retold-facto 1.0.1 → 1.0.2

package/bin/retold-facto.js

@@ -327,6 +327,37 @@ function commandServe()
 			_Fable.log.info(`API:     http://localhost:${_Settings.APIServerPort}/1.0/`);
 			_Fable.log.info(`Facto:   http://localhost:${_Settings.APIServerPort}/facto/`);
 			_Fable.log.info(`Web UI:  http://localhost:${_Settings.APIServerPort}/`);
+
+			// Optional auto-connect to an Ultravisor coordinator.  Only
+			// runs when FACTO_ULTRAVISOR_URL is set; standalone users
+			// with no Ultravisor in the loop see no behavior change.
+			// Failures are logged but don't kill the process — facto
+			// stays useful as a local REST surface.  This also triggers
+			// the beacon-side WebAuth proxy install, which gates the web
+			// UI's session-bearing routes against UV's auth beacon when
+			// the upstream UV is in non-promiscuous mode.
+			let tmpUVUrl = process.env.FACTO_ULTRAVISOR_URL || '';
+			if (tmpUVUrl && _Fable.RetoldFactoBeaconProvider)
+			{
+				let tmpBeaconConfig =
+					{
+						ServerURL:     tmpUVUrl,
+						Name:          process.env.FACTO_BEACON_NAME || 'retold-facto',
+						Password:      process.env.FACTO_BEACON_PASSWORD || '',
+						MaxConcurrent: parseInt(process.env.FACTO_MAX_CONCURRENT || '2', 10)
+					};
+				_Fable.log.info(`Auto-connecting to Ultravisor at ${tmpUVUrl} as "${tmpBeaconConfig.Name}"...`);
+				_Fable.RetoldFactoBeaconProvider.connectBeacon(tmpBeaconConfig,
+					(pConnectError) =>
+					{
+						if (pConnectError)
+						{
+							_Fable.log.error(`Ultravisor auto-connect failed: ${pConnectError.message || pConnectError}`);
+							return;
+						}
+						_Fable.log.info(`Ultravisor auto-connect succeeded — registered as "${tmpBeaconConfig.Name}".`);
+					});
+			}
 		});
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "retold-facto",
-	"version": "1.0.1",
+	"version": "1.0.2",
 	"description": "Data warehouse and knowledge graph storage for the Retold ecosystem.",
 	"main": "source/Retold-Facto.js",
 	"bin": {
@@ -115,7 +115,7 @@
 		"puppeteer": "^24.40.0",
 		"quackage": "^1.2.3",
 		"retold-sharp": "^1.0.0",
-		"stricture": "^4.0.3",
+		"stricture": "^4.0.6",
 		"supertest": "^7.2.2"
 	},
 	"dependencies": {
@@ -124,29 +124,31 @@
 		"@codemirror/view": "^6.41.0",
 		"bibliograph": "^1.0.0",
 		"codemirror": "^6.0.2",
-		"fable": "^3.1.73",
+		"fable": "^3.1.75",
 		"fable-serviceproviderbase": "^3.0.19",
 		"fast-xml-parser": "^5.5.10",
-		"meadow": "^2.0.39",
+		"meadow": "^2.0.41",
 		"meadow-connection-manager": "^1.1.2",
 		"meadow-connection-mysql": "^1.0.19",
 		"meadow-connection-sqlite": "^1.0.20",
-		"meadow-endpoints": "^4.0.21",
-		"meadow-integration": "^1.0.40",
+		"meadow-endpoints": "^4.0.22",
+		"meadow-integration": "^1.0.41",
 		"orator": "^6.1.2",
 		"orator-serviceserver-restify": "^2.0.11",
 		"orator-static-server": "^2.1.4",
-		"pict": "^1.0.369",
+		"pict": "^1.0.371",
 		"pict-provider-theme": "^1.0.1",
 		"pict-router": "^1.0.10",
 		"pict-section-connection-form": "^1.0.0",
 		"pict-section-flow": "^1.0.1",
 		"pict-section-histogram": "^1.0.1",
+		"pict-section-login": "^1.0.0",
 		"pict-section-markdowneditor": "^1.0.15",
 		"pict-section-modal": "^1.1.1",
 		"pict-section-objecteditor": "^1.0.3",
 		"pict-section-theme": "^1.0.5",
-		"stricture": "^4.0.3",
+		"stricture": "^4.0.6",
+		"ultravisor-beacon": "^1.0.1",
 		"xlsx": "^0.18.5"
 	},
 	"retold": {

