@claudelaw/taichu 0.6.0

package/packages/server/src/routes/graphql.js

@@ -0,0 +1,344 @@
+/**
+ * GraphQL API Route
+ *
+ * REST 之外的第二个 API 通道。
+ * 提供灵活的客户端自定义查询——前端想要什么字段就取什么字段。
+ *
+ * POST /api/graphql — GraphQL 端点
+ * GET  /api/graphql — GraphiQL 交互式 IDE（开发环境）
+ *
+ * 支持 Bearer JWT 或 X-Taichu-Agent-Key 认证。
+ */
+
+import { buildSchema, graphql } from 'graphql';
+import { getStore, getHooks } from '../context.js';
+import { search as vectorSearch } from '../search.js';
+import { requireAuth } from '../middleware/auth.js';
+
+// ─── Schema Definition ────────────────────────────────────
+
+const schemaSDL = `
+  type Document {
+    id: ID!
+    type: String!
+    data: JSON
+    status: String
+    createdBy: String
+    createdAt: String
+    updatedAt: String
+  }
+
+  type ContentType {
+    name: String!
+    label: String!
+    description: String
+    schemaOrg: String
+    fieldCount: Int
+  }
+
+  type SearchResult {
+    id: ID!
+    type: String!
+    title: String
+    status: String
+    score: Float
+    updatedAt: String
+  }
+
+  scalar JSON
+
+  type Query {
+    """获取单个文档"""
+    content(type: String!, id: ID!): Document
+
+    """列出某类型的文档"""
+    contentList(
+      type: String!
+      status: String
+      search: String
+      limit: Int
+      offset: Int
+    ): [Document!]!
+
+    """语义搜索"""
+    search(query: String!, type: String, limit: Int): [SearchResult!]!
+
+    """列出所有内容类型"""
+    contentTypes: [ContentType!]!
+
+    """健康检查"""
+    health: String!
+  }
+
+  type Mutation {
+    """创建文档"""
+    createContent(type: String!, data: JSON!, status: String): Document
+
+    """更新文档"""
+    updateContent(type: String!, id: ID!, data: JSON!): Document
+
+    """删除文档"""
+    deleteContent(type: String!, id: ID!): Boolean!
+  }
+`;
+
+// ─── Resolvers ────────────────────────────────────────────
+
+const resolvers = {
+  JSON: {
+    serialize: (v) => v,
+    parseValue: (v) => v
+  },
+
+  Query: {
+    async content(_, { type, id }) {
+      const store = getStore();
+      return store.get(id);
+    },
+
+    async contentList(_, args) {
+      const store = getStore();
+      const docs = await store.list({
+        type: args.type,
+        status: args.status || undefined,
+        search: args.search || undefined,
+        limit: args.limit || 20,
+        offset: args.offset || 0
+      });
+      return docs;
+    },
+
+    async search(_, { query, type, limit = 10 }) {
+      const results = vectorSearch(query, limit);
+      const store = getStore();
+      const docs = [];
+
+      for (const { docId, score } of results) {
+        try {
+          const doc = await store.get(docId);
+          if (doc && (!type || doc.type === type)) {
+            docs.push({
+              id: doc.id,
+              type: doc.type,
+              title: doc.data?.title || doc.data?.name || '(untitled)',
+              status: doc.status,
+              score: Math.round(score * 100) / 100,
+              updatedAt: doc.updatedAt
+            });
+          }
+        } catch { /* skip */ }
+      }
+
+      return docs;
+    },
+
+    contentTypes() {
+      // Import dynamically to avoid circular deps
+      return import('./api.js').then(m => {
+        const types = m.getContentTypes ? m.getContentTypes() : [];
+        return types;
+      }).catch(() => []);
+    },
+
+    health() {
+      return `Taichu CMS v0.2.0 — uptime: ${Math.floor(process.uptime())}s`;
+    }
+  },
+
+  Mutation: {
+    async createContent(_, { type, data, status }) {
+      const store = getStore();
+      const hooks = getHooks();
+
+      let payload = { type, data, status: status || 'draft' };
+      payload = await hooks.run('beforeCreate', payload, { store });
+      const doc = await store.create(payload);
+      await hooks.run('afterCreate', doc, { store });
+      return doc;
+    },
+
+    async updateContent(_, { type, id, data }) {
