@parmanasystems/server 1.0.19

package/dist/index.js

@@ -0,0 +1,943 @@
+// src/server.ts
+import Fastify from "fastify";
+import { createHash, randomUUID } from "crypto";
+import rateLimit from "@fastify/rate-limit";
+import cors from "@fastify/cors";
+import helmet from "@fastify/helmet";
+
+// src/runtime.ts
+import crypto from "crypto";
+import {
+  LocalSigner,
+  LocalVerifier,
+  getRuntimeManifest
+} from "@parmanasystems/execution";
+import {
+  loadPrivateKey,
+  loadPublicKey
+} from "@parmanasystems/crypto";
+function resolveKeyPair() {
+  if (process.env.Parmana_PRIVATE_KEY && process.env.Parmana_PUBLIC_KEY) {
+    return {
+      privateKey: process.env.Parmana_PRIVATE_KEY,
+      publicKey: process.env.Parmana_PUBLIC_KEY,
+      source: "env"
+    };
+  }
+  try {
+    return {
+      privateKey: loadPrivateKey(),
+      publicKey: loadPublicKey(),
+      source: "disk"
+    };
+  } catch {
+  }
+  const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519", {
+    privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    publicKeyEncoding: { type: "spki", format: "pem" }
+  });
+  return { privateKey, publicKey, source: "ephemeral" };
+}
+var keys = resolveKeyPair();
+var signingKeySource = keys.source;
+var signer = new LocalSigner(keys.privateKey);
+var verifier = new LocalVerifier(keys.publicKey);
+var runtimeManifest = getRuntimeManifest();
+
+// src/auth.ts
+async function authHook(req, reply) {
+  const apiKey = process.env.Parmana_API_KEY;
+  if (!apiKey) return;
+  const auth = req.headers.authorization;
+  if (auth !== `Bearer ${apiKey}`) {
+    req.log.warn({ reqId: req.id, reason: "auth_failure" }, "auth_failure");
+    reply.code(401).send({ error: "Unauthorized" });
+  }
+}
+
+// src/routes.ts
+import { getRuntimeManifest as getRuntimeManifest2 } from "@parmanasystems/execution";
+import { existsSync } from "fs";
+
+// src/routes/execute.ts
+import {
+  executeFromSignals,
+  RedisReplayStore
+} from "@parmanasystems/execution";
+var S_EXECUTION_OUTPUT = {
+  type: "object",
+  properties: {
+    status: {
+      type: "string"
+    },
+    execution_id: {
+      type: "string"
+    },
+    decision: {
+      type: "object"
+    },
+    execution_state: {
+      type: "string"
+    },
+    requires_override: {
+      type: "boolean"
+    },
+    signature: {
+      type: "string"
+    },
+    error: {
+      type: "string"
+    }
+  }
+};
+var S_ERROR = {
+  type: "object",
+  properties: {
+    error: {
+      type: "string"
+    }
+  },
+  required: [
+    "error"
+  ]
+};
+var S_RATE_LIMIT_ERROR = {
+  type: "object",
+  properties: {
+    error: {
+      type: "string"
+    },
+    limit: {
+      type: "integer"
+    },
+    remaining: {
+      type: "integer"
+    },
+    reset: {
+      type: "integer",
+      description: "Unix timestamp when the rate limit resets"
+    }
+  },
+  required: [
+    "error",
+    "limit",
+    "remaining",
+    "reset"
+  ]
+};
+function registerExecuteRoute(app2, deps) {
+  const {
+    signer: signer2,
+    verifier: verifier2,
+    auditDb: auditDb2
+  } = deps;
+  const replayStore = new RedisReplayStore(
+    "redis://127.0.0.1:6379"
+  );
+  app2.post(
+    "/execute",
+    {
+      bodyLimit: 65536,
+      config: {
+        rateLimit: {
+          max: 100,
+          timeWindow: "1 minute"
+        }
+      },
+      schema: {
+        tags: [
+          "Execution"
+        ],
+        summary: "Execute deterministic governance decision",
+        description: "Executes deterministic governance evaluation using governed signals and replay-safe execution semantics.",
+        security: [
+          { bearerAuth: [] }
+        ],
+        body: {
+          type: "object",
+          additionalProperties: false,
+          properties: {
+            policyId: {