package/source/Retold-Facto.js

@@ -22,6 +22,7 @@ const libRetoldFactoRecordManager = require('./services/Retold-Facto-RecordManag
 const libRetoldFactoDatasetManager = require('./services/Retold-Facto-DatasetManager.js');
 const libRetoldFactoIngestEngine = require('./services/Retold-Facto-IngestEngine.js');
 const libRetoldFactoProjectionEngine = require('./services/Retold-Facto-ProjectionEngine.js');
+const libRetoldFactoBeaconProvider = require('./services/Retold-Facto-BeaconProvider.js');
 const libRetoldFactoCatalogManager = require('./services/Retold-Facto-CatalogManager.js');
 const libRetoldFactoStoreConnectionManager = require('./services/Retold-Facto-StoreConnectionManager.js');
 const libRetoldFactoDataLakeService = require('./services/Retold-Facto-DataLakeService.js');
@@ -356,6 +357,16 @@ class RetoldFacto extends libFableServiceProviderBase
 				RoutePrefix: this.options.Facto.RoutePrefix
 			});
 
+		// BeaconProvider — exposes connectBeacon() so the CLI can wire
+		// facto into the Ultravisor mesh at startup.  Registering the
+		// type here doesn't initiate a connection; bin/retold-facto.js
+		// invokes connectBeacon() when FACTO_ULTRAVISOR_URL is set.
+		this.fable.serviceManager.addServiceType('RetoldFactoBeaconProvider', libRetoldFactoBeaconProvider);
+		this.fable.serviceManager.instantiateServiceProvider('RetoldFactoBeaconProvider',
+			{
+				RoutePrefix: this.options.Facto.RoutePrefix
+			});
+
 		this.fable.serviceManager.addServiceType('RetoldFactoCatalogManager', libRetoldFactoCatalogManager);
 		this.fable.serviceManager.instantiateServiceProvider('RetoldFactoCatalogManager',
 			{

package/source/services/Retold-Facto-BeaconProvider.js

@@ -461,10 +461,56 @@ class RetoldFactoBeaconProvider extends libFableServiceProviderBase
 				}
 
 				this.log.info(`RetoldFactoBeaconProvider: beacon connected as ${pBeaconInfo.BeaconID}`);
+				// Install the beacon-side web-UI auth proxy now that
+				// connectBeacon has succeeded.  Same pattern as the
+				// databeacon — see Ultravisor-Beacon-WebAuth.cjs for the
+				// install signature.  Non-fatal if it fails (the beacon
+				// is still useful; the UI just stays open).
+				try { this._installWebAuth(pBeaconConfig); }
+				catch (pWebAuthErr)
+				{
+					this.log.warn(`RetoldFactoBeaconProvider: WebAuth install skipped: ${pWebAuthErr && pWebAuthErr.message}`);
+				}
 				return fCallback(null, pBeaconInfo);
 			});
 	}
 
+	/**
+	 * Wire the SDK's WebAuth helper into facto's Orator server so the
+	 * web UI's login flow proxies through UV's auth beacon.  Idempotent
+	 * — calling twice just re-registers the same routes (the helper's
+	 * internal WeakMap tracks installs).  Gating list scopes the gate
+	 * to facto's own data-mutating routes; static assets + the auth
+	 * routes themselves are always public.
+	 */
+	_installWebAuth(pBeaconConfig)
+	{
+		if (!libBeaconService || !libBeaconService.WebAuth)
+		{
+			return;
+		}
+		if (!this.fable.OratorServiceServer)
+		{
+			this.log.warn('RetoldFactoBeaconProvider: WebAuth install: OratorServiceServer unavailable on fable; skipping.');
+			return;
+		}
+		this._WebAuthHandle = libBeaconService.WebAuth.install(this.fable.OratorServiceServer,
+			{
+				UltravisorURL:     pBeaconConfig.ServerURL,
+				BeaconName:        pBeaconConfig.Name || 'retold-facto',
+				BeaconID:          () => this._BeaconService && this._BeaconService.getBeaconID
+					? this._BeaconService.getBeaconID() : '',
+				CookieName:        'SessionID',
+				RoutePrefix:       '/1.0/',
+				StatusPath:        '/status',
+				// Gate facto's mutation + read endpoints.  Auth + status
+				// + static UI stay public so login itself can render.
+				GatedPathPrefixes: ['/1.0/Source', '/1.0/Dataset', '/1.0/Record', '/1.0/Ingest'],
+				Log:               this.fable.log
+			});
+		this.log.info('RetoldFactoBeaconProvider: WebAuth mounted /1.0/{Authenticate,Deauthenticate,CheckSession} + /status proxy');
+	}
+
 	/**
 	 * Disconnect the beacon from the Ultravisor coordinator.
 	 *

