@naisys/supervisor 3.0.0-beta.6

package/dist/routes/users.js

@@ -0,0 +1,420 @@
+import { ChangePasswordSchema, CreateAgentUserSchema, CreateUserSchema, GrantPermissionSchema, PermissionEnum, UpdateUserSchema, } from "@naisys/supervisor-shared";
+import { z } from "zod/v4";
+import { authCache, requirePermission } from "../auth-middleware.js";
+import { conflict, notFound } from "../error-helpers.js";
+import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
+import { getHubAgentById, getHubAgentByUuid, } from "../services/agentService.js";
+import * as userService from "../services/userService.js";
+function userItemLinks(username, agentUsername) {
+    const links = [
+        selfLink(`/users/${username}`),
+        collectionLink("users"),
+        schemaLink("UpdateUser"),
+    ];
+    if (agentUsername != null) {
+        links.push({
+            rel: "agent",
+            href: `${API_PREFIX}/agents/${agentUsername}`,
+            title: "View Agent",
+        });
+    }
+    return links;
+}
+function userActions(username, isSelf, isAdmin) {
+    const href = `${API_PREFIX}/users/${username}`;
+    const actions = [];
+    // Admins can edit any user (username + password)
+    if (isAdmin) {
+        actions.push({
+            rel: "update",
+            href,
+            method: "PUT",
+            title: "Update",
+            schema: `${API_PREFIX}/schemas/UpdateUser`,
+            body: { username: "" },
+        });
+    }
+    // Any authenticated user can change their own password
+    if (isSelf) {
+        actions.push({
+            rel: "change-password",
+            href: `${API_PREFIX}/users/me/password`,
+            method: "POST",
+            title: "Change Password",
+            schema: `${API_PREFIX}/schemas/ChangePassword`,
+            body: { password: "" },
+        });
+    }
+    if (isAdmin) {
+        actions.push({
+            rel: "grant-permission",
+            href: `${href}/permissions`,
+            method: "POST",
+            title: "Grant Permission",
+            schema: `${API_PREFIX}/schemas/GrantPermission`,
+            body: { permission: "" },
+        });
+        actions.push({
+            rel: "rotate-key",
+            href: `${href}/rotate-key`,
+            method: "POST",
+            title: "Rotate API Key",
+        });
+        if (!isSelf) {
+            actions.push({
+                rel: "delete",
+                href,
+                method: "DELETE",
+                title: "Delete",
+            });
+        }
+    }
+    return actions;
+}
+function permissionActions(username, permission, isSelf, isAdmin) {
+    if (!isAdmin)
+        return [];
+    const actions = [];
+    // Cannot revoke own supervisor_admin
+    if (!(isSelf && permission === "supervisor_admin")) {
+        actions.push({
+            rel: "revoke",
+            href: `${API_PREFIX}/users/${username}/permissions/${permission}`,
+            method: "DELETE",
+            title: "Revoke",
+        });
+    }
+    return actions;
+}
+function formatUser(user, currentUserId, currentUserPermissions, options) {
+    if (!user)
+        return null;
+    const isSelf = user.id === currentUserId;
+    const isAdmin = currentUserPermissions.includes("supervisor_admin");
+    return {
+        id: user.id,
+        username: user.username,
+        isAgent: user.isAgent,
+        createdAt: user.createdAt.toISOString(),
+        updatedAt: user.updatedAt.toISOString(),
+        apiKey: isAdmin ? (options?.apiKey ?? null) : undefined,
+        permissions: user.permissions.map((p) => ({
+            permission: p.permission,
+            grantedAt: p.grantedAt.toISOString(),
+            grantedBy: p.grantedBy,
+            _actions: permissionActions(user.username, p.permission, isSelf, isAdmin),
+        })),
+        _links: userItemLinks(user.username, options?.agentUsername),
+        _actions: userActions(user.username, isSelf, isAdmin),
+    };
+}
+function formatListUser(user) {
+    return {
+        id: user.id,
+        uuid: user.uuid,
+        username: user.username,
+        isAgent: user.isAgent,
+        createdAt: user.createdAt.toISOString(),
+        permissionCount: user.permissions.length,
+    };
+}
+export default function userRoutes(fastify, _options) {
+    const app = fastify.withTypeProvider();
+    const adminPreHandler = [requirePermission("supervisor_admin")];
+    const requireAdminOrSelf = async (request, reply) => {
+        if (!request.supervisorUser) {
+            reply.status(401).send({
+                statusCode: 401,
+                error: "Unauthorized",
+                message: "Authentication required",
+            });
+            return;
+        }
+        const isAdmin = request.supervisorUser.permissions.includes("supervisor_admin");
+        const isSelf = request.params.username === request.supervisorUser.username;
+        if (!isAdmin && !isSelf) {
+            reply.status(403).send({
+                statusCode: 403,
+                error: "Forbidden",
+                message: "Permission 'supervisor_admin' required",
+            });
+            return;
+        }
+    };
+    // LIST USERS
+    app.get("/", {
