agentgate 0.1.0

package/src/routes/fitbit.js

@@ -0,0 +1,127 @@
+import { Router } from 'express';
+import { getAccountCredentials, setAccountCredentials } from '../lib/db.js';
+
+const router = Router();
+const FITBIT_API = 'https://api.fitbit.com';
+const FITBIT_AUTH = 'https://api.fitbit.com/oauth2/token';
+
+// Service metadata - exported for /api/readme and /api/skill
+export const serviceInfo = {
+  key: 'fitbit',
+  name: 'Fitbit',
+  shortDesc: 'Activity, sleep, heart rate, profile',
+  description: 'Fitbit API proxy',
+  authType: 'oauth',
+  docs: 'https://dev.fitbit.com/build/reference/web-api/',
+  examples: [
+    'GET /api/fitbit/{accountName}/1/user/-/profile.json',
+    'GET /api/fitbit/{accountName}/1/user/-/activities/date/today.json',
+    'GET /api/fitbit/{accountName}/1/user/-/sleep/date/today.json',
+    'GET /api/fitbit/{accountName}/1/user/-/body/log/weight/date/today.json'
+  ]
+};
+
+// Get a valid access token, refreshing if needed
+async function getAccessToken(accountName) {
+  const creds = getAccountCredentials('fitbit', accountName);
+  if (!creds) {
+    return null;
+  }
+
+  // If we have an access token and it's not expired, use it
+  if (creds.accessToken && creds.expiresAt && Date.now() < creds.expiresAt) {
+    return creds.accessToken;
+  }
+
+  // Need to refresh the token
+  if (!creds.refreshToken) {
+    return null;
+  }
+
+  try {
+    const basicAuth = Buffer.from(`${creds.clientId}:${creds.clientSecret}`).toString('base64');
+
+    const response = await fetch(FITBIT_AUTH, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Authorization': `Basic ${basicAuth}`
+      },
+      body: new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: creds.refreshToken
+      })
+    });
+
+    if (!response.ok) {
+      console.error('Fitbit token refresh failed:', await response.text());
+      return null;
+    }
+
+    const tokens = await response.json();
+
+    // Store the new tokens
+    setAccountCredentials('fitbit', accountName, {
+      ...creds,
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token || creds.refreshToken,
+      expiresAt: Date.now() + (tokens.expires_in * 1000) - 60000 // 1 min buffer
+    });
+
+    return tokens.access_token;
+  } catch (error) {
+    console.error('Fitbit token refresh failed:', error);
+    return null;
+  }
+}
+
+// Export for queue executor
+export { getAccessToken };
+
+// Proxy GET requests to Fitbit API
+// Route: /api/fitbit/:accountName/*
+router.get('/:accountName/*', async (req, res) => {
+  try {
+    const { accountName } = req.params;
+    const accessToken = await getAccessToken(accountName);
+    if (!accessToken) {
+      return res.status(401).json({
+        error: 'Fitbit account not configured',
+        message: `Set up Fitbit account "${accountName}" in the admin UI`
+      });
+    }
+
+    const path = req.params[0] || '';
+    const queryString = new URLSearchParams(req.query).toString();
+    const url = `${FITBIT_API}/${path}${queryString ? '?' + queryString : ''}`;
+
+    const response = await fetch(url, {
+      headers: {
+        'Authorization': `Bearer ${accessToken}`,
+        'Accept': 'application/json'
+      }
+    });
+
+    const data = await response.json();
+    res.status(response.status).json(data);
+  } catch (error) {
+    res.status(500).json({ error: 'Fitbit API request failed', message: error.message });
+  }
+});
+
+// Handle root path for account
+router.get('/:accountName', async (req, res) => {
+  res.json({
+    service: 'fitbit',
+    account: req.params.accountName,
+    description: 'Fitbit API proxy. Append API path after account name.',
+    examples: [
+      `GET /api/fitbit/${req.params.accountName}/1/user/-/profile.json`,
+      `GET /api/fitbit/${req.params.accountName}/1/user/-/activities/date/today.json`,
+      `GET /api/fitbit/${req.params.accountName}/1/user/-/sleep/date/today.json`,
+      `GET /api/fitbit/${req.params.accountName}/1/user/-/body/log/weight/date/today.json`
+    ]
+  });
+});
+
+export default router;

