hub/gateway/server.mjs · aaronrene/knowtation — MuseHub

aaronrene / knowtation public

server.mjs

3,469 lines 137.4 KB

Raw

sha256:0d530f9ef27b8b75547d1db7701a74bc77b77aa8f3d7fa3a8672cf2af36e63bb reconcile: import GitHub-direct RBAC/OAuth/companion and ho… Human minor ⚠ breaking 4 hours ago

1	/**
2	* Knowtation Hub Gateway — OAuth (Google/GitHub) + proxy to ICP canister with X-User-Id.
3	* For hosted product: user logs in here; all /api/* requests are proxied to canister with proof.
4	* Run: node server.mjs
5	* Env: SESSION_SECRET, CANISTER_URL, HUB_BASE_URL; optional GOOGLE_, GITHUB_, HUB_UI_ORIGIN, GATEWAY_PORT.
6	*/
7
8	import crypto from 'crypto';
9	import fs from 'fs';
10	import path from 'path';
11	import { fileURLToPath } from 'url';
12	import dotenv from 'dotenv';
13	import express from 'express';
14	import cookieParser from 'cookie-parser';
15	import jwt from 'jsonwebtoken';
16	import passport from 'passport';
17	import { Strategy as GoogleStrategy } from 'passport-google-oauth20';
18	import { Strategy as GitHubStrategy } from 'passport-github2';
19	import { stripeWebhookHandler, createCheckoutSession, createPortalSession } from './billing-stripe.mjs';
20	import { handleBillingSummary } from './billing-http.mjs';
21	import { isSubscriptionPriceId, isPackPriceId, priceIdFromTierShorthand, billingEnforced, MONTHLY_INCLUDED_CENTS_BY_TIER } from './billing-constants.mjs';
22	import { recordIndexingTokensAfterBridgeIndex } from './billing-index-usage.mjs';
23	import { runBillingGate } from './billing-middleware.mjs';
24	import { mergeHostedNoteBodyForCanister, isPostApiV1Notes, isNoteWriteRequest } from './apply-note-provenance.mjs';
25	import { deriveFacetsFromCanisterNotes, materializeListFrontmatter } from './note-facets.mjs';
26	import { applyGatewayCors } from './cors-middleware.mjs';
27	import { upstreamPathAndQuery, pathPartNoQuery, effectiveRequestPath } from './request-path.mjs';
28	import { applyScopeFilterToNotes } from '../lib/scope-filter.mjs';
29	import { createMetadataBulkHandlers } from './metadata-bulk-canister.mjs';
30	import { filterUpstreamResponseHeadersForDecodedBody } from './upstream-response-headers.mjs';
31	import { loadProposalRubric } from '../../lib/hub-proposal-rubric.mjs';
32	import { commitImageToRepo, validateImageExtension, validateMagicBytes } from '../../lib/github-commit-image.mjs';
33	import { parseMultipartFile } from './parse-multipart.mjs';
34	import { proposalPolicyEnvLocked } from '../../lib/hub-proposal-policy.mjs';
35	import {
36	loadHostedProposalLlmPrefs,
37	mergeHostedProposalLlmPrefs,
38	effectiveHostedEvaluationRequired,
39	effectiveHostedReviewHints,
40	effectiveHostedEnrich,
41	} from './proposal-llm-store.mjs';
42	import { augmentProposalEvaluationBodyForCanister } from './proposal-evaluation-canister-body.mjs';
43	import { augmentProposalCreateForHosted } from './proposal-create-hosted-body.mjs';
44	import { maybeScheduleHostedProposalReviewHints } from './proposal-review-hints-async.mjs';
45	import { proposalDataForHostedReviewHintsFromCreate } from './proposal-hints-create-context.mjs';
46	import { runHostedProposalEnrichAndPost } from './proposal-enrich-hosted.mjs';
47	import { isAttestationConfigured, createAttestation, verifyAttestation, verifyWithIcp, anchorPendingAttestations } from './attest-store.mjs';
48	import { loadBillingDb, mutateBillingDb } from './billing-store.mjs';
49	import { normalizeBillingUser, defaultUserRecord } from './billing-logic.mjs';
50	import {
51	mergeConsolidateRequestBodyWithBillingDefaults,
52	validateHostedSettingsConsolidationAdvanced,
53	} from '../../lib/hosted-consolidation-advanced.mjs';
54	import {
55	parseMuseConfigFromEnv,
56	resolveExternalRefForApprove,
57	proposalIdFromApprovePath,
58	fetchMuseProxiedGet,
59	} from '../../lib/muse-thin-bridge.mjs';
60	import { exportNoteRecordToContent } from '../../lib/export.mjs';
61	import { canisterAuthHeaders as canisterAuthHeadersFromEnv } from './canister-auth-headers.mjs';
62	import {
63	issueRefreshCookie,
64	createRefreshHandler,
65	createLogoutHandler,
66	refreshCookieOptions,
67	} from '../auth-session.mjs';
68	import {
69	createGatewayRefreshStore,
70	pruneRefreshTokens as pruneGatewayRefreshTokens,
71	} from './refresh-token-store.mjs';
72	import { createScoolingNoteOutlineSmokeRouter } from './scooling-note-outline-smoke.mjs';
73	import { createScoolingWriteBackSmokeRouter } from './scooling-write-back-smoke.mjs';
74	import { buildNoteOutline } from '../../lib/note-outline.mjs';
75	import { buildDocumentTree } from '../../lib/document-tree.mjs';
76	import { buildSectionSource } from '../../lib/section-source.mjs';
77	import { normalizeMetadataFacets } from '../../lib/vault.mjs';
78
79	// Safe when bundled (e.g. Netlify Functions CJS) where import.meta may be undefined
80	let projectRoot;
81	try {
82	const __dirname = path.dirname(fileURLToPath(import.meta.url));
83	projectRoot = path.resolve(__dirname, '..', '..');
84	} catch (_) {
85	projectRoot = process.cwd();
86	}
87	const envPath = path.join(projectRoot, '.env');
88	if (fs.existsSync(envPath)) dotenv.config({ path: envPath });
89
90	const PORT = parseInt(process.env.GATEWAY_PORT \|\| process.env.PORT \|\| '3340', 10);
91	const BASE_URL = process.env.HUB_BASE_URL \|\| `http://localhost:${PORT}`;
92
93	// AIR Improvement D: when ATTESTATION_SECRET is set and no explicit AIR endpoint
94	// is provided, point AIR at this gateway's own /api/v1/attest route.
95	if (
96	process.env.ATTESTATION_SECRET &&
97	process.env.ATTESTATION_SECRET.length >= 32 &&
98	!process.env.KNOWTATION_AIR_ENDPOINT
99	) {
100	process.env.KNOWTATION_AIR_ENDPOINT = `${BASE_URL}/api/v1/attest`;
101	console.log('[gateway] AIR auto-configured: KNOWTATION_AIR_ENDPOINT =', process.env.KNOWTATION_AIR_ENDPOINT);
102	}
103	const CANISTER_URL = (process.env.CANISTER_URL \|\| '').replace(/\/$/, '');
104	const CANISTER_AUTH_SECRET = process.env.CANISTER_AUTH_SECRET \|\| '';
105	const BRIDGE_URL = (process.env.BRIDGE_URL \|\| '').replace(/\/$/, '');
106	if (BRIDGE_URL) {
107	try {
108	const u = new URL(BRIDGE_URL);
109	if (u.protocol !== 'http:' && u.protocol !== 'https:') {
110	throw new Error('BRIDGE_URL must use http: or https:');
111	}
112	} catch (e) {
113	console.error(
114	'[gateway] BRIDGE_URL must be an absolute URL with scheme (no path after host), e.g. https://your-bridge.netlify.app. Got:',
115	JSON.stringify(BRIDGE_URL),
116	e.message \|\| e,
117	);
118	process.exit(1);
119	}
120	}
121	const HUB_UI_ORIGIN = (process.env.HUB_UI_ORIGIN \|\| BASE_URL).replace(/\/$/, '');
122	const SESSION_SECRET = process.env.SESSION_SECRET \|\| process.env.HUB_JWT_SECRET;
123	const JWT_EXPIRY = process.env.HUB_JWT_EXPIRY \|\| '24h';
124
125	// Optional: comma-separated list of user IDs (e.g. google:123,github:456) who get role admin on hosted. Others get member.
126	const HUB_ADMIN_USER_IDS = (process.env.HUB_ADMIN_USER_IDS \|\| '')
127	.split(',')
128	.map((s) => s.trim())
129	.filter(Boolean);
130	const adminUserIdsSet = new Set(HUB_ADMIN_USER_IDS);
131
132	function roleForSub(sub) {
133	return sub && adminUserIdsSet.has(sub) ? 'admin' : 'member';
134	}
135
136	function canisterAuthHeaders() {
137	return canisterAuthHeadersFromEnv();
138	}
139
140	passport.serializeUser((user, done) => done(null, user));
141	passport.deserializeUser((obj, done) => done(null, obj));
142
143	if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
144	passport.use(
145	new GoogleStrategy(
146	{
147	clientID: process.env.GOOGLE_CLIENT_ID,
148	clientSecret: process.env.GOOGLE_CLIENT_SECRET,
149	callbackURL: `${BASE_URL}/auth/callback/google`,
150	},
151	(_accessToken, _refreshToken, profile, done) => {
152	return done(null, { provider: 'google', id: profile.id, displayName: profile.displayName ?? '' });
153	}
154	)
155	);
156	}
157	if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {
158	passport.use(
159	new GitHubStrategy(
160	{
161	clientID: process.env.GITHUB_CLIENT_ID,
162	clientSecret: process.env.GITHUB_CLIENT_SECRET,
163	callbackURL: `${BASE_URL}/auth/callback/github`,
164	},
165	(_accessToken, _refreshToken, profile, done) => {
166	return done(null, { provider: 'github', id: profile.id, displayName: profile.displayName ?? profile.username ?? '' });
167	}
168	)
169	);
170	}
171
172	function userId(user) {
173	if (!user \|\| !user.provider \|\| !user.id) return null;
174	return `${user.provider}:${user.id}`;
175	}
176
177	function issueToken(user) {
178	const sub = userId(user);
179	if (!sub) return null;
180	const role = roleForSub(sub);
181	return jwt.sign(
182	{
183	sub,
184	provider: user.provider,
185	id: user.id,
186	name: user.displayName ?? '',
187	role,
188	},
189	SESSION_SECRET,
190	{ expiresIn: JWT_EXPIRY }
191	);
192	}
193
194	function verifyToken(token) {
195	try {
196	const payload = jwt.verify(token, SESSION_SECRET);
197	return payload.sub ?? null;
198	} catch (_) {
199	return null;
200	}
201	}
202
203	/**
204	* Verify the token and return the full decoded payload, or null if invalid/expired.
205	* Used only by the session-introspection endpoint; callers that only need `sub` use verifyToken.
206	* @param {string} token
207	* @returns {object\|null}
208	*/
209	function decodeVerifiedToken(token) {
210	try {
211	return jwt.verify(token, SESSION_SECRET);
212	} catch (_) {
213	return null;
214	}
215	}
216
217	/**
218	* Derive the set of API scopes from a role string.
219	* This is the C7 → C4 bridge: Scooling can read `scopes` today; when explicit per-user
220	* scope management (C4) is wired in, this function will be replaced with a real lookup
221	* without changing the C7 response shape.
222	* @param {string} role - 'admin' \| 'member'
223	* @returns {string[]}
224	*/
225	function scopesForRole(role) {
226	if (role === 'admin') return ['vault:read', 'vault:write', 'admin'];
227	return ['vault:read', 'vault:write'];
228	}
229
230	/**
231	* Re-mint a short-lived access token from a `sub` alone (used by POST /api/v1/auth/refresh,
232	* which only knows the user id carried by the refresh-token record). The `sub` is the canonical
233	* `provider:id`, so provider/id are reconstructed from it and the role is re-derived from the
234	* current admin allowlist — a refreshed token always reflects the latest role, exactly like
235	* login. Display name is omitted (cosmetic; the UI reads it from /settings).
236	* @param {string} sub
237	* @returns {string\|null} signed JWT, or null when sub is missing
238	*/
239	function issueAccessTokenForSub(sub) {
240	if (!sub \|\| typeof sub !== 'string') return null;
241	const idx = sub.indexOf(':');
242	const provider = idx > 0 ? sub.slice(0, idx) : '';
243	const id = idx > 0 ? sub.slice(idx + 1) : sub;
244	return jwt.sign(
245	{ sub, provider, id, name: '', role: roleForSub(sub) },
246	SESSION_SECRET,
247	{ expiresIn: JWT_EXPIRY }
248	);
249	}
250
251	const IMAGE_PROXY_TOKEN_TTL_SECONDS = 300;
252
253	function signImageProxyToken(secret, uid) {
254	const exp = Math.floor(Date.now() / 1000) + IMAGE_PROXY_TOKEN_TTL_SECONDS;
255	const payload = `img\0${uid}\0${exp}`;
256	const sig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
257	return `${exp}.${Buffer.from(uid).toString('base64url')}.${sig}`;
258	}
259
260	function verifyImageProxyToken(secret, token) {
261	if (typeof token !== 'string') return null;
262	const parts = token.split('.');
263	if (parts.length !== 3) return null;
264	const [expStr, uidB64, sig] = parts;
265	const exp = parseInt(expStr, 10);
266	if (!exp \|\| Math.floor(Date.now() / 1000) > exp) return null;
267	let uid;
268	try { uid = Buffer.from(uidB64, 'base64url').toString(); } catch (_) { return null; }
269	if (!uid) return null;
270	const payload = `img\0${uid}\0${exp}`;
271	const expected = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
272	const sigBuf = Buffer.from(sig);
273	const expectedBuf = Buffer.from(expected);
274	if (sigBuf.length !== expectedBuf.length \|\| !crypto.timingSafeEqual(sigBuf, expectedBuf)) return null;
275	return uid;
276	}
277
278	const app = express();
279	// Trust the first downstream proxy so express-rate-limit (and any future IP-based middleware)
280	// reads the real client IP from X-Forwarded-For instead of the CDN/load-balancer address.
281	app.set('trust proxy', 1);
282
283	// Remove X-Powered-By: Express — leaking server technology is unnecessary attack surface.
284	app.disable('x-powered-by');
285
286	// Netlify rewrites /* -> /.netlify/functions/gateway/:splat, so the function may receive
287	// a path like /.netlify/functions/gateway/api/v1/notes. Express would not match /api/v1/* routes.
288	const NETLIFY_GW_PREFIX = '/.netlify/functions/gateway';
289	app.use((req, _res, next) => {
290	const raw = req.url \|\| '/';
291	const q = raw.indexOf('?');
292	const pathPart = q >= 0 ? raw.slice(0, q) : raw;
293	const queryPart = q >= 0 ? raw.slice(q) : '';
294	if (pathPart === NETLIFY_GW_PREFIX \|\| pathPart.startsWith(`${NETLIFY_GW_PREFIX}/`)) {
295	const rest =
296	pathPart === NETLIFY_GW_PREFIX ? '/' : pathPart.slice(NETLIFY_GW_PREFIX.length) \|\| '/';
297	const nextUrl = rest + queryPart;
298	req.url = nextUrl;
299	// Express may set originalUrl to the internal function path; keep it aligned with req.path.
300	req.originalUrl = nextUrl;
301	delete req._parsedUrl;
302	delete req._parsedOriginalUrl;
303	}
304	next();
305	});
306
307	app.use(cookieParser());
308	app.post('/api/v1/billing/webhook', express.raw({ type: 'application/json' }), (req, res) => {
309	stripeWebhookHandler(req, res);
310	});
311	app.use(express.json({ limit: '10mb' }));
312	app.use(passport.initialize());
313
314	// CORS: production MUST set HUB_CORS_ORIGIN (apex + www) for credentialed-style responses.
315	// If unset, we use * and omit Allow-Credentials — otherwise browsers block (* + credentials = Failed to fetch).
316	// See hub/gateway/cors-middleware.mjs.
317	const corsOrigins = process.env.HUB_CORS_ORIGIN
318	? process.env.HUB_CORS_ORIGIN.split(',').map((o) => o.trim()).filter(Boolean)
319	: [];
320	app.use((req, res, next) => {
321	applyGatewayCors(res, req.get('Origin'), corsOrigins);
322	next();
323	});
324
325	// Persistent sessions (refresh-token rotation), hosted edition. The durable, hashed refresh
326	// token is delivered as an HttpOnly cookie; the security logic lives in
327	// hub/lib/refresh-token-core.mjs via the blob-backed store below (shared with self-hosted).
328	const refreshStore = createGatewayRefreshStore();
329
330	/**
331	* Cookie policy for the hosted refresh token.
332	* - When the UI and gateway share an origin (HUB_CORS_ORIGIN unset), the cookie is first-party
333	* and SameSite=Lax is correct and most robust.
334	* - When HUB_CORS_ORIGIN is set the UI is on another origin, so the credentialed cross-site
335	* request requires SameSite=None (which forces Secure). NOTE: a cross-site cookie is only
336	* delivered reliably when the gateway is a subdomain of the UI's registrable domain (e.g.
337	* UI knowtation.store + gateway api.knowtation.store); browsers increasingly block
338	* unrelated third-party cookies. Same-origin (single origin for UI + API) is recommended.
339	* Scoped to the auth path so the cookie is only ever sent to /api/v1/auth endpoints.
340	*/
341	function refreshCookiePolicy() {
342	const crossOrigin = corsOrigins.length > 0;
343	return refreshCookieOptions({
344	secure: crossOrigin \|\| BASE_URL.startsWith('https://'),
345	sameSite: crossOrigin ? 'none' : 'lax',
346	maxAgeMs: 90 * 24 * 60 * 60 * 1000,
347	});
348	}
349
350	/**
351	* Issue the HttpOnly refresh cookie at the end of a successful OAuth login. Best-effort: a
352	* refresh-store write failure must never block login (the access token still works).
353	* @param {import('express').Response} res
354	* @param {import('express').Request} req
355	* @param {string\|null} sub
356	*/
357	async function issueRefreshCookieSafe(res, req, sub) {
358	if (!sub) {
359	console.warn('[gateway] refresh cookie skipped: no sub resolved from req.user');
360	return;
361	}
362	try {
363	await issueRefreshCookie(res, {
364	store: refreshStore,
365	sub,
366	cookieOptions: refreshCookiePolicy,
367	meta: { ua: String(req.headers['user-agent'] \|\| '').slice(0, 256) },
368	});
369	console.info('[gateway] refresh cookie issued for sub=%s', sub);
370	} catch (err) {
371	// Login still proceeds with the access token even if the refresh store is unavailable, but
372	// the failure MUST be surfaced — swallowing it silently made a persistent-login outage
373	// undiagnosable. `authBlobPresent` distinguishes the two failure modes:
374	// false → the Netlify Blob was not provisioned for this invocation, so the store fell back
375	// to a file write that fails on the read-only function FS;
376	// true → the blob was provisioned but the read/write itself was rejected.
377	const authBlobPresent = Boolean(globalThis.__knowtation_gateway_auth_blob);
378	console.error(
379	'[gateway] refresh cookie FAILED for sub=%s authBlobPresent=%s: %s',
380	sub,
381	authBlobPresent,
382	err && err.stack ? err.stack : (err && err.message) \|\| String(err),
383	);
384	}
385	}
386
387	// Authenticated Hub JSON must not be cached (browser 304 / CDN reuse shows stale frontmatter).
388	app.use('/api/v1', (req, res, next) => {
389	res.set('Cache-Control', 'private, no-store, must-revalidate');
390	next();
391	});
392
393	// Health (no auth) — returns { ok: true }. If a CDN or host wrapper returns usage_exceeded, that is outside this app (check Netlify site / account limits and which commit is deployed).
394	app.get('/health', (_req, res) => res.json({ ok: true }));
395	app.get('/api/v1/health', (_req, res) => res.json({ ok: true }));
396	app.use(createScoolingNoteOutlineSmokeRouter());
397	app.use(createScoolingWriteBackSmokeRouter());
398
399	// Which OAuth providers are configured (no auth)
400	app.get('/api/v1/auth/providers', (_req, res) => {
401	res.json({
402	google: Boolean(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET),
403	github: Boolean(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET),
404	});
405	});
406
407	// C7 Session introspection — returns the verified identity and derived scopes for the bearer.
408	// Designed for Scooling (cross-origin, Bearer auth) and the Hub UI alike.
409	// GET /api/v1/auth/session → { sub, provider, id, name, role, iat, exp, scopes }
410	// Only reads what is already in the signed JWT — no extra DB call, no data elevation.
411	app.options('/api/v1/auth/session', (_req, res) => res.status(204).end());
412	app.get('/api/v1/auth/session', (req, res) => {
413	const auth = req.headers.authorization;
414	if (!auth \|\| !auth.startsWith('Bearer ')) {
415	return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
416	}
417	const token = auth.slice(7);
418	const payload = decodeVerifiedToken(token);
419	if (!payload \|\| !payload.sub) {
420	return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
421	}
422	return res.json({
423	sub: payload.sub,
424	provider: payload.provider ?? '',
425	id: payload.id ?? '',
426	name: payload.name ?? '',
427	role: payload.role ?? 'member',
428	iat: payload.iat,
429	exp: payload.exp,
430	scopes: scopesForRole(payload.role ?? 'member'),
431	});
432	});
433
434	// Persistent sessions: exchange the HttpOnly refresh cookie for a fresh access token, and real
435	// server-side logout (revokes the refresh token, not just the client cookie). Mounted BEFORE the
436	// bridge/canister proxies so these are handled locally and never forwarded upstream.
437	//
438	// Rate limiting note: an in-memory express-rate-limit is ineffective on Netlify (each function
439	// invocation is isolated, no shared counter) and trips ERR_ERL_* under serverless proxies. Brute
440	// force is bounded instead by edge limits (see hub/gateway/README.md) and, more fundamentally, by
441	// the opaque high-entropy token + rotation/reuse detection in refresh-token-core.mjs.
442	app.options(['/api/v1/auth/refresh', '/api/v1/auth/logout'], (_req, res) => res.status(204).end());
443	app.post(
444	'/api/v1/auth/refresh',
445	createRefreshHandler({
446	store: refreshStore,
447	issueAccessToken: issueAccessTokenForSub,
448	cookieOptions: refreshCookiePolicy,
