untrap-mcp 0.1.0

package/dist/auth/api-keys.d.ts

@@ -0,0 +1,53 @@
+interface ApiKeyValidation {
+    valid: boolean;
+    mspId?: string;
+    keyId?: string;
+    name?: string;
+    scopes?: string[];
+    error?: string;
+}
+/**
+ * Generate a new API key.
+ * Returns the raw key (shown once to user) and the hash (stored in DB).
+ */
+export declare function generateApiKey(): {
+    rawKey: string;
+    keyHash: string;
+};
+/**
+ * Validate an API key and return the associated MSP ID.
+ * This is the core auth function — the key determines which MSP's data you can access.
+ *
+ * Uses a SECURITY DEFINER function (lookup_api_key_by_hash) to bypass RLS
+ * for this single bootstrap lookup. We don't know the mspId yet — that's
+ * what we're resolving — so normal RLS can't work here.
+ */
+export declare function validateApiKey(rawKey: string): Promise<ApiKeyValidation>;
+/**
+ * Create a new API key for an MSP. Called from the dashboard API route.
+ * Returns the raw key (shown once) — it cannot be retrieved again.
+ */
+export declare function createApiKeyForMsp(mspId: string, name: string, createdBy: string, scopes?: string[], expiresInDays?: number): Promise<{
+    rawKey: string;
+    keyId: string;
+}>;
+/**
+ * Revoke an API key. Called from the dashboard API route.
+ */
+export declare function revokeApiKey(mspId: string, keyId: string): Promise<boolean>;
+/**
+ * List API keys for an MSP (without hashes). Called from the dashboard.
+ */
+export declare function listApiKeys(mspId: string): Promise<{
+    id: string;
+    name: string;
+    key_prefix: string;
+    scopes: string[];
+    is_active: boolean;
+    last_used_at: string | null;
+    expires_at: string | null;
+    created_by: string;
+    created_at: string;
+}[]>;
+export {};
+//# sourceMappingURL=api-keys.d.ts.map

package/dist/auth/api-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-keys.d.ts","sourceRoot":"","sources":["../../src/auth/api-keys.ts"],"names":[],"mappings":"AAkBA,UAAU,gBAAgB;IACxB,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAUD;;;GAGG;AACH,wBAAgB,cAAc,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAKpE;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA0D9E;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,GAAE,MAAM,EAAY,EAC1B,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAwB5C;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,OAAO,CAAC,CAOlB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM;QAEvC,MAAM;UACJ,MAAM;gBACA,MAAM;YACV,MAAM,EAAE;eACL,OAAO;kBACJ,MAAM,GAAG,IAAI;gBACf,MAAM,GAAG,IAAI;gBACb,MAAM;gBACN,MAAM;KAWrB"}

