apteva 0.4.18 → 0.4.19

package/src/channels/telegram.ts

@@ -0,0 +1,306 @@
+import { Bot } from "grammy";
+import { AgentDB, ChannelDB } from "../db";
+import { decryptObject } from "../crypto";
+import { agentFetch } from "../routes/api/agent-utils";
+
+interface TelegramConfig {
+  botToken: string;
+  allowList?: string[]; // Telegram user IDs allowed to chat
+}
+
+// In-memory map of running bot instances
+const activeBots = new Map<string, Bot>();
+
+export function isChannelActive(channelId: string): boolean {
+  return activeBots.has(channelId);
+}
+
+export async function startTelegramChannel(channelId: string): Promise<{ success: boolean; error?: string }> {
+  // Stop existing if running
+  if (activeBots.has(channelId)) {
+    await stopTelegramChannel(channelId);
+  }
+
+  const channel = ChannelDB.findById(channelId);
+  if (!channel) return { success: false, error: "Channel not found" };
+
+  let config: TelegramConfig;
+  try {
+    config = decryptObject(channel.config) as unknown as TelegramConfig;
+  } catch {
+    ChannelDB.setStatus(channelId, "error", "Failed to decrypt config");
+    return { success: false, error: "Failed to decrypt config" };
+  }
+
+  if (!config.botToken) {
+    ChannelDB.setStatus(channelId, "error", "Missing bot token");
+    return { success: false, error: "Missing bot token" };
+  }
+
+  const agent = AgentDB.findById(channel.agent_id);
+  if (!agent) {
+    ChannelDB.setStatus(channelId, "error", "Agent not found");
+    return { success: false, error: "Agent not found" };
+  }
+
+  try {
+    const bot = new Bot(config.botToken);
+
+    // /start command
+    bot.command("start", async (ctx) => {
+      await ctx.reply(`Connected to agent: ${agent.name}`);
+    });
+
+    // Handle text messages
+    bot.on("message:text", async (ctx) => {
+      // Access control
+      if (config.allowList?.length) {
+        const senderId = String(ctx.from.id);
+        if (!config.allowList.includes(senderId)) return;
+      }
+
+      // Check agent is running
+      const currentAgent = AgentDB.findById(channel.agent_id);
+      if (!currentAgent || currentAgent.status !== "running" || !currentAgent.port) {
+        await ctx.reply("Agent is not running.");
+        return;
+      }
+
+      // Send typing indicator
+      await ctx.replyWithChatAction("typing");
+
+      try {
+        // Map telegram chat → agent thread
+        const threadId = `telegram-${ctx.chat.id}`;
+
+        // Proxy to agent via agentFetch (same path as web UI chat)
+        const res = await agentFetch(currentAgent.id, currentAgent.port, "/chat", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            message: ctx.message.text,
+            thread_id: threadId,
+          }),
+        });
+
+        if (!res.ok) {
+          await ctx.reply("Error: agent returned an error.");
+          return;
+        }
+
+        // Stream response and send messages progressively as segments complete
+        await streamAndSend(res, ctx);
+      } catch (err) {
+        console.error(`[telegram:${channelId}] Message handling error:`, err);
+        await ctx.reply("Error processing your message.");
+      }
+    });
+
+    // Error handler
+    bot.catch((err) => {
+      console.error(`[telegram:${channelId}] Bot error:`, err);
+    });
+
+    // Start long-polling (non-blocking)
+    bot.start({
+      onStart: () => {
+        console.log(`[telegram:${channelId}] Bot started for agent ${agent.name}`);
+      },
+    });
+
+    activeBots.set(channelId, bot);
+    ChannelDB.setStatus(channelId, "running");
+    return { success: true };
+  } catch (err: any) {
+    const errorMsg = err.message || String(err);
+    console.error(`[telegram:${channelId}] Failed to start:`, errorMsg);
+    ChannelDB.setStatus(channelId, "error", errorMsg);
+    return { success: false, error: errorMsg };
+  }
+}
+
+export async function stopTelegramChannel(channelId: string): Promise<void> {
+  const bot = activeBots.get(channelId);
+  if (bot) {
+    try {
+      await bot.stop();
+    } catch {
+      // Ignore stop errors
+    }
+    activeBots.delete(channelId);
+  }
+  ChannelDB.setStatus(channelId, "stopped");
+  console.log(`[telegram:${channelId}] Bot stopped`);
+}
+
+/**
+ * Stream SSE response from agent and send Telegram messages progressively.
+ * Mirrors the chunk types from apteva-kit's chat component:
+ *   content/token → accumulate text, send when a boundary is hit
+ *   tool_call → flush pending text, send tool indicator immediately
+ *   tool_use, tool_input_delta, tool_result, tool_stream → skipped
+ *
+ * Messages are sent as soon as each segment completes (tool boundary or end of stream),
