@ainyc/canonry 1.25.3 → 1.26.2

package/assets/index.html

@@ -12,8 +12,8 @@
     <link rel="icon" type="image/png" sizes="32x32" href="./favicon-32.png" />
     <link rel="apple-touch-icon" href="./apple-touch-icon.png" />
     <title>Canonry</title>
-    <script type="module" crossorigin src="./assets/index-DRL4RV8N.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-CoA39nr6.css">
+    <script type="module" crossorigin src="./assets/index-CE8TwvzO.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-D786SQZN.css">
   </head>
   <body>
     <div id="root"></div>

package/dist/{chunk-G5TMCVS4.js → chunk-NVCAUQ33.js}

@@ -72,6 +72,10 @@ Do not write config.yaml by hand; use "canonry init", "canonry settings", or "ca
     } catch {
     }
   }
+  if ("CANONRY_BASE_PATH" in process.env) {
+    const val = process.env.CANONRY_BASE_PATH.trim();
+    parsed.basePath = val || void 0;
+  }
   if (parsed.basePath) {
     const normalizedBase = "/" + parsed.basePath.replace(/^\/|\/$/g, "");
     try {
@@ -174,6 +178,7 @@ import crypto21 from "crypto";
 import fs5 from "fs";
 import path6 from "path";
 import { fileURLToPath } from "url";
+import { eq as eq22 } from "drizzle-orm";
 import Fastify from "fastify";
 
 // ../contracts/src/config-schema.ts
@@ -220,6 +225,8 @@ var notificationDtoSchema = z2.object({
   projectId: z2.string(),
   channel: z2.literal("webhook"),
   url: z2.string().url(),
+  urlDisplay: z2.string(),
+  urlHost: z2.string(),
   events: z2.array(notificationEventSchema),
   enabled: z2.boolean().default(true),
   webhookSecret: z2.string().optional(),
@@ -1390,29 +1397,60 @@ function shouldSkipAuth(url) {
   if (SKIP_PATHS.includes(url)) return true;
   if (url.endsWith("/openapi.json")) return true;
   if (url.includes("/google/callback")) return true;
+  if (url.endsWith("/session") || url.endsWith("/session/setup")) return true;
   return false;
 }
-async function authPlugin(app) {
+function parseCookies(header) {
+  if (!header) return {};
+  return header.split(";").map((part) => part.trim()).filter(Boolean).reduce((cookies, part) => {
+    const eqIdx = part.indexOf("=");
+    if (eqIdx <= 0) return cookies;
+    const name = part.slice(0, eqIdx).trim();
+    const value = part.slice(eqIdx + 1).trim();
+    if (!name) return cookies;
+    try {
+      cookies[name] = decodeURIComponent(value);
+    } catch {
+      cookies[name] = value;
+    }
+    return cookies;
+  }, {});
+}
+async function authPlugin(app, opts = {}) {
   app.addHook("onRequest", async (request, reply) => {
     const url = request.url.split("?")[0];
     if (shouldSkipAuth(url)) return;
     const header = request.headers.authorization;
-    if (!header) {
-      const err = authRequired();
-      return reply.status(err.statusCode).send(err.toJSON());
-    }
-    const parts = header.split(" ");
-    if (parts.length !== 2 || parts[0] !== "Bearer") {
+    let key;
+    if (header) {
+      const parts = header.split(" ");
+      if (parts.length !== 2 || parts[0] !== "Bearer") {
+        const err = authRequired();
+        return reply.status(err.statusCode).send(err.toJSON());
+      }
+      const token = parts[1];
+      const hash = hashKey(token);
+      key = app.db.select().from(apiKeys).where(eq(apiKeys.keyHash, hash)).get();
+      if (!key || key.revokedAt) {
+        const err = authInvalid();
+        return reply.status(err.statusCode).send(err.toJSON());
+      }
+    } else if (opts.resolveSessionApiKeyId && opts.sessionCookieName) {
+      const sessionId = parseCookies(request.headers.cookie)[opts.sessionCookieName];
+      if (sessionId) {
+        const apiKeyId = await opts.resolveSessionApiKeyId(sessionId);
+        if (apiKeyId) {
+          key = app.db.select().from(apiKeys).where(eq(apiKeys.id, apiKeyId)).get();
+        }
+      }
+      if (!key || key.revokedAt) {
+        const err = authRequired();
+        return reply.status(err.statusCode).send(err.toJSON());
