@hotmeshio/long-tail 0.4.17 → 0.4.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +0 -2
- package/build/adapters/express.js +4 -0
- package/build/api/auth-sso.d.ts +12 -0
- package/build/api/auth-sso.js +54 -0
- package/build/api/escalations/bulk.js +2 -2
- package/build/api/escalations/claim.js +3 -13
- package/build/api/escalations/create.js +3 -2
- package/build/api/escalations/helpers.d.ts +1 -0
- package/build/api/escalations/helpers.js +6 -4
- package/build/api/escalations/list.d.ts +1 -0
- package/build/api/escalations/list.js +1 -0
- package/build/api/escalations/metadata.js +4 -4
- package/build/api/escalations/single.js +3 -2
- package/build/api/settings.js +6 -1
- package/build/api/topics.d.ts +9 -0
- package/build/api/topics.js +31 -2
- package/build/lib/events/index.d.ts +1 -0
- package/build/lib/events/index.js +4 -0
- package/build/lib/events/nats.d.ts +5 -0
- package/build/lib/events/nats.js +9 -0
- package/build/lib/events/publish.d.ts +12 -9
- package/build/lib/events/publish.js +27 -17
- package/build/modules/auth.d.ts +7 -0
- package/build/modules/auth.js +104 -2
- package/build/modules/sso.d.ts +6 -0
- package/build/modules/sso.js +20 -0
- package/build/routes/auth-sso.d.ts +2 -0
- package/build/routes/auth-sso.js +51 -0
- package/build/routes/bot-accounts.js +1 -1
- package/build/routes/controlplane.js +6 -6
- package/build/routes/escalations/list.js +1 -0
- package/build/routes/index.js +2 -0
- package/build/routes/mcp-endpoint.d.ts +17 -0
- package/build/routes/mcp-endpoint.js +70 -0
- package/build/routes/nats-credentials.js +1 -1
- package/build/routes/roles.js +5 -5
- package/build/routes/topics.js +2 -0
- package/build/routes/users.js +31 -5
- package/build/sdk/index.d.ts +1 -0
- package/build/services/agent/input-mapper.js +17 -1
- package/build/services/escalation/crud.js +14 -1
- package/build/services/escalation/queries.d.ts +1 -0
- package/build/services/escalation/queries.js +7 -0
- package/build/services/mcp/exposure.d.ts +15 -0
- package/build/services/mcp/exposure.js +18 -0
- package/build/services/mcp/external-server.d.ts +15 -0
- package/build/services/mcp/external-server.js +125 -0
- package/build/services/mcp/seed-service-account.d.ts +11 -0
- package/build/services/mcp/seed-service-account.js +77 -0
- package/build/services/role/index.d.ts +1 -1
- package/build/services/role/index.js +2 -2
- package/build/services/topics/system-topics.js +29 -25
- package/build/services/user/index.d.ts +1 -1
- package/build/services/user/index.js +2 -1
- package/build/services/user/rbac.d.ts +11 -0
- package/build/services/user/rbac.js +17 -0
- package/build/services/user/sso-provision.d.ts +19 -0
- package/build/services/user/sso-provision.js +62 -0
- package/build/services/workflow-invocation.js +5 -3
- package/build/start/config.js +6 -0
- package/build/start/server.js +2 -0
- package/build/start/workers.js +15 -0
- package/build/system/index.js +53 -35
- package/build/system/mcp-servers/admin/agent-subscriptions.d.ts +5 -0
- package/build/system/mcp-servers/admin/agent-subscriptions.js +78 -0
- package/build/system/mcp-servers/admin/agents.d.ts +5 -0
- package/build/system/mcp-servers/admin/agents.js +103 -0
- package/build/system/mcp-servers/admin/bot-accounts.d.ts +5 -0
- package/build/system/mcp-servers/admin/bot-accounts.js +126 -0
- package/build/system/mcp-servers/admin/controlplane.d.ts +5 -0
- package/build/system/mcp-servers/admin/controlplane.js +107 -0
- package/build/system/mcp-servers/admin/escalations.js +88 -0
- package/build/system/mcp-servers/admin/exports.d.ts +5 -0
- package/build/system/mcp-servers/admin/exports.js +101 -0
- package/build/system/mcp-servers/admin/index.d.ts +16 -8
- package/build/system/mcp-servers/admin/index.js +36 -21
- package/build/system/mcp-servers/admin/pipelines.d.ts +5 -0
- package/build/system/mcp-servers/admin/pipelines.js +96 -0
- package/build/system/mcp-servers/admin/schemas.d.ts +614 -6
- package/build/system/mcp-servers/admin/schemas.js +239 -1
- package/build/system/mcp-servers/admin/settings.d.ts +5 -0
- package/build/system/mcp-servers/admin/settings.js +53 -0
- package/build/system/mcp-servers/admin/topics.d.ts +5 -0
- package/build/system/mcp-servers/admin/topics.js +101 -0
- package/build/system/seed/tool-manifests-admin.d.ts +5077 -188
- package/build/system/seed/tool-manifests-admin.js +79 -30
- package/build/system/seed/tool-manifests-data.d.ts +20 -0
- package/build/system/seed/tool-manifests-data.js +24 -6
- package/build/system/seed/tool-manifests-escalation.d.ts +5 -0
- package/build/system/seed/tool-manifests-escalation.js +5 -0
- package/build/system/seed/tool-manifests-events.d.ts +4 -0
- package/build/system/seed/tool-manifests-events.js +4 -0
- package/build/system/seed/tool-manifests-knowledge.d.ts +6 -0
- package/build/system/seed/tool-manifests-knowledge.js +7 -0
- package/build/system/seed/tool-manifests-workflows.d.ts +8 -0
- package/build/system/seed/tool-manifests-workflows.js +8 -0
- package/build/tsconfig.tsbuildinfo +1 -1
- package/build/types/auth.d.ts +71 -0
- package/build/types/events.d.ts +17 -6
- package/build/types/index.d.ts +1 -1
- package/build/types/startup.d.ts +22 -1
- package/dashboard/dist/assets/{AdminDashboard-Cfo0mwL2.js → AdminDashboard-BwUGcCxQ.js} +2 -2
- package/dashboard/dist/assets/{AdminDashboard-Cfo0mwL2.js.map → AdminDashboard-BwUGcCxQ.js.map} +1 -1
- package/dashboard/dist/assets/AgentConfigPage-DgrYzLwq.js +16 -0
- package/dashboard/dist/assets/AgentConfigPage-DgrYzLwq.js.map +1 -0
- package/dashboard/dist/assets/{AgentDetailPage-3mZA7SOb.js → AgentDetailPage-XJpl7wfJ.js} +4 -4
- package/dashboard/dist/assets/AgentDetailPage-XJpl7wfJ.js.map +1 -0
- package/dashboard/dist/assets/{AgentsPage-CTVocfBb.js → AgentsPage-CGpVG6r8.js} +2 -2
- package/dashboard/dist/assets/{AgentsPage-CTVocfBb.js.map → AgentsPage-CGpVG6r8.js.map} +1 -1
- package/dashboard/dist/assets/AvailableEscalationsPage-DR1e0TQZ.js +2 -0
- package/dashboard/dist/assets/{AvailableEscalationsPage-CA9x9o5s.js.map → AvailableEscalationsPage-DR1e0TQZ.js.map} +1 -1
- package/dashboard/dist/assets/BotPicker-BKtjl6IL.js +2 -0
- package/dashboard/dist/assets/{BotPicker-BQp_Vs73.js.map → BotPicker-BKtjl6IL.js.map} +1 -1
- package/dashboard/dist/assets/{CapabilitiesPage-wpVtkGeU.js → CapabilitiesPage-kCB8fyOj.js} +2 -2
- package/dashboard/dist/assets/{CapabilitiesPage-wpVtkGeU.js.map → CapabilitiesPage-kCB8fyOj.js.map} +1 -1
- package/dashboard/dist/assets/{CollapsibleSection-2eZMMZiG.js → CollapsibleSection-C3tU61hB.js} +2 -2
- package/dashboard/dist/assets/{CollapsibleSection-2eZMMZiG.js.map → CollapsibleSection-C3tU61hB.js.map} +1 -1
- package/dashboard/dist/assets/{CredentialsPage-DJGLssm0.js → CredentialsPage-Dt4nJs_B.js} +2 -2
- package/dashboard/dist/assets/{CredentialsPage-DJGLssm0.js.map → CredentialsPage-Dt4nJs_B.js.map} +1 -1
