
+ req.log.warn(entry, 'ANOMALY: anonymous 2xx on /api route — possible auth bypass');
808
+ }
809
+ });
210
810
  // Register WebSocket route (real-time change notifications + cursor broadcasting)
211
- await registerWsRoute(fastify, wsHub, authService, yjsManager);
212
- // Register feature flags API routes
213
- await registerFeaturesApiRoutes(fastify);
214
- // Register graph API routes (with per-collection access filtering)
215
- await registerGraphApiRoutes(fastify, config.workspaceManager, authService, wsHub, sessionManager, yjsManager);
811
+ await registerWsRoute(fastify, wsHub, authService, config.workspaceManager, yjsManager);
812
+ // Register graph API routes (with per-folder access filtering)
813
+ await registerGraphApiRoutes(fastify, config.workspaceManager, authService, wsHub, sessionManager);
216
814
  // Register workspace API routes (git operations)
217
- await registerWorkspaceApiRoutes(fastify, config.workspaceManager, config.gitUser);
815
+ await registerWorkspaceApiRoutes(fastify, config.workspaceManager, config.gitUser, authService);
816
+ // Register health endpoints (per-repo dirty status)
817
+ await registerHealthApiRoutes(fastify, config.workspaceManager, sessionManager);
218
818
  // Register config + workspace data API routes (for `studiograph push/pull --remote`)
219
819
  await registerConfigApiRoutes(fastify, config.workspaceManager, config.workspacePath, authService);
220
- // Register permissions API routes (self-hosted collection access)
820
+ // Register Phase 7 settings/secrets/audit API routes. Owner-only via
821
+ // isWorkspaceOwner() inside each handler.
822
+ await registerSettingsApiRoutes(fastify, authService);
823
+ await registerSecretsApiRoutes(fastify, authService);
824
+ await registerAuditApiRoutes(fastify, authService);
825
+ // AI usage rollup (cost-control Phase 0). Owner-only, read-only.
826
+ await registerAiUsageApiRoutes(fastify, authService, aiUsageLedger);
827
+ // Register comments API + notifications feed (Comments-First Phase 1).
828
+ // The getAgent closure resolves the orchestrator lazily — it's
829
+ // initialised below at line ~613, AFTER routes register, so route
830
+ // handlers can't capture it eagerly. The closure binding to the outer
831
+ // `agent` variable picks up the value once the orchestrator is alive.
832
+ await registerCommentsApiRoutes(fastify, commentService, notificationService, authService, wsHub, config.workspaceManager, () => agent);
833
+ // Register chat-session persistence routes (cross-device agent history).
834
+ // `() => agent` defers the orchestrator handle (assigned below) so the scratch
835
+ // cleanup can also evict the agent-pool session JSON on chat deletion.
836
+ await registerChatSessionsApiRoutes(fastify, chatSessionService, config.workspaceManager, authService, wsHub, () => agent);
837
+ // Register permissions API routes (self-hosted folder access)
221
838
  await registerPermissionsApiRoutes(fastify, authService, config.workspaceManager, wsHub);
222
839
  // Messages API routes registered after agent init (below) so @agent invocation works
223
840
  // Register connectors API routes (MCP connector management + OAuth)
224
841
  await registerConnectorsApiRoutes(fastify, authService, config.workspacePath);
842
+ // Register OAuth 2.0 authorization-server routes (Claude Chat/Cowork connect)
843
+ await registerOAuthApiRoutes(fastify, authService, config.workspaceConfig);
225
844
  // Register asset upload routes (image upload to R2/local)
226
- await registerAssetApiRoutes(fastify, config.workspaceManager, authService);
845
+ await registerAssetApiRoutes(fastify, config.workspaceManager, authService, wsHub);
846
+ // Register public share-link routes (mint authed; read + asset public)
847
+ await registerShareApiRoutes(fastify, config.workspaceManager, authService, shareLinkService);
848
+ // Register authenticated artifact export routes.
