aaronrene / knowtation public
server.mjs
3,496 lines 138.7 KB
Raw
sha256:94ec65bd2b200240ac785a97cf14c5db066832bd608a24d6a9c151f17b918b02 feat(calendar): hosted bridge/gateway route parity and time… Human minor ⚠ breaking 1 day ago
1 /**
2 * Knowtation Hub Gateway — OAuth (Google/GitHub) + proxy to ICP canister with X-User-Id.
3 * For hosted product: user logs in here; all /api/* requests are proxied to canister with proof.
4 * Run: node server.mjs
5 * Env: SESSION_SECRET, CANISTER_URL, HUB_BASE_URL; optional GOOGLE_*, GITHUB_*, HUB_UI_ORIGIN, GATEWAY_PORT.
6 */
7
8 import crypto from 'crypto';
9 import fs from 'fs';
10 import path from 'path';
11 import { fileURLToPath } from 'url';
12 import dotenv from 'dotenv';
13 import express from 'express';
14 import cookieParser from 'cookie-parser';
15 import jwt from 'jsonwebtoken';
16 import passport from 'passport';
17 import { Strategy as GoogleStrategy } from 'passport-google-oauth20';
18 import { Strategy as GitHubStrategy } from 'passport-github2';
19 import { stripeWebhookHandler, createCheckoutSession, createPortalSession } from './billing-stripe.mjs';
20 import { handleBillingSummary } from './billing-http.mjs';
21 import { isSubscriptionPriceId, isPackPriceId, priceIdFromTierShorthand, billingEnforced, MONTHLY_INCLUDED_CENTS_BY_TIER } from './billing-constants.mjs';
22 import { recordIndexingTokensAfterBridgeIndex } from './billing-index-usage.mjs';
23 import { runBillingGate } from './billing-middleware.mjs';
24 import { mergeHostedNoteBodyForCanister, isPostApiV1Notes, isNoteWriteRequest } from './apply-note-provenance.mjs';
25 import { deriveFacetsFromCanisterNotes, materializeListFrontmatter } from './note-facets.mjs';
26 import { applyGatewayCors } from './cors-middleware.mjs';
27 import { upstreamPathAndQuery, pathPartNoQuery, effectiveRequestPath } from './request-path.mjs';
28 import { applyScopeFilterToNotes } from '../lib/scope-filter.mjs';
29 import { createMetadataBulkHandlers } from './metadata-bulk-canister.mjs';
30 import { filterUpstreamResponseHeadersForDecodedBody } from './upstream-response-headers.mjs';
31 import { loadProposalRubric } from '../../lib/hub-proposal-rubric.mjs';
32 import { commitImageToRepo, validateImageExtension, validateMagicBytes } from '../../lib/github-commit-image.mjs';
33 import { parseMultipartFile } from './parse-multipart.mjs';
34 import { proposalPolicyEnvLocked } from '../../lib/hub-proposal-policy.mjs';
35 import {
36 loadHostedProposalLlmPrefs,
37 mergeHostedProposalLlmPrefs,
38 effectiveHostedEvaluationRequired,
39 effectiveHostedReviewHints,
40 effectiveHostedEnrich,
41 } from './proposal-llm-store.mjs';
42 import { augmentProposalEvaluationBodyForCanister } from './proposal-evaluation-canister-body.mjs';
43 import { augmentProposalCreateForHosted } from './proposal-create-hosted-body.mjs';
44 import { maybeScheduleHostedProposalReviewHints } from './proposal-review-hints-async.mjs';
45 import { proposalDataForHostedReviewHintsFromCreate } from './proposal-hints-create-context.mjs';
46 import { runHostedProposalEnrichAndPost } from './proposal-enrich-hosted.mjs';
47 import { isAttestationConfigured, createAttestation, verifyAttestation, verifyWithIcp, anchorPendingAttestations } from './attest-store.mjs';
48 import { loadBillingDb, mutateBillingDb } from './billing-store.mjs';
49 import { normalizeBillingUser, defaultUserRecord } from './billing-logic.mjs';
50 import {
51 mergeConsolidateRequestBodyWithBillingDefaults,
52 validateHostedSettingsConsolidationAdvanced,
53 } from '../../lib/hosted-consolidation-advanced.mjs';
54 import {
55 parseMuseConfigFromEnv,
56 resolveExternalRefForApprove,
57 proposalIdFromApprovePath,
58 fetchMuseProxiedGet,
59 } from '../../lib/muse-thin-bridge.mjs';
60 import { exportNoteRecordToContent } from '../../lib/export.mjs';
61 import { canisterAuthHeaders as canisterAuthHeadersFromEnv } from './canister-auth-headers.mjs';
62 import {
63 issueRefreshCookie,
64 createRefreshHandler,
65 createLogoutHandler,
66 refreshCookieOptions,
67 } from '../auth-session.mjs';
68 import {
69 createGatewayRefreshStore,
70 pruneRefreshTokens as pruneGatewayRefreshTokens,
71 } from './refresh-token-store.mjs';
72 import { createScoolingNoteOutlineSmokeRouter } from './scooling-note-outline-smoke.mjs';
73 import { createScoolingWriteBackSmokeRouter } from './scooling-write-back-smoke.mjs';
74 import { buildNoteOutline } from '../../lib/note-outline.mjs';
75 import { buildDocumentTree } from '../../lib/document-tree.mjs';
76 import { buildSectionSource } from '../../lib/section-source.mjs';
77 import { normalizeMetadataFacets } from '../../lib/vault.mjs';
78
79 // Safe when bundled (e.g. Netlify Functions CJS) where import.meta may be undefined
80 let projectRoot;
81 try {
82 const __dirname = path.dirname(fileURLToPath(import.meta.url));
83 projectRoot = path.resolve(__dirname, '..', '..');
84 } catch (_) {
85 projectRoot = process.cwd();
86 }
87 const envPath = path.join(projectRoot, '.env');
88 if (fs.existsSync(envPath)) dotenv.config({ path: envPath });
89
90 const PORT = parseInt(process.env.GATEWAY_PORT || process.env.PORT || '3340', 10);
91 const BASE_URL = process.env.HUB_BASE_URL || `http://localhost:${PORT}`;
92
93 // AIR Improvement D: when ATTESTATION_SECRET is set and no explicit AIR endpoint
94 // is provided, point AIR at this gateway's own /api/v1/attest route.
95 if (
96 process.env.ATTESTATION_SECRET &&
97 process.env.ATTESTATION_SECRET.length >= 32 &&
98 !process.env.KNOWTATION_AIR_ENDPOINT
99 ) {
100 process.env.KNOWTATION_AIR_ENDPOINT = `${BASE_URL}/api/v1/attest`;
101 console.log('[gateway] AIR auto-configured: KNOWTATION_AIR_ENDPOINT =', process.env.KNOWTATION_AIR_ENDPOINT);
102 }
103 const CANISTER_URL = (process.env.CANISTER_URL || '').replace(/\/$/, '');
104 const CANISTER_AUTH_SECRET = process.env.CANISTER_AUTH_SECRET || '';
105 const BRIDGE_URL = (process.env.BRIDGE_URL || '').replace(/\/$/, '');
106 if (BRIDGE_URL) {
107 try {
108 const u = new URL(BRIDGE_URL);
109 if (u.protocol !== 'http:' && u.protocol !== 'https:') {
110 throw new Error('BRIDGE_URL must use http: or https:');
111 }
112 } catch (e) {
113 console.error(
114 '[gateway] BRIDGE_URL must be an absolute URL with scheme (no path after host), e.g. https://your-bridge.netlify.app. Got:',
115 JSON.stringify(BRIDGE_URL),
116 e.message || e,
117 );
118 process.exit(1);
119 }
120 }
121 const HUB_UI_ORIGIN = (process.env.HUB_UI_ORIGIN || BASE_URL).replace(/\/$/, '');
122 const SESSION_SECRET = process.env.SESSION_SECRET || process.env.HUB_JWT_SECRET;
123 const JWT_EXPIRY = process.env.HUB_JWT_EXPIRY || '24h';
124
125 // Optional: comma-separated list of user IDs (e.g. google:123,github:456) who get role admin on hosted. Others get member.
126 const HUB_ADMIN_USER_IDS = (process.env.HUB_ADMIN_USER_IDS || '')
127 .split(',')
128 .map((s) => s.trim())
129 .filter(Boolean);
130 const adminUserIdsSet = new Set(HUB_ADMIN_USER_IDS);
131
132 function roleForSub(sub) {
133 return sub && adminUserIdsSet.has(sub) ? 'admin' : 'member';
134 }
135
136 function canisterAuthHeaders() {
137 return canisterAuthHeadersFromEnv();
138 }
139
140 passport.serializeUser((user, done) => done(null, user));
141 passport.deserializeUser((obj, done) => done(null, obj));
142
143 if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
144 passport.use(
145 new GoogleStrategy(
146 {
147 clientID: process.env.GOOGLE_CLIENT_ID,
148 clientSecret: process.env.GOOGLE_CLIENT_SECRET,
149 callbackURL: `${BASE_URL}/auth/callback/google`,
150 },
151 (_accessToken, _refreshToken, profile, done) => {
152 return done(null, { provider: 'google', id: profile.id, displayName: profile.displayName ?? '' });
153 }
154 )
155 );
156 }
157 if (process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET) {
158 passport.use(
159 new GitHubStrategy(
160 {
161 clientID: process.env.GITHUB_CLIENT_ID,
162 clientSecret: process.env.GITHUB_CLIENT_SECRET,
163 callbackURL: `${BASE_URL}/auth/callback/github`,
164 },
165 (_accessToken, _refreshToken, profile, done) => {
166 return done(null, { provider: 'github', id: profile.id, displayName: profile.displayName ?? profile.username ?? '' });
167 }
168 )
169 );
170 }
171
172 function userId(user) {
173 if (!user || !user.provider || !user.id) return null;
174 return `${user.provider}:${user.id}`;
175 }
176
177 function issueToken(user) {
178 const sub = userId(user);
179 if (!sub) return null;
180 const role = roleForSub(sub);
181 return jwt.sign(
182 {
183 sub,
184 provider: user.provider,
185 id: user.id,
186 name: user.displayName ?? '',
187 role,
188 },
189 SESSION_SECRET,
190 { expiresIn: JWT_EXPIRY }
191 );
192 }
193
194 function verifyToken(token) {
195 try {
196 const payload = jwt.verify(token, SESSION_SECRET);
197 return payload.sub ?? null;
198 } catch (_) {
199 return null;
200 }
201 }
202
203 /**
204 * Verify the token and return the full decoded payload, or null if invalid/expired.
205 * Used only by the session-introspection endpoint; callers that only need `sub` use verifyToken.
206 * @param {string} token
207 * @returns {object|null}
208 */
209 function decodeVerifiedToken(token) {
210 try {
211 return jwt.verify(token, SESSION_SECRET);
212 } catch (_) {
213 return null;
214 }
215 }
216
217 /**
218 * Derive the set of API scopes from a role string.
219 * This is the C7 → C4 bridge: Scooling can read `scopes` today; when explicit per-user
220 * scope management (C4) is wired in, this function will be replaced with a real lookup
221 * without changing the C7 response shape.
222 * @param {string} role - 'admin' | 'member'
223 * @returns {string[]}
224 */
225 function scopesForRole(role) {
226 if (role === 'admin') return ['vault:read', 'vault:write', 'admin'];
227 return ['vault:read', 'vault:write'];
228 }
229
230 /**
231 * Re-mint a short-lived access token from a `sub` alone (used by POST /api/v1/auth/refresh,
232 * which only knows the user id carried by the refresh-token record). The `sub` is the canonical
233 * `provider:id`, so provider/id are reconstructed from it and the role is re-derived from the
234 * current admin allowlist — a refreshed token always reflects the latest role, exactly like
235 * login. Display name is omitted (cosmetic; the UI reads it from /settings).
236 * @param {string} sub
237 * @returns {string|null} signed JWT, or null when sub is missing
238 */
239 function issueAccessTokenForSub(sub) {
240 if (!sub || typeof sub !== 'string') return null;
241 const idx = sub.indexOf(':');
242 const provider = idx > 0 ? sub.slice(0, idx) : '';
243 const id = idx > 0 ? sub.slice(idx + 1) : sub;
244 return jwt.sign(
245 { sub, provider, id, name: '', role: roleForSub(sub) },
246 SESSION_SECRET,
247 { expiresIn: JWT_EXPIRY }
248 );
249 }
250
251 const IMAGE_PROXY_TOKEN_TTL_SECONDS = 300;
252
253 function signImageProxyToken(secret, uid) {
254 const exp = Math.floor(Date.now() / 1000) + IMAGE_PROXY_TOKEN_TTL_SECONDS;
255 const payload = `img\0${uid}\0${exp}`;
256 const sig = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
257 return `${exp}.${Buffer.from(uid).toString('base64url')}.${sig}`;
258 }
259
260 function verifyImageProxyToken(secret, token) {
261 if (typeof token !== 'string') return null;
262 const parts = token.split('.');
263 if (parts.length !== 3) return null;
264 const [expStr, uidB64, sig] = parts;
265 const exp = parseInt(expStr, 10);
266 if (!exp || Math.floor(Date.now() / 1000) > exp) return null;
267 let uid;
268 try { uid = Buffer.from(uidB64, 'base64url').toString(); } catch (_) { return null; }
269 if (!uid) return null;
270 const payload = `img\0${uid}\0${exp}`;
271 const expected = crypto.createHmac('sha256', secret).update(payload).digest('base64url');
272 const sigBuf = Buffer.from(sig);
273 const expectedBuf = Buffer.from(expected);
274 if (sigBuf.length !== expectedBuf.length || !crypto.timingSafeEqual(sigBuf, expectedBuf)) return null;
275 return uid;
276 }
277
278 const app = express();
279 // Trust the first downstream proxy so express-rate-limit (and any future IP-based middleware)
280 // reads the real client IP from X-Forwarded-For instead of the CDN/load-balancer address.
281 app.set('trust proxy', 1);
282
283 // Remove X-Powered-By: Express — leaking server technology is unnecessary attack surface.
284 app.disable('x-powered-by');
285
286 // Netlify rewrites /* -> /.netlify/functions/gateway/:splat, so the function may receive
287 // a path like /.netlify/functions/gateway/api/v1/notes. Express would not match /api/v1/* routes.
288 const NETLIFY_GW_PREFIX = '/.netlify/functions/gateway';
289 app.use((req, _res, next) => {
290 const raw = req.url || '/';
291 const q = raw.indexOf('?');
292 const pathPart = q >= 0 ? raw.slice(0, q) : raw;
293 const queryPart = q >= 0 ? raw.slice(q) : '';
294 if (pathPart === NETLIFY_GW_PREFIX || pathPart.startsWith(`${NETLIFY_GW_PREFIX}/`)) {
295 const rest =
296 pathPart === NETLIFY_GW_PREFIX ? '/' : pathPart.slice(NETLIFY_GW_PREFIX.length) || '/';
297 const nextUrl = rest + queryPart;
298 req.url = nextUrl;
299 // Express may set originalUrl to the internal function path; keep it aligned with req.path.
300 req.originalUrl = nextUrl;
301 delete req._parsedUrl;
302 delete req._parsedOriginalUrl;
303 }
304 next();
305 });
306
307 app.use(cookieParser());
308 app.post('/api/v1/billing/webhook', express.raw({ type: 'application/json' }), (req, res) => {
309 stripeWebhookHandler(req, res);
310 });
311 app.use(express.json({ limit: '10mb' }));
312 app.use(passport.initialize());
313
314 // CORS: production MUST set HUB_CORS_ORIGIN (apex + www) for credentialed-style responses.
315 // If unset, we use * and omit Allow-Credentials — otherwise browsers block (* + credentials = Failed to fetch).
316 // See hub/gateway/cors-middleware.mjs.
317 const corsOrigins = process.env.HUB_CORS_ORIGIN
318 ? process.env.HUB_CORS_ORIGIN.split(',').map((o) => o.trim()).filter(Boolean)
319 : [];
320 app.use((req, res, next) => {
321 applyGatewayCors(res, req.get('Origin'), corsOrigins);
322 next();
323 });
324
325 // Persistent sessions (refresh-token rotation), hosted edition. The durable, hashed refresh
326 // token is delivered as an HttpOnly cookie; the security logic lives in
327 // hub/lib/refresh-token-core.mjs via the blob-backed store below (shared with self-hosted).
328 const refreshStore = createGatewayRefreshStore();
329
330 /**
331 * Cookie policy for the hosted refresh token.
332 * - When the UI and gateway share an origin (HUB_CORS_ORIGIN unset), the cookie is first-party
333 * and SameSite=Lax is correct and most robust.
334 * - When HUB_CORS_ORIGIN is set the UI is on another origin, so the credentialed cross-site
335 * request requires SameSite=None (which forces Secure). NOTE: a cross-site cookie is only
336 * delivered reliably when the gateway is a subdomain of the UI's registrable domain (e.g.
337 * UI knowtation.store + gateway api.knowtation.store); browsers increasingly block
338 * unrelated third-party cookies. Same-origin (single origin for UI + API) is recommended.
339 * Scoped to the auth path so the cookie is only ever sent to /api/v1/auth endpoints.
340 */
341 function refreshCookiePolicy() {
342 const crossOrigin = corsOrigins.length > 0;
343 return refreshCookieOptions({
344 secure: crossOrigin || BASE_URL.startsWith('https://'),
345 sameSite: crossOrigin ? 'none' : 'lax',
346 maxAgeMs: 90 * 24 * 60 * 60 * 1000,
347 });
348 }
349
350 /**
351 * Issue the HttpOnly refresh cookie at the end of a successful OAuth login. Best-effort: a
352 * refresh-store write failure must never block login (the access token still works).
353 * @param {import('express').Response} res
354 * @param {import('express').Request} req
355 * @param {string|null} sub
356 */
357 async function issueRefreshCookieSafe(res, req, sub) {
358 if (!sub) {
359 console.warn('[gateway] refresh cookie skipped: no sub resolved from req.user');
360 return;
361 }
362 try {
363 await issueRefreshCookie(res, {
364 store: refreshStore,
365 sub,
366 cookieOptions: refreshCookiePolicy,
367 meta: { ua: String(req.headers['user-agent'] || '').slice(0, 256) },
368 });
369 console.info('[gateway] refresh cookie issued for sub=%s', sub);
370 } catch (err) {
371 // Login still proceeds with the access token even if the refresh store is unavailable, but
372 // the failure MUST be surfaced — swallowing it silently made a persistent-login outage
373 // undiagnosable. `authBlobPresent` distinguishes the two failure modes:
374 // false → the Netlify Blob was not provisioned for this invocation, so the store fell back
375 // to a file write that fails on the read-only function FS;
376 // true → the blob was provisioned but the read/write itself was rejected.
377 const authBlobPresent = Boolean(globalThis.__knowtation_gateway_auth_blob);
378 console.error(
379 '[gateway] refresh cookie FAILED for sub=%s authBlobPresent=%s: %s',
380 sub,
381 authBlobPresent,
382 err && err.stack ? err.stack : (err && err.message) || String(err),
383 );
384 }
385 }
386
387 // Authenticated Hub JSON must not be cached (browser 304 / CDN reuse shows stale frontmatter).
