@devosurf/tesser-server 0.1.0-alpha.0

package/src/registry/loader.ts

@@ -0,0 +1,41 @@
+// Artifact loader: versionId → the automation def from its immutable bundle. Bundles are
+// content-addressed and immutable, so the cache never invalidates. Test seam included.
+
+import { pathToFileURL } from "node:url";
+import type { AutomationDef } from "@devosurf/tesser-sdk";
+import type { Db } from "../db/db.js";
+
+export class ArtifactLoader {
+  private cache = new Map<string, Promise<AutomationDef<any, any, any, any, any, any, any>>>();
+  private injected = new Map<string, AutomationDef<any, any, any, any, any, any, any>>();
+
+  constructor(private readonly db: Db) {}
+
+  /** Tests (and the reconciler, right after extraction) hand defs over directly. */
+  inject(versionId: string, def: AutomationDef<any, any, any, any, any, any, any>): void {
+    this.injected.set(versionId, def);
+  }
+
+  load = async (versionId: string): Promise<AutomationDef<any, any, any, any, any, any, any>> => {
+    const injected = this.injected.get(versionId);
+    if (injected) return injected;
+    let p = this.cache.get(versionId);
+    if (!p) {
+      p = (async () => {
+        const { rows } = await this.db.query<{ bundle_path: string }>(
+          `SELECT bundle_path FROM automation_versions WHERE id=$1`,
+          [versionId],
+        );
+        if (!rows[0]) throw new Error(`no automation version ${versionId}`);
+        const mod = (await import(pathToFileURL(rows[0].bundle_path).href)) as {
+          default?: AutomationDef<any, any, any, any, any, any, any>;
+        };
+        if (!mod.default) throw new Error(`bundle missing default export: ${rows[0].bundle_path}`);
+        return mod.default;
+      })();
+      this.cache.set(versionId, p);
+      p.catch(() => this.cache.delete(versionId));
+    }
+    return p;
+  };
+}

package/src/scheduler/cron.ts

@@ -0,0 +1,115 @@
+// Cron scheduler: schedules are synced from manifests on promote; a tick fires due ones
+// by creating runs (overlap policy is the automation's own `concurrency` — the engine
+// gates it). Cron parsing/tz via an internal dependency, never in the public surface.
+
+import { Cron } from "croner";
+import type { Db } from "../db/db.js";
+import { createRun } from "../engine/runs.js";
+
+export interface ScheduleSpec {
+  automationId: string;
+  cron: string;
+  tz?: string | undefined;
+}
+
+export function nextFire(cron: string, tz: string | undefined, after = new Date()): Date | null {
+  const c = new Cron(cron, { timezone: tz ?? "UTC" });
+  return c.nextRun(after);
+}
+
+/** Reconcile a project+env's schedules to exactly `specs` (called on promote). */
+export async function syncSchedules(
+  db: Db,
+  projectId: string,
+  env: string,
+  specs: ScheduleSpec[],
+): Promise<void> {
+  await db.tx(async (c) => {
+    const ids = specs.map((s) => s.automationId);
+    if (ids.length === 0) {
+      await c.query(`DELETE FROM schedules WHERE project_id=$1 AND env=$2`, [projectId, env]);
+      return;
+    }
+    await c.query(
+      `DELETE FROM schedules WHERE project_id=$1 AND env=$2 AND NOT (automation_id = ANY($3))`,
+      [projectId, env, ids],
+    );
+    for (const spec of specs) {
+      const fire = nextFire(spec.cron, spec.tz);
+      await c.query(
+        `INSERT INTO schedules (project_id, automation_id, env, cron, tz, enabled, next_fire)
+         VALUES ($1,$2,$3,$4,$5,true,$6)
+         ON CONFLICT (project_id, automation_id, env) DO UPDATE
+           SET cron = EXCLUDED.cron,
+               tz = EXCLUDED.tz,
+               enabled = true,
+               -- recompute only when the cron/tz changed; otherwise keep the watermark
+               next_fire = CASE
+                 WHEN schedules.cron <> EXCLUDED.cron OR schedules.tz IS DISTINCT FROM EXCLUDED.tz
+                 THEN EXCLUDED.next_fire
+                 ELSE schedules.next_fire
+               END`,
+        [projectId, spec.automationId, env, spec.cron, spec.tz ?? null, fire?.toISOString() ?? null],
+      );
+    }
+  });
+}
+
+/** Fire everything due. Returns created run ids. Safe under concurrent tickers
+ *  (FOR UPDATE SKIP LOCKED on the schedule rows). */
+export async function schedulerTick(db: Db, now = new Date()): Promise<string[]> {
+  const created: string[] = [];
+  // Claim due schedules one at a time — each fire commits independently.
