@mojaloop/connection-manager-api 3.4.0 → 3.6.0

package/CHANGELOG.md

@@ -2,6 +2,61 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [3.6.0](https://github.com/mojaloop/connection-manager-api/compare/v3.5.0...v3.6.0) (2026-01-15)
+
+
+### Features
+
+* add docker compose profiles (ci, dev, full) and developer docs ([#176](https://github.com/mojaloop/connection-manager-api/issues/176)) ([8523040](https://github.com/mojaloop/connection-manager-api/commit/85230405ed056af7e47639c7f0063a9b56c29c8f))
+
+## [3.5.0](https://github.com/mojaloop/connection-manager-api/compare/v3.4.0...v3.5.0) (2026-01-15)
+
+
+### Features
+
+* add Traefik and domain-based routing ([f2ccf27](https://github.com/mojaloop/connection-manager-api/commit/f2ccf27e459984c6b76ab2f998457af3f3cad550))
+* add traefik for docker compose domain-based routing ([40c0f16](https://github.com/mojaloop/connection-manager-api/commit/40c0f1670c2b825dcef194e0161b18e418779d73))
+* unify domain routing in docker-compose, and persist Vault ([8a95263](https://github.com/mojaloop/connection-manager-api/commit/8a95263ae0e04bd7dc5673f97baca46cb32fadb4))
+
+
+### Bug Fixes
+
+*  deps ([121a7a5](https://github.com/mojaloop/connection-manager-api/commit/121a7a5bb59c3e7e4ff642cd6d90d5bfc31a4316))
+* add jest timeout ([6f59977](https://github.com/mojaloop/connection-manager-api/commit/6f5997717cc76d549eacf24184bb4273520766ef))
+* add more test cases, clean up test logging and suppress DB warnings ([e65f0a7](https://github.com/mojaloop/connection-manager-api/commit/e65f0a7410ed68aac076ef74c48da337dac23cd3))
+* add nvm ([e307275](https://github.com/mojaloop/connection-manager-api/commit/e307275a900c4b345b4f29ac4791c8127b3b60d2))
+* bump deps ([1fcc5cf](https://github.com/mojaloop/connection-manager-api/commit/1fcc5cfbda9af7006ebbcb95e4ec98effdcf7dae))
+* bump deps ([13ce461](https://github.com/mojaloop/connection-manager-api/commit/13ce4616cc24d52f7f9543938fb052adc508f03c))
+* config ([e9e6cee](https://github.com/mojaloop/connection-manager-api/commit/e9e6ceea61d06c3e33fb7cca5c993ada55dd3795))
+* deps ([2793011](https://github.com/mojaloop/connection-manager-api/commit/2793011fac3ee55f277d37345b94bb47a3dc9629))
+* deps ([4b580fd](https://github.com/mojaloop/connection-manager-api/commit/4b580fd33bbbaad66bf53533cf258ee0be699b58))
+* deps ([8cb320b](https://github.com/mojaloop/connection-manager-api/commit/8cb320b2d0cc6d936ca20a1a5b9396a218c1c9a8))
+* deps ([ec5680a](https://github.com/mojaloop/connection-manager-api/commit/ec5680a30e3ec182eeb6f222f1dcf5115692728e))
+* deps ([c29290a](https://github.com/mojaloop/connection-manager-api/commit/c29290a5904487ee304f8d60d13a22b6221541be))
+* dfspId assignment in tests ([d3f10ed](https://github.com/mojaloop/connection-manager-api/commit/d3f10edd05ead7a54c3450fa8d12ddc3e0483bf6))
+* disable auth ([fa68fae](https://github.com/mojaloop/connection-manager-api/commit/fa68fae8ff3afb199ed927d3b6fadea33c3f00d1))
+* docker compose deps ([5bc4aa1](https://github.com/mojaloop/connection-manager-api/commit/5bc4aa131ae3da2f7ff3683cae900f0b5972b567))
+* endpoint ([68962eb](https://github.com/mojaloop/connection-manager-api/commit/68962eb82655fcab695443b233c10996b41aef81))
+* links ([6b86057](https://github.com/mojaloop/connection-manager-api/commit/6b86057cf8edf0c868c38f5a35fa3b3147d90999))
+* resolve Keycloak pagination issues and standardize test configuration ([c0f5e37](https://github.com/mojaloop/connection-manager-api/commit/c0f5e37654a9d9df527827447e2b3c178d7cd291))
+* urls ([1fa67c6](https://github.com/mojaloop/connection-manager-api/commit/1fa67c65f394457e88b5a9a6be18ae3b697e0332))
+* vulnr ([6c7ea34](https://github.com/mojaloop/connection-manager-api/commit/6c7ea34e87c455b38826ea09387b328acd93bfe3))
+* vulnr ([bd76d49](https://github.com/mojaloop/connection-manager-api/commit/bd76d49756650752ef2e300410ce86fd1209487d))
+
+
+### Documentation
+
+* update configs and documentation to use domain-based routing (*.mcm.localhost) ([da06d77](https://github.com/mojaloop/connection-manager-api/commit/da06d77d553a86732141f0dc0a738103bbfd7bda))
+
+
+### Chore
+
+* bump deps ([4d6bf25](https://github.com/mojaloop/connection-manager-api/commit/4d6bf25a341be11e515a979d5b53217ecdbc5eb2))
+* bump deps ([5eb2ede](https://github.com/mojaloop/connection-manager-api/commit/5eb2ede9076f35e4c74739c2e1f75fd462b9d6d3))
+* cleanup ([68302f5](https://github.com/mojaloop/connection-manager-api/commit/68302f59c761771ad6fc5614579db90090650240))
+* fix lock file ([57c914d](https://github.com/mojaloop/connection-manager-api/commit/57c914dc241d975d6d60553790ce76a3e69332b6))
+* reorder imports ([f9c7865](https://github.com/mojaloop/connection-manager-api/commit/f9c7865bfbb9e707a37f81708da59427c5a4081e))
+
 ## [3.4.0](https://github.com/mojaloop/connection-manager-api/compare/v3.3.2...v3.4.0) (2025-12-12)
 
