agentgate 0.1.0

package/src/index.js

@@ -0,0 +1,344 @@
+import express from 'express';
+import cookieParser from 'cookie-parser';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+import { validateApiKey, getAccountsByService, getCookieSecret } from './lib/db.js';
+import { connectHsync } from './lib/hsyncManager.js';
+import githubRoutes, { serviceInfo as githubInfo } from './routes/github.js';
+import blueskyRoutes, { serviceInfo as blueskyInfo } from './routes/bluesky.js';
+import redditRoutes, { serviceInfo as redditInfo } from './routes/reddit.js';
+import calendarRoutes, { serviceInfo as calendarInfo } from './routes/calendar.js';
+import mastodonRoutes, { serviceInfo as mastodonInfo } from './routes/mastodon.js';
+import linkedinRoutes, { serviceInfo as linkedinInfo } from './routes/linkedin.js';
+import youtubeRoutes, { serviceInfo as youtubeInfo } from './routes/youtube.js';
+import jiraRoutes, { serviceInfo as jiraInfo } from './routes/jira.js';
+import fitbitRoutes, { serviceInfo as fitbitInfo } from './routes/fitbit.js';
+import queueRoutes from './routes/queue.js';
+import uiRoutes from './routes/ui.js';
+
+// Aggregate service metadata from all routes
+const SERVICE_REGISTRY = {
+  [githubInfo.key]: githubInfo,
+  [blueskyInfo.key]: blueskyInfo,
+  [mastodonInfo.key]: mastodonInfo,
+  [redditInfo.key]: redditInfo,
+  [calendarInfo.key]: calendarInfo,
+  [youtubeInfo.key]: youtubeInfo,
+  [linkedinInfo.key]: linkedinInfo,
+  [jiraInfo.key]: jiraInfo,
+  [fitbitInfo.key]: fitbitInfo
+};
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const app = express();
+const PORT = process.env.PORT || 3050;
+const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`;
+
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+app.use(cookieParser(getCookieSecret()));
+app.use('/public', express.static(join(__dirname, '../public')));
+
+// API key auth middleware for /api routes
+async function apiKeyAuth(req, res, next) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return res.status(401).json({ error: 'Missing or invalid Authorization header' });
+  }
+
+  const key = authHeader.slice(7);
+  const valid = await validateApiKey(key);
+  if (!valid) {
+    return res.status(401).json({ error: 'Invalid API key' });
+  }
+
+  req.apiKeyInfo = valid;
+  next();
+}
+
+// Read-only enforcement - only allow GET requests to API
+function readOnlyEnforce(req, res, next) {
+  if (req.method !== 'GET') {
+    return res.status(405).json({ error: 'Only GET requests allowed (read-only access)' });
+  }
+  next();
+}
+
+// API routes - require auth and read-only
+// Pattern: /api/{service}/{accountName}/...
+app.use('/api/github', apiKeyAuth, readOnlyEnforce, githubRoutes);
+app.use('/api/bluesky', apiKeyAuth, readOnlyEnforce, blueskyRoutes);
+app.use('/api/reddit', apiKeyAuth, readOnlyEnforce, redditRoutes);
+app.use('/api/calendar', apiKeyAuth, readOnlyEnforce, calendarRoutes);
+app.use('/api/mastodon', apiKeyAuth, readOnlyEnforce, mastodonRoutes);
+app.use('/api/linkedin', apiKeyAuth, readOnlyEnforce, linkedinRoutes);
+app.use('/api/youtube', apiKeyAuth, readOnlyEnforce, youtubeRoutes);
+app.use('/api/jira', apiKeyAuth, readOnlyEnforce, jiraRoutes);
+app.use('/api/fitbit', apiKeyAuth, readOnlyEnforce, fitbitRoutes);
+
+// Queue routes - require auth but allow POST for submitting write requests
+// Pattern: /api/queue/{service}/{accountName}/submit
+app.use('/api/queue', apiKeyAuth, queueRoutes);
+
+// UI routes - no API key needed (local admin access)
+app.use('/ui', uiRoutes);
+
+// Agent readme endpoint - requires auth
+app.get('/api/readme', apiKeyAuth, (req, res) => {
+  const accountsByService = getAccountsByService();
+
+  // Build services object from registry
+  const services = {};
+  for (const [key, info] of Object.entries(SERVICE_REGISTRY)) {
+    const dbKey = info.dbKey || key;
+    services[key] = {
+      accounts: accountsByService[dbKey] || [],
+      authType: info.authType,
+      description: info.description
+    };
+  }
+
+  // Build endpoints object from registry
