npm - @de-otio/chaoskb-server - Versions diffs - 0.2.0 - Mend

@de-otio/chaoskb-server 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/dist/lib/admin-handler/index.d.ts +22 -0
package/dist/lib/admin-handler/index.d.ts.map +1 -0
package/dist/lib/admin-handler/index.js +92 -0
package/dist/lib/admin-handler/index.js.map +1 -0
package/dist/lib/admin-handler/index.ts +123 -0
package/dist/lib/admin-handler/routes/metrics.d.ts +11 -0
package/dist/lib/admin-handler/routes/metrics.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/metrics.js +200 -0
package/dist/lib/admin-handler/routes/metrics.js.map +1 -0
package/dist/lib/admin-handler/routes/metrics.ts +234 -0
package/dist/lib/admin-handler/routes/overview.d.ts +9 -0
package/dist/lib/admin-handler/routes/overview.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/overview.js +110 -0
package/dist/lib/admin-handler/routes/overview.js.map +1 -0
package/dist/lib/admin-handler/routes/overview.ts +133 -0
package/dist/lib/admin-handler/routes/tenants.d.ts +10 -0
package/dist/lib/admin-handler/routes/tenants.d.ts.map +1 -0
package/dist/lib/admin-handler/routes/tenants.js +108 -0
package/dist/lib/admin-handler/routes/tenants.js.map +1 -0
package/dist/lib/admin-handler/routes/tenants.ts +134 -0
package/dist/lib/chaoskb-stack.d.ts +22 -0
package/dist/lib/chaoskb-stack.d.ts.map +1 -0
package/dist/lib/chaoskb-stack.js +60 -0
package/dist/lib/chaoskb-stack.js.map +1 -0
package/dist/lib/constructs/admin-api.d.ts +16 -0
package/dist/lib/constructs/admin-api.d.ts.map +1 -0
package/dist/lib/constructs/admin-api.js +93 -0
package/dist/lib/constructs/admin-api.js.map +1 -0
package/dist/lib/constructs/admin-dashboard.d.ts +18 -0
package/dist/lib/constructs/admin-dashboard.d.ts.map +1 -0
package/dist/lib/constructs/admin-dashboard.js +172 -0
package/dist/lib/constructs/admin-dashboard.js.map +1 -0
package/dist/lib/constructs/api.d.ts +17 -0
package/dist/lib/constructs/api.d.ts.map +1 -0
package/dist/lib/constructs/api.js +81 -0
package/dist/lib/constructs/api.js.map +1 -0
package/dist/lib/constructs/auth.d.ts +11 -0
package/dist/lib/constructs/auth.d.ts.map +1 -0
package/dist/lib/constructs/auth.js +18 -0
package/dist/lib/constructs/auth.js.map +1 -0
package/dist/lib/constructs/blob-store.d.ts +10 -0
package/dist/lib/constructs/blob-store.d.ts.map +1 -0
package/dist/lib/constructs/blob-store.js +31 -0
package/dist/lib/constructs/blob-store.js.map +1 -0
package/dist/lib/deploy-cli.d.ts +3 -0
package/dist/lib/deploy-cli.d.ts.map +1 -0
package/dist/lib/deploy-cli.js +49 -0
package/dist/lib/deploy-cli.js.map +1 -0
package/dist/lib/handler/index.d.ts +23 -0
package/dist/lib/handler/index.d.ts.map +1 -0
package/dist/lib/handler/index.js +276 -0
package/dist/lib/handler/index.js.map +1 -0
package/dist/lib/handler/index.ts +372 -0
package/dist/lib/handler/logger.d.ts +16 -0
package/dist/lib/handler/logger.d.ts.map +1 -0
package/dist/lib/handler/logger.js +26 -0
package/dist/lib/handler/logger.js.map +1 -0
package/dist/lib/handler/logger.ts +36 -0
package/dist/lib/handler/middleware/input-validation.d.ts +6 -0
package/dist/lib/handler/middleware/input-validation.d.ts.map +1 -0
package/dist/lib/handler/middleware/input-validation.js +36 -0
package/dist/lib/handler/middleware/input-validation.js.map +1 -0
package/dist/lib/handler/middleware/input-validation.ts +44 -0
package/dist/lib/handler/middleware/rate-limit.d.ts +14 -0
package/dist/lib/handler/middleware/rate-limit.d.ts.map +1 -0
package/dist/lib/handler/middleware/rate-limit.js +94 -0
package/dist/lib/handler/middleware/rate-limit.js.map +1 -0
package/dist/lib/handler/middleware/rate-limit.ts +121 -0
package/dist/lib/handler/middleware/ssh-auth.d.ts +48 -0
package/dist/lib/handler/middleware/ssh-auth.d.ts.map +1 -0
package/dist/lib/handler/middleware/ssh-auth.js +256 -0
package/dist/lib/handler/middleware/ssh-auth.js.map +1 -0
package/dist/lib/handler/middleware/ssh-auth.ts +300 -0
package/dist/lib/handler/routes/audit.d.ts +24 -0
package/dist/lib/handler/routes/audit.d.ts.map +1 -0
package/dist/lib/handler/routes/audit.js +94 -0