- package/dashboard/dist/assets/CronLabel-BdE6mHyA.js +2 -0
- package/dashboard/dist/assets/CronLabel-BdE6mHyA.js.map +1 -0
- package/dashboard/dist/assets/{CustomDurationPicker-DbyqfK35.js → CustomDurationPicker-B_Yxfb-u.js} +2 -2
- package/dashboard/dist/assets/{CustomDurationPicker-DbyqfK35.js.map → CustomDurationPicker-B_Yxfb-u.js.map} +1 -1
- package/dashboard/dist/assets/{DropZone-BkfRoUcm.js → DropZone-CptiQ0wc.js} +2 -2
- package/dashboard/dist/assets/{DropZone-BkfRoUcm.js.map → DropZone-CptiQ0wc.js.map} +1 -1
- package/dashboard/dist/assets/ElapsedCell-tcGx5PFI.js +2 -0
- package/dashboard/dist/assets/{ElapsedCell-BPYm8RA7.js.map → ElapsedCell-tcGx5PFI.js.map} +1 -1
- package/dashboard/dist/assets/{EscalationsOverview-kYGHfnLf.js → EscalationsOverview-1KO5dXzk.js} +2 -2
- package/dashboard/dist/assets/{EscalationsOverview-kYGHfnLf.js.map → EscalationsOverview-1KO5dXzk.js.map} +1 -1
- package/dashboard/dist/assets/{EventTable-DSDzJMer.js → EventTable-DnpsQ6Ew.js} +2 -2
- package/dashboard/dist/assets/{EventTable-DSDzJMer.js.map → EventTable-DnpsQ6Ew.js.map} +1 -1
- package/dashboard/dist/assets/HomePage-B2Jgo1J1.js +2 -0
- package/dashboard/dist/assets/HomePage-B2Jgo1J1.js.map +1 -0
- package/dashboard/dist/assets/ListToolbar-jrVba7QN.js +2 -0
- package/dashboard/dist/assets/{ListToolbar-DEef1_-T.js.map → ListToolbar-jrVba7QN.js.map} +1 -1
- package/dashboard/dist/assets/{McpOverview-CZFW5qMb.js → McpOverview-BzyxJyc9.js} +2 -2
- package/dashboard/dist/assets/{McpOverview-CZFW5qMb.js.map → McpOverview-BzyxJyc9.js.map} +1 -1
- package/dashboard/dist/assets/{McpQueryDetailPage-q9xH-QRo.js → McpQueryDetailPage-DXNseeKl.js} +2 -2
- package/dashboard/dist/assets/{McpQueryDetailPage-q9xH-QRo.js.map → McpQueryDetailPage-DXNseeKl.js.map} +1 -1
- package/dashboard/dist/assets/{McpQueryPage-D14466yi.js → McpQueryPage-WZfTY43_.js} +2 -2
- package/dashboard/dist/assets/{McpQueryPage-D14466yi.js.map → McpQueryPage-WZfTY43_.js.map} +1 -1
- package/dashboard/dist/assets/McpRunDetailPage-DKZp-p7S.js +2 -0
- package/dashboard/dist/assets/McpRunDetailPage-DKZp-p7S.js.map +1 -0
- package/dashboard/dist/assets/McpRunsPage-SXyiwc0d.js +2 -0
- package/dashboard/dist/assets/{McpRunsPage-aZg057y3.js.map → McpRunsPage-SXyiwc0d.js.map} +1 -1
- package/dashboard/dist/assets/OperatorDashboard-Cy7ySMXj.js +2 -0
- package/dashboard/dist/assets/OperatorDashboard-Cy7ySMXj.js.map +1 -0
- package/dashboard/dist/assets/{PageHeader-CR6TpJG_.js → PageHeader-BuJpMxyu.js} +2 -2
- package/dashboard/dist/assets/{PageHeader-CR6TpJG_.js.map → PageHeader-BuJpMxyu.js.map} +1 -1
- package/dashboard/dist/assets/{PageHeaderWithStats-CRcQEAO1.js → PageHeaderWithStats-yD_PTbOl.js} +2 -2
- package/dashboard/dist/assets/{PageHeaderWithStats-CRcQEAO1.js.map → PageHeaderWithStats-yD_PTbOl.js.map} +1 -1
- package/dashboard/dist/assets/{ProcessDetailPage-DyzNjwu8.js → ProcessDetailPage-DYIfvWyc.js} +2 -2
- package/dashboard/dist/assets/{ProcessDetailPage-DyzNjwu8.js.map → ProcessDetailPage-DYIfvWyc.js.map} +1 -1
- package/dashboard/dist/assets/{ProcessesListPage-CT_3b5Wt.js → ProcessesListPage-DR1RGaMl.js} +2 -2
- package/dashboard/dist/assets/{ProcessesListPage-CT_3b5Wt.js.map → ProcessesListPage-DR1RGaMl.js.map} +1 -1
- package/dashboard/dist/assets/{RolePill-BC54Vn-U.js → RolePill-SasQKc_B.js} +2 -2
- package/dashboard/dist/assets/{RolePill-BC54Vn-U.js.map → RolePill-SasQKc_B.js.map} +1 -1
- package/dashboard/dist/assets/{RolesPage-CpRJq-sg.js → RolesPage-pMERxj15.js} +2 -2
- package/dashboard/dist/assets/{RolesPage-CpRJq-sg.js.map → RolesPage-pMERxj15.js.map} +1 -1
- package/dashboard/dist/assets/{RunAsSelector-C20rdNsC.js → RunAsSelector-B-ksMoEj.js} +2 -2
- package/dashboard/dist/assets/{RunAsSelector-C20rdNsC.js.map → RunAsSelector-B-ksMoEj.js.map} +1 -1
- package/dashboard/dist/assets/ServerName-CHspudaC.js +2 -0
- package/dashboard/dist/assets/{ServerName-Q6okiv4f.js.map → ServerName-CHspudaC.js.map} +1 -1
- package/dashboard/dist/assets/{SwimlaneTimeline-CbFaU4bq.js → SwimlaneTimeline-Cr_K5qpu.js} +2 -2
- package/dashboard/dist/assets/{SwimlaneTimeline-CbFaU4bq.js.map → SwimlaneTimeline-Cr_K5qpu.js.map} +1 -1
- package/dashboard/dist/assets/{TagInput-D6l1SPWd.js → TagInput-DvF3j8MA.js} +2 -2
- package/dashboard/dist/assets/{TagInput-D6l1SPWd.js.map → TagInput-DvF3j8MA.js.map} +1 -1
- package/dashboard/dist/assets/{TaskDetailPage-22cJsFmM.js → TaskDetailPage-BO5p7AEe.js} +2 -2
- package/dashboard/dist/assets/{TaskDetailPage-22cJsFmM.js.map → TaskDetailPage-BO5p7AEe.js.map} +1 -1
- package/dashboard/dist/assets/{TaskQueuePill-iDBVCEQQ.js → TaskQueuePill-BCQrS2oK.js} +2 -2
- package/dashboard/dist/assets/{TaskQueuePill-iDBVCEQQ.js.map → TaskQueuePill-BCQrS2oK.js.map} +1 -1
- package/dashboard/dist/assets/{TasksListPage-BDmaUIKu.js → TasksListPage-BRg-uFtF.js} +2 -2
- package/dashboard/dist/assets/{TasksListPage-BDmaUIKu.js.map → TasksListPage-BRg-uFtF.js.map} +1 -1
- package/dashboard/dist/assets/{TimeAgo-7wqEp87-.js → TimeAgo-BSzN6rAH.js} +2 -2
- package/dashboard/dist/assets/{TimeAgo-7wqEp87-.js.map → TimeAgo-BSzN6rAH.js.map} +1 -1
- package/dashboard/dist/assets/{TimestampCell-BBCf8zsN.js → TimestampCell-DL6zMNEQ.js} +2 -2
- package/dashboard/dist/assets/{TimestampCell-BBCf8zsN.js.map → TimestampCell-DL6zMNEQ.js.map} +1 -1
- package/dashboard/dist/assets/{ToolPill-HcRTggHo.js → ToolPill-1aTqYtzp.js} +2 -2
- package/dashboard/dist/assets/{ToolPill-HcRTggHo.js.map → ToolPill-1aTqYtzp.js.map} +1 -1
- package/dashboard/dist/assets/{ToolTestPanel-Dosq1cqG.js → ToolTestPanel-fLzNp79U.js} +2 -2
- package/dashboard/dist/assets/{ToolTestPanel-Dosq1cqG.js.map → ToolTestPanel-fLzNp79U.js.map} +1 -1
- package/dashboard/dist/assets/TopicDetailPage-D7gCsPKB.js +9 -0
- package/dashboard/dist/assets/TopicDetailPage-D7gCsPKB.js.map +1 -0
- package/dashboard/dist/assets/{TopicsPage-tVPdz-k0.js → TopicsPage-B3Aa8Haz.js} +2 -2
- package/dashboard/dist/assets/{TopicsPage-tVPdz-k0.js.map → TopicsPage-B3Aa8Haz.js.map} +1 -1
- package/dashboard/dist/assets/{UserName-DX7IBjFn.js → UserName-BjHIJWgh.js} +2 -2
- package/dashboard/dist/assets/{UserName-DX7IBjFn.js.map → UserName-BjHIJWgh.js.map} +1 -1
- package/dashboard/dist/assets/{WorkflowExecutionPage-BjC0j9_L.js → WorkflowExecutionPage-BQ7AYlQA.js} +2 -2
- package/dashboard/dist/assets/{WorkflowExecutionPage-BjC0j9_L.js.map → WorkflowExecutionPage-BQ7AYlQA.js.map} +1 -1
- package/dashboard/dist/assets/{WorkflowPill-54px0YiY.js → WorkflowPill-Z-zHRKOK.js} +2 -2
- package/dashboard/dist/assets/{WorkflowPill-54px0YiY.js.map → WorkflowPill-Z-zHRKOK.js.map} +1 -1
- package/dashboard/dist/assets/WorkflowsDashboard-D-G8Xudz.js +2 -0
- package/dashboard/dist/assets/WorkflowsDashboard-D-G8Xudz.js.map +1 -0
- package/dashboard/dist/assets/{WorkflowsOverview-DaJRDkNy.js → WorkflowsOverview-B4DUcVxs.js} +2 -2
- package/dashboard/dist/assets/{WorkflowsOverview-DaJRDkNy.js.map → WorkflowsOverview-B4DUcVxs.js.map} +1 -1
