agent-relay 1.3.1 → 1.3.3

package/dist/cloud/api/consensus.js

@@ -0,0 +1,259 @@
+/**
+ * Consensus API Routes (Read-Only)
+ *
+ * Provides API endpoints for observing multi-agent consensus decisions.
+ * The dashboard is read-only - agents handle all consensus activity via relay messages.
+ *
+ * Architecture:
+ * - Agents create proposals and vote via ->relay:_consensus messages
+ * - The daemon processes these and syncs state to cloud via /sync endpoint
+ * - Dashboard reads consensus state for display only
+ */
+import { Router } from 'express';
+import { createHash } from 'crypto';
+import { requireAuth } from './auth.js';
+/**
+ * Hash an API key for lookup
+ */
+function hashApiKey(apiKey) {
+    return createHash('sha256').update(apiKey).digest('hex');
+}
+export const consensusRouter = Router();
+// ============================================================================
+// In-Memory Consensus State (synced from daemon)
+// ============================================================================
+// Stores proposals synced from the daemon
+// In production, this would be backed by a database
+const workspaceProposals = new Map();
+function getProposalsForWorkspace(workspaceId) {
+    let proposals = workspaceProposals.get(workspaceId);
+    if (!proposals) {
+        proposals = new Map();
+        workspaceProposals.set(workspaceId, proposals);
+    }
+    return proposals;
+}
+function computeStats(proposals) {
+    let pending = 0;
+    let approved = 0;
+    let rejected = 0;
+    let expired = 0;
+    let cancelled = 0;
+    for (const proposal of proposals.values()) {
+        switch (proposal.status) {
+            case 'pending':
+                pending++;
+                break;
+            case 'approved':
+                approved++;
+                break;
+            case 'rejected':
+                rejected++;
+                break;
+            case 'expired':
+                expired++;
+                break;
+            case 'cancelled':
+                cancelled++;
+                break;
+        }
+    }
+    return {
+        total: proposals.size,
+        pending,
+        approved,
+        rejected,
+        expired,
+        cancelled,
+    };
+}
+// ============================================================================
+// Read-Only Routes (require user authentication)
+// ============================================================================
+/**
+ * GET /api/workspaces/:workspaceId/consensus/proposals
+ * List all proposals for a workspace (read-only)
+ */
+consensusRouter.get('/workspaces/:workspaceId/consensus/proposals', requireAuth, async (req, res) => {
+    try {
+        const { workspaceId } = req.params;
+        const { status, agent } = req.query;
+        const proposalsMap = getProposalsForWorkspace(workspaceId);
+        let proposals = Array.from(proposalsMap.values());
+        // Filter by agent if provided
+        if (agent && typeof agent === 'string') {
+            proposals = proposals.filter(p => p.proposer === agent || p.participants.includes(agent));
+        }
+        // Filter by status if provided
+        if (status && typeof status === 'string') {
+            proposals = proposals.filter(p => p.status === status);
+        }
+        // Sort by creation time (most recent first)
+        proposals.sort((a, b) => b.createdAt - a.createdAt);
+        const stats = computeStats(proposalsMap);
+        res.json({
+            proposals,
+            stats,
+        });
+    }
+    catch (error) {
+        console.error('Error listing proposals:', error);
+        res.status(500).json({ error: 'Failed to list proposals' });
+    }
+});
+/**
+ * GET /api/workspaces/:workspaceId/consensus/proposals/:proposalId
+ * Get a specific proposal (read-only)
+ */
+consensusRouter.get('/workspaces/:workspaceId/consensus/proposals/:proposalId', requireAuth, async (req, res) => {
+    try {
+        const { workspaceId, proposalId } = req.params;
+        const proposalsMap = getProposalsForWorkspace(workspaceId);
+        const proposal = proposalsMap.get(proposalId);
+        if (!proposal) {
+            return res.status(404).json({ error: 'Proposal not found' });
+        }
+        res.json({ proposal });
+    }
+    catch (error) {
+        console.error('Error getting proposal:', error);
+        res.status(500).json({ error: 'Failed to get proposal' });
+    }
+});
+/**
+ * GET /api/workspaces/:workspaceId/consensus/agents/:agentName/pending
+ * Get pending votes for an agent (read-only)
+ */
+consensusRouter.get('/workspaces/:workspaceId/consensus/agents/:agentName/pending', requireAuth, async (req, res) => {
+    try {
+        const { workspaceId, agentName } = req.params;
+        const proposalsMap = getProposalsForWorkspace(workspaceId);
+        const proposals = Array.from(proposalsMap.values()).filter(p => {
+            if (p.status !== 'pending')
+                return false;
+            if (!p.participants.includes(agentName))
+                return false;
+            // Check if agent hasn't voted yet
+            return !p.votes.some(v => v.agent === agentName);
+        });
