humanenv 0.1.0

package/packages/server/src/db/mongo.ts

@@ -0,0 +1,166 @@
+import { MongoClient, Db } from 'mongodb'
+import { IDatabaseProvider } from './interface'
+import { HumanEnvError, ErrorCode } from 'humanenv-shared'
+import crypto from 'node:crypto'
+
+const COLLECTIONS = {
+  projects: 'projects',
+  envs: 'envs',
+  apiKeys: 'apiKeys',
+  whitelist: 'whitelist',
+  serverConfig: 'serverConfig',
+} as const
+
+export class MongoProvider implements IDatabaseProvider {
+  private client: MongoClient | null = null
+  private db: Db | null = null
+  private reconnectInterval: ReturnType<typeof setInterval> | null = null
+
+  constructor(private uri: string) {}
+
+  async connect(): Promise<void> {
+    this.client = new MongoClient(this.uri)
+    await this.client.connect()
+    this.db = this.client.db('humanenv')
+    this.initIndexes()
+  }
+
+  async disconnect(): Promise<void> {
+    if (this.reconnectInterval) clearInterval(this.reconnectInterval)
+    if (this.client) await this.client.close()
+  }
+
+  private initIndexes(): void {
+    const d = this.db!
+    d.collection(COLLECTIONS.projects).createIndex({ name: 1 }, { unique: true })
+    d.collection(COLLECTIONS.envs).createIndex({ projectId: 1, key: 1 }, { unique: true })
+    d.collection(COLLECTIONS.apiKeys).createIndex({ projectId: 1, lookupHash: 1 }, { unique: true })
+    d.collection(COLLECTIONS.whitelist).createIndex({ projectId: 1, fingerprint: 1 }, { unique: true })
+    d.collection(COLLECTIONS.serverConfig).createIndex({ key: 1 }, { unique: true })
+  }
+
+  async createProject(name: string): Promise<{ id: string }> {
+    const doc = { id: crypto.randomUUID(), name, createdAt: Date.now() }
+    await this.col('projects').insertOne(doc)
+    return { id: doc.id }
+  }
+
+  async getProject(name: string): Promise<{ id: string; name: string; createdAt: number } | null> {
+    const doc = await this.col('projects').findOne({ name }) as any
+    return doc ? { id: doc.id, name: doc.name, createdAt: doc.createdAt } : null
+  }
+
+  async listProjects(): Promise<Array<{ id: string; name: string; createdAt: number }>> {
+    return await this.col('projects').find({}).sort({ createdAt: -1 }).toArray() as any
+  }
+
+  async deleteProject(id: string): Promise<void> {
+    await this.col('projects').deleteOne({ id })
+    await this.col('envs').deleteMany({ projectId: id })
+    await this.col('apiKeys').deleteMany({ projectId: id })
+    await this.col('whitelist').deleteMany({ projectId: id })
+  }
+
+  async createEnv(projectId: string, key: string, encryptedValue: string, apiModeOnly: boolean): Promise<{ id: string }> {
+    const doc = { id: crypto.randomUUID(), projectId, key, encryptedValue, apiModeOnly, createdAt: Date.now() }
+    await this.col('envs').updateOne(
+      { projectId, key },
+      { $set: doc },
+      { upsert: true }
+    )
+    return { id: doc.id }
+  }
+
+  async getEnv(projectId: string, key: string): Promise<{ encryptedValue: string; apiModeOnly: boolean } | null> {
+    const doc = await this.col('envs').findOne({ projectId, key }) as any
+    return doc ? { encryptedValue: doc.encryptedValue, apiModeOnly: doc.apiModeOnly } : null
+  }
+
+  async listEnvs(projectId: string): Promise<Array<{ id: string; key: string; apiModeOnly: boolean; createdAt: number }>> {
+    return await this.col('envs').find({ projectId }).sort({ key: 1 }).toArray() as any
+  }
+
+  async updateEnv(projectId: string, key: string, encryptedValue: string, apiModeOnly: boolean): Promise<void> {
+    await this.col('envs').updateOne(
+      { projectId, key },
+      { $set: { encryptedValue, apiModeOnly } }
+    )
+  }
+
+  async deleteEnv(projectId: string, key: string): Promise<void> {
+    await this.col('envs').deleteOne({ projectId, key })
+  }
+
+  async createApiKey(projectId: string, encryptedValue: string, plainValue: string, ttl?: number): Promise<{ id: string }> {
