rotifex 0.1.0

package/src/server/routes/admin.js

@@ -0,0 +1,276 @@
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { loadSchema, parseModelDef } from '../../engine/schemaLoader.js';
+import { getProviders } from '../../ai/ai.config.js';
+import { listAgents } from '../../ai/agents.config.js';
+import { getUsageSummary } from '../../ai/ai.usage.js';
+import { upsertModel, removeModel } from '../../engine/schemaStore.js';
+import { syncTables } from '../../engine/tableSync.js';
+import { getLogs } from '../../lib/logBuffer.js';
+
+// ── .env file helpers ─────────────────────────────────────────────────────────
+
+function readEnvFile() {
+  const abs = resolve('.env');
+  if (!existsSync(abs)) return {};
+  const vars = {};
+  for (const line of readFileSync(abs, 'utf-8').split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eq = trimmed.indexOf('=');
+    if (eq === -1) continue;
+    const key = trimmed.slice(0, eq).trim();
+    const val = trimmed.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
+    vars[key] = val;
+  }
+  return vars;
+}
+
+function writeEnvFile(vars) {
+  const lines = Object.entries(vars)
+    .filter(([, v]) => v !== '' && v !== null && v !== undefined)
+    .map(([k, v]) => `${k}=${String(v).includes(' ') ? `"${v}"` : v}`);
+  writeFileSync(resolve('.env'), lines.join('\n') + '\n');
+}
+
+/**
+ * Admin-only API routes, registered under `/admin/api`.
+ *
+ * All routes are guarded by an `onRequest` hook that checks
+ * `x-user-role: admin`.
+ *
+ * @param {import('fastify').FastifyInstance} app
+ * @param {{ db: import('../../db/adapters/base.js').DatabaseAdapter }} opts
+ */
+export async function adminRoutes(app, { db }) {
+
+  // ── Admin guard ─────────────────────────────────────────────────────
+  app.addHook('onRequest', async (request, reply) => {
+    const role = request.headers['x-user-role'];
+    if (role !== 'admin') {
+      reply.status(403).send({
+        error: 'Forbidden',
+        message: 'Admin access required',
+        statusCode: 403,
+      });
+    }
+  });
+
+  // ── GET /admin/api/schema ─────────────────────────────────────────
+  app.get('/admin/api/schema', () => {
+    const models = loadSchema();
+    const result = {};
+    for (const [name, model] of models) {
+      result[name] = model;
+    }
+    return { data: result };
+  });
+
+  // ── GET /admin/api/stats ──────────────────────────────────────────
+  app.get('/admin/api/stats', () => {
+    const models = loadSchema();
+    const modelStats = [];
+
+    for (const [name, model] of models) {
+      const row = db.get(`SELECT COUNT(*) AS count FROM ${model.tableName}`);
+      modelStats.push({
+        model: name,
+        table: model.tableName,
+        count: row?.count ?? 0,
+      });
+    }
+
+    // User stats
+    let userCount = 0;
+    try {
+      const userRow = db.get('SELECT COUNT(*) AS count FROM users');
+      userCount = userRow?.count ?? 0;
+    } catch {}
+
+    // File stats
+    let fileCount = 0;
+    let storageBytes = 0;
+    try {
+      const fileRow = db.get('SELECT COUNT(*) AS count, COALESCE(SUM(size_bytes), 0) AS total FROM _files');
+      fileCount = fileRow?.count ?? 0;
+      storageBytes = fileRow?.total ?? 0;
+    } catch {
+      // _files table may not exist yet
+    }
+
+    // AI stats
+    const providers    = getProviders();
+    const connectedLLMs = Object.values(providers).filter(p => p.enabled && p.apiKey).length;
+    const enabledLLMs   = Object.values(providers).filter(p => p.enabled).length;
+    const providerList  = Object.entries(providers)
+      .filter(([, p]) => p.enabled)
+      .map(([id, p]) => ({ id, label: p.label, hasKey: !!p.apiKey }));
+
+    const agentList  = listAgents();
+    const usageSummary = getUsageSummary();
+
+    return {
+      data: {
+        models: modelStats,
+        users: { count: userCount },
+        files: { count: fileCount, storageMB: +(storageBytes / 1024 / 1024).toFixed(2) },
+        uptime: process.uptime(),
+        ai: {
+          connectedLLMs,
+          enabledLLMs,
+          providers: providerList,
+          agentsCount: agentList.length,
+          agents: agentList.map(a => ({ id: a.id, name: a.name, provider: a.provider, model: a.model, tools: a.tools })),
+          usage: usageSummary,
+        },
+      },
+    };
+  });
+
+  // ── GET /admin/api/logs ───────────────────────────────────────────
+  app.get('/admin/api/logs', (request) => {
+    const { after, level } = request.query;
+    return getLogs({
+      after: after ? Number(after) : undefined,
