@grapity/grapity 0.2.0 → 0.4.0

package/dist/cli/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/cli/index.ts
-import { Command as Command20 } from "commander";
+import { Command as Command21 } from "commander";
 
 // src/cli/commands/registry/index.ts
 import { Command as Command8 } from "commander";
@@ -18,14 +18,19 @@ import fs from "fs";
 import os from "os";
 import path from "path";
 import yaml from "js-yaml";
+var CONFIG_PATH = () => path.join(os.homedir(), ".grapity", "config.yaml");
 var DEFAULT_CONFIG = {
   mode: "local",
   local: {
-    port: 3750
+    port: 3750,
+    database: "sqlite"
   }
 };
+function configExists() {
+  return fs.existsSync(CONFIG_PATH());
+}
 function getConfig() {
-  const configPath = path.join(os.homedir(), ".grapity", "config.yaml");
+  const configPath = CONFIG_PATH();
   if (!fs.existsSync(configPath)) {
     return DEFAULT_CONFIG;
   }
@@ -40,12 +45,19 @@ function getConfig() {
     return DEFAULT_CONFIG;
   }
   const config = parsed;
+  let database = config.local?.database ?? DEFAULT_CONFIG.local.database;
+  if (!config.local?.database && config.local?.sqlitePath) {
+    database = "sqlite";
+  }
   return {
     mode: config.mode ?? DEFAULT_CONFIG.mode,
     remote: config.remote,
     local: {
       port: config.local?.port ?? DEFAULT_CONFIG.local.port,
-      sqlitePath: config.local?.sqlitePath
+      database,
+      sqlitePath: config.local?.sqlitePath,
+      postgresUrl: config.local?.postgresUrl,
+      auth: config.local?.auth
     }
   };
 }
@@ -56,6 +68,203 @@ function getRegistryUrl() {
   }
   return `http://localhost:${config.local?.port ?? 3750}`;
 }
+function isPostgresqlUrl(value) {
+  return value.startsWith("postgresql://") || value.startsWith("postgres://");
+}
+
+// src/cli/auth.ts
+import { decodeJwt } from "jose";
+
+// src/registry/auth/middleware.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+var AuthError = class extends Error {
+  constructor(statusCode, code, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.name = "AuthError";
+  }
+  statusCode;
+  code;
+};
+function buildKeycloakUrls(config) {
+  const base = `${config.serverUrl}/realms/${config.realm}`;
+  return {
+    issuer: base,
+    jwksUri: `${base}/protocol/openid-connect/certs`,
+    tokenUrl: `${base}/protocol/openid-connect/token`
+  };
+}
+function createAuthMiddleware(config, routeScopes) {
+  if (config.auth?.mode !== "keycloak") {
+    return async (_c, next) => await next();
+  }
+  const authConfig = config.auth;
+  const { issuer, jwksUri } = buildKeycloakUrls(authConfig);
+  const jwks = createRemoteJWKSet(new URL(jwksUri));
+  const scopeByRoute = /* @__PURE__ */ new Map();
+  for (const route of routeScopes) {
+    const key = `${route.method.toUpperCase()}:${route.path}`;
+    scopeByRoute.set(key, {
+      operationId: route.operationId,
+      scopes: route.scopes
+    });
+  }
+  return async (c2, next) => {
+    const matchedPath = c2.req.matchedRoutes.map((r) => r.path).filter((p) => p !== "/*").pop();
+    const routeKey = matchedPath ? `${c2.req.method}:${matchedPath}` : `${c2.req.method}:${c2.req.routePath}`;
+    const required = scopeByRoute.get(routeKey);
+    if (!required || required.scopes.length === 0) {
+      return await next();
+    }
+    const authHeader = c2.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    const token = authHeader.slice("Bearer ".length).trim();
+    if (!token) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    let payload;
+    try {
+      const result = await jwtVerify(token, jwks, {
+        issuer,
+        audience: authConfig.audience
+      });
+      payload = result.payload;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid token";
+      throw new AuthError(401, "unauthorized", `Invalid or expired token: ${message}`);
+    }
+    const subject = payload.sub;
+    if (!subject) {
+      throw new AuthError(401, "unauthorized", "Token missing subject claim");
+    }
+    const grantedScopes = extractScopes(payload, authConfig.roleSource ?? "scope");
+    const missing = required.scopes.filter((s) => !grantedScopes.has(s));
+    if (missing.length > 0) {
+      throw new AuthError(
+        403,
+        "forbidden",
+        `Missing required scope${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`
+      );
+    }
+    c2.set("actor", subject);
+    c2.set("claims", payload);
+    await next();
+  };
+}
+function extractScopes(payload, source) {
+  if (source === "realm_access.roles") {
+    const roles = payload.realm_access?.roles;
+    return new Set(roles ?? []);
+  }
+  const scopeValue = payload.scope;
+  if (typeof scopeValue === "string") {
+    return new Set(scopeValue.split(/\s+/).filter(Boolean));
+  }
+  return /* @__PURE__ */ new Set();
+}
+function parseRouteScopes(spec) {
+  const routes = [];
+  const paths = spec.paths;
+  if (!paths) return routes;
+  for (const [path12, operations] of Object.entries(paths)) {
+    for (const [method, operation] of Object.entries(operations)) {
+      if (typeof operation !== "object" || operation === null) continue;
+      const op = operation;
+      const operationId = op.operationId;
+      if (!operationId) continue;
+      const security = op.security;
+      const scopes = [];
+      if (security) {
+        for (const sec of security) {
+          for (const [name, required] of Object.entries(sec)) {
+            if (name === "keycloak" && Array.isArray(required)) {
+              scopes.push(...required);
+            }
+          }
+        }
+      }
+      routes.push({
+        method: method.toUpperCase(),
+        path: path12.replace(/\{([^}]+)\}/g, ":$1"),
+        operationId,
+        scopes
+      });
+    }
+  }
+  return routes;
+}
+
+// src/cli/auth.ts
+var cachedToken = null;
+function resetTokenCache() {
+  cachedToken = null;
+}
+async function getAccessToken(config) {
+  const staticToken = process.env.GRAPITY_TOKEN;
+  if (staticToken) {
+    return staticToken;
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (cachedToken && cachedToken.expiresAt > now + 60) {
+    return cachedToken.accessToken;
+  }
+  const clientSecret = process.env.GRAPITY_CLIENT_SECRET;
+  if (!clientSecret) {
+    throw new Error(
+      "Keycloak client secret not found. Set GRAPITY_CLIENT_SECRET or provide a static token via GRAPITY_TOKEN."
+    );
+  }
+  const { tokenUrl } = buildKeycloakUrls({ serverUrl: config.serverUrl, realm: config.realm });
+  const params = new URLSearchParams();
+  params.set("grant_type", "client_credentials");
+  params.set("client_id", config.clientId);
+  params.set("client_secret", clientSecret);
+  if (config.audience) {
+    params.set("audience", config.audience);
+  }
+  const response = await fetch(tokenUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: params.toString()
+  });
+  if (!response.ok) {
+    const text3 = await response.text().catch(() => "Unknown error");
+    throw new Error(`Keycloak token request failed: ${response.status} ${text3}`);
+  }
+  const data = await response.json();
+  cachedToken = {
+    accessToken: data.access_token,
+    expiresAt: now + data.expires_in
+  };
+  return data.access_token;
+}
+function decodeToken(token) {
+  try {
+    const payload = decodeJwt(token);
+    return {
+      sub: payload.sub,
+      exp: payload.exp,
+      iss: payload.iss,
+      scope: typeof payload.scope === "string" ? payload.scope : void 0,
+      roles: payload.realm_access?.roles
+    };
+  } catch {
+    return {};
+  }
+}
+function formatTokenStatus(token) {
+  const decoded = decodeToken(token);
+  const now = Math.floor(Date.now() / 1e3);
+  return {
+    valid: !!decoded.sub,
+    sub: decoded.sub,
+    exp: decoded.exp,
+    expired: decoded.exp ? decoded.exp < now : void 0
+  };
+}
 
 // src/cli/client.ts
 var BreakingChangeError = class extends Error {
@@ -66,19 +275,31 @@ var BreakingChangeError = class extends Error {
   }
   compatReport;
 };
+async function getAuthHeaders() {
+  const config = getConfig();
+  const authConfig = config.mode === "remote" ? config.remote?.auth : config.local?.auth;
+  const headers = {};
+  if (authConfig?.mode === "keycloak") {
+    if (!authConfig.clientId) {
+      throw new Error(
+        "Keycloak auth is configured but clientId is missing. Run grapity init with --keycloak-client-id."
