npm - @promptbook/cli - Versions diffs - 0.112.0-96 → 0.112.0-98 - Mend

@promptbook/cli 0.112.0-96 → 0.112.0-98

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/apps/agents-server/src/utils/serverManagement/standaloneVpsServerMetadata.ts ADDED Viewed

@@ -0,0 +1,145 @@
+import type { SupabaseClient } from '@supabase/supabase-js';
+import { spaceTrim } from 'spacetrim';
+import { DatabaseError } from '../../../../../src/errors/DatabaseError';
+import { $provideSupabaseForServer } from '../../database/$provideSupabaseForServer';
+import type { ServerRecord } from '../serverRegistry';
+/**
+ * Metadata key storing the human-facing server name.
+ *
+ * @private constant of standalone VPS server management.
+ */
+const SERVER_NAME_METADATA_KEY = 'SERVER_NAME';
+/**
+ * Metadata keys that use the uploaded server icon.
+ *
+ * @private constant of standalone VPS server management.
+ */
+const SERVER_ICON_METADATA_KEYS = ['SERVER_LOGO_URL', 'SERVER_FAVICON_URL'] as const;
+/**
+ * Minimal metadata row used by standalone VPS server setup.
+ *
+ * @private type of standalone VPS server management.
+ */
+type StandaloneVpsMetadataRow = {
+    /**
+     * Metadata key.
+     */
+    readonly key: string;
+    /**
+     * Metadata value.
+     */
+    readonly value: string;
+    /**
+     * Optional admin-facing note.
+     */
+    readonly note: string | null;
+    /**
+     * Last update timestamp.
+     */
+    readonly updatedAt: string;
+};
+/**
+ * Applies visible standalone VPS setup values into the prefixed metadata table.
+ *
+ * @param input - Server prefix and optional metadata values.
+ *
+ * @private internal standalone VPS server management helper.
+ */
+export async function applyStandaloneVpsServerMetadata(input: {
+    readonly tablePrefix: string;
+    readonly name?: string | null;
+    readonly iconUrl?: string | null;
+}): Promise<void> {
+    const metadataRows = createStandaloneVpsMetadataRows(input);
+    if (metadataRows.length === 0) {
+        return;
+    }
+    const metadataTableName = `${input.tablePrefix}Metadata`;
+    const supabase = $provideSupabaseForServer() as SupabaseClient;
+    const { error } = await supabase.from(metadataTableName).upsert([...metadataRows], {
+        onConflict: 'key',
+    });
+    if (error) {
+        throw new DatabaseError(
+            spaceTrim(`
+                Failed to update standalone VPS server metadata.
+                ${error.message}
+            `),
+        );
+    }
+}
+/**
+ * Resolves the configured display name for a standalone VPS virtual server.
+ *
+ * @param server - Virtual server row derived from the `SERVERS` environment variable.
+ * @returns Metadata server name or the virtual row name when metadata is missing.
+ *
+ * @private internal standalone VPS server management helper.
+ */
+export async function resolveStandaloneVpsServerDisplayName(server: ServerRecord): Promise<string> {
+    const metadataTableName = `${server.tablePrefix}Metadata`;
+    const supabase = $provideSupabaseForServer() as SupabaseClient;
+    const { data, error } = await supabase
+        .from(metadataTableName)
+        .select('value')
+        .eq('key', SERVER_NAME_METADATA_KEY)
+        .maybeSingle<{ readonly value: string | null }>();
+    if (error) {
+        return server.name;
+    }
+    const metadataName = typeof data?.value === 'string' ? data.value.trim() : '';
+    return metadataName || server.name;
+}
+/**
+ * Creates metadata rows from visible setup fields.
+ *
+ * @param input - Raw setup values.
+ * @returns Metadata rows ready for upsert.
+ *
+ * @private function of standalone VPS server management.
+ */
+function createStandaloneVpsMetadataRows(input: {
+    readonly name?: string | null;
+    readonly iconUrl?: string | null;
+}): ReadonlyArray<StandaloneVpsMetadataRow> {
+    const updatedAt = new Date().toISOString();
+    const rows: Array<StandaloneVpsMetadataRow> = [];
+    const name = typeof input.name === 'string' ? input.name.trim() : '';
+    const iconUrl = typeof input.iconUrl === 'string' ? input.iconUrl.trim() : '';
+    if (name) {
+        rows.push({
+            key: SERVER_NAME_METADATA_KEY,
+            value: name,
+            note: null,
+            updatedAt,
+        });
+    }
+    if (iconUrl) {
+        for (const key of SERVER_ICON_METADATA_KEYS) {
+            rows.push({
+                key,
+                value: iconUrl,
+                note: null,
+                updatedAt,
+            });
+        }
+    }
+    return rows;
+}

