@okrlinkhub/agent-bridge 0.2.0 → 2.0.1

package/src/component/permissions.ts

@@ -1,9 +1,9 @@
 import { v } from "convex/values";
-import { mutation, query, internalQuery } from "./_generated/server.js";
+import { mutation, query } from "./_generated/server.js";
+import { patternMatchesAvailableFunctions } from "./agentBridgeUtils.js";
 
-// --- Permission result type ---
-
-const permissionResultValidator = v.object({
+const permissionRuleValidator = v.object({
+  pattern: v.string(),
   permission: v.union(
     v.literal("allow"),
     v.literal("deny"),
@@ -12,180 +12,57 @@ const permissionResultValidator = v.object({
   rateLimitConfig: v.optional(
     v.object({
       requestsPerHour: v.number(),
-      tokenBudget: v.number(),
+      tokenBudget: v.optional(v.number()),
     }),
   ),
-  matchedPattern: v.optional(v.string()),
 });
 
-// --- Pattern matching utilities ---
-
-/**
- * Calculate specificity score for a pattern.
- * More specific patterns (longer fixed prefix before the first wildcard)
- * get higher scores.
- */
-function patternSpecificity(pattern: string): number {
-  const wildcardIndex = pattern.indexOf("*");
-  if (wildcardIndex === -1) return pattern.length;
-  return wildcardIndex;
-}
-
-/**
- * Check if a function name matches a permission pattern.
- * Supports "*" as a wildcard that matches any characters.
- * Examples: "okr:*" matches "okr:getObjectives", "*" matches anything.
- */
-function matchesPattern(functionName: string, pattern: string): boolean {
-  if (pattern === "*") return true;
-  // Escape regex special chars except *, then replace * with .*
-  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-  const regexStr = "^" + escaped.replace(/\*/g, ".*") + "$";
-  const regex = new RegExp(regexStr);
-  return regex.test(functionName);
-}
-
-// --- Public functions ---
-
-/**
- * Set a permission for an agent on a specific app.
- * If a permission with the same agentId + appName + functionPattern exists, it is updated.
- */
-export const setPermission = mutation({
+export const setAgentPermissions = mutation({
   args: {
-    agentId: v.string(),
-    appName: v.string(),
-    functionPattern: v.string(),
-    permission: v.union(
-      v.literal("allow"),
-      v.literal("deny"),
-      v.literal("rate_limited"),
-    ),
-    rateLimitConfig: v.optional(
-      v.object({
-        requestsPerHour: v.number(),
-        tokenBudget: v.number(),
-      }),
-    ),
-    createdBy: v.string(),
+    agentId: v.id("agents"),
+    rules: v.array(permissionRuleValidator),
+    availableFunctionKeys: v.array(v.string()),
   },
-  returns: v.string(),
+  returns: v.number(),
   handler: async (ctx, args) => {
-    // Check for existing permission with same pattern
-    const existing = await ctx.db
-      .query("functionPermissions")
-      .withIndex("by_agent_and_app", (q) =>
-        q.eq("agentId", args.agentId).eq("appName", args.appName),
-      )
-      .collect();
-
-    const match = existing.find(
-      (p) => p.functionPattern === args.functionPattern,
-    );
-
-    if (match) {
-      await ctx.db.patch(match._id, {
-        permission: args.permission,
-        rateLimitConfig: args.rateLimitConfig,
-        createdBy: args.createdBy,
-        createdAt: Date.now(),
-      });
-      return match._id;
+    for (const rule of args.rules) {
+      const isValid = patternMatchesAvailableFunctions(
+        rule.pattern,
+        args.availableFunctionKeys,
+      );
+      if (!isValid) {
+        throw new Error(
+          `Pattern "${rule.pattern}" does not match any configured function`,
+        );
+      }
     }
 
