@openparachute/agent 0.1.0

package/src/db/migrations/014-secrets.ts

@@ -0,0 +1,44 @@
+/**
+ * Local secrets store: AES-256-GCM encryption with a master key at
+ * `~/.parachute/agent/master.key`, decrypted in-process at session spawn,
+ * injected into per-session containers as env vars.
+ *
+ *   - `value_encrypted` is `iv || ciphertext || authTag` (12 + N + 16 bytes),
+ *     base64-encoded. Storing IV alongside ciphertext keeps each row
+ *     self-contained.
+ *   - `agent_group_id` is nullable: NULL = global, non-NULL = scoped to that
+ *     group only.
+ *   - `assigned_mode` is `all` (every agent sees this secret) or `selective`
+ *     (allowlist join table — not yet wired; column reserved for the UI's
+ *     per-agent-group injection picker).
+ *
+ * Migration 015 drops the now-vestigial `host_pattern` column.
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration014: Migration = {
+  version: 14,
+  name: 'secrets',
+  up(db: Database) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS secrets (
+        id              TEXT PRIMARY KEY,            -- ULID
+        name            TEXT NOT NULL,
+        value_encrypted TEXT NOT NULL,               -- base64(iv|ct|tag)
+        kind            TEXT NOT NULL DEFAULT 'generic',
+                                                     -- channel-token | api-key | generic
+        agent_group_id  TEXT REFERENCES agent_groups(id),
+                                                     -- NULL = global
+        assigned_mode   TEXT NOT NULL DEFAULT 'all',
+                                                     -- all | selective
+        host_pattern    TEXT,                        -- optional host glob
+        created_at      TEXT NOT NULL,
+        updated_at      TEXT NOT NULL,
+        UNIQUE (name, agent_group_id)
+      );
+      CREATE INDEX IF NOT EXISTS idx_secrets_agent_group ON secrets(agent_group_id);
+      CREATE INDEX IF NOT EXISTS idx_secrets_name ON secrets(name);
+    `);
+  },
+};

package/src/db/migrations/015-secrets-drop-host-pattern.ts

@@ -0,0 +1,18 @@
+/**
+ * Drop the vestigial `host_pattern` column from `secrets`. It was added when
+ * the schema mirrored an external gateway's row shape and was meant to gate
+ * which outbound requests a credential could attach to. Paraclaw injects
+ * secrets as env vars at container spawn time — there's no proxy in the
+ * request path to enforce the glob against — so the column was never read.
+ * Lying schemas mislead future readers; pull it.
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration015: Migration = {
+  version: 15,
+  name: 'secrets-drop-host-pattern',
+  up(db: Database) {
+    db.exec(`ALTER TABLE secrets DROP COLUMN host_pattern;`);
+  },
+};

package/src/db/migrations/016-secret-assignments.ts

@@ -0,0 +1,30 @@
+/**
+ * Selective-mode enforcement: a secret with `assigned_mode = 'selective'`
+ * is injected only into agent groups with an explicit row here. `'all'`-mode
+ * secrets ignore this table entirely (current resolveInjectableSecrets
+ * behaviour). The composite PK keeps assignments idempotent — re-assigning
+ * is a no-op rather than a duplicate row.
+ *
+ * ON DELETE CASCADE on both FKs: when a secret or agent group is deleted,
+ * its assignments evaporate. There's no soft-delete / audit row here — the
+ * activity log (PR2) is the audit surface.
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration016: Migration = {
+  version: 16,
+  name: 'secret-assignments',
+  up(db: Database) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS secret_assignments (
+        secret_id      TEXT NOT NULL REFERENCES secrets(id) ON DELETE CASCADE,
+        agent_group_id TEXT NOT NULL REFERENCES agent_groups(id) ON DELETE CASCADE,
+        created_at     TEXT NOT NULL,
+        PRIMARY KEY (secret_id, agent_group_id)
+      );
+      CREATE INDEX IF NOT EXISTS idx_secret_assignments_agent_group
+        ON secret_assignments(agent_group_id);
+    `);
+  },
+};

