@desplega.ai/agent-swarm 1.80.2 → 1.81.0

package/src/gitlab/handlers.ts

@@ -8,12 +8,14 @@
  * - Detects bot mentions
  */
 
-import { failTask, findTaskByVcs, getAllAgents, resolveUser } from "../be/db";
+import { failTask, findTaskByVcs, getAllAgents, incrKv, upsertKv } from "../be/db";
+import { findOrCreateUserByEmail, findUserByExternalId, linkIdentity } from "../be/users";
 import { resolveTemplate } from "../prompts/resolver";
 import { gitlabContextKey } from "../tasks/context-key";
 import { createTaskWithSiblingAwareness } from "../tasks/sibling-awareness";
 import { GITLAB_BOT_NAME } from "./auth";
 import { addGitLabNoteReaction, addGitLabReaction } from "./reactions";
+import type { GitLabUser } from "./types";
 // Side-effect import: registers all GitLab event templates in the in-memory registry
 import "./templates";
 import type { IssueEvent, MergeRequestEvent, NoteEvent, PipelineEvent } from "./types";
@@ -53,6 +55,62 @@ function findLeadAgent() {
   );
 }
 
+// ── Identity resolution ──
+
+const UNMAPPED_NAMESPACE = "integration:unmapped:gitlab";
+const UNMAPPED_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
+const GITLAB_WEBHOOK_ACTOR = { kind: "system", id: "webhook:gitlab" } as const;
+
+/**
+ * Resolve a GitLab webhook sender to a `users.id`.
+ *
+ * Cascade (Q17):
+ *   1. Fast path — `findUserByExternalId('gitlab', user.username)`.
+ *   2. If missing AND `user.email` is a real non-empty string (some GitLab
+ *      installations send `email: ""` instead of omitting the field — Q17.E
+ *      manual spot-check), run `findOrCreateUserByEmail` + `linkIdentity`.
+ *   3. Otherwise record an unmapped tracker entry (kv) for operator triage.
+ *
+ * Returns `undefined` when no mapping could be established — callers pass
+ * that straight to `requestedByUserId`.
+ */
+function resolveGitLabSender(
+  user: GitLabUser,
+  sampleEventType: string,
+  sampleContext: string,
+): string | undefined {
+  const existing = findUserByExternalId("gitlab", user.username);
+  if (existing) return existing.id;
+
+  // Inline-email cascade — only run when email is a real non-empty string.
+  // Some GitLab installations emit `email: ""` instead of omitting the field.
+  const inlineEmail = typeof user.email === "string" ? user.email.trim() : "";
+  if (inlineEmail !== "") {
+    const { user: linked } = findOrCreateUserByEmail(
+      inlineEmail,
+      { name: user.name },
+      GITLAB_WEBHOOK_ACTOR,
+    );
+    linkIdentity(linked.id, "gitlab", user.username, GITLAB_WEBHOOK_ACTOR);
+    return linked.id;
+  }
+
+  // No mapping + no inline email → unmapped tracker.
+  upsertKv({
+    namespace: UNMAPPED_NAMESPACE,
+    key: `${user.username}:meta`,
+    value: {
+      lastSeenAt: new Date().toISOString(),
+      sampleEventType,
+      sampleContext: sampleContext.slice(0, 100),
+    },
+    valueType: "json",
+    expiresAt: Date.now() + UNMAPPED_TTL_MS,
+  });
+  incrKv(UNMAPPED_NAMESPACE, `${user.username}:count`, 1);
+  return undefined;
+}
+
 // ── Event Handlers ──
 
 export async function handleMergeRequest(
@@ -63,7 +121,11 @@ export async function handleMergeRequest(
   const repo = project.path_with_namespace;
 
   // Resolve canonical user from GitLab sender
-  const requestedByUserId = resolveUser({ gitlabUsername: user.username })?.id;
+  const requestedByUserId = resolveGitLabSender(
+    user,
+    "merge_request",
+    `MR !${mr.iid}: ${mr.title}`,
+  );
 
   console.log(`[GitLab] MR #${mr.iid} ${action} by ${user.username} in ${repo}`);
 