449	meta: (req) => ({ ua: String(req.headers['user-agent'] \|\| '').slice(0, 256) }),
450	})
451	);
452	app.post(
453	'/api/v1/auth/logout',
454	createLogoutHandler({ store: refreshStore, cookieOptions: refreshCookiePolicy })
455	);
456	// On a persistent gateway (local/Docker/VPS) opportunistically prune dead refresh records at
457	// startup. Skipped on Netlify, where the blob store is provisioned per-invocation and a cold-start
458	// prune would add latency to the first request; rely on rotation/expiry to keep the store small.
459	if (!process.env.NETLIFY) {
460	Promise.resolve()
461	.then(() => pruneGatewayRefreshTokens())
462	.catch(() => { /* best effort; never fatal */ });
463	}
464
465	// Auth: login redirect — plan routes GET /auth/login, GET /auth/callback/google\|github. Preserve invite in state for post-login redirect.
466	// Phase D3: mcp_state query param is passed through OAuth state for MCP authorization flow.
467	// C1/C3 (COMPANION-APP-OAUTH-SERVERSIDE-GATE §6): native_state query param is passed
468	// through OAuth state for the native client authorization flow (prefix "native:").
469	app.get('/auth/login', (req, res, next) => {
470	const provider = (req.query.provider \|\| 'google').toLowerCase();
471	const invite = typeof req.query.invite === 'string' ? req.query.invite.trim() : '';
472	const mcpState = typeof req.query.mcp_state === 'string' ? req.query.mcp_state.trim() : '';
473	const nativeState = typeof req.query.native_state === 'string' ? req.query.native_state.trim() : '';
474	let state;
475	if (mcpState) {
476	state = `mcp:${mcpState}`;
477	} else if (nativeState) {
478	// Prefix distinguishes native auth round-trips from MCP round-trips in the IDP callback.
479	state = `native:${nativeState}`;
480	} else {
481	state = invite \|\| undefined;
482	}
483	if (provider === 'google' && process.env.GOOGLE_CLIENT_ID) {
484	return passport.authenticate('google', { scope: ['profile'], state })(req, res, next);
485	}
486	if (provider === 'github' && process.env.GITHUB_CLIENT_ID) {
487	return passport.authenticate('github', { scope: ['user:email'], state })(req, res, next);
488	}
489	return res.status(400).json({ error: `Unknown or disabled provider: ${provider}`, code: 'BAD_REQUEST' });
490	});
491
492	function postLoginRedirect(token, req) {
493	if (!token) return HUB_UI_ORIGIN + '/hub/?auth_error=1';
494	const invite = typeof req.query.state === 'string' ? req.query.state.trim() : '';
495	let fragment = `token=${encodeURIComponent(token)}`;
496	if (invite && invite.length > 0) fragment += '&invite=' + encodeURIComponent(invite);
497	return `${HUB_UI_ORIGIN}/hub/#${fragment}`;
498	}
499
500	app.get(
501	'/auth/callback/google',
502	passport.authenticate('google', { session: false }),
503	async (req, res) => {
504	const state = typeof req.query.state === 'string' ? req.query.state : '';
505	if (state.startsWith('mcp:') && app._mcpOAuthProvider) {
506	const sub = userId(req.user);
507	if (!sub) return res.status(401).json({ error: 'auth_failed' });
508	return app._mcpOAuthProvider.completeMcpAuthorization(state.slice(4), sub, res);
509	}
510	// C1/C3: native client authorization flow (COMPANION-APP-OAUTH-SERVERSIDE-GATE §6).
511	if (state.startsWith('native:') && app._nativeOAuthProvider) {
512	const sub = userId(req.user);
513	if (!sub) return res.status(401).json({ error: 'auth_failed' });
514	return app._nativeOAuthProvider.completeNativeAuthorization(state.slice(7), sub, res);
515	}
516	const token = issueToken(req.user);
517	await issueRefreshCookieSafe(res, req, userId(req.user));
518	res.redirect(postLoginRedirect(token, req));
519	}
520	);
521	app.get(
522	'/auth/callback/github',
523	passport.authenticate('github', { session: false }),
524	async (req, res) => {
525	const state = typeof req.query.state === 'string' ? req.query.state : '';
526	if (state.startsWith('mcp:') && app._mcpOAuthProvider) {
527	const sub = userId(req.user);
528	if (!sub) return res.status(401).json({ error: 'auth_failed' });
529	return app._mcpOAuthProvider.completeMcpAuthorization(state.slice(4), sub, res);
530	}
531	// C1/C3: native client authorization flow (COMPANION-APP-OAUTH-SERVERSIDE-GATE §6).
532	if (state.startsWith('native:') && app._nativeOAuthProvider) {
533	const sub = userId(req.user);
534	if (!sub) return res.status(401).json({ error: 'auth_failed' });
535	return app._nativeOAuthProvider.completeNativeAuthorization(state.slice(7), sub, res);
536	}
537	const token = issueToken(req.user);
538	await issueRefreshCookieSafe(res, req, userId(req.user));
539	res.redirect(postLoginRedirect(token, req));
540	}
541	);
542
543	// Hub UI may call login under /api/v1/auth for consistency — redirect to /auth (preserve invite for post-login consume)
544	app.get('/api/v1/auth/login', (req, res) => {
545	const provider = (req.query.provider \|\| 'google').toLowerCase();
546	let url = `${BASE_URL}/auth/login?provider=${encodeURIComponent(provider)}`;
547	const invite = typeof req.query.invite === 'string' ? req.query.invite.trim() : '';
548	if (invite) url += '&invite=' + encodeURIComponent(invite);
549	res.redirect(url);
550	});
551
552	// Phase D2/D3: MCP gateway + OAuth 2.1.
553	// MCP requires stateful sessions (SSE, session pool) that are incompatible with Netlify's
554	// serverless function model (26s timeout, no shared memory between invocations).
555	// On Netlify, only the OAuth discovery endpoints are mounted (lightweight, stateless).
556	// The full /mcp session endpoint requires a persistent Express server (local dev, Docker, VPS,
557	// or a dedicated MCP host like Railway/Fly.io). See docs/AGENT-INTEGRATION.md §2 (hosted MCP).
558	if (SESSION_SECRET && !process.env.NETLIFY) {
559	import('./mcp-oauth-provider.mjs').then(async ({ KnowtationOAuthProvider }) => {
560	const { mcpAuthRouter } = await import('@modelcontextprotocol/sdk/server/auth/router.js');
561	const oauthProvider = new KnowtationOAuthProvider({
562	sessionSecret: SESSION_SECRET,
563	baseUrl: BASE_URL,
564	});
565	app._mcpOAuthProvider = oauthProvider;
566	// @modelcontextprotocol/sdk OAuth routes use express-rate-limit behind Nginx. The limiter's
567	// default validations (X-Forwarded-For vs Express trust proxy) still throw ERR_ERL_* on some
568	// Express/SDK mount combinations. Disable express-rate-limit validations for these routes only;
569	// limits stay on; edge limits remain in Nginx (gateway deploy notes in hub/gateway/README.md).
570	const mcpOAuthSdkRateLimitOpts = {
571	rateLimit: { validate: false },
572	};
573	app.use(mcpAuthRouter({
574	provider: oauthProvider,
575	issuerUrl: new URL(BASE_URL),
576	scopesSupported: ['vault:read', 'vault:write', 'vault:admin'],
577	authorizationOptions: mcpOAuthSdkRateLimitOpts,
578	tokenOptions: mcpOAuthSdkRateLimitOpts,
579	clientRegistrationOptions: mcpOAuthSdkRateLimitOpts,
580	revocationOptions: mcpOAuthSdkRateLimitOpts,
581	}));
582	console.log('[gateway] MCP OAuth 2.1 endpoints mounted');
583
584	// C1–C6 (COMPANION-APP-OAUTH-SERVERSIDE-GATE §6): native client OAuth 2.1 endpoints.
585	// The native path issues web-session JWTs (issueToken shape) instead of mcp_access
586	// tokens, uses refresh-token-core for durable rotation, enforces loopback-only
587	// redirect URIs, validates redirect_uri at exchange, and applies a scope ceiling.
588	// Mounted only on the persistent gateway host — same guard as the MCP router.
589	try {
590	const { createNativeOAuthRouter } = await import('./native-oauth-provider.mjs');
591	const { router: nativeRouter, completeNativeAuthorization } = createNativeOAuthRouter({
592	baseUrl: BASE_URL,
593	loginUrl: `${BASE_URL}/auth/login`,
594	issueAccessToken: issueAccessTokenForSub,
595	// C6: grantedScopes resolves the scope ceiling via roleForSub; unknown sub → member.
596	grantedScopes: (sub) => scopesForRole(roleForSub(sub)),
597	// C2/C4: reuse the same durable refresh store as the web session so rotation +
598	// reuse-detection use the same family records. Store is file-backed on this host.
599	refreshStore,
600	});
601	// Bind completeNativeAuthorization so IDP callbacks can reach it (see /auth/callback/*).
602	app._nativeOAuthProvider = { completeNativeAuthorization };
603	app.use('/api/v1/auth/native', nativeRouter);
604	console.log('[gateway] Native OAuth 2.1 endpoints mounted at /api/v1/auth/native');
605
606	// C4: opportunistically prune expired native auth codes at startup.
607	const { pruneExpiredCodes } = await import('./native-as-store.mjs');
608	pruneExpiredCodes().catch(() => { /* best effort; never fatal */ });
609	} catch (e) {
610	console.error('[gateway] Native OAuth router failed to load:', e.message \|\| e);
611	}
612	}).catch((e) => {
613	console.error('[gateway] MCP OAuth router failed to load:', e.message \|\| e);
614	});
615	} else if (SESSION_SECRET && process.env.NETLIFY) {
616	console.log('[gateway] MCP OAuth/session endpoints skipped on Netlify (stateful sessions require persistent server)');
617	}
618
619	if (BRIDGE_URL && CANISTER_URL && !process.env.NETLIFY) {
620	import('./mcp-proxy.mjs').then(({ createMcpProxyRouter }) => {
621	const mcpRouter = createMcpProxyRouter({
622	getUserId,
623	getHostedAccessContext,
624	canisterUrl: CANISTER_URL,
625	canisterAuthSecret: CANISTER_AUTH_SECRET,
626	bridgeUrl: BRIDGE_URL,
627	gatewayApiBaseUrl: BASE_URL.replace(/\/$/, ''),
628	sessionSecret: SESSION_SECRET \|\| '',
629	});
630	app.use('/mcp', mcpRouter);
631	console.log('[gateway] MCP endpoint mounted at /mcp');
632	if (!CANISTER_AUTH_SECRET) {
633	console.warn(
634	'[gateway] MCP /mcp: CANISTER_AUTH_SECRET is empty. Direct canister HTTP calls from hosted MCP (list_notes, get_note, write, enrich; summarize note fetches) send no X-Gateway-Auth and the canister returns GATEWAY_AUTH_REQUIRED. Set the same CANISTER_AUTH_SECRET as the Netlify gateway and as configured on the canister (admin_set_gateway_auth_secret), then pm2 restart with --update-env.'
635	);
636	}
637	}).catch((e) => {
638	console.error('[gateway] MCP proxy failed to load:', e.message \|\| e);
639	});
640	} else if (process.env.NETLIFY) {
641	app.all('/mcp', (_req, res) => {
642	res.status(503).json({
643	error: 'MCP endpoint requires a persistent server. Connect to the dedicated MCP host or use self-hosted deployment.',
644	code: 'MCP_NETLIFY_UNSUPPORTED',
645	docs: 'https://github.com/aaronrene/knowtation/blob/main/docs/AGENT-INTEGRATION.md',
646	});
647	});
648	}
649
650	// Connect GitHub + Back up now: proxy to bridge when BRIDGE_URL is set (single origin for UI)
651	if (BRIDGE_URL) {
652	app.get('/api/v1/auth/github-connect', (req, res) => {
653	const q = new URLSearchParams(req.query).toString();
654	res.redirect(`${BRIDGE_URL}/auth/github-connect${q ? '?' + q : ''}`);
655	});
656	// Browsers send OPTIONS preflight before POST with Authorization + JSON body. The bridge only
657	// registers POST /api/v1/vault/sync, so proxying OPTIONS returns 404 and surfaces as "Failed to fetch".
658	app.all('/api/v1/vault/sync', async (req, res) => {
659	if (req.method === 'OPTIONS') {
660	return res.status(204).end();
661	}
662	const url = BRIDGE_URL + '/api/v1/vault/sync' + (req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '');
663	await proxyTo(BRIDGE_URL, url, req, res);
664	});
665	app.all('/api/v1/vaults/:vaultId', async (req, res) => {
666	if (req.method === 'OPTIONS') {
667	return res.status(204).end();
668	}
669	if (req.method !== 'DELETE') {
670	return res.status(405).json({ error: 'Method not allowed', code: 'METHOD_NOT_ALLOWED' });
671	}
672	if (!(await runBillingGate(req, res, getUserId))) return;
673	const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
674	const url =
675	BRIDGE_URL + '/api/v1/vaults/' + encodeURIComponent(req.params.vaultId) + q;
676	await proxyTo(BRIDGE_URL, url, req, res);
677	});
678	app.get('/api/v1/vault/github-status', async (req, res) => {
679	const url = BRIDGE_URL + '/api/v1/vault/github-status' + (req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '');
680	await proxyTo(BRIDGE_URL, url, req, res);
681	});
682	app.post('/api/v1/search', async (req, res) => {
683	if (!(await runBillingGate(req, res, getUserId))) return;
684	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/search', req, res);
685	});
686	app.post('/api/v1/index', async (req, res) => {
687	if (!(await runBillingGate(req, res, getUserId))) return;
688	const uid = getUserId(req);
689	const headers = { ...req.headers, host: new URL(BRIDGE_URL).host };
690	delete headers.origin;
691	delete headers.referer;
692	const opts = { method: 'POST', headers };
693	const payload =
694	req.body === undefined ? undefined : typeof req.body === 'string' ? req.body : JSON.stringify(req.body);
695	if (payload !== undefined) {
696	opts.body = payload;
697	stripStaleOutboundBodyHeaders(headers);
698	}
699	try {
700	const upstream = await fetch(BRIDGE_URL + '/api/v1/index', opts);
701	const body = await upstream.text();
702	if (uid) await recordIndexingTokensAfterBridgeIndex(uid, upstream.status, body);
703	const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries());
704	res.status(upstream.status).set(Object.fromEntries(hop));
705	res.send(body);
706	} catch (e) {
707	console.error('Gateway proxy (bridge) error:', e.message);
708	res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
709	}
710	});
711	// GET /api/v1/index/status — read-only sidecar describing the last successful
712	// index + whether a background job is currently in flight. Added in May 2026
713	// alongside the auto-routing index path (PR #205) so the Hub UI can render
714	// `Last indexed: N minutes ago` next to the Re-index button.
715	//
716	// Auth scoping happens at the bridge (`requireBridgeAuth` + vault-scoping).
717	// We deliberately DO NOT run `runBillingGate` here — this is a passive read,
718	// not a billable index operation, and the Hub UI calls this on every page
719	// load (so charging would be both incorrect and abusive).
720	//
721	// See `test/gateway-index-status-proxy.test.mjs` for the contract test that
722	// prevents this handler from being silently removed.
723	app.get('/api/v1/index/status', async (req, res) => {
724	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/index/status', req, res);
725	});
726	// Roles & invites: proxy to bridge (bridge has persistent storage)
727	app.get('/api/v1/roles', requireAdmin, async (req, res) => {
728	await proxyTo(BRIDGE_URL, BRIDGE_URL + req.originalUrl, req, res);
729	});
730	app.post('/api/v1/roles', requireAdmin, async (req, res) => {
731	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/roles', req, res);
732	});
733	app.post('/api/v1/roles/evaluator-may-approve', requireAdmin, async (req, res) => {
734	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/roles/evaluator-may-approve', req, res);
735	});
736	app.get('/api/v1/invites', requireAdmin, async (req, res) => {
737	await proxyTo(BRIDGE_URL, BRIDGE_URL + req.originalUrl, req, res);
738	});
739	app.post('/api/v1/invites', requireAdmin, async (req, res) => {
740	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/invites', req, res);
741	});
742	app.delete('/api/v1/invites/:token', requireAdmin, async (req, res) => {
743	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/invites/' + encodeURIComponent(req.params.token), req, res);
744	});
745	app.post('/api/v1/invites/consume', (req, res, next) => {
746	const uid = getUserId(req);
747	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
748	next();
749	}, async (req, res) => {
750	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/invites/consume', req, res);
751	});
752	app.get('/api/v1/workspace', requireAdmin, async (req, res) => {
753	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/workspace', req, res);
754	});
755	app.post('/api/v1/workspace', requireAdmin, async (req, res) => {
756	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/workspace', req, res);
757	});
758	app.get('/api/v1/vault-access', requireAdmin, async (req, res) => {
759	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/vault-access', req, res);
760	});
761	app.post('/api/v1/vault-access', requireAdmin, async (req, res) => {
762	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/vault-access', req, res);
763	});
764	app.get('/api/v1/scope', requireAdmin, async (req, res) => {
765	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/scope', req, res);
766	});
767	app.post('/api/v1/scope', requireAdmin, async (req, res) => {
768	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/scope', req, res);
769	});
770	app.get('/api/v1/hosted-context', async (req, res, next) => {
771	const uid = getUserId(req);
772	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
773	next();
774	}, async (req, res) => {
775	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/hosted-context', req, res);
776	});
777
778	// Memory routes: proxy to bridge (per-user/vault isolation handled by bridge)
779	app.get('/api/v1/memory/:key', async (req, res) => {
780	const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
781	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/' + encodeURIComponent(req.params.key) + q, req, res);
782	});
783	app.post('/api/v1/memory/store', async (req, res) => {
784	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/store', req, res);
785	});
786	app.get('/api/v1/memory', async (req, res) => {
787	const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
788	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory' + q, req, res);
789	});
790	app.post('/api/v1/memory/search', async (req, res) => {
791	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/search', req, res);
792	});
793	app.delete('/api/v1/memory/clear', async (req, res) => {
794	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/clear', req, res);
795	});
796	app.get('/api/v1/memory-stats', async (req, res) => {
797	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory-stats', req, res);
798	});
799	// Consolidation routes: proxy to bridge with billing gate on POST
800	app.post('/api/v1/memory/consolidate', async (req, res) => {
801	if (!(await runBillingGate(req, res, getUserId))) return;
802	const uid = getUserId(req);
803	try {
804	const db = await loadBillingDb();
805	const raw = db.users?.[uid] \|\| defaultUserRecord(uid);
806	const u = normalizeBillingUser(raw);
807	req.body = mergeConsolidateRequestBodyWithBillingDefaults(
808	req.body && typeof req.body === 'object' ? req.body : {},
809	u,
810	);
811	} catch (_) {
812	/* fail open: bridge merges with billing file / defaults */
813	}
814	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/consolidate', req, res);
815	});
816	app.get('/api/v1/memory/consolidate/status', async (req, res) => {
817	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/consolidate/status', req, res);
818	});
819
820	// Phase 18: image upload — gateway buffers the file, fetches GitHub token from bridge,
821	// then commits directly to GitHub (avoids forwarding a multipart body to another Lambda).
822	app.post(/^\/api\/v1\/notes\/(.+)\/upload-image$/, async (req, res) => {
823	const uid = getUserId(req);
824	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
825
826	// 1. Get GitHub connection (token + repo) from bridge.
827	let ghToken, ghRepo;
828	try {
829	const tokenRes = await fetch(`${BRIDGE_URL}/api/v1/vault/github-token`, {
830	headers: { authorization: req.headers.authorization \|\| '' },
831	});
832	if (!tokenRes.ok) {
833	const errData = await tokenRes.json().catch(() => ({}));
834	return res.status(tokenRes.status).json({
835	error: errData.error \|\| 'GitHub not connected',
836	code: errData.code \|\| 'GITHUB_NOT_CONNECTED',
837	});
838	}
839	const data = await tokenRes.json();
840	ghToken = data.token;
841	ghRepo = data.repo;
842	} catch (e) {
843	return res.status(502).json({ error: 'Could not reach bridge', code: 'BAD_GATEWAY' });
844	}
845	if (!ghToken) return res.status(400).json({ error: 'GitHub not connected', code: 'GITHUB_NOT_CONNECTED' });
846	if (!ghRepo) return res.status(400).json({ error: 'GitHub repo not set. Back up once first to set the remote.', code: 'GITHUB_NOT_CONFIGURED' });
847
848	// 2. Buffer the uploaded file from the multipart body.
849	let fileBuffer, originalName, mimeType;
