@treeseed/core 0.4.1 → 0.4.4

package/dist/api/app.js

@@ -0,0 +1,270 @@
+import crypto from "node:crypto";
+import { AgentSdk, TREESEED_REMOTE_CONTRACT_HEADER, TREESEED_REMOTE_CONTRACT_VERSION } from "@treeseed/sdk";
+import { Hono } from "hono";
+import { registerAgentRoutes } from "./agent-routes.js";
+import { resolveApiConfig } from "./config.js";
+import { bearerTokenFromRequest, jsonError, requireAuthentication, requirePermission, requireScope } from "./http.js";
+import { registerOperationRoutes } from "./operations-routes.js";
+import { resolveApiRuntimeProviders } from "./providers.js";
+import { registerSdkRoutes } from "./sdk-routes.js";
+import { loadTemplateCatalog } from "./templates.js";
+function mergeApiOptions(options) {
+  const baseConfig = resolveApiConfig();
+  return {
+    config: {
+      ...baseConfig,
+      ...options.config ?? {},
+      providers: {
+        ...baseConfig.providers,
+        ...options.config?.providers ?? {},
+        agents: {
+          ...baseConfig.providers.agents,
+          ...options.config?.providers?.agents ?? {}
+        }
+      }
+    },
+    surfaces: {
+      auth: true,
+      templates: true,
+      sdk: true,
+      agent: true,
+      operations: true,
+      ...options.surfaces ?? {}
+    },
+    scopes: {
+      authMe: "auth:me",
+      sdk: "sdk",
+      agent: "agent",
+      operations: "operations",
+      ...options.scopes ?? {}
+    }
+  };
+}
+function createTreeseedApiApp(options = {}) {
+  const resolved = mergeApiOptions(options);
+  const runtimeProviders = resolveApiRuntimeProviders(resolved.config, options.runtimeProviders);
+  const sharedSdk = options.sdk ?? new AgentSdk({ repoRoot: resolved.config.repoRoot });
+  const app = new Hono();
+  app.use("*", async (c, next) => {
+    c.set("requestId", crypto.randomUUID());
+    c.set("config", resolved.config);
+    c.set("principal", null);
+    c.set("actingUser", null);
+    c.set("credential", null);
+    c.set("actorType", "anonymous");
+    c.set("permissionGrants", []);
+    c.header(TREESEED_REMOTE_CONTRACT_HEADER, String(TREESEED_REMOTE_CONTRACT_VERSION));
+    await next();
+  });
+  app.use("*", async (c, next) => {
+    const serviceId = c.req.header("x-treeseed-service-id");
+    const serviceSecret = c.req.header("x-treeseed-service-secret");
+    if (serviceId && serviceSecret) {
+      const result = await runtimeProviders.auth.authenticateServiceCredential(serviceId, serviceSecret);
+      if (!result) {
+        return jsonError(c, 401, "Invalid internal service credential.");
+      }
+      c.set("principal", result.principal);
+      c.set("credential", result.credential);
+      c.set("actorType", "service");
+      c.set("permissionGrants", result.principal.permissions);
+    }
+    await next();
+  });
+  app.use("*", async (c, next) => {
+    const token = bearerTokenFromRequest(c.req.raw);
+    if (token) {
+      const result = await runtimeProviders.auth.authenticateBearerToken(token);
+      if (result) {
+        c.set("principal", result.principal);
+        c.set("credential", result.credential);
+        c.set("actorType", result.credential.type === "service_token" ? "service" : "user");
+        c.set("permissionGrants", result.principal.permissions);
+      }
+    }
+    await next();
+  });
+  app.use("*", async (c, next) => {
+    const assertion = c.req.header("x-treeseed-user-assertion");
+    if (c.get("actorType") === "service" && assertion) {
+      const claims = runtimeProviders.auth.verifyTrustedUserAssertion(assertion);
+      if (!claims) {
+        return jsonError(c, 401, "Invalid trusted user assertion.");
+      }
+      const exchange = await runtimeProviders.auth.exchangeTrustedUserAssertion(claims);
+      c.set("actingUser", exchange.principal);
+      c.set("principal", exchange.principal);
+      c.set("actorType", "user");
+      c.set("permissionGrants", exchange.principal.permissions);
+    }
+    await next();
+  });
+  app.get("/healthz", (c) => c.json({
+    ok: true,
+    service: resolved.config.name,
+    status: "ok",
+    requestId: c.get("requestId")
+  }));
+  app.get("/readyz", (c) => c.json({
+    ok: true,
+    ready: true,
+    providers: runtimeProviders.selections,
+    surfaces: resolved.surfaces
+  }));
+  if (resolved.surfaces.templates) {
+    app.get("/templates", (c) => c.json(loadTemplateCatalog(resolved.config)));
+    app.get("/search/templates", (c) => c.json(loadTemplateCatalog(resolved.config)));
+    app.get("/templates/:id", (c) => {
+      const catalog = loadTemplateCatalog(resolved.config);
+      const item = catalog.items.find((entry) => entry.id === c.req.param("id"));
+      return item ? c.json({ ok: true, payload: item }) : jsonError(c, 404, `Unknown template "${c.req.param("id")}".`);
+    });
+  }
+  if (resolved.surfaces.auth) {
+    app.post("/auth/device/start", async (c) => {
+      const body = await c.req.json().catch(() => ({}));
+      return c.json(await runtimeProviders.auth.startDeviceFlow(body));
+    });
+    app.post("/auth/device/poll", async (c) => {
+      const body = await c.req.json().catch(() => ({}));
+      const response = await runtimeProviders.auth.pollDeviceFlow(body);