+    const id = crypto.randomUUID()
+    const expiresAt = ttl ? Date.now() + ttl * 1000 : undefined
+    const lookupHash = crypto.createHash('sha256').update(plainValue).digest('hex')
+    const doc = { id, projectId, encryptedValue, lookupHash, ttl: ttl ?? null, expiresAt: expiresAt ?? null, createdAt: Date.now() }
+    await this.col('apiKeys').insertOne(doc)
+    return { id }
+  }
+
+  async getApiKey(projectId: string, plainValue: string): Promise<{ id: string; expiresAt?: number } | null> {
+    const lookupHash = crypto.createHash('sha256').update(plainValue).digest('hex')
+    const doc = await this.col('apiKeys').findOne({ projectId, lookupHash }) as any
+    if (!doc) return null
+    if (doc.expiresAt && doc.expiresAt < Date.now()) return null
+    return { id: doc.id, expiresAt: doc.expiresAt }
+  }
+
+  async listApiKeys(projectId: string): Promise<Array<{ id: string; maskedPreview: string; ttl?: number; expiresAt?: number; createdAt: number }>> {
+    const docs = await this.col('apiKeys').find({ projectId }).sort({ createdAt: -1 }).toArray() as any[]
+    return docs.map(d => ({
+      id: d.id,
+      maskedPreview: d.lookupHash.slice(0, 8) + '...',
+      ttl: d.ttl,
+      expiresAt: d.expiresAt,
+      createdAt: d.createdAt,
+    }))
+  }
+
+  async revokeApiKey(projectId: string, id: string): Promise<void> {
+    await this.col('apiKeys').deleteOne({ id, projectId })
+  }
+
+  async createWhitelistEntry(projectId: string, fingerprint: string, status: 'pending' | 'approved' | 'rejected'): Promise<{ id: string }> {
+    const doc = { id: crypto.randomUUID(), projectId, fingerprint, status, createdAt: Date.now() }
+    await this.col('whitelist').updateOne(
+      { projectId, fingerprint },
+      { $set: doc },
+      { upsert: true }
+    )
+    return { id: doc.id }
+  }
+
+  async getWhitelistEntry(projectId: string, fingerprint: string): Promise<{ id: string; status: 'pending' | 'approved' | 'rejected' } | null> {
+    const doc = await this.col('whitelist').findOne({ projectId, fingerprint }) as any
+    return doc ? { id: doc.id, status: doc.status } : null
+  }
+
+  async listWhitelistEntries(projectId: string): Promise<Array<{ id: string; fingerprint: string; status: 'pending' | 'approved' | 'rejected'; createdAt: number }>> {
+    return await this.col('whitelist').find({ projectId }).sort({ createdAt: -1 }).toArray() as any
+  }
+
+  async updateWhitelistStatus(id: string, status: 'approved' | 'rejected'): Promise<void> {
+    await this.col('whitelist').updateOne({ id }, { $set: { status } })
+  }
+
+  async storePkHash(hash: string): Promise<void> {
+    await this.col('serverConfig').updateOne(
+      { key: 'pk_hash' },
+      { $set: { key: 'pk_hash', value: hash } },
+      { upsert: true }
+    )
+  }
+
+  async getPkHash(): Promise<string | null> {
+    const doc = await this.col('serverConfig').findOne({ key: 'pk_hash' }) as any
+    return doc?.value ?? null
+  }
+
+  private col(name: string) {
+    if (!this.db) throw new HumanEnvError(ErrorCode.DB_OPERATION_FAILED, 'MongoDB not connected')
+    return this.db.collection(name)
+  }
+}

package/packages/server/src/db/sqlite.ts

@@ -0,0 +1,180 @@
+import BetterSqlite3 from 'better-sqlite3'
+import { IDatabaseProvider } from './interface'
+import crypto from 'node:crypto'
+
+export class SqliteProvider implements IDatabaseProvider {
+  private db!: BetterSqlite3.Database
+
+  constructor(private dbPath: string) {}
+
+  async connect(): Promise<void> {
+    this.db = new BetterSqlite3(this.dbPath)
+    this.db.pragma('journal_mode = WAL')
+    this.initTables()
+  }
+
+  async disconnect(): Promise<void> {
+    this.db.close()
+  }
+
+  private initTables(): void {
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS projects (
+        id TEXT PRIMARY KEY,
+        name TEXT UNIQUE NOT NULL,
+        created_at INTEGER NOT NULL
