@castlekit/castle 0.1.5 → 0.3.0

package/src/app/api/openclaw/agents/status/route.ts

@@ -0,0 +1,55 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getAgentStatuses, setAgentStatus, type AgentStatusValue } from "@/lib/db/queries";
+import { checkCsrf } from "@/lib/api-security";
+
+const VALID_STATUSES: AgentStatusValue[] = ["idle", "thinking", "active"];
+
+// ============================================================================
+// GET /api/openclaw/agents/status — Get all agent statuses
+// ============================================================================
+
+export async function GET() {
+  try {
+    const statuses = getAgentStatuses();
+    return NextResponse.json({ statuses });
+  } catch (err) {
+    console.error("[Agent Status] GET failed:", (err as Error).message);
+    return NextResponse.json({ error: "Failed to get agent statuses" }, { status: 500 });
+  }
+}
+
+// ============================================================================
+// POST /api/openclaw/agents/status — Set an agent's status
+// ============================================================================
+
+export async function POST(request: NextRequest) {
+  const csrfError = checkCsrf(request);
+  if (csrfError) return csrfError;
+
+  let body: { agentId?: string; status?: string };
+
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+
+  if (!body.agentId || typeof body.agentId !== "string") {
+    return NextResponse.json({ error: "agentId is required" }, { status: 400 });
+  }
+
+  if (!body.status || !VALID_STATUSES.includes(body.status as AgentStatusValue)) {
+    return NextResponse.json(
+      { error: `status must be one of: ${VALID_STATUSES.join(", ")}` },
+      { status: 400 }
+    );
+  }
+
+  try {
+    setAgentStatus(body.agentId, body.status as AgentStatusValue);
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    console.error("[Agent Status] POST failed:", (err as Error).message);
+    return NextResponse.json({ error: "Failed to set agent status" }, { status: 500 });
+  }
+}

