ndomo 0.1.0

package/src/http/__tests__/sse.test.ts

@@ -0,0 +1,317 @@
+/**
+ * Tests for SSE events route (src/http/routes/events.ts) + sse helpers.
+ *
+ * Validates:
+ * - formatSseEvent / formatKeepalive (unit)
+ * - GET /api/events → 200 with Content-Type: text/event-stream
+ * - Events streamed as `data: {json}\n\n` format
+ * - Cleanup on client disconnect (abort signal)
+ * - Type filter via ?types=session.idle,session.error
+ * - 503 when SDK client is null
+ * - Auth required
+ *
+ * Mocks SDK client with a simple async generator.
+ * Uses Elysia app.handle(new Request(...)) pattern.
+ */
+
+import { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import type { HttpConfig } from "../../config/schema.ts";
+import { runMigrations } from "../../db/migrations.ts";
+import { buildHttpServer } from "../server.ts";
+import { formatKeepalive, formatSseEvent } from "../sse.ts";
+
+let db: Database;
+
+const AUTH_CONFIG: HttpConfig = {
+  enabled: true,
+  port: 4097,
+  cors: { origins: ["*"] },
+  auth: { required: true },
+};
+
+let savedPassword: string | undefined;
+
+function basicAuthHeader(password: string): string {
+  const encoded = Buffer.from(`user:${password}`).toString("base64");
+  return `Basic ${encoded}`;
+}
+
+/**
+ * Create a mock SDK client that yields events from a provided array.
+ * Returns a minimal object compatible with OpencodeClient.event.subscribe().
+ */
+function mockSdkClient(events: Array<{ type?: string; data?: unknown }>) {
+  return {
+    event: {
+      subscribe: async () => ({
+        stream: (async function* () {
+          for (const event of events) {
+            yield event;
+          }
+        })(),
+      }),
+    },
+  } as unknown as import("@opencode-ai/sdk/client").OpencodeClient;
+}
+
+/**
+ * Create a mock SDK client that throws on subscribe.
+ */
+function mockFailingSdkClient(errorMessage = "SDK connection failed") {
+  return {
+    event: {
+      subscribe: async () => {
+        throw new Error(errorMessage);
+      },
+    },
+  } as unknown as import("@opencode-ai/sdk/client").OpencodeClient;
+}
+
+beforeEach(() => {
+  savedPassword = process.env.OPENCODE_SERVER_PASSWORD;
+  process.env.OPENCODE_SERVER_PASSWORD = "test-password";
+  db = new Database(":memory:");
+  db.exec("PRAGMA foreign_keys = ON");
+  runMigrations(db);
+});
+
+afterEach(() => {
+  if (savedPassword === undefined) {
+    delete process.env.OPENCODE_SERVER_PASSWORD;
+  } else {
+    process.env.OPENCODE_SERVER_PASSWORD = savedPassword;
+  }
+  db.close();
+});
+
+// ─── Unit tests for sse helpers ─────────────────────────────────────────────
+
+describe("formatSseEvent", () => {
+  test("formats data-only event", () => {
+    const result = formatSseEvent({ data: { hello: "world" } });
+    expect(result).toBe('data: {"hello":"world"}\n\n');
+  });
+
+  test("formats event with name", () => {
+    const result = formatSseEvent({ eventName: "message", data: { key: 1 } });
+    expect(result).toBe('event: message\ndata: {"key":1}\n\n');
+  });
+
+  test("formats event with id", () => {
+    const result = formatSseEvent({ data: "test", id: "42" });
+    expect(result).toBe('id: 42\ndata: "test"\n\n');
+  });
+
+  test("formats event with all fields", () => {
+    const result = formatSseEvent({
+      eventName: "update",
+      data: { value: true },
+      id: "100",
+    });
+    expect(result).toBe('event: update\nid: 100\ndata: {"value":true}\n\n');
+  });
+
+  test("multi-line data splits into multiple data: lines", () => {
+    // JSON with newlines would split — but JSON.stringify doesn't produce
+    // newlines for flat objects. Test with string containing newline.
+    const result = formatSseEvent({ data: "line1\nline2" });
+    expect(result).toBe('data: "line1\\nline2"\n\n');
+  });
+});
+
+describe("formatKeepalive", () => {
+  test("returns SSE keepalive comment", () => {
+    const result = formatKeepalive();
+    expect(result).toBe(": keepalive\n\n\n");
+  });
+});
+
+// ─── Integration tests for /api/events ──────────────────────────────────────
+
+describe("GET /api/events — SSE stream", () => {
+  test("returns 200 with correct SSE headers", async () => {
+    const sdkClient = mockSdkClient([]);
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      sdkClient,
+    });
+
+    const req = new Request("http://localhost/api/events", {
+      headers: { Authorization: basicAuthHeader("test-password") },
+    });
+    const res = await app.handle(req);
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toBe("text/event-stream");
+    expect(res.headers.get("Cache-Control")).toContain("no-cache");
+    expect(res.headers.get("Connection")).toBe("keep-alive");
+    expect(res.headers.get("X-Accel-Buffering")).toBe("no");
+  });
+
+  test("streams hello event on connection", async () => {
