cyberia 3.0.3 → 3.1.3

package/package.json

@@ -2,25 +2,30 @@
     "type": "module",
     "main": "src/index.js",
     "name": "cyberia",
-    "version": "3.0.3",
+    "version": "3.1.3",
     "description": "Cyberia Engine - Object Layer and Assets Management Microservice",
     "scripts": {
-        "start": "env-cmd -f .env.production node --max-old-space-size=8192 src/server",
-        "build": "node bin/deploy build-full-client",
-        "test": "env-cmd -f .env.test c8 mocha",
-        "dev": "env-cmd -f .env.development nodemon src/server",
-        "dev-img": "env-cmd -f .env.development node src/server",
-        "prod-img": "env-cmd -f .env.production node src/server",
-        "dev-api": "env-cmd -f .env.development nodemon --watch src --ignore src/client src/api",
-        "dev-client": "env-cmd -f .env.development node src/client.dev",
-        "dev-proxy": "env-cmd -f .env.development node src/proxy proxy",
+        "start": "node --max-old-space-size=8192 src/server dd-core",
+        "build": "node bin client",
+        "test": "NODE_ENV=test c8 mocha",
+        "dev": "NODE_ENV=development nodemon src/server",
+        "dev:container": "NODE_ENV=development node src/server",
+        "prod:container": "NODE_ENV=production node src/server",
+        "dev:api": "NODE_ENV=development nodemon --watch src --ignore src/client src/api",
+        "dev:client": "NODE_ENV=development node src/client.dev",
+        "dev:proxy": "NODE_ENV=development node src/proxy proxy",
         "docs": "jsdoc -c jsdoc.json",
-        "install-global": "npm install -g jsdoc && npm install -g prettier && npm install -g env-cmd",
-        "install-test": "npm install -g mocha && npm install -g c8 && npm install -g coveralls",
-        "install": "npm run install-global && npm run install-test",
+        "install:global": "npm install -g jsdoc && npm install -g prettier",
+        "install:test": "npm install -g mocha && npm install -g c8 && npm install -g coveralls",
+        "install": "npm run install:global && npm run install:test",
         "prettier": "prettier --write .",
         "fix": "npm audit fix --force && npm audit",
-        "baremetal": "node bin baremetal --dev --commission --ls --create-machine"
+        "baremetal": "node bin baremetal --dev --commission --ls --create-machine",
+        "security:secrets": "gitleaks detect --source . --config .gitleaks.toml --report-path ./gitleaks-report.json --report-format json --redact=0",
+        "security:secrets:ci": "gitleaks detect --source . --config .gitleaks.toml --redact=1",
+        "security:deps": "npm audit",
+        "security": "npm run security:secrets:ci && npm run security:deps",
+        "clean": "node bin env clean && node bin run clean"
     },
     "bin": {
         "cyberia": "bin/index.js"
@@ -44,67 +49,68 @@
     },
     "homepage": "https://github.com/underpostnet/engine-cyberia#readme",
     "dependencies": {
-        "@fortawesome/fontawesome-free": "^6.4.2",
-        "@fullcalendar/rrule": "^6.1.15",
-        "@neodrag/vanilla": "^2.0.3",
+        "@fortawesome/fontawesome-free": "^7.2.0",
+        "@fullcalendar/rrule": "^6.1.20",
+        "@neodrag/vanilla": "^2.3.1",
         "adm-zip": "^0.5.10",
-        "ag-grid-community": "^31.3.4",
-        "axios": "^1.5.1",
-        "chai": "^5.1.0",
+        "ag-grid-community": "^35.1.0",
+        "axios": "^1.13.6",
+        "chai": "^6.2.2",
         "clean-jsdoc-theme": "^4.3.0",
-        "clipboardy": "^4.0.0",
+        "clipboardy": "^5.3.1",
         "cloudinary": "^2.5.1",
         "colors": "^1.4.0",
-        "commander": "^12.1.0",
+        "commander": "^14.0.3",
         "compression": "^1.7.4",
         "cookie-parser": "^1.4.7",
-        "cors": "^2.8.5",
+        "cors": "^2.8.6",
         "d3": "^7.9.0",
-        "dotenv": "^16.3.1",
+        "dotenv": "^17.3.1",
         "easymde": "^2.18.0",
-        "env-cmd": "^10.1.0",
-        "express": "^4.18.2",
+        "escape-string-regexp": "^5.0.0",
+        "express": "^5.2.1",
         "express-fileupload": "^1.4.3",
-        "express-rate-limit": "^8.1.0",
-        "express-slow-down": "^3.0.0",
+        "express-rate-limit": "^8.3.1",
+        "express-slow-down": "^3.1.0",
         "fast-json-stable-stringify": "^2.1.0",
         "favicons": "^7.2.0",
-        "fs-extra": "^11.1.1",
+        "fs-extra": "^11.3.4",
         "fullcalendar": "^6.1.15",
         "helmet": "^8.1.0",
         "html-minifier-terser": "^7.2.0",
-        "http-proxy-middleware": "^2.0.6",
+        "http-proxy-middleware": "^3.0.5",
         "ignore-walk": "^8.0.0",
-        "iovalkey": "^0.2.1",
-        "json-colorizer": "^2.2.2",
-        "jsonwebtoken": "^9.0.2",
+        "iovalkey": "^0.3.3",
+        "json-colorizer": "^3.0.1",
+        "jsonwebtoken": "^9.0.3",
         "mariadb": "^3.2.2",
-        "marked": "^12.0.2",
+        "marked": "^17.0.4",
         "mocha": "^11.3.0",
-        "mongoose": "^8.9.5",
+        "mongoose": "^9.3.0",
         "morgan": "^1.10.0",
-        "nodemailer": "^7.0.9",
+        "nodemailer": "^8.0.2",
         "nodemon": "^3.0.1",
         "peer": "^1.0.2",
-        "peerjs": "^1.5.2",
+        "peerjs": "^1.5.5",
         "prom-client": "^15.1.2",
-        "read": "^2.1.0",
+        "read": "^5.0.1",
         "rrule": "^2.8.1",
         "shelljs": "^0.10.0",
-        "sitemap": "^7.1.1",
-        "socket.io": "^4.8.0",
+        "sitemap": "^9.0.1",
+        "socket.io": "^4.8.3",
         "sortablejs": "^1.15.0",
         "split-file": "^2.3.0",
-        "swagger-autogen": "^2.9.2",
+        "swagger-autogen": "^2.23.7",
         "swagger-ui-express": "^5.0.0",
         "uglify-js": "^3.17.4",
         "validator": "^13.11.0",
-        "vanilla-jsoneditor": "^2.3.2",
-        "winston": "^3.11.0",
+        "vanilla-jsoneditor": "^3.11.0",
+        "winston": "^3.19.0",
         "maxrects-packer": "^2.7.3",
         "pngjs": "^7.0.0",
         "jimp": "^1.6.0",
-        "sharp": "^0.32.5"
+        "sharp": "^0.32.5",
+        "ethers": "~6.16.0"
     },
     "publishConfig": {
         "provenance": true,

