kaffa/cloud-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: kaffa:9f3d3a245a8ab0a65843badef46100fe71164246
Branches Tags
kaffa:main
...
compare: kaffa:1e750a863b2a76cf769f77e36a86020a81abd762
Branches Tags
kaffa:main

4 Commits
9f3d3a245a ... 1e750a863b

Author SHA1 Message Date
kappa
1e750a863b refactor: 추천 시스템 제거 
삭제된 파일:
- src/routes/recommend.ts
- src/services/recommendation.ts
- src/services/recommendation.test.ts
- src/services/stackConfig.ts
- src/services/regionFilter.ts

수정된 파일:
- src/index.ts: /recommend 라우트 제거
- src/routes/index.ts: handleRecommend export 제거
- src/constants.ts: RECOMMENDATIONS TTL, rate limit 제거
- src/middleware/rateLimit.ts: /recommend 설정 제거
- src/types.ts: 추천 관련 타입 제거
- scripts/e2e-tester.ts: recommend 시나리오 제거
- scripts/api-tester.ts: recommend 테스트 제거

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-26 00:35:59 +09:00
kappa
01b062f86a docs: KV 캐시 인덱스 구현 문서 추가 
- CACHE_KV_IMPLEMENTATION.md: 구현 상세 문서
- docs/cache-kv-usage.md: 사용 가이드

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-26 00:23:38 +09:00
kappa
5a9362bf43 feat: P1 보안/성능 개선 및 마이그레이션 자동화 
Security fixes:
- migrate.ts: SQL/Command Injection 방지 (spawnSync 사용)
- migrate.ts: Path Traversal 검증 추가
- api-tester.ts: API 키 마스킹 (4자만 노출)
- api-tester.ts: 최소 16자 키 길이 검증
- cache.ts: ReDoS 방지 (패턴 길이/와일드카드 제한)

Performance improvements:
- cache.ts: 순차 삭제 → 병렬 배치 처리 (50개씩)
- cache.ts: KV 등록 fire-and-forget (non-blocking)
- cache.ts: 메모리 제한 (5000키)
- cache.ts: 25초 실행 시간 가드
- cache.ts: 패턴 매칭 prefix 최적화

New features:
- 마이그레이션 자동화 시스템 (scripts/migrate.ts)
- KV 기반 캐시 인덱스 (invalidatePattern, clearAll)
- 글로벌 CacheService 싱글톤

Other:
- .env.example 추가, API 키 환경변수 처리
- CACHE_TTL.RECOMMENDATIONS (10분) 분리
- e2e-tester.ts JSON 파싱 에러 핸들링 개선

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-26 00:23:13 +09:00
kappa
3a8dd705e6 refactor: comprehensive code review fixes (security, performance, QA) 
## Security Improvements
- Fix timing attack in verifyApiKey with fixed 256-byte buffer
- Fix sortOrder SQL injection with whitelist validation
- Fix rate limiting bypass for non-Cloudflare traffic (fail-closed)
- Remove stack trace exposure in error responses
- Add request_id for audit trail (X-Request-ID header)
- Sanitize origin header to prevent log injection
- Add content-length validation for /sync endpoint (10KB limit)
- Replace Math.random() with crypto.randomUUID() for sync IDs
- Expand sensitive data masking patterns (8 → 18)

## Performance Improvements
- Reduce rate limiter KV reads from 3 to 1 per request (66% reduction)
- Increase sync batch size from 100 to 500 (80% fewer batches)
- Fix health check N+1 query with efficient JOINs
- Fix COUNT(*) Cartesian product with COUNT(DISTINCT)
- Implement shared logger cache pattern across repositories
- Add CacheService singleton pattern in recommend.ts
- Add composite index for recommendation queries
- Implement Anvil pricing query batching (100 per chunk)

## QA Improvements
- Add BATCH_SIZE bounds validation (1-1000)
- Add pagination bounds (page >= 1, MAX_OFFSET = 100000)
- Add min/max range consistency validation
- Add DB reference validation for singleton services
- Add type guards for database result validation
- Add timeout mechanism for external API calls (10-60s)
- Use SUPPORTED_PROVIDERS constant instead of hardcoded list

## Removed
- Remove Vault integration (using Wrangler secrets)
- Remove 6-hour pricing cron (daily sync only)

## Configuration
- Add idx_instance_types_specs_filter composite index
- Add CORS Access-Control-Expose-Headers

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-25 23:50:37 +09:00
61 changed files with 3632 additions and 3978 deletions
Expand all files Collapse all files

9
.env.example Normal file
View File

@@ -0,0 +1,9 @@
# API Configuration for Testing Scripts
# Copy this file to .env and replace with your actual API key
# API URL (defaults to production if not set)
API_URL=https://cloud-instances-api.kappa-d8e.workers.dev
# API Key - REQUIRED for test scripts
# Get your API key from the project administrator
API_KEY=your-api-key-here

