npm - agent-relay - Versions diffs - 1.2.3 → 1.3.0 - Mend

agent-relay 1.2.3 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (200) hide show

package/dist/cloud/api/providers.js CHANGED Viewed

@@ -9,7 +9,6 @@ import { createClient } from 'redis';
 import { requireAuth } from './auth.js';
 import { getConfig } from '../config.js';
 import { db } from '../db/index.js';
-import { vault } from '../vault/index.js';
 export const providersRouter = Router();
 // All routes require authentication
 providersRouter.use(requireAuth);
@@ -243,19 +242,18 @@ providersRouter.post('/:provider/verify', async (req, res) => {
     // For self-hosted: we trust the user completed the CLI flow
     // In production, we'd verify by making a test API call with the credentials
     try {
-        // For now, mark as connected (in production, verify credentials exist)
-        // This would be called after the user's workspace detects valid credentials
+        // Mark as connected (tokens are not stored centrally - CLI tools
+        // authenticate directly on workspace instances)
         await db.credentials.upsert({
             userId,
             provider,
-            accessToken: 'cli-authenticated', // Placeholder - real token from CLI
             scopes: [], // CLI auth doesn't use scopes
             providerAccountEmail: req.body.email, // User can optionally provide
         });
         res.json({
             success: true,
             message: `${providerConfig.displayName} connected via CLI`,
-            note: 'Credentials will be synced when workspace starts',
+            note: 'CLI credentials remain on your local machine',
         });
     }
     catch (error) {
@@ -306,17 +304,18 @@ providersRouter.post('/:provider/api-key', async (req, res) => {
         if (!isValid) {
             return res.status(400).json({ error: 'Invalid API key' });
         }
-        // Store the API key - use scopes from device flow providers, empty for CLI providers
+        // Mark provider as connected (tokens are not stored centrally - CLI tools
+        // authenticate directly on workspace instances)
         const scopes = isDeviceFlowProvider(providerConfig) ? providerConfig.scopes : [];
-        await vault.storeCredential({
+        await db.credentials.upsert({
             userId,
             provider,
-            accessToken: apiKey,
             scopes,
         });
         res.json({
             success: true,
             message: `${providerConfig.displayName} connected`,
+            note: 'API key validated. Configure this key on your workspace for usage.',
         });
     }
     catch (error) {
@@ -469,7 +468,9 @@ async function pollForToken(flowId, provider, clientId) {
         .catch((err) => console.error('Poll start error:', err));
 }
 /**
- * Store tokens after successful device flow
+ * Mark provider as connected after successful device flow
+ * Note: Tokens are not stored centrally - CLI tools authenticate directly
+ * on workspace instances. We only record the connection status and user info.
  */
 async function storeProviderTokens(userId, provider, tokens) {
     const providerConfig = PROVIDERS[provider];
@@ -490,15 +491,10 @@ async function storeProviderTokens(userId, provider, tokens) {
             console.error('Error fetching user info:', error);
         }
     }
-    // Encrypt and store
-    await vault.storeCredential({
+    // Mark provider as connected (without storing tokens)
+    await db.credentials.upsert({
         userId,
         provider,
-        accessToken: tokens.accessToken,
-        refreshToken: tokens.refreshToken,
-        tokenExpiresAt: tokens.expiresIn
-            ? new Date(Date.now() + tokens.expiresIn * 1000)
-            : undefined,
         scopes: tokens.scope?.split(' '),
         providerAccountId: userInfo.id,
         providerAccountEmail: userInfo.email,

