@de-otio/chaoskb-server 0.2.0

package/dist/lib/handler/routes/github.js

@@ -0,0 +1,118 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GitHubVerificationError = void 0;
+exports.fetchGitHubKeys = fetchGitHubKeys;
+exports.verifyKeyOnGitHub = verifyKeyOnGitHub;
+exports.storeGitHubAssociation = storeGitHubAssociation;
+exports.findTenantByGitHub = findTenantByGitHub;
+exports.storeGitHubReverseLookup = storeGitHubReverseLookup;
+exports._resetGitHubKeyCache = _resetGitHubKeyCache;
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const logger_js_1 = require("../logger.js");
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+const githubKeyCache = new Map();
+const CACHE_TTL_MS = 5 * 60 * 1000;
+/**
+ * Fetch SSH public keys from GitHub for a username.
+ * Returns one key per line. Uses a 5-minute in-memory cache.
+ */
+async function fetchGitHubKeys(username) {
+    const now = Date.now();
+    const cached = githubKeyCache.get(username);
+    if (cached && now < cached.expiresAt) {
+        return cached.keys;
+    }
+    const response = await fetch(`https://github.com/${encodeURIComponent(username)}.keys`, { signal: AbortSignal.timeout(10_000) });
+    if (response.status === 404) {
+        throw new GitHubVerificationError('github_user_not_found', `GitHub user "${username}" not found`);
+    }
+    if (!response.ok) {
+        throw new GitHubVerificationError('github_unreachable', `GitHub returned status ${response.status}`);
+    }
+    const text = await response.text();
+    const keys = text
+        .split('\n')
+        .map((line) => line.trim())
+        .filter((line) => line.length > 0);
+    githubKeyCache.set(username, { keys, expiresAt: now + CACHE_TTL_MS });
+    return keys;
+}
+/**
+ * Verify that a public key (in SSH authorized_keys format or base64) appears
+ * on a GitHub account.
+ */
+async function verifyKeyOnGitHub(publicKeyBase64, githubUsername) {
+    const githubKeys = await fetchGitHubKeys(githubUsername);
+    for (const ghKey of githubKeys) {
+        const parts = ghKey.split(/\s+/);
+        if (parts.length >= 2 && parts[1] === publicKeyBase64) {
+            return true;
+        }
+        // Also match if the full key blob matches
+        if (ghKey === publicKeyBase64) {
+            return true;
+        }
+    }
+    return false;
+}
+class GitHubVerificationError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = 'GitHubVerificationError';
+    }
+}
+exports.GitHubVerificationError = GitHubVerificationError;
+/**
+ * Store the GitHub username association on a tenant.
+ * DynamoDB: PK: TENANT#{tenantId}, SK: GITHUB#{username}
+ */
+async function storeGitHubAssociation(tenantId, githubUsername, ddb, tableName) {
+    const now = new Date().toISOString();
+    await ddb.send(new lib_dynamodb_1.PutCommand({
+        TableName: tableName,
+        Item: {
+            PK: `TENANT#${tenantId}`,
+            SK: `GITHUB#${githubUsername}`,
+            githubUsername,
+            createdAt: now,
+        },
+    }));
+    logger_js_1.logger.info('GitHub association stored', { tenantId, githubUsername });
+}
+/**
+ * Look up if a tenant is associated with a GitHub username.
+ * Returns the tenant ID if found, null otherwise.
+ */
+async function findTenantByGitHub(githubUsername, ddb, tableName) {
+    // We need a reverse lookup: GITHUB#{username} -> tenantId
+    // Store a top-level record for this
+    const result = await ddb.send(new lib_dynamodb_1.GetCommand({
+        TableName: tableName,
+        Key: {
+            PK: `GITHUB#${githubUsername}`,
+            SK: 'META',
+        },
+    }));
+    return result.Item?.['tenantId'] ?? null;
+}
+/**
+ * Store a reverse lookup record: GITHUB#{username} -> tenantId
+ */
+async function storeGitHubReverseLookup(githubUsername, tenantId, ddb, tableName) {
+    await ddb.send(new lib_dynamodb_1.PutCommand({
+        TableName: tableName,
+        Item: {
+            PK: `GITHUB#${githubUsername}`,
+            SK: 'META',
+            tenantId,
+            createdAt: new Date().toISOString(),
+        },
+    }));
+}
+// Export for testing
+function _resetGitHubKeyCache() {
+    githubKeyCache.clear();
+}
+//# sourceMappingURL=github.js.map