package/dist/lib/handler/routes/audit.js.map +1 -0
package/dist/lib/handler/routes/audit.ts +101 -0
package/dist/lib/handler/routes/blobs.d.ts +13 -0
package/dist/lib/handler/routes/blobs.d.ts.map +1 -0
package/dist/lib/handler/routes/blobs.js +298 -0
package/dist/lib/handler/routes/blobs.js.map +1 -0
package/dist/lib/handler/routes/blobs.ts +348 -0
package/dist/lib/handler/routes/devices.d.ts +48 -0
package/dist/lib/handler/routes/devices.d.ts.map +1 -0
package/dist/lib/handler/routes/devices.js +394 -0
package/dist/lib/handler/routes/devices.js.map +1 -0
package/dist/lib/handler/routes/devices.ts +458 -0
package/dist/lib/handler/routes/export.d.ts +9 -0
package/dist/lib/handler/routes/export.d.ts.map +1 -0
package/dist/lib/handler/routes/export.js +40 -0
package/dist/lib/handler/routes/export.js.map +1 -0
package/dist/lib/handler/routes/export.ts +55 -0
package/dist/lib/handler/routes/github.d.ts +31 -0
package/dist/lib/handler/routes/github.d.ts.map +1 -0
package/dist/lib/handler/routes/github.js +118 -0
package/dist/lib/handler/routes/github.js.map +1 -0
package/dist/lib/handler/routes/github.ts +162 -0
package/dist/lib/handler/routes/health.d.ts +6 -0
package/dist/lib/handler/routes/health.d.ts.map +1 -0
package/dist/lib/handler/routes/health.js +14 -0
package/dist/lib/handler/routes/health.js.map +1 -0
package/dist/lib/handler/routes/health.ts +10 -0
package/dist/lib/handler/routes/invites.d.ts +24 -0
package/dist/lib/handler/routes/invites.d.ts.map +1 -0
package/dist/lib/handler/routes/invites.js +445 -0
package/dist/lib/handler/routes/invites.js.map +1 -0
package/dist/lib/handler/routes/invites.ts +527 -0
package/dist/lib/handler/routes/notifications.d.ts +39 -0
package/dist/lib/handler/routes/notifications.d.ts.map +1 -0
package/dist/lib/handler/routes/notifications.js +150 -0
package/dist/lib/handler/routes/notifications.js.map +1 -0
package/dist/lib/handler/routes/notifications.ts +163 -0
package/dist/lib/handler/routes/projects.d.ts +24 -0
package/dist/lib/handler/routes/projects.d.ts.map +1 -0
package/dist/lib/handler/routes/projects.js +47 -0
package/dist/lib/handler/routes/projects.js.map +1 -0
package/dist/lib/handler/routes/projects.ts +69 -0
package/dist/lib/handler/routes/register.d.ts +19 -0
package/dist/lib/handler/routes/register.d.ts.map +1 -0
package/dist/lib/handler/routes/register.js +327 -0
package/dist/lib/handler/routes/register.js.map +1 -0
package/dist/lib/handler/routes/register.ts +363 -0
package/dist/lib/handler/routes/restore.d.ts +9 -0
package/dist/lib/handler/routes/restore.d.ts.map +1 -0
package/dist/lib/handler/routes/restore.js +52 -0
package/dist/lib/handler/routes/restore.js.map +1 -0
package/dist/lib/handler/routes/restore.ts +73 -0
package/dist/lib/handler/routes/revocation.d.ts +13 -0
package/dist/lib/handler/routes/revocation.d.ts.map +1 -0
package/dist/lib/handler/routes/revocation.js +63 -0
package/dist/lib/handler/routes/revocation.js.map +1 -0
package/dist/lib/handler/routes/revocation.ts +87 -0
package/dist/lib/handler/routes/rotation.d.ts +24 -0
package/dist/lib/handler/routes/rotation.d.ts.map +1 -0
package/dist/lib/handler/routes/rotation.js +291 -0
package/dist/lib/handler/routes/rotation.js.map +1 -0
package/dist/lib/handler/routes/rotation.ts +336 -0
package/dist/lib/handler/routes/tenants.d.ts +11 -0
package/dist/lib/handler/routes/tenants.d.ts.map +1 -0
package/dist/lib/handler/routes/tenants.js +181 -0
package/dist/lib/handler/routes/tenants.js.map +1 -0
package/dist/lib/handler/routes/tenants.ts +198 -0
package/dist/lib/handler/routes/wrapped-key.d.ts +21 -0
package/dist/lib/handler/routes/wrapped-key.d.ts.map +1 -0
package/dist/lib/handler/routes/wrapped-key.js +76 -0
package/dist/lib/handler/routes/wrapped-key.js.map +1 -0
package/dist/lib/handler/routes/wrapped-key.ts +108 -0
package/dist/lib/index.d.ts +7 -0
package/dist/lib/index.d.ts.map +1 -0
package/dist/lib/index.js +16 -0
package/dist/lib/index.js.map +1 -0
package/dist/vitest.config.d.ts +3 -0
package/dist/vitest.config.d.ts.map +1 -0
package/dist/vitest.config.js +18 -0
package/dist/vitest.config.js.map +1 -0
package/package.json +61 -0