+      }
+    } else {
       const err = authRequired();
       return reply.status(err.statusCode).send(err.toJSON());
     }
-    const token = parts[1];
-    const hash = hashKey(token);
-    const key = app.db.select().from(apiKeys).where(eq(apiKeys.keyHash, hash)).get();
-    if (!key || key.revokedAt) {
-      const err = authInvalid();
-      return reply.status(err.statusCode).send(err.toJSON());
-    }
     app.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq(apiKeys.id, key.id)).run();
   });
 }
@@ -2801,6 +2839,48 @@ async function applyRoutes(app, opts) {
 
 // ../api-routes/src/history.ts
 import { eq as eq9, desc as desc2, inArray } from "drizzle-orm";
+
+// ../api-routes/src/notification-redaction.ts
+var REDACTED_URL = {
+  url: "https://redacted.invalid/redacted",
+  urlDisplay: "invalid-url/redacted",
+  urlHost: "invalid-url"
+};
+function redactNotificationUrl(rawUrl) {
+  try {
+    const parsed = new URL(rawUrl);
+    const host = parsed.host || parsed.hostname;
+    return {
+      url: `${parsed.protocol}//${host}/redacted`,
+      urlDisplay: `${host}/redacted`,
+      urlHost: host
+    };
+  } catch {
+    return REDACTED_URL;
+  }
+}
+function redactNotificationDiff(value) {
+  if (Array.isArray(value)) {
+    return value.map(redactNotificationDiff);
+  }
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+  const output = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (key === "url" && typeof entry === "string") {
+      const redacted = redactNotificationUrl(entry);
+      output.url = redacted.url;
+      output.urlDisplay = redacted.urlDisplay;
+      output.urlHost = redacted.urlHost;
+      continue;
+    }
+    output[key] = redactNotificationDiff(entry);
+  }
+  return output;
+}
+
+// ../api-routes/src/history.ts
 async function historyRoutes(app) {
   app.get("/projects/:name/history", async (request, reply) => {
     const project = resolveProjectSafe4(app, request.params.name, reply);
@@ -2990,7 +3070,7 @@ function formatAuditEntry(row) {
     action: row.action,
     entityType: row.entityType,
     entityId: row.entityId,
-    diff: row.diff ? tryParseJson2(row.diff, null) : null,
+    diff: row.diff ? row.entityType === "notification" ? redactNotificationDiff(tryParseJson2(row.diff, null)) : tryParseJson2(row.diff, null) : null,
     createdAt: row.createdAt
   };
 }
@@ -5285,7 +5365,7 @@ async function notificationRoutes(app) {
       action: "notification.created",
       entityType: "notification",
       entityId: id,
-      diff: { channel, url, events }
+      diff: { channel, ...redactNotificationUrl(url), events }
     });
     return reply.status(201).send({
       ...formatNotification(app.db.select().from(notifications).where(eq12(notifications.id, id)).get()),
@@ -5343,9 +5423,10 @@ async function notificationRoutes(app) {
       ],
       dashboardUrl: `/projects/${project.name}`
     };
-    request.log.info(`[Notification test] POST ${config.url}`);
+    const targetLabel = redactNotificationUrl(config.url).urlDisplay;
+    request.log.info(`[Notification test] POST ${targetLabel}`);
     const { status, error } = await deliverWebhook(urlCheck.target, payload, notification.webhookSecret ?? null);
-    request.log.info(`[Notification test] Response: HTTP ${status} from ${config.url}`);
+    request.log.info(`[Notification test] Response: HTTP ${status} from ${targetLabel}`);
     writeAuditLog(app.db, {
       projectId: project.id,
       actor: "api",
@@ -5362,11 +5443,14 @@ async function notificationRoutes(app) {
 }
 function formatNotification(row) {
   const config = JSON.parse(row.config);
+  const redacted = redactNotificationUrl(config.url);
   return {
     id: row.id,
     projectId: row.projectId,
     channel: "webhook",
-    url: config.url,
+    url: redacted.url,
+    urlDisplay: redacted.urlDisplay,
+    urlHost: redacted.urlHost,
     events: config.events,
