@highstate/backend-api 0.9.16

package/dist/highstate.manifest.json

@@ -0,0 +1,5 @@
+{
+  "sourceHashes": {
+    "./dist/index.js": 3437641950
+  }
+}

package/dist/index.js

@@ -0,0 +1,139 @@
+import { createServer } from 'nice-grpc';
+import '@highstate/backend';
+import { InstanceServiceDefinition } from '@highstate/api/instance.v1';
+import { SecretServiceDefinition } from '@highstate/api/secret.v1';
+import { WorkerServiceDefinition } from '@highstate/api/worker.v1';
+import { ServerError, Status } from 'nice-grpc-common';
+import { isAbortError } from 'abort-controller-x';
+import { AccessError, workerSchema, instanceCustomStatusSchema } from '@highstate/backend/shared';
+
+// src/index.ts
+async function authenticate(services, context) {
+  const token = context.metadata.get("api-key");
+  if (!token) {
+    throw new ServerError(Status.UNAUTHENTICATED, "No API key provided");
+  }
+  const projectId = context.metadata.get("project-id");
+  if (!projectId) {
+    throw new ServerError(Status.UNAUTHENTICATED, "No project ID provided");
+  }
+  const apiKey = await services.apiKeyService.getApiKeyByToken(projectId, token);
+  return [projectId, apiKey];
+}
+function createErrorHandlingMiddleware(services) {
+  return async function* errorHandlingMiddleware(call, context) {
+    try {
+      return yield* call.next(call.request, context);
+    } catch (error) {
+      if (error instanceof ServerError || isAbortError(error)) {
+        throw error;
+      }
+      if (error instanceof AccessError) {
+        services.logger.info({ error }, "access denied");
+        throw new ServerError(Status.UNAUTHENTICATED, "Access denied");
+      }
+      services.logger.error({ error }, "unexpected error");
+      throw new ServerError(Status.INTERNAL, "An unexpected error occurred");
+    }
+  };
+}
+function parseArgument(request, argumentName, schema) {
+  const result = schema.safeParse(request[argumentName]);
+  if (!result.success) {
+    throw new ServerError(
+      Status.INVALID_ARGUMENT,
+      `Invalid argument "${argumentName}": ${result.error.message}`
+    );
+  }
+  return result.data;
+}
+function createInstanceService(services) {
+  return {
+    async updateCustomStatus(request, context) {
+      const [projectId] = await authenticate(services, context);
+      const customStatus = parseArgument(request, "status", instanceCustomStatusSchema);
+      await services.instanceStateService.updateCustomStatus(
+        projectId,
+        request.instanceId,
+        customStatus
+      );
+      return {};
+    },
+    async removeCustomStatus(request, _context) {
+      await services.instanceStateService.removeCustomStatus(
+        "",
+        request.instanceId,
+        request.statusName
+      );
+    }
+  };
+}
+
+// src/handlers/secret.ts
+function createSecretService(services) {
+  return {
+    async getSecretContent(request, context) {
+      const [projectId] = await authenticate(services, context);
+      const content = await services.stateManager.getSecretContentRepository(projectId).get(request.secretId);
+      return {
+        content
+      };
+    }
+  };
+}
+function createWorkerService(services) {
+  return {
+    async *connect(request, context) {