+    const sdkClient = mockSdkClient([]);
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      sdkClient,
+    });
+
+    const req = new Request("http://localhost/api/events", {
+      headers: { Authorization: basicAuthHeader("test-password") },
+    });
+    const res = await app.handle(req);
+
+    expect(res.body).not.toBeNull();
+    const reader = res.body!.getReader();
+    const decoder = new TextDecoder();
+
+    // Read first chunk — should contain hello event
+    const { value } = await reader.read();
+    const chunk = decoder.decode(value);
+    expect(chunk).toContain("event: hello");
+    expect(chunk).toContain('"timestamp"');
+
+    reader.cancel();
+  });
+
+  test("streams SDK events as SSE data", async () => {
+    const sdkClient = mockSdkClient([
+      { type: "session.idle", data: { sessionId: "ses_1" } },
+      { type: "session.error", data: { error: "timeout" } },
+    ]);
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      sdkClient,
+    });
+
+    const req = new Request("http://localhost/api/events", {
+      headers: { Authorization: basicAuthHeader("test-password") },
+    });
+    const res = await app.handle(req);
+
+    const reader = res.body!.getReader();
+    const decoder = new TextDecoder();
+
+    // Read all chunks until stream ends
+    const chunks: string[] = [];
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      chunks.push(decoder.decode(value));
+    }
+
+    const fullOutput = chunks.join("");
+
+    // Should contain hello event
+    expect(fullOutput).toContain("event: hello");
+
+    // Should contain the SDK events
+    expect(fullOutput).toContain("event: session.idle");
+    expect(fullOutput).toContain("event: session.error");
+    expect(fullOutput).toContain('"sessionId":"ses_1"');
+    expect(fullOutput).toContain('"error":"timeout"');
+  });
+
+  test("type filter passes only matching events", async () => {
+    const sdkClient = mockSdkClient([
+      { type: "session.idle", data: { sessionId: "ses_1" } },
+      { type: "session.error", data: { error: "timeout" } },
+      { type: "task.complete", data: { taskId: "t_1" } },
+    ]);
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      sdkClient,
+    });
+
+    const req = new Request("http://localhost/api/events?types=session.idle,session.error", {
+      headers: { Authorization: basicAuthHeader("test-password") },
+    });
+    const res = await app.handle(req);
+
+    const reader = res.body!.getReader();
+    const decoder = new TextDecoder();
+
+    const chunks: string[] = [];
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      chunks.push(decoder.decode(value));
+    }
+
+    const fullOutput = chunks.join("");
+
+    // Should contain filtered events
+    expect(fullOutput).toContain("event: session.idle");
+    expect(fullOutput).toContain("event: session.error");
+
+    // Should NOT contain non-matching event
+    expect(fullOutput).not.toContain("task.complete");
+  });
+
+  test("503 when SDK client is not provided", async () => {
+    // Omit sdkClient entirely (not undefined — exactOptionalPropertyTypes)
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+    });
+
+    const req = new Request("http://localhost/api/events", {
+      headers: { Authorization: basicAuthHeader("test-password") },
+    });
+    const res = await app.handle(req);
+
+    expect(res.status).toBe(503);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("sdk_unavailable");
+  });
+
+  test("requires auth → 401 without credentials", async () => {
+    const sdkClient = mockSdkClient([]);
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      sdkClient,
+    });
+
+    const res = await app.handle(new Request("http://localhost/api/events"));
+    expect(res.status).toBe(401);
+  });
+
+  test("SDK subscribe error → streams error event then closes", async () => {
+    const sdkClient = mockFailingSdkClient("connection refused");
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      sdkClient,
+    });
+
+    const req = new Request("http://localhost/api/events", {
+      headers: { Authorization: basicAuthHeader("test-password") },
+    });
+    const res = await app.handle(req);
+
+    const reader = res.body!.getReader();
+    const decoder = new TextDecoder();
+
+    const chunks: string[] = [];
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      chunks.push(decoder.decode(value));
+    }
+
+    const fullOutput = chunks.join("");
+
+    // Should contain hello event first
+    expect(fullOutput).toContain("event: hello");
+
+    // Should contain error event with SDK error message
+    expect(fullOutput).toContain("event: error");
+    expect(fullOutput).toContain("connection refused");
+    expect(fullOutput).toContain("sdk_subscribe_failed");
+  });
+});