package/source/services/web-app/pict-app/Pict-Application-Facto.js

@@ -1,9 +1,12 @@
 const libPictApplication = require('pict-application');
 
 const libPictSectionModal = require('pict-section-modal');
+const libPictSectionLogin = require('pict-section-login');
+const libBeaconWebAuthClient = require('ultravisor-beacon/webinterface/Pict-Beacon-WebAuth-Client.js');
 const libProvider = require('./providers/Pict-Provider-Facto.js');
 
 const libViewLayout = require('./views/PictView-Facto-Layout.js');
+const libViewLogin = require('./views/PictView-Facto-Login.js');
 const libViewSources = require('./views/PictView-Facto-Sources.js');
 const libViewRecords = require('./views/PictView-Facto-Records.js');
 const libViewDatasets = require('./views/PictView-Facto-Datasets.js');
@@ -27,6 +30,7 @@ class FactoApplication extends libPictApplication
 
 		// Register views
 		this.pict.addView('Facto-Layout', libViewLayout.default_configuration, libViewLayout);
+		this.pict.addView('Facto-Login', libViewLogin.default_configuration, libViewLogin);
 		this.pict.addView('Facto-Sources', libViewSources.default_configuration, libViewSources);
 		this.pict.addView('Facto-Records', libViewRecords.default_configuration, libViewRecords);
 		this.pict.addView('Facto-Datasets', libViewDatasets.default_configuration, libViewDatasets);
@@ -35,6 +39,29 @@ class FactoApplication extends libPictApplication
 		this.pict.addView('Facto-Catalog', libViewCatalog.default_configuration, libViewCatalog);
 		this.pict.addView('Facto-Scanner', libViewScanner.default_configuration, libViewScanner);
 		this.pict.addView('Facto-Throughput', libViewThroughput.default_configuration, libViewThroughput);
+
+		// Beacon-side login section + client helper.  The helper hooks
+		// pict-section-login's lifecycle callbacks back into this
+		// application so login success / logout / session-check flow
+		// through `_showLoginOverlay()` and `_hideLoginOverlay()`.  See
+		// modules/fable/ultravisor-beacon/webinterface/Pict-Beacon-
+		// WebAuth-Client.js for the install signature.  When facto's
+		// server-side WebAuth proxy reports the UV is in promiscuous
+		// mode, the gate stays armed but invisible.
+		this._WebAuthClient = libBeaconWebAuthClient.install(this.pict,
+			{
+				Section:              libPictSectionLogin,
+				AuthStateAddress:     'AppData.Facto.Auth',
+				LoginRoute:           'Facto-Login',
+				HomeRoute:            'Facto-Layout',
+				StatusURL:            '/status',
+				LoginEndpoint:        '/1.0/Authenticate',
+				LogoutEndpoint:       '/1.0/Deauthenticate',
+				CheckSessionEndpoint: '/1.0/CheckSession',
+				OnAfterLogin:         () => this._hideLoginOverlay(),
+				OnAfterLogout:        () => this._showLoginOverlay(),
+				OnSessionChecked:     (pSess) => { if (!(pSess && pSess.LoggedIn)) { this._showLoginOverlay(); } else { this._hideLoginOverlay(); } }
+			});
 	}
 
 	onAfterInitializeAsync(fCallback)
@@ -58,10 +85,67 @@ class FactoApplication extends libPictApplication
 		// Make pict available for inline onclick handlers
 		window.pict = this.pict;
 
-		// Render layout (which cascades child view renders)
+		// Ensure the login overlay mount point exists in the DOM
+		// before the section view tries to render into it.  This is
+		// a one-time append so re-renders of the wrapper view don't
+		// stack additional overlays.
+		this._ensureLoginOverlayMount();
+
+		// Render layout (which cascades child view renders).  We render
+		// the layout regardless of auth state; the overlay sits on top
+		// of it (z-index 9999) so an unauthenticated user simply can't
+		// interact with the underlying UI.
 		this.pict.views['Facto-Layout'].render();
 