+      return c.json(response, { status: response.ok ? 200 : response.status === "expired" ? 410 : 400 });
+    });
+    app.post("/auth/device/approve", async (c) => {
+      const body = await c.req.json().catch(() => ({}));
+      try {
+        return c.json(await runtimeProviders.auth.approveDeviceFlow(body));
+      } catch (error) {
+        return jsonError(c, 400, error instanceof Error ? error.message : String(error));
+      }
+    });
+    app.post("/auth/token/refresh", async (c) => {
+      const body = await c.req.json().catch(() => ({}));
+      try {
+        return c.json(await runtimeProviders.auth.refreshAccessToken(body));
+      } catch (error) {
+        return jsonError(c, 401, error instanceof Error ? error.message : String(error));
+      }
+    });
+    app.get("/auth/me", (c) => {
+      const unauthorized = requireScope(c, resolved.scopes.authMe);
+      if (unauthorized) return unauthorized;
+      return c.json({
+        ok: true,
+        payload: c.get("principal")
+      });
+    });
+    app.post("/auth/pat", async (c) => {
+      const unauthorized = requirePermission(c, "api_tokens:create:self");
+      if (unauthorized) return unauthorized;
+      const principal = c.get("principal");
+      const body = await c.req.json().catch(() => ({}));
+      if (!body.name?.trim() || !principal) {
+        return jsonError(c, 400, "Token name is required.");
+      }
+      return c.json({
+        ok: true,
+        payload: await runtimeProviders.auth.createPersonalAccessToken(principal.id, {
+          name: body.name.trim(),
+          scopes: body.scopes,
+          expiresAt: body.expiresAt ?? null
+        })
+      });
+    });
+    app.get("/auth/pat", async (c) => {
+      const unauthorized = requirePermission(c, "api_tokens:read:self");
+      if (unauthorized) return unauthorized;
+      const principal = c.get("principal");
+      if (!principal) return jsonError(c, 401, "Authentication required.");
+      return c.json({
+        ok: true,
+        payload: await runtimeProviders.auth.listPersonalAccessTokens(principal.id)
+      });
+    });
+    app.delete("/auth/pat/:id", async (c) => {
+      const unauthorized = requirePermission(c, "api_tokens:delete:self");
+      if (unauthorized) return unauthorized;
+      const principal = c.get("principal");
+      if (!principal) return jsonError(c, 401, "Authentication required.");
+      await runtimeProviders.auth.revokePersonalAccessToken(principal.id, c.req.param("id"));
+      return c.json({ ok: true });
+    });
+  }
+  app.post("/internal/auth/web/sync-user", async (c) => {
+    if (c.get("actorType") !== "service") {
+      return jsonError(c, 401, "Trusted service authentication required.");
+    }
+    const unauthorized = requirePermission(c, "services:impersonate:global");
+    if (unauthorized) return unauthorized;
+    const body = await c.req.json().catch(() => ({}));
+    return c.json({
+      ok: true,
+      payload: await runtimeProviders.auth.syncUserIdentity(body)
+    });
+  });
+  app.post("/internal/auth/web/exchange", async (c) => {
+    if (c.get("actorType") !== "service") {
+      return jsonError(c, 401, "Trusted service authentication required.");
+    }
+    const unauthorized = requirePermission(c, "services:impersonate:global");
+    if (unauthorized) return unauthorized;
+    const body = await c.req.json().catch(() => ({}));
+    return c.json(await runtimeProviders.auth.exchangeTrustedUserAssertion(body));
+  });
+  app.post("/internal/auth/service/token", async (c) => {
+    const unauthorized = requirePermission(c, "services:manage:global");
+    if (unauthorized) return unauthorized;
+    const body = await c.req.json().catch(() => ({}));
+    if (!body.serviceId?.trim() || !body.name?.trim()) {
+      return jsonError(c, 400, "serviceId and name are required.");
+    }
+    return c.json({
+      ok: true,
+      payload: await runtimeProviders.auth.createServiceToken({
+        serviceId: body.serviceId.trim(),
+        name: body.name.trim(),
+        roles: body.roles,
+        permissions: body.permissions
+      })
+    });
+  });
+  app.post("/internal/auth/service/rotate", async (c) => {
+    const unauthorized = requirePermission(c, "services:manage:global");
+    if (unauthorized) return unauthorized;
+    const body = await c.req.json().catch(() => ({}));
+    if (!body.serviceId?.trim()) {
+      return jsonError(c, 400, "serviceId is required.");
+    }
+    return c.json({
+      ok: true,
+      payload: await runtimeProviders.auth.rotateServiceToken(body.serviceId.trim())
+    });
+  });
+  if (resolved.surfaces.sdk) {
+    registerSdkRoutes(app, {
+      config: resolved.config,
+      sharedSdk,
+      scope: resolved.scopes.sdk
+    });
+  }
+  if (resolved.surfaces.agent) {
+    registerAgentRoutes(app, {
+      sdk: sharedSdk,
+      prefix: "/agent",
+      scope: resolved.scopes.agent,
+      projectId: "treeseed-market",
+      defaultActor: "api"
+    });
+  }
+  if (resolved.surfaces.operations) {
+    registerOperationRoutes(app, {
+      scope: resolved.scopes.operations,
+      executeOperation: options.workflowExecutor
+    });
+  }
+  app.notFound((c) => jsonError(c, 404, "Not found."));
+  return app;
+}
+export {
+  createTreeseedApiApp
+};

