@promptbook/cli 0.104.0-1 → 0.104.0-11

package/apps/agents-server/src/tools/$provideBrowserForServer.ts

@@ -0,0 +1,32 @@
+import { locateChrome } from 'locate-app';
+import { join } from 'path';
+import { BrowserContext, chromium } from 'playwright';
+
+/**
+ * Cache of browser instance
+ *
+ * @private internal cache for `$provideBrowserForServer`
+ */
+let browserInstance: BrowserContext | null = null;
+
+/**
+ * @@@
+ */
+export async function $provideBrowserForServer(): Promise<BrowserContext> {
+    if (browserInstance !== null && browserInstance.browser() && browserInstance.browser()!.isConnected()) {
+        return browserInstance;
+    }
+
+    console.log('Launching new browser instance...');
+    browserInstance = await chromium.launchPersistentContext(
+        join(process.cwd(), '.promptbook', 'puppeteer', 'user-data'),
+        {
+            executablePath: await locateChrome(),
+            headless: false,
+            // defaultViewport: null,
+            // downloadsPath
+        },
+    );
+
+    return browserInstance;
+}

package/apps/agents-server/src/tools/$provideCdnForServer.ts

@@ -1,3 +1,5 @@
+import { $provideSupabaseForServer } from '../database/$provideSupabaseForServer';
+import { TrackedFilesStorage } from '../utils/cdn/classes/TrackedFilesStorage';
 import { VercelBlobStorage } from '../utils/cdn/classes/VercelBlobStorage';
 import { IIFilesStorageWithCdn } from '../utils/cdn/interfaces/IFilesStorage';
 
@@ -9,16 +11,19 @@ import { IIFilesStorageWithCdn } from '../utils/cdn/interfaces/IFilesStorage';
 let cdn: IIFilesStorageWithCdn | null = null;
 
 /**
- * [🐱‍🚀]
+ * @@@
  */
 export function $provideCdnForServer(): IIFilesStorageWithCdn {
     if (!cdn) {
-        cdn = new VercelBlobStorage({
+        const inner = new VercelBlobStorage({
             token: process.env.VERCEL_BLOB_READ_WRITE_TOKEN!,
             pathPrefix: process.env.NEXT_PUBLIC_CDN_PATH_PREFIX!,
             cdnPublicUrl: new URL(process.env.NEXT_PUBLIC_CDN_PUBLIC_URL!),
         });
 
+        const supabase = $provideSupabaseForServer();
+        cdn = new TrackedFilesStorage(inner, supabase);
+
         /*
         cdn = new DigitalOceanSpaces({
             bucket: process.env.CDN_BUCKET!,

package/apps/agents-server/src/utils/auth.ts

@@ -1,33 +1,133 @@
-import { randomBytes, scrypt, timingSafeEqual } from 'crypto';
+import { createHash, randomBytes, scrypt, timingSafeEqual } from 'crypto';
 import { promisify } from 'util';
+import { PASSWORD_SECURITY_CONFIG } from '../../../../security.config';
 
 const scryptAsync = promisify(scrypt);
 
