@fyresmith/hive-server 1.0.1-3

package/index.js

@@ -0,0 +1,129 @@
+import dotenv from 'dotenv';
+import { createServer } from 'http';
+import { fileURLToPath } from 'url';
+import express from 'express';
+import { Server } from 'socket.io';
+import authRoutes from './routes/auth.js';
+import * as vault from './lib/vaultManager.js';
+import { attachHandlers } from './lib/socketHandler.js';
+import { startYjsServer, getActiveRooms, forceCloseRoom, getRoomStatus } from './lib/yjsServer.js';
+
+const REQUIRED = [
+  'VAULT_PATH',
+  'JWT_SECRET',
+  'DISCORD_CLIENT_ID',
+  'DISCORD_CLIENT_SECRET',
+  'DISCORD_REDIRECT_URI',
+  'DISCORD_GUILD_ID',
+];
+
+function validateEnv() {
+  for (const key of REQUIRED) {
+    if (!process.env[key]) {
+      throw new Error(`[startup] Missing required env var: ${key}`);
+    }
+  }
+
+  const port = parseInt(process.env.PORT ?? '3000', 10);
+  const yjsPort = parseInt(process.env.YJS_PORT ?? '3001', 10);
+  if (!Number.isInteger(port) || port <= 0) {
+    throw new Error('[startup] PORT must be a positive integer');
+  }
+  if (!Number.isInteger(yjsPort) || yjsPort <= 0) {
+    throw new Error('[startup] YJS_PORT must be a positive integer');
+  }
+
+  return { port };
+}
+
+/**
+ * Start Hive server runtime.
+ *
+ * @param {{ envFile?: string, quiet?: boolean }} [options]
+ */
+export async function startHiveServer(options = {}) {
+  const { envFile, quiet = false } = options;
+
+  dotenv.config(
+    envFile
+      ? { path: envFile, override: true }
+      : undefined
+  );
+
+  const { port } = validateEnv();
+
+  const app = express();
+  const httpServer = createServer(app);
+
+  const io = new Server(httpServer, {
+    cors: {
+      origin: '*',
+      methods: ['GET', 'POST'],
+    },
+  });
+
+  app.use(express.json());
+
+  // Auth routes
+  app.use('/auth', authRoutes);
+
+  // Health check
+  app.get('/health', (req, res) => res.json({ ok: true, ts: Date.now() }));
+  app.get('/rooms', (req, res) => res.json({ rooms: getRoomStatus() }));
+
+  function broadcastFileUpdated(relPath, hash, excludeSocketId) {
+    io.sockets.sockets.forEach((sock) => {
+      if (sock.id !== excludeSocketId) {
+        sock.emit('file-updated', { relPath, hash });
+      }
+    });
+  }
+
+  attachHandlers(io, getActiveRooms, broadcastFileUpdated, forceCloseRoom);
+  startYjsServer(broadcastFileUpdated);
+
+  // Chokidar watch for external (non-plugin) changes
+  vault.initWatcher((relPath, event) => {
+    const docName = encodeURIComponent(relPath);
+    if (getActiveRooms().has(docName)) {
+      if (!quiet) {
+        console.log(`[chokidar] Ignoring external change to active room: ${relPath}`);
+      }
+      return;
+    }
+    if (!quiet) {
+      console.log(`[chokidar] External ${event}: ${relPath}`);
+    }
+    io.emit('external-update', { relPath, event });
+  });
+
+  await new Promise((resolve, reject) => {
+    httpServer.once('error', reject);
+    httpServer.listen(port, () => resolve());
+  });
+
+  if (!quiet) {
+    console.log(`[server] Hive server listening on port ${port}`);
+    console.log(`[server] Vault: ${process.env.VAULT_PATH}`);
+  }
+
+  return {
+    app,
+    io,
+    httpServer,
+    port,
+    close: () => new Promise((resolve, reject) => {
+      httpServer.close((err) => {
+        if (err) reject(err);
+        else resolve();
+      });
+    }),
+  };
+}
+
+if (process.argv[1] && fileURLToPath(import.meta.url) === process.argv[1]) {
+  startHiveServer().catch((err) => {
+    console.error(err?.message ?? err);
+    process.exit(1);
+  });
+}

package/lib/auth.js

@@ -0,0 +1,50 @@
+import jwt from 'jsonwebtoken';
+
+/**
+ * Verify a JWT and return the decoded payload.
+ * Throws if the token is invalid or expired.
