@vltpkg/vsr 0.0.0-26 → 0.0.0-27

package/src/index.ts

@@ -1,434 +0,0 @@
-/* eslint-disable @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-unsafe-assignment */
-import { OPEN_API_CONFIG } from '../config.ts'
-import { OpenAPIHono } from '@hono/zod-openapi'
-import { requestId } from 'hono/request-id'
-import { bearerAuth } from 'hono/bearer-auth'
-import { except } from 'hono/combine'
-import { logger } from 'hono/logger'
-import { secureHeaders } from 'hono/secure-headers'
-import { trimTrailingSlash } from 'hono/trailing-slash'
-import { telemetryMiddleware } from './middleware/telemetry.ts'
-import { configMiddleware } from './middleware/config.ts'
-import { getApp } from './utils/spa.ts'
-import { verifyToken } from './utils/auth.ts'
-import { mountDatabase } from './utils/database.ts'
-import { jsonResponseHandler } from './utils/response.ts'
-import { requiresToken } from './utils/routes.ts'
-import {
-  getUsername,
-  getUserProfile,
-  userProfileRoute,
-  whoamiRoute,
-} from './routes/users.ts'
-import { pingRoute, handlePing } from './routes/ping.ts'
-import { getDocs } from './routes/docs.ts'
-import {
-  getToken,
-  putToken,
-  postToken,
-  deleteToken,
-  getTokensRoute,
-  createTokenRoute,
-  updateTokenRoute,
-  deleteTokenRoute,
-} from './routes/tokens.ts'
-import {
-  getPackageDistTags,
-  putPackageDistTag,
-  deletePackageDistTag,
-  handleRootPackageRoute,
-  handlePackagePublish,
-  handlePackageVersion,
-  handlePackageTarball,
-  handleUpstreamPackage,
-  handleUpstreamScopedTarball,
-  handleUpstreamScopedVersion,
-  handleUpstreamEncodedScoped,
-  handleUpstreamUnified,
-  handleUpstreamTarball,
-  // Local package route definitions
-  getPackageRoute,
-  getPackageVersionRoute,
-  getPackageTarballRoute,
-  publishPackageRoute,
-  getPackageDistTagsRoute,
-  putPackageDistTagRoute,
-  deletePackageDistTagRoute,
-  // Upstream package route definitions
-  getUpstreamPackageRoute,
-  getUpstreamScopedPackageVersionRoute,
-  getUpstreamPackageTarballRoute,
-  getUpstreamScopedPackageTarballRoute,
-  getUpstreamEncodedScopedPackageRoute,
-  getUpstreamUnifiedRoute,
-} from './routes/packages.ts'
-import {
-  listPackagesAccess,
-  getPackageAccessStatus,
-  setPackageAccessStatus,
-  grantPackageAccess,
-  revokePackageAccess,
-  // OpenAPI route definitions
-  getPackageAccessRoute,
-  setPackageAccessRoute,
-  getScopedPackageAccessRoute,
-  setScopedPackageAccessRoute,
-  listPackagesAccessRoute,
-  grantPackageAccessRoute,
-  revokePackageAccessRoute,
-  grantScopedPackageAccessRoute,
-  revokeScopedPackageAccessRoute,
-} from './routes/access.ts'
-import {
-  searchPackages,
-  searchPackagesRoute,
-} from './routes/search.ts'
-import {
-  auditRoute,
-  auditQuickRoute,
-  advisoriesBulkRoute,
-  dashboardDataRoute,
-  appDataRoute,
-  handleDashboardData,
-  handleAppData,
-  handleSecurityAudit,
-  // Compatibility redirect routes
-  searchRedirectRoute,
-  userRedirectRoute,
-  tokensRedirectRoute,
-  createTokenRedirectRoute,
-  updateTokenRedirectRoute,
-  deleteTokenRedirectRoute,
-} from './routes/misc.ts'
-
-import { sessionMonitor } from './utils/tracing.ts'
-import type { createDatabaseOperations } from './db/client.ts'
-import {
-  handleStaticAssets,
-  handleFavicon,
-  handleRobots,
-  handleManifest,
-} from './routes/static.ts'
-import type { Environment } from '../types.ts'
-import type { Context } from 'hono'
-
-// Import queue handler from dedicated module
-import { queue } from './queue/index.ts'
-
-// ---------------------------------------------------------
-// App Initialization
-// ("strict mode" is turned off to ensure that routes like
-// `/hello` & `/hello/` are handled the same way - ref.
