npm - @selvajs/local-provider - Versions diffs - 0.11.0 - Mend

@selvajs/local-provider 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/LICENSE +21 -0
package/README.md +123 -0
package/dist/auth/LocalAuthProvider.d.ts +28 -0
package/dist/auth/LocalAuthProvider.d.ts.map +1 -0
package/dist/auth/LocalAuthProvider.js +142 -0
package/dist/auth/LocalAuthProvider.js.map +1 -0
package/dist/auth/__tests__/conformance.test.d.ts +2 -0
package/dist/auth/__tests__/conformance.test.d.ts.map +1 -0
package/dist/auth/__tests__/conformance.test.js +36 -0
package/dist/auth/__tests__/conformance.test.js.map +1 -0
package/dist/auth/hmac.d.ts +18 -0
package/dist/auth/hmac.d.ts.map +1 -0
package/dist/auth/hmac.js +41 -0
package/dist/auth/hmac.js.map +1 -0
package/dist/auth/index.d.ts +6 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +4 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/users.d.ts +38 -0
package/dist/auth/users.d.ts.map +1 -0
package/dist/auth/users.js +100 -0
package/dist/auth/users.js.map +1 -0
package/dist/compute/FilesystemComputeProvider.d.ts +16 -0
package/dist/compute/FilesystemComputeProvider.d.ts.map +1 -0
package/dist/compute/FilesystemComputeProvider.js +51 -0
package/dist/compute/FilesystemComputeProvider.js.map +1 -0
package/dist/compute/SingleComputeServerProvider.d.ts +15 -0
package/dist/compute/SingleComputeServerProvider.d.ts.map +1 -0
package/dist/compute/SingleComputeServerProvider.js +26 -0
package/dist/compute/SingleComputeServerProvider.js.map +1 -0
package/dist/compute/types.d.ts +30 -0
package/dist/compute/types.d.ts.map +1 -0
package/dist/compute/types.js +2 -0
package/dist/compute/types.js.map +1 -0
package/dist/computeServer/FilesystemComputeServerStore.d.ts +14 -0
package/dist/computeServer/FilesystemComputeServerStore.d.ts.map +1 -0
package/dist/computeServer/FilesystemComputeServerStore.js +35 -0
package/dist/computeServer/FilesystemComputeServerStore.js.map +1 -0
package/dist/computeServer/LocalComputeServerProvider.d.ts +18 -0
package/dist/computeServer/LocalComputeServerProvider.d.ts.map +1 -0
package/dist/computeServer/LocalComputeServerProvider.js +29 -0
package/dist/computeServer/LocalComputeServerProvider.js.map +1 -0
package/dist/computeServer/__tests__/conformance.test.d.ts +2 -0
package/dist/computeServer/__tests__/conformance.test.d.ts.map +1 -0
package/dist/computeServer/__tests__/conformance.test.js +20 -0
package/dist/computeServer/__tests__/conformance.test.js.map +1 -0
package/dist/computeServer/index.d.ts +2 -0
package/dist/computeServer/index.d.ts.map +1 -0
package/dist/computeServer/index.js +2 -0
package/dist/computeServer/index.js.map +1 -0
package/dist/data/LocalComputeServerStore.d.ts +72 -0
package/dist/data/LocalComputeServerStore.d.ts.map +1 -0
package/dist/data/LocalComputeServerStore.js +207 -0
package/dist/data/LocalComputeServerStore.js.map +1 -0
package/dist/data/LocalDataProvider.d.ts +47 -0
package/dist/data/LocalDataProvider.d.ts.map +1 -0
package/dist/data/LocalDataProvider.js +118 -0
package/dist/data/LocalDataProvider.js.map +1 -0
package/dist/data/LocalDefinitionMetaProvider.d.ts +22 -0
package/dist/data/LocalDefinitionMetaProvider.d.ts.map +1 -0
package/dist/data/LocalDefinitionMetaProvider.js +131 -0
package/dist/data/LocalDefinitionMetaProvider.js.map +1 -0
package/dist/data/LocalDefinitionStore.d.ts +33 -0
package/dist/data/LocalDefinitionStore.d.ts.map +1 -0
package/dist/data/LocalDefinitionStore.js +274 -0
package/dist/data/LocalDefinitionStore.js.map +1 -0
package/dist/data/LocalInviteStore.d.ts +23 -0
package/dist/data/LocalInviteStore.d.ts.map +1 -0
package/dist/data/LocalInviteStore.js +98 -0
package/dist/data/LocalInviteStore.js.map +1 -0
package/dist/data/LocalOrgStore.d.ts +67 -0
package/dist/data/LocalOrgStore.d.ts.map +1 -0
package/dist/data/LocalOrgStore.js +255 -0
package/dist/data/LocalOrgStore.js.map +1 -0
package/dist/data/LocalPlatformProjectGrantStore.d.ts +14 -0
package/dist/data/LocalPlatformProjectGrantStore.d.ts.map +1 -0
package/dist/data/LocalPlatformProjectGrantStore.js +62 -0
package/dist/data/LocalPlatformProjectGrantStore.js.map +1 -0
