@graphmemory/server 1.1.0

package/dist/api/rest/embed.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createEmbedRouter = createEmbedRouter;
+const crypto_1 = __importDefault(require("crypto"));
+const express_1 = require("express");
+const zod_1 = require("zod");
+const embedder_1 = require("../../lib/embedder");
+/**
+ * Create an Express router for the embedding API.
+ * POST /api/embed — embed texts using the server's embedding model.
+ */
+function createEmbedRouter(apiConfig, modelName) {
+    const router = (0, express_1.Router)();
+    const embedRequestSchema = zod_1.z.object({
+        texts: zod_1.z.array(zod_1.z.string().max(apiConfig.maxTextChars)).min(1).max(apiConfig.maxTexts),
+    });
+    router.post('/', async (req, res, next) => {
+        try {
+            // Auth: check embeddingApi.apiKey (separate from user apiKey)
+            if (apiConfig.apiKey) {
+                const auth = req.headers.authorization;
+                if (!auth?.startsWith('Bearer ')) {
+                    return res.status(401).json({ error: 'Invalid embedding API key' });
+                }
+                const provided = Buffer.from(auth.slice(7));
+                const expected = Buffer.from(apiConfig.apiKey);
+                if (provided.length !== expected.length || !crypto_1.default.timingSafeEqual(provided, expected)) {
+                    return res.status(401).json({ error: 'Invalid embedding API key' });
+                }
+            }
+            const parsed = embedRequestSchema.parse(req.body);
+            const inputs = parsed.texts.map(text => ({ title: text, content: '' }));
+            const embeddings = await (0, embedder_1.embedBatch)(inputs, modelName);
+            res.json({ embeddings });
+        }
+        catch (err) {
+            if (err?.name === 'ZodError') {
+                return res.status(400).json({ error: 'Validation error' });
+            }
+            next(err);
+        }
+    });
+    return router;
+}

package/dist/api/rest/files.js

@@ -0,0 +1,64 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createFilesRouter = createFilesRouter;
+const path_1 = __importDefault(require("path"));
+const express_1 = require("express");
+const validation_1 = require("../../api/rest/validation");
+function createFilesRouter() {
+    const router = (0, express_1.Router)({ mergeParams: true });
+    function getProject(req) {
+        return req.project;
+    }
+    // List all files
+    router.get('/', (0, validation_1.validateQuery)(validation_1.fileListSchema), (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const q = req.validatedQuery;
+            const files = p.fileIndexManager.listAllFiles(q);
+            res.json({ results: files });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Search files
+    router.get('/search', (0, validation_1.validateQuery)(validation_1.searchQuerySchema), async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const q = req.validatedQuery;
+            const results = await p.fileIndexManager.search(q.q, {
+                topK: q.topK,
+                minScore: q.minScore,
+            });
+            res.json({ results });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Get file info
+    router.get('/info', (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const filePath = req.query.path;
+            if (!filePath)
+                return res.status(400).json({ error: 'path query parameter required' });
+            // Prevent path traversal
+            const normalized = path_1.default.normalize(filePath);
+            if (normalized.startsWith('..') || path_1.default.isAbsolute(normalized)) {
+                return res.status(400).json({ error: 'Invalid path' });
+            }
+            const info = p.fileIndexManager.getFileInfo(normalized);
+            if (!info)
+                return res.status(404).json({ error: 'File not found' });
+            res.json(info);
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    return router;
+}

package/dist/api/rest/graph.js