1
.gitignore vendored
View File

@@ -2,5 +2,6 @@ node_modules/
dist/
.wrangler/
.dev.vars
.env
*.log
.DS_Store

303
ANVIL_IMPLEMENTATION.md
View File

@@ -2,249 +2,178 @@
## Overview
Implemented complete database schema and repositories for Anvil-branded cloud products, including regions, instances, pricing, and transfer pricing.
Anvil-branded cloud products with automated pricing sync from source providers (Linode, Vultr).
## Implementation Summary
**Key Features:**
- USD retail pricing only (simplified schema)
- Automatic pricing sync: wholesale × 1.21 = retail
- Source mapping via `source_instance_id` and `source_region_id`
### 1. Database Migration (004_anvil_tables.sql)
## Database Schema
Created 4 new tables with proper indexes, triggers, and foreign key constraints:
#### anvil_regions
- Maps Anvil-branded regions to source provider regions
- Contains 6 initial regions (Tokyo 1-3, Osaka 1-2, Seoul 1)
- Links to existing `regions` table via `source_region_id`
### anvil_regions
Maps Anvil regions to source provider regions.
**Columns:**
- `id`, `name` (unique), `display_name`, `country_code`
- `source_provider`, `source_region_code`, `source_region_id` (FK)
- `source_provider` (linode, vultr)
- `source_region_code`, `source_region_id` (FK to `regions.id`)
- `active`, `created_at`, `updated_at`
**Initial Data:**
```
anvil-tyo1 → Linode ap-northeast (region_id: 26)
anvil-tyo2 → Linode jp-tyo-3 (region_id: 3)
anvil-tyo3 → Vultr nrt (region_id: 323)
anvil-osa1 → Linode jp-osa (region_id: 13)
anvil-osa2 → Vultr itm (region_id: 314)
anvil-sel1 → Vultr icn (region_id: 313)
```
**Region Mappings:**
| Anvil Region | Source Provider | Source Region |
|-------------|-----------------|---------------|
| anvil-tyo1 | Linode | ap-northeast |
| anvil-tyo2 | Linode | jp-tyo-3 |
| anvil-tyo3 | Vultr | nrt |
| anvil-osa1 | Linode | jp-osa |
| anvil-osa2 | Vultr | itm |
| anvil-sel1 | Vultr | icn |
#### anvil_instances
- Defines Anvil product specifications
- Supports categories: vm, gpu, g8, vpu
- GPU-specific fields: `gpu_model`, `gpu_vram_gb`
### anvil_instances
Anvil product specifications.
**Columns:**
- `id`, `name` (unique), `display_name`, `category`
- `id`, `name` (unique), `display_name`, `category` (vm, gpu, g8, vpu)
- `vcpus`, `memory_gb`, `disk_gb`
- `transfer_tb`, `network_gbps`
- `gpu_model`, `gpu_vram_gb` (nullable)
- `gpu_model`, `gpu_vram_gb` (nullable, for GPU instances)
- `active`, `created_at`, `updated_at`
#### anvil_pricing
- Retail pricing with cost tracking
- Auto-calculates KRW prices using exchange rates
- Links to both Anvil instances/regions and source instances
### anvil_pricing
Retail pricing in USD. Auto-synced from source provider pricing.
**Columns:**
- `id`, `anvil_instance_id` (FK), `anvil_region_id` (FK)
- `hourly_price`, `monthly_price` (retail USD)
- `hourly_price_krw`, `monthly_price_krw` (retail KRW)
- `cost_hourly`, `cost_monthly` (wholesale USD)
- `source_instance_id` (optional FK to source tables)
- `source_instance_id` (FK to `instance_types.id`)
- `active`, `created_at`, `updated_at`
- UNIQUE constraint on (anvil_instance_id, anvil_region_id)
#### anvil_transfer_pricing
- Data transfer pricing per region
- KRW conversion support
### anvil_transfer_pricing
Data transfer pricing per region.
**Columns:**
- `id`, `anvil_region_id` (FK)
- `price_per_gb` (USD), `price_per_gb_krw` (KRW)
- `price_per_gb` (USD)
- `included_tb` (reference only)
- `active`, `created_at`, `updated_at`
- UNIQUE constraint on anvil_region_id
### 2. TypeScript Types (src/types.ts)
## Pricing Sync Flow
Added 8 new type definitions:
Provider sync automatically updates Anvil pricing via `syncAnvilPricing()`.
### Flow Diagram
```
Provider API → pricing table (wholesale USD) → anvil_pricing (retail USD)
syncProvider()
syncAnvilPricing()
retail = wholesale × 1.21
```
### Retail Markup Calculation
```typescript
AnvilRegion
AnvilInstance
AnvilPricing
AnvilTransferPricing
AnvilRegionInput
AnvilInstanceInput
AnvilPricingInput
AnvilTransferPricingInput
// src/constants.ts
export const USD_RETAIL_DEFAULTS = {
MARGIN_MULTIPLIER: 1.1, // 10% margin
VAT_MULTIPLIER: 1.1, // 10% VAT
TOTAL_MULTIPLIER: 1.21, // Combined
};
// Hourly: rounded to 4 decimal places
calculateRetailHourly(0.0075) // → 0.0091
// Monthly: rounded to nearest $1
calculateRetailMonthly(5) // → 6
```
All Input types auto-derive from their base types, excluding `id`, `created_at`, and `updated_at`.
### Source Mapping
`anvil_pricing` links to source data via:
- `source_instance_id``instance_types.id`
- `anvil_region_id``anvil_regions.source_region_id``regions.id`
### 3. Repositories
When sync runs, it:
1. Finds anvil_pricing records with `source_instance_id` set
2. Looks up wholesale price from `pricing` table using source_instance_id + source_region_id
3. Calculates retail price (×1.21)
4. Updates anvil_pricing with new retail prices
Created 4 repository classes following existing BaseRepository pattern:
## API Authentication
#### AnvilRegionsRepository
- `findByName(name: string)` - Find by Anvil region name
- `findByCountry(countryCode: string)` - Get all regions in a country
- `findBySourceRegion(sourceRegionId: number)` - Reverse lookup
- `findActive()` - Get all active regions
- `updateActive(id: number, active: boolean)` - Toggle active status
- `upsertMany(regions: AnvilRegionInput[])` - Bulk insert/update
API key stored in Vault:
```
Path: secret/data/cloud-instances-api
Key: api_key
```
#### AnvilInstancesRepository
- `findByName(name: string)` - Find by instance name
- `findByCategory(category)` - Filter by vm/gpu/g8/vpu
- `findActive(category?)` - Get active instances with optional category filter
- `searchByResources(minVcpus?, minMemoryGb?, minDiskGb?, category?)` - Resource-based search
- `updateActive(id: number, active: boolean)` - Toggle active status
- `upsertMany(instances: AnvilInstanceInput[])` - Bulk insert/update
Set wrangler secret:
```bash
wrangler secret put API_KEY
```
#### AnvilPricingRepository
- `findByInstance(anvilInstanceId: number)` - All pricing for an instance
- `findByRegion(anvilRegionId: number)` - All pricing in a region
- `findByInstanceAndRegion(instanceId, regionId)` - Specific pricing record
- `findActive(instanceId?, regionId?)` - Active pricing with optional filters
- `searchByPriceRange(minHourly?, maxHourly?, minMonthly?, maxMonthly?)` - Price range search
- `updateActive(id: number, active: boolean)` - Toggle active status
- `upsertMany(pricing: AnvilPricingInput[])` - Bulk insert/update with auto KRW calculation
#### AnvilTransferPricingRepository
- `findByRegion(anvilRegionId: number)` - Get transfer pricing for a region
- `findActive()` - Get all active transfer pricing
- `updateActive(id: number, active: boolean)` - Toggle active status
- `upsertMany(pricing: AnvilTransferPricingInput[])` - Bulk insert/update with KRW conversion
### 4. Repository Factory Updates
Updated `RepositoryFactory` class to include:
- `anvilRegions: AnvilRegionsRepository`
- `anvilInstances: AnvilInstancesRepository`
- `anvilPricing: AnvilPricingRepository`
- `anvilTransferPricing: AnvilTransferPricingRepository`
All repositories use lazy singleton pattern for efficient caching.
### 5. KRW Pricing Support
Pricing repositories automatically calculate KRW prices using environment variables:
- `KRW_EXCHANGE_RATE` - Base USD to KRW conversion rate (default: 1450)
- `KRW_VAT_RATE` - VAT multiplier (default: 1.1 for 10% VAT)
- `KRW_MARKUP_RATE` - Markup multiplier (default: 1.1 for 10% markup)
KRW prices are auto-calculated during `upsertMany()` operations.
## Database Schema
## Database Relationships
```
anvil_regions (1) ──< anvil_pricing (M)
anvil_instances (1) ──< anvil_pricing (M)
anvil_regions (1) ──< anvil_transfer_pricing (1)
regions (1) ──< anvil_regions (M) [source mapping]
providers (1) ──< instance_types (M) ──< pricing (M)
↑ ↑
source_instance_id source_region_id
↓ ↓
anvil_instances (1) ──< anvil_pricing (M) >── anvil_regions (1)
```
## Deployment Status
✅ Migration 004 applied to remote database (2026-01-25)
17 queries executed successfully
6 initial regions inserted
✅ All 4 tables created with indexes and triggers
✅ TypeScript compilation successful
✅ Deployed to production (Version: 5905e5df-7265-4872-b05e-e3fe4b7d0619)
✅ Migration 004 applied to remote database
6 Anvil regions configured
Source instance mappings for tyo1, tyo2, tyo3, osa1, osa2, sel1
✅ Auto-sync working: retail = wholesale × 1.21
## Usage Examples
### Query Anvil Regions
### Trigger Sync
```bash
curl -X POST "https://cloud-instances-api.kappa-d8e.workers.dev/sync" \
-H "X-API-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"providers": ["linode", "vultr"]}'
```
### Query Anvil Pricing
```typescript
const repos = new RepositoryFactory(env.DB, env);
// Get all Japan regions
const jpRegions = await repos.anvilRegions.findByCountry('JP');
// Returns: anvil-tyo1, anvil-tyo2, anvil-tyo3, anvil-osa1, anvil-osa2
// Get pricing for a region
const pricing = await repos.anvilPricing.findByRegion(regionId);
// Find specific region
const tyo1 = await repos.anvilRegions.findByName('anvil-tyo1');
// Get pricing for an instance
const instancePricing = await repos.anvilPricing.findByInstance(instanceId);
```
### Create Anvil Instance
```typescript
await repos.anvilInstances.create({
name: 'anvil-1g-1c',
display_name: 'Basic 1GB',
category: 'vm',
vcpus: 1,
memory_gb: 1,
disk_gb: 25,
transfer_tb: 1,
network_gbps: 1,
gpu_model: null,
gpu_vram_gb: null,
active: 1,
});
### Add Source Mapping
```sql
-- Map anvil_pricing to source instance
UPDATE anvil_pricing
SET source_instance_id = (
SELECT id FROM instance_types
WHERE instance_id = 'vc2-1c-1gb' AND provider_id = 2
)
WHERE anvil_instance_id = 1 AND anvil_region_id = 3;
```
### Set Pricing (Auto KRW Calculation)
```typescript
await repos.anvilPricing.upsertMany([
{
anvil_instance_id: 1,
anvil_region_id: 1,
hourly_price: 0.015,
monthly_price: 10,
cost_hourly: 0.012,
cost_monthly: 8,
source_instance_id: 123,
active: 1,
}
]);
// KRW prices auto-calculated:
// hourly_price_krw = 0.015 × 1450 × 1.1 × 1.1 ≈ 26.37
// monthly_price_krw = 10 × 1450 × 1.1 × 1.1 ≈ 17,545
```
## Files
### Search by Resources
```typescript
// Find instances with at least 2 vCPUs and 4GB RAM
const instances = await repos.anvilInstances.searchByResources(
2, // minVcpus
4, // minMemoryGb
null, // minDiskGb
'vm' // category
);
```
### Repositories
- `/src/repositories/anvil-regions.ts`
- `/src/repositories/anvil-instances.ts`
- `/src/repositories/anvil-pricing.ts`
- `/src/repositories/anvil-transfer-pricing.ts`
## Files Changed
### Sync Service
- `/src/services/sync.ts` - Contains `syncAnvilPricing()` method
### Created
- `/migrations/004_anvil_tables.sql` - Database schema
- `/src/repositories/anvil-regions.ts` - Regions repository
- `/src/repositories/anvil-instances.ts` - Instances repository
- `/src/repositories/anvil-pricing.ts` - Pricing repository
- `/src/repositories/anvil-transfer-pricing.ts` - Transfer pricing repository
- `/src/repositories/anvil-regions.test.ts` - Unit tests
### Modified
- `/src/types.ts` - Added 8 new types
- `/src/repositories/index.ts` - Added 4 new repository exports and factory getters
## Next Steps
To complete the Anvil product implementation:
1. **Populate Instance Data**: Create Anvil instance definitions (VM, GPU, G8, VPU tiers)
2. **Set Pricing**: Map Anvil instances to source providers and set retail pricing
3. **API Endpoints**: Create endpoints for querying Anvil products
4. **Sync Service**: Implement sync logic to update costs from source providers
5. **Documentation**: Add API documentation for Anvil endpoints
## Testing
Basic repository tests created in `anvil-regions.test.ts`. Additional test coverage recommended for:
- Instance search and filtering
- Pricing calculations and KRW conversion
- Transfer pricing queries
- Edge cases and error handling
### Constants
- `/src/constants.ts` - `USD_RETAIL_DEFAULTS`, `calculateRetailHourly()`, `calculateRetailMonthly()`

311
CACHE_KV_IMPLEMENTATION.md Normal file
View File

@@ -0,0 +1,311 @@
# KV-Based Cache Index Implementation
## Overview
Implemented KV-based cache index for `CacheService` to enable pattern-based cache invalidation and enumeration. This resolves the TODO at line 274 in `src/services/cache.ts`.
## Changes Summary
### 1. Core Implementation (`src/services/cache.ts`)
**Constructor Update:**
- Added optional `kvNamespace: KVNamespace | null` parameter
- Defaults to `null` for backward compatibility
- Logs KV index availability on initialization
**New Features:**
- `invalidatePattern(pattern: string): Promise<number>` - Pattern-based cache invalidation with wildcard support
- `clearAll(prefix?: string): Promise<number>` - Actually clears and counts entries when KV is available
- `getStats(): Promise<{ supported: boolean; indexed_keys?: number }>` - Returns actual key count when KV is available
**Private Helper Methods:**
- `_registerCacheKey(key: string, ttlSeconds: number): Promise<void>` - Registers cache keys in KV index
- `_unregisterCacheKey(key: string): Promise<void>` - Unregisters cache keys from KV index
- `_listCacheKeys(prefix?: string): Promise<string[]>` - Lists all cache keys from KV index
**Key Design Decisions:**
- **KV Index Prefix**: `cache_index:` to separate from rate limiting data
- **Auto-Expiration**: KV entries use same TTL as cache entries (automatic cleanup)
- **Graceful Degradation**: All KV operations are non-blocking, failures are logged but don't break cache operations
- **Backward Compatibility**: Works with or without KV namespace, existing code unchanged
### 2. Route Updates
**`src/routes/instances.ts`:**
- Updated `getCacheService()` to accept `env: Env` parameter
- Passes `env.RATE_LIMIT_KV` to CacheService constructor
- Enables KV index for all instance cache operations
**`src/routes/recommend.ts`:**
- Updated `getCacheService()` to accept `env: Env` parameter
- Passes `env.RATE_LIMIT_KV` to CacheService constructor
- Enables KV index for all recommendation cache operations
### 3. Test Coverage (`src/services/cache-kv.test.ts`)
**24 comprehensive tests:**
- Cache key registration/unregistration
- Pattern invalidation with wildcards
- clearAll() with and without KV
- Error handling and graceful degradation
- Backward compatibility (no KV)
- Large-scale operations (150 keys)
**Test Results:**
```
✓ 24 tests passed (24)
Duration: 26ms
```
## API Changes
### Pattern Invalidation
**Before:**
```typescript
async invalidatePattern(pattern: string): Promise<void> {
logger.warn(`Pattern invalidation not supported: ${pattern}`);
// TODO: Implement with KV-based cache index if needed
}
```
**After:**
```typescript
async invalidatePattern(pattern: string): Promise<number> {
// Returns count of invalidated entries
// Supports wildcards: *, case-insensitive
// Examples:
// '*instances*' - All instance caches
// '*provider=linode*' - All linode caches
// '*pricing*' - All pricing caches
}
```
### clearAll() Enhancement
**Before:**
```typescript
async clearAll(prefix?: string): Promise<number> {
logger.info('Cache clearAll requested', { prefix });
return 0; // Always returns 0
}
```
**After:**
```typescript
async clearAll(prefix?: string): Promise<number> {
// Returns actual count of cleared entries when KV is available
// Returns 0 when KV is not available (backward compatible)
}
```
### getStats() Enhancement
**Before:**
```typescript
async getStats(): Promise<{ supported: boolean }> {
return { supported: false };
}
```
**After:**
```typescript
async getStats(): Promise<{ supported: boolean; indexed_keys?: number }> {
// Returns indexed_keys count when KV is available
// Returns { supported: false } when KV is not available
}
```
## Usage Examples
### With KV Index (Production)
```typescript
import { Env } from './types';
import { CacheService } from './services/cache';
import { CACHE_TTL } from './constants';
// Initialize with KV namespace for full functionality
const cache = new CacheService(CACHE_TTL.INSTANCES, env.RATE_LIMIT_KV);
// Set cache entries
await cache.set('https://cache.internal/instances?provider=linode', instancesData);
await cache.set('https://cache.internal/instances?provider=vultr', vultrData);
await cache.set('https://cache.internal/pricing?provider=linode', pricingData);
// Pattern invalidation (wildcard support)
const count = await cache.invalidatePattern('*instances*');
console.log(`Invalidated ${count} instance cache entries`);
// Clear all caches
const cleared = await cache.clearAll();
console.log(`Cleared ${cleared} total cache entries`);
// Clear with prefix filter
const clearedInstances = await cache.clearAll('https://cache.internal/instances');
console.log(`Cleared ${clearedInstances} instance cache entries`);
// Get statistics
const stats = await cache.getStats();
console.log(`Cache has ${stats.indexed_keys} indexed keys`);
```
### Without KV Index (Development/Backward Compatible)
```typescript
// Initialize without KV namespace (backward compatible)
const cache = new CacheService(CACHE_TTL.INSTANCES);
// Basic cache operations work normally
await cache.set('key', data);
const result = await cache.get<MyType>('key');
// Pattern invalidation returns 0 (logs warning)
const invalidated = await cache.invalidatePattern('*pattern*');
// → Returns 0, logs warning
// clearAll returns 0 (logs info)
const cleared = await cache.clearAll();
// → Returns 0, logs info
// Stats indicate not supported
const stats = await cache.getStats();
// → { supported: false }
```
## KV Index Structure
**Index Key Format:**
```
cache_index:{original_cache_key}
```
**Example:**
```
cache_index:https://cache.internal/instances?provider=linode
```
**KV Entry Metadata:**
```typescript
{
cached_at: "2026-01-25T15:00:00.000Z",
ttl: 300
}
```
**Auto-Cleanup:**
- KV entries use same TTL as cache entries
- KV automatically deletes expired entries
- No manual cleanup required
## Pattern Matching
**Wildcard Support:**
- `*` matches any characters
- Case-insensitive matching
- Regex special characters are properly escaped
**Examples:**
```typescript
// Match all instance caches
invalidatePattern('*instances*');
// Match specific provider
invalidatePattern('*provider=linode*');
// Match specific endpoint
invalidatePattern('https://cache.internal/pricing*');
// Match exact pattern
invalidatePattern('*instances?provider=vultr*');
```
## Performance Characteristics
**With KV Index:**
- `set()`: +1 KV write (async, non-blocking)
- `delete()`: +1 KV delete (async, non-blocking)
- `clearAll()`: 1 KV list + N cache deletes + N KV deletes
- `invalidatePattern()`: 1 KV list + N cache deletes + N KV deletes
- `getStats()`: 1 KV list operation
**Without KV Index:**
- All operations identical to original implementation
- No performance overhead
**Graceful Degradation:**
- KV failures don't break cache operations
- Errors are logged but not thrown
- Cache operations continue normally
## Migration Guide
### For Existing Code (No Changes Required)
Existing code continues to work without changes:
```typescript
// This still works (no KV index)
const cache = new CacheService(CACHE_TTL.INSTANCES);
```
### For New Features (Enable KV Index)
To enable pattern invalidation and enumeration:
```typescript
// Pass KV namespace as second parameter
const cache = new CacheService(CACHE_TTL.INSTANCES, env.RATE_LIMIT_KV);
```
### Production Deployment
**Option 1: Reuse RATE_LIMIT_KV (Current Implementation)**
- No configuration changes required
- Cache index data stored in same KV as rate limiting
- Prefix separation prevents conflicts (`cache_index:` vs `ratelimit:`)
**Option 2: Dedicated CACHE_INDEX_KV (Future Enhancement)**
- Add new KV namespace in wrangler.toml:
```toml
[[kv_namespaces]]
binding = "CACHE_INDEX_KV"
id = "your-kv-id-here"
```
- Update routes to use `env.CACHE_INDEX_KV` instead of `env.RATE_LIMIT_KV`
## Testing
**Run all cache tests:**
```bash
npm run test -- cache-kv.test.ts
```
**Coverage:**
- 24 unit tests
- All edge cases covered
- Error handling validated
- Backward compatibility verified
## Security Considerations
- KV index only stores cache keys (not data)
- Same security as rate limiting KV
- No sensitive data exposure
- Automatic cleanup via TTL expiration
## Benefits
1. **Pattern Invalidation**: Invalidate multiple cache entries at once
2. **Accurate Counts**: `clearAll()` now returns actual count
3. **Cache Statistics**: Monitor cache usage and size
4. **Backward Compatible**: Works with or without KV
5. **Automatic Cleanup**: KV TTL keeps index clean
6. **Graceful Degradation**: KV failures don't break cache operations
## Known Limitations
- KV eventual consistency: Recent writes may not appear immediately in list operations
- Pattern matching is done in-memory after KV list (not server-side)
- Large cache sizes (>1000 keys) may require pagination handling
- KV list operations have ~100ms latency

274
CODE_REVIEW_FIXES.md Normal file
View File

@@ -0,0 +1,274 @@
# Code Review Fixes Summary
**Date:** 2026-01-25
**Project:** cloud-instances-api
**Review Type:** Comprehensive (QA, Security, Performance)
## Overview
코드 리뷰를 통해 발견된 Critical, High, Medium 이슈들을 모두 수정했습니다.
### Score Improvements
| Category | Before | After | Change |
|----------|--------|-------|--------|
| QA | 7/10 | 8/10 | +1 |
| Security | 6/10 | 8/10 | +2 |
| Performance | 7/10 | 8/10 | +1 |
### Issue Resolution
| Priority | Found | Fixed | Skip |
|----------|-------|-------|------|
| Critical | 4 | 4 | 0 |
| High | 6 | 5 | 1 |
| Medium | 10 | 8 | 2 |
---
## Critical Issues (4/4 Fixed)
### 1. Rate Limiter Triple KV Read
**File:** `src/middleware/rateLimit.ts`
**Fix:** verification read 제거, 1 read/request로 최적화
**Impact:** 30-150ms → 30-50ms (66% 개선)
### 2. BATCH_SIZE Unbounded
**File:** `src/services/sync.ts` (6곳)
**Fix:** `Math.min(Math.max(parseInt(...) || 500, 1), 1000)` 범위 제한
**Impact:** DoS 방지
### 3. sortOrder SQL Injection
**File:** `src/services/query.ts`
**Fix:** whitelist 검증 추가 (`validatedSortOrder`)
**Impact:** SQL Injection 방지
### 4. Health Check N+1 Subquery
**File:** `src/routes/health.ts`
**Fix:** correlated subquery → efficient JOIN
**Impact:** N+1 쿼리 제거
---
## High Priority Issues (5/6 Fixed)
### 1. Timing Attack in verifyApiKey ✅
**File:** `src/middleware/auth.ts`
**Fix:** 고정 256바이트 버퍼 사용, 길이 정보 노출 방지
### 2. Rate Limiting Bypass (non-CF) ✅
**File:** `src/middleware/rateLimit.ts`
**Fix:** `'non-cloudflare-traffic'` 고정 식별자 (fail-closed)
### 3. Error Message Information Disclosure ✅
**Files:** `src/routes/instances.ts`, `sync.ts`, `recommend.ts`
**Fix:** 내부 에러 숨김, `request_id` 추가
### 4. Singleton Stale DB Reference ✅
**File:** `src/routes/instances.ts`
**Fix:** `cachedDb !== db` 체크로 rolling deploy 대응
### 5. COUNT(*) Cartesian Product ✅
**File:** `src/services/query.ts`
**Fix:** `COUNT(DISTINCT it.id)` 사용
### 6. Rate Limit TOCTOU ⏭️
**Status:** Skip (설계상 허용, 문서화됨)
---
## Medium Priority Issues (8/10 Fixed)
### 1. Pagination Negative Page ✅
**File:** `src/services/query.ts`
**Fix:** `Math.max(page, 1)`, `Math.max(limit, 1)`
### 2. min/max Range Validation ✅
**File:** `src/routes/instances.ts`
**Fix:** vcpu, memory 범위 일관성 검증
### 3. Logger Sensitive Keys ✅
**File:** `src/utils/logger.ts`
**Fix:** 8개 → 18개 패턴 확장
### 4. Request ID / Audit Trail ✅
**File:** `src/index.ts`
**Fix:** CF-Ray 또는 UUID, `X-Request-ID` 헤더
### 5. CORS Expose-Headers ✅
**File:** `src/index.ts`
**Fix:** Rate limit + Request ID 헤더 노출
### 6. Sync Batch Size ✅
**File:** `src/services/sync.ts` (7곳)
**Fix:** 100 → 500 (batch 수 80% 감소)
### 7. Anvil Pricing IN Query ✅
**File:** `src/services/sync.ts`
**Fix:** Cartesian → paired OR, 100개 batch
### 8. Logger Instance Duplication ✅
**File:** `src/repositories/base.ts` + 14개 subclass
**Fix:** static 캐시 패턴으로 공유
### 9. QueryService Tests ⏭️
**Status:** Skip (대규모 작업, 별도 진행)
### 10. Price History Triggers ⏭️
**Status:** Skip (스키마 변경, 별도 검토)
---
## Additional Fixes (Round 2)
### High Priority
| Issue | File | Fix |
|-------|------|-----|
| Sync ID Math.random() | `src/routes/sync.ts` | `crypto.randomUUID()` |
| Missing Timeout | `src/services/sync.ts` | `withTimeout()` 10-60초 |
| /sync Body Size | `src/routes/sync.ts` | 10KB content-length 제한 |
### Medium Priority
| Issue | File | Fix |
|-------|------|-----|
| Stack Trace Exposure | `src/services/sync.ts` | error_details에서 stack 제거 |
| Log Injection | `src/index.ts` | origin sanitization |
| Unsafe Type Casting | `src/services/sync.ts` | 타입 검증 로직 |
| CacheService Singleton | `src/routes/recommend.ts` | singleton 패턴 |
| Page Upper Bound | `src/services/query.ts` | MAX_OFFSET = 100000 |
| Hardcoded Providers | `src/services/sync.ts` | SUPPORTED_PROVIDERS 상수 |
| Large OR Clause | `src/services/sync.ts` | 100개 batch 처리 |
| Missing Index | `schema.sql` | idx_instance_types_specs_filter |
---
## Removed Components
### Vault Integration
Vault 연동 코드 완전 제거 (API 키는 Wrangler secrets 사용)
**Deleted Files:**
- `src/connectors/vault.ts`
- `src/connectors/vault.test.ts`
- `tests/vault.test.ts`
- `src/connectors/README.md`
- `src/connectors/linode.README.md`
---
## Configuration Changes
### wrangler.toml
```toml
# 6시간 pricing cron 제거
[triggers]
crons = ["0 0 * * *"] # Daily sync only
```
### schema.sql
```sql
-- 추가된 인덱스
CREATE INDEX IF NOT EXISTS idx_instance_types_specs_filter
ON instance_types(provider_id, memory_mb, vcpu);
```
---
## Security Improvements Summary
1. **Authentication:** SHA-256 constant-time 비교, 256바이트 고정 버퍼
2. **SQL Injection:** Parameterized queries, whitelist 검증
3. **Rate Limiting:** Fail-closed for non-CF traffic
4. **Information Disclosure:** Stack trace 제거, request_id 추가
5. **Input Validation:** Content-length, page bounds, range consistency
6. **Logging:** Sensitive data masking (18 patterns), log injection 방지
7. **CORS:** Explicit origins, expose headers
8. **Timeout:** External API 호출 타임아웃 (10-60초)
---
## Performance Improvements Summary
1. **Rate Limiter:** KV reads 66% 감소
2. **Batch Size:** 100 → 500 (batch 수 80% 감소)
3. **Health Query:** N+1 → single JOIN
4. **COUNT Query:** Cartesian → DISTINCT
5. **Logger:** 공유 캐시 패턴
6. **CacheService:** Singleton 패턴
7. **Composite Index:** Recommendation 쿼리 최적화
---
## Remaining Items
| Item | Priority | Reason |
|------|----------|--------|
| QueryService Tests | Medium | 대규모 테스트 작성 필요 |
| Price History Triggers | Low | 스키마 변경, 성능 영향 분석 |
| Rate Limit TOCTOU | Info | 설계상 의도된 eventual consistency |
---
## Files Modified (44 files)
### Core
- `src/index.ts`
- `src/types.ts`
- `src/constants.ts`
- `wrangler.toml`
- `schema.sql`
### Middleware
- `src/middleware/auth.ts`
- `src/middleware/auth.test.ts`
- `src/middleware/rateLimit.ts`
- `src/middleware/rateLimit.test.ts`
### Services
- `src/services/sync.ts`
- `src/services/query.ts`
- `src/services/recommendation.ts`
- `src/services/recommendation.test.ts`
- `src/services/cache.ts`
### Routes
- `src/routes/health.ts`
- `src/routes/instances.ts`
- `src/routes/sync.ts`
- `src/routes/recommend.ts`
### Repositories (15 files)
- `src/repositories/base.ts`
- `src/repositories/providers.ts`
- `src/repositories/regions.ts`
- `src/repositories/instances.ts`
- `src/repositories/pricing.ts`
- `src/repositories/gpu-instances.ts`
- `src/repositories/gpu-pricing.ts`
- `src/repositories/g8-instances.ts`
- `src/repositories/g8-pricing.ts`
- `src/repositories/vpu-instances.ts`
- `src/repositories/vpu-pricing.ts`
- `src/repositories/anvil-instances.ts`
- `src/repositories/anvil-pricing.ts`
- `src/repositories/anvil-regions.ts`
- `src/repositories/anvil-transfer-pricing.ts`
### Connectors
- `src/connectors/base.ts`
- `src/connectors/linode.ts`
- `src/connectors/vultr.ts`
- `src/connectors/aws.ts`
### Utils
- `src/utils/logger.ts`
- `src/utils/logger.test.ts`
### Deleted
- `src/connectors/vault.ts`
- `src/connectors/vault.test.ts`
- `tests/vault.test.ts`
- `src/connectors/README.md`
- `src/connectors/linode.README.md`

174
docs/cache-kv-usage.md Normal file
View File

@@ -0,0 +1,174 @@
# Cache Service - KV Index Usage Guide
## Quick Start
### Initialization
**With KV Index (Recommended):**
```typescript
import { CacheService } from './services/cache';
import { CACHE_TTL } from './constants';
const cache = new CacheService(CACHE_TTL.INSTANCES, env.RATE_LIMIT_KV);
```
**Without KV Index (Backward Compatible):**
```typescript
const cache = new CacheService(CACHE_TTL.INSTANCES);
```
## Common Operations
### Pattern-Based Invalidation
```typescript
// Invalidate all instance caches
const count = await cache.invalidatePattern('*instances*');
console.log(`Invalidated ${count} entries`);
// Invalidate specific provider caches
await cache.invalidatePattern('*provider=linode*');
// Invalidate pricing caches
await cache.invalidatePattern('*pricing*');
// Invalidate with exact pattern
await cache.invalidatePattern('https://cache.internal/instances?provider=vultr*');
```
### Clear All Caches
```typescript
// Clear all cache entries
const totalCleared = await cache.clearAll();
// Clear with prefix filter
const instancesCleared = await cache.clearAll('https://cache.internal/instances');
```
### Cache Statistics
```typescript
const stats = await cache.getStats();
if (stats.supported) {
console.log(`Cache has ${stats.indexed_keys} entries`);
} else {
console.log('KV index not available');
}
```
## Use Cases
### After Data Sync
```typescript
// Clear all cached instance data after sync
const invalidated = await cache.invalidatePattern('*instances*');
logger.info(`Invalidated ${invalidated} instance cache entries after sync`);
```
### Provider-Specific Updates
```typescript
// Update only Linode data, invalidate Linode caches
await syncLinodeData();
await cache.invalidatePattern('*provider=linode*');
```
### Cache Cleanup
```typescript
// Daily cache cleanup (optional, caches auto-expire)
const cleared = await cache.clearAll();
logger.info(`Cache cleanup: ${cleared} entries cleared`);
```
## Pattern Syntax
**Wildcards:**
- `*` - Matches any characters
- Case-insensitive by default
**Examples:**
```typescript
// Match all
'*'
// Match endpoint
'*instances*'
'*pricing*'
// Match specific parameter
'*provider=linode*'
'*region_code=us-east*'
// Match exact URL
'https://cache.internal/instances?provider=linode'
// Match with prefix
'https://cache.internal/instances*'
```
## Performance
**Operation Costs:**
- `invalidatePattern()`: 1 KV list + N cache deletes + N KV deletes
- `clearAll()`: 1 KV list + N cache deletes + N KV deletes
- `getStats()`: 1 KV list
**KV List Performance:**
- ~100ms for <1000 keys
- Pagination handled automatically
- Results cached during operation
## Error Handling
All KV operations use graceful degradation:
```typescript
// KV failures don't break cache operations
await cache.set(key, data); // Succeeds even if KV registration fails
await cache.delete(key); // Succeeds even if KV unregistration fails
// Pattern operations return 0 on KV failures
const count = await cache.invalidatePattern('*pattern*');
// Returns 0 if KV list fails, logs error
```
## Monitoring
**Log Levels:**
- `DEBUG`: Cache hits/misses, KV operations
- `INFO`: Pattern invalidation results, clear operations
- `WARN`: KV not available, unsupported operations
- `ERROR`: KV failures (non-blocking)
**Key Metrics:**
```typescript
const stats = await cache.getStats();
// { supported: true, indexed_keys: 42 }
```
## Best Practices
1. **Enable KV Index in Production**: Pass `env.RATE_LIMIT_KV` for full functionality
2. **Use Pattern Invalidation**: Prefer `invalidatePattern()` over individual `delete()` calls
3. **Monitor Stats**: Use `getStats()` to track cache size
4. **Prefix Organization**: Use consistent URL prefixes for easy filtering
5. **Handle Failures**: Always check return values from invalidation operations
## Limitations
- **KV Eventual Consistency**: Recent writes may not appear immediately in list operations
- **Pattern Matching**: Done in-memory after KV list (not server-side)
- **Large Caches**: >1000 keys may have higher latency for pattern operations
- **No Dedicated Namespace**: Currently reuses RATE_LIMIT_KV (future: add CACHE_INDEX_KV)
## Future Enhancements
- Dedicated `CACHE_INDEX_KV` namespace
- Server-side pattern filtering
- Batch invalidation optimization
- Cache warming strategies
- Advanced statistics (hit rate, size, etc.)

34
migrations/000_migration_history.sql Normal file
View File

@@ -0,0 +1,34 @@
-- Migration 000: Migration History Tracking
-- Description: Creates table to track which migrations have been applied
-- Date: 2026-01-25
-- Author: Claude Code
-- ============================================================
-- Table: migration_history
-- Purpose: Track applied database migrations
-- ============================================================
CREATE TABLE IF NOT EXISTS migration_history (
id INTEGER PRIMARY KEY AUTOINCREMENT,
migration_name TEXT NOT NULL UNIQUE, -- e.g., "002_add_composite_indexes"
applied_at TEXT NOT NULL DEFAULT (datetime('now')),
execution_time_ms INTEGER, -- Time taken to execute
success INTEGER NOT NULL DEFAULT 1, -- 0=failed, 1=succeeded
error_message TEXT, -- Error details if failed
checksum TEXT -- Future: file content hash for validation
);
-- Index for quick lookup of applied migrations
CREATE INDEX IF NOT EXISTS idx_migration_history_name
ON migration_history(migration_name);
-- Index for status queries
CREATE INDEX IF NOT EXISTS idx_migration_history_success
ON migration_history(success);
-- ============================================================
-- Notes
-- ============================================================
-- This table is created first (000) to track all subsequent migrations.
-- Safe to re-run: uses IF NOT EXISTS for idempotency.
-- Migrations are tracked by filename without .sql extension.

75
migrations/README.md
View File

@@ -2,7 +2,43 @@
This directory contains SQL migration files for database schema changes.
## Migration Files
## Automated Migration System
The project uses an **automated migration tracking system** that:
- ✅ Automatically detects and runs unapplied migrations
- ✅ Tracks migration history in the database
- ✅ Executes migrations in numerical order
- ✅ Safe to run multiple times (idempotent)
- ✅ Records execution time and errors
### Quick Start
```bash
# Check migration status
npm run db:migrate:status
# Run all pending migrations (local)
npm run db:migrate
# Run all pending migrations (remote)
npm run db:migrate:remote
```
### Migration Files
All migration files are named with a numeric prefix for ordering:
- `000_migration_history.sql` - Creates migration tracking table (always runs first)
- `002_add_composite_indexes.sql` - Query performance optimization
- `003_add_retail_pricing.sql` - Add retail pricing columns
- `004_anvil_tables.sql` - Anvil-branded product tables
## Migration Details
### 000_migration_history.sql
**Date**: 2026-01-25
**Purpose**: Create migration tracking system
- Creates `migration_history` table to track applied migrations
- Records execution time, success/failure status, and error messages
### 002_add_composite_indexes.sql
**Date**: 2026-01-21
@@ -18,16 +54,45 @@ This directory contains SQL migration files for database schema changes.
- Improves JOIN performance between instance_types, pricing, and regions tables
- Enables efficient ORDER BY on hourly_price without additional sort operations
### 003_add_retail_pricing.sql
**Date**: 2026-01-23
**Purpose**: Add retail pricing fields to all pricing tables
- Adds `hourly_price_retail` and `monthly_price_retail` columns
- Backfills existing data with 1.21x markup
### 004_anvil_tables.sql
**Date**: 2026-01-25
**Purpose**: Create Anvil-branded product tables
- `anvil_regions` - Anvil regional datacenters
- `anvil_instances` - Anvil instance specifications
- `anvil_pricing` - Anvil retail pricing with cost tracking
- `anvil_transfer_pricing` - Data transfer pricing
## Running Migrations
### Local Development
### Automated (Recommended)
```bash
npm run db:migrate
# Check current status
npm run db:migrate:status # Local database
npm run db:migrate:status:remote # Remote database
# Run all pending migrations
npm run db:migrate # Local database
npm run db:migrate:remote # Remote database
```
### Production
### Manual (Backward Compatibility)
Individual migration scripts are still available:
```bash
npm run db:migrate:remote
npm run db:migrate:002 # Local
npm run db:migrate:002:remote # Remote
npm run db:migrate:003 # Local
npm run db:migrate:003:remote # Remote
npm run db:migrate:004 # Local
npm run db:migrate:004:remote # Remote
```
## Migration Best Practices

11
package.json
View File

@@ -15,14 +15,21 @@
"db:init:remote": "wrangler d1 execute cloud-instances-db --remote --file=./schema.sql",
"db:seed": "wrangler d1 execute cloud-instances-db --local --file=./seed.sql",
"db:seed:remote": "wrangler d1 execute cloud-instances-db --remote --file=./seed.sql",
"db:migrate": "wrangler d1 execute cloud-instances-db --local --file=./migrations/002_add_composite_indexes.sql",
"db:migrate:remote": "wrangler d1 execute cloud-instances-db --remote --file=./migrations/002_add_composite_indexes.sql",
"db:migrate": "tsx scripts/migrate.ts",
"db:migrate:remote": "tsx scripts/migrate.ts --remote",
"db:migrate:status": "tsx scripts/migrate.ts --status",
"db:migrate:status:remote": "tsx scripts/migrate.ts --status --remote",
"db:migrate:002": "wrangler d1 execute cloud-instances-db --local --file=./migrations/002_add_composite_indexes.sql",
"db:migrate:002:remote": "wrangler d1 execute cloud-instances-db --remote --file=./migrations/002_add_composite_indexes.sql",
"db:migrate:003": "wrangler d1 execute cloud-instances-db --local --file=./migrations/003_add_retail_pricing.sql",