package/dist/data/LocalProjectStore.d.ts +30 -0
package/dist/data/LocalProjectStore.d.ts.map +1 -0
package/dist/data/LocalProjectStore.js +171 -0
package/dist/data/LocalProjectStore.js.map +1 -0
package/dist/data/LocalShareLinkStore.d.ts +39 -0
package/dist/data/LocalShareLinkStore.d.ts.map +1 -0
package/dist/data/LocalShareLinkStore.js +108 -0
package/dist/data/LocalShareLinkStore.js.map +1 -0
package/dist/data/__tests__/LocalDefinitionMetaProvider.test.d.ts +2 -0
package/dist/data/__tests__/LocalDefinitionMetaProvider.test.d.ts.map +1 -0
package/dist/data/__tests__/LocalDefinitionMetaProvider.test.js +21 -0
package/dist/data/__tests__/LocalDefinitionMetaProvider.test.js.map +1 -0
package/dist/data/__tests__/cascade.test.d.ts +2 -0
package/dist/data/__tests__/cascade.test.d.ts.map +1 -0
package/dist/data/__tests__/cascade.test.js +265 -0
package/dist/data/__tests__/cascade.test.js.map +1 -0
package/dist/data/__tests__/compute-server-conformance.test.d.ts +2 -0
package/dist/data/__tests__/compute-server-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/compute-server-conformance.test.js +21 -0
package/dist/data/__tests__/compute-server-conformance.test.js.map +1 -0
package/dist/data/__tests__/compute-server-encryption.test.d.ts +2 -0
package/dist/data/__tests__/compute-server-encryption.test.d.ts.map +1 -0
package/dist/data/__tests__/compute-server-encryption.test.js +131 -0
package/dist/data/__tests__/compute-server-encryption.test.js.map +1 -0
package/dist/data/__tests__/definition-conformance.test.d.ts +2 -0
package/dist/data/__tests__/definition-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/definition-conformance.test.js +20 -0
package/dist/data/__tests__/definition-conformance.test.js.map +1 -0
package/dist/data/__tests__/event-sink-conformance.test.d.ts +2 -0
package/dist/data/__tests__/event-sink-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/event-sink-conformance.test.js +24 -0
package/dist/data/__tests__/event-sink-conformance.test.js.map +1 -0
package/dist/data/__tests__/invite-conformance.test.d.ts +2 -0
package/dist/data/__tests__/invite-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/invite-conformance.test.js +21 -0
package/dist/data/__tests__/invite-conformance.test.js.map +1 -0
package/dist/data/__tests__/org-conformance.test.d.ts +2 -0
package/dist/data/__tests__/org-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/org-conformance.test.js +36 -0
package/dist/data/__tests__/org-conformance.test.js.map +1 -0
package/dist/data/__tests__/platform-project-grant-conformance.test.d.ts +2 -0
package/dist/data/__tests__/platform-project-grant-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/platform-project-grant-conformance.test.js +20 -0
package/dist/data/__tests__/platform-project-grant-conformance.test.js.map +1 -0
package/dist/data/__tests__/project-conformance.test.d.ts +2 -0
package/dist/data/__tests__/project-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/project-conformance.test.js +53 -0
package/dist/data/__tests__/project-conformance.test.js.map +1 -0
package/dist/data/__tests__/rules.test.d.ts +2 -0
package/dist/data/__tests__/rules.test.d.ts.map +1 -0
package/dist/data/__tests__/rules.test.js +484 -0
package/dist/data/__tests__/rules.test.js.map +1 -0
package/dist/data/__tests__/share-link-conformance.test.d.ts +2 -0
package/dist/data/__tests__/share-link-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/share-link-conformance.test.js +20 -0
package/dist/data/__tests__/share-link-conformance.test.js.map +1 -0
package/dist/data/fsJson.d.ts +12 -0
package/dist/data/fsJson.d.ts.map +1 -0
package/dist/data/fsJson.js +29 -0
package/dist/data/fsJson.js.map +1 -0
package/dist/data/index.d.ts +13 -0
package/dist/data/index.d.ts.map +1 -0
package/dist/data/index.js +9 -0
package/dist/data/index.js.map +1 -0
package/dist/data/pagination.d.ts +15 -0
package/dist/data/pagination.d.ts.map +1 -0
package/dist/data/pagination.js +36 -0
package/dist/data/pagination.js.map +1 -0
package/dist/data/secretCrypto.d.ts +23 -0
package/dist/data/secretCrypto.d.ts.map +1 -0
