@codemation/host 0.0.1

package/src/domain/credentials/WorkflowCredentialNodeResolver.ts

@@ -0,0 +1,246 @@
+import type { CredentialRequirement, WorkflowDefinition } from "@codemation/core";
+import {
+  AgentConfigInspector,
+  ConnectionNodeIdFactory,
+  WorkflowExecutableNodeClassifierFactory,
+} from "@codemation/core";
+
+import { injectable } from "@codemation/core";
+
+export type WorkflowCredentialSlotRef = Readonly<{
+  workflowId: string;
+  nodeId: string;
+  nodeName: string;
+  requirement: CredentialRequirement;
+}>;
+
+/**
+ * Resolves credential requirements for workflow node ids, including connection-owned LLM/tool children.
+ */
+@injectable()
+export class WorkflowCredentialNodeResolver {
+  /**
+   * Human-readable label for credential errors (workflow node name or agent › attachment).
+   */
+  describeCredentialNodeDisplay(workflow: WorkflowDefinition, nodeId: string): string {
+    const direct = workflow.nodes.find((n) => n.id === nodeId);
+    if (direct) {
+      return direct.name ?? direct.config.name ?? direct.id;
+    }
+    if (ConnectionNodeIdFactory.isLanguageModelConnectionNodeId(nodeId)) {
+      const parentId = this.parseParentForLanguageModelConnectionNodeId(nodeId);
+      const parent = parentId ? workflow.nodes.find((n) => n.id === parentId) : undefined;
+      const agentLabel = parent?.name ?? parentId ?? "Agent";
+      return `${agentLabel} › Language model`;
+    }
+    if (ConnectionNodeIdFactory.isToolConnectionNodeId(nodeId)) {
+      const parsed = this.parseToolConnectionNodeId(nodeId);
+      if (!parsed) {
+        return nodeId;
+      }
+      const parent = workflow.nodes.find((n) => n.id === parsed.parentNodeId);
+      const agentLabel = parent?.name ?? parsed.parentNodeId;
+      const toolConfig =
+        parent && AgentConfigInspector.isAgentNodeConfig(parent.config)
+          ? parent.config.tools?.find(
+              (tool) => ConnectionNodeIdFactory.normalizeToolName(tool.name) === parsed.normalizedToolName,
+            )
+          : undefined;
+      const toolLabel = toolConfig?.presentation?.label ?? toolConfig?.name ?? parsed.normalizedToolName;
+      return `${agentLabel} › ${toolLabel}`;
+    }
+    return nodeId;
+  }
+
+  isCredentialNodeIdInWorkflow(workflow: WorkflowDefinition, nodeId: string): boolean {
+    if (workflow.nodes.some((n) => n.id === nodeId)) {
+      return true;
+    }
+    if (ConnectionNodeIdFactory.isLanguageModelConnectionNodeId(nodeId)) {
+      const parent = this.parseParentForLanguageModelConnectionNodeId(nodeId);
+      if (parent && workflow.nodes.some((n) => n.id === parent)) {
+        return true;
+      }
+    }
+    if (ConnectionNodeIdFactory.isToolConnectionNodeId(nodeId)) {
+      const parsed = this.parseToolConnectionNodeId(nodeId);
+      if (parsed && workflow.nodes.some((n) => n.id === parsed.parentNodeId)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  findRequirement(
+    workflow: WorkflowDefinition,
+    nodeId: string,
+    slotKey: string,
+  ): Readonly<{ nodeName: string; requirement: CredentialRequirement }> | undefined {
+    const direct = this.findDirectRequirement(workflow, nodeId, slotKey);
+    if (direct) {
+      return direct;
+    }
+    if (ConnectionNodeIdFactory.isLanguageModelConnectionNodeId(nodeId)) {
+      const parent = this.parseParentForLanguageModelConnectionNodeId(nodeId);
+      if (parent) {
+        const fromConn = this.findLanguageModelRequirement(workflow, parent, slotKey);
+        if (fromConn) {
+          return fromConn;
+        }
+      }
+    }
+    if (ConnectionNodeIdFactory.isToolConnectionNodeId(nodeId)) {
+      const parsed = this.parseToolConnectionNodeId(nodeId);
+      if (parsed) {
+        const fromConn = this.findToolRequirement(workflow, parsed.parentNodeId, parsed.normalizedToolName, slotKey);
+        if (fromConn) {
+          return fromConn;
+        }
+      }
+    }
+    return undefined;
+  }
+