package/dist/lib/handler/routes/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../../../lib/handler/routes/github.ts"],"names":[],"mappings":";;;AAuBA,0CA4BC;AAMD,8CAkBC;AAgBD,wDAmBC;AAMD,gDAkBC;AAKD,4DAiBC;AAGD,oDAEC;AAjKD,wDAAuF;AACvF,4CAAsC;AAQtC,MAAM,YAAY,GAAG,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;AAO5D,MAAM,cAAc,GAAG,IAAI,GAAG,EAAsB,CAAC;AACrD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnC;;;GAGG;AACI,KAAK,UAAU,eAAe,CAAC,QAAgB;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,sBAAsB,kBAAkB,CAAC,QAAQ,CAAC,OAAO,EACzD,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CACxC,CAAC;IAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,IAAI,uBAAuB,CAAC,uBAAuB,EAAE,gBAAgB,QAAQ,aAAa,CAAC,CAAC;IACpG,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,uBAAuB,CAAC,oBAAoB,EAAE,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACvG,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,IAAI,GAAG,IAAI;SACd,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAErC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,GAAG,YAAY,EAAE,CAAC,CAAC;IACtE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,iBAAiB,CACrC,eAAuB,EACvB,cAAsB;IAEtB,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,cAAc,CAAC,CAAC;IAEzD,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,eAAe,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,0CAA0C;QAC1C,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAa,uBAAwB,SAAQ,KAAK;IAE9B;IADlB,YACkB,IAAY,EAC5B,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAQ;QAI5B,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AARD,0DAQC;AAED;;;GAGG;AACI,KAAK,UAAU,sBAAsB,CAC1C,QAAgB,EAChB,cAAsB,EACtB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE;YACJ,EAAE,EAAE,UAAU,QAAQ,EAAE;YACxB,EAAE,EAAE,UAAU,cAAc,EAAE;YAC9B,cAAc;YACd,SAAS,EAAE,GAAG;SACf;KACF,CAAC,CACH,CAAC;IACF,kBAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC,CAAC;AACzE,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,kBAAkB,CACtC,cAAsB,EACtB,GAA2B,EAC3B,SAAiB;IAEjB,0DAA0D;IAC1D,oCAAoC;IACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE;YACH,EAAE,EAAE,UAAU,cAAc,EAAE;YAC9B,EAAE,EAAE,MAAM;SACX;KACF,CAAC,CACH,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;AAC3C,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,wBAAwB,CAC5C,cAAsB,EACtB,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE;YACJ,EAAE,EAAE,UAAU,cAAc,EAAE;YAC9B,EAAE,EAAE,MAAM;YACV,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC;KACF,CAAC,CACH,CAAC;AACJ,CAAC;AAED,qBAAqB;AACrB,SAAgB,oBAAoB;IAClC,cAAc,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC"}

