npm - @poncho-ai/harness - Versions diffs - 0.34.1 → 0.35.0 - Mend

@poncho-ai/harness 0.34.1 → 0.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/src/secrets-store.ts ADDED Viewed

@@ -0,0 +1,252 @@
+import { createCipheriv, createDecipheriv, randomBytes, createHash } from "node:crypto";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { dirname, resolve } from "node:path";
+import {
+  ensureAgentIdentity,
+  getAgentStoreDirectory,
+  slugifyStorageComponent,
+  STORAGE_SCHEMA_VERSION,
+} from "./agent-identity.js";
+import { createRawKVStore, type RawKVStore } from "./kv-store.js";
+import type { StateConfig } from "./state.js";
+// ---------------------------------------------------------------------------
+// Interface
+// ---------------------------------------------------------------------------
+export interface SecretsStore {
+  get(tenantId: string): Promise<Record<string, string>>;
+  set(tenantId: string, key: string, value: string): Promise<void>;
+  delete(tenantId: string, key: string): Promise<void>;
+  list(tenantId: string): Promise<string[]>;
+}
+// ---------------------------------------------------------------------------
+// Encryption helpers (AES-256-GCM)
+// ---------------------------------------------------------------------------
+type EncryptedBlob = { iv: string; ct: string; tag: string };
+function deriveKey(signingKey: string): Buffer {
+  // HKDF-like derivation: SHA-256 of fixed salt + signing key
+  return createHash("sha256")
+    .update("poncho-secrets-v1:" + signingKey)
+    .digest();
+}
+function encrypt(plaintext: string, key: Buffer): EncryptedBlob {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: iv.toString("base64"),
+    ct: ct.toString("base64"),
+    tag: tag.toString("base64"),
+  };
+}
+function decrypt(blob: EncryptedBlob, key: Buffer): string {
+  const decipher = createDecipheriv(
+    "aes-256-gcm",
+    key,
+    Buffer.from(blob.iv, "base64"),
+  );
+  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
+  return Buffer.concat([
+    decipher.update(Buffer.from(blob.ct, "base64")),
+    decipher.final(),
+  ]).toString("utf8");
+}
+// ---------------------------------------------------------------------------
+// File-based implementation
+// ---------------------------------------------------------------------------
+class FileSecretsStore implements SecretsStore {
+  private readonly workingDir: string;
+  private readonly encKey: Buffer;
+  constructor(workingDir: string, signingKey: string) {
+    this.workingDir = workingDir;
+    this.encKey = deriveKey(signingKey);
+  }
+  private async filePath(tenantId: string): Promise<string> {
+    const identity = await ensureAgentIdentity(this.workingDir);
+    const dir = resolve(
+      getAgentStoreDirectory(identity),
+      "tenants",
+      slugifyStorageComponent(tenantId),
+    );
+    return resolve(dir, "secrets.json");
+  }
+  private async readAll(tenantId: string): Promise<Record<string, EncryptedBlob>> {
+    try {
+      const raw = await readFile(await this.filePath(tenantId), "utf8");
+      return JSON.parse(raw) as Record<string, EncryptedBlob>;
+    } catch {
+      return {};
+    }
+  }
+  private async writeAll(
+    tenantId: string,
+    data: Record<string, EncryptedBlob>,
+  ): Promise<void> {
+    const fp = await this.filePath(tenantId);
+    await mkdir(dirname(fp), { recursive: true });
+    await writeFile(fp, JSON.stringify(data, null, 2), "utf8");
+  }
+  async get(tenantId: string): Promise<Record<string, string>> {
+    const data = await this.readAll(tenantId);
+    const result: Record<string, string> = {};
+    for (const [k, blob] of Object.entries(data)) {
+      try {
+        result[k] = decrypt(blob, this.encKey);
+      } catch {
+        // Skip entries that can't be decrypted (key rotation)
+      }
+    }
+    return result;
+  }
+  async set(tenantId: string, key: string, value: string): Promise<void> {
+    const data = await this.readAll(tenantId);
+    data[key] = encrypt(value, this.encKey);
