agent-relay 1.2.3 → 1.3.1

package/dist/cloud/services/intro-expiration.js

@@ -0,0 +1,211 @@
+/**
+ * Intro Expiration Service
+ *
+ * Handles auto-resize of workspaces when the free tier introductory period expires.
+ * Free users get Pro-level resources (2 CPU / 4GB) for the first 14 days,
+ * then get automatically downsized to standard free tier (1 CPU / 2GB).
+ */
+import { db } from '../db/index.js';
+import { getProvisioner } from '../provisioner/index.js';
+export const INTRO_PERIOD_DAYS = 14;
+const DEFAULT_CONFIG = {
+    enabled: true,
+    checkIntervalMs: 60 * 60 * 1000, // 1 hour
+};
+/**
+ * Get intro period status for a user
+ */
+export function getIntroStatus(userCreatedAt, plan) {
+    const introPeriodDays = INTRO_PERIOD_DAYS;
+    // Only free tier users get intro bonus
+    if (plan !== 'free' || !userCreatedAt) {
+        return {
+            isIntroPeriod: false,
+            daysRemaining: 0,
+            introPeriodDays,
+            expiresAt: null,
+        };
+    }
+    const createdAt = typeof userCreatedAt === 'string' ? new Date(userCreatedAt) : userCreatedAt;
+    const daysSinceSignup = (Date.now() - createdAt.getTime()) / (1000 * 60 * 60 * 24);
+    const isIntroPeriod = daysSinceSignup < introPeriodDays;
+    const daysRemaining = Math.max(0, Math.ceil(introPeriodDays - daysSinceSignup));
+    const expiresAt = new Date(createdAt.getTime() + introPeriodDays * 24 * 60 * 60 * 1000);
+    return {
+        isIntroPeriod,
+        daysRemaining,
+        introPeriodDays,
+        expiresAt,
+    };
+}
+export class IntroExpirationService {
+    config;
+    checkTimer = null;
+    isRunning = false;
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    /**
+     * Start the expiration service
+     */
+    start() {
+        if (!this.config.enabled) {
+            console.log('[intro-expiration] Service disabled');
+            return;
+        }
+        if (this.isRunning) {
+            console.warn('[intro-expiration] Service already running');
+            return;
+        }
+        this.isRunning = true;
+        console.log(`[intro-expiration] Started (checking every ${this.config.checkIntervalMs / 1000 / 60} minutes)`);
+        // Run immediately on start
+        this.runExpirationCheck().catch((err) => {
+            console.error('[intro-expiration] Initial run failed:', err);
+        });
+        // Then run periodically
+        this.checkTimer = setInterval(() => {
+            this.runExpirationCheck().catch((err) => {
+                console.error('[intro-expiration] Periodic run failed:', err);
+            });
+        }, this.config.checkIntervalMs);
+    }
+    /**
+     * Stop the expiration service
+     */
+    stop() {
+        if (this.checkTimer) {
+            clearInterval(this.checkTimer);
+            this.checkTimer = null;
+        }
+        this.isRunning = false;
+        console.log('[intro-expiration] Stopped');
+    }
+    /**
+     * Run expiration check for all free tier users with expired intro periods
+     */
+    async runExpirationCheck() {
+        const results = [];
+        try {
+            // Get all users on free tier
+            const freeUsers = await db.users.findByPlan('free');
+            // Filter to users whose intro period has expired
+            const expiredUsers = freeUsers.filter((user) => {
+                const status = getIntroStatus(user.createdAt, user.plan || 'free');
+                return !status.isIntroPeriod && status.expiresAt !== null;
+            });
+            if (expiredUsers.length === 0) {
+                return results;
+            }
+            console.log(`[intro-expiration] Checking ${expiredUsers.length} users with expired intro periods`);
+            for (const user of expiredUsers) {
+                try {
+                    const userResults = await this.checkAndResizeUserWorkspaces(user.id);
+                    results.push(...userResults);
+                }
+                catch (err) {
+                    console.error(`[intro-expiration] Error checking user ${user.id}:`, err);
+                }
+            }
+            // Summary
+            const resized = results.filter((r) => r.action === 'resized').length;
