@agent-foundry/replay-server 1.0.0 → 1.0.2

package/src/services/OSSClient.ts

@@ -0,0 +1,286 @@
+/**
+ * OSS Client
+ *
+ * Handles authenticated downloads from Alibaba Cloud OSS using STS credentials
+ * obtained from the BFF API.
+ */
+
+import OSS from 'ali-oss';
+import * as fs from 'fs';
+import * as path from 'path';
+import type { STSCredentials, OSSClientConfig } from './types.js';
+
+/**
+ * Error thrown by OSS client operations
+ */
+export class OSSClientError extends Error {
+    constructor(
+        message: string,
+        public readonly code: string,
+        public readonly statusCode?: number
+    ) {
+        super(message);
+        this.name = 'OSSClientError';
+    }
+}
+
+/**
+ * OSS Client for downloading bundles with STS authentication
+ */
+export class OSSClient {
+    private readonly bffBaseUrl: string;
+    private readonly serviceToken?: string;
+    private readonly timeout: number;
+
+    private cachedCredentials: STSCredentials | null = null;
+    private credentialsExpiresAt: Date | null = null;
+
+    constructor(config: OSSClientConfig) {
+        this.bffBaseUrl = config.bffBaseUrl.replace(/\/$/, '');
+        this.serviceToken = config.serviceToken;
+        this.timeout = config.timeout ?? 30000;
+    }
+
+    /**
+     * Get STS credentials from BFF API
+     * Caches credentials until they expire (with 5 minute buffer)
+     * 
+     * Uses the /studio/service/sts endpoint which requires BFF_SERVICE_TOKEN
+     * (set to SUPABASE_JWT_SECRET) for service-to-service authentication.
+     */
+    async getSTSCredentials(): Promise<STSCredentials> {
+        // Check if cached credentials are still valid (with 5 minute buffer)
+        if (this.cachedCredentials && this.credentialsExpiresAt) {
+            const bufferMs = 5 * 60 * 1000; // 5 minutes
+            if (new Date().getTime() + bufferMs < this.credentialsExpiresAt.getTime()) {
+                return this.cachedCredentials;
+            }
+        }
+
+        if (!this.serviceToken) {
+            throw new OSSClientError(
+                'BFF_SERVICE_TOKEN is required for STS credentials. Set it to the value of SUPABASE_JWT_SECRET from BFF.',
+                'SERVICE_TOKEN_MISSING'
+            );
+        }
+
+        console.log('[OSSClient] Requesting STS credentials from BFF...');
+
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+
+        try {
+            const headers: Record<string, string> = {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${this.serviceToken}`,
+            };
+
+            // Use the service-to-service endpoint
+            const response = await fetch(`${this.bffBaseUrl}/studio/service/sts`, {
+                method: 'POST',
+                headers,
+                signal: controller.signal,
+            });
+
+            clearTimeout(timeoutId);
+
+            if (!response.ok) {
+                let detail = response.statusText;
+                try {
+                    const error = await response.json();
+                    detail = error.detail || error.message || response.statusText;
+                } catch {
+                    // Ignore JSON parse error
+                }
+                throw new OSSClientError(
+                    `Failed to get STS credentials: ${detail}`,
+                    'STS_REQUEST_FAILED',
+                    response.status
+                );
+            }
+
+            const data = await response.json();
+
+            // Extract credentials from response
+            // BFF /studio/service/sts returns: { credentials: { accessKeyId, ... }, bucket, region }
+            const creds = data.credentials || data;
+            const credentials: STSCredentials = {
+                accessKeyId: creds.accessKeyId || creds.access_key_id,
+                accessKeySecret: creds.accessKeySecret || creds.access_key_secret,
+                securityToken: creds.securityToken || creds.security_token,
+                expiration: creds.expiration,
+                bucket: data.bucket,
+                region: data.region,
+            };
+
+            // Validate credentials
+            if (!credentials.accessKeyId || !credentials.accessKeySecret || !credentials.securityToken) {
+                throw new OSSClientError(
+                    'Invalid STS credentials response from BFF',
+                    'INVALID_STS_RESPONSE'
+                );
+            }
+
+            // Validate bucket and region
+            if (!credentials.bucket || !credentials.region) {
+                throw new OSSClientError(
+                    'Invalid STS credentials response from BFF: missing bucket or region',
+                    'INVALID_STS_RESPONSE'
+                );
+            }
+
+            // Cache credentials
+            this.cachedCredentials = credentials;
+            this.credentialsExpiresAt = new Date(credentials.expiration);
+
+            console.log('[OSSClient] STS credentials obtained, expires:', credentials.expiration);
+
+            return credentials;
+        } catch (error) {
+            clearTimeout(timeoutId);
+
+            if (error instanceof OSSClientError) {
+                throw error;
+            }
+
+            if (error instanceof Error && error.name === 'AbortError') {
+                throw new OSSClientError(
+                    'STS credentials request timeout',
+                    'STS_TIMEOUT',
+                    408
+                );
+            }
+
+            throw new OSSClientError(
+                `Failed to get STS credentials: ${error instanceof Error ? error.message : String(error)}`,
+                'STS_REQUEST_ERROR'
+            );
+        }
+    }
+
+    /**
+     * Download file from OSS URL with STS authentication
+     *
+     * @param url - OSS URL to download from
+     * @param destPath - Local destination path
+     * @param onProgress - Optional progress callback (0-100)
+     */
+    async downloadFile(
+        url: string,
+        destPath: string,
+        onProgress?: (percent: number) => void
+    ): Promise<void> {
+        console.log(`[OSSClient] Downloading ${url} to ${destPath}`);
+
+        // Get STS credentials
+        const credentials = await this.getSTSCredentials();
+
+        if (!credentials.bucket || !credentials.region) {
+            throw new OSSClientError(
+                'Missing bucket or region in STS credentials',
+                'INVALID_CREDENTIALS'
+            );
+        }
+
+        // Parse URL to extract object key
+        // URL format: https://bucket.oss-region.aliyuncs.com/path/to/object
+        // or: https://oss-region.aliyuncs.com/bucket/path/to/object
+        const parsedUrl = new URL(url);
+        let objectKey = parsedUrl.pathname.slice(1); // Remove leading /
+
+        // Handle case where bucket is in the path (not subdomain)
+        if (parsedUrl.hostname.includes('aliyuncs.com') && !parsedUrl.hostname.startsWith(credentials.bucket)) {
+            // Format: https://oss-region.aliyuncs.com/bucket/path/to/object
+            const pathParts = objectKey.split('/');
+            if (pathParts[0] === credentials.bucket) {
+                objectKey = pathParts.slice(1).join('/');
+            }
+        }
+
+        console.log(`[OSSClient] Extracted object key: ${objectKey}`);
+
+        try {
+            // Create OSS client with STS credentials
+            const client = new OSS({
+                accessKeyId: credentials.accessKeyId,
+                accessKeySecret: credentials.accessKeySecret,
+                stsToken: credentials.securityToken,
+                bucket: credentials.bucket,
+                region: credentials.region,
+                timeout: 10 * 60 * 1000, // 10 minutes
+            });
+
+            // Ensure destination directory exists
+            const destDir = path.dirname(destPath);
+            fs.mkdirSync(destDir, { recursive: true });
+
+            // Download file
+            // Note: ali-oss client.get() for Node.js doesn't support progress callbacks
+            // Progress tracking would require streaming the response manually
+            const result = await client.get(objectKey, destPath, {
+                timeout: 10 * 60 * 1000,
+            });
+
+            if (onProgress) {
+                onProgress(100);
+            }
+
+            console.log(`[OSSClient] Download complete: ${destPath}`);
+        } catch (error: any) {
+            // Clean up partial download
+            if (fs.existsSync(destPath)) {
+                try {
+                    fs.unlinkSync(destPath);
+                } catch {
+                    // Ignore cleanup error
+                }
+            }
+
+            // Handle OSS SDK errors
+            if (error.code === 'ConnectionTimeoutError' || error.code === 'RequestTimeout') {
+                throw new OSSClientError(
+                    'Download timeout',
+                    'DOWNLOAD_TIMEOUT',
+                    408
+                );
+            }
+
+            if (error.status === 403 || error.code === 'AccessDenied') {
+                throw new OSSClientError(
+                    'Access denied - check STS credentials and permissions',
+                    'DOWNLOAD_FORBIDDEN',
+                    403
+                );
+            }
+
+            if (error.status === 404 || error.code === 'NoSuchKey') {
+                throw new OSSClientError(
+                    `Object not found: ${objectKey}`,
+                    'OBJECT_NOT_FOUND',
+                    404
+                );
+            }
+
+            throw new OSSClientError(
+                `Download failed: ${error.message || String(error)}`,
+                'DOWNLOAD_ERROR',
+                error.status
+            );
+        }
+    }
+
+    /**
+     * Clear cached credentials
+     */
+    clearCredentialsCache(): void {
+        this.cachedCredentials = null;
+        this.credentialsExpiresAt = null;
+    }
+}
+
+/**
+ * Create an OSS client instance
+ */
+export function createOSSClient(config: OSSClientConfig): OSSClient {
+    return new OSSClient(config);
+}