+  for (;;) {
+    const fired = await db.tx(async (c) => {
+      const { rows } = await c.query<{
+        project_id: string;
+        automation_id: string;
+        env: string;
+        cron: string;
+        tz: string | null;
+        next_fire: string;
+      }>(
+        `SELECT project_id, automation_id, env, cron, tz, next_fire FROM schedules
+         WHERE enabled AND next_fire IS NOT NULL AND next_fire <= $1
+         FOR UPDATE SKIP LOCKED LIMIT 1`,
+        [now.toISOString()],
+      );
+      const due = rows[0];
+      if (!due) return null;
+
+      const next = nextFire(due.cron, due.tz ?? undefined, now);
+      await c.query(
+        `UPDATE schedules SET next_fire=$4 WHERE project_id=$1 AND automation_id=$2 AND env=$3`,
+        [due.project_id, due.automation_id, due.env, next?.toISOString() ?? null],
+      );
+
+      const alias = await c.query<{ version_id: string }>(
+        `SELECT version_id FROM aliases WHERE project_id=$1 AND automation_id=$2 AND env=$3`,
+        [due.project_id, due.automation_id, due.env],
+      );
+      const versionId = alias.rows[0]?.version_id;
+      if (!versionId) return "no-alias";
+
+      const runId = await createRun(c, {
+        projectId: due.project_id,
+        automationId: due.automation_id,
+        versionId,
+        env: due.env,
+        trigger: { kind: "schedule", cron: due.cron, scheduledFor: due.next_fire },
+      });
+      return runId;
+    });
+    if (fired === null) break;
+    if (typeof fired === "string" && fired !== "no-alias") created.push(fired);
+  }
+  return created;
+}
+
+export function startScheduler(db: Db, opts: { intervalMs?: number; onError?: (e: unknown) => void } = {}): () => void {
+  const interval = setInterval(() => {
+    schedulerTick(db).catch((e) => opts.onError?.(e));
+  }, opts.intervalMs ?? 5_000);
+  interval.unref?.();
+  return () => clearInterval(interval);
+}

package/src/scheduler/reaper.ts

@@ -0,0 +1,105 @@
+// Dead-work reaper: repairs queue/run states that cannot make progress, while leaving
+// intentionally suspended runs alone (Signal waits, wake times, durable waits).