+ * so the user sees them appear progressively in real-time.
+ */
+async function streamAndSend(
+  res: Response,
+  ctx: { reply: (text: string, opts?: any) => Promise<any>; replyWithChatAction: (action: string) => Promise<any> },
+  onActivity?: () => void,
+): Promise<void> {
+  if (!res.body) {
+    await ctx.reply("(No response from agent)");
+    return;
+  }
+
+  const reader = res.body.getReader();
+  const decoder = new TextDecoder();
+  let textBuffer = "";
+  let buffer = "";
+  let messagesSent = 0;
+
+  async function flushText() {
+    const trimmed = textBuffer.trim();
+    if (trimmed) {
+      const chunks = splitMessage(trimmed, 4096);
+      for (const chunk of chunks) {
+        try {
+          await ctx.reply(chunk, { parse_mode: "Markdown" });
+        } catch {
+          await ctx.reply(chunk);
+        }
+        messagesSent++;
+      }
+    }
+    textBuffer = "";
+  }
+
+  // Periodically send typing indicator while streaming
+  const typingInterval = setInterval(() => {
+    ctx.replyWithChatAction("typing").catch(() => {});
+  }, 4000);
+
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      buffer += decoder.decode(value, { stream: true });
+
+      const lines = buffer.split("\n");
+      buffer = lines.pop() || "";
+
+      for (const line of lines) {
+        if (!line.startsWith("data: ")) continue;
+        const data = line.slice(6).trim();
+        if (data === "[DONE]") continue;
+
+        try {
+          const chunk = JSON.parse(data);
+
+          switch (chunk.type) {
+            // Text content — accumulate
+            case "content":
+            case "token":
+              if (chunk.content) textBuffer += chunk.content;
+              else if (chunk.text) textBuffer += chunk.text;
+              break;
+
+            // Tool starting — flush text immediately, then send tool indicator
+            case "tool_call": {
+              await flushText();
+              const name = chunk.tool_display_name || chunk.tool_name || "tool";
+              try {
+                await ctx.reply(`🔧 _${escapeMarkdown(name)}_`, { parse_mode: "Markdown" });
+              } catch {
+                await ctx.reply(`🔧 ${name}`);
+              }
+              messagesSent++;
+              break;
+            }
+
+            // Intermediate tool events — skip, but signal activity
+            case "tool_input_delta":
+            case "tool_use":
+            case "tool_stream":
+            case "tool_result":
+              onActivity?.();
+              break;
+
+            // Fallback: older SSE formats
+            case "message_delta":
+              if (chunk.delta?.text) textBuffer += chunk.delta.text;
+              break;
+            case "content_block_delta":
+              if (chunk.delta?.text) textBuffer += chunk.delta.text;
+              break;
+
+            default:
+              if (chunk.content && typeof chunk.content === "string") {
+                textBuffer += chunk.content;
+              } else if (typeof chunk.text === "string") {
+                textBuffer += chunk.text;
+              }
+              break;
+          }
+        } catch {
+          if (data && data !== "[DONE]") {
+            textBuffer += data;
+          }
+        }
+      }
+    }
+  } catch {
+    // Stream read error — flush what we have
+  } finally {
+    clearInterval(typingInterval);
+  }
+
+  // Flush remaining text
+  await flushText();
+
+  if (messagesSent === 0) {
+    await ctx.reply("(No response from agent)");
+  }
+}
+
+/**
+ * Escape special Markdown characters for Telegram Markdown parse mode.
+ */
+function escapeMarkdown(text: string): string {
+  return text.replace(/([_*\[\]()~`>#+\-=|{}.!\\])/g, "\\$1");
+}
+
+/**
+ * Split a message into chunks respecting the max length.
+ * Tries to split at newlines when possible.
+ */
+function splitMessage(text: string, maxLength: number): string[] {
+  if (text.length <= maxLength) return [text];
+
+  const chunks: string[] = [];
+  let remaining = text;
+
+  while (remaining.length > 0) {
+    if (remaining.length <= maxLength) {
+      chunks.push(remaining);
+      break;
+    }
+
+    // Try to find a newline near the limit
+    let splitAt = remaining.lastIndexOf("\n", maxLength);
+    if (splitAt < maxLength * 0.5) {
+      // No good newline found — split at space
+      splitAt = remaining.lastIndexOf(" ", maxLength);
+    }
+    if (splitAt < maxLength * 0.3) {
+      // No good split point — hard split
+      splitAt = maxLength;
+    }
+
+    chunks.push(remaining.slice(0, splitAt));
+    remaining = remaining.slice(splitAt).trimStart();
+  }
+
+  return chunks;
+}

