@realtimex/folio 0.1.2

package/dist/api/server.js

@@ -0,0 +1,106 @@
+import cors from "cors";
+import express from "express";
+import { existsSync } from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { config, validateConfig } from "./src/config/index.js";
+import { errorHandler } from "./src/middleware/errorHandler.js";
+import { apiRateLimit } from "./src/middleware/rateLimit.js";
+import routes from "./src/routes/index.js";
+import { SDKService } from "./src/services/SDKService.js";
+import { createLogger } from "./src/utils/logger.js";
+const logger = createLogger("Server");
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const configValidation = validateConfig();
+if (!configValidation.valid) {
+    logger.warn("Configuration warnings", { errors: configValidation.errors });
+}
+SDKService.initialize();
+const app = express();
+app.use((req, res, next) => {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    res.setHeader("X-XSS-Protection", "1; mode=block");
+    if (config.isProduction) {
+        res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+    }
+    next();
+});
+app.use(cors({
+    origin: config.isProduction ? config.security.corsOrigins : true,
+    credentials: true,
+    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+    allowedHeaders: ["Content-Type", "Authorization", "X-Supabase-Url", "X-Supabase-Anon-Key"]
+}));
+app.use(express.json({ limit: "10mb" }));
+app.use(express.urlencoded({ extended: true, limit: "10mb" }));
+app.use((req, res, next) => {
+    const start = Date.now();
+    res.on("finish", () => {
+        const duration = Date.now() - start;
+        logger.debug(`${req.method} ${req.path}`, { status: res.statusCode, durationMs: duration });
+    });
+    next();
+});
+app.use("/api", apiRateLimit);
+app.use("/api", routes);
+function getDistPath() {
+    if (process.env.ELECTRON_STATIC_PATH &&
+        existsSync(path.join(process.env.ELECTRON_STATIC_PATH, "index.html"))) {
+        return process.env.ELECTRON_STATIC_PATH;
+    }
+    const fromRoot = path.join(config.rootDir || process.cwd(), "dist");
+    if (existsSync(path.join(fromRoot, "index.html"))) {
+        return fromRoot;
+    }
+    let current = __dirname;
+    for (let i = 0; i < 4; i += 1) {
+        const candidate = path.join(current, "dist");
+        if (existsSync(path.join(candidate, "index.html"))) {
+            return candidate;
+        }
+        current = path.dirname(current);
+    }
+    return fromRoot;
+}
+const distUiPath = getDistPath();
+if (existsSync(path.join(distUiPath, "index.html"))) {
+    logger.info("Serving static UI", { distUiPath });
+    app.use(express.static(distUiPath));
+    app.get(/.*/, (req, res, next) => {
+        if (req.path.startsWith("/api")) {
+            return next();
+        }
+        res.sendFile(path.join(distUiPath, "index.html"), (error) => {
+            if (error) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        code: "NOT_FOUND",
+                        message: "Frontend not built or route not found"
+                    }
+                });
+            }
+        });
+    });
+}
+else {
+    logger.warn("No dist/index.html found. API will run without bundled UI.", { distUiPath });
+}
+app.use(errorHandler);
+const server = app.listen(config.port, () => {
+    logger.info("Folio API started", {
+        port: config.port,
+        environment: config.nodeEnv,
+        packageRoot: config.packageRoot
+    });
+});
+function shutdown(signal) {
+    logger.info(`Shutting down (${signal})`);
+    server.close(() => {
+        process.exit(0);
+    });
+}
+process.on("SIGINT", () => shutdown("SIGINT"));
+process.on("SIGTERM", () => shutdown("SIGTERM"));