849
+ await registerArtifactExportApiRoutes(fastify, config.workspaceManager, authService);
850
+ // Register R2 management routes (bucket creation, local-asset sync, status)
851
+ await registerR2ApiRoutes(fastify, config.workspaceManager, authService, config.gitUser);
227
852
  // Register git Smart HTTP routes (clone/fetch/push with Basic Auth)
228
853
  await registerGitHttpRoutes(fastify, config.workspaceManager, authService, config.workspacePath, wsHub);
229
854
  // Register views API routes (per-user saved views)
230
855
  await registerViewsApiRoutes(fastify, authService, config.workspaceManager);
231
856
  // Register insights + preferences API routes
232
- // Build core tool metadata once from actual tool factories
233
- const coreToolMeta = [];
234
- try {
235
- const { createGraphTools } = await import('../agent/tools/graph-tools.js');
236
- const { createOpsTools } = await import('../agent/tools/ops-tools.js');
237
- const dummyUser = { id: '0', name: 'system', email: 'system' };
238
- const allTools = [
239
- ...createGraphTools(config.workspaceManager, dummyUser, config.workspacePath, undefined, undefined, () => null, authService),
240
- ...createOpsTools(config.workspacePath, config.workspaceConfig),
241
- ];
242
- for (const t of allTools) {
243
- if (t.name && t.description) {
244
- coreToolMeta.push({ name: t.name, description: t.description });
245
- }
246
- }
247
- }
248
- catch (err) {
249
- console.warn('[insights] Failed to build tool metadata:', err);
250
- }
251
- const getToolsForUser = (userId) => {
252
- const tools = [...coreToolMeta];
253
- // Add connector tools based on user's actually connected services
254
- try {
255
- const connectedConnectors = authService.getUserConnectedConnectors(userId);
256
- for (const c of connectedConnectors) {
257
- tools.push({ name: `${c.connector_name}_connector`, description: `Connected ${c.connector_name} integration — can sync and access ${c.connector_name} data` });
258
- }
259
- }
260
- catch { /* no connector tools */ }
261
- return tools;
262
- };
263
- await registerBriefingApiRoutes(fastify, config.workspaceManager, authService, config.workspacePath, wsHub, getToolsForUser);
264
- // Background briefing refresh — check staleness for online users every heartbeat tick
265
- {
266
- /** Format a Date as YYYY-MM-DD in the given IANA timezone. Falls back to
267
- * UTC when the timezone is invalid so we never crash on bad input. */
268
- const localDateIn = (d, tz) => {
269
- try {
270
- return new Intl.DateTimeFormat('en-CA', {
271
- timeZone: tz,
272
- year: 'numeric',
273
- month: '2-digit',
274
- day: '2-digit',
275
- }).format(d);
276
- }
277
- catch {
278
- return d.toISOString().slice(0, 10);
279
- }
280
- };
281
- const loadWsConfig = () => {
282
- const cfgPath = join(config.workspacePath, '.studiograph', 'workspace.json');
283
- if (!existsSync(cfgPath))
284
- return undefined;
285
- try {
286
- return JSON.parse(readFileSync(cfgPath, 'utf-8'));
287
- }
288
- catch {
289
- return undefined;
290
- }
291
- };
292
- const getReposForUser = (userId) => {
293
- const allRepos = config.workspaceManager.getAllRepoConfigs();
294
- const user = authService.findUserById(userId);
295
- if (!user)
296
- return allRepos.filter(r => !r.private).map(r => r.name);
297
- // Folder membership is the sole source of truth — no role-based short-circuit.
298
- const allowed = new Set(authService.getUserFolders(user.id));
299
- return allRepos.filter(r => allowed.has(r.name)).map(r => r.name);
300
- };
301
- wsHub.setBriefingRefresh((userId, tz) => {
302
- const brief = authService.getHomeBrief(userId);
303
- if (!brief)
304
- return false;
305
- // Always regenerate if no briefing text exists yet (migration from old insights system)
306
- const cached = authService.getCachedBriefing(userId);
307
- if (!cached.briefingText || !cached.generatedAt)
308
- return true;
309
- // Stale when the cached briefing was generated on an earlier calendar
310
- // date in the user's local timezone. This anchors "daily briefing"
311
- // to the user's morning rather than a rolling 24h window, and aligns
312
- // with the chat session's local-calendar-day rollover.
