iec-builder 0.1.0

package/dist/routes/oauth.js

@@ -0,0 +1,180 @@
+import { Router } from 'express';
+import { z } from 'zod';
+import { apiResponse, apiError } from '../utils/response.js';
+import { getBioClient, extractRequestMeta } from '../services/bio-client.js';
+import { logger } from '../utils/logger.js';
+export const oauthRouter = Router();
+// Zod schemas for first-pass validation
+const CreateClientSchema = z.object({
+    name: z.string().min(1).max(100),
+    description: z.string().optional(),
+    redirectUris: z.array(z.string().url()).min(1),
+    allowedScopes: z.array(z.string()).default(['openid', 'profile', 'email']),
+    allowedGrantTypes: z.array(z.string()).default(['authorization_code', 'refresh_token']),
+    isConfidential: z.boolean().default(true),
+    accessTokenTtl: z.number().int().min(60).max(86400).optional(),
+    refreshTokenTtl: z.number().int().min(3600).max(2592000).optional(),
+});
+const UpdateClientSchema = z.object({
+    name: z.string().min(1).max(100).optional(),
+    description: z.string().optional(),
+    redirectUris: z.array(z.string().url()).optional(),
+    allowedScopes: z.array(z.string()).optional(),
+    allowedGrantTypes: z.array(z.string()).optional(),
+    isActive: z.boolean().optional(),
+    accessTokenTtl: z.number().int().min(60).max(86400).optional(),
+    refreshTokenTtl: z.number().int().min(3600).max(2592000).optional(),
+});
+function handleUpstreamResponse(res, result, successStatus = 200) {
+    if (result.success) {
+        res.status(successStatus).json(apiResponse(result.data));
+    }
+    else if (result.error?.code === 'UPSTREAM_ERROR') {
+        res.status(502).json(apiError('UPSTREAM_ERROR', result.error.message));
+    }
+    else {
+        const status = result.error?.code === 'NOT_FOUND' ? 404
+            : result.error?.code === 'CONFLICT' ? 409
+                : result.error?.code === 'UNAUTHORIZED' ? 401
+                    : result.error?.code === 'FORBIDDEN' ? 403
+                        : result.error?.code === 'VALIDATION_ERROR' ? 400
+                            : 500;
+        res.status(status).json(apiError(result.error?.code || 'ERROR', result.error?.message || 'Unknown error'));
+    }
+}
+// List all OAuth clients
+oauthRouter.get('/clients', async (req, res, next) => {
+    try {
+        const bio = getBioClient();
+        const meta = extractRequestMeta(req);
+        const result = await bio.listClients(meta);
+        handleUpstreamResponse(res, result);
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// Get single OAuth client
+oauthRouter.get('/clients/:clientId', async (req, res, next) => {
+    try {
+        const { clientId } = req.params;
+        const bio = getBioClient();
+        const meta = extractRequestMeta(req);
+        const result = await bio.getClient(clientId, meta);
+        handleUpstreamResponse(res, result);
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// Create new OAuth client
+oauthRouter.post('/clients', async (req, res, next) => {
+    try {
+        const parsed = CreateClientSchema.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid request', parsed.error.flatten()));
+            return;
+        }
+        const bio = getBioClient();
+        const meta = extractRequestMeta(req);
+        const result = await bio.createClient(parsed.data, meta);
+        logger.info({ name: parsed.data.name }, 'OAuth client creation proxied to bio-id');
+        handleUpstreamResponse(res, result, 201);
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// Update OAuth client
+oauthRouter.patch('/clients/:clientId', async (req, res, next) => {
+    try {
+        const { clientId } = req.params;
+        const parsed = UpdateClientSchema.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid request', parsed.error.flatten()));
+            return;
+        }
+        const bio = getBioClient();
+        const meta = extractRequestMeta(req);
+        const result = await bio.updateClient(clientId, parsed.data, meta);
+        logger.info({ clientId }, 'OAuth client update proxied to bio-id');
+        handleUpstreamResponse(res, result);
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// Add redirect URI to client
+oauthRouter.post('/clients/:clientId/redirect-uris', async (req, res, next) => {
+    try {
+        const { clientId } = req.params;
+        const { uri } = req.body;
+        if (!uri || typeof uri !== 'string') {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'URI is required'));
+            return;
+        }
+        try {
+            new URL(uri);
+        }
+        catch {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid URI format'));
+            return;
+        }
+        const bio = getBioClient();