+  listSlots(workflow: WorkflowDefinition): ReadonlyArray<WorkflowCredentialSlotRef> {
+    const slots: WorkflowCredentialSlotRef[] = [];
+    const classifier = WorkflowExecutableNodeClassifierFactory.create(workflow);
+    const hasConnectionMetadata = (workflow.connections?.length ?? 0) > 0;
+
+    for (const node of workflow.nodes) {
+      if (classifier.isConnectionOwnedNodeId(node.id)) {
+        for (const requirement of node.config.getCredentialRequirements?.() ?? []) {
+          slots.push({
+            workflowId: workflow.id,
+            nodeId: node.id,
+            nodeName: node.name ?? node.config.name ?? node.id,
+            requirement,
+          });
+        }
+        continue;
+      }
+
+      if (AgentConfigInspector.isAgentNodeConfig(node.config)) {
+        if (!hasConnectionMetadata) {
+          const lmNodeId = ConnectionNodeIdFactory.languageModelConnectionNodeId(node.id);
+          const lmLabel = node.config.chatModel.presentation?.label ?? node.config.chatModel.name;
+          for (const requirement of node.config.chatModel.getCredentialRequirements?.() ?? []) {
+            slots.push({
+              workflowId: workflow.id,
+              nodeId: lmNodeId,
+              nodeName: lmLabel,
+              requirement,
+            });
+          }
+          for (const toolConfig of node.config.tools ?? []) {
+            const toolNodeId = ConnectionNodeIdFactory.toolConnectionNodeId(node.id, toolConfig.name);
+            const toolLabel = toolConfig.presentation?.label ?? toolConfig.name;
+            for (const requirement of toolConfig.getCredentialRequirements?.() ?? []) {
+              slots.push({
+                workflowId: workflow.id,
+                nodeId: toolNodeId,
+                nodeName: toolLabel,
+                requirement,
+              });
+            }
+          }
+        }
+        continue;
+      }
+
+      for (const requirement of node.config.getCredentialRequirements?.() ?? []) {
+        slots.push({
+          workflowId: workflow.id,
+          nodeId: node.id,
+          nodeName: node.name ?? node.config.name ?? node.id,
+          requirement,
+        });
+      }
+    }
+    return slots;
+  }
+
+  private findDirectRequirement(
+    workflow: WorkflowDefinition,
+    nodeId: string,
+    slotKey: string,
+  ): Readonly<{ nodeName: string; requirement: CredentialRequirement }> | undefined {
+    const node = workflow.nodes.find((entry) => entry.id === nodeId);
+    if (!node || AgentConfigInspector.isAgentNodeConfig(node.config)) {
+      return undefined;
+    }
+    const requirement = node.config.getCredentialRequirements?.()?.find((entry) => entry.slotKey === slotKey);
+    if (!requirement) {
+      return undefined;
+    }
+    return { nodeName: node.name ?? node.config.name ?? node.id, requirement };
+  }
+
+  private findLanguageModelRequirement(
+    workflow: WorkflowDefinition,
+    parentNodeId: string,
+    slotKey: string,
+  ): Readonly<{ nodeName: string; requirement: CredentialRequirement }> | undefined {
+    const parent = workflow.nodes.find((entry) => entry.id === parentNodeId);
+    if (!parent || !AgentConfigInspector.isAgentNodeConfig(parent.config)) {
+      return undefined;
+    }
+    const requirement = parent.config.chatModel
+      .getCredentialRequirements?.()
+      ?.find((entry) => entry.slotKey === slotKey);
+    if (!requirement) {
+      return undefined;
+    }
+    const nodeName =
+      parent.config.chatModel.presentation?.label ?? parent.config.chatModel.name ?? parent.name ?? parent.id;
+    return { nodeName, requirement };
+  }
+
+  private findToolRequirement(
+    workflow: WorkflowDefinition,
+    parentNodeId: string,
+    normalizedToolName: string,
+    slotKey: string,
+  ): Readonly<{ nodeName: string; requirement: CredentialRequirement }> | undefined {
+    const parent = workflow.nodes.find((entry) => entry.id === parentNodeId);