313
- const cachedLocal = localDateIn(new Date(cached.generatedAt), tz);
314
- const todayLocal = localDateIn(new Date(), tz);
315
- return cachedLocal < todayLocal;
316
- }, async (userId) => {
317
- const brief = authService.getHomeBrief(userId);
318
- const repoNames = getReposForUser(userId);
319
- const tools = getToolsForUser(userId);
320
- try {
321
- const { generateBriefing } = await import('../services/briefing.js');
322
- await generateBriefing(config.workspaceManager, repoNames, brief, authService, userId, loadWsConfig(), tools);
323
- wsHub.broadcastToUser(String(userId), { type: 'briefing_updated', timestamp: new Date().toISOString() });
324
- console.log(`[briefing] Background refresh complete for user ${userId}`);
325
- }
326
- catch (err) {
327
- console.error(`[briefing] Background refresh failed for user ${userId}:`, err.message);
328
- }
329
- });
330
- }
331
- // Register meeting ingest API (Chrome extension + other capture tools)
332
- await registerMeetingIngestRoutes(fastify, config.workspaceManager, authService, wsHub);
857
+ await registerInsightsApiRoutes(fastify, config.workspaceManager, authService, config.workspacePath, wsHub, chatSessionService);
858
+ // Register event ingest API (meeting capture from desktop and external sources)
859
+ await registerEventIngestRoutes(fastify, config.workspaceManager, authService, wsHub, yjsManager);
860
+ // Register artifact-selection API (web canvas pushes the current selection;
861
+ // read by the get_current_selection MCP tool via the shared selectionStore)
862
+ await registerArtifactSelectionRoutes(fastify, authService, config.workspaceManager, selectionStore);
863
+ // Register artifact-patch API (P5: web canvas applies user direct-manipulation
864
+ // edits reorder/rename through the same op path as the agent)
865
+ await registerArtifactPatchRoutes(fastify, authService, config.workspaceManager, wsHub);
333
866
  // Register MCP Streamable HTTP endpoint
334
- await registerMcpRoutes(fastify, config.workspaceManager, authService);
335
- // Serve chrome assets (shared header/footer for app editors)
336
- const chromeDir = join(import.meta.dirname, 'chrome');
337
- if (existsSync(chromeDir)) {
338
- const CHROME_MIME = { '.js': 'application/javascript', '.css': 'text/css' };
339
- fastify.get('/api/chrome/:file', async (req, reply) => {
340
- const file = req.params.file;
341
- if (file.includes('..') || file.includes('/')) {
342
- return reply.status(400).send({ error: 'Invalid path' });
343
- }
344
- const filePath = join(chromeDir, file);
345
- if (!existsSync(filePath) || !statSync(filePath).isFile()) {
346
- return reply.status(404).send({ error: 'Not found' });
347
- }
348
- const ext = extname(filePath).toLowerCase();
349
- reply.type(CHROME_MIME[ext] || 'application/octet-stream');
350
- reply.header('Cache-Control', 'public, max-age=300');
351
- return reply.send(createReadStream(filePath));
352
- });
353
- }
867
+ await registerMcpRoutes(fastify, config.workspaceManager, authService, wsHub, commentService, selectionStore);
354
868
  // Initialize memory service and agent — non-fatal so the server can still serve graph API
355
869
  const memoryService = new MemoryService();
356
870
  let agent = null;
@@ -362,15 +876,36 @@ export async function createServer(config) {
362
876
  gitUser: config.gitUser,
363
877
  recentMemory,
364
878
  workspaceManager: config.workspaceManager,
365
- messageService,
366
- // After the agent writes to an entity, push fresh disk content into
367
- // any active Y.Doc so live editors see the update and the CRDT
368
- // doesn't duplicate content on the next resync.