+              type: "string",
+              description: "Policy identifier"
+            },
+            policyVersion: {
+              type: "string",
+              description: "Policy version"
+            },
+            signals: {
+              type: "object",
+              description: "Governed deterministic input signals"
+            }
+          },
+          required: [
+            "policyId",
+            "policyVersion",
+            "signals"
+          ]
+        },
+        response: {
+          200: {
+            description: "Deterministic execution result",
+            ...S_EXECUTION_OUTPUT
+          },
+          400: {
+            description: "Invalid request body",
+            ...S_ERROR
+          },
+          413: {
+            description: "Request body too large",
+            ...S_ERROR
+          },
+          422: {
+            description: "Execution failure",
+            ...S_ERROR
+          },
+          429: {
+            description: "Rate limit exceeded",
+            ...S_RATE_LIMIT_ERROR
+          }
+        }
+      }
+    },
+    async (req, reply) => {
+      const {
+        policyId,
+        policyVersion,
+        signals
+      } = req.body;
+      try {
+        const execution = await executeFromSignals(
+          {
+            policyId,
+            policyVersion,
+            signals
+          },
+          signer2,
+          verifier2,
+          replayStore
+        );
+        auditDb2?.recordDecision(
+          execution
+        );
+        req.log.info(
+          {
+            reqId: req.id,
+            policyId,
+            policyVersion
+          },
+          "execute:success"
+        );
+        reply.send(
+          execution
+        );
+      } catch (err) {
+        req.log.warn(
+          {
+            reqId: req.id,
+            error: err.message
+          },
+          "execute:failure"
+        );
+        reply.code(422).send({
+          error: err.message
+        });
+      }
+    }
+  );
+}
+
+// src/routes/verify.ts
+import {
+  verifyAttestation
+} from "@parmanasystems/verifier";
+var S_ATTESTATION = {
+  type: "object",
+  properties: {
+    execution_id: {
+      type: "string"
+    },
+    decision: {
+      type: "object"
+    },
+    execution_state: {
+      type: "string"
+    },
+    runtime_hash: {
+      type: "string"
+    },
+    signature: {
+      type: "string",
+      description: "Base64 Ed25519 signature over the canonical attestation payload"
+    }
+  },
+  required: [
+    "execution_id",
+    "decision",
+    "execution_state",
+    "runtime_hash",
+    "signature"
+  ]
+};
+var S_VERIFICATION_RESULT = {
+  type: "object",
+  properties: {
+    valid: {
+      type: "boolean"
+    },
+    checks: {
+      type: "object",
+      properties: {
+        signature_verified: {
+          type: "boolean"
+        },
+        runtime_verified: {
+          type: "boolean"
+        },
+        schema_compatible: {
+          type: "boolean"
+        }
+      },
+      required: [
+        "signature_verified",
+        "runtime_verified",
+        "schema_compatible"
+      ]
+    }
+  },
+  required: [
+    "valid",
+    "checks"
+  ]
+};
+var S_ERROR2 = {
+  type: "object",
+  properties: {
+    error: {
+      type: "string"
+    }
+  },
+  required: [
+    "error"
+  ]
+};
+var S_RATE_LIMIT_ERROR2 = {
+  type: "object",
+  properties: {
+    error: {
+      type: "string"
+    },
+    limit: {
+      type: "integer"
+    },
+    remaining: {
+      type: "integer"
+    },
+    reset: {
+      type: "integer",
+      description: "Unix timestamp when the rate limit resets"
+    }
+  },
+  required: [
+    "error",
+    "limit",
+    "remaining",
+    "reset"
+  ]
+};
+function registerVerifyRoute(app2, deps) {