package/apps/agents-server/src/utils/serverRegistry.ts CHANGED Viewed

@@ -171,13 +171,14 @@ export async function listRegisteredServersUsingServiceRole(options?: {
 /**
  * Loads virtual server records from the comma-separated `SERVERS` environment variable.
  *
- * @returns Server records with deterministic table prefixes derived from normalized domains.
+ * @returns Server records with deterministic table prefixes from the configured server prefix or normalized domains.
  */
 export function listEnvironmentRegisteredServers(): Array<ServerRecord> {
     const rawServers = process.env[SERVERS_ENV_NAME];
     if (!rawServers) {
         return [];
     }
+    const configuredTablePrefix = process.env.SUPABASE_TABLE_PREFIX?.trim() || '';
     const normalizedDomains = uniqueStrings(
         rawServers
@@ -191,7 +192,7 @@ export function listEnvironmentRegisteredServers(): Array<ServerRecord> {
         name: domain,
         environment: SERVER_ENVIRONMENT.PRODUCTION,
         domain,
-        tablePrefix: buildEnvironmentServerTablePrefix(domain),
+        tablePrefix: configuredTablePrefix || buildEnvironmentServerTablePrefix(domain),
         createdAt: ENVIRONMENT_SERVER_TIMESTAMP,
         updatedAt: ENVIRONMENT_SERVER_TIMESTAMP,
     }));

package/apps/agents-server/src/utils/session.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 import { createHmac } from 'crypto';
 import { cookies, headers } from 'next/headers';
 import { cache } from 'react';
+import { isStandaloneVpsRawIpBootstrapActive } from './standaloneVpsRawIpBootstrap';
+import { writeShibbolethAuthenticationLog } from './shibboleth/writeShibbolethAuthenticationLog';
 /**
  * Cookie name used to store the signed user session.
@@ -50,6 +52,10 @@ export type SessionCookieSecurityContext = {
      * Raw forwarded protocol header emitted by the reverse proxy.
      */
     readonly forwardedProto: string | null;
+    /**
+     * Canonical public site URL from `NEXT_PUBLIC_SITE_URL`.
+     */
+    readonly nextPublicSiteUrl: string | null | undefined;
     /**
      * Comma-separated configured domain list from `SERVERS`.
      */
@@ -121,7 +127,13 @@ export function shouldUseSecureSessionCookieForRequest(context: SessionCookieSec
         return false;
     }
-    if (parseConfiguredServers(context.configuredServers).length > 0) {
+    if (
+        parseConfiguredServers(context.configuredServers).length > 0 &&
+        !isStandaloneVpsRawIpBootstrapActive({
+            nextPublicSiteUrl: context.nextPublicSiteUrl,
+            publicIpAddress: context.publicIpAddress,
+        })
+    ) {
         return true;
     }
@@ -150,9 +162,17 @@ export function shouldUseSecureSessionCookieForRequest(context: SessionCookieSec
  */
 export async function setSession(user: SessionUser) {
     const token = serializeSessionToken(user);
-    const secure = await shouldUseSecureSessionCookie();
+    const headerStore = await headers();
+    const cookieStore = await cookies();
+    const secure = shouldUseSecureSessionCookieForHeaders(headerStore);
-    (await cookies()).set(SESSION_COOKIE_NAME, token, {
+    writeShibbolethAuthenticationLog(headerStore, {
+        event: 'session-set',
+        hasSessionCookie: cookieStore.has(SESSION_COOKIE_NAME),
+        isSecureSessionCookie: secure,
+    });
+    cookieStore.set(SESSION_COOKIE_NAME, token, {
         httpOnly: true,
         secure,
         path: '/',
@@ -164,9 +184,17 @@ export async function setSession(user: SessionUser) {
  * Clears the current authenticated session cookie.
  */
 export async function clearSession() {
-    (await cookies()).delete(SESSION_COOKIE_NAME);
+    const headerStore = await headers();
+    const cookieStore = await cookies();
+    writeShibbolethAuthenticationLog(headerStore, {
+        event: 'session-cleared',
+        hasSessionCookie: cookieStore.has(SESSION_COOKIE_NAME),
+    });
+    cookieStore.delete(SESSION_COOKIE_NAME);
     // Also clear legacy adminToken
-    (await cookies()).delete('adminToken');
+    cookieStore.delete('adminToken');
 }
 /**
@@ -189,18 +217,18 @@ export async function getSession(): Promise<SessionUser | null> {
 }
 /**
- * Resolves the runtime cookie security decision from the current request headers.
+ * Resolves the runtime cookie security decision from one request header snapshot.
  *
+ * @param headerStore - Request headers from the active request.
  * @returns `true` when the session cookie should keep the `Secure` flag.
  */
-async function shouldUseSecureSessionCookie(): Promise<boolean> {
-    const headerStore = await headers();
+function shouldUseSecureSessionCookieForHeaders(headerStore: Pick<Headers, 'get'>): boolean {
     return shouldUseSecureSessionCookieForRequest({
         isProduction: process.env.NODE_ENV === 'production',
         host: headerStore.get('host'),
         forwardedHost: headerStore.get('x-forwarded-host'),
         forwardedProto: headerStore.get('x-forwarded-proto'),
+        nextPublicSiteUrl: process.env.NEXT_PUBLIC_SITE_URL,
         configuredServers: process.env.SERVERS,
         publicIpAddress: process.env.PTBK_PUBLIC_IP_ADDRESS,
     });

