feat: v2 rewrite — hexagonal arch, ActivityPub federation, NATS, deployment-ready (#1)

2026-05-16 09:42:40 +00:00
parent 071809bc3f
commit 9aee4ceb6d
224 changed files with 35418 additions and 1469 deletions
--- a/crates/bootstrap/Cargo.toml
+++ b/crates/bootstrap/Cargo.toml
@@ -0,0 +1,31 @@
+[package]
+name = "bootstrap"
+version = "0.1.0"
+edition = "2021"
+
+[[bin]]
+name = "thoughts"
+path = "src/main.rs"
+
+[dependencies]
+presentation        = { workspace = true }
+domain              = { workspace = true }
+postgres            = { workspace = true }
+postgres-search     = { workspace = true }
+postgres-federation = { workspace = true }
+activitypub         = { workspace = true }
+activitypub-base    = { workspace = true }
+nats                = { workspace = true }
+event-transport     = { workspace = true }
+auth                = { workspace = true }
+sqlx                = { workspace = true }
+async-nats          = { workspace = true }
+async-trait         = { workspace = true }
+tokio               = { workspace = true, features = ["full"] }
+axum                = { workspace = true }
+tower-http          = { workspace = true }
+tracing             = { workspace = true }
+tracing-subscriber  = { workspace = true }
+dotenvy             = { workspace = true }
+tower_governor      = "0.8"
+http                = "1"
--- a/crates/bootstrap/src/config.rs
+++ b/crates/bootstrap/src/config.rs
@@ -0,0 +1,41 @@
+/// All configuration read from environment variables at startup.
+pub struct Config {
+    pub database_url: String,
+    pub jwt_secret: String,
+    pub base_url: String,
+    pub nats_url: Option<String>,
+    pub port: u16,
+    pub allow_registration: bool,
+    /// true when RUST_ENV != "production" — enables AP debug mode
+    pub debug: bool,
+    pub host: String,
+    pub cors_origins: String,
+    pub rate_limit: Option<u32>,
+}
+
+impl Config {
+    pub fn from_env() -> Self {
+        dotenvy::dotenv().ok();
+        Self {
+            database_url: std::env::var("DATABASE_URL").expect("DATABASE_URL is required"),
+            jwt_secret: std::env::var("JWT_SECRET").expect("JWT_SECRET is required"),
+            base_url: std::env::var("BASE_URL").unwrap_or_else(|_| "http://localhost:3000".into()),
+            nats_url: std::env::var("NATS_URL").ok(),
+            port: std::env::var("PORT")
+                .ok()
+                .and_then(|p| p.parse().ok())
+                .unwrap_or(3000),
+            allow_registration: std::env::var("ALLOW_REGISTRATION")
+                .map(|v| v == "true")
+                .unwrap_or(true),
+            debug: std::env::var("RUST_ENV")
+                .map(|v| v != "production")
+                .unwrap_or(true),
+            host: std::env::var("HOST").unwrap_or_else(|_| "0.0.0.0".into()),
+            cors_origins: std::env::var("CORS_ORIGINS").unwrap_or_else(|_| "*".into()),
+            rate_limit: std::env::var("RATE_LIMIT")
+                .ok()
+                .and_then(|v| v.parse().ok()),
+        }
+    }
+}
--- a/crates/bootstrap/src/factory.rs
+++ b/crates/bootstrap/src/factory.rs
@@ -0,0 +1,139 @@
+const JWT_TTL_SECS: i64 = 86_400; // 24 hours (was 30 days)
+const JWT_SECRET_MIN_BYTES: usize = 32; // 256 bits minimum for HS256
+
+use async_trait::async_trait;
+use sqlx::PgPool;
+use std::sync::Arc;
+
+use activitypub::ThoughtsObjectHandler;
+use activitypub_base::service::ActivityPubService;
+use auth::ApiKeyServiceImpl;
+use domain::{errors::DomainError, events::DomainEvent, ports::{EventPublisher, OutboxWriter}};
+use event_transport::EventPublisherAdapter;
+use nats::NatsTransport;
+use postgres::activitypub::PgActivityPubRepository;
+use postgres::engagement::PgEngagementRepository;
+use postgres::outbox::PgOutboxWriter;
+use postgres::remote_actor_connections::PgRemoteActorConnectionRepository;
+use postgres_federation::{PostgresApUserRepository, PostgresFederationRepository};
+use presentation::state::AppState;
+
+use crate::config::Config;
+
+/// Everything the binary needs to start serving.