850	try {
851	const raw = await bufferImportRequestBody(req);
852	const ct = req.headers['content-type'] \|\| '';
853	const boundaryMatch = ct.match(/boundary=([^\s;]+)/i);
854	if (!boundaryMatch) return res.status(400).json({ error: 'Content-Type boundary missing', code: 'BAD_REQUEST' });
855	const boundary = boundaryMatch[1];
856	// Parse the first file part from the multipart body manually (avoids multer dependency).
857	const parsed = parseMultipartFile(raw, boundary);
858	if (!parsed) return res.status(400).json({ error: 'image file required', code: 'BAD_REQUEST' });
859	fileBuffer = parsed.data;
860	originalName = parsed.filename \|\| 'image.jpg';
861	mimeType = parsed.contentType \|\| 'application/octet-stream';
862	} catch (e) {
863	return res.status(500).json({ error: 'Could not read upload body', code: 'INTERNAL_ERROR' });
864	}
865
866	// 3. Validate extension, content-type, and magic bytes.
867	try { validateImageExtension(originalName); } catch (e) {
868	return res.status(400).json({ error: e.message, code: 'BAD_REQUEST' });
869	}
870	if (!mimeType.toLowerCase().startsWith('image/')) {
871	return res.status(400).json({ error: 'File content-type must be image/*', code: 'BAD_REQUEST' });
872	}
873	const ext = originalName.split('.').pop().toLowerCase();
874	const magicOk = validateMagicBytes(fileBuffer, ext);
875	if (!magicOk) {
876	return res.status(400).json({ error: 'File content does not match declared image type', code: 'BAD_REQUEST' });
877	}
878
879	// 4. Commit to GitHub directly from the gateway.
880	try {
881	const now = new Date();
882	const yearMonth = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, '0')}`;
883	const safeName = originalName.replace(/[^a-zA-Z0-9._-]/g, '_').slice(0, 128);
884	const uniqueName = `${Date.now()}-${safeName}`;
885	const repoFilePath = `media/images/${yearMonth}/${uniqueName}`;
886	const result = await commitImageToRepo({
887	accessToken: ghToken,
888	repoUrl: ghRepo,
889	filePath: repoFilePath,
890	fileBuffer,
891	commitMessage: `Add image: ${safeName}`,
892	});
893	return res.json({
894	url: result.url,
895	inserted_markdown: `![${safeName}](${result.url})`,
896	sha: result.sha,
897	repo_path: repoFilePath,
898	repo_private: result.isPrivate === true,
899	});
900	} catch (e) {
901	const msg = e.message \|\| String(e);
902	const clientErr = /not found\|not connected\|lacks permission\|lacks repo\|Reconnect\|scope\|remote/i.test(msg);
903	return res.status(clientErr ? 400 : 500).json({ error: msg, code: clientErr ? 'BAD_REQUEST' : 'RUNTIME_ERROR' });
904	}
905	});
906
907	app.get('/api/v1/vault/image-proxy-token', (req, res) => {
908	const uid = getUserId(req);
909	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
910	if (!SESSION_SECRET) return res.status(503).json({ error: 'Not configured', code: 'NOT_CONFIGURED' });
911	const token = signImageProxyToken(SESSION_SECRET, uid);
912	res.json({ token, expires_in: IMAGE_PROXY_TOKEN_TTL_SECONDS });
913	});
914
915	app.get('/api/v1/vault/image-proxy', async (req, res) => {
916	const auth = req.headers.authorization \|\| '';
917	const headerToken = auth.startsWith('Bearer ') ? auth.slice(7) : null;
918	const queryToken = typeof req.query.token === 'string' ? req.query.token : null;
919	let uid = headerToken ? getUserId({ headers: { authorization: `Bearer ${headerToken}` } }) : null;
920	let jwtTokenForBridge = headerToken \|\| '';
921	if (!uid && queryToken && SESSION_SECRET) {
922	uid = verifyImageProxyToken(SESSION_SECRET, queryToken);
923	}
924	// Backward compat: old hub.js sends full JWT as ?token= (pre-signed-token change).
925	if (!uid && queryToken) {
926	const fromJwt = getUserId({ headers: { authorization: `Bearer ${queryToken}` } });
927	if (fromJwt) { uid = fromJwt; jwtTokenForBridge = queryToken; }
928	}
929	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
930
931	// When uid is known but no JWT to forward (HMAC token auth path), mint a
932	// short-lived gateway JWT so the bridge can identify the user.
933	if (!jwtTokenForBridge && SESSION_SECRET) {
934	try { jwtTokenForBridge = jwt.sign({ sub: uid }, SESSION_SECRET, { expiresIn: '5m' }); } catch (_) {}
935	}
936
937	const rawUrl = typeof req.query.url === 'string' ? req.query.url : '';
938	if (!rawUrl) return res.status(400).json({ error: 'url parameter required', code: 'BAD_REQUEST' });
939
940	// Only proxy raw.githubusercontent.com URLs to prevent SSRF.
941	const rawMatch = rawUrl.match(
942	/^https:\/\/raw\.githubusercontent\.com\/([^/]+)\/([^/]+)\/([^/]+)\/(.+)$/i,
943	);
944	if (!rawMatch) {
945	return res.status(400).json({ error: 'Only raw.githubusercontent.com URLs are supported', code: 'BAD_REQUEST' });
946	}
947	const [, owner, repo, ref, filePath] = rawMatch;
948
949	let ghToken = null;
950	if (jwtTokenForBridge) {
951	try {
952	const tokenRes = await fetch(`${BRIDGE_URL}/api/v1/vault/github-token`, {
953	headers: { authorization: `Bearer ${jwtTokenForBridge}` },
954	});
955	if (tokenRes.ok) {
956	const data = await tokenRes.json();
957	ghToken = data.token \|\| null;
958	}
959	} catch (_) { /* bridge unreachable — fall through, public repos still work */ }
960	}
961
962	if (!ghToken) {
963	// No stored GitHub token — assume the repo is public and redirect directly.
964	return res.redirect(302, rawUrl);
965	}
966
967	// Use the GitHub Contents API to get a signed, short-lived download_url for the file.
968	// This avoids sending the PAT in the redirect URL while still letting private-repo images load.
969	const apiUrl =
970	`https://api.github.com/repos/${owner}/${repo}/contents/${filePath}` +
971	`?ref=${encodeURIComponent(ref)}`;
972	try {
973	const apiRes = await fetch(apiUrl, {
974	headers: {
975	Authorization: `token ${ghToken}`,
976	Accept: 'application/vnd.github.v3+json',
977	'User-Agent': 'Knowtation-Hub/1.0',
978	},
979	});
980	if (apiRes.ok) {
981	const data = await apiRes.json();
982	const dlUrl = data.download_url \|\| rawUrl;
983	res.setHeader('Cache-Control', 'private, max-age=300');
984	return res.redirect(302, dlUrl);
985	}
986	// GitHub returned an error (e.g. 404 file missing, 403 large-file).
987	const errBody = await apiRes.json().catch(() => ({}));
988	return res.status(apiRes.status).json({
989	error: errBody.message \|\| 'Image not found on GitHub',
990	code: 'UPSTREAM_ERROR',
991	});
992	} catch (e) {
993	return res.status(502).json({ error: 'Failed to fetch image metadata from GitHub', code: 'BAD_GATEWAY' });
994	}
995	});
996	}
997
998	/**
999	* Safe client request headers that may be forwarded to upstream services.
1000	* Using an explicit allowlist prevents host-header injection, internal proxy header leakage,
1001	* and forwarding of security-sensitive headers (cookies, x-forwarded-for, etc.) to upstreams.
1002	*/
1003	const PROXY_HEADER_ALLOWLIST = new Set([
1004	'content-type',
1005	'accept',
1006	'accept-language',
1007	'accept-encoding',
1008	]);
1009
1010	/**
1011	* Incoming headers describe the client body. We often re-serialize JSON (provenance merge), so
1012	* length and transfer-related headers must not be forwarded: Undici can hang or mis-send if
1013	* Content-Length still matches the old, shorter body.
1014	*/
1015	function stripStaleOutboundBodyHeaders(headers) {
1016	for (const k of Object.keys(headers)) {
1017	const l = k.toLowerCase();
1018	if (
1019	l === 'content-length' \|\|
1020	l === 'transfer-encoding' \|\|
1021	l === 'content-encoding'
1022	) {
1023	delete headers[k];
1024	}
1025	}
1026	}
1027
1028	async function proxyTo(baseUrl, url, req, res) {
1029	const headers = { host: new URL(baseUrl).host };
1030	// Allowlist: only forward safe headers; also forward authorization for bridge JWT auth
1031	// and x-vault-id for vault routing. Never forward origin, referer, cookies, or proxy headers.
1032	for (const k of PROXY_HEADER_ALLOWLIST) {
1033	if (req.headers[k] !== undefined) headers[k] = req.headers[k];
1034	}
1035	if (req.headers.authorization) headers.authorization = req.headers.authorization;
1036	if (req.headers['x-vault-id']) headers['x-vault-id'] = req.headers['x-vault-id'];
1037	const opts = { method: req.method, headers };
1038	if (req.method !== 'GET' && req.method !== 'HEAD' && req.body !== undefined) {
1039	opts.body = typeof req.body === 'string' ? req.body : JSON.stringify(req.body);
1040	stripStaleOutboundBodyHeaders(headers);
1041	}
1042	try {
1043	const upstream = await fetch(url, opts);
1044	const body = await upstream.text();
1045	const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries());
1046	res.status(upstream.status).set(Object.fromEntries(hop));
1047	res.send(body);
1048	} catch (e) {
1049	console.error('Gateway proxy (bridge) error:', e.message);
1050	res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
1051	}
1052	}
1053
1054	/**
1055	* Read multipart/raw POST body for import proxy.
1056	* Netlify (serverless-http) attaches the Lambda body as Buffer on `req.body` and uses a synthetic stream;
1057	* `fetch(req, { duplex })` is unreliable there — always buffer then POST bytes.
1058	* @param {import('express').Request} req
1059	* @returns {Promise<Buffer>}
1060	*/
1061	async function bufferImportRequestBody(req) {
1062	if (Buffer.isBuffer(req.body)) return req.body;
1063	if (req.body instanceof Uint8Array) return Buffer.from(req.body);
1064	if (typeof req.body === 'string') return Buffer.from(req.body, 'latin1');
1065	const chunks = [];
1066	for await (const chunk of req) {
1067	chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
1068	}
1069	return Buffer.concat(chunks);
1070	}
1071
1072
1073	/**
1074	* Multipart import: forward body bytes to bridge (do not use proxyTo — body is not JSON in req.body).
1075	* @param {string} _baseUrl - bridge origin (reserved for diagnostics; fetch URL is `url`)
1076	* @param {string} url - full URL to bridge /api/v1/import
1077	* @param {import('express').Request} req
1078	* @param {import('express').Response} res
1079	*/
1080	async function proxyImportToBridge(_baseUrl, url, req, res) {
1081	let raw;
1082	try {
1083	raw = await bufferImportRequestBody(req);
1084	} catch (e) {
1085	console.error('Gateway import proxy (read body):', e.message \|\| e);
1086	return res.status(500).json({ error: 'Could not read upload body', code: 'INTERNAL_ERROR' });
1087	}
1088	if (!raw.length) {
1089	return res.status(400).json({ error: 'Empty upload body', code: 'BAD_REQUEST' });
1090	}
1091	// Do not set `Host` manually — undici derives it from the request URL; a wrong Host breaks some upstreams.
1092	const headers = {
1093	authorization: req.headers.authorization \|\| '',
1094	'x-vault-id': String(req.headers['x-vault-id'] \|\| 'default'),
1095	};
1096	const ct = req.headers['content-type'];
1097	if (ct) headers['content-type'] = ct;
1098	headers['content-length'] = String(raw.length);
1099	let upstream;
1100	try {
1101	upstream = await fetch(url, {
1102	method: 'POST',
1103	headers,
1104	body: raw,
1105	});
1106	} catch (e) {
1107	console.error('Gateway import proxy error:', e.message, e.cause);
1108	const detail = e.cause?.message \|\| e.message \|\| String(e);
1109	return res.status(502).json({
1110	error: 'Bad Gateway',
1111	code: 'BAD_GATEWAY',
1112	detail,
1113	});
1114	}
1115	const body = await upstream.text();
1116	const upstreamCt = upstream.headers.get('content-type') \|\| '';
1117	if (
1118	upstream.status >= 400 &&
1119	!/application\/json/i.test(upstreamCt) &&
1120	body.trimStart().startsWith('<')
1121	) {
1122	return res.status(upstream.status).json({
1123	error: 'Import service returned a non-JSON error (check bridge Netlify function logs).',
1124	code: 'BAD_GATEWAY',
1125	detail: `HTTP ${upstream.status}`,
1126	});
1127	}
1128	const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries());
1129	res.status(upstream.status).set(Object.fromEntries(hop));
1130	res.send(body);
1131	}
1132
1133	// Proxy /api/* to canister with X-User-Id from JWT
1134	function getUserId(req) {
1135	const auth = req.headers.authorization;
1136	const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
1137	return token ? verifyToken(token) : null;
1138	}
1139
1140	/**
1141	* Validate a hosted SectionSource note path before any upstream fetch.
1142	* @param {unknown} rawPath
1143	* @returns {string}
1144	*/
1145	function normalizeGatewaySectionSourcePath(rawPath) {
1146	if (typeof rawPath !== 'string' \|\| rawPath.trim() === '') {
1147	throw new Error('Invalid path');
1148	}
1149	const forward = rawPath.trim().replace(/\\/g, '/');
1150	if (forward.startsWith('/') \|\| /^[A-Za-z]:\//.test(forward)) {
1151	throw new Error('Invalid path');
1152	}
1153	const parts = forward.split('/').filter(Boolean);
1154	if (parts.includes('..')) {
1155	throw new Error('Invalid path');
1156	}
1157	return parts.join('/');
1158	}
1159
1160	/**
1161	* Validate a hosted NoteOutline note path before any upstream fetch.
1162	* @param {unknown} rawPath
1163	* @returns {string}
1164	*/
1165	function normalizeGatewayNoteOutlinePath(rawPath) {
1166	return normalizeGatewaySectionSourcePath(rawPath);
1167	}
1168
1169	/**
1170	* Validate a hosted DocumentTree note path before any upstream fetch.
1171	* @param {unknown} rawPath
1172	* @returns {string}
1173	*/
1174	function normalizeGatewayDocumentTreePath(rawPath) {
1175	return normalizeGatewaySectionSourcePath(rawPath);
1176	}
1177
1178	/**
1179	* Validate a hosted MetadataFacets note path before any upstream fetch.
1180	* @param {unknown} rawPath
1181	* @returns {string}
1182	*/
1183	function normalizeGatewayMetadataFacetsPath(rawPath) {
1184	return normalizeGatewaySectionSourcePath(rawPath);
1185	}
1186
1187	/**
1188	* @param {unknown} error
1189	*/
1190	function sanitizedSectionSourceGatewayError(error) {
1191	const msg = error?.message \|\| String(error ?? '');
1192	if (/^Invalid path\b/.test(msg)) return { status: 400, error: 'Invalid path', code: 'INVALID_PATH' };
1193	return { status: 502, error: 'Bad Gateway', code: 'BAD_GATEWAY' };
1194	}
1195
1196	/**
1197	* @param {unknown} error
1198	*/
1199	function sanitizedNoteOutlineGatewayError(error) {
1200	return sanitizedSectionSourceGatewayError(error);
1201	}
1202
1203	/**
1204	* @param {unknown} error
1205	*/
1206	function sanitizedDocumentTreeGatewayError(error) {
1207	return sanitizedSectionSourceGatewayError(error);
1208	}
1209
1210	/**
1211	* @param {unknown} error
1212	*/
1213	function sanitizedMetadataFacetsGatewayError(error) {
1214	return sanitizedSectionSourceGatewayError(error);
1215	}
1216
1217	const hostedCtxCache = new Map();
1218	const HOSTED_CTX_TTL_MS = 60_000;
1219	const HOSTED_CONTEXT_FETCH_TIMEOUT_MS = (() => {
1220	const n = parseInt(String(process.env.HOSTED_CONTEXT_FETCH_TIMEOUT_MS \|\| ''), 10);
1221	if (!Number.isFinite(n)) return 3000;
1222	return Math.min(10_000, Math.max(250, n));
1223	})();
1224
1225	function hostedContextAbortSignal() {
1226	return typeof AbortSignal !== 'undefined' && typeof AbortSignal.timeout === 'function'
1227	? AbortSignal.timeout(HOSTED_CONTEXT_FETCH_TIMEOUT_MS)
1228	: undefined;
1229	}
1230
1231	/**
1232	* Bridge-hosted team context (vault allowlist + scope + effective canister user). Cached briefly per (sub, vaultId).
1233	* @param {import('express').Request} req
1234	* @returns {Promise<Record<string, unknown>\|null>}
1235	*/
1236	async function getHostedAccessContext(req) {
1237	if (!BRIDGE_URL) return null;
1238	const auth = req.headers.authorization;
1239	if (!auth \|\| !auth.startsWith('Bearer ')) return null;
1240	const sub = getUserId(req);
1241	if (!sub) return null;
1242	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
1243	const cacheKey = `${sub}\0${vaultId}`;
1244	const now = Date.now();
1245	const hit = hostedCtxCache.get(cacheKey);
1246	if (hit && hit.expires > now) return hit.data;
1247	try {
1248	const signal = hostedContextAbortSignal();
1249	const r = await fetch(BRIDGE_URL + '/api/v1/hosted-context', {
1250	method: 'GET',
1251	headers: {
1252	Authorization: auth,
1253	Accept: 'application/json',
1254	'X-Vault-Id': vaultId,
1255	},
1256	...(signal ? { signal } : {}),
1257	});
1258	if (!r.ok) return null;
1259	const data = await r.json();
1260	if (data && data.error && !data.effective_canister_user_id) return null;
1261	hostedCtxCache.set(cacheKey, { expires: now + HOSTED_CTX_TTL_MS, data });
1262	return data;
1263	} catch (_) {
1264	return null;
1265	}
1266	}
1267
1268	/**
1269	* Hosted team context for an explicit vault (e.g. cross-vault copy source/target checks).
1270	* @param {string} authorization Bearer JWT
1271	* @param {string} vaultId
1272	* @returns {Promise<Record<string, unknown>\|null>}
1273	*/
1274	async function fetchHostedAccessContextForVault(authorization, vaultId) {
1275	if (!BRIDGE_URL \|\| !authorization \|\| !authorization.startsWith('Bearer ')) return null;
1276	const token = authorization.slice(7);
1277	const sub = verifyToken(token);
1278	if (!sub) return null;
1279	const vid = String(vaultId \|\| 'default').trim() \|\| 'default';
1280	const cacheKey = `${sub}\0${vid}`;
1281	const now = Date.now();
1282	const hit = hostedCtxCache.get(cacheKey);
1283	if (hit && hit.expires > now) return hit.data;
1284	try {
1285	const signal = hostedContextAbortSignal();
1286	const r = await fetch(BRIDGE_URL + '/api/v1/hosted-context', {
1287	method: 'GET',
1288	headers: {
1289	Authorization: authorization,
1290	Accept: 'application/json',
1291	'X-Vault-Id': vid,
1292	},
1293	...(signal ? { signal } : {}),
1294	});
1295	if (!r.ok) return null;
1296	const data = await r.json();
1297	if (data && data.error && !data.effective_canister_user_id) return null;
1298	hostedCtxCache.set(cacheKey, { expires: now + HOSTED_CTX_TTL_MS, data });
1299	return data;
1300	} catch (_) {
1301	return null;
1302	}
1303	}
1304
1305	const metadataBulkHandlers = createMetadataBulkHandlers({
1306	CANISTER_URL,
1307	CANISTER_AUTH_SECRET,
1308	BRIDGE_URL,
1309	SESSION_SECRET: SESSION_SECRET \|\| '',
1310	getUserId,
1311	getHostedAccessContext,
1312	});
1313
1314	app.get('/api/v1/billing/summary', (req, res) => handleBillingSummary(req, res, getUserId));
1315
1316	/**
1317	* POST /api/v1/admin/billing/repair
1318	*
1319	* Admin-only endpoint to directly write billing tier and Stripe linkage fields for a user.
1320	* Used to recover from missed or unprocessable Stripe webhook deliveries (e.g. webhook pointed
1321	* at old URL, checkout session never had user_id metadata, billing DB was empty on a new deploy).
1322	*
1323	* Auth: Bearer JWT with admin role (sub must be in HUB_ADMIN_USER_IDS env var).
1324	* Body: { uid?, tier, stripe_subscription_id?, stripe_customer_id?, has_active_subscription? }
1325	* - uid: target Knowtation user ID (defaults to the calling admin's own uid)
1326	* - tier: required — one of: free \| beta \| plus \| growth \| pro \| starter \| team
1327	* - stripe_subscription_id: if provided (non-null), also sets has_active_subscription = true
1328	* - has_active_subscription: optional boolean override; when omitted, defaults to true
1329	* whenever a non-null stripe_subscription_id is supplied, and no-op otherwise
1330	* - stripe_customer_id: if provided, links the user to their Stripe customer so future
1331	* webhook events (subscription.updated, etc.) can find them
1332	*
1333	* All mutations are logged. This endpoint does NOT create a Stripe subscription — it only
1334	* repairs the local billing DB record.
1335	*/
1336	const VALID_REPAIR_TIERS = new Set(['free', 'beta', 'plus', 'growth', 'pro', 'starter', 'team']);
1337
1338	app.post('/api/v1/admin/billing/repair', async (req, res) => {
1339	const callerUid = getUserId(req);
1340	if (!callerUid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1341	if (roleForSub(callerUid) !== 'admin') return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
1342
1343	const body = req.body && typeof req.body === 'object' ? req.body : {};
1344	const targetUid = typeof body.uid === 'string' && body.uid.trim() ? body.uid.trim() : callerUid;
1345	const tier = typeof body.tier === 'string' ? body.tier.trim() : '';
1346
1347	if (!VALID_REPAIR_TIERS.has(tier)) {
1348	return res.status(400).json({
1349	error: 'Invalid or missing tier',
1350	code: 'BAD_REQUEST',
1351	valid_tiers: [...VALID_REPAIR_TIERS],
1352	});
1353	}
1354
1355	const stripeSubId =
