@devosurf/tesser-server 0.1.0-alpha.0

package/src/http/api.ts

@@ -0,0 +1,425 @@
+// Control-plane API (ADR-0007: the CLI is a thin shell over this). JSON in/out,
+// bearer-token auth, deterministic error shapes: { error: { code, message } }.
+
+import { Hono } from "hono";
+import type { Db } from "../db/db.js";
+import type { Broker } from "../broker/broker.js";
+import {
+  computeMissingRequirements,
+  connectLinkStatus,
+  getConnectLink,
+  mintConnectLink,
+} from "../broker/connect.js";
+import { createRun, deliverSignal, cancelRun } from "../engine/runs.js";
+import { enqueue } from "../queue/queue.js";
+import { mintToken, verifyToken } from "./tokens.js";
+import { runtimeStatus, type RuntimeStatusDeps } from "./status.js";
+import {
+  generateDeployKeyPair,
+  hashWebhookSetupToken,
+  mintWebhookSetupToken,
+  mintWebhookSigningSecret,
+} from "../gitsync/deploy-keys.js";
+
+export interface ApiEnv {
+  Variables: { workspaceId: string };
+}
+
+export interface ApiDeps extends RuntimeStatusDeps {
+  broker: Broker;
+  /** Filled by git-sync (task: reconciler); returns latest deploy state for a project. */
+  deployStatus?: (projectId: string, env: string) => Promise<unknown>;
+}
+
+const err = (code: string, message: string) => ({ error: { code, message } });
+
+type ProjectBootstrap = {
+  deployKeyPublic: string;
+  webhookSetupUrl: string;
+};
+
+async function ensureProjectBootstrap(deps: ApiDeps, workspaceId: string, projectId: string): Promise<ProjectBootstrap> {
+  const { rows } = await deps.db.query<{
+    deploy_key_public: string | null;
+    deploy_key_private_cipher: string | null;
+    push_webhook_secret_cipher: string | null;
+  }>(
+    `SELECT deploy_key_public, deploy_key_private_cipher, push_webhook_secret_cipher FROM projects WHERE id=$1 AND workspace_id=$2`,
+    [projectId, workspaceId],
+  );
+  const project = rows[0];
+  if (!project) throw new Error(`project ${projectId} not found`);
+
+  let deployKeyPublic = project.deploy_key_public;
+  let deployPrivateCipher = project.deploy_key_private_cipher;
+  if (!deployKeyPublic || !deployPrivateCipher) {
+    const key = generateDeployKeyPair();
+    deployKeyPublic = key.publicKey;
+    deployPrivateCipher = await deps.broker.encryptValue(workspaceId, key.privateKey, "deploykey");
+  }
+
+  let pushWebhookSecretCipher = project.push_webhook_secret_cipher;
+  if (!pushWebhookSecretCipher) {
+    pushWebhookSecretCipher = await deps.broker.encryptValue(workspaceId, mintWebhookSigningSecret(), "project.webhook.signing");
+  }
+
+  const setupToken = mintWebhookSetupToken();
+  await deps.db.query(
+    `UPDATE projects
+     SET deploy_key_public=$3,
+         deploy_key_private_cipher=$4,
+         push_webhook_secret_cipher=$5,
+         push_webhook_setup_token_hash=$6
+     WHERE id=$1 AND workspace_id=$2`,
+    [projectId, workspaceId, deployKeyPublic, deployPrivateCipher, pushWebhookSecretCipher, hashWebhookSetupToken(setupToken)],
+  );
+
+  return {
+    deployKeyPublic,
+    webhookSetupUrl: `${deps.baseUrl.replace(/\/$/, "")}/setup/git/${setupToken}`,
+  };
+}
+
+export function createApi(deps: ApiDeps): Hono<ApiEnv> {
+  const api = new Hono<ApiEnv>();
+
+  api.use("*", async (c, next) => {
+    const header = c.req.header("authorization") ?? "";
+    const token = header.startsWith("Bearer ") ? header.slice(7) : "";
+    const auth = token ? await verifyToken(deps.db, token) : null;
+    if (!auth) return c.json(err("unauthorized", "missing or invalid bearer token"), 401);
+    c.set("workspaceId", auth.workspaceId);
+    await next();
+    return;
+  });
+
+  api.get("/health", (c) => c.json({ ok: true }));
+  api.get("/status", async (c) => c.json(await runtimeStatus(deps, c.get("workspaceId"))));
+
+  // ---- projects ----
+
+  api.post("/projects", async (c) => {