-// https://hono.dev/docs/api/hono#strict-mode)
-// ---------------------------------------------------------
-
-const app = new OpenAPIHono<{
-  Bindings: Environment
-  Variables: {
-    db: ReturnType<typeof createDatabaseOperations>
-  }
-}>({ strict: false })
-
-// ---------------------------------------------------------
-// Middleware
-// ---------------------------------------------------------
-
-app.use(trimTrailingSlash())
-app.use('*', requestId())
-app.use('*', logger())
-app.use('*', configMiddleware)
-app.use('*', telemetryMiddleware)
-app.use('*', secureHeaders())
-app.use('*', jsonResponseHandler())
-app.use('*', except(['/-/ping', '/-/docs'], mountDatabase as any))
-app.use('*', sessionMonitor)
-
-// ---------------------------------------------------------
-// Home
-// (Single Page Application or API Docs)
-// ---------------------------------------------------------
-
-app.get('/', async c => {
-  // If daemon is disabled and API docs are enabled, redirect to docs
-  // This provides a better user experience when the daemon isn't available
-  if (!c.env.DAEMON_ENABLED && c.env.API_DOCS_ENABLED) {
-    return c.redirect('/-/docs', 302)
-  }
-
-  // If daemon is enabled, show the GUI (projects will be available)
-  if (c.env.DAEMON_ENABLED) {
-    return c.html(await getApp(c.env.ASSETS))
-  }
-
-  // Fallback: show docs if available, otherwise show GUI
-  if (c.env.API_DOCS_ENABLED) {
-    return c.redirect('/-/docs', 302)
-  } else {
-    return c.html(await getApp(c.env.ASSETS))
-  }
-})
-
-// ---------------------------------------------------------
-// Documentation
-// ---------------------------------------------------------
-
-// Mount API documentation routes
-app.doc('/-/api', OPEN_API_CONFIG)
-app.get('/-/docs', getDocs)
-
-// ---------------------------------------------------------
-// Health Check
-// ---------------------------------------------------------
-
-// Pattern: /-/ping
-app.openapi(pingRoute, handlePing as any)
-
-// ---------------------------------------------------------
-// Authorization Verification Middleware
-// ---------------------------------------------------------
-
-// Custom auth middleware that checks if token is required
-app.use('*', async (c, next) => {
-  if (requiresToken(c)) {
-    // Token is required, apply bearer auth
-    return bearerAuth({ verifyToken: verifyToken as any })(c, next)
-  } else {
-    // Token not required, skip auth
-    await next()
-  }
-})
-
-// ---------------------------------------------------------
-// User Routes
-// ---------------------------------------------------------
-
-// Pattern: /-/whoami
-app.openapi(whoamiRoute, getUsername)
-// Pattern: /-/user
-app.openapi(userProfileRoute, getUserProfile)
-
-// ---------------------------------------------------------
-// Daemon Project Routes - only local use
-// ---------------------------------------------------------
-
-// Pattern: /dashboard.json
-app.openapi(dashboardDataRoute, handleDashboardData as any)
-
-// Pattern: /app-data.json
-app.openapi(appDataRoute, handleAppData as any)
-
-// ---------------------------------------------------------
-// Token Routes
-// ---------------------------------------------------------
-
-// Pattern: /-/tokens
-app.openapi(getTokensRoute, getToken as any)
-// Pattern: /-/tokens
-app.openapi(createTokenRoute, postToken as any)
-// Pattern: /-/tokens
-app.openapi(updateTokenRoute, putToken as any)