package/dist/api/src/config/index.js

@@ -0,0 +1,81 @@
+import dotenv from "dotenv";
+import { existsSync } from "node:fs";
+import path, { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+function findPackageRoot(startDir) {
+    let current = startDir;
+    while (current !== path.parse(current).root) {
+        if (existsSync(join(current, "package.json")) && existsSync(join(current, "bin"))) {
+            return current;
+        }
+        current = dirname(current);
+    }
+    return process.cwd();
+}
+const packageRoot = findPackageRoot(__dirname);
+function loadEnvironment() {
+    const cwdEnv = join(process.cwd(), ".env");
+    const rootEnv = join(packageRoot, ".env");
+    if (existsSync(cwdEnv)) {
+        dotenv.config({ path: cwdEnv, override: true });
+    }
+    else if (existsSync(rootEnv)) {
+        dotenv.config({ path: rootEnv, override: true });
+    }
+    else {
+        dotenv.config();
+    }
+}
+loadEnvironment();
+function parseArgs(args) {
+    const portIndex = args.indexOf("--port");
+    let port = null;
+    if (portIndex !== -1 && args[portIndex + 1]) {
+        const candidate = Number.parseInt(args[portIndex + 1], 10);
+        if (!Number.isNaN(candidate) && candidate > 0 && candidate < 65536) {
+            port = candidate;
+        }
+    }
+    return {
+        port,
+        noUi: args.includes("--no-ui")
+    };
+}
+const cliArgs = parseArgs(process.argv.slice(2));
+export const config = {
+    packageRoot,
+    port: cliArgs.port || (process.env.PORT ? Number.parseInt(process.env.PORT, 10) : 3006),
+    noUi: cliArgs.noUi,
+    nodeEnv: process.env.NODE_ENV || "development",
+    isProduction: process.env.NODE_ENV === "production",
+    rootDir: packageRoot,
+    scriptsDir: join(packageRoot, "scripts"),
+    supabase: {
+        url: process.env.SUPABASE_URL || process.env.VITE_SUPABASE_URL || "",
+        anonKey: process.env.SUPABASE_ANON_KEY || process.env.VITE_SUPABASE_ANON_KEY || "",
+        serviceRoleKey: process.env.SUPABASE_SERVICE_ROLE_KEY || ""
+    },
+    security: {
+        jwtSecret: process.env.JWT_SECRET || "dev-secret-change-in-production",
+        encryptionKey: process.env.TOKEN_ENCRYPTION_KEY || "",
+        corsOrigins: process.env.CORS_ORIGINS?.split(",") || ["http://localhost:5173", "http://localhost:3006"],
+        rateLimitWindowMs: 60 * 1000,
+        rateLimitMax: 60,
+        disableAuth: process.env.DISABLE_AUTH === "true"
+    }
+};
+export function validateConfig() {
+    const errors = [];
+    if (config.isProduction && config.security.jwtSecret === "dev-secret-change-in-production") {
+        errors.push("JWT_SECRET must be set in production");
+    }
+    if (config.isProduction && !config.security.encryptionKey) {
+        errors.push("TOKEN_ENCRYPTION_KEY must be set in production");
+    }
+    return {
+        valid: errors.length === 0,
+        errors
+    };
+}

package/dist/api/src/middleware/auth.js

@@ -0,0 +1,93 @@
+import { createClient } from "@supabase/supabase-js";
+import { config } from "../config/index.js";
+import { getServerSupabase, getSupabaseConfigFromHeaders } from "../services/supabase.js";
+import { Logger, createLogger } from "../utils/logger.js";
+import { AuthenticationError, AuthorizationError } from "./errorHandler.js";
+const logger = createLogger("AuthMiddleware");
+function resolveSupabaseConfig(req) {
+    const headerConfig = getSupabaseConfigFromHeaders(req.headers);
+    const envUrl = config.supabase.url;
+    const envKey = config.supabase.anonKey;
+    const envIsValid = envUrl.startsWith("http://") || envUrl.startsWith("https://");
+    if (envIsValid && envKey) {
+        return { url: envUrl, anonKey: envKey };
+    }
+    return headerConfig;
+}
+export async function authMiddleware(req, _res, next) {
+    try {
+        const supabaseConfig = resolveSupabaseConfig(req);
+        if (!supabaseConfig) {
+            throw new AuthenticationError("Supabase not configured");
+        }
+        if (config.security.disableAuth && !config.isProduction) {
+            const user = {
+                id: "00000000-0000-0000-0000-000000000000",
+                email: "dev@folio.local",
+                user_metadata: {},
+                app_metadata: {},
+                aud: "authenticated",
+                created_at: new Date().toISOString()
+            };
+            const supabase = getServerSupabase() ||
+                createClient(supabaseConfig.url, supabaseConfig.anonKey, {
+                    auth: {
+                        autoRefreshToken: false,
+                        persistSession: false
+                    }
+                });
+            req.user = user;
+            req.supabase = supabase;
+            Logger.setPersistence(supabase, user.id);
+            return next();
+        }
+        const authHeader = req.headers.authorization;
+        if (!authHeader?.startsWith("Bearer ")) {
+            throw new AuthenticationError("Missing bearer token");
+        }
+        const token = authHeader.slice(7);
+        const supabase = createClient(supabaseConfig.url, supabaseConfig.anonKey, {
+            global: {
+                headers: {
+                    Authorization: `Bearer ${token}`
+                }
+            }
+        });
+        const { data: { user }, error } = await supabase.auth.getUser(token);
+        if (error || !user) {
+            throw new AuthenticationError("Invalid or expired token");
+        }
+        req.user = user;
+        req.supabase = supabase;
+        Logger.setPersistence(supabase, user.id);
+        next();
+    }
+    catch (error) {
+        logger.error("Auth middleware error", {
+            error: error instanceof Error ? error.message : String(error)
+        });
+        next(error);
+    }
+}
+export function optionalAuth(req, res, next) {
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith("Bearer ")) {
+        next();
+        return;
+    }
+    void authMiddleware(req, res, next);
+}
+export function requireRole(roles) {
+    return (req, _res, next) => {
+        if (!req.user) {
+            next(new AuthenticationError());
+            return;
+        }
+        const role = req.user.user_metadata?.role || "user";
+        if (!roles.includes(role)) {
+            next(new AuthorizationError(`Requires one of: ${roles.join(", ")}`));
+            return;
+        }
+        next();
+    };
+}