+ * @param {string} token
+ * @returns {object} decoded payload
+ */
+export function verifyToken(token) {
+  return jwt.verify(token, process.env.JWT_SECRET);
+}
+
+/**
+ * Express middleware — reads Authorization: Bearer <token> header.
+ */
+export function expressMiddleware(req, res, next) {
+  const auth = req.headers.authorization;
+  if (!auth?.startsWith('Bearer ')) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+  try {
+    req.user = verifyToken(auth.slice(7));
+    next();
+  } catch (err) {
+    res.status(401).json({ error: 'Invalid token' });
+  }
+}
+
+/**
+ * Socket.IO middleware — reads token from socket.handshake.auth.token.
+ */
+export function socketMiddleware(socket, next) {
+  const token = socket.handshake.auth?.token;
+  if (!token) return next(new Error('No token'));
+  try {
+    socket.user = verifyToken(token);
+    next();
+  } catch (err) {
+    next(new Error('Invalid token'));
+  }
+}
+
+/**
+ * Verify a JWT for the y-websocket WS handshake.
+ * @param {string} token
+ * @returns {object} decoded payload
+ */
+export function verifyWsToken(token) {
+  return verifyToken(token);
+}

package/lib/socketHandler.js

@@ -0,0 +1,226 @@
+import { socketMiddleware } from './auth.js';
+import * as vault from './vaultManager.js';
+
+/**
+ * presenceByFile: file path → Set of socket IDs
+ * @type {Map<string, Set<string>>}
+ */
+const presenceByFile = new Map();
+
+/**
+ * socketToFiles: socket ID → Set of file paths (for cleanup on disconnect)
+ * @type {Map<string, Set<string>>}
+ */
+const socketToFiles = new Map();
+
+/**
+ * userBySocket: socket ID → user object
+ * @type {Map<string, object>}
+ */
+const userBySocket = new Map();
+
+function respond(cb, payload) {
+  if (typeof cb === 'function') cb(payload);
+}
+
+function rejectPath(cb, relPath) {
+  console.warn(`[socket] Rejected disallowed path: ${String(relPath)}`);
+  respond(cb, { ok: false, error: 'Path not allowed' });
+}
+
+function isAllowedPath(relPath) {
+  return typeof relPath === 'string' && vault.isAllowed(relPath);
+}
+
+function normalizeHexColor(color) {
+  if (typeof color !== 'string') return null;
+  const trimmed = color.trim();
+  return /^#[0-9a-fA-F]{6}$/.test(trimmed) ? trimmed.toLowerCase() : null;
+}
+
+/**
+ * Attach all Socket.IO event handlers.
+ *
+ * @param {import('socket.io').Server} io
+ * @param {() => Set<string>} getActiveRooms  - returns encoded docNames currently in Yjs
+ * @param {(relPath: string, hash: string, excludeSocketId: string|null) => void} broadcastFileUpdated
+ * @param {(relPath: string) => Promise<void>} forceCloseRoom
+ */
+export function attachHandlers(io, getActiveRooms, broadcastFileUpdated, forceCloseRoom) {
+  // Auth middleware for every socket connection
+  io.use(socketMiddleware);
+
+  io.on('connection', (socket) => {
+    const user = socket.user;
+    console.log(`[socket] Connected: ${user.username} (${socket.id})`);
+
+    userBySocket.set(socket.id, user);
+    socketToFiles.set(socket.id, new Set());
+
+    // Notify others this user joined
+    socket.broadcast.emit('user-joined', { user });
+
+    // -----------------------------------------------------------------------
+    // vault-sync-request
+    // -----------------------------------------------------------------------
+    socket.on('vault-sync-request', async (cb) => {
+      try {
+        const manifest = await vault.getManifest();
+        respond(cb, { ok: true, manifest });
+      } catch (err) {
+        console.error('[socket] vault-sync-request error:', err);
+        respond(cb, { ok: false, error: err.message });
+      }
+    });
+
+    // -----------------------------------------------------------------------
+    // file-read
+    // -----------------------------------------------------------------------
+    socket.on('file-read', async (relPath, cb) => {
+      if (!isAllowedPath(relPath)) {
+        rejectPath(cb, relPath);
+        return;
+      }
+      try {
+        const content = await vault.readFile(relPath);
+        const hash = vault.hashContent(content);
+        respond(cb, { ok: true, content, hash });
+      } catch (err) {
+        console.error(`[socket] file-read error (${relPath}):`, err);
+        respond(cb, { ok: false, error: err.message });
+      }
+    });
+
+    // -----------------------------------------------------------------------
+    // file-write
+    // -----------------------------------------------------------------------