+            const skipped = results.filter((r) => r.action === 'skipped').length;
+            const errors = results.filter((r) => r.action === 'error').length;
+            if (resized > 0 || errors > 0) {
+                console.log(`[intro-expiration] Results: ${resized} resized, ${skipped} skipped, ${errors} errors`);
+            }
+            return results;
+        }
+        catch (err) {
+            console.error('[intro-expiration] Run failed:', err);
+            return results;
+        }
+    }
+    /**
+     * Check and resize workspaces for a user whose intro period has expired
+     */
+    async checkAndResizeUserWorkspaces(userId) {
+        const results = [];
+        const provisioner = getProvisioner();
+        // Get user's workspaces
+        const workspaces = await db.workspaces.findByUserId(userId);
+        for (const workspace of workspaces) {
+            try {
+                // Check if workspace has intro-sized resources
+                // We detect this by checking if it has 4GB memory (intro size) vs 2GB (standard)
+                const config = workspace.config;
+                const resourceTier = config?.resourceTier;
+                // Skip if already resized to standard free tier
+                // Intro workspaces would have been provisioned with medium tier (4GB)
+                // Standard free tier is small (2GB)
+                if (resourceTier === 'small') {
+                    results.push({
+                        userId,
+                        workspaceId: workspace.id,
+                        workspaceName: workspace.name,
+                        action: 'skipped',
+                        reason: 'Already at standard free tier size',
+                    });
+                    continue;
+                }
+                // Skip if workspace is not running (resize happens on next start)
+                if (workspace.status !== 'running') {
+                    results.push({
+                        userId,
+                        workspaceId: workspace.id,
+                        workspaceName: workspace.name,
+                        action: 'skipped',
+                        reason: `Workspace status is ${workspace.status}`,
+                    });
+                    continue;
+                }
+                // Resize to standard free tier (small: 1 CPU / 2GB)
+                // Use skipRestart=true to not disrupt running agents
+                // The config is saved and will apply on next restart
+                console.log(`[intro-expiration] Resizing workspace ${workspace.name} to standard free tier`);
+                await provisioner.resize(workspace.id, {
+                    name: 'small',
+                    cpuCores: 1,
+                    cpuKind: 'shared',
+                    memoryMb: 2048,
+                    maxAgents: 2,
+                }, true); // skipRestart = true for graceful resize
+                results.push({
+                    userId,
+                    workspaceId: workspace.id,
+                    workspaceName: workspace.name,
+                    action: 'resized',
+                    reason: 'Intro period expired, downsized to standard free tier (applies on next restart)',
+                });
+            }
+            catch (err) {
+                console.error(`[intro-expiration] Failed to resize workspace ${workspace.id}:`, err);
+                results.push({
+                    userId,
+                    workspaceId: workspace.id,
+                    workspaceName: workspace.name,
+                    action: 'error',
+                    reason: err instanceof Error ? err.message : 'Unknown error',
+                });
+            }
+        }
+        return results;
+    }
+}
+// Singleton instance
+let _service = null;
+export function getIntroExpirationService() {
+    if (!_service) {
+        _service = new IntroExpirationService();
+    }
+    return _service;
+}
+export function startIntroExpirationService() {
+    getIntroExpirationService().start();
+}
+export function stopIntroExpirationService() {
+    if (_service) {
+        _service.stop();
+    }
+}
+//# sourceMappingURL=intro-expiration.js.map