package/src/routes/github.js

@@ -0,0 +1,72 @@
+import { Router } from 'express';
+import { getAccountCredentials } from '../lib/db.js';
+
+const router = Router();
+const GITHUB_API = 'https://api.github.com';
+
+// Service metadata - exported for /api/readme and /api/skill
+export const serviceInfo = {
+  key: 'github',
+  name: 'GitHub',
+  shortDesc: 'Repos, issues, PRs, commits',
+  description: 'GitHub API proxy',
+  authType: 'personal access token',
+  docs: 'https://docs.github.com/en/rest',
+  examples: [
+    'GET /api/github/{accountName}/users/{username}',
+    'GET /api/github/{accountName}/repos/{owner}/{repo}',
+    'GET /api/github/{accountName}/repos/{owner}/{repo}/commits'
+  ],
+  writeGuidelines: [
+    'NEVER push directly to main/master branches (except for initial commits on new projects)',
+    'Always create a new branch for changes to existing projects',
+    'Run tests locally before submitting PRs (if tests exist)',
+    'Create a pull request for review',
+    'Workflow: create branch → commit changes → run tests → create PR'
+  ]
+};
+
+// Proxy all GET requests to GitHub API
+// Route: /api/github/:accountName/*
+// Uses PAT if configured (5000 req/hr), falls back to unauthenticated (60 req/hr)
+router.get('/:accountName/*', async (req, res) => {
+  try {
+    const { accountName } = req.params;
+    const path = req.params[0] || '';
+    const queryString = new URLSearchParams(req.query).toString();
+    const url = `${GITHUB_API}/${path}${queryString ? '?' + queryString : ''}`;
+
+    const headers = {
+      'Accept': 'application/vnd.github+json',
+      'User-Agent': 'agentgate-gateway'
+    };
+
+    // Add auth if configured for this account
+    const creds = getAccountCredentials('github', accountName);
+    if (creds?.token) {
+      headers['Authorization'] = `Bearer ${creds.token}`;
+    }
+
+    const response = await fetch(url, { headers });
+
+    const data = await response.json();
+    res.status(response.status).json(data);
+  } catch (error) {
+    res.status(500).json({ error: 'GitHub API request failed', message: error.message });
+  }
+});
+
+// Also handle root path for account (e.g., /api/github/personal)
+router.get('/:accountName', async (req, res) => {
+  res.json({
+    service: 'github',
+    account: req.params.accountName,
+    description: 'GitHub API proxy. Append path after account name.',
+    examples: [
+      `GET /api/github/${req.params.accountName}/users/octocat`,
+      `GET /api/github/${req.params.accountName}/repos/owner/repo`
+    ]
+  });
+});
+
+export default router;

package/src/routes/jira.js

@@ -0,0 +1,77 @@
+import { Router } from 'express';
+import { getAccountCredentials } from '../lib/db.js';
+
+const router = Router();
+
+// Service metadata - exported for /api/readme and /api/skill
+export const serviceInfo = {
+  key: 'jira',
+  name: 'Jira',
+  shortDesc: 'Issues, projects, search',
+  description: 'Jira API proxy',
+  authType: 'api token',
+  docs: 'https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/',
+  examples: [
+    'GET /api/jira/{accountName}/myself',
+    'GET /api/jira/{accountName}/project',
+    'GET /api/jira/{accountName}/search?jql=assignee=currentUser()',
+    'GET /api/jira/{accountName}/issue/{issueKey}'
+  ]
+};
+
+// Get Jira config for an account
+function getJiraConfig(accountName) {
+  const creds = getAccountCredentials('jira', accountName);
+  if (!creds || !creds.domain || !creds.email || !creds.apiToken) {
+    return null;
+  }
+  return creds;
+}
+
+// Proxy GET requests to Jira API
+// Route: /api/jira/:accountName/*
+router.get('/:accountName/*', async (req, res) => {
+  try {
+    const { accountName } = req.params;
+    const config = getJiraConfig(accountName);
+    if (!config) {
+      return res.status(401).json({
+        error: 'Jira account not configured',
+        message: `Set up Jira account "${accountName}" in the admin UI`
+      });
+    }
+
+    const path = req.params[0] || '';
+    const queryString = new URLSearchParams(req.query).toString();
+    const url = `https://${config.domain}/rest/api/3/${path}${queryString ? '?' + queryString : ''}`;
+
+    const basicAuth = Buffer.from(`${config.email}:${config.apiToken}`).toString('base64');
+
+    const response = await fetch(url, {
+      headers: {
+        'Authorization': `Basic ${basicAuth}`,
+        'Accept': 'application/json'
+      }
+    });
+
+    const data = await response.json();
+    res.status(response.status).json(data);
+  } catch (error) {
+    res.status(500).json({ error: 'Jira API request failed', message: error.message });
+  }
+});
+
+// Handle root path for account
+router.get('/:accountName', async (req, res) => {
+  res.json({
+    service: 'jira',
+    account: req.params.accountName,
+    description: 'Jira API proxy. Append API path after account name.',
+    examples: [
+      `GET /api/jira/${req.params.accountName}/myself`,
+      `GET /api/jira/${req.params.accountName}/search?jql=assignee=currentUser()`
+    ]
+  });
+});
+
+export default router;