+    socket.on('file-write', async (payload, cb) => {
+      const relPath = payload?.relPath;
+      const content = payload?.content;
+      if (!isAllowedPath(relPath) || typeof content !== 'string') {
+        rejectPath(cb, relPath);
+        return;
+      }
+      try {
+        await vault.writeFile(relPath, content);
+        const hash = vault.hashContent(content);
+        socket.broadcast.emit('file-updated', { relPath, hash, user });
+        respond(cb, { ok: true, hash });
+        console.log(`[socket] file-write: ${relPath} by ${user.username}`);
+      } catch (err) {
+        console.error(`[socket] file-write error (${relPath}):`, err);
+        respond(cb, { ok: false, error: err.message });
+      }
+    });
+
+    // -----------------------------------------------------------------------
+    // file-create
+    // -----------------------------------------------------------------------
+    socket.on('file-create', async (payload, cb) => {
+      const relPath = payload?.relPath;
+      const content = payload?.content;
+      if (!isAllowedPath(relPath) || typeof content !== 'string') {
+        rejectPath(cb, relPath);
+        return;
+      }
+      try {
+        await vault.writeFile(relPath, content);
+        io.emit('file-created', { relPath, user });
+        respond(cb, { ok: true });
+        console.log(`[socket] file-create: ${relPath} by ${user.username}`);
+      } catch (err) {
+        console.error(`[socket] file-create error (${relPath}):`, err);
+        respond(cb, { ok: false, error: err.message });
+      }
+    });
+
+    // -----------------------------------------------------------------------
+    // file-delete
+    // -----------------------------------------------------------------------
+    socket.on('file-delete', async (relPath, cb) => {
+      if (!isAllowedPath(relPath)) {
+        rejectPath(cb, relPath);
+        return;
+      }
+      try {
+        // Force-close active Yjs room first
+        const docName = encodeURIComponent(relPath);
+        if (getActiveRooms().has(docName)) {
+          await forceCloseRoom(relPath);
+        }
+        await vault.deleteFile(relPath);
+        io.emit('file-deleted', { relPath, user });
+        respond(cb, { ok: true });
+        console.log(`[socket] file-delete: ${relPath} by ${user.username}`);
+      } catch (err) {
+        console.error(`[socket] file-delete error (${relPath}):`, err);
+        respond(cb, { ok: false, error: err.message });
+      }
+    });
+
+    // -----------------------------------------------------------------------
+    // file-rename
+    // -----------------------------------------------------------------------
+    socket.on('file-rename', async (payload, cb) => {
+      const oldPath = payload?.oldPath;
+      const newPath = payload?.newPath;
+      if (!isAllowedPath(oldPath) || !isAllowedPath(newPath)) {
+        rejectPath(cb, `${String(oldPath)} -> ${String(newPath)}`);
+        return;
+      }
+      try {
+        // Force-close active Yjs room for old path
+        const docName = encodeURIComponent(oldPath);
+        if (getActiveRooms().has(docName)) {
+          await forceCloseRoom(oldPath);
+        }
+        await vault.renameFile(oldPath, newPath);
+        io.emit('file-renamed', { oldPath, newPath, user });
+        respond(cb, { ok: true });
+        console.log(`[socket] file-rename: ${oldPath} → ${newPath} by ${user.username}`);
+      } catch (err) {
+        console.error(`[socket] file-rename error (${oldPath}):`, err);
+        respond(cb, { ok: false, error: err.message });
+      }
+    });
+
+    // -----------------------------------------------------------------------
+    // presence-file-opened
+    // -----------------------------------------------------------------------
+    socket.on('presence-file-opened', (payload) => {
+      const relPath = typeof payload === 'string' ? payload : payload?.relPath;
+      const color = normalizeHexColor(typeof payload === 'string' ? null : payload?.color);
+      if (!isAllowedPath(relPath)) return;
+      if (!presenceByFile.has(relPath)) presenceByFile.set(relPath, new Set());
+      presenceByFile.get(relPath).add(socket.id);
+      socketToFiles.get(socket.id)?.add(relPath);
+      const presenceUser = color ? { ...user, color } : user;
+      socket.broadcast.emit('presence-file-opened', { relPath, user: presenceUser });
+    });
+