package/dist/data/secretCrypto.js +64 -0
package/dist/data/secretCrypto.js.map +1 -0
package/dist/data/userData.d.ts +40 -0
package/dist/data/userData.d.ts.map +1 -0
package/dist/data/userData.js +84 -0
package/dist/data/userData.js.map +1 -0
package/dist/definitions/LocalDefinitionMetaProvider.d.ts +27 -0
package/dist/definitions/LocalDefinitionMetaProvider.d.ts.map +1 -0
package/dist/definitions/LocalDefinitionMetaProvider.js +188 -0
package/dist/definitions/LocalDefinitionMetaProvider.js.map +1 -0
package/dist/definitions/__tests__/conformance.test.d.ts +2 -0
package/dist/definitions/__tests__/conformance.test.d.ts.map +1 -0
package/dist/definitions/__tests__/conformance.test.js +20 -0
package/dist/definitions/__tests__/conformance.test.js.map +1 -0
package/dist/definitions/index.d.ts +2 -0
package/dist/definitions/index.d.ts.map +1 -0
package/dist/definitions/index.js +2 -0
package/dist/definitions/index.js.map +1 -0
package/dist/definitions/providers/filesystem-files.d.ts +24 -0
package/dist/definitions/providers/filesystem-files.d.ts.map +1 -0
package/dist/definitions/providers/filesystem-files.js +170 -0
package/dist/definitions/providers/filesystem-files.js.map +1 -0
package/dist/definitions/providers/filesystem-meta.d.ts +17 -0
package/dist/definitions/providers/filesystem-meta.d.ts.map +1 -0
package/dist/definitions/providers/filesystem-meta.js +216 -0
package/dist/definitions/providers/filesystem-meta.js.map +1 -0
package/dist/fsJson.d.ts +12 -0
package/dist/fsJson.d.ts.map +1 -0
package/dist/fsJson.js +29 -0
package/dist/fsJson.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +16 -0
package/dist/index.js.map +1 -0
package/dist/invites/LocalInviteProvider.d.ts +24 -0
package/dist/invites/LocalInviteProvider.d.ts.map +1 -0
package/dist/invites/LocalInviteProvider.js +89 -0
package/dist/invites/LocalInviteProvider.js.map +1 -0
package/dist/invites/__tests__/conformance.test.d.ts +2 -0
package/dist/invites/__tests__/conformance.test.d.ts.map +1 -0
package/dist/invites/__tests__/conformance.test.js +21 -0
package/dist/invites/__tests__/conformance.test.js.map +1 -0
package/dist/organizations/LocalOrganizationProvider.d.ts +41 -0
package/dist/organizations/LocalOrganizationProvider.d.ts.map +1 -0
package/dist/organizations/LocalOrganizationProvider.js +198 -0
package/dist/organizations/LocalOrganizationProvider.js.map +1 -0
package/dist/organizations/__tests__/conformance.test.d.ts +2 -0
package/dist/organizations/__tests__/conformance.test.d.ts.map +1 -0
package/dist/organizations/__tests__/conformance.test.js +20 -0
package/dist/organizations/__tests__/conformance.test.js.map +1 -0
package/dist/organizations/index.d.ts +2 -0
package/dist/organizations/index.d.ts.map +1 -0
package/dist/organizations/index.js +2 -0
package/dist/organizations/index.js.map +1 -0
package/dist/pagination.d.ts +15 -0
package/dist/pagination.d.ts.map +1 -0
package/dist/pagination.js +36 -0
package/dist/pagination.js.map +1 -0
package/dist/permissions/LocalPlatformPermissionStore.d.ts +39 -0
package/dist/permissions/LocalPlatformPermissionStore.d.ts.map +1 -0
package/dist/permissions/LocalPlatformPermissionStore.js +117 -0
package/dist/permissions/LocalPlatformPermissionStore.js.map +1 -0
package/dist/permissions/__tests__/conformance.test.d.ts +2 -0
package/dist/permissions/__tests__/conformance.test.d.ts.map +1 -0
package/dist/permissions/__tests__/conformance.test.js +37 -0
package/dist/permissions/__tests__/conformance.test.js.map +1 -0
package/dist/permissions/index.d.ts +2 -0
package/dist/permissions/index.d.ts.map +1 -0
package/dist/permissions/index.js +2 -0
package/dist/permissions/index.js.map +1 -0
package/dist/projects/LocalProjectProvider.d.ts +21 -0
package/dist/projects/LocalProjectProvider.d.ts.map +1 -0
package/dist/projects/LocalProjectProvider.js +125 -0
package/dist/projects/LocalProjectProvider.js.map +1 -0
package/dist/projects/__tests__/conformance.test.d.ts +2 -0
package/dist/projects/__tests__/conformance.test.d.ts.map +1 -0
package/dist/projects/__tests__/conformance.test.js +44 -0
package/dist/projects/__tests__/conformance.test.js.map +1 -0