package/dist/api/src/middleware/errorHandler.js

@@ -0,0 +1,73 @@
+import { config } from "../config/index.js";
+import { createLogger } from "../utils/logger.js";
+const logger = createLogger("ErrorHandler");
+export class AppError extends Error {
+    statusCode;
+    isOperational;
+    code;
+    constructor(message, statusCode = 500, code) {
+        super(message);
+        this.statusCode = statusCode;
+        this.isOperational = true;
+        this.code = code;
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+export class ValidationError extends AppError {
+    constructor(message) {
+        super(message, 400, "VALIDATION_ERROR");
+    }
+}
+export class AuthenticationError extends AppError {
+    constructor(message = "Authentication required") {
+        super(message, 401, "AUTHENTICATION_ERROR");
+    }
+}
+export class AuthorizationError extends AppError {
+    constructor(message = "Insufficient permissions") {
+        super(message, 403, "AUTHORIZATION_ERROR");
+    }
+}
+export class NotFoundError extends AppError {
+    constructor(resource = "Resource") {
+        super(`${resource} not found`, 404, "NOT_FOUND");
+    }
+}
+export class RateLimitError extends AppError {
+    constructor() {
+        super("Too many requests", 429, "RATE_LIMIT_EXCEEDED");
+    }
+}
+export function errorHandler(err, req, res, _next) {
+    const statusCode = err instanceof AppError ? err.statusCode : 500;
+    const code = err instanceof AppError ? err.code : "INTERNAL_ERROR";
+    if (statusCode >= 500) {
+        logger.error("Server error", {
+            method: req.method,
+            path: req.path,
+            statusCode,
+            message: err.message
+        });
+    }
+    else {
+        logger.warn("Client error", {
+            method: req.method,
+            path: req.path,
+            statusCode,
+            message: err.message
+        });
+    }
+    res.status(statusCode).json({
+        success: false,
+        error: {
+            code,
+            message: !config.isProduction ? err.message : statusCode >= 500 ? "Unexpected error" : err.message,
+            ...(config.isProduction ? {} : { stack: err.stack })
+        }
+    });
+}
+export function asyncHandler(fn) {
+    return (req, res, next) => {
+        Promise.resolve(fn(req, res, next)).catch(next);
+    };
+}

package/dist/api/src/middleware/index.js

@@ -0,0 +1,4 @@
+export * from "./auth.js";
+export * from "./errorHandler.js";
+export * from "./rateLimit.js";
+export * from "./validation.js";

package/dist/api/src/middleware/rateLimit.js

@@ -0,0 +1,43 @@
+import { config } from "../config/index.js";
+import { RateLimitError } from "./errorHandler.js";
+const rateLimitStore = new Map();
+setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of rateLimitStore.entries()) {
+        if (entry.resetAt < now) {
+            rateLimitStore.delete(key);
+        }
+    }
+}, 60_000);
+export function rateLimit(options = {}) {
+    const { windowMs = config.security.rateLimitWindowMs, max = config.security.rateLimitMax, keyGenerator = (req) => req.ip || String(req.headers["x-forwarded-for"] || "unknown"), skip = () => false } = options;
+    return (req, res, next) => {
+        if (skip(req)) {
+            return next();
+        }
+        const key = keyGenerator(req);
+        const now = Date.now();
+        let entry = rateLimitStore.get(key);
+        if (!entry || entry.resetAt < now) {
+            entry = {
+                count: 1,
+                resetAt: now + windowMs
+            };
+            rateLimitStore.set(key, entry);
+        }
+        else {
+            entry.count += 1;
+        }
+        res.setHeader("X-RateLimit-Limit", max);
+        res.setHeader("X-RateLimit-Remaining", Math.max(0, max - entry.count));
+        res.setHeader("X-RateLimit-Reset", Math.ceil(entry.resetAt / 1000));
+        if (entry.count > max) {
+            return next(new RateLimitError());
+        }
+        next();
+    };
+}
+export const apiRateLimit = rateLimit({
+    windowMs: 60_000,
+    max: 60
+});

