npm - @desplega.ai/agent-swarm - Versions diffs - 1.83.1 → 1.83.2 - Mend

@desplega.ai/agent-swarm 1.83.1 → 1.83.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/openapi.json +139 -8
package/package.json +1 -1
package/src/artifact-sdk/server.ts +23 -1
package/src/be/budget-admission.ts +28 -4
package/src/be/budget-refusal-notify.ts +19 -3
package/src/be/db-queries/oauth.ts +43 -0
package/src/be/db.ts +35 -2
package/src/be/migrations/074_user_budget_scope.sql +85 -0
package/src/commands/resume-session.ts +118 -0
package/src/commands/runner.ts +137 -67
package/src/http/core.ts +4 -1
package/src/http/index.ts +16 -0
package/src/http/integrations.ts +26 -0
package/src/http/mcp-user.ts +111 -0
package/src/http/poll.ts +19 -5
package/src/http/schedules.ts +1 -1
package/src/http/users.ts +107 -2
package/src/jira/client.ts +3 -5
package/src/jira/oauth.ts +1 -0
package/src/jira/sync.ts +2 -2
package/src/oauth/ensure-token.ts +1 -0
package/src/oauth/wrapper.ts +38 -7
package/src/providers/claude-adapter.ts +7 -2
package/src/providers/claude-managed-adapter.ts +1 -1
package/src/providers/codex-adapter.ts +30 -0
package/src/providers/opencode-adapter.ts +149 -14
package/src/providers/pi-mono-adapter.ts +41 -1
package/src/providers/types.ts +1 -1
package/src/server-user.ts +117 -0
package/src/tests/artifact-sdk.test.ts +23 -19
package/src/tests/budget-user-scope.test.ts +376 -0
package/src/tests/claude-managed-adapter.test.ts +6 -0
package/src/tests/codex-adapter.test.ts +192 -0
package/src/tests/codex-rate-limit-parse.test.ts +256 -0
package/src/tests/db-queries-oauth.test.ts +43 -0
package/src/tests/ensure-token.test.ts +93 -0
package/src/tests/error-tracker.test.ts +52 -0
package/src/tests/fetch-resolved-env.test.ts +33 -20
package/src/tests/http-users.test.ts +29 -1
package/src/tests/mcp-user-route.test.ts +325 -0
package/src/tests/opencode-adapter.test.ts +75 -0
package/src/tests/pi-mono-adapter.test.ts +21 -1
package/src/tests/rate-limit-event.test.ts +69 -6
package/src/tests/resume-session.test.ts +93 -0
package/src/tests/task-tools-ctx.test.ts +100 -0
package/src/tests/task-tools-ownership.test.ts +167 -0
package/src/tests/user-token-routes.test.ts +221 -0
package/src/tools/cancel-task.ts +137 -83
package/src/tools/get-task-details.ts +73 -59
package/src/tools/get-tasks.ts +134 -126
package/src/tools/send-task.ts +312 -312
package/src/tools/task-action.ts +464 -367
package/src/tools/task-tool-ctx.ts +43 -0
package/src/types.ts +6 -2
package/src/utils/error-tracker.ts +122 -9

package/src/tests/task-tools-ctx.test.ts ADDED Viewed

@@ -0,0 +1,100 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import { closeDb, createTaskExtended, createUser, getTaskById, initDb } from "../be/db";
+import { getTasksHandler } from "../tools/get-tasks";
+import { sendTaskHandler } from "../tools/send-task";
+import { assertOwnsTask, ownerCtx, userCtx } from "../tools/task-tool-ctx";
+const TEST_DB_PATH = "./test-task-tools-ctx.sqlite";
+beforeAll(async () => {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(`${TEST_DB_PATH}${suffix}`);
+    } catch {}
+  }
+  initDb(TEST_DB_PATH);
+});
+afterAll(async () => {
+  closeDb();
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(`${TEST_DB_PATH}${suffix}`);
+    } catch {}
+  }
+});
+describe("task tool ctx", () => {
+  test("sendTaskHandler with user ctx writes requestedByUserId", async () => {
+    const user = createUser({ name: "MCP User" });
+    const result = await sendTaskHandler(userCtx(user), {
+      task: "user requested task",
+      offerMode: false,
+      allowDuplicate: false,
+    });
+    const structured = result.structuredContent as {
+      success: boolean;
+      task: { id: string; requestedByUserId?: string };
+    };
+    expect(structured.success).toBe(true);
+    expect(structured.task.requestedByUserId).toBe(user.id);