+  const endpoints = {};
+  for (const [key, info] of Object.entries(SERVICE_REGISTRY)) {
+    endpoints[key] = {
+      base: `/api/${key}/{accountName}`,
+      description: info.description,
+      docs: info.docs,
+      examples: info.examples
+    };
+    if (info.writeGuidelines) {
+      endpoints[key].writeGuidelines = info.writeGuidelines;
+    }
+  }
+
+  res.json({
+    name: 'agentgate',
+    description: 'API gateway for personal data with human-in-the-loop write approval. Read requests (GET) execute immediately. Write requests (POST/PUT/DELETE) are queued for human approval before execution.',
+    urlPattern: '/api/{service}/{accountName}/...',
+    services,
+    endpoints,
+    auth: {
+      type: 'bearer',
+      header: 'Authorization: Bearer {your_api_key}'
+    },
+    writeQueue: {
+      description: 'For write operations (POST/PUT/DELETE), you must submit requests to the write queue. A human will review and approve or reject your request. You cannot execute write operations directly.',
+      workflow: [
+        '1. Submit your write request(s) with a comment explaining your intent',
+        '2. Poll the status endpoint to check if approved/rejected',
+        '3. If rejected, check rejection_reason and adjust your approach',
+        '4. If approved and completed, results contain the API responses',
+        '5. If failed, results show which request failed and why'
+      ],
+      importantNotes: [
+        'Always include a clear comment explaining WHY you want to make these changes',
+        'Include markdown links to relevant resources (issues, PRs, docs) so the reviewer has context',
+        'Batch requests execute in order and stop on first failure',
+        'You cannot approve your own requests - a human must review them',
+        'Be patient - approval requires human action'
+      ],
+      commentFormat: {
+        description: 'Comments support markdown. Include links to help the reviewer understand context.',
+        example: 'Closing issue [#42](https://github.com/owner/repo/issues/42) as completed. See related PR [#45](https://github.com/owner/repo/pull/45) for the fix.'
+      },
+      submit: {
+        method: 'POST',
+        path: '/api/queue/{service}/{accountName}/submit',
+        body: {
+          requests: '[{ method: "POST"|"PUT"|"PATCH"|"DELETE", path: "/api/path", body?: {}, headers?: {} }, ...]',
+          comment: 'Required: Explain what you are trying to do and why'
+        },
+        response: '{ id: "queue_entry_id", status: "pending" }'
+      },
+      checkStatus: {
+        method: 'GET',
+        path: '/api/queue/{service}/{accountName}/status/{id}',
+        responses: {
+          pending: '{ id, status: "pending", submitted_at }',
+          rejected: '{ id, status: "rejected", rejection_reason: "why it was rejected", reviewed_at }',
+          completed: '{ id, status: "completed", results: [{ ok: true, status: 200, body: {...} }, ...], completed_at }',
+          failed: '{ id, status: "failed", results: [{ ok: true, ... }, { ok: false, status: 404, body: {...} }], completed_at }'
+        }
+      },
+      listMyRequests: {
+        description: 'List all queue entries you have submitted. Returns summary info only (no full request bodies or results). Use checkStatus with a specific ID to get full details.',
+        methods: [
+          { method: 'GET', path: '/api/queue/list', description: 'List all your submissions across all services' },
+          { method: 'GET', path: '/api/queue/{service}/{accountName}/list', description: 'List your submissions for a specific service/account' }
+        ],
+        response: '{ count: number, entries: [{ id, service, account_name, comment, status, rejection_reason?, submitted_at, reviewed_at?, completed_at? }, ...] }'
+      },
+      statuses: {
+        pending: 'Waiting for human approval',
+        approved: 'Approved, about to execute',
+        executing: 'Currently running the requests',
+        completed: 'All requests succeeded',
+        failed: 'One or more requests failed (check results)',