package/src/routes/linkedin.js

@@ -0,0 +1,137 @@
+import { Router } from 'express';
+import { getAccountCredentials, setAccountCredentials } from '../lib/db.js';
+
+const router = Router();
+const LINKEDIN_API = 'https://api.linkedin.com/v2';
+
+// Service metadata - exported for /api/readme and /api/skill
+export const serviceInfo = {
+  key: 'linkedin',
+  name: 'LinkedIn',
+  shortDesc: 'Profile (messaging blocked)',
+  description: 'LinkedIn API proxy (messaging blocked)',
+  authType: 'oauth',
+  docs: 'https://learn.microsoft.com/en-us/linkedin/shared/integrations/people/profile-api',
+  examples: [
+    'GET /api/linkedin/{accountName}/me',
+    'GET /api/linkedin/{accountName}/userinfo'
+  ]
+};
+
+// Blocked routes - no messaging
+const BLOCKED_PATTERNS = [
+  /^messaging/,                 // all messaging endpoints
+  /^conversations/             // conversations
+];
+
+// Get a valid access token, refreshing if needed
+async function getAccessToken(accountName) {
+  const creds = getAccountCredentials('linkedin', accountName);
+  if (!creds) {
+    return null;
+  }
+
+  // If we have an access token and it's not expired, use it
+  if (creds.accessToken && creds.expiresAt && Date.now() < creds.expiresAt) {
+    return creds.accessToken;
+  }
+
+  // LinkedIn access tokens last 60 days, refresh tokens 365 days
+  // Need to refresh the token
+  if (!creds.refreshToken) {
+    return null;
+  }
+
+  try {
+    const response = await fetch('https://www.linkedin.com/oauth/v2/accessToken', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded'
+      },
+      body: new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: creds.refreshToken,
+        client_id: creds.clientId,
+        client_secret: creds.clientSecret
+      })
+    });
+
+    if (!response.ok) {
+      console.error('LinkedIn token refresh failed:', await response.text());
+      return null;
+    }
+
+    const tokens = await response.json();
+
+    // Store the new tokens
+    setAccountCredentials('linkedin', accountName, {
+      ...creds,
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token || creds.refreshToken,
+      expiresAt: Date.now() + (tokens.expires_in * 1000) - 60000 // 1 min buffer
+    });
+
+    return tokens.access_token;
+  } catch (error) {
+    console.error('LinkedIn token refresh failed:', error);
+    return null;
+  }
+}
+
+// Proxy GET requests to LinkedIn API
+// Route: /api/linkedin/:accountName/*
+router.get('/:accountName/*', async (req, res) => {
+  try {
+    const { accountName } = req.params;
+    const accessToken = await getAccessToken(accountName);
+    if (!accessToken) {
+      return res.status(401).json({
+        error: 'LinkedIn account not configured',
+        message: `Set up LinkedIn account "${accountName}" in the admin UI`
+      });
+    }
+
+    const path = req.params[0] || '';
+
+    // Check blocked routes
+    for (const pattern of BLOCKED_PATTERNS) {
+      if (pattern.test(path)) {
+        return res.status(403).json({
+          error: 'Route blocked',
+          message: 'This endpoint is blocked for privacy (messaging)'
+        });
+      }
+    }
+
+    const queryString = new URLSearchParams(req.query).toString();
+    const url = `${LINKEDIN_API}/${path}${queryString ? '?' + queryString : ''}`;
+
+    const response = await fetch(url, {
+      headers: {
+        'Authorization': `Bearer ${accessToken}`,
+        'X-Restli-Protocol-Version': '2.0.0',
+        'Accept': 'application/json'
+      }
+    });
+
+    const data = await response.json();
+    res.status(response.status).json(data);
+  } catch (error) {
+    res.status(500).json({ error: 'LinkedIn API request failed', message: error.message });
+  }
+});
+
+// Handle root path for account
+router.get('/:accountName', async (req, res) => {
+  res.json({
+    service: 'linkedin',
+    account: req.params.accountName,
+    description: 'LinkedIn API proxy (messaging blocked). Append API path after account name.',
+    examples: [
+      `GET /api/linkedin/${req.params.accountName}/me`,
+      `GET /api/linkedin/${req.params.accountName}/userinfo`
+    ]
+  });
+});
+
+export default router;