"db:migrate:003:remote": "wrangler d1 execute cloud-instances-db --remote --file=./migrations/003_add_retail_pricing.sql",
"db:migrate:004": "wrangler d1 execute cloud-instances-db --local --file=./migrations/004_anvil_tables.sql",
"db:migrate:004:remote": "wrangler d1 execute cloud-instances-db --remote --file=./migrations/004_anvil_tables.sql",
"db:query": "wrangler d1 execute cloud-instances-db --local --command"
},
"devDependencies": {
"@cloudflare/workers-types": "^4.20241205.0",
"tsx": "^4.7.0",
"typescript": "^5.7.2",
"vitest": "^2.1.8",
"wrangler": "^4.59.3"

16
schema.sql
View File

@@ -77,6 +77,11 @@ CREATE INDEX IF NOT EXISTS idx_instance_types_memory_mb ON instance_types(memory
CREATE INDEX IF NOT EXISTS idx_instance_types_instance_family ON instance_types(instance_family);
CREATE INDEX IF NOT EXISTS idx_instance_types_gpu_count ON instance_types(gpu_count);
-- Composite index for recommendation service query pattern
-- Optimizes: WHERE provider_id = ? AND memory_mb >= ? AND vcpu >= ?
CREATE INDEX IF NOT EXISTS idx_instance_types_specs_filter
ON instance_types(provider_id, memory_mb, vcpu);
-- ============================================================
-- Table: pricing
-- Description: Region-specific pricing for instance types
@@ -105,6 +110,17 @@ CREATE INDEX IF NOT EXISTS idx_pricing_hourly_price ON pricing(hourly_price);
CREATE INDEX IF NOT EXISTS idx_pricing_monthly_price ON pricing(monthly_price);
CREATE INDEX IF NOT EXISTS idx_pricing_available ON pricing(available);
-- Composite partial indexes for optimized price sorting with availability filter
-- These optimize the most common query pattern: filtering by available=1 and sorting by price
-- Partial indexes reduce index size by only indexing available instances
CREATE INDEX IF NOT EXISTS idx_pricing_available_hourly_price
ON pricing(available, hourly_price)
WHERE available = 1;
CREATE INDEX IF NOT EXISTS idx_pricing_available_monthly_price
ON pricing(available, monthly_price)
WHERE available = 1;
-- ============================================================
-- Table: price_history
-- Description: Historical price tracking for trend analysis

158
scripts/api-tester.ts
View File

@@ -4,10 +4,18 @@
* Comprehensive test suite for API endpoints with colorful console output.
* Tests all endpoints with various parameter combinations and validates responses.
*
* Requirements:
* API_KEY environment variable must be set
*
* Usage:
* export API_KEY=your-api-key-here
* npx tsx scripts/api-tester.ts
* npx tsx scripts/api-tester.ts --endpoint /health
* npx tsx scripts/api-tester.ts --verbose
*
* Or use npm scripts:
* npm run test:api
* npm run test:api:verbose
*/
// ============================================================
@@ -15,7 +23,23 @@
// ============================================================
const API_URL = process.env.API_URL || 'https://cloud-instances-api.kappa-d8e.workers.dev';
const API_KEY = process.env.API_KEY || '0f955192075f7d36b1432ec985713ac6aba7fe82ffa556e6f45381c5530ca042';
const API_KEY = process.env.API_KEY;
if (!API_KEY) {
console.error('\n❌ ERROR: API_KEY environment variable is required');
console.error('Please set API_KEY before running the tests:');
console.error(' export API_KEY=your-api-key-here');
console.error(' npm run test:api');
console.error('\nOr create a .env file (see .env.example for reference)');
process.exit(1);
}
if (API_KEY.length < 16) {
console.error('\n❌ ERROR: API_KEY must be at least 16 characters');
console.error('The provided API key is too short to be valid.');
console.error('Please check your API_KEY environment variable.');
process.exit(1);
}
// CLI flags
const args = process.argv.slice(2);
@@ -257,38 +281,6 @@ function validateSyncResponse(data: unknown): boolean | string {
return true;
}
function validateRecommendResponse(data: unknown): boolean | string {
if (typeof data !== 'object' || data === null) {
return 'Response is not an object';
}
const response = data as Record<string, unknown>;
if (!response.success) {
return 'Response success field is false or missing';
}
if (!response.data || typeof response.data !== 'object') {
return 'Missing or invalid data field';
}
const responseData = response.data as Record<string, unknown>;
if (!Array.isArray(responseData.recommendations)) {
return 'Missing or invalid recommendations array';
}
if (!responseData.requirements || typeof responseData.requirements !== 'object') {
return 'Missing or invalid requirements field';
}
if (!responseData.metadata || typeof responseData.metadata !== 'object') {
return 'Missing or invalid metadata field';
}
return true;
}
// ============================================================
// Test Suites
// ============================================================
@@ -460,95 +452,6 @@ async function testSyncEndpoint(): Promise<TestResult[]> {
return tests;
}
async function testRecommendEndpoint(): Promise<TestResult[]> {
console.log(color('\n📍 Testing /recommend', colors.cyan));
const tests: TestResult[] = [];
// Test basic recommendation
tests.push(
await testWithDelay('POST /recommend (nginx+mysql)', '/recommend', {
method: 'POST',
headers: { 'X-API-Key': API_KEY },
body: {
stack: ['nginx', 'mysql'],
scale: 'small',
},
expectStatus: 200,
validateResponse: validateRecommendResponse,
})
);
// Test with budget constraint
tests.push(
await testWithDelay('POST /recommend (with budget)', '/recommend', {
method: 'POST',
headers: { 'X-API-Key': API_KEY },
body: {
stack: ['nginx', 'mysql', 'redis'],
scale: 'medium',
budget_max: 100,
},
expectStatus: 200,
validateResponse: validateRecommendResponse,
})
);
// Test large scale
tests.push(
await testWithDelay('POST /recommend (large scale)', '/recommend', {
method: 'POST',
headers: { 'X-API-Key': API_KEY },
body: {
stack: ['nginx', 'nodejs', 'postgresql', 'redis'],
scale: 'large',
},
expectStatus: 200,
validateResponse: validateRecommendResponse,
})
);
// Test invalid stack (should fail with 400)
tests.push(
await testWithDelay('POST /recommend (invalid stack - error)', '/recommend', {
method: 'POST',
headers: { 'X-API-Key': API_KEY },
body: {
stack: ['invalid-technology'],
scale: 'small',
},
expectStatus: 400, // Invalid stack returns 400 Bad Request
})
);
// Test invalid scale (should fail with 400)
tests.push(
await testWithDelay('POST /recommend (invalid scale - error)', '/recommend', {
method: 'POST',
headers: { 'X-API-Key': API_KEY },
body: {
stack: ['nginx'],
scale: 'invalid',
},
expectStatus: 400, // Invalid scale returns 400 Bad Request
})
);
// Test without auth (should fail)
tests.push(
await testWithDelay('POST /recommend (no auth - error)', '/recommend', {
method: 'POST',
body: {
stack: ['nginx'],
scale: 'small',
},
expectStatus: 401,
})
);
return tests;
}
// ============================================================
// Test Runner
// ============================================================
@@ -585,7 +488,10 @@ async function runTests(): Promise<TestReport> {
console.log(bold(color('\n🧪 Cloud Instances API Tester', colors.cyan)));
console.log(color('================================', colors.cyan));
console.log(`${color('Target:', colors.white)} ${API_URL}`);
console.log(`${color('API Key:', colors.white)} ${API_KEY.substring(0, 20)}...`);
const maskedKey = API_KEY.length > 4
? `${API_KEY.substring(0, 4)}${'*'.repeat(8)}`
: '****';
console.log(`${color('API Key:', colors.white)} ${maskedKey}`);
if (VERBOSE) {
console.log(color('Mode: VERBOSE', colors.yellow));
}
@@ -612,12 +518,6 @@ async function runTests(): Promise<TestReport> {
allResults.push(...syncResults);
}
if (!TARGET_ENDPOINT || TARGET_ENDPOINT === '/recommend') {
const recommendResults = await testRecommendEndpoint();
recommendResults.forEach(printTestResult);
allResults.push(...recommendResults);
}
const duration = Date.now() - startTime;
const passed = allResults.filter(r => r.passed).length;
const failed = allResults.filter(r => !r.passed).length;

163
scripts/e2e-tester.ts
View File

@@ -3,7 +3,17 @@
* E2E Scenario Tester for Cloud Instances API
*
* Tests complete user workflows against the deployed API
* Run: npx tsx scripts/e2e-tester.ts [--scenario <name>] [--dry-run]
*
* Requirements:
* API_KEY environment variable must be set
*
* Usage:
* export API_KEY=your-api-key-here
* npx tsx scripts/e2e-tester.ts [--scenario <name>] [--dry-run]
*
* Or use npm scripts:
* npm run test:e2e
* npm run test:e2e:dry
*/
import process from 'process';
@@ -12,8 +22,17 @@ import process from 'process';
// Configuration
// ============================================================
const API_URL = 'https://cloud-instances-api.kappa-d8e.workers.dev';
const API_KEY = '0f955192075f7d36b1432ec985713ac6aba7fe82ffa556e6f45381c5530ca042';
const API_URL = process.env.API_URL || 'https://cloud-instances-api.kappa-d8e.workers.dev';
const API_KEY = process.env.API_KEY;
if (!API_KEY) {
console.error('\n❌ ERROR: API_KEY environment variable is required');
console.error('Please set API_KEY before running E2E tests:');
console.error(' export API_KEY=your-api-key-here');
console.error(' npm run test:e2e');
console.error('\nOr create a .env file (see .env.example for reference)');
process.exit(1);
}
interface TestContext {
recommendedInstanceId?: string;
@@ -49,9 +68,14 @@ async function apiRequest(
let data: unknown;
try {
data = await response.json();
const text = await response.text();
try {
data = JSON.parse(text);
} catch (err) {
data = { error: 'Failed to parse JSON response', rawText: await response.text() };
data = { error: 'Failed to parse JSON response', rawText: text };
}
} catch (err) {
data = { error: 'Failed to read response body' };
}
return {
@@ -97,119 +121,15 @@ function sleep(ms: number): Promise<void> {
// ============================================================
/**
* Scenario 1: WordPress Server Recommendation → Detail Lookup
*
* Flow:
* 1. POST /recommend with WordPress stack (nginx, php-fpm, mysql)
* 2. Extract first recommended instance ID
* 3. GET /instances with instance_id filter
* 4. Validate specs meet requirements
*/
async function scenario1WordPress(context: TestContext, dryRun: boolean): Promise<boolean> {
console.log('\n▶ Scenario 1: WordPress Server Recommendation → Detail Lookup');
if (dryRun) {
console.log(' [DRY RUN] Would execute:');
console.log(' 1. POST /recommend with stack: nginx, php-fpm, mysql');
console.log(' 2. Extract instance_id from first recommendation');
console.log(' 3. GET /instances?instance_id={id}');
console.log(' 4. Validate memory >= 3072MB, vCPU >= 2');
return true;
}
try {
// Step 1: Request recommendation
logStep(1, 'Request WordPress server recommendation...');
const recommendResp = await apiRequest('/recommend', {
method: 'POST',
body: JSON.stringify({
stack: ['nginx', 'php-fpm', 'mysql'],
scale: 'medium',
}),
});
logResponse('POST', '/recommend', recommendResp.status, recommendResp.duration);
if (recommendResp.status !== 200) {
console.log(` ❌ Expected 200, got ${recommendResp.status}`);
return false;
}
const recommendData = recommendResp.data as {
success: boolean;
data?: {
recommendations?: Array<{ instance: string; provider: string; price: { monthly: number }; region: string }>;
};
};
if (!recommendData.success || !recommendData.data?.recommendations?.[0]) {
console.log(' ❌ No recommendations returned');
return false;
}
const firstRec = recommendData.data.recommendations[0];
console.log(` Recommended: ${firstRec.instance} ($${firstRec.price.monthly}/mo) in ${firstRec.region}`);
// Step 2: Extract instance identifier (we'll use provider + instance name for search)
const instanceName = firstRec.instance;
const provider = firstRec.provider;
context.recommendedInstanceId = instanceName;
// Step 3: Fetch instance details
logStep(2, 'Fetch instance details...');
const detailsResp = await apiRequest(
`/instances?provider=${encodeURIComponent(provider)}&limit=100`,
{ method: 'GET' }
);
logResponse('GET', '/instances', detailsResp.status, detailsResp.duration);
if (detailsResp.status !== 200) {
console.log(` ❌ Expected 200, got ${detailsResp.status}`);
return false;
}
const detailsData = detailsResp.data as {
success: boolean;
data?: {
instances?: Array<{ instance_name: string; vcpu: number; memory_mb: number }>;
};
};
const instance = detailsData.data?.instances?.find((i) => i.instance_name === instanceName);
if (!instance) {
console.log(` ❌ Instance ${instanceName} not found in details`);
return false;
}
// Step 4: Validate specs
logStep(3, 'Validate specs meet requirements...');
const memoryOk = instance.memory_mb >= 3072; // nginx 256 + php-fpm 1024 + mysql 2048 + OS 768 = 4096
const vcpuOk = instance.vcpu >= 2;
logValidation(memoryOk, `Memory: ${instance.memory_mb}MB >= 3072MB required`);
logValidation(vcpuOk, `vCPU: ${instance.vcpu} >= 2 required`);
const passed = memoryOk && vcpuOk;
console.log(` ${passed ? '✅' : '❌'} Scenario ${passed ? 'PASSED' : 'FAILED'} (${recommendResp.duration + detailsResp.duration}ms)`);
return passed;
} catch (error) {
console.log(` ❌ Scenario FAILED with error: ${error instanceof Error ? error.message : String(error)}`);
return false;
}
}
/**
* Scenario 2: Budget-Constrained Instance Search
* Scenario 1: Budget-Constrained Instance Search
*
* Flow:
* 1. GET /instances?max_price=50&sort_by=price&order=asc
* 2. Validate all results <= $50/month
* 3. Validate price sorting is correct
*/
async function scenario2Budget(context: TestContext, dryRun: boolean): Promise<boolean> {
console.log('\n▶ Scenario 2: Budget-Constrained Instance Search');
async function scenario1Budget(context: TestContext, dryRun: boolean): Promise<boolean> {
console.log('\n▶ Scenario 1: Budget-Constrained Instance Search');
if (dryRun) {
console.log(' [DRY RUN] Would execute:');
@@ -273,15 +193,15 @@ async function scenario2Budget(context: TestContext, dryRun: boolean): Promise<b
}
/**
* Scenario 3: Cross-Region Price Comparison
* Scenario 2: Cross-Region Price Comparison
*
* Flow:
* 1. GET /instances?region=ap-northeast-1 (Tokyo)
* 2. GET /instances?region=ap-northeast-2 (Seoul)
* 3. Compare average prices and instance counts
*/
async function scenario3RegionCompare(context: TestContext, dryRun: boolean): Promise<boolean> {
console.log('\n▶ Scenario 3: Cross-Region Price Comparison (Tokyo vs Seoul)');
async function scenario2RegionCompare(context: TestContext, dryRun: boolean): Promise<boolean> {
console.log('\n▶ Scenario 2: Cross-Region Price Comparison (Tokyo vs Seoul)');
if (dryRun) {
console.log(' [DRY RUN] Would execute:');
@@ -371,15 +291,15 @@ async function scenario3RegionCompare(context: TestContext, dryRun: boolean): Pr
}
/**
* Scenario 4: Provider Sync and Data Verification
* Scenario 3: Provider Sync and Data Verification
*
* Flow:
* 1. POST /sync with provider: linode
* 2. GET /health to check sync_status
* 3. GET /instances?provider=linode to verify data exists
*/
async function scenario4ProviderSync(context: TestContext, dryRun: boolean): Promise<boolean> {
console.log('\n▶ Scenario 4: Provider Sync and Data Verification');
async function scenario3ProviderSync(context: TestContext, dryRun: boolean): Promise<boolean> {
console.log('\n▶ Scenario 3: Provider Sync and Data Verification');
if (dryRun) {
console.log(' [DRY RUN] Would execute:');
@@ -538,10 +458,9 @@ interface ScenarioFunction {
}
const scenarios: Record<string, ScenarioFunction> = {
wordpress: scenario1WordPress,
budget: scenario2Budget,
region: scenario3RegionCompare,
sync: scenario4ProviderSync,
budget: scenario1Budget,
region: scenario2RegionCompare,
sync: scenario3ProviderSync,
ratelimit: scenario5RateLimit,
};

404
scripts/migrate.ts Normal file
View File

@@ -0,0 +1,404 @@
#!/usr/bin/env tsx
/**
* Database Migration Runner
* Automatically detects and executes unapplied SQL migrations
*
* Usage:
* npm run db:migrate # Run on local database
* npm run db:migrate:remote # Run on remote database
* npm run db:migrate:status # Show migration status
*/
import { spawnSync } from 'child_process';
import { readdirSync, readFileSync, existsSync } from 'fs';
import { join, basename, resolve } from 'path';
// ============================================================
// Configuration
// ============================================================
const DB_NAME = 'cloud-instances-db';
const MIGRATIONS_DIR = join(process.cwd(), 'migrations');
const MIGRATION_HISTORY_TABLE = 'migration_history';
type Environment = 'local' | 'remote';
type Command = 'migrate' | 'status';
// ============================================================
// Utility Functions
// ============================================================
/**
* Sanitize migration name (prevent SQL injection)
* Only allows alphanumeric characters, underscores, and hyphens
*/
function sanitizeMigrationName(name: string): string {
if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
throw new Error(`Invalid migration name: ${name} (only alphanumeric, underscore, and hyphen allowed)`);
}
return name;
}
/**
* Validate file path (prevent path traversal)
* Ensures the file is within the migrations directory
*/
function validateFilePath(filename: string): string {
// Check filename format
if (!/^[a-zA-Z0-9_-]+\.sql$/.test(filename)) {
throw new Error(`Invalid filename format: ${filename}`);
}
const filePath = join(MIGRATIONS_DIR, filename);
const resolvedPath = resolve(filePath);
const resolvedMigrationsDir = resolve(MIGRATIONS_DIR);
// Ensure resolved path is within migrations directory
if (!resolvedPath.startsWith(resolvedMigrationsDir + '/') && resolvedPath !== resolvedMigrationsDir) {
throw new Error(`Path traversal detected: ${filename}`);
}
return filePath;
}
/**
* Execute wrangler d1 command and return output
* Uses spawnSync to prevent command injection
*/
function executeD1Command(sql: string, env: Environment): string {
const envFlag = env === 'remote' ? '--remote' : '--local';
const args = ['d1', 'execute', DB_NAME, envFlag, '--command', sql];
try {
const result = spawnSync('wrangler', args, {
encoding: 'utf-8',
stdio: ['pipe', 'pipe', 'pipe']
});
if (result.error) {
throw new Error(`Failed to execute wrangler: ${result.error.message}`);
}
if (result.status !== 0) {
throw new Error(`D1 command failed with exit code ${result.status}: ${result.stderr}`);
}
return result.stdout;
} catch (error: any) {
throw new Error(`D1 command failed: ${error.message}`);
}
}
/**
* Execute SQL file using wrangler d1
* Uses spawnSync to prevent command injection
*/
function executeD1File(filePath: string, env: Environment): void {
const envFlag = env === 'remote' ? '--remote' : '--local';
const args = ['d1', 'execute', DB_NAME, envFlag, '--file', filePath];
try {
const result = spawnSync('wrangler', args, {
encoding: 'utf-8',
stdio: 'inherit'
});
if (result.error) {
throw new Error(`Failed to execute wrangler: ${result.error.message}`);
}
if (result.status !== 0) {
throw new Error(`Migration file execution failed with exit code ${result.status}`);
}
} catch (error: any) {
throw new Error(`Migration file execution failed: ${error.message}`);
}
}
/**
* Get list of applied migrations from database
*/
function getAppliedMigrations(env: Environment): Set<string> {
try {
const sql = `SELECT migration_name FROM ${MIGRATION_HISTORY_TABLE} WHERE success = 1`;
const output = executeD1Command(sql, env);
const migrations = new Set<string>();
const lines = output.split('\n');
for (const line of lines) {
const trimmed = line.trim();
if (trimmed && !trimmed.includes('migration_name') && !trimmed.includes('─')) {
migrations.add(trimmed);
}
}
return migrations;
} catch (error: any) {
// If table doesn't exist, return empty set
if (error.message.includes('no such table')) {
return new Set<string>();
}
throw error;
}
}
/**
* Get list of migration files from migrations directory
*/
function getMigrationFiles(): string[] {
if (!existsSync(MIGRATIONS_DIR)) {
throw new Error(`Migrations directory not found: ${MIGRATIONS_DIR}`);
}
const files = readdirSync(MIGRATIONS_DIR)
.filter(f => f.endsWith('.sql'))
.filter(f => f !== 'README.md')
.sort(); // Alphabetical sort ensures numeric order (000, 002, 003, 004)
return files;
}
/**
* Extract migration name from filename (without .sql extension)
*/
function getMigrationName(filename: string): string {
return basename(filename, '.sql');
}
/**
* Record migration execution in history table
*/
function recordMigration(
migrationName: string,
executionTimeMs: number,
success: boolean,
errorMessage: string | null,
env: Environment
): void {
// Sanitize migration name to prevent SQL injection
const safeMigrationName = sanitizeMigrationName(migrationName);
// Escape error message (if any) to prevent SQL injection
const safeErrorMessage = errorMessage
? `'${errorMessage.replace(/'/g, "''")}'`
: 'NULL';
const sql = `
INSERT INTO ${MIGRATION_HISTORY_TABLE}
(migration_name, execution_time_ms, success, error_message)
VALUES
('${safeMigrationName}', ${executionTimeMs}, ${success ? 1 : 0}, ${safeErrorMessage})
`;
try {
executeD1Command(sql, env);
} catch (error: any) {
console.error(`[ERROR] Failed to record migration: ${error.message}`);
}
}
/**
* Execute a single migration file
*/
function executeMigration(filename: string, env: Environment): boolean {
const migrationName = getMigrationName(filename);
// Validate file path to prevent path traversal attacks
const filePath = validateFilePath(filename);
console.log(`\n[Migrate] Executing: ${migrationName}`);
console.log(`[Migrate] File: ${filename}`);
const startTime = Date.now();
try {
executeD1File(filePath, env);
const executionTime = Date.now() - startTime;
console.log(`[Migrate] ✅ Success (${executionTime}ms)`);
// Record success (only if not 000_migration_history itself)
if (migrationName !== '000_migration_history') {
recordMigration(migrationName, executionTime, true, null, env);
}
return true;
} catch (error: any) {
const executionTime = Date.now() - startTime;
const errorMessage = error.message || 'Unknown error';
console.error(`[Migrate] ❌ Failed (${executionTime}ms)`);
console.error(`[Migrate] Error: ${errorMessage}`);
// Record failure (only if not 000_migration_history itself)
if (migrationName !== '000_migration_history') {
recordMigration(migrationName, executionTime, false, errorMessage, env);
}
return false;
}
}
// ============================================================
// Main Migration Logic
// ============================================================
/**
* Run all pending migrations
*/
function runMigrations(env: Environment): void {
console.log(`\n${'='.repeat(60)}`);
console.log(`[Migrate] Database Migration Runner`);
console.log(`[Migrate] Environment: ${env}`);
console.log(`[Migrate] Database: ${DB_NAME}`);
console.log(`${'='.repeat(60)}\n`);
const allMigrations = getMigrationFiles();
console.log(`[Migrate] Found ${allMigrations.length} migration files`);
// Ensure migration history table exists first
const historyMigration = allMigrations.find(f => f.startsWith('000_migration_history'));
if (!historyMigration) {
console.error('[Migrate] ❌ Migration history table file (000_migration_history.sql) not found!');
process.exit(1);
}
// Execute history table migration first
console.log(`[Migrate] Ensuring migration tracking table exists...`);
if (!executeMigration(historyMigration, env)) {
console.error('[Migrate] ❌ Failed to create migration history table');
process.exit(1);
}
// Get applied migrations
const appliedMigrations = getAppliedMigrations(env);
console.log(`[Migrate] ${appliedMigrations.size} migrations already applied`);
// Filter pending migrations (excluding 000_migration_history)
const pendingMigrations = allMigrations
.filter(f => !f.startsWith('000_migration_history'))
.filter(f => !appliedMigrations.has(getMigrationName(f)));
if (pendingMigrations.length === 0) {
console.log('\n[Migrate] ✅ All migrations are up to date. Nothing to do.');
return;
}
console.log(`\n[Migrate] ${pendingMigrations.length} pending migrations to execute:`);
pendingMigrations.forEach(f => console.log(` - ${getMigrationName(f)}`));
// Execute each pending migration
let successCount = 0;
let failureCount = 0;
for (const filename of pendingMigrations) {
const success = executeMigration(filename, env);
if (success) {
successCount++;
} else {
failureCount++;
console.error(`\n[Migrate] ❌ Migration failed: ${filename}`);
console.error(`[Migrate] Stopping migration process.`);
break; // Stop on first failure
}
}
// Summary
console.log(`\n${'='.repeat(60)}`);
console.log(`[Migrate] Migration Summary:`);
console.log(`[Migrate] ✅ Successful: ${successCount}`);
if (failureCount > 0) {
console.log(`[Migrate] ❌ Failed: ${failureCount}`);
}
console.log(`${'='.repeat(60)}\n`);
if (failureCount > 0) {
process.exit(1);
}
}
/**
* Show migration status
*/
function showStatus(env: Environment): void {
console.log(`\n${'='.repeat(60)}`);
console.log(`[Migrate] Migration Status`);
console.log(`[Migrate] Environment: ${env}`);
console.log(`[Migrate] Database: ${DB_NAME}`);
console.log(`${'='.repeat(60)}\n`);
const allMigrations = getMigrationFiles();
console.log(`[Migrate] Total migration files: ${allMigrations.length}`);
try {
const appliedMigrations = getAppliedMigrations(env);
console.log(`[Migrate] Applied migrations: ${appliedMigrations.size}`);
// Show detailed status
console.log(`\n[Migrate] Detailed Status:\n`);
for (const filename of allMigrations) {
const migrationName = getMigrationName(filename);
const isApplied = appliedMigrations.has(migrationName);
const status = isApplied ? '✅' : '⏳';
const label = isApplied ? 'Applied' : 'Pending';
console.log(` ${status} ${migrationName.padEnd(40)} [${label}]`);
}
const pendingCount = allMigrations.length - appliedMigrations.size;
if (pendingCount > 0) {
console.log(`\n[Migrate] ⚠️ ${pendingCount} migrations pending execution`);
console.log(`[Migrate] Run 'npm run db:migrate' to apply pending migrations`);
} else {
console.log(`\n[Migrate] ✅ All migrations are up to date`);
}
} catch (error: any) {
console.error(`[Migrate] ❌ Error reading migration status: ${error.message}`);
console.error(`[Migrate] The migration_history table may not exist yet.`);
console.error(`[Migrate] Run 'npm run db:migrate' to initialize the system.`);
process.exit(1);
}
console.log(`\n${'='.repeat(60)}\n`);
}
// ============================================================
// CLI Entry Point
// ============================================================
function main(): void {
const args = process.argv.slice(2);
// Parse command
let command: Command = 'migrate';
if (args.includes('--status')) {
command = 'status';
}
// Parse environment
let env: Environment = 'local';
if (args.includes('--remote')) {
env = 'remote';
}
// Execute command
try {
if (command === 'status') {
showStatus(env);
} else {
runMigrations(env);
}
} catch (error: any) {
console.error(`\n[Migrate] ❌ Fatal error: ${error.message}`);
process.exit(1);
}
}
// Run if executed directly
if (require.main === module) {
main();
}

439
src/connectors/README.md
View File

@@ -1,439 +0,0 @@
# Vault Connector
TypeScript client for HashiCorp Vault integration in Cloudflare Workers.
## Features
- **Secure Credential Retrieval**: Fetch provider API credentials from Vault
- **Automatic Caching**: 1-hour TTL in-memory cache to reduce API calls
- **Comprehensive Error Handling**: Type-safe error handling with specific error codes
- **Timeout Protection**: 10-second request timeout with abort controller
- **Type Safety**: Full TypeScript support with strict typing
- **Logging**: Structured logging for debugging and monitoring
## Installation
The VaultClient is part of this project. Import it directly:
```typescript
import { VaultClient, VaultError } from './connectors/vault';
```
## Quick Start
### Basic Usage
```typescript
import { VaultClient } from './connectors/vault';
const vault = new VaultClient(
'https://vault.anvil.it.com',
'hvs.your-token-here'
);
// Retrieve credentials
const credentials = await vault.getCredentials('linode');
// Use credentials for API calls (DO NOT log sensitive data)
```
### Cloudflare Workers Integration
```typescript
export default {
async fetch(request: Request, env: Env) {
const vault = new VaultClient(env.VAULT_URL, env.VAULT_TOKEN);
try {
const creds = await vault.getCredentials('linode');
// Use credentials for API calls
} catch (error) {
if (error instanceof VaultError) {
return new Response(error.message, {
status: error.statusCode || 500
});
}
}
}
};
```
## API Reference
### VaultClient
#### Constructor
```typescript
new VaultClient(baseUrl: string, token: string)
```
**Parameters:**
- `baseUrl`: Vault server URL (e.g., `https://vault.anvil.it.com`)
- `token`: Vault authentication token (e.g., `hvs.gvtS2U0TCnGkVXlfBP7MGddi`)
#### Methods
##### `getCredentials(provider: string): Promise<VaultCredentials>`
Retrieve credentials for a provider from Vault.
**Parameters:**
- `provider`: Provider name (`linode`, `vultr`, `aws`)
**Returns:**
```typescript
{
provider: string;
api_token: string;
}
```
**Throws:**
- `VaultError` on authentication, authorization, or network failures
**Example:**
```typescript
const creds = await vault.getCredentials('linode');
```
##### `clearCache(provider?: string): void`
Clear cached credentials.
**Parameters:**
- `provider` (optional): Specific provider to clear, or omit to clear all
**Example:**
```typescript
// Clear specific provider
vault.clearCache('linode');
// Clear all cache
vault.clearCache();
```
##### `getCacheStats(): { size: number; providers: string[] }`
Get current cache statistics.
**Returns:**
```typescript
{
size: number; // Number of cached providers
providers: string[]; // List of cached provider names
}
```
**Example:**
```typescript
const stats = vault.getCacheStats();
console.log(`Cached: ${stats.size} providers`);
```
### VaultError
Custom error class for Vault operations.
**Properties:**
```typescript
{
name: 'VaultError';
message: string;
statusCode?: number; // HTTP status code
provider?: string; // Provider name that caused error
}
```
## Error Handling
### HTTP Status Codes
| Code | Meaning | Action |
|------|---------|--------|
| 401 | Invalid/expired token | Check authentication token |
| 403 | Insufficient permissions | Verify token has access to provider path |
| 404 | Provider not found | Check provider name spelling |
| 500-503 | Server error | Retry request after delay |
| 504 | Timeout | Check network connectivity |
### Error Handling Pattern
```typescript
try {
const creds = await vault.getCredentials('linode');
} catch (error) {
if (error instanceof VaultError) {
switch (error.statusCode) {
case 401:
console.error('Auth failed:', error.message);
break;
case 403:
console.error('Permission denied:', error.message);
break;
case 404:
console.error('Provider not found:', error.provider);
break;
default:
console.error('Vault error:', error.message);
}
} else {
console.error('Unexpected error:', error);
}
}
```
## Caching
### Cache Behavior
- **TTL**: 1 hour (3600 seconds)
- **Storage**: In-memory (Map)
- **Automatic**: Transparent caching on first request
- **Cache Hit**: Subsequent requests within TTL use cached data
- **Cache Miss**: Expired or cleared entries fetch from Vault
### Cache Example
```typescript
const vault = new VaultClient(url, token);
// First call - fetches from Vault
const creds1 = await vault.getCredentials('linode');
console.log('[VaultClient] Cache miss, fetching from Vault');
// Second call - uses cache (no API call)
const creds2 = await vault.getCredentials('linode');
console.log('[VaultClient] Cache hit');
// Check cache
const stats = vault.getCacheStats();
console.log(`Cached: ${stats.providers.join(', ')}`);
// Manual cache clear
vault.clearCache('linode');
```
## Configuration
### Environment Variables
Store Vault configuration in environment variables for security:
```toml
# wrangler.toml
[vars]
VAULT_URL = "https://vault.anvil.it.com"
[[env.production.vars]]
VAULT_TOKEN = "hvs.production-token"
[[env.development.vars]]
VAULT_TOKEN = "hvs.development-token"
```
### Usage with Environment Variables
```typescript
export default {
async fetch(request: Request, env: Env) {
const vault = new VaultClient(env.VAULT_URL, env.VAULT_TOKEN);
// ...
}
};
```
## Vault Server Configuration
### Secret Path Structure
Credentials are stored at:
```
secret/data/{provider}
```
Example paths:
- `secret/data/linode`
- `secret/data/vultr`
- `secret/data/aws`
### Expected Secret Format
```json
{
"data": {
"data": {
"provider": "linode",
"api_token": "your-api-token-here"
},
"metadata": {
"created_time": "2024-01-21T10:00:00Z",
"version": 1
}
}
}
```
### Required Vault Permissions
Your token must have read access to the secret paths:
```hcl
path "secret/data/linode" {
capabilities = ["read"]
}
path "secret/data/vultr" {
capabilities = ["read"]
}
path "secret/data/aws" {
capabilities = ["read"]
}
```
## Performance
### Request Timeout
- Default: 10 seconds
- Implemented via `AbortController`
- Throws `VaultError` with status code 504 on timeout
### Cache Performance
- **Cache Hit**: <1ms (memory lookup)
- **Cache Miss**: ~100-500ms (network request + parsing)
- **Memory Usage**: ~1KB per cached provider
### Optimization Tips
1. **Parallel Requests**: Fetch multiple providers in parallel
```typescript
const [linode, vultr] = await Promise.all([
vault.getCredentials('linode'),
vault.getCredentials('vultr'),
]);
```
2. **Warm Cache**: Preload frequently used providers
```typescript
// Warm cache at worker startup
await Promise.all([
vault.getCredentials('linode'),
vault.getCredentials('vultr'),
]);
```
3. **Monitor Cache**: Track cache hit rate
```typescript
const stats = vault.getCacheStats();
console.log(`Cache efficiency: ${stats.size} providers cached`);
```
## Testing
Comprehensive test suite included:
```bash
npm test vault.test.ts
```
**Test Coverage:**
- ✅ Constructor initialization
- ✅ Successful credential retrieval
- ✅ Caching behavior
- ✅ HTTP error handling (401, 403, 404, 500)
- ✅ Timeout handling
- ✅ Invalid response structure
- ✅ Missing required fields
- ✅ Network errors
- ✅ Cache management
- ✅ VaultError creation
## Logging
Structured logging for debugging:
```
[VaultClient] Initialized { baseUrl: 'https://vault.anvil.it.com' }
[VaultClient] Retrieving credentials { provider: 'linode' }
[VaultClient] Cache miss, fetching from Vault { provider: 'linode' }
[VaultClient] Credentials cached { provider: 'linode', expiresIn: '3600s' }
[VaultClient] Credentials retrieved successfully { provider: 'linode' }
```
Error logging:
```
[VaultClient] HTTP error { provider: 'linode', statusCode: 401, errorMessage: 'permission denied' }
[VaultClient] Unexpected error { provider: 'linode', error: Error(...) }
```
## Examples
See [vault.example.ts](/Users/kaffa/cloud-server/src/connectors/vault.example.ts) for comprehensive usage examples:
- Basic usage
- Environment variables
- Caching demonstration
- Cache management
- Error handling patterns
- Cloudflare Workers integration
- Parallel provider fetching
- Retry logic
## Security Best Practices
1. **Never commit tokens**: Use environment variables
2. **Rotate tokens regularly**: Update tokens periodically
3. **Use least privilege**: Grant only required Vault permissions
4. **Monitor access**: Track Vault access logs
5. **Secure transmission**: Always use HTTPS
6. **Cache clearing**: Clear cache on token rotation
## Troubleshooting
### Common Issues
#### Authentication Failed (401)
**Problem**: Invalid or expired Vault token
**Solution**:
```typescript
// Verify token format
console.log('Token:', env.VAULT_TOKEN);
// Should start with 'hvs.'
```
#### Permission Denied (403)
**Problem**: Token lacks read access to provider path
**Solution**: Update Vault policy to grant read access
#### Provider Not Found (404)
**Problem**: Provider doesn't exist in Vault
**Solution**: Verify provider name and path in Vault
#### Request Timeout (504)
**Problem**: Network connectivity or slow Vault response
**Solution**:
- Check network connectivity
- Verify Vault server is responsive
- Consider increasing timeout (requires code modification)
#### Invalid Response Structure
**Problem**: Vault response format doesn't match expected structure
**Solution**: Verify Vault secret format matches documentation
## License
Internal use only - Part of Cloud Instances API project.

56
src/connectors/aws.ts
View File

@@ -1,7 +1,7 @@
import type { RegionInput, InstanceTypeInput, InstanceFamily } from '../types';
import { VaultClient, VaultError } from './vault';
import type { Env, RegionInput, InstanceTypeInput, InstanceFamily } from '../types';
import { RateLimiter } from './base';
import { TIMEOUTS, HTTP_STATUS } from '../constants';
import { createLogger } from '../utils/logger';
/**
* AWS connector error class
@@ -56,10 +56,10 @@ interface EC2ShopResponse {
* - Rate limiting: 20 requests/second
* - Hardcoded region list (relatively static)
* - Comprehensive error handling
* - Optional AWS credentials from environment for future API integration
*
* @example
* const vault = new VaultClient(vaultUrl, vaultToken);
* const connector = new AWSConnector(vault);
* const connector = new AWSConnector(env);
* await connector.initialize();
* const regions = await connector.fetchRegions();
*/
@@ -68,6 +68,7 @@ export class AWSConnector {
private readonly instanceDataUrl = 'https://ec2.shop/?json';
private readonly rateLimiter: RateLimiter;
private readonly requestTimeout = TIMEOUTS.AWS_REQUEST;
private readonly logger = createLogger('[AWSConnector]');
/**
* AWS regions list (relatively static data)
@@ -105,42 +106,27 @@ export class AWSConnector {
{ code: 'il-central-1', name: 'Israel (Tel Aviv)' },
