@lobu/gateway 3.0.7 → 3.0.9

package/src/auth/external/device-code-client.ts

@@ -10,6 +10,8 @@ export interface DeviceCodeClientConfig {
   tokenUrl: string;
   deviceAuthorizationUrl: string;
   scope: string;
+  /** RFC 8707 resource indicator included in token requests. */
+  resource?: string;
   tokenEndpointAuthMethod?:
     | "none"
     | "client_secret_post"
@@ -68,10 +70,14 @@ export class GenericDeviceCodeClient extends BaseOAuth2Client {
   }
 
   async requestDeviceCode(): Promise<DeviceAuthorizationStartResult> {
-    const { headers, body } = this.buildAuthenticatedFormBody({
+    const params: Record<string, string> = {
       client_id: this.config.clientId,
       scope: this.config.scope,
-    });
+    };
+    if (this.config.resource) {
+      params.resource = this.config.resource;
+    }
+    const { headers, body } = this.buildAuthenticatedFormBody(params);
 
     const response = await fetch(this.config.deviceAuthorizationUrl, {
       method: "POST",
@@ -103,11 +109,15 @@ export class GenericDeviceCodeClient extends BaseOAuth2Client {
     deviceAuthId: string,
     intervalSeconds?: number
   ): Promise<DeviceAuthorizationPollResult> {
-    const { headers, body } = this.buildAuthenticatedFormBody({
+    const params: Record<string, string> = {
       grant_type: DEVICE_CODE_GRANT_TYPE,
       device_code: deviceAuthId,
       client_id: this.config.clientId,
-    });
+    };
+    if (this.config.resource) {
+      params.resource = this.config.resource;
+    }
+    const { headers, body } = this.buildAuthenticatedFormBody(params);
 
     const response = await fetch(this.config.tokenUrl, {
       method: "POST",

package/src/auth/mcp/config-service.ts

@@ -1,4 +1,8 @@
-import { createLogger, verifyWorkerToken } from "@lobu/core";
+import {
+  type McpOAuthConfig,
+  createLogger,
+  verifyWorkerToken,
+} from "@lobu/core";
 import type { SystemConfigResolver } from "../../services/system-config-resolver";
 import type { AgentSettingsStore } from "../settings/agent-settings-store";
 
@@ -10,14 +14,12 @@ interface McpInput {
   description: string;
 }
 
-interface HttpMcpServerConfig {
+export interface HttpMcpServerConfig {
   id: string;
   upstreamUrl: string;
-  oauth?: unknown;
+  oauth?: McpOAuthConfig;
   inputs?: McpInput[];
   headers?: Record<string, string>;
-  loginUrl?: string;
-  resource?: string;
 }
 
 interface WorkerMcpConfig {
@@ -182,9 +184,7 @@ export class McpConfigService {
     const statuses: McpStatus[] = [];
 
     for (const [id, httpServer] of httpServers) {
-      const hasOAuth = !!httpServer.oauth;
-      const hasLoginUrl = !!httpServer.loginUrl;
-      const requiresAuth = hasOAuth || hasLoginUrl;
+      const requiresAuth = !!httpServer.oauth;
       const requiresInput = !!(
         httpServer.inputs && httpServer.inputs.length > 0
       );
@@ -280,6 +280,45 @@ export class McpConfigService {
   }
 }
 
