agentdev-webui 1.0.0

package/migrations/009_unified_oauth.sql

@@ -0,0 +1,153 @@
+-- Migration 009: Unified OAuth Provider Tables
+-- Follows the data-tamer-dashboard pattern for OAuth provider configuration and user connections.
+-- Creates two tables:
+--   1. agentdev_oauth_provider_configs - Provider definitions (auth URLs, scopes, token exchange settings)
+--   2. agentdev_oauth_providers - Per-user OAuth connections with encrypted tokens
+-- Then migrates existing github_token_encrypted and project github_token data.
+
+-- Enable UUID generation if not already available
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+-- ============================================================================
+-- Table: agentdev_oauth_provider_configs
+-- Platform-level OAuth provider definitions (GitHub, Google, etc.)
+-- ============================================================================
+CREATE TABLE IF NOT EXISTS agentdev_oauth_provider_configs (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  provider_key VARCHAR(50) UNIQUE NOT NULL,
+  name VARCHAR(100) NOT NULL,
+  client_id TEXT,                         -- Encrypted client ID (null for PAT-only providers)
+  client_secret TEXT,                     -- Encrypted client secret (null for PAT-only providers)
+  authorize_payload JSONB NOT NULL DEFAULT '{}',
+  callback_payload JSONB NOT NULL DEFAULT '{}',
+  is_active BOOLEAN DEFAULT true,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- ============================================================================
+-- Table: agentdev_oauth_providers
+-- User-specific OAuth connections with encrypted tokens
+-- ============================================================================
+CREATE TABLE IF NOT EXISTS agentdev_oauth_providers (
+  id SERIAL PRIMARY KEY,
+  user_id INT NOT NULL REFERENCES agentdev_users(id) ON DELETE CASCADE,
+  config_id UUID NOT NULL REFERENCES agentdev_oauth_provider_configs(id) ON DELETE CASCADE,
+  provider_key VARCHAR(50) NOT NULL,
+  access_token TEXT,                      -- Encrypted access token
+  refresh_token TEXT,                     -- Encrypted refresh token (nullable)
+  token_expires_at TIMESTAMPTZ,
+  scopes TEXT[] DEFAULT '{}',
+  status VARCHAR(20) DEFAULT 'active',
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW(),
+  UNIQUE(user_id, provider_key)
+);
+
+-- Index for quick lookups
+CREATE INDEX IF NOT EXISTS idx_oauth_providers_user_id ON agentdev_oauth_providers(user_id);
+CREATE INDEX IF NOT EXISTS idx_oauth_providers_provider_key ON agentdev_oauth_providers(provider_key);
+
+-- ============================================================================
+-- Seed: GitHub provider config
+-- ============================================================================
+INSERT INTO agentdev_oauth_provider_configs (
+  provider_key,
+  name,
+  client_id,
+  client_secret,
+  authorize_payload,
+  callback_payload,
+  is_active
+) VALUES (
+  'github',
+  'GitHub',
+  NULL,  -- PAT-based, no OAuth app client ID needed yet
+  NULL,  -- PAT-based, no OAuth app client secret needed yet
+  '{
+    "name": "GitHub",
+    "authUrl": "https://github.com/login/oauth/authorize",
+    "scope": ["user:email", "read:user", "repo", "read:org", "project"],
+    "redirectUriPath": "/api/oauth/callback",
+    "additionalParams": {
+      "allow_signup": "true"
+    }
+  }'::jsonb,
+  '{
+    "settings": {},
+    "oauth_provider": {
+      "name": "GitHub",
+      "tokenUrl": "https://github.com/login/oauth/access_token",
+      "headers": {
+        "Accept": "application/json",
+        "Content-Type": "application/json"
+      },
+      "bodyFormat": "json",
+      "redirectPath": "/api/oauth/callback",
+      "successParam": "github_connected",
+      "defaultExpiration": 31536000000,
+      "supportsRefreshToken": false,
+      "useBasicAuth": false
+    }
+  }'::jsonb,
+  true
+) ON CONFLICT (provider_key) DO NOTHING;
+
+-- LinkedIn provider config
+INSERT INTO agentdev_oauth_provider_configs (
+  provider_key,
+  name,
+  client_id,
+  client_secret,
+  authorize_payload,
+  callback_payload,
+  is_active
+) VALUES (
+  'linkedin',
+  'LinkedIn',
+  NULL,
+  NULL,
+  '{
+    "name": "LinkedIn",
+    "authUrl": "https://www.linkedin.com/oauth/v2/authorization",
+    "scope": ["openid", "profile", "email", "w_member_social"],
+    "redirectUriPath": "/api/oauth/callback"
+  }'::jsonb,
+  '{
+    "settings": {},
+    "oauth_provider": {
+      "name": "LinkedIn",
+      "tokenUrl": "https://www.linkedin.com/oauth/v2/accessToken",
+      "headers": {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      "bodyFormat": "form",
+      "redirectPath": "/api/oauth/callback",
+      "successParam": "linkedin_connected",
+      "supportsRefreshToken": true,
+      "useBasicAuth": false
+    }
+  }'::jsonb,
+  true
+) ON CONFLICT (provider_key) DO NOTHING;
+
+-- ============================================================================
+-- Data Migration: Move existing LinkedIn tokens to new table (if they exist)
+-- ============================================================================
+INSERT INTO agentdev_oauth_providers (user_id, config_id, provider_key, access_token, refresh_token, token_expires_at, scopes, status)
+SELECT
+  u.id,
+  (SELECT id FROM agentdev_oauth_provider_configs WHERE provider_key = 'linkedin'),
+  'linkedin',
+  u.linkedin_token_encrypted,
+  u.linkedin_refresh_token_encrypted,
+  u.linkedin_token_expires_at,
+  ARRAY['openid', 'profile', 'email', 'w_member_social'],
+  'active'
+FROM agentdev_users u
+WHERE u.linkedin_token_encrypted IS NOT NULL
+ON CONFLICT (user_id, provider_key) DO NOTHING;
+
+-- Note: github_token_encrypted column does not exist in production schema.
+-- GitHub tokens are saved to the new unified table via the application code
+-- when users save their token through the profile page.

