apteva 0.4.17 → 0.4.19

package/src/routes/api/agent-utils.ts

@@ -2,7 +2,7 @@ import { spawn } from "bun";
 import { join } from "path";
 import { homedir } from "os";
 import { mkdirSync, existsSync, rmSync } from "fs";
-import { agentProcesses, agentsStarting, getBinaryPathForAgent, getBinaryStatus, BIN_DIR, telemetryBroadcaster, type TelemetryEvent } from "../../server";
+import { agentProcesses, agentsStarting, getBinaryPathForAgent, getBinaryStatus, BIN_DIR, telemetryBroadcaster, isShuttingDown, type TelemetryEvent } from "../../server";
 import { AgentDB, McpServerDB, SkillDB, TelemetryDB, generateId, getMultiAgentConfig, type Agent, type Project } from "../../db";
 import { ProviderKeys, PROVIDERS, type ProviderId } from "../../providers";
 import { binaryExists } from "../../binary";
@@ -520,8 +520,9 @@ export async function startAgentProcess(
     // Store process with port for tracking
     agentProcesses.set(agent.id, { proc, port });
 
-    // Detect unexpected process exits (crashes)
+    // Detect unexpected process exits (crashes) — but not during server shutdown
     proc.exited.then((code) => {
+      if (isShuttingDown()) return; // Don't update DB during shutdown — keeps status "running" for auto-restart
       if (agentProcesses.has(agent.id)) {
         agentProcesses.delete(agent.id);
         setAgentStatus(agent.id, "stopped", code === 0 ? "exited" : "crashed");
@@ -632,6 +633,41 @@ export function toApiAgent(agent: Agent) {
   };
 }
 
+// Batch transform: fetch all MCP servers + skills in 2 queries instead of N per agent
+export function toApiAgentsBatch(agents: Agent[]) {
+  // Collect all unique IDs
+  const allMcpIds = new Set<string>();
+  const allSkillIds = new Set<string>();
+  for (const agent of agents) {
+    for (const id of agent.mcp_servers || []) allMcpIds.add(id);
+    for (const id of agent.skills || []) allSkillIds.add(id);
+  }
+
+  // Batch load in 2 queries
+  const mcpMap = McpServerDB.findByIds([...allMcpIds]);
+  const skillMap = SkillDB.findByIds([...allSkillIds]);
+
+  return agents.map(agent => {
+    const mcpServerDetails = (agent.mcp_servers || [])
+      .map(id => mcpMap.get(id))
+      .filter((s): s is NonNullable<typeof s> => !!s)
+      .map(s => ({ id: s.id, name: s.name, type: s.type, status: s.status, port: s.port, url: s.url }));
+
+    const skillDetails = (agent.skills || [])
+      .map(id => skillMap.get(id))
+      .filter((s): s is NonNullable<typeof s> => !!s)
+      .map(s => ({ id: s.id, name: s.name, description: s.description, version: s.version, enabled: s.enabled }));
+
+    return {
+      id: agent.id, name: agent.name, model: agent.model, provider: agent.provider,
+      systemPrompt: agent.system_prompt, status: agent.status, port: agent.port,
+      features: agent.features, mcpServers: agent.mcp_servers, mcpServerDetails,
+      skills: agent.skills, skillDetails, projectId: agent.project_id,
+      createdAt: agent.created_at, updatedAt: agent.updated_at,
+    };
+  });
+}
+
 // Transform DB project to API response format
 export function toApiProject(project: Project) {
   return {

package/src/routes/api/agents.ts

@@ -3,7 +3,7 @@ import { join } from "path";
 import { json, isDev } from "./helpers";
 import {
   agentFetch,
-  toApiAgent,
+  toApiAgent, toApiAgentsBatch,
   checkPortFree,
   startAgentProcess,
   buildAgentConfig,
@@ -30,7 +30,7 @@ export async function handleAgentRoutes(
   // GET /api/agents - List all agents (excludes meta agent)
   if (path === "/api/agents" && method === "GET") {
     const agents = AgentDB.findAll().filter(a => a.id !== META_AGENT_ID);
-    return json({ agents: agents.map(toApiAgent) });
+    return json({ agents: toApiAgentsBatch(agents) });
   }
 
   // POST /api/agents - Create a new agent
@@ -345,6 +345,69 @@ export async function handleAgentRoutes(
     }
   }
 
