@grapity/grapity 0.2.0 → 0.4.0

package/dist/registry/serve.js

@@ -1635,9 +1635,9 @@ var RegistryService = class {
     return { spec, version, compatReport, isNewSpec };
   }
   async listSpecs(filters) {
-    const specs2 = await this.store.listSpecs(filters);
+    const specs3 = await this.store.listSpecs(filters);
     return Promise.all(
-      specs2.map(async (spec) => {
+      specs3.map(async (spec) => {
         const latestVersion = await this.store.getLatestVersion(spec.name);
         return { ...spec, latestVersion: latestVersion ?? void 0 };
       })
@@ -1756,6 +1756,7 @@ var pushRoute = new Hono().post("/", async (c) => {
   }
   const store = c.get("store");
   const service = new RegistryService(store);
+  const actor = c.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushSpec(body.content, body.name, {
       type: body.type,
@@ -1764,7 +1765,7 @@ var pushRoute = new Hono().post("/", async (c) => {
       sourceRepo: body.sourceRepo,
       tags: Array.isArray(body.tags) ? body.tags : void 0,
       gitRef: body.gitRef,
-      pushedBy: body.pushedBy,
+      pushedBy: actor,
       prerelease: body.prerelease,
       force: body.force,
       reason: body.reason
@@ -1895,8 +1896,8 @@ var listRoute = new Hono3().get("/", async (c) => {
   const type = c.req.query("type");
   const owner = c.req.query("owner");
   const tags = c.req.query("tags")?.split(",");
-  const specs2 = await service.listSpecs({ type, owner, tags });
-  return c.json({ data: specs2 });
+  const specs3 = await service.listSpecs({ type, owner, tags });
+  return c.json({ data: specs3 });
 });
 
 // src/registry/routes/get-spec.ts
@@ -1929,7 +1930,8 @@ var deleteSpecRoute = new Hono5().delete(
     const name = c.req.param("name");
     const store = c.get("store");
     const service = new RegistryService(store);
-    const deleted = await service.deleteSpec(name);
+    const actor = c.get("actor");
+    const deleted = await service.deleteSpec(name, actor);
     if (!deleted) {
       return c.json({ error: "not_found", message: `Spec "${name}" not found`, statusCode: 404 }, 404);
     }
@@ -2530,8 +2532,7 @@ function switchTab(tab) {
 }
 var welcomeRoute = new Hono12().get("/", (c) => {
   const config = c.get("config");
-  const mode = config.database === "sqlite" ? "local" : "remote";
-  return c.html(buildPage(config.port, mode));
+  return c.html(buildPage(config.port, "local"));
 });
 
 // src/registry/routes/push-gateway-config.ts
@@ -2671,6 +2672,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c) => {
   }
   const store = c.get("store");
   const service = new GatewayService(store, store);
+  const actor = c.get("actor") ?? body.pushedBy;
   try {
     const result = await service.pushGatewayConfig({
       name: body.name,
@@ -2681,7 +2683,7 @@ var pushGatewayConfigRoute = new Hono13().post("/", async (c) => {
       environments: body.environments ?? {},
       callerIdentification: body.callerIdentification,
       content: body.content,
-      pushedBy: body.pushedBy
+      pushedBy: actor
     });
     return c.json({ data: result }, 201);
   } catch (err) {
@@ -2872,7 +2874,6 @@ var ingestGatewayLogRoute = new Hono18().post("/ingest/:provider/:environment",
     await service.ingestLog(provider, environment, payload);
     return c.json({ status: "ok" }, 201);
   } catch (err) {
-    console.error("Gateway log ingest error:", err);
     return c.json({
       error: "bad_request",
       message: err instanceof Error ? err.message : "Invalid log payload",
@@ -2947,7 +2948,137 @@ var gatewayLogStatsRoute = new Hono21().get("/stats", async (c) => {
   });
 });
 
+// src/registry/auth/middleware.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+var AuthError = class extends Error {
+  constructor(statusCode, code, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.name = "AuthError";
+  }
+  statusCode;
+  code;
+};
+function buildKeycloakUrls(config) {