+      );
+      CREATE TABLE IF NOT EXISTS envs (
+        id TEXT PRIMARY KEY,
+        project_id TEXT NOT NULL,
+        key TEXT NOT NULL,
+        encrypted_value TEXT NOT NULL,
+        api_mode_only INTEGER NOT NULL DEFAULT 0,
+        created_at INTEGER NOT NULL,
+        UNIQUE(project_id, key),
+        FOREIGN KEY(project_id) REFERENCES projects(id)
+      );
+      CREATE TABLE IF NOT EXISTS api_keys (
+        id TEXT PRIMARY KEY,
+        project_id TEXT NOT NULL,
+        encrypted_value TEXT NOT NULL,
+        lookup_hash TEXT UNIQUE NOT NULL,
+        ttl INTEGER,
+        expires_at INTEGER,
+        created_at INTEGER NOT NULL,
+        FOREIGN KEY(project_id) REFERENCES projects(id)
+      );
+      CREATE TABLE IF NOT EXISTS whitelist (
+        id TEXT PRIMARY KEY,
+        project_id TEXT NOT NULL,
+        fingerprint TEXT NOT NULL,
+        status TEXT NOT NULL DEFAULT 'pending',
+        created_at INTEGER NOT NULL,
+        UNIQUE(project_id, fingerprint),
+        FOREIGN KEY(project_id) REFERENCES projects(id)
+      );
+      CREATE TABLE IF NOT EXISTS server_config (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL
+      );
+    `)
+  }
+
+  async createProject(name: string): Promise<{ id: string }> {
+    const id = crypto.randomUUID()
+    this.db.prepare('INSERT INTO projects (id, name, created_at) VALUES (?, ?, ?)').run(id, name, Date.now())
+    return { id }
+  }
+
+  async getProject(name: string): Promise<{ id: string; name: string; createdAt: number } | null> {
+    const row = this.db.prepare('SELECT id, name, created_at FROM projects WHERE name = ?').get(name) as any
+    return row ? { id: row.id, name: row.name, createdAt: row.created_at } : null
+  }
+
+  async listProjects(): Promise<Array<{ id: string; name: string; createdAt: number }>> {
+    const rows = this.db.prepare('SELECT id, name, created_at FROM projects ORDER BY created_at DESC').all() as any[]
+    return rows.map(r => ({ id: r.id, name: r.name, createdAt: r.created_at }))
+  }
+
+  async deleteProject(id: string): Promise<void> {
+    const tx = this.db.transaction(() => {
+      this.db.prepare('DELETE FROM envs WHERE project_id = ?').run(id)
+      this.db.prepare('DELETE FROM api_keys WHERE project_id = ?').run(id)
+      this.db.prepare('DELETE FROM whitelist WHERE project_id = ?').run(id)
+      this.db.prepare('DELETE FROM projects WHERE id = ?').run(id)
+    })
+    tx()
+  }
+
+  async createEnv(projectId: string, key: string, encryptedValue: string, apiModeOnly: boolean): Promise<{ id: string }> {
+    const id = crypto.randomUUID()
+    this.db.prepare('INSERT OR REPLACE INTO envs (id, project_id, key, encrypted_value, api_mode_only, created_at) VALUES (?, ?, ?, ?, ?, ?)').run(
+      id, projectId, key, encryptedValue, apiModeOnly ? 1 : 0, Date.now()
+    )
+    return { id }
+  }
+
+  async getEnv(projectId: string, key: string): Promise<{ encryptedValue: string; apiModeOnly: boolean } | null> {
+    const row = this.db.prepare('SELECT encrypted_value, api_mode_only FROM envs WHERE project_id = ? AND key = ?').get(projectId, key) as any
+    return row ? { encryptedValue: row.encrypted_value, apiModeOnly: !!row.api_mode_only } : null
+  }
+
+  async listEnvs(projectId: string): Promise<Array<{ id: string; key: string; apiModeOnly: boolean; createdAt: number }>> {
+    const rows = this.db.prepare('SELECT id, key, api_mode_only, created_at FROM envs WHERE project_id = ? ORDER BY key').all(projectId) as any[]
+    return rows.map(r => ({ id: r.id, key: r.key, apiModeOnly: !!r.api_mode_only, createdAt: r.created_at }))
+  }
+
+  async updateEnv(projectId: string, key: string, encryptedValue: string, apiModeOnly: boolean): Promise<void> {
+    this.db.prepare('UPDATE envs SET encrypted_value = ?, api_mode_only = ? WHERE project_id = ? AND key = ?').run(
+      encryptedValue, apiModeOnly ? 1 : 0, projectId, key