- package/dashboard/dist/assets/{YamlWorkflowsPage-CkpQaUmz.js → YamlWorkflowsPage-CnTNOku0.js} +2 -2
- package/dashboard/dist/assets/{YamlWorkflowsPage-CkpQaUmz.js.map → YamlWorkflowsPage-CnTNOku0.js.map} +1 -1
- package/dashboard/dist/assets/{agents-B-P5MlEx.js → agents-CkvQDr9b.js} +2 -2
- package/dashboard/dist/assets/{agents-B-P5MlEx.js.map → agents-CkvQDr9b.js.map} +1 -1
- package/dashboard/dist/assets/{bots-CZz9iVys.js → bots-CzuMCVgU.js} +2 -2
- package/dashboard/dist/assets/{bots-CZz9iVys.js.map → bots-CzuMCVgU.js.map} +1 -1
- package/dashboard/dist/assets/{capabilities-DrZ8Vw_v.js → capabilities-CbGmS0ty.js} +2 -2
- package/dashboard/dist/assets/{capabilities-DrZ8Vw_v.js.map → capabilities-CbGmS0ty.js.map} +1 -1
- package/dashboard/dist/assets/{controlplane-cj-1c-1C.js → controlplane-DGvwkuYx.js} +2 -2
- package/dashboard/dist/assets/{controlplane-cj-1c-1C.js.map → controlplane-DGvwkuYx.js.map} +1 -1
- package/dashboard/dist/assets/{escalation-BEVFyQnE.js → escalation-B7ysVToF.js} +2 -2
- package/dashboard/dist/assets/{escalation-BEVFyQnE.js.map → escalation-B7ysVToF.js.map} +1 -1
- package/dashboard/dist/assets/{escalation-columns-Beox3TXH.js → escalation-columns-CHQEJU1j.js} +2 -2
- package/dashboard/dist/assets/{escalation-columns-Beox3TXH.js.map → escalation-columns-CHQEJU1j.js.map} +1 -1
- package/dashboard/dist/assets/{helpers-B4gzNq9h.js → helpers-BFOjXa4r.js} +2 -2
- package/dashboard/dist/assets/{helpers-B4gzNq9h.js.map → helpers-BFOjXa4r.js.map} +1 -1
- package/dashboard/dist/assets/index-B9_1AZaG.js +2 -0
- package/dashboard/dist/assets/{index-3n5VREXN.js.map → index-B9_1AZaG.js.map} +1 -1
- package/dashboard/dist/assets/{index-BCQ65lNu.js → index-BFaDxPxA.js} +2 -2
- package/dashboard/dist/assets/{index-BCQ65lNu.js.map → index-BFaDxPxA.js.map} +1 -1
- package/dashboard/dist/assets/index-BduDiGcw.js +15 -0
- package/dashboard/dist/assets/{index-UtAfnStw.js.map → index-BduDiGcw.js.map} +1 -1
- package/dashboard/dist/assets/{index-Bh-PnP17.js → index-BeLphL59.js} +2 -2
- package/dashboard/dist/assets/{index-Bh-PnP17.js.map → index-BeLphL59.js.map} +1 -1
- package/dashboard/dist/assets/index-C--SEsU7.css +1 -0
- package/dashboard/dist/assets/{index-_DfbFHXk.js → index-CRiBkHPb.js} +2 -2
- package/dashboard/dist/assets/{index-_DfbFHXk.js.map → index-CRiBkHPb.js.map} +1 -1
- package/dashboard/dist/assets/{index-DdKbIZNE.js → index-CbrMW-gM.js} +2 -2
- package/dashboard/dist/assets/{index-DdKbIZNE.js.map → index-CbrMW-gM.js.map} +1 -1
- package/dashboard/dist/assets/{index-aJRDh4zW.js → index-CvOGgvzP.js} +2 -2
- package/dashboard/dist/assets/{index-aJRDh4zW.js.map → index-CvOGgvzP.js.map} +1 -1
- package/dashboard/dist/assets/{index-D1MywQ2z.js → index-DDlrQeTj.js} +2 -2
- package/dashboard/dist/assets/{index-D1MywQ2z.js.map → index-DDlrQeTj.js.map} +1 -1
- package/dashboard/dist/assets/{index-BYXiz05a.js → index-DQHmfTPo.js} +2 -2
- package/dashboard/dist/assets/{index-BYXiz05a.js.map → index-DQHmfTPo.js.map} +1 -1
- package/dashboard/dist/assets/{index-BpN31nuC.js → index-_BRA9uFL.js} +25 -25
- package/dashboard/dist/assets/index-_BRA9uFL.js.map +1 -0
- package/dashboard/dist/assets/index-a98qWLB-.js +2 -0
- package/dashboard/dist/assets/index-a98qWLB-.js.map +1 -0
- package/dashboard/dist/assets/index-l_8R6U4r.js +6 -0
- package/dashboard/dist/assets/index-l_8R6U4r.js.map +1 -0
- package/dashboard/dist/assets/{index-D4KGadbW.js → index-v0OQpgXS.js} +2 -2
- package/dashboard/dist/assets/{index-D4KGadbW.js.map → index-v0OQpgXS.js.map} +1 -1
- package/dashboard/dist/assets/{knowledge-DhtKWMON.js → knowledge-BlF8UMrk.js} +2 -2
- package/dashboard/dist/assets/{knowledge-DhtKWMON.js.map → knowledge-BlF8UMrk.js.map} +1 -1
- package/dashboard/dist/assets/{mcp-BXN7-wGF.js → mcp-MtXuky8q.js} +2 -2
- package/dashboard/dist/assets/{mcp-BXN7-wGF.js.map → mcp-MtXuky8q.js.map} +1 -1
- package/dashboard/dist/assets/{mcp-query-BIJP4mQJ.js → mcp-query-DQ-J1Q0K.js} +2 -2
- package/dashboard/dist/assets/{mcp-query-BIJP4mQJ.js.map → mcp-query-DQ-J1Q0K.js.map} +1 -1
- package/dashboard/dist/assets/{namespaces-ne_yDQZX.js → namespaces-DtsT_GoV.js} +2 -2
- package/dashboard/dist/assets/{namespaces-ne_yDQZX.js.map → namespaces-DtsT_GoV.js.map} +1 -1
- package/dashboard/dist/assets/{pipelines-Bcz62DoS.js → pipelines-BjlCm9VH.js} +2 -2
- package/dashboard/dist/assets/{pipelines-Bcz62DoS.js.map → pipelines-BjlCm9VH.js.map} +1 -1
- package/dashboard/dist/assets/{roles-De2CzGCy.js → roles-D-LhJ82d.js} +2 -2
- package/dashboard/dist/assets/{roles-De2CzGCy.js.map → roles-D-LhJ82d.js.map} +1 -1
- package/dashboard/dist/assets/{tasks-4yL5EfxI.js → tasks-BrP_8uEN.js} +2 -2
- package/dashboard/dist/assets/{tasks-4yL5EfxI.js.map → tasks-BrP_8uEN.js.map} +1 -1
- package/dashboard/dist/assets/topics-DUk-zX5D.js +2 -0
- package/dashboard/dist/assets/{topics-DDKHpRwP.js.map → topics-DUk-zX5D.js.map} +1 -1
- package/dashboard/dist/assets/useEventHooks-XNNzwADV.js +2 -0
- package/dashboard/dist/assets/useEventHooks-XNNzwADV.js.map +1 -0
- package/dashboard/dist/assets/{useYamlActivityEvents-Dv6GhDkh.js → useYamlActivityEvents-DANQ5jIY.js} +2 -2
- package/dashboard/dist/assets/{useYamlActivityEvents-Dv6GhDkh.js.map → useYamlActivityEvents-DANQ5jIY.js.map} +1 -1
- package/dashboard/dist/assets/{users-pSMWP58G.js → users-vj0JgOkA.js} +2 -2
- package/dashboard/dist/assets/{users-pSMWP58G.js.map → users-vj0JgOkA.js.map} +1 -1
- package/dashboard/dist/assets/{vendor-icons-CrrAvF2g.js → vendor-icons-Doy0g69_.js} +116 -111
- package/dashboard/dist/assets/vendor-icons-Doy0g69_.js.map +1 -0
- package/dashboard/dist/assets/{workflows-COYPOe2I.js → workflows-CmqgGPzI.js} +2 -2
- package/dashboard/dist/assets/{workflows-COYPOe2I.js.map → workflows-CmqgGPzI.js.map} +1 -1
- package/dashboard/dist/assets/{yaml-workflows-1dF3ig6u.js → yaml-workflows-DNFyjBXH.js} +2 -2
- package/dashboard/dist/assets/{yaml-workflows-1dF3ig6u.js.map → yaml-workflows-DNFyjBXH.js.map} +1 -1
- package/dashboard/dist/index.html +3 -3
- package/docs/api/http/controlplane.md +1 -1
- package/docs/api/http/mcp-endpoint.md +133 -0
- package/docs/api/http/roles.md +46 -0
- package/docs/api/http/service-accounts.md +15 -0
- package/docs/api/http/settings.md +6 -0
- package/docs/api/mcp/admin.md +1187 -0
- package/docs/api/mcp/claude-code.md +47 -0
- package/docs/api/mcp/docs.md +54 -0
- package/docs/api/mcp/events.md +80 -0
- package/docs/api/mcp/file-storage.md +76 -0
- package/docs/api/mcp/http-fetch.md +64 -0
- package/docs/api/mcp/human-queue.md +101 -0
- package/docs/api/mcp/index.md +52 -0
- package/docs/api/mcp/knowledge.md +125 -0
- package/docs/api/mcp/oauth.md +62 -0
- package/docs/api/mcp/schema-exchange.md +56 -0
- package/docs/api/mcp/translation.md +28 -0
- package/docs/api/mcp/vision.md +46 -0
- package/docs/api/sdk/settings.md +3 -1
- package/docs/auth.md +109 -0
- package/docs/dashboard.md +1 -1