-    const id = await ctx.db.insert("functionPermissions", {
-      agentId: args.agentId,
-      appName: args.appName,
-      functionPattern: args.functionPattern,
-      permission: args.permission,
-      rateLimitConfig: args.rateLimitConfig,
-      createdAt: Date.now(),
-      createdBy: args.createdBy,
-    });
-    return id;
-  },
-});
-
-/**
- * Remove a specific permission.
- */
-export const removePermission = mutation({
-  args: {
-    agentId: v.string(),
-    appName: v.string(),
-    functionPattern: v.string(),
-  },
-  returns: v.boolean(),
-  handler: async (ctx, args) => {
-    const perms = await ctx.db
-      .query("functionPermissions")
-      .withIndex("by_agent_and_app", (q) =>
-        q.eq("agentId", args.agentId).eq("appName", args.appName),
-      )
-      .collect();
-
-    const match = perms.find(
-      (p) => p.functionPattern === args.functionPattern,
-    );
-
-    if (!match) return false;
-
-    await ctx.db.delete(match._id);
-    return true;
-  },
-});
-
-/**
- * Check permission for a specific function call.
- * Applies pattern matching with specificity ordering (most specific pattern wins).
- * Default: deny if no matching pattern is found.
- */
-export const checkPermission = query({
-  args: {
-    agentId: v.string(),
-    appName: v.string(),
-    functionName: v.string(),
-  },
-  returns: permissionResultValidator,
-  handler: async (ctx, args) => {
-    const permissions = await ctx.db
-      .query("functionPermissions")
-      .withIndex("by_agent_and_app", (q) =>
-        q.eq("agentId", args.agentId).eq("appName", args.appName),
-      )
+    const existingRules = await ctx.db
+      .query("agentPermissions")
+      .withIndex("by_agentId", (q) => q.eq("agentId", args.agentId))
       .collect();
 
-    // Find all matching patterns and sort by specificity (most specific first)
-    const matches = permissions
-      .filter((p) => matchesPattern(args.functionName, p.functionPattern))
-      .sort(
-        (a, b) =>
-          patternSpecificity(b.functionPattern) -
-          patternSpecificity(a.functionPattern),
-      );
+    for (const existingRule of existingRules) {
+      await ctx.db.delete(existingRule._id);
+    }
 
-    if (matches.length === 0) {
-      // Default: deny
-      return { permission: "deny" as const };
+    for (const rule of args.rules) {
+      await ctx.db.insert("agentPermissions", {
+        agentId: args.agentId,
+        functionPattern: rule.pattern,
+        permission: rule.permission,
+        rateLimitConfig: rule.rateLimitConfig,
+        updatedAt: Date.now(),
+      });
     }
 
-    // Most specific pattern wins
-    const best = matches[0];
-    return {
-      permission: best.permission,
-      rateLimitConfig: best.rateLimitConfig,
-      matchedPattern: best.functionPattern,
-    };
+    return args.rules.length;
   },
 });
 
-/**
- * List all permissions for an agent on a specific app.
- */
-export const listPermissions = query({
+export const listAgentPermissions = query({
   args: {
-    agentId: v.string(),
-    appName: v.string(),
+    agentId: v.id("agents"),
   },
   returns: v.array(
     v.object({
@@ -198,124 +75,77 @@ export const listPermissions = query({
       rateLimitConfig: v.optional(
         v.object({
           requestsPerHour: v.number(),
-          tokenBudget: v.number(),
+          tokenBudget: v.optional(v.number()),
         }),
       ),
-      createdAt: v.number(),
-      createdBy: v.string(),
+      updatedAt: v.number(),
     }),
   ),
   handler: async (ctx, args) => {
-    const perms = await ctx.db
-      .query("functionPermissions")
-      .withIndex("by_agent_and_app", (q) =>
-        q.eq("agentId", args.agentId).eq("appName", args.appName),
-      )
+    const rules = await ctx.db
+      .query("agentPermissions")
+      .withIndex("by_agentId", (q) => q.eq("agentId", args.agentId))
       .collect();
 
-    return perms.map((p) => ({
-      functionPattern: p.functionPattern,
-      permission: p.permission,
-      rateLimitConfig: p.rateLimitConfig,
-      createdAt: p.createdAt,
-      createdBy: p.createdBy,
+    return rules.map((rule) => ({
+      functionPattern: rule.functionPattern,
+      permission: rule.permission,
+      rateLimitConfig: rule.rateLimitConfig,
+      updatedAt: rule.updatedAt,
     }));
   },
 });
 
