@equilateral_ai/mindmeld 3.5.3 → 4.0.1

package/src/handlers/users/cognitoPreSignUp.js

@@ -1,114 +0,0 @@
-/**
- * Cognito PreSignUp Handler
- * Blocks bot registrations before user creation in Cognito
- * Auto-confirms Google OAuth users and admin-invited users
- *
- * Triggered by: Cognito User Pool pre-signup trigger
- *
- * Note: Cognito trigger must be configured manually in Cognito console
- * as SAM cannot reference external user pools
- */
-
-const { executeQuery } = require('./helpers');
-
-const DISPOSABLE_DOMAINS = new Set([
-    'mailinator.com', 'guerrillamail.com', 'tempmail.com',
-    'throwaway.email', 'yopmail.com', 'sharklasers.com',
-    'guerrillamailblock.com', 'grr.la', 'maildrop.cc',
-    'dispostable.com', 'temp-mail.org', '10minutemail.com',
-    'trashmail.com', 'fakeinbox.com', 'mailnesia.com',
-    'tempinbox.com', 'mailcatch.com', 'throwam.com'
-]);
-
-/**
- * Detect dot-stuffed Gmail addresses used by signup bots
- * Gmail ignores dots in the local part, so bots insert random dots
- * to generate unique-looking addresses that all deliver to the same inbox
- */
-function isDotStuffedGmail(email) {
-    const atIndex = email.lastIndexOf('@');
-    if (atIndex === -1) return false;
-
-    const localPart = email.substring(0, atIndex).toLowerCase();
-    const domain = email.substring(atIndex + 1).toLowerCase();
-
-    if (domain !== 'gmail.com' && domain !== 'googlemail.com') return false;
-
-    const dotCount = (localPart.match(/\./g) || []).length;
-    const cleanLength = localPart.replace(/\./g, '').length;
-
-    if (cleanLength === 0) return true;
-
-    // 4+ dots in a short local part is a strong bot signal
-    if (dotCount >= 4 && cleanLength < 20) return true;
-
-    // More than 30% dots relative to actual characters
-    if (dotCount > 0 && dotCount / cleanLength > 0.3) return true;
-
-    return false;
-}
-
-/**
- * Check if email uses a known disposable email domain
- */
-function isDisposableEmail(email) {
-    const domain = email.toLowerCase().split('@')[1];
-    return DISPOSABLE_DOMAINS.has(domain);
-}
-
-async function handler(event) {
-    console.log('PreSignUp trigger:', JSON.stringify({
-        triggerSource: event.triggerSource,
-        userName: event.userName,
-        email: event.request?.userAttributes?.email
-    }));
-
-    // Auto-confirm external provider signups (Google OAuth)
-    // Google provides verified email — no Cognito verification needed
-    if (event.triggerSource === 'PreSignUp_ExternalProvider') {
-        console.log(`[PreSignUp] Auto-confirming external provider user: ${event.request?.userAttributes?.email}`);
-        event.response.autoConfirmUser = true;
-        event.response.autoVerifyEmail = true;
-        return event;
-    }
-
-    // Only validate user-initiated signups (not admin-created)
-    if (event.triggerSource !== 'PreSignUp_SignUp') {
-        return event;
-    }
-
-    const email = event.request?.userAttributes?.email;
-    if (!email) {
-        throw new Error('Email address is required for registration');
-    }
-
-    if (isDisposableEmail(email)) {
-        console.log(`[PreSignUp] Blocked disposable email: ${email}`);
-        throw new Error('Please use a permanent email address to register.');
-    }
-
-    if (isDotStuffedGmail(email)) {
-        console.log(`[PreSignUp] Blocked dot-stuffed Gmail: ${email}`);
-        throw new Error('This email address format is not accepted. Please use your primary email address.');
-    }
-
-    // Auto-confirm users who have been invited (entitlement already exists)
-    try {
-        const result = await executeQuery(
-            'SELECT 1 FROM rapport.user_entitlements WHERE email_address = $1 LIMIT 1',
-            [email.toLowerCase()]
-        );
-        if (result.rows.length > 0) {
-            console.log(`[PreSignUp] Auto-confirming invited user: ${email}`);
-            event.response.autoConfirmUser = true;
-            event.response.autoVerifyEmail = true;
-        }
-    } catch (err) {
-        // DB check failed — don't block signup, just skip auto-confirm
-        console.error(`[PreSignUp] Entitlement check failed for ${email}:`, err.message);
-    }
-
-    return event;
-}
-
-module.exports = { handler };

