studiograph 1.3.3 → 1.3.4

package/dist/server/routes/sync-api.js

@@ -0,0 +1,757 @@
+/**
+ * Sync API routes
+ *
+ * REST endpoints for collection-scoped sync:
+ *   POST /api/repos/:repo/sync              — run sync for a collection
+ *   POST /api/repos/:repo/entities/:type/:id/refresh       — get refresh diff
+ *   POST /api/repos/:repo/entities/:type/:id/refresh/apply — apply refresh
+ *   GET  /api/repos/:repo/sync/status       — sync config and last sync time
+ *   GET  /api/sources                        — list source definitions
+ *   GET  /api/sources/:name                  — get a single source definition
+ *   POST /api/sources/:name                  — create/update source definition
+ *   DELETE /api/sources/:name                — remove source definition
+ *   GET  /api/connectors                     — list available MCP connectors
+ *   GET  /api/connectors/:name/config        — get connector config (secrets masked)
+ *   POST /api/connectors/:name/config        — create/update connector config
+ *   DELETE /api/connectors/:name/config      — remove connector config
+ *   POST /api/connectors/:name/oauth/authorize  — initiate OAuth flow
+ *   GET  /api/oauth/callback/:name              — OAuth callback (browser redirect)
+ *   GET  /api/connectors/:name/oauth/status     — poll OAuth connection status
+ *   POST /api/connectors/:name/oauth/disconnect — clear OAuth tokens
+ */
+import { Workspace } from '../../core/workspace.js';
+import { syncRepo, syncWorkspaceRule } from '../../services/sync/collection-sync.js';
+import { refreshEntity } from '../../services/sync/entity-refresh.js';
+import { SourceConfigManager } from '../../services/sync/source-config.js';
+import { ConnectorManager, KNOWN_CONNECTORS } from '../../mcp/connector-manager.js';
+import { ServerOAuthProvider, decodeOAuthState } from '../../mcp/server-oauth-provider.js';
+import { auth as mcpAuth } from '@modelcontextprotocol/sdk/client/auth.js';
+/**
+ * Creates a fetch wrapper for OAuth that handles providers with broken or missing
+ * metadata discovery endpoints. When custom OAuth endpoints are configured, returns
+ * synthetic metadata so the SDK uses the correct authorize/token URLs.
+ */
+function createOAuthFetch(oauthApp) {
+    return async (input, init) => {
+        const url = typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url;
+        // Intercept .well-known discovery requests
+        if (url.includes('.well-known/')) {
+            // If we have custom endpoints, return synthetic metadata
+            if (oauthApp?.authorization_endpoint && oauthApp?.token_endpoint) {
+                const metadata = {
+                    issuer: new URL(oauthApp.authorization_endpoint).origin,
+                    authorization_endpoint: oauthApp.authorization_endpoint,
+                    token_endpoint: oauthApp.token_endpoint,
+                    response_types_supported: ['code'],
+                    code_challenge_methods_supported: ['S256'],
+                };
+                return new Response(JSON.stringify(metadata), {
+                    status: 200,
+                    headers: { 'Content-Type': 'application/json' },
+                });
+            }
+            // Otherwise, try the real endpoint but convert 5xx to 404
+            const res = await fetch(input, init);
+            if (res.status >= 500) {
+                return new Response(null, { status: 404 });
+            }
+            return res;
+        }
+        return fetch(input, init);
+    };
+}
+import { SOURCE_DEFINITIONS } from '../../services/sync/source-definitions/definitions.js';
+import { join } from 'path';
+/** Check if the current user is an admin (or API key mode). */
+function isAdmin(req) {
+    const user = req.user;
+    if (!user)
+        return true; // API key / open mode
+    return user.role === 'admin';
+}
+/** Check if user can access a repo (admin, or has collection access, or owns private collection). */
+function hasRepoAccess(req, repoName, workspaceManager, authService) {
+    const user = req.user;
+    if (!user)
+        return true; // API key / open mode
+    const repoConfig = workspaceManager.getRepoConfig(repoName);