package/src/db/migrations/017-agent-activity.ts

@@ -0,0 +1,40 @@
+/**
+ * Tool-invocation activity log.
+ *
+ * `agent_activity` is a central, append-only ledger of every tool/MCP/cmd
+ * call an agent makes. The container writes a per-session row to its own
+ * `outbound.db` `activity` table (created on demand in
+ * container/agent-runner/src/db/connection.ts); the host's delivery loop
+ * merges undrained rows here during `drainSession`. `sessions.activity_synced_seq`
+ * is the per-session merge cursor so a slow host doesn't double-import.
+ *
+ * Privacy note: `summary` MUST NOT carry secret values or full Bash command
+ * strings — env-injected secrets can leak into argv. The container side is
+ * responsible for sanitization; this layer just stores what arrives.
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration017: Migration = {
+  version: 17,
+  name: 'agent-activity',
+  up(db: Database) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS agent_activity (
+        id              TEXT PRIMARY KEY,
+        agent_group_id  TEXT NOT NULL REFERENCES agent_groups(id) ON DELETE CASCADE,
+        session_id      TEXT NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
+        kind            TEXT NOT NULL,
+        target          TEXT,
+        summary         TEXT,
+        created_at      TEXT NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_agent_activity_group_created
+        ON agent_activity(agent_group_id, created_at DESC);
+      CREATE INDEX IF NOT EXISTS idx_agent_activity_session_created
+        ON agent_activity(session_id, created_at DESC);
+
+      ALTER TABLE sessions ADD COLUMN activity_synced_seq INTEGER NOT NULL DEFAULT 0;
+    `);
+  },
+};

package/src/db/migrations/018-oauth-app-configs.ts

@@ -0,0 +1,34 @@
+/**
+ * OAuth provider client configs (BYOC — Bring Your Own Client).
+ *
+ * One row per provider. The user (operator) registers their own OAuth
+ * client with the provider (e.g. Google Cloud Console), then drops the
+ * `client_id` + `client_secret` here. paraclaw uses these to mint
+ * authorize URLs and exchange codes for tokens.
+ *
+ *   - `client_secret_encrypted` is `iv || ciphertext || authTag` (base64),
+ *     same wire format as `secrets.value_encrypted`. Encryption key is
+ *     HKDF-derived from the master key with info `paraclaw.oauth.v1`.
+ *   - `scopes_default` is a space-separated OAuth scope string applied
+ *     when the operator doesn't override at authorize-time.
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration018: Migration = {
+  version: 18,
+  name: 'oauth-app-configs',
+  up(db: Database) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS app_configs (
+        id                       TEXT PRIMARY KEY,
+        provider                 TEXT NOT NULL UNIQUE,
+        client_id                TEXT NOT NULL,
+        client_secret_encrypted  TEXT NOT NULL,
+        scopes_default           TEXT NOT NULL DEFAULT '',
+        created_at               TEXT NOT NULL,
+        updated_at               TEXT NOT NULL
+      );
+    `);
+  },
+};

