@gloocan/cat-inspector 0.1.2 → 0.1.3

package/README.md

@@ -1,166 +1,239 @@
-# 🐱 Cat Inspector SDK
+# @gloocan/cat-inspector
 
-<img
-src="https://cat-inspector.gloocan.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Flogo3.abd05647.png&w=1080&q=75"
-alt="logo"
-/>
+TypeScript SDK for **registering allowlisted backend functions** so QA and inspection tools get a **catalog** (ids, parameters, return metadata, optional JSON Schema), then **invoke** those units over a **versioned** wire protocol—embedded WebSocket, Socket.IO, or remote bridge—not arbitrary code execution from the network.
 
- **Welcome!** This is the official home of the TypeScript SDK that connects your backend to QA and inspection tooling—safely, deliberately, and without handing the internet a remote-code-execution button. ✨
+**Typical host:** Node.js with **Express** (or similar). Types ship with the package (`dist/*.d.ts`).
 
-The published package is `**@gloocan/cat-inspector`**. All source you can build and ship lives under `**[ts/](./ts/)`**.
+---
+
+## Install
+
+```bash
+npm install @gloocan/cat-inspector
+```
+
+Install **peer** packages you actually use in your app (npm does not install peers for you):
+
+| Peer            | When you need it                                      |
+| --------------- | ----------------------------------------------------- |
+| `express`       | Express integration (`registerCatPipeline`, etc.).  |
+| `socket.io`     | Socket.IO transport (`@gloocan/cat-inspector/socket-io`). Optional. |
+| `minio`         | Optional host-side object storage helpers.          |
+
+Always install **`reflect-metadata`** if you use **`@Cat`** decorators (see TypeScript below).
 
 ---
 
-## 👋 New here? Start calm
+## Package entry points
 
-**Cat Inspector** is a **host-side library**: you drop it into **your** Node.js app. It does **not** replace your product, your API design, or your database.
+The package is **ESM** (`"type": "module"`).
 
-Think of it as a friendly gatekeeper:
+| Import from                         | Use for |
+| ----------------------------------- | ------- |
+| `@gloocan/cat-inspector`            | Main API: registration, `bootstrap`, Express, RPC, WebSocket server, types, policy, validation, etc. |
+| `@gloocan/cat-inspector/socket-io`  | `attachCatRPC`, Socket.IO–oriented helpers. Requires `socket.io` as a dependency. |
 
-- 🎯 You choose **which** functions may be discovered and invoked by QA tools.
-- 📋 You attach **metadata** (names, parameters, return hints, optional JSON Schema) so generic UIs can build forms and checks.
-- 🔒 Only what you **register** is on the menu—nothing else gets exposed by accident.
+---
 
-**You do not need the whole map on day one.** Most teams start with three ideas:
+## TypeScript and decorators
 
-1. **Registration** — how functions join the catalog
-2. **Express** — how those units line up with your HTTP world
-3. **One transport** — how a QA client says hello (WebSocket, Socket.IO, bridge—pick what you use)
+For **`@Cat`** (and related metadata), enable decorator emit and load reflect metadata **before** other app imports:
 
-Everything beyond that is **bonus depth** when you need it. 🌱
+1. `npm install reflect-metadata`
+2. At the **top** of your app entry (e.g. `server.ts`): `import 'reflect-metadata'`
+3. In `tsconfig.json`:
+
+```json
+{
+	"compilerOptions": {
+		"experimentalDecorators": true,
+		"emitDecoratorMetadata": true
+	}
+}
+```
+
+If you only use the **functional** API (`cat()`, `catModule()`, …), decorators may be unnecessary; still follow the docs for your chosen registration style.
 
 ---
 
-## 🗂️ How `sdk/` fits this repo
+## Quick examples: registration
 
-This monorepo is bigger than the SDK (think **frontend**, **backend**, deploy recipes, examples). The `**sdk/`** folder is the **canonical home** for Cat Inspector:
+Each example uses a **stable function id** (`fnKey`) such as `Orders.find`—that id is what the catalog and RPC clients use. Pick ids that stay stable across refactors.
 
+### `cat()` — one function
 
-| Path                                        | What you’ll find                                                                                      |
-| ------------------------------------------- | ----------------------------------------------------------------------------------------------------- |
-| 📄 `[README.md](./README.md)` *(this file)* | Friendly orientation—perfect first stop for humans.                                                   |
-| 📦 `[ts/](./ts/)`                           | The real **npm package**: `package.json`, `src/`, tests, `PROTOCOL.md`, and `[ts/docs/](./ts/docs/)`. |
-| 🧠 `[ts/src/](./ts/src/)`                   | Implementation; the **public API** is whatever `[ts/src/index.ts](./ts/src/index.ts)` exports.        |
-| 🏗️ `[ts/dist/](./ts/dist/)`                | Build output from `npm run build` (publishable; often git-ignored).                                   |
+Wrap a plain function and give it a unique key. For HTTP-style handlers you can pass `route` / `method` so the catalog knows the path.
 