+  const base = `${config.serverUrl}/realms/${config.realm}`;
+  return {
+    issuer: base,
+    jwksUri: `${base}/protocol/openid-connect/certs`,
+    tokenUrl: `${base}/protocol/openid-connect/token`
+  };
+}
+function createAuthMiddleware(config, routeScopes) {
+  if (config.auth?.mode !== "keycloak") {
+    return async (_c, next) => await next();
+  }
+  const authConfig = config.auth;
+  const { issuer, jwksUri } = buildKeycloakUrls(authConfig);
+  const jwks = createRemoteJWKSet(new URL(jwksUri));
+  const scopeByRoute = /* @__PURE__ */ new Map();
+  for (const route of routeScopes) {
+    const key = `${route.method.toUpperCase()}:${route.path}`;
+    scopeByRoute.set(key, {
+      operationId: route.operationId,
+      scopes: route.scopes
+    });
+  }
+  return async (c, next) => {
+    const matchedPath = c.req.matchedRoutes.map((r) => r.path).filter((p) => p !== "/*").pop();
+    const routeKey = matchedPath ? `${c.req.method}:${matchedPath}` : `${c.req.method}:${c.req.routePath}`;
+    const required = scopeByRoute.get(routeKey);
+    if (!required || required.scopes.length === 0) {
+      return await next();
+    }
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    const token = authHeader.slice("Bearer ".length).trim();
+    if (!token) {
+      throw new AuthError(401, "unauthorized", "Bearer token required");
+    }
+    let payload;
+    try {
+      const result = await jwtVerify(token, jwks, {
+        issuer,
+        audience: authConfig.audience
+      });
+      payload = result.payload;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid token";
+      throw new AuthError(401, "unauthorized", `Invalid or expired token: ${message}`);
+    }
+    const subject = payload.sub;
+    if (!subject) {
+      throw new AuthError(401, "unauthorized", "Token missing subject claim");
+    }
+    const grantedScopes = extractScopes(payload, authConfig.roleSource ?? "scope");
+    const missing = required.scopes.filter((s) => !grantedScopes.has(s));
+    if (missing.length > 0) {
+      throw new AuthError(
+        403,
+        "forbidden",
+        `Missing required scope${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`
+      );
+    }
+    c.set("actor", subject);
+    c.set("claims", payload);
+    await next();
+  };
+}
+function extractScopes(payload, source) {
+  if (source === "realm_access.roles") {
+    const roles = payload.realm_access?.roles;
+    return new Set(roles ?? []);
+  }
+  const scopeValue = payload.scope;
+  if (typeof scopeValue === "string") {
+    return new Set(scopeValue.split(/\s+/).filter(Boolean));
+  }
+  return /* @__PURE__ */ new Set();
+}
+function parseRouteScopes(spec) {
+  const routes = [];
+  const paths = spec.paths;
+  if (!paths) return routes;
+  for (const [path2, operations] of Object.entries(paths)) {
+    for (const [method, operation] of Object.entries(operations)) {
+      if (typeof operation !== "object" || operation === null) continue;
+      const op = operation;
+      const operationId = op.operationId;
+      if (!operationId) continue;
+      const security = op.security;
+      const scopes = [];
+      if (security) {
+        for (const sec of security) {
+          for (const [name, required] of Object.entries(sec)) {
+            if (name === "keycloak" && Array.isArray(required)) {
+              scopes.push(...required);
+            }
+          }
+        }
+      }
+      routes.push({
+        method: method.toUpperCase(),
+        path: path2.replace(/\{([^}]+)\}/g, ":$1"),
+        operationId,
+        scopes
+      });
+    }
+  }
+  return routes;
+}
+
 // src/registry/server.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import yaml6 from "js-yaml";
+function loadOpenApiSpec() {
+  const path2 = fileURLToPath(new URL("../../openapi.yaml", import.meta.url));
+  const content = readFileSync(path2, "utf-8");
+  return yaml6.load(content);
