@synth-deploy/server 0.1.0

package/src/api/api-keys.ts

@@ -0,0 +1,129 @@
+import crypto from "node:crypto";
+import type { FastifyInstance } from "fastify";
+import bcrypt from "bcryptjs";
+import type { IApiKeyStore } from "@synth-deploy/core";
+import type { ApiKeyId } from "@synth-deploy/core";
+
+export function registerApiKeyRoutes(
+  app: FastifyInstance,
+  apiKeyStore: IApiKeyStore,
+  _jwtSecret: Uint8Array,
+): void {
+
+  // --- GET /api/auth/api-keys ---
+  // List current user's active API keys (revokedAt === null).
+  app.get("/api/auth/api-keys", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const keys = apiKeyStore.listByUserId(user.id).filter(k => k.revokedAt === null);
+    return {
+      apiKeys: keys.map(k => ({
+        id: k.id,
+        name: k.name,
+        keyPrefix: k.keyPrefix,
+        keySuffix: k.keySuffix,
+        permissions: k.permissions,
+        createdAt: k.createdAt.toISOString(),
+        lastUsedAt: k.lastUsedAt ? k.lastUsedAt.toISOString() : null,
+      })),
+    };
+  });
+
+  // --- POST /api/auth/api-keys ---
+  // Create a new API key.
+  app.post("/api/auth/api-keys", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const body = request.body as { name?: string; permissions?: string[] };
+    if (!body.name || typeof body.name !== "string" || !body.name.trim()) {
+      return reply.status(400).send({ error: "name is required" });
+    }
+    const permissions = Array.isArray(body.permissions) ? body.permissions : [];
+    const rawKey = "synth_" + crypto.randomBytes(16).toString("hex"); // 32 hex chars
+    const keyBody = rawKey.slice(6); // strip "synth_"
+    const keyPrefix = keyBody.slice(0, 8);
+    const keySuffix = keyBody.slice(-4);
+    const keyHash = await bcrypt.hash(rawKey, 10);
+    const now = new Date();
+    const key = apiKeyStore.create({
+      id: crypto.randomUUID() as ApiKeyId,
+      userId: user.id,
+      name: body.name.trim(),
+      keyPrefix,
+      keySuffix,
+      keyHash,
+      permissions,
+      createdAt: now,
+      lastUsedAt: null,
+      revokedAt: null,
+    });
+    return {
+      key: {
+        id: key.id,
+        name: key.name,
+        keyPrefix: key.keyPrefix,
+        keySuffix: key.keySuffix,
+        permissions: key.permissions,
+        createdAt: key.createdAt.toISOString(),
+        lastUsedAt: null,
+      },
+      fullKey: rawKey,
+    };
+  });
+
+  // --- DELETE /api/auth/api-keys/:id ---
+  // Revoke an API key.
+  app.delete("/api/auth/api-keys/:id", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const { id } = request.params as { id: string };
+    const key = apiKeyStore.getById(id as ApiKeyId);
+    if (!key || key.userId !== user.id) {
+      return reply.status(404).send({ error: "API key not found" });
+    }
+    apiKeyStore.revoke(id as ApiKeyId);
+    return reply.status(204).send();
+  });
+
+  // --- POST /api/auth/api-keys/:id/regenerate ---
+  // Regenerate an API key.
