@cyberismo/backend 0.0.21 → 0.0.23

package/src/domain/reports/index.ts

@@ -15,6 +15,8 @@ import { Hono } from 'hono';
 import * as reportService from './service.js';
 import { createReportSchema } from './schema.js';
 import { zValidator } from '../../middleware/zvalidator.js';
+import { UserRole } from '../../types.js';
+import { requireRole } from '../../middleware/auth.js';
 
 const router = new Hono();
 
@@ -43,12 +45,17 @@ const router = new Hono();
  *       500:
  *         description: Server error
  */
-router.post('/', zValidator('json', createReportSchema), async (c) => {
-  const commands = c.get('commands');
-  const { identifier } = c.req.valid('json');
+router.post(
+  '/',
+  requireRole(UserRole.Admin),
+  zValidator('json', createReportSchema),
+  async (c) => {
+    const commands = c.get('commands');
+    const { identifier } = c.req.valid('json');
 
-  await reportService.createReport(commands, identifier);
-  return c.json({ message: 'Report created successfully' });
-});
+    await reportService.createReport(commands, identifier);
+    return c.json({ message: 'Report created successfully' });
+  },
+);
 
 export default router;

package/src/domain/resources/index.ts

@@ -14,12 +14,14 @@
 import { Hono } from 'hono';
 import * as resourceService from './service.js';
 import type { ResourceValidationResponse } from '../../types.js';
+import { UserRole } from '../../types.js';
 import { resourceParamsSchema } from '../../common/validationSchemas.js';
 import { zValidator } from '../../middleware/zvalidator.js';
 import {
   validateResourceParamsSchema,
   updateOperationBodySchema,
 } from './schema.js';
+import { requireRole } from '../../middleware/auth.js';
 
 const router = new Hono();
 
@@ -35,7 +37,7 @@ const router = new Hono();
  *       500:
  *         description: project_path not set or other internal error
  */
-router.get('/tree', async (c) => {
+router.get('/tree', requireRole(UserRole.Reader), async (c) => {
   const commands = c.get('commands');
 
   try {
@@ -97,6 +99,7 @@ router.get('/tree', async (c) => {
  */
 router.get(
   '/:prefix/:type/:identifier/validate',
+  requireRole(UserRole.Reader),
   zValidator('param', validateResourceParamsSchema),
   async (c) => {
     const commands = c.get('commands');
@@ -117,6 +120,7 @@ router.get(
 
 router.delete(
   '/:prefix/:type/:identifier',
+  requireRole(UserRole.Admin),
   zValidator('param', resourceParamsSchema),
   async (c) => {
     const commands = c.get('commands');
@@ -130,6 +134,7 @@ router.delete(
 
 router.post(
   '/:prefix/:type/:identifier/operation',
+  requireRole(UserRole.Admin),
   zValidator('param', resourceParamsSchema),
   zValidator('json', updateOperationBodySchema),
   async (c) => {

package/src/domain/resources/service.ts

@@ -42,7 +42,7 @@ const resourceTypes: ResourceFolderType[] = [
 
 async function getModules(commands: CommandManager) {
   try {
-    const moduleNames = commands.showCmd.showModules();
+    const moduleNames = await commands.showCmd.showModules();
     return Promise.all(
       moduleNames.map(async (moduleName) => {
         try {
@@ -77,102 +77,104 @@ function sortTemplateCardsByRank(
 }
 
 export async function buildResourceTree(commands: CommandManager) {
-  const project = await commands.showCmd.showProject();
-  const tree: unknown[] = [];
-
-  const sortByDisplayName = (
-    nodes: { data: { displayName: string; name: string } }[],
-  ) =>
-    nodes.sort((a, b) =>
-      (a.data.displayName || a.data.name.split('/')[2] || '').localeCompare(
-        b.data.displayName || b.data.name.split('/')[2] || '',
-      ),
-    );
-
-  const modules = await getModules(commands);
-
-  // General section first (single node with project + modules metadata)
-  tree.push({
-    id: 'general-project',
-    type: 'general',
-    name: 'project',
-    data: {
-      name: project.name,
-      cardKeyPrefix: project.prefix,
-      modules,
-    },
-    readOnly: false,
-  });
-
-  // Process each resource type
-  for (const resourceType of resourceTypes) {
-    let rootResources: unknown[];
-    let moduleResources: { [prefix: string]: unknown[] };
-
-    if (resourceType === 'templates') {
-      ({ rootResources, moduleResources } = await processTemplates(
-        commands,
-        project.prefix,
-      ));
-    } else {
-      ({ rootResources, moduleResources } = await groupResourcesByPrefix(
-        commands,
-        resourceType,
-        project.prefix,
-      ));
-    }
+  return commands.consistent(async () => {
+    const project = await commands.showCmd.showProject();
+    const tree: unknown[] = [];
+
+    const sortByDisplayName = (
+      nodes: { data: { displayName: string; name: string } }[],
+    ) =>
+      nodes.sort((a, b) =>
+        (a.data.displayName || a.data.name.split('/')[2] || '').localeCompare(
+          b.data.displayName || b.data.name.split('/')[2] || '',
+        ),
+      );
 
