kozou 1.1.0 → 1.1.1
- package/dist/commands/dev-runtime.d.ts +7 -0
- package/dist/commands/dev-runtime.d.ts.map +1 -1
- package/dist/commands/dev-runtime.js +65 -1
- package/dist/commands/dev-runtime.js.map +1 -1
- package/dist/commands/dev.d.ts.map +1 -1
- package/dist/commands/dev.js +31 -13
- package/dist/commands/dev.js.map +1 -1
- package/dist/templates/docker-compose.yml +19 -1
- package/package.json +7 -7
|
@@ -2,6 +2,9 @@ import type { KozouConfig } from '../config.js';
|
|
|
2
2
|
export declare function resolveAdminUiEntry(): string;
|
|
3
3
|
export declare function resolveOrigin(config: KozouConfig, env: NodeJS.ProcessEnv): string;
|
|
4
4
|
export declare function buildAdminUiEnv(config: KozouConfig, origin: string, baseEnv: NodeJS.ProcessEnv, apiAdapterUrl?: string, apiToken?: string): NodeJS.ProcessEnv;
|
|
5
|
+
export declare function describeApiAuth(auth: KozouConfig['auth']): string;
|
|
6
|
+
export type AdminUiExposure = 'unauthenticated' | 'service-token' | 'anon-role' | 'rejected';
|
|
7
|
+
export declare function classifyAdminUiExposure(auth: KozouConfig['auth'], tokenResult: AdminUiTokenResult | undefined, inhouseApi: boolean): AdminUiExposure;
|
|
5
8
|
export type ServiceTokenMinter = {
|
|
6
9
|
signServiceToken(opts: {
|
|
7
10
|
secret: string;
|
|
@@ -16,6 +19,10 @@ export type AdminUiTokenResult = {
|
|
|
16
19
|
token?: string;
|
|
17
20
|
/** Operator-facing reason the UI will be rejected, when no usable token. */
|
|
18
21
|
warning?: string;
|
|
22
|
+
/** The resolver already knows the API will reject this token with 403
|
|
23
|
+
* (minted with no role and no defaultRole, or a role outside
|
|
24
|
+
* allowedRoles). Lets the exposure classification below stay honest. */
|
|
25
|
+
knownRejected?: boolean;
|
|
19
26
|
};
|
|
20
27
|
export declare function resolveAdminUiToken(config: KozouConfig, minter: ServiceTokenMinter, env: NodeJS.ProcessEnv): Promise<AdminUiTokenResult>;
|
|
21
28
|
//# sourceMappingURL=dev-runtime.d.ts.map
|
|
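Review bot: `AdminUiExposure` and `classifyAdminUiExposure` (new lines 6–7) are exported with no doc comment, although the four values decide which security warning an operator sees at startup. I would add a TSDoc block on the type that states, per value, how the API behind the Admin UI treats the UI's requests, and one on the function noting that `'rejected'` covers both a token flagged `knownRejected` and the case of no token with no `anonRole`. The comment on `knownRejected` (new lines 22–24) also says the classification is "below", but in this declaration file it is declared above; naming it directly, `Lets classifyAdminUiExposure stay honest.`, avoids the dangling reference.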
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dev-runtime.d.ts","sourceRoot":"","sources":["../../src/commands/dev-runtime.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAOhD,wBAAgB,mBAAmB,IAAI,MAAM,CAI5C;AAMD,wBAAgB,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAEjF;AAYD,wBAAgB,eAAe,CAC7B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,CAAC,UAAU,EAC1B,aAAa,CAAC,EAAE,MAAM,EACtB,QAAQ,CAAC,EAAE,MAAM,GAChB,MAAM,CAAC,UAAU,
|
|
1
|
+
{"version":3,"file":"dev-runtime.d.ts","sourceRoot":"","sources":["../../src/commands/dev-runtime.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAOhD,wBAAgB,mBAAmB,IAAI,MAAM,CAI5C;AAMD,wBAAgB,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAEjF;AAYD,wBAAgB,eAAe,CAC7B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,CAAC,UAAU,EAC1B,aAAa,CAAC,EAAE,MAAM,EACtB,QAAQ,CAAC,EAAE,MAAM,GAChB,MAAM,CAAC,UAAU,CAqCnB;AAqBD,wBAAgB,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,MAAM,CAqBjE;AAgBD,MAAM,MAAM,eAAe,GAAG,iBAAiB,GAAG,eAAe,GAAG,WAAW,GAAG,UAAU,CAAC;AAE7F,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,EACzB,WAAW,EAAE,kBAAkB,GAAG,SAAS,EAC3C,UAAU,EAAE,OAAO,GAClB,eAAe,CAQjB;AAID,MAAM,MAAM,kBAAkB,GAAG;IAC/B,gBAAgB,CAAC,IAAI,EAAE;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;KAC9B,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4EAA4E;IAC5E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;6EAEyE;IACzE,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AAWF,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,kBAAkB,EAC1B,GAAG,EAAE,MAAM,CAAC,UAAU,GACrB,OAAO,CAAC,kBAAkB,CAAC,CA8B7B"}
|
|
@@ -41,6 +41,15 @@ export function buildAdminUiEnv(config, origin, baseEnv, apiAdapterUrl, apiToken
|
|
|
41
41
|
ORIGIN: origin,
|
|
42
42
|
NODE_ENV: 'production',
|
|
43
43
|
};
|
|
44
|
+
// JWT verifier / signing inputs are a CLI-process concern. The
|
|
45
|
+
// network-facing UI child only ever consumes KOZOU_ADAPTER_*, so the
|
|
46
|
+
// HS256 secret (or key / JWKS settings) must not extend into it — with
|
|
47
|
+
// the scaffold compose forwarding KOZOU_JWT_* these are present in the
|
|
48
|
+
// parent environment on the default path.
|
|
49
|
+
for (const key of Object.keys(env)) {
|
|
50
|
+
if (key.startsWith('KOZOU_JWT_'))
|
|
51
|
+
delete env[key];
|
|
52
|
+
}
|
|
44
53
|
if (apiAdapterUrl !== undefined) {
|
|
45
54
|
// In-house @kozou/api backend: point the UI at it and attach the token
|
|
46
55
|
// when one was resolved, clearing any inherited stale token otherwise.
|
|
@@ -64,6 +73,61 @@ export function buildAdminUiEnv(config, origin, baseEnv, apiAdapterUrl, apiToken
|
|
|
64
73
|
}
|
|
65
74
|
return env;
|
|
66
75
|
}
|
|
76
|
+
// Strip anything that could carry a credential out of a URL before it is
|
|
77
|
+
// written to a log: userinfo (https://user:pass@host/...), query (?token=...)
|
|
78
|
+
// and fragment. Keeps scheme + host + path, which is enough to recognize
|
|
79
|
+
// the endpoint.
|
|
80
|
+
function redactUrlForLog(raw) {
|
|
81
|
+
try {
|
|
82
|
+
const url = new URL(raw);
|
|
83
|
+
return `${url.origin}${url.pathname}`;
|
|
84
|
+
}
|
|
85
|
+
catch {
|
|
86
|
+
return '<invalid URL>';
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
// One unambiguous startup line about the in-house API's auth state, so a
|
|
90
|
+
// stack whose auth never reached the process (for instance env vars a
|
|
91
|
+
// compose file did not forward) is visible immediately instead of
|
|
92
|
+
// failing open silently. Never includes secret material: only the
|
|
93
|
+
// verification mode and the role configuration (the JWKS URL is redacted
|
|
94
|
+
// to scheme + host + path in case it embeds a credential).
|
|
95
|
+
export function describeApiAuth(auth) {
|
|
96
|
+
if (auth === undefined) {
|
|
97
|
+
return 'disabled (no JWT verification configured; requests run as the connection role)';
|
|
98
|
+
}
|
|
99
|
+
const mode = auth.jwt.secret !== undefined && auth.jwt.secret.length > 0
|
|
100
|
+
? 'HS256 (shared secret)'
|
|
101
|
+
: auth.jwt.jwksUri !== undefined && auth.jwt.jwksUri.length > 0
|
|
102
|
+
? `JWKS (${redactUrlForLog(auth.jwt.jwksUri)})`
|
|
103
|
+
: auth.jwt.publicKey !== undefined && auth.jwt.publicKey.length > 0
|
|
104
|
+
? 'static public key'
|
|
105
|
+
: 'misconfigured (auth set but no secret / publicKey / jwksUri)';
|
|
106
|
+
const parts = [mode];
|
|
107
|
+
if (auth.allowedRoles !== undefined && auth.allowedRoles.length > 0) {
|
|
108
|
+
parts.push(`allowedRoles=[${auth.allowedRoles.join(', ')}]`);
|
|
109
|
+
}
|
|
110
|
+
if (auth.defaultRole !== undefined)
|
|
111
|
+
parts.push(`defaultRole=${auth.defaultRole}`);
|
|
112
|
+
if (auth.anonRole !== undefined)
|
|
113
|
+
parts.push(`anonRole=${auth.anonRole}`);
|
|
114
|
+
if (auth.ui?.role !== undefined)
|
|
115
|
+
parts.push(`ui role=${auth.ui.role}`);
|
|
116
|
+
else if (auth.ui?.token !== undefined)
|
|
117
|
+
parts.push('ui token=supplied');
|
|
118
|
+
return parts.join(', ');
|
|
119
|
+
}
|
|
120
|
+
export function classifyAdminUiExposure(auth, tokenResult, inhouseApi) {
|
|
121
|
+
if (!inhouseApi || auth === undefined)
|
|
122
|
+
return 'unauthenticated';
|
|
123
|
+
const token = tokenResult?.token;
|
|
124
|
+
if (token !== undefined && token.length > 0) {
|
|
125
|
+
return tokenResult?.knownRejected === true ? 'rejected' : 'service-token';
|
|
126
|
+
}
|
|
127
|
+
if (auth.anonRole !== undefined && auth.anonRole.length > 0)
|
|
128
|
+
return 'anon-role';
|
|
129
|
+
return 'rejected';
|
|
130
|
+
}
|
|
67
131
|
// Decide what token (if any) the bundled Admin UI should send to @kozou/api,
|
|
68
132
|
// given the resolved config. Pure except for the injected minter:
|
|
69
133
|
// (a) an explicit token (auth.ui.token / KOZOU_ADAPTER_TOKEN) is passed
|
|
@@ -92,7 +156,7 @@ export async function resolveAdminUiToken(config, minter, env) {
|
|
|
92
156
|
audience: auth.jwt.audience,
|
|
93
157
|
});
|
|
94
158
|
const warning = mintedRoleWarning(auth, role);
|
|
95
|
-
return warning !== undefined ? { token, warning } : { token };
|
|
159
|
+
return warning !== undefined ? { token, warning, knownRejected: true } : { token };
|
|
96
160
|
}
|
|
97
161
|
return {
|
|
98
162
|
warning: 'auth uses an RS256 public key, so the CLI cannot mint a token for the ' +
|
|
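Review bot: The strip loop added to `buildAdminUiEnv` (new lines 49–52) matches the prefix case-sensitively, so on a platform where environment names are case-insensitive (Windows) a variable spelled `kozou_jwt_secret` would presumably still be honoured by the CLI yet survive into the child's environment. Comparing on a normalised name closes that gap: `if (key.toUpperCase().startsWith('KOZOU_JWT_')) delete env[key];`. The loop is also a single-prefix deny-list, so any other credential inherited from the parent environment still reaches the network-facing UI child; the comment above the loop should say so, so the guarantee is not read as broader than it is. How `env` is built lies outside this hunk, so the extent of what is copied from `baseEnv` is inferred from the parameter name and the existing "inherited stale token" comment.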
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dev-runtime.js","sourceRoot":"","sources":["../../src/commands/dev-runtime.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,EAAE;AACF,kEAAkE;AAClE,wEAAwE;AACxE,wCAAwC;AAExC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAI1C,mEAAmE;AACnE,wEAAwE;AACxE,yEAAyE;AACzE,yEAAyE;AACzE,eAAe;AACf,MAAM,UAAU,mBAAmB;IACjC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,+BAA+B,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;AACzD,CAAC;AAED,sEAAsE;AACtE,yEAAyE;AACzE,wEAAwE;AACxE,gDAAgD;AAChD,MAAM,UAAU,aAAa,CAAC,MAAmB,EAAE,GAAsB;IACvE,OAAO,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,YAAY,IAAI,oBAAoB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;AACvF,CAAC;AAED,uEAAuE;AACvE,oEAAoE;AACpE,EAAE;AACF,2EAA2E;AAC3E,8EAA8E;AAC9E,wEAAwE;AACxE,6EAA6E;AAC7E,8EAA8E;AAC9E,8EAA8E;AAC9E,0BAA0B;AAC1B,MAAM,UAAU,eAAe,CAC7B,MAAmB,EACnB,MAAc,EACd,OAA0B,EAC1B,aAAsB,EACtB,QAAiB;IAEjB,MAAM,GAAG,GAAsB;QAC7B,GAAG,OAAO;QACV,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG;QACjC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC;QACnC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI;QAC3B,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,YAAY;KACvB,CAAC;IACF,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,uEAAuE;QACvE,uEAAuE;QACvE,GAAG,CAAC,kBAAkB,GAAG,KAAK,CAAC;QAC/B,GAAG,CAAC,iBAAiB,GAAG,aAAa,CAAC;QACtC,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClD,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,CAAC,mBAAmB,CAAC;QACjC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,wDAAwD;QACxD,OAAO,GAAG,CAAC,kBAAkB,CAAC;QAC9B,OAAO,GAAG,CAAC,mBAAmB,CAAC;QAC/B,GAAG,CAAC,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;IAC7C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;
|
|
1
|
+
{"version":3,"file":"dev-runtime.js","sourceRoot":"","sources":["../../src/commands/dev-runtime.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,EAAE;AACF,kEAAkE;AAClE,wEAAwE;AACxE,wCAAwC;AAExC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAI1C,mEAAmE;AACnE,wEAAwE;AACxE,yEAAyE;AACzE,yEAAyE;AACzE,eAAe;AACf,MAAM,UAAU,mBAAmB;IACjC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,+BAA+B,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;AACzD,CAAC;AAED,sEAAsE;AACtE,yEAAyE;AACzE,wEAAwE;AACxE,gDAAgD;AAChD,MAAM,UAAU,aAAa,CAAC,MAAmB,EAAE,GAAsB;IACvE,OAAO,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,YAAY,IAAI,oBAAoB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;AACvF,CAAC;AAED,uEAAuE;AACvE,oEAAoE;AACpE,EAAE;AACF,2EAA2E;AAC3E,8EAA8E;AAC9E,wEAAwE;AACxE,6EAA6E;AAC7E,8EAA8E;AAC9E,8EAA8E;AAC9E,0BAA0B;AAC1B,MAAM,UAAU,eAAe,CAC7B,MAAmB,EACnB,MAAc,EACd,OAA0B,EAC1B,aAAsB,EACtB,QAAiB;IAEjB,MAAM,GAAG,GAAsB;QAC7B,GAAG,OAAO;QACV,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG;QACjC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC;QACnC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI;QAC3B,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,YAAY;KACvB,CAAC;IACF,+DAA+D;IAC/D,qEAAqE;IACrE,uEAAuE;IACvE,uEAAuE;IACvE,0CAA0C;IAC1C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,uEAAuE;QACvE,uEAAuE;QACvE,GAAG,CAAC,kBAAkB,GAAG,KAAK,CAAC;QAC/B,GAAG,CAAC,iBAAiB,GAAG,aAAa,CAAC;QACtC,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClD,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,CAAC,mBAAmB,CAAC;QACjC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,wDAAwD;QACxD,OAAO,GAAG,CAAC,kBAAkB,CAAC;QAC9B,OAAO,GAAG,CAAC,mBAAmB,CAAC;QAC/B,GAAG,CAAC,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;IAC7C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,yEAAyE;AA
CzE,8EAA8E;AAC9E,yEAAyE;AACzE,gBAAgB;AAChB,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,eAAe,CAAC;IACzB,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,sEAAsE;AACtE,kEAAkE;AAClE,kEAAkE;AAClE,yEAAyE;AACzE,2DAA2D;AAC3D,MAAM,UAAU,eAAe,CAAC,IAAyB;IACvD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,gFAAgF,CAAC;IAC1F,CAAC;IACD,MAAM,IAAI,GACR,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;QACzD,CAAC,CAAC,uBAAuB;QACzB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;YAC7D,CAAC,CAAC,SAAS,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG;YAC/C,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;gBACjE,CAAC,CAAC,mBAAmB;gBACrB,CAAC,CAAC,8DAA8D,CAAC;IACzE,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,CAAC;IACrB,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,KAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAClF,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzE,IAAI,IAAI,CAAC,EAAE,EAAE,IAAI,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAClE,IAAI,IAAI,CAAC,EAAE,EAAE,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACvE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAkBD,MAAM,UAAU,uBAAuB,CACrC,IAAyB,EACzB,WAA2C,EAC3C,UAAmB;IAEnB,IAAI,CAAC,UAAU,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,iBAAiB,CAAC;IAChE,MAAM,KAAK,GAAG,WAAW,EAAE,KAAK,CAAC;IACjC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5C,OAAO,WAAW,EAAE,aAAa,KAAK,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,eAAe,CAAC;IAC5E,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,WAAW,CAAC;IAChF,OAAO,UAAU,CAAC;
AACpB,CAAC;AAyBD,6EAA6E;AAC7E,kEAAkE;AAClE,0EAA0E;AAC1E,6EAA6E;AAC7E,cAAc;AACd,4EAA4E;AAC5E,yEAAyE;AACzE,6EAA6E;AAC7E,kDAAkD;AAClD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAmB,EACnB,MAA0B,EAC1B,GAAsB;IAEtB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;IACzB,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC,CAAC,+CAA+C;IAElF,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE,EAAE,KAAK,IAAI,GAAG,CAAC,mBAAmB,CAAC;IAC3D,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IAC7B,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC;IAC/B,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC;YAC1C,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,IAAI;YACJ,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM;YACvB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;SAC5B,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC9C,OAAO,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC;IACrF,CAAC;IAED,OAAO;QACL,OAAO,EACL,wEAAwE;YACxE,wEAAwE;YACxE,yEAAyE;YACzE,uCAAuC;KAC1C,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,uEAAuE;AACvE,4CAA4C;AAC5C,SAAS,iBAAiB,CACxB,IAAsC,EACtC,IAAwB;IAExB,MAAM,SAAS,GAAG,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC;IAClF,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,OAAO,iEAAiE;YACtE,wEAAwE;YACxE,+DAA+D,CAAC;IACpE,CAAC;IACD,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9E,OAAO,8BAA8B,SAAS,+BAA+B;YAC3E,oEAAoE;YACpE,eAAe,CAAC;IACpB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dev.d.ts","sourceRoot":"","sources":["../../src/commands/dev.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"dev.d.ts","sourceRoot":"","sources":["../../src/commands/dev.ts"],"names":[],"mappings":"AAqCA,MAAM,MAAM,UAAU,GAAG;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;iFAC6E;IAC7E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AA8FF,wBAAsB,UAAU,CAAC,IAAI,GAAE,UAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CA2HrE"}
|
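--- a/package/dist/commands/dev.js
+++ b/package/dist/commands/dev.js
@@ -8,8 +8,9 @@
 // startHttpServer (spec §7.1).
 //
 // Both default to 0.0.0.0 (spec §9.1, so `docker compose` port mapping
-// works); a loud warning fires on a non-loopback bind because
-//
+// works); a loud warning fires on a non-loopback bind because the UI and
+// MCP listeners have no authentication of their own (the in-house API may
+// enforce JWT auth; the Admin UI warning distinguishes that case).
 //
 // The Admin UI is an adapter-node (SvelteKit) server: without ORIGIN it
 // assumes https and rejects every form POST over plain http with a 403.
@@ -20,7 +21,7 @@ import { existsSync } from 'node:fs';
 import { SchemaCache, startHttpServer, isLoopbackHost } from '@kozou/mcp';
 import { loadConfig, ADAPTER_KINDS } from '../config.js';
 import { PACKAGE_VERSION } from '../version.js';
-import { buildAdminUiEnv, resolveAdminUiEntry, resolveAdminUiToken, resolveOrigin, } from './dev-runtime.js';
+import { buildAdminUiEnv, classifyAdminUiExposure, describeApiAuth, resolveAdminUiEntry, resolveAdminUiToken, resolveOrigin, } from './dev-runtime.js';
 const PREFIX = '[kozou dev]';
 // The in-house @kozou/api server is reached only by the Admin UI's
 // server-side fetch (same host), so bind it to loopback — no need to
@@ -77,13 +78,27 @@ async function startInhouseApi(config, port) {
 },
 };
 }
-
+// Warn when a surface with no authentication of its own binds beyond
+// loopback. The Admin UI never has a login of its own; what varies is how
+// the API behind it treats the UI's requests, so the warning states the
+// resolved exposure mode instead of implying nothing (or everything) is
+// protected.
+function warnIfPublic(label, host, exposure) {
 if (isLoopbackHost(host))
 return;
+const detail = {
+unauthenticated: `${PREFIX} It has NO authentication. Anyone who can reach ${host} can use it.\n`,
+'service-token': `${PREFIX} The API behind it verifies JWTs, but ${label} itself has no login —\n` +
+`${PREFIX} anyone who can reach ${host} acts with its service token.\n`,
+'anon-role': `${PREFIX} The API behind it verifies JWTs and ${label} holds no token, so\n` +
+`${PREFIX} anyone who can reach ${host} acts as the anonymous role.\n`,
+rejected: `${PREFIX} The API behind it verifies JWTs and ${label} holds no usable token,\n` +
+`${PREFIX} so the API rejects its requests; the port itself stays reachable.\n`,
+};
 process.stderr.write(`${PREFIX} WARNING: ${label} bound to non-loopback host "${host}".\n` +
-
-`${PREFIX}
-`${PREFIX}
+detail[exposure] +
+`${PREFIX} This is expected inside docker compose; avoid it on an untrusted\n` +
+`${PREFIX} network or put an auth proxy in front.\n`);
 }
 export async function devCommand(opts = {}) {
 if (opts.adapter !== undefined && !ADAPTER_KINDS.includes(opts.adapter)) {
@@ -109,20 +124,23 @@ export async function devCommand(opts = {}) {
 : null;
 if (api) {
 process.stderr.write(`${PREFIX} in-house @kozou/api on ${api.url}\n`);
+// State the auth mode unambiguously: a stack whose KOZOU_JWT_* env never
+// reached this process fails open, and this line is what surfaces it.
+process.stderr.write(`${PREFIX} api auth: ${describeApiAuth(config.auth)}\n`);
 }
 // When the in-house API enforces auth, resolve the token the bundled Admin
 // UI presents to it: a minted HS256 token, a supplied RS256 / external one,
 // or none (with a warning) when neither is available. @kozou/api is already
 // imported (startInhouseApi succeeded), so this dynamic import is cached.
-let
+let tokenResult;
 if (api && config.auth) {
 const apiModule = await import('@kozou/api');
-
-if (
-process.stderr.write(`${PREFIX} WARNING: ${
+tokenResult = await resolveAdminUiToken(config, apiModule, process.env);
+if (tokenResult.warning) {
+process.stderr.write(`${PREFIX} WARNING: ${tokenResult.warning}\n`);
 }
-apiToken = resolved.token;
 }
+const apiToken = tokenResult?.token;
 const cache = new SchemaCache({
 connection: config.database.url,
 schemas: config.database.schemas,
@@ -136,7 +154,7 @@ export async function devCommand(opts = {}) {
 logPrefix: `${PREFIX} mcp`,
 });
 // 2. Admin UI, as a child process.
-warnIfPublic('Admin UI', config.server.ui.host);
+warnIfPublic('Admin UI', config.server.ui.host, classifyAdminUiExposure(config.auth, tokenResult, api !== null));
 const origin = resolveOrigin(config, process.env);
 const child = spawn('node', [adminUiEntry], {
 env: buildAdminUiEnv(config, origin, process.env, api?.url, apiToken),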
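Review bot: When `config.auth` is set but carries no secret, public key or JWKS URI, `devCommand` prints the `api auth:` line (new line 129) at normal level with the text `misconfigured (...)` and carries on, and the later `warnIfPublic` detail for `'anon-role'` or `'rejected'` then tells the operator "The API behind it verifies JWTs". Whether the API actually verifies anything in that state is not visible here, so the startup output can assert protection that has no key material behind it. I would have `devCommand` stop before spawning the UI in that case, or at minimum emit the line as a warning, `process.stderr.write(`${PREFIX} WARNING: api auth: ${describeApiAuth(config.auth)}\n`);`, when no key input is configured. The config loader may already reject such a block; if it does, a comment at this call saying so would settle the question for the next reader.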
package/dist/commands/dev.js.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dev.js","sourceRoot":"","sources":["../../src/commands/dev.ts"],"names":[],"mappings":"AAAA,sCAAsC;AACtC,EAAE;AACF,sEAAsE;AACtE,wEAAwE;AACxE,uEAAuE;AACvE,iEAAiE;AACjE,sEAAsE;AACtE,mCAAmC;AACnC,EAAE;AACF,uEAAuE;AACvE,
|
|
1
|
+
{"version":3,"file":"dev.js","sourceRoot":"","sources":["../../src/commands/dev.ts"],"names":[],"mappings":"AAAA,sCAAsC;AACtC,EAAE;AACF,sEAAsE;AACtE,wEAAwE;AACxE,uEAAuE;AACvE,iEAAiE;AACjE,sEAAsE;AACtE,mCAAmC;AACnC,EAAE;AACF,uEAAuE;AACvE,yEAAyE;AACzE,0EAA0E;AAC1E,mEAAmE;AACnE,EAAE;AACF,wEAAwE;AACxE,wEAAwE;AACxE,oEAAoE;AACpE,oEAAoE;AAEpE,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE1E,OAAO,EAAE,UAAU,EAAoB,aAAa,EAAoB,MAAM,cAAc,CAAC;AAC7F,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EACL,eAAe,EACf,uBAAuB,EACvB,eAAe,EACf,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,GAGd,MAAM,kBAAkB,CAAC;AAW1B,MAAM,MAAM,GAAG,aAAa,CAAC;AAE7B,mEAAmE;AACnE,qEAAqE;AACrE,2CAA2C;AAC3C,MAAM,QAAQ,GAAG,WAAW,CAAC;AAC7B,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAI9B,kEAAkE;AAClE,uEAAuE;AACvE,yEAAyE;AACzE,2EAA2E;AAC3E,iEAAiE;AACjE,KAAK,UAAU,eAAe,CAAC,MAAmB,EAAE,IAAY;IAC9D,IAAI,SAAsC,CAAC;IAC3C,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,GAAG,MAAM,gEAAgE;YACvE,yEAAyE;YACzE,4DAA4D;YAC5D,yEAAyE;YACzE,gEAAgE,CACnE,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACzD,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAC3D,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE3C,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG;QAC/B,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO;KACjC,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,gBAAgB,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,cAAc,CAAC;QAC5C,MAAM;QACN,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,IAAY,EAAE,MAAkB,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE;QAC7E,yEAAyE;QACzE,0EAA0E;QAC1E,iEAAiE;QACjE,sDAAsD;QACtD,IAAI;QACJ,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,mEAAmE;QACnE,qEAAqE;QACrE,OAAO,EAAE,eAAe;QACxB,SAAS,EAAE,GAAG,MAAM,MAA
M;KAC3B,CAAC,CAAC;IAEH,OAAO;QACL,GAAG,EAAE,UAAU,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE;QACxC,KAAK,EAAE,KAAK,IAAI,EAAE;YAChB,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;YACrB,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,qEAAqE;AACrE,0EAA0E;AAC1E,wEAAwE;AACxE,wEAAwE;AACxE,aAAa;AACb,SAAS,YAAY,CAAC,KAAa,EAAE,IAAY,EAAE,QAAyB;IAC1E,IAAI,cAAc,CAAC,IAAI,CAAC;QAAE,OAAO;IACjC,MAAM,MAAM,GAAoC;QAC9C,eAAe,EAAE,GAAG,MAAM,mDAAmD,IAAI,gBAAgB;QACjG,eAAe,EACb,GAAG,MAAM,yCAAyC,KAAK,0BAA0B;YACjF,GAAG,MAAM,yBAAyB,IAAI,iCAAiC;QACzE,WAAW,EACT,GAAG,MAAM,wCAAwC,KAAK,uBAAuB;YAC7E,GAAG,MAAM,yBAAyB,IAAI,gCAAgC;QACxE,QAAQ,EACN,GAAG,MAAM,wCAAwC,KAAK,2BAA2B;YACjF,GAAG,MAAM,sEAAsE;KAClF,CAAC;IACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,GAAG,MAAM,aAAa,KAAK,gCAAgC,IAAI,MAAM;QACnE,MAAM,CAAC,QAAQ,CAAC;QAChB,GAAG,MAAM,qEAAqE;QAC9E,GAAG,MAAM,2CAA2C,CACvD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAmB,EAAE;IACpD,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,IAAI,CAAE,aAAmC,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/F,MAAM,IAAI,KAAK,CACb,GAAG,MAAM,uBAAuB,IAAI,CAAC,OAAO,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAC5F,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAEvD,2EAA2E;IAC3E,2EAA2E;IAC3E,0EAA0E;IAC1E,MAAM,WAAW,GAAiB,IAAI,CAAC,OAAmC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;IAClG,MAAM,aAAa,GAAG,WAAW,KAAK,KAAK,CAAC;IAE5C,MAAM,YAAY,GAAG,mBAAmB,EAAE,CAAC;IAC3C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,GAAG,MAAM,gCAAgC,YAAY,IAAI;YACvD,yEAAyE;YACzE,4EAA4E,CAC/E,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,2EAA2E;IAC3E,yBAAyB;IACzB,MAAM,GAAG,GAAsB,aAAa;QAC1C,CAAC,CAAC,MAAM,eAAe,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAC;QACjE,CAAC,CAAC,IAAI,CAAC;IACT,IAAI,GAAG,EAAE,CAAC;QACR,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,2BAA2B,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QACtE,yEAAyE;QACzE,sEAAsE;QACtE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,cAAc,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChF,CAAC;IAED,2EAA2E;IAC3E,4EAA4E;IAC5E,4EAA4E;IAC5E,0EAA0E;IAC1E,IAAI,WAA2C,CAAC;IAChD,IAA
I,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAC7C,WAAW,GAAG,MAAM,mBAAmB,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACxE,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,aAAa,WAAW,CAAC,OAAO,IAAI,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IACD,MAAM,QAAQ,GAAG,WAAW,EAAE,KAAK,CAAC;IAEpC,MAAM,KAAK,GAAG,IAAI,WAAW,CAAC;QAC5B,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG;QAC/B,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO;QAChC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;KAC1B,CAAC,CAAC;IAEH,8DAA8D;IAC9D,yDAAyD;IACzD,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE;QACvC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI;QACjC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI;QACjC,SAAS,EAAE,GAAG,MAAM,MAAM;KAC3B,CAAC,CAAC;IAEH,mCAAmC;IACnC,YAAY,CACV,UAAU,EACV,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,EACrB,uBAAuB,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,KAAK,IAAI,CAAC,CAChE,CAAC;IACF,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,YAAY,CAAC,EAAE;QAC1C,GAAG,EAAE,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC;QACrE,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAAC,CAAC;IACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;IACrF,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;IAErF,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,GAAG,MAAM,uBAAuB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9E,YAAY,MAAM,KAAK,CAC1B,CAAC;IAEF,wEAAwE;IACxE,8DAA8D;IAC9D,MAAM,aAAa,GAAG,GAAqB,EAAE,CAC3C,OAAO,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAE3E,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAClC,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB,MAAM,QAAQ,GAAG,CAAC,MAAc,EAAQ,EAAE;YACxC,IAAI,YAAY;gBAAE,OAAO;YACzB
,YAAY,GAAG,IAAI,CAAC;YACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,IAAI,MAAM,mBAAmB,CAAC,CAAC;YAC7D,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,IAAI,KAAK,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;gBACzD,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YACD,KAAK,aAAa,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,CAAC,CAAC;QAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACxD,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAE1D,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YAChC,IAAI,YAAY;gBAAE,OAAO;YACzB,iEAAiE;YACjE,yCAAyC;YACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,GAAG,MAAM,0BAA0B,IAAI,IAAI,MAAM,YAAY,MAAM,IAAI,MAAM,KAAK,CACnF,CAAC;YACF,OAAO,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC;YAC7B,YAAY,GAAG,IAAI,CAAC;YACpB,KAAK,aAAa,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,8BAA8B,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;YAC7E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -34,7 +34,7 @@ services:
|
|
|
34
34
|
# `kozou dev` spawns the bundled @kozou/svelte-ui Admin UI, the MCP HTTP
|
|
35
35
|
# server, and Kozou's in-house REST backend (all in-process). Each binds
|
|
36
36
|
# 0.0.0.0 inside the container so the port mappings below reach your host.
|
|
37
|
-
image: ghcr.io/kozou-dev/kozou:v1.1.
|
|
37
|
+
image: ghcr.io/kozou-dev/kozou:v1.1.1
|
|
38
38
|
command: ["dev"]
|
|
39
39
|
environment:
|
|
40
40
|
DATABASE_URL: postgres://${POSTGRES_USER:-kozou}:${POSTGRES_PASSWORD:-kozou}@postgres:5432/${POSTGRES_DB:-kozou}
|
|
@@ -44,6 +44,24 @@ services:
|
|
|
44
44
|
# Set it to the exact URL you open in the browser; override if you
|
|
45
45
|
# publish the Admin UI on a different host or port.
|
|
46
46
|
ORIGIN: ${KOZOU_ORIGIN:-http://localhost:3333}
|
|
47
|
+
# JWT auth (see .env.example). Compose reads .env for ${VAR}
|
|
48
|
+
# interpolation only, so every variable must be forwarded here
|
|
49
|
+
# explicitly to reach the container. An empty value means unset:
|
|
50
|
+
# kozou treats empty auth variables as absent, so leaving these
|
|
51
|
+
# blank keeps auth off (it never means "HS256 with empty secret").
|
|
52
|
+
KOZOU_JWT_SECRET: ${KOZOU_JWT_SECRET:-}
|
|
53
|
+
KOZOU_JWT_PUBLIC_KEY: ${KOZOU_JWT_PUBLIC_KEY:-}
|
|
54
|
+
KOZOU_JWT_JWKS_URI: ${KOZOU_JWT_JWKS_URI:-}
|
|
55
|
+
KOZOU_JWT_ALGORITHMS: ${KOZOU_JWT_ALGORITHMS:-}
|
|
56
|
+
KOZOU_JWT_ISSUER: ${KOZOU_JWT_ISSUER:-}
|
|
57
|
+
KOZOU_JWT_AUDIENCE: ${KOZOU_JWT_AUDIENCE:-}
|
|
58
|
+
KOZOU_JWT_ROLE_CLAIM: ${KOZOU_JWT_ROLE_CLAIM:-}
|
|
59
|
+
KOZOU_JWT_ALLOWED_ROLES: ${KOZOU_JWT_ALLOWED_ROLES:-}
|
|
60
|
+
KOZOU_JWT_DEFAULT_ROLE: ${KOZOU_JWT_DEFAULT_ROLE:-}
|
|
61
|
+
KOZOU_JWT_ANON_ROLE: ${KOZOU_JWT_ANON_ROLE:-}
|
|
62
|
+
KOZOU_JWT_CLAIMS_GUC: ${KOZOU_JWT_CLAIMS_GUC:-}
|
|
63
|
+
KOZOU_UI_ROLE: ${KOZOU_UI_ROLE:-}
|
|
64
|
+
KOZOU_ADAPTER_TOKEN: ${KOZOU_ADAPTER_TOKEN:-}
|
|
47
65
|
depends_on:
|
|
48
66
|
postgres:
|
|
49
67
|
condition: service_healthy
|
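Review bot: Every `KOZOU_JWT_*` entry (new lines 52–62) defaults to empty through `:-`, so a missing or misspelled name in `.env` starts the stack with auth off while the services bind `0.0.0.0` behind the port mappings, and nothing in this file tells the operator how to notice. The comment block should point at the check this release adds, for example `# Confirm the "[kozou dev] api auth:" line in the container log shows the mode you expect.` A second comment line noting that values under `environment:` are readable through container inspection by anyone with access to the Docker daemon would help too, since `KOZOU_JWT_SECRET` and `KOZOU_ADAPTER_TOKEN` are now carried that way.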
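--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "kozou",
-"version": "1.1.
+"version": "1.1.1",
 "description": "Kozou CLI: scaffolding, schema introspection, and MCP server entry points.",
 "license": "Apache-2.0",
 "repository": {
@@ -38,11 +38,11 @@
 "pg": "^8.13.0",
 "yaml": "^2.9.0",
 "zod": "^4.4.3",
-"@kozou/
-"@kozou/
-"@kozou/
-"@kozou/svelte-ui": "1.1.
-"@kozou/
+"@kozou/introspect": "1.1.1",
+"@kozou/api": "1.1.1",
+"@kozou/core": "1.1.1",
+"@kozou/svelte-ui": "1.1.1",
+"@kozou/mcp": "1.1.1"
 },
 "devDependencies": {
 "@modelcontextprotocol/sdk": "^1.0.0",
@@ -51,7 +51,7 @@
 "@types/pg": "^8.11.10",
 "testcontainers": "^12.0.0",
 "tsx": "^4.19.0",
-"@kozou/codegen": "1.1.
+"@kozou/codegen": "1.1.1"
 },
 "scripts": {
 "typecheck": "tsc --noEmit",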