@promptbook/cli 0.112.0-137 → 0.112.0-138
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/apps/agents-server/README.md +6 -0
- package/apps/agents-server/env-manual/GITHUB_APP.md +1 -1
- package/apps/agents-server/playwright.config.ts +2 -0
- package/apps/agents-server/src/utils/userChat/resolveUserChatWorkerInternalToken.ts +63 -9
- package/apps/agents-server/src/utils/vpsConfiguration.ts +2 -0
- package/esm/index.es.js +3 -1
- package/esm/index.es.js.map +1 -1
- package/esm/src/commitments/_common/teamInternalAgentAccess.d.ts +9 -1
- package/esm/src/version.d.ts +1 -1
- package/package.json +1 -1
- package/src/cli/cli-commands/agents-server/ensureAgentsServerEnvFile.ts +2 -0
- package/src/commitments/_common/teamInternalAgentAccess.ts +10 -5
- package/src/other/templates/getTemplatesPipelineCollection.ts +854 -760
- package/src/version.ts +2 -2
- package/src/versions.txt +1 -0
- package/umd/index.umd.js +3 -1
- package/umd/index.umd.js.map +1 -1
- package/umd/src/commitments/_common/teamInternalAgentAccess.d.ts +9 -1
- package/umd/src/version.d.ts +1 -1
|
@@ -44,6 +44,12 @@ ptbk agents-server start --harness github-copilot --model gpt-5.4 --thinking-lev
|
|
|
44
44
|
<a id="agents-server-env-session-secret"></a>
|
|
45
45
|
- `SESSION_SECRET`: HMAC signing key used to sign the session cookie. Must be set explicitly in production — the server refuses to start session signing when missing instead of falling back to a hardcoded default. Use a long random string, for example the output of `openssl rand -hex 32`. Keep it separate from `ADMIN_PASSWORD` so a leak of either credential cannot forge the other.
|
|
46
46
|
|
|
47
|
+
<a id="agents-server-env-ptbk-agents-server-user-chat-worker-token"></a>
|
|
48
|
+
- `PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN`: Shared internal token used to authorize background worker routes (`/api/internal/user-chat-jobs/run`, `/api/internal/user-chat-timeouts/run`, and `/api/internal/agent-runner-limits`). Must be set explicitly in production — the server refuses to resolve the worker token when missing instead of falling back to `ADMIN_PASSWORD`, `SUPABASE_SERVICE_ROLE_KEY`, or a hardcoded constant. Use a long random string, for example the output of `openssl rand -hex 32`. The CLI launcher (`ptbk agents-server start`) generates a per-process value automatically when the variable is empty so local development works without configuration.
|
|
49
|
+
|
|
50
|
+
<a id="agents-server-env-promptbook-team-agent-access-token"></a>
|
|
51
|
+
- `PROMPTBOOK_TEAM_AGENT_ACCESS_TOKEN`: Dedicated secret used by same-server `TEAM` calls to authorize access to private teammate agents. Must be a dedicated random string — falling back to `ADMIN_PASSWORD` or `SUPABASE_SERVICE_ROLE_KEY` would let a leak of one credential compromise both authentication boundaries. When not configured, same-server team access stays disabled (the integration fails closed) so leaving the variable empty is safe but disables the feature. Use a long random string, for example the output of `openssl rand -hex 32`.
|
|
52
|
+
|
|
47
53
|
## Creating servers
|
|
48
54
|
|
|
49
55
|
When creating new Agents server, search across the repository for [☁]
|
|
@@ -32,7 +32,7 @@ GitHub App configuration now lives in **Metadata** so you can customize it per s
|
|
|
32
32
|
- **GITHUB_APP_ID** – numeric GitHub App ID from the app settings.
|
|
33
33
|
- **GITHUB_APP_SLUG** – slug used in `https://github.com/apps/<slug>`.
|
|
34
34
|
- **GITHUB_APP_PRIVATE_KEY** – PEM-encoded private key. Replace literal newlines with `\n` when editing through the UI and keep the `BEGIN/END` markers.