388 app.use('/api/v1', (req, res, next) => {
389 res.set('Cache-Control', 'private, no-store, must-revalidate');
390 next();
391 });
392
393 // Health (no auth) — returns { ok: true }. If a CDN or host wrapper returns usage_exceeded, that is outside this app (check Netlify site / account limits and which commit is deployed).
394 app.get('/health', (_req, res) => res.json({ ok: true }));
395 app.get('/api/v1/health', (_req, res) => res.json({ ok: true }));
396 app.use(createScoolingNoteOutlineSmokeRouter());
397 app.use(createScoolingWriteBackSmokeRouter());
398
399 // Which OAuth providers are configured (no auth)
400 app.get('/api/v1/auth/providers', (_req, res) => {
401 res.json({
402 google: Boolean(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET),
403 github: Boolean(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET),
404 });
405 });
406
407 // C7 Session introspection — returns the verified identity and derived scopes for the bearer.
408 // Designed for Scooling (cross-origin, Bearer auth) and the Hub UI alike.
409 // GET /api/v1/auth/session → { sub, provider, id, name, role, iat, exp, scopes }
410 // Only reads what is already in the signed JWT — no extra DB call, no data elevation.
411 app.options('/api/v1/auth/session', (_req, res) => res.status(204).end());
412 app.get('/api/v1/auth/session', (req, res) => {
413 const auth = req.headers.authorization;
414 if (!auth || !auth.startsWith('Bearer ')) {
415 return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
416 }
417 const token = auth.slice(7);
418 const payload = decodeVerifiedToken(token);
419 if (!payload || !payload.sub) {
420 return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
421 }
422 return res.json({
423 sub: payload.sub,
424 provider: payload.provider ?? '',
425 id: payload.id ?? '',
426 name: payload.name ?? '',
427 role: payload.role ?? 'member',
428 iat: payload.iat,
429 exp: payload.exp,
430 scopes: scopesForRole(payload.role ?? 'member'),
431 });
432 });
433
434 // Persistent sessions: exchange the HttpOnly refresh cookie for a fresh access token, and real
435 // server-side logout (revokes the refresh token, not just the client cookie). Mounted BEFORE the
436 // bridge/canister proxies so these are handled locally and never forwarded upstream.
437 //
438 // Rate limiting note: an in-memory express-rate-limit is ineffective on Netlify (each function
439 // invocation is isolated, no shared counter) and trips ERR_ERL_* under serverless proxies. Brute
440 // force is bounded instead by edge limits (see hub/gateway/README.md) and, more fundamentally, by
441 // the opaque high-entropy token + rotation/reuse detection in refresh-token-core.mjs.
442 app.options(['/api/v1/auth/refresh', '/api/v1/auth/logout'], (_req, res) => res.status(204).end());
443 app.post(
444 '/api/v1/auth/refresh',
445 createRefreshHandler({
446 store: refreshStore,
447 issueAccessToken: issueAccessTokenForSub,
448 cookieOptions: refreshCookiePolicy,
449 meta: (req) => ({ ua: String(req.headers['user-agent'] || '').slice(0, 256) }),
450 })
451 );
452 app.post(
453 '/api/v1/auth/logout',
454 createLogoutHandler({ store: refreshStore, cookieOptions: refreshCookiePolicy })
455 );
456 // On a persistent gateway (local/Docker/VPS) opportunistically prune dead refresh records at
457 // startup. Skipped on Netlify, where the blob store is provisioned per-invocation and a cold-start
458 // prune would add latency to the first request; rely on rotation/expiry to keep the store small.
459 if (!process.env.NETLIFY) {
460 Promise.resolve()
461 .then(() => pruneGatewayRefreshTokens())
462 .catch(() => { /* best effort; never fatal */ });
463 }
464
465 // Auth: login redirect — plan routes GET /auth/login, GET /auth/callback/google|github. Preserve invite in state for post-login redirect.
466 // Phase D3: mcp_state query param is passed through OAuth state for MCP authorization flow.
467 // C1/C3 (COMPANION-APP-OAUTH-SERVERSIDE-GATE §6): native_state query param is passed
468 // through OAuth state for the native client authorization flow (prefix "native:").
469 app.get('/auth/login', (req, res, next) => {
470 const provider = (req.query.provider || 'google').toLowerCase();
471 const invite = typeof req.query.invite === 'string' ? req.query.invite.trim() : '';
472 const mcpState = typeof req.query.mcp_state === 'string' ? req.query.mcp_state.trim() : '';
473 const nativeState = typeof req.query.native_state === 'string' ? req.query.native_state.trim() : '';
474 let state;
475 if (mcpState) {
476 state = `mcp:${mcpState}`;
477 } else if (nativeState) {
478 // Prefix distinguishes native auth round-trips from MCP round-trips in the IDP callback.
479 state = `native:${nativeState}`;
480 } else {
481 state = invite || undefined;
482 }
483 if (provider === 'google' && process.env.GOOGLE_CLIENT_ID) {
484 return passport.authenticate('google', { scope: ['profile'], state })(req, res, next);
485 }
486 if (provider === 'github' && process.env.GITHUB_CLIENT_ID) {
487 return passport.authenticate('github', { scope: ['user:email'], state })(req, res, next);
488 }
489 return res.status(400).json({ error: `Unknown or disabled provider: ${provider}`, code: 'BAD_REQUEST' });
490 });
491
492 function postLoginRedirect(token, req) {
493 if (!token) return HUB_UI_ORIGIN + '/hub/?auth_error=1';
494 const invite = typeof req.query.state === 'string' ? req.query.state.trim() : '';
495 let fragment = `token=${encodeURIComponent(token)}`;
496 if (invite && invite.length > 0) fragment += '&invite=' + encodeURIComponent(invite);
497 return `${HUB_UI_ORIGIN}/hub/#${fragment}`;
498 }
499
500 app.get(
501 '/auth/callback/google',
502 passport.authenticate('google', { session: false }),
503 async (req, res) => {
504 const state = typeof req.query.state === 'string' ? req.query.state : '';
505 if (state.startsWith('mcp:') && app._mcpOAuthProvider) {
506 const sub = userId(req.user);
507 if (!sub) return res.status(401).json({ error: 'auth_failed' });
508 return app._mcpOAuthProvider.completeMcpAuthorization(state.slice(4), sub, res);
509 }
510 // C1/C3: native client authorization flow (COMPANION-APP-OAUTH-SERVERSIDE-GATE §6).
511 if (state.startsWith('native:') && app._nativeOAuthProvider) {
512 const sub = userId(req.user);
513 if (!sub) return res.status(401).json({ error: 'auth_failed' });
514 return app._nativeOAuthProvider.completeNativeAuthorization(state.slice(7), sub, res);
515 }
516 const token = issueToken(req.user);
517 await issueRefreshCookieSafe(res, req, userId(req.user));
518 res.redirect(postLoginRedirect(token, req));
519 }
520 );
521 app.get(
522 '/auth/callback/github',
523 passport.authenticate('github', { session: false }),
524 async (req, res) => {
525 const state = typeof req.query.state === 'string' ? req.query.state : '';
526 if (state.startsWith('mcp:') && app._mcpOAuthProvider) {
527 const sub = userId(req.user);
528 if (!sub) return res.status(401).json({ error: 'auth_failed' });
529 return app._mcpOAuthProvider.completeMcpAuthorization(state.slice(4), sub, res);
530 }
531 // C1/C3: native client authorization flow (COMPANION-APP-OAUTH-SERVERSIDE-GATE §6).
532 if (state.startsWith('native:') && app._nativeOAuthProvider) {
533 const sub = userId(req.user);
534 if (!sub) return res.status(401).json({ error: 'auth_failed' });
535 return app._nativeOAuthProvider.completeNativeAuthorization(state.slice(7), sub, res);
536 }
537 const token = issueToken(req.user);
538 await issueRefreshCookieSafe(res, req, userId(req.user));
539 res.redirect(postLoginRedirect(token, req));
540 }
541 );
542
543 // Hub UI may call login under /api/v1/auth for consistency — redirect to /auth (preserve invite for post-login consume)
544 app.get('/api/v1/auth/login', (req, res) => {
545 const provider = (req.query.provider || 'google').toLowerCase();
546 let url = `${BASE_URL}/auth/login?provider=${encodeURIComponent(provider)}`;
547 const invite = typeof req.query.invite === 'string' ? req.query.invite.trim() : '';
548 if (invite) url += '&invite=' + encodeURIComponent(invite);
549 res.redirect(url);
550 });
551
552 // Phase D2/D3: MCP gateway + OAuth 2.1.
553 // MCP requires stateful sessions (SSE, session pool) that are incompatible with Netlify's
554 // serverless function model (26s timeout, no shared memory between invocations).
555 // On Netlify, only the OAuth discovery endpoints are mounted (lightweight, stateless).
556 // The full /mcp session endpoint requires a persistent Express server (local dev, Docker, VPS,
557 // or a dedicated MCP host like Railway/Fly.io). See docs/AGENT-INTEGRATION.md §2 (hosted MCP).
558 if (SESSION_SECRET && !process.env.NETLIFY) {
559 import('./mcp-oauth-provider.mjs').then(async ({ KnowtationOAuthProvider }) => {
560 const { mcpAuthRouter } = await import('@modelcontextprotocol/sdk/server/auth/router.js');
561 const oauthProvider = new KnowtationOAuthProvider({
562 sessionSecret: SESSION_SECRET,
563 baseUrl: BASE_URL,
564 });
565 app._mcpOAuthProvider = oauthProvider;
566 // @modelcontextprotocol/sdk OAuth routes use express-rate-limit behind Nginx. The limiter's
567 // default validations (X-Forwarded-For vs Express trust proxy) still throw ERR_ERL_* on some
568 // Express/SDK mount combinations. Disable express-rate-limit validations for these routes only;
569 // limits stay on; edge limits remain in Nginx (gateway deploy notes in hub/gateway/README.md).
570 const mcpOAuthSdkRateLimitOpts = {
571 rateLimit: { validate: false },
572 };
573 app.use(mcpAuthRouter({
574 provider: oauthProvider,
575 issuerUrl: new URL(BASE_URL),
576 scopesSupported: ['vault:read', 'vault:write', 'vault:admin'],
577 authorizationOptions: mcpOAuthSdkRateLimitOpts,
578 tokenOptions: mcpOAuthSdkRateLimitOpts,
579 clientRegistrationOptions: mcpOAuthSdkRateLimitOpts,
580 revocationOptions: mcpOAuthSdkRateLimitOpts,
581 }));
582 console.log('[gateway] MCP OAuth 2.1 endpoints mounted');
583
584 // C1–C6 (COMPANION-APP-OAUTH-SERVERSIDE-GATE §6): native client OAuth 2.1 endpoints.
585 // The native path issues web-session JWTs (issueToken shape) instead of mcp_access
586 // tokens, uses refresh-token-core for durable rotation, enforces loopback-only
587 // redirect URIs, validates redirect_uri at exchange, and applies a scope ceiling.
588 // Mounted only on the persistent gateway host — same guard as the MCP router.
589 try {
590 const { createNativeOAuthRouter } = await import('./native-oauth-provider.mjs');
591 const { router: nativeRouter, completeNativeAuthorization } = createNativeOAuthRouter({
592 baseUrl: BASE_URL,
593 loginUrl: `${BASE_URL}/auth/login`,
594 issueAccessToken: issueAccessTokenForSub,
595 // C6: grantedScopes resolves the scope ceiling via roleForSub; unknown sub → member.
596 grantedScopes: (sub) => scopesForRole(roleForSub(sub)),
597 // C2/C4: reuse the same durable refresh store as the web session so rotation +
598 // reuse-detection use the same family records. Store is file-backed on this host.
599 refreshStore,
600 });
601 // Bind completeNativeAuthorization so IDP callbacks can reach it (see /auth/callback/*).
602 app._nativeOAuthProvider = { completeNativeAuthorization };
603 app.use('/api/v1/auth/native', nativeRouter);
604 console.log('[gateway] Native OAuth 2.1 endpoints mounted at /api/v1/auth/native');
605
606 // C4: opportunistically prune expired native auth codes at startup.
607 const { pruneExpiredCodes } = await import('./native-as-store.mjs');
608 pruneExpiredCodes().catch(() => { /* best effort; never fatal */ });
609 } catch (e) {
610 console.error('[gateway] Native OAuth router failed to load:', e.message || e);
611 }
612 }).catch((e) => {
613 console.error('[gateway] MCP OAuth router failed to load:', e.message || e);
614 });
615 } else if (SESSION_SECRET && process.env.NETLIFY) {
616 console.log('[gateway] MCP OAuth/session endpoints skipped on Netlify (stateful sessions require persistent server)');
617 }
618
619 if (BRIDGE_URL && CANISTER_URL && !process.env.NETLIFY) {
620 import('./mcp-proxy.mjs').then(({ createMcpProxyRouter }) => {
621 const mcpRouter = createMcpProxyRouter({
622 getUserId,
623 getHostedAccessContext,
624 canisterUrl: CANISTER_URL,
625 canisterAuthSecret: CANISTER_AUTH_SECRET,
626 bridgeUrl: BRIDGE_URL,
627 gatewayApiBaseUrl: BASE_URL.replace(/\/$/, ''),
628 sessionSecret: SESSION_SECRET || '',
629 });
630 app.use('/mcp', mcpRouter);
631 console.log('[gateway] MCP endpoint mounted at /mcp');
632 if (!CANISTER_AUTH_SECRET) {
633 console.warn(
634 '[gateway] MCP /mcp: CANISTER_AUTH_SECRET is empty. Direct canister HTTP calls from hosted MCP (list_notes, get_note, write, enrich; summarize note fetches) send no X-Gateway-Auth and the canister returns GATEWAY_AUTH_REQUIRED. Set the same CANISTER_AUTH_SECRET as the Netlify gateway and as configured on the canister (admin_set_gateway_auth_secret), then pm2 restart with --update-env.'
635 );
636 }
637 }).catch((e) => {
638 console.error('[gateway] MCP proxy failed to load:', e.message || e);
639 });
640 } else if (process.env.NETLIFY) {
641 app.all('/mcp', (_req, res) => {
642 res.status(503).json({
643 error: 'MCP endpoint requires a persistent server. Connect to the dedicated MCP host or use self-hosted deployment.',
644 code: 'MCP_NETLIFY_UNSUPPORTED',
645 docs: 'https://github.com/aaronrene/knowtation/blob/main/docs/AGENT-INTEGRATION.md',
646 });
647 });
648 }
649
650 // Connect GitHub + Back up now: proxy to bridge when BRIDGE_URL is set (single origin for UI)
651 if (BRIDGE_URL) {
652 app.get('/api/v1/auth/github-connect', (req, res) => {
653 const q = new URLSearchParams(req.query).toString();
654 res.redirect(`${BRIDGE_URL}/auth/github-connect${q ? '?' + q : ''}`);
655 });
656 // Browsers send OPTIONS preflight before POST with Authorization + JSON body. The bridge only
657 // registers POST /api/v1/vault/sync, so proxying OPTIONS returns 404 and surfaces as "Failed to fetch".
658 app.all('/api/v1/vault/sync', async (req, res) => {
659 if (req.method === 'OPTIONS') {
660 return res.status(204).end();
661 }
662 const url = BRIDGE_URL + '/api/v1/vault/sync' + (req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '');
663 await proxyTo(BRIDGE_URL, url, req, res);
664 });
665 app.all('/api/v1/vaults/:vaultId', async (req, res) => {
666 if (req.method === 'OPTIONS') {
667 return res.status(204).end();
668 }
669 if (req.method !== 'DELETE') {
670 return res.status(405).json({ error: 'Method not allowed', code: 'METHOD_NOT_ALLOWED' });
671 }
672 if (!(await runBillingGate(req, res, getUserId))) return;
673 const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
674 const url =
675 BRIDGE_URL + '/api/v1/vaults/' + encodeURIComponent(req.params.vaultId) + q;
676 await proxyTo(BRIDGE_URL, url, req, res);
677 });
678 app.get('/api/v1/vault/github-status', async (req, res) => {
679 const url = BRIDGE_URL + '/api/v1/vault/github-status' + (req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '');
680 await proxyTo(BRIDGE_URL, url, req, res);
681 });
682 app.post('/api/v1/search', async (req, res) => {
683 if (!(await runBillingGate(req, res, getUserId))) return;
684 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/search', req, res);
685 });
686 app.post('/api/v1/index', async (req, res) => {
687 if (!(await runBillingGate(req, res, getUserId))) return;
688 const uid = getUserId(req);
689 const headers = { ...req.headers, host: new URL(BRIDGE_URL).host };
690 delete headers.origin;
691 delete headers.referer;
692 const opts = { method: 'POST', headers };
693 const payload =
694 req.body === undefined ? undefined : typeof req.body === 'string' ? req.body : JSON.stringify(req.body);
695 if (payload !== undefined) {
696 opts.body = payload;
697 stripStaleOutboundBodyHeaders(headers);
698 }
699 try {
700 const upstream = await fetch(BRIDGE_URL + '/api/v1/index', opts);
701 const body = await upstream.text();
702 if (uid) await recordIndexingTokensAfterBridgeIndex(uid, upstream.status, body);
703 const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries());
704 res.status(upstream.status).set(Object.fromEntries(hop));
705 res.send(body);
706 } catch (e) {
707 console.error('Gateway proxy (bridge) error:', e.message);
708 res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
709 }
710 });
711 // GET /api/v1/index/status — read-only sidecar describing the last successful
712 // index + whether a background job is currently in flight. Added in May 2026
713 // alongside the auto-routing index path (PR #205) so the Hub UI can render
714 // `Last indexed: N minutes ago` next to the Re-index button.
715 //
716 // Auth scoping happens at the bridge (`requireBridgeAuth` + vault-scoping).
717 // We deliberately DO NOT run `runBillingGate` here — this is a passive read,
718 // not a billable index operation, and the Hub UI calls this on every page
719 // load (so charging would be both incorrect and abusive).
720 //
721 // See `test/gateway-index-status-proxy.test.mjs` for the contract test that
722 // prevents this handler from being silently removed.