+}
 function createApp(config, store) {
   const app = new Hono22();
   app.use("*", logger());
@@ -2958,6 +3089,21 @@ function createApp(config, store) {
     c.set("config", config);
     await next();
   });
+  const routeScopes = parseRouteScopes(loadOpenApiSpec());
+  app.use("*", createAuthMiddleware(config, routeScopes));
+  app.onError((err, c) => {
+    if (err instanceof AuthError) {
+      return c.json(
+        { error: err.code, message: err.message, statusCode: err.statusCode },
+        err.statusCode
+      );
+    }
+    console.error("Unhandled error:", err);
+    return c.json(
+      { error: "internal_error", message: "Internal server error", statusCode: 500 },
+      500
+    );
+  });
   app.route("/v1/specs", pushRoute);
   app.route("/v1/specs", validateRoute);
   app.route("/v1/specs", listRoute);
@@ -2986,8 +3132,7 @@ function createApp(config, store) {
 var defaultConfig = {
   port: 3750,
   database: "sqlite",
-  sqlitePath: void 0,
-  gracePeriodDays: 30
+  auth: { mode: "none" }
 };
 
 // src/registry/storage/sqlite.ts
@@ -3493,27 +3638,575 @@ var SQLiteSpecStore = class {
   }
 };
 
+// src/registry/storage/postgresql.ts
+import { Pool } from "pg";
+import { drizzle as drizzle2 } from "drizzle-orm/node-postgres";
+import { migrate as migrate2 } from "drizzle-orm/node-postgres/migrator";
+import { eq as eq2, and as and2, desc as desc2, sql as sql2 } from "drizzle-orm";
+
+// src/registry/storage/schema-pg.ts
+import { pgTable, text as text2, timestamp, boolean, jsonb, index as index2, integer as integer2 } from "drizzle-orm/pg-core";
+var specs2 = pgTable("specs", {
+  id: text2("id").primaryKey(),
+  name: text2("name").notNull().unique(),
+  type: text2("type", { enum: ["openapi", "asyncapi"] }).notNull(),
+  description: text2("description"),
+  owner: text2("owner"),
+  sourceRepo: text2("source_repo"),
+  tags: jsonb("tags").$type().default([]),
+  createdAt: timestamp("created_at").notNull(),
+  updatedAt: timestamp("updated_at").notNull()
+});
+var specVersions2 = pgTable("spec_versions", {
+  id: text2("id").primaryKey(),
+  specId: text2("spec_id").notNull().references(() => specs2.id),
+  semver: text2("semver").notNull(),
+  content: text2("content").notNull(),
+  checksum: text2("checksum").notNull(),
+  gitRef: text2("git_ref"),
+  pushedBy: text2("pushed_by"),
+  compatibility: jsonb("compatibility").$type(),
+  previousVersion: text2("previous_version"),
+  forceReason: text2("force_reason"),
+  isPrerelease: boolean("is_prerelease").notNull().default(false),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_spec_versions_spec_id").on(table.specId),
+  index2("idx_spec_versions_semver").on(table.specId, table.semver)
+]);
+var auditLog2 = pgTable("audit_log", {
+  id: text2("id").primaryKey(),
+  action: text2("action", { enum: ["spec.push", "spec.push.force", "spec.delete"] }).notNull(),
+  actor: text2("actor").notNull(),
+  specName: text2("spec_name").notNull(),
+  version: text2("version"),
+  details: jsonb("details").$type(),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_audit_log_spec_name").on(table.specName),
+  index2("idx_audit_log_created_at").on(table.createdAt)
+]);
+var gatewayConfigs2 = pgTable("gateway_configs", {
+  id: text2("id").primaryKey(),
+  name: text2("name").notNull().unique(),
+  provider: text2("provider", { enum: ["kong"] }).notNull(),
+  specName: text2("spec_name").notNull(),
+  specSemver: text2("spec_semver").notNull(),
+  createdAt: timestamp("created_at").notNull(),
+  updatedAt: timestamp("updated_at").notNull()
+});
+var gatewayConfigVersions2 = pgTable("gateway_config_versions", {
+  id: text2("id").primaryKey(),
+  gatewayConfigId: text2("gateway_config_id").notNull().references(() => gatewayConfigs2.id),
+  routes: jsonb("routes").$type().notNull(),
+  environments: jsonb("environments").$type().notNull(),
+  callerIdentification: jsonb("caller_identification").$type(),