+        rejected: 'Human rejected the request (check rejection_reason)'
+      },
+      example: {
+        submit: {
+          method: 'POST',
+          url: '/api/queue/github/personal/submit',
+          body: {
+            requests: [
+              { method: 'POST', path: '/repos/owner/repo/issues', body: { title: 'Bug report', body: 'Description here' } }
+            ],
+            comment: 'Creating an issue to track the bug we discussed in the conversation'
+          }
+        },
+        checkStatus: {
+          method: 'GET',
+          url: '/api/queue/github/personal/status/{id_from_submit_response}'
+        }
+      }
+    },
+    skill: {
+      description: 'Generate a SKILL.md file for OpenClaw/AgentSkills compatible systems',
+      endpoint: 'GET /api/skill',
+      docs: 'https://docs.openclaw.ai/tools/skills',
+      queryParams: {
+        base_url: 'Override the base URL in the generated skill (optional)'
+      }
+    }
+  });
+});
+
+// Generate SKILL.md for OpenClaw/AgentSkills compatible systems
+// See: https://docs.openclaw.ai/tools/skills
+app.get('/api/skill', apiKeyAuth, (req, res) => {
+  const baseUrl = req.query.base_url || BASE_URL;
+  const accountsByService = getAccountsByService();
+
+  // Build list of configured services dynamically
+  const configuredServices = [];
+  for (const [serviceKey, info] of Object.entries(SERVICE_REGISTRY)) {
+    const dbKey = info.dbKey || serviceKey;
+    const accounts = accountsByService[dbKey] || [];
+    if (accounts.length > 0) {
+      configuredServices.push(`- **${info.name}**: ${accounts.join(', ')}`);
+    }
+  }
+
+  // Build supported services list for description
+  const supportedServices = Object.values(SERVICE_REGISTRY).map(s => s.name).join(', ');
+
+  // Generate example read endpoints from configured services
+  const readExamples = [];
+  for (const [serviceKey, info] of Object.entries(SERVICE_REGISTRY)) {
+    const dbKey = info.dbKey || serviceKey;
+    const accounts = accountsByService[dbKey] || [];
+    if (accounts.length > 0 && info.examples && info.examples.length > 0) {
+      // Take first example, replace {accountName} with actual account
+      const example = info.examples[0].replace('{accountName}', accounts[0]);
+      readExamples.push(`- \`${example.replace('GET ', baseUrl)}\``);
+      if (readExamples.length >= 3) break;
+    }
+  }
+
+  // Collect any write guidelines
+  const writeGuidelines = [];
+  for (const [_serviceKey, info] of Object.entries(SERVICE_REGISTRY)) {
+    if (info.writeGuidelines) {
+      writeGuidelines.push(`### ${info.name}\n${info.writeGuidelines.map(g => `- ${g}`).join('\n')}`);
+    }
+  }
+
+  const skillMd = `---
+name: agentgate
+description: Access personal data through agentgate API gateway. Supports ${supportedServices}. Read requests execute immediately. Write requests are queued for human approval.
+metadata: { "openclaw": { "emoji": "🚪", "requires": { "env": ["AGENTGATE_API_KEY"] } } }
+---
+
+# agentgate
+
+API gateway for accessing personal data with human-in-the-loop write approval.
+
+## Configuration
+
+- **Base URL**: \`${baseUrl}\`
+- **API Key**: Use the \`AGENTGATE_API_KEY\` environment variable
+
+## Configured Services
+
+${configuredServices.length > 0 ? configuredServices.join('\n') : '_No services configured yet_'}
+
+## Authentication
+
+All requests require the API key in the Authorization header:
+
+\`\`\`
+Authorization: Bearer $AGENTGATE_API_KEY
+\`\`\`
+
+## Read Requests (Immediate)
+
+Make GET requests to \`${baseUrl}/api/{service}/{accountName}/...\`
+
+${readExamples.length > 0 ? 'Examples:\n' + readExamples.join('\n') : ''}
+
+## Write Requests (Queued for Approval)
+
+Write operations (POST/PUT/DELETE) must go through the queue:
+
+1. **Submit request**:
+   \`\`\`
+   POST ${baseUrl}/api/queue/{service}/{accountName}/submit
+   {
+     "requests": [{ "method": "POST", "path": "/path", "body": {...} }],
+     "comment": "Explain what you're doing and why. Include [links](url) to relevant issues/PRs."
