apteva 0.4.57 → 0.7.1

package/src/routes/api/webhooks.ts

@@ -1,171 +0,0 @@
-import { json } from "./helpers";
-import { AgentDB, SubscriptionDB, SettingsDB } from "../../db";
-import { getTriggerProvider } from "../../triggers";
-import { agentFetch } from "./agent-utils";
-
-/**
- * Central webhook receiver for trigger providers.
- * POST /api/webhooks/:provider — receives trigger events from any registered provider,
- * verifies HMAC, looks up local subscriptions, and dispatches to the appropriate agent(s).
- *
- * This endpoint is public (HMAC-verified, no JWT/API key auth).
- */
-export async function handleWebhookRoutes(
-  req: Request,
-  path: string,
-  method: string,
-): Promise<Response | null> {
-
-  // POST /api/webhooks/composio
-  if (path === "/api/webhooks/composio" && method === "POST") {
-    return handleProviderWebhook(req, "composio");
-  }
-
-  // POST /api/webhooks/agentdojo
-  if (path === "/api/webhooks/agentdojo" && method === "POST") {
-    return handleProviderWebhook(req, "agentdojo");
-  }
-
-  return null;
-}
-
-async function handleProviderWebhook(req: Request, providerId: string): Promise<Response> {
-  const provider = getTriggerProvider(providerId);
-  if (!provider) {
-    return json({ error: `${providerId} provider not registered` }, 500);
-  }
-
-  // Read raw body for HMAC verification
-  let rawBody: string;
-  try {
-    rawBody = await req.text();
-  } catch {
-    return json({ error: "Failed to read request body" }, 400);
-  }
-
-  // Verify HMAC signature using stored webhook secret
-  const webhookSecret = SettingsDB.get(`${providerId}_webhook_secret`);
-  if (webhookSecret) {
-    const valid = provider.verifyWebhook(req, rawBody, webhookSecret);
-    if (!valid) {
-      console.warn(`[webhook] Invalid HMAC signature for ${providerId} webhook`);
-      return json({ error: "Invalid signature" }, 401);
-    }
-  } else {
-    console.warn(`[webhook] No ${providerId} webhook secret configured — skipping HMAC verification`);
-  }
-
-  // Parse the payload
-  let body: Record<string, unknown>;
-  try {
-    body = JSON.parse(rawBody);
-  } catch {
-    return json({ error: "Invalid JSON" }, 400);
-  }
-
-  // Log raw webhook for debugging
-  console.log(`[webhook:${providerId}] Raw payload:`, JSON.stringify(body, null, 2));
-
-  const { triggerSlug, triggerInstanceId, payload } = provider.parseWebhookPayload(body);
-  console.log(`[webhook:${providerId}] Parsed:`, { triggerSlug, triggerInstanceId });
-
-  // Respond 200 immediately — dispatch async
-  const dispatchPromise = dispatchToSubscribers(providerId, triggerSlug, triggerInstanceId, payload);
-
-  // Fire and forget — but log errors
-  dispatchPromise.catch(err => {
-    console.error(`[webhook:${providerId}] Dispatch error:`, err);
-  });
-
-  return json({ received: true, provider: providerId, trigger: triggerSlug });
-}
-
-async function dispatchToSubscribers(
-  providerId: string,
-  triggerSlug: string,
-  triggerInstanceId: string | null,
-  payload: Record<string, unknown>,
-): Promise<void> {
-  // Find matching subscriptions:
-  // 1. Exact match by trigger_instance_id (most specific)
-  // 2. Match by trigger_slug (broader)
-  let subscriptions = triggerInstanceId
-    ? SubscriptionDB.findByTriggerInstanceId(triggerInstanceId)
-    : [];
-
-  // If no instance-level matches, fall back to slug-level
-  if (subscriptions.length === 0) {
-    subscriptions = SubscriptionDB.findByTriggerSlug(triggerSlug);
-  }
-
-  // Filter to enabled only
-  subscriptions = subscriptions.filter(s => s.enabled);
-
-  if (subscriptions.length === 0) {