369
- onEntityContentMutation: (repo, entityType, entityId) => {
370
- yjsManager.syncDocFromDisk(`${repo}/${entityType}/${entityId}`);
879
+ // Share the route-level AuthService. Without this the orchestrator
880
+ // constructs its own crypto-less copy and (a) errors when reading
881
+ // encrypted oauth_tokens rows, (b) subscribes to a different
882
+ // pubsub than the one the OAuth callback fires on — so per-user
883
+ // OAuth state changes never invalidate the agent pool.
884
+ authService,
885
+ // Lets the agent's generic read tools resolve the virtual `comment`
886
+ // entity type, and lets the chat route fold an entry's comments into
887
+ // context (see registerChatRoutes below).
888
+ commentService,
889
+ // Lets the agent's `save_file_to_assets` tool promote a conversation
890
+ // scratch image into the curated asset library.
891
+ chatSessionService,
892
+ // Headless-render asset access for inspect_artifact: mint a bundle-scoped
893
+ // signed token and point the in-process Playwright render at the server's
894
+ // own loopback origin, so `/api/assets/...` images load (token-mode auth)
895
+ // instead of aborting to the broken-image placeholder. Without this the
896
+ // render falls back to assets:{mode:'none'} and the agent sees a false
897
+ // "original asset is no longer available".
898
+ mintInspectAssets: (repo, entityId, bundle, userId) => {
899
+ try {
900
+ const { token } = mintArtifactAssetTokenForBundle(config.workspaceManager, authService, repo, entityId, bundle, userId);
901
+ return { baseUrl: `http://127.0.0.1:${config.port}`, assetToken: token };
902
+ }
903
+ catch {
904
+ return null;
905
+ }
371
906
  },
372
907
  });
373
- await registerChatRoutes(fastify, agent, memoryService);
908
+ await registerChatRoutes(fastify, agent, wsHub, authService, memoryService, commentService, chatSessionService);
374
909
  await registerCaptureRoutes(fastify, agent);
375
910
  await registerUrlRoutes(fastify);
376
911
  }
@@ -390,23 +925,27 @@ export async function createServer(config) {
390
925
  return reply.status(503).send({ error: 'The AI agent is not configured yet. Please set the API key for your model provider in the server environment variables and restart.' });
391
926
  });
392
927
  }
393
- // Initialize heartbeat service for conversation analysis
394
- let heartbeatService = null;
395
- try {
396
- const { HeartbeatService } = await import('../services/heartbeat.js');
397
- heartbeatService = new HeartbeatService(messageService, config.workspaceManager, wsHub, agent ?? null);
398
- heartbeatService.start();
399
- }
400
- catch (err) {
401
- fastify.log.warn(`Heartbeat not available: ${err.message}`);
402
- }
403
- // Register messages API routes (collection-scoped messaging with @agent support)
404
- await registerMessagesApiRoutes(fastify, messageService, authService, wsHub, config.workspaceManager, agent, heartbeatService);
405
928
  // GET /api/workspace — workspace metadata
406
929
  fastify.get('/api/workspace', async (_req, reply) => {
407
930
  const workspace = new Workspace(config.workspacePath);
408
931
  const about = workspace.loadAbout();
409
- return reply.send({ name: config.workspaceConfig.team_name, about });
932
+ // Storage backend is workspace-global (one config shared by every graph),
933
+ // so it belongs on workspace metadata rather than per-asset. Readable by
934
+ // any member — it powers the Library "About assets" dialog.
935
+ const storage = config.workspaceManager.getAssetStorage();
936
+ return reply.send({ name: config.workspaceConfig.team_name, about, storage });
937
+ });
938
+ // GET /api/server-info — identity probe for the stdio MCP proxy.
939
+ // Authed by the global middleware (not in the exempt list), so a 401/403 here
940
+ // tells the proxy "server present, token rejected" → fail loud, never write
941
+ // locally. The serverId + workspacePath let the proxy confirm it is talking
942
+ // to the server that owns this exact workspace before forwarding tool calls.
