agentgate 0.1.0

package/src/lib/hsyncManager.js

@@ -0,0 +1,57 @@
+import { createConnection } from 'hsync';
+import { getSetting } from './db.js';
+
+let currentConnection = null;
+let currentUrl = null;
+
+export async function connectHsync(port) {
+  const config = getSetting('hsync');
+  if (!config?.enabled) {
+    return null;
+  }
+
+  // Disconnect existing connection first
+  await disconnectHsync();
+
+  try {
+    const options = {
+      port,
+      hsyncServer: config.url,
+      hsyncSecret: config.token || undefined
+    };
+
+    currentConnection = await createConnection(options);
+    currentUrl = currentConnection.publicUrl || currentConnection.url || config.url || null;
+    console.log(`hsync connected: ${currentUrl || 'connected'}`);
+    return currentConnection;
+  } catch (err) {
+    console.error('hsync connection failed:', err.message);
+    currentConnection = null;
+    currentUrl = null;
+    return null;
+  }
+}
+
+export async function disconnectHsync() {
+  if (currentConnection) {
+    try {
+      if (typeof currentConnection.close === 'function') {
+        await currentConnection.close();
+      } else if (typeof currentConnection.disconnect === 'function') {
+        await currentConnection.disconnect();
+      }
+    } catch {
+      // Disconnect errors are non-fatal
+    }
+    currentConnection = null;
+    currentUrl = null;
+  }
+}
+
+export function getHsyncUrl() {
+  return currentUrl;
+}
+
+export function isHsyncConnected() {
+  return currentConnection !== null;
+}

package/src/lib/queueExecutor.js

@@ -0,0 +1,362 @@
+import { getAccountCredentials, setAccountCredentials, updateQueueStatus } from './db.js';
+
+// Service base URLs
+const SERVICE_URLS = {
+  github: 'https://api.github.com',
+  bluesky: 'https://bsky.social/xrpc',
+  reddit: 'https://oauth.reddit.com',
+  mastodon: null, // Dynamic: https://{instance}
+  calendar: 'https://www.googleapis.com/calendar/v3',
+  google_calendar: 'https://www.googleapis.com/calendar/v3',
+  youtube: 'https://www.googleapis.com/youtube/v3',
+  linkedin: 'https://api.linkedin.com/v2',
+  jira: null, // Dynamic: https://{domain}/rest/api/3
+  fitbit: 'https://api.fitbit.com'
+};
+
+// Get access token for a service, refreshing if needed
+async function getAccessToken(service, accountName) {
+  const creds = getAccountCredentials(service, accountName);
+  if (!creds) return null;
+
+  switch (service) {
+  case 'github':
+    return creds.token || null;
+
+  case 'bluesky':
+    return await getBlueskyToken(accountName, creds);
+
+  case 'reddit':
+    return await getOAuthToken(accountName, creds, 'reddit', refreshRedditToken);
+
+  case 'calendar':
+  case 'google_calendar':
+    return await getOAuthToken(accountName, creds, 'google_calendar', refreshGoogleToken);
+
+  case 'youtube':
+    return await getOAuthToken(accountName, creds, 'youtube', refreshGoogleToken);
+
+  case 'linkedin':
+    return await getOAuthToken(accountName, creds, 'linkedin', refreshLinkedInToken);
+
+  case 'mastodon':
+    return creds.accessToken || null;
+
+  case 'jira':
+    // Jira uses basic auth, return the creds object
+    return creds;
+
+  case 'fitbit':
+    return await getOAuthToken(accountName, creds, 'fitbit', refreshFitbitToken);
+
+  default:
+    return null;
+  }
+}
+
+// Generic OAuth token getter with refresh
+async function getOAuthToken(accountName, creds, service, refreshFn) {
+  if (creds.accessToken && creds.expiresAt && Date.now() < creds.expiresAt) {
+    return creds.accessToken;
+  }
+
+  if (!creds.refreshToken) return null;
+
+  const newToken = await refreshFn(accountName, creds, service);
+  return newToken;
+}
+
+// Bluesky session token
+async function getBlueskyToken(accountName, creds) {
+  if (creds.accessJwt && creds.expiresAt && Date.now() < creds.expiresAt) {
+    return creds.accessJwt;
+  }
+
+  try {
+    const response = await fetch('https://bsky.social/xrpc/com.atproto.server.createSession', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        identifier: creds.identifier,
