@aion0/forge 0.10.46 → 0.10.48

package/proxy.ts

@@ -1,6 +1,17 @@
-import { NextResponse, type NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import { auth } from './lib/auth';
+import { hasValidApiKey } from './lib/api-auth';
+import { isValidToken } from './app/api/auth/verify/route';
 
-export function proxy(req: NextRequest) {
+// Node runtime: the auth() wrapper decodes the NextAuth session JWT with the
+// AUTH_SECRET that the route layer also uses (auto-generated in-process when
+// unset). That secret is NOT visible to the Edge runtime, and lib/auth pulls in
+// node:crypto — so this proxy must run in Node. The wrapper populates
+// req.auth with the VALIDATED session (null for a forged/unsigned cookie),
+// replacing the old presence-only cookie check that let any cookie through.
+// (Next 16 renamed middleware.ts → proxy.ts; the auth() handler is exported
+// under the `proxy` name the new convention expects.)
+export const proxy = auth((req) => {
   // Skip auth entirely in dev mode
   const isDev = process.env.NODE_ENV !== 'production' || process.env.FORGE_DEV === '1';
   if (isDev) {
@@ -11,6 +22,8 @@ export function proxy(req: NextRequest) {
 
   // Allow auth endpoints, version probe (used by IDE plugins to detect a live
   // server before prompting for password), and static assets without login.
+  // These /api/auth/* routes self-validate any credential at the handler, so they
+  // need no edge check.
   if (
     pathname.startsWith('/login') ||
     pathname.startsWith('/api/auth') ||
@@ -27,7 +40,7 @@ export function proxy(req: NextRequest) {
 
   // /api/connector-tool — loopback-only, no auth (used by Forge-internal
   // callers: pipelines via curl, jobs scheduler, CLI). Non-loopback hosts
-  // fall through to the normal token check.
+  // fall through to the normal check.
   if (pathname === '/api/connector-tool') {
     const host = req.headers.get('host') || '';
     if (host.startsWith('127.0.0.1:') || host.startsWith('localhost:')) {
@@ -35,21 +48,16 @@ export function proxy(req: NextRequest) {
     }
   }
 
-  // Check for NextAuth session cookie (browser login)
-  const hasSession =
-    req.cookies.has('authjs.session-token') ||
-    req.cookies.has('__Secure-authjs.session-token');
-
-  if (hasSession) {
+  // Validated NextAuth session (browser login). req.auth is the decoded session
+  // or null — a forged/unsigned session-token cookie does not pass.
+  if (req.auth) {
     return NextResponse.next();
   }
 
-  // Check for Forge API token (Help AI / CLI tools)
-  // Token obtained via POST /api/auth/verify with admin password
-  const forgeToken = req.headers.get('x-forge-token') || req.cookies.get('forge-api-token')?.value;
-  if (forgeToken) {
-    // Token validation happens in API route layer via isValidToken()
-    // Middleware passes it through — only localhost can obtain tokens
+  // A valid API key or admin-minted token authorizes any route; a bare or forged
+  // credential does not. Both checks run because x-forge-token/forge-api-token can
+  // carry either kind. /api/mcp still re-validates in its own handler.
+  if (hasValidApiKey(req) || isValidToken(req)) {
     return NextResponse.next();
   }
 
@@ -57,8 +65,11 @@ export function proxy(req: NextRequest) {
     return NextResponse.json({ error: 'unauthorized' }, { status: 401 });
   }
   return NextResponse.redirect(new URL('/login', req.url));
-}
+});
 
+// Next.js 16: Proxy is always Node runtime — declaring `runtime: 'nodejs'`
+// here errors out at build time (`Route segment config is not allowed in
+// Proxy file`). Keep only the matcher.
 export const config = {
   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
 };

package/src/core/db/database.ts

@@ -32,51 +32,14 @@ function initSchema(db: Database.Database) {
       console.error('[db] Migration failed:', sql, e.message);
     }
   };
-  migrate('ALTER TABLE tasks ADD COLUMN scheduled_at TEXT');
-  migrate("ALTER TABLE tasks ADD COLUMN mode TEXT NOT NULL DEFAULT 'prompt'");
-  migrate('ALTER TABLE tasks ADD COLUMN watch_config TEXT');
-  migrate("ALTER TABLE skills ADD COLUMN type TEXT NOT NULL DEFAULT 'skill'");
-  migrate('ALTER TABLE skills ADD COLUMN archive TEXT');
-  migrate("ALTER TABLE skills ADD COLUMN installed_version TEXT NOT NULL DEFAULT ''");
-  migrate('ALTER TABLE skills ADD COLUMN rating REAL DEFAULT 0');
-  migrate('ALTER TABLE skills ADD COLUMN deleted_remotely INTEGER NOT NULL DEFAULT 0');
-  // 'registry' (synced from forge-skills) vs 'local' (uploaded by user).
-  // Local skills are kept across syncs (they're not in the remote registry,
-  // so the deleted_remotely housekeeping would otherwise wipe them).
-  migrate("ALTER TABLE skills ADD COLUMN source TEXT NOT NULL DEFAULT 'registry'");
-  migrate('ALTER TABLE project_pipelines ADD COLUMN last_run_at TEXT');
-  migrate('ALTER TABLE pipeline_runs ADD COLUMN dedup_key TEXT');
-  migrate("ALTER TABLE tasks ADD COLUMN agent TEXT DEFAULT 'claude'");
-  // Recreate token_usage with day column (drop old version if schema changed)
+
+  // token_usage is RECREATED when its schema is stale (missing the `day` column).
+  // This must run BEFORE the CREATE block below so the CREATE rebuilds it.
   try { db.exec("SELECT day FROM token_usage LIMIT 1"); } catch { try { db.exec("DROP TABLE IF EXISTS token_usage"); db.exec("DROP TABLE IF EXISTS usage_scan_state"); } catch {} }
-  // Unique index for dedup (only applies when dedup_key is NOT NULL)
-  try { db.exec('CREATE UNIQUE INDEX IF NOT EXISTS idx_pipeline_runs_dedup ON pipeline_runs(project_path, workflow_name, dedup_key)'); } catch {}
-  // One-shot migration of old issue_autofix_processed → pipeline_runs.
-  // Previously this ran every startup (reading + re-inserting all rows on
-  // every cold worker boot — visible as `[db] Migrated N records …`).
-  // Now: skip entirely if the source table has zero rows OR if any rows
-  // have already been migrated (presence of issue: dedup keys is the
-  // tell — INSERT OR IGNORE already protects against dups, the loop
-  // itself was just wasted work).
-  try {
-    const alreadyMigrated = db.prepare("SELECT 1 FROM pipeline_runs WHERE dedup_key LIKE 'issue:%' LIMIT 1").get();
-    if (!alreadyMigrated) {
-      const old = db.prepare('SELECT * FROM issue_autofix_processed').all() as any[];
-      if (old.length > 0) {
-        const ins = db.prepare('INSERT OR IGNORE INTO pipeline_runs (id, project_path, workflow_name, pipeline_id, status, dedup_key, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)');
-        for (const r of old) {
-          ins.run(
-            r.pipeline_id?.slice(0, 8) || ('mig-' + r.issue_number),
-            r.project_path, 'issue-fix-and-review', r.pipeline_id || '',
-            r.status === 'processing' ? 'running' : (r.status || 'done'),
-            `issue:${r.issue_number}`, r.created_at || new Date().toISOString()
-          );
-        }
-        console.log(`[db] Migrated ${old.length} issue_autofix_processed records to pipeline_runs (one-shot)`);
-      }
-    }
-  } catch {}
 