+    )
+  }
+
+  async deleteEnv(projectId: string, key: string): Promise<void> {
+    this.db.prepare('DELETE FROM envs WHERE project_id = ? AND key = ?').run(projectId, key)
+  }
+
+  async createApiKey(projectId: string, encryptedValue: string, plainValue: string, ttl?: number): Promise<{ id: string }> {
+    const id = crypto.randomUUID()
+    const expiresAt = ttl ? Date.now() + ttl * 1000 : undefined
+    const lookupHash = crypto.createHash('sha256').update(plainValue).digest('hex')
+    this.db.prepare('INSERT INTO api_keys (id, project_id, encrypted_value, lookup_hash, ttl, expires_at, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)').run(
+      id, projectId, encryptedValue, lookupHash, ttl ?? null, expiresAt ?? null, Date.now()
+    )
+    return { id }
+  }
+
+  async getApiKey(projectId: string, plainValue: string): Promise<{ id: string; expiresAt?: number } | null> {
+    const lookupHash = crypto.createHash('sha256').update(plainValue).digest('hex')
+    const row = this.db.prepare('SELECT id, lookup_hash, expires_at FROM api_keys WHERE project_id = ? AND lookup_hash = ?').get(projectId, lookupHash) as any
+    if (!row) return null
+    if (row.expires_at && row.expires_at < Date.now()) return null
+    return { id: row.id, expiresAt: row.expires_at }
+  }
+
+  async listApiKeys(projectId: string): Promise<Array<{ id: string; maskedPreview: string; ttl?: number; expiresAt?: number; createdAt: number }>> {
+    const rows = this.db.prepare('SELECT id, lookup_hash, ttl, expires_at, created_at FROM api_keys WHERE project_id = ? ORDER BY created_at DESC').all(projectId) as any[]
+    return rows.map(r => ({
+      id: r.id,
+      maskedPreview: r.lookup_hash.slice(0, 8) + '...',
+      ttl: r.ttl,
+      expiresAt: r.expires_at,
+      createdAt: r.created_at,
+    }))
+  }
+
+  async revokeApiKey(projectId: string, id: string): Promise<void> {
+    this.db.prepare('DELETE FROM api_keys WHERE id = ? AND project_id = ?').run(id, projectId)
+  }
+
+  async createWhitelistEntry(projectId: string, fingerprint: string, status: 'pending' | 'approved' | 'rejected'): Promise<{ id: string }> {
+    const id = crypto.randomUUID()
+    this.db.prepare('INSERT OR REPLACE INTO whitelist (id, project_id, fingerprint, status, created_at) VALUES (?, ?, ?, ?, ?)').run(
+      id, projectId, fingerprint, status, Date.now()
+    )
+    return { id }
+  }
+
+  async getWhitelistEntry(projectId: string, fingerprint: string): Promise<{ id: string; status: 'pending' | 'approved' | 'rejected' } | null> {
+    const row = this.db.prepare('SELECT id, status FROM whitelist WHERE project_id = ? AND fingerprint = ?').get(projectId, fingerprint) as any
+    return row ? { id: row.id, status: row.status } : null
+  }
+
+  async listWhitelistEntries(projectId: string): Promise<Array<{ id: string; fingerprint: string; status: 'pending' | 'approved' | 'rejected'; createdAt: number }>> {
+    const rows = this.db.prepare('SELECT id, fingerprint, status, created_at FROM whitelist WHERE project_id = ? ORDER BY created_at DESC').all(projectId) as any[]
+    return rows.map(r => ({ id: r.id, fingerprint: r.fingerprint, status: r.status, createdAt: r.created_at }))
+  }
+
+  async updateWhitelistStatus(id: string, status: 'approved' | 'rejected'): Promise<void> {
+    this.db.prepare('UPDATE whitelist SET status = ? WHERE id = ?').run(status, id)
+  }
+
+  async storePkHash(hash: string): Promise<void> {
+    this.db.prepare('INSERT OR REPLACE INTO server_config (key, value) VALUES (?, ?)').run('pk_hash', hash)
+  }
+
+  async getPkHash(): Promise<string | null> {
+    const row = this.db.prepare('SELECT value FROM server_config WHERE key = ?').get('pk_hash') as { value: string } | undefined
+    return row?.value ?? null
+  }
+}

package/packages/server/src/index.ts

@@ -0,0 +1,123 @@
+import express from 'express'
