npm - @promptbook/cli - Versions diffs - 0.104.0-1 → 0.104.0-3 - Mend

@promptbook/cli 0.104.0-1 → 0.104.0-3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (128) hide show

package/apps/agents-server/src/utils/auth.ts CHANGED Viewed

@@ -1,33 +1,133 @@
-import { randomBytes, scrypt, timingSafeEqual } from 'crypto';
+import { createHash, randomBytes, scrypt, timingSafeEqual } from 'crypto';
 import { promisify } from 'util';
+import { PASSWORD_SECURITY_CONFIG } from '../../../../security.config';
 const scryptAsync = promisify(scrypt);
 /**
- * Hashes a password using scrypt
- *
- * @param password The plain text password
+ * Validates password input to prevent edge cases and DoS attacks
+ *
+ * @param password The password to validate
+ * @throws Error if password is invalid
+ */
+function validatePasswordInput(password: string): void {
+    if (typeof password !== 'string') {
+        throw new Error('Password must be a string');
+    }
+    if (password.length === 0) {
+        throw new Error('Password cannot be empty');
+    }
+    if (password.length < PASSWORD_SECURITY_CONFIG.MIN_PASSWORD_LENGTH) {
+        throw new Error(`Password must be at least ${PASSWORD_SECURITY_CONFIG.MIN_PASSWORD_LENGTH} characters`);
+    }
+    // Note: No hard max limit - long passwords are compacted via compactPassword()
+}
+/**
+ * Compacts a password for secure processing
+ *
+ * If the password is within MAX_PASSWORD_LENGTH, it is returned as-is.
+ * If longer, the password is split at MAX_PASSWORD_LENGTH and the second part
+ * is hashed with SHA256 before being appended to the first part.
+ *
+ * This prevents DoS attacks via extremely long passwords while still utilizing
+ * the full entropy of longer passwords.
+ *
+ * @param password The password to compact
+ * @returns The compacted password
+ */
+function compactPassword(password: string): string {
+    if (password.length <= PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH) {
+        return password;
+    }
+    const firstPart = password.slice(0, PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH);
+    const secondPart = password.slice(PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH);
+    // Hash the overflow part with SHA256 to bound its length while preserving entropy
+    const secondPartHash = createHash('sha256').update(secondPart, 'utf8').digest('hex');
+    return firstPart + secondPartHash;
+}
+/**
+ * Hashes a password using scrypt with secure parameters
+ *
+ * @param password The plain text password (minimum 8 characters, no maximum - long passwords are compacted)
  * @returns The salt and hash formatted as "salt:hash"
+ * @throws Error if password validation fails
  */
 export async function hashPassword(password: string): Promise<string> {
-    const salt = randomBytes(16).toString('hex');
-    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
+    validatePasswordInput(password);
+    // Compact long passwords to prevent DoS while preserving entropy
+    const compactedPassword = compactPassword(password);
+    const salt = randomBytes(PASSWORD_SECURITY_CONFIG.SALT_LENGTH).toString('hex');
+    const derivedKey = (await scryptAsync(compactedPassword, salt, PASSWORD_SECURITY_CONFIG.KEY_LENGTH)) as Buffer;
+    // Clear password from memory as soon as possible (best effort)
+    // Note: JavaScript strings are immutable, so this is limited in effectiveness
     return `${salt}:${derivedKey.toString('hex')}`;
 }
 /**
- * Verifies a password against a stored hash
- *
- * @param password The plain text password
+ * Verifies a password against a stored hash using constant-time comparison
+ *
+ * @param password The plain text password to verify
  * @param storedHash The stored hash in format "salt:hash"
- * @returns True if the password matches
+ * @returns True if the password matches, false otherwise
  */
 export async function verifyPassword(password: string, storedHash: string): Promise<boolean> {
-    const [salt, key] = storedHash.split(':');
-    if (!salt || !key) return false;
-    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
-    const keyBuffer = Buffer.from(key, 'hex');
-    return timingSafeEqual(derivedKey, keyBuffer);
+    // Validate inputs
+    if (typeof password !== 'string' || typeof storedHash !== 'string') {
+        return false;
+    }
+    if (password.length === 0) {
+        return false;
+    }
+    // Compact long passwords the same way as during hashing
+    const compactedPassword = compactPassword(password);
+    const parts = storedHash.split(':');
+    if (parts.length !== 2) {
+        return false;
+    }
+    const [salt, key] = parts;
+    if (!salt || !key) {
+        return false;
+    }
+    // Validate salt and key format (should be hex strings of expected length)
+    const expectedSaltLength = PASSWORD_SECURITY_CONFIG.SALT_LENGTH * 2; // hex encoding doubles length
+    const expectedKeyLength = PASSWORD_SECURITY_CONFIG.KEY_LENGTH * 2;
+    if (salt.length !== expectedSaltLength || key.length !== expectedKeyLength) {
+        return false;
+    }
+    // Validate hex format
+    const hexRegex = /^[0-9a-fA-F]+$/;
+    if (!hexRegex.test(salt) || !hexRegex.test(key)) {
+        return false;
+    }
+    try {
+        const derivedKey = (await scryptAsync(compactedPassword, salt, PASSWORD_SECURITY_CONFIG.KEY_LENGTH)) as Buffer;
+        const keyBuffer = Buffer.from(key, 'hex');
+        // Ensure buffers are same length before timing-safe comparison
+        // This should always be true given our validation, but defense in depth
+        if (derivedKey.length !== keyBuffer.length) {
+            return false;
+        }
+        return timingSafeEqual(derivedKey, keyBuffer);
+    } catch {
+        // Any error during verification should return false, not leak information
+        return false;
+    }
 }