+  content: text2("content").notNull(),
+  checksum: text2("checksum").notNull(),
+  pushedBy: text2("pushed_by"),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_gateway_config_versions_config_id").on(table.gatewayConfigId)
+]);
+var httpLogs2 = pgTable("http_logs", {
+  id: text2("id").primaryKey(),
+  provider: text2("provider").notNull(),
+  gatewayConfigName: text2("gateway_config_name").notNull(),
+  environment: text2("environment").notNull(),
+  method: text2("method").notNull(),
+  path: text2("path").notNull(),
+  routePath: text2("route_path"),
+  status: integer2("status").notNull(),
+  callerId: text2("caller_id"),
+  callerSource: text2("caller_source"),
+  callerConfidence: text2("caller_confidence").notNull(),
+  occurredAt: timestamp("occurred_at").notNull(),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_http_logs_config_env").on(table.gatewayConfigName, table.environment),
+  index2("idx_http_logs_occurred_at").on(table.occurredAt),
+  index2("idx_http_logs_caller").on(table.gatewayConfigName, table.environment, table.callerId)
+]);
+var provisions2 = pgTable("provisions", {
+  id: text2("id").primaryKey(),
+  gatewayConfigName: text2("gateway_config_name").notNull(),
+  gatewayConfigVersion: text2("gateway_config_version").notNull(),
+  environment: text2("environment").notNull(),
+  provider: text2("provider", { enum: ["kong"] }).notNull(),
+  synced: boolean("synced").notNull().default(false),
+  actor: text2("actor").notNull(),
+  details: jsonb("details").$type(),
+  createdAt: timestamp("created_at").notNull()
+}, (table) => [
+  index2("idx_provisions_config_name").on(table.gatewayConfigName),
+  index2("idx_provisions_created_at").on(table.createdAt)
+]);
+
+// src/registry/storage/postgresql.ts
+import { v4 as uuid6 } from "uuid";
+var MIGRATIONS_FOLDER2 = PG_MIGRATIONS_FOLDER;
+var DatabaseConnectionError = class extends Error {
+  constructor(message, postgresUrl, options) {
+    super(message, options);
+    this.postgresUrl = postgresUrl;
+    this.name = "DatabaseConnectionError";
+  }
+  postgresUrl;
+};
+function isConnectionError(err) {
+  if (typeof err !== "object" || err === null) return false;
+  if ("code" in err) {
+    const code = err.code;
+    if (code === "ECONNREFUSED" || code === "ETIMEDOUT" || code === "ENOTFOUND") {
+      return true;
+    }
+  }
+  if (err instanceof AggregateError) {
+    if (err.errors.some(isConnectionError)) return true;
+  }
+  if ("cause" in err && err.cause) {
+    return isConnectionError(err.cause);
+  }
+  return false;
+}
+function maskPostgresPassword(url) {
+  try {
+    const parsed = new URL(url);
+    if (parsed.password) parsed.password = "***";
+    return parsed.toString();
+  } catch {
+    return url;
+  }
+}
+var PostgreSQLSpecStore = class {
+  db;
+  pool;
+  postgresUrl;
+  constructor(postgresUrl) {
+    this.postgresUrl = postgresUrl;
+    this.pool = new Pool({ connectionString: postgresUrl });
+    this.db = drizzle2(this.pool);
+  }
+  async migrate() {
+    try {
+      await migrate2(this.db, {
+        migrationsFolder: MIGRATIONS_FOLDER2
+      });
+    } catch (err) {
+      if (isConnectionError(err)) {
+        throw new DatabaseConnectionError(
+          `PostgreSQL is not reachable at ${maskPostgresPassword(this.postgresUrl)}`,
+          this.postgresUrl,
+          { cause: err }
+        );
+      }
+      throw err;
+    }
+  }
+  async end() {
+    await this.pool.end();
+  }
+  async getSpec(name) {
+    const rows = await this.db.select().from(specs2).where(eq2(specs2.name, name)).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapSpecRow(rows[0]);
+  }
+  async getSpecVersion(name, semver) {
+    const spec = await this.getSpec(name);
+    if (!spec) return null;
+    const rows = await this.db.select().from(specVersions2).where(and2(eq2(specVersions2.specId, spec.id), eq2(specVersions2.semver, semver))).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapVersionRow(rows[0]);