+
+import type { Db } from "../db/db.js";
+
+export interface DeadWorkRecoveryOpts {
+  now?: Date | undefined;
+  /** How old a queued/running run must be before missing run jobs are repaired. */
+  leaseGraceMs?: number | undefined;
+}
+
+export interface DeadWorkRecoveryReport {
+  deadRunJobsFailed: number;
+  orphanedRunsReenqueued: number;
+}
+
+const DEFAULT_LEASE_GRACE_MS = 2 * 60 * 1000;
+const DEFAULT_REAPER_INTERVAL_MS = 30_000;
+
+export async function recoverDeadWork(db: Db, opts: DeadWorkRecoveryOpts = {}): Promise<DeadWorkRecoveryReport> {
+  const now = opts.now ?? new Date();
+  const staleBefore = new Date(now.getTime() - (opts.leaseGraceMs ?? DEFAULT_LEASE_GRACE_MS));
+
+  const failed = await db.query(
+    `WITH dead_run_jobs AS (
+       SELECT q.id, q.kind, q.payload->>'runId' AS run_id, q.last_error
+       FROM queue_jobs q
+       JOIN runs r ON r.id::text = q.payload->>'runId'
+       WHERE q.kind = 'run'
+         AND q.status = 'dead'
+         AND r.status IN ('queued','running')
+     )
+     UPDATE runs r
+     SET status = 'failed',
+         error = jsonb_build_object(
+           'name', 'DeadRunJob',
+           'code', 'dead_run_job',
+           'message', 'run job attempts exhausted',
+           'jobId', dead_run_jobs.id::text,
+           'jobKind', dead_run_jobs.kind,
+           'lastError', dead_run_jobs.last_error
+         ),
+         finished_at = $1
+     FROM dead_run_jobs
+     WHERE r.id::text = dead_run_jobs.run_id`,
+    [now.toISOString()],
+  );
+
+  const reenqueue = await db.query<{ count: string }>(
+    `WITH stale_runs AS (
+       SELECT r.id
+       FROM runs r
+       WHERE r.status IN ('queued','running')
+         AND COALESCE(r.started_at, r.created_at) <= $1
+         AND NOT EXISTS (
+           SELECT 1 FROM queue_jobs q
+           WHERE q.kind = 'run'
+             AND q.payload->>'runId' = r.id::text
+             AND q.status = 'ready'
+         )
+         AND NOT EXISTS (
+           SELECT 1 FROM queue_jobs q
+           WHERE q.kind = 'run'
+             AND q.payload->>'runId' = r.id::text
+             AND q.status = 'dead'
+         )
+     ), inserted AS (
+       INSERT INTO queue_jobs (kind, payload, dedupe_key, run_at)
+       SELECT 'run', jsonb_build_object('runId', id::text), 'run:' || id::text, $2
+       FROM stale_runs
+       ON CONFLICT (dedupe_key) WHERE dedupe_key IS NOT NULL DO UPDATE
+         SET run_at = LEAST(queue_jobs.run_at, EXCLUDED.run_at),
+             status = 'ready',
+             payload = EXCLUDED.payload
+       RETURNING 1
+     )
+     SELECT count(*)::text AS count FROM inserted`,
+    [staleBefore.toISOString(), now.toISOString()],
+  );
+
+  return {
+    deadRunJobsFailed: failed.rowCount,
+    orphanedRunsReenqueued: Number(reenqueue.rows[0]?.count ?? 0),
+  };
+}
+
+export function startReaper(
+  db: Db,
+  opts: { intervalMs?: number | undefined; leaseGraceMs?: number | undefined; onError?: (e: unknown) => void } = {},
+): () => void {
+  let inFlight = false;
+  const tick = () => {
+    if (inFlight) return;
+    inFlight = true;
+    void recoverDeadWork(db, { leaseGraceMs: opts.leaseGraceMs })
+      .catch((e) => opts.onError?.(e))
+      .finally(() => {
+        inFlight = false;
+      });
+  };
+  const interval = setInterval(tick, opts.intervalMs ?? DEFAULT_REAPER_INTERVAL_MS);
+  interval.unref?.();
+  tick();
+  return () => clearInterval(interval);
+}

package/src/server.ts

@@ -0,0 +1,162 @@
+// Instance composition: one process hosts api + worker + scheduler + reconciler by
+// default (TESSER_ROLES splits them; ~3 services in prod: this, workers, Postgres).