     enabled: row.enabled === 1,
     createdAt: row.createdAt,
@@ -7472,10 +7556,13 @@ async function apiRoutes(app, opts) {
       }
     });
   });
-  if (!opts.skipAuth) {
-    await app.register(authPlugin);
-  }
   await app.register(async (api) => {
+    if (!opts.skipAuth) {
+      await authPlugin(api, {
+        sessionCookieName: opts.sessionCookieName,
+        resolveSessionApiKeyId: opts.resolveSessionApiKeyId
+      });
+    }
     await api.register(openApiRoutes, opts.openApiInfo ?? {});
     await api.register(projectRoutes, {
       onProjectDeleted: opts.onProjectDeleted,
@@ -10534,25 +10621,26 @@ var Notifier = class {
     return transitions;
   }
   async sendWebhook(url, payload, notificationId, projectId, webhookSecret) {
+    const targetLabel = redactNotificationUrl(url).urlDisplay;
     const targetCheck = await resolveWebhookTarget(url);
     if (!targetCheck.ok) {
-      log5.error("webhook.ssrf-blocked", { url, reason: targetCheck.message });
+      log5.error("webhook.ssrf-blocked", { url: targetLabel, reason: targetCheck.message });
       this.logDelivery(projectId, notificationId, payload.event, "failed", `SSRF: ${targetCheck.message}`);
       return;
     }
-    log5.info("webhook.send", { event: payload.event, url });
+    log5.info("webhook.send", { event: payload.event, url: targetLabel });
     const maxRetries = 3;
     const delays = [1e3, 4e3, 16e3];
     for (let attempt = 0; attempt < maxRetries; attempt++) {
       try {
         const response = await deliverWebhook(targetCheck.target, payload, webhookSecret);
         if (response.status >= 200 && response.status < 300) {
-          log5.info("webhook.delivered", { event: payload.event, url, httpStatus: response.status });
+          log5.info("webhook.delivered", { event: payload.event, url: targetLabel, httpStatus: response.status });
           this.logDelivery(projectId, notificationId, payload.event, "sent", null);
           return;
         }
         const errorDetail = response.error ?? `HTTP ${response.status}`;
-        log5.warn("webhook.attempt-failed", { event: payload.event, url, attempt: attempt + 1, maxRetries, httpStatus: response.status, error: errorDetail });
+        log5.warn("webhook.attempt-failed", { event: payload.event, url: targetLabel, attempt: attempt + 1, maxRetries, httpStatus: response.status, error: errorDetail });
         if (attempt === maxRetries - 1) {
           this.logDelivery(projectId, notificationId, payload.event, "failed", errorDetail);
         }
@@ -10560,7 +10648,7 @@ var Notifier = class {
         const errorDetail = err instanceof Error ? err.message : String(err);
         if (attempt === maxRetries - 1) {
           this.logDelivery(projectId, notificationId, payload.event, "failed", errorDetail);
-          log5.error("webhook.exhausted", { event: payload.event, url, maxRetries, error: errorDetail });
+          log5.error("webhook.exhausted", { event: payload.event, url: targetLabel, maxRetries, error: errorDetail });
         }
       }
       if (attempt < maxRetries - 1) {
@@ -10702,6 +10790,8 @@ var DEFAULT_QUOTA = {
   maxRequestsPerMinute: 10,
   maxRequestsPerDay: 1e3
 };
+var SESSION_COOKIE_NAME = "canonry_session";
+var SESSION_TTL_MS = 12 * 60 * 60 * 1e3;
 var API_ADAPTERS = [
   geminiAdapter,
   openaiAdapter,
@@ -10724,6 +10814,42 @@ function summarizeProviderConfig(provider, config) {
     quota: { ...config?.quota ?? DEFAULT_QUOTA }
   };
 }
+function hashApiKey(key) {
+  return crypto21.createHash("sha256").update(key).digest("hex");
+}
+function parseCookies2(header) {
+  if (!header) return {};
+  return header.split(";").map((part) => part.trim()).filter(Boolean).reduce((cookies, part) => {
+    const eqIdx = part.indexOf("=");
+    if (eqIdx <= 0) return cookies;
+    const name = part.slice(0, eqIdx).trim();
+    const value = part.slice(eqIdx + 1).trim();
+    if (!name) return cookies;
+    try {