+    if (repoConfig?.private && repoConfig?.owner_id === user.id)
+        return true;
+    if (user.role === 'admin')
+        return true;
+    return authService.getUserCollections(user.id).includes(repoName);
+}
+/** Check if user can run sync on a repo (admin for shared, owner for private). */
+function canSync(req, repoName, workspaceManager, authService) {
+    const user = req.user;
+    if (!user)
+        return true; // API key / open mode
+    const repoConfig = workspaceManager.getRepoConfig(repoName);
+    if (repoConfig?.private && repoConfig?.owner_id === user.id)
+        return true;
+    return user.role === 'admin';
+}
+export async function registerSyncApiRoutes(fastify, workspaceManager, authService, workspacePath, wsHub) {
+    // POST /api/repos/:repo/sync — run all sync rules that apply to a collection
+    // (collection-level rules + any workspace-level rules targeting this collection)
+    fastify.post('/api/repos/:repo/sync', async (req, reply) => {
+        const { repo } = req.params;
+        if (!canSync(req, repo, workspaceManager, authService)) {
+            return reply.status(403).send({ error: 'Only admins can sync shared collections' });
+        }
+        const actor = req.user?.displayName ?? 'sync';
+        const progress = (msg) => {
+            console.log(`[sync] ${msg}`);
+            wsHub?.broadcast({ type: 'sync_progress', repo, message: msg, actor, timestamp: new Date().toISOString() });
+        };
+        try {
+            const workspace = new Workspace(workspacePath);
+            const config = await workspace.loadConfig();
+            const user = req.user;
+            const { collectionResults, workspaceResults } = await syncRepo({
+                workspacePath,
+                collectionName: repo,
+                workspaceConfig: config,
+                schemaExtensions: config.schema_extensions,
+                onProgress: progress,
+                userId: user?.id,
+                authService,
+                serverUrl: await getServerUrl(req),
+            });
+            const allCreated = collectionResults.reduce((s, r) => s + r.created, 0) +
+                workspaceResults.reduce((s, r) => r.targets.reduce((ts, t) => ts + t.created, 0) + s, 0);
+            const sources = [
+                ...collectionResults.map(r => r.source),
+                ...workspaceResults.map(r => r.source),
+            ].join(', ') || repo;
+            wsHub?.broadcast({
+                type: 'sync_complete',
+                repo,
+                source: sources,
+                created: allCreated,
+                updated: 0,
+                deleted: 0,
+                actor,
+                timestamp: new Date().toISOString(),
+            });
+            return { success: true, collectionResults, workspaceResults };
+        }
+        catch (err) {
+            return reply.status(400).send({
+                success: false,
+                error: err instanceof Error ? err.message : 'Unknown error',
+            });
+        }
+    });
+    // POST /api/sync — run all sync rules (collection-level + workspace-level)
+    fastify.post('/api/sync', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const user = req.user;
+        const actor = user?.displayName ?? 'sync';
+        try {
+            const workspace = new Workspace(workspacePath);
+            const config = await workspace.loadConfig();
+            const sUrl = await getServerUrl(req);
+            const workspaceResults = [];
+            // All events from the global sync are keyed to 'workspace' so the sidebar
+            // toast (started with startSyncToast('workspace')) receives progress updates.
+            const broadcast = (msg) => {
+                console.log(`[sync] ${msg}`);
+                wsHub?.broadcast({ type: 'sync_progress', repo: 'workspace', message: msg, actor, timestamp: new Date().toISOString() });
+            };
+            const authCtx = { userId: user?.id, authService, serverUrl: sUrl };
+            // Group collection-level rules by (source, entity_type) so each source is
+            // fetched exactly once and results are distributed to all matching collections.
