@tuturuuu/ai 0.0.10

package/src/tools/executors/helpers/encryption.ts

@@ -0,0 +1,107 @@
+/**
+ * Shared encryption/decryption helpers for AI tool executors.
+ *
+ * Uses dynamic imports to avoid pulling server-only modules into the
+ * `packages/ai` dependency graph at build time. This mirrors the pattern
+ * used by the image generation tool for `createAdminClient`.
+ */
+
+type CalendarEventRow = {
+  id: string;
+  title: string;
+  description?: string;
+  location?: string | null;
+  is_encrypted?: boolean;
+  [key: string]: unknown;
+};
+
+/**
+ * Retrieve the workspace encryption key (read-only).
+ * Returns `null` when E2EE is not configured for the workspace.
+ */
+export async function getWorkspaceKeyForTools(
+  wsId: string
+): Promise<Buffer | null> {
+  try {
+    const { isEncryptionEnabled, getMasterKey, decryptWorkspaceKey } =
+      await import('@tuturuuu/utils/encryption');
+
+    if (!isEncryptionEnabled()) return null;
+
+    const { createAdminClient } = await import(
+      '@tuturuuu/supabase/next/server'
+    );
+    const sbAdmin = await createAdminClient();
+    const masterKey = getMasterKey();
+
+    const { data, error } = await sbAdmin
+      .from('workspace_encryption_keys')
+      .select('encrypted_key')
+      .eq('ws_id', wsId)
+      .maybeSingle();
+
+    if (error || !data) return null;
+
+    return await decryptWorkspaceKey(
+      (data as { encrypted_key: string }).encrypted_key,
+      masterKey
+    );
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Decrypt an array of calendar events in-place if any are encrypted.
+ */
+export async function decryptEventsForTools<T extends CalendarEventRow>(
+  events: T[],
+  wsId: string
+): Promise<T[]> {
+  const hasEncrypted = events.some((e) => e.is_encrypted);
+  if (!hasEncrypted) return events;
+
+  const key = await getWorkspaceKeyForTools(wsId);
+  if (!key) return events;
+
+  const { decryptCalendarEvents } = await import('@tuturuuu/utils/encryption');
+  return decryptCalendarEvents(events, key);
+}
+
+/**
+ * Encrypt the sensitive fields of a calendar event before storage.
+ * Returns the original data untouched when E2EE is not enabled.
+ */
+export async function encryptEventFieldsForTools(
+  fields: { title: string; description: string; location: string | null },
+  wsId: string
+): Promise<{
+  title: string;
+  description: string;
+  location: string | null;
+  is_encrypted: boolean;
+}> {
+  const key = await getWorkspaceKeyForTools(wsId);
+  if (!key) {
+    return { ...fields, is_encrypted: false };
+  }
+
+  const { encryptCalendarEventFields } = await import(
+    '@tuturuuu/utils/encryption'
+  );
+  const encrypted = encryptCalendarEventFields(
+    {
+      title: fields.title,
+      description: fields.description,
+      location: fields.location ?? undefined,
+    },
+    key
+  );
+
+  return {
+    title: encrypted.title,
+    description: encrypted.description,
+    location: encrypted.location ?? null,
+    is_encrypted: true,
+  };
+}