package/dist/lib/handler/routes/github.ts

@@ -0,0 +1,162 @@
+import { DynamoDBDocumentClient, PutCommand, GetCommand } from '@aws-sdk/lib-dynamodb';
+import { logger } from '../logger.js';
+
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+
+// In-memory cache for GitHub keys (5 min TTL)
+interface CacheEntry {
+  keys: string[];
+  expiresAt: number;
+}
+const githubKeyCache = new Map<string, CacheEntry>();
+const CACHE_TTL_MS = 5 * 60 * 1000;
+
+/**
+ * Fetch SSH public keys from GitHub for a username.
+ * Returns one key per line. Uses a 5-minute in-memory cache.
+ */
+export async function fetchGitHubKeys(username: string): Promise<string[]> {
+  const now = Date.now();
+  const cached = githubKeyCache.get(username);
+  if (cached && now < cached.expiresAt) {
+    return cached.keys;
+  }
+
+  const response = await fetch(
+    `https://github.com/${encodeURIComponent(username)}.keys`,
+    { signal: AbortSignal.timeout(10_000) },
+  );
+
+  if (response.status === 404) {
+    throw new GitHubVerificationError('github_user_not_found', `GitHub user "${username}" not found`);
+  }
+
+  if (!response.ok) {
+    throw new GitHubVerificationError('github_unreachable', `GitHub returned status ${response.status}`);
+  }
+
+  const text = await response.text();
+  const keys = text
+    .split('\n')
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0);
+
+  githubKeyCache.set(username, { keys, expiresAt: now + CACHE_TTL_MS });
+  return keys;
+}
+
+/**
+ * Verify that a public key (in SSH authorized_keys format or base64) appears
+ * on a GitHub account.
+ */
+export async function verifyKeyOnGitHub(
+  publicKeyBase64: string,
+  githubUsername: string,
+): Promise<boolean> {
+  const githubKeys = await fetchGitHubKeys(githubUsername);
+
+  for (const ghKey of githubKeys) {
+    const parts = ghKey.split(/\s+/);
+    if (parts.length >= 2 && parts[1] === publicKeyBase64) {
+      return true;
+    }
+    // Also match if the full key blob matches
+    if (ghKey === publicKeyBase64) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+export class GitHubVerificationError extends Error {
+  constructor(
+    public readonly code: string,
+    message: string,
+  ) {
+    super(message);
+    this.name = 'GitHubVerificationError';
+  }
+}
+
+/**
+ * Store the GitHub username association on a tenant.
+ * DynamoDB: PK: TENANT#{tenantId}, SK: GITHUB#{username}
+ */
+export async function storeGitHubAssociation(
+  tenantId: string,
+  githubUsername: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<void> {
+  const now = new Date().toISOString();
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `TENANT#${tenantId}`,
+        SK: `GITHUB#${githubUsername}`,
+        githubUsername,
+        createdAt: now,
+      },
+    }),
+  );
+  logger.info('GitHub association stored', { tenantId, githubUsername });
+}
+
+/**
+ * Look up if a tenant is associated with a GitHub username.
+ * Returns the tenant ID if found, null otherwise.
+ */
+export async function findTenantByGitHub(
+  githubUsername: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<string | null> {
+  // We need a reverse lookup: GITHUB#{username} -> tenantId
+  // Store a top-level record for this
+  const result = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: {
+        PK: `GITHUB#${githubUsername}`,
+        SK: 'META',
+      },
+    }),
+  );
+
+  return result.Item?.['tenantId'] ?? null;
+}
+
+/**
+ * Store a reverse lookup record: GITHUB#{username} -> tenantId
+ */
+export async function storeGitHubReverseLookup(
+  githubUsername: string,
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<void> {
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `GITHUB#${githubUsername}`,
+        SK: 'META',
+        tenantId,
+        createdAt: new Date().toISOString(),
+      },
+    }),
+  );
+}
+
+// Export for testing
+export function _resetGitHubKeyCache(): void {
+  githubKeyCache.clear();
+}

package/dist/lib/handler/routes/health.d.ts

@@ -0,0 +1,6 @@
+export declare function handleHealth(): {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+};
+//# sourceMappingURL=health.d.ts.map

package/dist/lib/handler/routes/health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/health.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,IAAI;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,CASpG"}

package/dist/lib/handler/routes/health.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleHealth = handleHealth;
+function handleHealth() {
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            status: 'ok',
+            timestamp: new Date().toISOString(),
+        }),
+    };
+}
+//# sourceMappingURL=health.js.map

package/dist/lib/handler/routes/health.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.js","sourceRoot":"","sources":["../../../../lib/handler/routes/health.ts"],"names":[],"mappings":";;AAAA,oCASC;AATD,SAAgB,YAAY;IAC1B,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;KACH,CAAC;AACJ,CAAC"}

package/dist/lib/handler/routes/health.ts

@@ -0,0 +1,10 @@
+export function handleHealth(): { statusCode: number; body: string; headers: Record<string, string> } {
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      status: 'ok',
+      timestamp: new Date().toISOString(),
+    }),
+  };
+}

package/dist/lib/handler/routes/invites.d.ts

@@ -0,0 +1,24 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+interface HandlerResponse {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+}
+/**
+ * POST /v1/invites - Create an invite
+ */
+export declare function handleCreateInvite(tenantId: string, fingerprint: string, body: string | null | undefined, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+/**
+ * GET /v1/invites - List pending invites for the authenticated user
+ */
+export declare function handleListInvites(tenantId: string, fingerprint: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+/**
+ * POST /v1/invites/{id}/accept - Accept an invite
+ */
+export declare function handleAcceptInvite(tenantId: string, fingerprint: string, inviteId: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+/**
+ * POST /v1/invites/{id}/decline - Decline an invite
+ */
+export declare function handleDeclineInvite(tenantId: string, fingerprint: string, inviteId: string, body: string | null | undefined, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+export {};
+//# sourceMappingURL=invites.d.ts.map

package/dist/lib/handler/routes/invites.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"invites.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/invites.ts"],"names":[],"mappings":"AACA,OAAO,EACL,sBAAsB,EAKvB,MAAM,uBAAuB,CAAC;AAI/B,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAgHD;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAyH1B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAiC1B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CA0G1B;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAiG1B"}