package/dist/projects/index.d.ts +2 -0
package/dist/projects/index.d.ts.map +1 -0
package/dist/projects/index.js +2 -0
package/dist/projects/index.js.map +1 -0
package/dist/storage/LocalStorageProvider.d.ts +27 -0
package/dist/storage/LocalStorageProvider.d.ts.map +1 -0
package/dist/storage/LocalStorageProvider.js +74 -0
package/dist/storage/LocalStorageProvider.js.map +1 -0
package/dist/storage/__tests__/conformance.test.d.ts +2 -0
package/dist/storage/__tests__/conformance.test.d.ts.map +1 -0
package/dist/storage/__tests__/conformance.test.js +20 -0
package/dist/storage/__tests__/conformance.test.js.map +1 -0
package/dist/storage/index.d.ts +2 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +2 -0
package/dist/storage/index.js.map +1 -0
package/dist/userProfile/LocalUserProfileProvider.d.ts +25 -0
package/dist/userProfile/LocalUserProfileProvider.d.ts.map +1 -0
package/dist/userProfile/LocalUserProfileProvider.js +110 -0
package/dist/userProfile/LocalUserProfileProvider.js.map +1 -0
package/dist/userProfile/__tests__/conformance.test.d.ts +2 -0
package/dist/userProfile/__tests__/conformance.test.d.ts.map +1 -0
package/dist/userProfile/__tests__/conformance.test.js +40 -0
package/dist/userProfile/__tests__/conformance.test.js.map +1 -0
package/dist/userProfile/index.d.ts +2 -0
package/dist/userProfile/index.d.ts.map +1 -0
package/dist/userProfile/index.js +2 -0
package/dist/userProfile/index.js.map +1 -0
package/package.json +70 -0
package/src/README.md +37 -0
package/src/auth/LocalAuthProvider.ts +165 -0
package/src/auth/__tests__/conformance.test.ts +40 -0
package/src/auth/hmac.ts +53 -0
package/src/auth/index.ts +5 -0
package/src/auth/users.ts +151 -0
package/src/data/LocalComputeServerStore.ts +290 -0
package/src/data/LocalDataProvider.ts +148 -0
package/src/data/LocalDefinitionStore.ts +369 -0
package/src/data/LocalInviteStore.ts +117 -0
package/src/data/LocalOrgStore.ts +356 -0
package/src/data/LocalPlatformProjectGrantStore.ts +85 -0
package/src/data/LocalProjectStore.ts +274 -0
package/src/data/LocalShareLinkStore.ts +138 -0
package/src/data/__tests__/cascade.test.ts +300 -0
package/src/data/__tests__/compute-server-conformance.test.ts +26 -0
package/src/data/__tests__/compute-server-encryption.test.ts +185 -0
package/src/data/__tests__/definition-conformance.test.ts +23 -0
package/src/data/__tests__/event-sink-conformance.test.ts +28 -0
package/src/data/__tests__/invite-conformance.test.ts +24 -0
package/src/data/__tests__/org-conformance.test.ts +43 -0
package/src/data/__tests__/platform-project-grant-conformance.test.ts +24 -0
package/src/data/__tests__/project-conformance.test.ts +64 -0
package/src/data/__tests__/rules.test.ts +682 -0
package/src/data/__tests__/share-link-conformance.test.ts +23 -0
package/src/data/fsJson.ts +28 -0
package/src/data/index.ts +16 -0
package/src/data/pagination.ts +48 -0
package/src/data/secretCrypto.ts +69 -0
package/src/data/userData.ts +134 -0
package/src/index.ts +42 -0
package/src/permissions/LocalPlatformPermissionStore.ts +129 -0
package/src/permissions/__tests__/conformance.test.ts +40 -0
package/src/permissions/index.ts +1 -0
package/src/storage/LocalStorageProvider.ts +78 -0
package/src/storage/__tests__/conformance.test.ts +23 -0
package/src/storage/index.ts +1 -0
package/src/userProfile/LocalUserProfileProvider.ts +135 -0
package/src/userProfile/__tests__/conformance.test.ts +43 -0
package/src/userProfile/index.ts +1 -0

package/src/data/LocalComputeServerStore.ts ADDED Viewed

@@ -0,0 +1,290 @@
+import * as path from 'node:path';
+import {
+	isOrgServer,
+	isPlatformServer,
+	type IComputeServerStore,
+	type ComputeConfig,
+	type ComputeServerConfig,
+	type PlatformComputeServer,
+	type RequestContext
+} from '@selvajs/platform';
+import { readJsonFile, writeJsonFile } from './fsJson.js';
+import {
+	decodeSecretKey,
+	decryptSecret,
+	encryptSecret,
+	isEncryptedSecret
+} from './secretCrypto.js';
+/**
+ * On-disk file shape. Single document holding *all* servers (platform +
+ * org-private), the global `defaultServerId`, and the per-org
+ * `orgDefaults` map. Spec §3.