 /**
- * Hashes a password using scrypt
- * 
- * @param password The plain text password
+ * Validates password input to prevent edge cases and DoS attacks
+ *
+ * @param password The password to validate
+ * @throws Error if password is invalid
+ */
+function validatePasswordInput(password: string): void {
+    if (typeof password !== 'string') {
+        throw new Error('Password must be a string');
+    }
+    if (password.length === 0) {
+        throw new Error('Password cannot be empty');
+    }
+    if (password.length < PASSWORD_SECURITY_CONFIG.MIN_PASSWORD_LENGTH) {
+        throw new Error(`Password must be at least ${PASSWORD_SECURITY_CONFIG.MIN_PASSWORD_LENGTH} characters`);
+    }
+    // Note: No hard max limit - long passwords are compacted via compactPassword()
+}
+
+/**
+ * Compacts a password for secure processing
+ *
+ * If the password is within MAX_PASSWORD_LENGTH, it is returned as-is.
+ * If longer, the password is split at MAX_PASSWORD_LENGTH and the second part
+ * is hashed with SHA256 before being appended to the first part.
+ *
+ * This prevents DoS attacks via extremely long passwords while still utilizing
+ * the full entropy of longer passwords.
+ *
+ * @param password The password to compact
+ * @returns The compacted password
+ */
+function compactPassword(password: string): string {
+    if (password.length <= PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH) {
+        return password;
+    }
+
+    const firstPart = password.slice(0, PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH);
+    const secondPart = password.slice(PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH);
+
+    // Hash the overflow part with SHA256 to bound its length while preserving entropy
+    const secondPartHash = createHash('sha256').update(secondPart, 'utf8').digest('hex');
+
+    return firstPart + secondPartHash;
+}
+
+/**
+ * Hashes a password using scrypt with secure parameters
+ *
+ * @param password The plain text password (minimum 8 characters, no maximum - long passwords are compacted)
  * @returns The salt and hash formatted as "salt:hash"
+ * @throws Error if password validation fails
  */
 export async function hashPassword(password: string): Promise<string> {
-    const salt = randomBytes(16).toString('hex');
-    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
+    validatePasswordInput(password);
+
+    // Compact long passwords to prevent DoS while preserving entropy
+    const compactedPassword = compactPassword(password);
+
+    const salt = randomBytes(PASSWORD_SECURITY_CONFIG.SALT_LENGTH).toString('hex');
+    const derivedKey = (await scryptAsync(compactedPassword, salt, PASSWORD_SECURITY_CONFIG.KEY_LENGTH)) as Buffer;
+
+    // Clear password from memory as soon as possible (best effort)
+    // Note: JavaScript strings are immutable, so this is limited in effectiveness
     return `${salt}:${derivedKey.toString('hex')}`;
 }
 
 /**
- * Verifies a password against a stored hash
- * 
- * @param password The plain text password
+ * Verifies a password against a stored hash using constant-time comparison
+ *
+ * @param password The plain text password to verify
  * @param storedHash The stored hash in format "salt:hash"
- * @returns True if the password matches
+ * @returns True if the password matches, false otherwise
  */
 export async function verifyPassword(password: string, storedHash: string): Promise<boolean> {
-    const [salt, key] = storedHash.split(':');
-    if (!salt || !key) return false;
-    
-    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
-    const keyBuffer = Buffer.from(key, 'hex');
-    
-    return timingSafeEqual(derivedKey, keyBuffer);
+    // Validate inputs
+    if (typeof password !== 'string' || typeof storedHash !== 'string') {
+        return false;
+    }
+
+    if (password.length === 0) {
+        return false;
+    }
+
+    // Compact long passwords the same way as during hashing
+    const compactedPassword = compactPassword(password);
+
+    const parts = storedHash.split(':');
+    if (parts.length !== 2) {
+        return false;
+    }
+
+    const [salt, key] = parts;
+    if (!salt || !key) {
+        return false;
+    }
+
+    // Validate salt and key format (should be hex strings of expected length)
+    const expectedSaltLength = PASSWORD_SECURITY_CONFIG.SALT_LENGTH * 2; // hex encoding doubles length
+    const expectedKeyLength = PASSWORD_SECURITY_CONFIG.KEY_LENGTH * 2;
+
+    if (salt.length !== expectedSaltLength || key.length !== expectedKeyLength) {
+        return false;
+    }
+
+    // Validate hex format
+    const hexRegex = /^[0-9a-fA-F]+$/;
+    if (!hexRegex.test(salt) || !hexRegex.test(key)) {
+        return false;
+    }
+
+    try {
+        const derivedKey = (await scryptAsync(compactedPassword, salt, PASSWORD_SECURITY_CONFIG.KEY_LENGTH)) as Buffer;
+        const keyBuffer = Buffer.from(key, 'hex');
+
+        // Ensure buffers are same length before timing-safe comparison
+        // This should always be true given our validation, but defense in depth
+        if (derivedKey.length !== keyBuffer.length) {
+            return false;
+        }
+
+        return timingSafeEqual(derivedKey, keyBuffer);
+    } catch {
+        // Any error during verification should return false, not leak information
+        return false;
+    }
 }