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createGraphRouter = createGraphRouter;
+const express_1 = require("express");
+const validation_1 = require("../../api/rest/validation");
+function exportGraph(graph, graphName) {
+    const nodes = [];
+    const edges = [];
+    graph.forEachNode((id, attrs) => {
+        // Skip proxy nodes and embeddings for transfer size
+        const { embedding, fileEmbedding, ...rest } = attrs;
+        nodes.push({ id, graph: graphName, ...rest });
+    });
+    graph.forEachEdge((_edge, attrs, source, target) => {
+        edges.push({ source, target, graph: graphName, ...attrs });
+    });
+    return { nodes, edges };
+}
+const GRAPH_TO_PROP = {
+    docs: 'docGraph',
+    code: 'codeGraph',
+    knowledge: 'knowledgeGraph',
+    tasks: 'taskGraph',
+    files: 'fileIndexGraph',
+    skills: 'skillGraph',
+};
+const ALL_GRAPHS = ['docs', 'code', 'knowledge', 'tasks', 'files', 'skills'];
+function createGraphRouter(canReadGraph) {
+    const router = (0, express_1.Router)({ mergeParams: true });
+    function getProject(req) {
+        return req.project;
+    }
+    router.get('/', (0, validation_1.validateQuery)(validation_1.graphExportSchema), (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const scope = req.validatedQuery.scope;
+            const allNodes = [];
+            const allEdges = [];
+            const add = (g, name) => {
+                if (!g)
+                    return;
+                const exp = exportGraph(g, name);
+                allNodes.push(...exp.nodes);
+                allEdges.push(...exp.edges);
+            };
+            if (scope === 'all') {
+                // Export only graphs the user can read
+                for (const gn of ALL_GRAPHS) {
+                    if (canReadGraph && !canReadGraph(req, gn))
+                        continue;
+                    const prop = GRAPH_TO_PROP[gn];
+                    add(p[prop], gn);
+                }
+            }
+            else {
+                // Specific graph — check access, 403 if denied
+                const gn = scope;
+                if (canReadGraph && !canReadGraph(req, gn)) {
+                    return res.status(403).json({ error: 'Access denied' });
+                }
+                const prop = GRAPH_TO_PROP[gn];
+                add(p[prop], gn);
+            }
+            res.json({ nodes: allNodes, edges: allEdges });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    return router;
+}

package/dist/api/rest/index.js

@@ -0,0 +1,371 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireWriteAccess = requireWriteAccess;
+exports.createRestApp = createRestApp;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const express_1 = __importDefault(require("express"));
+const cors_1 = __importDefault(require("cors"));
+const cookie_parser_1 = __importDefault(require("cookie-parser"));
+const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
+const multi_config_1 = require("../../lib/multi-config");
+const access_1 = require("../../lib/access");
+const jwt_1 = require("../../lib/jwt");
+const knowledge_1 = require("../../api/rest/knowledge");
+const tasks_1 = require("../../api/rest/tasks");
+const skills_1 = require("../../api/rest/skills");
+const docs_1 = require("../../api/rest/docs");
+const code_1 = require("../../api/rest/code");
+const files_1 = require("../../api/rest/files");
+const graph_1 = require("../../api/rest/graph");
+const tools_1 = require("../../api/rest/tools");
+const embed_1 = require("../../api/rest/embed");
+const team_1 = require("../../lib/team");
+/**
+ * Express middleware: reject if accessLevel (set by requireGraphAccess) is not 'rw'.
+ * Use on POST/PUT/DELETE routes inside domain routers.
+ */
+function requireWriteAccess(req, res, next) {
+    const level = req.accessLevel;
+    if (level && level !== 'rw') {
+        res.status(403).json({ error: 'Read-only access' });
+        return;
+    }
+    next();
+}
+/**
+ * Create an Express app with all REST routes mounted.
+ * Each route uses the ProjectManager to look up project-specific graphs.
