@synth-deploy/server 0.1.0

package/src/api/progress-event-store.ts

@@ -0,0 +1,153 @@
+/**
+ * In-memory store for deployment progress events.
+ *
+ * Each deployment gets a ring buffer of events (capped at MAX_EVENTS).
+ * SSE clients subscribe via addListener / removeListener, and the store
+ * pushes new events as they arrive from the envoy's progress callback.
+ *
+ * Cleanup happens automatically after a deployment completes —
+ * the buffer is retained for CLEANUP_DELAY_MS to let late-connecting
+ * clients catch up, then purged.
+ */
+
+export interface ProgressEvent {
+  id?: number;
+  deploymentId: string;
+  type:
+    | "step-started"
+    | "step-completed"
+    | "step-failed"
+    | "rollback-started"
+    | "rollback-completed"
+    | "deployment-completed";
+  stepIndex: number;
+  stepDescription: string;
+  status: "in_progress" | "completed" | "failed";
+  output?: string;
+  error?: string;
+  timestamp: string;
+  overallProgress: number;
+}
+
+export type ProgressListener = (event: ProgressEvent) => void;
+
+const MAX_EVENTS = 100;
+const CLEANUP_DELAY_MS = 60_000; // 1 minute after completion
+
+export class ProgressEventStore {
+  private buffers = new Map<string, ProgressEvent[]>();
+  private listeners = new Map<string, Set<ProgressListener>>();
+  private cleanupTimers = new Map<string, ReturnType<typeof setTimeout>>();
+  private nextEventId = 1;
+
+  /**
+   * Push a new event for a deployment. Assigns a sequential ID,
+   * stores in the ring buffer, and notifies all subscribed SSE listeners.
+   */
+  push(event: ProgressEvent): void {
+    const { deploymentId } = event;
+
+    // Assign sequential event ID for SSE Last-Event-ID replay
+    event.id = this.nextEventId++;
+
+    // Ensure buffer exists
+    if (!this.buffers.has(deploymentId)) {
+      this.buffers.set(deploymentId, []);
+    }
+
+    const buffer = this.buffers.get(deploymentId)!;
+
+    // Ring buffer: drop oldest if at capacity
+    if (buffer.length >= MAX_EVENTS) {
+      buffer.shift();
+    }
+    buffer.push(event);
+
+    // Notify listeners
+    const listeners = this.listeners.get(deploymentId);
+    if (listeners) {
+      for (const listener of listeners) {
+        try {
+          listener(event);
+        } catch {
+          // Don't let a broken listener stop others
+        }
+      }
+    }
+
+    // Schedule cleanup if deployment completed
+    if (event.type === "deployment-completed") {
+      this.scheduleCleanup(deploymentId);
+    }
+  }
+
+  /**
+   * Get all buffered events for a deployment (for catch-up on SSE connect).
+   */
+  getEvents(deploymentId: string): ProgressEvent[] {
+    return this.buffers.get(deploymentId) ?? [];
+  }
+
+  /**
+   * Get buffered events after a given event ID (for reconnect replay).
+   * Returns only events with id > afterId.
+   */
+  getEventsSince(deploymentId: string, afterId: number): ProgressEvent[] {
+    const buffer = this.buffers.get(deploymentId) ?? [];
+    return buffer.filter((e) => (e.id ?? 0) > afterId);
+  }
+
+  /**
+   * Subscribe to new events for a deployment.
+   */
+  addListener(deploymentId: string, listener: ProgressListener): void {
+    if (!this.listeners.has(deploymentId)) {
+      this.listeners.set(deploymentId, new Set());
+    }
+    this.listeners.get(deploymentId)!.add(listener);
+  }
+
+  /**
+   * Unsubscribe from events.
+   */
+  removeListener(deploymentId: string, listener: ProgressListener): void {
+    const set = this.listeners.get(deploymentId);
+    if (set) {
+      set.delete(listener);
+      if (set.size === 0) {
+        this.listeners.delete(deploymentId);
+      }
+    }
+  }
+
+  /**
+   * Schedule buffer cleanup after deployment completion.
+   * Gives late-connecting clients time to catch up.
