@poncho-ai/harness 0.34.1 → 0.36.0

package/src/reminder-store.ts

@@ -1,13 +1,4 @@
-import { mkdir, readFile, rename, writeFile } from "node:fs/promises";
-import { dirname, resolve } from "node:path";
 import type { StateConfig } from "./state.js";
-import {
-  ensureAgentIdentity,
-  getAgentStoreDirectory,
-  slugifyStorageComponent,
-  STORAGE_SCHEMA_VERSION,
-} from "./agent-identity.js";
-import { createRawKVStore, type RawKVStore } from "./kv-store.js";
 
 // ---------------------------------------------------------------------------
 // Data model
@@ -24,6 +15,7 @@ export interface Reminder {
   createdAt: number;
   conversationId: string;
   ownerId?: string;
+  tenantId?: string | null;
 }
 
 export interface ReminderStore {
@@ -34,6 +26,7 @@ export interface ReminderStore {
     timezone?: string;
     conversationId: string;
     ownerId?: string;
+    tenantId?: string | null;
   }): Promise<Reminder>;
   cancel(id: string): Promise<Reminder>;
   delete(id: string): Promise<void>;
@@ -43,29 +36,8 @@ export interface ReminderStore {
 // Helpers
 // ---------------------------------------------------------------------------
 
-const REMINDERS_FILE = "reminders.json";
 const STALE_CANCELLED_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
 
-const writeJsonAtomic = async (filePath: string, payload: unknown): Promise<void> => {
-  await mkdir(dirname(filePath), { recursive: true });
-  const tmpPath = `${filePath}.tmp`;
-  await writeFile(tmpPath, JSON.stringify(payload, null, 2), "utf8");
-  await rename(tmpPath, filePath);
-};
-
-const isValidReminder = (item: unknown): item is Reminder =>
-  typeof item === "object" &&
-  item !== null &&
-  typeof (item as Record<string, unknown>).id === "string" &&
-  typeof (item as Record<string, unknown>).task === "string" &&
-  typeof (item as Record<string, unknown>).scheduledAt === "number" &&
-  typeof (item as Record<string, unknown>).status === "string";
-
-const parseReminderList = (raw: unknown): Reminder[] => {
-  if (!Array.isArray(raw)) return [];
-  return raw.filter(isValidReminder);
-};
-
 /** Remove all fired reminders and cancelled reminders older than 7 days. */
 const pruneStale = (reminders: Reminder[]): Reminder[] => {
   const cutoff = Date.now() - STALE_CANCELLED_MS;
@@ -97,6 +69,7 @@ class InMemoryReminderStore implements ReminderStore {
     timezone?: string;
     conversationId: string;
     ownerId?: string;
+    tenantId?: string | null;
   }): Promise<Reminder> {
     const reminder: Reminder = {
       id: generateId(),
@@ -107,6 +80,7 @@ class InMemoryReminderStore implements ReminderStore {
       createdAt: Date.now(),
       conversationId: input.conversationId,
       ownerId: input.ownerId,
+      tenantId: input.tenantId,
     };
     this.reminders = pruneStale(this.reminders);
     this.reminders.push(reminder);
@@ -128,216 +102,14 @@ class InMemoryReminderStore implements ReminderStore {
   }
 }
 