+        const meta = extractRequestMeta(req);
+        const result = await bio.addRedirectUri(clientId, uri, meta);
+        logger.info({ clientId, uri }, 'Redirect URI add proxied to bio-id');
+        handleUpstreamResponse(res, result);
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// Remove redirect URI from client
+oauthRouter.delete('/clients/:clientId/redirect-uris', async (req, res, next) => {
+    try {
+        const { clientId } = req.params;
+        const { uri } = req.body;
+        if (!uri || typeof uri !== 'string') {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'URI is required'));
+            return;
+        }
+        const bio = getBioClient();
+        const meta = extractRequestMeta(req);
+        const result = await bio.removeRedirectUri(clientId, uri, meta);
+        logger.info({ clientId, uri }, 'Redirect URI remove proxied to bio-id');
+        handleUpstreamResponse(res, result);
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// Regenerate client secret
+oauthRouter.post('/clients/:clientId/regenerate-secret', async (req, res, next) => {
+    try {
+        const { clientId } = req.params;
+        const bio = getBioClient();
+        const meta = extractRequestMeta(req);
+        const result = await bio.regenerateSecret(clientId, meta);
+        logger.info({ clientId }, 'OAuth client secret regeneration proxied to bio-id');
+        handleUpstreamResponse(res, result);
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// Delete OAuth client
+oauthRouter.delete('/clients/:clientId', async (req, res, next) => {
+    try {
+        const { clientId } = req.params;
+        const bio = getBioClient();
+        const meta = extractRequestMeta(req);
+        const result = await bio.deleteClient(clientId, meta);
+        logger.info({ clientId }, 'OAuth client deletion proxied to bio-id');
+        handleUpstreamResponse(res, result);
+    }
+    catch (err) {
+        next(err);
+    }
+});
+//# sourceMappingURL=oauth.js.map

package/dist/routes/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/routes/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AAC5D,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC5E,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAE3C,MAAM,CAAC,MAAM,WAAW,GAAG,MAAM,EAAE,CAAA;AAEnC,wCAAwC;AACxC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IAChC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9C,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC1E,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,oBAAoB,EAAE,eAAe,CAAC,CAAC;IACvF,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACzC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE;IAC9D,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE;CACpE,CAAC,CAAA;AAEF,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC3C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;IAClD,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC7C,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACjD,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAChC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE;IAC9D,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE;CACpE,CAAC,CAAA;AAEF,SAAS,sBAAsB,CAAC,GAAQ,EAAE,MAAW,EAAE,aAAa,GAAG,GAAG;IACxE,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAA;IAC1D,CAAC;SAAM,IAAI,MAAM,CAAC,KAAK,EAAE,IAAI,KAAK,gBAAgB,EAAE,CAAC;QACnD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;IACxE,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GACV,MAAM,CAAC,KAAK,EAAE,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,GAAG;YACxC,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG;gBACzC,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,KAAK,cAAc,CAAC,CAAC,CAAC,GAAG;oBAC7C,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,GAAG;wBAC1C,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,KAAK,kBAAkB,CAAC,CAAC,CAAC,GAAG;4BACjD,CAAC,CAAC,GAAG,CAAA;QACP,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,IAAI,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,CAAC,CAAC,CAAA;IAC5G,CAAC;AACH,CAAC;AAED,yBAAyB;AACzB,WAAW,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IACnD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QAC1C,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,0BAA0B;AAC1B,WAAW,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAC7D,IAAI,CAAC;QACH,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,CAAA;QAC/B,MAAM,GAAG,GAAG,YAAY,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;QAClD,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,0BAA0B;AAC1B,WAAW,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IACpD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACrD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;YAC7F,OAAM;QACR,CAAC;QAED,MAAM,GAAG,GAAG,YAAY,