@wopr-network/platform-core 0.1.0

package/dist/metering/wal.js

@@ -0,0 +1,124 @@
+import { appendFileSync, existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { dirname } from "node:path";
+/**
+ * Write-Ahead Log for meter events.
+ *
+ * Provides durable, fail-closed event persistence. Events are written
+ * to disk BEFORE being buffered, ensuring no event is lost even if
+ * the process crashes before flush completes.
+ */
+export class MeterWAL {
+    walPath;
+    lock = Promise.resolve();
+    async withLock(fn) {
+        const prev = this.lock;
+        let resolve;
+        this.lock = new Promise((r) => {
+            resolve = r;
+        });
+        try {
+            await prev;
+            return await fn();
+        }
+        finally {
+            resolve();
+        }
+    }
+    constructor(walPath) {
+        this.walPath = walPath;
+        this.ensureDir();
+    }
+    ensureDir() {
+        const dir = dirname(this.walPath);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+    }
+    /**
+     * Append an event to the WAL. appendFileSync is atomic on POSIX (O_APPEND),
+     * so no mutex is needed here. Returns the event with a generated ID.
+     */
+    append(event) {
+        const eventWithId = {
+            ...event,
+            id: event.id ?? crypto.randomUUID(),
+        };
+        const line = `${JSON.stringify(eventWithId)}\n`;
+        appendFileSync(this.walPath, line, { encoding: "utf8", flag: "a" });
+        return eventWithId;
+    }
+    /**
+     * Read all events from the WAL. Returns events in the order they were written.
+     * Skips malformed lines (defensive against incomplete writes).
+     */
+    readAll() {
+        if (!existsSync(this.walPath)) {
+            return [];
+        }
+        const content = readFileSync(this.walPath, "utf8");
+        if (!content.trim()) {
+            return [];
+        }
+        const events = [];
+        for (const line of content.trim().split("\n")) {
+            try {
+                events.push(JSON.parse(line));
+            }
+            catch {
+                // Skip malformed lines (e.g., from incomplete writes).
+            }
+        }
+        return events;
+    }
+    /**
+     * Remove specific event IDs from the WAL. This is done by rewriting
+     * the entire file without the specified events. Mutex-guarded.
+     */
+    async remove(eventIds) {
+        return this.withLock(() => {
+            if (!existsSync(this.walPath) || eventIds.size === 0) {
+                return;
+            }
+            const events = this.readAll();
+            const filtered = events.filter((e) => !eventIds.has(e.id));
+            if (filtered.length === 0) {
+                // All events removed — delete the WAL file.
+                this._clear();
+            }
+            else {
+                // Rewrite the WAL with remaining events.
+                const content = `${filtered.map((e) => JSON.stringify(e)).join("\n")}\n`;
+                writeFileSync(this.walPath, content, { encoding: "utf8" });
+            }
+        });
+    }
+    _clear() {
+        if (existsSync(this.walPath)) {
+            unlinkSync(this.walPath);
+        }
+    }
+    /**
+     * Clear the entire WAL (typically after successful flush). Mutex-guarded.
+     */
+    async clear() {
+        return this.withLock(() => {
+            this._clear();
+        });
+    }
+    /**
+     * Check if the WAL is empty.
+     */
+    isEmpty() {
+        if (!existsSync(this.walPath)) {
+            return true;
+        }
+        const content = readFileSync(this.walPath, "utf8");
+        return !content.trim();
+    }
+    /**
+     * Get the number of events in the WAL.
+     */
+    count() {
+        return this.readAll().length;
+    }
+}

package/dist/metering/wal.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/metering/wal.test.js

