@kinqs/brainrouter-mcp-server 0.3.4

package/dist/__tests__/retry.test.js

@@ -0,0 +1,30 @@
+import { describe, expect, it, vi } from "vitest";
+import { ExternalApiError, fetchWithExternalRetry, retryExternalCall } from "../memory/retry.js";
+describe("external API retry helpers", () => {
+    it("retries retryable HTTP errors and returns the successful response", async () => {
+        const responses = [
+            new Response("rate limited", { status: 429, statusText: "Too Many Requests" }),
+            new Response("unavailable", { status: 503, statusText: "Service Unavailable" }),
+            new Response(JSON.stringify({ ok: true }), { status: 200 }),
+        ];
+        const fetchMock = vi.fn(async () => responses.shift());
+        vi.stubGlobal("fetch", fetchMock);
+        const response = await fetchWithExternalRetry("https://example.test/api", {}, {
+            label: "test API",
+            sleep: async () => undefined,
+        });
+        expect(response.status).toBe(200);
+        expect(fetchMock).toHaveBeenCalledTimes(3);
+        vi.unstubAllGlobals();
+    });
+    it("does not retry non-retryable external API errors", async () => {
+        const operation = vi.fn(async () => {
+            throw new ExternalApiError("bad request", 400);
+        });
+        await expect(retryExternalCall(operation, {
+            label: "test API",
+            sleep: async () => undefined,
+        })).rejects.toThrow("bad request");
+        expect(operation).toHaveBeenCalledTimes(1);
+    });
+});

package/dist/__tests__/skill-activation.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/skill-activation.test.js