+  // Create all base tables FIRST so the ALTER / INDEX / one-shot steps below have
+  // tables to operate on. Previously the ALTERs ran before CREATE and failed
+  // ("no such table") on a FRESH db — leaving e.g. tasks.agent missing on first boot.
   db.exec(`
     CREATE TABLE IF NOT EXISTS sessions (
       id TEXT PRIMARY KEY,
@@ -268,6 +231,50 @@ function initSchema(db: Database.Database) {
       last_scan TEXT NOT NULL DEFAULT (datetime('now'))
     );
   `);
+
+  // Column migrations — now that the tables above exist, add columns that
+  // postdate their original CREATE (duplicate-column errors are ignored).
+  migrate('ALTER TABLE tasks ADD COLUMN scheduled_at TEXT');
+  migrate("ALTER TABLE tasks ADD COLUMN mode TEXT NOT NULL DEFAULT 'prompt'");
+  migrate('ALTER TABLE tasks ADD COLUMN watch_config TEXT');
+  migrate("ALTER TABLE skills ADD COLUMN type TEXT NOT NULL DEFAULT 'skill'");
+  migrate('ALTER TABLE skills ADD COLUMN archive TEXT');
+  migrate("ALTER TABLE skills ADD COLUMN installed_version TEXT NOT NULL DEFAULT ''");
+  migrate('ALTER TABLE skills ADD COLUMN rating REAL DEFAULT 0');
+  migrate('ALTER TABLE skills ADD COLUMN deleted_remotely INTEGER NOT NULL DEFAULT 0');
+  // 'registry' (synced from forge-skills) vs 'local' (uploaded by user).
+  // Local skills are kept across syncs (they're not in the remote registry,
+  // so the deleted_remotely housekeeping would otherwise wipe them).
+  migrate("ALTER TABLE skills ADD COLUMN source TEXT NOT NULL DEFAULT 'registry'");
+  migrate('ALTER TABLE project_pipelines ADD COLUMN last_run_at TEXT');
+  migrate('ALTER TABLE pipeline_runs ADD COLUMN dedup_key TEXT');
+  migrate("ALTER TABLE tasks ADD COLUMN agent TEXT DEFAULT 'claude'");
+
+  // Unique index for dedup (needs pipeline_runs to exist; only applies when dedup_key is NOT NULL).
+  try { db.exec('CREATE UNIQUE INDEX IF NOT EXISTS idx_pipeline_runs_dedup ON pipeline_runs(project_path, workflow_name, dedup_key)'); } catch {}
+
+  // One-shot migration of old issue_autofix_processed → pipeline_runs.
+  // Skip entirely if the source table has zero rows OR if any rows have already
+  // been migrated (presence of issue: dedup keys is the tell — INSERT OR IGNORE
+  // already protects against dups, the loop itself was just wasted work).
+  try {
+    const alreadyMigrated = db.prepare("SELECT 1 FROM pipeline_runs WHERE dedup_key LIKE 'issue:%' LIMIT 1").get();
+    if (!alreadyMigrated) {
+      const old = db.prepare('SELECT * FROM issue_autofix_processed').all() as any[];
+      if (old.length > 0) {
+        const ins = db.prepare('INSERT OR IGNORE INTO pipeline_runs (id, project_path, workflow_name, pipeline_id, status, dedup_key, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)');
+        for (const r of old) {
+          ins.run(
+            r.pipeline_id?.slice(0, 8) || ('mig-' + r.issue_number),
+            r.project_path, 'issue-fix-and-review', r.pipeline_id || '',
+            r.status === 'processing' ? 'running' : (r.status || 'done'),
+            `issue:${r.issue_number}`, r.created_at || new Date().toISOString()
+          );
+        }
+        console.log(`[db] Migrated ${old.length} issue_autofix_processed records to pipeline_runs (one-shot)`);
+      }
+    }
+  } catch {}
 }
 
 export function closeDb() {