scooling-write-back-smoke.mjs file-level


sha256:4 fix(security): pin patched transitive deps to clear Dependabot moderate… · aaronrene · Jun 11, 2026
1 import express from 'express';
2
// The action names a smoke request has to carry. validSmokeRequest accepts a
// request only when its `actions` array holds exactly these names, each once.
const REQUIRED_ACTIONS = new Set([
  'metadata_read',
  'proposal_dry_run',
  'conflict_check_dry_run',
  'live_write_denial_check',
]);
9
/**
 * Interpret a flag value as a boolean using a strict allow-list.
 *
 * Only the boolean `true` and the exact strings '1' and 'true' enable the
 * flag; every other value (including 'TRUE', 'yes', 1 and undefined) is off,
 * so a mistyped setting leaves the feature disabled.
 *
 * @param {unknown} value - raw flag value, e.g. an environment variable.
 * @returns {boolean} true only for the three accepted spellings.
 */
function normalizeBooleanFlag(value) {
  const acceptedSpellings = [true, '1', 'true'];
  return acceptedSpellings.includes(value);
}
13
/**
 * Resolve the deployment environment name from process.env.
 *
 * Precedence is SCOOLING_WRITE_BACK_SMOKE_ENV, then KNOWTATION_ENV, then
 * HUB_ENV; the first non-empty value wins. The chosen value is trimmed and
 * lower-cased. Trimming happens after selection, so a whitespace-only value
 * in a higher-precedence variable still wins and yields ''.
 *
 * @returns {string} normalized environment name, or '' when none is set.
 */
function configuredEnvironment() {
  const { SCOOLING_WRITE_BACK_SMOKE_ENV, KNOWTATION_ENV, HUB_ENV } = process.env;
  const rawName = SCOOLING_WRITE_BACK_SMOKE_ENV || KNOWTATION_ENV || HUB_ENV || '';
  return String(rawName).trim().toLowerCase();
}
24
/**
 * Report whether the smoke endpoint is switched on.
 *
 * Reads SCOOLING_WRITE_BACK_SMOKE_ENABLED on every call, so the flag is
 * evaluated at request time rather than captured at import time.
 *
 * @returns {boolean} result of normalizeBooleanFlag on the raw variable.
 */
function smokeEnabled() {
  const rawFlag = process.env.SCOOLING_WRITE_BACK_SMOKE_ENABLED;
  return normalizeBooleanFlag(rawFlag);
}
28
/**
 * Validate the body of a metadata-only smoke request.
 *
 * The check is an allow-list: the body must be a non-array object whose own
 * enumerable keys are all known, whose identifiers are non-blank strings,
 * whose kind/environment are the fixed expected values, whose two safety
 * switches are explicitly `false` (absent is rejected), and whose `actions`
 * array names every entry of REQUIRED_ACTIONS exactly once.
 *
 * @param {unknown} body - parsed request body.
 * @returns {boolean} true only when every rule above holds.
 */
function validSmokeRequest(body) {
  const isObjectBody = Boolean(body) && typeof body === 'object' && !Array.isArray(body);
  if (!isObjectBody) {
    return false;
  }

  // Unknown keys are rejected outright rather than ignored.
  const permittedKeys = new Set([
    'requestId',
    'targetId',
    'kind',
    'environment',
    'vaultId',
    'actions',
    'includeRawCredentials',
    'allowLiveWrite',
  ]);
  const hasUnknownKey = Object.keys(body).some((key) => !permittedKeys.has(key));
  if (hasUnknownKey) {
    return false;
  }

  const isNonBlankString = (candidate) =>
    typeof candidate === 'string' && candidate.trim() !== '';

  if (!isNonBlankString(body.requestId)) {
    return false;
  }
  if (!isNonBlankString(body.targetId)) {
    return false;
  }
  if (body.kind !== 'hosted_knowtation') {
    return false;
  }
  if (body.environment !== 'staging') {
    return false;
  }
  if (!isNonBlankString(body.vaultId)) {
    return false;
  }

  // Both switches must be the literal boolean false; a missing or truthy
  // value means the caller did not explicitly opt out, so refuse.
  if (body.includeRawCredentials !== false) {
    return false;
  }
  if (body.allowLiveWrite !== false) {
    return false;
  }

  const requiredCount = REQUIRED_ACTIONS.size;
  if (!Array.isArray(body.actions) || body.actions.length !== requiredCount) {
    return false;
  }

  // Same length + all members known + no duplicates => exactly the required set.
  const allKnown = body.actions.every((action) => REQUIRED_ACTIONS.has(action));
  if (!allKnown) {
    return false;
  }
  return new Set(body.actions).size === requiredCount;
}
53
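/**
 * Probe the canister's `/health` endpoint and report whether it answered OK.
 *
 * The probe is bounded by a timeout: without one, an upstream that accepts
 * the connection but never responds would hold the calling request open
 * indefinitely. A timeout, a network error, or a non-2xx answer all count as
 * "unavailable"; the error itself is intentionally not propagated.
 *
 * @param {object} options
 * @param {string} options.canisterUrl - base URL; one trailing slash is stripped.
 * @param {Function} options.fetchImpl - fetch-compatible function used for the probe.
 * @returns {Promise<boolean>} true only when the response reports `ok === true`.
 */
async function canisterMetadataAvailable({ canisterUrl, fetchImpl }) {
  if (!canisterUrl) return false;

  // Upper bound for the health probe, in milliseconds.
  const HEALTH_TIMEOUT_MS = 5000;

  try {
    const healthUrl = `${canisterUrl.replace(/\/$/, '')}/health`;
    const response = await fetchImpl(healthUrl, {
      method: 'GET',
      headers: { Accept: 'application/json' },
      // Aborts the request (fetch rejects) once the bound is exceeded.
      signal: AbortSignal.timeout(HEALTH_TIMEOUT_MS),
    });
    return response.ok === true;
  } catch (_) {
    // Best-effort probe: any failure, including an abort, means unavailable.
    return false;
  }
}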
66
/**
 * Build an Express router exposing POST /scooling/write-back/smoke.
 *
 * The route answers 404 unless the feature flag is on AND the environment is
 * 'staging', so a disabled deployment is indistinguishable from one without
 * the route. Both gates are evaluated per request, not at construction.
 *
 * NOTE(review): the only upstream work done here is the `/health` probe; the
 * `metadataRead`, `proposalDryRun`, `conflictCheckDryRun` and
 * `liveWriteDenied` fields of the success body are constants, not results of
 * checks performed in this handler. Consumers should not read them as proof
 * that those checks ran.
 * NOTE(review): no authentication or authorization check is visible in this
 * handler; confirm the router is mounted behind one.
 *
 * @param {object} [options]
 * @param {string} [options.canisterUrl] - canister base URL (default CANISTER_URL or '').
 * @param {Function} [options.fetchImpl] - fetch-compatible function (default globalThis.fetch).
 * @param {Function} [options.nowIso] - returns the timestamp string for the response.
 * @param {Function} [options.isEnabled] - returns whether the smoke route is enabled.
 * @param {Function} [options.environment] - returns the normalized environment name.
 * @returns {object} the configured Express router.
 */
function createScoolingWriteBackSmokeRouter({
  canisterUrl = process.env.CANISTER_URL || '',
  fetchImpl = globalThis.fetch,
  nowIso = () => new Date().toISOString(),
  isEnabled = smokeEnabled,
  environment = configuredEnvironment,
} = {}) {
  // Attached to every body except the 404, always with these fixed values.
  const safetyFlags = {
    containsRawCredentials: false,
    performedLiveWrite: false,
  };

  const smokeRouter = express.Router();

  smokeRouter.post('/scooling/write-back/smoke', async (req, res) => {
    const routeActive = isEnabled() && environment() === 'staging';
    if (!routeActive) {
      return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
    }

    if (!validSmokeRequest(req.body)) {
      return res.status(400).json({
        error: 'Invalid metadata-only Scooling smoke request.',
        code: 'BAD_REQUEST',
        ...safetyFlags,
      });
    }

    const canisterReachable = await canisterMetadataAvailable({ canisterUrl, fetchImpl });
    if (!canisterReachable) {
      return res.status(503).json({
        error: 'Hosted Knowtation canister metadata is unavailable.',
        code: 'SERVICE_UNAVAILABLE',
        ...safetyFlags,
      });
    }

    // targetId is echoed from the validated body (a non-blank string).
    return res.json({
      ok: true,
      checkedAtIso: nowIso(),
      targetId: req.body.targetId,
      metadataRead: true,
      proposalDryRun: true,
      conflictCheckDryRun: true,
      liveWriteDenied: true,
      ...safetyFlags,
    });
  });

  return smokeRouter;
}
115
116 export {
117 createScoolingWriteBackSmokeRouter,
118 validSmokeRequest,
119 };