+    const stored = getTaskById(structured.task.id);
+    expect(stored?.creatorAgentId).toBeUndefined();
+    expect(stored?.requestedByUserId).toBe(user.id);
+  });
+  test("getTasksHandler with user ctx only returns that user's tasks", async () => {
+    const userA = createUser({ name: "List User A" });
+    const userB = createUser({ name: "List User B" });
+    const a1 = createTaskExtended("owned task one", { requestedByUserId: userA.id });
+    const a2 = createTaskExtended("owned task two", { requestedByUserId: userA.id });
+    const b1 = createTaskExtended("foreign task", { requestedByUserId: userB.id });
+    createTaskExtended("owner-only task");
+    const result = await getTasksHandler(userCtx(userA), {
+      includeFull: true,
+      includeHeartbeat: true,
+      limit: 50,
+      mineOnly: true,
+      offeredToMe: true,
+    });
+    const structured = result.structuredContent as {
+      tasks: Array<{ id: string; task?: string }>;
+    };
+    const ids = structured.tasks.map((task) => task.id);
+    expect(ids).toContain(a1.id);
+    expect(ids).toContain(a2.id);
+    expect(ids).not.toContain(b1.id);
+    expect(structured.tasks.every((task) => task.task?.startsWith("owned task"))).toBe(true);
+  });
+  test("assertOwnsTask gates user tasks and allows owned or owner ctx", () => {
+    const owner = createUser({ name: "Task Owner" });
+    const foreignUser = createUser({ name: "Foreign User" });
+    const ownedTask = createTaskExtended("owned", { requestedByUserId: owner.id });
+    expect(assertOwnsTask(userCtx(owner), ownedTask)).toBeNull();
+    expect(
+      assertOwnsTask(
+        ownerCtx({
+          agentId: "00000000-0000-4000-8000-000000000001",
+          sourceTaskId: undefined,
+          sessionId: "session-1",
+        }),
+        ownedTask,
+      ),
+    ).toBeNull();
+    const forbidden = assertOwnsTask(userCtx(foreignUser), ownedTask);
+    expect(forbidden?.isError).toBe(true);
+    expect(forbidden?.content[0]?.type).toBe("text");
+    expect(forbidden?.content[0]?.text).toContain("this task is not yours");
+    expect((forbidden?.structuredContent as { code?: string })?.code).toBe("forbidden");
+  });
+});

package/src/tests/task-tools-ownership.test.ts ADDED Viewed

@@ -0,0 +1,167 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import {
+  closeDb,
+  createAgent,
+  createTaskExtended,
+  createUser,
+  getDb,
+  getTaskById,
+  initDb,
+} from "../be/db";
+import { cancelTaskHandler } from "../tools/cancel-task";
+import { getTaskDetailsHandler } from "../tools/get-task-details";
+import { taskActionHandler } from "../tools/task-action";
+import { ownerCtx, userCtx } from "../tools/task-tool-ctx";
+const TEST_DB_PATH = "./test-task-tools-ownership.sqlite";
+async function removeDbFiles(path: string): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(path + suffix);
+    } catch {}
+  }
+}
+beforeAll(async () => {
+  await removeDbFiles(TEST_DB_PATH);
+  initDb(TEST_DB_PATH);
+});
+afterAll(async () => {
+  closeDb();
+  await removeDbFiles(TEST_DB_PATH);
+});
+beforeEach(() => {
+  const db = getDb();
+  db.prepare("DELETE FROM agent_tasks").run();
+  db.prepare("DELETE FROM agents").run();
+  db.prepare("DELETE FROM users").run();
+});
+function expectForbidden(result: Awaited<ReturnType<typeof getTaskDetailsHandler>>): void {
+  expect(result.isError).toBe(true);
+  expect(result.content[0]?.type).toBe("text");
+  expect(result.content[0]?.text).toContain("this task is not yours");
+  expect((result.structuredContent as { code?: string })?.code).toBe("forbidden");
+}
+describe("ownership-gated task tools", () => {
+  test("getTaskDetailsHandler gates user ctx and leaves owner ctx visible", async () => {
+    const owner = createUser({ name: "Task Owner" });
+    const foreignUser = createUser({ name: "Foreign User" });
