agent-relay 2.0.23 → 2.0.25

package/packages/cloud/dist/api/git.js

@@ -1,269 +0,0 @@
-/**
- * Git Gateway API Routes
- *
- * Provides fresh GitHub tokens to workspace containers for git operations.
- * This gateway pattern ensures tokens are always valid (Nango handles refresh).
- */
-import crypto from 'crypto';
-import { Router } from 'express';
-import { db } from '../db/index.js';
-import { nangoService } from '../services/nango.js';
-import { getConfig } from '../config.js';
-export const gitRouter = Router();
-/**
- * Generate expected workspace token using HMAC
- */
-function generateExpectedToken(workspaceId) {
-    const config = getConfig();
-    return crypto
-        .createHmac('sha256', config.sessionSecret)
-        .update(`workspace:${workspaceId}`)
-        .digest('hex');
-}
-/**
- * Verify workspace access token
- * Workspaces authenticate with a secret passed at provisioning time
- *
- * Returns:
- * - { valid: true } if token matches
- * - { valid: false, reason: string } if token is invalid or missing
- */
-function verifyWorkspaceToken(req, workspaceId) {
-    const authHeader = req.get('authorization');
-    if (!authHeader) {
-        return { valid: false, reason: 'No Authorization header. WORKSPACE_TOKEN may not be set in the container.' };
-    }
-    if (!authHeader.startsWith('Bearer ')) {
-        return { valid: false, reason: 'Invalid Authorization header format. Expected: Bearer <token>' };
-    }
-    const providedToken = authHeader.slice(7);
-    if (!providedToken) {
-        return { valid: false, reason: 'Empty bearer token provided.' };
-    }
-    const expectedToken = generateExpectedToken(workspaceId);
-    // Use timing-safe comparison to prevent timing attacks
-    try {
-        const isValid = crypto.timingSafeEqual(Buffer.from(providedToken), Buffer.from(expectedToken));
-        if (!isValid) {
-            return { valid: false, reason: 'Token mismatch. Workspace may need reprovisioning or SESSION_SECRET changed.' };
-        }
-        return { valid: true };
-    }
-    catch {
-        return { valid: false, reason: 'Token comparison failed (length mismatch). Workspace may need reprovisioning.' };
-    }
-}
-/**
- * GET /api/git/token
- * Get a fresh GitHub token for git operations
- *
- * Query params:
- *   - workspaceId: The workspace requesting the token
- *
- * Returns: { token: string, expiresAt?: string }
- *
- * This endpoint is called by the git credential helper in workspace containers.
- * It fetches a fresh GitHub App installation token via Nango.
- */
-gitRouter.get('/token', async (req, res) => {
-    const { workspaceId } = req.query;
-    if (!workspaceId || typeof workspaceId !== 'string') {
-        return res.status(400).json({ error: 'workspaceId is required' });
-    }
-    // Verify the request is from a valid workspace
-    const tokenVerification = verifyWorkspaceToken(req, workspaceId);
-    if (!tokenVerification.valid) {
-        console.warn(`[git] Token verification failed for workspace ${workspaceId.substring(0, 8)}: ${tokenVerification.reason}`);
-        return res.status(401).json({
-            error: 'Invalid workspace token',
-            code: 'INVALID_WORKSPACE_TOKEN',
-            hint: tokenVerification.reason,
-        });
-    }
-    try {
-        // Get workspace to find the user
-        const workspace = await db.workspaces.findById(workspaceId);
-        if (!workspace) {
-            console.warn(`[git] Workspace not found: ${workspaceId}`);
-            return res.status(404).json({
-                error: 'Workspace not found',
-                code: 'WORKSPACE_NOT_FOUND',
-                hint: 'The workspace may have been deleted. Try reprovisioning.',
-            });
-        }
-        const userId = workspace.userId;
-        console.log(`[git] Token request for workspace ${workspaceId.substring(0, 8)}, user ${userId.substring(0, 8)}`);
-        // Find a repository with a Nango connection for this user
-        const repos = await db.repositories.findByUserId(userId);
-        const repoWithConnection = repos.find(r => r.nangoConnectionId);
-        if (!repoWithConnection?.nangoConnectionId) {
-            console.warn(`[git] No Nango connection found for user ${userId.substring(0, 8)}. Repos: ${repos.length}, with connections: ${repos.filter(r => r.nangoConnectionId).length}`);
-            return res.status(404).json({
-                error: 'No GitHub App connection found',
-                code: 'NO_GITHUB_APP_CONNECTION',
-                hint: 'Install the GitHub App on your repositories at https://github.com/apps/agent-relay',
