studiograph 1.3.2 → 1.3.3-next.10

package/dist/server/routes/git-http.js

@@ -0,0 +1,213 @@
+/**
+ * Embedded Git Smart HTTP Server
+ *
+ * Enables authenticated git clone, fetch, and push over HTTP.
+ * Uses Basic Auth against AuthService for credentials.
+ *
+ * Endpoints:
+ *   GET  /git/:repo/info/refs?service=git-upload-pack   — advertise refs (clone/fetch)
+ *   GET  /git/:repo/info/refs?service=git-receive-pack  — advertise refs (push)
+ *   POST /git/:repo/git-upload-pack                     — clone/fetch data
+ *   POST /git/:repo/git-receive-pack                    — push data
+ *
+ * Access rules:
+ *   - No users configured (open mode) → full access
+ *   - Admin → all collections
+ *   - Member → only granted collections
+ *   - Private repos → excluded entirely
+ */
+import { spawn } from 'child_process';
+import { join } from 'path';
+/**
+ * Resolve Basic Auth header to an AuthUser, or null if open mode.
+ * Returns { user } on success, or { error, statusCode } on failure.
+ */
+function authenticateBasic(authHeader, authService) {
+    // Open mode — no users configured, allow everything
+    if (!authService.hasUsers()) {
+        return { user: null };
+    }
+    if (!authHeader || !authHeader.startsWith('Basic ')) {
+        return { error: 'Authentication required', statusCode: 401 };
+    }
+    const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf-8');
+    const colonIdx = decoded.indexOf(':');
+    if (colonIdx === -1) {
+        return { error: 'Invalid credentials', statusCode: 401 };
+    }
+    const email = decoded.slice(0, colonIdx);
+    const password = decoded.slice(colonIdx + 1);
+    const result = authService.authenticate(email, password);
+    if (!result) {
+        return { error: 'Invalid credentials', statusCode: 401 };
+    }
+    return { user: result.user };
+}
+/**
+ * Check whether a user can access the named collection.
+ */
+function canAccessCollection(user, repoName, authService) {
+    if (!user)
+        return true; // open mode / API key
+    if (user.role === 'admin')
+        return true;
+    return authService.getUserCollections(user.id).includes(repoName);
+}
+/**
+ * Resolve a repo name to its absolute path on disk.
+ * Returns null if the repo doesn't exist or is private.
+ */
+function resolveRepoPath(repoName, workspaceManager, workspacePath) {
+    const config = workspaceManager.getRepoConfig(repoName);
+    if (!config || config.private)
+        return null;
+    return join(workspacePath, config.path);
+}
+export async function registerGitHttpRoutes(fastify, workspaceManager, authService, workspacePath, wsHub) {
+    // GET /git/:repo/info/refs?service=git-upload-pack|git-receive-pack
+    fastify.get('/git/:repo/info/refs', async (req, reply) => {
+        const { repo } = req.params;
+        const service = req.query.service;
+        if (service !== 'git-upload-pack' && service !== 'git-receive-pack') {
+            return reply.status(403).send('Dumb HTTP protocol not supported');
+        }
+        // Authenticate
+        const auth = authenticateBasic(req.headers.authorization, authService);
+        if ('error' in auth) {
+            reply.header('WWW-Authenticate', 'Basic realm="Studiograph Git"');
+            return reply.status(auth.statusCode).send(auth.error);
+        }
+        // Resolve repo
+        const repoPath = resolveRepoPath(repo, workspaceManager, workspacePath);
+        if (!repoPath) {
+            return reply.status(404).send('Repository not found');
+        }
+        // Check collection access
+        if (!canAccessCollection(auth.user, repo, authService)) {
+            return reply.status(404).send('Repository not found');
+        }
+        // Push requires collection access (admin → all, member → granted only)
+        if (service === 'git-receive-pack' && !canAccessCollection(auth.user, repo, authService)) {
+            return reply.status(403).send('Push access denied');
+        }
+        // Spawn git to advertise refs
+        const gitService = service === 'git-upload-pack' ? 'upload-pack' : 'receive-pack';
+        reply.raw.writeHead(200, {
+            'Content-Type': `application/x-${service}-advertisement`,
+            'Cache-Control': 'no-cache',
+        });
+        // Write the pkt-line header for smart HTTP
+        const header = `# service=${service}\n`;
+        const headerLen = (header.length + 4).toString(16).padStart(4, '0');
+        reply.raw.write(`${headerLen}${header}`);
+        reply.raw.write('0000');
+        const proc = spawn('git', [gitService, '--stateless-rpc', '--advertise-refs', repoPath], {
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        proc.stdout.pipe(reply.raw, { end: false });
+        proc.stderr.on('data', (data) => {
+            fastify.log.warn(`git ${gitService} stderr: ${data.toString()}`);
+        });
+        proc.on('close', () => {
+            reply.raw.end();
+        });
+        proc.on('error', (err) => {
+            fastify.log.error(err, `Failed to spawn git ${gitService}`);
+            if (!reply.raw.headersSent) {
+                reply.raw.writeHead(500);
+            }
+            reply.raw.end();
+        });
+        // Don't let Fastify auto-send a response
+        return reply;
+    });
+    // POST /git/:repo/git-upload-pack — clone/fetch