 

package/README.md

@@ -1,6 +1,6 @@
 # Connection Manager API
 
-[![Release](https://github.com/modusbox/connection-manager-api/actions/workflows/releaseWorkflow.yml/badge.svg)](https://github.com/modusbox/connection-manager-api/actions/workflows/releaseWorkflow.yml)
+[![Release](https://github.com/mojaloop/connection-manager-api/actions/workflows/releaseWorkflow.yml/badge.svg)](https://github.com/mojaloop/connection-manager-api/actions/workflows/releaseWorkflow.yml)
 
 Connection Manager API is a component of the Mojaloop ecosystem that allows an administrator to manage the network configuration and PKI information for the Hub and a set of DFSPs.
 
@@ -29,7 +29,7 @@ The system uses OpenID Connect authentication, which is a provider-agnostic appr
 |OPENID_DISCOVERY_URL|OpenID Connect discovery URL|
 |OPENID_CLIENT_ID|Client ID for OpenID authentication|
 |OPENID_CLIENT_SECRET|Client secret for OpenID authentication|
-|OPENID_REDIRECT_URI|Redirect URI for OpenID authentication|http://localhost:3001/api/auth/callback
+|OPENID_REDIRECT_URI|Redirect URI for OpenID authentication|http://mcm.localhost/api/auth/callback
 |OPENID_JWT_COOKIE_NAME|Cookie name for storing the JWT token|MCM-API_ACCESS_TOKEN
 |OPENID_EVERYONE_ROLE|Role assigned to all authenticated users|everyone
 |OPENID_MTA_ROLE|DFSP Admin role mapping for OpenID|mta
@@ -49,102 +49,162 @@ P12_PASS_PHRASE="choose your own password" npm start
 
 The default config requires a `mysql` db running on the default port.
 
