availsync 0.1.0

package/src/mcp/server.ts

@@ -0,0 +1,350 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { z } from 'zod';
+import { createHash } from 'crypto';
+
+type JsonObject = Record<string, unknown>;
+
+function printHelp(): void {
+  console.log(`Availsync MCP server
+
+Environment:
+  AVAILSYNC_API_URL   Base URL for Availsync, default http://localhost:3000
+  AVAILSYNC_API_KEY   Bearer token for the scheduling agent
+
+Tools:
+  check_availability  Check available slots before booking
+  preview_conflict    Preview who would win before booking
+  book_slot           Reserve a slot
+  release_slot        Release a booked hold
+  check_work_slot     Check whether a coding agent can work on a repo/project
+  claim_work_slot     Claim a repo/project before a coding agent starts
+  extend_work_slot    Extend a live work claim while the agent is still working
+  release_work_slot   Release a repo/project work claim
+
+Status:
+  The server sends a heartbeat to Availsync on startup and then every 60 seconds.
+
+Production flow:
+  heartbeat -> check_work_slot -> claim_work_slot -> extend_work_slot while working -> release_work_slot
+`);
+}
+
+function getConfig(): { apiUrl: string; apiKey: string } {
+  const apiUrl = process.env.AVAILSYNC_API_URL || 'http://localhost:3000';
+  const apiKey = process.env.AVAILSYNC_API_KEY;
+
+  if (!apiKey) {
+    throw new Error('AVAILSYNC_API_KEY is required');
+  }
+
+  return { apiUrl: apiUrl.replace(/\/$/, ''), apiKey };
+}
+
+async function requestAvailsync(
+  method: string,
+  path: string,
+  body?: JsonObject,
+  extraHeaders: Record<string, string> = {},
+): Promise<unknown> {
+  const { apiUrl, apiKey } = getConfig();
+  const response = await fetch(`${apiUrl}${path}`, {
+    method,
+    headers: {
+      Authorization: `Bearer ${apiKey}`,
+      'Content-Type': 'application/json',
+      ...extraHeaders,
+    },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+
+  const text = await response.text();
+  const payload = text ? (JSON.parse(text) as unknown) : {};
+
+  if (!response.ok) {
+    return {
+      status: response.status,
+      error: payload,
+    };
+  }
+
+  return payload;
+}
+
+function deterministicWorkKey(input: {
+  agent_id: string;
+  resource_type: string;
+  resource_key: string;
+  start_at?: string;
+  reason?: string;
+}): string {
+  return createHash('sha256')
+    .update(`${input.agent_id}:${input.resource_type}:${input.resource_key}:${input.start_at ?? 'now'}:${input.reason ?? ''}`)
+    .digest('hex');
+}
+
+async function sendHeartbeat(): Promise<void> {
+  await requestAvailsync('POST', '/v1/mcp/heartbeat', {
+    client_name: 'availsync-mcp',
+  });
+}
+
+function jsonContent(payload: unknown) {
+  return {
+    content: [
+      {
+        type: 'text' as const,
+        text: JSON.stringify(payload, null, 2),
+      },
+    ],
+  };
+}
+
+const usageSchema = z
+  .object({
+    provider: z.string().optional(),
+    model: z.string().optional(),
+    input_tokens: z.number().int().min(0).optional(),
+    output_tokens: z.number().int().min(0).optional(),
+    total_tokens: z.number().int().min(0).optional(),
+    estimated_cost_usd: z.number().min(0).optional(),
+  })
+  .optional();
+
+async function reportUsage(activityType: string, usage?: z.infer<typeof usageSchema>): Promise<void> {
+  if (!usage) return;
+  await requestAvailsync('POST', '/v1/activity/usage', {
+    activity_type: activityType,
+    client_name: 'availsync-mcp',
+    ...usage,
+  });
+}
+
+function createServer(): McpServer {
+  const server = new McpServer({
+    name: 'availsync',
+    version: '0.1.0',
+  });
+
+  server.registerTool(