+      cookies[name] = decodeURIComponent(value);
+    } catch {
+      cookies[name] = value;
+    }
+    return cookies;
+  }, {});
+}
+function serializeSessionCookie(opts) {
+  const parts = [
+    `${opts.name}=${opts.value ? encodeURIComponent(opts.value) : ""}`,
+    `Path=${opts.path}`,
+    "HttpOnly",
+    "SameSite=Lax"
+  ];
+  if (opts.value) {
+    parts.push(`Max-Age=${Math.floor(opts.ttlMs / 1e3)}`);
+  } else {
+    parts.push("Max-Age=0");
+  }
+  if (opts.secure) {
+    parts.push("Secure");
+  }
+  return parts.join("; ");
+}
 async function createServer(opts) {
   const logger = opts.logger === false ? false : process.stdout.isTTY ? {
     transport: {
@@ -10880,10 +11006,154 @@ async function createServer(opts) {
   const normalizedBasePath = rawBasePath ? "/" + rawBasePath.replace(/^\//, "").replace(/\/?$/, "/") : void 0;
   const basePath = normalizedBasePath === "/" ? void 0 : normalizedBasePath;
   const apiPrefix = basePath ? `${basePath}api/v1` : "/api/v1";
+  if (opts.config.apiKey) {
+    const keyHash = hashApiKey(opts.config.apiKey);
+    const existing = opts.db.select().from(apiKeys).where(eq22(apiKeys.keyHash, keyHash)).get();
+    if (!existing) {
+      const prefix = opts.config.apiKey.slice(0, 12);
+      opts.db.insert(apiKeys).values({
+        id: `key_${crypto21.randomBytes(8).toString("hex")}`,
+        name: "default",
+        keyHash,
+        keyPrefix: prefix,
+        scopes: JSON.stringify(["*"]),
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      }).run();
+    }
+  }
+  const sessionCookiePath = basePath ?? "/";
+  const sessionCookieSecure = Boolean(
+    opts.config.publicUrl?.startsWith("https://") || opts.config.apiUrl?.startsWith("https://")
+  );
+  const sessions = /* @__PURE__ */ new Map();
+  const pruneExpiredSessions = () => {
+    const now = Date.now();
+    for (const [sessionId, session] of sessions.entries()) {
+      if (session.expiresAt <= now) {
+        sessions.delete(sessionId);
+      }
+    }
+  };
+  const createSession = (apiKeyId) => {
+    pruneExpiredSessions();
+    const sessionId = crypto21.randomBytes(32).toString("hex");
+    sessions.set(sessionId, {
+      apiKeyId,
+      expiresAt: Date.now() + SESSION_TTL_MS
+    });
+    return sessionId;
+  };
+  const resolveSessionApiKeyId = (sessionId) => {
+    pruneExpiredSessions();
+    const session = sessions.get(sessionId);
+    if (!session) return null;
+    if (session.expiresAt <= Date.now()) {
+      sessions.delete(sessionId);
+      return null;
+    }
+    return session.apiKeyId;
+  };
+  const clearSession = (sessionId) => {
+    if (sessionId) {
+      sessions.delete(sessionId);
+    }
+  };
+  const getDefaultApiKey = () => {
+    if (!opts.config.apiKey) return void 0;
+    return opts.db.select().from(apiKeys).where(eq22(apiKeys.keyHash, hashApiKey(opts.config.apiKey))).get();
+  };
+  const createPasswordSession = (reply) => {
+    const key = getDefaultApiKey();
+    if (!key || key.revokedAt) return false;
+    const sessionId = createSession(key.id);
+    reply.header("set-cookie", serializeSessionCookie({
+      name: SESSION_COOKIE_NAME,
+      value: sessionId,
+      path: sessionCookiePath,
+      secure: sessionCookieSecure,
+      ttlMs: SESSION_TTL_MS
+    }));
+    return true;
+  };
+  app.get(apiPrefix + "/session", async (request, reply) => {
+    const sessionId = parseCookies2(request.headers.cookie)[SESSION_COOKIE_NAME];
+    return reply.send({
+      authenticated: Boolean(sessionId && resolveSessionApiKeyId(sessionId)),
+      setupRequired: !opts.config.dashboardPasswordHash
+    });
+  });
+  app.post(apiPrefix + "/session/setup", async (request, reply) => {
+    if (opts.config.dashboardPasswordHash) {
+      const err = validationError("Dashboard password is already configured");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    const password = request.body?.password?.trim();
+    if (!password || password.length < 8) {