-    console.log(`[webhook:${providerId}] No subscriptions for trigger ${triggerSlug} (instance: ${triggerInstanceId || "none"})`);
-    return;
-  }
-
-  // Dispatch to each subscribed agent
-  const results = await Promise.allSettled(
-    subscriptions.map(sub => dispatchToAgent(sub.agent_id, triggerSlug, payload)),
-  );
-
-  for (let i = 0; i < results.length; i++) {
-    const result = results[i];
-    const sub = subscriptions[i];
-    if (result.status === "rejected") {
-      console.error(`[webhook:${providerId}] Failed to dispatch to agent ${sub.agent_id}:`, result.reason);
-    } else {
-      console.log(`[webhook:${providerId}] Dispatched ${triggerSlug} to agent ${sub.agent_id}: ${result.value}`);
-    }
-  }
-}
-
-async function dispatchToAgent(
-  agentId: string,
-  triggerSlug: string,
-  payload: Record<string, unknown>,
-): Promise<string> {
-  const agent = AgentDB.findById(agentId);
-  if (!agent) {
-    return "agent_not_found";
-  }
-
-  if (agent.status !== "running" || !agent.port) {
-    return "agent_not_running";
-  }
-
-  // Format the trigger event as a chat message
-  const triggerName = triggerSlug.replace(/_/g, " ").replace(/:/g, " → ");
-  const message = [
-    `[Trigger: ${triggerName}]`,
-    "",
-    "```json",
-    JSON.stringify(payload, null, 2),
-    "```",
-    "",
-    "Process this event and take appropriate action.",
-  ].join("\n");
-
-  const response = await agentFetch(agent.id, agent.port, "/chat", {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ message }),
-  });
-
-  // Consume the streaming response
-  if (response.body) {
-    try {
-      const reader = response.body.getReader();
-      while (true) {
-        const { done } = await reader.read();
-        if (done) break;
-      }
-    } catch {
-      // Ignore read errors
-    }
-  }
-
-  return response.ok ? "sent" : "agent_error";
-}

package/src/routes/api.ts

@@ -1,53 +0,0 @@
-import type { AuthContext } from "../auth/middleware";
-import { json } from "./api/helpers";
-import { handleSystemRoutes } from "./api/system";
-import { handleProviderRoutes } from "./api/providers";
-import { handleUserRoutes } from "./api/users";
-import { handleProjectRoutes } from "./api/projects";
-import { handleAgentRoutes } from "./api/agents";
-import { handleMcpRoutes } from "./api/mcp";
-import { handleSkillRoutes } from "./api/skills";
-import { handleIntegrationRoutes } from "./api/integrations";
-import { handleTriggerRoutes } from "./api/triggers";
-import { handleWebhookRoutes } from "./api/webhooks";
-import { handleMetaAgentRoutes } from "./api/meta-agent";
-import { handleTelemetryRoutes } from "./api/telemetry";
-import { handleTestRoutes } from "./api/tests";
-import { handleApiKeyRoutes } from "./api/api-keys";
-import { handleChannelRoutes } from "./api/channels";
-import { handlePlatformMcpRequest } from "../mcp-platform";
-
-// Re-export for backward compatibility (server.ts dynamic import)
-export { startAgentProcess } from "./api/agent-utils";
-
-export async function handleApiRequest(
-  req: Request,
-  path: string,
-  authContext?: AuthContext,
-): Promise<Response> {
-  const method = req.method;
-
-  // Built-in platform MCP server (for meta agent)
-  if (path === "/api/mcp/platform" && method === "POST") {
-    return handlePlatformMcpRequest(req);
-  }
-
-  return (
-    (await handleWebhookRoutes(req, path, method)) ?? // Public, HMAC-verified — before auth
-    (await handleSystemRoutes(req, path, method, authContext)) ??
-    (await handleApiKeyRoutes(req, path, method, authContext)) ?? // Must be before provider routes to handle /api/keys/personal
-    (await handleProviderRoutes(req, path, method, authContext)) ??
