npm - iec-builder - Versions diffs - 0.1.0 - Mend

iec-builder 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/.claude/settings.local.json +111 -0
package/.iec.yaml +5 -0
package/CLAUDE.md +174 -0
package/Dockerfile +34 -0
package/README.md +84 -0
package/catalog-info.yaml +11 -0
package/dist/config/env.d.ts +219 -0
package/dist/config/env.d.ts.map +1 -0
package/dist/config/env.js +89 -0
package/dist/config/env.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +148 -0
package/dist/index.js.map +1 -0
package/dist/middleware/auth.d.ts +43 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +217 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/org-access.d.ts +28 -0
package/dist/middleware/org-access.d.ts.map +1 -0
package/dist/middleware/org-access.js +102 -0
package/dist/middleware/org-access.js.map +1 -0
package/dist/models/types.d.ts +254 -0
package/dist/models/types.d.ts.map +1 -0
package/dist/models/types.js +2 -0
package/dist/models/types.js.map +1 -0
package/dist/routes/ai.d.ts +2 -0
package/dist/routes/ai.d.ts.map +1 -0
package/dist/routes/ai.js +77 -0
package/dist/routes/ai.js.map +1 -0
package/dist/routes/audit.d.ts +2 -0
package/dist/routes/audit.d.ts.map +1 -0
package/dist/routes/audit.js +102 -0
package/dist/routes/audit.js.map +1 -0
package/dist/routes/builds.d.ts +2 -0
package/dist/routes/builds.d.ts.map +1 -0
package/dist/routes/builds.js +262 -0
package/dist/routes/builds.js.map +1 -0
package/dist/routes/cluster.d.ts +2 -0
package/dist/routes/cluster.d.ts.map +1 -0
package/dist/routes/cluster.js +181 -0
package/dist/routes/cluster.js.map +1 -0
package/dist/routes/config.d.ts +2 -0
package/dist/routes/config.d.ts.map +1 -0
package/dist/routes/config.js +291 -0
package/dist/routes/config.js.map +1 -0
package/dist/routes/databases.d.ts +2 -0
package/dist/routes/databases.d.ts.map +1 -0
package/dist/routes/databases.js +161 -0
package/dist/routes/databases.js.map +1 -0
package/dist/routes/db-whitelist.d.ts +2 -0
package/dist/routes/db-whitelist.d.ts.map +1 -0
package/dist/routes/db-whitelist.js +148 -0
package/dist/routes/db-whitelist.js.map +1 -0
package/dist/routes/domains.d.ts +2 -0
package/dist/routes/domains.d.ts.map +1 -0
package/dist/routes/domains.js +449 -0
package/dist/routes/domains.js.map +1 -0
package/dist/routes/oauth.d.ts +2 -0
package/dist/routes/oauth.d.ts.map +1 -0
package/dist/routes/oauth.js +180 -0
package/dist/routes/oauth.js.map +1 -0
package/dist/routes/observability.d.ts +2 -0
package/dist/routes/observability.d.ts.map +1 -0
package/dist/routes/observability.js +167 -0
package/dist/routes/observability.js.map +1 -0
package/dist/routes/orgs.d.ts +2 -0
package/dist/routes/orgs.d.ts.map +1 -0
package/dist/routes/orgs.js +270 -0
package/dist/routes/orgs.js.map +1 -0
package/dist/routes/platform.d.ts +2 -0
package/dist/routes/platform.d.ts.map +1 -0
package/dist/routes/platform.js +107 -0
package/dist/routes/platform.js.map +1 -0
package/dist/routes/push.d.ts +2 -0
package/dist/routes/push.d.ts.map +1 -0
package/dist/routes/push.js +233 -0
package/dist/routes/push.js.map +1 -0
package/dist/routes/rotation.d.ts +3 -0
package/dist/routes/rotation.d.ts.map +1 -0
package/dist/routes/rotation.js +154 -0
package/dist/routes/rotation.js.map +1 -0
package/dist/routes/services.d.ts +2 -0
package/dist/routes/services.d.ts.map +1 -0
package/dist/routes/services.js +246 -0
package/dist/routes/services.js.map +1 -0
package/dist/routes/storage.d.ts +2 -0
package/dist/routes/storage.d.ts.map +1 -0
package/dist/routes/storage.js +118 -0
package/dist/routes/storage.js.map +1 -0
package/dist/routes/users.d.ts +2 -0
package/dist/routes/users.d.ts.map +1 -0
package/dist/routes/users.js +183 -0
package/dist/routes/users.js.map +1 -0
package/dist/routes/versions.d.ts +2 -0
package/dist/routes/versions.d.ts.map +1 -0
package/dist/routes/versions.js +195 -0
package/dist/routes/versions.js.map +1 -0
package/dist/routes/webhooks.d.ts +2 -0
package/dist/routes/webhooks.d.ts.map +1 -0
package/dist/routes/webhooks.js +334 -0
package/dist/routes/webhooks.js.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts +2 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js +482 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js.map +1 -0
package/dist/services/bio-client.d.ts +68 -0
package/dist/services/bio-client.d.ts.map +1 -0
package/dist/services/bio-client.js +110 -0
package/dist/services/bio-client.js.map +1 -0
package/dist/services/build-queue.d.ts +7 -0
package/dist/services/build-queue.d.ts.map +1 -0
package/dist/services/build-queue.js +114 -0
package/dist/services/build-queue.js.map +1 -0
package/dist/services/builder.d.ts +7 -0
package/dist/services/builder.d.ts.map +1 -0
package/dist/services/builder.js +1384 -0
package/dist/services/builder.js.map +1 -0
package/dist/services/catalog.d.ts +177 -0
package/dist/services/catalog.d.ts.map +1 -0
