waypoi 0.0.0

package/src/middleware/auth.ts

@@ -0,0 +1,251 @@
+import { FastifyInstance, FastifyRequest, FastifyReply, HookHandlerDoneFunction } from "fastify";
+import { loadConfig, StoragePaths } from "../storage/files";
+
+/**
+ * Auth Middleware (No-op Implementation)
+ * 
+ * This middleware is a placeholder for future authentication.
+ * When authEnabled is false (default), it passes through all requests.
+ * 
+ * Extension points for implementing auth:
+ * 1. JWT validation
+ * 2. API key verification  
+ * 3. OAuth2/OIDC integration
+ * 4. Basic auth for simple deployments
+ * 
+ * The middleware adds req.user typing for downstream handlers.
+ */
+
+declare module "fastify" {
+  interface FastifyRequest {
+    user?: {
+      id: string;
+      email?: string;
+      roles?: string[];
+    };
+  }
+}
+
+export interface AuthConfig {
+  enabled: boolean;
+  // Future config options:
+  // jwtSecret?: string;
+  // apiKeys?: string[];
+  // oauthProvider?: string;
+}
+
+let authConfig: AuthConfig = {
+  enabled: false,
+};
+
+/**
+ * Load auth configuration from the main config file.
+ */
+export async function loadAuthConfig(paths: StoragePaths): Promise<AuthConfig> {
+  try {
+    const config = await loadConfig(paths);
+    return {
+      enabled: config.authEnabled ?? false,
+    };
+  } catch {
+    return { enabled: false };
+  }
+}
+
+/**
+ * Update auth config (e.g., after config hot-reload).
+ */
+export function updateAuthConfig(config: AuthConfig): void {
+  authConfig = config;
+}
+
+/**
+ * Get current auth config.
+ */
+export function getAuthConfig(): AuthConfig {
+  return authConfig;
+}
+
+/**
+ * Auth guard for protected routes.
+ * 
+ * When auth is disabled: passes through all requests.
+ * When auth is enabled: checks for valid authentication.
+ */
+export function authGuard(
+  req: FastifyRequest,
+  reply: FastifyReply,
+  done: HookHandlerDoneFunction
+): void {
+  // Auth disabled - pass through
+  if (!authConfig.enabled) {
+    done();
+    return;
+  }
+
+  // ─────────────────────────────────────────────────────────────────────────
+  // Auth enabled - implement your auth logic here
+  // ─────────────────────────────────────────────────────────────────────────
+  
+  // Example: Check for Authorization header
+  const authHeader = req.headers.authorization;
+  
+  if (!authHeader) {
+    reply.status(401).send({
+      error: {
+        message: "Authentication required",
+        type: "auth_error",
+        code: "missing_auth",
+      },
+    });
+    return;
+  }
+
+  // Placeholder validation - replace with real auth logic
+  // For now, any Bearer token is accepted
+  if (authHeader.startsWith("Bearer ")) {
+    const token = authHeader.slice(7);
+    
+    // TODO: Validate token (JWT decode, database lookup, etc.)
+    // For now, we just set a placeholder user
+    req.user = {
+      id: "placeholder",
+      email: undefined,
+      roles: ["user"],
+    };
+    
+    done();
+    return;
+  }
+
+  reply.status(401).send({
+    error: {
+      message: "Invalid authentication",
+      type: "auth_error", 
+      code: "invalid_auth",
+    },
+  });
+}
+
+/**
+ * Optional: API key auth guard for simpler use cases.
