agent-relay 2.0.23 → 2.0.25

package/packages/cloud/dist/api/policy.js

@@ -1,229 +0,0 @@
-/**
- * Agent Policy API Routes
- *
- * Provides endpoints for managing workspace-level agent policies.
- * These policies serve as fallbacks when repos don't have .claude/policies/ files.
- */
-import { Router } from 'express';
-import { db } from '../db/index.js';
-export const policyRouter = Router();
-/**
- * GET /api/policy/:workspaceId
- * Get the agent policy for a workspace
- */
-policyRouter.get('/:workspaceId', async (req, res) => {
-    const workspaceId = req.params.workspaceId;
-    const userId = req.userId;
-    if (!userId) {
-        return res.status(401).json({ error: 'Unauthorized' });
-    }
-    try {
-        const workspace = await db.workspaces.findById(workspaceId);
-        if (!workspace) {
-            return res.status(404).json({ error: 'Workspace not found' });
-        }
-        // Check user has access to this workspace
-        if (workspace.userId !== userId) {
-            const members = await db.workspaceMembers.findByWorkspaceId(workspaceId);
-            const member = members.find(m => m.userId === userId);
-            if (!member) {
-                return res.status(403).json({ error: 'Access denied' });
-            }
-        }
-        // Return the policy (or default if not set)
-        const policy = workspace.config?.agentPolicy ?? getDefaultPolicy();
-        res.json({
-            workspaceId,
-            policy,
-            source: workspace.config?.agentPolicy ? 'workspace' : 'default',
-        });
-    }
-    catch (error) {
-        console.error('[policy] Error getting policy:', error);
-        res.status(500).json({ error: 'Failed to get policy' });
-    }
-});
-/**
- * PUT /api/policy/:workspaceId
- * Update the agent policy for a workspace
- */
-policyRouter.put('/:workspaceId', async (req, res) => {
-    const workspaceId = req.params.workspaceId;
-    const userId = req.userId;
-    const policy = req.body.policy;
-    if (!userId) {
-        return res.status(401).json({ error: 'Unauthorized' });
-    }
-    if (!policy || typeof policy !== 'object') {
-        return res.status(400).json({ error: 'Policy object is required' });
-    }
-    try {
-        const workspace = await db.workspaces.findById(workspaceId);
-        if (!workspace) {
-            return res.status(404).json({ error: 'Workspace not found' });
-        }
-        // Only owner can update policy
-        if (workspace.userId !== userId) {
-            const members = await db.workspaceMembers.findByWorkspaceId(workspaceId);
-            const member = members.find(m => m.userId === userId);
-            if (!member || !['owner', 'admin'].includes(member.role)) {
-                return res.status(403).json({ error: 'Only owners and admins can update policy' });
-            }
-        }
-        // Validate policy structure
-        const validationError = validatePolicy(policy);
-        if (validationError) {
-            return res.status(400).json({ error: validationError });
-        }
-        // Update workspace config with new policy
-        const newConfig = {
-            ...workspace.config,
-            agentPolicy: policy,
-        };
-        await db.workspaces.updateConfig(workspaceId, newConfig);
-        res.json({
-            success: true,
-            workspaceId,
-            policy,
-        });
-    }
-    catch (error) {
-        console.error('[policy] Error updating policy:', error);
-        res.status(500).json({ error: 'Failed to update policy' });
-    }
-});
-/**
- * DELETE /api/policy/:workspaceId
- * Reset workspace policy to defaults
- */
-policyRouter.delete('/:workspaceId', async (req, res) => {
-    const workspaceId = req.params.workspaceId;
-    const userId = req.userId;
-    if (!userId) {
-        return res.status(401).json({ error: 'Unauthorized' });
-    }
-    try {
-        const workspace = await db.workspaces.findById(workspaceId);
-        if (!workspace) {
-            return res.status(404).json({ error: 'Workspace not found' });
-        }
-        // Only owner can reset policy
-        if (workspace.userId !== userId) {
-            const members = await db.workspaceMembers.findByWorkspaceId(workspaceId);
-            const member = members.find(m => m.userId === userId);
