@serve.zone/gitops 2.13.1

package/ts/opsserver/handlers/projects.handler.ts

@@ -0,0 +1,32 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireValidIdentity } from '../helpers/guards.js';
+
+export class ProjectsHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetProjects>(
+        'getProjects',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const provider = this.opsServerRef.gitopsAppRef.connectionManager.getProvider(
+            dataArg.connectionId,
+          );
+          const projects = await provider.getProjects({
+            search: dataArg.search,
+            page: dataArg.page,
+          });
+          return { projects };
+        },
+      ),
+    );
+  }
+}

package/ts/opsserver/handlers/secrets.handler.ts

@@ -0,0 +1,224 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireValidIdentity } from '../helpers/guards.js';
+
+export class SecretsHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private get actionLog() {
+    return this.opsServerRef.gitopsAppRef.actionLog;
+  }
+
+  private registerHandlers(): void {
+    // Get all secrets (cache-first, falls back to live fetch)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAllSecrets>(
+        'getAllSecrets',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const scanService = this.opsServerRef.gitopsAppRef.secretsScanService;
+
+          // Try cache first
+          const hasCached = await scanService.hasCachedData(dataArg.connectionId, dataArg.scope);
+          if (hasCached) {
+            const secrets = await scanService.getCachedSecrets({
+              connectionId: dataArg.connectionId,
+              scope: dataArg.scope,
+            });
+            return { secrets };
+          }
+
+          // Cache miss: live fetch and save to cache
+          const provider = this.opsServerRef.gitopsAppRef.connectionManager.getProvider(
+            dataArg.connectionId,
+          );
+
+          const allSecrets: interfaces.data.ISecret[] = [];
+
+          if (dataArg.scope === 'project') {
+            const projects = await provider.getProjects();
+            for (let i = 0; i < projects.length; i += 5) {
+              const batch = projects.slice(i, i + 5);
+              const results = await Promise.allSettled(
+                batch.map(async (p) => {
+                  const secrets = await provider.getProjectSecrets(p.id);
+                  return secrets.map((s) => ({
+                    ...s,
+                    scopeName: p.fullPath || p.name,
+                    scope: 'project' as const,
+                    scopeId: p.id,
+                    connectionId: dataArg.connectionId,
+                  }));
+                }),
+              );
+              for (const result of results) {
+                if (result.status === 'fulfilled') {
+                  allSecrets.push(...result.value);
+                }
+              }
+            }
+          } else {
+            const groups = await provider.getGroups();
+            for (let i = 0; i < groups.length; i += 5) {
+              const batch = groups.slice(i, i + 5);
+              const results = await Promise.allSettled(
+                batch.map(async (g) => {
+                  const secrets = await provider.getGroupSecrets(g.id);
+                  return secrets.map((s) => ({
+                    ...s,
+                    scopeName: g.fullPath || g.name,
+                    scope: 'group' as const,
+                    scopeId: g.id,
+                    connectionId: dataArg.connectionId,
+                  }));
+                }),
+              );
+              for (const result of results) {
+                if (result.status === 'fulfilled') {
+                  allSecrets.push(...result.value);
+                }
+              }
+            }
+          }
+
+          // Save fetched secrets to cache (fire-and-forget)
+          scanService.saveSecrets(allSecrets).catch(() => {});
+
+          return { secrets: allSecrets };
+        },
+      ),
+    );
+
+    // Get secrets (cache-first for single entity)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecrets>(
+        'getSecrets',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const scanService = this.opsServerRef.gitopsAppRef.secretsScanService;
+
+          // Try cache first
+          const cached = await scanService.getCachedSecrets({
+            connectionId: dataArg.connectionId,
+            scope: dataArg.scope,