package/dist/lib/handler/routes/devices.ts ADDED Viewed

@@ -0,0 +1,458 @@
+import * as crypto from 'crypto';
+import {
+  DynamoDBDocumentClient,
+  PutCommand,
+  GetCommand,
+  DeleteCommand,
+  QueryCommand,
+  UpdateCommand,
+} from '@aws-sdk/lib-dynamodb';
+import { logger } from '../logger.js';
+import { createNotification } from './notifications.js';
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+/**
+ * POST /v1/link-code — authenticated
+ *
+ * Creates a link code record so a new device can join this tenant.
+ * The caller displays the raw code; the server stores only its SHA-256 hash.
+ */
+export async function handleCreateLinkCode(
+  tenantId: string,
+  body: string | null | undefined,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  if (!body) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+    };
+  }
+  let parsed: { codeHash: string };
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Invalid JSON body' }),
+    };
+  }
+  if (!parsed.codeHash || typeof parsed.codeHash !== 'string') {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'codeHash is required' }),
+    };
+  }
+  const now = new Date();
+  const expiresAt = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
+  const ttl = Math.floor(now.getTime() / 1000) + 10 * 60; // DynamoDB TTL: 10 min (generous)
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `TENANT#${tenantId}`,
+        SK: `LINK#${parsed.codeHash}`,
+        newPublicKey: null,
+        failureCount: 0,
+        expiresAt,
+        ttl,
+      },
+    }),
+  );
+  logger.info('Link code created', { tenantId });
+  return {
+    statusCode: 201,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ status: 'created', expiresAt }),
+  };
+}
+/**
+ * POST /v1/link-confirm — unauthenticated (new device)
+ *
+ * The new device sends the raw link code and its public key.
+ * We hash the code, look up the LINK record, validate expiry and failure count,
+ * and store the public key for the existing device to pick up.
+ */
+export async function handleLinkConfirm(
+  body: string | null | undefined,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  if (!body) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+    };
+  }
+  let parsed: { linkCode: string; publicKey: string };
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Invalid JSON body' }),
+    };
+  }
+  if (!parsed.linkCode || !parsed.publicKey) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'linkCode and publicKey are required' }),
+    };
+  }
+  const codeHash = crypto.createHash('sha256').update(parsed.linkCode).digest('hex');
+  // Find the LINK record across tenants — query by SK pattern
+  // We need to scan for the link code. Since link codes are short-lived and rare,
+  // we use a GSI or scan. For simplicity, the caller must provide tenantId or
+  // we search by a known pattern. Actually, the link code hash is unique enough
+  // that we store a reverse-lookup record.
+  //
+  // Alternative approach: query all tenants. But DynamoDB doesn't support that
+  // efficiently. Instead, store a top-level LINK_CODE#{hash} -> tenantId mapping.
+  //
+  // For this implementation, the link-confirm looks up LINK_CODE#{hash} at the
+  // table level (PK = LINK_CODE#{hash}).
+  const lookupResult = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: {
+        PK: `LINK_CODE#${codeHash}`,
+        SK: 'META',
+      },
+    }),
+  );
+  // Fallback: try the tenant-scoped approach by scanning LINK# records
+  // For the initial implementation, we use a top-level lookup key.
+  // The handleCreateLinkCode also writes this lookup record.
+  if (!lookupResult.Item) {
+    return {
+      statusCode: 404,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'not_found', message: 'Invalid or expired link code' }),
+    };
+  }
+  const tenantId = lookupResult.Item['tenantId'] as string;
+  // Fetch the tenant-scoped link record
+  const linkResult = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: {
+        PK: `TENANT#${tenantId}`,
+        SK: `LINK#${codeHash}`,
+      },
+    }),
+  );
+  if (!linkResult.Item) {
+    return {
+      statusCode: 404,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'not_found', message: 'Invalid or expired link code' }),
+    };
+  }
+  const linkRecord = linkResult.Item;
+  // Check expiry
+  if (new Date(linkRecord['expiresAt'] as string) < new Date()) {
+    return {
+      statusCode: 410,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'expired', message: 'Link code has expired' }),
+    };
+  }
+  // Check failure count
+  const failureCount = (linkRecord['failureCount'] as number) ?? 0;
+  if (failureCount >= 3) {
+    // Delete the record
+    await ddb.send(
+      new DeleteCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: `LINK#${codeHash}` },
+      }),
+    );
+    await ddb.send(
+      new DeleteCommand({
+        TableName: tableName,
+        Key: { PK: `LINK_CODE#${codeHash}`, SK: 'META' },
+      }),
+    );
+    return {
+      statusCode: 429,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'too_many_failures', message: 'Too many failed attempts' }),
+    };
+  }