+  const {
+    verifier: verifier2,
+    runtimeManifest: runtimeManifest2,
+    auditDb: auditDb2
+  } = deps;
+  app2.post(
+    "/verify",
+    {
+      bodyLimit: 65536,
+      config: {
+        rateLimit: {
+          max: 200,
+          timeWindow: "1 minute"
+        }
+      },
+      schema: {
+        tags: [
+          "Verification"
+        ],
+        summary: "Verify an execution attestation",
+        description: "Checks the cryptographic signature and runtime provenance of a deterministic execution attestation.",
+        security: [
+          { bearerAuth: [] }
+        ],
+        body: {
+          ...S_ATTESTATION,
+          additionalProperties: false,
+          description: "Canonical flattened ExecutionAttestation"
+        },
+        response: {
+          200: {
+            description: "Verification result with per-check breakdown",
+            ...S_VERIFICATION_RESULT
+          },
+          400: {
+            description: "Malformed attestation body",
+            ...S_ERROR2
+          },
+          413: {
+            description: "Request body too large",
+            ...S_ERROR2
+          },
+          422: {
+            description: "Verification threw an unexpected error",
+            ...S_ERROR2
+          },
+          429: {
+            description: "Rate limit exceeded",
+            ...S_RATE_LIMIT_ERROR2
+          }
+        }
+      }
+    },
+    async (req, reply) => {
+      const body = req.body;
+      if (typeof body?.execution_id !== "string" || typeof body?.signature !== "string") {
+        reply.code(400).send({
+          error: "Body must be a valid ExecutionAttestation"
+        });
+        return;
+      }
+      try {
+        const result = verifyAttestation(
+          body,
+          verifier2,
+          runtimeManifest2
+        );
+        auditDb2?.recordVerification(
+          body.execution_id,
+          result
+        );
+        req.log.info(
+          {
+            reqId: req.id,
+            valid: result.valid,
+            checks: result.checks
+          },
+          "verify:success"
+        );
+        reply.send(result);
+      } catch (err) {
+        reply.code(422).send({
+          error: err.message
+        });
+      }
+    }
+  );
+}
+
+// src/routes/audit.ts
+var S_ERROR3 = {
+  type: "object",
+  properties: { error: { type: "string" } },
+  required: ["error"]
+};
+function registerAuditRoutes(app2, auditDb2) {
+  app2.get("/audit/decisions", {
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Audit"],
+      summary: "Decision timeline",
+      description: "Returns a paginated, filtered list of governance decisions joined with their latest verification status. Ordered by executed_at descending.",
+      security: [{ bearerAuth: [] }],
+      querystring: {
+        type: "object",
+        properties: {
+          limit: {
+            type: "integer",
+            minimum: 1,
+            maximum: 1e3,
+            default: 50,
+            description: "Max rows (default 50, max 1000)"
+          },
+          offset: {
+            type: "integer",
+            minimum: 0,
+            default: 0,
+            description: "Row offset for pagination (default 0)"
+          },
+          policy_id: {
+            type: "string",
+            maxLength: 200,
+            description: "Filter by exact policy_id"
+          },
+          decision: {
+            type: "string",
+            enum: ["approve", "deny", "any"],
+            description: "Filter by decision value; 'any' returns all"
+          },
+          from: {
+            type: "string",
+            format: "date-time",
+            description: "ISO 8601 lower bound on executed_at (inclusive)"
+          },
+          to: {
+            type: "string",