package/dist/services/catalog.js +805 -0
package/dist/services/catalog.js.map +1 -0
package/dist/services/catalog.test.d.ts +2 -0
package/dist/services/catalog.test.d.ts.map +1 -0
package/dist/services/catalog.test.js +467 -0
package/dist/services/catalog.test.js.map +1 -0
package/dist/services/cloudflare.d.ts +43 -0
package/dist/services/cloudflare.d.ts.map +1 -0
package/dist/services/cloudflare.js +182 -0
package/dist/services/cloudflare.js.map +1 -0
package/dist/services/config-validator.d.ts +28 -0
package/dist/services/config-validator.d.ts.map +1 -0
package/dist/services/config-validator.js +68 -0
package/dist/services/config-validator.js.map +1 -0
package/dist/services/config-validator.test.d.ts +2 -0
package/dist/services/config-validator.test.d.ts.map +1 -0
package/dist/services/config-validator.test.js +151 -0
package/dist/services/config-validator.test.js.map +1 -0
package/dist/services/crypto.d.ts +19 -0
package/dist/services/crypto.d.ts.map +1 -0
package/dist/services/crypto.js +63 -0
package/dist/services/crypto.js.map +1 -0
package/dist/services/database.d.ts +26 -0
package/dist/services/database.d.ts.map +1 -0
package/dist/services/database.js +100 -0
package/dist/services/database.js.map +1 -0
package/dist/services/db-credential-manager.d.ts +73 -0
package/dist/services/db-credential-manager.d.ts.map +1 -0
package/dist/services/db-credential-manager.js +342 -0
package/dist/services/db-credential-manager.js.map +1 -0
package/dist/services/db-provisioner.d.ts +57 -0
package/dist/services/db-provisioner.d.ts.map +1 -0
package/dist/services/db-provisioner.js +400 -0
package/dist/services/db-provisioner.js.map +1 -0
package/dist/services/db-provisioner.test.d.ts +2 -0
package/dist/services/db-provisioner.test.d.ts.map +1 -0
package/dist/services/db-provisioner.test.js +141 -0
package/dist/services/db-provisioner.test.js.map +1 -0
package/dist/services/db-whitelist.d.ts +58 -0
package/dist/services/db-whitelist.d.ts.map +1 -0
package/dist/services/db-whitelist.js +379 -0
package/dist/services/db-whitelist.js.map +1 -0
package/dist/services/dependency-resolver.d.ts +58 -0
package/dist/services/dependency-resolver.d.ts.map +1 -0
package/dist/services/dependency-resolver.js +180 -0
package/dist/services/dependency-resolver.js.map +1 -0
package/dist/services/dependency-resolver.test.d.ts +2 -0
package/dist/services/dependency-resolver.test.d.ts.map +1 -0
package/dist/services/dependency-resolver.test.js +195 -0
package/dist/services/dependency-resolver.test.js.map +1 -0
package/dist/services/deploy-gate.d.ts +19 -0
package/dist/services/deploy-gate.d.ts.map +1 -0
package/dist/services/deploy-gate.js +56 -0
package/dist/services/deploy-gate.js.map +1 -0
package/dist/services/deploy-gate.test.d.ts +2 -0
package/dist/services/deploy-gate.test.d.ts.map +1 -0
package/dist/services/deploy-gate.test.js +199 -0
package/dist/services/deploy-gate.test.js.map +1 -0
package/dist/services/dockerfile-generator.d.ts +31 -0
package/dist/services/dockerfile-generator.d.ts.map +1 -0
package/dist/services/dockerfile-generator.js +544 -0
package/dist/services/dockerfile-generator.js.map +1 -0
package/dist/services/dockerfile-generator.test.d.ts +2 -0
package/dist/services/dockerfile-generator.test.d.ts.map +1 -0
package/dist/services/dockerfile-generator.test.js +144 -0
package/dist/services/dockerfile-generator.test.js.map +1 -0
package/dist/services/forgejo.d.ts +58 -0
package/dist/services/forgejo.d.ts.map +1 -0
package/dist/services/forgejo.js +131 -0
package/dist/services/forgejo.js.map +1 -0
package/dist/services/koko.d.ts +153 -0
package/dist/services/koko.d.ts.map +1 -0
package/dist/services/koko.js +260 -0
package/dist/services/koko.js.map +1 -0
package/dist/services/kubernetes.d.ts +16 -0
package/dist/services/kubernetes.d.ts.map +1 -0
package/dist/services/kubernetes.js +102 -0
package/dist/services/kubernetes.js.map +1 -0
package/dist/services/oauth-provisioner.d.ts +30 -0
package/dist/services/oauth-provisioner.d.ts.map +1 -0
package/dist/services/oauth-provisioner.js +182 -0
package/dist/services/oauth-provisioner.js.map +1 -0
package/dist/services/oauth-provisioner.test.d.ts +2 -0
package/dist/services/oauth-provisioner.test.d.ts.map +1 -0
package/dist/services/oauth-provisioner.test.js +349 -0
package/dist/services/oauth-provisioner.test.js.map +1 -0
package/dist/services/pod-diagnostics.d.ts +11 -0
package/dist/services/pod-diagnostics.d.ts.map +1 -0
package/dist/services/pod-diagnostics.js +201 -0
package/dist/services/pod-diagnostics.js.map +1 -0
package/dist/services/rotation-scheduler.d.ts +2 -0
package/dist/services/rotation-scheduler.d.ts.map +1 -0
package/dist/services/rotation-scheduler.js +215 -0
package/dist/services/rotation-scheduler.js.map +1 -0
package/dist/services/storage-credential-manager.d.ts +43 -0
package/dist/services/storage-credential-manager.d.ts.map +1 -0