package/src/db.ts

@@ -217,6 +217,33 @@ export interface SubscriptionRow {
   updated_at: string;
 }
 
+// Channel: external messaging platform bound to an agent
+export interface Channel {
+  id: string;
+  type: "telegram"; // future: "slack", "discord"
+  name: string;
+  agent_id: string;
+  config: string; // encrypted JSON
+  status: "stopped" | "running" | "error";
+  error: string | null;
+  project_id: string | null;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface ChannelRow {
+  id: string;
+  type: string;
+  name: string;
+  agent_id: string;
+  config: string;
+  status: string;
+  error: string | null;
+  project_id: string | null;
+  created_at: string;
+  updated_at: string;
+}
+
 export interface McpServerRow {
   id: string;
   name: string;
@@ -737,6 +764,33 @@ function runMigrations() {
         CREATE INDEX IF NOT EXISTS idx_subscriptions_trigger_instance ON subscriptions(trigger_instance_id);
       `,
     },
+    {
+      name: "032_create_channels",
+      sql: `
+        CREATE TABLE IF NOT EXISTS channels (
+          id TEXT PRIMARY KEY,
+          type TEXT NOT NULL,
+          name TEXT NOT NULL,
+          agent_id TEXT NOT NULL,
+          config TEXT NOT NULL,
+          status TEXT DEFAULT 'stopped',
+          error TEXT,
+          project_id TEXT,
+          created_at TEXT DEFAULT CURRENT_TIMESTAMP,
+          updated_at TEXT DEFAULT CURRENT_TIMESTAMP,
+          FOREIGN KEY (agent_id) REFERENCES agents(id) ON DELETE CASCADE
+        );
+        CREATE INDEX IF NOT EXISTS idx_channels_agent ON channels(agent_id);
+        CREATE INDEX IF NOT EXISTS idx_channels_status ON channels(status);
+      `,
+    },
+    {
+      name: "033_add_telemetry_seen",
+      sql: `
+        ALTER TABLE telemetry_events ADD COLUMN seen INTEGER DEFAULT 0;
+        CREATE INDEX IF NOT EXISTS idx_telemetry_seen ON telemetry_events(seen);
+      `,
+    },
     {
       name: "029_fix_provider_keys_unique_constraint",
       sql: `
@@ -1768,6 +1822,7 @@ export interface TelemetryEvent {
   duration_ms: number | null;
   error: string | null;
   received_at: string;
+  seen?: boolean;
 }
 
 interface TelemetryEventRow {
@@ -1785,6 +1840,7 @@ interface TelemetryEventRow {
   duration_ms: number | null;
   error: string | null;
   received_at: string;
+  seen?: number;
 }
 