package/dist/cloud/api/repos.js CHANGED Viewed

@@ -4,10 +4,60 @@
  * GitHub repository management - list, import, sync.
  * Includes Nango-based GitHub permission checking for dashboard access control.
  */
+import crypto from 'crypto';
 import { Router } from 'express';
 import { requireAuth } from './auth.js';
 import { db } from '../db/index.js';
 import { nangoService } from '../services/nango.js';
+import { getConfig } from '../config.js';
+/**
+ * Generate workspace token for API calls to workspace containers
+ */
+function generateWorkspaceToken(workspaceId) {
+    const config = getConfig();
+    return crypto
+        .createHmac('sha256', config.sessionSecret)
+        .update(`workspace:${workspaceId}`)
+        .digest('hex');
+}
+/**
+ * Call workspace API endpoint
+ */
+async function callWorkspaceApi(publicUrl, workspaceId, method, endpoint, body) {
+    const token = generateWorkspaceToken(workspaceId);
+    const url = `${publicUrl.replace(/\/$/, '')}${endpoint}`;
+    try {
+        const response = await fetch(url, {
+            method,
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${token}`,
+            },
+            body: body ? JSON.stringify(body) : undefined,
+        });
+        const data = await response.json().catch((parseError) => {
+            console.error('Failed to parse JSON from workspace response', {
+                url,
+                status: response.status,
+                error: parseError instanceof Error ? parseError.message : parseError,
+            });
+            return null;
+        });
+        return {
+            ok: response.ok,
+            status: response.status,
+            data,
+            error: response.ok ? undefined : (data?.error || `HTTP ${response.status}`),
+        };
+    }
+    catch (err) {
+        return {
+            ok: false,
+            status: 0,
+            error: err instanceof Error ? err.message : 'Network error',
+        };
+    }
+}
 export const reposRouter = Router();
 // All routes require authentication
 reposRouter.use(requireAuth);
@@ -190,83 +240,49 @@ reposRouter.post('/bulk', async (req, res) => {
     });
 });
 /**
- * GET /api/repos/:id
- * Get repository details
+ * GET /api/repos/accessible
+ * List all GitHub repositories the authenticated user has access to.
+ * Uses Nango proxy with user's GitHub OAuth token.
  */
-reposRouter.get('/:id', async (req, res) => {
+reposRouter.get('/accessible', async (req, res) => {
     const userId = req.session.userId;
-    const { id } = req.params;
+    const { page, perPage, type, sort } = req.query;
     try {
-        const repositories = await db.repositories.findByUserId(userId);
-        const repo = repositories.find((r) => r.id === id);
-        if (!repo) {
-            return res.status(404).json({ error: 'Repository not found' });
+        // Get user's Nango connection ID
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        if (!user.nangoConnectionId) {
+            return res.status(400).json({
+                error: 'GitHub not connected via Nango',
+                code: 'NANGO_NOT_CONNECTED',
+                message: 'Please reconnect your GitHub account',
+            });
         }
+        // List accessible repos via Nango proxy
+        const result = await nangoService.listUserAccessibleRepos(user.nangoConnectionId, {
+            page: page ? parseInt(page, 10) : undefined,
+            perPage: perPage ? Math.min(parseInt(perPage, 10), 100) : undefined,
+            type: type,
+            sort: sort,
+        });
         res.json({
-            id: repo.id,
-            fullName: repo.githubFullName,
-            defaultBranch: repo.defaultBranch,
-            isPrivate: repo.isPrivate,
-            syncStatus: repo.syncStatus,
-            lastSyncedAt: repo.lastSyncedAt,
-            workspaceId: repo.workspaceId,
-            createdAt: repo.createdAt,
+            repositories: result.repositories,
+            pagination: {
+                page: page ? parseInt(page, 10) : 1,
+                perPage: perPage ? Math.min(parseInt(perPage, 10), 100) : 100,
+                hasMore: result.hasMore,
+            },
+            checkedBy: {
+                userId: user.id,
+                githubUsername: user.githubUsername,
+            },
         });
     }
     catch (error) {
-        console.error('Error getting repo:', error);
-        res.status(500).json({ error: 'Failed to get repository' });
-    }
-});
-/**
- * POST /api/repos/:id/sync
- * Trigger repository sync (clone/pull to workspace)
- */
-reposRouter.post('/:id/sync', async (req, res) => {
-    const userId = req.session.userId;
-    const { id } = req.params;
-    try {
-        const repositories = await db.repositories.findByUserId(userId);
-        const repo = repositories.find((r) => r.id === id);
-        if (!repo) {
-            return res.status(404).json({ error: 'Repository not found' });
-        }
-        if (!repo.workspaceId) {
-            return res.status(400).json({ error: 'Repository not assigned to a workspace' });
-        }
-        // Update sync status
-        await db.repositories.updateSyncStatus(id, 'syncing');
-        // In production, this would trigger the workspace to pull the repo
-        // For now, simulate success after a short delay
-        setTimeout(async () => {
-            await db.repositories.updateSyncStatus(id, 'synced', new Date());
-        }, 2000);
-        res.json({ message: 'Sync started', syncStatus: 'syncing' });
-    }
-    catch (error) {
-        console.error('Error syncing repo:', error);
-        res.status(500).json({ error: 'Failed to sync repository' });
-    }
-});
-/**
- * DELETE /api/repos/:id
- * Remove a repository
- */
-reposRouter.delete('/:id', async (req, res) => {
-    const userId = req.session.userId;
-    const { id } = req.params;
-    try {
-        const repositories = await db.repositories.findByUserId(userId);
-        const repo = repositories.find((r) => r.id === id);
-        if (!repo) {
-            return res.status(404).json({ error: 'Repository not found' });
-        }
-        await db.repositories.delete(id);
-        res.json({ success: true });
-    }
-    catch (error) {
-        console.error('Error deleting repo:', error);
-        res.status(500).json({ error: 'Failed to delete repository' });
+        console.error('Error listing accessible repos:', error);
+        res.status(500).json({ error: 'Failed to list accessible repositories' });
     }
 });
 /**
@@ -365,61 +381,6 @@ reposRouter.get('/check-access/:owner/:repo', async (req, res) => {
         res.status(500).json({ error: 'Failed to check repository access' });
     }
 });
-/**
- * GET /api/repos/accessible