+  // ==================== WEBHOOK ENDPOINT ====================
+
+  // POST /api/agents/:id/webhook - Receive external trigger events and forward to agent chat
+  const webhookMatch = path.match(/^\/api\/agents\/([^/]+)\/webhook$/);
+  if (webhookMatch && method === "POST") {
+    const agent = AgentDB.findById(webhookMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const body = await req.json();
+
+      // Format the webhook payload as a chat message
+      const triggerSlug = body.trigger_name || body.type || "unknown_trigger";
+      const eventPayload = body.payload || body.data || body;
+
+      const triggerName = String(triggerSlug).replace(/_/g, " ");
+      const message = [
+        `[Trigger: ${triggerName}]`,
+        "",
+        "```json",
+        JSON.stringify(eventPayload, null, 2),
+        "```",
+        "",
+        "Process this event and take appropriate action.",
+      ].join("\n");
+
+      // Forward to agent's /chat endpoint
+      const response = await agentFetch(agent.id, agent.port, "/chat", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ message }),
+      });
+
+      // Consume the streaming response (we don't need the agent's reply)
+      if (response.body) {
+        try {
+          const reader = response.body.getReader();
+          while (true) {
+            const { done } = await reader.read();
+            if (done) break;
+          }
+        } catch {
+          // Ignore read errors
+        }
+      }
+
+      if (!response.ok) {
+        return json({ error: "Agent failed to process webhook" }, 502);
+      }
+
+      return json({ received: true, agent_id: agent.id, trigger: triggerSlug });
+    } catch (err) {
+      console.error(`Webhook proxy error for agent ${webhookMatch[1]}:`, err);
+      return json({ error: `Failed to process webhook: ${err}` }, 500);
+    }
+  }
+
   // ==================== THREAD & MESSAGE PROXY ====================
 
