@vltpkg/vsr 0.0.0-27 → 0.0.0-29

package/src/index.ts

@@ -0,0 +1,434 @@
+/* eslint-disable @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-unsafe-assignment */
+import { OPEN_API_CONFIG } from '../config.ts'
+import { OpenAPIHono } from '@hono/zod-openapi'
+import { requestId } from 'hono/request-id'
+import { bearerAuth } from 'hono/bearer-auth'
+import { except } from 'hono/combine'
+import { logger } from 'hono/logger'
+import { secureHeaders } from 'hono/secure-headers'
+import { trimTrailingSlash } from 'hono/trailing-slash'
+import { telemetryMiddleware } from './middleware/telemetry.ts'
+import { configMiddleware } from './middleware/config.ts'
+import { getApp } from './utils/spa.ts'
+import { verifyToken } from './utils/auth.ts'
+import { mountDatabase } from './utils/database.ts'
+import { jsonResponseHandler } from './utils/response.ts'
+import { requiresToken } from './utils/routes.ts'
+import {
+  getUsername,
+  getUserProfile,
+  userProfileRoute,
+  whoamiRoute,
+} from './routes/users.ts'
+import { pingRoute, handlePing } from './routes/ping.ts'
+import { getDocs } from './routes/docs.ts'
+import {
+  getToken,
+  putToken,
+  postToken,
+  deleteToken,
+  getTokensRoute,
+  createTokenRoute,
+  updateTokenRoute,
+  deleteTokenRoute,
+} from './routes/tokens.ts'
+import {
+  getPackageDistTags,
+  putPackageDistTag,
+  deletePackageDistTag,
+  handleRootPackageRoute,
+  handlePackagePublish,
+  handlePackageVersion,
+  handlePackageTarball,
+  handleUpstreamPackage,
+  handleUpstreamScopedTarball,
+  handleUpstreamScopedVersion,
+  handleUpstreamEncodedScoped,
+  handleUpstreamUnified,
+  handleUpstreamTarball,
+  // Local package route definitions
+  getPackageRoute,
+  getPackageVersionRoute,
+  getPackageTarballRoute,
+  publishPackageRoute,
+  getPackageDistTagsRoute,
+  putPackageDistTagRoute,
+  deletePackageDistTagRoute,
+  // Upstream package route definitions
+  getUpstreamPackageRoute,
+  getUpstreamScopedPackageVersionRoute,
+  getUpstreamPackageTarballRoute,
+  getUpstreamScopedPackageTarballRoute,
+  getUpstreamEncodedScopedPackageRoute,
+  getUpstreamUnifiedRoute,
+} from './routes/packages.ts'
+import {
+  listPackagesAccess,
+  getPackageAccessStatus,
+  setPackageAccessStatus,
+  grantPackageAccess,
+  revokePackageAccess,
+  // OpenAPI route definitions
+  getPackageAccessRoute,
+  setPackageAccessRoute,
+  getScopedPackageAccessRoute,
+  setScopedPackageAccessRoute,
+  listPackagesAccessRoute,
+  grantPackageAccessRoute,
+  revokePackageAccessRoute,
+  grantScopedPackageAccessRoute,
+  revokeScopedPackageAccessRoute,
+} from './routes/access.ts'
+import {
+  searchPackages,
+  searchPackagesRoute,
+} from './routes/search.ts'
+import {
+  auditRoute,
+  auditQuickRoute,
+  advisoriesBulkRoute,
+  dashboardDataRoute,
+  appDataRoute,
+  handleDashboardData,
+  handleAppData,
+  handleSecurityAudit,
+  // Compatibility redirect routes
+  searchRedirectRoute,
+  userRedirectRoute,
+  tokensRedirectRoute,
+  createTokenRedirectRoute,
+  updateTokenRedirectRoute,
+  deleteTokenRedirectRoute,
+} from './routes/misc.ts'
+
+import { sessionMonitor } from './utils/tracing.ts'
+import type { createDatabaseOperations } from './db/client.ts'
+import {
+  handleStaticAssets,
+  handleFavicon,
+  handleRobots,
+  handleManifest,
+} from './routes/static.ts'
+import type { Environment } from '../types.ts'
+import type { Context } from 'hono'
+
+// Import queue handler from dedicated module
+import { queue } from './queue/index.ts'
+
+// ---------------------------------------------------------
+// App Initialization
+// ("strict mode" is turned off to ensure that routes like
+// `/hello` & `/hello/` are handled the same way - ref.