+      const [projectId] = await authenticate(services, context);
+      const workerId = parseArgument(request, "workerId", workerSchema.shape.id);
+      const registrationStream = services.pubsubManager.subscribe([
+        "worker-unit-registration",
+        projectId,
+        workerId
+      ]);
+      await services.workerManager.setWorkerRunning(projectId, workerId);
+      await services.workerManager.writeSystemMessage(projectId, workerId, "worker connected");
+      const registrations = await services.stateManager.getWorkerRegistrationIndexRepository(projectId, workerId).getAllItems();
+      for (const registration of registrations) {
+        yield {
+          event: {
+            $case: "unitRegistration",
+            value: {
+              instanceId: registration.id,
+              params: registration.params
+            }
+          }
+        };
+      }
+      for await (const event of registrationStream) {
+        yield {
+          event: {
+            $case: "unitRegistration",
+            value: {
+              instanceId: event.instanceId,
+              params: event.params
+            }
+          }
+        };
+      }
+    }
+  };
+}
+
+// src/index.ts
+async function startBackedApi(services) {
+  const server = createServer();
+  server.use(createErrorHandlingMiddleware(services));
+  server.add(InstanceServiceDefinition, createInstanceService(services));
+  server.add(SecretServiceDefinition, createSecretService(services));
+  server.add(WorkerServiceDefinition, createWorkerService(services));
+  const uid = process.geteuid();
+  const sockPath = `/run/user/${uid}/highstate.sock`;
+  await server.listen(`unix:${sockPath}`);
+  services.workerManager.config.HIGHSTATE_WORKER_API_PATH = sockPath;
+  services.logger.info(`api listening at %s`, sockPath);
+}
+
+export { startBackedApi };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/shared/authentication.ts","../src/shared/error-handling.ts","../src/shared/validation.ts","../src/handlers/instance.ts","../src/handlers/secret.ts","../src/handlers/worker.ts","../src/index.ts"],"names":["ServerError","Status"],"mappings":";;;;;;;;;;AAIA,eAAsB,YAAA,CACpB,UACA,OACqD,EAAA;AACrD,EAAA,MAAM,KAAQ,GAAA,OAAA,CAAQ,QAAS,CAAA,GAAA,CAAI,SAAS,CAAA;AAC5C,EAAA,IAAI,CAAC,KAAO,EAAA;AACV,IAAA,MAAM,IAAI,WAAA,CAAY,MAAO,CAAA,eAAA,EAAiB,qBAAqB,CAAA;AAAA;AAGrE,EAAA,MAAM,SAAY,GAAA,OAAA,CAAQ,QAAS,CAAA,GAAA,CAAI,YAAY,CAAA;AACnD,EAAA,IAAI,CAAC,SAAW,EAAA;AACd,IAAA,MAAM,IAAI,WAAA,CAAY,MAAO,CAAA,eAAA,EAAiB,wBAAwB,CAAA;AAAA;AAGxE,EAAA,MAAM,SAAS,MAAM,QAAA,CAAS,aAAc,CAAA,gBAAA,CAAiB,WAAW,KAAK,CAAA;AAE7E,EAAO,OAAA,CAAC,WAAW,MAAM,CAAA;AAC3B;AChBO,SAAS,8BAA8B,QAAoB,EAAA;AAChE,EAAO,OAAA,gBAAgB,uBACrB,CAAA,IAAA,EACA,OACA,EAAA;AACA,IAAI,IAAA;AACF,MAAA,OAAO,OAAO,IAAA,CAAK,IAAK,CAAA,IAAA,CAAK,SAAS,OAAO,CAAA;AAAA,aACtC,KAAO,EAAA;AACd,MAAA,IAAI,KAAiBA,YAAAA,WAAAA,IAAe,YAAa,CAAA,KAAK,CAAG,EAAA;AACvD,QAAM,MAAA,KAAA;AAAA;AAGR,MAAA,IAAI,iBAAiB,WAAa,EAAA;AAChC,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,CAAK,EAAE,KAAA,IAAS,eAAe,CAAA;AAC/C,QAAA,MAAM,IAAIA,WAAAA,CAAYC,MAAO,CAAA,eAAA,EAAiB,eAAe,CAAA;AAAA;AAG/D,MAAA,QAAA,CAAS,MAAO,CAAA,KAAA,CAAM,EAAE,KAAA,IAAS,kBAAkB,CAAA;AACnD,MAAA,MAAM,IAAID,WAAAA,CAAYC,MAAO,CAAA,QAAA,EAAU,8BAA8B,CAAA;AAAA;AACvE,GACF;AACF;ACvBO,SAAS,aAAA,CAId,OAAmB,EAAA,