+      const err = validationError("Password must be at least 8 characters");
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    opts.config.dashboardPasswordHash = hashApiKey(password);
+    saveConfig(opts.config);
+    if (!createPasswordSession(reply)) {
+      const err = authInvalid();
+      return reply.status(err.statusCode).send(err.toJSON());
+    }
+    return reply.send({ authenticated: true });
+  });
+  app.post(apiPrefix + "/session", async (request, reply) => {
+    const password = request.body?.password?.trim();
+    const apiKey = request.body?.apiKey?.trim();
+    if (password) {
+      if (!opts.config.dashboardPasswordHash) {
+        const err2 = validationError("No dashboard password configured \u2014 use /session/setup first");
+        return reply.status(err2.statusCode).send(err2.toJSON());
+      }
+      if (hashApiKey(password) !== opts.config.dashboardPasswordHash) {
+        return reply.status(401).send({ error: { code: "AUTH_INVALID", message: "Incorrect password" } });
+      }
+      if (!createPasswordSession(reply)) {
+        return reply.status(401).send({ error: { code: "AUTH_INVALID", message: "Server API key not found \u2014 re-run canonry init" } });
+      }
+      return reply.send({ authenticated: true });
+    }
+    if (apiKey) {
+      const key = opts.db.select().from(apiKeys).where(eq22(apiKeys.keyHash, hashApiKey(apiKey))).get();
+      if (!key || key.revokedAt) {
+        const err2 = authInvalid();
+        return reply.status(err2.statusCode).send(err2.toJSON());
+      }
+      opts.db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq22(apiKeys.id, key.id)).run();
+      const sessionId = createSession(key.id);
+      reply.header("set-cookie", serializeSessionCookie({
+        name: SESSION_COOKIE_NAME,
+        value: sessionId,
+        path: sessionCookiePath,
+        secure: sessionCookieSecure,
+        ttlMs: SESSION_TTL_MS
+      }));
+      return reply.send({ authenticated: true });
+    }
+    const err = validationError("Either password or apiKey is required");
+    return reply.status(err.statusCode).send(err.toJSON());
+  });
+  app.delete(apiPrefix + "/session", async (request, reply) => {
+    const sessionId = parseCookies2(request.headers.cookie)[SESSION_COOKIE_NAME];
+    clearSession(sessionId);
+    reply.header("set-cookie", serializeSessionCookie({
+      name: SESSION_COOKIE_NAME,
+      value: null,
+      path: sessionCookiePath,
+      secure: sessionCookieSecure,
+      ttlMs: SESSION_TTL_MS
+    }));
+    return reply.status(204).send();
+  });
   await app.register(apiRoutes, {
     db: opts.db,
     routePrefix: apiPrefix,
     skipAuth: false,
+    sessionCookieName: SESSION_COOKIE_NAME,
+    resolveSessionApiKeyId,
     getGoogleAuthConfig: () => getGoogleAuthConfig(opts.config),
     googleConnectionStore,
     googleStateSecret,
@@ -11118,7 +11388,7 @@ async function createServer(opts) {
   if (fs5.existsSync(assetsDir)) {
     const indexPath = path6.join(assetsDir, "index.html");
     const injectConfig = (html) => {
-      const clientConfig = { apiKey: opts.config.apiKey };
+      const clientConfig = {};
       if (basePath) clientConfig.basePath = basePath;
       const configScript = `<script>window.__CANONRY_CONFIG__=${JSON.stringify(clientConfig)}</script>`;
       const baseTag = basePath ? `<base href="${basePath}">` : "";
@@ -11162,7 +11432,12 @@ async function createServer(opts) {
       return reply.status(404).send({ error: "Not found" });
     });
   }
-  const healthHandler = async () => ({ status: "ok", service: "canonry", version: PKG_VERSION });
+  const healthHandler = async () => ({
+    status: "ok",
+    service: "canonry",
+    version: PKG_VERSION,
+    ...basePath ? { basePath: basePath.replace(/\/$/, "") } : {}
+  });
   app.get("/health", healthHandler);
   if (basePath) {
     app.get(`${basePath}health`, healthHandler);