723 app.get('/api/v1/index/status', async (req, res) => {
724 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/index/status', req, res);
725 });
726 // Roles & invites: proxy to bridge (bridge has persistent storage)
727 app.get('/api/v1/roles', requireAdmin, async (req, res) => {
728 await proxyTo(BRIDGE_URL, BRIDGE_URL + req.originalUrl, req, res);
729 });
730 app.post('/api/v1/roles', requireAdmin, async (req, res) => {
731 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/roles', req, res);
732 });
733 app.post('/api/v1/roles/evaluator-may-approve', requireAdmin, async (req, res) => {
734 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/roles/evaluator-may-approve', req, res);
735 });
736 app.get('/api/v1/invites', requireAdmin, async (req, res) => {
737 await proxyTo(BRIDGE_URL, BRIDGE_URL + req.originalUrl, req, res);
738 });
739 app.post('/api/v1/invites', requireAdmin, async (req, res) => {
740 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/invites', req, res);
741 });
742 app.delete('/api/v1/invites/:token', requireAdmin, async (req, res) => {
743 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/invites/' + encodeURIComponent(req.params.token), req, res);
744 });
745 app.post('/api/v1/invites/consume', (req, res, next) => {
746 const uid = getUserId(req);
747 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
748 next();
749 }, async (req, res) => {
750 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/invites/consume', req, res);
751 });
752 app.get('/api/v1/workspace', requireAdmin, async (req, res) => {
753 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/workspace', req, res);
754 });
755 app.post('/api/v1/workspace', requireAdmin, async (req, res) => {
756 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/workspace', req, res);
757 });
758 app.get('/api/v1/vault-access', requireAdmin, async (req, res) => {
759 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/vault-access', req, res);
760 });
761 app.post('/api/v1/vault-access', requireAdmin, async (req, res) => {
762 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/vault-access', req, res);
763 });
764 app.get('/api/v1/scope', requireAdmin, async (req, res) => {
765 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/scope', req, res);
766 });
767 app.post('/api/v1/scope', requireAdmin, async (req, res) => {
768 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/scope', req, res);
769 });
770 app.get('/api/v1/hosted-context', async (req, res, next) => {
771 const uid = getUserId(req);
772 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
773 next();
774 }, async (req, res) => {
775 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/hosted-context', req, res);
776 });
777
778 // Memory routes: proxy to bridge (per-user/vault isolation handled by bridge)
779 app.get('/api/v1/memory/:key', async (req, res) => {
780 const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
781 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/' + encodeURIComponent(req.params.key) + q, req, res);
782 });
783 app.post('/api/v1/memory/store', async (req, res) => {
784 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/store', req, res);
785 });
786 app.get('/api/v1/memory', async (req, res) => {
787 const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
788 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory' + q, req, res);
789 });
790 app.post('/api/v1/memory/search', async (req, res) => {
791 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/search', req, res);
792 });
793 app.delete('/api/v1/memory/clear', async (req, res) => {
794 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/clear', req, res);
795 });
796 app.get('/api/v1/memory-stats', async (req, res) => {
797 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory-stats', req, res);
798 });
799 // Consolidation routes: proxy to bridge with billing gate on POST
800 app.post('/api/v1/memory/consolidate', async (req, res) => {
801 if (!(await runBillingGate(req, res, getUserId))) return;
802 const uid = getUserId(req);
803 try {
804 const db = await loadBillingDb();
805 const raw = db.users?.[uid] || defaultUserRecord(uid);
806 const u = normalizeBillingUser(raw);
807 req.body = mergeConsolidateRequestBodyWithBillingDefaults(
808 req.body && typeof req.body === 'object' ? req.body : {},
809 u,
810 );
811 } catch (_) {
812 /* fail open: bridge merges with billing file / defaults */
813 }
814 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/consolidate', req, res);
815 });
816 app.get('/api/v1/memory/consolidate/status', async (req, res) => {
817 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/memory/consolidate/status', req, res);
818 });
819
820 // Calendar routes (hosted parity — step 12): proxy read + toggle PATCH to bridge event store.
821 app.get('/api/v1/calendar/timeline', async (req, res) => {
822 const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
823 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/calendar/timeline' + q, req, res);
824 });
825 app.get('/api/v1/calendar/agent-context', async (req, res) => {
826 const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
827 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/calendar/agent-context' + q, req, res);
828 });
829 app.get('/api/v1/calendar/source-calendars', async (req, res) => {
830 const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
831 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/calendar/source-calendars' + q, req, res);
832 });
833 app.patch('/api/v1/calendar/source-calendars/:id', async (req, res) => {
834 const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
835 await proxyTo(
836 BRIDGE_URL,
837 BRIDGE_URL + '/api/v1/calendar/source-calendars/' + encodeURIComponent(req.params.id) + q,
838 req,
839 res,
840 );
841 });
842 app.post('/api/v1/calendar/events/import', async (req, res) => {
843 const q = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
844 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/calendar/events/import' + q, req, res);
845 });
846
847 // Phase 18: image upload — gateway buffers the file, fetches GitHub token from bridge,
848 // then commits directly to GitHub (avoids forwarding a multipart body to another Lambda).
849 app.post(/^\/api\/v1\/notes\/(.+)\/upload-image$/, async (req, res) => {
850 const uid = getUserId(req);
851 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
852
853 // 1. Get GitHub connection (token + repo) from bridge.
854 let ghToken, ghRepo;
855 try {
856 const tokenRes = await fetch(`${BRIDGE_URL}/api/v1/vault/github-token`, {
857 headers: { authorization: req.headers.authorization || '' },
858 });
859 if (!tokenRes.ok) {
860 const errData = await tokenRes.json().catch(() => ({}));
861 return res.status(tokenRes.status).json({
862 error: errData.error || 'GitHub not connected',
863 code: errData.code || 'GITHUB_NOT_CONNECTED',
864 });
865 }
866 const data = await tokenRes.json();
867 ghToken = data.token;
868 ghRepo = data.repo;
869 } catch (e) {
870 return res.status(502).json({ error: 'Could not reach bridge', code: 'BAD_GATEWAY' });
871 }
872 if (!ghToken) return res.status(400).json({ error: 'GitHub not connected', code: 'GITHUB_NOT_CONNECTED' });
873 if (!ghRepo) return res.status(400).json({ error: 'GitHub repo not set. Back up once first to set the remote.', code: 'GITHUB_NOT_CONFIGURED' });
874
875 // 2. Buffer the uploaded file from the multipart body.
876 let fileBuffer, originalName, mimeType;
877 try {
878 const raw = await bufferImportRequestBody(req);
879 const ct = req.headers['content-type'] || '';
880 const boundaryMatch = ct.match(/boundary=([^\s;]+)/i);
881 if (!boundaryMatch) return res.status(400).json({ error: 'Content-Type boundary missing', code: 'BAD_REQUEST' });
882 const boundary = boundaryMatch[1];
883 // Parse the first file part from the multipart body manually (avoids multer dependency).
884 const parsed = parseMultipartFile(raw, boundary);
885 if (!parsed) return res.status(400).json({ error: 'image file required', code: 'BAD_REQUEST' });
886 fileBuffer = parsed.data;
887 originalName = parsed.filename || 'image.jpg';
888 mimeType = parsed.contentType || 'application/octet-stream';
889 } catch (e) {
890 return res.status(500).json({ error: 'Could not read upload body', code: 'INTERNAL_ERROR' });
891 }
892
893 // 3. Validate extension, content-type, and magic bytes.
894 try { validateImageExtension(originalName); } catch (e) {
895 return res.status(400).json({ error: e.message, code: 'BAD_REQUEST' });
896 }
897 if (!mimeType.toLowerCase().startsWith('image/')) {
898 return res.status(400).json({ error: 'File content-type must be image/*', code: 'BAD_REQUEST' });
899 }
900 const ext = originalName.split('.').pop().toLowerCase();
901 const magicOk = validateMagicBytes(fileBuffer, ext);
902 if (!magicOk) {
903 return res.status(400).json({ error: 'File content does not match declared image type', code: 'BAD_REQUEST' });
904 }
905
906 // 4. Commit to GitHub directly from the gateway.
907 try {
908 const now = new Date();
909 const yearMonth = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, '0')}`;
910 const safeName = originalName.replace(/[^a-zA-Z0-9._-]/g, '_').slice(0, 128);
911 const uniqueName = `${Date.now()}-${safeName}`;
912 const repoFilePath = `media/images/${yearMonth}/${uniqueName}`;
913 const result = await commitImageToRepo({
914 accessToken: ghToken,
915 repoUrl: ghRepo,
916 filePath: repoFilePath,
917 fileBuffer,
918 commitMessage: `Add image: ${safeName}`,
919 });
920 return res.json({
921 url: result.url,
922 inserted_markdown: `![${safeName}](${result.url})`,
923 sha: result.sha,
924 repo_path: repoFilePath,
925 repo_private: result.isPrivate === true,
926 });
927 } catch (e) {
928 const msg = e.message || String(e);
929 const clientErr = /not found|not connected|lacks permission|lacks repo|Reconnect|scope|remote/i.test(msg);
930 return res.status(clientErr ? 400 : 500).json({ error: msg, code: clientErr ? 'BAD_REQUEST' : 'RUNTIME_ERROR' });
931 }
932 });
933
934 app.get('/api/v1/vault/image-proxy-token', (req, res) => {
935 const uid = getUserId(req);
936 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
937 if (!SESSION_SECRET) return res.status(503).json({ error: 'Not configured', code: 'NOT_CONFIGURED' });
938 const token = signImageProxyToken(SESSION_SECRET, uid);
939 res.json({ token, expires_in: IMAGE_PROXY_TOKEN_TTL_SECONDS });
940 });
941
942 app.get('/api/v1/vault/image-proxy', async (req, res) => {
943 const auth = req.headers.authorization || '';
944 const headerToken = auth.startsWith('Bearer ') ? auth.slice(7) : null;
945 const queryToken = typeof req.query.token === 'string' ? req.query.token : null;
946 let uid = headerToken ? getUserId({ headers: { authorization: `Bearer ${headerToken}` } }) : null;
947 let jwtTokenForBridge = headerToken || '';
948 if (!uid && queryToken && SESSION_SECRET) {
949 uid = verifyImageProxyToken(SESSION_SECRET, queryToken);
950 }
951 // Backward compat: old hub.js sends full JWT as ?token= (pre-signed-token change).
952 if (!uid && queryToken) {
953 const fromJwt = getUserId({ headers: { authorization: `Bearer ${queryToken}` } });
954 if (fromJwt) { uid = fromJwt; jwtTokenForBridge = queryToken; }
955 }
956 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
957
958 // When uid is known but no JWT to forward (HMAC token auth path), mint a
959 // short-lived gateway JWT so the bridge can identify the user.
960 if (!jwtTokenForBridge && SESSION_SECRET) {
961 try { jwtTokenForBridge = jwt.sign({ sub: uid }, SESSION_SECRET, { expiresIn: '5m' }); } catch (_) {}
962 }
963
964 const rawUrl = typeof req.query.url === 'string' ? req.query.url : '';
965 if (!rawUrl) return res.status(400).json({ error: 'url parameter required', code: 'BAD_REQUEST' });
966
967 // Only proxy raw.githubusercontent.com URLs to prevent SSRF.
968 const rawMatch = rawUrl.match(
969 /^https:\/\/raw\.githubusercontent\.com\/([^/]+)\/([^/]+)\/([^/]+)\/(.+)$/i,
970 );
971 if (!rawMatch) {
972 return res.status(400).json({ error: 'Only raw.githubusercontent.com URLs are supported', code: 'BAD_REQUEST' });
973 }
974 const [, owner, repo, ref, filePath] = rawMatch;
975
976 let ghToken = null;
977 if (jwtTokenForBridge) {
978 try {
979 const tokenRes = await fetch(`${BRIDGE_URL}/api/v1/vault/github-token`, {
980 headers: { authorization: `Bearer ${jwtTokenForBridge}` },
981 });
982 if (tokenRes.ok) {
983 const data = await tokenRes.json();
984 ghToken = data.token || null;
985 }
986 } catch (_) { /* bridge unreachable — fall through, public repos still work */ }
987 }
988
989 if (!ghToken) {
990 // No stored GitHub token — assume the repo is public and redirect directly.
991 return res.redirect(302, rawUrl);
992 }
993
994 // Use the GitHub Contents API to get a signed, short-lived download_url for the file.
995 // This avoids sending the PAT in the redirect URL while still letting private-repo images load.
996 const apiUrl =
997 `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}` +
998 `?ref=${encodeURIComponent(ref)}`;
999 try {
1000 const apiRes = await fetch(apiUrl, {
1001 headers: {
1002 Authorization: `token ${ghToken}`,
1003 Accept: 'application/vnd.github.v3+json',
1004 'User-Agent': 'Knowtation-Hub/1.0',
1005 },
1006 });
1007 if (apiRes.ok) {
1008 const data = await apiRes.json();
1009 const dlUrl = data.download_url || rawUrl;
1010 res.setHeader('Cache-Control', 'private, max-age=300');
1011 return res.redirect(302, dlUrl);
1012 }
1013 // GitHub returned an error (e.g. 404 file missing, 403 large-file).
1014 const errBody = await apiRes.json().catch(() => ({}));
1015 return res.status(apiRes.status).json({
1016 error: errBody.message || 'Image not found on GitHub',
1017 code: 'UPSTREAM_ERROR',
1018 });
1019 } catch (e) {
1020 return res.status(502).json({ error: 'Failed to fetch image metadata from GitHub', code: 'BAD_GATEWAY' });
1021 }
1022 });
1023 }
1024
1025 /**
1026 * Safe client request headers that may be forwarded to upstream services.
1027 * Using an explicit allowlist prevents host-header injection, internal proxy header leakage,
1028 * and forwarding of security-sensitive headers (cookies, x-forwarded-for, etc.) to upstreams.
1029 */
1030 const PROXY_HEADER_ALLOWLIST = new Set([
1031 'content-type',
1032 'accept',
1033 'accept-language',
1034 'accept-encoding',
1035 ]);
1036
1037 /**
1038 * Incoming headers describe the *client* body. We often re-serialize JSON (provenance merge), so
1039 * length and transfer-related headers must not be forwarded: Undici can hang or mis-send if
1040 * Content-Length still matches the old, shorter body.
1041 */
1042 function stripStaleOutboundBodyHeaders(headers) {
1043 for (const k of Object.keys(headers)) {
1044 const l = k.toLowerCase();
1045 if (
1046 l === 'content-length' ||
1047 l === 'transfer-encoding' ||
1048 l === 'content-encoding'
1049 ) {
1050 delete headers[k];
1051 }
1052 }
1053 }
1054
1055 async function proxyTo(baseUrl, url, req, res) {
1056 const headers = { host: new URL(baseUrl).host };
1057 // Allowlist: only forward safe headers; also forward authorization for bridge JWT auth
1058 // and x-vault-id for vault routing. Never forward origin, referer, cookies, or proxy headers.
1059 for (const k of PROXY_HEADER_ALLOWLIST) {
1060 if (req.headers[k] !== undefined) headers[k] = req.headers[k];
1061 }
1062 if (req.headers.authorization) headers.authorization = req.headers.authorization;
1063 if (req.headers['x-vault-id']) headers['x-vault-id'] = req.headers['x-vault-id'];
1064 const opts = { method: req.method, headers };
1065 if (req.method !== 'GET' && req.method !== 'HEAD' && req.body !== undefined) {
1066 opts.body = typeof req.body === 'string' ? req.body : JSON.stringify(req.body);
1067 stripStaleOutboundBodyHeaders(headers);
1068 }
1069 try {
1070 const upstream = await fetch(url, opts);
1071 const body = await upstream.text();
1072 const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries());
1073 res.status(upstream.status).set(Object.fromEntries(hop));
1074 res.send(body);
1075 } catch (e) {
1076 console.error('Gateway proxy (bridge) error:', e.message);
1077 res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
1078 }
1079 }
1080
1081 /**
1082 * Read multipart/raw POST body for import proxy.
1083 * Netlify (serverless-http) attaches the Lambda body as Buffer on `req.body` and uses a synthetic stream;
1084 * `fetch(req, { duplex })` is unreliable there — always buffer then POST bytes.
1085 * @param {import('express').Request} req
1086 * @returns {Promise<Buffer>}
1087 */
1088 async function bufferImportRequestBody(req) {
1089 if (Buffer.isBuffer(req.body)) return req.body;
1090 if (req.body instanceof Uint8Array) return Buffer.from(req.body);
1091 if (typeof req.body === 'string') return Buffer.from(req.body, 'latin1');
1092 const chunks = [];
1093 for await (const chunk of req) {
1094 chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
1095 }
1096 return Buffer.concat(chunks);
1097 }
1098
1099
1100 /**
1101 * Multipart import: forward body bytes to bridge (do not use proxyTo — body is not JSON in req.body).
1102 * @param {string} _baseUrl - bridge origin (reserved for diagnostics; fetch URL is `url`)
1103 * @param {string} url - full URL to bridge /api/v1/import
1104 * @param {import('express').Request} req
1105 * @param {import('express').Response} res
1106 */
1107 async function proxyImportToBridge(_baseUrl, url, req, res) {
1108 let raw;
1109 try {
1110 raw = await bufferImportRequestBody(req);
1111 } catch (e) {
1112 console.error('Gateway import proxy (read body):', e.message || e);
1113 return res.status(500).json({ error: 'Could not read upload body', code: 'INTERNAL_ERROR' });
1114 }
1115 if (!raw.length) {
1116 return res.status(400).json({ error: 'Empty upload body', code: 'BAD_REQUEST' });
1117 }
1118 // Do not set `Host` manually — undici derives it from the request URL; a wrong Host breaks some upstreams.
1119 const headers = {
1120 authorization: req.headers.authorization || '',
1121 'x-vault-id': String(req.headers['x-vault-id'] || 'default'),
1122 };
1123 const ct = req.headers['content-type'];
1124 if (ct) headers['content-type'] = ct;
1125 headers['content-length'] = String(raw.length);
1126 let upstream;
1127 try {
1128 upstream = await fetch(url, {
1129 method: 'POST',
1130 headers,
1131 body: raw,
1132 });
1133 } catch (e) {
1134 console.error('Gateway import proxy error:', e.message, e.cause);
1135 const detail = e.cause?.message || e.message || String(e);
1136 return res.status(502).json({
1137 error: 'Bad Gateway',
1138 code: 'BAD_GATEWAY',
1139 detail,
1140 });
1141 }
1142 const body = await upstream.text();
1143 const upstreamCt = upstream.headers.get('content-type') || '';
1144 if (
1145 upstream.status >= 400 &&
1146 !/application\/json/i.test(upstreamCt) &&
1147 body.trimStart().startsWith('<')
1148 ) {
1149 return res.status(upstream.status).json({
1150 error: 'Import service returned a non-JSON error (check bridge Netlify function logs).',
1151 code: 'BAD_GATEWAY',
1152 detail: `HTTP ${upstream.status}`,
1153 });
1154 }
1155 const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries());
1156 res.status(upstream.status).set(Object.fromEntries(hop));
1157 res.send(body);
1158 }
1159
1160 // Proxy /api/* to canister with X-User-Id from JWT
1161 function getUserId(req) {
1162 const auth = req.headers.authorization;
1163 const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
1164 return token ? verifyToken(token) : null;
1165 }
1166
1167 /**
1168 * Validate a hosted SectionSource note path before any upstream fetch.
1169 * @param {unknown} rawPath
1170 * @returns {string}
1171 */
1172 function normalizeGatewaySectionSourcePath(rawPath) {
1173 if (typeof rawPath !== 'string' || rawPath.trim() === '') {
1174 throw new Error('Invalid path');
1175 }
1176 const forward = rawPath.trim().replace(/\\/g, '/');
1177 if (forward.startsWith('/') || /^[A-Za-z]:\//.test(forward)) {
1178 throw new Error('Invalid path');
1179 }
1180 const parts = forward.split('/').filter(Boolean);
1181 if (parts.includes('..')) {
1182 throw new Error('Invalid path');
1183 }
1184 return parts.join('/');
1185 }
1186
1187 /**
1188 * Validate a hosted NoteOutline note path before any upstream fetch.
1189 * @param {unknown} rawPath
1190 * @returns {string}
1191 */
1192 function normalizeGatewayNoteOutlinePath(rawPath) {
1193 return normalizeGatewaySectionSourcePath(rawPath);
1194 }
1195
1196 /**
1197 * Validate a hosted DocumentTree note path before any upstream fetch.
