@equilateral_ai/mindmeld 3.5.3 → 4.0.1

package/src/handlers/github/githubOAuthCallback.js

@@ -1,178 +0,0 @@
-/**
- * GitHub OAuth Callback Handler
- * Receives GET redirect from GitHub, exchanges code for token, redirects to frontend
- *
- * GET /api/github/oauth/callback (No auth - GitHub redirect)
- * Query: ?code=...&state=...
- */
-
-const { wrapHandler, executeQuery } = require('./helpers');
-const crypto = require('crypto');
-const https = require('https');
-
-const FRONTEND_URL = process.env.FRONTEND_URL || 'https://app.mindmeld.dev';
-
-function redirect(url) {
-    return {
-        statusCode: 302,
-        headers: {
-            'Location': url,
-            'Access-Control-Allow-Origin': '*'
-        },
-        body: ''
-    };
-}
-
-function httpsRequest(options, postData) {
-    return new Promise((resolve, reject) => {
-        const req = https.request(options, (res) => {
-            let data = '';
-            res.on('data', chunk => data += chunk);
-            res.on('end', () => {
-                try {
-                    resolve({ statusCode: res.statusCode, body: JSON.parse(data) });
-                } catch (e) {
-                    // GitHub token endpoint may return form-encoded
-                    const parsed = {};
-                    data.split('&').forEach(pair => {
-                        const [key, val] = pair.split('=');
-                        if (key) parsed[decodeURIComponent(key)] = decodeURIComponent(val || '');
-                    });
-                    resolve({ statusCode: res.statusCode, body: parsed });
-                }
-            });
-        });
-        req.on('error', reject);
-        if (postData) req.write(postData);
-        req.end();
-    });
-}
-
-function encryptToken(token, key) {
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv('aes-256-cbc', Buffer.from(key, 'hex'), iv);
-    let encrypted = cipher.update(token, 'utf8', 'hex');
-    encrypted += cipher.final('hex');
-    return iv.toString('hex') + ':' + encrypted;
-}
-
-async function githubOAuthCallback({ queryStringParameters }) {
-    try {
-        const code = queryStringParameters.code;
-        const state = queryStringParameters.state;
-
-        if (!code || !state) {
-            console.error('Missing code or state in callback');
-            return redirect(`${FRONTEND_URL}/onboarding?error=missing_params`);
-        }
-
-        // Look up state token in DB to identify user
-        const stateResult = await executeQuery(`
-            SELECT email_address FROM rapport.github_oauth_states
-            WHERE state_token = $1 AND used = FALSE
-            AND created_at > NOW() - INTERVAL '15 minutes'
-        `, [state]);
-
-        if (stateResult.rowCount === 0) {
-            console.error('Invalid or expired state token');
-            return redirect(`${FRONTEND_URL}/onboarding?error=invalid_state`);
-        }
-
-        const email = stateResult.rows[0].email_address;
-
-        // Mark state as used
-        await executeQuery(`
-            UPDATE rapport.github_oauth_states SET used = TRUE
-            WHERE state_token = $1
-        `, [state]);
-
-        // Exchange code for access token
-        const tokenPayload = JSON.stringify({
-            client_id: process.env.GITHUB_OAUTH_CLIENT_ID,
-            client_secret: process.env.GITHUB_OAUTH_CLIENT_SECRET,
-            code: code
-        });
-
-        const tokenResponse = await httpsRequest({
-            hostname: 'github.com',
-            path: '/login/oauth/access_token',
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                'Accept': 'application/json',
-                'Content-Length': Buffer.byteLength(tokenPayload)
-            }
-        }, tokenPayload);
-
-        const accessToken = tokenResponse.body.access_token;
-        if (!accessToken) {
-            console.error('GitHub token exchange failed:', tokenResponse.body);
-            return redirect(`${FRONTEND_URL}/onboarding?error=token_exchange_failed`);
-        }
-
-        const tokenScope = tokenResponse.body.scope || '';
-
-        // Get GitHub user info
-        const userResponse = await httpsRequest({
-            hostname: 'api.github.com',
-            path: '/user',
-            method: 'GET',
-            headers: {
-                'Authorization': `Bearer ${accessToken}`,
-                'User-Agent': 'MindMeld-App',
-                'Accept': 'application/json'
-            }
-        });
-
-        if (userResponse.statusCode !== 200) {
-            console.error('GitHub user fetch failed:', userResponse.statusCode);
-            return redirect(`${FRONTEND_URL}/onboarding?error=github_user_failed`);
-        }
-
-        const githubUser = userResponse.body;
-
-        // Encrypt the access token
-        const encryptionKey = process.env.GITHUB_TOKEN_ENCRYPTION_KEY;
-        if (!encryptionKey) {
-            console.error('GITHUB_TOKEN_ENCRYPTION_KEY not configured');
-            return redirect(`${FRONTEND_URL}/onboarding?error=config_error`);
-        }
-        const encryptedToken = encryptToken(accessToken, encryptionKey);
-
-        // Upsert GitHub connection
-        await executeQuery(`
-            INSERT INTO rapport.github_connections (
-                email_address, github_username, github_user_id,
-                access_token_encrypted, token_scope, connected_at
-            ) VALUES ($1, $2, $3, $4, $5, NOW())
-            ON CONFLICT (email_address) DO UPDATE SET
-                github_username = EXCLUDED.github_username,
-                github_user_id = EXCLUDED.github_user_id,
-                access_token_encrypted = EXCLUDED.access_token_encrypted,
-                token_scope = EXCLUDED.token_scope,
-                connected_at = NOW(),
-                revoked = FALSE
-        `, [email, githubUser.login, githubUser.id, encryptedToken, tokenScope]);
-
-        // Determine redirect: enterprise users go to enterprise onboarding
-        const tierResult = await executeQuery(`
-            SELECT c.subscription_tier FROM rapport.users u
-            JOIN rapport.clients c ON c.client_id = u.client_id
-            WHERE u.email_address = $1 LIMIT 1
-        `, [email]);
-
-        const tier = tierResult.rows[0]?.subscription_tier;
-        if (tier === 'enterprise') {
-            return redirect(`${FRONTEND_URL}/enterprise/onboarding?step=4&github=connected`);
-        }
-
-        // Standard users - redirect to onboarding step 2
-        return redirect(`${FRONTEND_URL}/onboarding?step=2`);
-
-    } catch (error) {
-        console.error('GitHub OAuth Callback Error:', error);
-        return redirect(`${FRONTEND_URL}/onboarding?error=server_error`);
-    }
-}
-
-exports.handler = wrapHandler(githubOAuthCallback);

