@agentrix/shared 2.10.0 → 2.13.0

package/dist/node.cjs

@@ -4,6 +4,8 @@ var node_fs = require('node:fs');
 var node_path = require('node:path');
 var errors = require('./errors-myQvpVrM.cjs');
 var os = require('node:os');
+var gitlabWebhook = require('./gitlabWebhook.cjs');
+var node_crypto = require('node:crypto');
 require('zod');
 
 function _interopNamespaceDefault(e) {
@@ -213,11 +215,14 @@ async function loadSystemPrompt(claudeDir, promptFile) {
   }
 }
 function replacePromptPlaceholders(template, cwd, extra) {
+  const now = /* @__PURE__ */ new Date();
   const vars = {
     WORKING_DIR: cwd,
     PLATFORM: process.platform,
     OS_VERSION: `${os__namespace.type()} ${os__namespace.release()}`,
-    DATE: (/* @__PURE__ */ new Date()).toISOString().split("T")[0],
+    DATE: now.toISOString().split("T")[0],
+    TIME: now.toLocaleTimeString("en-GB", { hour: "2-digit", minute: "2-digit", hour12: false }),
+    TIMEZONE: Intl.DateTimeFormat().resolvedOptions().timeZone,
     ...extra
   };
   let result = template.replace(
@@ -234,6 +239,296 @@ function replacePromptPlaceholders(template, cwd, extra) {
   return result;
 }
 
+const ALGORITHM = "aes-256-gcm";
+const DEFAULT_PAT_VALIDATE_TIMEOUT_MS = 1e4;
+const DEFAULT_GITLAB_PAT_REQUIRED_SCOPES = ["api", "read_repository", "write_repository"];
+function hmacSha512(key, data) {
+  const hmac = node_crypto.createHmac("sha512", key);
+  hmac.update(data);
+  return new Uint8Array(hmac.digest());
+}
+function deriveLocalGitServerEncryptionKey(masterSecret) {
+  const decoded = Buffer.from(masterSecret, "base64");
+  const rootSeedKey = new TextEncoder().encode("Agentrix EnCoder Master Seed");
+  const rootI = hmacSha512(rootSeedKey, decoded);
+  const chainCode = rootI.slice(32);
+  const childData = new Uint8Array([0, ...new TextEncoder().encode("content")]);
+  const childI = hmacSha512(chainCode, childData);
+  return childI.slice(0, 32);
+}
+function parseScopes(rawScopes) {
+  if (!rawScopes) return [];
+  return rawScopes.split(",").map((scope) => scope.trim()).filter(Boolean);
+}
+function makeFailedResult(status, error, extras = {}) {
+  return { valid: false, status, error, ...extras };
+}
+function validateRequiredScopes(scopes, requiredScopes) {
+  if (!requiredScopes.length) return [];
+  const actual = new Set(scopes);
+  return requiredScopes.filter((scope) => !actual.has(scope));
+}
+async function fetchPatSelfInfo(apiUrl, pat, timeoutMs, log) {
+  let response;
+  try {
+    response = await fetch(`${apiUrl}/personal_access_tokens/self`, {
+      headers: { Authorization: `Bearer ${pat}` },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+  } catch (err) {
+    log?.warn?.("[PAT] Failed to fetch PAT expiry:", err);
+    return void 0;
+  }
+  if (!response.ok) {
+    return void 0;
+  }
+  try {
+    const tokenInfo = await response.json();
+    return {
+      expiresAt: tokenInfo.expires_at ?? void 0,
+      scopes: Array.isArray(tokenInfo.scopes) ? tokenInfo.scopes.map((scope) => scope.trim()).filter(Boolean) : void 0
+    };
+  } catch (err) {
+    log?.warn?.("[PAT] Failed to parse PAT self response:", err);
+    return void 0;
+  }
+}
+async function validateGitLabPatToken(apiUrl, pat, options = {}) {
+  const requiredScopes = options.requiredScopes ?? DEFAULT_GITLAB_PAT_REQUIRED_SCOPES;
+  const timeoutMs = options.timeoutMs ?? DEFAULT_PAT_VALIDATE_TIMEOUT_MS;
+  if (!pat.trim()) {
+    return { result: makeFailedResult("invalid", "Token is empty") };
+  }
+  let response;
+  try {
+    response = await fetch(`${apiUrl}/user`, {
+      headers: { Authorization: `Bearer ${pat}` },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+  } catch (err) {
+    options.log?.error?.("[PAT] GitLab API validation failed:", err);