+        password: creds.appPassword
+      })
+    });
+
+    if (!response.ok) return null;
+
+    const session = await response.json();
+    setAccountCredentials('bluesky', accountName, {
+      identifier: creds.identifier,
+      appPassword: creds.appPassword,
+      accessJwt: session.accessJwt,
+      refreshJwt: session.refreshJwt,
+      did: session.did,
+      expiresAt: Date.now() + (90 * 60 * 1000)
+    });
+
+    return session.accessJwt;
+  } catch {
+    return null;
+  }
+}
+
+// Refresh Google OAuth token (Calendar/YouTube)
+async function refreshGoogleToken(accountName, creds, service) {
+  try {
+    const response = await fetch('https://oauth2.googleapis.com/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: creds.clientId,
+        client_secret: creds.clientSecret,
+        refresh_token: creds.refreshToken,
+        grant_type: 'refresh_token'
+      })
+    });
+
+    if (!response.ok) return null;
+
+    const tokens = await response.json();
+    setAccountCredentials(service, accountName, {
+      ...creds,
+      accessToken: tokens.access_token,
+      expiresAt: Date.now() + (tokens.expires_in * 1000) - 60000
+    });
+
+    return tokens.access_token;
+  } catch {
+    return null;
+  }
+}
+
+// Refresh Reddit OAuth token
+async function refreshRedditToken(accountName, creds) {
+  try {
+    const basicAuth = Buffer.from(`${creds.clientId}:${creds.clientSecret}`).toString('base64');
+
+    const response = await fetch('https://www.reddit.com/api/v1/access_token', {
+      method: 'POST',
+      headers: {
+        'Authorization': `Basic ${basicAuth}`,
+        'Content-Type': 'application/x-www-form-urlencoded'
+      },
+      body: new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: creds.refreshToken
+      })
+    });
+
+    if (!response.ok) return null;
+
+    const tokens = await response.json();
+    setAccountCredentials('reddit', accountName, {
+      ...creds,
+      accessToken: tokens.access_token,
+      expiresAt: Date.now() + (tokens.expires_in * 1000) - 60000
+    });
+
+    return tokens.access_token;
+  } catch {
+    return null;
+  }
+}
+
+// Refresh LinkedIn OAuth token
+async function refreshLinkedInToken(accountName, creds) {
+  try {
+    const response = await fetch('https://www.linkedin.com/oauth/v2/accessToken', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: creds.refreshToken,
+        client_id: creds.clientId,
+        client_secret: creds.clientSecret
+      })
+    });
+
+    if (!response.ok) return null;
+
+    const tokens = await response.json();
+    setAccountCredentials('linkedin', accountName, {
+      ...creds,
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token || creds.refreshToken,
+      expiresAt: Date.now() + (tokens.expires_in * 1000) - 60000
+    });
+
+    return tokens.access_token;
+  } catch {
+    return null;
+  }
+}
+
+// Refresh Fitbit OAuth token
+async function refreshFitbitToken(accountName, creds) {
+  try {
+    const basicAuth = Buffer.from(`${creds.clientId}:${creds.clientSecret}`).toString('base64');
+
+    const response = await fetch('https://api.fitbit.com/oauth2/token', {
+      method: 'POST',
+      headers: {
+        'Authorization': `Basic ${basicAuth}`,
+        'Content-Type': 'application/x-www-form-urlencoded'
+      },
+      body: new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: creds.refreshToken
+      })
+    });
+
+    if (!response.ok) return null;
+
+    const tokens = await response.json();
+    setAccountCredentials('fitbit', accountName, {
+      ...creds,
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token || creds.refreshToken,
+      expiresAt: Date.now() + (tokens.expires_in * 1000) - 60000
+    });
+
+    return tokens.access_token;
+  } catch {
+    return null;
+  }
+}
+
+// Build the full URL for a service request
+function buildUrl(service, accountName, path) {
