dxcomplete 0.2.1 → 0.3.0

package/src/runtime/auth.ts

@@ -1,673 +0,0 @@
-import { createHash, randomBytes, randomUUID } from "node:crypto";
-import type { Db } from "mongodb";
-import { createGoogleActorContext, normalizeEmail, type ActorContext } from "./actor.js";
-import type { RuntimeConfig } from "./config.js";
-import type { DxcRecord } from "./records.js";
-import type { WorkspaceConfig } from "./workspace.js";
-
-export const WORKSPACE_MEMBERSHIPS_COLLECTION = "workspace_memberships";
-export const OAUTH_CLIENTS_COLLECTION = "oauth_clients";
-export const OAUTH_AUTH_REQUESTS_COLLECTION = "oauth_authorization_requests";
-export const OAUTH_CODES_COLLECTION = "oauth_authorization_codes";
-export const OAUTH_TOKENS_COLLECTION = "oauth_tokens";
-export const WORKSPACE_SERVICE_CLIENTS_COLLECTION = "workspace_service_clients";
-
-export type WorkspaceRole = "owner" | "engineer" | "tester" | "operator" | "support_agent" | "end_user";
-
-export type WorkspaceMembership = {
-  _id: string;
-  workspaceId: string;
-  email: string;
-  roles: WorkspaceRole[];
-  role?: "owner" | "member";
-  provider?: "google";
-  providerSubject?: string;
-  createdAt: string;
-  updatedAt: string;
-  updatedBy: string;
-};
-
-export type WorkspaceServiceClientRecord = {
-  _id: string;
-  workspaceId: string;
-  clientId: string;
-  secretHash: string;
-  name: string;
-  createdAt: string;
-  createdBy: string;
-  updatedAt: string;
-  updatedBy: string;
-  revokedAt?: string;
-  revokedBy?: string;
-};
-
-export type OAuthClientRecord = {
-  _id: string;
-  clientId: string;
-  clientName?: string;
-  redirectUris: string[];
-  grantTypes: string[];
-  responseTypes: string[];
-  createdAt: string;
-  updatedAt: string;
-};
-
-export type OAuthAuthorizationRequest = {
-  _id: string;
-  clientId: string;
-  redirectUri: string;
-  codeChallenge: string;
-  codeChallengeMethod: "S256";
-  state?: string;
-  scope: string;
-  resource: string;
-  workspaceId: string;
-  createdAt: string;
-  expiresAt: Date;
-};
-
-export type OAuthAuthorizationCode = OAuthAuthorizationRequest & {
-  actor: ActorContext;
-};
-
-export type OAuthTokenRecord = {
-  _id: string;
-  kind: "access" | "refresh";
-  clientId: string;
-  workspaceId: string;
-  actor: ActorContext;
-  scope: string;
-  resource: string;
-  createdAt: string;
-  expiresAt: Date;
-  revokedAt?: string;
-};
-
-export type GoogleProfile = {
-  email: string;
-  subject: string;
-  displayName?: string;
-};
-
-const MCP_SCOPE = "mcp:tools";
-const ACCESS_TOKEN_TTL_SECONDS = 60 * 60;
-const REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
-const AUTH_REQUEST_TTL_SECONDS = 10 * 60;
-const SERVICE_CLIENT_SECRET_PREFIX = "dxc_service_secret_";
-const SERVICE_CLIENT_HASH_PREFIX = "sha256:";
-
-export async function ensureWorkspaceBootstrap(db: Db, config: WorkspaceConfig, actorId: string): Promise<void> {
-  const now = new Date().toISOString();
-
-  await db.collection<DxcRecord>("workspaces").updateOne(
-    { _id: config.workspaceId },
-    {
-      $set: {
-        recordType: "workspaces",
-        title: config.name,
-        fields: {
-          name: config.name,
-          ...(config.mode ? { mode: config.mode } : {})
-        },
-        updatedAt: now,
-        updatedBy: actorId
-      },
-      $setOnInsert: {
-        _id: config.workspaceId,
-        links: [],
-        createdAt: now,
-        createdBy: actorId
-      }
-    },
-    { upsert: true }
-  );
-
-  await Promise.all(
-    config.bootstrapMembers.map((member) =>
-      upsertWorkspaceMembership(db, {
-        workspaceId: config.workspaceId,
-        email: member.email,
-        roles: member.roles,
-        actorId
-      })
-    )
-  );
-}
-
-export async function upsertWorkspaceMembership(
-  db: Db,
-  input: {
-    workspaceId: string;
-    email: string;
-    role?: WorkspaceRole | "member";
-    roles?: WorkspaceRole[];
-    actorId: string;
-    provider?: "google";
-    providerSubject?: string;
-  }
-): Promise<WorkspaceMembership> {
-  const email = normalizeEmail(input.email);