+   */
+  private scheduleCleanup(deploymentId: string): void {
+    // Clear any existing timer
+    const existing = this.cleanupTimers.get(deploymentId);
+    if (existing) clearTimeout(existing);
+
+    const timer = setTimeout(() => {
+      this.buffers.delete(deploymentId);
+      this.listeners.delete(deploymentId);
+      this.cleanupTimers.delete(deploymentId);
+    }, CLEANUP_DELAY_MS);
+
+    this.cleanupTimers.set(deploymentId, timer);
+  }
+
+  /**
+   * Immediately clean up all data for a deployment (for testing).
+   */
+  clear(deploymentId: string): void {
+    this.buffers.delete(deploymentId);
+    this.listeners.delete(deploymentId);
+    const timer = this.cleanupTimers.get(deploymentId);
+    if (timer) {
+      clearTimeout(timer);
+      this.cleanupTimers.delete(deploymentId);
+    }
+  }
+}

package/src/api/schemas.ts

@@ -0,0 +1,376 @@
+import { z } from "zod";
+
+// --- Partitions ---
+
+export const CreatePartitionSchema = z.object({
+  name: z.string().min(1),
+  variables: z.record(z.string().max(10_000, "Variable value must not exceed 10,000 characters"))
+    .refine((v) => Object.keys(v).length <= 200, {
+      message: "Maximum 200 variables per entity",
+    })
+    .optional(),
+});
+
+export const UpdatePartitionSchema = z.object({
+  name: z.string().min(1).optional(),
+});
+
+export const SetVariablesSchema = z.object({
+  variables: z.record(z.string().max(10_000, "Variable value must not exceed 10,000 characters"))
+    .refine((v) => Object.keys(v).length <= 200, {
+      message: "Maximum 200 variables per entity",
+    }),
+});
+
+// --- Artifacts ---
+
+export const CreateArtifactSchema = z.object({
+  name: z.string().min(1),
+  type: z.string().min(1),
+  source: z.string().optional(),
+  metadata: z.record(z.string()).optional(),
+});
+
+export const AddAnnotationSchema = z.object({
+  field: z.string().min(1),
+  correction: z.string().min(1),
+});
+
+export const AddArtifactVersionSchema = z.object({
+  version: z.string().min(1),
+  source: z.string(),
+  metadata: z.record(z.string()).optional(),
+});
+
+// --- Security Boundaries ---
+
+export const SetSecurityBoundariesSchema = z.object({
+  boundaries: z.array(z.object({
+    boundaryType: z.enum(["filesystem", "service", "network", "credential", "execution"]),
+    config: z.record(z.unknown()),
+  })),
+});
+
+// --- Environments ---
+
+export const CreateEnvironmentSchema = z.object({
+  name: z.string().min(1),
+  variables: z.record(z.string().max(10_000, "Variable value must not exceed 10,000 characters"))
+    .refine((v) => Object.keys(v).length <= 200, {
+      message: "Maximum 200 variables per entity",
+    })
+    .optional(),
+});
+
+export const UpdateEnvironmentSchema = z.object({
+  name: z.string().min(1).optional(),
+  variables: z.record(z.string().max(10_000, "Variable value must not exceed 10,000 characters"))
+    .refine((v) => Object.keys(v).length <= 200, {
+      message: "Maximum 200 variables per entity",
+    })
+    .optional(),
+});
+
+// --- SSRF Prevention ---
+
+/**
+ * SSRF-safe URL validator. Blocks private/internal IP ranges and
+ * restricts to http/https protocols.