package/src/handlers/github/githubOAuthStart.js

@@ -1,59 +0,0 @@
-/**
- * GitHub OAuth Start Handler
- * Generates GitHub OAuth authorization URL
- *
- * GET /api/github/oauth/start (CognitoAuthorizer)
- */
-
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
-const crypto = require('crypto');
-
-async function githubOAuthStart({ requestContext }) {
-    try {
-        const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
-
-        if (!email) {
-            return createErrorResponse(401, 'Authentication required');
-        }
-
-        const clientId = process.env.GITHUB_OAUTH_CLIENT_ID;
-        if (!clientId) {
-            return createErrorResponse(500, 'GitHub OAuth not configured');
-        }
-
-        // Generate unique state token and store in DB for CSRF verification
-        const stateToken = crypto.randomBytes(32).toString('hex');
-
-        // Clean up old unused states for this user, then insert new one
-        await executeQuery(`
-            DELETE FROM rapport.github_oauth_states
-            WHERE email_address = $1 OR created_at < NOW() - INTERVAL '15 minutes'
-        `, [email]);
-
-        await executeQuery(`
-            INSERT INTO rapport.github_oauth_states (state_token, email_address)
-            VALUES ($1, $2)
-        `, [stateToken, email]);
-
-        const callbackUrl = process.env.GITHUB_OAUTH_CALLBACK_URL || 'https://api.mindmeld.dev/api/github/oauth/callback';
-
-        const params = new URLSearchParams({
-            client_id: clientId,
-            redirect_uri: callbackUrl,
-            scope: 'repo',
-            state: stateToken
-        });
-
-        const authorization_url = `https://github.com/login/oauth/authorize?${params.toString()}`;
-
-        return createSuccessResponse(
-            { authorization_url },
-            'OAuth URL generated'
-        );
-    } catch (error) {
-        console.error('GitHub OAuth Start Error:', error);
-        return createErrorResponse(500, 'Failed to generate OAuth URL');
-    }
-}
-
-exports.handler = wrapHandler(githubOAuthStart);

