@promptbook/cli 0.104.0-2 → 0.104.0-4

package/apps/agents-server/src/message-providers/email/zeptomail/ZeptomailMessageProvider.ts

@@ -0,0 +1,43 @@
+import { removeMarkdownFormatting } from '@promptbook-local/markdown-utils';
+import type { really_any } from '@promptbook-local/types';
+import { marked } from 'marked';
+// @ts-expect-error: Zeptomail types are not resolving correctly
+import { SendMailClient } from 'zeptomail';
+import { MessageProvider } from '../../interfaces/MessageProvider';
+import { OutboundEmail } from '../_common/Email';
+
+export class ZeptomailMessageProvider implements MessageProvider {
+    constructor(private readonly apiKey: string) {}
+
+    public async send(message: OutboundEmail): Promise<really_any> {
+        const client = new SendMailClient({ url: 'api.zeptomail.com/', token: this.apiKey });
+
+        const sender = message.sender as really_any;
+        const recipients = (Array.isArray(message.recipients) ? message.recipients : [message.recipients]).filter(
+            Boolean,
+        ) as really_any[];
+
+        const textbody = removeMarkdownFormatting(message.content);
+        const htmlbody = await marked.parse(message.content);
+
+        const response = await client.sendMail({
+            from: {
+                address: sender.email || sender.baseEmail || sender,
+                name: sender.name || sender.fullName || undefined,
+            },
+            to: recipients.map((r) => ({
+                email_address: {
+                    address: r.email || r.baseEmail || r,
+                    name: r.name || r.fullName || undefined,
+                },
+            })),
+            subject: message.metadata?.subject || 'No Subject',
+            textbody,
+            htmlbody,
+            track_clicks: true,
+            track_opens: true,
+        });
+
+        return response;
+    }
+}

package/apps/agents-server/src/message-providers/index.ts

@@ -0,0 +1,13 @@
+import { SendgridMessageProvider } from './email/sendgrid/SendgridMessageProvider';
+import { ZeptomailMessageProvider } from './email/zeptomail/ZeptomailMessageProvider';
+import { MessageProvider } from './interfaces/MessageProvider';
+
+export const EMAIL_PROVIDERS: Record<string, MessageProvider> = {};
+
+if (process.env.ZEPTOMAIL_API_KEY) {
+    EMAIL_PROVIDERS['ZEPTOMAIL'] = new ZeptomailMessageProvider(process.env.ZEPTOMAIL_API_KEY);
+}
+
+if (process.env.SENDGRID_API_KEY) {
+    EMAIL_PROVIDERS['SENDGRID'] = new SendgridMessageProvider(process.env.SENDGRID_API_KEY);
+}

package/apps/agents-server/src/message-providers/interfaces/MessageProvider.ts

@@ -0,0 +1,11 @@
+import type { Message, really_any, string_email } from '@promptbook-local/types';
+
+export type MessageProvider = {
+    /**
+     * Sends a message through the provider
+     *
+     * @param message The message to send
+     * @returns Raw response from the provider
+     */
+    send(message: Message<string_email>): Promise<really_any>;
+};

package/apps/agents-server/src/middleware.ts

@@ -1,7 +1,7 @@
 import { TODO_any } from '@promptbook-local/types';
 import { createClient } from '@supabase/supabase-js';
 import { NextRequest, NextResponse } from 'next/server';
-import { SERVERS, SUPABASE_TABLE_PREFIX } from '../config';
+import { SERVERS } from '../config';
 import { $getTableName } from './database/$getTableName';
 import { RESERVED_PATHS } from './generated/reservedPaths';
 import { isIpAllowed } from './utils/isIpAllowed';
@@ -9,7 +9,7 @@ import { isIpAllowed } from './utils/isIpAllowed';
 // Note: Re-implementing normalizeTo_PascalCase to avoid importing from @promptbook-local/utils which might have Node.js dependencies !!!!
 function normalizeTo_PascalCase(text: string): string {
     return text
-        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word, index) => {
+        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word) => {
             return word.toUpperCase();
         })
         .replace(/\s+/g, '');
@@ -35,8 +35,12 @@ export async function middleware(req: NextRequest) {
     const host = req.headers.get('host');
 
     if (host) {
+        /*
+        Note: [🐔] This code was commented out because results of it are unused
+
         let tablePrefix = SUPABASE_TABLE_PREFIX;
 