+    const body = (await c.req.json().catch(() => ({}))) as { name?: string; repoUrl?: string; prodBranch?: string };
+    if (!body.name || !/^[a-z][a-z0-9-]{0,63}$/.test(body.name)) {
+      return c.json(err("invalid", "project name must be kebab-case"), 400);
+    }
+    const { rows } = await deps.db.query<{ id: string }>(
+      `INSERT INTO projects (workspace_id, name, repo_url, prod_branch)
+       VALUES ($1,$2,$3,$4)
+       ON CONFLICT (workspace_id, name) DO UPDATE SET repo_url = COALESCE(EXCLUDED.repo_url, projects.repo_url)
+       RETURNING id`,
+      [c.get("workspaceId"), body.name, body.repoUrl ?? null, body.prodBranch ?? "main"],
+    );
+    const projectId = rows[0]!.id;
+    await deps.db.query(
+      `INSERT INTO repo_state (project_id) VALUES ($1) ON CONFLICT (project_id) DO NOTHING`,
+      [projectId],
+    );
+    const bootstrap = await ensureProjectBootstrap(deps, c.get("workspaceId"), projectId);
+    return c.json({ id: projectId, name: body.name, ...bootstrap });
+  });
+
+  api.get("/projects", async (c) => {
+    const { rows } = await deps.db.query(
+      `SELECT p.id, p.name, p.repo_url, p.prod_branch, r.last_sha, r.status AS sync_status, r.last_synced_at
+       FROM projects p LEFT JOIN repo_state r ON r.project_id = p.id
+       WHERE p.workspace_id = $1 ORDER BY p.name`,
+      [c.get("workspaceId")],
+    );
+    return c.json({ projects: rows });
+  });
+
+  const findProject = async (workspaceId: string, name: string) => {
+    const { rows } = await deps.db.query<{ id: string; name: string; repo_url: string | null; prod_branch: string }>(
+      `SELECT id, name, repo_url, prod_branch FROM projects WHERE workspace_id=$1 AND name=$2`,
+      [workspaceId, name],
+    );
+    return rows[0] ?? null;
+  };
+
+  api.post("/projects/:name/sync", async (c) => {
+    const project = await findProject(c.get("workspaceId"), c.req.param("name"));
+    if (!project) return c.json(err("not-found", "no such project"), 404);
+    const body = (await c.req.json().catch(() => ({}))) as { ref?: string; localPath?: string };
+    await deps.db.tx((t) =>
+      enqueue(t, {
+        kind: "reconcile",
+        payload: {
+          projectId: project.id,
+          ...(body.ref !== undefined ? { ref: body.ref } : {}),
+          ...(body.localPath !== undefined ? { localPath: body.localPath } : {}),
+        },
+        dedupeKey: `reconcile:${project.id}:${body.ref ?? "default"}`,
+        maxAttempts: 1,
+      }),
+    );
+    return c.json({ queued: true });
+  });
+
+  api.get("/projects/:name/deploys/latest", async (c) => {
+    const project = await findProject(c.get("workspaceId"), c.req.param("name"));
+    if (!project) return c.json(err("not-found", "no such project"), 404);
+    const env = c.req.query("env") ?? "production";
+    if (deps.deployStatus) {
+      return c.json((await deps.deployStatus(project.id, env)) as Record<string, unknown>);
+    }
+    const { rows } = await deps.db.query(
+      `SELECT status, error, last_sha, last_synced_at FROM repo_state WHERE project_id=$1`,
+      [project.id],
+    );
+    return c.json({ repo: rows[0] ?? null });
+  });
+
+  api.get("/projects/:name/automations", async (c) => {
+    const project = await findProject(c.get("workspaceId"), c.req.param("name"));
+    if (!project) return c.json(err("not-found", "no such project"), 404);
+    const { rows } = await deps.db.query(
+      `SELECT a.automation_id, a.env, v.version, v.git_sha, v.status, v.created_at, v.manifest
+       FROM aliases a JOIN automation_versions v ON v.id = a.version_id
+       WHERE a.project_id = $1 ORDER BY a.automation_id, a.env`,
+      [project.id],
+    );
+    return c.json({ automations: rows });
+  });
+
+  api.post("/projects/:name/rollback", async (c) => {
+    const project = await findProject(c.get("workspaceId"), c.req.param("name"));
+    if (!project) return c.json(err("not-found", "no such project"), 404);
