@lobu/gateway 3.0.5 → 3.0.7

package/src/services/image-generation-service.ts

@@ -0,0 +1,257 @@
+import type { AuthProfile } from "@lobu/core";
+import { createLogger } from "@lobu/core";
+import type { AuthProfilesManager } from "../auth/settings/auth-profiles-manager";
+
+const logger = createLogger("image-generation-service");
+
+export type ImageGenerationProvider = "openai";
+
+interface ImageGenerationConfig {
+  profileProviderId: string;
+  displayName: string;
+  provider: ImageGenerationProvider;
+  apiKey: string;
+}
+
+export interface ImageGenerationSuccess {
+  imageBuffer: Buffer;
+  mimeType: string;
+  provider: ImageGenerationProvider;
+}
+
+export interface ImageGenerationError {
+  error: string;
+  availableProviders: ImageGenerationProvider[];
+}
+
+export type ImageGenerationResult =
+  | ImageGenerationSuccess
+  | ImageGenerationError;
+
+export interface ImageGenerationOptions {
+  size?: "1024x1024" | "1024x1536" | "1536x1024" | "auto";
+  quality?: "low" | "medium" | "high" | "auto";
+  background?: "transparent" | "opaque" | "auto";
+  format?: "png" | "jpeg" | "webp";
+}
+
+const IMAGE_CAPABLE_PROVIDERS: {
+  profileProviderId: string;
+  provider: ImageGenerationProvider;
+  displayName: string;
+}[] = [
+  {
+    profileProviderId: "chatgpt",
+    provider: "openai",
+    displayName: "OpenAI",
+  },
+  {
+    profileProviderId: "openai",
+    provider: "openai",
+    displayName: "OpenAI-compatible",
+  },
+];
+
+function parseJwtScopes(token: string): Set<string> | null {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const payload = JSON.parse(
+      Buffer.from(parts[1] || "", "base64url").toString("utf-8")
+    ) as {
+      scope?: unknown;
+      scp?: unknown;
+    };
+    const scopes: string[] = [];
+    if (typeof payload.scope === "string") {
+      scopes.push(...payload.scope.split(/\s+/));
+    }
+    if (typeof payload.scp === "string") {
+      scopes.push(...payload.scp.split(/\s+/));
+    }
+    if (Array.isArray(payload.scp)) {
+      scopes.push(
+        ...payload.scp.filter(
+          (value): value is string => typeof value === "string"
+        )
+      );
+    }
+    const cleaned = scopes.map((scope) => scope.trim()).filter(Boolean);
+    return cleaned.length > 0 ? new Set(cleaned) : null;
+  } catch {
+    return null;
+  }
+}
+
+function hasImageGenerationAccess(
+  profileProviderId: string,
+  profile: AuthProfile
+): boolean {
+  if (profileProviderId !== "chatgpt") return true;
+  if (profile.authType === "api-key") return true;
+
+  const scopes = parseJwtScopes(profile.credential);
+  if (!scopes) return true;
+  return (
+    scopes.has("api.model.image.request") ||
+    scopes.has("api.model.request") ||
+    scopes.has("model.image.request")
+  );
+}
+
+export class ImageGenerationService {
+  constructor(private readonly authProfilesManager: AuthProfilesManager) {}
+
+  async getConfig(agentId: string): Promise<ImageGenerationConfig | null> {
+    for (const {
+      profileProviderId,
+      provider,
+      displayName,
+    } of IMAGE_CAPABLE_PROVIDERS) {
+      const profile = await this.authProfilesManager.getBestProfile(
+        agentId,
+        profileProviderId
+      );
+      if (!profile?.credential) continue;
+      if (!hasImageGenerationAccess(profileProviderId, profile)) {
+        logger.info("Skipping provider without image-generation scope", {
+          agentId,
+          profileProviderId,
+          authType: profile.authType,
+        });
+        continue;
+      }
+      return {
+        profileProviderId,
+        displayName,
+        provider,
+        apiKey: profile.credential,
+      };
+    }
+    return null;
+  }
+
+  getProviderInfo(): Array<{
+    provider: ImageGenerationProvider;
+    name: string;
+  }> {
+    return IMAGE_CAPABLE_PROVIDERS.map(({ provider, displayName }) => ({
+      provider,
+      name: displayName,
+    }));
+  }
+
+  async generate(