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;QAExD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,yCAAyC,CAAC,CAAA;QAClF,sBAAsB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,CAAA;IAC1C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,sBAAsB;AACtB,WAAW,CAAC,KAAK,CAAC,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAC/D,IAAI,CAAC;QACH,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,CAAA;QAC/B,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QAErD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;YAC7F,OAAM;QACR,CAAC;QAED,MAAM,GAAG,GAAG,YAAY,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;QAElE,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,uCAAuC,CAAC,CAAA;QAClE,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,6BAA6B;AAC7B,WAAW,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAC5E,IAAI,CAAC;QACH,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,CAAA;QAC/B,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAExB,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,iBAAiB,CAAC,CAAC,CAAA;YACrE,OAAM;QACR,CAAC;QAED,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QACd,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,oBAAoB,CAAC,CAAC,CAAA;YACxE,OAAM;QACR,CAAC;QAED,MAAM,GAAG,GAAG,YAAY,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,cAAc,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,CAAC,CAAA;QAE5D,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,oCAAoC,CAAC,CAAA;QACpE,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,kCAAkC;AAClC,WAAW,CAAC,MAAM,CAAC,kCAAkC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAC9E,IAAI,CAAC;QACH,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,CAAA;QAC/B,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAExB,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,iBAAiB,CAAC,CAAC,CAAA;YACrE,OAAM;QACR,CAAC;QAED,MAAM,GAAG,GAAG,YAAY,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,CAAC,CAAA;QAE/D,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,uCAAuC,CAAC,CAAA;QACvE,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,2BAA2B;AAC3B,WAAW,CAAC,IAAI,CAAC,sCAAsC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAChF,IAAI,CAAC;QACH,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,CAAA;QAC/B,MAAM,GAAG,GAAG,YAAY,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;QAEzD,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,oDAAoD,CAAC,CAAA;QAC/E,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,sBAAsB;AACtB,WAAW,CAAC,MAAM,CAAC,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAChE,IAAI,CAAC;QACH,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,CAAA;QAC/B,MAAM,GAAG,GAAG,YAAY,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;QAErD,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,yCAAyC,CAAC,CAAA;QACpE,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CAAC,CAAA"}

package/dist/routes/observability.d.ts

@@ -0,0 +1,2 @@
+export declare const observabilityRouter: import("express-serve-static-core").Router;
+//# sourceMappingURL=observability.d.ts.map

package/dist/routes/observability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"observability.d.ts","sourceRoot":"","sources":["../../src/routes/observability.ts"],"names":[],"mappings":"AAWA,eAAO,MAAM,mBAAmB,4CAAW,CAAA"}

package/dist/routes/observability.js

@@ -0,0 +1,167 @@
+import { Router } from 'express';
+import { spawn } from 'child_process';
+import { z } from 'zod';
+import { apiResponse, apiError } from '../utils/response.js';
+import { requireOrgAccess } from '../middleware/org-access.js';
+import { logger } from '../utils/logger.js';
+import { getPods } from '../services/pod-diagnostics.js';
+import { troubleshoot } from '../services/troubleshooter.js';
+import { getServicesCollection } from '../services/database.js';
+export const observabilityRouter = Router();
+const EnvironmentSchema = z.object({
+    environment: z.enum(['prod', 'sandbox', 'uat']).default('sandbox'),
+});
+const K8S_NAME_REGEX = /^[a-z0-9][a-z0-9._-]{0,252}$/;
+const LogQuerySchema = z.object({
+    environment: z.enum(['prod', 'sandbox', 'uat']).default('sandbox'),
+    previous: z.enum(['true', 'false']).default('false'),
+    tail: z.string().default('100').transform(Number).pipe(z.number().int().min(1).max(1000)),
+    container: z.string().regex(K8S_NAME_REGEX).optional(),
+});
+async function resolveService(req) {
+    if (req.service)
+        return req.service;
+    const serviceName = req.params.serviceName;
+    if (!serviceName)
+        return null;
+    const services = getServicesCollection();
+    return services.findOne({ $or: [{ id: serviceName }, { name: serviceName }] });
+}
+/**
+ * GET /services/:serviceName/pods
+ * Returns pod list with status, restartCount, containerStatuses, recent events.
