@nordsym/apiclaw 1.3.6 → 1.3.7

package/convex/webhooks.ts

@@ -0,0 +1,494 @@
+import { v } from "convex/values";
+import { mutation, query, action, internalAction, internalQuery, internalMutation } from "./_generated/server";
+import { internal } from "./_generated/api";
+import { Doc, Id } from "./_generated/dataModel";
+
+// Event types available for webhooks
+export const WEBHOOK_EVENTS = [
+  "usage.threshold.80",
+  "usage.threshold.100",
+  "api.error",
+  "agent.connected",
+  "agent.revoked",
+] as const;
+
+// Generate a random secret for webhook signature verification
+function generateSecret(): string {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  let result = "whsec_";
+  for (let i = 0; i < 32; i++) {
+    result += chars.charAt(Math.floor(Math.random() * chars.length));
+  }
+  return result;
+}
+
+// ============================================
+// QUERIES
+// ============================================
+
+export const getWebhooks = query({
+  args: { token: v.string() },
+  handler: async (ctx, args) => {
+    // Verify session
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      return { error: "Invalid session" };
+    }
+
+    // Get webhooks for workspace
+    const webhooks = await ctx.db
+      .query("webhooks")
+      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", session.workspaceId))
+      .collect();
+
+    // Return webhooks without exposing full secret
+    return {
+      webhooks: webhooks.map((wh) => ({
+        id: wh._id,
+        url: wh.url,
+        events: wh.events,
+        enabled: wh.enabled,
+        lastTriggeredAt: wh.lastTriggeredAt,
+        lastStatus: wh.lastStatus,
+        failCount: wh.failCount,
+        createdAt: wh.createdAt,
+        // Only show hint of secret
+        secretHint: wh.secret.slice(0, 10) + "..." + wh.secret.slice(-4),
+      })),
+    };
+  },
+});
+
+// ============================================
+// MUTATIONS
+// ============================================
+
+export const createWebhook = mutation({
+  args: {
+    token: v.string(),
+    url: v.string(),
+    events: v.array(v.string()),
+  },
+  handler: async (ctx, args) => {
+    // Verify session
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      return { error: "Invalid session" };
+    }
+
+    // Validate URL
+    try {
+      new URL(args.url);
+    } catch {
+      return { error: "Invalid URL format" };
+    }
+
+    // Validate URL is HTTPS
+    if (!args.url.startsWith("https://")) {
+      return { error: "Webhook URL must use HTTPS" };
+    }
+
+    // Validate events
+    const validEvents = args.events.filter((e) =>
+      WEBHOOK_EVENTS.includes(e as typeof WEBHOOK_EVENTS[number])
+    );
+
+    if (validEvents.length === 0) {
+      return { error: "At least one valid event is required" };
+    }
+
+    // Check webhook limit (max 5 per workspace)
+    const existingWebhooks = await ctx.db
+      .query("webhooks")
+      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", session.workspaceId))
+      .collect();
+
+    if (existingWebhooks.length >= 5) {
+      return { error: "Maximum 5 webhooks per workspace" };
+    }
+
+    // Check for duplicate URL
+    const duplicate = existingWebhooks.find((wh) => wh.url === args.url);
+    if (duplicate) {
+      return { error: "A webhook with this URL already exists" };
+    }
+
+    // Generate secret
+    const secret = generateSecret();
+
+    // Create webhook
+    const webhookId = await ctx.db.insert("webhooks", {
+      workspaceId: session.workspaceId,
+      url: args.url,
+      events: validEvents,
+      secret,
+      enabled: true,
+      failCount: 0,
+      createdAt: Date.now(),
+    });
+
+    return {
+      success: true,
+      webhookId,
+      secret, // Return secret only once on creation
+    };
+  },
+});
+
+export const updateWebhook = mutation({
+  args: {
+    token: v.string(),
+    webhookId: v.id("webhooks"),
+    enabled: v.optional(v.boolean()),
