@kozou/api 0.0.1 → 1.0.0

package/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -1,3 +1,202 @@
 # @kozou/api
 
-Placeholder publish. The real experimental release lands via CI shortly.
+> **Stable (Kozou v1.0).** The REST wire format, query grammar, and OpenAPI
+> extensions documented below are a stable contract: they will not change
+> incompatibly without a major release. The one part still evolving is the
+> composite-foreign-key relation shape — see [Stability](#stability).
+
+Kozou's own REST layer. Given a `SchemaContext` (from `@kozou/introspect`
++ `@kozou/core`) and a PostgreSQL connection, it serves the tables and
+views of your database as a REST API, driven entirely by your DDL and
+`COMMENT` metadata — no hand-written route code.
+
+This is the in-house data layer that Kozou v1.0 makes the default backend.
+The Admin UI talks to it through the same `DataAdapter` seam (`@kozou/core`)
+it already uses, so swapping the data layer is not a breaking change for UI
+code.
+
+## API
+
+### Service
+
+- `GET /` — service info (name, version) and the list of available resources.
+- `GET /openapi.json` — an OpenAPI 3.1 document for the whole API
+  (see [OpenAPI](#openapi)).
+
+### Reading
+
+- `GET /<resource>` — list rows of a table or view. Returns
+  `{ rows, total, page, pageSize }`. Supports:
+  - **pagination** — `page` (1-based) and `pageSize` (`LIMIT` / `OFFSET`, capped);
+  - **sort** — `sort=field.asc,other.desc`;
+  - **filter** — `<column>=<op>.<value>` (see [Filtering](#filtering));
+  - **free-text search** — `search=<text>` (`ILIKE` across text columns);
+  - **embedding** — `embed=<relation-chain>` (see [Embedding](#embedding)).
+- `GET /<resource>/<id>` — fetch a single table row by primary key. For a
+  composite primary key, `<id>` is the key columns in declaration order,
+  comma-joined in one path segment (`/order_lines/42,3`); `embed` is
+  supported here too. Returns the row, or `404`.
+- `GET /<resource>?as=options&label=<col>&fields=<a,b>&q=<text>&limit=<n>`
+  — lightweight relation-select lookup. Returns `{ options: [{ id, label }] }`.
+
+### Writing
+
+- `POST /<resource>` — create a row from a JSON body; returns `201` + the
+  created row. An empty body inserts a row of column defaults.
+- `PATCH /<resource>/<id>` — update the supplied columns; returns the row,
+  or `404`.
+- `DELETE /<resource>/<id>` — delete by primary key; returns the deleted
+  row, or `404`.
+
+Writes are rejected on views (`405`) and on unknown columns (`400`).
+
+### Filtering
+
+List filters use a `<column>=<op>.<value>` grammar:
+
+| operator | meaning |
+|---|---|
+| `eq` / `neq` | equal / not equal |
+| `gt` / `gte` / `lt` / `lte` | range comparisons |
+| `like` / `ilike` | pattern match (`*` is the wildcard) |
+| `in` | membership — `in.(a,b,c)` |
+| `is` | `is.null` / `is.notnull` / `is.true` / `is.false` |
+
+A bare value (`status=paid`) is shorthand for `eq` and stays backward
+compatible. Repeating a column ANDs its filters (e.g. a `gte` + `lt` range).
+A value that itself looks like an operator can be forced to equality with an
+explicit `eq.` prefix (`name=eq.gt.5`). Operators are a fixed allowlist, the
+column is checked against the schema, and every value is passed as a bound
+parameter — nothing is interpolated into SQL text. Values for the common
+scalar families (integer, numeric / float, boolean) are validated up front
+and rejected with a `400`; values for other types are enforced by
+PostgreSQL.
+
+### Embedding
+
+`embed=<relation-chain>` inlines related rows as nested JSON, on both list
+and item reads:
+
+- forward (to-one) and reverse (to-many) relations, mixed in one request;
+- dot-separated chains up to 5 deep (`embed=order.customer.region`);
+- comma-separated for several relations (`embed=customer,lines`);
+- up to 25 distinct relations per request, and up to 100 child rows inlined
+  per parent for a to-many relation.