+        res.json({ proposals });
+    }
+    catch (error) {
+        console.error('Error getting pending votes:', error);
+        res.status(500).json({ error: 'Failed to get pending votes' });
+    }
+});
+/**
+ * GET /api/workspaces/:workspaceId/consensus/stats
+ * Get consensus statistics for a workspace (read-only)
+ */
+consensusRouter.get('/workspaces/:workspaceId/consensus/stats', requireAuth, async (req, res) => {
+    try {
+        const { workspaceId } = req.params;
+        const proposalsMap = getProposalsForWorkspace(workspaceId);
+        const stats = computeStats(proposalsMap);
+        res.json({ stats });
+    }
+    catch (error) {
+        console.error('Error getting consensus stats:', error);
+        res.status(500).json({ error: 'Failed to get consensus stats' });
+    }
+});
+// ============================================================================
+// Sync Endpoint (daemon -> cloud)
+// ============================================================================
+/**
+ * POST /api/daemons/consensus/sync
+ * Sync consensus state from daemon (called by daemon on proposal events)
+ *
+ * This endpoint receives state updates from the daemon and stores them
+ * so the dashboard can display agent consensus activity.
+ *
+ * Authentication options (in order of precedence):
+ * 1. Daemon API key (Authorization: Bearer ar_live_xxx) - workspace from daemon record
+ * 2. Workspace ID in request body - for self-hosted setups
+ * 3. Default workspace "local" - for simple local development
+ */
+consensusRouter.post('/daemons/consensus/sync', async (req, res) => {
+    try {
+        const { proposal, event, workspaceId: bodyWorkspaceId } = req.body;
+        if (!proposal || !event) {
+            return res.status(400).json({ error: 'Missing proposal or event' });
+        }
+        let workspaceId;
+        // Try to authenticate via API key first
+        const authHeader = req.headers.authorization;
+        if (authHeader?.startsWith('Bearer ar_live_')) {
+            const apiKey = authHeader.replace('Bearer ', '');
+            const apiKeyHash = hashApiKey(apiKey);
+            const { db } = await import('../db/index.js');
+            const daemon = await db.linkedDaemons.findByApiKeyHash(apiKeyHash);
+            if (daemon?.workspaceId) {
+                workspaceId = daemon.workspaceId;
+            }
+            else if (bodyWorkspaceId) {
+                workspaceId = bodyWorkspaceId;
+            }
+            else {
+                return res.status(400).json({ error: 'Daemon not associated with a workspace' });
+            }
+        }
+        else if (bodyWorkspaceId) {
+            // Self-hosted: workspace specified in body
+            workspaceId = bodyWorkspaceId;
+        }
+        else {
+            // Default for simple local setups
+            workspaceId = 'local';
+        }
+        // Store/update the proposal
+        const proposalsMap = getProposalsForWorkspace(workspaceId);
+        proposalsMap.set(proposal.id, proposal);
+        console.log(`[consensus] Synced ${event} for proposal "${proposal.title}" (${proposal.id}) in workspace ${workspaceId}`);
+        res.json({ success: true, workspaceId });
+    }
+    catch (error) {
+        console.error('Error syncing consensus:', error);
+        res.status(500).json({ error: 'Failed to sync consensus' });
+    }
+});
+/**
+ * DELETE /api/daemons/consensus/proposals/:proposalId
+ * Remove a proposal from the sync cache (daemon cleanup)
+ *
+ * Authentication: Uses daemon API key (Authorization: Bearer ar_live_xxx)
+ * Workspace is derived from the linked daemon's record.
+ */
+consensusRouter.delete('/daemons/consensus/proposals/:proposalId', async (req, res) => {
+    try {
+        // Check for daemon API key (Bearer token)
+        const authHeader = req.headers.authorization;
+        if (!authHeader?.startsWith('Bearer ar_live_')) {
+            return res.status(401).json({ error: 'Unauthorized - daemon API key required' });
+        }
+        // Validate the API key
+        const apiKey = authHeader.replace('Bearer ', '');
+        const apiKeyHash = hashApiKey(apiKey);
+        const { db } = await import('../db/index.js');
+        const daemon = await db.linkedDaemons.findByApiKeyHash(apiKeyHash);
+        if (!daemon) {
+            return res.status(401).json({ error: 'Invalid API key' });
+        }
+        if (!daemon.workspaceId) {
+            return res.status(400).json({ error: 'Daemon not associated with a workspace' });
+        }
+        const { proposalId } = req.params;
+        const proposalsMap = getProposalsForWorkspace(daemon.workspaceId);
+        const deleted = proposalsMap.delete(proposalId);
+        if (!deleted) {
+            return res.status(404).json({ error: 'Proposal not found' });
+        }
+        console.log(`[consensus] Removed proposal ${proposalId} from workspace ${daemon.workspaceId}`);
+        res.json({ success: true });
+    }
+    catch (error) {
+        console.error('Error removing proposal:', error);
+        res.status(500).json({ error: 'Failed to remove proposal' });
+    }
+});
+//# sourceMappingURL=consensus.js.map

