@grapity/grapity 0.2.0 → 0.4.0

package/dist/hub/index.js

@@ -17,15 +17,34 @@ var DEFAULT_REGISTRY_URL = "http://localhost:3750";
 async function startHubServer(userConfig) {
   const config = {
     port: userConfig?.port ?? DEFAULT_PORT,
-    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL
+    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL,
+    auth: userConfig?.auth
   };
   const app = new Hono();
+  app.get("/config.js", (c) => {
+    const clientConfig = {
+      registryUrl: config.registryUrl,
+      auth: config.auth ? {
+        mode: config.auth.mode,
+        serverUrl: config.auth.serverUrl,
+        realm: config.auth.realm,
+        clientId: config.auth.clientId,
+        audience: config.auth.audience
+      } : void 0
+    };
+    c.header("Content-Type", "application/javascript");
+    return c.body(
+      `window.__GRAPITY_CONFIG__ = ${JSON.stringify(clientConfig)};`
+    );
+  });
   app.use("/v1/*", async (c) => {
     const url = new URL(c.req.url);
     const targetUrl = config.registryUrl + url.pathname + url.search;
+    const headers = new Headers(c.req.raw.headers);
+    headers.delete("host");
     const response = await fetch(targetUrl, {
       method: c.req.method,
-      headers: c.req.raw.headers,
+      headers,
       body: c.req.raw.body
     });
     return response;
@@ -33,13 +52,21 @@ async function startHubServer(userConfig) {
   app.use("/*", serveStatic({ root: HUB_DIST_PATH }));
   app.get("/*", async (c) => {
     const indexPath = path.join(HUB_DIST_PATH, "index.html");
-    if (fs.existsSync(indexPath)) {
-      return c.html(fs.readFileSync(indexPath, "utf-8"));
+    if (!fs.existsSync(indexPath)) {
+      return c.text(
+        "index.html not found. Build the project with 'bun run build' first.",
+        404
+      );
     }
-    return c.text(
-      "index.html not found. Build the project with 'bun run build' first.",
-      404
+    const html = fs.readFileSync(indexPath, "utf-8");
+    const configScript = `
+    <script src="/config.js"></script>
+  `;
+    const injected = html.replace(
+      "</head>",
+      `${configScript}</head>`
     );
+    return c.html(injected);
   });
   serve({
     fetch: app.fetch,

package/dist/hub/serve.d.ts

@@ -1,7 +1,15 @@
+interface HubAuthConfig {
+    mode: "keycloak";
+    serverUrl: string;
+    realm: string;
+    clientId: string;
+    audience?: string;
+}
 interface HubConfig {
     port?: number;
     registryUrl?: string;
+    auth?: HubAuthConfig;
 }
 declare function startHubServer(userConfig?: Partial<HubConfig>): Promise<void>;
 
-export { type HubConfig, startHubServer };
+export { type HubAuthConfig, type HubConfig, startHubServer };

package/dist/hub/serve.js

@@ -17,15 +17,34 @@ var DEFAULT_REGISTRY_URL = "http://localhost:3750";
 async function startHubServer(userConfig) {
   const config = {
     port: userConfig?.port ?? DEFAULT_PORT,
-    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL
+    registryUrl: userConfig?.registryUrl ?? DEFAULT_REGISTRY_URL,
+    auth: userConfig?.auth
   };
   const app = new Hono();
+  app.get("/config.js", (c) => {
+    const clientConfig = {
+      registryUrl: config.registryUrl,
+      auth: config.auth ? {
+        mode: config.auth.mode,
+        serverUrl: config.auth.serverUrl,
+        realm: config.auth.realm,
+        clientId: config.auth.clientId,
+        audience: config.auth.audience
+      } : void 0
+    };
+    c.header("Content-Type", "application/javascript");
+    return c.body(
+      `window.__GRAPITY_CONFIG__ = ${JSON.stringify(clientConfig)};`
+    );
+  });
   app.use("/v1/*", async (c) => {
     const url = new URL(c.req.url);
     const targetUrl = config.registryUrl + url.pathname + url.search;
+    const headers = new Headers(c.req.raw.headers);
+    headers.delete("host");
     const response = await fetch(targetUrl, {
       method: c.req.method,
-      headers: c.req.raw.headers,
+      headers,
       body: c.req.raw.body
     });
     return response;
@@ -33,13 +52,21 @@ async function startHubServer(userConfig) {
   app.use("/*", serveStatic({ root: HUB_DIST_PATH }));
   app.get("/*", async (c) => {
     const indexPath = path.join(HUB_DIST_PATH, "index.html");
-    if (fs.existsSync(indexPath)) {
-      return c.html(fs.readFileSync(indexPath, "utf-8"));
+    if (!fs.existsSync(indexPath)) {
+      return c.text(
+        "index.html not found. Build the project with 'bun run build' first.",
+        404
+      );
     }
-    return c.text(
-      "index.html not found. Build the project with 'bun run build' first.",
-      404
+    const html = fs.readFileSync(indexPath, "utf-8");
+    const configScript = `
+    <script src="/config.js"></script>
+  `;
+    const injected = html.replace(
+      "</head>",
+      `${configScript}</head>`
     );
+    return c.html(injected);
   });
   serve({
     fetch: app.fetch,