package/dist/auth/api-keys.js

@@ -0,0 +1,115 @@
+import { createHash, randomBytes } from "node:crypto";
+import { queryRLS, queryWrite } from "../db/gateway-client.js";
+import { getServerMode } from "../config.js";
+const KEY_PREFIX = "untrap_sk_";
+/**
+ * Hash an API key using SHA-256.
+ * We never store the raw key — only the hash.
+ */
+function hashKey(rawKey) {
+    return createHash("sha256").update(rawKey).digest("hex");
+}
+/**
+ * Generate a new API key.
+ * Returns the raw key (shown once to user) and the hash (stored in DB).
+ */
+export function generateApiKey() {
+    const random = randomBytes(32).toString("base64url");
+    const rawKey = `${KEY_PREFIX}${random}`;
+    const keyHash = hashKey(rawKey);
+    return { rawKey, keyHash };
+}
+/**
+ * Validate an API key and return the associated MSP ID.
+ * This is the core auth function — the key determines which MSP's data you can access.
+ *
+ * Uses a SECURITY DEFINER function (lookup_api_key_by_hash) to bypass RLS
+ * for this single bootstrap lookup. We don't know the mspId yet — that's
+ * what we're resolving — so normal RLS can't work here.
+ */
+export async function validateApiKey(rawKey) {
+    // Basic format check
+    if (!rawKey.startsWith(KEY_PREFIX)) {
+        return { valid: false, error: "Invalid key format" };
+    }
+    const keyHash = hashKey(rawKey);
+    try {
+        // Use SECURITY DEFINER function — bypasses RLS for this narrow lookup.
+        // The function only accepts a key_hash and returns the minimum fields
+        // needed for auth. It cannot enumerate or scan the table.
+        const rows = await queryWrite(`SELECT id, msp_id, name, scopes, is_active, expires_at
+       FROM lookup_api_key_by_hash($1)`, [keyHash], 
+        // The mspId here is only needed for the Gateway Lambda's SET LOCAL.
+        // The SECURITY DEFINER function ignores RLS, so this value doesn't matter.
+        "00000000-0000-0000-0000-000000000000");
+        if (rows.length === 0) {
+            return { valid: false, error: "Invalid API key" };
+        }
+        const key = rows[0];
+        // Check if key is active
+        if (!key.is_active) {
+            return { valid: false, error: "API key has been revoked" };
+        }
+        // Check expiration
+        if (key.expires_at && new Date(key.expires_at) < new Date()) {
+            return { valid: false, error: "API key has expired" };
+        }
+        // Update last_used_at (fire and forget — only in modes with direct DB write access)
+        if (getServerMode() !== "production") {
+            queryWrite(`UPDATE mcp_api_keys SET last_used_at = NOW() WHERE id = $1 AND msp_id = $2`, [key.id, key.msp_id], key.msp_id).catch(() => {
+                // Non-critical, don't fail the request
+            });
+        }
+        return {
+            valid: true,
+            mspId: key.msp_id,
+            keyId: key.id,
+            name: key.name,
+            scopes: key.scopes,
+        };
+    }
+    catch {
+        return { valid: false, error: "Authentication service unavailable" };
+    }
+}
+/**
+ * Create a new API key for an MSP. Called from the dashboard API route.
+ * Returns the raw key (shown once) — it cannot be retrieved again.
+ */
+export async function createApiKeyForMsp(mspId, name, createdBy, scopes = ["all"], expiresInDays) {
+    const { rawKey, keyHash } = generateApiKey();
+    const expiresAt = expiresInDays
+        ? new Date(Date.now() + expiresInDays * 86400000).toISOString()
+        : null;
+    const rows = await queryWrite(`INSERT INTO mcp_api_keys (msp_id, key_hash, key_prefix, name, scopes, created_by, expires_at)
+     VALUES ($1, $2, $3, $4, $5::text[], $6, $7::timestamptz)
+     RETURNING id`, [
+        mspId,
+        keyHash,
+        rawKey.substring(0, 15) + "...", // Store prefix for identification
+        name,
+        scopes,
+        createdBy,
+        expiresAt,
+    ], mspId);
+    return { rawKey, keyId: rows[0].id };
+}
+/**
+ * Revoke an API key. Called from the dashboard API route.
+ */
+export async function revokeApiKey(mspId, keyId) {
+    const rows = await queryWrite(`UPDATE mcp_api_keys SET is_active = false WHERE id = $1 AND msp_id = $2 RETURNING id`, [keyId, mspId], mspId);
+    return rows.length > 0;
+}
+/**
+ * List API keys for an MSP (without hashes). Called from the dashboard.
+ */
+export async function listApiKeys(mspId) {
+    const rows = await queryRLS(`SELECT id, name, key_prefix, scopes, is_active, last_used_at::text,
+            expires_at::text, created_by, created_at::text
+     FROM mcp_api_keys
+     WHERE msp_id = $1
+     ORDER BY created_at DESC`, [mspId], mspId);
+    return rows;
+}
+//# sourceMappingURL=api-keys.js.map

package/dist/auth/api-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-keys.js","sourceRoot":"","sources":["../../src/auth/api-keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,MAAM,UAAU,GAAG,YAAY,CAAC;AAuBhC;;;GAGG;AACH,SAAS,OAAO,CAAC,MAAc;IAC7B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACrD,MAAM,MAAM,GAAG,GAAG,UAAU,GAAG,MAAM,EAAE,CAAC;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAChC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC7B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAc;IACjD,qBAAqB;IACrB,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEhC,IAAI,CAAC;QACH,uEAAuE;QACvE,sEAAsE;QACtE,0DAA0D;QAC1D,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B;uCACiC,EACjC,CAAC,OAAO,CAAC;QACT,oEAAoE;QACpE,2EAA2E;QAC3E,sCAAsC,CACvC,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEpB,yBAAyB;QACzB,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC;QAC7D,CAAC;QAED,mBAAmB;QACnB,IAAI,GAAG,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAC5D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,oFAAoF;QACpF,IAAI,aAAa,EAAE,KAAK,YAAY,EAAE,CAAC;YACrC,UAAU,CACR,4EAA4E,EAC5E,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,EACpB,GAAG,CAAC,MAAM,CACX,CAAC,KAAK,CAAC,GAAG,EAAE;gBACX,uCAAuC;YACzC,CAAC,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,KAAK,EAAE,GAAG,CAAC,MAAM;YACjB,KAAK,EAAE,GAAG,CAAC,EAAE;YACb,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,GAAG,CAAC,MAAM;SACnB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;IACvE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAa,EACb,IAAY,EACZ,SAAiB,EACjB,SAAmB,CAAC,KAAK,CAAC,EAC1B,aAAsB;IAEtB,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,cAAc,EAAE,CAAC;IAE7C,MAAM,SAAS,GAAG,aAAa;QAC7B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE;QAC/D,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B;;kBAEc,EACd;QACE,KAAK;QACL,OAAO;QACP,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,EAAE,kCAAkC;QACnE,IAAI;QACJ,MAAM;QACN,SAAS;QACT,SAAS;KACV,EACD,KAAK,CACN,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAa,EACb,KAAa;IAEb,MAAM,IAAI,GAAG,MAAM,UAAU,CAC3B,sFAAsF,EACtF,CAAC,KAAK,EAAE,KAAK,CAAC,EACd,KAAK,CACN,CAAC;IACF,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,KAAa;IAC7C,MAAM,IAAI,GAAG,MAAM,QAAQ,CAWzB;;;;8BAI0B,EAC1B,CAAC,KAAK,CAAC,EACP,KAAK,CACN,CAAC;IACF,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/auth/rate-limiter.d.ts

