availsync 0.1.0

package/src/routes/auth.ts

@@ -0,0 +1,203 @@
+import { randomBytes } from 'crypto';
+import bcrypt from 'bcrypt';
+import express from 'express';
+import { z } from 'zod';
+import pool from '../db/client';
+import { log } from '../lib/logger';
+import { createAgentApiKey } from '../lib/apiKeys';
+import { PLAN_CONFIG } from '../lib/plans';
+import {
+  WORKSPACE_SESSION_DAYS,
+  WORKSPACE_SESSION_COOKIE,
+  clearWorkspaceSessionCookie,
+  getCookie,
+  hashSessionToken,
+  requireAgentKey,
+  setWorkspaceSessionCookie,
+  type AgentAuthenticatedRequest,
+} from '../middleware/auth';
+
+const router = express.Router();
+
+const AgentSchema = z.object({
+  name: z.string().min(1),
+  agent_type: z
+    .enum(['external_meeting', 'internal', 'focus', 'generic'])
+    .optional()
+    .default('generic'),
+  priority: z.number().int().optional().default(0),
+});
+
+const SignupSchema = z.object({
+  workspace_name: z.string().min(1),
+  email: z.string().email(),
+  password: z.string().min(8),
+  agent: AgentSchema,
+});
+
+const LoginSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(1),
+});
+
+const ClaimSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+});
+
+async function createAgent(
+  client: Pick<typeof pool, 'query'>,
+  orgId: string,
+  input: z.infer<typeof AgentSchema>,
+) {
+  const { apiKey, apiKeyHash, apiKeyPrefix } = await createAgentApiKey();
+
+  const created = await client.query(
+    `INSERT INTO agents (org_id, name, api_key_hash, api_key_prefix, agent_type, priority)
+     VALUES ($1, $2, $3, $4, $5, $6)
+     RETURNING *`,
+    [orgId, input.name, apiKeyHash, apiKeyPrefix, input.agent_type, input.priority],
+  );
+  await client.query('INSERT INTO agent_preferences (agent_id) VALUES ($1)', [
+    created.rows[0].id,
+  ]);
+
+  const { api_key_hash: _apiKeyHash, api_key_prefix: _apiKeyPrefix, ...agent } = created.rows[0];
+  return { agent, apiKey };
+}
+
+async function createWorkspaceSession(userId: string) {
+  const token = randomBytes(32).toString('hex');
+  const expiresAt = new Date(Date.now() + WORKSPACE_SESSION_DAYS * 24 * 60 * 60 * 1000);
+
+  await pool.query(
+    `INSERT INTO workspace_sessions (user_id, token_hash, expires_at)
+     VALUES ($1, $2, $3)`,
+    [userId, hashSessionToken(token), expiresAt],
+  );
+
+  return token;
+}
+
+router.post('/auth/signup', async (req, res) => {
+  const parsed = SignupSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(422).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const client = await pool.connect();
+  try {
+    const saltRounds = Number.parseInt(process.env.API_KEY_SALT_ROUNDS || '10', 10);
+    const passwordHash = await bcrypt.hash(parsed.data.password, saltRounds);
+
+    await client.query('BEGIN');
+    const org = await client.query(
+      "INSERT INTO orgs (name, plan, agent_limit, subscription_status) VALUES ($1, 'free', $2, 'free') RETURNING *",
+      [parsed.data.workspace_name, PLAN_CONFIG.free.db_agent_limit],
+    );
+    const user = await client.query(
+      `INSERT INTO workspace_users (org_id, email, password_hash, role)
+       VALUES ($1, $2, $3, 'owner')
+       RETURNING id, org_id, email, role, created_at`,
+      [org.rows[0].id, parsed.data.email.toLowerCase(), passwordHash],
+    );
+    const createdAgent = await createAgent(client, org.rows[0].id, parsed.data.agent);
+    await client.query('COMMIT');
+
+    const token = await createWorkspaceSession(user.rows[0].id);
+    setWorkspaceSessionCookie(res, token);
+
+    return res.status(201).json({
+      org: org.rows[0],
+      user: user.rows[0],
+      agent: createdAgent.agent,
+      api_key: createdAgent.apiKey,
+    });
+  } catch (err) {
+    await client.query('ROLLBACK').catch(() => {});
+    if ((err as { code?: string }).code === '23505') {
+      return res.status(409).json({ error: 'email_taken', message: 'Email already has a workspace' });
+    }
+    log.error('[auth] signup error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  } finally {
+    client.release();
+  }
+});
+
+router.post('/auth/login', async (req, res) => {
+  const parsed = LoginSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(422).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  try {
+    const result = await pool.query(
+      `SELECT id, password_hash
+       FROM workspace_users
+       WHERE email = $1`,
+      [parsed.data.email.toLowerCase()],