-  const now = new Date().toISOString();
-  const id = membershipId(input.workspaceId, email);
-  const roles = normalizeWorkspaceRoles(input.roles ?? (input.role ? [input.role] : []));
-
-  await db.collection<WorkspaceMembership>(WORKSPACE_MEMBERSHIPS_COLLECTION).updateOne(
-    { _id: id },
-    {
-      $set: {
-        workspaceId: input.workspaceId,
-        email,
-        roles,
-        ...(input.provider ? { provider: input.provider } : {}),
-        ...(input.providerSubject ? { providerSubject: input.providerSubject } : {}),
-        updatedAt: now,
-        updatedBy: input.actorId
-      },
-      $unset: {
-        role: ""
-      },
-      $setOnInsert: {
-        _id: id,
-        createdAt: now
-      }
-    },
-    { upsert: true }
-  );
-
-  const record = await db.collection<WorkspaceMembership>(WORKSPACE_MEMBERSHIPS_COLLECTION).findOne({ _id: id });
-  if (!record) {
-    throw new Error("Workspace membership was not written.");
-  }
-
-  return record;
-}
-
-export async function assertWorkspaceMembership(
-  db: Db,
-  workspaceId: string,
-  actor: ActorContext
-): Promise<WorkspaceMembership> {
-  if (!actor.email) {
-    throw new Error("Authenticated actor email is required for workspace authorization.");
-  }
-
-  const email = normalizeEmail(actor.email);
-  const membership = await db
-    .collection<WorkspaceMembership>(WORKSPACE_MEMBERSHIPS_COLLECTION)
-    .findOne({ _id: membershipId(workspaceId, email) });
-
-  if (!membership) {
-    throw new Error(`Workspace access denied for ${email}.`);
-  }
-
-  if (membership.providerSubject && actor.providerSubject && membership.providerSubject !== actor.providerSubject) {
-    throw new Error(`Workspace access denied for ${email}.`);
-  }
-
-  if (actor.provider === "google" && actor.providerSubject && !membership.providerSubject) {
-    await upsertWorkspaceMembership(db, {
-      workspaceId,
-      email,
-      roles: membershipRoles(membership),
-      actorId: actor.actorId,
-      provider: "google",
-      providerSubject: actor.providerSubject
-    });
-  }
-
-  if (!Array.isArray(membership.roles) || membership.roles.length === 0 || membership.role) {
-    return upsertWorkspaceMembership(db, {
-      workspaceId,
-      email,
-      roles: membershipRoles(membership),
-      actorId: actor.actorId,
-      ...(membership.provider ? { provider: membership.provider } : {}),
-      ...(membership.providerSubject ? { providerSubject: membership.providerSubject } : {})
-    });
-  }
-
-  return membership;
-}
-
-export async function createWorkspaceServiceClient(
-  db: Db,
-  input: {
-    workspaceId: string;
-    name: string;
-    actorId: string;
-  }
-): Promise<{ record: WorkspaceServiceClientRecord; secret: string }> {
-  const now = new Date().toISOString();
-  const clientId = `dxc_service_client_${randomUUID()}`;
-  const secret = `${SERVICE_CLIENT_SECRET_PREFIX}${randomBytes(32).toString("base64url")}`;
-  const record: WorkspaceServiceClientRecord = {
-    _id: clientId,
-    workspaceId: input.workspaceId,
-    clientId,
-    secretHash: hashServiceClientSecret(secret),
-    name: input.name,
-    createdAt: now,
-    createdBy: input.actorId,
-    updatedAt: now,
-    updatedBy: input.actorId
-  };
-
-  await db.collection<WorkspaceServiceClientRecord>(WORKSPACE_SERVICE_CLIENTS_COLLECTION).insertOne(record);
-  return { record, secret };
-}
-
-export async function verifyWorkspaceServiceClient(
-  db: Db,
-  input: {
-    clientId?: string;
-    secret?: string;
-    workspaceId?: string;
-  }
-): Promise<WorkspaceServiceClientRecord> {
-  if (!input.clientId || !input.secret) {
-    throw new Error("DX Complete workspace service credentials are required.");
-  }
-
-  const record = await db
-    .collection<WorkspaceServiceClientRecord>(WORKSPACE_SERVICE_CLIENTS_COLLECTION)
-    .findOne({ _id: input.clientId });
-
-  if (!record || record.revokedAt) {
-    throw new Error("DX Complete workspace service client was not found or is revoked.");
-  }
-
-  if (input.workspaceId && record.workspaceId !== input.workspaceId) {