+import http from 'http'
+import path from 'path'
+import fs from 'fs'
+import os from 'os'
+import { PkManager } from './pk-manager'
+import { createDatabase } from './db'
+import { createBasicAuthMiddleware } from './auth'
+import { createProjectsRouter, createEnvsRouter, createApiKeysRouter, createWhitelistRouter } from './routes'
+import { WsRouter } from './ws/router'
+
+// ============================================================
+// Config resolution
+// ============================================================
+
+function parseIntOr(val: string | undefined, fallback: number): number {
+  if (!val) return fallback
+  const n = parseInt(val, 10)
+  return isNaN(n) ? fallback : n
+}
+
+const PORT = parseIntOr(
+  process.argv.find(a => a.startsWith('--port='))?.split('=')[1] ||
+  process.argv[process.argv.indexOf('--port') + 1] ||
+  process.env.PORT,
+  3056
+)
+const BASIC_AUTH_ARG = process.argv.find(a => a.startsWith('--basicAuth'))
+const dataDir = path.join(os.homedir(), '.humanenv')
+const dbPath = path.join(dataDir, 'humanenv.db')
+
+if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true })
+
+// ============================================================
+// App bootstrap
+// ============================================================
+
+async function main() {
+  console.log('Starting HumanEnv server...')
+  console.log('Data directory:', dataDir)
+
+  // Database
+  const mongoUri = process.env.MONGODB_URI
+  const { provider: db, active: activeDb } = await createDatabase(dbPath, mongoUri)
+  console.log('Database:', activeDb)
+
+  // PK Manager
+  const pk = new PkManager()
+  const storedHash = await db.getPkHash()
+  const bootstrapResult = await pk.bootstrap(storedHash)
+
+  // App
+  const app = express()
+  const server = http.createServer(app)
+
+  app.use(express.json())
+
+  // Basic auth for admin UI
+  if (BASIC_AUTH_ARG) {
+    const username = process.env.BASIC_AUTH_USERNAME || 'admin'
+    const password = process.env.BASIC_AUTH_PASSWORD || 'admin'
+    app.use(createBasicAuthMiddleware(username, password))
+  }
+
+  // WS Router
+  const wsRouter = new WsRouter(server, db, pk)
+
+  // REST routes
+  app.use('/api/projects', createProjectsRouter(db, pk))
+  app.use('/api/envs', createEnvsRouter(db, pk))
+  app.use('/api/apikeys', createApiKeysRouter(db, pk))
+  app.use('/api/whitelist', createWhitelistRouter(db))
+
+  // PK setup endpoints
+  app.post('/api/pk/setup', async (req, res) => {
+    const { mnemonic } = req.body || {}
+    if (!mnemonic) return res.status(400).json({ error: 'mnemonic required' })
+    try {
+      const result = pk.submitMnemonic(mnemonic, storedHash)
+      await db.storePkHash(result.hash)
+      res.json({ ok: true, firstSetup: result.firstSetup })
+    } catch (e: any) {
+      res.status(400).json({ error: e.message })
+    }
+  })
+
+  app.get('/api/pk/generate', (_req, res) => {
+    const mnemonic = pk.getMnemonic()
+    res.json({ mnemonic })
+  })
+
+  app.get('/api/pk/status', (_req, res) => {
+    res.json({ ready: pk.isReady(), existing: bootstrapResult.existing })
+  })
+
+  // Serve admin UI
+  app.get('/', (_req, res) => {
+    const status = pk.isReady() ? 'ready' : bootstrapResult.status === 'needs_input' ? 'needs-pk' : 'ready'
+    const existing = bootstrapResult.existing || 'hash'
+    console.log('pk status for ejs:', status, existing)
+    res.render('index', {
+      pkStatus: status,
+      existing: existing,
+      activeDb: activeDb,
+      pkVerified: pk.isReady(),
+    })
+  })
+
+  app.set('view engine', 'ejs')
+  app.set('views', path.join(__dirname, 'views'))
+
+  // Start
+  server.listen(PORT, () => {
+    console.log('HumanEnv server listening on port', PORT)
+    console.log('Admin UI:', `http://localhost:${PORT}`)
+    if (!pk.isReady()) console.log('WARNING: PK not loaded. Admin must enter mnemonic to activate server.')