+/**
+ * Parse and validate an oauth config from raw MCP server config.
+ * Handles backward compat: migrates top-level `resource` into `oauth.resource`,
+ * and treats `loginUrl` presence as `oauth: {}` (requiresAuth flag).
+ */
+function parseOAuthConfig(raw: any): McpOAuthConfig | undefined {
+  const hasLoginUrl = typeof raw.loginUrl === "string";
+  const hasOAuth = raw.oauth && typeof raw.oauth === "object";
+
+  if (!hasOAuth && !hasLoginUrl && typeof raw.resource !== "string") {
+    return undefined;
+  }
+
+  const config: McpOAuthConfig = {};
+
+  if (hasOAuth) {
+    const obj = raw.oauth;
+    if (typeof obj.authUrl === "string") config.authUrl = obj.authUrl;
+    if (typeof obj.tokenUrl === "string") config.tokenUrl = obj.tokenUrl;
+    if (typeof obj.clientId === "string") config.clientId = obj.clientId;
+    if (typeof obj.clientSecret === "string")
+      config.clientSecret = obj.clientSecret;
+    if (Array.isArray(obj.scopes))
+      config.scopes = obj.scopes.filter((s: unknown) => typeof s === "string");
+    if (typeof obj.deviceAuthorizationUrl === "string")
+      config.deviceAuthorizationUrl = obj.deviceAuthorizationUrl;
+    if (typeof obj.registrationUrl === "string")
+      config.registrationUrl = obj.registrationUrl;
+    if (typeof obj.resource === "string") config.resource = obj.resource;
+  }
+
+  // Migrate top-level resource into oauth.resource (backward compat)
+  if (typeof raw.resource === "string" && !config.resource) {
+    config.resource = raw.resource;
+  }
+
+  return config;
+}
+
 function normalizeConfig(config: { mcpServers: Record<string, any> }) {
   const rawServers: Record<string, any> = {};
   const httpServers = new Map<string, HttpMcpServerConfig>();
@@ -296,10 +335,7 @@ function normalizeConfig(config: { mcpServers: Record<string, any> }) {
       httpServers.set(id, {
         id,
         upstreamUrl: cloned.url,
-        oauth:
-          cloned.oauth && typeof cloned.oauth === "object"
-            ? cloned.oauth
-            : undefined,
+        oauth: parseOAuthConfig(cloned),
         inputs: Array.isArray(cloned.inputs)
           ? cloned.inputs.filter(
               (input: any) =>
@@ -312,10 +348,6 @@ function normalizeConfig(config: { mcpServers: Record<string, any> }) {
           cloned.headers && typeof cloned.headers === "object"
             ? cloned.headers
             : undefined,
-        loginUrl:
-          typeof cloned.loginUrl === "string" ? cloned.loginUrl : undefined,
-        resource:
-          typeof cloned.resource === "string" ? cloned.resource : undefined,
       });
     }
   }
@@ -343,10 +375,7 @@ function toHttpServerConfig(
   return {
     id,
     upstreamUrl: cloned.url,
-    oauth:
-      cloned.oauth && typeof cloned.oauth === "object"
-        ? cloned.oauth
-        : undefined,
+    oauth: parseOAuthConfig(cloned),
     inputs: Array.isArray(cloned.inputs)
       ? cloned.inputs.filter(
           (input: any) =>
@@ -357,7 +386,6 @@ function toHttpServerConfig(
       cloned.headers && typeof cloned.headers === "object"
         ? cloned.headers
         : undefined,
-    loginUrl: typeof cloned.loginUrl === "string" ? cloned.loginUrl : undefined,
   };
 }
 

package/src/auth/mcp/proxy.ts

@@ -85,11 +85,9 @@ interface JsonRpcResponse {
 interface HttpMcpServerConfig {
   id: string;
   upstreamUrl: string;
-  oauth?: unknown;
+  oauth?: import("@lobu/core").McpOAuthConfig;
   inputs?: unknown[];
   headers?: Record<string, string>;
-  loginUrl?: string;
-  resource?: string;
 }
 
 interface McpConfigSource {

package/src/cli/gateway.ts

@@ -136,6 +136,14 @@ export function createGatewayApp(
     logger.debug("Secret proxy enabled at :8080/api/proxy");
   }
 
+  if (coreServices) {
+    const bedrockOpenAIService = coreServices.getBedrockOpenAIService?.();
+    if (bedrockOpenAIService) {
+      app.route("/api/bedrock", bedrockOpenAIService.getApp());
+      logger.debug("Bedrock routes enabled at :8080/api/bedrock/*");
+    }
+  }
+
   // Worker Gateway routes (Hono)
   if (workerGateway) {
     app.route("/worker", workerGateway.getApp());

package/src/cli/index.ts

@@ -34,8 +34,8 @@ async function main() {
         initTracing({
           serviceName: "lobu-gateway",
           serviceVersion: process.env.npm_package_version || "2.0.0",
-          tempoEndpoint: process.env.TEMPO_ENDPOINT,
-          enabled: !!process.env.TEMPO_ENDPOINT,
+          otlpEndpoint: process.env.OTEL_EXPORTER_OTLP_ENDPOINT,
+          enabled: !!process.env.OTEL_EXPORTER_OTLP_ENDPOINT,
         });
 
         const config = buildGatewayConfig();

package/src/connections/message-handler-bridge.ts

@@ -4,7 +4,12 @@
  * settings links, allowlist, audio transcription, etc.
  */
 
-import { createLogger, generateTraceId } from "@lobu/core";
+import {
+  createLogger,
+  createRootSpan,
+  flushTracing,
+  generateTraceId,
+} from "@lobu/core";
 import type Redis from "ioredis";
 import type { CommandDispatcher } from "../commands/command-dispatcher";
 import { createChatReply } from "../commands/command-reply-adapters";
@@ -290,62 +295,82 @@ class MessageHandlerBridge {
     const traceId = generateTraceId(messageId);
     const agentSettingsStore = this.services.getAgentSettingsStore();
 