+```ts
+import { cat, Return, Throw } from '@gloocan/cat-inspector'
 
-> 💡 **Consuming from npm?** You only need the package name + docs—you don’t have to clone the whole repo unless you want examples or contributions.
+export const findUser = cat('Users.findById', function findUser(id: string) {
+	if (!id) return Throw('INVALID', new Error('id required'))
+	return Return('OK', { id, name: 'Ada' })
+})
+```
 
----
+Call `findUser('42')` as normal; the wrapper records **which labeled branch** ran for inspector UIs.
 
-## 🎪 What it *is*
+### `@Cat` — class methods
 
-Backend devs **register** hand-picked functions (handlers, services, little modules) as **named, typed, inspectable units**. QA clients get a **catalog**—stable ids, parameters, return metadata, optional tags—and can drive **forms + assertions** instead of shipping bespoke test code for every app.
+Requires `reflect-metadata` and the `tsconfig.json` flags above. Registration runs when the class is **loaded**.
 
----
+```ts
+import 'reflect-metadata'
+import { Cat, Return } from '@gloocan/cat-inspector'
 
-## 🚀 What it’s *for*
+export class Billing {
+	@Cat
+	estimate(total: number) {
+		return Return('QUOTE', { cents: Math.round(total * 100) })
+	}
+}
+```
 
+The catalog entry key becomes **`Billing.estimate`** (class name + method name).
 
-| Goal                                 | Why it feels good                                                                                               |
-| ------------------------------------ | --------------------------------------------------------------------------------------------------------------- |
-| 🛡️ **Controlled surface**           | Pick entry points that are safe and meaningful to call from tooling—not “whatever was imported.”                |
-| 🤖 **Machine-friendly descriptions** | Schemas, labels, type hints keep QA UIs generic across products.                                                |
-| 🔌 **Authorized clients**            | Embedded WebSocket, optional Socket.IO, remote bridge—listing and invoke stay under **your** process and rules. |
+### `catModule()` — a namespace of functions
 
+Registers every export under **`${moduleName}.${methodName}`** in one call.
 
-**Typical host:** a **Node.js / Express** (or similar) service where your real business logic already lives. ☕
+```ts
+import { catModule, Return } from '@gloocan/cat-inspector'
 
----
+export const inventory = catModule('Inventory', {
+	list() {
+		return Return('LIST', [{ sku: 'a1' }])
+	},
+	reserve(sku: string) {
+		return Return('RESERVED', { sku, qty: 1 })
+	},
+})
+// Keys: Inventory.list, Inventory.reserve — call inventory.list() as usual.
+```
 
-## 🧩 Main areas at a glance
+Optional third argument lets you attach per-method `params`, `declaredReturn`, or `paramsJsonSchema` (see typings).
 
+### `registerCatPipeline()` — Express route + middleware chain
 
-| Area                        | Role                                                                                                     |
-| --------------------------- | -------------------------------------------------------------------------------------------------------- |
-| 🏷️ **Registration**        | `@Cat`, `cat`, `catModule`, class/service helpers, instance registration → catalog entries.              |
-| 📡 **Bootstrap & metadata** | Load/merge catalog + bootstrap data; optional storage-backed bits so tools see one coherent picture.     |
-| 🚂 **Express**              | Pipelines, correlation, optional HTTP bridge—meet your routes where they already are.                    |
-| ⚡ **RPC surface**           | Invoke by id with structured results/errors—no ad-hoc “run anything” scripting.                          |
-| 🌐 **Transports**           | WebSocket server, remote bridge, Socket.IO subpath export when you need it.                              |
-| ✅ **Validation & policy**   | JSON Schema, serialization limits, pre-invoke hooks, rate limits, audits.                                |
-| 🎨 **Returns & labels**     | `Return`, `Throw`, `ApiReturn` so tooling can tell labeled outcomes apart from plain values.             |
-| 🎁 **Optional extras**      | Coverage helpers, OpenAPI export, uploads materialization, jobs/broadcasts, sessions—grab what you need. |
+Pass an Express `Router`, HTTP method, route path, and an array of **already wrapped** `cat()` handlers. The **last** handler is the route endpoint; earlier entries are treated as middleware (`req`, `res`, `next`).
 