- package/package.json +1 -1
- package/build/system/mcp-servers/playwright/browser-lifecycle.d.ts +0 -26
- package/build/system/mcp-servers/playwright/browser-lifecycle.js +0 -125
- package/build/system/mcp-servers/playwright/index.d.ts +0 -25
- package/build/system/mcp-servers/playwright/index.js +0 -42
- package/build/system/mcp-servers/playwright/schemas.d.ts +0 -394
- package/build/system/mcp-servers/playwright/schemas.js +0 -90
- package/build/system/mcp-servers/playwright/tools-atomic.d.ts +0 -2
- package/build/system/mcp-servers/playwright/tools-atomic.js +0 -9
- package/build/system/mcp-servers/playwright/tools-navigation.d.ts +0 -2
- package/build/system/mcp-servers/playwright/tools-navigation.js +0 -153
- package/build/system/mcp-servers/playwright/tools-page-interaction.d.ts +0 -2
- package/build/system/mcp-servers/playwright/tools-page-interaction.js +0 -162
- package/build/system/mcp-servers/playwright/tools-run-script.d.ts +0 -2
- package/build/system/mcp-servers/playwright/tools-run-script.js +0 -207
- package/build/system/mcp-servers/playwright/types.d.ts +0 -8
- package/build/system/mcp-servers/playwright/types.js +0 -30
- package/build/system/mcp-servers/playwright/vision-helper.d.ts +0 -12
- package/build/system/mcp-servers/playwright/vision-helper.js +0 -81
- package/build/system/mcp-servers/playwright-cli/helpers.d.ts +0 -11
- package/build/system/mcp-servers/playwright-cli/helpers.js +0 -20
- package/build/system/mcp-servers/playwright-cli/index.d.ts +0 -4
- package/build/system/mcp-servers/playwright-cli/index.js +0 -15
- package/build/system/mcp-servers/playwright-cli/schemas.d.ts +0 -219
- package/build/system/mcp-servers/playwright-cli/schemas.js +0 -75
- package/build/system/mcp-servers/playwright-cli/tools-auth.d.ts +0 -2
- package/build/system/mcp-servers/playwright-cli/tools-auth.js +0 -183
- package/build/system/mcp-servers/playwright-cli/tools-capture.d.ts +0 -2
- package/build/system/mcp-servers/playwright-cli/tools-capture.js +0 -273
- package/build/system/seed/tool-manifests-browser.d.ts +0 -577
- package/build/system/seed/tool-manifests-browser.js +0 -158
- package/dashboard/dist/assets/AgentConfigPage-DBtvb2x5.js +0 -16
- package/dashboard/dist/assets/AgentConfigPage-DBtvb2x5.js.map +0 -1
- package/dashboard/dist/assets/AgentDetailPage-3mZA7SOb.js.map +0 -1
- package/dashboard/dist/assets/AvailableEscalationsPage-CA9x9o5s.js +0 -2
- package/dashboard/dist/assets/BotPicker-BQp_Vs73.js +0 -2
- package/dashboard/dist/assets/CronLabel-DY8VdTS9.js +0 -2
- package/dashboard/dist/assets/CronLabel-DY8VdTS9.js.map +0 -1
- package/dashboard/dist/assets/ElapsedCell-BPYm8RA7.js +0 -2
- package/dashboard/dist/assets/EventTopicPill-CCWCs07y.js +0 -2
- package/dashboard/dist/assets/EventTopicPill-CCWCs07y.js.map +0 -1
- package/dashboard/dist/assets/HomePage-CwRebzmO.js +0 -2
- package/dashboard/dist/assets/HomePage-CwRebzmO.js.map +0 -1
- package/dashboard/dist/assets/ListToolbar-DEef1_-T.js +0 -2
- package/dashboard/dist/assets/McpRunDetailPage-X0sfRFTk.js +0 -2
- package/dashboard/dist/assets/McpRunDetailPage-X0sfRFTk.js.map +0 -1
- package/dashboard/dist/assets/McpRunsPage-aZg057y3.js +0 -2
- package/dashboard/dist/assets/OperatorDashboard-iZEHnndU.js +0 -2
- package/dashboard/dist/assets/OperatorDashboard-iZEHnndU.js.map +0 -1
- package/dashboard/dist/assets/ServerName-Q6okiv4f.js +0 -2
- package/dashboard/dist/assets/TopicDetailPage-DW97-YHQ.js +0 -9
- package/dashboard/dist/assets/TopicDetailPage-DW97-YHQ.js.map +0 -1
- package/dashboard/dist/assets/WorkflowsDashboard-eCH4gpAk.js +0 -2
- package/dashboard/dist/assets/WorkflowsDashboard-eCH4gpAk.js.map +0 -1
- package/dashboard/dist/assets/index-3n5VREXN.js +0 -2
- package/dashboard/dist/assets/index-BAXzN-QB.js +0 -6
- package/dashboard/dist/assets/index-BAXzN-QB.js.map +0 -1
- package/dashboard/dist/assets/index-BpN31nuC.js.map +0 -1
- package/dashboard/dist/assets/index-C37LMzJa.css +0 -1
- package/dashboard/dist/assets/index-C5dHozmW.js +0 -2
- package/dashboard/dist/assets/index-C5dHozmW.js.map +0 -1
- package/dashboard/dist/assets/index-UtAfnStw.js +0 -15
- package/dashboard/dist/assets/topics-DDKHpRwP.js +0 -2
- package/dashboard/dist/assets/useEventHooks-NzIyvoGY.js +0 -2
- package/dashboard/dist/assets/useEventHooks-NzIyvoGY.js.map +0 -1
- package/dashboard/dist/assets/vendor-icons-CrrAvF2g.js.map +0 -1
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Unified MCP server for external clients.
|
|
3
|
+
*
|
|
4
|
+
* Aggregates tools from all shipped built-in servers into a single
|
|
5
|
+
* McpServer instance that can be connected to a StreamableHTTPServerTransport.
|
|
6
|
+
* Created per-request in stateless mode (pure in-memory, no IO).
|
|
7
|
+
*/
|
|
8
|
+
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
9
|
+
import type { ExposureConfig } from './exposure';
|
|
10
|
+
/**
|
|
11
|
+
* Create a unified McpServer with tools from all qualifying shipped servers.
|
|
12
|
+
* Called per-request in stateless mode. Server instances are cached; only
|
|
13
|
+
* the McpServer wrapper and tool registrations are fresh (pure in-memory).
|
|
14
|
+
*/
|
|
15
|
+
export declare function createUnifiedMcpServer(exposure?: ExposureConfig, callerScopes?: string[]): Promise<McpServer>;
|
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Unified MCP server for external clients.
|
|
4
|
+
*
|
|
5
|
+
* Aggregates tools from all shipped built-in servers into a single
|
|
6
|
+
* McpServer instance that can be connected to a StreamableHTTPServerTransport.
|
|
7
|
+
* Created per-request in stateless mode (pure in-memory, no IO).
|
|
8
|
+
*/
|
|
9
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
+
exports.createUnifiedMcpServer = createUnifiedMcpServer;
|
|
11
|
+
const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
|
|
12
|
+
const logger_1 = require("../../lib/logger");
|
|
13
|
+
const system_1 = require("../../system");
|
|
14
|
+
// ── Shipped server allowlist ─────────────────────────────────────────────────
|
|
15
|
+
// Only these servers are exposed via the /mcp endpoint.
|
|
16
|
+
// Example servers (playwright, gmail, image-tools) are excluded.
|
|
17
|
+
const SHIPPED_SERVERS = new Set([
|
|
18
|
+
'long-tail-admin',
|
|
19
|
+
'long-tail-human-queue',
|
|
20
|
+
'long-tail-file-storage',
|
|
21
|
+
'long-tail-http-fetch',
|
|
22
|
+
'long-tail-schema-exchange',
|
|
23
|
+
'long-tail-oauth',
|
|
24
|
+
'long-tail-knowledge',
|
|
25
|
+
'long-tail-docs',
|
|
26
|
+
'long-tail-events',
|
|
27
|
+
'long-tail-vision',
|
|
28
|
+
'long-tail-translation',
|
|
29
|
+
'long-tail-claude-code',
|
|
30
|
+
]);
|
|
31
|
+
// ── Server instance cache ────────────────────────────────────────────────────
|
|
32
|
+
// Built-in servers are lazily created once and reused across requests.
|
|
33
|
+
// Tool handlers are stateless — safe to share.