@@ -0,0 +1,175 @@
+import { existsSync, mkdirSync, rmSync } from "node:fs";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { Credit } from "../credits/credit.js";
+import { MeterDLQ } from "./dlq.js";
+import { MeterWAL } from "./wal.js";
+const TEST_DIR = "/tmp/wopr-wal-test";
+const TEST_WAL_PATH = `${TEST_DIR}/test-wal.jsonl`;
+const TEST_DLQ_PATH = `${TEST_DIR}/test-dlq.jsonl`;
+function makeEvent(overrides = {}) {
+    return {
+        tenant: "tenant-1",
+        cost: Credit.fromDollars(0.001),
+        charge: Credit.fromDollars(0.002),
+        capability: "embeddings",
+        provider: "openai",
+        timestamp: Date.now(),
+        ...overrides,
+    };
+}
+describe("MeterWAL", () => {
+    let wal;
+    beforeEach(() => {
+        if (existsSync(TEST_DIR)) {
+            rmSync(TEST_DIR, { recursive: true });
+        }
+        mkdirSync(TEST_DIR, { recursive: true });
+        wal = new MeterWAL(TEST_WAL_PATH);
+    });
+    afterEach(() => {
+        if (existsSync(TEST_DIR)) {
+            rmSync(TEST_DIR, { recursive: true });
+        }
+    });
+    it("appends events to the WAL", async () => {
+        const event = makeEvent();
+        const result = await wal.append(event);
+        expect(result.id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i);
+        expect(result.tenant).toBe("tenant-1");
+        expect(wal.count()).toBe(1);
+    });
+    it("preserves event ID if provided", async () => {
+        const event = { ...makeEvent(), id: "custom-id-123" };
+        const result = await wal.append(event);
+        expect(result.id).toBe("custom-id-123");
+    });
+    it("generates UUID if ID not provided", async () => {
+        const event = makeEvent();
+        const result = await wal.append(event);
+        expect(result.id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i);
+    });
+    it("readAll returns events in order", async () => {
+        await wal.append(makeEvent({ tenant: "t-1" }));
+        await wal.append(makeEvent({ tenant: "t-2" }));
+        await wal.append(makeEvent({ tenant: "t-3" }));
+        const events = wal.readAll();
+        expect(events).toHaveLength(3);
+        expect(events[0].tenant).toBe("t-1");
+        expect(events[1].tenant).toBe("t-2");
+        expect(events[2].tenant).toBe("t-3");
+    });
+    it("readAll returns empty array for empty WAL", () => {
+        const events = wal.readAll();
+        expect(events).toEqual([]);
+    });
+    it("remove deletes specific events", async () => {
+        const e1 = await wal.append(makeEvent({ tenant: "t-1" }));
+        const e2 = await wal.append(makeEvent({ tenant: "t-2" }));
+        const e3 = await wal.append(makeEvent({ tenant: "t-3" }));
+        await wal.remove(new Set([e2.id]));
+        const events = wal.readAll();
+        expect(events).toHaveLength(2);
+        expect(events[0].id).toBe(e1.id);
+        expect(events[1].id).toBe(e3.id);
+    });
+    it("remove with empty set does nothing", async () => {
+        await wal.append(makeEvent());
+        await wal.remove(new Set());
+        expect(wal.count()).toBe(1);
+    });
+    it("remove all events clears the WAL file", async () => {
+        const e1 = await wal.append(makeEvent());
+        const e2 = await wal.append(makeEvent());
+        await wal.remove(new Set([e1.id, e2.id]));
+        expect(wal.isEmpty()).toBe(true);
+        expect(existsSync(TEST_WAL_PATH)).toBe(false);
+    });
+    it("clear removes the WAL file", async () => {
+        await wal.append(makeEvent());