1356	typeof body.stripe_subscription_id === 'string' ? body.stripe_subscription_id.trim() \|\| null : undefined;
1357	const stripeCustomerId =
1358	typeof body.stripe_customer_id === 'string' ? body.stripe_customer_id.trim() \|\| null : undefined;
1359	// Explicit override: caller may pass has_active_subscription=false to deactivate.
1360	// When stripe_subscription_id is provided: truthy value → true, null (cleared) → false.
1361	// When stripe_subscription_id is omitted entirely: no-op (undefined).
1362	const hasActiveSub =
1363	typeof body.has_active_subscription === 'boolean'
1364	? body.has_active_subscription
1365	: stripeSubId !== undefined
1366	? (stripeSubId !== null)
1367	: undefined;
1368
1369	let before;
1370	try {
1371	await mutateBillingDb((db) => {
1372	if (!db.users[targetUid]) db.users[targetUid] = defaultUserRecord(targetUid);
1373	const u = db.users[targetUid];
1374	before = {
1375	tier: u.tier,
1376	has_active_subscription: u.has_active_subscription,
1377	stripe_subscription_id: u.stripe_subscription_id,
1378	stripe_customer_id: u.stripe_customer_id,
1379	};
1380	u.tier = tier;
1381	if (MONTHLY_INCLUDED_CENTS_BY_TIER[tier] !== undefined) {
1382	u.monthly_included_cents = MONTHLY_INCLUDED_CENTS_BY_TIER[tier];
1383	}
1384	if (stripeSubId !== undefined) u.stripe_subscription_id = stripeSubId;
1385	if (stripeCustomerId !== undefined) u.stripe_customer_id = stripeCustomerId;
1386	if (hasActiveSub !== undefined) u.has_active_subscription = hasActiveSub;
1387	});
1388	} catch (e) {
1389	console.error('[admin/billing/repair] mutateBillingDb failed:', e?.message);
1390	return res.status(500).json({ error: 'Internal Server Error', code: 'INTERNAL' });
1391	}
1392
1393	console.log(
1394	`[admin/billing/repair] caller=${callerUid} target=${targetUid}` +
1395	` tier: ${before?.tier} → ${tier}` +
1396	(hasActiveSub !== undefined ? ` has_active_subscription: ${before?.has_active_subscription} → ${hasActiveSub}` : '') +
1397	(stripeSubId !== undefined ? ` sub: ${before?.stripe_subscription_id} → ${stripeSubId}` : '') +
1398	(stripeCustomerId !== undefined ? ` cus: ${before?.stripe_customer_id} → ${stripeCustomerId}` : ''),
1399	);
1400
1401	return res.json({
1402	ok: true,
1403	uid: targetUid,
1404	tier,
1405	has_active_subscription: hasActiveSub !== undefined ? hasActiveSub : '(unchanged)',
1406	stripe_subscription_id: stripeSubId !== undefined ? stripeSubId : '(unchanged)',
1407	stripe_customer_id: stripeCustomerId !== undefined ? stripeCustomerId : '(unchanged)',
1408	before,
1409	});
1410	});
1411
1412	/**
1413	* POST /api/v1/billing/checkout
1414	* Body: { price_id, success_url, cancel_url } OR { tier, success_url, cancel_url }
1415	* Returns: { url } — Stripe Checkout Session URL.
1416	* mode is automatically determined: subscription for tiers, payment for token packs.
1417	*/
1418	app.post('/api/v1/billing/checkout', async (req, res) => {
1419	const uid = getUserId(req);
1420	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1421
1422	const body = req.body && typeof req.body === 'object' ? req.body : {};
1423	let priceId = typeof body.price_id === 'string' ? body.price_id.trim() : null;
1424
1425	if (!priceId && typeof body.tier === 'string') {
1426	priceId = priceIdFromTierShorthand(body.tier.trim());
1427	if (!priceId) {
1428	return res.status(400).json({
1429	error: `Unknown tier '${body.tier}' or Stripe price env var not configured.`,
1430	code: 'BAD_REQUEST',
1431	});
1432	}
1433	}
1434
1435	if (!priceId && typeof body.pack_size === 'string') {
1436	const packSizeMap = {
1437	small: process.env.STRIPE_PRICE_PACK_10 \|\| null,
1438	medium: process.env.STRIPE_PRICE_PACK_25 \|\| null,
1439	large: process.env.STRIPE_PRICE_PACK_50 \|\| null,
1440	};
1441	priceId = packSizeMap[body.pack_size.toLowerCase()] \|\| null;
1442	if (!priceId) {
1443	return res.status(400).json({
1444	error: `Unknown pack_size '${body.pack_size}' or Stripe pack price env var not configured.`,
1445	code: 'BAD_REQUEST',
1446	});
1447	}
1448	}
1449
1450	if (!priceId) {
1451	return res.status(400).json({ error: 'price_id, tier, or pack_size is required', code: 'BAD_REQUEST' });
1452	}
1453
1454	const isSub = isSubscriptionPriceId(priceId);
1455	const isPack = isPackPriceId(priceId);
1456
1457	if (!isSub && !isPack) {
1458	return res.status(400).json({
1459	error: 'price_id is not a recognised Knowtation subscription or token pack price.',
1460	code: 'BAD_REQUEST',
1461	});
1462	}
1463
1464	const mode = isSub ? 'subscription' : 'payment';
1465
1466	const rawSuccessUrl = typeof body.success_url === 'string' ? body.success_url.trim() : '';
1467	const rawCancelUrl = typeof body.cancel_url === 'string' ? body.cancel_url.trim() : '';
1468
1469	const fallbackBase = HUB_UI_ORIGIN \|\| BASE_URL;
1470	const successUrl = rawSuccessUrl \|\| `${fallbackBase}/hub/#settings`;
1471	const cancelUrl = rawCancelUrl \|\| `${fallbackBase}/hub/#settings`;
1472
1473	try {
1474	const { url } = await createCheckoutSession({
1475	priceId,
1476	userId: uid,
1477	successUrl,
1478	cancelUrl,
1479	mode,
1480	stripeCustomerId: null,
1481	});
1482	return res.json({ url });
1483	} catch (e) {
1484	const code = e.code \|\| 'STRIPE_ERROR';
1485	if (code === 'NOT_CONFIGURED') {
1486	return res.status(503).json({ error: e.message, code });
1487	}
1488	console.error('[billing/checkout] Stripe error:', e.message);
1489	return res.status(502).json({ error: e.message \|\| 'Stripe checkout failed', code });
1490	}
1491	});
1492
1493	/**
1494	* POST /api/v1/billing/portal
1495	* Body: { return_url? }
1496	* Returns: { url } — Stripe Billing Portal session URL.
1497	*/
1498	app.post('/api/v1/billing/portal', async (req, res) => {
1499	const uid = getUserId(req);
1500	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1501
1502	const body = req.body && typeof req.body === 'object' ? req.body : {};
1503	const rawReturnUrl = typeof body.return_url === 'string' ? body.return_url.trim() : '';
1504	const fallbackBase = HUB_UI_ORIGIN \|\| BASE_URL;
1505	const returnUrl = rawReturnUrl \|\| `${fallbackBase}/hub/#settings`;
1506
1507	try {
1508	const { url } = await createPortalSession({ userId: uid, returnUrl });
1509	return res.json({ url });
1510	} catch (e) {
1511	const code = e.code \|\| 'STRIPE_ERROR';
1512	if (code === 'NOT_CONFIGURED') {
1513	return res.status(503).json({ error: e.message, code });
1514	}
1515	console.error('[billing/portal] Stripe error:', e.message);
1516	return res.status(502).json({ error: e.message \|\| 'Stripe portal failed', code });
1517	}
1518	});
1519
1520	// GET /api/v1/settings and GET /api/v1/setup — hosted: vault_list from canister; bridge fields when BRIDGE_URL set
1521	app.get('/api/v1/settings', async (req, res) => {
1522	const uid = getUserId(req);
1523	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1524	let vault_list = [{ id: 'default', label: 'Default' }];
1525	let allowed_vault_ids = ['default'];
1526	let canisterVaultUserId = uid;
1527	/** @type {string\|null} */
1528	let workspace_owner_id = null;
1529	let hosted_delegating = false;
1530	/** @type {string[]\|null} */
1531	let allowedFromBridge = null;
1532	if (BRIDGE_URL && req.headers.authorization) {
1533	try {
1534	const signal = hostedContextAbortSignal();
1535	const hRes = await fetch(BRIDGE_URL + '/api/v1/hosted-context/settings', {
1536	method: 'GET',
1537	headers: {
1538	Authorization: req.headers.authorization,
1539	Accept: 'application/json',
1540	},
1541	...(signal ? { signal } : {}),
1542	});
1543	if (hRes.ok) {
1544	const hc = await hRes.json();
1545	if (hc.effective_canister_user_id && typeof hc.effective_canister_user_id === 'string') {
1546	canisterVaultUserId = hc.effective_canister_user_id;
1547	}
1548	if (Array.isArray(hc.allowed_vault_ids) && hc.allowed_vault_ids.length > 0) {
1549	allowedFromBridge = hc.allowed_vault_ids.map((x) => String(x));
1550	}
1551	if (hc.workspace_owner_id != null && String(hc.workspace_owner_id).trim() !== '') {
1552	workspace_owner_id = String(hc.workspace_owner_id).trim();
1553	}
1554	if (hc.delegating === true) hosted_delegating = true;
1555	} else if (hRes.status === 403) {
1556	allowedFromBridge = [];
1557	}
1558	} catch (_) {
1559	/* use uid-only fallback */
1560	}
1561	}
1562	if (CANISTER_URL) {
1563	try {
1564	const signal = hostedContextAbortSignal();
1565	const vRes = await fetch(CANISTER_URL + '/api/v1/vaults', {
1566	method: 'GET',
1567	headers: { 'X-User-Id': canisterVaultUserId, Accept: 'application/json', ...canisterAuthHeaders() },
1568	...(signal ? { signal } : {}),
1569	});
1570	if (vRes.ok) {
1571	const data = await vRes.json();
1572	const vaults = Array.isArray(data.vaults) ? data.vaults : [];
1573	if (vaults.length > 0) {
1574	const mapped = vaults.map((v) => ({
1575	id: String(v.id \|\| 'default'),
1576	label: String(v.label != null && v.label !== '' ? v.label : v.id \|\| 'default'),
1577	}));
1578	if (allowedFromBridge !== null) {
1579	allowed_vault_ids = allowedFromBridge.filter((id) => mapped.some((m) => m.id === id));
1580	vault_list = allowed_vault_ids.map((id) => {
1581	const m = mapped.find((x) => x.id === id);
1582	return m \|\| { id, label: id };
1583	});
1584	} else {
1585	vault_list = mapped;
1586	allowed_vault_ids = vault_list.map((v) => v.id);
1587	}
1588	} else if (allowedFromBridge && allowedFromBridge.length > 0) {
1589	allowed_vault_ids = [...allowedFromBridge];
1590	vault_list = allowedFromBridge.map((id) => ({ id, label: id }));
1591	}
1592	} else {
1593	console.warn('[gateway] canister vaults non-ok', vRes.status);
1594	}
1595	} catch (e) {
1596	console.warn('[gateway] canister vaults unreachable', e?.message \|\| String(e));
1597	}
1598	}
1599	let github_connected = false;
1600	let github_repo = null;
1601	let role = roleForSub(uid);
1602	let hub_evaluator_may_approve = process.env.HUB_EVALUATOR_MAY_APPROVE === '1';
1603	if (BRIDGE_URL && req.headers.authorization) {
1604	try {
1605	const ghRes = await fetch(BRIDGE_URL + '/api/v1/vault/github-status', {
1606	method: 'GET',
1607	headers: { Authorization: req.headers.authorization, Accept: 'application/json' },
1608	});
1609	if (ghRes.ok) {
1610	const data = await ghRes.json();
1611	github_connected = Boolean(data.github_connected);
1612	github_repo = data.repo \|\| null;
1613	} else {
1614	console.warn('[gateway] bridge github-status non-ok', ghRes.status);
1615	}
1616	const roleRes = await fetch(BRIDGE_URL + '/api/v1/role', {
1617	method: 'GET',
1618	headers: { Authorization: req.headers.authorization, Accept: 'application/json' },
1619	});
1620	if (roleRes.ok) {
1621	const data = await roleRes.json();
1622	if (data.role) role = data.role;
1623	if (typeof data.may_approve_proposals === 'boolean') hub_evaluator_may_approve = data.may_approve_proposals;
1624	}
1625	} catch (e) {
1626	console.warn('[gateway] bridge unreachable', e?.message \|\| String(e));
1627	}
1628	}
1629	const vault_git = {
1630	enabled: github_connected,
1631	has_remote: Boolean(github_repo),
1632	auto_commit: false,
1633	auto_push: false,
1634	};
1635	const dataDir = path.join(projectRoot, 'data');
1636	const llmPrefs = await loadHostedProposalLlmPrefs();
1637	res.json({
1638	role,
1639	user_id: uid,
1640	vault_id: 'default',
1641	vault_list,
1642	allowed_vault_ids,
1643	vault_path_display: 'Canister',
1644	vault_git,
1645	github_connect_available: Boolean(BRIDGE_URL),
1646	github_connected,
1647	repo: github_repo,
1648	workspace_owner_id,
1649	hosted_delegating,
1650	embedding_display: { provider: '—', model: '—', ollama_url: '—' },
1651	proposal_enrich_enabled: effectiveHostedEnrich(llmPrefs),
1652	proposal_evaluation_required: effectiveHostedEvaluationRequired(llmPrefs, dataDir),
1653	proposal_review_hints_enabled: effectiveHostedReviewHints(llmPrefs),
1654	proposal_policy_stored: {
1655	proposal_evaluation_required: llmPrefs.proposal_evaluation_required,
1656	review_hints_enabled: llmPrefs.review_hints_enabled,
1657	enrich_enabled: llmPrefs.enrich_enabled,
1658	},
1659	proposal_policy_env_locked: proposalPolicyEnvLocked(),
1660	hub_evaluator_may_approve,
1661	proposal_rubric: loadProposalRubric(path.join(projectRoot, 'data')),
1662	daemon: await (async () => {
1663	try {
1664	const db = await loadBillingDb();
1665	const raw = db.users?.[uid] \|\| defaultUserRecord(uid);
1666	const u = normalizeBillingUser(raw);
1667	return {
1668	enabled: false,
1669	interval_minutes: u.consolidation_interval_minutes \|\| 120,
1670	idle_only: true,
1671	idle_threshold_minutes: 15,
1672	run_on_start: false,
1673	max_cost_per_day_usd: null,
1674	passes: u.consolidation_passes,
1675	lookback_hours: u.consolidation_lookback_hours,
1676	max_events_per_pass: u.consolidation_max_events_per_pass,
1677	max_topics_per_pass: u.consolidation_max_topics_per_pass,
1678	llm: {
1679	provider: '',
1680	model: '',
1681	base_url: '',
1682	max_tokens: u.consolidation_llm_max_tokens,
1683	},
1684	hosted_enabled: u.consolidation_enabled,
1685	};
1686	} catch (_) {
1687	return {
1688	enabled: false,
1689	interval_minutes: 120,
1690	idle_only: true,
1691	idle_threshold_minutes: 15,
1692	run_on_start: false,
1693	max_cost_per_day_usd: null,
1694	passes: { consolidate: true, verify: true, discover: false },
1695	lookback_hours: 24,
1696	max_events_per_pass: 200,
1697	max_topics_per_pass: 10,
1698	llm: { provider: '', model: '', base_url: '', max_tokens: 1024 },
1699	hosted_enabled: false,
1700	};
1701	}
1702	})(),
1703	muse_bridge: (() => {
1704	const envOverride = process.env.MUSE_URL != null && String(process.env.MUSE_URL).trim() !== '';
1705	const mc = parseMuseConfigFromEnv();
1706	let origin = null;
1707	if (mc) {
1708	try {
1709	origin = new URL(mc.baseUrl).origin;
1710	} catch (_) {
1711	/* ignore */
1712	}
1713	}
1714	return {
1715	enabled: Boolean(mc),
1716	origin,
1717	source: envOverride ? 'env' : 'none',
1718	env_override_active: envOverride,
1719	url_editable: false,
1720	yaml_url_for_edit: '',
1721	};
1722	})(),
1723	});
1724	});
1725
1726	/** Hosted: Muse base URL is operator env only (not writable from Hub Settings). */
1727	app.post('/api/v1/settings/muse', express.json(), (req, res) => {
1728	res.status(501).json({
1729	error: 'Knowtation Cloud configures the optional Muse link on the server; it cannot be set from this screen.',
1730	code: 'NOT_IMPLEMENTED',
1731	});
1732	});
1733
1734	/**
1735	* POST /api/v1/settings/consolidation
1736	* Hosted mode: save consolidation schedule + pass preferences to the billing store.
1737	* Self-hosted daemon settings are not writable here; respond with an appropriate note.
1738	*/
1739	app.post('/api/v1/settings/consolidation', express.json(), async (req, res) => {
1740	const uid = getUserId(req);
1741	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1742	const body = req.body && typeof req.body === 'object' ? req.body : {};
1743	const mode = typeof body.mode === 'string' ? body.mode : (body.enabled ? 'daemon' : 'hosted');
1744	const advCheck = validateHostedSettingsConsolidationAdvanced(body);
1745	if (!advCheck.ok) {
1746	return res.status(400).json({ error: advCheck.error, code: advCheck.code });
1747	}
1748	try {
1749	let saved = {};
1750	await mutateBillingDb((db) => {
1751	if (!db.users) db.users = {};
1752	if (!db.users[uid]) db.users[uid] = defaultUserRecord(uid);
1753	const u = normalizeBillingUser(db.users[uid]);
1754	if (mode === 'off') {
1755	u.consolidation_enabled = false;
1756	} else {
1757	u.consolidation_enabled = true;
1758	const iv = Math.floor(Number(body.interval_minutes) \|\| 120);
1759	if (iv >= 1 && iv <= 43200) u.consolidation_interval_minutes = iv;
1760	}
1761	if (body.passes && typeof body.passes === 'object') {
1762	u.consolidation_passes = {
1763	consolidate: body.passes.consolidate !== false,
1764	verify: body.passes.verify !== false,
1765	discover: Boolean(body.passes.discover),
1766	};
1767	}
1768	if (body.lookback_hours !== undefined) {
1769	u.consolidation_lookback_hours = Math.floor(Number(body.lookback_hours));
1770	}
1771	if (body.max_events_per_pass !== undefined) {
1772	u.consolidation_max_events_per_pass = Math.floor(Number(body.max_events_per_pass));
1773	}
1774	if (body.max_topics_per_pass !== undefined) {
1775	u.consolidation_max_topics_per_pass = Math.floor(Number(body.max_topics_per_pass));
1776	}
1777	if (body.llm !== undefined && typeof body.llm === 'object' && body.llm.max_tokens !== undefined) {
1778	u.consolidation_llm_max_tokens = Math.floor(Number(body.llm.max_tokens));
1779	}
1780	normalizeBillingUser(u);
1781	saved = {
1782	hosted_enabled: u.consolidation_enabled,
1783	interval_minutes: u.consolidation_interval_minutes,
1784	passes: u.consolidation_passes,
1785	lookback_hours: u.consolidation_lookback_hours,
1786	max_events_per_pass: u.consolidation_max_events_per_pass,
1787	max_topics_per_pass: u.consolidation_max_topics_per_pass,
1788	llm: {
1789	provider: '',
1790	model: '',
1791	base_url: '',
1792	max_tokens: u.consolidation_llm_max_tokens,
1793	},
1794	};
1795	});
1796	res.json({ ok: true, hosted: true, daemon: { enabled: false, ...saved } });
1797	} catch (e) {
1798	res.status(500).json({ error: e.message \|\| 'Failed to save', code: 'RUNTIME_ERROR' });
1799	}
1800	});
1801
1802	app.post('/api/v1/settings/proposal-policy', requireAdmin, async (req, res) => {
1803	try {
1804	const body = req.body && typeof req.body === 'object' ? req.body : {};
1805	await mergeHostedProposalLlmPrefs({
1806	proposal_evaluation_required: body.proposal_evaluation_required,
1807	review_hints_enabled: body.review_hints_enabled,
1808	enrich_enabled: body.enrich_enabled,
1809	});
1810	res.json({ ok: true });
1811	} catch (e) {
1812	res.status(500).json({ error: e.message, code: 'RUNTIME_ERROR' });
1813	}
1814	});
1815
1816	app.get('/api/v1/setup', (req, res) => {
1817	const uid = getUserId(req);
1818	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1819	res.json({
1820	vault_path: '',
1821	vault_git: { enabled: false, remote: '' },
1822	});
1823	});
1824
1825	// --- Admin routes: HUB_ADMIN_USER_IDS, or bridge GET /api/v1/role → role "admin" (Team tab) ---
1826	function requireAdmin(req, res, next) {
1827	const uid = getUserId(req);
1828	if (!uid) {
1829	res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1830	return;
1831	}
1832	if (roleForSub(uid) === 'admin') {
1833	next();
1834	return;
1835	}
1836	if (!BRIDGE_URL \|\| !req.headers.authorization) {
1837	res.status(403).json({ error: 'Admin only', code: 'FORBIDDEN' });
1838	return;
1839	}
1840	void (async () => {
1841	try {
1842	const roleRes = await fetch(BRIDGE_URL + '/api/v1/role', {
1843	method: 'GET',
1844	headers: { Authorization: req.headers.authorization, Accept: 'application/json' },
1845	});
1846	if (!roleRes.ok) {
1847	if (!res.headersSent) res.status(403).json({ error: 'Admin only', code: 'FORBIDDEN' });
1848	return;
1849	}
1850	const data = await roleRes.json();
1851	if (data && data.role === 'admin') {
1852	next();
1853	return;
1854	}
1855	if (!res.headersSent) res.status(403).json({ error: 'Admin only', code: 'FORBIDDEN' });
1856	} catch (e) {
1857	console.warn('[gateway] requireAdmin bridge /role', e?.message \|\| String(e));
1858	if (!res.headersSent) res.status(403).json({ error: 'Admin only', code: 'FORBIDDEN' });
1859	}
1860	})();
1861	}
1862
1863	if (!BRIDGE_URL) {
1864	app.get('/api/v1/workspace', requireAdmin, (_req, res) => {
1865	res.json({ owner_user_id: null });
1866	});
1867	app.post('/api/v1/workspace', requireAdmin, (_req, res) => {
1868	res.status(503).json({ error: 'Workspace owner requires bridge (BRIDGE_URL).', code: 'NOT_AVAILABLE' });
1869	});
1870	app.get('/api/v1/vault-access', requireAdmin, (_req, res) => {
1871	res.json({ access: {} });
1872	});
1873	app.post('/api/v1/vault-access', requireAdmin, (_req, res) => {
1874	res.status(503).json({ error: 'Vault access requires bridge (BRIDGE_URL).', code: 'NOT_AVAILABLE' });
1875	});
1876	app.get('/api/v1/scope', requireAdmin, (_req, res) => {
1877	res.json({ scope: {} });
1878	});
1879	app.post('/api/v1/scope', requireAdmin, (_req, res) => {
1880	res.status(503).json({ error: 'Scope requires bridge (BRIDGE_URL).', code: 'NOT_AVAILABLE' });
1881	});
1882	app.get('/api/v1/hosted-context', (req, res) => {
1883	const uid = getUserId(req);