+    );
+    const user = result.rows[0];
+
+    if (!user || !(await bcrypt.compare(parsed.data.password, user.password_hash))) {
+      return res.status(401).json({ error: 'invalid_credentials' });
+    }
+
+    const token = await createWorkspaceSession(user.id);
+    setWorkspaceSessionCookie(res, token);
+    return res.json({ ok: true });
+  } catch (err) {
+    log.error('[auth] login error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.post('/auth/logout', async (req, res) => {
+  const token = getCookie(req, WORKSPACE_SESSION_COOKIE);
+  if (token) {
+    await pool
+      .query('DELETE FROM workspace_sessions WHERE token_hash = $1', [hashSessionToken(token)])
+      .catch((err) => log.warn('[auth] logout cleanup failed', { error: (err as Error).message }));
+  }
+  clearWorkspaceSessionCookie(res);
+  return res.json({ ok: true });
+});
+
+router.post('/auth/claim', requireAgentKey, async (req, res) => {
+  const parsed = ClaimSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(422).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const authReq = req as AgentAuthenticatedRequest;
+  try {
+    const existing = await pool.query('SELECT 1 FROM workspace_users WHERE org_id = $1', [
+      authReq.org.id,
+    ]);
+    if (existing.rows.length > 0) {
+      return res.status(409).json({ error: 'workspace_already_claimed' });
+    }
+
+    const saltRounds = Number.parseInt(process.env.API_KEY_SALT_ROUNDS || '10', 10);
+    const passwordHash = await bcrypt.hash(parsed.data.password, saltRounds);
+    const user = await pool.query(
+      `INSERT INTO workspace_users (org_id, email, password_hash, role)
+       VALUES ($1, $2, $3, 'owner')
+       RETURNING id, org_id, email, role, created_at`,
+      [authReq.org.id, parsed.data.email.toLowerCase(), passwordHash],
+    );
+    const token = await createWorkspaceSession(user.rows[0].id);
+    setWorkspaceSessionCookie(res, token);
+
+    return res.status(201).json({ org: authReq.org, user: user.rows[0] });
+  } catch (err) {
+    if ((err as { code?: string }).code === '23505') {
+      return res.status(409).json({ error: 'email_taken', message: 'Email already has a workspace' });
+    }
+    log.error('[auth] claim error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+export default router;

package/src/routes/availability.ts

@@ -0,0 +1,325 @@
+import express from 'express';
+import { z } from 'zod';
+import pool from '../db/client';
+import { log } from '../lib/logger';
+import { getAvailableSlots } from '../core/availability';
+import { actorFromAuth, durationSince, logActivity } from '../lib/activity';
+import { enforcePlanLimit } from '../lib/plans';
+import {
+  canAccessAgent,
+  requireWorkspaceOrAgent,
+  type AnyAuthenticatedRequest,
+} from '../middleware/auth';
+
+const router = express.Router();
+
+const AvailabilityQuerySchema = z
+  .object({
+    agent_id: z.string().uuid(),
+    from: z.string().datetime({ offset: true }),
+    to: z.string().datetime({ offset: true }),
+    duration_minutes: z.coerce.number().int().min(1).max(480),
+    include_competing_agents: z
+      .preprocess((value) => value === 'true' || value === true, z.boolean())
+      .optional()
+      .default(true),
+  })
+  .refine((data) => new Date(data.to) > new Date(data.from), {
+    path: ['to'],
+    message: 'to must be after from',
+  });
+
+const WindowSchema = z
+  .object({
+    agent_id: z.string().uuid(),
+    start_at: z.string().datetime({ offset: true }),
+    end_at: z.string().datetime({ offset: true }),
+    window_type: z.enum(['available', 'focus', 'blocked']),
+    recurrence: z.enum(['daily', 'weekly']).optional(),
+  })
+  .refine((data) => new Date(data.end_at) > new Date(data.start_at), {
+    path: ['end_at'],
+    message: 'end_at must be after start_at',
+  });
+
+const WindowUpdateSchema = z
+  .object({
+    start_at: z.string().datetime({ offset: true }),
+    end_at: z.string().datetime({ offset: true }),
+    window_type: z.enum(['available', 'focus', 'blocked']),
+    recurrence: z.enum(['daily', 'weekly']).nullable().optional(),
+  })
+  .refine((data) => new Date(data.end_at) > new Date(data.start_at), {
+    path: ['end_at'],
+    message: 'end_at must be after start_at',
+  });
+
+async function agentBelongsToOrg(agentId: string, orgId: string): Promise<boolean> {
+  const result = await pool.query('SELECT 1 FROM agents WHERE id = $1 AND org_id = $2', [