-            if (!member || member.role !== 'owner') {
-                return res.status(403).json({ error: 'Only owners can reset policy' });
-            }
-        }
-        // Remove policy from config
-        const { agentPolicy: _agentPolicy, ...restConfig } = workspace.config ?? {};
-        await db.workspaces.updateConfig(workspaceId, restConfig);
-        res.json({
-            success: true,
-            workspaceId,
-            policy: getDefaultPolicy(),
-            source: 'default',
-        });
-    }
-    catch (error) {
-        console.error('[policy] Error resetting policy:', error);
-        res.status(500).json({ error: 'Failed to reset policy' });
-    }
-});
-/**
- * GET /api/policy/:workspaceId/internal
- * Internal endpoint for workspace containers to fetch policy
- * Uses workspace token authentication (not user auth)
- */
-policyRouter.get('/:workspaceId/internal', async (req, res) => {
-    const workspaceId = req.params.workspaceId;
-    // This endpoint should be called with the workspace token
-    // The git.ts file has the token verification logic we can reuse
-    // For now, we'll trust the workspace ID from container requests
-    try {
-        const workspace = await db.workspaces.findById(workspaceId);
-        if (!workspace) {
-            return res.status(404).json({ error: 'Workspace not found' });
-        }
-        const policy = workspace.config?.agentPolicy ?? getDefaultPolicy();
-        res.json({
-            defaultPolicy: policy.defaultPolicy,
-            agents: policy.agents ?? [],
-            settings: policy.settings ?? {
-                requireExplicitAgents: false,
-                auditEnabled: true,
-                maxTotalAgents: 50,
-            },
-        });
-    }
-    catch (error) {
-        console.error('[policy] Error getting internal policy:', error);
-        res.status(500).json({ error: 'Failed to get policy' });
-    }
-});
-/**
- * Get default policy
- */
-function getDefaultPolicy() {
-    return {
-        defaultPolicy: {
-            name: '*',
-            allowedTools: undefined, // All tools allowed
-            canSpawn: undefined, // Can spawn any
-            canMessage: undefined, // Can message any
-            maxSpawns: 10,
-            rateLimit: 60,
-            canBeSpawned: true,
-        },
-        agents: [],
-        settings: {
-            requireExplicitAgents: false,
-            auditEnabled: true,
-            maxTotalAgents: 50,
-        },
-    };
-}
-/**
- * Validate policy structure
- */
-function validatePolicy(policy) {
-    // Validate defaultPolicy
-    if (policy.defaultPolicy && typeof policy.defaultPolicy !== 'object') {
-        return 'defaultPolicy must be an object';
-    }
-    // Validate agents array
-    if (policy.agents) {
-        if (!Array.isArray(policy.agents)) {
-            return 'agents must be an array';
-        }
-        for (let i = 0; i < policy.agents.length; i++) {
-            const agent = policy.agents[i];
-            if (!agent.name || typeof agent.name !== 'string') {
-                return `agents[${i}].name is required and must be a string`;
-            }
-            // Validate arrays
-            if (agent.allowedTools && !Array.isArray(agent.allowedTools)) {
-                return `agents[${i}].allowedTools must be an array`;
-            }
-            if (agent.canSpawn && !Array.isArray(agent.canSpawn)) {
-                return `agents[${i}].canSpawn must be an array`;
-            }
-            if (agent.canMessage && !Array.isArray(agent.canMessage)) {
-                return `agents[${i}].canMessage must be an array`;
-            }
-            // Validate numbers
-            if (agent.maxSpawns !== undefined && typeof agent.maxSpawns !== 'number') {
-                return `agents[${i}].maxSpawns must be a number`;
-            }
-            if (agent.rateLimit !== undefined && typeof agent.rateLimit !== 'number') {
-                return `agents[${i}].rateLimit must be a number`;
-            }
-        }
-    }
-    // Validate settings
-    if (policy.settings && typeof policy.settings !== 'object') {
-        return 'settings must be an object';
-    }
-    return null;
-}
-//# sourceMappingURL=policy.js.map

