@promptbook/cli 0.112.0-101 → 0.112.0-103

package/apps/agents-server/src/languages/translations/english.yaml

@@ -124,6 +124,7 @@ header.menuLabel: Menu
 header.myAccount: My Account
 header.superAdmin: Super Admin
 header.administration: Administration
+header.loginMethods: Login Methods
 header.monitoringAndUsage: Monitoring & Usage
 header.integrationsAndKeys: Integrations & Keys
 header.developerDebug: Developer / Debug
@@ -164,6 +165,7 @@ header.errorSimulation: Error simulation
 header.imagesGallery: Images gallery
 header.files: Files
 header.users: Users
+header.shibboleth: Shibboleth
 header.versionInfo: Version info
 header.experiments: Experiments
 header.story: Story
@@ -194,8 +196,8 @@ login.passwordLabel: Password
 login.passwordPlaceholder: Enter your password
 login.loggingIn: Logging in...
 login.loginAction: Log in
-login.shibbolethAction: Continue with {provider}
-login.methodDivider: or
+login.shibbolethLoginAction: Continue with Shibboleth
+login.shibbolethNotConfigured: Shibboleth login is active but needs administrator setup.
 login.forgottenPassword: Forgotten password?
 login.registerNewUser: Register new user
 login.errorOccurred: An error occurred
@@ -382,7 +384,7 @@ footer.logosAndBranding: Logos & Branding
 footer.connectSectionTitle: Connect
 footer.linksSectionTitle: Links
 footer.allRightsReserved: All rights reserved.
-footer.madeInCzechRepublic: Made with ❤️ in the Czech Republic.
+footer.madeInCzechRepublic: Made with ❤️ in the Czech Republic
 footer.engineVersion: Promptbook engine version
 forbidden.title: 403 Forbidden
 forbidden.message: You do not have permission to access this page.

package/apps/agents-server/src/tools/$provideCdnForServer.ts

@@ -1,4 +1,5 @@
 import { $provideSupabaseForServer } from '../database/$provideSupabaseForServer';
+import { DigitalOceanSpaces } from '../utils/cdn/classes/DigitalOceanSpaces';
 import { TrackedFilesStorage } from '../utils/cdn/classes/TrackedFilesStorage';
 import { VercelBlobStorage } from '../utils/cdn/classes/VercelBlobStorage';
 import { IIFilesStorageWithCdn } from '../utils/cdn/interfaces/IFilesStorage';
@@ -15,29 +16,71 @@ let cdn: IIFilesStorageWithCdn | null = null;
  */
 export function $provideCdnForServer(): IIFilesStorageWithCdn {
     if (!cdn) {
-        const inner = new VercelBlobStorage({
-            token: process.env.VERCEL_BLOB_READ_WRITE_TOKEN!,
-            pathPrefix: process.env.NEXT_PUBLIC_CDN_PATH_PREFIX!,
-            cdnPublicUrl: new URL(process.env.NEXT_PUBLIC_CDN_PUBLIC_URL!),
-        });
-
+        const inner = createCdnStorageForServer();
         const supabase = $provideSupabaseForServer();
         cdn = new TrackedFilesStorage(inner, supabase);
+    }
+
+    return cdn;
+}
 
-        /*
-        cdn = new DigitalOceanSpaces({
+/**
+ * Creates the configured CDN storage implementation for server-side file operations.
+ *
+ * @private helper of `$provideCdnForServer`
+ */
+function createCdnStorageForServer(): IIFilesStorageWithCdn {
+    if (isS3CompatibleStorageSelected()) {
+        return new DigitalOceanSpaces({
             bucket: process.env.CDN_BUCKET!,
-            pathPrefix: process.env.NEXT_PUBLIC_CDN_PATH_PREFIX!,
+            pathPrefix: process.env.NEXT_PUBLIC_CDN_PATH_PREFIX || '',
             endpoint: process.env.CDN_ENDPOINT!,
             accessKeyId: process.env.CDN_ACCESS_KEY_ID!,
             secretAccessKey: process.env.CDN_SECRET_ACCESS_KEY!,
             cdnPublicUrl: new URL(process.env.NEXT_PUBLIC_CDN_PUBLIC_URL!),
             gzip: true,
+            forcePathStyle: process.env.CDN_FORCE_PATH_STYLE === 'true',
+            region: process.env.CDN_REGION || 'auto',
         });
-        */
     }
 
