@desplega.ai/agent-swarm 1.69.1 → 1.71.0

package/src/http/core.ts

@@ -11,12 +11,14 @@ import {
   updateAgentStatus,
 } from "../be/db";
 import { initGitHub, resetGitHub } from "../github";
+import { initJira, resetJira } from "../jira";
 import { initLinear, resetLinear } from "../linear";
 import { startSlackApp, stopSlackApp } from "../slack";
 import type { AgentStatus } from "../types";
 import { refreshSecretScrubberCache } from "../utils/secret-scrubber";
 import { generateOpenApiSpec, SCALAR_HTML } from "./openapi";
-import { agentWithCapacity, parseQueryParams } from "./utils";
+import { isPublicRoute } from "./route-def";
+import { agentWithCapacity, getPathSegments, parseQueryParams } from "./utils";
 
 /**
  * Load global swarm_config entries into process.env.
@@ -68,6 +70,9 @@ export async function reloadGlobalConfigsAndIntegrations(): Promise<ReloadConfig
   resetLinear();
   if (initLinear()) integrations.push("linear");
 
+  resetJira();
+  if (initJira()) integrations.push("jira");
+
   await stopSlackApp();
   await startSlackApp();
   integrations.push("slack");
@@ -121,31 +126,21 @@ export async function handleCore(
     return true;
   }
 
-  // API key authentication (if API_KEY is configured)
-  // Skip auth for webhooks (they have their own signature verification)
-  const isGitHubWebhook = req.url?.startsWith("/api/github/webhook");
-  const isGitLabWebhook = req.url?.startsWith("/api/gitlab/webhook");
-  const isAgentMailWebhook = req.url?.startsWith("/api/agentmail/webhook");
-  const isTrackerAuth =
-    req.url?.startsWith("/api/trackers/linear/authorize") ||
-    req.url?.startsWith("/api/trackers/linear/callback") ||
-    req.url?.startsWith("/api/trackers/linear/webhook");
-  const isWorkflowWebhook = req.url?.startsWith("/api/webhooks/");
-  if (
-    apiKey &&
-    !isGitHubWebhook &&
-    !isGitLabWebhook &&
-    !isAgentMailWebhook &&
-    !isTrackerAuth &&
-    !isWorkflowWebhook
-  ) {
-    const authHeader = req.headers.authorization;
-    const providedKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-
-    if (providedKey !== apiKey) {
-      res.writeHead(401, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Unauthorized" }));
-      return true;
+  // API-key authentication (if API_KEY is configured). Routes that opt out via
+  // `route({ auth: { apiKey: false } })` — webhooks, OAuth provider callbacks,
+  // etc. — are skipped based on the central `routeRegistry`. Unknown paths
+  // fall through to the bearer check (fail-closed).
+  if (apiKey) {
+    const pathSegments = getPathSegments(req.url || "");
+    if (!isPublicRoute(req.method, pathSegments)) {
+      const authHeader = req.headers.authorization;
+      const providedKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+      if (providedKey !== apiKey) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Unauthorized" }));
+        return true;
+      }
     }
   }
 

package/src/http/index.ts

@@ -12,6 +12,7 @@ import { closeDb, getSwarmConfigs, upsertSwarmConfig } from "../be/db";
 import { initGitHub } from "../github";
 import { initGitLab } from "../gitlab";
 import { stopHeartbeat } from "../heartbeat";
+import { initJira } from "../jira";
 import { initLinear } from "../linear";
 import { startSlackApp, stopSlackApp } from "../slack";
 import { initTelemetry, telemetry } from "../telemetry";
@@ -245,13 +246,17 @@ httpServer
       );
     }
 
-    // Initialize anonymized telemetry (opt-out via ANONYMIZED_TELEMETRY=false)
+    // Initialize anonymized telemetry (opt-out via ANONYMIZED_TELEMETRY=false).
+    // The api-server is the sole authority for the install identity — pass
+    // generateIfMissing so it mints a new install ID on first boot. Workers
+    // must NOT mint (see src/commands/runner.ts).
     await initTelemetry(
       "api-server",
       (key) => getSwarmConfigs({ scope: "global", key })?.[0]?.value,
       (key, value) => {
         upsertSwarmConfig({ scope: "global", key, value });
       },
+      { generateIfMissing: true },
     );
     telemetry.server("started", { port });
 
@@ -270,6 +275,9 @@ httpServer
     // Initialize Linear tracker integration (if configured)
     initLinear();
 
+    // Initialize Jira tracker integration (if configured)
+    initJira();
+
     // Initialize workflow engine (trigger subscriptions + resume listener)
     initWorkflows();
 

package/src/http/mcp-oauth.ts

@@ -158,6 +158,27 @@ const authorizeRoute = route({
   },
 });
 