+    if (!parent || !AgentConfigInspector.isAgentNodeConfig(parent.config)) {
+      return undefined;
+    }
+    const toolConfig = parent.config.tools?.find(
+      (tool) => ConnectionNodeIdFactory.normalizeToolName(tool.name) === normalizedToolName,
+    );
+    if (!toolConfig) {
+      return undefined;
+    }
+    const requirement = toolConfig.getCredentialRequirements?.()?.find((entry) => entry.slotKey === slotKey);
+    if (!requirement) {
+      return undefined;
+    }
+    const nodeName = toolConfig.presentation?.label ?? toolConfig.name ?? parent.name ?? parent.id;
+    return { nodeName, requirement };
+  }
+
+  private parseParentForLanguageModelConnectionNodeId(nodeId: string): string | undefined {
+    if (!ConnectionNodeIdFactory.isLanguageModelConnectionNodeId(nodeId)) {
+      return undefined;
+    }
+    const suffix = `${ConnectionNodeIdFactory.connectionSegment}llm`;
+    return nodeId.slice(0, -suffix.length);
+  }
+
+  private parseToolConnectionNodeId(nodeId: string): { parentNodeId: string; normalizedToolName: string } | undefined {
+    if (!ConnectionNodeIdFactory.isToolConnectionNodeId(nodeId)) {
+      return undefined;
+    }
+    const marker = `${ConnectionNodeIdFactory.connectionSegment}tool${ConnectionNodeIdFactory.connectionSegment}`;
+    const idx = nodeId.indexOf(marker);
+    if (idx < 0) {
+      return undefined;
+    }
+    const parentNodeId = nodeId.slice(0, idx);
+    const normalizedToolName = nodeId.slice(idx + marker.length);
+    if (!parentNodeId || !normalizedToolName) {
+      return undefined;
+    }
+    return { parentNodeId, normalizedToolName };
+  }
+}

package/src/domain/runs/WorkflowRunRepository.ts

@@ -0,0 +1,11 @@
+import type { PersistedRunState, RunId, RunSummary } from "@codemation/core";
+
+export interface WorkflowRunRepository {
+  load(runId: string): Promise<PersistedRunState | undefined>;
+
+  save(state: PersistedRunState): Promise<void>;
+
+  listRuns(args: Readonly<{ workflowId?: string; limit?: number }>): Promise<ReadonlyArray<RunSummary>>;
+
+  deleteRun(runId: RunId): Promise<void>;
+}

package/src/domain/users/UserAccountServiceRegistry.ts

@@ -0,0 +1,315 @@
+import { hash } from "bcryptjs";
+import { createHash, randomBytes } from "node:crypto";
+import { ApplicationRequestError } from "../../application/ApplicationRequestError";
+import type {
+  InviteUserResponseDto,
+  UpsertLocalBootstrapUserResultDto,
+  UserAccountDto,
+  UserAccountStatus,
+  VerifyUserInviteResponseDto,
+} from "../../application/contracts/userDirectoryContracts.types";
+import { PrismaClient } from "../../infrastructure/persistence/generated/prisma-client/client.js";
+import type { CodemationAuthConfig } from "../../presentation/config/CodemationAuthConfig";
+import { labelForLinkedAuthAccount } from "./userLoginMethodLabels.types";
+
+const INVITE_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+
+export class UserAccountService {
+  constructor(
+    private readonly authConfig: CodemationAuthConfig | undefined,
+    private readonly prisma: PrismaClient | undefined,
+  ) {}
+
+  async listUsers(): Promise<ReadonlyArray<UserAccountDto>> {
+    this.assertLocalAuth();
+    const prisma = this.requirePrisma();
+    const rows = await prisma.user.findMany({
+      orderBy: { email: "asc" },
+      include: {
+        invites: {
+          where: { revokedAt: null },
+          orderBy: { createdAt: "desc" },
+        },
+        accounts: {
+          select: { provider: true, type: true },
+        },
+      },
+    });
+    return rows.map((row) => this.toDto(row));
+  }
+
+  async inviteUser(email: string, requestOrigin: string): Promise<InviteUserResponseDto> {
+    this.assertLocalAuth();
+    const prisma = this.requirePrisma();
+    const normalized = email.trim().toLowerCase();
+    if (!normalized || !normalized.includes("@")) {
+      throw new ApplicationRequestError(400, "Invalid email.");
+    }