+ */
+function isSsrfSafeUrl(url: string): boolean {
+  let parsed: URL;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return false;
+  }
+
+  // Only allow http and https
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    return false;
+  }
+
+  const hostname = parsed.hostname;
+
+  // Block localhost variants
+  if (hostname === "localhost" || hostname === "[::1]") {
+    return false;
+  }
+
+  // Block IPv6 loopback
+  if (hostname === "::1") {
+    return false;
+  }
+
+  // Check IPv4 private ranges
+  const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  if (ipv4Match) {
+    const [, a, b] = ipv4Match.map(Number);
+    // 127.0.0.0/8 — loopback
+    if (a === 127) return false;
+    // 10.0.0.0/8 — private
+    if (a === 10) return false;
+    // 172.16.0.0/12 — private
+    if (a === 172 && b >= 16 && b <= 31) return false;
+    // 192.168.0.0/16 — private
+    if (a === 192 && b === 168) return false;
+    // 169.254.0.0/16 — link-local (AWS metadata)
+    if (a === 169 && b === 254) return false;
+    // 0.0.0.0
+    if (a === 0) return false;
+  }
+
+  return true;
+}
+
+// --- Settings ---
+
+const LlmProviderEnum = z.enum(["claude", "openai", "gemini", "grok", "deepseek", "ollama", "custom"]);
+
+/**
+ * LLM base URL validator. Allows localhost/private IPs for local providers
+ * like Ollama, but validates URL format.
+ */
+function isValidLlmBaseUrl(url: string): boolean {
+  try {
+    const parsed = new URL(url);
+    return parsed.protocol === "http:" || parsed.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+
+const LlmFallbackConfigSchema = z.object({
+  provider: LlmProviderEnum,
+  apiKeyConfigured: z.boolean().optional(),
+  baseUrl: z.string().refine(isValidLlmBaseUrl, {
+    message: "Must be a valid http or https URL",
+  }).optional(),
+  model: z.string().min(1),
+  timeoutMs: z.number().int().positive({ message: "Timeout must be a positive number" }),
+});
+
+const LlmProviderConfigSchema = z.object({
+  provider: LlmProviderEnum,
+  apiKeyConfigured: z.boolean().optional(),
+  apiKey: z.string().optional(),
+  baseUrl: z.string().refine(isValidLlmBaseUrl, {
+    message: "Must be a valid http or https URL",
+  }).optional(),
+  reasoningModel: z.string().min(1),
+  classificationModel: z.string().min(1),
+  timeoutMs: z.number().int().positive({ message: "Timeout must be a positive number" }),
+  rateLimitPerMin: z.number().int().positive({ message: "Rate limit must be a positive number" }),
+  fallbacks: z.array(LlmFallbackConfigSchema).optional(),
+});
+
+export { LlmProviderConfigSchema };
+
+const TaskModelConfigSchema = z.object({
+  logClassification: z.string().optional(),
+  diagnosticSynthesis: z.string().optional(),
+  postmortemGeneration: z.string().optional(),
+  queryAnswering: z.string().optional(),
+});
+
+export { TaskModelConfigSchema };
+
+export const VerifyTaskModelSchema = z.object({
+  task: z.enum(["logClassification", "diagnosticSynthesis", "postmortemGeneration", "queryAnswering"]),
+  model: z.string().min(1),
+});
+
+export const UpdateSettingsSchema = z.object({
+  environmentsEnabled: z.boolean().optional(),
+  defaultTheme: z.enum(["dark", "light", "system"]).optional(),
+  agent: z.object({
+    defaultHealthCheckRetries: z.number().int().nonnegative().optional(),
+    defaultTimeoutMs: z.number().int().positive().optional(),
+    conflictPolicy: z.enum(["permissive", "strict"]).optional(),
+    defaultVerificationStrategy: z.enum(["basic", "full", "none"]).optional(),
+    llmEntityExposure: z.enum(["names", "none"]).optional(),
+    llmOverride: LlmProviderConfigSchema.partial().optional(),
+    taskModels: TaskModelConfigSchema.optional(),
+  }).optional(),
+  envoy: z.object({
+    url: z.string().refine(isSsrfSafeUrl, {
+      message: "URL must not point to private/internal IP ranges (SSRF prevention)",
+    }).optional(),