package/dist/services/storage-credential-manager.js +159 -0
package/dist/services/storage-credential-manager.js.map +1 -0
package/dist/services/storage-provisioner.d.ts +32 -0
package/dist/services/storage-provisioner.d.ts.map +1 -0
package/dist/services/storage-provisioner.js +136 -0
package/dist/services/storage-provisioner.js.map +1 -0
package/dist/services/storage.d.ts +65 -0
package/dist/services/storage.d.ts.map +1 -0
package/dist/services/storage.js +204 -0
package/dist/services/storage.js.map +1 -0
package/dist/services/troubleshooter.d.ts +22 -0
package/dist/services/troubleshooter.d.ts.map +1 -0
package/dist/services/troubleshooter.js +168 -0
package/dist/services/troubleshooter.js.map +1 -0
package/dist/services/vault-client.d.ts +114 -0
package/dist/services/vault-client.d.ts.map +1 -0
package/dist/services/vault-client.js +411 -0
package/dist/services/vault-client.js.map +1 -0
package/dist/utils/logger.d.ts +2 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +6 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/response.d.ts +13 -0
package/dist/utils/response.d.ts.map +1 -0
package/dist/utils/response.js +12 -0
package/dist/utils/response.js.map +1 -0
package/docs/registry-migration.md +301 -0
package/docs/registry-quickstart.md +169 -0
package/ecosystem.config.cjs +14 -0
package/findings.md +168 -0
package/helm/default-service/Chart.yaml +6 -0
package/helm/default-service/templates/deployment.yaml +97 -0
package/helm/default-service/templates/ingress.yaml +43 -0
package/helm/default-service/templates/service.yaml +17 -0
package/helm/default-service/values.yaml +82 -0
package/helm/services/iec-builder/Chart.yaml +6 -0
package/helm/services/iec-builder/templates/_helpers.tpl +61 -0
package/helm/services/iec-builder/templates/deployment.yaml +73 -0
package/helm/services/iec-builder/templates/service.yaml +15 -0
package/helm/services/iec-builder/templates/serviceaccount.yaml +12 -0
package/helm/services/iec-builder/values.yaml +56 -0
package/helm/vault-values.yaml +127 -0
package/package.json +45 -0
package/progress.md +156 -0
package/scripts/.vault-init-keys.json +23 -0
package/scripts/backfill-ownership.ts +113 -0
package/scripts/finalize-mongo-auth.sh +212 -0
package/scripts/setup-ipset.sh +107 -0
package/scripts/setup-mongo-auth.sh +163 -0
package/scripts/setup-neo4j-auth.sh +62 -0
package/scripts/setup-redis-auth.sh +55 -0
package/scripts/setup-registry-secret.sh +71 -0
package/scripts/setup-vault.sh +308 -0
package/src/config/env.ts +117 -0
package/src/index.ts +153 -0
package/src/middleware/auth.ts +294 -0
package/src/middleware/org-access.ts +126 -0
package/src/models/types.ts +288 -0
package/src/routes/ai.ts +115 -0
package/src/routes/audit.ts +121 -0
package/src/routes/builds.ts +320 -0
package/src/routes/cluster.ts +235 -0
package/src/routes/config.ts +369 -0
package/src/routes/databases.ts +201 -0
package/src/routes/db-whitelist.ts +204 -0
package/src/routes/domains.ts +547 -0
package/src/routes/oauth.ts +195 -0
package/src/routes/observability.ts +205 -0
package/src/routes/orgs.ts +330 -0
package/src/routes/platform.ts +134 -0
package/src/routes/rotation.ts +191 -0
package/src/routes/services.ts +290 -0
package/src/routes/storage.ts +153 -0
package/src/routes/users.ts +235 -0
package/src/routes/webhooks.ts +384 -0
package/src/services/__tests__/catalog-storage.test.ts +186 -0
package/src/services/__tests__/deploy-pipeline.integration.test.ts +624 -0
package/src/services/__tests__/pod-diagnostics.test.ts +332 -0
package/src/services/__tests__/storage-credential-manager.test.ts +129 -0
package/src/services/__tests__/storage-provisioner.test.ts +166 -0
package/src/services/__tests__/troubleshooter.test.ts +329 -0
package/src/services/bio-client.ts +189 -0
package/src/services/build-queue.ts +137 -0
package/src/services/builder.ts +1800 -0
package/src/services/catalog.test.ts +1389 -0
package/src/services/catalog.ts +1187 -0
package/src/services/cloudflare.ts +259 -0
package/src/services/config-validator.test.ts +190 -0
package/src/services/config-validator.ts +108 -0
package/src/services/crypto.ts +78 -0
package/src/services/database.ts +122 -0
package/src/services/db-credential-manager.test.ts +101 -0
package/src/services/db-credential-manager.ts +447 -0
package/src/services/db-provisioner.test.ts +602 -0
package/src/services/db-provisioner.ts +589 -0
package/src/services/db-whitelist.test.ts +671 -0
package/src/services/db-whitelist.ts +496 -0
package/src/services/dependency-resolver.test.ts +677 -0
package/src/services/dependency-resolver.ts +319 -0
package/src/services/deploy-gate.test.ts +247 -0
package/src/services/deploy-gate.ts +75 -0
package/src/services/dockerfile-generator.test.ts +401 -0
package/src/services/dockerfile-generator.ts +606 -0
package/src/services/forgejo.ts +212 -0
package/src/services/koko.ts +492 -0
package/src/services/kubernetes.ts +141 -0