-    (await handleUserRoutes(req, path, method, authContext)) ??
-    (await handleProjectRoutes(req, path, method, authContext)) ??
-    (await handleAgentRoutes(req, path, method, authContext)) ??
-    (await handleMcpRoutes(req, path, method)) ??
-    (await handleSkillRoutes(req, path, method)) ??
-    (await handleIntegrationRoutes(req, path, method, authContext)) ??
-    (await handleTriggerRoutes(req, path, method, authContext)) ??
-    (await handleChannelRoutes(req, path, method)) ??
-    (await handleMetaAgentRoutes(req, path, method)) ??
-    (await handleTelemetryRoutes(req, path, method)) ??
-    (await handleTestRoutes(req, path, method)) ??
-    json({ error: "Not found" }, 404)
-  );
-}

package/src/routes/auth.ts

@@ -1,251 +0,0 @@
-import { UserDB } from "../db";
-import {
-  login,
-  refreshSession,
-  invalidateSession,
-  getAuthStatus,
-  verifyAccessToken,
-  hashPassword,
-  validatePassword,
-  REFRESH_TOKEN_EXPIRY,
-} from "../auth";
-import { Onboarding } from "../providers";
-import {
-  getTokenFromRequest,
-  getRefreshTokenFromCookie,
-  createRefreshTokenCookie,
-  clearRefreshTokenCookie,
-} from "../auth/middleware";
-
-function json(data: unknown, status = 200, headers: Record<string, string> = {}): Response {
-  return new Response(JSON.stringify(data), {
-    status,
-    headers: { "Content-Type": "application/json", ...headers },
-  });
-}
-
-export async function handleAuthRequest(req: Request, path: string): Promise<Response> {
-  const method = req.method;
-
-  // GET /api/auth/check - Check authentication status (includes onboarding to avoid extra round trip)
-  if (path === "/api/auth/check" && method === "GET") {
-    const token = getTokenFromRequest(req);
-    const status = getAuthStatus(token || undefined);
-    const onboarding = Onboarding.getStatus();
-    return json({ ...status, onboarding });
-  }
-
-  // POST /api/auth/login - Login with username and password
-  if (path === "/api/auth/login" && method === "POST") {
-    try {
-      const body = await req.json();
-      const { username, password } = body;
-
-      if (!username || !password) {
-        return json({ error: "Username and password are required" }, 400);
-      }
-
-      const result = await login(username, password);
-
-      if (!result.success) {
-        return json({ error: result.error }, 401);
-      }
-
-      // Set refresh token as httpOnly cookie
-      const cookieHeader = createRefreshTokenCookie(result.tokens!.refreshToken, REFRESH_TOKEN_EXPIRY);
-
-      return json(
-        {
-          user: result.user,
-          accessToken: result.tokens!.accessToken,
-          expiresIn: result.tokens!.expiresIn,
-        },
-        200,
-        { "Set-Cookie": cookieHeader }
-      );
-    } catch (e) {
-      return json({ error: "Invalid request body" }, 400);
-    }
-  }
-
-  // POST /api/auth/logout - Logout (invalidate refresh token)
-  if (path === "/api/auth/logout" && method === "POST") {
-    const refreshToken = getRefreshTokenFromCookie(req);
-
-    if (refreshToken) {
-      invalidateSession(refreshToken);
-    }
-
-    // Clear the cookie
-    return json(
-      { success: true },
-      200,
-      { "Set-Cookie": clearRefreshTokenCookie() }
-    );
-  }
-
-  // POST /api/auth/refresh - Refresh access token
-  if (path === "/api/auth/refresh" && method === "POST") {
-    // No users = no valid sessions possible
-    if (!UserDB.hasUsers()) {
-      return json({ error: "No users exist" }, 401, { "Set-Cookie": clearRefreshTokenCookie() });
-    }
-
-    const refreshToken = getRefreshTokenFromCookie(req);
-
-    if (!refreshToken) {
-      return json({ error: "No refresh token" }, 401);
-    }
-
-    const result = await refreshSession(refreshToken);
-
-    if (!result) {
-      return json(