+      );
+    }
+    const token = await getAccessToken(authConfig);
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+  return headers;
+}
 async function request(method, path12, body) {
   const baseUrl = getRegistryUrl();
   const url = `${baseUrl}${path12}`;
-  const config = getConfig();
-  const headers = {
-    "Content-Type": "application/json"
-  };
-  if (config.mode === "remote" && config.remote?.apiKey) {
-    headers["X-API-Key"] = config.remote.apiKey;
-  }
+  const authHeaders = await getAuthHeaders();
   const response = await fetch(url, {
     method,
-    headers,
+    headers: {
+      "Content-Type": "application/json",
+      ...authHeaders
+    },
     body: body ? JSON.stringify(body) : void 0
   });
   if (!response.ok) {
@@ -88,18 +309,17 @@ async function request(method, path12, body) {
     }
     throw new Error(error.message ?? `Request failed: ${response.status}`);
   }
-  const text2 = await response.text();
-  return text2 ? JSON.parse(text2) : void 0;
+  const text3 = await response.text();
+  return text3 ? JSON.parse(text3) : void 0;
 }
 async function requestText(method, path12) {
   const baseUrl = getRegistryUrl();
   const url = `${baseUrl}${path12}`;
-  const config = getConfig();
-  const headers = {};
-  if (config.mode === "remote" && config.remote?.apiKey) {
-    headers["X-API-Key"] = config.remote.apiKey;
-  }
-  const response = await fetch(url, { method, headers });
+  const authHeaders = await getAuthHeaders();
+  const response = await fetch(url, {
+    method,
+    headers: authHeaders
+  });
   if (!response.ok) {
     const error = await response.json();
     throw new Error(error.message ?? `Request failed: ${response.status}`);
@@ -150,9 +370,9 @@ var client = {
   fetchSpec: async (name, options) => {
     const format = options.format ?? "yaml";
     const path12 = options.semver ? `/v1/specs/${name}/versions/${options.semver}/spec.${format}` : `/v1/specs/${name}/spec.${format}`;
-    const { text: text2, headers } = await requestText("GET", path12);
+    const { text: text3, headers } = await requestText("GET", path12);
     return {
-      content: text2,
+      content: text3,
       resolvedVersion: headers.get("Grapity-Resolved-Version") ?? void 0
     };
   },
@@ -531,27 +751,65 @@ function formatInitSuccess(params) {
   ];
   if (params.mode === "local") {
     if (params.port) lines.push(`  ${c.label("Port")}  ${c.cyan(String(params.port))}`);
-    if (params.dbPath) lines.push(`  ${c.label("Database")}  ${c.dim(params.dbPath)}`);
-    lines.push("");
-    lines.push(`  ${c.dim("\u203A")} Start the server with:  ${c.primary("grapity serve")}`);
+    if (params.database) lines.push(`  ${c.label("Database")}  ${c.primary(params.database)}`);
+    if (params.dbPath) lines.push(`  ${c.label("Path")}  ${c.dim(params.dbPath)}`);
+    if (params.postgresUrl) lines.push(`  ${c.label("PostgreSQL")}  ${c.dim(params.postgresUrl)}`);
   } else {
     if (params.url) lines.push(`  ${c.label("URL")}  ${c.cyan(params.url)}`);
-    if (params.hasApiKey) lines.push(`  ${c.label("API key")}  ${c.dim("configured")}`);
+  }
+  if (params.authMode && params.authMode !== "none") {
+    lines.push("");
+    lines.push(`  ${c.label("Auth")}  ${c.primary(params.authMode)}`);
+    if (params.keycloakServer) lines.push(`  ${c.label("Keycloak")}  ${c.dim(params.keycloakServer)}`);
+    if (params.keycloakRealm) lines.push(`  ${c.label("Realm")}  ${c.dim(params.keycloakRealm)}`);
+    if (params.keycloakClientId) lines.push(`  ${c.label("Client ID")}  ${c.dim(params.keycloakClientId)}`);
     lines.push("");
-    lines.push(`  ${c.dim("\u203A")} Push a spec with:  ${c.primary("grapity registry push ./openapi.yaml --name my-api")}`);
+    lines.push(`  ${c.dim("\u203A")} Set the client secret in GRAPITY_CLIENT_SECRET before running commands.`);
+  } else {
+    lines.push("");
+    if (params.mode === "local") {
+      lines.push(`  ${c.dim("\u203A")} Start the server with:  ${c.primary("grapity serve")}`);
+    } else {
+      lines.push(`  ${c.dim("\u203A")} Push a spec with:  ${c.primary("grapity registry push ./openapi.yaml --name my-api")}`);
+    }
   }
   return lines.join("\n");
 }
 function formatServeConfig(params) {
-  const modeLabel = `local ${c.label("\xB7")} ${params.mode}`;
   const lines = [
-    `  ${c.label("Mode")}      ${c.primary(modeLabel)}`,
-    `  ${c.label("Port")}      ${c.cyan(String(params.port))}`
+    `  ${c.label("Mode")}      ${c.primary("local")}`,
+    `  ${c.label("Port")}      ${c.cyan(String(params.port))}`,
+    `  ${c.label("Database")}  ${c.primary(params.database)}`
   ];
-  if (params.dbPath) lines.push(`  ${c.label("Database")}  ${c.dim(params.dbPath)}`);
-  lines.push(`  ${c.label("Auth")}      ${c.primary(params.auth)}`);
+  if (params.database === "sqlite" && params.dbPath) {
+    lines.push(`  ${c.label("Path")}      ${c.dim(params.dbPath)}`);
+  }
+  if (params.database === "postgresql" && params.postgresUrl) {
+    lines.push(`  ${c.label("PostgreSQL")}  ${c.dim(maskPostgresUrl(params.postgresUrl))}`);
+  }
+  lines.push(`  ${c.label("Auth")}      ${c.primary(params.authMode ?? "none")}`);
+  if (params.keycloakServer) {
+    lines.push(`  ${c.label("Keycloak")}  ${c.dim(params.keycloakServer)}`);
+  }
+  if (params.keycloakRealm) {
+    lines.push(`  ${c.label("Realm")}     ${c.dim(params.keycloakRealm)}`);
+  }
+  if (params.keycloakAudience) {
+    lines.push(`  ${c.label("Audience")}  ${c.dim(params.keycloakAudience)}`);
+  }
   return lines.join("\n");
 }
+function maskPostgresUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (parsed.password) {
+      parsed.password = "***";
+    }
+    return parsed.toString();
+  } catch {
+    return url;
+  }
+}
 function formatHubConfig(params) {
   const lines = [
     `  ${c.label("Port")}      ${c.cyan(String(params.port))}`,
@@ -582,6 +840,39 @@ function formatEmptyState(message, hints) {
 function formatReady(port) {
   return `  ${c.success("\u25CF")}  Server ready  ${c.label("\xB7")}  ${c.cyan(`http://localhost:${port}`)}`;
 }
+function formatAuthStatus(params) {
+  const lines = [];
+  if (params.cleared) {
+    lines.push(`  ${c.success("\u2713")} Cached access token cleared`);
+    return lines.join("\n");
+  }
+  lines.push(`  ${c.label("Mode")}  ${c.primary(params.mode)}`);
+  if (!params.configured) {
+    lines.push(`  ${c.dim("\xB7")} No remote authentication configured`);
+    return lines.join("\n");
+  }
+  if (params.serverUrl) lines.push(`  ${c.label("Server")}  ${c.dim(params.serverUrl)}`);
+  if (params.realm) lines.push(`  ${c.label("Realm")}  ${c.dim(params.realm)}`);
+  if (params.clientId) lines.push(`  ${c.label("Client ID")}  ${c.dim(params.clientId)}`);
+  if (params.audience) lines.push(`  ${c.label("Audience")}  ${c.dim(params.audience)}`);
+  lines.push("");
+  if (params.valid === false) {
+    lines.push(`  ${c.error("\u2717")} Token is not a valid JWT`);
+  } else if (params.sub) {
+    lines.push(`  ${c.success("\u2713")} Authenticated as ${c.primary(params.sub)}`);
+    if (params.exp) {
+      const date = new Date(params.exp * 1e3).toISOString();
+      if (params.expired) {
+        lines.push(`  ${c.error("\u2717")} Token expired at ${c.dim(date)}`);
+      } else {
+        lines.push(`  ${c.success("\u2713")} Token valid until ${c.dim(date)}`);
+      }
+    }
+  } else {
+    lines.push(`  ${c.dim("\xB7")} No token fetched yet`);
+  }
+  return lines.join("\n");
+}
 function formatHubReady(port) {
   return `  ${c.success("\u25CF")}  Hub ready     ${c.label("\xB7")}  ${c.cyan(`http://localhost:${port}`)}`;
 }
@@ -744,18 +1035,18 @@ var validateCommand = new Command2("validate").description("Validate a spec agai
 import { Command as Command3 } from "commander";
 var listCommand = new Command3("list").description("List all specs in the registry").option("--type <type>", "Filter by spec type").option("--owner <owner>", "Filter by owner").option("--tags <tags>", "Filter by tags (comma-separated)").action(async (options) => {
