@doccov/api 0.3.7 → 0.5.0

package/src/routes/orgs.ts

@@ -0,0 +1,387 @@
+import { Hono } from 'hono';
+import { nanoid } from 'nanoid';
+import { auth } from '../auth/config';
+import { db } from '../db/client';
+
+const SITE_URL = process.env.SITE_URL || 'http://localhost:3000';
+
+type Session = Awaited<ReturnType<typeof auth.api.getSession>>;
+
+type Env = {
+  Variables: {
+    session: NonNullable<Session>;
+  };
+};
+
+export const orgsRoute = new Hono<Env>();
+
+// Middleware: require auth
+orgsRoute.use('*', async (c, next) => {
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session) {
+    return c.json({ error: 'Unauthorized' }, 401);
+  }
+  c.set('session', session);
+  await next();
+});
+
+// List user's organizations
+orgsRoute.get('/', async (c) => {
+  const session = c.get('session');
+
+  const memberships = await db
+    .selectFrom('org_members')
+    .innerJoin('organizations', 'organizations.id', 'org_members.orgId')
+    .where('org_members.userId', '=', session.user.id)
+    .select([
+      'organizations.id',
+      'organizations.name',
+      'organizations.slug',
+      'organizations.plan',
+      'organizations.isPersonal',
+      'organizations.aiCallsUsed',
+      'org_members.role',
+    ])
+    .execute();
+
+  return c.json({ organizations: memberships });
+});
+
+// Get single org by slug
+orgsRoute.get('/:slug', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .select([
+      'organizations.id',
+      'organizations.name',
+      'organizations.slug',
+      'organizations.plan',
+      'organizations.isPersonal',
+      'organizations.aiCallsUsed',
+      'organizations.aiCallsResetAt',
+      'org_members.role',
+    ])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Organization not found' }, 404);
+  }
+
+  return c.json({ organization: org });
+});
+
+// Get org's projects
+orgsRoute.get('/:slug/projects', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+
+  // Verify membership
+  const membership = await db
+    .selectFrom('org_members')
+    .innerJoin('organizations', 'organizations.id', 'org_members.orgId')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .select(['org_members.orgId'])
+    .executeTakeFirst();
+
+  if (!membership) {
+    return c.json({ error: 'Organization not found' }, 404);
+  }
+
+  const projects = await db
+    .selectFrom('projects')
+    .where('orgId', '=', membership.orgId)
+    .selectAll()
+    .execute();
+
+  return c.json({ projects });
+});
+
+// Create a project
+orgsRoute.post('/:slug/projects', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+  const body = await c.req.json<{ name: string; fullName: string; isPrivate?: boolean }>();
+
+  // Verify owner/admin membership
+  const membership = await db
+    .selectFrom('org_members')
+    .innerJoin('organizations', 'organizations.id', 'org_members.orgId')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['org_members.orgId'])
+    .executeTakeFirst();
+
+  if (!membership) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  const project = await db
+    .insertInto('projects')
+    .values({
+      id: nanoid(21),
+      orgId: membership.orgId,
+      name: body.name,
+      fullName: body.fullName,
+      isPrivate: body.isPrivate ?? false,
+      defaultBranch: 'main',
+    })
+    .returningAll()
+    .executeTakeFirst();
+
+  return c.json({ project }, 201);
+});
+
+// ============ Members ============
+
+// List org members
+orgsRoute.get('/:slug/members', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+
+  // Verify membership
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .select(['organizations.id as orgId', 'org_members.role as myRole'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Organization not found' }, 404);
+  }
+
+  const members = await db
+    .selectFrom('org_members')
+    .innerJoin('user', 'user.id', 'org_members.userId')
+    .where('org_members.orgId', '=', org.orgId)
+    .select([
+      'org_members.id',
+      'org_members.userId',
+      'org_members.role',
+      'org_members.createdAt',
+      'user.email',
+      'user.name',
+      'user.image',
+    ])
+    .orderBy('org_members.createdAt', 'asc')
+    .execute();
+
+  return c.json({ members, myRole: org.myRole });
+});
+
+// Create invite
+orgsRoute.post('/:slug/invites', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+  const body = await c.req.json<{ email: string; role: 'admin' | 'member' }>();