package/dist/cloud/services/nango.d.ts

@@ -174,6 +174,20 @@ declare class NangoService {
         }>;
         hasMore: boolean;
     }>;
+    /**
+     * List collaborators for a repository via Nango Proxy.
+     * Uses the GitHub App connection to access repository collaborators.
+     * @param connectionId - GitHub App connection ID
+     * @param owner - Repository owner
+     * @param repo - Repository name
+     * @returns List of collaborators with their permissions
+     */
+    listRepoCollaborators(connectionId: string, owner: string, repo: string): Promise<Array<{
+        id: number;
+        login: string;
+        avatarUrl: string;
+        permission: 'admin' | 'write' | 'read' | 'none';
+    }>>;
     /**
      * Verify webhook signature sent by Nango.
      * Uses the new verifyIncomingWebhookRequest method.

package/dist/cloud/services/nango.js

@@ -46,23 +46,35 @@ class NangoService {
      * For API calls, use the proxy methods instead.
      */
     async getGithubAppToken(connectionId) {
-        const token = await this.client.getToken(NANGO_INTEGRATIONS.GITHUB_APP, connectionId, false, true);
-        // Handle different return formats from Nango
-        if (typeof token === 'string') {
-            return token;
-        }
-        // Nango may return an object with access_token
-        if (token && typeof token === 'object') {
-            const tokenObj = token;
-            if (tokenObj.access_token) {
-                return tokenObj.access_token;
+        try {
+            const token = await this.client.getToken(NANGO_INTEGRATIONS.GITHUB_APP, connectionId, false, true);
+            // Handle different return formats from Nango
+            if (typeof token === 'string') {
+                return token;
             }
-            if (tokenObj.token) {
-                return tokenObj.token;
+            // Nango may return an object with access_token
+            if (token && typeof token === 'object') {
+                const tokenObj = token;
+                if (tokenObj.access_token) {
+                    return tokenObj.access_token;
+                }
+                if (tokenObj.token) {
+                    return tokenObj.token;
+                }
+            }
+            console.error('[nango] Unexpected token format:', typeof token, token);
+            throw new Error('Expected GitHub App token to be a string');
+        }
+        catch (err) {
+            // Handle 404 (connection not found) gracefully
+            const error = err;
+            const status = error.response?.status || error.status;
+            if (status === 404) {
+                throw new Error(`GitHub App connection not found: ${connectionId} (may have been disconnected)`);
             }
+            // Re-throw with cleaner message
+            throw new Error(`Failed to get GitHub App token: ${err.message || 'Unknown error'}`);
         }
-        console.error('[nango] Unexpected token format:', typeof token, token);
-        throw new Error('Expected GitHub App token to be a string');
     }
     /**
      * Retrieve the user's OAuth access token from a GitHub App OAuth connection.
@@ -315,6 +327,54 @@ class NangoService {
             hasMore: repos.length === perPage,
         };
     }
+    /**
+     * List collaborators for a repository via Nango Proxy.
+     * Uses the GitHub App connection to access repository collaborators.
+     * @param connectionId - GitHub App connection ID
+     * @param owner - Repository owner
+     * @param repo - Repository name
+     * @returns List of collaborators with their permissions
+     */
+    async listRepoCollaborators(connectionId, owner, repo) {
+        try {
+            const response = await this.client.get({
+                connectionId,
+                providerConfigKey: NANGO_INTEGRATIONS.GITHUB_APP,
+                endpoint: `/repos/${owner}/${repo}/collaborators`,
+                params: { per_page: '100' },
+            });
+            return (response.data || []).map(collab => {
+                let permission = 'none';
+                if (collab.permissions) {
+                    if (collab.permissions.admin) {
+                        permission = 'admin';
+                    }
+                    else if (collab.permissions.push) {
+                        permission = 'write';
+                    }
+                    else if (collab.permissions.pull) {
+                        permission = 'read';
+                    }
+                }
+                return {
+                    id: collab.id,
+                    login: collab.login,
+                    avatarUrl: collab.avatar_url,
+                    permission,
+                };
+            });
+        }
+        catch (err) {
+            const error = err;
+            // 403 = no permission to view collaborators, 404 = repo not found
+            if (error.response?.status === 403 || error.response?.status === 404) {
+                console.warn(`[nango] Cannot list collaborators for ${owner}/${repo}: status ${error.response.status}`);
+                return [];
+            }
+            console.error('[nango] listRepoCollaborators error:', err);
+            throw err;
+        }
+    }
     /**
      * Verify webhook signature sent by Nango.
      * Uses the new verifyIncomingWebhookRequest method.