+  })
+}
+
+main().catch((e) => {
+  console.error('Fatal:', e)
+  process.exit(1)
+})

package/packages/server/src/pk-manager.ts

@@ -0,0 +1,79 @@
+import { derivePkFromMnemonic, hashPkForVerification, validateMnemonic, generateMnemonic, decryptWithPk, encryptWithPk, generateFingerprint } from 'humanenv-shared'
+import { HumanEnvError, ErrorCode } from 'humanenv-shared'
+
+export class PkManager {
+  private pk: Buffer | null = null
+  private mnemonic: string | null = null
+
+  async bootstrap(storedHash: string | null): Promise<{ status: 'ready' | 'needs_input'; existing?: 'hash' | 'first' }> {
+    const envMnemonic = process.env.HUMANENV_MNEMONIC
+    if (envMnemonic) {
+      const trimmed = envMnemonic.trim()
+      if (!validateMnemonic(trimmed)) {
+        throw new HumanEnvError(ErrorCode.SERVER_INTERNAL_ERROR, 'HUMANENV_MNEMONIC env contains invalid mnemonic')
+      }
+      this.mnemonic = trimmed
+      this.pk = derivePkFromMnemonic(trimmed)
+      const derivedHash = hashPkForVerification(this.pk)
+      if (storedHash && derivedHash !== storedHash) {
+        console.warn('WARN: Derived PK hash does not match stored hash. Data may be unrecoverable.')
+      }
+      console.log('PK restored from HUMANENV_MNEMONIC env var.')
+      return { status: 'ready', existing: storedHash ? 'hash' : 'first' }
+    }
+
+    if (!storedHash) {
+      return { status: 'needs_input', existing: 'first' }
+    }
+
+    return { status: 'needs_input', existing: 'hash' }
+  }
+
+  isReady(): boolean {
+    return this.pk !== null
+  }
+
+  getPk(): Uint8Array {
+    if (!this.pk) throw new HumanEnvError(ErrorCode.SERVER_PK_NOT_AVAILABLE)
+    return this.pk as unknown as Uint8Array
+  }
+
+  getMnemonic(): string {
+    if (!this.mnemonic) {
+      this.mnemonic = generateMnemonic()
+    }
+    return this.mnemonic
+  }
+
+  submitMnemonic(mnemonic: string, storedHash: string | null): { hash: string; verified: boolean; firstSetup: boolean } {
+    const trimmed = mnemonic.trim()
+    if (!validateMnemonic(trimmed)) {
+      throw new Error('Invalid mnemonic: must be a 12-word BIP39-compatible phrase')
+    }
+    const derived = derivePkFromMnemonic(trimmed)
+    const hash = hashPkForVerification(derived)
+    
+    if (storedHash && hash !== storedHash) {
+      throw new Error('Mnemonic does not match the stored hash. Data was encrypted with a different key.')