package/dist/api/src/middleware/validation.js

@@ -0,0 +1,54 @@
+import { z, ZodError } from "zod";
+import { ValidationError } from "./errorHandler.js";
+export function validateBody(schema) {
+    return (req, _res, next) => {
+        try {
+            req.body = schema.parse(req.body);
+            next();
+        }
+        catch (error) {
+            if (error instanceof ZodError) {
+                const message = error.errors.map((item) => `${item.path.join(".")}: ${item.message}`).join(", ");
+                next(new ValidationError(message));
+                return;
+            }
+            next(error);
+        }
+    };
+}
+export function validateQuery(schema) {
+    return (req, _res, next) => {
+        try {
+            req.query = schema.parse(req.query);
+            next();
+        }
+        catch (error) {
+            if (error instanceof ZodError) {
+                const message = error.errors.map((item) => `${item.path.join(".")}: ${item.message}`).join(", ");
+                next(new ValidationError(message));
+                return;
+            }
+            next(error);
+        }
+    };
+}
+export const schemas = {
+    testSupabase: z.object({
+        url: z.string().url(),
+        anonKey: z.string().min(10)
+    }),
+    autoProvision: z.object({
+        orgId: z.string().min(1),
+        projectName: z.string().min(1).max(64).optional(),
+        region: z.string().min(1).max(64).optional()
+    }),
+    migrate: z.object({
+        projectRef: z.string().min(1),
+        accessToken: z.string().min(1),
+        anonKey: z.string().min(1).optional()
+    }),
+    dispatchProcessing: z.object({
+        source_type: z.string().min(1),
+        payload: z.record(z.unknown())
+    })
+};

package/dist/api/src/routes/accounts.js

@@ -0,0 +1,110 @@
+import { Router } from "express";
+import axios from "axios";
+import { asyncHandler } from "../middleware/errorHandler.js";
+import { optionalAuth } from "../middleware/auth.js";
+const router = Router();
+router.use(optionalAuth);
+// GET /api/accounts
+router.get("/", asyncHandler(async (req, res) => {
+    if (!req.user || !req.supabase) {
+        res.status(401).json({ error: "Authentication required" });
+        return;
+    }
+    const { data, error } = await req.supabase
+        .from("integrations")
+        .select("id, provider, is_enabled, created_at, updated_at")
+        .eq("user_id", req.user.id);
+    if (error) {
+        res.status(500).json({ error: error.message });
+        return;
+    }
+    // Map to expected frontend format
+    const accounts = data?.map(integration => ({
+        id: integration.id,
+        email_address: integration.provider, // Just for UI display
+        provider: integration.provider,
+        is_connected: integration.is_enabled,
+        sync_enabled: integration.is_enabled,
+        created_at: integration.created_at,
+        updated_at: integration.updated_at
+    })) || [];
+    res.json({ accounts });
+}));
+// POST /api/accounts/google-drive/auth-url
+router.post("/google-drive/auth-url", asyncHandler(async (req, res) => {
+    const { clientId } = req.body;
+    if (!clientId) {
+        res.status(400).json({ error: "Missing clientId" });
+        return;
+    }
+    const redirectUri = "urn:ietf:wg:oauth:2.0:oob"; // Desktop/local app flow
+    // We request drive (full access) to allow downloading and uploading (moving) files
+    const params = new URLSearchParams({
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        response_type: "code",
+        scope: "https://www.googleapis.com/auth/drive",
+        access_type: "offline",
+        prompt: "consent",
+    });
+    const authUrl = `https://accounts.google.com/o/oauth2/v2/auth?${params.toString()}`;
+    res.json({ authUrl });
+}));
+// POST /api/accounts/google-drive/connect
+router.post("/google-drive/connect", asyncHandler(async (req, res) => {
+    if (!req.supabase || !req.user) {
+        res.status(401).json({ error: "Authentication required" });
+        return;
+    }
+    const { authCode, clientId, clientSecret } = req.body;
+    if (!authCode || !clientId || !clientSecret) {
+        res.status(400).json({ error: "Missing authCode, clientId, or clientSecret" });
+        return;
+    }
+    try {
+        // Exchange code for tokens
+        const tokenResponse = await axios.post("https://oauth2.googleapis.com/token", null, {
+            params: {
+                client_id: clientId,
+                client_secret: clientSecret,
+                code: authCode,
+                grant_type: "authorization_code",
+                redirect_uri: "urn:ietf:wg:oauth:2.0:oob",
+            },
+        });
+        const { access_token, refresh_token, expires_in } = tokenResponse.data;
+        const credentials = {
+            access_token,
+            refresh_token,
+            expires_at: Date.now() + expires_in * 1000,
+            client_id: clientId,
+            client_secret: clientSecret
+        };
+        // Save to integrations
+        const { data: integration, error } = await req.supabase
+            .from("integrations")
+            .upsert({
+            user_id: req.user.id,
+            provider: "google_drive",
+            credentials,
+            is_enabled: true
+        }, { onConflict: "user_id,provider" })
+            .select()
+            .single();
+        if (error) {
+            throw new Error(`Database error: ${error.message}`);
+        }
+        res.json({ success: true, account: integration });
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    }
+    catch (error) {
+        const errorMessage = error.response?.data?.error_description
+            || error.response?.data?.error
+            || error.message
+            || "Failed to connect Google Drive";
+        res.status(500).json({
+            error: errorMessage
+        });
+    }
+}));
+export default router;