-    // Sort resources by display name if present
-    sortByDisplayName(
-      rootResources as { data: { displayName: string; name: string } }[],
-    );
+    const modules = await getModules(commands);
+
+    // General section first (single node with project + modules metadata)
+    tree.push({
+      id: 'general-project',
+      type: 'general',
+      name: 'project',
+      data: {
+        name: project.name,
+        cardKeyPrefix: project.prefix,
+        modules,
+      },
+      readOnly: false,
+    });
+
+    // Process each resource type
+    for (const resourceType of resourceTypes) {
+      let rootResources: unknown[];
+      let moduleResources: { [prefix: string]: unknown[] };
+
+      if (resourceType === 'templates') {
+        ({ rootResources, moduleResources } = await processTemplates(
+          commands,
+          project.prefix,
+        ));
+      } else {
+        ({ rootResources, moduleResources } = await groupResourcesByPrefix(
+          commands,
+          resourceType,
+          project.prefix,
+        ));
+      }
 
-    Object.values(moduleResources).forEach((resources) =>
+      // Sort resources by display name if present
       sortByDisplayName(
-        resources as { data: { displayName: string; name: string } }[],
-      ),
-    );
+        rootResources as { data: { displayName: string; name: string } }[],
+      );
+
+      Object.values(moduleResources).forEach((resources) =>
+        sortByDisplayName(
+          resources as { data: { displayName: string; name: string } }[],
+        ),
+      );
 
-    const projectNode =
-      rootResources.length > 0
-        ? [
-            {
-              id: `${resourceType}-project`,
-              type: 'module',
-              name: 'project',
-              children: rootResources,
-              readOnly: false,
-            },
-          ]
-        : [];
-
-    const moduleNodes = Object.entries(moduleResources)
-      .map(([prefix, resources]) => ({
-        id: `${resourceType}-module-${prefix}`,
-        type: 'module',
-        name:
-          modules.find((module) => module.cardKeyPrefix === prefix)?.name ||
+      const projectNode =
+        rootResources.length > 0
+          ? [
+              {
+                id: `${resourceType}-project`,
+                type: 'module',
+                name: 'project',
+                children: rootResources,
+                readOnly: false,
+              },
+            ]
+          : [];
+
+      const moduleNodes = Object.entries(moduleResources)
+        .map(([prefix, resources]) => ({
+          id: `${resourceType}-module-${prefix}`,
+          type: 'module',
+          name:
+            modules.find((module) => module.cardKeyPrefix === prefix)?.name ||
+            prefix,
           prefix,
-        prefix,
-        children: resources,
-        readOnly: true,
-      }))
-      .sort((a, b) => a.name.localeCompare(b.name));
-
-    const allResources = [...projectNode, ...moduleNodes];
-
-    // Add combined resources (project + modules nested under module nodes) under the same group
-    if (allResources.length > 0) {
-      tree.push({
-        id: resourceType,
-        type: 'resourceGroup',
-        name: resourceType,
-        children: allResources,
-      });
+          children: resources,
+          readOnly: true,
+        }))
+        .sort((a, b) => a.name.localeCompare(b.name));
+
+      const allResources = [...projectNode, ...moduleNodes];
+
+      // Add combined resources (project + modules nested under module nodes) under the same group
+      if (allResources.length > 0) {
+        tree.push({
+          id: resourceType,
+          type: 'resourceGroup',
+          name: resourceType,
+          children: allResources,
+        });
+      }
     }
-  }
 