package/src/handlers/users/userEntitlementsGet.js

@@ -1,89 +0,0 @@
-/**
- * User Entitlements Get Handler
- * Retrieves user's company/project access rights
- *
- * GET /api/users/entitlements
- * Auth: Cognito JWT required
- */
-
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, handleError } = require('./helpers');
-
-/**
- * Get current user's entitlements
- */
-async function getEntitlements({ requestContext }) {
-    try {
-        const Request_ID = requestContext.requestId;
-        // REST API: requestContext.authorizer.claims.email
-        // HTTP API: requestContext.authorizer.jwt.claims.email
-        const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
-
-        if (!email) {
-            return createErrorResponse(401, 'Authentication required');
-        }
-
-        // Get all entitlements with company and client details
-        const query = `
-            SELECT
-                ue.email_address,
-                ue.client_id,
-                c.client_name,
-                c.subscription_tier,
-                ue.company_id,
-                co.company_name,
-                ue.admin,
-                ue.member,
-                ue.create_date
-            FROM rapport.user_entitlements ue
-            JOIN rapport.clients c ON ue.client_id = c.client_id
-            JOIN rapport.companies co ON ue.company_id = co.company_id
-            WHERE ue.email_address = $1
-            AND c.active = true
-            AND co.active = true
-            ORDER BY c.client_name, co.company_name
-        `;
-
-        const result = await executeQuery(query, [email]);
-
-        // Group by client
-        const clientMap = {};
-        for (const row of result.rows) {
-            if (!clientMap[row.client_id]) {
-                clientMap[row.client_id] = {
-                    client_id: row.client_id,
-                    client_name: row.client_name,
-                    subscription_tier: row.subscription_tier,
-                    companies: []
-                };
-            }
-            clientMap[row.client_id].companies.push({
-                company_id: row.company_id,
-                company_name: row.company_name,
-                admin: row.admin,
-                member: row.member,
-                since: row.create_date
-            });
-        }
-
-        const clients = Object.values(clientMap);
-
-        return createSuccessResponse(
-            {
-                Records: clients
-            },
-            'Entitlements retrieved',
-            {
-                Total_Records: clients.length,
-                Total_Companies: result.rowCount,
-                Request_ID,
-                Timestamp: new Date().toISOString()
-            }
-        );
-
-    } catch (error) {
-        console.error('Handler Error:', error);
-        return handleError(error);
-    }
-}
-
-exports.handler = wrapHandler(getEntitlements);

