@lobu/gateway 3.0.5 → 3.0.7

package/src/api/index.ts

@@ -0,0 +1 @@
+export { ApiPlatform, type ApiPlatformConfig } from "./platform";

package/src/api/platform.ts

@@ -0,0 +1,292 @@
+#!/usr/bin/env bun
+
+/**
+ * API Platform Adapter
+ * Handles direct API access for browser extensions, CLI clients, etc.
+ * Does not require external platform integration (no Slack, Discord, etc.)
+ */
+
+import { randomUUID } from "node:crypto";
+import { createLogger, type InstructionProvider } from "@lobu/core";
+import type { CoreServices, PlatformAdapter } from "../platform";
+import type { ResponseRenderer } from "../platform/response-renderer";
+import { broadcastToAgent } from "../routes/public/agent";
+import { ApiResponseRenderer } from "./response-renderer";
+
+const logger = createLogger("api-platform");
+
+/**
+ * API Platform configuration
+ */
+export interface ApiPlatformConfig {
+  /** Whether the API platform is enabled */
+  enabled?: boolean;
+}
+
+/**
+ * API Platform adapter for direct access via HTTP/SSE
+ * This platform doesn't interact with external services like Slack or Discord.
+ * Instead, it provides endpoints for:
+ * - Creating sessions
+ * - Sending messages
+ * - Receiving streaming responses via SSE
+ * - Handling tool approvals
+ */
+export class ApiPlatform implements PlatformAdapter {
+  readonly name = "api";
+
+  private responseRenderer?: ApiResponseRenderer;
+  private isRunning = false;
+  private services?: CoreServices;
+
+  /**
+   * Initialize with core services
+   */
+  async initialize(services: CoreServices): Promise<void> {
+    logger.debug("Initializing API platform...");
+
+    this.services = services;
+
+    // Create response renderer for routing worker responses to SSE clients
+    this.responseRenderer = new ApiResponseRenderer();
+
+    // Subscribe to interaction events to broadcast to SSE clients
+    const interactionService = services.getInteractionService();
+
+    interactionService.on("question:created", (event: any) => {
+      if (event.teamId !== "api") return;
+      broadcastToAgent(event.conversationId, "question", {
+        type: "question",
+        questionId: event.id,
+        question: event.question,
+        options: event.options,
+        timestamp: Date.now(),
+      });
+    });
+
+    interactionService.on("link-button:created", (event: any) => {
+      if (event.platform !== "api") return;
+      broadcastToAgent(event.conversationId, "link-button", {
+        type: "link-button",
+        url: event.url,
+        label: event.label,
+        linkType: event.linkType,
+        timestamp: Date.now(),
+      });
+    });
+
+    interactionService.on("grant:requested", (event: any) => {
+      if (event.teamId !== "api") return;
+      broadcastToAgent(event.conversationId, "grant-request", {
+        type: "grant-request",
+        requestId: event.id,
+        domains: event.domains,
+        reason: event.reason,
+        timestamp: Date.now(),
+      });
+    });
+
+    interactionService.on("package:requested", (event: any) => {
+      if (event.teamId !== "api") return;
+      broadcastToAgent(event.conversationId, "package-request", {
+        type: "package-request",
+        requestId: event.id,
+        packages: event.packages,
+        reason: event.reason,
+        timestamp: Date.now(),
+      });
+    });
+
+    interactionService.on("config:requested", (event: any) => {
+      if (event.teamId !== "api") return;
+      broadcastToAgent(event.conversationId, "config-request", {
+        type: "config-request",
+        requestId: event.id,
+        text: event.text,
+        timestamp: Date.now(),
+      });
+    });
+
+    interactionService.on("suggestion:created", (event: any) => {
+      if (event.teamId !== "api") return;
+      broadcastToAgent(event.conversationId, "suggestion", {
+        type: "suggestion",
+        prompts: event.prompts,
+        timestamp: Date.now(),
+      });
+    });
+
+    logger.debug("✅ API platform initialized");
+  }
+
+  /**
+   * Start the platform
+   * For API platform, this is mostly a no-op since routes are registered separately
+   */
+  async start(): Promise<void> {
+    this.isRunning = true;
+    logger.debug("✅ API platform started");
+  }
+
+  /**
+   * Stop the platform
+   */
+  async stop(): Promise<void> {
