@castlekit/castle 0.1.6 → 0.3.1

package/src/app/api/openclaw/chat/channels/route.ts

@@ -0,0 +1,217 @@
+import { NextRequest, NextResponse } from "next/server";
+import { checkCsrf, sanitizeForApi } from "@/lib/api-security";
+import {
+  createChannel,
+  getChannels,
+  getChannel,
+  updateChannel,
+  deleteChannel,
+  archiveChannel,
+  restoreChannel,
+  touchChannel,
+  getLastAccessedChannelId,
+} from "@/lib/db/queries";
+
+const MAX_CHANNEL_NAME_LENGTH = 100;
+
+/** Strip control characters from a string (keep printable + whitespace) */
+function sanitizeName(name: string): string {
+  // eslint-disable-next-line no-control-regex
+  return name.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "").trim();
+}
+
+/** Validate agent ID format */
+function isValidAgentId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id);
+}
+
+// ============================================================================
+// GET /api/openclaw/chat/channels — List channels
+// ============================================================================
+
+export async function GET(request: NextRequest) {
+  const { searchParams } = new URL(request.url);
+
+  try {
+    // GET /api/openclaw/chat/channels?last=1 — get last accessed channel ID
+    if (searchParams.get("last")) {
+      const lastId = getLastAccessedChannelId();
+      return NextResponse.json({ channelId: lastId });
+    }
+
+    const archived = searchParams.get("archived") === "1";
+    const all = getChannels(archived);
+    console.log(`[Channels API] GET list OK — ${all.length} channels (archived=${archived})`);
+    return NextResponse.json({ channels: all });
+  } catch (err) {
+    console.error("[Channels API] GET list FAILED:", (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}
+
+// ============================================================================
+// POST /api/openclaw/chat/channels — Create / update / delete channel
+// ============================================================================
+
+export async function POST(request: NextRequest) {
+  const csrf = checkCsrf(request);
+  if (csrf) return csrf;
+
+  let body: {
+    action?: "create" | "update" | "delete" | "archive" | "restore" | "touch";
+    id?: string;
+    name?: string;
+    defaultAgentId?: string;
+    agents?: string[];
+  };
+
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+
+  const action = body.action || "create";
+
+  // ------ TOUCH (mark as last accessed) ------
+  if (action === "touch") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    touchChannel(body.id);
+    return NextResponse.json({ ok: true });
+  }
+
+  // ------ ARCHIVE ------
+  if (action === "archive") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    const archived = archiveChannel(body.id);
+    if (!archived) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    return NextResponse.json({ ok: true });
+  }
+
+  // ------ RESTORE ------
+  if (action === "restore") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    const restored = restoreChannel(body.id);
+    if (!restored) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    return NextResponse.json({ ok: true });
+  }
+
+  // ------ DELETE (permanent — only for archived channels) ------
+  if (action === "delete") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    // Only allow deleting archived channels
+    const ch = getChannel(body.id);
+    if (!ch) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    if (!ch.archivedAt) {
+      return NextResponse.json(
+        { error: "Channel must be archived before it can be permanently deleted" },
+        { status: 400 }
+      );
+    }
+    try {
+      const deleted = deleteChannel(body.id);
+      if (!deleted) {
+        return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+      }
+      console.log(`[Channels API] POST delete OK — id=${body.id}`);
+      return NextResponse.json({ ok: true });
+    } catch (err) {
+      console.error(`[Channels API] POST delete FAILED — id=${body.id}:`, (err as Error).message);
+      return NextResponse.json(
+        { error: sanitizeForApi((err as Error).message) },
+        { status: 500 }
+      );
+    }
+  }
+
+  // ------ UPDATE ------
+  if (action === "update") {
+    if (!body.id) {
+      return NextResponse.json({ error: "id is required" }, { status: 400 });
+    }
+    const updates: { name?: string; defaultAgentId?: string } = {};
+    if (body.name) {
+      const cleanName = sanitizeName(body.name);
+      if (!cleanName || cleanName.length > MAX_CHANNEL_NAME_LENGTH) {