+        
         if (SERVERS && SERVERS.length > 0) {
             // Logic mirrored from src/tools/$provideServer.ts
             if (SERVERS.some((server) => server === host)) {
@@ -46,6 +50,7 @@ export async function middleware(req: NextRequest) {
                 tablePrefix = `server_${serverName}_`;
             }
         }
+        */
 
         const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
         const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
@@ -84,6 +89,9 @@ export async function middleware(req: NextRequest) {
         const token = authHeader.split(' ')[1];
 
         if (token.startsWith('ptbk_')) {
+            /*
+            Note: [🐔] This code was commented out because results of it are unused
+            
             const host = req.headers.get('host');
             let tablePrefix = SUPABASE_TABLE_PREFIX;
 
@@ -95,6 +103,7 @@ export async function middleware(req: NextRequest) {
                     tablePrefix = `server_${serverName}_`;
                 }
             }
+            */
 
             const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
             const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
@@ -230,7 +239,7 @@ export async function middleware(req: NextRequest) {
                 let serverName = serverHost;
                 serverName = serverName.replace(/\.ptbk\.io$/, '');
                 serverName = normalizeTo_PascalCase(serverName);
-                const prefix = `server_${serverName}_`;
+                // const prefix = `server_${serverName}_`;
 
                 // Search for agent with matching META LINK
                 // agentProfile->links is an array of strings

package/apps/agents-server/src/utils/auth.ts

@@ -1,33 +1,133 @@
-import { randomBytes, scrypt, timingSafeEqual } from 'crypto';
+import { createHash, randomBytes, scrypt, timingSafeEqual } from 'crypto';
 import { promisify } from 'util';
+import { PASSWORD_SECURITY_CONFIG } from '../../../../security.config';
 
 const scryptAsync = promisify(scrypt);
 
 /**
- * Hashes a password using scrypt
- * 
- * @param password The plain text password
+ * Validates password input to prevent edge cases and DoS attacks
+ *
+ * @param password The password to validate
+ * @throws Error if password is invalid
+ */
+function validatePasswordInput(password: string): void {
+    if (typeof password !== 'string') {
+        throw new Error('Password must be a string');
+    }
+    if (password.length === 0) {
+        throw new Error('Password cannot be empty');
+    }
+    if (password.length < PASSWORD_SECURITY_CONFIG.MIN_PASSWORD_LENGTH) {
+        throw new Error(`Password must be at least ${PASSWORD_SECURITY_CONFIG.MIN_PASSWORD_LENGTH} characters`);
+    }
+    // Note: No hard max limit - long passwords are compacted via compactPassword()
+}
+
+/**
+ * Compacts a password for secure processing
+ *
+ * If the password is within MAX_PASSWORD_LENGTH, it is returned as-is.
+ * If longer, the password is split at MAX_PASSWORD_LENGTH and the second part
+ * is hashed with SHA256 before being appended to the first part.
+ *
+ * This prevents DoS attacks via extremely long passwords while still utilizing
+ * the full entropy of longer passwords.
+ *
+ * @param password The password to compact
+ * @returns The compacted password
+ */
+function compactPassword(password: string): string {
+    if (password.length <= PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH) {
+        return password;
+    }
+
+    const firstPart = password.slice(0, PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH);
+    const secondPart = password.slice(PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH);
+
+    // Hash the overflow part with SHA256 to bound its length while preserving entropy
+    const secondPartHash = createHash('sha256').update(secondPart, 'utf8').digest('hex');
+
+    return firstPart + secondPartHash;
+}
+
+/**
+ * Hashes a password using scrypt with secure parameters
+ *
+ * @param password The plain text password (minimum 8 characters, no maximum - long passwords are compacted)
  * @returns The salt and hash formatted as "salt:hash"
+ * @throws Error if password validation fails
  */
 export async function hashPassword(password: string): Promise<string> {
-    const salt = randomBytes(16).toString('hex');
-    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
+    validatePasswordInput(password);
+
+    // Compact long passwords to prevent DoS while preserving entropy
+    const compactedPassword = compactPassword(password);
+
+    const salt = randomBytes(PASSWORD_SECURITY_CONFIG.SALT_LENGTH).toString('hex');
+    const derivedKey = (await scryptAsync(compactedPassword, salt, PASSWORD_SECURITY_CONFIG.KEY_LENGTH)) as Buffer;
+
+    // Clear password from memory as soon as possible (best effort)
+    // Note: JavaScript strings are immutable, so this is limited in effectiveness
     return `${salt}:${derivedKey.toString('hex')}`;
 }
 