-                repoCount: repos.length,
-            });
-        }
-        console.log(`[git] Fetching token from Nango for connection ${repoWithConnection.nangoConnectionId.substring(0, 8)}...`);
-        // Get fresh tokens from Nango (auto-refreshes if needed)
-        // - installationToken: for git operations (clone, push, pull)
-        // - userToken: for gh CLI operations (requires user context)
-        let installationToken;
-        try {
-            installationToken = await nangoService.getGithubAppToken(repoWithConnection.nangoConnectionId);
-        }
-        catch (nangoError) {
-            const errorMessage = nangoError instanceof Error ? nangoError.message : 'Unknown error';
-            console.error(`[git] Nango token fetch failed for connection ${repoWithConnection.nangoConnectionId}:`, errorMessage);
-            // Provide specific hints based on error type
-            if (errorMessage.includes('not found') || errorMessage.includes('404')) {
-                return res.status(500).json({
-                    error: 'GitHub App connection expired or revoked',
-                    code: 'NANGO_CONNECTION_EXPIRED',
-                    hint: 'Reconnect your GitHub App at https://github.com/apps/agent-relay',
-                    details: errorMessage,
-                });
-            }
-            return res.status(500).json({
-                error: 'Failed to fetch GitHub token from Nango',
-                code: 'NANGO_TOKEN_FETCH_FAILED',
-                hint: 'This may be a temporary issue. Try again in a few seconds.',
-                details: errorMessage,
-            });
-        }
-        // Try to get user OAuth token from github-app-oauth connection_config first
-        // Fall back to separate 'github' user connection if available
-        let userToken = null;
-        try {
-            userToken = await nangoService.getGithubUserOAuthToken(repoWithConnection.nangoConnectionId);
-        }
-        catch {
-            // Try the separate github user connection if available
-            const userRepo = repos.find(r => r.nangoConnectionId && r.nangoConnectionId !== repoWithConnection.nangoConnectionId);
-            if (userRepo?.nangoConnectionId) {
-                try {
-                    userToken = await nangoService.getGithubUserToken(userRepo.nangoConnectionId);
-                }
-                catch {
-                    console.log('[git] No github user token available');
-                }
-            }
-        }
-        // GitHub App installation tokens expire after 1 hour
-        const expiresAt = new Date(Date.now() + 55 * 60 * 1000).toISOString(); // 55 min buffer
-        // Prefer userToken for git operations - installation tokens (ghs_*) are API-only
-        // and don't work with git credential helpers. User OAuth tokens work for both
-        // git operations (clone, push, pull) AND gh CLI commands.
-        const primaryToken = userToken || installationToken;
-        const tokenType = userToken ? 'user' : 'installation';
-        console.log(`[git] Token fetched successfully for workspace ${workspaceId.substring(0, 8)} (type: ${tokenType})`);
-        res.json({
-            token: primaryToken, // Primary token for git/gh operations (prefer user token)
-            userToken, // Explicit user token field (may be null)
-            installationToken, // GitHub App installation token for API operations
-            expiresAt,
-            username: 'x-access-token', // Works with both token types
-            tokenType, // 'user' or 'installation' - helps clients know what they got
-        });
-    }
-    catch (error) {
-        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-        console.error('[git] Unexpected error getting token:', error);
-        res.status(500).json({
-            error: 'Failed to get GitHub token',
-            code: 'UNEXPECTED_ERROR',
-            details: errorMessage,
-        });
-    }
-});
-/**
- * POST /api/git/token
- * Same as GET but accepts body params (for compatibility with some git credential helpers)
- */
-gitRouter.post('/token', async (req, res) => {
-    const workspaceId = req.body.workspaceId || req.query.workspaceId;
-    if (!workspaceId || typeof workspaceId !== 'string') {
-        return res.status(400).json({ error: 'workspaceId is required' });
-    }
-    const tokenVerification = verifyWorkspaceToken(req, workspaceId);
-    if (!tokenVerification.valid) {
-        console.warn(`[git] POST: Token verification failed for workspace ${workspaceId.substring(0, 8)}: ${tokenVerification.reason}`);
-        return res.status(401).json({
