availsync 0.1.0

package/src/server.ts

@@ -0,0 +1,36 @@
+import path from 'path';
+import { createRequire } from 'module';
+import app, { validateEnv } from './index';
+import { runMigrations } from './db/migrations';
+import { log } from './lib/logger';
+
+const PORT = Number(process.env.PORT || 3000);
+const frontendDir = path.resolve(process.cwd(), 'frontend');
+const frontendRequire = createRequire(path.join(frontendDir, 'package.json'));
+const next = frontendRequire('next');
+
+async function start() {
+  validateEnv();
+  await runMigrations();
+
+  const nextApp = next({
+    dev: process.env.NODE_ENV !== 'production',
+    dir: frontendDir,
+    hostname: '0.0.0.0',
+    port: PORT,
+  });
+  const handle = nextApp.getRequestHandler();
+
+  await nextApp.prepare();
+
+  app.all('*', (req, res) => handle(req, res));
+
+  app.listen(PORT, () => {
+    log.info(`Availsync web and API running on :${PORT}`);
+  });
+}
+
+start().catch((err) => {
+  log.error('Server failed to start', { message: err.message, stack: err.stack });
+  process.exit(1);
+});

package/src/types/index.ts

@@ -0,0 +1,109 @@
+import type { Request } from 'express';
+
+export interface Org {
+  id: string;
+  name: string;
+  plan: 'free' | 'individual' | 'team';
+  agent_limit: number;
+  verified_at?: Date | null;
+  created_at: Date;
+}
+
+export interface Agent {
+  id: string;
+  org_id: string;
+  name: string;
+  api_key_hash: string;
+  agent_type: 'external_meeting' | 'internal' | 'focus' | 'generic';
+  priority: number;
+  enforcement_mode: 'enforce' | 'observe';
+  last_seen_at?: Date | null;
+  mcp_last_seen_at?: Date | null;
+  mcp_client_name?: string | null;
+  created_at: Date;
+}
+
+export interface WorkspaceUser {
+  id: string;
+  org_id: string;
+  email: string;
+  password_hash: string;
+  role: 'owner' | 'admin';
+  created_at: Date;
+}
+
+export interface Hold {
+  id: string;
+  agent_id: string;
+  org_id: string;
+  start_at: Date;
+  end_at: Date;
+  reason?: string;
+  status: 'confirmed' | 'superseded' | 'released';
+  booked_by_agent_id?: string;
+  metadata?: Record<string, unknown>;
+  created_at: Date;
+}
+
+export interface WorkResource {
+  id: string;
+  org_id: string;
+  resource_type: string;
+  resource_key: string;
+  label: string;
+  created_at: Date;
+}
+
+export interface WorkClaim {
+  id: string;
+  agent_id: string;
+  org_id: string;
+  resource_id: string;
+  start_at: Date;
+  end_at: Date;
+  expires_at: Date;
+  last_renewed_at: Date;
+  renewal_count: number;
+  idempotency_key?: string | null;
+  status: 'active' | 'superseded' | 'released' | 'expired' | 'blocked';
+  reason?: string;
+  metadata?: Record<string, unknown>;
+  created_at: Date;
+}
+
+export interface AvailabilityWindow {
+  id: string;
+  agent_id: string;
+  start_at: Date;
+  end_at: Date;
+  window_type: 'available' | 'focus' | 'blocked';
+  recurrence?: string;
+}
+
+export interface AgentPreferences {
+  agent_id: string;
+  buffer_minutes_after: number;
+  buffer_minutes_before: number;
+  focus_blocks: FocusBlock[];
+  priority_over_agents: string[];
+  booking_window_days: number;
+  allow_back_to_back: boolean;
+}
+
+export interface FocusBlock {
+  weekday: number;
+  start_time: string;
+  end_time: string;
+}
+
+export interface AvailableSlot {
+  start: Date;
+  end: Date;
+  confidence: number;
+  competing_holds_count: number;
+}
+
+export interface RequestWithAgent extends Request {
+  agent: Agent;
+  org: Org;
+}