package/src/services/oauth-provisioner.test.ts +477 -0
package/src/services/oauth-provisioner.ts +286 -0
package/src/services/pod-diagnostics.ts +261 -0
package/src/services/rotation-scheduler.ts +293 -0
package/src/services/storage-credential-manager.ts +223 -0
package/src/services/storage-provisioner.ts +216 -0
package/src/services/storage.ts +274 -0
package/src/services/troubleshooter.ts +208 -0
package/src/services/vault-client.test.ts +272 -0
package/src/services/vault-client.ts +587 -0
package/src/utils/logger.ts +6 -0
package/src/utils/response.ts +23 -0
package/task_plan.md +171 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +19 -0

package/src/config/env.ts ADDED Viewed

@@ -0,0 +1,117 @@
+import { z } from 'zod'
+import { config } from 'dotenv'
+import { fileURLToPath } from 'node:url'
+import { dirname, resolve } from 'node:path'
+const __dirname = dirname(fileURLToPath(import.meta.url))
+config({ path: resolve(__dirname, '../../.env'), override: true })
+const envSchema = z.object({
+  NODE_ENV: z.enum(['development', 'staging', 'production', 'test']).default('development'),
+  PORT: z.string().transform(Number).default('3002'),
+  LOG_LEVEL: z.enum(['fatal', 'error', 'warn', 'info', 'debug', 'trace']).default('info'),
+  // Database
+  MONGODB_URI: z.string().default('mongodb://localhost:27017/builder'),
+  BIO_MONGODB_URI: z.string().default('mongodb://localhost:27017/bio'),
+  REDIS_URL: z.string().default('redis://localhost:6379'),
+  // Database provisioning hosts (used by db-provisioner for tenant DBs)
+  DB_MONGODB_ADMIN_URI: z.string().default(''),  // Admin connection for per-service credential management
+  DB_MONGODB_HOST: z.string().default('localhost'),
+  DB_MONGODB_PUBLIC_HOST: z.string().default(''),  // Public IP for external DB connections (whitelist feature)
+  DB_MONGODB_PORT: z.string().transform(Number).default('27017'),
+  DB_REDIS_ADMIN_URL: z.string().default(''),  // Admin connection for per-service Redis ACL management
+  DB_REDIS_HOST: z.string().default('localhost'),
+  DB_REDIS_PORT: z.string().transform(Number).default('6379'),
+  DB_NEO4J_ADMIN_URI: z.string().default(''),  // Admin connection for per-service Neo4j auth management
+  DB_NEO4J_ADMIN_USER: z.string().default(''),
+  DB_NEO4J_ADMIN_PASSWORD: z.string().default(''),
+  DB_NEO4J_HOST: z.string().default('localhost'),
+  DB_NEO4J_PORT: z.string().transform(Number).default('7687'),
+  // MinIO object storage (Vault-managed — admin creds live in Vault KV only)
+  MINIO_HOST: z.string().default('64.23.181.20'),
+  MINIO_PORT: z.string().transform(Number).default('9000'),
+  // Koko integration
+  KOKO_URL: z.string().default('https://koko.tawa.insureco.io'),
+  // Bio-ID OAuth provider
+  BIO_ID_URL: z.string().default('https://bio.tawa.insureco.io'),
+  BIO_INTERNAL_KEY: z.string().default(''),
+  // Build configuration
+  WORKSPACE_DIR: z.string().default('/tmp/iec-builds'),
+  DOCKER_REGISTRY: z.string().default('registry.insureco.io/insureco'),
+  DOCKER_REGISTRY_USER: z.string().default(''),  // Username for Docker registry auth
+  DOCKER_REGISTRY_TOKEN: z.string().default(''),  // Token/password for Docker registry auth
+  // Tarball upload limits
+  MAX_UPLOAD_SIZE_MB: z.string().transform(Number).default('500'),
+  // Framework detection and Dockerfile generation
+  ENABLE_AUTO_DOCKERFILE: z.string().default('true'),
+  // Catalog version enforcement (reject deploys below minimum catalog schema version)
+  ENFORCE_MINIMUM_CATALOG_VERSION: z.string().default('false'),
+  // Kubernetes
+  KUBECONFIG: z.string().default(''),
+  K8S_NAMESPACE: z.string().default('iec-platform'),
+  ENABLE_K8S_DEPLOY: z.string().default('false'),
+  // Cloudflare DNS
+  CLOUDFLARE_API_TOKEN: z.string().default(''),
+  CLOUDFLARE_ZONE_ID: z.string().default('0945f68a0f28faa9d93721b572586737'),
+  INGRESS_TARGET: z.string().default(''),
+  ENABLE_DNS_MANAGEMENT: z.string().default('false'),
+  // Forgejo (git.insureco.io) access for cloning private repos
+  FORGEJO_URL: z.string().default('https://git.insureco.io'),
+  FORGEJO_TOKEN: z.string().default(''),
+  FORGEJO_ADMIN_USER: z.string().default(''),
+  FORGEJO_ADMIN_PASSWORD: z.string().default(''),
+  // GitHub access for cloning private repos (PAT with repo scope)
+  GITHUB_TOKEN: z.string().default(''),
+  // Webhook secrets (for verifying GitHub/GitLab signatures)
+  GITHUB_WEBHOOK_SECRET: z.string().default(''),
+  GITLAB_WEBHOOK_SECRET: z.string().default(''),
+  // Wallet (deploy gate)
+  WALLET_URL: z.string().default(''),
+  INTERNAL_SERVICE_KEY: z.string().default(''),
+  // Build worker concurrency (max parallel builds)
+  BUILD_CONCURRENCY: z.string().transform(Number).default('3'),
+  // HashiCorp Vault (Phase 2: dynamic credentials)
+  VAULT_ADDR: z.string().default(''),      // Vault API address (e.g., http://vault.vault.svc.cluster.local:8200)
