@elliotding/ai-agent-mcp 0.1.24 → 0.1.26

package/src/auth/token-validator.ts

@@ -1,292 +0,0 @@
-/**
- * Token Validation via CSP API
- * Validates tokens by calling CSP /user/permissions endpoint
- */
-
-import { apiClient } from '../api/client';
-import { logger, logError, logAuthAttempt } from '../utils/logger';
-
-/**
- * Token validation payload structure
- */
-export interface TokenPayload {
-  userId: string;
-  email: string;
-  groups: string[];  // Changed from 'roles' to 'groups' to match API response
-  // Additional fields for compatibility
-  roles?: string[];  // Alias for groups
-  [key: string]: unknown;
-}
-
-/**
- * CSP API response for /user/permissions
- */
-interface PermissionsResponse {
-  code: number;
-  data?: {
-    user_id: string;
-    email: string;
-    groups: string[];
-  };
-  message?: string;
-}
-
-/**
- * Token validation cache (in-memory, 5 minute TTL)
- */
-const tokenCache = new Map<string, { payload: TokenPayload; expireAt: number }>();
-
-/**
- * Cache cleanup interval reference (for cleanup on shutdown)
- */
-let cacheCleanupInterval: NodeJS.Timeout | null = null;
-
-/**
- * Clean expired cache entries
- */
-function cleanExpiredCache(): void {
-  const now = Date.now();
-  let cleaned = 0;
-  
-  for (const [token, entry] of tokenCache.entries()) {
-    if (entry.expireAt < now) {
-      tokenCache.delete(token);
-      cleaned++;
-    }
-  }
-  
-  if (cleaned > 0) {
-    logger.debug(
-      { type: 'cache_cleanup', cleaned, remaining: tokenCache.size },
-      `Cleaned ${cleaned} expired token(s) from cache`
-    );
-  }
-}
-
-/**
- * Start cache cleanup interval
- */
-export function startCacheCleanup(): void {
-  if (cacheCleanupInterval) {
-    logger.warn('Cache cleanup interval already running');
-    return;
-  }
-  
-  // Clean cache every minute
-  cacheCleanupInterval = setInterval(cleanExpiredCache, 60000);
-  logger.info('Token cache cleanup interval started (60s)');
-}
-
-/**
- * Stop cache cleanup interval
- */
-export function stopCacheCleanup(): void {
-  if (cacheCleanupInterval) {
-    clearInterval(cacheCleanupInterval);
-    cacheCleanupInterval = null;
-    logger.info('Token cache cleanup interval stopped');
-  }
-}
-
-// Start cleanup on module load
-startCacheCleanup();
-
-/**
- * Verify token by calling CSP API /user/permissions
- * @param token - The JWT token to verify
- * @returns Token payload if valid, null otherwise
- */
-export async function verifyTokenViaAPI(token: string): Promise<TokenPayload | null> {
-  const tokenPreview = token.substring(0, 10) + '...' + token.substring(token.length - 10);
-  const startTime = Date.now();
-  
-  try {
-    logger.debug(
-      { 
-        type: 'auth', 
-        operation: 'verify_token_api',
-        tokenPreview,
-        timestamp: new Date().toISOString()
-      },
-      'Calling CSP API /user/permissions to validate token'
-    );
-
-    // Call CSP API to validate the token presented in the SSE Authorization header.