package/src/db/migrations/019-oauth-app-connections.ts

@@ -0,0 +1,48 @@
+/**
+ * OAuth user grants — one row per (provider × authorized account).
+ *
+ *   - `app_config_id` FKs to `app_configs(id)`. ON DELETE CASCADE: if the
+ *     operator drops their Google client config, every connection minted
+ *     against it is gone too (the tokens were issued to that client_id
+ *     and would 401 anyway).
+ *   - `account_email` + `account_id` come from the provider's userinfo
+ *     endpoint at callback time. `(app_config_id, account_id)` is unique
+ *     so re-authorizing the same account just refreshes tokens in place.
+ *   - `access_token_encrypted` / `refresh_token_encrypted` are AES-GCM
+ *     ciphertext (base64) with the same `paraclaw.oauth.v1` derived key
+ *     as `app_configs.client_secret_encrypted`.
+ *   - `scopes_granted` is space-separated; what the provider actually
+ *     gave us, not what we asked for.
+ *   - `expires_at` is ISO-8601; refresh-token flow renews `access_token`
+ *     and bumps this. NULL means provider didn't return an expiry.
+ *   - `metadata_json` is a freeform JSON blob for provider-specific
+ *     fields (e.g. Google's `id_token`, GitHub's `installation_id`).
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration019: Migration = {
+  version: 19,
+  name: 'oauth-app-connections',
+  up(db: Database) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS app_connections (
+        id                        TEXT PRIMARY KEY,
+        app_config_id             TEXT NOT NULL REFERENCES app_configs(id) ON DELETE CASCADE,
+        account_email             TEXT,
+        account_id                TEXT NOT NULL,
+        access_token_encrypted    TEXT NOT NULL,
+        refresh_token_encrypted   TEXT,
+        scopes_granted            TEXT NOT NULL DEFAULT '',
+        expires_at                TEXT,
+        label                     TEXT NOT NULL,
+        metadata_json             TEXT,
+        created_at                TEXT NOT NULL,
+        updated_at                TEXT NOT NULL,
+        UNIQUE (app_config_id, account_id)
+      );
+      CREATE INDEX IF NOT EXISTS idx_app_connections_config ON app_connections(app_config_id);
+      CREATE INDEX IF NOT EXISTS idx_app_connections_email ON app_connections(account_email);
+    `);
+  },
+};

package/src/db/migrations/020-agent-app-connections.ts

@@ -0,0 +1,28 @@
+/**
+ * Per-agent allowlist for OAuth connections — same shape as
+ * `secret_assignments` from migration 016. A connection is visible to an
+ * agent group only if there's a row here joining the two.
+ *
+ * Composite PK on (agent_group_id, app_connection_id) prevents duplicate
+ * grants. Both FKs cascade so a deleted agent group or revoked
+ * connection cleans up the join rows automatically.
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration020: Migration = {
+  version: 20,
+  name: 'agent-app-connections',
+  up(db: Database) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS agent_app_connections (
+        agent_group_id     TEXT NOT NULL REFERENCES agent_groups(id) ON DELETE CASCADE,
+        app_connection_id  TEXT NOT NULL REFERENCES app_connections(id) ON DELETE CASCADE,
+        created_at         TEXT NOT NULL,
+        PRIMARY KEY (agent_group_id, app_connection_id)
+      );
+      CREATE INDEX IF NOT EXISTS idx_agent_app_connections_conn
+        ON agent_app_connections(app_connection_id);
+    `);
+  },
+};

package/src/db/migrations/021-pending-oauth-states.ts

@@ -0,0 +1,35 @@
+/**
+ * pending_oauth_states — DB-backed CSRF tokens for the OAuth authorize→callback
+ * round-trip. The `state` parameter passed in the authorize redirect is a
+ * CSPRNG-random opaque string mapped here to the originating context
+ * (provider, optional agentGroupId, redirect URI, expires_at).
+ *
+ * Row lifecycle:
+ *   - INSERT at /authorize, ~10min TTL
+ *   - DELETE at /callback (single-use; second redemption is a 400)
+ *   - sweep prunes anything past expires_at
+ *
+ * DB-backed (vs in-memory) so daemon restart mid-flow doesn't drop a
+ * legitimate user's authorize attempt — they finish in their browser and
+ * the callback still finds the row.
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration021: Migration = {
+  version: 21,
+  name: 'pending-oauth-states',
+  up(db: Database) {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS pending_oauth_states (
+        state           TEXT PRIMARY KEY,
+        provider        TEXT NOT NULL,
+        agent_group_id  TEXT,
+        redirect_uri    TEXT NOT NULL,
+        created_at      TEXT NOT NULL,
+        expires_at      TEXT NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_pending_oauth_states_expires ON pending_oauth_states(expires_at);
+    `);
+  },
+};

