npm - @pixelbyte-software/pixcode - Versions diffs - 1.42.3 → 1.42.4 - Mend

@pixelbyte-software/pixcode 1.42.3 → 1.42.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/server/modules/orchestration/workflows/workflow.routes.ts CHANGED Viewed

@@ -9,6 +9,14 @@ import {
 import { workflowStore } from '@/modules/orchestration/workflows/workflow-store.js';
 import { buildWorkflowTrace } from '@/modules/orchestration/workflows/workflow-trace.js';
 import { findPixcodeAppRoot } from '@/modules/orchestration/workflows/workspace-target.js';
+import {
+  DEFAULT_PERMISSION_POLICY,
+  PERMISSION_CAPABILITIES,
+  PERMISSION_POLICY_MODES,
+  PIXCODE_PERMISSION_POLICY_PROTOCOL,
+  evaluatePermissionRequest,
+  normalizePermissionPolicy,
+} from '@/modules/orchestration/security/permission-policy.js';
 const TERMINAL_RUN_STATES = new Set(['completed', 'failed', 'canceled']);
@@ -73,6 +81,36 @@ function replayOptions(req: express.Request): {
   };
 }
+function readRunArray(run: { metadata?: Record<string, unknown> }, key: string): Array<Record<string, unknown>> {
+  const value = run.metadata?.[key];
+  return Array.isArray(value)
+    ? value.filter((item): item is Record<string, unknown> => Boolean(item && typeof item === 'object'))
+    : [];
+}
+function updateApproval(
+  run: { metadata?: Record<string, unknown> },
+  requestId: string,
+  patch: Record<string, unknown>,
+): boolean {
+  const approvals = readRunArray(run, 'pendingPermissionApprovals');
+  let changed = false;
+  const nextApprovals = approvals.map((approval) => {
+    if (approval.id !== requestId) return approval;
+    changed = true;
+    return {
+      ...approval,
+      ...patch,
+    };
+  });
+  if (!changed) return false;
+  run.metadata = {
+    ...run.metadata,
+    pendingPermissionApprovals: nextApprovals,
+  };
+  return true;
+}
 function sendRunSnapshot(res: express.Response, runId: string): boolean {
   const run = workflowStore.getRun(runId);
   if (!run) {
@@ -162,6 +200,89 @@ export function createWorkflowRouter(): Router {
     });
   });
+  router.get('/workflows/permission-policy', (_req, res) => {
+    res.json({
+      protocol: PIXCODE_PERMISSION_POLICY_PROTOCOL,
+      capabilities: PERMISSION_CAPABILITIES,
+      modes: PERMISSION_POLICY_MODES,
+      defaultPolicy: DEFAULT_PERMISSION_POLICY,
+    });
+  });
+  router.post('/workflows/permission-policy/evaluate', (req, res) => {
+    try {
+      res.json({
+        decision: evaluatePermissionRequest({
+          policy: normalizePermissionPolicy(req.body?.policy),
+          request: req.body?.request ?? { source: 'api' },
+        }),
+      });
+    } catch (error) {
+      res.status(400).json({
+        error: {
+          code: 'PERMISSION_POLICY_INVALID',
+          message: error instanceof Error ? error.message : String(error),
+        },
+      });
+    }
+  });
+  router.get('/workflows/runs/:runId/permission-approvals', (req, res) => {
+    const run = workflowStore.getRun(req.params.runId);
+    if (!run) {
+      res.status(404).json({ error: { code: 'RUN_NOT_FOUND', message: req.params.runId } });
+      return;
+    }
+    res.json({
+      runId: run.id,
+      pendingApprovals: readRunArray(run, 'pendingPermissionApprovals')
+        .filter((approval) => approval.status === 'pending'),
+      approvalHistory: readRunArray(run, 'pendingPermissionApprovals')
+        .filter((approval) => approval.status !== 'pending'),
+    });
+  });
+  router.post('/workflows/runs/:runId/permission-approvals/:requestId', (req, res) => {
+    const run = workflowStore.getRun(req.params.runId);
+    if (!run) {
+      res.status(404).json({ error: { code: 'RUN_NOT_FOUND', message: req.params.runId } });
+      return;
+    }
+    const allow = req.body?.allow === true;
+    const deny = req.body?.allow === false;
+    if (!allow && !deny) {
+      res.status(400).json({
+        error: {
+          code: 'PERMISSION_DECISION_REQUIRED',
+          message: 'Permission approval requires allow=true or allow=false.',
+        },
+      });
+      return;
+    }
+    const updated = updateApproval(run, req.params.requestId, {
+      status: allow ? 'allowed' : 'denied',
+      resolvedAt: Date.now(),
+      resolvedBy: readRequestUserId(req),
+      resolutionMessage: readOptionalString(req.body?.message),
+    });
+    if (!updated) {
+      res.status(404).json({ error: { code: 'APPROVAL_NOT_FOUND', message: req.params.requestId } });
+      return;
+    }
+    workflowStore.setRun(run);
+    res.json({
+      runId: run.id,
+      pendingApprovals: readRunArray(run, 'pendingPermissionApprovals')
+        .filter((approval) => approval.status === 'pending'),
+      approvalHistory: readRunArray(run, 'pendingPermissionApprovals')
+        .filter((approval) => approval.status !== 'pending'),
+    });
+  });
   router.get('/workflows/runs/:runId/replay-plan', (req, res) => {
     const run = workflowStore.getRun(req.params.runId);
     if (!run) {

package/server/modules/orchestration/workflows/workflow.types.ts CHANGED Viewed

@@ -1,6 +1,10 @@
 import type { WorkflowContextPacket } from '@/modules/orchestration/workflows/context-packet.js';
 import type { WorkflowFallbackTrigger } from '@/modules/orchestration/workflows/workflow-fallback-policy.js';
 import type { WorkflowHandoffArtifact } from '@/modules/orchestration/workflows/handoff-artifact.js';
+import type {
+  PermissionDecision,
+  PermissionPolicy,
+} from '@/modules/orchestration/security/permission-policy.js';
 export type WorkflowRunStatus = 'queued' | 'running' | 'completed' | 'failed' | 'canceled';
 export type WorkflowNodeStatus = WorkflowRunStatus | 'skipped';
@@ -18,6 +22,8 @@ export interface WorkflowNode {
   assignment?: string;
   model?: string;
   permissionMode?: string;
+  permissionPolicy?: PermissionPolicy;
+  permissionDecisions?: PermissionDecision[];
   toolsSettings?: Record<string, unknown>;
   isolation?: 'host' | 'worktree' | 'docker';
   timeoutMs?: number;
@@ -44,6 +50,8 @@ export interface WorkflowNodeRun {
   promptPreview?: string;
   model?: string;
   permissionMode?: string;
+  permissionPolicy?: PermissionPolicy;
+  permissionDecisions?: PermissionDecision[];
   timeoutMs?: number;
   stage?: string;
   internal?: boolean;
@@ -84,7 +92,7 @@ export interface WorkflowRun {
 export interface WorkflowTraceEvent {
   id: string;
-  type: 'run' | 'node' | 'provider' | 'message' | 'artifact' | 'file' | 'error';
+  type: 'run' | 'node' | 'provider' | 'message' | 'artifact' | 'file' | 'error' | 'permission_policy';
   severity: 'info' | 'warning' | 'error';
   status: WorkflowRunStatus | WorkflowNodeStatus | 'submitted';
   timestamp: number;