package/proxy.yaml

@@ -74,6 +74,78 @@ spec:
           port: 4009
           weight: 100
     
+    - conditions:
+        - prefix: /r1
+      
+      enableWebsockets: true
+      services:
+        - name: dd-cyberia-development-blue-service
+          port: 4010
+          weight: 100
+    
+    - conditions:
+        - prefix: /r1/peer
+      
+      enableWebsockets: true
+      services:
+        - name: dd-cyberia-development-blue-service
+          port: 4011
+          weight: 100
+    
+    - conditions:
+        - prefix: /r2
+      
+      enableWebsockets: true
+      services:
+        - name: dd-cyberia-development-blue-service
+          port: 4012
+          weight: 100
+    
+    - conditions:
+        - prefix: /r2/peer
+      
+      enableWebsockets: true
+      services:
+        - name: dd-cyberia-development-blue-service
+          port: 4013
+          weight: 100
+    
+    - conditions:
+        - prefix: /r3
+      
+      enableWebsockets: true
+      services:
+        - name: dd-cyberia-development-blue-service
+          port: 4014
+          weight: 100
+    
+    - conditions:
+        - prefix: /r3/peer
+      
+      enableWebsockets: true
+      services:
+        - name: dd-cyberia-development-blue-service
+          port: 4015
+          weight: 100
+    
+    - conditions:
+        - prefix: /r4
+      
+      enableWebsockets: true
+      services:
+        - name: dd-cyberia-development-blue-service
+          port: 4016
+          weight: 100
+    
+    - conditions:
+        - prefix: /r4/peer
+      
+      enableWebsockets: true
+      services:
+        - name: dd-cyberia-development-blue-service
+          port: 4017
+          weight: 100
+    
 ---
 apiVersion: projectcontour.io/v1
 kind: HTTPProxy
@@ -90,7 +162,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-cyberia-development-blue-service
-          port: 4010
+          port: 4018
           weight: 100
     