package/src/app/api/openclaw/chat/attachments/route.ts

@@ -0,0 +1,230 @@
+import { NextRequest, NextResponse } from "next/server";
+import { existsSync, mkdirSync, writeFileSync, readFileSync, statSync } from "fs";
+import { join, resolve } from "path";
+import { platform } from "os";
+import { v4 as uuid } from "uuid";
+import { checkCsrf } from "@/lib/api-security";
+import { getCastleDir } from "@/lib/config";
+import { createAttachment, getAttachmentsByMessage } from "@/lib/db/queries";
+
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+const ALLOWED_MIME_TYPES = new Set([
+  "image/png",
+  "image/jpeg",
+  "image/webp",
+  "image/gif",
+  "audio/mpeg",
+  "audio/ogg",
+  "audio/wav",
+]);
+
+function getAttachmentsDir(): string {
+  return join(getCastleDir(), "data", "attachments");
+}
+
+/** Validate that resolved path stays within the attachments directory */
+function isPathSafe(filePath: string, baseDir: string): boolean {
+  const resolved = resolve(filePath);
+  const resolvedBase = resolve(baseDir);
+  return resolved.startsWith(resolvedBase);
+}
+
+function getMimeForExt(ext: string): string {
+  const map: Record<string, string> = {
+    ".png": "image/png",
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+    ".webp": "image/webp",
+    ".gif": "image/gif",
+    ".mp3": "audio/mpeg",
+    ".ogg": "audio/ogg",
+    ".wav": "audio/wav",
+  };
+  return map[ext.toLowerCase()] || "application/octet-stream";
+}
+
+// ============================================================================
+// POST /api/openclaw/chat/attachments — Upload attachment
+// ============================================================================
+
+export async function POST(request: NextRequest) {
+  const csrf = checkCsrf(request);
+  if (csrf) return csrf;
+
+  const formData = await request.formData();
+  const file = formData.get("file") as File | null;
+  const channelId = formData.get("channelId") as string | null;
+  const messageId = formData.get("messageId") as string | null;
+
+  if (!file || !channelId) {
+    return NextResponse.json(
+      { error: "file and channelId are required" },
+      { status: 400 }
+    );
+  }
+
+  // Validate file size
+  if (file.size > MAX_FILE_SIZE) {
+    return NextResponse.json(
+      { error: `File too large (max ${MAX_FILE_SIZE / 1024 / 1024}MB)` },
+      { status: 400 }
+    );
+  }
+
+  // Validate MIME type
+  if (!ALLOWED_MIME_TYPES.has(file.type)) {
+    return NextResponse.json(
+      { error: `Unsupported file type: ${file.type}` },
+      { status: 400 }
+    );
+  }
+
+  try {
+    // Determine file extension from MIME type
+    const extMap: Record<string, string> = {
+      "image/png": ".png",
+      "image/jpeg": ".jpg",
+      "image/webp": ".webp",
+      "image/gif": ".gif",
+      "audio/mpeg": ".mp3",
+      "audio/ogg": ".ogg",
+      "audio/wav": ".wav",
+    };
+    const ext = extMap[file.type] || ".bin";
+
+    // Create UUID-based filename (never use user-supplied names)
+    const filename = `${uuid()}${ext}`;
+    const channelDir = join(getAttachmentsDir(), channelId);
+
+    // Ensure directory exists
+    if (!existsSync(channelDir)) {
+      mkdirSync(channelDir, { recursive: true, mode: 0o700 });
+    }
+
+    const filePath = join(channelDir, filename);
+
+    // Path traversal check
+    if (!isPathSafe(filePath, getAttachmentsDir())) {
+      return NextResponse.json(
+        { error: "Invalid path" },
+        { status: 400 }
+      );
+    }
+
+    // Write file
+    const buffer = Buffer.from(await file.arrayBuffer());
+    writeFileSync(filePath, buffer);
+
+    // Secure permissions
+    if (platform() !== "win32") {
+      try {
+        const { chmodSync } = await import("fs");
+        chmodSync(filePath, 0o600);
+      } catch {
+        // May fail on some filesystems
+      }
+    }
+
+    // Persist to DB (if messageId provided)
+    const attachmentType = file.type.startsWith("image/") ? "image" : "audio";
+    let attachmentRecord = null;
+
+    if (messageId) {
+      attachmentRecord = createAttachment({
+        messageId,
+        attachmentType: attachmentType as "image" | "audio",
+        filePath: `${channelId}/${filename}`,
+        mimeType: file.type,
+        fileSize: file.size,
+        originalName: file.name,
+      });
+    }
+
+    return NextResponse.json({
+      id: attachmentRecord?.id ?? uuid(),
+      filePath: `${channelId}/${filename}`,
+      mimeType: file.type,
+      fileSize: file.size,
+      originalName: file.name,
+    }, { status: 201 });
+  } catch (err) {
+    console.error("[Attachments] Upload failed:", (err as Error).message);
+    return NextResponse.json(
+      { error: "Upload failed" },
+      { status: 500 }
+    );
+  }
+}
+
+// ============================================================================
+// GET /api/openclaw/chat/attachments?path=... — Serve attachment
+// ============================================================================
+
+export async function GET(request: NextRequest) {
+  const { searchParams } = new URL(request.url);
+  const filePath = searchParams.get("path");
+  const messageId = searchParams.get("messageId");
+
+  // If messageId provided, return all attachments for that message
+  if (messageId) {
+    try {
+      const attachments = getAttachmentsByMessage(messageId);
+      return NextResponse.json({ attachments });
+    } catch (err) {
+      console.error("[Attachments] List failed:", (err as Error).message);
+      return NextResponse.json(
+        { error: "Failed to list attachments" },
+        { status: 500 }
+      );
+    }
+  }
+
+  // Serve individual file
+  if (!filePath) {
+    return NextResponse.json(
+      { error: "path or messageId parameter required" },
+      { status: 400 }
+    );
+  }
+
+  const baseDir = getAttachmentsDir();
+  const fullPath = join(baseDir, filePath);
+
+  // Path traversal check
+  if (!isPathSafe(fullPath, baseDir)) {
+    return NextResponse.json(
+      { error: "Invalid path" },
+      { status: 400 }
+    );
+  }
+
+  if (!existsSync(fullPath)) {
+    return NextResponse.json(
+      { error: "Attachment not found" },
+      { status: 404 }
+    );
+  }
+
+  try {
+    const data = readFileSync(fullPath);
+    const ext = fullPath.substring(fullPath.lastIndexOf("."));
+    const mimeType = getMimeForExt(ext);
+    const stat = statSync(fullPath);
+
+    return new NextResponse(data, {
+      status: 200,
+      headers: {
+        "Content-Type": mimeType,
+        "Content-Length": String(stat.size),
+        "Content-Disposition": "inline",
+        "Cache-Control": "public, max-age=86400", // 24h cache
+      },
+    });
+  } catch (err) {
+    console.error("[Attachments] Serve failed:", (err as Error).message);
+    return NextResponse.json(
+      { error: "Failed to serve attachment" },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/openclaw/chat/channels/route.ts