-Once running, you can access the [Swagger UI interface](http://localhost:3001/docs)
+Once running, you can access the [Swagger UI interface](http://mcm.localhost/api/docs)
 
 ## Running the server + db + web UI locally while developing
 
-The API server requires a mysql db. There's also a Web UI [https://github.com/modusbox/connection-manager-ui](https://github.com/modusbox/connection-manager-ui).
-
 To run them together, you can use the following setup:
 
-- Clone this repo and the Web UI repo at the same level
-- Use the `docker-compose` config in this repo to run a mysql DB, the WebUI and the API server
+- Clone this repo
+- Use the `docker-compose` config in this repo to run a mysql DB, Vault, Keycloak, the WebUI and the API server
 
 ```bash
-mkdir modusbox
-cd modusbox
-git clone https://github.com/modusbox/connection-manager-ui
-git clone https://github.com/modusbox/connection-manager-api
-cd connection-manager-api/docker
-docker-compose build
-docker-compose up
+mkdir mojaloop
+cd mojaloop
+git clone https://github.com/mojaloop/connection-manager-api
+cd connection-manager-api
+docker compose --profile full up -d --wait
 ```
 
-Once the docker containers are confirmed to be stable and up, you will need to create the initial HUB environment. From a new terminal
- session, execute the following;
+### Docker Compose Profiles
 
- ```bash
-curl -X POST "http://localhost:3001/api/environments" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"name\": \"DEV\", \"defaultDN\": { \"CN\": \"tes1.centralhub.modusbox.live\", \"O\": \"Modusbox\", \"OU\": \"MCM\" }}"
- ```
+| Profile | API                  | UI        | Use case              |
+|---------|----------------------|-----------|-----------------------|
+| `ci`    | container (local)    | -         | CI/CD, running tests  |
+| `dev`   | proxy → host         | container | Local API development |
+| `full`  | container (official) | container | Full environment      |
 
-The UI 'localhost' can now be opened in your local browser.
+```bash
+# CI/CD (builds local image, runs tests)
+docker compose --profile ci up -d --wait
 
-If you want to start the app with auth enabled:
+# Local development (run API on host, UI in container)
+docker compose --profile dev up -d --wait
+npm start  # run API locally
 
-1) create a local copy of `docker-compose-auth.yml` as in:
+# Full environment
+docker compose --profile full up -d --wait
+```
 
-`cp docker-compose-auth.yml docker-compose-auth.local.yml`
+### Accessing Services
 
-( `docker-compose-auth.local.yml` is git-ignored )
+The stack includes Traefik for local DNS routing. All services are accessible via `*.mcm.localhost` domains:
 
-1) Edit `docker-compose-auth.local.yml` and enter the security details.
+| Service | URL | Description |
+|---------|-----|-------------|
+| MCM UI | http://mcm.localhost | Web UI |
+| MCM API | http://mcm.localhost/api | API Server |
+| Vault UI | http://vault.mcm.localhost | Vault UI |
+| Keycloak | http://keycloak.mcm.localhost | Keycloak Admin Console |
+| Mailpit | http://mailpit.mcm.localhost | Email Testing UI |
+| Traefik Dashboard | http://localhost:8090 | Traefik Dashboard |
 
-1) Run the bundle with:
+### Customizing Configuration
 
-`docker-compose build && docker-compose -f docker-compose.yml -f docker-compose-auth.local.yml up`
+You can customize the domain and ports by creating a `.env` file:
 
-## Configuration
+```bash
+# .env
+COMPOSE_DOMAIN=myapp.localhost
+TRAEFIK_HTTP_PORT=8080
+DATABASE_PORT=3307
+```
+
+This will change all services to use `*.myapp.localhost`, expose Traefik on port 8080, and MySQL on port 3307.
+
+**Note**: If port 80 is already in use, set `TRAEFIK_HTTP_PORT` to an available port (e.g., 8080). Access services at `http://ui.myapp.localhost:8080`.
+
+### Running Multiple Instances
+
+To run multiple instances simultaneously:
 
-There's a [Constants.js file](./src/constants/Constants.js) that pulls the values from the environment or uses defaults if not defined.
+```bash
+# Instance 1 (default ports)
+COMPOSE_PROJECT_NAME=mcm1 COMPOSE_DOMAIN=mcm1.localhost docker compose --profile full up -d
+
+# Instance 2 (different ports)
+COMPOSE_PROJECT_NAME=mcm2 COMPOSE_DOMAIN=mcm2.localhost TRAEFIK_HTTP_PORT=8080 DATABASE_PORT=3307 docker compose --profile full up -d
+```
+
+Access via:
+- Instance 1: http://mcm1.localhost, MySQL at `localhost:3306`
+- Instance 2: http://mcm2.localhost:8080, MySQL at `localhost:3307`
+
+See [.env-example](./.env-example) for all available configuration options.
 