+
+  // Verify owner/admin
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.id as orgId', 'organizations.name'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  // Check if already a member
+  const existingMember = await db
+    .selectFrom('org_members')
+    .innerJoin('user', 'user.id', 'org_members.userId')
+    .where('org_members.orgId', '=', org.orgId)
+    .where('user.email', '=', body.email)
+    .select('org_members.id')
+    .executeTakeFirst();
+
+  if (existingMember) {
+    return c.json({ error: 'User is already a member' }, 400);
+  }
+
+  const token = nanoid(32);
+  const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
+
+  const invite = await db
+    .insertInto('org_invites')
+    .values({
+      id: nanoid(21),
+      orgId: org.orgId,
+      email: body.email,
+      role: body.role || 'member',
+      token,
+      expiresAt,
+      createdBy: session.user.id,
+    })
+    .returningAll()
+    .executeTakeFirst();
+
+  const inviteUrl = `${SITE_URL}/invite/${token}`;
+
+  return c.json({ invite, inviteUrl }, 201);
+});
+
+// List pending invites
+orgsRoute.get('/:slug/invites', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+
+  // Verify owner/admin
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.id as orgId'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  const invites = await db
+    .selectFrom('org_invites')
+    .where('orgId', '=', org.orgId)
+    .where('expiresAt', '>', new Date())
+    .select(['id', 'email', 'role', 'expiresAt', 'createdAt'])
+    .orderBy('createdAt', 'desc')
+    .execute();
+
+  return c.json({ invites });
+});
+
+// Delete invite
+orgsRoute.delete('/:slug/invites/:inviteId', async (c) => {
+  const session = c.get('session');
+  const { slug, inviteId } = c.req.param();
+
+  // Verify owner/admin
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.id as orgId'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  await db
+    .deleteFrom('org_invites')
+    .where('id', '=', inviteId)
+    .where('orgId', '=', org.orgId)
+    .execute();
+
+  return c.json({ success: true });
+});
+
+// Update member role
+orgsRoute.patch('/:slug/members/:userId', async (c) => {
+  const session = c.get('session');
+  const { slug, userId } = c.req.param();
+  const body = await c.req.json<{ role: 'admin' | 'member' }>();
+
+  // Verify owner
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', '=', 'owner')
+    .select(['organizations.id as orgId'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Only owner can change roles' }, 403);
+  }
+
+  // Don't allow changing owner role
+  const targetMember = await db
+    .selectFrom('org_members')
+    .where('orgId', '=', org.orgId)
+    .where('userId', '=', userId)
+    .select('role')
+    .executeTakeFirst();
+
+  if (!targetMember) {
+    return c.json({ error: 'Member not found' }, 404);
+  }
+
+  if (targetMember.role === 'owner') {
+    return c.json({ error: 'Cannot change owner role' }, 400);
+  }
+
+  await db
+    .updateTable('org_members')
+    .set({ role: body.role })
+    .where('orgId', '=', org.orgId)
+    .where('userId', '=', userId)
+    .execute();
+
+  return c.json({ success: true });
+});
+
+// Remove member
+orgsRoute.delete('/:slug/members/:userId', async (c) => {
+  const session = c.get('session');
+  const { slug, userId } = c.req.param();
+
+  // Verify owner/admin
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.id as orgId', 'org_members.role as myRole'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  // Don't allow removing owner
+  const targetMember = await db
+    .selectFrom('org_members')
+    .where('orgId', '=', org.orgId)
+    .where('userId', '=', userId)
+    .select('role')
+    .executeTakeFirst();
+
+  if (!targetMember) {
+    return c.json({ error: 'Member not found' }, 404);
+  }
+
+  if (targetMember.role === 'owner') {
+    return c.json({ error: 'Cannot remove owner' }, 400);
+  }
+
+  // Admins can only remove members, not other admins
+  if (org.myRole === 'admin' && targetMember.role === 'admin') {
+    return c.json({ error: 'Admins cannot remove other admins' }, 403);
+  }
+
+  await db
+    .deleteFrom('org_members')
+    .where('orgId', '=', org.orgId)
+    .where('userId', '=', userId)
+    .execute();
+
+  return c.json({ success: true });
+});