-    return cdn;
+    return new VercelBlobStorage({
+        token: process.env.VERCEL_BLOB_READ_WRITE_TOKEN!,
+        pathPrefix: process.env.NEXT_PUBLIC_CDN_PATH_PREFIX || '',
+        cdnPublicUrl: new URL(process.env.NEXT_PUBLIC_CDN_PUBLIC_URL!),
+    });
+}
+
+/**
+ * Checks whether the current environment should use the S3-compatible storage implementation.
+ *
+ * @private helper of `$provideCdnForServer`
+ */
+function isS3CompatibleStorageSelected(): boolean {
+    const storageMode = (process.env.PTBK_FILE_STORAGE_MODE || process.env.CDN_PROVIDER || '').toLowerCase();
+    const isS3StorageMode =
+        storageMode === 's3' || storageMode === 'external-s3' || storageMode === 'self-contained-s3';
+
+    if (isS3StorageMode) {
+        return hasS3CompatibleStorageConfiguration();
+    }
+
+    return !process.env.VERCEL_BLOB_READ_WRITE_TOKEN && hasS3CompatibleStorageConfiguration();
+}
+
+/**
+ * Checks whether all S3-compatible storage environment variables are present.
+ *
+ * @private helper of `$provideCdnForServer`
+ */
+function hasS3CompatibleStorageConfiguration(): boolean {
+    return Boolean(
+        process.env.CDN_BUCKET &&
+            process.env.CDN_ENDPOINT &&
+            process.env.CDN_ACCESS_KEY_ID &&
+            process.env.CDN_SECRET_ACCESS_KEY &&
+            process.env.NEXT_PUBLIC_CDN_PUBLIC_URL,
+    );
 }
 
 // TODO: [🏓] Unite `xxxForServer` and `xxxForNode` naming

package/apps/agents-server/src/utils/cdn/classes/DigitalOceanSpaces.ts

@@ -16,6 +16,8 @@ type IDigitalOceanSpacesConfig = {
     readonly secretAccessKey: string;
     readonly cdnPublicUrl: URL;
     readonly gzip: boolean;
+    readonly forcePathStyle?: boolean;
+    readonly region?: string;
 
     // TODO: [⛳️] Probbably prefix should be in this config not on the consumer side
 };
@@ -32,8 +34,9 @@ export class DigitalOceanSpaces implements IIFilesStorageWithCdn {
 
     public constructor(private readonly config: IDigitalOceanSpacesConfig) {
         this.s3 = new S3Client({
-            region: 'auto',
-            endpoint: 'https://' + config.endpoint,
+            region: config.region || 'auto',
+            endpoint: normalizeS3Endpoint(config.endpoint),
+            forcePathStyle: config.forcePathStyle,
             credentials: {
                 accessKeyId: config.accessKeyId,
                 secretAccessKey: config.secretAccessKey,
@@ -119,5 +122,18 @@ export class DigitalOceanSpaces implements IIFilesStorageWithCdn {
     }
 }
 