@@ -0,0 +1,112 @@
+import { describe, expect, it } from "vitest";
+import { detectPrewarmSkills, decayPotential, spikeSkill } from "../memory/pipeline/skill-prewarm.js";
+class InMemoryActivationStore {
+    activations = new Map();
+    hints = new Map();
+    activationWriteCount = 0;
+    getSkillActivations(userId) {
+        return [...(this.activations.get(userId) ?? [])].sort((a, b) => b.potential - a.potential);
+    }
+    upsertSkillActivations(userId, records) {
+        this.activationWriteCount += 1;
+        const current = new Map((this.activations.get(userId) ?? []).map((record) => [record.skillName, record]));
+        for (const record of records) {
+            current.set(record.skillName, record);
+        }
+        this.activations.set(userId, [...current.values()]);
+    }
+    upsertSkillHints(skillName, hints, sourceFile = "") {
+        this.hints.set(skillName, {
+            skillName,
+            hints,
+            sourceFile,
+            registeredAt: "2026-05-20T00:00:00.000Z",
+        });
+    }
+    getSkillHints(skillName) {
+        return this.hints.get(skillName)?.hints ?? null;
+    }
+}
+function createStore() {
+    return new InMemoryActivationStore();
+}
+describe("skill activation potential routing", () => {
+    it("persists skill activations through the store contract", () => {
+        const store = createStore();
+        store.upsertSkillActivations("user-1", [
+            { skillName: "testing-skill", potential: 1.25, lastDecayTime: "2026-05-20T00:00:00.000Z" },
+        ]);
+        expect(store.getSkillActivations("user-1")).toEqual([
+            { skillName: "testing-skill", potential: 1.25, lastDecayTime: "2026-05-20T00:00:00.000Z" },
+        ]);
+        expect(store.getSkillActivations("user-2")).toEqual([]);
+    });
+    it("spikes a skill and caps potential at the configured maximum", () => {
+        const store = createStore();
+        const now = new Date("2026-05-20T00:00:00.000Z");
+        spikeSkill({
+            userId: "user-1",
+            skillName: "incremental-implementation",
+            store,
+            now,
+            config: { spikeAmount: 1, maxPotential: 2, minTurnDecay: 0, halfLifeMinutes: 10 },
+        });
+        spikeSkill({
+            userId: "user-1",
+            skillName: "incremental-implementation",
+            store,
+            now,
+            config: { spikeAmount: 1.5, maxPotential: 2, minTurnDecay: 0, halfLifeMinutes: 10 },
+        });
+        expect(store.getSkillActivations("user-1")).toEqual([
+            { skillName: "incremental-implementation", potential: 2, lastDecayTime: now.toISOString() },
+        ]);
+    });
+    it("applies exponential decay by half-life and minimum per-turn decay", () => {
+        const lastDecayTime = "2026-05-20T00:00:00.000Z";
+        const thirtyMinutesLater = new Date("2026-05-20T00:30:00.000Z");
+        const sameTurn = new Date(lastDecayTime);
+        expect(decayPotential({
+            potential: 4,
+            lastDecayTime,
+            now: thirtyMinutesLater,
+            halfLifeMinutes: 10,
+            minTurnDecay: 0,
+        })).toBeCloseTo(0.5, 5);
+        expect(decayPotential({
+            potential: 4,
+            lastDecayTime,
+            now: sameTurn,
+            halfLifeMinutes: 10,
+            minTurnDecay: 0.05,
+        })).toBeCloseTo(3.8, 5);
+    });
+    it("returns thresholded prewarm hints sorted by decayed potential without writing decay state", () => {
+        const store = createStore();
+        const now = new Date("2026-05-20T00:10:00.000Z");
+        store.upsertSkillHints("testing-skill", "Test carefully", "testing/SKILL.md");
+        store.upsertSkillHints("incremental-implementation", "Ship in small steps", "implementation/SKILL.md");
+        store.upsertSkillActivations("user-1", [
+            { skillName: "testing-skill", potential: 4, lastDecayTime: "2026-05-20T00:00:00.000Z" },
+            { skillName: "incremental-implementation", potential: 2, lastDecayTime: "2026-05-20T00:00:00.000Z" },
+            { skillName: "missing-hints", potential: 4, lastDecayTime: "2026-05-20T00:00:00.000Z" },
+        ]);
+        const writeCountBeforeDetect = store.activationWriteCount;
+        const results = detectPrewarmSkills({
+            userId: "user-1",
+            store,
+            now,
+            threshold: 0.75,
+            config: { halfLifeMinutes: 10, minTurnDecay: 0 },
+        });
+        expect(results.map((result) => result.skillName)).toEqual([
+            "testing-skill",
+            "incremental-implementation",
+        ]);
+        expect(results[0].potential).toBeCloseTo(2, 5);
+        expect(results[1].potential).toBeCloseTo(1, 5);
+        expect(store.activationWriteCount).toBe(writeCountBeforeDetect);
+        expect(store.getSkillActivations("user-1").find((record) => record.skillName === "testing-skill")?.lastDecayTime)
+            .toBe("2026-05-20T00:00:00.000Z");
+    });
+});

package/dist/__tests__/working-memory.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/working-memory.test.js