+            const grouped = new Map();
+            for (const repo of config.repos) {
+                const collectionRules = repo.sync;
+                if (!collectionRules || collectionRules.length === 0)
+                    continue;
+                for (const rule of collectionRules) {
+                    const key = `${rule.source}::${rule.entity_type ?? ''}`;
+                    if (!grouped.has(key)) {
+                        grouped.set(key, { source: rule.source, entity_type: rule.entity_type, targets: [] });
+                    }
+                    grouped.get(key).targets.push({ repo: repo.name, filter: rule.filter });
+                }
+            }
+            // Run each group as a single workspace rule (one fetch, N writes)
+            for (const syntheticRule of grouped.values()) {
+                try {
+                    const result = await syncWorkspaceRule({
+                        workspacePath,
+                        rule: syntheticRule,
+                        workspaceConfig: config,
+                        schemaExtensions: config.schema_extensions,
+                        onProgress: broadcast,
+                        ...authCtx,
+                    });
+                    workspaceResults.push(result);
+                }
+                catch (err) {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    workspaceResults.push({ source: syntheticRule.source, targets: syntheticRule.targets.map(t => ({ repo: t.repo, created: 0, skipped: 0, derived: 0, errors: [msg] })) });
+                }
+            }
+            // Run explicit workspace-level rules from config.sync
+            for (const rule of config.sync ?? []) {
+                try {
+                    const result = await syncWorkspaceRule({
+                        workspacePath,
+                        rule,
+                        workspaceConfig: config,
+                        schemaExtensions: config.schema_extensions,
+                        onProgress: broadcast,
+                        ...authCtx,
+                    });
+                    workspaceResults.push(result);
+                }
+                catch (err) {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    workspaceResults.push({ source: rule.source, targets: rule.targets.map(t => ({ repo: t.repo, created: 0, skipped: 0, derived: 0, errors: [msg] })) });
+                }
+            }
+            return { success: true, collectionResults: [], workspaceResults };
+        }
+        catch (err) {
+            return reply.status(400).send({
+                success: false,
+                error: err instanceof Error ? err.message : 'Unknown error',
+            });
+        }
+    });
+    // POST /api/repos/:repo/entities/:type/:id/refresh — get refresh diff
+    fastify.post('/api/repos/:repo/entities/:type/:id/refresh', async (req, reply) => {
+        const { repo, type, id } = req.params;
+        if (!hasRepoAccess(req, repo, workspaceManager, authService)) {
+            return reply.status(403).send({ error: 'Access denied' });
+        }
+        try {
+            const workspace = new Workspace(workspacePath);
+            const config = await workspace.loadConfig();
+            const user = req.user;
+            const result = await refreshEntity({
+                workspacePath,
+                collectionName: repo,
+                entityType: type,
+                entityId: id,
+                workspaceConfig: config,
+                schemaExtensions: config.schema_extensions,
+                apply: false,
+                userId: user?.id,
+                authService,
+                serverUrl: getServerUrl(req),
+            });
+            return { success: true, result };
+        }
+        catch (err) {
+            return reply.status(400).send({
+                success: false,
+                error: err instanceof Error ? err.message : 'Unknown error',
+            });
+        }
+    });
+    // POST /api/repos/:repo/entities/:type/:id/refresh/apply — apply refresh
+    fastify.post('/api/repos/:repo/entities/:type/:id/refresh/apply', async (req, reply) => {
+        const { repo, type, id } = req.params;
+        if (!hasRepoAccess(req, repo, workspaceManager, authService)) {
+            return reply.status(403).send({ error: 'Access denied' });
+        }
+        try {
+            const workspace = new Workspace(workspacePath);
+            const config = await workspace.loadConfig();
+            const user = req.user;
+            const result = await refreshEntity({
+                workspacePath,
+                collectionName: repo,
+                entityType: type,
+                entityId: id,
+                workspaceConfig: config,
+                schemaExtensions: config.schema_extensions,
+                apply: true,
+                userId: user?.id,
+                authService,
+                serverUrl: getServerUrl(req),
+            });
+            return { success: true, result };
+        }
+        catch (err) {
+            return reply.status(400).send({
+                success: false,
+                error: err instanceof Error ? err.message : 'Unknown error',
+            });
+        }
+    });
+    // GET /api/repos/:repo/sync/status — sync config and last sync time
+    fastify.get('/api/repos/:repo/sync/status', async (req, reply) => {
+        const { repo } = req.params;