+// https://hono.dev/docs/api/hono#strict-mode)
+// ---------------------------------------------------------
+
+const app = new OpenAPIHono<{
+  Bindings: Environment
+  Variables: {
+    db: ReturnType<typeof createDatabaseOperations>
+  }
+}>({ strict: false })
+
+// ---------------------------------------------------------
+// Middleware
+// ---------------------------------------------------------
+
+app.use(trimTrailingSlash())
+app.use('*', requestId())
+app.use('*', logger())
+app.use('*', configMiddleware)
+app.use('*', telemetryMiddleware)
+app.use('*', secureHeaders())
+app.use('*', jsonResponseHandler())
+app.use('*', except(['/-/ping', '/-/docs'], mountDatabase as any))
+app.use('*', sessionMonitor)
+
+// ---------------------------------------------------------
+// Home
+// (Single Page Application or API Docs)
+// ---------------------------------------------------------
+
+app.get('/', async c => {
+  // If daemon is disabled and API docs are enabled, redirect to docs
+  // This provides a better user experience when the daemon isn't available
+  if (!c.env.DAEMON_ENABLED && c.env.API_DOCS_ENABLED) {
+    return c.redirect('/-/docs', 302)
+  }
+
+  // If daemon is enabled, show the GUI (projects will be available)
+  if (c.env.DAEMON_ENABLED) {
+    return c.html(await getApp(c.env.ASSETS))
+  }
+
+  // Fallback: show docs if available, otherwise show GUI
+  if (c.env.API_DOCS_ENABLED) {
+    return c.redirect('/-/docs', 302)
+  } else {
+    return c.html(await getApp(c.env.ASSETS))
+  }
+})
+
+// ---------------------------------------------------------
+// Documentation
+// ---------------------------------------------------------
+
+// Mount API documentation routes
+app.doc('/-/api', OPEN_API_CONFIG)
+app.get('/-/docs', getDocs)
+
+// ---------------------------------------------------------
+// Health Check
+// ---------------------------------------------------------
+
+// Pattern: /-/ping
+app.openapi(pingRoute, handlePing as any)
+
+// ---------------------------------------------------------
+// Authorization Verification Middleware
+// ---------------------------------------------------------
+
+// Custom auth middleware that checks if token is required
+app.use('*', async (c, next) => {
+  if (requiresToken(c)) {
+    // Token is required, apply bearer auth
+    return bearerAuth({ verifyToken: verifyToken as any })(c, next)
+  } else {
+    // Token not required, skip auth
+    await next()
+  }
+})
+
+// ---------------------------------------------------------
+// User Routes
+// ---------------------------------------------------------
+
+// Pattern: /-/whoami
+app.openapi(whoamiRoute, getUsername)
+// Pattern: /-/user
+app.openapi(userProfileRoute, getUserProfile)
+
+// ---------------------------------------------------------
+// Daemon Project Routes - only local use
+// ---------------------------------------------------------
+
+// Pattern: /dashboard.json
+app.openapi(dashboardDataRoute, handleDashboardData as any)
+
+// Pattern: /app-data.json
+app.openapi(appDataRoute, handleAppData as any)
+
+// ---------------------------------------------------------
+// Token Routes
+// ---------------------------------------------------------
+
+// Pattern: /-/tokens
+app.openapi(getTokensRoute, getToken as any)
+// Pattern: /-/tokens
+app.openapi(createTokenRoute, postToken as any)
+// Pattern: /-/tokens
+app.openapi(updateTokenRoute, putToken as any)
