@downcity/agent 1.1.7 → 1.1.8

package/src/http/auth/RoutePolicy.ts

@@ -1,255 +0,0 @@
-/**
- * 统一账户路由策略与全局守卫。
- *
- * 关键点（中文）
- * - 这里负责把“哪些接口需要登录、需要什么权限”集中配置。
- * - 当系统还没有任何统一账户用户时，受保护接口默认放行，避免首次 bootstrap 被锁死。
- */
-
-import type { MiddlewareHandler } from "hono";
-import type { AuthRoutePolicy } from "@/shared/types/auth/AuthRoute.js";
-import type { AuthPermissionKey } from "@/shared/types/auth/AuthPermission.js";
-import { isAuthError as isAuthDomainError } from "./AuthError.js";
-import type { AuthService } from "./AuthService.js";
-import { AUTH_PRINCIPAL_CONTEXT_KEY, type AuthMiddlewareVariables } from "./AuthMiddleware.js";
-
-/**
- * Server 侧路由权限矩阵。
- */
-export const SERVER_AUTH_ROUTE_POLICIES: AuthRoutePolicy[] = [
-  { path: "/api/auth/*", method: "*", requireAuth: false },
-  { path: "/health", method: "GET", requireAuth: false },
-  {
-    path: "/api/execute",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["agent.execute"],
-  },
-  {
-    path: "/api/services/list",
-    method: "GET",
-    requireAuth: true,
-    anyPermissions: ["service.read"],
-  },
-  {
-    path: "/api/services/control",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["service.write"],
-  },
-  {
-    path: "/api/services/command",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["service.write"],
-  },
-  {
-    path: "/api/plugins/list",
-    method: "GET",
-    requireAuth: true,
-    anyPermissions: ["plugin.read"],
-  },
-  {
-    path: "/api/plugins/availability",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["plugin.read"],
-  },
-  {
-    path: "/api/plugins/action",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["plugin.write"],
-  },
-  {
-    path: "/api/control/authorization",
-    method: "GET",
-    requireAuth: true,
-    anyPermissions: ["auth.read"],
-  },
-  {
-    path: "/api/control/authorization/config",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["auth.write"],
-  },
-  {
-    path: "/api/control/authorization/action",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["auth.write"],
-  },
-  {
-    path: "/api/control/*",
-    method: "*",
-    requireAuth: true,
-  },
-];
-
-/**
- * 控制面网关侧路由权限矩阵。
- */
-export const CONTROL_PLANE_AUTH_ROUTE_POLICIES: AuthRoutePolicy[] = [
-  { path: "/api/auth/*", method: "*", requireAuth: false },
-  { path: "/health", method: "GET", requireAuth: false },
-  {
-    path: "/api/ui/agents",
-    method: "GET",
-    requireAuth: true,
-    anyPermissions: ["agent.read"],
-  },
-  {
-    path: "/api/ui/agents/create",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["agent.write"],
-  },
-  {
-    path: "/api/ui/agents/start",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["agent.write"],
-  },
-  {
-    path: "/api/ui/agents/restart",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["agent.write"],
-  },
-  {
-    path: "/api/ui/agents/stop",
-    method: "POST",
-    requireAuth: true,
-    anyPermissions: ["agent.write"],
-  },
-  {
-    path: "/api/ui/model*",
-    method: "*",
-    requireAuth: true,
-    anyPermissions: ["model.read"],
-  },
-  {
-    path: "/api/ui/env*",
-    method: "*",
-    requireAuth: true,
-    anyPermissions: ["env.read"],
-  },
-  {
-    path: "/api/ui/channel*",
-    method: "*",
-    requireAuth: true,
-    anyPermissions: ["channel.read"],
-  },
-  {
-    path: "/api/ui/plugins*",
-    method: "*",
-    requireAuth: true,
-    anyPermissions: ["plugin.read"],
-  },
-  {
-    path: "/api/ui/*",
-    method: "*",
-    requireAuth: true,
-  },
-];
-
-/**
- * 根据路径与方法解析匹配的策略。
- */
-export function resolveAuthRoutePolicy(
-  path: string,
-  method: string,
-  policies: AuthRoutePolicy[],
-): AuthRoutePolicy | null {
-  const normalizedPath = String(path || "").trim() || "/";
-  const normalizedMethod = String(method || "GET").trim().toUpperCase();
-  for (const policy of policies) {
-    if (!matchesMethod(policy.method, normalizedMethod)) continue;
-    if (!matchesPath(policy.path, normalizedPath)) continue;
-    return policy;
-  }
-  return null;
-}
-
-/**
- * 创建全局路由鉴权中间件。
- */
-export function createRouteAuthGuardMiddleware(
-  authService: AuthService,
-  policies: AuthRoutePolicy[] = SERVER_AUTH_ROUTE_POLICIES,
-): MiddlewareHandler<{ Variables: AuthMiddlewareVariables }> {
-  return async (c, next) => {
-    const policy = resolveAuthRoutePolicy(c.req.path, c.req.method, policies);
-    if (!policy || policy.requireAuth !== true) {
-      await next();
-      return;
-    }
-    if (!authService.hasLocalCliAccess()) {
-      await next();
-      return;
-    }
-    try {
-      const principal = authService.authenticateBearerHeader(
-        c.req.header("authorization"),
-      );
-      ensurePermissions(principal.permissions, policy.anyPermissions);
-      c.set(AUTH_PRINCIPAL_CONTEXT_KEY, principal);
-      await next();
-    } catch (error) {
-      if (isRouteGuardError(error)) {
-        return c.json(
-          { success: false, error: error.message },
-          error.status as 200,
-        );
-      }
-      return c.json({ success: false, error: String(error) }, 500);
-    }
-  };
-}
-
-function matchesMethod(expectedMethod: string, actualMethod: string): boolean {
-  const expected = String(expectedMethod || "*").trim().toUpperCase();
-  return expected === "*" || expected === actualMethod;
-}
-
-function matchesPath(patternInput: string, actualPath: string): boolean {
-  const pattern = String(patternInput || "").trim();
-  if (!pattern) return false;
-  if (pattern.endsWith("*")) {
-    const prefix = pattern.slice(0, -1);
-    return actualPath.startsWith(prefix);
-  }
-  return actualPath === pattern;
-}
-
-function ensurePermissions(
-  userPermissions: AuthPermissionKey[],
-  anyPermissions: AuthRoutePolicy["anyPermissions"],
-): void {
-  if (!anyPermissions || anyPermissions.length === 0) return;
-  if (anyPermissions.some((permission) => userPermissions.includes(permission))) return;
-  throw new ErrorWithStatus("Permission denied", 403);
-}
-
-class ErrorWithStatus extends Error {
-  readonly status: number;
-
-  constructor(message: string, status: number) {
-    super(message);
-    this.name = "AuthPermissionError";
-    this.status = status;
-  }
-}
-
-function isAuthErrorLike(error: unknown): error is { message: string; status: number } {
-  return (
-    typeof error === "object" &&
-    error !== null &&
-    "status" in error &&
-    typeof (error as { status?: unknown }).status === "number"
-  );
-}
-
-function isRouteGuardError(error: unknown): error is { message: string; status: number } {
-  return isAuthDomainError(error) || isAuthErrorLike(error);
-}