+    fastify.post('/git/:repo/git-upload-pack', async (req, reply) => {
+        const { repo } = req.params;
+        const auth = authenticateBasic(req.headers.authorization, authService);
+        if ('error' in auth) {
+            reply.header('WWW-Authenticate', 'Basic realm="Studiograph Git"');
+            return reply.status(auth.statusCode).send(auth.error);
+        }
+        const repoPath = resolveRepoPath(repo, workspaceManager, workspacePath);
+        if (!repoPath) {
+            return reply.status(404).send('Repository not found');
+        }
+        if (!canAccessCollection(auth.user, repo, authService)) {
+            return reply.status(404).send('Repository not found');
+        }
+        reply.raw.writeHead(200, {
+            'Content-Type': 'application/x-git-upload-pack-result',
+            'Cache-Control': 'no-cache',
+        });
+        const proc = spawn('git', ['upload-pack', '--stateless-rpc', repoPath], {
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        // Pipe request body into git process
+        req.raw.pipe(proc.stdin);
+        proc.stdout.pipe(reply.raw, { end: false });
+        proc.stderr.on('data', (data) => {
+            fastify.log.warn(`git upload-pack stderr: ${data.toString()}`);
+        });
+        proc.on('close', () => {
+            reply.raw.end();
+        });
+        proc.on('error', (err) => {
+            fastify.log.error(err, 'Failed to spawn git upload-pack');
+            if (!reply.raw.headersSent) {
+                reply.raw.writeHead(500);
+            }
+            reply.raw.end();
+        });
+        return reply;
+    });
+    // POST /git/:repo/git-receive-pack — push
+    fastify.post('/git/:repo/git-receive-pack', async (req, reply) => {
+        const { repo } = req.params;
+        const auth = authenticateBasic(req.headers.authorization, authService);
+        if ('error' in auth) {
+            reply.header('WWW-Authenticate', 'Basic realm="Studiograph Git"');
+            return reply.status(auth.statusCode).send(auth.error);
+        }
+        const repoPath = resolveRepoPath(repo, workspaceManager, workspacePath);
+        if (!repoPath) {
+            return reply.status(404).send('Repository not found');
+        }
+        // Push requires collection access (admin → all, member → granted only)
+        if (!canAccessCollection(auth.user, repo, authService)) {
+            return reply.status(403).send('Push access denied');
+        }
+        reply.raw.writeHead(200, {
+            'Content-Type': 'application/x-git-receive-pack-result',
+            'Cache-Control': 'no-cache',
+        });
+        const proc = spawn('git', ['receive-pack', '--stateless-rpc', repoPath], {
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        req.raw.pipe(proc.stdin);
+        proc.stdout.pipe(reply.raw, { end: false });
+        proc.stderr.on('data', (data) => {
+            fastify.log.warn(`git receive-pack stderr: ${data.toString()}`);
+        });
+        proc.on('close', (code) => {
+            reply.raw.end();
+            if (code === 0) {
+                wsHub?.broadcast({
+                    type: 'repo_sync', repo,
+                    source: 'git-push',
+                    actor: auth.user?.displayName ?? 'Git',
+                    timestamp: new Date().toISOString(),
+                });
+            }
+        });
+        proc.on('error', (err) => {
+            fastify.log.error(err, 'Failed to spawn git receive-pack');
+            if (!reply.raw.headersSent) {
+                reply.raw.writeHead(500);
+            }
+            reply.raw.end();
+        });
+        return reply;
+    });
+}
+//# sourceMappingURL=git-http.js.map

package/dist/server/routes/git-http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-http.js","sourceRoot":"","sources":["../../../src/server/routes/git-http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAS5B;;;GAGG;AACH,SAAS,iBAAiB,CACxB,UAA8B,EAC9B,WAAwB;IAExB,oDAAoD;IACpD,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IAC/D,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC7E,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;QACpB,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IAC3D,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IAE7C,MAAM,MAAM,GAAG,WAAW,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACzD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IAC3D,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,IAAqB,EACrB,QAAgB,EAChB,WAAwB;IAExB,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC,CAAyB,sBAAsB;IACtE,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CACtB,QAAgB,EAChB,gBAAkC,EAClC,aAAqB;IAErB,MAAM,MAAM,GAAG,gBAAgB,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;IACxD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,OAAwB,EACxB,gBAAkC,EAClC,WAAwB,EACxB,aAAqB,EACrB,KAAa;IAGb,oEAAoE;IACpE,OAAO,CAAC,GAAG,CACT,sBAAsB,EACtB,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAC5B,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC;QAElC,IAAI,OAAO,KAAK,iBAAiB,IAAI,OAAO,KAAK,kBAAkB,EAAE,CAAC;YACpE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACpE,CAAC;QAED,eAAe;QACf,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;QACvE,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;YACpB,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,+BAA+B,CAAC,CAAC;YAClE,