@@ -0,0 +1,214 @@
+import { NextRequest, NextResponse } from "next/server";
+import { checkCsrf, sanitizeForApi } from "@/lib/api-security";
+import {
+  createChannel,
+  getChannels,
+  getChannel,
+  updateChannel,
+  deleteChannel,
+  archiveChannel,
+  restoreChannel,
+  touchChannel,
+  getLastAccessedChannelId,
+} from "@/lib/db/queries";
+
+const MAX_CHANNEL_NAME_LENGTH = 100;
+
+/** Strip control characters from a string (keep printable + whitespace) */
+function sanitizeName(name: string): string {
+  // eslint-disable-next-line no-control-regex
+  return name.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "").trim();
+}
+
+/** Validate agent ID format */
+function isValidAgentId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id);
+}
+
+// ============================================================================
+// GET /api/openclaw/chat/channels — List channels
+// ============================================================================
+
+export async function GET(request: NextRequest) {
+  const { searchParams } = new URL(request.url);
+
+  try {
+    // GET /api/openclaw/chat/channels?last=1 — get last accessed channel ID
+    if (searchParams.get("last")) {
+      const lastId = getLastAccessedChannelId();
+      return NextResponse.json({ channelId: lastId });
+    }
+
+    const archived = searchParams.get("archived") === "1";
+    const all = getChannels(archived);
+    return NextResponse.json({ channels: all });
+  } catch (err) {
+    console.error("[Chat Channels] List failed:", (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}
+
+// ============================================================================
+// POST /api/openclaw/chat/channels — Create / update / delete channel
+// ============================================================================
+
+export async function POST(request: NextRequest) {
+  const csrf = checkCsrf(request);
+  if (csrf) return csrf;
+
+  let body: {
+    action?: "create" | "update" | "delete" | "archive" | "restore" | "touch";
+    id?: string;
+    name?: string;
+    defaultAgentId?: string;
+    agents?: string[];
+  };
+
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+
+  const action = body.action || "create";
+
+  // ------ TOUCH (mark as last accessed) ------
+  if (action === "touch") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    touchChannel(body.id);
+    return NextResponse.json({ ok: true });
+  }
+
+  // ------ ARCHIVE ------
+  if (action === "archive") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    const archived = archiveChannel(body.id);
+    if (!archived) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    return NextResponse.json({ ok: true });
+  }
+
+  // ------ RESTORE ------
+  if (action === "restore") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    const restored = restoreChannel(body.id);
+    if (!restored) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    return NextResponse.json({ ok: true });
+  }
+
+  // ------ DELETE (permanent — only for archived channels) ------
+  if (action === "delete") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    // Only allow deleting archived channels
+    const ch = getChannel(body.id);
+    if (!ch) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    if (!ch.archivedAt) {
+      return NextResponse.json(
+        { error: "Channel must be archived before it can be permanently deleted" },
+        { status: 400 }
+      );
+    }
+    try {
+      const deleted = deleteChannel(body.id);
+      if (!deleted) {
+        return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+      }
+      return NextResponse.json({ ok: true });
+    } catch (err) {
+      console.error("[Chat Channels] Delete failed:", (err as Error).message);
+      return NextResponse.json(
+        { error: sanitizeForApi((err as Error).message) },
+        { status: 500 }
+      );
+    }
+  }
+
+  // ------ UPDATE ------
+  if (action === "update") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    const updates: { name?: string; defaultAgentId?: string } = {};
+    if (body.name) {
+      const cleanName = sanitizeName(body.name);
+      if (!cleanName || cleanName.length > MAX_CHANNEL_NAME_LENGTH) {
+        return NextResponse.json(
+          { error: `Channel name must be 1-${MAX_CHANNEL_NAME_LENGTH} characters` },
+          { status: 400 }
+        );
+      }
+      updates.name = cleanName;
+    }
+    if (body.defaultAgentId) {
+      if (!isValidAgentId(body.defaultAgentId)) {
+        return NextResponse.json({ error: "Invalid agent ID format" }, { status: 400 });
+      }
+      updates.defaultAgentId = body.defaultAgentId;
+    }
+    const updated = updateChannel(body.id, updates);
+    if (!updated) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    const channel = getChannel(body.id);
+    return NextResponse.json({ channel });
+  }
+
+  // ------ CREATE ------
+  if (!body.name || typeof body.name !== "string") {
+    return NextResponse.json({ error: "name is required" }, { status: 400 });
+  }
+  if (!body.defaultAgentId || typeof body.defaultAgentId !== "string") {
+    return NextResponse.json({ error: "defaultAgentId is required" }, { status: 400 });
+  }
+
+  const cleanName = sanitizeName(body.name);
+  if (!cleanName || cleanName.length > MAX_CHANNEL_NAME_LENGTH) {
+    return NextResponse.json(
+      { error: `Channel name must be 1-${MAX_CHANNEL_NAME_LENGTH} characters` },
+      { status: 400 }
+    );
+  }
+
+  if (!isValidAgentId(body.defaultAgentId)) {
+    return NextResponse.json({ error: "Invalid agent ID format" }, { status: 400 });
+  }
+
+  // Validate all agent IDs
+  if (body.agents) {
+    for (const agentId of body.agents) {
+      if (!isValidAgentId(agentId)) {
+        return NextResponse.json(
+          { error: `Invalid agent ID format: ${agentId}` },
+          { status: 400 }
+        );
+      }
+    }
+  }
+
+  try {
+    const channel = createChannel(cleanName, body.defaultAgentId, body.agents);
+    return NextResponse.json({ channel }, { status: 201 });
+  } catch (err) {
+    console.error("[Chat Channels] Create failed:", (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}