package/dist/api/auth/d1-database.d.ts

@@ -0,0 +1,3 @@
+import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
+import type { ApiConfig } from '../types.ts';
+export declare function resolveApiD1Database(config: ApiConfig): D1DatabaseLike;

package/dist/api/auth/d1-database.js

@@ -0,0 +1,24 @@
+import { CloudflareHttpD1Database } from "@treeseed/sdk";
+import { WranglerD1Database } from "@treeseed/sdk/wrangler-d1";
+function resolveApiD1Database(config) {
+  if (config.cloudflareAccountId && config.cloudflareApiToken && config.d1DatabaseId) {
+    return new CloudflareHttpD1Database({
+      accountId: config.cloudflareAccountId,
+      apiToken: config.cloudflareApiToken,
+      databaseId: config.d1DatabaseId
+    });
+  }
+  if (config.d1DatabaseName) {
+    return new WranglerD1Database(
+      config.d1DatabaseName,
+      config.repoRoot,
+      config.d1LocalPersistTo || void 0
+    );
+  }
+  throw new Error(
+    "Treeseed API auth requires either CLOUDFLARE_ACCOUNT_ID + CLOUDFLARE_API_TOKEN + TREESEED_API_D1_DATABASE_ID for remote D1 access, or TREESEED_API_D1_DATABASE_NAME for local Wrangler-backed D1 access."
+  );
+}
+export {
+  resolveApiD1Database
+};