+    events: v.optional(v.array(v.string())),
+  },
+  handler: async (ctx, args) => {
+    // Verify session
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      return { error: "Invalid session" };
+    }
+
+    // Get webhook
+    const webhook = await ctx.db.get(args.webhookId);
+
+    if (!webhook || webhook.workspaceId !== session.workspaceId) {
+      return { error: "Webhook not found" };
+    }
+
+    // Build update object
+    const updates: Partial<{
+      enabled: boolean;
+      events: string[];
+    }> = {};
+
+    if (args.enabled !== undefined) {
+      updates.enabled = args.enabled;
+    }
+
+    if (args.events !== undefined) {
+      const validEvents = args.events.filter((e) =>
+        WEBHOOK_EVENTS.includes(e as typeof WEBHOOK_EVENTS[number])
+      );
+      if (validEvents.length === 0) {
+        return { error: "At least one valid event is required" };
+      }
+      updates.events = validEvents;
+    }
+
+    // Update webhook
+    await ctx.db.patch(args.webhookId, updates);
+
+    return { success: true };
+  },
+});
+
+export const deleteWebhook = mutation({
+  args: {
+    token: v.string(),
+    webhookId: v.id("webhooks"),
+  },
+  handler: async (ctx, args) => {
+    // Verify session
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      return { error: "Invalid session" };
+    }
+
+    // Get webhook
+    const webhook = await ctx.db.get(args.webhookId);
+
+    if (!webhook || webhook.workspaceId !== session.workspaceId) {
+      return { error: "Webhook not found" };
+    }
+
+    // Delete webhook
+    await ctx.db.delete(args.webhookId);
+
+    return { success: true };
+  },
+});
+
+export const regenerateSecret = mutation({
+  args: {
+    token: v.string(),
+    webhookId: v.id("webhooks"),
+  },
+  handler: async (ctx, args) => {
+    // Verify session
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      return { error: "Invalid session" };
+    }
+
+    // Get webhook
+    const webhook = await ctx.db.get(args.webhookId);
+
+    if (!webhook || webhook.workspaceId !== session.workspaceId) {
+      return { error: "Webhook not found" };
+    }
+
+    // Generate new secret
+    const newSecret = generateSecret();
+
+    // Update webhook
+    await ctx.db.patch(args.webhookId, { secret: newSecret });
+
+    return {
+      success: true,
+      secret: newSecret, // Return new secret
+    };
+  },
+});
+
+// ============================================
+// ACTIONS (for HTTP calls)
+// ============================================
+
+export const testWebhook = action({
+  args: {
+    token: v.string(),
+    webhookId: v.id("webhooks"),
+  },
+  returns: v.union(
+    v.object({ error: v.string() }),
+    v.object({ success: v.literal(true), status: v.number(), message: v.string() }),
+    v.object({ success: v.literal(false), status: v.optional(v.number()), message: v.string() })
+  ),
+  handler: async (ctx, args): Promise<
+    | { error: string }
+    | { success: true; status: number; message: string }
+    | { success: false; status?: number; message: string }
+  > => {
+    // Get webhook from database
+    const queryResult = await ctx.runQuery(internal.webhooks.getWebhookInternal, {
+      token: args.token,
+      webhookId: args.webhookId,
+    });
+
+    if (!queryResult || "error" in queryResult) {
+      return { error: queryResult?.error || "Webhook not found" };
+    }
+
+    const webhook = queryResult.webhook;
+
+    // Create test payload
+    const payload = {
+      event: "test",
+      workspace: webhook.workspaceId,
+      timestamp: new Date().toISOString(),
+      data: {
+        message: "This is a test webhook from APIClaw",
+        webhookId: args.webhookId,
+      },
+    };
+
+    // Sign the payload
+    const signature = await signPayload(JSON.stringify(payload), webhook.secret);
+
+    try {
+      const response = await fetch(webhook.url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-APIClaw-Signature": signature,
+          "X-APIClaw-Event": "test",