+    const body = (await c.req.json().catch(() => ({}))) as { automation?: string; toVersion?: number; env?: string };
+    if (!body.automation || typeof body.toVersion !== "number") {
+      return c.json(err("invalid", "need { automation, toVersion }"), 400);
+    }
+    const env = body.env ?? "production";
+    const { rows } = await deps.db.query<{ id: string }>(
+      `SELECT id FROM automation_versions WHERE project_id=$1 AND automation_id=$2 AND version=$3`,
+      [project.id, body.automation, body.toVersion],
+    );
+    if (!rows[0]) return c.json(err("not-found", "no such version"), 404);
+    const { rowCount } = await deps.db.query(
+      `UPDATE aliases SET version_id=$4, updated_at=now()
+       WHERE project_id=$1 AND automation_id=$2 AND env=$3`,
+      [project.id, body.automation, env, rows[0].id],
+    );
+    if (rowCount === 0) return c.json(err("not-found", "automation has no live alias in this env"), 404);
+    return c.json({ rolledBack: true, automation: body.automation, env, toVersion: body.toVersion });
+  });
+
+  // ---- runs ----
+
+  api.post("/runs", async (c) => {
+    const body = (await c.req.json().catch(() => ({}))) as {
+      project?: string;
+      automation?: string;
+      input?: unknown;
+      env?: string;
+    };
+    if (!body.project || !body.automation) return c.json(err("invalid", "need { project, automation }"), 400);
+    const project = await findProject(c.get("workspaceId"), body.project);
+    if (!project) return c.json(err("not-found", "no such project"), 404);
+    const env = body.env ?? "production";
+    const { rows } = await deps.db.query<{ version_id: string }>(
+      `SELECT version_id FROM aliases WHERE project_id=$1 AND automation_id=$2 AND env=$3`,
+      [project.id, body.automation, env],
+    );
+    if (!rows[0]) return c.json(err("not-found", `automation "${body.automation}" has no live version in ${env}`), 404);
+    const runId = await createRun(deps.db, {
+      projectId: project.id,
+      automationId: body.automation,
+      versionId: rows[0].version_id,
+      env,
+      trigger: { kind: "manual" },
+      ...(body.input !== undefined ? { input: body.input } : {}),
+    });
+    return c.json({ runId }, 202);
+  });
+
+  api.get("/runs", async (c) => {
+    const limit = Math.min(Number(c.req.query("limit") ?? 50), 200);
+    const params: unknown[] = [c.get("workspaceId")];
+    let filter = "";
+    if (c.req.query("project")) {
+      params.push(c.req.query("project"));
+      filter += ` AND p.name = $${params.length}`;
+    }
+    if (c.req.query("automation")) {
+      params.push(c.req.query("automation"));
+      filter += ` AND r.automation_id = $${params.length}`;
+    }
+    if (c.req.query("status")) {
+      params.push(c.req.query("status"));
+      filter += ` AND r.status = $${params.length}`;
+    }
+    params.push(limit);
+    const { rows } = await deps.db.query(
+      `SELECT r.id, p.name AS project, r.automation_id, r.env, r.status, r.attempt,
+              r.trigger->>'kind' AS trigger_kind, r.created_at, r.started_at, r.finished_at
+       FROM runs r JOIN projects p ON p.id = r.project_id
+       WHERE p.workspace_id = $1 ${filter}
+       ORDER BY r.created_at DESC LIMIT $${params.length}`,
+      params,
+    );
+    return c.json({ runs: rows });
+  });
+
+  api.get("/runs/:id", async (c) => {
+    const { rows } = await deps.db.query(
+      `SELECT r.*, p.name AS project FROM runs r JOIN projects p ON p.id = r.project_id
+       WHERE r.id = $1 AND p.workspace_id = $2`,
+      [c.req.param("id"), c.get("workspaceId")],
+    );
+    if (!rows[0]) return c.json(err("not-found", "no such run"), 404);
+    const steps = await deps.db.query(
+      `SELECT name, occurrence, status, attempts, result, error, undone, started_at, finished_at
+       FROM run_steps WHERE run_id = $1 ORDER BY started_at, occurrence`,