+const authorizeUrlRoute = route({
+  method: "get",
+  path: "/api/mcp-oauth/{mcpServerId}/authorize-url",
+  pattern: ["api", "mcp-oauth", null, "authorize-url"],
+  summary:
+    "Build an OAuth authorize URL. Returns JSON so the browser can navigate without losing the Bearer auth header.",
+  tags: ["MCP OAuth"],
+  auth: { apiKey: true },
+  params: z.object({ mcpServerId: z.string() }),
+  query: z.object({
+    redirect: z.string().optional(),
+    userId: z.string().optional(),
+    scopes: z.string().optional(),
+  }),
+  responses: {
+    200: { description: "{ providerUrl: string }" },
+    400: { description: "MCP has no URL / does not require OAuth" },
+    404: { description: "MCP server not found" },
+  },
+});
+
 const callbackRoute = route({
   method: "get",
   path: "/api/mcp-oauth/callback",
@@ -236,6 +257,86 @@ const manualClientRoute = route({
   },
 });
 
+// ─── Shared authorize flow ───────────────────────────────────────────────────
+
+interface AuthorizeFlowQuery {
+  redirect?: string;
+  userId?: string;
+  scopes?: string;
+}
+
+/**
+ * Discover metadata, DCR-register (or fail), build the authorize URL, and
+ * persist the pending session. Returns the provider `providerUrl` the caller
+ * should redirect to / respond with. On failure, writes a JSON error response
+ * and returns null.
+ */
+async function prepareAuthorizeFlow(
+  res: ServerResponse,
+  mcpServerId: string,
+  server: NonNullable<ReturnType<typeof getMcpServerById>>,
+  q: AuthorizeFlowQuery,
+): Promise<string | null> {
+  const discovery = await discoverForMcp(server.url!);
+  if (!discovery) {
+    jsonError(res, "MCP server does not require OAuth", 400);
+    return null;
+  }
+
+  let clientId: string | null = null;
+  let clientSecret: string | null = null;
+  if (discovery.dcrSupported && discovery.registrationEndpoint) {
+    const dcr = await registerClient(discovery.registrationEndpoint, {
+      client_name: `agent-swarm (${server.name})`,
+      redirect_uris: [callbackRedirectUri()],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "client_secret_basic",
+      application_type: "web",
+      scope: (q.scopes ?? discovery.scopes.join(" ")) || undefined,
+    });
+    clientId = dcr.client_id;
+    clientSecret = dcr.client_secret ?? null;
+  } else {
+    jsonError(
+      res,
+      "DCR not supported — paste client_id/client_secret via POST /api/mcp-oauth/:id/manual-client first.",
+      400,
+    );
+    return null;
+  }
+
+  const scopes = q.scopes ? q.scopes.split(" ").filter(Boolean) : discovery.scopes;
+
+  const built = await buildAuthorizeUrl({
+    authorizeUrl: discovery.authorizeUrl,
+    tokenUrl: discovery.tokenUrl,
+    clientId: clientId!,
+    redirectUri: callbackRedirectUri(),
+    scopes,
+    resource: discovery.resourceUrl,
+  });
+
+  insertMcpOAuthPending({
+    state: built.state,
+    mcpServerId,
+    userId: q.userId ?? null,
+    codeVerifier: built.codeVerifier,
+    resourceUrl: discovery.resourceUrl,
+    authorizationServerIssuer: discovery.authorizationServerIssuer,
+    authorizeUrl: discovery.authorizeUrl,
+    tokenUrl: discovery.tokenUrl,
+    revocationUrl: discovery.revocationUrl,
+    scopes: scopes.join(" "),
+    dcrClientId: clientId!,
+    dcrClientSecret: clientSecret,
+    redirectUri: callbackRedirectUri(),
+    finalRedirect: q.redirect ?? null,
+  });
+
+  return built.url;
+}
+
 // ─── Handler ─────────────────────────────────────────────────────────────────
 
 export async function handleMcpOAuth(
@@ -398,69 +499,40 @@ export async function handleMcpOAuth(
     if (!server) return true;
 
     try {
-      const discovery = await discoverForMcp(server.url!);
-      if (!discovery) {
-        jsonError(res, "MCP server does not require OAuth", 400);
-        return true;
-      }
-
-      // Dynamic Client Registration if supported, otherwise expect the user to
-      // have already called /manual-client.
-      let clientId: string | null = null;
-      let clientSecret: string | null = null;
-      if (discovery.dcrSupported && discovery.registrationEndpoint) {
-        const dcr = await registerClient(discovery.registrationEndpoint, {
-          client_name: `agent-swarm (${server.name})`,
-          redirect_uris: [callbackRedirectUri()],
-          grant_types: ["authorization_code", "refresh_token"],
-          response_types: ["code"],
-          token_endpoint_auth_method: "client_secret_basic",
-          application_type: "web",
-          scope: (parsed.query.scopes ?? discovery.scopes.join(" ")) || undefined,
-        });
-        clientId = dcr.client_id;
-        clientSecret = dcr.client_secret ?? null;
-      } else {
-        jsonError(
-          res,
-          "DCR not supported — paste client_id/client_secret via POST /api/mcp-oauth/:id/manual-client first.",
-          400,
-        );
-        return true;
-      }
+      const providerUrl = await prepareAuthorizeFlow(
+        res,
+        parsed.params.mcpServerId,
+        server,
+        parsed.query,
+      );
+      if (!providerUrl) return true;
+      res.writeHead(302, { Location: providerUrl });
+      res.end();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      jsonError(res, `Authorize failed: ${message}`, 502);
+    }
+    return true;
+  }
 