+    }
+
+    this.pk = derived
+    this.mnemonic = trimmed
+    return { hash, verified: true, firstSetup: !storedHash }
+  }
+
+  encrypt(value: string, aad: string): string {
+    return encryptWithPk(value, this.getPk() as any, aad)
+  }
+
+  decrypt(encryptedValue: string, aad: string): string {
+    return decryptWithPk(encryptedValue, this.getPk() as any, aad)
+  }
+
+  clear(): void {
+    this.pk = null
+    this.mnemonic = null
+  }
+}
+
+export { generateFingerprint }

package/packages/server/src/routes/index.ts

@@ -0,0 +1,110 @@
+import { Router } from 'express'
+import { IDatabaseProvider } from '../db/interface'
+import { PkManager } from '../pk-manager'
+import crypto from 'node:crypto'
+
+export function createProjectsRouter(db: IDatabaseProvider, pk: PkManager): Router {
+  const router = Router()
+
+  router.get('/', async (_req, res) => {
+    const projects = await db.listProjects()
+    res.json(projects)
+  })
+
+  router.post('/', async (req, res) => {
+    const { name } = req.body || {}
+    if (!name || typeof name !== 'string') return res.status(400).json({ error: 'name required' })
+    const existing = await db.getProject(name)
+    if (existing) return res.status(409).json({ error: 'Project already exists' })
+    const result = await db.createProject(name)
+    res.status(201).json({ id: result.id })
+  })
+
+  router.delete('/:id', async (req, res) => {
+    await db.deleteProject(req.params.id)
+    res.json({ ok: true })
+  })
+
+  return router
+}
+
+export function createEnvsRouter(db: IDatabaseProvider, pk: PkManager): Router {
+  const router = Router()
+
+  router.get('/project/:projectId', async (req, res) => {
+    const envs = await db.listEnvs(req.params.projectId)
+    res.json(envs)
+  })
+
+  router.post('/project/:projectId', async (req, res) => {
+    const { key, value, apiModeOnly } = req.body || {}
+    if (!key || value === undefined) return res.status(400).json({ error: 'key and value required' })
+    const encrypted = pk.encrypt(value, `${req.params.projectId}:${key}`)
+    const result = await db.createEnv(req.params.projectId, key, encrypted, !!apiModeOnly)
+    res.status(201).json({ id: result.id })
+  })
+
+  router.put('/project/:projectId', async (req, res) => {
+    const { key, value, apiModeOnly } = req.body || {}
+    if (!key || value === undefined) return res.status(400).json({ error: 'key and value required' })
+    const encrypted = pk.encrypt(value, `${req.params.projectId}:${key}`)
+    await db.updateEnv(req.params.projectId, key, encrypted, !!apiModeOnly)
+    res.json({ ok: true })
+  })
+
+  router.delete('/project/:projectId/:key', async (req, res) => {
+    await db.deleteEnv(req.params.projectId, decodeURIComponent(req.params.key))
+    res.json({ ok: true })
+  })
+
+  return router
+}
+
+export function createApiKeysRouter(db: IDatabaseProvider, pk: PkManager): Router {
+  const router = Router()
+
+  router.get('/project/:projectId', async (req, res) => {
+    const keys = await db.listApiKeys(req.params.projectId)
+    res.json(keys)
+  })
+
+  router.post('/project/:projectId', async (req, res) => {
+    const { plainKey, ttl } = req.body || {}
+    const keyToStore = plainKey || crypto.randomUUID()
+    const encrypted = pk.encrypt(keyToStore, `${req.params.projectId}:apikey:${keyToStore.slice(0, 8)}`)
+    const result = await db.createApiKey(req.params.projectId, encrypted, keyToStore, ttl)
+    res.status(201).json({ id: result.id, plainKey: keyToStore })
+  })
+
+  router.delete('/project/:projectId/:id', async (req, res) => {
+    await db.revokeApiKey(req.params.projectId, req.params.id)
+    res.json({ ok: true })
+  })
+
+  return router
+}
+
+export function createWhitelistRouter(db: IDatabaseProvider): Router {
+  const router = Router()
+
+  router.get('/project/:projectId', async (req, res) => {
+    const entries = await db.listWhitelistEntries(req.params.projectId)
+    res.json(entries)
+  })
+
+  router.post('/project/:projectId', async (req, res) => {
+    const { fingerprint, status } = req.body || {}
+    if (!fingerprint) return res.status(400).json({ error: 'fingerprint required' })
+    const result = await db.createWhitelistEntry(req.params.projectId, fingerprint, status || 'approved')
+    res.status(201).json({ id: result.id })
+  })
+
+  router.put('/project/:projectId/:id', async (req, res) => {
+    const { status } = req.body || {}
+    if (!status || !['approved', 'rejected'].includes(status)) return res.status(400).json({ error: 'status must be approved or rejected' })
+    await db.updateWhitelistStatus(req.params.id, status)
+    res.json({ ok: true })
+  })
+
+  return router
+}