@@ -0,0 +1,200 @@
+import { existsSync, readFileSync, rmSync } from "node:fs";
+import { mkdtempSync } from "node:fs";
+import { homedir, tmpdir } from "node:os";
+import { join, resolve } from "node:path";
+import { describe, expect, it } from "vitest";
+import { handleMemoryWorkingTool } from "../tools/memory-working.js";
+function parseToolJson(result) {
+    return JSON.parse(result.content[0].text);
+}
+describe("short-term working memory tools", () => {
+    it("writes refs and updates the Mermaid canvas during a 100-tool-call session", async () => {
+        const workspacePath = mkdtempSync(join(tmpdir(), "brainrouter-working-"));
+        const userId = "user-1";
+        const sessionKey = "session-100";
+        let workDir = "";
+        for (let index = 0; index < 100; index += 1) {
+            const offload = parseToolJson(await handleMemoryWorkingTool("memory_working_offload", {
+                workspacePath,
+                userId,
+                sessionKey,
+                payload: `tool output ${index} ${"x".repeat(120)}`,
+                title: `Tool call ${index}`,
+                summary: `Summary ${index}`,
+                kind: "tool_output",
+            }));
+            workDir = offload.state.workDir;
+        }
+        // Working memory now lives under the user home — never inside the
+        // workspace tree. The workDir is partitioned by user + workspace-hash
+        // + sessionKey.
+        expect(workDir.startsWith(join(homedir(), ".brainrouter", "work", userId))).toBe(true);
+        expect(workDir.endsWith(sessionKey)).toBe(true);
+        expect(existsSync(join(workDir, "steps.jsonl"))).toBe(true);
+        expect(existsSync(join(workDir, "canvas.mmd"))).toBe(true);
+        expect(existsSync(join(workDir, "refs"))).toBe(true);
+        expect(readFileSync(join(workDir, "canvas.mmd"), "utf8")).toContain("flowchart TD");
+    });
+    it("returns working context without raw payloads unless a ref is requested", async () => {
+        const workspacePath = mkdtempSync(join(tmpdir(), "brainrouter-working-context-"));
+        const userId = "user-1";
+        const sessionKey = "context-session";
+        const payload = "raw payload that should stay out of injected state";
+        const offload = parseToolJson(await handleMemoryWorkingTool("memory_working_offload", {
+            workspacePath,
+            userId,
+            sessionKey,
+            payload,
+            title: "Context payload",
+            summary: "Safe summary",
+        }));
+        const context = parseToolJson(await handleMemoryWorkingTool("memory_working_context", {
+            workspacePath,
+            userId,
+            sessionKey,
+        }));
+        expect(context.canvas).toContain("flowchart TD");
+        expect(JSON.stringify(context.state.injectedState)).not.toContain(payload);
+        expect(context.ref).toBeUndefined();
+        const withRef = parseToolJson(await handleMemoryWorkingTool("memory_working_context", {
+            workspacePath,
+            userId,
+            sessionKey,
+            nodeId: offload.nodeId,
+        }));
+        expect(withRef.ref.content).toContain(payload);
+    });
+    it("uses aggressive pressure above 85 percent estimated context fill", async () => {
+        const workspacePath = mkdtempSync(join(tmpdir(), "brainrouter-working-aggressive-"));
+        const userId = "user-1";
+        const sessionKey = "aggressive-session";
+        const result = parseToolJson(await handleMemoryWorkingTool("memory_working_offload", {
+            workspacePath,
+            userId,
+            sessionKey,
+            payload: "large result",
+            title: "Large result",
+            contextWindowTokens: 100,
+            estimatedTokens: 86,
+        }));
+        expect(result.pressureLevel).toBe("aggressive");
+        expect(result.state.injectedState.rawPayloadsIncluded).toBe(false);
+    });
+    it("returns an annotated canvas with the active working node highlighted", async () => {
+        const workspacePath = mkdtempSync(join(tmpdir(), "brainrouter-working-annotated-"));
+        const userId = "user-1";
+        const sessionKey = "annotated-session";
+        const offload = parseToolJson(await handleMemoryWorkingTool("memory_working_offload", {
+            workspacePath,
+            userId,
+            sessionKey,
+            payload: "active payload",
+            title: "Active payload",
+            summary: "Highlighted summary",
+        }));
+        const context = parseToolJson(await handleMemoryWorkingTool("memory_working_context", {
+            workspacePath,
+            userId,
+            sessionKey,
+            activeNodeId: offload.nodeId,
+        }));
+        expect(context.canvas).toContain(`style ${offload.nodeId} fill:#2b6cb0`);
+        expect(context.canvas).toContain("🌟 Active payload");
+        expect(context.annotatedCanvas).toBe(context.canvas);
+    });
+    it("partitions working memory files by user ID", async () => {
+        const workspacePath = mkdtempSync(join(tmpdir(), "brainrouter-working-users-"));