package/src/http/auth.ts

@@ -0,0 +1,72 @@
+// ─── HTTP Basic Auth Middleware ───────────────────────────────────────────────
+/**
+ * HTTP Basic authentication middleware.
+ *
+ * Reads OPENCODE_SERVER_PASSWORD from env directly (not via HttpConfig).
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * Uses onRequest so the hook propagates across Elysia .use() boundaries.
+ * Exempts /health from auth (public liveness probe).
+ *
+ * Behavior:
+ * - auth.required === false → skip entirely
+ * - /health path → skip (always public)
+ * - Password unset/empty → 503 auth_not_configured
+ * - Missing/malformed Authorization → 401 + WWW-Authenticate
+ * - Wrong password → 401 + WWW-Authenticate
+ * - Correct → continue (no return value)
+ */
+import { timingSafeEqual } from "node:crypto";
+import { Elysia } from "elysia";
+import type { HttpConfig } from "../config/schema.ts";
+
+function constantTimeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false;
+  const bufA = Buffer.from(a);
+  const bufB = Buffer.from(b);
+  return timingSafeEqual(bufA, bufB);
+}
+
+export function httpBasicAuth(httpConfig: HttpConfig) {
+  return new Elysia({ name: "http-basic-auth" }).onRequest(({ request, set }) => {
+    // Skip if auth not required
+    if (!httpConfig.auth.required) return;
+
+    // Exempt /health — public liveness probe
+    const url = new URL(request.url);
+    if (url.pathname === "/health") return;
+
+    const password = process.env.OPENCODE_SERVER_PASSWORD;
+
+    // Password not configured → 503
+    if (!password) {
+      set.status = 503;
+      set.headers["WWW-Authenticate"] = 'Basic realm="ndomo"';
+      return { error: "auth_not_configured", message: "set OPENCODE_SERVER_PASSWORD" };
+    }
+
+    const authHeader = request.headers.get("Authorization");
+
+    // Missing or malformed header → 401
+    if (!authHeader?.startsWith("Basic ")) {
+      set.status = 401;
+      set.headers["WWW-Authenticate"] = 'Basic realm="ndomo", charset="UTF-8"';
+      return { error: "invalid_credentials" };
+    }
+
+    // Decode base64 — format is "user:pass"
+    const decoded = Buffer.from(authHeader.slice(6), "base64").toString("utf-8");
+    const colonIdx = decoded.indexOf(":");
+    const providedPassword = colonIdx >= 0 ? decoded.slice(colonIdx + 1) : decoded;
+
+    // Timing-safe comparison
+    if (!constantTimeEqual(providedPassword, password)) {
+      set.status = 401;
+      set.headers["WWW-Authenticate"] = 'Basic realm="ndomo", charset="UTF-8"';
+      return { error: "invalid_credentials" };
+    }
+
+    // Auth success — continue to handler (return undefined = no short-circuit)
+    return;
+  });
+}

