teamcopilot 0.1.16 → 0.2.0

package/dist/index.js

@@ -3,6 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.createApp = createApp;
 BigInt.prototype.toJSON = function () {
     const num = Number(this);
     if (num > Number.MAX_SAFE_INTEGER || num < Number.MIN_SAFE_INTEGER) {
@@ -19,6 +20,7 @@ const workflows_1 = __importDefault(require("./workflows"));
 const chat_1 = __importDefault(require("./chat"));
 const skills_1 = __importDefault(require("./skills"));
 const users_1 = __importDefault(require("./users"));
+const secrets_1 = __importDefault(require("./secrets"));
 const cronjob_1 = require("./cronjob");
 const opencode_server_1 = require("./opencode-server");
 const path_1 = __importDefault(require("path"));
@@ -30,97 +32,102 @@ const opencode_auth_1 = require("./utils/opencode-auth");
 const opencode_auth_2 = __importDefault(require("./opencode-auth"));
 const jwt_secret_1 = require("./utils/jwt-secret");
 const runtime_paths_1 = require("./utils/runtime-paths");
-const app = (0, express_1.default)();
-const frontendDistDirectory = (0, runtime_paths_1.getFrontendDistDirectory)();
-app.use(express_1.default.json());
-// Logging middleware
-// app.use((req, res, next) => {
-//     const start = Date.now();
-//     res.on('finish', async () => {
-//         const duration = Date.now() - start;
-//         const logData = {
-//             method: req.method,
-//             path: req.path,
-//             statusCode: res.statusCode,
-//             duration: `${duration}ms`,
-//             userAgent: req.get('user-agent'),
-//             ip: req.ip
-//         };
-//         logInfo(`HTTP Request: ${req.method} ${req.path} ${res.statusCode}`, { meta: logData });
-//     });
-//     next();
-// });
-// Mount auth routes directly (no sanitization for token responses)
-app.use('/api/auth', auth_1.default);
-const apiRouter = express_1.default.Router();
-apiRouter.use((_req, res, next) => {
-    const originalJson = res.json.bind(res);
-    const originalSend = res.send.bind(res);
-    const shouldSkipSanitization = () => Boolean(res.locals.skipResponseSanitization);
-    const hasJsonContentType = () => {
-        const contentType = res.getHeader("Content-Type");
-        if (typeof contentType === "string") {
-            return contentType.includes("application/json");
-        }
-        if (Array.isArray(contentType)) {
-            return contentType.some((value) => value.includes("application/json"));
-        }
-        return false;
-    };
-    res.json = ((body) => {
-        if (shouldSkipSanitization()) {
-            return originalJson(body);
-        }
-        return originalJson((0, redact_1.sanitizeForClient)(body));
-    });
-    res.send = ((body) => {
-        if (shouldSkipSanitization()) {
-            return originalSend(body);
-        }
-        if (typeof body === "string") {
-            if (hasJsonContentType()) {
-                return originalSend(body);
+function createApp() {
+    const app = (0, express_1.default)();
+    const frontendDistDirectory = (0, runtime_paths_1.getFrontendDistDirectory)();
+    app.use(express_1.default.json());
+    // Logging middleware
+    // app.use((req, res, next) => {
+    //     const start = Date.now();
+    //     res.on('finish', async () => {
+    //         const duration = Date.now() - start;
+    //         const logData = {
+    //             method: req.method,
+    //             path: req.path,
+    //             statusCode: res.statusCode,
+    //             duration: `${duration}ms`,
+    //             userAgent: req.get('user-agent'),
+    //             ip: req.ip
+    //         };
+    //         logInfo(`HTTP Request: ${req.method} ${req.path} ${res.statusCode}`, { meta: logData });
+    //     });
+    //     next();
+    // });
+    // Mount auth routes directly (no sanitization for token responses)
+    app.use('/api/auth', auth_1.default);
+    const apiRouter = express_1.default.Router();
+    apiRouter.use((_req, res, next) => {
+        const originalJson = res.json.bind(res);
+        const originalSend = res.send.bind(res);
+        const shouldSkipSanitization = () => Boolean(res.locals.skipResponseSanitization);
+        const hasJsonContentType = () => {
+            const contentType = res.getHeader("Content-Type");
+            if (typeof contentType === "string") {
+                return contentType.includes("application/json");
             }
-            return originalSend((0, redact_1.sanitizeStringContent)(body));
-        }
-        if (Buffer.isBuffer(body)) {
-            if (hasJsonContentType()) {
