npm - @camstack/server - Versions diffs - 1.0.0 → 1.0.1 - Mend

@camstack/server 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (234) hide show

package/{src/agent-status-page.ts → dist/agent-status-page.js} +30 -45
package/dist/api/addon-upload.js +441 -0
package/dist/api/addons-custom.router.js +91 -0
package/dist/api/auth-whoami.js +55 -0
package/dist/api/bridge-addons.router.js +109 -0
package/dist/api/capabilities.router.js +229 -0
package/dist/api/core/addon-settings.router.js +117 -0
package/dist/api/core/agents.router.js +73 -0
package/dist/api/core/auth.router.js +286 -0
package/dist/api/core/bulk-update-coordinator.js +229 -0
package/dist/api/core/cap-providers.js +1124 -0
package/dist/api/core/capabilities.router.js +138 -0
package/dist/api/core/collection-preference.js +17 -0
package/dist/api/core/event-bus-proxy.router.js +45 -0
package/dist/api/core/hwaccel.router.js +91 -0
package/dist/api/core/live-events.router.js +61 -0
package/dist/api/core/logs.router.js +172 -0
package/dist/api/core/notifications.router.js +67 -0
package/dist/api/core/repl.router.js +35 -0
package/dist/api/core/settings-backend.router.js +121 -0
package/dist/api/core/stream-probe.router.js +58 -0
package/dist/api/core/system-events.router.js +100 -0
package/dist/api/health/health.routes.js +68 -0
package/{src/api/oauth2/consent-page.ts → dist/api/oauth2/consent-page.js} +11 -20
package/dist/api/oauth2/oauth2-routes.js +219 -0
package/dist/api/trpc/cap-mount-helpers.js +194 -0
package/dist/api/trpc/cap-route-error-formatter.js +133 -0
package/dist/api/trpc/client-ip.js +147 -0
package/dist/api/trpc/core-cap-bridge.js +115 -0
package/dist/api/trpc/generated-cap-mounts.js +388 -0
package/dist/api/trpc/generated-cap-routers.js +7635 -0
package/dist/api/trpc/scope-access.js +93 -0
package/dist/api/trpc/trpc.context.js +184 -0
package/dist/api/trpc/trpc.middleware.js +139 -0
package/dist/api/trpc/trpc.router.js +188 -0
package/dist/auth/session-cookie.js +47 -0
package/dist/boot/boot-config.js +241 -0
package/dist/boot/integration-id-backfill.js +76 -0
package/dist/boot/post-boot.service.js +85 -0
package/dist/core/addon/addon-call-gateway.js +99 -0
package/dist/core/addon/addon-package.service.js +1560 -0
package/dist/core/addon/addon-registry.service.js +2739 -0
package/{src/core/addon/addon-row-manifest.ts → dist/core/addon/addon-row-manifest.js} +5 -5
package/dist/core/addon/addon-search.service.js +62 -0
package/dist/core/addon/addon-settings-provider.js +102 -0
package/dist/core/addon/addon.tokens.js +5 -0
package/dist/core/addon-bridge/addon-bridge.service.js +145 -0
package/dist/core/addon-pages/addon-pages.service.js +107 -0
package/dist/core/addon-widgets/addon-widgets.service.js +120 -0
package/dist/core/agent/agent-registry.service.js +477 -0
package/dist/core/auth/auth.service.js +10 -0
package/dist/core/capability/capability.service.js +58 -0
package/dist/core/config/config.schema.js +7 -0
package/dist/core/config/config.service.js +10 -0
package/dist/core/events/event-bus.service.js +83 -0
package/dist/core/feature/feature.service.js +10 -0
package/dist/core/lifecycle/lifecycle-state-machine.js +6 -0
package/dist/core/logging/log-ring-buffer.js +6 -0
package/dist/core/logging/logging.service.js +130 -0
package/dist/core/logging/scoped-logger.js +6 -0
package/dist/core/moleculer/cap-call-fn.js +50 -0
package/dist/core/moleculer/cap-route-authority.js +122 -0
package/dist/core/moleculer/moleculer.service.js +898 -0
package/dist/core/network/network-quality.service.js +7 -0
package/dist/core/notification/notification-wrapper.service.js +33 -0
package/dist/core/notification/toast-wrapper.service.js +25 -0
package/dist/core/provider/provider.tokens.js +4 -0
package/dist/core/repl/repl-engine.service.js +140 -0
package/dist/core/storage/fs-storage-backend.js +6 -0
package/dist/core/storage/storage-location-manager.js +6 -0
package/dist/core/storage/storage.service.js +7 -0
package/dist/core/streaming/stream-probe.service.js +209 -0
package/dist/core/topology/topology-emitter.service.js +106 -0
package/dist/launcher.js +325 -0
package/dist/main.js +1098 -0
package/dist/manual-boot.js +227 -0