+  }
+  async getLatestVersion(name) {
+    const spec = await this.getSpec(name);
+    if (!spec) return null;
+    const rows = await this.db.select().from(specVersions2).where(eq2(specVersions2.specId, spec.id)).orderBy(desc2(specVersions2.createdAt), desc2(specVersions2.id)).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapVersionRow(rows[0]);
+  }
+  async listSpecs(filters) {
+    const conditions = [];
+    if (filters?.type) conditions.push(eq2(specs2.type, filters.type));
+    if (filters?.owner) conditions.push(eq2(specs2.owner, filters.owner));
+    let rows = conditions.length > 0 ? await this.db.select().from(specs2).where(and2(...conditions)) : await this.db.select().from(specs2);
+    if (filters?.tags && filters.tags.length > 0) {
+      rows = rows.filter((row) => {
+        const rowTags = row.tags ?? [];
+        return filters.tags.every((tag) => rowTags.includes(tag));
+      });
+    }
+    return rows.map((r) => this.mapSpecRow(r));
+  }
+  async listVersions(name, options) {
+    const spec = await this.getSpec(name);
+    if (!spec) return { versions: [], total: 0 };
+    const limit = options?.limit ?? 10;
+    const offset = options?.offset ?? 0;
+    const [countRow] = await this.db.select({ count: sql2`count(*)` }).from(specVersions2).where(eq2(specVersions2.specId, spec.id));
+    const total = Number(countRow?.count ?? 0);
+    const rows = await this.db.select().from(specVersions2).where(eq2(specVersions2.specId, spec.id)).orderBy(desc2(specVersions2.createdAt), desc2(specVersions2.id)).limit(limit).offset(offset);
+    return { versions: rows.map((r) => this.mapVersionRow(r)), total };
+  }
+  async pushSpecVersion(spec, version) {
+    const existingSpec = await this.getSpec(spec.name);
+    if (!existingSpec) {
+      await this.db.insert(specs2).values({
+        id: spec.id,
+        name: spec.name,
+        type: spec.type,
+        description: spec.description ?? null,
+        owner: spec.owner ?? null,
+        sourceRepo: spec.sourceRepo ?? null,
+        tags: spec.tags ?? [],
+        createdAt: spec.createdAt,
+        updatedAt: spec.updatedAt
+      });
+    } else {
+      await this.db.update(specs2).set({ updatedAt: /* @__PURE__ */ new Date() }).where(eq2(specs2.id, existingSpec.id));
+    }
+    const specId = existingSpec?.id ?? spec.id;
+    await this.db.insert(specVersions2).values({
+      id: version.id,
+      specId,
+      semver: version.semver,
+      content: version.content,
+      checksum: version.checksum,
+      gitRef: version.gitRef ?? null,
+      pushedBy: version.pushedBy ?? null,
+      compatibility: version.compatibility ?? null,
+      previousVersion: version.previousVersion ?? null,
+      forceReason: version.forceReason ?? null,
+      isPrerelease: version.isPrerelease,
+      createdAt: version.createdAt
+    });
+    return version;
+  }
+  async deleteSpec(name) {
+    const existingSpec = await this.getSpec(name);
+    if (!existingSpec) return false;
+    await this.db.delete(specVersions2).where(eq2(specVersions2.specId, existingSpec.id));
+    await this.db.delete(specs2).where(eq2(specs2.id, existingSpec.id));
+    return true;
+  }
+  async getCompatReport(name, semver) {
+    const version = await this.getSpecVersion(name, semver);
+    return version?.compatibility ?? null;
+  }
+  async logAudit(action, actor, specName, version, details) {
+    await this.db.insert(auditLog2).values({
+      id: uuid6(),
+      action,
+      actor,
+      specName,
+      version: version ?? null,
+      details: details ?? null,
+      createdAt: /* @__PURE__ */ new Date()
+    });
+  }
+  mapSpecRow(row) {
+    return {
+      id: row.id,
+      name: row.name,
+      type: row.type,
+      description: row.description ?? void 0,
+      owner: row.owner ?? void 0,
+      sourceRepo: row.sourceRepo ?? void 0,