 /**
- * Verifies a password against a stored hash
- * 
- * @param password The plain text password
+ * Verifies a password against a stored hash using constant-time comparison
+ *
+ * @param password The plain text password to verify
  * @param storedHash The stored hash in format "salt:hash"
- * @returns True if the password matches
+ * @returns True if the password matches, false otherwise
  */
 export async function verifyPassword(password: string, storedHash: string): Promise<boolean> {
-    const [salt, key] = storedHash.split(':');
-    if (!salt || !key) return false;
-    
-    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
-    const keyBuffer = Buffer.from(key, 'hex');
-    
-    return timingSafeEqual(derivedKey, keyBuffer);
+    // Validate inputs
+    if (typeof password !== 'string' || typeof storedHash !== 'string') {
+        return false;
+    }
+
+    if (password.length === 0) {
+        return false;
+    }
+
+    // Compact long passwords the same way as during hashing
+    const compactedPassword = compactPassword(password);
+
+    const parts = storedHash.split(':');
+    if (parts.length !== 2) {
+        return false;
+    }
+
+    const [salt, key] = parts;
+    if (!salt || !key) {
+        return false;
+    }
+
+    // Validate salt and key format (should be hex strings of expected length)
+    const expectedSaltLength = PASSWORD_SECURITY_CONFIG.SALT_LENGTH * 2; // hex encoding doubles length
+    const expectedKeyLength = PASSWORD_SECURITY_CONFIG.KEY_LENGTH * 2;
+
+    if (salt.length !== expectedSaltLength || key.length !== expectedKeyLength) {
+        return false;
+    }
+
+    // Validate hex format
+    const hexRegex = /^[0-9a-fA-F]+$/;
+    if (!hexRegex.test(salt) || !hexRegex.test(key)) {
+        return false;
+    }
+
+    try {
+        const derivedKey = (await scryptAsync(compactedPassword, salt, PASSWORD_SECURITY_CONFIG.KEY_LENGTH)) as Buffer;
+        const keyBuffer = Buffer.from(key, 'hex');
+
+        // Ensure buffers are same length before timing-safe comparison
+        // This should always be true given our validation, but defense in depth
+        if (derivedKey.length !== keyBuffer.length) {
+            return false;
+        }
+
+        return timingSafeEqual(derivedKey, keyBuffer);
+    } catch {
+        // Any error during verification should return false, not leak information
+        return false;
+    }
 }

package/apps/agents-server/src/utils/getUserIdFromRequest.ts

@@ -1,9 +1,12 @@
 import { NextRequest } from 'next/server';
+import { keepUnused } from '../../../../src/utils/organization/keepUnused';
 import { $getTableName } from '../database/$getTableName';
 import { $provideSupabaseForServer } from '../database/$provideSupabaseForServer';
 import { getSession } from './session';
 
 export async function getUserIdFromRequest(request: NextRequest): Promise<number | null> {
+    keepUnused(request); // Unused because we get user from session cookie for now
+
     try {
         // 1. Try to get user from session (cookie)
         const session = await getSession();
@@ -24,7 +27,6 @@ export async function getUserIdFromRequest(request: NextRequest): Promise<number
         // TODO: [🧠] Implement linking API keys to users if needed
         // const authHeader = request.headers.get('authorization');
         // ...
-
     } catch (error) {
         console.error('Error getting user ID from request:', error);
     }

package/apps/agents-server/src/utils/handleChatCompletion.ts

@@ -3,12 +3,11 @@ import { $provideSupabaseForServer } from '@/src/database/$provideSupabaseForSer
 import { $provideAgentCollectionForServer } from '@/src/tools/$provideAgentCollectionForServer';
 import { $provideOpenAiAssistantExecutionToolsForServer } from '@/src/tools/$provideOpenAiAssistantExecutionToolsForServer';
 import { Agent, computeAgentHash, parseAgentSource, PROMPTBOOK_ENGINE_VERSION } from '@promptbook-local/core';
-import { OpenAiAssistantExecutionTools } from '@promptbook-local/openai';
 import { ChatMessage, ChatPromptResult, Prompt, string_book, TODO_any } from '@promptbook-local/types';
 import { computeHash } from '@promptbook-local/utils';
 import { NextRequest, NextResponse } from 'next/server';
-import { validateApiKey } from './validateApiKey';
 import { isAgentDeleted } from '../app/agents/[agentName]/_utils';
+import { validateApiKey } from './validateApiKey';
 
 export async function handleChatCompletion(
     request: NextRequest,
@@ -125,7 +124,9 @@ export async function handleChatCompletion(
         let openAiAssistantExecutionTools = await $provideOpenAiAssistantExecutionToolsForServer();
 