package/dist/cloud/api/daemons.js

@@ -40,11 +40,25 @@ function hashApiKey(apiKey) {
  */
 daemonsRouter.post('/link', requireAuth, async (req, res) => {
     const userId = req.session.userId;
-    const { name, machineId, metadata } = req.body;
+    const { name, machineId, metadata, workspaceId } = req.body;
     if (!machineId || typeof machineId !== 'string') {
         return res.status(400).json({ error: 'machineId is required' });
     }
     try {
+        // Validate workspace ownership if provided
+        if (workspaceId) {
+            const workspace = await db.workspaces.findById(workspaceId);
+            if (!workspace) {
+                return res.status(404).json({ error: 'Workspace not found' });
+            }
+            if (workspace.userId !== userId) {
+                // Check if user is a member of the workspace
+                const member = await db.workspaceMembers.findMembership(workspaceId, userId);
+                if (!member) {
+                    return res.status(403).json({ error: 'Not authorized to link to this workspace' });
+                }
+            }
+        }
         // Check if this machine is already linked
         const existing = await db.linkedDaemons.findByMachineId(userId, machineId);
         if (existing) {
@@ -54,6 +68,7 @@ daemonsRouter.post('/link', requireAuth, async (req, res) => {
             await db.linkedDaemons.update(existing.id, {
                 name: name || existing.name,
                 apiKeyHash,
+                workspaceId: workspaceId || existing.workspaceId,
                 metadata: metadata || existing.metadata,
                 status: 'online',
                 lastSeenAt: new Date(),
@@ -61,6 +76,7 @@ daemonsRouter.post('/link', requireAuth, async (req, res) => {
             return res.json({
                 success: true,
                 daemonId: existing.id,
+                workspaceId: workspaceId || existing.workspaceId,
                 apiKey, // Only returned once!
                 message: 'Daemon re-linked with new API key',
             });
@@ -70,6 +86,7 @@ daemonsRouter.post('/link', requireAuth, async (req, res) => {
         const apiKeyHash = hashApiKey(apiKey);
         const daemon = await db.linkedDaemons.create({
             userId,
+            workspaceId: workspaceId || null,
             name: name || `Daemon on ${machineId.substring(0, 8)}`,
             machineId,
             apiKeyHash,
@@ -79,6 +96,7 @@ daemonsRouter.post('/link', requireAuth, async (req, res) => {
         res.status(201).json({
             success: true,
             daemonId: daemon.id,
+            workspaceId: workspaceId || null,
             apiKey, // Only returned once - user must save this!
             message: 'Daemon linked successfully. Save your API key - it cannot be retrieved later.',
         });
@@ -113,6 +131,59 @@ daemonsRouter.get('/', requireAuth, async (req, res) => {
         res.status(500).json({ error: 'Failed to list daemons' });
     }
 });
+/**
+ * GET /api/daemons/workspace/:workspaceId/agents
+ * Get local agents for a specific workspace
+ */
+daemonsRouter.get('/workspace/:workspaceId/agents', requireAuth, async (req, res) => {
+    const userId = req.session.userId;
+    const { workspaceId } = req.params;
+    try {
+        // Verify user has access to this workspace
+        const workspace = await db.workspaces.findById(workspaceId);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Check if user owns the workspace or is a member
+        if (workspace.userId !== userId) {
+            const member = await db.workspaceMembers.findMembership(workspaceId, userId);
+            if (!member) {
+                return res.status(403).json({ error: 'Not authorized to access this workspace' });
+            }
+        }
+        // Get all linked daemons for this workspace
+        const daemons = await db.linkedDaemons.findByWorkspaceId(workspaceId);
+        // Extract agents from each daemon's metadata
+        const localAgents = daemons.flatMap((daemon) => {
+            const metadata = daemon.metadata;
+            const agents = metadata?.agents || [];
+            return agents.map((agent) => ({
+                name: agent.name,
+                status: agent.status,
+                isLocal: true,
+                daemonId: daemon.id,
+                daemonName: daemon.name,
+                daemonStatus: daemon.status,
+                machineId: daemon.machineId,
+                lastSeenAt: daemon.lastSeenAt,
+            }));
+        });
+        res.json({
+            agents: localAgents,
+            daemons: daemons.map((d) => ({
+                id: d.id,
+                name: d.name,
+                machineId: d.machineId,
+                status: d.status,
+                lastSeenAt: d.lastSeenAt,
+            })),
+        });
+    }
+    catch (error) {
+        console.error('Error fetching local agents:', error);
+        res.status(500).json({ error: 'Failed to fetch local agents' });
+    }
+});
 /**
  * DELETE /api/daemons/:id
  * Unlink a daemon
@@ -321,4 +392,137 @@ daemonsRouter.get('/messages', requireDaemonAuth, async (req, res) => {
         res.status(500).json({ error: 'Failed to fetch messages' });
     }
 });
+/**
+ * POST /api/daemons/messages/sync