package/dist/index.html

@@ -9,8 +9,9 @@
     <link rel="preconnect" href="https://fonts.googleapis.com" />
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
     <link href="https://fonts.googleapis.com/css2?family=Space+Grotesk:wght@400;500;600;700&family=Inter:wght@400;500;600&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet" />
-    <script type="module" crossorigin src="/assets/index-Dq5tdnlb.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-NJpHAonA.css">
+    <script src="/config.js"></script>
+    <script type="module" crossorigin src="/assets/index-JAhtTTW2.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-LDlidn22.css">
   </head>
   <body>
     <div id="root"></div>

package/dist/registry/{index-Baj_sSgl.d.ts → index-Bx-7YlUF.d.ts}

@@ -191,28 +191,35 @@ interface GatewayConfigStore {
     deleteGatewayLogsOlderThan(days: number): Promise<void>;
 }
 
+type RoleSource = "scope" | "realm_access.roles";
+interface KeycloakAuthConfig {
+    mode: "keycloak";
+    serverUrl: string;
+    realm: string;
+    audience?: string;
+    roleSource?: RoleSource;
+}
+type AuthConfig = {
+    mode: "none";
+} | KeycloakAuthConfig;
+
+type DatabaseBackend = "sqlite" | "postgresql";
 interface ServerConfig {
     port: number;
-    database: "sqlite" | "postgresql";
+    database: DatabaseBackend;
     sqlitePath?: string;
     postgresUrl?: string;
-    gracePeriodDays: number;
-    auth?: {
-        mode: "none" | "api-key" | "jwt";
-        apiKeyHashes?: string[];
-        jwtSecret?: string;
-    };
-    audit?: {
-        enabled: boolean;
-    };
+    auth: AuthConfig;
 }
 
 type AppEnv = {
     Variables: {
         store: SpecStore & GatewayConfigStore;
         config: ServerConfig;
+        actor?: string;
+        claims?: Record<string, unknown>;
     };
 };
 declare function createApp(config: ServerConfig, store: SpecStore & GatewayConfigStore): Hono<AppEnv, hono_types.BlankSchema, "/">;
 
-export { type AppEnv as A, type ServerConfig as S, createApp as c };
+export { type AuditAction as A, type CompatReport as C, type GatewayConfigStore as G, type Provision as P, type SpecStore as S, type Spec as a, type SpecVersion as b, type SpecFilters as c, type GatewayConfig as d, type GatewayConfigVersion as e, type GatewayLog as f, type GatewayLogFilters as g, type GatewayLogStats as h, createApp as i, type ServerConfig as j };

package/dist/registry/index.d.ts

@@ -1,3 +1,3 @@
-export { S as ServerConfig, c as createApp } from './index-Baj_sSgl.js';
+export { j as ServerConfig, i as createApp } from './index-Bx-7YlUF.js';
 import 'hono/types';
 import 'hono';