-// Pattern: /-/tokens/{token}
-app.openapi(deleteTokenRoute, deleteToken as any)
-
-// ---------------------------------------------------------
-// Dist-tag Routes
-// ---------------------------------------------------------
-
-// Pattern: /-/package/{pkg}/dist-tags
-app.openapi(getPackageDistTagsRoute, getPackageDistTags as any)
-// Pattern: /-/package/{pkg}/dist-tags/{tag}
-app.openapi(putPackageDistTagRoute, putPackageDistTag as any)
-// Pattern: /-/package/{pkg}/dist-tags/{tag}
-app.openapi(deletePackageDistTagRoute, deletePackageDistTag as any)
-
-// ---------------------------------------------------------
-// Access Control Routes
-// ---------------------------------------------------------
-
-// Pattern: /-/package/{pkg}/access (unscoped packages)
-app.openapi(getPackageAccessRoute, getPackageAccessStatus as any)
-app.openapi(setPackageAccessRoute, setPackageAccessStatus as any)
-
-// Pattern: /-/package/{scope}%2f{pkg}/access (scoped packages)
-app.openapi(
-  getScopedPackageAccessRoute,
-  getPackageAccessStatus as any,
-)
-app.openapi(
-  setScopedPackageAccessRoute,
-  setPackageAccessStatus as any,
-)
-
-// Pattern: /-/package/list
-app.openapi(listPackagesAccessRoute, listPackagesAccess as any)
-
-// Pattern: /-/package/{pkg}/collaborators/{username} (unscoped packages)
-app.openapi(grantPackageAccessRoute, grantPackageAccess as any)
-app.openapi(revokePackageAccessRoute, revokePackageAccess as any)
-
-// Pattern: /-/package/{scope}%2f{pkg}/collaborators/{username} (scoped packages)
-app.openapi(grantScopedPackageAccessRoute, grantPackageAccess as any)
-app.openapi(
-  revokeScopedPackageAccessRoute,
-  revokePackageAccess as any,
-)
-
-// ---------------------------------------------------------
-// Search Packages
-// ---------------------------------------------------------
-
-// Pattern: /-/search
-app.openapi(searchPackagesRoute, searchPackages as any)
-
-// ---------------------------------------------------------
-// Handle Audit Requests
-// ---------------------------------------------------------
-
-// Pattern: /-/npm/audit (security audit - not implemented)
-app.openapi(auditRoute, handleSecurityAudit as any)
-
-// ---------------------------------------------------------
-// NPM Compatibility Routes (Legacy API Redirects)
-// (maximizes backwards compatibility with npm clients)
-// ---------------------------------------------------------
-
-// Pattern: /-/v1/search → /-/search
-app.openapi(searchRedirectRoute, (c: Context) =>
-  c.redirect('/-/search', 308),
-)
-
-// Pattern: /-/npm/v1/user → /-/user
-app.openapi(userRedirectRoute, (c: Context) =>
-  c.redirect('/-/user', 308),
-)
-
-// Pattern: /-/npm/v1/tokens → /-/tokens (GET)
-app.openapi(tokensRedirectRoute, (c: Context) =>
-  c.redirect('/-/tokens', 308),
-)
-
-// Pattern: /-/npm/v1/tokens → /-/tokens (POST)
-app.openapi(createTokenRedirectRoute, (c: Context) =>
-  c.redirect('/-/tokens', 308),
-)
-
-// Pattern: /-/npm/v1/tokens → /-/tokens (PUT)
-app.openapi(updateTokenRedirectRoute, (c: Context) =>
-  c.redirect('/-/tokens', 308),
-)
-
-// Pattern: /-/npm/v1/tokens/token/{token} → /-/tokens/{token} (DELETE)
-app.openapi(deleteTokenRedirectRoute, (c: Context) => {
-  return c.redirect(`/-/tokens/${c.req.param('token')}`, 308)
-})
-
-// Pattern: /-/npm/v1/security/audits/quick → /-/npm/audit
-app.openapi(auditQuickRoute, (c: Context) => {
-  return c.redirect('/-/npm/audit', 308)
-})