package/package.json +5 -1
package/src/__tests__/addon-install-e2e.test.ts +0 -74
package/src/__tests__/addon-pages-e2e.test.ts +0 -200
package/src/__tests__/addon-route-session.test.ts +0 -17
package/src/__tests__/addon-settings-router.spec.ts +0 -67
package/src/__tests__/addon-upload.spec.ts +0 -475
package/src/__tests__/agent-registry.spec.ts +0 -179
package/src/__tests__/agent-status-page.spec.ts +0 -82
package/src/__tests__/auth-session-cookie.test.ts +0 -48
package/src/__tests__/bulk-update-coordinator.spec.ts +0 -303
package/src/__tests__/cap-ownership-authority.spec.ts +0 -431
package/src/__tests__/cap-providers/cap-providers-location-import.spec.ts +0 -206
package/src/__tests__/cap-providers/cap-usage-graph.spec.ts +0 -37
package/src/__tests__/cap-providers/compute-topology-categories.spec.ts +0 -110
package/src/__tests__/cap-providers/integrations-delete-cascade.spec.ts +0 -292
package/src/__tests__/cap-providers-bulk-update.spec.ts +0 -408
package/src/__tests__/cap-route-adapter.spec.ts +0 -302
package/src/__tests__/cap-routers/_meta.spec.ts +0 -199
package/src/__tests__/cap-routers/addon-settings.router.spec.ts +0 -115
package/src/__tests__/cap-routers/broker-routing.router.spec.ts +0 -177
package/src/__tests__/cap-routers/cap-route-error-formatter.spec.ts +0 -125
package/src/__tests__/cap-routers/capabilities-node.spec.ts +0 -68
package/src/__tests__/cap-routers/device-link-overlay.spec.ts +0 -137
package/src/__tests__/cap-routers/device-manager-aggregate.router.spec.ts +0 -194
package/src/__tests__/cap-routers/harness.ts +0 -163
package/src/__tests__/cap-routers/metrics-provider.router.spec.ts +0 -133
package/src/__tests__/cap-routers/null-provider-guard.spec.ts +0 -64
package/src/__tests__/cap-routers/pipeline-executor.router.spec.ts +0 -159
package/src/__tests__/cap-routers/settings-store.router.spec.ts +0 -291
package/src/__tests__/capability-e2e.test.ts +0 -384
package/src/__tests__/cli-e2e.test.ts +0 -150
package/src/__tests__/core-cap-bridge.spec.ts +0 -91
package/src/__tests__/dev-bootstrap-shm-ring.spec.ts +0 -40
package/src/__tests__/device-settings-contribution-dispatch.spec.ts +0 -280
package/src/__tests__/embedded-deps-e2e.test.ts +0 -125
package/src/__tests__/event-bus-proxy-router.spec.ts +0 -75
package/src/__tests__/fixtures/mock-analysis-addon-a.ts +0 -37
package/src/__tests__/fixtures/mock-analysis-addon-b.ts +0 -37
package/src/__tests__/fixtures/mock-log-addon.ts +0 -37
package/src/__tests__/fixtures/mock-storage-addon.ts +0 -40
package/src/__tests__/framework-allowlist.spec.ts +0 -96
package/src/__tests__/framework-installer-defer-restart.spec.ts +0 -165
package/src/__tests__/https-e2e.test.ts +0 -124
package/src/__tests__/lifecycle-e2e.test.ts +0 -189
package/src/__tests__/live-events-subscription.spec.ts +0 -149
package/src/__tests__/moleculer/uds-readiness.spec.ts +0 -150
package/src/__tests__/moleculer/uds-topology.spec.ts +0 -418
package/src/__tests__/moleculer/uds-unowned-call.spec.ts +0 -383
package/src/__tests__/moleculer-register-node-idempotency.spec.ts +0 -273
package/src/__tests__/native-cap-route.spec.ts +0 -427
package/src/__tests__/oauth2-account-linking.spec.ts +0 -867
package/src/__tests__/post-boot-restart.spec.ts +0 -161
package/src/__tests__/singleton-contention.test.ts +0 -499
package/src/__tests__/streaming-diagnostic.test.ts +0 -615
package/src/__tests__/streaming-scale.test.ts +0 -314
package/src/__tests__/uds-addon-call-wiring.spec.ts +0 -242
package/src/__tests__/uds-log-ingest.spec.ts +0 -183
package/src/api/__tests__/addons-custom.spec.ts +0 -148
package/src/api/__tests__/capabilities.router.test.ts +0 -56
package/src/api/addon-upload.ts +0 -529
package/src/api/addons-custom.router.ts +0 -101
package/src/api/auth-whoami.ts +0 -101
package/src/api/bridge-addons.router.ts +0 -122
package/src/api/capabilities.router.ts +0 -265
package/src/api/core/__tests__/auth-router-totp.spec.ts +0 -297
package/src/api/core/__tests__/integration-markers.spec.ts +0 -10
package/src/api/core/addon-settings.router.ts +0 -127
package/src/api/core/agents.router.ts +0 -86
package/src/api/core/auth.router.ts +0 -322
package/src/api/core/bulk-update-coordinator.ts +0 -305