-            error: 'Invalid workspace token',
-            code: 'INVALID_WORKSPACE_TOKEN',
-            hint: tokenVerification.reason,
-        });
-    }
-    try {
-        const workspace = await db.workspaces.findById(workspaceId);
-        if (!workspace) {
-            console.warn(`[git] POST: Workspace not found: ${workspaceId}`);
-            return res.status(404).json({
-                error: 'Workspace not found',
-                code: 'WORKSPACE_NOT_FOUND',
-            });
-        }
-        const repos = await db.repositories.findByUserId(workspace.userId);
-        const repoWithConnection = repos.find(r => r.nangoConnectionId);
-        if (!repoWithConnection?.nangoConnectionId) {
-            console.warn(`[git] POST: No Nango connection for user ${workspace.userId.substring(0, 8)}`);
-            return res.status(404).json({
-                error: 'No GitHub App connection found',
-                code: 'NO_GITHUB_APP_CONNECTION',
-            });
-        }
-        let installationToken;
-        try {
-            installationToken = await nangoService.getGithubAppToken(repoWithConnection.nangoConnectionId);
-        }
-        catch (nangoError) {
-            const errorMessage = nangoError instanceof Error ? nangoError.message : 'Unknown error';
-            console.error(`[git] POST: Nango token fetch failed:`, errorMessage);
-            return res.status(500).json({
-                error: 'Failed to fetch GitHub token',
-                code: 'NANGO_TOKEN_FETCH_FAILED',
-                details: errorMessage,
-            });
-        }
-        // Try to get user OAuth token (preferred for git operations)
-        let userToken = null;
-        try {
-            userToken = await nangoService.getGithubUserOAuthToken(repoWithConnection.nangoConnectionId);
-        }
-        catch {
-            // Try the separate github user connection if available
-            const userRepo = repos.find(r => r.nangoConnectionId && r.nangoConnectionId !== repoWithConnection.nangoConnectionId);
-            if (userRepo?.nangoConnectionId) {
-                try {
-                    userToken = await nangoService.getGithubUserToken(userRepo.nangoConnectionId);
-                }
-                catch {
-                    console.log('[git] POST: No github user token available');
-                }
-            }
-        }
-        const expiresAt = new Date(Date.now() + 55 * 60 * 1000).toISOString();
-        // Prefer userToken for git operations
-        const primaryToken = userToken || installationToken;
-        const tokenType = userToken ? 'user' : 'installation';
-        res.json({
-            token: primaryToken,
-            userToken,
-            installationToken,
-            expiresAt,
-            username: 'x-access-token',
-            tokenType,
-        });
-    }
-    catch (error) {
-        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-        console.error('[git] POST: Unexpected error:', error);
-        res.status(500).json({
-            error: 'Failed to get GitHub token',
-            code: 'UNEXPECTED_ERROR',
-            details: errorMessage,
-        });
-    }
-});
-//# sourceMappingURL=git.js.map

package/packages/cloud/dist/api/github-app.d.ts

@@ -1,11 +0,0 @@
-/**
- * GitHub App API Routes
- *
- * Repo operations via Nango's github-app-oauth connection:
- * - Get clone token for repositories
- * - Create issues, PRs, and comments
- *
- * Auth flow is handled by nango-auth.ts
- */
-export declare const githubAppRouter: import("express-serve-static-core").Router;
-//# sourceMappingURL=github-app.d.ts.map

package/packages/cloud/dist/api/github-app.js

@@ -1,223 +0,0 @@
-/**
- * GitHub App API Routes
- *
- * Repo operations via Nango's github-app-oauth connection:
- * - Get clone token for repositories
- * - Create issues, PRs, and comments
- *
- * Auth flow is handled by nango-auth.ts
- */
-import { Router } from 'express';
-import { requireAuth } from './auth.js';
-import { db } from '../db/index.js';
-import { nangoService, NANGO_INTEGRATIONS } from '../services/nango.js';
-export const githubAppRouter = Router();
-// All routes require authentication
-githubAppRouter.use(requireAuth);
-/**
- * GET /api/github-app/status
- * Check if Nango GitHub App OAuth is configured
- */
-githubAppRouter.get('/status', (_req, res) => {
-    res.json({
-        configured: true,
-        integrations: NANGO_INTEGRATIONS,
-        connectUrl: '/connect-repos',
-    });
-});
-/**
- * GET /api/github-app/repos
- * List repositories the user has access to
- *
- * First tries database (populated by GitHub App OAuth).