-    const response = await apiClient.get<PermissionsResponse>(
-      '/csp/api/user/permissions',
-      {
-        headers: {
-          'Authorization': `Bearer ${token}`,
-        },
-        timeout: 5000, // 5 second timeout for auth check
-      }
-    );
-
-    const duration = Date.now() - startTime;
-
-    // Check response code (2000 means success)
-    if (response.code === 2000 && response.data) {
-      const payload: TokenPayload = {
-        userId: response.data.user_id,
-        email: response.data.email,
-        groups: response.data.groups || [],
-        roles: response.data.groups || [],  // Alias for backward compatibility
-      };
-
-      logger.info(
-        { 
-          type: 'auth', 
-          operation: 'verify_token_api',
-          userId: payload.userId,
-          email: payload.email,
-          groups: payload.groups,
-          duration,
-          timestamp: new Date().toISOString()
-        },
-        `Token validated successfully for user ${payload.userId}`
-      );
-
-      logAuthAttempt('token_validation', true, {
-        userId: payload.userId,
-        email: payload.email,
-        groups: payload.groups,
-        duration
-      });
-
-      return payload;
-    }
-
-    logger.warn(
-      { 
-        type: 'auth', 
-        operation: 'verify_token_api', 
-        code: response.code,
-        message: response.message,
-        tokenPreview,
-        duration,
-        timestamp: new Date().toISOString()
-      },
-      'Token validation failed - invalid or expired token'
-    );
-    
-    logAuthAttempt('token_validation', false, {
-      code: response.code,
-      message: response.message,
-      duration
-    });
-    
-    return null;
-  } catch (error) {
-    const duration = Date.now() - startTime;
-    
-    logError(error as Error, {
-      type: 'auth',
-      operation: 'verify_token_api',
-      tokenPreview,
-      duration,
-      timestamp: new Date().toISOString()
-    });
-    
-    logAuthAttempt('token_validation', false, {
-      error: error instanceof Error ? error.message : String(error),
-      duration
-    });
-    
-    return null;
-  }
-}
-
-/**
- * Verify token with caching
- * Uses cached result if available to reduce API calls
- * @param token - The token to verify
- * @returns Token payload if valid, null otherwise
- */
-export async function verifyToken(token: string): Promise<TokenPayload | null> {
-  const tokenPreview = token.substring(0, 10) + '...' + token.substring(token.length - 10);
-  
-  // Check cache first
-  const cached = tokenCache.get(token);
-  if (cached && cached.expireAt > Date.now()) {
-    logger.debug(
-      { 
-        type: 'auth', 
-        operation: 'verify_token', 
-        userId: cached.payload.userId,
-        email: cached.payload.email,
-        cacheHit: true,
-        tokenPreview,
-        timestamp: new Date().toISOString()
-      },
-      'Token validation cache hit'
-    );
-    return cached.payload;
-  }
-
-  logger.debug(
-    {
-      type: 'auth',
-      operation: 'verify_token',
-      cacheHit: false,
-      tokenPreview,
-      timestamp: new Date().toISOString()
-    },
-    'Token validation cache miss, calling API'
-  );
-
-  // Validate via API
-  const payload = await verifyTokenViaAPI(token);
-
-  // Cache the result if valid (5 minute TTL)
-  if (payload) {
-    const expireAt = Date.now() + 5 * 60 * 1000; // 5 minutes
-    tokenCache.set(token, { payload, expireAt });
-    logger.debug(
-      { 
-        type: 'auth', 
-        operation: 'verify_token', 
-        userId: payload.userId,
-        email: payload.email,
-        cacheTTL: '5min',
-        timestamp: new Date().toISOString()
-      },
-      'Token validation result cached (5 min TTL)'
-    );
-  }
-
-  return payload;
-}
-
-/**
- * Clear token from cache (e.g., after logout)
- * @param token - The token to invalidate
- */
-export function invalidateToken(token: string): void {
-  tokenCache.delete(token);
-  logger.debug(
-    { type: 'auth', operation: 'invalidate_token' },
-    'Token removed from cache'
-  );
-}
-
-/**
- * Clear all cached tokens
- */
-export function clearTokenCache(): void {
-  tokenCache.clear();
-  logger.info(
-    { type: 'auth', operation: 'clear_cache' },
-    'All cached tokens cleared'
-  );
-}
-
-/**