+ *
+ * `apiKey` on disk is always an `enc:v1:<…>` envelope (AES-256-GCM); the
+ * store decrypts on read so callers see plaintext.
+ */
+interface OnDiskShape {
+	servers: ComputeServerConfig[];
+	defaultServerId?: string;
+	orgDefaults?: Record<string, string>;
+}
+const EMPTY: OnDiskShape = { servers: [], orgDefaults: {} };
+/**
+ * Result of {@link LocalComputeServerStore.verifySecrets}. One entry per
+ * server whose `apiKey` couldn't be loaded:
+ *  - `plaintext_on_disk` — the field exists but isn't an `enc:v1:` envelope.
+ *    Either a hand-edit or a migration regression. Security-relevant.
+ *  - `key_mismatch`     — envelope is valid but GCM auth tag verification
+ *    fails under the current `SELVA_AT_REST_KEY`. The key was rotated or the
+ *    data came from another deployment.
+ */
+export type SecretVerificationFailureReason = 'key_mismatch' | 'plaintext_on_disk';
+export interface SecretVerificationFailure {
+	serverId: string;
+	serverLabel: string;
+	reason: SecretVerificationFailureReason;
+	/** Underlying error message for `key_mismatch`. Absent for plaintext. */
+	cause?: string;
+}
+export interface SecretVerificationReport {
+	ok: boolean;
+	failures: SecretVerificationFailure[];
+	/** True if at least one row holds an unencrypted apiKey on disk. */
+	plaintextFound: boolean;
+}
+/**
+ * Reads/writes compute.config.json. The file is re-read on every read call
+ * so changes take effect without a restart.
+ *
+ * Mutation methods are scope-targeted (`savePlatformServers`,
+ * `saveOrgServers`, `setOrgDefault`) — each preserves rows in the other
+ * scopes untouched.
+ */
+export class LocalComputeServerStore implements IComputeServerStore {
+	static fromEnv(env: Record<string, string | undefined>): LocalComputeServerStore {
+		if (!env.DATA_PATH) throw new Error('Missing required env var: DATA_PATH');
+		if (!env.SELVA_AT_REST_KEY) {
+			throw new Error(
+				'Missing required env var: SELVA_AT_REST_KEY (32-byte hex or base64). ' +
+					"Generate one with: node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\""
+			);
+		}
+		return new LocalComputeServerStore(
+			path.join(env.DATA_PATH, 'compute.config.json'),
+			decodeSecretKey(env.SELVA_AT_REST_KEY)
+		);
+	}
+	constructor(
+		private readonly configFilePath: string,
+		private readonly secretKey: Buffer
+	) {}
+	private async readAll(): Promise<OnDiskShape> {
+		const raw = await readJsonFile<OnDiskShape>(this.configFilePath, EMPTY);
+		return {
+			servers: raw.servers ?? [],
+			defaultServerId: raw.defaultServerId,
+			orgDefaults: raw.orgDefaults ?? {}
+		};
+	}
+	/**
+	 * Per-row tolerant decrypt. A row whose ciphertext can't be authenticated
+	 * under the current `SELVA_AT_REST_KEY` is returned with `apiKey: undefined`
+	 * and a warning logged once. The page that loaded the config keeps
+	 * rendering; solves against that server will fail later when Rhino.Compute
+	 * rejects the missing key.