-      const scopes = parsed.query.scopes
-        ? parsed.query.scopes.split(" ").filter(Boolean)
-        : discovery.scopes;
-
-      const built = await buildAuthorizeUrl({
-        authorizeUrl: discovery.authorizeUrl,
-        tokenUrl: discovery.tokenUrl,
-        clientId: clientId!,
-        redirectUri: callbackRedirectUri(),
-        scopes,
-        resource: discovery.resourceUrl,
-      });
+  // GET /api/mcp-oauth/:id/authorize-url — JSON variant of /authorize so the
+  // dashboard can fetch the provider URL with Bearer auth and then navigate.
+  if (authorizeUrlRoute.match(req.method, pathSegments)) {
+    const parsed = await authorizeUrlRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
 
-      insertMcpOAuthPending({
-        state: built.state,
-        mcpServerId: parsed.params.mcpServerId,
-        userId: parsed.query.userId ?? null,
-        codeVerifier: built.codeVerifier,
-        resourceUrl: discovery.resourceUrl,
-        authorizationServerIssuer: discovery.authorizationServerIssuer,
-        authorizeUrl: discovery.authorizeUrl,
-        tokenUrl: discovery.tokenUrl,
-        revocationUrl: discovery.revocationUrl,
-        scopes: scopes.join(" "),
-        dcrClientId: clientId!,
-        dcrClientSecret: clientSecret,
-        redirectUri: callbackRedirectUri(),
-        finalRedirect: parsed.query.redirect ?? null,
-      });
+    const server = getMcpOrError(res, parsed.params.mcpServerId);
+    if (!server) return true;
 
-      res.writeHead(302, { Location: built.url });
-      res.end();
+    try {
+      const providerUrl = await prepareAuthorizeFlow(
+        res,
+        parsed.params.mcpServerId,
+        server,
+        parsed.query,
+      );
+      if (!providerUrl) return true;
+      json(res, { providerUrl });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
       jsonError(res, `Authorize failed: ${message}`, 502);

package/src/http/mcp-servers.ts

@@ -243,7 +243,11 @@ export async function handleMcpServers(
             try {
               const token = await ensureMcpToken(server.id);
               if (token && token.status === "connected") {
-                const prefix = token.tokenType || "Bearer";
+                // Normalize the bearer scheme to capital "Bearer": some resource
+                // servers reject the lowercase "bearer" RFC 6749 returns (issue #368).
+                // Non-bearer schemes (e.g. "MAC") are preserved verbatim.
+                const rawType = token.tokenType || "Bearer";
+                const prefix = rawType.toLowerCase() === "bearer" ? "Bearer" : rawType;
                 resolvedHeaders.Authorization = `${prefix} ${token.accessToken}`;
               } else if (!token) {
                 authError = "No OAuth token for this MCP server";

package/src/http/route-def.ts

@@ -60,6 +60,25 @@ interface RouteHandle<TParams, TQuery, TBody> {
 /** Global registry — populated at import time, read by OpenAPI generator */
 export const routeRegistry: RouteDef[] = [];
 
+/**
+ * Check whether a request targets a route declared (via the `route()` factory)
+ * with `auth: { apiKey: false }` — i.e. one that opts out of the API-key
+ * bearer check. Handler files must use the `route()` factory for this to take
+ * effect; unknown paths fail closed (auth required).
+ */
+export function isPublicRoute(method: string | undefined, pathSegments: string[]): boolean {
+  for (const def of routeRegistry) {
+    if (def.auth?.apiKey === false) {
+      if (
+        matchRoute(method, pathSegments, def.method.toUpperCase(), def.pattern, def.exact ?? true)
+      ) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
 // ─── Factory ─────────────────────────────────────────────────────────────────
 
 export function route<

package/src/http/trackers/index.ts

@@ -1,4 +1,5 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
+import { handleJiraTracker } from "./jira";
 import { handleLinearTracker } from "./linear";
 
 export async function handleTrackers(
@@ -6,5 +7,17 @@ export async function handleTrackers(
   res: ServerResponse,
   pathSegments: string[],
 ): Promise<boolean> {
+  // Provider-specific dispatch based on the third path segment
+  // (e.g. "api", "trackers", "<provider>", ...).
+  if (pathSegments[0] === "api" && pathSegments[1] === "trackers") {
+    if (pathSegments[2] === "jira") {
+      return await handleJiraTracker(req, res, pathSegments);
+    }
+    if (pathSegments[2] === "linear") {
+      return await handleLinearTracker(req, res, pathSegments);
+    }
+  }
+  // Fallback: try Linear (preserves existing behavior for any path that
+  // somehow falls through without an explicit provider segment).
   return await handleLinearTracker(req, res, pathSegments);
 }