+ * Sync messages from daemon to cloud storage
+ *
+ * Accepts batches of messages and stores them in agent_messages table.
+ * Uses upsert logic to handle duplicates (based on workspace_id + original_id).
+ *
+ * Request body:
+ * {
+ *   messages: SyncMessageInput[]
+ * }
+ *
+ * Response:
+ * {
+ *   success: true,
+ *   synced: number,    // Count of messages synced
+ *   duplicates: number // Count of messages skipped (already existed)
+ * }
+ */
+daemonsRouter.post('/messages/sync', requireDaemonAuth, async (req, res) => {
+    const daemon = req.daemon;
+    const { messages, repoFullName } = req.body;
+    if (!messages || !Array.isArray(messages)) {
+        return res.status(400).json({ error: 'messages array is required' });
+    }
+    if (messages.length === 0) {
+        return res.json({ success: true, synced: 0, duplicates: 0 });
+    }
+    // Limit batch size to prevent abuse
+    if (messages.length > 500) {
+        return res.status(400).json({ error: 'Maximum batch size is 500 messages' });
+    }
+    // Resolve workspace from git remote if not already linked
+    let workspaceId = daemon.workspaceId;
+    if (!workspaceId && repoFullName) {
+        // Try to find workspace by repository
+        const workspace = await db.workspaces.findByRepoFullName(repoFullName);
+        if (workspace) {
+            // Auto-link daemon to workspace
+            await db.linkedDaemons.update(daemon.id, { workspaceId: workspace.id });
+            workspaceId = workspace.id;
+            console.log(`[message-sync] Auto-linked daemon ${daemon.id} to workspace ${workspace.id} via repo ${repoFullName}`);
+        }
+    }
+    // Require workspace to be linked
+    if (!workspaceId) {
+        const hint = repoFullName
+            ? `Repository '${repoFullName}' not found in any workspace. Link the repo in the dashboard first.`
+            : 'Daemon must be linked to a workspace to sync messages. Re-link with a workspace ID.';
+        return res.status(400).json({ error: hint });
+    }
+    try {
+        // Get user plan to determine retention policy
+        const user = await db.users.findById(daemon.userId);
+        const plan = user?.plan || 'free';
+        // Calculate expires_at based on plan
+        let expiresAt = null;
+        if (plan === 'free') {
+            expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000); // 30 days
+        }
+        else if (plan === 'pro') {
+            expiresAt = new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); // 90 days
+        }
+        // Enterprise: null (never expires)
+        // Transform to NewAgentMessage format
+        const dbMessages = messages.map((msg) => ({
+            workspaceId,
+            daemonId: daemon.id,
+            originalId: msg.id,
+            fromAgent: msg.from,
+            toAgent: msg.to,
+            body: msg.body,
+            kind: msg.kind || 'message',
+            topic: msg.topic || null,
+            thread: msg.thread || null,
+            channel: msg.channel || null,
+            isBroadcast: msg.is_broadcast || msg.to === '*',
+            isUrgent: msg.is_urgent || false,
+            data: msg.data || null,
+            payloadMeta: msg.payload_meta || null,
+            messageTs: new Date(msg.ts),
+            expiresAt,
+        }));
+        // Use optimized bulk insert for high-volume message sync
+        // - Batches < 100: multi-row INSERT
+        // - Batches 100-1000: chunked multi-row INSERT
+        // - Batches > 1000: streaming COPY with staging table
+        const result = await db.bulk.optimizedInsert(db.getRawPool(), dbMessages);
+        const synced = result.inserted;
+        const duplicates = result.duplicates;
+        console.log(`[message-sync] Synced ${synced} messages for daemon ${daemon.id}, ${duplicates} duplicates skipped (${result.durationMs}ms)`);
+        res.json({
+            success: true,
+            synced,
+            duplicates,
+        });
+    }
+    catch (error) {
+        console.error('Error syncing messages:', error);
+        res.status(500).json({ error: 'Failed to sync messages' });
+    }
+});
+/**
+ * GET /api/daemons/messages/stats
+ * Get message sync statistics for this daemon's workspace
+ */
+daemonsRouter.get('/messages/stats', requireDaemonAuth, async (req, res) => {
+    const daemon = req.daemon;
+    if (!daemon.workspaceId) {
+        return res.status(400).json({ error: 'Daemon must be linked to a workspace' });
+    }
+    try {
+        // Get message count and pool health in parallel
+        const [count, poolHealth, poolStats] = await Promise.all([
+            db.agentMessages.countByWorkspace(daemon.workspaceId),
+            db.bulk.checkHealth(),
+            Promise.resolve(db.bulk.getPoolStats()),
+        ]);
+        res.json({
+            workspaceId: daemon.workspaceId,
+            messageCount: count,
+            database: {
+                healthy: poolHealth.healthy,
+                latencyMs: poolHealth.latencyMs,
+                pool: poolStats,
+            },
+        });
+    }
+    catch (error) {
+        console.error('Error fetching message stats:', error);
+        res.status(500).json({ error: 'Failed to fetch message stats' });
+    }
+});
 //# sourceMappingURL=daemons.js.map