1198 * @param {unknown} rawPath
1199 * @returns {string}
1200 */
1201 function normalizeGatewayDocumentTreePath(rawPath) {
1202 return normalizeGatewaySectionSourcePath(rawPath);
1203 }
1204
1205 /**
1206 * Validate a hosted MetadataFacets note path before any upstream fetch.
1207 * @param {unknown} rawPath
1208 * @returns {string}
1209 */
1210 function normalizeGatewayMetadataFacetsPath(rawPath) {
1211 return normalizeGatewaySectionSourcePath(rawPath);
1212 }
1213
1214 /**
1215 * @param {unknown} error
1216 */
1217 function sanitizedSectionSourceGatewayError(error) {
1218 const msg = error?.message || String(error ?? '');
1219 if (/^Invalid path\b/.test(msg)) return { status: 400, error: 'Invalid path', code: 'INVALID_PATH' };
1220 return { status: 502, error: 'Bad Gateway', code: 'BAD_GATEWAY' };
1221 }
1222
1223 /**
1224 * @param {unknown} error
1225 */
1226 function sanitizedNoteOutlineGatewayError(error) {
1227 return sanitizedSectionSourceGatewayError(error);
1228 }
1229
1230 /**
1231 * @param {unknown} error
1232 */
1233 function sanitizedDocumentTreeGatewayError(error) {
1234 return sanitizedSectionSourceGatewayError(error);
1235 }
1236
1237 /**
1238 * @param {unknown} error
1239 */
1240 function sanitizedMetadataFacetsGatewayError(error) {
1241 return sanitizedSectionSourceGatewayError(error);
1242 }
1243
1244 const hostedCtxCache = new Map();
1245 const HOSTED_CTX_TTL_MS = 60_000;
1246 const HOSTED_CONTEXT_FETCH_TIMEOUT_MS = (() => {
1247 const n = parseInt(String(process.env.HOSTED_CONTEXT_FETCH_TIMEOUT_MS || ''), 10);
1248 if (!Number.isFinite(n)) return 3000;
1249 return Math.min(10_000, Math.max(250, n));
1250 })();
1251
1252 function hostedContextAbortSignal() {
1253 return typeof AbortSignal !== 'undefined' && typeof AbortSignal.timeout === 'function'
1254 ? AbortSignal.timeout(HOSTED_CONTEXT_FETCH_TIMEOUT_MS)
1255 : undefined;
1256 }
1257
1258 /**
1259 * Bridge-hosted team context (vault allowlist + scope + effective canister user). Cached briefly per (sub, vaultId).
1260 * @param {import('express').Request} req
1261 * @returns {Promise<Record<string, unknown>|null>}
1262 */
1263 async function getHostedAccessContext(req) {
1264 if (!BRIDGE_URL) return null;
1265 const auth = req.headers.authorization;
1266 if (!auth || !auth.startsWith('Bearer ')) return null;
1267 const sub = getUserId(req);
1268 if (!sub) return null;
1269 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
1270 const cacheKey = `${sub}\0${vaultId}`;
1271 const now = Date.now();
1272 const hit = hostedCtxCache.get(cacheKey);
1273 if (hit && hit.expires > now) return hit.data;
1274 try {
1275 const signal = hostedContextAbortSignal();
1276 const r = await fetch(BRIDGE_URL + '/api/v1/hosted-context', {
1277 method: 'GET',
1278 headers: {
1279 Authorization: auth,
1280 Accept: 'application/json',
1281 'X-Vault-Id': vaultId,
1282 },
1283 ...(signal ? { signal } : {}),
1284 });
1285 if (!r.ok) return null;
1286 const data = await r.json();
1287 if (data && data.error && !data.effective_canister_user_id) return null;
1288 hostedCtxCache.set(cacheKey, { expires: now + HOSTED_CTX_TTL_MS, data });
1289 return data;
1290 } catch (_) {
1291 return null;
1292 }
1293 }
1294
1295 /**
1296 * Hosted team context for an explicit vault (e.g. cross-vault copy source/target checks).
1297 * @param {string} authorization Bearer JWT
1298 * @param {string} vaultId
1299 * @returns {Promise<Record<string, unknown>|null>}
1300 */
1301 async function fetchHostedAccessContextForVault(authorization, vaultId) {
1302 if (!BRIDGE_URL || !authorization || !authorization.startsWith('Bearer ')) return null;
1303 const token = authorization.slice(7);
1304 const sub = verifyToken(token);
1305 if (!sub) return null;
1306 const vid = String(vaultId || 'default').trim() || 'default';
1307 const cacheKey = `${sub}\0${vid}`;
1308 const now = Date.now();
1309 const hit = hostedCtxCache.get(cacheKey);
1310 if (hit && hit.expires > now) return hit.data;
1311 try {
1312 const signal = hostedContextAbortSignal();
1313 const r = await fetch(BRIDGE_URL + '/api/v1/hosted-context', {
1314 method: 'GET',
1315 headers: {
1316 Authorization: authorization,
1317 Accept: 'application/json',
1318 'X-Vault-Id': vid,
1319 },
1320 ...(signal ? { signal } : {}),
1321 });
1322 if (!r.ok) return null;
1323 const data = await r.json();
1324 if (data && data.error && !data.effective_canister_user_id) return null;
1325 hostedCtxCache.set(cacheKey, { expires: now + HOSTED_CTX_TTL_MS, data });
1326 return data;
1327 } catch (_) {
1328 return null;
1329 }
1330 }
1331
1332 const metadataBulkHandlers = createMetadataBulkHandlers({
1333 CANISTER_URL,
1334 CANISTER_AUTH_SECRET,
1335 BRIDGE_URL,
1336 SESSION_SECRET: SESSION_SECRET || '',
1337 getUserId,
1338 getHostedAccessContext,
1339 });
1340
1341 app.get('/api/v1/billing/summary', (req, res) => handleBillingSummary(req, res, getUserId));
1342
1343 /**
1344 * POST /api/v1/admin/billing/repair
1345 *
1346 * Admin-only endpoint to directly write billing tier and Stripe linkage fields for a user.
1347 * Used to recover from missed or unprocessable Stripe webhook deliveries (e.g. webhook pointed
1348 * at old URL, checkout session never had user_id metadata, billing DB was empty on a new deploy).
1349 *
1350 * Auth: Bearer JWT with admin role (sub must be in HUB_ADMIN_USER_IDS env var).
1351 * Body: { uid?, tier, stripe_subscription_id?, stripe_customer_id?, has_active_subscription? }
1352 * - uid: target Knowtation user ID (defaults to the calling admin's own uid)
1353 * - tier: required — one of: free | beta | plus | growth | pro | starter | team
1354 * - stripe_subscription_id: if provided (non-null), also sets has_active_subscription = true
1355 * - has_active_subscription: optional boolean override; when omitted, defaults to true
1356 * whenever a non-null stripe_subscription_id is supplied, and no-op otherwise
1357 * - stripe_customer_id: if provided, links the user to their Stripe customer so future
1358 * webhook events (subscription.updated, etc.) can find them
1359 *
1360 * All mutations are logged. This endpoint does NOT create a Stripe subscription — it only
1361 * repairs the local billing DB record.
1362 */
1363 const VALID_REPAIR_TIERS = new Set(['free', 'beta', 'plus', 'growth', 'pro', 'starter', 'team']);
1364
1365 app.post('/api/v1/admin/billing/repair', async (req, res) => {
1366 const callerUid = getUserId(req);
1367 if (!callerUid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1368 if (roleForSub(callerUid) !== 'admin') return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
1369
1370 const body = req.body && typeof req.body === 'object' ? req.body : {};
1371 const targetUid = typeof body.uid === 'string' && body.uid.trim() ? body.uid.trim() : callerUid;
1372 const tier = typeof body.tier === 'string' ? body.tier.trim() : '';
1373
1374 if (!VALID_REPAIR_TIERS.has(tier)) {
1375 return res.status(400).json({
1376 error: 'Invalid or missing tier',
1377 code: 'BAD_REQUEST',
1378 valid_tiers: [...VALID_REPAIR_TIERS],
1379 });
1380 }
1381
1382 const stripeSubId =
1383 typeof body.stripe_subscription_id === 'string' ? body.stripe_subscription_id.trim() || null : undefined;
1384 const stripeCustomerId =
1385 typeof body.stripe_customer_id === 'string' ? body.stripe_customer_id.trim() || null : undefined;
1386 // Explicit override: caller may pass has_active_subscription=false to deactivate.
1387 // When stripe_subscription_id is provided: truthy value → true, null (cleared) → false.
1388 // When stripe_subscription_id is omitted entirely: no-op (undefined).
1389 const hasActiveSub =
1390 typeof body.has_active_subscription === 'boolean'
1391 ? body.has_active_subscription
1392 : stripeSubId !== undefined
1393 ? (stripeSubId !== null)
1394 : undefined;
1395
1396 let before;
1397 try {
1398 await mutateBillingDb((db) => {
1399 if (!db.users[targetUid]) db.users[targetUid] = defaultUserRecord(targetUid);
1400 const u = db.users[targetUid];
1401 before = {
1402 tier: u.tier,
1403 has_active_subscription: u.has_active_subscription,
1404 stripe_subscription_id: u.stripe_subscription_id,
1405 stripe_customer_id: u.stripe_customer_id,
1406 };
1407 u.tier = tier;
1408 if (MONTHLY_INCLUDED_CENTS_BY_TIER[tier] !== undefined) {
1409 u.monthly_included_cents = MONTHLY_INCLUDED_CENTS_BY_TIER[tier];
1410 }
1411 if (stripeSubId !== undefined) u.stripe_subscription_id = stripeSubId;
1412 if (stripeCustomerId !== undefined) u.stripe_customer_id = stripeCustomerId;
1413 if (hasActiveSub !== undefined) u.has_active_subscription = hasActiveSub;
1414 });
1415 } catch (e) {
1416 console.error('[admin/billing/repair] mutateBillingDb failed:', e?.message);
1417 return res.status(500).json({ error: 'Internal Server Error', code: 'INTERNAL' });
1418 }
1419
1420 console.log(
1421 `[admin/billing/repair] caller=${callerUid} target=${targetUid}` +
1422 ` tier: ${before?.tier} → ${tier}` +
1423 (hasActiveSub !== undefined ? ` has_active_subscription: ${before?.has_active_subscription} → ${hasActiveSub}` : '') +
1424 (stripeSubId !== undefined ? ` sub: ${before?.stripe_subscription_id} → ${stripeSubId}` : '') +
1425 (stripeCustomerId !== undefined ? ` cus: ${before?.stripe_customer_id} → ${stripeCustomerId}` : ''),
1426 );
1427
1428 return res.json({
1429 ok: true,
1430 uid: targetUid,
1431 tier,
1432 has_active_subscription: hasActiveSub !== undefined ? hasActiveSub : '(unchanged)',
1433 stripe_subscription_id: stripeSubId !== undefined ? stripeSubId : '(unchanged)',
1434 stripe_customer_id: stripeCustomerId !== undefined ? stripeCustomerId : '(unchanged)',
1435 before,
1436 });
1437 });
1438
1439 /**
1440 * POST /api/v1/billing/checkout
1441 * Body: { price_id, success_url, cancel_url } OR { tier, success_url, cancel_url }
1442 * Returns: { url } — Stripe Checkout Session URL.
1443 * mode is automatically determined: subscription for tiers, payment for token packs.
1444 */
1445 app.post('/api/v1/billing/checkout', async (req, res) => {
1446 const uid = getUserId(req);
1447 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1448
1449 const body = req.body && typeof req.body === 'object' ? req.body : {};
1450 let priceId = typeof body.price_id === 'string' ? body.price_id.trim() : null;
1451
1452 if (!priceId && typeof body.tier === 'string') {
1453 priceId = priceIdFromTierShorthand(body.tier.trim());
1454 if (!priceId) {
1455 return res.status(400).json({
1456 error: `Unknown tier '${body.tier}' or Stripe price env var not configured.`,
1457 code: 'BAD_REQUEST',
1458 });
1459 }
1460 }
1461
1462 if (!priceId && typeof body.pack_size === 'string') {
1463 const packSizeMap = {
1464 small: process.env.STRIPE_PRICE_PACK_10 || null,
1465 medium: process.env.STRIPE_PRICE_PACK_25 || null,
1466 large: process.env.STRIPE_PRICE_PACK_50 || null,
1467 };
1468 priceId = packSizeMap[body.pack_size.toLowerCase()] || null;
1469 if (!priceId) {
1470 return res.status(400).json({
1471 error: `Unknown pack_size '${body.pack_size}' or Stripe pack price env var not configured.`,
1472 code: 'BAD_REQUEST',
1473 });
1474 }
1475 }
1476
1477 if (!priceId) {
1478 return res.status(400).json({ error: 'price_id, tier, or pack_size is required', code: 'BAD_REQUEST' });
1479 }
1480
1481 const isSub = isSubscriptionPriceId(priceId);
1482 const isPack = isPackPriceId(priceId);
1483
1484 if (!isSub && !isPack) {
1485 return res.status(400).json({
1486 error: 'price_id is not a recognised Knowtation subscription or token pack price.',
1487 code: 'BAD_REQUEST',
1488 });
1489 }
1490
1491 const mode = isSub ? 'subscription' : 'payment';
1492
1493 const rawSuccessUrl = typeof body.success_url === 'string' ? body.success_url.trim() : '';
1494 const rawCancelUrl = typeof body.cancel_url === 'string' ? body.cancel_url.trim() : '';
1495
1496 const fallbackBase = HUB_UI_ORIGIN || BASE_URL;
1497 const successUrl = rawSuccessUrl || `${fallbackBase}/hub/#settings`;
1498 const cancelUrl = rawCancelUrl || `${fallbackBase}/hub/#settings`;
1499
1500 try {
1501 const { url } = await createCheckoutSession({
1502 priceId,
1503 userId: uid,
1504 successUrl,
1505 cancelUrl,
1506 mode,
1507 stripeCustomerId: null,
1508 });
1509 return res.json({ url });
1510 } catch (e) {
1511 const code = e.code || 'STRIPE_ERROR';
1512 if (code === 'NOT_CONFIGURED') {
1513 return res.status(503).json({ error: e.message, code });
1514 }
1515 console.error('[billing/checkout] Stripe error:', e.message);
1516 return res.status(502).json({ error: e.message || 'Stripe checkout failed', code });
1517 }
1518 });
1519
1520 /**
1521 * POST /api/v1/billing/portal
1522 * Body: { return_url? }
1523 * Returns: { url } — Stripe Billing Portal session URL.