 ---
@@ -109,7 +181,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-cyberia-development-blue-service
-          port: 4011
+          port: 4019
           weight: 100
     
     - conditions:
@@ -118,7 +190,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-cyberia-development-blue-service
-          port: 4012
+          port: 4020
           weight: 100
     
 ---
@@ -137,7 +209,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-cyberia-development-blue-service
-          port: 4013
+          port: 4021
           weight: 100
     
 ---
@@ -156,7 +228,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-cyberia-development-blue-service
-          port: 4014
+          port: 4022
           weight: 100
     
     - conditions:
@@ -165,7 +237,7 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-cyberia-development-blue-service
-          port: 4015
+          port: 4023
           weight: 100
     
 ---
@@ -184,6 +256,6 @@ spec:
       enableWebsockets: true
       services:
         - name: dd-cyberia-development-blue-service
-          port: 4016
+          port: 4024
           weight: 100
     

package/pv-pvc.yaml

@@ -0,0 +1,132 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-public-dd-cyberia-dd-cyberia-development-blue
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: pvc-public-dd-cyberia-dd-cyberia-development-blue
+    namespace: default
+  hostPath:
+    path: /home/dd/engine/volume/pv-public-dd-cyberia-dd-cyberia-development-blue
+    type: DirectoryOrCreate
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-public-dd-cyberia-dd-cyberia-development-blue
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: manual
+  volumeName: pv-public-dd-cyberia-dd-cyberia-development-blue
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-public-dd-cyberia-underpost-dd-cyberia-development-blue
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: pvc-public-dd-cyberia-underpost-dd-cyberia-development-blue
+    namespace: default
+  hostPath:
+    path: /home/dd/engine/volume/pv-public-dd-cyberia-underpost-dd-cyberia-development-blue
+    type: DirectoryOrCreate
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-public-dd-cyberia-underpost-dd-cyberia-development-blue
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: manual
+  volumeName: pv-public-dd-cyberia-underpost-dd-cyberia-development-blue
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-public-dd-cyberia-dd-cyberia-development-green
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: pvc-public-dd-cyberia-dd-cyberia-development-green
+    namespace: default
+  hostPath:
+    path: /home/dd/engine/volume/pv-public-dd-cyberia-dd-cyberia-development-green
+    type: DirectoryOrCreate
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-public-dd-cyberia-dd-cyberia-development-green
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: manual
+  volumeName: pv-public-dd-cyberia-dd-cyberia-development-green
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-public-dd-cyberia-underpost-dd-cyberia-development-green
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: pvc-public-dd-cyberia-underpost-dd-cyberia-development-green
+    namespace: default
+  hostPath:
+    path: /home/dd/engine/volume/pv-public-dd-cyberia-underpost-dd-cyberia-development-green
+    type: DirectoryOrCreate
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-public-dd-cyberia-underpost-dd-cyberia-development-green
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: manual
+  volumeName: pv-public-dd-cyberia-underpost-dd-cyberia-development-green
+  resources:
+    requests:
+      storage: 5Gi

package/scripts/k3s-node-setup.sh

@@ -52,7 +52,7 @@ cd /home/dd/engine
 
 echo "Applying host configuration..."
 
-underpost install
+npm install
 
 node bin run secret
 

package/scripts/ports-ls.sh

@@ -3,6 +3,8 @@ set -euo pipefail
 
 BASHRC="$HOME/.bashrc"
 
+sudo dnf install -y iproute lsof nmap-ncat net-tools procps-ng
+
 # Check whether a "ports" function is already defined
 if grep -Eq '^\s*(function\s+ports|ports\s*\(\))' "$BASHRC"; then
   echo "The 'ports' function already exists in $BASHRC. Nothing was changed."