+	 *
+	 * Boot-time `verifySecrets()` is the strict counterpart — call that from
+	 * the app entrypoint to refuse to start when this state is detected.
+	 *
+	 * Plaintext-on-disk is still hard-fail. That state is never produced by
+	 * the store itself (every write goes through `encryptApiKeys`), so seeing
+	 * it means someone hand-edited the file with a real secret in plaintext —
+	 * which is a security issue we should surface loudly, not paper over.
+	 */
+	private decryptApiKeys(servers: ComputeServerConfig[]): ComputeServerConfig[] {
+		return servers.map((s) => {
+			if (!s.apiKey) return s;
+			if (!isEncryptedSecret(s.apiKey)) {
+				throw new Error(
+					`compute.config.json contains an unencrypted apiKey for server "${s.label}" (${s.id}). ` +
+						'Re-enter the key via /admin/compute so it is stored encrypted.'
+				);
+			}
+			try {
+				return { ...s, apiKey: decryptSecret(s.apiKey, this.secretKey) };
+			} catch (cause) {
+				console.warn(
+					`[selva] Could not decrypt apiKey for compute server "${s.label}" (${s.id}). ` +
+						'The stored ciphertext does not match the current SELVA_AT_REST_KEY. ' +
+						'This server will be returned without an apiKey; solves against it will fail. ' +
+						'Re-enter the key via /admin/compute, or restore the original SELVA_AT_REST_KEY. ' +
+						'See docs/Troubleshooting.md.',
+					cause
+				);
+				return { ...s, apiKey: undefined };
+			}
+		});
+	}
+	/**
+	 * Boot-time integrity check. Reads every server row and attempts to
+	 * decrypt each encrypted `apiKey`. Returns a structured report — does NOT
+	 * throw. The caller decides what to do (refuse boot, log + degrade, etc.).
+	 *
+	 * Use this from app startup (`hooks.server.ts`) so a key mismatch fails
+	 * loudly at deploy time instead of as a blank page when a user first hits
+	 * a route that loads compute config.
+	 */
+	async verifySecrets(): Promise<SecretVerificationReport> {
+		const all = await this.readAll();
+		const failures: SecretVerificationFailure[] = [];
+		let plaintextFound = false;
+		for (const s of all.servers) {
+			if (!s.apiKey) continue;
+			if (!isEncryptedSecret(s.apiKey)) {
+				plaintextFound = true;
+				failures.push({
+					serverId: s.id,
+					serverLabel: s.label,
+					reason: 'plaintext_on_disk'
+				});
+				continue;
+			}
+			try {
+				decryptSecret(s.apiKey, this.secretKey);
+			} catch (cause) {
+				failures.push({
+					serverId: s.id,
+					serverLabel: s.label,
+					reason: 'key_mismatch',
+					cause: cause instanceof Error ? cause.message : String(cause)
+				});
+			}
+		}
+		return { ok: failures.length === 0, failures, plaintextFound };
+	}
+	private encryptApiKeys(servers: ComputeServerConfig[]): ComputeServerConfig[] {
+		return servers.map((s) => {
+			if (!s.apiKey) return s;
+			if (isEncryptedSecret(s.apiKey)) return s;
+			return { ...s, apiKey: encryptSecret(s.apiKey, this.secretKey) };
+		});
+	}
+	async getConfig(_ctx: RequestContext): Promise<ComputeConfig> {
+		const all = await this.readAll();
+		return {
+			servers: this.decryptApiKeys(all.servers),
+			defaultServerId: all.defaultServerId,
+			orgDefaults: all.orgDefaults
+		};
+	}
+	async savePlatformServers(
+		_ctx: RequestContext,
+		servers: ComputeServerConfig[],
+		defaultServerId: string | undefined
+	): Promise<void> {
+		const all = await this.readAll();
+		const orgRows = all.servers.filter(isOrgServer);
+		const platformRows = this.encryptApiKeys(servers.filter(isPlatformServer));
+		await writeJsonFile<OnDiskShape>(this.configFilePath, {
+			servers: [...platformRows, ...orgRows],
+			defaultServerId,
+			orgDefaults: all.orgDefaults
+		});
+	}
+	async saveOrgServers(
+		_ctx: RequestContext,
+		orgId: string,
+		servers: ComputeServerConfig[],
+		defaultServerId?: string | null
+	): Promise<void> {
+		const all = await this.readAll();
+		const platformRows = all.servers.filter(isPlatformServer);
+		const otherOrgRows = all.servers.filter((s) => isOrgServer(s) && s.ownerOrgId !== orgId);
+		const thisOrgRows = this.encryptApiKeys(
+			servers
+				.filter((_s): _s is ComputeServerConfig => true)
+				.map((s) =>
+					isOrgServer(s)
+						? { ...s, ownerOrgId: orgId }
+						: // Coerce — caller passed something with the wrong/missing scope.