-        { error: "Invalid or expired refresh token" },
-        401,
-        { "Set-Cookie": clearRefreshTokenCookie() }
-      );
-    }
-
-    // Set new refresh token cookie
-    const cookieHeader = createRefreshTokenCookie(result.refreshToken, REFRESH_TOKEN_EXPIRY);
-
-    // Include user info + onboarding to avoid extra /api/auth/me round trip
-    const payload = verifyAccessToken(result.accessToken);
-    const user = payload ? UserDB.findById(payload.userId) : null;
-    const onboarding = Onboarding.getStatus();
-
-    return json(
-      {
-        accessToken: result.accessToken,
-        expiresIn: result.expiresIn,
-        user: user ? { id: user.id, username: user.username, role: user.role } : undefined,
-        onboarding,
-      },
-      200,
-      { "Set-Cookie": cookieHeader }
-    );
-  }
-
-  // GET /api/auth/me - Get current user
-  if (path === "/api/auth/me" && method === "GET") {
-    const token = getTokenFromRequest(req);
-
-    if (!token) {
-      return json({ error: "Unauthorized" }, 401);
-    }
-
-    const payload = verifyAccessToken(token);
-    if (!payload) {
-      return json({ error: "Invalid or expired token" }, 401);
-    }
-
-    const user = UserDB.findById(payload.userId);
-    if (!user) {
-      return json({ error: "User not found" }, 404);
-    }
-
-    return json({
-      user: {
-        id: user.id,
-        username: user.username,
-        email: user.email,
-        role: user.role,
-        createdAt: user.created_at,
-        lastLoginAt: user.last_login_at,
-      },
-    });
-  }
-
-  // PUT /api/auth/me - Update current user profile
-  if (path === "/api/auth/me" && method === "PUT") {
-    const token = getTokenFromRequest(req);
-
-    if (!token) {
-      return json({ error: "Unauthorized" }, 401);
-    }
-
-    const payload = verifyAccessToken(token);
-    if (!payload) {
-      return json({ error: "Invalid or expired token" }, 401);
-    }
-
-    const user = UserDB.findById(payload.userId);
-    if (!user) {
-      return json({ error: "User not found" }, 404);
-    }
-
-    try {
-      const body = await req.json();
-      const updates: Parameters<typeof UserDB.update>[1] = {};
-
-      if (body.email !== undefined) updates.email = body.email;
-
-      const updated = UserDB.update(user.id, updates);
-
-      return json({
-        user: updated ? {
-          id: updated.id,
-          username: updated.username,
-          email: updated.email,
-          role: updated.role,
-          createdAt: updated.created_at,
-          lastLoginAt: updated.last_login_at,
-        } : null,
-      });
-    } catch (e) {
-      return json({ error: "Invalid request body" }, 400);
-    }
-  }
-
-  // PUT /api/auth/password - Change password
-  if (path === "/api/auth/password" && method === "PUT") {
-    const token = getTokenFromRequest(req);
-
-    if (!token) {
-      return json({ error: "Unauthorized" }, 401);
-    }
-
-    const payload = verifyAccessToken(token);
-    if (!payload) {
-      return json({ error: "Invalid or expired token" }, 401);
-    }
-
-    const user = UserDB.findById(payload.userId);
-    if (!user) {
-      return json({ error: "User not found" }, 404);
-    }
-
-    try {
-      const body = await req.json();
-      const { currentPassword, newPassword } = body;
-
-      if (!currentPassword || !newPassword) {
-        return json({ error: "Current and new password are required" }, 400);
-      }
-
-      // Verify current password
-      const { verifyPassword } = await import("../auth");
-      const isValid = await verifyPassword(currentPassword, user.password_hash);
-      if (!isValid) {
-        return json({ error: "Current password is incorrect" }, 401);
-      }
-
-      // Validate new password