 // Telemetry operations
@@ -2066,6 +2122,45 @@ export const TelemetryDB = {
     const row = db.query("SELECT COUNT(*) as count FROM telemetry_events").get() as { count: number };
     return row.count;
   },
+
+  // --- Notification helpers (piggyback on telemetry with `seen` flag) ---
+
+  // Notification-worthy filter: errors + agent crashes
+  getNotifications(limit = 50): TelemetryEvent[] {
+    const rows = db.query(`
+      SELECT * FROM telemetry_events
+      WHERE (level = 'error' OR (category = 'system' AND type = 'agent_stopped') OR category = 'ERROR')
+      ORDER BY timestamp DESC
+      LIMIT ?
+    `).all(limit) as TelemetryEventRow[];
+    return rows.map(rowToTelemetryEvent);
+  },
+
+  getUnseenCount(): number {
+    const row = db.query(`
+      SELECT COUNT(*) as count FROM telemetry_events
+      WHERE seen = 0
+        AND (level = 'error' OR (category = 'system' AND type = 'agent_stopped') OR category = 'ERROR')
+    `).get() as { count: number };
+    return row.count;
+  },
+
+  markSeen(ids: string[]): number {
+    if (ids.length === 0) return 0;
+    const placeholders = ids.map(() => "?").join(",");
+    const result = db.run(
+      `UPDATE telemetry_events SET seen = 1 WHERE id IN (${placeholders})`,
+      ids
+    );
+    return result.changes;
+  },
+
+  markAllSeen(): number {
+    const result = db.run(
+      `UPDATE telemetry_events SET seen = 1 WHERE seen = 0 AND (level = 'error' OR (category = 'system' AND type = 'agent_stopped') OR category = 'ERROR')`
+    );
+    return result.changes;
+  },
 };
 
 function rowToTelemetryEvent(row: TelemetryEventRow): TelemetryEvent {
@@ -2084,6 +2179,7 @@ function rowToTelemetryEvent(row: TelemetryEventRow): TelemetryEvent {
     duration_ms: row.duration_ms,
     error: row.error,
     received_at: row.received_at,
+    seen: row.seen === 1,
   };
 }
 
@@ -2726,6 +2822,90 @@ export const SubscriptionDB = {
   },
 };
 