package/apps/agents-server/src/utils/cdn/classes/TrackedFilesStorage.ts

@@ -0,0 +1,57 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { $getTableName } from '../../../database/$getTableName';
+import { AgentsServerDatabase } from '../../../database/schema';
+import type { IFile, IIFilesStorageWithCdn } from '../interfaces/IFilesStorage';
+
+export class TrackedFilesStorage implements IIFilesStorageWithCdn {
+    public constructor(
+        private readonly inner: IIFilesStorageWithCdn,
+        private readonly supabase: SupabaseClient<AgentsServerDatabase>,
+    ) {}
+
+    public get cdnPublicUrl(): URL {
+        return this.inner.cdnPublicUrl;
+    }
+
+    public get pathPrefix(): string | undefined {
+        return this.inner.pathPrefix;
+    }
+
+    public getItemUrl(key: string): URL {
+        return this.inner.getItemUrl(key);
+    }
+
+    public async getItem(key: string): Promise<IFile | null> {
+        return this.inner.getItem(key);
+    }
+
+    public async removeItem(key: string): Promise<void> {
+        return this.inner.removeItem(key);
+    }
+
+    public async setItem(key: string, file: IFile): Promise<void> {
+        console.log('!!! 0', { key, file });
+
+        await this.inner.setItem(key, file);
+
+        try {
+            const { userId, purpose } = file;
+            const cdnUrl = this.getItemUrl(key).href;
+
+            console.log('!!! 1', { userId, purpose, cdnUrl, key, file });
+
+            await this.supabase.from(await $getTableName('File')).insert({
+                userId: userId || null,
+                fileName: key,
+                fileSize: file.fileSize ?? file.data.length,
+                fileType: file.type,
+                cdnUrl,
+                purpose: purpose || 'UNKNOWN',
+            });
+
+            console.log('!!! 2', { userId, purpose, cdnUrl, key, file });
+        } catch (error) {
+            console.error('Failed to track upload:', error);
+        }
+    }
+}

package/apps/agents-server/src/utils/cdn/classes/VercelBlobStorage.ts

@@ -14,6 +14,10 @@ export class VercelBlobStorage implements IIFilesStorageWithCdn {
         return this.config.cdnPublicUrl;
     }
 
+    public get pathPrefix() {
+        return this.config.pathPrefix;
+    }
+
     public constructor(private readonly config: IVercelBlobStorageConfig) {}
 
     public getItemUrl(key: string): URL {

package/apps/agents-server/src/utils/cdn/interfaces/IFilesStorage.ts

@@ -5,6 +5,23 @@ export type IFile = {
     // Maybe TODO name: string_name;
     type: string_mime_type;
     data: Buffer;
+
+    /**
+     * User who uploaded the file
+     */
+    userId?: number;
+
+    /**
+     * Purpose of the upload (e.g. KNOWLEDGE, SERVER_FAVICON_URL)
+     */
+    purpose?: string;
+
+    /**
+     * Size of the file in bytes
+     *
+     * Note: This is optional, if not provided, the size of the buffer is used
+     */
+    fileSize?: number;
 };
 