+            if (Array.isArray(contentType)) {
+                return contentType.some((value) => value.includes("application/json"));
+            }
+            return false;
+        };
+        res.json = ((body) => {
+            if (shouldSkipSanitization()) {
+                return originalJson(body);
+            }
+            return originalJson((0, redact_1.sanitizeForClient)(body));
+        });
+        res.send = ((body) => {
+            if (shouldSkipSanitization()) {
                 return originalSend(body);
             }
-            return originalSend(Buffer.from((0, redact_1.sanitizeStringContent)(body.toString("utf-8")), "utf-8"));
+            if (typeof body === "string") {
+                if (hasJsonContentType()) {
+                    return originalSend(body);
+                }
+                return originalSend((0, redact_1.sanitizeStringContent)(body));
+            }
+            if (Buffer.isBuffer(body)) {
+                if (hasJsonContentType()) {
+                    return originalSend(body);
+                }
+                return originalSend(Buffer.from((0, redact_1.sanitizeStringContent)(body.toString("utf-8")), "utf-8"));
+            }
+            return originalSend((0, redact_1.sanitizeForClient)(body));
+        });
+        next();
+    });
+    apiRouter.get("/", (_req, res) => {
+        // for healthcheck
+        res.send("Hello from the API!");
+    });
+    apiRouter.get("/workspace", (0, utils_1.apiHandler)(async (_req, res) => {
+        const workspaceDir = (0, workspace_sync_1.getWorkspaceDirFromEnv)();
+        res.json({ workspace_dir: workspaceDir });
+    }, false));
+    apiRouter.use('/workflows', workflows_1.default);
+    apiRouter.use('/chat', chat_1.default);
+    apiRouter.use('/skills', skills_1.default);
+    apiRouter.use('/users', users_1.default);
+    apiRouter.use('/secrets', secrets_1.default);
+    apiRouter.use('/opencode-auth', opencode_auth_2.default);
+    app.use('/api', apiRouter);
+    // Serve static assets (JS, CSS, etc.) with correct MIME types
+    app.use(express_1.default.static(frontendDistDirectory));
+    // SPA fallback: serve index.html for non-API routes (client-side routing)
+    app.get("*", (_req, res) => {
+        res.sendFile(path_1.default.join(frontendDistDirectory, "index.html"));
+    });
+    app.use(async (err, req, res, _) => {
+        let status = err.status || 500;
+        let doLogging = err.doLogging !== false;
+        if (status !== 404 && doLogging) {
+            (0, logging_1.logError)({ err, apiPath: req.path, apiMethod: req.method });
         }
-        return originalSend((0, redact_1.sanitizeForClient)(body));
+        res.status(status).json({ message: err.message || 'Unknown error' });
     });
-    next();
-});
-apiRouter.get("/", (_req, res) => {
-    // for healthcheck
-    res.send("Hello from the API!");
-});
-apiRouter.get("/workspace", (0, utils_1.apiHandler)(async (_req, res) => {
-    const workspaceDir = (0, workspace_sync_1.getWorkspaceDirFromEnv)();
-    res.json({ workspace_dir: workspaceDir });
-}, false));
-apiRouter.use('/workflows', workflows_1.default);
-apiRouter.use('/chat', chat_1.default);
-apiRouter.use('/skills', skills_1.default);
-apiRouter.use('/users', users_1.default);
-apiRouter.use('/opencode-auth', opencode_auth_2.default);
-app.use('/api', apiRouter);
-// Serve static assets (JS, CSS, etc.) with correct MIME types
-app.use(express_1.default.static(frontendDistDirectory));
-// SPA fallback: serve index.html for non-API routes (client-side routing)
-app.get("*", (_req, res) => {
-    res.sendFile(path_1.default.join(frontendDistDirectory, "index.html"));
-});
-app.use(async (err, req, res, _) => {
-    let status = err.status || 500;
-    let doLogging = err.doLogging !== false;
-    if (status !== 404 && doLogging) {
-        (0, logging_1.logError)({ err, apiPath: req.path, apiMethod: req.method });
-    }
-    res.status(status).json({ message: err.message || 'Unknown error' });
-});
+    return app;
+}
+const app = createApp();
 let httpServer = null;
 let isShuttingDown = false;
 async function shutdown(exitCode) {
@@ -163,7 +170,9 @@ process.on("unhandledRejection", (reason) => {
     console.error("Unhandled rejection:", reason);
     void shutdown(1);
 });
-void bootstrap().catch((err) => {
-    console.error("Failed to start server:", err);
-    process.exit(1);
-});
+if (require.main === module) {
+    void bootstrap().catch((err) => {
+        console.error("Failed to start server:", err);
+        process.exit(1);
+    });
+}