+// --- Channel DB ---
+
+function rowToChannel(row: ChannelRow): Channel {
+  return {
+    id: row.id,
+    type: row.type as Channel["type"],
+    name: row.name,
+    agent_id: row.agent_id,
+    config: row.config,
+    status: row.status as Channel["status"],
+    error: row.error,
+    project_id: row.project_id,
+    created_at: row.created_at,
+    updated_at: row.updated_at,
+  };
+}
+
+export const ChannelDB = {
+  create(channel: { type: string; name: string; agent_id: string; config: string; project_id?: string | null }): Channel {
+    const id = generateId();
+    const now = new Date().toISOString();
+    db.run(
+      `INSERT INTO channels (id, type, name, agent_id, config, status, project_id, created_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, 'stopped', ?, ?, ?)`,
+      [id, channel.type, channel.name, channel.agent_id, channel.config, channel.project_id || null, now, now]
+    );
+    return this.findById(id)!;
+  },
+
+  findById(id: string): Channel | null {
+    const row = db.query("SELECT * FROM channels WHERE id = ?").get(id) as ChannelRow | null;
+    return row ? rowToChannel(row) : null;
+  },
+
+  findAll(): Channel[] {
+    const rows = db.query("SELECT * FROM channels ORDER BY created_at DESC").all() as ChannelRow[];
+    return rows.map(rowToChannel);
+  },
+
+  findByAgentId(agentId: string): Channel[] {
+    const rows = db.query("SELECT * FROM channels WHERE agent_id = ?").all(agentId) as ChannelRow[];
+    return rows.map(rowToChannel);
+  },
+
+  findRunning(): Channel[] {
+    const rows = db.query("SELECT * FROM channels WHERE status = 'running'").all() as ChannelRow[];
+    return rows.map(rowToChannel);
+  },
+
+  update(id: string, updates: { name?: string; agent_id?: string; config?: string; project_id?: string | null }): Channel | null {
+    const channel = this.findById(id);
+    if (!channel) return null;
+
+    const fields: string[] = [];
+    const values: (string | null)[] = [];
+
+    if (updates.name !== undefined) { fields.push("name = ?"); values.push(updates.name); }
+    if (updates.agent_id !== undefined) { fields.push("agent_id = ?"); values.push(updates.agent_id); }
+    if (updates.config !== undefined) { fields.push("config = ?"); values.push(updates.config); }
+    if (updates.project_id !== undefined) { fields.push("project_id = ?"); values.push(updates.project_id || null); }
+
+    if (fields.length === 0) return channel;
+
+    fields.push("updated_at = ?");
+    values.push(new Date().toISOString());
+    values.push(id);
+
+    db.run(`UPDATE channels SET ${fields.join(", ")} WHERE id = ?`, values);
+    return this.findById(id);
+  },
+
+  setStatus(id: string, status: Channel["status"], error?: string | null): void {
+    db.run(
+      "UPDATE channels SET status = ?, error = ?, updated_at = ? WHERE id = ?",
+      [status, error || null, new Date().toISOString(), id]
+    );
+  },
+
+  delete(id: string): boolean {
+    const result = db.run("DELETE FROM channels WHERE id = ?", [id]);
+    return result.changes > 0;
+  },
+};
+
 // Generate unique ID
 export function generateId(): string {
   return Math.random().toString(36).substring(2, 15);

package/src/integrations/agentdojo.ts

@@ -127,7 +127,7 @@ export const AgentDojoProvider: IntegrationProvider = {
 
     return credentials.map((cred: any) => ({
       id: String(cred.id),
-      appId: String(cred.provider_id || cred.toolkit_id || cred.provider_name),
+      appId: cred.provider_name || cred.toolkit_name || String(cred.provider_id || cred.toolkit_id),
       appName: cred.provider_name || cred.name || cred.toolkit_name || String(cred.provider_id),
       status: (cred.status === "active" || cred.is_valid !== false) ? "active" as const : "failed" as const,
       createdAt: cred.created_at || new Date().toISOString(),

package/src/mcp-handler.ts

@@ -73,34 +73,28 @@ function evaluateExpression(
   args: Record<string, any>,
   helpers: ReturnType<typeof templateHelpers>,
 ): any {
-  // Handle args.* references
+  // Handle args.* references (e.g. args.name, args.query)
   if (expr.startsWith("args.")) {
     const key = expr.slice(5);
     return args[key] ?? null;
   }
 
-  // Handle helper functions and values
-  try {
-    const fn = new Function(
-      "args",
-      "uuid",
-      "now",
-      "timestamp",
-      "random_int",
-      "random_float",
-      `return ${expr}`,
-    );
-    return fn(
-      args,
-      helpers.uuid,
-      helpers.now,
-      helpers.timestamp,
-      helpers.random_int,
-      helpers.random_float,
-    );
-  } catch {
-    return expr;
-  }
+  // Handle known helper values
+  if (expr === "now") return helpers.now;
+  if (expr === "timestamp") return helpers.timestamp;
+
+  // Handle known helper function calls
+  const uuidMatch = expr.match(/^uuid\(\)$/);
+  if (uuidMatch) return helpers.uuid();
+
+  const randIntMatch = expr.match(/^random_int\(\s*(\d+)\s*,\s*(\d+)\s*\)$/);
+  if (randIntMatch) return helpers.random_int(Number(randIntMatch[1]), Number(randIntMatch[2]));
+
+  const randFloatMatch = expr.match(/^random_float\(\s*([\d.]+)\s*,\s*([\d.]+)\s*\)$/);
+  if (randFloatMatch) return helpers.random_float(Number(randFloatMatch[1]), Number(randFloatMatch[2]));
+
+  // Return expression as-is if not recognized — never execute arbitrary code
+  return expr;
 }
 