-    throw new Error("DX Complete workspace service client is not bound to this workspace.");
-  }
-
-  if (record.secretHash !== hashServiceClientSecret(input.secret)) {
-    throw new Error("DX Complete workspace service client secret is invalid.");
-  }
-
-  return record;
-}
-
-export async function registerOAuthClient(
-  db: Db,
-  input: {
-    clientName?: string;
-    redirectUris: string[];
-    grantTypes?: string[];
-    responseTypes?: string[];
-  }
-): Promise<OAuthClientRecord> {
-  if (input.redirectUris.length === 0) {
-    throw new Error("redirect_uris must contain at least one URI.");
-  }
-
-  const now = new Date().toISOString();
-  const clientId = `dxc_client_${randomUUID()}`;
-  const record: OAuthClientRecord = {
-    _id: clientId,
-    clientId,
-    clientName: input.clientName,
-    redirectUris: input.redirectUris,
-    grantTypes: input.grantTypes?.length ? input.grantTypes : ["authorization_code", "refresh_token"],
-    responseTypes: input.responseTypes?.length ? input.responseTypes : ["code"],
-    createdAt: now,
-    updatedAt: now
-  };
-
-  await db.collection<OAuthClientRecord>(OAUTH_CLIENTS_COLLECTION).insertOne(record);
-  return record;
-}
-
-export async function getOAuthClient(db: Db, clientId: string): Promise<OAuthClientRecord | null> {
-  return db.collection<OAuthClientRecord>(OAUTH_CLIENTS_COLLECTION).findOne({ _id: clientId });
-}
-
-export async function createOAuthAuthorizationRequest(
-  db: Db,
-  input: Omit<OAuthAuthorizationRequest, "_id" | "createdAt" | "expiresAt">
-): Promise<OAuthAuthorizationRequest> {
-  const now = new Date();
-  const record: OAuthAuthorizationRequest = {
-    _id: `dxc_state_${randomBytes(24).toString("base64url")}`,
-    ...input,
-    createdAt: now.toISOString(),
-    expiresAt: new Date(now.getTime() + AUTH_REQUEST_TTL_SECONDS * 1000)
-  };
-
-  await db.collection<OAuthAuthorizationRequest>(OAUTH_AUTH_REQUESTS_COLLECTION).insertOne(record);
-  return record;
-}
-
-export async function consumeOAuthAuthorizationRequest(
-  db: Db,
-  state: string
-): Promise<OAuthAuthorizationRequest> {
-  const collection = db.collection<OAuthAuthorizationRequest>(OAUTH_AUTH_REQUESTS_COLLECTION);
-  const record = await collection.findOne({ _id: state });
-
-  if (!record || isExpired(record.expiresAt)) {
-    throw new Error("OAuth authorization request expired or was not found.");
-  }
-
-  await collection.deleteOne({ _id: state });
-  return record;
-}
-
-export async function createOAuthAuthorizationCode(
-  db: Db,
-  request: OAuthAuthorizationRequest,
-  actor: ActorContext
-): Promise<string> {
-  const code = `dxc_code_${randomBytes(32).toString("base64url")}`;
-  const record: OAuthAuthorizationCode = {
-    ...request,
-    _id: code,
-    actor
-  };
-
-  await db.collection<OAuthAuthorizationCode>(OAUTH_CODES_COLLECTION).insertOne(record);
-  return code;
-}
-
-export async function exchangeOAuthAuthorizationCode(
-  db: Db,
-  input: {
-    code: string;
-    clientId: string;
-    redirectUri: string;
-    codeVerifier: string;
-    resource: string;
-  }
-): Promise<{ accessToken: string; refreshToken: string; expiresIn: number; scope: string }> {
-  const collection = db.collection<OAuthAuthorizationCode>(OAUTH_CODES_COLLECTION);
-  const record = await collection.findOne({ _id: input.code });
-
-  if (!record || isExpired(record.expiresAt)) {
-    throw new Error("Authorization code expired or was not found.");
-  }
-
-  if (
-    record.clientId !== input.clientId ||
-    record.redirectUri !== input.redirectUri ||
-    record.resource !== input.resource
-  ) {
-    throw new Error("Authorization code request does not match the original authorization.");
-  }
-
-  if (!verifyPkce(input.codeVerifier, record.codeChallenge)) {
-    throw new Error("Invalid PKCE verifier.");
-  }
-
-  await collection.deleteOne({ _id: input.code });
-  return issueMcpTokenPair(db, record);
-}
-
-export async function exchangeOAuthRefreshToken(
-  db: Db,
-  input: {
-    refreshToken: string;
-    clientId: string;
-    resource: string;
-  }