+    await this.writeAll(tenantId, data);
+  }
+  async delete(tenantId: string, key: string): Promise<void> {
+    const data = await this.readAll(tenantId);
+    delete data[key];
+    await this.writeAll(tenantId, data);
+  }
+  async list(tenantId: string): Promise<string[]> {
+    const data = await this.readAll(tenantId);
+    return Object.keys(data);
+  }
+}
+// ---------------------------------------------------------------------------
+// KV-backed implementation
+// ---------------------------------------------------------------------------
+class KVSecretsStore implements SecretsStore {
+  private readonly kv: RawKVStore;
+  private readonly baseKey: string;
+  private readonly encKey: Buffer;
+  private readonly ttl?: number;
+  constructor(kv: RawKVStore, baseKey: string, signingKey: string, ttl?: number) {
+    this.kv = kv;
+    this.baseKey = baseKey;
+    this.encKey = deriveKey(signingKey);
+    this.ttl = ttl;
+  }
+  private kvKey(tenantId: string): string {
+    return `${this.baseKey}:t:${slugifyStorageComponent(tenantId)}:secrets`;
+  }
+  private async readAll(tenantId: string): Promise<Record<string, EncryptedBlob>> {
+    try {
+      const raw = await this.kv.get(this.kvKey(tenantId));
+      if (!raw) return {};
+      return JSON.parse(raw) as Record<string, EncryptedBlob>;
+    } catch {
+      return {};
+    }
+  }
+  private async writeAll(
+    tenantId: string,
+    data: Record<string, EncryptedBlob>,
+  ): Promise<void> {
+    const key = this.kvKey(tenantId);
+    const value = JSON.stringify(data);
+    if (this.ttl) {
+      await this.kv.setWithTtl(key, value, this.ttl);
+    } else {
+      await this.kv.set(key, value);
+    }
+  }
+  async get(tenantId: string): Promise<Record<string, string>> {
+    const data = await this.readAll(tenantId);
+    const result: Record<string, string> = {};
+    for (const [k, blob] of Object.entries(data)) {
+      try {
+        result[k] = decrypt(blob, this.encKey);
+      } catch {
+        // Skip entries that can't be decrypted
+      }
+    }
+    return result;
+  }
+  async set(tenantId: string, key: string, value: string): Promise<void> {
+    const data = await this.readAll(tenantId);
+    data[key] = encrypt(value, this.encKey);
+    await this.writeAll(tenantId, data);
+  }
+  async delete(tenantId: string, key: string): Promise<void> {
+    const data = await this.readAll(tenantId);
+    delete data[key];
+    await this.writeAll(tenantId, data);
+  }
+  async list(tenantId: string): Promise<string[]> {
+    const data = await this.readAll(tenantId);
+    return Object.keys(data);
+  }
+}
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+export const createSecretsStore = (
+  agentId: string,
+  signingKey: string,
+  config?: StateConfig,
+  options?: { workingDir?: string },
+): SecretsStore => {
+  const provider = config?.provider ?? "local";
+  const ttl = typeof config?.ttl === "number" ? config.ttl : undefined;
+  const workingDir = options?.workingDir ?? process.cwd();
+  if (provider === "local" || provider === "memory") {
+    return new FileSecretsStore(workingDir, signingKey);
+  }
+  const kv = createRawKVStore(config);
+  if (kv) {
+    const baseKey = `poncho:${STORAGE_SCHEMA_VERSION}:${slugifyStorageComponent(agentId)}`;
+    return new KVSecretsStore(kv, baseKey, signingKey, ttl);
+  }
+  return new FileSecretsStore(workingDir, signingKey);
+};
+// ---------------------------------------------------------------------------
+// Env resolution helper
+// ---------------------------------------------------------------------------
+/**
+ * Resolve an env var name: check tenant secrets first, then process.env.
+ */
+export async function resolveEnv(
+  secretsStore: SecretsStore | undefined,
+  tenantId: string | null | undefined,
+  envName: string,
+): Promise<string | undefined> {
+  if (tenantId && secretsStore) {
+    const secrets = await secretsStore.get(tenantId);
+    if (secrets[envName]) return secrets[envName];
+  }
+  return process.env[envName];
+}