+
+To-many embeds are rendered as a JSON array ordered by the child's primary
+key. Many-to-many is expressed by naming the junction explicitly
+(`embed=link.far`); there is no automatic flattening of junction tables.
+
+### OpenAPI
+
+`GET /openapi.json` returns an OpenAPI 3.1 document generated from the
+schema. Database `COMMENT`s drive it: table / view / column descriptions
+become schema `description`s, CHECK / ENUM members become `enum`, and
+Kozou's `@`-annotations become vendor extensions:
+
+- `@ai:` notes → `x-kozou-ai`
+- the resolved widget → `x-kozou-widget`
+- `@policy:` advisories → `x-kozou-policy`
+- embeddable relations → `x-kozou-embeds` (with `cardinality`)
+
+The document models the schema, the `x-kozou-*` metadata, and the list /
+item / CRUD surface. A few runtime behaviors are enforced by the server but
+not yet fully modeled in the generated document: create accepts an empty body
+(column defaults) and `PATCH` accepts a partial column subset, the
+`as=options` relation-select mode shares the collection path, and ambiguous
+embeds are rejected at request time. These are being refined; the wire
+behavior itself is stable.
+
+## Stability
+
+Stable as of Kozou v1.0 (covered by semantic versioning — no incompatible
+change without a major release):
+
+- the REST envelopes — the list `{ rows, total, page, pageSize }`, the item
+  shape, and the create / update / delete return shapes;
+- the query grammar — pagination, `sort`, the `<column>=<op>.<value>` filter
+  grammar, `as=options`, and `embed`;
+- the `GET /openapi.json` document — OpenAPI 3.1 plus the `x-kozou-ai` /
+  `x-kozou-widget` / `x-kozou-policy` / `x-kozou-embeds` extensions;
+- the auth boundary — JWT claims mapped to `SET LOCAL ROLE` (see below).
+
+Still evolving (not yet covered by the stability guarantee):
+
+- the **composite-foreign-key relation shape**. A composite FK is surfaced
+  as a `BuildIssue` rather than silently dropped, but embedding and
+  relation-select over a composite FK are a fast-follow, so the relation
+  shape they will take is not frozen yet.
+- the **`@kozou/codegen`** output (a separate package, still experimental).
+
+## Scope: default coverage vs PostgREST opt-out
+
+`@kozou/api` covers the relational REST surface most schemas need; Kozou
+v1.0 makes it the default backend. Deployments that need a feature in the
+"opt-out" column can stay on (or switch back to) the PostgREST adapter
+(`adapter: postgrest`) — see the migration notes in the `kozou` package. The
+intent is no silent gap: the in-house backend by default, PostgREST as a
+deliberate opt-out.
+
+| Capability | `@kozou/api` (v1.0 default) | Notes |
+|---|---|---|
+| Table CRUD | ✅ (incl. composite primary keys) | item routes (get/update/delete by id) need a primary key — single or composite; a primary-key-less table gets list + create only |
+| Views | ✅ read-only / list | no item-by-id, writes are `405`, no embedding from a view |
+| Embed 1:1 / many-to-1 / 1-to-many | ✅ `embed=` (mixed direction, multi-hop) | forward to-one + reverse to-many |
+| Many-to-many | △ name the junction and chain (`embed=link.far`) | no automatic junction flattening |
+| Relation-select | ✅ `as=options&label=&q=` | composite PK / FK support is a fast-follow |
+| Filter operators | ✅ `eq` / `neq` / `gt` / `gte` / `lt` / `lte` / `like` / `ilike` / `in` / `is` | |
+| Sort / pagination | ✅ | `sort`, `page` / `pageSize` |
+| COMMENT-native OpenAPI 3.1 (`x-kozou-*`) | ✅ | **Kozou's differentiator** — PostgREST treats COMMENTs as opaque text |
+| JWT + RLS (`SET LOCAL ROLE`) | ✅ | |
+| RPC (Postgres functions) | ❌ opt-out | |
+| Full-text search (fts) | ❌ opt-out | approximate with `ilike` |
+| Vertical select (column projection) | ❌ opt-out | always returns all columns |
+| Writable views (`INSTEAD OF`) | ❌ opt-out | views are read-only |
+| Upsert / bulk insert | ❌ opt-out | |
+| Automatic M:N flattening | ❌ opt-out | name the junction instead |
+
+## Security boundary
+
+By default the API ships with **no authentication** and binds to
+`127.0.0.1` (like the MCP HTTP server); it prints a
+loud warning when bound to a non-loopback host. Run the unauthenticated
+server only inside a trusted boundary (local dev, a docker-compose network).
