Merge pull request #3 from pinecone-io/initial-updates

Initial updates

Author: cwaddingham

.gitignore

@@ -0,0 +1,68 @@
+# Node modules
+node_modules/
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage/
+
+# nyc test coverage
+.nyc_output/
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt/
+
+# Bower dependency directory (https://bower.io/)
+bower_components/
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+build/
+
+# Dependency directories
+dist/
+.tmp/
+
+tmp/
+temp/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# dotenv environment variables file
+.env
+.env.test
+.env.*.local
+
+# Mac system files
+.DS_Store
+
+# VSCode settings
+.vscode/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Jest coverage
+jest-coverage/
+
+# Zapier platform cache
+.zapier-platform-cache/ 

README.md

@@ -1,26 +1,25 @@
-# Pinecone
+# Pinecone Zapier Integration
 
 ## Prerequisites
 
 - Set up your environment as described in the [root level README](../../README.md#setup).
-- Zapier staff only: Add yourself as a collaborator [here](https://zapier.com/app/developer/app/226171/team), and accept the email invitation. This will grant you write access to the app.
+- Pinecone personnel: Ensure you have access to this repository and the necessary credentials for local development.
 
 ## Development
 
-1. From the root of the repository, navigate to your app directory `cd apps/pinecone`
-2. `npm install` to install dependencies from npm (don't forget to commit the generated `package-lock.json`).
-3. Make your app changes.
-4. `zapier test` to run unit tests. Note: These should not make live API calls.
-5. Bump the version in package.json. Use [SemVer](http://semver.org/) for versioning.
-6. Fill in a [changelog](CHANGELOG.md) entry for your new version.
-7. Open an MR on gitlab and follow the [test and deploy instructions](../../README.md#testing-and-deploying)
+1. From the root of the repository, navigate to your app directory: `cd apps/pinecone` (or the appropriate path).
+2. Run `npm install` to install dependencies (commit the generated `package-lock.json`).
+3. Make your app changes as needed.
+4. Run `npm test` (or `vitest`) to execute unit tests. These tests use mocks and do not make live API calls.
+5. Bump the version in `package.json` using [SemVer](http://semver.org/) for versioning.
+6. Add a [changelog](CHANGELOG.md) entry for your new version.
+7. Open a pull request and follow the [test and deploy instructions](../../README.md#testing-and-deploying).
 
-## Test Accounts
+## Local Testing
 
-- When testing in the Zap Editor, use API key found in 1Password (linked to `[email protected]` username)
-
-<!-- Include any API links that would be useful -->
+- When running or developing locally, use your own Pinecone API key for any manual API tests. Do not commit or share API keys.
+- All automated tests are fully mocked and do not require a live Pinecone account.
 
 ## API Links
 
-- https://docs.pinecone.io/reference/api/introduction
+- [Pinecone API Reference](https://docs.pinecone.io/reference/api/introduction)