+        const sessionKey = "shared-session";
+        await handleMemoryWorkingTool("memory_working_offload", {
+            workspacePath,
+            userId: "user-a",
+            sessionKey,
+            payload: "payload for user a",
+            title: "User A",
+        });
+        await handleMemoryWorkingTool("memory_working_offload", {
+            workspacePath,
+            userId: "user-b",
+            sessionKey,
+            payload: "payload for user b",
+            title: "User B",
+        });
+        const userAContext = parseToolJson(await handleMemoryWorkingTool("memory_working_context", {
+            workspacePath,
+            userId: "user-a",
+            sessionKey,
+        }));
+        const userBContext = parseToolJson(await handleMemoryWorkingTool("memory_working_context", {
+            workspacePath,
+            userId: "user-b",
+            sessionKey,
+        }));
+        // workDir layout is `~/.brainrouter/work/<userId>/<workspaceHash>/<sessionKey>`.
+        // We anchor on the user partition + session terminator; the workspace
+        // hash slot in between is a sha256 of the resolved workspace path.
+        expect(userAContext.workDir.startsWith(join(homedir(), ".brainrouter", "work", "user-a"))).toBe(true);
+        expect(userAContext.workDir.endsWith(sessionKey)).toBe(true);
+        expect(userBContext.workDir.startsWith(join(homedir(), ".brainrouter", "work", "user-b"))).toBe(true);
+        expect(userBContext.workDir.endsWith(sessionKey)).toBe(true);
+        expect(userAContext.canvas).toContain("User A");
+        expect(userAContext.canvas).not.toContain("User B");
+        expect(userBContext.canvas).toContain("User B");
+        expect(userBContext.canvas).not.toContain("User A");
+    });
+    it("uses the authenticated MCP user when a tool call omits userId", async () => {
+        const workspacePath = mkdtempSync(join(tmpdir(), "brainrouter-working-default-user-"));
+        const sessionKey = "authenticated-session";
+        await handleMemoryWorkingTool("memory_working_offload", {
+            workspacePath,
+            sessionKey,
+            payload: "payload for authenticated user",
+            title: "Authenticated user",
+        }, { defaultUserId: "admin" });
+        const adminContext = parseToolJson(await handleMemoryWorkingTool("memory_working_context", {
+            workspacePath,
+            sessionKey,
+        }, { defaultUserId: "admin" }));
+        const fallbackContext = parseToolJson(await handleMemoryWorkingTool("memory_working_context", {
+            workspacePath,
+            sessionKey,
+        }));
+        expect(adminContext.workDir.startsWith(join(homedir(), ".brainrouter", "work", "admin"))).toBe(true);
+        expect(adminContext.workDir.endsWith(sessionKey)).toBe(true);
+        expect(adminContext.canvas).toContain("Authenticated user");
+        expect(fallbackContext.workDir.startsWith(join(homedir(), ".brainrouter", "work", "default"))).toBe(true);
+        expect(fallbackContext.workDir.endsWith(sessionKey)).toBe(true);
+        expect(fallbackContext.canvas).not.toContain("Authenticated user");
+    });
+    it("routes foreign absolute workspace paths to the user fallback instead of the process cwd", async () => {
+        if (process.platform === "win32")
+            return;
+        const foreignWorkspacePath = "c:\\Users\\Miu\\Desktop\\Tung\\review paper 1";
+        const pollutedPath = resolve(foreignWorkspacePath);
+        rmSync(pollutedPath, { recursive: true, force: true });
+        const result = parseToolJson(await handleMemoryWorkingTool("memory_working_offload", {
+            workspacePath: foreignWorkspacePath,
+            userId: "user-1",
+            sessionKey: "foreign-session",
+            payload: "foreign path payload",
+            title: "Foreign path payload",
+        }));
+        expect(result.state.workDir).toContain(join(homedir(), ".brainrouter", "work", "user-1"));
+        expect(result.state.workDir).not.toContain(foreignWorkspacePath);
+        expect(existsSync(join(result.state.workDir, "refs"))).toBe(true);
+        expect(existsSync(pollutedPath)).toBe(false);
+        rmSync(result.state.workDir, { recursive: true, force: true });
+    });
+    it("treats listed workspace IDs as fallback-store IDs, not relative paths", async () => {
+        const sessionKey = "workspace-id-session";
+        const result = parseToolJson(await handleMemoryWorkingTool("memory_working_offload", {
+            workspacePath: "abc123abc123",
+            userId: "workspace-id-user",
+            sessionKey,
+            payload: "payload for listed workspace id",
+            title: "Listed workspace id",
+        }));
+        expect(result.state.workDir).toBe(join(homedir(), ".brainrouter", "work", "workspace-id-user", "abc123abc123", sessionKey));
+        expect(existsSync(join(resolve("abc123abc123"), ".brainrouter"))).toBe(false);
+        rmSync(result.state.workDir, { recursive: true, force: true });
+    });
+});