-// ---------------------------------------------------------------------------
-// FileReminderStore — single JSON file for all reminders
-// ---------------------------------------------------------------------------
-
-class FileReminderStore implements ReminderStore {
-  private readonly workingDir: string;
-  private filePath = "";
-
-  constructor(workingDir: string) {
-    this.workingDir = workingDir;
-  }
-
-  private async ensureFilePath(): Promise<string> {
-    if (this.filePath) return this.filePath;
-    const identity = await ensureAgentIdentity(this.workingDir);
-    this.filePath = resolve(getAgentStoreDirectory(identity), REMINDERS_FILE);
-    return this.filePath;
-  }
-
-  private async readAll(): Promise<Reminder[]> {
-    try {
-      const fp = await this.ensureFilePath();
-      const raw = await readFile(fp, "utf8");
-      return parseReminderList(JSON.parse(raw));
-    } catch {
-      return [];
-    }
-  }
-
-  private async writeAll(reminders: Reminder[]): Promise<void> {
-    const fp = await this.ensureFilePath();
-    await writeJsonAtomic(fp, reminders);
-  }
-
-  async list(): Promise<Reminder[]> {
-    const all = await this.readAll();
-    const pruned = pruneStale(all);
-    if (pruned.length !== all.length) await this.writeAll(pruned);
-    return pruned;
-  }
-
-  async create(input: {
-    task: string;
-    scheduledAt: number;
-    timezone?: string;
-    conversationId: string;
-    ownerId?: string;
-  }): Promise<Reminder> {
-    const reminder: Reminder = {
-      id: generateId(),
-      task: input.task,
-      scheduledAt: input.scheduledAt,
-      timezone: input.timezone,
-      status: "pending",
-      createdAt: Date.now(),
-      conversationId: input.conversationId,
-      ownerId: input.ownerId,
-    };
-    let reminders = await this.readAll();
-    reminders = pruneStale(reminders);
-    reminders.push(reminder);
-    await this.writeAll(reminders);
-    return reminder;
-  }
-
-  async cancel(id: string): Promise<Reminder> {
-    const reminders = await this.readAll();
-    const reminder = reminders.find((r) => r.id === id);
-    if (!reminder) throw new Error(`Reminder "${id}" not found`);
-    if (reminder.status !== "pending") {
-      throw new Error(`Reminder "${id}" is already ${reminder.status}`);
-    }
-    reminder.status = "cancelled";
-    await this.writeAll(reminders);
-    return reminder;
-  }
-
-  async delete(id: string): Promise<void> {
-    const reminders = await this.readAll();
-    await this.writeAll(reminders.filter((r) => r.id !== id));
-  }
-}
-
-// ---------------------------------------------------------------------------
-// KVBackedReminderStore — wraps any RawKVStore (Upstash, Redis, DynamoDB)
-// ---------------------------------------------------------------------------
-
-class KVBackedReminderStore implements ReminderStore {
-  private readonly kv: RawKVStore;
-  private readonly key: string;
-  private readonly ttl?: number;
-  private readonly memoryFallback = new InMemoryReminderStore();
-
-  constructor(kv: RawKVStore, key: string, ttl?: number) {
-    this.kv = kv;
-    this.key = key;
-    this.ttl = ttl;
-  }
-
-  private async readAll(): Promise<Reminder[]> {
-    try {
-      const raw = await this.kv.get(this.key);
-      if (!raw) return [];
-      return parseReminderList(JSON.parse(raw));
-    } catch {
-      return this.memoryFallback.list();
-    }
-  }
-
-  private async writeAll(reminders: Reminder[]): Promise<void> {
-    try {
-      const serialized = JSON.stringify(reminders);
-      if (typeof this.ttl === "number") {
-        await this.kv.setWithTtl(this.key, serialized, Math.max(1, this.ttl));
-      } else {
-        await this.kv.set(this.key, serialized);
-      }
-    } catch {
-      // KV write failed; operations already applied in-memory via caller
-    }
-  }
-
-  async list(): Promise<Reminder[]> {
-    const all = await this.readAll();
-    const pruned = pruneStale(all);
-    if (pruned.length !== all.length) await this.writeAll(pruned);
-    return pruned;
-  }
-
-  async create(input: {
-    task: string;
-    scheduledAt: number;
-    timezone?: string;
-    conversationId: string;
-    ownerId?: string;
-  }): Promise<Reminder> {
-    let reminders: Reminder[];
-    try {
-      reminders = await this.readAll();
-    } catch {
-      return this.memoryFallback.create(input);
-    }
-    const reminder: Reminder = {
-      id: generateId(),
-      task: input.task,
-      scheduledAt: input.scheduledAt,
-      timezone: input.timezone,
-      status: "pending",
-      createdAt: Date.now(),
-      conversationId: input.conversationId,
-      ownerId: input.ownerId,
-    };
-    reminders = pruneStale(reminders);
-    reminders.push(reminder);
-    await this.writeAll(reminders);
-    return reminder;
-  }
-
-  async cancel(id: string): Promise<Reminder> {
-    let reminders: Reminder[];
-    try {
-      reminders = await this.readAll();
-    } catch {
-      return this.memoryFallback.cancel(id);
-    }
-    const reminder = reminders.find((r) => r.id === id);
-    if (!reminder) throw new Error(`Reminder "${id}" not found`);
-    if (reminder.status !== "pending") {
-      throw new Error(`Reminder "${id}" is already ${reminder.status}`);
-    }
-    reminder.status = "cancelled";
-    await this.writeAll(reminders);
-    return reminder;
-  }
-
-  async delete(id: string): Promise<void> {
-    let reminders: Reminder[];
-    try {
-      reminders = await this.readAll();
-    } catch {
-      return this.memoryFallback.delete(id);
-    }
-    await this.writeAll(reminders.filter((r) => r.id !== id));
-  }
-}
-
 // ---------------------------------------------------------------------------
 // Factory
 // ---------------------------------------------------------------------------
 