+    agentId,
+  orgId,
+  ]);
+  return result.rows.length > 0;
+}
+
+async function getWindowInOrg(windowId: string, orgId: string) {
+  const result = await pool.query(
+    `SELECT availability_windows.*
+     FROM availability_windows
+     JOIN agents ON agents.id = availability_windows.agent_id
+     WHERE availability_windows.id = $1
+       AND agents.org_id = $2`,
+    [windowId, orgId],
+  );
+  return result.rows[0];
+}
+
+router.get('/availability', requireWorkspaceOrAgent, async (req, res) => {
+  const startedAt = Date.now();
+  const parsed = AvailabilityQuerySchema.safeParse(req.query);
+  if (!parsed.success) {
+    return res.status(400).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const authReq = req as AnyAuthenticatedRequest;
+  const from = new Date(parsed.data.from);
+  const to = new Date(parsed.data.to);
+
+  if (from < new Date()) {
+    return res.status(400).json({ error: 'past_datetime' });
+  }
+
+  try {
+    if (!(await agentBelongsToOrg(parsed.data.agent_id, authReq.org.id))) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent is outside your org' });
+    }
+    if (!canAccessAgent(authReq, parsed.data.agent_id)) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent key cannot act for another agent' });
+    }
+    if (!(await enforcePlanLimit({
+      org_id: authReq.org.id,
+      limit_type: 'api_calls_month',
+      res,
+    }))) {
+      return;
+    }
+
+    const prefs = await pool.query(
+      'SELECT booking_window_days, buffer_minutes_after, focus_blocks FROM agent_preferences WHERE agent_id = $1',
+      [parsed.data.agent_id],
+    );
+    const preference = prefs.rows[0];
+    const bookingWindowDays = preference?.booking_window_days ?? 30;
+    const maxTo = new Date(Date.now() + bookingWindowDays * 24 * 60 * 60 * 1000);
+
+    if (to > maxTo) {
+      return res.status(400).json({ error: 'outside_booking_window' });
+    }
+
+    const slots = await getAvailableSlots({
+      agent_id: parsed.data.agent_id,
+      org_id: authReq.org.id,
+      from,
+      to,
+      duration_minutes: parsed.data.duration_minutes,
+      include_competing_agents: parsed.data.include_competing_agents,
+    });
+
+    await logActivity({
+      org_id: authReq.org.id,
+      agent_id: parsed.data.agent_id,
+      activity_type: 'availability_check',
+      endpoint: '/v1/availability',
+      method: 'GET',
+      status_code: 200,
+      status: 'success',
+      ...actorFromAuth(authReq),
+      latency_ms: durationSince(startedAt),
+      metadata: {
+        from: from.toISOString(),
+        to: to.toISOString(),
+        duration_minutes: parsed.data.duration_minutes,
+        total_slots: slots.length,
+        include_competing_agents: parsed.data.include_competing_agents,
+      },
+    });
+
+    const rulesApplied = [
+      `buffer_${preference?.buffer_minutes_after ?? 15}min`,
+      ...(Array.isArray(preference?.focus_blocks) && preference.focus_blocks.length > 0
+        ? ['focus_block_mornings']
+        : []),
+    ];
+
+    return res.json({
+      slots: slots.map((slot) => ({
+        start: slot.start.toISOString(),
+        end: slot.end.toISOString(),
+        confidence: slot.confidence,
+        competing_holds_count: slot.competing_holds_count,
+      })),
+      rules_applied: rulesApplied,
+      generated_at: new Date().toISOString(),
+      total_slots: slots.length,
+    });
+  } catch (err) {
+    log.error('[availability] unexpected error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.post('/availability-windows', requireWorkspaceOrAgent, async (req, res) => {
+  const parsed = WindowSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(422).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const authReq = req as AnyAuthenticatedRequest;
+
+  try {
+    if (!(await agentBelongsToOrg(parsed.data.agent_id, authReq.org.id))) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent is outside your org' });
+    }
+    if (!canAccessAgent(authReq, parsed.data.agent_id)) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent key cannot act for another agent' });
+    }
+
+    const created = await pool.query(
+      `INSERT INTO availability_windows (agent_id, start_at, end_at, window_type, recurrence)
+       VALUES ($1, $2, $3, $4, $5)
+       RETURNING *`,
+      [
+        parsed.data.agent_id,
+        new Date(parsed.data.start_at),