+/**
+ * Normalizes endpoint values from legacy host-only configuration and full S3 URLs.
+ *
+ * @private helper of `DigitalOceanSpaces`
+ */
+function normalizeS3Endpoint(endpoint: string): string {
+    if (/^https?:\/\//i.test(endpoint)) {
+        return endpoint;
+    }
+
+    return `https://${endpoint}`;
+}
+
 // TODO: Implement Read-only mode
 // TODO: [☹️] Unite with `PromptbookStorage` and move to `/src/...`

package/apps/agents-server/src/utils/cdn/classes/TrackedFilesStorage.ts

@@ -33,24 +33,25 @@ export class TrackedFilesStorage implements IIFilesStorageWithCdn {
     }
 
     public async setItem(key: string, file: IFile): Promise<void> {
-
         await this.inner.setItem(key, file);
 
         try {
             const { userId, purpose } = file;
             const cdnUrl = this.getItemUrl(key).href;
+            const securityResult =
+                file.securityResult as AgentsServerDatabase['public']['Tables']['File']['Insert']['securityResult'];
 
-     
             await this.supabase.from(await $getTableName('File')).insert({
                 userId: userId || null,
                 fileName: key,
                 fileSize: file.fileSize ?? file.data.length,
                 fileType: file.type,
-                cdnUrl,
+                storageUrl: cdnUrl,
+                shortUrl: null,
                 purpose: purpose || 'UNKNOWN',
+                status: 'COMPLETED',
+                securityResult: securityResult || null,
             });
-
-           
         } catch (error) {
             console.error('Failed to track upload:', error);
         }

package/apps/agents-server/src/utils/cdn/interfaces/IFilesStorage.ts

@@ -25,6 +25,11 @@ export type IFile = {
      * Note: This is optional, if not provided, the size of the buffer is used
      */
     fileSize?: number;
+
+    /**
+     * Optional file security result collected before the file is tracked.
+     */
+    securityResult?: Record<string, unknown>;
 };
 
 /**

package/apps/agents-server/src/utils/chatExport/renderHtmlToPdfOnServer.ts

@@ -9,6 +9,16 @@ const CHAT_EXPORT_PDF_VIEWPORT = {
     height: 1600,
 } as const;
 
+/**
+ * Page margins applied to every exported PDF page.
+ */
+const CHAT_EXPORT_PDF_MARGIN = {
+    top: '0.5in',
+    right: '0.5in',
+    bottom: '0.5in',
+    left: '0.5in',
+} as const;
+
 /**
  * Prints standalone HTML into a PDF using a short-lived headless Chromium instance.
  *
@@ -31,6 +41,7 @@ export async function renderHtmlToPdfOnServer(html: string): Promise<Buffer> {
 
             return await page.pdf({
                 format: 'Letter',
+                margin: CHAT_EXPORT_PDF_MARGIN,
                 printBackground: true,
                 preferCSSPageSize: true,
             });