   // GET/POST /api/agents/:id/threads

package/src/routes/api/channels.ts

@@ -0,0 +1,182 @@
+import { json } from "./helpers";
+import { ChannelDB, AgentDB } from "../../db";
+import { encryptObject } from "../../crypto";
+import { startChannel, stopChannel } from "../../channels";
+
+export async function handleChannelRoutes(
+  req: Request,
+  path: string,
+  method: string,
+): Promise<Response | null> {
+  // GET /api/channels - List all channels
+  if (path === "/api/channels" && method === "GET") {
+    const channels = ChannelDB.findAll();
+    // Strip encrypted config from list response
+    const safe = channels.map(ch => ({
+      id: ch.id,
+      type: ch.type,
+      name: ch.name,
+      agent_id: ch.agent_id,
+      status: ch.status,
+      error: ch.error,
+      project_id: ch.project_id,
+      created_at: ch.created_at,
+      updated_at: ch.updated_at,
+    }));
+    return json({ channels: safe });
+  }
+
+  // POST /api/channels - Create a new channel
+  if (path === "/api/channels" && method === "POST") {
+    const body = await req.json();
+    const { type, name, agent_id, config, project_id } = body;
+
+    if (!type || !name || !agent_id || !config) {
+      return json({ error: "Missing required fields: type, name, agent_id, config" }, 400);
+    }
+
+    if (type !== "telegram") {
+      return json({ error: `Unsupported channel type: ${type}. Supported: telegram` }, 400);
+    }
+
+    // Validate agent exists
+    const agent = AgentDB.findById(agent_id);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    // Validate config has required fields
+    if (!config.botToken) {
+      return json({ error: "Missing botToken in config" }, 400);
+    }
+
+    // Encrypt config before storing
+    const encryptedConfig = encryptObject(config);
+
+    const channel = ChannelDB.create({
+      type,
+      name,
+      agent_id,
+      config: encryptedConfig,
+      project_id: project_id || null,
+    });
+
+    return json({
+      channel: {
+        id: channel.id,
+        type: channel.type,
+        name: channel.name,
+        agent_id: channel.agent_id,
+        status: channel.status,
+        error: channel.error,
+        project_id: channel.project_id,
+        created_at: channel.created_at,
+      },
+    }, 201);
+  }
+
+  // Routes with channel ID
+  const channelMatch = path.match(/^\/api\/channels\/([^/]+)$/);
+  const channelActionMatch = path.match(/^\/api\/channels\/([^/]+)\/(start|stop)$/);
+
+  // GET /api/channels/:id - Get channel detail
+  if (channelMatch && method === "GET") {
+    const channel = ChannelDB.findById(channelMatch[1]);
+    if (!channel) return json({ error: "Channel not found" }, 404);
+
+    return json({
+      channel: {
+        id: channel.id,
+        type: channel.type,
+        name: channel.name,
+        agent_id: channel.agent_id,
+        status: channel.status,
+        error: channel.error,
+        project_id: channel.project_id,
+        created_at: channel.created_at,
+        updated_at: channel.updated_at,
+      },
+    });
+  }
+
+  // PUT /api/channels/:id - Update channel
+  if (channelMatch && method === "PUT") {
+    const channel = ChannelDB.findById(channelMatch[1]);
+    if (!channel) return json({ error: "Channel not found" }, 404);
+
+    if (channel.status === "running") {
+      return json({ error: "Stop the channel before updating" }, 400);
+    }
+
+    const body = await req.json();
+    const updates: Record<string, any> = {};
+
+    if (body.name !== undefined) updates.name = body.name;
+    if (body.agent_id !== undefined) {
+      const agent = AgentDB.findById(body.agent_id);
+      if (!agent) return json({ error: "Agent not found" }, 404);
+      updates.agent_id = body.agent_id;
+    }
+    if (body.config !== undefined) {
+      if (!body.config.botToken) {
+        return json({ error: "Missing botToken in config" }, 400);
+      }
+      updates.config = encryptObject(body.config);
+    }
+    if (body.project_id !== undefined) updates.project_id = body.project_id;
+
+    const updated = ChannelDB.update(channelMatch[1], updates);
+    return json({
+      channel: updated ? {
+        id: updated.id,
+        type: updated.type,
+        name: updated.name,
+        agent_id: updated.agent_id,
+        status: updated.status,
+        project_id: updated.project_id,
+      } : null,
+    });
+  }
+
+  // DELETE /api/channels/:id - Delete channel
+  if (channelMatch && method === "DELETE") {
+    const channel = ChannelDB.findById(channelMatch[1]);
+    if (!channel) return json({ error: "Channel not found" }, 404);
+
+    // Stop if running
+    if (channel.status === "running") {
+      await stopChannel(channel.id);
+    }
+
+    ChannelDB.delete(channelMatch[1]);
+    return json({ deleted: true });
+  }
+
+  // POST /api/channels/:id/start - Start channel
+  if (channelActionMatch && channelActionMatch[2] === "start" && method === "POST") {
+    const channel = ChannelDB.findById(channelActionMatch[1]);
+    if (!channel) return json({ error: "Channel not found" }, 404);
+
+    if (channel.status === "running") {
+      return json({ error: "Channel is already running" }, 400);
+    }
+
+    const result = await startChannel(channel.id);
+    if (!result.success) {
+      return json({ error: result.error || "Failed to start channel" }, 500);
+    }
+
+    return json({ started: true });
+  }
+
+  // POST /api/channels/:id/stop - Stop channel
+  if (channelActionMatch && channelActionMatch[2] === "stop" && method === "POST") {
+    const channel = ChannelDB.findById(channelActionMatch[1]);
+    if (!channel) return json({ error: "Channel not found" }, 404);
+
+    await stopChannel(channel.id);
+    return json({ stopped: true });
+  }
+
+  return null;
+}

package/src/routes/api/integrations.ts

@@ -77,19 +77,25 @@ export async function handleIntegrationRoutes(
 
     const url = new URL(req.url);
     const projectId = url.searchParams.get("project_id") || null;
+    console.log(`[integrations/connected] provider=${providerId}, projectId=${projectId}`);
     const apiKey = ProviderKeys.getDecryptedForProject(providerId, projectId);
+    console.log(`[integrations/connected] apiKey found: ${!!apiKey}, length: ${apiKey?.length || 0}`);
     if (!apiKey) {
+      console.log(`[integrations/connected] NO API KEY for ${providerId}`);
       return json({ error: `${provider.name} API key not configured`, accounts: [] }, 200);
     }
 
     // Use Apteva user ID as the entity ID for the provider
-    const userId = user?.id || "default";
+    if (!user?.id) {
+      return json({ error: "Authentication required" }, 401);
+    }
 
     try {
-      const accounts = await provider.listConnectedAccounts(apiKey, userId);
+      const accounts = await provider.listConnectedAccounts(apiKey, user.id);
+      console.log(`[integrations/connected] Got ${accounts.length} accounts from ${providerId}`);
       return json({ accounts });
     } catch (e) {
-      console.error(`Failed to list connected accounts from ${providerId}:`, e);
+      console.error(`[integrations/connected] Failed from ${providerId}:`, e);
       return json({ error: "Failed to fetch connected accounts" }, 500);
     }
   }
@@ -116,12 +122,14 @@ export async function handleIntegrationRoutes(
       }
 
