@synth-deploy/server 0.1.0

package/src/intake/index.ts

@@ -0,0 +1,5 @@
+export { parseWebhook, parseGitHubActionsWebhook, parseAzureDevOpsWebhook, parseJenkinsWebhook, parseGitLabCIWebhook, parseCircleCIWebhook, parseGenericWebhook } from "./webhook-handlers.js";
+export type { WebhookPayload } from "./webhook-handlers.js";
+export { RegistryPoller } from "./registry-poller.js";
+export { IntakeProcessor } from "./intake-processor.js";
+export { IntakeChannelStore, IntakeEventStore } from "./intake-store.js";

package/src/intake/intake-processor.ts

@@ -0,0 +1,111 @@
+/**
+ * Intake processor — takes a normalized webhook payload and creates
+ * or updates artifacts and versions in the artifact store.
+ */
+
+import type { IArtifactStore } from "@synth-deploy/core";
+import type { ArtifactAnalyzer } from "../artifact-analyzer.js";
+import { detectArtifactType } from "../artifact-analyzer.js";
+import type { WebhookPayload } from "./webhook-handlers.js";
+
+export class IntakeProcessor {
+  constructor(
+    private artifactStore: IArtifactStore,
+    private analyzer?: ArtifactAnalyzer,
+  ) {}
+
+  async process(
+    payload: WebhookPayload,
+    channelId: string,
+  ): Promise<{ artifactId: string; versionId: string }> {
+    // 1. Find existing artifact by name, or create a new one
+    const existing = this.artifactStore
+      .list()
+      .find((a) => a.name === payload.artifactName);
+
+    let artifactId: string;
+
+    if (existing) {
+      artifactId = existing.id;
+    } else {
+      const artifact = this.artifactStore.create({
+        name: payload.artifactName,
+        type: payload.artifactType,
+        analysis: {
+          summary: `Auto-ingested artifact from ${payload.source}`,
+          dependencies: [],
+          configurationExpectations: {},
+          deploymentIntent: undefined,
+          confidence: 0.1,
+        },
+        annotations: [],
+        learningHistory: [
+          {
+            timestamp: new Date(),
+            event: "intake-created",
+            details: `Created via intake channel ${channelId} from ${payload.source}`,
+          },
+        ],
+      });
+      artifactId = artifact.id;
+    }
+
+    // 2. Add new version
+    const stringMetadata: Record<string, string> = {};
+    for (const [k, v] of Object.entries(payload.metadata)) {
+      stringMetadata[k] = String(v ?? "");
+    }
+    if (payload.downloadUrl) {
+      stringMetadata["downloadUrl"] = payload.downloadUrl;
+    }
+    stringMetadata["intakeChannel"] = channelId;
+
+    const version = this.artifactStore.addVersion({
+      artifactId,
+      version: payload.version,
+      source: payload.source,
+      metadata: stringMetadata,
+    });
+
+    // 3. Trigger analysis if analyzer is available (best-effort, non-blocking)
+    if (this.analyzer) {
+      try {
+        const result = await this.analyzer.analyze({
+          name: payload.artifactName,
+          type: payload.artifactType,
+          source: payload.source,
+          content: payload.content,
+          metadata: stringMetadata,
+        });
+
+        // Resolve the best type: prefer the detected type over "unknown"
+        const detectedType = detectArtifactType({
+          name: payload.artifactName,
+          type: payload.artifactType !== "unknown" ? payload.artifactType : undefined,
+          source: payload.source,
+          content: payload.content,
+          metadata: stringMetadata,
+        });
+
+        // Update the artifact with the new analysis (and corrected type)
+        this.artifactStore.update(artifactId, {
+          type: detectedType !== "unknown" ? detectedType : payload.artifactType,
+          analysis: result.analysis,
+          learningHistory: [
+            ...(existing?.learningHistory ?? []),
+            {
+              timestamp: new Date(),
+              event: "intake-analysis",
+              details: `Re-analyzed via intake (method: ${result.method}, confidence: ${result.analysis.confidence})`,
+            },
+          ],
+        });
+      } catch (err) {
+        // Analysis failure should not block intake
+        console.error(`[IntakeProcessor] Analysis failed for ${payload.artifactName}:`, err);
+      }
+    }
+
+    return { artifactId, versionId: version.id };
+  }
+}