package/dist/__tests__/workspace-paths.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/workspace-paths.test.js

@@ -0,0 +1,56 @@
+import { createHash } from "node:crypto";
+import { existsSync, readFileSync, rmSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, resolve } from "node:path";
+import { describe, expect, it } from "vitest";
+import { getSafeWorkspacePath, isForeignAbsolutePath } from "../resolver.js";
+import { handleMemoryResolveSession } from "../tools/memory_resolve_session.js";
+function mcpCacheFile(workspacePath, name) {
+    const hash = createHash("sha256").update(workspacePath).digest("hex").slice(0, 12);
+    return join(homedir(), ".brainrouter", "mcp-cache", hash, name);
+}
+function parseToolJson(result) {
+    return JSON.parse(result.content[0].text);
+}
+describe("workspace path compatibility", () => {
+    it("detects Windows absolute paths as foreign on POSIX hosts", () => {
+        expect(isForeignAbsolutePath("c:\\Users\\Miu\\Desktop\\Tung\\review paper 1")).toBe(process.platform !== "win32");
+    });
+    it("uses a fallback workspace for foreign absolute paths", () => {
+        const foreignWorkspacePath = "c:\\Users\\Miu\\Desktop\\Tung\\review paper 1";
+        const safePath = getSafeWorkspacePath(foreignWorkspacePath);
+        if (process.platform === "win32") {
+            expect(safePath).toBe(resolve(foreignWorkspacePath));
+        }
+        else {
+            expect(safePath).toContain(join(homedir(), ".brainrouter", "fallback-workspaces"));
+            expect(safePath).not.toContain(foreignWorkspacePath);
+        }
+    });
+    it("caches resolved sessions under the user-home MCP cache for foreign absolute paths", async () => {
+        if (process.platform === "win32")
+            return;
+        const foreignWorkspacePath = "c:\\Users\\Miu\\Desktop\\Tung\\review paper 1";
+        const pollutedPath = resolve(foreignWorkspacePath);
+        const safePath = getSafeWorkspacePath(foreignWorkspacePath);
+        const cacheFile = mcpCacheFile(safePath, "active_session.json");
+        rmSync(pollutedPath, { recursive: true, force: true });
+        rmSync(safePath, { recursive: true, force: true });
+        rmSync(cacheFile, { force: true });
+        const result = parseToolJson(await handleMemoryResolveSession({
+            workspacePath: foreignWorkspacePath,
+        }));
+        const cached = JSON.parse(readFileSync(cacheFile, "utf8"));
+        expect(result.source).toBe("new_workspace_generation");
+        expect(cached.sessionKey).toBe(result.sessionKey);
+        expect(cached.workspace).toBe(foreignWorkspacePath);
+        expect(cached.cacheWorkspace).toBe(safePath);
+        // Critical regression guard: neither the polluted Windows-style path
+        // NOR the safe fallback workspace should have a `.brainrouter/` shell
+        // created inside it. The cache lives entirely under `~/.brainrouter/`.
+        expect(existsSync(pollutedPath)).toBe(false);
+        expect(existsSync(join(safePath, ".brainrouter"))).toBe(false);
+        rmSync(safePath, { recursive: true, force: true });
+        rmSync(cacheFile, { force: true });
+    });
+});

package/dist/__tests__/writer.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/writer.test.js