+    // -----------------------------------------------------------------------
+    // presence-file-closed
+    // -----------------------------------------------------------------------
+    socket.on('presence-file-closed', (relPath) => {
+      if (!isAllowedPath(relPath)) return;
+      presenceByFile.get(relPath)?.delete(socket.id);
+      socketToFiles.get(socket.id)?.delete(relPath);
+      socket.broadcast.emit('presence-file-closed', { relPath, user });
+    });
+
+    // -----------------------------------------------------------------------
+    // disconnect
+    // -----------------------------------------------------------------------
+    socket.on('disconnect', () => {
+      console.log(`[socket] Disconnected: ${user.username} (${socket.id})`);
+      const openFiles = socketToFiles.get(socket.id) ?? new Set();
+      for (const relPath of openFiles) {
+        presenceByFile.get(relPath)?.delete(socket.id);
+        socket.broadcast.emit('presence-file-closed', { relPath, user });
+      }
+      socketToFiles.delete(socket.id);
+      userBySocket.delete(socket.id);
+      socket.broadcast.emit('user-left', { user });
+    });
+  });
+}

package/lib/vaultManager.js

@@ -0,0 +1,258 @@
+import { createHash } from 'crypto';
+import { resolve, join, sep, extname, relative, dirname } from 'path';
+import { readFile, writeFile as fsWriteFile, rename, unlink, mkdir, stat, readdir } from 'fs/promises';
+import { existsSync } from 'fs';
+import chokidar from 'chokidar';
+
+// ---------------------------------------------------------------------------
+// Deny / allow lists
+// ---------------------------------------------------------------------------
+
+const DENY_PREFIXES = ['.obsidian', 'Attachments', '.git'];
+const DENY_FILES = ['.DS_Store', 'Thumbs.db'];
+// Keep synced content text-based to ensure hash/read/write semantics stay safe.
+const ALLOW_EXTS = new Set(['.md', '.canvas']);
+
+// ---------------------------------------------------------------------------
+// Internals
+// ---------------------------------------------------------------------------
+
+/** @type {string} */
+let VAULT_ROOT;
+
+function getVaultRoot() {
+  if (!VAULT_ROOT) {
+    if (!process.env.VAULT_PATH) throw new Error('VAULT_PATH env var is required');
+    VAULT_ROOT = resolve(process.env.VAULT_PATH);
+  }
+  return VAULT_ROOT;
+}
+
+/**
+ * mtime+size → hash cache so we avoid rehashing unchanged files.
+ * @type {Map<string, {mtime: number, size: number, hash: string}>}
+ */
+const manifestCache = new Map();
+
+// ---------------------------------------------------------------------------
+// Path helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve a relative path against VAULT_ROOT and assert no traversal.
+ * @param {string} relPath
+ * @returns {string} absolute path
+ */
+export function safePath(relPath) {
+  const root = getVaultRoot();
+  const abs = resolve(root, relPath);
+  if (!abs.startsWith(root + sep) && abs !== root) {
+    throw new Error(`Path traversal: ${relPath}`);
+  }
+  return abs;
+}
+
+/**
+ * Returns true if the relative path matches a deny prefix or deny filename.
+ * @param {string} relPath  forward-slash relative path
+ */
+export function isDenied(relPath) {
+  const normalised = relPath.replace(/\\/g, '/');
+  const parts = normalised.split('/');
+  const base = parts[parts.length - 1];
+  if (DENY_FILES.includes(base)) return true;
+  for (const prefix of DENY_PREFIXES) {
+    if (normalised === prefix || normalised.startsWith(prefix + '/')) return true;
+  }
+  return false;
+}
+
+/**
+ * Returns true if the path is allowed to sync (extension + not denied).
+ * @param {string} relPath
+ */
+export function isAllowed(relPath) {
+  if (isDenied(relPath)) return false;
+  return ALLOW_EXTS.has(extname(relPath).toLowerCase());
+}
+
+// ---------------------------------------------------------------------------
+// Content hashing
+// ---------------------------------------------------------------------------
+
+/**
+ * SHA-256 hex digest of a UTF-8 string.
+ * @param {string} str
+ * @returns {string}
+ */
+export function hashContent(str) {
+  return createHash('sha256').update(str, 'utf-8').digest('hex');
+}
+
+// ---------------------------------------------------------------------------
+// Recursive directory walk
+// ---------------------------------------------------------------------------
+
+/**
+ * Walk VAULT_ROOT recursively, returning all allowed relative paths.