@@ -0,0 +1,6 @@
+export declare function checkRateLimit(mspId: string, toolName: string): Promise<{
+    allowed: boolean;
+    remaining: number;
+    limit: number;
+}>;
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/auth/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/auth/rate-limiter.ts"],"names":[],"mappings":"AAgFA,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBjE"}

package/dist/auth/rate-limiter.js

@@ -0,0 +1,77 @@
+import { config } from "../config.js";
+const TOOL_TIERS = {
+    // Tier 1: Analytics (read-only)
+    get_client_health_scores: "tier1",
+    get_disengaged_clients: "tier1",
+    get_backlog_pressure: "tier1",
+    get_technician_performance: "tier1",
+    get_pattern_clusters: "tier1",
+    get_billing_opportunities: "tier1",
+    get_qc_violations: "tier1",
+    get_client_experience: "tier1",
+    get_sla_breaches_by_technician: "tier1",
+    get_sla_breach_tickets: "tier1",
+    // Tier 2: AI-powered
+    explain_budget_overage: "tier2",
+    explain_experience_score: "tier2",
+    explain_sla_variance: "tier2",
+    suggest_technician_improvement: "tier2",
+    find_similar_tickets: "tier2",
+    analyze_root_causes: "tier2",
+    search_knowledge_base: "tier2",
+    // Tier 3: QBR
+    qbr_executive_summary: "tier3",
+    qbr_ticket_trends: "tier3",
+    qbr_client_health_overview: "tier3",
+    qbr_client_detail: "tier3",
+    qbr_sla_performance: "tier3",
+    qbr_technician_scorecard: "tier3",
+    qbr_top_issues: "tier3",
+    qbr_financial_summary: "tier3",
+    qbr_recommendations: "tier3",
+    // Tier 4: NL Query
+    query_data: "tier4",
+    // Tier 5: Composite
+    what_needs_attention_now: "tier5",
+    get_ticket_deep_dive: "tier5",
+    get_client_360: "tier5",
+    get_technician_360: "tier5",
+    compare_periods: "tier5",
+    draft_client_email: "tier5",
+    // Tier 6: Config
+    get_msp_context: "tier6",
+    get_configured_boards: "tier6",
+    get_configured_agreements: "tier6",
+    get_configured_technicians: "tier6",
+    get_agent_statuses: "tier6",
+    // CFO tools
+    cfo_financial_overview: "tier1",
+    cfo_client_profitability: "tier1",
+    cfo_technician_utilization: "tier1",
+    cfo_revenue_leakage: "tier1",
+    cfo_labor_cost_trend: "tier1",
+    cfo_agreement_analysis: "tier1",
+    cfo_service_cost_analysis: "tier2",
+};
+const buckets = new Map();
+function today() {
+    return new Date().toISOString().split("T")[0];
+}
+export async function checkRateLimit(mspId, toolName) {
+    const tier = TOOL_TIERS[toolName] ?? "tier1";
+    const limit = config.rateLimits[tier];
+    const key = `${mspId}:${toolName}`;
+    const now = today();
+    let bucket = buckets.get(key);
+    // Reset if new day or first call
+    if (!bucket || bucket.resetDate !== now) {
+        bucket = { count: 0, resetDate: now };
+        buckets.set(key, bucket);
+    }
+    if (bucket.count >= limit) {
+        return { allowed: false, remaining: 0, limit };
+    }
+    bucket.count++;
+    return { allowed: true, remaining: limit - bucket.count, limit };