+    prompt: string,
+    agentId: string,
+    options: ImageGenerationOptions = {}
+  ): Promise<ImageGenerationResult> {
+    const config = await this.getConfig(agentId);
+    if (!config) {
+      return this.noProviderError(
+        "No image generation provider configured",
+        agentId
+      );
+    }
+
+    logger.info("Generating image", {
+      agentId,
+      provider: config.provider,
+      profileProviderId: config.profileProviderId,
+      promptLength: prompt.length,
+      size: options.size,
+      quality: options.quality,
+      background: options.background,
+      format: options.format,
+    });
+
+    try {
+      const result = await this.generateWithOpenAI(
+        prompt,
+        config.apiKey,
+        options
+      );
+      return {
+        imageBuffer: result.imageBuffer,
+        mimeType: result.mimeType,
+        provider: config.provider,
+      };
+    } catch (error) {
+      const errorMessage =
+        error instanceof Error ? error.message : String(error);
+      logger.error("Image generation failed", {
+        agentId,
+        provider: config.provider,
+        profileProviderId: config.profileProviderId,
+        error: errorMessage,
+      });
+      return {
+        error: `Image generation failed with ${config.displayName}: ${errorMessage}`,
+        availableProviders: [config.provider],
+      };
+    }
+  }
+
+  private noProviderError(
+    message: string,
+    agentId: string
+  ): ImageGenerationError {
+    const availableProviders = IMAGE_CAPABLE_PROVIDERS.map((p) => p.provider);
+    logger.info(message, { agentId, availableProviders });
+    return { error: message, availableProviders };
+  }
+
+  private async generateWithOpenAI(
+    prompt: string,
+    apiKey: string,
+    options: ImageGenerationOptions
+  ): Promise<{ imageBuffer: Buffer; mimeType: string }> {
+    const format = options.format || "png";
+    const response = await fetch(
+      "https://api.openai.com/v1/images/generations",
+      {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          model: "gpt-image-1",
+          prompt,
+          size: options.size || "1024x1024",
+          quality: options.quality || "auto",
+          background: options.background || "auto",
+          output_format: format,
+          response_format: "b64_json",
+        }),
+      }
+    );
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(
+        `OpenAI Images API error: ${response.status} - ${errorText}`
+      );
+    }
+
+    const data = (await response.json()) as {
+      data?: Array<{ b64_json?: string }>;
+    };
+    const b64 = data.data?.[0]?.b64_json;
+    if (!b64) {
+      throw new Error("OpenAI Images API returned no image payload");
+    }
+
+    const mimeType =
+      format === "jpeg"
+        ? "image/jpeg"
+        : format === "webp"
+          ? "image/webp"
+          : "image/png";
+
+    return {
+      imageBuffer: Buffer.from(b64, "base64"),
+      mimeType,
+    };
+  }
+}

package/src/services/instruction-service.ts

@@ -0,0 +1,318 @@
+#!/usr/bin/env bun
+
+import {
+  buildUnconfiguredAgentNotice,
+  createLogger,
+  type InstructionContext,
+  type InstructionProvider,
+} from "@lobu/core";
+import type { McpConfigService } from "../auth/mcp/config-service";
+import type { AgentSettingsStore } from "../auth/settings/agent-settings-store";
+
+const logger = createLogger("instruction-service");
+
+interface McpStatus {
+  id: string;
+  name: string;
+  requiresAuth: boolean;
+  requiresInput: boolean;
+}
+
+interface SessionContextData {
+  agentInstructions: string;
+  platformInstructions: string;
+  networkInstructions: string;
+  skillsInstructions: string;
+  mcpStatus: McpStatus[];
+}
+
+/**
+ * Provides instructions from enabled skills for the agent.
+ * Fetches skill content from AgentSettings and injects as instructions.
+ * Falls back to generic skills.sh discovery instructions if no skills configured.