1524 */
1525 app.post('/api/v1/billing/portal', async (req, res) => {
1526 const uid = getUserId(req);
1527 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1528
1529 const body = req.body && typeof req.body === 'object' ? req.body : {};
1530 const rawReturnUrl = typeof body.return_url === 'string' ? body.return_url.trim() : '';
1531 const fallbackBase = HUB_UI_ORIGIN || BASE_URL;
1532 const returnUrl = rawReturnUrl || `${fallbackBase}/hub/#settings`;
1533
1534 try {
1535 const { url } = await createPortalSession({ userId: uid, returnUrl });
1536 return res.json({ url });
1537 } catch (e) {
1538 const code = e.code || 'STRIPE_ERROR';
1539 if (code === 'NOT_CONFIGURED') {
1540 return res.status(503).json({ error: e.message, code });
1541 }
1542 console.error('[billing/portal] Stripe error:', e.message);
1543 return res.status(502).json({ error: e.message || 'Stripe portal failed', code });
1544 }
1545 });
1546
1547 // GET /api/v1/settings and GET /api/v1/setup — hosted: vault_list from canister; bridge fields when BRIDGE_URL set
1548 app.get('/api/v1/settings', async (req, res) => {
1549 const uid = getUserId(req);
1550 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1551 let vault_list = [{ id: 'default', label: 'Default' }];
1552 let allowed_vault_ids = ['default'];
1553 let canisterVaultUserId = uid;
1554 /** @type {string|null} */
1555 let workspace_owner_id = null;
1556 let hosted_delegating = false;
1557 /** @type {string[]|null} */
1558 let allowedFromBridge = null;
1559 if (BRIDGE_URL && req.headers.authorization) {
1560 try {
1561 const signal = hostedContextAbortSignal();
1562 const hRes = await fetch(BRIDGE_URL + '/api/v1/hosted-context/settings', {
1563 method: 'GET',
1564 headers: {
1565 Authorization: req.headers.authorization,
1566 Accept: 'application/json',
1567 },
1568 ...(signal ? { signal } : {}),
1569 });
1570 if (hRes.ok) {
1571 const hc = await hRes.json();
1572 if (hc.effective_canister_user_id && typeof hc.effective_canister_user_id === 'string') {
1573 canisterVaultUserId = hc.effective_canister_user_id;
1574 }
1575 if (Array.isArray(hc.allowed_vault_ids) && hc.allowed_vault_ids.length > 0) {
1576 allowedFromBridge = hc.allowed_vault_ids.map((x) => String(x));
1577 }
1578 if (hc.workspace_owner_id != null && String(hc.workspace_owner_id).trim() !== '') {
1579 workspace_owner_id = String(hc.workspace_owner_id).trim();
1580 }
1581 if (hc.delegating === true) hosted_delegating = true;
1582 } else if (hRes.status === 403) {
1583 allowedFromBridge = [];
1584 }
1585 } catch (_) {
1586 /* use uid-only fallback */
1587 }
1588 }
1589 if (CANISTER_URL) {
1590 try {
1591 const signal = hostedContextAbortSignal();
1592 const vRes = await fetch(CANISTER_URL + '/api/v1/vaults', {
1593 method: 'GET',
1594 headers: { 'X-User-Id': canisterVaultUserId, Accept: 'application/json', ...canisterAuthHeaders() },
1595 ...(signal ? { signal } : {}),
1596 });
1597 if (vRes.ok) {
1598 const data = await vRes.json();
1599 const vaults = Array.isArray(data.vaults) ? data.vaults : [];
1600 if (vaults.length > 0) {
1601 const mapped = vaults.map((v) => ({
1602 id: String(v.id || 'default'),
1603 label: String(v.label != null && v.label !== '' ? v.label : v.id || 'default'),
1604 }));
1605 if (allowedFromBridge !== null) {
1606 allowed_vault_ids = allowedFromBridge.filter((id) => mapped.some((m) => m.id === id));
1607 vault_list = allowed_vault_ids.map((id) => {
1608 const m = mapped.find((x) => x.id === id);
1609 return m || { id, label: id };
1610 });
1611 } else {
1612 vault_list = mapped;
1613 allowed_vault_ids = vault_list.map((v) => v.id);
1614 }
1615 } else if (allowedFromBridge && allowedFromBridge.length > 0) {
1616 allowed_vault_ids = [...allowedFromBridge];
1617 vault_list = allowedFromBridge.map((id) => ({ id, label: id }));
1618 }
1619 } else {
1620 console.warn('[gateway] canister vaults non-ok', vRes.status);
1621 }
1622 } catch (e) {
1623 console.warn('[gateway] canister vaults unreachable', e?.message || String(e));
1624 }
1625 }
1626 let github_connected = false;
1627 let github_repo = null;
1628 let role = roleForSub(uid);
1629 let hub_evaluator_may_approve = process.env.HUB_EVALUATOR_MAY_APPROVE === '1';
1630 if (BRIDGE_URL && req.headers.authorization) {
1631 try {
1632 const ghRes = await fetch(BRIDGE_URL + '/api/v1/vault/github-status', {
1633 method: 'GET',
1634 headers: { Authorization: req.headers.authorization, Accept: 'application/json' },
1635 });
1636 if (ghRes.ok) {
1637 const data = await ghRes.json();
1638 github_connected = Boolean(data.github_connected);
1639 github_repo = data.repo || null;
1640 } else {
1641 console.warn('[gateway] bridge github-status non-ok', ghRes.status);
1642 }
1643 const roleRes = await fetch(BRIDGE_URL + '/api/v1/role', {
1644 method: 'GET',
1645 headers: { Authorization: req.headers.authorization, Accept: 'application/json' },
1646 });
1647 if (roleRes.ok) {
1648 const data = await roleRes.json();
1649 if (data.role) role = data.role;
1650 if (typeof data.may_approve_proposals === 'boolean') hub_evaluator_may_approve = data.may_approve_proposals;
1651 }
1652 } catch (e) {
1653 console.warn('[gateway] bridge unreachable', e?.message || String(e));
1654 }
1655 }
1656 const vault_git = {
1657 enabled: github_connected,
1658 has_remote: Boolean(github_repo),
1659 auto_commit: false,
1660 auto_push: false,
1661 };
1662 const dataDir = path.join(projectRoot, 'data');
1663 const llmPrefs = await loadHostedProposalLlmPrefs();
1664 res.json({
1665 role,
1666 user_id: uid,
1667 vault_id: 'default',
1668 vault_list,
1669 allowed_vault_ids,
1670 vault_path_display: 'Canister',
1671 vault_git,
1672 github_connect_available: Boolean(BRIDGE_URL),
1673 github_connected,
1674 repo: github_repo,
1675 workspace_owner_id,
1676 hosted_delegating,
1677 embedding_display: { provider: '—', model: '—', ollama_url: '—' },
1678 proposal_enrich_enabled: effectiveHostedEnrich(llmPrefs),
1679 proposal_evaluation_required: effectiveHostedEvaluationRequired(llmPrefs, dataDir),
1680 proposal_review_hints_enabled: effectiveHostedReviewHints(llmPrefs),
1681 proposal_policy_stored: {
1682 proposal_evaluation_required: llmPrefs.proposal_evaluation_required,
1683 review_hints_enabled: llmPrefs.review_hints_enabled,
1684 enrich_enabled: llmPrefs.enrich_enabled,
1685 },
1686 proposal_policy_env_locked: proposalPolicyEnvLocked(),
1687 hub_evaluator_may_approve,
1688 proposal_rubric: loadProposalRubric(path.join(projectRoot, 'data')),
1689 daemon: await (async () => {
1690 try {
1691 const db = await loadBillingDb();
1692 const raw = db.users?.[uid] || defaultUserRecord(uid);
1693 const u = normalizeBillingUser(raw);
1694 return {
1695 enabled: false,
1696 interval_minutes: u.consolidation_interval_minutes || 120,
1697 idle_only: true,
1698 idle_threshold_minutes: 15,
1699 run_on_start: false,
1700 max_cost_per_day_usd: null,
1701 passes: u.consolidation_passes,
1702 lookback_hours: u.consolidation_lookback_hours,
1703 max_events_per_pass: u.consolidation_max_events_per_pass,
1704 max_topics_per_pass: u.consolidation_max_topics_per_pass,
1705 llm: {
1706 provider: '',
1707 model: '',
1708 base_url: '',
1709 max_tokens: u.consolidation_llm_max_tokens,
1710 },
1711 hosted_enabled: u.consolidation_enabled,
1712 };
1713 } catch (_) {
1714 return {
1715 enabled: false,
1716 interval_minutes: 120,
1717 idle_only: true,
1718 idle_threshold_minutes: 15,
1719 run_on_start: false,
1720 max_cost_per_day_usd: null,
1721 passes: { consolidate: true, verify: true, discover: false },
1722 lookback_hours: 24,
1723 max_events_per_pass: 200,
1724 max_topics_per_pass: 10,
1725 llm: { provider: '', model: '', base_url: '', max_tokens: 1024 },
1726 hosted_enabled: false,
1727 };
1728 }
1729 })(),
1730 muse_bridge: (() => {
1731 const envOverride = process.env.MUSE_URL != null && String(process.env.MUSE_URL).trim() !== '';
1732 const mc = parseMuseConfigFromEnv();
1733 let origin = null;
1734 if (mc) {
1735 try {
1736 origin = new URL(mc.baseUrl).origin;
1737 } catch (_) {
1738 /* ignore */
1739 }
1740 }
1741 return {
1742 enabled: Boolean(mc),
1743 origin,
1744 source: envOverride ? 'env' : 'none',
1745 env_override_active: envOverride,
1746 url_editable: false,
1747 yaml_url_for_edit: '',
1748 };
1749 })(),
1750 });
1751 });
1752
1753 /** Hosted: Muse base URL is operator env only (not writable from Hub Settings). */
1754 app.post('/api/v1/settings/muse', express.json(), (req, res) => {
1755 res.status(501).json({
1756 error: 'Knowtation Cloud configures the optional Muse link on the server; it cannot be set from this screen.',
1757 code: 'NOT_IMPLEMENTED',
1758 });
1759 });
1760
1761 /**
1762 * POST /api/v1/settings/consolidation
1763 * Hosted mode: save consolidation schedule + pass preferences to the billing store.
1764 * Self-hosted daemon settings are not writable here; respond with an appropriate note.
1765 */
1766 app.post('/api/v1/settings/consolidation', express.json(), async (req, res) => {
1767 const uid = getUserId(req);
1768 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1769 const body = req.body && typeof req.body === 'object' ? req.body : {};
1770 const mode = typeof body.mode === 'string' ? body.mode : (body.enabled ? 'daemon' : 'hosted');
1771 const advCheck = validateHostedSettingsConsolidationAdvanced(body);
1772 if (!advCheck.ok) {
1773 return res.status(400).json({ error: advCheck.error, code: advCheck.code });
1774 }
1775 try {
1776 let saved = {};
1777 await mutateBillingDb((db) => {
1778 if (!db.users) db.users = {};
1779 if (!db.users[uid]) db.users[uid] = defaultUserRecord(uid);
1780 const u = normalizeBillingUser(db.users[uid]);
1781 if (mode === 'off') {
1782 u.consolidation_enabled = false;
1783 } else {
1784 u.consolidation_enabled = true;
1785 const iv = Math.floor(Number(body.interval_minutes) || 120);
1786 if (iv >= 1 && iv <= 43200) u.consolidation_interval_minutes = iv;
1787 }
1788 if (body.passes && typeof body.passes === 'object') {
1789 u.consolidation_passes = {
1790 consolidate: body.passes.consolidate !== false,
1791 verify: body.passes.verify !== false,
1792 discover: Boolean(body.passes.discover),
1793 };
1794 }
1795 if (body.lookback_hours !== undefined) {
1796 u.consolidation_lookback_hours = Math.floor(Number(body.lookback_hours));
1797 }
1798 if (body.max_events_per_pass !== undefined) {
1799 u.consolidation_max_events_per_pass = Math.floor(Number(body.max_events_per_pass));
1800 }
1801 if (body.max_topics_per_pass !== undefined) {
1802 u.consolidation_max_topics_per_pass = Math.floor(Number(body.max_topics_per_pass));
1803 }
1804 if (body.llm !== undefined && typeof body.llm === 'object' && body.llm.max_tokens !== undefined) {
1805 u.consolidation_llm_max_tokens = Math.floor(Number(body.llm.max_tokens));
1806 }
1807 normalizeBillingUser(u);
1808 saved = {
1809 hosted_enabled: u.consolidation_enabled,
1810 interval_minutes: u.consolidation_interval_minutes,
1811 passes: u.consolidation_passes,
1812 lookback_hours: u.consolidation_lookback_hours,
1813 max_events_per_pass: u.consolidation_max_events_per_pass,
1814 max_topics_per_pass: u.consolidation_max_topics_per_pass,
1815 llm: {
1816 provider: '',
1817 model: '',
1818 base_url: '',
1819 max_tokens: u.consolidation_llm_max_tokens,
1820 },
1821 };
1822 });
1823 res.json({ ok: true, hosted: true, daemon: { enabled: false, ...saved } });
1824 } catch (e) {
1825 res.status(500).json({ error: e.message || 'Failed to save', code: 'RUNTIME_ERROR' });
1826 }
1827 });
1828
1829 app.post('/api/v1/settings/proposal-policy', requireAdmin, async (req, res) => {
1830 try {
1831 const body = req.body && typeof req.body === 'object' ? req.body : {};
1832 await mergeHostedProposalLlmPrefs({
1833 proposal_evaluation_required: body.proposal_evaluation_required,
1834 review_hints_enabled: body.review_hints_enabled,
1835 enrich_enabled: body.enrich_enabled,
1836 });
1837 res.json({ ok: true });
1838 } catch (e) {
1839 res.status(500).json({ error: e.message, code: 'RUNTIME_ERROR' });
1840 }
1841 });
1842
1843 app.get('/api/v1/setup', (req, res) => {
1844 const uid = getUserId(req);
1845 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1846 res.json({
1847 vault_path: '',
1848 vault_git: { enabled: false, remote: '' },
1849 });
1850 });
1851
1852 // --- Admin routes: HUB_ADMIN_USER_IDS, or bridge GET /api/v1/role → role "admin" (Team tab) ---
1853 function requireAdmin(req, res, next) {
1854 const uid = getUserId(req);
1855 if (!uid) {
1856 res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1857 return;
1858 }
1859 if (roleForSub(uid) === 'admin') {
1860 next();
1861 return;
1862 }
1863 if (!BRIDGE_URL || !req.headers.authorization) {
1864 res.status(403).json({ error: 'Admin only', code: 'FORBIDDEN' });
1865 return;
1866 }
1867 void (async () => {
1868 try {
1869 const roleRes = await fetch(BRIDGE_URL + '/api/v1/role', {
1870 method: 'GET',
1871 headers: { Authorization: req.headers.authorization, Accept: 'application/json' },
1872 });
1873 if (!roleRes.ok) {
1874 if (!res.headersSent) res.status(403).json({ error: 'Admin only', code: 'FORBIDDEN' });
1875 return;
1876 }
1877 const data = await roleRes.json();
1878 if (data && data.role === 'admin') {
1879 next();
1880 return;
1881 }
1882 if (!res.headersSent) res.status(403).json({ error: 'Admin only', code: 'FORBIDDEN' });
1883 } catch (e) {
1884 console.warn('[gateway] requireAdmin bridge /role', e?.message || String(e));
1885 if (!res.headersSent) res.status(403).json({ error: 'Admin only', code: 'FORBIDDEN' });
1886 }
1887 })();
1888 }
1889
1890 if (!BRIDGE_URL) {
1891 app.get('/api/v1/workspace', requireAdmin, (_req, res) => {
1892 res.json({ owner_user_id: null });
1893 });
1894 app.post('/api/v1/workspace', requireAdmin, (_req, res) => {
1895 res.status(503).json({ error: 'Workspace owner requires bridge (BRIDGE_URL).', code: 'NOT_AVAILABLE' });
1896 });
1897 app.get('/api/v1/vault-access', requireAdmin, (_req, res) => {
1898 res.json({ access: {} });
1899 });
1900 app.post('/api/v1/vault-access', requireAdmin, (_req, res) => {
1901 res.status(503).json({ error: 'Vault access requires bridge (BRIDGE_URL).', code: 'NOT_AVAILABLE' });
1902 });
1903 app.get('/api/v1/scope', requireAdmin, (_req, res) => {
1904 res.json({ scope: {} });
1905 });
1906 app.post('/api/v1/scope', requireAdmin, (_req, res) => {
1907 res.status(503).json({ error: 'Scope requires bridge (BRIDGE_URL).', code: 'NOT_AVAILABLE' });
1908 });
1909 app.get('/api/v1/hosted-context', (req, res) => {
1910 const uid = getUserId(req);
1911 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1912 res.status(503).json({ error: 'Hosted context requires bridge (BRIDGE_URL).', code: 'NOT_AVAILABLE' });
1913 });
1914 }
1915
1916 // Hosted: vault list is derived from the canister; YAML vault editor is self-hosted only
1917 app.post('/api/v1/vaults', requireAdmin, (_req, res) => {
1918 res.status(501).json({
1919 error:
1920 'Editing the vault list in Settings is not available on hosted. Vaults appear when you add notes; use the vault switcher or API with X-Vault-Id.',
1921 code: 'NOT_AVAILABLE',
1922 });
1923 });
1924
1925 // GET /api/v1/roles — hosted stub: no role store; admin sees empty list (parity: only admins can open Team)
1926 app.get('/api/v1/roles', requireAdmin, (_req, res) => {
1927 res.json({ roles: [] });
1928 });
1929
1930 // POST /api/v1/roles — no-op on hosted (no persistent role store yet)
1931 app.post('/api/v1/roles', requireAdmin, (_req, res) => {
1932 res.json({ ok: true });
1933 });
1934
1935 // GET /api/v1/invites — hosted stub: no invite store
1936 app.get('/api/v1/invites', requireAdmin, (_req, res) => {
1937 res.json({ invites: [] });
1938 });
1939
1940 // POST /api/v1/invites — not supported on hosted (no invite store; full parity in Phase 2)
1941 app.post('/api/v1/invites', requireAdmin, (_req, res) => {
1942 res.status(400).json({
1943 error: 'Invites are not supported on hosted yet. Use self-hosted Hub for team invites, or wait for Phase 2.',
1944 code: 'NOT_SUPPORTED',
1945 });
1946 });
1947
1948 // Optional Muse read-only proxy (admin; Option C). 404 when MUSE_URL unset.
1949 app.get(
1950 '/api/v1/operator/muse/proxy',
1951 (req, res, next) => {
1952 if (!parseMuseConfigFromEnv()) {
1953 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
1954 }
1955 requireAdmin(req, res, next);
1956 },
1957 async (req, res) => {
1958 const cfg = parseMuseConfigFromEnv();
1959 if (!cfg) return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
1960 const rel = typeof req.query.path === 'string' ? req.query.path.trim() : '';
1961 if (!rel) return res.status(400).json({ error: 'path query required', code: 'BAD_REQUEST' });
1962 const result = await fetchMuseProxiedGet({ config: cfg, relativePath: rel });
1963 if (!result.ok && result.code === 'BAD_REQUEST') {
1964 return res.status(400).json({ error: 'Invalid path', code: 'BAD_REQUEST' });
1965 }
1966 if (!result.ok && !result.body) {
1967 return res.status(result.status).json({ error: 'Bad gateway', code: result.code });
1968 }
1969 if (!result.ok && result.body && result.contentType) {
1970 res.status(result.status).set('Content-Type', result.contentType);
1971 res.set('X-Content-Type-Options', 'nosniff');
1972 return res.send(result.body);
1973 }
1974 if (result.ok && result.body) {
1975 res.status(200).set('Content-Type', result.contentType);
1976 res.set('X-Content-Type-Options', 'nosniff');
1977 return res.send(result.body);
1978 }
1979 return res.status(502).json({ error: 'Bad gateway', code: 'BAD_GATEWAY' });
1980 },
1981 );
1982
1983 // DELETE /api/v1/invites/:token — no-op on hosted
1984 app.delete('/api/v1/invites/:token', requireAdmin, (_req, res) => {
1985 res.json({ ok: true });
1986 });
1987
1988 // POST /api/v1/setup — no-op on hosted (vault is canister; nothing to persist)
1989 app.post('/api/v1/setup', (req, res) => {
1990 const uid = getUserId(req);
1991 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1992 res.json({ ok: true });
1993 });
1994
1995 // POST /api/v1/import — bridge runs importers and writes notes to canister when BRIDGE_URL is set
1996 app.post('/api/v1/import', async (req, res) => {
1997 const uid = getUserId(req);
1998 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
1999 if (BRIDGE_URL) {
2000 if (!(await runBillingGate(req, res, getUserId))) return;
2001 const q = req.originalUrl.includes('?') ? req.originalUrl.slice(req.originalUrl.indexOf('?')) : '';
2002 await proxyImportToBridge(BRIDGE_URL, BRIDGE_URL + '/api/v1/import' + q, req, res);
2003 return;
2004 }
2005 res.status(501).json({
2006 error: 'Import is not yet available on hosted (set BRIDGE_URL for bridge-backed import).',
2007 code: 'NOT_AVAILABLE',
2008 });
2009 });
2010
2011 // POST /api/v1/import-url — JSON body; bridge runs URL importer (same auth as import).
