feat(app): add lightweight status access tracking

2026-04-04 14:16:02 +02:00
parent 7c41a3e846
commit 50870dd369
8 changed files with 405 additions and 63 deletions
--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -158,7 +158,9 @@ func Run(ctx context.Context, configPath string) error {

 func routes(logger *slog.Logger, cfg *config.Config, info buildinfo.Info, db *store.DB, provider ai.Provider, keyring *auth.Keyring, oauthRegistry *auth.OAuthRegistry, tokenStore *auth.TokenStore, authCodes *auth.AuthCodeStore, dynClients *auth.DynamicClientStore, activeProjects *session.ActiveProjects) (http.Handler, error) {
 	mux := http.NewServeMux()
-	authMiddleware := auth.Middleware(cfg.Auth, keyring, oauthRegistry, tokenStore, logger)
+	accessTracker := auth.NewAccessTracker()
+	oauthEnabled := oauthRegistry != nil && tokenStore != nil
+	authMiddleware := auth.Middleware(cfg.Auth, keyring, oauthRegistry, tokenStore, accessTracker, logger)
 	filesTool := tools.NewFilesTool(db, activeProjects)
 	metadataRetryer := tools.NewMetadataRetryer(context.Background(), db, provider, cfg.Capture, cfg.AI.Metadata.Timeout, activeProjects, logger)

@@ -198,7 +200,7 @@ func routes(logger *slog.Logger, cfg *config.Config, info buildinfo.Info, db *st
 	mux.Handle(cfg.MCP.Path, authMiddleware(mcpHandler))
 	mux.Handle("/files", authMiddleware(fileHandler(filesTool)))
 	mux.Handle("/files/{id}", authMiddleware(fileHandler(filesTool)))
-	if oauthRegistry != nil && tokenStore != nil {
+	if oauthEnabled {
 		mux.HandleFunc("/.well-known/oauth-authorization-server", oauthMetadataHandler())
 		mux.HandleFunc("/oauth-authorization-server", oauthMetadataHandler())
 		mux.HandleFunc("/oauth/register", oauthRegisterHandler(dynClients, logger))
@@ -227,59 +229,7 @@ func routes(logger *slog.Logger, cfg *config.Config, info buildinfo.Info, db *st
 		_, _ = w.Write([]byte("ready"))
 	})

-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path != "/" {
-			http.NotFound(w, r)
-			return
-		}
-
-		if r.Method != http.MethodGet && r.Method != http.MethodHead {
-			w.Header().Set("Allow", "GET, HEAD")
-			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-			return
-		}
-
-		const homePage = `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>AMCS</title>
-  <style>
-    body { margin: 0; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background: #f5f7fb; color: #172033; }
-    main { max-width: 860px; margin: 48px auto; background: #fff; border-radius: 12px; box-shadow: 0 10px 28px rgba(23, 32, 51, 0.12); overflow: hidden; }
-    .content { padding: 28px; }
-    h1 { margin: 0 0 12px 0; font-size: 2rem; }
-    p { margin: 0; line-height: 1.5; color: #334155; }
-    .actions { margin-top: 18px; }
-    .link { display: inline-block; padding: 10px 14px; border-radius: 8px; background: #172033; color: #fff; text-decoration: none; font-weight: 600; }
-    .link:hover { background: #0f172a; }
-    img { display: block; width: 100%; height: auto; }
-  </style>
-</head>
-<body>
-  <main>
-    <img src="/images/project.jpg" alt="Avelon Memory Crystal project image">
-    <div class="content">
-      <h1>Avelon Memory Crystal Server (AMCS)</h1>
-      <p>AMCS is a memory server that captures, links, and retrieves structured project thoughts for AI assistants using semantic search, summaries, and MCP tools.</p>
-      <div class="actions">
-        <a class="link" href="/llm">LLM Instructions</a>
-        <a class="link" href="/oauth-authorization-server">OAuth Authorization Server</a>
-        <a class="link" href="/healthz">Health Check</a>
-      </div>
-    </div>
-  </main>
-</body>
-</html>`
-		w.Header().Set("Content-Type", "text/html; charset=utf-8")
-		w.WriteHeader(http.StatusOK)
-		if r.Method == http.MethodHead {
-			return
-		}
-
-		_, _ = w.Write([]byte(homePage))
-	})
+	mux.HandleFunc("/", homeHandler(info, accessTracker, oauthEnabled))