+  VAULT_TOKEN: z.string().default(''),     // Builder's Vault token for role management
+  VAULT_ENABLED: z.string().default('false'),  // Feature flag: 'true' to use Vault dynamic credentials
+  // Credential rotation
+  ROTATION_TTL_DAYS: z.string().transform(Number).default('30'),
+  RELAY_DIRECT_URL: z.string().default(''),      // InsureRelay URL for rotation notifications
+  RELAY_INTERNAL_KEY: z.string().default(''),     // Auth key for relay service
+  // AI proxy
+  ANTHROPIC_API_KEY: z.string().default(''),
+})
+export type Env = z.infer<typeof envSchema>
+export function loadEnv(): Env {
+  const result = envSchema.safeParse(process.env)
+  if (!result.success) {
+    const formatted = result.error.format()
+    throw new Error(`Invalid environment configuration: ${JSON.stringify(formatted, null, 2)}`)
+  }
+  return result.data
+}
+export const env = loadEnv()

package/src/index.ts ADDED Viewed

@@ -0,0 +1,153 @@
+import express from 'express'
+import { pinoHttp } from 'pino-http'
+import { env } from './config/env.js'
+import { logger } from './utils/logger.js'
+import { apiError } from './utils/response.js'
+import { authenticate } from './middleware/auth.js'
+import { connectDatabase, connectRedis, checkConnections, closeConnections } from './services/database.js'
+import { recoverStaleBuilds } from './services/builder.js'
+import { initBuildQueue, initBuildWorker, closeBuildQueue } from './services/build-queue.js'
+import { webhooksRouter } from './routes/webhooks.js'
+import { buildsRouter } from './routes/builds.js'
+import { servicesRouter } from './routes/services.js'
+import { oauthRouter } from './routes/oauth.js'
+import { configRouter } from './routes/config.js'
+import { aiRouter } from './routes/ai.js'
+import { usersRouter } from './routes/users.js'
+import { domainsRouter } from './routes/domains.js'
+import { databasesRouter } from './routes/databases.js'
+import { clusterRouter } from './routes/cluster.js'
+import { orgsRouter } from './routes/orgs.js'
+import { dbWhitelistRouter } from './routes/db-whitelist.js'
+import { storageRouter } from './routes/storage.js'
+import { rotationRouter, rotationDashboardRouter } from './routes/rotation.js'
+import { observabilityRouter } from './routes/observability.js'
+import { auditRouter } from './routes/audit.js'
+import { platformRouter } from './routes/platform.js'
+import { reconcileOnStartup } from './services/db-whitelist.js'
+import { startRotationScheduler } from './services/rotation-scheduler.js'
+const app = express()
+// Middleware
+app.use(express.json({ limit: `${env.MAX_UPLOAD_SIZE_MB}mb` }))
+app.use(pinoHttp({ logger }))
+// Health check
+app.get('/health', (_req, res) => {
+  res.json({ status: 'ok', service: 'iec-builder' })
+})
+// Readiness check
+app.get('/ready', async (_req, res) => {
+  const connections = await checkConnections()
+  if (connections.mongodb && connections.redis) {
+    res.json({ status: 'ready', connections })
+  } else {
+    res.status(503).json({ status: 'not ready', connections })
+  }
+})
+// Routes
+app.use('/webhooks', webhooksRouter)
+app.use('/builds', authenticate, buildsRouter)
+app.use('/services', authenticate, servicesRouter)
+app.use('/oauth', authenticate, oauthRouter)
+app.use('/services', authenticate, configRouter)  // Config sub-routes: /services/:name/config
+app.use('/ai', authenticate, aiRouter)
+app.use('/users', authenticate, usersRouter)
+app.use('/domains', authenticate, domainsRouter)
+app.use('/services', authenticate, databasesRouter)  // Database credential sub-routes: /services/:name/databases
+app.use('/cluster', authenticate, clusterRouter)
+app.use('/orgs', authenticate, orgsRouter)
+app.use('/services', authenticate, dbWhitelistRouter)  // DB whitelist sub-routes: /services/:name/databases/whitelist
+app.use('/databases', authenticate, dbWhitelistRouter)  // Global whitelist: /databases/whitelist
+app.use('/services', authenticate, storageRouter)       // Storage sub-routes: /services/:name/storage
+app.use('/services', authenticate, rotationRouter)      // Rotation sub-routes: /services/:name/rotation
+app.use('/rotation', authenticate, rotationDashboardRouter)  // Platform-wide: /rotation/upcoming
+app.use('/services', authenticate, observabilityRouter)  // Observability sub-routes: /services/:name/pods, /pods/logs, /troubleshoot
+app.use('/audit', authenticate, auditRouter)  // Audit log: /audit/events
+app.use('/platform', authenticate, platformRouter)  // Platform admin: /platform/dashboard
+// Error handler
+app.use((err: Error, _req: express.Request, res: express.Response, _next: express.NextFunction) => {
+  logger.error({ err }, 'Unhandled error')
+  res.status(500).json(apiError('INTERNAL_ERROR', 'Internal server error'))
+})
+// Start server
+async function start(): Promise<void> {
+  try {
+    logger.info('Connecting to MongoDB...')