   try {
-    const specs2 = await client.listSpecs({
+    const specs3 = await client.listSpecs({
       type: options.type,
       owner: options.owner,
       tags: options.tags?.split(",")
     });
-    if (specs2.length === 0) {
+    if (specs3.length === 0) {
       console.log(formatEmptyState("No specs in the registry.", [
         "Push one with:  grapity registry push ./openapi.yaml --name my-api"
       ]));
       return;
     }
-    for (const spec of specs2) {
+    for (const spec of specs3) {
       console.log(formatSpec(spec));
     }
   } catch (err) {
@@ -1145,10 +1436,10 @@ function convertPathToKong(path12) {
   }
   return converted;
 }
-function routeName(serviceName, index2, path12, methods) {
+function routeName(serviceName, index3, path12, methods) {
   const cleanPath = path12.replace(/[^a-zA-Z0-9]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
   const methodList = methods.join("-").toLowerCase();
-  return `${serviceName}-${cleanPath}-${methodList}-${index2}`;
+  return `${serviceName}-${cleanPath}-${methodList}-${index3}`;
 }
 function generateDeckYaml(config, envName) {
   const env = config.environments[envName];
@@ -1380,7 +1671,7 @@ import fs8 from "fs";
 import os3 from "os";
 import path8 from "path";
 import yaml4 from "js-yaml";
-var initCommand = new Command18("init").description("Configure grapity registry (local or remote mode)").option("--local", "Use local mode (SQLite)").option("--remote", "Use remote mode (connect to a grapity server)").option("--url <url>", "Registry URL (for remote mode)").option("--api-key <key>", "API key (for remote mode)").option("--port <port>", "Port for local server (default: 3750)").option("--db <path>", "Path to SQLite database file (for local mode)").action(async (options) => {
+var initCommand = new Command18("init").description("Configure grapity registry (local or remote mode)").option("--local", "Use local mode (SQLite or PostgreSQL)").option("--remote", "Use remote mode (connect to a grapity server)").option("--url <url>", "Registry URL (for remote mode)").option("--port <port>", "Port for local server (default: 3750)").option("--db <path-or-url>", "SQLite path or postgresql:// URL (for local mode)").option("--auth <mode>", "Auth mode: none | keycloak (default: none)").option("--keycloak-server <url>", "Keycloak server URL").option("--keycloak-realm <realm>", "Keycloak realm").option("--keycloak-client-id <id>", "Keycloak client ID (for CLI client credentials)").option("--keycloak-audience <audience>", "Keycloak token audience to validate").option("--keycloak-role-source <source>", "Where to read roles from: scope | realm_access.roles (default: scope)").action(async (options) => {
   const configDir = path8.join(os3.homedir(), ".grapity");
   const configPath = path8.join(configDir, "config.yaml");
   let mode;
@@ -1398,21 +1689,47 @@ var initCommand = new Command18("init").description("Configure grapity registry
         "missing flag",
         "Select registry mode: use --local or --remote.",
         [
-          "--local   Run a registry server on this machine (SQLite)",
+          "--local   Run a registry server on this machine",
           "--remote  Connect to an existing grapity server"
         ]
       )
     );
     process.exit(1);
   }
+  const authMode = options.auth ?? "none";
+  if (authMode !== "none" && authMode !== "keycloak") {
+    console.error(formatError("invalid auth mode", "--auth must be one of: none, keycloak"));
+    process.exit(1);
+  }
+  const keycloakAuth = authMode === "keycloak" ? parseKeycloakOptions(options, mode) : void 0;
   const config = { mode };
   if (mode === "local") {
+    const dbValue = options.db ?? process.env.GRAPITY_DATABASE_URL;
+    const database = dbValue && isPostgresqlUrl(dbValue) ? "postgresql" : "sqlite";
     config.local = {
       port: options.port ? parseInt(options.port, 10) : 3750,
-      sqlitePath: options.db
+      database
     };
-    if (!config.local.sqlitePath) {
-      config.local.sqlitePath = path8.join(os3.homedir(), ".grapity", "registry.db");
+    if (database === "postgresql") {
+      config.local.postgresUrl = dbValue;
+    } else {
+      config.local.sqlitePath = dbValue ?? path8.join(os3.homedir(), ".grapity", "registry.db");
+    }
+    if (keycloakAuth) {
+      if (!options.keycloakClientId) {
+        console.error(
+          formatError(
+            "missing flag",
+            "--keycloak-client-id is required when using Keycloak auth."
+          )
+        );
+        process.exit(1);
+      }
+      config.local.auth = {
+        mode: "keycloak",
+        clientId: options.keycloakClientId,
+        ...keycloakAuth
+      };
     }
   } else {
     if (!options.url) {
@@ -1426,9 +1743,18 @@ var initCommand = new Command18("init").description("Configure grapity registry
       process.exit(1);
     }
     config.remote = {
-      url: options.url.replace(/\/$/, ""),
-      apiKey: options.apiKey
+      url: options.url.replace(/\/$/, "")
     };
+    if (keycloakAuth) {
+      config.remote.auth = {
+        mode: "keycloak",
+        serverUrl: keycloakAuth.serverUrl,
+        realm: keycloakAuth.realm,
+        clientId: keycloakAuth.clientId,
+        audience: keycloakAuth.audience,
+        roleSource: keycloakAuth.roleSource
+      };
+    }
   }
   if (!fs8.existsSync(configDir)) {
     fs8.mkdirSync(configDir, { recursive: true });
@@ -1440,18 +1766,110 @@ var initCommand = new Command18("init").description("Configure grapity registry
       configPath,
       mode,
       port: config.local?.port,
+      database: config.local?.database,
       dbPath: config.local?.sqlitePath,
+      postgresUrl: config.local?.postgresUrl,
       url: config.remote?.url,
-      hasApiKey: !!config.remote?.apiKey
+      authMode,
+      keycloakServer: keycloakAuth?.serverUrl,
+      keycloakRealm: keycloakAuth?.realm,
+      keycloakClientId: config.local?.auth?.clientId ?? config.remote?.auth?.clientId
     })
   );
 });
+function parseKeycloakOptions(options, _mode) {
+  if (!options.keycloakServer) {
+    console.error(
+      formatError(
+        "missing flag",
+        "--keycloak-server is required when auth mode is keycloak.",
+        ["Example:  --keycloak-server https://keycloak.example.com"]
+      )
+    );
+    process.exit(1);
+  }
+  if (!options.keycloakRealm) {
+    console.error(
+      formatError(
+        "missing flag",
+        "--keycloak-realm is required when auth mode is keycloak.",
+        ["Example:  --keycloak-realm grapity"]
+      )
+    );
+    process.exit(1);
+  }
+  const roleSource = options.keycloakRoleSource;
+  if (roleSource && roleSource !== "scope" && roleSource !== "realm_access.roles") {
+    console.error(formatError("invalid role source", "--keycloak-role-source must be one of: scope, realm_access.roles"));
+    process.exit(1);
+  }
+  return {
+    serverUrl: options.keycloakServer.replace(/\/$/, ""),
+    realm: options.keycloakRealm,
+    clientId: options.keycloakClientId,
+    audience: options.keycloakAudience,
+    roleSource
+  };
+}
 
-// src/cli/commands/serve.ts
+// src/cli/commands/auth.ts
 import { Command as Command19 } from "commander";
+var authCommand = new Command19("auth").description("Manage authentication for remote registry mode").addCommand(
+  new Command19("status").description("Show current authentication status").action(async () => {
+    const config = getConfig();
+    const auth = config.mode === "remote" ? config.remote?.auth : config.local?.auth;
+    if (!auth) {
+      console.log(formatAuthStatus({ mode: "none", configured: false }));
+      return;
+    }
+    if (auth.mode !== "keycloak") {
+      console.log(formatAuthStatus({ mode: auth.mode, configured: true }));
+      return;
+    }
+    if (!auth.clientId) {
+      console.error(
+        formatError(
+          "auth misconfigured",
+          "Keycloak auth is configured but clientId is missing. Run grapity init with --keycloak-client-id."