+ */
+export function apiKeyGuard(validKeys: Set<string>) {
+  return (
+    req: FastifyRequest,
+    reply: FastifyReply,
+    done: HookHandlerDoneFunction
+  ): void => {
+    if (!authConfig.enabled) {
+      done();
+      return;
+    }
+
+    const authHeader = req.headers.authorization;
+    const apiKey = req.headers["x-api-key"] as string | undefined;
+    
+    // Check X-API-Key header
+    if (apiKey && validKeys.has(apiKey)) {
+      req.user = { id: "api-key-user", roles: ["api"] };
+      done();
+      return;
+    }
+    
+    // Check Bearer token as API key
+    if (authHeader?.startsWith("Bearer ")) {
+      const key = authHeader.slice(7);
+      if (validKeys.has(key)) {
+        req.user = { id: "api-key-user", roles: ["api"] };
+        done();
+        return;
+      }
+    }
+
+    reply.status(401).send({
+      error: {
+        message: "Invalid API key",
+        type: "auth_error",
+        code: "invalid_api_key",
+      },
+    });
+  };
+}
+
+/**
+ * Register auth hooks on protected route prefixes.
+ * 
+ * Usage:
+ *   await registerAuthHooks(app, paths, ["/admin", "/ui"]);
+ */
+export async function registerAuthHooks(
+  app: FastifyInstance,
+  paths: StoragePaths,
+  protectedPrefixes: string[] = ["/admin", "/ui"]
+): Promise<void> {
+  // Load initial config
+  authConfig = await loadAuthConfig(paths);
+  
+  app.log.info(
+    { authEnabled: authConfig.enabled, protectedPrefixes },
+    "Auth middleware initialized"
+  );
+
+  // Add hook for protected routes
+  app.addHook("onRequest", (req, reply, done) => {
+    const isProtected = protectedPrefixes.some((prefix) =>
+      req.url.startsWith(prefix)
+    );
+
+    if (isProtected) {
+      authGuard(req, reply, done);
+    } else {
+      done();
+    }
+  });
+}
+
+/**
+ * Middleware factory for route-level auth.
+ * 
+ * Usage in route handlers:
+ *   app.get("/admin/something", { preHandler: [requireAuth()] }, handler);
+ */
+export function requireAuth() {
+  return (
+    req: FastifyRequest,
+    reply: FastifyReply,
+    done: HookHandlerDoneFunction
+  ): void => {
+    authGuard(req, reply, done);
+  };
+}
+
+/**
+ * Check if a user has a specific role.
+ */
+export function requireRole(role: string) {
+  return (
+    req: FastifyRequest,
+    reply: FastifyReply,
+    done: HookHandlerDoneFunction
+  ): void => {
+    // First check auth
+    if (authConfig.enabled) {
+      if (!req.user) {
+        reply.status(401).send({
+          error: { message: "Authentication required", type: "auth_error" },
+        });
+        return;
+      }
+      
+      if (!req.user.roles?.includes(role)) {
+        reply.status(403).send({
+          error: { message: "Insufficient permissions", type: "auth_error" },
+        });
+        return;
+      }
+    }
+    
+    done();
+  };
+}

package/src/middleware/requestCapture.ts

@@ -0,0 +1,245 @@
+import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
+import { randomUUID } from "crypto";
+import { StoragePaths } from "../storage/files";
+import { CaptureRoutingInfo, isCaptureEnabled, persistCaptureRecord } from "../storage/captureRepository";
+
+interface CaptureContext {
+  id: string;
+  startedAt: number;
+  enabled: boolean;
+  requestBody?: unknown;
+  responseBody?: unknown;
+  responseHeaders?: Record<string, string | string[] | undefined>;
+  routing?: CaptureRoutingInfo;
+  derivedRequest?: Record<string, unknown>;
+  error?: { type?: string; message?: string };
+}
+
+interface CaptureStreamBody {
+  $type: "stream";
+  contentType: string;
+  bytes: number;
+  text?: string;
+  note?: string;
+}