+
+import { serve, type ServerType } from "@hono/node-server";
+import type { Hono } from "hono";
+import { loadConfig, type ServerConfig } from "./config.js";
+import { createDb, type Db } from "./db/db.js";
+import { migrate } from "./db/migrate.js";
+import { Broker } from "./broker/broker.js";
+import { Masker } from "./broker/masking.js";
+import { makeEngineBindings } from "./broker/connections.js";
+import { executeRun } from "./engine/executor.js";
+import type { EngineDeps } from "./engine/types.js";
+import { fanoutEvent } from "./events/fanout.js";
+import { createApp } from "./http/app.js";
+import { ensureAdminToken } from "./http/tokens.js";
+import { Worker } from "./queue/worker.js";
+import type { ClaimedJob } from "./queue/queue.js";
+import { startScheduler } from "./scheduler/cron.js";
+import { startReaper } from "./scheduler/reaper.js";
+import { ArtifactLoader } from "./registry/loader.js";
+import { createConnectorIngress } from "./triggers/ingress.js";
+import { runPoll, type PollJobPayload } from "./triggers/poll.js";
+import type { TriggerLayerDeps } from "./triggers/shared.js";
+import { deployStatus, reconcileProject, type ReconcilerDeps } from "./gitsync/reconciler.js";
+
+export interface TesserServer {
+  config: ServerConfig;
+  db: Db;
+  broker: Broker;
+  masker: Masker;
+  loader: ArtifactLoader;
+  engineDeps: EngineDeps;
+  triggerDeps: TriggerLayerDeps;
+  reconcilerDeps: ReconcilerDeps;
+  worker: Worker;
+  app: Hono;
+  /** Set when roles.api and started via listen(). */
+  httpServer?: ServerType;
+  adminToken?: string;
+  start(): Promise<void>;
+  stop(): Promise<void>;
+}
+
+export async function createTesserServer(
+  overrides: Partial<ServerConfig> = {},
+): Promise<TesserServer> {
+  const config = { ...loadConfig(), ...overrides };
+  const db = await createDb({
+    databaseUrl: config.databaseUrl,
+    dataDir: config.databaseUrl ? undefined : `${config.dataDir}/pglite`,
+  });
+  await migrate(db);
+
+  const masker = new Masker();
+  const broker = new Broker(db, config.masterKey, masker);
+  const workspaceId = await broker.ensureDefaultWorkspace();
+  const adminToken = await ensureAdminToken(db, workspaceId);
+
+  const loader = new ArtifactLoader(db);
+  const bindings = makeEngineBindings({ db, broker });
+  const engineDeps: EngineDeps = {
+    db,
+    loadAutomation: loader.load,
+    buildConnections: bindings.buildConnections,
+    resolveSecrets: bindings.resolveSecrets,
+    ...(bindings.callModel !== undefined ? { callModel: bindings.callModel } : {}),
+    ...(bindings.callHarness !== undefined ? { callHarness: bindings.callHarness } : {}),
+    mask: (s) => masker.mask(s),
+  };
+  const triggerDeps: TriggerLayerDeps = {
+    db,
+    broker,
+    baseUrl: config.baseUrl,
+    loadAutomation: loader.load,
+  };
+  const reconcilerDeps: ReconcilerDeps = {
+    db,
+    broker,
+    loader,
+    dataDir: config.dataDir,
+    baseUrl: config.baseUrl,
+    triggerDeps,
+  };
+
+  const workerHandlers = {
+    run: async (job: ClaimedJob) => {
+      await executeRun(engineDeps, (job.payload as { runId: string }).runId);
+    },
+    "event-fanout": async (job: ClaimedJob) => {
+      await fanoutEvent(db, (job.payload as { eventId: string }).eventId);
+    },
+    "trigger-poll": async (job: ClaimedJob) => {
+      await runPoll(triggerDeps, job.payload as never as PollJobPayload);
+    },
+    reconcile: async (job: ClaimedJob) => {
+      const p = job.payload as { projectId: string; ref?: string; localPath?: string };
+      await reconcileProject(reconcilerDeps, p.projectId, { ref: p.ref, localPath: p.localPath });
+    },
+  };
+  const workerKinds = [
+    ...(config.roles.worker ? (["run", "event-fanout", "trigger-poll"] as const) : []),
+    ...(config.roles.reconciler ? (["reconcile"] as const) : []),
+  ];
+  const worker = new Worker(
+    db,
+    Object.fromEntries(workerKinds.map((kind) => [kind, workerHandlers[kind]])),
+    {
+      tags: config.workerTags,
+      kinds: workerKinds,
+      pollIntervalMs: config.pollIntervalMs,