+  // Store the new device's public key in the link record
+  try {
+    await ddb.send(
+      new UpdateCommand({
+        TableName: tableName,
+        Key: {
+          PK: `TENANT#${tenantId}`,
+          SK: `LINK#${codeHash}`,
+        },
+        UpdateExpression: 'SET newPublicKey = :pk',
+        ConditionExpression: 'attribute_exists(PK)',
+        ExpressionAttributeValues: {
+          ':pk': parsed.publicKey,
+        },
+      }),
+    );
+  } catch (err: unknown) {
+    if ((err as { name?: string }).name === 'ConditionalCheckFailedException') {
+      return {
+        statusCode: 404,
+        headers: JSON_HEADERS,
+        body: JSON.stringify({ error: 'not_found', message: 'Link code no longer valid' }),
+      };
+    }
+    throw err;
+  }
+  logger.info('Link confirmed', { tenantId, codeHash: codeHash.slice(0, 8) });
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ status: 'confirmed' }),
+  };
+}
+/**
+ * POST /v1/link-code (extended) — also writes the reverse-lookup record.
+ *
+ * This is a wrapper that ensures both the tenant-scoped LINK# record
+ * and the top-level LINK_CODE# lookup record are created.
+ */
+export async function handleCreateLinkCodeFull(
+  tenantId: string,
+  body: string | null | undefined,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  if (!body) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+    };
+  }
+  let parsed: { codeHash: string };
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Invalid JSON body' }),
+    };
+  }
+  if (!parsed.codeHash || typeof parsed.codeHash !== 'string') {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'codeHash is required' }),
+    };
+  }
+  const now = new Date();
+  const expiresAt = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
+  const ttl = Math.floor(now.getTime() / 1000) + 10 * 60;
+  // Write the tenant-scoped link record
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `TENANT#${tenantId}`,
+        SK: `LINK#${parsed.codeHash}`,
+        newPublicKey: null,
+        failureCount: 0,
+        expiresAt,
+        ttl,
+      },
+    }),
+  );
+  // Write the reverse-lookup record (for unauthenticated link-confirm)
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `LINK_CODE#${parsed.codeHash}`,
+        SK: 'META',
+        tenantId,
+        expiresAt,
+        ttl,
+      },
+    }),
+  );
+  logger.info('Link code created', { tenantId });
+  return {
+    statusCode: 201,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ status: 'created', expiresAt }),
+  };
+}
+/**
+ * GET /v1/link-code/{hash}/status — authenticated
+ *
+ * Returns { status: 'waiting' } or { status: 'ready', newPublicKey }.
+ */
+export async function handleGetLinkCodeStatus(
+  tenantId: string,
+  codeHash: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const result = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: {
+        PK: `TENANT#${tenantId}`,
+        SK: `LINK#${codeHash}`,
+      },
+    }),
+  );
+  if (!result.Item) {
+    return {
+      statusCode: 404,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'not_found', message: 'Link code not found' }),
+    };
+  }
+  const newPublicKey = result.Item['newPublicKey'] as string | null;
+  if (newPublicKey) {
+    return {
+      statusCode: 200,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ status: 'ready', newPublicKey }),
+    };
+  }
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ status: 'waiting' }),
+  };
+}
+/**
+ * GET /v1/devices — authenticated
+ *
+ * Lists all registered devices (KEY#{fingerprint} items) for the tenant.
+ */
+export async function handleListDevices(
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const result = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+      ExpressionAttributeValues: {
+        ':pk': `TENANT#${tenantId}`,
+        ':prefix': 'KEY#',
+      },
+    }),
+  );
+  const devices = (result.Items ?? []).map((item) => ({
+    fingerprint: (item['SK'] as string).replace('KEY#', ''),
+    registeredAt: item['registeredAt'] as string,
+    publicKey: item['publicKey'] as string | undefined,
+  }));
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ devices }),
+  };
+}
+/**
+ * DELETE /v1/devices/{fingerprint} — authenticated
+ *
+ * Removes the KEY# item and WRAPPED_KEY# item for the given device.
+ */
+export async function handleDeleteDevice(
+  tenantId: string,
+  fingerprint: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  // Delete the KEY# record
+  await ddb.send(
+    new DeleteCommand({
+      TableName: tableName,
+      Key: {
+        PK: `TENANT#${tenantId}`,
+        SK: `KEY#${fingerprint}`,
+      },
+    }),
+  );
+  // Delete the WRAPPED_KEY# record
+  await ddb.send(
+    new DeleteCommand({
+      TableName: tableName,
+      Key: {
+        PK: `TENANT#${tenantId}`,
+        SK: `WRAPPED_KEY#${fingerprint}`,
+      },
+    }),
+  );
+  // Create revocation notification for remaining devices
+  await createNotification(tenantId, 'device_revoked', {
+    hostname: fingerprint,
+  }, ddb, tableName);
+  logger.info('Device removed', { tenantId, fingerprint });
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ status: 'deleted' }),
+  };
+}