943
+ fastify.get('/api/server-info', async (_req, reply) => {
944
+ return reply.send({
945
+ serverId: config.serverId ?? null,
946
+ workspacePath: config.workspacePath,
947
+ name: config.workspaceConfig.team_name,
948
+ });
410
949
  });
411
950
  // PUT /api/workspace — update workspace identity (owner only)
412
951
  fastify.put('/api/workspace', async (req, reply) => {
@@ -425,24 +964,38 @@ export async function createServer(config) {
425
964
  }
426
965
  return reply.send({ success: true });
427
966
  });
428
- // GET /api/workspace/mcp-config — MCP client configuration snippet (all authenticated users)
967
+ // GET /api/workspace/mcp-config — MCP client configuration snippet.
968
+ // Returns a template with `<your-token-here>` in the Authorization header;
969
+ // the frontend fills it in after the user mints a personal token via
970
+ // POST /api/auth/tokens. We never embed a shared key here because doing so
971
+ // would leak a workspace-wide credential and re-introduce the bug the
972
+ // per-user-token model exists to solve.
429
973
  fastify.get('/api/workspace/mcp-config', async (req, reply) => {
430
- const proto = req.headers['x-forwarded-proto'] === 'https' ? 'https' : (req.protocol ?? 'http');
431
- const host = req.headers['x-forwarded-host'] || req.headers.host || 'localhost';
432
- const baseUrl = `${proto}://${host}`;
433
- const apiKey = authService.getApiKey();
974
+ // Prefer the pinned canonical URL so the connect URL shown in Settings
975
+ // matches the OAuth issuer/resource. Fall back to the request origin when
976
+ // none is configured (local dev / unpinned), rather than failing closed —
977
+ // this endpoint is informational, not a security boundary.
978
+ let baseUrl;
979
+ try {
980
+ baseUrl = resolveCanonicalBaseUrl(config.workspaceConfig, req);
981
+ }
982
+ catch {
983
+ const proto = req.headers['x-forwarded-proto'] === 'https' ? 'https' : (req.protocol ?? 'http');
984
+ const host = req.headers['x-forwarded-host'] || req.headers.host || 'localhost';
985
+ baseUrl = `${proto}://${host}`;
986
+ }
434
987
  const mcpConfig = {
435
988
  mcpServers: {
436
989
  studiograph: {
437
990
  type: 'streamable-http',
438
991
  url: `${baseUrl}/mcp`,
439
992
  headers: {
440
- Authorization: `Bearer ${apiKey}`,
993
+ Authorization: 'Bearer <your-token-here>',
441
994
  },
442
995
  },
443
996
  },
444
997
  };
445
- return reply.send({ config: mcpConfig });
998
+ return reply.send({ config: mcpConfig, url: `${baseUrl}/mcp` });
446
999
  });
447
1000
  // DELETE /api/memory — clear all agent memory files
448
1001
  fastify.delete('/api/memory', async (_req, reply) => {
@@ -465,16 +1018,38 @@ export async function createServer(config) {
465
1018
  // serve the SPA instead so client-side routing can handle the URL.
466
1019
  // Read fresh from disk each time so rebuilds take effect without server restart.
467
1020
  const readIndexHtml = () => readFileSync(indexPath);
1021
+ /**
1022
+ * Cache policy for static assets:
1023
+ * - `/_app/immutable/*` are content-hashed by SvelteKit, so the URL
1024
+ * changes every time the file does — safe to cache forever.
1025
+ * - `index.html` (and the SPA fallback) MUST revalidate every load,
1026
+ * otherwise stale HTML keeps pointing at expired immutable hashes.
1027
+ * - Other root assets (favicons, og images, etc.) get a modest TTL.
1028
+ *
1029
+ * Without these headers the upstream CDN (Fastly in front of Railway)
1030
+ * forwards almost every request to origin, producing multi-second
1031
+ * TTFB on cold edges and a 3-5s "black screen" while the SPA bundle
1032
+ * loads.
