npm - teamcopilot - Versions diffs - 0.0.1 - Mend

teamcopilot 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/dist/utils/redact.js ADDED Viewed

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.maskValue = maskValue;
+exports.isLikelySensitiveKey = isLikelySensitiveKey;
+exports.sanitizeStringContent = sanitizeStringContent;
+exports.sanitizeForClient = sanitizeForClient;
+const SENSITIVE_KEY_PATTERN = /(token|secret|password|passwd|api[_-]?key|auth|credential)/i;
+function maskValue(value) {
+    if (value.startsWith("***")) {
+        return value;
+    }
+    const suffixLength = value.length <= 3 ? 1 : 3;
+    const tail = value.slice(-suffixLength);
+    return `***${tail}`;
+}
+function isLikelySensitiveKey(key) {
+    return SENSITIVE_KEY_PATTERN.test(key);
+}
+function sanitizeStringContent(input) {
+    let text = input;
+    // Redact Authorization header bearer tokens before generic key/value masking so
+    // "Authorization: Bearer <token>" doesn't get partially masked as "***rer".
+    text = text.replace(/(\bAuthorization\s*[:=]\s*)(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})/gi, (_full, prefix, bearer, token) => `${prefix}${bearer}${maskValue(token)}`);
+    // Redact sensitive markdown list/label items such as:
+    // - **password**: value
+    // - **password** = value
+    // > __token__ : "value"
+    text = text.replace(/(^|[\r\n])([ \t>]*(?:[-*+][ \t]+)?)(\*\*|__)[ \t]*([A-Za-z_][A-Za-z0-9_-]*)[ \t]*(\3)([ \t]*(?::|=)[ \t]*)(?:"([^"\n]*)"|'([^'\n]*)'|([^\s"'#;,)\]}]+))/gm, (full, lineLead, prefix, openMarker, key, closeMarker, separator, doubleQuoted, singleQuoted, bare) => {
+        if (!isLikelySensitiveKey(key)) {
+            return full;
+        }
+        const rawValue = doubleQuoted ?? singleQuoted ?? bare ?? "";
+        if (!rawValue) {
+            return full;
+        }
+        const masked = maskValue(rawValue);
+        if (doubleQuoted !== undefined) {
+            return `${lineLead}${prefix}${openMarker}${key}${closeMarker}${separator}"${masked}"`;
+        }
+        if (singleQuoted !== undefined) {
+            return `${lineLead}${prefix}${openMarker}${key}${closeMarker}${separator}'${masked}'`;
+        }
+        return `${lineLead}${prefix}${openMarker}${key}${closeMarker}${separator}${masked}`;
+    });
+    // Redact sensitive env-style assignments anywhere in text, including multiple
+    // assignments per line and text prefixes.
+    text = text.replace(/(^|[^A-Za-z0-9_])((?:export[ \t]+)?([A-Za-z_][A-Za-z0-9_-]*)[ \t]*(?:=|:)[ \t]*)(?:"([^"\n]*)"|'([^'\n]*)'|([^\s"'#;,)\]}]+))/gm, (full, lead, assignmentPrefix, key, doubleQuoted, singleQuoted, bare) => {
+        if (!isLikelySensitiveKey(key)) {
+            return full;
+        }
+        const rawValue = doubleQuoted ?? singleQuoted ?? bare ?? "";
+        if (!rawValue) {
+            return full;
+        }
+        if (key.toLowerCase() === "authorization" && /^bearer$/i.test(rawValue)) {
+            return full;
+        }
+        const authorizationMatch = rawValue.match(/^([Bb]earer\s+)([^\s"']+)$/);
+        if (key.toLowerCase() === "authorization" && authorizationMatch) {
+            const bearerPrefix = authorizationMatch[1];
+            const bearerToken = authorizationMatch[2];
+            const maskedBearer = `${bearerPrefix}${maskValue(bearerToken)}`;
+            if (doubleQuoted !== undefined) {
+                return `${lead}${assignmentPrefix}"${maskedBearer}"`;
+            }
+            if (singleQuoted !== undefined) {
+                return `${lead}${assignmentPrefix}'${maskedBearer}'`;
+            }
+            return `${lead}${assignmentPrefix}${maskedBearer}`;
+        }
+        const masked = maskValue(rawValue);
+        if (doubleQuoted !== undefined) {
+            return `${lead}${assignmentPrefix}"${masked}"`;
+        }
+        if (singleQuoted !== undefined) {
+            return `${lead}${assignmentPrefix}'${masked}'`;
+        }
+        return `${lead}${assignmentPrefix}${masked}`;
+    });
+    // Redact common bearer and provider token forms.
+    text = text.replace(/\b(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})\b/gi, (_full, prefix, token) => `${prefix}${maskValue(token)}`);
+    text = text.replace(/\b(sk-[A-Za-z0-9_-]{8,})\b/g, (token) => maskValue(token));
+    text = text.replace(/\b(ghp_[A-Za-z0-9]{8,})\b/g, (token) => maskValue(token));
+    return text;
+}
+function sanitizeObjectRecord(input) {
+    const output = {};
+    for (const [key, value] of Object.entries(input)) {
+        if (typeof value === "string" && isLikelySensitiveKey(key)) {
+            output[key] = maskValue(value);
+            continue;
+        }
+        output[key] = sanitizeForClient(value);
+    }
+    return output;
+}
+function sanitizeForClient(input) {
+    if (typeof input === "string") {
+        return sanitizeStringContent(input);
+    }
+    if (Array.isArray(input)) {
+        return input.map((item) => sanitizeForClient(item));
+    }
+    if (input && typeof input === "object") {
+        return sanitizeObjectRecord(input);
+    }
+    return input;
+}