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC;QAED,eAAe;QACf,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACxE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACxD,CAAC;QAED,0BAA0B;QAC1B,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC;YACvD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACxD,CAAC;QAED,uEAAuE;QACvE,IAAI,OAAO,KAAK,kBAAkB,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC;YACzF,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACtD,CAAC;QAED,8BAA8B;QAC9B,MAAM,UAAU,GAAG,OAAO,KAAK,iBAAiB,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,cAAc,CAAC;QAElF,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACvB,cAAc,EAAE,iBAAiB,OAAO,gBAAgB;YACxD,eAAe,EAAE,UAAU;SAC5B,CAAC,CAAC;QAEH,2CAA2C;QAC3C,MAAM,MAAM,GAAG,aAAa,OAAO,IAAI,CAAC;QACxC,MAAM,SAAS,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACpE,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,SAAS,GAAG,MAAM,EAAE,CAAC,CAAC;QACzC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAExB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC,UAAU,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,QAAQ,CAAC,EAAE;YACvF,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAE5C,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACtC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,UAAU,YAAY,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACpB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,uBAAuB,UAAU,EAAE,CAAC,CAAC;YAC5D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAC3B,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,yCAAyC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC,CACF,CAAC;IAEF,gDAAgD;IAChD,OAAO,CAAC,IAAI,CACV,4BAA4B,EAC5B,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAE5B,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;QACvE,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;YACpB,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,+BAA+B,CAAC,CAAC;YAClE,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACxE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACxD,CAAC;QAED,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC;YACvD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACxD,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACvB,cAAc,EAAE,sCAAsC;YACtD,eAAe,EAAE,UAAU;SAC5B,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC,aAAa,EAAE,iBAAiB,EAAE,QAAQ,CAAC,EAAE;YACtE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,qCAAqC;QACrC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEzB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAE5C,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACtC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,2BAA2B,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACpB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,iCAAiC,CAAC,CAAC;YAC1D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAC3B,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC,CACF,CAAC;IAEF,0CAA0C;IAC1C,OAAO,CAAC,IAAI,CACV,6BAA6B,EAC7B,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAE5B,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;QACvE,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;YACpB,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,+BAA+B,CAAC,CAAC;YAClE,OAAO,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACxE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACxD,CAAC;QAED,uEAAuE;QACvE,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC;YACvD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACtD,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACvB,cAAc,EAAE,uCAAuC;YACvD,eAAe,EAAE,UAAU;SAC5B,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC,cAAc,EAAE,iBAAiB,EAAE,QAAQ,CAAC,EAAE;YACvE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEzB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAE5C,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACtC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,4BAA4B,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YAChB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,KAAK,EAAE,SAAS,CAAC;oBACf,IAAI,EAAE,WAAW,EAAE,IAAI;oBACvB,MAAM,EAAE,UAAU;oBAClB,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,WAAW,IAAI,KAAK;oBACtC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACpC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,kCAAkC,CAAC,CAAC;YAC3D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAC3B,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/server/routes/graph-api.d.ts

@@ -2,8 +2,12 @@
  * Graph API routes
  *
  * REST façade over WorkspaceManager.
- * Read endpoints are unauthenticated; write endpoints require auth.
+ * Enforces per-collection access when users are authenticated via JWT.
+ * API key / open mode → full access (no filtering).
  */
 import type { FastifyInstance } from 'fastify';
 import { WorkspaceManager } from '../../core/workspace-manager.js';
-export declare function registerGraphApiRoutes(fastify: FastifyInstance, workspaceManager: WorkspaceManager): Promise<void>;
+import { AuthService } from '../../services/auth-service.js';
+import type { WsHub } from '../ws-hub.js';
+import type { CommitScheduler } from '../commit-scheduler.js';
+export declare function registerGraphApiRoutes(fastify: FastifyInstance, workspaceManager: WorkspaceManager, authService: AuthService, wsHub?: WsHub, commitScheduler?: CommitScheduler): Promise<void>;