+
+const captureContexts = new WeakMap<FastifyRequest, CaptureContext>();
+
+interface ReplyCaptureMeta {
+  captureRouting?: CaptureRoutingInfo;
+  captureDerivedRequest?: Record<string, unknown>;
+  captureResponseOverride?: {
+    body: unknown;
+    headers?: Record<string, string | string[] | undefined>;
+  };
+  captureError?: { type?: string; message?: string };
+}
+
+function meta(reply: FastifyReply): ReplyCaptureMeta {
+  return reply as unknown as ReplyCaptureMeta;
+}
+
+export async function registerRequestCaptureMiddleware(
+  app: FastifyInstance,
+  paths: StoragePaths
+): Promise<void> {
+  app.addHook("onRequest", async (req: FastifyRequest) => {
+    if (!req.url.startsWith("/v1/")) return;
+    let enabled = false;
+    try {
+      enabled = await isCaptureEnabled(paths);
+    } catch {
+      enabled = false;
+    }
+    captureContexts.set(req, {
+      id: randomUUID(),
+      startedAt: Date.now(),
+      enabled,
+    });
+  });
+
+  app.addHook("preHandler", async (req: FastifyRequest) => {
+    const context = captureContexts.get(req);
+    if (!context?.enabled) return;
+    context.requestBody = safeClone(req.body);
+  });
+
+  app.addHook("onSend", async (req: FastifyRequest, reply: FastifyReply, payload: unknown) => {
+    const context = captureContexts.get(req);
+    if (!context?.enabled) return payload;
+    if (!meta(reply).captureResponseOverride) {
+      context.responseBody = payloadToBody(payload);
+      context.responseHeaders = reply.getHeaders() as Record<string, string | string[] | undefined>;
+    }
+    return payload;
+  });
+
+  app.addHook("onResponse", async (req: FastifyRequest, reply: FastifyReply) => {
+    const context = captureContexts.get(req);
+    if (!context) return;
+    try {
+      if (!context.enabled) return;
+      const replyMeta = meta(reply);
+      context.routing = replyMeta.captureRouting;
+      context.derivedRequest = replyMeta.captureDerivedRequest;
+      context.error = replyMeta.captureError;
+      if (replyMeta.captureResponseOverride) {
+        context.responseBody = replyMeta.captureResponseOverride.body;
+        context.responseHeaders = replyMeta.captureResponseOverride.headers;
+      }
+
+      await persistCaptureRecord(paths, {
+        route: req.url,
+        method: req.method,
+        statusCode: reply.statusCode,
+        latencyMs: Date.now() - context.startedAt,
+        requestHeaders: req.headers as Record<string, string | string[] | undefined>,
+        responseHeaders:
+          context.responseHeaders ??
+          (reply.getHeaders() as Record<string, string | string[] | undefined>),
+        requestBody: context.requestBody,
+        responseBody: context.responseBody,
+        derivedRequest: context.derivedRequest,
+        routing: context.routing,
+        error: context.error,
+      });
+    } catch (error) {
+      app.log.warn({ err: error }, "Failed to persist request capture");
+    } finally {
+      captureContexts.delete(req);
+    }
+  });
+}
+
+export function setCaptureRouting(reply: FastifyReply, routing: CaptureRoutingInfo): void {
+  meta(reply).captureRouting = routing;
+  const context = captureContexts.get(reply.request);
+  if (context?.enabled) {
+    context.routing = routing;
+  }
+}
+
+export function setCaptureDerivedRequest(reply: FastifyReply, payload: Record<string, unknown>): void {
+  meta(reply).captureDerivedRequest = payload;
+  const context = captureContexts.get(reply.request);
+  if (context?.enabled) {
+    context.derivedRequest = payload;
+  }
+}
+
+export function setCaptureResponseOverride(
+  reply: FastifyReply,