+    const task = createTaskExtended("owned details", { requestedByUserId: owner.id });
+    expectForbidden(await getTaskDetailsHandler(userCtx(foreignUser), { taskId: task.id }));
+    const userResult = await getTaskDetailsHandler(userCtx(owner), { taskId: task.id });
+    expect(
+      (userResult.structuredContent as { success: boolean; task?: { id: string } }).success,
+    ).toBe(true);
+    expect((userResult.structuredContent as { task?: { id: string } }).task?.id).toBe(task.id);
+    const ownerResult = await getTaskDetailsHandler(
+      ownerCtx({
+        agentId: "00000000-0000-4000-8000-000000000001",
+      }),
+      { taskId: task.id },
+    );
+    expect((ownerResult.structuredContent as { success: boolean }).success).toBe(true);
+  });
+  test("cancelTaskHandler gates user ctx and preserves owner lead permission", async () => {
+    const owner = createUser({ name: "Cancel Owner" });
+    const foreignUser = createUser({ name: "Cancel Foreign" });
+    const task = createTaskExtended("owned cancellation", { requestedByUserId: owner.id });
+    expectForbidden(
+      await cancelTaskHandler(userCtx(foreignUser), {
+        taskId: task.id,
+        reason: "foreign attempt",
+      }),
+    );
+    expect(getTaskById(task.id)?.status).toBe("unassigned");
+    const userResult = await cancelTaskHandler(userCtx(owner), {
+      taskId: task.id,
+      reason: "owned cancel",
+    });
+    expect(
+      (userResult.structuredContent as { success: boolean; task?: { status: string } }).success,
+    ).toBe(true);
+    expect((userResult.structuredContent as { task?: { status: string } }).task?.status).toBe(
+      "cancelled",
+    );
+    const lead = createAgent({ name: "lead", isLead: true, status: "idle", maxTasks: 1 });
+    const leadTask = createTaskExtended("lead cancellation");
+    const ownerResult = await cancelTaskHandler(ownerCtx({ agentId: lead.id }), {
+      taskId: leadTask.id,
+      reason: "lead cancel",
+    });
+    expect((ownerResult.structuredContent as { success: boolean }).success).toBe(true);
+  });
+  test("taskActionHandler gates user backlog moves and rejects agent-only actions", async () => {
+    const owner = createUser({ name: "Backlog Owner" });
+    const foreignUser = createUser({ name: "Backlog Foreign" });
+    const task = createTaskExtended("owned backlog move", { requestedByUserId: owner.id });
+    expectForbidden(
+      await taskActionHandler(userCtx(foreignUser), {
+        action: "to_backlog",
+        taskId: task.id,
+      }),
+    );
+    expect(getTaskById(task.id)?.status).toBe("unassigned");
+    const toBacklog = await taskActionHandler(userCtx(owner), {
+      action: "to_backlog",
+      taskId: task.id,
+    });
+    expect(
+      (toBacklog.structuredContent as { success: boolean; task?: { status: string } }).success,
+    ).toBe(true);
+    expect((toBacklog.structuredContent as { task?: { status: string } }).task?.status).toBe(
+      "backlog",
+    );
+    const fromBacklog = await taskActionHandler(userCtx(owner), {
+      action: "from_backlog",
+      taskId: task.id,
+    });
+    expect(
+      (fromBacklog.structuredContent as { success: boolean; task?: { status: string } }).success,
+    ).toBe(true);
+    expect((fromBacklog.structuredContent as { task?: { status: string } }).task?.status).toBe(
+      "unassigned",
+    );
+    const rejected = await taskActionHandler(userCtx(owner), {
+      action: "create",
+      task: "duplicate create path",
+    });
+    expect(rejected.isError).toBe(true);
+    expect(rejected.content[0]?.type).toBe("text");
+    expect(rejected.content[0]?.text).toContain("only available to worker agents");
+  });
+  test("taskActionHandler owner ctx preserves worker release behavior", async () => {
+    const worker = createAgent({ name: "worker", isLead: false, status: "idle", maxTasks: 1 });