+    'check_availability',
+    {
+      description:
+        'Check available time slots for an AI scheduling agent before booking. Always call this before book_slot.',
+      inputSchema: {
+        agent_id: z.string().uuid().describe('UUID of the agent to check availability for'),
+        from: z.string().datetime().describe('Start of search window (ISO 8601 UTC)'),
+        to: z.string().datetime().describe('End of search window (ISO 8601 UTC)'),
+        duration_minutes: z.number().describe('Required meeting duration in minutes'),
+        usage: usageSchema,
+      },
+    },
+    async ({ agent_id, from, to, duration_minutes, usage }) => {
+      const query = new URLSearchParams({
+        agent_id,
+        from,
+        to,
+        duration_minutes: String(duration_minutes),
+      });
+      const result = await requestAvailsync('GET', `/v1/availability?${query.toString()}`);
+      await reportUsage('mcp_check_availability', usage);
+      return jsonContent(result);
+    },
+  );
+
+  server.registerTool(
+    'preview_conflict',
+    {
+      description:
+        'Preview whether a proposed slot would be available, win, or lose before booking. Call this after check_availability and before book_slot.',
+      inputSchema: {
+        agent_id: z.string().uuid(),
+        start_at: z.string().datetime(),
+        end_at: z.string().datetime(),
+        reason: z.string().max(500).optional(),
+        usage: usageSchema,
+      },
+    },
+    async ({ agent_id, start_at, end_at, reason, usage }) => {
+      const result = await requestAvailsync('POST', '/v1/conflicts/check', {
+        agent_id,
+        start_at,
+        end_at,
+        ...(reason ? { reason } : {}),
+      });
+      await reportUsage('mcp_preview_conflict', usage);
+      return jsonContent(result);
+    },
+  );
+
+  server.registerTool(
+    'book_slot',
+    {
+      description:
+        'Reserve a time slot. Returns confirmed hold or 409 with alternative suggestions if slot is taken by higher-priority agent.',
+      inputSchema: {
+        agent_id: z.string().uuid(),
+        start_at: z.string().datetime(),
+        end_at: z.string().datetime(),
+        reason: z.string().max(500).optional(),
+        usage: usageSchema,
+      },
+    },
+    async ({ agent_id, start_at, end_at, reason, usage }) => {
+      const result = await requestAvailsync('POST', '/v1/holds', {
+        agent_id,
+        start_at,
+        end_at,
+        ...(reason ? { reason } : {}),
+      });
+      await reportUsage('mcp_book_slot', usage);
+      return jsonContent(result);
+    },
+  );
+
+  server.registerTool(
+    'release_slot',
+    {
+      description: 'Release a previously booked hold so other agents can use the time.',
+      inputSchema: {
+        hold_id: z.string().uuid(),
+        usage: usageSchema,
+      },
+    },
+    async ({ hold_id, usage }) => {
+      const result = await requestAvailsync('DELETE', `/v1/holds/${hold_id}`);
+      await reportUsage('mcp_release_slot', usage);
+      return jsonContent(result);
+    },
+  );
+
+  server.registerTool(
+    'check_work_slot',
+    {
+      description:
+        'Check whether a coding agent can work on a repo or project before it starts. If status is would_lose, skip the run.',
+      inputSchema: {
+        agent_id: z.string().uuid(),
+        resource_type: z.enum(['repo', 'project']),
+        resource_key: z.string().min(1),
+        label: z.string().optional(),
+        start_at: z.string().datetime().optional(),
+        duration_minutes: z.number().int().min(1).max(240).optional(),
+        reason: z.string().max(500).optional(),
+        usage: usageSchema,