YAAA,EAA6B,MAAmC,EAAA;AACnF,EAAA,MAAM,MAAS,GAAA,MAAA,CAAO,SAAU,CAAA,OAAA,CAAQ,YAAY,CAAC,CAAA;AACrD,EAAI,IAAA,CAAC,OAAO,OAAS,EAAA;AACnB,IAAA,MAAM,IAAID,WAAAA;AAAA,MACRC,MAAO,CAAA,gBAAA;AAAA,MACP,CAAqB,kBAAA,EAAA,YAAY,CAAM,GAAA,EAAA,MAAA,CAAO,MAAM,OAAO,CAAA;AAAA,KAC7D;AAAA;AAGF,EAAA,OAAO,MAAO,CAAA,IAAA;AAChB;ACZO,SAAS,sBAAsB,QAAmD,EAAA;AACvF,EAAO,OAAA;AAAA,IACL,MAAM,kBAAmB,CAAA,OAAA,EAAS,OAAS,EAAA;AACzC,MAAA,MAAM,CAAC,SAAS,CAAA,GAAI,MAAM,YAAA,CAAa,UAAU,OAAO,CAAA;AAIxD,MAAA,MAAM,YAAe,GAAA,aAAA,CAAc,OAAS,EAAA,QAAA,EAAU,0BAA0B,CAAA;AAEhF,MAAA,MAAM,SAAS,oBAAqB,CAAA,kBAAA;AAAA,QAClC,SAAA;AAAA,QACA,OAAQ,CAAA,UAAA;AAAA,QACR;AAAA,OACF;AAEA,MAAA,OAAO,EAAC;AAAA,KACV;AAAA,IAEA,MAAM,kBAAmB,CAAA,OAAA,EAAS,QAAU,EAAA;AAC1C,MAAA,MAAM,SAAS,oBAAqB,CAAA,kBAAA;AAAA,QAClC,EAAA;AAAA,QACA,OAAQ,CAAA,UAAA;AAAA,QACR,OAAQ,CAAA;AAAA,OACV;AAAA;AACF,GACF;AACF;;;AC3BO,SAAS,oBAAoB,QAAiD,EAAA;AACnF,EAAO,OAAA;AAAA,IACL,MAAM,gBAAiB,CAAA,OAAA,EAAS,OAAS,EAAA;AACvC,MAAA,MAAM,CAAC,SAAS,CAAA,GAAI,MAAM,YAAA,CAAa,UAAU,OAAO,CAAA;AAIxD,MAAM,MAAA,OAAA,GAAU,MAAM,QAAS,CAAA,YAAA,CAC5B,2BAA2B,SAAS,CAAA,CACpC,GAAI,CAAA,OAAA,CAAQ,QAAQ,CAAA;AAEvB,MAAO,OAAA;AAAA,QACL;AAAA,OACF;AAAA;AACF,GACF;AACF;ACfO,SAAS,oBAAoB,QAAiD,EAAA;AACnF,EAAO,OAAA;AAAA,IACL,OAAO,OAAQ,CAAA,OAAA,EAAS,OAAS,EAAA;AAC/B,MAAA,MAAM,CAAC,SAAS,CAAA,GAAI,MAAM,YAAA,CAAa,UAAU,OAAO,CAAA;AAGxD,MAAA,MAAM,WAAW,aAAc,CAAA,OAAA,EAAS,UAAY,EAAA,YAAA,CAAa,MAAM,EAAE,CAAA;AAEzE,MAAM,MAAA,kBAAA,GAAqB,QAAS,CAAA,aAAA,CAAc,SAAU,CAAA;AAAA,QAC1D,0BAAA;AAAA,QACA,SAAA;AAAA,QACA;AAAA,OACD,CAAA;AAGD,MAAA,MAAM,QAAS,CAAA,aAAA,CAAc,gBAAiB,CAAA,SAAA,EAAW,QAAQ,CAAA;AACjE,MAAA,MAAM,QAAS,CAAA,aAAA,CAAc,kBAAmB,CAAA,SAAA,EAAW,UAAU,kBAAkB,CAAA;AAGvF,MAAM,MAAA,aAAA,GAAgB,MAAM,QAAS,CAAA,YAAA,CAClC,qCAAqC,SAAW,EAAA,QAAQ,EACxD,WAAY,EAAA;AAEf,MAAA,KAAA,MAAW,gBAAgB,aAAe,EAAA;AACxC,QAAM,MAAA;AAAA,UACJ,KAAO,EAAA;AAAA,YACL,KAAO,EAAA,kBAAA;AAAA,YACP,KAAO,EAAA;AAAA,cACL,YAAY,YAAa,CAAA,EAAA;AAAA,cACzB,QAAQ,YAAa,CAAA;AAAA;AACvB;AACF,SACF;AAAA;AAIF,MAAA,WAAA,MAAiB,SAAS,kBAAoB,EAAA;AAC5C,QAAM,MAAA;AAAA,UACJ,KAAO,EAAA;AAAA,YACL,KAAO,EAAA,kBAAA;AAAA,YACP,KAAO,EAAA;AAAA,cACL,YAAY,KAAM,CAAA,UAAA;AAAA,cAClB,QAAQ,KAAM,CAAA;AAAA;AAChB;AACF,SACF;AAAA;AACF;AACF,GACF;AACF;;;AC5CA,eAAsB,eAAe,QAAoB,EAAA;AACvD,EAAA,MAAM,SAAS,YAAa,EAAA;AAC5B,EAAO,MAAA,CAAA,GAAA,CAAI,6BAA8B,CAAA,QAAQ,CAAC,CAAA;AAElD,EAAA,MAAA,CAAO,GAAI,CAAA,yBAAA,EAA2B,qBAAsB,CAAA,QAAQ,CAAC,CAAA;AACrE,EAAA,MAAA,CAAO,GAAI,CAAA,uBAAA,EAAyB,mBAAoB,CAAA,QAAQ,CAAC,CAAA;AACjE,EAAA,MAAA,CAAO,GAAI,CAAA,uBAAA,EAAyB,mBAAoB,CAAA,QAAQ,CAAC,CAAA;AAEjE,EAAM,MAAA,GAAA,GAAM,QAAQ,OAAS,EAAA;AAC7B,EAAM,MAAA,QAAA,GAAW,aAAa,GAAG,CAAA,eAAA,CAAA;AAEjC,EAAA,MAAM,MAAO,CAAA,MAAA,CAAO,CAAQ,KAAA,EAAA,QAAQ,CAAE,CAAA,CAAA;AAEtC,EAAS,QAAA,CAAA,aAAA,CAAc,OAAO,yBAA4B,GAAA,QAAA;AAC1D,EAAS,QAAA,CAAA,MAAA,CAAO,IAAK,CAAA,CAAA,mBAAA,CAAA,EAAuB,QAAQ,CAAA;AACtD","file":"index.js","sourcesContent":["import type { Services } from \"@highstate/backend\"\nimport type { ProjectApiKey } from \"@highstate/backend/shared\"\nimport { ServerError, Status, type CallContext } from \"nice-grpc-common\"\n\nexport async function authenticate(\n  services: Services,\n  context: CallContext,\n): Promise<[projectId: string, apiKey: ProjectApiKey]> {\n  const token = context.metadata.get(\"api-key\")\n  if (!token) {\n    throw new ServerError(Status.UNAUTHENTICATED, \"No