package/src/intake/intake-store.ts

@@ -0,0 +1,7 @@
+/**
+ * Re-exports persistent stores for intake channels and events from @synth-deploy/core.
+ * These stores are now SQLite-backed to survive server restarts.
+ */
+
+export { PersistentIntakeChannelStore as IntakeChannelStore } from "@synth-deploy/core";
+export { PersistentIntakeEventStore as IntakeEventStore } from "@synth-deploy/core";

package/src/intake/registry-poller.ts

@@ -0,0 +1,230 @@
+/**
+ * Registry poller — periodically checks container and package registries
+ * for new versions and emits intake events when new versions are found.
+ *
+ * Known versions are persisted via PersistentRegistryPollerVersionStore
+ * so that server restarts don't re-trigger deployments for already-seen versions.
+ */
+
+import type { IntakeChannel, RegistryConfig } from "@synth-deploy/core";
+import type { PersistentRegistryPollerVersionStore } from "@synth-deploy/core";
+import type { WebhookPayload } from "./webhook-handlers.js";
+
+export class RegistryPoller {
+  private intervals = new Map<string, NodeJS.Timeout>();
+  private knownVersions = new Map<string, Set<string>>();
+  private onNewVersion: (channelId: string, payload: WebhookPayload) => Promise<void>;
+  private versionStore?: PersistentRegistryPollerVersionStore;
+
+  constructor(
+    onNewVersion: (channelId: string, payload: WebhookPayload) => Promise<void>,
+    versionStore?: PersistentRegistryPollerVersionStore,
+  ) {
+    this.onNewVersion = onNewVersion;
+    this.versionStore = versionStore;
+  }
+
+  startPolling(channel: IntakeChannel): void {
+    // Stop existing polling for this channel if any
+    this.stopPolling(channel.id);
+
+    const config = channel.config as unknown as RegistryConfig;
+    const intervalMs = config.pollIntervalMs || 300_000; // Default: 5 minutes
+
+    // Load persisted known versions, or initialize empty set
+    if (!this.knownVersions.has(channel.id)) {
+      if (this.versionStore) {
+        this.knownVersions.set(channel.id, this.versionStore.getKnownVersions(channel.id));
+      } else {
+        this.knownVersions.set(channel.id, new Set());
+      }
+    }
+
+    // Poll immediately on start
+    this.poll(channel).catch((err) => {
+      console.error(`[RegistryPoller] Initial poll failed for channel ${channel.id}:`, err);
+    });
+
+    // Set up interval
+    const interval = setInterval(() => {
+      this.poll(channel).catch((err) => {
+        console.error(`[RegistryPoller] Poll failed for channel ${channel.id}:`, err);
+      });
+    }, intervalMs);
+
+    this.intervals.set(channel.id, interval);
+  }
+
+  stopPolling(channelId: string): void {
+    const interval = this.intervals.get(channelId);
+    if (interval) {
+      clearInterval(interval);
+      this.intervals.delete(channelId);
+    }
+  }
+
+  stopAll(): void {
+    for (const [id] of this.intervals) {
+      this.stopPolling(id);
+    }
+  }
+
+  /**
+   * Record a version as known, both in memory and in the persistent store.
+   * Returns true if the version was newly seen (not previously known).
+   */
+  private recordVersion(channelId: string, versionKey: string): boolean {
+    const known = this.knownVersions.get(channelId) ?? new Set();
+    if (known.has(versionKey)) return false;
+
+    known.add(versionKey);
+    this.knownVersions.set(channelId, known);
+    this.versionStore?.addVersion(channelId, versionKey);
+    return true;
+  }
+
+  private async poll(channel: IntakeChannel): Promise<void> {
+    const config = channel.config as unknown as RegistryConfig;
+    switch (config.type) {
+      case "docker":
+        await this.pollDockerRegistry(channel, config);
+        break;
+      case "npm":
+        await this.pollNpmRegistry(channel, config);
+        break;
+      case "nuget":
+        await this.pollNuGetRegistry(channel, config);
+        break;
+    }
+  }
+
+  /**
+   * Poll a Docker registry for new image tags.
+   * Uses the Docker Registry HTTP API V2.
+   */
+  private async pollDockerRegistry(channel: IntakeChannel, config: RegistryConfig): Promise<void> {
+    const trackedImages = config.trackedImages ?? [];
+    if (trackedImages.length === 0) return;
+
+    const baseUrl = config.url.replace(/\/$/, "");
+    const headers: Record<string, string> = {};
+    if (config.credentials) {