package/dist/secrets/index.js

@@ -0,0 +1,74 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = __importDefault(require("express"));
+const client_1 = __importDefault(require("../prisma/client"));
+const utils_1 = require("../utils");
+const secrets_1 = require("../utils/secrets");
+const router = express_1.default.Router({ mergeParams: true });
+router.get("/global", (0, utils_1.apiHandler)(async (req, res) => {
+    const rows = await client_1.default.global_secrets.findMany({
+        orderBy: { key: "asc" }
+    });
+    const shouldMaskValues = req.opencode_session_id === undefined;
+    res.json({
+        secrets: rows.map((row) => (0, secrets_1.toSecretListItem)(row, shouldMaskValues))
+    });
+}, true));
+router.put("/global/:key", (0, utils_1.apiHandler)(async (req, res) => {
+    if (req.role !== "Engineer") {
+        throw {
+            status: 403,
+            message: "Only engineers can manage global secrets"
+        };
+    }
+    const key = (0, secrets_1.assertSecretKey)(req.params.key);
+    const value = typeof req.body?.value === "string" ? req.body.value : "";
+    if (value.length === 0) {
+        throw {
+            status: 400,
+            message: "value is required"
+        };
+    }
+    const now = BigInt(Date.now());
+    const row = await client_1.default.global_secrets.upsert({
+        where: { key },
+        create: {
+            key,
+            value,
+            created_by_user_id: req.userId,
+            updated_by_user_id: req.userId,
+            created_at: now,
+            updated_at: now,
+        },
+        update: {
+            value,
+            updated_by_user_id: req.userId,
+            updated_at: now,
+        },
+    });
+    res.json({
+        secret: (0, secrets_1.toSecretListItem)(row, req.opencode_session_id === undefined)
+    });
+}, true));
+router.delete("/global/:key", (0, utils_1.apiHandler)(async (req, res) => {
+    if (req.role !== "Engineer") {
+        throw {
+            status: 403,
+            message: "Only engineers can manage global secrets"
+        };
+    }
+    const key = (0, secrets_1.assertSecretKey)(req.params.key);
+    await client_1.default.global_secrets.delete({
+        where: { key }
+    }).catch(() => {
+        throw {
+            status: 404,
+            message: `Global secret not found for key: ${key}`
+        };
+    });
+    res.json({ success: true });
+}, true));
+exports.default = router;