package/src/api/core/cap-providers.ts +0 -1339
package/src/api/core/capabilities.router.ts +0 -149
package/src/api/core/collection-preference.ts +0 -40
package/src/api/core/event-bus-proxy.router.ts +0 -45
package/src/api/core/hwaccel.router.ts +0 -108
package/src/api/core/live-events.router.ts +0 -67
package/src/api/core/logs.router.ts +0 -195
package/src/api/core/notifications.router.ts +0 -66
package/src/api/core/repl.router.ts +0 -39
package/src/api/core/settings-backend.router.ts +0 -140
package/src/api/core/stream-probe.router.ts +0 -57
package/src/api/core/system-events.router.ts +0 -125
package/src/api/health/health.routes.ts +0 -117
package/src/api/oauth2/__tests__/oauth2-routes.spec.ts +0 -62
package/src/api/oauth2/oauth2-routes.ts +0 -281
package/src/api/trpc/__tests__/client-ip.spec.ts +0 -146
package/src/api/trpc/__tests__/scope-access-device.spec.ts +0 -268
package/src/api/trpc/__tests__/scope-access.spec.ts +0 -102
package/src/api/trpc/__tests__/webrtc-session-ua-enrich.spec.ts +0 -136
package/src/api/trpc/cap-mount-helpers.ts +0 -245
package/src/api/trpc/cap-route-error-formatter.ts +0 -171
package/src/api/trpc/client-ip.ts +0 -147
package/src/api/trpc/core-cap-bridge.ts +0 -154
package/src/api/trpc/generated-cap-mounts.ts +0 -1240
package/src/api/trpc/generated-cap-routers.ts +0 -11523
package/src/api/trpc/scope-access.ts +0 -110
package/src/api/trpc/trpc.context.ts +0 -258
package/src/api/trpc/trpc.middleware.ts +0 -146
package/src/api/trpc/trpc.router.ts +0 -389
package/src/auth/session-cookie.ts +0 -54
package/src/boot/__tests__/integration-id-backfill.spec.ts +0 -131
package/src/boot/boot-config.ts +0 -259
package/src/boot/integration-id-backfill.ts +0 -109
package/src/boot/post-boot.service.ts +0 -105
package/src/core/addon/__tests__/addon-registry-capability.test.ts +0 -62
package/src/core/addon/__tests__/addon-row-manifest.spec.ts +0 -62
package/src/core/addon/addon-call-gateway.ts +0 -171
package/src/core/addon/addon-package.service.ts +0 -1787
package/src/core/addon/addon-registry.service.ts +0 -3130
package/src/core/addon/addon-search.service.ts +0 -91
package/src/core/addon/addon-settings-provider.ts +0 -220
package/src/core/addon/addon.tokens.ts +0 -2
package/src/core/addon-bridge/addon-bridge.service.ts +0 -130
package/src/core/addon-pages/addon-pages.service.spec.ts +0 -117
package/src/core/addon-pages/addon-pages.service.ts +0 -82
package/src/core/addon-widgets/addon-widgets.service.ts +0 -95
package/src/core/agent/agent-registry.service.ts +0 -529
package/src/core/auth/auth.service.spec.ts +0 -86
package/src/core/auth/auth.service.ts +0 -8
package/src/core/capability/capability.service.ts +0 -66
package/src/core/config/config.schema.ts +0 -3
package/src/core/config/config.service.spec.ts +0 -175
package/src/core/config/config.service.ts +0 -7
package/src/core/events/event-bus.service.spec.ts +0 -235
package/src/core/events/event-bus.service.ts +0 -89
package/src/core/feature/feature.service.spec.ts +0 -99
package/src/core/feature/feature.service.ts +0 -8
package/src/core/lifecycle/lifecycle-state-machine.spec.ts +0 -166
package/src/core/lifecycle/lifecycle-state-machine.ts +0 -3
package/src/core/logging/log-ring-buffer.ts +0 -3
package/src/core/logging/logging.service.spec.ts +0 -287
package/src/core/logging/logging.service.ts +0 -143
package/src/core/logging/scoped-logger.ts +0 -3
package/src/core/moleculer/cap-call-fn.spec.ts +0 -173
package/src/core/moleculer/cap-call-fn.ts +0 -107
package/src/core/moleculer/cap-route-authority.ts +0 -194
package/src/core/moleculer/moleculer.service.ts +0 -1072
package/src/core/network/network-quality.service.spec.ts +0 -53
package/src/core/network/network-quality.service.ts +0 -5
package/src/core/notification/notification-wrapper.service.ts +0 -34
package/src/core/notification/toast-wrapper.service.ts +0 -27
package/src/core/provider/provider.tokens.ts +0 -1
package/src/core/repl/repl-engine.service.spec.ts +0 -444
package/src/core/repl/repl-engine.service.ts +0 -155
package/src/core/storage/fs-storage-backend.spec.ts +0 -70
package/src/core/storage/fs-storage-backend.ts +0 -3
package/src/core/storage/storage-location-manager.spec.ts +0 -130