+
+**Opt-in JWT + row-level security.** Pass an `auth` config (and a `pool`)
+to `startApiServer` to require a signed JWT on every request. Kozou verifies
+the token (an HS256 shared secret, an RS256 public key, or a provider's
+remote JWKS endpoint — exactly one), then runs each request
+inside a transaction on a dedicated connection under
+`SET LOCAL ROLE <role-from-claim>`, with the claims published via
+`set_config('request.jwt.claims', …, true)` — so **your own Postgres RLS
+policies** decide what each request can read and write. Kozou authenticates
+and switches role; it does not generate policies. A missing or invalid token
+gets `401`; a token whose role is not permitted gets `403`.
+
+Set `auth.anonRole` to allow **anonymous access**: a request that carries no
+`Authorization` header runs under that role (with empty claims) so your RLS
+policies decide what an anonymous caller sees, instead of a `401`. Only a
+fully absent header is anonymous — a present but invalid/expired token is
+still `401`, never silently downgraded. The login role must be `GRANT`ed
+membership in the anonymous role.
+
+Set `auth.jwt.jwksUri` to verify against a provider's **remote JWKS endpoint**
+(Auth0, Clerk, Supabase, …) instead of a static key: the verification key is
+selected by the token's `kid`, fetched once, cached, and refreshed when the
+provider rotates keys.
+
+For a trusted same-host caller that has no end user to obtain a token from
+(the bundled Admin UI under `kozou dev`), `signServiceToken` mints an HS256
+token claiming a given role, signed with the same secret the server verifies.
+
+## Safety
+
+- Table / view / column identifiers are validated against the introspected
+  `SchemaContext` (an allowlist) before any query is built, and are quoted
+  defensively.
+- All user-supplied values are passed as parameterized query arguments;
+  values are never interpolated into SQL text.
+
+## License
+
+Apache 2.0

package/dist/auth.d.ts

@@ -0,0 +1,75 @@
+import { type JWTPayload } from 'jose';
+export type JwtAlgorithm = 'HS256' | 'RS256';
+export type AuthConfig = {
+    jwt: {
+        /** Shared secret for HS256. Provide exactly one of secret / publicKey / jwksUri. */
+        secret?: string;
+        /** Verification key for RS256: a PEM (SPKI) string or a JWK JSON string. */
+        publicKey?: string;
+        /** URL of the provider's JWKS endpoint (Auth0 / Clerk / Supabase, …). The
+         *  key is selected by the token's `kid`, fetched once, cached, and
+         *  refreshed on rotation. Provide exactly one of secret / publicKey / jwksUri. */
+        jwksUri?: string;
+        /** Accepted algorithms. Defaults to ['HS256'] or ['RS256'] by key type. */
+        algorithms?: JwtAlgorithm[];
+        /** Expected `iss`. When set, a mismatch is rejected. */
+        issuer?: string;
+        /** Expected `aud`. When set, a mismatch is rejected. */
+        audience?: string | string[];
+    };
+    /** Claim that names the database role to assume. Default: 'role'. */
+    roleClaim?: string;
+    /** Allowlist of assumable roles. When set, any other role is forbidden. */
+    allowedRoles?: string[];
+    /** Role used when the token carries no role claim. */
+    defaultRole?: string;
+    /** Role assumed when a request carries NO Authorization header at all, so
+     *  the database's RLS policies decide what an anonymous caller may see.
+     *  Unset (default): a request with no token is rejected with 401. A present
+     *  but invalid/expired token is always 401 — only a fully absent header is
+     *  treated as anonymous (it is not subject to `allowedRoles`). */
+    anonRole?: string;
+    /** Runtime setting the claims are published under. Default 'request.jwt.claims'. */
+    claimsGuc?: string;
+};
+export type AuthContext = {
+    role: string;
+    claims: JWTPayload;
+};
+export type Authenticator = {
+    roleClaim: string;
+    claimsGuc: string;
+    /** Verify a raw `Authorization` header value and resolve the role.