package/src/handlers/users/userGet.js

@@ -1,118 +0,0 @@
-/**
- * User Get Handler
- * Retrieves user profile and subscription info
- *
- * GET /api/users/me
- * Auth: Cognito JWT required
- */
-
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, handleError, getTierConfig } = require('./helpers');
-
-/**
- * Get current user's profile
- */
-async function getUser({ requestContext }) {
-    try {
-        const Request_ID = requestContext.requestId;
-        // REST API: requestContext.authorizer.claims.email
-        // HTTP API: requestContext.authorizer.jwt.claims.email
-        const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
-
-        if (!email) {
-            return createErrorResponse(401, 'Authentication required');
-        }
-
-        // Get user with their primary client subscription and company
-        const query = `
-            SELECT
-                u.email_address,
-                u.first_name,
-                u.last_name,
-                u.client_id,
-                u.user_status,
-                u.create_date,
-                c.client_name,
-                c.subscription_tier,
-                c.subscription_status,
-                c.subscription_ends_at,
-                c.stripe_customer_id,
-                ue.company_id
-            FROM rapport.users u
-            LEFT JOIN rapport.clients c ON u.client_id = c.client_id
-            LEFT JOIN rapport.user_entitlements ue ON u.email_address = ue.email_address
-            WHERE u.email_address = $1
-            AND u.active = true
-            LIMIT 1
-        `;
-
-        const result = await executeQuery(query, [email]);
-
-        if (result.rowCount === 0) {
-            return createErrorResponse(404, 'User not found');
-        }
-
-        const user = result.rows[0];
-        const tierConfig = getTierConfig(user.subscription_tier || 'free');
-
-        // Get usage counts scoped to user's entitled companies
-        const usageQuery = `
-            SELECT
-                (SELECT COUNT(*) FROM rapport.user_entitlements WHERE client_id = $1) as collaborators,
-                (SELECT COUNT(*) FROM rapport.projects p
-                 JOIN rapport.user_entitlements ue ON p.company_id = ue.company_id
-                 WHERE ue.email_address = $2 AND p.archived = false) as projects,
-                (SELECT COUNT(*) FROM rapport.invariants i
-                 JOIN rapport.projects p ON i.project_id = p.project_id
-                 JOIN rapport.user_entitlements ue ON p.company_id = ue.company_id
-                 WHERE ue.email_address = $2) as invariants
-        `;
-
-        const usageResult = await executeQuery(usageQuery, [user.client_id, email]);
-        const usage = usageResult.rows[0];
-
-        return createSuccessResponse(
-            {
-                Records: [{
-                    email_address: user.email_address,
-                    first_name: user.first_name,
-                    last_name: user.last_name,
-                    client_id: user.client_id,
-                    company_id: user.company_id,
-                    client_name: user.client_name,
-                    user_status: user.user_status,
-                    member_since: user.create_date,
-                    subscription: {
-                        tier: user.subscription_tier || 'free',
-                        tier_name: tierConfig?.displayName || 'Free',
-                        status: user.subscription_status || 'active',
-                        ends_at: user.subscription_ends_at,
-                        has_stripe: !!user.stripe_customer_id,
-                        features: tierConfig?.features || []
-                    },
-                    usage: {
-                        collaborators: parseInt(usage.collaborators) || 0,
-                        projects: parseInt(usage.projects) || 0,
-                        invariants: parseInt(usage.invariants) || 0
-                    },
-                    limits: {
-                        max_collaborators: tierConfig?.maxCollaborators ?? null,
-                        max_projects: tierConfig?.maxProjects ?? null,
-                        max_invariants: tierConfig?.maxInvariants ?? null
-                    }
-                }]
-            },
-            'User profile retrieved',
-            {
-                Total_Records: 1,
-                Request_ID,
-                Timestamp: new Date().toISOString()
-            }
-        );
-
-    } catch (error) {
-        console.error('Handler Error:', error);
-        return handleError(error);
-    }
-}
-
-exports.handler = wrapHandler(getUser);

package/src/handlers/users/userProfilePut.js

@@ -1,77 +0,0 @@
-/**
- * User Profile Update Handler
- * Updates user display name (first_name, last_name)
- *
- * PUT /api/users/profile
- * Auth: Cognito JWT required
- */
-
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, handleError } = require('./helpers');
-
-/**
- * Update current user's profile
- */
-async function updateProfile({ body, requestContext }) {
-    try {
-        const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
-
-        if (!email) {
-            return createErrorResponse(401, 'Authentication required');
-        }
-
-        const { first_name, last_name } = JSON.parse(body || '{}');
-
-        if (!first_name && !last_name) {
-            return createErrorResponse(400, 'At least one of first_name or last_name is required');
-        }
-
-        // Build dynamic update
-        const setClauses = [];
-        const params = [];
-        let paramIndex = 1;
-
-        if (first_name !== undefined) {
-            setClauses.push(`first_name = $${paramIndex++}`);
-            params.push(first_name.trim().substring(0, 100));
-        }
-        if (last_name !== undefined) {
-            setClauses.push(`last_name = $${paramIndex++}`);
-            params.push(last_name.trim().substring(0, 100));
-        }
-
-        setClauses.push(`last_updated = NOW()`);
-        params.push(email);
-
-        const query = `
-            UPDATE rapport.users
-            SET ${setClauses.join(', ')}
-            WHERE email_address = $${paramIndex}
-            AND active = true
-            RETURNING email_address, first_name, last_name
-        `;
-
-        const result = await executeQuery(query, params);
-
-        if (result.rowCount === 0) {
-            return createErrorResponse(404, 'User not found');
-        }
-
-        const user = result.rows[0];
-
-        return createSuccessResponse(
-            {
-                email_address: user.email_address,
-                first_name: user.first_name,
-                last_name: user.last_name,
-                display_name: [user.first_name, user.last_name].filter(Boolean).join(' ')
-            },
-            'Profile updated'
-        );
-
-    } catch (error) {
-        console.error('Handler Error:', error);
-        return handleError(error);
-    }
-}
-
-exports.handler = wrapHandler(updateProfile);