+// Pattern: /-/tokens/{token}
+app.openapi(deleteTokenRoute, deleteToken as any)
+
+// ---------------------------------------------------------
+// Dist-tag Routes
+// ---------------------------------------------------------
+
+// Pattern: /-/package/{pkg}/dist-tags
+app.openapi(getPackageDistTagsRoute, getPackageDistTags as any)
+// Pattern: /-/package/{pkg}/dist-tags/{tag}
+app.openapi(putPackageDistTagRoute, putPackageDistTag as any)
+// Pattern: /-/package/{pkg}/dist-tags/{tag}
+app.openapi(deletePackageDistTagRoute, deletePackageDistTag as any)
+
+// ---------------------------------------------------------
+// Access Control Routes
+// ---------------------------------------------------------
+
+// Pattern: /-/package/{pkg}/access (unscoped packages)
+app.openapi(getPackageAccessRoute, getPackageAccessStatus as any)
+app.openapi(setPackageAccessRoute, setPackageAccessStatus as any)
+
+// Pattern: /-/package/{scope}%2f{pkg}/access (scoped packages)
+app.openapi(
+  getScopedPackageAccessRoute,
+  getPackageAccessStatus as any,
+)
+app.openapi(
+  setScopedPackageAccessRoute,
+  setPackageAccessStatus as any,
+)
+
+// Pattern: /-/package/list
+app.openapi(listPackagesAccessRoute, listPackagesAccess as any)
+
+// Pattern: /-/package/{pkg}/collaborators/{username} (unscoped packages)
+app.openapi(grantPackageAccessRoute, grantPackageAccess as any)
+app.openapi(revokePackageAccessRoute, revokePackageAccess as any)
+
+// Pattern: /-/package/{scope}%2f{pkg}/collaborators/{username} (scoped packages)
+app.openapi(grantScopedPackageAccessRoute, grantPackageAccess as any)
+app.openapi(
+  revokeScopedPackageAccessRoute,
+  revokePackageAccess as any,
+)
+
+// ---------------------------------------------------------
+// Search Packages
+// ---------------------------------------------------------
+
+// Pattern: /-/search
+app.openapi(searchPackagesRoute, searchPackages as any)
+
+// ---------------------------------------------------------
+// Handle Audit Requests
+// ---------------------------------------------------------
+
+// Pattern: /-/npm/audit (security audit - not implemented)
+app.openapi(auditRoute, handleSecurityAudit as any)
+
+// ---------------------------------------------------------
+// NPM Compatibility Routes (Legacy API Redirects)
+// (maximizes backwards compatibility with npm clients)
+// ---------------------------------------------------------
+
+// Pattern: /-/v1/search → /-/search
+app.openapi(searchRedirectRoute, (c: Context) =>
+  c.redirect('/-/search', 308),
+)
+
+// Pattern: /-/npm/v1/user → /-/user
+app.openapi(userRedirectRoute, (c: Context) =>
+  c.redirect('/-/user', 308),
+)
+
+// Pattern: /-/npm/v1/tokens → /-/tokens (GET)
+app.openapi(tokensRedirectRoute, (c: Context) =>
+  c.redirect('/-/tokens', 308),
+)
+
+// Pattern: /-/npm/v1/tokens → /-/tokens (POST)
+app.openapi(createTokenRedirectRoute, (c: Context) =>
+  c.redirect('/-/tokens', 308),
+)
+
+// Pattern: /-/npm/v1/tokens → /-/tokens (PUT)
+app.openapi(updateTokenRedirectRoute, (c: Context) =>
+  c.redirect('/-/tokens', 308),
+)
+
+// Pattern: /-/npm/v1/tokens/token/{token} → /-/tokens/{token} (DELETE)
+app.openapi(deleteTokenRedirectRoute, (c: Context) => {
+  return c.redirect(`/-/tokens/${c.req.param('token')}`, 308)
+})
+
+// Pattern: /-/npm/v1/security/audits/quick → /-/npm/audit
+app.openapi(auditQuickRoute, (c: Context) => {
+  return c.redirect('/-/npm/audit', 308)