 /**
@@ -17,6 +34,7 @@ export type IFilesStorage = Omit<IStorage<IFile>, 'length' | 'clear' | 'key'>;
  */
 export type IIFilesStorageWithCdn = IFilesStorage & {
     readonly cdnPublicUrl: URL;
+    readonly pathPrefix?: string;
     getItemUrl(key: string): URL;
 };
 

package/apps/agents-server/src/utils/content/extractBodyContentFromHtml.ts

@@ -0,0 +1,19 @@
+import type { string_html } from '@promptbook-local/types';
+
+/**
+ * Extract the first heading from HTML
+ *
+ * @param contentText HTML
+ * @returns heading
+ */
+export function extractBodyContentFromHtml(html: string_html): string_html {
+    // Note: Not using DOMParser, because it's overkill for this simple task
+
+    const match = html.match(/<body[^>]*>(?<bodyContent>[\s\S]*)<\/body>/s);
+
+    if (!match) {
+        return html;
+    }
+
+    return match.groups!.bodyContent!;
+}

package/apps/agents-server/src/utils/getUserIdFromRequest.ts

@@ -0,0 +1,35 @@
+import { NextRequest } from 'next/server';
+import { keepUnused } from '../../../../src/utils/organization/keepUnused';
+import { $getTableName } from '../database/$getTableName';
+import { $provideSupabaseForServer } from '../database/$provideSupabaseForServer';
+import { getSession } from './session';
+
+export async function getUserIdFromRequest(request: NextRequest): Promise<number | null> {
+    keepUnused(request); // Unused because we get user from session cookie for now
+
+    try {
+        // 1. Try to get user from session (cookie)
+        const session = await getSession();
+        if (session && session.username) {
+            const supabase = $provideSupabaseForServer();
+            const { data } = await supabase
+                .from(await $getTableName('User'))
+                .select('id')
+                .eq('username', session.username)
+                .single();
+
+            if (data) {
+                return data.id;
+            }
+        }
+
+        // 2. Try to get user from API key (Authorization header)
+        // TODO: [🧠] Implement linking API keys to users if needed
+        // const authHeader = request.headers.get('authorization');
+        // ...
+    } catch (error) {
+        console.error('Error getting user ID from request:', error);
+    }
+
+    return null;
+}

package/apps/agents-server/src/utils/handleChatCompletion.ts

@@ -2,10 +2,11 @@ import { $getTableName } from '@/src/database/$getTableName';
 import { $provideSupabaseForServer } from '@/src/database/$provideSupabaseForServer';
 import { $provideAgentCollectionForServer } from '@/src/tools/$provideAgentCollectionForServer';
 import { $provideOpenAiAssistantExecutionToolsForServer } from '@/src/tools/$provideOpenAiAssistantExecutionToolsForServer';
-import { Agent, computeAgentHash, PROMPTBOOK_ENGINE_VERSION } from '@promptbook-local/core';
+import { Agent, computeAgentHash, parseAgentSource, PROMPTBOOK_ENGINE_VERSION } from '@promptbook-local/core';
 import { ChatMessage, ChatPromptResult, Prompt, string_book, TODO_any } from '@promptbook-local/types';
 import { computeHash } from '@promptbook-local/utils';
 import { NextRequest, NextResponse } from 'next/server';
+import { isAgentDeleted } from '../app/agents/[agentName]/_utils';
 import { validateApiKey } from './validateApiKey';
 
 export async function handleChatCompletion(
@@ -60,6 +61,19 @@ export async function handleChatCompletion(
             );
         }
 
+        // Check if agent is deleted
+        if (await isAgentDeleted(agentName)) {
+            return NextResponse.json(
+                {
+                    error: {
+                        message: 'This agent has been deleted. You can restore it from the Recycle Bin.',
+                        type: 'agent_deleted',
+                    },
+                },
+                { status: 410 }, // Gone - indicates the resource is no longer available
+            );
+        }
+
         const collection = await $provideAgentCollectionForServer();
         let agentSource: string_book;
         try {
@@ -99,7 +113,54 @@ export async function handleChatCompletion(
             );
         }
 