+ */
+observabilityRouter.get('/:serviceName/pods', requireOrgAccess(), async (req, res, next) => {
+    try {
+        const service = await resolveService(req);
+        if (!service) {
+            res.status(404).json(apiError('NOT_FOUND', 'Service not found'));
+            return;
+        }
+        const query = EnvironmentSchema.safeParse(req.query);
+        if (!query.success) {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid query', query.error.flatten()));
+            return;
+        }
+        const namespace = service.namespace || `${service.name}-${query.data.environment}`;
+        const pods = await getPods(namespace, service.name);
+        res.json(apiResponse({
+            service: service.name,
+            namespace,
+            environment: query.data.environment,
+            pods,
+            count: pods.length,
+        }));
+    }
+    catch (err) {
+        next(err);
+    }
+});
+/**
+ * GET /services/:serviceName/pods/logs
+ * SSE stream of pod logs via kubectl logs --follow.
+ */
+observabilityRouter.get('/:serviceName/pods/logs', requireOrgAccess(), async (req, res, next) => {
+    try {
+        const service = await resolveService(req);
+        if (!service) {
+            res.status(404).json(apiError('NOT_FOUND', 'Service not found'));
+            return;
+        }
+        const query = LogQuerySchema.safeParse(req.query);
+        if (!query.success) {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid query', query.error.flatten()));
+            return;
+        }
+        const namespace = service.namespace || `${service.name}-${query.data.environment}`;
+        const usePrevious = query.data.previous === 'true';
+        const tail = Math.min(Math.max(query.data.tail, 1), 1000);
+        const args = ['logs', '-n', namespace, '-l', `app=${service.name}`, `--tail=${tail}`];
+        if (!usePrevious) {
+            args.push('--follow');
+        }
+        if (usePrevious) {
+            args.push('--previous');
+        }
+        if (query.data.container) {
+            args.push('-c', query.data.container);
+        }
+        res.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive',
+            'X-Accel-Buffering': 'no',
+        });
+        res.write(': connected\n\n');
+        const kubectl = spawn('kubectl', args);
+        // Keepalive every 30 seconds to prevent proxy timeouts
+        const keepalive = setInterval(() => {
+            res.write(': keepalive\n\n');
+        }, 30_000);
+        // Safety timeout: close after 10 minutes
+        const timeout = setTimeout(() => {
+            kubectl.kill('SIGTERM');
+            res.write(`data: ${JSON.stringify({ event: 'timeout', message: 'Stream closed after 10 minutes' })}\n\n`);
+            res.end();
+        }, 10 * 60 * 1000);
+        const cleanup = () => {
+            clearInterval(keepalive);
+            clearTimeout(timeout);
+        };
+        kubectl.stdout.on('data', (chunk) => {
+            const lines = chunk.toString().split('\n').filter((l) => l.trim());
+            for (const line of lines) {
+                res.write(`data: ${JSON.stringify({ log: line, timestamp: new Date().toISOString() })}\n\n`);
+            }
+        });
+        kubectl.stderr.on('data', (chunk) => {
+            const msg = chunk.toString().trim();
+            if (msg) {
+                res.write(`data: ${JSON.stringify({ error: msg })}\n\n`);
+            }
+        });
+        kubectl.on('close', (code) => {
+            cleanup();
+            res.write(`data: ${JSON.stringify({ event: 'close', code })}\n\n`);
+            res.end();
+        });
+        kubectl.on('error', (err) => {
+            logger.warn({ err, namespace, service: service.name }, 'kubectl logs spawn error');
+            cleanup();
+            res.write(`data: ${JSON.stringify({ error: err.message })}\n\n`);
+            res.end();
+        });
+        req.on('close', () => {
+            cleanup();
+            kubectl.kill('SIGTERM');
+        });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+/**
+ * GET /services/:serviceName/troubleshoot
+ * Structured diagnostic analysis with actionable suggestions.