@@ -163,7 +225,11 @@ export async function handleIssue(
   const repo = project.path_with_namespace;
 
   // Resolve canonical user from GitLab sender
-  const requestedByUserId = resolveUser({ gitlabUsername: user.username })?.id;
+  const requestedByUserId = resolveGitLabSender(
+    user,
+    "issue",
+    `Issue #${issue.iid}: ${issue.title}`,
+  );
 
   console.log(`[GitLab] Issue #${issue.iid} ${action} by ${user.username} in ${repo}`);
 
@@ -246,8 +312,10 @@ export async function handleNote(event: NoteEvent): Promise<{ created: boolean;
   const { user, project, object_attributes: note } = event;
   const repo = project.path_with_namespace;
 
-  // Resolve canonical user from GitLab sender
-  const _requestedByUserId = resolveUser({ gitlabUsername: user.username })?.id;
+  // Resolve canonical user from GitLab sender — currently dead-coded
+  // (underscore prefix). Rewired for parity with live sites; if a future
+  // change uses the value, the resolution path is already correct.
+  const _requestedByUserId = resolveGitLabSender(user, "note", note.note);
 
   // Only handle comments with bot mentions
   if (!detectMention(note.note)) {

package/src/http/operator-actor.ts

@@ -0,0 +1,59 @@
+/**
+ * Operator-auth middleware producing the `op:<sha256(rawKey)[:16]>` fingerprint
+ * (Q16) that is embedded as `actor` in `user_identity_events` rows.
+ *
+ * The bearer-key check already gates every `route({ auth: { apiKey: true } })`
+ * route via `src/http/core.ts::handleCore` — so by the time we reach the route
+ * handler we know the caller's `Authorization: Bearer <key>` matches the
+ * configured swarm key. This helper just re-reads that key, hashes it with
+ * `fingerprintApiKey`, and packages it as an `IdentityActor` for the identity
+ * mutation helpers in `src/be/users.ts`.
+ *
+ * MUST read the swarm key via `getApiKey()` from `src/utils/api-key.ts` —
+ * direct `process.env.{API_KEY,AGENT_SWARM_API_KEY}` reads are rejected by
+ * `scripts/check-api-key-boundary.sh` (CI).
+ */
+
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { fingerprintApiKey, type IdentityActor } from "../be/users";
+import { getApiKey } from "../utils/api-key";
+import { jsonError } from "./utils";
+
+/**
+ * Extract the raw bearer key from the request. Returns null if the header is
+ * missing or malformed.
+ */
+function extractBearer(req: IncomingMessage): string | null {
+  const raw = req.headers.authorization;
+  const header = Array.isArray(raw) ? raw[0] : raw;
+  if (!header || !header.startsWith("Bearer ")) return null;
+  return header.slice(7);
+}
+
+/**
+ * Resolve the calling operator's `IdentityActor`. Assumes `handleCore` already
+ * 401'd unauthenticated requests; on the off chance the header is missing here
+ * (e.g. a route mistakenly opted out of api-key gating), we respond with 401
+ * and return null so the caller can short-circuit.
+ *
+ * Returns null after writing a 401 response. The caller MUST stop processing
+ * the request when this returns null.
+ */
+export function getOperatorActor(req: IncomingMessage, res: ServerResponse): IdentityActor | null {
+  const rawKey = extractBearer(req);
+  const swarmKey = getApiKey();
+
+  // If no key is configured server-side, the public-route guard already
+  // skipped the bearer check. We still need *some* fingerprint for the audit
+  // event — fall back to a stable placeholder so callers see consistent shapes.
+  if (!swarmKey) {
+    return { kind: "operator", id: fingerprintApiKey("") };
+  }
+
+  if (!rawKey || rawKey !== swarmKey) {
+    jsonError(res, "Unauthorized", 401);
+    return null;
+  }
+
+  return { kind: "operator", id: fingerprintApiKey(rawKey) };
+}