package/apps/agents-server/src/utils/cdn/classes/TrackedFilesStorage.ts ADDED Viewed

@@ -0,0 +1,57 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { $getTableName } from '../../../database/$getTableName';
+import { AgentsServerDatabase } from '../../../database/schema';
+import type { IFile, IIFilesStorageWithCdn } from '../interfaces/IFilesStorage';
+export class TrackedFilesStorage implements IIFilesStorageWithCdn {
+    public constructor(
+        private readonly inner: IIFilesStorageWithCdn,
+        private readonly supabase: SupabaseClient<AgentsServerDatabase>,
+    ) {}
+    public get cdnPublicUrl(): URL {
+        return this.inner.cdnPublicUrl;
+    }
+    public get pathPrefix(): string | undefined {
+        return this.inner.pathPrefix;
+    }
+    public getItemUrl(key: string): URL {
+        return this.inner.getItemUrl(key);
+    }
+    public async getItem(key: string): Promise<IFile | null> {
+        return this.inner.getItem(key);
+    }
+    public async removeItem(key: string): Promise<void> {
+        return this.inner.removeItem(key);
+    }
+    public async setItem(key: string, file: IFile): Promise<void> {
+        console.log('!!! 0', { key, file });
+        await this.inner.setItem(key, file);
+        try {
+            const { userId, purpose } = file;
+            const cdnUrl = this.getItemUrl(key).href;
+            console.log('!!! 1', { userId, purpose, cdnUrl, key, file });
+            await this.supabase.from(await $getTableName('File')).insert({
+                userId: userId || null,
+                fileName: key,
+                fileSize: file.fileSize ?? file.data.length,
+                fileType: file.type,
+                cdnUrl,
+                purpose: purpose || 'UNKNOWN',
+            });
+            console.log('!!! 2', { userId, purpose, cdnUrl, key, file });
+        } catch (error) {
+            console.error('Failed to track upload:', error);
+        }
+    }
+}

package/apps/agents-server/src/utils/cdn/classes/VercelBlobStorage.ts CHANGED Viewed

@@ -14,6 +14,10 @@ export class VercelBlobStorage implements IIFilesStorageWithCdn {
         return this.config.cdnPublicUrl;
     }
+    public get pathPrefix() {
+        return this.config.pathPrefix;
+    }
     public constructor(private readonly config: IVercelBlobStorageConfig) {}
     public getItemUrl(key: string): URL {

package/apps/agents-server/src/utils/cdn/interfaces/IFilesStorage.ts CHANGED Viewed

@@ -5,6 +5,23 @@ export type IFile = {
     // Maybe TODO name: string_name;
     type: string_mime_type;
     data: Buffer;
+    /**
+     * User who uploaded the file
+     */
+    userId?: number;
+    /**
+     * Purpose of the upload (e.g. KNOWLEDGE, SERVER_FAVICON_URL)
+     */
+    purpose?: string;
+    /**
+     * Size of the file in bytes
+     *
+     * Note: This is optional, if not provided, the size of the buffer is used
+     */
+    fileSize?: number;
 };
 /**
@@ -17,6 +34,7 @@ export type IFilesStorage = Omit<IStorage<IFile>, 'length' | 'clear' | 'key'>;
  */
 export type IIFilesStorageWithCdn = IFilesStorage & {
     readonly cdnPublicUrl: URL;
+    readonly pathPrefix?: string;
     getItemUrl(key: string): URL;
 };