+        preHandler: adminPreHandler,
+        schema: {
+            description: "List all users with pagination",
+            tags: ["Users"],
+            querystring: z.object({
+                page: z.coerce.number().int().min(1).default(1),
+                pageSize: z.coerce.number().int().min(1).max(100).default(20),
+                search: z.string().optional(),
+            }),
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request) => {
+        const { page, pageSize, search } = request.query;
+        const result = await userService.listUsers({ page, pageSize, search });
+        const actions = [
+            {
+                rel: "create",
+                href: `${API_PREFIX}/users`,
+                method: "POST",
+                title: "Create User",
+                schema: `${API_PREFIX}/schemas/CreateUser`,
+                body: { username: "", password: "" },
+            },
+            {
+                rel: "create-from-agent",
+                href: `${API_PREFIX}/users/from-agent`,
+                method: "POST",
+                title: "Import User from Agent",
+                schema: `${API_PREFIX}/schemas/CreateAgentUser`,
+                body: { agentId: 0 },
+            },
+        ];
+        return {
+            items: result.items.map(formatListUser),
+            total: result.total,
+            pageSize: result.pageSize,
+            _links: paginationLinks("users", page, pageSize, result.total, {
+                search,
+            }),
+            _linkTemplates: [
+                { rel: "item", hrefTemplate: `${API_PREFIX}/users/{username}` },
+            ],
+            _actions: actions,
+        };
+    });
+    // CHANGE OWN PASSWORD (must be registered before /:username routes)
+    app.post("/me/password", {
+        schema: {
+            description: "Change the current user's password",
+            tags: ["Users"],
+            body: ChangePasswordSchema,
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        if (!request.supervisorUser) {
+            reply.status(401).send({
+                statusCode: 401,
+                error: "Unauthorized",
+                message: "Authentication required",
+            });
+            return;
+        }
+        await userService.updateUser(request.supervisorUser.id, {
+            password: request.body.password,
+        });
+        authCache.clear();
+        return { success: true, message: "Password changed" };
+    });
+    // CREATE USER
+    app.post("/", {
+        preHandler: adminPreHandler,
+        schema: {
+            description: "Create a new user",
+            tags: ["Users"],
+            body: CreateUserSchema,
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        try {
+            const user = await userService.createUserWithPassword(request.body);
+            reply.code(201);
+            return {
+                success: true,
+                message: "User created",
+                id: user.id,
+                username: user.username,
+            };
+        }
+        catch (err) {
+            if (err instanceof Error && err.message.includes("Unique constraint")) {
+                return conflict(reply, "Username already exists");
+            }
+            throw err;
+        }
+    });
+    // CREATE AGENT USER (from hub agent)
+    app.post("/from-agent", {
+        preHandler: adminPreHandler,
+        schema: {
+            description: "Create a supervisor user from an existing hub agent",
+            tags: ["Users"],
+            body: CreateAgentUserSchema,
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        const { agentId } = request.body;
+        const hubAgent = await getHubAgentById(agentId);
+        if (!hubAgent) {
+            return notFound(reply, "Agent not found");
+        }
+        const existingByUuid = await userService.getUserByUuid(hubAgent.uuid);
+        if (existingByUuid) {
+            return conflict(reply, "A user with this agent's UUID already exists");
+        }
+        const existingByUsername = await userService.getUserByUsername(hubAgent.username);
+        if (existingByUsername) {
+            return conflict(reply, "Username already exists");
+        }
+        const user = await userService.createUserForAgent(hubAgent.username, hubAgent.uuid);
+        reply.code(201);
+        return {
+            success: true,
+            message: "Agent user created",
+            id: user.id,
+            username: user.username,
+        };
+    });
+    const usernameParams = z.object({ username: z.string() });
+    // GET USER (admin or self)
+    app.get("/:username", {
+        preHandler: [requireAdminOrSelf],
+        schema: {
+            description: "Get user details",
+            tags: ["Users"],
+            params: usernameParams,
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        const user = await userService.getUserByUsernameWithPermissions(request.params.username);
+        if (!user) {
+            return notFound(reply, "User not found");
+        }
+        let agentUsername = null;
+        if (user.isAgent && user.uuid) {
+            const hubAgent = await getHubAgentByUuid(user.uuid);