+      tags: row.tags ?? [],
+      createdAt: row.createdAt,
+      updatedAt: row.updatedAt
+    };
+  }
+  mapVersionRow(row) {
+    return {
+      id: row.id,
+      specId: row.specId,
+      semver: row.semver,
+      content: row.content,
+      checksum: row.checksum,
+      gitRef: row.gitRef ?? void 0,
+      pushedBy: row.pushedBy ?? void 0,
+      compatibility: row.compatibility ?? void 0,
+      previousVersion: row.previousVersion ?? void 0,
+      forceReason: row.forceReason ?? void 0,
+      isPrerelease: row.isPrerelease,
+      createdAt: row.createdAt
+    };
+  }
+  // GatewayConfigStore implementation
+  async getGatewayConfig(name) {
+    const rows = await this.db.select().from(gatewayConfigs2).where(eq2(gatewayConfigs2.name, name)).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapGatewayConfigRow(rows[0]);
+  }
+  async listGatewayConfigs() {
+    const rows = await this.db.select().from(gatewayConfigs2);
+    return rows.map((r) => this.mapGatewayConfigRow(r));
+  }
+  async getGatewayConfigVersion(name, versionId) {
+    const config = await this.getGatewayConfig(name);
+    if (!config) return null;
+    const rows = await this.db.select().from(gatewayConfigVersions2).where(and2(eq2(gatewayConfigVersions2.gatewayConfigId, config.id), eq2(gatewayConfigVersions2.id, versionId))).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapGatewayConfigVersionRow(rows[0]);
+  }
+  async getLatestGatewayConfigVersion(name) {
+    const config = await this.getGatewayConfig(name);
+    if (!config) return null;
+    const rows = await this.db.select().from(gatewayConfigVersions2).where(eq2(gatewayConfigVersions2.gatewayConfigId, config.id)).orderBy(desc2(gatewayConfigVersions2.createdAt), desc2(gatewayConfigVersions2.id)).limit(1);
+    if (rows.length === 0) return null;
+    return this.mapGatewayConfigVersionRow(rows[0]);
+  }
+  async listGatewayConfigVersions(name) {
+    const config = await this.getGatewayConfig(name);
+    if (!config) return [];
+    const rows = await this.db.select().from(gatewayConfigVersions2).where(eq2(gatewayConfigVersions2.gatewayConfigId, config.id)).orderBy(desc2(gatewayConfigVersions2.createdAt), desc2(gatewayConfigVersions2.id)).limit(5);
+    return rows.map((r) => this.mapGatewayConfigVersionRow(r));
+  }
+  async pushGatewayConfigVersion(config, version) {
+    const existingConfig = await this.getGatewayConfig(config.name);
+    if (!existingConfig) {
+      await this.db.insert(gatewayConfigs2).values({
+        id: config.id,
+        name: config.name,
+        provider: config.provider,
+        specName: config.specName,
+        specSemver: config.specSemver,
+        createdAt: config.createdAt,
+        updatedAt: config.updatedAt
+      });
+    } else {
+      await this.db.update(gatewayConfigs2).set({ updatedAt: /* @__PURE__ */ new Date(), specSemver: config.specSemver }).where(eq2(gatewayConfigs2.id, existingConfig.id));
+    }
+    const configId = existingConfig?.id ?? config.id;
+    await this.db.insert(gatewayConfigVersions2).values({
+      id: version.id,
+      gatewayConfigId: configId,
+      routes: version.routes,
+      environments: version.environments,
+      callerIdentification: version.callerIdentification ?? null,
+      content: version.content,
+      checksum: version.checksum,
+      pushedBy: version.pushedBy ?? null,
+      createdAt: version.createdAt
+    });
+    const versions = await this.db.select().from(gatewayConfigVersions2).where(eq2(gatewayConfigVersions2.gatewayConfigId, configId)).orderBy(desc2(gatewayConfigVersions2.createdAt), desc2(gatewayConfigVersions2.id));
+    if (versions.length > 5) {
+      const toDelete = versions.slice(5);
+      for (const v of toDelete) {
+        await this.db.delete(gatewayConfigVersions2).where(eq2(gatewayConfigVersions2.id, v.id));
+      }
+    }
+    return version;
+  }
+  async recordProvision(provision) {