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/auth/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/auth/rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAItC,MAAM,UAAU,GAA6B;IAC3C,gCAAgC;IAChC,wBAAwB,EAAE,OAAO;IACjC,sBAAsB,EAAE,OAAO;IAC/B,oBAAoB,EAAE,OAAO;IAC7B,0BAA0B,EAAE,OAAO;IACnC,oBAAoB,EAAE,OAAO;IAC7B,yBAAyB,EAAE,OAAO;IAClC,iBAAiB,EAAE,OAAO;IAC1B,qBAAqB,EAAE,OAAO;IAC9B,8BAA8B,EAAE,OAAO;IACvC,sBAAsB,EAAE,OAAO;IAE/B,qBAAqB;IACrB,sBAAsB,EAAE,OAAO;IAC/B,wBAAwB,EAAE,OAAO;IACjC,oBAAoB,EAAE,OAAO;IAC7B,8BAA8B,EAAE,OAAO;IACvC,oBAAoB,EAAE,OAAO;IAC7B,mBAAmB,EAAE,OAAO;IAC5B,qBAAqB,EAAE,OAAO;IAE9B,cAAc;IACd,qBAAqB,EAAE,OAAO;IAC9B,iBAAiB,EAAE,OAAO;IAC1B,0BAA0B,EAAE,OAAO;IACnC,iBAAiB,EAAE,OAAO;IAC1B,mBAAmB,EAAE,OAAO;IAC5B,wBAAwB,EAAE,OAAO;IACjC,cAAc,EAAE,OAAO;IACvB,qBAAqB,EAAE,OAAO;IAC9B,mBAAmB,EAAE,OAAO;IAE5B,mBAAmB;IACnB,UAAU,EAAE,OAAO;IAEnB,oBAAoB;IACpB,wBAAwB,EAAE,OAAO;IACjC,oBAAoB,EAAE,OAAO;IAC7B,cAAc,EAAE,OAAO;IACvB,kBAAkB,EAAE,OAAO;IAC3B,eAAe,EAAE,OAAO;IACxB,kBAAkB,EAAE,OAAO;IAE3B,iBAAiB;IACjB,eAAe,EAAE,OAAO;IACxB,qBAAqB,EAAE,OAAO;IAC9B,yBAAyB,EAAE,OAAO;IAClC,0BAA0B,EAAE,OAAO;IACnC,kBAAkB,EAAE,OAAO;IAE3B,YAAY;IACZ,sBAAsB,EAAE,OAAO;IAC/B,wBAAwB,EAAE,OAAO;IACjC,0BAA0B,EAAE,OAAO;IACnC,mBAAmB,EAAE,OAAO;IAC5B,oBAAoB,EAAE,OAAO;IAC7B,sBAAsB,EAAE,OAAO;IAC/B,yBAAyB,EAAE,OAAO;CACnC,CAAC;AAWF,MAAM,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC;AAE/C,SAAS,KAAK;IACZ,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAa,EACb,QAAgB;IAEhB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC;IAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,GAAG,KAAK,IAAI,QAAQ,EAAE,CAAC;IACnC,MAAM,GAAG,GAAG,KAAK,EAAE,CAAC;IAEpB,IAAI,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE9B,iCAAiC;IACjC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,KAAK,GAAG,EAAE,CAAC;QACxC,MAAM,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,IAAI,KAAK,EAAE,CAAC;QAC1B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC;IACjD,CAAC;IAED,MAAM,CAAC,KAAK,EAAE,CAAC;IACf,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,CAAC;AACnE,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,42 @@
+export declare const config: {
+    readonly gatewayApiUrl: string;
+    readonly gatewayApiUrlRead: string;
+    readonly gatewayApiKey: string;
+    readonly azureOpenAiEndpoint: string;
+    readonly azureOpenAiApiKey: string;
+    readonly azureOpenAiDeployment: string;
+    readonly azureOpenAiApiVersion: string;
+    readonly untrapApiUrl: string;
+    readonly apiKey: string;
+    readonly devMspId: string;
+    readonly rateLimits: {
+        readonly tier1: 500;
+        readonly tier2: 50;
+        readonly tier3: 10;
+        readonly tier4: 100;
+        readonly tier5: 200;
+        readonly tier6: 500;
+    };
+    readonly maxConcurrentRequests: 2;
+    readonly requestDelayMs: 300;
+    readonly requestTimeoutMs: 45000;
+    readonly maxRetries: 3;
+};
+/**
+ * Three operating modes:
+ *
+ * 1. DEV MODE: MSP_ID + GATEWAY_API_KEY
+ *    → Hardcoded msp_id, queries Gateway directly. Local testing only.
+ *
+ * 2. GATEWAY AUTH MODE: UNTRAP_API_KEY + GATEWAY_API_KEY (no MSP_ID)
+ *    → API key resolves msp_id, queries Gateway directly.
+ *    → For internal testing — doesn't need proxy deployed.
+ *
+ * 3. PRODUCTION MODE: UNTRAP_API_KEY only (no GATEWAY_API_KEY)
+ *    → API key auth + queries go through Untrap API proxy.
+ *    → Gateway key never leaves the server. Shipped to MSPs.
+ */
+export type ServerMode = "dev" | "gateway_auth" | "production";
+export declare function getServerMode(): ServerMode;
+export declare function validateConfig(): string[];
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;CAsCT,CAAC;AAEX;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,cAAc,GAAG,YAAY,CAAC;AAE/D,wBAAgB,aAAa,IAAI,UAAU,CAI1C;AAED,wBAAgB,cAAc,IAAI,MAAM,EAAE,CAoBzC"}