package/src/core/storage/storage-location-manager.ts +0 -3
package/src/core/storage/storage.service.spec.ts +0 -73
package/src/core/storage/storage.service.ts +0 -3
package/src/core/streaming/stream-probe.service.ts +0 -221
package/src/core/topology/topology-emitter.service.ts +0 -105
package/src/launcher.ts +0 -314
package/src/main.ts +0 -1245
package/src/manual-boot.ts +0 -301
package/tsconfig.build.json +0 -8
package/tsconfig.json +0 -33
package/vitest.config.ts +0 -26

package/src/api/core/__tests__/auth-router-totp.spec.ts DELETED Viewed

@@ -1,297 +0,0 @@
-/* eslint-disable @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-unsafe-return -- mock factories cross typed boundaries */
-import { describe, it, expect, beforeEach, vi } from 'vitest'
-import { createAuthRouter } from '../auth.router.js'
-import { AuthService } from '../../../core/auth/auth.service.js'
-/**
- * Two-phase TOTP login flow tests for `auth.router`. Focus on the
- * cap-router contracts the SDK + admin-ui depend on:
- *
- *   • `login` returns `requiresTotp: true` + a short-lived challenge
- *     token when the user has TOTP enrolled.
- *   • `login` returns a regular session token when the user has NO
- *     TOTP (backwards compat).
- *   • `loginVerifyTotp` validates the challenge token + code and
- *     mints the real session JWT.
- *   • Failure paths: wrong code, expired/forged challenge, missing
- *     user, missing user-management cap.
- */
-interface MockUser {
-  id: string
-  username: string
-  isAdmin: boolean
-  passwordHash: string
-  allowedProviders: string | string[]
-  allowedDevices: Record<string, unknown>
-  scopes: unknown[]
-}
-interface MockUserManagement {
-  validateCredentials: ReturnType<typeof vi.fn>
-  getTotpStatus: ReturnType<typeof vi.fn>
-  verifyTotp: ReturnType<typeof vi.fn>
-  listUsers: ReturnType<typeof vi.fn>
-}
-function makeUser(overrides: Partial<MockUser> = {}): MockUser {
-  return {
-    id: 'u-1',
-    username: 'alice',
-    isAdmin: false,
-    passwordHash: 'hashed',
-    allowedProviders: '*',
-    allowedDevices: {},
-    scopes: [],
-    ...overrides,
-  }
-}
-function makeUserMgmt(overrides: Partial<MockUserManagement> = {}): MockUserManagement {
-  return {
-    validateCredentials: vi.fn(),
-    getTotpStatus: vi.fn(async () => ({ enabled: false, confirmedAt: null })),
-    verifyTotp: vi.fn(async () => ({ valid: true })),
-    listUsers: vi.fn(async () => [makeUser()]),
-    ...overrides,
-  }
-}
-function makeConfig(overrides: Record<string, unknown> = {}): {
-  get<T>(p: string): T
-  update(s: string, d: Record<string, unknown>): void
-} {
-  const store: Record<string, unknown> = { 'auth.jwtSecret': 'unit-test-secret', ...overrides }
-  return {
-    get<T>(path: string): T {
-      return store[path] as T
-    },
-    update(_section: string, _data: Record<string, unknown>): void {
-      /* no-op */
-    },
-  }
-}
-function makeRegistry(userMgmt: MockUserManagement): {
-  getSingleton: (name: string) => unknown | null
-} {
-  return {
-    getSingleton: (name: string) => (name === 'user-management' ? userMgmt : null),
-  }
-}
-/** Invoke a tRPC procedure directly via the router's internal API. */
-async function callProc(
-  router: ReturnType<typeof createAuthRouter>,
-  name: 'login' | 'loginVerifyTotp',
-  input: unknown,
-): Promise<unknown> {
-  const caller = router.createCaller({} as never)
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const fn = (caller as any)[name]
-  return fn(input)
-}
-describe('auth.router — TOTP gate', () => {
-  let auth: AuthService
-  let userMgmt: MockUserManagement
-  let registry: ReturnType<typeof makeRegistry>
-  beforeEach(() => {
-    auth = new AuthService(makeConfig() as never)
-    userMgmt = makeUserMgmt()
-    registry = makeRegistry(userMgmt)
-  })
-  describe('login (phase 1)', () => {
-    it('returns a regular session token + requiresTotp:false when user has NO TOTP', async () => {
-      const u = makeUser()
-      userMgmt.validateCredentials.mockResolvedValueOnce(u)
-      userMgmt.getTotpStatus.mockResolvedValueOnce({ enabled: false, confirmedAt: null })