+        )
+      );
+      process.exit(1);
+    }
+    try {
+      const token = await getAccessToken(auth);
+      const status = formatTokenStatus(token);
+      console.log(
+        formatAuthStatus({
+          mode: auth.mode,
+          configured: true,
+          serverUrl: auth.serverUrl,
+          realm: auth.realm,
+          clientId: auth.clientId,
+          audience: auth.audience,
+          ...status
+        })
+      );
+    } catch (err) {
+      console.error(
+        formatError(
+          "auth failed",
+          err instanceof Error ? err.message : "Unable to fetch access token"
+        )
+      );
+      process.exit(1);
+    }
+  })
+).addCommand(
+  new Command19("clear").description("Clear the cached access token").action(() => {
+    resetTokenCache();
+    console.log(formatAuthStatus({ mode: "none", configured: false, cleared: true }));
+  })
+);
+
+// src/cli/commands/serve.ts
+import { Command as Command20 } from "commander";
 import os4 from "os";
 import path11 from "path";
-import { readFileSync } from "fs";
 
 // src/registry/serve.ts
 import path9 from "path";
@@ -3090,9 +3508,9 @@ var RegistryService = class {
     return { spec, version: version2, compatReport, isNewSpec };
   }
   async listSpecs(filters) {
-    const specs2 = await this.store.listSpecs(filters);
+    const specs3 = await this.store.listSpecs(filters);
     return Promise.all(
-      specs2.map(async (spec) => {
+      specs3.map(async (spec) => {
         const latestVersion = await this.store.getLatestVersion(spec.name);
         return { ...spec, latestVersion: latestVersion ?? void 0 };
       })
@@ -3211,6 +3629,7 @@ var pushRoute = new Hono().post("/", async (c2) => {
   }
   const store = c2.get("store");
   const service = new RegistryService(store);
+  const actor = c2.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushSpec(body.content, body.name, {
       type: body.type,
@@ -3219,7 +3638,7 @@ var pushRoute = new Hono().post("/", async (c2) => {
       sourceRepo: body.sourceRepo,
       tags: Array.isArray(body.tags) ? body.tags : void 0,
       gitRef: body.gitRef,
-      pushedBy: body.pushedBy,
+      pushedBy: actor,
       prerelease: body.prerelease,
       force: body.force,
       reason: body.reason
@@ -3350,8 +3769,8 @@ var listRoute = new Hono3().get("/", async (c2) => {
   const type = c2.req.query("type");
   const owner = c2.req.query("owner");
   const tags = c2.req.query("tags")?.split(",");
-  const specs2 = await service.listSpecs({ type, owner, tags });
-  return c2.json({ data: specs2 });
+  const specs3 = await service.listSpecs({ type, owner, tags });
+  return c2.json({ data: specs3 });
 });
 
 // src/registry/routes/get-spec.ts
@@ -3384,7 +3803,8 @@ var deleteSpecRoute = new Hono5().delete(
     const name = c2.req.param("name");
     const store = c2.get("store");
     const service = new RegistryService(store);
-    const deleted = await service.deleteSpec(name);
+    const actor = c2.get("actor");
+    const deleted = await service.deleteSpec(name, actor);
     if (!deleted) {
       return c2.json({ error: "not_found", message: `Spec "${name}" not found`, statusCode: 404 }, 404);
     }
@@ -3985,8 +4405,7 @@ function switchTab(tab) {
 }
 var welcomeRoute = new Hono12().get("/", (c2) => {
   const config = c2.get("config");
-  const mode = config.database === "sqlite" ? "local" : "remote";
-  return c2.html(buildPage(config.port, mode));
+  return c2.html(buildPage(config.port, "local"));
 });
 
 // src/registry/routes/push-gateway-config.ts
@@ -4126,6 +4545,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c2) => {
   }
   const store = c2.get("store");
   const service = new GatewayService(store, store);
+  const actor = c2.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushGatewayConfig({
       name: body.name,
@@ -4136,7 +4556,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c2) => {
       environments: body.environments ?? {},
       callerIdentification: body.callerIdentification,
       content: body.content,
-      pushedBy: body.pushedBy
+      pushedBy: actor
     });
     return c2.json({ data: result }, 201);
   } catch (err) {
@@ -4327,7 +4747,6 @@ var ingestGatewayLogRoute = new Hono18().post("/ingest/:provider/:environment",
     await service.ingestLog(provider, environment, payload);
     return c2.json({ status: "ok" }, 201);
   } catch (err) {
-    console.error("Gateway log ingest error:", err);
     return c2.json({
       error: "bad_request",
       message: err instanceof Error ? err.message : "Invalid log payload",
@@ -4403,6 +4822,14 @@ var gatewayLogStatsRoute = new Hono21().get("/stats", async (c2) => {
 });
 
 // src/registry/server.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import yaml10 from "js-yaml";
+function loadOpenApiSpec() {
+  const path12 = fileURLToPath(new URL("../../openapi.yaml", import.meta.url));
+  const content = readFileSync(path12, "utf-8");
+  return yaml10.load(content);
+}
 function createApp(config, store) {
   const app = new Hono22();
   app.use("*", logger());
@@ -4413,6 +4840,21 @@ function createApp(config, store) {
     c2.set("config", config);
     await next();
   });
+  const routeScopes = parseRouteScopes(loadOpenApiSpec());
+  app.use("*", createAuthMiddleware(config, routeScopes));
+  app.onError((err, c2) => {
+    if (err instanceof AuthError) {
+      return c2.json(
+        { error: err.code, message: err.message, statusCode: err.statusCode },
+        err.statusCode
+      );
+    }
+    console.error("Unhandled error:", err);
+    return c2.json(
+      { error: "internal_error", message: "Internal server error", statusCode: 500 },
+      500
+    );
+  });
   app.route("/v1/specs", pushRoute);
   app.route("/v1/specs", validateRoute);
   app.route("/v1/specs", listRoute);
@@ -4441,8 +4883,7 @@ function createApp(config, store) {
 var defaultConfig = {
   port: 3750,
   database: "sqlite",
-  sqlitePath: void 0,
-  gracePeriodDays: 30
+  auth: { mode: "none" }
 };
 
 // src/registry/storage/sqlite.ts
@@ -4948,137 +5389,829 @@ var SQLiteSpecStore = class {
   }
 };
 
-// src/registry/serve.ts
-async function startServer(userConfig) {
-  const config = { ...defaultConfig, ...userConfig };
-  if (!config.sqlitePath && config.database === "sqlite") {
-    const homeDir = process.env.HOME || process.env.USERPROFILE || ".";
-    config.sqlitePath = path9.join(homeDir, ".grapity", "registry.db");
-  }
-  if (config.database === "sqlite" && config.sqlitePath) {
-    const dir = path9.dirname(config.sqlitePath);
-    if (!fs9.existsSync(dir)) {
-      fs9.mkdirSync(dir, { recursive: true });
-    }
-  }
-  const store = new SQLiteSpecStore(config.sqlitePath);
-  await store.migrate();
-  const app = createApp(config, store);
-  serve({
-    fetch: app.fetch,
-    port: config.port
-  });
-  return app;
-}
-if (process.argv[1] === new URL(import.meta.url).pathname) {
-  startServer();
-}
-
-// src/hub/serve.ts
-import { Hono as Hono23 } from "hono";
-import { serveStatic } from "@hono/node-server/serve-static";
-import { serve as serve2 } from "@hono/node-server";
-import path10 from "path";
-import fs10 from "fs";
+// src/registry/storage/postgresql.ts
+import { Pool } from "pg";
+import { drizzle as drizzle2 } from "drizzle-orm/node-postgres";
+import { migrate as migrate2 } from "drizzle-orm/node-postgres/migrator";
+import { eq as eq2, and as and2, desc as desc2, sql as sql2 } from "drizzle-orm";
 
-// src/hub/paths.ts
-var HUB_DIST_PATH = new URL(
-  "../../dist",
-  import.meta.url
-).pathname;
+// src/registry/storage/schema-pg.ts
+import { pgTable, text as text2, timestamp, boolean, jsonb, index as index2, integer as integer2 } from "drizzle-orm/pg-core";
+var specs2 = pgTable("specs", {
+  id: text2("id").primaryKey(),
+  name: text2("name").notNull().unique(),
+  type: text2("type", { enum: ["openapi", "asyncapi"] }).notNull(),
+  description: text2("description"),
+  owner: text2("owner"),
+  sourceRepo: text2("source_repo"),
+  tags: jsonb("tags").$type().default([]),
+  createdAt: timestamp("created_at").notNull(),
+  updatedAt: timestamp("updated_at").notNull()
+});
+var specVersions2 = pgTable("spec_versions", {
+  id: text2("id").primaryKey(),
+  specId: text2("spec_id").notNull().references(() => specs2.id),
+  semver: text2("semver").notNull(),
+  content: text2("content").notNull(),