+    const task = createTaskExtended("assigned task", { agentId: worker.id });
+    const result = await taskActionHandler(ownerCtx({ agentId: worker.id }), {
+      action: "release",
+      taskId: task.id,
+    });
+    expect(
+      (result.structuredContent as { success: boolean; task?: { status: string } }).success,
+    ).toBe(true);
+    expect((result.structuredContent as { task?: { status: string } }).task?.status).toBe(
+      "unassigned",
+    );
+  });
+});

package/src/tests/user-token-routes.test.ts ADDED Viewed

@@ -0,0 +1,221 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import { closeDb, createUser, getDb, initDb } from "../be/db";
+import { fingerprintApiKey } from "../be/users";
+import { handleCore } from "../http/core";
+import { handleUsers } from "../http/users";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+const TEST_DB_PATH = "./test-user-token-routes.sqlite";
+const API_KEY = "test-user-token-key";
+const ORIGINAL_API_KEY = process.env.AGENT_SWARM_API_KEY;
+async function removeDbFiles(path: string): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(path + suffix);
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code !== "ENOENT") throw error;
+    }
+  }
+}
+async function listen(server: Server): Promise<number> {
+  const port = 15174;
+  await new Promise<void>((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(port, "127.0.0.1", () => {
+      server.off("error", reject);
+      resolve();
+    });
+  });
+  const addr = server.address();
+  if (!addr || typeof addr === "string") throw new Error("no port");
+  return addr.port;
+}
+function createTestServer(apiKey: string): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+    const handled = await handleCore(req, res, myAgentId, apiKey);
+    if (handled) return;
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const ok = await handleUsers(req, res, pathSegments, queryParams);
+    if (!ok) {
+      res.writeHead(404);
+      res.end("Not Found");
+    }
+  });
+}
+let server: Server;
+let port: number;
+beforeAll(async () => {
+  await removeDbFiles(TEST_DB_PATH);
+  initDb(TEST_DB_PATH);
+  process.env.AGENT_SWARM_API_KEY = API_KEY;
+  server = createTestServer(API_KEY);
+  port = await listen(server);
+});
+afterAll(async () => {
+  await new Promise<void>((resolve) => server.close(() => resolve()));
+  closeDb();
+  await removeDbFiles(TEST_DB_PATH);
+  if (ORIGINAL_API_KEY === undefined) {
+    delete process.env.AGENT_SWARM_API_KEY;
+  } else {
+    process.env.AGENT_SWARM_API_KEY = ORIGINAL_API_KEY;
+  }
+});
+beforeEach(() => {
+  const db = getDb();
+  db.run("DELETE FROM user_identity_events");
+  db.run("DELETE FROM user_tokens");
+  db.run("DELETE FROM users");
+});
+function url(path: string): string {
+  return `http://127.0.0.1:${port}${path}`;
+}
+function authedFetch(path: string, init: RequestInit = {}): Promise<Response> {
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${API_KEY}`,
+    "Content-Type": "application/json",
+    ...((init.headers as Record<string, string>) ?? {}),
+  };
+  return fetch(url(path), { ...init, headers });
+}
+type TokenSummary = {
+  id: string;
+  userId: string;
+  label: string | null;
+  tokenPreview: string;
+  createdAt: string;
+  lastUsedAt: string | null;
+  revokedAt: string | null;
+};
+describe("operator MCP token routes", () => {
+  test("POST mints an aswt_ plaintext once and persists only hash + preview", async () => {
+    const user = createUser({ name: "Token User", email: "token@example.com" });
+    const response = await authedFetch(`/api/users/${user.id}/mcp-tokens`, {
+      method: "POST",
+      body: JSON.stringify({ label: "laptop" }),
+    });
+    expect(response.status).toBe(200);
+    const body = (await response.json()) as {
+      plaintext: string;
+      token: TokenSummary;