|
|
35
|
-
- **GITHUB_APP_STATE_SECRET** (optional, recommended) – random string used to sign OAuth/connect state.
|
|
35
|
+
- **GITHUB_APP_STATE_SECRET** (optional, recommended) – random string used to sign OAuth/connect state.
|
|
36
36
|
|
|
37
37
|
The values stored in Metadata override any legacy `.env` entries and can differ per server host.
|
|
38
38
|
|
|
@@ -27,6 +27,8 @@ const APP_URL = `http://127.0.0.1:${APP_PORT}`;
|
|
|
27
27
|
const APP_E2E_ENV = {
|
|
28
28
|
ADMIN_PASSWORD: 'e2e-admin-password',
|
|
29
29
|
SESSION_SECRET: 'e2e-session-secret-must-differ-from-admin-password',
|
|
30
|
+
PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN: 'e2e-user-chat-worker-token-must-differ-from-admin-password',
|
|
31
|
+
PROMPTBOOK_TEAM_AGENT_ACCESS_TOKEN: 'e2e-team-agent-access-token-must-differ-from-admin-password',
|
|
30
32
|
NEXT_DIST_DIR: '.next-e2e',
|
|
31
33
|
NEXT_PUBLIC_SITE_URL: APP_URL,
|
|
32
34
|
PTBK_AGENTS_SERVER_DATABASE: 'supabase',
|
|
@@ -1,18 +1,72 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { randomBytes } from 'crypto';
|
|
2
|
+
import { spaceTrim } from 'spacetrim';
|
|
3
|
+
import { EnvironmentMismatchError } from '../../../../../src/errors/EnvironmentMismatchError';
|
|
4
|
+
|
|
5
|
+
/**
|
|
6
|
+
* Cached internal worker token resolved from `PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN` on first use.
|
|
7
|
+
*
|
|
8
|
+
* Computed lazily so module imports never fail eagerly at build time and the
|
|
9
|
+
* environment can still be configured before the first internal worker request.
|
|
10
|
+
*
|
|
11
|
+
* @private internal cache of `resolveUserChatWorkerInternalToken`
|
|
12
|
+
*/
|
|
13
|
+
let resolvedUserChatWorkerInternalToken: string | null = null;
|
|
2
14
|
|
|
3
15
|
/**
|
|
4
16
|
* Resolves the shared internal token used to protect background worker routes.
|
|
17
|
+
*
|
|
18
|
+
* In production, `PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN` must be configured
|
|
19
|
+
* explicitly — falling back to any shared credential (in particular
|
|
20
|
+
* `ADMIN_PASSWORD` or `SUPABASE_SERVICE_ROLE_KEY`) or a hardcoded literal would
|
|
21
|
+
* let anyone who learns that value (or computes its publicly-known hash) drive
|
|
22
|
+
* internal worker jobs at will. Outside production, a per-process random token
|
|
23
|
+
* is generated on first use so local development works without configuration
|
|
24
|
+
* while still rejecting unsafe shared fallbacks.
|
|
25
|
+
*
|
|
26
|
+
* @returns Shared internal worker token.
|
|
27
|
+
* @throws {EnvironmentMismatchError} When the environment variable is missing in production.
|
|
28
|
+
*
|
|
29
|
+
* @private internal utility of Agents Server
|
|
5
30
|
*/
|
|
6
31
|
export function resolveUserChatWorkerInternalToken(): string {
|
|
7
|
-
if (
|
|
8
|
-
return
|
|
32
|
+
if (resolvedUserChatWorkerInternalToken !== null) {
|
|
33
|
+
return resolvedUserChatWorkerInternalToken;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
const configuredToken = process.env.PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN?.trim();
|
|
37
|
+
if (configuredToken) {
|
|
38
|
+
resolvedUserChatWorkerInternalToken = configuredToken;
|
|
39
|
+
return resolvedUserChatWorkerInternalToken;
|
|
9
40
|
}
|
|
10
41
|
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
42
|
+
if (process.env.NODE_ENV === 'production') {
|
|
43
|
+
throw new EnvironmentMismatchError(
|
|
44
|
+
spaceTrim(`
|
|
45
|
+
Missing required \`PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN\` environment variable in production.