+      level: level || undefined,
+    });
+  });
+
+  const RESERVED = new Set(['user', 'users', '_files', 'files']);
+  const SYSTEM_MODELS = new Set(['User']);
+
+  // ── POST /admin/api/schema — create or replace a model ───────────
+  app.post('/admin/api/schema', (request, reply) => {
+    const { name, fields } = request.body || {};
+    if (!name || !fields || typeof fields !== 'object') {
+      return reply.status(400).send({
+        error: 'Bad Request',
+        message: 'name (string) and fields (object) are required',
+        statusCode: 400,
+      });
+    }
+
+    if (RESERVED.has(name.toLowerCase())) {
+      return reply.status(400).send({
+        error: 'Bad Request',
+        message: `"${name}" is a reserved name and cannot be used as a model.`,
+        statusCode: 400,
+      });
+    }
+
+    // 1. Persist to schema.json
+    const schemaPath = resolve('schema.json');
+    let schema = {};
+    if (existsSync(schemaPath)) {
+      try { schema = JSON.parse(readFileSync(schemaPath, 'utf-8')); } catch {}
+    }
+
+    if (schema[name]) {
+      return reply.status(409).send({
+        error: 'Conflict',
+        message: `Model "${name}" already exists. Delete it first if you want to redefine it.`,
+        statusCode: 409,
+      });
+    }
+
+    schema[name] = { fields };
+    writeFileSync(schemaPath, JSON.stringify(schema, null, 2));
+
+    // 2. Parse into normalised model definition
+    const modelDef = parseModelDef(name, { fields });
+
+    // 3. Create DB table if it doesn't exist yet (idempotent)
+    syncTables(db, new Map([[name, modelDef]]));
+
+    // 4. Add to live store — routes are active immediately
+    upsertModel(name, modelDef);
+
+    return reply.status(201).send({
+      data: { name, tableName: modelDef.tableName, fields: modelDef.fields },
+      message: `Model "${name}" is live. Routes /${modelDef.tableName} are active now.`,
+    });
+  });
+
+  // ── DELETE /admin/api/schema/:name — remove a model ──────────────
+  app.delete('/admin/api/schema/:name', (request, reply) => {
+    const { name } = request.params;
+    const schemaPath = resolve('schema.json');
+    let schema = {};
+    if (existsSync(schemaPath)) {
+      try { schema = JSON.parse(readFileSync(schemaPath, 'utf-8')); } catch {}
+    }
+
+    if (SYSTEM_MODELS.has(name)) {
+      return reply.status(400).send({
+        error: 'Bad Request',
+        message: `"${name}" is a system model and cannot be deleted.`,
+        statusCode: 400,
+      });
+    }
+
+    if (!schema[name]) {
+      return reply.status(404).send({
+        error: 'Not Found',
+        message: `Model "${name}" not found`,
+        statusCode: 404,
+      });
+    }
+
+    // 1. Remove from schema.json
+    delete schema[name];
+    writeFileSync(schemaPath, JSON.stringify(schema, null, 2));
+
+    // 2. Remove from live store — routes stop resolving immediately
+    removeModel(name);
+
+    return reply.status(204).send();
+  });
+
+  // ── GET /admin/api/env — read current .env values ─────────────────
+  app.get('/admin/api/env', () => {
+    const fileVars = readEnvFile();
+    // Merge: file values take precedence over process.env for display,
+    // but fall back to process.env so already-set vars are visible too.
+    const merged = {};
+    for (const key of ENV_KEYS) {
+      merged[key] = fileVars[key] ?? process.env[key] ?? '';
+    }
+    return { data: merged };
+  });
+
+  // ── POST /admin/api/env — write .env file ─────────────────────────
+  app.post('/admin/api/env', (request, reply) => {
+    const incoming = request.body?.vars;
+    if (!incoming || typeof incoming !== 'object') {
+      return reply.status(400).send({ error: 'Bad Request', message: 'vars (object) is required', statusCode: 400 });
+    }
+
+    // Only allow known keys — never let arbitrary keys be written
+    const existing = readEnvFile();
+    for (const key of ENV_KEYS) {
+      if (incoming[key] !== undefined) {
+        if (incoming[key] === '') {
+          delete existing[key]; // empty = remove the key
+        } else {
+          existing[key] = incoming[key];
+        }
+      }
+    }
+
+    writeEnvFile(existing);
+    return { message: 'Environment saved. Restart the server for changes to take effect.' };
+  });
+}
+
+// Keys the settings UI is allowed to read/write.
+const ENV_KEYS = [
+  'JWT_SECRET',
+  'JWT_REFRESH_SECRET',
+  'ROTIFEX_PORT',
+  'ROTIFEX_HOST',
+  'ROTIFEX_CORS_ORIGIN',
+  'ROTIFEX_RATE_LIMIT_MAX',
+  'ROTIFEX_LOG_LEVEL',
+  'ROTIFEX_STORAGE_MAX_FILE_SIZE_MB',
+  'ROTIFEX_STORAGE_SIGNED_URL_SECRET',
+];