+      const auth = Buffer.from(`${config.credentials.username}:${config.credentials.password}`).toString("base64");
+      headers["Authorization"] = `Basic ${auth}`;
+    }
+
+    for (const image of trackedImages) {
+      try {
+        const res = await fetch(`${baseUrl}/v2/${image}/tags/list`, { headers });
+        if (!res.ok) continue;
+
+        const data = await res.json() as { tags?: string[] };
+        const tags = data.tags ?? [];
+        const known = this.knownVersions.get(channel.id) ?? new Set();
+        const isFirstPoll = known.size === 0;
+
+        for (const tag of tags) {
+          const key = `${image}:${tag}`;
+          const isNew = this.recordVersion(channel.id, key);
+
+          // Don't emit events on first poll (seed phase)
+          if (isNew && !isFirstPoll) {
+            await this.onNewVersion(channel.id, {
+              artifactName: image,
+              artifactType: "docker",
+              version: tag,
+              source: `docker-registry:${baseUrl}`,
+              downloadUrl: `${baseUrl}/v2/${image}/manifests/${tag}`,
+              metadata: { registry: baseUrl, image, tag },
+            });
+          }
+        }
+      } catch (err) {
+        console.error(`[RegistryPoller] Docker poll error for ${image}:`, err);
+      }
+    }
+  }
+
+  /**
+   * Poll the npm registry for new package versions.
+   */
+  private async pollNpmRegistry(channel: IntakeChannel, config: RegistryConfig): Promise<void> {
+    const trackedPackages = config.trackedPackages ?? [];
+    if (trackedPackages.length === 0) return;
+
+    const baseUrl = config.url.replace(/\/$/, "") || "https://registry.npmjs.org";
+
+    for (const pkg of trackedPackages) {
+      try {
+        const res = await fetch(`${baseUrl}/${encodeURIComponent(pkg)}`);
+        if (!res.ok) continue;
+
+        const data = await res.json() as { versions?: Record<string, unknown> };
+        const versions = Object.keys(data.versions ?? {});
+        const known = this.knownVersions.get(channel.id) ?? new Set();
+        const isFirstPoll = known.size === 0;
+
+        for (const version of versions) {
+          const key = `${pkg}@${version}`;
+          const isNew = this.recordVersion(channel.id, key);
+
+          if (isNew && !isFirstPoll) {
+            await this.onNewVersion(channel.id, {
+              artifactName: pkg,
+              artifactType: "npm",
+              version,
+              source: `npm-registry:${baseUrl}`,
+              downloadUrl: `${baseUrl}/${encodeURIComponent(pkg)}/-/${pkg}-${version}.tgz`,
+              metadata: { registry: baseUrl, package: pkg, version },
+            });
+          }
+        }
+      } catch (err) {
+        console.error(`[RegistryPoller] npm poll error for ${pkg}:`, err);
+      }
+    }
+  }
+
+  /**
+   * Poll a NuGet feed for new package versions.
+   * Uses the NuGet V3 API.
+   */
+  private async pollNuGetRegistry(channel: IntakeChannel, config: RegistryConfig): Promise<void> {
+    const trackedPackages = config.trackedPackages ?? [];
+    if (trackedPackages.length === 0) return;
+
+    const baseUrl = config.url.replace(/\/$/, "") || "https://api.nuget.org/v3";
+
+    for (const pkg of trackedPackages) {
+      try {
+        // NuGet V3: flat container for version listing
+        const res = await fetch(
+          `${baseUrl}/flatcontainer/${pkg.toLowerCase()}/index.json`,
+        );
+        if (!res.ok) continue;
+
+        const data = await res.json() as { versions?: string[] };
+        const versions = data.versions ?? [];
+        const known = this.knownVersions.get(channel.id) ?? new Set();
+        const isFirstPoll = known.size === 0;
+
+        for (const version of versions) {
+          const key = `${pkg}@${version}`;
+          const isNew = this.recordVersion(channel.id, key);
+
+          if (isNew && !isFirstPoll) {
+            await this.onNewVersion(channel.id, {
+              artifactName: pkg,
+              artifactType: "nuget",
+              version,
+              source: `nuget-registry:${baseUrl}`,
+              metadata: { registry: baseUrl, package: pkg, version },
+            });
+          }
+        }
+      } catch (err) {
+        console.error(`[RegistryPoller] NuGet poll error for ${pkg}:`, err);
+      }
+    }
+  }
+}