+ */
+function createRestApp(projectManager, options) {
+    const app = (0, express_1.default)();
+    const serverConfig = options?.serverConfig;
+    const users = options?.users ?? {};
+    const hasUsers = Object.keys(users).length > 0;
+    const corsOrigins = serverConfig?.corsOrigins;
+    app.use((0, cors_1.default)(corsOrigins?.length ? { origin: corsOrigins, credentials: true } : { credentials: true }));
+    app.use(express_1.default.json({ limit: '10mb' }));
+    app.use((0, cookie_parser_1.default)());
+    // Security headers
+    app.use((_req, res, next) => {
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+        res.setHeader('X-Frame-Options', 'DENY');
+        next();
+    });
+    // --- Rate limiting ---
+    const rl = serverConfig?.rateLimit;
+    const rateLimitMsg = { error: 'Too many requests, please try again later' };
+    if (rl && rl.global > 0) {
+        app.use('/api/', (0, express_rate_limit_1.default)({ windowMs: 60_000, max: rl.global, standardHeaders: true, legacyHeaders: false, message: rateLimitMsg }));
+    }
+    if (rl && rl.search > 0) {
+        const searchLimiter = (0, express_rate_limit_1.default)({ windowMs: 60_000, max: rl.search, standardHeaders: true, legacyHeaders: false, message: rateLimitMsg });
+        app.use('/api/projects/:projectId/knowledge/notes/search', searchLimiter);
+        app.use('/api/projects/:projectId/tasks/search', searchLimiter);
+        app.use('/api/projects/:projectId/skills/search', searchLimiter);
+        app.use('/api/projects/:projectId/docs/search', searchLimiter);
+        app.use('/api/projects/:projectId/code/search', searchLimiter);
+        app.use('/api/projects/:projectId/files/search', searchLimiter);
+        app.use('/api/embed', searchLimiter);
+    }
+    if (rl && rl.auth > 0) {
+        app.use('/api/auth/login', (0, express_rate_limit_1.default)({ windowMs: 60_000, max: rl.auth, standardHeaders: true, legacyHeaders: false, message: rateLimitMsg }));
+    }
+    const jwtSecret = serverConfig?.jwtSecret;
+    const accessTokenTtl = serverConfig?.accessTokenTtl ?? '15m';
+    const refreshTokenTtl = serverConfig?.refreshTokenTtl ?? '7d';
+    // --- Auth endpoints (before auth middleware — always accessible) ---
+    // Auth status: check cookie JWT or Bearer apiKey
+    app.get('/api/auth/status', (req, res) => {
+        if (!hasUsers)
+            return res.json({ required: false, authenticated: false });
+        // 1. Cookie JWT
+        if (jwtSecret) {
+            const accessToken = (0, jwt_1.getAccessToken)(req);
+            if (accessToken) {
+                const payload = (0, jwt_1.verifyToken)(accessToken, jwtSecret);
+                if (payload?.type === 'access' && users[payload.userId]) {
+                    const user = users[payload.userId];
+                    return res.json({ required: true, authenticated: true, userId: payload.userId, name: user.name });
+                }
+            }
+        }
+        // 2. Bearer apiKey
+        const auth = req.headers.authorization;
+        if (auth?.startsWith('Bearer ')) {
+            const result = (0, access_1.resolveUserFromApiKey)(auth.slice(7), users);
+            if (result)
+                return res.json({ required: true, authenticated: true, userId: result.userId, name: result.user.name });
+        }
+        return res.json({ required: true, authenticated: false });
+    });
+    // Login: email + password → set JWT cookies
+    app.post('/api/auth/login', async (req, res) => {
+        if (!hasUsers || !jwtSecret) {
+            return res.status(400).json({ error: 'Authentication not configured' });
+        }
+        const { email, password } = req.body ?? {};
+        if (!email || !password) {
+            return res.status(400).json({ error: 'Email and password are required' });
+        }
+        const result = (0, jwt_1.resolveUserByEmail)(email, users);
+        if (!result || !result.user.passwordHash) {
+            return res.status(401).json({ error: 'Invalid credentials' });
+        }
+        const valid = await (0, jwt_1.verifyPassword)(password, result.user.passwordHash);
+        if (!valid) {
