@cyberismo/backend 0.0.21 → 0.0.22

package/dist/public/config.json

@@ -1,3 +1,4 @@
 {
+  "logoutUrl": "",
   "staticMode": false
 }

package/dist/public/index.html

@@ -11,8 +11,8 @@
       name="msapplication-TileImage"
       content="/cropped-favicon-270x270.png"
     />
-    <script type="module" crossorigin src="/assets/index-Ca10XaMv.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-CRSBseQM.css">
+    <script type="module" crossorigin src="/assets/index-CEol8Bfi.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-B_lh6qtv.css">
   </head>
   <body>
     <div id="root"></div>

package/dist/types.d.ts

@@ -21,8 +21,33 @@ export interface TreeOptions {
     recursive?: boolean;
     cardKey?: string;
 }
+/**
+ * User roles - checked directly in middleware
+ * Role hierarchy: Admin > Editor > Reader
+ * - Admin: All operations including configuration
+ * - Editor: Can create, edit, and manage content but not config
+ * - Reader: Can only view content
+ */
+export declare enum UserRole {
+    Admin = "admin",
+    Editor = "editor",
+    Reader = "reader"
+}
+/**
+ * User information returned by the /me endpoint
+ */
+export interface UserInfo {
+    id: string;
+    email: string;
+    name: string;
+    role: UserRole;
+}
+/**
+ * Extended app variables including authentication info
+ */
 export interface AppVars {
     tree?: TreeOptions;
+    user?: UserInfo;
 }
 export type AppContext = Context<{
     Variables: AppVars;

package/dist/types.js

@@ -10,5 +10,17 @@
   details. You should have received a copy of the GNU Affero General Public
   License along with this program. If not, see <https://www.gnu.org/licenses/>.
 */
-export {};
+/**
+ * User roles - checked directly in middleware
+ * Role hierarchy: Admin > Editor > Reader
+ * - Admin: All operations including configuration
+ * - Editor: Can create, edit, and manage content but not config
+ * - Reader: Can only view content
+ */
+export var UserRole;
+(function (UserRole) {
+    UserRole["Admin"] = "admin";
+    UserRole["Editor"] = "editor";
+    UserRole["Reader"] = "reader";
+})(UserRole || (UserRole = {}));
 //# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAiBF;;;;;;GAMG;AACH,MAAM,CAAN,IAAY,QAIX;AAJD,WAAY,QAAQ;IAClB,2BAAe,CAAA;IACf,6BAAiB,CAAA;IACjB,6BAAiB,CAAA;AACnB,CAAC,EAJW,QAAQ,KAAR,QAAQ,QAInB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyberismo/backend",
-  "version": "0.0.21",
+  "version": "0.0.22",
   "description": "Express backend for Cyberismo",
   "main": "dist/index.js",
   "keywords": [],
@@ -14,14 +14,17 @@
   "bugs": "https://github.com/CyberismoCom/cyberismo/issues",
   "dependencies": {
     "@asciidoctor/core": "^3.0.4",
+    "@modelcontextprotocol/sdk": "^1.27.1",
     "@hono/node-server": "^1.19.2",
     "@hono/zod-validator": "^0.7.6",
     "@types/mime-types": "^3.0.1",
-    "dotenv": "^17.2.3",
+    "dotenv": "^17.3.1",
     "hono": "^4.10.7",
+    "jose": "^6.1.3",
     "mime-types": "^3.0.2",
     "zod": "^4.3.6",
-    "@cyberismo/data-handler": "0.0.21"
+    "@cyberismo/data-handler": "0.0.22",
+    "@cyberismo/mcp": "0.0.21"
   },
   "devDependencies": {
     "@cyberismo/app": "0.0.2"
@@ -37,8 +40,8 @@
   ],
   "scripts": {
     "start": "tsx src/main.ts",
-    "start-e2e": "node dist/main.js",
-    "dev": "tsx watch src/main.ts",
+    "start-e2e": "cross-env AUTH_MODE=mock node dist/main.js",
+    "dev": "cross-env AUTH_MODE=mock tsx watch src/main.ts",
     "debug": "tsx --inspect-brk src/main.ts",
     "export": "pnpm build && node dist/main.js --export",
     "build": "tsc -p tsconfig.build.json && shx rm -rf ./dist/public && shx cp -r ../app/dist ./dist/public",