+        expect(existsSync(TEST_WAL_PATH)).toBe(true);
+        await wal.clear();
+        expect(existsSync(TEST_WAL_PATH)).toBe(false);
+        expect(wal.isEmpty()).toBe(true);
+    });
+    it("isEmpty returns true for non-existent WAL", () => {
+        expect(wal.isEmpty()).toBe(true);
+    });
+    it("isEmpty returns false after append", async () => {
+        await wal.append(makeEvent());
+        expect(wal.isEmpty()).toBe(false);
+    });
+    it("count returns 0 for empty WAL", () => {
+        expect(wal.count()).toBe(0);
+    });
+    it("handles multiple appends without data loss", async () => {
+        for (let i = 0; i < 100; i++) {
+            await wal.append(makeEvent({ tenant: `t-${i}` }));
+        }
+        expect(wal.count()).toBe(100);
+    });
+    it("concurrent append during remove does not lose events", async () => {
+        // Seed 3 events
+        const e1 = await wal.append(makeEvent({ tenant: "t-1" }));
+        const e2 = await wal.append(makeEvent({ tenant: "t-2" }));
+        await wal.append(makeEvent({ tenant: "t-3" }));
+        // Remove e1 and e2, while concurrently appending e4
+        const removePromise = wal.remove(new Set([e1.id, e2.id]));
+        const appendPromise = wal.append(makeEvent({ tenant: "t-4" }));
+        await Promise.all([removePromise, appendPromise]);
+        const events = wal.readAll();
+        const tenants = events.map((e) => e.tenant);
+        // e3 must survive the remove, e4 must not be lost
+        expect(tenants).toContain("t-3");
+        expect(tenants).toContain("t-4");
+        expect(tenants).not.toContain("t-1");
+        expect(tenants).not.toContain("t-2");
+        expect(events).toHaveLength(2);
+    });
+});
+describe("MeterDLQ", () => {
+    let dlq;
+    beforeEach(() => {
+        if (existsSync(TEST_DIR)) {
+            rmSync(TEST_DIR, { recursive: true });
+        }
+        mkdirSync(TEST_DIR, { recursive: true });
+        dlq = new MeterDLQ(TEST_DLQ_PATH);
+    });
+    afterEach(() => {
+        if (existsSync(TEST_DIR)) {
+            rmSync(TEST_DIR, { recursive: true });
+        }
+    });
+    it("appends failed events with metadata", () => {
+        const event = { ...makeEvent(), id: "failed-event-1" };
+        dlq.append(event, "Database connection lost", 3);
+        const entries = dlq.readAll();
+        expect(entries).toHaveLength(1);
+        expect(entries[0].id).toBe("failed-event-1");
+        expect(entries[0].tenant).toBe("tenant-1");
+        expect(entries[0].dlq_error).toBe("Database connection lost");
+        expect(entries[0].dlq_retries).toBe(3);
+        expect(entries[0].dlq_timestamp).toBeGreaterThan(0);
+    });
+    it("readAll returns empty array for empty DLQ", () => {
+        const entries = dlq.readAll();
+        expect(entries).toEqual([]);
+    });
+    it("count returns 0 for empty DLQ", () => {
+        expect(dlq.count()).toBe(0);
+    });
+    it("count returns correct number of entries", () => {
+        dlq.append({ ...makeEvent(), id: "e1" }, "error1", 3);
+        dlq.append({ ...makeEvent(), id: "e2" }, "error2", 3);
+        expect(dlq.count()).toBe(2);
+    });
+    it("preserves all DLQ entries across multiple appends", () => {
+        for (let i = 0; i < 10; i++) {
+            dlq.append({ ...makeEvent(), id: `e-${i}` }, `error-${i}`, i + 1);
+        }
+        const entries = dlq.readAll();
+        expect(entries).toHaveLength(10);
+        expect(entries[0].dlq_retries).toBe(1);
+        expect(entries[9].dlq_retries).toBe(10);
+    });
+});