|
|
34
|
+
const serverCache = new Map();
|
|
35
|
+
async function getOrCreateServer(name) {
|
|
36
|
+
if (serverCache.has(name))
|
|
37
|
+
return serverCache.get(name);
|
|
38
|
+
const entry = system_1.builtinMcpServerFactories[name];
|
|
39
|
+
if (!entry)
|
|
40
|
+
return null;
|
|
41
|
+
const server = await entry.factory();
|
|
42
|
+
serverCache.set(name, server);
|
|
43
|
+
return server;
|
|
44
|
+
}
|
|
45
|
+
// ── Exposure filtering ───────────────────────────────────────────────────────
|
|
46
|
+
function isServerAllowed(name, exposure) {
|
|
47
|
+
if (!SHIPPED_SERVERS.has(name))
|
|
48
|
+
return false;
|
|
49
|
+
if (exposure?.allowServers?.length) {
|
|
50
|
+
if (!exposure.allowServers.includes(name))
|
|
51
|
+
return false;
|
|
52
|
+
}
|
|
53
|
+
if (exposure?.denyServers?.length) {
|
|
54
|
+
if (exposure.denyServers.includes(name))
|
|
55
|
+
return false;
|
|
56
|
+
}
|
|
57
|
+
if (exposure?.hideAiWhenUnavailable !== false) {
|
|
58
|
+
const config = system_1.builtinMcpServerFactories[name]?.config;
|
|
59
|
+
if (config?.aiRequired) {
|
|
60
|
+
const hasKey = !!(process.env.OPENAI_API_KEY || process.env.ANTHROPIC_API_KEY);
|
|
61
|
+
if (!hasKey)
|
|
62
|
+
return false;
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
return true;
|
|
66
|
+
}
|
|
67
|
+
function isToolAllowed(toolName, serverName, exposure, callerScopes) {
|
|
68
|
+
// Per-caller scope filtering: mcp:read callers only see read_safe tools
|
|
69
|
+
const isReadOnly = exposure?.readOnly
|
|
70
|
+
|| (callerScopes?.length && callerScopes.includes('mcp:read') && !callerScopes.includes('mcp:full'));
|
|
71
|
+
if (!isReadOnly)
|
|
72
|
+
return true;
|
|
73
|
+
// Check read_safe in the tool manifest
|
|
74
|
+
const config = system_1.builtinMcpServerFactories[serverName]?.config;
|
|
75
|
+
const manifest = config?.toolManifest;
|
|
76
|
+
if (!manifest)
|
|
77
|
+
return true; // no manifest = allow (conservative)
|
|
78
|
+
const entry = manifest.find((t) => t.name === toolName);
|
|
79
|
+
return entry?.read_safe !== false; // allow if read_safe is true or absent
|
|
80
|
+
}
|
|
81
|
+
// ── Unified server creation ──────────────────────────────────────────────────
|
|
82
|
+
/**
|
|
83
|
+
* Create a unified McpServer with tools from all qualifying shipped servers.
|
|
84
|
+
* Called per-request in stateless mode. Server instances are cached; only
|
|
85
|
+
* the McpServer wrapper and tool registrations are fresh (pure in-memory).
|
|
86
|
+
*/
|
|
87
|
+
async function createUnifiedMcpServer(exposure, callerScopes) {
|
|
88
|
+
const unified = new mcp_js_1.McpServer({ name: 'long-tail', version: '1.0.0' });
|
|
89
|
+
const registered = new Set();
|
|
90
|
+
for (const [name, entry] of Object.entries(system_1.builtinMcpServerFactories)) {
|
|
91
|
+
if (!isServerAllowed(name, exposure))
|
|
92
|
+
continue;
|
|
93
|
+
const server = await getOrCreateServer(name);
|
|
94
|
+
if (!server)
|
|
95
|
+
continue;
|
|
96
|
+
const tools = server._registeredTools;
|
|
97
|
+
if (!tools)
|
|
98
|
+
continue;
|
|
99
|
+
for (const [toolName, tool] of Object.entries(tools)) {
|
|
100
|
+
if (!tool?.handler || !tool.enabled)
|
|
101
|
+
continue;
|
|
102
|
+
if (!isToolAllowed(toolName, name, exposure, callerScopes))
|
|
103
|
+
continue;
|
|
104
|
+
// Deduplicate: prefix with server short name on collision
|
|
105
|
+
let finalName = toolName;
|
|
106
|
+
if (registered.has(toolName)) {
|
|
107
|
+
const prefix = name.replace('long-tail-', '').replace(/-/g, '_');
|
|
108
|
+
finalName = `${prefix}_${toolName}`;
|
|
109
|
+
if (registered.has(finalName))
|
|
110
|
+
continue; // still a collision — skip
|
|
111
|
+
}
|
|
112
|
+
registered.add(finalName);
|
|
113
|
+
// Re-register the tool handler on the unified server.
|
|
114
|
+
// Use the low-level `tool()` API since we already have the parsed handler.
|
|
115
|
+
unified.registerTool(finalName, {
|
|
116
|
+
title: tool.title,
|
|
117
|
+
description: tool.description,
|
|
118
|
+
inputSchema: tool.inputSchema,
|
|
119
|
+
annotations: tool.annotations,
|
|
120
|
+
}, tool.handler);
|
|
121
|
+
}
|
|
122
|
+
}
|
|
123
|
+
logger_1.loggerRegistry.info(`[lt-mcp:endpoint] unified server ready (${registered.size} tools)`);
|
|
124
|
+
return unified;
|
|
125
|
+
}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Seed the MCP service account at startup.
|
|
3
|
+
*
|
|
4
|
+
* Creates a single `mcp-service` bot account with two API keys:
|
|
5
|
+
* - `mcp:read` — read-safe tools only (discovery, monitoring)
|
|
6
|
+
* - `mcp:full` — all tools (automation, orchestration)
|
|
7
|
+
*
|
|
8
|
+
* Idempotent — skips creation if the account already exists.
|
|
9
|
+
* Keys are generated once and logged; they cannot be retrieved again.
|
|
10
|
+
*/
|
|
11
|
+
export declare function seedMcpServiceAccount(): Promise<void>;
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Seed the MCP service account at startup.
|
|
4
|
+
*
|
|
5
|
+
* Creates a single `mcp-service` bot account with two API keys:
|
|
6
|
+
* - `mcp:read` — read-safe tools only (discovery, monitoring)
|
|
7
|
+
* - `mcp:full` — all tools (automation, orchestration)
|
|
8
|
+
*
|
|
9
|
+
* Idempotent — skips creation if the account already exists.
|
|
10
|
+
* Keys are generated once and logged; they cannot be retrieved again.
|
|
11
|
+
*/
|
|
12
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
13
|
+
if (k2 === undefined) k2 = k;
|
|
14
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
15
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
16
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
17
|
+
}
|
|
18
|
+
Object.defineProperty(o, k2, desc);
|
|
19
|
+
}) : (function(o, m, k, k2) {
|
|
20
|
+
if (k2 === undefined) k2 = k;
|
|
21
|
+
o[k2] = m[k];
|
|
22
|
+
}));
|
|
23
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
24
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
25
|
+
}) : function(o, v) {
|
|
26
|
+
o["default"] = v;
|
|
27
|
+
});
|
|
28
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
29
|
+
var ownKeys = function(o) {
|
|
30
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
31
|
+
var ar = [];
|
|
32
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
33
|
+
return ar;
|
|
34
|
+
};
|
|
35
|
+
return ownKeys(o);
|
|
36
|
+
};
|
|
37
|
+
return function (mod) {
|
|
38
|
+
if (mod && mod.__esModule) return mod;
|
|
39
|
+
var result = {};
|
|
40
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
41
|
+
__setModuleDefault(result, mod);
|
|
42
|
+
return result;
|
|
43
|
+
};
|
|
44
|
+
})();
|
|
45
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
46
|
+
exports.seedMcpServiceAccount = seedMcpServiceAccount;
|
|
47
|
+
const logger_1 = require("../../lib/logger");
|
|
48
|
+
const crud_1 = require("../user/crud");
|
|
49
|
+
const iam = __importStar(require("../iam"));
|
|
50
|
+
const SERVICE_ACCOUNT_NAME = 'mcp-service';
|
|
51
|
+
async function seedMcpServiceAccount() {
|
|
52
|
+
try {
|
|
53
|
+
// Check if account already exists (bot external_id = name)
|
|
54
|
+
const existing = await (0, crud_1.getUserByExternalId)(SERVICE_ACCOUNT_NAME);
|
|
55
|
+
if (existing) {
|
|
56
|
+
logger_1.loggerRegistry.info(`[seed-mcp] ${SERVICE_ACCOUNT_NAME} already exists, skipping`);
|
|
57
|
+
return;
|
|
58
|
+
}
|
|
59
|
+
// Create the service account
|
|
60
|
+
const bot = await iam.createBot({
|
|
61
|
+
name: SERVICE_ACCOUNT_NAME,
|
|
62
|
+
description: 'MCP service account for external tool access. Use the read key to explore, full key to automate.',
|
|
63
|
+
display_name: 'MCP Service',
|
|
64
|
+
roles: [{ role: 'system', type: 'member' }],
|
|
65
|
+
});
|
|
66
|
+
// Generate read key (scoped to mcp:read)
|
|
67
|
+
const readKey = await iam.createBotKey(bot.id, 'read', ['mcp:read']);
|
|
68
|
+
logger_1.loggerRegistry.info(`[seed-mcp] read key: ${readKey.rawKey}`);
|
|
69
|
+
// Generate full key (scoped to mcp:full)
|
|
70
|
+
const fullKey = await iam.createBotKey(bot.id, 'full', ['mcp:read', 'mcp:full']);
|
|
71
|
+
logger_1.loggerRegistry.info(`[seed-mcp] full key: ${fullKey.rawKey}`);
|
|
72
|
+
logger_1.loggerRegistry.info(`[seed-mcp] ${SERVICE_ACCOUNT_NAME} created with read + full API keys`);
|
|
73
|
+
}
|
|
74
|
+
catch (err) {
|
|
75
|
+
logger_1.loggerRegistry.warn(`[seed-mcp] failed to seed: ${err.message}`);
|
|
76
|
+
}
|
|
77
|
+
}
|
|
@@ -21,7 +21,7 @@ export declare function removeEscalationChain(sourceRole: string, targetRole: st
|
|
|
21
21
|
export declare function replaceEscalationTargets(sourceRole: string, targets: string[]): Promise<void>;
|
|
22
22
|
/**
|
|
23
23
|
* Check whether a user can escalate from sourceRole to targetRole.