package/dist/config.js

@@ -0,0 +1,62 @@
+export const config = {
+    // Gateway API (RDS access with RLS)
+    gatewayApiUrl: process.env.GATEWAY_API_URL || "",
+    gatewayApiUrlRead: process.env.GATEWAY_API_URL_READ || "",
+    gatewayApiKey: process.env.GATEWAY_API_KEY || "",
+    // Azure OpenAI (for AI-powered tools)
+    azureOpenAiEndpoint: process.env.AZURE_OPENAI_ENDPOINT || "",
+    azureOpenAiApiKey: process.env.AZURE_OPENAI_KEY || process.env.AZURE_OPENAI_API_KEY || "",
+    azureOpenAiDeployment: process.env.AZURE_OPENAI_DEPLOYMENT_NAME || "",
+    azureOpenAiApiVersion: process.env.AZURE_OPENAI_API_VERSION || "2024-12-01-preview",
+    // Untrap API URL (production proxy endpoint)
+    untrapApiUrl: process.env.UNTRAP_API_URL || "https://app.getuntrap.com",
+    // Auth — API key determines which MSP's data is accessible
+    // In stdio mode, the key is passed via env var at startup
+    apiKey: process.env.UNTRAP_API_KEY || "",
+    // Dev mode — bypass API key auth and use MSP_ID directly
+    // ONLY for local testing. Never use in production.
+    devMspId: process.env.MSP_ID || "",
+    // Rate limiting defaults
+    rateLimits: {
+        tier1: 500, // Analytics (read-only)
+        tier2: 50, // AI-powered
+        tier3: 10, // QBR
+        tier4: 100, // NL Query
+        tier5: 200, // Composite
+        tier6: 500, // Config
+    },
+    // Request queue settings
+    maxConcurrentRequests: 2,
+    requestDelayMs: 300,
+    requestTimeoutMs: 45_000,
+    maxRetries: 3,
+};
+export function getServerMode() {
+    if (config.devMspId && config.gatewayApiKey)
+        return "dev";
+    if (config.apiKey && config.gatewayApiKey)
+        return "gateway_auth";
+    return "production";
+}
+export function validateConfig() {
+    const errors = [];
+    const mode = getServerMode();
+    if (mode === "dev") {
+        if (!config.gatewayApiUrl) {
+            errors.push("GATEWAY_API_URL is required in dev mode");
+        }
+    }
+    else if (mode === "gateway_auth") {
+        if (!config.gatewayApiUrl) {
+            errors.push("GATEWAY_API_URL is required in gateway auth mode");
+        }
+    }
+    else {
+        // Production: needs Untrap API key (proxy handles Gateway access)
+        if (!config.apiKey) {
+            errors.push("UNTRAP_API_KEY is required (or set MSP_ID + GATEWAY_API_KEY for dev mode)");
+        }
+    }
+    return errors;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,MAAM,GAAG;IACpB,oCAAoC;IACpC,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE;IAChD,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE;IACzD,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE;IAEhD,sCAAsC;IACtC,mBAAmB,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE;IAC5D,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE;IACzF,qBAAqB,EAAE,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,EAAE;IACrE,qBAAqB,EAAE,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,oBAAoB;IAEnF,6CAA6C;IAC7C,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,2BAA2B;IAEvE,2DAA2D;IAC3D,0DAA0D;IAC1D,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE;IAExC,yDAAyD;IACzD,mDAAmD;IACnD,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE;IAElC,yBAAyB;IACzB,UAAU,EAAE;QACV,KAAK,EAAE,GAAG,EAAE,wBAAwB;QACpC,KAAK,EAAE,EAAE,EAAE,aAAa;QACxB,KAAK,EAAE,EAAE,EAAE,MAAM;QACjB,KAAK,EAAE,GAAG,EAAE,WAAW;QACvB,KAAK,EAAE,GAAG,EAAE,YAAY;QACxB,KAAK,EAAE,GAAG,EAAE,SAAS;KACtB;IAED,yBAAyB;IACzB,qBAAqB,EAAE,CAAC;IACxB,cAAc,EAAE,GAAG;IACnB,gBAAgB,EAAE,MAAM;IACxB,UAAU,EAAE,CAAC;CACL,CAAC;AAkBX,MAAM,UAAU,aAAa;IAC3B,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,aAAa;QAAE,OAAO,cAAc,CAAC;IACjE,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,aAAa,EAAE,CAAC;IAE7B,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;SAAM,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;QACnC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,CAAC,IAAI,CAAC,2EAA2E,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/db/__tests__/assert-msp-scoped.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=assert-msp-scoped.test.d.ts.map