 export const createReminderStore = (
-  agentId: string,
-  config?: StateConfig,
-  options?: { workingDir?: string },
+  _agentId: string,
+  _config?: StateConfig,
+  _options?: { workingDir?: string },
 ): ReminderStore => {
-  const provider = config?.provider ?? "local";
-  const ttl = config?.ttl;
-  const workingDir = options?.workingDir ?? process.cwd();
-
-  if (provider === "local") {
-    return new FileReminderStore(workingDir);
-  }
-  if (provider === "memory") {
-    return new InMemoryReminderStore();
-  }
-
-  const kv = createRawKVStore(config);
-  if (kv) {
-    const key = `poncho:${STORAGE_SCHEMA_VERSION}:${slugifyStorageComponent(agentId)}:reminders`;
-    return new KVBackedReminderStore(kv, key, ttl);
-  }
   return new InMemoryReminderStore();
 };

package/src/reminder-tools.ts

@@ -84,6 +84,7 @@ export const createReminderTools = (store: ReminderStore): ToolDefinition[] => [
         scheduledAt,
         timezone,
         conversationId,
+        tenantId: context.tenantId,
       });
 
       return {
@@ -116,8 +117,12 @@ export const createReminderTools = (store: ReminderStore): ToolDefinition[] => [
       },
       additionalProperties: false,
     },
-    handler: async (input) => {
+    handler: async (input, context) => {
       let reminders = await store.list();
+      // Tenant-scoped: only show reminders belonging to the current tenant
+      if (context.tenantId) {
+        reminders = reminders.filter((r) => r.tenantId === context.tenantId);
+      }
       const status = typeof input.status === "string" ? input.status : undefined;
       if (status && VALID_STATUSES.includes(status as ReminderStatus)) {
         reminders = reminders.filter((r) => r.status === status);
@@ -150,9 +155,17 @@ export const createReminderTools = (store: ReminderStore): ToolDefinition[] => [
       required: ["id"],
       additionalProperties: false,
     },
-    handler: async (input) => {
+    handler: async (input, context) => {
       const id = typeof input.id === "string" ? input.id.trim() : "";
       if (!id) throw new Error("id is required");
+      // Validate tenant ownership before cancelling
+      if (context.tenantId) {
+        const all = await store.list();
+        const target = all.find((r) => r.id === id);
+        if (target && target.tenantId !== context.tenantId) {
+          throw new Error("Reminder not found");
+        }
+      }
       const cancelled = await store.cancel(id);
       return {
         ok: true,