+ */
+observabilityRouter.get('/:serviceName/troubleshoot', requireOrgAccess(), async (req, res, next) => {
+    try {
+        const service = await resolveService(req);
+        if (!service) {
+            res.status(404).json(apiError('NOT_FOUND', 'Service not found'));
+            return;
+        }
+        const query = EnvironmentSchema.safeParse(req.query);
+        if (!query.success) {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid query', query.error.flatten()));
+            return;
+        }
+        const namespace = service.namespace || `${service.name}-${query.data.environment}`;
+        const result = await troubleshoot(service.name, namespace, query.data.environment);
+        res.json(apiResponse(result));
+    }
+    catch (err) {
+        next(err);
+    }
+});
+//# sourceMappingURL=observability.js.map

package/dist/routes/observability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"observability.js","sourceRoot":"","sources":["../../src/routes/observability.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AACrC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AAC5D,OAAO,EAAE,gBAAgB,EAA6B,MAAM,6BAA6B,CAAA;AACzF,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,gCAAgC,CAAA;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAA;AAC5D,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAA;AAG/D,MAAM,CAAC,MAAM,mBAAmB,GAAG,MAAM,EAAE,CAAA;AAE3C,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;CACnE,CAAC,CAAA;AAEF,MAAM,cAAc,GAAG,8BAA8B,CAAA;AAErD,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9B,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAClE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACpD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACzF,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE;CACvD,CAAC,CAAA;AAEF,KAAK,UAAU,cAAc,CAAC,GAAyB;IACrD,IAAI,GAAG,CAAC,OAAO;QAAE,OAAO,GAAG,CAAC,OAAO,CAAA;IACnC,MAAM,WAAW,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,CAAA;IAC1C,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAA;IAC7B,MAAM,QAAQ,GAAG,qBAAqB,EAAE,CAAA;IACxC,OAAO,QAAQ,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAA;AAChF,CAAC;AAED;;;GAGG;AACH,mBAAmB,CAAC,GAAG,CACrB,oBAAoB,EACpB,gBAAgB,EAAE,EAClB,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IACvB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,GAA2B,CAAC,CAAA;QAEjE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC,CAAA;YAChE,OAAM;QACR,CAAC;QAED,MAAM,KAAK,GAAG,iBAAiB,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;YAC1F,OAAM;QACR,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAA;QAClF,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,CAAC,CAAA;QAEnD,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;YACnB,OAAO,EAAE,OAAO,CAAC,IAAI;YACrB,SAAS;YACT,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW;YACnC,IAAI;YACJ,KAAK,EAAE,IAAI,CAAC,MAAM;SACnB,CAAC,CAAC,CAAA;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CACF,CAAA;AAED;;;GAGG;AACH,mBAAmB,CAAC,GAAG,CACrB,yBAAyB,EACzB,gBAAgB,EAAE,EAClB,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IACvB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,GAA2B,CAAC,CAAA;QAEjE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC,CAAA;YAChE,OAAM;QACR,CAAC;QAED,MAAM,KAAK,GAAG,cAAc,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;YAC1F,OAAM;QACR,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAA;QAClF,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAA;QAClD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,CAAA;QAEzD,MAAM,IAAI,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,OAAO,CAAC,IAAI,EAAE,EAAE,UAAU,IAAI,EAAE,CAAC,CAAA;QACrF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QACvB,CAAC;QACD,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QACzB,CAAC;QACD,IAAI,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACzB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACvC,CAAC;QAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACjB,cAAc,EAAE,mBAAmB;YACnC,eAAe,EAAE,UAAU;YAC3B,YAAY,EAAE,YAAY;YAC1B,mBAAmB,EAAE,IAAI;SAC1B,CAAC,CAAA;QAEF,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;QAE5B,