-		return fCallback();
+		// Boot gate: fetch /status to discover whether UV is running in
+		// authenticated mode.  In promiscuous mode the overlay stays
+		// hidden and the UI works as before.  In authenticated mode the
+		// pict-section-login's CheckSessionOnLoad fires (its default is
+		// true); the helper's OnSessionChecked hook then shows/hides
+		// the overlay based on whether the user's cookie is still good.
+		this._WebAuthClient.loadAuthStatus((pStatusErr) =>
+			{
+				if (pStatusErr)
+				{
+					this.pict.log.warn('Facto: /status fetch failed during boot: ' + pStatusErr.message);
+				}
+				let tmpAuth = (this.pict.AppData.Facto && this.pict.AppData.Facto.Auth) || {};
+				if (tmpAuth.Mode === 'authenticated')
+				{
+					// Show overlay; the section's auto-CheckSession will
+					// hide it back if there's a valid cookie.
+					this._showLoginOverlay();
+					this.pict.views['Facto-Login'].render();
+				}
+				return fCallback();
+			});
+	}
+
+	/**
+	 * Append `<div id="Facto-Login-Overlay">` to <body> if it isn't
+	 * already there.  The Facto-Login wrapper view targets this element
+	 * via its DefaultDestinationAddress, so it must exist before the
+	 * wrapper's first render() call.
+	 */
+	_ensureLoginOverlayMount()
+	{
+		if (typeof document === 'undefined') { return; }
+		if (document.getElementById('Facto-Login-Overlay')) { return; }
+		let tmpDiv = document.createElement('div');
+		tmpDiv.id = 'Facto-Login-Overlay';
+		document.body.appendChild(tmpDiv);
+	}
+
+	_showLoginOverlay()
+	{
+		let tmpEl = (typeof document !== 'undefined') && document.getElementById('Facto-Login-Overlay');
+		if (tmpEl) { tmpEl.classList.add('is-active'); }
+	}
+
+	_hideLoginOverlay()
+	{
+		let tmpEl = (typeof document !== 'undefined') && document.getElementById('Facto-Login-Overlay');
+		if (tmpEl) { tmpEl.classList.remove('is-active'); }
 	}
 }
 

package/source/services/web-app/pict-app/views/PictView-Facto-Login.js

@@ -0,0 +1,91 @@
+/**
+ * PictView-Facto-Login — full-viewport login overlay
+ *
+ * Different shape from the databeacon login view because facto's
+ * layout is accordion-based (no panel-toggle pattern) and doesn't have
+ * a routed content panel we can slot into.  Instead this wrapper
+ * renders a full-viewport overlay (`position:fixed; inset:0`) that
+ * stacks on top of the accordion layout when the boot gate requires
+ * login.  Hidden by default; the application's boot gate flips
+ * `display:block` when the user needs to authenticate.
+ *
+ * Inside the overlay is `#Pict-Login-Container` — the same mount
+ * point name pict-section-login defaults to, so the section's render()
+ * targets it without further config.
+ */
+
+const libPictView = require('pict-view');
+
+const _ViewConfiguration =
+{
+	ViewIdentifier: 'Facto-Login',
+	AutoInitialize: true,
+	AutoRender: false,
+
+	DefaultRenderable: 'Facto-Login-Overlay',
+	DefaultDestinationAddress: '#Facto-Login-Overlay',
+
+	Templates:
+	[
+		{
+			Hash: 'Facto-Login-Overlay-Template',
+			Template: /*html*/`
+<div class="facto-login-overlay-card">
+	<div id="Pict-Login-Container"></div>
+</div>`
+		}
+	],
+
+	Renderables:
+	[
+		{
+			RenderableHash: 'Facto-Login-Overlay',
+			TemplateHash: 'Facto-Login-Overlay-Template',
+			ContentDestinationAddress: '#Facto-Login-Overlay',
+			RenderMethod: 'replace'
+		}
+	],
+
+	CSS: /*css*/`
+		#Facto-Login-Overlay
+		{
+			position: fixed;
+			inset: 0;
+			z-index: 9999;
+			display: none;
+			background: rgba(15, 19, 26, 0.92);
+			align-items: center;
+			justify-content: center;
+			padding: 24px;
+			overflow: auto;
+		}
+		#Facto-Login-Overlay.is-active
+		{
+			display: flex;
+		}
+		.facto-login-overlay-card
+		{
+			width: 100%;
+			max-width: 420px;
+		}
+	`
+};
+
+class FactoLoginView extends libPictView
+{
+	onAfterRender(pRenderable, pAddress, pRecord, pContent)
+	{
+		// Render pict-section-login into the mount point we just
+		// painted.  The section's DefaultDestinationAddress is the
+		// same `#Pict-Login-Container`, so a plain render() routes.
+		let tmpInner = this.pict && this.pict.views && this.pict.views['Pict-Section-Login'];
+		if (tmpInner) { tmpInner.render(); }
+		this.pict.CSSMap.injectCSS();
+		return super.onAfterRender
+			? super.onAfterRender(pRenderable, pAddress, pRecord, pContent)
+			: undefined;
+	}
+}
+
+module.exports = FactoLoginView;
+module.exports.default_configuration = _ViewConfiguration;