-      const validation = validatePassword(newPassword);
-      if (!validation.valid) {
-        return json({ error: validation.errors.join(". ") }, 400);
-      }
-
-      // Update password
-      const newHash = await hashPassword(newPassword);
-      UserDB.update(user.id, { password_hash: newHash });
-
-      return json({ success: true, message: "Password updated successfully" });
-    } catch (e) {
-      return json({ error: "Invalid request body" }, 400);
-    }
-  }
-
-  return json({ error: "Not found" }, 404);
-}

package/src/routes/share.ts

@@ -1,86 +0,0 @@
-import { createHash } from "crypto";
-import { AgentDB, isRealtimeEnabled, type Agent } from "../db";
-import { agentFetch } from "./api/agent-utils";
-
-function deriveShareToken(apiKey: string, agentId: string): string {
-  return createHash("sha256")
-    .update(apiKey + ":" + agentId + ":share")
-    .digest("hex")
-    .substring(0, 32);
-}
-
-export function findAgentByShareToken(token: string): Agent | null {
-  const agents = AgentDB.findAll();
-  for (const agent of agents) {
-    const apiKey = AgentDB.getApiKey(agent.id);
-    if (!apiKey) continue;
-    if (deriveShareToken(apiKey, agent.id) === token) return agent;
-  }
-  return null;
-}
-
-/** Get the share token for an agent (used by API route for the UI) */
-export function getShareToken(agentId: string): string | null {
-  const apiKey = AgentDB.getApiKey(agentId);
-  if (!apiKey) return null;
-  return deriveShareToken(apiKey, agentId);
-}
-
-export async function handleShareRequest(req: Request, path: string): Promise<Response | null> {
-  // Match /share/<32 hex chars> sub-paths for API calls
-  const infoMatch = path.match(/^\/share\/([a-f0-9]{32})\/info$/);
-  const chatMatch = path.match(/^\/share\/([a-f0-9]{32})\/chat$/);
-
-  if (!infoMatch && !chatMatch) return null;
-
-  const token = (infoMatch || chatMatch)![1];
-  const agent = findAgentByShareToken(token);
-
-  // Intentionally vague 404 — don't reveal whether token exists
-  if (!agent) {
-    return new Response("Not found", { status: 404 });
-  }
-
-  // GET /share/:token/info — agent info (no secrets)
-  if (infoMatch && req.method === "GET") {
-    return Response.json({
-      name: agent.name,
-      status: agent.status,
-      voiceEnabled: isRealtimeEnabled(agent.features),
-    });
-  }
-
-  // POST /share/:token/chat — proxy to agent
-  if (chatMatch && req.method === "POST") {
-    if (agent.status !== "running" || !agent.port) {
-      return Response.json({ error: "Agent is currently offline" }, { status: 503 });
-    }
-
-    try {
-      const body = await req.json();
-      const response = await agentFetch(agent.id, agent.port, "/chat", {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(body),
-      });
-
-      if (!response.ok) {
-        const errorText = await response.text();
-        return Response.json({ error: `Agent error: ${errorText}` }, { status: response.status });
-      }
-
-      return new Response(response.body, {
-        status: 200,
-        headers: {
-          "Content-Type": response.headers.get("Content-Type") || "text/event-stream",
-          "Cache-Control": "no-cache",
-          "Connection": "keep-alive",
-        },
-      });
-    } catch (err) {
-      return Response.json({ error: "Failed to connect to agent" }, { status: 500 });
-    }
-  }
-
-  return null;
-}

package/src/routes/static.ts

@@ -1,131 +0,0 @@
-import { join } from "path";
-import { existsSync, statSync } from "fs";
-
-// Find dist directory - handle development, npx, and compiled binary contexts
-function findDistDir(): string {
-  const candidates = [
-    join(import.meta.dir, "../../dist"),
-    join(import.meta.dir, "../dist"),
-    join(import.meta.dir, "dist"),    // compiled binary: dist/ alongside the executable