API key provided\")\n  }\n\n  const projectId = context.metadata.get(\"project-id\")\n  if (!projectId) {\n    throw new ServerError(Status.UNAUTHENTICATED, \"No project ID provided\")\n  }\n\n  const apiKey = await services.apiKeyService.getApiKeyByToken(projectId, token)\n\n  return [projectId, apiKey]\n}\n","import type { Services } from \"@highstate/backend\"\nimport { ServerError, Status, type CallContext, type ServerMiddlewareCall } from \"nice-grpc-common\"\nimport { isAbortError } from \"abort-controller-x\"\nimport { AccessError } from \"@highstate/backend/shared\"\n\nexport function createErrorHandlingMiddleware(services: Services) {\n  return async function* errorHandlingMiddleware<TRequest, TResponse>(\n    call: ServerMiddlewareCall<TRequest, TResponse>,\n    context: CallContext,\n  ) {\n    try {\n      return yield* call.next(call.request, context)\n    } catch (error) {\n      if (error instanceof ServerError || isAbortError(error)) {\n        throw error\n      }\n\n      if (error instanceof AccessError) {\n        services.logger.info({ error }, \"access denied\")\n        throw new ServerError(Status.UNAUTHENTICATED, \"Access denied\")\n      }\n\n      services.logger.error({ error }, \"unexpected error\")\n      throw new ServerError(Status.INTERNAL, \"An unexpected error occurred\")\n    }\n  }\n}\n","import type { z } from \"zod\"\nimport { ServerError, Status } from \"nice-grpc-common\"\n\nexport function parseArgument<\n  TRequest,\n  TArgumentName extends string & keyof TRequest,\n  TSchema extends z.ZodType,\n>(request: TRequest, argumentName: TArgumentName, schema: TSchema): z.infer<TSchema> {\n  const result = schema.safeParse(request[argumentName])\n  if (!result.success) {\n    throw new ServerError(\n      Status.INVALID_ARGUMENT,\n      `Invalid argument \"${argumentName}\": ${result.error.message}`,\n    )\n  }\n\n  return result.data\n}\n","import type { Services } from \"@highstate/backend\"\nimport type { InstanceServiceImplementation } from \"@highstate/api/instance.v1\"\nimport { instanceCustomStatusSchema } from \"@highstate/backend/shared\"\nimport { authenticate, parseArgument } from \"../shared\"\n\nexport function createInstanceService(services: Services): InstanceServiceImplementation {\n  return {\n    async updateCustomStatus(request, context) {\n      const [projectId] = await authenticate(services, context)\n\n      // TODO: validate instance access\n\n      const customStatus = parseArgument(request, \"status\", instanceCustomStatusSchema)\n\n      await services.instanceStateService.updateCustomStatus(\n        projectId,\n        request.instanceId,\n        customStatus,\n      )\n\n      return {}\n    },\n\n    async removeCustomStatus(request, _context) {\n      await services.instanceStateService.removeCustomStatus(\n        \"\",\n        request.instanceId,\n        request.statusName,\n      )\n    },\n  }\n}\n","import type { SecretServiceImplementation } from \"@highstate/api/secret.v1\"\nimport type { Services } from \"@highstate/backend\"\nimport { authenticate } from \"../shared\"\n\nexport function createSecretService(services: Services): SecretServiceImplementation {\n  return {\n    async getSecretContent(request, context) {\n      