       // Use Apteva user ID as the entity ID
-      const userId = user?.id || "default";
+      if (!user?.id) {
+        return json({ error: "Authentication required" }, 401);
+      }
 
       // Default redirect URL back to our integrations page
       const callbackUrl = redirectUrl || `http://localhost:${process.env.PORT || 4280}/mcp?tab=hosted&connected=${appSlug}`;
 
-      const result = await provider.initiateConnection(apiKey, userId, appSlug, callbackUrl, credentials);
+      const result = await provider.initiateConnection(apiKey, user.id, appSlug, callbackUrl, credentials);
       return json(result);
     } catch (e) {
       console.error(`Failed to initiate connection for ${providerId}:`, e);

package/src/routes/api/mcp.ts

@@ -221,6 +221,21 @@ export async function handleMcpRoutes(
       });
     };
 
+    // Validate package/command names to prevent injection
+    const SAFE_PACKAGE_RE = /^(@[a-z0-9._-]+\/)?[a-z0-9._-]+(@[a-z0-9^~>=<.*-]+)?(\[[\w,]+\])?$/i;
+
+    // Parse args safely — split on whitespace but respect quoted strings
+    const parseArgs = (raw: string, env: Record<string, string>): string[] => {
+      const substituted = substituteEnvVars(raw, env);
+      const args: string[] = [];
+      const re = /"([^"]*?)"|'([^']*?)'|(\S+)/g;
+      let m;
+      while ((m = re.exec(substituted)) !== null) {
+        args.push(m[1] ?? m[2] ?? m[3]);
+      }
+      return args;
+    };
+
     let cmd: string[];
     const serverEnv = server.env || {};
 
@@ -228,17 +243,19 @@ export async function handleMcpRoutes(
       // Custom command - substitute env vars in args
       cmd = server.command.split(" ");
       if (server.args) {
-        const substitutedArgs = substituteEnvVars(server.args, serverEnv);
-        cmd.push(...substitutedArgs.split(" "));
+        cmd.push(...parseArgs(server.args, serverEnv));
       }
     } else if (server.type === "pip" && server.package) {
       // Python pip package - install first, then run module
       const pipPackage = server.package;
+      if (!SAFE_PACKAGE_RE.test(pipPackage)) {
+        return json({ error: "Invalid pip package name" }, 400);
+      }
       const pipModule = server.pip_module || server.package.split("[")[0]; // Default: package name without extras
 
       console.log(`Installing pip package: ${pipPackage}...`);
       const installResult = spawn({
-        cmd: ["pip", "install", "--quiet", "--break-system-packages", pipPackage],
+        cmd: ["pip", "install", "--quiet", "--no-scripts", pipPackage],
         env: { ...process.env as Record<string, string>, ...serverEnv },
         stdout: "pipe",
         stderr: "pipe",
@@ -254,15 +271,16 @@ export async function handleMcpRoutes(
       // Now run the module
       cmd = ["python", "-m", pipModule];
       if (server.args) {
-        const substitutedArgs = substituteEnvVars(server.args, serverEnv);
-        cmd.push(...substitutedArgs.split(" "));
+        cmd.push(...parseArgs(server.args, serverEnv));
       }
     } else if (server.package) {
-      // npm package - use npx
-      cmd = ["npx", "-y", server.package];
+      // npm package - use npx with --ignore-scripts to prevent supply chain attacks
+      if (!SAFE_PACKAGE_RE.test(server.package)) {
+        return json({ error: "Invalid npm package name" }, 400);
+      }
+      cmd = ["npx", "--ignore-scripts", "-y", server.package];
       if (server.args) {
-        const substitutedArgs = substituteEnvVars(server.args, serverEnv);
-        cmd.push(...substitutedArgs.split(" "));
+        cmd.push(...parseArgs(server.args, serverEnv));
       }
     } else {
       return json({ error: "No command or package specified" }, 400);

package/src/routes/api/projects.ts

@@ -1,6 +1,7 @@
 import { json } from "./helpers";
 import { AgentDB, ProjectDB, type Project } from "../../db";
-import { toApiAgent, toApiProject } from "./agent-utils";
+import { toApiAgent, toApiAgentsBatch, toApiProject, setAgentStatus } from "./agent-utils";
+import { agentProcesses } from "../../server";
 
 export async function handleProjectRoutes(
   req: Request,
@@ -54,7 +55,7 @@ export async function handleProjectRoutes(
     const agents = AgentDB.findByProject(project.id);
     return json({
       project: toApiProject(project),
-      agents: agents.map(toApiAgent),
+      agents: toApiAgentsBatch(agents),
     });
   }
 