-  return tree;
+    return tree;
+  });
 }
 
 // Helper function to parse resource prefix
@@ -456,9 +458,8 @@ export async function validateResource(
   commands: CommandManager,
   resource: ValidateResourceParams,
 ) {
-  const errors = await commands.validateCmd.validateResource(
-    resource,
-    commands.project,
+  const errors = await commands.consistent(() =>
+    commands.validateCmd.validateResource(resource, commands.project),
   );
 
   return {
@@ -476,9 +477,13 @@ export async function updateResourceWithOperation(
   body: UpdateOperationBody,
 ) {
   const { updateKey, operation } = body;
-  await commands.updateCmd.applyResourceOperation(
-    resourceNameToString(resource),
-    updateKey,
-    operation,
+  await commands.atomic(
+    () =>
+      commands.updateCmd.applyResourceOperation(
+        resourceNameToString(resource),
+        updateKey,
+        operation,
+      ),
+    `Update ${resource.type} ${resource.identifier}`,
   );
 }

package/src/domain/templates/index.ts

@@ -16,6 +16,8 @@ import * as templateService from './service.js';
 import { createTemplateSchema, addTemplateCardSchema } from './schema.js';
 import { zValidator } from '../../middleware/zvalidator.js';
 import { isSSGContext } from 'hono/ssg';
+import { UserRole } from '../../types.js';
+import { requireRole } from '../../middleware/auth.js';
 
 const router = new Hono();
 
@@ -33,7 +35,7 @@ const router = new Hono();
  *       500:
  *         description: project_path not set or other internal error
  */
-router.get('/', async (c) => {
+router.get('/', requireRole(UserRole.Reader), async (c) => {
   // We do not need templates in ssg context
   if (isSSGContext(c)) {
     return c.json([]);
@@ -78,13 +80,18 @@ router.get('/', async (c) => {
  *       500:
  *         description: Server error
  */
-router.post('/', zValidator('json', createTemplateSchema), async (c) => {
-  const commands = c.get('commands');
-  const { identifier } = c.req.valid('json');
+router.post(
+  '/',
+  requireRole(UserRole.Admin),
+  zValidator('json', createTemplateSchema),
+  async (c) => {
+    const commands = c.get('commands');
+    const { identifier } = c.req.valid('json');
 
-  await templateService.createTemplate(commands, identifier);
-  return c.json({ message: 'Template created successfully' });
-});
+    await templateService.createTemplate(commands, identifier);
+    return c.json({ message: 'Template created successfully' });
+  },
+);
 
 /**
  * @swagger
@@ -119,18 +126,23 @@ router.post('/', zValidator('json', createTemplateSchema), async (c) => {
  *       500:
  *         description: Server error
  */
-router.post('/card', zValidator('json', addTemplateCardSchema), async (c) => {
-  const commands = c.get('commands');
-  const { template, cardType, parentKey, count } = c.req.valid('json');
+router.post(
+  '/card',
+  requireRole(UserRole.Admin),
+  zValidator('json', addTemplateCardSchema),
+  async (c) => {
+    const commands = c.get('commands');
+    const { template, cardType, parentKey, count } = c.req.valid('json');
 
-  const added = await templateService.addTemplateCard(
-    commands,
-    template,
-    cardType,
-    parentKey,
-    count,
-  );
-  return c.json({ cards: added });
-});
+    const added = await templateService.addTemplateCard(
+      commands,
+      template,
+      cardType,
+      parentKey,
+      count,
+    );
+    return c.json({ cards: added });
+  },
+);
 
 export default router;

package/src/domain/tree/index.ts

@@ -15,6 +15,8 @@ import { Hono } from 'hono';
 import * as treeService from './service.js';
 import { isSSGContext } from 'hono/ssg';
 import type { AppContext } from '../../types.js';
+import { UserRole } from '../../types.js';
+import { requireRole } from '../../middleware/auth.js';
 
 const router = new Hono();
 
@@ -32,7 +34,7 @@ const router = new Hono();
  *       500:
  *         description: project_path not set or other internal error
  */
-router.get('/', async (c: AppContext) => {
+router.get('/', requireRole(UserRole.Reader), async (c: AppContext) => {
   const commands = c.get('commands');
   const tree = c.get('tree');
 

package/src/domain/tree/service.ts

@@ -27,7 +27,6 @@ export async function getCardTree(
   cardKey?: string,
   recursive?: boolean,
 ): ReturnType<typeof commands.calculateCmd.runQuery> {
-  await commands.calculateCmd.generate();
   return commands.calculateCmd.runQuery(
     'tree',
     isSsg ? 'exportedSite' : 'localApp',

package/src/domain/workflows/index.ts

@@ -15,6 +15,8 @@ import { Hono } from 'hono';
 import * as workflowService from './service.js';
 import { createWorkflowSchema } from './schema.js';
 import { zValidator } from '../../middleware/zvalidator.js';
+import { UserRole } from '../../types.js';
+import { requireRole } from '../../middleware/auth.js';
 
 const router = new Hono();
 