+        new Date(parsed.data.end_at),
+        parsed.data.window_type,
+        parsed.data.recurrence ?? null,
+      ],
+    );
+
+    return res.status(201).json({ window: created.rows[0] });
+  } catch (err) {
+    log.error('[availability] unexpected error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.get('/availability-windows', requireWorkspaceOrAgent, async (req, res) => {
+  const query = z
+    .object({
+      agent_id: z.string().uuid(),
+      from: z.string().datetime({ offset: true }).optional(),
+      to: z.string().datetime({ offset: true }).optional(),
+    })
+    .safeParse(req.query);
+
+  if (!query.success) {
+    return res.status(400).json({ error: 'validation_error', details: query.error.flatten() });
+  }
+
+  const authReq = req as AnyAuthenticatedRequest;
+
+  try {
+    if (!(await agentBelongsToOrg(query.data.agent_id, authReq.org.id))) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent is outside your org' });
+    }
+    if (!canAccessAgent(authReq, query.data.agent_id)) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent key cannot act for another agent' });
+    }
+
+    const windows = await pool.query(
+      `SELECT *
+       FROM availability_windows
+       WHERE agent_id = $1
+         AND ($2::timestamptz IS NULL OR end_at > $2)
+         AND ($3::timestamptz IS NULL OR start_at < $3)
+       ORDER BY start_at ASC`,
+      [
+        query.data.agent_id,
+        query.data.from ? new Date(query.data.from) : null,
+        query.data.to ? new Date(query.data.to) : null,
+      ],
+    );
+    return res.json({ windows: windows.rows });
+  } catch (err) {
+    log.error('[availability] unexpected error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.put('/availability-windows/:window_id', requireWorkspaceOrAgent, async (req, res) => {
+  const windowId = z.string().uuid().safeParse(req.params.window_id);
+  if (!windowId.success) {
+    return res.status(400).json({ error: 'validation_error', details: windowId.error.flatten() });
+  }
+
+  const parsed = WindowUpdateSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(422).json({ error: 'validation_error', details: parsed.error.flatten() });
+  }
+
+  const authReq = req as AnyAuthenticatedRequest;
+
+  try {
+    const existing = await getWindowInOrg(windowId.data, authReq.org.id);
+    if (!existing) {
+      return res.status(404).json({ error: 'window_not_found', message: 'Availability window not found' });
+    }
+    if (!canAccessAgent(authReq, existing.agent_id)) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent key cannot act for another agent' });
+    }
+
+    const updated = await pool.query(
+      `UPDATE availability_windows
+       SET start_at = $1,
+           end_at = $2,
+           window_type = $3,
+           recurrence = $4
+       WHERE id = $5
+       RETURNING *`,
+      [
+        new Date(parsed.data.start_at),
+        new Date(parsed.data.end_at),
+        parsed.data.window_type,
+        parsed.data.recurrence ?? null,
+        windowId.data,
+      ],
+    );
+
+    return res.json({ window: updated.rows[0] });
+  } catch (err) {
+    log.error('[availability] unexpected error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+router.delete('/availability-windows/:window_id', requireWorkspaceOrAgent, async (req, res) => {
+  const windowId = z.string().uuid().safeParse(req.params.window_id);
+  if (!windowId.success) {
+    return res.status(400).json({ error: 'validation_error', details: windowId.error.flatten() });
+  }
+
+  const authReq = req as AnyAuthenticatedRequest;
+
+  try {
+    const existing = await getWindowInOrg(windowId.data, authReq.org.id);
+    if (!existing) {
+      return res.status(404).json({ error: 'window_not_found', message: 'Availability window not found' });
+    }
+    if (!canAccessAgent(authReq, existing.agent_id)) {
+      return res.status(403).json({ error: 'forbidden', message: 'Agent key cannot act for another agent' });
+    }
+
+    const deleted = await pool.query(
+      'DELETE FROM availability_windows WHERE id = $1 RETURNING *',
+      [windowId.data],
+    );
+
+    return res.json({ window: deleted.rows[0] });
+  } catch (err) {
+    log.error('[availability] unexpected error', { error: (err as Error).message });
+    return res.status(500).json({ error: 'internal_error', message: 'An unexpected error occurred' });
+  }
+});
+
+export default router;