 	return observability.Chain(
 		mux,
--- a/internal/app/status.go
+++ b/internal/app/status.go
@@ -0,0 +1,171 @@
+package app
+
+import (
+	"fmt"
+	"html"
+	"net/http"
+	"strings"
+	"time"
+
+	"git.warky.dev/wdevs/amcs/internal/auth"
+	"git.warky.dev/wdevs/amcs/internal/buildinfo"
+)
+
+const connectedWindow = 10 * time.Minute
+
+type statusPageData struct {
+	Version        string
+	BuildDate      string
+	Commit         string
+	ConnectedCount int
+	TotalKnown     int
+	Entries        []auth.AccessSnapshot
+	OAuthEnabled   bool
+}
+
+func renderHomePage(info buildinfo.Info, tracker *auth.AccessTracker, oauthEnabled bool, now time.Time) string {
+	entries := tracker.Snapshot()
+	data := statusPageData{
+		Version:        fallback(info.Version, "dev"),
+		BuildDate:      fallback(info.BuildDate, "unknown"),
+		Commit:         fallback(info.Commit, "unknown"),
+		ConnectedCount: tracker.ConnectedCount(now, connectedWindow),
+		TotalKnown:     len(entries),
+		Entries:        entries,
+		OAuthEnabled:   oauthEnabled,
+	}
+
+	var b strings.Builder
+	b.WriteString(`<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>AMCS</title>
+  <style>
+    body { margin: 0; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background: #f5f7fb; color: #172033; }
+    main { max-width: 980px; margin: 48px auto; background: #fff; border-radius: 12px; box-shadow: 0 10px 28px rgba(23, 32, 51, 0.12); overflow: hidden; }
+    .content { padding: 28px; }
+    h1, h2 { margin: 0 0 12px 0; }
+    p { margin: 0; line-height: 1.5; color: #334155; }
+    .actions { margin-top: 18px; display: flex; flex-wrap: wrap; gap: 10px; }
+    .link { display: inline-block; padding: 10px 14px; border-radius: 8px; background: #172033; color: #fff; text-decoration: none; font-weight: 600; }
+    .link:hover { background: #0f172a; }
+    .stats { display: grid; grid-template-columns: repeat(auto-fit, minmax(160px, 1fr)); gap: 12px; margin-top: 24px; }
+    .card { background: #eef2ff; border-radius: 10px; padding: 16px; }
+    .label { display: block; font-size: 0.85rem; text-transform: uppercase; letter-spacing: 0.04em; color: #475569; }
+    .value { display: block; margin-top: 6px; font-size: 1.4rem; font-weight: 700; color: #0f172a; }
+    .meta { margin-top: 28px; color: #475569; font-size: 0.95rem; }
+    table { width: 100%; border-collapse: collapse; margin-top: 16px; }
+    th, td { text-align: left; padding: 10px 8px; border-bottom: 1px solid #e2e8f0; vertical-align: top; }
+    th { font-size: 0.85rem; text-transform: uppercase; letter-spacing: 0.04em; color: #475569; }
+    .empty { margin-top: 16px; color: #64748b; }
+    code { font-family: ui-monospace, SFMono-Regular, Menlo, monospace; }
+    img { display: block; width: 100%; height: auto; }
+  </style>
+</head>
+<body>
+  <main>
+    <img src="/images/project.jpg" alt="Avelon Memory Crystal project image">
+    <div class="content">
+      <h1>Avelon Memory Crystal Server (AMCS)</h1>
+      <p>AMCS is a memory server that captures, links, and retrieves structured project thoughts for AI assistants using semantic search, summaries, and MCP tools.</p>
+      <div class="actions">
+        <a class="link" href="/llm">LLM Instructions</a>
+        <a class="link" href="/healthz">Health Check</a>
+        <a class="link" href="/readyz">Readiness Check</a>`)
+	if data.OAuthEnabled {
+		b.WriteString(`
+        <a class="link" href="/oauth-authorization-server">OAuth Authorization Server</a>`)
+	}
+	b.WriteString(`
+      </div>
+
+      <div class="stats">
+        <div class="card">
+          <span class="label">Connected users</span>
+          <span class="value">` + fmt.Sprintf("%d", data.ConnectedCount) + `</span>
+        </div>
+        <div class="card">
+          <span class="label">Known principals</span>
+          <span class="value">` + fmt.Sprintf("%d", data.TotalKnown) + `</span>
+        </div>
+        <div class="card">
+          <span class="label">Version</span>
+          <span class="value">` + html.EscapeString(data.Version) + `</span>
+        </div>
+      </div>
+
+      <div class="meta">
+        <strong>Build date:</strong> ` + html.EscapeString(data.BuildDate) + ` &nbsp;•&nbsp;
+        <strong>Commit:</strong> <code>` + html.EscapeString(data.Commit) + `</code> &nbsp;•&nbsp;