+            return res.status(401).json({ error: 'Invalid credentials' });
+        }
+        const accessToken = (0, jwt_1.signAccessToken)(result.userId, jwtSecret, accessTokenTtl);
+        const refreshToken = (0, jwt_1.signRefreshToken)(result.userId, jwtSecret, refreshTokenTtl);
+        (0, jwt_1.setAuthCookies)(res, accessToken, refreshToken, accessTokenTtl, refreshTokenTtl);
+        res.json({ userId: result.userId, name: result.user.name });
+    });
+    // Refresh: refresh cookie → new access cookie
+    app.post('/api/auth/refresh', (req, res) => {
+        if (!hasUsers || !jwtSecret) {
+            return res.status(400).json({ error: 'Authentication not configured' });
+        }
+        const refreshToken = (0, jwt_1.getRefreshToken)(req);
+        if (!refreshToken) {
+            return res.status(401).json({ error: 'No refresh token' });
+        }
+        const payload = (0, jwt_1.verifyToken)(refreshToken, jwtSecret);
+        if (!payload || payload.type !== 'refresh') {
+            return res.status(401).json({ error: 'Invalid refresh token' });
+        }
+        // Check user still exists
+        if (!users[payload.userId]) {
+            (0, jwt_1.clearAuthCookies)(res);
+            return res.status(401).json({ error: 'User no longer exists' });
+        }
+        const newAccessToken = (0, jwt_1.signAccessToken)(payload.userId, jwtSecret, accessTokenTtl);
+        const newRefreshToken = (0, jwt_1.signRefreshToken)(payload.userId, jwtSecret, refreshTokenTtl);
+        (0, jwt_1.setAuthCookies)(res, newAccessToken, newRefreshToken, accessTokenTtl, refreshTokenTtl);
+        res.json({ userId: payload.userId, name: users[payload.userId].name });
+    });
+    // Logout: clear cookies
+    app.post('/api/auth/logout', (_req, res) => {
+        (0, jwt_1.clearAuthCookies)(res);
+        res.json({ ok: true });
+    });
+    // --- Auth middleware: cookie JWT → Bearer apiKey → anonymous ---
+    if (hasUsers) {
+        app.use('/api/', (req, _res, next) => {
+            // 1. Cookie JWT (from UI login)
+            if (jwtSecret) {
+                const accessToken = (0, jwt_1.getAccessToken)(req);
+                if (accessToken) {
+                    const payload = (0, jwt_1.verifyToken)(accessToken, jwtSecret);
+                    if (payload?.type === 'access' && users[payload.userId]) {
+                        req.userId = payload.userId;
+                        req.user = users[payload.userId];
+                        return next();
+                    }
+                    // Invalid/expired JWT cookie — don't reject, fall through to Bearer
+                }
+            }
+            // 2. Bearer apiKey (from MCP/API clients)
+            const auth = req.headers.authorization;
+            if (auth?.startsWith('Bearer ')) {
+                const apiKey = auth.slice(7);
+                const result = (0, access_1.resolveUserFromApiKey)(apiKey, users);
+                if (result) {
+                    req.userId = result.userId;
+                    req.user = result.user;
+                    return next();
+                }
+                return _res.status(401).json({ error: 'Invalid API key' });
+            }
+            // 3. No auth = anonymous (uses defaultAccess)
+            next();
+        });
+    }
+    // Project resolution middleware — injects project instance into req
+    app.param('projectId', (req, _res, next, projectId) => {
+        const project = projectManager.getProject(projectId);
+        if (!project) {
+            return _res.status(404).json({ error: `Project "${projectId}" not found` });
+        }
+        req.project = project;
+        next();
+    });
+    // List projects
+    app.get('/api/projects', (_req, res) => {
+        const userId = _req.userId;
+        const projects = projectManager.listProjects().map(id => {
+            const p = projectManager.getProject(id);
+            const gc = p.config.graphConfigs;
+            const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
+            // Per-graph info: enabled + access level for current user
+            const graphs = {};
+            for (const gn of multi_config_1.GRAPH_NAMES) {
+                const access = serverConfig