+     *  Throws a 401 KozouApiError for any token problem, 403 for a role one. */
+    authenticate(authorizationHeader: string | undefined): Promise<AuthContext>;
+};
+/** Validate config (throws a plain Error at startup on misconfiguration),
+ *  import the key once, and return a verifier closure. */
+export declare function createAuthenticator(config: AuthConfig): Authenticator;
+export type ServiceTokenOptions = {
+    /** HS256 shared secret used to sign. Must match the verifier's secret. */
+    secret: string;
+    /** Claim that names the database role. Default: 'role'. */
+    roleClaim?: string;
+    /** Role to assume. When omitted, no role claim is set and the verifier
+     *  falls back to its configured defaultRole. */
+    role?: string;
+    /** `iss` to set; required when the verifier expects a matching issuer. */
+    issuer?: string;
+    /** `aud` to set; required when the verifier expects a matching audience. */
+    audience?: string | string[];
+};
+/**
+ * Mint an HS256 service token for a trusted same-host caller — the bundled
+ * Admin UI under `kozou dev`, which has no end user to obtain a token from.
+ * The token is signed with the same HS256 secret the API verifies against
+ * and carries the role claim the authenticator reads, so the caller runs
+ * under that role with the schema author's own RLS policies applied.
+ *
+ * No `exp` is set: the token lives only for the lifetime of the dev process
+ * that mints it and is passed in-process to the UI, never persisted. Minting
+ * needs the shared secret, so it is HS256-only — an RS256 deployment must
+ * supply a token from its identity provider instead.
+ */
+export declare function signServiceToken(opts: ServiceTokenOptions): Promise<string>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AASA,OAAO,EAOL,KAAK,UAAU,EAGhB,MAAM,MAAM,CAAC;AAGd,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,OAAO,CAAC;AAE7C,MAAM,MAAM,UAAU,GAAG;IACvB,GAAG,EAAE;QACH,oFAAoF;QACpF,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,4EAA4E;QAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB;;0FAEkF;QAClF,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,2EAA2E;QAC3E,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC;QAC5B,wDAAwD;QACxD,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,wDAAwD;QACxD,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;KAC9B,CAAC;IACF,qEAAqE;IACrE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,sDAAsD;IACtD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;sEAIkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oFAAoF;IACpF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC;AAE/D,MAAM,MAAM,aAAa,GAAG;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB;gFAC4E;IAC5E,YAAY,CAAC,mBAAmB,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;CAC7E,CAAC;AAEF;0DAC0D;AAC1D,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,UAAU,GAAG,aAAa,CA0DrE;AAsCD,MAAM,MAAM,mBAAmB,GAAG;IAChC,0EAA0E;IAC1E,MAAM,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;oDACgD;IAChD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0EAA0E;IAC1E,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4EAA4E;IAC5E,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC9B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CAajF"}

package/dist/auth.js

@@ -0,0 +1,128 @@
+// JWT verification for the read/write path. Pure over (Authorization header,
+// config): verifies the token, resolves the database role to assume, and
+// returns the claims. The caller (startApiServer) then opens a transaction,
+// runs `SET LOCAL ROLE <role>`, and exposes the claims to PostgreSQL so the
+// schema author's own row-level-security policies decide what each request
+// can see — kozou authenticates and switches role; it never writes policies.
+//
+// No node:http and no pg here, so this unit-tests with a signed token alone.