+            format: "date-time",
+            description: "ISO 8601 upper bound on executed_at (inclusive)"
+          }
+        }
+      },
+      response: {
+        200: { description: "Decision timeline rows", type: "array", items: { type: "object" } },
+        400: { description: "Invalid query parameters", ...S_ERROR3 },
+        500: S_ERROR3
+      }
+    }
+  }, async (req, reply) => {
+    const { limit, offset: _offset, policy_id, decision, from, to } = req.query;
+    const parsedLimit = parseInt(String(limit ?? 50), 10);
+    const normalizedDecision = decision === "any" ? void 0 : decision;
+    try {
+      reply.send(await auditDb2.getDecisionTimeline(parsedLimit, {
+        policy_id: policy_id || void 0,
+        decision: normalizedDecision,
+        from_date: from || void 0,
+        to_date: to || void 0
+      }));
+    } catch (err) {
+      reply.code(500).send({ error: err.message });
+    }
+  });
+  app2.get("/audit/decisions/:executionId", {
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Audit"],
+      summary: "Decision detail",
+      description: "Returns the full audit record for a single governance decision, including the stored attestation JSONB.",
+      security: [{ bearerAuth: [] }],
+      params: {
+        type: "object",
+        properties: { executionId: { type: "string", minLength: 1, maxLength: 200 } },
+        required: ["executionId"]
+      },
+      response: {
+        200: { description: "Audit decision record", type: "object" },
+        400: { description: "Invalid path parameters", ...S_ERROR3 },
+        404: S_ERROR3,
+        500: S_ERROR3
+      }
+    }
+  }, async (req, reply) => {
+    try {
+      const decision = await auditDb2.getDecisionById(req.params.executionId);
+      if (!decision) {
+        reply.code(404).send({ error: "Decision not found" });
+        return;
+      }
+      reply.send(decision);
+    } catch (err) {
+      reply.code(500).send({ error: err.message });
+    }
+  });
+  app2.get("/audit/security", {
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Audit"],
+      summary: "Security dashboard",
+      description: "Returns aggregated security event counts grouped by event_type and severity, ordered by event_count descending.",
+      security: [{ bearerAuth: [] }],
+      querystring: {
+        type: "object",
+        properties: {
+          from: {
+            type: "string",
+            format: "date-time",
+            description: "ISO 8601 lower bound on occurred_at (inclusive)"
+          },
+          to: {
+            type: "string",
+            format: "date-time",
+            description: "ISO 8601 upper bound on occurred_at (inclusive)"
+          },
+          limit: {
+            type: "integer",
+            minimum: 1,
+            maximum: 1e3,
+            default: 50,
+            description: "Max rows (default 50, max 1000)"
+          }
+        }
+      },
+      response: {
+        200: { description: "Security event summary", type: "array", items: { type: "object" } },
+        400: { description: "Invalid query parameters", ...S_ERROR3 },
+        500: S_ERROR3
+      }
+    }
+  }, async (_req, reply) => {
+    try {
+      reply.send(await auditDb2.getSecurityDashboard());
+    } catch (err) {
+      reply.code(500).send({ error: err.message });
+    }
+  });
+  app2.get("/audit/stats", {
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Audit"],
+      summary: "Audit statistics",
+      description: "Returns aggregate counts across all audit tables: total decisions, decisions today, verifications (valid/invalid), security events, and API access calls.",
+      security: [{ bearerAuth: [] }],
+      response: {
+        200: { description: "Aggregate audit statistics", type: "object" },
+        500: S_ERROR3