+pub struct Infrastructure {
+    pub state: AppState,
+    pub ap_service: Arc<ActivityPubService>,
+}
+
+struct NoOpEventPublisher;
+
+#[async_trait]
+impl EventPublisher for NoOpEventPublisher {
+    async fn publish(&self, _e: &DomainEvent) -> Result<(), DomainError> {
+        Ok(())
+    }
+}
+
+pub async fn build(cfg: &Config) -> Infrastructure {
+    // 1. Database connection + migrations
+    let pool = PgPool::connect(&cfg.database_url)
+        .await
+        .expect("Failed to connect to database");
+    sqlx::migrate!("../adapters/postgres/migrations")
+        .run(&pool)
+        .await
+        .expect("Failed to run migrations");
+    tracing::info!("Database connected and migrations applied");
+
+    // 2. Event publisher — real NATS or no-op fallback
+    let event_publisher: Arc<dyn EventPublisher> = match &cfg.nats_url {
+        Some(url) => match async_nats::connect(url).await {
+            Ok(client) => {
+                tracing::info!("Connected to NATS at {url}");
+                if let Err(e) = nats::ensure_stream(&client).await {
+                    tracing::warn!("JetStream stream setup failed: {e} — events may be lost");
+                }
+                Arc::new(EventPublisherAdapter::new(NatsTransport::new(client)))
+            }
+            Err(e) => {
+                tracing::warn!("NATS connect failed ({e}) — falling back to no-op publisher");
+                Arc::new(NoOpEventPublisher)
+            }
+        },
+        None => {
+            tracing::info!("NATS_URL not set — using no-op event publisher");
+            Arc::new(NoOpEventPublisher)
+        }
+    };
+
+    // 3. ActivityPub federation
+    let ap_service = Arc::new(
+        ActivityPubService::new(
+            Arc::new(PostgresFederationRepository::new(pool.clone())),
+            Arc::new(PostgresApUserRepository::new(
+                pool.clone(),
+                cfg.base_url.clone(),
+            )),
+            Arc::new(ThoughtsObjectHandler::new(
+                Arc::new(PgActivityPubRepository::new(pool.clone())),
+                &cfg.base_url,
+                Some(event_publisher.clone()),
+                Arc::new(postgres::tag::PgTagRepository::new(pool.clone())),
+            )),
+            cfg.base_url.clone(),
+            cfg.allow_registration,
+            "thoughts".to_string(),
+            cfg.debug,
+            None,
+        )
+        .await
+        .expect("Failed to build ActivityPubService"),
+    );
+
+    // 4. Application state
+    let state = AppState {
+        users: Arc::new(postgres::user::PgUserRepository::new(pool.clone())),
+        thoughts: Arc::new(postgres::thought::PgThoughtRepository::new(pool.clone())),
+        likes: Arc::new(postgres::like::PgLikeRepository::new(pool.clone())),
+        boosts: Arc::new(postgres::boost::PgBoostRepository::new(pool.clone())),
+        follows: Arc::new(postgres::follow::PgFollowRepository::new(pool.clone())),
+        blocks: Arc::new(postgres::block::PgBlockRepository::new(pool.clone())),
+        tags: Arc::new(postgres::tag::PgTagRepository::new(pool.clone())),
+        api_keys: Arc::new(postgres::api_key::PgApiKeyRepository::new(pool.clone())),
+        top_friends: Arc::new(postgres::top_friend::PgTopFriendRepository::new(
+            pool.clone(),
+        )),
+        notifications: Arc::new(postgres::notification::PgNotificationRepository::new(
+            pool.clone(),
+        )),
+        remote_actors: Arc::new(postgres::remote_actor::PgRemoteActorRepository::new(
+            pool.clone(),
+        )),
+        feed: Arc::new(postgres::feed::PgFeedRepository::new(pool.clone())),
+        search: Arc::new(postgres_search::PgSearchRepository::new(pool.clone())),
+        auth: Arc::new({
+            if cfg.jwt_secret.len() < JWT_SECRET_MIN_BYTES {
+                panic!(