+  const creds = getAccountCredentials(service, accountName);
+
+  // Handle dynamic URLs
+  if (service === 'mastodon' && creds?.instance) {
+    return `https://${creds.instance}/${path.replace(/^\//, '')}`;
+  }
+  if (service === 'jira' && creds?.domain) {
+    return `https://${creds.domain}/rest/api/3/${path.replace(/^\//, '')}`;
+  }
+
+  const baseUrl = SERVICE_URLS[service];
+  if (!baseUrl) return null;
+
+  return `${baseUrl}/${path.replace(/^\//, '')}`;
+}
+
+// Build headers for a service request
+function buildHeaders(service, token, customHeaders = {}) {
+  const headers = {
+    'Accept': 'application/json',
+    'Content-Type': 'application/json',
+    ...customHeaders
+  };
+
+  if (service === 'jira' && token?.email && token?.apiToken) {
+    // Jira uses basic auth
+    const basicAuth = Buffer.from(`${token.email}:${token.apiToken}`).toString('base64');
+    headers['Authorization'] = `Basic ${basicAuth}`;
+  } else if (token && typeof token === 'string') {
+    headers['Authorization'] = `Bearer ${token}`;
+  }
+
+  // Service-specific headers
+  if (service === 'github') {
+    headers['Accept'] = 'application/vnd.github+json';
+    headers['User-Agent'] = 'agentgate-gateway';
+  }
+  if (service === 'reddit') {
+    headers['User-Agent'] = 'agentgate-gateway/1.0';
+  }
+
+  return headers;
+}
+
+// Execute a single queued entry (batch of requests)
+export async function executeQueueEntry(entry) {
+  const results = [];
+  const { service, account_name, requests } = entry;
+
+  // Mark as executing
+  updateQueueStatus(entry.id, 'executing');
+
+  for (let i = 0; i < requests.length; i++) {
+    const req = requests[i];
+
+    try {
+      // Get fresh token for each request (in case of expiry during batch)
+      const token = await getAccessToken(service, account_name);
+      if (!token) {
+        results.push({
+          index: i,
+          ok: false,
+          error: `Failed to get access token for ${service}/${account_name}`
+        });
+        updateQueueStatus(entry.id, 'failed', { results });
+        return { success: false, results };
+      }
+
+      // Build URL
+      const url = buildUrl(service, account_name, req.path);
+      if (!url) {
+        results.push({
+          index: i,
+          ok: false,
+          error: `Unknown service or invalid configuration: ${service}`
+        });
+        updateQueueStatus(entry.id, 'failed', { results });
+        return { success: false, results };
+      }
+
+      // Build headers
+      const headers = buildHeaders(service, token, req.headers);
+
+      // Make the request
+      const fetchOptions = {
+        method: req.method,
+        headers
+      };
+
+      if (req.body && ['POST', 'PUT', 'PATCH'].includes(req.method.toUpperCase())) {
+        fetchOptions.body = typeof req.body === 'string' ? req.body : JSON.stringify(req.body);
+      }
+
+      const response = await fetch(url, fetchOptions);
+
+      // Parse response
+      let responseBody;
+      const contentType = response.headers.get('content-type') || '';
+      if (contentType.includes('application/json')) {
+        responseBody = await response.json();
+      } else {
+        responseBody = await response.text();
+      }
+
+      const result = {
+        index: i,
+        ok: response.ok,
+        status: response.status,
+        body: responseBody
+      };
+
+      results.push(result);
+
+      // Stop on first failure
+      if (!response.ok) {
+        updateQueueStatus(entry.id, 'failed', { results });
+        return { success: false, results };
+      }
+
+    } catch (err) {
+      results.push({
+        index: i,
+        ok: false,
+        error: err.message
+      });
+      updateQueueStatus(entry.id, 'failed', { results });
+      return { success: false, results };
+    }
+  }
+
+  // All requests succeeded
+  updateQueueStatus(entry.id, 'completed', { results });
+  return { success: true, results };
+}