+  checksum: text2("checksum").notNull(),
+  gitRef: text2("git_ref"),
+  pushedBy: text2("pushed_by"),
+  compatibility: jsonb("compatibility").$type(),
+  previousVersion: text2("previous_version"),
+  forceReason: text2("force_reason"),
+  isPrerelease: boolean("is_prerelease").notNull().default(false),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_spec_versions_spec_id").on(table.specId),
+  index2("idx_spec_versions_semver").on(table.specId, table.semver)
+]);
+var auditLog2 = pgTable("audit_log", {
+  id: text2("id").primaryKey(),
+  action: text2("action", { enum: ["spec.push", "spec.push.force", "spec.delete"] }).notNull(),
+  actor: text2("actor").notNull(),
+  specName: text2("spec_name").notNull(),
+  version: text2("version"),
+  details: jsonb("details").$type(),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_audit_log_spec_name").on(table.specName),
+  index2("idx_audit_log_created_at").on(table.createdAt)
+]);
+var gatewayConfigs2 = pgTable("gateway_configs", {
+  id: text2("id").primaryKey(),
+  name: text2("name").notNull().unique(),
+  provider: text2("provider", { enum: ["kong"] }).notNull(),
+  specName: text2("spec_name").notNull(),
+  specSemver: text2("spec_semver").notNull(),
+  createdAt: timestamp("created_at").notNull(),
+  updatedAt: timestamp("updated_at").notNull()
+});
+var gatewayConfigVersions2 = pgTable("gateway_config_versions", {
+  id: text2("id").primaryKey(),
+  gatewayConfigId: text2("gateway_config_id").notNull().references(() => gatewayConfigs2.id),
+  routes: jsonb("routes").$type().notNull(),
+  environments: jsonb("environments").$type().notNull(),
+  callerIdentification: jsonb("caller_identification").$type(),
+  content: text2("content").notNull(),
+  checksum: text2("checksum").notNull(),
+  pushedBy: text2("pushed_by"),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_gateway_config_versions_config_id").on(table.gatewayConfigId)
+]);
+var httpLogs2 = pgTable("http_logs", {
+  id: text2("id").primaryKey(),
+  provider: text2("provider").notNull(),
+  gatewayConfigName: text2("gateway_config_name").notNull(),
+  environment: text2("environment").notNull(),
+  method: text2("method").notNull(),
+  path: text2("path").notNull(),
+  routePath: text2("route_path"),
+  status: integer2("status").notNull(),
+  callerId: text2("caller_id"),
+  callerSource: text2("caller_source"),
+  callerConfidence: text2("caller_confidence").notNull(),
+  occurredAt: timestamp("occurred_at").notNull(),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_http_logs_config_env").on(table.gatewayConfigName, table.environment),
+  index2("idx_http_logs_occurred_at").on(table.occurredAt),
+  index2("idx_http_logs_caller").on(table.gatewayConfigName, table.environment, table.callerId)
+]);
+var provisions2 = pgTable("provisions", {
+  id: text2("id").primaryKey(),
+  gatewayConfigName: text2("gateway_config_name").notNull(),
+  gatewayConfigVersion: text2("gateway_config_version").notNull(),
+  environment: text2("environment").notNull(),
+  provider: text2("provider", { enum: ["kong"] }).notNull(),
+  synced: boolean("synced").notNull().default(false),
+  actor: text2("actor").notNull(),
+  details: jsonb("details").$type(),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_provisions_config_name").on(table.gatewayConfigName),
+  index2("idx_provisions_created_at").on(table.createdAt)
+]);
 
-// src/hub/serve.ts
-var DEFAULT_PORT = 3e3;
-var DEFAULT_REGISTRY_URL = "http://localhost:3750";
-async function startHubServer(userConfig) {
-  const config = {
-    port: userConfig?.port ?? DEFAULT_PORT,
-    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL
-  };
-  const app = new Hono23();
-  app.use("/v1/*", async (c2) => {
-    const url = new URL(c2.req.url);
-    const targetUrl = config.registryUrl + url.pathname + url.search;
-    const response = await fetch(targetUrl, {
-      method: c2.req.method,
-      headers: c2.req.raw.headers,
-      body: c2.req.raw.body
-    });
-    return response;
-  });
-  app.use("/*", serveStatic({ root: HUB_DIST_PATH }));
-  app.get("/*", async (c2) => {
-    const indexPath = path10.join(HUB_DIST_PATH, "index.html");
-    if (fs10.existsSync(indexPath)) {
-      return c2.html(fs10.readFileSync(indexPath, "utf-8"));
+// src/registry/storage/postgresql.ts
+import { v4 as uuid6 } from "uuid";
+var MIGRATIONS_FOLDER2 = PG_MIGRATIONS_FOLDER;
+var DatabaseConnectionError = class extends Error {
+  constructor(message, postgresUrl, options) {
+    super(message, options);
+    this.postgresUrl = postgresUrl;
+    this.name = "DatabaseConnectionError";
+  }
+  postgresUrl;
+};
+function isConnectionError(err) {
+  if (typeof err !== "object" || err === null) return false;
+  if ("code" in err) {
+    const code = err.code;
+    if (code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "ENOTFOUND") {
+      return true;
     }
-    return c2.text(
-      "index.html not found. Build the project with 'bun run build' first.",
-      404
-    );
-  });
-  serve2({
-    fetch: app.fetch,
-    port: config.port
-  });
-}
-if (process.argv[1] === new URL(import.meta.url).pathname) {
-  startHubServer();
+  }
+  if (err instanceof AggregateError) {
+    if (err.errors.some(isConnectionError)) return true;
+  }
+  if ("cause" in err && err.cause) {
+    return isConnectionError(err.cause);
+  }
+  return false;
 }
-
-// src/cli/commands/serve.ts
-function getPackageVersion() {
+function maskPostgresPassword(url) {
   try {
-    const pkgPath = new URL("../../../../package.json", import.meta.url);
-    const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
-    return pkg.version;
+    const parsed = new URL(url);
+    if (parsed.password) parsed.password = "***";
+    return parsed.toString();
   } catch {
-    return "unknown";
+    return url;
   }
 }
-function createServeCommand(_version) {
-  return new Command19("serve").description("Start the local grapity registry server").option("-p, --port <port>", "Port to listen on", "3750").option("--db <url>", "Database URL (sqlite path or postgresql URL)").option("--auth <mode>", "Auth mode: none, api-key, jwt", "none").option("--hub-port <port>", "Port for the developer portal (Hub)", "3000").option("--no-hub", "Skip starting the developer portal").action(async (options) => {
-    const port = parseInt(options.port, 10);
-    const hubPort = parseInt(options.hubPort, 10);
-    const startHub = options.hub !== false;
-    const db = options.db;
-    const auth = options.auth;
-    const isPostgres = db?.startsWith("postgresql://");
-    const dbMode = isPostgres ? "postgresql" : "sqlite";
-    const dbPath = isPostgres ? void 0 : db ?? path11.join(os4.homedir(), ".grapity", "registry.db");
-    const version2 = getPackageVersion();
-    console.log(formatHeader("grapity Registry", `v${version2}`));
-    console.log("");
-    console.log(formatServeConfig({ mode: dbMode, port, dbPath, auth }));
-    console.log("");
-    await startServer({
-      port,
-      database: dbMode,
-      sqlitePath: dbPath,
-      postgresUrl: isPostgres ? db : void 0,
-      auth: auth === "none" ? { mode: "none" } : { mode: auth }
-    });
-    console.log(formatReady(port));
-    if (startHub) {
-      console.log("");
-      console.log(formatHeader("grapity Hub", `v${version2}`));
-      console.log("");
-      console.log(
-        formatHubConfig({
-          port: hubPort,
-          registryUrl: `http://localhost:${port}`
-        })
-      );
-      console.log("");
-      await startHubServer({
-        port: hubPort,
-        registryUrl: `http://localhost:${port}`
-      });
-      console.log(formatHubReady(hubPort));
-    }
-    process.on("SIGINT", () => {
+var PostgreSQLSpecStore = class {
+  db;
+  pool;
+  postgresUrl;
+  constructor(postgresUrl) {
+    this.postgresUrl = postgresUrl;
+    this.pool = new Pool({ connectionString: postgresUrl });
+    this.db = drizzle2(this.pool);
+  }
+  async migrate() {
+    try {
+      await migrate2(this.db, {
+        migrationsFolder: MIGRATIONS_FOLDER2
+      });
+    } catch (err) {
+      if (isConnectionError(err)) {
+        throw new DatabaseConnectionError(
+          `PostgreSQL is not reachable at ${maskPostgresPassword(this.postgresUrl)}`,
+          this.postgresUrl,
+          { cause: err }
+        );
+      }
+      throw err;
+    }
+  }
+  async end() {