package/dist/db/__tests__/assert-msp-scoped.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assert-msp-scoped.test.d.ts","sourceRoot":"","sources":["../../../src/db/__tests__/assert-msp-scoped.test.ts"],"names":[],"mappings":""}

package/dist/db/__tests__/assert-msp-scoped.test.js

@@ -0,0 +1,93 @@
+/**
+ * Regression tests for assertMspScoped() — the tenant isolation guard.
+ *
+ * These tests verify that queries without proper msp_id predicates are
+ * rejected at runtime, preventing cross-MSP data leaks when RLS is
+ * bypassed by the rds_superuser gateway role.
+ *
+ * Run: npx vitest run src/db/__tests__/assert-msp-scoped.test.ts
+ */
+import { describe, it, expect } from "vitest";
+// We can't import assertMspScoped directly (it's not exported), so we
+// replicate the exact logic here for isolated testing.
+const MSP_FILTER_EXEMPT = [
+    /lookup_api_key_by_hash/i,
+];
+const TENANT_PREDICATE_PATTERNS = [
+    /\b(WHERE|AND)\s+\w*\.?msp_id\s*(?:::[\w]+)?\s*=\s*\$\d+/i,
+    /\bON\s+[^)]*\bmsp_id\b[^)]*=/i,
+    /INSERT\s+INTO\s+\w+\s*\([^)]*\bmsp_id\b/i,
+    /\(\s*SELECT[^)]+\b(WHERE|AND)\s+\w*\.?msp_id\s*(?:::[\w]+)?\s*=\s*\$\d+/i,
+];
+function assertMspScoped(text, params, mspId) {
+    for (const pattern of MSP_FILTER_EXEMPT) {
+        if (pattern.test(text))
+            return;
+    }
+    if (!params.includes(mspId)) {
+        throw new Error(`[TENANT ISOLATION] mspId not found in query params.`);
+    }
+    const hasPredicate = TENANT_PREDICATE_PATTERNS.some((p) => p.test(text));
+    if (!hasPredicate) {
+        throw new Error(`[TENANT ISOLATION] No msp_id predicate found in SQL.`);
+    }
+}
+const MSP = "5f54271b-54d5-40b3-8ad7-38cfdde8db85";
+describe("assertMspScoped", () => {
+    // ═══════════════════════════════════════════
+    // SHOULD PASS — properly scoped queries
+    // ═══════════════════════════════════════════
+    it("passes: WHERE msp_id = $1", () => {
+        expect(() => assertMspScoped("SELECT * FROM ticket_lifecycle WHERE msp_id = $1 LIMIT 100", [MSP], MSP)).not.toThrow();
+    });
+    it("passes: WHERE msp_id::uuid = $1::uuid", () => {
+        expect(() => assertMspScoped("SELECT * FROM billing_classifications WHERE msp_id::uuid = $1::uuid", [MSP], MSP)).not.toThrow();
+    });
+    it("passes: AND msp_id = $1 (compound WHERE)", () => {
+        expect(() => assertMspScoped("SELECT * FROM ticket_lifecycle WHERE is_closed = true AND msp_id = $1", [MSP], MSP)).not.toThrow();
+    });
+    it("passes: table-qualified tl.msp_id = $1", () => {
+        expect(() => assertMspScoped("SELECT * FROM ticket_lifecycle tl WHERE tl.msp_id = $1 LIMIT 100", [MSP], MSP)).not.toThrow();
+    });
+    it("passes: INSERT with msp_id in columns", () => {
+        expect(() => assertMspScoped("INSERT INTO mcp_api_keys (msp_id, key_hash, name) VALUES ($1, $2, $3)", [MSP, "abc", "test"], MSP)).not.toThrow();
+    });
+    it("passes: CTE with msp_id predicate", () => {
+        expect(() => assertMspScoped(`WITH active AS (SELECT * FROM ticket_lifecycle WHERE msp_id = $1 AND is_closed = false)
+         SELECT * FROM active LIMIT 100`, [MSP], MSP)).not.toThrow();
+    });
+    it("passes: JOIN with msp_id", () => {
+        expect(() => assertMspScoped(`SELECT tl.*, te.actual_hours
+         FROM ticket_lifecycle tl
+         JOIN time_entries te ON te.msp_id = tl.msp_id AND te.ticket_id = tl.ticket_id
+         WHERE tl.msp_id = $1`, [MSP], MSP)).not.toThrow();
+    });
+    it("passes: bootstrap key lookup (exempt)", () => {
+        expect(() => assertMspScoped("SELECT * FROM lookup_api_key_by_hash($1)", ["somehash"], "00000000-0000-0000-0000-000000000000")).not.toThrow();
+    });
+    it("passes: UPDATE with AND msp_id = $2", () => {
+        expect(() => assertMspScoped("UPDATE mcp_api_keys SET last_used_at = NOW() WHERE id = $1 AND msp_id = $2", ["some-id", MSP], MSP)).not.toThrow();
+    });
+    // ═══════════════════════════════════════════
+    // SHOULD FAIL — cross-MSP leak risks
+    // ═══════════════════════════════════════════
+    it("REJECTS: SELECT msp_id without filtering (GPT's example)", () => {
+        expect(() => assertMspScoped("SELECT msp_id, company_name FROM companies LIMIT 10", [MSP], MSP)).toThrow("[TENANT ISOLATION]");
+    });
+    it("REJECTS: no msp_id at all", () => {
+        expect(() => assertMspScoped("SELECT * FROM ticket_lifecycle LIMIT 100", [], MSP)).toThrow("[TENANT ISOLATION]");
+    });
+    it("REJECTS: msp_id in SELECT list but not WHERE", () => {
+        expect(() => assertMspScoped("SELECT msp_id, COUNT(*) FROM ticket_lifecycle GROUP BY msp_id", [MSP], MSP)).toThrow("[TENANT ISOLATION]");
+    });
+    it("REJECTS: mspId not in params even if SQL looks right", () => {
+        expect(() => assertMspScoped("SELECT * FROM ticket_lifecycle WHERE msp_id = $1", ["wrong-id"], MSP)).toThrow("[TENANT ISOLATION]");
+    });
+    it("REJECTS: msp_id only in ORDER BY", () => {
+        expect(() => assertMspScoped("SELECT * FROM companies ORDER BY msp_id LIMIT 10", [MSP], MSP)).toThrow("[TENANT ISOLATION]");
+    });
+    it("REJECTS: msp_id only as a column alias", () => {
+        expect(() => assertMspScoped("SELECT id AS msp_id FROM companies LIMIT 10", [MSP], MSP)).toThrow("[TENANT ISOLATION]");
+    });
+});
+//# sourceMappingURL=assert-msp-scoped.test.js.map