package/apps/agents-server/src/utils/shibboleth/createShibbolethAuthenticationLogPayload.ts ADDED Viewed

@@ -0,0 +1,173 @@
+/**
+ * Minimal read-only header accessor shared by middleware, route handlers, and server utilities.
+ *
+ * @private Internal helper of the Shibboleth authentication diagnostics.
+ */
+export type ReadonlyHeadersLike = Pick<Headers, 'get'>;
+/**
+ * One resolved Shibboleth-related attribute included in the diagnostic payload.
+ *
+ * @private Internal helper of the Shibboleth authentication diagnostics.
+ */
+export type ShibbolethAuthenticationLogAttribute = {
+    readonly fieldName: string;
+    readonly headerName: string;
+    readonly fingerprint: string;
+    readonly valueLength: number;
+};
+/**
+ * Structured, privacy-preserving diagnostic payload for one Shibboleth-related request event.
+ *
+ * @private Internal helper of the Agents Server authentication diagnostics.
+ */
+export type ShibbolethAuthenticationLogPayload = {
+    readonly event: string;
+    readonly pathname?: string;
+    readonly method?: string;
+    readonly hasSessionCookie?: boolean;
+    readonly isSecureSessionCookie?: boolean;
+    readonly headerNames: ReadonlyArray<string>;
+    readonly attributeFields: ReadonlyArray<string>;
+    readonly attributes: ReadonlyArray<ShibbolethAuthenticationLogAttribute>;
+};
+/**
+ * Context describing where the Shibboleth diagnostic event happened.
+ *
+ * @private Internal helper of the Shibboleth authentication diagnostics.
+ */
+export type CreateShibbolethAuthenticationLogPayloadOptions = {
+    readonly event: string;
+    readonly pathname?: string;
+    readonly method?: string;
+    readonly hasSessionCookie?: boolean;
+    readonly isSecureSessionCookie?: boolean;
+};
+type ShibbolethHeaderDefinition = {
+    readonly fieldName: string;
+    readonly headerNames: ReadonlyArray<string>;
+};
+const SHIBBOLETH_HEADER_DEFINITIONS: ReadonlyArray<ShibbolethHeaderDefinition> = [
+    { fieldName: 'sessionId', headerNames: ['shib-session-id', 'x-shib-session-id'] },
+    { fieldName: 'sessionIndex', headerNames: ['shib-session-index', 'x-shib-session-index'] },
+    { fieldName: 'sessionExpires', headerNames: ['shib-session-expires', 'x-shib-session-expires'] },
+    { fieldName: 'applicationId', headerNames: ['shib-application-id', 'x-shib-application-id'] },
+    { fieldName: 'remoteUser', headerNames: ['remote-user', 'x-remote-user'] },
+    { fieldName: 'displayName', headerNames: ['displayname', 'x-displayname'] },
+    { fieldName: 'mail', headerNames: ['mail', 'x-mail'] },
+    { fieldName: 'unstructuredName', headerNames: ['unstructuredname', 'x-unstructuredname'] },
+    {
+        fieldName: 'eduPersonPrincipalName',
+        headerNames: ['edupersonprincipalname', 'eppn', 'x-edupersonprincipalname', 'x-eppn'],
+    },
+    { fieldName: 'persistentId', headerNames: ['persistent-id', 'x-persistent-id'] },
+    { fieldName: 'nameId', headerNames: ['name-id', 'x-name-id'] },
+];
+/**
+ * Builds a privacy-preserving Shibboleth diagnostic payload from incoming request headers.
+ *
+ * Only the presence of relevant headers plus short fingerprints of their values are logged,
+ * never the raw personally identifiable header contents.
+ *
+ * @param headers - Request headers or another read-only header accessor.
+ * @param options - Event metadata describing where the diagnostic event originated.
+ * @returns Structured log payload, or `null` when the request does not look Shibboleth-related.
+ *
+ * @private Internal helper of the Agents Server authentication diagnostics.
+ */
+export function createShibbolethAuthenticationLogPayload(
+    headers: ReadonlyHeadersLike,
+    options: CreateShibbolethAuthenticationLogPayloadOptions,
+): ShibbolethAuthenticationLogPayload | null {
+    const attributes = SHIBBOLETH_HEADER_DEFINITIONS.map((definition) => resolveShibbolethHeader(headers, definition)).filter(
+        (attribute): attribute is ShibbolethAuthenticationLogAttribute => attribute !== null,