-      const router = createAuthRouter(auth, registry as never)
-      const result = (await callProc(router, 'login', { username: 'alice', password: 'pw' })) as {
-        token: string
-        user: { id: string; username: string; isAdmin: boolean }
-        requiresTotp?: boolean
-      }
-      expect(result.requiresTotp).toBe(false)
-      expect(result.user).toEqual({ id: 'u-1', username: 'alice', isAdmin: false })
-      // The token verifies as a regular session token (NOT a challenge).
-      const verified = auth.verifyToken(result.token)
-      expect(verified.userId).toBe('u-1')
-      // verifyTotpChallengeToken should NOT recognize a regular session token.
-      expect(auth.verifySsoBridgeToken(result.token)).toBeNull()
-    })
-    it('returns a challenge token + requiresTotp:true when user HAS TOTP', async () => {
-      const u = makeUser()
-      userMgmt.validateCredentials.mockResolvedValueOnce(u)
-      userMgmt.getTotpStatus.mockResolvedValueOnce({ enabled: true, confirmedAt: Date.now() })
-      const router = createAuthRouter(auth, registry as never)
-      const result = (await callProc(router, 'login', { username: 'alice', password: 'pw' })) as {
-        token: string
-        user: { id: string; username: string; isAdmin: boolean }
-        requiresTotp?: boolean
-      }
-      expect(result.requiresTotp).toBe(true)
-      // The challenge token MUST NOT verify as a session JWT — it has
-      // `kind: 'totp-challenge'` and the standard verifyToken expects
-      // the session shape (it'd throw or return garbage).
-      const challengeClaims = auth.verifyTotpChallengeToken(result.token)
-      expect(challengeClaims).not.toBeNull()
-      expect(challengeClaims!.userId).toBe('u-1')
-      expect(challengeClaims!.isAdmin).toBe(false)
-    })
-    it('rejects invalid credentials', async () => {
-      userMgmt.validateCredentials.mockResolvedValueOnce(null)
-      const router = createAuthRouter(auth, registry as never)
-      await expect(
-        callProc(router, 'login', { username: 'alice', password: 'wrong' }),
-      ).rejects.toThrow('Invalid credentials')
-    })
-    it('throws when user-management cap is unregistered (boot failure)', async () => {
-      const emptyRegistry = { getSingleton: () => null } as never
-      const router = createAuthRouter(auth, emptyRegistry)
-      await expect(
-        callProc(router, 'login', { username: 'alice', password: 'pw' }),
-      ).rejects.toThrow(/user-management.*capability not registered/)
-    })
-    it('falls through to session-token branch when getTotpStatus method is absent (older user-mgmt builds)', async () => {
-      const u = makeUser()
-      const legacyMgmt = {
-        validateCredentials: vi.fn().mockResolvedValueOnce(u),
-        // getTotpStatus deliberately undefined
-        verifyTotp: vi.fn(),
-        listUsers: vi.fn(),
-      }
-      const router = createAuthRouter(auth, makeRegistry(legacyMgmt as never) as never)
-      const result = (await callProc(router, 'login', { username: 'alice', password: 'pw' })) as {
-        requiresTotp?: boolean
-      }
-      expect(result.requiresTotp).toBe(false)
-    })
-  })
-  describe('loginVerifyTotp (phase 2)', () => {
-    it('mints the real session JWT when challenge + code are both valid', async () => {
-      const u = makeUser({ scopes: [{ type: 'category', target: 'storage', access: ['view'] }] })
-      userMgmt.verifyTotp.mockResolvedValueOnce({ valid: true })
-      userMgmt.listUsers.mockResolvedValueOnce([u])
-      const challengeToken = auth.signTotpChallengeToken({
-        userId: u.id,
-        username: u.username,
-        isAdmin: u.isAdmin,
-      })
-      const router = createAuthRouter(auth, registry as never)
-      const result = (await callProc(router, 'loginVerifyTotp', {
-        challengeToken,
-        code: '123456',
-      })) as {
-        token: string
-        user: { id: string; username: string; isAdmin: boolean }
-        requiresTotp?: boolean
-      }
-      expect(result.requiresTotp).toBe(false)
-      expect(result.user.id).toBe('u-1')
-      // Session JWT verifies + carries the user's scopes snapshot.