package/dist/cloud/api/git.js

@@ -152,12 +152,19 @@ gitRouter.get('/token', async (req, res) => {
         }
         // GitHub App installation tokens expire after 1 hour
         const expiresAt = new Date(Date.now() + 55 * 60 * 1000).toISOString(); // 55 min buffer
-        console.log(`[git] Token fetched successfully for workspace ${workspaceId.substring(0, 8)}`);
+        // Prefer userToken for git operations - installation tokens (ghs_*) are API-only
+        // and don't work with git credential helpers. User OAuth tokens work for both
+        // git operations (clone, push, pull) AND gh CLI commands.
+        const primaryToken = userToken || installationToken;
+        const tokenType = userToken ? 'user' : 'installation';
+        console.log(`[git] Token fetched successfully for workspace ${workspaceId.substring(0, 8)} (type: ${tokenType})`);
         res.json({
-            token: installationToken,
-            userToken, // For gh CLI - may be null if not available
+            token: primaryToken, // Primary token for git/gh operations (prefer user token)
+            userToken, // Explicit user token field (may be null)
+            installationToken, // GitHub App installation token for API operations
             expiresAt,
-            username: 'x-access-token', // GitHub App tokens use this as username
+            username: 'x-access-token', // Works with both token types
+            tokenType, // 'user' or 'installation' - helps clients know what they got
         });
     }
     catch (error) {
@@ -206,9 +213,9 @@ gitRouter.post('/token', async (req, res) => {
                 code: 'NO_GITHUB_APP_CONNECTION',
             });
         }
-        let token;
+        let installationToken;
         try {
-            token = await nangoService.getGithubAppToken(repoWithConnection.nangoConnectionId);
+            installationToken = await nangoService.getGithubAppToken(repoWithConnection.nangoConnectionId);
         }
         catch (nangoError) {
             const errorMessage = nangoError instanceof Error ? nangoError.message : 'Unknown error';
@@ -219,11 +226,34 @@ gitRouter.post('/token', async (req, res) => {
                 details: errorMessage,
             });
         }
+        // Try to get user OAuth token (preferred for git operations)
+        let userToken = null;
+        try {
+            userToken = await nangoService.getGithubUserOAuthToken(repoWithConnection.nangoConnectionId);
+        }
+        catch {
+            // Try the separate github user connection if available
+            const userRepo = repos.find(r => r.nangoConnectionId && r.nangoConnectionId !== repoWithConnection.nangoConnectionId);
+            if (userRepo?.nangoConnectionId) {
+                try {
+                    userToken = await nangoService.getGithubUserToken(userRepo.nangoConnectionId);
+                }
+                catch {
+                    console.log('[git] POST: No github user token available');
+                }
+            }
+        }
         const expiresAt = new Date(Date.now() + 55 * 60 * 1000).toISOString();
+        // Prefer userToken for git operations
+        const primaryToken = userToken || installationToken;
+        const tokenType = userToken ? 'user' : 'installation';
         res.json({
-            token,
+            token: primaryToken,
+            userToken,
+            installationToken,
             expiresAt,
             username: 'x-access-token',
+            tokenType,
         });
     }
     catch (error) {