+})
+
+// Pattern: /-/npm/v1/security/advisories/bulk → /-/npm/audit
+app.openapi(advisoriesBulkRoute, (c: Context) => {
+  return c.redirect('/-/npm/audit', 308)
+})
+
+// ---------------------------------------------------------
+// Upstream Utility Routes
+// (Registry utility endpoints for upstream registries)
+// (MUST come before upstream package routes to avoid conflicts)
+// ---------------------------------------------------------
+
+// Pattern: /{upstream}/-/ping (upstream registry ping)
+app.get('/:upstream/-/ping', handlePing)
+
+// Pattern: /{upstream}/-/docs (upstream registry docs)
+app.get('/:upstream/-/docs', getDocs)
+
+// Pattern: /{upstream}/-/whoami (upstream registry whoami)
+app.get('/:upstream/-/whoami', getUsername)
+
+// Pattern: /{upstream}/-/user (upstream registry user profile)
+app.get('/:upstream/-/user', getUserProfile)
+
+// Pattern: /{upstream}/-/tokens (upstream registry token management)
+app.get('/:upstream/-/tokens', getToken)
+app.post('/:upstream/-/tokens', postToken)
+app.put('/:upstream/-/tokens', putToken)
+app.delete('/:upstream/-/tokens/:token', deleteToken)
+
+// Pattern: /{upstream}/-/search (upstream registry search)
+app.get('/:upstream/-/search', searchPackages)
+
+// Pattern: /{upstream}/-/npm/audit (upstream registry audit)
+app.post('/:upstream/-/npm/audit', handleSecurityAudit)
+
+// ---------------------------------------------------------
+// Upstream Package Routes
+// (must come before catch-all package routes)
+// ---------------------------------------------------------
+
+// Pattern: /{upstream}/@{scope}/{pkg}/-/{tarball} (scoped package tarball)
+app.openapi(
+  getUpstreamScopedPackageTarballRoute,
+  handleUpstreamScopedTarball as any,
+)
+// Pattern: /{upstream}/@{scope}/{pkg}/{version} (scoped package version)
+app.openapi(
+  getUpstreamScopedPackageVersionRoute,
+  handleUpstreamScopedVersion as any,
+)
+// Pattern: /{upstream}/{pkg}/-/{tarball} (unscoped package tarball)
+app.openapi(
+  getUpstreamPackageTarballRoute,
+  handleUpstreamTarball as any,
+)
+// Pattern: /{upstream}/@{scope}%2f{pkg} (URL-encoded scoped package)
+app.openapi(
+  getUpstreamEncodedScopedPackageRoute,
+  handleUpstreamEncodedScoped as any,
+)
+// Pattern: /{upstream}/{param2}/{param3} (unified handler for ambiguous 3-segment paths)
+app.openapi(getUpstreamUnifiedRoute, handleUpstreamUnified as any)
+// Pattern: /{upstream}/{pkg} (unscoped package manifest)
+app.openapi(getUpstreamPackageRoute, handleUpstreamPackage as any)
+
+// Pattern: /-/npm/v1/security/advisories/bulk → /-/npm/audit
+app.openapi(advisoriesBulkRoute, async (c: Context) => {
+  return c.redirect('/-/npm/audit', 308)
+})
+
+// ---------------------------------------------------------
+// Local Package Routes
+// (catch-all patterns, must come after upstream routes)
+// ---------------------------------------------------------
+
+// Pattern: /{pkg} (package publishing via PUT)
+app.openapi(publishPackageRoute, handlePackagePublish as any)
+// Pattern: /{pkg}/-/{tarball} (package tarball download)
+app.openapi(getPackageTarballRoute, handlePackageTarball as any)
+// Pattern: /{pkg}/{version} (specific package version)
+app.openapi(getPackageVersionRoute, handlePackageVersion as any)
+// Pattern: /{pkg} (package manifest/packument)
+app.openapi(getPackageRoute, handleRootPackageRoute as any)
+
+// ---------------------------------------------------------