+  app.post("/api/auth/api-keys/:id/regenerate", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const { id } = request.params as { id: string };
+    const key = apiKeyStore.getById(id as ApiKeyId);
+    if (!key || key.userId !== user.id) {
+      return reply.status(404).send({ error: "API key not found" });
+    }
+    if (key.revokedAt !== null) {
+      return reply.status(400).send({ error: "Cannot regenerate a revoked key" });
+    }
+    const rawKey = "synth_" + crypto.randomBytes(16).toString("hex");
+    const keyBody = rawKey.slice(6);
+    const keyPrefix = keyBody.slice(0, 8);
+    const keySuffix = keyBody.slice(-4);
+    const keyHash = await bcrypt.hash(rawKey, 10);
+    apiKeyStore.updateHash(id as ApiKeyId, keyHash, keyPrefix, keySuffix);
+    const updated = apiKeyStore.getById(id as ApiKeyId)!;
+    return {
+      key: {
+        id: updated.id,
+        name: updated.name,
+        keyPrefix: updated.keyPrefix,
+        keySuffix: updated.keySuffix,
+        permissions: updated.permissions,
+        createdAt: updated.createdAt.toISOString(),
+        lastUsedAt: updated.lastUsedAt ? updated.lastUsedAt.toISOString() : null,
+      },
+      fullKey: rawKey,
+    };
+  });
+}

package/src/api/artifacts.ts

@@ -0,0 +1,194 @@
+import type { FastifyInstance } from "fastify";
+import type { IArtifactStore, ITelemetryStore } from "@synth-deploy/core";
+import { requirePermission, requireEdition } from "../middleware/permissions.js";
+import {
+  CreateArtifactSchema,
+  UpdateArtifactSchema,
+  AddAnnotationSchema,
+  AddArtifactVersionSchema,
+} from "./schemas.js";
+import type { ArtifactAnalyzer } from "../artifact-analyzer.js";
+
+export function registerArtifactRoutes(
+  app: FastifyInstance,
+  artifactStore: IArtifactStore,
+  telemetry: ITelemetryStore,
+  analyzer?: ArtifactAnalyzer,
+): void {
+  // List all artifacts
+  app.get("/api/artifacts", { preHandler: [requirePermission("artifact.view")] }, async () => {
+    return { artifacts: artifactStore.list() };
+  });
+
+  // Create artifact
+  app.post("/api/artifacts", { preHandler: [requirePermission("artifact.create")] }, async (request, reply) => {
+    const parsed = CreateArtifactSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: parsed.error.message });
+    }
+
+    const artifact = artifactStore.create({
+      name: parsed.data.name,
+      type: parsed.data.type,
+      analysis: {
+        summary: "",
+        dependencies: [],
+        configurationExpectations: {},
+        deploymentIntent: "",
+        confidence: 0,
+      },
+      annotations: [],
+      learningHistory: [],
+    });
+
+    telemetry.record({ actor: (request.user?.email) ?? "anonymous", action: "artifact.created", target: { type: "artifact", id: artifact.id }, details: { name: parsed.data.name, type: parsed.data.type } });
+    return reply.status(201).send({ artifact });
+  });
+
+  // Get artifact by ID (with analysis, annotations, learning history)
+  app.get<{ Params: { id: string } }>("/api/artifacts/:id", { preHandler: [requirePermission("artifact.view")] }, async (request, reply) => {
+    const artifact = artifactStore.get(request.params.id);
+    if (!artifact) {
+      return reply.status(404).send({ error: "Artifact not found" });
+    }
+
+    const versions = artifactStore.getVersions(artifact.id);
+
+    return { artifact, versions };
+  });
+
+  // Update artifact metadata
+  app.put<{ Params: { id: string } }>("/api/artifacts/:id", { preHandler: [requirePermission("artifact.update")] }, async (request, reply) => {
+    const parsed = UpdateArtifactSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: parsed.error.message });
+    }
+
+    const artifact = artifactStore.get(request.params.id);
+    if (!artifact) {
+      return reply.status(404).send({ error: "Artifact not found" });
+    }
+
+    try {
+      const updated = artifactStore.update(request.params.id, parsed.data as Record<string, unknown>);
+      return { artifact: updated };
+    } catch (err) {
+      if (err instanceof Error && err.message.toLowerCase().includes("not found")) {
+        return reply.status(404).send({ error: "Artifact not found" });
+      }
+      app.log.error(err, "Failed to update artifact");
+      return reply.status(500).send({ error: "Internal server error" });
+    }
+  });
+
+  // Delete artifact
+  app.delete<{ Params: { id: string } }>("/api/artifacts/:id", { preHandler: [requirePermission("artifact.delete")] }, async (request, reply) => {
+    const artifact = artifactStore.get(request.params.id);
+    if (!artifact) {
+      return reply.status(404).send({ error: "Artifact not found" });
+    }
+
+    artifactStore.delete(request.params.id);
+    return reply.status(204).send();
+  });
+
+  // Add user annotation/correction
+  app.post<{ Params: { id: string } }>(
+    "/api/artifacts/:id/annotations",