-Variables:
+## Configuration
 
 |Environment variable|Description|Default Value
 :---|:---|:---
 | **MCM API server configuration**
-|PORT|mcm API HTTP port|3001
+|PORT|MCM API HTTP port|3001
+|CLIENT_URL|MCM UI URL|http://mcm.localhost
+|SWITCH_ID|Switch identifier (required)|
+|SWITCH_FQDN|Switch FQDN|switch.example.com
+| **Docker Compose configuration**
+|COMPOSE_DOMAIN|Domain for Traefik routing (docker-compose only)|mcm.localhost
 | **Authentication features**
-|OPENID_ENABLED|Enables support for OAuth2. 'TRUE' to enable| (disabled)
-|OPENID_ENABLE_2FA|Enables two-factor authentication 'TRUE' to enable| (disabled)
+|OPENID_ENABLED|Enable OpenID Connect authentication|false
+|OPENID_ENABLE_2FA|Enable two-factor authentication|false
+|OPENID_ALLOW_INSECURE|Allow insecure HTTPS for development|false
+|OPENID_DISCOVERY_URL|OpenID Connect discovery URL|
+|OPENID_CLIENT_ID|Client ID for OpenID authentication|
+|OPENID_CLIENT_SECRET|Client secret for OpenID authentication|
+|LOGIN_CALLBACK|OAuth callback URL|http://mcm.localhost/api/auth/callback
+|OPENID_AUDIENCE|JWT audience claim|connection-manager-api
+|OPENID_JWT_COOKIE_NAME|Cookie name for JWT token|MCM-API_ACCESS_TOKEN
+| **OpenID Connect groups/roles**
+|OPENID_APPLICATION_GROUP|Application group name|Application
+|OPENID_EVERYONE_GROUP|Authenticated users group|everyone
+|OPENID_MTA_GROUP|DFSP Admin group|MTA
+|OPENID_PTA_GROUP|HUB Admin group|PTA
+|OPENID_DFSP_GROUP|DFSP group|DFSP
 | **Session configuration**
-|SESSION_STORE_SECRET|Secret for encrypting session data|
-|SESSION_MAX_AGE|Session timeout in milliseconds|86400000 (24 hours)
-|SESSION_SAME_SITE|SameSite cookie setting|'strict'
-|SESSION_SECURE|Whether session cookies require HTTPS|true in production
-| **OAuth2 roles**
-|MTA_ROLE|DFSP Admin role|'Application/MTA'
-|PTA_ROLE|HUB Admin Role|'Application/PTA'
-|EVERYONE_ROLE|Authenticated users role|'Internal/everyone'
+|SESSION_STORE_SECRET|Secret for encrypting session data|connection_manager_session_secret
+|SESSION_COOKIE_SAME_SITE_STRICT|Use strict SameSite cookie setting|true
 | **Database configuration**
-|DATABASE_HOST|mysql host|localhost
-|DATABASE_PORT|mysql port|3306
-|DATABASE_USER|mysql user|mcm
-|DATABASE_PASSWORD|mysql password|mcm
-|DATABASE_SCHEMA|mysql schema|mcm
+|DATABASE_HOST|MySQL host|localhost
+|DATABASE_PORT|MySQL port (also used for docker-compose host mapping)|3306
+|DATABASE_USER|MySQL user|mcm
+|DATABASE_PASSWORD|MySQL password|mcm
+|DATABASE_SCHEMA|MySQL schema|mcm
 |DATABASE_SSL_ENABLED|Enable SSL for MySQL connection|false
 |DATABASE_SSL_VERIFY|Verify server certificate when using SSL|false
 |DATABASE_SSL_CA|CA certificate string for MySQL SSL|''
-|DB_RETRIES|Times the initial connection to the DB will be retried|10,
-|DB_CONNECTION_RETRY_WAIT_MILLISECONDS|Pause between retries|5000,
-|RUN_MIGRATIONS|If true, run db schema migration at startup. Can always be true as the schema creation is idempotent|true,
-|CURRENCY_CODES|Path to file containing all the supported currency codes|'./data/currencyCodes.json',
-|DATA_CONFIGURATION_FILE|Initial data configuration path. See specific doc|'./data/sampleConfiguration.json'