package/dist/middleware/csrf.d.ts

@@ -0,0 +1,24 @@
+import type { MiddlewareHandler } from "hono";
+/**
+ * Validate that a request's Origin or Referer matches one of the allowed origins.
+ * Returns true if the request is safe, false if it should be blocked.
+ */
+export declare function validateCsrfOrigin(headers: Headers, allowedOrigins: string[]): boolean;
+export interface CsrfOptions {
+    /** Allowed origins (e.g. ["https://app.example.com"]). */
+    allowedOrigins: string[];
+    /**
+     * Paths exempt from CSRF validation.
+     * Use trailing "*" for prefix matching (e.g. "/api/auth/*").
+     * Exact strings match exactly (e.g. "/api/billing/webhook").
+     */
+    exemptPaths?: string[];
+}
+/**
+ * Hono middleware that validates Origin/Referer on state-changing requests.
+ * Skips:
+ * - GET/HEAD/OPTIONS requests (safe methods)
+ * - Requests with Bearer token (not vulnerable to CSRF)
+ * - Exempt paths (configurable)
+ */
+export declare function csrfProtection(options: CsrfOptions): MiddlewareHandler;

package/dist/middleware/csrf.js

@@ -0,0 +1,80 @@
+import { extractBearerToken } from "../auth/index.js";
+const MUTATION_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+/**
+ * Check whether a path matches any of the exempt patterns.
+ * Patterns ending with "*" match as prefixes; exact strings match exactly.
+ */
+function isExempt(path, exemptPaths) {
+    for (const pattern of exemptPaths) {
+        if (pattern.endsWith("*")) {
+            const prefix = pattern.slice(0, -1);
+            if (path.startsWith(prefix))
+                return true;
+        }
+        else {
+            if (path === pattern)
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Validate that a request's Origin or Referer matches one of the allowed origins.
+ * Returns true if the request is safe, false if it should be blocked.
+ */
+export function validateCsrfOrigin(headers, allowedOrigins) {
+    const origin = headers.get("origin");
+    // Check Origin header first (most reliable)
+    if (origin) {
+        return allowedOrigins.includes(origin);
+    }
+    // Fall back to Referer header
+    const referer = headers.get("referer");
+    if (referer) {
+        try {
+            const refererOrigin = new URL(referer).origin;
+            return allowedOrigins.includes(refererOrigin);
+        }
+        catch {
+            return false;
+        }
+    }
+    // No Origin or Referer on a mutation request — block it
+    return false;
+}
+/**
+ * Hono middleware that validates Origin/Referer on state-changing requests.
+ * Skips:
+ * - GET/HEAD/OPTIONS requests (safe methods)
+ * - Requests with Bearer token (not vulnerable to CSRF)
+ * - Exempt paths (configurable)
+ */
+export function csrfProtection(options) {
+    const exempt = options.exemptPaths ?? [];
+    return async (c, next) => {
+        // Safe methods — no CSRF risk
+        if (!MUTATION_METHODS.has(c.req.method)) {
+            return next();
+        }
+        // Exempt paths
+        if (isExempt(c.req.path, exempt)) {
+            return next();
+        }
+        // Bearer-token requests are not vulnerable to CSRF (browser doesn't auto-send)
+        const authHeader = c.req.header("Authorization");
+        if (extractBearerToken(authHeader)) {
+            return next();
+        }
+        // Unauthenticated requests (no session user, no bearer token) cannot be CSRF attacks —
+        // there is no credential to hijack. Let auth middleware return 401 naturally.
+        const user = c.get("user");
+        if (!user) {
+            return next();
+        }
+        // Validate Origin/Referer
+        if (!validateCsrfOrigin(c.req.raw.headers, options.allowedOrigins)) {
+            return c.json({ error: "CSRF validation failed" }, 403);
+        }
+        return next();
+    };
+}

package/dist/middleware/csrf.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/middleware/csrf.test.js