+    timeoutMs: z.number().int().positive().optional(),
+  }).optional(),
+  coBranding: z.object({
+    operatorName: z.string(),
+    logoUrl: z.string(),
+    accentColor: z.string().optional(),
+  }).optional().nullable(),
+  mcpServers: z.array(z.object({
+    name: z.string(),
+    url: z.string().url().refine(isSsrfSafeUrl, {
+      message: "URL must not point to private/internal IP ranges (SSRF prevention)",
+    }),
+    description: z.string().optional(),
+  })).optional(),
+  llm: LlmProviderConfigSchema.partial().optional(),
+});
+
+// --- Artifacts (update) ---
+
+export const UpdateArtifactSchema = z.object({
+  name: z.string().min(1).optional(),
+  type: z.string().min(1).optional(),
+  source: z.string().optional(),
+  metadata: z.record(z.string()).optional(),
+});
+
+// --- Deployments ---
+
+export const CreateDeploymentSchema = z.object({
+  artifactId: z.string().min(1),
+  environmentId: z.string().min(1).optional(),
+  partitionId: z.string().optional(),
+  envoyId: z.string().optional(),
+  version: z.string().optional(),
+});
+
+export const ApproveDeploymentSchema = z.object({
+  approvedBy: z.string().min(1),
+  modifications: z.string().optional(),
+});
+
+export const RejectDeploymentSchema = z.object({
+  reason: z.string().min(1),
+});
+
+export const ModifyDeploymentPlanSchema = z.object({
+  steps: z.array(z.object({
+    description: z.string().min(1),
+    action: z.string().min(1),
+    target: z.string().min(1),
+    reversible: z.boolean(),
+    rollbackAction: z.string().optional(),
+  })).min(1, "Plan must contain at least one step"),
+  reason: z.string().min(1),
+});
+
+export const SubmitPlanSchema = z.object({
+  plan: z.object({
+    steps: z.array(z.object({
+      description: z.string().min(1),
+      action: z.string().min(1),
+      target: z.string().min(1),
+      reversible: z.boolean(),
+      rollbackAction: z.string().optional(),
+    })).min(1),
+    reasoning: z.string().min(1),
+    diffFromCurrent: z.array(z.object({ key: z.string(), from: z.string(), to: z.string() })).optional(),
+    diffFromPreviousPlan: z.string().optional(),
+  }),
+  rollbackPlan: z.object({
+    steps: z.array(z.object({
+      description: z.string().min(1),
+      action: z.string().min(1),
+      target: z.string().min(1),
+      reversible: z.boolean(),
+      rollbackAction: z.string().optional(),
+    })),
+    reasoning: z.string().min(1),
+  }),
+});
+
+export const DeploymentListQuerySchema = z.object({
+  partitionId: z.string().optional(),
+  artifactId: z.string().optional(),
+  envoyId: z.string().optional(),
+});
+
+export const ReplanDeploymentSchema = z.object({
+  feedback: z.string().min(1),
+});
+
+export const DebriefQuerySchema = z.object({
+  limit: z.coerce.number().int().positive().optional(),
+  partitionId: z.string().optional(),
+  decisionType: z.string().optional(),
+});
+
+// --- Progress Events (from envoy callback) ---
+
+export const ProgressEventSchema = z.object({
+  deploymentId: z.string(),
+  type: z.enum([
+    "step-started",
+    "step-completed",
+    "step-failed",
+    "rollback-started",
+    "rollback-completed",
+    "deployment-completed",
+  ]),
+  stepIndex: z.number().int().nonnegative(),
+  stepDescription: z.string(),
+  status: z.enum(["in_progress", "completed", "failed"]),
+  output: z.string().optional(),
+  error: z.string().optional(),
+  timestamp: z.string(),
+  overallProgress: z.number().min(0).max(100),
+});
+
+// --- Telemetry ---
+
+export const TelemetryQuerySchema = z.object({
+  actor: z.string().optional(),
+  action: z.string().optional(),
+  from: z.string().optional(),
+  to: z.string().optional(),
+  limit: z.coerce.number().int().positive().max(200).optional(),
+  offset: z.coerce.number().int().nonnegative().optional(),
+});
+
+// --- Agent ---
+
+export const QueryRequestSchema = z.object({