+// Handle Static Assets
+// ---------------------------------------------------------
+
+// Pattern: /public/* (static assets from public directory)
+app.get('/public/*', handleStaticAssets)
+// Pattern: /favicon.ico (browser favicon)
+app.get('/favicon.ico', handleFavicon)
+// Pattern: /robots.txt (web crawler instructions)
+app.get('/robots.txt', handleRobots)
+// Pattern: /manifest.json (PWA web app manifest)
+app.get('/manifest.json', handleManifest)
+// Pattern: /* (catch-all for any other static assets)
+app.get('/*', handleStaticAssets)
+
+export { app }
+
+export default {
+  fetch: app.fetch,
+  queue,
+}

package/src/middleware/config.ts

@@ -0,0 +1,79 @@
+import type { Context } from 'hono'
+import {
+  API_DOCS_ENABLED,
+  DAEMON_ENABLED,
+  DAEMON_PORT,
+  DAEMON_URL,
+  DEBUG_ENABLED,
+  TELEMETRY_ENABLED,
+  SENTRY_CONFIG,
+  PORT,
+  VERSION,
+  URL,
+} from '../../config.ts'
+
+/**
+ * Runtime configuration resolver - can be used outside of routes
+ * Checks environment variables and falls back to defaults
+ */
+export function resolveConfig(env?: any) {
+  const getBooleanFromEnv = (
+    key: string,
+    defaultValue: boolean,
+  ): boolean => {
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
+    const value = env?.[key]
+    return typeof value === 'string' ?
+        value.toLowerCase() === 'true'
+      : defaultValue
+  }
+
+  return {
+    // Daemon configuration
+    DAEMON_ENABLED: getBooleanFromEnv('ARG_DAEMON', DAEMON_ENABLED),
+
+    // Telemetry configuration
+    TELEMETRY_ENABLED: getBooleanFromEnv(
+      'ARG_TELEMETRY',
+      TELEMETRY_ENABLED,
+    ),
+
+    // Debug configuration
+    DEBUG_ENABLED: getBooleanFromEnv('ARG_DEBUG', DEBUG_ENABLED),
+
+    // Static config values (pass through)
+    API_DOCS_ENABLED,
+    DAEMON_PORT,
+    DAEMON_URL,
+    SENTRY_CONFIG,
+    PORT,
+    VERSION,
+    URL,
+  }
+}
+
+/**
+ * Configuration middleware that enriches the context with computed config values
+ * Merges compile-time defaults with runtime environment variables
+ */
+export async function configMiddleware(
+  c: Context,
+  next: () => Promise<void>,
+): Promise<void> {
+  // Use the resolver to get computed config
+  const runtimeConfig = resolveConfig(c.env)
+
+  // Initialize global config if not already done
+  const { initializeGlobalConfig } = await import(
+    '../utils/config.ts'
+  )
+  initializeGlobalConfig(c.env)
+
+  // Enrich the context environment with computed values
+  // Ensure c.env exists (it might be undefined in test environments)
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+  c.env = c.env || {}
+  Object.assign(c.env, runtimeConfig)
+
+  await next()
+}

package/src/middleware/telemetry.ts

@@ -0,0 +1,43 @@
+import { sentry } from '@hono/sentry'
+import type { Context } from 'hono'
+import type { HonoContext } from '../../types.ts'
+
+/**
+ * Telemetry middleware that conditionally applies Sentry based on configuration
+ * Relies on configMiddleware to have already enriched c.env with TELEMETRY_ENABLED
+ */
+export async function telemetryMiddleware(
+  c: HonoContext,
+  next: () => Promise<void>,
+) {
+  // Check if telemetry is enabled via the enriched config
+  if (c.env.TELEMETRY_ENABLED) {
+    // Apply Sentry middleware dynamically
+    const sentryMiddleware = sentry({
+      dsn: c.env.SENTRY?.dsn ?? c.env.SENTRY_CONFIG?.dsn ?? '',
+      environment:
+        c.env.SENTRY?.environment ??