package/src/routes/bluesky.js

@@ -0,0 +1,130 @@
+import { Router } from 'express';
+import { getAccountCredentials, setAccountCredentials } from '../lib/db.js';
+
+const router = Router();
+const BSKY_API = 'https://bsky.social/xrpc';
+
+// Service metadata - exported for /api/readme and /api/skill
+export const serviceInfo = {
+  key: 'bluesky',
+  name: 'Bluesky',
+  shortDesc: 'Timeline, posts, profile (DMs blocked)',
+  description: 'Bluesky/AT Protocol proxy (DMs blocked)',
+  authType: 'app password',
+  docs: 'https://docs.bsky.app/docs/api/',
+  examples: [
+    'GET /api/bluesky/{accountName}/app.bsky.feed.getTimeline',
+    'GET /api/bluesky/{accountName}/app.bsky.feed.getAuthorFeed?actor={handle}',
+    'GET /api/bluesky/{accountName}/app.bsky.actor.getProfile?actor={handle}'
+  ]
+};
+
+// Blocked routes - no DMs/chat
+const BLOCKED_PATTERNS = [
+  /^chat\./,                    // all chat.bsky.* endpoints
+  /^com\.atproto\.admin/       // admin endpoints
+];
+
+// Get a valid access token, refreshing if needed
+async function getAccessToken(accountName) {
+  const creds = getAccountCredentials('bluesky', accountName);
+  if (!creds) {
+    return null;
+  }
+
+  // If we have an access token and it's not expired, use it
+  if (creds.accessJwt && creds.expiresAt && Date.now() < creds.expiresAt) {
+    return creds.accessJwt;
+  }
+
+  // Need to create a new session with app password
+  try {
+    const response = await fetch(`${BSKY_API}/com.atproto.server.createSession`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        identifier: creds.identifier,
+        password: creds.appPassword
+      })
+    });
+
+    if (!response.ok) {
+      console.error('Bluesky auth failed:', await response.text());
+      return null;
+    }
+
+    const session = await response.json();
+
+    // Store the new tokens (access token valid for ~2 hours)
+    setAccountCredentials('bluesky', accountName, {
+      identifier: creds.identifier,
+      appPassword: creds.appPassword,
+      accessJwt: session.accessJwt,
+      refreshJwt: session.refreshJwt,
+      did: session.did,
+      expiresAt: Date.now() + (90 * 60 * 1000) // 90 minutes to be safe
+    });
+
+    return session.accessJwt;
+  } catch (error) {
+    console.error('Bluesky session creation failed:', error);
+    return null;
+  }
+}
+
+// Proxy GET requests to Bluesky API
+// Route: /api/bluesky/:accountName/*
+router.get('/:accountName/*', async (req, res) => {
+  try {
+    const { accountName } = req.params;
+    const accessToken = await getAccessToken(accountName);
+    if (!accessToken) {
+      return res.status(401).json({
+        error: 'Bluesky account not configured',
+        message: `Set up Bluesky account "${accountName}" in the admin UI`
+      });
+    }
+
+    const path = req.params[0] || '';
+
+    // Check blocked routes
+    for (const pattern of BLOCKED_PATTERNS) {
+      if (pattern.test(path)) {
+        return res.status(403).json({
+          error: 'Route blocked',
+          message: 'This endpoint is blocked for privacy (DMs/chat)'
+        });
+      }
+    }
+
+    const queryString = new URLSearchParams(req.query).toString();
+    const url = `${BSKY_API}/${path}${queryString ? '?' + queryString : ''}`;
+
+    const response = await fetch(url, {
+      headers: {
+        'Authorization': `Bearer ${accessToken}`,
+        'Accept': 'application/json'
+      }
+    });
+
+    const data = await response.json();
+    res.status(response.status).json(data);
+  } catch (error) {
+    res.status(500).json({ error: 'Bluesky API request failed', message: error.message });
+  }
+});
+
+// Handle root path for account
+router.get('/:accountName', async (req, res) => {
+  res.json({
+    service: 'bluesky',
+    account: req.params.accountName,
+    description: 'Bluesky/AT Protocol proxy (DMs blocked). Append XRPC method after account name.',
+    examples: [
+      `GET /api/bluesky/${req.params.accountName}/app.bsky.feed.getTimeline`,