         if (assistantCache?.assistantId) {
-            console.log(`[🐱‍🚀] Reusing assistant ${assistantCache.assistantId} for agent ${agentName} (hash: ${agentHash})`);
+            console.log(
+                `[🐱‍🚀] Reusing assistant ${assistantCache.assistantId} for agent ${agentName} (hash: ${agentHash})`,
+            );
             openAiAssistantExecutionTools = openAiAssistantExecutionTools.getAssistant(assistantCache.assistantId);
         } else {
             console.log(`[🐱‍🚀] Creating NEW assistant for agent ${agentName} (hash: ${agentHash})`);
@@ -138,7 +139,9 @@ export async function handleChatCompletion(
             // Note: Append context to instructions
             const contextLines = agentSource.split('\n').filter((line) => line.startsWith('CONTEXT '));
             const contextInstructions = contextLines.join('\n');
-            const instructions = contextInstructions ? `${baseInstructions}\n\n${contextInstructions}` : baseInstructions;
+            const instructions = contextInstructions
+                ? `${baseInstructions}\n\n${contextInstructions}`
+                : baseInstructions;
 
             // Create assistant
             const newAssistantTools = await openAiAssistantExecutionTools.createNewAssistant({
@@ -182,8 +185,9 @@ export async function handleChatCompletion(
         const previousMessages = threadMessages.slice(0, -1);
 
         const thread: ChatMessage[] = previousMessages.map((msg: TODO_any, index: number) => ({
+            // channel: 'PROMPTBOOK_CHAT',
             id: `msg-${index}`, // Placeholder ID
-            from: msg.role === 'assistant' ? 'agent' : 'user', // Mapping standard OpenAI roles
+            sender: msg.role === 'assistant' ? 'agent' : 'user', // Mapping standard OpenAI roles
             content: msg.content,
             isComplete: true,
             date: new Date(), // We don't have the real date, using current

package/apps/agents-server/src/utils/messages/sendMessage.ts

@@ -0,0 +1,91 @@
+import type { really_any } from '@promptbook-local/types';
+import { $getTableName } from '../../database/$getTableName';
+import { $provideSupabaseForServer } from '../../database/$provideSupabaseForServer';
+import { EMAIL_PROVIDERS } from '../../message-providers';
+import { OutboundEmail } from '../../message-providers/email/_common/Email';
+
+/**
+ * Sends a message
+ */
+export async function sendMessage(message: OutboundEmail): Promise<void> {
+    const supabase = await $provideSupabaseForServer();
+    // @ts-expect-error: Tables are not yet in types
+    const messageTable = await $getTableName('Message');
+    // @ts-expect-error: Tables are not yet in types
+    const messageSendAttemptTable = await $getTableName('MessageSendAttempt');
+
+    // 1. Insert message
+    const { data: insertedMessage, error: insertError } = await supabase
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        .from(messageTable as any)
+        .insert({
+            channel: message.channel || 'UNKNOWN',
+            direction: message.direction || 'OUTBOUND',
+            sender: message.sender,
+            recipients: message.recipients,
+            content: message.content,
+            threadId: message.threadId,
+            metadata: message.metadata,
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } as any)
+        .select()
+        .single();
+
+    if (insertError) {
+        throw new Error(`Failed to insert message: ${insertError.message}`);
+    }
+
+    if (!insertedMessage) {
+        throw new Error('Failed to insert message: No data returned');
+    }
+
+    // 2. If outbound and email, try to send
+    if (message.direction === 'OUTBOUND' && message.channel === 'EMAIL') {
+        const providers = Object.keys(EMAIL_PROVIDERS);
+
+        if (providers.length === 0) {
+            console.warn('No email providers configured');
+            return;
+        }
+
+        let isSent = false;
+
+        for (const providerName of providers) {
+            const provider = EMAIL_PROVIDERS[providerName];
+            let isSuccessful = false;
+            let raw: really_any = null;
+
+            try {
+                raw = await provider.send(message);
+                isSuccessful = true;
+                isSent = true;
+            } catch (error) {
+                console.error(`Failed to send email via ${providerName}`, error);
+                raw = { error: error instanceof Error ? error.message : String(error) };
+            }
+
+            // 3. Log attempt
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            await supabase.from(messageSendAttemptTable as any).insert({
+                // @ts-expect-error: insertedMessage is any
+                messageId: insertedMessage.id,
+                providerName,
+                isSuccessful,
+                raw,
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            } as any);
+
+            if (isSuccessful) {
+                break;
+            }
+        }
+
+        if (!isSent) {
+            throw new Error('Failed to send email via any provider');
+        }
+    }
+}
+
+/**
+ * TODO: !!!! Move to `message-providers` and rename `message-providers` -> `messages`
+ */