-| **MCM Internal Certificate Authority configuration**
-|P12_PASS_PHRASE|Pass phrase used to save the internal CA Key in the DB.|
-| **Support for self-signed certificates on OAuth Server and other TLS client connections**
-|EXTRA_CERTIFICATE_CHAIN_FILE_NAME|Extra trusted server certificate chain file name ( PEM-encoded, as explained in https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options )|
+|DB_RETRIES|Times the initial connection to the DB will be retried|10
+|DB_CONNECTION_RETRY_WAIT_MILLISECONDS|Pause between retries|1000
+|DB_POOL_SIZE_MAX|Maximum database connection pool size|10
+| **Vault PKI configuration**
+|VAULT_ENDPOINT|Vault server endpoint|http://127.0.0.1:8233
+|VAULT_AUTH_METHOD|Vault auth method (K8S or APP_ROLE)|APP_ROLE (required)
+|VAULT_ROLE_ID_FILE|Path to Vault role ID file|docker/vault/tmp/role-id
+|VAULT_ROLE_SECRET_ID_FILE|Path to Vault secret ID file|docker/vault/tmp/secret-id
+|VAULT_PKI_SERVER_ROLE|Vault PKI role for server certs|(required)
+|VAULT_PKI_CLIENT_ROLE|Vault PKI role for client certs|(required)
+|VAULT_SIGN_EXPIRY_HOURS|Certificate signing expiry in hours|43800
+|PRIVATE_KEY_LENGTH|RSA key length for certificates|4096
+|PRIVATE_KEY_ALGORITHM|Key algorithm|rsa
+|INTERNAL_CA_TTL|Internal CA certificate TTL|8760h
+|VAULT_MOUNT_PKI|Vault PKI mount path|pki
+|VAULT_MOUNT_INTERMEDIATE_PKI|Vault intermediate PKI mount path|pki_int
+|VAULT_MOUNT_KV|Vault KV mount path|secrets
+| **Certificate CSR parameters**
+|CLIENT_CSR_PARAMETERS|Path to client CSR parameters JSON file|
+|SERVER_CSR_PARAMETERS|Path to server CSR parameters JSON file|
+|CA_CSR_PARAMETERS|Path to CA CSR parameters JSON file|
+| **Support for self-signed certificates**
+|EXTRA_CERTIFICATE_CHAIN_FILE_NAME|Extra trusted server certificate chain file name|
 |EXTRA_ROOT_CERT_FILE_NAME|Extra trusted server root certificate file name|
-| **CFSSL**
-|CFSSL_VERSION|Expected CFSSL version to use. Should be updated to keep in sync with the cfssl development|1.3.4
-|CFSSL_COMMAND_PATH|cfssl command; it should be just cfssl if it's in the PATH or the full path|cfssl
 | **Keycloak Integration**
 |KEYCLOAK_ENABLED|Enable Keycloak integration for DFSP account creation|false
-|KEYCLOAK_BASE_URL|Base URL of the Keycloak server|http://localhost:8080
-|KEYCLOAK_DISCOVERY_URL|OpenID Connect discovery URL for Keycloak|http://localhost:8080/realms/dfsps/.well-known/openid-configuration
+|KEYCLOAK_BASE_URL|Base URL of the Keycloak server|http://keycloak.mcm.localhost
+|KEYCLOAK_DISCOVERY_URL|OpenID Connect discovery URL for Keycloak|http://keycloak.mcm.localhost/realms/dfsps/.well-known/openid-configuration
 |KEYCLOAK_ADMIN_CLIENT_ID|Client ID for Keycloak admin operations|connection-manager-client
 |KEYCLOAK_ADMIN_CLIENT_SECRET|Client secret for Keycloak admin operations|
 |KEYCLOAK_DFSPS_REALM|Keycloak realm for DFSP accounts|dfsps
-|KEYCLOAK_AUTO_CREATE_ACCOUNTS|Automatically create Keycloak accounts when DFSPs are created|**false** (disabled by default)
+|KEYCLOAK_AUTO_CREATE_ACCOUNTS|Automatically create Keycloak accounts when DFSPs are created|false
+| **Other features**
+|DFSP_WATCHER_ENABLED|Enable DFSP watcher service|false
 