+    { preHandler: [requirePermission("artifact.annotate")] },
+    async (request, reply) => {
+      const artifact = artifactStore.get(request.params.id);
+      if (!artifact) {
+        return reply.status(404).send({ error: "Artifact not found" });
+      }
+
+      const parsed = AddAnnotationSchema.safeParse(request.body);
+      if (!parsed.success) {
+        return reply.status(400).send({ error: parsed.error.message });
+      }
+
+      const updated = artifactStore.addAnnotation(request.params.id, {
+        field: parsed.data.field,
+        correction: parsed.data.correction,
+        annotatedBy: request.user?.email ?? request.user?.name ?? "unknown",
+        annotatedAt: new Date(),
+      });
+
+      telemetry.record({ actor: (request.user?.email) ?? "anonymous", action: "artifact.annotated", target: { type: "artifact", id: request.params.id }, details: { field: parsed.data.field } });
+
+      // Fire async LLM re-analysis incorporating user corrections — don't block the response
+      if (analyzer && updated) {
+        analyzer.reanalyzeWithAnnotations(updated).then((revised) => {
+          if (!revised) return;
+          const latest = artifactStore.get(request.params.id);
+          if (!latest) return;
+          latest.analysis = revised;
+          artifactStore.update(request.params.id, { analysis: revised });
+        }).catch(() => {});
+      }
+
+      return reply.status(201).send({ artifact: updated });
+    },
+  );
+
+  // List versions for artifact
+  app.get<{ Params: { id: string } }>(
+    "/api/artifacts/:id/versions",
+    { preHandler: [requirePermission("artifact.view")] },
+    async (request, reply) => {
+      const artifact = artifactStore.get(request.params.id);
+      if (!artifact) {
+        return reply.status(404).send({ error: "Artifact not found" });
+      }
+
+      const versions = artifactStore.getVersions(request.params.id);
+      return { versions };
+    },
+  );
+
+  // Add new version
+  app.post<{ Params: { id: string } }>(
+    "/api/artifacts/:id/versions",
+    { preHandler: [requirePermission("artifact.create")] },
+    async (request, reply) => {
+      const artifact = artifactStore.get(request.params.id);
+      if (!artifact) {
+        return reply.status(404).send({ error: "Artifact not found" });
+      }
+
+      const parsed = AddArtifactVersionSchema.safeParse(request.body);
+      if (!parsed.success) {
+        return reply.status(400).send({ error: parsed.error.message });
+      }
+
+      const version = artifactStore.addVersion({
+        artifactId: request.params.id,
+        version: parsed.data.version,
+        source: parsed.data.source,
+        metadata: parsed.data.metadata ?? {},
+      });
+
+      return reply.status(201).send({ version });
+    },
+  );
+
+  // Get specific version
+  app.get<{ Params: { id: string; versionId: string } }>(
+    "/api/artifacts/:id/versions/:versionId",
+    { preHandler: [requirePermission("artifact.view")] },
+    async (request, reply) => {
+      const artifact = artifactStore.get(request.params.id);
+      if (!artifact) {
+        return reply.status(404).send({ error: "Artifact not found" });
+      }
+
+      const versions = artifactStore.getVersions(request.params.id);
+      const version = versions.find((v) => v.id === request.params.versionId);
+      if (!version) {
+        return reply.status(404).send({ error: "Version not found" });
+      }
+
+      return { version };
+    },
+  );
+}

package/src/api/auth.ts

@@ -0,0 +1,320 @@
+import crypto from "node:crypto";
+import type { FastifyInstance } from "fastify";
+import bcrypt from "bcryptjs";
+import { jwtVerify } from "jose";
+import type { IUserStore, IRoleStore, IUserRoleStore, ISessionStore, UserId, UserPublic } from "@synth-deploy/core";
+import { generateTokens } from "../middleware/auth.js";
+import { LoginSchema, RegisterSchema, RefreshTokenSchema } from "./schemas.js";
+
+function toPublicUser(user: { id: UserId; email: string; name: string; authSource?: string; externalId?: string; createdAt: Date; updatedAt: Date }): UserPublic {
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    authSource: (user.authSource as UserPublic["authSource"]) ?? "local",
+    createdAt: user.createdAt,
+    updatedAt: user.updatedAt,
+  };
+}
+
+export function registerAuthRoutes(
+  app: FastifyInstance,
+  userStore: IUserStore,
+  roleStore: IRoleStore,
+  userRoleStore: IUserRoleStore,
+  sessionStore: ISessionStore,
+  jwtSecret: Uint8Array,
+): void {
+
+  // --- GET /api/auth/status ---
+  // Returns whether setup is required (no users exist yet)
+  app.get("/api/auth/status", async () => {
+    const userCount = userStore.count();
+    return { needsSetup: userCount === 0 };
+  });
+
+  // --- POST /api/auth/register ---
+  // First-user registration only. Creates the initial admin user.