-
-// Pattern: /-/npm/v1/security/advisories/bulk → /-/npm/audit
-app.openapi(advisoriesBulkRoute, (c: Context) => {
-  return c.redirect('/-/npm/audit', 308)
-})
-
-// ---------------------------------------------------------
-// Upstream Utility Routes
-// (Registry utility endpoints for upstream registries)
-// (MUST come before upstream package routes to avoid conflicts)
-// ---------------------------------------------------------
-
-// Pattern: /{upstream}/-/ping (upstream registry ping)
-app.get('/:upstream/-/ping', handlePing)
-
-// Pattern: /{upstream}/-/docs (upstream registry docs)
-app.get('/:upstream/-/docs', getDocs)
-
-// Pattern: /{upstream}/-/whoami (upstream registry whoami)
-app.get('/:upstream/-/whoami', getUsername)
-
-// Pattern: /{upstream}/-/user (upstream registry user profile)
-app.get('/:upstream/-/user', getUserProfile)
-
-// Pattern: /{upstream}/-/tokens (upstream registry token management)
-app.get('/:upstream/-/tokens', getToken)
-app.post('/:upstream/-/tokens', postToken)
-app.put('/:upstream/-/tokens', putToken)
-app.delete('/:upstream/-/tokens/:token', deleteToken)
-
-// Pattern: /{upstream}/-/search (upstream registry search)
-app.get('/:upstream/-/search', searchPackages)
-
-// Pattern: /{upstream}/-/npm/audit (upstream registry audit)
-app.post('/:upstream/-/npm/audit', handleSecurityAudit)
-
-// ---------------------------------------------------------
-// Upstream Package Routes
-// (must come before catch-all package routes)
-// ---------------------------------------------------------
-
-// Pattern: /{upstream}/@{scope}/{pkg}/-/{tarball} (scoped package tarball)
-app.openapi(
-  getUpstreamScopedPackageTarballRoute,
-  handleUpstreamScopedTarball as any,
-)
-// Pattern: /{upstream}/@{scope}/{pkg}/{version} (scoped package version)
-app.openapi(
-  getUpstreamScopedPackageVersionRoute,
-  handleUpstreamScopedVersion as any,
-)
-// Pattern: /{upstream}/{pkg}/-/{tarball} (unscoped package tarball)
-app.openapi(
-  getUpstreamPackageTarballRoute,
-  handleUpstreamTarball as any,
-)
-// Pattern: /{upstream}/@{scope}%2f{pkg} (URL-encoded scoped package)
-app.openapi(
-  getUpstreamEncodedScopedPackageRoute,
-  handleUpstreamEncodedScoped as any,
-)
-// Pattern: /{upstream}/{param2}/{param3} (unified handler for ambiguous 3-segment paths)
-app.openapi(getUpstreamUnifiedRoute, handleUpstreamUnified as any)
-// Pattern: /{upstream}/{pkg} (unscoped package manifest)
-app.openapi(getUpstreamPackageRoute, handleUpstreamPackage as any)
-
-// Pattern: /-/npm/v1/security/advisories/bulk → /-/npm/audit
-app.openapi(advisoriesBulkRoute, async (c: Context) => {
-  return c.redirect('/-/npm/audit', 308)
-})
-
-// ---------------------------------------------------------
-// Local Package Routes
-// (catch-all patterns, must come after upstream routes)
-// ---------------------------------------------------------
-
-// Pattern: /{pkg} (package publishing via PUT)
-app.openapi(publishPackageRoute, handlePackagePublish as any)
-// Pattern: /{pkg}/-/{tarball} (package tarball download)
-app.openapi(getPackageTarballRoute, handlePackageTarball as any)
-// Pattern: /{pkg}/{version} (specific package version)
-app.openapi(getPackageVersionRoute, handlePackageVersion as any)
-// Pattern: /{pkg} (package manifest/packument)
-app.openapi(getPackageRoute, handleRootPackageRoute as any)
-
-// ---------------------------------------------------------
-// Handle Static Assets