2012 app.post('/api/v1/import-url', async (req, res) => {
2013 const uid = getUserId(req);
2014 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2015 if (BRIDGE_URL) {
2016 if (!(await runBillingGate(req, res, getUserId))) return;
2017 await proxyTo(BRIDGE_URL, BRIDGE_URL + '/api/v1/import-url', req, res);
2018 return;
2019 }
2020 res.status(501).json({
2021 error: 'Import URL is not available on hosted (set BRIDGE_URL for bridge-backed import).',
2022 code: 'NOT_AVAILABLE',
2023 });
2024 });
2025
2026 // GET /api/v1/notes/facets — aggregate from canister list (Hub filter dropdowns / overview parity)
2027 app.get('/api/v1/notes/facets', async (req, res) => {
2028 const uid = getUserId(req);
2029 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2030 if (!CANISTER_URL) {
2031 return res.json({ projects: [], tags: [], folders: [] });
2032 }
2033 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2034 const hctx = await getHostedAccessContext(req);
2035 const effective = (hctx && hctx.effective_canister_user_id) || uid;
2036 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2037 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2038 }
2039 try {
2040 const url = `${CANISTER_URL}/api/v1/notes`;
2041 const upstream = await fetch(url, {
2042 method: 'GET',
2043 headers: {
2044 Accept: 'application/json',
2045 'x-user-id': effective,
2046 'x-actor-id': uid,
2047 'x-vault-id': vaultId,
2048 },
2049 });
2050 const text = await upstream.text();
2051 if (!upstream.ok) {
2052 console.warn('[gateway] facets canister list non-ok', upstream.status);
2053 return res.json({ projects: [], tags: [], folders: [] });
2054 }
2055 let data;
2056 try {
2057 data = text ? JSON.parse(text) : {};
2058 } catch (e) {
2059 console.warn('[gateway] facets canister list JSON parse', e?.message || String(e));
2060 return res.json({ projects: [], tags: [], folders: [] });
2061 }
2062 const rows = Array.isArray(data.notes) ? data.notes : [];
2063 let notesForFacets = rows;
2064 const scope = hctx && hctx.scope && typeof hctx.scope === 'object' ? hctx.scope : null;
2065 if (scope && (scope.projects?.length || scope.folders?.length)) {
2066 const withProj = rows.map((n) => ({
2067 path: n.path,
2068 project: materializeListFrontmatter(n.frontmatter).project ?? null,
2069 }));
2070 const scoped = applyScopeFilterToNotes(withProj, scope);
2071 const pathSet = new Set(scoped.map((n) => n.path).filter(Boolean));
2072 notesForFacets = rows.filter((n) => pathSet.has(n.path));
2073 }
2074 const facets = deriveFacetsFromCanisterNotes(notesForFacets);
2075 res.json(facets);
2076 } catch (e) {
2077 console.warn('[gateway] facets error', e?.message || String(e));
2078 res.json({ projects: [], tags: [], folders: [] });
2079 }
2080 });
2081
2082 // GET /api/v1/vault/folders — no canister filesystem; UI falls back to inbox + custom path
2083 app.get('/api/v1/vault/folders', async (req, res) => {
2084 const uid = getUserId(req);
2085 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2086 if (!CANISTER_URL) {
2087 return res.json({ folders: ['inbox'] });
2088 }
2089 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2090 const hctx = await getHostedAccessContext(req);
2091 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2092 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2093 }
2094 res.json({ folders: ['inbox'] });
2095 });
2096
2097 app.get('/api/v1/note-outline', async (req, res) => {
2098 const uid = getUserId(req);
2099 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2100 if (!CANISTER_URL) {
2101 return res.status(503).json({ error: 'Hosted NoteOutline is not configured', code: 'SERVICE_UNAVAILABLE' });
2102 }
2103
2104 let requestedPath;
2105 try {
2106 requestedPath = normalizeGatewayNoteOutlinePath(req.query.path);
2107 } catch (e) {
2108 const err = sanitizedNoteOutlineGatewayError(e);
2109 return res.status(err.status).json({ error: err.error, code: err.code });
2110 }
2111
2112 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2113 const hctx = await getHostedAccessContext(req);
2114 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2115 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2116 }
2117 const effective =
2118 hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2119 ? hctx.effective_canister_user_id
2120 : uid;
2121 const url = `${CANISTER_URL}/api/v1/notes/${encodeURIComponent(requestedPath)}`;
2122
2123 try {
2124 const upstream = await fetch(url, {
2125 method: 'GET',
2126 headers: {
2127 Accept: 'application/json',
2128 'x-user-id': effective,
2129 'x-actor-id': uid,
2130 'x-vault-id': vaultId,
2131 ...canisterAuthHeaders(),
2132 },
2133 });
2134 const text = await upstream.text();
2135 if (upstream.status === 401 || upstream.status === 403) {
2136 return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
2137 }
2138 if (upstream.status === 404) {
2139 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2140 }
2141 if (!upstream.ok) {
2142 return res.status(502).json({ error: `Upstream ${upstream.status}`, code: 'BAD_GATEWAY' });
2143 }
2144
2145 let note;
2146 try {
2147 note = text ? JSON.parse(text) : {};
2148 } catch {
2149 return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
2150 }
2151
2152 const frontmatter = materializeListFrontmatter(note.frontmatter);
2153 const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2154 if (scope) {
2155 const scoped = applyScopeFilterToNotes(
2156 [
2157 {
2158 path: requestedPath,
2159 project: frontmatter.project ?? null,
2160 },
2161 ],
2162 scope
2163 );
2164 if (scoped.length === 0) {
2165 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2166 }
2167 }
2168
2169 return res.json(
2170 buildNoteOutline({
2171 path: requestedPath,
2172 frontmatter,
2173 body: note.body != null ? String(note.body) : '',
2174 })
2175 );
2176 } catch (e) {
2177 const err = sanitizedNoteOutlineGatewayError(e);
2178 return res.status(err.status).json({ error: err.error, code: err.code });
2179 }
2180 });
2181
2182 app.get('/api/v1/document-tree', async (req, res) => {
2183 const uid = getUserId(req);
2184 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2185 if (!CANISTER_URL) {
2186 return res.status(503).json({ error: 'Hosted DocumentTree is not configured', code: 'SERVICE_UNAVAILABLE' });
2187 }
2188
2189 let requestedPath;
2190 try {
2191 requestedPath = normalizeGatewayDocumentTreePath(req.query.path);
2192 } catch (e) {
2193 const err = sanitizedDocumentTreeGatewayError(e);
2194 return res.status(err.status).json({ error: err.error, code: err.code });
2195 }
2196
2197 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2198 const hctx = await getHostedAccessContext(req);
2199 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2200 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2201 }
2202 const effective =
2203 hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2204 ? hctx.effective_canister_user_id
2205 : uid;
2206 const url = `${CANISTER_URL}/api/v1/notes/${encodeURIComponent(requestedPath)}`;
2207
2208 try {
2209 const upstream = await fetch(url, {
2210 method: 'GET',
2211 headers: {
2212 Accept: 'application/json',
2213 'x-user-id': effective,
2214 'x-actor-id': uid,
2215 'x-vault-id': vaultId,
2216 ...canisterAuthHeaders(),
2217 },
2218 });
2219 const text = await upstream.text();
2220 if (upstream.status === 401 || upstream.status === 403) {
2221 return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
2222 }
2223 if (upstream.status === 404) {
2224 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2225 }
2226 if (!upstream.ok) {
2227 return res.status(502).json({ error: `Upstream ${upstream.status}`, code: 'BAD_GATEWAY' });
2228 }
2229
2230 let note;
2231 try {
2232 note = text ? JSON.parse(text) : {};
2233 } catch {
2234 return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
2235 }
2236
2237 const frontmatter = materializeListFrontmatter(note.frontmatter);
2238 const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2239 if (scope) {
2240 const scoped = applyScopeFilterToNotes(
2241 [
2242 {
2243 path: requestedPath,
2244 project: frontmatter.project ?? null,
2245 },
2246 ],
2247 scope
2248 );
2249 if (scoped.length === 0) {
2250 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2251 }
2252 }
2253
2254 return res.json(
2255 buildDocumentTree({
2256 path: requestedPath,
2257 frontmatter,
2258 body: note.body != null ? String(note.body) : '',
2259 })
2260 );
2261 } catch (e) {
2262 const err = sanitizedDocumentTreeGatewayError(e);
2263 return res.status(err.status).json({ error: err.error, code: err.code });
2264 }
2265 });
2266
2267 app.get('/api/v1/metadata-facets', async (req, res) => {
2268 const uid = getUserId(req);
2269 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2270 if (!CANISTER_URL) {
2271 return res.status(503).json({ error: 'Hosted MetadataFacets is not configured', code: 'SERVICE_UNAVAILABLE' });
2272 }
2273
2274 let requestedPath;
2275 try {
2276 requestedPath = normalizeGatewayMetadataFacetsPath(req.query.path);
2277 } catch (e) {
2278 const err = sanitizedMetadataFacetsGatewayError(e);
2279 return res.status(err.status).json({ error: err.error, code: err.code });
2280 }
2281
2282 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2283 const hctx = await getHostedAccessContext(req);
2284 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2285 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2286 }
2287 const effective =
2288 hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2289 ? hctx.effective_canister_user_id
2290 : uid;
2291 const url = `${CANISTER_URL}/api/v1/notes/${encodeURIComponent(requestedPath)}`;
2292
2293 try {
2294 const upstream = await fetch(url, {
2295 method: 'GET',
2296 headers: {
2297 Accept: 'application/json',
2298 'x-user-id': effective,
2299 'x-actor-id': uid,
2300 'x-vault-id': vaultId,
2301 ...canisterAuthHeaders(),
2302 },
2303 });
2304 const text = await upstream.text();
2305 if (upstream.status === 401 || upstream.status === 403) {
2306 return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
2307 }
2308 if (upstream.status === 404) {
2309 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2310 }
2311 if (!upstream.ok) {
2312 return res.status(502).json({ error: `Upstream ${upstream.status}`, code: 'BAD_GATEWAY' });
2313 }
2314
2315 let note;
2316 try {
2317 note = text ? JSON.parse(text) : {};
2318 } catch {
2319 return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
2320 }
2321
2322 const frontmatter = materializeListFrontmatter(note.frontmatter);
2323 const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2324 if (scope) {
2325 const scoped = applyScopeFilterToNotes(
2326 [
2327 {
2328 path: requestedPath,
2329 project: frontmatter.project ?? null,
2330 },
2331 ],
2332 scope
2333 );
2334 if (scoped.length === 0) {
2335 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2336 }
2337 }
2338
2339 return res.json(normalizeMetadataFacets(requestedPath, frontmatter));
2340 } catch (e) {
2341 const err = sanitizedMetadataFacetsGatewayError(e);
2342 return res.status(err.status).json({ error: err.error, code: err.code });
2343 }
2344 });
2345
2346 app.get('/api/v1/section-source', async (req, res) => {
2347 const uid = getUserId(req);
2348 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2349 if (!CANISTER_URL) {
2350 return res.status(503).json({ error: 'Hosted SectionSource is not configured', code: 'SERVICE_UNAVAILABLE' });
2351 }
2352
2353 let requestedPath;
2354 try {
2355 requestedPath = normalizeGatewaySectionSourcePath(req.query.path);
2356 } catch (e) {
2357 const err = sanitizedSectionSourceGatewayError(e);
2358 return res.status(err.status).json({ error: err.error, code: err.code });
2359 }
2360
2361 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2362 const hctx = await getHostedAccessContext(req);
2363 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2364 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2365 }
2366 const effective =
2367 hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2368 ? hctx.effective_canister_user_id
2369 : uid;
2370 const url = `${CANISTER_URL}/api/v1/notes/${encodeURIComponent(requestedPath)}`;
2371
2372 try {
2373 const upstream = await fetch(url, {
2374 method: 'GET',
2375 headers: {
2376 Accept: 'application/json',
2377 'x-user-id': effective,
2378 'x-actor-id': uid,
2379 'x-vault-id': vaultId,
2380 ...canisterAuthHeaders(),
2381 },
2382 });
2383 const text = await upstream.text();
2384 if (upstream.status === 401 || upstream.status === 403) {
2385 return res.status(403).json({ error: 'Forbidden', code: 'FORBIDDEN' });
2386 }
2387 if (upstream.status === 404) {
2388 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2389 }
2390 if (!upstream.ok) {
2391 return res.status(502).json({ error: `Upstream ${upstream.status}`, code: 'BAD_GATEWAY' });
2392 }
2393
2394 let note;
2395 try {
2396 note = text ? JSON.parse(text) : {};
2397 } catch {
2398 return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
2399 }
2400
2401 const frontmatter = materializeListFrontmatter(note.frontmatter);
2402 const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2403 if (scope) {
2404 const scoped = applyScopeFilterToNotes(
2405 [
2406 {
2407 path: requestedPath,
2408 project: frontmatter.project ?? null,
2409 },
2410 ],
2411 scope
2412 );
2413 if (scoped.length === 0) {
2414 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2415 }
2416 }
2417
2418 return res.json(
2419 buildSectionSource({
2420 path: requestedPath,
2421 frontmatter,
2422 body: note.body != null ? String(note.body) : '',
2423 })
2424 );
2425 } catch (e) {
2426 const err = sanitizedSectionSourceGatewayError(e);
2427 return res.status(err.status).json({ error: err.error, code: err.code });
2428 }
2429 });
2430
2431 /**
2432 * @param {Record<string, unknown>|null} hctx
2433 */
2434 function scopeActiveForGateway(hctx) {
2435 const s = hctx && hctx.scope && typeof hctx.scope === 'object' ? hctx.scope : null;
2436 return Boolean(s && (s.projects?.length || s.folders?.length));
2437 }
2438
2439 /**
2440 * Normalize hosted canister note records before returning them to Hub clients.
2441 * The canister wire shape may store frontmatter as object JSON text; clients
2442 * should always receive the direct-read/list API contract object.
2443 * @param {unknown} note
2444 * @returns {unknown}
2445 */
2446 function normalizeGatewayNoteFrontmatter(note) {
2447 if (!note || typeof note !== 'object' || Array.isArray(note)) return note;
2448 return {
2449 ...note,
2450 frontmatter: materializeListFrontmatter(note.frontmatter),
2451 };
2452 }
2453
2454 async function gatewayProxyGetNotesList(req, res, uid, effective, hctx) {
2455 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2456 const raw = upstreamPathAndQuery(req);
2457 const qIdx = raw.indexOf('?');
2458 const searchPart = qIdx >= 0 ? raw.slice(qIdx + 1) : '';
2459 const params = new URLSearchParams(searchPart);
2460 const limit = Math.min(100, Math.max(0, parseInt(params.get('limit') || '20', 10) || 20));
2461 const offset = Math.max(0, parseInt(params.get('offset') || '0', 10) || 0);
2462 const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2463 // Phase 12 — blockchain filters applied client-side (canister stores frontmatter as opaque JSON)
2464 const filterNetwork = (params.get('network') || '').trim().toLowerCase();
2465 const filterWallet = (params.get('wallet_address') || '').trim().toLowerCase();
2466 const filterPaymentStatus = (params.get('payment_status') || '').trim().toLowerCase();
2467 const needsClientFilter = Boolean(scope || filterNetwork || filterWallet || filterPaymentStatus);
2468 if (needsClientFilter) {
2469 params.set('limit', '10000');
2470 params.set('offset', '0');
2471 }
2472 // Remove Phase 12 params before forwarding to canister (canister ignores them, but keep URL clean)
2473 params.delete('network');
2474 params.delete('wallet_address');
2475 params.delete('payment_status');
2476 const fetchUrl = `${CANISTER_URL}/api/v1/notes${params.toString() ? `?${params.toString()}` : ''}`;
2477 try {
2478 const upstream = await fetch(fetchUrl, {
2479 method: 'GET',
2480 headers: {
2481 Accept: 'application/json',
2482 'x-user-id': effective,
2483 'x-actor-id': uid,
2484 'x-vault-id': vaultId,
2485 ...canisterAuthHeaders(),
2486 },
2487 });
2488 const text = await upstream.text();
2489 const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries()).filter(
2490 ([k]) => !['cache-control', 'etag', 'last-modified'].includes(k.toLowerCase()),
2491 );
2492 res.status(upstream.status).set(Object.fromEntries(hop));
2493 res.set('Cache-Control', 'private, no-store, must-revalidate');
2494 if (!upstream.ok || !text) {
2495 res.send(text);
2496 return;
2497 }
2498 let data;
2499 try {
2500 data = JSON.parse(text);
2501 } catch (_) {
2502 res.send(text);
2503 return;
2504 }
2505 if (Array.isArray(data.notes)) {
2506 data = { ...data, notes: data.notes.map(normalizeGatewayNoteFrontmatter) };
2507 }
2508 if (needsClientFilter && Array.isArray(data.notes)) {
2509 let filtered = data.notes;
2510 // Scope filter (project/folder access control)
2511 if (scope) {
2512 const withProj = filtered.map((n) => ({
2513 path: n.path,
2514 project: materializeListFrontmatter(n.frontmatter).project ?? null,
2515 }));
2516 const kept = applyScopeFilterToNotes(withProj, scope);
2517 const keptPaths = new Set(kept.map((r) => r.path).filter(Boolean));
2518 filtered = filtered.filter((n) => n.path && keptPaths.has(n.path));
2519 }
2520 // Phase 12 blockchain filters
2521 if (filterNetwork || filterWallet || filterPaymentStatus) {
2522 filtered = filtered.filter((n) => {
2523 const fm = materializeListFrontmatter(n.frontmatter);
2524 if (filterNetwork && String(fm.network ?? '').trim().toLowerCase() !== filterNetwork) return false;
2525 if (filterWallet && String(fm.wallet_address ?? '').trim().toLowerCase() !== filterWallet) return false;
2526 if (filterPaymentStatus && String(fm.payment_status ?? '').trim().toLowerCase() !== filterPaymentStatus) return false;
2527 return true;
2528 });
2529 }
2530 const total = filtered.length;
2531 const page = filtered.slice(offset, offset + limit);
2532 res.json({ notes: page, total });
2533 return;
2534 }
2535 if (Array.isArray(data.notes)) {
2536 res.json(data);
2537 return;
2538 }
2539 res.send(text);
2540 } catch (e) {
2541 console.error('Gateway GET notes list error:', e.message);
2542 res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
2543 }
2544 }
2545
2546 async function gatewayProxyGetNoteOne(req, res, uid, effective, hctx) {
2547 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2548 const url = CANISTER_URL + upstreamPathAndQuery(req);
2549 const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
2550 try {
2551 const upstream = await fetch(url, {
2552 method: 'GET',
2553 headers: {
2554 Accept: 'application/json',
2555 'x-user-id': effective,
2556 'x-actor-id': uid,
2557 'x-vault-id': vaultId,
2558 ...canisterAuthHeaders(),
2559 },
2560 });
2561 const body = await upstream.text();
2562 if (upstream.status >= 400) {
2563 console.warn('[gateway] canister GET note:', upstream.status, 'url:', url.slice(0, 120));
2564 }
2565 const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries()).filter(
2566 ([k]) => !['cache-control', 'etag', 'last-modified'].includes(k.toLowerCase()),
2567 );
2568 res.status(upstream.status).set(Object.fromEntries(hop));
2569 res.set('Cache-Control', 'private, no-store, must-revalidate');
2570 if (!scope || upstream.status !== 200 || !body) {
2571 if (upstream.status === 200 && body) {
2572 try {
2573 const note = JSON.parse(body);
2574 res.json(normalizeGatewayNoteFrontmatter(note));
2575 return;
2576 } catch (_) {
2577 // Preserve the upstream response when it is not valid JSON.
2578 }
2579 }
2580 res.send(body);
2581 return;
2582 }
2583 let note;
2584 try {
2585 note = normalizeGatewayNoteFrontmatter(JSON.parse(body));
2586 const withProj = {
2587 path: note.path,
2588 project: materializeListFrontmatter(note.frontmatter).project ?? null,
2589 };
2590 const filtered = applyScopeFilterToNotes([withProj], scope);
2591 if (filtered.length === 0) {
2592 res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
2593 return;
2594 }
2595 } catch (_) {
2596 res.send(body);
2597 return;
2598 }
2599 res.json(note);
2600 } catch (e) {
2601 console.error('Gateway GET note error:', e.message);
2602 res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
2603 }
2604 }
2605
2606 const PROPOSAL_APPROVE_OR_DISCARD_RE = /^\/api\/v1\/proposals\/[^/]+\/(approve|discard)\/?$/;
2607
2608 /**
2609 * Bridge / JWT actor role for proposal RBAC (canister only sees effective X-User-Id).
2610 * @param {import('express').Request} req
2611 * @param {Record<string, unknown>|null} hctx
2612 * @returns {Promise<{ role: string, mayApproveProposals: boolean }>}
2613 */
2614 async function resolveHostedActorRole(req, hctx) {
2615 const envFallback = process.env.HUB_EVALUATOR_MAY_APPROVE === '1';
2616 let role = 'member';
2617 let mayApproveProposals = false;
2618 if (hctx && typeof hctx.role === 'string') {
2619 role = hctx.role;
2620 if (typeof hctx.may_approve_proposals === 'boolean') {
2621 mayApproveProposals = hctx.may_approve_proposals;
2622 } else if (role === 'evaluator') {
2623 mayApproveProposals = envFallback;
2624 }
2625 } else if (BRIDGE_URL && req.headers.authorization) {
2626 let bridgeResolved = false;
2627 try {
2628 const roleRes = await fetch(BRIDGE_URL + '/api/v1/role', {
2629 method: 'GET',
2630 headers: { Authorization: req.headers.authorization, Accept: 'application/json' },
2631 });
2632 if (roleRes.ok) {
2633 const data = await roleRes.json();
2634 if (data.role) {
2635 role = data.role;
2636 bridgeResolved = true;
2637 }
2638 if (typeof data.may_approve_proposals === 'boolean') {
2639 mayApproveProposals = data.may_approve_proposals;
2640 } else if (role === 'evaluator') {
2641 mayApproveProposals = envFallback;
2642 }
2643 }
2644 } catch (_) {}
2645 // Bridge unreachable or rejected the JWT (e.g. SESSION_SECRET mismatch after a redeploy).