+  app.post("/api/auth/register", async (request, reply) => {
+    const parsed = RegisterSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: "Validation failed", details: parsed.error.flatten() });
+    }
+
+    const userCount = userStore.count();
+    if (userCount > 0) {
+      return reply.status(403).send({ error: "Registration is closed. Users already exist." });
+    }
+
+    const { email, name, password } = parsed.data;
+    const passwordHash = await bcrypt.hash(password, 10);
+    const userId = crypto.randomUUID() as UserId;
+    const now = new Date();
+
+    const user = userStore.create({
+      id: userId,
+      email,
+      name,
+      passwordHash,
+      createdAt: now,
+      updatedAt: now,
+    });
+
+    // Assign Admin role
+    const adminRole = roleStore.getByName("Admin");
+    if (adminRole) {
+      userRoleStore.assign(userId, adminRole.id, userId);
+    }
+
+    // Create session
+    const tokens = await generateTokens(userId, jwtSecret);
+    sessionStore.create({
+      id: crypto.randomUUID(),
+      userId,
+      token: tokens.token,
+      refreshToken: tokens.refreshToken,
+      expiresAt: tokens.expiresAt,
+      createdAt: now,
+      userAgent: request.headers["user-agent"] ?? undefined,
+      ipAddress: request.ip ?? undefined,
+    });
+
+    const permissions = userRoleStore.getUserPermissions(userId);
+
+    return {
+      user: toPublicUser(user),
+      token: tokens.token,
+      refreshToken: tokens.refreshToken,
+      permissions,
+    };
+  });
+
+  // --- POST /api/auth/login ---
+  app.post("/api/auth/login", async (request, reply) => {
+    const parsed = LoginSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: "Validation failed", details: parsed.error.flatten() });
+    }
+
+    const { email, password } = parsed.data;
+    const user = userStore.getByEmail(email);
+    if (!user) {
+      return reply.status(401).send({ error: "Invalid email or password" });
+    }
+
+    const valid = await bcrypt.compare(password, user.passwordHash);
+    if (!valid) {
+      return reply.status(401).send({ error: "Invalid email or password" });
+    }
+
+    const tokens = await generateTokens(user.id, jwtSecret);
+    sessionStore.create({
+      id: crypto.randomUUID(),
+      userId: user.id,
+      token: tokens.token,
+      refreshToken: tokens.refreshToken,
+      expiresAt: tokens.expiresAt,
+      createdAt: new Date(),
+      userAgent: request.headers["user-agent"] ?? undefined,
+      ipAddress: request.ip ?? undefined,
+    });
+
+    const permissions = userRoleStore.getUserPermissions(user.id);
+
+    return {
+      user: toPublicUser(user),
+      token: tokens.token,
+      refreshToken: tokens.refreshToken,
+      permissions,
+    };
+  });
+
+  // --- POST /api/auth/refresh ---
+  app.post("/api/auth/refresh", async (request, reply) => {
+    const parsed = RefreshTokenSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: "Validation failed", details: parsed.error.flatten() });
+    }
+
+    const { refreshToken } = parsed.data;
+
+    // Verify the refresh token JWT
+    try {
+      await jwtVerify(refreshToken, jwtSecret);
+    } catch {
+      return reply.status(401).send({ error: "Invalid refresh token" });
+    }
+
+    const session = sessionStore.getByRefreshToken(refreshToken);
+    if (!session) {
+      return reply.status(401).send({ error: "Session not found" });
+    }
+
+    // Delete old session
+    sessionStore.deleteByToken(session.token);
+
+    // Generate new tokens — preserve UA/IP from the original session
+    const tokens = await generateTokens(session.userId, jwtSecret);
+    sessionStore.create({
+      id: crypto.randomUUID(),
+      userId: session.userId,
+      token: tokens.token,
+      refreshToken: tokens.refreshToken,
+      expiresAt: tokens.expiresAt,
+      createdAt: new Date(),
+      userAgent: session.userAgent,
+      ipAddress: session.ipAddress,
+    });
+
+    return {
+      token: tokens.token,
+      refreshToken: tokens.refreshToken,
+      expiresAt: tokens.expiresAt.toISOString(),
+    };
+  });
+
+  // --- POST /api/auth/logout ---
+  app.post("/api/auth/logout", async (request, reply) => {
+    const authHeader = request.headers.authorization;
+    if (authHeader?.startsWith("Bearer ")) {
+      const token = authHeader.slice(7);
+      sessionStore.deleteByToken(token);
+    }
+    return reply.status(204).send();
+  });
+
+  // --- GET /api/auth/me ---
+  app.get("/api/auth/me", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const fullUser = userStore.getById(user.id);
+    if (!fullUser) {
+      return reply.status(401).send({ error: "User not found" });
+    }
+    return {
+      user: toPublicUser(fullUser),
+      permissions: user.permissions,
+    };
+  });
+
+  // --- PUT /api/auth/me ---
+  // Update the authenticated user's name and/or email.