+  body: unknown,
+  headers?: Record<string, string | string[] | undefined>
+): void {
+  meta(reply).captureResponseOverride = { body, headers };
+  const context = captureContexts.get(reply.request);
+  if (context?.enabled) {
+    context.responseBody = body;
+    if (headers) {
+      context.responseHeaders = headers;
+    }
+  }
+}
+
+export function setCaptureError(reply: FastifyReply, error: { type?: string; message?: string }): void {
+  meta(reply).captureError = error;
+  const context = captureContexts.get(reply.request);
+  if (context?.enabled) {
+    context.error = error;
+  }
+}
+
+export function startCaptureStreamResponse(
+  reply: FastifyReply,
+  headers: Record<string, string | string[] | undefined>,
+  contentType: string,
+  note?: string
+): void {
+  const body: CaptureStreamBody = {
+    $type: "stream",
+    contentType,
+    bytes: 0,
+  };
+  if (note) {
+    body.note = note;
+  }
+  setCaptureResponseOverride(reply, body, headers);
+}
+
+export function appendCaptureStreamChunk(
+  reply: FastifyReply,
+  chunk: Buffer,
+  options?: {
+    contentType?: string;
+    headers?: Record<string, string | string[] | undefined>;
+  }
+): void {
+  const context = captureContexts.get(reply.request);
+  if (!context?.enabled) return;
+  const body = ensureCaptureStreamBody(context, options?.contentType);
+  body.bytes += chunk.byteLength;
+  if (isTextLikeStream(body.contentType)) {
+    body.text = (body.text ?? "") + chunk.toString("utf8");
+  }
+  context.responseBody = body;
+  if (options?.headers) {
+    context.responseHeaders = options.headers;
+  }
+  meta(reply).captureResponseOverride = {
+    body,
+    headers: context.responseHeaders,
+  };
+}
+
+function safeClone<T>(value: T): T {
+  try {
+    return JSON.parse(JSON.stringify(value)) as T;
+  } catch {
+    return value;
+  }
+}
+
+function payloadToBody(payload: unknown): unknown {
+  if (payload === null || payload === undefined) return payload;
+  if (Buffer.isBuffer(payload)) {
+    return { $type: "buffer", base64: payload.toString("base64"), bytes: payload.byteLength };
+  }
+  if (typeof payload === "string") {
+    try {
+      return JSON.parse(payload);
+    } catch {
+      return payload;
+    }
+  }
+  return payload;
+}
+
+function ensureCaptureStreamBody(
+  context: CaptureContext,
+  contentType?: string
+): CaptureStreamBody {
+  const existing = context.responseBody as CaptureStreamBody | undefined;
+  if (existing?.$type === "stream") {
+    if (contentType) {
+      existing.contentType = contentType;
+    }
+    return existing;
+  }
+  const body: CaptureStreamBody = {
+    $type: "stream",
+    contentType: contentType ?? "application/octet-stream",
+    bytes: 0,
+  };
+  context.responseBody = body;
+  return body;
+}
+
+function isTextLikeStream(contentType: string): boolean {
+  return (
+    contentType.includes("text/") ||
+    contentType.includes("json") ||
+    contentType.includes("xml") ||
+    contentType.includes("event-stream")
+  );
+}

package/src/middleware/requestStats.ts

@@ -0,0 +1,163 @@
+import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
+import { randomUUID } from "crypto";
+import { RequestStats } from "../types";
+import { appendStats } from "../storage/statsRepository";
+import { StoragePaths } from "../storage/files";
+
+/**
+ * Request Statistics Middleware
+ * 
+ * Captures metrics for all /v1/* requests:
+ * - Latency (start/end timestamps)
+ * - Request/response sizes
+ * - Token usage (from upstream response or estimated)
+ * - Error classification
+ * 
+ * Does NOT break streaming responses.