package/src/api/atlas-sprite-sheet/atlas-sprite-sheet.controller.js

@@ -51,7 +51,9 @@ const AtlasSpriteSheetController = {
   },
   get: async (req, res, options) => {
     try {
-      res.setHeader('Access-Control-Allow-Origin', '*');
+      if (req && req.headers && req.headers.origin) {
+        res.set('Access-Control-Allow-Origin', req.headers.origin);
+      } else res.setHeader('Access-Control-Allow-Origin', '*');
       res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
       const { page, limit } = req.query;
       const result = await AtlasSpriteSheetService.get(

package/src/api/atlas-sprite-sheet/atlas-sprite-sheet.model.js

@@ -118,11 +118,10 @@ AtlasSpriteSheetSchema.index({ 'metadata.itemKey': 1 }, { unique: true });
 AtlasSpriteSheetSchema.index({ fileId: 1 });
 
 // Pre-save validation
-AtlasSpriteSheetSchema.pre('save', function (next) {
+AtlasSpriteSheetSchema.pre('save', function () {
   if (!this.fileId || !this.metadata) {
     throw new Error('AtlasSpriteSheet missing required fields: fileId or metadata');
   }
-  next();
 });
 
 const AtlasSpriteSheetModel = model('AtlasSpriteSheet', AtlasSpriteSheetSchema);

package/src/api/document/document.service.js

@@ -497,7 +497,7 @@ const DocumentService = {
         req.body.isPublic = isPublic;
         req.body.tags = tags;
 
-        return await Document.findByIdAndUpdate(req.params.id, req.body, { new: true });
+        return await Document.findByIdAndUpdate(req.params.id, req.body, { returnDocument: 'after' });
       }
     }
   },

package/src/api/file/file.controller.js

@@ -19,7 +19,9 @@ const FileController = {
   },
   get: async (req, res, options) => {
     try {
-      res.setHeader('Access-Control-Allow-Origin', '*');
+      if (req && req.headers && req.headers.origin) {
+        res.set('Access-Control-Allow-Origin', req.headers.origin);
+      } else res.setHeader('Access-Control-Allow-Origin', '*');
       res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
       const result = await FileService.get(req, res, options);
       if (result instanceof Buffer) {

package/src/api/file/file.service.js

@@ -387,12 +387,35 @@ const FileService = {
         if (doc.isPublic) return true;
 
         // Otherwise, user must be authenticated and own the document
+        // Try bearer token first
         const token = getBearerToken(req);
-        if (!token) false;
-        const payload = jwtVerify(token, options);
-        const user = await User.findOne({ _id: payload._id }).lean();
-        if (!user) return false;
-        return String(doc.userId) === String(user._id);
+        if (token) {
+          try {
+            const payload = jwtVerify(token, options);
+            const user = await User.findOne({ _id: payload._id }).lean();
+            if (user && String(doc.userId) === String(user._id)) return true;
+          } catch (bearerErr) {
+            logger.warn('Bearer token verification failed, trying cookie session fallback:', bearerErr.message);
+          }
+        }
+
+        // Fallback: check cookie-based session (refreshToken cookie)
+        const refreshToken = req.cookies?.refreshToken;
+        if (refreshToken) {
+          try {
+            const user = await User.findOne({ 'activeSessions.tokenHash': refreshToken }).lean();
+            if (user) {
+              const session = user.activeSessions.find((s) => s.tokenHash === refreshToken);
+              if (session && (!session.expiresAt || session.expiresAt >= new Date())) {
+                return String(doc.userId) === String(user._id);
+              }
+            }
+          } catch (cookieErr) {
+            logger.warn('Cookie session verification failed:', cookieErr.message);
+          }
+        }
+
+        return false;
       } catch (err) {
         console.log(err);
         logger.error('Authorization check failed:', err);

package/src/api/ipfs/ipfs.service.js

@@ -24,7 +24,7 @@ const createPinRecord = async ({ cid, userId, options }) => {
   const record = await Ipfs.findOneAndUpdate(
     { cid, userId },
     { cid, userId },
-    { upsert: true, new: true, setDefaultsOnInsert: true },
+    { upsert: true, returnDocument: 'after', setDefaultsOnInsert: true },
   );
 
   logger.info(`IPFS pin record upserted – CID: ${cid}, userId: ${userId}`);
@@ -107,7 +107,7 @@ const IpfsService = {
   put: async (req, res, options) => {
     /** @type {import('./ipfs.model.js').IpfsModel} */
     const Ipfs = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.Ipfs;
-    return await Ipfs.findByIdAndUpdate(req.params.id, req.body, { new: true });
+    return await Ipfs.findByIdAndUpdate(req.params.id, req.body, { returnDocument: 'after' });
   },
 