package/dist/skills/index.js

@@ -17,6 +17,8 @@ const skill_files_1 = require("../utils/skill-files");
 const resource_file_routes_1 = require("../utils/resource-file-routes");
 const skill_approval_snapshot_1 = require("../utils/skill-approval-snapshot");
 const resource_access_1 = require("../utils/resource-access");
+const secrets_1 = require("../utils/secrets");
+const secret_contract_validation_1 = require("../utils/secret-contract-validation");
 const router = express_1.default.Router({ mergeParams: true });
 const uploadTmpDir = path_1.default.join(os_1.default.tmpdir(), "teamcopilot-skill-uploads");
 fs_1.default.mkdirSync(uploadTmpDir, { recursive: true });
@@ -77,6 +79,7 @@ router.get("/", (0, index_1.apiHandler)(async (req, res) => {
     const slugs = (0, skill_1.listSkillSlugs)();
     const skills = [];
     const creatorIds = new Set();
+    const resolvedSecrets = await (0, secrets_1.listResolvedSecretsForUser)(req.userId);
     const metadataBySlug = new Map();
     for (const slug of slugs) {
         const metadata = await (0, skill_1.getOrCreateSkillMetadataAndEnsurePermission)(slug);
@@ -122,6 +125,8 @@ router.get("/", (0, index_1.apiHandler)(async (req, res) => {
             can_edit: accessSummary.can_edit,
             permission_mode: accessSummary.permission_mode,
             is_locked_due_to_missing_users: accessSummary.is_locked_due_to_missing_users,
+            required_secrets: manifest.required_secrets,
+            missing_required_secrets: (0, secrets_1.resolveSecretsFromResolvedMap)(resolvedSecrets, manifest.required_secrets).missingKeys,
         });
     }
     res.json({ skills });
@@ -144,6 +149,7 @@ router.get("/:slug", (0, index_1.apiHandler)(async (req, res) => {
     const approver = approvedByUserId ? (usersById.get(approvedByUserId) ?? null) : null;
     const accessSummary = await (0, resource_access_1.getResourceAccessSummary)("skill", slug, req.userId);
     const permission = await (0, skill_permissions_1.getSkillAccessPermissionWithUsers)(slug);
+    const secretResolution = await (0, secrets_1.resolveSecretsForUser)(req.userId, manifest.required_secrets);
     const permissionMode = (0, permission_common_1.assertCommonPermissionMode)(permission.permission_mode, "skill access");
     const permissions = permissionMode === "everyone"
         ? { mode: "everyone" }
@@ -163,6 +169,8 @@ router.get("/:slug", (0, index_1.apiHandler)(async (req, res) => {
             can_edit: accessSummary.can_edit,
             permission_mode: accessSummary.permission_mode,
             is_locked_due_to_missing_users: accessSummary.is_locked_due_to_missing_users,
+            required_secrets: manifest.required_secrets,
+            missing_required_secrets: secretResolution.missingKeys,
             permissions,
             allowed_users_resolved: permission.allowedUsers.map((row) => ({
                 user_id: row.user.id,
@@ -174,6 +182,40 @@ router.get("/:slug", (0, index_1.apiHandler)(async (req, res) => {
         }
     });
 }, true));
+router.get("/:slug/runtime-content", (0, index_1.apiHandler)(async (req, res) => {
+    const slug = req.params.slug;
+    await assertCanViewSkillFiles(slug, req.userId);
+    const { manifest } = await (0, skill_1.readSkillManifestAndEnsurePermissions)(slug);
+    const accessSummary = await (0, resource_access_1.getResourceAccessSummary)("skill", slug, req.userId);
+    if (!accessSummary.is_approved) {
+        throw {
+            status: 403,
+            message: `Skill "${slug}" is not approved yet. Only approved skills can be read through getSkillContent.`
+        };
+    }
+    const skillContent = await (0, skill_files_1.readSkillFileContent)(slug, "SKILL.md");
+    if (skillContent.kind !== "text") {
+        throw {
+            status: 500,
+            message: "SKILL.md must be a text file"
+        };
+    }
+    (0, secret_contract_validation_1.validateSkillSecretContract)(skillContent.content ?? "");
+    const secretResolution = await (0, secrets_1.resolveSecretsForUser)(req.userId, manifest.required_secrets);
+    if (secretResolution.missingKeys.length > 0) {
+        throw {
+            status: 400,
+            message: `I can't use skill "${slug}" because these required secrets are missing: ${secretResolution.missingKeys.join(", ")}. Ask the user to add these keys in TeamCopilot Profile Secrets before using this skill.`
+        };
+    }
+    res.json({
+        skill: {
+            slug,
+            path: skillContent.path,
+            content: skillContent.content ?? "",
+        }
+    });
+}, true));
 router.post("/:slug/approve", (0, index_1.apiHandler)(async (req, res) => {
     const slug = req.params.slug;
     const approvalResult = await (0, skill_approval_snapshot_1.approveSkillWithSnapshot)(slug, req.userId);
@@ -212,6 +254,7 @@ router.get("/:slug/approval-diff", (0, index_1.apiHandler)(async (req, res) => {
     const previousSnapshot = await (0, skill_approval_snapshot_1.loadApprovedSkillSnapshotFromDb)(slug);
     const currentSnapshot = (0, skill_approval_snapshot_1.collectCurrentSkillSnapshot)(slug);
     const diff = (0, skill_approval_snapshot_1.buildSkillApprovalDiffResponse)(previousSnapshot, currentSnapshot);
+    res.locals.skipResponseSanitization = true;
     res.json(diff);
 }, true));
 (0, resource_file_routes_1.registerResourceFileRoutes)({
@@ -230,7 +273,6 @@ router.get("/:slug/approval-diff", (0, index_1.apiHandler)(async (req, res) => {
     uploadFileFromTempPath: skill_files_1.uploadSkillFileFromTempPath,
     renamePath: skill_files_1.renameSkillPath,
     deletePath: skill_files_1.deleteSkillPath,
-    skipResponseSanitizationForFileContentRead: false,
 });
 const updateSkillPermissionsHandler = (0, index_1.apiHandler)(async (req, res) => {
     const slug = req.params.slug;