- * Get cache statistics
- */
-export function getTokenCacheStats() {
-  cleanExpiredCache();
-  return {
-    size: tokenCache.size,
-    tokens: Array.from(tokenCache.keys()).map(t => t.substring(0, 10) + '...'),
-  };
-}

package/src/cache/cache-manager.ts

@@ -1,243 +0,0 @@
-/**
- * Multi-Layer Cache Manager
- * L1: In-memory LRU cache
- * L2: Redis persistent cache
- */
-
-import { LRUCache } from 'lru-cache';
-import { config } from '../config';
-import { logger } from '../utils/logger';
-import { redisClient } from './redis-client';
-
-const CACHE_KEY_PREFIX = 'csp:cache';
-
-/** JSON-serializable cache value type (satisfies LRUCache V extends {}) */
-type CacheValue = object | string | number | boolean;
-
-export interface CacheStats {
-  l1Hits: number;
-  l2Hits: number;
-  misses: number;
-  hitRate: number;
-}
-
-export class CacheManager {
-  private static instance: CacheManager | null = null;
-  private readonly l1: LRUCache<string, CacheValue>;
-  private readonly l2: typeof redisClient;
-  private readonly defaultTtlSeconds: number;
-  private readonly defaultNamespace: string;
-
-  private l1Hits = 0;
-  private l2Hits = 0;
-  private misses = 0;
-
-  private constructor(options?: { namespace?: string }) {
-    const ttlMs = (config.cache.redis?.ttl ?? 900) * 1000;
-    this.defaultTtlSeconds = config.cache.redis?.ttl ?? 900;
-    this.defaultNamespace = options?.namespace ?? 'default';
-
-    this.l1 = new LRUCache<string, CacheValue>({
-      max: 100,
-      ttl: ttlMs,
-      ttlAutopurge: true,
-    });
-
-    this.l2 = redisClient;
-
-    logger.info(
-      {
-        type: 'cache',
-        message: 'CacheManager initialized',
-        l1Max: 100,
-        ttlSeconds: this.defaultTtlSeconds,
-        namespace: this.defaultNamespace,
-      },
-      'Multi-layer cache initialized'
-    );
-  }
-
-  static getInstance(options?: { namespace?: string }): CacheManager {
-    if (CacheManager.instance === null) {
-      CacheManager.instance = new CacheManager(options);
-    }
-    return CacheManager.instance;
-  }
-
-  static async resetInstance(): Promise<void> {
-    if (CacheManager.instance) {
-      await CacheManager.instance.clear();
-      await CacheManager.instance.l2.disconnect();
-      CacheManager.instance = null;
-    }
-  }
-
-  private buildKey(key: string, namespace?: string): string {
-    const ns = namespace ?? this.defaultNamespace;
-    return `${CACHE_KEY_PREFIX}:${ns}:${key}`;
-  }
-
-  private getRedisPattern(namespace?: string): string {
-    const ns = namespace ?? this.defaultNamespace;
-    return `${CACHE_KEY_PREFIX}:${ns}:*`;
-  }
-
-  async connect(): Promise<void> {
-    await this.l2.connect();
-  }
-
-  /**
-   * Get value from cache. Checks L1 first, then L2.
-   * On L2 hit, promotes value to L1.
-   */
-  async get(key: string, namespace?: string): Promise<unknown | null> {
-    const fullKey = this.buildKey(key, namespace);
-
-    const l1Value = this.l1.get(fullKey);
-    if (l1Value !== undefined) {
-      this.l1Hits++;
-      logger.debug({ type: 'cache', key: fullKey, layer: 'L1' }, 'Cache L1 hit');
-      return l1Value;
-    }
-
-    let l2Value: string | null = null;
-    try {
-      l2Value = await this.l2.get(fullKey);
-    } catch (error) {
-      logger.debug(
-        { type: 'cache', key: fullKey, error: (error as Error).message },
-        'L2 get failed, Redis may be unavailable'
-      );
-    }
-
-    if (l2Value !== null) {
-      this.l2Hits++;
-      try {
-        const parsed = JSON.parse(l2Value) as unknown;
-        if (parsed !== null && parsed !== undefined) {
-          this.l1.set(fullKey, parsed as CacheValue);
-        }
-        logger.debug({ type: 'cache', key: fullKey, layer: 'L2' }, 'Cache L2 hit, promoted to L1');
-        return parsed;
-      } catch (error) {
-        logger.warn(
-          { type: 'cache', key: fullKey, error: (error as Error).message },
-          'Failed to parse L2 cache value'
-        );
-        try {
-          await this.l2.del(fullKey);
-        } catch {
-          /* Redis may be unavailable */
-        }
-        this.misses++;
-        return null;
-      }
-    }
-
-    this.misses++;
-    logger.debug({ type: 'cache', key: fullKey }, 'Cache miss');
-    return null;
-  }
-
-  /**
-   * Set value in both L1 and L2 caches.