+   }
+   \`\`\`
+
+2. **Poll for status**:
+   \`\`\`
+   GET ${baseUrl}/api/queue/{service}/{accountName}/status/{id}
+   \`\`\`
+
+3. **Check response**: \`pending\`, \`completed\`, \`failed\`, or \`rejected\` (with reason)
+
+## Important Notes
+
+- Always include a clear comment explaining your intent
+- Include markdown links to relevant resources (issues, PRs, docs)
+- Be patient - approval requires human action
+
+${writeGuidelines.length > 0 ? '## Service-Specific Guidelines\n\n' + writeGuidelines.join('\n\n') : ''}
+
+## Full API Documentation
+
+For complete endpoint documentation, fetch:
+\`\`\`
+GET ${baseUrl}/api/readme
+\`\`\`
+`;
+
+  res.type('text/markdown').send(skillMd);
+});
+
+// Root redirect to UI
+app.get('/', (req, res) => {
+  res.redirect('/ui');
+});
+
+const server = app.listen(PORT, async () => {
+  console.log(`agentgate gateway running at http://localhost:${PORT}`);
+  console.log(`Admin UI: http://localhost:${PORT}/ui`);
+
+  // Start hsync if configured
+  try {
+    await connectHsync(PORT);
+  } catch (err) {
+    console.error('hsync connection error:', err);
+  }
+});
+
+server.on('error', (err) => {
+  if (err.code === 'EADDRINUSE') {
+    console.error(`Error: Port ${PORT} is already in use. Is another instance running?`);
+  } else {
+    console.error('Server error:', err.message);
+  }
+  process.exit(1);
+});

package/src/lib/db.js

@@ -0,0 +1,325 @@
+import Database from 'better-sqlite3';
+import { nanoid } from 'nanoid';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+import bcrypt from 'bcrypt';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const dbPath = join(__dirname, '../../data.db');
+
+const db = new Database(dbPath);
+
+// Initialize other tables first
+db.exec(`
+  CREATE TABLE IF NOT EXISTS service_accounts (
+    id TEXT PRIMARY KEY,
+    service TEXT NOT NULL,
+    name TEXT NOT NULL,
+    credentials TEXT NOT NULL,
+    created_at TEXT DEFAULT CURRENT_TIMESTAMP,
+    updated_at TEXT DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(service, name)
+  );
+
+  CREATE TABLE IF NOT EXISTS settings (
+    key TEXT PRIMARY KEY,
+    value TEXT NOT NULL,
+    updated_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  CREATE TABLE IF NOT EXISTS write_queue (
+    id TEXT PRIMARY KEY,
+    service TEXT NOT NULL,
+    account_name TEXT NOT NULL,
+    requests TEXT NOT NULL,
+    comment TEXT,
+    status TEXT NOT NULL DEFAULT 'pending',
+    rejection_reason TEXT,
+    results TEXT,
+    submitted_by TEXT,
+    submitted_at TEXT DEFAULT CURRENT_TIMESTAMP,
+    reviewed_at TEXT,
+    completed_at TEXT
+  );
+`);
+
+// Initialize api_keys table with migration support for old schema
+// Old schema had: id, name, key, created_at
+// New schema has: id, name, key_prefix, key_hash, created_at
+try {
+  const tableInfo = db.prepare('PRAGMA table_info(api_keys)').all();
+
+  if (tableInfo.length === 0) {
+    // Table doesn't exist, create with new schema
+    db.exec(`
+      CREATE TABLE api_keys (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL,
+        key_prefix TEXT NOT NULL,
+        key_hash TEXT NOT NULL,
+        created_at TEXT DEFAULT CURRENT_TIMESTAMP
+      );
+    `);
+  } else {
+    const hasOldSchema = tableInfo.some(col => col.name === 'key') && !tableInfo.some(col => col.name === 'key_hash');
+
+    if (hasOldSchema) {
+      console.log('Migrating api_keys table to new schema...');
+      console.log('NOTE: Old API keys cannot be migrated (bcrypt is one-way) and will be removed.');
+      console.log('Please create new API keys after migration.');
+
+      db.exec(`
+        DROP TABLE api_keys;
+        CREATE TABLE api_keys (
+          id TEXT PRIMARY KEY,
+          name TEXT NOT NULL,
+          key_prefix TEXT NOT NULL,
+          key_hash TEXT NOT NULL,
+          created_at TEXT DEFAULT CURRENT_TIMESTAMP
+        );
+      `);
+      console.log('Migration complete.');
+    }
+    // else: table exists with new schema, nothing to do
+  }
+} catch (err) {
+  console.error('Error initializing api_keys table:', err.message);
+}
+
+// API Keys
+export async function createApiKey(name) {
+  const id = nanoid();