package/dist/lib/handler/routes/export.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+interface HandlerResponse {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+}
+export declare function handleExport(tenantId: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+export {};
+//# sourceMappingURL=export.d.ts.map

package/dist/lib/handler/routes/export.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"export.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/export.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAgB,MAAM,uBAAuB,CAAC;AAG7E,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAyC1B"}

package/dist/lib/handler/routes/export.js ADDED Viewed

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleExport = handleExport;
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const logger_js_1 = require("../logger.js");
+async function handleExport(tenantId, ddb, tableName) {
+    const allBlobs = [];
+    let lastKey;
+    do {
+        const result = await ddb.send(new lib_dynamodb_1.QueryCommand({
+            TableName: tableName,
+            KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+            ExpressionAttributeValues: {
+                ':pk': `TENANT#${tenantId}`,
+                ':prefix': 'BLOB#',
+            },
+            FilterExpression: 'attribute_not_exists(deletedAt)',
+            ExclusiveStartKey: lastKey,
+        }));
+        for (const item of result.Items ?? []) {
+            const sk = item['SK'];
+            const blobId = sk.slice(5); // Remove 'BLOB#' prefix
+            const data = item['data'];
+            allBlobs.push({
+                id: blobId,
+                data: Buffer.from(data).toString('base64'),
+                size: item['size'],
+                ts: item['updatedAt'],
+            });
+        }
+        lastKey = result.LastEvaluatedKey;
+    } while (lastKey);
+    logger_js_1.logger.info('Export completed', { tenantId, operation: 'EXPORT', blobCount: allBlobs.length });
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ blobs: allBlobs }),
+    };
+}
+//# sourceMappingURL=export.js.map