package/src/routes/mastodon.js

@@ -0,0 +1,91 @@
+import { Router } from 'express';
+import { getAccountCredentials } from '../lib/db.js';
+
+const router = Router();
+
+// Service metadata - exported for /api/readme and /api/skill
+export const serviceInfo = {
+  key: 'mastodon',
+  name: 'Mastodon',
+  shortDesc: 'Timeline, notifications, profile (DMs blocked)',
+  description: 'Mastodon API proxy (DMs blocked)',
+  authType: 'oauth',
+  docs: 'https://docs.joinmastodon.org/api/',
+  examples: [
+    'GET /api/mastodon/{accountName}/api/v1/timelines/home',
+    'GET /api/mastodon/{accountName}/api/v1/accounts/verify_credentials',
+    'GET /api/mastodon/{accountName}/api/v1/notifications'
+  ]
+};
+
+// Blocked routes - no DMs or conversations
+const BLOCKED_PATTERNS = [
+  /^api\/v1\/conversations/,
+  /^api\/v1\/markers/  // read position markers (privacy)
+];
+
+// Get the configured instance and access token for an account
+function getMastodonConfig(accountName) {
+  const creds = getAccountCredentials('mastodon', accountName);
+  if (!creds || !creds.accessToken || !creds.instance) {
+    return null;
+  }
+  return creds;
+}
+
+// Proxy GET requests to Mastodon API
+// Route: /api/mastodon/:accountName/*
+router.get('/:accountName/*', async (req, res) => {
+  try {
+    const { accountName } = req.params;
+    const config = getMastodonConfig(accountName);
+    if (!config) {
+      return res.status(401).json({
+        error: 'Mastodon account not configured',
+        message: `Set up Mastodon account "${accountName}" in the admin UI`
+      });
+    }
+
+    const path = req.params[0] || '';
+
+    // Check blocked routes
+    for (const pattern of BLOCKED_PATTERNS) {
+      if (pattern.test(path)) {
+        return res.status(403).json({
+          error: 'Route blocked',
+          message: 'This endpoint is blocked for privacy (DMs/conversations)'
+        });
+      }
+    }
+
+    const queryString = new URLSearchParams(req.query).toString();
+    const url = `https://${config.instance}/${path}${queryString ? '?' + queryString : ''}`;
+
+    const response = await fetch(url, {
+      headers: {
+        'Authorization': `Bearer ${config.accessToken}`,
+        'Accept': 'application/json'
+      }
+    });
+
+    const data = await response.json();
+    res.status(response.status).json(data);
+  } catch (error) {
+    res.status(500).json({ error: 'Mastodon API request failed', message: error.message });
+  }
+});
+
+// Handle root path for account
+router.get('/:accountName', async (req, res) => {
+  res.json({
+    service: 'mastodon',
+    account: req.params.accountName,
+    description: 'Mastodon API proxy (DMs blocked). Append API path after account name.',
+    examples: [
+      `GET /api/mastodon/${req.params.accountName}/api/v1/timelines/home`,
+      `GET /api/mastodon/${req.params.accountName}/api/v1/accounts/verify_credentials`
+    ]
+  });
+});
+
+export default router;