package/src/handlers/webhooks/githubWebhook.js

@@ -1,215 +0,0 @@
-/**
- * GitHub Webhook Handler
- * Receives push and pull_request events to track commits and PRs
- *
- * POST /api/webhooks/github
- * Auth: GitHub webhook signature verification (no Cognito)
- */
-
-const crypto = require('crypto');
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
-
-exports.handler = wrapHandler(async ({ body, headers }) => {
-    // Verify webhook signature — try per-repo secret first, then global fallback
-    const signature = headers['x-hub-signature-256'] || headers['X-Hub-Signature-256'];
-    const rawBody = JSON.stringify(body);
-    const repoFullName = body?.repository?.full_name;
-
-    let verified = false;
-
-    // Try per-repo secret from git_repositories
-    if (repoFullName) {
-        const repoResult = await executeQuery(`
-            SELECT webhook_secret FROM rapport.git_repositories
-            WHERE repo_name = $1 AND webhook_secret IS NOT NULL
-            LIMIT 1
-        `, [repoFullName]);
-
-        if (repoResult.rowCount > 0 && repoResult.rows[0].webhook_secret) {
-            verified = verifySignature(rawBody, signature, repoResult.rows[0].webhook_secret);
-        }
-    }
-
-    // Fallback to global secret
-    if (!verified) {
-        const globalSecret = process.env.GITHUB_WEBHOOK_SECRET;
-        if (globalSecret) {
-            verified = verifySignature(rawBody, signature, globalSecret);
-        }
-    }
-
-    if (!verified) {
-        return createErrorResponse(401, 'Invalid signature');
-    }
-
-    const eventType = headers['x-github-event'] || headers['X-GitHub-Event'];
-
-    if (eventType === 'push') {
-        await handlePushEvent(body);
-    } else if (eventType === 'pull_request') {
-        await handlePREvent(body);
-    } else if (eventType === 'ping') {
-        // GitHub sends ping when webhook is first configured
-        return createSuccessResponse({ received: true }, 'Webhook configured');
-    }
-
-    return createSuccessResponse(
-        { received: true, event: eventType },
-        'Webhook processed'
-    );
-});
-
-function verifySignature(payload, signature, secret) {
-    if (!signature) return false;
-
-    const expectedSignature = 'sha256=' + crypto
-        .createHmac('sha256', secret)
-        .update(payload)
-        .digest('hex');
-
-    return crypto.timingSafeEqual(
-        Buffer.from(signature),
-        Buffer.from(expectedSignature)
-    );
-}
-
-async function handlePushEvent(payload) {
-    const repoFullName = payload.repository?.full_name;
-    if (!repoFullName) return;
-
-    const repoUrl = payload.repository?.html_url || `https://github.com/${repoFullName}`;
-    const branch = payload.ref?.replace('refs/heads/', '') || 'unknown';
-
-    // Find or create repo in git_repositories
-    let repoResult = await executeQuery(`
-        SELECT repo_id, company_id FROM rapport.git_repositories
-        WHERE repo_name = $1 OR repo_url = $2
-    `, [repoFullName, repoUrl]);
-
-    if (repoResult.rowCount === 0) {
-        // Look up company from projects table
-        const projectResult = await executeQuery(`
-            SELECT project_id, company_id FROM rapport.projects
-            WHERE repo_url LIKE $1
-            LIMIT 1
-        `, [`%${repoFullName}%`]);
-
-        const companyId = projectResult.rows[0]?.company_id || null;
-
-        // Auto-register the repo
-        repoResult = await executeQuery(`
-            INSERT INTO rapport.git_repositories (repo_id, repo_name, repo_url, company_id, default_branch, created_at, updated_at)
-            VALUES (gen_random_uuid(), $1, $2, $3, $4, NOW(), NOW())
-            RETURNING repo_id, company_id
-        `, [repoFullName, repoUrl, companyId, branch]);
-
-        console.log(`Auto-registered repo: ${repoFullName} (repo_id: ${repoResult.rows[0].repo_id})`);