-        const openAiAssistantExecutionTools = await $provideOpenAiAssistantExecutionToolsForServer();
+        const agentHash = computeAgentHash(agentSource);
+        const supabase = $provideSupabaseForServer();
+        const { data: assistantCache } = await supabase
+            .from(await $getTableName('OpenAiAssistantCache'))
+            .select('assistantId')
+            .eq('agentHash', agentHash)
+            .single();
+
+        let openAiAssistantExecutionTools = await $provideOpenAiAssistantExecutionToolsForServer();
+
+        if (assistantCache?.assistantId) {
+            console.log(
+                `[🐱‍🚀] Reusing assistant ${assistantCache.assistantId} for agent ${agentName} (hash: ${agentHash})`,
+            );
+            openAiAssistantExecutionTools = openAiAssistantExecutionTools.getAssistant(assistantCache.assistantId);
+        } else {
+            console.log(`[🐱‍🚀] Creating NEW assistant for agent ${agentName} (hash: ${agentHash})`);
+            // Parse to get instructions and name
+            const parsed = parseAgentSource(agentSource);
+            const name = parsed.agentName || agentName;
+            // Extract PERSONA
+            const baseInstructions = parsed.personaDescription || 'You are a helpful assistant.';
+
+            // Note: Append context to instructions
+            const contextLines = agentSource.split('\n').filter((line) => line.startsWith('CONTEXT '));
+            const contextInstructions = contextLines.join('\n');
+            const instructions = contextInstructions
+                ? `${baseInstructions}\n\n${contextInstructions}`
+                : baseInstructions;
+
+            // Create assistant
+            const newAssistantTools = await openAiAssistantExecutionTools.createNewAssistant({
+                name,
+                instructions,
+                // knowledgeSources?
+            });
+
+            // Save to cache
+            const newAssistantId = newAssistantTools.assistantId;
+            if (newAssistantId) {
+                await supabase.from(await $getTableName('OpenAiAssistantCache')).insert({
+                    agentHash,
+                    assistantId: newAssistantId,
+                });
+                openAiAssistantExecutionTools = newAssistantTools;
+            }
+        }
+
         const agent = new Agent({
             agentSource,
             executionTools: {
@@ -108,7 +169,6 @@ export async function handleChatCompletion(
             isVerbose: true, // or false
         });
 
-        const agentHash = computeAgentHash(agentSource);
         const userAgent = request.headers.get('user-agent');
         const ip =
             request.headers.get('x-forwarded-for') ||
@@ -125,8 +185,9 @@ export async function handleChatCompletion(
         const previousMessages = threadMessages.slice(0, -1);
 
         const thread: ChatMessage[] = previousMessages.map((msg: TODO_any, index: number) => ({
+            // channel: 'PROMPTBOOK_CHAT',
             id: `msg-${index}`, // Placeholder ID
-            from: msg.role === 'assistant' ? 'agent' : 'user', // Mapping standard OpenAI roles
+            sender: msg.role === 'assistant' ? 'agent' : 'user', // Mapping standard OpenAI roles
             content: msg.content,
             isComplete: true,
             date: new Date(), // We don't have the real date, using current
@@ -138,7 +199,6 @@ export async function handleChatCompletion(
             content: lastMessage.content,
         };
 
-        const supabase = $provideSupabaseForServer();
         await supabase.from(await $getTableName('ChatHistory')).insert({
             createdAt: new Date().toISOString(),
             messageHash: computeHash(userMessageContent),