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;QAEtC,uDAAuD;QACvD,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE;YACjC,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;QAC9B,CAAC,EAAE,MAAM,CAAC,CAAA;QAEV,yCAAyC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACvB,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,MAAM,CAAC,CAAA;YACzG,GAAG,CAAC,GAAG,EAAE,CAAA;QACX,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QAElB,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,aAAa,CAAC,SAAS,CAAC,CAAA;YACxB,YAAY,CAAC,OAAO,CAAC,CAAA;QACvB,CAAC,CAAA;QAED,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC1C,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;YAC1E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,MAAM,CAAC,CAAA;YAC9F,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,CAAA;YACnC,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,CAAA;YAC1D,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YAC3B,OAAO,EAAE,CAAA;YACT,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,CAAA;YAClE,GAAG,CAAC,GAAG,EAAE,CAAA;QACX,CAAC,CAAC,CAAA;QAEF,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC1B,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,0BAA0B,CAAC,CAAA;YAClF,OAAO,EAAE,CAAA;YACT,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,MAAM,CAAC,CAAA;YAChE,GAAG,CAAC,GAAG,EAAE,CAAA;QACX,CAAC,CAAC,CAAA;QAEF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,OAAO,EAAE,CAAA;YACT,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACzB,CAAC,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CACF,CAAA;AAED;;;GAGG;AACH,mBAAmB,CAAC,GAAG,CACrB,4BAA4B,EAC5B,gBAAgB,EAAE,EAClB,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IACvB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,GAA2B,CAAC,CAAA;QAEjE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC,CAAA;YAChE,OAAM;QACR,CAAC;QAED,MAAM,KAAK,GAAG,iBAAiB,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACnB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;YAC1F,OAAM;QACR,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAA;QAClF,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAElF,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAA;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,CAAC;AACH,CAAC,CACF,CAAA"}

package/dist/routes/orgs.d.ts

@@ -0,0 +1,2 @@
+export declare const orgsRouter: import("express-serve-static-core").Router;
+//# sourceMappingURL=orgs.d.ts.map

package/dist/routes/orgs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"orgs.d.ts","sourceRoot":"","sources":["../../src/routes/orgs.ts"],"names":[],"mappings":"AAiBA,eAAO,MAAM,UAAU,4CAAW,CAAA"}

package/dist/routes/orgs.js

@@ -0,0 +1,270 @@
+import { Router } from 'express';
+import { z } from 'zod';
+import { randomBytes } from 'crypto';
+import { apiResponse, apiError } from '../utils/response.js';
+import { env } from '../config/env.js';
+import { logger } from '../utils/logger.js';
+import { deriveOrgRole } from '../middleware/auth.js';
+import { getOrgInvitesCollection } from '../services/database.js';
+import { forgejoAdminRequest, deriveUsername, ensureOrgMembership, } from '../services/forgejo.js';
+export const orgsRouter = Router();
+/**
+ * Generate a human-readable invite code: WORD-WORD-WORD-WORD
+ */
+function generateInviteCode() {
+    const words = [
+        'alpha', 'bravo', 'cedar', 'delta', 'eagle', 'flame', 'grove', 'harbor',
+        'ivory', 'jasper', 'karma', 'lunar', 'maple', 'noble', 'orbit', 'prism',
+        'quartz', 'ridge', 'solar', 'terra', 'ultra', 'vivid', 'wave', 'xenon',
+        'yield', 'zenith', 'atlas', 'blade', 'coral', 'drift', 'ember', 'forge',
+    ];
+    const parts = Array.from({ length: 4 }, () => words[randomBytes(1)[0] % words.length]);
+    return parts.join('-').toUpperCase();
+}
+const CreateInviteSchema = z.object({
+    maxUses: z.number().int().min(0).max(1000).default(0),
+    expiresInDays: z.number().int().min(1).max(90).default(7),
+});
+const JoinOrgSchema = z.object({
+    code: z.string().min(1).max(100),
+});
+/**
+ * POST /orgs/:org/invites
+ * Create an invite code for an org. Only org admins can create invites.