- * If empty, queries GitHub directly via user OAuth connection.
- */
-githubAppRouter.get('/repos', async (req, res) => {
-    const userId = req.session.userId;
-    try {
-        // Try database first (from GitHub App OAuth flow)
-        const dbRepos = await db.repositories.findByUserId(userId);
-        if (dbRepos.length > 0) {
-            // Return repos from database
-            return res.json({
-                repositories: dbRepos.map((r) => ({
-                    id: r.id,
-                    fullName: r.githubFullName,
-                    isPrivate: r.isPrivate,
-                    defaultBranch: r.defaultBranch,
-                    syncStatus: r.syncStatus,
-                    hasNangoConnection: !!r.nangoConnectionId,
-                    lastSyncedAt: r.lastSyncedAt,
-                })),
-                source: 'database',
-            });
-        }
-        // Database empty - query GitHub directly via user OAuth
-        const user = await db.users.findById(userId);
-        if (!user?.nangoConnectionId) {
-            return res.json({
-                repositories: [],
-                source: 'none',
-                hint: 'User not connected to GitHub',
-            });
-        }
-        console.log(`[github-app/repos] Database empty, querying GitHub for user ${user.githubUsername}`);
-        const { repositories } = await nangoService.listUserAccessibleRepos(user.nangoConnectionId, {
-            perPage: 100,
-            type: 'all',
-        });
-        res.json({
-            repositories: repositories.map((r) => ({
-                id: null, // No database ID yet
-                fullName: r.fullName,
-                isPrivate: r.isPrivate,
-                defaultBranch: r.defaultBranch,
-                syncStatus: 'live', // Queried from GitHub, not cached
-                hasNangoConnection: true,
-                lastSyncedAt: null,
-            })),
-            source: 'github-api',
-        });
-    }
-    catch (error) {
-        console.error('Error listing repos:', error);
-        res.status(500).json({ error: 'Failed to list repositories' });
-    }
-});
-/**
- * GET /api/github-app/clone-token
- * Get a clone token for a repository
- * Used by workspace provisioner to clone private repos
- */
-githubAppRouter.get('/clone-token', async (req, res) => {
-    const userId = req.session.userId;
-    const { repo } = req.query;
-    if (!repo || typeof repo !== 'string') {
-        return res.status(400).json({ error: 'Repository name is required (owner/repo)' });
-    }
-    try {
-        // Find the repository in our database
-        const userRepos = await db.repositories.findByUserId(userId);
-        const repository = userRepos.find((r) => r.githubFullName === repo);
-        if (!repository) {
-            return res.status(404).json({ error: 'Repository not found' });
-        }
-        if (!repository.nangoConnectionId) {
-            return res.status(400).json({
-                error: 'Repository not connected via Nango',
-                hint: 'Connect your GitHub repos through the Nango flow first',
-            });
-        }
-        // Get token from Nango connection
-        const token = await nangoService.getGithubAppToken(repository.nangoConnectionId);
-        const cloneUrl = `https://x-access-token:${token}@github.com/${repo}.git`;
-        res.json({
-            token,
-            cloneUrl,
-            expiresIn: '1 hour',
-        });
-    }
-    catch (error) {
-        console.error('Error getting clone token:', error);
-        res.status(500).json({ error: 'Failed to get clone token' });
-    }
-});
-/**
- * POST /api/github-app/repos/:id/issues
- * Create an issue on a repository
- */
-githubAppRouter.post('/repos/:id/issues', async (req, res) => {
-    const userId = req.session.userId;
-    const id = req.params.id;
-    const { title, body, labels } = req.body;
-    if (!title || typeof title !== 'string') {
-        return res.status(400).json({ error: 'Issue title is required' });
-    }
-    try {
-        // Find the repository
-        const repository = await db.repositories.findById(id);
-        if (!repository || repository.userId !== userId) {
-            return res.status(404).json({ error: 'Repository not found' });
-        }
-        if (!repository.nangoConnectionId) {
-            return res.status(400).json({ error: 'Repository not connected via Nango' });
-        }
-        // Create issue via Nango Proxy (handles token injection automatically)
-        const [owner, repo] = repository.githubFullName.split('/');
-        const issue = await nangoService.createGithubIssue(repository.nangoConnectionId, owner, repo, { title, body: body || '', labels });
-        res.json({