package/dist/api/auth/d1-provider.d.ts

@@ -0,0 +1,67 @@
+import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
+import type { ApiAuthProvider, ApiConfig, ApiCredential, ApiPrincipal, DeviceCodeApproveRequest, DeviceCodePollRequest, DeviceCodePollResponse, DeviceCodeStartRequest, DeviceCodeStartResponse, TokenRefreshRequest, TokenRefreshResponse, TrustedUserAssertionClaims, UserIdentityProfileInput } from '../types.ts';
+export declare class D1AuthProvider implements ApiAuthProvider {
+    private readonly config;
+    readonly id = "d1";
+    private readonly store;
+    constructor(config: ApiConfig, options?: {
+        db?: D1DatabaseLike;
+    });
+    startDeviceFlow(request: DeviceCodeStartRequest): Promise<DeviceCodeStartResponse>;
+    pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
+    refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
+    approveDeviceFlow(request: DeviceCodeApproveRequest): Promise<{
+        ok: true;
+    }>;
+    authenticateBearerToken(token: string): Promise<{
+        principal: ApiPrincipal;
+        credential: ApiCredential;
+    } | null>;
+    authenticateServiceCredential(serviceId: string, secret: string): Promise<{
+        principal: ApiPrincipal;
+        credential: ApiCredential;
+    } | null>;
+    createPersonalAccessToken(userId: string, input: {
+        name: string;
+        scopes?: string[];
+        expiresAt?: string | null;
+    }): Promise<{
+        id: `${string}-${string}-${string}-${string}-${string}`;
+        token: string;
+        prefix: string;
+        name: string;
+        expiresAt: string;
+    }>;
+    listPersonalAccessTokens(userId: string): Promise<{
+        id: string;
+        name: string;
+        token_prefix: string;
+        expires_at: string | null;
+        last_used_at: string | null;
+        revoked_at: string | null;
+        created_at: string;
+    }[]>;
+    revokePersonalAccessToken(userId: string, tokenId: string): Promise<void>;
+    syncUserIdentity(identity: UserIdentityProfileInput): Promise<{
+        identityId: string;
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
+    createServiceToken(input: {
+        serviceId: string;
+        name: string;
+        roles?: string[];
+        permissions?: string[];
+    }): Promise<import("./d1-store.ts").ServiceCredentialResult>;
+    rotateServiceToken(serviceId: string): Promise<import("./d1-store.ts").ServiceCredentialResult>;
+    createTrustedUserAssertion(claims: TrustedUserAssertionClaims): string;
+    verifyTrustedUserAssertion(assertion: string): TrustedUserAssertionClaims;
+    exchangeTrustedUserAssertion(claims: TrustedUserAssertionClaims): Promise<{
+        ok: true;
+        accessToken: string;
+        tokenType: "Bearer";
+        expiresAt: string;
+        expiresInSeconds: number;
+        principal: ApiPrincipal;
+    }>;
+}

package/dist/api/auth/d1-provider.js

@@ -0,0 +1,84 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+import { resolveApiD1Database } from "./d1-database.js";
+import { D1AuthStore } from "./d1-store.js";
+function encodePayload(payload) {
+  return Buffer.from(JSON.stringify(payload)).toString("base64url");
+}
+function decodePayload(value) {
+  return JSON.parse(Buffer.from(value, "base64url").toString("utf8"));
+}
+function signPayload(payload, secret) {
+  return createHmac("sha256", secret).update(payload).digest("base64url");
+}
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+class D1AuthProvider {
+  constructor(config, options = {}) {
+    this.config = config;
+    this.store = new D1AuthStore(config, options.db ?? resolveApiD1Database(config));
+  }
+  config;
+  id = "d1";
+  store;
+  startDeviceFlow(request) {
+    return this.store.startDeviceFlow(request);
+  }
+  pollDeviceFlow(request) {
+    return this.store.pollDeviceFlow(request);
+  }
+  refreshAccessToken(request) {
+    return this.store.refreshAccessToken(request);
+  }
+  approveDeviceFlow(request) {
+    return this.store.approveDeviceFlow(request);
+  }
+  authenticateBearerToken(token) {
+    return this.store.authenticateBearerToken(token);
+  }
+  authenticateServiceCredential(serviceId, secret) {
+    return this.store.authenticateService(serviceId, secret);
+  }
+  createPersonalAccessToken(userId, input) {
+    return this.store.createPersonalAccessToken(userId, input);
+  }
+  listPersonalAccessTokens(userId) {
+    return this.store.listPersonalAccessTokens(userId);
+  }
+  revokePersonalAccessToken(userId, tokenId) {
+    return this.store.revokePersonalAccessToken(userId, tokenId);
+  }
+  syncUserIdentity(identity) {
+    return this.store.syncUser(identity);
+  }
+  createServiceToken(input) {
+    return this.store.createServiceCredential(input);
+  }
+  rotateServiceToken(serviceId) {
+    return this.store.rotateServiceCredential(serviceId);
+  }
+  createTrustedUserAssertion(claims) {
+    const payload = encodePayload(claims);
+    const signature = signPayload(payload, this.config.webAssertionSecret);
+    return `${payload}.${signature}`;
+  }
+  verifyTrustedUserAssertion(assertion) {
+    const [payload, signature] = assertion.split(".");
+    if (!payload || !signature) return null;
+    const expectedSignature = signPayload(payload, this.config.webAssertionSecret);
+    if (!safeEqual(signature, expectedSignature)) return null;
+    const claims = decodePayload(payload);
+    if (!claims.expiresAt || new Date(claims.expiresAt).getTime() <= Date.now()) {
+      return null;
+    }
+    return claims;
+  }
+  exchangeTrustedUserAssertion(claims) {
+    return this.store.exchangeTrustedUserAssertion(claims);
+  }
+}
+export {
+  D1AuthProvider
+};