+        if (!hasRepoAccess(req, repo, workspaceManager, authService)) {
+            return reply.status(403).send({ error: 'Access denied' });
+        }
+        try {
+            const workspace = new Workspace(workspacePath);
+            const config = await workspace.loadConfig();
+            const repoConfig = workspaceManager.getRepoConfig(repo);
+            const syncRules = repoConfig?.sync;
+            // Get synced entity count and last sync time
+            let syncedCount = 0;
+            let lastSync = null;
+            try {
+                const graph = workspaceManager.getGraph(repo);
+                const entities = graph.list();
+                for (const entity of entities) {
+                    const syncedAt = entity.data?.synced_at;
+                    if (syncedAt) {
+                        syncedCount++;
+                        if (!lastSync || syncedAt > lastSync)
+                            lastSync = syncedAt;
+                    }
+                }
+            }
+            catch {
+                // collection may be empty
+            }
+            const workspaceSyncRules = (config.sync ?? []).filter(r => r.targets.some(t => t.repo === repo));
+            return {
+                success: true,
+                collection: repo,
+                syncRules: syncRules ?? [],
+                workspaceSyncRules,
+                syncedCount,
+                lastSync,
+            };
+        }
+        catch (err) {
+            return reply.status(400).send({
+                success: false,
+                error: err instanceof Error ? err.message : 'Unknown error',
+            });
+        }
+    });
+    // GET /api/sources — list all source definitions
+    fastify.get('/api/sources', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const configMgr = new SourceConfigManager(workspacePath);
+        const sources = [];
+        const connectorConfigs = ConnectorManager.loadConfigs(workspacePath);
+        // Scan on-disk source files
+        const { readdirSync, existsSync } = await import('fs');
+        const sourcesDir = join(workspacePath, '.studiograph', 'sources');
+        const seen = new Set();
+        if (existsSync(sourcesDir)) {
+            for (const file of readdirSync(sourcesDir)) {
+                if (!file.endsWith('.json'))
+                    continue;
+                const name = file.replace('.json', '');
+                seen.add(name);
+                const def = configMgr.getDefinition(name);
+                if (def) {
+                    sources.push({
+                        name,
+                        format: 'new',
+                        connector: def.connector,
+                        entityTypes: Object.keys(def.entities),
+                        localOnly: false,
+                        filterFields: def.filter_fields ?? [],
+                        configured: connectorConfigs.some(c => c.name === def.connector),
+                    });
+                }
+                else {
+                    const old = configMgr.get(name);
+                    if (old) {
+                        sources.push({
+                            name: old.name,
+                            format: 'legacy',
+                            connector: old.connector,
+                            entityTypes: old.entity_mappings.map(m => m.entity_type),
+                            localOnly: false,
+                            filterFields: SOURCE_DEFINITIONS[old.connector]?.filter_fields ?? [],
+                            configured: connectorConfigs.some(c => c.name === old.connector),
+                        });
+                    }
+                }
+            }
+        }
+        // Add built-in templates that don't have an on-disk file
+        for (const [name, def] of Object.entries(SOURCE_DEFINITIONS)) {
+            if (seen.has(name))
+                continue;
+            sources.push({
+                name,
+                format: 'new',
+                connector: def.connector,
+                entityTypes: Object.keys(def.entities),
+                localOnly: false,
+                filterFields: def.filter_fields ?? [],
+                configured: connectorConfigs.some(c => c.name === def.connector),
+            });
+        }
+        return { success: true, sources };
+    });
+    // GET /api/sources/:name — get a single source definition (full JSON)
+    fastify.get('/api/sources/:name', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { name } = req.params;
+        const configMgr = new SourceConfigManager(workspacePath);
+        const def = configMgr.getDefinition(name);
+        if (def) {
+            return { success: true, source: def };
+        }
+        const old = configMgr.get(name);
+        if (old) {
+            return { success: true, source: old };
+        }
+        return reply.status(404).send({ success: false, error: `Source "${name}" not found` });
+    });
+    // POST /api/sources/:name — create or update a source definition
+    fastify.post('/api/sources/:name', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { name } = req.params;
+        const body = req.body;
+        const configMgr = new SourceConfigManager(workspacePath);
+        // Auto-create from built-in template
+        if (body && body.fromTemplate === true) {
+            const template = SOURCE_DEFINITIONS[name];