+      }
+    }
+  }, async (_req, reply) => {
+    try {
+      reply.send(await auditDb2.getStats());
+    } catch (err) {
+      reply.code(500).send({ error: err.message });
+    }
+  });
+  app2.get("/audit/verifications/:executionId", {
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Audit"],
+      summary: "Verification history",
+      description: "Returns all verification attempts for a given execution ID, newest first.",
+      security: [{ bearerAuth: [] }],
+      params: {
+        type: "object",
+        properties: { executionId: { type: "string", format: "uuid" } },
+        required: ["executionId"]
+      },
+      response: {
+        200: { description: "Verification records", type: "array", items: { type: "object" } },
+        500: S_ERROR3
+      }
+    }
+  }, async (req, reply) => {
+    try {
+      reply.send(await auditDb2.getVerificationsByExecution(req.params.executionId));
+    } catch (err) {
+      reply.code(500).send({ error: err.message });
+    }
+  });
+}
+
+// src/routes.ts
+var S_ERROR4 = {
+  type: "object",
+  properties: { error: { type: "string" } },
+  required: ["error"]
+};
+var S_NOT_IMPLEMENTED = {
+  ...S_ERROR4,
+  properties: { error: { type: "string", enum: ["Not implemented"] } }
+};
+function checkRuntime() {
+  try {
+    getRuntimeManifest2();
+    return "ok";
+  } catch {
+    return "error";
+  }
+}
+function checkSigningKey() {
+  if (process.env.Parmana_PRIVATE_KEY) return "ok";
+  if (existsSync("./dev-keys/bundle_signing_key")) return "ok";
+  return "unconfigured";
+}
+async function checkAuditDb(db) {
+  if (!db) return "unconfigured";
+  try {
+    await db.ping();
+    return "ok";
+  } catch {
+    return "unavailable";
+  }
+}
+function registerRoutes(app2, deps) {
+  const { signer: signer2, verifier: verifier2, runtimeManifest: runtimeManifest2, auditDb: auditDb2 } = deps;
+  app2.get("/health", {
+    config: { rateLimit: { max: 300, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Runtime"],
+      summary: "Health check",
+      response: {
+        200: {
+          description: "Server health status with per-subsystem checks",
+          type: "object",
+          properties: {
+            status: { type: "string", enum: ["ok", "degraded"] },
+            version: { type: "string" },
+            timestamp: { type: "string", format: "date-time" },
+            checks: {
+              type: "object",
+              properties: {
+                runtime_manifest: { type: "string", enum: ["ok", "error"] },
+                signing_key: { type: "string", enum: ["ok", "unconfigured"] },
+                audit_db: { type: "string", enum: ["ok", "unavailable", "unconfigured"] }
+              },
+              required: ["runtime_manifest", "signing_key", "audit_db"]
+            }
+          },
+          required: ["status", "version", "timestamp", "checks"]
+        }
+      }
+    }
+  }, async () => {
+    const checks = {
+      runtime_manifest: checkRuntime(),
+      signing_key: checkSigningKey(),
+      audit_db: await checkAuditDb(auditDb2)
+    };
+    const degraded = Object.values(checks).some((v) => v === "error" || v === "unavailable");
+    return {
+      status: degraded ? "degraded" : "ok",
+      version: "1.2.3",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      checks
+    };
+  });
+  registerExecuteRoute(app2, { signer: signer2, verifier: verifier2, auditDb: auditDb2 });
+  registerVerifyRoute(app2, { verifier: verifier2, runtimeManifest: runtimeManifest2, auditDb: auditDb2 });
+  if (auditDb2) {
+    registerAuditRoutes(app2, auditDb2);
+  }
+  const stub = async (_req, reply) => {
+    reply.code(501).send({ error: "Not implemented" });
+  };
+  app2.get("/runtime/manifest", {
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Runtime"],