+ */
+orgsRouter.post('/:org/invites', async (req, res, next) => {
+    try {
+        const authReq = req;
+        const { org } = req.params;
+        if (!authReq.user) {
+            res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'));
+            return;
+        }
+        // Must be admin of the target org (or platform service)
+        const role = deriveOrgRole(authReq.user.roles);
+        const isOwnOrg = authReq.user.org === org;
+        if (role !== 'admin' && !authReq.user.roles.includes('service')) {
+            res.status(403).json(apiError('FORBIDDEN', 'Only org admins can create invites'));
+            return;
+        }
+        if (!isOwnOrg && !authReq.user.roles.includes('service') && !authReq.user.roles.includes('super_admin')) {
+            res.status(403).json(apiError('FORBIDDEN', 'Cannot create invites for other orgs'));
+            return;
+        }
+        const parsed = CreateInviteSchema.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid request body', parsed.error.flatten()));
+            return;
+        }
+        const { maxUses, expiresInDays } = parsed.data;
+        const now = new Date();
+        const expiresAt = new Date(now.getTime() + expiresInDays * 24 * 60 * 60 * 1000);
+        const invite = {
+            id: randomBytes(16).toString('hex'),
+            org,
+            code: generateInviteCode(),
+            createdBy: authReq.user.email,
+            createdAt: now.toISOString(),
+            expiresAt: expiresAt.toISOString(),
+            maxUses,
+            uses: 0,
+            usedBy: [],
+        };
+        const collection = getOrgInvitesCollection();
+        await collection.insertOne(invite);
+        logger.info({ org, code: invite.code, createdBy: invite.createdBy, expiresInDays }, 'Org invite created');
+        res.status(201).json(apiResponse({
+            code: invite.code,
+            org: invite.org,
+            expiresAt: invite.expiresAt,
+            maxUses: invite.maxUses,
+        }));
+    }
+    catch (err) {
+        next(err);
+    }
+});
+/**
+ * GET /orgs/:org/invites
+ * List active invites for an org. Only org admins.
+ */
+orgsRouter.get('/:org/invites', async (req, res, next) => {
+    try {
+        const authReq = req;
+        const { org } = req.params;
+        if (!authReq.user) {
+            res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'));
+            return;
+        }
+        const role = deriveOrgRole(authReq.user.roles);
+        const isOwnOrg = authReq.user.org === org;
+        if (role !== 'admin' && !authReq.user.roles.includes('service')) {
+            res.status(403).json(apiError('FORBIDDEN', 'Only org admins can list invites'));
+            return;
+        }
+        if (!isOwnOrg && !authReq.user.roles.includes('service') && !authReq.user.roles.includes('super_admin')) {
+            res.status(403).json(apiError('FORBIDDEN', 'Cannot list invites for other orgs'));
+            return;
+        }
+        const collection = getOrgInvitesCollection();
+        const invites = await collection
+            .find({ org, expiresAt: { $gt: new Date().toISOString() } })
+            .sort({ createdAt: -1 })
+            .toArray();
+        const sanitized = invites.map(inv => ({
+            code: inv.code,
+            org: inv.org,
+            createdBy: inv.createdBy,
+            createdAt: inv.createdAt,
+            expiresAt: inv.expiresAt,
+            maxUses: inv.maxUses,
+            uses: inv.uses,
+        }));
+        res.json(apiResponse(sanitized));
+    }
+    catch (err) {
+        next(err);
+    }
+});
+/**
+ * DELETE /orgs/:org/invites/:code
+ * Revoke an invite. Only org admins.
+ */
+orgsRouter.delete('/:org/invites/:code', async (req, res, next) => {
+    try {
+        const authReq = req;
+        const { org, code } = req.params;
+        if (!authReq.user) {
+            res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'));
+            return;
+        }
+        const role = deriveOrgRole(authReq.user.roles);
+        const isOwnOrg = authReq.user.org === org;
+        if (role !== 'admin' && !authReq.user.roles.includes('service')) {
+            res.status(403).json(apiError('FORBIDDEN', 'Only org admins can revoke invites'));
+            return;
+        }
+        if (!isOwnOrg && !authReq.user.roles.includes('service') && !authReq.user.roles.includes('super_admin')) {
+            res.status(403).json(apiError('FORBIDDEN', 'Cannot revoke invites for other orgs'));
+            return;
+        }
+        const collection = getOrgInvitesCollection();
+        const result = await collection.deleteOne({ org, code: code.toUpperCase() });
+        if (result.deletedCount === 0) {
+            res.status(404).json(apiError('NOT_FOUND', 'Invite not found'));
+            return;
+        }
+        logger.info({ org, code, revokedBy: authReq.user.email }, 'Org invite revoked');
+        res.json(apiResponse({ revoked: true }));
+    }
+    catch (err) {
+        next(err);
+    }
+});
+/**
+ * POST /orgs/join
+ * Accept an invite code and join the org in Forgejo.