2646 // Fall back to the JWT payload role so the gateway owner is never locked out by bridge state.
2647 if (!bridgeResolved) {
2648 try {
2649 const auth = req.headers.authorization;
2650 const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
2651 if (token && SESSION_SECRET) {
2652 const payload = jwt.verify(token, SESSION_SECRET);
2653 role = payload.role || roleForSub(payload.sub);
2654 mayApproveProposals = role === 'admin' || (role === 'evaluator' && envFallback);
2655 }
2656 } catch (_) {}
2657 }
2658 } else {
2659 try {
2660 const auth = req.headers.authorization;
2661 const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
2662 if (token && SESSION_SECRET) {
2663 const payload = jwt.verify(token, SESSION_SECRET);
2664 role = payload.role || roleForSub(payload.sub);
2665 mayApproveProposals = role === 'admin' || (role === 'evaluator' && envFallback);
2666 }
2667 } catch (_) {}
2668 }
2669 // Gateway-level admin override: HUB_ADMIN_USER_IDS is the authoritative owner list.
2670 // A sub in that list is always admin — the gateway owner must never be locked out by a
2671 // bridge state reset, role-store loss, or SESSION_SECRET mismatch between gateway and bridge.
2672 const actorSub = getUserId(req);
2673 if (actorSub && role !== 'admin' && roleForSub(actorSub) === 'admin') {
2674 role = 'admin';
2675 mayApproveProposals = true;
2676 }
2677 return { role, mayApproveProposals };
2678 }
2679
2680 /**
2681 * Approve/discard: enforce actor role on gateway (canister only sees effective X-User-Id).
2682 * @param {import('express').Request} req
2683 * @param {import('express').Response} res
2684 * @param {string} pathNoQuery
2685 * @param {string} method
2686 * @param {Record<string, unknown>|null} hctx from getHostedAccessContext (null if no bridge / not delegated)
2687 */
2688 async function assertHostedProposalApproveDiscard(req, res, pathNoQuery, method, hctx) {
2689 if (method !== 'POST' || !PROPOSAL_APPROVE_OR_DISCARD_RE.test(pathNoQuery)) return true;
2690
2691 const uid = getUserId(req);
2692 if (!uid) {
2693 res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2694 return false;
2695 }
2696
2697 const { role, mayApproveProposals } = await resolveHostedActorRole(req, hctx);
2698
2699 if (/\/discard\/?$/.test(pathNoQuery)) {
2700 if (role !== 'admin') {
2701 res.status(403).json({ error: 'Discard requires admin.', code: 'FORBIDDEN' });
2702 return false;
2703 }
2704 return true;
2705 }
2706
2707 const canApprove = role === 'admin' || (role === 'evaluator' && mayApproveProposals);
2708 if (!canApprove) {
2709 res.status(403).json({
2710 error:
2711 'Approve requires admin, or an evaluator with approve permission (per-user in Team, or HUB_EVALUATOR_MAY_APPROVE=1 when no per-user value).',
2712 code: 'FORBIDDEN',
2713 });
2714 return false;
2715 }
2716 return true;
2717 }
2718
2719 /**
2720 * Fetch the current note count for a user from the canister.
2721 * Used by the billing storage cap gate before note CREATE.
2722 * Fails open — returns 0 on any error so the gate never blocks due to a canister outage.
2723 *
2724 * @param {string} userId
2725 * @param {import('express').Request} req
2726 * @returns {Promise<number>}
2727 */
2728 async function getNoteCountForUser(userId, req) {
2729 if (!CANISTER_URL) return 0;
2730 try {
2731 let vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2732 const pathOnly = effectiveRequestPath(req).replace(/\/+$/, '') || '/';
2733 if (req.method === 'POST' && pathOnly === '/api/v1/notes/copy') {
2734 const b = req.body && typeof req.body === 'object' ? req.body : {};
2735 const toV = typeof b.to_vault_id === 'string' ? b.to_vault_id.replace(/\\/g, '/').trim() : '';
2736 if (toV) vaultId = toV;
2737 }
2738 const hctx = await getHostedAccessContext(req);
2739 const effective =
2740 hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2741 ? hctx.effective_canister_user_id
2742 : userId;
2743 const url = `${CANISTER_URL}/api/v1/notes?limit=1&offset=0`;
2744 const upstream = await fetch(url, {
2745 method: 'GET',
2746 headers: {
2747 Accept: 'application/json',
2748 'x-user-id': effective,
2749 'x-actor-id': userId,
2750 'x-vault-id': vaultId,
2751 ...canisterAuthHeaders(),
2752 },
2753 });
2754 if (!upstream.ok) return 0;
2755 const data = await upstream.json();
2756 const total = typeof data.total === 'number' ? data.total : (Array.isArray(data.notes) ? data.notes.length : 0);
2757 return Math.max(0, Math.floor(total));
2758 } catch (_) {
2759 return 0;
2760 }
2761 }
2762
2763 async function proxyToCanister(req, res) {
2764 const uid = getUserId(req);
2765 if (!uid) {
2766 return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2767 }
2768 const pathOnly = effectiveRequestPath(req);
2769 const pathNoQuery = pathPartNoQuery(req);
2770 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2771 const hctx = await getHostedAccessContext(req);
2772 if (!(await assertHostedProposalApproveDiscard(req, res, pathNoQuery, req.method, hctx))) return;
2773 const effective =
2774 hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2775 ? hctx.effective_canister_user_id
2776 : uid;
2777 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2778 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2779 }
2780
2781 if (req.method === 'GET' && pathOnly === '/api/v1/notes') {
2782 return gatewayProxyGetNotesList(req, res, uid, effective, hctx);
2783 }
2784 const noteSubPrefix = '/api/v1/notes/';
2785 if (
2786 req.method === 'GET' &&
2787 pathOnly.startsWith(noteSubPrefix) &&
2788 pathOnly !== '/api/v1/notes/facets'
2789 ) {
2790 const rest = pathOnly.slice(noteSubPrefix.length);
2791 if (rest) {
2792 return gatewayProxyGetNoteOne(req, res, uid, effective, hctx);
2793 }
2794 }
2795
2796 const url = CANISTER_URL + upstreamPathAndQuery(req);
2797 const headers = {
2798 host: new URL(CANISTER_URL).host,
2799 'x-user-id': effective,
2800 'x-actor-id': uid,
2801 'x-vault-id': req.headers['x-vault-id'] || 'default',
2802 ...canisterAuthHeaders(),
2803 };
2804 // Allowlist: only forward safe body/content headers; canister auth is via x-user-id + x-gateway-auth.
2805 // Never forward origin, referer, cookies, authorization, or other proxy headers to the canister.
2806 for (const k of PROXY_HEADER_ALLOWLIST) {
2807 if (req.headers[k] !== undefined) headers[k] = req.headers[k];
2808 }
2809 const opts = { method: req.method, headers };
2810 let bodyOut = req.body;
2811 const pathOnlyForBody = pathPartNoQuery(req);
2812 const dataDir = path.join(projectRoot, 'data');
2813 let hostedLlmPrefs = null;
2814 if (
2815 req.method === 'POST' &&
2816 (pathOnlyForBody === '/api/v1/proposals' || pathOnlyForBody === '/api/v1/proposals/')
2817 ) {
2818 hostedLlmPrefs = await loadHostedProposalLlmPrefs();
2819 }
2820 // Improvement B: AIR attestation for hosted gateway note writes.
2821 // Guarded by KNOWTATION_AIR_ENDPOINT being set; always non-blocking (gateway has no air.required config).
2822 let gatewayAirId = null;
2823 if (
2824 process.env.KNOWTATION_AIR_ENDPOINT &&
2825 bodyOut !== undefined &&
2826 typeof bodyOut === 'object' &&
2827 !Buffer.isBuffer(bodyOut) &&
2828 isNoteWriteRequest(req.method, pathOnlyForBody)
2829 ) {
2830 try {
2831 const notePath =
2832 req.method === 'POST'
2833 ? (typeof bodyOut.path === 'string' ? bodyOut.path.replace(/\\/g, '/') : '')
2834 : pathOnlyForBody
2835 .slice('/api/v1/notes/'.length)
2836 .split('/')
2837 .map(decodeURIComponent)
2838 .join('/');
2839 const { attestBeforeWrite: gwAttest } = await import('../../lib/air.mjs');
2840 const airId = await gwAttest(
2841 { air: { enabled: true, required: false, endpoint: process.env.KNOWTATION_AIR_ENDPOINT } },
2842 notePath
2843 );
2844 if (airId && airId !== 'air-placeholder-write') {
2845 gatewayAirId = airId;
2846 }
2847 } catch (e) {
2848 // Never let an AIR failure block a hosted write; log and continue.
2849 console.error('[gateway] AIR attestation error (non-fatal):', e?.message || String(e));
2850 }
2851 }
2852
2853 if (
2854 bodyOut !== undefined &&
2855 typeof bodyOut === 'object' &&
2856 !Buffer.isBuffer(bodyOut) &&
2857 isPostApiV1Notes(req.method, pathOnlyForBody)
2858 ) {
2859 bodyOut = mergeHostedNoteBodyForCanister(bodyOut, uid, gatewayAirId);
2860 } else if (
2861 gatewayAirId &&
2862 bodyOut !== undefined &&
2863 typeof bodyOut === 'object' &&
2864 !Buffer.isBuffer(bodyOut) &&
2865 req.method === 'PUT' &&
2866 pathOnlyForBody.startsWith('/api/v1/notes/')
2867 ) {
2868 // PUT note write: inject air_id into frontmatter alongside existing fields
2869 bodyOut = mergeHostedNoteBodyForCanister(bodyOut, uid, gatewayAirId);
2870 }
2871 if (bodyOut !== undefined && typeof bodyOut === 'object' && !Buffer.isBuffer(bodyOut)) {
2872 bodyOut = augmentProposalEvaluationBodyForCanister(req.method, pathOnlyForBody, bodyOut);
2873 const policyOpts =
2874 hostedLlmPrefs != null
2875 ? { evaluationRequired: effectiveHostedEvaluationRequired(hostedLlmPrefs, dataDir) }
2876 : {};
2877 bodyOut = augmentProposalCreateForHosted(req.method, pathOnlyForBody, bodyOut, dataDir, policyOpts);
2878 if (req.method === 'POST') {
2879 const approveId = proposalIdFromApprovePath(pathOnlyForBody);
2880 if (approveId) {
2881 try {
2882 const museCfg = parseMuseConfigFromEnv();
2883 const resolved = await resolveExternalRefForApprove({
2884 clientRef: bodyOut.external_ref,
2885 proposalId: approveId,
2886 vaultId,
2887 config: museCfg,
2888 logWarn: (msg, extra) => console.warn(msg, extra != null ? JSON.stringify(extra) : ''),
2889 });
2890 if (resolved) {
2891 bodyOut = { ...bodyOut, external_ref: resolved };
2892 }
2893 } catch (e) {
2894 console.warn('[gateway] muse approve merge (non-fatal):', e?.message || String(e));
2895 }
2896 }
2897 }
2898 }
2899 if (req.method !== 'GET' && req.method !== 'HEAD' && bodyOut !== undefined) {
2900 opts.body = typeof bodyOut === 'string' ? bodyOut : JSON.stringify(bodyOut);
2901 stripStaleOutboundBodyHeaders(headers);
2902 }
2903 try {
2904 const upstream = await fetch(url, opts);
2905 const body = await upstream.text();
2906 // For a successful proposal CREATE, extract path+body so the hints job can skip
2907 // its own canister GET (saves one ICP round trip, ~1–3 s, from the hints path).
2908 let parsedProposalData = null;
2909 if (
2910 req.method === 'POST' &&
2911 (pathOnlyForBody === '/api/v1/proposals' || pathOnlyForBody === '/api/v1/proposals/') &&
2912 upstream.status >= 200 && upstream.status < 300
2913 ) {
2914 try {
2915 const j = JSON.parse(body);
2916 const merged = proposalDataForHostedReviewHintsFromCreate(j, bodyOut);
2917 if (merged) parsedProposalData = merged;
2918 } catch (_) {}
2919 }
2920 try {
2921 await maybeScheduleHostedProposalReviewHints({
2922 method: req.method,
2923 pathOnly: pathOnlyForBody,
2924 upstreamStatus: upstream.status,
2925 responseText: body,
2926 canisterUrl: CANISTER_URL,
2927 effectiveUserId: effective,
2928 actorUserId: uid,
2929 vaultId,
2930 hintsEnabled: hostedLlmPrefs ? effectiveHostedReviewHints(hostedLlmPrefs) : false,
2931 proposalData: parsedProposalData,
2932 });
2933 } catch (e) {
2934 // Never let a hints failure affect the primary proxy response.
2935 console.error('[gateway] hints exception (non-fatal):', e?.message || String(e));
2936 }
2937 if (upstream.status >= 400 && req.method === 'GET' && url.includes('/api/v1/notes/')) {
2938 console.warn('[gateway] canister GET note:', upstream.status, 'url:', url.slice(0, 120));
2939 }
2940 if (
2941 upstream.status === 404 &&
2942 req.method === 'POST' &&
2943 /\/api\/v1\/proposals\/[^/]+\/evaluation\/?(\?|$)/.test(pathOnlyForBody)
2944 ) {
2945 console.warn(
2946 '[gateway] canister returned 404 for POST …/evaluation. If the body is {"error":"Not found","code":"NOT_FOUND"}, the hub canister on mainnet likely predates the evaluation route or HTTP upgrade for it — redeploy `hub` from this repo (`hub/icp/README.md` §ICP HTTP gateway behavior).',
2947 );
2948 }
2949 const hop = filterUpstreamResponseHeadersForDecodedBody(upstream.headers.entries()).filter(
2950 ([k]) => !['cache-control', 'etag', 'last-modified'].includes(k.toLowerCase()),
2951 );
2952 res.status(upstream.status).set(Object.fromEntries(hop));
2953 res.set('Cache-Control', 'private, no-store, must-revalidate');
2954 res.send(body);
2955 } catch (e) {
2956 console.error('Gateway proxy error:', e.message);
2957 res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
2958 }
2959 }
2960
2961 // Bulk metadata by effective project slug (canister orchestration; not a canister route)
2962 app.post('/api/v1/notes/delete-by-project', async (req, res) => {
2963 if (!(await runBillingGate(req, res, getUserId))) return;
2964 return metadataBulkHandlers.deleteByProject(req, res);
2965 });
2966 app.post('/api/v1/notes/rename-project', async (req, res) => {
2967 if (!(await runBillingGate(req, res, getUserId))) return;
2968 return metadataBulkHandlers.renameProject(req, res);
2969 });
2970
2971 /** Hosted Enrich: gateway runs LLM and POSTs to canister (not proxied as opaque POST). */
2972 app.post('/api/v1/proposals/:proposalId/enrich', async (req, res) => {
2973 // Express 4 does not auto-catch async route handler exceptions; wrap everything so a
2974 // rejected promise never leaves the request hanging until Netlify's Lambda timeout.
2975 try {
2976 if (!(await runBillingGate(req, res, getUserId))) return;
2977 const uid = getUserId(req);
2978 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
2979 const proposalId = req.params.proposalId;
2980 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
2981 const hctx = await getHostedAccessContext(req);
2982 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
2983 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
2984 }
2985 const { role } = await resolveHostedActorRole(req, hctx);
2986 if (role === 'viewer') {
2987 return res.status(403).json({ error: 'This action requires a different role.', code: 'FORBIDDEN' });
2988 }
2989 const effective =
2990 hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
2991 ? hctx.effective_canister_user_id
2992 : uid;
2993 const llmPrefs = await loadHostedProposalLlmPrefs();
2994 const enrichEnabled = effectiveHostedEnrich(llmPrefs);
2995 // Diagnostic: log which LLM provider will be used (visible in Netlify function logs).
2996 console.log(
2997 '[gateway/enrich] proposalId=%s enrichEnabled=%s provider=%s',
2998 proposalId,
2999 enrichEnabled,
3000 process.env.OPENAI_API_KEY ? 'openai' : process.env.ANTHROPIC_API_KEY ? 'anthropic' : 'ollama(NO KEY)',
3001 );
3002 const out = await runHostedProposalEnrichAndPost({
3003 canisterUrl: CANISTER_URL,
3004 effectiveUserId: effective,
3005 actorUserId: uid,
3006 vaultId,
3007 proposalId,
3008 enrichEnabled,
3009 });
3010 if (!out.ok) {
3011 if (out.status === 404 && out.code === 'NOT_FOUND') {
3012 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3013 }
3014 if (out.status === 404) {
3015 return res.status(404).json({ error: 'Proposal not found', code: 'NOT_FOUND' });
3016 }
3017 if (out.status === 400) {
3018 return res.status(400).json({ error: out.detail || 'Bad request', code: out.code || 'BAD_REQUEST' });
3019 }
3020 return res.status(out.status || 500).json({
3021 error: out.detail || out.code || 'Enrich failed',
3022 code: out.code || 'RUNTIME_ERROR',
3023 });
3024 }
3025 // Return immediately — the frontend calls openProposal() + loadProposals() after this
3026 // which re-fetches the updated proposal. Eliminating the extra canister GET here removes
3027 // one full ICP round trip (~1–3 s) from the critical path and prevents Netlify timeout.