package/src/app.ts

@@ -12,7 +12,6 @@
 */
 import { Hono } from 'hono';
 import { staticFrontendDirRelative } from './utils.js';
-import { cors } from 'hono/cors';
 import { serveStatic } from '@hono/node-server/serve-static';
 import { attachCommandManager } from './middleware/commandManager.js';
 import calculationsRouter from './domain/calculations/index.js';
@@ -32,31 +31,42 @@ import path from 'node:path';
 import resourcesRouter from './domain/resources/index.js';
 import logicProgramsRouter from './domain/logicPrograms/index.js';
 import { isSSGContext } from 'hono/ssg';
+import type { CommandManager } from '@cyberismo/data-handler';
 import type { AppVars, TreeOptions } from './types.js';
 import treeMiddleware from './middleware/tree.js';
 import projectRouter from './domain/project/index.js';
+import mcpRouter from './domain/mcp/index.js';
+import { createAuthRouter } from './domain/auth/index.js';
+import { createAuthMiddleware } from './middleware/auth.js';
+import type { AuthProvider } from './auth/types.js';
 
 /**
  * Create the Hono app for the backend
- * @param projectPath - Path to the project
+ * @param authProvider - Authentication provider
+ * @param commands - CommandManager instance for the project
  */
-export function createApp(projectPath?: string, opts?: TreeOptions) {
+export function createApp(
+  authProvider: AuthProvider,
+  commands: CommandManager,
+  opts?: TreeOptions,
+) {
   const app = new Hono<{ Variables: AppVars }>();
 
-  app.use('/api', cors());
-
-  app.use(
-    '*',
-    serveStatic({
-      root: staticFrontendDirRelative,
-    }),
-  );
-
   app.use(treeMiddleware(opts));
-  // Attach CommandManager to all requests
-  app.use(attachCommandManager(projectPath));
+  // Apply authentication middleware to all API and MCP routes
+  app.use('/api/*', createAuthMiddleware(authProvider));
+  app.use('/mcp', createAuthMiddleware(authProvider));
+  app.use('/mcp/*', createAuthMiddleware(authProvider));
 
+  // Attach CommandManager to API and MCP routes
+  const commandManagerMiddleware = attachCommandManager(commands);
+  app.use('/api/*', commandManagerMiddleware);
+  app.use('/mcp', commandManagerMiddleware);
+  app.use('/mcp/*', commandManagerMiddleware);
   // Wire up routes
+  app.route('/api/auth', createAuthRouter());
+
+  // Mount routers
   app.route('/api/calculations', calculationsRouter);
   app.route('/api/cards', cardsRouter);
   app.route('/api/cardTypes', cardTypesRouter);
@@ -73,6 +83,16 @@ export function createApp(projectPath?: string, opts?: TreeOptions) {
   app.route('/api/labels', labelsRouter);
   app.route('/api/project', projectRouter);
 
+  // MCP endpoint for AI assistant integration
+  app.route('/mcp', mcpRouter);
+
+  app.use(
+    '*',
+    serveStatic({
+      root: staticFrontendDirRelative,
+    }),
+  );
+
   // serve index.html for all other routes
   app.notFound(async (c) => {
     if (c.req.path.startsWith('/api')) {

package/src/auth/index.ts

@@ -0,0 +1,17 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+export type { AuthProvider } from './types.js';
+export { MockAuthProvider } from './mock.js';
+export { KeycloakAuthProvider } from './keycloak.js';
+export type { KeycloakConfig } from './keycloak.js';