+            if (!template) {
+                return reply.status(400).send({
+                    success: false,
+                    error: `No built-in template found for "${name}"`,
+                });
+            }
+            if (!template.entities || Object.keys(template.entities).length === 0) {
+                return reply.status(400).send({
+                    success: false,
+                    error: `Template for "${name}" has no entity configs`,
+                });
+            }
+            const savedDef = { ...template, name, enabled: true, added_at: new Date().toISOString() };
+            configMgr.saveDefinition(name, savedDef);
+            return { success: true, message: `Source "${name}" created from template` };
+        }
+        // Standard create/update with full definition
+        const validation = configMgr.validateDefinition(body);
+        if (!validation.valid) {
+            return reply.status(400).send({
+                success: false,
+                errors: validation.errors,
+            });
+        }
+        configMgr.saveDefinition(name, body);
+        return { success: true, message: `Source "${name}" saved` };
+    });
+    // DELETE /api/sources/:name — remove a source definition
+    fastify.delete('/api/sources/:name', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { name } = req.params;
+        const configMgr = new SourceConfigManager(workspacePath);
+        const removed = configMgr.remove(name);
+        if (removed) {
+            return { success: true, message: `Source "${name}" removed` };
+        }
+        return reply.status(404).send({ success: false, error: `Source "${name}" not found` });
+    });
+    // GET /api/connectors — list known + installed MCP connectors with status
+    fastify.get('/api/connectors', async (req, reply) => {
+        const user = req.user;
+        const userId = user?.id;
+        const configMgr = new SourceConfigManager(workspacePath);
+        const installedConfigs = ConnectorManager.loadConfigs(workspacePath);
+        const installedMap = new Map(installedConfigs.map(c => [c.name, c]));
+        const connectors = [];
+        // 1. All known connectors (always listed)
+        for (const [name, known] of Object.entries(KNOWN_CONNECTORS)) {
+            const installed = installedMap.get(name);
+            const hasSource = configMgr.getDefinition(name) !== null || configMgr.get(name) !== null;
+            const template = SOURCE_DEFINITIONS[name];
+            const hasTemplate = !!(template?.entities && Object.keys(template.entities).length > 0);
+            // Connected if: OAuth tokens exist for this user, or manual headers present
+            let connected = false;
+            if (known.auth === 'oauth' && userId) {
+                connected = authService.hasOAuthTokens(userId, name);
+            }
+            else if (known.auth === 'none') {
+                connected = !!installed; // local connectors are "connected" when configured
+            }
+            else if (installed?.headers?.['Authorization']) {
+                connected = true;
+            }
+            connectors.push({
+                name,
+                url: known.url,
+                description: installed?.description || known.description,
+                configured: !!installed,
+                connected,
+                auth: known.auth,
+                hasSource,
+                hasTemplate,
+                isKnown: true,
+            });
+            installedMap.delete(name);
+        }
+        // 2. Custom user-added connectors (not in KNOWN_CONNECTORS)
+        for (const config of installedMap.values()) {
+            const hasSource = configMgr.getDefinition(config.name) !== null || configMgr.get(config.name) !== null;
+            const template = SOURCE_DEFINITIONS[config.name];
+            const hasTemplate = !!(template?.entities && Object.keys(template.entities).length > 0);
+            connectors.push({
+                name: config.name,
+                url: config.url,
+                description: config.description || '',
+                configured: true,
+                connected: !!config.headers?.['Authorization'],
+                auth: config.auth ?? 'headers',
+                hasSource,
+                hasTemplate,
+                isKnown: false,
+            });
+        }
+        return { success: true, connectors };
+    });
+    // GET /api/connectors/:name/config — get connector config with masked secrets
+    fastify.get('/api/connectors/:name/config', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { name } = req.params;
+        const config = ConnectorManager.loadConfig(name, workspacePath);
+        if (!config) {
+            return { success: true, config: null };
+        }
+        // Mask Authorization header
+        const masked = { ...config };
+        if (masked.headers) {
+            masked.headers = { ...masked.headers };
+            for (const key of Object.keys(masked.headers)) {
+                if (key.toLowerCase() === 'authorization') {
+                    masked.headers[key] = '••••••••';
+                }
+            }
+        }
+        return { success: true, config: masked };
+    });
+    // POST /api/connectors/:name/config — create or update connector config
+    fastify.post('/api/connectors/:name/config', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { name } = req.params;