package/src/intake/webhook-handlers.ts

@@ -0,0 +1,328 @@
+import crypto from "node:crypto";
+
+/**
+ * Webhook payload parsers for CI/CD system integrations.
+ *
+ * Each parser extracts a normalized WebhookPayload from the raw
+ * webhook body sent by the respective CI/CD platform.
+ */
+
+export interface WebhookPayload {
+  artifactName: string;
+  artifactType: string;
+  version: string;
+  source: string;
+  downloadUrl?: string;
+  metadata: Record<string, unknown>;
+  /** Raw file content — passed through to the analyzer for deterministic extraction */
+  content?: Buffer;
+}
+
+// ---------------------------------------------------------------------------
+// GitHub Actions — workflow_run completed event
+// ---------------------------------------------------------------------------
+
+export function parseGitHubActionsWebhook(body: unknown): WebhookPayload | null {
+  if (!body || typeof body !== "object") return null;
+  const data = body as Record<string, unknown>;
+
+  // GitHub sends workflow_run events with action: "completed"
+  const workflowRun = data.workflow_run as Record<string, unknown> | undefined;
+  if (!workflowRun) return null;
+
+  const conclusion = workflowRun.conclusion as string | undefined;
+  if (conclusion !== "success") return null;
+
+  const repo = data.repository as Record<string, unknown> | undefined;
+  const repoName = (repo?.name as string) ?? "unknown";
+  const headSha = (workflowRun.head_sha as string) ?? "unknown";
+  const headBranch = (workflowRun.head_branch as string) ?? "unknown";
+  const runNumber = workflowRun.run_number as number | undefined;
+
+  return {
+    artifactName: repoName,
+    artifactType: "github-actions-build",
+    version: runNumber ? `build-${runNumber}` : headSha.slice(0, 8),
+    source: "github-actions",
+    downloadUrl: (workflowRun.artifacts_url as string) ?? undefined,
+    metadata: {
+      sha: headSha,
+      branch: headBranch,
+      workflow: (workflowRun.name as string) ?? "unknown",
+      runId: workflowRun.id,
+      runNumber,
+      htmlUrl: workflowRun.html_url,
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Azure DevOps — build.complete event
+// ---------------------------------------------------------------------------
+
+export function parseAzureDevOpsWebhook(body: unknown): WebhookPayload | null {
+  if (!body || typeof body !== "object") return null;
+  const data = body as Record<string, unknown>;
+
+  const eventType = data.eventType as string | undefined;
+  if (eventType !== "build.complete") return null;
+
+  const resource = data.resource as Record<string, unknown> | undefined;
+  if (!resource) return null;
+
+  const result = resource.result as string | undefined;
+  if (result !== "succeeded") return null;
+
+  const definition = resource.definition as Record<string, unknown> | undefined;
+  const buildNumber = (resource.buildNumber as string) ?? "unknown";
+  const sourceVersion = (resource.sourceVersion as string) ?? "unknown";
+
+  return {
+    artifactName: (definition?.name as string) ?? "unknown",
+    artifactType: "azure-devops-build",
+    version: buildNumber,
+    source: "azure-devops",
+    downloadUrl: (resource.url as string) ?? undefined,
+    metadata: {
+      buildId: resource.id,
+      buildNumber,
+      sourceVersion,
+      sourceBranch: resource.sourceBranch,
+      definitionName: definition?.name,
+      project: (data.resourceContainers as Record<string, unknown>)?.project,
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Jenkins — build notification
+// ---------------------------------------------------------------------------
+
+export function parseJenkinsWebhook(body: unknown): WebhookPayload | null {
+  if (!body || typeof body !== "object") return null;
+  const data = body as Record<string, unknown>;
+
+  const build = data.build as Record<string, unknown> | undefined;
+  if (!build) {
+    // Some Jenkins plugins send flat payloads