-/**
- * Remove all permissions for a specific agent on a specific app.
- */
-export const clearPermissions = mutation({
+export const setFunctionOverrides = mutation({
   args: {
-    agentId: v.string(),
-    appName: v.string(),
+    overrides: v.array(
+      v.object({
+        key: v.string(),
+        enabled: v.boolean(),
+        globalRateLimit: v.optional(v.number()),
+      }),
+    ),
+    availableFunctionKeys: v.array(v.string()),
   },
   returns: v.number(),
   handler: async (ctx, args) => {
-    const perms = await ctx.db
-      .query("functionPermissions")
-      .withIndex("by_agent_and_app", (q) =>
-        q.eq("agentId", args.agentId).eq("appName", args.appName),
-      )
-      .collect();
-
-    for (const perm of perms) {
-      await ctx.db.delete(perm._id);
+    for (const override of args.overrides) {
+      if (!args.availableFunctionKeys.includes(override.key)) {
+        throw new Error(`Function "${override.key}" is not exposed in config`);
+      }
+
+      const existing = await ctx.db
+        .query("agentFunctions")
+        .withIndex("by_key", (q) => q.eq("key", override.key))
+        .unique();
+      if (existing) {
+        await ctx.db.patch(existing._id, {
+          enabled: override.enabled,
+          globalRateLimit: override.globalRateLimit,
+        });
+      } else {
+        await ctx.db.insert("agentFunctions", {
+          key: override.key,
+          enabled: override.enabled,
+          globalRateLimit: override.globalRateLimit,
+        });
+      }
     }
 
-    return perms.length;
+    return args.overrides.length;
   },
 });
 
-/**
- * Debug helper: show permission matching for a specific function call.
- */
-export const debugMatchPermission = query({
-  args: {
-    agentId: v.string(),
-    appName: v.string(),
-    functionName: v.string(),
-  },
-  returns: v.object({
-    functionName: v.string(),
-    permissions: v.array(
-      v.object({
-        functionPattern: v.string(),
-        permission: v.union(
-          v.literal("allow"),
-          v.literal("deny"),
-          v.literal("rate_limited"),
-        ),
-        specificity: v.number(),
-      }),
-    ),
-    matches: v.array(
-      v.object({
-        functionPattern: v.string(),
-        permission: v.union(
-          v.literal("allow"),
-          v.literal("deny"),
-          v.literal("rate_limited"),
-        ),
-        specificity: v.number(),
-      }),
-    ),
-    bestMatch: v.optional(
-      v.object({
-        functionPattern: v.string(),
-        permission: v.union(
-          v.literal("allow"),
-          v.literal("deny"),
-          v.literal("rate_limited"),
-        ),
-        specificity: v.number(),
-      }),
-    ),
-  }),
-  handler: async (ctx, args) => {
-    const permissions = await ctx.db
-      .query("functionPermissions")
-      .withIndex("by_agent_and_app", (q) =>
-        q.eq("agentId", args.agentId).eq("appName", args.appName),
-      )
-      .collect();
-
-    const withSpecificity = permissions.map((p) => ({
-      functionPattern: p.functionPattern,
-      permission: p.permission,
-      specificity: patternSpecificity(p.functionPattern),
-    }));
-
-    const matches = withSpecificity
-      .filter((p) => matchesPattern(args.functionName, p.functionPattern))
-      .sort((a, b) => b.specificity - a.specificity);
-
-    return {
-      functionName: args.functionName,
-      permissions: withSpecificity,
-      matches,
-      bestMatch: matches[0],
-    };
+export const listFunctionOverrides = query({
+  args: {},
+  returns: v.array(
+    v.object({
+      key: v.string(),
+      enabled: v.boolean(),
+      globalRateLimit: v.optional(v.number()),
+    }),
+  ),
+  handler: async (ctx) => {
+    return await ctx.db.query("agentFunctions").collect();
   },
 });