+    await this.pool.end();
+  }
+  async getSpec(name) {
+    const rows = await this.db.select().from(specs2).where(eq2(specs2.name, name)).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapSpecRow(rows[0]);
+  }
+  async getSpecVersion(name, semver) {
+    const spec = await this.getSpec(name);
+    if (!spec) return null;
+    const rows = await this.db.select().from(specVersions2).where(and2(eq2(specVersions2.specId, spec.id), eq2(specVersions2.semver, semver))).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapVersionRow(rows[0]);
+  }
+  async getLatestVersion(name) {
+    const spec = await this.getSpec(name);
+    if (!spec) return null;
+    const rows = await this.db.select().from(specVersions2).where(eq2(specVersions2.specId, spec.id)).orderBy(desc2(specVersions2.createdAt), desc2(specVersions2.id)).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapVersionRow(rows[0]);
+  }
+  async listSpecs(filters) {
+    const conditions = [];
+    if (filters?.type) conditions.push(eq2(specs2.type, filters.type));
+    if (filters?.owner) conditions.push(eq2(specs2.owner, filters.owner));
+    let rows = conditions.length > 0 ? await this.db.select().from(specs2).where(and2(...conditions)) : await this.db.select().from(specs2);
+    if (filters?.tags && filters.tags.length > 0) {
+      rows = rows.filter((row) => {
+        const rowTags = row.tags ?? [];
+        return filters.tags.every((tag) => rowTags.includes(tag));
+      });
+    }
+    return rows.map((r) => this.mapSpecRow(r));
+  }
+  async listVersions(name, options) {
+    const spec = await this.getSpec(name);
+    if (!spec) return { versions: [], total: 0 };
+    const limit = options?.limit ?? 10;
+    const offset = options?.offset ?? 0;
+    const [countRow] = await this.db.select({ count: sql2`count(*)` }).from(specVersions2).where(eq2(specVersions2.specId, spec.id));
+    const total = Number(countRow?.count ?? 0);
+    const rows = await this.db.select().from(specVersions2).where(eq2(specVersions2.specId, spec.id)).orderBy(desc2(specVersions2.createdAt), desc2(specVersions2.id)).limit(limit).offset(offset);
+    return { versions: rows.map((r) => this.mapVersionRow(r)), total };
+  }
+  async pushSpecVersion(spec, version2) {
+    const existingSpec = await this.getSpec(spec.name);
+    if (!existingSpec) {
+      await this.db.insert(specs2).values({
+        id: spec.id,
+        name: spec.name,
+        type: spec.type,
+        description: spec.description ?? null,
+        owner: spec.owner ?? null,
+        sourceRepo: spec.sourceRepo ?? null,
+        tags: spec.tags ?? [],
+        createdAt: spec.createdAt,
+        updatedAt: spec.updatedAt
+      });
+    } else {
+      await this.db.update(specs2).set({ updatedAt: /* @__PURE__ */ new Date() }).where(eq2(specs2.id, existingSpec.id));
+    }
+    const specId = existingSpec?.id ?? spec.id;
+    await this.db.insert(specVersions2).values({
+      id: version2.id,
+      specId,
+      semver: version2.semver,
+      content: version2.content,
+      checksum: version2.checksum,
+      gitRef: version2.gitRef ?? null,
+      pushedBy: version2.pushedBy ?? null,
+      compatibility: version2.compatibility ?? null,
+      previousVersion: version2.previousVersion ?? null,
+      forceReason: version2.forceReason ?? null,
+      isPrerelease: version2.isPrerelease,
+      createdAt: version2.createdAt
+    });
+    return version2;
+  }
+  async deleteSpec(name) {
+    const existingSpec = await this.getSpec(name);
+    if (!existingSpec) return false;
+    await this.db.delete(specVersions2).where(eq2(specVersions2.specId, existingSpec.id));
+    await this.db.delete(specs2).where(eq2(specs2.id, existingSpec.id));
+    return true;
+  }
+  async getCompatReport(name, semver) {
+    const version2 = await this.getSpecVersion(name, semver);
+    return version2?.compatibility ?? null;
+  }
+  async logAudit(action, actor, specName, version2, details) {
+    await this.db.insert(auditLog2).values({
+      id: uuid6(),
+      action,
+      actor,
+      specName,
+      version: version2 ?? null,
+      details: details ?? null,
+      createdAt: /* @__PURE__ */ new Date()
+    });
+  }
+  mapSpecRow(row) {
+    return {
+      id: row.id,
+      name: row.name,
+      type: row.type,
+      description: row.description ?? void 0,
+      owner: row.owner ?? void 0,
+      sourceRepo: row.sourceRepo ?? void 0,
+      tags: row.tags ?? [],
+      createdAt: row.createdAt,
+      updatedAt: row.updatedAt
+    };
+  }
+  mapVersionRow(row) {
+    return {
+      id: row.id,
+      specId: row.specId,
+      semver: row.semver,
+      content: row.content,
+      checksum: row.checksum,
+      gitRef: row.gitRef ?? void 0,
+      pushedBy: row.pushedBy ?? void 0,
+      compatibility: row.compatibility ?? void 0,
+      previousVersion: row.previousVersion ?? void 0,
+      forceReason: row.forceReason ?? void 0,
+      isPrerelease: row.isPrerelease,
+      createdAt: row.createdAt
+    };
+  }
+  // GatewayConfigStore implementation
+  async getGatewayConfig(name) {
+    const rows = await this.db.select().from(gatewayConfigs2).where(eq2(gatewayConfigs2.name, name)).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapGatewayConfigRow(rows[0]);
+  }
+  async listGatewayConfigs() {
+    const rows = await this.db.select().from(gatewayConfigs2);
+    return rows.map((r) => this.mapGatewayConfigRow(r));
+  }
+  async getGatewayConfigVersion(name, versionId) {
+    const config = await this.getGatewayConfig(name);
+    if (!config) return null;
+    const rows = await this.db.select().from(gatewayConfigVersions2).where(and2(eq2(gatewayConfigVersions2.gatewayConfigId, config.id), eq2(gatewayConfigVersions2.id, versionId))).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapGatewayConfigVersionRow(rows[0]);
+  }
+  async getLatestGatewayConfigVersion(name) {
+    const config = await this.getGatewayConfig(name);
+    if (!config) return null;
+    const rows = await this.db.select().from(gatewayConfigVersions2).where(eq2(gatewayConfigVersions2.gatewayConfigId, config.id)).orderBy(desc2(gatewayConfigVersions2.createdAt), desc2(gatewayConfigVersions2.id)).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapGatewayConfigVersionRow(rows[0]);
+  }
+  async listGatewayConfigVersions(name) {
+    const config = await this.getGatewayConfig(name);
+    if (!config) return [];
+    const rows = await this.db.select().from(gatewayConfigVersions2).where(eq2(gatewayConfigVersions2.gatewayConfigId, config.id)).orderBy(desc2(gatewayConfigVersions2.createdAt), desc2(gatewayConfigVersions2.id)).limit(5);
+    return rows.map((r) => this.mapGatewayConfigVersionRow(r));
+  }
+  async pushGatewayConfigVersion(config, version2) {
+    const existingConfig = await this.getGatewayConfig(config.name);
+    if (!existingConfig) {
+      await this.db.insert(gatewayConfigs2).values({
+        id: config.id,
+        name: config.name,
+        provider: config.provider,
+        specName: config.specName,
+        specSemver: config.specSemver,
+        createdAt: config.createdAt,
+        updatedAt: config.updatedAt
+      });
+    } else {
+      await this.db.update(gatewayConfigs2).set({ updatedAt: /* @__PURE__ */ new Date(), specSemver: config.specSemver }).where(eq2(gatewayConfigs2.id, existingConfig.id));
+    }
+    const configId = existingConfig?.id ?? config.id;
+    await this.db.insert(gatewayConfigVersions2).values({
+      id: version2.id,
+      gatewayConfigId: configId,
+      routes: version2.routes,
+      environments: version2.environments,
+      callerIdentification: version2.callerIdentification ?? null,
+      content: version2.content,
+      checksum: version2.checksum,
+      pushedBy: version2.pushedBy ?? null,
+      createdAt: version2.createdAt
+    });
+    const versions = await this.db.select().from(gatewayConfigVersions2).where(eq2(gatewayConfigVersions2.gatewayConfigId, configId)).orderBy(desc2(gatewayConfigVersions2.createdAt), desc2(gatewayConfigVersions2.id));
+    if (versions.length > 5) {
+      const toDelete = versions.slice(5);
+      for (const v of toDelete) {
+        await this.db.delete(gatewayConfigVersions2).where(eq2(gatewayConfigVersions2.id, v.id));
+      }
+    }
+    return version2;
+  }
+  async recordProvision(provision) {