package/src/tools/executors/image.ts

@@ -0,0 +1,247 @@
+import { google } from '@ai-sdk/google';
+import { isGoogleModelId, toBareModelName } from '../../credits/model-mapping';
+import {
+  PlanModelResolutionError,
+  resolvePlanModel,
+} from '../../credits/resolve-plan-model';
+import type { MiraToolContext } from '../mira-tools';
+
+export async function executeGenerateImage(
+  args: Record<string, unknown>,
+  ctx: MiraToolContext
+): Promise<unknown> {
+  const billingWsId = ctx.creditWsId ?? ctx.wsId;
+  const prompt = args.prompt as string;
+  const aspectRatio = (args.aspectRatio as string) ?? '1:1';
+  let selectedModel: string;
+
+  try {
+    const resolvedModel = await resolvePlanModel({
+      capability: 'image',
+      requestedModel:
+        typeof args.model === 'string' ? (args.model as string) : undefined,
+      wsId: billingWsId,
+    });
+    selectedModel = resolvedModel.modelId;
+  } catch (error) {
+    if (error instanceof PlanModelResolutionError) {
+      return {
+        success: false,
+        error: error.message,
+      };
+    }
+
+    throw error;
+  }
+
+  const { checkAiCredits } = await import('../../credits/check-credits');
+  const {
+    commitFixedAiCreditReservation,
+    releaseFixedAiCreditReservation,
+    reserveFixedAiCredits,
+  } = await import('../../credits/reservations');
+  let commitResult: Awaited<
+    ReturnType<typeof commitFixedAiCreditReservation>
+  > | null = null;
+  const { createAdminClient } = await import('@tuturuuu/supabase/next/server');
+  const creditCheck = await checkAiCredits(
+    billingWsId,
+    selectedModel,
+    'image_generation',
+    { userId: ctx.userId }
+  );
+
+  if (!creditCheck.allowed) {
+    const errorMessages: Record<string, string> = {
+      FEATURE_NOT_ALLOWED:
+        'Image generation is not available on your current plan.',
+      MODEL_NOT_ALLOWED: `The model ${selectedModel} is not enabled for your workspace.`,
+      CREDITS_EXHAUSTED: 'You have run out of AI credits for image generation.',
+      NO_ALLOCATION: 'Image generation is not configured for your workspace.',
+    };
+    return {
+      success: false,
+      error:
+        errorMessages[creditCheck.errorCode ?? ''] ??
+        'Image generation is not available. Please check your AI credit settings.',
+    };
+  }
+
+  const sbAdmin = await createAdminClient();
+  const reservationMetadata = {
+    aspectRatio,
+    model: selectedModel,
+    feature: 'image_generation',
+  };
+  // Full metadata including prompt for storage — never logged directly.
+  const fullReservationMetadata = {
+    prompt,
+    wsId: billingWsId,
+    userId: ctx.userId,
+    ...reservationMetadata,
+  };
+
+  const reservation = await reserveFixedAiCredits(
+    {
+      wsId: billingWsId,
+      userId: ctx.userId,
+      amount: 1,
+      modelId: selectedModel,
+      feature: 'image_generation',
+      metadata: fullReservationMetadata,
+    },
+    sbAdmin
+  );
+
+  if (!reservation.success || !reservation.reservationId) {
+    return {
+      success: false,
+      error:
+        reservation.errorCode === 'INSUFFICIENT_CREDITS'
+          ? 'You have run out of AI credits for image generation.'
+          : 'Failed to reserve AI credits for image generation.',
+    };
+  }
+
+  const { generateImage, gateway } = await import('ai');
+
+  const imageId = crypto.randomUUID();
+  const storagePath = `${ctx.wsId}/mira/images/${imageId}.png`;
+
+  try {
+    const model = isGoogleModelId(selectedModel)
+      ? google.image(toBareModelName(selectedModel))
+      : gateway.image(selectedModel);
+    const { image } = await generateImage({
+      model,
+      prompt,
+      aspectRatio: aspectRatio as `${number}:${number}`,
+    });
+
+    const { error: uploadError } = await sbAdmin.storage
+      .from('workspaces')
+      .upload(storagePath, image.uint8Array, {
+        contentType: 'image/png',
+        upsert: false,
+      });
+
+    if (uploadError) {
+      throw new Error(`Upload failed: ${uploadError.message}`);
+    }
+
+    const { data: urlData, error: urlError } = await sbAdmin.storage
+      .from('workspaces')
+      .createSignedUrl(storagePath, 60 * 60 * 24 * 30);
+
+    if (urlError || !urlData) {
+      throw new Error(
+        `Signed URL failed: ${urlError?.message ?? 'No data returned'}`
+      );
+    }
+
+    commitResult = await commitFixedAiCreditReservation(
+      reservation.reservationId,
+      {
+        ...fullReservationMetadata,
+        storagePath,
+      },
+      sbAdmin
+    );
+
+    if (!commitResult.success) {
+      throw new Error('Failed to finalize AI credit deduction.');
+    }
+
+    return {
+      success: true,
+      imageUrl: urlData.signedUrl,
+      storagePath,
+      prompt,
+    };
+  } catch (error) {
+    let commitOrReleaseError: Error | null = null;
+
+    // Attempt to release the reservation first, with defensive error handling.
+    // Releasing before storage cleanup ensures we know the reservation's final
+    // state before deciding whether to keep or remove the image.
+    let releaseResult: Awaited<
+      ReturnType<typeof releaseFixedAiCreditReservation>
+    > | null = null;
+    try {
+      releaseResult = await releaseFixedAiCreditReservation(
+        reservation.reservationId,
+        {
+          ...reservationMetadata,
+          storagePath,
+          error:
+            error instanceof Error
+              ? error.message
+              : 'Unknown image generation error',
+        },
+        sbAdmin
+      );
+
+      if (!releaseResult.success) {
+        console.error('Failed to release AI credit reservation', {
+          reservationId: reservation.reservationId,
+          storagePath,
+          releaseResult,
+          commitResult,
+        });
+        commitOrReleaseError = new Error(
+          `AI credit reservation release failed (${releaseResult.errorCode ?? 'UNKNOWN'}): ${JSON.stringify(
+            {
+              commitResult,
+              releaseResult,
+            }
+          )}`
+        );
+      }
+    } catch (releaseError) {
+      console.error('Failed to release AI credit reservation', {
+        reservationId: reservation.reservationId,
+        storagePath,
+        releaseError:
+          releaseError instanceof Error
+            ? releaseError.message
+            : String(releaseError),
+      });
+      commitOrReleaseError = new Error(
+        `Failed to release reservation: ${
+          releaseError instanceof Error
+            ? releaseError.message
+            : 'Unknown release error'
+        }`
+      );
+    }
+
+    // Only delete the image if the credit commit did NOT succeed AND
+    // the reservation was not already committed (confirmed by release).
+    // If commit succeeded (e.g. HTTP response was lost), keep the image
+    // so the user isn't charged for nothing.
+    const alreadyCommitted =
+      releaseResult?.errorCode === 'RESERVATION_ALREADY_COMMITTED';
+    if (storagePath && !commitResult?.success && !alreadyCommitted) {
+      const { error: removeError } = await sbAdmin.storage
+        .from('workspaces')
+        .remove([storagePath]);
+      if (removeError) {
+        console.error('Failed to cleanup image upload', {
+          storagePath,
+          error: removeError.message,
+        });
+      }
+    }
+
+    return {
+      success: false,
+      error: commitOrReleaseError?.message
+        ? `${commitOrReleaseError.message} ${
+            error instanceof Error ? `Original error: ${error.message}` : ''
+          }`.trim()
+        : error instanceof Error
+          ? error.message
+          : 'Image generation failed. Please try again.',
+    };
+  }
+}