package/dist/registry/index.js

@@ -1751,6 +1751,7 @@ var pushRoute = new Hono().post("/", async (c) => {
   }
   const store = c.get("store");
   const service = new RegistryService(store);
+  const actor = c.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushSpec(body.content, body.name, {
       type: body.type,
@@ -1759,7 +1760,7 @@ var pushRoute = new Hono().post("/", async (c) => {
       sourceRepo: body.sourceRepo,
       tags: Array.isArray(body.tags) ? body.tags : void 0,
       gitRef: body.gitRef,
-      pushedBy: body.pushedBy,
+      pushedBy: actor,
       prerelease: body.prerelease,
       force: body.force,
       reason: body.reason
@@ -1924,7 +1925,8 @@ var deleteSpecRoute = new Hono5().delete(
     const name = c.req.param("name");
     const store = c.get("store");
     const service = new RegistryService(store);
-    const deleted = await service.deleteSpec(name);
+    const actor = c.get("actor");
+    const deleted = await service.deleteSpec(name, actor);
     if (!deleted) {
       return c.json({ error: "not_found", message: `Spec "${name}" not found`, statusCode: 404 }, 404);
     }
@@ -2525,8 +2527,7 @@ function switchTab(tab) {
 }
 var welcomeRoute = new Hono12().get("/", (c) => {
   const config = c.get("config");
-  const mode = config.database === "sqlite" ? "local" : "remote";
-  return c.html(buildPage(config.port, mode));
+  return c.html(buildPage(config.port, "local"));
 });
 
 // src/registry/routes/push-gateway-config.ts
@@ -2666,6 +2667,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c) => {
   }
   const store = c.get("store");
   const service = new GatewayService(store, store);
+  const actor = c.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushGatewayConfig({
       name: body.name,
@@ -2676,7 +2678,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c) => {
       environments: body.environments ?? {},
       callerIdentification: body.callerIdentification,
       content: body.content,
-      pushedBy: body.pushedBy
+      pushedBy: actor
     });
     return c.json({ data: result }, 201);
   } catch (err) {
@@ -2867,7 +2869,6 @@ var ingestGatewayLogRoute = new Hono18().post("/ingest/:provider/:environment",
     await service.ingestLog(provider, environment, payload);
     return c.json({ status: "ok" }, 201);
   } catch (err) {
-    console.error("Gateway log ingest error:", err);
     return c.json({
       error: "bad_request",
       message: err instanceof Error ? err.message : "Invalid log payload",
@@ -2942,7 +2943,137 @@ var gatewayLogStatsRoute = new Hono21().get("/stats", async (c) => {
   });
 });
 