@@ -87,6 +88,22 @@ export async function handleProjectRoutes(
       return json({ error: "Project not found" }, 404);
     }
 
+    // Stop any running agents in this project first
+    const projectAgents = AgentDB.findByProject(projectMatch[1]);
+    for (const agent of projectAgents) {
+      if (agent.status === "running") {
+        const entry = agentProcesses.get(agent.id);
+        if (entry) {
+          try {
+            await fetch(`http://localhost:${entry.port}/shutdown`, { method: "POST", signal: AbortSignal.timeout(1000) }).catch(() => {});
+            entry.proc.kill();
+          } catch {}
+          agentProcesses.delete(agent.id);
+        }
+        setAgentStatus(agent.id, "stopped", "project_deleted");
+      }
+    }
+
     ProjectDB.delete(projectMatch[1]);
     return json({ success: true });
   }

package/src/routes/api/system.ts

@@ -139,17 +139,21 @@ export async function handleSystemRoutes(
 
     const allTasks: any[] = [];
 
-    for (const agent of runningAgents) {
-      const data = await fetchFromAgent(agent.id, agent.port!, `/tasks?status=${status}`);
-      if (data?.tasks) {
-        // Add agent info to each task
-        for (const task of data.tasks) {
-          allTasks.push({
-            ...task,
-            agentId: agent.id,
-            agentName: agent.name,
-          });
+    // Fetch tasks from all agents in parallel
+    const results = await Promise.all(
+      runningAgents.map(async (agent) => {
+        try {
+          const data = await fetchFromAgent(agent.id, agent.port!, `/tasks?status=${status}`);
+          return { agent, tasks: data?.tasks || [] };
+        } catch {
+          return { agent, tasks: [] };
         }
+      })
+    );
+
+    for (const { agent, tasks } of results) {
+      for (const task of tasks) {
+        allTasks.push({ ...task, agentId: agent.id, agentName: agent.name });
       }
     }
 
@@ -191,8 +195,18 @@ export async function handleSystemRoutes(
     let completedTasks = 0;
     let runningTasks = 0;
 
-    for (const agent of runningAgents) {
-      const data = await fetchFromAgent(agent.id, agent.port!, "/tasks?status=all");
+    // Fetch task stats from all agents in parallel
+    const taskResults = await Promise.all(
+      runningAgents.map(async (agent) => {
+        try {
+          return await fetchFromAgent(agent.id, agent.port!, "/tasks?status=all");
+        } catch {
+          return null;
+        }
+      })
+    );
+
+    for (const data of taskResults) {
       if (data?.tasks) {
         totalTasks += data.tasks.length;
         for (const task of data.tasks) {

package/src/routes/api/telemetry.ts

@@ -139,5 +139,35 @@ export async function handleTelemetryRoutes(
     return json({ deleted });
   }
 
+  // --- Notification endpoints (piggyback on telemetry `seen` flag) ---
+
+  // GET /api/notifications - Get notification-worthy events
+  if (path === "/api/notifications" && method === "GET") {
+    const url = new URL(req.url);
+    const limit = parseInt(url.searchParams.get("limit") || "50");
+    const notifications = TelemetryDB.getNotifications(limit);
+    return json({ notifications });
+  }
+
+  // GET /api/notifications/count - Get unseen notification count
+  if (path === "/api/notifications/count" && method === "GET") {
+    const count = TelemetryDB.getUnseenCount();
+    return json({ count });
+  }
+
+  // POST /api/notifications/mark-seen - Mark specific notifications as seen
+  if (path === "/api/notifications/mark-seen" && method === "POST") {
+    const body = await req.json() as { ids?: string[]; all?: boolean };
+    if (body.all) {
+      const updated = TelemetryDB.markAllSeen();
+      return json({ updated });
+    }
+    if (body.ids && body.ids.length > 0) {
+      const updated = TelemetryDB.markSeen(body.ids);
+      return json({ updated });
+    }
+    return json({ error: "Provide ids array or all: true" }, 400);
+  }
+
   return null;
 }