+        return NextResponse.json(
+          { error: `Channel name must be 1-${MAX_CHANNEL_NAME_LENGTH} characters` },
+          { status: 400 }
+        );
+      }
+      updates.name = cleanName;
+    }
+    if (body.defaultAgentId) {
+      if (!isValidAgentId(body.defaultAgentId)) {
+        return NextResponse.json({ error: "Invalid agent ID format" }, { status: 400 });
+      }
+      updates.defaultAgentId = body.defaultAgentId;
+    }
+    const updated = updateChannel(body.id, updates);
+    if (!updated) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    const channel = getChannel(body.id);
+    return NextResponse.json({ channel });
+  }
+
+  // ------ CREATE ------
+  if (!body.name || typeof body.name !== "string") {
+    return NextResponse.json({ error: "name is required" }, { status: 400 });
+  }
+  if (!body.defaultAgentId || typeof body.defaultAgentId !== "string") {
+    return NextResponse.json({ error: "defaultAgentId is required" }, { status: 400 });
+  }
+
+  const cleanName = sanitizeName(body.name);
+  if (!cleanName || cleanName.length > MAX_CHANNEL_NAME_LENGTH) {
+    return NextResponse.json(
+      { error: `Channel name must be 1-${MAX_CHANNEL_NAME_LENGTH} characters` },
+      { status: 400 }
+    );
+  }
+
+  if (!isValidAgentId(body.defaultAgentId)) {
+    return NextResponse.json({ error: "Invalid agent ID format" }, { status: 400 });
+  }
+
+  // Validate all agent IDs
+  if (body.agents) {
+    for (const agentId of body.agents) {
+      if (!isValidAgentId(agentId)) {
+        return NextResponse.json(
+          { error: `Invalid agent ID format: ${agentId}` },
+          { status: 400 }
+        );
+      }
+    }
+  }
+
+  try {
+    const channel = createChannel(cleanName, body.defaultAgentId, body.agents);
+    console.log(`[Channels API] POST create OK — id=${channel.id} name="${cleanName}"`);
+    return NextResponse.json({ channel }, { status: 201 });
+  } catch (err) {
+    console.error(`[Channels API] POST create FAILED — name="${cleanName}":`, (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/openclaw/chat/route.ts

@@ -0,0 +1,283 @@
+import { NextRequest, NextResponse } from "next/server";
+import { randomUUID } from "crypto";
+import { checkCsrf, sanitizeForApi, checkRateLimit, rateLimitKey } from "@/lib/api-security";
+import { ensureGateway } from "@/lib/gateway-connection";
+import {
+  createMessage,
+  updateMessage,
+  deleteMessage,
+  getMessagesByChannel,
+  getMessagesAfter,
+  getMessagesAround,
+  getMessageByRunId,
+  getLatestSessionKey,
+  createSession,
+} from "@/lib/db/queries";
+import type { ChatSendRequest, ChatCompleteRequest } from "@/lib/types/chat";
+
+const MAX_MESSAGE_LENGTH = 32768; // 32KB
+
+// ============================================================================
+// POST /api/openclaw/chat — Send a message
+// ============================================================================
+
+export async function POST(request: NextRequest) {
+  const _start = Date.now();
+  const csrf = checkCsrf(request);
+  if (csrf) return csrf;
+
+  // Rate limit: 30 messages per minute
+  const rl = checkRateLimit(rateLimitKey(request, "chat:send"), 30);
+  if (rl) {
+    console.warn("[Chat API] Rate limited on chat:send");
+    return rl;
+  }
+
+  let body: ChatSendRequest;
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+
+  // Validate
+  if (!body.channelId || typeof body.channelId !== "string") {
+    return NextResponse.json({ error: "channelId is required" }, { status: 400 });
+  }
+  if (!body.content || typeof body.content !== "string") {
+    return NextResponse.json({ error: "content is required" }, { status: 400 });
+  }
+  if (body.content.length > MAX_MESSAGE_LENGTH) {
+    return NextResponse.json(
+      { error: `Message too long (max ${MAX_MESSAGE_LENGTH} chars)` },
+      { status: 400 }
+    );
+  }
+
+  // Persist user message to DB
+  const userMsg = createMessage({
+    channelId: body.channelId,
+    senderType: "user",
+    senderId: "local-user",
+    senderName: "You",
+    content: body.content,
+    mentionedAgentId: body.agentId,
+  });
+
+  try {
+    const gateway = ensureGateway();
+
+    // Get existing session key for this channel (if any)
+    let sessionKey = getLatestSessionKey(body.channelId);
+
+    // If no existing session, create one with a proper structured key:
+    //   agent:<agentId>:castle:<channelId>
+    // This maps Castle channels to Gateway sessions 1:1, so the session
+    // is stable and traceable between Castle DB and Gateway transcripts.