package/dist/cloud/services/ssh-security.d.ts

@@ -0,0 +1,31 @@
+/**
+ * SSH Security Utilities
+ *
+ * Provides secure SSH password derivation for workspace containers.
+ * Uses a deterministic approach based on workspace ID + secret salt,
+ * ensuring each workspace has a unique password without storage.
+ */
+/**
+ * Derive a unique SSH password for a workspace.
+ *
+ * Uses SHA-256 hash of (workspaceId + salt) to generate a deterministic
+ * but unique password for each workspace. This approach:
+ * - Ensures each workspace has a unique password
+ * - Requires no database storage
+ * - Produces consistent results across cloud server and container
+ *
+ * SECURITY: Set SSH_PASSWORD_SALT environment variable in production!
+ * The default salt is insecure and should never be used in production.
+ *
+ * @param workspaceId - The workspace UUID
+ * @returns A 24-character hex password (96 bits of entropy)
+ */
+export declare function deriveSshPassword(workspaceId: string): string;
+/**
+ * Validate that SSH security is properly configured.
+ * Call this at server startup to catch configuration issues early.
+ *
+ * @returns true if properly configured, false otherwise
+ */
+export declare function validateSshSecurityConfig(): boolean;
+//# sourceMappingURL=ssh-security.d.ts.map

package/dist/cloud/services/ssh-security.js

@@ -0,0 +1,63 @@
+/**
+ * SSH Security Utilities
+ *
+ * Provides secure SSH password derivation for workspace containers.
+ * Uses a deterministic approach based on workspace ID + secret salt,
+ * ensuring each workspace has a unique password without storage.
+ */
+import * as crypto from 'crypto';
+const DEFAULT_SALT = 'default-salt-change-in-prod';
+/**
+ * Derive a unique SSH password for a workspace.
+ *
+ * Uses SHA-256 hash of (workspaceId + salt) to generate a deterministic
+ * but unique password for each workspace. This approach:
+ * - Ensures each workspace has a unique password
+ * - Requires no database storage
+ * - Produces consistent results across cloud server and container
+ *
+ * SECURITY: Set SSH_PASSWORD_SALT environment variable in production!
+ * The default salt is insecure and should never be used in production.
+ *
+ * @param workspaceId - The workspace UUID
+ * @returns A 24-character hex password (96 bits of entropy)
+ */
+export function deriveSshPassword(workspaceId) {
+    const salt = process.env.SSH_PASSWORD_SALT;
+    // Warn if using default salt in production
+    if (!salt) {
+        const isProduction = process.env.NODE_ENV === 'production' || process.env.FLY_APP_NAME;
+        if (isProduction) {
+            console.warn('[SECURITY WARNING] SSH_PASSWORD_SALT is not set! ' +
+                'Using default salt is INSECURE in production. ' +
+                'Set SSH_PASSWORD_SALT to a random 32+ character secret.');
+        }
+    }
+    const effectiveSalt = salt || DEFAULT_SALT;
+    return crypto
+        .createHash('sha256')
+        .update(`${workspaceId}:${effectiveSalt}`)
+        .digest('hex')
+        .substring(0, 24); // 24 hex chars = 96 bits of entropy
+}
+/**
+ * Validate that SSH security is properly configured.
+ * Call this at server startup to catch configuration issues early.
+ *
+ * @returns true if properly configured, false otherwise
+ */
+export function validateSshSecurityConfig() {
+    const salt = process.env.SSH_PASSWORD_SALT;
+    const isProduction = process.env.NODE_ENV === 'production' || process.env.FLY_APP_NAME;
+    if (isProduction && !salt) {
+        console.error('[SECURITY ERROR] SSH_PASSWORD_SALT must be set in production! ' +
+            'Generate one with: openssl rand -hex 32');
+        return false;
+    }
+    if (salt && salt.length < 16) {
+        console.warn('[SECURITY WARNING] SSH_PASSWORD_SALT should be at least 16 characters. ' +
+            'Current length: ' + salt.length);
+    }
+    return true;
+}
+//# sourceMappingURL=ssh-security.js.map