+    if (!data.name && !data.job_name) return null;
+    return {
+      artifactName: (data.name as string) ?? (data.job_name as string) ?? "unknown",
+      artifactType: "jenkins-build",
+      version: String(data.build_number ?? data.number ?? "unknown"),
+      source: "jenkins",
+      downloadUrl: (data.build_url as string) ?? (data.url as string) ?? undefined,
+      metadata: {
+        status: data.status ?? data.build_status,
+        url: data.build_url ?? data.url,
+      },
+    };
+  }
+
+  const phase = build.phase as string | undefined;
+  const status = build.status as string | undefined;
+
+  // Only process completed successful builds
+  if (phase !== "COMPLETED" && phase !== "FINALIZED") return null;
+  if (status && status !== "SUCCESS") return null;
+
+  return {
+    artifactName: (data.name as string) ?? "unknown",
+    artifactType: "jenkins-build",
+    version: String(build.number ?? "unknown"),
+    source: "jenkins",
+    downloadUrl: (build.full_url as string) ?? (build.url as string) ?? undefined,
+    metadata: {
+      buildNumber: build.number,
+      phase,
+      status,
+      url: build.full_url ?? build.url,
+      scmInfo: build.scm,
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// GitLab CI — pipeline event
+// ---------------------------------------------------------------------------
+
+export function parseGitLabCIWebhook(body: unknown): WebhookPayload | null {
+  if (!body || typeof body !== "object") return null;
+  const data = body as Record<string, unknown>;
+
+  const objectKind = data.object_kind as string | undefined;
+  if (objectKind !== "pipeline") return null;
+
+  const attrs = data.object_attributes as Record<string, unknown> | undefined;
+  if (!attrs) return null;
+
+  const status = attrs.status as string | undefined;
+  if (status !== "success") return null;
+
+  const project = data.project as Record<string, unknown> | undefined;
+
+  return {
+    artifactName: (project?.name as string) ?? "unknown",
+    artifactType: "gitlab-ci-build",
+    version: `pipeline-${attrs.id ?? "unknown"}`,
+    source: "gitlab-ci",
+    downloadUrl: (project?.web_url as string) ?? undefined,
+    metadata: {
+      pipelineId: attrs.id,
+      ref: attrs.ref,
+      sha: attrs.sha,
+      source: attrs.source,
+      projectName: project?.name,
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// CircleCI — workflow-completed event
+// ---------------------------------------------------------------------------
+
+export function parseCircleCIWebhook(body: unknown): WebhookPayload | null {
+  if (!body || typeof body !== "object") return null;
+  const data = body as Record<string, unknown>;
+
+  const type = data.type as string | undefined;
+  if (type !== "workflow-completed") return null;
+
+  const workflow = data.workflow as Record<string, unknown> | undefined;
+  if (!workflow) return null;
+
+  const status = workflow.status as string | undefined;
+  if (status !== "success") return null;
+
+  const pipeline = data.pipeline as Record<string, unknown> | undefined;
+  const project = data.project as Record<string, unknown> | undefined;
+
+  return {
+    artifactName: (project?.name as string) ?? "unknown",
+    artifactType: "circleci-build",
+    version: `workflow-${workflow.id ?? "unknown"}`,
+    source: "circleci",
+    metadata: {
+      workflowId: workflow.id,
+      workflowName: workflow.name,
+      pipelineId: pipeline?.id,
+      pipelineNumber: pipeline?.number,
+      projectSlug: project?.slug,
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Generic — expects normalized payload
+// ---------------------------------------------------------------------------
+
+export function parseGenericWebhook(body: unknown): WebhookPayload | null {
+  if (!body || typeof body !== "object") return null;
+  const data = body as Record<string, unknown>;
+
+  const artifactName = data.artifactName as string | undefined;
+  const version = data.version as string | undefined;