+      },
+    },
+    async ({ agent_id, resource_type, resource_key, label, start_at, duration_minutes, reason, usage }) => {
+      const result = await requestAvailsync('POST', '/v1/work/check', {
+        agent_id,
+        resource_type,
+        resource_key,
+        ...(label ? { label } : {}),
+        ...(start_at ? { start_at } : {}),
+        ...(duration_minutes ? { duration_minutes } : {}),
+        ...(reason ? { reason } : {}),
+      });
+      await reportUsage('mcp_check_work_slot', usage);
+      return jsonContent(result);
+    },
+  );
+
+  server.registerTool(
+    'claim_work_slot',
+    {
+      description:
+        'Claim a repo or project before a coding agent starts. Use the returned claim id and release it when done.',
+      inputSchema: {
+        agent_id: z.string().uuid(),
+        resource_type: z.enum(['repo', 'project']),
+        resource_key: z.string().min(1),
+        label: z.string().optional(),
+        start_at: z.string().datetime().optional(),
+        duration_minutes: z.number().int().min(1).max(240).optional(),
+        reason: z.string().max(500).optional(),
+        idempotency_key: z.string().min(1).max(200).optional(),
+        usage: usageSchema,
+      },
+    },
+    async ({ agent_id, resource_type, resource_key, label, start_at, duration_minutes, reason, idempotency_key, usage }) => {
+      const key = idempotency_key ?? deterministicWorkKey({ agent_id, resource_type, resource_key, start_at, reason });
+      const result = await requestAvailsync(
+        'POST',
+        '/v1/work/claim',
+        {
+          agent_id,
+          resource_type,
+          resource_key,
+          ...(label ? { label } : {}),
+          ...(start_at ? { start_at } : {}),
+          ...(duration_minutes ? { duration_minutes } : {}),
+          ...(reason ? { reason } : {}),
+        },
+        { 'Idempotency-Key': key },
+      );
+      await reportUsage('mcp_claim_work_slot', usage);
+      return jsonContent(result);
+    },
+  );
+
+  server.registerTool(
+    'extend_work_slot',
+    {
+      description:
+        'Extend an active work claim while a coding agent is still working. Call periodically before expires_at.',
+      inputSchema: {
+        claim_id: z.string().uuid(),
+        duration_minutes: z.number().int().min(1).max(120).optional(),
+        usage: usageSchema,
+      },
+    },
+    async ({ claim_id, duration_minutes, usage }) => {
+      const result = await requestAvailsync('POST', `/v1/work/claims/${claim_id}/extend`, {
+        ...(duration_minutes ? { duration_minutes } : {}),
+      });
+      await reportUsage('mcp_extend_work_slot', usage);
+      return jsonContent(result);
+    },
+  );
+
+  server.registerTool(
+    'release_work_slot',
+    {
+      description: 'Release a repo or project work claim so another coding agent can work.',
+      inputSchema: {
+        claim_id: z.string().uuid(),
+        usage: usageSchema,
+      },
+    },
+    async ({ claim_id, usage }) => {
+      const result = await requestAvailsync('DELETE', `/v1/work/claims/${claim_id}`);
+      await reportUsage('mcp_release_work_slot', usage);
+      return jsonContent(result);
+    },
+  );
+
+  return server;
+}
+
+export async function main(): Promise<void> {
+  if (process.argv.includes('--help') || process.argv.includes('-h')) {
+    printHelp();
+    return;
+  }
+
+  const server = createServer();
+  const transport = new StdioServerTransport();
+  void sendHeartbeat().catch(() => {});
+  const heartbeat = setInterval(() => {
+    void sendHeartbeat().catch(() => {});
+  }, 60_000);
+  heartbeat.unref?.();
+  await server.connect(transport);