-    // Check if agent has any provider credentials before enqueuing
-    if (!(await hasConfiguredProvider(agentId, agentSettingsStore))) {
-      await thread.post(
-        "No AI provider is configured yet. Provider setup is not available in the end-user chat flow yet. Ask an admin to connect a provider for the base agent."
-      );
-      return;
-    }
+    // Create root span for distributed tracing
+    const { span: rootSpan, traceparent } = createRootSpan("message_received", {
+      "lobu.agent_id": agentId,
+      "lobu.message_id": messageId,
+      "lobu.platform": platform,
+      "lobu.connection_id": this.connection.id,
+    });
 
-    const agentOptions = await resolveAgentOptions(
-      agentId,
-      {},
-      agentSettingsStore
-    );
+    try {
+      // Check if agent has any provider credentials before enqueuing
+      if (!(await hasConfiguredProvider(agentId, agentSettingsStore))) {
+        await thread.post(
+          "No AI provider is configured yet. Provider setup is not available in the end-user chat flow yet. Ask an admin to connect a provider for the base agent."
+        );
+        return;
+      }
 
-    const payload = buildMessagePayload({
-      platform,
-      userId,
-      botId: platform,
-      conversationId: isGroup ? messageId : channelId,
-      teamId: isGroup ? channelId : platform,
-      agentId,
-      messageId,
-      messageText,
-      channelId,
-      platformMetadata: {
-        traceId,
+      const agentOptions = await resolveAgentOptions(
         agentId,
-        chatId: channelId,
-        senderId: userId,
-        senderUsername: message.author?.userName,
-        senderDisplayName: message.author?.fullName,
-        isGroup,
-        connectionId: this.connection.id,
-        responseChannel: channelId,
-        responseId: messageId,
-        responseThreadId: thread.id,
-        conversationHistory:
-          conversationHistory.length > 0 ? conversationHistory : undefined,
-        ...(sessionReset && { sessionReset: true }),
-      },
-      agentOptions,
-    });
+        {},
+        agentSettingsStore
+      );
 
-    const queueProducer = this.services.getQueueProducer();
-    await queueProducer.enqueueMessage(payload);
+      const payload = buildMessagePayload({
+        platform,
+        userId,
+        botId: platform,
+        conversationId: isGroup ? messageId : channelId,
+        teamId: isGroup ? channelId : platform,
+        agentId,
+        messageId,
+        messageText,
+        channelId,
+        platformMetadata: {
+          traceId,
+          traceparent: traceparent || undefined,
+          agentId,
+          chatId: channelId,
+          senderId: userId,
+          senderUsername: message.author?.userName,
+          senderDisplayName: message.author?.fullName,
+          isGroup,
+          connectionId: this.connection.id,
+          responseChannel: channelId,
+          responseId: messageId,
+          responseThreadId: thread.id,
+          conversationHistory:
+            conversationHistory.length > 0 ? conversationHistory : undefined,
+          ...(sessionReset && { sessionReset: true }),
+        },
+        agentOptions,
+      });
+
+      const queueProducer = this.services.getQueueProducer();
+      await queueProducer.enqueueMessage(payload);
 
-    logger.info(
-      { traceId, messageId, agentId, connectionId: this.connection.id },
-      "Message enqueued via Chat SDK bridge"
-    );
+      logger.info(
+        {
+          traceId,
+          traceparent,
+          messageId,
+          agentId,
+          connectionId: this.connection.id,
+        },
+        "Message enqueued via Chat SDK bridge"
+      );
 
-    // Show typing indicator
-    try {
-      await thread.startTyping?.("Processing...");
-    } catch {
-      // best effort
+      // Show typing indicator
+      try {
+        await thread.startTyping?.("Processing...");
+      } catch {
+        // best effort
+      }
+    } finally {
+      rootSpan?.end();
+      void flushTracing();
     }
   }
 

package/src/gateway/index.ts

@@ -662,9 +662,7 @@ export class WorkerGateway {
     if (primaryProvider) {
       result.credentialEnvVarName = primaryProvider.getCredentialEnvVarName();
       const upstream = primaryProvider.getUpstreamConfig?.();
-      if (upstream?.slug) {
-        result.defaultProvider = upstream.slug;
-      }
+      result.defaultProvider = upstream?.slug || primaryProvider.providerId;
     }
 
     if (agentModel) {

package/src/orchestration/base-deployment-manager.ts

@@ -480,15 +480,15 @@ export abstract class BaseDeploymentManager {
       envVars.TRACE_ID = traceId;
     }
 