1884	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1885	res.status(503).json({ error: 'Hosted context requires bridge (BRIDGE_URL).', code: 'NOT_AVAILABLE' });
1886	});
1887	}
1888
1889	// Hosted: vault list is derived from the canister; YAML vault editor is self-hosted only
1890	app.post('/api/v1/vaults', requireAdmin, (_req, res) => {
1891	res.status(501).json({
1892	error:
1893	'Editing the vault list in Settings is not available on hosted. Vaults appear when you add notes; use the vault switcher or API with X-Vault-Id.',
1894	code: 'NOT_AVAILABLE',
1895	});
1896	});
1897
1898	// GET /api/v1/roles — hosted stub: no role store; admin sees empty list (parity: only admins can open Team)
1899	app.get('/api/v1/roles', requireAdmin, (_req, res) => {
1900	res.json({ roles: [] });
1901	});
1902
1903	// POST /api/v1/roles — no-op on hosted (no persistent role store yet)
1904	app.post('/api/v1/roles', requireAdmin, (_req, res) => {
1905	res.json({ ok: true });
1906	});
1907
1908	// GET /api/v1/invites — hosted stub: no invite store
1909	app.get('/api/v1/invites', requireAdmin, (_req, res) => {
1910	res.json({ invites: [] });
1911	});
1912
1913	// POST /api/v1/invites — not supported on hosted (no invite store; full parity in Phase 2)
1914	app.post('/api/v1/invites', requireAdmin, (_req, res) => {
1915	res.status(400).json({
1916	error: 'Invites are not supported on hosted yet. Use self-hosted Hub for team invites, or wait for Phase 2.',
1917	code: 'NOT_SUPPORTED',
1918	});
1919	});
1920
1921	// Optional Muse read-only proxy (admin; Option C). 404 when MUSE_URL unset.
1922	app.get(
1923	'/api/v1/operator/muse/proxy',
1924	(req, res, next) => {
1925	if (!parseMuseConfigFromEnv()) {
1926	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
1927	}
1928	requireAdmin(req, res, next);
1929	},
1930	async (req, res) => {
1931	const cfg = parseMuseConfigFromEnv();
1932	if (!cfg) return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
1933	const rel = typeof req.query.path === 'string' ? req.query.path.trim() : '';
1934	if (!rel) return res.status(400).json({ error: 'path query required', code: 'BAD_REQUEST' });
1935	const result = await fetchMuseProxiedGet({ config: cfg, relativePath: rel });
1936	if (!result.ok && result.code === 'BAD_REQUEST') {
1937	return res.status(400).json({ error: 'Invalid path', code: 'BAD_REQUEST' });
1938	}
1939	if (!result.ok && !result.body) {
1940	return res.status(result.status).json({ error: 'Bad gateway', code: result.code });
1941	}
1942	if (!result.ok && result.body && result.contentType) {
1943	res.status(result.status).set('Content-Type', result.contentType);
1944	res.set('X-Content-Type-Options', 'nosniff');
1945	return res.send(result.body);
1946	}
1947	if (result.ok && result.body) {
1948	res.status(200).set('Content-Type', result.contentType);
1949	res.set('X-Content-Type-Options', 'nosniff');
1950	return res.send(result.body);
1951	}
1952	return res.status(502).json({ error: 'Bad gateway', code: 'BAD_GATEWAY' });
1953	},
1954	);
1955
1956	// DELETE /api/v1/invites/:token — no-op on hosted
1957	app.delete('/api/v1/invites/:token', requireAdmin, (_req, res) => {
1958	res.json({ ok: true });
1959	});
1960
1961	// POST /api/v1/setup — no-op on hosted (vault is canister; nothing to persist)
1962	app.post('/api/v1/setup', (req, res) => {
1963	const uid = getUserId(req);
1964	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1965	res.json({ ok: true });
1966	});
1967
1968	// POST /api/v1/import — bridge runs importers and writes notes to canister when BRIDGE_URL is set
1969	app.post('/api/v1/import', async (req, res) => {
1970	const uid = getUserId(req);
1971	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1972	if (BRIDGE_URL) {
1973	if (!(await runBillingGate(req, res, getUserId))) return;
1974	const q = req.originalUrl.includes('?') ? req.originalUrl.slice(req.originalUrl.indexOf('?')) : '';
1975	await proxyImportToBridge(BRIDGE_URL, BRIDGE_URL + '/api/v1/import' + q, req, res);
1976	return;
1977	}
1978	res.status(501).json({
1979	error: 'Import is not yet available on hosted (set BRIDGE_URL for bridge-backed import).',
1980	code: 'NOT_AVAILABLE',
1981	});
1982	});
1983
1984	// POST /api/v1/import-url — JSON body; bridge runs URL importer (same auth as import).
1985	app.post('/api/v1/import-url', async (req, res) => {
1986	const uid = getUserId(req);
1987	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1988	if (BRIDGE_URL) {
1989	if (!(await runBillingGate(req, res, getUserId))) return;
1990	await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/import-url', req, res);
1991	return;
1992	}
1993	res.status(501).json({
1994	error: 'Import URL is not available on hosted (set BRIDGE_URL for bridge-backed import).',
1995	code: 'NOT_AVAILABLE',
1996	});
1997	});
1998
1999	// GET /api/v1/notes/facets — aggregate from canister list (Hub filter dropdowns / overview parity)
2000	app.get('/api/v1/notes/facets', async (req, res) => {
2001	const uid = getUserId(req);
2002	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2003	if (!CANISTER_URL) {
2004	return res.json({ projects: [], tags: [], folders: [] });
2005	}
2006	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2007	const hctx = await getHostedAccessContext(req);
2008	const effective = (hctx && hctx.effective_canister_user_id) \|\| uid;
2009	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2010	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2011	}
2012	try {
2013	const url = `${CANISTER_URL}/api/v1/notes`;
2014	const upstream = await fetch(url, {
2015	method: 'GET',
2016	headers: {
2017	Accept: 'application/json',
2018	'x-user-id': effective,
2019	'x-actor-id': uid,
2020	'x-vault-id': vaultId,
2021	},
2022	});
2023	const text = await upstream.text();
2024	if (!upstream.ok) {
2025	console.warn('[gateway] facets canister list non-ok', upstream.status);
2026	return res.json({ projects: [], tags: [], folders: [] });
2027	}
2028	let data;
2029	try {
2030	data = text ? JSON.parse(text) : {};
2031	} catch (e) {
2032	console.warn('[gateway] facets canister list JSON parse', e?.message \|\| String(e));
2033	return res.json({ projects: [], tags: [], folders: [] });
2034	}
2035	const rows = Array.isArray(data.notes) ? data.notes : [];
2036	let notesForFacets = rows;
2037	const scope = hctx && hctx.scope && typeof hctx.scope === 'object' ? hctx.scope : null;
2038	if (scope && (scope.projects?.length \|\| scope.folders?.length)) {
2039	const withProj = rows.map((n) => ({
2040	path: n.path,
2041	project: materializeListFrontmatter(n.frontmatter).project ?? null,
2042	}));
2043	const scoped = applyScopeFilterToNotes(withProj, scope);
2044	const pathSet = new Set(scoped.map((n) => n.path).filter(Boolean));
2045	notesForFacets = rows.filter((n) => pathSet.has(n.path));
2046	}
2047	const facets = deriveFacetsFromCanisterNotes(notesForFacets);
2048	res.json(facets);
2049	} catch (e) {
2050	console.warn('[gateway] facets error', e?.message \|\| String(e));
2051	res.json({ projects: [], tags: [], folders: [] });
2052	}
2053	});
2054
2055	// GET /api/v1/vault/folders — no canister filesystem; UI falls back to inbox + custom path
2056	app.get('/api/v1/vault/folders', async (req, res) => {
2057	const uid = getUserId(req);
2058	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2059	if (!CANISTER_URL) {
2060	return res.json({ folders: ['inbox'] });
2061	}
2062	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2063	const hctx = await getHostedAccessContext(req);
2064	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2065	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2066	}
2067	res.json({ folders: ['inbox'] });
2068	});
2069
2070	app.get('/api/v1/note-outline', async (req, res) => {
2071	const uid = getUserId(req);
2072	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2073	if (!CANISTER_URL) {
2074	return res.status(503).json({ error: 'Hosted NoteOutline is not configured', code: 'SERVICE_UNAVAILABLE' });
2075	}
2076
2077	let requestedPath;
2078	try {
2079	requestedPath = normalizeGatewayNoteOutlinePath(req.query.path);
2080	} catch (e) {
2081	const err = sanitizedNoteOutlineGatewayError(e);
2082	return res.status(err.status).json({ error: err.error, code: err.code });
2083	}
2084
2085	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2086	const hctx = await getHostedAccessContext(req);
2087	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2088	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2089	}
2090	const effective =
2091	hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2092	? hctx.effective_canister_user_id
2093	: uid;
2094	const url = `${CANISTER_URL}/api/v1/notes/${encodeURIComponent(requestedPath)}`;
2095
2096	try {
2097	const upstream = await fetch(url, {
2098	method: 'GET',
2099	headers: {
2100	Accept: 'application/json',
2101	'x-user-id': effective,
2102	'x-actor-id': uid,
2103	'x-vault-id': vaultId,
2104	...canisterAuthHeaders(),
2105	},
2106	});
2107	const text = await upstream.text();
2108	if (upstream.status === 401 \|\| upstream.status === 403) {
2109	return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
2110	}
2111	if (upstream.status === 404) {
2112	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2113	}
2114	if (!upstream.ok) {
2115	return res.status(502).json({ error: `Upstream ${upstream.status}`, code: 'BAD_GATEWAY' });
2116	}
2117
2118	let note;
2119	try {
2120	note = text ? JSON.parse(text) : {};
2121	} catch {
2122	return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
2123	}
2124
2125	const frontmatter = materializeListFrontmatter(note.frontmatter);
2126	const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2127	if (scope) {
2128	const scoped = applyScopeFilterToNotes(
2129	[
2130	{
2131	path: requestedPath,
2132	project: frontmatter.project ?? null,
2133	},
2134	],
2135	scope
2136	);
2137	if (scoped.length === 0) {
2138	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2139	}
2140	}
2141
2142	return res.json(
2143	buildNoteOutline({
2144	path: requestedPath,
2145	frontmatter,
2146	body: note.body != null ? String(note.body) : '',
2147	})
2148	);
2149	} catch (e) {
2150	const err = sanitizedNoteOutlineGatewayError(e);
2151	return res.status(err.status).json({ error: err.error, code: err.code });
2152	}
2153	});
2154
2155	app.get('/api/v1/document-tree', async (req, res) => {
2156	const uid = getUserId(req);
2157	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2158	if (!CANISTER_URL) {
2159	return res.status(503).json({ error: 'Hosted DocumentTree is not configured', code: 'SERVICE_UNAVAILABLE' });
2160	}
2161
2162	let requestedPath;
2163	try {
2164	requestedPath = normalizeGatewayDocumentTreePath(req.query.path);
2165	} catch (e) {
2166	const err = sanitizedDocumentTreeGatewayError(e);
2167	return res.status(err.status).json({ error: err.error, code: err.code });
2168	}
2169
2170	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2171	const hctx = await getHostedAccessContext(req);
2172	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2173	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2174	}
2175	const effective =
2176	hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2177	? hctx.effective_canister_user_id
2178	: uid;
2179	const url = `${CANISTER_URL}/api/v1/notes/${encodeURIComponent(requestedPath)}`;
2180
2181	try {
2182	const upstream = await fetch(url, {
2183	method: 'GET',
2184	headers: {
2185	Accept: 'application/json',
2186	'x-user-id': effective,
2187	'x-actor-id': uid,
2188	'x-vault-id': vaultId,
2189	...canisterAuthHeaders(),
2190	},
2191	});
2192	const text = await upstream.text();
2193	if (upstream.status === 401 \|\| upstream.status === 403) {
2194	return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
2195	}
2196	if (upstream.status === 404) {
2197	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2198	}
2199	if (!upstream.ok) {
2200	return res.status(502).json({ error: `Upstream ${upstream.status}`, code: 'BAD_GATEWAY' });
2201	}
2202
2203	let note;
2204	try {
2205	note = text ? JSON.parse(text) : {};
2206	} catch {
2207	return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
2208	}
2209
2210	const frontmatter = materializeListFrontmatter(note.frontmatter);
2211	const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2212	if (scope) {
2213	const scoped = applyScopeFilterToNotes(
2214	[
2215	{
2216	path: requestedPath,
2217	project: frontmatter.project ?? null,
2218	},
2219	],
2220	scope
2221	);
2222	if (scoped.length === 0) {
2223	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2224	}
2225	}
2226
2227	return res.json(
2228	buildDocumentTree({
2229	path: requestedPath,
2230	frontmatter,
2231	body: note.body != null ? String(note.body) : '',
2232	})
2233	);
2234	} catch (e) {
2235	const err = sanitizedDocumentTreeGatewayError(e);
2236	return res.status(err.status).json({ error: err.error, code: err.code });
2237	}
2238	});
2239
2240	app.get('/api/v1/metadata-facets', async (req, res) => {
2241	const uid = getUserId(req);
2242	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2243	if (!CANISTER_URL) {
2244	return res.status(503).json({ error: 'Hosted MetadataFacets is not configured', code: 'SERVICE_UNAVAILABLE' });
2245	}
2246
2247	let requestedPath;
2248	try {
2249	requestedPath = normalizeGatewayMetadataFacetsPath(req.query.path);
2250	} catch (e) {
2251	const err = sanitizedMetadataFacetsGatewayError(e);
2252	return res.status(err.status).json({ error: err.error, code: err.code });
2253	}
2254
2255	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2256	const hctx = await getHostedAccessContext(req);
2257	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2258	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2259	}
2260	const effective =
2261	hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2262	? hctx.effective_canister_user_id
2263	: uid;
2264	const url = `${CANISTER_URL}/api/v1/notes/${encodeURIComponent(requestedPath)}`;
2265
2266	try {
2267	const upstream = await fetch(url, {
2268	method: 'GET',
2269	headers: {
2270	Accept: 'application/json',
2271	'x-user-id': effective,
2272	'x-actor-id': uid,
2273	'x-vault-id': vaultId,
2274	...canisterAuthHeaders(),
2275	},
2276	});
2277	const text = await upstream.text();
2278	if (upstream.status === 401 \|\| upstream.status === 403) {
2279	return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
2280	}
2281	if (upstream.status === 404) {
2282	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2283	}
2284	if (!upstream.ok) {
2285	return res.status(502).json({ error: `Upstream ${upstream.status}`, code: 'BAD_GATEWAY' });
2286	}
2287
2288	let note;
2289	try {
2290	note = text ? JSON.parse(text) : {};
2291	} catch {
2292	return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
2293	}
2294
2295	const frontmatter = materializeListFrontmatter(note.frontmatter);
2296	const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2297	if (scope) {
2298	const scoped = applyScopeFilterToNotes(
2299	[
2300	{
2301	path: requestedPath,
2302	project: frontmatter.project ?? null,
2303	},
2304	],
2305	scope
2306	);
2307	if (scoped.length === 0) {
2308	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2309	}
2310	}
2311
2312	return res.json(normalizeMetadataFacets(requestedPath, frontmatter));
2313	} catch (e) {
2314	const err = sanitizedMetadataFacetsGatewayError(e);
2315	return res.status(err.status).json({ error: err.error, code: err.code });
2316	}
2317	});
2318
2319	app.get('/api/v1/section-source', async (req, res) => {
2320	const uid = getUserId(req);
2321	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2322	if (!CANISTER_URL) {
2323	return res.status(503).json({ error: 'Hosted SectionSource is not configured', code: 'SERVICE_UNAVAILABLE' });
2324	}
2325
2326	let requestedPath;
2327	try {
2328	requestedPath = normalizeGatewaySectionSourcePath(req.query.path);
2329	} catch (e) {
2330	const err = sanitizedSectionSourceGatewayError(e);
2331	return res.status(err.status).json({ error: err.error, code: err.code });
2332	}
2333
2334	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2335	const hctx = await getHostedAccessContext(req);
2336	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2337	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2338	}
2339	const effective =
2340	hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2341	? hctx.effective_canister_user_id
2342	: uid;
2343	const url = `${CANISTER_URL}/api/v1/notes/${encodeURIComponent(requestedPath)}`;
2344
2345	try {
2346	const upstream = await fetch(url, {
2347	method: 'GET',
2348	headers: {
2349	Accept: 'application/json',
2350	'x-user-id': effective,
2351	'x-actor-id': uid,
2352	'x-vault-id': vaultId,
2353	...canisterAuthHeaders(),
2354	},
2355	});
2356	const text = await upstream.text();
2357	if (upstream.status === 401 \|\| upstream.status === 403) {
2358	return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
2359	}
2360	if (upstream.status === 404) {
2361	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2362	}
2363	if (!upstream.ok) {
2364	return res.status(502).json({ error: `Upstream ${upstream.status}`, code: 'BAD_GATEWAY' });
2365	}
2366
2367	let note;
2368	try {
2369	note = text ? JSON.parse(text) : {};
2370	} catch {
2371	return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
2372	}
2373
2374	const frontmatter = materializeListFrontmatter(note.frontmatter);
2375	const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2376	if (scope) {
2377	const scoped = applyScopeFilterToNotes(
2378	[
2379	{
2380	path: requestedPath,
2381	project: frontmatter.project ?? null,
2382	},
2383	],
2384	scope
2385	);
2386	if (scoped.length === 0) {
2387	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2388	}
2389	}
2390
2391	return res.json(
2392	buildSectionSource({
2393	path: requestedPath,
2394	frontmatter,
2395	body: note.body != null ? String(note.body) : '',
2396	})
2397	);
2398	} catch (e) {
2399	const err = sanitizedSectionSourceGatewayError(e);
2400	return res.status(err.status).json({ error: err.error, code: err.code });
2401	}
2402	});
2403
2404	/**
2405	* @param {Record<string, unknown>\|null} hctx
2406	*/
2407	function scopeActiveForGateway(hctx) {
2408	const s = hctx && hctx.scope && typeof hctx.scope === 'object' ? hctx.scope : null;
2409	return Boolean(s && (s.projects?.length \|\| s.folders?.length));
2410	}
2411
2412	/**
2413	* Normalize hosted canister note records before returning them to Hub clients.
2414	* The canister wire shape may store frontmatter as object JSON text; clients
2415	* should always receive the direct-read/list API contract object.
2416	* @param {unknown} note
2417	* @returns {unknown}
2418	*/
2419	function normalizeGatewayNoteFrontmatter(note) {
2420	if (!note \|\| typeof note !== 'object' \|\| Array.isArray(note)) return note;
2421	return {
2422	...note,
2423	frontmatter: materializeListFrontmatter(note.frontmatter),
2424	};
2425	}
2426
2427	async function gatewayProxyGetNotesList(req, res, uid, effective, hctx) {
2428	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2429	const raw = upstreamPathAndQuery(req);
2430	const qIdx = raw.indexOf('?');
2431	const searchPart = qIdx >= 0 ? raw.slice(qIdx + 1) : '';
2432	const params = new URLSearchParams(searchPart);
2433	const limit = Math.min(100, Math.max(0, parseInt(params.get('limit') \|\| '20', 10) \|\| 20));
2434	const offset = Math.max(0, parseInt(params.get('offset') \|\| '0', 10) \|\| 0);
2435	const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2436	// Phase 12 — blockchain filters applied client-side (canister stores frontmatter as opaque JSON)
2437	const filterNetwork = (params.get('network') \|\| '').trim().toLowerCase();
2438	const filterWallet = (params.get('wallet_address') \|\| '').trim().toLowerCase();
2439	const filterPaymentStatus = (params.get('payment_status') \|\| '').trim().toLowerCase();
2440	const needsClientFilter = Boolean(scope \|\| filterNetwork \|\| filterWallet \|\| filterPaymentStatus);
2441	if (needsClientFilter) {
2442	params.set('limit', '10000');
2443	params.set('offset', '0');
2444	}
2445	// Remove Phase 12 params before forwarding to canister (canister ignores them, but keep URL clean)
2446	params.delete('network');
2447	params.delete('wallet_address');