package/dist/utils/resource-access.js ADDED Viewed

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getResourceAccessSummary = getResourceAccessSummary;
+const permission_common_1 = require("./permission-common");
+const user_role_1 = require("./user-role");
+const skill_approval_snapshot_1 = require("./skill-approval-snapshot");
+const workflow_approval_snapshot_1 = require("./workflow-approval-snapshot");
+const skill_1 = require("./skill");
+const workflow_1 = require("./workflow");
+async function getResourceAccessSummary(resourceType, slug, userId) {
+    if (resourceType === "workflow") {
+        await (0, workflow_1.readWorkflowManifestAndEnsurePermissions)(slug);
+    }
+    else {
+        await (0, skill_1.readSkillManifestAndEnsurePermissions)(slug);
+    }
+    const permission = await (0, permission_common_1.getResourcePermissionWithUsers)(resourceType, slug, resourceType === "workflow" ? "Workflow run" : "Skill access");
+    const mode = (0, permission_common_1.assertCommonPermissionMode)(permission.permission_mode, resourceType === "workflow" ? "workflow run" : "skill access");
+    const allowedUserIds = permission.allowedUsers.map((row) => row.user_id);
+    const canCurrentUserUse = mode === "everyone" || allowedUserIds.includes(userId);
+    const isLockedDueToMissingUsers = mode === "restricted" && allowedUserIds.length === 0;
+    const approvalState = resourceType === "workflow"
+        ? await (0, workflow_approval_snapshot_1.getWorkflowSnapshotApprovalState)(slug)
+        : await (0, skill_approval_snapshot_1.getSkillSnapshotApprovalState)(slug);
+    const isEngineer = await (0, user_role_1.isEngineerUser)(userId);
+    const canEdit = approvalState.is_current_code_approved
+        ? canCurrentUserUse
+        : (isEngineer || canCurrentUserUse);
+    const canView = canEdit;
+    return {
+        permission_mode: mode,
+        is_locked_due_to_missing_users: isLockedDueToMissingUsers,
+        is_approved: approvalState.is_current_code_approved,
+        can_view: canView,
+        can_edit: canEdit,
+    };
+}