package/src/db/migrations/022-app-connections-provider.ts

@@ -0,0 +1,25 @@
+/**
+ * Denormalize `provider` onto `app_connections` for query speed and to
+ * avoid a join+lookup for every list-connection / single-get call. The
+ * source of truth stays `app_configs.provider`; this column is filled
+ * at upsert time from the parent config.
+ *
+ * On apply: backfill any existing rows by joining to app_configs. New
+ * rows from this point set it directly.
+ */
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration022: Migration = {
+  version: 22,
+  name: 'app-connections-provider',
+  up(db: Database) {
+    db.exec(`
+      ALTER TABLE app_connections ADD COLUMN provider TEXT NOT NULL DEFAULT '';
+      UPDATE app_connections
+         SET provider = (SELECT provider FROM app_configs WHERE app_configs.id = app_connections.app_config_id)
+       WHERE provider = '';
+      CREATE INDEX IF NOT EXISTS idx_app_connections_provider ON app_connections(provider);
+    `);
+  },
+};

package/src/db/migrations/023-agent-group-secret-mode.test.ts

@@ -0,0 +1,124 @@
+/**
+ * Coverage for migration 023 (paraclaw#9). Real installs have either no
+ * secrets or a single mode per group, so the interesting paths — mixed-mode
+ * collapse and group-level fan-out — only get exercised with fixtures.
+ *
+ * Strategy: skip 023 (and 025, which assumes the column 023 adds) via the
+ * `applyMigrationsExcept` helper, build the pre-023 DB shape (no
+ * `secret_mode` column on `agent_groups`, `assigned_mode` still present on
+ * `secrets`), seed fixtures, then call `migration023.up(db)` directly and
+ * assert. 024 doesn't depend on either, so it runs cleanly between the gaps.
+ */
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+
+import { closeDb, getDb } from '../index.js';
+import { migration023 } from './023-agent-group-secret-mode.js';
+import { migration025 } from './025-secret-mode-check.js';
+import { applyMigrationsExcept } from './_test-helpers.js';
+
+function applyAllExcept023(): void {
+  applyMigrationsExcept([migration023, migration025]);
+}
+
+function seedAgentGroup(id: string): void {
+  // Pre-023: agent_groups has no secret_mode column.
+  getDb()
+    .prepare(
+      `INSERT INTO agent_groups (id, name, folder, agent_provider, created_at)
+       VALUES (?, ?, ?, NULL, datetime('now'))`,
+    )
+    .run(id, id, id);
+}
+
+function seedSecret(id: string, agentGroupId: string | null, assignedMode: 'all' | 'selective'): void {
+  // Pre-023: secrets still has assigned_mode.
+  getDb()
+    .prepare(
+      `INSERT INTO secrets (id, name, value_encrypted, kind, agent_group_id, assigned_mode, created_at, updated_at)
+       VALUES (?, ?, 'enc-stub', 'generic', ?, ?, datetime('now'), datetime('now'))`,
+    )
+    .run(id, id, agentGroupId, assignedMode);
+}
+
+beforeEach(() => {
+  applyAllExcept023();
+});
+
+afterEach(() => {
+  closeDb();
+});
+
+describe('migration 023 — agent_groups.secret_mode backfill', () => {
+  it('uniform "all" backfills group to all', () => {
+    seedAgentGroup('ag-all');
+    seedSecret('s1', 'ag-all', 'all');
+    seedSecret('s2', 'ag-all', 'all');
+
+    migration023.up(getDb());
+
+    const row = getDb().prepare(`SELECT secret_mode FROM agent_groups WHERE id = ?`).get('ag-all') as {
+      secret_mode: string;
+    };
+    expect(row.secret_mode).toBe('all');
+  });
+
+  it('uniform "selective" backfills group to selective', () => {
+    seedAgentGroup('ag-sel');
+    seedSecret('s3', 'ag-sel', 'selective');
+    seedSecret('s4', 'ag-sel', 'selective');
+
+    migration023.up(getDb());
+
+    const row = getDb().prepare(`SELECT secret_mode FROM agent_groups WHERE id = ?`).get('ag-sel') as {
+      secret_mode: string;
+    };
+    expect(row.secret_mode).toBe('selective');
+  });
+
+  it('mixed-mode collapses to "all" (errs on the side of injecting)', () => {
+    seedAgentGroup('ag-mix');
+    seedSecret('s5', 'ag-mix', 'all');
+    seedSecret('s6', 'ag-mix', 'selective');
+
+    migration023.up(getDb());
+
+    const row = getDb().prepare(`SELECT secret_mode FROM agent_groups WHERE id = ?`).get('ag-mix') as {
+      secret_mode: string;
+    };
+    expect(row.secret_mode).toBe('all');
+  });
+
+  it('group with no in-scope secrets keeps the new default (selective)', () => {
+    seedAgentGroup('ag-empty');
+    // No secrets seeded for ag-empty. No globals either.
+
+    migration023.up(getDb());
+
+    const row = getDb().prepare(`SELECT secret_mode FROM agent_groups WHERE id = ?`).get('ag-empty') as {
+      secret_mode: string;
+    };
+    expect(row.secret_mode).toBe('selective');
+  });
+
+  it('global "all" secret pulls otherwise-empty group to all', () => {
+    seedAgentGroup('ag-only-global');
+    seedSecret('s-glob', null, 'all');
+
+    migration023.up(getDb());
+
+    const row = getDb().prepare(`SELECT secret_mode FROM agent_groups WHERE id = ?`).get('ag-only-global') as {
+      secret_mode: string;
+    };
+    expect(row.secret_mode).toBe('all');
+  });
+
+  it('drops the now-vestigial secrets.assigned_mode column', () => {
+    seedAgentGroup('ag-drop');
+    seedSecret('s-drop', 'ag-drop', 'all');
+
+    migration023.up(getDb());
+
+    const cols = getDb().prepare(`PRAGMA table_info(secrets)`).all() as { name: string }[];
+    expect(cols.map((c) => c.name)).not.toContain('assigned_mode');
+  });
+});