package/src/server/routes/files.js

@@ -0,0 +1,188 @@
+import { createReadStream } from 'node:fs';
+
+/**
+ * File upload / download routes.
+ *
+ * Registered under `/files`.  Uses header-based identity for the MVP
+ * (`x-user-id` and `x-user-role`) since Rotifex does not yet have an
+ * auth layer.
+ *
+ * @param {import('fastify').FastifyInstance} app
+ * @param {{ storage: import('../../storage/storageManager.js').StorageManager, config: object }} opts
+ */
+export async function fileRoutes(app, { storage, config }) {
+
+  // ── Helper: extract identity from headers ─────────────────────────
+  function getIdentity(request) {
+    return {
+      userId: request.headers['x-user-id'] || 'anonymous',
+      role:   request.headers['x-user-role'] || 'user',
+    };
+  }
+
+  // ── Helper: ownership / role gate ─────────────────────────────────
+  function assertAccess(meta, identity, reply) {
+    if (identity.role === 'admin') return true;
+    if (meta.uploader_id === identity.userId) return true;
+    reply.status(403).send({
+      error: 'Forbidden',
+      message: 'You do not have access to this file',
+      statusCode: 403,
+    });
+    return false;
+  }
+
+  // ── UPLOAD ────────────────────────────────────────────────────────
+  app.post('/files/upload', async (request, reply) => {
+    const identity = getIdentity(request);
+
+    const data = await request.file();
+    if (!data) {
+      return reply.status(400).send({
+        error: 'Bad Request',
+        message: 'No file provided. Send a multipart form with a "file" field.',
+        statusCode: 400,
+      });
+    }
+
+    // Consume the file stream into a buffer
+    const chunks = [];
+    for await (const chunk of data.file) {
+      chunks.push(chunk);
+    }
+    const buffer = Buffer.concat(chunks);
+
+    // Check max file size
+    const maxBytes = (config.storage.maxFileSizeMB || 10) * 1024 * 1024;
+    if (buffer.length > maxBytes) {
+      return reply.status(413).send({
+        error: 'Payload Too Large',
+        message: `File exceeds the ${config.storage.maxFileSizeMB} MB limit`,
+        statusCode: 413,
+      });
+    }
+
+    const visibility = data.fields?.visibility?.value || 'public';
+    if (!['public', 'private'].includes(visibility)) {
+      return reply.status(400).send({
+        error: 'Bad Request',
+        message: 'visibility must be "public" or "private"',
+        statusCode: 400,
+      });
+    }
+
+    const fileMeta = storage.save(
+      { filename: data.filename, mimetype: data.mimetype, data: buffer },
+      { visibility, uploaderId: identity.userId },
+    );
+
+    return reply.status(201).send({ data: fileMeta });
+  });
+
+  // ── LIST FILES ────────────────────────────────────────────────────
+  app.get('/files', (request, reply) => {
+    const identity = getIdentity(request);
+    const filters = identity.role === 'admin'
+      ? {}
+      : { uploaderId: identity.userId };
+
+    const files = storage.listFiles(filters);
+    return { data: files, meta: { total: files.length } };
+  });
+
+  // ── GET FILE METADATA ─────────────────────────────────────────────
+  app.get('/files/:id', (request, reply) => {
+    const identity = getIdentity(request);
+    const meta = storage.getFileMeta(request.params.id);
+    if (!meta) {
+      return reply.status(404).send({
+        error: 'Not Found',
+        message: 'File not found',
+        statusCode: 404,
+      });
+    }
+
+    if (!assertAccess(meta, identity, reply)) return;
+    return { data: meta };
+  });
+
+  // ── DOWNLOAD ──────────────────────────────────────────────────────
+  app.get('/files/:id/download', (request, reply) => {
+    const meta = storage.getFileMeta(request.params.id);
+    if (!meta) {
+      return reply.status(404).send({
+        error: 'Not Found',
+        message: 'File not found',
+        statusCode: 404,
+      });
+    }
+
+    // Private files require a valid signed URL
+    if (meta.visibility === 'private') {
+      const { token, expires } = request.query;
+      if (!token || !expires) {
+        return reply.status(403).send({
+          error: 'Forbidden',
+          message: 'Private files require a signed URL. Use GET /files/:id/signed-url to obtain one.',
+          statusCode: 403,
+        });
+      }
+      if (!storage.verifySignedUrl(meta.id, token, expires)) {
+        return reply.status(403).send({
+          error: 'Forbidden',
+          message: 'Invalid or expired signed URL',
+          statusCode: 403,
+        });
+      }
+    }
+
+    const filepath = storage.getFilePath(meta);
+    reply.header('Content-Type', meta.mime_type);
+    reply.header('Content-Disposition', `inline; filename="${meta.original_name}"`);
+    return reply.send(createReadStream(filepath));
+  });
+
+  // ── GENERATE SIGNED URL ───────────────────────────────────────────
+  app.get('/files/:id/signed-url', (request, reply) => {
+    const identity = getIdentity(request);
+    const meta = storage.getFileMeta(request.params.id);
+    if (!meta) {
+      return reply.status(404).send({
+        error: 'Not Found',
+        message: 'File not found',
+        statusCode: 404,
+      });
+    }
+
+    if (!assertAccess(meta, identity, reply)) return;
+
+    if (meta.visibility !== 'private') {
+      return reply.status(400).send({
+        error: 'Bad Request',
+        message: 'Signed URLs are only for private files',
+        statusCode: 400,
+      });
+    }
+
+    const signed = storage.generateSignedUrl(meta.id, request);
+    return { data: signed };
+  });
+
+  // ── DELETE ────────────────────────────────────────────────────────
+  app.delete('/files/:id', (request, reply) => {
+    const identity = getIdentity(request);
+    const meta = storage.getFileMeta(request.params.id);
+    if (!meta) {
+      return reply.status(404).send({
+        error: 'Not Found',
+        message: 'File not found',
+        statusCode: 404,
+      });
+    }
+
+    if (!assertAccess(meta, identity, reply)) return;
+
+    storage.deleteFile(meta.id);
+    return reply.status(204).send();
+  });
+}