package/packages/cloud/dist/api/provider-env.d.ts

@@ -1,26 +0,0 @@
-/**
- * Set provider API key as environment variable on workspace(s)
- * and write credential files for providers that need them.
- *
- * @param userId - User ID
- * @param provider - Provider name (e.g., 'google', 'gemini')
- * @param apiKey - API key to set
- * @param workspaceId - Optional: specific workspace to update. If not provided, updates all user workspaces (legacy behavior)
- */
-export declare function setProviderApiKeyEnv(userId: string, provider: string, apiKey: string, workspaceId?: string): Promise<{
-    updated: number;
-    skipped: number;
-}>;
-/**
- * Clear provider credentials from workspace(s).
- * Deletes credential files and unsets environment variables.
- *
- * @param userId - User ID
- * @param provider - Provider name (e.g., 'google', 'anthropic', 'codex')
- * @param workspaceId - Workspace to clear credentials from
- */
-export declare function clearProviderCredentials(userId: string, provider: string, workspaceId: string): Promise<{
-    cleared: boolean;
-    error?: string;
-}>;
-//# sourceMappingURL=provider-env.d.ts.map

package/packages/cloud/dist/api/provider-env.js

@@ -1,141 +0,0 @@
-import { db } from '../db/index.js';
-import { getProvisioner } from '../provisioner/index.js';
-const PROVIDER_ENV_VARS = {
-    google: 'GEMINI_API_KEY',
-    gemini: 'GEMINI_API_KEY',
-};
-/**
- * All providers that may have credential files on the workspace.
- * This includes CLI-based providers that store auth locally.
- */
-const ALL_CREDENTIAL_PROVIDERS = [
-    'anthropic', 'claude',
-    'codex', 'openai',
-    'google', 'gemini',
-    'opencode',
-    'droid', 'factory',
-    'cursor',
-];
-/**
- * Providers that need credential files written to the workspace filesystem.
- * These providers have CLIs that read from files rather than just env vars.
- */
-const PROVIDERS_NEEDING_CREDENTIAL_FILES = ['google', 'gemini'];
-/**
- * Set provider API key as environment variable on workspace(s)
- * and write credential files for providers that need them.
- *
- * @param userId - User ID
- * @param provider - Provider name (e.g., 'google', 'gemini')
- * @param apiKey - API key to set
- * @param workspaceId - Optional: specific workspace to update. If not provided, updates all user workspaces (legacy behavior)
- */
-export async function setProviderApiKeyEnv(userId, provider, apiKey, workspaceId) {
-    const envVarName = PROVIDER_ENV_VARS[provider];
-    const needsCredentialFile = PROVIDERS_NEEDING_CREDENTIAL_FILES.includes(provider);
-    // If no env var and no credential file needed, nothing to do
-    if (!envVarName && !needsCredentialFile) {
-        return { updated: 0, skipped: 0 };
-    }
-    // If workspaceId is provided, only update that workspace
-    // Otherwise, update all user workspaces (legacy behavior)
-    let workspaces;
-    if (workspaceId) {
-        const workspace = await db.workspaces.findById(workspaceId);
-        workspaces = workspace ? [workspace] : [];
-    }
-    else {
-        workspaces = await db.workspaces.findByUserId(userId);
-    }
-    if (workspaces.length === 0) {
-        return { updated: 0, skipped: 0 };
-    }
-    const provisioner = getProvisioner();
-    const results = await Promise.all(workspaces.map(async (workspace) => {
-        if (!workspace.computeId) {
-            return 'skipped';
-        }
-        // Set environment variable if applicable
-        if (envVarName) {
-            await provisioner.setWorkspaceEnvVars(workspace, { [envVarName]: apiKey });
-        }
-        // Write credential file to workspace for providers that need it
-        if (needsCredentialFile && workspace.publicUrl) {
-            try {