+        c.env.SENTRY_CONFIG?.environment ??
+        'development',
+      sendDefaultPii: c.env.SENTRY_CONFIG?.sendDefaultPii ?? true,
+      sampleRate: c.env.SENTRY_CONFIG?.sampleRate ?? 1.0,
+      tracesSampleRate: c.env.SENTRY_CONFIG?.tracesSampleRate ?? 0.1,
+      beforeSend(event, _hint) {
+        // Filter out expected errors to reduce noise
+        if (
+          event.exception?.values?.[0]?.value?.includes('404') ||
+          event.exception?.values?.[0]?.value?.includes('not found')
+        ) {
+          return null
+        }
+        return event
+      },
+    })
+
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+    return sentryMiddleware(c as Context, next)
+  } else {
+    // Skip Sentry when telemetry is disabled
+    return next()
+  }
+}

package/src/queue/index.ts

@@ -0,0 +1,97 @@
+import type { QueueBatch, Environment } from '../../types.ts'
+import { createDatabaseOperations } from '../db/client.ts'
+import {
+  getUpstreamConfig,
+  buildUpstreamUrl,
+} from '../utils/upstream.ts'
+
+/**
+ * Queue handler for background cache refresh jobs
+ *
+ * Processes queue messages to refresh package and version cache data
+ * from upstream registries. This runs in the background to keep
+ * cached data fresh without blocking user requests.
+ */
+export async function queue(batch: QueueBatch, env: Environment) {
+  if (!env.DB) {
+    throw new Error('Database not available')
+  }
+  const db = createDatabaseOperations(env.DB)
+
+  for (const message of batch.messages) {
+    try {
+      const {
+        type,
+        packageName,
+        spec,
+        upstream,
+        options: _options,
+      } = message.body
+
+      if (type === 'package_refresh' && packageName) {
+        // Handle package refresh - refetch from upstream and cache
+        const upstreamConfig = getUpstreamConfig(upstream)
+        if (upstreamConfig) {
+          const upstreamUrl = buildUpstreamUrl(
+            upstreamConfig,
+            packageName,
+          )
+          const response = await fetch(upstreamUrl, {
+            headers: { Accept: 'application/json' },
+          })
+
+          if (response.ok) {
+            // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+            const upstreamData = (await response.json()) as Record<
+              string,
+              any
+            >
+
+            // Cache the package metadata
+            if (upstreamData['dist-tags']) {
+              await db.upsertCachedPackage(
+                packageName,
+                upstreamData['dist-tags'] as Record<string, string>,
+                upstream,
+                new Date().toISOString(),
+              )
+            }
+
+            // Cache all versions
+            if (upstreamData.versions) {
+              const versionPromises = Object.entries(
+                upstreamData.versions as Record<string, any>,
+              ).map(async ([version, manifest]) => {
+                try {
+                  await db.upsertCachedVersion(
+                    `${packageName}@${version}`,
+                    manifest as Record<string, any>,
+                    upstream,
+                    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+                    (manifest.publishedAt as string) ||
+                      new Date().toISOString(),
+                  )
+                } catch (_error) {
+                  // Silently fail individual versions
+                }
+              })
+              await Promise.allSettled(versionPromises)
+            }
+          }
+        }
+      } else if (type === 'version_refresh' && spec) {
+        // Handle version refresh - similar logic for individual versions
+        // (This would be implemented if needed)
+      }
+
+      // Acknowledge successful processing
+      message.ack()
+    } catch (error) {
+      // Retry failed messages
+      // TODO: Replace with proper logging system
+      // eslint-disable-next-line no-console
+      console.error('Queue processing error:', error)
+      message.retry()
+    }
+  }
+}