+// src/registry/auth/middleware.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+var AuthError = class extends Error {
+  constructor(statusCode, code, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.name = "AuthError";
+  }
+  statusCode;
+  code;
+};
+function buildKeycloakUrls(config) {
+  const base = `${config.serverUrl}/realms/${config.realm}`;
+  return {
+    issuer: base,
+    jwksUri: `${base}/protocol/openid-connect/certs`,
+    tokenUrl: `${base}/protocol/openid-connect/token`
+  };
+}
+function createAuthMiddleware(config, routeScopes) {
+  if (config.auth?.mode !== "keycloak") {
+    return async (_c, next) => await next();
+  }
+  const authConfig = config.auth;
+  const { issuer, jwksUri } = buildKeycloakUrls(authConfig);
+  const jwks = createRemoteJWKSet(new URL(jwksUri));
+  const scopeByRoute = /* @__PURE__ */ new Map();
+  for (const route of routeScopes) {
+    const key = `${route.method.toUpperCase()}:${route.path}`;
+    scopeByRoute.set(key, {
+      operationId: route.operationId,
+      scopes: route.scopes
+    });
+  }
+  return async (c, next) => {
+    const matchedPath = c.req.matchedRoutes.map((r) => r.path).filter((p) => p !== "/*").pop();
+    const routeKey = matchedPath ? `${c.req.method}:${matchedPath}` : `${c.req.method}:${c.req.routePath}`;
+    const required = scopeByRoute.get(routeKey);
+    if (!required || required.scopes.length === 0) {
+      return await next();
+    }
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    const token = authHeader.slice("Bearer ".length).trim();
+    if (!token) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    let payload;
+    try {
+      const result = await jwtVerify(token, jwks, {
+        issuer,
+        audience: authConfig.audience
+      });
+      payload = result.payload;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid token";
+      throw new AuthError(401, "unauthorized", `Invalid or expired token: ${message}`);
+    }
+    const subject = payload.sub;
+    if (!subject) {
+      throw new AuthError(401, "unauthorized", "Token missing subject claim");
+    }
+    const grantedScopes = extractScopes(payload, authConfig.roleSource ?? "scope");
+    const missing = required.scopes.filter((s) => !grantedScopes.has(s));
+    if (missing.length > 0) {
+      throw new AuthError(
+        403,
+        "forbidden",
+        `Missing required scope${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`
+      );
+    }
+    c.set("actor", subject);
+    c.set("claims", payload);
+    await next();
+  };
+}
+function extractScopes(payload, source) {
+  if (source === "realm_access.roles") {
+    const roles = payload.realm_access?.roles;
+    return new Set(roles ?? []);
+  }
+  const scopeValue = payload.scope;
+  if (typeof scopeValue === "string") {
+    return new Set(scopeValue.split(/\s+/).filter(Boolean));
+  }
+  return /* @__PURE__ */ new Set();
+}
+function parseRouteScopes(spec) {
+  const routes = [];
+  const paths = spec.paths;
+  if (!paths) return routes;
+  for (const [path, operations] of Object.entries(paths)) {
+    for (const [method, operation] of Object.entries(operations)) {
+      if (typeof operation !== "object" || operation === null) continue;
+      const op = operation;
+      const operationId = op.operationId;
+      if (!operationId) continue;
+      const security = op.security;
+      const scopes = [];
+      if (security) {
+        for (const sec of security) {
+          for (const [name, required] of Object.entries(sec)) {
+            if (name === "keycloak" && Array.isArray(required)) {
+              scopes.push(...required);
+            }
+          }
+        }
+      }
+      routes.push({
+        method: method.toUpperCase(),
+        path: path.replace(/\{([^}]+)\}/g, ":$1"),
+        operationId,
+        scopes
+      });
+    }
+  }
+  return routes;
+}
+
 // src/registry/server.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import yaml6 from "js-yaml";
+function loadOpenApiSpec() {
+  const path = fileURLToPath(new URL("../../openapi.yaml", import.meta.url));
+  const content = readFileSync(path, "utf-8");
+  return yaml6.load(content);
+}
 function createApp(config, store) {
   const app = new Hono22();
   app.use("*", logger());
@@ -2953,6 +3084,21 @@ function createApp(config, store) {
     c.set("config", config);
     await next();
   });
+  const routeScopes = parseRouteScopes(loadOpenApiSpec());
+  app.use("*", createAuthMiddleware(config, routeScopes));
+  app.onError((err, c) => {
+    if (err instanceof AuthError) {
+      return c.json(
+        { error: err.code, message: err.message, statusCode: err.statusCode },
+        err.statusCode
+      );
+    }
+    console.error("Unhandled error:", err);
+    return c.json(
+      { error: "internal_error", message: "Internal server error", statusCode: 500 },
+      500
+    );
+  });
   app.route("/v1/specs", pushRoute);
   app.route("/v1/specs", validateRoute);
   app.route("/v1/specs", listRoute);

package/dist/registry/serve.d.ts

@@ -1,7 +1,98 @@
-import * as hono from 'hono';
-import * as hono_types from 'hono/types';
-import { S as ServerConfig, A as AppEnv } from './index-Baj_sSgl.js';
+import { ServerType } from '@hono/node-server';
+import { S as SpecStore, G as GatewayConfigStore, a as Spec, b as SpecVersion, c as SpecFilters, C as CompatReport, A as AuditAction, d as GatewayConfig, e as GatewayConfigVersion, P as Provision, f as GatewayLog, g as GatewayLogFilters, h as GatewayLogStats, i as createApp, j as ServerConfig } from './index-Bx-7YlUF.js';
+import 'hono/types';
+import 'hono';
 