-      const decoded = auth.verifyToken(result.token)
-      expect(decoded.userId).toBe('u-1')
-    })
-    it('rejects an invalid/expired challenge token', async () => {
-      const router = createAuthRouter(auth, registry as never)
-      await expect(
-        callProc(router, 'loginVerifyTotp', { challengeToken: 'not.a.real.jwt', code: '123456' }),
-      ).rejects.toThrow(/Invalid or expired TOTP challenge/)
-    })
-    it('rejects a forged challenge token (signed with wrong secret)', async () => {
-      const other = new AuthService(makeConfig({ 'auth.jwtSecret': 'attacker-secret' }) as never)
-      const forged = other.signTotpChallengeToken({
-        userId: 'u-1',
-        username: 'alice',
-        isAdmin: true,
-      })
-      const router = createAuthRouter(auth, registry as never)
-      await expect(
-        callProc(router, 'loginVerifyTotp', { challengeToken: forged, code: '000000' }),
-      ).rejects.toThrow(/Invalid or expired TOTP challenge/)
-    })
-    it('rejects a session token reused as a challenge token (wrong kind)', async () => {
-      const sessionTok = auth.signToken({
-        userId: 'u-1',
-        username: 'alice',
-        isAdmin: true,
-        allowedProviders: '*',
-        allowedDevices: {},
-      })
-      const router = createAuthRouter(auth, registry as never)
-      await expect(
-        callProc(router, 'loginVerifyTotp', { challengeToken: sessionTok, code: '000000' }),
-      ).rejects.toThrow(/Invalid or expired TOTP challenge/)
-    })
-    it('rejects a wrong 6-digit code', async () => {
-      userMgmt.verifyTotp.mockResolvedValueOnce({ valid: false })
-      const challengeToken = auth.signTotpChallengeToken({
-        userId: 'u-1',
-        username: 'alice',
-        isAdmin: false,
-      })
-      const router = createAuthRouter(auth, registry as never)
-      await expect(
-        callProc(router, 'loginVerifyTotp', { challengeToken, code: '000000' }),
-      ).rejects.toThrow(/Invalid TOTP code/)
-    })
-    it('rejects when the user vanishes between legs (deleted concurrently)', async () => {
-      userMgmt.verifyTotp.mockResolvedValueOnce({ valid: true })
-      // The fresh listUsers() call returns nothing — user was deleted.
-      userMgmt.listUsers.mockResolvedValueOnce([])
-      const challengeToken = auth.signTotpChallengeToken({
-        userId: 'ghost',
-        username: 'alice',
-        isAdmin: false,
-      })
-      const router = createAuthRouter(auth, registry as never)
-      await expect(
-        callProc(router, 'loginVerifyTotp', { challengeToken, code: '123456' }),
-      ).rejects.toThrow(/User no longer exists/)
-    })
-    it('uses the FRESHLY fetched user record (scope changes pick up immediately)', async () => {
-      // Issue challenge for u-1 with empty scopes (the in-token snapshot).
-      const challengeToken = auth.signTotpChallengeToken({
-        userId: 'u-1',
-        username: 'alice',
-        isAdmin: false,
-      })
-      // Between the two legs, an admin granted u-1 a new scope.
-      userMgmt.verifyTotp.mockResolvedValueOnce({ valid: true })
-      userMgmt.listUsers.mockResolvedValueOnce([
-        makeUser({ scopes: [{ type: 'category', target: 'addon', access: ['view'] }] }),
-      ])
-      const router = createAuthRouter(auth, registry as never)
-      const result = (await callProc(router, 'loginVerifyTotp', {
-        challengeToken,
-        code: '123456',
-      })) as { token: string }
-      const decoded = auth.verifyToken(result.token)
-      // The fresh scope is in the minted session JWT, not the snapshot
-      // from the (potentially stale) password leg.