+							({ ...s, scope: 'org', ownerOrgId: orgId } as ComputeServerConfig)
+				)
+		);
+		const orgDefaults = { ...(all.orgDefaults ?? {}) };
+		if (defaultServerId === null) {
+			delete orgDefaults[orgId];
+		} else if (typeof defaultServerId === 'string') {
+			orgDefaults[orgId] = defaultServerId;
+		}
+		await writeJsonFile<OnDiskShape>(this.configFilePath, {
+			servers: [...platformRows, ...otherOrgRows, ...thisOrgRows],
+			defaultServerId: all.defaultServerId,
+			orgDefaults
+		});
+	}
+	async setOrgDefault(_ctx: RequestContext, orgId: string, serverId: string | null): Promise<void> {
+		const all = await this.readAll();
+		const orgDefaults = { ...(all.orgDefaults ?? {}) };
+		if (serverId === null) {
+			delete orgDefaults[orgId];
+		} else {
+			orgDefaults[orgId] = serverId;
+		}
+		await writeJsonFile<OnDiskShape>(this.configFilePath, { ...all, orgDefaults });
+	}
+	async deleteByOrg(_ctx: RequestContext, orgId: string): Promise<void> {
+		const all = await this.readAll();
+		// Drop org-private rows owned by this org.
+		const remaining = all.servers.filter((s) => !(isOrgServer(s) && s.ownerOrgId === orgId));
+		// Strip this org from any platform server's `sharedWith` allowlist.
+		const cleaned: ComputeServerConfig[] = remaining.map((s) => {
+			if (!isPlatformServer(s)) return s;
+			if (s.sharedWith === 'all') return s;
+			if (!s.sharedWith.includes(orgId)) return s;
+			const next: PlatformComputeServer = {
+				...s,
+				sharedWith: s.sharedWith.filter((id) => id !== orgId)
+			};
+			return next;
+		});
+		const orgDefaults = { ...(all.orgDefaults ?? {}) };
+		const hadDefault = orgId in orgDefaults;
+		delete orgDefaults[orgId];
+		const changed =
+			cleaned.length !== all.servers.length ||
+			hadDefault ||
+			cleaned.some((c, i) => c !== all.servers[i]);
+		if (!changed) return;
+		await writeJsonFile<OnDiskShape>(this.configFilePath, {
+			servers: cleaned,
+			defaultServerId: all.defaultServerId,
+			orgDefaults
+		});
+	}
+}

package/src/data/LocalDataProvider.ts ADDED Viewed

@@ -0,0 +1,148 @@
+import type {
+	IDataProvider,
+	IOrgStore,
+	IProjectStore,
+	IDefinitionStore,
+	IComputeServerStore,
+	IInviteStore,
+	IShareLinkStore,
+	IUserProfileStore,
+	IPlatformPermissionStore,
+	IPlatformProjectGrantStore,
+	IEventSink,
+	RequestContext
+} from '@selvajs/platform';
+import { NoopEventSink } from '@selvajs/platform';
+import * as path from 'node:path';
+import { LocalOrgStore, LocalOrgStoreLoader } from './LocalOrgStore.js';
+import { LocalProjectStore } from './LocalProjectStore.js';
+import { LocalDefinitionStore } from './LocalDefinitionStore.js';
+import { LocalComputeServerStore } from './LocalComputeServerStore.js';
+import { LocalInviteStore } from './LocalInviteStore.js';
+import { LocalShareLinkStore } from './LocalShareLinkStore.js';
+import { LocalPlatformProjectGrantStore } from './LocalPlatformProjectGrantStore.js';
+import { LocalUserProfileProvider } from '../userProfile/LocalUserProfileProvider.js';
+import { LocalPlatformPermissionStore } from '../permissions/LocalPlatformPermissionStore.js';
+import { createLocalUserDataStore, type LocalUserDataStore } from './userData.js';
+/**
+ * Composition of every local-provider data store. One `LocalOrgStoreLoader`
+ * is shared across org + project stores so they see the same cache and
+ * atomic write path.