];
constructor(private vaultClient: VaultClient) {
constructor(private env: Env) {
// Rate limit: 20 requests/second per region
// Use 10 tokens with 10/second refill to be conservative
this.rateLimiter = new RateLimiter(20, 10);
console.log('[AWSConnector] Initialized');
this.logger.info('Initialized');
}
/**
* Initialize connector by fetching credentials from Vault
* Note: Currently not required for public API access,
* Initialize connector by loading credentials from environment
* Note: Currently not required for public API access (ec2.shop),
* but included for future AWS API integration
*/
async initialize(): Promise<void> {
console.log('[AWSConnector] Fetching credentials from Vault');
this.logger.info('Loading credentials from environment');
try {
const credentials = await this.vaultClient.getCredentials(this.provider);
// AWS uses different credential keys
const awsCreds = credentials as unknown as {
aws_access_key_id?: string;
aws_secret_access_key?: string;
};
// Credentials loaded for future AWS API direct access
console.log('[AWSConnector] Credentials loaded successfully', {
hasAccessKey: !!awsCreds.aws_access_key_id,
hasSecretKey: !!awsCreds.aws_secret_access_key,
});
} catch (error) {
if (error instanceof VaultError) {
console.warn('[AWSConnector] Vault credentials not available, using public API only');
// Not critical for public API access
// AWS credentials are optional since we use public ec2.shop API
// They would be required for direct AWS API access
if (this.env.AWS_ACCESS_KEY_ID && this.env.AWS_SECRET_ACCESS_KEY) {
this.logger.info('AWS credentials available for future API access');
} else {
throw error;
}
this.logger.info('Using public ec2.shop API (no AWS credentials required)');
}
}
@@ -151,7 +137,7 @@ export class AWSConnector {
* @returns Array of AWS regions
*/
async fetchRegions(): Promise<AWSRegion[]> {
console.log('[AWSConnector] Fetching regions', { count: this.awsRegions.length });
this.logger.info('Fetching regions', { count: this.awsRegions.length });
return this.awsRegions;
}
@@ -162,7 +148,7 @@ export class AWSConnector {
* @throws AWSError on API failures
*/
async fetchInstanceTypes(): Promise<AWSInstanceType[]> {
console.log('[AWSConnector] Fetching instance types from ec2.shop');
this.logger.info('Fetching instance types from ec2.shop');
await this.rateLimiter.waitForToken();
@@ -190,13 +176,13 @@ export class AWSConnector {
const data = await response.json() as EC2ShopResponse;
const instances = data.Prices || [];
console.log('[AWSConnector] Instance types fetched', { count: instances.length });
this.logger.info('Instance types fetched', { count: instances.length });
return instances;
} catch (error) {
// Handle timeout
if (error instanceof Error && error.name === 'AbortError') {
console.error('[AWSConnector] Request timeout', { timeout: this.requestTimeout });
this.logger.error('Request timeout', { timeout: this.requestTimeout });
throw new AWSError(
`Request to ec2.shop API timed out after ${this.requestTimeout}ms`,
504
@@ -209,7 +195,7 @@ export class AWSConnector {
}
// Handle unexpected errors
console.error('[AWSConnector] Unexpected error', { error });
this.logger.error('Unexpected error', { error });
throw new AWSError(
`Failed to fetch instance types: ${error instanceof Error ? error.message : 'Unknown error'}`,
HTTP_STATUS.INTERNAL_ERROR,
@@ -515,7 +501,7 @@ export class AWSConnector {
}
// Default to general for unknown types
console.warn('[AWSConnector] Unknown instance family, defaulting to general', { type: instanceType });
this.logger.warn('Unknown instance family, defaulting to general', { type: instanceType });
return 'general';
}
}

128
src/connectors/base.ts
View File

@@ -1,5 +1,4 @@
import type { VaultClient } from './vault';
import type { VaultCredentials, RegionInput, InstanceTypeInput } from '../types';
import type { RegionInput, InstanceTypeInput } from '../types';
import { logger } from '../utils/logger';
/**
@@ -123,126 +122,7 @@ export class RateLimiter {
}
/**
* CloudConnector - Abstract base class for cloud provider connectors
*
* Implements common authentication, rate limiting, and data fetching patterns.
* Each provider (Linode, Vultr, etc.) extends this class and implements
* provider-specific API calls and data normalization.
*
* @abstract
*
* @example
* class LinodeConnector extends CloudConnector {
* provider = 'linode';
*
* async fetchRegions() {
* await this.rateLimiter.waitForToken();
* // Fetch regions from Linode API
* }
*
* normalizeRegion(raw: RawRegion): RegionInput {
* // Transform Linode region data to standard format
* }
* }
* Note: CloudConnector base class has been deprecated.
* Each connector now uses Env directly for credentials instead of Vault.
* See LinodeConnector, VultrConnector, AWSConnector for current implementation patterns.
*/
export abstract class CloudConnector {
/**
* Provider identifier (e.g., 'linode', 'vultr', 'aws')
* Must be implemented by subclass
*/
abstract provider: string;
/**
* Cached credentials from Vault
* Populated after calling authenticate()
*/
protected credentials: VaultCredentials | null = null;
/**
* Rate limiter for API requests
* Configured with provider-specific limits
*/
protected rateLimiter: RateLimiter;
/**
* Create a new cloud connector
*
* @param vault - VaultClient instance for credential management
*/
constructor(protected vault: VaultClient) {
// Default rate limiter: 10 requests, refill 2 per second
this.rateLimiter = new RateLimiter(10, 2);
}
/**
* Authenticate with provider using Vault credentials
* Fetches and caches credentials for API calls
*
* @throws ConnectorError if authentication fails
*/
async authenticate(): Promise<void> {
try {
logger.info('[CloudConnector] Authenticating', { provider: this.provider });
this.credentials = await this.vault.getCredentials(this.provider);
if (!this.credentials || !this.credentials.api_token) {
throw new ConnectorError(
this.provider,
'authenticate',
undefined,
'Invalid credentials received from Vault'
);
}
logger.info('[CloudConnector] Authentication successful', { provider: this.provider });
} catch (error) {
logger.error('[CloudConnector] Authentication failed', { provider: this.provider, error });
throw new ConnectorError(
this.provider,
'authenticate',
undefined,
`Authentication failed: ${error instanceof Error ? error.message : 'Unknown error'}`
);
}
}
/**
* Fetch raw region data from provider API
* Must be implemented by subclass
*
* @returns Array of raw region objects from provider API
* @throws ConnectorError on API failure
*/
abstract fetchRegions(): Promise<RawRegion[]>;
/**
* Fetch raw instance type data from provider API
* Must be implemented by subclass
*
* @returns Array of raw instance type objects from provider API
* @throws ConnectorError on API failure
*/
abstract fetchInstanceTypes(): Promise<RawInstanceType[]>;
/**
* Normalize raw region data to standard format
* Transforms provider-specific region structure to RegionInput
* Must be implemented by subclass
*
* @param raw - Raw region data from provider API
* @returns Normalized region data ready for database insertion
*/
abstract normalizeRegion(raw: RawRegion): RegionInput;
/**
* Normalize raw instance type data to standard format
* Transforms provider-specific instance structure to InstanceTypeInput
* Must be implemented by subclass
*
* @param raw - Raw instance type data from provider API
* @returns Normalized instance type data ready for database insertion
*/
abstract normalizeInstance(raw: RawInstanceType): InstanceTypeInput;
}

527
src/connectors/linode.README.md
View File

@@ -1,527 +0,0 @@
# Linode Connector
TypeScript client for Linode API integration in Cloudflare Workers.
## Features
- **Complete API Coverage**: Fetch regions and instance types
- **Rate Limiting**: Automatic compliance with Linode's 1600 requests/hour limit
- **Data Normalization**: Transform Linode data to standardized database format
- **Comprehensive Error Handling**: Type-safe error handling with specific codes
- **Vault Integration**: Secure credential management via VaultClient
- **Timeout Protection**: 10-second request timeout with abort controller
- **Type Safety**: Full TypeScript support with strict typing
- **Logging**: Structured logging for debugging and monitoring
## Installation
The LinodeConnector is part of this project. Import it directly:
```typescript
import { LinodeConnector, LinodeError } from './connectors/linode';
import { VaultClient } from './connectors/vault';
```
## Quick Start
### Basic Usage
```typescript
import { VaultClient } from './connectors/vault';
import { LinodeConnector } from './connectors/linode';
const vault = new VaultClient(
'https://vault.anvil.it.com',
'hvs.your-token-here'
);
const connector = new LinodeConnector(vault);
// Initialize (fetches credentials from Vault)
await connector.initialize();
// Fetch regions
const regions = await connector.fetchRegions();
// Fetch instance types
const instances = await connector.fetchInstanceTypes();
```
### Data Normalization
```typescript
const providerId = 1; // Database provider ID
// Normalize regions for database storage
const normalizedRegions = regions.map(region =>
connector.normalizeRegion(region, providerId)
);
// Normalize instance types for database storage
const normalizedInstances = instances.map(instance =>
connector.normalizeInstance(instance, providerId)
);
```
## API Reference
### LinodeConnector
#### Constructor
```typescript
new LinodeConnector(vaultClient: VaultClient)
```
**Parameters:**
- `vaultClient`: Initialized VaultClient instance for credential retrieval
#### Properties
```typescript
readonly provider = 'linode';
```
#### Methods
##### `initialize(): Promise<void>`
Initialize connector by fetching credentials from Vault. **Must be called before making API requests.**
**Throws:**
- `LinodeError` on Vault or credential loading failures
**Example:**
```typescript
await connector.initialize();
```
##### `fetchRegions(): Promise<LinodeRegion[]>`
Fetch all regions from Linode API.
**Returns:**
- Array of raw Linode region data
**Throws:**
- `LinodeError` on API failures
**Example:**
```typescript
const regions = await connector.fetchRegions();
console.log(`Fetched ${regions.length} regions`);
```
##### `fetchInstanceTypes(): Promise<LinodeInstanceType[]>`
Fetch all instance types from Linode API.
**Returns:**
- Array of raw Linode instance type data
**Throws:**
- `LinodeError` on API failures
**Example:**
```typescript
const instances = await connector.fetchInstanceTypes();
console.log(`Fetched ${instances.length} instance types`);
```
##### `normalizeRegion(raw: LinodeRegion, providerId: number): RegionInput`
Normalize Linode region data for database storage.
**Parameters:**
- `raw`: Raw Linode region data
- `providerId`: Database provider ID
**Returns:**
- Normalized region data ready for insertion
**Example:**
```typescript
const normalized = connector.normalizeRegion(rawRegion, 1);
```
**Normalization Details:**
- `region_code`: Linode region ID (e.g., "us-east")
- `region_name`: Human-readable name (e.g., "Newark, NJ")
- `country_code`: ISO 3166-1 alpha-2 lowercase
- `latitude/longitude`: Not provided by Linode (set to null)
- `available`: 1 if status is "ok", 0 otherwise
##### `normalizeInstance(raw: LinodeInstanceType, providerId: number): InstanceTypeInput`
Normalize Linode instance type data for database storage.
**Parameters:**
- `raw`: Raw Linode instance type data
- `providerId`: Database provider ID
**Returns:**
- Normalized instance type data ready for insertion
**Example:**
```typescript
const normalized = connector.normalizeInstance(rawInstance, 1);
```
**Normalization Details:**
- `memory_mb`: Already in MB (no conversion)
- `storage_gb`: Converted from MB to GB (divide by 1024)
- `transfer_tb`: Converted from GB to TB (divide by 1000)
- `network_speed_gbps`: Converted from Mbps to Gbps (divide by 1000)
- `gpu_type`: Set to "nvidia" if GPUs > 0
- `instance_family`: Mapped from Linode class (see mapping below)
### LinodeError
Custom error class for Linode operations.
**Properties:**
```typescript
{
name: 'LinodeError';
message: string;
statusCode?: number; // HTTP status code
details?: unknown; // Additional error details from API
}
```
## Instance Family Mapping
Linode instance classes are mapped to standardized families:
| Linode Class | Instance Family | Description |
|--------------|----------------|-------------|
| `nanode` | `general` | Entry-level shared instances |
| `standard` | `general` | Standard shared instances |
| `highmem` | `memory` | High-memory optimized instances |
| `dedicated` | `compute` | Dedicated CPU instances |
| `gpu` | `gpu` | GPU-accelerated instances |
| Unknown | `general` | Default fallback |
## Rate Limiting
### Linode API Limits
- **Rate Limit**: 1600 requests per hour
- **Requests Per Second**: ~0.44 (calculated from hourly limit)
- **Implementation**: Conservative 0.4 requests/second
### How It Works
The connector automatically throttles requests to comply with Linode's rate limits:
```typescript
// These requests are automatically rate-limited
await connector.fetchRegions(); // Request 1 at 0ms
await connector.fetchInstanceTypes(); // Request 2 at 2500ms
await connector.fetchRegions(); // Request 3 at 5000ms
```
**Benefits:**
- No manual rate limiting required
- Prevents 429 "Too Many Requests" errors
- Ensures API access remains available
- Transparent to the caller
## Error Handling
### HTTP Status Codes
| Code | Meaning | Action |
|------|---------|--------|
| 401 | Invalid/expired token | Check API token in Vault |
| 403 | Insufficient permissions | Verify token scope |
| 429 | Rate limit exceeded | Wait and retry (should not occur with rate limiter) |
| 500-599 | Server error | Retry request after delay |
| 504 | Timeout | Check network connectivity |
### Error Handling Pattern
```typescript
try {
await connector.initialize();
const regions = await connector.fetchRegions();
} catch (error) {
if (error instanceof LinodeError) {
switch (error.statusCode) {
case 401:
console.error('Auth failed:', error.message);
// Check Vault credentials
break;
case 403:
console.error('Permission denied:', error.message);
// Verify token permissions
break;
case 429:
console.error('Rate limit exceeded:', error.message);
// Should not occur with rate limiter, but handle gracefully
break;
case 504:
console.error('Timeout:', error.message);
// Check network or retry
break;
default:
console.error('Linode error:', error.message);
console.error('Details:', error.details);
}
} else {
console.error('Unexpected error:', error);
}
}
```
## Cloudflare Workers Integration
### Complete Example
```typescript
import { VaultClient } from './connectors/vault';
import { LinodeConnector, LinodeError } from './connectors/linode';
import type { Env } from './types';
export default {
async fetch(request: Request, env: Env) {
const vault = new VaultClient(env.VAULT_URL, env.VAULT_TOKEN);
const connector = new LinodeConnector(vault);
try {
// Initialize
await connector.initialize();
// Fetch data in parallel
const [regions, instances] = await Promise.all([
connector.fetchRegions(),
connector.fetchInstanceTypes(),
]);
// Normalize data
const providerId = 1;
const normalizedData = {
regions: regions.map(r => connector.normalizeRegion(r, providerId)),
instances: instances.map(i => connector.normalizeInstance(i, providerId)),
};
return new Response(JSON.stringify({
success: true,
data: normalizedData,
}), {
status: 200,
headers: { 'Content-Type': 'application/json' },
});
} catch (error) {
if (error instanceof LinodeError) {
return new Response(JSON.stringify({
success: false,
error: error.message,
}), {
status: error.statusCode || 500,
headers: { 'Content-Type': 'application/json' },
});
}
return new Response('Internal server error', { status: 500 });
}
}
};
```
## Vault Configuration
### Secret Path
Linode credentials are stored at:
```
secret/data/linode
```
### Expected Secret Format
```json
{
"data": {
"data": {
"provider": "linode",
"api_token": "your-linode-api-token-here"
},
"metadata": {
"created_time": "2024-01-21T10:00:00Z",
"version": 1
}
}
}
```
### Required Vault Permissions
```hcl
path "secret/data/linode" {
capabilities = ["read"]
}
```
## API Response Examples
### Region Response
```json
{
"data": [
{
"id": "us-east",
"label": "Newark, NJ",
"country": "us",
"capabilities": ["Linodes", "Block Storage"],
"status": "ok"
}
]
}
```
### Instance Type Response
```json
{
"data": [
{
"id": "g6-nanode-1",
"label": "Nanode 1GB",
"price": {
"hourly": 0.0075,
"monthly": 5.0
},
"memory": 1024,
"vcpus": 1,
"disk": 25600,
"transfer": 1000,
"network_out": 1000,
"gpus": 0,
"class": "nanode"
}
]
}
```
## Performance
### Request Timing
- **Rate Limiter**: ~2.5 seconds between requests (0.4 req/s)
- **API Response**: ~100-500ms per request
- **Timeout**: 10 seconds maximum per request
### Optimization Tips
1. **Parallel Initialization**: Warm Vault cache during startup
```typescript
// Pre-load credentials during worker startup
await connector.initialize();
```
2. **Batch Processing**: Process normalized data in batches
```typescript
const normalizedRegions = regions.map(r =>
connector.normalizeRegion(r, providerId)
);
```
3. **Error Recovery**: Implement retry logic for transient failures
```typescript
async function fetchWithRetry(fn: () => Promise<any>, retries = 3) {
for (let i = 0; i < retries; i++) {
try {
return await fn();
} catch (error) {
if (i === retries - 1) throw error;
await new Promise(resolve => setTimeout(resolve, 1000 * (i + 1)));
}
}
}
```
## Logging
Structured logging for debugging:
```
[LinodeConnector] Initialized
[LinodeConnector] Fetching credentials from Vault
[LinodeConnector] Credentials loaded successfully
[LinodeConnector] Fetching regions
[LinodeConnector] Making request { endpoint: '/regions' }
[LinodeConnector] Regions fetched { count: 25 }
[LinodeConnector] Fetching instance types
[LinodeConnector] Making request { endpoint: '/linode/types' }
[LinodeConnector] Instance types fetched { count: 50 }
```
Error logging:
```
[LinodeConnector] HTTP error { statusCode: 401, errorMessage: 'Invalid token' }
[LinodeConnector] Request timeout { endpoint: '/regions', timeout: 10000 }
[LinodeConnector] Unexpected error { endpoint: '/regions', error: Error(...) }
```
## Examples
See [linode.example.ts](/Users/kaffa/cloud-server/src/connectors/linode.example.ts) for comprehensive usage examples:
- Basic usage
- Data normalization
- Error handling patterns
- Cloudflare Workers integration
- Rate limiting demonstration
- Instance family mapping
## Security Best Practices
1. **Never commit tokens**: Store API tokens in Vault
2. **Rotate tokens regularly**: Update tokens periodically
3. **Use least privilege**: Grant only required API permissions
4. **Monitor access**: Track API usage and rate limits
5. **Secure transmission**: Always use HTTPS
6. **Cache credentials**: VaultClient handles credential caching
## Troubleshooting
### Connector Not Initialized
**Problem**: "Connector not initialized" error
**Solution**: Call `initialize()` before making API requests
```typescript
await connector.initialize();
```
### Rate Limit Exceeded (429)
**Problem**: Too many requests error
**Solution**: Should not occur with rate limiter, but if it does:
- Check if multiple connector instances are being used
- Verify rate limiter is functioning correctly
- Add additional delay between requests if needed
### Request Timeout (504)
**Problem**: Requests timing out after 10 seconds
**Solution**:
- Check network connectivity
- Verify Linode API status
- Consider increasing timeout (requires code modification)
### Invalid Instance Family
**Problem**: Warning about unknown instance class
**Solution**: Update `mapInstanceFamily()` method with new class mapping
## License
Internal use only - Part of Cloud Instances API project.

29
src/connectors/linode.ts
View File

@@ -1,5 +1,4 @@
import type { Env, RegionInput, InstanceTypeInput, InstanceFamily, GpuInstanceInput, G8InstanceInput, VpuInstanceInput } from '../types';
import { VaultClient, VaultError } from './vault';
import { RateLimiter } from './base';
import { createLogger } from '../utils/logger';
import { HTTP_STATUS } from '../constants';
@@ -60,11 +59,11 @@ interface LinodeApiResponse<T> {
* - Rate limiting: 1600 requests/hour
* - Data normalization for database storage
* - Comprehensive error handling
* - Vault integration for credentials
* - Credentials from environment variables
*
* @example
* const vault = new VaultClient(vaultUrl, vaultToken);
* const connector = new LinodeConnector(vault);
* const connector = new LinodeConnector(env);
* await connector.initialize();
* const regions = await connector.fetchRegions();
*/
export class LinodeConnector {
@@ -75,7 +74,7 @@ export class LinodeConnector {
private readonly logger: ReturnType<typeof createLogger>;
private apiToken: string | null = null;
constructor(private vaultClient: VaultClient, env?: Env) {
constructor(private env: Env) {
// Rate limit: 1600 requests/hour = ~0.44 requests/second
// Token bucket: maxTokens=5 (allow burst), refillRate=0.5 (conservative)
this.rateLimiter = new RateLimiter(5, 0.5);
@@ -84,25 +83,21 @@ export class LinodeConnector {
}
/**
* Initialize connector by fetching credentials from Vault
* Initialize connector by loading credentials from environment
* Must be called before making API requests
*/
async initialize(): Promise<void> {
this.logger.info('Fetching credentials from Vault');
this.logger.info('Loading credentials from environment');
try {
const credentials = await this.vaultClient.getCredentials(this.provider);
this.apiToken = credentials.api_token || null;
this.logger.info('Credentials loaded successfully');
} catch (error) {
if (error instanceof VaultError) {
if (!this.env.LINODE_API_TOKEN) {
throw new LinodeError(
`Failed to load Linode credentials: ${error.message}`,
error.statusCode
'LINODE_API_TOKEN not found in environment',
HTTP_STATUS.INTERNAL_ERROR
);
}
throw error;
}
this.apiToken = this.env.LINODE_API_TOKEN;
this.logger.info('Credentials loaded successfully');
}
/**

286
src/connectors/vault.ts
View File

@@ -1,286 +0,0 @@
import type { Env, VaultCredentials, VaultSecretResponse, CacheEntry } from '../types';
import { createLogger } from '../utils/logger';
import { HTTP_STATUS } from '../constants';
/**
* Custom error class for Vault operations
*/
export class VaultError extends Error {
constructor(
message: string,
public statusCode?: number,
public provider?: string
) {
super(message);
this.name = 'VaultError';
}
}
/**
* VaultClient - Manages secure credential retrieval from HashiCorp Vault
*
* Features:
* - In-memory caching with TTL (1 hour)
* - Automatic cache invalidation
* - Comprehensive error handling
* - Type-safe credential access
*
* @example
* const vault = new VaultClient('https://vault.anvil.it.com', token);
* const creds = await vault.getCredentials('linode');
*/
export class VaultClient {
private baseUrl: string;
private token: string;
private cache: Map<string, CacheEntry<VaultCredentials>>;
private readonly CACHE_TTL = 3600 * 1000; // 1 hour in milliseconds
private readonly REQUEST_TIMEOUT = 10000; // 10 seconds
private readonly logger: ReturnType<typeof createLogger>;
constructor(baseUrl: string, token: string, env?: Env) {
this.baseUrl = baseUrl.replace(/\/$/, ''); // Remove trailing slash
this.token = token;
this.cache = new Map();
this.logger = createLogger('[VaultClient]', env);
this.logger.info('Initialized', { baseUrl: this.baseUrl });
}
/**
* Retrieve credentials for a provider from Vault
* Implements caching to reduce API calls
*
* @param provider - Provider name (linode, vultr, aws)
* @returns Provider credentials with API token
* @throws VaultError on authentication, authorization, or network failures
*/
async getCredentials(provider: string): Promise<VaultCredentials> {
this.logger.info('Retrieving credentials', { provider });
// Check cache first
const cached = this.getFromCache(provider);
if (cached) {
this.logger.debug('Cache hit', { provider });
return cached;
}
this.logger.debug('Cache miss, fetching from Vault', { provider });
// Fetch from Vault
const path = `secret/data/${provider}`;
const url = `${this.baseUrl}/v1/${path}`;
try {
const controller = new AbortController();
const timeoutId = setTimeout(() => controller.abort(), this.REQUEST_TIMEOUT);
const response = await fetch(url, {
method: 'GET',
headers: {
'X-Vault-Token': this.token,
'Content-Type': 'application/json',
},
signal: controller.signal,
});
clearTimeout(timeoutId);
// Handle HTTP errors
if (!response.ok) {
await this.handleHttpError(response, provider);
}
// Parse and validate response
const data = await response.json() as VaultSecretResponse;
if (!this.isValidVaultResponse(data)) {
throw new VaultError(
`Invalid response structure from Vault for provider: ${provider}`,
HTTP_STATUS.INTERNAL_ERROR,
provider
);
}
const vaultData = data.data.data;
const credentials: VaultCredentials = {
provider: provider,
api_token: vaultData.api_token, // Linode
api_key: vaultData.api_key, // Vultr
aws_access_key_id: vaultData.aws_access_key_id, // AWS
aws_secret_access_key: vaultData.aws_secret_access_key, // AWS
};
// Validate credentials content based on provider
const hasValidCredentials =
credentials.api_token || // Linode
credentials.api_key || // Vultr
(credentials.aws_access_key_id && credentials.aws_secret_access_key); // AWS
if (!hasValidCredentials) {
throw new VaultError(
`Missing credentials in Vault response for provider: ${provider}`,
HTTP_STATUS.INTERNAL_ERROR,
provider
);
}
// Store in cache
this.setCache(provider, credentials);
this.logger.info('Credentials retrieved successfully', { provider });
return credentials;
} catch (error) {
// Handle timeout
if (error instanceof Error && error.name === 'AbortError') {
this.logger.error('Request timeout', { provider, timeout_ms: this.REQUEST_TIMEOUT });
throw new VaultError(
`Request to Vault timed out after ${this.REQUEST_TIMEOUT}ms`,
504,
provider
);
}
// Re-throw VaultError
if (error instanceof VaultError) {
throw error;
}
// Handle unexpected errors
this.logger.error('Unexpected error', { provider, error: error instanceof Error ? error.message : String(error) });
throw new VaultError(
`Failed to retrieve credentials: ${error instanceof Error ? error.message : 'Unknown error'}`,
HTTP_STATUS.INTERNAL_ERROR,
provider
);
}
}
/**
* Handle HTTP error responses from Vault
* This method always throws a VaultError
*/
private async handleHttpError(response: Response, provider: string): Promise<never> {
const statusCode = response.status;
let errorMessage: string;
try {
const errorData = await response.json() as { errors?: string[] };
errorMessage = errorData.errors?.join(', ') || response.statusText;
} catch {
errorMessage = response.statusText;
}
this.logger.error('HTTP error', { provider, statusCode, errorMessage });
// Always throw an error - TypeScript knows execution stops here
if (statusCode === 401) {
throw new VaultError(
'Vault authentication failed: Invalid or expired token',
401,
provider
);
} else if (statusCode === 403) {
throw new VaultError(
`Vault authorization failed: No permission to access ${provider} credentials`,
403,
provider
);
} else if (statusCode === 404) {
throw new VaultError(
`Provider not found in Vault: ${provider}`,
404,
provider
);
} else if (statusCode >= 500 && statusCode < 600) {
throw new VaultError(
`Vault server error: ${errorMessage}`,
statusCode,
provider
);
} else {
throw new VaultError(
`Vault request failed: ${errorMessage}`,
statusCode,
provider
);
}
}
/**
* Type guard to validate Vault API response structure
*/
private isValidVaultResponse(data: unknown): data is VaultSecretResponse {
if (typeof data !== 'object' || data === null) {
return false;
}
const response = data as VaultSecretResponse;
return (
typeof response.data === 'object' &&
response.data !== null &&
typeof response.data.data === 'object' &&
response.data.data !== null
);
}
/**
* Retrieve credentials from cache if not expired
*/
private getFromCache(provider: string): VaultCredentials | null {
const entry = this.cache.get(provider);
if (!entry) {
return null;
}
// Check if cache entry expired
if (Date.now() > entry.expiresAt) {
this.logger.debug('Cache entry expired', { provider });
this.cache.delete(provider);
return null;
}
return entry.data;
}
/**
* Store credentials in cache with TTL
*/
private setCache(provider: string, credentials: VaultCredentials): void {
const entry: CacheEntry<VaultCredentials> = {
data: credentials,
expiresAt: Date.now() + this.CACHE_TTL,
};
this.cache.set(provider, entry);
this.logger.debug('Credentials cached', {
provider,
expiresIn_seconds: this.CACHE_TTL / 1000
});
}
/**
* Clear cache for a specific provider or all providers
*/
clearCache(provider?: string): void {
if (provider) {
this.cache.delete(provider);
this.logger.info('Cache cleared', { provider });
} else {
this.cache.clear();
this.logger.info('All cache cleared');
}
}
/**
* Get cache statistics
*/
getCacheStats(): { size: number; providers: string[] } {
return {
size: this.cache.size,
providers: Array.from(this.cache.keys()),
};
}
}

41
src/connectors/vultr.ts
View File

@@ -1,5 +1,4 @@
import type { Env, RegionInput, InstanceTypeInput, InstanceFamily, GpuInstanceInput } from '../types';
import { VaultClient, VaultError } from './vault';
import { RateLimiter } from './base';
import { createLogger } from '../utils/logger';
import { HTTP_STATUS } from '../constants';
@@ -53,18 +52,18 @@ interface VultrApiResponse<T> {
* - Rate limiting: 3000 requests/hour
* - Data normalization for database storage
* - Comprehensive error handling
* - Vault integration for credentials
* - Credentials from environment variables
*
* @example
* const vault = new VaultClient(vaultUrl, vaultToken);
* const connector = new VultrConnector(vault);
* const connector = new VultrConnector(env);
* await connector.initialize();
* const regions = await connector.fetchRegions();
*
* @example
* // Using custom relay URL
* const connector = new VultrConnector(vault, 'https://custom-relay.example.com');
* const connector = new VultrConnector(env, 'https://custom-relay.example.com');
*
* @param vaultClient - Vault client for credential management
* @param env - Environment with credentials
* @param relayUrl - Optional relay server URL (defaults to 'https://vultr-relay.anvil.it.com')
*/
export class VultrConnector {
@@ -76,9 +75,8 @@ export class VultrConnector {
private apiKey: string | null = null;
constructor(
private vaultClient: VaultClient,
relayUrl?: string,
env?: Env
private env: Env,
relayUrl?: string
) {
// Use relay server by default, allow override via parameter or environment variable
// Relay server mirrors Vultr API structure: /v2/regions, /v2/plans
@@ -92,36 +90,21 @@ export class VultrConnector {
}
/**
* Initialize connector by fetching credentials from Vault
* Initialize connector by loading credentials from environment
* Must be called before making API requests
*/
async initialize(): Promise<void> {
this.logger.info('Fetching credentials from Vault');
this.logger.info('Loading credentials from environment');
try {
const credentials = await this.vaultClient.getCredentials(this.provider);
// Vultr uses 'api_key' field (unlike Linode which uses 'api_token')
const apiKey = credentials.api_key || null;
if (!apiKey || apiKey.trim() === '') {
if (!this.env.VULTR_API_KEY) {
throw new VultrError(
'Vultr API key is missing or empty. Please configure api_key in Vault.',
'VULTR_API_KEY not found in environment',
HTTP_STATUS.INTERNAL_ERROR
);
}
this.apiKey = apiKey;
this.apiKey = this.env.VULTR_API_KEY;
this.logger.info('Credentials loaded successfully');
} catch (error) {
if (error instanceof VaultError) {
throw new VultrError(
`Failed to load Vultr credentials: ${error.message}`,
error.statusCode
);
}
throw error;
}
}
/**

17
src/constants.ts
View File

@@ -165,19 +165,22 @@ export type InstanceFamily = typeof INSTANCE_FAMILIES[number];
/**
* CORS configuration
*
* NOTE: localhost origin is included for development purposes.
* In production, filter allowed origins based on environment.
* Example: const allowedOrigins = CORS.ALLOWED_ORIGINS.filter(o => !o.includes('localhost'))
* Security: Explicit allowed origins only. No wildcard fallback.
* Development origins are separated and only used in development environment.
*/
export const CORS = {
/** Default CORS origin */
DEFAULT_ORIGIN: '*',
/** Allowed origins for CORS */
/** Default CORS origin - explicit production origin */
DEFAULT_ORIGIN: 'https://anvil.it.com',
/** Allowed production origins for CORS */
ALLOWED_ORIGINS: [
'https://anvil.it.com',
'https://cloud.anvil.it.com',
'https://hosting.anvil.it.com',
'http://localhost:3000', // DEVELOPMENT ONLY - exclude in production
] as string[],
/** Development origins - only used when ENVIRONMENT === 'development' */
DEVELOPMENT_ORIGINS: [
'http://localhost:3000',
'http://127.0.0.1:3000',
] as string[],
/** Max age for CORS preflight cache (24 hours) */
MAX_AGE: '86400',

137
src/index.ts
View File

@@ -5,7 +5,7 @@
*/
import { Env } from './types';
import { handleSync, handleInstances, handleHealth, handleRecommend } from './routes';
import { handleSync, handleInstances, handleHealth } from './routes';
import {
authenticateRequest,
verifyApiKey,
@@ -15,7 +15,6 @@ import {
} from './middleware';
import { CORS, HTTP_STATUS } from './constants';
import { createLogger } from './utils/logger';
import { VaultClient } from './connectors/vault';
import { SyncOrchestrator } from './services/sync';
/**
@@ -29,21 +28,42 @@ function validateEnv(env: Env): { valid: boolean; missing: string[] } {
/**
* Get CORS origin for request
*
* Security: No wildcard fallback. Returns explicit allowed origin or default.
* Logs unmatched origins for monitoring.
*/
function getCorsOrigin(request: Request, env: Env): string {
const origin = request.headers.get('Origin');
const logger = createLogger('[CORS]', env);
// Environment variable has explicit origin configured (highest priority)
if (env.CORS_ORIGIN && env.CORS_ORIGIN !== '*') {
return env.CORS_ORIGIN;
}
// Build allowed origins list based on environment
const isDevelopment = env.ENVIRONMENT === 'development';
const allowedOrigins = isDevelopment
? [...CORS.ALLOWED_ORIGINS, ...CORS.DEVELOPMENT_ORIGINS]
: CORS.ALLOWED_ORIGINS;
// Request origin is in allowed list
if (origin && CORS.ALLOWED_ORIGINS.includes(origin)) {
if (origin && allowedOrigins.includes(origin)) {
return origin;
}
// Default fallback
// Log unmatched origins for security monitoring
if (origin && !allowedOrigins.includes(origin)) {
// Sanitize origin to prevent log injection (remove control characters)
const sanitizedOrigin = origin.replace(/[\r\n\t]/g, '').substring(0, 256);
logger.warn('Unmatched origin - using default', {
requested_origin: sanitizedOrigin,
environment: env.ENVIRONMENT || 'production',
default_origin: CORS.DEFAULT_ORIGIN
});
}
// Return explicit default (no wildcard)
return CORS.DEFAULT_ORIGIN;
}
@@ -58,7 +78,7 @@ function getCorsOrigin(request: Request, env: Env): string {
*
* Note: response.body can be null for 204 No Content or empty responses
*/
function addSecurityHeaders(response: Response, corsOrigin?: string): Response {
function addSecurityHeaders(response: Response, corsOrigin?: string, requestId?: string): Response {
const headers = new Headers(response.headers);
// Basic security headers
@@ -71,12 +91,18 @@ function addSecurityHeaders(response: Response, corsOrigin?: string): Response {
headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
headers.set('Access-Control-Allow-Headers', 'Content-Type, X-API-Key');
headers.set('Access-Control-Max-Age', CORS.MAX_AGE);
headers.set('Access-Control-Expose-Headers', 'X-RateLimit-Retry-After, Retry-After, X-Request-ID');
// Additional security headers
headers.set('Content-Security-Policy', "default-src 'none'");
headers.set('X-XSS-Protection', '1; mode=block');
headers.set('Referrer-Policy', 'no-referrer');
// Request ID for audit trail
if (requestId) {
headers.set('X-Request-ID', requestId);
}
// Create new Response with same body reference (no copy) and updated headers
return new Response(response.body, {
status: response.status,
@@ -93,25 +119,30 @@ export default {
const url = new URL(request.url);
const path = url.pathname;
// Generate request ID for audit trail (use CF-Ray if available, otherwise generate UUID)
const requestId = request.headers.get('CF-Ray') || crypto.randomUUID();
// Get CORS origin based on request and configuration
const corsOrigin = getCorsOrigin(request, env);
try {
// Handle OPTIONS preflight requests
if (request.method === 'OPTIONS') {
return addSecurityHeaders(new Response(null, { status: 204 }), corsOrigin);
return addSecurityHeaders(new Response(null, { status: 204 }), corsOrigin, requestId);
}
// Validate required environment variables
const envValidation = validateEnv(env);
if (!envValidation.valid) {
console.error('[Worker] Missing required environment variables:', envValidation.missing);
const logger = createLogger('[Worker]');
logger.error('Missing required environment variables', { missing: envValidation.missing, request_id: requestId });
return addSecurityHeaders(
Response.json(
{ error: 'Service Unavailable', message: 'Service configuration error' },
{ status: 503 }
),
corsOrigin
corsOrigin,
requestId
);
}
@@ -119,34 +150,29 @@ export default {
if (path === '/health') {
const apiKey = request.headers.get('X-API-Key');
const authenticated = apiKey ? verifyApiKey(apiKey, env) : false;
return addSecurityHeaders(await handleHealth(env, authenticated), corsOrigin);