+}
+
+if (require.main === module) {
+  main().catch((error) => {
+    console.error('Server error:', error);
+    process.exit(1);
+  });
+}

package/src/middleware/auth.ts

@@ -0,0 +1,342 @@
+import crypto from 'crypto';
+import type { NextFunction, Request, Response } from 'express';
+import bcrypt from 'bcrypt';
+import pool from '../db/client';
+import { log } from '../lib/logger';
+import { parseAgentApiKey } from '../lib/apiKeys';
+import type { Agent, Org, WorkspaceUser } from '../types';
+
+export const WORKSPACE_SESSION_COOKIE = 'availsync_session';
+export const WORKSPACE_SESSION_DAYS = 30;
+
+export interface AgentAuthenticatedRequest extends Request {
+  auth: { kind: 'agent' };
+  agent: Agent;
+  org: Org;
+}
+
+export interface WorkspaceAuthenticatedRequest extends Request {
+  auth: { kind: 'workspace' };
+  user: WorkspaceUser;
+  org: Org;
+}
+
+export type AuthenticatedRequest = AgentAuthenticatedRequest;
+export type AnyAuthenticatedRequest = AgentAuthenticatedRequest | WorkspaceAuthenticatedRequest;
+export type AdminAuthenticatedRequest = WorkspaceAuthenticatedRequest;
+
+type AgentAuthRow = {
+  agent_id: string;
+  agent_name: string;
+  api_key_hash: string;
+  agent_type: Agent['agent_type'];
+  priority: number;
+  enforcement_mode: Agent['enforcement_mode'];
+  last_seen_at?: Date | null;
+  mcp_last_seen_at?: Date | null;
+  mcp_client_name?: string | null;
+  agent_created_at: Date;
+  org_id: string;
+  org_name: string;
+  plan: Org['plan'];
+  agent_limit: number;
+  org_verified_at?: Date | null;
+  org_created_at: Date;
+};
+
+const DUMMY_AGENT_API_KEY_HASH = '$2b$10$uqpuuBbmijjr1bD0L6pBDezy0ACGhT0ZaLkUXAvWSA4LgyaviWC9q';
+
+type WorkspaceAuthRow = {
+  user_id: string;
+  email: string;
+  password_hash: string;
+  role: WorkspaceUser['role'];
+  user_created_at: Date;
+  org_id: string;
+  org_name: string;
+  plan: Org['plan'];
+  agent_limit: number;
+  org_verified_at?: Date | null;
+  org_created_at: Date;
+};
+
+function sessionSecret() {
+  return process.env.SESSION_SECRET || 'dev-session-secret';
+}
+
+export function hashSessionToken(token: string): string {
+  return crypto.createHmac('sha256', sessionSecret()).update(token).digest('hex');
+}
+
+export function getCookie(req: Request, name: string): string | null {
+  const header = req.header('cookie');
+  if (!header) return null;
+
+  const cookies = header.split(';').map((cookie) => cookie.trim());
+  for (const cookie of cookies) {
+    const separator = cookie.indexOf('=');
+    if (separator === -1) continue;
+    const key = cookie.slice(0, separator);
+    if (key === name) {
+      return decodeURIComponent(cookie.slice(separator + 1));
+    }
+  }
+  return null;
+}
+
+export function setWorkspaceSessionCookie(res: Response, token: string) {
+  res.cookie(WORKSPACE_SESSION_COOKIE, token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: WORKSPACE_SESSION_DAYS * 24 * 60 * 60 * 1000,
+  });
+}
+
+export function clearWorkspaceSessionCookie(res: Response) {
+  res.clearCookie(WORKSPACE_SESSION_COOKIE, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+  });
+}
+
+function buildAgent(row: AgentAuthRow): Agent {
+  return {
+    id: row.agent_id,
+    org_id: row.org_id,
+    name: row.agent_name,
+    api_key_hash: row.api_key_hash,
+    agent_type: row.agent_type,
+    priority: row.priority,
+    enforcement_mode: row.enforcement_mode,
+    last_seen_at: row.last_seen_at ?? null,
+    mcp_last_seen_at: row.mcp_last_seen_at ?? null,
+    mcp_client_name: row.mcp_client_name ?? null,
+    created_at: row.agent_created_at,
+  };
+}
+
+function buildOrg(row: AgentAuthRow | WorkspaceAuthRow): Org {