- * List all GitHub repositories the authenticated user has access to.
- * Uses Nango proxy with user's GitHub OAuth token.
- *
- * Query params:
- * - page: Page number (default: 1)
- * - perPage: Results per page (default: 100, max: 100)
- * - type: Filter by type (all, owner, public, private, member)
- * - sort: Sort by (created, updated, pushed, full_name)
- *
- * Use this to determine which dashboards/workspaces a user can access.
- */
-reposRouter.get('/accessible', async (req, res) => {
-    const userId = req.session.userId;
-    const { page, perPage, type, sort } = req.query;
-    try {
-        // Get user's Nango connection ID
-        const user = await db.users.findById(userId);
-        if (!user) {
-            return res.status(404).json({ error: 'User not found' });
-        }
-        if (!user.nangoConnectionId) {
-            return res.status(400).json({
-                error: 'GitHub not connected via Nango',
-                code: 'NANGO_NOT_CONNECTED',
-                message: 'Please reconnect your GitHub account',
-            });
-        }
-        // List accessible repos via Nango proxy
-        const result = await nangoService.listUserAccessibleRepos(user.nangoConnectionId, {
-            page: page ? parseInt(page, 10) : undefined,
-            perPage: perPage ? Math.min(parseInt(perPage, 10), 100) : undefined,
-            type: type,
-            sort: sort,
-        });
-        res.json({
-            repositories: result.repositories,
-            pagination: {
-                page: page ? parseInt(page, 10) : 1,
-                perPage: perPage ? Math.min(parseInt(perPage, 10), 100) : 100,
-                hasMore: result.hasMore,
-            },
-            // Include user info for context
-            checkedBy: {
-                userId: user.id,
-                githubUsername: user.githubUsername,
-            },
-        });
-    }
-    catch (error) {
-        console.error('Error listing accessible repos:', error);
-        res.status(500).json({ error: 'Failed to list accessible repositories' });
-    }
-});
 /**
  * POST /api/repos/check-access-bulk
  * Check access to multiple repositories at once.
@@ -497,4 +458,119 @@ reposRouter.post('/check-access-bulk', async (req, res) => {
         res.status(500).json({ error: 'Failed to check repository access' });
     }
 });
+// ============================================================================
+// WILDCARD ROUTES BELOW - All specific routes must be defined ABOVE this line
+// ============================================================================
+/**
+ * GET /api/repos/:id
+ * Get repository details
+ */
+reposRouter.get('/:id', async (req, res) => {
+    const userId = req.session.userId;
+    const { id } = req.params;
+    try {
+        const repositories = await db.repositories.findByUserId(userId);
+        const repo = repositories.find((r) => r.id === id);
+        if (!repo) {
+            return res.status(404).json({ error: 'Repository not found' });
+        }
+        res.json({
+            id: repo.id,
+            fullName: repo.githubFullName,
+            defaultBranch: repo.defaultBranch,
+            isPrivate: repo.isPrivate,
+            syncStatus: repo.syncStatus,
+            lastSyncedAt: repo.lastSyncedAt,
+            workspaceId: repo.workspaceId,
+            createdAt: repo.createdAt,
+        });
+    }
+    catch (error) {
+        console.error('Error getting repo:', error);
+        res.status(500).json({ error: 'Failed to get repository' });
+    }
+});
+/**
+ * POST /api/repos/:id/sync
+ * Trigger repository sync (clone/pull to workspace)
+ *
+ * Calls the workspace's /repos/sync API endpoint to clone or update the repo.
+ * This enables dynamic repo management without workspace restart.
+ */
+reposRouter.post('/:id/sync', async (req, res) => {
+    const userId = req.session.userId;
+    const { id } = req.params;
+    try {
+        const repositories = await db.repositories.findByUserId(userId);
+        const repo = repositories.find((r) => r.id === id);
+        if (!repo) {
+            return res.status(404).json({ error: 'Repository not found' });
+        }
+        if (!repo.workspaceId) {
+            return res.status(400).json({ error: 'Repository not assigned to a workspace' });
+        }
+        // Get the workspace to find its public URL
+        const workspace = await db.workspaces.findById(repo.workspaceId);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.status !== 'running') {
+            return res.status(400).json({
+                error: 'Workspace is not running',
+                workspaceStatus: workspace.status,
+            });
+        }
+        if (!workspace.publicUrl) {
+            return res.status(400).json({ error: 'Workspace has no public URL' });
+        }
+        // Update sync status
+        await db.repositories.updateSyncStatus(id, 'syncing');
+        // Call the workspace's repo sync API
+        const result = await callWorkspaceApi(workspace.publicUrl, workspace.id, 'POST', '/repos/sync', { repo: repo.githubFullName });
+        if (result.ok) {
+            // Update sync status to synced
+            await db.repositories.updateSyncStatus(id, 'synced', new Date());
+            res.json({
+                message: 'Repository synced successfully',
+                syncStatus: 'synced',
+                result: result.data,
+            });
+        }
+        else {
+            // Update sync status to error
+            await db.repositories.updateSyncStatus(id, 'error');
+            console.error('Workspace sync failed:', result.error);
+            res.status(502).json({
+                error: 'Failed to sync repository to workspace',
+                details: result.error,
+                syncStatus: 'error',
+            });
+        }
+    }
+    catch (error) {
+        console.error('Error syncing repo:', error);
+        res.status(500).json({ error: 'Failed to sync repository' });
+    }
+});
+/**
+ * DELETE /api/repos/:id
+ * Remove a repository
+ */
+reposRouter.delete('/:id', async (req, res) => {
+    const userId = req.session.userId;
+    const { id } = req.params;
+    try {
+        const repositories = await db.repositories.findByUserId(userId);
+        const repo = repositories.find((r) => r.id === id);
+        if (!repo) {
+            return res.status(404).json({ error: 'Repository not found' });
+        }
+        await db.repositories.delete(id);
+        res.json({ success: true });
+    }
+    catch (error) {
+        console.error('Error deleting repo:', error);
+        res.status(500).json({ error: 'Failed to delete repository' });
+    }
+});
 //# sourceMappingURL=repos.js.map