   delete: async (req, res, options) => {

package/src/api/object-layer/object-layer.controller.js

@@ -21,7 +21,9 @@ const ObjectLayerController = {
   },
   get: async (req, res, options) => {
     try {
-      res.setHeader('Access-Control-Allow-Origin', '*');
+      if (req && req.headers && req.headers.origin) {
+        res.set('Access-Control-Allow-Origin', req.headers.origin);
+      } else res.setHeader('Access-Control-Allow-Origin', '*');
       res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
       const result = await ObjectLayerService.get(req, res, options);
       return res.status(200).json({
@@ -39,7 +41,9 @@ const ObjectLayerController = {
   generateWebp: async (req, res, options) => {
     try {
       const result = await ObjectLayerService.generateWebp(req, res, options);
-      res.setHeader('Access-Control-Allow-Origin', '*');
+      if (req && req.headers && req.headers.origin) {
+        res.set('Access-Control-Allow-Origin', req.headers.origin);
+      } else res.setHeader('Access-Control-Allow-Origin', '*');
       res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
       res.setHeader('Content-Type', 'image/webp');
       res.setHeader(

package/src/api/object-layer/object-layer.model.js

@@ -49,18 +49,22 @@ const ItemSchema = new Schema(
 /**
  * @typedef {Object} Ledger
  * Blockchain protocol metadata linking the visual object-layer prefab to its economic reality.
- * @property {string} type - The token standard or off-chain designation (ERC20, ERC721, OFF_CHAIN).
- * @property {string} address - The Solidity smart contract address.
+ * Uses ERC-1155 as the single multi-token standard for both fungible (CryptoKoyn) and
+ * non-fungible / semi-fungible Object Layer items within one contract.
+ * @property {string} type - The token standard or off-chain designation (ERC1155, OFF_CHAIN).
+ * @property {string} address - The Solidity smart contract address (ObjectLayerToken).
+ * @property {string} tokenId - The uint256 ERC-1155 token ID (derived from keccak256 of the item identifier).
  * @memberof CyberiaObjectLayerModel
  */
 const LedgerSchema = new Schema(
   {
     type: {
       type: String,
-      enum: ['ERC20', 'ERC721', 'OFF_CHAIN'],
+      enum: ['ERC1155', 'OFF_CHAIN'],
       required: true,
     },
-    address: { type: String }, // Solidity contract address
+    address: { type: String }, // ObjectLayerToken ERC-1155 contract address
+    tokenId: { type: String, default: '' }, // uint256 ERC-1155 token ID (hex or decimal string)
   },
   { _id: false },
 );
@@ -96,8 +100,9 @@ const RenderSchema = new Schema(
  * @property {string} data.item.description - Description of the item
  * @property {boolean} data.item.activable - Whether the item can be activated
  * @property {Object} data.ledger - Blockchain protocol metadata linking the visual object-layer prefab to its economic reality
- * @property {string} data.ledger.type - The token standard or off-chain designation (ERC20, ERC721, OFF_CHAIN).
- * @property {string} data.ledger.address - The Solidity smart contract address.
+ * @property {string} data.ledger.type - The token standard or off-chain designation (ERC1155, OFF_CHAIN).
+ * @property {string} data.ledger.address - The ObjectLayerToken ERC-1155 smart contract address.
+ * @property {string} data.ledger.tokenId - The uint256 ERC-1155 token ID (hex or decimal string).
  * @property {Object} data.render - IPFS content identifiers for the consolidated atlas sprite sheet
  * @property {string} data.render.cid - IPFS Content Identifier for the consolidated atlas sprite sheet PNG
  * @property {string} data.render.metadataCid - IPFS Content Identifier for the atlas sprite sheet metadata JSON (fast-json-stable-stringify)
@@ -155,13 +160,12 @@ ObjectLayerSchema.index(
 );
 
 // Pre-save hook to ensure data consistency
-ObjectLayerSchema.pre('save', function (next) {
+ObjectLayerSchema.pre('save', function () {
   // Ensure all required fields are present
   if (!this.data.stats || !this.data.item || !this.sha256) {
     throw new Error('Missing required fields');
   }
   // cid (object layer data JSON) and data.render.cid (atlas PNG) are optional – default to ''
-  next();
 });
 
 // Create and export the model