+    return { result: makeFailedResult("network_error", `Cannot reach GitLab: ${err.message}`) };
+  }
+  if (!response.ok) {
+    if (response.status === 401 || response.status === 403) {
+      return { result: makeFailedResult("expired", `GitLab returned ${response.status}`) };
+    }
+    return { result: makeFailedResult("invalid", `GitLab returned ${response.status}`) };
+  }
+  let user;
+  try {
+    user = await response.json();
+  } catch {
+    return { result: makeFailedResult("invalid", "GitLab returned an invalid response") };
+  }
+  if (!user?.username) {
+    return { result: makeFailedResult("invalid", "GitLab response missing username") };
+  }
+  const scopesFromHeader = parseScopes(response.headers.get("x-oauth-scopes"));
+  const selfInfo = await fetchPatSelfInfo(apiUrl, pat, timeoutMs, options.log);
+  const scopesFromSelf = selfInfo?.scopes ?? [];
+  const effectiveScopes = scopesFromHeader.length > 0 ? scopesFromHeader : scopesFromSelf;
+  const expiresAt = selfInfo?.expiresAt;
+  const shouldEnforceScopes = effectiveScopes.length > 0;
+  const missingScopes = shouldEnforceScopes ? validateRequiredScopes(effectiveScopes, requiredScopes) : [];
+  if (shouldEnforceScopes && missingScopes.length > 0) {
+    return {
+      result: makeFailedResult(
+        "insufficient_scope",
+        `Token is missing required scopes: ${missingScopes.join(", ")}`,
+        { username: user.username, scopes: effectiveScopes, missingScopes, expiresAt }
+      ),
+      user
+    };
+  }
+  return {
+    result: { valid: true, status: "valid", username: user.username, scopes: effectiveScopes, expiresAt },
+    user
+  };
+}
+class GitServerLocalStore {
+  credentialsDir;
+  constructor(options) {
+    this.credentialsDir = options.credentialsDir;
+  }
+  ensureCredentialsDir() {
+    if (!node_fs.existsSync(this.credentialsDir)) {
+      node_fs.mkdirSync(this.credentialsDir, { recursive: true });
+    }
+  }
+  getPatFilePath(gitServerId) {
+    return node_path.join(this.credentialsDir, `${gitServerId}.pat.enc`);
+  }
+  getPatMetaFilePath(gitServerId) {
+    return node_path.join(this.credentialsDir, `${gitServerId}.pat.meta.json`);
+  }
+  getGitServerConfigFilePath(gitServerId) {
+    return node_path.join(this.credentialsDir, `${gitServerId}.git-server.json`);
+  }
+  getGitLabWebhookBridgeFilePath(gitServerId) {
+    return node_path.join(this.credentialsDir, `${gitServerId}.gitlab-webhook.enc`);
+  }
+  encryptJsonFile(filePath, value, encryptionKey) {
+    this.ensureCredentialsDir();
+    const iv = node_crypto.randomBytes(16);
+    const key = encryptionKey.slice(0, 32);
+    const cipher = node_crypto.createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(JSON.stringify(value), "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    const payload = {
+      iv: iv.toString("hex"),
+      authTag: authTag.toString("hex"),
+      encrypted
+    };
+    node_fs.writeFileSync(filePath, JSON.stringify(payload), { mode: 384 });
+  }
+  decryptJsonFile(filePath, encryptionKey) {
+    if (!node_fs.existsSync(filePath)) return null;
+    try {
+      const raw = node_fs.readFileSync(filePath, "utf8");
+      const { iv, authTag, encrypted } = JSON.parse(raw);
+      const key = encryptionKey.slice(0, 32);
+      const decipher = node_crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, "hex"));
+      decipher.setAuthTag(Buffer.from(authTag, "hex"));
+      let decrypted = decipher.update(encrypted, "hex", "utf8");
+      decrypted += decipher.final("utf8");
+      return JSON.parse(decrypted);
+    } catch {
+      return null;
+    }
+  }
+  saveGitServerConfig(gitServerId, input) {
+    this.ensureCredentialsDir();
+    const existing = this.loadGitServerConfig(gitServerId) ?? {};
+    const next = {
+      ...existing,
+      ...input