+                    ? (0, access_1.resolveAccess)(userId, gn, p.config, serverConfig, ws?.config)
+                    : 'rw';
+                graphs[gn] = { enabled: gc[gn].enabled, access: gc[gn].enabled ? access : null };
+            }
+            return {
+                id,
+                projectDir: p.config.projectDir,
+                workspaceId: p.workspaceId ?? null,
+                graphs,
+                stats: {
+                    docs: p.docGraph ? p.docGraph.order : 0,
+                    code: p.codeGraph ? p.codeGraph.order : 0,
+                    knowledge: p.knowledgeGraph ? p.knowledgeGraph.order : 0,
+                    files: p.fileIndexGraph ? p.fileIndexGraph.order : 0,
+                    tasks: p.taskGraph ? p.taskGraph.order : 0,
+                    skills: p.skillGraph ? p.skillGraph.order : 0,
+                },
+            };
+        });
+        res.json({ results: projects });
+    });
+    // List workspaces
+    app.get('/api/workspaces', (_req, res) => {
+        const workspaces = projectManager.listWorkspaces().map(id => {
+            const ws = projectManager.getWorkspace(id);
+            return {
+                id,
+                projects: ws.config.projects,
+            };
+        });
+        res.json({ results: workspaces });
+    });
+    // Project stats
+    app.get('/api/projects/:projectId/stats', (req, res) => {
+        const p = req.project;
+        res.json({
+            docs: p.docGraph ? { nodes: p.docGraph.order, edges: p.docGraph.size } : null,
+            code: p.codeGraph ? { nodes: p.codeGraph.order, edges: p.codeGraph.size } : null,
+            knowledge: p.knowledgeGraph ? { nodes: p.knowledgeGraph.order, edges: p.knowledgeGraph.size } : null,
+            fileIndex: p.fileIndexGraph ? { nodes: p.fileIndexGraph.order, edges: p.fileIndexGraph.size } : null,
+            tasks: p.taskGraph ? { nodes: p.taskGraph.order, edges: p.taskGraph.size } : null,
+            skills: p.skillGraph ? { nodes: p.skillGraph.order, edges: p.skillGraph.size } : null,
+        });
+    });
+    // Team members (workspace: shared .team/ in mirrorDir; standalone: .team/ in projectDir)
+    // Requires at least read access to any graph in the project
+    app.get('/api/projects/:projectId/team', (req, res) => {
+        if (serverConfig && hasUsers) {
+            const userId = req.userId;
+            if (!userId)
+                return res.status(401).json({ error: 'Authentication required' });
+            const p = req.project;
+            const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
+            const hasAnyAccess = multi_config_1.GRAPH_NAMES.some(gn => (0, access_1.canRead)((0, access_1.resolveAccess)(userId, gn, p.config, serverConfig, ws?.config)));
+            if (!hasAnyAccess)
+                return res.status(403).json({ error: 'Access denied' });
+        }
+        const p = req.project;
+        const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
+        const baseDir = ws ? ws.config.mirrorDir : p.config.projectDir;
+        const members = (0, team_1.scanTeamDir)(path_1.default.join(baseDir, '.team'));
+        res.json({ results: members });
+    });
+    // Middleware: require a specific manager to be enabled, or return 404
+    function requireManager(managerKey) {
+        return (req, _res, next) => {
+            const p = req.project;
+            if (!p || !p[managerKey]) {
+                return _res.status(404).json({ error: 'This graph is disabled for this project' });
+            }
+            next();
+        };
+    }
+    // Middleware: check access level for a graph (read or read-write)
+    function requireGraphAccess(graphName, level) {
+        return (req, _res, next) => {
+            if (!serverConfig)
+                return next(); // no config = no auth enforcement
+            const p = req.project;
+            if (!p)
+                return next();
+            const userId = req.userId;
+            const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
+            const access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+            if (!(0, access_1.canRead)(access)) {