package/dist/users/index.js

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = __importDefault(require("express"));
 const client_1 = __importDefault(require("../prisma/client"));
 const index_1 = require("../utils/index");
+const secrets_1 = require("../utils/secrets");
 const router = express_1.default.Router({ mergeParams: true });
 router.get("/", (0, index_1.apiHandler)(async (_req, res) => {
     const users = await client_1.default.users.findMany({
@@ -19,4 +20,101 @@ router.get("/", (0, index_1.apiHandler)(async (_req, res) => {
     });
     res.json({ users });
 }, true));
+router.get("/me/secrets", (0, index_1.apiHandler)(async (req, res) => {
+    const rows = await client_1.default.user_secrets.findMany({
+        where: {
+            user_id: req.userId,
+        },
+        orderBy: { key: "asc" }
+    });
+    const shouldMaskValues = req.opencode_session_id === undefined;
+    res.json({
+        secrets: rows.map((row) => (0, secrets_1.toSecretListItem)(row, shouldMaskValues))
+    });
+}, true));
+router.get("/me/resolved-secrets", (0, index_1.apiHandler)(async (req, res) => {
+    const resolvedSecretMap = await (0, secrets_1.listResolvedSecretsForUser)(req.userId);
+    res.json({
+        secret_keys: Object.keys(resolvedSecretMap),
+        total: Object.keys(resolvedSecretMap).length,
+    });
+}, true));
+router.post("/me/resolve-secrets", (0, index_1.apiHandler)(async (req, res) => {
+    if (req.opencode_session_id === undefined) {
+        throw {
+            status: 403,
+            message: "This endpoint requires an opencode session token"
+        };
+    }
+    const rawKeys = Array.isArray(req.body?.keys) ? req.body.keys : [];
+    const requestedKeys = rawKeys
+        .filter((key) => typeof key === "string")
+        .map((key) => (0, secrets_1.assertSecretKey)(key));
+    if (requestedKeys.length === 0) {
+        throw {
+            status: 400,
+            message: "keys is required"
+        };
+    }
+    const resolution = await (0, secrets_1.resolveSecretsForUser)(req.userId, requestedKeys);
+    if (resolution.missingKeys.length > 0) {
+        throw {
+            status: 400,
+            message: `This command references missing secrets: ${resolution.missingKeys.join(", ")}. Ask the user to add these keys in TeamCopilot Profile Secrets before retrying.`
+        };
+    }
+    res.json({
+        secret_map: resolution.secretMap,
+    });
+}, true));
+router.put("/me/secrets/:key", (0, index_1.apiHandler)(async (req, res) => {
+    const key = (0, secrets_1.assertSecretKey)(req.params.key);
+    const value = typeof req.body?.value === "string" ? req.body.value : "";
+    if (value.length === 0) {
+        throw {
+            status: 400,
+            message: "value is required"
+        };
+    }
+    const now = BigInt(Date.now());
+    const row = await client_1.default.user_secrets.upsert({
+        where: {
+            user_id_key: {
+                user_id: req.userId,
+                key,
+            }
+        },
+        create: {
+            user_id: req.userId,
+            key,
+            value,
+            created_at: now,
+            updated_at: now,
+        },
+        update: {
+            value,
+            updated_at: now,
+        }
+    });
+    res.json({
+        secret: (0, secrets_1.toSecretListItem)(row, req.opencode_session_id === undefined)
+    });
+}, true));
+router.delete("/me/secrets/:key", (0, index_1.apiHandler)(async (req, res) => {
+    const key = (0, secrets_1.assertSecretKey)(req.params.key);
+    await client_1.default.user_secrets.delete({
+        where: {
+            user_id_key: {
+                user_id: req.userId,
+                key,
+            }
+        }
+    }).catch(() => {
+        throw {
+            status: 404,
+            message: `Secret not found for key: ${key}`
+        };
+    });
+    res.json({ success: true });
+}, true));
 exports.default = router;

