skill-base 2.0.1

package/src/routes/init.js

@@ -0,0 +1,86 @@
+const bcrypt = require('bcryptjs');
+const db = require('../database');
+
+/**
+ * 系统初始化路由
+ * @param {import('fastify').FastifyInstance} fastify
+ */
+async function initRoutes(fastify) {
+    /**
+     * GET /api/v1/init/status
+     * 检查系统是否需要初始化（是否存在管理员用户）
+     */
+    fastify.get('/status', async (request, reply) => {
+        const adminCount = db.prepare(
+            "SELECT COUNT(*) as count FROM users WHERE role = 'admin'"
+        ).get();
+        
+        return {
+            initialized: adminCount.count > 0
+        };
+    });
+
+    /**
+     * POST /api/v1/init/setup
+     * 初始化系统管理员账号
+     * Body: { username, password }
+     */
+    fastify.post('/setup', async (request, reply) => {
+        // 检查是否已经初始化
+        const adminCount = db.prepare(
+            "SELECT COUNT(*) as count FROM users WHERE role = 'admin'"
+        ).get();
+        
+        if (adminCount.count > 0) {
+            return reply.code(400).send({ 
+                error: 'System already initialized' 
+            });
+        }
+        
+        const { username, password } = request.body || {};
+        
+        // 验证输入
+        if (!username || !password) {
+            return reply.code(400).send({ 
+                error: 'Username and password are required' 
+            });
+        }
+        
+        if (username.length < 3 || username.length > 50) {
+            return reply.code(400).send({ 
+                error: 'Username must be 3-50 characters' 
+            });
+        }
+        
+        if (password.length < 6) {
+            return reply.code(400).send({ 
+                error: 'Password must be at least 6 characters' 
+            });
+        }
+        
+        // 检查用户名是否已存在
+        const existingUser = db.prepare(
+            'SELECT id FROM users WHERE username = ?'
+        ).get(username);
+        
+        if (existingUser) {
+            return reply.code(400).send({ 
+                error: 'Username already exists' 
+            });
+        }
+        
+        // 创建管理员账号
+        const passwordHash = bcrypt.hashSync(password, 10);
+        const result = db.prepare(
+            'INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)'
+        ).run(username, passwordHash, 'admin');
+        
+        return {
+            success: true,
+            message: 'Admin account created successfully',
+            userId: result.lastInsertRowid
+        };
+    });
+}
+
+module.exports = initRoutes;

package/src/routes/publish.js

@@ -0,0 +1,108 @@
+const fs = require('fs');
+const db = require('../database');
+const SkillModel = require('../models/skill');
+const VersionModel = require('../models/version');
+const { ensureSkillDir, generateVersionNumber, getZipPath, getZipRelativePath } = require('../utils/zip');
+const { canPublishSkill } = require('../utils/permission');
+
+async function publishRoutes(fastify, options) {
+  // POST /publish - 发布新版本
+  fastify.post('/publish', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const fields = {};
+    let zipBuffer = null;
+    let zipFilename = null;
+
+    // 解析 multipart 数据
+    const parts = request.parts();
+    for await (const part of parts) {
+      if (part.type === 'file') {
+        if (part.fieldname === 'zip_file') {
+          // 读取文件到 buffer
+          const chunks = [];
+          for await (const chunk of part.file) {
+            chunks.push(chunk);
+          }
+          zipBuffer = Buffer.concat(chunks);
+          zipFilename = part.filename;
+        }
+      } else if (part.type === 'field') {
+        fields[part.fieldname] = part.value;
+      }
+    }
+
+    // 检查必须的 zip 文件
+    if (!zipBuffer) {
+      return reply.code(400).send({ detail: 'zip_file is required' });
+    }
+
+    const { skill_id, name, description, changelog } = fields;
+
+    // 检查 skill_id
+    if (!skill_id) {
+      return reply.code(400).send({ detail: 'skill_id is required' });
+    }
+
+    // 检查发布权限
+    if (!canPublishSkill(request.user, skill_id)) {
+      return reply.code(403).send({
+        ok: false,
+        error: 'permission_denied',
+        detail: 'You do not have publish permission for this Skill'
+      });
+    }
+
+    // 检查 skill 是否存在
+    const skillExists = SkillModel.exists(skill_id);
+
+    // 如果 skill 不存在，需要 name 字段来创建新 skill
+    if (!skillExists) {
+      if (!name) {
+        return reply.code(400).send({ detail: 'name is required for new skill' });
+      }
+      // 使用事务创建新 skill 和添加 owner 协作者记录
+      const createSkillTx = db.transaction(() => {
+        SkillModel.create(skill_id, name, description || '', request.user.id);
+        db.prepare(
+          'INSERT INTO skill_collaborators (skill_id, user_id, role, created_by) VALUES (?, ?, ?, ?)'
+        ).run(skill_id, request.user.id, 'owner', request.user.id);
+      });
+      createSkillTx();
+    }
+
+    // 生成版本号
+    const version = generateVersionNumber();
+
+    // 确保目录存在
+    ensureSkillDir(skill_id);
+
+    // 写入 zip 文件
+    const zipPath = getZipPath(skill_id, version);
+    fs.writeFileSync(zipPath, zipBuffer);
+
+    // 获取相对路径（存入数据库）
+    const zipRelativePath = getZipRelativePath(skill_id, version);
+
+    // 创建版本记录
+    const versionRecord = VersionModel.create(
+      skill_id,
+      version,
+      changelog || '',
+      zipRelativePath,
+      request.user.id
+    );
+
+    // 更新 skill 的最新版本
+    SkillModel.updateLatestVersion(skill_id, version);
+
+    return {
+      ok: true,
+      skill_id,
+      version,
+      created_at: versionRecord.created_at
+    };
+  });
+}
+
+module.exports = publishRoutes;