+                return _res.status(403).json({ error: 'Access denied' });
+            }
+            if (level === 'rw' && !(0, access_1.canWrite)(access)) {
+                return _res.status(403).json({ error: 'Read-only access' });
+            }
+            req.accessLevel = access;
+            next();
+        };
+    }
+    // Helper: combine requireManager + read access check
+    function graphMiddleware(managerKey, graphName) {
+        return [requireManager(managerKey), requireGraphAccess(graphName, 'r')];
+    }
+    // Mount domain routers (gated by manager existence + read access)
+    // Mutation endpoints (POST/PUT/DELETE) inside routers check req.accessLevel for write access
+    app.use('/api/projects/:projectId/knowledge', ...graphMiddleware('knowledgeManager', 'knowledge'), (0, knowledge_1.createKnowledgeRouter)());
+    app.use('/api/projects/:projectId/tasks', ...graphMiddleware('taskManager', 'tasks'), (0, tasks_1.createTasksRouter)());
+    app.use('/api/projects/:projectId/skills', ...graphMiddleware('skillManager', 'skills'), (0, skills_1.createSkillsRouter)());
+    app.use('/api/projects/:projectId/docs', ...graphMiddleware('docManager', 'docs'), (0, docs_1.createDocsRouter)());
+    app.use('/api/projects/:projectId/code', ...graphMiddleware('codeManager', 'code'), (0, code_1.createCodeRouter)());
+    app.use('/api/projects/:projectId/files', ...graphMiddleware('fileIndexManager', 'files'), (0, files_1.createFilesRouter)());
+    app.use('/api/projects/:projectId/graph', (0, graph_1.createGraphRouter)((req, graphName) => {
+        if (!serverConfig)
+            return true; // no config = no auth enforcement
+        const p = req.project;
+        if (!p)
+            return true;
+        const userId = req.userId;
+        const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
+        const access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+        return (0, access_1.canRead)(access);
+    }));
+    app.use('/api/projects/:projectId/tools', (0, tools_1.createToolsRouter)(projectManager, (req, graphName, level) => {
+        if (!serverConfig)
+            return true;
+        const p = req.project;
+        if (!p)
+            return true;
+        const userId = req.userId;
+        const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
+        const access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+        if (level === 'rw')
+            return (0, access_1.canWrite)(access);
+        return (0, access_1.canRead)(access);
+    }));
+    // Embedding API (optional, gated by server.embeddingApi.enabled)
+    if (serverConfig?.embeddingApi?.enabled && options?.embeddingApiModelName) {
+        app.use('/api/embed', (0, embed_1.createEmbedRouter)(serverConfig.embeddingApi, options.embeddingApiModelName));
+    }
+    // Serve UI static files — check dist/ui/ (npm package) then ui/dist/ (dev)
+    const uiDistPkg = path_1.default.resolve(__dirname, '../../ui');
+    const uiDistDev = path_1.default.resolve(__dirname, '../../../ui/dist');
+    const uiDist = fs_1.default.existsSync(uiDistPkg) ? uiDistPkg : uiDistDev;
+    app.use(express_1.default.static(uiDist));
+    // SPA fallback: serve index.html for non-API routes
+    app.get('/{*splat}', (_req, res, next) => {
+        if (_req.path.startsWith('/api/'))
+            return next();
+        res.sendFile(path_1.default.join(uiDist, 'index.html'), (err) => {
+            if (err)
+                next();
+        });
+    });
+    // Error handler
+    app.use((err, _req, res, _next) => {
+        if (err.name === 'ZodError') {
+            const fields = (err.issues ?? []).map((i) => ({
+                path: i.path?.join('.'),
+                message: i.message,
+            }));
+            return res.status(400).json({ error: 'Validation error', fields });
+        }
+        if (err.type === 'entity.parse.failed' || (err instanceof SyntaxError && 'body' in err)) {
+            return res.status(400).json({ error: 'Invalid JSON' });
+        }
+        process.stderr.write(`[rest] Error: ${err.stack || err}\n`);
+        res.status(500).json({ error: 'Internal server error' });
+    });
+    return app;
+}