+    const existing = await prisma.user.findUnique({ where: { email: normalized } });
+    if (existing?.accountStatus === "active") {
+      throw new ApplicationRequestError(409, "User is already active.");
+    }
+    if (existing?.accountStatus === "inactive") {
+      throw new ApplicationRequestError(409, "User is inactive.");
+    }
+
+    const rawToken = this.generateRawToken();
+    const tokenHash = this.hashToken(rawToken);
+    const expiresAt = new Date(Date.now() + INVITE_TTL_MS);
+    const now = new Date();
+
+    if (existing) {
+      await prisma.$transaction(async (tx) => {
+        await tx.userInvite.updateMany({
+          where: { userId: existing.id, revokedAt: null },
+          data: { revokedAt: now },
+        });
+        await tx.userInvite.create({
+          data: { userId: existing.id, tokenHash, expiresAt, createdAt: now },
+        });
+      });
+      const user = await this.getUserDto(existing.id);
+      return { user, inviteUrl: this.buildInviteUrl(requestOrigin, rawToken) };
+    }
+
+    const created = await prisma.$transaction(async (tx) => {
+      const u = await tx.user.create({
+        data: {
+          email: normalized,
+          name: normalized.split("@")[0] ?? normalized,
+          accountStatus: "invited",
+        },
+      });
+      await tx.userInvite.create({
+        data: { userId: u.id, tokenHash, expiresAt, createdAt: now },
+      });
+      return u;
+    });
+    const user = await this.getUserDto(created.id);
+    return { user, inviteUrl: this.buildInviteUrl(requestOrigin, rawToken) };
+  }
+
+  async regenerateInvite(userId: string, requestOrigin: string): Promise<InviteUserResponseDto> {
+    this.assertLocalAuth();
+    const prisma = this.requirePrisma();
+    const row = await prisma.user.findUnique({ where: { id: userId } });
+    if (!row) {
+      throw new ApplicationRequestError(404, "Unknown user.");
+    }
+    if (row.accountStatus !== "invited") {
+      throw new ApplicationRequestError(409, "Can only regenerate invites for invited users.");
+    }
+
+    const rawToken = this.generateRawToken();
+    const tokenHash = this.hashToken(rawToken);
+    const expiresAt = new Date(Date.now() + INVITE_TTL_MS);
+    const now = new Date();
+
+    await prisma.$transaction(async (tx) => {
+      await tx.userInvite.updateMany({
+        where: { userId, revokedAt: null },
+        data: { revokedAt: now },
+      });
+      await tx.userInvite.create({
+        data: { userId, tokenHash, expiresAt, createdAt: now },
+      });
+    });
+
+    const user = await this.getUserDto(userId);
+    return { user, inviteUrl: this.buildInviteUrl(requestOrigin, rawToken) };
+  }
+
+  async verifyInviteToken(rawToken: string): Promise<VerifyUserInviteResponseDto> {
+    const prisma = this.requirePrisma();
+    const trimmed = rawToken.trim();
+    if (!trimmed) {
+      return { valid: false };
+    }
+    const tokenHash = this.hashToken(trimmed);
+    const invite = await prisma.userInvite.findFirst({
+      where: { tokenHash, revokedAt: null },
+    });
+    if (!invite || invite.expiresAt <= new Date()) {
+      return { valid: false };
+    }
+    const user = await prisma.user.findUnique({ where: { id: invite.userId } });
+    if (!user?.email || user.accountStatus !== "invited") {
+      return { valid: false };
+    }
+    return { valid: true, email: user.email };
+  }
+
+  async acceptInvite(rawToken: string, password: string): Promise<void> {
+    const prisma = this.requirePrisma();
+    const trimmed = rawToken.trim();
+    if (!trimmed) {
+      throw new ApplicationRequestError(400, "Missing invite token.");
+    }
+    if (password.length < 8) {
+      throw new ApplicationRequestError(400, "Password must be at least 8 characters.");
+    }
+    const tokenHash = this.hashToken(trimmed);
+    const invite = await prisma.userInvite.findFirst({
+      where: { tokenHash, revokedAt: null },
+    });
+    if (!invite || invite.expiresAt <= new Date()) {