+            scopeId: dataArg.scopeId,
+          });
+          if (cached.length > 0) {
+            return { secrets: cached };
+          }
+
+          // Cache miss: live fetch
+          const provider = this.opsServerRef.gitopsAppRef.connectionManager.getProvider(
+            dataArg.connectionId,
+          );
+          const secrets = dataArg.scope === 'project'
+            ? await provider.getProjectSecrets(dataArg.scopeId)
+            : await provider.getGroupSecrets(dataArg.scopeId);
+
+          // Save to cache (fire-and-forget)
+          const fullSecrets = secrets.map((s) => ({
+            ...s,
+            scope: dataArg.scope,
+            scopeId: dataArg.scopeId,
+            connectionId: dataArg.connectionId,
+          }));
+          scanService.saveSecrets(fullSecrets).catch(() => {});
+
+          return { secrets };
+        },
+      ),
+    );
+
+    // Create secret
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSecret>(
+        'createSecret',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const provider = this.opsServerRef.gitopsAppRef.connectionManager.getProvider(
+            dataArg.connectionId,
+          );
+          const secret = dataArg.scope === 'project'
+            ? await provider.createProjectSecret(dataArg.scopeId, dataArg.key, dataArg.value)
+            : await provider.createGroupSecret(dataArg.scopeId, dataArg.key, dataArg.value);
+          // Refresh cache for this entity
+          const scanService = this.opsServerRef.gitopsAppRef.secretsScanService;
+          scanService.scanEntity(dataArg.connectionId, dataArg.scope, dataArg.scopeId).catch(() => {});
+          this.actionLog.append({
+            actionType: 'create',
+            entityType: 'secret',
+            entityId: `${dataArg.scopeId}/${dataArg.key}`,
+            entityName: dataArg.key,
+            details: `Created ${dataArg.scope} secret "${dataArg.key}" in ${dataArg.scopeId}`,
+            username: dataArg.identity.username,
+          });
+          return { secret };
+        },
+      ),
+    );
+
+    // Update secret
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSecret>(
+        'updateSecret',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const provider = this.opsServerRef.gitopsAppRef.connectionManager.getProvider(
+            dataArg.connectionId,
+          );
+          const secret = dataArg.scope === 'project'
+            ? await provider.updateProjectSecret(dataArg.scopeId, dataArg.key, dataArg.value)
+            : await provider.updateGroupSecret(dataArg.scopeId, dataArg.key, dataArg.value);
+          // Refresh cache for this entity
+          const scanService = this.opsServerRef.gitopsAppRef.secretsScanService;
+          scanService.scanEntity(dataArg.connectionId, dataArg.scope, dataArg.scopeId).catch(() => {});
+          this.actionLog.append({
+            actionType: 'update',
+            entityType: 'secret',
+            entityId: `${dataArg.scopeId}/${dataArg.key}`,
+            entityName: dataArg.key,
+            details: `Updated ${dataArg.scope} secret "${dataArg.key}" in ${dataArg.scopeId}`,
+            username: dataArg.identity.username,
+          });
+          return { secret };
+        },
+      ),
+    );
+
+    // Delete secret
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSecret>(
+        'deleteSecret',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const provider = this.opsServerRef.gitopsAppRef.connectionManager.getProvider(
+            dataArg.connectionId,
+          );
+          if (dataArg.scope === 'project') {
+            await provider.deleteProjectSecret(dataArg.scopeId, dataArg.key);
+          } else {
+            await provider.deleteGroupSecret(dataArg.scopeId, dataArg.key);
+          }
+          // Refresh cache for this entity
+          const scanService = this.opsServerRef.gitopsAppRef.secretsScanService;
+          scanService.scanEntity(dataArg.connectionId, dataArg.scope, dataArg.scopeId).catch(() => {});
+          this.actionLog.append({
+            actionType: 'delete',
+            entityType: 'secret',
+            entityId: `${dataArg.scopeId}/${dataArg.key}`,
+            entityName: dataArg.key,
+            details: `Deleted ${dataArg.scope} secret "${dataArg.key}" from ${dataArg.scopeId}`,
+            username: dataArg.identity.username,
+          });
+          return { ok: true };
+        },
+      ),
+    );
+  }
+}