@@ -0,0 +1,94 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { scaffoldSkill, updateSkillSection, updateDocSection } from '../writer.js';
+import { readFileSync, mkdirSync, rmSync, existsSync, writeFileSync } from 'fs';
+import { join, resolve } from 'path';
+import { tmpdir } from 'os';
+describe('writer.ts', () => {
+    const localRoot = join(tmpdir(), 'brainrouter-writer-test-local');
+    const globalRoot = join(tmpdir(), 'brainrouter-writer-test-global');
+    beforeEach(() => {
+        rmSync(localRoot, { recursive: true, force: true });
+        rmSync(globalRoot, { recursive: true, force: true });
+        mkdirSync(localRoot, { recursive: true });
+        mkdirSync(globalRoot, { recursive: true });
+    });
+    it('should scaffold a new skill in targetRoot (local)', () => {
+        const params = {
+            name: 'new-skill',
+            category: 'agent',
+            description: 'New description',
+            targetRoot: localRoot,
+            project: 'TestProject',
+        };
+        const path = scaffoldSkill(params);
+        expect(existsSync(path)).toBe(true);
+        expect(path).toContain(localRoot);
+        expect(path).toContain(join('projects', 'TestProject', 'skills', 'agent', 'new-skill', 'SKILL.md'));
+        const content = readFileSync(path, 'utf-8');
+        expect(content).toContain('name: new-skill');
+        expect(content).toContain('description: New description');
+    });
+    it('should scaffold a new skill in targetRoot (global)', () => {
+        const params = {
+            name: 'global-skill',
+            category: 'universal',
+            description: 'Global description',
+            targetRoot: globalRoot,
+            project: 'Universal',
+        };
+        const path = scaffoldSkill(params);
+        expect(existsSync(path)).toBe(true);
+        expect(path).toContain(globalRoot);
+        expect(path).toContain(join('projects', 'Universal', 'skills', 'universal', 'global-skill', 'SKILL.md'));
+        const content = readFileSync(path, 'utf-8');
+        expect(content).toContain('name: global-skill');
+    });
+    it('should scaffold a new project-specific skill in targetRoot (global)', () => {
+        const params = {
+            name: 'storage-skill',
+            category: 'api',
+            description: 'Storage description',
+            targetRoot: globalRoot,
+            project: 'TestProject',
+        };
+        const path = scaffoldSkill(params);
+        expect(existsSync(path)).toBe(true);
+        expect(path).toContain(join(globalRoot, 'projects', 'TestProject', 'skills', 'api', 'storage-skill', 'SKILL.md'));
+        const content = readFileSync(path, 'utf-8');
+        expect(content).toContain('name: storage-skill');
+    });
+    it('should block writes outside of targetRoot', () => {
+        const outsidePath = resolve('/tmp/not-my-project/SKILL.md');
+        expect(() => {
+            updateSkillSection(outsidePath, 'workflow', 'content', localRoot);
+        }).toThrow(/WRITE BLOCKED/);
+    });
+    it('should update a skill section and preserve frontmatter', () => {
+        const skillDir = join(localRoot, 'projects', 'TestProject', 'skills', 'agent', 'test-skill');
+        mkdirSync(skillDir, { recursive: true });
+        const skillPath = join(skillDir, 'SKILL.md');
+        const initial = `---
+name: test-skill
+description: old desc
+---
+## Workflow
+Old step.
+`;
+        writeFileSync(skillPath, initial);
+        updateSkillSection(skillPath, 'workflow', 'New step.', localRoot);
+        const updated = readFileSync(skillPath, 'utf-8');
+        expect(updated).toContain('description: old desc');
+        expect(updated).toContain('New step.');
+        expect(updated).not.toContain('Old step.');
+    });
+    it('should update a doc section in localRoot', () => {
+        const docDir = join(localRoot, 'docs', 'api');
+        mkdirSync(docDir, { recursive: true });
+        const docPath = join(docDir, 'API.md');
+        writeFileSync(docPath, '## Endpoints\n- GET /old');
+        updateDocSection(docPath, 'Endpoints', '- GET /new', localRoot);
+        const updated = readFileSync(docPath, 'utf-8');
+        expect(updated).toContain('- GET /new');
+        expect(updated).not.toContain('- GET /old');
+    });
+});