-      const scopes = (decoded as { scopes?: unknown[] }).scopes
-      expect(scopes).toHaveLength(1)
-    })
-  })
-})

package/src/api/core/__tests__/integration-markers.spec.ts DELETED Viewed

@@ -1,10 +0,0 @@
-import { describe, it, expect } from 'vitest'
-import { INTEGRATION_CAP_MARKERS } from '../cap-providers.js'
-describe('integration cap markers', () => {
-  it('recognises device-adoption (not the old ha-discovery)', () => {
-    expect(INTEGRATION_CAP_MARKERS.has('device-adoption')).toBe(true)
-    expect(INTEGRATION_CAP_MARKERS.has('ha-discovery')).toBe(false)
-    expect(INTEGRATION_CAP_MARKERS.has('device-provider')).toBe(true)
-  })
-})

package/src/api/core/addon-settings.router.ts DELETED Viewed

@@ -1,127 +0,0 @@
-/**
- * Addon settings router — raw DB proxy for the common settings API.
- *
- * Exposes four protected procedures consumed by:
- *   1. Forked addons (via the tRPC WSS client in `WorkerBootstrapService`)
- *      to read/write their 3-level settings chain from the worker process.
- *   2. Future UI flows that want to inspect/mutate addon settings through
- *      a single well-typed endpoint.
- *
- * The router is deliberately thin — it does NOT perform schema-based
- * resolver merging (defaults → global → per-device). That happens on the
- * consumer side where the addon's `ConfigUISchema` is available:
- *   - In-process addons: handled by `SettingsResolverService.createView()`
- *     wired into `AddonContext.settings` during `createAddonContext()`.
- *   - Forked addons: handled by the `AddonSettingsView` constructed inside
- *     `WorkerBootstrapService`, which has access to the worker's local
- *     addon schema.
- *
- * Introduced in session 5 Sprint 3a (worker-bootstrap cap-aware wiring).
- */
-import { z } from 'zod'
-import type { ConfigService } from '../../core/config/config.service.js'
-import { trpcRouter, protectedProcedure } from '../trpc/trpc.middleware.js'
-const AddonSettingsRecordSchema = z.record(z.string(), z.unknown())
-const AddonIdInputSchema = z.object({
-  addonId: z.string(),
-})
-const AddonDeviceInputSchema = z.object({
-  addonId: z.string(),
-  deviceId: z.string(),
-})
-const UpdateGlobalInputSchema = z.object({
-  addonId: z.string(),
-  field: z.string(),
-  value: z.unknown(),
-})
-const UpdateDeviceInputSchema = z.object({
-  addonId: z.string(),
-  deviceId: z.string(),
-  field: z.string(),
-  value: z.unknown(),
-})
-const SuccessSchema = z.object({ success: z.literal(true) })
-const ReplaceGlobalInputSchema = z.object({
-  addonId: z.string(),
-  config: z.record(z.string(), z.unknown()),
-})
-export function createAddonSettingsRouter(cfg: ConfigService) {
-  return trpcRouter({
-    /**
-     * Read the addon-global settings record for the given addon.
-     * Returns the raw stored values (no defaults, no device overrides).
-     */
-    getGlobal: protectedProcedure
-      .input(AddonIdInputSchema)
-      .output(AddonSettingsRecordSchema)
-      .query(({ input }) => cfg.getAddonConfig(input.addonId)),
-    /**
-     * Read the per-device override record for the given addon × device.
-     * Returns the raw stored values (schema filtering happens on the
-     * consumer side at merge time).
-     */
-    getDeviceOverrides: protectedProcedure
-      .input(AddonDeviceInputSchema)
-      .output(AddonSettingsRecordSchema)
-      .query(({ input }) => cfg.getAddonDevice(input.addonId, input.deviceId)),
-    /**
-     * Update a single field in the addon-global settings record.
-     * Reads the current record, merges the new value, and writes back
-     * via `setAddonConfig` (bulk replace). Intended for small per-field
-     * writes from addon code; bulk updates should use a dedicated admin
-     * endpoint (not exposed here).
-     */
-    updateGlobal: protectedProcedure
-      .input(UpdateGlobalInputSchema)
-      .output(SuccessSchema)
-      .mutation(({ input }) => {
-        const current = cfg.getAddonConfig(input.addonId)
-        cfg.setAddonConfig(input.addonId, { ...current, [input.field]: input.value })
-        return { success: true as const }
-      }),
-    /**
-     * Update a single field in the per-device override record for the
-     * given addon × device. Merges with the existing overrides and
-     * writes back via `setAddonDevice`. Scope enforcement (dropping
-     * fields not declared as `scope: 'device'`) is the consumer's
-     * responsibility — we preserve the raw shape at this layer so the
-     * resolver contract remains symmetric with `getDeviceOverrides`.