+  return {
+    id: row.org_id,
+    name: row.org_name,
+    plan: row.plan,
+    agent_limit: row.agent_limit,
+    verified_at: row.org_verified_at ?? null,
+    created_at: row.org_created_at,
+  };
+}
+
+function buildUser(row: WorkspaceAuthRow): WorkspaceUser {
+  return {
+    id: row.user_id,
+    org_id: row.org_id,
+    email: row.email,
+    password_hash: row.password_hash,
+    role: row.role,
+    created_at: row.user_created_at,
+  };
+}
+
+async function authenticateAgentKey(req: Request): Promise<{ agent: Agent; org: Org } | null> {
+  const header = req.header('Authorization');
+  if (!header?.startsWith('Bearer ')) return null;
+
+  const token = header.slice('Bearer '.length).trim();
+
+  const parsedKey = parseAgentApiKey(token);
+  if (!parsedKey) {
+    return null;
+  }
+
+  const result = await pool.query<AgentAuthRow>(
+    `SELECT
+       agents.id AS agent_id,
+       agents.name AS agent_name,
+       agents.api_key_hash,
+       agents.agent_type,
+       agents.priority,
+       agents.enforcement_mode,
+       agents.last_seen_at,
+       agents.mcp_last_seen_at,
+       agents.mcp_client_name,
+       agents.created_at AS agent_created_at,
+       orgs.id AS org_id,
+       orgs.name AS org_name,
+       orgs.plan,
+       orgs.agent_limit,
+       orgs.verified_at AS org_verified_at,
+       orgs.created_at AS org_created_at
+     FROM agents
+     JOIN orgs ON agents.org_id = orgs.id
+     WHERE agents.api_key_prefix = $1`,
+    [parsedKey.prefix],
+  );
+
+  const row = result.rows[0];
+  const hashToCompare = row?.api_key_hash ?? DUMMY_AGENT_API_KEY_HASH;
+  const ok = await bcrypt.compare(token, hashToCompare);
+  if (!row || !ok) {
+    return null;
+  }
+  Promise.resolve(pool.query('UPDATE agents SET last_seen_at = NOW() WHERE id = $1', [row.agent_id])).catch((err) => {
+    log.warn('[auth] failed to update agent last_seen_at', {
+      agent_id: row.agent_id,
+      error: (err as Error).message,
+    });
+  });
+  return { agent: buildAgent(row), org: buildOrg(row) };
+}
+
+export async function authenticateWorkspaceSession(req: Request): Promise<{ user: WorkspaceUser; org: Org } | null> {
+  const token = getCookie(req, WORKSPACE_SESSION_COOKIE);
+  if (!token) return null;
+
+  const result = await pool.query<WorkspaceAuthRow>(
+    `SELECT
+       workspace_users.id AS user_id,
+       workspace_users.email,
+       workspace_users.password_hash,
+       workspace_users.role,
+       workspace_users.created_at AS user_created_at,
+       orgs.id AS org_id,
+       orgs.name AS org_name,
+       orgs.plan,
+       orgs.agent_limit,
+       orgs.verified_at AS org_verified_at,
+       orgs.created_at AS org_created_at
+     FROM workspace_sessions
+     JOIN workspace_users ON workspace_users.id = workspace_sessions.user_id
+     JOIN orgs ON orgs.id = workspace_users.org_id
+     WHERE workspace_sessions.token_hash = $1
+       AND workspace_sessions.expires_at > NOW()`,
+    [hashSessionToken(token)],
+  );
+
+  if (result.rows.length === 0) return null;
+  return { user: buildUser(result.rows[0]), org: buildOrg(result.rows[0]) };
+}
+
+export function adminEmails(): string[] {
+  return (process.env.ADMIN_EMAILS || '')
+    .split(',')
+    .map((email) => email.trim().toLowerCase())
+    .filter(Boolean);
+}
+
+export function isAdminEmail(email: string): boolean {
+  return adminEmails().includes(email.toLowerCase());
+}
+
+export async function requireAgentKey(
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<Response | void> {
+  try {
+    const authenticated = await authenticateAgentKey(req);
+    if (!authenticated) {