2448	params.delete('payment_status');
2449	const fetchUrl = `${CANISTER_URL}/api/v1/notes${params.toString() ? `?${params.toString()}` : ''}`;
2450	try {
2451	const upstream = await fetch(fetchUrl, {
2452	method: 'GET',
2453	headers: {
2454	Accept: 'application/json',
2455	'x-user-id': effective,
2456	'x-actor-id': uid,
2457	'x-vault-id': vaultId,
2458	...canisterAuthHeaders(),
2459	},
2460	});
2461	const text = await upstream.text();
2462	const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries()).filter(
2463	([k]) => !['cache-control', 'etag', 'last-modified'].includes(k.toLowerCase()),
2464	);
2465	res.status(upstream.status).set(Object.fromEntries(hop));
2466	res.set('Cache-Control', 'private, no-store, must-revalidate');
2467	if (!upstream.ok \|\| !text) {
2468	res.send(text);
2469	return;
2470	}
2471	let data;
2472	try {
2473	data = JSON.parse(text);
2474	} catch (_) {
2475	res.send(text);
2476	return;
2477	}
2478	if (Array.isArray(data.notes)) {
2479	data = { ...data, notes: data.notes.map(normalizeGatewayNoteFrontmatter) };
2480	}
2481	if (needsClientFilter && Array.isArray(data.notes)) {
2482	let filtered = data.notes;
2483	// Scope filter (project/folder access control)
2484	if (scope) {
2485	const withProj = filtered.map((n) => ({
2486	path: n.path,
2487	project: materializeListFrontmatter(n.frontmatter).project ?? null,
2488	}));
2489	const kept = applyScopeFilterToNotes(withProj, scope);
2490	const keptPaths = new Set(kept.map((r) => r.path).filter(Boolean));
2491	filtered = filtered.filter((n) => n.path && keptPaths.has(n.path));
2492	}
2493	// Phase 12 blockchain filters
2494	if (filterNetwork \|\| filterWallet \|\| filterPaymentStatus) {
2495	filtered = filtered.filter((n) => {
2496	const fm = materializeListFrontmatter(n.frontmatter);
2497	if (filterNetwork && String(fm.network ?? '').trim().toLowerCase() !== filterNetwork) return false;
2498	if (filterWallet && String(fm.wallet_address ?? '').trim().toLowerCase() !== filterWallet) return false;
2499	if (filterPaymentStatus && String(fm.payment_status ?? '').trim().toLowerCase() !== filterPaymentStatus) return false;
2500	return true;
2501	});
2502	}
2503	const total = filtered.length;
2504	const page = filtered.slice(offset, offset + limit);
2505	res.json({ notes: page, total });
2506	return;
2507	}
2508	if (Array.isArray(data.notes)) {
2509	res.json(data);
2510	return;
2511	}
2512	res.send(text);
2513	} catch (e) {
2514	console.error('Gateway GET notes list error:', e.message);
2515	res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
2516	}
2517	}
2518
2519	async function gatewayProxyGetNoteOne(req, res, uid, effective, hctx) {
2520	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2521	const url = CANISTER_URL + upstreamPathAndQuery(req);
2522	const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2523	try {
2524	const upstream = await fetch(url, {
2525	method: 'GET',
2526	headers: {
2527	Accept: 'application/json',
2528	'x-user-id': effective,
2529	'x-actor-id': uid,
2530	'x-vault-id': vaultId,
2531	...canisterAuthHeaders(),
2532	},
2533	});
2534	const body = await upstream.text();
2535	if (upstream.status >= 400) {
2536	console.warn('[gateway] canister GET note:', upstream.status, 'url:', url.slice(0, 120));
2537	}
2538	const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries()).filter(
2539	([k]) => !['cache-control', 'etag', 'last-modified'].includes(k.toLowerCase()),
2540	);
2541	res.status(upstream.status).set(Object.fromEntries(hop));
2542	res.set('Cache-Control', 'private, no-store, must-revalidate');
2543	if (!scope \|\| upstream.status !== 200 \|\| !body) {
2544	if (upstream.status === 200 && body) {
2545	try {
2546	const note = JSON.parse(body);
2547	res.json(normalizeGatewayNoteFrontmatter(note));
2548	return;
2549	} catch (_) {
2550	// Preserve the upstream response when it is not valid JSON.
2551	}
2552	}
2553	res.send(body);
2554	return;
2555	}
2556	let note;
2557	try {
2558	note = normalizeGatewayNoteFrontmatter(JSON.parse(body));
2559	const withProj = {
2560	path: note.path,
2561	project: materializeListFrontmatter(note.frontmatter).project ?? null,
2562	};
2563	const filtered = applyScopeFilterToNotes([withProj], scope);
2564	if (filtered.length === 0) {
2565	res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2566	return;
2567	}
2568	} catch (_) {
2569	res.send(body);
2570	return;
2571	}
2572	res.json(note);
2573	} catch (e) {
2574	console.error('Gateway GET note error:', e.message);
2575	res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
2576	}
2577	}
2578
2579	const PROPOSAL_APPROVE_OR_DISCARD_RE = /^\/api\/v1\/proposals\/[^/]+\/(approve\|discard)\/?$/;
2580
2581	/**
2582	* Bridge / JWT actor role for proposal RBAC (canister only sees effective X-User-Id).
2583	* @param {import('express').Request} req
2584	* @param {Record<string, unknown>\|null} hctx
2585	* @returns {Promise<{ role: string, mayApproveProposals: boolean }>}
2586	*/
2587	async function resolveHostedActorRole(req, hctx) {
2588	const envFallback = process.env.HUB_EVALUATOR_MAY_APPROVE === '1';
2589	let role = 'member';
2590	let mayApproveProposals = false;
2591	if (hctx && typeof hctx.role === 'string') {
2592	role = hctx.role;
2593	if (typeof hctx.may_approve_proposals === 'boolean') {
2594	mayApproveProposals = hctx.may_approve_proposals;
2595	} else if (role === 'evaluator') {
2596	mayApproveProposals = envFallback;
2597	}
2598	} else if (BRIDGE_URL && req.headers.authorization) {
2599	let bridgeResolved = false;
2600	try {
2601	const roleRes = await fetch(BRIDGE_URL + '/api/v1/role', {
2602	method: 'GET',
2603	headers: { Authorization: req.headers.authorization, Accept: 'application/json' },
2604	});
2605	if (roleRes.ok) {
2606	const data = await roleRes.json();
2607	if (data.role) {
2608	role = data.role;
2609	bridgeResolved = true;
2610	}
2611	if (typeof data.may_approve_proposals === 'boolean') {
2612	mayApproveProposals = data.may_approve_proposals;
2613	} else if (role === 'evaluator') {
2614	mayApproveProposals = envFallback;
2615	}
2616	}
2617	} catch (_) {}
2618	// Bridge unreachable or rejected the JWT (e.g. SESSION_SECRET mismatch after a redeploy).
2619	// Fall back to the JWT payload role so the gateway owner is never locked out by bridge state.
2620	if (!bridgeResolved) {
2621	try {
2622	const auth = req.headers.authorization;
2623	const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
2624	if (token && SESSION_SECRET) {
2625	const payload = jwt.verify(token, SESSION_SECRET);
2626	role = payload.role \|\| roleForSub(payload.sub);
2627	mayApproveProposals = role === 'admin' \|\| (role === 'evaluator' && envFallback);
2628	}
2629	} catch (_) {}
2630	}
2631	} else {
2632	try {
2633	const auth = req.headers.authorization;
2634	const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
2635	if (token && SESSION_SECRET) {
2636	const payload = jwt.verify(token, SESSION_SECRET);
2637	role = payload.role \|\| roleForSub(payload.sub);
2638	mayApproveProposals = role === 'admin' \|\| (role === 'evaluator' && envFallback);
2639	}
2640	} catch (_) {}
2641	}
2642	// Gateway-level admin override: HUB_ADMIN_USER_IDS is the authoritative owner list.
2643	// A sub in that list is always admin — the gateway owner must never be locked out by a
2644	// bridge state reset, role-store loss, or SESSION_SECRET mismatch between gateway and bridge.
2645	const actorSub = getUserId(req);
2646	if (actorSub && role !== 'admin' && roleForSub(actorSub) === 'admin') {
2647	role = 'admin';
2648	mayApproveProposals = true;
2649	}
2650	return { role, mayApproveProposals };
2651	}
2652
2653	/**
2654	* Approve/discard: enforce actor role on gateway (canister only sees effective X-User-Id).
2655	* @param {import('express').Request} req
2656	* @param {import('express').Response} res
2657	* @param {string} pathNoQuery
2658	* @param {string} method
2659	* @param {Record<string, unknown>\|null} hctx from getHostedAccessContext (null if no bridge / not delegated)
2660	*/
2661	async function assertHostedProposalApproveDiscard(req, res, pathNoQuery, method, hctx) {
2662	if (method !== 'POST' \|\| !PROPOSAL_APPROVE_OR_DISCARD_RE.test(pathNoQuery)) return true;
2663
2664	const uid = getUserId(req);
2665	if (!uid) {
2666	res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2667	return false;
2668	}
2669
2670	const { role, mayApproveProposals } = await resolveHostedActorRole(req, hctx);
2671
2672	if (/\/discard\/?$/.test(pathNoQuery)) {
2673	if (role !== 'admin') {
2674	res.status(403).json({ error: 'Discard requires admin.', code: 'FORBIDDEN' });
2675	return false;
2676	}
2677	return true;
2678	}
2679
2680	const canApprove = role === 'admin' \|\| (role === 'evaluator' && mayApproveProposals);
2681	if (!canApprove) {
2682	res.status(403).json({
2683	error:
2684	'Approve requires admin, or an evaluator with approve permission (per-user in Team, or HUB_EVALUATOR_MAY_APPROVE=1 when no per-user value).',
2685	code: 'FORBIDDEN',
2686	});
2687	return false;
2688	}
2689	return true;
2690	}
2691
2692	/**
2693	* Fetch the current note count for a user from the canister.
2694	* Used by the billing storage cap gate before note CREATE.
2695	* Fails open — returns 0 on any error so the gate never blocks due to a canister outage.
2696	*
2697	* @param {string} userId
2698	* @param {import('express').Request} req
2699	* @returns {Promise<number>}
2700	*/
2701	async function getNoteCountForUser(userId, req) {
2702	if (!CANISTER_URL) return 0;
2703	try {
2704	let vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2705	const pathOnly = effectiveRequestPath(req).replace(/\/+$/, '') \|\| '/';
2706	if (req.method === 'POST' && pathOnly === '/api/v1/notes/copy') {
2707	const b = req.body && typeof req.body === 'object' ? req.body : {};
2708	const toV = typeof b.to_vault_id === 'string' ? b.to_vault_id.replace(/\\/g, '/').trim() : '';
2709	if (toV) vaultId = toV;
2710	}
2711	const hctx = await getHostedAccessContext(req);
2712	const effective =
2713	hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2714	? hctx.effective_canister_user_id
2715	: userId;
2716	const url = `${CANISTER_URL}/api/v1/notes?limit=1&offset=0`;
2717	const upstream = await fetch(url, {
2718	method: 'GET',
2719	headers: {
2720	Accept: 'application/json',
2721	'x-user-id': effective,
2722	'x-actor-id': userId,
2723	'x-vault-id': vaultId,
2724	...canisterAuthHeaders(),
2725	},
2726	});
2727	if (!upstream.ok) return 0;
2728	const data = await upstream.json();
2729	const total = typeof data.total === 'number' ? data.total : (Array.isArray(data.notes) ? data.notes.length : 0);
2730	return Math.max(0, Math.floor(total));
2731	} catch (_) {
2732	return 0;
2733	}
2734	}
2735
2736	async function proxyToCanister(req, res) {
2737	const uid = getUserId(req);
2738	if (!uid) {
2739	return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2740	}
2741	const pathOnly = effectiveRequestPath(req);
2742	const pathNoQuery = pathPartNoQuery(req);
2743	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2744	const hctx = await getHostedAccessContext(req);
2745	if (!(await assertHostedProposalApproveDiscard(req, res, pathNoQuery, req.method, hctx))) return;
2746	const effective =
2747	hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2748	? hctx.effective_canister_user_id
2749	: uid;
2750	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2751	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2752	}
2753
2754	if (req.method === 'GET' && pathOnly === '/api/v1/notes') {
2755	return gatewayProxyGetNotesList(req, res, uid, effective, hctx);
2756	}
2757	const noteSubPrefix = '/api/v1/notes/';
2758	if (
2759	req.method === 'GET' &&
2760	pathOnly.startsWith(noteSubPrefix) &&
2761	pathOnly !== '/api/v1/notes/facets'
2762	) {
2763	const rest = pathOnly.slice(noteSubPrefix.length);
2764	if (rest) {
2765	return gatewayProxyGetNoteOne(req, res, uid, effective, hctx);
2766	}
2767	}
2768
2769	const url = CANISTER_URL + upstreamPathAndQuery(req);
2770	const headers = {
2771	host: new URL(CANISTER_URL).host,
2772	'x-user-id': effective,
2773	'x-actor-id': uid,
2774	'x-vault-id': req.headers['x-vault-id'] \|\| 'default',
2775	...canisterAuthHeaders(),
2776	};
2777	// Allowlist: only forward safe body/content headers; canister auth is via x-user-id + x-gateway-auth.
2778	// Never forward origin, referer, cookies, authorization, or other proxy headers to the canister.
2779	for (const k of PROXY_HEADER_ALLOWLIST) {
2780	if (req.headers[k] !== undefined) headers[k] = req.headers[k];
2781	}
2782	const opts = { method: req.method, headers };
2783	let bodyOut = req.body;
2784	const pathOnlyForBody = pathPartNoQuery(req);
2785	const dataDir = path.join(projectRoot, 'data');
2786	let hostedLlmPrefs = null;
2787	if (
2788	req.method === 'POST' &&
2789	(pathOnlyForBody === '/api/v1/proposals' \|\| pathOnlyForBody === '/api/v1/proposals/')
2790	) {
2791	hostedLlmPrefs = await loadHostedProposalLlmPrefs();
2792	}
2793	// Improvement B: AIR attestation for hosted gateway note writes.
2794	// Guarded by KNOWTATION_AIR_ENDPOINT being set; always non-blocking (gateway has no air.required config).
2795	let gatewayAirId = null;
2796	if (
2797	process.env.KNOWTATION_AIR_ENDPOINT &&
2798	bodyOut !== undefined &&
2799	typeof bodyOut === 'object' &&
2800	!Buffer.isBuffer(bodyOut) &&
2801	isNoteWriteRequest(req.method, pathOnlyForBody)
2802	) {
2803	try {
2804	const notePath =
2805	req.method === 'POST'
2806	? (typeof bodyOut.path === 'string' ? bodyOut.path.replace(/\\/g, '/') : '')
2807	: pathOnlyForBody
2808	.slice('/api/v1/notes/'.length)
2809	.split('/')
2810	.map(decodeURIComponent)
2811	.join('/');
2812	const { attestBeforeWrite: gwAttest } = await import('../../lib/air.mjs');
2813	const airId = await gwAttest(
2814	{ air: { enabled: true, required: false, endpoint: process.env.KNOWTATION_AIR_ENDPOINT } },
2815	notePath
2816	);
2817	if (airId && airId !== 'air-placeholder-write') {
2818	gatewayAirId = airId;
2819	}
2820	} catch (e) {
2821	// Never let an AIR failure block a hosted write; log and continue.
2822	console.error('[gateway] AIR attestation error (non-fatal):', e?.message \|\| String(e));
2823	}
2824	}
2825
2826	if (
2827	bodyOut !== undefined &&
2828	typeof bodyOut === 'object' &&
2829	!Buffer.isBuffer(bodyOut) &&
2830	isPostApiV1Notes(req.method, pathOnlyForBody)
2831	) {
2832	bodyOut = mergeHostedNoteBodyForCanister(bodyOut, uid, gatewayAirId);
2833	} else if (
2834	gatewayAirId &&
2835	bodyOut !== undefined &&
2836	typeof bodyOut === 'object' &&
2837	!Buffer.isBuffer(bodyOut) &&
2838	req.method === 'PUT' &&
2839	pathOnlyForBody.startsWith('/api/v1/notes/')
2840	) {
2841	// PUT note write: inject air_id into frontmatter alongside existing fields
2842	bodyOut = mergeHostedNoteBodyForCanister(bodyOut, uid, gatewayAirId);
2843	}
2844	if (bodyOut !== undefined && typeof bodyOut === 'object' && !Buffer.isBuffer(bodyOut)) {
2845	bodyOut = augmentProposalEvaluationBodyForCanister(req.method, pathOnlyForBody, bodyOut);
2846	const policyOpts =
2847	hostedLlmPrefs != null
2848	? { evaluationRequired: effectiveHostedEvaluationRequired(hostedLlmPrefs, dataDir) }
2849	: {};
2850	bodyOut = augmentProposalCreateForHosted(req.method, pathOnlyForBody, bodyOut, dataDir, policyOpts);
2851	if (req.method === 'POST') {
2852	const approveId = proposalIdFromApprovePath(pathOnlyForBody);
2853	if (approveId) {
2854	try {
2855	const museCfg = parseMuseConfigFromEnv();
2856	const resolved = await resolveExternalRefForApprove({
2857	clientRef: bodyOut.external_ref,
2858	proposalId: approveId,
2859	vaultId,
2860	config: museCfg,
2861	logWarn: (msg, extra) => console.warn(msg, extra != null ? JSON.stringify(extra) : ''),
2862	});
2863	if (resolved) {
2864	bodyOut = { ...bodyOut, external_ref: resolved };
2865	}
2866	} catch (e) {
2867	console.warn('[gateway] muse approve merge (non-fatal):', e?.message \|\| String(e));
2868	}
2869	}
2870	}
2871	}
2872	if (req.method !== 'GET' && req.method !== 'HEAD' && bodyOut !== undefined) {
2873	opts.body = typeof bodyOut === 'string' ? bodyOut : JSON.stringify(bodyOut);
2874	stripStaleOutboundBodyHeaders(headers);
2875	}
2876	try {
2877	const upstream = await fetch(url, opts);
2878	const body = await upstream.text();
2879	// For a successful proposal CREATE, extract path+body so the hints job can skip
2880	// its own canister GET (saves one ICP round trip, ~1–3 s, from the hints path).
2881	let parsedProposalData = null;
2882	if (
2883	req.method === 'POST' &&
2884	(pathOnlyForBody === '/api/v1/proposals' \|\| pathOnlyForBody === '/api/v1/proposals/') &&
2885	upstream.status >= 200 && upstream.status < 300
2886	) {
2887	try {
2888	const j = JSON.parse(body);
2889	const merged = proposalDataForHostedReviewHintsFromCreate(j, bodyOut);
2890	if (merged) parsedProposalData = merged;
2891	} catch (_) {}
2892	}
2893	try {
2894	await maybeScheduleHostedProposalReviewHints({
2895	method: req.method,
2896	pathOnly: pathOnlyForBody,
2897	upstreamStatus: upstream.status,
2898	responseText: body,
2899	canisterUrl: CANISTER_URL,
2900	effectiveUserId: effective,
2901	actorUserId: uid,
2902	vaultId,
2903	hintsEnabled: hostedLlmPrefs ? effectiveHostedReviewHints(hostedLlmPrefs) : false,
2904	proposalData: parsedProposalData,
2905	});
2906	} catch (e) {
2907	// Never let a hints failure affect the primary proxy response.
2908	console.error('[gateway] hints exception (non-fatal):', e?.message \|\| String(e));
2909	}
2910	if (upstream.status >= 400 && req.method === 'GET' && url.includes('/api/v1/notes/')) {
2911	console.warn('[gateway] canister GET note:', upstream.status, 'url:', url.slice(0, 120));
2912	}
2913	if (
2914	upstream.status === 404 &&
2915	req.method === 'POST' &&
2916	/\/api\/v1\/proposals\/[^/]+\/evaluation\/?(\?\|$)/.test(pathOnlyForBody)
2917	) {
2918	console.warn(
2919	'[gateway] canister returned 404 for POST …/evaluation. If the body is {"error":"Not found","code":"NOT_FOUND"}, the hub canister on mainnet likely predates the evaluation route or HTTP upgrade for it — redeploy `hub` from this repo (`hub/icp/README.md` §ICP HTTP gateway behavior).',
2920	);
2921	}
2922	const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries()).filter(
2923	([k]) => !['cache-control', 'etag', 'last-modified'].includes(k.toLowerCase()),
2924	);
2925	res.status(upstream.status).set(Object.fromEntries(hop));
2926	res.set('Cache-Control', 'private, no-store, must-revalidate');
2927	res.send(body);
2928	} catch (e) {
2929	console.error('Gateway proxy error:', e.message);
2930	res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
2931	}
2932	}
2933
2934	// Bulk metadata by effective project slug (canister orchestration; not a canister route)
2935	app.post('/api/v1/notes/delete-by-project', async (req, res) => {
2936	if (!(await runBillingGate(req, res, getUserId))) return;
2937	return metadataBulkHandlers.deleteByProject(req, res);
2938	});
2939	app.post('/api/v1/notes/rename-project', async (req, res) => {
2940	if (!(await runBillingGate(req, res, getUserId))) return;
2941	return metadataBulkHandlers.renameProject(req, res);
2942	});
2943
2944	/** Hosted Enrich: gateway runs LLM and POSTs to canister (not proxied as opaque POST). */
2945	app.post('/api/v1/proposals/:proposalId/enrich', async (req, res) => {
2946	// Express 4 does not auto-catch async route handler exceptions; wrap everything so a
2947	// rejected promise never leaves the request hanging until Netlify's Lambda timeout.
2948	try {
2949	if (!(await runBillingGate(req, res, getUserId))) return;
2950	const uid = getUserId(req);
2951	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2952	const proposalId = req.params.proposalId;
2953	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
2954	const hctx = await getHostedAccessContext(req);
2955	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2956	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2957	}
2958	const { role } = await resolveHostedActorRole(req, hctx);
2959	if (role === 'viewer') {
2960	return res.status(403).json({ error: 'This action requires a different role.', code: 'FORBIDDEN' });
2961	}
2962	const effective =
2963	hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2964	? hctx.effective_canister_user_id