return addSecurityHeaders(await handleHealth(env, authenticated), corsOrigin, requestId);
}
// Authentication required for all other endpoints
const isAuthenticated = await authenticateRequest(request, env);
if (!isAuthenticated) {
return addSecurityHeaders(createUnauthorizedResponse(), corsOrigin);
return addSecurityHeaders(createUnauthorizedResponse(), corsOrigin, requestId);
}
// Rate limiting for authenticated endpoints
const rateLimitCheck = await checkRateLimit(request, path, env);
if (!rateLimitCheck.allowed) {
return addSecurityHeaders(createRateLimitResponse(rateLimitCheck.retryAfter!), corsOrigin);
return addSecurityHeaders(createRateLimitResponse(rateLimitCheck.retryAfter!), corsOrigin, requestId);
}
// Query instances
if (path === '/instances' && request.method === 'GET') {
return addSecurityHeaders(await handleInstances(request, env), corsOrigin);
return addSecurityHeaders(await handleInstances(request, env), corsOrigin, requestId);
}
// Sync trigger
if (path === '/sync' && request.method === 'POST') {
return addSecurityHeaders(await handleSync(request, env), corsOrigin);
}
// Tech stack recommendation
if (path === '/recommend' && request.method === 'POST') {
return addSecurityHeaders(await handleRecommend(request, env), corsOrigin);
return addSecurityHeaders(await handleSync(request, env), corsOrigin, requestId);
}
// 404 Not Found
@@ -155,17 +181,20 @@ export default {
{ error: 'Not Found', path },
{ status: HTTP_STATUS.NOT_FOUND }
),
corsOrigin
corsOrigin,
requestId
);
} catch (error) {
console.error('[Worker] Request error:', error);
const logger = createLogger('[Worker]');
logger.error('Request error', { error, request_id: requestId });
return addSecurityHeaders(
Response.json(
{ error: 'Internal Server Error' },
{ status: HTTP_STATUS.INTERNAL_ERROR }
),
corsOrigin
corsOrigin,
requestId
);
}
},
@@ -185,15 +214,32 @@ export default {
scheduled_time: new Date(event.scheduledTime).toISOString()
});
// Validate required environment variables
const requiredVars = ['DB'];
const missing = requiredVars.filter(v => !env[v as keyof Env]);
if (missing.length > 0) {
logger.error('Missing required environment variables', { missing, cron });
throw new Error(`Cron job failed: missing env vars: ${missing.join(', ')}`);
}
// Daily full sync at 00:00 UTC
if (cron === '0 0 * * *') {
const vault = new VaultClient(env.VAULT_URL, env.VAULT_TOKEN);
const orchestrator = new SyncOrchestrator(env.DB, vault, env);
const MAX_RETRIES = 3;
const executeSyncWithRetry = async (): Promise<void> => {
const orchestrator = new SyncOrchestrator(env.DB, env);
for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
try {
logger.info('Starting sync attempt', {
attempt_number: attempt,
max_retries: MAX_RETRIES
});
const report = await orchestrator.syncAll(['linode', 'vultr', 'aws']);
ctx.waitUntil(
orchestrator.syncAll(['linode', 'vultr', 'aws'])
.then(report => {
logger.info('Daily sync complete', {
attempt_number: attempt,
total_regions: report.summary.total_regions,
total_instances: report.summary.total_instances,
successful_providers: report.summary.successful_providers,
@@ -215,20 +261,39 @@ export default {
.map(p => ({ provider: p.provider, error: p.error }))
});
}
})
.catch(error => {
logger.error('Daily sync failed', {
// Success - exit retry loop
return;
} catch (error) {
const willRetry = attempt < MAX_RETRIES;
const retryDelayMs = willRetry ? Math.min(Math.pow(2, attempt - 1) * 1000, 10000) : 0;
logger.error('Sync attempt failed', {
attempt_number: attempt,
max_retries: MAX_RETRIES,
will_retry: willRetry,
retry_delay_ms: retryDelayMs,
error: error instanceof Error ? error.message : String(error),
stack: error instanceof Error ? error.stack : undefined
});
})
);
}
// Pricing update every 6 hours
if (cron === '0 */6 * * *') {
// Skip full sync, just log for now (pricing update logic can be added later)
logger.info('Pricing update check (not implemented yet)');
if (willRetry) {
// Wait before retry with exponential backoff
await new Promise(resolve => setTimeout(resolve, retryDelayMs));
} else {
// Final failure - re-throw to make cron failure visible
logger.error('Daily sync failed after all retries', {
total_attempts: MAX_RETRIES,
error: error instanceof Error ? error.message : String(error)
});
throw error;
}
}
}
};
ctx.waitUntil(executeSyncWithRetry());
}
},
};

2
src/middleware/auth.test.ts
View File

@@ -19,8 +19,6 @@ const createMockEnv = (apiKey?: string): Env => ({
API_KEY: apiKey || 'test-api-key-12345',
DB: {} as any,
RATE_LIMIT_KV: {} as any,
VAULT_URL: 'https://vault.example.com',
VAULT_TOKEN: 'test-token',
});
/**

49
src/middleware/auth.ts
View File

@@ -6,6 +6,9 @@
*/
import { Env } from '../types';
import { createLogger } from '../utils/logger';
const logger = createLogger('[Auth]');
/**
* Authenticate incoming request using API key
@@ -25,19 +28,19 @@ export async function authenticateRequest(request: Request, env: Env): Promise<b
// Validate environment variable
const expectedKey = env.API_KEY;
if (!expectedKey) {
console.error('[Auth] API_KEY environment variable is not configured');
logger.error('API_KEY environment variable is not configured');
return false;
}
// Length comparison with safety check
if (providedKey.length !== expectedKey.length) {
return false;
}
// Pad both keys to same length to prevent timing leak on length comparison
const maxLength = Math.max(providedKey.length, expectedKey.length);
const paddedProvided = providedKey.padEnd(maxLength, '\0');
const paddedExpected = expectedKey.padEnd(maxLength, '\0');
// Use Web Crypto API for constant-time comparison
const encoder = new TextEncoder();
const providedBuffer = encoder.encode(providedKey);
const expectedBuffer = encoder.encode(expectedKey);
const providedBuffer = encoder.encode(paddedProvided);
const expectedBuffer = encoder.encode(paddedExpected);
const providedHash = await crypto.subtle.digest('SHA-256', providedBuffer);
const expectedHash = await crypto.subtle.digest('SHA-256', expectedBuffer);
@@ -45,15 +48,13 @@ export async function authenticateRequest(request: Request, env: Env): Promise<b
const providedArray = new Uint8Array(providedHash);
const expectedArray = new Uint8Array(expectedHash);
// Compare hashes byte by byte
let equal = true;
// Truly constant-time comparison using XOR to avoid branching
let result = 0;
for (let i = 0; i < providedArray.length; i++) {
if (providedArray[i] !== expectedArray[i]) {
equal = false;
}
result |= providedArray[i] ^ expectedArray[i];
}
return equal;
return result === 0;
}
/**
@@ -65,23 +66,21 @@ export async function authenticateRequest(request: Request, env: Env): Promise<b
* @returns true if key matches, false otherwise
*/
export function verifyApiKey(providedKey: string, env: Env): boolean {
// Validate environment variable
const expectedKey = env.API_KEY;
if (!expectedKey || !providedKey) {
return false;
}
// Length comparison with safety check
if (providedKey.length !== expectedKey.length) {
return false;
}
// Use fixed-size buffers to prevent length leakage
const FIXED_SIZE = 256;
const provided = (providedKey || '').slice(0, FIXED_SIZE).padEnd(FIXED_SIZE, '\0');
const expected = (expectedKey || '').slice(0, FIXED_SIZE).padEnd(FIXED_SIZE, '\0');
// Constant-time comparison to prevent timing attacks
// Constant-time comparison
let result = 0;
for (let i = 0; i < providedKey.length; i++) {
result |= providedKey.charCodeAt(i) ^ expectedKey.charCodeAt(i);
for (let i = 0; i < FIXED_SIZE; i++) {
result |= provided.charCodeAt(i) ^ expected.charCodeAt(i);
}
return result === 0;
// Both must be non-empty and match
return result === 0 && !!providedKey && !!expectedKey;
}
/**

118
src/middleware/rateLimit.test.ts
View File

@@ -21,20 +21,40 @@ import type { Env } from '../types';
*/
const createMockKV = () => {
const store = new Map<string, string>();
const metadata = new Map<string, Record<string, any>>();
return {
get: vi.fn(async (key: string) => store.get(key) || null),
put: vi.fn(async (key: string, value: string) => {
put: vi.fn(async (key: string, value: string, options?: { expirationTtl?: number; metadata?: Record<string, any> }) => {
store.set(key, value);
if (options?.metadata) {
metadata.set(key, options.metadata);
}
}),
delete: vi.fn(async (key: string) => {
store.delete(key);
metadata.delete(key);
}),
list: vi.fn(),
getWithMetadata: vi.fn(),
getWithMetadata: vi.fn(async (key: string) => {
const value = store.get(key) || null;
const meta = metadata.get(key) || null;
return {
value,
metadata: meta,
};
}),
// Helper to manually set values for testing
_setStore: (key: string, value: string) => store.set(key, value),
_clearStore: () => store.clear(),
_setStore: (key: string, value: string, meta?: Record<string, any>) => {
store.set(key, value);
if (meta) {
metadata.set(key, meta);
}
},
_clearStore: () => {
store.clear();
metadata.clear();
},
};
};
@@ -44,8 +64,6 @@ const createMockKV = () => {
const createMockEnv = (kv: ReturnType<typeof createMockKV>): Env => ({
DB: {} as any,
RATE_LIMIT_KV: kv as any,
VAULT_URL: 'https://vault.example.com',
VAULT_TOKEN: 'test-token',
API_KEY: 'test-api-key',
});
@@ -92,12 +110,12 @@ describe('Rate Limiting Middleware', () => {
const request = createMockRequest('192.168.1.1');
const now = Date.now();
// Set existing entry at limit
// Set existing entry at limit with version metadata
const entry = {
count: 100, // Already at limit
windowStart: now,
};
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry));
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry), { version: 1 });
const result = await checkRateLimit(request, '/instances', env);
@@ -114,11 +132,11 @@ describe('Rate Limiting Middleware', () => {
count: 100,
windowStart: now - 120000, // 2 minutes ago (window is 1 minute)
};
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry));
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry), { version: 99 });
const result = await checkRateLimit(request, '/instances', env);
// Should allow because window expired
// Should allow because window expired (version resets to 0)
expect(result.allowed).toBe(true);
});
@@ -166,8 +184,8 @@ describe('Rate Limiting Middleware', () => {
it('should fail-closed on KV errors for security', async () => {
const request = createMockRequest('192.168.1.1');
// Mock KV error
mockKV.get.mockRejectedValue(new Error('KV connection failed'));
// Mock KV error on getWithMetadata
mockKV.getWithMetadata.mockRejectedValue(new Error('KV connection failed'));
const result = await checkRateLimit(request, '/instances', env);
@@ -214,12 +232,12 @@ describe('Rate Limiting Middleware', () => {
const request = createMockRequest('192.168.1.1');
const now = Date.now();
// Set entry at limit with known window start
// Set entry at limit with known window start and version metadata
const entry = {
count: 100,
windowStart: now - 30000, // 30 seconds ago
};
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry));
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry), { version: 5 });
const result = await checkRateLimit(request, '/instances', env);
@@ -228,6 +246,78 @@ describe('Rate Limiting Middleware', () => {
expect(result.retryAfter).toBeGreaterThan(25);
expect(result.retryAfter).toBeLessThan(35);
});
it('should use optimistic locking with version metadata', async () => {
const request = createMockRequest('192.168.1.1');
// First request - should create entry with version 0
await checkRateLimit(request, '/instances', env);
// Verify version metadata was set
const putCall = mockKV.put.mock.calls[0];
expect(putCall[2]).toMatchObject({ metadata: { version: 0 } });
});
it('should increment version on each write', async () => {
const request = createMockRequest('192.168.1.1');
const now = Date.now();
// Set existing entry with version 5
const entry = {
count: 10,
windowStart: now,
};
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry), { version: 5 });
// Second request - should increment version to 6
await checkRateLimit(request, '/instances', env);
// Find the put call with version 6
const putCalls = mockKV.put.mock.calls;
const versionedCall = putCalls.find(call => call[2]?.metadata?.version === 6);
expect(versionedCall).toBeDefined();
});
it('should reset version to 0 on new window', async () => {
const request = createMockRequest('192.168.1.1');
const now = Date.now();
// Set expired entry with high version
const entry = {
count: 50,
windowStart: now - 120000, // Expired
};
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry), { version: 999 });
// Request in new window - should reset version to 0
await checkRateLimit(request, '/instances', env);
// Verify version was reset
const putCall = mockKV.put.mock.calls[0];
expect(putCall[2]).toMatchObject({ metadata: { version: 0 } });
});
it('should handle backward compatibility with entries without version metadata', async () => {
const request = createMockRequest('192.168.1.1');
const now = Date.now();
// Set entry without version metadata (old format)
const entry = {
count: 5,
windowStart: now,
};
mockKV._setStore('ratelimit:192.168.1.1:/instances', JSON.stringify(entry));
// No version metadata set
// Should treat as version 0 and increment to 1
const result = await checkRateLimit(request, '/instances', env);
expect(result.allowed).toBe(true);
// Verify version was set to 1
const putCall = mockKV.put.mock.calls[0];
expect(putCall[2]).toMatchObject({ metadata: { version: 1 } });
});
});
describe('createRateLimitResponse', () => {

113
src/middleware/rateLimit.ts
View File

@@ -3,10 +3,37 @@
*
* Distributed rate limiting using Cloudflare KV for multi-worker support.
* Different limits for different endpoints.
*
* CONCURRENCY CONTROL:
*
* Uses optimistic locking with versioned metadata for race condition safety.
* Each KV entry includes a version number that is incremented on every write.
* Accepts eventual consistency - no post-write verification needed for
* abuse prevention use case.
*
* KNOWN LIMITATIONS:
*
* 1. EVENTUAL CONSISTENCY: KV writes are eventually consistent, which may
* cause slight inaccuracies in rate counting across edge locations.
* This is acceptable for abuse prevention.
*
* 2. RACE CONDITIONS: Multiple concurrent requests may all succeed if they
* read before any writes complete. This is acceptable - rate limiting
* provides statistical protection, not strict guarantees.
*
* For strict rate limiting requirements (billing, quotas), consider:
* - Cloudflare Durable Objects for atomic counters with strong consistency
* - Cloudflare's built-in Rate Limiting rules for global enforcement
*
* This implementation is suitable for abuse prevention with single KV read
* per request (30-50ms overhead).
*/
import { Env } from '../types';
import { RATE_LIMIT_DEFAULTS, HTTP_STATUS } from '../constants';
import { createLogger } from '../utils/logger';
const logger = createLogger('[RateLimit]');
/**
* Rate limit configuration per endpoint
@@ -53,15 +80,25 @@ function getClientIP(request: Request): string {
const cfIP = request.headers.get('CF-Connecting-IP');
if (cfIP) return cfIP;
// If CF-Connecting-IP is missing, request may not be from Cloudflare
// Use unique identifier to still apply rate limit
console.warn('[RateLimit] CF-Connecting-IP missing, possible direct access');
return `unknown-${Date.now()}-${Math.random().toString(36).substring(7)}`;
// For non-Cloudflare requests, fail-closed: use a fixed identifier
// This applies a shared rate limit to all non-Cloudflare traffic
logger.warn('CF-Connecting-IP missing - applying shared rate limit');
return 'non-cloudflare-traffic';
}
/**
* Check if request is rate limited using Cloudflare KV
*
* Simplified flow accepting eventual consistency:
* 1. Read entry with version from KV metadata
* 2. Check if limit exceeded
* 3. Increment counter and version
* 4. Write with new version
* 5. Return decision based on pre-increment count
*
* No post-write verification - accepts eventual consistency for rate limiting.
* Version metadata is still incremented for race condition safety.
*
* @param request - HTTP request to check
* @param path - Request path for rate limit lookup
* @param env - Cloudflare Worker environment with KV binding
@@ -80,71 +117,75 @@ export async function checkRateLimit(
try {
const clientIP = getClientIP(request);
const now = Date.now();
const key = `ratelimit:${clientIP}:${path}`;
const now = Date.now();
// Get current entry from KV
const entryJson = await env.RATE_LIMIT_KV.get(key);
// 1. Read current entry with version metadata (single read)
const kvResult = await env.RATE_LIMIT_KV.getWithMetadata<{ version?: number }>(key);
const currentVersion = kvResult.metadata?.version ?? 0;
let entry: RateLimitEntry | null = null;
if (entryJson) {
if (kvResult.value) {
try {
entry = JSON.parse(entryJson);
entry = JSON.parse(kvResult.value);
} catch {
// Invalid JSON, treat as no entry
entry = null;
}
}
// Check if window has expired
// 2. Check if window has expired or no entry exists
if (!entry || entry.windowStart + config.windowMs <= now) {
// New window - allow and create new entry
// New window - create entry with count 1
const newEntry: RateLimitEntry = {
count: 1,
windowStart: now,
};
// Store with TTL (convert ms to seconds, round up)
const ttlSeconds = Math.ceil(config.windowMs / 1000);
// Write with version 0 (reset on new window) - no verification
await env.RATE_LIMIT_KV.put(key, JSON.stringify(newEntry), {
expirationTtl: ttlSeconds,
metadata: { version: 0 },
});
// Allow request - first in new window
return { allowed: true };
}
// Increment count
entry.count++;
// 3. Check current count against limit
const currentCount = entry.count;
const isOverLimit = currentCount >= config.maxRequests;
// 4. Increment count and version for next request
const newVersion = currentVersion + 1;
const updatedEntry: RateLimitEntry = {
count: currentCount + 1,
windowStart: entry.windowStart,
};
// Check if over limit
if (entry.count > config.maxRequests) {
const windowEnd = entry.windowStart + config.windowMs;
const ttlSeconds = Math.ceil((windowEnd - now) / 1000);
// 5. Write updated count (only if TTL valid) - no verification
if (ttlSeconds > 0) {
await env.RATE_LIMIT_KV.put(key, JSON.stringify(updatedEntry), {
expirationTtl: ttlSeconds,
metadata: { version: newVersion },
});
}
// 6. Return decision based on pre-increment count
if (isOverLimit) {
const retryAfter = Math.ceil((windowEnd - now) / 1000);
// Still update KV to persist the attempt
const ttlSeconds = Math.ceil((windowEnd - now) / 1000);
if (ttlSeconds > 0) {
await env.RATE_LIMIT_KV.put(key, JSON.stringify(entry), {
expirationTtl: ttlSeconds,
});
}
return { allowed: false, retryAfter };
}
// Update entry in KV
const windowEnd = entry.windowStart + config.windowMs;
const ttlSeconds = Math.ceil((windowEnd - now) / 1000);
if (ttlSeconds > 0) {
await env.RATE_LIMIT_KV.put(key, JSON.stringify(entry), {
expirationTtl: ttlSeconds,
});
}
return { allowed: true };
} catch (error) {
// Fail-closed on KV errors for security
console.error('[RateLimit] KV error, blocking request for safety:', error);
logger.error('KV error, blocking request for safety', { error });
return { allowed: false, retryAfter: 60 };
}
}
@@ -214,7 +255,7 @@ export async function getRateLimitStatus(
resetAt: entry.windowStart + config.windowMs,
};
} catch (error) {
console.error('[RateLimit] Status check error:', error);
logger.error('Status check error', { error });
return null;
}
}

9
src/repositories/anvil-instances.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { AnvilInstance, AnvilInstanceInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class AnvilInstancesRepository extends BaseRepository<AnvilInstance> {
protected tableName = 'anvil_instances';
protected logger = createLogger('[AnvilInstancesRepository]');
protected allowedColumns = [
'name',
'display_name',
@@ -243,12 +241,7 @@ export class AnvilInstancesRepository extends BaseRepository<AnvilInstance> {
);
});
const results = await this.executeBatch(statements);
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted Anvil instances', { count: successCount });
return successCount;

9
src/repositories/anvil-pricing.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { AnvilPricing, AnvilPricingInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class AnvilPricingRepository extends BaseRepository<AnvilPricing> {
protected tableName = 'anvil_pricing';
protected logger = createLogger('[AnvilPricingRepository]');
protected allowedColumns = [
'anvil_instance_id',
'anvil_region_id',
@@ -186,12 +184,7 @@ export class AnvilPricingRepository extends BaseRepository<AnvilPricing> {
);
});
const results = await this.executeBatch(statements);
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted Anvil pricing records', { count: successCount });
return successCount;

9
src/repositories/anvil-regions.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { AnvilRegion, AnvilRegionInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class AnvilRegionsRepository extends BaseRepository<AnvilRegion> {
protected tableName = 'anvil_regions';
protected logger = createLogger('[AnvilRegionsRepository]');
protected allowedColumns = [
'name',
'display_name',
@@ -186,12 +184,7 @@ export class AnvilRegionsRepository extends BaseRepository<AnvilRegion> {
);
});
const results = await this.executeBatch(statements);
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted Anvil regions', { count: successCount });
return successCount;

9
src/repositories/anvil-transfer-pricing.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { AnvilTransferPricing, AnvilTransferPricingInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class AnvilTransferPricingRepository extends BaseRepository<AnvilTransferPricing> {
protected tableName = 'anvil_transfer_pricing';
protected logger = createLogger('[AnvilTransferPricingRepository]');
protected allowedColumns = [
'anvil_region_id',
'price_per_gb',
@@ -67,12 +65,7 @@ export class AnvilTransferPricingRepository extends BaseRepository<AnvilTransfer
);
});
const results = await this.executeBatch(statements);
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted Anvil transfer pricing records', { count: successCount });
return successCount;

326
src/repositories/base.test.ts Normal file
View File

@@ -0,0 +1,326 @@
/**
* Base Repository Tests
* Tests for table name validation and security
*/
import { describe, it, expect, beforeEach, vi } from 'vitest';
import { BaseRepository } from './base';
import { RepositoryError } from '../types';
// Mock D1Database
const createMockD1Database = () => {
return {
prepare: vi.fn(),
dump: vi.fn(),
batch: vi.fn(),
exec: vi.fn(),
withSession: vi.fn(),
};
};
// Concrete implementation for testing
class TestRepository extends BaseRepository<any> {
protected allowedColumns: string[] = ['id', 'name', 'value'];
constructor(db: D1Database, protected tableName: string) {
super(db);
}
}
describe('BaseRepository - Table Name Validation', () => {
let db: D1Database;
beforeEach(() => {
db = createMockD1Database();
});
describe('Valid table names', () => {
it('should accept lowercase table name', async () => {
const repo = new TestRepository(db, 'users');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).resolves.toBe(0);
});
it('should accept table name with underscores', async () => {
const repo = new TestRepository(db, 'user_profiles');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).resolves.toBe(0);
});
it('should accept table name starting with underscore', async () => {
const repo = new TestRepository(db, '_internal_table');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).resolves.toBe(0);
});
it('should accept uppercase table name', async () => {
const repo = new TestRepository(db, 'USERS');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).resolves.toBe(0);
});
it('should accept mixed case table name', async () => {
const repo = new TestRepository(db, 'User_Profiles');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).resolves.toBe(0);
});
it('should accept table name with numbers', async () => {
const repo = new TestRepository(db, 'users_v2');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).resolves.toBe(0);
});
it('should accept long valid table name (64 chars)', async () => {
const longName = 'a'.repeat(64);
const repo = new TestRepository(db, longName);
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).resolves.toBe(0);
});
});
describe('Invalid table names - Format', () => {
it('should reject table name with spaces', async () => {
const repo = new TestRepository(db, 'user profiles');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
await expect(repo.count()).rejects.toThrow('Invalid table name');
});
it('should reject table name with hyphens', async () => {
const repo = new TestRepository(db, 'user-profiles');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject table name with special characters', async () => {
const repo1 = new TestRepository(db, 'users@table');
const repo2 = new TestRepository(db, 'users#table');
const repo3 = new TestRepository(db, 'users$table');
const repo4 = new TestRepository(db, 'users!table');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo1.count()).rejects.toThrow(RepositoryError);
await expect(repo2.count()).rejects.toThrow(RepositoryError);
await expect(repo3.count()).rejects.toThrow(RepositoryError);
await expect(repo4.count()).rejects.toThrow(RepositoryError);
});
it('should reject table name starting with number', async () => {
const repo = new TestRepository(db, '123users');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
await expect(repo.count()).rejects.toThrow('Invalid table name');
});
it('should reject empty table name', async () => {
const repo = new TestRepository(db, '');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject table name with dots', async () => {
const repo = new TestRepository(db, 'schema.users');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
});
describe('Invalid table names - SQL Keywords', () => {
it('should reject SELECT keyword', async () => {
const repo = new TestRepository(db, 'SELECT');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
await expect(repo.count()).rejects.toThrow('SQL keyword');
});
it('should reject INSERT keyword', async () => {
const repo = new TestRepository(db, 'INSERT');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject UPDATE keyword', async () => {
const repo = new TestRepository(db, 'UPDATE');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject DELETE keyword', async () => {
const repo = new TestRepository(db, 'DELETE');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject DROP keyword', async () => {
const repo = new TestRepository(db, 'DROP');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject CREATE keyword', async () => {
const repo = new TestRepository(db, 'CREATE');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject ALTER keyword', async () => {
const repo = new TestRepository(db, 'ALTER');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject TRUNCATE keyword', async () => {
const repo = new TestRepository(db, 'TRUNCATE');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject GRANT keyword', async () => {
const repo = new TestRepository(db, 'GRANT');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject REVOKE keyword', async () => {
const repo = new TestRepository(db, 'REVOKE');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
it('should reject lowercase SQL keywords', async () => {
const repo1 = new TestRepository(db, 'select');
const repo2 = new TestRepository(db, 'delete');
const repo3 = new TestRepository(db, 'drop');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo1.count()).rejects.toThrow(RepositoryError);
await expect(repo2.count()).rejects.toThrow(RepositoryError);
await expect(repo3.count()).rejects.toThrow(RepositoryError);
});
it('should reject mixed case SQL keywords', async () => {
const repo1 = new TestRepository(db, 'Select');
const repo2 = new TestRepository(db, 'DeLeTe');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo1.count()).rejects.toThrow(RepositoryError);
await expect(repo2.count()).rejects.toThrow(RepositoryError);
});
});
describe('Invalid table names - Length', () => {
it('should reject table name longer than 64 characters', async () => {
const tooLongName = 'a'.repeat(65);
const repo = new TestRepository(db, tooLongName);
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
await expect(repo.count()).rejects.toThrow('too long');
});
it('should reject extremely long table name', async () => {
const extremelyLongName = 'users_' + 'x'.repeat(100);
const repo = new TestRepository(db, extremelyLongName);
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
});
describe('Edge cases', () => {
it('should accept single character table name', async () => {
const repo1 = new TestRepository(db, 'a');
const repo2 = new TestRepository(db, '_');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo1.count()).resolves.toBe(0);
await expect(repo2.count()).resolves.toBe(0);
});
it('should accept table name at exact 64 character limit', async () => {
const exactLimit = 'a'.repeat(64);
const repo = new TestRepository(db, exactLimit);
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).resolves.toBe(0);
});
it('should reject SQL keyword even with different casing', async () => {
const repo = new TestRepository(db, 'sElEcT');
db.prepare = () => ({
first: async () => ({ count: 0 }),
}) as any;
await expect(repo.count()).rejects.toThrow(RepositoryError);
});
});
});

162
src/repositories/base.ts
View File

@@ -9,14 +9,69 @@ import { createLogger } from '../utils/logger';
export abstract class BaseRepository<T> {
protected abstract tableName: string;
protected abstract allowedColumns: string[];
protected logger = createLogger('[BaseRepository]');
private static _loggerCache = new Map<string, ReturnType<typeof createLogger>>();
private _tableNameValidated = false;
constructor(protected db: D1Database) {}
/**
* Shared logger getter with per-class caching
* Creates one logger instance per class type instead of per repository instance
*/
protected get logger(): ReturnType<typeof createLogger> {
const className = this.constructor.name;
if (!BaseRepository._loggerCache.has(className)) {
BaseRepository._loggerCache.set(className, createLogger(`[${className}]`));
}
return BaseRepository._loggerCache.get(className)!;
}
/**
* Validate table name to prevent SQL injection
* Called lazily on first use to ensure tableName is initialized
* @throws RepositoryError if table name is invalid
*/
private validateTableName(): void {
// Only validate once
if (this._tableNameValidated) {
return;
}
// Validate format: only alphanumeric and underscores, starting with letter or underscore
if (!/^[a-z_][a-z0-9_]*$/i.test(this.tableName)) {
throw new RepositoryError(
`Invalid table name: ${this.tableName}`,
ErrorCodes.VALIDATION_ERROR
);
}
// Prevent SQL keywords
const sqlKeywords = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'CREATE', 'ALTER', 'TRUNCATE', 'GRANT', 'REVOKE'];
if (sqlKeywords.includes(this.tableName.toUpperCase())) {
throw new RepositoryError(
`Table name cannot be SQL keyword: ${this.tableName}`,
ErrorCodes.VALIDATION_ERROR
);
}
// Max length check (SQLite identifier limit is 64 characters)
if (this.tableName.length > 64) {
throw new RepositoryError(
`Table name too long: ${this.tableName}`,
ErrorCodes.VALIDATION_ERROR
);
}
this._tableNameValidated = true;
}
/**
* Find a record by ID
*/
async findById(id: number): Promise<T | null> {
this.validateTableName();
try {
const result = await this.db
.prepare(`SELECT * FROM ${this.tableName} WHERE id = ?`)
@@ -42,6 +97,7 @@ export abstract class BaseRepository<T> {
* Find all records with optional pagination
*/
async findAll(options?: PaginationOptions): Promise<T[]> {
this.validateTableName();
try {
const limit = options?.limit ?? 100;
const offset = options?.offset ?? 0;
@@ -71,6 +127,7 @@ export abstract class BaseRepository<T> {
* Create a new record
*/
async create(data: Partial<T>): Promise<T> {
this.validateTableName();
try {
const columnNames = Object.keys(data);
@@ -129,6 +186,7 @@ export abstract class BaseRepository<T> {
* Update a record by ID
*/
async update(id: number, data: Partial<T>): Promise<T> {
this.validateTableName();
try {
const columnNames = Object.keys(data);
@@ -179,6 +237,7 @@ export abstract class BaseRepository<T> {
* Delete a record by ID
*/
async delete(id: number): Promise<boolean> {
this.validateTableName();
try {
const result = await this.db
.prepare(`DELETE FROM ${this.tableName} WHERE id = ?`)
@@ -204,6 +263,7 @@ export abstract class BaseRepository<T> {
* Count total records
*/
async count(): Promise<number> {
this.validateTableName();
try {
const result = await this.db
.prepare(`SELECT COUNT(*) as count FROM ${this.tableName}`)
@@ -253,6 +313,7 @@ export abstract class BaseRepository<T> {
* Automatically chunks operations into batches of 100 (D1 limit)
*/
protected async executeBatch(statements: D1PreparedStatement[]): Promise<D1Result[]> {
this.validateTableName();
try {
const BATCH_SIZE = 100;
const totalStatements = statements.length;
@@ -338,4 +399,103 @@ export abstract class BaseRepository<T> {
);
}
}
/**
* Execute batch operations and return only the total count of changes
* Optimized for large batches to avoid memory accumulation
* @returns Total number of rows affected across all operations
*/
protected async executeBatchCount(statements: D1PreparedStatement[]): Promise<number> {
this.validateTableName();
try {
const BATCH_SIZE = 100;
const totalStatements = statements.length;
let totalChanges = 0;
// If statements fit within single batch, execute directly
if (totalStatements <= BATCH_SIZE) {
this.logger.info('Executing batch (count mode)', {
table: this.tableName,
statements: totalStatements
});
const results = await this.db.batch(statements);
totalChanges = results.reduce((sum, r) => sum + (r.meta.changes ?? 0), 0);
this.logger.info('Batch completed successfully', {
table: this.tableName,
changes: totalChanges
});
return totalChanges;
}
// Process chunks and aggregate counts without storing all results
const chunks = Math.ceil(totalStatements / BATCH_SIZE);
this.logger.info('Executing large batch (count mode)', {
table: this.tableName,
statements: totalStatements,
chunks
});
for (let i = 0; i < chunks; i++) {
const start = i * BATCH_SIZE;
const end = Math.min(start + BATCH_SIZE, totalStatements);
const chunk = statements.slice(start, end);
this.logger.info('Processing chunk', {
table: this.tableName,
chunk: i + 1,
total: chunks,
range: `${start + 1}-${end}`
});
try {
const chunkResults = await this.db.batch(chunk);
const chunkChanges = chunkResults.reduce((sum, r) => sum + (r.meta.changes ?? 0), 0);
totalChanges += chunkChanges;
this.logger.info('Chunk completed successfully', {
table: this.tableName,
chunk: i + 1,
total: chunks,
changes: chunkChanges,
totalChanges
});
} catch (chunkError) {
this.logger.error('Chunk failed', {
table: this.tableName,
chunk: i + 1,
total: chunks,
range: `${start + 1}-${end}`,
error: chunkError instanceof Error ? chunkError.message : 'Unknown error'
});
throw new RepositoryError(
`Batch chunk ${i + 1}/${chunks} failed for ${this.tableName} (statements ${start + 1}-${end})`,
ErrorCodes.TRANSACTION_FAILED,
chunkError
);
}
}
this.logger.info('All chunks completed successfully', {
table: this.tableName,
chunks,
totalChanges
});
return totalChanges;
} catch (error) {
// Re-throw RepositoryError from chunk processing
if (error instanceof RepositoryError) {
throw error;
}
this.logger.error('Batch count execution failed', {
table: this.tableName,
error: error instanceof Error ? error.message : 'Unknown error'
});
throw new RepositoryError(
`Batch count operation failed for ${this.tableName}`,
ErrorCodes.TRANSACTION_FAILED,
error
);
}
}
}

2
src/repositories/g8-instances.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { G8Instance, G8InstanceInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class G8InstancesRepository extends BaseRepository<G8Instance> {
protected tableName = 'g8_instances';
protected logger = createLogger('[G8InstancesRepository]');
protected allowedColumns = [
'provider_id',
'instance_id',

25
src/repositories/g8-pricing.ts
View File

@@ -5,19 +5,14 @@
import { BaseRepository } from './base';
import { G8Pricing, G8PricingInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
import { calculateRetailHourly, calculateRetailMonthly } from '../constants';
export class G8PricingRepository extends BaseRepository<G8Pricing> {
protected tableName = 'g8_pricing';
protected logger = createLogger('[G8PricingRepository]');
protected allowedColumns = [
'g8_instance_id',
'region_id',
'hourly_price',
'monthly_price',
'hourly_price_retail',
'monthly_price_retail',
'currency',
'available',
];
@@ -85,42 +80,28 @@ export class G8PricingRepository extends BaseRepository<G8Pricing> {
try {
const statements = pricingData.map((pricing) => {
const hourlyRetail = calculateRetailHourly(pricing.hourly_price);
const monthlyRetail = calculateRetailMonthly(pricing.monthly_price);
return this.db.prepare(
`INSERT INTO g8_pricing (
g8_instance_id, region_id, hourly_price, monthly_price,
hourly_price_retail, monthly_price_retail,
currency, available
) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
) VALUES (?, ?, ?, ?, ?, ?)
ON CONFLICT(g8_instance_id, region_id)
DO UPDATE SET
hourly_price = excluded.hourly_price,
monthly_price = excluded.monthly_price,
hourly_price_retail = excluded.hourly_price_retail,
monthly_price_retail = excluded.monthly_price_retail,