+            agentUsername = hubAgent?.username ?? null;
+        }
+        const apiKey = await userService.getUserApiKey(user.id);
+        return formatUser(user, request.supervisorUser.id, request.supervisorUser.permissions, { agentUsername, apiKey });
+    });
+    // UPDATE USER (admin can update any field; non-admin can only change own password)
+    app.put("/:username", {
+        preHandler: [requireAdminOrSelf],
+        schema: {
+            description: "Update a user",
+            tags: ["Users"],
+            params: usernameParams,
+            body: UpdateUserSchema,
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        const targetUser = await userService.getUserByUsernameWithPermissions(request.params.username);
+        if (!targetUser) {
+            return notFound(reply, "User not found");
+        }
+        const isAdmin = request.supervisorUser.permissions.includes("supervisor_admin");
+        // Non-admins can only change their own password
+        const body = isAdmin ? request.body : { password: request.body.password };
+        try {
+            await userService.updateUser(targetUser.id, body);
+            authCache.clear();
+            return { success: true, message: "User updated" };
+        }
+        catch (err) {
+            if (err instanceof Error && err.message.includes("Unique constraint")) {
+                return conflict(reply, "Username already exists");
+            }
+            throw err;
+        }
+    });
+    // DELETE USER
+    app.delete("/:username", {
+        preHandler: adminPreHandler,
+        schema: {
+            description: "Delete a user",
+            tags: ["Users"],
+            params: usernameParams,
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        if (request.params.username === request.supervisorUser.username) {
+            return conflict(reply, "Cannot delete yourself");
+        }
+        const targetUser = await userService.getUserByUsernameWithPermissions(request.params.username);
+        if (!targetUser) {
+            return notFound(reply, "User not found");
+        }
+        await userService.deleteUser(targetUser.id);
+        authCache.clear();
+        return { success: true, message: "User deleted" };
+    });
+    // ROTATE API KEY
+    app.post("/:username/rotate-key", {
+        preHandler: adminPreHandler,
+        schema: {
+            description: "Rotate a user's API key",
+            tags: ["Users"],
+            params: usernameParams,
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        const targetUser = await userService.getUserByUsernameWithPermissions(request.params.username);
+        if (!targetUser) {
+            return notFound(reply, "User not found");
+        }
+        await userService.rotateUserApiKey(targetUser.id);
+        authCache.clear();
+        return { success: true, message: "API key rotated" };
+    });
+    // GRANT PERMISSION
+    app.post("/:username/permissions", {
+        preHandler: adminPreHandler,
+        schema: {
+            description: "Grant a permission to a user",
+            tags: ["Users"],
+            params: usernameParams,
+            body: GrantPermissionSchema,
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        const targetUser = await userService.getUserByUsernameWithPermissions(request.params.username);
+        if (!targetUser) {
+            return notFound(reply, "User not found");
+        }
+        try {
+            await userService.grantPermission(targetUser.id, request.body.permission, request.supervisorUser.id);
+            authCache.clear();
+            return { success: true, message: "Permission granted" };
+        }
+        catch (err) {
+            if (err instanceof Error && err.message.includes("Unique constraint")) {
+                return conflict(reply, "Permission already granted");
+            }
+            throw err;
+        }
+    });
+    // REVOKE PERMISSION
+    app.delete("/:username/permissions/:permission", {
+        preHandler: adminPreHandler,
+        schema: {
+            description: "Revoke a permission from a user",
+            tags: ["Users"],
+            params: z.object({
+                username: z.string(),
+                permission: PermissionEnum,
+            }),
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        const { username, permission } = request.params;
+        // Cannot revoke own supervisor_admin
+        if (username === request.supervisorUser.username &&
+            permission === "supervisor_admin") {
+            return conflict(reply, "Cannot revoke your own supervisor_admin permission");
+        }
+        const targetUser = await userService.getUserByUsernameWithPermissions(username);
+        if (!targetUser) {
+            return notFound(reply, "User not found");
+        }
+        await userService.revokePermission(targetUser.id, permission);
+        authCache.clear();
+        return { success: true, message: "Permission revoked" };
+    });
+}
+//# sourceMappingURL=users.js.map

package/dist/routes/variables.js

@@ -0,0 +1,103 @@