-// ---------------------------------------------------------
-
-// Pattern: /public/* (static assets from public directory)
-app.get('/public/*', handleStaticAssets)
-// Pattern: /favicon.ico (browser favicon)
-app.get('/favicon.ico', handleFavicon)
-// Pattern: /robots.txt (web crawler instructions)
-app.get('/robots.txt', handleRobots)
-// Pattern: /manifest.json (PWA web app manifest)
-app.get('/manifest.json', handleManifest)
-// Pattern: /* (catch-all for any other static assets)
-app.get('/*', handleStaticAssets)
-
-export { app }
-
-export default {
-  fetch: app.fetch,
-  queue,
-}

package/src/middleware/config.ts

@@ -1,79 +0,0 @@
-import type { Context } from 'hono'
-import {
-  API_DOCS_ENABLED,
-  DAEMON_ENABLED,
-  DAEMON_PORT,
-  DAEMON_URL,
-  DEBUG_ENABLED,
-  TELEMETRY_ENABLED,
-  SENTRY_CONFIG,
-  PORT,
-  VERSION,
-  URL,
-} from '../../config.ts'
-
-/**
- * Runtime configuration resolver - can be used outside of routes
- * Checks environment variables and falls back to defaults
- */
-export function resolveConfig(env?: any) {
-  const getBooleanFromEnv = (
-    key: string,
-    defaultValue: boolean,
-  ): boolean => {
-    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
-    const value = env?.[key]
-    return typeof value === 'string' ?
-        value.toLowerCase() === 'true'
-      : defaultValue
-  }
-
-  return {
-    // Daemon configuration
-    DAEMON_ENABLED: getBooleanFromEnv('ARG_DAEMON', DAEMON_ENABLED),
-
-    // Telemetry configuration
-    TELEMETRY_ENABLED: getBooleanFromEnv(
-      'ARG_TELEMETRY',
-      TELEMETRY_ENABLED,
-    ),
-
-    // Debug configuration
-    DEBUG_ENABLED: getBooleanFromEnv('ARG_DEBUG', DEBUG_ENABLED),
-
-    // Static config values (pass through)
-    API_DOCS_ENABLED,
-    DAEMON_PORT,
-    DAEMON_URL,
-    SENTRY_CONFIG,
-    PORT,
-    VERSION,
-    URL,
-  }
-}
-
-/**
- * Configuration middleware that enriches the context with computed config values
- * Merges compile-time defaults with runtime environment variables
- */
-export async function configMiddleware(
-  c: Context,
-  next: () => Promise<void>,
-): Promise<void> {
-  // Use the resolver to get computed config
-  const runtimeConfig = resolveConfig(c.env)
-
-  // Initialize global config if not already done
-  const { initializeGlobalConfig } = await import(
-    '../utils/config.ts'
-  )
-  initializeGlobalConfig(c.env)
-
-  // Enrich the context environment with computed values
-  // Ensure c.env exists (it might be undefined in test environments)
-  // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
-  c.env = c.env || {}
-  Object.assign(c.env, runtimeConfig)
-
-  await next()
-}

package/src/middleware/telemetry.ts

@@ -1,43 +0,0 @@
-import { sentry } from '@hono/sentry'
-import type { Context } from 'hono'
-import type { HonoContext } from '../../types.ts'
-
-/**
- * Telemetry middleware that conditionally applies Sentry based on configuration
- * Relies on configMiddleware to have already enriched c.env with TELEMETRY_ENABLED
- */
-export async function telemetryMiddleware(
-  c: HonoContext,
-  next: () => Promise<void>,
-) {
-  // Check if telemetry is enabled via the enriched config
-  if (c.env.TELEMETRY_ENABLED) {
-    // Apply Sentry middleware dynamically
-    const sentryMiddleware = sentry({
-      dsn: c.env.SENTRY?.dsn ?? c.env.SENTRY_CONFIG?.dsn ?? '',
-      environment:
-        c.env.SENTRY?.environment ??