package/tests/integration/activity.route.test.ts

@@ -0,0 +1,103 @@
+import { afterAll, beforeAll, describe, expect, test } from '@jest/globals';
+import {
+  api,
+  closeDatabase,
+  createOrgAndAgent,
+  createWindow,
+  getWorkspaceCookie,
+  migrateTestDatabase,
+  resetDatabase,
+} from './helpers';
+
+describe('activity routes', () => {
+  let orgId: string;
+  let agentId: string;
+  let apiKey: string;
+
+  beforeAll(async () => {
+    await migrateTestDatabase();
+    await resetDatabase();
+    const created = await createOrgAndAgent('Activity Agent', 'generic');
+    orgId = created.orgId;
+    agentId = created.agentId;
+    apiKey = created.apiKey;
+    await createWindow(agentId, apiKey, '2030-04-01T09:00:00Z', '2030-04-01T17:00:00Z');
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('runtime calls write metadata-only activity rows', async () => {
+    await api
+      .post('/v1/mcp/heartbeat')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ client_name: 'jest-mcp' })
+      .expect(200);
+
+    await api
+      .get('/v1/availability')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .query({
+        agent_id: agentId,
+        from: '2030-04-01T09:00:00Z',
+        to: '2030-04-01T10:00:00Z',
+        duration_minutes: 30,
+      })
+      .expect(200);
+
+    await api
+      .post('/v1/conflicts/check')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: agentId,
+        start_at: '2030-04-01T09:00:00Z',
+        end_at: '2030-04-01T09:30:00Z',
+      })
+      .expect(200);
+
+    const response = await api
+      .get('/v1/activity')
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    expect(response.body.events.map((event: { activity_type: string }) => event.activity_type)).toEqual(
+      expect.arrayContaining(['mcp_heartbeat', 'availability_check', 'conflict_preview']),
+    );
+    expect(JSON.stringify(response.body.events)).not.toContain(apiKey);
+    expect(JSON.stringify(response.body.events)).not.toContain('Authorization');
+  });
+
+  test('agent key cannot list workspace activity', async () => {
+    await api.get('/v1/activity').set('Authorization', `Bearer ${apiKey}`).expect(401);
+  });
+
+  test('agent can report token usage for itself', async () => {
+    await api
+      .post('/v1/activity/usage')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        activity_type: 'agent_run',
+        provider: 'openai',
+        model: 'gpt-test',
+        input_tokens: 120,
+        output_tokens: 80,
+        estimated_cost_usd: 0.001,
+      })
+      .expect(201);
+
+    const response = await api
+      .get('/v1/activity?activity_type=agent_run')
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    expect(response.body.events[0]).toMatchObject({
+      provider: 'openai',
+      model: 'gpt-test',
+      input_tokens: 120,
+      output_tokens: 80,
+      total_tokens: 200,
+    });
+  });
+});