|
|
24
|
-
* Superadmins can escalate to any role.
|
|
24
|
+
* Superadmins and admin/admin can escalate to any role.
|
|
25
25
|
* Others must hold the sourceRole AND the chain must exist.
|
|
26
26
|
*/
|
|
27
27
|
export declare function canEscalateTo(userId: string, sourceRole: string, targetRole: string): Promise<boolean>;
|
|
@@ -74,11 +74,11 @@ async function replaceEscalationTargets(sourceRole, targets) {
|
|
|
74
74
|
}
|
|
75
75
|
/**
|
|
76
76
|
* Check whether a user can escalate from sourceRole to targetRole.
|
|
77
|
-
* Superadmins can escalate to any role.
|
|
77
|
+
* Superadmins and admin/admin can escalate to any role.
|
|
78
78
|
* Others must hold the sourceRole AND the chain must exist.
|
|
79
79
|
*/
|
|
80
80
|
async function canEscalateTo(userId, sourceRole, targetRole) {
|
|
81
|
-
if (await (0, user_1.
|
|
81
|
+
if (await (0, user_1.hasGlobalEscalationAccess)(userId))
|
|
82
82
|
return true;
|
|
83
83
|
if (!(await (0, user_1.hasRole)(userId, sourceRole)))
|
|
84
84
|
return false;
|
|
@@ -19,7 +19,7 @@ function objectSchema(properties) {
|
|
|
19
19
|
const SYSTEM_TOPICS = [
|
|
20
20
|
// Task lifecycle
|
|
21
21
|
{
|
|
22
|
-
topic: 'task
|
|
22
|
+
topic: 'system.task.*.created',
|
|
23
23
|
description: 'A new task has been created and queued for execution.',
|
|
24
24
|
category: 'task',
|
|
25
25
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, taskId: { type: 'string', description: 'Task ID' }, status: STATUS_FIELD, data: { type: 'object', description: 'Task input data' } }),
|
|
@@ -27,7 +27,7 @@ const SYSTEM_TOPICS = [
|
|
|
27
27
|
tags: ['lifecycle', 'core'],
|
|
28
28
|
},
|
|
29
29
|
{
|
|
30
|
-
topic: 'task
|
|
30
|
+
topic: 'system.task.*.started',
|
|
31
31
|
description: 'A task has begun execution.',
|
|
32
32
|
category: 'task',
|
|
33
33
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, taskId: { type: 'string' }, status: STATUS_FIELD }),
|
|
@@ -35,7 +35,7 @@ const SYSTEM_TOPICS = [
|
|
|
35
35
|
tags: ['lifecycle', 'core'],
|
|
36
36
|
},
|
|
37
37
|
{
|
|
38
|
-
topic: 'task
|
|
38
|
+
topic: 'system.task.*.completed',
|
|
39
39
|
description: 'A task has finished successfully.',
|
|
40
40
|
category: 'task',
|
|
41
41
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, taskId: { type: 'string' }, status: STATUS_FIELD, milestones: { type: 'array', items: { type: 'object' }, description: 'Milestones reported' }, data: { type: 'object', description: 'Task result data' } }),
|
|
@@ -43,7 +43,7 @@ const SYSTEM_TOPICS = [
|
|
|
43
43
|
tags: ['lifecycle', 'core'],
|
|
44
44
|
},
|
|
45
45
|
{
|
|
46
|
-
topic: 'task
|
|
46
|
+
topic: 'system.task.*.escalated',
|
|
47
47
|
description: 'A task has been escalated for human review.',
|
|
48
48
|
category: 'task',
|
|
49
49
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, taskId: { type: 'string' }, status: STATUS_FIELD, data: { type: 'object' } }),
|
|
@@ -51,7 +51,7 @@ const SYSTEM_TOPICS = [
|
|
|
51
51
|
tags: ['lifecycle', 'escalation'],
|
|
52
52
|
},
|
|
53
53
|
{
|
|
54
|
-
topic: 'task
|
|
54
|
+
topic: 'system.task.*.failed',
|
|
55
55
|
description: 'A task has failed execution.',
|
|
56
56
|
category: 'task',
|
|
57
57
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, taskId: { type: 'string' }, status: STATUS_FIELD, data: { type: 'object', description: 'Error details' } }),
|
|
@@ -60,7 +60,7 @@ const SYSTEM_TOPICS = [
|
|
|
60
60
|
},
|
|
61
61
|
// Workflow lifecycle
|
|
62
62
|
{
|
|
63
|
-
topic: 'workflow
|
|
63
|
+
topic: 'system.workflow.*.started',
|
|
64
64
|
description: 'A workflow execution has started.',
|
|
65
65
|
category: 'workflow',
|
|
66
66
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, taskId: { type: 'string' }, status: STATUS_FIELD }),
|
|
@@ -68,7 +68,7 @@ const SYSTEM_TOPICS = [
|
|
|
68
68
|
tags: ['lifecycle', 'core'],
|
|
69
69
|
},
|
|
70
70
|
{
|
|
71
|
-
topic: 'workflow
|
|
71
|
+
topic: 'system.workflow.*.completed',
|
|
72
72
|
description: 'A workflow execution has completed successfully.',
|
|
73
73
|
category: 'workflow',
|
|
74
74
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, taskId: { type: 'string' }, status: STATUS_FIELD, data: { type: 'object' } }),
|
|
@@ -76,7 +76,7 @@ const SYSTEM_TOPICS = [
|
|
|
76
76
|
tags: ['lifecycle', 'core'],
|
|
77
77
|
},
|
|
78
78
|
{
|
|
79
|
-
topic: 'workflow
|
|
79
|
+
topic: 'system.workflow.*.failed',
|
|
80
80
|
description: 'A workflow execution has failed.',
|
|
81
81
|
category: 'workflow',
|
|
82
82
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, taskId: { type: 'string' }, status: STATUS_FIELD, data: { type: 'object', description: 'Error details' } }),
|
|
@@ -85,7 +85,7 @@ const SYSTEM_TOPICS = [
|
|
|
85
85
|
},
|
|
86
86
|
// Escalation lifecycle
|
|
87
87
|
{
|
|
88
|
-
topic: 'escalation
|
|
88
|
+
topic: 'system.escalation.*.created',
|
|
89
89
|
description: 'A new escalation has been created for human review.',
|
|
90
90
|
category: 'escalation',
|
|
91
91
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, escalationId: { type: 'string' }, status: STATUS_FIELD, data: { type: 'object' } }),
|
|
@@ -93,7 +93,7 @@ const SYSTEM_TOPICS = [
|
|
|
93
93
|
tags: ['lifecycle', 'hitl'],
|
|
94
94
|
},
|
|
95
95
|
{
|
|
96
|
-
topic: 'escalation
|
|
96
|
+
topic: 'system.escalation.*.resolved',
|
|
97
97
|
description: 'An escalation has been resolved by a human operator.',
|
|
98
98
|
category: 'escalation',
|
|
99
99
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, escalationId: { type: 'string' }, status: STATUS_FIELD, data: { type: 'object' } }),
|
|
@@ -101,7 +101,7 @@ const SYSTEM_TOPICS = [
|
|
|
101
101
|
tags: ['lifecycle', 'hitl'],
|
|
102
102
|
},
|
|
103
103
|
{
|
|
104
|
-
topic: 'escalation
|
|
104
|
+
topic: 'system.escalation.*.claimed',
|
|
105
105
|
description: 'An escalation has been claimed by an operator.',
|
|
106
106
|
category: 'escalation',
|
|
107
107
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, escalationId: { type: 'string' }, status: STATUS_FIELD }),
|
|
@@ -109,7 +109,7 @@ const SYSTEM_TOPICS = [
|
|
|
109
109
|
tags: ['lifecycle', 'hitl'],
|
|
110
110
|
},
|
|
111
111
|
{
|
|
112
|
-
topic: 'escalation
|
|
112
|
+
topic: 'system.escalation.*.released',
|
|
113
113
|
description: 'An escalation has been released back to the queue.',
|
|
114
114
|
category: 'escalation',
|
|
115
115
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, escalationId: { type: 'string' }, status: STATUS_FIELD }),
|
|
@@ -118,7 +118,7 @@ const SYSTEM_TOPICS = [
|
|
|
118
118
|
},
|
|
119
119
|
// Activity lifecycle
|
|
120
120
|
{
|
|
121
|
-
topic: 'activity
|
|
121
|
+
topic: 'system.activity.*.*.started',
|
|
122
122
|
description: 'A YAML workflow activity step has started.',
|
|
123
123
|
category: 'activity',
|
|
124
124
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, activityName: { type: 'string', description: 'Activity step name' } }),
|
|
@@ -126,7 +126,7 @@ const SYSTEM_TOPICS = [
|
|
|
126
126
|
tags: ['lifecycle', 'yaml'],
|
|
127
127
|
},
|
|
128
128
|
{
|
|
129
|
-
topic: 'activity
|
|
129
|
+
topic: 'system.activity.*.*.completed',
|
|
130
130
|
description: 'A YAML workflow activity step has completed.',
|
|
131
131
|
category: 'activity',
|
|
132
132
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, activityName: { type: 'string' }, data: { type: 'object' } }),
|
|
@@ -134,7 +134,7 @@ const SYSTEM_TOPICS = [
|
|
|
134
134
|
tags: ['lifecycle', 'yaml'],
|
|
135
135
|
},
|
|
136
136
|
{
|
|
137
|
-
topic: 'activity
|
|
137
|
+
topic: 'system.activity.*.*.failed',
|
|
138
138
|
description: 'A YAML workflow activity step has failed.',