+      [c.req.param("id")],
+    );
+    const logs = await deps.db.query(
+      `SELECT step, level, msg, meta, created_at FROM run_logs WHERE run_id = $1 ORDER BY id LIMIT 500`,
+      [c.req.param("id")],
+    );
+    return c.json({ run: rows[0], steps: steps.rows, logs: logs.rows });
+  });
+
+  api.get("/runs/:id/replay", async (c) => {
+    const { rows } = await deps.db.query(
+      `SELECT r.id, r.automation_id, r.env, r.trigger, r.input, r.output, r.status, r.error
+       FROM runs r JOIN projects p ON p.id = r.project_id
+       WHERE r.id = $1 AND p.workspace_id = $2`,
+      [c.req.param("id"), c.get("workspaceId")],
+    );
+    if (!rows[0]) return c.json(err("not-found", "no such run"), 404);
+    const steps = await deps.db.query(
+      `SELECT name, occurrence, status, attempts, result, error FROM run_steps WHERE run_id=$1 ORDER BY started_at, occurrence`,
+      [c.req.param("id")],
+    );
+    return c.json({ replay: { ...rows[0], journal: steps.rows } });
+  });
+
+  api.post("/runs/:id/signals/:name", async (c) => {
+    const body = (await c.req.json().catch(() => ({}))) as { payload?: unknown };
+    const ok = await deliverSignal(deps.db, {
+      runId: c.req.param("id"),
+      name: c.req.param("name"),
+      payload: body.payload,
+    });
+    if (!ok) return c.json(err("not-found", "no such run"), 404);
+    return c.json({ delivered: true });
+  });
+
+  api.post("/runs/:id/cancel", async (c) => {
+    const ok = await cancelRun(deps.db, c.req.param("id"), "cancelled via API");
+    return c.json({ cancelled: ok });
+  });
+
+  // ---- connections & secrets (agent lane: names/status only — never values) ----
+
+  api.get("/connections", async (c) => {
+    return c.json({ connections: await deps.broker.listConnections(c.get("workspaceId")) });
+  });
+
+  api.get("/secrets", async (c) => {
+    return c.json({ secrets: await deps.broker.listSecretNames(c.get("workspaceId")) });
+  });
+
+  // The piped human/CI lane (`tesser secrets set NAME --value-stdin`): value travels
+  // request-body → TLS → encrypted store; it is never echoed back.
+  api.put("/secrets/:name", async (c) => {
+    const name = c.req.param("name");
+    if (!/^[a-zA-Z][a-zA-Z0-9_-]{0,127}$/.test(name)) return c.json(err("invalid", "bad secret name"), 400);
+    const body = (await c.req.json().catch(() => ({}))) as { value?: string };
+    if (typeof body.value !== "string" || body.value.length === 0) {
+      return c.json(err("invalid", "need { value }"), 400);
+    }
+    await deps.broker.setSecret(c.get("workspaceId"), name, body.value);
+    return c.json({ set: name });
+  });
+
+  api.delete("/secrets/:name", async (c) => {
+    const ok = await deps.broker.deleteSecret(c.get("workspaceId"), c.req.param("name"));
+    return c.json({ deleted: ok });
+  });
+
+  // ---- connect links ----
+
+  api.post("/connect-links", async (c) => {
+    const body = (await c.req.json().catch(() => ({}))) as {
+      project?: string;
+      env?: string;
+    };
+    let projectId: string | undefined;
+    let requirements: import("../broker/connect.js").Requirement[] = [];
+    if (body.project) {
+      const project = await findProject(c.get("workspaceId"), body.project);
+      if (!project) return c.json(err("not-found", "no such project"), 404);
+      projectId = project.id;
+      const env = body.env ?? "production";
+      const versions = await deps.db.query<{ manifest: { connections?: never; secrets?: never; id: string }; automation_id: string }>(
+        `SELECT v.manifest, a.automation_id FROM aliases a JOIN automation_versions v ON v.id=a.version_id
+         WHERE a.project_id=$1 AND a.env=$2`,
+        [project.id, env],
+      );
+      const staged = await deps.db.query<{ manifest: never; automation_id: string }>(
+        `SELECT DISTINCT ON (automation_id) manifest, automation_id FROM automation_versions