-                const response = await fetch(`${workspace.publicUrl}/api/credentials/apikey`, {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    body: JSON.stringify({ userId, provider, apiKey }),
-                });
-                if (!response.ok) {
-                    console.warn(`[provider-env] Failed to write credential file for ${provider} on workspace ${workspace.id}: ${response.status}`);
-                }
-                else {
-                    console.log(`[provider-env] Wrote ${provider} credential file for user ${userId} on workspace ${workspace.id}`);
-                }
-            }
-            catch (err) {
-                console.warn(`[provider-env] Error writing credential file for ${provider} on workspace ${workspace.id}:`, err);
-                // Don't fail the whole operation if credential file write fails
-            }
-        }
-        return 'updated';
-    }));
-    const updated = results.filter((result) => result === 'updated').length;
-    return { updated, skipped: results.length - updated };
-}
-/**
- * Clear provider credentials from workspace(s).
- * Deletes credential files and unsets environment variables.
- *
- * @param userId - User ID
- * @param provider - Provider name (e.g., 'google', 'anthropic', 'codex')
- * @param workspaceId - Workspace to clear credentials from
- */
-export async function clearProviderCredentials(userId, provider, workspaceId) {
-    const envVarName = PROVIDER_ENV_VARS[provider];
-    const needsCredentialFileClear = ALL_CREDENTIAL_PROVIDERS.includes(provider);
-    // Get the workspace
-    const workspace = await db.workspaces.findById(workspaceId);
-    if (!workspace) {
-        return { cleared: false, error: 'Workspace not found' };
-    }
-    if (!workspace.publicUrl) {
-        // Workspace not running, credentials will be gone when it restarts anyway
-        return { cleared: true };
-    }
-    // Clear environment variable if applicable
-    if (envVarName && workspace.computeId) {
-        const provisioner = getProvisioner();
-        try {
-            // Set to empty string to clear
-            await provisioner.setWorkspaceEnvVars(workspace, { [envVarName]: '' });
-        }
-        catch (err) {
-            console.warn(`[provider-env] Failed to clear env var ${envVarName} on workspace ${workspace.id}:`, err);
-        }
-    }
-    // Delete credential files from workspace
-    if (needsCredentialFileClear) {
-        try {
-            const response = await fetch(`${workspace.publicUrl}/api/credentials/apikey`, {
-                method: 'DELETE',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ userId, provider }),
-            });
-            if (!response.ok) {
-                const data = await response.json().catch(() => ({}));
-                console.warn(`[provider-env] Failed to delete credential files for ${provider} on workspace ${workspace.id}: ${response.status}`, data);
-                return { cleared: false, error: 'Failed to delete credential files on workspace' };
-            }
-            const data = await response.json();
-            console.log(`[provider-env] Deleted ${provider} credentials for user ${userId} on workspace ${workspace.id}:`, data.deletedPaths);
-        }
-        catch (err) {
-            console.warn(`[provider-env] Error deleting credential files for ${provider} on workspace ${workspace.id}:`, err);
-            return { cleared: false, error: 'Error connecting to workspace' };
-        }
-    }
-    return { cleared: true };
-}
-//# sourceMappingURL=provider-env.js.map

package/packages/cloud/dist/api/providers.d.ts

@@ -1,7 +0,0 @@
-/**
- * Providers API Routes
- *
- * Handles device flow authentication for AI providers (Claude, Codex, etc.)
- */
-export declare const providersRouter: import("express-serve-static-core").Router;
-//# sourceMappingURL=providers.d.ts.map