package/tests/integration/admin.route.test.ts

@@ -0,0 +1,143 @@
+import { afterAll, afterEach, beforeEach, describe, expect, test } from '@jest/globals';
+import pool from '../../src/db/client';
+import {
+  api,
+  closeDatabase,
+  createAgent,
+  createOrgAndAgent,
+  getWorkspaceCookie,
+  migrateTestDatabase,
+  resetDatabase,
+} from './helpers';
+
+async function ownerEmail(orgId: string): Promise<string> {
+  const result = await pool.query(
+    `SELECT email
+     FROM workspace_users
+     WHERE org_id = $1
+     ORDER BY created_at ASC
+     LIMIT 1`,
+    [orgId],
+  );
+  return result.rows[0].email;
+}
+
+describe('admin routes', () => {
+  const previousAdminEmails = process.env.ADMIN_EMAILS;
+
+  beforeEach(async () => {
+    await migrateTestDatabase();
+    await resetDatabase();
+    process.env.ADMIN_EMAILS = '';
+  });
+
+  afterEach(() => {
+    process.env.ADMIN_EMAILS = previousAdminEmails;
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('requires a workspace session and admin email', async () => {
+    const { orgId } = await createOrgAndAgent('Non Admin', 'generic', 0);
+
+    await api.get('/v1/admin/overview').expect(401);
+    await api
+      .get('/v1/admin/overview')
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(403);
+  });
+
+  test('admin overview returns workspace, plan, activity, and work metrics', async () => {
+    const first = await createOrgAndAgent('Admin Agent', 'generic', 0);
+    const second = await createOrgAndAgent('Team Agent', 'generic', 0);
+    process.env.ADMIN_EMAILS = await ownerEmail(first.orgId);
+
+    await pool.query(
+      `UPDATE orgs
+       SET plan = 'team',
+           agent_limit = 9999,
+           stripe_customer_id = 'cus_test',
+           stripe_subscription_id = 'sub_test'
+       WHERE id = $1`,
+      [second.orgId],
+    );
+    await api
+      .post('/v1/mcp/heartbeat')
+      .set('Authorization', `Bearer ${first.apiKey}`)
+      .send({ client_name: 'admin-test' })
+      .expect(200);
+
+    const response = await api
+      .get('/v1/admin/overview')
+      .set('Cookie', getWorkspaceCookie(first.orgId))
+      .expect(200);
+
+    expect(response.body).toMatchObject({
+      total_workspaces: 2,
+      free_workspaces: 1,
+      team_workspaces: 1,
+      paid_workspaces: 1,
+      total_agents: 2,
+      api_calls_today: expect.any(Number),
+    });
+  });
+
+  test('admin org list supports plan and search filters', async () => {
+    const first = await createOrgAndAgent('Searchable Owner', 'generic', 0);
+    const second = await createOrgAndAgent('Paid Team', 'generic', 0);
+    process.env.ADMIN_EMAILS = await ownerEmail(first.orgId);
+    await pool.query("UPDATE orgs SET plan = 'individual', agent_limit = 15 WHERE id = $1", [
+      second.orgId,
+    ]);
+    await createAgent(second.orgId, 'Second Agent', 'generic', 0);
+
+    const byPlan = await api
+      .get('/v1/admin/orgs?plan=individual')
+      .set('Cookie', getWorkspaceCookie(first.orgId))
+      .expect(200);
+
+    expect(byPlan.body.orgs).toHaveLength(1);
+    expect(byPlan.body.orgs[0]).toMatchObject({
+      id: second.orgId,
+      plan: 'individual',
+      agent_count: 2,
+      owner_email: expect.stringContaining('@'),
+    });
+
+    const byQuery = await api
+      .get('/v1/admin/orgs?q=Searchable')
+      .set('Cookie', getWorkspaceCookie(first.orgId))
+      .expect(200);
+
+    expect(byQuery.body.orgs).toHaveLength(1);
+    expect(byQuery.body.orgs[0].id).toBe(first.orgId);
+  });
+
+  test('admin org detail redacts secrets', async () => {
+    const { orgId, apiKey } = await createOrgAndAgent('Secret Check', 'generic', 0);
+    process.env.ADMIN_EMAILS = await ownerEmail(orgId);
+    await api
+      .post('/v1/mcp/heartbeat')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ client_name: 'admin-redaction-test' })
+      .expect(200);
+
+    const response = await api
+      .get(`/v1/admin/orgs/${orgId}`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    const serialized = JSON.stringify(response.body);
+    expect(serialized).not.toContain('api_key_hash');
+    expect(serialized).not.toContain('password_hash');
+    expect(serialized).not.toContain('token_hash');
+    expect(serialized).not.toContain(apiKey);
+    expect(response.body.users[0]).toMatchObject({
+      email: expect.stringContaining('@'),
+      role: 'owner',
+    });
+  });
+});