currency = excluded.currency,
available = excluded.available,
updated_at = datetime('now')`
available = excluded.available`
).bind(
pricing.g8_instance_id,
pricing.region_id,
pricing.hourly_price,
pricing.monthly_price,
hourlyRetail,
monthlyRetail,
pricing.currency,
pricing.available
);
});
const results = await this.executeBatch(statements);
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted G8 pricing records', { count: successCount });
return successCount;

9
src/repositories/gpu-instances.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { GpuInstance, GpuInstanceInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class GpuInstancesRepository extends BaseRepository<GpuInstance> {
protected tableName = 'gpu_instances';
protected logger = createLogger('[GpuInstancesRepository]');
protected allowedColumns = [
'provider_id',
'instance_id',
@@ -144,13 +142,8 @@ export class GpuInstancesRepository extends BaseRepository<GpuInstance> {
);
});
const results = await this.executeBatch(statements);
// Count successful operations
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted GPU instances', {
providerId,

22
src/repositories/gpu-pricing.ts
View File

@@ -5,19 +5,14 @@
import { BaseRepository } from './base';
import { GpuPricing, GpuPricingInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
import { calculateRetailHourly, calculateRetailMonthly } from '../constants';
export class GpuPricingRepository extends BaseRepository<GpuPricing> {
protected tableName = 'gpu_pricing';
protected logger = createLogger('[GpuPricingRepository]');
protected allowedColumns = [
'gpu_instance_id',
'region_id',
'hourly_price',
'monthly_price',
'hourly_price_retail',
'monthly_price_retail',
'currency',
'available',
];
@@ -113,21 +108,15 @@ export class GpuPricingRepository extends BaseRepository<GpuPricing> {
try {
const statements = pricingData.map((pricing) => {
const hourlyRetail = calculateRetailHourly(pricing.hourly_price);
const monthlyRetail = calculateRetailMonthly(pricing.monthly_price);
return this.db.prepare(
`INSERT INTO gpu_pricing (
gpu_instance_id, region_id, hourly_price, monthly_price,
hourly_price_retail, monthly_price_retail,
currency, available
) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
) VALUES (?, ?, ?, ?, ?, ?)
ON CONFLICT(gpu_instance_id, region_id)
DO UPDATE SET
hourly_price = excluded.hourly_price,
monthly_price = excluded.monthly_price,
hourly_price_retail = excluded.hourly_price_retail,
monthly_price_retail = excluded.monthly_price_retail,
currency = excluded.currency,
available = excluded.available`
).bind(
@@ -135,19 +124,12 @@ export class GpuPricingRepository extends BaseRepository<GpuPricing> {
pricing.region_id,
pricing.hourly_price,
pricing.monthly_price,
hourlyRetail,
monthlyRetail,
pricing.currency,
pricing.available
);
});
const results = await this.executeBatch(statements);
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted GPU pricing records', { count: successCount });
return successCount;

9
src/repositories/instances.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { InstanceType, InstanceTypeInput, InstanceFamily, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class InstancesRepository extends BaseRepository<InstanceType> {
protected tableName = 'instance_types';
protected logger = createLogger('[InstancesRepository]');
protected allowedColumns = [
'provider_id',
'instance_id',
@@ -144,13 +142,8 @@ export class InstancesRepository extends BaseRepository<InstanceType> {
);
});
const results = await this.executeBatch(statements);
// Count successful operations
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted instance types', {
providerId,

9
src/repositories/pricing.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { Pricing, PricingInput, PriceHistory, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class PricingRepository extends BaseRepository<Pricing> {
protected tableName = 'pricing';
protected logger = createLogger('[PricingRepository]');
protected allowedColumns = [
'instance_type_id',
'region_id',
@@ -132,13 +130,8 @@ export class PricingRepository extends BaseRepository<Pricing> {
);
});
const results = await this.executeBatch(statements);
// Count successful operations
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted pricing records', { count: successCount });
return successCount;

2
src/repositories/providers.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { Provider, ProviderInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class ProvidersRepository extends BaseRepository<Provider> {
protected tableName = 'providers';
protected logger = createLogger('[ProvidersRepository]');
protected allowedColumns = [
'name',
'display_name',

9
src/repositories/regions.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { Region, RegionInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class RegionsRepository extends BaseRepository<Region> {
protected tableName = 'regions';
protected logger = createLogger('[RegionsRepository]');
protected allowedColumns = [
'provider_id',
'region_code',
@@ -104,13 +102,8 @@ export class RegionsRepository extends BaseRepository<Region> {
);
});
const results = await this.executeBatch(statements);
// Count successful operations
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted regions', {
providerId,

2
src/repositories/vpu-instances.ts
View File

@@ -5,11 +5,9 @@
import { BaseRepository } from './base';
import { VpuInstance, VpuInstanceInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
export class VpuInstancesRepository extends BaseRepository<VpuInstance> {
protected tableName = 'vpu_instances';
protected logger = createLogger('[VpuInstancesRepository]');
protected allowedColumns = [
'provider_id',
'instance_id',

25
src/repositories/vpu-pricing.ts
View File

@@ -5,19 +5,14 @@
import { BaseRepository } from './base';
import { VpuPricing, VpuPricingInput, RepositoryError, ErrorCodes } from '../types';
import { createLogger } from '../utils/logger';
import { calculateRetailHourly, calculateRetailMonthly } from '../constants';
export class VpuPricingRepository extends BaseRepository<VpuPricing> {
protected tableName = 'vpu_pricing';
protected logger = createLogger('[VpuPricingRepository]');
protected allowedColumns = [
'vpu_instance_id',
'region_id',
'hourly_price',
'monthly_price',
'hourly_price_retail',
'monthly_price_retail',
'currency',
'available',
];
@@ -85,42 +80,28 @@ export class VpuPricingRepository extends BaseRepository<VpuPricing> {
try {
const statements = pricingData.map((pricing) => {
const hourlyRetail = calculateRetailHourly(pricing.hourly_price);
const monthlyRetail = calculateRetailMonthly(pricing.monthly_price);
return this.db.prepare(
`INSERT INTO vpu_pricing (
vpu_instance_id, region_id, hourly_price, monthly_price,
hourly_price_retail, monthly_price_retail,
currency, available
) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
) VALUES (?, ?, ?, ?, ?, ?)
ON CONFLICT(vpu_instance_id, region_id)
DO UPDATE SET
hourly_price = excluded.hourly_price,
monthly_price = excluded.monthly_price,
hourly_price_retail = excluded.hourly_price_retail,
monthly_price_retail = excluded.monthly_price_retail,
currency = excluded.currency,
available = excluded.available,
updated_at = datetime('now')`
available = excluded.available`
).bind(
pricing.vpu_instance_id,
pricing.region_id,
pricing.hourly_price,
pricing.monthly_price,
hourlyRetail,
monthlyRetail,
pricing.currency,
pricing.available
);
});
const results = await this.executeBatch(statements);
const successCount = results.reduce(
(sum, result) => sum + (result.meta.changes ?? 0),
0
);
const successCount = await this.executeBatchCount(statements);
this.logger.info('Upserted VPU pricing records', { count: successCount });

19
src/routes/health.ts
View File

@@ -5,6 +5,9 @@
import { Env } from '../types';
import { HTTP_STATUS } from '../constants';
import { createLogger } from '../utils/logger';
const logger = createLogger('[Health]');
/**
* Component health status
@@ -74,7 +77,7 @@ async function checkDatabaseHealth(db: D1Database): Promise<DatabaseHealth> {
latency_ms: latency,
};
} catch (error) {
console.error('[Health] Database check failed:', error);
logger.error('Database check failed', { error });
return {
status: 'unhealthy',
error: error instanceof Error ? error.message : 'Database connection failed',
@@ -212,9 +215,17 @@ export async function handleHealth(
p.last_sync_at,
p.sync_status,
p.sync_error,
(SELECT COUNT(*) FROM regions WHERE provider_id = p.id) as regions_count,
(SELECT COUNT(*) FROM instance_types WHERE provider_id = p.id) as instances_count
COALESCE(r.regions_count, 0) as regions_count,
COALESCE(i.instances_count, 0) as instances_count
FROM providers p
LEFT JOIN (
SELECT provider_id, COUNT(*) as regions_count
FROM regions GROUP BY provider_id
) r ON r.provider_id = p.id
LEFT JOIN (
SELECT provider_id, COUNT(*) as instances_count
FROM instance_types GROUP BY provider_id
) i ON i.provider_id = p.id
`).all<{
id: number;
name: string;
@@ -304,7 +315,7 @@ export async function handleHealth(
return Response.json(detailedResponse, { status: statusCode });
} catch (error) {
console.error('[Health] Health check failed:', error);
logger.error('Health check failed', { error });
// Public response: minimal information
if (!authenticated) {

1
src/routes/index.ts
View File

@@ -6,4 +6,3 @@
export { handleSync } from './sync';
export { handleInstances } from './instances';
export { handleHealth } from './health';
export { handleRecommend } from './recommend';

56
src/routes/instances.ts
View File

@@ -7,7 +7,7 @@
import type { Env, InstanceQueryParams } from '../types';
import { QueryService } from '../services/query';
import { CacheService } from '../services/cache';
import { getGlobalCacheService } from '../services/cache';
import { logger } from '../utils/logger';
import {
SUPPORTED_PROVIDERS,
@@ -31,32 +31,23 @@ import {
* Note: Worker instances are recreated periodically, preventing memory leaks
*/
let cachedQueryService: QueryService | null = null;
let cachedCacheService: CacheService | null = null;
let cachedDb: D1Database | null = null;
/**
* Get or create QueryService singleton
* Lazy initialization on first request, then reused for subsequent requests
* Invalidates cache if database binding changes (rolling deploy scenario)
*/
function getQueryService(db: D1Database, env: Env): QueryService {
if (!cachedQueryService) {
// Invalidate cache if db binding changed (rolling deploy scenario)
if (!cachedQueryService || cachedDb !== db) {
cachedQueryService = new QueryService(db, env);
logger.debug('[Instances] QueryService singleton initialized');
cachedDb = db;
logger.debug('[Instances] QueryService singleton initialized/refreshed');
}
return cachedQueryService;
}
/**
* Get or create CacheService singleton
* Lazy initialization on first request, then reused for subsequent requests
*/
function getCacheService(): CacheService {
if (!cachedCacheService) {
cachedCacheService = new CacheService(CACHE_TTL.INSTANCES);
logger.debug('[Instances] CacheService singleton initialized');
}
return cachedCacheService;
}
/**
* Parsed and validated query parameters
*/
@@ -288,6 +279,31 @@ function parseQueryParams(url: URL): {
params.offset = offset;
}
// Range consistency validation
if (params.min_vcpu !== undefined && params.max_vcpu !== undefined) {
if (params.min_vcpu > params.max_vcpu) {
return {
error: {
code: 'INVALID_RANGE',
message: 'min_vcpu cannot be greater than max_vcpu',
parameter: 'min_vcpu',
},
};
}
}
if (params.min_memory_gb !== undefined && params.max_memory_gb !== undefined) {
if (params.min_memory_gb > params.max_memory_gb) {
return {
error: {
code: 'INVALID_RANGE',
message: 'min_memory_gb cannot be greater than max_memory_gb',
parameter: 'min_memory_gb',
},
};
}
}
return { params };
}
@@ -330,8 +346,8 @@ export async function handleInstances(
const params = parseResult.params!;
logger.info('[Instances] Query params validated', params as unknown as Record<string, unknown>);
// Get cache service singleton (reused across requests)
const cacheService = getCacheService();
// Get global cache service singleton (shared across all routes)
const cacheService = getGlobalCacheService(CACHE_TTL.INSTANCES, env.RATE_LIMIT_KV);
// Generate cache key from query parameters
const cacheKey = cacheService.generateKey(params as unknown as Record<string, unknown>);
@@ -463,8 +479,8 @@ export async function handleInstances(
success: false,
error: {
code: 'QUERY_FAILED',
message: 'Instance query failed',
details: error instanceof Error ? error.message : 'Unknown error',
message: 'Instance query failed. Please try again later.',
request_id: crypto.randomUUID(),
},
},
{ status: HTTP_STATUS.INTERNAL_ERROR }

282
src/routes/recommend.ts
View File

@@ -1,282 +0,0 @@
/**
* Recommendation Route Handler
*
* Endpoint for getting cloud instance recommendations based on tech stack.
* Validates request parameters and returns ranked instance recommendations.
*/
import type { Env, ScaleType } from '../types';
import { RecommendationService } from '../services/recommendation';
import { validateStack, STACK_REQUIREMENTS } from '../services/stackConfig';
import { CacheService } from '../services/cache';
import { logger } from '../utils/logger';
import { HTTP_STATUS, CACHE_TTL, REQUEST_LIMITS } from '../constants';
import {
parseJsonBody,
validateStringArray,
validateEnum,
validatePositiveNumber,
createErrorResponse,
} from '../utils/validation';
/**
* Request body interface for recommendation endpoint
*/
interface RecommendRequestBody {
stack?: unknown;
scale?: unknown;
budget_max?: unknown;
}
/**
* Supported scale types
*/
const SUPPORTED_SCALES: readonly ScaleType[] = ['small', 'medium', 'large'] as const;
/**
* Handle POST /recommend endpoint
*
* @param request - HTTP request object
* @param env - Cloudflare Worker environment bindings
* @returns JSON response with recommendations
*
* @example
* POST /recommend
* {
* "stack": ["nginx", "mysql", "redis"],
* "scale": "medium",
* "budget_max": 100
* }
*/
export async function handleRecommend(request: Request, env: Env): Promise<Response> {
const startTime = Date.now();
logger.info('[Recommend] Request received');
try {
// 1. Validate request size to prevent memory exhaustion attacks
const contentLength = request.headers.get('content-length');
if (contentLength) {
const bodySize = parseInt(contentLength, 10);
if (isNaN(bodySize) || bodySize > REQUEST_LIMITS.MAX_BODY_SIZE) {
logger.error('[Recommend] Request body too large', {
contentLength: bodySize,
maxAllowed: REQUEST_LIMITS.MAX_BODY_SIZE,
});
return Response.json(
{
success: false,
error: {
code: 'PAYLOAD_TOO_LARGE',
message: `Request body exceeds maximum size of ${REQUEST_LIMITS.MAX_BODY_SIZE} bytes`,
details: {
max_size_bytes: REQUEST_LIMITS.MAX_BODY_SIZE,
received_bytes: bodySize,
},
},
},
{ status: HTTP_STATUS.PAYLOAD_TOO_LARGE }
);
}
}
// 2. Parse request body
const parseResult = await parseJsonBody<RecommendRequestBody>(request);
if (!parseResult.success) {
logger.error('[Recommend] JSON parsing failed', {
code: parseResult.error.code,
message: parseResult.error.message,
});
return createErrorResponse(parseResult.error);
}
const body = parseResult.data;
// 3. Validate stack parameter
const stackResult = validateStringArray(body.stack, 'stack');
if (!stackResult.success) {
logger.error('[Recommend] Stack validation failed', {
code: stackResult.error.code,
message: stackResult.error.message,
});
// Add supported stacks to error details
const enrichedError = {
...stackResult.error,
details: {
...((stackResult.error.details as object) || {}),
supported: Object.keys(STACK_REQUIREMENTS),
},
};
return createErrorResponse(enrichedError);
}
const stack = stackResult.data;
// 4. Validate scale parameter
const scaleResult = validateEnum(body.scale, 'scale', SUPPORTED_SCALES);
if (!scaleResult.success) {
logger.error('[Recommend] Scale validation failed', {
code: scaleResult.error.code,
message: scaleResult.error.message,
});
return createErrorResponse(scaleResult.error);
}
const scale = scaleResult.data;
// 5. Validate budget_max parameter (optional)
let budgetMax: number | undefined;
if (body.budget_max !== undefined) {
const budgetResult = validatePositiveNumber(body.budget_max, 'budget_max');
if (!budgetResult.success) {
logger.error('[Recommend] Budget validation failed', {
code: budgetResult.error.code,
message: budgetResult.error.message,
});
return createErrorResponse(budgetResult.error);
}
budgetMax = budgetResult.data;
}
// 6. Validate stack components against supported technologies
const validation = validateStack(stack);
if (!validation.valid) {
logger.error('[Recommend] Unsupported stack components', {
invalidStacks: validation.invalidStacks,
});
return createErrorResponse({
code: 'INVALID_STACK',
message: `Unsupported stacks: ${validation.invalidStacks.join(', ')}`,
details: {
invalid: validation.invalidStacks,
supported: Object.keys(STACK_REQUIREMENTS),
},
});
}
// 7. Initialize cache service and generate cache key
logger.info('[Recommend] Validation passed', { stack, scale, budgetMax });
const cacheService = new CacheService(CACHE_TTL.INSTANCES);
// Generate cache key from sorted stack, scale, and budget
// Sort stack to ensure consistent cache keys regardless of order
const sortedStack = [...stack].sort();
const cacheKey = cacheService.generateKey({
endpoint: 'recommend',
stack: sortedStack.join(','),
scale,
budget_max: budgetMax ?? 'none',
});
logger.info('[Recommend] Cache key generated', { cacheKey });
// 8. Check cache first
interface CachedRecommendation {
recommendations: unknown[];
stack_analysis: unknown;
metadata: {
cached?: boolean;
cache_age_seconds?: number;
cached_at?: string;
query_time_ms: number;
};
}
const cached = await cacheService.get<CachedRecommendation>(cacheKey);
if (cached) {
logger.info('[Recommend] Cache hit', {
cacheKey,
age: cached.cache_age_seconds,
});
return Response.json(
{
success: true,
data: {
...cached.data,
metadata: {
...cached.data.metadata,
cached: true,
cache_age_seconds: cached.cache_age_seconds,
cached_at: cached.cached_at,
},
},
},
{
status: HTTP_STATUS.OK,
headers: {
'Cache-Control': `public, max-age=${CACHE_TTL.INSTANCES}`,
},
}
);
}
logger.info('[Recommend] Cache miss');
// 9. Call recommendation service
const service = new RecommendationService(env.DB);
const result = await service.recommend({
stack,
scale,
budget_max: budgetMax,
});
const duration = Date.now() - startTime;
logger.info('[Recommend] Recommendation completed', {
duration_ms: duration,
recommendations_count: result.recommendations.length,
});
// Prepare response data with metadata
const responseData = {
...result,
metadata: {
cached: false,
query_time_ms: duration,
},
};
// 10. Store result in cache
try {
await cacheService.set(cacheKey, responseData, CACHE_TTL.INSTANCES);
} catch (error) {
// Graceful degradation: log error but don't fail the request
logger.error('[Recommend] Cache write failed',
error instanceof Error ? { message: error.message } : { error: String(error) });
}
return Response.json(
{
success: true,
data: responseData,
},
{
status: HTTP_STATUS.OK,
headers: {
'Cache-Control': `public, max-age=${CACHE_TTL.INSTANCES}`,
},
}
);
} catch (error) {
logger.error('[Recommend] Unexpected error', { error });
const duration = Date.now() - startTime;
return Response.json(
{
success: false,
error: {
code: 'INTERNAL_ERROR',
message: error instanceof Error ? error.message : 'Unknown error',
details: {
duration_ms: duration,
},
},
},
{ status: HTTP_STATUS.INTERNAL_ERROR }
);
}
}

24
src/routes/sync.ts
View File

@@ -7,7 +7,6 @@
import type { Env } from '../types';
import { SyncOrchestrator } from '../services/sync';
import { VaultClient } from '../connectors/vault';
import { logger } from '../utils/logger';
import { SUPPORTED_PROVIDERS, HTTP_STATUS } from '../constants';
import { parseJsonBody, validateProviders, createErrorResponse } from '../utils/validation';
@@ -45,6 +44,18 @@ export async function handleSync(
logger.info('[Sync] Request received', { timestamp: startedAt });
try {
// Validate content-length before parsing body
const contentLength = request.headers.get('content-length');
if (contentLength) {
const bodySize = parseInt(contentLength, 10);
if (isNaN(bodySize) || bodySize > 10240) { // 10KB limit for sync
return Response.json(
{ success: false, error: { code: 'PAYLOAD_TOO_LARGE', message: 'Request body too large' } },
{ status: 413 }
);
}
}
// Parse and validate request body
const contentType = request.headers.get('content-type');
let body: SyncRequestBody = {};
@@ -78,18 +89,15 @@ export async function handleSync(
logger.info('[Sync] Validation passed', { providers, force });
// Initialize Vault client
const vault = new VaultClient(env.VAULT_URL, env.VAULT_TOKEN, env);
// Initialize SyncOrchestrator
const orchestrator = new SyncOrchestrator(env.DB, vault, env);
const orchestrator = new SyncOrchestrator(env.DB, env);
// Execute synchronization
logger.info('[Sync] Starting synchronization', { providers });
const syncReport = await orchestrator.syncAll(providers);
// Generate unique sync ID
const syncId = `sync_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
const syncId = `sync_${Date.now()}_${crypto.randomUUID().substring(0, 9)}`;
logger.info('[Sync] Synchronization completed', {
syncId,
@@ -120,9 +128,9 @@ export async function handleSync(
success: false,
error: {
code: 'SYNC_FAILED',
message: 'Sync operation failed',
message: 'Sync operation failed. Please try again later.',
request_id: crypto.randomUUID(),
details: {
error: error instanceof Error ? error.message : 'Unknown error',
duration_ms: totalDuration,
started_at: startedAt,
completed_at: completedAt

374
src/services/cache-kv.test.ts Normal file
View File

@@ -0,0 +1,374 @@
/**
* CacheService KV Index Tests
*
* Tests for KV-based cache index functionality:
* - Cache key registration and unregistration
* - Pattern-based cache invalidation
* - clearAll() with KV enumeration
* - Backward compatibility without KV
*/
import { describe, it, expect, beforeEach, vi } from 'vitest';
import { CacheService } from './cache';
/**
* Mock Cloudflare Cache API
*/
const createMockCache = () => {
const store = new Map<string, Response>();
return {
async match(key: string) {
return store.get(key) || null;
},
async put(key: string, response: Response) {
store.set(key, response);
},
async delete(key: string) {
return store.delete(key);
},
// For testing: expose internal store
_getStore: () => store
} as any as Cache;
};
/**
* Mock KV namespace
*/
const createMockKV = () => {
const store = new Map<string, { value: string; metadata?: any; expirationTtl?: number }>();
return {
async get(key: string) {
const entry = store.get(key);
return entry ? entry.value : null;
},
async put(key: string, value: string, options?: { expirationTtl?: number; metadata?: any }) {
store.set(key, { value, metadata: options?.metadata, expirationTtl: options?.expirationTtl });
},
async delete(key: string) {
return store.delete(key);
},
async list(options?: { prefix?: string; cursor?: string }) {
const prefix = options?.prefix || '';
const keys = Array.from(store.keys())
.filter(k => k.startsWith(prefix))
.map(name => ({ name }));
return {
keys,
list_complete: true,
cursor: undefined
};
},
// For testing: expose internal store
_getStore: () => store
} as any as KVNamespace;
};
describe('CacheService - KV Index Integration', () => {
let mockCache: ReturnType<typeof createMockCache>;
let mockKV: ReturnType<typeof createMockKV>;
let cache: CacheService;
beforeEach(() => {
// Mock global caches
mockCache = createMockCache();
(global as any).caches = {
default: mockCache
};
mockKV = createMockKV();
cache = new CacheService(300, mockKV);
});
describe('Cache Key Registration', () => {
it('should register cache keys in KV index when setting cache', async () => {
const key = 'https://cache.internal/instances?provider=linode';
await cache.set(key, { data: 'test' });
const kvStore = mockKV._getStore();
const indexKey = `cache_index:${key}`;
expect(kvStore.has(indexKey)).toBe(true);
const entry = kvStore.get(indexKey);
expect(entry?.metadata.ttl).toBe(300);
});
it('should unregister cache keys when deleting cache', async () => {
const key = 'https://cache.internal/instances?provider=linode';
await cache.set(key, { data: 'test' });
await cache.delete(key);
const kvStore = mockKV._getStore();
const indexKey = `cache_index:${key}`;
expect(kvStore.has(indexKey)).toBe(false);
});
it('should use cache TTL for KV index expiration', async () => {
const key = 'https://cache.internal/instances?provider=linode';
const customTTL = 600;
await cache.set(key, { data: 'test' }, customTTL);
const kvStore = mockKV._getStore();
const indexKey = `cache_index:${key}`;
const entry = kvStore.get(indexKey);
expect(entry?.expirationTtl).toBe(customTTL);
});
});
describe('Pattern Invalidation', () => {
beforeEach(async () => {
// Setup test cache entries
await cache.set('https://cache.internal/instances?provider=linode', { data: 'linode-1' });
await cache.set('https://cache.internal/instances?provider=vultr', { data: 'vultr-1' });
await cache.set('https://cache.internal/pricing?provider=linode', { data: 'pricing-1' });
await cache.set('https://cache.internal/pricing?provider=vultr', { data: 'pricing-2' });
});
it('should invalidate cache entries matching wildcard pattern', async () => {
const invalidated = await cache.invalidatePattern('*instances*');
expect(invalidated).toBe(2);
// Verify only instances entries were deleted
const stats = await cache.getStats();
expect(stats.indexed_keys).toBe(2); // Only pricing entries remain
});
it('should invalidate cache entries matching specific provider pattern', async () => {
const invalidated = await cache.invalidatePattern('*provider=linode*');
expect(invalidated).toBe(2); // Both instances and pricing for linode
const stats = await cache.getStats();
expect(stats.indexed_keys).toBe(2); // Only vultr entries remain
});
it('should invalidate cache entries matching exact pattern', async () => {
const invalidated = await cache.invalidatePattern('*pricing?provider=vultr*');
expect(invalidated).toBe(1);
const stats = await cache.getStats();
expect(stats.indexed_keys).toBe(3);
});
it('should return 0 when no entries match pattern', async () => {
const invalidated = await cache.invalidatePattern('*nonexistent*');
expect(invalidated).toBe(0);
const stats = await cache.getStats();
expect(stats.indexed_keys).toBe(4); // All entries remain
});
it('should handle regex special characters in pattern', async () => {
const keyWithSpecialChars = 'https://cache.internal/test?query=value+test';
await cache.set(keyWithSpecialChars, { data: 'test' });
const invalidated = await cache.invalidatePattern('*query=value+test*');
expect(invalidated).toBe(1);
});
it('should be case-insensitive', async () => {
const invalidated = await cache.invalidatePattern('*INSTANCES*');
expect(invalidated).toBe(2);
});
});
describe('clearAll() with KV Index', () => {
beforeEach(async () => {
await cache.set('https://cache.internal/instances?provider=linode', { data: 'test-1' });
await cache.set('https://cache.internal/instances?provider=vultr', { data: 'test-2' });
await cache.set('https://cache.internal/pricing?provider=linode', { data: 'test-3' });
});
it('should clear all cache entries', async () => {
const cleared = await cache.clearAll();
expect(cleared).toBe(3);
const stats = await cache.getStats();
expect(stats.indexed_keys).toBe(0);
});
it('should clear cache entries with prefix filter', async () => {
const cleared = await cache.clearAll('https://cache.internal/instances');
expect(cleared).toBe(2);
const stats = await cache.getStats();
expect(stats.indexed_keys).toBe(1); // Only pricing entry remains
});
it('should return 0 when no entries exist', async () => {
await cache.clearAll();
const cleared = await cache.clearAll();
expect(cleared).toBe(0);
});
});
describe('Cache Statistics', () => {
it('should return indexed key count when KV is available', async () => {
await cache.set('https://cache.internal/test1', { data: 'test' });
await cache.set('https://cache.internal/test2', { data: 'test' });
const stats = await cache.getStats();
expect(stats.supported).toBe(true);
expect(stats.indexed_keys).toBe(2);
});
it('should return 0 indexed keys when cache is empty', async () => {
const stats = await cache.getStats();
expect(stats.supported).toBe(true);
expect(stats.indexed_keys).toBe(0);
});
});
describe('Error Handling', () => {
it('should gracefully handle KV registration failures', async () => {
const mockKVWithError = {
...mockKV,
put: vi.fn().mockRejectedValue(new Error('KV write failed'))
} as any;
const cacheWithError = new CacheService(300, mockKVWithError);
// Should not throw error, should gracefully degrade
await expect(cacheWithError.set('test-key', { data: 'test' })).resolves.toBeUndefined();
});
it('should gracefully handle KV unregistration failures', async () => {
await cache.set('test-key', { data: 'test' });
const mockKVWithError = {
...mockKV,
delete: vi.fn().mockRejectedValue(new Error('KV delete failed'))
} as any;
// Replace KV namespace with error mock
(cache as any).kvNamespace = mockKVWithError;
// Should not throw error, should gracefully degrade
const deleted = await cache.delete('test-key');
expect(deleted).toBe(true); // Cache delete succeeded
});
it('should return empty array on KV list failures', async () => {
await cache.set('test-key', { data: 'test' });
const mockKVWithError = {
...mockKV,
list: vi.fn().mockRejectedValue(new Error('KV list failed'))
} as any;
// Replace KV namespace with error mock
(cache as any).kvNamespace = mockKVWithError;
const cleared = await cache.clearAll();
expect(cleared).toBe(0); // Graceful degradation
});
});
describe('KV Index Pagination', () => {
it('should handle large numbers of cache keys', async () => {
// Create 150 cache entries to test pagination
const promises = [];
for (let i = 0; i < 150; i++) {
promises.push(cache.set(`https://cache.internal/test${i}`, { data: `test-${i}` }));
}
await Promise.all(promises);
const stats = await cache.getStats();
expect(stats.indexed_keys).toBe(150);
const cleared = await cache.clearAll();
expect(cleared).toBe(150);
});
});
});
describe('CacheService - Backward Compatibility (No KV)', () => {
let mockCache: ReturnType<typeof createMockCache>;
let cache: CacheService;
beforeEach(() => {
mockCache = createMockCache();
(global as any).caches = {
default: mockCache
};
// Initialize without KV namespace
cache = new CacheService(300);
});
describe('Pattern Invalidation without KV', () => {
it('should return 0 and log warning when KV is not available', async () => {
const invalidated = await cache.invalidatePattern('*instances*');
expect(invalidated).toBe(0);
});
});
describe('clearAll() without KV', () => {
it('should return 0 and log info when KV is not available', async () => {
const cleared = await cache.clearAll();
expect(cleared).toBe(0);
});
it('should return 0 with prefix filter when KV is not available', async () => {
const cleared = await cache.clearAll('https://cache.internal/instances');
expect(cleared).toBe(0);
});
});
describe('Statistics without KV', () => {
it('should indicate not supported when KV is not available', async () => {
const stats = await cache.getStats();
expect(stats.supported).toBe(false);
expect(stats.indexed_keys).toBeUndefined();
});
});
describe('Basic Cache Operations (no KV impact)', () => {
it('should set and get cache entries normally without KV', async () => {
const key = 'https://cache.internal/test';
const data = { value: 'test-data' };
await cache.set(key, data);
const result = await cache.get<typeof data>(key);
expect(result).not.toBeNull();
expect(result?.data).toEqual(data);
});
it('should delete cache entries normally without KV', async () => {
const key = 'https://cache.internal/test';
await cache.set(key, { data: 'test' });
const deleted = await cache.delete(key);
expect(deleted).toBe(true);
const result = await cache.get(key);
expect(result).toBeNull();
});
});
});

121
src/services/cache.manual-test.md
View File

@@ -80,6 +80,65 @@
* Post-sync invalidation:
* - After sync operation, call cache.delete(key) for all relevant keys
* - Verify next request fetches fresh data from database
*
* Test 9: clearAll Method
* -----------------------
* 1. Set multiple cache entries:
* - await cache.set('key1', { data: 'test1' }, 300)
* - await cache.set('key2', { data: 'test2' }, 300)
* - await cache.set('key3', { data: 'test3' }, 300)
* 2. Call clearAll: const count = await cache.clearAll()
* 3. Expected: count === 0 (enumeration not supported)
* 4. Expected: Log message about TTL-based expiration
* 5. Note: Individual entries will expire based on TTL
*
* Test 10: clearAll with Prefix
* ------------------------------
* 1. Set entries with different prefixes:
* - await cache.set('https://cache.internal/instances?foo=bar', data1)
* - await cache.set('https://cache.internal/pricing?foo=bar', data2)
* 2. Call with prefix: await cache.clearAll('https://cache.internal/instances')
* 3. Expected: count === 0, log shows prefix parameter
* 4. Note: Prefix is logged but enumeration not supported by Cache API
*
* Test 11: clearByEndpoint Method
* --------------------------------
* 1. Set endpoint cache: await cache.set('https://cache.internal/instances', data, 300)
* 2. Clear by endpoint: const deleted = await cache.clearByEndpoint('instances')
* 3. Expected: deleted === true if cache entry existed
* 4. Get data: const result = await cache.get('https://cache.internal/instances')
* 5. Expected: result === null (entry deleted)
* 6. Note: Only exact matches deleted, parameterized queries remain cached
*
* Test 12: clearByEndpoint with Non-existent Endpoint
* ----------------------------------------------------
* 1. Clear non-existent: const deleted = await cache.clearByEndpoint('non-existent')
* 2. Expected: deleted === false
* 3. Expected: Log message about non-existent endpoint
*
* Test 13: Cache Invalidation Strategy
* -------------------------------------
* 1. Set parameterized cache entries:
* - cache.generateKey({ provider: 'linode', region: 'us-east' })
* - cache.generateKey({ provider: 'linode', region: 'eu-west' })
* - cache.generateKey({ provider: 'vultr', region: 'us-east' })
* 2. After schema change or full sync, call clearAll()
* 3. Verify entries expire based on TTL
* 4. For production: Consider using KV-backed cache index for enumeration
*
* Test 14: Error Handling in clearAll
* ------------------------------------
* 1. Mock cache.delete to throw error
* 2. Call clearAll: await cache.clearAll()
* 3. Expected: Error is logged and re-thrown
* 4. Verify error message includes context
*
* Test 15: Error Handling in clearByEndpoint
* -------------------------------------------
* 1. Mock cache.delete to throw error
* 2. Call clearByEndpoint: await cache.clearByEndpoint('instances')
* 3. Expected: Returns false, error logged
* 4. Application continues without crashing
*/
import { CacheService } from './cache';
@@ -146,4 +205,64 @@ async function exampleCacheInvalidationAfterSync(
console.log('[Sync] Cache invalidation complete');
}
export { exampleInstanceEndpointWithCache, exampleCacheInvalidationAfterSync };
/**
* Example: Using clearAll after schema changes
*/
async function exampleClearAllAfterSchemaChange(): Promise<void> {
const cache = new CacheService();
// After major schema changes or data migrations
console.log('[Migration] Clearing all cache entries');
const count = await cache.clearAll();
console.log(`[Migration] Cache clear requested. Entries will expire based on TTL.`);
console.log('[Migration] Consider using KV-backed cache index for enumeration in production.');
}
/**
* Example: Using clearByEndpoint for targeted invalidation
*/
async function exampleClearByEndpointAfterUpdate(endpoint: string): Promise<void> {
const cache = new CacheService();
// Clear cache for specific endpoint after data update
console.log(`[Update] Clearing cache for endpoint: ${endpoint}`);
const deleted = await cache.clearByEndpoint(endpoint);
if (deleted) {
console.log(`[Update] Successfully cleared ${endpoint} cache`);
} else {
console.log(`[Update] No cache entry found for ${endpoint}`);
}
}
/**
* Example: Force cache refresh strategy
*/
async function exampleForceCacheRefresh(
endpoint: string,
fetchFunction: () => Promise<unknown>
): Promise<void> {
const cache = new CacheService();
// Strategy 1: Clear specific endpoint
await cache.clearByEndpoint(endpoint);
// Strategy 2: Clear with prefix (logged but not enumerated)
await cache.clearAll(`https://cache.internal/${endpoint}`);
// Strategy 3: Fetch fresh data and update cache
const freshData = await fetchFunction();
const cacheKey = `https://cache.internal/${endpoint}`;
await cache.set(cacheKey, freshData, 3600);
console.log(`[Refresh] Cache refreshed for ${endpoint}`);
}
export {
exampleInstanceEndpointWithCache,
exampleCacheInvalidationAfterSync,
exampleClearAllAfterSchemaChange,
exampleClearByEndpointAfterUpdate,
exampleForceCacheRefresh
};

429
src/services/cache.ts
View File

@@ -7,14 +7,23 @@
* - Cache key generation with sorted parameters
* - Cache age tracking and metadata
* - Graceful degradation on cache failures
* - KV-based cache index for pattern invalidation and enumeration
*
* @example
* // Basic usage (no KV index)
* const cache = new CacheService(CACHE_TTL.INSTANCES);
* await cache.set('key', data, CACHE_TTL.PRICING);
* const result = await cache.get<MyType>('key');
* if (result) {
* console.log(result.cache_age_seconds);