package/src/handlers/github/githubPatternsReview.js

@@ -1,76 +0,0 @@
-/**
- * GitHub Patterns Review Handler
- * Processes user's approve/reject decisions on discovered patterns
- *
- * PUT /api/github/patterns/review (CognitoAuthorizer)
- * Body: { project_id, approvals: [{ discovery_id, approved }] }
- */
-
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
-
-async function githubPatternsReview({ body, requestContext }) {
-    try {
-        const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
-
-        if (!email) {
-            return createErrorResponse(401, 'Authentication required');
-        }
-
-        const { project_id, approvals } = body;
-        if (!project_id || !approvals || !Array.isArray(approvals)) {
-            return createErrorResponse(400, 'project_id and approvals array are required');
-        }
-
-        // Verify user has access to project (collaborator or company member)
-        const projectAccess = await verifyProjectAccess(project_id, email);
-        if (!projectAccess) {
-            return createErrorResponse(403, 'Access denied to project');
-        }
-
-        let patterns_created = 0;
-        let patterns_rejected = 0;
-
-        for (const { discovery_id, approved } of approvals) {
-            if (!discovery_id) continue;
-            // Skip frontend-generated placeholder IDs (disc_0, disc_1, etc.)
-            // These occur when the discover endpoint didn't return DB-generated UUIDs
-            if (discovery_id.startsWith('disc_')) continue;
-
-            if (approved) {
-                // Update discovery status to approved
-                await executeQuery(`
-                    UPDATE rapport.onboarding_discoveries
-                    SET status = 'approved', reviewed_at = NOW()
-                    WHERE discovery_id = $1 AND project_id = $2
-                `, [discovery_id, project_id]);
-
-                patterns_created++;
-            } else {
-                // Reject
-                await executeQuery(`
-                    UPDATE rapport.onboarding_discoveries
-                    SET status = 'rejected', reviewed_at = NOW()
-                    WHERE discovery_id = $1 AND project_id = $2
-                `, [discovery_id, project_id]);
-
-                patterns_rejected++;
-            }
-        }
-
-        // Mark onboarding as completed
-        await executeQuery(`
-            UPDATE rapport.projects SET onboarding_completed = TRUE
-            WHERE project_id = $1
-        `, [project_id]);
-
-        return createSuccessResponse(
-            { patterns_created, patterns_rejected },
-            'Patterns reviewed successfully'
-        );
-    } catch (error) {
-        console.error('GitHub Patterns Review Error:', error);
-        return createErrorResponse(500, 'Failed to process pattern reviews');
-    }
-}
-
-exports.handler = wrapHandler(githubPatternsReview);

package/src/handlers/github/githubReposList.js

@@ -1,105 +0,0 @@
-/**
- * GitHub Repos List Handler
- * Lists user's GitHub repositories
- *
- * GET /api/github/repos (CognitoAuthorizer)
- */
-
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
-const crypto = require('crypto');
-const https = require('https');
-
-function httpsGet(options) {
-    return new Promise((resolve, reject) => {
-        const req = https.request(options, (res) => {
-            let data = '';
-            res.on('data', chunk => data += chunk);
-            res.on('end', () => {
-                try {
-                    resolve({ statusCode: res.statusCode, body: JSON.parse(data) });
-                } catch (e) {
-                    resolve({ statusCode: res.statusCode, body: data });
-                }
-            });
-        });
-        req.on('error', reject);
-        req.end();
-    });
-}
-
-function decryptToken(encryptedData, key) {
-    const [ivHex, encrypted] = encryptedData.split(':');
-    const iv = Buffer.from(ivHex, 'hex');
-    const decipher = crypto.createDecipheriv('aes-256-cbc', Buffer.from(key, 'hex'), iv);
-    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
-    decrypted += decipher.final('utf8');
-    return decrypted;
-}
-
-async function githubReposList({ requestContext }) {
-    try {
-        const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
-
-        if (!email) {
-            return createErrorResponse(401, 'Authentication required');
-        }
-
-        // Get stored connection
-        const connResult = await executeQuery(`
-            SELECT access_token_encrypted FROM rapport.github_connections
-            WHERE email_address = $1 AND revoked = FALSE
-        `, [email]);
-
-        if (connResult.rowCount === 0) {
-            return createErrorResponse(404, 'No GitHub connection found. Please connect GitHub first.');
-        }
-
-        // Decrypt token
-        const encryptionKey = process.env.GITHUB_TOKEN_ENCRYPTION_KEY;
-        const accessToken = decryptToken(connResult.rows[0].access_token_encrypted, encryptionKey);
-
-        // Fetch repos from GitHub
-        const reposResponse = await httpsGet({
-            hostname: 'api.github.com',
-            path: '/user/repos?sort=updated&per_page=30&type=owner',
-            method: 'GET',
-            headers: {
-                'Authorization': `Bearer ${accessToken}`,
-                'User-Agent': 'MindMeld-App',
-                'Accept': 'application/json'
-            }
-        });
-
-        if (reposResponse.statusCode !== 200) {
-            console.error('GitHub repos fetch failed:', reposResponse.statusCode);
-            return createErrorResponse(502, 'Failed to fetch repositories from GitHub');
-        }
-
-        // Update last_used_at
-        await executeQuery(`
-            UPDATE rapport.github_connections SET last_used_at = NOW()
-            WHERE email_address = $1
-        `, [email]);
-
-        // Map to minimal repo info
-        const repos = reposResponse.body.map(repo => ({
-            name: repo.name,
-            full_name: repo.full_name,
-            language: repo.language,
-            default_branch: repo.default_branch,
-            private: repo.private,
-            html_url: repo.html_url,
-            updated_at: repo.updated_at
-        }));
-
-        return createSuccessResponse(
-            { repos },
-            'Repositories fetched successfully'
-        );
-    } catch (error) {
-        console.error('GitHub Repos List Error:', error);
-        return createErrorResponse(500, 'Failed to list repositories');
-    }
-}
-
-exports.handler = wrapHandler(githubReposList);