 ## Testing
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/connection-manager-api",
-  "version": "3.4.0",
+  "version": "3.6.0",
   "description": "Mojaloop Connection Manager API",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -46,7 +46,7 @@
     "migrate:rollback": "npm run knex-cli  migrate:rollback",
     "migrate:new": "npm run knex-cli  migrate:make",
     "knex-cli": "DOTENV_CONFIG_PATH=$(pwd)/.env npx knex --knexfile src/knexfile.js ",
-    "backend:start": "docker compose --profile functional up -d --wait",
+    "backend:start": "docker compose --profile ci up -d --wait",
     "backend:stop": "docker compose down -v",
     "backend:restart": "npm run backend:stop && npm run backend:start"
   },
@@ -64,7 +64,7 @@
     "sanitize-html": "2.12.1",
     "oas3-tools": {
       "body-parser": "^1.20.3",
-      "qs": "^6.14.0",
+      "qs": "^6.14.1",
       "js-yaml": "^3"
     },
     "postcss": {
@@ -92,16 +92,16 @@
   },
   "dependencies": {
     "@hapi/hapi": "21.4.4",
-    "@keycloak/keycloak-admin-client": "^26.4.7",
+    "@keycloak/keycloak-admin-client": "^26.5.1",
     "@kubernetes/client-node": "^1.4.0",
-    "@mojaloop/central-services-logger": "11.10.2",
+    "@mojaloop/central-services-logger": "11.10.3",
     "@mojaloop/central-services-metrics": "12.8.3",
-    "@mojaloop/central-services-shared": "18.34.5",
+    "@mojaloop/central-services-shared": "18.34.6",
     "@ory/keto-client": "^25.4.0",
     "async-exit-hook": "^2.0.1",
     "async-retry": "^1.3.3",
     "axios": "1.13.2",
-    "body-parser": "^2.2.1",
+    "body-parser": "^2.2.2",
     "connect": "^3.7.0",
     "convict": "6.2.4",
     "cookies": "^0.9.1",
@@ -117,22 +117,22 @@
     "jsonwebtoken": "^9.0.3",
     "knex": "^3.1.0",
     "moment": "^2.30.1",
-    "mysql2": "^3.15.3",
+    "mysql2": "^3.16.0",
     "node-forge": "^1.3.3",
     "node-vault": "^0.10.9",
     "oas3-tools": "^2.2.3",
     "openid-client": "^6.8.1",
     "passport": "^0.7.0",
     "passport-jwt": "^4.0.1",
-    "qs": "^6.14.0",
-    "soap": "^1.6.1",
+    "qs": "^6.14.1",
+    "soap": "^1.6.3",
     "ulid": "3.0.2",
     "winston": "^3.19.0",
     "xml2js": "^0.6.2"
   },
   "devDependencies": {
-    "@commitlint/cli": "^20.2.0",
-    "@commitlint/config-conventional": "^20.2.0",
+    "@commitlint/cli": "^20.3.1",
+    "@commitlint/config-conventional": "^20.3.1",
     "@types/jest": "30.0.0",
     "audit-ci": "^7.1.0",
     "axios-mock-adapter": "2.1.0",
@@ -144,14 +144,14 @@
     "husky": "^9.1.7",
     "jest": "^30.0.2",
     "jest-extended": "^7.0.0",
-    "npm-check-updates": "^19.2.0",
+    "npm-check-updates": "^19.3.1",
     "nyc": "^17.1.0",
-    "sinon": "^21.0.0",
+    "sinon": "^21.0.1",
     "snazzy": "^9.0.0",
     "source-map-support": "^0.5.21",
     "standard-version": "^9.5.0",
     "standardx": "^7.0.0",
-    "supertest": "^7.1.4",
+    "supertest": "^7.2.2",
     "tap-xunit": "^2.4.1",
     "tmp": "^0.2.5"
   },