+    await connectDatabase()
+    logger.info('MongoDB connected ✓')
+    logger.info('GridFS initialized for tarball storage ✓')
+    logger.info('Connecting to Redis...')
+    await connectRedis()
+    logger.info('Redis connected ✓')
+    // Recover builds left in active states from previous crash/restart
+    const recovered = await recoverStaleBuilds(0)
+    if (recovered > 0) {
+      logger.info({ recovered }, 'Recovered stale builds on startup')
+    }
+    // Initialize BullMQ build queue and worker
+    await initBuildQueue()
+    initBuildWorker()
+    // Graceful shutdown: drain active builds before exiting
+    const shutdown = async () => {
+      logger.info('Shutdown signal received — draining builds...')
+      await closeBuildQueue()
+      await closeConnections()
+      process.exit(0)
+    }
+    process.once('SIGTERM', shutdown)
+    process.once('SIGINT', shutdown)
+    // Reconcile ipset whitelist entries with DB records
+    reconcileOnStartup().catch(err => {
+      logger.error({ err }, 'Whitelist reconciliation failed')
+    })
+    // Start credential rotation scheduler
+    startRotationScheduler().catch(err => {
+      logger.error({ err }, 'Rotation scheduler crashed')
+    })
+    // Validate critical env vars at startup
+    const criticalWarnings: string[] = []
+    if (!process.env.CONFIG_ENCRYPTION_KEY) criticalWarnings.push('CONFIG_ENCRYPTION_KEY not set — managed secrets will fail')
+    if (!env.BIO_INTERNAL_KEY) criticalWarnings.push('BIO_INTERNAL_KEY not set — OAuth provisioning will fail')
+    if (!env.CLOUDFLARE_API_TOKEN) criticalWarnings.push('CLOUDFLARE_API_TOKEN not set — DNS management will fail')
+    if (!env.KUBECONFIG) criticalWarnings.push('KUBECONFIG not set — K8s deployments may fail')
+    if (!env.DB_MONGODB_ADMIN_URI) criticalWarnings.push('DB_MONGODB_ADMIN_URI not set — MongoDB credentials will not be provisioned')
+    if (!env.DB_REDIS_ADMIN_URL) criticalWarnings.push('DB_REDIS_ADMIN_URL not set — Redis credentials will not be provisioned')
+    if (!env.DB_NEO4J_ADMIN_URI) criticalWarnings.push('DB_NEO4J_ADMIN_URI not set — Neo4j credentials will not be provisioned')
+    if (env.VAULT_ENABLED !== 'true') criticalWarnings.push('VAULT_ENABLED not set — storage provisioning (MinIO) will not be available')
+    for (const warning of criticalWarnings) {
+      logger.warn(`STARTUP: ${warning}`)
+    }
+    app.listen(env.PORT, () => {
+      logger.info(`iec-builder running on port ${env.PORT}`)
+      logger.info(`Environment: ${env.NODE_ENV}`)
+      logger.info(`Workspace: ${env.WORKSPACE_DIR}`)
+      logger.info(`Registry: ${env.DOCKER_REGISTRY}`)
+      logger.info(`K8s deploy: ${env.ENABLE_K8S_DEPLOY}`)
+      logger.info(`DNS management: ${env.ENABLE_DNS_MANAGEMENT}`)
+      logger.info(`Auto-Dockerfile: ${env.ENABLE_AUTO_DOCKERFILE}`)
+      logger.info(`Max upload size: ${env.MAX_UPLOAD_SIZE_MB}MB`)
+      if (criticalWarnings.length > 0) {
+        logger.warn(`${criticalWarnings.length} critical warning(s) — check logs above`)
+      }
+    })
+  } catch (error) {
+    logger.error({ error }, 'Failed to start server')
+    process.exit(1)
+  }
+}
+start()

package/src/middleware/auth.ts ADDED Viewed

@@ -0,0 +1,294 @@
+import { Request, Response, NextFunction } from 'express'
+import { env } from '../config/env.js'
+import { logger } from '../utils/logger.js'
+import { apiError } from '../utils/response.js'
+export interface AuthenticatedUser {
+  id: string
+  email: string
+  name?: string
+  roles: string[]
+  org?: string      // Org slug (for service ownership, wallet derivation)
+  orgId?: string    // Canonical ORG-xxx identifier (for Bio-ID admin calls)
+}
+export type OrgRole = 'viewer' | 'member' | 'admin'
+export const ORG_ROLE_HIERARCHY: Record<OrgRole, number> = {
+  viewer: 1,
+  member: 2,
+  admin: 3,
+}
+/**
+ * Derive the effective org role from a user's roles array.