package/apps/agents-server/src/utils/createAdminTerminalRouteHandlers.ts

@@ -0,0 +1,264 @@
+import { NextResponse } from 'next/server';
+import { createInteractiveTerminalEventStream } from './createInteractiveTerminalEventStream';
+import { isUserGlobalAdmin } from './isUserGlobalAdmin';
+import type { InteractiveTerminalSessionSubscriber } from './interactiveTerminalSession';
+
+/**
+ * Minimal browser-safe terminal session shape handled by the shared admin API routes.
+ */
+type AdminTerminalRouteSession = {
+    /**
+     * Whether the terminal process is still active.
+     */
+    readonly isRunning: boolean;
+};
+
+/**
+ * Browser stream callbacks accepted by one admin terminal route.
+ */
+type AdminTerminalRouteSubscriber<TSession extends AdminTerminalRouteSession> = {
+    /**
+     * Called whenever the terminal backend emits output.
+     */
+    readonly onOutput: InteractiveTerminalSessionSubscriber['onOutput'];
+
+    /**
+     * Called once the terminal backend exits.
+     */
+    readonly onExit: (event: { readonly type: 'exit'; readonly snapshot: TSession }) => void;
+};
+
+/**
+ * Terminal backend operations provided by each specific admin terminal.
+ */
+type AdminTerminalRouteBackend<TSession extends AdminTerminalRouteSession> = {
+    /**
+     * Returns the latest session for the terminal purpose.
+     */
+    readonly getLatestSession: (request: Request) => Promise<TSession | null> | TSession | null;
+
+    /**
+     * Looks up one session by id.
+     */
+    readonly getSession: (sessionId: string) => Promise<TSession | null> | TSession | null;
+
+    /**
+     * Starts or reconnects to the terminal session.
+     */
+    readonly startSession: (request: Request) => Promise<TSession> | TSession;
+
+    /**
+     * Sends raw input to the terminal session.
+     */
+    readonly writeSessionInput: (sessionId: string, input: string) => Promise<TSession> | TSession;
+
+    /**
+     * Stops one terminal session.
+     */
+    readonly stopSession: (sessionId: string) => Promise<TSession> | TSession;
+
+    /**
+     * Subscribes one browser stream to live terminal events.
+     */
+    readonly subscribeToSession: (
+        sessionId: string,
+        subscriber: AdminTerminalRouteSubscriber<TSession>,
+    ) => (() => void) | null;
+};
+
+/**
+ * User-facing error messages used by the generated terminal route handlers.
+ */
+type AdminTerminalRouteMessages = {
+    /**
+     * Error used when loading the latest session fails.
+     */
+    readonly loadErrorMessage: string;
+
+    /**
+     * Error used when the stream request omits a session id.
+     */
+    readonly missingStreamSessionIdMessage: string;
+
+    /**
+     * Error used when the requested stream session does not exist.
+     */
+    readonly sessionNotFoundMessage: string;
+
+    /**
+     * Error used when starting a session fails.
+     */
+    readonly startErrorMessage: string;
+
+    /**
+     * Error used when the input request is malformed.
+     */
+    readonly missingInputMessage: string;
+
+    /**
+     * Error used when writing input fails.
+     */
+    readonly sendErrorMessage: string;
+
+    /**
+     * Error used when the stop request omits a session id.
+     */
+    readonly missingStopSessionIdMessage: string;
+
+    /**
+     * Error used when stopping a session fails.
+     */
+    readonly stopErrorMessage: string;
+};
+
+/**
+ * Generated Next.js route handlers for one admin terminal endpoint.
+ */
+type AdminTerminalRouteHandlers = {
+    /**
+     * Loads the latest terminal session or streams a specific session.
+     */
+    readonly GET: (request: Request) => Promise<Response>;
+
+    /**
+     * Starts or reconnects to the terminal session.
+     */
+    readonly POST: (request: Request) => Promise<Response>;
+
+    /**
+     * Sends raw input to a running terminal session.
+     */
+    readonly PATCH: (request: Request) => Promise<Response>;
+
+    /**
+     * Stops one terminal session.
+     */
+    readonly DELETE: (request: Request) => Promise<Response>;
+};
+
+/**
+ * Creates consistent admin terminal API handlers for GET/stream, POST, PATCH, and DELETE.
+ *
+ * @param backend - Terminal-specific backend operations.
+ * @param messages - Terminal-specific error messages.
+ * @returns Next.js route handlers ready to export from an API route.
+ */
+export function createAdminTerminalRouteHandlers<TSession extends AdminTerminalRouteSession>(
+    backend: AdminTerminalRouteBackend<TSession>,