-     */
-    updateDevice: protectedProcedure
-      .input(UpdateDeviceInputSchema)
-      .output(SuccessSchema)
-      .mutation(({ input }) => {
-        const current = cfg.getAddonDevice(input.addonId, input.deviceId)
-        cfg.setAddonDevice(input.addonId, input.deviceId, {
-          ...current,
-          [input.field]: input.value,
-        })
-        return { success: true as const }
-      }),
-    /**
-     * Replace the entire addon-global settings record in one call.
-     * Used by forked workers for `context.config.setAll()`. Unlike
-     * `updateGlobal` (single-field merge), this overwrites the full record.
-     * Admin-level write: only workers with valid hub tokens can call this.
-     */
-    replaceGlobal: protectedProcedure
-      .input(ReplaceGlobalInputSchema)
-      .output(SuccessSchema)
-      .mutation(({ input }) => {
-        cfg.setAddonConfig(input.addonId, input.config)
-        return { success: true as const }
-      }),
-  })
-}

package/src/api/core/agents.router.ts DELETED Viewed

@@ -1,86 +0,0 @@
-/**
- * Agents router — fixed core API (not a capability).
- *
- * Thin binding over AgentRegistryService which now delegates to Moleculer
- * for node discovery and health. Only role-assignment management and
- * node listing remain; protocol endpoints (register, heartbeat, task
- * dispatch) are handled natively by the Moleculer service mesh.
- */
-import { z } from 'zod'
-import type { AgentRegistryService } from '../../core/agent/agent-registry.service.js'
-import type { MoleculerService } from '../../core/moleculer/moleculer.service.js'
-import { trpcRouter, adminProcedure } from '../trpc/trpc.middleware.js'
-const AgentRoleSchema = z.enum(['decoder', 'transcoder', 'detector', 'recorder'])
-export function createAgentsRouter(ar: AgentRegistryService, moleculer: MoleculerService) {
-  return trpcRouter({
-    // ── Node listing (replaces listAgents / listConnected) ────────────
-    listNodes: adminProcedure.input(z.void()).query(async () => {
-      const items = await ar.listNodes()
-      // Spread to mutable copies: AgentListItem uses readonly arrays; Zod output schema uses mutable.
-      return items.map((a) => ({
-        ...a,
-        info: {
-          ...a.info,
-          capabilities: [...a.info.capabilities],
-        },
-        status: {
-          ...a.status,
-          fps: { ...a.status.fps },
-          errors: [...a.status.errors],
-        },
-        subProcesses: [...a.subProcesses],
-      }))
-    }),
-    // ── Capability discovery (via Moleculer service list) ─────────────
-    getAgentCapabilities: adminProcedure.input(z.void()).query(async () => {
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access -- moleculer.broker.call typing chain unresolvable; runtime shape validated by the cast below
-      const services = (await moleculer.broker.call('$node.services', {})) as Array<{
-        name: string
-      }>
-      const capSet = new Set<string>()
-      for (const svc of services) {
-        if (svc.name.startsWith('$')) continue
-        capSet.add(svc.name)
-      }
-      return [...capSet].toSorted()
-    }),
-    // ── Role assignments ──────────────────────────────────────────────
-    getAssignments: adminProcedure
-      .input(z.object({ cameraId: z.number().optional() }))
-      .query(({ input }) => ar.getAssignments(input.cameraId)),
-    setAssignment: adminProcedure
-      .input(
-        z.object({
-          cameraId: z.number(),
-          role: AgentRoleSchema,
-          agentId: z.string(),
-          priority: z.enum(['primary', 'backup', 'overflow']),
-          rtspUrl: z.string().optional(),
-        }),
-      )
-      .mutation(({ input }) => ar.setAssignment(input as never)),
-    removeAssignment: adminProcedure
-      .input(
-        z.object({
-          cameraId: z.number(),
-          role: AgentRoleSchema,
-        }),
-      )
-      .mutation(({ input }) => ar.removeAssignment(input.cameraId, input.role as never)),
-    activateBackup: adminProcedure
-      .input(
-        z.object({
-          cameraId: z.number(),
-          role: AgentRoleSchema,
-        }),
-      )
-      .mutation(({ input }) => ar.activateBackup(input.cameraId, input.role as never)),
-  })
-}