package/src/db/migrations/023-agent-group-secret-mode.ts

@@ -0,0 +1,65 @@
+/**
+ * Move `assigned_mode` from `secrets` (per-secret) to `agent_groups.secret_mode`
+ * (per-group). Mode is a property of the recipient agent group ("how should
+ * this group's secrets get injected?"), not of each individual credential.
+ *
+ * Default for new groups is `selective` — operators must opt a credential in
+ * before it lands in container env. This errs on the side of withholding
+ * (cf. paraclaw#9), unlike the per-secret default of `all` we're replacing.
+ *
+ * Backfill rule: per agent_group, look at every in-scope secret (rows scoped
+ * to that group OR global). If all such secrets shared one mode, adopt it.
+ * If modes were mixed, adopt the most-permissive (`all`) and warn so the
+ * operator notices any previously-selective scoped secret is now injected.
+ * Groups with no in-scope secrets keep the new default (`selective`).
+ */
+import { log } from '../../log.js';
+import type { Database } from '../connection.js';
+import type { Migration } from './index.js';
+
+export const migration023: Migration = {
+  version: 23,
+  name: 'agent-group-secret-mode',
+  up(db: Database) {
+    db.exec(`
+      ALTER TABLE agent_groups
+        ADD COLUMN secret_mode TEXT NOT NULL DEFAULT 'selective';
+    `);
+
+    interface Row {
+      id: string;
+      modes: string | null;
+    }
+    const rows = db
+      .prepare<Row>(
+        `SELECT g.id AS id,
+                GROUP_CONCAT(DISTINCT s.assigned_mode) AS modes
+           FROM agent_groups g
+           LEFT JOIN secrets s
+             ON s.agent_group_id = g.id OR s.agent_group_id IS NULL
+          GROUP BY g.id`,
+      )
+      .all();
+
+    const updateMode = db.prepare(`UPDATE agent_groups SET secret_mode = @mode WHERE id = @id`);
+
+    for (const r of rows) {
+      if (!r.modes) continue;
+      const modes = r.modes.split(',').filter(Boolean);
+      if (modes.length === 0) continue;
+      let chosen: 'all' | 'selective';
+      if (modes.length === 1) {
+        chosen = modes[0] as 'all' | 'selective';
+      } else {
+        chosen = 'all';
+        log.warn('agent_group has mixed-mode secrets — collapsing to all', {
+          agent_group_id: r.id,
+          modes,
+        });
+      }
+      updateMode.run({ id: r.id, mode: chosen });
+    }
+
+    db.exec(`ALTER TABLE secrets DROP COLUMN assigned_mode;`);
+  },
+};