+    messages: AdminTerminalRouteMessages,
+): AdminTerminalRouteHandlers {
+    return {
+        async GET(request: Request): Promise<Response> {
+            if (!(await isUserGlobalAdmin())) {
+                return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+            }
+
+            try {
+                const { searchParams } = new URL(request.url);
+                const sessionId = searchParams.get('sessionId')?.trim() || '';
+                const isStreamRequested = searchParams.get('stream') === '1';
+
+                if (isStreamRequested) {
+                    if (!sessionId) {
+                        return NextResponse.json({ error: messages.missingStreamSessionIdMessage }, { status: 400 });
+                    }
+
+                    const session = await backend.getSession(sessionId);
+                    if (!session) {
+                        return NextResponse.json({ error: messages.sessionNotFoundMessage }, { status: 404 });
+                    }
+
+                    return createInteractiveTerminalEventStream(
+                        request,
+                        sessionId,
+                        session,
+                        backend.subscribeToSession,
+                    );
+                }
+
+                return NextResponse.json({
+                    session: await backend.getLatestSession(request),
+                });
+            } catch (error) {
+                return createAdminTerminalErrorResponse(error, messages.loadErrorMessage);
+            }
+        },
+
+        async POST(request: Request): Promise<Response> {
+            if (!(await isUserGlobalAdmin())) {
+                return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+            }
+
+            try {
+                return NextResponse.json({
+                    session: await backend.startSession(request),
+                });
+            } catch (error) {
+                return createAdminTerminalErrorResponse(error, messages.startErrorMessage);
+            }
+        },
+
+        async PATCH(request: Request): Promise<Response> {
+            if (!(await isUserGlobalAdmin())) {
+                return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+            }
+
+            try {
+                const body = (await request.json().catch(() => null)) as
+                    | {
+                          readonly sessionId?: string;
+                          readonly input?: string;
+                      }
+                    | null;
+
+                if (!body?.sessionId || typeof body.input !== 'string') {
+                    return NextResponse.json({ error: messages.missingInputMessage }, { status: 400 });
+                }
+
+                return NextResponse.json({
+                    session: await backend.writeSessionInput(body.sessionId, body.input),
+                });
+            } catch (error) {
+                return createAdminTerminalErrorResponse(error, messages.sendErrorMessage);
+            }
+        },
+
+        async DELETE(request: Request): Promise<Response> {
+            if (!(await isUserGlobalAdmin())) {
+                return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+            }
+
+            try {
+                const body = (await request.json().catch(() => null)) as
+                    | {
+                          readonly sessionId?: string;
+                      }
+                    | null;
+
+                if (!body?.sessionId) {
+                    return NextResponse.json({ error: messages.missingStopSessionIdMessage }, { status: 400 });
+                }
+
+                return NextResponse.json({
+                    session: await backend.stopSession(body.sessionId),
+                });
+            } catch (error) {
+                return createAdminTerminalErrorResponse(error, messages.stopErrorMessage);
+            }
+        },
+    };
+}
+
+/**
+ * Converts one thrown backend failure into a consistent JSON error response.
+ *
+ * @param error - Thrown backend error.
+ * @param fallbackMessage - Message used when the thrown value is not an `Error`.
+ * @returns JSON error response.
+ */
+function createAdminTerminalErrorResponse(error: unknown, fallbackMessage: string): Response {
+    return NextResponse.json(
+        { error: error instanceof Error ? error.message : fallbackMessage },
+        { status: 500 },
+    );
+}