package/dist/db/__tests__/assert-msp-scoped.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assert-msp-scoped.test.js","sourceRoot":"","sources":["../../../src/db/__tests__/assert-msp-scoped.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE9C,sEAAsE;AACtE,uDAAuD;AAEvD,MAAM,iBAAiB,GAAG;IACxB,yBAAyB;CAC1B,CAAC;AAEF,MAAM,yBAAyB,GAAG;IAChC,0DAA0D;IAC1D,+BAA+B;IAC/B,0CAA0C;IAC1C,0EAA0E;CAC3E,CAAC;AAEF,SAAS,eAAe,CAAC,IAAY,EAAE,MAAiB,EAAE,KAAa;IACrE,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO;IACjC,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,MAAM,YAAY,GAAG,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACzE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,MAAM,GAAG,GAAG,sCAAsC,CAAC;AAEnD,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,8CAA8C;IAC9C,wCAAwC;IACxC,8CAA8C;IAE9C,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,4DAA4D,EAC5D,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,qEAAqE,EACrE,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,uEAAuE,EACvE,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,kEAAkE,EAClE,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,uEAAuE,EACvE,CAAC,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,EACpB,GAAG,CACJ,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb;wCACgC,EAChC,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb;;;8BAGsB,EACtB,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,0CAA0C,EAC1C,CAAC,UAAU,CAAC,EACZ,sCAAsC,CACvC,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,4EAA4E,EAC5E,CAAC,SAAS,EAAE,GAAG,CAAC,EAChB,GAAG,CACJ,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,8CAA8C;IAC9C,qCAAqC;IACrC,8CAA8C;IAE9C,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,qDAAqD,EACrD,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,0CAA0C,EAC1C,EAAE,EACF,GAAG,CACJ,CACF,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,+DAA+D,EAC/D,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,kDAAkD,EAClD,CAAC,UAAU,CAAC,EACZ,GAAG,CACJ,CACF,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,kDAAkD,EAClD,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,GAAG,EAAE,CACV,eAAe,CACb,6CAA6C,EAC7C,CAAC,GAAG,CAAC,EACL,GAAG,CACJ,CACF,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/db/azure-openai.d.ts

@@ -0,0 +1,24 @@
+interface ChatMessage {
+    role: "system" | "user" | "assistant";
+    content: string;
+}
+interface CompletionOptions {
+    messages: ChatMessage[];
+    maxTokens?: number;
+    temperature?: number;
+}
+interface CompletionResult {
+    content: string;
+    usage: {
+        prompt_tokens: number;
+        completion_tokens: number;
+        total_tokens: number;
+    };
+}
+/**
+ * Call Azure OpenAI chat completions API.
+ * Uses raw fetch (same pattern as all existing API routes in the Next.js app).
+ */
+export declare function chatCompletion(options: CompletionOptions): Promise<CompletionResult>;
+export {};
+//# sourceMappingURL=azure-openai.d.ts.map