+      onError: (e) => console.error("[worker]", e),
+    },
+  );
+
+  const app = createApp({
+    db,
+    broker,
+    baseUrl: config.baseUrl,
+    dataDir: config.dataDir,
+    roles: config.roles,
+    connectorIngress: createConnectorIngress(triggerDeps),
+    deployStatus: (projectId, env) => deployStatus(db, projectId, env),
+  });
+
+  let stopScheduler: (() => void) | undefined;
+  let stopReaper: (() => void) | undefined;
+  let httpServer: ServerType | undefined;
+
+  const server: TesserServer = {
+    config,
+    db,
+    broker,
+    masker,
+    loader,
+    engineDeps,
+    triggerDeps,
+    reconcilerDeps,
+    worker,
+    app,
+    ...(adminToken !== null ? { adminToken } : {}),
+    async start() {
+      if (config.roles.api) {
+        httpServer = serve({ fetch: app.fetch, port: config.port, hostname: "0.0.0.0" });
+        server.httpServer = httpServer;
+      }
+      if (config.roles.worker || config.roles.reconciler) worker.start();
+      if (config.roles.scheduler) {
+        stopScheduler = startScheduler(db, { onError: (e) => console.error("[scheduler]", e) });
+        stopReaper = startReaper(db, { onError: (e) => console.error("[reaper]", e) });
+      }
+    },
+    async stop() {
+      stopScheduler?.();
+      stopReaper?.();
+      await worker.stop();
+      if (httpServer) await new Promise<void>((r) => httpServer!.close(() => r()));
+      await db.close();
+    },
+  };
+  return server;
+}

package/src/triggers/ingress.ts

@@ -0,0 +1,154 @@
+// Connector-webhook ingress demux (ADR-0013): verify by the connector's declared scheme,
+// answer endpoint challenges, identify the event, dedup by delivery id, fan out across
+// every registration sharing the connector+connection (app-level URLs like Slack's serve
+// several triggers), map → typed payload → one durable run each.
+
+import type { InboundWebhookEvent } from "@devosurf/tesser-sdk/connector";
+import { validateSchema, verifyInboundEvent } from "@devosurf/tesser-sdk/internal";
+import { createHash } from "node:crypto";
+import { createRun } from "../engine/runs.js";
+import {
+  isWebhookDecl,
+  loadTriggerState,
+  pruneSeen,
+  resolveLiveTrigger,
+  saveTriggerState,
+  type TriggerLayerDeps,
+} from "./shared.js";
+
+interface IngressResult {
+  status: number;
+  body: string;
+  contentType?: string;
+}
+
+const json = (status: number, body: unknown): IngressResult => ({ status, body: JSON.stringify(body) });
+
+export function createConnectorIngress(deps: TriggerLayerDeps) {
+  return async function connectorIngress(
+    ingressToken: string,
+    req: { headers: Record<string, string>; query: Record<string, string>; rawBody: Uint8Array },
+  ): Promise<IngressResult> {
+    const { rows } = await deps.db.query<{
+      id: string;
+      project_id: string;
+      automation_id: string;
+      trigger_id: string;
+      connector_id: string;
+      connection_id: string;
+      env: string;
+      status: string;
+      signing_secret_cipher: string | null;
+    }>(`SELECT * FROM webhook_registrations WHERE ingress_token=$1`, [ingressToken]);
+    const reg = rows[0];
+    if (!reg || !["registered", "manual-pending"].includes(reg.status)) {
+      return json(404, { error: "unknown ingress" });
+    }
+
+    const resolved = await resolveLiveTrigger(deps, reg.project_id, reg.automation_id, reg.env).catch(() => null);
+    if (!resolved || !isWebhookDecl(resolved.decl)) return json(404, { error: "trigger not live" });
+    const webhook = resolved.connector.__connector.webhook;
+    if (!webhook) return json(500, { error: "connector has no webhook config" });
+
+    let body: unknown;
+    try {
+      body = JSON.parse(new TextDecoder().decode(req.rawBody));
+    } catch {
+      body = undefined;
+    }
+    const event: InboundWebhookEvent = { headers: req.headers, query: req.query, rawBody: req.rawBody, json: body };
+
+    // Endpoint verification handshakes (Slack url_verification) answer BEFORE signature
+    // checks — Slack signs them, but a manual-pending registration has no secret yet.