package/ts/opsserver/handlers/sync.handler.ts

@@ -0,0 +1,224 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+import { requireValidIdentity } from '../helpers/guards.js';
+import { logger } from '../../logging.js';
+
+export class SyncHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+    this.setupBroadcast();
+  }
+
+  /**
+   * Wire up the logger's broadcast function to push sync log entries
+   * to all connected frontends via TypedSocket.
+   */
+  private setupBroadcast(): void {
+    logger.setBroadcastFn((entry) => {
+      try {
+        const typedsocket = this.opsServerRef.server?.typedserver?.typedsocket;
+        if (!typedsocket) return;
+        typedsocket.findAllTargetConnectionsByTag('syncLogClient').then((connections) => {
+          for (const conn of connections) {
+            typedsocket
+              .createTypedRequest<interfaces.requests.IReq_PushSyncLog>('pushSyncLog', conn)
+              .fire({ entry })
+              .catch(() => {});
+          }
+        }).catch(() => {});
+      } catch {
+        // Server may not be ready yet — ignore
+      }
+    });
+  }
+
+  private get syncManager() {
+    return this.opsServerRef.gitopsAppRef.syncManager;
+  }
+
+  private get actionLog() {
+    return this.opsServerRef.gitopsAppRef.actionLog;
+  }
+
+  private registerHandlers(): void {
+    // Get all sync configs
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSyncConfigs>(
+        'getSyncConfigs',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          return { configs: this.syncManager.getConfigs() };
+        },
+      ),
+    );
+
+    // Create sync config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSyncConfig>(
+        'createSyncConfig',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const config = await this.syncManager.createConfig({
+            name: dataArg.name,
+            sourceConnectionId: dataArg.sourceConnectionId,
+            targetConnectionId: dataArg.targetConnectionId,
+            targetGroupOffset: dataArg.targetGroupOffset,
+            intervalMinutes: dataArg.intervalMinutes,
+            enforceDelete: dataArg.enforceDelete,
+            enforceGroupDelete: dataArg.enforceGroupDelete,
+            addMirrorHint: dataArg.addMirrorHint,
+            useGroupAvatarsForProjects: dataArg.useGroupAvatarsForProjects,
+          });
+          this.actionLog.append({
+            actionType: 'create',
+            entityType: 'sync',
+            entityId: config.id,
+            entityName: config.name,
+            details: `Created sync config "${config.name}" (${config.intervalMinutes}m interval)`,
+            username: dataArg.identity.username,
+          });
+          return { config };
+        },
+      ),
+    );
+
+    // Update sync config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSyncConfig>(
+        'updateSyncConfig',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const config = await this.syncManager.updateConfig(dataArg.syncConfigId, {
+            name: dataArg.name,
+            targetGroupOffset: dataArg.targetGroupOffset,
+            intervalMinutes: dataArg.intervalMinutes,
+            enforceDelete: dataArg.enforceDelete,
+            enforceGroupDelete: dataArg.enforceGroupDelete,
+            addMirrorHint: dataArg.addMirrorHint,
+            useGroupAvatarsForProjects: dataArg.useGroupAvatarsForProjects,
+          });
+          this.actionLog.append({
+            actionType: 'update',
+            entityType: 'sync',
+            entityId: config.id,
+            entityName: config.name,
+            details: `Updated sync config "${config.name}"`,
+            username: dataArg.identity.username,
+          });
+          return { config };
+        },
+      ),
+    );
+
+    // Delete sync config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSyncConfig>(
+        'deleteSyncConfig',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const config = this.syncManager.getConfig(dataArg.syncConfigId);
+          await this.syncManager.deleteConfig(dataArg.syncConfigId);
+          this.actionLog.append({
+            actionType: 'delete',
+            entityType: 'sync',
+            entityId: dataArg.syncConfigId,
+            entityName: config?.name || dataArg.syncConfigId,
+            details: `Deleted sync config "${config?.name || dataArg.syncConfigId}"`,
+            username: dataArg.identity.username,
+          });
+          return { ok: true };
+        },
+      ),
+    );
+
+    // Pause/resume sync config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PauseSyncConfig>(
+        'pauseSyncConfig',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const config = await this.syncManager.pauseConfig(
+            dataArg.syncConfigId,
+            dataArg.paused,
+          );
+          this.actionLog.append({
+            actionType: dataArg.paused ? 'pause' : 'resume',
+            entityType: 'sync',
+            entityId: config.id,
+            entityName: config.name,
+            details: `${dataArg.paused ? 'Paused' : 'Resumed'} sync config "${config.name}"`,
+            username: dataArg.identity.username,
+          });
+          return { config };
+        },
+      ),
+    );
+
+    // Trigger sync manually
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_TriggerSync>(
+        'triggerSync',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const config = this.syncManager.getConfig(dataArg.syncConfigId);
+          if (!config) {
+            return { ok: false, message: 'Sync config not found' };
+          }
+          // Fire and forget — force=true bypasses paused check for manual triggers
+          this.syncManager.executeSync(dataArg.syncConfigId, true).catch((err) => {
+            console.error(`Manual sync trigger failed: ${err}`);
+          });
+          this.actionLog.append({
+            actionType: 'sync',
+            entityType: 'sync',
+            entityId: config.id,
+            entityName: config.name,
+            details: `Manually triggered sync "${config.name}"`,
+            username: dataArg.identity.username,
+          });
+          return { ok: true, message: 'Sync triggered' };
+        },
+      ),
+    );
+
+    // Preview sync (dry run — shows source → target mappings)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PreviewSync>(
+        'previewSync',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const result = await this.syncManager.previewSync(dataArg.syncConfigId);
+          return { mappings: result.mappings, deletions: result.deletions, groupDeletions: result.groupDeletions };
+        },
+      ),
+    );
+
+    // Get repo statuses for a sync config
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSyncRepoStatuses>(
+        'getSyncRepoStatuses',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const statuses = await this.syncManager.getRepoStatuses(dataArg.syncConfigId);
+          return { statuses };
+        },
+      ),
+    );
+
+    // Get recent sync log entries
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSyncLogs>(
+        'getSyncLogs',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const logs = logger.getSyncLogs(dataArg.limit || 200);
+          return { logs };
+        },
+      ),
+    );
+  }
+}