+    };
+    node_fs.writeFileSync(this.getGitServerConfigFilePath(gitServerId), JSON.stringify(next, null, 2), { mode: 384 });
+  }
+  loadGitServerConfig(gitServerId) {
+    const filePath = this.getGitServerConfigFilePath(gitServerId);
+    if (!node_fs.existsSync(filePath)) return null;
+    try {
+      return JSON.parse(node_fs.readFileSync(filePath, "utf8"));
+    } catch {
+      return null;
+    }
+  }
+  deleteGitServerConfig(gitServerId) {
+    const configPath = this.getGitServerConfigFilePath(gitServerId);
+    if (node_fs.existsSync(configPath)) {
+      node_fs.unlinkSync(configPath);
+    }
+    const bridgePath = this.getGitLabWebhookBridgeFilePath(gitServerId);
+    if (node_fs.existsSync(bridgePath)) {
+      node_fs.unlinkSync(bridgePath);
+    }
+  }
+  listGitServerIds() {
+    this.ensureCredentialsDir();
+    const ids = /* @__PURE__ */ new Set();
+    for (const file of node_fs.readdirSync(this.credentialsDir)) {
+      if (file.endsWith(".git-server.json")) {
+        ids.add(file.slice(0, -".git-server.json".length));
+      } else if (file.endsWith(".pat.enc")) {
+        ids.add(file.slice(0, -".pat.enc".length));
+      } else if (file.endsWith(".gitlab-webhook.enc")) {
+        ids.add(file.slice(0, -".gitlab-webhook.enc".length));
+      }
+    }
+    return [...ids].sort();
+  }
+  listPats() {
+    this.ensureCredentialsDir();
+    const files = node_fs.readdirSync(this.credentialsDir).filter((file) => file.endsWith(".pat.enc"));
+    return files.map((file) => ({
+      gitServerId: file.replace(".pat.enc", ""),
+      exists: true
+    }));
+  }
+  loadGitLabWebhookBridgeSecrets(gitServerId, encryptionKey) {
+    return this.decryptJsonFile(
+      this.getGitLabWebhookBridgeFilePath(gitServerId),
+      encryptionKey
+    );
+  }
+  saveGitLabWebhookBridgeSecrets(gitServerId, secrets, encryptionKey) {
+    this.encryptJsonFile(this.getGitLabWebhookBridgeFilePath(gitServerId), secrets, encryptionKey);
+  }
+  ensureGitLabWebhookSecret(gitServerId, encryptionKey) {
+    const current = this.loadGitLabWebhookBridgeSecrets(gitServerId, encryptionKey);
+    if (current?.webhookSecret) {
+      return current.webhookSecret;
+    }
+    const webhookSecret = node_crypto.randomBytes(32).toString("hex");
+    this.saveGitLabWebhookBridgeSecrets(gitServerId, {
+      ...current ?? {},
+      webhookSecret,
+      projectTriggerTokens: current?.projectTriggerTokens ?? {}
+    }, encryptionKey);
+    return webhookSecret;
+  }
+  loadPatMeta(gitServerId) {
+    const filePath = this.getPatMetaFilePath(gitServerId);
+    if (!node_fs.existsSync(filePath)) return null;
+    try {
+      return JSON.parse(node_fs.readFileSync(filePath, "utf8"));
+    } catch {
+      return null;
+    }
+  }
+  savePatMeta(gitServerId, meta) {
+    this.ensureCredentialsDir();
+    node_fs.writeFileSync(this.getPatMetaFilePath(gitServerId), JSON.stringify(meta, null, 2), { mode: 384 });
+  }
+  savePat(gitServerId, pat, encryptionKey) {
+    this.ensureCredentialsDir();
+    const iv = node_crypto.randomBytes(16);
+    const key = encryptionKey.slice(0, 32);
+    const cipher = node_crypto.createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(pat, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    const payload = {
+      iv: iv.toString("hex"),
+      authTag: authTag.toString("hex"),
+      encrypted
+    };
+    node_fs.writeFileSync(this.getPatFilePath(gitServerId), JSON.stringify(payload), { mode: 384 });
+  }
+  loadPat(gitServerId, encryptionKey) {
+    const filePath = this.getPatFilePath(gitServerId);
+    if (!node_fs.existsSync(filePath)) return null;
+    try {
+      const raw = node_fs.readFileSync(filePath, "utf8");
+      const { iv, authTag, encrypted } = JSON.parse(raw);
+      const key = encryptionKey.slice(0, 32);