@@ -43,12 +45,17 @@ const router = new Hono();
  *       500:
  *         description: Server error
  */
-router.post('/', zValidator('json', createWorkflowSchema), async (c) => {
-  const commands = c.get('commands');
-  const { identifier } = c.req.valid('json');
+router.post(
+  '/',
+  requireRole(UserRole.Admin),
+  zValidator('json', createWorkflowSchema),
+  async (c) => {
+    const commands = c.get('commands');
+    const { identifier } = c.req.valid('json');
 
-  await workflowService.createWorkflow(commands, identifier);
-  return c.json({ message: 'Workflow created successfully' });
-});
+    await workflowService.createWorkflow(commands, identifier);
+    return c.json({ message: 'Workflow created successfully' });
+  },
+);
 
 export default router;

package/src/export.ts

@@ -15,8 +15,9 @@ import path from 'node:path';
 
 import fs, { readFile } from 'node:fs/promises';
 
-import { CommandManager } from '@cyberismo/data-handler';
+import type { CommandManager } from '@cyberismo/data-handler';
 import { createApp } from './app.js';
+import { MockAuthProvider } from './auth/mock.js';
 import { cp, writeFile } from 'node:fs/promises';
 import { staticFrontendDirRelative } from './utils.js';
 import type { QueryResult } from '@cyberismo/data-handler/types/queries';
@@ -41,18 +42,17 @@ export function reset() {
 /**
  * Get the card query result for a given card key. Should only be called during
  * static site generation
- * @param projectPath - Path to the project.
+ * @param commands - CommandManager instance for the project.
  * @param cardKey - Key of the card to get the query result for.
  * @returns The card query result for the given card key.
  */
 export async function getCardQueryResult(
-  projectPath: string,
+  commands: CommandManager,
   cardKey?: string,
 ): Promise<QueryResult<'card'>[]> {
   if (!_cardQueryPromise) {
-    const commands = await CommandManager.getInstance(projectPath);
     // fetch all cards
-    _cardQueryPromise = commands.project.calculationEngine.runQuery(
+    _cardQueryPromise = commands.calculateCmd.runQuery(
       'card',
       'exportedSite',
       {},
@@ -73,20 +73,19 @@ export async function getCardQueryResult(
 /**
  * Export the site to a given directory.
  * Note: Do not call this function in parallel.
- * @param projectPath - Path to the project.
+ * @param commands - CommandManager instance for the project.
+ * @param exportDir - Directory to export to.
  * @param options - Export options.
  * @param options.recursive - Whether to export cards recursively.
  * @param options.cardKey - Key of the card to export. If not provided, all cards will be exported.
- * @param exportDir - Directory to export to.
  * @param level - Log level for the operation.
  * @param onProgress - Optional progress callback function.
  * @returns An object containing any errors that occurred during export.
  */
 export async function exportSite(
-  projectPath: string,
+  commands: CommandManager,
   exportDir?: string,
   options?: TreeOptions,
-  level?: 'trace' | 'debug' | 'info' | 'warn' | 'error' | 'fatal',
   onProgress?: (current: number, total: number) => void,
 ): Promise<{ errors: string[] }> {
   exportDir = exportDir || 'static';
@@ -96,7 +95,7 @@ export async function exportSite(
     ...options,
   };
 
-  const app = createApp(projectPath, opts);
+  const app = createApp(new MockAuthProvider(), commands, opts);
 
   // copy whole frontend to the same directory
   await cp(staticFrontendDirRelative, exportDir, { recursive: true });
@@ -109,12 +108,7 @@ export async function exportSite(
     JSON.stringify(configJson),
   );
 
-  const commands = await CommandManager.getInstance(projectPath, {
-    logLevel: level,
-  });
-
   reset();
-  await commands.project.calculationEngine.generate();
 
   // estimate total based on the number of cards to export
   const cards = await findAllCards(commands, opts);
@@ -130,6 +124,14 @@ export async function exportSite(
     concurrency: 5,
     plugins: [
       {
+        beforeRequestHook: (req) => {
+          const url = new URL(req.url);
+          // Skip MCP routes — they require session state and are not part of the static site
+          if (url.pathname.startsWith('/mcp')) {
+            return false;
+          }
+          return req;
+        },
         afterResponseHook: async (response) => {
           if (![200, 201, 204].includes(response.status)) {
             const error = await response.json();