3028 return res.set('Cache-Control', 'private, no-store, must-revalidate').json({ ok: true });
3029 } catch (e) {
3030 console.error('[gateway/enrich] unhandled exception:', e?.stack || e?.message || e);
3031 if (!res.headersSent) {
3032 res.status(500).json({ error: e?.message || 'Internal error', code: 'INTERNAL_ERROR' });
3033 }
3034 }
3035 });
3036
3037 // ---------------------------------------------------------------------------
3038 // AIR Improvement D — built-in attestation endpoint
3039 // ---------------------------------------------------------------------------
3040
3041 app.post('/api/v1/attest', async (req, res) => {
3042 const uid = getUserId(req);
3043 if (!uid) {
3044 return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
3045 }
3046 if (!isAttestationConfigured()) {
3047 return res.status(503).json({
3048 error: 'Attestation service not configured (ATTESTATION_SECRET missing or too short).',
3049 code: 'NOT_CONFIGURED',
3050 });
3051 }
3052 const body = req.body && typeof req.body === 'object' ? req.body : {};
3053 const action = typeof body.action === 'string' ? body.action.trim() : '';
3054 if (!action) {
3055 return res.status(400).json({ error: 'action is required', code: 'BAD_REQUEST' });
3056 }
3057 const notePath = typeof body.path === 'string' ? body.path : '';
3058 const contentHash = typeof body.content_hash === 'string' ? body.content_hash : null;
3059 try {
3060 const result = await createAttestation(action, notePath, contentHash);
3061 return res.json(result);
3062 } catch (e) {
3063 console.error('[gateway] POST /api/v1/attest error:', e?.message || e);
3064 return res.status(500).json({ error: 'Attestation failed', code: 'INTERNAL_ERROR' });
3065 }
3066 });
3067
3068 app.get('/api/v1/attest/:id', async (req, res) => {
3069 if (!isAttestationConfigured()) {
3070 return res.status(503).json({
3071 error: 'Attestation service not configured (ATTESTATION_SECRET missing or too short).',
3072 code: 'NOT_CONFIGURED',
3073 });
3074 }
3075 const id = req.params.id;
3076 if (!id || !id.startsWith('air-')) {
3077 return res.status(400).json({ error: 'Invalid attestation id format', code: 'BAD_REQUEST' });
3078 }
3079 try {
3080 const result = await verifyAttestation(id);
3081 if (!result.record) {
3082 return res.status(404).json({ error: 'Attestation not found', code: 'NOT_FOUND' });
3083 }
3084 return res.json(result);
3085 } catch (e) {
3086 console.error('[gateway] GET /api/v1/attest/:id error:', e?.message || e);
3087 return res.status(500).json({ error: 'Verification failed', code: 'INTERNAL_ERROR' });
3088 }
3089 });
3090
3091 // ---------------------------------------------------------------------------
3092 // AIR Improvement E — ICP blockchain anchor verification + reconciliation
3093 // ---------------------------------------------------------------------------
3094
3095 app.get('/api/v1/attest/:id/verify', async (req, res) => {
3096 if (!isAttestationConfigured()) {
3097 return res.status(503).json({
3098 error: 'Attestation service not configured (ATTESTATION_SECRET missing or too short).',
3099 code: 'NOT_CONFIGURED',
3100 });
3101 }
3102 const id = req.params.id;
3103 if (!id || !id.startsWith('air-')) {
3104 return res.status(400).json({ error: 'Invalid attestation id format', code: 'BAD_REQUEST' });
3105 }
3106 try {
3107 const result = await verifyWithIcp(id);
3108 if (!result.sources.blobs.found && !result.sources.icp.found) {
3109 return res.status(404).json({ error: 'Attestation not found', code: 'NOT_FOUND', ...result });
3110 }
3111 return res.json(result);
3112 } catch (e) {
3113 console.error('[gateway] GET /api/v1/attest/:id/verify error:', e?.message || e);
3114 return res.status(500).json({ error: 'Verification failed', code: 'INTERNAL_ERROR' });
3115 }
3116 });
3117
3118 app.post('/api/v1/attest/anchor-pending', requireAdmin, async (req, res) => {
3119 if (!isAttestationConfigured()) {
3120 return res.status(503).json({
3121 error: 'Attestation service not configured (ATTESTATION_SECRET missing or too short).',
3122 code: 'NOT_CONFIGURED',
3123 });
3124 }
3125 const body = req.body && typeof req.body === 'object' ? req.body : {};
3126 const ids = Array.isArray(body.ids) ? body.ids.filter((x) => typeof x === 'string' && x.startsWith('air-')) : [];
3127 if (ids.length === 0) {
3128 return res.status(400).json({ error: 'ids array with air-* entries is required', code: 'BAD_REQUEST' });
3129 }
3130 if (ids.length > 100) {
3131 return res.status(400).json({ error: 'Maximum 100 IDs per batch', code: 'BAD_REQUEST' });
3132 }
3133 try {
3134 const result = await anchorPendingAttestations(ids);
3135 return res.json(result);
3136 } catch (e) {
3137 console.error('[gateway] POST /api/v1/attest/anchor-pending error:', e?.message || e);
3138 return res.status(500).json({ error: 'Anchor failed', code: 'INTERNAL_ERROR' });
3139 }
3140 });
3141
3142 /**
3143 * Hosted: single-note export for Hub UI (POST /api/v1/export). Self-hosted Node Hub implements
3144 * this with filesystem; the ICP canister only supports GET /api/v1/export (full vault JSON), so
3145 * POST was returning 404 from the canister. We fetch the note and build the same download payload
3146 * as lib/export.mjs.
3147 */
3148 app.post('/api/v1/export', async (req, res) => {
3149 if (!CANISTER_URL) {
3150 return res.status(503).json({ error: 'Hosted export not configured', code: 'SERVICE_UNAVAILABLE' });
3151 }
3152 if (!(await runBillingGate(req, res, getUserId, { getNoteCount: getNoteCountForUser }))) return;
3153 const uid = getUserId(req);
3154 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
3155 const body = req.body && typeof req.body === 'object' ? req.body : {};
3156 const notePath = typeof body.path === 'string' ? body.path.replace(/\\/g, '/').trim() : '';
3157 const fmt = body.format === 'html' ? 'html' : 'md';
3158 if (!notePath || notePath.includes('..') || notePath.startsWith('/')) {
3159 return res.status(400).json({ error: 'path required', code: 'BAD_REQUEST' });
3160 }
3161 const vaultId = String(req.headers['x-vault-id'] || 'default').trim() || 'default';
3162 const hctx = await getHostedAccessContext(req);
3163 if (hctx && Array.isArray(hctx.allowed_vault_ids) && !hctx.allowed_vault_ids.includes(vaultId)) {
3164 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
3165 }
3166 const effective =
3167 hctx && typeof hctx.effective_canister_user_id === 'string' && hctx.effective_canister_user_id
3168 ? hctx.effective_canister_user_id
3169 : uid;
3170 const enc = notePath.split('/').map(encodeURIComponent).join('/');
3171 const url = `${CANISTER_URL}/api/v1/notes/${enc}`;
3172 let upstream;
3173 try {
3174 upstream = await fetch(url, {
3175 method: 'GET',
3176 headers: {
3177 Accept: 'application/json',
3178 'x-user-id': effective,
3179 'x-actor-id': uid,
3180 'x-vault-id': vaultId,
3181 ...canisterAuthHeaders(),
3182 },
3183 });
3184 } catch (e) {
3185 console.error('[gateway] export fetch note:', e?.message || e);
3186 return res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
3187 }
3188 const text = await upstream.text();
3189 if (upstream.status === 404) {
3190 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3191 }
3192 if (!upstream.ok) {
3193 return res.status(upstream.status).type('application/json').send(text);
3194 }
3195 let note;
3196 try {
3197 note = JSON.parse(text);
3198 } catch {
3199 return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
3200 }
3201 const scope = scopeActiveForGateway(hctx) ? hctx.scope : null;
3202 if (scope) {
3203 const withProj = {
3204 path: note.path,
3205 project: materializeListFrontmatter(note.frontmatter).project ?? null,
3206 };
3207 const filtered = applyScopeFilterToNotes([withProj], scope);
3208 if (filtered.length === 0) {
3209 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3210 }
3211 }
3212 const fm = materializeListFrontmatter(note.frontmatter);
3213 const { content, filename } = exportNoteRecordToContent(
3214 { body: note.body != null ? String(note.body) : '', frontmatter: fm },
3215 note.path || notePath,
3216 { format: fmt },
3217 );
3218 res.set('Cache-Control', 'private, no-store, must-revalidate');
3219 return res.json({ content, filename });
3220 });
3221
3222 /**
3223 * Cross-vault copy/move (hosted gateway): GET note from canister vault A, POST to vault B, optional DELETE on A.
3224 * Conflicts: if `path` already exists in the target vault, the write **overwrites** (same as POST /notes).
3225 * After success, triggers bridge **Re-index** for the target vault and, when moving, the source vault (fire-and-forget).
3226 */
3227 app.post('/api/v1/notes/copy', async (req, res) => {
3228 if (!CANISTER_URL) {
3229 return res.status(503).json({ error: 'Hosted copy not configured', code: 'SERVICE_UNAVAILABLE' });
3230 }
3231 if (!(await runBillingGate(req, res, getUserId, { getNoteCount: getNoteCountForUser }))) return;
3232 const uid = getUserId(req);
3233 if (!uid) return res.status(401).json({ error: 'Unauthorized', code: 'UNAUTHORIZED' });
3234 const authHeader = req.headers.authorization || '';
3235 const body = req.body && typeof req.body === 'object' ? req.body : {};
3236 const fromVault = typeof body.from_vault_id === 'string' ? body.from_vault_id.replace(/\\/g, '/').trim() : '';
3237 const toVault = typeof body.to_vault_id === 'string' ? body.to_vault_id.replace(/\\/g, '/').trim() : '';
3238 const notePath = typeof body.path === 'string' ? body.path.replace(/\\/g, '/').trim() : '';
3239 const deleteSource = body.delete_source === true;
3240 if (!fromVault || !toVault || !notePath || notePath.includes('..') || notePath.startsWith('/')) {
3241 return res.status(400).json({
3242 error: 'from_vault_id, to_vault_id, and path are required (vault-relative path)',
3243 code: 'BAD_REQUEST',
3244 });
3245 }
3246 if (fromVault === toVault) {
3247 return res.status(400).json({ error: 'from_vault_id and to_vault_id must differ', code: 'BAD_REQUEST' });
3248 }
3249 /** @type {Record<string, unknown>|null} */
3250 let hctxFrom = null;
3251 if (BRIDGE_URL) {
3252 hctxFrom = await fetchHostedAccessContextForVault(authHeader, fromVault);
3253 if (!hctxFrom) {
3254 return res.status(403).json({ error: 'Hosted workspace context unavailable.', code: 'FORBIDDEN' });
3255 }
3256 if (Array.isArray(hctxFrom.allowed_vault_ids)) {
3257 if (!hctxFrom.allowed_vault_ids.includes(fromVault) || !hctxFrom.allowed_vault_ids.includes(toVault)) {
3258 return res.status(403).json({ error: 'Access to this vault is not allowed.', code: 'FORBIDDEN' });
3259 }
3260 }
3261 }
3262 const { role } = await resolveHostedActorRole(req, hctxFrom);
3263 if (role === 'viewer') {
3264 return res.status(403).json({ error: 'This action requires editor or admin.', code: 'FORBIDDEN' });
3265 }
3266 const effective =
3267 hctxFrom && typeof hctxFrom.effective_canister_user_id === 'string' && hctxFrom.effective_canister_user_id
3268 ? hctxFrom.effective_canister_user_id
3269 : uid;
3270 const enc = notePath.split('/').map(encodeURIComponent).join('/');
3271 const getUrl = `${CANISTER_URL}/api/v1/notes/${enc}`;
3272 let upstream;
3273 try {
3274 upstream = await fetch(getUrl, {
3275 method: 'GET',
3276 headers: {
3277 Accept: 'application/json',
3278 'x-user-id': effective,
3279 'x-actor-id': uid,
3280 'x-vault-id': fromVault,
3281 ...canisterAuthHeaders(),
3282 },
3283 });
3284 } catch (e) {
3285 console.error('[gateway] notes/copy fetch source:', e?.message || e);
3286 return res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
3287 }
3288 const getText = await upstream.text();
3289 if (upstream.status === 404) {
3290 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3291 }
3292 if (!upstream.ok) {
3293 return res.status(upstream.status).type('application/json').send(getText);
3294 }
3295 let note;
3296 try {
3297 note = JSON.parse(getText);
3298 } catch {
3299 return res.status(502).json({ error: 'Invalid note response', code: 'BAD_GATEWAY' });
3300 }
3301 const scope = scopeActiveForGateway(hctxFrom) ? hctxFrom.scope : null;
3302 if (scope) {
3303 const withProj = {
3304 path: note.path,
3305 project: materializeListFrontmatter(note.frontmatter).project ?? null,
3306 };
3307 const filtered = applyScopeFilterToNotes([withProj], scope);
3308 if (filtered.length === 0) {
3309 return res.status(404).json({ error: 'Not found', code: 'NOT_FOUND' });
3310 }
3311 }
3312 const outPath = note.path || notePath;
3313 let fmRaw = note.frontmatter;
3314 if (typeof fmRaw === 'string') {
3315 try {
3316 fmRaw = fmRaw.trim() ? JSON.parse(fmRaw) : {};
3317 } catch {
3318 fmRaw = {};
3319 }
3320 }
3321 if (!fmRaw || typeof fmRaw !== 'object' || Array.isArray(fmRaw)) {
3322 fmRaw = {};
3323 }
3324 let gatewayAirId = null;
3325 if (process.env.KNOWTATION_AIR_ENDPOINT) {
3326 try {
3327 const { attestBeforeWrite: gwAttest } = await import('../../lib/air.mjs');
3328 const airId = await gwAttest(
3329 { air: { enabled: true, required: false, endpoint: process.env.KNOWTATION_AIR_ENDPOINT } },
3330 outPath,
3331 );
3332 if (airId && airId !== 'air-placeholder-write') {
3333 gatewayAirId = airId;
3334 }
3335 } catch (e) {
3336 console.error('[gateway] AIR attestation (copy, non-fatal):', e?.message || String(e));
3337 }
3338 }
3339 const postBody = mergeHostedNoteBodyForCanister(
3340 {
3341 path: outPath,
3342 body: note.body != null ? String(note.body) : '',
3343 frontmatter: fmRaw,
3344 },
3345 uid,
3346 gatewayAirId,
3347 );
3348 const postHeaders = {
3349 'Content-Type': 'application/json',
3350 Accept: 'application/json',
3351 host: new URL(CANISTER_URL).host,
3352 'x-user-id': effective,
3353 'x-actor-id': uid,
3354 'x-vault-id': toVault,
3355 ...canisterAuthHeaders(),
3356 };
3357 const postOpts = { method: 'POST', headers: postHeaders, body: JSON.stringify(postBody) };
3358 stripStaleOutboundBodyHeaders(postHeaders);
3359 let postUpstream;
3360 try {
3361 postUpstream = await fetch(`${CANISTER_URL}/api/v1/notes`, postOpts);
3362 } catch (e) {
3363 console.error('[gateway] notes/copy post target:', e?.message || e);
3364 return res.status(502).json({ error: 'Bad Gateway', code: 'BAD_GATEWAY' });
3365 }
3366 const postText = await postUpstream.text();
3367 if (!postUpstream.ok) {
3368 return res.status(postUpstream.status).type('application/json').send(postText);
3369 }
3370 if (deleteSource) {
3371 let delUpstream;
3372 try {
3373 delUpstream = await fetch(getUrl, {
3374 method: 'DELETE',
3375 headers: {
3376 Accept: 'application/json',
3377 'x-user-id': effective,
3378 'x-actor-id': uid,
3379 'x-vault-id': fromVault,
3380 ...canisterAuthHeaders(),
3381 },
3382 });
3383 } catch (e) {
3384 console.error('[gateway] notes/copy delete source:', e?.message || e);
3385 return res.status(502).json({
3386 error:
3387 'Note was copied to the target vault but deleting the source failed. Remove the duplicate from the target vault if you retry.',
3388 code: 'DELETE_FAILED',
3389 });
3390 }
3391 const delText = await delUpstream.text();
3392 if (!delUpstream.ok && delUpstream.status !== 404) {
3393 return res.status(delUpstream.status).json({
3394 error: 'Note was copied to the target vault but deleting the source failed.',
3395 code: 'DELETE_FAILED',
3396 detail: typeof delText === 'string' ? delText.slice(0, 500) : '',
3397 });
3398 }
3399 }
3400 const reindexVaults = deleteSource ? [toVault, fromVault] : [toVault];
3401 void (async () => {
3402 if (!BRIDGE_URL) return;
3403 for (const vid of reindexVaults) {
3404 try {
3405 const idxRes = await fetch(BRIDGE_URL + '/api/v1/index', {
3406 method: 'POST',
3407 headers: {
3408 Authorization: authHeader,
3409 Accept: 'application/json',
3410 'Content-Type': 'application/json',
3411 'X-Vault-Id': String(vid || 'default').trim() || 'default',
3412 },
3413 body: '{}',
3414 });
3415 const idxText = await idxRes.text();
3416 await recordIndexingTokensAfterBridgeIndex(uid, idxRes.status, idxText);
3417 } catch (e) {
3418 console.warn('[gateway] notes/copy reindex:', e?.message || e);
3419 }
3420 }
3421 })();
3422 res.set('Cache-Control', 'private, no-store, must-revalidate');
3423 return res.json({
3424 ok: true,
3425 path: outPath,
3426 from_vault_id: fromVault,
3427 to_vault_id: toVault,
3428 moved: deleteSource,
3429 });
3430 });
3431
3432 app.use('/api/v1', async (req, res) => {
3433 if (req.method === 'OPTIONS') return res.status(204).end();
3434 if (!(await runBillingGate(req, res, getUserId, { getNoteCount: getNoteCountForUser }))) return;
3435 return proxyToCanister(req, res);
3436 });
3437
3438 // Health from canister if UI calls /health via same origin
3439 app.get('/api/v1/health-canister', async (_req, res) => {
3440 try {
3441 const r = await fetch(CANISTER_URL + '/health');
3442 const body = await r.text();
3443 res.status(r.status).set('Content-Type', 'application/json').send(body);
3444 } catch (e) {
3445 res.status(502).json({ ok: false, error: e.message });
3446 }
3447 });
3448
3449 app.use((err, req, res, next) => {
3450 if (res.headersSent) return next(err);
3451 console.error('[gateway] unhandled error:', err?.stack || err?.message || err);
3452 const status =
3453 typeof err.status === 'number' && err.status >= 400 && err.status < 600
3454 ? err.status
3455 : typeof err.statusCode === 'number' && err.statusCode >= 400 && err.statusCode < 600
3456 ? err.statusCode
3457 : 500;
3458 res.status(status).json({
3459 error: err.message || 'Internal error',
3460 code: err.code || 'INTERNAL_ERROR',
3461 });
3462 });
3463
3464 // When running on Netlify, the app is imported by netlify/functions/gateway.mjs and not started here.
3465 if (!process.env.NETLIFY) {
3466 if (!CANISTER_URL) {
3467 console.error('Gateway: CANISTER_URL is required (e.g. https://<canister-id>.ic0.app)');
3468 process.exit(1);
3469 }
3470 if (!SESSION_SECRET) {
3471 console.error('Gateway: SESSION_SECRET or HUB_JWT_SECRET is required');
3472 process.exit(1);
3473 }
3474 if (!CANISTER_AUTH_SECRET && CANISTER_URL) {
3475 console.warn(
3476 '\x1b[33m[SECURITY] CANISTER_AUTH_SECRET is not set. ' +
3477 'The canister will not verify gateway identity. ' +
3478 'Set CANISTER_AUTH_SECRET and call admin_set_gateway_auth_secret on the canister before public launch.\x1b[0m'
3479 );
3480 }
3481 if (CANISTER_URL && !billingEnforced()) {
3482 console.warn(
3483 '\x1b[33m[SECURITY] BILLING_ENFORCE is not set to true. ' +
3484 'Billing limits (storage cap, usage gates) are not enforced. ' +
3485 'Set BILLING_ENFORCE=true before public launch on hosted deployment.\x1b[0m'
3486 );
3487 }
3488 app.listen(PORT, () => {
3489 console.log(`Knowtation Hub Gateway listening on http://localhost:${PORT}`);
3490 console.log(' Canister: ' + CANISTER_URL);
3491 console.log(' UI origin: ' + HUB_UI_ORIGIN);
3492 console.log(' Login: GET /auth/login?provider=google|github');
3493 });
3494 }
3495
3496 export { app };
File History 1 commit
sha256:94ec65bd2b200240ac785a97cf14c5db066832bd608a24d6a9c151f17b918b02 feat(calendar): hosted bridge/gateway route parity and time… Human minor 1 day ago