+ */
+class SkillsInstructionProvider implements InstructionProvider {
+  name = "skills";
+  priority = 15;
+
+  constructor(private agentSettingsStore?: AgentSettingsStore) {}
+
+  async getInstructions(context: InstructionContext): Promise<string> {
+    // If no settings store or agentId, return generic skills.sh instructions
+    if (!this.agentSettingsStore || !context.agentId) {
+      return this.getGenericSkillsInstructions();
+    }
+
+    try {
+      const settings = await this.agentSettingsStore.getSettings(
+        context.agentId
+      );
+      const skills = settings?.skillsConfig?.skills || [];
+      const enabledSkills = skills.filter((s) => s.enabled && s.content);
+
+      if (enabledSkills.length === 0) {
+        return this.getGenericSkillsInstructions();
+      }
+
+      // Progressive disclosure: inject only metadata (name + description + model/thinking tags)
+      // to reduce prompt size. Agent reads full SKILL.md on demand.
+      const skillSummaries = enabledSkills
+        .map((skill) => {
+          const desc = skill.description ? ` - ${skill.description}` : "";
+          const tags: string[] = [];
+          if (skill.modelPreference) {
+            tags.push(`[model: ${skill.modelPreference}]`);
+          }
+          if (skill.thinkingLevel) {
+            tags.push(`[thinking: ${skill.thinkingLevel}]`);
+          }
+          const tagStr = tags.length > 0 ? ` ${tags.join(" ")}` : "";
+          const line = `- **${skill.name}**${desc} (\`${skill.repo}\`)${tagStr}`;
+          if (skill.instructions?.trim()) {
+            return `${line}\n  → ${skill.instructions.trim()}`;
+          }
+          return line;
+        })
+        .join("\n");
+
+      return `# Enabled Skills
+
+The following skills are installed and available. When a task matches a skill, read the full skill instructions before using it. Skills tagged with [model: ...] prefer a specific model — delegate to the corresponding coding agent when available.
+
+${skillSummaries}
+
+**To read full skill instructions:** \`cat .skills/*/SKILL.md\` to read the relevant SKILL.md file.
+
+---
+
+${this.getGenericSkillsInstructions()}`;
+    } catch (error) {
+      logger.error("Failed to get skills instructions", { error });
+      return this.getGenericSkillsInstructions();
+    }
+  }
+
+  private getGenericSkillsInstructions(): string {
+    return `## Skills
+
+Your available skills are listed above. To read full instructions for a skill, use: \`cat .skills/{skillName}/SKILL.md\``;
+  }
+}
+
+/**
+ * Provides information about network access rules and allowed domains
+ */
+class NetworkInstructionProvider implements InstructionProvider {
+  name = "network";
+  priority = 20;
+
+  getInstructions(_context: InstructionContext): string {
+    const allowedDomains = process.env.WORKER_ALLOWED_DOMAINS?.trim() || "";
+    const disallowedDomains =
+      process.env.WORKER_DISALLOWED_DOMAINS?.trim() || "";
+
+    // Unrestricted mode
+    if (allowedDomains === "*") {
+      if (disallowedDomains) {
+        const blockedList = disallowedDomains
+          .split(",")
+          .map((d) => `  - ${d.trim()}`)
+          .filter((d) => d.length > 4)
+          .join("\n");
+        return `## Network Access
+
+**Internet Access:** Unrestricted (all domains allowed)
+
+**Blocked domains:**
+${blockedList}
+
+You can access any external service except the blocked domains listed above.`;
+      }
+      return `## Network Access
+
+**Internet Access:** Unrestricted (all domains allowed)
+
+You can access any external service without restrictions.`;
+    }
+
+    // Complete isolation
+    if (!allowedDomains) {
+      return `## Network Access
+
+**Internet Access:** Complete isolation (no external access)
+
+You do NOT have access to the internet. All external requests (curl, wget, npm, pip, etc.) will fail. Network access is configured via lobu.toml or the gateway configuration APIs. Only local operations and MCP tools are available.`;
+    }
+
+    // Allowlist mode