+  const key = `rms_${nanoid(32)}`;
+  const keyPrefix = key.substring(0, 8) + '...' + key.substring(key.length - 4);
+  const keyHash = await bcrypt.hash(key, 10);
+  db.prepare('INSERT INTO api_keys (id, name, key_prefix, key_hash) VALUES (?, ?, ?, ?)').run(id, name, keyPrefix, keyHash);
+  return { id, name, key, keyPrefix }; // Return full key only at creation
+}
+
+export function listApiKeys() {
+  return db.prepare('SELECT id, name, key_prefix, created_at FROM api_keys').all();
+}
+
+export function deleteApiKey(id) {
+  return db.prepare('DELETE FROM api_keys WHERE id = ?').run(id);
+}
+
+export async function validateApiKey(key) {
+  // Must check all keys since we can't look up by hash directly
+  const allKeys = db.prepare('SELECT * FROM api_keys').all();
+  for (const row of allKeys) {
+    const match = await bcrypt.compare(key, row.key_hash);
+    if (match) {
+      return { id: row.id, name: row.name };
+    }
+  }
+  return null;
+}
+
+// Service Accounts
+export function setAccountCredentials(service, name, credentials) {
+  const id = nanoid();
+  const json = JSON.stringify(credentials);
+  db.prepare(`
+    INSERT INTO service_accounts (id, service, name, credentials)
+    VALUES (?, ?, ?, ?)
+    ON CONFLICT(service, name) DO UPDATE SET
+      credentials = excluded.credentials,
+      updated_at = CURRENT_TIMESTAMP
+  `).run(id, service, name, json);
+}
+
+export function getAccountCredentials(service, name) {
+  const row = db.prepare('SELECT credentials FROM service_accounts WHERE service = ? AND name = ?').get(service, name);
+  return row ? JSON.parse(row.credentials) : null;
+}
+
+export function listAccounts(service) {
+  if (service) {
+    return db.prepare('SELECT id, service, name, created_at, updated_at FROM service_accounts WHERE service = ?').all(service);
+  }
+  return db.prepare('SELECT id, service, name, created_at, updated_at FROM service_accounts ORDER BY service, name').all();
+}
+
+export function deleteAccount(service, name) {
+  return db.prepare('DELETE FROM service_accounts WHERE service = ? AND name = ?').run(service, name);
+}
+
+export function deleteAccountById(id) {
+  return db.prepare('DELETE FROM service_accounts WHERE id = ?').run(id);
+}
+
+// Get all accounts grouped by service (for /api/readme)
+export function getAccountsByService() {
+  const rows = db.prepare('SELECT service, name FROM service_accounts ORDER BY service, name').all();
+  const grouped = {};
+  for (const row of rows) {
+    if (!grouped[row.service]) {
+      grouped[row.service] = [];
+    }
+    grouped[row.service].push(row.name);
+  }
+  return grouped;
+}
+
+// Settings (for things like hsync config)
+export function setSetting(key, value) {
+  const json = JSON.stringify(value);
+  db.prepare(`
+    INSERT INTO settings (key, value)
+    VALUES (?, ?)
+    ON CONFLICT(key) DO UPDATE SET
+      value = excluded.value,
+      updated_at = CURRENT_TIMESTAMP
+  `).run(key, json);
+}
+
+export function getSetting(key) {
+  const row = db.prepare('SELECT value FROM settings WHERE key = ?').get(key);
+  return row ? JSON.parse(row.value) : null;
+}
+
+export function deleteSetting(key) {
+  return db.prepare('DELETE FROM settings WHERE key = ?').run(key);
+}
+
+// Admin Password
+export async function setAdminPassword(password) {
+  const hash = await bcrypt.hash(password, 10);
+  setSetting('admin_password', hash);
+}
+
+export async function verifyAdminPassword(password) {
+  const hash = getSetting('admin_password');
+  if (!hash) return false;
+  return bcrypt.compare(password, hash);
+}
+
+export function hasAdminPassword() {
+  return getSetting('admin_password') !== null;
+}
+
+// Cookie secret (generated once, persisted)
+export function getCookieSecret() {
+  let secret = getSetting('cookie_secret');
+  if (!secret) {
+    secret = nanoid(64);
+    setSetting('cookie_secret', secret);
+  }
+  return secret;
+}
+
+// Write Queue
+export function createQueueEntry(service, accountName, requests, comment, submittedBy) {
+  const id = nanoid();
+  db.prepare(`
+    INSERT INTO write_queue (id, service, account_name, requests, comment, submitted_by)
+    VALUES (?, ?, ?, ?, ?, ?)