+          "X-APIClaw-Timestamp": payload.timestamp,
+        },
+        body: JSON.stringify(payload),
+      });
+
+      if (response.ok) {
+        return {
+          success: true as const,
+          status: response.status,
+          message: "Webhook delivered successfully",
+        };
+      } else {
+        return {
+          success: false as const,
+          status: response.status,
+          message: `Webhook returned status ${response.status}`,
+        };
+      }
+    } catch (error) {
+      return {
+        success: false as const,
+        message: error instanceof Error ? error.message : "Failed to deliver webhook",
+      };
+    }
+  },
+});
+
+// Internal action to trigger webhooks (called from other parts of the system)
+export const triggerWebhooks = internalAction({
+  args: {
+    workspaceId: v.id("workspaces"),
+    event: v.string(),
+    data: v.any(),
+  },
+  returns: v.object({ triggered: v.number(), total: v.optional(v.number()) }),
+  handler: async (ctx, args): Promise<{ triggered: number; total?: number }> => {
+    // Get all enabled webhooks for this workspace that subscribe to this event
+    const webhooksResult = await ctx.runQuery(internal.webhooks.getWebhooksForEvent, {
+      workspaceId: args.workspaceId,
+      event: args.event,
+    });
+
+    if (!webhooksResult || webhooksResult.length === 0) {
+      return { triggered: 0 };
+    }
+
+    const payload = {
+      event: args.event,
+      workspace: args.workspaceId,
+      timestamp: new Date().toISOString(),
+      data: args.data,
+    };
+
+    const payloadString = JSON.stringify(payload);
+    let successCount = 0;
+
+    // Send to each webhook
+    for (const webhook of webhooksResult) {
+      const signature = await signPayload(payloadString, webhook.secret);
+
+      try {
+        const response = await fetch(webhook.url, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "X-APIClaw-Signature": signature,
+            "X-APIClaw-Event": args.event,
+            "X-APIClaw-Timestamp": payload.timestamp,
+          },
+          body: payloadString,
+        });
+
+        // Update webhook status
+        await ctx.runMutation(internal.webhooks.updateWebhookStatus, {
+          webhookId: webhook._id,
+          success: response.ok,
+        });
+
+        if (response.ok) {
+          successCount++;
+        }
+      } catch {
+        // Update webhook with failure
+        await ctx.runMutation(internal.webhooks.updateWebhookStatus, {
+          webhookId: webhook._id,
+          success: false,
+        });
+      }
+    }
+
+    return { triggered: successCount, total: webhooksResult.length };
+  },
+});
+
+// ============================================
+// INTERNAL QUERIES/MUTATIONS (for actions)
+// ============================================
+
+export const getWebhookInternal = internalQuery({
+  args: {
+    token: v.string(),
+    webhookId: v.id("webhooks"),
+  },
+  handler: async (ctx, args): Promise<{ error: string } | { webhook: Doc<"webhooks"> }> => {
+    // Verify session
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", args.token))
+      .first();
+
+    if (!session) {
+      return { error: "Invalid session" };
+    }
+
+    // Get webhook
+    const webhook = await ctx.db.get(args.webhookId);
+
+    if (!webhook || webhook.workspaceId !== session.workspaceId) {
+      return { error: "Webhook not found" };
+    }
+
+    return { webhook };
+  },
+});
+
+export const getWebhooksForEvent = internalQuery({
+  args: {
+    workspaceId: v.id("workspaces"),
+    event: v.string(),
+  },
+  handler: async (ctx, args): Promise<Doc<"webhooks">[]> => {
+    const webhooks = await ctx.db
+      .query("webhooks")
+      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", args.workspaceId))
+      .collect();
+
+    // Filter for enabled webhooks that subscribe to this event
+    return webhooks.filter(
+      (wh) => wh.enabled && wh.events.includes(args.event)
+    );
+  },