+      const store = getStore();
+      const hooks = getHooks();
+
+      let payload = { id, type, data };
+      payload = await hooks.run('beforeUpdate', payload, { store });
+      const doc = await store.update(id, payload);
+      if (doc) await hooks.run('afterUpdate', doc, { store });
+      return doc;
+    },
+
+    async deleteContent(_, { type, id }) {
+      const store = getStore();
+      const hooks = getHooks();
+
+      const basePayload = { id, type };
+      const payload = await hooks.run('beforeDelete', basePayload, { store });
+      const deleted = await store.delete(id);
+      if (deleted) await hooks.run('afterDelete', { id, type }, { store });
+      return deleted;
+    }
+  }
+};
+
+// ─── Build Schema ─────────────────────────────────────────
+
+let schema = null;
+
+function getSchema() {
+  if (!schema) {
+    schema = buildSchema(schemaSDL);
+  }
+  return schema;
+}
+
+// ─── Route Handler ────────────────────────────────────────
+
+/**
+ * @param {import('../context.js').Context} ctx
+ */
+export async function graphqlRoutes(ctx) {
+  const s = getSchema();
+
+  // GET: GraphiQL playground (simple HTML)
+  if (ctx.req.method === 'GET') {
+    ctx.res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+    ctx.res.end(GRAPHIQL_HTML);
+    return;
+  }
+
+  // POST: Execute GraphQL query (mutations require auth)
+  if (ctx.req.method === 'POST') {
+    const { query, variables, operationName } = ctx.body || {};
+
+    if (!query) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ errors: [{ message: 'Query is required' }] }));
+      return;
+    }
+
+    // Require auth for mutations
+    const isMutation = query.trim().toLowerCase().startsWith('mutation');
+    if (isMutation) {
+      const authResult = await requireAuth(ctx);
+      if (!authResult.authenticated) {
+        ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ errors: [{ message: authResult.message }] }));
+        return;
+      }
+      ctx.actor = authResult.actor;
+    }
+
+    // Validate query depth (prevent DoS via deeply nested queries)
+    const maxDepth = parseInt(process.env.TAICHU_GRAPHQL_MAX_DEPTH) || 5;
+    if (estimateQueryDepth(query) > maxDepth) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ errors: [{ message: `Query depth exceeds maximum of ${maxDepth}` }] }));
+      return;
+    }
+
+    try {
+      const result = await graphql({
+        schema: s,
+        source: query,
+        variableValues: variables,
+        operationName,
+        contextValue: {}
+      });
+
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(result));
+    } catch (err) {
+      ctx.res.writeHead(500, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ errors: [{ message: err.message }] }));
+    }
+    return;
+  }
+}
+
+/**
+ * Estimate query depth to prevent deeply nested DoS attacks.
+ * Simple bracket-based heuristic.
+ */
+function estimateQueryDepth(query) {
+  let depth = 0, maxDepth = 0;
+  for (const ch of query) {
+    if (ch === '{') { depth++; maxDepth = Math.max(maxDepth, depth); }
+    if (ch === '}') depth--;
+  }
+  return maxDepth;
+}
+
+// ─── GraphiQL HTML ────────────────────────────────────────
+
+const GRAPHIQL_HTML = `<!DOCTYPE html>
+<html>
+<head>
+  <title>Taichu GraphiQL</title>
+  <style>
+    * { margin:0; padding:0; box-sizing:border-box; }
+    body { font-family: -apple-system, sans-serif; background: #0F172A; color: #E2E8F0; height:100vh; display:flex; flex-direction:column; }
+    header { padding: 12px 24px; background: #1E293B; border-bottom: 1px solid #334155; display:flex; align-items:center; gap:12px; }
+    header h1 { font-size: 16px; color: #10B981; }
+    header span { font-size: 12px; color: #64748B; }
+    main { flex:1; display:flex; flex-direction:column; padding: 16px; gap:12px; }