package/src/index.ts

@@ -16,8 +16,13 @@ import { Hono } from 'hono';
 import { serveStatic } from '@hono/node-server/serve-static';
 import path from 'node:path';
 import { readFile } from 'node:fs/promises';
+import type { CommandManager } from '@cyberismo/data-handler';
 import { findFreePort } from './utils.js';
 import { createApp } from './app.js';
+import type { AuthProvider } from './auth/types.js';
+export { MockAuthProvider } from './auth/mock.js';
+export type { MockUserConfig } from './auth/mock.js';
+export type { AuthProvider } from './auth/types.js';
 export { exportSite } from './export.js';
 
 const DEFAULT_PORT = 3000;
@@ -31,11 +36,14 @@ const DEFAULT_MAX_PORT = DEFAULT_PORT + 100;
 export async function previewSite(dir: string, findPort: boolean = true) {
   const app = new Hono();
   app.use(serveStatic({ root: dir }));
-  app.get('*', (c) =>
-    c.html(
+  app.get('*', (c) => {
+    if (c.req.path.startsWith('/api/')) {
+      return c.json({ error: 'Resource not found' }, 404);
+    }
+    return c.html(
       readFile(path.join(dir, 'index.html')).then((file) => file.toString()),
-    ),
-  );
+    );
+  });
 
   let port = parseInt(process.env.PORT || DEFAULT_PORT.toString(), 10);
 
@@ -47,11 +55,13 @@ export async function previewSite(dir: string, findPort: boolean = true) {
 
 /**
  * Start the server
- * @param projectPath - Path to the project
+ * @param authProvider - Authentication provider
+ * @param commands - CommandManager instance for the project
  * @param findPort - If true, find a free port
  */
 export async function startServer(
-  projectPath?: string,
+  authProvider: AuthProvider,
+  commands: CommandManager,
   findPort: boolean = true,
 ) {
   let port = parseInt(process.env.PORT || DEFAULT_PORT.toString(), 10);
@@ -59,7 +69,7 @@ export async function startServer(
   if (findPort) {
     port = await findFreePort(port, DEFAULT_MAX_PORT);
   }
-  const app = createApp(projectPath);
+  const app = createApp(authProvider, commands);
   startApp(app, port);
 }
 
@@ -71,6 +81,7 @@ function startApp<E extends Env, S extends Schema, P extends string>(
     {
       fetch: app.fetch,
       port: port,
+      hostname: process.env.HOST || '127.0.0.1',
     },
     (info) => {
       console.log(`Running Cyberismo app on http://localhost:${info.port}`);

package/src/main.ts

@@ -10,15 +10,57 @@
   details. You should have received a copy of the GNU Affero General Public
   License along with this program. If not, see <https://www.gnu.org/licenses/>.
 */
+import { CommandManager } from '@cyberismo/data-handler';
 import { startServer } from './index.js';
 import { exportSite } from './export.js';
+import { MockAuthProvider } from './auth/mock.js';
+import { KeycloakAuthProvider } from './auth/keycloak.js';
+import type { AuthProvider } from './auth/types.js';
 import dotenv from 'dotenv';
 
 // Load environment variables from .env file
 dotenv.config();
 
+function createAuthProvider(): AuthProvider {
+  const authMode = process.env.AUTH_MODE;
+
+  if (!authMode) {
+    console.error(
+      'Fatal: AUTH_MODE environment variable is required. Set to "mock" or "idp".',
+    );
+    process.exit(1);
+  }
+
+  if (authMode === 'mock') {
+    return new MockAuthProvider();
+  }
+
+  if (authMode === 'idp') {
+    const issuer = process.env.OIDC_ISSUER;
+    const clientId = process.env.OIDC_CLIENT_ID;
+
+    if (!issuer || !clientId) {
+      console.error(
+        'Fatal: OIDC_ISSUER and OIDC_CLIENT_ID environment variables are required when AUTH_MODE=idp.',
+      );
+      process.exit(1);
+    }
+
+    return new KeycloakAuthProvider({ issuer, audience: clientId });
+  }
+
+  console.error(
+    `Fatal: Unrecognized AUTH_MODE "${authMode}". Must be "mock" or "idp".`,
+  );
+  process.exit(1);
+}
+
+const projectPath = process.env.npm_config_project_path || '';
+const commands = await CommandManager.getInstance(projectPath);
+
 if (process.argv.includes('--export')) {
-  await exportSite(process.env.npm_config_project_path || '');
+  await exportSite(commands);
 } else {
-  await startServer(process.env.npm_config_project_path || '');
+  const authProvider = createAuthProvider();
+  await startServer(authProvider, commands);
 }