+    this.isRunning = false;
+    logger.debug("✅ API platform stopped");
+  }
+
+  /**
+   * Check if platform is healthy
+   */
+  isHealthy(): boolean {
+    return this.isRunning;
+  }
+
+  /**
+   * No custom instruction provider for API platform
+   */
+  getInstructionProvider(): InstructionProvider | null {
+    return null;
+  }
+
+  /**
+   * Build deployment metadata
+   * For API sessions, we include session ID and source
+   */
+  buildDeploymentMetadata(
+    conversationId: string,
+    channelId: string,
+    platformMetadata: Record<string, any>
+  ): Record<string, string> {
+    return {
+      sessionId: platformMetadata.sessionId || conversationId,
+      source: "direct-api",
+      channelId,
+    };
+  }
+
+  /**
+   * Get the response renderer for routing worker responses
+   */
+  getResponseRenderer(): ResponseRenderer | undefined {
+    return this.responseRenderer;
+  }
+
+  /**
+   * Suggestions are broadcast via interaction events above
+   */
+  async renderSuggestion(): Promise<void> {
+    /* noop — suggestions broadcast via interaction events */
+  }
+
+  /**
+   * API platform doesn't have thread status indicators
+   */
+  async setThreadStatus(): Promise<void> {
+    // Status is sent via SSE events
+  }
+
+  /**
+   * Send a message via API platform
+   * Creates or reuses a session and queues the message for processing
+   *
+   * @param token - Auth token (used to derive userId)
+   * @param message - Message content
+   * @param options - Routing info (agentId = channelId = conversationId for API)
+   */
+  async sendMessage(
+    token: string,
+    message: string,
+    options: {
+      agentId: string;
+      channelId: string;
+      conversationId: string;
+      teamId: string;
+      files?: Array<{ buffer: Buffer; filename: string }>;
+    }
+  ): Promise<{
+    messageId: string;
+    eventsUrl?: string;
+    queued?: boolean;
+  }> {
+    if (!this.services) {
+      throw new Error("API platform not initialized");
+    }
+
+    const { agentId } = options;
+    const sessionManager = this.services.getSessionManager();
+    const queueProducer = this.services.getQueueProducer();
+    const messageId = randomUUID();
+    const userId = `api-${token.slice(0, 8) || "anonymous"}`;
+
+    // For API platform: agentId = channelId = conversationId (all same)
+    // Try to get existing session or create new one
+    let session = await sessionManager.getSession(agentId);
+
+    if (!session) {
+      session = {
+        conversationId: agentId,
+        channelId: agentId,
+        userId,
+        threadCreator: userId,
+        lastActivity: Date.now(),
+        createdAt: Date.now(),
+        status: "created",
+        provider: "claude",
+      };
+
+      await sessionManager.setSession(session);
+      logger.info(`Created new API session: ${agentId}`);
+    }
+
+    if (!session) {
+      throw new Error("Session not found after creation");
+    }
+
+    // Update session activity
+    await sessionManager.touchSession(agentId);
+
+    // Prepare message with file info if provided
+    const platformMetadata: Record<string, any> = {
+      agentId,
+      source: "messaging-api",
+    };
+
+    if (options.files && options.files.length > 0) {
+      platformMetadata.fileCount = options.files.length;
+      platformMetadata.fileNames = options.files.map((f) => f.filename);
+      logger.info(
+        `Message includes ${options.files.length} file(s): ${platformMetadata.fileNames.join(", ")}`
+      );
+    }
+
+    // Enqueue message for worker processing
+    await queueProducer.enqueueMessage({
+      userId,
+      conversationId: agentId,
+      messageId,
+      channelId: agentId,
+      teamId: "api",
+      agentId: agentId, // agentId is the isolation boundary
+      botId: "lobu-api",
+      platform: "api",
+      messageText: message,
+      platformMetadata,
+      agentOptions: {
+        provider: session.provider || "claude",
+      },
+    });
+
+    logger.info(`Queued message ${messageId} for agent ${agentId}`);
+
+    const publicUrl = this.services.getPublicGatewayUrl();
+    const baseUrl = publicUrl || "http://localhost:8080";
+
+    return {
+      messageId,
+      eventsUrl: `${baseUrl}/api/v1/agents/${agentId}/events`,
+      queued: true,
+    };
+  }
+}