package/src/routes/plan.ts

@@ -1,81 +1,11 @@
 /**
- * Plan route for local development (mirrors api/plan.ts)
- * Does NOT use Vercel Sandbox - only GitHub API + Anthropic Claude
+ * Plan route - TODO: implement plan-agent
  */
 
-import { fetchGitHubContext, parseScanGitHubUrl } from '@doccov/sdk';
 import { Hono } from 'hono';
-import { generateBuildPlan } from '../../lib/plan-agent';
 
 export const planRoute = new Hono();
 
 planRoute.post('/', async (c) => {
-  const body = await c.req.json<{ url: string; ref?: string; package?: string }>();
-
-  if (!body.url) {
-    return c.json({ error: 'url is required' }, 400);
-  }
-
-  // Validate URL format
-  let repoUrl: string;
-  try {
-    const parsed = parseScanGitHubUrl(body.url);
-    if (!parsed) {
-      return c.json({ error: 'Invalid GitHub URL' }, 400);
-    }
-    repoUrl = `https://github.com/${parsed.owner}/${parsed.repo}`;
-  } catch {
-    return c.json({ error: 'Invalid GitHub URL' }, 400);
-  }
-
-  try {
-    // Fetch project context from GitHub
-    const context = await fetchGitHubContext(repoUrl, body.ref);
-
-    // Check for private repos
-    if (context.metadata.isPrivate) {
-      return c.json(
-        {
-          error: 'Private repositories are not supported',
-          hint: 'Use a public repository or run doccov locally',
-        },
-        403,
-      );
-    }
-
-    // Generate build plan using AI
-    const plan = await generateBuildPlan(context, {
-      targetPackage: body.package,
-    });
-
-    return c.json({
-      plan,
-      context: {
-        owner: context.metadata.owner,
-        repo: context.metadata.repo,
-        ref: context.ref,
-        packageManager: context.packageManager,
-        isMonorepo: context.workspace.isMonorepo,
-      },
-    });
-  } catch (error) {
-    console.error('Plan generation error:', error);
-
-    if (error instanceof Error) {
-      if (error.message.includes('404') || error.message.includes('not found')) {
-        return c.json({ error: 'Repository not found' }, 404);
-      }
-      if (error.message.includes('rate limit')) {
-        return c.json({ error: 'GitHub API rate limit exceeded' }, 429);
-      }
-    }
-
-    return c.json(
-      {
-        error: 'Failed to generate build plan',
-        message: error instanceof Error ? error.message : 'Unknown error',
-      },
-      500,
-    );
-  }
+  return c.json({ error: 'Plan endpoint not yet implemented' }, 501);
 });

package/src/server.ts

@@ -0,0 +1,22 @@
+import { serve } from '@hono/node-server';
+import { runMigrations } from './db/migrate';
+import app from './index';
+
+const port = parseInt(process.env.PORT || '3001');
+
+async function start() {
+  // Run migrations on startup
+  console.log('Running migrations...');
+  await runMigrations();
+
+  // Start server
+  console.log(`Starting server on port ${port}`);
+  serve({
+    fetch: app.fetch,
+    port,
+  });
+
+  console.log(`Server running at http://localhost:${port}`);
+}
+
+start().catch(console.error);

package/src/utils/api-keys.ts

@@ -0,0 +1,20 @@
+import { createHash } from 'node:crypto';
+import { nanoid } from 'nanoid';
+
+const KEY_PREFIX = 'doccov_';
+
+export function generateApiKey(): { key: string; hash: string; prefix: string } {
+  const random = nanoid(32);
+  const key = `${KEY_PREFIX}${random}`;
+  const hash = hashApiKey(key);
+  const prefix = key.slice(0, 12);
+  return { key, hash, prefix };
+}
+
+export function hashApiKey(key: string): string {
+  return createHash('sha256').update(key).digest('hex');
+}
+
+export function isValidKeyFormat(key: string): boolean {
+  return key.startsWith(KEY_PREFIX) && key.length === KEY_PREFIX.length + 32;
+}

