feat(api): /v1 REST surface for external clients (v0.2.0)

Bearer-auth REST endpoints for humans, scripts, bots — anyone without browser-side ed25519. Same key model as broker WS, scoped by capability and optional topic whitelist. Endpoints (v0.2.0 minimum): - POST /v1/messages - GET /v1/topics - GET /v1/topics/:name/messages (limit, before cursor) - GET /v1/peers Auth: Authorization: Bearer cm_<secret>. Middleware verifies prefix + SHA-256 hash with constant-time compare; capability + topic-scope asserted per route. Cross-mesh isolation: every endpoint scopes to apiKey.meshId. Live delivery: writes to messageQueue + topic_message; broker's existing pendingTimer drains and pushes to live peers. Real-time push from REST writes is a follow-up. Spec: .artifacts/specs/2026-05-02-v0.2.0-scope.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 02:19:12 +01:00
parent 13d691980a
commit 56d7cc1c48
3 changed files with 374 additions and 0 deletions
--- a/packages/api/src/index.ts
+++ b/packages/api/src/index.ts
@@ -14,6 +14,7 @@ import { adminRouter } from "./modules/admin/router";
 import { authRouter } from "./modules/auth/router";
 import { billingRouter } from "./modules/billing/router";
 import { myRouter } from "./modules/mesh/router";
+import { v1Router } from "./modules/mesh/v1-router";
 import { organizationRouter } from "./modules/organization/router";
 import { publicRouter } from "./modules/public/router";
 import { storageRouter } from "./modules/storage/router";
@@ -51,6 +52,7 @@ const appRouter = new Hono()
  .route("/auth", authRouter)
  .route("/billing", billingRouter)
  .route("/my", myRouter)
+  .route("/", v1Router)
  .route("/organizations", organizationRouter)
  .route("/public", publicRouter)
  .route("/storage", storageRouter)