* }
*
* @example
* // With KV index (enables pattern invalidation)
* const cache = new CacheService(CACHE_TTL.INSTANCES, env.RATE_LIMIT_KV);
* await cache.set('https://cache.internal/instances?provider=linode', data);
* await cache.invalidatePattern('*instances*'); // Invalidate all instance caches
* const count = await cache.clearAll(); // Clear all cache entries (returns actual count)
*/
import { logger } from '../utils/logger';
@@ -34,23 +43,57 @@ export interface CacheResult<T> {
cached_at: string;
}
/**
* Global CacheService singleton
* Prevents race conditions from multiple route-level singletons
*/
let globalCacheService: CacheService | null = null;
/**
* Get or create global CacheService singleton
* Thread-safe factory function that ensures only one CacheService instance exists
*
* @param ttl - TTL in seconds for cache entries
* @param kv - KV namespace for cache index (enables pattern invalidation)
* @returns Global CacheService singleton instance
*
* @example
* const cache = getGlobalCacheService(CACHE_TTL.INSTANCES, env.RATE_LIMIT_KV);
*/
export function getGlobalCacheService(ttl: number, kv: KVNamespace | null): CacheService {
if (!globalCacheService) {
globalCacheService = new CacheService(ttl, kv);
logger.debug('[CacheService] Global singleton initialized');
}
return globalCacheService;
}
/**
* CacheService - Manages cache operations using Cloudflare Workers Cache API
*/
export class CacheService {
private cache: Cache;
private defaultTTL: number;
private kvNamespace: KVNamespace | null;
private readonly CACHE_INDEX_PREFIX = 'cache_index:';
private readonly BATCH_SIZE = 50;
private readonly MAX_KEYS_LIMIT = 5000;
private readonly MAX_PATTERN_LENGTH = 200;
private readonly MAX_WILDCARD_COUNT = 5;
private readonly OPERATION_TIMEOUT_MS = 25000;
/**
* Initialize cache service
*
* @param ttlSeconds - Default TTL in seconds (default: CACHE_TTL.DEFAULT)
* @param kvNamespace - Optional KV namespace for cache index (enables pattern invalidation)
*/
constructor(ttlSeconds = CACHE_TTL.DEFAULT) {
constructor(ttlSeconds: number = CACHE_TTL.DEFAULT, kvNamespace: KVNamespace | null = null) {
// Use Cloudflare Workers global caches.default
this.cache = caches.default;
this.defaultTTL = ttlSeconds;
logger.debug(`[CacheService] Initialized with default TTL: ${ttlSeconds}s`);
this.kvNamespace = kvNamespace;
logger.debug(`[CacheService] Initialized with default TTL: ${ttlSeconds}s, KV index: ${!!kvNamespace}`);
}
/**
@@ -123,6 +166,17 @@ export class CacheService {
// Store in cache
await this.cache.put(key, response);
// Register key in KV index if available (fire-and-forget)
if (this.kvNamespace) {
this._registerCacheKey(key, ttl).catch(error => {
logger.error('[CacheService] Failed to register cache key (non-blocking)', {
key,
error: error instanceof Error ? error.message : String(error)
});
});
}
logger.debug(`[CacheService] Cached: ${key} (TTL: ${ttl}s)`);
} catch (error) {
@@ -143,6 +197,11 @@ export class CacheService {
try {
const deleted = await this.cache.delete(key);
// Unregister key from KV index if available
if (this.kvNamespace && deleted) {
await this._unregisterCacheKey(key);
}
if (deleted) {
logger.debug(`[CacheService] Deleted: ${key}`);
} else {
@@ -181,15 +240,213 @@ export class CacheService {
}
/**
* Invalidate all cache entries matching a pattern
* Note: Cloudflare Workers Cache API doesn't support pattern matching
* This method is for future implementation with KV or custom cache index
* Clear all cache entries with optional prefix filter
*
* @param pattern - Pattern to match (e.g., 'instances:*')
* With KV index: Enumerates and deletes all matching cache entries
* Without KV index: Logs operation only (entries expire based on TTL)
*
* @param prefix - Optional URL prefix to filter entries (e.g., 'https://cache.internal/instances')
* @returns Number of entries cleared
*
* @example
* // Clear all cache entries
* const count = await cache.clearAll();
*
* // Clear entries with specific prefix
* const count = await cache.clearAll('https://cache.internal/instances');
*/
async invalidatePattern(pattern: string): Promise<void> {
logger.warn(`[CacheService] Pattern invalidation not supported: ${pattern}`);
// TODO: Implement with KV-based cache index if needed
async clearAll(prefix?: string): Promise<number> {
try {
const targetPrefix = prefix ?? 'https://cache.internal/';
// If KV index is not available, log and return 0
if (!this.kvNamespace) {
logger.info('[CacheService] Cache clearAll requested (no KV index)', {
prefix: targetPrefix,
note: 'Individual entries will expire based on TTL. Enable KV namespace for enumeration.'
});
return 0;
}
// List all cache keys from KV index
const cacheKeys = await this._listCacheKeys(targetPrefix);
if (cacheKeys.length === 0) {
logger.info('[CacheService] No cache entries to clear', { prefix: targetPrefix });
return 0;
}
// Delete cache entries in parallel batches with timeout
const startTime = Date.now();
let deletedCount = 0;
for (let i = 0; i < cacheKeys.length; i += this.BATCH_SIZE) {
// Check timeout
if (Date.now() - startTime > this.OPERATION_TIMEOUT_MS) {
logger.warn('[CacheService] clearAll timeout reached', {
deleted_count: deletedCount,
total_keys: cacheKeys.length,
timeout_ms: this.OPERATION_TIMEOUT_MS
});
break;
}
const batch = cacheKeys.slice(i, i + this.BATCH_SIZE);
const deletePromises = batch.map(key => this.delete(key));
const results = await Promise.all(deletePromises);
deletedCount += results.filter(deleted => deleted).length;
}
logger.info('[CacheService] Cache cleared', {
prefix: targetPrefix,
total_keys: cacheKeys.length,
deleted_count: deletedCount
});
return deletedCount;
} catch (error) {
logger.error('[CacheService] Cache clearAll failed', {
error: error instanceof Error ? error.message : String(error),
prefix
});
throw error;
}
}
/**
* Clear cache entries for a specific endpoint
*
* This method deletes cache entries matching a specific endpoint pattern.
* Useful for targeted cache invalidation after data updates.
*
* @param endpoint - Endpoint path (e.g., 'instances', 'pricing')
* @returns true if at least one entry was deleted, false otherwise
*
* @example
* // Clear all instance cache entries
* await cache.clearByEndpoint('instances');
*/
async clearByEndpoint(endpoint: string): Promise<boolean> {
try {
const cacheKey = `https://cache.internal/${endpoint}`;
// Delete the base endpoint cache entry
// Note: This only deletes exact matches, not parameterized queries
const deleted = await this.cache.delete(new Request(cacheKey, { method: 'GET' }));
logger.info('[CacheService] Endpoint cache cleared', {
endpoint,
success: deleted,
note: 'Only exact matches are deleted. Parameterized queries remain cached until TTL expiry.'
});
return deleted;
} catch (error) {
logger.error('[CacheService] Endpoint cache clear failed', {
endpoint,
error: error instanceof Error ? error.message : String(error)
});
return false;
}
}
/**
* Invalidate all cache entries matching a pattern
*
* Supports wildcards and pattern matching via KV index.
* Without KV index, logs warning and returns 0.
*
* @param pattern - Pattern to match (supports * wildcard)
* @returns Number of entries invalidated
*
* @example
* // Invalidate all instance cache entries
* await cache.invalidatePattern('*instances*');
*
* // Invalidate all cache entries for a specific provider
* await cache.invalidatePattern('*provider=linode*');
*
* // Invalidate all pricing cache entries
* await cache.invalidatePattern('*pricing*');
*/
async invalidatePattern(pattern: string): Promise<number> {
try {
// If KV index is not available, log warning
if (!this.kvNamespace) {
logger.warn('[CacheService] Pattern invalidation not available (no KV index)', { pattern });
return 0;
}
// ReDoS prevention: validate pattern
this._validatePattern(pattern);
// Extract prefix from pattern for KV-level filtering
// e.g., "instances*" -> prefix "instances"
// e.g., "*instances*" -> no prefix (full scan)
const prefixMatch = pattern.match(/^([^*?]+)/);
const kvPrefix = prefixMatch ? prefixMatch[1] : undefined;
if (kvPrefix) {
logger.debug(`[CacheService] Using KV prefix filter: "${kvPrefix}" for pattern: "${pattern}"`);
}
// List cache keys with KV-side prefix filtering
const allKeys = await this._listCacheKeys(kvPrefix);
// Convert pattern to regex (escape special chars except *)
const regexPattern = pattern
.replace(/[.+?^${}()|[\]\\]/g, '\\$&') // Escape special regex chars
.replace(/\*/g, '.*'); // Convert * to .*
const regex = new RegExp(`^${regexPattern}$`, 'i');
// Filter keys matching pattern
const matchingKeys = allKeys.filter(key => regex.test(key));
if (matchingKeys.length === 0) {
logger.info('[CacheService] No cache entries match pattern', { pattern });
return 0;
}
// Delete matching cache entries in parallel batches with timeout
const startTime = Date.now();
let deletedCount = 0;
for (let i = 0; i < matchingKeys.length; i += this.BATCH_SIZE) {
// Check timeout
if (Date.now() - startTime > this.OPERATION_TIMEOUT_MS) {
logger.warn('[CacheService] invalidatePattern timeout reached', {
deleted_count: deletedCount,
total_matches: matchingKeys.length,
timeout_ms: this.OPERATION_TIMEOUT_MS
});
break;
}
const batch = matchingKeys.slice(i, i + this.BATCH_SIZE);
const deletePromises = batch.map(key => this.delete(key));
const results = await Promise.all(deletePromises);
deletedCount += results.filter(deleted => deleted).length;
}
logger.info('[CacheService] Pattern invalidation complete', {
pattern,
total_matches: matchingKeys.length,
deleted_count: deletedCount
});
return deletedCount;
} catch (error) {
logger.error('[CacheService] Pattern invalidation failed', {
pattern,
error: error instanceof Error ? error.message : String(error)
});
throw error;
}
}
/**
@@ -199,8 +456,160 @@ export class CacheService {
*
* @returns Cache statistics (not available in Cloudflare Workers)
*/
async getStats(): Promise<{ supported: boolean }> {
async getStats(): Promise<{ supported: boolean; indexed_keys?: number }> {
if (!this.kvNamespace) {
logger.warn('[CacheService] Cache statistics not available in Cloudflare Workers');
return { supported: false };
}
try {
const allKeys = await this._listCacheKeys();
return {
supported: true,
indexed_keys: allKeys.length
};
} catch (error) {
logger.error('[CacheService] Failed to get cache stats', {
error: error instanceof Error ? error.message : String(error)
});
return { supported: false };
}
}
/**
* Register cache key in KV index
*
* @param key - Cache key (URL format)
* @param ttlSeconds - TTL in seconds
*/
private async _registerCacheKey(key: string, ttlSeconds: number): Promise<void> {
if (!this.kvNamespace) {
return;
}
try {
const indexKey = `${this.CACHE_INDEX_PREFIX}${key}`;
const metadata = {
cached_at: new Date().toISOString(),
ttl: ttlSeconds
};
// Store with same TTL as cache entry
// KV will auto-delete when expired, keeping index clean
await this.kvNamespace.put(indexKey, '1', {
expirationTtl: ttlSeconds,
metadata
});
logger.debug(`[CacheService] Registered cache key in index: ${key}`);
} catch (error) {
// Graceful degradation: log error but don't fail cache operation
logger.error('[CacheService] Failed to register cache key', {
key,
error: error instanceof Error ? error.message : String(error)
});
}
}
/**
* Unregister cache key from KV index
*
* @param key - Cache key (URL format)
*/
private async _unregisterCacheKey(key: string): Promise<void> {
if (!this.kvNamespace) {
return;
}
try {
const indexKey = `${this.CACHE_INDEX_PREFIX}${key}`;
await this.kvNamespace.delete(indexKey);
logger.debug(`[CacheService] Unregistered cache key from index: ${key}`);
} catch (error) {
// Graceful degradation: log error but don't fail delete operation
logger.error('[CacheService] Failed to unregister cache key', {
key,
error: error instanceof Error ? error.message : String(error)
});
}
}
/**
* List all cache keys from KV index
*
* @param prefix - Optional prefix to filter keys (matches original cache key, not index key)
* @param maxKeys - Maximum number of keys to return (default: 5000)
* @returns Array of cache keys
*/
private async _listCacheKeys(prefix?: string, maxKeys = this.MAX_KEYS_LIMIT): Promise<string[]> {
if (!this.kvNamespace) {
return [];
}
try {
const keys: string[] = [];
let cursor: string | undefined;
// List all keys with cache_index: prefix
do {
const result = await this.kvNamespace.list({
prefix: this.CACHE_INDEX_PREFIX,
cursor
});
// Extract original cache keys (remove cache_index: prefix)
const extractedKeys = result.keys
.map(k => k.name.substring(this.CACHE_INDEX_PREFIX.length))
.filter(k => !prefix || k.startsWith(prefix));
keys.push(...extractedKeys);
// Check if we've exceeded the max keys limit
if (keys.length >= maxKeys) {
logger.warn('[CacheService] Cache key limit reached', {
max_keys: maxKeys,
current_count: keys.length,
note: 'Consider increasing MAX_KEYS_LIMIT or implementing pagination'
});
return keys.slice(0, maxKeys);
}
cursor = result.list_complete ? undefined : result.cursor;
} while (cursor);
logger.debug(`[CacheService] Listed ${keys.length} cache keys from index`, { prefix });
return keys;
} catch (error) {
logger.error('[CacheService] Failed to list cache keys', {
prefix,
error: error instanceof Error ? error.message : String(error)
});
return [];
}
}
/**
* Validate pattern for ReDoS prevention
*
* @param pattern - Pattern to validate
* @throws Error if pattern is invalid
*/
private _validatePattern(pattern: string): void {
// Check pattern length
if (pattern.length > this.MAX_PATTERN_LENGTH) {
throw new Error(`Pattern too long (max ${this.MAX_PATTERN_LENGTH} chars): ${pattern.length} chars`);
}
// Check for consecutive wildcards (**) which can cause ReDoS
if (pattern.includes('**')) {
throw new Error('Consecutive wildcards (**) not allowed (ReDoS prevention)');
}
// Count wildcards
const wildcardCount = (pattern.match(/\*/g) || []).length;
if (wildcardCount > this.MAX_WILDCARD_COUNT) {
throw new Error(`Too many wildcards (max ${this.MAX_WILDCARD_COUNT}): ${wildcardCount} wildcards`);
}
}
}

60
src/services/query.ts
View File

@@ -89,25 +89,55 @@ export class QueryService {
this.logger.debug('Executing query', { sql });
this.logger.debug('Main query bindings', { bindings });
this.logger.debug('Count query bindings', { countBindings });
// Calculate pagination metadata
const page = Math.max(params.page ?? 1, 1);
const perPage = Math.min(Math.max(params.limit ?? 50, 1), 100); // Min 1, Max 100
const offset = (page - 1) * perPage;
// Performance optimization: Only run COUNT query on first page or when explicitly requested
// This avoids expensive full table scan with JOINs on every paginated request
const shouldRunCount = offset === 0 || params.include_count === true;
let totalResults = 0;
let queryResult: D1Result;
if (shouldRunCount) {
this.logger.debug('Running COUNT query (first page or explicit request)', { countBindings });
// Execute count and main queries in a single batch for performance
const [countResult, queryResult] = await this.db.batch([
const [countResult, mainResult] = await this.db.batch([
this.db.prepare(countSql).bind(...countBindings),
this.db.prepare(sql).bind(...bindings),
]);
// Validate batch results and extract data with type safety
if (!countResult.success || !queryResult.success) {
if (!countResult.success || !mainResult.success) {
const errors = [
!countResult.success ? `Count query failed: ${countResult.error}` : null,
!queryResult.success ? `Main query failed: ${queryResult.error}` : null,
!mainResult.success ? `Main query failed: ${mainResult.error}` : null,
].filter(Boolean);
throw new Error(`Batch query execution failed: ${errors.join(', ')}`);
}
// Extract total count with type casting and fallback
const totalResults = (countResult.results?.[0] as { total: number } | undefined)?.total ?? 0;
totalResults = (countResult.results?.[0] as { total: number } | undefined)?.total ?? 0;
queryResult = mainResult;
} else {
// Skip COUNT query for subsequent pages (performance optimization)
this.logger.debug('Skipping COUNT query (subsequent page)', { page, offset });
queryResult = await this.db.prepare(sql).bind(...bindings).all();
if (!queryResult.success) {
throw new Error(`Main query failed: ${queryResult.error}`);
}
// Estimate total based on current results for pagination metadata
// If we got full page of results, there might be more pages
const resultCount = queryResult.results?.length ?? 0;
totalResults = resultCount === perPage ? offset + perPage + 1 : offset + resultCount;
}
// Extract main query results with type casting
const results = (queryResult.results ?? []) as RawQueryResult[];
@@ -116,8 +146,6 @@ export class QueryService {
const instances = this.transformResults(results);
// Calculate pagination metadata
const page = params.page ?? 1;
const perPage = Math.min(params.limit ?? 50, 100); // Max 100
const totalPages = Math.ceil(totalResults / perPage);
const hasNext = page < totalPages;
const hasPrevious = page > 1;
@@ -268,6 +296,9 @@ export class QueryService {
const sortBy = params.sort_by ?? 'hourly_price';
const sortOrder = params.sort_order ?? 'asc';
// Validate sort order at service level (defense in depth)
const validatedSortOrder = sortOrder?.toLowerCase() === 'desc' ? 'DESC' : 'ASC';
// Map sort fields to actual column names
const sortFieldMap: Record<string, string> = {
price: 'pr.hourly_price',
@@ -285,15 +316,17 @@ export class QueryService {
// Handle NULL values in pricing columns (NULL values go last)
if (sortColumn.startsWith('pr.')) {
// Use CASE to put NULL values last regardless of sort order
orderByClause = ` ORDER BY CASE WHEN ${sortColumn} IS NULL THEN 1 ELSE 0 END, ${sortColumn} ${sortOrder.toUpperCase()}`;
orderByClause = ` ORDER BY CASE WHEN ${sortColumn} IS NULL THEN 1 ELSE 0 END, ${sortColumn} ${validatedSortOrder}`;
} else {
orderByClause = ` ORDER BY ${sortColumn} ${sortOrder.toUpperCase()}`;
orderByClause = ` ORDER BY ${sortColumn} ${validatedSortOrder}`;
}
// Build LIMIT and OFFSET
const page = params.page ?? 1;
const limit = Math.min(params.limit ?? 50, 100); // Max 100
const offset = (page - 1) * limit;
const MAX_OFFSET = 100000; // Reasonable limit for pagination to prevent extreme offsets
const page = Math.max(params.page ?? 1, 1);
const limit = Math.min(Math.max(params.limit ?? 50, 1), 100); // Min 1, Max 100
const rawOffset = (page - 1) * limit;
const offset = Math.min(rawOffset, MAX_OFFSET);
bindings.push(limit);
bindings.push(offset);
@@ -304,8 +337,9 @@ export class QueryService {
const sql = selectClause + whereClause + orderByClause + limitClause;
// Count query (without ORDER BY and LIMIT)
// Use COUNT(DISTINCT it.id) to avoid Cartesian product from LEFT JOINs
const countSql = `
SELECT COUNT(*) as total
SELECT COUNT(DISTINCT it.id) as total
FROM instance_types it
JOIN providers p ON it.provider_id = p.id
LEFT JOIN pricing pr ON pr.instance_type_id = it.id

388
src/services/recommendation.test.ts
View File

@@ -1,388 +0,0 @@
/**
* Recommendation Service Tests
*
* Tests the RecommendationService class for:
* - Score calculation algorithm
* - Stack validation and requirements calculation
* - Budget filtering
* - Asia-Pacific region filtering
*/
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { RecommendationService } from './recommendation';
import type { RecommendationRequest } from '../types';
/**
* Mock D1Database for testing
*/
const createMockD1Database = () => {
const mockPrepare = vi.fn().mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({
results: [],
}),
});
return {
prepare: mockPrepare,
dump: vi.fn(),
batch: vi.fn(),
exec: vi.fn(),
};
};
/**
* Mock instance data for testing
*/
const createMockInstanceRow = (overrides = {}) => ({
id: 1,
instance_id: 'test-instance',
instance_name: 'Standard-2GB',
vcpu: 2,
memory_mb: 2048,
storage_gb: 50,
metadata: null,
provider_name: 'linode',
region_code: 'ap-south-1',
region_name: 'Mumbai',
hourly_price: 0.015,
monthly_price: 10,
...overrides,
});
describe('RecommendationService', () => {
let service: RecommendationService;
let mockDb: ReturnType<typeof createMockD1Database>;
beforeEach(() => {
mockDb = createMockD1Database();
service = new RecommendationService(mockDb as any);
});
describe('recommend', () => {
it('should validate stack components and throw error for invalid stacks', async () => {
const request: RecommendationRequest = {
stack: ['nginx', 'invalid-stack', 'unknown-tech'],
scale: 'small',
};
await expect(service.recommend(request)).rejects.toThrow(
'Invalid stacks: invalid-stack, unknown-tech'
);
});
it('should calculate resource requirements for valid stack', async () => {
const request: RecommendationRequest = {
stack: ['nginx', 'mysql'],
scale: 'medium',
};
// Mock database response with empty results
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [] }),
});
const result = await service.recommend(request);
// nginx (256MB) + mysql (2048MB) + OS overhead (768MB) = 3072MB
expect(result.requirements.min_memory_mb).toBe(3072);
// 3072MB / 2048 = 1.5, rounded up = 2 vCPU
expect(result.requirements.min_vcpu).toBe(2);
expect(result.requirements.breakdown).toHaveProperty('nginx');
expect(result.requirements.breakdown).toHaveProperty('mysql');
expect(result.requirements.breakdown).toHaveProperty('os_overhead');
});
it('should return top 5 recommendations sorted by match score', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
};
// Mock database with 10 instances
const mockInstances = Array.from({ length: 10 }, (_, i) =>
createMockInstanceRow({
id: i + 1,
instance_name: `Instance-${i + 1}`,
vcpu: i % 4 + 1,
memory_mb: (i % 4 + 1) * 1024,
monthly_price: 10 + i * 5,
})
);
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: mockInstances }),
});
const result = await service.recommend(request);
// Should return max 5 recommendations
expect(result.recommendations).toHaveLength(5);
// Should be sorted by match_score descending
for (let i = 0; i < result.recommendations.length - 1; i++) {
expect(result.recommendations[i].match_score).toBeGreaterThanOrEqual(
result.recommendations[i + 1].match_score
);
}
// Should have rank assigned (1-5)
expect(result.recommendations[0].rank).toBe(1);
expect(result.recommendations[4].rank).toBe(5);
});
it('should filter instances by budget when budget_max is specified', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
budget_max: 20,
};
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [] }),
});
await service.recommend(request);
// Verify SQL includes budget filter
const prepareCall = mockDb.prepare.mock.calls[0][0];
expect(prepareCall).toContain('pr.monthly_price <= ?');
});
});
describe('scoreInstance (via recommend)', () => {
it('should score optimal memory fit with high score', async () => {
const request: RecommendationRequest = {
stack: ['nginx'], // min 128MB
scale: 'small',
};
// Memory ratio 1.4x (optimal range 1-1.5x): should get 40 points
const mockInstance = createMockInstanceRow({
memory_mb: 1024, // nginx min is 128MB + 768MB OS = 896MB total, ratio = 1.14x
vcpu: 1,
monthly_price: 10,
});
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [mockInstance] }),
});
const result = await service.recommend(request);
// Should have high score for optimal fit
expect(result.recommendations[0].match_score).toBeGreaterThan(70);
expect(result.recommendations[0].pros).toContain('메모리 최적 적합');
});
it('should penalize oversized instances', async () => {
const request: RecommendationRequest = {
stack: ['nginx'], // min 896MB total
scale: 'small',
};
// Memory ratio >2x: should get only 20 points for memory
const mockInstance = createMockInstanceRow({
memory_mb: 4096, // Ratio = 4096/896 = 4.57x (oversized)
vcpu: 2,
monthly_price: 30,
});
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [mockInstance] }),
});
const result = await service.recommend(request);
// Should have cons about over-provisioning
expect(result.recommendations[0].cons).toContain('메모리 과다 프로비저닝');
});
it('should give price efficiency bonus for budget-conscious instances', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
budget_max: 100,
};
// Price ratio 0.3 (30% of budget): should get 20 points
const mockInstance = createMockInstanceRow({
memory_mb: 2048,
vcpu: 2,
monthly_price: 30,
});
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [mockInstance] }),
});
const result = await service.recommend(request);
// Should have pros about price efficiency
expect(result.recommendations[0].pros).toContain('예산 대비 저렴');
});
it('should give storage bonus for instances with good storage', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
};
// Storage >= 80GB: should get 10 points
const mockInstanceWithStorage = createMockInstanceRow({
memory_mb: 2048,
vcpu: 2,
storage_gb: 100,
monthly_price: 20,
});
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [mockInstanceWithStorage] }),
});
const result = await service.recommend(request);
// Should have pros about storage
expect(result.recommendations[0].pros.some((p) => p.includes('스토리지'))).toBe(true);
});
it('should note EBS storage separately for instances without storage', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
};
// Storage = 0: should have cons
const mockInstanceNoStorage = createMockInstanceRow({
memory_mb: 2048,
vcpu: 2,
storage_gb: 0,
monthly_price: 20,
});
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [mockInstanceNoStorage] }),
});
const result = await service.recommend(request);
// Should have cons about separate storage
expect(result.recommendations[0].cons).toContain('EBS 스토리지 별도');
});
});
describe('getMonthlyPrice (via scoring)', () => {
it('should extract monthly price from monthly_price column', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
};
const mockInstance = createMockInstanceRow({
monthly_price: 15,
hourly_price: null,
metadata: null,
});
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [mockInstance] }),
});
const result = await service.recommend(request);
expect(result.recommendations[0].price.monthly).toBe(15);
});
it('should extract monthly price from metadata JSON', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
};
const mockInstance = createMockInstanceRow({
monthly_price: null,
hourly_price: null,
metadata: JSON.stringify({ monthly_price: 25 }),
});
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [mockInstance] }),
});
const result = await service.recommend(request);
expect(result.recommendations[0].price.monthly).toBe(25);
});
it('should calculate monthly price from hourly price', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
};
const mockInstance = createMockInstanceRow({
monthly_price: null,
hourly_price: 0.02, // 0.02 * 730 = 14.6
metadata: null,
});
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [mockInstance] }),
});
const result = await service.recommend(request);
expect(result.recommendations[0].price.monthly).toBe(14.6);
});
});
describe('queryInstances', () => {
it('should query instances from Asia-Pacific regions', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
};
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockResolvedValue({ results: [] }),
});
await service.recommend(request);
// Verify SQL query structure
const prepareCall = mockDb.prepare.mock.calls[0][0];
expect(prepareCall).toContain('WHERE p.name IN');
expect(prepareCall).toContain('AND r.region_code IN');
expect(prepareCall).toContain('AND it.memory_mb >= ?');
expect(prepareCall).toContain('AND it.vcpu >= ?');
});
it('should handle database query errors gracefully', async () => {
const request: RecommendationRequest = {
stack: ['nginx'],
scale: 'small',
};
mockDb.prepare.mockReturnValue({
bind: vi.fn().mockReturnThis(),
all: vi.fn().mockRejectedValue(new Error('Database connection failed')),
});
await expect(service.recommend(request)).rejects.toThrow(
'Failed to query instances from database'
);
});
});
});

363
src/services/recommendation.ts
View File

@@ -1,363 +0,0 @@
/**
* Recommendation Service
*
* Provides intelligent instance recommendations based on:
* - Technology stack requirements
* - Deployment scale
* - Budget constraints
* - Asia-Pacific region filtering
*/
import type { D1Database } from '@cloudflare/workers-types';
import type {
RecommendationRequest,
RecommendationResponse,
InstanceRecommendation,
ResourceRequirements,
} from '../types';
import { validateStack, calculateRequirements } from './stackConfig';
import { getAsiaRegionCodes, getRegionDisplayName } from './regionFilter';
import { logger } from '../utils/logger';
/**
* Database row interface for instance query results
*/
interface InstanceQueryRow {
id: number;
instance_id: string;
instance_name: string;
vcpu: number;
memory_mb: number;
storage_gb: number;
metadata: string | null;
provider_name: string;
region_code: string;
region_name: string;
hourly_price: number | null;
monthly_price: number | null;
}
/**
* Recommendation Service
* Calculates and ranks cloud instances based on stack requirements
*/
export class RecommendationService {
// Cache parsed metadata to avoid repeated JSON.parse calls
private metadataCache = new Map<number, { monthly_price?: number }>();
constructor(private db: D1Database) {}
/**
* Generate instance recommendations based on stack and scale
*
* Process:
* 1. Validate stack components
* 2. Calculate resource requirements
* 3. Query Asia-Pacific instances matching requirements
* 4. Score and rank instances
* 5. Return top 5 recommendations
*
* @param request - Recommendation request with stack, scale, and budget
* @returns Recommendation response with requirements and ranked instances
* @throws Error if stack validation fails or database query fails
*/
async recommend(request: RecommendationRequest): Promise<RecommendationResponse> {
// Clear metadata cache for new recommendation request
this.metadataCache.clear();
logger.info('[Recommendation] Processing request', {
stack: request.stack,
scale: request.scale,
budget_max: request.budget_max,
});
// 1. Validate stack components
const validation = validateStack(request.stack);
if (!validation.valid) {
const errorMsg = `Invalid stacks: ${validation.invalidStacks.join(', ')}`;
logger.error('[Recommendation] Stack validation failed', {
invalidStacks: validation.invalidStacks,
});
throw new Error(errorMsg);
}
// 2. Calculate resource requirements based on stack and scale
const requirements = calculateRequirements(request.stack, request.scale);
logger.info('[Recommendation] Resource requirements calculated', {
min_memory_mb: requirements.min_memory_mb,
min_vcpu: requirements.min_vcpu,
});
// 3. Query instances from Asia-Pacific regions
const instances = await this.queryInstances(requirements, request.budget_max);
logger.info('[Recommendation] Found instances', { count: instances.length });
// 4. Calculate match scores and sort by score (highest first)
const scored = instances.map(inst =>
this.scoreInstance(inst, requirements, request.budget_max)
);
scored.sort((a, b) => b.match_score - a.match_score);
// 5. Return top 5 recommendations with rank
const recommendations = scored.slice(0, 5).map((inst, idx) => ({
...inst,
rank: idx + 1,
}));
logger.info('[Recommendation] Generated recommendations', {
count: recommendations.length,
top_score: recommendations[0]?.match_score,
});
return { requirements, recommendations };
}
/**
* Query instances from Asia-Pacific regions matching requirements
*
* Single query optimization: queries all providers (Linode, Vultr, AWS) in one database call
* - Uses IN clause for provider names and region codes
* - Filters by minimum memory and vCPU requirements
* - Optionally filters by maximum budget
* - Returns up to 50 instances across all providers
*
* @param requirements - Minimum resource requirements
* @param budgetMax - Optional maximum monthly budget in USD
* @returns Array of instance query results
*/
private async queryInstances(
requirements: ResourceRequirements,
budgetMax?: number
): Promise<InstanceQueryRow[]> {
// Collect all providers and their Asia-Pacific region codes
const providers = ['linode', 'vultr', 'aws'];
const allRegionCodes: string[] = [];
for (const provider of providers) {
const regionCodes = getAsiaRegionCodes(provider);
if (regionCodes.length === 0) {
logger.warn('[Recommendation] No Asia regions found for provider', {
provider,
});
}
allRegionCodes.push(...regionCodes);
}
// If no regions found across all providers, return empty
if (allRegionCodes.length === 0) {
logger.error('[Recommendation] No Asia regions found for any provider');
return [];
}
// Build single query with IN clauses for providers and regions
const providerPlaceholders = providers.map(() => '?').join(',');
const regionPlaceholders = allRegionCodes.map(() => '?').join(',');
let sql = `
SELECT
it.id,
it.instance_id,
it.instance_name,
it.vcpu,
it.memory_mb,
it.storage_gb,
it.metadata,
p.name as provider_name,
r.region_code,
r.region_name,
pr.hourly_price,
pr.monthly_price
FROM instance_types it
JOIN providers p ON it.provider_id = p.id
JOIN regions r ON r.provider_id = p.id
LEFT JOIN pricing pr ON pr.instance_type_id = it.id AND pr.region_id = r.id
WHERE p.name IN (${providerPlaceholders})
AND r.region_code IN (${regionPlaceholders})
AND it.memory_mb >= ?
AND it.vcpu >= ?
`;
const params: (string | number)[] = [
...providers,
...allRegionCodes,
requirements.min_memory_mb,
requirements.min_vcpu,
];
// Add budget filter if specified
if (budgetMax) {
sql += ` AND (pr.monthly_price <= ? OR pr.monthly_price IS NULL)`;
params.push(budgetMax);
}
// Sort by price (cheapest first) and limit results
sql += ` ORDER BY COALESCE(pr.monthly_price, 9999) ASC LIMIT 50`;
try {
const result = await this.db.prepare(sql).bind(...params).all();
logger.info('[Recommendation] Single query executed for all providers', {
providers,
region_count: allRegionCodes.length,
found: result.results?.length || 0,
});
return (result.results as unknown as InstanceQueryRow[]) || [];
} catch (error) {
logger.error('[Recommendation] Query failed', { error });
throw new Error('Failed to query instances from database');
}
}
/**
* Calculate match score for an instance
*
* Scoring algorithm (0-100 points):
* - Memory fit (40 points): How well memory matches requirements
* - Perfect fit (1-1.5x): 40 points
* - Comfortable (1.5-2x): 30 points
* - Oversized (>2x): 20 points
* - vCPU fit (30 points): How well vCPU matches requirements
* - Good fit (1-2x): 30 points
* - Oversized (>2x): 20 points
* - Price efficiency (20 points): Budget utilization
* - Under 50% budget: 20 points
* - Under 80% budget: 15 points
* - Over 80% budget: 10 points
* - Storage bonus (10 points): Included storage
* - ≥80GB: 10 points
* - >0GB: 5 points
* - No storage: 0 points
*
* @param instance - Instance query result
* @param requirements - Resource requirements
* @param budgetMax - Optional maximum budget
* @returns Instance recommendation with score, pros, and cons
*/
private scoreInstance(
instance: InstanceQueryRow,
requirements: ResourceRequirements,
budgetMax?: number
): InstanceRecommendation {
let score = 0;
const pros: string[] = [];
const cons: string[] = [];
// Memory score (40 points) - measure fit against requirements
const memoryRatio = instance.memory_mb / requirements.min_memory_mb;
if (memoryRatio >= 1 && memoryRatio <= 1.5) {
score += 40;
pros.push('메모리 최적 적합');
} else if (memoryRatio > 1.5 && memoryRatio <= 2) {
score += 30;
pros.push('메모리 여유 있음');
} else if (memoryRatio > 2) {
score += 20;
cons.push('메모리 과다 프로비저닝');
}
// vCPU score (30 points) - measure fit against requirements
const vcpuRatio = instance.vcpu / requirements.min_vcpu;
if (vcpuRatio >= 1 && vcpuRatio <= 2) {
score += 30;
pros.push('vCPU 적합');
} else if (vcpuRatio > 2) {
score += 20;
}
// Price score (20 points) - budget efficiency
const monthlyPrice = this.getMonthlyPrice(instance);
if (budgetMax && monthlyPrice > 0) {
const priceRatio = monthlyPrice / budgetMax;
if (priceRatio <= 0.5) {
score += 20;
pros.push('예산 대비 저렴');
} else if (priceRatio <= 0.8) {
score += 15;
pros.push('합리적 가격');
} else {
score += 10;
}
} else if (monthlyPrice > 0) {
score += 15; // Default score when no budget specified
}
// Storage score (10 points) - included storage bonus
if (instance.storage_gb >= 80) {
score += 10;
pros.push(`스토리지 ${instance.storage_gb}GB 포함`);
} else if (instance.storage_gb > 0) {
score += 5;
} else {
cons.push('EBS 스토리지 별도');
}
// Build recommendation object
return {
rank: 0, // Will be set by caller after sorting
provider: instance.provider_name,
instance: instance.instance_name,
region: `${getRegionDisplayName(instance.region_code)} (${instance.region_code})`,
specs: {
vcpu: instance.vcpu,
memory_mb: instance.memory_mb,
storage_gb: instance.storage_gb || 0,
},
price: {
monthly: monthlyPrice,
hourly: instance.hourly_price || monthlyPrice / 730,
},
match_score: Math.min(100, score), // Cap at 100
pros,
cons,
};
}
/**
* Extract monthly price from instance data
*
* Pricing sources:
* 1. Direct monthly_price column (Linode)
* 2. metadata JSON field (Vultr, AWS) - cached to avoid repeated JSON.parse
* 3. Calculate from hourly_price if available
*
* @param instance - Instance query result
* @returns Monthly price in USD, or 0 if not available
*/
private getMonthlyPrice(instance: InstanceQueryRow): number {
// Direct monthly price (from pricing table)
if (instance.monthly_price) {
return instance.monthly_price;
}
// Extract from metadata (Vultr, AWS) with caching
if (instance.metadata) {
// Check cache first
if (!this.metadataCache.has(instance.id)) {
try {
const meta = JSON.parse(instance.metadata) as { monthly_price?: number };
this.metadataCache.set(instance.id, meta);
} catch (error) {
logger.warn('[Recommendation] Failed to parse metadata', {