package/dist/lib/handler/routes/export.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"export.js","sourceRoot":"","sources":["../../../../lib/handler/routes/export.ts"],"names":[],"mappings":";;AASA,oCA6CC;AAtDD,wDAA6E;AAC7E,4CAAsC;AAQ/B,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,QAAQ,GAA6D,EAAE,CAAC;IAC9E,IAAI,OAA4C,CAAC;IAEjD,GAAG,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,2BAAY,CAAC;YACf,SAAS,EAAE,SAAS;YACpB,sBAAsB,EAAE,uCAAuC;YAC/D,yBAAyB,EAAE;gBACzB,KAAK,EAAE,UAAU,QAAQ,EAAE;gBAC3B,SAAS,EAAE,OAAO;aACnB;YACD,gBAAgB,EAAE,iCAAiC;YACnD,iBAAiB,EAAE,OAAO;SAC3B,CAAC,CACH,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;YACtC,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAW,CAAC;YAChC,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,wBAAwB;YACpD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAW,CAAC;YAEpC,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,MAAM;gBACV,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC1C,IAAI,EAAE,IAAI,CAAC,MAAM,CAAW;gBAC5B,EAAE,EAAE,IAAI,CAAC,WAAW,CAAW;aAChC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,GAAG,MAAM,CAAC,gBAAuD,CAAC;IAC3E,CAAC,QAAQ,OAAO,EAAE;IAElB,kBAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAE/F,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;KAC1C,CAAC;AACJ,CAAC"}

package/dist/lib/handler/routes/export.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import { DynamoDBDocumentClient, QueryCommand } from '@aws-sdk/lib-dynamodb';
+import { logger } from '../logger.js';
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+export async function handleExport(
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const allBlobs: { id: string; data: string; size: number; ts: string }[] = [];
+  let lastKey: Record<string, unknown> | undefined;
+  do {
+    const result = await ddb.send(
+      new QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+        ExpressionAttributeValues: {
+          ':pk': `TENANT#${tenantId}`,
+          ':prefix': 'BLOB#',
+        },
+        FilterExpression: 'attribute_not_exists(deletedAt)',
+        ExclusiveStartKey: lastKey,
+      }),
+    );
+    for (const item of result.Items ?? []) {
+      const sk = item['SK'] as string;
+      const blobId = sk.slice(5); // Remove 'BLOB#' prefix
+      const data = item['data'] as Buffer;
+      allBlobs.push({
+        id: blobId,
+        data: Buffer.from(data).toString('base64'),
+        size: item['size'] as number,
+        ts: item['updatedAt'] as string,
+      });
+    }
+    lastKey = result.LastEvaluatedKey as Record<string, unknown> | undefined;
+  } while (lastKey);
+  logger.info('Export completed', { tenantId, operation: 'EXPORT', blobCount: allBlobs.length });
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ blobs: allBlobs }),
+  };
+}

package/dist/lib/handler/routes/github.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+/**
+ * Fetch SSH public keys from GitHub for a username.
+ * Returns one key per line. Uses a 5-minute in-memory cache.
+ */
+export declare function fetchGitHubKeys(username: string): Promise<string[]>;
+/**
+ * Verify that a public key (in SSH authorized_keys format or base64) appears
+ * on a GitHub account.
+ */
+export declare function verifyKeyOnGitHub(publicKeyBase64: string, githubUsername: string): Promise<boolean>;
+export declare class GitHubVerificationError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+/**
+ * Store the GitHub username association on a tenant.
+ * DynamoDB: PK: TENANT#{tenantId}, SK: GITHUB#{username}
+ */
+export declare function storeGitHubAssociation(tenantId: string, githubUsername: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<void>;
+/**
+ * Look up if a tenant is associated with a GitHub username.
+ * Returns the tenant ID if found, null otherwise.
+ */
+export declare function findTenantByGitHub(githubUsername: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<string | null>;
+/**
+ * Store a reverse lookup record: GITHUB#{username} -> tenantId
+ */
+export declare function storeGitHubReverseLookup(githubUsername: string, tenantId: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<void>;
+export declare function _resetGitHubKeyCache(): void;
+//# sourceMappingURL=github.d.ts.map

package/dist/lib/handler/routes/github.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/github.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAA0B,MAAM,uBAAuB,CAAC;AAmBvF;;;GAGG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BzE;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,eAAe,EAAE,MAAM,EACvB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,OAAO,CAAC,CAelB;AAED,qBAAa,uBAAwB,SAAQ,KAAK;aAE9B,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM,EAC5B,OAAO,EAAE,MAAM;CAKlB;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EACtB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAcf;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,cAAc,EAAE,MAAM,EACtB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAcxB;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,cAAc,EAAE,MAAM,EACtB,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAYf;AAGD,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C"}