-declare function startServer(userConfig?: Partial<ServerConfig>): Promise<hono.Hono<AppEnv, hono_types.BlankSchema, "/">>;
+declare class SQLiteSpecStore implements SpecStore, GatewayConfigStore {
+    private db;
+    constructor(dbPath: string);
+    migrate(): Promise<void>;
+    getSpec(name: string): Promise<Spec | null>;
+    getSpecVersion(name: string, semver: string): Promise<SpecVersion | null>;
+    getLatestVersion(name: string): Promise<SpecVersion | null>;
+    listSpecs(filters?: SpecFilters): Promise<Spec[]>;
+    listVersions(name: string, options?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<{
+        versions: SpecVersion[];
+        total: number;
+    }>;
+    pushSpecVersion(spec: Spec, version: SpecVersion): Promise<SpecVersion>;
+    deleteSpec(name: string): Promise<boolean>;
+    getCompatReport(name: string, semver: string): Promise<CompatReport | null>;
+    logAudit(action: AuditAction, actor: string, specName: string, version: string | undefined, details: Record<string, unknown> | undefined): Promise<void>;
+    private mapSpecRow;
+    private mapVersionRow;
+    getGatewayConfig(name: string): Promise<GatewayConfig | null>;
+    listGatewayConfigs(): Promise<GatewayConfig[]>;
+    getGatewayConfigVersion(name: string, versionId: string): Promise<GatewayConfigVersion | null>;
+    getLatestGatewayConfigVersion(name: string): Promise<GatewayConfigVersion | null>;
+    listGatewayConfigVersions(name: string): Promise<GatewayConfigVersion[]>;
+    pushGatewayConfigVersion(config: GatewayConfig, version: GatewayConfigVersion): Promise<GatewayConfigVersion>;
+    recordProvision(provision: Provision): Promise<void>;
+    listProvisions(gatewayConfigName?: string): Promise<Provision[]>;
+    private mapGatewayConfigRow;
+    private mapGatewayConfigVersionRow;
+    recordGatewayLog(log: GatewayLog): Promise<void>;
+    listGatewayLogs(filters: GatewayLogFilters): Promise<{
+        logs: GatewayLog[];
+        total: number;
+    }>;
+    getGatewayLog(id: string): Promise<GatewayLog | null>;
+    getGatewayLogStats(_filters: GatewayLogFilters): Promise<GatewayLogStats[]>;
+    deleteGatewayLogsOlderThan(days: number): Promise<void>;
+}
 
-export { ServerConfig, startServer };
+declare class PostgreSQLSpecStore implements SpecStore, GatewayConfigStore {
+    private db;
+    private pool;
+    private postgresUrl;
+    constructor(postgresUrl: string);
+    migrate(): Promise<void>;
+    end(): Promise<void>;
+    getSpec(name: string): Promise<Spec | null>;
+    getSpecVersion(name: string, semver: string): Promise<SpecVersion | null>;
+    getLatestVersion(name: string): Promise<SpecVersion | null>;
+    listSpecs(filters?: SpecFilters): Promise<Spec[]>;
+    listVersions(name: string, options?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<{
+        versions: SpecVersion[];
+        total: number;
+    }>;
+    pushSpecVersion(spec: Spec, version: SpecVersion): Promise<SpecVersion>;
+    deleteSpec(name: string): Promise<boolean>;
+    getCompatReport(name: string, semver: string): Promise<CompatReport | null>;
+    logAudit(action: AuditAction, actor: string, specName: string, version: string | undefined, details: Record<string, unknown> | undefined): Promise<void>;
+    private mapSpecRow;
+    private mapVersionRow;
+    getGatewayConfig(name: string): Promise<GatewayConfig | null>;
+    listGatewayConfigs(): Promise<GatewayConfig[]>;
+    getGatewayConfigVersion(name: string, versionId: string): Promise<GatewayConfigVersion | null>;
+    getLatestGatewayConfigVersion(name: string): Promise<GatewayConfigVersion | null>;
+    listGatewayConfigVersions(name: string): Promise<GatewayConfigVersion[]>;
+    pushGatewayConfigVersion(config: GatewayConfig, version: GatewayConfigVersion): Promise<GatewayConfigVersion>;
+    recordProvision(provision: Provision): Promise<void>;
+    listProvisions(gatewayConfigName?: string): Promise<Provision[]>;
+    private mapGatewayConfigRow;
+    private mapGatewayConfigVersionRow;
+    recordGatewayLog(log: GatewayLog): Promise<void>;
+    listGatewayLogs(filters: GatewayLogFilters): Promise<{
+        logs: GatewayLog[];
+        total: number;
+    }>;
+    getGatewayLog(id: string): Promise<GatewayLog | null>;
+    getGatewayLogStats(_filters: GatewayLogFilters): Promise<GatewayLogStats[]>;
+    deleteGatewayLogsOlderThan(days: number): Promise<void>;
+}
+
+interface RunningServer {
+    app: ReturnType<typeof createApp>;
+    store: SQLiteSpecStore | PostgreSQLSpecStore;
+    server: ServerType;
+}
+declare function startServer(userConfig?: Partial<ServerConfig>): Promise<RunningServer>;
+
+export { type RunningServer, ServerConfig, startServer };