const [projectId] = await authenticate(services, context)\n\n      // TODO: validate secret access\n\n      const content = await services.stateManager\n        .getSecretContentRepository(projectId)\n        .get(request.secretId)\n\n      return {\n        content,\n      }\n    },\n  }\n}\n","import type { Services } from \"@highstate/backend\"\nimport type { WorkerServiceImplementation } from \"@highstate/api/worker.v1\"\nimport { workerSchema } from \"@highstate/backend/shared\"\nimport { authenticate, parseArgument } from \"../shared\"\n\nexport function createWorkerService(services: Services): WorkerServiceImplementation {\n  return {\n    async *connect(request, context) {\n      const [projectId] = await authenticate(services, context)\n\n      // TODO: check worker access\n      const workerId = parseArgument(request, \"workerId\", workerSchema.shape.id)\n\n      const registrationStream = services.pubsubManager.subscribe([\n        \"worker-unit-registration\",\n        projectId,\n        workerId,\n      ])\n\n      // update worker status\n      await services.workerManager.setWorkerRunning(projectId, workerId)\n      await services.workerManager.writeSystemMessage(projectId, workerId, \"worker connected\")\n\n      // emit existing registrations\n      const registrations = await services.stateManager\n        .getWorkerRegistrationIndexRepository(projectId, workerId)\n        .getAllItems()\n\n      for (const registration of registrations) {\n        yield {\n          event: {\n            $case: \"unitRegistration\",\n            value: {\n              instanceId: registration.id,\n              params: registration.params,\n            },\n          },\n        }\n      }\n\n      // emit new registrations\n      for await (const event of registrationStream) {\n        yield {\n          event: {\n            $case: \"unitRegistration\",\n            value: {\n              instanceId: event.instanceId,\n              params: event.params,\n            },\n          },\n        }\n      }\n    },\n  }\n}\n","import { createServer } from \"nice-grpc\"\nimport { type Services } from \"@highstate/backend\"\nimport { InstanceServiceDefinition } from \"@highstate/api/instance.v1\"\nimport { SecretServiceDefinition } from \"@highstate/api/secret.v1\"\nimport { WorkerServiceDefinition } from \"@highstate/api/worker.v1\"\nimport { createErrorHandlingMiddleware } from \"./shared\"\nimport { createInstanceService } from \"./handlers/instance\"\nimport { createSecretService } from \"./handlers/secret\"\nimport { createWorkerService } from \"./handlers/worker\"\n\nexport async function startBackedApi(services: Services) {\n  const server = createServer()\n  server.use(createErrorHandlingMiddleware(services))\n\n  server.add(InstanceServiceDefinition, createInstanceService(services))\n  server.add(SecretServiceDefinition, createSecretService(services))\n  server.add(WorkerServiceDefinition, createWorkerService(services))\n\n  const uid = process.geteuid!()\n  const sockPath = `/run/user/${uid}/highstate.sock`\n\n  await server.listen(`unix:${sockPath}`)\n\n  services.workerManager.config.HIGHSTATE_WORKER_API_PATH = sockPath\n  services.logger.info(`api listening at %s`, sockPath)\n}\n"]}