+      const decipher = node_crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, "hex"));
+      decipher.setAuthTag(Buffer.from(authTag, "hex"));
+      let decrypted = decipher.update(encrypted, "hex", "utf8");
+      decrypted += decipher.final("utf8");
+      return decrypted;
+    } catch {
+      return null;
+    }
+  }
+  hasPat(gitServerId) {
+    return node_fs.existsSync(this.getPatFilePath(gitServerId));
+  }
+  deletePat(gitServerId) {
+    const filePath = this.getPatFilePath(gitServerId);
+    if (node_fs.existsSync(filePath)) {
+      node_fs.unlinkSync(filePath);
+    }
+    const metaPath = this.getPatMetaFilePath(gitServerId);
+    if (node_fs.existsSync(metaPath)) {
+      node_fs.unlinkSync(metaPath);
+    }
+  }
+}
+
 exports.AgentConfigValidationError = errors.AgentConfigValidationError;
 exports.AgentError = errors.AgentError;
 exports.AgentLoadError = errors.AgentLoadError;
@@ -245,10 +540,16 @@ exports.FrameworkNotSupportedError = errors.FrameworkNotSupportedError;
 exports.MissingAgentFileError = errors.MissingAgentFileError;
 exports.getAgentContext = errors.getAgentContext;
 exports.setAgentContext = errors.setAgentContext;
+exports.buildGitLabWebhookEndpointPath = gitlabWebhook.buildGitLabWebhookEndpointPath;
+exports.buildGitLabWebhookUrl = gitlabWebhook.buildGitLabWebhookUrl;
+exports.DEFAULT_GITLAB_PAT_REQUIRED_SCOPES = DEFAULT_GITLAB_PAT_REQUIRED_SCOPES;
+exports.GitServerLocalStore = GitServerLocalStore;
 exports.assertAgentExists = assertAgentExists;
 exports.assertFileExists = assertFileExists;
+exports.deriveLocalGitServerEncryptionKey = deriveLocalGitServerEncryptionKey;
 exports.discoverPlugins = discoverPlugins;
 exports.loadAgentConfig = loadAgentConfig;
 exports.replacePromptPlaceholders = replacePromptPlaceholders;
 exports.validateAgentDirectory = validateAgentDirectory;
 exports.validateFrameworkDirectory = validateFrameworkDirectory;
+exports.validateGitLabPatToken = validateGitLabPatToken;

package/dist/node.d.cts

@@ -1,5 +1,6 @@
-import { dC as LoadAgentOptions, dA as AgentConfig, dB as ValidationResult, dx as FrameworkType } from './errors-CjePCqwd.cjs';
-export { dK as AgentConfigValidationError, dt as AgentContext, dI as AgentError, dM as AgentLoadError, dy as AgentMetadata, dG as AgentMetadataSchema, dJ as AgentNotFoundError, du as AgentrixContext, dz as ClaudeAgentConfig, dH as ClaudeConfigSchema, dF as FRAMEWORK_TYPES, dL as FrameworkNotSupportedError, dE as HookFactory, dN as MissingAgentFileError, dD as RepositoryInitHookInput, dw as getAgentContext, dv as setAgentContext } from './errors-CjePCqwd.cjs';
+import { dE as LoadAgentOptions, dC as AgentConfig, dD as ValidationResult, dz as FrameworkType } from './errors-B5CcMP8s.cjs';
+export { dM as AgentConfigValidationError, dv as AgentContext, dK as AgentError, dO as AgentLoadError, dA as AgentMetadata, dI as AgentMetadataSchema, dL as AgentNotFoundError, dw as AgentrixContext, dB as ClaudeAgentConfig, dJ as ClaudeConfigSchema, dH as FRAMEWORK_TYPES, dN as FrameworkNotSupportedError, dG as HookFactory, dP as MissingAgentFileError, dF as RepositoryInitHookInput, dy as getAgentContext, dx as setAgentContext } from './errors-B5CcMP8s.cjs';
+export { buildGitLabWebhookEndpointPath, buildGitLabWebhookUrl } from './gitlabWebhook.cjs';
 import '@anthropic-ai/claude-agent-sdk';
 import 'zod';
 
@@ -49,4 +50,77 @@ declare function assertAgentExists(agentDir: string, agentId: string): void;
  */
 declare function discoverPlugins(pluginsDir: string): string[];
 
-export { AgentConfig, FrameworkType, LoadAgentOptions, ValidationResult, assertAgentExists, assertFileExists, discoverPlugins, loadAgentConfig, replacePromptPlaceholders, validateAgentDirectory, validateFrameworkDirectory };