package/src/api/response-renderer.ts

@@ -0,0 +1,157 @@
+#!/usr/bin/env bun
+
+/**
+ * API Response Renderer
+ * Broadcasts worker responses to SSE connections for direct API clients
+ */
+
+import { createLogger } from "@lobu/core";
+import type { ThreadResponsePayload } from "../infrastructure/queue/types";
+import type { ResponseRenderer } from "../platform/response-renderer";
+import { broadcastToAgent } from "../routes/public/agent";
+
+const logger = createLogger("api-response-renderer");
+
+/**
+ * Response renderer for API platform
+ * Broadcasts responses to SSE clients instead of external platforms
+ */
+export class ApiResponseRenderer implements ResponseRenderer {
+  /**
+   * Handle streaming delta content
+   * Broadcasts delta to SSE connections
+   */
+  async handleDelta(
+    payload: ThreadResponsePayload,
+    _sessionKey: string
+  ): Promise<string | null> {
+    const sessionId =
+      (payload.platformMetadata?.sessionId as string) || payload.conversationId;
+
+    if (!sessionId) {
+      logger.warn("No session ID found in payload for delta broadcast");
+      return null;
+    }
+
+    // Broadcast delta to SSE clients
+    broadcastToAgent(sessionId, "output", {
+      type: "delta",
+      content: payload.delta,
+      timestamp: payload.timestamp || Date.now(),
+      messageId: payload.messageId,
+    });
+
+    logger.debug(
+      `Broadcast delta to session ${sessionId}: ${payload.delta?.length || 0} chars`
+    );
+
+    return payload.messageId;
+  }
+
+  /**
+   * Handle completion of response processing
+   * Sends completion event to SSE clients
+   */
+  async handleCompletion(
+    payload: ThreadResponsePayload,
+    _sessionKey: string
+  ): Promise<void> {
+    const sessionId =
+      (payload.platformMetadata?.sessionId as string) || payload.conversationId;
+
+    if (!sessionId) {
+      logger.warn("No session ID found in payload for completion broadcast");
+      return;
+    }
+
+    // Broadcast completion to SSE clients
+    broadcastToAgent(sessionId, "complete", {
+      type: "complete",
+      messageId: payload.messageId,
+      processedMessageIds: payload.processedMessageIds,
+      timestamp: payload.timestamp || Date.now(),
+    });
+
+    logger.info(`Broadcast completion to session ${sessionId}`);
+  }
+
+  /**
+   * Handle error response
+   * Sends error event to SSE clients
+   */
+  async handleError(
+    payload: ThreadResponsePayload,
+    _sessionKey: string
+  ): Promise<void> {
+    const sessionId =
+      (payload.platformMetadata?.sessionId as string) || payload.conversationId;
+
+    if (!sessionId) {
+      logger.warn("No session ID found in payload for error broadcast");
+      return;
+    }
+
+    // Broadcast error to SSE clients
+    broadcastToAgent(sessionId, "error", {
+      type: "error",
+      error: payload.error,
+      messageId: payload.messageId,
+      timestamp: payload.timestamp || Date.now(),
+    });
+
+    logger.error(`Broadcast error to session ${sessionId}: ${payload.error}`);
+  }
+
+  /**
+   * Handle status updates (heartbeat with elapsed time)
+   * Sends status event to SSE clients
+   */
+  async handleStatusUpdate(payload: ThreadResponsePayload): Promise<void> {
+    const sessionId =
+      (payload.platformMetadata?.sessionId as string) || payload.conversationId;
+
+    if (!sessionId) {
+      return;
+    }
+
+    // Broadcast status to SSE clients
+    broadcastToAgent(sessionId, "status", {
+      type: "status",
+      status: payload.statusUpdate,
+      messageId: payload.messageId,
+      timestamp: payload.timestamp || Date.now(),
+    });
+  }
+
+  /**
+   * Handle ephemeral messages
+   * For API platform, these are just broadcast as regular events
+   */
+  async handleEphemeral(payload: ThreadResponsePayload): Promise<void> {
+    const sessionId =
+      (payload.platformMetadata?.sessionId as string) || payload.conversationId;
+
+    if (!sessionId) {
+      return;
+    }
+
+    // Broadcast ephemeral content to SSE clients
+    broadcastToAgent(sessionId, "ephemeral", {
+      type: "ephemeral",
+      content: payload.content,
+      messageId: payload.messageId,
+      timestamp: payload.timestamp || Date.now(),
+    });
+  }
+
+  /**
+   * Stop stream for conversation - no-op for API platform
+   * SSE connections handle their own lifecycle
+   */
+  async stopStreamForConversation(
+    _userId: string,
+    _conversationId: string
+  ): Promise<void> {
+    // No-op - SSE connections manage their own lifecycle
+  }
+}