package/dist/db/azure-openai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-openai.d.ts","sourceRoot":"","sources":["../../src/db/azure-openai.ts"],"names":[],"mappings":"AAEA,UAAU,WAAW;IACnB,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,WAAW,CAAC;IACtC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,UAAU,iBAAiB;IACzB,QAAQ,EAAE,WAAW,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,UAAU,gBAAgB;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE;QACL,aAAa,EAAE,MAAM,CAAC;QACtB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,gBAAgB,CAAC,CA6C3B"}

package/dist/db/azure-openai.js

@@ -0,0 +1,45 @@
+import { config } from "../config.js";
+/**
+ * Call Azure OpenAI chat completions API.
+ * Uses raw fetch (same pattern as all existing API routes in the Next.js app).
+ */
+export async function chatCompletion(options) {
+    const { azureOpenAiEndpoint, azureOpenAiApiKey, azureOpenAiDeployment, azureOpenAiApiVersion } = config;
+    if (!azureOpenAiApiKey || !azureOpenAiEndpoint || !azureOpenAiDeployment) {
+        throw new Error("Azure OpenAI environment variables are not set (AZURE_OPENAI_KEY, AZURE_OPENAI_ENDPOINT, AZURE_OPENAI_DEPLOYMENT_NAME)");
+    }
+    const url = `${azureOpenAiEndpoint}/openai/deployments/${azureOpenAiDeployment}/chat/completions?api-version=${azureOpenAiApiVersion}`;
+    const res = await fetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "api-key": azureOpenAiApiKey,
+        },
+        body: JSON.stringify({
+            messages: options.messages,
+            max_completion_tokens: options.maxTokens ?? 500,
+            temperature: options.temperature ?? 0.7,
+            model: azureOpenAiDeployment,
+        }),
+    });
+    const rawBody = await res.text();
+    if (!res.ok) {
+        throw new Error(`Azure OpenAI API error (${res.status}): ${rawBody.substring(0, 200)}`);
+    }
+    let data;
+    try {
+        data = JSON.parse(rawBody);
+    }
+    catch {
+        throw new Error("Azure OpenAI returned non-JSON response");
+    }
+    const choices = data.choices;
+    const content = choices?.[0]?.message?.content ?? "";
+    const usage = data.usage ?? {
+        prompt_tokens: 0,
+        completion_tokens: 0,
+        total_tokens: 0,
+    };
+    return { content, usage };
+}
+//# sourceMappingURL=azure-openai.js.map

package/dist/db/azure-openai.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-openai.js","sourceRoot":"","sources":["../../src/db/azure-openai.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAsBtC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAA0B;IAE1B,MAAM,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;IAExG,IAAI,CAAC,iBAAiB,IAAI,CAAC,mBAAmB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACzE,MAAM,IAAI,KAAK,CAAC,wHAAwH,CAAC,CAAC;IAC5I,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,mBAAmB,uBAAuB,qBAAqB,iCAAiC,qBAAqB,EAAE,CAAC;IAEvI,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,SAAS,EAAE,iBAAiB;SAC7B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,qBAAqB,EAAE,OAAO,CAAC,SAAS,IAAI,GAAG;YAC/C,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,GAAG;YACvC,KAAK,EAAE,qBAAqB;SAC7B,CAAC;KACH,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAEjC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,MAAM,MAAM,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,IAA6B,CAAC;IAClC,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,OAA8D,CAAC;IACpF,MAAM,OAAO,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;IACrD,MAAM,KAAK,GAAI,IAAI,CAAC,KAAmC,IAAI;QACzD,aAAa,EAAE,CAAC;QAChB,iBAAiB,EAAE,CAAC;QACpB,YAAY,EAAE,CAAC;KAChB,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC5B,CAAC"}

package/dist/db/gateway-client.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Execute a query. Routes based on server mode:
+ *   - dev / gateway_auth → Gateway Lambda directly
+ *   - production → Untrap API proxy
+ */
+export declare function queryRLS<T = Record<string, unknown>>(text: string, params: unknown[], mspId: string): Promise<T[]>;
+/**
+ * Execute a write query. Routes based on server mode:
+ *   - dev / gateway_auth → Gateway Lambda directly
+ *   - production → Untrap API proxy
+ */
+export declare function queryWrite<T = Record<string, unknown>>(text: string, params: unknown[], mspId: string): Promise<T[]>;
+//# sourceMappingURL=gateway-client.d.ts.map

package/dist/db/gateway-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway-client.d.ts","sourceRoot":"","sources":["../../src/db/gateway-client.ts"],"names":[],"mappings":"AA8KA;;;;GAIG;AACH,wBAAsB,QAAQ,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxD,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,OAAO,EAAE,EACjB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,CAAC,EAAE,CAAC,CAWd;AA8DD;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1D,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,OAAO,EAAE,EACjB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,CAAC,EAAE,CAAC,CAiBd"}