+    if (!sessionKey) {
+      const agentId = body.agentId || "main";
+      sessionKey = `agent:${agentId}:castle:${body.channelId}`;
+
+      createSession({
+        channelId: body.channelId,
+        sessionKey,
+      });
+    }
+
+    // Build chat.send params per Gateway protocol
+    const rpcParams: Record<string, unknown> = {
+      message: body.content,
+      sessionKey,
+      idempotencyKey: randomUUID(),
+      timeoutMs: 120000,
+    };
+
+    const result = await gateway.request<{
+      runId: string;
+      status?: string;
+    }>("chat.send", rpcParams);
+
+    // Update user message with runId and sessionKey
+    const runId = result.runId;
+    updateMessage(userMsg.id, {
+      runId,
+      sessionKey,
+    });
+
+    console.log(`[Chat API] POST send OK — runId=${runId} channel=${body.channelId} (${Date.now() - _start}ms)`);
+    return NextResponse.json({
+      runId,
+      messageId: userMsg.id,
+      sessionKey,
+    });
+  } catch (err) {
+    // RPC failed — try to remove the optimistic user message
+    try {
+      deleteMessage(userMsg.id);
+    } catch (delErr) {
+      console.error("[Chat API] Cleanup of optimistic message failed:", (delErr as Error).message);
+    }
+    console.error(`[Chat API] POST send FAILED — channel=${body.channelId} (${Date.now() - _start}ms):`, (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 502 }
+    );
+  }
+}
+
+// ============================================================================
+// PUT /api/openclaw/chat — Complete/update an agent message
+// ============================================================================
+
+export async function PUT(request: NextRequest) {
+  const _start = Date.now();
+  const csrf = checkCsrf(request);
+  if (csrf) return csrf;
+
+  let body: ChatCompleteRequest;
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+
+  if (!body.runId || !body.channelId || !body.content) {
+    return NextResponse.json(
+      { error: "runId, channelId, and content are required" },
+      { status: 400 }
+    );
+  }
+
+  try {
+    // Check if we already have a message for this runId (from a previous partial save)
+    const existing = getMessageByRunId(body.runId);
+
+    if (existing) {
+      // Already complete with same content — idempotent, skip update to avoid
+      // triggering FTS5 update trigger with identical content (causes SQL error)
+      if (existing.status === "complete" && existing.content === body.content) {
+        return NextResponse.json({ messageId: existing.id, updated: false });
+      }
+
+      // Update existing message (e.g. partial → complete, or content changed)
+      updateMessage(existing.id, {
+        content: body.content,
+        status: body.status,
+        sessionKey: body.sessionKey,
+        inputTokens: body.inputTokens,
+        outputTokens: body.outputTokens,
+      });
+      return NextResponse.json({ messageId: existing.id, updated: true });
+    }
+
+    // Create new agent message
+    const agentMsg = createMessage({
+      channelId: body.channelId,
+      senderType: "agent",
+      senderId: body.agentId,
+      senderName: body.agentName,
+      content: body.content,
+      status: body.status,
+      runId: body.runId,
+      sessionKey: body.sessionKey,
+      inputTokens: body.inputTokens,
+      outputTokens: body.outputTokens,
+    });
+
+    console.log(`[Chat API] PUT complete OK — runId=${body.runId} new msg=${agentMsg.id} (${Date.now() - _start}ms)`);
+    return NextResponse.json({ messageId: agentMsg.id, updated: false });
+  } catch (err) {
+    console.error(`[Chat API] PUT complete FAILED — runId=${body.runId} (${Date.now() - _start}ms):`, (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}
+
+// ============================================================================
+// DELETE /api/openclaw/chat — Abort streaming
+// ============================================================================
+
+export async function DELETE(request: NextRequest) {
+  const csrf = checkCsrf(request);
+  if (csrf) return csrf;
+
+  console.log("[Chat API] DELETE abort requested");
+  try {
+    const gateway = ensureGateway();
+    await gateway.request("chat.abort", {});
+    console.log("[Chat API] DELETE abort OK");