package/src/routes/skills.js

@@ -0,0 +1,119 @@
+const fs = require('fs');
+const path = require('path');
+const SkillModel = require('../models/skill');
+const VersionModel = require('../models/version');
+const { getZipPath } = require('../utils/zip');
+
+// 格式化 skill，将 owner 转为对象
+function formatSkill(skill) {
+  if (!skill) return null;
+  return {
+    id: skill.id,
+    name: skill.name,
+    description: skill.description,
+    latest_version: skill.latest_version,
+    owner: {
+      id: skill.owner_id,
+      username: skill.owner_username,
+      name: skill.owner_name
+    },
+    created_at: skill.created_at,
+    updated_at: skill.updated_at
+  };
+}
+
+// 格式化 version，将 uploader 转为对象
+function formatVersion(version) {
+  if (!version) return null;
+  return {
+    id: version.id,
+    skill_id: version.skill_id,
+    version: version.version,
+    changelog: version.changelog,
+    zip_path: version.zip_path,
+    uploader: {
+      id: version.uploader_id,
+      username: version.uploader_username,
+      name: version.uploader_name
+    },
+    created_at: version.created_at
+  };
+}
+
+async function skillsRoutes(fastify, options) {
+  // GET / - 获取 skills 列表
+  fastify.get('/', async (request, reply) => {
+    const { q } = request.query;
+    const skills = SkillModel.search(q);
+    const formattedSkills = skills.map(formatSkill);
+
+    return {
+      skills: formattedSkills,
+      total: formattedSkills.length
+    };
+  });
+
+  // GET /:skill_id - 获取单个 skill
+  fastify.get('/:skill_id', async (request, reply) => {
+    const { skill_id } = request.params;
+    const skill = SkillModel.findById(skill_id);
+
+    if (!skill) {
+      return reply.code(404).send({ detail: 'Skill not found' });
+    }
+
+    return formatSkill(skill);
+  });
+
+  // GET /:skill_id/versions - 获取 skill 的所有版本
+  fastify.get('/:skill_id/versions', async (request, reply) => {
+    const { skill_id } = request.params;
+
+    // 先检查 skill 是否存在
+    if (!SkillModel.exists(skill_id)) {
+      return reply.code(404).send({ detail: 'Skill not found' });
+    }
+
+    const versions = VersionModel.listBySkillId(skill_id);
+    const formattedVersions = versions.map(formatVersion);
+
+    return {
+      skill_id,
+      versions: formattedVersions
+    };
+  });
+
+  // GET /:skill_id/versions/:version/download - 下载版本 zip 文件
+  fastify.get('/:skill_id/versions/:version/download', async (request, reply) => {
+    const { skill_id, version } = request.params;
+
+    let versionRecord;
+
+    if (version === 'latest') {
+      versionRecord = VersionModel.getLatest(skill_id);
+    } else {
+      versionRecord = VersionModel.findByVersion(skill_id, version);
+    }
+
+    if (!versionRecord) {
+      return reply.code(404).send({ detail: 'Version not found' });
+    }
+
+    // 获取文件路径
+    const zipPath = getZipPath(skill_id, versionRecord.version);
+
+    // 检查文件是否存在
+    if (!fs.existsSync(zipPath)) {
+      return reply.code(404).send({ detail: 'Version not found' });
+    }
+
+    // 设置响应头并返回文件流
+    const fileName = `${skill_id}-${versionRecord.version}.zip`;
+    reply.header('Content-Type', 'application/zip');
+    reply.header('Content-Disposition', `attachment; filename="${fileName}"`);
+
+    return fs.createReadStream(zipPath);
+  });
+}
+
+module.exports = skillsRoutes;