|
|
46
|
+
|
|
47
|
+
The Agents Server protects its internal worker routes
|
|
48
|
+
(\`/api/internal/user-chat-jobs/run\`,
|
|
49
|
+
\`/api/internal/user-chat-timeouts/run\`, and
|
|
50
|
+
\`/api/internal/agent-runner-limits\`) with this shared token.
|
|
51
|
+
Reusing \`ADMIN_PASSWORD\`, \`SUPABASE_SERVICE_ROLE_KEY\`, or a
|
|
52
|
+
hardcoded fallback would let anyone who learns that value drive
|
|
53
|
+
background jobs at will.
|
|
54
|
+
|
|
55
|
+
**Fix:** set \`PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN\` to a long
|
|
56
|
+
random string (for example the output of \`openssl rand -hex 32\`)
|
|
57
|
+
in the deployment environment and restart the server.
|
|
58
|
+
`),
|
|
59
|
+
);
|
|
60
|
+
}
|
|
16
61
|
|
|
17
|
-
|
|
62
|
+
resolvedUserChatWorkerInternalToken = randomBytes(32).toString('hex');
|
|
63
|
+
console.warn(
|
|
64
|
+
spaceTrim(`
|
|
65
|
+
\`PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN\` is not configured — generated
|
|
66
|
+
a random per-process internal worker token for this non-production run.
|
|
67
|
+
Pending internal worker invocations will be invalidated on every restart
|
|
68
|
+
until \`PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN\` is set.
|
|
69
|
+
`),
|
|
70
|
+
);
|
|
71
|
+
return resolvedUserChatWorkerInternalToken;
|
|
18
72
|
}
|
|
@@ -23,6 +23,8 @@ export const VPS_ENVIRONMENT_VARIABLE_KEYS = [
|
|
|
23
23
|
'NEXT_PUBLIC_SITE_URL',
|
|
24
24
|
'ADMIN_PASSWORD',
|
|
25
25
|
'SESSION_SECRET',
|
|
26
|
+
'PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN',
|
|
27
|
+
'PROMPTBOOK_TEAM_AGENT_ACCESS_TOKEN',
|
|
26
28
|
'OPENAI_API_KEY',
|
|
27
29
|
'PTBK_HARNESS',
|
|
28
30
|
'PTBK_MODEL',
|
package/esm/index.es.js
CHANGED
|
@@ -59,7 +59,7 @@ const BOOK_LANGUAGE_VERSION = '2.0.0';
|
|
|
59
59
|
* @generated
|
|
60
60
|
* @see https://github.com/webgptorg/promptbook
|
|
61
61
|
*/
|
|
62
|
-
const PROMPTBOOK_ENGINE_VERSION = '0.112.0-
|
|
62
|
+
const PROMPTBOOK_ENGINE_VERSION = '0.112.0-138';
|
|
63
63
|
/**
|
|
64
64
|
* TODO: string_promptbook_version should be constrained to the all versions of Promptbook engine
|
|
65
65
|
* Note: [💞] Ignore a discrepancy between file name and entity name
|
|
@@ -2671,6 +2671,8 @@ const REQUIRED_AGENTS_SERVER_ENV_VARIABLES = [
|
|
|
2671
2671
|
createAgentsServerEnvVariable('SUPABASE_SERVICE_ROLE_KEY', ''),
|
|
2672
2672
|
createAgentsServerEnvVariable('SUPABASE_AUTO_MIGRATE', 'true'),
|
|
2673
2673
|
createAgentsServerEnvVariable('ADMIN_PASSWORD', ''),
|
|
2674
|
+
createAgentsServerEnvVariable('PTBK_AGENTS_SERVER_USER_CHAT_WORKER_TOKEN', ''),
|
|
2675
|
+
createAgentsServerEnvVariable('PROMPTBOOK_TEAM_AGENT_ACCESS_TOKEN', ''),
|
|
2674
2676
|
];
|
|
2675
2677
|
/**
|
|
2676
2678
|
* Ensures `.env` contains all required Agents Server configuration entries.
|