+ * Explicit org:admin > admin > org:member > member > default viewer
+ */
+export function deriveOrgRole(roles: string[]): OrgRole {
+  if (roles.includes('org:admin') || roles.includes('admin')) return 'admin'
+  if (roles.includes('org:member') || roles.includes('member')) return 'member'
+  if (roles.includes('org:viewer') || roles.includes('viewer')) return 'viewer'
+  return 'viewer'
+}
+export interface AuthenticatedRequest extends Request {
+  user?: AuthenticatedUser
+}
+/**
+ * Validate Bearer token from Authorization header
+ * Tries Koko CLI token verification first, then bio-id JWT introspection
+ */
+export async function validateToken(
+  req: AuthenticatedRequest,
+  res: Response,
+  next: NextFunction
+): Promise<void> {
+  const authHeader = req.headers.authorization
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    res.status(401).json(apiError('UNAUTHORIZED', 'Missing or invalid authorization header'))
+    return
+  }
+  const token = authHeader.substring(7)
+  try {
+    // Try Koko CLI token verification first (iec CLI uses these)
+    const kokoUrl = env.KOKO_URL || 'https://koko.tawa.insureco.io'
+    const kokoResponse = await fetch(`${kokoUrl}/api/auth/verify`, {
+      headers: {
+        Authorization: `Bearer ${token}`,
+      },
+    })
+    if (kokoResponse.ok) {
+      const kokoResult = await kokoResponse.json() as {
+        success: boolean
+        data?: { id: string; email: string; name: string; org?: string; orgId?: string; roles?: string[] }
+      }
+      if (kokoResult.success && kokoResult.data) {
+        req.user = {
+          id: kokoResult.data.id,
+          email: kokoResult.data.email,
+          name: kokoResult.data.name,
+          roles: kokoResult.data.roles || ['admin'],
+          org: kokoResult.data.org,
+          orgId: kokoResult.data.orgId,
+        }
+        next()
+        return
+      }
+    }
+    // Fall back to bio-id JWT introspection
+    const bioIdUrl = env.BIO_ID_URL || 'https://bio.tawa.insureco.io'
+    const response = await fetch(`${bioIdUrl}/api/auth/introspect`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ token }),
+    })
+    if (!response.ok) {
+      logger.warn({ status: response.status }, 'Token validation failed (both Koko and bio-id)')
+      res.status(401).json(apiError('UNAUTHORIZED', 'Invalid or expired token'))
+      return
+    }
+    const result = await response.json() as {
+      active: boolean
+      user?: AuthenticatedUser
+      org_id?: string    // ORG-xxx (canonical)
+      org_slug?: string  // URL-friendly slug
+      organization_name?: string
+    }
+    if (!result.active || !result.user) {
+      res.status(401).json(apiError('UNAUTHORIZED', 'Token is not active'))
+      return
+    }
+    // Populate org (slug) and orgId (ORG-xxx) from introspection response.
+    const org = result.user.org
+      || result.org_slug
+    const orgId = result.org_id
+    req.user = { ...result.user, org, orgId }
+    next()
+  } catch (error) {
+    logger.error({ error }, 'Token validation error')
+    res.status(500).json(apiError('AUTH_ERROR', 'Failed to validate token'))
+  }
+}
+/**
+ * Simple API key authentication for CLI tools
+ * API keys are scoped to services and stored in the service record
+ */
+export async function validateApiKey(
+  req: AuthenticatedRequest,
+  res: Response,
+  next: NextFunction
+): Promise<void> {
+  const apiKey = req.headers['x-api-key'] as string
+  if (!apiKey) {
+    res.status(401).json(apiError('UNAUTHORIZED', 'Missing API key'))
+    return
+  }
+  try {
+    // Validate API key format: iec_<service-id>_<random-bytes>
+    if (!apiKey.startsWith('iec_')) {
+      res.status(401).json(apiError('UNAUTHORIZED', 'Invalid API key format'))
+      return
+    }
+    // Extract service ID from API key
+    const parts = apiKey.split('_')
+    if (parts.length < 3) {
+      res.status(401).json(apiError('UNAUTHORIZED', 'Invalid API key format'))
+      return
+    }
+    const serviceId = parts[1]
+    // Validate with koko service registry
+    const kokoUrl = env.KOKO_URL || 'https://koko.tawa.insureco.io'
+    const response = await fetch(`${kokoUrl}/api/services/${serviceId}/validate-key`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ apiKey }),
+    })
+    if (!response.ok) {
+      logger.warn({ serviceId, status: response.status }, 'API key validation failed')
+      res.status(401).json(apiError('UNAUTHORIZED', 'Invalid API key'))
+      return
+    }
+    const result = await response.json() as { valid: boolean; serviceId: string; serviceName: string }
+    if (!result.valid) {
+      res.status(401).json(apiError('UNAUTHORIZED', 'API key is not valid'))
+      return
+    }
+    // Set user info from API key validation
+    const user: AuthenticatedUser = {
+      id: `service:${result.serviceId}`,
+      email: `${result.serviceName}@services.iec`,
+      name: result.serviceName,
+      roles: ['service'],
+    }
+    req.user = user
+    // Store service info for downstream use
+    ;(req as Request & { serviceId: string }).serviceId = result.serviceId
+    next()
+  } catch (error) {
+    logger.error({ error }, 'API key validation error')
+    res.status(500).json(apiError('AUTH_ERROR', 'Failed to validate API key'))
+  }
+}
+/**
+ * Combined auth middleware - accepts internal key, Bearer token, or API key.
+ * Internal key is used for trusted platform services (tawa-web, etc).