package/dist/continuity/manager.d.ts

@@ -102,6 +102,11 @@ export declare class ContinuityManager {
      * Filter placeholder values from a handoff (defensive)
      */
     private filterHandoffPlaceholders;
+    /**
+     * Filter placeholder values from ledger updates (for object input to saveLedger).
+     * This ensures placeholder values like "...", "task1", etc. don't get saved.
+     */
+    private filterUpdatesPlaceholders;
     /**
      * Format a ledger for display/injection
      */

package/dist/continuity/manager.js

@@ -91,8 +91,16 @@ export class ContinuityManager {
      */
     async saveLedger(agentName, content, options = {}) {
         await this.initialize();
-        // Parse content if string
-        const updates = typeof content === 'string' ? parseSaveContent(content) : content;
+        // Parse content if string, otherwise filter placeholders from object input
+        // This ensures placeholder values like "...", "task1", etc. never get saved
+        let updates;
+        if (typeof content === 'string') {
+            updates = parseSaveContent(content);
+        }
+        else {
+            // Filter placeholders from object input (e.g., from [[SUMMARY]] blocks)
+            updates = this.filterUpdatesPlaceholders(content);
+        }
         // Get or create existing ledger
         let ledger = await this.ledgerStore.load(agentName);
         if (ledger) {
@@ -329,6 +337,52 @@ export class ContinuityManager {
             learnings: handoff.learnings ? filterPlaceholders(handoff.learnings) : undefined,
         };
     }
+    /**
+     * Filter placeholder values from ledger updates (for object input to saveLedger).
+     * This ensures placeholder values like "...", "task1", etc. don't get saved.
+     */
+    filterUpdatesPlaceholders(updates) {
+        const filtered = { ...updates };
+        // Filter string fields
+        if (filtered.currentTask !== undefined) {
+            filtered.currentTask = isPlaceholderValue(filtered.currentTask) ? undefined : filtered.currentTask;
+            if (filtered.currentTask === undefined)
+                delete filtered.currentTask;
+        }
+        // Filter array fields
+        if (filtered.completed) {
+            filtered.completed = filterPlaceholders(filtered.completed);
+            if (filtered.completed.length === 0)
+                delete filtered.completed;
+        }
+        if (filtered.inProgress) {
+            filtered.inProgress = filterPlaceholders(filtered.inProgress);
+            if (filtered.inProgress.length === 0)
+                delete filtered.inProgress;
+        }
+        if (filtered.blocked) {
+            filtered.blocked = filterPlaceholders(filtered.blocked);
+            if (filtered.blocked.length === 0)
+                delete filtered.blocked;
+        }
+        if (filtered.uncertainItems) {
+            filtered.uncertainItems = filterPlaceholders(filtered.uncertainItems);
+            if (filtered.uncertainItems.length === 0)
+                delete filtered.uncertainItems;
+        }
+        // Filter complex array fields
+        if (filtered.fileContext) {
+            filtered.fileContext = filtered.fileContext.filter(f => !isPlaceholderValue(f.path));
+            if (filtered.fileContext.length === 0)
+                delete filtered.fileContext;
+        }
+        if (filtered.keyDecisions) {
+            filtered.keyDecisions = filtered.keyDecisions.filter(d => !isPlaceholderValue(d.decision));
+            if (filtered.keyDecisions.length === 0)
+                delete filtered.keyDecisions;
+        }
+        return filtered;
+    }
     /**
      * Format a ledger for display/injection
      */

package/dist/daemon/api.d.ts

@@ -14,6 +14,8 @@ export declare class DaemonApi extends EventEmitter {
     private config;
     private allowedOrigins;
     private allowAllOrigins;
+    private clientAlive;
+    private pingInterval?;
     constructor(config: ApiDaemonConfig);
     /**
      * Resolve allowed origins from config/env (comma-separated list).