package/dist/utils/redact.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sanitizeStringContent = sanitizeStringContent;
 exports.sanitizeForClient = sanitizeForClient;
 const SENSITIVE_KEY_PATTERN = /(token|secret|password|passwd|api[_-]?key|auth|credential)/i;
+const SECRET_PLACEHOLDER_PATTERN = /\{\{SECRET:[A-Z][A-Z0-9_]*\}\}/g;
 function maskValue(value) {
     if (value.startsWith("***")) {
         return value;
@@ -14,14 +15,40 @@ function maskValue(value) {
 function isLikelySensitiveKey(key) {
     return SENSITIVE_KEY_PATTERN.test(key);
 }
+function isProtectedSecretPlaceholderToken(value) {
+    return /__TCPLH_\d+__/.test(value.trim());
+}
+function isSecretPlaceholderValue(value) {
+    return value.trim().match(/^\{\{SECRET:[A-Z][A-Z0-9_]*\}\}$/) !== null;
+}
+function protectSecretPlaceholders(input) {
+    const placeholders = [];
+    const protectedText = input.replace(SECRET_PLACEHOLDER_PATTERN, (match) => {
+        const index = placeholders.push(match) - 1;
+        return `__TCPLH_${index}__`;
+    });
+    return {
+        protectedText,
+        restore: (value) => value.replace(/__TCPLH_(\d+)__/g, (_full, rawIndex) => {
+            const index = Number(rawIndex);
+            return placeholders[index] ?? _full;
+        }),
+    };
+}
 function sanitizeStringContent(input) {
-    let text = input;
+    const { protectedText, restore } = protectSecretPlaceholders(input);
+    let text = protectedText;
     // Redact credentials embedded in URLs such as:
     // https://user:password@host/path
     text = text.replace(/\b(https?:\/\/)([^\/\s"'@:]+):([^\/\s"'@]+)@/gi, (_full, scheme, username, password) => `${scheme}${username}:${maskValue(password)}@`);
     // Redact Authorization header bearer tokens before generic key/value masking so
     // "Authorization: Bearer <token>" doesn't get partially masked as "***rer".
-    text = text.replace(/(\bAuthorization\s*[:=]\s*)(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})/gi, (_full, prefix, bearer, token) => `${prefix}${bearer}${maskValue(token)}`);
+    text = text.replace(/(\bAuthorization\s*[:=]\s*)(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})/gi, (_full, prefix, bearer, token) => {
+        if (isProtectedSecretPlaceholderToken(token)) {
+            return `${prefix}${bearer}${token}`;
+        }
+        return `${prefix}${bearer}${maskValue(token)}`;
+    });
     // Redact sensitive markdown list/label items such as:
     // - **password**: value
     // - **password** = value
@@ -34,6 +61,9 @@ function sanitizeStringContent(input) {
         if (!rawValue) {
             return full;
         }
+        if (isProtectedSecretPlaceholderToken(rawValue)) {
+            return full;
+        }
         const masked = maskValue(rawValue);
         if (doubleQuoted !== undefined) {
             return `${lineLead}${prefix}${openMarker}${key}${closeMarker}${separator}"${masked}"`;
@@ -54,6 +84,9 @@ function sanitizeStringContent(input) {
         if (!rawValue) {
             return full;
         }
+        if (isProtectedSecretPlaceholderToken(rawValue)) {
+            return full;
+        }
         const masked = maskValue(rawValue);
         if (doubleQuoted !== undefined) {
             return `${lead}${assignmentPrefix}"${masked}"`;
@@ -73,6 +106,9 @@ function sanitizeStringContent(input) {
         if (!rawValue) {
             return full;
         }
+        if (isProtectedSecretPlaceholderToken(rawValue)) {
+            return full;
+        }
         if (key.toLowerCase() === "authorization" && /^bearer$/i.test(rawValue)) {
             return full;
         }
@@ -80,6 +116,9 @@ function sanitizeStringContent(input) {
         if (key.toLowerCase() === "authorization" && authorizationMatch) {
             const bearerPrefix = authorizationMatch[1];
             const bearerToken = authorizationMatch[2];
+            if (isProtectedSecretPlaceholderToken(bearerToken)) {
+                return full;
+            }
             const maskedBearer = `${bearerPrefix}${maskValue(bearerToken)}`;
             if (doubleQuoted !== undefined) {
                 return `${lead}${assignmentPrefix}"${maskedBearer}"`;
@@ -99,15 +138,23 @@ function sanitizeStringContent(input) {
         return `${lead}${assignmentPrefix}${masked}`;
     });
     // Redact common bearer and provider token forms.
-    text = text.replace(/\b(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})\b/gi, (_full, prefix, token) => `${prefix}${maskValue(token)}`);
+    text = text.replace(/\b(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})\b/gi, (_full, prefix, token) => {
+        if (isProtectedSecretPlaceholderToken(token)) {
+            return `${prefix}${token}`;
+        }
+        return `${prefix}${maskValue(token)}`;
+    });
     text = text.replace(/\b(sk-[A-Za-z0-9_-]{8,})\b/g, (token) => maskValue(token));
     text = text.replace(/\b(ghp_[A-Za-z0-9]{8,})\b/g, (token) => maskValue(token));
-    return text;
+    return restore(text);
 }
 function sanitizeObjectRecord(input) {
     const output = {};
     for (const [key, value] of Object.entries(input)) {
-        if (typeof value === "string" && isLikelySensitiveKey(key)) {
+        if (typeof value === "string"
+            && isLikelySensitiveKey(key)
+            && !isProtectedSecretPlaceholderToken(value)
+            && !isSecretPlaceholderValue(value)) {
             output[key] = maskValue(value);
             continue;
         }