+
+  if (!artifactName || !version) return null;
+
+  return {
+    artifactName,
+    artifactType: (data.type as string) ?? "generic",
+    version,
+    source: (data.source as string) ?? "generic",
+    downloadUrl: (data.downloadUrl as string) ?? undefined,
+    metadata: (data.metadata as Record<string, unknown>) ?? {},
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Webhook signature verification
+// ---------------------------------------------------------------------------
+
+export interface WebhookVerificationResult {
+  verified: boolean;
+  error?: string;
+}
+
+/**
+ * Verify a webhook signature from GitHub (X-Hub-Signature-256) or
+ * GitLab (X-Gitlab-Token). Returns { verified: true } if the signature
+ * is valid, or { verified: false, error } if not.
+ *
+ * If no secretToken is configured for the channel, verification is skipped
+ * (returns verified: true) to allow backwards-compatible operation.
+ */
+export function verifyWebhookSignature(
+  source: string,
+  secretToken: string | undefined,
+  headers: Record<string, string | string[] | undefined>,
+  rawBody: string,
+): WebhookVerificationResult {
+  // Unauthenticated webhooks allowed when no secret is configured
+  if (!secretToken) {
+    return { verified: true };
+  }
+
+  switch (source) {
+    case "github-actions": {
+      const signature = headers["x-hub-signature-256"] as string | undefined;
+      if (!signature) {
+        return { verified: false, error: "Missing X-Hub-Signature-256 header" };
+      }
+      const expected = "sha256=" + crypto
+        .createHmac("sha256", secretToken)
+        .update(rawBody)
+        .digest("hex");
+      const valid = crypto.timingSafeEqual(
+        Buffer.from(signature),
+        Buffer.from(expected),
+      );
+      return valid
+        ? { verified: true }
+        : { verified: false, error: "Invalid GitHub webhook signature" };
+    }
+
+    case "gitlab-ci": {
+      const token = headers["x-gitlab-token"] as string | undefined;
+      if (!token) {
+        return { verified: false, error: "Missing X-Gitlab-Token header" };
+      }
+      // GitLab uses a shared secret token (not HMAC) — compare in constant time
+      if (token.length !== secretToken.length) {
+        return { verified: false, error: "Invalid GitLab webhook token" };
+      }
+      const valid = crypto.timingSafeEqual(
+        Buffer.from(token),
+        Buffer.from(secretToken),
+      );
+      return valid
+        ? { verified: true }
+        : { verified: false, error: "Invalid GitLab webhook token" };
+    }
+
+    default:
+      // No standard signature mechanism for this source type
+      return { verified: true };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Router — dispatch to the correct parser based on source
+// ---------------------------------------------------------------------------
+
+export function parseWebhook(source: string, body: unknown): WebhookPayload | null {
+  switch (source) {
+    case "github-actions":
+      return parseGitHubActionsWebhook(body);
+    case "azure-devops":
+      return parseAzureDevOpsWebhook(body);
+    case "jenkins":
+      return parseJenkinsWebhook(body);
+    case "gitlab-ci":
+      return parseGitLabCIWebhook(body);
+    case "circleci":
+      return parseCircleCIWebhook(body);
+    default:
+      return parseGenericWebhook(body);
+  }
+}

package/src/logger.ts

@@ -0,0 +1,19 @@
+import { SynthLogger } from "@synth-deploy/core";
+
+let _logger: SynthLogger | null = null;
+
+export function initServerLogger(dataDir: string): void {
+  _logger = new SynthLogger(dataDir, "server");
+}
+
+export function serverLog(label: string, data?: unknown): void {
+  _logger?.log(label, data);
+}
+
+export function serverWarn(label: string, data?: unknown): void {
+  _logger?.warn(label, data);
+}
+
+export function serverError(label: string, data?: unknown): void {
+  _logger?.error(label, data);
+}