|
|
139
139
|
category: 'activity',
|
|
140
140
|
payload_schema: objectSchema({ ...WORKFLOW_CONTEXT_PROPS, activityName: { type: 'string' }, data: { type: 'object', description: 'Error details' } }),
|
|
@@ -143,7 +143,7 @@ const SYSTEM_TOPICS = [
|
|
|
143
143
|
},
|
|
144
144
|
// Knowledge lifecycle
|
|
145
145
|
{
|
|
146
|
-
topic: 'knowledge
|
|
146
|
+
topic: 'system.knowledge.*.stored',
|
|
147
147
|
description: 'A knowledge entry has been written to the knowledge store.',
|
|
148
148
|
category: 'knowledge',
|
|
149
149
|
payload_schema: objectSchema({ domain: { type: 'string', description: 'Knowledge domain' }, key: { type: 'string', description: 'Knowledge entry key' } }),
|
|
@@ -151,7 +151,7 @@ const SYSTEM_TOPICS = [
|
|
|
151
151
|
tags: ['lifecycle', 'knowledge'],
|
|
152
152
|
},
|
|
153
153
|
{
|
|
154
|
-
topic: 'knowledge
|
|
154
|
+
topic: 'system.knowledge.*.deleted',
|
|
155
155
|
description: 'A knowledge entry has been removed from the knowledge store.',
|
|
156
156
|
category: 'knowledge',
|
|
157
157
|
payload_schema: objectSchema({ domain: { type: 'string', description: 'Knowledge domain' }, key: { type: 'string', description: 'Knowledge entry key' } }),
|
|
@@ -160,7 +160,7 @@ const SYSTEM_TOPICS = [
|
|
|
160
160
|
},
|
|
161
161
|
// File storage
|
|
162
162
|
{
|
|
163
|
-
topic: 'file.stored',
|
|
163
|
+
topic: 'system.file.stored',
|
|
164
164
|
description: 'A file has been written to storage.',
|
|
165
165
|
category: 'file',
|
|
166
166
|
payload_schema: objectSchema({
|
|
@@ -175,7 +175,7 @@ const SYSTEM_TOPICS = [
|
|
|
175
175
|
tags: ['lifecycle', 'file', 'storage'],
|
|
176
176
|
},
|
|
177
177
|
{
|
|
178
|
-
topic: 'file.deleted',
|
|
178
|
+
topic: 'system.file.deleted',
|
|
179
179
|
description: 'A file has been removed from storage.',
|
|
180
180
|
category: 'file',
|
|
181
181
|
payload_schema: objectSchema({
|
|
@@ -189,7 +189,7 @@ const SYSTEM_TOPICS = [
|
|
|
189
189
|
},
|
|
190
190
|
// Agent lifecycle
|
|
191
191
|
{
|
|
192
|
-
topic: 'agent
|
|
192
|
+
topic: 'system.agent.*.started',
|
|
193
193
|
description: 'An agent reaction workflow has started in response to an event.',
|
|
194
194
|
category: 'agent',
|
|
195
195
|
payload_schema: objectSchema({ agentId: { type: 'string', description: 'Agent ID' }, agentName: { type: 'string', description: 'Agent name' }, status: STATUS_FIELD, data: { type: 'object', description: 'Trigger context' } }),
|
|
@@ -197,7 +197,7 @@ const SYSTEM_TOPICS = [
|
|
|
197
197
|
tags: ['lifecycle', 'agent'],
|
|
198
198
|
},
|
|
199
199
|
{
|
|
200
|
-
topic: 'agent
|
|
200
|
+
topic: 'system.agent.*.completed',
|
|
201
201
|
description: 'An agent reaction workflow has completed successfully.',
|
|
202
202
|
category: 'agent',
|
|
203
203
|
payload_schema: objectSchema({ agentId: { type: 'string' }, agentName: { type: 'string' }, status: STATUS_FIELD, data: { type: 'object' } }),
|
|
@@ -205,7 +205,7 @@ const SYSTEM_TOPICS = [
|
|
|
205
205
|
tags: ['lifecycle', 'agent'],
|
|
206
206
|
},
|
|
207
207
|
{
|
|
208
|
-
topic: 'agent
|
|
208
|
+
topic: 'system.agent.*.failed',
|
|
209
209
|
description: 'An agent reaction workflow has failed.',
|
|
210
210
|
category: 'agent',
|
|
211
211
|
payload_schema: objectSchema({ agentId: { type: 'string' }, agentName: { type: 'string' }, status: STATUS_FIELD, data: { type: 'object', description: 'Error details' } }),
|
|
@@ -213,7 +213,7 @@ const SYSTEM_TOPICS = [
|
|
|
213
213
|
tags: ['lifecycle', 'agent', 'error'],
|
|
214
214
|
},
|
|
215
215
|
{
|
|
216
|
-
topic: 'agent
|
|
216
|
+
topic: 'system.agent.*.status_changed',
|
|
217
217
|
description: 'An agent\'s status has changed (activated, paused, errored).',
|
|
218
218
|
category: 'agent',
|
|
219
219
|
payload_schema: objectSchema({ agentId: { type: 'string' }, agentName: { type: 'string' }, status: STATUS_FIELD }),
|
|
@@ -222,7 +222,7 @@ const SYSTEM_TOPICS = [
|
|
|
222
222
|
},
|
|
223
223
|
// Milestone
|
|
224
224
|
{
|
|
225
|
-
topic: 'milestone',
|
|
225
|
+
topic: 'system.milestone.*',
|
|
226
226
|
description: 'A workflow or activity has reported progress milestones.',
|
|
227
227
|
category: 'milestone',
|
|
228
228
|
payload_schema: objectSchema({
|
|
@@ -240,7 +240,11 @@ const SYSTEM_TOPICS = [
|
|
|
240
240
|
* `app.*` → 'app', everything else → first segment.
|
|
241
241
|
*/
|
|
242
242
|
function inferCategory(topic) {
|
|
243
|
-
|
|
243
|
+
if (topic.startsWith('app.'))
|
|
244
|
+
return 'app';
|
|
245
|
+
if (topic.startsWith('system.'))
|
|
246
|
+
return topic.split('.')[1]; // system.workflow.* → 'workflow'
|
|
247
|
+
return topic.split('.')[0];
|
|
244
248
|
}
|
|
245
249
|
/**
|
|
246
250
|
* Seed all 22 built-in system topics into the catalog.
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
export { CreateUserInput, UpdateUserInput, VALID_ROLE_TYPES } from './types';
|
|
2
2
|
export { createUser, getUser, getUserByExternalId, getUserByEmail, updateUser, deleteUser, listUsers, } from './crud';
|
|
3
3
|
export { isValidRoleType, addUserRole, removeUserRole, getUserRoles, hasRole, hasRoleType, } from './roles';
|
|
4
|
-
export { isSuperAdmin, isGroupAdmin, canManageRole } from './rbac';
|
|
4
|
+
export { isSuperAdmin, isGroupAdmin, canManageRole, hasGlobalEscalationAccess } from './rbac';
|
|
5
5
|
export { verifyPassword } from './auth';
|
|
6
6
|
export { seedAdmin } from './seed-admin';
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.seedAdmin = exports.verifyPassword = exports.canManageRole = exports.isGroupAdmin = exports.isSuperAdmin = exports.hasRoleType = exports.hasRole = exports.getUserRoles = exports.removeUserRole = exports.addUserRole = exports.isValidRoleType = exports.listUsers = exports.deleteUser = exports.updateUser = exports.getUserByEmail = exports.getUserByExternalId = exports.getUser = exports.createUser = exports.VALID_ROLE_TYPES = void 0;
|
|
3
|
+
exports.seedAdmin = exports.verifyPassword = exports.hasGlobalEscalationAccess = exports.canManageRole = exports.isGroupAdmin = exports.isSuperAdmin = exports.hasRoleType = exports.hasRole = exports.getUserRoles = exports.removeUserRole = exports.addUserRole = exports.isValidRoleType = exports.listUsers = exports.deleteUser = exports.updateUser = exports.getUserByEmail = exports.getUserByExternalId = exports.getUser = exports.createUser = exports.VALID_ROLE_TYPES = void 0;
|
|
4
4
|
var types_1 = require("./types");
|
|
5
5
|
Object.defineProperty(exports, "VALID_ROLE_TYPES", { enumerable: true, get: function () { return types_1.VALID_ROLE_TYPES; } });
|
|
6
6
|
var crud_1 = require("./crud");
|
|
@@ -22,6 +22,7 @@ var rbac_1 = require("./rbac");
|
|
|
22
22
|
Object.defineProperty(exports, "isSuperAdmin", { enumerable: true, get: function () { return rbac_1.isSuperAdmin; } });
|
|
23
23
|
Object.defineProperty(exports, "isGroupAdmin", { enumerable: true, get: function () { return rbac_1.isGroupAdmin; } });
|
|
24
24
|
Object.defineProperty(exports, "canManageRole", { enumerable: true, get: function () { return rbac_1.canManageRole; } });
|
|
25
|
+
Object.defineProperty(exports, "hasGlobalEscalationAccess", { enumerable: true, get: function () { return rbac_1.hasGlobalEscalationAccess; } });
|
|
25
26
|
var auth_1 = require("./auth");
|
|
26
27
|
Object.defineProperty(exports, "verifyPassword", { enumerable: true, get: function () { return auth_1.verifyPassword; } });
|
|
27
28
|
var seed_admin_1 = require("./seed-admin");
|
|
@@ -13,3 +13,14 @@ export declare function isGroupAdmin(userId: string, role: string): Promise<bool
|
|
|
13
13
|
* Superadmins can manage any role. Admins can manage roles they belong to.