package/src/plugin/Lifecycle.ts

@@ -1,116 +0,0 @@
-/**
- * Plugin 生命周期配置模块。
- *
- * 关键点（中文）
- * - Plugin enable/disable 属于 city 级全局配置，不再写入 agent `downcity.json`。
- * - 当前实现把 lifecycle 配置存入 PlatformStore 的统一 JSON 设置。
- * - 默认策略：除显式关闭外，内建 plugin 视为启用。
- */
-
-import { PlatformStore } from "@/shared/utils/store/index.js";
-import type {
-  CityPluginLifecycleConfig,
-  CityPluginLifecycleItem,
-} from "@/shared/types/PluginLifecycle.js";
-
-const PLUGIN_LIFECYCLE_SETTING_KEY = "plugins.lifecycle";
-
-function normalizeLifecycleItem(input: unknown): CityPluginLifecycleItem | null {
-  if (!input || typeof input !== "object" || Array.isArray(input)) return null;
-  const record = input as Record<string, unknown>;
-  if (typeof record.enabled !== "boolean") return null;
-  const updatedAt = String(record.updatedAt || "").trim() || new Date().toISOString();
-  return {
-    enabled: record.enabled,
-    updatedAt,
-  };
-}
-
-function normalizeLifecycleConfig(input: unknown): CityPluginLifecycleConfig {
-  if (!input || typeof input !== "object" || Array.isArray(input)) return {};
-  const out: CityPluginLifecycleConfig = {};
-  for (const [pluginName, raw] of Object.entries(input as Record<string, unknown>)) {
-    const key = String(pluginName || "").trim();
-    if (!key) continue;
-    const item = normalizeLifecycleItem(raw);
-    if (!item) continue;
-    out[key] = item;
-  }
-  return out;
-}
-
-/**
- * 读取当前 city 级 plugin lifecycle 配置。
- */
-export function readCityPluginLifecycleConfig(): CityPluginLifecycleConfig {
-  const store = new PlatformStore();
-  try {
-    return normalizeLifecycleConfig(
-      store.getSecureSettingJsonSync<CityPluginLifecycleConfig>(
-        PLUGIN_LIFECYCLE_SETTING_KEY,
-      ),
-    );
-  } finally {
-    store.close();
-  }
-}
-
-/**
- * 写入完整 city 级 plugin lifecycle 配置。
- */
-export function writeCityPluginLifecycleConfig(
-  value: CityPluginLifecycleConfig,
-): CityPluginLifecycleConfig {
-  const normalized = normalizeLifecycleConfig(value);
-  const store = new PlatformStore();
-  try {
-    store.setSecureSettingJsonSync(PLUGIN_LIFECYCLE_SETTING_KEY, normalized);
-    return normalized;
-  } finally {
-    store.close();
-  }
-}
-
-/**
- * 读取单个 plugin 的 city 级 lifecycle 状态。
- */
-export function readCityPluginLifecycleItem(
-  pluginName: string,
-): CityPluginLifecycleItem | null {
-  const key = String(pluginName || "").trim();
-  if (!key) return null;
-  return readCityPluginLifecycleConfig()[key] || null;
-}
-
-/**
- * 读取单个 plugin 是否启用。
- *
- * 关键点（中文）
- * - 除显式关闭外，一律默认启用。
- */
-export function isCityPluginEnabled(pluginName: string): boolean {
-  const item = readCityPluginLifecycleItem(pluginName);
-  if (!item) return true;
-  return item.enabled === true;
-}
-
-/**
- * 设置单个 plugin 的 city 级启用态。
- */
-export function setCityPluginEnabled(
-  pluginName: string,
-  enabled: boolean,
-): CityPluginLifecycleConfig {
-  const key = String(pluginName || "").trim();
-  if (!key) {
-    throw new Error("pluginName is required");
-  }
-  const current = readCityPluginLifecycleConfig();
-  return writeCityPluginLifecycleConfig({
-    ...current,
-    [key]: {
-      enabled,
-      updatedAt: new Date().toISOString(),
-    },
-  });
-}