package/src/routes/queue.js

@@ -0,0 +1,186 @@
+import { Router } from 'express';
+import { createQueueEntry, getQueueEntry, getAccountCredentials, listQueueEntriesBySubmitter } from '../lib/db.js';
+
+const router = Router();
+
+// Valid services that support write operations
+const VALID_SERVICES = ['github', 'bluesky', 'reddit', 'mastodon', 'calendar', 'google_calendar', 'youtube', 'linkedin', 'jira', 'fitbit'];
+
+// Valid HTTP methods for write operations
+const VALID_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];
+
+// Submit a batch of write requests for approval
+// POST /api/queue/:service/:accountName/submit
+router.post('/:service/:accountName/submit', (req, res) => {
+  try {
+    const { service, accountName } = req.params;
+    const { requests, comment } = req.body;
+
+    // Validate service
+    if (!VALID_SERVICES.includes(service)) {
+      return res.status(400).json({
+        error: 'Invalid service',
+        message: `Service must be one of: ${VALID_SERVICES.join(', ')}`
+      });
+    }
+
+    // Check account exists
+    const creds = getAccountCredentials(service, accountName);
+    if (!creds) {
+      return res.status(404).json({
+        error: 'Account not found',
+        message: `No ${service} account named "${accountName}" is configured`
+      });
+    }
+
+    // Validate requests array
+    if (!Array.isArray(requests) || requests.length === 0) {
+      return res.status(400).json({
+        error: 'Invalid requests',
+        message: 'requests must be a non-empty array'
+      });
+    }
+
+    // Validate each request in the batch
+    for (let i = 0; i < requests.length; i++) {
+      const req_item = requests[i];
+
+      if (!req_item.method || !VALID_METHODS.includes(req_item.method.toUpperCase())) {
+        return res.status(400).json({
+          error: 'Invalid request method',
+          message: `Request ${i}: method must be one of: ${VALID_METHODS.join(', ')}`
+        });
+      }
+
+      if (!req_item.path || typeof req_item.path !== 'string') {
+        return res.status(400).json({
+          error: 'Invalid request path',
+          message: `Request ${i}: path is required and must be a string`
+        });
+      }
+
+      // Normalize method to uppercase
+      requests[i].method = req_item.method.toUpperCase();
+    }
+
+    // Get the API key name for audit trail
+    const submittedBy = req.apiKeyInfo?.name || 'unknown';
+
+    // Create the queue entry
+    const entry = createQueueEntry(service, accountName, requests, comment, submittedBy);
+
+    res.status(201).json({
+      id: entry.id,
+      status: entry.status,
+      message: 'Request queued for approval'
+    });
+
+  } catch (error) {
+    res.status(500).json({
+      error: 'Failed to queue request',
+      message: error.message
+    });
+  }
+});
+
+// List all queue entries submitted by the requesting API key
+// GET /api/queue/list (all services) or /api/queue/:service/:accountName/list (filtered)
+router.get('/list', (req, res) => {
+  try {
+    const submittedBy = req.apiKeyInfo?.name || 'unknown';
+    const entries = listQueueEntriesBySubmitter(submittedBy);
+
+    res.json({
+      count: entries.length,
+      entries: entries
+    });
+  } catch (error) {
+    res.status(500).json({
+      error: 'Failed to list queue entries',
+      message: error.message
+    });
+  }
+});
+
+router.get('/:service/:accountName/list', (req, res) => {
+  try {
+    const { service, accountName } = req.params;
+    const submittedBy = req.apiKeyInfo?.name || 'unknown';
+
+    // Validate service
+    if (!VALID_SERVICES.includes(service)) {
+      return res.status(400).json({
+        error: 'Invalid service',
+        message: `Service must be one of: ${VALID_SERVICES.join(', ')}`
+      });
+    }
+
+    const entries = listQueueEntriesBySubmitter(submittedBy, service, accountName);
+
+    res.json({
+      count: entries.length,
+      entries: entries
+    });
+  } catch (error) {
+    res.status(500).json({
+      error: 'Failed to list queue entries',
+      message: error.message
+    });
+  }
+});
+
+// Check status of a queued request
+// GET /api/queue/:service/:accountName/status/:id
+router.get('/:service/:accountName/status/:id', (req, res) => {
+  try {
+    const { service, accountName, id } = req.params;
+
+    const entry = getQueueEntry(id);
+
+    if (!entry) {
+      return res.status(404).json({
+        error: 'Not found',
+        message: `No queue entry with id "${id}"`
+      });
+    }
+
+    // Verify the entry belongs to this service/account
+    if (entry.service !== service || entry.account_name !== accountName) {
+      return res.status(404).json({
+        error: 'Not found',
+        message: `No queue entry with id "${id}" for ${service}/${accountName}`
+      });
+    }
+
+    // Build response based on status
+    const response = {
+      id: entry.id,
+      status: entry.status,
+      submitted_at: entry.submitted_at
+    };
+
+    if (entry.status === 'rejected') {
+      response.rejection_reason = entry.rejection_reason;
+      response.reviewed_at = entry.reviewed_at;
+    }
+
+    if (entry.status === 'completed' || entry.status === 'failed') {
+      response.results = entry.results;
+      response.completed_at = entry.completed_at;
+    }
+
+    if (entry.status === 'executing') {
+      response.message = 'Request is currently being executed';
+    }
+
+    res.json(response);
+
+  } catch (error) {
+    res.status(500).json({
+      error: 'Failed to get status',
+      message: error.message
+    });
+  }
+});
+
+export default router;