+import { DeleteVariableParamsSchema, DeleteVariableResponseSchema, ErrorResponseSchema, SaveVariableRequestSchema, SaveVariableResponseSchema, VariablesResponseSchema, } from "@naisys/supervisor-shared";
+import { hasPermission, requirePermission } from "../auth-middleware.js";
+import { API_PREFIX } from "../hateoas.js";
+import { sendVariablesChanged } from "../services/hubConnectionService.js";
+import { deleteVariable, getVariables, saveVariable, } from "../services/variableService.js";
+function variableActions(hasManagePermission) {
+    const actions = [];
+    if (hasManagePermission) {
+        actions.push({
+            rel: "save",
+            href: `${API_PREFIX}/variables/:key`,
+            method: "PUT",
+            title: "Save Variable",
+            schema: `${API_PREFIX}/schemas/SaveVariable`,
+            body: { value: "", exportToShell: false },
+        }, {
+            rel: "delete",
+            href: `${API_PREFIX}/variables/:key`,
+            method: "DELETE",
+            title: "Delete Variable",
+        });
+    }
+    return actions;
+}
+export default function variablesRoutes(fastify, _options) {
+    // GET / — list all variables
+    fastify.get("/", {
+        preHandler: [requirePermission("manage_variables")],
+        schema: {
+            description: "List all variables",
+            tags: ["Variables"],
+            response: {
+                200: VariablesResponseSchema,
+                500: ErrorResponseSchema,
+            },
+        },
+    }, async (request, _reply) => {
+        const items = await getVariables();
+        const hasManagePermission = hasPermission(request.supervisorUser, "manage_variables");
+        const actions = variableActions(hasManagePermission);
+        return {
+            items: items.map((v) => ({
+                key: v.key,
+                value: v.value,
+                exportToShell: v.export_to_shell,
+            })),
+            _actions: actions.length > 0 ? actions : undefined,
+        };
+    });
+    // PUT /:key — upsert a variable
+    fastify.put("/:key", {
+        preHandler: [requirePermission("manage_variables")],
+        schema: {
+            description: "Create or update a variable",
+            tags: ["Variables"],
+            params: DeleteVariableParamsSchema,
+            body: SaveVariableRequestSchema,
+            response: {
+                200: SaveVariableResponseSchema,
+                400: ErrorResponseSchema,
+                500: ErrorResponseSchema,
+            },
+        },
+    }, async (request, reply) => {
+        try {
+            const { key } = request.params;
+            const { value, exportToShell } = request.body;
+            const result = await saveVariable(key, value, exportToShell, request.supervisorUser.uuid);
+            sendVariablesChanged();
+            return result;
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to save variable";
+            return reply.code(500).send({ success: false, message });
+        }
+    });
+    // DELETE /:key — delete a variable
+    fastify.delete("/:key", {
+        preHandler: [requirePermission("manage_variables")],
+        schema: {
+            description: "Delete a variable",
+            tags: ["Variables"],
+            params: DeleteVariableParamsSchema,
+            response: {
+                200: DeleteVariableResponseSchema,
+                400: ErrorResponseSchema,
+                500: ErrorResponseSchema,
+            },
+        },
+    }, async (request, reply) => {
+        try {
+            const { key } = request.params;
+            const result = await deleteVariable(key);
+            sendVariablesChanged();
+            return result;
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Failed to delete variable";
+            return reply.code(500).send({ success: false, message });
+        }
+    });
+}
+//# sourceMappingURL=variables.js.map

package/dist/schema-registry.js

@@ -0,0 +1,23 @@
+import { AgentStartRequestSchema, ChangePasswordSchema, CreateAgentConfigRequestSchema, CreateUserSchema, GrantPermissionSchema, LoginRequestSchema, SaveImageModelRequestSchema, SaveLlmModelRequestSchema, SaveVariableRequestSchema, SendChatRequestSchema, SendMailRequestSchema, SetLeadAgentRequestSchema, UpdateAgentConfigRequestSchema, UpdateUserSchema, } from "@naisys/supervisor-shared";
+import { z } from "zod/v4";
+export const schemaRegistry = {
+    CreateAgent: CreateAgentConfigRequestSchema,
+    UpdateAgentConfig: UpdateAgentConfigRequestSchema,
+    StartAgent: AgentStartRequestSchema,
+    SetLeadAgent: SetLeadAgentRequestSchema,
+    SendChat: SendChatRequestSchema,
+    SendMail: SendMailRequestSchema,
+    ChangePassword: ChangePasswordSchema,
+    CreateUser: CreateUserSchema,
+    UpdateUser: UpdateUserSchema,
+    GrantPermission: GrantPermissionSchema,
+    LoginRequest: LoginRequestSchema,
+    SaveLlmModel: SaveLlmModelRequestSchema,
+    SaveImageModel: SaveImageModelRequestSchema,
+    SaveVariable: SaveVariableRequestSchema,
+};
+// Register schemas with Zod global registry for OpenAPI components/schemas population
+for (const [name, schema] of Object.entries(schemaRegistry)) {
+    z.globalRegistry.add(schema, { id: name });
+}
+//# sourceMappingURL=schema-registry.js.map