+ * @returns {Promise<string[]>}
+ */
+async function walkVault() {
+  const root = getVaultRoot();
+  const results = [];
+
+  async function walk(dir) {
+    let entries;
+    try {
+      entries = await readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const absPath = join(dir, entry.name);
+      const relPath = relative(root, absPath).replace(/\\/g, '/');
+      if (entry.isDirectory()) {
+        if (!isDenied(relPath + '/')) {
+          await walk(absPath);
+        }
+      } else if (entry.isFile()) {
+        if (isAllowed(relPath)) {
+          results.push(relPath);
+        }
+      }
+    }
+  }
+
+  await walk(root);
+  return results;
+}
+
+// ---------------------------------------------------------------------------
+// Manifest
+// ---------------------------------------------------------------------------
+
+/**
+ * Returns the full vault manifest. Uses mtime+size first; only recomputes
+ * SHA-256 when mtime or size changes.
+ * @returns {Promise<Array<{path: string, hash: string, mtime: number, size: number}>>}
+ */
+export async function getManifest() {
+  const paths = await walkVault();
+  const manifest = [];
+
+  for (const relPath of paths) {
+    const abs = safePath(relPath);
+    let fileStat;
+    try {
+      fileStat = await stat(abs);
+    } catch {
+      continue;
+    }
+    const mtime = fileStat.mtimeMs;
+    const size = fileStat.size;
+
+    const cached = manifestCache.get(relPath);
+    let hash;
+    if (cached && cached.mtime === mtime && cached.size === size) {
+      hash = cached.hash;
+    } else {
+      try {
+        const content = await readFile(abs, 'utf-8');
+        hash = hashContent(content);
+      } catch {
+        continue;
+      }
+      manifestCache.set(relPath, { mtime, size, hash });
+    }
+
+    manifest.push({ path: relPath, hash, mtime, size });
+  }
+
+  return manifest;
+}
+
+// ---------------------------------------------------------------------------
+// File operations — all paths go through safePath
+// ---------------------------------------------------------------------------
+
+/**
+ * Read a file as UTF-8.
+ * @param {string} relPath
+ * @returns {Promise<string>}
+ */
+export async function readFile_(relPath) {
+  const abs = safePath(relPath);
+  return readFile(abs, 'utf-8');
+}
+// Export under the spec name
+export { readFile_ as readFile };
+
+/**
+ * Atomically write content to a file (write .tmp → rename).
+ * @param {string} relPath
+ * @param {string} content
+ */
+export async function writeFile(relPath, content) {
+  const abs = safePath(relPath);
+  const tmp = abs + '.tmp';
+  await mkdir(dirname(abs), { recursive: true });
+  await fsWriteFile(tmp, content, 'utf-8');
+  await rename(tmp, abs);
+  // Invalidate cache entry so next manifest reflects new content
+  manifestCache.delete(relPath);
+}
+
+/**
+ * Delete a file.
+ * @param {string} relPath
+ */
+export async function deleteFile(relPath) {
+  const abs = safePath(relPath);
+  await unlink(abs);
+  manifestCache.delete(relPath);
+}
+
+/**
+ * Rename a file.
+ * @param {string} oldRelPath
+ * @param {string} newRelPath
+ */
+export async function renameFile(oldRelPath, newRelPath) {
+  const oldAbs = safePath(oldRelPath);
+  const newAbs = safePath(newRelPath);
+  await mkdir(dirname(newAbs), { recursive: true });
+  await rename(oldAbs, newAbs);
+  manifestCache.delete(oldRelPath);
+  manifestCache.delete(newRelPath);
+}
+
+// ---------------------------------------------------------------------------
+// Chokidar watcher
+// ---------------------------------------------------------------------------
+
+/**
+ * Start watching VAULT_ROOT for external file changes.
+ * @param {(relPath: string, event: string) => void} onExternalChange
+ * @returns {chokidar.FSWatcher}
+ */
+export function initWatcher(onExternalChange) {
+  const root = getVaultRoot();
+  const watcher = chokidar.watch(root, {
+    ignoreInitial: true,
+    persistent: true,
+    awaitWriteFinish: { stabilityThreshold: 200, pollInterval: 100 },
+  });
+
+  const handler = (event) => (absPath) => {
+    const relPath = relative(root, absPath).replace(/\\/g, '/');
+    if (!isAllowed(relPath)) return;
+    onExternalChange(relPath, event);
+  };
+
+  watcher.on('add', handler('add'));
+  watcher.on('change', handler('change'));
+  watcher.on('unlink', handler('unlink'));
+
+  console.log(`[vault] Watching: ${root}`);
+  return watcher;
+}