package/src/handlers/health/healthGet.js

@@ -1,55 +0,0 @@
-/**
- * Health Check Handler
- * Returns system health status for monitoring
- *
- * GET /api/health
- * Auth: None (public endpoint for external monitors)
- */
-
-const { executeQuery } = require('./helpers');
-
-exports.handler = async (event) => {
-    const headers = {
-        'Content-Type': 'application/json',
-        'Access-Control-Allow-Origin': '*',
-        'Access-Control-Allow-Methods': 'GET,OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type'
-    };
-
-    const result = {
-        status: 'ok',
-        timestamp: new Date().toISOString(),
-        version: process.env.STACK_VERSION || '1.0.0',
-        checks: {}
-    };
-
-    // Database connectivity
-    try {
-        const start = Date.now();
-        await executeQuery('SELECT 1 AS ok');
-        result.checks.database = {
-            status: 'ok',
-            latency_ms: Date.now() - start
-        };
-    } catch (err) {
-        result.status = 'degraded';
-        result.checks.database = {
-            status: 'error',
-            message: 'Database connection failed'
-        };
-        console.error('[Health] Database check failed:', err.message);
-    }
-
-    // Stripe configuration
-    result.checks.stripe = {
-        status: process.env.STRIPE_SECRET_KEY ? 'configured' : 'not_configured'
-    };
-
-    const statusCode = result.status === 'ok' ? 200 : 503;
-
-    return {
-        statusCode,
-        headers,
-        body: JSON.stringify(result)
-    };
-};