+      throw new ApplicationRequestError(400, "Invite is invalid or has expired.");
+    }
+    const user = await prisma.user.findUnique({ where: { id: invite.userId } });
+    if (!user || user.accountStatus !== "invited") {
+      throw new ApplicationRequestError(400, "Invite cannot be used for this account.");
+    }
+    const passwordHash = await hash(password, 12);
+    const now = new Date();
+    await prisma.$transaction(async (tx) => {
+      await tx.user.update({
+        where: { id: user.id },
+        data: { passwordHash, accountStatus: "active" },
+      });
+      await tx.userInvite.updateMany({
+        where: { userId: user.id, revokedAt: null },
+        data: { revokedAt: now },
+      });
+    });
+  }
+
+  async updateAccountStatus(userId: string, status: UserAccountStatus): Promise<UserAccountDto> {
+    this.assertLocalAuth();
+    const prisma = this.requirePrisma();
+    if (status === "invited") {
+      throw new ApplicationRequestError(400, "Cannot set status to invited via this endpoint.");
+    }
+    const row = await prisma.user.findUnique({ where: { id: userId } });
+    if (!row) {
+      throw new ApplicationRequestError(404, "Unknown user.");
+    }
+    await prisma.user.update({
+      where: { id: userId },
+      data: { accountStatus: status },
+    });
+    return await this.getUserDto(userId);
+  }
+
+  /**
+   * Bootstrap path for `codemation user create`: create or update an active local user with a password hash.
+   * Not used for invite-based onboarding (see {@link inviteUser} / {@link acceptInvite}).
+   */
+  async upsertBootstrapLocalUser(email: string, password: string): Promise<UpsertLocalBootstrapUserResultDto> {
+    this.assertLocalAuth();
+    const prisma = this.requirePrisma();
+    const normalized = email.trim().toLowerCase();
+    if (!normalized || !normalized.includes("@")) {
+      throw new ApplicationRequestError(400, "Invalid email.");
+    }
+    if (password.length < 8) {
+      throw new ApplicationRequestError(400, "Password must be at least 8 characters.");
+    }
+    const passwordHash = await hash(password, 12);
+    const existing = await prisma.user.findUnique({ where: { email: normalized } });
+    if (existing) {
+      await prisma.user.update({
+        where: { email: normalized },
+        data: { passwordHash, accountStatus: "active" },
+      });
+      return { outcome: "updated" };
+    }
+    await prisma.user.create({
+      data: {
+        email: normalized,
+        passwordHash,
+        name: normalized.split("@")[0] ?? normalized,
+        accountStatus: "active",
+      },
+    });
+    return { outcome: "created" };
+  }
+
+  private buildInviteUrl(origin: string, rawToken: string): string {
+    const base = origin.replace(/\/$/, "");
+    return `${base}/invite/${encodeURIComponent(rawToken)}`;
+  }
+
+  private hashToken(raw: string): string {
+    return createHash("sha256").update(raw, "utf8").digest("hex");
+  }
+
+  private generateRawToken(): string {
+    return randomBytes(32).toString("base64url");
+  }
+
+  private assertLocalAuth(): void {
+    if (this.authConfig?.kind !== "local") {
+      throw new ApplicationRequestError(403, "User management requires local authentication.");
+    }
+  }
+
+  private requirePrisma(): PrismaClient {
+    if (!this.prisma) {
+      throw new ApplicationRequestError(503, "User management requires a database.");
+    }
+    return this.prisma;
+  }
+
+  private async getUserDto(userId: string): Promise<UserAccountDto> {
+    const prisma = this.requirePrisma();
+    const row = await prisma.user.findUniqueOrThrow({
+      where: { id: userId },
+      include: {
+        invites: {
+          where: { revokedAt: null },
+          orderBy: { createdAt: "desc" },
+          take: 1,
+        },
+        accounts: {
+          select: { provider: true, type: true },
+        },
+      },
+    });
+    return this.toDto(row);
+  }