package/src/http/middleware/cors.ts

@@ -0,0 +1,53 @@
+// ─── CORS Middleware ──────────────────────────────────────────────────────────
+/**
+ * Custom CORS middleware — no external deps.
+ *
+ * Uses onRequest (not onBeforeHandle) so the hook propagates across
+ * Elysia .use() boundaries.
+ *
+ * Behavior:
+ * - origins includes "*" → ACAO: *, credentials NOT allowed (security)
+ * - Otherwise → echo request Origin if in allowed list, else no header
+ * - Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
+ * - Headers: Content-Type, Authorization, X-Opencode-Directory
+ * - Max-Age: 86400
+ * - OPTIONS preflight → 204
+ */
+import { Elysia } from "elysia";
+
+const ALLOWED_METHODS = "GET, POST, PUT, PATCH, DELETE, OPTIONS";
+const ALLOWED_HEADERS = "Content-Type, Authorization, X-Opencode-Directory";
+const MAX_AGE = "86400";
+
+export function corsMiddleware(origins: string[]) {
+  const allowAll = origins.includes("*");
+  const originSet = new Set(origins);
+
+  return new Elysia({ name: "cors" }).onRequest(({ request, set }) => {
+    const origin = request.headers.get("Origin");
+
+    // Determine allowed origin
+    if (allowAll) {
+      set.headers["Access-Control-Allow-Origin"] = "*";
+    } else if (origin && originSet.has(origin)) {
+      set.headers["Access-Control-Allow-Origin"] = origin;
+      set.headers["Vary"] = "Origin";
+    }
+
+    // Common preflight headers
+    set.headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
+    set.headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
+    set.headers["Access-Control-Max-Age"] = MAX_AGE;
+
+    // Only set credentials when NOT wildcard (browser rejects wildcard+credentials)
+    if (!allowAll) {
+      set.headers["Access-Control-Allow-Credentials"] = "true";
+    }
+
+    // Handle OPTIONS preflight
+    if (request.method === "OPTIONS") {
+      set.status = 204;
+      return "";
+    }
+  });
+}

package/src/http/middleware/security-headers.ts

@@ -0,0 +1,21 @@
+// ─── Security Headers Middleware ──────────────────────────────────────────────
+/**
+ * Applies OWASP security baseline headers to all HTTP responses.
+ * Uses onRequest so headers propagate across Elysia .use() boundaries.
+ * Adds X-Powered-By for server identification and HSTS in production.
+ */
+import { Elysia } from "elysia";
+import { SECURITY_HEADERS } from "../../config/schema.ts";
+
+export const securityHeaders = new Elysia({ name: "security-headers" }).onRequest(({ set }) => {
+  const headers: Record<string, string> = {
+    ...SECURITY_HEADERS,
+    "X-Powered-By": "ndomo",
+  };
+  if (process.env.NODE_ENV === "production") {
+    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
+  }
+  for (const [k, v] of Object.entries(headers)) {
+    set.headers[k] = v;
+  }
+});