package/package.json

@@ -0,0 +1,49 @@
+{
+  "name": "@highstate/backend-api",
+  "version": "0.9.16",
+  "type": "module",
+  "files": [
+    "dist",
+    "src",
+    "patches"
+  ],
+  "exports": {
+    ".": {
+      "types": "./src/index.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "highstate build",
+    "generate-sdk": "./scripts/generate-sdk.sh"
+  },
+  "peerDependencies": {
+    "@pulumi/pulumi": "^3.163.0",
+    "classic-level": "^2.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@pulumi/pulumi": {
+      "optional": true
+    },
+    "classic-level": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "ts-proto": "^2.7.5"
+  },
+  "dependencies": {
+    "@bufbuild/protobuf": "^2.6.1",
+    "@highstate/api": "^0.9.16",
+    "@highstate/backend": "^0.9.16",
+    "@highstate/cli": "^0.9.16",
+    "abort-controller-x": "^0.4.3",
+    "nice-grpc": "^2.1.12",
+    "nice-grpc-common": "^2.0.2",
+    "zod": "^4.0.5"
+  },
+  "gitHead": "458d6f1f9f6d4aec0ba75a2b2c4c01408cb9c8df"
+}

package/src/handlers/instance.ts

@@ -0,0 +1,32 @@
+import type { Services } from "@highstate/backend"
+import type { InstanceServiceImplementation } from "@highstate/api/instance.v1"
+import { instanceCustomStatusSchema } from "@highstate/backend/shared"
+import { authenticate, parseArgument } from "../shared"
+
+export function createInstanceService(services: Services): InstanceServiceImplementation {
+  return {
+    async updateCustomStatus(request, context) {
+      const [projectId] = await authenticate(services, context)
+
+      // TODO: validate instance access
+
+      const customStatus = parseArgument(request, "status", instanceCustomStatusSchema)
+
+      await services.instanceStateService.updateCustomStatus(
+        projectId,
+        request.instanceId,
+        customStatus,
+      )
+
+      return {}
+    },
+
+    async removeCustomStatus(request, _context) {
+      await services.instanceStateService.removeCustomStatus(
+        "",
+        request.instanceId,
+        request.statusName,
+      )
+    },
+  }
+}

package/src/handlers/secret.ts

@@ -0,0 +1,21 @@
+import type { SecretServiceImplementation } from "@highstate/api/secret.v1"
+import type { Services } from "@highstate/backend"
+import { authenticate } from "../shared"
+
+export function createSecretService(services: Services): SecretServiceImplementation {
+  return {
+    async getSecretContent(request, context) {
+      const [projectId] = await authenticate(services, context)
+
+      // TODO: validate secret access
+
+      const content = await services.stateManager
+        .getSecretContentRepository(projectId)
+        .get(request.secretId)
+
+      return {
+        content,
+      }
+    },
+  }
+}

package/src/handlers/worker.ts

@@ -0,0 +1,55 @@
+import type { Services } from "@highstate/backend"
+import type { WorkerServiceImplementation } from "@highstate/api/worker.v1"
+import { workerSchema } from "@highstate/backend/shared"
+import { authenticate, parseArgument } from "../shared"
+
+export function createWorkerService(services: Services): WorkerServiceImplementation {
+  return {
+    async *connect(request, context) {
+      const [projectId] = await authenticate(services, context)
+
+      // TODO: check worker access
+      const workerId = parseArgument(request, "workerId", workerSchema.shape.id)
+
+      const registrationStream = services.pubsubManager.subscribe([
+        "worker-unit-registration",
+        projectId,
+        workerId,
+      ])
+
+      // update worker status
+      await services.workerManager.setWorkerRunning(projectId, workerId)
+      await services.workerManager.writeSystemMessage(projectId, workerId, "worker connected")
+
+      // emit existing registrations
+      const registrations = await services.stateManager
+        .getWorkerRegistrationIndexRepository(projectId, workerId)
+        .getAllItems()
+
+      for (const registration of registrations) {
+        yield {
+          event: {
+            $case: "unitRegistration",
+            value: {
+              instanceId: registration.id,
+              params: registration.params,
+            },
+          },
+        }
+      }
+
+      // emit new registrations
+      for await (const event of registrationStream) {
+        yield {
+          event: {
+            $case: "unitRegistration",
+            value: {
+              instanceId: event.instanceId,
+              params: event.params,
+            },
+          },
+        }
+      }
+    },
+  }
+}