+    #editor { flex:1; background:#1E293B; border:1px solid #334155; border-radius:8px; padding:16px; color:#E2E8F0; font-family:'Cascadia Code',monospace; font-size:13px; resize:none; outline:none; }
+    #editor:focus { border-color:#10B981; }
+    .bar { display:flex; gap:8px; align-items:center; }
+    button { padding: 8px 20px; background:#10B981; color:white; border:none; border-radius:6px; cursor:pointer; font-size:13px; font-weight:600; }
+    button:hover { background:#059669; }
+    #result { flex:1; background:#1E293B; border:1px solid #334155; border-radius:8px; padding:16px; overflow:auto; font-family:'Cascadia Code',monospace; font-size:13px; white-space:pre-wrap; }
+    .error { color:#EF4444; }
+    .split { display:flex; flex:1; gap:12px; }
+    .split > * { flex:1; }
+  </style>
+</head>
+<body>
+<header><h1>⚡ Taichu GraphiQL</h1><span>GraphQL Explorer</span></header>
+<main>
+  <div class="bar">
+    <button onclick="run()">▶ 执行</button>
+    <span style="font-size:12px;color:#64748B">Ctrl+Enter</span>
+  </div>
+  <div class="split">
+    <textarea id="editor" placeholder="# GraphQL Query
+{
+  health
+  contentTypes { name label }
+  contentList(type:"article", limit:5) { id data status }
+}">{
+  health
+  contentTypes {
+    name
+    label
+    fieldCount
+  }
+}</textarea>
+    <div id="result">点击执行查看结果</div>
+  </div>
+</main>
+<script>
+const editor=document.getElementById('editor');
+const result=document.getElementById('result');
+
+async function run() {
+  try {
+    const q = editor.value;
+    const res = await fetch('/api/graphql', {
+      method: 'POST',
+      headers: {'Content-Type':'application/json'},
+      body: JSON.stringify({query:q})
+    });
+    const data = await res.json();
+    result.innerHTML = JSON.stringify(data, null, 2);
+  } catch(e) {
+    result.innerHTML = '<span class="error">'+e.message+'</span>';
+  }
+}
+
+editor.addEventListener('keydown', e => {
+  if (e.ctrlKey && e.key === 'Enter') run();
+});
+</script>
+</body>
+</html>`;

package/packages/server/src/routes/media.js

@@ -0,0 +1,169 @@
+/**
+ * Media Routes — 文件上传和管理 API
+ *
+ * POST   /api/media/upload       — 上传文件（multipart）
+ * GET    /api/media               — 列出媒体
+ * GET    /api/media/:id           — 获取媒体元数据
+ * DELETE /api/media/:id           — 删除媒体
+ * GET    /uploads/*              — 静态文件服务（由 router 转发到 static.js）
+ */
+
+import { parseMultipart } from '../multipart.js';
+import { createMediaStore } from '../media-store.js';
+import { requireAuth } from '../middleware/auth.js';
+import { getStore } from '../context.js';
+
+// Lazy-init media store singleton
+let _mediaStore = null;
+function getMediaStore() {
+  if (!_mediaStore) _mediaStore = createMediaStore();
+  return _mediaStore;
+}
+
+/**
+ * @param {import('../context.js').Context} ctx
+ */
+export async function mediaRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  // POST /api/media/upload
+  if (pathname === '/api/media/upload' && method === 'POST') {
+    const authResult = await requireAuth(ctx);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+    ctx.actor = authResult.actor;
+
+    try {
+      const { files, fields } = await parseMultipart(ctx.req);
+      if (!files || files.length === 0) {
+        ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'No file uploaded' }));
+        return;
+      }
+
+      const mediaStore = getMediaStore();
+      const store = getStore();
+      const results = [];
+
+      for (const file of files) {
+        const saved = await mediaStore.save(file.buffer, file.filename, file.mimetype);
+
+        // Store metadata in Taichu's content system
+        const doc = await store.create({
+          type: 'media',
+          data: {
+            filename: saved.filename,
+            originalName: saved.originalName,
+            mimeType: saved.mimetype,
+            size: saved.size,
+            url: saved.url,
+            width: saved.width || null,