package/src/http/routes/events.ts

@@ -0,0 +1,112 @@
+// ─── SSE Events Route ────────────────────────────────────────────────────────
+/**
+ * GET /api/events — Server-Sent Events stream bridging OpenCode SDK events.
+ *
+ * Auth: inherited from apiProtected sub-app (httpBasicAuth).
+ *
+ * Query params:
+ *   ?types=session.idle,session.error  — comma-separated event type filter (default: all)
+ *
+ * Behavior:
+ * - 503 if SDK client is null (server reachable but SDK unreachable)
+ * - Sends `hello` event on connection establish (client can detect connect)
+ * - Streams events from `sdkClient.event.subscribe()` as SSE
+ * - Keepalive comment every 30s to prevent proxy timeouts
+ * - Cleanup on client disconnect (abort signal)
+ * - On SDK error, sends `error` event then closes stream
+ *
+ * SSE spec: https://html.spec.whatwg.org/multipage/server-sent-events.html
+ */
+
+import type { OpencodeClient } from "@opencode-ai/sdk/client";
+import { Elysia, t } from "elysia";
+import { createSseWriter } from "../sse.ts";
+
+const KEEPALIVE_INTERVAL_MS = 30_000;
+
+/**
+ * Create the SSE events route.
+ *
+ * @param sdkClient - OpenCode SDK client (may be null if SDK unreachable)
+ */
+export function eventsRoute(sdkClient: OpencodeClient | null) {
+  return new Elysia({ name: "events" }).get(
+    "/api/events",
+    async ({ request, query, set }) => {
+      // 503 if SDK client is null (server reachable but no client)
+      if (!sdkClient) {
+        set.status = 503;
+        return {
+          error: "sdk_unavailable",
+          message: "OpenCode SDK client not initialized",
+        };
+      }
+
+      // Parse optional event type filter
+      const filterTypes = query.types
+        ? new Set(
+            query.types
+              .split(",")
+              .map((s) => s.trim())
+              .filter(Boolean),
+          )
+        : null; // null = all events
+
+      const stream = new ReadableStream<Uint8Array>({
+        async start(controller) {
+          const signal = request.signal;
+          const writer = createSseWriter(controller, signal);
+
+          // Keepalive timer — prevents proxy/load-balancer timeouts
+          const keepaliveTimer = setInterval(() => writer.writeKeepalive(), KEEPALIVE_INTERVAL_MS);
+          writer.onCleanup(() => clearInterval(keepaliveTimer));
+
+          try {
+            // Hello event — client can detect connection established
+            writer.write("hello", { timestamp: Date.now() });
+
+            // Subscribe to SDK events (async generator)
+            const result = await sdkClient.event.subscribe();
+
+            for await (const event of result.stream) {
+              if (signal.aborted) break;
+              // Apply type filter if specified
+              if (filterTypes && event.type && !filterTypes.has(event.type)) continue;
+              const eventName = event.type ?? "message";
+              writer.write(eventName, event);
+            }
+          } catch (err) {
+            // On SDK error, send a final error event then end
+            writer.write("error", {
+              message: err instanceof Error ? err.message : String(err),
+              code: "sdk_subscribe_failed",
+            });
+          } finally {
+            clearInterval(keepaliveTimer);
+            writer.end();
+          }
+        },
+      });
+
+      // SSE response headers
+      set.headers["Content-Type"] = "text/event-stream";
+      set.headers["Cache-Control"] = "no-cache, no-transform";
+      set.headers["Connection"] = "keep-alive";
+      set.headers["X-Accel-Buffering"] = "no"; // disable nginx buffering
+
+      return new Response(stream, {
+        headers: {
+          "Content-Type": "text/event-stream",
+          "Cache-Control": "no-cache, no-transform",
+          Connection: "keep-alive",
+          "X-Accel-Buffering": "no",
+        },
+      });
+    },
+    {
+      query: t.Object({
+        types: t.Optional(t.String()), // comma-separated event type filter
+      }),
+    },
+  );
+}