package/src/index.ts

@@ -0,0 +1,26 @@
+import { createServer } from "nice-grpc"
+import { type Services } from "@highstate/backend"
+import { InstanceServiceDefinition } from "@highstate/api/instance.v1"
+import { SecretServiceDefinition } from "@highstate/api/secret.v1"
+import { WorkerServiceDefinition } from "@highstate/api/worker.v1"
+import { createErrorHandlingMiddleware } from "./shared"
+import { createInstanceService } from "./handlers/instance"
+import { createSecretService } from "./handlers/secret"
+import { createWorkerService } from "./handlers/worker"
+
+export async function startBackedApi(services: Services) {
+  const server = createServer()
+  server.use(createErrorHandlingMiddleware(services))
+
+  server.add(InstanceServiceDefinition, createInstanceService(services))
+  server.add(SecretServiceDefinition, createSecretService(services))
+  server.add(WorkerServiceDefinition, createWorkerService(services))
+
+  const uid = process.geteuid!()
+  const sockPath = `/run/user/${uid}/highstate.sock`
+
+  await server.listen(`unix:${sockPath}`)
+
+  services.workerManager.config.HIGHSTATE_WORKER_API_PATH = sockPath
+  services.logger.info(`api listening at %s`, sockPath)
+}

package/src/shared/authentication.ts

@@ -0,0 +1,22 @@
+import type { Services } from "@highstate/backend"
+import type { ProjectApiKey } from "@highstate/backend/shared"
+import { ServerError, Status, type CallContext } from "nice-grpc-common"
+
+export async function authenticate(
+  services: Services,
+  context: CallContext,
+): Promise<[projectId: string, apiKey: ProjectApiKey]> {
+  const token = context.metadata.get("api-key")
+  if (!token) {
+    throw new ServerError(Status.UNAUTHENTICATED, "No API key provided")
+  }
+
+  const projectId = context.metadata.get("project-id")
+  if (!projectId) {
+    throw new ServerError(Status.UNAUTHENTICATED, "No project ID provided")
+  }
+
+  const apiKey = await services.apiKeyService.getApiKeyByToken(projectId, token)
+
+  return [projectId, apiKey]
+}

package/src/shared/error-handling.ts

@@ -0,0 +1,27 @@
+import type { Services } from "@highstate/backend"
+import { ServerError, Status, type CallContext, type ServerMiddlewareCall } from "nice-grpc-common"
+import { isAbortError } from "abort-controller-x"
+import { AccessError } from "@highstate/backend/shared"
+
+export function createErrorHandlingMiddleware(services: Services) {
+  return async function* errorHandlingMiddleware<TRequest, TResponse>(
+    call: ServerMiddlewareCall<TRequest, TResponse>,
+    context: CallContext,
+  ) {
+    try {
+      return yield* call.next(call.request, context)
+    } catch (error) {
+      if (error instanceof ServerError || isAbortError(error)) {
+        throw error
+      }
+
+      if (error instanceof AccessError) {
+        services.logger.info({ error }, "access denied")
+        throw new ServerError(Status.UNAUTHENTICATED, "Access denied")
+      }
+
+      services.logger.error({ error }, "unexpected error")
+      throw new ServerError(Status.INTERNAL, "An unexpected error occurred")
+    }
+  }
+}

package/src/shared/index.ts

@@ -0,0 +1,3 @@
+export * from "./authentication"
+export * from "./error-handling"
+export * from "./validation"

package/src/shared/validation.ts

@@ -0,0 +1,18 @@
+import type { z } from "zod"
+import { ServerError, Status } from "nice-grpc-common"
+
+export function parseArgument<
+  TRequest,
+  TArgumentName extends string & keyof TRequest,
+  TSchema extends z.ZodType,
+>(request: TRequest, argumentName: TArgumentName, schema: TSchema): z.infer<TSchema> {
+  const result = schema.safeParse(request[argumentName])
+  if (!result.success) {
+    throw new ServerError(
+      Status.INVALID_ARGUMENT,
+      `Invalid argument "${argumentName}": ${result.error.message}`,
+    )
+  }
+
+  return result.data
+}