1033
+ */
1034
+ function setStaticCacheHeader(reply, urlPath) {
1035
+ if (urlPath.startsWith('/_app/immutable/')) {
1036
+ reply.header('Cache-Control', 'public, max-age=31536000, immutable');
1037
+ }
1038
+ else if (urlPath === '/' || urlPath === '/index.html' || !extname(urlPath)) {
1039
+ reply.header('Cache-Control', 'no-cache');
1040
+ }
1041
+ else {
1042
+ reply.header('Cache-Control', 'public, max-age=3600');
1043
+ }
1044
+ }
468
1045
  fastify.addHook('onSend', async (request, reply, payload) => {
469
1046
  if (reply.sent)
470
1047
  return payload;
471
1048
  const ct = reply.getHeader('content-type');
472
- if (request.method === 'GET' &&
473
- reply.statusCode >= 400 &&
474
- request.headers.accept?.includes('text/html') &&
475
- typeof ct === 'string' && ct.includes('application/json')) {
1049
+ if (shouldServeSpaShellOnError(request.method, request.url, reply.statusCode, request.headers.accept, ct)) {
476
1050
  reply.removeHeader('content-length');
477
1051
  reply.code(200).type('text/html');
1052
+ reply.header('Cache-Control', 'no-cache');
478
1053
  return readIndexHtml();
479
1054
  }
480
1055
  return payload;
@@ -482,16 +1057,16 @@ export async function createServer(config) {
482
1057
  // Use setNotFoundHandler so API routes take priority over SPA fallback
483
1058
  fastify.setNotFoundHandler(async (req, reply) => {
484
1059
  const urlPath = req.url.split('?')[0];
485
- const filePath = urlPath === '/' ? '/index.html' : urlPath;
486
- const fullPath = join(webDir, filePath);
1060
+ const fullPath = resolveStaticFilePath(webDir, urlPath);
1061
+ if (!fullPath) {
1062
+ return reply.status(400).send({ error: 'Invalid path' });
1063
+ }
487
1064
  // Serve the file if it exists (and is a file, not directory)
488
1065
  if (existsSync(fullPath) && statSync(fullPath).isFile()) {
489
- if (fullPath.includes('..')) {
490
- return reply.status(400).send({ error: 'Invalid path' });
491
- }
492
1066
  const ext = extname(fullPath).toLowerCase();
493
1067
  const contentType = MIME_TYPES[ext] || 'application/octet-stream';
494
1068
  reply.type(contentType);
1069
+ setStaticCacheHeader(reply, urlPath);
495
1070
  return reply.send(createReadStream(fullPath));
496
1071
  }
497
1072
  // SPA fallback — serve index.html for client-side routing.
@@ -501,18 +1076,25 @@ export async function createServer(config) {
501
1076
  const hasFileExt = extname(urlPath).length > 1;
502
1077
  if (req.method === 'GET' && !hasFileExt && existsSync(indexPath)) {
503
1078
  reply.type('text/html');
1079
+ reply.header('Cache-Control', 'no-cache');
504
1080
  return reply.send(createReadStream(indexPath));
505
1081
  }
506
1082
  return reply.status(404).send({ error: 'Not found' });
507
1083
  });
508
1084
  fastify.log.info('Web UI enabled — serving from dist/web/');
509
1085
  }
510
- // Graceful shutdown
1086
+ // Graceful shutdown — sessionManager.shutdown() flushes pending commits
1087
+ // BEFORE tearing down the timer (the old destroy()-only path could lose
1088
+ // dirty sessions if called without an explicit flush).
511
1089
  fastify.addHook('onClose', async () => {
512
- await sessionManager.flushAll();
513
- sessionManager.destroy();
514
- yjsManager.destroy();
1090
+ await sessionManager.shutdown();
1091
+ await assetIndexQueue.shutdown();
1092
+ await yjsManager.destroy();
515
1093
  wsHub.destroy();
1094
+ releaseYjsLock();
1095
+ clearInterval(aiUsagePruneTimer);
1096
+ setAiUsageLedger(null);
1097
+ aiUsageLedger.close();
516
1098
  });
517
1099
  return fastify;
518
1100
  }