-    // Add Tempo endpoint for distributed tracing
-    const tempoEndpoint = process.env.TEMPO_ENDPOINT;
-    if (tempoEndpoint) {
-      envVars.TEMPO_ENDPOINT = tempoEndpoint;
+    // Add OTLP endpoint for distributed tracing
+    const otlpEndpoint = process.env.OTEL_EXPORTER_OTLP_ENDPOINT;
+    if (otlpEndpoint) {
+      envVars.OTEL_EXPORTER_OTLP_ENDPOINT = otlpEndpoint;
       try {
-        const tempoUrl = new URL(tempoEndpoint);
-        envVars.NO_PROXY = `${envVars.NO_PROXY},${tempoUrl.hostname}`;
+        const otlpUrl = new URL(otlpEndpoint);
+        envVars.NO_PROXY = `${envVars.NO_PROXY},${otlpUrl.hostname}`;
       } catch {
-        envVars.NO_PROXY = `${envVars.NO_PROXY},lobu-tempo`;
+        envVars.NO_PROXY = `${envVars.NO_PROXY},tempo`;
       }
     }
 

package/src/platform/unified-thread-consumer.ts

@@ -4,7 +4,7 @@
  * via the PlatformRegistry, eliminating duplicate queue filtering logic.
  */
 
-import { createLogger } from "@lobu/core";
+import { createChildSpan, createLogger, flushTracing } from "@lobu/core";
 import type { ChatResponseBridge } from "../connections/chat-response-bridge";
 import type {
   IMessageQueue,
@@ -77,61 +77,68 @@ export class UnifiedThreadResponseConsumer {
       return;
     }
 
-    // Check if this response belongs to a Chat SDK connection — handle before legacy routing
-    if (this.chatResponseBridge?.canHandle(data)) {
-      const sessionKey = `${data.userId}:${data.originalMessageId || data.messageId}`;
-      try {
+    // Create child span for response processing (linked to original trace)
+    const traceparent = data.platformMetadata?.traceparent as
+      | string
+      | undefined;
+    const span = createChildSpan("response_delivery", traceparent, {
+      "lobu.message_id": data.messageId,
+      "lobu.user_id": data.userId,
+      "lobu.platform": data.platform || data.teamId || "unknown",
+    });
+
+    try {
+      // Check if this response belongs to a Chat SDK connection — handle before legacy routing
+      if (this.chatResponseBridge?.canHandle(data)) {
+        const sessionKey = `${data.userId}:${data.originalMessageId || data.messageId}`;
         await this.routeToRenderer(this.chatResponseBridge, data, sessionKey);
-      } catch (error) {
-        logger.error("Error processing Chat SDK response:", error);
-        throw error;
+        return;
       }
-      return;
-    }
 
-    // Use platform field, fall back to teamId
-    const platformName = data.platform || data.teamId;
-    if (!platformName) {
-      logger.warn(
-        `Missing platform in thread response for message ${data.messageId}, skipping`
-      );
-      return;
-    }
+      // Use platform field, fall back to teamId
+      const platformName = data.platform || data.teamId;
+      if (!platformName) {
+        logger.warn(
+          `Missing platform in thread response for message ${data.messageId}, skipping`
+        );
+        return;
+      }
 
-    // Get platform adapter from registry
-    const platform = this.platformRegistry.get(platformName);
-    if (!platform) {
-      logger.warn(
-        `No platform adapter registered for: ${platformName}, skipping message ${data.messageId}`
-      );
-      return;
-    }
+      // Get platform adapter from registry
+      const platform = this.platformRegistry.get(platformName);
+      if (!platform) {
+        logger.warn(
+          `No platform adapter registered for: ${platformName}, skipping message ${data.messageId}`
+        );
+        return;
+      }
 
-    // Get renderer from platform
-    const renderer = platform.getResponseRenderer?.();
-    if (!renderer) {
-      logger.warn(
-        `Platform ${platformName} does not provide a response renderer, skipping message ${data.messageId}`
-      );
-      return;
-    }
+      // Get renderer from platform
+      const renderer = platform.getResponseRenderer?.();
+      if (!renderer) {
+        logger.warn(
+          `Platform ${platformName} does not provide a response renderer, skipping message ${data.messageId}`
+        );
+        return;
+      }
 
-    // Create session key for tracking
-    const sessionKey = `${data.userId}:${data.originalMessageId || data.messageId}`;
+      // Create session key for tracking
+      const sessionKey = `${data.userId}:${data.originalMessageId || data.messageId}`;
 
-    logger.info(
-      `Processing thread response for platform=${platformName}, message=${data.messageId}, session=${sessionKey}`
-    );
+      logger.info(
+        `Processing thread response for platform=${platformName}, message=${data.messageId}, session=${sessionKey}`
+      );
 
-    try {
       await this.routeToRenderer(renderer, data, sessionKey);
     } catch (error) {
       logger.error(
-        `Error processing thread response for ${platformName}:`,
+        `Error processing thread response for message ${data.messageId}:`,
         error
       );
-      // Let queue handle retry logic
       throw error;
+    } finally {
+      span?.end();
+      void flushTracing();
     }
   }