-        c.env.SENTRY_CONFIG?.environment ??
-        'development',
-      sendDefaultPii: c.env.SENTRY_CONFIG?.sendDefaultPii ?? true,
-      sampleRate: c.env.SENTRY_CONFIG?.sampleRate ?? 1.0,
-      tracesSampleRate: c.env.SENTRY_CONFIG?.tracesSampleRate ?? 0.1,
-      beforeSend(event, _hint) {
-        // Filter out expected errors to reduce noise
-        if (
-          event.exception?.values?.[0]?.value?.includes('404') ||
-          event.exception?.values?.[0]?.value?.includes('not found')
-        ) {
-          return null
-        }
-        return event
-      },
-    })
-
-    // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-    return sentryMiddleware(c as Context, next)
-  } else {
-    // Skip Sentry when telemetry is disabled
-    return next()
-  }
-}

package/src/queue/index.ts

@@ -1,97 +0,0 @@
-import type { QueueBatch, Environment } from '../../types.ts'
-import { createDatabaseOperations } from '../db/client.ts'
-import {
-  getUpstreamConfig,
-  buildUpstreamUrl,
-} from '../utils/upstream.ts'
-
-/**
- * Queue handler for background cache refresh jobs
- *
- * Processes queue messages to refresh package and version cache data
- * from upstream registries. This runs in the background to keep
- * cached data fresh without blocking user requests.
- */
-export async function queue(batch: QueueBatch, env: Environment) {
-  if (!env.DB) {
-    throw new Error('Database not available')
-  }
-  const db = createDatabaseOperations(env.DB)
-
-  for (const message of batch.messages) {
-    try {
-      const {
-        type,
-        packageName,
-        spec,
-        upstream,
-        options: _options,
-      } = message.body
-
-      if (type === 'package_refresh' && packageName) {
-        // Handle package refresh - refetch from upstream and cache
-        const upstreamConfig = getUpstreamConfig(upstream)
-        if (upstreamConfig) {
-          const upstreamUrl = buildUpstreamUrl(
-            upstreamConfig,
-            packageName,
-          )
-          const response = await fetch(upstreamUrl, {
-            headers: { Accept: 'application/json' },
-          })
-
-          if (response.ok) {
-            // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
-            const upstreamData = (await response.json()) as Record<
-              string,
-              any
-            >
-
-            // Cache the package metadata
-            if (upstreamData['dist-tags']) {
-              await db.upsertCachedPackage(
-                packageName,
-                upstreamData['dist-tags'] as Record<string, string>,
-                upstream,
-                new Date().toISOString(),
-              )
-            }
-
-            // Cache all versions
-            if (upstreamData.versions) {
-              const versionPromises = Object.entries(
-                upstreamData.versions as Record<string, any>,
-              ).map(async ([version, manifest]) => {
-                try {
-                  await db.upsertCachedVersion(
-                    `${packageName}@${version}`,
-                    manifest as Record<string, any>,
-                    upstream,
-                    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
-                    (manifest.publishedAt as string) ||
-                      new Date().toISOString(),
-                  )
-                } catch (_error) {
-                  // Silently fail individual versions
-                }
-              })
-              await Promise.allSettled(versionPromises)
-            }
-          }
-        }
-      } else if (type === 'version_refresh' && spec) {
-        // Handle version refresh - similar logic for individual versions
-        // (This would be implemented if needed)
-      }
-
-      // Acknowledge successful processing
-      message.ack()
-    } catch (error) {
-      // Retry failed messages
-      // TODO: Replace with proper logging system
-      // eslint-disable-next-line no-console
-      console.error('Queue processing error:', error)
-      message.retry()
-    }
-  }
-}