package/src/component/schema.ts

@@ -2,66 +2,22 @@ import { defineSchema, defineTable } from "convex/server";
 import { v } from "convex/values";
 
 export default defineSchema({
-  // Provisioning Tokens (generated by IT admin, distributed to employees)
-  provisioningTokens: defineTable({
-    tokenHash: v.string(), // SHA-256 hash of the APT (e.g. "apt_live_xxx")
-    employeeEmail: v.string(),
-    department: v.string(),
-    maxApps: v.number(), // How many apps this token can register (default 5)
-    usedCount: v.number(),
-    expiresAt: v.number(), // Token expiration timestamp
-    isActive: v.boolean(),
-    createdBy: v.string(), // Admin email who created the token
-  })
-    .index("by_token_hash", ["tokenHash"])
-    .index("by_email", ["employeeEmail"]),
-
-  // Registered agents (created on first provisioning)
-  registeredAgents: defineTable({
-    agentId: v.string(), // UUID generated at first provisioning
-    employeeEmail: v.string(),
-    department: v.string(),
-    firstRegisteredAt: v.number(),
-    lastSeenAt: v.number(),
-    isActive: v.boolean(),
-    revokedAt: v.optional(v.number()),
-    revokedBy: v.optional(v.string()),
-  })
-    .index("by_agent_id", ["agentId"])
-    .index("by_email", ["employeeEmail"]),
-
-  // Per-app per-agent instances (one per app per agent)
-  agentAppInstances: defineTable({
-    agentId: v.string(),
-    appName: v.string(),
-    instanceTokenHash: v.string(), // SHA-256 hash of the instance token
-    registeredAt: v.number(),
-    expiresAt: v.number(),
-    lastActivityAt: v.number(),
-    monthlyRequests: v.number(), // Request counter for this app
+  agents: defineTable({
+    name: v.string(),
+    appKey: v.optional(v.string()),
+    apiKeyHash: v.string(),
+    enabled: v.boolean(),
+    rateLimit: v.number(),
+    lastUsed: v.optional(v.number()),
+    createdAt: v.number(),
   })
-    .index("by_instance_token_hash", ["instanceTokenHash"])
-    .index("by_agent_and_app", ["agentId", "appName"]),
+    .index("by_apiKeyHash", ["apiKeyHash"])
+    .index("by_appKey", ["appKey"])
+    .index("by_enabled", ["enabled"]),
 