package/dist/api/auth/crypto.d.ts

@@ -0,0 +1,4 @@
+export declare function hashPassword(password: string): Promise<string>;
+export declare function verifyPassword(password: string, stored: string): Promise<boolean>;
+export declare function signJwt(payload: Record<string, unknown>, secret: string, expiresInSecs: number): string;
+export declare function verifyJwt(token: string, secret: string): Record<string, unknown> | null;

package/dist/api/auth/crypto.js

@@ -0,0 +1,54 @@
+import { createHmac, randomBytes, scrypt as scryptCallback, timingSafeEqual } from "node:crypto";
+import { promisify } from "node:util";
+const scrypt = promisify(scryptCallback);
+function base64UrlEncode(input) {
+    const buf = Buffer.isBuffer(input) ? input : Buffer.from(input);
+    return buf.toString("base64url");
+}
+function base64UrlDecode(input) {
+    return Buffer.from(input, "base64url");
+}
+export async function hashPassword(password) {
+    const salt = randomBytes(16);
+    const derived = await scrypt(password, salt, 64);
+    return `${salt.toString("hex")}:${derived.toString("hex")}`;
+}
+export async function verifyPassword(password, stored) {
+    const [saltHex, hashHex] = stored.split(":");
+    if (!saltHex || !hashHex)
+        return false;
+    const salt = Buffer.from(saltHex, "hex");
+    const storedHash = Buffer.from(hashHex, "hex");
+    const derived = await scrypt(password, salt, storedHash.length);
+    if (derived.length !== storedHash.length)
+        return false;
+    return timingSafeEqual(derived, storedHash);
+}
+export function signJwt(payload, secret, expiresInSecs) {
+    const now = Math.floor(Date.now() / 1000);
+    const body = { ...payload, iat: now, exp: now + expiresInSecs };
+    const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
+    const claims = base64UrlEncode(JSON.stringify(body));
+    const signature = createHmac("sha256", secret).update(`${header}.${claims}`).digest("base64url");
+    return `${header}.${claims}.${signature}`;
+}
+export function verifyJwt(token, secret) {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        return null;
+    const [header, claims, signature] = parts;
+    const expected = createHmac("sha256", secret).update(`${header}.${claims}`).digest();
+    const actual = Buffer.from(signature, "base64url");
+    if (actual.length !== expected.length || !timingSafeEqual(actual, expected))
+        return null;
+    try {
+        const payload = JSON.parse(base64UrlDecode(claims).toString("utf8"));
+        const exp = typeof payload.exp === "number" ? payload.exp : 0;
+        if (exp <= Math.floor(Date.now() / 1000))
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}

package/dist/api/middleware/auth.d.ts

@@ -0,0 +1,12 @@
+import type { Request, Response, NextFunction } from "express";
+export type AuthedRequest = Request & {
+    userId?: string;
+    isAdmin?: boolean;
+    email?: string;
+};
+export declare const USING_FALLBACK_JWT_SECRET: boolean;
+export declare const JWT_SECRET: string;
+export declare function requireAuth(req: AuthedRequest, res: Response, next: NextFunction): void;
+export declare function requireJwt(req: AuthedRequest, res: Response, next: NextFunction): void;
+export declare function requireAnyAuth(req: AuthedRequest, res: Response, next: NextFunction): void;
+export declare function requireAdmin(req: AuthedRequest, res: Response, next: NextFunction): void;