-): Promise<{ accessToken: string; refreshToken: string; expiresIn: number; scope: string }> {
-  const existing = await findUsableToken(db, input.refreshToken, "refresh");
-  if (existing.clientId !== input.clientId || existing.resource !== input.resource) {
-    throw new Error("Refresh token does not match this client or resource.");
-  }
-
-  await db.collection<OAuthTokenRecord>(OAUTH_TOKENS_COLLECTION).updateOne(
-    { _id: existing._id },
-    {
-      $set: {
-        revokedAt: new Date().toISOString()
-      }
-    }
-  );
-
-  return issueMcpTokenPair(db, {
-    clientId: existing.clientId,
-    scope: existing.scope,
-    resource: existing.resource,
-    workspaceId: existing.workspaceId,
-    actor: existing.actor
-  });
-}
-
-export async function issueMcpTokenPair(
-  db: Db,
-  input: {
-    clientId: string;
-    scope: string;
-    resource: string;
-    workspaceId: string;
-    actor: ActorContext;
-  }
-): Promise<{ accessToken: string; refreshToken: string; expiresIn: number; scope: string }> {
-  const accessToken = `dxc_access_${randomBytes(32).toString("base64url")}`;
-  const refreshToken = `dxc_refresh_${randomBytes(32).toString("base64url")}`;
-  const now = new Date();
-
-  await db.collection<OAuthTokenRecord>(OAUTH_TOKENS_COLLECTION).insertMany([
-    {
-      _id: hashToken(accessToken),
-      kind: "access",
-      clientId: input.clientId,
-      workspaceId: input.workspaceId,
-      actor: input.actor,
-      scope: input.scope || MCP_SCOPE,
-      resource: input.resource,
-      createdAt: now.toISOString(),
-      expiresAt: new Date(now.getTime() + ACCESS_TOKEN_TTL_SECONDS * 1000)
-    },
-    {
-      _id: hashToken(refreshToken),
-      kind: "refresh",
-      clientId: input.clientId,
-      workspaceId: input.workspaceId,
-      actor: input.actor,
-      scope: input.scope || MCP_SCOPE,
-      resource: input.resource,
-      createdAt: now.toISOString(),
-      expiresAt: new Date(now.getTime() + REFRESH_TOKEN_TTL_SECONDS * 1000)
-    }
-  ]);
-
-  return {
-    accessToken,
-    refreshToken,
-    expiresIn: ACCESS_TOKEN_TTL_SECONDS,
-    scope: input.scope || MCP_SCOPE
-  };
-}
-
-export async function verifyMcpAccessToken(
-  db: Db,
-  input: {
-    token: string;
-    workspaceId: string;
-    resource: string;
-  }
-): Promise<OAuthTokenRecord> {
-  const record = await findUsableToken(db, input.token, "access");
-
-  if (record.workspaceId !== input.workspaceId || record.resource !== input.resource) {
-    throw new Error("Access token is not valid for this workspace resource.");
-  }
-
-  await assertWorkspaceMembership(db, input.workspaceId, record.actor);
-  return record;
-}
-
-export async function exchangeGoogleCodeForProfile(
-  config: RuntimeConfig,
-  input: {
-    code: string;
-    redirectUri: string;
-  }
-): Promise<GoogleProfile> {
-  if (!config.googleClientId || !config.googleClientSecret) {
-    throw new Error("Google OAuth is not configured.");
-  }
-
-  const response = await fetch("https://oauth2.googleapis.com/token", {
-    method: "POST",
-    headers: {
-      "content-type": "application/x-www-form-urlencoded"
-    },
-    body: new URLSearchParams({
-      code: input.code,
-      client_id: config.googleClientId,
-      client_secret: config.googleClientSecret,
-      redirect_uri: input.redirectUri,
-      grant_type: "authorization_code"
-    })
-  });
-
-  if (!response.ok) {
-    throw new Error(`Google token exchange failed: ${await response.text()}`);
-  }
-
-  const tokens = (await response.json()) as { id_token?: string };
-  if (!tokens.id_token) {
-    throw new Error("Google token exchange did not return an id_token.");
-  }
-
-  const profileResponse = await fetch(
-    `https://oauth2.googleapis.com/tokeninfo?id_token=${encodeURIComponent(tokens.id_token)}`
-  );
-
-  if (!profileResponse.ok) {
-    throw new Error(`Google token verification failed: ${await profileResponse.text()}`);
-  }
-
-  const profile = (await profileResponse.json()) as {
-    aud?: string;
-    sub?: string;
-    email?: string;