package/dist/api/src/routes/baseline-config.js

@@ -0,0 +1,91 @@
+import { Router } from "express";
+import { asyncHandler } from "../middleware/errorHandler.js";
+import { optionalAuth } from "../middleware/auth.js";
+import { BaselineConfigService, DEFAULT_BASELINE_FIELDS } from "../services/BaselineConfigService.js";
+import { PolicyEngine } from "../services/PolicyEngine.js";
+const router = Router();
+router.use(optionalAuth);
+// GET /api/baseline-config
+// Returns the active config. If none exists, returns the built-in defaults
+// with id: null so the UI can distinguish "never saved" from "saved and active".
+router.get("/", asyncHandler(async (req, res) => {
+    if (!req.supabase || !req.user) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+    const config = await BaselineConfigService.getActive(req.supabase, req.user.id);
+    res.json({
+        success: true,
+        config,
+        defaults: DEFAULT_BASELINE_FIELDS,
+    });
+}));
+// GET /api/baseline-config/history
+// Returns all saved versions for the user, newest first.
+router.get("/history", asyncHandler(async (req, res) => {
+    if (!req.supabase || !req.user) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+    const history = await BaselineConfigService.list(req.supabase, req.user.id);
+    res.json({ success: true, history });
+}));
+// POST /api/baseline-config
+// Save a new version. Body: { context?, fields[], activate? }
+// Always creates a new row — never mutates an existing version.
+router.post("/", asyncHandler(async (req, res) => {
+    if (!req.supabase || !req.user) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+    const { context, fields, activate = true } = req.body;
+    if (!Array.isArray(fields) || fields.length === 0) {
+        res.status(400).json({ success: false, error: "fields array is required and must not be empty" });
+        return;
+    }
+    const config = await BaselineConfigService.save(req.supabase, req.user.id, { context, fields }, activate);
+    res.status(201).json({ success: true, config });
+}));
+// POST /api/baseline-config/:id/activate
+// Activate a previously saved version.
+router.post("/:id/activate", asyncHandler(async (req, res) => {
+    if (!req.supabase || !req.user) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+    const ok = await BaselineConfigService.activate(req.supabase, req.user.id, req.params.id);
+    if (!ok) {
+        res.status(404).json({ success: false, error: "Config version not found" });
+        return;
+    }
+    res.json({ success: true });
+}));
+// POST /api/baseline-config/suggest
+// Body: { description, provider?, model? }
+// Returns a draft { context, fields[] } for the user to review before saving.
+router.post("/suggest", asyncHandler(async (req, res) => {
+    if (!req.supabase || !req.user) {
+        res.status(401).json({ success: false, error: "Authentication required" });
+        return;
+    }
+    const { description, provider, model } = req.body;
+    if (!description || typeof description !== "string") {
+        res.status(400).json({ success: false, error: "description is required" });
+        return;
+    }
+    // Pass current active fields so the LLM avoids duplicating them
+    const activeConfig = await BaselineConfigService.getActive(req.supabase, req.user.id);
+    const currentFields = activeConfig?.fields ?? DEFAULT_BASELINE_FIELDS;
+    const result = await PolicyEngine.suggestBaseline(description, currentFields, {
+        provider,
+        model,
+        userId: req.user.id,
+        supabase: req.supabase,
+    });
+    if (!result.suggestion) {
+        res.status(503).json({ success: false, error: result.error ?? "Suggestion failed. SDK may be unavailable." });
+        return;
+    }
+    res.json({ success: true, suggestion: result.suggestion });
+}));
+export default router;