package/ts/opsserver/handlers/webhook.handler.ts

@@ -0,0 +1,62 @@
+import * as plugins from '../../plugins.js';
+import { logger } from '../../logging.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class WebhookHandler {
+  constructor(private opsServerRef: OpsServer) {}
+
+  public registerRoutes(typedserver: plugins.typedserver.TypedServer): void {
+    typedserver.addRoute('/webhook/:connectionId', 'POST', async (ctx) => {
+      const connectionId = ctx.params.connectionId;
+
+      // Validate connection exists
+      const connection = this.opsServerRef.gitopsAppRef.connectionManager.getConnection(connectionId);
+      if (!connection) {
+        return new Response(JSON.stringify({ error: 'Connection not found' }), {
+          status: 404,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+
+      // Parse event type from provider-specific headers
+      const giteaEvent = ctx.headers.get('X-Gitea-Event');
+      const gitlabEvent = ctx.headers.get('X-Gitlab-Event');
+      const event = giteaEvent || gitlabEvent || 'unknown';
+      const provider = giteaEvent ? 'gitea' : gitlabEvent ? 'gitlab' : 'unknown';
+
+      logger.info(`Webhook received: ${provider}/${event} for connection ${connection.name} (${connectionId})`);
+
+      // Broadcast to all connected frontends via TypedSocket
+      try {
+        const typedsocket = this.opsServerRef.server.typedserver.typedsocket;
+        if (typedsocket) {
+          const connections = await typedsocket.findAllTargetConnectionsByTag('syncLogClient');
+          for (const conn of connections) {
+            const req = typedsocket.createTypedRequest<interfaces.requests.IReq_WebhookNotification>(
+              'webhookNotification',
+              conn,
+            );
+            req.fire({
+              connectionId,
+              provider,
+              event,
+              timestamp: Date.now(),
+            }).catch((err: any) => {
+              logger.warn(`Failed to notify client: ${err.message || err}`);
+            });
+          }
+        }
+      } catch (err: any) {
+        logger.warn(`Failed to broadcast webhook event: ${err.message || err}`);
+      }
+
+      return new Response(JSON.stringify({ ok: true }), {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    });
+
+    logger.info('WebhookHandler routes registered');
+  }
+}