+    await this.db.insert(provisions2).values({
+      id: provision.id,
+      gatewayConfigName: provision.gatewayConfigName,
+      gatewayConfigVersion: provision.gatewayConfigVersion,
+      environment: provision.environment,
+      provider: provision.provider,
+      synced: provision.synced,
+      actor: provision.actor,
+      details: provision.details ?? null,
+      createdAt: provision.createdAt
+    });
+  }
+  async listProvisions(gatewayConfigName) {
+    const rows = gatewayConfigName ? await this.db.select().from(provisions2).where(eq2(provisions2.gatewayConfigName, gatewayConfigName)).orderBy(desc2(provisions2.createdAt)) : await this.db.select().from(provisions2).orderBy(desc2(provisions2.createdAt));
+    return rows.map((r) => ({
+      id: r.id,
+      gatewayConfigName: r.gatewayConfigName,
+      gatewayConfigVersion: r.gatewayConfigVersion,
+      environment: r.environment,
+      provider: r.provider,
+      synced: r.synced,
+      actor: r.actor,
+      details: r.details ?? void 0,
+      createdAt: r.createdAt
+    }));
+  }
+  mapGatewayConfigRow(row) {
+    return {
+      id: row.id,
+      name: row.name,
+      provider: row.provider,
+      specName: row.specName,
+      specSemver: row.specSemver,
+      createdAt: row.createdAt,
+      updatedAt: row.updatedAt
+    };
+  }
+  mapGatewayConfigVersionRow(row) {
+    return {
+      id: row.id,
+      gatewayConfigId: row.gatewayConfigId,
+      routes: row.routes,
+      environments: row.environments,
+      callerIdentification: row.callerIdentification ?? void 0,
+      content: row.content,
+      checksum: row.checksum,
+      pushedBy: row.pushedBy ?? void 0,
+      createdAt: row.createdAt
+    };
+  }
+  async recordGatewayLog(log) {
+    await this.db.insert(httpLogs2).values({
+      id: log.id,
+      provider: log.provider,
+      gatewayConfigName: log.gatewayConfigName,
+      environment: log.environment,
+      method: log.method,
+      path: log.path,
+      routePath: log.routePath ?? null,
+      status: log.status,
+      callerId: log.callerId ?? null,
+      callerSource: log.callerSource ?? null,
+      callerConfidence: log.callerConfidence,
+      occurredAt: log.occurredAt,
+      createdAt: log.createdAt
+    });
+  }
+  async listGatewayLogs(filters) {
+    const limit = filters.limit ?? 50;
+    const offset = filters.offset ?? 0;
+    let query = this.db.select().from(httpLogs2);
+    const conditions = [];
+    if (filters.gatewayConfigName) {
+      conditions.push(eq2(httpLogs2.gatewayConfigName, filters.gatewayConfigName));
+    }
+    if (filters.environment) {
+      conditions.push(eq2(httpLogs2.environment, filters.environment));
+    }
+    if (filters.path) {
+      conditions.push(eq2(httpLogs2.path, filters.path));
+    }
+    if (filters.method) {
+      conditions.push(eq2(httpLogs2.method, filters.method));
+    }
+    if (filters.status !== void 0) {
+      conditions.push(eq2(httpLogs2.status, filters.status));
+    }
+    if (filters.from) {
+      conditions.push(sql2`${httpLogs2.occurredAt} >= ${filters.from}`);
+    }
+    if (filters.to) {
+      conditions.push(sql2`${httpLogs2.occurredAt} <= ${filters.to}`);
+    }
+    if (conditions.length > 0) {
+      query = query.where(and2(...conditions));
+    }
+    const countResult = await this.db.select({ count: sql2`count(*)` }).from(httpLogs2).where(conditions.length > 0 ? and2(...conditions) : void 0);
+    const total = countResult[0]?.count ?? 0;
+    const rows = await query.orderBy(desc2(httpLogs2.occurredAt)).limit(limit).offset(offset);
+    return {
+      logs: rows.map((r) => ({
+        id: r.id,
+        provider: r.provider,
+        gatewayConfigName: r.gatewayConfigName,
+        environment: r.environment,
+        method: r.method,
+        path: r.path,
+        routePath: r.routePath ?? void 0,
+        status: r.status,
+        callerId: r.callerId ?? void 0,
+        callerSource: r.callerSource ?? void 0,
+        callerConfidence: r.callerConfidence,
+        occurredAt: r.occurredAt,
+        createdAt: r.createdAt
+      })),
+      total
+    };
+  }
+  async getGatewayLog(id) {
+    const rows = await this.db.select().from(httpLogs2).where(eq2(httpLogs2.id, id)).limit(1);
+    if (rows.length === 0) return null;
+    const r = rows[0];
+    return {
+      id: r.id,
+      provider: r.provider,
+      gatewayConfigName: r.gatewayConfigName,
+      environment: r.environment,
+      method: r.method,
+      path: r.path,
+      routePath: r.routePath ?? void 0,
+      status: r.status,
+      callerId: r.callerId ?? void 0,
+      callerSource: r.callerSource ?? void 0,
+      callerConfidence: r.callerConfidence,
+      occurredAt: r.occurredAt,
+      createdAt: r.createdAt
+    };
+  }
+  async getGatewayLogStats(_filters) {
+    const conditions = [];
+    if (_filters.gatewayConfigName) {
+      conditions.push(eq2(httpLogs2.gatewayConfigName, _filters.gatewayConfigName));
+    }
+    if (_filters.environment) {
+      conditions.push(eq2(httpLogs2.environment, _filters.environment));
+    }
+    if (_filters.from) {
+      conditions.push(sql2`${httpLogs2.occurredAt} >= ${_filters.from}`);
+    }
+    if (_filters.to) {
+      conditions.push(sql2`${httpLogs2.occurredAt} <= ${_filters.to}`);
+    }
+    const whereClause = conditions.length > 0 ? and2(...conditions) : void 0;
+    const rows = await this.db.select({
+      gatewayConfigName: httpLogs2.gatewayConfigName,
+      environment: httpLogs2.environment,
+      method: httpLogs2.method,
+      routePath: httpLogs2.routePath,
+      lastSeenAt: sql2`max(${httpLogs2.occurredAt})`,
+      totalCalls: sql2`count(*)`,
+      uniqueCallerIds: sql2`count(distinct ${httpLogs2.callerId})`
+    }).from(httpLogs2).where(whereClause).groupBy(httpLogs2.gatewayConfigName, httpLogs2.environment, httpLogs2.method, httpLogs2.routePath);
+    return rows.map((r) => ({
+      gatewayConfigName: r.gatewayConfigName,
+      environment: r.environment,
+      method: r.method,
+      routePath: r.routePath ?? "/",
+      lastSeenAt: new Date(r.lastSeenAt),
+      totalCalls: r.totalCalls,
+      uniqueCallerIds: r.uniqueCallerIds
+    }));
+  }
+  async deleteGatewayLogsOlderThan(days) {
+    const cutoff = /* @__PURE__ */ new Date();
+    cutoff.setDate(cutoff.getDate() - days);
+    await this.db.delete(httpLogs2).where(sql2`${httpLogs2.occurredAt} < ${cutoff}`);
+  }
+};
+
+// src/registry/serve.ts
+async function startServer(userConfig) {
+  const config = { ...defaultConfig, ...userConfig };
+  let store;
+  if (config.database === "postgresql") {
+    if (!config.postgresUrl) {
+      throw new Error("PostgreSQL database requested but no postgresUrl provided.");
+    }
+    store = new PostgreSQLSpecStore(config.postgresUrl);
+  } else {
+    const sqlitePath = config.sqlitePath ?? path9.join(
+      process.env.HOME || process.env.USERPROFILE || ".",
+      ".grapity",
+      "registry.db"
+    );
+    const dir = path9.dirname(sqlitePath);
+    if (!fs9.existsSync(dir)) {
+      fs9.mkdirSync(dir, { recursive: true });
+    }
+    store = new SQLiteSpecStore(sqlitePath);
+  }
+  await store.migrate();
+  const app = createApp(config, store);
+  const server = serve({
+    fetch: app.fetch,
+    port: config.port
+  });
+  return { app, store, server };
+}
+if (process.argv[1] === new URL(import.meta.url).pathname) {
+  startServer();
+}
+
+// src/hub/serve.ts
+import { Hono as Hono23 } from "hono";
+import { serveStatic } from "@hono/node-server/serve-static";
+import { serve as serve2 } from "@hono/node-server";
+import path10 from "path";
+import fs10 from "fs";
+
+// src/hub/paths.ts
+var HUB_DIST_PATH = new URL(
+  "../../dist",
+  import.meta.url
+).pathname;
+
+// src/hub/serve.ts
+var DEFAULT_PORT = 3e3;
+var DEFAULT_REGISTRY_URL = "http://localhost:3750";
+async function startHubServer(userConfig) {
+  const config = {
+    port: userConfig?.port ?? DEFAULT_PORT,
+    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL,
+    auth: userConfig?.auth
+  };
+  const app = new Hono23();
+  app.get("/config.js", (c2) => {
+    const clientConfig = {
+      registryUrl: config.registryUrl,
+      auth: config.auth ? {
+        mode: config.auth.mode,
+        serverUrl: config.auth.serverUrl,
+        realm: config.auth.realm,
+        clientId: config.auth.clientId,