+         WHERE project_id=$1 AND status='staged' ORDER BY automation_id, version DESC`,
+        [project.id],
+      );
+      const sources = [...versions.rows, ...staged.rows].map((r) => {
+        const m = r.manifest as { connections?: Record<string, { connector: string; scope: "workspace" | "per_user" }>; secrets?: Record<string, { describe?: string }> };
+        return { automationId: r.automation_id, connections: m.connections ?? {}, secrets: m.secrets ?? {} };
+      });
+      const connectorManifests = await collectConnectorManifests(deps.db, project.id);
+      requirements = await computeMissingRequirements({
+        db: deps.db,
+        broker: deps.broker,
+        workspaceId: c.get("workspaceId"),
+        projectId: project.id,
+        env,
+        automations: sources,
+        connectorManifests,
+      });
+    }
+    if (requirements.length === 0) return c.json({ url: null, requirements: [] });
+    const token = await mintConnectLink({
+      db: deps.db,
+      workspaceId: c.get("workspaceId"),
+      projectId,
+      requirements,
+    });
+    return c.json({ url: `${deps.baseUrl}/connect/${token}`, token, requirements });
+  });
+
+  api.get("/connect-links/:token/status", async (c) => {
+    const link = await getConnectLink(deps.db, c.req.param("token"));
+    if (!link || link.workspace_id !== c.get("workspaceId")) return c.json(err("not-found", "no such link"), 404);
+    const status = await connectLinkStatus(deps.db, deps.broker, link);
+    return c.json(status);
+  });
+
+  // ---- tokens ----
+
+  api.post("/tokens", async (c) => {
+    const body = (await c.req.json().catch(() => ({}))) as { name?: string };
+    const token = await mintToken(deps.db, c.get("workspaceId"), body.name ?? "cli");
+    return c.json({ token });
+  });
+
+  return api;
+}
+
+/** Connector manifests embedded in this project's built versions (per-project facts). */
+export async function collectConnectorManifests(
+  db: Db,
+  projectId: string,
+): Promise<Record<string, import("@devosurf/tesser-sdk/internal").ConnectorManifest>> {
+  const { rows } = await db.query<{ manifest: { connectors?: Record<string, never> } }>(
+    `SELECT manifest FROM automation_versions WHERE project_id=$1 ORDER BY created_at DESC LIMIT 50`,
+    [projectId],
+  );
+  const out: Record<string, never> = {};
+  for (const row of rows) {
+    for (const [id, m] of Object.entries(row.manifest?.connectors ?? {})) {
+      if (!(id in out)) out[id as never] = m;
+    }
+  }
+  return out;
+}

package/src/http/app.ts

@@ -0,0 +1,33 @@
+// Assemble the HTTP surface: /api (control plane), connect pages + OAuth callback,
+// trigger ingress, and a minimal index.
+
+import { Hono } from "hono";
+import { createApi, type ApiDeps } from "./api.js";
+import { createConnectRoutes, type ConnectDeps } from "./connect.js";
+import { createIngress, type IngressDeps } from "./ingress.js";
+import { readinessStatus, RUNTIME_VERSION, type RuntimeStatusDeps } from "./status.js";
+
+export interface HttpDeps extends ApiDeps, ConnectDeps, IngressDeps, RuntimeStatusDeps {}
+
+export function createApp(deps: HttpDeps): Hono {
+  const app = new Hono();
+  const version = deps.version ?? RUNTIME_VERSION;
+  app.get("/", (c) =>
+    c.json({
+      service: "tesser",
+      docs: "https://github.com/tesser — self-hosted automation instance",
+      api: "/api/health",
+      health: "/healthz",
+      readiness: "/readyz",
+    }),
+  );
+  app.get("/healthz", (c) => c.json({ ok: true, service: "tesser", version }));
+  app.get("/readyz", async (c) => {
+    const status = await readinessStatus(deps);
+    return c.json(status, status.ok ? 200 : 503);
+  });
+  app.route("/api", createApi(deps));
+  app.route("/", createConnectRoutes(deps));
+  app.route("/", createIngress(deps));
+  return app;
+}