+    await this.db.insert(provisions2).values({
+      id: provision.id,
+      gatewayConfigName: provision.gatewayConfigName,
+      gatewayConfigVersion: provision.gatewayConfigVersion,
+      environment: provision.environment,
+      provider: provision.provider,
+      synced: provision.synced,
+      actor: provision.actor,
+      details: provision.details ?? null,
+      createdAt: provision.createdAt
+    });
+  }
+  async listProvisions(gatewayConfigName) {
+    const rows = gatewayConfigName ? await this.db.select().from(provisions2).where(eq2(provisions2.gatewayConfigName, gatewayConfigName)).orderBy(desc2(provisions2.createdAt)) : await this.db.select().from(provisions2).orderBy(desc2(provisions2.createdAt));
+    return rows.map((r) => ({
+      id: r.id,
+      gatewayConfigName: r.gatewayConfigName,
+      gatewayConfigVersion: r.gatewayConfigVersion,
+      environment: r.environment,
+      provider: r.provider,
+      synced: r.synced,
+      actor: r.actor,
+      details: r.details ?? void 0,
+      createdAt: r.createdAt
+    }));
+  }
+  mapGatewayConfigRow(row) {
+    return {
+      id: row.id,
+      name: row.name,
+      provider: row.provider,
+      specName: row.specName,
+      specSemver: row.specSemver,
+      createdAt: row.createdAt,
+      updatedAt: row.updatedAt
+    };
+  }
+  mapGatewayConfigVersionRow(row) {
+    return {
+      id: row.id,
+      gatewayConfigId: row.gatewayConfigId,
+      routes: row.routes,
+      environments: row.environments,
+      callerIdentification: row.callerIdentification ?? void 0,
+      content: row.content,
+      checksum: row.checksum,
+      pushedBy: row.pushedBy ?? void 0,
+      createdAt: row.createdAt
+    };
+  }
+  async recordGatewayLog(log) {
+    await this.db.insert(httpLogs2).values({
+      id: log.id,
+      provider: log.provider,
+      gatewayConfigName: log.gatewayConfigName,
+      environment: log.environment,
+      method: log.method,
+      path: log.path,
+      routePath: log.routePath ?? null,
+      status: log.status,
+      callerId: log.callerId ?? null,
+      callerSource: log.callerSource ?? null,
+      callerConfidence: log.callerConfidence,
+      occurredAt: log.occurredAt,
+      createdAt: log.createdAt
+    });
+  }
+  async listGatewayLogs(filters) {
+    const limit = filters.limit ?? 50;
+    const offset = filters.offset ?? 0;
+    let query = this.db.select().from(httpLogs2);
+    const conditions = [];
+    if (filters.gatewayConfigName) {
+      conditions.push(eq2(httpLogs2.gatewayConfigName, filters.gatewayConfigName));
+    }
+    if (filters.environment) {
+      conditions.push(eq2(httpLogs2.environment, filters.environment));
+    }
+    if (filters.path) {
+      conditions.push(eq2(httpLogs2.path, filters.path));
+    }
+    if (filters.method) {
+      conditions.push(eq2(httpLogs2.method, filters.method));
+    }
+    if (filters.status !== void 0) {
+      conditions.push(eq2(httpLogs2.status, filters.status));
+    }
+    if (filters.from) {
+      conditions.push(sql2`${httpLogs2.occurredAt} >= ${filters.from}`);
+    }
+    if (filters.to) {
+      conditions.push(sql2`${httpLogs2.occurredAt} <= ${filters.to}`);
+    }
+    if (conditions.length > 0) {
+      query = query.where(and2(...conditions));
+    }
+    const countResult = await this.db.select({ count: sql2`count(*)` }).from(httpLogs2).where(conditions.length > 0 ? and2(...conditions) : void 0);
+    const total = countResult[0]?.count ?? 0;
+    const rows = await query.orderBy(desc2(httpLogs2.occurredAt)).limit(limit).offset(offset);
+    return {
+      logs: rows.map((r) => ({
+        id: r.id,
+        provider: r.provider,
+        gatewayConfigName: r.gatewayConfigName,
+        environment: r.environment,
+        method: r.method,
+        path: r.path,
+        routePath: r.routePath ?? void 0,
+        status: r.status,