package/apps/agents-server/src/utils/messages/sendMessage.ts

@@ -0,0 +1,91 @@
+import type { really_any } from '@promptbook-local/types';
+import { serializeError } from '@promptbook-local/utils';
+import { assertsError } from '../../../../../src/errors/assertsError';
+import { $getTableName } from '../../database/$getTableName';
+import { $provideSupabaseForServer } from '../../database/$provideSupabaseForServer';
+import { EMAIL_PROVIDERS } from '../../message-providers';
+import { OutboundEmail } from '../../message-providers/email/_common/Email';
+
+/**
+ * Sends a message
+ */
+export async function sendMessage(message: OutboundEmail): Promise<void> {
+    const supabase = await $provideSupabaseForServer();
+
+    // 1. Insert message
+    const { data: insertedMessage, error: insertError } = await supabase
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        .from(await $getTableName('Message'))
+        .insert({
+            channel: message.channel || 'UNKNOWN',
+            direction: message.direction || 'OUTBOUND',
+            sender: message.sender,
+            recipients: message.recipients,
+            content: message.content,
+            threadId: message.threadId,
+            metadata: message.metadata,
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } as any)
+        .select()
+        .single();
+
+    if (insertError) {
+        throw new Error(`Failed to insert message: ${insertError.message}`);
+    }
+
+    if (!insertedMessage) {
+        throw new Error('Failed to insert message: No data returned');
+    }
+
+    // 2. If outbound and email, try to send
+    if (message.direction === 'OUTBOUND' && message.channel === 'EMAIL') {
+        const providers = Object.keys(EMAIL_PROVIDERS);
+
+        if (providers.length === 0) {
+            console.warn('No email providers configured');
+            return;
+        }
+
+        let isSent = false;
+
+        for (const providerName of providers) {
+            const provider = EMAIL_PROVIDERS[providerName];
+            let isSuccessful = false;
+            let raw: really_any = null;
+
+            try {
+                console.log(`📤 Sending email via ${providerName}`);
+                raw = await provider.send(message);
+                isSuccessful = true;
+                isSent = true;
+            } catch (error) {
+                assertsError(error);
+                console.error(`Failed to send email via ${providerName}`, error);
+                raw = { error: serializeError(error) };
+            }
+
+            // 3. Log attempt
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            await supabase.from(await $getTableName('MessageSendAttempt')).insert({
+                // @ts-expect-error: insertedMessage is any
+                messageId: insertedMessage.id,
+                providerName,
+                isSuccessful,
+                raw,
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            } as any);
+
+            if (isSuccessful) {
+                break;
+            }
+        }
+
+        if (!isSent) {
+            throw new Error('Failed to send email via any provider');
+        }
+    }
+}
+
+/**
+ * TODO: !!!! Move to `message-providers` and rename `message-providers` -> `messages`
+ */

package/apps/agents-server/src/utils/messagesAdmin.ts

@@ -0,0 +1,72 @@
+import type { Json } from '../database/schema';
+
+export type MessageRow = {
+    id: number;
+    createdAt: string;
+    channel: string;
+    direction: string;
+    sender: Json;
+    recipients: Json;
+    content: string;
+    threadId: string | null;
+    metadata: Json;
+    // Joined fields
+    sendAttempts?: MessageSendAttemptRow[];
+};
+
+export type MessageSendAttemptRow = {
+    id: number;
+    createdAt: string;
+    messageId: number;
+    providerName: string;
+    isSuccessful: boolean;
+    raw: Json;
+};
+
+export type MessagesListResponse = {
+    items: MessageRow[];
+    total: number;
+    page: number;
+    pageSize: number;
+};
+
+export type MessagesListParams = {
+    page?: number;
+    pageSize?: number;
+    search?: string;
+    channel?: string;
+    direction?: string;
+};
+
+/**
+ * Build query string for messages listing.
+ */
+function buildQuery(params: MessagesListParams): string {
+    const searchParams = new URLSearchParams();
+
+    if (params.page && params.page > 0) searchParams.set('page', String(params.page));
+    if (params.pageSize && params.pageSize > 0) searchParams.set('pageSize', String(params.pageSize));
+    if (params.search) searchParams.set('search', params.search);
+    if (params.channel) searchParams.set('channel', params.channel);
+    if (params.direction) searchParams.set('direction', params.direction);
+
+    const qs = searchParams.toString();
+    return qs ? `?${qs}` : '';
+}
+
+/**
+ * Fetch messages from the admin API.
+ */
+export async function $fetchMessages(params: MessagesListParams = {}): Promise<MessagesListResponse> {
+    const qs = buildQuery(params);
+    const response = await fetch(`/api/messages${qs}`, {
+        method: 'GET',
+    });
+
+    if (!response.ok) {
+        const data = await response.json().catch(() => ({}));
+        throw new Error(data.error || 'Failed to load messages');
+    }
+
+    return (await response.json()) as MessagesListResponse;
+}