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    console.error("[Chat API] DELETE abort FAILED:", (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 502 }
+    );
+  }
+}
+
+// ============================================================================
+// GET /api/openclaw/chat?channelId=X&limit=50&before=Y — Load history
+//   ?around=msgId — Load a window centered on a specific message
+//   ?after=msgId  — Forward pagination (newer messages)
+//   ?before=msgId — Backward pagination (older messages, existing)
+// ============================================================================
+
+export async function GET(request: NextRequest) {
+  const _start = Date.now();
+  const { searchParams } = new URL(request.url);
+  const channelId = searchParams.get("channelId");
+  const limit = Math.min(parseInt(searchParams.get("limit") || "50", 10), 200);
+  const around = searchParams.get("around") || undefined;
+  const after = searchParams.get("after") || undefined;
+  const before = searchParams.get("before") || undefined;
+
+  if (!channelId) {
+    return NextResponse.json({ error: "channelId is required" }, { status: 400 });
+  }
+
+  try {
+    // Anchor mode: load a window of messages around a specific message
+    if (around) {
+      const result = getMessagesAround(channelId, around, limit);
+      if (!result) {
+        // Anchor message not found — fall back to latest messages
+        const msgs = getMessagesByChannel(channelId, limit);
+        return NextResponse.json({
+          messages: msgs,
+          hasMore: msgs.length === limit,
+        });
+      }
+      return NextResponse.json({
+        messages: result.messages,
+        hasMoreBefore: result.hasMoreBefore,
+        hasMoreAfter: result.hasMoreAfter,
+      });
+    }
+
+    // Forward pagination: load messages newer than cursor
+    if (after) {
+      const msgs = getMessagesAfter(channelId, after, limit);
+      return NextResponse.json({
+        messages: msgs,
+        hasMore: msgs.length === limit,
+      });
+    }
+
+    // Default / backward pagination
+    const msgs = getMessagesByChannel(channelId, limit, before);
+    console.log(`[Chat API] GET history OK — channel=${channelId} msgs=${msgs.length} (${Date.now() - _start}ms)`);
+    return NextResponse.json({
+      messages: msgs,
+      hasMore: msgs.length === limit,
+    });
+  } catch (err) {
+    console.error(`[Chat API] GET history FAILED — channel=${channelId} (${Date.now() - _start}ms):`, (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/openclaw/chat/search/route.ts

@@ -0,0 +1,150 @@
+import { NextRequest, NextResponse } from "next/server";
+import { sanitizeForApi, checkRateLimit, rateLimitKey, checkCsrf } from "@/lib/api-security";
+import { searchMessages, getChannels, getRecentSearches, addRecentSearch, clearRecentSearches } from "@/lib/db/queries";
+import type { MessageSearchResult, SearchResult } from "@/lib/types/search";
+
+const MAX_QUERY_LENGTH = 500;
+
+// ============================================================================
+// GET /api/openclaw/chat/search?q=X — Universal full-text search
+// ============================================================================
+
+export async function GET(request: NextRequest) {
+  // Rate limit: 60 searches per minute
+  const rl = checkRateLimit(rateLimitKey(request, "chat:search"), 60);
+  if (rl) return rl;
+
+  const { searchParams } = new URL(request.url);
+
+  // GET /api/openclaw/chat/search?recent=1 — return recent searches
+  if (searchParams.get("recent") === "1") {
+    try {
+      const recent = getRecentSearches();
+      return NextResponse.json({ recent });
+    } catch (err) {
+      console.error("[Chat Search] Recent failed:", (err as Error).message);
+      return NextResponse.json({ recent: [] });
+    }
+  }
+
+  const q = searchParams.get("q");
+  const limit = Math.min(parseInt(searchParams.get("limit") || "30", 10), 100);
+
+  if (!q || !q.trim()) {
+    return NextResponse.json({ results: [] });
+  }
+
+  if (q.length > MAX_QUERY_LENGTH) {
+    return NextResponse.json(
+      { error: `Search query too long (max ${MAX_QUERY_LENGTH} chars)` },
+      { status: 400 }
+    );
+  }
+
+  try {
+    // Build channel name lookup — include archived channels so their
+    // names still resolve in search results.