package/src/auth/agent-metadata-store.ts

@@ -0,0 +1,168 @@
+import { BaseRedisStore, createLogger } from "@lobu/core";
+import type Redis from "ioredis";
+
+const logger = createLogger("agent-metadata-store");
+
+/**
+ * Agent metadata - user-facing info about an agent
+ */
+export interface AgentMetadata {
+  agentId: string;
+  /** User-friendly name (e.g., "Work Agent", "Personal Assistant") */
+  name: string;
+  description?: string;
+  owner: {
+    platform: string;
+    userId: string;
+  };
+  /** Whether this is the workspace default agent */
+  isWorkspaceAgent?: boolean;
+  /** Workspace/team ID for workspace agents */
+  workspaceId?: string;
+  /** Connection that auto-created this agent (makes it a "sandbox") */
+  parentConnectionId?: string;
+  createdAt: number;
+  lastUsedAt?: number;
+}
+
+/**
+ * Store agent metadata in Redis.
+ * Pattern: agent_metadata:{agentId}
+ */
+export class AgentMetadataStore extends BaseRedisStore<AgentMetadata> {
+  constructor(redis: Redis) {
+    super({
+      redis,
+      keyPrefix: "agent_metadata",
+      loggerName: "agent-metadata-store",
+    });
+  }
+
+  /**
+   * Create a new agent with metadata
+   */
+  async createAgent(
+    agentId: string,
+    name: string,
+    platform: string,
+    userId: string,
+    options?: {
+      description?: string;
+      isWorkspaceAgent?: boolean;
+      workspaceId?: string;
+      parentConnectionId?: string;
+    }
+  ): Promise<AgentMetadata> {
+    const metadata: AgentMetadata = {
+      agentId,
+      name,
+      owner: { platform, userId },
+      isWorkspaceAgent: options?.isWorkspaceAgent,
+      workspaceId: options?.workspaceId,
+      parentConnectionId: options?.parentConnectionId,
+      createdAt: Date.now(),
+    };
+
+    if (options?.description) {
+      metadata.description = options.description;
+    }
+
+    const key = this.buildKey(agentId);
+    await this.set(key, metadata);
+
+    // Index sandbox under its parent connection
+    if (options?.parentConnectionId) {
+      await this.redis.sadd(
+        `sandboxes:connection:${options.parentConnectionId}`,
+        agentId
+      );
+    }
+
+    logger.info(`Created agent metadata for ${agentId}: "${name}"`);
+    return metadata;
+  }
+
+  /**
+   * Get metadata for an agent
+   */
+  async getMetadata(agentId: string): Promise<AgentMetadata | null> {
+    const key = this.buildKey(agentId);
+    return this.get(key);
+  }
+
+  /**
+   * Update agent metadata (partial update)
+   */
+  async updateMetadata(
+    agentId: string,
+    updates: Partial<Pick<AgentMetadata, "name" | "description" | "lastUsedAt">>
+  ): Promise<void> {
+    const existing = await this.getMetadata(agentId);
+    if (!existing) {
+      logger.warn(`Cannot update metadata: agent ${agentId} not found`);
+      return;
+    }
+
+    const updated: AgentMetadata = { ...existing, ...updates };
+    const key = this.buildKey(agentId);
+    await this.set(key, updated);
+    logger.info(`Updated metadata for agent ${agentId}`);
+  }
+
+  /**
+   * Delete agent metadata
+   */
+  async deleteAgent(agentId: string): Promise<void> {
+    // Clean up sandbox index if this agent has a parent connection
+    const metadata = await this.getMetadata(agentId);
+    if (metadata?.parentConnectionId) {
+      await this.redis.srem(
+        `sandboxes:connection:${metadata.parentConnectionId}`,
+        agentId
+      );
+    }
+
+    const key = this.buildKey(agentId);
+    await this.delete(key);
+    logger.info(`Deleted metadata for agent ${agentId}`);
+  }
+
+  /**
+   * Check if agent exists
+   */
+  async hasAgent(agentId: string): Promise<boolean> {
+    const key = this.buildKey(agentId);
+    return this.exists(key);
+  }
+
+  /**
+   * List sandbox agents belonging to a connection
+   */
+  async listSandboxes(connectionId: string): Promise<AgentMetadata[]> {
+    const agentIds = await this.redis.smembers(
+      `sandboxes:connection:${connectionId}`
+    );
+    const sandboxes: AgentMetadata[] = [];
+    for (const agentId of agentIds) {
+      const data = await this.getMetadata(agentId);
+      if (data) sandboxes.push(data);
+    }
+    sandboxes.sort((a, b) => (b.lastUsedAt ?? 0) - (a.lastUsedAt ?? 0));
+    return sandboxes;
+  }
+
+  /**
+   * List all agents in the system, sorted by lastUsedAt descending
+   */
+  async listAllAgents(): Promise<AgentMetadata[]> {
+    const prefix = `${this.keyPrefix}:`;
+    const keys = await this.scanByPrefix(prefix);
+    const agents: AgentMetadata[] = [];
+    for (const key of keys) {
+      const data = await this.get(key);
+      if (data) agents.push(data);
+    }
+    agents.sort((a, b) => (b.lastUsedAt ?? 0) - (a.lastUsedAt ?? 0));
+    return agents;
+  }
+}