-            number: issue.number,
-            url: issue.html_url,
-        });
-    }
-    catch (error) {
-        console.error('Error creating issue:', error);
-        res.status(500).json({ error: 'Failed to create issue' });
-    }
-});
-/**
- * POST /api/github-app/repos/:id/pulls
- * Create a pull request on a repository
- */
-githubAppRouter.post('/repos/:id/pulls', async (req, res) => {
-    const userId = req.session.userId;
-    const id = req.params.id;
-    const { title, body, head, base } = req.body;
-    if (!title || !head || !base) {
-        return res.status(400).json({ error: 'title, head, and base are required' });
-    }
-    try {
-        // Find the repository
-        const repository = await db.repositories.findById(id);
-        if (!repository || repository.userId !== userId) {
-            return res.status(404).json({ error: 'Repository not found' });
-        }
-        if (!repository.nangoConnectionId) {
-            return res.status(400).json({ error: 'Repository not connected via Nango' });
-        }
-        // Create PR via Nango Proxy (handles token injection automatically)
-        const [owner, repo] = repository.githubFullName.split('/');
-        const pr = await nangoService.createGithubPullRequest(repository.nangoConnectionId, owner, repo, { title, body: body || '', head, base });
-        res.json({
-            number: pr.number,
-            url: pr.html_url,
-        });
-    }
-    catch (error) {
-        console.error('Error creating PR:', error);
-        res.status(500).json({ error: 'Failed to create pull request' });
-    }
-});
-/**
- * POST /api/github-app/repos/:id/comments
- * Add a comment to an issue or PR
- */
-githubAppRouter.post('/repos/:id/comments', async (req, res) => {
-    const userId = req.session.userId;
-    const id = req.params.id;
-    const { issueNumber, body } = req.body;
-    if (!issueNumber || !body) {
-        return res.status(400).json({ error: 'issueNumber and body are required' });
-    }
-    try {
-        const repository = await db.repositories.findById(id);
-        if (!repository || repository.userId !== userId) {
-            return res.status(404).json({ error: 'Repository not found' });
-        }
-        if (!repository.nangoConnectionId) {
-            return res.status(400).json({ error: 'Repository not connected via Nango' });
-        }
-        // Add comment via Nango Proxy (handles token injection automatically)
-        const [owner, repo] = repository.githubFullName.split('/');
-        const comment = await nangoService.addGithubIssueComment(repository.nangoConnectionId, owner, repo, issueNumber, body);
-        res.json({
-            id: comment.id,
-            url: comment.html_url,
-        });
-    }
-    catch (error) {
-        console.error('Error adding comment:', error);
-        res.status(500).json({ error: 'Failed to add comment' });
-    }
-});
-//# sourceMappingURL=github-app.js.map

package/packages/cloud/dist/api/middleware/planLimits.d.ts

@@ -1,43 +0,0 @@
-/**
- * Plan Limits Middleware
- *
- * Express middleware to enforce plan-based resource limits.
- */
-import { Request, Response, NextFunction } from 'express';
-/**
- * Middleware to check workspace creation limit
- *
- * Use this middleware on workspace creation endpoints.
- * Requires userId in session (use after requireAuth).
- */
-export declare function checkWorkspaceLimit(req: Request, res: Response, next: NextFunction): Promise<void>;
-/**
- * Middleware to check repository limit
- *
- * Use this middleware on repo connection endpoints.
- * Requires userId in session (use after requireAuth).
- */
-export declare function checkRepoLimit(req: Request, res: Response, next: NextFunction): Promise<void>;
-/**
- * Middleware to check concurrent agent limit
- *
- * Use this middleware on agent spawn endpoints.
- * Requires userId in session (use after requireAuth).
- * Optionally pass currentRunningAgents in request body for accurate count.
- */
-export declare function checkAgentLimit(req: Request, res: Response, next: NextFunction): Promise<void>;
-/**
- * Middleware to check coordinator access
- *
- * Use this middleware on coordinator-related endpoints.
- * Coordinators are only available on Pro plan and above.
- */
-export declare function checkCoordinatorAccess(req: Request, res: Response, next: NextFunction): Promise<void>;
-/**
- * Middleware to check session persistence access
- *
- * Use this middleware on endpoints that enable cloud session persistence.
- * Session persistence is only available on Pro plan and above.
- */
-export declare function checkSessionPersistenceAccess(req: Request, res: Response, next: NextFunction): Promise<void>;
-//# sourceMappingURL=planLimits.d.ts.map