package/apps/agents-server/src/utils/getUserIdFromRequest.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import { NextRequest } from 'next/server';
+import { keepUnused } from '../../../../src/utils/organization/keepUnused';
+import { $getTableName } from '../database/$getTableName';
+import { $provideSupabaseForServer } from '../database/$provideSupabaseForServer';
+import { getSession } from './session';
+export async function getUserIdFromRequest(request: NextRequest): Promise<number | null> {
+    keepUnused(request); // Unused because we get user from session cookie for now
+    try {
+        // 1. Try to get user from session (cookie)
+        const session = await getSession();
+        if (session && session.username) {
+            const supabase = $provideSupabaseForServer();
+            const { data } = await supabase
+                .from(await $getTableName('User'))
+                .select('id')
+                .eq('username', session.username)
+                .single();
+            if (data) {
+                return data.id;
+            }
+        }
+        // 2. Try to get user from API key (Authorization header)
+        // TODO: [🧠] Implement linking API keys to users if needed
+        // const authHeader = request.headers.get('authorization');
+        // ...
+    } catch (error) {
+        console.error('Error getting user ID from request:', error);
+    }
+    return null;
+}

package/apps/agents-server/src/utils/handleChatCompletion.ts CHANGED Viewed

@@ -2,10 +2,11 @@ import { $getTableName } from '@/src/database/$getTableName';
 import { $provideSupabaseForServer } from '@/src/database/$provideSupabaseForServer';
 import { $provideAgentCollectionForServer } from '@/src/tools/$provideAgentCollectionForServer';
 import { $provideOpenAiAssistantExecutionToolsForServer } from '@/src/tools/$provideOpenAiAssistantExecutionToolsForServer';
-import { Agent, computeAgentHash, PROMPTBOOK_ENGINE_VERSION } from '@promptbook-local/core';
+import { Agent, computeAgentHash, parseAgentSource, PROMPTBOOK_ENGINE_VERSION } from '@promptbook-local/core';
 import { ChatMessage, ChatPromptResult, Prompt, string_book, TODO_any } from '@promptbook-local/types';
 import { computeHash } from '@promptbook-local/utils';
 import { NextRequest, NextResponse } from 'next/server';
+import { isAgentDeleted } from '../app/agents/[agentName]/_utils';
 import { validateApiKey } from './validateApiKey';
 export async function handleChatCompletion(
@@ -60,6 +61,19 @@ export async function handleChatCompletion(
             );
         }
+        // Check if agent is deleted
+        if (await isAgentDeleted(agentName)) {
+            return NextResponse.json(
+                {
+                    error: {
+                        message: 'This agent has been deleted. You can restore it from the Recycle Bin.',
+                        type: 'agent_deleted',
+                    },
+                },
+                { status: 410 }, // Gone - indicates the resource is no longer available
+            );
+        }
         const collection = await $provideAgentCollectionForServer();
         let agentSource: string_book;
         try {
@@ -99,7 +113,54 @@ export async function handleChatCompletion(
             );
         }
-        const openAiAssistantExecutionTools = await $provideOpenAiAssistantExecutionToolsForServer();
+        const agentHash = computeAgentHash(agentSource);
+        const supabase = $provideSupabaseForServer();
+        const { data: assistantCache } = await supabase
+            .from(await $getTableName('OpenAiAssistantCache'))
+            .select('assistantId')
+            .eq('agentHash', agentHash)
+            .single();
+        let openAiAssistantExecutionTools = await $provideOpenAiAssistantExecutionToolsForServer();
+        if (assistantCache?.assistantId) {
+            console.log(
+                `[🐱‍🚀] Reusing assistant ${assistantCache.assistantId} for agent ${agentName} (hash: ${agentHash})`,
+            );
+            openAiAssistantExecutionTools = openAiAssistantExecutionTools.getAssistant(assistantCache.assistantId);
+        } else {
+            console.log(`[🐱‍🚀] Creating NEW assistant for agent ${agentName} (hash: ${agentHash})`);
+            // Parse to get instructions and name
+            const parsed = parseAgentSource(agentSource);
+            const name = parsed.agentName || agentName;
+            // Extract PERSONA
+            const baseInstructions = parsed.personaDescription || 'You are a helpful assistant.';
+            // Note: Append context to instructions
+            const contextLines = agentSource.split('\n').filter((line) => line.startsWith('CONTEXT '));
+            const contextInstructions = contextLines.join('\n');
+            const instructions = contextInstructions
+                ? `${baseInstructions}\n\n${contextInstructions}`
+                : baseInstructions;
+            // Create assistant
+            const newAssistantTools = await openAiAssistantExecutionTools.createNewAssistant({
+                name,
+                instructions,
+                // knowledgeSources?
+            });
+            // Save to cache
+            const newAssistantId = newAssistantTools.assistantId;
+            if (newAssistantId) {
+                await supabase.from(await $getTableName('OpenAiAssistantCache')).insert({
+                    agentHash,
+                    assistantId: newAssistantId,
+                });
+                openAiAssistantExecutionTools = newAssistantTools;
+            }
+        }
         const agent = new Agent({
             agentSource,
             executionTools: {
@@ -108,7 +169,6 @@ export async function handleChatCompletion(
             isVerbose: true, // or false
         });
-        const agentHash = computeAgentHash(agentSource);
         const userAgent = request.headers.get('user-agent');
         const ip =
             request.headers.get('x-forwarded-for') ||
@@ -125,8 +185,9 @@ export async function handleChatCompletion(
         const previousMessages = threadMessages.slice(0, -1);
         const thread: ChatMessage[] = previousMessages.map((msg: TODO_any, index: number) => ({
+            // channel: 'PROMPTBOOK_CHAT',
             id: `msg-${index}`, // Placeholder ID
-            from: msg.role === 'assistant' ? 'agent' : 'user', // Mapping standard OpenAI roles
+            sender: msg.role === 'assistant' ? 'agent' : 'user', // Mapping standard OpenAI roles
             content: msg.content,
             isComplete: true,
             date: new Date(), // We don't have the real date, using current
@@ -138,7 +199,6 @@ export async function handleChatCompletion(
             content: lastMessage.content,
         };
-        const supabase = $provideSupabaseForServer();
         await supabase.from(await $getTableName('ChatHistory')).insert({
             createdAt: new Date().toISOString(),
             messageHash: computeHash(userMessageContent),