package/src/auth/api-auth-middleware.ts

@@ -0,0 +1,69 @@
+import { timingSafeEqual } from "node:crypto";
+import { verifyWorkerToken } from "@lobu/core";
+import type { Context, Next } from "hono";
+import { verifySettingsSession } from "../routes/public/settings-auth";
+import type { CliTokenService } from "./cli/token-service";
+import type { ExternalAuthClient } from "./external/client";
+
+export const TOKEN_EXPIRATION_MS = 24 * 60 * 60 * 1000;
+
+/**
+ * Creates a Hono middleware that enforces the standard auth check:
+ *   1. Settings session cookie  2. CLI JWT  3. External OAuth  4. Admin password  5. Worker token
+ */
+export function createApiAuthMiddleware(opts: {
+  adminPassword?: string;
+  cliTokenService?: CliTokenService;
+  externalAuthClient?: ExternalAuthClient;
+  allowWorkerToken?: boolean;
+  allowSettingsSession?: boolean;
+}) {
+  return async (c: Context, next: Next) => {
+    // 1. Try settings session cookie when explicitly allowed.
+    if (opts.allowSettingsSession && verifySettingsSession(c)) return next();
+
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      return c.json({ success: false, error: "Unauthorized" }, 401);
+    }
+    const token = authHeader.substring(7);
+
+    // 2. Try CLI JWT
+    if (opts.cliTokenService) {
+      const identity = await opts.cliTokenService.verifyAccessToken(token);
+      if (identity) return next();
+    }
+
+    // 3. Try external OAuth token (validated against MEMORY_URL userinfo)
+    if (opts.externalAuthClient) {
+      try {
+        const userInfo = await opts.externalAuthClient.fetchUserInfo(token);
+        if (userInfo?.sub) return next();
+      } catch {
+        // Token not valid for external auth, continue to next method
+      }
+    }
+
+    // 4. Try admin password
+    if (opts.adminPassword) {
+      const a = Buffer.from(token);
+      const b = Buffer.from(opts.adminPassword);
+      if (a.length === b.length && timingSafeEqual(a, b)) {
+        return next();
+      }
+    }
+
+    // 5. Try worker token when explicitly allowed for the route
+    if (opts.allowWorkerToken !== false) {
+      const workerData = verifyWorkerToken(token);
+      if (workerData) {
+        const tokenAge = Date.now() - workerData.timestamp;
+        if (tokenAge <= TOKEN_EXPIRATION_MS) {
+          return next();
+        }
+      }
+    }
+
+    return c.json({ success: false, error: "Unauthorized" }, 401);
+  };
+}