+            height: saved.height || null,
+            compressed: saved.compressed || false,
+            webp: saved.webp || null,
+            thumbnails: saved.thumbnails || {},
+            altText: fields.alt || '',
+            caption: fields.caption || '',
+            uploadedBy: ctx.actor.id
+          },
+          status: 'active'
+        });
+
+        results.push({
+          id: doc.id,
+          ...saved,
+          altText: fields.alt || '',
+          caption: fields.caption || ''
+        });
+      }
+
+      ctx.res.writeHead(201, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(results.length === 1 ? results[0] : { files: results }));
+    } catch (err) {
+      if (err.code === 'FILE_TOO_LARGE' || err.code === 'PAYLOAD_TOO_LARGE') {
+        ctx.res.writeHead(413, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: err.code, message: err.message }));
+        return;
+      }
+      throw err;
+    }
+    return;
+  }
+
+  // GET /api/media — list media
+  if (pathname === '/api/media' && method === 'GET') {
+    const authResult = await requireAuth(ctx);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+
+    const store = getStore();
+    const docs = await store.list({ type: 'media', limit: 50, ...Object.fromEntries(ctx.url.searchParams) });
+
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ docs, total: docs.length }));
+    return;
+  }
+
+  // GET /api/media/:id
+  const mediaMatch = pathname.match(/^\/api\/media\/([\w-]+)$/);
+  if (mediaMatch && method === 'GET') {
+    const authResult = await requireAuth(ctx);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+
+    const store = getStore();
+    const doc = await store.get(mediaMatch[1]);
+    if (!doc || doc.type !== 'media') {
+      ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: 'Media not found' }));
+      return;
+    }
+
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify(doc));
+    return;
+  }
+
+  // DELETE /api/media/:id
+  if (mediaMatch && method === 'DELETE') {
+    const authResult = await requireAuth(ctx);
+    if (!authResult.authenticated) {
+      ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+      return;
+    }
+
+    const store = getStore();
+    const mediaStore = getMediaStore();
+    const doc = await store.get(mediaMatch[1]);
+
+    if (!doc || doc.type !== 'media') {
+      ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: 'Media not found' }));
+      return;
+    }
+
+    // Delete file from disk
+    await mediaStore.remove(doc.data.filename);
+    // Delete metadata
+    await store.delete(mediaMatch[1]);
+
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ success: true }));
+    return;
+  }
+
+  // 404
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: `Media route not found: ${method} ${pathname}` }));
+}

package/packages/server/src/routes/plugin-marketplace.js

@@ -0,0 +1,171 @@
+/**
+ * Plugin Marketplace Routes
+ *
+ * GET  /api/plugins                    — list installed plugins
+ * GET  /api/plugins/marketplace        — search/browse marketplace
+ * POST /api/plugins/install            — install a plugin from marketplace
+ * POST /api/plugins/uninstall/:name    — uninstall a plugin
+ * POST /api/plugins/refresh            — refresh marketplace index
+ */
+
+import { requireAuth } from '../middleware/auth.js';
+import { installPlugin, uninstallPlugin, listInstalled, isInstalled } from '../plugin-installer.js';
+import { getPluginManager } from '../plugin-manager.js';
+
+/** Default marketplace index URL */
+const DEFAULT_MARKETPLACE_URL = 'https://raw.githubusercontent.com/Caludelaw/Taichu/main/marketplace.json';
+const MARKETPLACE_URL = process.env.TAICHU_MARKETPLACE_URL || DEFAULT_MARKETPLACE_URL;
+
+let _marketplaceCache = null;
+let _marketplaceCacheTime = 0;
+const CACHE_TTL = 300000; // 5 min
+
+/**
+ * Fetch marketplace index (with cache).