package/src/server/routes/health.js

@@ -0,0 +1,14 @@
+/**
+ * Health-check route.
+ *
+ * GET /health → { status, uptime, timestamp }
+ *
+ * @param {import('fastify').FastifyInstance} app
+ */
+export async function healthRoutes(app) {
+  app.get('/health', async () => ({
+    status:    'ok',
+    uptime:    process.uptime(),
+    timestamp: new Date().toISOString(),
+  }));
+}

package/src/server/server.js

@@ -0,0 +1,149 @@
+import { mkdirSync, existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+import Fastify from 'fastify';
+import { registerPlugins } from './plugins.js';
+import { registerRequestLogger } from './middleware/requestLogger.js';
+import { registerErrorHandler } from './middleware/errorHandler.js';
+import { healthRoutes } from './routes/health.js';
+import { fileRoutes } from './routes/files.js';
+import { adminRoutes } from './routes/admin.js';
+import { authRoutes } from '../auth/auth.routes.js';
+import { aiRoutes } from '../ai/ai.routes.js';
+import { agentRoutes } from '../ai/agent.routes.js';
+import { registerJwtMiddleware } from '../auth/jwt.middleware.js';
+import { getDatabase } from '../db/index.js';
+import { bootstrapEngine } from '../engine/index.js';
+import { StorageManager } from '../storage/index.js';
+import { logBufferStream } from '../lib/logBuffer.js';
+import { logger } from '../lib/logger.js';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname  = dirname(__filename);
+
+/**
+ * Create and configure a Fastify server instance.
+ *
+ * @param {object} config  Merged Rotifex config (from `loadConfig()`).
+ * @returns {Promise<import('fastify').FastifyInstance>}
+ */
+export async function createServer(config) {
+  // ── Ensure storage directories exist BEFORE plugin registration ────
+  for (const dir of [config.storage?.publicDir, config.storage?.privateDir]) {
+    if (dir && !existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+  }
+
+  const app = Fastify({
+    logger: {
+      level: config.logging.level,
+      stream: {
+        write(msg) {
+          // Only feed the in-memory buffer (admin Logs page).
+          // Nothing goes to the terminal — startup messages use the chalk
+          // logger directly and are already printed there.
+          logBufferStream.write(msg);
+        },
+      },
+    },
+    disableRequestLogging: true,
+  });
+
+  // ── Plugins ─────────────────────────────────────────────────────────
+  await registerPlugins(app, config);
+
+  // ── Middleware ───────────────────────────────────────────────────────
+  registerRequestLogger(app);
+  registerErrorHandler(app);
+  registerJwtMiddleware(app);   // verifies Bearer tokens, injects x-user-id / x-user-role
+
+  // ── Routes ──────────────────────────────────────────────────────────
+  await app.register(healthRoutes);
+
+  // ── Database + Auth (auth routes registered before engine so /auth/* ─
+  // ── is a concrete path and always wins over parametric /api/:table)  ─
+  const db = getDatabase();
+  await app.register(authRoutes, { db });
+
+  // ── Dynamic REST Engine ─────────────────────────────────────────────
+  bootstrapEngine(app, db);
+
+  // ── File Storage ────────────────────────────────────────────────────
+  const storage = new StorageManager(db, config.storage);
+  storage.init();
+  await app.register(fileRoutes, { storage, config });
+
+  // ── AI Routes ───────────────────────────────────────────────────────