-  // Function Handle Registry: maps function aliases to actual function handles
-  functionRegistry: defineTable({
-    appName: v.string(),
-    functionName: v.string(), // Alias e.g. "okr:getObjectives"
-    functionHandle: v.string(), // Function handle string from createFunctionHandle()
-    functionType: v.union(
-      v.literal("query"),
-      v.literal("mutation"),
-      v.literal("action"),
-    ),
-    description: v.optional(v.string()),
-    registeredAt: v.number(),
-  }).index("by_app_and_function", ["appName", "functionName"]),
-
-  // Dynamic permissions: who can do what on which app
-  functionPermissions: defineTable({
-    agentId: v.string(),
-    appName: v.string(),
-    functionPattern: v.string(), // e.g. "okr:*", "okr:createObjective", "*"
+  agentPermissions: defineTable({
+    agentId: v.id("agents"),
+    functionPattern: v.string(),
     permission: v.union(
       v.literal("allow"),
       v.literal("deny"),
@@ -70,96 +26,28 @@ export default defineSchema({
     rateLimitConfig: v.optional(
       v.object({
         requestsPerHour: v.number(),
-        tokenBudget: v.number(),
+        tokenBudget: v.optional(v.number()),
       }),
     ),
-    createdAt: v.number(),
-    createdBy: v.string(), // Admin email
-  })
-    .index("by_agent_and_app", ["agentId", "appName"])
-    .index("by_app_and_pattern", ["appName", "functionPattern"]),
-
-  // Audit log for all access attempts
-  accessLog: defineTable({
+    updatedAt: v.number(),
+  }).index("by_agentId", ["agentId"]),
+
+  agentFunctions: defineTable({
+    key: v.string(),
+    enabled: v.boolean(),
+    globalRateLimit: v.optional(v.number()),
+  }).index("by_key", ["key"]),
+
+  agentLogs: defineTable({
+    agentId: v.id("agents"),
+    functionKey: v.string(),
+    args: v.any(),
+    result: v.optional(v.any()),
+    error: v.optional(v.string()),
+    duration: v.number(),
     timestamp: v.number(),
-    agentId: v.string(),
-    appName: v.string(),
-    functionCalled: v.string(),
-    permission: v.string(), // "allow", "deny", "rate_limited"
-    errorMessage: v.optional(v.string()),
-    durationMs: v.optional(v.number()),
   })
-    .index("by_agent_and_timestamp", ["agentId", "timestamp"])
-    .index("by_app_and_function", ["appName", "functionCalled"]),
-
-  // Circuit breaker counters (per agent, per app, per hour window)
-  circuitCounters: defineTable({
-    agentId: v.string(),
-    appName: v.string(),
-    windowHour: v.string(), // "2026-02-08T14" (ISO truncated to hour)
-    requestCount: v.number(),
-    tokenEstimate: v.number(),
-    isBlocked: v.boolean(),
-    blockedReason: v.optional(v.string()),
-    blockedAt: v.optional(v.number()),
-  })
-    .index("by_agentId_and_appName_and_windowHour", [
-      "agentId",
-      "appName",
-      "windowHour",
-    ])
-    .index("by_isBlocked", ["isBlocked"]),
-
-  // A2A intra-app channels (thematic channels within an app)
-  appChannels: defineTable({
-    appName: v.string(),
-    channelName: v.string(),
-    description: v.optional(v.string()),
-    createdAt: v.number(),
-    isActive: v.boolean(),
-  }).index("by_appName_and_channelName", ["appName", "channelName"]),
-
-  // A2A channel messages
-  channelMessages: defineTable({
-    appName: v.string(),
-    channelName: v.string(),
-    messageId: v.string(), // UUID
-    fromAgentId: v.string(),
-    payload: v.string(), // JSON serialized
-    metadata: v.object({
-      priority: v.number(), // 1-10
-      ttl: v.number(), // TTL in ms
-    }),
-    sentAt: v.number(),
-    expiresAt: v.number(),
-    readBy: v.array(v.string()), // Array of agentIds that have read this message
-  })
-    .index("by_appName_and_channelName_and_sentAt", [
-      "appName",
-      "channelName",
-      "sentAt",
-    ])
-    .index("by_expiresAt", ["expiresAt"]),
-
-  // Per-app configuration (no global singleton)
-  appConfigs: defineTable({
-    appName: v.string(),
-    defaultPermissions: v.array(
-      v.object({
-        pattern: v.string(),
-        permission: v.union(
-          v.literal("allow"),
-          v.literal("deny"),
-          v.literal("rate_limited"),
-        ),
-        rateLimitConfig: v.optional(
-          v.object({
-            requestsPerHour: v.number(),
-            tokenBudget: v.number(),
-          }),
-        ),
-      }),
-    ),
-    configuredAt: v.number(),
-  }).index("by_app_name", ["appName"]),
+    .index("by_agentId_and_timestamp", ["agentId", "timestamp"])
+    .index("by_functionKey", ["functionKey"])
+    .index("by_timestamp", ["timestamp"]),
 });

package/src/react/index.ts

@@ -1,11 +1,10 @@
 "use client";
 
-// React hooks and components for the Agent Bridge admin panel.
-// These will be expanded in future versions.
-
-export { AgentBridge } from "../client/index.js";
+// React helpers for Agent Bridge integrations.
+export { registerRoutes, normalizeAgentBridgeConfig } from "../client/index.js";
 export type {
   AgentBridgeConfig,
-  FunctionDef,
-  DefaultPermission,
+  AgentBridgeFunctionDefinition,
+  AgentBridgeFunctionMetadata,
+  AgentBridgeFunctionType,
 } from "../client/index.js";