-    email_verified?: string | boolean;
-    name?: string;
-  };
-
-  if (profile.aud !== config.googleClientId) {
-    throw new Error("Google token audience did not match this DX Complete deployment.");
-  }
-
-  if (profile.email_verified !== true && profile.email_verified !== "true") {
-    throw new Error("Google email is not verified.");
-  }
-
-  if (!profile.email || !profile.sub) {
-    throw new Error("Google profile did not include email and subject.");
-  }
-
-  return {
-    email: normalizeEmail(profile.email),
-    subject: profile.sub,
-    displayName: profile.name
-  };
-}
-
-export function googleAuthorizationUrl(
-  config: RuntimeConfig,
-  input: {
-    redirectUri: string;
-    state: string;
-  }
-): string {
-  if (!config.googleClientId) {
-    throw new Error("Google OAuth is not configured.");
-  }
-
-  const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
-  url.searchParams.set("client_id", config.googleClientId);
-  url.searchParams.set("redirect_uri", input.redirectUri);
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("scope", "openid email profile");
-  url.searchParams.set("state", input.state);
-  url.searchParams.set("prompt", "select_account");
-  return url.href;
-}
-
-export function createGoogleActor(profile: GoogleProfile): ActorContext {
-  return createGoogleActorContext({
-    email: profile.email,
-    subject: profile.subject,
-    displayName: profile.displayName
-  });
-}
-
-export function membershipRoles(membership: WorkspaceMembership): WorkspaceRole[] {
-  return normalizeWorkspaceRoles(
-    Array.isArray(membership.roles) && membership.roles.length > 0
-      ? membership.roles
-      : membership.role
-        ? [membership.role]
-        : []
-  );
-}
-
-async function findUsableToken(db: Db, token: string, kind: "access" | "refresh"): Promise<OAuthTokenRecord> {
-  const record = await db.collection<OAuthTokenRecord>(OAUTH_TOKENS_COLLECTION).findOne({
-    _id: hashToken(token),
-    kind,
-    revokedAt: { $exists: false }
-  });
-
-  if (!record || isExpired(record.expiresAt)) {
-    throw new Error("Token expired or was not found.");
-  }
-
-  return record;
-}
-
-function verifyPkce(verifier: string, challenge: string): boolean {
-  const actual = createHash("sha256").update(verifier).digest("base64url");
-  return actual === challenge;
-}
-
-function hashToken(token: string): string {
-  return createHash("sha256").update(token).digest("hex");
-}
-
-function hashServiceClientSecret(secret: string): string {
-  return `${SERVICE_CLIENT_HASH_PREFIX}${createHash("sha256").update(secret).digest("hex")}`;
-}
-
-function isExpired(value: string | Date): boolean {
-  return new Date(value).getTime() <= Date.now();
-}
-
-function membershipId(workspaceId: string, email: string): string {
-  return `${workspaceId}:${normalizeEmail(email)}`;
-}
-
-function normalizeWorkspaceRoles(values: Array<WorkspaceRole | "member">): WorkspaceRole[] {
-  const roles = new Set<WorkspaceRole>();
-
-  for (const value of values) {
-    if (value === "member") {
-      roles.add("end_user");
-      continue;
-    }
-
-    if (isWorkspaceRole(value)) {
-      roles.add(value);
-    }
-  }
-
-  if (roles.size === 0) {
-    roles.add("end_user");
-  }
-
-  return [...roles].sort();
-}
-
-function isWorkspaceRole(value: string): value is WorkspaceRole {
-  return (
-    value === "owner" ||
-    value === "engineer" ||
-    value === "tester" ||
-    value === "operator" ||
-    value === "support_agent" ||
-    value === "end_user"
-  );
-}

package/src/runtime/check.ts

@@ -1,18 +0,0 @@
-import type { RuntimeOptions } from "./config.js";
-import { connectRuntime } from "./mongo.js";
-import { COLLECTION_NAMES } from "./records.js";
-
-export async function checkRuntime(options: RuntimeOptions = {}) {
-  const runtime = await connectRuntime(options);
-
-  try {
-    return {
-      ok: true,
-      databaseName: runtime.config.databaseName,
-      envFilePath: runtime.config.envFilePath,
-      collections: COLLECTION_NAMES
-    };
-  } finally {
-    await runtime.close();
-  }
-}