+ */
+export async function authenticate(
+  req: AuthenticatedRequest,
+  res: Response,
+  next: NextFunction
+): Promise<void> {
+  // Platform service-to-service auth via shared internal key
+  const internalKey = req.headers['x-internal-key'] as string
+  if (internalKey && env.INTERNAL_SERVICE_KEY && internalKey === env.INTERNAL_SERVICE_KEY) {
+    req.user = {
+      id: 'service:platform',
+      email: 'platform@internal.iec',
+      name: 'Platform Service',
+      roles: ['admin', 'service'],
+    }
+    next()
+    return
+  }
+  const authHeader = req.headers.authorization
+  const apiKey = req.headers['x-api-key']
+  if (authHeader && authHeader.startsWith('Bearer ')) {
+    return validateToken(req, res, next)
+  }
+  if (apiKey) {
+    return validateApiKey(req, res, next)
+  }
+  res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'))
+}
+/**
+ * Require specific roles
+ */
+export function requireRoles(...roles: string[]) {
+  return (req: AuthenticatedRequest, res: Response, next: NextFunction): void => {
+    if (!req.user) {
+      res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'))
+      return
+    }
+    const hasRole = roles.some(role => req.user!.roles.includes(role))
+    if (!hasRole) {
+      res.status(403).json(apiError('FORBIDDEN', `Required roles: ${roles.join(', ')}`))
+      return
+    }
+    next()
+  }
+}
+/**
+ * Validate webhook signature from GitHub
+ */
+export function validateGitHubWebhook(
+  req: Request,
+  res: Response,
+  next: NextFunction
+): void {
+  const signature = req.headers['x-hub-signature-256'] as string
+  const secret = env.GITHUB_WEBHOOK_SECRET
+  if (!secret) {
+    logger.warn('GitHub webhook secret not configured')
+    next()
+    return
+  }
+  if (!signature) {
+    res.status(401).json(apiError('UNAUTHORIZED', 'Missing webhook signature'))
+    return
+  }
+  const payload = JSON.stringify(req.body)
+  const expectedSignature = `sha256=${createHmacSignature(payload, secret)}`
+  if (signature !== expectedSignature) {
+    logger.warn('Invalid GitHub webhook signature')
+    res.status(401).json(apiError('UNAUTHORIZED', 'Invalid webhook signature'))
+    return
+  }
+  next()
+}
+function createHmacSignature(payload: string, secret: string): string {
+  const { createHmac } = require('crypto')
+  return createHmac('sha256', secret).update(payload).digest('hex')
+}

package/src/middleware/org-access.ts ADDED Viewed

@@ -0,0 +1,126 @@
+import { Response, NextFunction } from 'express'
+import { getServicesCollection } from '../services/database.js'
+import { apiError } from '../utils/response.js'
+import { logger } from '../utils/logger.js'
+import type { AuthenticatedRequest, OrgRole } from './auth.js'
+import { deriveOrgRole, ORG_ROLE_HIERARCHY } from './auth.js'
+import type { Service } from '../models/types.js'
+export interface ServiceScopedRequest extends AuthenticatedRequest {
+  service?: Service
+}
+/**
+ * Extract a service identifier from the request.
+ * Checks route params first, then request body.
+ */
+function extractServiceIdentifier(req: ServiceScopedRequest): string | undefined {
+  return (
+    req.params.serviceId ||
+    req.params.serviceName ||
+    req.body?.serviceId ||
+    req.body?.serviceName
+  )
+}
+/**
+ * Middleware: Verify the authenticated user belongs to the same org as the service.
+ *
+ * - Loads the service from DB and attaches it to `req.service`
+ * - Super admins and platform services bypass the check
+ * - Legacy services without `org` allow access (will be backfilled)
+ */
+export function requireOrgAccess() {
+  return async (req: ServiceScopedRequest, res: Response, next: NextFunction): Promise<void> => {
+    if (!req.user) {
+      res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'))
+      return
+    }
+    // Platform service and super_admin bypass
+    if (req.user.roles.includes('super_admin') || req.user.roles.includes('service')) {
+      next()
+      return
+    }
+    const serviceId = extractServiceIdentifier(req)
+    if (!serviceId) {
+      // Let the route handler deal with missing params
+      next()
+      return
+    }
+    try {
+      const services = getServicesCollection()
+      const service = await services.findOne({
+        $or: [{ id: serviceId }, { name: serviceId }],
+      })
+      if (!service) {
+        res.status(404).json(apiError('NOT_FOUND', 'Service not found'))
+        return
+      }
+      // Legacy services without org: allow access, log for visibility
+      if (!service.org) {
+        logger.debug({ serviceName: service.name }, 'Service has no org set — allowing access (legacy)')
+        req.service = service
+        next()
+        return
+      }
+      // Org match check
+      if (req.user.org !== service.org) {
+        res.status(403).json(apiError('FORBIDDEN', 'Service belongs to a different organization'))
+        return
+      }
+      req.service = service
+      next()
+    } catch (error) {
+      logger.error({ error }, 'Error in requireOrgAccess middleware')
+      next(error)
+    }
+  }
+}
+/**
+ * Middleware: Require a minimum org role level.
+ *
+ * Role hierarchy: viewer (1) < member (2) < admin (3)
+ * Roles are derived from the user's JWT/token claims:
+ *   - org:admin or admin → admin
+ *   - org:member or member → member
+ *   - org:viewer or viewer → viewer
+ *   - default → viewer
+ *
+ * Super admins and platform services always pass.
+ */
+export function requireOrgRole(minimumRole: OrgRole) {
+  const minimumLevel = ORG_ROLE_HIERARCHY[minimumRole]
+  return (req: ServiceScopedRequest, res: Response, next: NextFunction): void => {
+    if (!req.user) {
+      res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'))
+      return
+    }
+    // Super admin and platform service bypass
+    if (req.user.roles.includes('super_admin') || req.user.roles.includes('service')) {
+      next()
+      return
+    }
+    const effectiveRole = deriveOrgRole(req.user.roles)
+    const effectiveLevel = ORG_ROLE_HIERARCHY[effectiveRole]
+    if (effectiveLevel < minimumLevel) {
+      res.status(403).json(
+        apiError('FORBIDDEN', `Requires org role: ${minimumRole} (you have: ${effectiveRole})`)
+      )
+      return
+    }
+    next()
+  }
+}