package/apps/agents-server/src/utils/shareTargetPayloads.ts

@@ -2,12 +2,12 @@ import { $getTableName } from '@/src/database/$getTableName';
 import { $provideSupabaseForServer } from '@/src/database/$provideSupabaseForServer';
 import type { Json } from '@/src/database/schema';
 import { FILE_SECURITY_CHECKERS } from '@/src/file-security-checkers';
+import { $provideCdnForServer } from '@/src/tools/$provideCdnForServer';
 import { $provideServer } from '@/src/tools/$provideServer';
 import { getUserFileCdnKey } from '@/src/utils/cdn/utils/getUserFileCdnKey';
 import { validateMimeType } from '@/src/utils/validators/validateMimeType';
 import { normalizeChatAttachments } from '@promptbook-local/core';
 import type { TODO_any } from '@promptbook-local/types';
-import { put } from '@vercel/blob';
 import { after } from 'next/server';
 import { spaceTrim } from 'spacetrim';
 import { DatabaseError } from '../../../../src/errors/DatabaseError';
@@ -231,12 +231,14 @@ async function createShareTargetAttachment(file: File, maxFileUploadBytes: numbe
 
     const mimeType = resolveShareTargetMimeType(file.type);
     const blobPath = getUserFileCdnKey(buffer, normalizedFilename);
-    const uploadedBlob = await put(blobPath, buffer, {
-        access: 'public',
-        addRandomSuffix: false,
-        allowOverwrite: true,
-        contentType: mimeType,
-        token: process.env.VERCEL_BLOB_READ_WRITE_TOKEN!,
+    const cdn = $provideCdnForServer();
+    const storageUrl = cdn.getItemUrl(blobPath).href;
+
+    await cdn.setItem(blobPath, {
+        type: mimeType,
+        data: buffer,
+        purpose: SHARE_TARGET_FILE_PURPOSE,
+        fileSize: buffer.byteLength,
     }).catch((error) => {
         throw new DatabaseError(
             spaceTrim(`
@@ -246,75 +248,26 @@ async function createShareTargetAttachment(file: File, maxFileUploadBytes: numbe
             `),
         );
     });
-    const fileRecordId = await insertShareTargetFileRecord({
-        fileName: normalizedFilename,
-        fileSize: buffer.byteLength,
-        fileType: mimeType,
-        storageUrl: uploadedBlob.url,
-    });
 
-    if (fileRecordId !== null) {
-        after(() =>
-            populateShareTargetFileSecurityResult({
-                fileId: fileRecordId,
-                storageUrl: uploadedBlob.url,
-            }).catch((error) => {
-                console.error('[share-target] Failed to finalize file security result', error);
-            }),
-        );
-    }
+    after(() =>
+        populateShareTargetFileSecurityResult({
+            storageUrl,
+        }).catch((error) => {
+            console.error('[share-target] Failed to finalize file security result', error);
+        }),
+    );
 
     return {
         name: normalizedFilename,
         type: mimeType,
-        url: uploadedBlob.url,
+        url: storageUrl,
     };
 }
 
-/**
- * Inserts one admin-visible file row for a shared attachment.
- */
-async function insertShareTargetFileRecord(options: {
-    fileName: string;
-    fileSize: number;
-    fileType: string;
-    storageUrl: string;
-}): Promise<number | null> {
-    try {
-        const supabase = $provideSupabaseForServer() as TODO_any;
-        const fileTableName = await $getTableName('File');
-        const { data, error } = await supabase
-            .from(fileTableName)
-            .insert({
-                fileName: options.fileName,
-                fileSize: options.fileSize,
-                fileType: options.fileType,
-                storageUrl: options.storageUrl,
-                shortUrl: null,
-                purpose: SHARE_TARGET_FILE_PURPOSE,
-                status: 'COMPLETED',
-                agentId: null,
-                securityResult: null,
-            })
-            .select('id')
-            .maybeSingle();
-
-        if (error) {
-            console.error('[share-target] Failed to store uploaded file metadata', error);
-            return null;
-        }
-
-        return typeof data?.id === 'number' ? data.id : null;
-    } catch (error) {
-        console.error('[share-target] Failed to insert shared file metadata', error);
-        return null;
-    }
-}
-
 /**
  * Populates best-effort file-security results after the share redirect has already returned.
  */
-async function populateShareTargetFileSecurityResult(options: { fileId: number; storageUrl: string }): Promise<void> {
+async function populateShareTargetFileSecurityResult(options: { storageUrl: string }): Promise<void> {
     const securityResult: Record<string, unknown> = {};
 
     for (const checkerId of Object.keys(FILE_SECURITY_CHECKERS)) {
@@ -342,7 +295,7 @@ async function populateShareTargetFileSecurityResult(options: { fileId: number;
         .update({
             securityResult,
         })
-        .eq('id', options.fileId);
+        .eq('storageUrl', options.storageUrl);
 
     if (error) {
         throw new DatabaseError(