2965	: uid;
2966	const llmPrefs = await loadHostedProposalLlmPrefs();
2967	const enrichEnabled = effectiveHostedEnrich(llmPrefs);
2968	// Diagnostic: log which LLM provider will be used (visible in Netlify function logs).
2969	console.log(
2970	'[gateway/enrich] proposalId=%s enrichEnabled=%s provider=%s',
2971	proposalId,
2972	enrichEnabled,
2973	process.env.OPENAI_API_KEY ? 'openai' : process.env.ANTHROPIC_API_KEY ? 'anthropic' : 'ollama(NO KEY)',
2974	);
2975	const out = await runHostedProposalEnrichAndPost({
2976	canisterUrl: CANISTER_URL,
2977	effectiveUserId: effective,
2978	actorUserId: uid,
2979	vaultId,
2980	proposalId,
2981	enrichEnabled,
2982	});
2983	if (!out.ok) {
2984	if (out.status === 404 && out.code === 'NOT_FOUND') {
2985	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2986	}
2987	if (out.status === 404) {
2988	return res.status(404).json({ error: 'Proposal not found', code: 'NOT_FOUND' });
2989	}
2990	if (out.status === 400) {
2991	return res.status(400).json({ error: out.detail \|\| 'Bad request', code: out.code \|\| 'BAD_REQUEST' });
2992	}
2993	return res.status(out.status \|\| 500).json({
2994	error: out.detail \|\| out.code \|\| 'Enrich failed',
2995	code: out.code \|\| 'RUNTIME_ERROR',
2996	});
2997	}
2998	// Return immediately — the frontend calls openProposal() + loadProposals() after this
2999	// which re-fetches the updated proposal. Eliminating the extra canister GET here removes
3000	// one full ICP round trip (~1–3 s) from the critical path and prevents Netlify timeout.
3001	return res.set('Cache-Control', 'private, no-store, must-revalidate').json({ ok: true });
3002	} catch (e) {
3003	console.error('[gateway/enrich] unhandled exception:', e?.stack \|\| e?.message \|\| e);
3004	if (!res.headersSent) {
3005	res.status(500).json({ error: e?.message \|\| 'Internal error', code: 'INTERNAL_ERROR' });
3006	}
3007	}
3008	});
3009
3010	// ---------------------------------------------------------------------------
3011	// AIR Improvement D — built-in attestation endpoint
3012	// ---------------------------------------------------------------------------
3013
3014	app.post('/api/v1/attest', async (req, res) => {
3015	const uid = getUserId(req);
3016	if (!uid) {
3017	return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
3018	}
3019	if (!isAttestationConfigured()) {
3020	return res.status(503).json({
3021	error: 'Attestation service not configured (ATTESTATION_SECRET missing or too short).',
3022	code: 'NOT_CONFIGURED',
3023	});
3024	}
3025	const body = req.body && typeof req.body === 'object' ? req.body : {};
3026	const action = typeof body.action === 'string' ? body.action.trim() : '';
3027	if (!action) {
3028	return res.status(400).json({ error: 'action is required', code: 'BAD_REQUEST' });
3029	}
3030	const notePath = typeof body.path === 'string' ? body.path : '';
3031	const contentHash = typeof body.content_hash === 'string' ? body.content_hash : null;
3032	try {
3033	const result = await createAttestation(action, notePath, contentHash);
3034	return res.json(result);
3035	} catch (e) {
3036	console.error('[gateway] POST /api/v1/attest error:', e?.message \|\| e);
3037	return res.status(500).json({ error: 'Attestation failed', code: 'INTERNAL_ERROR' });
3038	}
3039	});
3040
3041	app.get('/api/v1/attest/:id', async (req, res) => {
3042	if (!isAttestationConfigured()) {
3043	return res.status(503).json({
3044	error: 'Attestation service not configured (ATTESTATION_SECRET missing or too short).',
3045	code: 'NOT_CONFIGURED',
3046	});
3047	}
3048	const id = req.params.id;
3049	if (!id \|\| !id.startsWith('air-')) {
3050	return res.status(400).json({ error: 'Invalid attestation id format', code: 'BAD_REQUEST' });
3051	}
3052	try {
3053	const result = await verifyAttestation(id);
3054	if (!result.record) {
3055	return res.status(404).json({ error: 'Attestation not found', code: 'NOT_FOUND' });
3056	}
3057	return res.json(result);
3058	} catch (e) {
3059	console.error('[gateway] GET /api/v1/attest/:id error:', e?.message \|\| e);
3060	return res.status(500).json({ error: 'Verification failed', code: 'INTERNAL_ERROR' });
3061	}
3062	});
3063
3064	// ---------------------------------------------------------------------------
3065	// AIR Improvement E — ICP blockchain anchor verification + reconciliation
3066	// ---------------------------------------------------------------------------
3067
3068	app.get('/api/v1/attest/:id/verify', async (req, res) => {
3069	if (!isAttestationConfigured()) {
3070	return res.status(503).json({
3071	error: 'Attestation service not configured (ATTESTATION_SECRET missing or too short).',
3072	code: 'NOT_CONFIGURED',
3073	});
3074	}
3075	const id = req.params.id;
3076	if (!id \|\| !id.startsWith('air-')) {
3077	return res.status(400).json({ error: 'Invalid attestation id format', code: 'BAD_REQUEST' });
3078	}
3079	try {
3080	const result = await verifyWithIcp(id);
3081	if (!result.sources.blobs.found && !result.sources.icp.found) {
3082	return res.status(404).json({ error: 'Attestation not found', code: 'NOT_FOUND', ...result });
3083	}
3084	return res.json(result);
3085	} catch (e) {
3086	console.error('[gateway] GET /api/v1/attest/:id/verify error:', e?.message \|\| e);
3087	return res.status(500).json({ error: 'Verification failed', code: 'INTERNAL_ERROR' });
3088	}
3089	});
3090
3091	app.post('/api/v1/attest/anchor-pending', requireAdmin, async (req, res) => {
3092	if (!isAttestationConfigured()) {
3093	return res.status(503).json({
3094	error: 'Attestation service not configured (ATTESTATION_SECRET missing or too short).',
3095	code: 'NOT_CONFIGURED',
3096	});
3097	}
3098	const body = req.body && typeof req.body === 'object' ? req.body : {};
3099	const ids = Array.isArray(body.ids) ? body.ids.filter((x) => typeof x === 'string' && x.startsWith('air-')) : [];
3100	if (ids.length === 0) {
3101	return res.status(400).json({ error: 'ids array with air-* entries is required', code: 'BAD_REQUEST' });
3102	}
3103	if (ids.length > 100) {
3104	return res.status(400).json({ error: 'Maximum 100 IDs per batch', code: 'BAD_REQUEST' });
3105	}
3106	try {
3107	const result = await anchorPendingAttestations(ids);
3108	return res.json(result);
3109	} catch (e) {
3110	console.error('[gateway] POST /api/v1/attest/anchor-pending error:', e?.message \|\| e);
3111	return res.status(500).json({ error: 'Anchor failed', code: 'INTERNAL_ERROR' });
3112	}
3113	});
3114
3115	/**
3116	* Hosted: single-note export for Hub UI (POST /api/v1/export). Self-hosted Node Hub implements
3117	* this with filesystem; the ICP canister only supports GET /api/v1/export (full vault JSON), so
3118	* POST was returning 404 from the canister. We fetch the note and build the same download payload
3119	* as lib/export.mjs.
3120	*/
3121	app.post('/api/v1/export', async (req, res) => {
3122	if (!CANISTER_URL) {
3123	return res.status(503).json({ error: 'Hosted export not configured', code: 'SERVICE_UNAVAILABLE' });
3124	}
3125	if (!(await runBillingGate(req, res, getUserId, { getNoteCount: getNoteCountForUser }))) return;
3126	const uid = getUserId(req);
3127	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
3128	const body = req.body && typeof req.body === 'object' ? req.body : {};
3129	const notePath = typeof body.path === 'string' ? body.path.replace(/\\/g, '/').trim() : '';
3130	const fmt = body.format === 'html' ? 'html' : 'md';
3131	if (!notePath \|\| notePath.includes('..') \|\| notePath.startsWith('/')) {
3132	return res.status(400).json({ error: 'path required', code: 'BAD_REQUEST' });
3133	}
3134	const vaultId = String(req.headers['x-vault-id'] \|\| 'default').trim() \|\| 'default';
3135	const hctx = await getHostedAccessContext(req);
3136	if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
3137	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
3138	}
3139	const effective =
3140	hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
3141	? hctx.effective_canister_user_id
3142	: uid;
3143	const enc = notePath.split('/').map(encodeURIComponent).join('/');
3144	const url = `${CANISTER_URL}/api/v1/notes/${enc}`;
3145	let upstream;
3146	try {
3147	upstream = await fetch(url, {
3148	method: 'GET',
3149	headers: {
3150	Accept: 'application/json',
3151	'x-user-id': effective,
3152	'x-actor-id': uid,
3153	'x-vault-id': vaultId,
3154	...canisterAuthHeaders(),
3155	},
3156	});
3157	} catch (e) {
3158	console.error('[gateway] export fetch note:', e?.message \|\| e);
3159	return res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
3160	}
3161	const text = await upstream.text();
3162	if (upstream.status === 404) {
3163	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3164	}
3165	if (!upstream.ok) {
3166	return res.status(upstream.status).type('application/json').send(text);
3167	}
3168	let note;
3169	try {
3170	note = JSON.parse(text);
3171	} catch {
3172	return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
3173	}
3174	const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
3175	if (scope) {
3176	const withProj = {
3177	path: note.path,
3178	project: materializeListFrontmatter(note.frontmatter).project ?? null,
3179	};
3180	const filtered = applyScopeFilterToNotes([withProj], scope);
3181	if (filtered.length === 0) {
3182	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3183	}
3184	}
3185	const fm = materializeListFrontmatter(note.frontmatter);
3186	const { content, filename } = exportNoteRecordToContent(
3187	{ body: note.body != null ? String(note.body) : '', frontmatter: fm },
3188	note.path \|\| notePath,
3189	{ format: fmt },
3190	);
3191	res.set('Cache-Control', 'private, no-store, must-revalidate');
3192	return res.json({ content, filename });
3193	});
3194
3195	/**
3196	* Cross-vault copy/move (hosted gateway): GET note from canister vault A, POST to vault B, optional DELETE on A.
3197	* Conflicts: if `path` already exists in the target vault, the write overwrites (same as POST /notes).
3198	* After success, triggers bridge Re-index for the target vault and, when moving, the source vault (fire-and-forget).
3199	*/
3200	app.post('/api/v1/notes/copy', async (req, res) => {
3201	if (!CANISTER_URL) {
3202	return res.status(503).json({ error: 'Hosted copy not configured', code: 'SERVICE_UNAVAILABLE' });
3203	}
3204	if (!(await runBillingGate(req, res, getUserId, { getNoteCount: getNoteCountForUser }))) return;
3205	const uid = getUserId(req);
3206	if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
3207	const authHeader = req.headers.authorization \|\| '';
3208	const body = req.body && typeof req.body === 'object' ? req.body : {};
3209	const fromVault = typeof body.from_vault_id === 'string' ? body.from_vault_id.replace(/\\/g, '/').trim() : '';
3210	const toVault = typeof body.to_vault_id === 'string' ? body.to_vault_id.replace(/\\/g, '/').trim() : '';
3211	const notePath = typeof body.path === 'string' ? body.path.replace(/\\/g, '/').trim() : '';
3212	const deleteSource = body.delete_source === true;
3213	if (!fromVault \|\| !toVault \|\| !notePath \|\| notePath.includes('..') \|\| notePath.startsWith('/')) {
3214	return res.status(400).json({
3215	error: 'from_vault_id, to_vault_id, and path are required (vault-relative path)',
3216	code: 'BAD_REQUEST',
3217	});
3218	}
3219	if (fromVault === toVault) {
3220	return res.status(400).json({ error: 'from_vault_id and to_vault_id must differ', code: 'BAD_REQUEST' });
3221	}
3222	/** @type {Record<string, unknown>\|null} */
3223	let hctxFrom = null;
3224	if (BRIDGE_URL) {
3225	hctxFrom = await fetchHostedAccessContextForVault(authHeader, fromVault);
3226	if (!hctxFrom) {
3227	return res.status(403).json({ error: 'Hosted workspace context unavailable.', code: 'FORBIDDEN' });
3228	}
3229	if (Array.isArray(hctxFrom.allowed_vault_ids)) {
3230	if (!hctxFrom.allowed_vault_ids.includes(fromVault) \|\| !hctxFrom.allowed_vault_ids.includes(toVault)) {
3231	return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
3232	}
3233	}
3234	}
3235	const { role } = await resolveHostedActorRole(req, hctxFrom);
3236	if (role === 'viewer') {
3237	return res.status(403).json({ error: 'This action requires editor or admin.', code: 'FORBIDDEN' });
3238	}
3239	const effective =
3240	hctxFrom && typeof hctxFrom.effective_canister_user_id === 'string' && hctxFrom.effective_canister_user_id
3241	? hctxFrom.effective_canister_user_id
3242	: uid;
3243	const enc = notePath.split('/').map(encodeURIComponent).join('/');
3244	const getUrl = `${CANISTER_URL}/api/v1/notes/${enc}`;
3245	let upstream;
3246	try {
3247	upstream = await fetch(getUrl, {
3248	method: 'GET',
3249	headers: {
3250	Accept: 'application/json',
3251	'x-user-id': effective,
3252	'x-actor-id': uid,
3253	'x-vault-id': fromVault,
3254	...canisterAuthHeaders(),
3255	},
3256	});
3257	} catch (e) {
3258	console.error('[gateway] notes/copy fetch source:', e?.message \|\| e);
3259	return res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
3260	}
3261	const getText = await upstream.text();
3262	if (upstream.status === 404) {
3263	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3264	}
3265	if (!upstream.ok) {
3266	return res.status(upstream.status).type('application/json').send(getText);
3267	}
3268	let note;
3269	try {
3270	note = JSON.parse(getText);
3271	} catch {
3272	return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
3273	}
3274	const scope = scopeActiveForGateway(hctxFrom) ? hctxFrom.scope : null;
3275	if (scope) {
3276	const withProj = {
3277	path: note.path,
3278	project: materializeListFrontmatter(note.frontmatter).project ?? null,
3279	};
3280	const filtered = applyScopeFilterToNotes([withProj], scope);
3281	if (filtered.length === 0) {
3282	return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3283	}
3284	}
3285	const outPath = note.path \|\| notePath;
3286	let fmRaw = note.frontmatter;
3287	if (typeof fmRaw === 'string') {
3288	try {
3289	fmRaw = fmRaw.trim() ? JSON.parse(fmRaw) : {};
3290	} catch {
3291	fmRaw = {};
3292	}
3293	}
3294	if (!fmRaw \|\| typeof fmRaw !== 'object' \|\| Array.isArray(fmRaw)) {
3295	fmRaw = {};
3296	}
3297	let gatewayAirId = null;
3298	if (process.env.KNOWTATION_AIR_ENDPOINT) {
3299	try {
3300	const { attestBeforeWrite: gwAttest } = await import('../../lib/air.mjs');
3301	const airId = await gwAttest(
3302	{ air: { enabled: true, required: false, endpoint: process.env.KNOWTATION_AIR_ENDPOINT } },
3303	outPath,
3304	);
3305	if (airId && airId !== 'air-placeholder-write') {
3306	gatewayAirId = airId;
3307	}
3308	} catch (e) {
3309	console.error('[gateway] AIR attestation (copy, non-fatal):', e?.message \|\| String(e));
3310	}
3311	}
3312	const postBody = mergeHostedNoteBodyForCanister(
3313	{
3314	path: outPath,
3315	body: note.body != null ? String(note.body) : '',
3316	frontmatter: fmRaw,
3317	},
3318	uid,
3319	gatewayAirId,
3320	);
3321	const postHeaders = {
3322	'Content-Type': 'application/json',
3323	Accept: 'application/json',
3324	host: new URL(CANISTER_URL).host,
3325	'x-user-id': effective,
3326	'x-actor-id': uid,
3327	'x-vault-id': toVault,
3328	...canisterAuthHeaders(),
3329	};
3330	const postOpts = { method: 'POST', headers: postHeaders, body: JSON.stringify(postBody) };
3331	stripStaleOutboundBodyHeaders(postHeaders);
3332	let postUpstream;
3333	try {
3334	postUpstream = await fetch(`${CANISTER_URL}/api/v1/notes`, postOpts);
3335	} catch (e) {
3336	console.error('[gateway] notes/copy post target:', e?.message \|\| e);
3337	return res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
3338	}
3339	const postText = await postUpstream.text();
3340	if (!postUpstream.ok) {
3341	return res.status(postUpstream.status).type('application/json').send(postText);
3342	}
3343	if (deleteSource) {
3344	let delUpstream;
3345	try {
3346	delUpstream = await fetch(getUrl, {
3347	method: 'DELETE',
3348	headers: {
3349	Accept: 'application/json',
3350	'x-user-id': effective,
3351	'x-actor-id': uid,
3352	'x-vault-id': fromVault,
3353	...canisterAuthHeaders(),
3354	},
3355	});
3356	} catch (e) {
3357	console.error('[gateway] notes/copy delete source:', e?.message \|\| e);
3358	return res.status(502).json({
3359	error:
3360	'Note was copied to the target vault but deleting the source failed. Remove the duplicate from the target vault if you retry.',
3361	code: 'DELETE_FAILED',
3362	});
3363	}
3364	const delText = await delUpstream.text();
3365	if (!delUpstream.ok && delUpstream.status !== 404) {
3366	return res.status(delUpstream.status).json({
3367	error: 'Note was copied to the target vault but deleting the source failed.',
3368	code: 'DELETE_FAILED',
3369	detail: typeof delText === 'string' ? delText.slice(0, 500) : '',
3370	});
3371	}
3372	}
3373	const reindexVaults = deleteSource ? [toVault, fromVault] : [toVault];
3374	void (async () => {
3375	if (!BRIDGE_URL) return;
3376	for (const vid of reindexVaults) {
3377	try {
3378	const idxRes = await fetch(BRIDGE_URL + '/api/v1/index', {
3379	method: 'POST',
3380	headers: {
3381	Authorization: authHeader,
3382	Accept: 'application/json',
3383	'Content-Type': 'application/json',
3384	'X-Vault-Id': String(vid \|\| 'default').trim() \|\| 'default',
3385	},
3386	body: '{}',
3387	});
3388	const idxText = await idxRes.text();
3389	await recordIndexingTokensAfterBridgeIndex(uid, idxRes.status, idxText);
3390	} catch (e) {
3391	console.warn('[gateway] notes/copy reindex:', e?.message \|\| e);
3392	}
3393	}
3394	})();
3395	res.set('Cache-Control', 'private, no-store, must-revalidate');
3396	return res.json({
3397	ok: true,
3398	path: outPath,
3399	from_vault_id: fromVault,
3400	to_vault_id: toVault,
3401	moved: deleteSource,
3402	});
3403	});
3404
3405	app.use('/api/v1', async (req, res) => {
3406	if (req.method === 'OPTIONS') return res.status(204).end();
3407	if (!(await runBillingGate(req, res, getUserId, { getNoteCount: getNoteCountForUser }))) return;
3408	return proxyToCanister(req, res);
3409	});
3410
3411	// Health from canister if UI calls /health via same origin
3412	app.get('/api/v1/health-canister', async (_req, res) => {
3413	try {
3414	const r = await fetch(CANISTER_URL + '/health');
3415	const body = await r.text();
3416	res.status(r.status).set('Content-Type', 'application/json').send(body);
3417	} catch (e) {
3418	res.status(502).json({ ok: false, error: e.message });
3419	}
3420	});
3421
3422	app.use((err, req, res, next) => {
3423	if (res.headersSent) return next(err);
3424	console.error('[gateway] unhandled error:', err?.stack \|\| err?.message \|\| err);
3425	const status =
3426	typeof err.status === 'number' && err.status >= 400 && err.status < 600
3427	? err.status
3428	: typeof err.statusCode === 'number' && err.statusCode >= 400 && err.statusCode < 600
3429	? err.statusCode
3430	: 500;
3431	res.status(status).json({
3432	error: err.message \|\| 'Internal error',
3433	code: err.code \|\| 'INTERNAL_ERROR',
3434	});
3435	});
3436
3437	// When running on Netlify, the app is imported by netlify/functions/gateway.mjs and not started here.
3438	if (!process.env.NETLIFY) {
3439	if (!CANISTER_URL) {
3440	console.error('Gateway: CANISTER_URL is required (e.g. https://<canister-id>.ic0.app)');
3441	process.exit(1);
3442	}
3443	if (!SESSION_SECRET) {
3444	console.error('Gateway: SESSION_SECRET or HUB_JWT_SECRET is required');
3445	process.exit(1);
3446	}
3447	if (!CANISTER_AUTH_SECRET && CANISTER_URL) {
3448	console.warn(
3449	'\x1b[33m[SECURITY] CANISTER_AUTH_SECRET is not set. ' +
3450	'The canister will not verify gateway identity. ' +
3451	'Set CANISTER_AUTH_SECRET and call admin_set_gateway_auth_secret on the canister before public launch.\x1b[0m'
3452	);
3453	}
3454	if (CANISTER_URL && !billingEnforced()) {
3455	console.warn(
3456	'\x1b[33m[SECURITY] BILLING_ENFORCE is not set to true. ' +
3457	'Billing limits (storage cap, usage gates) are not enforced. ' +
3458	'Set BILLING_ENFORCE=true before public launch on hosted deployment.\x1b[0m'
3459	);
3460	}
3461	app.listen(PORT, () => {
3462	console.log(`Knowtation Hub Gateway listening on http://localhost:${PORT}`);
3463	console.log(' Canister: ' + CANISTER_URL);
3464	console.log(' UI origin: ' + HUB_UI_ORIGIN);
3465	console.log(' Login: GET /auth/login?provider=google\|github');
3466	});
3467	}
3468
3469	export { app };