+                    "JWT_SECRET is {} bytes — minimum is {} bytes for HS256 security",
+                    cfg.jwt_secret.len(),
+                    JWT_SECRET_MIN_BYTES,
+                );
+            }
+            auth::JwtAuthService::new(cfg.jwt_secret.clone(), JWT_TTL_SECS)
+        }),
+        hasher: Arc::new(auth::Argon2PasswordHasher),
+        events: event_publisher,
+        outbox: Arc::new(PgOutboxWriter::new(pool.clone())) as Arc<dyn OutboxWriter>,
+        federation: ap_service.clone() as Arc<dyn domain::ports::FederationActionPort>,
+        ap_repo: Arc::new(PgActivityPubRepository::new(pool.clone())),
+        remote_actor_connections: Arc::new(PgRemoteActorConnectionRepository::new(pool.clone())),
+        federation_scheduler: ap_service.clone() as Arc<dyn domain::ports::FederationSchedulerPort>,
+        api_key_auth: Arc::new(ApiKeyServiceImpl::new(
+            Arc::new(postgres::api_key::PgApiKeyRepository::new(pool.clone())),
+        )),
+        engagement: Arc::new(PgEngagementRepository::new(pool.clone())),
+    };
+
+    Infrastructure { state, ap_service }
+}
--- a/crates/bootstrap/src/main.rs
+++ b/crates/bootstrap/src/main.rs
@@ -0,0 +1,83 @@
+mod config;
+mod factory;
+
+const MS_PER_MINUTE: u64 = 60_000;
+const RATE_LIMITER_CLEANUP_INTERVAL_SECS: u64 = 60;
+
+use std::net::SocketAddr;
+use std::sync::Arc;
+use tower_http::cors::{AllowOrigin, CorsLayer};
+use tracing_subscriber::EnvFilter;
+
+#[tokio::main]
+async fn main() {
+    let cfg = config::Config::from_env();
+
+    tracing_subscriber::fmt()
+        .with_env_filter(EnvFilter::from_default_env())
+        .init();
+
+    let infra = factory::build(&cfg).await;
+
+    // CORS
+    let cors = if cfg.cors_origins.trim() == "*" {
+        CorsLayer::permissive()
+    } else {
+        let origins: Vec<http::HeaderValue> = cfg
+            .cors_origins
+            .split(',')
+            .map(|o| o.trim())
+            .filter_map(|o| o.parse().ok())
+            .collect();
+        CorsLayer::new()
+            .allow_origin(AllowOrigin::list(origins))
+            .allow_methods(tower_http::cors::Any)
+            .allow_headers(tower_http::cors::Any)
+    };
+
+    let base = presentation::routes::router()
+        .merge(infra.ap_service.router::<presentation::state::AppState>())
+        .with_state(infra.state)
+        .layer(cors);
+
+    let addr = format!("{}:{}", cfg.host, cfg.port);
+    tracing::info!("Listening on {addr}");
+    let listener = tokio::net::TcpListener::bind(&addr).await.unwrap();
+
+    if let Some(rate_limit) = cfg.rate_limit {
+        use tower_governor::{governor::GovernorConfigBuilder, GovernorLayer}; // crate: tower_governor
+
+        // per_millisecond sets the token replenishment interval.
+        // rate_limit = max requests/minute => replenish every (60000 / rate_limit) ms.
+        let ms = MS_PER_MINUTE.saturating_div(rate_limit as u64).max(1);
+        let governor_conf = Arc::new(
+            GovernorConfigBuilder::default()
+                .per_millisecond(ms)
+                .burst_size(rate_limit)
+                .use_headers()
+                .finish()
+                .expect("valid rate limit config"),
+        );
+
+        let limiter = governor_conf.limiter().clone();
+        tokio::spawn(async move {
+            let mut interval = tokio::time::interval(std::time::Duration::from_secs(
+                RATE_LIMITER_CLEANUP_INTERVAL_SECS,
+            ));
+            loop {
+                interval.tick().await;
+                limiter.retain_recent();
+            }
+        });
+
+        let app = base.layer(GovernorLayer::new(governor_conf));
+        axum::serve(
+            listener,
+            app.into_make_service_with_connect_info::<SocketAddr>(),
+        )
+        .await
+        .unwrap();
+    } else {
+        axum::serve(listener, base).await.unwrap();
+    }
+}