-   */
-  async set(
-    key: string,
-    value: unknown,
-    ttl?: number,
-    namespace?: string
-  ): Promise<void> {
-    const fullKey = this.buildKey(key, namespace);
-    const ttlSeconds = ttl ?? this.defaultTtlSeconds;
-    const ttlMs = ttlSeconds * 1000;
-
-    if (value !== null && value !== undefined) {
-      this.l1.set(fullKey, value as CacheValue, { ttl: ttlMs });
-    }
-
-    const serialized = JSON.stringify(value);
-    try {
-      await this.l2.set(fullKey, serialized, ttlSeconds);
-    } catch (error) {
-      logger.debug(
-        { type: 'cache', key: fullKey, error: (error as Error).message },
-        'L2 set failed, Redis may be unavailable'
-      );
-    }
-
-    logger.debug(
-      { type: 'cache', key: fullKey, ttlSeconds },
-      'Cache set'
-    );
-  }
-
-  /**
-   * Delete key from both caches.
-   */
-  async del(key: string, namespace?: string): Promise<void> {
-    const fullKey = this.buildKey(key, namespace);
-    this.l1.delete(fullKey);
-    try {
-      await this.l2.del(fullKey);
-    } catch (error) {
-      logger.debug(
-        { type: 'cache', key: fullKey, error: (error as Error).message },
-        'L2 del failed, Redis may be unavailable'
-      );
-    }
-    logger.debug({ type: 'cache', key: fullKey }, 'Cache del');
-  }
-
-  /**
-   * Clear all cache layers. If namespace provided, clear only that namespace.
-   */
-  async clear(namespace?: string): Promise<void> {
-    if (namespace !== undefined) {
-      const pattern = this.getRedisPattern(namespace);
-      const prefix = `${CACHE_KEY_PREFIX}:${namespace}:`;
-      for (const k of this.l1.keys()) {
-        if (k.startsWith(prefix)) {
-          this.l1.delete(k);
-        }
-      }
-      try {
-        await this.l2.clear(pattern);
-      } catch (error) {
-        logger.debug(
-          { type: 'cache', namespace, error: (error as Error).message },
-          'L2 clear failed, Redis may be unavailable'
-        );
-      }
-      logger.info({ type: 'cache', namespace }, 'Cache cleared for namespace');
-    } else {
-      this.l1.clear();
-      try {
-        await this.l2.clear(`${CACHE_KEY_PREFIX}:*`);
-      } catch (error) {
-        logger.debug(
-          { type: 'cache', error: (error as Error).message },
-          'L2 clear failed, Redis may be unavailable'
-        );
-      }
-      logger.info({ type: 'cache' }, 'Cache cleared');
-    }
-  }
-
-  getStats(): CacheStats {
-    const total = this.l1Hits + this.l2Hits + this.misses;
-    const hitRate = total > 0 ? (this.l1Hits + this.l2Hits) / total : 0;
-    return {
-      l1Hits: this.l1Hits,
-      l2Hits: this.l2Hits,
-      misses: this.misses,
-      hitRate,
-    };
-  }
-
-  resetStats(): void {
-    this.l1Hits = 0;
-    this.l2Hits = 0;
-    this.misses = 0;
-  }
-}

package/src/cache/index.ts

@@ -1,6 +0,0 @@
-/**
- * Cache module exports
- */
-
-export { CacheManager, type CacheStats } from './cache-manager';
-export { redisClient, RedisClient } from './redis-client';