+      user: { id: string; tokens: TokenSummary[]; recentEvents: Array<{ eventType: string }> };
+    };
+    expect(body.plaintext.startsWith("aswt_")).toBe(true);
+    expect(body.token.label).toBe("laptop");
+    expect(body.token.tokenPreview).toBe(body.plaintext.slice(-4));
+    expect(body.token.userId).toBe(user.id);
+    expect(body.user.tokens).toContainEqual(body.token);
+    expect(body.user.recentEvents.map((event) => event.eventType)).toContain("token_minted");
+    const stored = getDb()
+      .prepare<{ tokenHash: string; tokenPreview: string }, string>(
+        "SELECT tokenHash, tokenPreview FROM user_tokens WHERE id = ?",
+      )
+      .get(body.token.id);
+    expect(stored).toBeTruthy();
+    expect(stored!.tokenHash).not.toBe(body.plaintext);
+    expect(stored!.tokenHash).toHaveLength(64);
+    expect(stored!.tokenPreview).toBe(body.plaintext.slice(-4));
+    const reread = await authedFetch(`/api/users/${user.id}`);
+    const rereadBody = (await reread.json()) as {
+      user: { tokens: TokenSummary[]; recentEvents: Array<{ eventType: string }> };
+    };
+    expect(JSON.stringify(rereadBody)).not.toContain(body.plaintext);
+    expect(rereadBody.user.tokens[0]!.tokenPreview).toBe(body.plaintext.slice(-4));
+  });
+  test("DELETE revokes a token and records token_revoked", async () => {
+    const user = createUser({ name: "Revoked User" });
+    const mintResponse = await authedFetch(`/api/users/${user.id}/mcp-tokens`, {
+      method: "POST",
+      body: JSON.stringify({ label: null }),
+    });
+    const minted = (await mintResponse.json()) as { token: TokenSummary };
+    const revokeResponse = await authedFetch(
+      `/api/users/${user.id}/mcp-tokens/${minted.token.id}`,
+      { method: "DELETE" },
+    );
+    expect(revokeResponse.status).toBe(200);
+    const body = (await revokeResponse.json()) as {
+      user: { tokens: TokenSummary[]; recentEvents: Array<{ eventType: string }> };
+    };
+    expect(body.user.tokens[0]!.id).toBe(minted.token.id);
+    expect(body.user.tokens[0]!.revokedAt).toBeTruthy();
+    expect(body.user.recentEvents.map((event) => event.eventType)).toEqual(
+      expect.arrayContaining(["token_minted", "token_revoked"]),
+    );
+  });
+  test("POST and DELETE reject without the swarm key", async () => {
+    const user = createUser({ name: "Auth User" });
+    const post = await fetch(url(`/api/users/${user.id}/mcp-tokens`), {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ label: "missing-auth" }),
+    });
+    expect(post.status).toBe(401);
+    const deleteResponse = await fetch(url(`/api/users/${user.id}/mcp-tokens/unknown`), {
+      method: "DELETE",
+    });
+    expect(deleteResponse.status).toBe(401);
+  });
+  test("DELETE unknown token returns 404", async () => {
+    const user = createUser({ name: "Unknown Token User" });
+    const response = await authedFetch(`/api/users/${user.id}/mcp-tokens/not-a-token`, {
+      method: "DELETE",
+    });
+    expect(response.status).toBe(404);
+  });
+  test("POST unknown user returns 404", async () => {
+    const response = await authedFetch("/api/users/not-a-user/mcp-tokens", {
+      method: "POST",
+      body: JSON.stringify({ label: "nope" }),
+    });
+    expect(response.status).toBe(404);
+  });
+  test("operator events are tagged with the API-key fingerprint", async () => {
+    const user = createUser({ name: "Actor User" });
+    const response = await authedFetch(`/api/users/${user.id}/mcp-tokens`, {
+      method: "POST",
+      body: JSON.stringify({ label: "actor" }),
+    });
+    expect(response.status).toBe(200);
+    const row = getDb()
+      .prepare<{ actor: string }, string>(
+        "SELECT actor FROM user_identity_events WHERE userId = ? AND eventType = 'token_minted'",
+      )
+      .get(user.id);
+    expect(row?.actor).toBe(`operator:${fingerprintApiKey(API_KEY)}`);
+  });
+});