+  `).run(id, service, accountName, JSON.stringify(requests), comment || null, submittedBy);
+  return { id, status: 'pending' };
+}
+
+export function getQueueEntry(id) {
+  const row = db.prepare('SELECT * FROM write_queue WHERE id = ?').get(id);
+  if (!row) return null;
+  return {
+    ...row,
+    requests: JSON.parse(row.requests),
+    results: row.results ? JSON.parse(row.results) : null
+  };
+}
+
+export function listQueueEntries(status) {
+  let rows;
+  if (status) {
+    rows = db.prepare('SELECT * FROM write_queue WHERE status = ? ORDER BY submitted_at DESC').all(status);
+  } else {
+    rows = db.prepare('SELECT * FROM write_queue ORDER BY submitted_at DESC').all();
+  }
+  return rows.map(row => ({
+    ...row,
+    requests: JSON.parse(row.requests),
+    results: row.results ? JSON.parse(row.results) : null
+  }));
+}
+
+export function updateQueueStatus(id, status, extra = {}) {
+  const updates = ['status = ?'];
+  const values = [status];
+
+  if (extra.rejection_reason !== undefined) {
+    updates.push('rejection_reason = ?');
+    values.push(extra.rejection_reason);
+  }
+  if (extra.results !== undefined) {
+    updates.push('results = ?');
+    values.push(JSON.stringify(extra.results));
+  }
+  if (status === 'approved' || status === 'rejected') {
+    updates.push('reviewed_at = CURRENT_TIMESTAMP');
+  }
+  if (status === 'completed' || status === 'failed') {
+    updates.push('completed_at = CURRENT_TIMESTAMP');
+  }
+
+  values.push(id);
+  db.prepare(`UPDATE write_queue SET ${updates.join(', ')} WHERE id = ?`).run(...values);
+}
+
+export function clearQueueByStatus(status) {
+  if (status === 'all') {
+    return db.prepare("DELETE FROM write_queue WHERE status IN ('completed', 'failed', 'rejected')").run();
+  }
+  return db.prepare('DELETE FROM write_queue WHERE status = ?').run(status);
+}
+
+export function deleteQueueEntry(id) {
+  return db.prepare('DELETE FROM write_queue WHERE id = ?').run(id);
+}
+
+// Legacy alias
+export function clearCompletedQueue() {
+  return clearQueueByStatus('all');
+}
+
+export function getPendingQueueCount() {
+  const row = db.prepare("SELECT COUNT(*) as count FROM write_queue WHERE status = 'pending'").get();
+  return row.count;
+}
+
+export function getQueueCounts() {
+  const rows = db.prepare('SELECT status, COUNT(*) as count FROM write_queue GROUP BY status').all();
+  const counts = { all: 0, pending: 0, completed: 0, failed: 0, rejected: 0 };
+  for (const row of rows) {
+    counts[row.status] = row.count;
+    counts.all += row.count;
+  }
+  return counts;
+}
+
+// List queue entries by submitter (for agent's own submissions)
+// Returns summary info only - no full request bodies or results
+export function listQueueEntriesBySubmitter(submittedBy, service = null, accountName = null) {
+  let sql = `
+    SELECT id, service, account_name, comment, status, rejection_reason,
+           submitted_at, reviewed_at, completed_at
+    FROM write_queue
+    WHERE submitted_by = ?
+  `;
+  const params = [submittedBy];
+
+  if (service) {
+    sql += ' AND service = ?';
+    params.push(service);
+  }
+  if (accountName) {
+    sql += ' AND account_name = ?';
+    params.push(accountName);
+  }
+
+  sql += ' ORDER BY submitted_at DESC';
+
+  return db.prepare(sql).all(params);
+}
+
+export default db;