+declare const DEFAULT_GITLAB_PAT_REQUIRED_SCOPES: readonly ["api", "read_repository", "write_repository"];
+interface GitServerLocalConfig {
+    baseUrl?: string;
+    apiUrl?: string;
+}
+interface GitLabWebhookBridgeSecrets {
+    webhookSecret?: string;
+    projectTriggerTokens?: Record<string, string>;
+}
+interface PatMeta {
+    username: string;
+    email: string;
+    lastValidatedAt?: string;
+    expiresAt?: string | null;
+}
+interface PatValidationResult {
+    valid: boolean;
+    status: 'valid' | 'invalid' | 'expired' | 'insufficient_scope' | 'network_error';
+    username?: string;
+    scopes?: string[];
+    missingScopes?: string[];
+    expiresAt?: string | null;
+    error?: string;
+}
+interface GitServerLocalStoreOptions {
+    credentialsDir: string;
+}
+interface GitLabPatValidationOptions {
+    requiredScopes?: readonly string[];
+    timeoutMs?: number;
+    log?: {
+        warn?: (message: string, error?: unknown) => void;
+        error?: (message: string, error?: unknown) => void;
+    };
+}
+declare function deriveLocalGitServerEncryptionKey(masterSecret: string): Uint8Array;
+declare function validateGitLabPatToken(apiUrl: string, pat: string, options?: GitLabPatValidationOptions): Promise<{
+    result: PatValidationResult;
+    user?: {
+        username: string;
+        email?: string;
+    };
+}>;
+declare class GitServerLocalStore {
+    private readonly credentialsDir;
+    constructor(options: GitServerLocalStoreOptions);
+    private ensureCredentialsDir;
+    private getPatFilePath;
+    private getPatMetaFilePath;
+    private getGitServerConfigFilePath;
+    private getGitLabWebhookBridgeFilePath;
+    private encryptJsonFile;
+    private decryptJsonFile;
+    saveGitServerConfig(gitServerId: string, input: GitServerLocalConfig): void;
+    loadGitServerConfig(gitServerId: string): GitServerLocalConfig | null;
+    deleteGitServerConfig(gitServerId: string): void;
+    listGitServerIds(): string[];
+    listPats(): Array<{
+        gitServerId: string;
+        exists: boolean;
+    }>;
+    loadGitLabWebhookBridgeSecrets(gitServerId: string, encryptionKey: Uint8Array): GitLabWebhookBridgeSecrets | null;
+    saveGitLabWebhookBridgeSecrets(gitServerId: string, secrets: GitLabWebhookBridgeSecrets, encryptionKey: Uint8Array): void;
+    ensureGitLabWebhookSecret(gitServerId: string, encryptionKey: Uint8Array): string;
+    loadPatMeta(gitServerId: string): PatMeta | null;
+    savePatMeta(gitServerId: string, meta: PatMeta): void;
+    savePat(gitServerId: string, pat: string, encryptionKey: Uint8Array): void;
+    loadPat(gitServerId: string, encryptionKey: Uint8Array): string | null;
+    hasPat(gitServerId: string): boolean;
+    deletePat(gitServerId: string): void;
+}
+
+export { AgentConfig, DEFAULT_GITLAB_PAT_REQUIRED_SCOPES, FrameworkType, GitServerLocalStore, LoadAgentOptions, ValidationResult, assertAgentExists, assertFileExists, deriveLocalGitServerEncryptionKey, discoverPlugins, loadAgentConfig, replacePromptPlaceholders, validateAgentDirectory, validateFrameworkDirectory, validateGitLabPatToken };
+export type { GitLabPatValidationOptions, GitLabWebhookBridgeSecrets, GitServerLocalConfig, GitServerLocalStoreOptions, PatMeta, PatValidationResult };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentrix/shared",
-  "version": "2.10.0",
+  "version": "2.13.0",
   "description": "Shared types and schemas for Agentrix projects",
   "main": "./dist/index.cjs",
   "types": "./dist/index.d.cts",
@@ -12,6 +12,11 @@
     "./node": {
       "types": "./dist/node.d.cts",
       "default": "./dist/node.cjs"
+    },
+    "./gitlab-webhook": {
+      "types": "./dist/gitlabWebhook.d.cts",
+      "import": "./dist/gitlabWebhook.mjs",
+      "default": "./dist/gitlabWebhook.cjs"
     }
   },
   "scripts": {