instance: instance.instance_name,
error,
});
// Cache empty object to prevent repeated parse attempts
this.metadataCache.set(instance.id, {});
}
}
const cachedMeta = this.metadataCache.get(instance.id);
if (cachedMeta?.monthly_price) {
return cachedMeta.monthly_price;
}
}
// Calculate from hourly price (730 hours per month average)
if (instance.hourly_price) {
return instance.hourly_price * 730;
}
return 0;
}
}

67
src/services/regionFilter.ts
View File

@@ -1,67 +0,0 @@
/**
* Region Filter Service
* Manages Asia-Pacific region filtering (Seoul, Tokyo, Osaka, Singapore, Hong Kong)
*/
/**
* Asia-Pacific region codes by provider
* Limited to 5 major cities in East/Southeast Asia
*/
export const ASIA_REGIONS: Record<string, string[]> = {
linode: ['jp-tyo-3', 'jp-osa', 'sg-sin-2'],
vultr: ['icn', 'nrt', 'itm'],
aws: ['ap-northeast-1', 'ap-northeast-2', 'ap-northeast-3', 'ap-southeast-1', 'ap-east-1'],
};
/**
* Region code to display name mapping
*/
export const REGION_DISPLAY_NAMES: Record<string, string> = {
// Linode
'jp-tyo-3': 'Tokyo',
'jp-osa': 'Osaka',
'sg-sin-2': 'Singapore',
// Vultr
'icn': 'Seoul',
'nrt': 'Tokyo',
'itm': 'Osaka',
// AWS
'ap-northeast-1': 'Tokyo',
'ap-northeast-2': 'Seoul',
'ap-northeast-3': 'Osaka',
'ap-southeast-1': 'Singapore',
'ap-east-1': 'Hong Kong',
};
/**
* Check if a region code is in the Asia-Pacific filter list
*
* @param provider - Cloud provider name (case-insensitive)
* @param regionCode - Region code to check (case-insensitive)
* @returns true if region is in Asia-Pacific filter list
*/
export function isAsiaRegion(provider: string, regionCode: string): boolean {
const regions = ASIA_REGIONS[provider.toLowerCase()];
if (!regions) return false;
return regions.includes(regionCode.toLowerCase());
}
/**
* Get all Asia-Pacific region codes for a provider
*
* @param provider - Cloud provider name (case-insensitive)
* @returns Array of region codes, empty if provider not found
*/
export function getAsiaRegionCodes(provider: string): string[] {
return ASIA_REGIONS[provider.toLowerCase()] || [];
}
/**
* Get display name for a region code
*
* @param regionCode - Region code to look up
* @returns Display name (e.g., "Tokyo"), or original code if not found
*/
export function getRegionDisplayName(regionCode: string): string {
return REGION_DISPLAY_NAMES[regionCode] || regionCode;
}

93
src/services/stackConfig.ts
View File

@@ -1,93 +0,0 @@
/**
* Stack Configuration Service
* Manages technology stack requirements and resource calculations
*/
import type { ScaleType, ResourceRequirements } from '../types';
/**
* Memory requirements for each stack component (in MB)
*/
export const STACK_REQUIREMENTS: Record<string, { min: number; recommended: number }> = {
nginx: { min: 128, recommended: 256 },
'php-fpm': { min: 512, recommended: 1024 },
mysql: { min: 1024, recommended: 2048 },
mariadb: { min: 1024, recommended: 2048 },
postgresql: { min: 1024, recommended: 2048 },
redis: { min: 256, recommended: 512 },
elasticsearch: { min: 2048, recommended: 4096 },
nodejs: { min: 512, recommended: 1024 },
docker: { min: 1024, recommended: 2048 },
mongodb: { min: 1024, recommended: 2048 },
};
/**
* Base OS overhead (in MB)
*/
export const OS_OVERHEAD_MB = 768;
/**
* Validate stack components against supported technologies
*
* @param stack - Array of technology stack components
* @returns Validation result with list of invalid stacks
*/
export function validateStack(stack: string[]): { valid: boolean; invalidStacks: string[] } {
const invalidStacks = stack.filter(s => !STACK_REQUIREMENTS[s.toLowerCase()]);
return {
valid: invalidStacks.length === 0,
invalidStacks,
};
}
/**
* Calculate resource requirements based on stack and scale
*
* Memory calculation:
* - small: minimum requirements
* - medium: recommended requirements
* - large: 1.5x recommended requirements
*
* vCPU calculation:
* - 1 vCPU per 2GB memory (rounded up)
* - Minimum 1 vCPU
*
* @param stack - Array of technology stack components
* @param scale - Deployment scale (small/medium/large)
* @returns Calculated resource requirements with breakdown
*/
export function calculateRequirements(stack: string[], scale: ScaleType): ResourceRequirements {
const breakdown: Record<string, string> = {};
let totalMemory = 0;
// Calculate memory for each stack component
for (const s of stack) {
const req = STACK_REQUIREMENTS[s.toLowerCase()];
if (req) {
let memoryMb: number;
if (scale === 'small') {
memoryMb = req.min;
} else if (scale === 'large') {
memoryMb = Math.ceil(req.recommended * 1.5);
} else {
// medium
memoryMb = req.recommended;
}
breakdown[s] = memoryMb >= 1024 ? `${memoryMb / 1024}GB` : `${memoryMb}MB`;
totalMemory += memoryMb;
}
}
// Add OS overhead
breakdown['os_overhead'] = `${OS_OVERHEAD_MB}MB`;
totalMemory += OS_OVERHEAD_MB;
// Calculate vCPU: 1 vCPU per 2GB memory, minimum 1
const minVcpu = Math.max(1, Math.ceil(totalMemory / 2048));
return {
min_memory_mb: totalMemory,
min_vcpu: minVcpu,
breakdown,
};
}

274
src/services/sync.ts
View File

@@ -8,17 +8,16 @@
* - Batch operations for efficiency
*
* @example
* const orchestrator = new SyncOrchestrator(db, vault);
* const orchestrator = new SyncOrchestrator(db, env);
* const report = await orchestrator.syncAll(['linode']);
*/
import { VaultClient } from '../connectors/vault';
import { LinodeConnector } from '../connectors/linode';
import { VultrConnector } from '../connectors/vultr';
import { AWSConnector } from '../connectors/aws';
import { RepositoryFactory } from '../repositories';
import { createLogger } from '../utils/logger';
import { calculateRetailHourly, calculateRetailMonthly } from '../constants';
import { calculateRetailHourly, calculateRetailMonthly, SUPPORTED_PROVIDERS } from '../constants';
import type {
Env,
ProviderSyncResult,
@@ -28,9 +27,34 @@ import type {
PricingInput,
GpuInstanceInput,
GpuPricingInput,
G8InstanceInput,
G8PricingInput,
VpuInstanceInput,
VpuPricingInput,
} from '../types';
import { SyncStage } from '../types';
/**
* Wraps a promise with a timeout
* @param promise - The promise to wrap
* @param ms - Timeout in milliseconds
* @param operation - Operation name for error message
* @returns Promise result if completed within timeout
* @throws Error if operation times out
*/
async function withTimeout<T>(promise: Promise<T>, ms: number, operation: string): Promise<T> {
let timeoutId: ReturnType<typeof setTimeout>;
const timeoutPromise = new Promise<never>((_, reject) => {
timeoutId = setTimeout(() => reject(new Error(`${operation} timed out after ${ms}ms`)), ms);
});
try {
return await Promise.race([promise, timeoutPromise]);
} finally {
clearTimeout(timeoutId!);
}
}
/**
* Cloud provider connector interface for SyncOrchestrator
*
@@ -53,10 +77,10 @@ export interface SyncConnectorAdapter {
getGpuInstances?(): Promise<GpuInstanceInput[]>;
/** Fetch G8 instances (optional, only for Linode) */
getG8Instances?(): Promise<any[]>;
getG8Instances?(): Promise<G8InstanceInput[]>;
/** Fetch VPU instances (optional, only for Linode) */
getVpuInstances?(): Promise<any[]>;
getVpuInstances?(): Promise<VpuInstanceInput[]>;
/**
* Fetch pricing data for instances and regions
@@ -84,15 +108,12 @@ export interface SyncConnectorAdapter {
export class SyncOrchestrator {
private repos: RepositoryFactory;
private logger: ReturnType<typeof createLogger>;
private env?: Env;
constructor(
db: D1Database,
private vault: VaultClient,
env?: Env
private env: Env
) {
this.repos = new RepositoryFactory(db, env);
this.env = env;
this.logger = createLogger('[SyncOrchestrator]', env);
this.logger.info('Initialized');
}
@@ -121,21 +142,20 @@ export class SyncOrchestrator {
await this.repos.providers.updateSyncStatus(provider, 'syncing');
this.logger.info(`${provider}${stage}`);
// Stage 2: Fetch credentials from Vault
stage = SyncStage.FETCH_CREDENTIALS;
// Stage 2: Initialize connector and authenticate
const connector = await this.createConnector(provider, providerRecord.id);
await connector.authenticate();
this.logger.info(`${provider}${stage}`);
await withTimeout(connector.authenticate(), 10000, `${provider} authentication`);
this.logger.info(`${provider}initialized`);
// Stage 3: Fetch regions from provider API
stage = SyncStage.FETCH_REGIONS;
const regions = await connector.getRegions();
const regions = await withTimeout(connector.getRegions(), 15000, `${provider} fetch regions`);
this.logger.info(`${provider}${stage}`, { regions: regions.length });
// Stage 4: Fetch instance types from provider API
stage = SyncStage.FETCH_INSTANCES;
const instances = await connector.getInstanceTypes();
const instances = await withTimeout(connector.getInstanceTypes(), 30000, `${provider} fetch instances`);
this.logger.info(`${provider}${stage}`, { instances: instances.length });
// Stage 5: Normalize data (add provider_id)
@@ -170,8 +190,8 @@ export class SyncOrchestrator {
if (provider.toLowerCase() === 'linode') {
// GPU instances
if ('getGpuInstances' in connector) {
const gpuInstances = await (connector as any).getGpuInstances();
if (connector.getGpuInstances) {
const gpuInstances = await withTimeout(connector.getGpuInstances(), 15000, `${provider} fetch GPU instances`);
if (gpuInstances && gpuInstances.length > 0) {
gpuInstancesCount = await this.repos.gpuInstances.upsertMany(
providerRecord.id,
@@ -181,8 +201,8 @@ export class SyncOrchestrator {
}
// G8 instances
if ('getG8Instances' in connector) {
const g8Instances = await (connector as any).getG8Instances();
if (connector.getG8Instances) {
const g8Instances = await withTimeout(connector.getG8Instances(), 15000, `${provider} fetch G8 instances`);
if (g8Instances && g8Instances.length > 0) {
g8InstancesCount = await this.repos.g8Instances.upsertMany(
providerRecord.id,
@@ -192,8 +212,8 @@ export class SyncOrchestrator {
}
// VPU instances
if ('getVpuInstances' in connector) {
const vpuInstances = await (connector as any).getVpuInstances();
if (connector.getVpuInstances) {
const vpuInstances = await withTimeout(connector.getVpuInstances(), 15000, `${provider} fetch VPU instances`);
if (vpuInstances && vpuInstances.length > 0) {
vpuInstancesCount = await this.repos.vpuInstances.upsertMany(
providerRecord.id,
@@ -205,8 +225,8 @@ export class SyncOrchestrator {
// Handle Vultr GPU instances
if (provider.toLowerCase() === 'vultr') {
if ('getGpuInstances' in connector) {
const gpuInstances = await (connector as any).getGpuInstances();
if (connector.getGpuInstances) {
const gpuInstances = await withTimeout(connector.getGpuInstances(), 15000, `${provider} fetch GPU instances`);
if (gpuInstances && gpuInstances.length > 0) {
gpuInstancesCount = await this.repos.gpuInstances.upsertMany(
providerRecord.id,
@@ -234,9 +254,27 @@ export class SyncOrchestrator {
throw new Error('Failed to fetch regions/instances for pricing');
}
// Type-safe extraction of IDs and mapping data from batch results
const regionIds = (dbRegionsResult.results as Array<{ id: number }>).map(r => r.id);
const dbInstancesData = dbInstancesResult.results as Array<{ id: number; instance_id: string }>;
// Validate and extract region IDs
if (!Array.isArray(dbRegionsResult.results)) {
throw new Error('Unexpected database result format for regions');
}
const regionIds = dbRegionsResult.results.map((r: any) => {
if (typeof r?.id !== 'number') {
throw new Error('Invalid region id in database result');
}
return r.id;
});
// Validate and extract instance type data
if (!Array.isArray(dbInstancesResult.results)) {
throw new Error('Unexpected database result format for instances');
}
const dbInstancesData = dbInstancesResult.results.map((i: any) => {
if (typeof i?.id !== 'number' || typeof i?.instance_id !== 'string') {
throw new Error('Invalid instance data in database result');
}
return { id: i.id, instance_id: i.instance_id };
});
const instanceTypeIds = dbInstancesData.map(i => i.id);
// Create instance mapping to avoid redundant queries in getPricing
@@ -244,26 +282,56 @@ export class SyncOrchestrator {
dbInstancesData.map(i => [i.id, { instance_id: i.instance_id }])
);
// Create specialized instance mappings
// Create specialized instance mappings with validation
if (!Array.isArray(dbGpuResult.results)) {
throw new Error('Unexpected database result format for GPU instances');
}
const dbGpuMap = new Map(
(dbGpuResult.results as Array<{ id: number; instance_id: string }>).map(i => [i.id, { instance_id: i.instance_id }])
dbGpuResult.results.map((i: any) => {
if (typeof i?.id !== 'number' || typeof i?.instance_id !== 'string') {
throw new Error('Invalid GPU instance data in database result');
}
return [i.id, { instance_id: i.instance_id }];
})
);
if (!Array.isArray(dbG8Result.results)) {
throw new Error('Unexpected database result format for G8 instances');
}
const dbG8Map = new Map(
(dbG8Result.results as Array<{ id: number; instance_id: string }>).map(i => [i.id, { instance_id: i.instance_id }])
dbG8Result.results.map((i: any) => {
if (typeof i?.id !== 'number' || typeof i?.instance_id !== 'string') {
throw new Error('Invalid G8 instance data in database result');
}
return [i.id, { instance_id: i.instance_id }];
})
);
if (!Array.isArray(dbVpuResult.results)) {
throw new Error('Unexpected database result format for VPU instances');
}
const dbVpuMap = new Map(
(dbVpuResult.results as Array<{ id: number; instance_id: string }>).map(i => [i.id, { instance_id: i.instance_id }])
dbVpuResult.results.map((i: any) => {
if (typeof i?.id !== 'number' || typeof i?.instance_id !== 'string') {
throw new Error('Invalid VPU instance data in database result');
}
return [i.id, { instance_id: i.instance_id }];
})
);
// Get pricing data - may return array or count depending on provider
// Pass all instance maps for specialized pricing
const pricingResult = await connector.getPricing(
const pricingResult = await withTimeout(
connector.getPricing(
instanceTypeIds,
regionIds,
dbInstanceMap,
dbGpuMap,
dbG8Map,
dbVpuMap
),
60000,
`${provider} fetch pricing`
);
// Handle both return types: array (Linode, Vultr) or number (AWS with generator)
@@ -294,7 +362,7 @@ export class SyncOrchestrator {
this.logger.info(`${provider}${stage}`);
// Stage 8: Sync Anvil Pricing (if applicable)
stage = 'SYNC_ANVIL_PRICING' as SyncStage;
stage = SyncStage.SYNC_ANVIL_PRICING;
let anvilPricingCount = 0;
try {
anvilPricingCount = await this.syncAnvilPricing(provider);
@@ -349,7 +417,7 @@ export class SyncOrchestrator {
error_details: {
stage,
message: errorMessage,
stack: error instanceof Error ? error.stack : undefined,
// Stack trace logged server-side only, not exposed to clients
},
};
}
@@ -357,46 +425,51 @@ export class SyncOrchestrator {
/**
* Synchronize all providers
* Runs synchronizations in parallel for efficiency
*
* IMPORTANT: Providers are synced sequentially (not in parallel) to avoid
* exceeding Cloudflare Workers' 30-second CPU time limit. Each provider
* sync involves multiple API calls and database operations.
*
* For production deployments with large datasets, consider using
* Cloudflare Queues to process each provider as a separate job.
*
* @param providers - Array of provider names to sync (defaults to all supported providers)
* @returns Complete sync report with statistics
*/
async syncAll(providers = ['linode', 'vultr', 'aws']): Promise<SyncReport> {
async syncAll(providers: string[] = [...SUPPORTED_PROVIDERS]): Promise<SyncReport> {
const startedAt = new Date().toISOString();
const startTime = Date.now();
this.logger.info('Starting sync for providers', { providers: providers.join(', ') });
this.logger.info('Starting sequential sync for providers', { providers: providers.join(', ') });
// Run all provider syncs in parallel
const results = await Promise.allSettled(
providers.map(p => this.syncProvider(p))
);
// Run provider syncs sequentially to avoid CPU timeout
// Each provider sync is independent and can complete within time limits
const providerResults: ProviderSyncResult[] = [];
// Extract results
const providerResults: ProviderSyncResult[] = results.map((result, index) => {
if (result.status === 'fulfilled') {
return result.value;
} else {
// Handle rejected promises
const provider = providers[index];
const errorMessage = result.reason instanceof Error
? result.reason.message
: 'Unknown error';
for (const provider of providers) {
try {
const result = await this.syncProvider(provider);
providerResults.push(result);
this.logger.error(`${provider} promise rejected`, { error: result.reason instanceof Error ? result.reason.message : String(result.reason) });
return {
// Log progress after each provider
this.logger.info('Provider sync completed', {
provider,
success: result.success,
elapsed_ms: Date.now() - startTime
});
} catch (error) {
// Handle unexpected errors
providerResults.push({
provider,
success: false,
regions_synced: 0,
instances_synced: 0,
pricing_synced: 0,
duration_ms: 0,
error: errorMessage,
};
}
error: error instanceof Error ? error.message : 'Unknown error',
});
}
}
const completedAt = new Date().toISOString();
const totalDuration = Date.now() - startTime;
@@ -452,7 +525,7 @@ export class SyncOrchestrator {
dbInstanceMap: Map<number, { instance_id: string }>,
rawInstanceMap: Map<string, { Cost: number; MonthlyPrice: number }>
): Generator<PricingInput[], void, void> {
const BATCH_SIZE = 100;
const BATCH_SIZE = 500;
let batch: PricingInput[] = [];
for (const regionId of regionIds) {
@@ -515,7 +588,10 @@ export class SyncOrchestrator {
rawInstanceMap: Map<string, { id: string; price: { hourly: number; monthly: number } }>,
env?: Env
): Generator<PricingInput[], void, void> {
const BATCH_SIZE = parseInt(env?.SYNC_BATCH_SIZE || '100', 10);
const BATCH_SIZE = Math.min(
Math.max(parseInt(env?.SYNC_BATCH_SIZE || '500', 10) || 500, 1),
1000
);
let batch: PricingInput[] = [];
for (const regionId of regionIds) {
@@ -578,7 +654,10 @@ export class SyncOrchestrator {
rawPlanMap: Map<string, { id: string; monthly_cost: number }>,
env?: Env
): Generator<PricingInput[], void, void> {
const BATCH_SIZE = parseInt(env?.SYNC_BATCH_SIZE || '100', 10);
const BATCH_SIZE = Math.min(
Math.max(parseInt(env?.SYNC_BATCH_SIZE || '500', 10) || 500, 1),
1000
);
let batch: PricingInput[] = [];
for (const regionId of regionIds) {
@@ -644,7 +723,10 @@ export class SyncOrchestrator {
rawInstanceMap: Map<string, { id: string; price: { hourly: number; monthly: number } }>,
env?: Env
): Generator<GpuPricingInput[], void, void> {
const BATCH_SIZE = parseInt(env?.SYNC_BATCH_SIZE || '100', 10);
const BATCH_SIZE = Math.min(
Math.max(parseInt(env?.SYNC_BATCH_SIZE || '500', 10) || 500, 1),
1000
);
let batch: GpuPricingInput[] = [];
for (const regionId of regionIds) {
@@ -707,7 +789,10 @@ export class SyncOrchestrator {
rawPlanMap: Map<string, { id: string; monthly_cost: number }>,
env?: Env
): Generator<GpuPricingInput[], void, void> {
const BATCH_SIZE = parseInt(env?.SYNC_BATCH_SIZE || '100', 10);
const BATCH_SIZE = Math.min(
Math.max(parseInt(env?.SYNC_BATCH_SIZE || '500', 10) || 500, 1),
1000
);
let batch: GpuPricingInput[] = [];
for (const regionId of regionIds) {
@@ -759,9 +844,12 @@ export class SyncOrchestrator {
dbG8InstanceMap: Map<number, { instance_id: string }>,
rawInstanceMap: Map<string, { id: string; price: { hourly: number; monthly: number } }>,
env?: Env
): Generator<any[], void, void> {
const BATCH_SIZE = parseInt(env?.SYNC_BATCH_SIZE || '100', 10);
let batch: any[] = [];
): Generator<G8PricingInput[], void, void> {
const BATCH_SIZE = Math.min(
Math.max(parseInt(env?.SYNC_BATCH_SIZE || '500', 10) || 500, 1),
1000
);
let batch: G8PricingInput[] = [];
for (const regionId of regionIds) {
for (const g8InstanceId of g8InstanceTypeIds) {
@@ -809,9 +897,12 @@ export class SyncOrchestrator {
dbVpuInstanceMap: Map<number, { instance_id: string }>,
rawInstanceMap: Map<string, { id: string; price: { hourly: number; monthly: number } }>,
env?: Env
): Generator<any[], void, void> {
const BATCH_SIZE = parseInt(env?.SYNC_BATCH_SIZE || '100', 10);
let batch: any[] = [];
): Generator<VpuPricingInput[], void, void> {
const BATCH_SIZE = Math.min(
Math.max(parseInt(env?.SYNC_BATCH_SIZE || '500', 10) || 500, 1),
1000
);
let batch: VpuPricingInput[] = [];
for (const regionId of regionIds) {
for (const vpuInstanceId of vpuInstanceTypeIds) {
@@ -910,8 +1001,26 @@ export class SyncOrchestrator {
count: anvilPricingRecords.length
});
// Step 4: Fetch source pricing data in batch
const sourcePricingResult = await this.repos.db
// Step 4: Fetch source pricing data with paired conditions
// Batch queries to avoid SQLite limits (max 100 pairs per query)
const CHUNK_SIZE = 100;
const allSourcePricing: Array<{
instance_type_id: number;
region_id: number;
hourly_price: number;
monthly_price: number;
}> = [];
for (let i = 0; i < anvilPricingRecords.length; i += CHUNK_SIZE) {
const chunk = anvilPricingRecords.slice(i, i + CHUNK_SIZE);
if (chunk.length === 0) continue;
const conditions = chunk
.map(() => '(instance_type_id = ? AND region_id = ?)')
.join(' OR ');
const params = chunk.flatMap(r => [r.source_instance_id, r.source_region_id]);
const chunkResult = await this.repos.db
.prepare(`
SELECT
instance_type_id,
@@ -919,13 +1028,9 @@ export class SyncOrchestrator {
hourly_price,
monthly_price
FROM pricing
WHERE instance_type_id IN (${anvilPricingRecords.map(() => '?').join(',')})
AND region_id IN (${anvilPricingRecords.map(() => '?').join(',')})
WHERE ${conditions}
`)
.bind(
...anvilPricingRecords.map(r => r.source_instance_id),
...anvilPricingRecords.map(r => r.source_region_id)
)
.bind(...params)
.all<{
instance_type_id: number;
region_id: number;
@@ -933,14 +1038,19 @@ export class SyncOrchestrator {
monthly_price: number;
}>();
if (!sourcePricingResult.success || sourcePricingResult.results.length === 0) {
if (chunkResult.success && chunkResult.results) {
allSourcePricing.push(...chunkResult.results);
}
}
if (allSourcePricing.length === 0) {
this.logger.warn('No source pricing data found', { provider });
return 0;
}
// Step 5: Build lookup map: `${instance_type_id}_${region_id}` → pricing
const sourcePricingMap = new Map<string, { hourly_price: number; monthly_price: number }>(
sourcePricingResult.results.map(p => [
allSourcePricing.map(p => [
`${p.instance_type_id}_${p.region_id}`,
{ hourly_price: p.hourly_price, monthly_price: p.monthly_price }
])
@@ -1021,7 +1131,7 @@ export class SyncOrchestrator {
private async createConnector(provider: string, providerId: number): Promise<SyncConnectorAdapter> {
switch (provider.toLowerCase()) {
case 'linode': {
const connector = new LinodeConnector(this.vault);
const connector = new LinodeConnector(this.env);
// Cache instance types for pricing extraction
let cachedInstanceTypes: Awaited<ReturnType<typeof connector.fetchInstanceTypes>> | null = null;
@@ -1059,7 +1169,7 @@ export class SyncOrchestrator {
const gpuInstances = cachedInstanceTypes.filter(i => i.gpus > 0);
return gpuInstances.map(i => connector.normalizeGpuInstance(i, providerId));
},
getG8Instances: async (): Promise<any[]> => {
getG8Instances: async (): Promise<G8InstanceInput[]> => {
// Use cached instances if available to avoid redundant API calls
if (!cachedInstanceTypes) {
this.logger.info('Fetching instance types for G8 extraction');
@@ -1072,7 +1182,7 @@ export class SyncOrchestrator {
);
return g8Instances.map(i => connector.normalizeG8Instance(i, providerId));
},
getVpuInstances: async (): Promise<any[]> => {
getVpuInstances: async (): Promise<VpuInstanceInput[]> => {
// Use cached instances if available to avoid redundant API calls
if (!cachedInstanceTypes) {
this.logger.info('Fetching instance types for VPU extraction');
@@ -1239,7 +1349,7 @@ export class SyncOrchestrator {
}
case 'vultr': {
const connector = new VultrConnector(this.vault);
const connector = new VultrConnector(this.env);
// Cache plans for pricing extraction
let cachedPlans: Awaited<ReturnType<typeof connector.fetchPlans>> | null = null;
@@ -1356,7 +1466,7 @@ export class SyncOrchestrator {
}
case 'aws': {
const connector = new AWSConnector(this.vault);
const connector = new AWSConnector(this.env);
// Cache instance types for pricing extraction
let cachedInstanceTypes: Awaited<ReturnType<typeof connector.fetchInstanceTypes>> | null = null;

133
src/types.ts
View File

@@ -1,38 +1,3 @@
/**
* Vault Credentials Types - supports different providers
*/
export interface VaultCredentials {
provider: string;
api_token?: string; // Linode
api_key?: string; // Vultr
aws_access_key_id?: string; // AWS
aws_secret_access_key?: string; // AWS
}
/**
* Vault API Response Structure - flexible for different providers
*/
export interface VaultSecretResponse {
data: {
data: Record<string, string>; // Flexible key-value pairs
metadata: {
created_time: string;
custom_metadata: null;
deletion_time: string;
destroyed: boolean;
version: number;
};
};
}
/**
* Cache Entry Structure
*/
export interface CacheEntry<T> {
data: T;
expiresAt: number;
}
// ============================================================
// Database Entity Types
// ============================================================
@@ -283,6 +248,8 @@ export interface InstanceQueryParams {
page?: number;
/** Number of results per page */
limit?: number;
/** Force total count calculation (performance optimization: only runs on first page by default) */
include_count?: boolean;
}
/**
@@ -430,20 +397,23 @@ export interface Env {
DB: D1Database;
/** KV namespace for rate limiting */
RATE_LIMIT_KV: KVNamespace;
/** Vault server URL for credentials management */
VAULT_URL: string;
/** Vault authentication token */
VAULT_TOKEN: string;
/** API key for request authentication */
API_KEY: string;
/** Provider API credentials (from Wrangler secrets) */
LINODE_API_TOKEN?: string;
VULTR_API_KEY?: string;
AWS_ACCESS_KEY_ID?: string;
AWS_SECRET_ACCESS_KEY?: string;
/** Batch size for synchronization operations */
SYNC_BATCH_SIZE?: string;
/** Cache TTL in seconds */
CACHE_TTL_SECONDS?: string;
/** Log level (debug, info, warn, error, none) - Controls logging verbosity */
LOG_LEVEL?: string;
/** CORS origin for Access-Control-Allow-Origin header (default: '*') */
/** CORS origin for Access-Control-Allow-Origin header */
CORS_ORIGIN?: string;
/** Environment (development|production) - Controls development-specific features */
ENVIRONMENT?: string;
}
// ============================================================
@@ -458,8 +428,6 @@ export enum SyncStage {
IDLE = 'idle',
/** Initialization stage */
INIT = 'init',
/** Fetching provider credentials from Vault */
FETCH_CREDENTIALS = 'fetch_credentials',
/** Fetching regions from provider API */
FETCH_REGIONS = 'fetch_regions',
/** Fetching instance types from provider API */
@@ -476,6 +444,8 @@ export enum SyncStage {
STORE_DATA = 'store_data',
/** Validation stage */
VALIDATE = 'validate',
/** Synchronizing Anvil pricing from source provider */
SYNC_ANVIL_PRICING = 'sync_anvil_pricing',
/** Sync completed successfully */
COMPLETE = 'complete',
/** Legacy alias for COMPLETE */
@@ -518,85 +488,6 @@ export interface ApiError {
path?: string;
}
// ============================================================
// Recommendation API Types
// ============================================================
/**
* Scale type for resource requirements
*/
export type ScaleType = 'small' | 'medium' | 'large';
/**
* Request body for instance recommendations
*/
export interface RecommendationRequest {
/** Technology stack components (e.g., ['nginx', 'mysql', 'redis']) */
stack: string[];
/** Deployment scale (small/medium/large) */
scale: ScaleType;
/** Maximum monthly budget in USD (optional) */
budget_max?: number;
}
/**
* Calculated resource requirements based on stack and scale
*/
export interface ResourceRequirements {
/** Minimum required memory in MB */
min_memory_mb: number;
/** Minimum required vCPU count */
min_vcpu: number;
/** Memory breakdown by component */
breakdown: Record<string, string>;
}
/**
* Individual instance recommendation with scoring
*/
export interface InstanceRecommendation {
/** Recommendation rank (1 = best match) */
rank: number;
/** Cloud provider name */
provider: string;
/** Instance type identifier */
instance: string;
/** Region code */
region: string;
/** Instance specifications */
specs: {
/** Virtual CPU count */
vcpu: number;
/** Memory in MB */
memory_mb: number;
/** Storage in GB */
storage_gb: number;
};
/** Pricing information */
price: {
/** Monthly price in USD */
monthly: number;
/** Hourly price in USD */
hourly: number;
};
/** Match score (0-100) */
match_score: number;
/** Advantages of this instance */
pros: string[];
/** Disadvantages or considerations */
cons: string[];
}
/**
* Complete recommendation response
*/
export interface RecommendationResponse {
/** Calculated resource requirements */
requirements: ResourceRequirements;
/** List of recommended instances (sorted by match score) */
recommendations: InstanceRecommendation[];
}
// ============================================================
// Anvil Product Types
// ============================================================

2
src/utils/logger.test.ts
View File

@@ -20,8 +20,6 @@ const createMockEnv = (logLevel?: string): Env => ({
LOG_LEVEL: logLevel,
DB: {} as any,
RATE_LIMIT_KV: {} as any,
VAULT_URL: 'https://vault.example.com',
VAULT_TOKEN: 'test-token',
API_KEY: 'test-api-key',
});

7
src/utils/logger.ts
View File

@@ -59,7 +59,12 @@ export class Logger {
const MAX_DEPTH = 5; // Prevent infinite recursion
if (depth > MAX_DEPTH) return data;
const sensitiveKeys = ['api_key', 'api_token', 'password', 'secret', 'token', 'key', 'authorization', 'credential'];
const sensitiveKeys = [
'api_key', 'api_token', 'password', 'secret', 'token', 'key',
'authorization', 'credential', 'access_key', 'private_key',
'bearer', 'auth', 'session', 'cookie', 'jwt', 'refresh_token',
'client_secret', 'aws_secret', 'linode_token', 'vultr_key'
];
const masked: Record<string, unknown> = {};
for (const [key, value] of Object.entries(data)) {

325
tests/vault.test.ts
View File

@@ -1,325 +0,0 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
import { VaultClient, VaultError } from '../src/connectors/vault';
import type { VaultSecretResponse } from '../src/types';
// Mock fetch globally
const mockFetch = vi.fn();
global.fetch = mockFetch;
describe('VaultClient', () => {
const baseUrl = 'https://vault.anvil.it.com';
const token = 'hvs.test-token';
let client: VaultClient;
beforeEach(() => {
client = new VaultClient(baseUrl, token);
mockFetch.mockClear();
});
afterEach(() => {
vi.clearAllTimers();
});
describe('constructor', () => {
it('should initialize with correct baseUrl and token', () => {
expect(client).toBeInstanceOf(VaultClient);
});
it('should remove trailing slash from baseUrl', () => {
const clientWithSlash = new VaultClient('https://vault.anvil.it.com/', token);
expect(clientWithSlash).toBeInstanceOf(VaultClient);
});
});
describe('getCredentials', () => {
const mockSuccessResponse: VaultSecretResponse = {
data: {
data: {
provider: 'linode',
api_token: 'test-api-token-123',
},
metadata: {
created_time: '2024-01-21T10:00:00Z',
custom_metadata: null,
deletion_time: '',
destroyed: false,
version: 1,
},
},
};
it('should successfully retrieve credentials from Vault', async () => {
mockFetch.mockResolvedValueOnce({
ok: true,
status: 200,
json: async () => mockSuccessResponse,
});
const credentials = await client.getCredentials('linode');
expect(credentials).toEqual({
provider: 'linode',
api_token: 'test-api-token-123',
});
expect(mockFetch).toHaveBeenCalledWith(
'https://vault.anvil.it.com/v1/secret/data/linode',
expect.objectContaining({
method: 'GET',
headers: {
'X-Vault-Token': token,
'Content-Type': 'application/json',
},
})
);
});
it('should use cached credentials on second call', async () => {
mockFetch.mockResolvedValueOnce({
ok: true,
status: 200,
json: async () => mockSuccessResponse,
});
// First call - should fetch from Vault
const credentials1 = await client.getCredentials('linode');
expect(mockFetch).toHaveBeenCalledTimes(1);
// Second call - should use cache
const credentials2 = await client.getCredentials('linode');
expect(mockFetch).toHaveBeenCalledTimes(1); // No additional fetch
expect(credentials2).toEqual(credentials1);
});
it('should throw VaultError on 401 Unauthorized', async () => {
mockFetch.mockResolvedValue({
ok: false,
status: 401,
statusText: 'Unauthorized',
json: async () => ({ errors: ['permission denied'] }),
});
await expect(client.getCredentials('linode')).rejects.toThrow(VaultError);
});
it('should throw VaultError on 403 Forbidden', async () => {
mockFetch.mockResolvedValue({
ok: false,
status: 403,
statusText: 'Forbidden',
json: async () => ({ errors: ['permission denied'] }),
});
await expect(client.getCredentials('linode')).rejects.toThrow(VaultError);
});
it('should throw VaultError on 404 Not Found', async () => {
mockFetch.mockResolvedValue({
ok: false,
status: 404,
statusText: 'Not Found',
json: async () => ({}),
});
await expect(client.getCredentials('unknown')).rejects.toThrow(VaultError);
});
it('should throw VaultError on 500 Server Error', async () => {
mockFetch.mockResolvedValue({
ok: false,
status: 500,
statusText: 'Internal Server Error',
json: async () => ({ errors: ['internal server error'] }),
});
await expect(client.getCredentials('linode')).rejects.toThrow(VaultError);
});
it('should throw VaultError on timeout', async () => {
// Mock fetch to simulate AbortError
mockFetch.mockImplementation(() => {
const error = new Error('This operation was aborted');
error.name = 'AbortError';
return Promise.reject(error);
});
await expect(client.getCredentials('linode')).rejects.toThrow(VaultError);
});
it('should throw VaultError on invalid response structure', async () => {
mockFetch.mockResolvedValue({
ok: true,
status: 200,
json: async () => ({ invalid: 'structure' }),
});
await expect(client.getCredentials('linode')).rejects.toThrow(VaultError);
});
it('should throw VaultError on missing required fields', async () => {
mockFetch.mockResolvedValue({
ok: true,
status: 200,
json: async () => ({
data: {
data: {
provider: 'linode',
api_token: '', // Empty token
},
metadata: mockSuccessResponse.data.metadata,
},
}),
});
await expect(client.getCredentials('linode')).rejects.toThrow(VaultError);
});
it('should handle network errors gracefully', async () => {
mockFetch.mockRejectedValue(new Error('Network error'));
await expect(client.getCredentials('linode')).rejects.toThrow(VaultError);
});
});
describe('cache management', () => {
it('should clear cache for specific provider', async () => {
const mockResponse: VaultSecretResponse = {
data: {
data: { provider: 'linode', api_token: 'token1' },
metadata: {
created_time: '2024-01-21T10:00:00Z',
custom_metadata: null,
deletion_time: '',
destroyed: false,
version: 1,
},
},
};
mockFetch.mockResolvedValue({
ok: true,
status: 200,
json: async () => mockResponse,
});
// Fetch and cache
await client.getCredentials('linode');
expect(mockFetch).toHaveBeenCalledTimes(1);
// Clear cache
client.clearCache('linode');
// Should fetch again
await client.getCredentials('linode');
expect(mockFetch).toHaveBeenCalledTimes(2);
});
it('should clear all cache', async () => {
const mockLinode: VaultSecretResponse = {
data: {
data: { provider: 'linode', api_token: 'token1' },
metadata: {
created_time: '2024-01-21T10:00:00Z',
custom_metadata: null,
deletion_time: '',
destroyed: false,
version: 1,
},
},
};
const mockVultr: VaultSecretResponse = {
data: {
data: { provider: 'vultr', api_token: 'token2' },
metadata: {
created_time: '2024-01-21T10:00:00Z',
custom_metadata: null,
deletion_time: '',
destroyed: false,
version: 1,
},
},
};
mockFetch
.mockResolvedValueOnce({
ok: true,
status: 200,
json: async () => mockLinode,
})
.mockResolvedValueOnce({
ok: true,
status: 200,
json: async () => mockVultr,
});
// Cache both providers
await client.getCredentials('linode');
await client.getCredentials('vultr');
const statsBefore = client.getCacheStats();
expect(statsBefore.size).toBe(2);
expect(statsBefore.providers).toContain('linode');
expect(statsBefore.providers).toContain('vultr');
// Clear all cache
client.clearCache();
const statsAfter = client.getCacheStats();
expect(statsAfter.size).toBe(0);
expect(statsAfter.providers).toEqual([]);
});
it('should provide cache statistics', async () => {
const mockResponse: VaultSecretResponse = {
data: {
data: { provider: 'linode', api_token: 'token1' },
metadata: {
created_time: '2024-01-21T10:00:00Z',
custom_metadata: null,
deletion_time: '',
destroyed: false,
version: 1,
},
},
};
mockFetch.mockResolvedValue({
ok: true,
status: 200,
json: async () => mockResponse,
});
// Initially empty
let stats = client.getCacheStats();
expect(stats.size).toBe(0);
expect(stats.providers).toEqual([]);
// After caching
await client.getCredentials('linode');
stats = client.getCacheStats();
expect(stats.size).toBe(1);
expect(stats.providers).toEqual(['linode']);
});
});
describe('VaultError', () => {
it('should create error with all properties', () => {
const error = new VaultError('Test error', 404, 'linode');
expect(error).toBeInstanceOf(Error);
expect(error.name).toBe('VaultError');
expect(error.message).toBe('Test error');
expect(error.statusCode).toBe(404);
expect(error.provider).toBe('linode');
});
it('should create error without optional properties', () => {
const error = new VaultError('Test error');
expect(error.message).toBe('Test error');
expect(error.statusCode).toBeUndefined();
expect(error.provider).toBeUndefined();
});
});
});

3
wrangler.toml
View File

@@ -24,6 +24,5 @@ CORS_ORIGIN = "*"
# Cron Triggers
[triggers]
crons = [
"0 0 * * *",
"0 */6 * * *"
"0 0 * * *"
]