package/dist/utils/resource-file-routes.js ADDED Viewed

@@ -0,0 +1,115 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerResourceFileRoutes = registerResourceFileRoutes;
+const fs_1 = __importDefault(require("fs"));
+const index_1 = require("./index");
+function registerResourceFileRoutes(options) {
+    const { router, uploadMiddleware, ensureResourceExists, assertCanView, getEditorAccess, assertCanEdit, listDirectory, readFileContent, saveFileContent, createFileOrFolder, uploadFileFromTempPath, renamePath, deletePath, skipResponseSanitizationForFileContentRead = true, } = options;
+    router.get("/:slug/files/access", (0, index_1.apiHandler)(async (req, res) => {
+        const slug = req.params.slug;
+        const authReq = req;
+        const access = await getEditorAccess(slug, authReq.userId);
+        res.json(access);
+    }, true));
+    router.get("/:slug/files/tree", (0, index_1.apiHandler)(async (req, res) => {
+        const slug = req.params.slug;
+        const authReq = req;
+        await assertCanView(slug, authReq.userId);
+        await ensureResourceExists(slug);
+        const rawPath = typeof req.query.path === "string" ? req.query.path : undefined;
+        const tree = listDirectory(slug, rawPath);
+        res.json(tree);
+    }, true));
+    router.get("/:slug/files/content", (0, index_1.apiHandler)(async (req, res) => {
+        const slug = req.params.slug;
+        const authReq = req;
+        await assertCanView(slug, authReq.userId);
+        await ensureResourceExists(slug);
+        const rawPath = typeof req.query.path === "string" ? req.query.path : undefined;
+        const content = readFileContent(slug, rawPath);
+        if (skipResponseSanitizationForFileContentRead) {
+            res.locals.skipResponseSanitization = true;
+        }
+        res.json(content);
+    }, true));
+    router.put("/:slug/files/content", (0, index_1.apiHandler)(async (req, res) => {
+        const slug = req.params.slug;
+        const authReq = req;
+        await assertCanEdit(slug, authReq.userId);
+        const { path, content, base_etag } = req.body;
+        if (typeof path !== "string" || typeof content !== "string" || typeof base_etag !== "string") {
+            throw {
+                status: 400,
+                message: "path, content, and base_etag are required"
+            };
+        }
+        const result = saveFileContent(slug, { path, content, base_etag });
+        res.json(result);
+    }, true));
+    router.post("/:slug/files", (0, index_1.apiHandler)(async (req, res) => {
+        const slug = req.params.slug;
+        const authReq = req;
+        await assertCanEdit(slug, authReq.userId);
+        const { parent_path, name, kind } = req.body;
+        if (typeof name !== "string" || (kind !== "file" && kind !== "directory")) {
+            throw {
+                status: 400,
+                message: 'name and kind ("file" or "directory") are required'
+            };
+        }
+        const node = createFileOrFolder(slug, typeof parent_path === "string" ? parent_path : "", name, kind);
+        res.json({ node });
+    }, true));
+    router.post("/:slug/files/upload", uploadMiddleware, (0, index_1.apiHandler)(async (req, res) => {
+        const slug = req.params.slug;
+        const authReq = req;
+        await assertCanEdit(slug, authReq.userId);
+        const { parent_path, name } = req.body;
+        if (typeof name !== "string") {
+            throw {
+                status: 400,
+                message: "name is required"
+            };
+        }
+        if (!authReq.file?.path) {
+            throw {
+                status: 400,
+                message: "file is required"
+            };
+        }
+        try {
+            const node = uploadFileFromTempPath(slug, typeof parent_path === "string" ? parent_path : "", name, authReq.file.path);
+            res.json({ node });
+        }
+        finally {
+            if (fs_1.default.existsSync(authReq.file.path)) {
+                fs_1.default.unlinkSync(authReq.file.path);
+            }
+        }
+    }, true));
+    router.patch("/:slug/files/rename", (0, index_1.apiHandler)(async (req, res) => {
+        const slug = req.params.slug;
+        const authReq = req;
+        await assertCanEdit(slug, authReq.userId);
+        const { path, new_name } = req.body;
+        if (typeof path !== "string" || typeof new_name !== "string") {
+            throw {
+                status: 400,
+                message: "path and new_name are required"
+            };
+        }
+        const result = renamePath(slug, path, new_name);
+        res.json(result);
+    }, true));
+    router.delete("/:slug/files", (0, index_1.apiHandler)(async (req, res) => {
+        const slug = req.params.slug;
+        const authReq = req;
+        await assertCanEdit(slug, authReq.userId);
+        const rawPath = typeof req.query.path === "string" ? req.query.path : undefined;
+        deletePath(slug, rawPath);
+        res.json({ success: true });
+    }, true));
+}