package/src/routes/users.js

@@ -0,0 +1,169 @@
+const UserModel = require('../models/user');
+const { hashPassword } = require('../utils/crypto');
+const db = require('../database');
+
+async function usersRoutes(fastify, options) {
+  // GET /search - 用户搜索（仅需登录，不需要管理员权限）
+  // 注意：必须在 /:user_id 之前注册
+  fastify.get('/search', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const { q } = request.query;
+    
+    if (!q || q.trim().length < 1) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'Search keyword must be at least 1 character' });
+    }
+    
+    const pattern = `%${q.trim()}%`;
+    const users = db.prepare(`
+      SELECT id, username, name, status
+      FROM users
+      WHERE (username LIKE ? OR name LIKE ?) AND status = 'active'
+      LIMIT 10
+    `).all(pattern, pattern);
+    
+    return reply.send({ users });
+  });
+
+  // 以下路由都需要管理员权限
+  fastify.register(async function adminRoutes(fastify) {
+    fastify.addHook('preHandler', fastify.requireAdmin);
+
+  // GET / - 用户列表
+  fastify.get('/', async (request, reply) => {
+    const { q, status, page = 1, limit = 20 } = request.query;
+    const result = UserModel.list({
+      q,
+      status,
+      page: parseInt(page) || 1,
+      limit: Math.min(parseInt(limit) || 20, 100)
+    });
+    return reply.send(result);
+  });
+
+  // POST / - 创建用户
+  fastify.post('/', async (request, reply) => {
+    const { username, password, role = 'developer', name } = request.body || {};
+    
+    if (!username || !password) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'Username and password are required' });
+    }
+    if (password.length < 6) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'Password must be at least 6 characters' });
+    }
+    if (!['admin', 'developer'].includes(role)) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'Role must be admin or developer' });
+    }
+    
+    // Check if username already exists
+    const existing = UserModel.findByUsername(username.trim());
+    if (existing) {
+      return reply.code(400).send({ ok: false, error: 'username_exists', detail: 'Username already exists' });
+    }
+    
+    const passwordHash = await hashPassword(password);
+    // 创建用户时记录 created_by
+    const result = db.prepare(
+      "INSERT INTO users (username, password_hash, role, name, status, created_by, created_at, updated_at) VALUES (?, ?, ?, ?, 'active', ?, datetime('now'), datetime('now'))"
+    ).run(username.trim(), passwordHash, role, name || null, request.user.id);
+    
+    const user = UserModel.findById(result.lastInsertRowid);
+    return reply.code(201).send({ ok: true, user });
+  });
+
+  // GET /:user_id - 用户详情
+  fastify.get('/:user_id', async (request, reply) => {
+    const { user_id } = request.params;
+    const user = UserModel.findByIdWithCreator(parseInt(user_id));
+    
+    if (!user) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'User not found' });
+    }
+    
+    // Format created_by
+    const result = {
+      id: user.id,
+      username: user.username,
+      name: user.name,
+      role: user.role,
+      status: user.status,
+      created_at: user.created_at,
+      updated_at: user.updated_at
+    };
+    if (user.creator_id) {
+      result.created_by = { id: user.creator_id, username: user.creator_username };
+    }
+    
+    return reply.send(result);
+  });
+
+  // PATCH /:user_id - 更新用户
+  fastify.patch('/:user_id', async (request, reply) => {
+    const userId = parseInt(request.params.user_id);
+    const { role, status, name } = request.body || {};
+    
+    const user = UserModel.findById(userId);
+    if (!user) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'User not found' });
+    }
+    
+    // Self-protection for admins
+    if (userId === request.user.id) {
+      if (status === 'disabled') {
+        return reply.code(400).send({ ok: false, error: 'self_protection', detail: 'Cannot disable your own account' });
+      }
+      if (role === 'developer') {
+        return reply.code(400).send({ ok: false, error: 'self_protection', detail: 'Cannot downgrade your own role' });
+      }
+    }
+    
+    // Validate field values
+    const fields = {};
+    if (role !== undefined) {
+      if (!['admin', 'developer'].includes(role)) {
+        return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'Role must be admin or developer' });
+      }
+      fields.role = role;
+    }
+    if (status !== undefined) {
+      if (!['active', 'disabled'].includes(status)) {
+        return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'Status must be active or disabled' });
+      }
+      fields.status = status;
+    }
+    if (name !== undefined) {
+      fields.name = name;
+    }
+    
+    if (Object.keys(fields).length === 0) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'No fields to update' });
+    }
+    
+    UserModel.update(userId, fields);
+    const updated = UserModel.findById(userId);
+    return reply.send({ ok: true, user: updated });
+  });
+
+  // POST /:user_id/reset-password - 重置密码
+  fastify.post('/:user_id/reset-password', async (request, reply) => {
+    const userId = parseInt(request.params.user_id);
+    const { new_password } = request.body || {};
+    
+    if (!new_password || new_password.length < 6) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'New password must be at least 6 characters' });
+    }
+    
+    const user = UserModel.findById(userId);
+    if (!user) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'User not found' });
+    }
+    
+    const passwordHash = await hashPassword(new_password);
+    UserModel.resetPassword(userId, passwordHash);
+    
+    return reply.send({ ok: true, message: 'Password has been reset' });
+  });
+  });
+}
+
+module.exports = usersRoutes;