+import { importSPKI, importJWK, jwtVerify, createRemoteJWKSet, SignJWT, errors as joseErrors, } from 'jose';
+import { unauthorized, forbidden } from './errors.js';
+/** Validate config (throws a plain Error at startup on misconfiguration),
+ *  import the key once, and return a verifier closure. */
+export function createAuthenticator(config) {
+    const { jwt } = config;
+    const hasSecret = typeof jwt.secret === 'string' && jwt.secret.length > 0;
+    const hasPublicKey = typeof jwt.publicKey === 'string' && jwt.publicKey.length > 0;
+    const hasJwksUri = typeof jwt.jwksUri === 'string' && jwt.jwksUri.length > 0;
+    if ([hasSecret, hasPublicKey, hasJwksUri].filter(Boolean).length !== 1) {
+        throw new Error('@kozou/api auth: configure exactly one of jwt.secret (HS256), ' +
+            'jwt.publicKey (RS256), or jwt.jwksUri (remote JWKS).');
+    }
+    const algorithms = jwt.algorithms ?? (hasSecret ? ['HS256'] : ['RS256']);
+    const roleClaim = config.roleClaim ?? 'role';
+    const claimsGuc = config.claimsGuc ?? 'request.jwt.claims';
+    const verifyOptions = { algorithms };
+    if (jwt.issuer !== undefined)
+        verifyOptions.issuer = jwt.issuer;
+    if (jwt.audience !== undefined)
+        verifyOptions.audience = jwt.audience;
+    // Resolve the key once into a getKey function jose calls per token. A remote
+    // JWKS resolves the key by `kid` (fetched + cached); a secret / static public
+    // key is imported once and wrapped so the verify call is uniform.
+    const getKey = hasJwksUri
+        ? Promise.resolve(createRemoteJWKSet(new URL(jwt.jwksUri)))
+        : (hasSecret
+            ? Promise.resolve(new TextEncoder().encode(jwt.secret))
+            : importPublicKey(jwt.publicKey, algorithms[0] ?? 'RS256')).then((key) => () => Promise.resolve(key));
+    return {
+        roleClaim,
+        claimsGuc,
+        async authenticate(header) {
+            const token = extractBearer(header);
+            if (token === undefined) {
+                // Only a fully absent header is anonymous. A present-but-malformed
+                // header ("Basic …", "Bearer "} is a failed auth attempt, never
+                // silently downgraded to the anonymous role.
+                if (header === undefined && config.anonRole !== undefined) {
+                    return { role: config.anonRole, claims: {} };
+                }
+                throw unauthorized('Missing or malformed Authorization header.');
+            }
+            let payload;
+            try {
+                ({ payload } = await jwtVerify(token, await getKey, verifyOptions));
+            }
+            catch (err) {
+                // Any verification failure (signature, expiry, nbf, iss, aud, alg)
+                // is a 401 with a generic message — never leak which check failed.
+                if (err instanceof joseErrors.JOSEError) {
+                    throw unauthorized('Invalid or expired token.');
+                }
+                throw err;
+            }
+            return { role: resolveRole(payload, roleClaim, config), claims: payload };
+        },
+    };
+}
+function extractBearer(header) {
+    // Linear parse (no regex) to avoid backtracking on adversarial input:
+    // split on the first space into "<scheme> <token>".
+    if (header === undefined)
+        return undefined;
+    const trimmed = header.trim();
+    const space = trimmed.indexOf(' ');
+    if (space === -1)
+        return undefined;
+    if (trimmed.slice(0, space).toLowerCase() !== 'bearer')
+        return undefined;
+    const token = trimmed.slice(space + 1).trim();
+    return token.length > 0 ? token : undefined;
+}
+async function importPublicKey(publicKey, algorithm) {
+    const trimmed = publicKey.trim();
+    if (trimmed.startsWith('-----BEGIN')) {
+        return importSPKI(trimmed, algorithm);
+    }
+    return importJWK(JSON.parse(trimmed), algorithm);
+}
+function resolveRole(payload, roleClaim, config) {
+    const claimed = payload[roleClaim];
+    const role = typeof claimed === 'string' && claimed.length > 0 ? claimed : config.defaultRole;
+    if (role === undefined || role.length === 0) {
+        throw forbidden('Token does not specify a role and no default role is configured.');
+    }
+    if (config.allowedRoles !== undefined && !config.allowedRoles.includes(role)) {
+        throw forbidden(`Role "${role}" is not permitted.`);
+    }
+    return role;
+}
+/**
+ * Mint an HS256 service token for a trusted same-host caller — the bundled
+ * Admin UI under `kozou dev`, which has no end user to obtain a token from.
+ * The token is signed with the same HS256 secret the API verifies against
+ * and carries the role claim the authenticator reads, so the caller runs
+ * under that role with the schema author's own RLS policies applied.