+```ts
+import express from 'express'
+import type { Request, Response, NextFunction } from 'express'
+import { cat, registerCatPipeline, Return } from '@gloocan/cat-inspector'
 
----
+const router = express.Router()
 
-## 📖 Tiny glossary
+const requireAuth = cat('Api.requireAuth', (req: Request, res: Response, next: NextFunction) => {
+	// …validate session, then:
+	next()
+})
 
+const getProfile = cat('Api.getProfile', (req: Request, res: Response) => {
+	return Return('BODY', { userId: req.params['id'] })
+})
 
-| Term                      | In plain English                                                                             |
-| ------------------------- | -------------------------------------------------------------------------------------------- |
-| **Host**                  | Your Node process running the SDK and your app code.                                         |
-| **Catalog**               | The allowlisted set of registered units + metadata tools may see.                            |
-| **Function id**           | Stable string clients use when they invoke something specific.                               |
-| **Inspector / QA client** | Another app or UI that talks to your host—not shipped inside this package.                   |
-| **Protocol**              | Versioned JSON + message families—see `[ts/PROTOCOL.md](./ts/PROTOCOL.md)` for the contract. |
+registerCatPipeline(router, 'get', '/users/:id', [requireAuth, getProfile])
+// app.use('/v1', router)
+```
 
+The SDK aligns all handlers in the array with one **pipeline id** (e.g. `GET /users/:id`) so tools see middleware + endpoint as one HTTP unit.
 
 ---
 
-## ✅ Before you integrate (checklist vibes)
+## `Return()` and `Throw()` — labels for tooling
 
-- **Node.js** + **npm** (or pnpm/yarn—your house, your rules).  
-- **TypeScript** in the host is typical; types ship with the package.  
-- **Peers:** `express` when you use Express helpers; `**minio`** / `**socket.io`** are optional—peek at `[ts/package.json](./ts/package.json)`.  
-- `**@Cat` decorators?** Turn on `**reflect-metadata`** + TS `**experimentalDecorators`** / `**emitDecoratorMetadata`** (details live in the docs linked below).
+These helpers are **no-ops for business data**: they return or throw the same values you would use without Cat Inspector. Their job is to attach a **string label** so QA clients and the catalog can distinguish branches (success variants, validation failures, expected errors) without parsing your whole codebase.
 
----
+| Helper | What you write | What QA / catalog sees |
+| ------ | -------------- | ---------------------- |
+| `Return(label, value)` | `return Return('CREATED', entity)` | Outcome tied to label **`CREATED`**; payload is `value` (types/shapes can be captured for assertions). |
+| `Throw(label, error)` | `return Throw('NOT_FOUND', new Error('…'))` | Expected error path **`NOT_FOUND`** with message/stack; still throws `error` to callers. |
+
+**Labels** are arbitrary string literals you choose (`'OK'`, `'INVALID'`, `'QUOTE'`, …). Use short, stable names: they become part of how teams author **assertions** (“expect `Users.findById` to resolve with label `OK`”).
 
-## 🗺️ Suggested reading order (snackable path)
+**Data:** the second argument to `Return` is whatever your function would normally return. `Throw` always takes an `Error` (or subclass); use normal `throw new Error()` for unexpected failures you do **not** want labeled.
 
-1. **This README** — you’re almost done with step one. Nice. 🎉
-2. `**[ts/docs/protocol-client.md](./ts/docs/protocol-client.md)`** — if you’ll build or wire a client.
-3. `**[ts/docs/boostrap.md](./ts/docs/boostrap.md)`** — bootstrap-oriented notes (path matches the repository filename).
-4. `**[ts/PROTOCOL.md](./ts/PROTOCOL.md)`** — wire truth; keep clients aligned with `**PROTOCOL_VERSION**`.
-5. **[Nextra docs](../qa-test-doc/src/)** — long-form MDX. Run:
-  ```bash
-   cd qa-test-doc/src && npm install && npm run dev
-  ```
-   …then open **[http://localhost:3015](http://localhost:3015)** (default dev port).
-6. **Runnable demo:** `[examples/cat-demo/backend](../examples/cat-demo/backend/README.md)` — Express + Socket.IO, real bootstrap, copy-paste energy. 🐾
+Combine with `cat` / `@Cat` / `catModule` so the inspector knows **which function** is active when a label fires (`ActiveContext` is managed by the wrappers).
 
 ---
 
-## 📚 Doc map (who reads what)
+## Minimal integration shape
 
+Exact APIs depend on your stack; most setups touch these ideas in order:
 
-| Resource                               | Best for                           |
-| -------------------------------------- | ---------------------------------- |
-| `[ts/PROTOCOL.md](./ts/PROTOCOL.md)`   | Wire compatibility detectives 🕵️  |
-| `[ts/docs/](./ts/docs/)`               | Day-to-day integrators             |
-| `[qa-test-doc/](../qa-test-doc/)`      | Deep dives + searchable reference  |
-| `[ts/package.json](./ts/package.json)` | Scripts, `exports`, peers, version |
+1. **Register** testable units (`@Cat`, `cat`, `catModule`, class helpers, `registerInstance`, …).
+2. **Wire Express** (e.g. `registerCatPipeline`, correlation middleware) so HTTP routes map to catalog entries.
+3. **Expose a transport** so a QA client can load the catalog and call `invoke`—e.g. `startInspectorWebSocket`, or `attachCatRPC` from the `socket-io` entry after you create your `socket.io` `Server`.
 