+  query: z.string().min(1),
+  conversationId: z.string().optional(),
+});
+
+// --- Auth ---
+
+export const LoginSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(1),
+});
+
+export const RegisterSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1),
+  password: z.string().min(8),
+});
+
+export const RefreshTokenSchema = z.object({
+  refreshToken: z.string().min(1),
+});
+
+export const CreateUserSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1),
+  password: z.string().min(8),
+});
+
+export const UpdateUserSchema = z.object({
+  email: z.string().email().optional(),
+  name: z.string().min(1).optional(),
+  password: z.string().min(8).optional(),
+});
+
+export const AssignRolesSchema = z.object({
+  roleIds: z.array(z.string().min(1)),
+});
+
+export const CreateRoleSchema = z.object({
+  name: z.string().min(1),
+  permissions: z.array(z.string().min(1)),
+});
+
+export const UpdateRoleSchema = z.object({
+  name: z.string().min(1).optional(),
+  permissions: z.array(z.string().min(1)).optional(),
+});

package/src/api/security-boundaries.ts

@@ -0,0 +1,54 @@
+import crypto from "node:crypto";
+import type { FastifyInstance } from "fastify";
+import type { ISecurityBoundaryStore, ITelemetryStore } from "@synth-deploy/core";
+import { SetSecurityBoundariesSchema } from "./schemas.js";
+import { requirePermission } from "../middleware/permissions.js";
+
+export function registerSecurityBoundaryRoutes(
+  app: FastifyInstance,
+  securityBoundaryStore: ISecurityBoundaryStore,
+  telemetry: ITelemetryStore,
+): void {
+  // Get boundaries for envoy
+  app.get<{ Params: { envoyId: string } }>(
+    "/api/envoys/:envoyId/security-boundaries",
+    { preHandler: [requirePermission("envoy.view")] },
+    async (request) => {
+      const boundaries = securityBoundaryStore.get(request.params.envoyId);
+      return { boundaries };
+    },
+  );
+
+  // Set/replace boundaries for envoy
+  app.put<{ Params: { envoyId: string } }>(
+    "/api/envoys/:envoyId/security-boundaries",
+    { preHandler: [requirePermission("envoy.configure")] },
+    async (request, reply) => {
+      const parsed = SetSecurityBoundariesSchema.safeParse(request.body);
+      if (!parsed.success) {
+        return reply.status(400).send({ error: parsed.error.message });
+      }
+
+      const boundaries = parsed.data.boundaries.map((b) => ({
+        id: crypto.randomUUID(),
+        envoyId: request.params.envoyId,
+        boundaryType: b.boundaryType,
+        config: b.config,
+      }));
+
+      securityBoundaryStore.set(request.params.envoyId, boundaries);
+      telemetry.record({ actor: (request.user?.email) ?? "anonymous", action: "security-boundary.updated", target: { type: "envoy", id: request.params.envoyId }, details: { boundaryCount: boundaries.length } });
+      return { boundaries };
+    },
+  );
+
+  // Remove all boundaries for envoy
+  app.delete<{ Params: { envoyId: string } }>(
+    "/api/envoys/:envoyId/security-boundaries",
+    { preHandler: [requirePermission("envoy.configure")] },
+    async (request, reply) => {
+      securityBoundaryStore.delete(request.params.envoyId);
+      return reply.status(204).send();
+    },
+  );
+}

package/src/api/settings.ts

@@ -0,0 +1,118 @@
+import type { FastifyInstance } from "fastify";
+import type { ISettingsStore, ITelemetryStore, AppSettings, LlmProviderConfig } from "@synth-deploy/core";
+import { UpdateSettingsSchema } from "./schemas.js";
+import { requirePermission } from "../middleware/permissions.js";
+import { requireEnterprise, getEdition, getLicenseInfo, getMaxEnvoys, isPartnership, ENTERPRISE_FEATURES } from "@synth-deploy/core";
+import { invalidateLlmHealthCache } from "./health.js";
+
+/**
+ * Strips API key from LLM settings before returning to the frontend.
+ * The apiKeyConfigured field tells the UI whether a key is set without exposing it.