SECURITY.md

@@ -0,0 +1,49 @@
+# Security Policy
+
+## Known Vulnerabilities
+
+This project currently has known vulnerabilities in transitive dependencies, as reported by automated tools (e.g., Dependabot, npm audit). These vulnerabilities are present due to requirements of upstream dependencies and cannot be resolved directly within this project at this time.
+
+### 1. `crypto-js` (Critical)
+
+- **Advisories:**
+  - [GHSA-xwcq-pm8m-c4vf](https://github.com/advisories/GHSA-xwcq-pm8m-c4vf) (PBKDF2 much weaker than standard)
+  - [GHSA-3w3w-pxmm-2w2j](https://github.com/advisories/GHSA-3w3w-pxmm-2w2j) (Insecure random numbers)
+- **Origin:**
+  - `crypto-js` is a transitive dependency of `zapier-platform-core` via `fernet`.
+  - This project does **not** use `crypto-js` directly.
+- **Mitigation:**
+  - Do not use `crypto-js` directly in your own code.
+  - Monitor for updates to `zapier-platform-core` and `fernet` that address these vulnerabilities.
+  - If you are forking or extending this project, avoid introducing direct usage of `crypto-js`.
+
+### 2. `esbuild` (Moderate, Development)
+
+- **Advisory:**
+  - [GHSA-67mh-4wv8-2f99](https://github.com/advisories/GHSA-67mh-4wv8-2f99)
+- **Origin:**
+  - `esbuild` is a transitive dependency of dev tools such as `vite` and `vitest`.
+  - This project does **not** use `esbuild` directly in production code.
+- **Mitigation:**
+  - Only affects development environments. Do not expose dev servers to untrusted networks.
+  - Monitor for updates to `vite`, `vitest`, and related tools.
+
+### 3. `brace-expansion` (Low, Development)
+
+- **Advisory:**
+  - [GHSA-xg9f-g7g7-2323](https://github.com/advisories/GHSA-xg9f-g7g7-2323)
+- **Origin:**
+  - Used by dev dependencies only.
+- **Mitigation:**
+  - Only affects development environments. Monitor for updates to dev tools.
+
+## General Guidance
+
+- **Do not use vulnerable packages directly** in your own code.
+- **Monitor upstream dependencies** (`zapier-platform-core`, `fernet`, `vite`, `vitest`, etc.) for security updates.
+- **Update this project** as soon as upstream fixes are available.
+- **Document these issues** for your team and users.
+
+## Reporting a Vulnerability
+
+If you discover a security issue in this project, please open an issue or contact the maintainers. If the issue is in an upstream dependency, consider reporting it to the relevant project as well. 

__mocks__/@pinecone-database/pinecone.ts

@@ -0,0 +1,73 @@
+import { vi } from 'vitest';
+
+type PineconeMockState = {
+  inference: {
+    embed: ReturnType<typeof vi.fn>;
+    getModel: ReturnType<typeof vi.fn>;
+    listModels: ReturnType<typeof vi.fn>;
+    rerank: ReturnType<typeof vi.fn>;
+  };
+  describeIndex: ReturnType<typeof vi.fn>;
+  listIndexes: ReturnType<typeof vi.fn>;
+  index: ReturnType<typeof vi.fn>;
+  configureIndex: ReturnType<typeof vi.fn>;
+};
+
+const pineconeMockState: PineconeMockState = {
+  inference: {
+    embed: vi.fn(),
+    getModel: vi.fn(),
+    listModels: vi.fn(),
+    rerank: vi.fn(),
+  },
+  describeIndex: vi.fn(),
+  listIndexes: vi.fn(),
+  index: vi.fn(),
+  configureIndex: vi.fn(),
+};
+
+// Helper: always return an object with namespace() for index()
+function createIndexMock(namespaceImpl?: any) {
+  return vi.fn().mockImplementation(() => ({
+    namespace: namespaceImpl || vi.fn()
+  }));
+}
+
+export class Pinecone {
+  constructor() {}
+  get inference() {
+    return {
+      embed: pineconeMockState.inference.embed,
+      getModel: pineconeMockState.inference.getModel,
+      listModels: pineconeMockState.inference.listModels,
+      rerank: pineconeMockState.inference.rerank,
+    };
+  }
+  describeIndex = pineconeMockState.describeIndex;
+  listIndexes = pineconeMockState.listIndexes;
+  index = (...args: any[]) => {
+    // If the test set a custom index mock, use it
+    if (typeof pineconeMockState.index === 'function') {
+      const result = pineconeMockState.index(...args);
+      // If the result has a namespace function, return as is
+      if (result && typeof result.namespace === 'function') return result;
+    }
+    // Default: return an object with a namespace function that returns an object with upsert/update/deleteOne mocks
+    return {
+      namespace: vi.fn().mockReturnValue({
+        upsert: vi.fn(),
+        upsertRecords: vi.fn(),
+        update: vi.fn(),
+        deleteOne: vi.fn(),
+      })
+    };
+  };
+  configureIndex = pineconeMockState.configureIndex;
+}
+
+export function __setPineconeMockState(newState: Partial<PineconeMockState>) {
+  Object.assign(pineconeMockState, newState);
+}
+export function __getPineconeMockState() {
+  return pineconeMockState;
+}