package/src/secrets-store.ts

@@ -0,0 +1,163 @@
+import { createCipheriv, createDecipheriv, randomBytes, createHash } from "node:crypto";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { dirname, resolve } from "node:path";
+import {
+  ensureAgentIdentity,
+  getAgentStoreDirectory,
+  slugifyStorageComponent,
+} from "./agent-identity.js";
+import type { StateConfig } from "./state.js";
+
+// ---------------------------------------------------------------------------
+// Interface
+// ---------------------------------------------------------------------------
+
+export interface SecretsStore {
+  get(tenantId: string): Promise<Record<string, string>>;
+  set(tenantId: string, key: string, value: string): Promise<void>;
+  delete(tenantId: string, key: string): Promise<void>;
+  list(tenantId: string): Promise<string[]>;
+}
+
+// ---------------------------------------------------------------------------
+// Encryption helpers (AES-256-GCM)
+// ---------------------------------------------------------------------------
+
+type EncryptedBlob = { iv: string; ct: string; tag: string };
+
+function deriveKey(signingKey: string): Buffer {
+  // HKDF-like derivation: SHA-256 of fixed salt + signing key
+  return createHash("sha256")
+    .update("poncho-secrets-v1:" + signingKey)
+    .digest();
+}
+
+function encrypt(plaintext: string, key: Buffer): EncryptedBlob {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: iv.toString("base64"),
+    ct: ct.toString("base64"),
+    tag: tag.toString("base64"),
+  };
+}
+
+function decrypt(blob: EncryptedBlob, key: Buffer): string {
+  const decipher = createDecipheriv(
+    "aes-256-gcm",
+    key,
+    Buffer.from(blob.iv, "base64"),
+  );
+  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
+  return Buffer.concat([
+    decipher.update(Buffer.from(blob.ct, "base64")),
+    decipher.final(),
+  ]).toString("utf8");
+}
+
+// ---------------------------------------------------------------------------
+// File-based implementation
+// ---------------------------------------------------------------------------
+
+class FileSecretsStore implements SecretsStore {
+  private readonly workingDir: string;
+  private readonly encKey: Buffer;
+
+  constructor(workingDir: string, signingKey: string) {
+    this.workingDir = workingDir;
+    this.encKey = deriveKey(signingKey);
+  }
+
+  private async filePath(tenantId: string): Promise<string> {
+    const identity = await ensureAgentIdentity(this.workingDir);
+    const dir = resolve(
+      getAgentStoreDirectory(identity),
+      "tenants",
+      slugifyStorageComponent(tenantId),
+    );
+    return resolve(dir, "secrets.json");
+  }
+
+  private async readAll(tenantId: string): Promise<Record<string, EncryptedBlob>> {
+    try {
+      const raw = await readFile(await this.filePath(tenantId), "utf8");
+      return JSON.parse(raw) as Record<string, EncryptedBlob>;
+    } catch {
+      return {};
+    }
+  }
+
+  private async writeAll(
+    tenantId: string,
+    data: Record<string, EncryptedBlob>,
+  ): Promise<void> {
+    const fp = await this.filePath(tenantId);
+    await mkdir(dirname(fp), { recursive: true });
+    await writeFile(fp, JSON.stringify(data, null, 2), "utf8");
+  }
+
+  async get(tenantId: string): Promise<Record<string, string>> {
+    const data = await this.readAll(tenantId);
+    const result: Record<string, string> = {};
+    for (const [k, blob] of Object.entries(data)) {
+      try {
+        result[k] = decrypt(blob, this.encKey);
+      } catch {
+        // Skip entries that can't be decrypted (key rotation)
+      }
+    }
+    return result;
+  }
+
+  async set(tenantId: string, key: string, value: string): Promise<void> {
+    const data = await this.readAll(tenantId);
+    data[key] = encrypt(value, this.encKey);
+    await this.writeAll(tenantId, data);
+  }
+
+  async delete(tenantId: string, key: string): Promise<void> {
+    const data = await this.readAll(tenantId);
+    delete data[key];
+    await this.writeAll(tenantId, data);
+  }
+
+  async list(tenantId: string): Promise<string[]> {
+    const data = await this.readAll(tenantId);
+    return Object.keys(data);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+
+export const createSecretsStore = (
+  _agentId: string,
+  signingKey: string,
+  _config?: StateConfig,
+  options?: { workingDir?: string },
+): SecretsStore => {
+  const workingDir = options?.workingDir ?? process.cwd();
+  return new FileSecretsStore(workingDir, signingKey);
+};
+
+// ---------------------------------------------------------------------------
+// Env resolution helper
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve an env var name: check tenant secrets first, then process.env.
+ */
+export async function resolveEnv(
+  secretsStore: SecretsStore | undefined,
+  tenantId: string | null | undefined,
+  envName: string,
+): Promise<string | undefined> {
+  if (tenantId && secretsStore) {
+    const secrets = await secretsStore.get(tenantId);
+    if (secrets[envName]) return secrets[envName];
+  }
+  return process.env[envName];
+}