package/dist/cloud/api/test-helpers.js CHANGED Viewed

@@ -227,6 +227,46 @@ testHelpersRouter.post('/create-mock-repo', async (req, res) => {
         res.status(500).json({ error: 'Failed to create mock repo' });
     }
 });
+/**
+ * GET /api/test/auto-login
+ * Browser-friendly auto-login - visit this URL to login and redirect
+ * Usage: /api/test/auto-login?redirect=/providers/setup/claude?workspace=xxx
+ */
+testHelpersRouter.get('/auto-login', async (req, res) => {
+    if (!isTestMode) {
+        return res.status(403).json({ error: 'Test endpoints disabled in production' });
+    }
+    try {
+        const db = getDb();
+        const redirect = req.query.redirect || '/app';
+        // Find or create test user
+        let user;
+        const existingUsers = await db.select().from(users).limit(1);
+        if (existingUsers.length > 0) {
+            user = existingUsers[0];
+        }
+        else {
+            const testId = `test-${randomUUID()}`;
+            const [newUser] = await db.insert(users).values({
+                email: `${testId}@test.local`,
+                githubId: testId,
+                githubUsername: 'test-user',
+                avatarUrl: null,
+                plan: 'free',
+            }).returning();
+            user = newUser;
+        }
+        // Set session and CSRF token
+        req.session.userId = user.id;
+        req.session.csrfToken = randomUUID();
+        // Redirect to requested page
+        res.redirect(redirect);
+    }
+    catch (error) {
+        console.error('Error in auto-login:', error);
+        res.status(500).json({ error: 'Failed to auto-login' });
+    }
+});
 /**
  * POST /api/test/login-as
  * Quick login for testing - creates session for existing or new test user