-    join(process.cwd(), "dist"),
-  ];
-
-  for (const dir of candidates) {
-    try {
-      if (existsSync(dir) && statSync(dir).isDirectory()) {
-        const indexPath = join(dir, "index.html");
-        if (existsSync(indexPath)) {
-          return dir;
-        }
-      }
-    } catch {
-      continue;
-    }
-  }
-
-  return candidates[0]; // Default to first candidate
-}
-
-const DIST_DIR = findDistDir();
-
-// MIME types for common file extensions
-const MIME_TYPES: Record<string, string> = {
-  ".html": "text/html; charset=utf-8",
-  ".js": "application/javascript; charset=utf-8",
-  ".css": "text/css; charset=utf-8",
-  ".json": "application/json; charset=utf-8",
-  ".png": "image/png",
-  ".jpg": "image/jpeg",
-  ".jpeg": "image/jpeg",
-  ".gif": "image/gif",
-  ".svg": "image/svg+xml",
-  ".ico": "image/x-icon",
-  ".woff": "font/woff",
-  ".woff2": "font/woff2",
-  ".ttf": "font/ttf",
-  ".eot": "application/vnd.ms-fontobject",
-};
-
-function getMimeType(path: string): string {
-  const ext = path.substring(path.lastIndexOf(".")).toLowerCase();
-  return MIME_TYPES[ext] || "application/octet-stream";
-}
-
-export async function serveStatic(req: Request, path: string): Promise<Response> {
-  try {
-    // Default to index.html for root
-    let filePath = path === "/" ? "/index.html" : path;
-
-    // Prevent directory traversal attacks
-    if (filePath.includes("..")) {
-      return new Response("Forbidden", { status: 403 });
-    }
-
-    const fullPath = join(DIST_DIR, filePath);
-
-    // Check if file exists using sync API (more reliable)
-    if (existsSync(fullPath)) {
-      try {
-        const stat = statSync(fullPath);
-        if (stat.isFile()) {
-          const file = Bun.file(fullPath);
-          const mimeType = getMimeType(filePath);
-          const headers: Record<string, string> = { "Content-Type": mimeType };
-
-          // Hashed assets (e.g. App.fq4xbpcz.js) are immutable — cache aggressively
-          // index.html must never be cached (it references the hashed assets)
-          const hasHash = /\.[a-z0-9]{6,}\.(js|css|map)$/.test(filePath);
-          if (hasHash) {
-            headers["Cache-Control"] = "public, max-age=31536000, immutable";
-          } else if (filePath !== "/index.html") {
-            headers["Cache-Control"] = "public, max-age=3600";
-          }
-
-          return new Response(file, { headers });
-        }
-      } catch {
-        // Fall through to SPA handling
-      }
-    }
-
-    // For SPA: if file doesn't exist and it's not a static asset, serve index.html
-    if (!path.includes(".")) {
-      const indexPath = join(DIST_DIR, "index.html");
-      if (existsSync(indexPath)) {
-        const indexFile = Bun.file(indexPath);
-        return new Response(indexFile, {
-          headers: { "Content-Type": "text/html; charset=utf-8" },
-        });
-      }
-    }
-
-    // If dist doesn't exist, serve a development message
-    return new Response(
-      `<!DOCTYPE html>
-<html>
-<head>
-  <title>apteva</title>
-  <style>
-    body { font-family: system-ui; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #0f172a; color: #e2e8f0; }
-    .container { text-align: center; }
-    code { background: #1e293b; padding: 4px 8px; border-radius: 4px; }
-  </style>
-</head>
-<body>
-  <div class="container">
-    <h1>apteva</h1>
-    <p>Run <code>bun run build</code> to build the frontend</p>
-    <p>API available at <a href="/api/health" style="color: #60a5fa">/api/health</a></p>
-  </div>
-</body>
-</html>`,
-      {
-        status: 200,
-        headers: { "Content-Type": "text/html; charset=utf-8" }
-      }
-    );
-  } catch (error) {
-    console.error("Static file error:", error);
-    return new Response("Internal Server Error", { status: 500 });
-  }
-}