+});
+
+export const updateWebhookStatus = internalMutation({
+  args: {
+    webhookId: v.id("webhooks"),
+    success: v.boolean(),
+  },
+  handler: async (ctx, args) => {
+    const webhook = await ctx.db.get(args.webhookId);
+    if (!webhook) return;
+
+    await ctx.db.patch(args.webhookId, {
+      lastTriggeredAt: Date.now(),
+      lastStatus: args.success ? "success" : "failed",
+      failCount: args.success ? 0 : webhook.failCount + 1,
+    });
+
+    // Disable webhook after 5 consecutive failures
+    if (!args.success && webhook.failCount + 1 >= 5) {
+      await ctx.db.patch(args.webhookId, { enabled: false });
+    }
+  },
+});
+
+// ============================================
+// HELPERS
+// ============================================
+
+async function signPayload(payload: string, secret: string): Promise<string> {
+  // Simple HMAC-like signature using SHA-256
+  // In a production environment, use proper crypto
+  const encoder = new TextEncoder();
+  const data = encoder.encode(payload + secret);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `sha256=${hashHex}`;
+}

package/convex/workspaces.ts

@@ -67,7 +67,7 @@ export const verifyMagicLink = mutation({
         status: "active",
         tier: "free",
         usageCount: 0,
-        usageLimit: 1000, // 1000 free API calls
+        usageLimit: 50, // 50 free API calls
         createdAt: Date.now(),
         updatedAt: Date.now(),
       });
@@ -219,6 +219,8 @@ export const getConnectedAgents = query({
     return agentSessions.map((s) => ({
       id: s._id,
       fingerprint: s.fingerprint || "Unknown",
+      customName: s.customName || null,
+      name: s.customName || s.fingerprint || "Unknown",
       lastUsedAt: s.lastUsedAt,
       createdAt: s.createdAt,
       isCurrent: s.sessionToken === token,
@@ -226,6 +228,77 @@ export const getConnectedAgents = query({
   },
 });
 
+// Admin: Delete session by ID (for cleanup)
+export const adminDeleteSession = mutation({
+  args: { sessionId: v.id("agentSessions") },
+  handler: async (ctx, { sessionId }) => {
+    await ctx.db.delete(sessionId);
+    return { success: true };
+  },
+});
+
+// Debug: Get sessions by workspace email
+export const getSessionsByEmail = query({
+  args: { email: v.string() },
+  handler: async (ctx, { email }) => {
+    const workspace = await ctx.db
+      .query("workspaces")
+      .withIndex("by_email", (q) => q.eq("email", email.toLowerCase()))
+      .first();
+
+    if (!workspace) {
+      return { error: "Workspace not found", sessions: [] };
+    }
+
+    const sessions = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_workspaceId", (q) => q.eq("workspaceId", workspace._id))
+      .collect();
+
+    return {
+      workspaceId: workspace._id,
+      email: workspace.email,
+      sessions: sessions.map(s => ({
+        id: s._id,
+        fingerprint: s.fingerprint,
+        createdAt: s.createdAt,
+        lastUsedAt: s.lastUsedAt,
+      })),
+    };
+  },
+});
+
+// Rename an agent session
+export const renameAgent = mutation({
+  args: {
+    token: v.string(),
+    sessionId: v.id("agentSessions"),
+    name: v.string(),
+  },
+  handler: async (ctx, { token, sessionId, name }) => {
+    // Verify the requesting session
+    const session = await ctx.db
+      .query("agentSessions")
+      .withIndex("by_sessionToken", (q) => q.eq("sessionToken", token))
+      .first();
+
+    if (!session) {
+      throw new Error("Invalid session");
+    }
+
+    // Get the session to rename
+    const targetSession = await ctx.db.get(sessionId);
+    if (!targetSession || targetSession.workspaceId !== session.workspaceId) {
+      throw new Error("Session not found or access denied");
+    }
+
+    // Update the name (stored as customName field)
+    await ctx.db.patch(sessionId, { customName: name });
+
+    return { success: true };
+  },
+});
+
 // Get usage breakdown by provider
 export const getUsageBreakdown = query({
   args: { token: v.string() },