+        const body = req.body;
+        if (!body || !body.url) {
+            return reply.status(400).send({ error: 'url is required' });
+        }
+        const config = {
+            name,
+            url: body.url,
+            headers: body.headers,
+            description: body.description ?? name,
+        };
+        ConnectorManager.saveConfig(config);
+        ConnectorManager.saveWorkspaceConfig(config, workspacePath);
+        // Auto-create source definition from template if one exists
+        const template = SOURCE_DEFINITIONS[name];
+        if (template) {
+            const configMgr = new SourceConfigManager(workspacePath);
+            const existingSource = configMgr.getDefinition(name);
+            if (!existingSource && template.entities && Object.keys(template.entities).length > 0) {
+                const savedDef = { ...template, name, enabled: true, added_at: new Date().toISOString() };
+                configMgr.saveDefinition(name, savedDef);
+            }
+        }
+        return { success: true, message: `Connector "${name}" configured` };
+    });
+    // DELETE /api/connectors/:name/config — remove connector config
+    fastify.delete('/api/connectors/:name/config', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { name } = req.params;
+        const removed = ConnectorManager.removeConfig(name, workspacePath);
+        if (removed) {
+            return { success: true, message: `Connector "${name}" removed` };
+        }
+        return reply.status(404).send({ success: false, error: `No config for "${name}"` });
+    });
+    // ── OAuth flow routes ────────────────────────────────────────────────────
+    /** Resolve the server's public URL for OAuth callbacks. Uses request headers so it works on both localhost and production. */
+    function getServerUrl(req) {
+        const proto = req.headers['x-forwarded-proto'] || req.protocol || 'http';
+        const host = req.headers['x-forwarded-host'] || req.headers.host || req.hostname;
+        return `${proto}://${host}`;
+    }
+    // POST /api/connectors/:name/oauth/authorize — initiate OAuth flow
+    fastify.post('/api/connectors/:name/oauth/authorize', async (req, reply) => {
+        const user = req.user;
+        if (!user)
+            return reply.status(401).send({ error: 'Authentication required' });
+        const { name } = req.params;
+        const known = KNOWN_CONNECTORS[name];
+        if (!known) {
+            return reply.status(400).send({ error: `Unknown connector "${name}". OAuth is only available for known connectors.` });
+        }
+        // Ensure connector config exists
+        let config = ConnectorManager.loadConfig(name, workspacePath);
+        if (!config) {
+            config = { name, url: known.url, auth: 'oauth', description: known.description };
+            ConnectorManager.saveConfig(config);
+            ConnectorManager.saveWorkspaceConfig(config, workspacePath);
+        }
+        const serverUrl = getServerUrl(req);
+        const provider = new ServerOAuthProvider(name, user.id, authService, serverUrl, known.oauth);
+        try {
+            const result = await mcpAuth(provider, { serverUrl: known.url, fetchFn: createOAuthFetch(known.oauth) });
+            if (result === 'AUTHORIZED') {
+                // Already authorized (tokens valid)
+                return { success: true, connected: true };
+            }
+            // result === 'REDIRECT' — provider.authorizationUrl is set
+            if (!provider.authorizationUrl) {
+                return reply.status(500).send({ error: 'OAuth flow did not produce an authorization URL' });
+            }
+            return { success: true, authorizationUrl: provider.authorizationUrl };
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`[oauth] authorize error for ${name}:`, msg);
+            return reply.status(500).send({ error: `OAuth initialization failed: ${msg}` });
+        }
+    });
+    // GET /api/oauth/callback/:name — OAuth callback (browser redirect from OAuth provider)
+    // Public endpoint — user identity comes from the state parameter (cross-site redirects don't carry cookies).
+    fastify.get('/api/oauth/callback/:name', async (req, reply) => {
+        const { name } = req.params;
+        try {
+            const { code, state } = req.query;
+            const known = KNOWN_CONNECTORS[name];
+            if (!code) {
+                const error = req.query.error || 'missing authorization code';
+                return reply.type('text/html').send(`<html><body><h2>Authorization failed</h2><p>${error}</p><p>You can close this tab.</p></body></html>`);
+            }
+            if (!known) {
+                return reply.status(400).type('text/html').send(`<html><body><h2>Unknown connector</h2><p>"${name}" is not a known connector.</p></body></html>`);
+            }
+            const decoded = state ? decodeOAuthState(state) : null;
+            if (!decoded) {
+                return reply.status(400).type('text/html').send('<html><body><h2>Authorization failed</h2><p>Invalid or missing state parameter. Please try connecting again.</p></body></html>');
+            }
+            const serverUrl = getServerUrl(req);
+            const provider = new ServerOAuthProvider(decoded.connectorName, decoded.userId, authService, serverUrl, known?.oauth);