package/src/auth/keycloak.ts

@@ -0,0 +1,109 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+import type { JWTPayload } from 'jose';
+import { UserRole } from '../types.js';
+import type { UserInfo } from '../types.js';
+import type { AuthProvider } from './types.js';
+
+export interface KeycloakConfig {
+  issuer: string;
+  audience: string;
+}
+
+interface KeycloakJWTPayload extends JWTPayload {
+  email?: string;
+  name?: string;
+  preferred_username?: string;
+  realm_access?: {
+    roles?: string[];
+  };
+}
+
+export class KeycloakAuthProvider implements AuthProvider {
+  private readonly issuer: string;
+  private readonly audience: string;
+  private jwks: ReturnType<typeof createRemoteJWKSet> | null = null;
+
+  constructor(config: KeycloakConfig) {
+    this.issuer = config.issuer;
+    this.audience = config.audience;
+  }
+
+  private getJWKS(): ReturnType<typeof createRemoteJWKSet> {
+    if (!this.jwks) {
+      const jwksUrl = new URL(
+        `${this.issuer.replace(/\/$/, '')}/protocol/openid-connect/certs`,
+      );
+      this.jwks = createRemoteJWKSet(jwksUrl);
+    }
+    return this.jwks;
+  }
+
+  async authenticate(req: Request): Promise<UserInfo | null> {
+    const authHeader = req.headers.get('authorization');
+    if (!authHeader) {
+      return null;
+    }
+
+    const token = authHeader.replace(/^Bearer\s+/i, '');
+    if (!token) {
+      return null;
+    }
+
+    try {
+      const jwks = this.getJWKS();
+      const { payload } = await jwtVerify(token, jwks, {
+        issuer: this.issuer,
+        audience: this.audience,
+      });
+
+      const claims = payload as KeycloakJWTPayload;
+      const role = this.mapRole(claims.realm_access?.roles);
+
+      if (!claims.sub) {
+        throw new Error('Missing sub');
+      }
+      if (!claims.email) {
+        throw new Error('Missing email');
+      }
+
+      return {
+        id: claims.sub,
+        email: claims.email,
+        name: claims.name ?? claims.preferred_username ?? 'Unknown',
+        role,
+      };
+    } catch {
+      // TODO: add proper logging
+      return null;
+    }
+  }
+
+  private mapRole(roles?: string[]): UserRole {
+    if (!roles) {
+      throw new Error('Token missing realm_access roles');
+    }
+    if (roles.includes('admin')) {
+      return UserRole.Admin;
+    }
+    if (roles.includes('editor')) {
+      return UserRole.Editor;
+    }
+    if (roles.includes('reader')) {
+      return UserRole.Reader;
+    }
+    throw new Error('No recognized role found in token');
+  }
+}

package/src/auth/mock.ts

@@ -0,0 +1,38 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import { UserRole } from '../types.js';
+import type { UserInfo } from '../types.js';
+import type { AuthProvider } from './types.js';
+
+export interface MockUserConfig {
+  name?: string;
+  email?: string;
+}
+
+export class MockAuthProvider implements AuthProvider {
+  private readonly userConfig: MockUserConfig;
+
+  constructor(config?: MockUserConfig) {
+    this.userConfig = config ?? {};
+  }
+
+  async authenticate(): Promise<UserInfo> {
+    return {
+      id: 'mock-user',
+      email: this.userConfig.email ?? 'admin@cyberismo.local',
+      name: this.userConfig.name ?? 'Local Admin',
+      role: UserRole.Admin,
+    };
+  }
+}

package/src/auth/types.ts

@@ -0,0 +1,18 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import type { UserInfo } from '../types.js';
+
+export interface AuthProvider {
+  authenticate(req: Request): Promise<UserInfo | null>;
+}

package/src/domain/auth/index.ts

@@ -0,0 +1,35 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import { Hono } from 'hono';
+import { getCurrentUser } from '../../middleware/auth.js';
+
+export function createAuthRouter() {
+  const router = new Hono();
+
+  /**
+   * GET /api/auth/me
+   * Returns the current user's information (id, email, name, role)
+   */
+  router.get('/me', async (c) => {
+    const user = getCurrentUser(c);
+
+    if (!user) {
+      return c.json({ error: 'Unauthorized' }, 401);
+    }
+
+    return c.json(user);
+  });
+
+  return router;
+}

package/src/domain/calculations/index.ts

@@ -15,6 +15,8 @@ import { Hono } from 'hono';
 import * as calculationService from './service.js';
 import { createCalculationSchema } from './schema.js';
 import { zValidator } from '../../middleware/zvalidator.js';
+import { UserRole } from '../../types.js';
+import { requireRole } from '../../middleware/auth.js';
 
 const router = new Hono();
 