package/tests/integration/agent-keys.route.test.ts

@@ -0,0 +1,237 @@
+import { afterAll, beforeAll, describe, expect, test } from '@jest/globals';
+import pool from '../../src/db/client';
+import {
+  api,
+  closeDatabase,
+  createOrgAndAgent,
+  createWindow,
+  getWorkspaceCookie,
+  migrateTestDatabase,
+  resetDatabase,
+} from './helpers';
+
+describe('agent connection and key management', () => {
+  let orgId: string;
+  let agentId: string;
+  let apiKey: string;
+
+  beforeAll(async () => {
+    await migrateTestDatabase();
+    await resetDatabase();
+    const created = await createOrgAndAgent('Key Agent', 'generic');
+    orgId = created.orgId;
+    agentId = created.agentId;
+    apiKey = created.apiKey;
+    await createWindow(agentId, apiKey, '2030-05-01T09:00:00Z', '2030-05-01T17:00:00Z');
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('test connection returns setup readiness and last activity', async () => {
+    await api
+      .post('/v1/mcp/heartbeat')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ client_name: 'connection-test' })
+      .expect(200);
+    await api
+      .post('/v1/work/check')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(200);
+    const claim = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(201);
+    await api
+      .post(`/v1/work/claims/${claim.body.claim.id}/extend`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ duration_minutes: 15 })
+      .expect(200);
+    await api
+      .delete(`/v1/work/claims/${claim.body.claim.id}`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .expect(200);
+
+    const response = await api
+      .post(`/v1/orgs/${orgId}/agents/${agentId}/test-connection`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    expect(response.body).toMatchObject({
+      agent_id: agentId,
+      last_seen_at: expect.any(String),
+      mcp_status: 'online',
+      setup_readiness: {
+        agent_created: true,
+        mcp_heartbeat_seen: true,
+        first_work_check: true,
+        first_work_claim: true,
+        first_work_extend: true,
+        first_work_release: true,
+        work: {
+          first_work_check: true,
+          first_work_claim: true,
+          first_work_extend: true,
+          first_work_release: true,
+        },
+        activity: {
+          latest_activity_type: 'work_release',
+        },
+      },
+    });
+    expect(response.body.last_successful_api_call).toBeTruthy();
+    expect(JSON.stringify(response.body)).not.toContain(apiKey);
+    expect(JSON.stringify(response.body)).not.toContain('api_key_hash');
+  });
+
+  test('valid agent API key updates general last_seen_at without changing MCP heartbeat', async () => {
+    const before = await pool.query('SELECT last_seen_at, mcp_last_seen_at FROM agents WHERE id = $1', [agentId]);
+
+    await api
+      .post('/v1/work/check')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/last-seen' })
+      .expect(200);
+
+    const after = await pool.query('SELECT last_seen_at, mcp_last_seen_at FROM agents WHERE id = $1', [agentId]);
+    expect(after.rows[0].last_seen_at).toBeTruthy();
+    if (before.rows[0].last_seen_at) {
+      expect(after.rows[0].last_seen_at.getTime()).toBeGreaterThanOrEqual(before.rows[0].last_seen_at.getTime());
+    }
+    expect(after.rows[0].mcp_last_seen_at?.toISOString()).toBe(before.rows[0].mcp_last_seen_at?.toISOString());
+  });
+
+  test('new keys use prefixed format and agent responses do not expose secrets', async () => {
+    expect(apiKey).toMatch(/^avs_live_[a-f0-9]{16}_[a-f0-9]{64}$/);
+
+    const response = await api
+      .get(`/v1/orgs/${orgId}/agents`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    const agent = response.body.agents.find((row: { id: string }) => row.id === agentId);
+    expect(JSON.stringify(agent)).not.toContain('api_key_hash');
+    expect(JSON.stringify(agent)).not.toContain('api_key_prefix');
+    expect(JSON.stringify(agent)).not.toContain(apiKey);
+    expect(JSON.stringify(agent)).not.toContain(apiKey.split('_')[2]);