package/src/state.ts CHANGED Viewed

@@ -97,10 +97,16 @@ export interface Conversation {
 }
 export interface ConversationStore {
-  list(ownerId?: string): Promise<Conversation[]>;
-  listSummaries(ownerId?: string): Promise<ConversationSummary[]>;
+  /**
+   * List conversations. tenantId semantics:
+   *   undefined = no filter (builder/admin sees everything)
+   *   null      = legacy single-user only
+   *   string    = tenant-scoped
+   */
+  list(ownerId?: string, tenantId?: string | null): Promise<Conversation[]>;
+  listSummaries(ownerId?: string, tenantId?: string | null): Promise<ConversationSummary[]>;
   get(conversationId: string): Promise<Conversation | undefined>;
-  create(ownerId?: string, title?: string): Promise<Conversation>;
+  create(ownerId?: string, title?: string, tenantId?: string | null): Promise<Conversation>;
   update(conversation: Conversation): Promise<void>;
   rename(conversationId: string, title: string): Promise<Conversation | undefined>;
   delete(conversationId: string): Promise<boolean>;
@@ -275,17 +281,19 @@ export class InMemoryConversationStore implements ConversationStore {
     }
   }
-  async list(ownerId?: string): Promise<Conversation[]> {
+  async list(ownerId?: string, tenantId?: string | null): Promise<Conversation[]> {
     this.purgeExpired();
     return Array.from(this.conversations.values())
       .filter((conversation) => !ownerId || conversation.ownerId === ownerId)
+      .filter((c) => tenantId === undefined || c.tenantId === tenantId)
       .sort((a, b) => b.updatedAt - a.updatedAt);
   }
-  async listSummaries(ownerId?: string): Promise<ConversationSummary[]> {
+  async listSummaries(ownerId?: string, tenantId?: string | null): Promise<ConversationSummary[]> {
     this.purgeExpired();
     return Array.from(this.conversations.values())
       .filter((c) => !ownerId || c.ownerId === ownerId)
+      .filter((c) => tenantId === undefined || c.tenantId === tenantId)
       .sort((a, b) => b.updatedAt - a.updatedAt)
       .map((c) => ({
         conversationId: c.conversationId,
@@ -293,6 +301,7 @@ export class InMemoryConversationStore implements ConversationStore {
         updatedAt: c.updatedAt,
         createdAt: c.createdAt,
         ownerId: c.ownerId,
+        tenantId: c.tenantId,
         parentConversationId: c.parentConversationId,
         messageCount: c.messages.length,
         hasPendingApprovals: Array.isArray(c.pendingApprovals) && c.pendingApprovals.length > 0,
@@ -305,14 +314,14 @@ export class InMemoryConversationStore implements ConversationStore {
     return this.conversations.get(conversationId);
   }
-  async create(ownerId = DEFAULT_OWNER, title?: string): Promise<Conversation> {
+  async create(ownerId = DEFAULT_OWNER, title?: string, tenantId: string | null = null): Promise<Conversation> {
     const now = Date.now();
     const conversation: Conversation = {
       conversationId: globalThis.crypto?.randomUUID?.() ?? `${now}-${Math.random()}`,
       title: normalizeTitle(title),
       messages: [],
       ownerId,
-      tenantId: null,
+      tenantId,
       createdAt: now,
       updatedAt: now,
     };
@@ -368,6 +377,7 @@ export type ConversationSummary = {
   updatedAt: number;
   createdAt?: number;
   ownerId: string;
+  tenantId?: string | null;
   parentConversationId?: string;
   messageCount?: number;
   hasPendingApprovals?: boolean;
@@ -386,6 +396,7 @@ type ConversationStoreFile = {
     updatedAt: number;
     createdAt?: number;
     ownerId: string;
+    tenantId?: string | null;
     fileName: string;
     parentConversationId?: string;
     messageCount?: number;
@@ -465,6 +476,7 @@ class FileConversationStore implements ConversationStore {
           updatedAt: conversation.updatedAt,
           createdAt: conversation.createdAt,
           ownerId: conversation.ownerId,
+          tenantId: conversation.tenantId,
           fileName: entry.name,
           parentConversationId: conversation.parentConversationId,
           messageCount: conversation.messages.length,
@@ -523,6 +535,7 @@ class FileConversationStore implements ConversationStore {
         updatedAt: conversation.updatedAt,
         createdAt: conversation.createdAt,
         ownerId: conversation.ownerId,
+        tenantId: conversation.tenantId,
         fileName,
         parentConversationId: conversation.parentConversationId,
         messageCount: conversation.messages.length,
@@ -534,10 +547,11 @@ class FileConversationStore implements ConversationStore {
     await this.writing;
   }
-  async list(ownerId?: string): Promise<Conversation[]> {
+  async list(ownerId?: string, tenantId?: string | null): Promise<Conversation[]> {
     await this.ensureLoaded();
     const summaries = Array.from(this.conversations.values())
       .filter((conversation) => !ownerId || conversation.ownerId === ownerId)
+      .filter((c) => tenantId === undefined || (c.tenantId ?? null) === tenantId)
       .sort((a, b) => b.updatedAt - a.updatedAt);
     const conversations: Conversation[] = [];
     for (const summary of summaries) {
@@ -549,10 +563,11 @@ class FileConversationStore implements ConversationStore {