 // Execute a mock handler — returns the rendered mock_response
@@ -197,7 +191,11 @@ async function executeHttp(
   }
 }
 
-// Execute a JavaScript handler — runs code string with args + credentials
+// Execute a JavaScript handler — runs user-defined code in a restricted scope.
+// SECURITY NOTE: This intentionally allows authenticated admins to define custom tool logic.
+// The code runs in a restricted Function scope with only args, credentials, and helpers exposed.
+// process, require, import, Bun, fetch etc. are NOT passed in — but note that new Function()
+// still has access to globalThis. For full sandboxing, consider using a Worker or subprocess.
 function executeJavascript(
   tool: McpServerTool,
   args: Record<string, any>,
@@ -210,6 +208,15 @@ function executeJavascript(
     };
   }
 
+  // Basic static checks — block obvious dangerous patterns
+  const dangerous = /\b(process|require|import|Bun|Deno|eval|Function|child_process|exec|spawn)\b/;
+  if (dangerous.test(tool.code)) {
+    return {
+      content: [{ type: "text", text: "Error: Tool code contains disallowed keywords (process, require, import, eval, exec, spawn)" }],
+      isError: true,
+    };
+  }
+
   try {
     const helpers = templateHelpers();
     const fn = new Function(

package/src/providers.ts

@@ -198,35 +198,48 @@ export const ProviderKeys = {
     }
   },
 
-  // Get decrypted API key for a provider (global key)
+  // Get decrypted API key for a provider (global key, falls back to env var)
   getDecrypted(providerId: string): string | null {
     const record = ProviderKeysDB.findByProvider(providerId);
-    if (!record) return null;
+    if (record) {
+      try {
+        return decrypt(record.encrypted_key);
+      } catch (err) {
+        console.error(`Failed to decrypt key for ${providerId}:`, err);
+      }
+    }
 
-    try {
-      return decrypt(record.encrypted_key);
-    } catch (err) {
-      console.error(`Failed to decrypt key for ${providerId}:`, err);
-      return null;
+    // Fall back to environment variable
+    const provider = PROVIDERS[providerId as ProviderId];
+    if (provider?.envVar) {
+      const envVal = process.env[provider.envVar];
+      if (envVal) return envVal;
     }
+    return null;
   },
 
   // Get decrypted API key for a provider and project
   // Falls back to global key if no project-specific key exists
   getDecryptedForProject(providerId: string, projectId: string | null): string | null {
+    console.log(`[ProviderKeys.getDecryptedForProject] providerId=${providerId}, projectId=${projectId}`);
     // Try project-specific key first
     if (projectId) {
       const projectRecord = ProviderKeysDB.findByProviderAndProject(providerId, projectId);
+      console.log(`[ProviderKeys.getDecryptedForProject] project record found: ${!!projectRecord}`);
       if (projectRecord) {
         try {
-          return decrypt(projectRecord.encrypted_key);
+          const key = decrypt(projectRecord.encrypted_key);
+          console.log(`[ProviderKeys.getDecryptedForProject] decrypted project key OK, length=${key?.length}`);
+          return key;
         } catch (err) {
           console.error(`Failed to decrypt project key for ${providerId}/${projectId}:`, err);
         }
       }
     }
     // Fall back to global key
-    return this.getDecrypted(providerId);
+    const globalKey = this.getDecrypted(providerId);
+    console.log(`[ProviderKeys.getDecryptedForProject] global fallback: found=${!!globalKey}, length=${globalKey?.length || 0}`);
+    return globalKey;
   },
 
   // Check if a provider has a key configured (global)