File History 10 commits

sha256:0d530f9ef27b8b75547d1db7701a74bc77b77aa8f3d7fa3a8672cf2af36e63bb reconcile: import GitHub-direct RBAC/OAuth/companion and ho… Human minor ⚠ 4 hours ago

sha256:6f47d53a6adbcf105ba1b9cfc126c788d6a0f461d197f84f78794914305b4bd5 fix(mcp): bound hosted discovery context Human patch 2 days ago

sha256:2827ba9e7632a4b141c50caf1e8f7d77abbc3515be20e7465f2bccb0ac4edf91 fix: repair endpoint now sets has_active_subscription when … Human minor ⚠ 7 days ago

sha256:75b9b3ba09df2ea3ca5f64ae1b823c3b157771ef12447a0fc89b806d9e9ea050 Add admin billing repair endpoint with 7-tier tests Human minor ⚠ 7 days ago

sha256:8d46372e39d2d5a54fd93a8b1c27922fe0d9b22a72197345f1d2c71701cc4ce2 feat(auth): persistent login system + C7 session introspection Human minor ⚠ 7 days ago

sha256:733a05568d553ecc0c294f0048a2c8a7d0a4e6538d3b5618cc3c93fa55472757 Add structural REST bridges Human minor ⚠ 15 days ago

sha256:d2f3bd616fe6df6241df70aad61b452c736422931fc6a20518a344f33337e619 Add NoteOutline REST bridge Human minor ⚠ 15 days ago

sha256:a1fb9436e34e4a809871df484bffcc498b4f6ddf661d2e5079600b0bc7b6727a Add SectionSource Hub REST runtime Human patch 16 days ago

sha256:2967f1973b9f865fe5fd4945e35d3e4b43847fbdcee8c7ab4d41f0fd57b5282a feat(gateway): add Scooling write-back smoke endpoint Human minor ⚠ 18 days ago

sha256:aeff9d7c077329f4ec5e6617ecf10b1fcb7d08b110a3018b315ef974f8e01cb4 fix(hub): restore note detail actions for viewer and evaluator Human minor ⚠ 27 days ago

patch server.mjs 10× 4 hours ago

replace gatewayProxyGetNoteOne 4 hours ago

replace gatewayProxyGetNotesList 4 hours ago

insert normalizeGatewayNoteFrontmatter 4 hours ago

replace resolveHostedActorRole 4 hours ago

replace fetchHostedAccessContextForVault 2 days ago

replace getHostedAccessContext 2 days ago

insert hostedContextAbortSignal 2 days ago

insert decodeVerifiedToken 7 days ago

insert issueAccessTokenForSub 7 days ago

insert issueRefreshCookieSafe 7 days ago

insert refreshCookiePolicy 7 days ago

insert scopesForRole 7 days ago

insert normalizeGatewayDocumentTreePath 15 days ago

insert normalizeGatewayMetadataFacetsPath 15 days ago

insert sanitizedDocumentTreeGatewayError 15 days ago

insert sanitizedMetadataFacetsGatewayError 15 days ago

insert normalizeGatewayNoteOutlinePath 15 days ago

insert sanitizedNoteOutlineGatewayError 15 days ago

insert normalizeGatewaySectionSourcePath 16 days ago

insert sanitizedSectionSourceGatewayError 16 days ago

Pathhub/gateway/server.mjs

Lines3,469

Size137.4 KB

Refsha256:0d530f9ef27b8b75547d1db7701a74bc77b77aa8f3d7fa3a8672cf2af36e63bb

Object ID

sha256:02a10703839b1c6e1c1b7c6c51896567dc391e84b23634e40dee965eba4afeb9…

Last commit

sha256:0d530f9ef27b8b75547d1db7701a74bc77b77aa8f3d7fa3a8672cf2af36e63bb

reconcile: import GitHub-direct RBAC/OAuth/compan…

4 hours ago

Quick links

Blame History