+    const allowedList = allowedDomains
+      .split(",")
+      .map((d) => `  - ${d.trim()}`)
+      .filter((d) => d.length > 4)
+      .join("\n");
+
+    let instructions = `## Network Access
+
+**Internet Access:** Filtered (allowlist mode)
+
+**Allowed domains:**
+${allowedList}`;
+
+    if (disallowedDomains) {
+      const blockedList = disallowedDomains
+        .split(",")
+        .map((d) => `  - ${d.trim()}`)
+        .filter((d) => d.length > 4)
+        .join("\n");
+      instructions += `
+
+**Blocked domains:**
+${blockedList}`;
+    }
+
+    instructions += `
+
+You can only access the allowed domains listed above. All other external requests will be blocked by the proxy. Network access is configured via lobu.toml or the gateway configuration APIs. Plan your work accordingly and use available MCP tools when possible.`;
+
+    return instructions;
+  }
+}
+
+/**
+ * Aggregates session context data for workers
+ * Returns raw data (not built instructions) so workers can format as needed
+ */
+export class InstructionService {
+  private platformProviders = new Map<string, InstructionProvider>();
+  private mcpConfigService?: McpConfigService;
+  private agentSettingsStore?: AgentSettingsStore;
+  private skillsProvider: SkillsInstructionProvider;
+
+  constructor(
+    mcpConfigService?: McpConfigService,
+    agentSettingsStore?: AgentSettingsStore
+  ) {
+    this.mcpConfigService = mcpConfigService;
+    this.agentSettingsStore = agentSettingsStore;
+    this.skillsProvider = new SkillsInstructionProvider(agentSettingsStore);
+  }
+
+  /**
+   * Register a platform-specific instruction provider
+   * Called by platform adapters during initialization
+   */
+  registerPlatformProvider(
+    platform: string,
+    provider: InstructionProvider
+  ): void {
+    this.platformProviders.set(platform, provider);
+    logger.info(
+      `Registered instruction provider for platform: ${platform} (${provider.name})`
+    );
+  }
+
+  /**
+   * Get session context data for a worker
+   */
+  async getSessionContext(
+    platform: string,
+    context: InstructionContext,
+    options?: { settingsUrl?: string }
+  ): Promise<SessionContextData> {
+    // Get platform-specific instructions
+    let platformInstructions = "";
+    const platformProvider = this.platformProviders.get(platform);
+    if (platformProvider) {
+      try {
+        platformInstructions = await platformProvider.getInstructions(context);
+        logger.info(
+          `Got ${platform} platform instructions (${platformInstructions.length} chars)`
+        );
+      } catch (error) {
+        logger.error(
+          `Failed to get instructions from ${platform} provider:`,
+          error
+        );
+      }
+    }
+
+    // Get network access instructions
+    let networkInstructions = "";
+    const networkProvider = new NetworkInstructionProvider();
+    try {
+      networkInstructions = await networkProvider.getInstructions(context);
+      logger.info(
+        `Got network instructions (${networkInstructions.length} chars)`
+      );
+    } catch (error) {
+      logger.error("Failed to get network instructions:", error);
+    }
+
+    // Build agent instructions from identity/soul/user settings
+    let agentInstructions = "";
+    if (this.agentSettingsStore && context.agentId) {
+      try {
+        const settings = await this.agentSettingsStore.getSettings(
+          context.agentId
+        );
+        if (settings) {
+          const sections: string[] = [];
+          if (settings.identityMd?.trim()) {
+            sections.push(`## Agent Identity\n\n${settings.identityMd.trim()}`);
+          }
+          if (settings.soulMd?.trim()) {
+            sections.push(`## Agent Instructions\n\n${settings.soulMd.trim()}`);
+          }
+          if (settings.userMd?.trim()) {
+            sections.push(`## User Context\n\n${settings.userMd.trim()}`);
+          }
+          agentInstructions = sections.join("\n\n");
+        }
+
+        // When soul is unconfigured, tell the agent to defer to admin config.