+      summary: "Runtime bundle manifest",
+      description: "Returns the signed bundle manifest for the active governance runtime.",
+      security: [{ bearerAuth: [] }],
+      response: { 501: { description: "Not yet implemented", ...S_NOT_IMPLEMENTED } }
+    }
+  }, stub);
+  app2.get("/runtime/capabilities", {
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Runtime"],
+      summary: "Runtime capability declarations",
+      description: "Lists the capabilities supported by this runtime instance.",
+      security: [{ bearerAuth: [] }],
+      response: { 501: { description: "Not yet implemented", ...S_NOT_IMPLEMENTED } }
+    }
+  }, stub);
+  app2.post("/evaluate", {
+    bodyLimit: 65536,
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Execution"],
+      summary: "Evaluate a policy without executing",
+      description: "Dry-run policy evaluation \u2014 computes a decision without issuing an attestation or consuming a replay slot.",
+      security: [{ bearerAuth: [] }],
+      body: { type: "object" },
+      response: { 501: { description: "Not yet implemented", ...S_NOT_IMPLEMENTED } }
+    }
+  }, stub);
+  app2.post("/simulate", {
+    bodyLimit: 65536,
+    config: { rateLimit: { max: 60, timeWindow: "1 minute" } },
+    schema: {
+      tags: ["Execution"],
+      summary: "Simulate a governance decision dry-run",
+      description: "Runs the full execution pipeline in simulation mode \u2014 no side effects, no attestation produced.",
+      security: [{ bearerAuth: [] }],
+      body: { type: "object" },
+      response: { 501: { description: "Not yet implemented", ...S_NOT_IMPLEMENTED } }
+    }
+  }, stub);
+}
+
+// src/server.ts
+import { AuditDb } from "@parmanasystems/audit-db";
+
+// src/middleware/audit.ts
+function createAuditMiddleware(auditDb2) {
+  return async function onResponse(req, reply) {
+    auditDb2.recordApiAccess({
+      method: req.method,
+      path: req.url,
+      status_code: reply.statusCode,
+      response_time_ms: Number.isFinite(reply.elapsedTime) ? Math.round(reply.elapsedTime) : void 0,
+      ip_address: req.ip,
+      user_agent: req.headers["user-agent"]
+    });
+    if (reply.statusCode === 401) {
+      auditDb2.recordSecurityEvent({
+        event_type: "auth_failure",
+        severity: "medium",
+        ip_address: req.ip,
+        path: req.url,
+        method: req.method,
+        user_agent: req.headers["user-agent"],
+        details: { status_code: 401 }
+      });
+    }
+  };
+}
+
+// src/server.ts
+function createServer() {
+  const app2 = Fastify({
+    bodyLimit: 1048576,
+    // 1 MB global default
+    logger: {
+      level: process.env.LOG_LEVEL ?? (process.env.NODE_ENV === "production" ? "info" : "debug"),
+      redact: {
+        paths: [
+          "req.headers.authorization",
+          "req.body.signature",
+          "req.body.attestation.signature"
+        ],
+        censor: "[REDACTED]"
+      },
+      serializers: {
+        req(req) {
+          const fwd = req.headers["x-forwarded-for"];
+          return {
+            method: req.method,
+            url: req.url,
+            reqId: req.id,
+            remoteAddress: (Array.isArray(fwd) ? fwd[0] : fwd) ?? req.socket?.remoteAddress
+          };
+        },
+        res(res) {
+          return {
+            statusCode: res.statusCode
+          };
+        }
+      }
+    },
+    genReqId: (req) => req.headers["x-request-id"] ?? randomUUID()
+  });
+  const corsOriginEnv = process.env.CORS_ORIGIN;
+  const corsOrigin = corsOriginEnv === "*" ? true : corsOriginEnv ? corsOriginEnv.split(",").map((o) => o.trim()) : ["http://localhost:5173", "http://localhost:8080"];
+  app2.register(cors, {
+    origin: corsOrigin,
+    methods: ["GET", "POST"],