package/apps/agents-server/src/utils/normalization/filenameToPrompt.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, it } from '@jest/globals';
+import { filenameToPrompt } from './filenameToPrompt';
+
+describe('how filenameToPrompt works', () => {
+    it('will convert filename with dashes', () => {
+        expect(filenameToPrompt('cat-sitting-on-keyboard.png')).toEqual('Cat sitting on keyboard');
+        expect(filenameToPrompt('hello-world.jpg')).toEqual('Hello world');
+    });
+
+    it('will convert filename with underscores', () => {
+        expect(filenameToPrompt('cat_sitting_on_keyboard.png')).toEqual('Cat sitting on keyboard');
+        expect(filenameToPrompt('hello_world.jpg')).toEqual('Hello world');
+    });
+
+    it('will convert filename with mixed separators', () => {
+        expect(filenameToPrompt('cat-sitting_on-keyboard.png')).toEqual('Cat sitting on keyboard');
+    });
+
+    it('will handle single word filename', () => {
+        expect(filenameToPrompt('cat.png')).toEqual('Cat');
+        expect(filenameToPrompt('HELLO.jpg')).toEqual('HELLO');
+    });
+
+    it('will handle filename without extension', () => {
+        expect(filenameToPrompt('cat-sitting-on-keyboard')).toEqual('Cat sitting on keyboard');
+    });
+
+    it('will handle filename with multiple dots', () => {
+        expect(filenameToPrompt('cat.sitting.on.keyboard.png')).toEqual('Cat.sitting.on.keyboard');
+    });
+
+    it('will handle capitalized words after first word', () => {
+        expect(filenameToPrompt('Cat-Sitting-On-Keyboard.png')).toEqual('Cat sitting on keyboard');
+        expect(filenameToPrompt('HELLO-WORLD.png')).toEqual('HELLO world');
+    });
+});

package/apps/agents-server/src/utils/normalization/filenameToPrompt.ts

@@ -1,4 +1,4 @@
-import { capitalize } from '../../../../../src/utils/normalization/capitalize';
+import { capitalize } from '@promptbook/utils';
 
 /**
  * Converts a filename like "cat-sitting-on-keyboard.png" to a prompt like "Cat sitting on keyboard"
@@ -15,7 +15,11 @@ export function filenameToPrompt(filename: string): string {
 
     // Capitalize each word
     const words = withSpaces.split(' ');
-    const capitalizedWords = words.map(word => capitalize(word));
+    const capitalizedWords = words.map((word, index) => (index === 0 ? capitalize(word) : word.toLowerCase()));
 
     return capitalizedWords.join(' ');
 }
+
+/**
+ * TODO: [🧠][🏰] Make standard normalization function exported from `@promptbook/utils`
+ */

package/apps/agents-server/src/utils/validateApiKey.ts

@@ -1,17 +1,7 @@
 import { createClient } from '@supabase/supabase-js';
 import { NextRequest } from 'next/server';
-import { SERVERS, SUPABASE_TABLE_PREFIX } from '../../config';
 import { $getTableName } from '../database/$getTableName';
 
-// Note: Re-implementing normalizeTo_PascalCase to avoid importing from @promptbook-local/utils which might have Node.js dependencies
-function normalizeTo_PascalCase(text: string): string {
-    return text
-        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word) => {
-            return word.toUpperCase();
-        })
-        .replace(/\s+/g, '');
-}
-
 export type ApiKeyValidationResult = {
     isValid: boolean;
     token?: string;
@@ -63,10 +53,14 @@ export async function validateApiKey(request: NextRequest): Promise<ApiKeyValida
         };
     }
 
+    /*
+    Note: [🐔] This code was commented out because results of it are unused
+    
     // Determine the table prefix based on the host
     const host = request.headers.get('host');
     let tablePrefix = SUPABASE_TABLE_PREFIX;
 
+    
     if (host && SERVERS && SERVERS.length > 0) {
         if (SERVERS.some((server) => server === host)) {
             let serverName = host;
@@ -75,6 +69,7 @@ export async function validateApiKey(request: NextRequest): Promise<ApiKeyValida
             tablePrefix = `server_${serverName}_`;
         }
     }
+    */
 
     const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
     const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;