package/src/http/routes/health.ts

@@ -0,0 +1,51 @@
+// ─── Health Route ─────────────────────────────────────────────────────────────
+/**
+ * GET /health — public liveness probe (no auth required).
+ *
+ * Returns server status, version, uptime, and DB health check.
+ * Status is "ok" when DB responds, "degraded" when DB query fails.
+ */
+import type { Database } from "bun:sqlite";
+import { Elysia, t } from "elysia";
+
+// Read version once at import time — static for process lifetime
+let cachedVersion = "0.1.0";
+try {
+  const pkg = await import("../../../package.json", { with: { type: "json" } });
+  cachedVersion = pkg.default?.version ?? "0.1.0";
+} catch {
+  // Fallback if package.json not accessible
+}
+
+export function healthRoute(db: Database) {
+  return new Elysia({ name: "health" }).get(
+    "/health",
+    async () => {
+      let dbHealthy = true;
+      try {
+        db.query("SELECT 1").get();
+      } catch {
+        dbHealthy = false;
+      }
+
+      return {
+        status: dbHealthy ? ("ok" as const) : ("degraded" as const),
+        version: cachedVersion,
+        uptime: Math.floor(process.uptime() * 1000),
+        timestamp: Date.now(),
+        dbHealthy,
+      };
+    },
+    {
+      response: {
+        200: t.Object({
+          status: t.Union([t.Literal("ok"), t.Literal("degraded")]),
+          version: t.String(),
+          uptime: t.Number(),
+          timestamp: t.Number(),
+          dbHealthy: t.Boolean(),
+        }),
+      },
+    },
+  );
+}

package/src/http/routes/plans.ts

@@ -0,0 +1,66 @@
+// ─── Plans Routes ─────────────────────────────────────────────────────────────
+/**
+ * GET /api/plans           — list plans (optional filters: status, sessionId, limit)
+ * GET /api/plans/search    — FTS5 search (required: q, optional: limit)
+ * GET /api/plans/:id       — get single plan by id
+ */
+import type { Database } from "bun:sqlite";
+import { Elysia, t } from "elysia";
+import { getPlan, listPlans, searchPlans } from "../../db/plans.ts";
+import type { PlanStatus } from "../../db/types.ts";
+
+const PlanStatusValues = [
+  "draft",
+  "approved",
+  "executing",
+  "completed",
+  "failed",
+  "abandoned",
+] as const;
+
+export function plansRoute(db: Database) {
+  return new Elysia({ name: "plans" })
+    .get(
+      "/api/plans",
+      async ({ query }) => {
+        const opts: { status?: PlanStatus; sessionId?: string; limit?: number } = {};
+        if (query.status) opts.status = query.status as PlanStatus;
+        if (query.sessionId) opts.sessionId = query.sessionId;
+        if (query.limit) opts.limit = query.limit;
+        return listPlans(db, opts);
+      },
+      {
+        query: t.Object({
+          status: t.Optional(t.UnionEnum(PlanStatusValues)),
+          sessionId: t.Optional(t.String()),
+          limit: t.Optional(t.Number({ minimum: 1, maximum: 500 })),
+        }),
+      },
+    )
+    .get(
+      "/api/plans/search",
+      async ({ query }) => {
+        return searchPlans(db, query.q, query.limit ?? 20);
+      },
+      {
+        query: t.Object({
+          q: t.String({ minLength: 1 }),
+          limit: t.Optional(t.Number({ minimum: 1, maximum: 100 })),
+        }),
+      },
+    )
+    .get(
+      "/api/plans/:id",
+      async ({ params: { id }, set }) => {
+        const plan = getPlan(db, id);
+        if (!plan) {
+          set.status = 404;
+          return { error: "not_found", message: `plan ${id} not found` };
+        }
+        return plan;
+      },
+      {
+        params: t.Object({ id: t.String() }),
+      },
+    );
+}