+    );
+    if (attributes.length === 0) {
+        return null;
+    }
+    return {
+        event: options.event,
+        pathname: options.pathname,
+        method: options.method,
+        hasSessionCookie: options.hasSessionCookie,
+        isSecureSessionCookie: options.isSecureSessionCookie,
+        headerNames: attributes.map(({ headerName }) => headerName),
+        attributeFields: attributes.map(({ fieldName }) => fieldName),
+        attributes,
+    };
+}
+/**
+ * Resolves one Shibboleth attribute from any of its expected header aliases.
+ *
+ * @param headers - Request header accessor.
+ * @param definition - Logical Shibboleth field with supported header aliases.
+ * @returns Sanitized attribute snapshot or `null` when absent.
+ */
+function resolveShibbolethHeader(
+    headers: ReadonlyHeadersLike,
+    definition: ShibbolethHeaderDefinition,
+): ShibbolethAuthenticationLogAttribute | null {
+    for (const headerName of definition.headerNames) {
+        const rawValue = headers.get(headerName);
+        const value = normalizeHeaderValue(rawValue);
+        if (!value) {
+            continue;
+        }
+        return {
+            fieldName: definition.fieldName,
+            headerName,
+            fingerprint: createHeaderValueFingerprint(value),
+            valueLength: value.length,
+        };
+    }
+    return null;
+}
+/**
+ * Normalizes one header value before diagnostic processing.
+ *
+ * @param value - Raw header value.
+ * @returns Trimmed non-empty value or `null`.
+ */
+function normalizeHeaderValue(value: string | null): string | null {
+    const normalizedValue = value?.trim() || '';
+    return normalizedValue === '' ? null : normalizedValue;
+}
+/**
+ * Creates a short stable fingerprint so logs can correlate the same identity/session
+ * without storing the raw Shibboleth attribute value.
+ *
+ * @param value - Raw Shibboleth header value.
+ * @returns Short deterministic fingerprint.
+ */
+function createHeaderValueFingerprint(value: string): string {
+    let hashPrimary = 0xdeadbeef ^ value.length;
+    let hashSecondary = 0x41c6ce57 ^ value.length;
+    for (const character of value) {
+        const codePoint = character.codePointAt(0) || 0;
+        hashPrimary = Math.imul(hashPrimary ^ codePoint, 2654435761);
+        hashSecondary = Math.imul(hashSecondary ^ codePoint, 1597334677);
+    }
+    hashPrimary =
+        Math.imul(hashPrimary ^ (hashPrimary >>> 16), 2246822507) ^ Math.imul(hashSecondary ^ (hashSecondary >>> 13), 3266489909);
+    hashSecondary =
+        Math.imul(hashSecondary ^ (hashSecondary >>> 16), 2246822507) ^
+        Math.imul(hashPrimary ^ (hashPrimary >>> 13), 3266489909);
+    const combinedHash = 4294967296 * (2097151 & hashSecondary) + (hashPrimary >>> 0);
+    return combinedHash.toString(16).padStart(14, '0').slice(0, 12);
+}

package/apps/agents-server/src/utils/shibboleth/writeShibbolethAuthenticationLog.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import {
+    createShibbolethAuthenticationLogPayload,
+    type CreateShibbolethAuthenticationLogPayloadOptions,
+    type ReadonlyHeadersLike,
+} from './createShibbolethAuthenticationLogPayload';
+/**
+ * Writes one sanitized Shibboleth diagnostic event to the application logs when
+ * the current request carries Shibboleth-related headers.
+ *
+ * @param headers - Request headers or another read-only header accessor.
+ * @param options - Event metadata describing where the diagnostic event originated.
+ *
+ * @private Internal helper of the Agents Server authentication diagnostics.
+ */
+export function writeShibbolethAuthenticationLog(
+    headers: ReadonlyHeadersLike,
+    options: CreateShibbolethAuthenticationLogPayloadOptions,
+): void {
+    const payload = createShibbolethAuthenticationLogPayload(headers, options);
+    if (!payload) {
+        return;
+    }
+    console.info(`[auth][shibboleth] ${JSON.stringify(payload)}`);
+}