+  await app.register(aiRoutes);
+  await app.register(agentRoutes, { db });
+
+  // ── Admin API ───────────────────────────────────────────────────────
+  await app.register(adminRoutes, { db });
+
+  // ── SPA (served at /) ────────────────────────────────────────────────
+  // Resolve admin/dist from the package directory so it works when installed via npx/npm
+  const adminDist = join(__dirname, '../../admin/dist');
+  if (existsSync(adminDist)) {
+    const fastifyStatic = (await import('@fastify/static')).default;
+    await app.register(fastifyStatic, {
+      root:    adminDist,
+      prefix:  '/',
+      wildcard: false,
+    });
+    logger.success('Dashboard is live at / — go click things!');
+  } else {
+    logger.warn('Admin dashboard not built yet. Run "npm run build:admin" first.');
+  }
+
+  // ── 404 handler ──────────────────────────────────────────────────────
+  app.setNotFoundHandler((request, reply) => {
+    reply.status(404).type('text/html').send(`<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>404 — Rotifex</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+      background: #f5f6f8; color: #1a1d23;
+      display: flex; align-items: center; justify-content: center; min-height: 100vh;
+    }
+    .box {
+      text-align: center; padding: 48px 40px; background: #fff;
+      border: 1px solid #e2e5ea; border-radius: 12px;
+      box-shadow: 0 4px 24px rgba(0,0,0,0.06); max-width: 420px; width: 100%;
+    }
+    .code { font-size: 72px; font-weight: 800; color: #4f6ef7; letter-spacing: -2px; line-height: 1; }
+    .title { font-size: 20px; font-weight: 600; margin: 12px 0 8px; }
+    .path {
+      font-family: 'SF Mono', monospace; font-size: 13px;
+      background: #f3f4f6; color: #6b7280; padding: 4px 10px;
+      border-radius: 4px; display: inline-block; margin-bottom: 28px;
+    }
+    a {
+      display: inline-block; padding: 10px 24px; background: #4f6ef7;
+      color: #fff; text-decoration: none; border-radius: 8px;
+      font-size: 14px; font-weight: 500; transition: background 0.15s;
+    }
+    a:hover { background: #3b5de7; }
+  </style>
+</head>
+<body>
+  <div class="box">
+    <div class="code">404</div>
+    <div class="title">Nothing here</div>
+    <div class="path">${request.url}</div>
+    <a href="/">← Back to Dashboard</a>
+  </div>
+</body>
+</html>`);
+  });
+
+  logger.success('File storage is up — ready to hoard your files.');
+
+  return app;
+}

package/src/storage/fileTable.js

@@ -0,0 +1,22 @@
+/**
+ * Ensure the `_files` metadata table exists.
+ *
+ * Uses the `_` prefix to avoid collisions with user-defined models
+ * generated from `schema.json`.
+ *
+ * @param {import('../db/adapters/base.js').DatabaseAdapter} db
+ */
+export function ensureFileTable(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS _files (
+      id            TEXT PRIMARY KEY,
+      original_name TEXT NOT NULL,
+      stored_name   TEXT NOT NULL,
+      mime_type     TEXT NOT NULL,
+      size_bytes    INTEGER NOT NULL,
+      visibility    TEXT NOT NULL DEFAULT 'public',
+      uploader_id   TEXT NOT NULL,
+      created_at    TEXT NOT NULL
+    )
+  `);
+}

package/src/storage/index.js

@@ -0,0 +1,5 @@
+/**
+ * Public API for the Rotifex storage layer.
+ */
+export { StorageManager } from './storageManager.js';
+export { ensureFileTable } from './fileTable.js';