package/migrations/README.md

@@ -0,0 +1,97 @@
+# Database Migrations
+
+## Setup
+
+The AgentDev distributed system uses a **dedicated PostgreSQL database** for isolation and better management.
+
+## Running Migrations
+
+### Step 1: Create Database and User
+
+```bash
+# Get PostgreSQL password from secret
+export POSTGRES_PASSWORD=$(kubectl get secret postgresql -n datatamer -o jsonpath='{.data.postgresql-password}' | base64 -d)
+
+# Port forward to PostgreSQL
+kubectl port-forward svc/pgbouncer -n datatamer 6432:6432 &
+
+# Create database and user
+PGPASSWORD=$POSTGRES_PASSWORD psql -h localhost -p 6432 -U postgres -f migrations/000_create_database.sql
+```
+
+This creates:
+- Database: `agentdev`
+- User: `agentdev` with password `agentdev_secure_password_change_me`
+- Extensions: `uuid-ossp`
+
+### Step 2: Run Schema Migration
+
+```bash
+# Run schema migration
+PGPASSWORD=agentdev_secure_password_change_me psql -h localhost -p 6432 -U agentdev -d agentdev -f migrations/001_create_agentdev_schema.sql
+```
+
+### Step 3: Verify Tables Created
+
+```bash
+PGPASSWORD=agentdev_secure_password_change_me psql -h localhost -p 6432 -U agentdev -d agentdev -c "\dt"
+```
+
+Expected output:
+```
+                   List of relations
+ Schema |           Name            | Type  |  Owner
+--------+---------------------------+-------+----------
+ public | agentdev_agents           | table | agentdev
+ public | agentdev_device_codes     | table | agentdev
+ public | agentdev_logs             | table | agentdev
+ public | agentdev_tickets          | table | agentdev
+ public | agentdev_users            | table | agentdev
+```
+
+### Production Deployment
+
+For production, update the Helm chart with a **sealed secret** for the database password:
+
+```bash
+# Generate sealed secret for production
+kubectl create secret generic agentdev-db-password \
+  --from-literal=password='<strong-random-password>' \
+  --dry-run=client -o yaml | \
+  kubeseal -o yaml > production-secrets.yaml
+```
+
+Then update Helm values to reference the secret:
+
+```yaml
+config:
+  DATABASE_URL: "postgresql://agentdev:$(AGENTDEV_DB_PASSWORD)@pgbouncer.datatamer.svc.cluster.local:6432/agentdev"
+
+envFrom:
+  - secretRef:
+      name: agentdev-db-password
+```
+
+## Schema Overview
+
+| Table | Purpose |
+|-------|---------|
+| `agentdev_users` | User accounts with OAuth configuration |
+| `agentdev_agents` | Registered agents with status tracking |
+| `agentdev_tickets` | GitHub tickets being processed |
+| `agentdev_logs` | Persistent agent logs |
+| `agentdev_device_codes` | OAuth device flow authorization |
+
+## Indexes
+
+Optimized for:
+- Agent lookup by user and status
+- Ticket assignment and priority queries
+- Log retrieval by agent and timestamp
+- Device code validation
+
+## Constraints
+
+- Foreign keys with CASCADE delete for cleanup
+- Status enums for data integrity
+- Unique constraints on email, user_code, and ticket identifiers

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "agentdev-webui",
+  "version": "1.0.0",
+  "description": "Multi-agent workflow dashboard for auto-ticket processing",
+  "main": "server.js",
+  "bin": {
+    "agentdev-webui": "server.js"
+  },
+  "files": [
+    "server.js",
+    "lib/",
+    "public/",
+    "migrations/"
+  ],
+  "scripts": {
+    "start": "node server.js",
+    "dev": "nodemon --watch server.js --watch lib --watch public --ext js,html,css,json --delay 500ms server.js",
+    "test": "echo \"No tests yet\" && exit 0"
+  },
+  "keywords": ["agent", "workflow", "dashboard", "pwa"],
+  "author": "DataTamer",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/data-tamer/agentdev-webui.git"
+  },
+  "dependencies": {
+    "playwright": "^1.58.1",
+    "ioredis": "^5.3.2",
+    "pg": "^8.11.3",
+    "jsonwebtoken": "^9.0.2",
+    "nodemailer": "^6.9.8"
+  },
+  "devDependencies": {
+    "nodemon": "^3.1.11"
+  }
+}