package/src/services/index.ts

@@ -0,0 +1,7 @@
+/**
+ * Services exports
+ */
+
+export * from './types.js';
+export * from './OSSClient.js';
+export * from './BundleManager.js';

package/src/services/types.ts

@@ -0,0 +1,78 @@
+/**
+ * Shared types for replay-server services
+ */
+
+/**
+ * STS credentials from BFF API for OSS access
+ */
+export interface STSCredentials {
+    accessKeyId: string;
+    accessKeySecret: string;
+    securityToken: string;
+    expiration: string;
+    bucket?: string;
+    region?: string;
+}
+
+/**
+ * OSS client configuration
+ */
+export interface OSSClientConfig {
+    /** BFF API base URL for STS credentials */
+    bffBaseUrl: string;
+    /** Optional service-to-service auth token */
+    serviceToken?: string;
+    /** Request timeout in milliseconds (default: 30000) */
+    timeout?: number;
+}
+
+/**
+ * Bundle information
+ */
+export interface BundleInfo {
+    bundleId: string;
+    bundleUrl?: string;
+    status: 'pending' | 'downloading' | 'ready' | 'error';
+    size?: number;
+    cachedAt?: Date;
+    lastAccessedAt?: Date;
+    error?: string;
+    /** Download progress percentage (0-100) */
+    progress?: number;
+}
+
+/**
+ * Bundle manager configuration
+ */
+export interface BundleManagerConfig {
+    /** Directory to store bundles (default: /tmp/bundles) */
+    bundlesDir: string;
+    /** Maximum cache size in bytes (default: 10GB) */
+    maxCacheSize: number;
+}
+
+/**
+ * Cache statistics
+ */
+export interface CacheStats {
+    /** Used cache size in bytes */
+    used: number;
+    /** Maximum cache size in bytes */
+    max: number;
+    /** Usage percentage (0-100) */
+    usedPercent: number;
+    /** Number of cached bundles */
+    bundleCount: number;
+}
+
+/**
+ * Download statistics
+ */
+export interface DownloadStats {
+    /** Number of active downloads */
+    active: number;
+    /** Total completed downloads */
+    completed: number;
+    /** Total failed downloads */
+    failed: number;
+}