+    allowedHeaders: ["Content-Type", "Authorization", "X-Request-ID"],
+    exposedHeaders: ["X-Request-ID", "X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset"],
+    credentials: true,
+    maxAge: 86400
+  });
+  app2.register(helmet, {
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'none'"],
+        frameAncestors: ["'none'"]
+      }
+    },
+    crossOriginEmbedderPolicy: false,
+    crossOriginResourcePolicy: { policy: "cross-origin" },
+    dnsPrefetchControl: { allow: false },
+    frameguard: { action: "deny" },
+    hsts: {
+      maxAge: 31536e3,
+      includeSubDomains: true,
+      preload: true
+    },
+    ieNoOpen: true,
+    noSniff: true,
+    referrerPolicy: { policy: "no-referrer" },
+    xssFilter: true
+  });
+  const auditDb2 = process.env.AUDIT_DATABASE_URL ? new AuditDb(process.env.AUDIT_DATABASE_URL) : void 0;
+  if (auditDb2) {
+    auditDb2.migrate().catch(
+      (err) => app2.log.error({ err }, "audit-db migration failed \u2014 continuing without audit persistence")
+    );
+    app2.addHook("onResponse", createAuditMiddleware(auditDb2));
+  }
+  app2.addHook("onSend", async (req, reply) => {
+    reply.header("X-Request-ID", req.id);
+  });
+  app2.addHook("onSend", async (_req, reply) => {
+    reply.removeHeader("X-Powered-By");
+  });
+  app2.addHook("preHandler", authHook);
+  const apiKeyHash = process.env.Parmana_API_KEY ? createHash("sha256").update(process.env.Parmana_API_KEY).digest("hex") : null;
+  app2.register(rateLimit, {
+    keyGenerator(req) {
+      if (apiKeyHash) return apiKeyHash;
+      const forwarded = req.headers["x-forwarded-for"];
+      const forwardedStr = Array.isArray(forwarded) ? forwarded[0] : forwarded;
+      const forwardedIp = forwardedStr?.split(",")[0]?.trim();
+      const realIp = req.headers["x-real-ip"];
+      const realIpStr = Array.isArray(realIp) ? realIp[0] : realIp;
+      return forwardedIp ?? realIpStr ?? req.ip;
+    },
+    errorResponseBuilder(_req, context) {
+      return {
+        error: "Rate limit exceeded",
+        limit: context.max,
+        remaining: 0,
+        reset: Math.floor(Date.now() / 1e3) + Math.ceil(context.ttl / 1e3)
+      };
+    }
+  });
+  registerRoutes(app2, { signer, verifier, runtimeManifest, auditDb: auditDb2 });
+  return { app: app2, auditDb: auditDb2 };
+}
+
+// src/index.ts
+var port = parseInt(process.env.PORT ?? "3000", 10);
+var host = process.env.HOST ?? "0.0.0.0";
+var { app, auditDb } = createServer();
+async function shutdown(signal) {
+  app.log.info(`Shutdown signal received (${signal}), closing server...`);
+  const shutdownTimeout = setTimeout(() => {
+    app.log.error("Graceful shutdown timed out, forcing exit");
+    process.exit(1);
+  }, 1e4);
+  shutdownTimeout.unref();
+  try {
+    await app.close();
+    if (auditDb) {
+      await auditDb.disconnect();
+    }
+    clearTimeout(shutdownTimeout);
+    app.log.info("Server closed cleanly");
+    process.exit(0);
+  } catch (err) {
+    app.log.error({ err }, "Error during shutdown");
+    process.exit(1);
+  }
+}
+process.on("SIGTERM", () => {
+  void shutdown("SIGTERM");
+});
+process.on("SIGINT", () => {
+  void shutdown("SIGINT");
+});
+async function startServer() {
+  try {
+    await app.listen({ port, host });
+    app.log.info(`Server listening on http://${host}:${port}`);
+    if (auditDb) {
+      app.log.info("Audit DB connected");
+    } else {
+      app.log.info("Audit DB not configured");
+    }
+    const keyMsg = {
+      env: "Signing key loaded from env",
+      disk: "Signing key loaded from disk",
+      ephemeral: "Using ephemeral signing key"
+    };
+    app.log.info(keyMsg[signingKeySource]);
+  } catch (err) {
+    app.log.error(err);
+    process.exit(1);
+  }
+}
+export {
+  app,
+  startServer
+};
+//# sourceMappingURL=index.js.map