+ */
+
+interface RequestContext {
+  requestId: string;
+  startTime: number;
+  requestBytes: number;
+  route: string;
+  method: string;
+  publicModel?: string;
+}
+
+// WeakMap to store request context without polluting request object
+const requestContexts = new WeakMap<FastifyRequest, RequestContext>();
+
+export async function registerRequestStatsMiddleware(
+  app: FastifyInstance,
+  paths: StoragePaths
+): Promise<void> {
+  // Decorate request with stats context
+  app.decorateRequest("statsContext", null);
+
+  // Hook: onRequest - capture start time and request size
+  app.addHook("onRequest", async (req: FastifyRequest) => {
+    // Only track /v1/* routes
+    if (!req.url.startsWith("/v1/")) {
+      return;
+    }
+
+    const context: RequestContext = {
+      requestId: randomUUID(),
+      startTime: Date.now(),
+      requestBytes: 0,
+      route: req.url,
+      method: req.method
+    };
+
+    // Estimate request size from content-length header
+    const contentLength = req.headers["content-length"];
+    if (contentLength) {
+      context.requestBytes = parseInt(contentLength, 10) || 0;
+    }
+
+    requestContexts.set(req, context);
+  });
+
+  // Hook: preHandler - extract model from parsed body
+  app.addHook("preHandler", async (req: FastifyRequest) => {
+    const context = requestContexts.get(req);
+    if (!context) return;
+
+    const body = req.body as { model?: string } | undefined;
+    if (body?.model) {
+      context.publicModel = body.model;
+    }
+  });
+
+  // Hook: onResponse - log the stats
+  app.addHook("onResponse", async (req: FastifyRequest, reply: FastifyReply) => {
+    const context = requestContexts.get(req);
+    if (!context) return;
+
+    const latencyMs = Date.now() - context.startTime;
+    const statusCode = reply.statusCode;
+
+    // Try to get response size from content-length header
+    let responseBytes = 0;
+    const respContentLength = reply.getHeader("content-length");
+    if (respContentLength) {
+      responseBytes = typeof respContentLength === "number" 
+        ? respContentLength 
+        : parseInt(String(respContentLength), 10) || 0;
+    }
+
+    // Determine if there was an error
+    let errorType: string | undefined;
+    if (statusCode >= 400) {
+      if (statusCode >= 500) {
+        errorType = "server_error";
+      } else if (statusCode === 429) {
+        errorType = "rate_limit";
+      } else if (statusCode === 401 || statusCode === 403) {
+        errorType = "auth_error";
+      } else {
+        errorType = "client_error";
+      }
+    }
+
+    // Extract token info from reply (if stored during route handling)
+    const statsPayload = (reply as unknown as { statsPayload?: StatsPayload }).statsPayload;
+    
+    const stats: RequestStats = {
+      requestId: context.requestId,
+      timestamp: new Date(),
+      route: context.route,
+      method: context.method,
+      publicModel: context.publicModel,
+      endpointId: statsPayload?.endpointId,
+      endpointName: statsPayload?.endpointName,
+      upstreamModel: statsPayload?.upstreamModel,
+      requestBytes: context.requestBytes,
+      responseBytes,
+      latencyMs,
+      statusCode,
+      errorType,
+      totalTokens: statsPayload?.totalTokens ?? estimateTokens(context.requestBytes, responseBytes),
+      promptTokens: statsPayload?.promptTokens ?? null,
+      completionTokens: statsPayload?.completionTokens ?? null
+    };
+
+    // Append stats asynchronously (don't block response)
+    appendStats(paths, stats).catch((err) => {
+      app.log.error({ err }, "Failed to append request stats");
+    });
+
+    // Cleanup
+    requestContexts.delete(req);
+  });
+}
+
+interface StatsPayload {
+  endpointId?: string;
+  endpointName?: string;
+  upstreamModel?: string;
+  totalTokens?: number | null;
+  promptTokens?: number | null;
+  completionTokens?: number | null;
+}
+
+/**
+ * Helper to set stats payload from route handlers
+ */
+export function setStatsPayload(reply: FastifyReply, payload: StatsPayload): void {
+  (reply as unknown as { statsPayload?: StatsPayload }).statsPayload = payload;
+}
+
+/**
+ * Estimate token count from byte sizes when actual usage is not available.
+ * Uses rough approximation: ~4 characters per token, ~1 byte per character for English.
+ * This is intentionally conservative.
+ */
+function estimateTokens(requestBytes: number, responseBytes: number): number | null {
+  if (requestBytes === 0 && responseBytes === 0) {
+    return null;
+  }
+  // Rough estimate: 4 bytes per token average
+  return Math.ceil((requestBytes + responseBytes) / 4);
+}