+ */
+async function fetchMarketplace(opts = {}) {
+  const force = opts.force || false;
+  if (!force && _marketplaceCache && (Date.now() - _marketplaceCacheTime) < CACHE_TTL) {
+    return _marketplaceCache;
+  }
+
+  try {
+    const res = await fetch(MARKETPLACE_URL);
+    if (!res.ok) throw new Error(`Marketplace fetch failed: ${res.status}`);
+    _marketplaceCache = await res.json();
+    _marketplaceCacheTime = Date.now();
+    return _marketplaceCache;
+  } catch (err) {
+    // Return cached if available, otherwise empty
+    if (_marketplaceCache) return _marketplaceCache;
+    return { version: 1, plugins: [], error: err.message };
+  }
+}
+
+/** @param {import('../context.js').Context} ctx */
+export async function pluginMarketplaceRoutes(ctx) {
+  const { pathname } = ctx.url;
+  const method = ctx.req.method;
+
+  // Auth required for all plugin management
+  const authResult = await requireAuth(ctx);
+  if (!authResult.authenticated) {
+    ctx.res.writeHead(authResult.status, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ error: authResult.error, message: authResult.message }));
+    return;
+  }
+
+  // GET /api/plugins — list installed
+  if (pathname === '/api/plugins' && method === 'GET') {
+    const pm = getPluginManager();
+    const installed = listInstalled();
+    const loaded = pm.list();
+    const result = installed.map(p => ({
+      ...p,
+      loaded: loaded.some(l => l.name === p.name)
+    }));
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ plugins: result, total: result.length }));
+    return;
+  }
+
+  // GET /api/plugins/marketplace — browse marketplace
+  if (pathname === '/api/plugins/marketplace' && method === 'GET') {
+    const search = ctx.url.searchParams.get('search')?.toLowerCase();
+    const category = ctx.url.searchParams.get('category');
+
+    const marketplace = await fetchMarketplace();
+    let results = marketplace.plugins || [];
+
+    if (search) {
+      results = results.filter(p =>
+        p.name.toLowerCase().includes(search) ||
+        p.description.toLowerCase().includes(search) ||
+        (p.keywords || []).some(k => k.toLowerCase().includes(search))
+      );
+    }
+    if (category) {
+      results = results.filter(p => p.category === category);
+    }
+
+    // Add install status
+    const enriched = results.map(p => ({
+      ...p,
+      installed: isInstalled(p.name)
+    }));
+
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({
+      plugins: enriched,
+      total: enriched.length,
+      lastUpdated: marketplace.lastUpdated || null,
+      source: MARKETPLACE_URL
+    }));
+    return;
+  }
+
+  // POST /api/plugins/install — install from marketplace
+  if (pathname === '/api/plugins/install' && method === 'POST') {
+    const { repo, name } = ctx.body || {};
+
+    if (!repo && !name) {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: 'Either "repo" (GitHub repo) or "name" (marketplace plugin name) is required' }));
+      return;
+    }
+
+    let installRepo = repo;
+    if (!installRepo) {
+      // Look up in marketplace
+      const marketplace = await fetchMarketplace();
+      const plugin = (marketplace.plugins || []).find(p => p.name === name);
+      if (!plugin) {
+        ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'NOT_FOUND', message: `Plugin "${name}" not found in marketplace` }));
+        return;
+      }
+      installRepo = plugin.repository?.replace('https://github.com/', '') || plugin.repo;
+      if (!installRepo) {
+        ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+        ctx.res.end(JSON.stringify({ error: 'VALIDATION_ERROR', message: `Plugin "${name}" has no repository URL` }));
+        return;
+      }
+    }
+
+    const result = await installPlugin(installRepo, { version: ctx.body.version });
+    if (result.success) {
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(result));
+    } else {
+      ctx.res.writeHead(400, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(result));
+    }
+    return;
+  }
+
+  // POST /api/plugins/uninstall/:name
+  const uninstallMatch = pathname.match(/^\/api\/plugins\/uninstall\/(.+)$/);
+  if (uninstallMatch && method === 'POST') {
+    const name = uninstallMatch[1];
+    const result = await uninstallPlugin(name);
+    if (result.success) {
+      ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(result));
+    } else {
+      ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+      ctx.res.end(JSON.stringify(result));
+    }
+    return;
+  }
+
+  // POST /api/plugins/refresh — refresh marketplace cache
+  if (pathname === '/api/plugins/refresh' && method === 'POST') {
+    const marketplace = await fetchMarketplace({ force: true });
+    ctx.res.writeHead(200, { 'Content-Type': 'application/json' });
+    ctx.res.end(JSON.stringify({ refreshed: true, pluginCount: (marketplace.plugins || []).length }));
+    return;
+  }
+
+  ctx.res.writeHead(404, { 'Content-Type': 'application/json' });
+  ctx.res.end(JSON.stringify({ error: 'NOT_FOUND' }));
+}