package/src/handlers/helpers/auditLogger.js

@@ -1,201 +0,0 @@
-/**
- * Unified Audit Logger
- *
- * Provides consistent audit logging across all handlers.
- * Simplified from EquilateralAgents pattern — no agent chains or impersonation.
- *
- * Usage:
- *   const { logModificationEvent, AuditEventType, EntityType } = require('./helpers');
- *   await logModificationEvent(AuditEventType.DATA_CREATE, EntityType.PROJECT, projectId, {
- *       requestContext, client_id, after_state: { project_name }
- *   });
- */
-
-const { executeQuery } = require('./dbOperations');
-const crypto = require('crypto');
-
-const AuditEventType = {
-    // Authentication
-    AUTH_LOGIN: 'AUTH_LOGIN',
-    AUTH_LOGOUT: 'AUTH_LOGOUT',
-    AUTH_FAILED: 'AUTH_FAILED',
-
-    // Access
-    ACCESS_VIEW: 'ACCESS_VIEW',
-    ACCESS_DENIED: 'ACCESS_DENIED',
-
-    // Modification
-    DATA_CREATE: 'DATA_CREATE',
-    DATA_UPDATE: 'DATA_UPDATE',
-    DATA_DELETE: 'DATA_DELETE',
-    DATA_ARCHIVE: 'DATA_ARCHIVE',
-
-    // Admin
-    ADMIN_USER_UPDATE: 'ADMIN_USER_UPDATE',
-    ADMIN_PERMISSION_CHANGE: 'ADMIN_PERMISSION_CHANGE',
-
-    // System
-    SYSTEM_ERROR: 'SYSTEM_ERROR',
-    SYSTEM_CONFIG_CHANGE: 'SYSTEM_CONFIG_CHANGE',
-};
-
-const EntityType = {
-    USER: 'USER',
-    CLIENT: 'CLIENT',
-    PROJECT: 'PROJECT',
-    STANDARD: 'STANDARD',
-    KNOWLEDGE: 'KNOWLEDGE',
-    INVARIANT: 'INVARIANT',
-    SESSION: 'SESSION',
-    SYSTEM: 'SYSTEM',
-};
-
-/**
- * Generate a correlation ID for request tracing
- */
-function generateCorrelationId() {
-    const timestamp = Date.now().toString(36);
-    const random = crypto.randomBytes(4).toString('hex');
-    return `COR_${timestamp}_${random}`;
-}
-
-/**
- * Extract request context from lambdaWrapper's requestContext
- */
-function extractRequestContext(requestContext) {
-    return {
-        request_id: requestContext?.requestId || null,
-        ip_address: requestContext?.identity?.sourceIp || null,
-        user_agent: requestContext?.identity?.userAgent || null,
-        user_email: requestContext?.authorizer?.claims?.email
-            || requestContext?.authorizer?.jwt?.claims?.email
-            || null,
-    };
-}
-
-/**
- * Core audit event logger — INSERT into rapport.unified_audit_log
- * Non-throwing: logs errors but never breaks business logic.
- */
-async function logAuditEvent(params) {
-    const {
-        event_type,
-        entity_type,
-        entity_id = null,
-        actor_email = null,
-        actor_type = 'USER',
-        client_id = null,
-        company_id = null,
-        details = {},
-        before_state = null,
-        after_state = null,
-        correlation_id = null,
-        request_id = null,
-        ip_address = null,
-        user_agent = null,
-        outcome = 'SUCCESS',
-        error_message = null,
-    } = params;
-
-    try {
-        const query = `
-            INSERT INTO rapport.unified_audit_log (
-                event_type, entity_type, entity_id,
-                actor_email, actor_type,
-                client_id, company_id,
-                details, before_state, after_state,
-                correlation_id, request_id,
-                ip_address, user_agent,
-                outcome, error_message,
-                created_at
-            ) VALUES (
-                $1, $2, $3, $4, $5, $6, $7,
-                $8, $9, $10, $11, $12, $13, $14,
-                $15, $16, NOW()
-            )
-            RETURNING audit_id
-        `;
-
-        const result = await executeQuery(query, [
-            event_type,
-            entity_type,
-            entity_id,
-            actor_email,
-            actor_type,
-            client_id,
-            company_id,
-            JSON.stringify(details),
-            before_state ? JSON.stringify(before_state) : null,
-            after_state ? JSON.stringify(after_state) : null,
-            correlation_id || generateCorrelationId(),
-            request_id,
-            ip_address,
-            user_agent,
-            outcome,
-            error_message,
-        ]);
-
-        return result.rows[0]?.audit_id;
-    } catch (error) {
-        console.error('[AuditLogger] Failed to log audit event:', error.message);
-        console.error('[AuditLogger] Event:', JSON.stringify({ event_type, entity_type, entity_id }));
-        return null;
-    }
-}
-
-/**
- * Log a data modification event (create, update, delete, archive)
- */
-async function logModificationEvent(event_type, entity_type, entity_id, opts = {}) {
-    const { requestContext, client_id = null, company_id = null, before_state = null, after_state = null, details = {} } = opts;
-    const ctx = extractRequestContext(requestContext);
-
-    return logAuditEvent({
-        event_type,
-        entity_type,
-        entity_id,
-        actor_email: ctx.user_email,
-        actor_type: 'USER',
-        client_id,
-        company_id,
-        before_state,
-        after_state,
-        details,
-        request_id: ctx.request_id,
-        ip_address: ctx.ip_address,
-        user_agent: ctx.user_agent,
-        outcome: 'SUCCESS',
-    });
-}
-
-/**
- * Log a data access event (read operations)
- */
-async function logAccessEvent(entity_type, entity_id, opts = {}) {
-    const { requestContext, client_id = null, details = {} } = opts;
-    const ctx = extractRequestContext(requestContext);
-
-    return logAuditEvent({
-        event_type: AuditEventType.ACCESS_VIEW,
-        entity_type,
-        entity_id,
-        actor_email: ctx.user_email,
-        actor_type: 'USER',
-        client_id,
-        details,
-        request_id: ctx.request_id,
-        ip_address: ctx.ip_address,
-        user_agent: ctx.user_agent,
-        outcome: 'SUCCESS',
-    });
-}
-
-module.exports = {
-    AuditEventType,
-    EntityType,
-    logAuditEvent,
-    logModificationEvent,
-    logAccessEvent,
-    extractRequestContext,
-    generateCorrelationId,
-};