package/src/utils/github-app.ts

@@ -0,0 +1,196 @@
+/**
+ * GitHub App utilities for token management and API access
+ */
+
+import { SignJWT } from 'jose';
+import { db } from '../db/client';
+
+const GITHUB_APP_ID = process.env.GITHUB_APP_ID!;
+const GITHUB_APP_PRIVATE_KEY = process.env.GITHUB_APP_PRIVATE_KEY!;
+
+/**
+ * Generate a JWT for GitHub App authentication
+ */
+async function generateAppJWT(): Promise<string> {
+  const privateKey = await importPrivateKey(GITHUB_APP_PRIVATE_KEY);
+
+  const jwt = await new SignJWT({})
+    .setProtectedHeader({ alg: 'RS256' })
+    .setIssuedAt()
+    .setIssuer(GITHUB_APP_ID)
+    .setExpirationTime('10m')
+    .sign(privateKey);
+
+  return jwt;
+}
+
+/**
+ * Import PEM private key for signing
+ */
+async function importPrivateKey(pem: string) {
+  // Handle escaped newlines from env vars
+  const formattedPem = pem.replace(/\\n/g, '\n');
+
+  const pemContents = formattedPem
+    .replace('-----BEGIN RSA PRIVATE KEY-----', '')
+    .replace('-----END RSA PRIVATE KEY-----', '')
+    .replace(/\s/g, '');
+
+  const binaryKey = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+
+  return crypto.subtle.importKey(
+    'pkcs8',
+    binaryKey,
+    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+    false,
+    ['sign'],
+  );
+}
+
+/**
+ * Get or refresh installation access token
+ */
+export async function getInstallationToken(orgId: string): Promise<string | null> {
+  const installation = await db
+    .selectFrom('github_installations')
+    .where('orgId', '=', orgId)
+    .select(['id', 'installationId', 'accessToken', 'tokenExpiresAt'])
+    .executeTakeFirst();
+
+  if (!installation) {
+    return null;
+  }
+
+  // Check if token is still valid (with 5 min buffer)
+  const now = new Date();
+  const expiresAt = installation.tokenExpiresAt;
+  const isExpired = !expiresAt || new Date(expiresAt.getTime() - 5 * 60 * 1000) <= now;
+
+  if (!isExpired && installation.accessToken) {
+    return installation.accessToken;
+  }
+
+  // Refresh the token
+  try {
+    const jwt = await generateAppJWT();
+    const response = await fetch(
+      `https://api.github.com/app/installations/${installation.installationId}/access_tokens`,
+      {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${jwt}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
+    );
+
+    if (!response.ok) {
+      console.error('Failed to get installation token:', await response.text());
+      return null;
+    }
+
+    const data = (await response.json()) as { token: string; expires_at: string };
+
+    // Update token in database
+    await db
+      .updateTable('github_installations')
+      .set({
+        accessToken: data.token,
+        tokenExpiresAt: new Date(data.expires_at),
+        updatedAt: new Date(),
+      })
+      .where('id', '=', installation.id)
+      .execute();
+
+    return data.token;
+  } catch (err) {
+    console.error('Error refreshing installation token:', err);
+    return null;
+  }
+}
+
+/**
+ * Get installation token by installation ID (for webhooks)
+ */
+export async function getTokenByInstallationId(installationId: string): Promise<string | null> {
+  const installation = await db
+    .selectFrom('github_installations')
+    .where('installationId', '=', installationId)
+    .select(['orgId'])
+    .executeTakeFirst();
+
+  if (!installation) {
+    return null;
+  }
+
+  return getInstallationToken(installation.orgId);
+}
+
+/**
+ * List repositories accessible to an installation
+ */
+export async function listInstallationRepos(
+  orgId: string,
+): Promise<Array<{ id: number; name: string; full_name: string; private: boolean }> | null> {
+  const token = await getInstallationToken(orgId);
+  if (!token) return null;
+
+  try {
+    const response = await fetch('https://api.github.com/installation/repositories', {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/vnd.github+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    });
+
+    if (!response.ok) {
+      console.error('Failed to list repos:', await response.text());
+      return null;
+    }
+
+    const data = (await response.json()) as {
+      repositories: Array<{ id: number; name: string; full_name: string; private: boolean }>;
+    };
+    return data.repositories;
+  } catch (err) {
+    console.error('Error listing repos:', err);
+    return null;
+  }
+}
+
+/**
+ * Fetch file content from a private repo
+ */
+export async function fetchRepoFile(
+  orgId: string,
+  owner: string,
+  repo: string,
+  path: string,
+  ref?: string,
+): Promise<string | null> {
+  const token = await getInstallationToken(orgId);
+  if (!token) return null;
+
+  try {
+    const url = new URL(`https://api.github.com/repos/${owner}/${repo}/contents/${path}`);
+    if (ref) url.searchParams.set('ref', ref);
+
+    const response = await fetch(url.toString(), {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/vnd.github.raw+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    });
+
+    if (!response.ok) {
+      return null;
+    }
+
+    return response.text();
+  } catch {
+    return null;
+  }
+}