feat(tools): implement CRUD operations for thoughts and projects

* Add tools for creating, retrieving, updating, and deleting thoughts.
* Implement project management tools for creating and listing projects.
* Introduce linking functionality between thoughts.
* Add search and recall capabilities for thoughts based on semantic queries.
* Implement statistics and summarization tools for thought analysis.
* Create database migrations for thoughts, projects, and links.
* Add helper functions for UUID parsing and project resolution.

internal/auth/keyring.go

@@ -0,0 +1,29 @@
+package auth
+
+import (
+	"crypto/subtle"
+	"fmt"
+
+	"git.warky.dev/wdevs/amcs/internal/config"
+)
+
+type Keyring struct {
+	keys []config.APIKey
+}
+
+func NewKeyring(keys []config.APIKey) (*Keyring, error) {
+	if len(keys) == 0 {
+		return nil, fmt.Errorf("keyring requires at least one key")
+	}
+
+	return &Keyring{keys: append([]config.APIKey(nil), keys...)}, nil
+}
+
+func (k *Keyring) Lookup(value string) (string, bool) {
+	for _, key := range k.keys {
+		if subtle.ConstantTimeCompare([]byte(key.Value), []byte(value)) == 1 {
+			return key.ID, true
+		}
+	}
+	return "", false
+}

internal/auth/keyring_test.go

@@ -0,0 +1,107 @@
+package auth
+
+import (
+	"io"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"git.warky.dev/wdevs/amcs/internal/config"
+)
+
+func testLogger() *slog.Logger {
+	return slog.New(slog.NewTextHandler(io.Discard, nil))
+}
+
+func TestNewKeyringAndLookup(t *testing.T) {
+	_, err := NewKeyring(nil)
+	if err == nil {
+		t.Fatal("NewKeyring(nil) error = nil, want error")
+	}
+
+	keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
+	if err != nil {
+		t.Fatalf("NewKeyring() error = %v", err)
+	}
+
+	if got, ok := keyring.Lookup("secret"); !ok || got != "client-a" {
+		t.Fatalf("Lookup(secret) = (%q, %v), want (client-a, true)", got, ok)
+	}
+	if _, ok := keyring.Lookup("wrong"); ok {
+		t.Fatal("Lookup(wrong) = true, want false")
+	}
+}
+
+func TestMiddlewareAllowsHeaderAuthAndSetsContext(t *testing.T) {
+	keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
+	if err != nil {
+		t.Fatalf("NewKeyring() error = %v", err)
+	}
+
+	handler := Middleware(config.AuthConfig{HeaderName: "x-brain-key"}, keyring, testLogger())(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		keyID, ok := KeyIDFromContext(r.Context())
+		if !ok || keyID != "client-a" {
+			t.Fatalf("KeyIDFromContext() = (%q, %v), want (client-a, true)", keyID, ok)
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
+	req.Header.Set("x-brain-key", "secret")
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK)
+	}
+}
+
+func TestMiddlewareAllowsQueryParamWhenEnabled(t *testing.T) {
+	keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
+	if err != nil {
+		t.Fatalf("NewKeyring() error = %v", err)
+	}
+
+	handler := Middleware(config.AuthConfig{
+		HeaderName:      "x-brain-key",
+		QueryParam:      "key",
+		AllowQueryParam: true,
+	}, keyring, testLogger())(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNoContent)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/mcp?key=secret", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusNoContent {
+		t.Fatalf("status = %d, want %d", rec.Code, http.StatusNoContent)
+	}
+}
+
+func TestMiddlewareRejectsMissingOrInvalidKey(t *testing.T) {
+	keyring, err := NewKeyring([]config.APIKey{{ID: "client-a", Value: "secret"}})
+	if err != nil {
+		t.Fatalf("NewKeyring() error = %v", err)
+	}
+
+	handler := Middleware(config.AuthConfig{HeaderName: "x-brain-key"}, keyring, testLogger())(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next handler should not be called")
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("missing key status = %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+
+	req = httptest.NewRequest(http.MethodGet, "/mcp", nil)
+	req.Header.Set("x-brain-key", "wrong")
+	rec = httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("invalid key status = %d, want %d", rec.Code, http.StatusUnauthorized)
+	}
+}

internal/auth/middleware.go

@@ -0,0 +1,49 @@
+package auth
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"strings"
+
+	"git.warky.dev/wdevs/amcs/internal/config"
+)
+
+type contextKey string
+
+const keyIDContextKey contextKey = "auth.key_id"
+
+func Middleware(cfg config.AuthConfig, keyring *Keyring, log *slog.Logger) func(http.Handler) http.Handler {
+	headerName := cfg.HeaderName
+	if headerName == "" {
+		headerName = "x-brain-key"
+	}
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			token := strings.TrimSpace(r.Header.Get(headerName))
+			if token == "" && cfg.AllowQueryParam {
+				token = strings.TrimSpace(r.URL.Query().Get(cfg.QueryParam))
+			}
+
+			if token == "" {
+				http.Error(w, "missing API key", http.StatusUnauthorized)
+				return
+			}
+
+			keyID, ok := keyring.Lookup(token)
+			if !ok {
+				log.Warn("authentication failed", slog.String("remote_addr", r.RemoteAddr))
+				http.Error(w, "invalid API key", http.StatusUnauthorized)
+				return
+			}
+
+			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), keyIDContextKey, keyID)))
+		})
+	}
+}
+
+func KeyIDFromContext(ctx context.Context) (string, bool) {
+	value, ok := ctx.Value(keyIDContextKey).(string)
+	return value, ok
+}