+
+  private toDto(row: {
+    id: string;
+    email: string | null;
+    accountStatus: string;
+    passwordHash: string | null;
+    accounts: ReadonlyArray<{ provider: string; type: string }>;
+    invites: ReadonlyArray<{ expiresAt: Date }>;
+  }): UserAccountDto {
+    const now = new Date();
+    const open = row.invites[0];
+    const inviteExpiresAt = open && open.expiresAt > now ? open.expiresAt.toISOString() : null;
+    return {
+      id: row.id,
+      email: row.email ?? "",
+      status: row.accountStatus as UserAccountStatus,
+      inviteExpiresAt,
+      loginMethods: UserAccountService.buildLoginMethods(row),
+    };
+  }
+
+  private static buildLoginMethods(row: {
+    passwordHash: string | null;
+    accounts: ReadonlyArray<{ provider: string; type: string }>;
+  }): ReadonlyArray<string> {
+    const labels: string[] = [];
+    const seen = new Set<string>();
+    if (row.passwordHash && row.passwordHash.length > 0) {
+      labels.push("Password");
+      seen.add("Password");
+    }
+    for (const account of row.accounts) {
+      if (account.provider === "credentials") {
+        continue;
+      }
+      const label = labelForLinkedAuthAccount(account.provider, account.type);
+      if (!seen.has(label)) {
+        seen.add(label);
+        labels.push(label);
+      }
+    }
+    const password = labels.filter((l) => l === "Password");
+    const rest = labels.filter((l) => l !== "Password").sort((a, b) => a.localeCompare(b));
+    return [...password, ...rest];
+  }
+}

package/src/domain/users/userLoginMethodLabels.types.ts

@@ -0,0 +1,29 @@
+/**
+ * Human-readable labels for Auth.js Account.provider / type (users list, admin UI).
+ */
+const KNOWN_PROVIDER_LABELS: Readonly<Record<string, string>> = {
+  google: "Google",
+  github: "GitHub",
+  "microsoft-entra-id": "Microsoft Entra ID",
+  "azure-ad": "Microsoft Entra ID",
+  email: "Email link",
+};
+
+function titleCaseProviderId(provider: string): string {
+  return provider
+    .split(/[-_.]+/)
+    .filter(Boolean)
+    .map((w) => w.charAt(0).toUpperCase() + w.slice(1).toLowerCase())
+    .join(" ");
+}
+
+export function labelForLinkedAuthAccount(provider: string, accountType: string): string {
+  const known = KNOWN_PROVIDER_LABELS[provider];
+  if (known) {
+    return known;
+  }
+  if (accountType === "oidc") {
+    return `SSO (${titleCaseProviderId(provider)})`;
+  }
+  return titleCaseProviderId(provider);
+}

package/src/domain/workflows/WorkflowActivationPreflight.ts

@@ -0,0 +1,32 @@
+import { ApplicationRequestError } from "../../application/ApplicationRequestError";
+import { CoreTokens, inject, injectable, type WorkflowRepository } from "@codemation/core";
+import { CredentialBindingService } from "../credentials/CredentialServices";
+import { WorkflowActivationPreflightRules } from "./WorkflowActivationPreflightRules";
+
+@injectable()
+export class WorkflowActivationPreflight {
+  constructor(
+    @inject(CoreTokens.WorkflowRepository)
+    private readonly workflowRepository: WorkflowRepository,
+    @inject(CredentialBindingService)
+    private readonly credentialBindingService: CredentialBindingService,
+    @inject(WorkflowActivationPreflightRules)
+    private readonly rules: WorkflowActivationPreflightRules,
+  ) {}
+
+  async assertCanActivate(workflowId: string): Promise<void> {
+    const decodedId = decodeURIComponent(workflowId);
+    const workflow = this.workflowRepository.get(decodedId);
+    if (!workflow) {
+      throw new ApplicationRequestError(404, `Unknown workflowId: ${decodedId}`);
+    }
+    const health = await this.credentialBindingService.listWorkflowHealth(decodedId);
+    const errors = [
+      ...this.rules.collectNonManualTriggerErrors(workflow),
+      ...this.rules.collectRequiredCredentialErrors(health),
+    ];
+    if (errors.length > 0) {
+      throw new ApplicationRequestError(400, "Workflow cannot be activated.", errors);
+    }
+  }
+}