+  app.put("/api/auth/me", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const body = request.body as { name?: string; email?: string };
+    const updates: { name?: string; email?: string; updatedAt: Date } = { updatedAt: new Date() };
+    if (typeof body.name === "string" && body.name.trim()) {
+      updates.name = body.name.trim();
+    }
+    if (typeof body.email === "string" && body.email.trim()) {
+      updates.email = body.email.trim().toLowerCase();
+    }
+    try {
+      const updated = userStore.update(user.id, updates);
+      return { user: toPublicUser(updated) };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Update failed";
+      return reply.status(400).send({ error: message });
+    }
+  });
+
+  // --- GET /api/auth/sessions ---
+  // List current user's active sessions (without token/refreshToken fields).
+  app.get("/api/auth/sessions", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const authHeader = request.headers.authorization;
+    const currentToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+    const sessions = sessionStore.listByUserId(user.id);
+    return {
+      sessions: sessions.map(s => ({
+        id: s.id,
+        createdAt: s.createdAt.toISOString(),
+        expiresAt: s.expiresAt.toISOString(),
+        current: currentToken ? s.token === currentToken : false,
+        userAgent: s.userAgent ?? null,
+        ipAddress: s.ipAddress ?? null,
+      })),
+    };
+  });
+
+  // --- DELETE /api/auth/sessions/:id ---
+  // Revoke a specific session (cannot revoke current session).
+  app.delete("/api/auth/sessions/:id", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const { id } = request.params as { id: string };
+    const authHeader = request.headers.authorization;
+    const currentToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+    const sessions = sessionStore.listByUserId(user.id);
+    const target = sessions.find(s => s.id === id);
+    if (!target) {
+      return reply.status(404).send({ error: "Session not found" });
+    }
+    if (currentToken && target.token === currentToken) {
+      return reply.status(400).send({ error: "Cannot revoke current session" });
+    }
+    sessionStore.deleteById(id);
+    return reply.status(204).send();
+  });
+
+  // --- DELETE /api/auth/sessions ---
+  // Revoke all other sessions (keep current).
+  app.delete("/api/auth/sessions", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const authHeader = request.headers.authorization;
+    const currentToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+    const sessions = sessionStore.listByUserId(user.id);
+    for (const s of sessions) {
+      if (!currentToken || s.token !== currentToken) {
+        sessionStore.deleteById(s.id);
+      }
+    }
+    return reply.status(204).send();
+  });
+
+  // --- POST /api/auth/me/password ---
+  // Change the authenticated user's password (local accounts only).
+  app.post("/api/auth/me/password", async (request, reply) => {
+    const user = request.user;
+    if (!user) {
+      return reply.status(401).send({ error: "Authentication required" });
+    }
+    const fullUser = userStore.getById(user.id);
+    if (!fullUser) {
+      return reply.status(401).send({ error: "User not found" });
+    }
+    if (fullUser.authSource !== "local") {
+      return reply.status(400).send({ error: "Password change is only available for local accounts" });
+    }
+    const body = request.body as { currentPassword?: string; newPassword?: string };
+    if (!body.currentPassword || !body.newPassword) {
+      return reply.status(400).send({ error: "currentPassword and newPassword are required" });
+    }
+    if (body.newPassword.length < 8) {
+      return reply.status(400).send({ error: "New password must be at least 8 characters" });
+    }
+    const valid = await bcrypt.compare(body.currentPassword, fullUser.passwordHash);
+    if (!valid) {
+      return reply.status(401).send({ error: "Current password is incorrect" });
+    }
+    const passwordHash = await bcrypt.hash(body.newPassword, 10);
+    userStore.update(user.id, { passwordHash, updatedAt: new Date() });
+    return reply.status(204).send();
+  });
+}