     return conversations;
   }
-  async listSummaries(ownerId?: string): Promise<ConversationSummary[]> {
+  async listSummaries(ownerId?: string, tenantId?: string | null): Promise<ConversationSummary[]> {
     await this.ensureLoaded();
     return Array.from(this.conversations.values())
       .filter((c) => !ownerId || c.ownerId === ownerId)
+      .filter((c) => tenantId === undefined || (c.tenantId ?? null) === tenantId)
       .sort((a, b) => b.updatedAt - a.updatedAt)
       .map((c) => ({
         conversationId: c.conversationId,
@@ -560,6 +575,7 @@ class FileConversationStore implements ConversationStore {
         updatedAt: c.updatedAt,
         createdAt: c.createdAt,
         ownerId: c.ownerId,
+        tenantId: c.tenantId,
         parentConversationId: c.parentConversationId,
         messageCount: c.messageCount,
         hasPendingApprovals: c.hasPendingApprovals,
@@ -576,7 +592,7 @@ class FileConversationStore implements ConversationStore {
     return await this.readConversationFile(summary.fileName);
   }
-  async create(ownerId = DEFAULT_OWNER, title?: string): Promise<Conversation> {
+  async create(ownerId = DEFAULT_OWNER, title?: string, tenantId: string | null = null): Promise<Conversation> {
     await this.ensureLoaded();
     const now = Date.now();
     const conversation: Conversation = {
@@ -584,7 +600,7 @@ class FileConversationStore implements ConversationStore {
       title: normalizeTitle(title),
       messages: [],
       ownerId,
-      tenantId: null,
+      tenantId,
       createdAt: now,
       updatedAt: now,
     };
@@ -770,6 +786,7 @@ type ConversationMeta = {
   updatedAt: number;
   createdAt?: number;
   ownerId: string;
+  tenantId?: string | null;
   parentConversationId?: string;
   messageCount?: number;
   hasPendingApprovals?: boolean;
@@ -887,10 +904,10 @@ abstract class KeyValueConversationStoreBase implements ConversationStore {
     }
   }
-  async list(ownerId?: string): Promise<Conversation[]> {
+  async list(ownerId?: string, tenantId?: string | null): Promise<Conversation[]> {
     const kv = await this.client();
     if (!kv) {
-      return await this.memoryFallback.list(ownerId);
+      return await this.memoryFallback.list(ownerId, tenantId);
     }
     if (!ownerId) {
       return [];
@@ -903,16 +920,19 @@ abstract class KeyValueConversationStoreBase implements ConversationStore {
     for (const raw of rawValues) {
       if (!raw) continue;
       try {
-        conversations.push(JSON.parse(raw) as Conversation);
+        const conv = JSON.parse(raw) as Conversation;
+        if (tenantId === undefined || conv.tenantId === tenantId) {
+          conversations.push(conv);
+        }
       } catch { /* skip invalid records */ }
     }
     return conversations.sort((a, b) => b.updatedAt - a.updatedAt);
   }
-  async listSummaries(ownerId?: string): Promise<ConversationSummary[]> {
+  async listSummaries(ownerId?: string, tenantId?: string | null): Promise<ConversationSummary[]> {
     const kv = await this.client();
     if (!kv) {
-      return await this.memoryFallback.listSummaries(ownerId);
+      return await this.memoryFallback.listSummaries(ownerId, tenantId);
     }
     if (!ownerId) {
       return [];
@@ -926,13 +946,14 @@ abstract class KeyValueConversationStoreBase implements ConversationStore {
       if (!raw) continue;
       try {
         const meta = JSON.parse(raw) as ConversationMeta;
-        if (meta.ownerId === ownerId) {
+        if (meta.ownerId === ownerId && (tenantId === undefined || (meta.tenantId ?? null) === tenantId)) {
           summaries.push({
             conversationId: meta.conversationId,
             title: meta.title,
             updatedAt: meta.updatedAt,
             createdAt: meta.createdAt,
             ownerId: meta.ownerId,
+            tenantId: meta.tenantId,
             parentConversationId: meta.parentConversationId,
             messageCount: meta.messageCount,
             hasPendingApprovals: meta.hasPendingApprovals,
@@ -960,14 +981,14 @@ abstract class KeyValueConversationStoreBase implements ConversationStore {
     }
   }
-  async create(ownerId = DEFAULT_OWNER, title?: string): Promise<Conversation> {
+  async create(ownerId = DEFAULT_OWNER, title?: string, tenantId: string | null = null): Promise<Conversation> {
     const now = Date.now();
     const conversation: Conversation = {
       conversationId: globalThis.crypto?.randomUUID?.() ?? `${now}-${Math.random()}`,
       title: normalizeTitle(title),
       messages: [],
       ownerId,
-      tenantId: null,
+      tenantId,
       createdAt: now,
       updatedAt: now,
     };
@@ -997,6 +1018,7 @@ abstract class KeyValueConversationStoreBase implements ConversationStore {
         updatedAt: nextConversation.updatedAt,
         createdAt: nextConversation.createdAt,
         ownerId: nextConversation.ownerId,
+        tenantId: nextConversation.tenantId,
         parentConversationId: nextConversation.parentConversationId,
         messageCount: nextConversation.messages.length,
         hasPendingApprovals: Array.isArray(nextConversation.pendingApprovals) && nextConversation.pendingApprovals.length > 0,