+Example (illustrative only—adapt ports, CORS, and auth to your environment):
 
----
+```ts
+import 'reflect-metadata'
 
-## 🛠️ Install & build (from a full clone)
+import express from 'express'
+import http from 'node:http'
+import { Server as SocketIOServer } from 'socket.io'
 
-```bash
-cd sdk/ts
-npm install
-npm run build
-npm test
+import {
+	createInspectorCorrelationMiddleware,
+	attachCatRPC,
+} from '@gloocan/cat-inspector/socket-io'
+
+const app = express()
+app.use(express.json())
+app.use('/api', createInspectorCorrelationMiddleware())
+
+const server = http.createServer(app)
+const io = new SocketIOServer(server, {
+	cors: { origin: 'http://localhost:3013' },
+})
+
+attachCatRPC(io, {
+	scanRoots: [new URL('.', import.meta.url).pathname],
+	serverId: 'my-service',
+	isDevelopment: process.env.NODE_ENV !== 'production',
+	// bootstrap, upload, auth: see docs and PROTOCOL.md in the source repo
+})
+
+server.listen(5050)
 ```
 
-**Consumers** add `**@gloocan/cat-inspector`** from your registry or workspace. Imports follow `**package.json` → `exports`** (main entry + optional `**@gloocan/cat-inspector/socket-io`** when published).
+For **`executeRPC`**, validation, serialization limits, pre-invoke hooks, and audits, import from `@gloocan/cat-inspector`.
 
 ---
 
-## 🤝 Contributing
+## Wire protocol and versioning
+
+Clients and hosts must agree on JSON message shapes. The SDK exports **`PROTOCOL_VERSION`** from the main entry—bump-aware clients should read it and follow the contract documented alongside the source tree.
 
-- Keep `**index.ts` exports** stable or clearly versioned—downstream clients will thank you. 🙏  
-- Under `sdk/ts`, run `**npm run typecheck`** and `**npm test`** before opening a PR.  
-- If behavior crosses the wire, update `**PROTOCOL.md`** plus `**ts/docs/**` or `**qa-test-doc/**` in the same breath when you can.
+**Note:** The **published npm tarball** contains **`dist/`** (compiled JS + declarations) plus standard metadata. Markdown references such as **`PROTOCOL.md`** live in the **source repository** (use the **Repository** link on the [npm package page](https://www.npmjs.com/package/@gloocan/cat-inspector) if your maintainers have set `repository` in `package.json`).
 
 ---
 
-## 🌟 One-sentence summary
+## Security (read before production)
 
-**Cat Inspector** is the **host-side SDK** that says *which* backend behavior is QA-visible, *how* tools should describe and validate it, and *how* authorized clients connect—while keeping the whole story explicit in **your** codebase.
+- Only **registered** functions are invokable—treat registration as an **allowlist**.
+- **Authenticate** transports in non-dev environments; do not expose invoke surfaces anonymously on the public internet.
+- Prefer **read-only** or sandbox data for QA; avoid putting production secrets in tool-visible payloads.
+- Configure **serialization limits**, **rate limits**, and **pre-invoke** hooks where appropriate (`setRpcSerializationConfig`, `configureInvokeRateLimit`, `registerPreInvoke`, …—see typings and docs).
 
 ---
 
-*Happy inspecting! 🐱✨*
+## Documentation and examples
+
+- **Product / docs site:** [cat-inspector.gloocan.com](https://cat-inspector.gloocan.com) (when available for your deployment).
+- **Deep reference:** your team’s Nextra or internal doc site, if published.
+- **Runnable monorepo example:** an Express + Socket.IO backend under the same repository as this package (search for `examples/cat-demo` in the SDK source tree).
+
+---
+
+## Public API surface
+
+The supported public API is whatever **`@gloocan/cat-inspector` re-exports** from its main module (registration, `bootstrap`, Express helpers, `executeRPC`, transports, `PROTOCOL_VERSION`, wire types such as `RegistryEntry` and `RpcResponse`, validation helpers, policy hooks, uploads, coverage/OpenAPI helpers, sessions, etc.). Prefer importing from the package root rather than deep paths into `dist/`, which are not a stable contract.
+
+---
+
+## License
+
+MIT — see the `license` field in `package.json`.

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@gloocan/cat-inspector",
-	"version": "0.1.2",
+	"version": "0.1.3",
 	"description": "TypeScript @Cat decorator, Return() paths, AST metadata, WebSocket inspector",
 	"type": "module",
 	"main": "./dist/index.js",