@@ -0,0 +1,152 @@
+import { Hono } from "hono";
+import { describe, expect, it } from "vitest";
+import { csrfProtection, validateCsrfOrigin } from "./csrf.js";
+// ---------------------------------------------------------------------------
+// validateCsrfOrigin unit tests
+// ---------------------------------------------------------------------------
+describe("validateCsrfOrigin", () => {
+    function makeHeaders(headers) {
+        return new Headers(headers);
+    }
+    it("returns true when Origin matches allowed origin", () => {
+        const result = validateCsrfOrigin(makeHeaders({ origin: "https://app.example.com" }), ["https://app.example.com"]);
+        expect(result).toBe(true);
+    });
+    it("returns true when Origin matches one of multiple allowed origins", () => {
+        const result = validateCsrfOrigin(makeHeaders({ origin: "https://staging.example.com" }), [
+            "https://app.example.com",
+            "https://staging.example.com",
+        ]);
+        expect(result).toBe(true);
+    });
+    it("returns false when Origin does not match any allowed origin", () => {
+        const result = validateCsrfOrigin(makeHeaders({ origin: "https://evil.com" }), ["https://app.example.com"]);
+        expect(result).toBe(false);
+    });
+    it("falls back to Referer when Origin is absent", () => {
+        const result = validateCsrfOrigin(makeHeaders({ referer: "https://app.example.com/dashboard" }), [
+            "https://app.example.com",
+        ]);
+        expect(result).toBe(true);
+    });
+    it("returns false when neither Origin nor Referer is present", () => {
+        const result = validateCsrfOrigin(makeHeaders({}), ["https://app.example.com"]);
+        expect(result).toBe(false);
+    });
+    it("returns false for malformed Referer URL", () => {
+        const result = validateCsrfOrigin(makeHeaders({ referer: "not-a-url" }), ["https://app.example.com"]);
+        expect(result).toBe(false);
+    });
+});
+// ---------------------------------------------------------------------------
+// csrfProtection middleware integration tests
+// ---------------------------------------------------------------------------
+describe("csrfProtection middleware", () => {
+    const exemptPaths = [
+        "/api/auth/*",
+        "/api/billing/webhook",
+        "/api/billing/crypto/*",
+        "/internal/*",
+        "/health*",
+        "/auth/*",
+    ];
+    function createApp(allowedOrigins) {
+        const app = new Hono();
+        // Simulate session user being set so CSRF validation logic actually runs
+        app.use("/*", async (c, next) => {
+            c.set("user", { id: "test-user", roles: ["user"] });
+            return next();
+        });
+        app.use("/*", csrfProtection({ allowedOrigins, exemptPaths }));
+        app.post("/api/fleet/bots", (c) => c.json({ ok: true }));
+        app.put("/api/billing/checkout", (c) => c.json({ ok: true }));
+        app.delete("/fleet/bots/123", (c) => c.json({ ok: true }));
+        app.get("/api/fleet/bots", (c) => c.json({ ok: true }));
+        app.post("/api/auth/sign-in/email", (c) => c.json({ ok: true }));
+        app.post("/api/billing/webhook", (c) => c.json({ ok: true }));
+        app.post("/internal/nodes/register", (c) => c.json({ ok: true }));
+        app.post("/health", (c) => c.json({ ok: true }));
+        app.post("/trpc/fleet.create", (c) => c.json({ ok: true }));
+        return app;
+    }
+    const origins = ["https://app.example.com"];
+    it("blocks POST without Origin header", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/api/fleet/bots", { method: "POST" });
+        expect(res.status).toBe(403);
+        const body = await res.json();
+        expect(body.error).toBe("CSRF validation failed");
+    });
+    it("blocks POST with wrong Origin", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/api/fleet/bots", {
+            method: "POST",
+            headers: { origin: "https://evil.com" },
+        });
+        expect(res.status).toBe(403);
+    });
+    it("allows POST with correct Origin", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/api/fleet/bots", {
+            method: "POST",
+            headers: { origin: "https://app.example.com" },
+        });
+        expect(res.status).toBe(200);
+    });
+    it("allows GET requests without Origin", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/api/fleet/bots", { method: "GET" });
+        expect(res.status).toBe(200);
+    });
+    it("blocks PUT without Origin", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/api/billing/checkout", { method: "PUT" });
+        expect(res.status).toBe(403);
+    });
+    it("blocks DELETE without Origin", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/fleet/bots/123", { method: "DELETE" });
+        expect(res.status).toBe(403);
+    });
+    it("exempts /api/auth/* routes", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/api/auth/sign-in/email", { method: "POST" });
+        expect(res.status).toBe(200);
+    });
+    it("exempts /api/billing/webhook", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/api/billing/webhook", { method: "POST" });
+        expect(res.status).toBe(200);
+    });
+    it("exempts /internal/* routes", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/internal/nodes/register", { method: "POST" });
+        expect(res.status).toBe(200);
+    });
+    it("exempts /health routes", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/health", { method: "POST" });
+        expect(res.status).toBe(200);
+    });
+    it("skips CSRF check when Authorization Bearer header is present", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/api/fleet/bots", {
+            method: "POST",
+            headers: { authorization: "Bearer some-token" },
+        });
+        expect(res.status).toBe(200);
+    });
+    it("protects /trpc/* mutation routes", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/trpc/fleet.create", { method: "POST" });
+        expect(res.status).toBe(403);
+    });
+    it("allows /trpc/* with correct Origin", async () => {
+        const app = createApp(origins);
+        const res = await app.request("/trpc/fleet.create", {
+            method: "POST",
+            headers: { origin: "https://app.example.com" },
+        });
+        expect(res.status).toBe(200);
+    });
+});