-    }
-
-    const repoId = repoResult.rows[0].repo_id;
-
-    for (const commit of (payload.commits || [])) {
-        await recordCommit(commit, repoId, repoFullName, repoUrl);
-    }
-
-    // Update last_commit_sha on the repo
-    const lastCommit = payload.head_commit?.id || payload.commits?.[payload.commits.length - 1]?.id;
-    if (lastCommit) {
-        await executeQuery(`
-            UPDATE rapport.git_repositories SET last_commit_sha = $1, updated_at = NOW()
-            WHERE repo_id = $2
-        `, [lastCommit, repoId]);
-    }
-}
-
-async function recordCommit(commit, repoId, repoName, repoUrl) {
-    const authorEmail = commit.author?.email;
-    if (!authorEmail) return;
-
-    // Check for duplicate
-    const existing = await executeQuery(`
-        SELECT 1 FROM rapport.commits WHERE commit_sha = $1 LIMIT 1
-    `, [commit.id]);
-
-    if (existing.rowCount > 0) {
-        console.log(`Commit ${commit.id.substring(0, 8)} already recorded, skipping`);
-        return;
-    }
-
-    // Build changed_files JSONB from GitHub payload
-    const changedFiles = [
-        ...(commit.added || []).map(f => ({ path: f, action: 'added' })),
-        ...(commit.modified || []).map(f => ({ path: f, action: 'modified' })),
-        ...(commit.removed || []).map(f => ({ path: f, action: 'removed' }))
-    ];
-
-    await executeQuery(`
-        INSERT INTO rapport.commits (
-            commit_id, commit_sha, repo_id, repo_url, repo_name,
-            author_email, author_name, commit_timestamp, message,
-            changed_files, is_merge, created_at
-        ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, NOW())
-    `, [
-        commit.id,
-        commit.id,
-        repoId,
-        repoUrl,
-        repoName,
-        authorEmail,
-        commit.author?.name || authorEmail,
-        commit.timestamp,
-        commit.message?.substring(0, 2000),
-        JSON.stringify(changedFiles),
-        commit.message?.toLowerCase().startsWith('merge') || false
-    ]);
-
-    console.log(`Recorded commit ${commit.id.substring(0, 8)} by ${authorEmail}`);
-}
-
-async function handlePREvent(payload) {
-    const pr = payload.pull_request;
-    const repoFullName = payload.repository?.full_name;
-    if (!pr || !repoFullName) return;
-
-    const repoUrl = payload.repository?.html_url || `https://github.com/${repoFullName}`;
-
-    // Find repo
-    const repoResult = await executeQuery(`
-        SELECT repo_id FROM rapport.git_repositories
-        WHERE repo_name = $1 OR repo_url = $2
-    `, [repoFullName, repoUrl]);
-
-    if (repoResult.rowCount === 0) {
-        console.log(`Repo not found for: ${repoFullName} — push event must arrive first`);
-        return;
-    }
-
-    const repoId = repoResult.rows[0].repo_id;
-    const authorEmail = pr.user?.email || `${pr.user?.login}@users.noreply.github.com`;
-    const status = pr.merged ? 'merged' : pr.state;
-
-    // Upsert PR by repo_id + pr_number
-    await executeQuery(`
-        INSERT INTO rapport.pull_requests (
-            pr_id, repo_id, pr_number, title, author_email,
-            status, created_at, merged_at, closed_at,
-            lines_added, lines_removed, files_changed, review_comments
-        ) VALUES (gen_random_uuid(), $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
-        ON CONFLICT (pr_id) DO NOTHING
-    `, [
-        repoId,
-        pr.number,
-        pr.title?.substring(0, 500),
-        authorEmail,
-        status,
-        pr.created_at,
-        pr.merged_at || null,
-        pr.closed_at || null,
-        pr.additions || 0,
-        pr.deletions || 0,
-        pr.changed_files || 0,
-        pr.review_comments || 0
-    ]);
-
-    console.log(`Recorded PR #${pr.number} (${status}) for ${authorEmail}`);
-}