package/src/utils/crypto.js

@@ -0,0 +1,35 @@
+const bcrypt = require('bcryptjs');
+const { v4: uuidv4 } = require('uuid');
+
+// 密码哈希（10 rounds）
+function hashPassword(password) {
+  return bcrypt.hashSync(password, 10);
+}
+
+// 验证密码
+function verifyPassword(password, hash) {
+  return bcrypt.compareSync(password, hash);
+}
+
+// 生成 PAT Token，格式：sk-base-{uuid去掉横线}
+function generatePAT() {
+  return 'sk-base-' + uuidv4().replace(/-/g, '');
+}
+
+// 生成 CLI 验证码，格式：XXXX-XXXX（大写字母+数字）
+function generateCliCode() {
+  const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // 排除易混淆字符
+  let code = '';
+  for (let i = 0; i < 8; i++) {
+    if (i === 4) code += '-';
+    code += chars[Math.floor(Math.random() * chars.length)];
+  }
+  return code;
+}
+
+// 生成 Session ID
+function generateSessionId() {
+  return uuidv4();
+}
+
+module.exports = { hashPassword, verifyPassword, generatePAT, generateCliCode, generateSessionId };

package/src/utils/permission.js

@@ -0,0 +1,45 @@
+const db = require('../database');
+
+/**
+ * 检查用户是否有 Skill 的指定权限
+ * @param {object} user - request.user 对象
+ * @param {string} skillId - Skill ID
+ * @param {string} requiredRole - 'owner' | 'collaborator' | 'any'
+ * @returns {boolean}
+ */
+function hasSkillPermission(user, skillId, requiredRole = 'any') {
+  // 管理员拥有所有权限
+  if (user.role === 'admin') return true;
+  
+  const collaborator = db.prepare(
+    'SELECT role FROM skill_collaborators WHERE skill_id = ? AND user_id = ?'
+  ).get(skillId, user.id);
+  
+  if (!collaborator) return false;
+  if (requiredRole === 'any') return true;
+  if (requiredRole === 'owner') return collaborator.role === 'owner';
+  if (requiredRole === 'collaborator') return true; // owner 也有 collaborator 权限
+  return false;
+}
+
+/**
+ * 检查用户是否可以发布 Skill
+ */
+function canPublishSkill(user, skillId) {
+  const skill = db.prepare('SELECT id FROM skills WHERE id = ?').get(skillId);
+  if (!skill) return true;  // 新 Skill，任何登录用户都可创建
+  return hasSkillPermission(user, skillId, 'any');
+}
+
+/**
+ * 检查用户是否可以管理协作者/删除 Skill
+ */
+function canManageSkill(user, skillId) {
+  return hasSkillPermission(user, skillId, 'owner');
+}
+
+module.exports = {
+  hasSkillPermission,
+  canPublishSkill,
+  canManageSkill
+};

package/src/utils/zip.js

@@ -0,0 +1,35 @@
+const path = require('path');
+const fs = require('fs');
+
+// 获取 zip 存储目录
+function getDataDir() {
+  return process.env.DATA_DIR || path.join(__dirname, '../../data');
+}
+
+// 确保 skill 的存储目录存在
+function ensureSkillDir(skillId) {
+  const dir = path.join(getDataDir(), skillId);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  return dir;
+}
+
+// 生成时间戳版本号 vYYYYMMDD.HHMMSS
+function generateVersionNumber() {
+  const now = new Date();
+  const pad = (n) => String(n).padStart(2, '0');
+  return `v${now.getFullYear()}${pad(now.getMonth() + 1)}${pad(now.getDate())}.${pad(now.getHours())}${pad(now.getMinutes())}${pad(now.getSeconds())}`;
+}
+
+// 获取 zip 文件的完整路径
+function getZipPath(skillId, version) {
+  return path.join(getDataDir(), skillId, `${version}.zip`);
+}
+
+// 获取 zip 文件相对路径（存入数据库）
+function getZipRelativePath(skillId, version) {
+  return `${skillId}/${version}.zip`;
+}
+
+module.exports = { getDataDir, ensureSkillDir, generateVersionNumber, getZipPath, getZipRelativePath };