+      `GET /api/bluesky/${req.params.accountName}/app.bsky.actor.getProfile?actor=handle.bsky.social`
+    ]
+  });
+});
+
+export default router;

package/src/routes/calendar.js

@@ -0,0 +1,120 @@
+import { Router } from 'express';
+import { getAccountCredentials, setAccountCredentials } from '../lib/db.js';
+
+const router = Router();
+const GOOGLE_API = 'https://www.googleapis.com/calendar/v3';
+const GOOGLE_AUTH = 'https://oauth2.googleapis.com';
+
+// Service metadata - exported for /api/readme and /api/skill
+export const serviceInfo = {
+  key: 'calendar',
+  name: 'Google Calendar',
+  shortDesc: 'Events, calendars',
+  description: 'Google Calendar API proxy',
+  authType: 'oauth',
+  dbKey: 'google_calendar',
+  docs: 'https://developers.google.com/calendar/api/v3/reference',
+  examples: [
+    'GET /api/calendar/{accountName}/users/me/calendarList',
+    'GET /api/calendar/{accountName}/calendars/primary/events',
+    'GET /api/calendar/{accountName}/calendars/{calendarId}/events?timeMin={ISO8601}&timeMax={ISO8601}'
+  ]
+};
+
+// Get a valid access token, refreshing if needed
+async function getAccessToken(accountName) {
+  const creds = getAccountCredentials('google_calendar', accountName);
+  if (!creds) {
+    return null;
+  }
+
+  // If we have an access token and it's not expired, use it
+  if (creds.accessToken && creds.expiresAt && Date.now() < creds.expiresAt) {
+    return creds.accessToken;
+  }
+
+  // Need to refresh the token
+  if (!creds.refreshToken) {
+    return null;
+  }
+
+  try {
+    const response = await fetch(`${GOOGLE_AUTH}/token`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded'
+      },
+      body: new URLSearchParams({
+        client_id: creds.clientId,
+        client_secret: creds.clientSecret,
+        refresh_token: creds.refreshToken,
+        grant_type: 'refresh_token'
+      })
+    });
+
+    if (!response.ok) {
+      console.error('Google token refresh failed:', await response.text());
+      return null;
+    }
+
+    const tokens = await response.json();
+
+    // Store the new tokens
+    setAccountCredentials('google_calendar', accountName, {
+      ...creds,
+      accessToken: tokens.access_token,
+      expiresAt: Date.now() + (tokens.expires_in * 1000) - 60000 // 1 min buffer
+    });
+
+    return tokens.access_token;
+  } catch (error) {
+    console.error('Google token refresh failed:', error);
+    return null;
+  }
+}
+
+// Proxy GET requests to Google Calendar API
+// Route: /api/calendar/:accountName/*
+router.get('/:accountName/*', async (req, res) => {
+  try {
+    const { accountName } = req.params;
+    const accessToken = await getAccessToken(accountName);
+    if (!accessToken) {
+      return res.status(401).json({
+        error: 'Google Calendar account not configured',
+        message: `Set up Google Calendar account "${accountName}" in the admin UI`
+      });
+    }
+
+    const path = req.params[0] || '';
+    const queryString = new URLSearchParams(req.query).toString();
+    const url = `${GOOGLE_API}/${path}${queryString ? '?' + queryString : ''}`;
+
+    const response = await fetch(url, {
+      headers: {
+        'Authorization': `Bearer ${accessToken}`,
+        'Accept': 'application/json'
+      }
+    });
+
+    const data = await response.json();
+    res.status(response.status).json(data);
+  } catch (error) {
+    res.status(500).json({ error: 'Google Calendar API request failed', message: error.message });
+  }
+});
+
+// Handle root path for account
+router.get('/:accountName', async (req, res) => {
+  res.json({
+    service: 'google_calendar',
+    account: req.params.accountName,
+    description: 'Google Calendar API proxy. Append API path after account name.',
+    examples: [
+      `GET /api/calendar/${req.params.accountName}/users/me/calendarList`,
+      `GET /api/calendar/${req.params.accountName}/calendars/primary/events`
+    ]
+  });
+});
+
+export default router;