package/dist/utils/resource-file-routes.js

@@ -7,7 +7,7 @@ exports.registerResourceFileRoutes = registerResourceFileRoutes;
 const fs_1 = __importDefault(require("fs"));
 const index_1 = require("./index");
 function registerResourceFileRoutes(options) {
-    const { router, uploadMiddleware, ensureResourceExists, assertCanView, getEditorAccess, assertCanEdit, listDirectory, readFileContent, saveFileContent, createFileOrFolder, uploadFileFromTempPath, renamePath, deletePath, skipResponseSanitizationForFileContentRead = true, } = options;
+    const { router, uploadMiddleware, ensureResourceExists, assertCanView, getEditorAccess, assertCanEdit, listDirectory, readFileContent, saveFileContent, createFileOrFolder, uploadFileFromTempPath, renamePath, deletePath, } = options;
     router.get("/:slug/files/access", (0, index_1.apiHandler)(async (req, res) => {
         const slug = req.params.slug;
         const authReq = req;
@@ -30,9 +30,7 @@ function registerResourceFileRoutes(options) {
         await ensureResourceExists(slug);
         const rawPath = typeof req.query.path === "string" ? req.query.path : undefined;
         const content = readFileContent(slug, rawPath);
-        if (skipResponseSanitizationForFileContentRead) {
-            res.locals.skipResponseSanitization = true;
-        }
+        res.locals.skipResponseSanitization = true;
         res.json(content);
     }, true));
     router.put("/:slug/files/content", (0, index_1.apiHandler)(async (req, res) => {

package/dist/utils/resource-files.js

@@ -10,7 +10,7 @@ const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const redact_1 = require("./redact");
 function createResourceFileManager(options) {
-    const { getResourcePath, resourceLabel, editorLabel } = options;
+    const { getResourcePath, resourceLabel, editorLabel, validateBeforeSave } = options;
     const rootLabel = `${resourceLabel} root`;
     const symlinkError = `${editorLabel} editor does not support symlinks`;
     function getResolvedRootPaths(slug) {
@@ -345,10 +345,18 @@ function createResourceFileManager(options) {
         }
         const name = path_1.default.basename(relativePath);
         const currentRawContent = currentBytes.toString("utf-8");
-        const wasServedRedacted = name === ".env" || resourceLabel === "skill";
+        const wasServedRedacted = name === ".env";
         const nextContent = wasServedRedacted
             ? mergeRedactedEditorContent(currentRawContent, request.content)
             : request.content;
+        if (validateBeforeSave) {
+            validateBeforeSave({
+                slug,
+                resourcePath: getResourcePath(slug),
+                relativePath,
+                nextContent,
+            });
+        }
         fs_1.default.writeFileSync(absolutePath, nextContent, "utf-8");
         const nextBytes = fs_1.default.readFileSync(absolutePath);
         const nextStat = fs_1.default.statSync(absolutePath);