package/dist/middleware/drizzle-rate-limit-repository.d.ts

@@ -0,0 +1,9 @@
+import type { PlatformDb } from "../db/index.js";
+import type { IRateLimitRepository, RateLimitEntry } from "./rate-limit-repository.js";
+export declare class DrizzleRateLimitRepository implements IRateLimitRepository {
+    private readonly db;
+    constructor(db: PlatformDb);
+    increment(key: string, scope: string, windowMs: number): Promise<RateLimitEntry>;
+    get(key: string, scope: string): Promise<RateLimitEntry | null>;
+    purgeStale(windowMs: number): Promise<number>;
+}

package/dist/middleware/drizzle-rate-limit-repository.js

@@ -0,0 +1,52 @@
+import { and, eq, lt, sql } from "drizzle-orm";
+import { rateLimitEntries } from "../db/schema/index.js";
+export class DrizzleRateLimitRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async increment(key, scope, windowMs) {
+        const now = Date.now();
+        // Check if existing entry is within the current window
+        const rows = await this.db
+            .select()
+            .from(rateLimitEntries)
+            .where(and(eq(rateLimitEntries.key, key), eq(rateLimitEntries.scope, scope)));
+        const existing = rows[0];
+        if (existing && now - existing.windowStart < windowMs) {
+            // Within window: increment
+            await this.db
+                .update(rateLimitEntries)
+                .set({ count: sql `${rateLimitEntries.count} + 1` })
+                .where(and(eq(rateLimitEntries.key, key), eq(rateLimitEntries.scope, scope)));
+            return { key, scope, count: existing.count + 1, windowStart: existing.windowStart };
+        }
+        // New window (or first request): upsert with count = 1
+        await this.db
+            .insert(rateLimitEntries)
+            .values({ key, scope, count: 1, windowStart: now })
+            .onConflictDoUpdate({
+            target: [rateLimitEntries.key, rateLimitEntries.scope],
+            set: { count: 1, windowStart: now },
+        });
+        return { key, scope, count: 1, windowStart: now };
+    }
+    async get(key, scope) {
+        const rows = await this.db
+            .select()
+            .from(rateLimitEntries)
+            .where(and(eq(rateLimitEntries.key, key), eq(rateLimitEntries.scope, scope)));
+        const row = rows[0];
+        if (!row)
+            return null;
+        return { key: row.key, scope: row.scope, count: row.count, windowStart: row.windowStart };
+    }
+    async purgeStale(windowMs) {
+        const cutoff = Date.now() - windowMs;
+        const result = await this.db
+            .delete(rateLimitEntries)
+            .where(lt(rateLimitEntries.windowStart, cutoff))
+            .returning({ key: rateLimitEntries.key });
+        return result.length;
+    }
+}

package/dist/middleware/drizzle-rate-limit-repository.test.d.ts

@@ -0,0 +1 @@
+export {};