+  });
+
+  test('dashboard setup test runs safely, releases temporary claim, and does not expose secrets', async () => {
+    await api
+      .post(`/v1/orgs/${orgId}/agents/${agentId}/setup-test`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({})
+      .expect(401);
+
+    const before = await pool.query('SELECT mcp_last_seen_at FROM agents WHERE id = $1', [agentId]);
+    const response = await api
+      .post(`/v1/orgs/${orgId}/agents/${agentId}/setup-test`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .send({ resource_key: 'setup/demo-repo' })
+      .expect((res) => {
+        expect([200, 409]).toContain(res.status);
+      });
+
+    expect(response.body).toMatchObject({
+      run_id: expect.any(String),
+      steps: expect.arrayContaining([
+        expect.objectContaining({ name: 'mcp_status_observed' }),
+        expect.objectContaining({ name: 'availability_check' }),
+        expect.objectContaining({ name: 'conflict_preview' }),
+        expect.objectContaining({ name: 'work_check' }),
+      ]),
+    });
+    expect(JSON.stringify(response.body)).not.toContain(apiKey);
+    expect(JSON.stringify(response.body)).not.toContain('api_key_hash');
+    expect(JSON.stringify(response.body)).not.toContain('cookie');
+
+    const after = await pool.query('SELECT mcp_last_seen_at FROM agents WHERE id = $1', [agentId]);
+    expect(after.rows[0].mcp_last_seen_at?.toISOString()).toBe(before.rows[0].mcp_last_seen_at?.toISOString());
+
+    const activeClaims = await pool.query(
+      `SELECT COUNT(*)::int AS count
+       FROM work_claims
+       JOIN work_resources ON work_resources.id = work_claims.resource_id
+       WHERE work_claims.agent_id = $1
+         AND work_resources.resource_key = 'setup/demo-repo'
+         AND work_claims.status = 'active'`,
+      [agentId],
+    );
+    expect(activeClaims.rows[0].count).toBe(0);
+
+    const activity = await pool.query(
+      `SELECT activity_type, metadata
+       FROM agent_activity_events
+       WHERE agent_id = $1
+         AND (activity_type LIKE 'setup_test%' OR metadata->>'source' = 'setup_test')`,
+      [agentId],
+    );
+    expect(activity.rows.length).toBeGreaterThan(0);
+    expect(activity.rows).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ activity_type: 'setup_test' }),
+        expect.objectContaining({ activity_type: 'setup_test_work_claim' }),
+      ]),
+    );
+
+    const readiness = await api
+      .post(`/v1/orgs/${orgId}/agents/${agentId}/test-connection`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+    expect(readiness.body.setup_readiness.work).toMatchObject({
+      first_work_check: true,
+      first_work_claim: true,
+      first_work_extend: true,
+      first_work_release: true,
+    });
+  });
+
+  test('rotate key invalidates old key and returns new key once', async () => {
+    const response = await api
+      .post(`/v1/orgs/${orgId}/agents/${agentId}/rotate-key`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    const newKey = response.body.api_key;
+    expect(newKey).toEqual(expect.any(String));
+    expect(newKey).toMatch(/^avs_live_[a-f0-9]{16}_[a-f0-9]{64}$/);
+    expect(newKey).not.toBe(apiKey);
+
+    await api
+      .get('/v1/availability')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .query({
+        agent_id: agentId,
+        from: '2030-05-01T09:00:00Z',
+        to: '2030-05-01T10:00:00Z',
+        duration_minutes: 30,
+      })
+      .expect(401);
+
+    await api
+      .get('/v1/availability')
+      .set('Authorization', 'Bearer avs_live_malformed')
+      .query({
+        agent_id: agentId,
+        from: '2030-05-01T09:00:00Z',
+        to: '2030-05-01T10:00:00Z',
+        duration_minutes: 30,
+      })
+      .expect(401);
+
+    await api
+      .get('/v1/availability')
+      .set('Authorization', `Bearer ${newKey}`)
+      .query({
+        agent_id: agentId,
+        from: '2030-05-01T09:00:00Z',
+        to: '2030-05-01T10:00:00Z',
+        duration_minutes: 30,
+      })
+      .expect(200);
+  });
+});