+ */
+function sanitizeLlmSettings(settings: AppSettings): AppSettings {
+  const sanitized = structuredClone(settings);
+
+  if (sanitized.llm) {
+    // Remove any raw apiKey that leaked into the config
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    delete (sanitized.llm as any)["apiKey"];
+    // Ensure apiKeyConfigured reflects whether an env var key is set
+    sanitized.llm.apiKeyConfigured =
+      typeof process.env.SYNTH_LLM_API_KEY === "string" &&
+      process.env.SYNTH_LLM_API_KEY.length > 0;
+
+    if (sanitized.llm.fallbacks) {
+      for (const fb of sanitized.llm.fallbacks) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        delete (fb as any)["apiKey"];
+        fb.apiKeyConfigured =
+          typeof process.env.SYNTH_LLM_API_KEY === "string" &&
+          process.env.SYNTH_LLM_API_KEY.length > 0;
+      }
+    }
+  }
+
+  return sanitized;
+}
+
+/**
+ * Strips API key from incoming LLM provider config before persisting.
+ * API keys are stored in environment variables only — never in the settings store.
+ */
+function stripApiKeyFromConfig(
+  llmConfig: LlmProviderConfig & { apiKey?: string },
+): LlmProviderConfig {
+  const { apiKey: _apiKey, ...rest } = llmConfig;
+  return {
+    ...rest,
+    apiKeyConfigured:
+      typeof process.env.SYNTH_LLM_API_KEY === "string" &&
+      process.env.SYNTH_LLM_API_KEY.length > 0,
+  };
+}
+
+export function registerSettingsRoutes(
+  app: FastifyInstance,
+  settings: ISettingsStore,
+  telemetry: ITelemetryStore,
+): void {
+  // Get all settings
+  app.get("/api/settings", { preHandler: [requirePermission("settings.manage")] }, async () => {
+    return { settings: sanitizeLlmSettings(settings.get()) };
+  });
+
+  // Update settings (partial merge)
+  app.put("/api/settings", { preHandler: [requirePermission("settings.manage")] }, async (request, reply) => {
+    const parsed = UpdateSettingsSchema.safeParse(request.body);
+    if (!parsed.success) {
+      const msg = parsed.error.issues.map(i => `${i.path.join(".")}: ${i.message}`).join("; ");
+      return reply.status(400).send({ error: msg || "Invalid input" });
+    }
+
+    // Gate enterprise-only settings
+    const data = parsed.data as Partial<AppSettings> & { llm?: LlmProviderConfig & { apiKey?: string } };
+    if (data.coBranding) requireEnterprise("co-branding");
+    if (data.mcpServers && data.mcpServers.length > 0) requireEnterprise("mcp-servers");
+
+    // Persist API key encrypted in DB and apply to process env, then strip before storing settings
+    if (data.llm) {
+      if (data.llm.apiKey && data.llm.apiKey.length > 0) {
+        settings.setSecret("llm_api_key", data.llm.apiKey);
+        process.env.SYNTH_LLM_API_KEY = data.llm.apiKey;
+        invalidateLlmHealthCache();
+      }
+      data.llm = stripApiKeyFromConfig(data.llm);
+    }
+
+    const updated = settings.update(data as Partial<AppSettings>);
+    telemetry.record({ actor: (request.user?.email) ?? "anonymous", action: "settings.updated", target: { type: "settings", id: "app" }, details: { fields: Object.keys(parsed.data) } });
+    return { settings: sanitizeLlmSettings(updated) };
+  });
+
+  // Edition info — public (no auth required), used by UI to render edition badge and gate features
+  app.get("/api/edition", async () => {
+    const edition = getEdition();
+    const license = getLicenseInfo();
+    return {
+      edition,
+      maxEnvoys: getMaxEnvoys(),
+      partnership: isPartnership(),
+      license,
+      features: ENTERPRISE_FEATURES,
+    };
+  });
+
+  // Read-only command info
+  app.get("/api/settings/command-info", { preHandler: [requirePermission("settings.manage")] }, async () => {
+    return {
+      info: {
+        version: "0.1.0",
+        host: process.env.HOST ?? "0.0.0.0",
+        port: parseInt(process.env.PORT ?? "9410", 10),
+        startedAt: commandStartTime,
+      },
+    };
+  });
+}
+
+const commandStartTime = new Date().toISOString();