+    const activeChannels = getChannels(false);
+    const archivedChannels = getChannels(true);
+    const channelMap = new Map<string, { name: string; archived: boolean }>();
+    for (const ch of activeChannels) {
+      channelMap.set(ch.id, { name: ch.name, archived: false });
+    }
+    for (const ch of archivedChannels) {
+      channelMap.set(ch.id, { name: ch.name, archived: true });
+    }
+
+    // Search messages across all channels
+    const rawMessages = searchMessages(q, undefined, limit);
+
+    // Map raw ChatMessage[] into typed MessageSearchResult[]
+    const results: SearchResult[] = rawMessages.map((msg): MessageSearchResult => {
+      const ch = channelMap.get(msg.channelId);
+      const channelName = ch?.name || "Unknown";
+      const archived = ch?.archived ?? false;
+      const senderName =
+        msg.senderType === "user"
+          ? "You"
+          : msg.senderName || msg.senderId;
+
+      // Truncate snippet to ~200 chars
+      const snippet =
+        msg.content.length > 200
+          ? msg.content.slice(0, 200) + "…"
+          : msg.content;
+
+      return {
+        id: msg.id,
+        type: "message",
+        title: `#${channelName}`,
+        subtitle: senderName,
+        snippet,
+        timestamp: msg.createdAt,
+        href: `/chat/${msg.channelId}?m=${msg.id}`,
+        channelId: msg.channelId,
+        channelName,
+        messageId: msg.id,
+        senderType: msg.senderType,
+        senderName,
+        archived,
+      };
+    });
+
+    // Future: merge results from searchTasks(), searchNotes(), etc.
+    // Sort by timestamp descending (already sorted by FTS query)
+
+    console.log(`[Search API] GET OK — query="${q.slice(0, 50)}" results=${results.length}`);
+    return NextResponse.json({ results });
+  } catch (err) {
+    console.error(`[Search API] GET FAILED — query="${q?.slice(0, 50)}":`, (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}
+
+// ============================================================================
+// POST /api/openclaw/chat/search — Save a recent search
+// ============================================================================
+
+export async function POST(request: NextRequest) {
+  const csrf = checkCsrf(request);
+  if (csrf) return csrf;
+
+  try {
+    const body = await request.json();
+    const q = body.query;
+    if (!q || typeof q !== "string" || !q.trim()) {
+      return NextResponse.json({ error: "query is required" }, { status: 400 });
+    }
+    addRecentSearch(q.trim());
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    console.error("[Chat Search] Save recent failed:", (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}
+
+// ============================================================================
+// DELETE /api/openclaw/chat/search — Clear all recent searches
+// ============================================================================
+
+export async function DELETE(request: NextRequest) {
+  const csrf = checkCsrf(request);
+  if (csrf) return csrf;
+
+  try {
+    clearRecentSearches();
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    console.error("[Chat Search] Clear recent failed:", (err as Error).message);
+    return NextResponse.json(
+      { error: sanitizeForApi((err as Error).message) },
+      { status: 500 }
+    );
+  }
+}