+            await mcpAuth(provider, { serverUrl: known.url, authorizationCode: code, fetchFn: createOAuthFetch(known?.oauth) });
+            return reply.type('text/html').send(`<html><body><h2>Connected to ${name}</h2><p>You can close this tab and return to Studiograph.</p></body></html>`);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`[oauth] callback error for ${name}:`, msg);
+            return reply.type('text/html').send(`<html><body><h2>Authorization failed</h2><p>${msg}</p><p>You can close this tab and try again.</p></body></html>`);
+        }
+    });
+    // GET /api/connectors/:name/oauth/status — poll for OAuth connection status
+    fastify.get('/api/connectors/:name/oauth/status', async (req, reply) => {
+        const user = req.user;
+        if (!user)
+            return reply.status(401).send({ error: 'Authentication required' });
+        const { name } = req.params;
+        const connected = authService.hasOAuthTokens(user.id, name);
+        return { connected };
+    });
+    // POST /api/connectors/:name/oauth/disconnect — clear OAuth tokens
+    fastify.post('/api/connectors/:name/oauth/disconnect', async (req, reply) => {
+        const user = req.user;
+        if (!user)
+            return reply.status(401).send({ error: 'Authentication required' });
+        const { name } = req.params;
+        authService.clearOAuthData(user.id, name);
+        return { success: true };
+    });
+    // GET /api/config/bundle — export all shareable workspace config (admin only)
+    fastify.get('/api/config/bundle', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { readdirSync, readFileSync, existsSync } = await import('fs');
+        const workspace = new Workspace(workspacePath);
+        const config = await workspace.loadConfig();
+        const about = workspace.loadAbout();
+        const seed = authService.getSeedData();
+        // Source definitions
+        const sources = {};
+        const sourcesDir = join(workspacePath, '.studiograph', 'sources');
+        if (existsSync(sourcesDir)) {
+            for (const entry of readdirSync(sourcesDir)) {
+                if (!entry.endsWith('.json'))
+                    continue;
+                try {
+                    sources[entry.replace('.json', '')] = JSON.parse(readFileSync(join(sourcesDir, entry), 'utf-8'));
+                }
+                catch { /* skip malformed */ }
+            }
+        }
+        // Workspace connector configs (already stripped of secrets)
+        const connectors = ConnectorManager.loadWorkspaceConfigs(workspacePath);
+        return reply.send({ workspace: config, about, authSeed: seed, sources, connectors });
+    });
+    // POST /api/config/bundle — import config bundle from a remote admin (admin only)
+    fastify.post('/api/config/bundle', async (req, reply) => {
+        if (!isAdmin(req)) {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { mkdirSync, writeFileSync } = await import('fs');
+        const bundle = req.body;
+        if (!bundle) {
+            return reply.status(400).send({ error: 'Request body is required' });
+        }
+        const sgDir = join(workspacePath, '.studiograph');
+        const applied = [];
+        // 1. Workspace config — merge: keep server-local fields, update shared fields
+        if (bundle.workspace) {
+            const workspace = new Workspace(workspacePath);
+            const local = await workspace.loadConfig().catch(() => ({}));
+            const merged = { ...local, ...bundle.workspace };
+            // Preserve server-local fields
+            if (local.server_url)
+                merged.server_url = local.server_url;
+            writeFileSync(join(sgDir, 'workspace.json'), JSON.stringify(merged, null, 2), 'utf-8');
+            applied.push('workspace');
+        }
+        // 2. ABOUT.md
+        if (bundle.about !== undefined && bundle.about !== null) {
+            writeFileSync(join(sgDir, 'ABOUT.md'), bundle.about, 'utf-8');
+            applied.push('about');
+        }
+        // 3. Auth seed
+        if (bundle.authSeed) {
+            writeFileSync(join(sgDir, 'auth-seed.json'), JSON.stringify(bundle.authSeed, null, 2), 'utf-8');
+            authService.applySeed();
+            applied.push(`auth (${bundle.authSeed.users?.length ?? 0} users)`);
+        }
+        // 4. Sources
+        if (bundle.sources && Object.keys(bundle.sources).length > 0) {
+            const sourcesDir = join(sgDir, 'sources');
+            mkdirSync(sourcesDir, { recursive: true });
+            for (const [name, def] of Object.entries(bundle.sources)) {
+                writeFileSync(join(sourcesDir, `${name}.json`), JSON.stringify(def, null, 2), 'utf-8');
+            }
+            applied.push(`sources (${Object.keys(bundle.sources).join(', ')})`);
+        }
+        // 5. Connectors (sanitized)
+        if (bundle.connectors && bundle.connectors.length > 0) {
+            const connectorsDir = join(sgDir, 'connectors');
+            mkdirSync(connectorsDir, { recursive: true });
+            for (const conn of bundle.connectors) {
+                writeFileSync(join(connectorsDir, `${conn.name}.json`), JSON.stringify(conn, null, 2), 'utf-8');
+            }
+            applied.push(`connectors (${bundle.connectors.map((c) => c.name).join(', ')})`);
+        }
+        return reply.send({ success: true, applied });
+    });
+}
+//# sourceMappingURL=sync-api.js.map