package/apps/agents-server/src/utils/normalization/filenameToPrompt.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { capitalize } from '../../../../../src/utils/normalization/capitalize';
+/**
+ * Converts a filename like "cat-sitting-on-keyboard.png" to a prompt like "Cat sitting on keyboard"
+ *
+ * @param filename - The filename to convert
+ * @returns The normalized prompt
+ */
+export function filenameToPrompt(filename: string): string {
+    // Remove file extension
+    const withoutExtension = filename.replace(/\.[^/.]+$/, '');
+    // Replace dashes and underscores with spaces
+    const withSpaces = withoutExtension.replace(/[-_]/g, ' ');
+    // Capitalize each word
+    const words = withSpaces.split(' ');
+    const capitalizedWords = words.map(word => capitalize(word));
+    return capitalizedWords.join(' ');
+}

package/apps/agents-server/src/utils/validateApiKey.ts CHANGED Viewed

@@ -1,15 +1,6 @@
 import { createClient } from '@supabase/supabase-js';
 import { NextRequest } from 'next/server';
-import { SERVERS, SUPABASE_TABLE_PREFIX } from '../../config';
-// Note: Re-implementing normalizeTo_PascalCase to avoid importing from @promptbook-local/utils which might have Node.js dependencies
-function normalizeTo_PascalCase(text: string): string {
-    return text
-        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word) => {
-            return word.toUpperCase();
-        })
-        .replace(/\s+/g, '');
-}
+import { $getTableName } from '../database/$getTableName';
 export type ApiKeyValidationResult = {
     isValid: boolean;
@@ -62,10 +53,14 @@ export async function validateApiKey(request: NextRequest): Promise<ApiKeyValida
         };
     }
+    /*
+    Note: [🐔] This code was commented out because results of it are unused
     // Determine the table prefix based on the host
     const host = request.headers.get('host');
     let tablePrefix = SUPABASE_TABLE_PREFIX;
     if (host && SERVERS && SERVERS.length > 0) {
         if (SERVERS.some((server) => server === host)) {
             let serverName = host;
@@ -74,6 +69,7 @@ export async function validateApiKey(request: NextRequest): Promise<ApiKeyValida
             tablePrefix = `server_${serverName}_`;
         }
     }
+    */
     const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
     const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
@@ -95,7 +91,7 @@ export async function validateApiKey(request: NextRequest): Promise<ApiKeyValida
         });
         const { data, error } = await supabase
-            .from(`${tablePrefix}ApiTokens`)
+            .from(await $getTableName(`ApiTokens`))
             .select('id, isRevoked')
             .eq('token', token)
             .single();