+        audience: config.auth.audience
+      } : void 0
+    };
+    c2.header("Content-Type", "application/javascript");
+    return c2.body(
+      `window.__GRAPITY_CONFIG__ = ${JSON.stringify(clientConfig)};`
+    );
+  });
+  app.use("/v1/*", async (c2) => {
+    const url = new URL(c2.req.url);
+    const targetUrl = config.registryUrl + url.pathname + url.search;
+    const headers = new Headers(c2.req.raw.headers);
+    headers.delete("host");
+    const response = await fetch(targetUrl, {
+      method: c2.req.method,
+      headers,
+      body: c2.req.raw.body
+    });
+    return response;
+  });
+  app.use("/*", serveStatic({ root: HUB_DIST_PATH }));
+  app.get("/*", async (c2) => {
+    const indexPath = path10.join(HUB_DIST_PATH, "index.html");
+    if (!fs10.existsSync(indexPath)) {
+      return c2.text(
+        "index.html not found. Build the project with 'bun run build' first.",
+        404
+      );
+    }
+    const html = fs10.readFileSync(indexPath, "utf-8");
+    const configScript = `
+    <script src="/config.js"></script>
+  `;
+    const injected = html.replace(
+      "</head>",
+      `${configScript}</head>`
+    );
+    return c2.html(injected);
+  });
+  serve2({
+    fetch: app.fetch,
+    port: config.port
+  });
+}
+if (process.argv[1] === new URL(import.meta.url).pathname) {
+  startHubServer();
+}
+
+// src/cli/commands/serve.ts
+function resolveServerConfig(cliOptions, cliConfig) {
+  if (cliConfig.mode === "remote") {
+    throw new Error(
+      `grapity serve is for local mode only. Your config is set to remote (${cliConfig.remote?.url ?? "no URL"}). Use grapity serve on the machine running the local registry.`
+    );
+  }
+  const envUrl = process.env.GRAPITY_DATABASE_URL;
+  const local = cliConfig.local;
+  const dbValue = envUrl ?? local?.postgresUrl;
+  const base = { port: cliOptions.port };
+  if (dbValue && isPostgresqlUrl(dbValue)) {
+    base.database = "postgresql";
+    base.postgresUrl = dbValue;
+  } else {
+    base.database = "sqlite";
+    base.sqlitePath = dbValue ?? local?.sqlitePath ?? path11.join(os4.homedir(), ".grapity", "registry.db");
+  }
+  if (cliOptions.noAuth) {
+    base.auth = { mode: "none" };
+  } else {
+    base.auth = resolveAuthConfig(local?.auth);
+  }
+  return base;
+}
+function resolveAuthConfig(authConfig) {
+  if (!authConfig || authConfig.mode === "none") {
+    throw new Error(
+      "Authentication is required by default. Configure it with: grapity init --local --auth keycloak ...\nOr run with: grapity serve --no-auth"
+    );
+  }
+  if (!authConfig.serverUrl) {
+    throw new Error(
+      "Keycloak auth is configured but serverUrl is missing. Run grapity init --local --auth keycloak --keycloak-server <url> ..."
+    );
+  }
+  if (!authConfig.realm) {
+    throw new Error(
+      "Keycloak auth is configured but realm is missing. Run grapity init --local --auth keycloak --keycloak-realm <realm> ..."
+    );
+  }
+  return {
+    mode: "keycloak",
+    serverUrl: authConfig.serverUrl.replace(/\/$/, ""),
+    realm: authConfig.realm,
+    audience: authConfig.audience,
+    roleSource: authConfig.roleSource
+  };
+}
+async function verifyKeycloakReachable(serverUrl, realm) {
+  const url = `${serverUrl}/realms/${realm}/.well-known/openid-configuration`;
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(5e3) });
+    if (!res.ok) {
+      throw new Error(`Keycloak returned ${res.status}`);
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    throw new Error(
+      `Keycloak is not reachable at ${url}: ${message}
+See https://grapity.dev/docs/cli-reference/init#local-mode-with-keycloak to set up a local Keycloak server.
+Or run with: grapity serve --no-auth`
+    );
+  }
+}
+function formatDatabaseConnectionError(err) {
+  return formatError(
+    "PostgreSQL is not reachable",
+    err.message,
+    [
+      "Make sure PostgreSQL is running and accessible.",
+      "Check the database URL in ~/.grapity/config.yaml or GRAPITY_DATABASE_URL."
+    ]
+  );
+}
+function createServeCommand(version2) {
+  return new Command20("serve").description("Start the local grapity registry server").option("-p, --port <port>", "Port to listen on", "3750").option("--hub-port <port>", "Port for the developer portal (Hub)", "3000").option("--no-hub", "Skip starting the developer portal").option("--no-auth", "Start without authentication").action(async (options) => {
+    const port = parseInt(options.port, 10);
+    const hubPort = parseInt(options.hubPort, 10);
+    const startHub = options.hub !== false;
+    const noAuth = options.auth === false;
+    if (!configExists()) {
+      console.error(
+        formatError(
+          "not initialized",
+          "Run grapity init first to configure the local registry.",
+          ["Example: grapity init --local"]
+        )
+      );
+      process.exit(1);
+    }
+    const cliConfig = getConfig();
+    let serverConfig;
+    try {
+      serverConfig = resolveServerConfig({ port, noAuth }, cliConfig);
+    } catch (err) {
+      console.error(formatError("invalid config", err.message));
+      process.exit(1);
+    }
+    if (serverConfig.auth?.mode === "keycloak" && !noAuth) {
+      try {
+        await verifyKeycloakReachable(
+          serverConfig.auth.serverUrl,
+          serverConfig.auth.realm
+        );
+      } catch (err) {
+        console.error(formatError("keycloak unreachable", err.message));
+        process.exit(1);
+      }
+    }
+    console.log(formatHeader("grapity", `v${version2}`));
+    console.log("");
+    console.log(formatHeader("grapity Registry"));
+    console.log("");
+    console.log(
+      formatServeConfig({
+        port,
+        database: serverConfig.database,
+        dbPath: serverConfig.sqlitePath,
+        postgresUrl: serverConfig.postgresUrl,
+        authMode: serverConfig.auth?.mode,
+        keycloakServer: serverConfig.auth?.mode === "keycloak" ? serverConfig.auth.serverUrl : void 0,
+        keycloakRealm: serverConfig.auth?.mode === "keycloak" ? serverConfig.auth.realm : void 0,
+        keycloakAudience: serverConfig.auth?.mode === "keycloak" ? serverConfig.auth.audience : void 0
+      })
+    );
+    console.log("");
+    let store;
+    try {
+      const started = await startServer(serverConfig);
+      store = started.store;
+    } catch (err) {
+      if (err instanceof DatabaseConnectionError) {
+        console.error(formatDatabaseConnectionError(err));
+      } else {
+        console.error(formatError("failed to start server", err.message));
+      }
+      process.exit(1);
+    }
+    console.log(formatReady(port));
+    if (startHub) {
+      console.log("");
+      console.log(formatHeader("grapity Hub"));
+      console.log("");
+      console.log(
+        formatHubConfig({
+          port: hubPort,
+          registryUrl: `http://localhost:${port}`
+        })
+      );
+      console.log("");
+      await startHubServer({
+        port: hubPort,
+        registryUrl: `http://localhost:${port}`,
+        auth: serverConfig.auth?.mode === "keycloak" ? {
+          mode: "keycloak",
+          serverUrl: serverConfig.auth.serverUrl,
+          realm: serverConfig.auth.realm,
+          clientId: "grapity-hub",
+          audience: serverConfig.auth.audience
+        } : void 0
+      });
+      console.log(formatHubReady(hubPort));
+    }
+    process.on("SIGINT", async () => {
       console.log("");
       console.log(formatShutdown());
+      if ("end" in store && typeof store.end === "function") {
+        await store.end();
+      }
       process.exit(0);
     });
   });
@@ -5088,7 +6221,7 @@ function createServeCommand(_version) {
 import { createRequire } from "module";
 var require2 = createRequire(import.meta.url);
 var { version } = require2("../../package.json");
-var program = new Command20();
+var program = new Command21();
 program.name("grapity").description("grapity - API spec registry and compatibility guardian").version(version).addHelpText(
   "after",
   "\nDocumentation: https://grapity.dev/docs/getting-started/quickstart"
@@ -5096,5 +6229,6 @@ program.name("grapity").description("grapity - API spec registry and compatibili
 program.addCommand(registryCommand);
 program.addCommand(gatewayCommand);
 program.addCommand(initCommand);
+program.addCommand(authCommand);
 program.addCommand(createServeCommand(version));
 program.parse();