package/ts/opsserver/helpers/guards.ts

@@ -0,0 +1,16 @@
+import * as plugins from '../../plugins.js';
+import type { AdminHandler } from '../handlers/admin.handler.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export async function requireValidIdentity<T extends { identity?: interfaces.data.IIdentity }>(
+  adminHandler: AdminHandler,
+  dataArg: T,
+): Promise<void> {
+  if (!dataArg.identity) {
+    throw new plugins.typedrequest.TypedResponseError('No identity provided');
+  }
+  const passed = await adminHandler.validIdentityGuard.exec({ identity: dataArg.identity });
+  if (!passed) {
+    throw new plugins.typedrequest.TypedResponseError('Valid identity required');
+  }
+}

package/ts/opsserver/index.ts

@@ -0,0 +1 @@
+export { OpsServer } from './classes.opsserver.js';

package/ts/paths.ts

@@ -0,0 +1,19 @@
+import * as plugins from './plugins.js';
+
+export interface IGitopsPaths {
+  gitopsHomeDir: string;
+  defaultStoragePath: string;
+  defaultTsmDbPath: string;
+}
+
+/**
+ * Resolve gitops paths. Accepts optional baseDir for test isolation.
+ */
+export function resolvePaths(baseDir?: string): IGitopsPaths {
+  const home = baseDir ?? plugins.path.join(process.env.HOME ?? '/tmp', '.serve.zone', 'gitops');
+  return {
+    gitopsHomeDir: home,
+    defaultStoragePath: plugins.path.join(home, 'storage'),
+    defaultTsmDbPath: plugins.path.join(home, 'tsmdb'),
+  };
+}

package/ts/plugins.ts

@@ -0,0 +1,38 @@
+/**
+ * Centralized dependency imports for GitOps
+ */
+
+// Node native scope
+import * as path from 'node:path';
+import * as fs from 'node:fs/promises';
+import * as os from 'node:os';
+import * as nodeUrl from 'node:url';
+import * as childProcess from 'node:child_process';
+import { Buffer } from 'node:buffer';
+
+export { path, fs, os, nodeUrl, childProcess, Buffer };
+
+// TypedRequest/TypedServer infrastructure
+import * as typedrequest from '@api.global/typedrequest';
+import * as typedserver from '@api.global/typedserver';
+export { typedrequest, typedserver };
+
+// Auth & Guards
+import * as smartguard from '@push.rocks/smartguard';
+import * as smartjwt from '@push.rocks/smartjwt';
+export { smartguard, smartjwt };
+
+// API Clients
+import * as giteaClient from '@apiclient.xyz/gitea';
+import * as gitlabClient from '@apiclient.xyz/gitlab';
+import * as bookstackClient from '@apiclient.xyz/bookstack';
+export { giteaClient, gitlabClient, bookstackClient };
+
+// Database
+import * as smartmongo from '@push.rocks/smartmongo';
+import * as smartdata from '@push.rocks/smartdata';
+export { smartmongo, smartdata };
+
+// Secrets
+import * as smartsecret from '@push.rocks/smartsecret';
+export { smartsecret };