package/dist/cloud/api/usage.js CHANGED Viewed

@@ -6,6 +6,7 @@
 import { Router } from 'express';
 import { requireAuth } from './auth.js';
 import { getRemainingQuota, getUserUsage, getPlanLimits } from '../services/planLimits.js';
+import { getIntroStatus } from '../services/intro-expiration.js';
 import { db } from '../db/index.js';
 export const usageRouter = Router();
 // All routes require authentication
@@ -23,6 +24,8 @@ usageRouter.get('/', async (req, res) => {
         }
         const plan = user.plan || 'free';
         const quota = await getRemainingQuota(userId);
+        // Get intro period status for free tier users
+        const introStatus = getIntroStatus(user.createdAt, plan);
         const calcPercent = (current, limit) => limit === Infinity ? 0 : Math.round((current / limit) * 100);
         res.json({
             plan,
@@ -51,6 +54,16 @@ usageRouter.get('/', async (req, res) => {
                 concurrentAgents: calcPercent(quota.usage.concurrentAgents, quota.limits.maxConcurrentAgents),
                 computeHours: calcPercent(quota.usage.computeHoursThisMonth, quota.limits.maxComputeHoursPerMonth),
             },
+            // Intro period bonus for free tier users (2 CPU / 4GB for first 14 days)
+            introBonus: {
+                isActive: introStatus.isIntroPeriod,
+                daysRemaining: introStatus.daysRemaining,
+                totalDays: introStatus.introPeriodDays,
+                expiresAt: introStatus.expiresAt?.toISOString() || null,
+                resources: introStatus.isIntroPeriod
+                    ? { cpus: 2, memoryGb: 4, description: 'Pro-level resources' }
+                    : { cpus: 1, memoryGb: 2, description: 'Standard free tier' },
+            },
         });
     }
     catch (error) {

package/dist/cloud/api/webhooks.js CHANGED Viewed

@@ -76,7 +76,7 @@ async function wakeWorkspaceMachine(workspaceId) {
  *   http://{workspace-internal}/webhooks/your/path
  */
 // Handler for workspace webhook forwarding - matches any path under /workspace/:workspaceId
-async function handleWorkspaceWebhook(req, res) {
+async function _handleWorkspaceWebhook(req, res) {
     // Extract workspaceId from URL path
     const pathMatch = req.originalUrl.match(/\/workspace\/([^/]+)\/?(.*)$/);
     if (!pathMatch) {

package/dist/cloud/api/workspaces.d.ts CHANGED Viewed

@@ -2,6 +2,24 @@
  * Workspaces API Routes
  *
  * One-click workspace provisioning and management.
+ * Includes auto-access based on GitHub repo permissions.
  */
+import { Request, Response, NextFunction } from 'express';
+/**
+ * Check if user has access to a workspace via:
+ * 1. Workspace ownership (userId matches)
+ * 2. Explicit workspace_members record
+ * 3. GitHub repo access (just-in-time check via Nango)
+ */
+export declare function checkWorkspaceAccess(userId: string, workspaceId: string): Promise<{
+    hasAccess: boolean;
+    accessType: 'owner' | 'member' | 'contributor' | 'none';
+    permission?: 'admin' | 'write' | 'read';
+}>;
+/**
+ * Middleware to require workspace access.
+ * Checks ownership, membership, or GitHub repo access.
+ */
+export declare function requireWorkspaceAccess(req: Request, res: Response, next: NextFunction): void;
 export declare const workspacesRouter: import("express-serve-static-core").Router;
 //# sourceMappingURL=workspaces.d.ts.map