package/src/subagent-manager.ts CHANGED Viewed

@@ -24,6 +24,7 @@ export interface SubagentManager {
     task: string;
     parentConversationId: string;
     ownerId: string;
+    tenantId?: string | null;
   }): Promise<SubagentSpawnResult>;
   sendMessage(subagentId: string, message: string): Promise<SubagentSpawnResult>;

package/src/subagent-tools.ts CHANGED Viewed

@@ -44,6 +44,7 @@ export const createSubagentTools = (
         task: task.trim(),
         parentConversationId: conversationId,
         ownerId,
+        tenantId: context.tenantId,
       });
       return { subagentId, status: "running" };
     },

package/src/telemetry.ts CHANGED Viewed

@@ -1,9 +1,13 @@
 import type { AgentEvent } from "@poncho-ai/sdk";
 const MAX_FIELD_LENGTH = 200;
+const OMIT_FROM_LOG = new Set(["continuationMessages", "_harnessMessages", "messages", "compactedHistory"]);
 function sanitizeEventForLog(event: AgentEvent): string {
-  return JSON.stringify(event, (_key, value) => {
+  return JSON.stringify(event, (key, value) => {
+    if (OMIT_FROM_LOG.has(key) && Array.isArray(value)) {
+      return `[${value.length} messages]`;
+    }
     if (typeof value === "string" && value.length > MAX_FIELD_LENGTH) {
       return `${value.slice(0, 80)}...[${value.length} chars]`;
     }

package/src/tenant-token.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import { jwtVerify, type JWTPayload } from "jose";
+export interface TenantTokenPayload {
+  tenantId: string;
+  metadata?: Record<string, unknown>;
+}
+/**
+ * Verify a tenant JWT (HS256) signed with the given key.
+ * Returns the decoded payload on success, or undefined on any failure.
+ */
+export async function verifyTenantToken(
+  signingKey: string,
+  token: string,
+): Promise<TenantTokenPayload | undefined> {
+  try {
+    const secret = new TextEncoder().encode(signingKey);
+    const { payload } = await jwtVerify(token, secret, {
+      algorithms: ["HS256"],
+    });
+    const tenantId = payload.sub;
+    if (!tenantId || typeof tenantId !== "string") {
+      return undefined;
+    }
+    const metadata = extractMetadata(payload);
+    return { tenantId, metadata };
+  } catch {
+    return undefined;
+  }
+}
+function extractMetadata(
+  payload: JWTPayload,
+): Record<string, unknown> | undefined {
+  const meta = payload.meta;
+  if (meta && typeof meta === "object" && !Array.isArray(meta)) {
+    return meta as Record<string, unknown>;
+  }
+  return undefined;
+}