+      return res.status(401).json({ error: req.header('Authorization') ? 'invalid_key' : 'missing_auth' });
+    }
+
+    const authReq = req as AgentAuthenticatedRequest;
+    authReq.auth = { kind: 'agent' };
+    authReq.agent = authenticated.agent;
+    authReq.org = authenticated.org;
+    return next();
+  } catch (err) {
+    log.error('[auth] agent auth error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+}
+
+export async function requireWorkspaceSession(
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<Response | void> {
+  try {
+    const authenticated = await authenticateWorkspaceSession(req);
+    if (!authenticated) {
+      return res.status(401).json({ error: 'missing_workspace_session' });
+    }
+
+    const authReq = req as WorkspaceAuthenticatedRequest;
+    authReq.auth = { kind: 'workspace' };
+    authReq.user = authenticated.user;
+    authReq.org = authenticated.org;
+    return next();
+  } catch (err) {
+    log.error('[auth] workspace auth error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+}
+
+export async function requireAdminSession(
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<Response | void> {
+  try {
+    const authenticated = await authenticateWorkspaceSession(req);
+    if (!authenticated) {
+      return res.status(401).json({ error: 'missing_workspace_session' });
+    }
+    if (!isAdminEmail(authenticated.user.email)) {
+      return res.status(403).json({ error: 'forbidden', message: 'Admin access required' });
+    }
+
+    const authReq = req as AdminAuthenticatedRequest;
+    authReq.auth = { kind: 'workspace' };
+    authReq.user = authenticated.user;
+    authReq.org = authenticated.org;
+    return next();
+  } catch (err) {
+    log.error('[auth] admin auth error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+}
+
+export async function requireWorkspaceOrAgent(
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<Response | void> {
+  try {
+    const workspace = await authenticateWorkspaceSession(req);
+    if (workspace) {
+      const authReq = req as WorkspaceAuthenticatedRequest;
+      authReq.auth = { kind: 'workspace' };
+      authReq.user = workspace.user;
+      authReq.org = workspace.org;
+      return next();
+    }
+
+    const agent = await authenticateAgentKey(req);
+    if (agent) {
+      const authReq = req as AgentAuthenticatedRequest;
+      authReq.auth = { kind: 'agent' };
+      authReq.agent = agent.agent;
+      authReq.org = agent.org;
+      return next();
+    }
+
+    return res.status(401).json({ error: 'missing_auth' });
+  } catch (err) {
+    log.error('[auth] mixed auth error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+}
+
+export function canAccessAgent(req: AnyAuthenticatedRequest, agentId: string): boolean {
+  return !isAgentAuth(req) || req.agent.id === agentId;
+}
+
+export function isAgentAuth(req: AnyAuthenticatedRequest): req is AgentAuthenticatedRequest {
+  return req.auth.kind === 'agent';
+}
+
+export const authMiddleware = requireAgentKey;

package/src/middleware/requestId.ts

@@ -0,0 +1,16 @@
+import { randomUUID } from 'crypto';
+import type { NextFunction, Request, Response } from 'express';
+
+export const REQUEST_ID_HEADER = 'X-Request-Id';
+
+export function requestIdMiddleware(req: Request, res: Response, next: NextFunction) {
+  const incoming = req.header(REQUEST_ID_HEADER);
+  const requestId = incoming && incoming.length <= 128 ? incoming : randomUUID();
+  res.locals.requestId = requestId;
+  res.setHeader(REQUEST_ID_HEADER, requestId);
+  next();
+}
+
+export function requestIdFrom(res: Response) {
+  return typeof res.locals.requestId === 'string' ? res.locals.requestId : undefined;
+}