package/dist/api/auth/d1-store.d.ts

@@ -0,0 +1,97 @@
+import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
+import type { ApiConfig, ApiCredential, ApiPrincipal, DeviceCodeApproveRequest, DeviceCodePollRequest, DeviceCodePollResponse, DeviceCodeStartRequest, DeviceCodeStartResponse, TokenRefreshRequest, TokenRefreshResponse, TrustedUserAssertionClaims, UserIdentityProfileInput } from '../types.ts';
+export interface PersonalAccessTokenResult {
+    id: string;
+    token: string;
+    prefix: string;
+    name: string;
+    expiresAt: string | null;
+}
+export interface ServiceCredentialResult {
+    id: string;
+    serviceId: string;
+    secret: string;
+}
+export declare class D1AuthStore {
+    private readonly config;
+    private readonly db;
+    private initializationPromise;
+    constructor(config: ApiConfig, db: D1DatabaseLike);
+    private run;
+    private first;
+    private all;
+    private ensureInitialized;
+    private seedCatalog;
+    private seedConfiguredServices;
+    private loadUser;
+    private loadIdentityByProvider;
+    private rolesForUser;
+    private permissionsForUser;
+    private scopesForPrincipal;
+    private principalForUser;
+    private assignRole;
+    private bootstrapRolesForUser;
+    private writeAuditEvent;
+    syncUser(identity: UserIdentityProfileInput): Promise<{
+        identityId: string;
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
+    startDeviceFlow(request: DeviceCodeStartRequest): Promise<DeviceCodeStartResponse>;
+    approveDeviceFlow(request: DeviceCodeApproveRequest): Promise<{
+        ok: true;
+    }>;
+    pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
+    refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
+    createPersonalAccessToken(userId: string, input: {
+        name: string;
+        scopes?: string[];
+        expiresAt?: string | null;
+    }): Promise<{
+        id: `${string}-${string}-${string}-${string}-${string}`;
+        token: string;
+        prefix: string;
+        name: string;
+        expiresAt: string;
+    }>;
+    listPersonalAccessTokens(userId: string): Promise<{
+        id: string;
+        name: string;
+        token_prefix: string;
+        expires_at: string | null;
+        last_used_at: string | null;
+        revoked_at: string | null;
+        created_at: string;
+    }[]>;
+    revokePersonalAccessToken(userId: string, tokenId: string): Promise<void>;
+    upsertServiceCredential(input: {
+        serviceId: string;
+        name: string;
+        secret: string;
+        roles?: string[];
+        permissions?: string[];
+    }): Promise<string>;
+    createServiceCredential(input: {
+        serviceId: string;
+        name: string;
+        roles?: string[];
+        permissions?: string[];
+    }): Promise<ServiceCredentialResult>;
+    rotateServiceCredential(serviceId: string): Promise<ServiceCredentialResult>;
+    authenticateBearerToken(token: string): Promise<{
+        principal: ApiPrincipal;
+        credential: ApiCredential;
+    } | null>;
+    authenticateService(serviceId: string, secret: string): Promise<{
+        principal: ApiPrincipal;
+        credential: ApiCredential;
+    } | null>;
+    exchangeTrustedUserAssertion(claims: TrustedUserAssertionClaims): Promise<{
+        ok: true;
+        accessToken: string;
+        tokenType: "Bearer";
+        expiresAt: string;
+        expiresInSeconds: number;
+        principal: ApiPrincipal;
+    }>;
+}