+    const challenge = webhook.challenge?.(event);
+    if (challenge !== null && challenge !== undefined) {
+      return { status: 200, body: challenge, contentType: "text/plain" };
+    }
+
+    if (reg.status !== "registered" || reg.signing_secret_cipher === null) {
+      return json(409, { error: "registration incomplete — signing secret not configured" });
+    }
+    const { rows: wsRows } = await deps.db.query<{ workspace_id: string }>(
+      `SELECT workspace_id FROM projects WHERE id=$1`,
+      [reg.project_id],
+    );
+    const secret = await deps.broker.decryptValue(wsRows[0]!.workspace_id, reg.signing_secret_cipher, "webhook.signing");
+    if (!(await verifyInboundEvent(webhook.verify, event, secret))) {
+      return json(401, { error: "signature verification failed" });
+    }
+
+    const identified = webhook.identify(event);
+    if (!identified) return json(400, { error: "unrecognized event" });
+    const deliveryId =
+      identified.deliveryId ?? createHash("sha256").update(req.rawBody).digest("hex").slice(0, 24);
+
+    // Fan out across all live registrations sharing connector+connection (one app-level
+    // URL can serve several triggers) — the receiving registration's siblings included.
+    const { rows: siblings } = await deps.db.query<{
+      id: string;
+      automation_id: string;
+      trigger_id: string;
+      connection_id: string;
+      status: string;
+    }>(
+      `SELECT id, automation_id, trigger_id, connection_id, status FROM webhook_registrations
+       WHERE project_id=$1 AND env=$2 AND connector_id=$3 AND connection_id=$4 AND status='registered'`,
+      [reg.project_id, reg.env, reg.connector_id, reg.connection_id],
+    );
+
+    let fired = 0;
+    for (const sib of siblings) {
+      const sibResolved =
+        sib.id === reg.id
+          ? resolved
+          : await resolveLiveTrigger(deps, reg.project_id, sib.automation_id, reg.env).catch(() => null);
+      if (!sibResolved || !isWebhookDecl(sibResolved.decl)) continue;
+      if (sibResolved.decl.event !== identified.event) continue;
+
+      const stateKey = {
+        projectId: reg.project_id,
+        automationId: sib.automation_id,
+        triggerId: sib.trigger_id,
+        connectionId: sib.connection_id,
+      };
+      const state = await loadTriggerState(deps.db, stateKey, "webhook");
+      const seen = new Map(pruneSeen(state.seen, Date.now()));
+      if (seen.has(deliveryId)) continue; // provider redelivery → drop
+
+      const mapped = await sibResolved.decl.map(identified.payload ?? body, sibResolved.params);
+      if (mapped === null) {
+        seen.set(deliveryId, Date.now());
+        await saveTriggerState(deps.db, stateKey, { seen: [...seen.entries()], seeded: true });
+        continue;
+      }
+      const validated = await validateSchema(
+        sibResolved.decl.output,
+        mapped,
+        `${reg.connector_id}.triggers.${sib.trigger_id} payload`,
+      );
+      await createRun(deps.db, {
+        projectId: reg.project_id,
+        automationId: sib.automation_id,
+        versionId: sibResolved.versionId,
+        env: reg.env,
+        trigger: {
+          kind: "connector",
+          connector: reg.connector_id,
+          trigger: sib.trigger_id,
+          strategy: "webhook",
+          deliveryId,
+          event: identified.event,
+          connectionId: sib.connection_id,
+          ...(sibResolved.connection.end_user_id !== null
+            ? { endUserId: sibResolved.connection.end_user_id }
+            : {}),
+        },
+        input: validated,
+      });
+      seen.set(deliveryId, Date.now());
+      await saveTriggerState(deps.db, stateKey, { seen: [...seen.entries()], seeded: true, touch: "delivery" });
+      fired++;
+    }
+    return json(202, { ok: true, fired });
+  };
+}