|
|
14
14
|
*/
|
|
15
15
|
export declare function canManageRole(actorId: string, role: string): Promise<boolean>;
|
|
16
|
+
/**
|
|
17
|
+
* Can this user act on escalations across all roles?
|
|
18
|
+
*
|
|
19
|
+
* True for:
|
|
20
|
+
* - superadmin (any role with type 'superadmin')
|
|
21
|
+
* - admin/admin (the named 'admin' role with type 'admin')
|
|
22
|
+
*
|
|
23
|
+
* These users see all escalations, can claim/resolve/escalate across
|
|
24
|
+
* all roles, and can perform bulk actions.
|
|
25
|
+
*/
|
|
26
|
+
export declare function hasGlobalEscalationAccess(userId: string): Promise<boolean>;
|
|
@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.isSuperAdmin = isSuperAdmin;
|
|
4
4
|
exports.isGroupAdmin = isGroupAdmin;
|
|
5
5
|
exports.canManageRole = canManageRole;
|
|
6
|
+
exports.hasGlobalEscalationAccess = hasGlobalEscalationAccess;
|
|
6
7
|
const db_1 = require("../../lib/db");
|
|
7
8
|
const roles_1 = require("./roles");
|
|
8
9
|
const sql_1 = require("./sql");
|
|
@@ -30,3 +31,19 @@ async function isGroupAdmin(userId, role) {
|
|
|
30
31
|
async function canManageRole(actorId, role) {
|
|
31
32
|
return isGroupAdmin(actorId, role);
|
|
32
33
|
}
|
|
34
|
+
/**
|
|
35
|
+
* Can this user act on escalations across all roles?
|
|
36
|
+
*
|
|
37
|
+
* True for:
|
|
38
|
+
* - superadmin (any role with type 'superadmin')
|
|
39
|
+
* - admin/admin (the named 'admin' role with type 'admin')
|
|
40
|
+
*
|
|
41
|
+
* These users see all escalations, can claim/resolve/escalate across
|
|
42
|
+
* all roles, and can perform bulk actions.
|
|
43
|
+
*/
|
|
44
|
+
async function hasGlobalEscalationAccess(userId) {
|
|
45
|
+
if (await isSuperAdmin(userId))
|
|
46
|
+
return true;
|
|
47
|
+
const roles = await (0, roles_1.getUserRoles)(userId);
|
|
48
|
+
return roles.some((r) => r.role === 'admin' && r.type === 'admin');
|
|
49
|
+
}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import type { SSOIdentity, LTSSOConfig } from '../../types/auth';
|
|
2
|
+
export interface ProvisionedUser {
|
|
3
|
+
userId: string;
|
|
4
|
+
roles: Array<{
|
|
5
|
+
role: string;
|
|
6
|
+
type: string;
|
|
7
|
+
}>;
|
|
8
|
+
created: boolean;
|
|
9
|
+
}
|
|
10
|
+
/**
|
|
11
|
+
* JIT provision or sync an SSO identity to lt_users.
|
|
12
|
+
*
|
|
13
|
+
* Lookup by `external_id`. If not found, create with resolved roles.
|
|
14
|
+
* If found, sync any new roles from the identity.
|
|
15
|
+
*
|
|
16
|
+
* Returns the internal `lt_users.id` (UUID) that all RBAC and
|
|
17
|
+
* escalation queries use.
|
|
18
|
+
*/
|
|
19
|
+
export declare function ssoProvision(identity: SSOIdentity, ssoConfig: LTSSOConfig): Promise<ProvisionedUser>;
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.ssoProvision = ssoProvision;
|
|
4
|
+
const logger_1 = require("../../lib/logger");
|
|
5
|
+
const crud_1 = require("./crud");
|
|
6
|
+
const roles_1 = require("./roles");
|
|
7
|
+
/**
|
|
8
|
+
* JIT provision or sync an SSO identity to lt_users.
|
|
9
|
+
*
|
|
10
|
+
* Lookup by `external_id`. If not found, create with resolved roles.
|
|
11
|
+
* If found, sync any new roles from the identity.
|
|
12
|
+
*
|
|
13
|
+
* Returns the internal `lt_users.id` (UUID) that all RBAC and
|
|
14
|
+
* escalation queries use.
|
|
15
|
+
*/
|
|
16
|
+
async function ssoProvision(identity, ssoConfig) {
|
|
17
|
+
const defaultRoleType = ssoConfig.defaultRoleType || 'member';
|
|
18
|
+
const ltRoles = resolveRoles(identity.roles || [], defaultRoleType, ssoConfig.roleMap);
|
|
19
|
+
const existing = await (0, crud_1.getUserByExternalId)(identity.externalId);
|
|
20
|
+
if (existing) {
|
|
21
|
+
// Sync roles: ensure all resolved roles exist on the user
|
|
22
|
+
const currentRoles = await (0, roles_1.getUserRoles)(existing.id);
|
|
23
|
+
for (const lr of ltRoles) {
|
|
24
|
+
const has = currentRoles.some((r) => r.role === lr.role);
|
|
25
|
+
if (!has) {
|
|
26
|
+
await (0, roles_1.addUserRole)(existing.id, lr.role, lr.type);
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
const updatedRoles = await (0, roles_1.getUserRoles)(existing.id);
|
|
30
|
+
return {
|
|
31
|
+
userId: existing.id,
|
|
32
|
+
roles: updatedRoles.map((r) => ({ role: r.role, type: r.type })),
|
|
33
|
+
created: false,
|
|
34
|
+
};
|
|
35
|
+
}
|
|
36
|
+
// Create new user
|
|
37
|
+
const user = await (0, crud_1.createUser)({
|
|
38
|
+
external_id: identity.externalId,
|
|
39
|
+
email: identity.email || undefined,
|
|
40
|
+
display_name: identity.displayName || identity.externalId,
|
|
41
|
+
roles: ltRoles.map((r) => ({ role: r.role, type: r.type })),
|
|
42
|
+
metadata: identity.metadata,
|
|
43
|
+
});
|
|
44
|
+
logger_1.loggerRegistry.info(`[lt-sso] provisioned user: ${identity.externalId} → ${user.id}`);
|
|
45
|
+
return {
|
|
46
|
+
userId: user.id,
|
|
47
|
+
roles: (user.roles || []).map((r) => ({ role: r.role, type: r.type })),
|
|
48
|
+
created: true,
|
|
49
|
+
};
|
|
50
|
+
}
|
|
51
|
+
function resolveRoles(hostRoles, defaultRoleType, roleMap) {
|
|
52
|
+
const mapped = roleMap
|
|
53
|
+
? hostRoles.filter((r) => roleMap[r]).map((r) => roleMap[r])
|
|
54
|
+
: hostRoles;
|
|
55
|
+
if (mapped.length === 0) {
|
|
56
|
+
return [{ role: defaultRoleType, type: defaultRoleType }];
|
|
57
|
+
}
|
|
58
|
+
return mapped.map((role) => ({
|
|
59
|
+
role,
|
|
60
|
+
type: role === 'superadmin' ? 'superadmin' : role === 'admin' ? 'admin' : 'member',
|
|
61
|
+
}));
|
|
62
|
+
}
|
|
@@ -148,15 +148,17 @@ async function checkInvocationRoles(workflowType, userId, authRole) {
|
|
|
148
148
|
// Superadmin from JWT bypasses all invocation role checks
|
|
149
149
|
if (authRole === 'superadmin')
|
|
150
150
|
return;
|
|
151
|
-
const user = await userService.
|
|
151
|
+
const user = await userService.getUser(userId);
|
|
152
152
|
if (!user) {
|
|
153
153
|
throw new InvocationError('User not registered', 403);
|
|
154
154
|
}
|
|
155
155
|
const userRoles = user.roles.map((r) => r.role);
|
|
156
156
|
const hasInvocationRole = wfConfig.invocation_roles.some((r) => userRoles.includes(r));
|
|
157
157
|
if (!hasInvocationRole) {
|
|
158
|
-
|
|
159
|
-
|
|
158
|
+
// superadmin and admin/admin bypass role checks
|
|
159
|
+
const hasGlobalAccess = user.roles.some((r) => r.type === 'superadmin')
|
|
160
|
+
|| user.roles.some((r) => r.role === 'admin' && r.type === 'admin');
|
|
161
|
+
if (!hasGlobalAccess) {
|
|
160
162
|
throw new InvocationError('Insufficient role for invocation', 403);
|
|
161
163
|
}
|
|
162
164
|
}
|