+ *
+ * The `LocalUserDataStore` is similarly shared across the permissions and
+ * profile stores: both write to `user-data.json`, and `ensureUser` seeds
+ * exactly the same row both stores read from. This is the local equivalent
+ * of Supabase's `handle_new_auth_user` trigger.
+ *
+ * Stores are passed as a record so adding a new store doesn't ripple through
+ * test fixtures and call sites.
+ */
+export class LocalDataProvider implements IDataProvider {
+	readonly orgs: IOrgStore;
+	readonly projects: IProjectStore;
+	readonly definitions: IDefinitionStore;
+	readonly computeServer: IComputeServerStore;
+	readonly invites: IInviteStore;
+	readonly shareLinks: IShareLinkStore;
+	readonly userProfile: IUserProfileStore;
+	readonly permissions: IPlatformPermissionStore;
+	readonly platformProjectGrants: IPlatformProjectGrantStore;
+	private readonly userData: LocalUserDataStore;
+	private constructor(
+		stores: Omit<IDataProvider, 'ensureUser' | 'onUserDeleted'>,
+		userData: LocalUserDataStore
+	) {
+		this.orgs = stores.orgs;
+		this.projects = stores.projects;
+		this.definitions = stores.definitions;
+		this.computeServer = stores.computeServer;
+		this.invites = stores.invites;
+		this.shareLinks = stores.shareLinks;
+		this.userProfile = stores.userProfile;
+		this.permissions = stores.permissions;
+		this.platformProjectGrants = stores.platformProjectGrants;
+		this.userData = userData;
+	}
+	/**
+	 * Idempotently register a user in the data layer. Called from
+	 * `hooks.server.ts` on every authed request — the local equivalent of
+	 * Supabase's `handle_new_auth_user` trigger. After this completes the
+	 * user has an empty row in `user-data.json` that the permissions and
+	 * profile stores can read and update.
+	 *
+	 * `ctx` is unused — registration runs as a system operation regardless of
+	 * the calling user. Argument is kept for interface symmetry with adapters
+	 * that need it.
+	 */
+	async ensureUser(_ctx: RequestContext, userId: string): Promise<void> {
+		await this.userData.ensure(userId);
+	}
+	/**
+	 * Cascade hook called after the auth provider deletes a user. Removes the
+	 * matching `user-data.json` row so the data layer doesn't accumulate
+	 * orphans. Tolerates missing rows.
+	 */
+	async onUserDeleted(_ctx: RequestContext, userId: string): Promise<void> {
+		try {
+			await this.userData.deleteUser(userId);
+		} catch {
+			// Already absent — nothing to clean up.
+		}
+	}
+	static fromEnv(
+		env: Record<string, string | undefined>,
+		events: IEventSink = new NoopEventSink()
+	): LocalDataProvider {
+		if (!env.DATA_PATH) throw new Error('Missing required env var: DATA_PATH');
+		const dataPath = env.DATA_PATH;
+		const userDataFilePath = path.join(dataPath, 'user-data.json');
+		const loader = new LocalOrgStoreLoader(dataPath);
+		const platformProjectGrants = LocalPlatformProjectGrantStore.fromEnv(env);
+		const invites = LocalInviteStore.fromEnv(env, events);
+		const computeServer = LocalComputeServerStore.fromEnv(env);
+		const projects = new LocalProjectStore({ loader, grants: platformProjectGrants, events });
+		const definitions = new LocalDefinitionStore(dataPath, undefined, events);
+		const shareLinks = new LocalShareLinkStore({
+			filePath: path.join(dataPath, 'share-links.json'),
+			events
+		});
+		const orgs = new LocalOrgStore({
+			loader,
+			invites,
+			computeServer,
+			grants: platformProjectGrants,
+			events
+		});
+		// Wire cross-store deps that aren't constructor-injected:
+		// - canEditDefinition needs the project store for `listPublic`
+		// - share-link resolution needs the definition store to enforce the §7
+		//   soft-delete cascade (Supabase does the equivalent via JOIN)
+		definitions.setProjectProvider(projects);
+		shareLinks.setDefinitionProvider(definitions);
+		const userData = createLocalUserDataStore(userDataFilePath);
+		return new LocalDataProvider(
+			{
+				orgs,
+				projects,
+				definitions,
+				computeServer,
+				invites,
+				shareLinks,
+				userProfile: new LocalUserProfileProvider(userDataFilePath),
+				permissions: new LocalPlatformPermissionStore(userDataFilePath),
+				platformProjectGrants
+			},
+			userData
+		);
+	}
+}