@@ -43,12 +45,17 @@ const router = new Hono();
  *       500:
  *         description: Server error
  */
-router.post('/', zValidator('json', createCalculationSchema), async (c) => {
-  const commands = c.get('commands');
-  const { identifier } = c.req.valid('json');
+router.post(
+  '/',
+  requireRole(UserRole.Admin),
+  zValidator('json', createCalculationSchema),
+  async (c) => {
+    const commands = c.get('commands');
+    const { identifier } = c.req.valid('json');
 
-  await calculationService.createCalculation(commands, identifier);
-  return c.json({ message: 'Calculation created successfully' });
-});
+    await calculationService.createCalculation(commands, identifier);
+    return c.json({ message: 'Calculation created successfully' });
+  },
+);
 
 export default router;

package/src/domain/calculations/service.ts

@@ -26,20 +26,22 @@ export async function createCalculation(
   commands: CommandManager,
   identifier: string,
 ) {
-  await commands.createCmd.createCalculation(identifier);
+  await commands.atomic(async () => {
+    await commands.createCmd.createCalculation(identifier);
 
-  // Set displayName to capitalized version of identifier
-  const project = await commands.showCmd.showProject();
-  await updateResourceWithOperation(
-    commands,
-    { prefix: project.prefix, type: 'calculations', identifier },
-    {
-      updateKey: { key: 'displayName' },
-      operation: {
-        name: 'change',
-        target: '',
-        to: capitalize(identifier),
+    // Set displayName to capitalized version of identifier
+    const project = await commands.showCmd.showProject();
+    await updateResourceWithOperation(
+      commands,
+      { prefix: project.prefix, type: 'calculations', identifier },
+      {
+        updateKey: { key: 'displayName' },
+        operation: {
+          name: 'change',
+          target: '',
+          to: capitalize(identifier),
+        },
       },
-    },
-  );
+    );
+  }, `Create calculation ${identifier}`);
 }

package/src/domain/cardTypes/index.ts

@@ -19,6 +19,8 @@ import {
   fieldVisibilityBodySchema,
 } from './schema.js';
 import { zValidator } from '../../middleware/zvalidator.js';
+import { UserRole } from '../../types.js';
+import { requireRole } from '../../middleware/auth.js';
 
 const router = new Hono();
 
@@ -36,7 +38,7 @@ const router = new Hono();
  *       500:
  *         description: project_path not set or other internal error
  */
-router.get('/', async (c) => {
+router.get('/', requireRole(UserRole.Reader), async (c) => {
   const commands = c.get('commands');
 
   try {
@@ -80,22 +82,27 @@ router.get('/', async (c) => {
  *       500:
  *         description: Server error
  */
-router.post('/', zValidator('json', createCardTypeSchema), async (c) => {
-  const commands = c.get('commands');
-  const { identifier, workflowName } = c.req.valid('json');
+router.post(
+  '/',
+  requireRole(UserRole.Admin),
+  zValidator('json', createCardTypeSchema),
+  async (c) => {
+    const commands = c.get('commands');
+    const { identifier, workflowName } = c.req.valid('json');
 
-  try {
-    await cardTypeService.createCardType(commands, identifier, workflowName);
-    return c.json({ message: 'Card type created successfully' });
-  } catch (error) {
-    return c.json(
-      {
-        error: `${error instanceof Error ? error.message : 'Unknown error'}`,
-      },
-      500,
-    );
-  }
-});
+    try {
+      await cardTypeService.createCardType(commands, identifier, workflowName);
+      return c.json({ message: 'Card type created successfully' });
+    } catch (error) {
+      return c.json(
+        {
+          error: `${error instanceof Error ? error.message : 'Unknown error'}`,
+        },
+        500,
+      );
+    }
+  },
+);
 
 /**
  * @swagger
@@ -142,6 +149,7 @@ router.post('/', zValidator('json', createCardTypeSchema), async (c) => {
  */
 router.patch(
   '/:cardTypeName/field-visibility',
+  requireRole(UserRole.Admin),
   zValidator('param', cardTypeNameParamSchema),
   zValidator('json', fieldVisibilityBodySchema),
   async (c) => {