+ * Requires an existing Forgejo account (run provision-git first).
+ */
+orgsRouter.post('/join', async (req, res, next) => {
+    try {
+        const authReq = req;
+        if (!authReq.user) {
+            res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'));
+            return;
+        }
+        if (!env.FORGEJO_TOKEN) {
+            res.status(503).json(apiError('SERVICE_UNAVAILABLE', 'Git provisioning is not configured'));
+            return;
+        }
+        const parsed = JoinOrgSchema.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid request body', parsed.error.flatten()));
+            return;
+        }
+        const code = parsed.data.code.toUpperCase();
+        const collection = getOrgInvitesCollection();
+        // Find and validate the invite
+        const invite = await collection.findOne({ code });
+        if (!invite) {
+            res.status(404).json(apiError('INVITE_NOT_FOUND', 'Invalid or expired invite code'));
+            return;
+        }
+        if (new Date(invite.expiresAt) < new Date()) {
+            res.status(410).json(apiError('INVITE_EXPIRED', 'This invite has expired'));
+            return;
+        }
+        if (invite.maxUses > 0 && invite.uses >= invite.maxUses) {
+            res.status(410).json(apiError('INVITE_EXHAUSTED', 'This invite has reached its usage limit'));
+            return;
+        }
+        if (invite.usedBy.includes(authReq.user.email)) {
+            res.status(409).json(apiError('ALREADY_JOINED', 'You have already used this invite'));
+            return;
+        }
+        // Resolve the user's Forgejo username
+        const username = deriveUsername(authReq.user.email);
+        const userCheck = await forgejoAdminRequest('GET', `/users/${encodeURIComponent(username)}`);
+        if (userCheck.status !== 200 || !userCheck.data) {
+            res.status(400).json(apiError('NO_GIT_ACCOUNT', 'No Forgejo account found. Run `tawa login` first.'));
+            return;
+        }
+        const forgejoUsername = userCheck.data.login;
+        // Add user to the org
+        const membership = await ensureOrgMembership(invite.org, forgejoUsername);
+        if (!membership) {
+            res.status(500).json(apiError('JOIN_FAILED', 'Failed to add you to the org'));
+            return;
+        }
+        // Record usage
+        await collection.updateOne({ code }, {
+            $inc: { uses: 1 },
+            $push: { usedBy: authReq.user.email },
+        });
+        logger.info({ org: invite.org, username: forgejoUsername, email: authReq.user.email, code }, 'User joined org via invite');
+        res.json(apiResponse({
+            org: invite.org,
+            username: forgejoUsername,
+            role: membership.role,
+        }));
+    }
+    catch (err) {
+        next(err);
+    }
+});
+/**
+ * GET /orgs/:org/members
+ * List members of a Forgejo org. Org members can view.
+ */
+orgsRouter.get('/:org/members', async (req, res, next) => {
+    try {
+        const authReq = req;
+        const { org } = req.params;
+        if (!authReq.user) {
+            res.status(401).json(apiError('UNAUTHORIZED', 'Authentication required'));
+            return;
+        }
+        if (!env.FORGEJO_TOKEN) {
+            res.status(503).json(apiError('SERVICE_UNAVAILABLE', 'Git provisioning is not configured'));
+            return;
+        }
+        const result = await forgejoAdminRequest('GET', `/orgs/${encodeURIComponent(org)}/members`);
+        if (result.status === 404) {
+            res.status(404).json(apiError('NOT_FOUND', 'Org not found'));
+            return;
+        }
+        if (result.status !== 200 || !result.data) {
+            res.status(502).json(apiError('UPSTREAM_ERROR', 'Failed to fetch org members'));
+            return;
+        }
+        const members = result.data.map(m => ({
+            username: m.login,
+            id: m.id,
+        }));
+        res.json(apiResponse(members));
+    }
+    catch (err) {
+        next(err);
+    }
+});
+//# sourceMappingURL=orgs.js.map