+        callerId: r.callerId ?? void 0,
+        callerSource: r.callerSource ?? void 0,
+        callerConfidence: r.callerConfidence,
+        occurredAt: r.occurredAt,
+        createdAt: r.createdAt
+      })),
+      total
+    };
+  }
+  async getGatewayLog(id) {
+    const rows = await this.db.select().from(httpLogs2).where(eq2(httpLogs2.id, id)).limit(1);
+    if (rows.length === 0) return null;
+    const r = rows[0];
+    return {
+      id: r.id,
+      provider: r.provider,
+      gatewayConfigName: r.gatewayConfigName,
+      environment: r.environment,
+      method: r.method,
+      path: r.path,
+      routePath: r.routePath ?? void 0,
+      status: r.status,
+      callerId: r.callerId ?? void 0,
+      callerSource: r.callerSource ?? void 0,
+      callerConfidence: r.callerConfidence,
+      occurredAt: r.occurredAt,
+      createdAt: r.createdAt
+    };
+  }
+  async getGatewayLogStats(_filters) {
+    const conditions = [];
+    if (_filters.gatewayConfigName) {
+      conditions.push(eq2(httpLogs2.gatewayConfigName, _filters.gatewayConfigName));
+    }
+    if (_filters.environment) {
+      conditions.push(eq2(httpLogs2.environment, _filters.environment));
+    }
+    if (_filters.from) {
+      conditions.push(sql2`${httpLogs2.occurredAt} >= ${_filters.from}`);
+    }
+    if (_filters.to) {
+      conditions.push(sql2`${httpLogs2.occurredAt} <= ${_filters.to}`);
+    }
+    const whereClause = conditions.length > 0 ? and2(...conditions) : void 0;
+    const rows = await this.db.select({
+      gatewayConfigName: httpLogs2.gatewayConfigName,
+      environment: httpLogs2.environment,
+      method: httpLogs2.method,
+      routePath: httpLogs2.routePath,
+      lastSeenAt: sql2`max(${httpLogs2.occurredAt})`,
+      totalCalls: sql2`count(*)`,
+      uniqueCallerIds: sql2`count(distinct ${httpLogs2.callerId})`
+    }).from(httpLogs2).where(whereClause).groupBy(httpLogs2.gatewayConfigName, httpLogs2.environment, httpLogs2.method, httpLogs2.routePath);
+    return rows.map((r) => ({
+      gatewayConfigName: r.gatewayConfigName,
+      environment: r.environment,
+      method: r.method,
+      routePath: r.routePath ?? "/",
+      lastSeenAt: new Date(r.lastSeenAt),
+      totalCalls: r.totalCalls,
+      uniqueCallerIds: r.uniqueCallerIds
+    }));
+  }
+  async deleteGatewayLogsOlderThan(days) {
+    const cutoff = /* @__PURE__ */ new Date();
+    cutoff.setDate(cutoff.getDate() - days);
+    await this.db.delete(httpLogs2).where(sql2`${httpLogs2.occurredAt} < ${cutoff}`);
+  }
+};
+
 // src/registry/serve.ts
 async function startServer(userConfig) {
   const config = { ...defaultConfig, ...userConfig };
-  if (!config.sqlitePath && config.database === "sqlite") {
-    const homeDir = process.env.HOME || process.env.USERPROFILE || ".";
-    config.sqlitePath = path.join(homeDir, ".grapity", "registry.db");
-  }
-  if (config.database === "sqlite" && config.sqlitePath) {
-    const dir = path.dirname(config.sqlitePath);
+  let store;
+  if (config.database === "postgresql") {
+    if (!config.postgresUrl) {
+      throw new Error("PostgreSQL database requested but no postgresUrl provided.");
+    }
+    store = new PostgreSQLSpecStore(config.postgresUrl);
+  } else {
+    const sqlitePath = config.sqlitePath ?? path.join(
+      process.env.HOME || process.env.USERPROFILE || ".",
+      ".grapity",
+      "registry.db"
+    );
+    const dir = path.dirname(sqlitePath);
     if (!fs.existsSync(dir)) {
       fs.mkdirSync(dir, { recursive: true });
     }
+    store = new SQLiteSpecStore(sqlitePath);
   }
-  const store = new SQLiteSpecStore(config.sqlitePath);
   await store.migrate();
   const app = createApp(config, store);
-  serve({
+  const server = serve({
     fetch: app.fetch,
     port: config.port
   });
-  return app;
+  return { app, store, server };
 }
 if (process.argv[1] === new URL(import.meta.url).pathname) {
   startServer();