+        <strong>Connected window:</strong> last 10 minutes
+      </div>
+
+      <h2 style="margin-top: 28px;">Recent access</h2>`)
+	if len(data.Entries) == 0 {
+		b.WriteString(`
+      <p class="empty">No authenticated access recorded yet.</p>`)
+	} else {
+		b.WriteString(`
+      <table>
+        <thead>
+          <tr>
+            <th>Principal</th>
+            <th>Last accessed</th>
+            <th>Last path</th>
+            <th>Requests</th>
+          </tr>
+        </thead>
+        <tbody>`)
+		for _, entry := range data.Entries {
+			b.WriteString(`
+          <tr>
+            <td><code>` + html.EscapeString(entry.KeyID) + `</code></td>
+            <td>` + html.EscapeString(entry.LastAccessedAt.UTC().Format(time.RFC3339)) + `</td>
+            <td>` + html.EscapeString(entry.LastPath) + `</td>
+            <td>` + fmt.Sprintf("%d", entry.RequestCount) + `</td>
+          </tr>`)
+		}
+		b.WriteString(`
+        </tbody>
+      </table>`)
+	}
+	b.WriteString(`
+    </div>
+  </main>
+</body>
+</html>`)
+
+	return b.String()
+}
+
+func fallback(value, defaultValue string) string {
+	if strings.TrimSpace(value) == "" {
+		return defaultValue
+	}
+	return value
+}
+
+func homeHandler(info buildinfo.Info, tracker *auth.AccessTracker, oauthEnabled bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/" {
+			http.NotFound(w, r)
+			return
+		}
+
+		if r.Method != http.MethodGet && r.Method != http.MethodHead {
+			w.Header().Set("Allow", "GET, HEAD")
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(http.StatusOK)
+		if r.Method == http.MethodHead {
+			return
+		}
+
+		_, _ = w.Write([]byte(renderHomePage(info, tracker, oauthEnabled, time.Now())))
+	}
+}
--- a/internal/app/status_test.go
+++ b/internal/app/status_test.go
@@ -0,0 +1,84 @@
+package app
+
+import (
+	"io"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"git.warky.dev/wdevs/amcs/internal/auth"
+	"git.warky.dev/wdevs/amcs/internal/buildinfo"
+	"git.warky.dev/wdevs/amcs/internal/config"
+)
+
+func TestRenderHomePageHidesOAuthLinkWhenDisabled(t *testing.T) {
+	tracker := auth.NewAccessTracker()
+	page := renderHomePage(buildinfo.Info{Version: "v1.2.3", BuildDate: "2026-04-04", Commit: "abc123"}, tracker, false, time.Date(2026, 4, 4, 12, 0, 0, 0, time.UTC))
+
+	if strings.Contains(page, "/oauth-authorization-server") {
+		t.Fatal("page unexpectedly contains OAuth link")
+	}
+	if !strings.Contains(page, "Connected users") {
+		t.Fatal("page missing Connected users stat")
+	}
+}
+
+func TestRenderHomePageShowsTrackedAccess(t *testing.T) {
+	tracker := auth.NewAccessTracker()
+	now := time.Date(2026, 4, 4, 12, 0, 0, 0, time.UTC)
+	tracker.Record("client-a", "/files", "127.0.0.1:1234", "tester", now)
+
+	page := renderHomePage(buildinfo.Info{Version: "v1.2.3"}, tracker, true, now)
+
+	for _, needle := range []string{"client-a", "/files", "1</span>", "/oauth-authorization-server"} {
+		if !strings.Contains(page, needle) {
+			t.Fatalf("page missing %q", needle)
+		}
+	}
+}
+
+func TestHomeHandlerAllowsHead(t *testing.T) {
+	handler := homeHandler(buildinfo.Info{Version: "v1"}, auth.NewAccessTracker(), false)
+	req := httptest.NewRequest(http.MethodHead, "/", nil)
+	rec := httptest.NewRecorder()
+
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK)
+	}
+	if body := rec.Body.String(); body != "" {
+		t.Fatalf("body = %q, want empty for HEAD", body)
+	}
+}
+
+func TestMiddlewareRecordsAuthenticatedAccess(t *testing.T) {
+	keyring, err := auth.NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
+	if err != nil {
+		t.Fatalf("NewKeyring() error = %v", err)
+	}
+	tracker := auth.NewAccessTracker()
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+	handler := auth.Middleware(config.AuthConfig{HeaderName: "x-brain-key"}, keyring, nil, nil, tracker, logger)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/files", nil)
+	req.Header.Set("x-brain-key", "secret")
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusNoContent {
+		t.Fatalf("status = %d, want %d", rec.Code, http.StatusNoContent)
+	}
+	snap := tracker.Snapshot()
+	if len(snap) != 1 {
+		t.Fatalf("len(snapshot) = %d, want 1", len(snap))
+	}
+	if snap[0].KeyID != "client-a" || snap[0].LastPath != "/files" {
+		t.Fatalf("snapshot[0] = %+v, want keyID client-a and path /files", snap[0])
+	}
+}