+ *
+ * No `exp` is set: the token lives only for the lifetime of the dev process
+ * that mints it and is passed in-process to the UI, never persisted. Minting
+ * needs the shared secret, so it is HS256-only — an RS256 deployment must
+ * supply a token from its identity provider instead.
+ */
+export async function signServiceToken(opts) {
+    if (typeof opts.secret !== 'string' || opts.secret.length === 0) {
+        throw new Error('@kozou/api signServiceToken: a non-empty HS256 secret is required.');
+    }
+    const roleClaim = opts.roleClaim ?? 'role';
+    const payload = {};
+    if (typeof opts.role === 'string' && opts.role.length > 0) {
+        payload[roleClaim] = opts.role;
+    }
+    let jwt = new SignJWT(payload).setProtectedHeader({ alg: 'HS256' }).setIssuedAt();
+    if (opts.issuer !== undefined)
+        jwt = jwt.setIssuer(opts.issuer);
+    if (opts.audience !== undefined)
+        jwt = jwt.setAudience(opts.audience);
+    return jwt.sign(new TextEncoder().encode(opts.secret));
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,4EAA4E;AAC5E,2EAA2E;AAC3E,6EAA6E;AAC7E,EAAE;AACF,6EAA6E;AAE7E,OAAO,EACL,UAAU,EACV,SAAS,EACT,SAAS,EACT,kBAAkB,EAClB,OAAO,EACP,MAAM,IAAI,UAAU,GAIrB,MAAM,MAAM,CAAC;AACd,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AA+CtD;0DAC0D;AAC1D,MAAM,UAAU,mBAAmB,CAAC,MAAkB;IACpD,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC;IACvB,MAAM,SAAS,GAAG,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IAC1E,MAAM,YAAY,GAAG,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC;IACnF,MAAM,UAAU,GAAG,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7E,IAAI,CAAC,SAAS,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,KAAK,CACb,gEAAgE;YAC9D,sDAAsD,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACzE,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC;IAC7C,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,oBAAoB,CAAC;IAE3D,MAAM,aAAa,GAAqB,EAAE,UAAU,EAAE,CAAC;IACvD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;QAAE,aAAa,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;IAChE,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS;QAAE,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAEtE,6EAA6E;IAC7E,8EAA8E;IAC9E,kEAAkE;IAClE,MAAM,MAAM,GAA6B,UAAU;QACjD,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,OAAiB,CAAC,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC,SAAS;YACR,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACvD,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,SAAmB,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,CACrE,CAAC,IAAI,CAAC,CAAC,GAAG,EAAmB,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IAEjE,OAAO;QACL,SAAS;QACT,SAAS;QACT,KAAK,CAAC,YAAY,CAAC,MAAM;YACvB,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;YACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,mEAAmE;gBACnE,gEAAgE;gBAChE,6CAA6C;gBAC7C,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;gBAC/C,CAAC;gBACD,MAAM,YAAY,CAAC,4CAA4C,CAAC,CAAC;YACnE,CAAC;YACD,IAAI,OAAmB,CAAC;YACxB,IAAI,CAAC;gBACH,CAAC,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC;YACtE,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,mEAAmE;gBACnE,mEAAmE;gBACnE,IAAI,GAAG,YAAY,UAAU,CAAC,SAAS,EAAE,CAAC;oBACxC,MAAM,YAAY,CAAC,2BAA2B,CAAC,CAAC;gBAClD,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,WAAW,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAC5E,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,MAA0B;IAC/C,sEAAsE;IACtE,oDAAoD;IACpD,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACnC,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IACzE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9C,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9C,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,SAAiB,EACjB,SAAuB;IAEvB,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;IACjC,IAAI,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACrC,OAAO,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,EAAE,SAAS,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,WAAW,CAAC,OAAmB,EAAE,SAAiB,EAAE,MAAkB;IAC7E,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,IAAI,GACR,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC;IACnF,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,MAAM,SAAS,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7E,MAAM,SAAS,CAAC,SAAS,IAAI,qBAAqB,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAgBD;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAyB;IAC9D,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC;IAC3C,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC;IACjC,CAAC;IACD,IAAI,GAAG,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAClF,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;QAAE,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS;QAAE,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtE,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;AACzD,CAAC"}