+        if (!agentInstructions.trim()) {
+          agentInstructions = buildUnconfiguredAgentNotice(
+            options?.settingsUrl
+          );
+        }
+
+        logger.info(
+          `Built agent instructions (${agentInstructions.length} chars)`
+        );
+      } catch (error) {
+        logger.error("Failed to build agent instructions:", error);
+      }
+    }
+
+    // Get skills instructions (includes enabled skills from agent settings)
+    let skillsInstructions = "";
+    try {
+      skillsInstructions = await this.skillsProvider.getInstructions(context);
+      logger.info(
+        `Got skills instructions (${skillsInstructions.length} chars)`
+      );
+    } catch (error) {
+      logger.error("Failed to get skills instructions:", error);
+    }
+
+    // Get MCP status data
+    let mcpStatus: McpStatus[] = [];
+    if (this.mcpConfigService) {
+      try {
+        mcpStatus =
+          (await this.mcpConfigService.getMcpStatus(context.agentId)) || [];
+        logger.info(`Got MCP status for ${mcpStatus.length} MCPs`);
+      } catch (error) {
+        logger.error("Failed to get MCP status:", error);
+      }
+    }
+
+    return {
+      agentInstructions,
+      platformInstructions,
+      networkInstructions,
+      skillsInstructions,
+      mcpStatus,
+    };
+  }
+}

package/src/services/mcp-registry.ts

@@ -0,0 +1,94 @@
+import { createLogger } from "@lobu/core";
+import type { SystemConfigResolver } from "./system-config-resolver";
+
+const logger = createLogger("mcp-registry");
+
+/**
+ * MCP server entry from the registry
+ */
+export interface McpRegistryEntry {
+  id: string;
+  name: string;
+  description: string;
+  type: "oauth" | "stdio" | "sse" | "api-key";
+  config: Record<string, unknown>;
+  setupInstructions?: string;
+}
+
+/**
+ * Service for accessing the MCP server registry.
+ */
+export class McpRegistryService {
+  /**
+   * Curated list of popular MCPs for quick-add chips in the settings UI.
+   */
+  static readonly CURATED_MCP_IDS = [
+    "sentry",
+    "playwright",
+    "github",
+    "notion",
+    "linear",
+  ];
+
+  private registry: McpRegistryEntry[] = [];
+  private loaded = false;
+
+  constructor(private readonly resolver?: SystemConfigResolver) {}
+
+  private async ensureLoaded(): Promise<void> {
+    if (this.loaded) return;
+    this.loaded = true;
+
+    if (!this.resolver) {
+      logger.warn("MCP registry resolver not configured");
+      return;
+    }
+
+    const resolved = await this.resolver.getMcpRegistryServers();
+    this.registry = resolved.map((entry) => ({
+      id: entry.id,
+      name: entry.name,
+      description: entry.description,
+      type: entry.type,
+      config: entry.config,
+    }));
+
+    logger.info(`Loaded ${this.registry.length} MCPs from resolver`);
+  }
+
+  async getCurated(): Promise<McpRegistryEntry[]> {
+    await this.ensureLoaded();
+
+    const curated = this.registry.filter((mcp) =>
+      McpRegistryService.CURATED_MCP_IDS.includes(mcp.id)
+    );
+
+    return curated.length > 0 ? curated : this.registry.slice(0, 5);
+  }
+
+  async search(query: string, limit = 20): Promise<McpRegistryEntry[]> {
+    await this.ensureLoaded();
+
+    const trimmed = query.toLowerCase().trim();
+    if (!trimmed) return this.registry.slice(0, limit);
+
+    return this.registry
+      .filter(
+        (entry) =>
+          entry.name.toLowerCase().includes(trimmed) ||
+          entry.description.toLowerCase().includes(trimmed) ||
+          entry.id.toLowerCase().includes(trimmed)
+      )
+      .slice(0, limit);
+  }
+
+  async getAll(): Promise<McpRegistryEntry[]> {
+    await this.ensureLoaded();
+    return this.registry;
+  }
+
+  async getById(id: string): Promise<McpRegistryEntry | null> {
+    await this.ensureLoaded();
+    return this.registry.find((entry) => entry.id === id) || null;
+  }
+}