package/dist/cloud/api/onboarding.js

@@ -13,6 +13,7 @@ import { Router } from 'express';
 import * as crypto from 'crypto';
 import { requireAuth } from './auth.js';
 import { db } from '../db/index.js';
+import { setProviderApiKeyEnv } from './provider-env.js';
 // Import for local use
 import { CLI_AUTH_CONFIG, runCLIAuthViaPTY, stripAnsiCodes, matchesSuccessPattern, findMatchingPrompt, validateProviderConfig, validateAllProviderConfigs, getSupportedProviders, } from './cli-pty-runner.js';
 // Re-export from shared module for backward compatibility
@@ -121,10 +122,11 @@ onboardingRouter.post('/cli/:provider/start', async (req, res) => {
         }
         const targetUrl = `${workspaceUrl}/auth/cli/${provider}/start`;
         console.log('[onboarding] Forwarding to workspace daemon:', targetUrl);
+        // Pass userId to enable per-user credential storage in multi-user workspaces
         const authResponse = await fetch(targetUrl, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ useDeviceFlow }),
+            body: JSON.stringify({ useDeviceFlow, userId }),
         });
         console.log('[onboarding] Workspace daemon response:', authResponse.status);
         if (!authResponse.ok) {
@@ -469,6 +471,7 @@ onboardingRouter.post('/token/:provider', async (req, res) => {
             scopes: getProviderScopes(provider),
             providerAccountEmail: email,
         });
+        await setProviderApiKeyEnv(userId, provider, token);
         res.json({
             success: true,
             message: `${provider} connected successfully`,

package/dist/cloud/api/provider-env.d.ts

@@ -0,0 +1,5 @@
+export declare function setProviderApiKeyEnv(userId: string, provider: string, apiKey: string): Promise<{
+    updated: number;
+    skipped: number;
+}>;
+//# sourceMappingURL=provider-env.d.ts.map

package/dist/cloud/api/provider-env.js

@@ -0,0 +1,27 @@
+import { db } from '../db/index.js';
+import { getProvisioner } from '../provisioner/index.js';
+const PROVIDER_ENV_VARS = {
+    google: 'GEMINI_API_KEY',
+    gemini: 'GEMINI_API_KEY',
+};
+export async function setProviderApiKeyEnv(userId, provider, apiKey) {
+    const envVarName = PROVIDER_ENV_VARS[provider];
+    if (!envVarName) {
+        return { updated: 0, skipped: 0 };
+    }
+    const workspaces = await db.workspaces.findByUserId(userId);
+    if (workspaces.length === 0) {
+        return { updated: 0, skipped: 0 };
+    }
+    const provisioner = getProvisioner();
+    const results = await Promise.all(workspaces.map(async (workspace) => {
+        if (!workspace.computeId) {
+            return 'skipped';
+        }
+        await provisioner.setWorkspaceEnvVars(workspace, { [envVarName]: apiKey });
+        return 'updated';
+    }));
+    const updated = results.filter((result) => result === 'updated').length;
+    return { updated, skipped: results.length - updated };
+}
+//# sourceMappingURL=provider-env.js.map

package/dist/cloud/api/providers.js

@@ -9,6 +9,7 @@ import { createClient } from 'redis';
 import { requireAuth } from './auth.js';
 import { getConfig } from '../config.js';
 import { db } from '../db/index.js';
+import { setProviderApiKeyEnv } from './provider-env.js';
 export const providersRouter = Router();
 // All routes require authentication
 providersRouter.use(requireAuth);
@@ -312,6 +313,7 @@ providersRouter.post('/:provider/api-key', async (req, res) => {
             provider,
             scopes,
         });
+        await setProviderApiKeyEnv(userId, provider, apiKey);
         res.json({
             success: true,
             message: `${providerConfig.displayName} connected`,