bopodev-api 0.1.15 → 0.1.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bopodev-api",
-  "version": "0.1.15",
+  "version": "0.1.16",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -17,9 +17,9 @@
     "nanoid": "^5.1.5",
     "ws": "^8.19.0",
     "zod": "^4.1.5",
-    "bopodev-agent-sdk": "0.1.15",
-    "bopodev-contracts": "0.1.15",
-    "bopodev-db": "0.1.15"
+    "bopodev-agent-sdk": "0.1.16",
+    "bopodev-contracts": "0.1.16",
+    "bopodev-db": "0.1.16"
   },
   "devDependencies": {
     "@types/cors": "^2.8.19",

package/src/app.ts

@@ -6,6 +6,7 @@ import { RepositoryValidationError } from "bopodev-db";
 import { nanoid } from "nanoid";
 import type { AppContext } from "./context";
 import { createAgentsRouter } from "./routes/agents";
+import { createAuthRouter } from "./routes/auth";
 import { createCompaniesRouter } from "./routes/companies";
 import { createGoalsRouter } from "./routes/goals";
 import { createGovernanceRouter } from "./routes/governance";
@@ -14,12 +15,40 @@ import { createIssuesRouter } from "./routes/issues";
 import { createObservabilityRouter } from "./routes/observability";
 import { createProjectsRouter } from "./routes/projects";
 import { createPluginsRouter } from "./routes/plugins";
+import { createTemplatesRouter } from "./routes/templates";
 import { sendError } from "./http";
 import { attachRequestActor } from "./middleware/request-actor";
+import { resolveAllowedOrigins, resolveDeploymentMode } from "./security/deployment-mode";
 
 export function createApp(ctx: AppContext) {
   const app = express();
-  app.use(cors());
+  const deploymentMode = ctx.deploymentMode ?? resolveDeploymentMode();
+  const allowedOrigins = ctx.allowedOrigins ?? resolveAllowedOrigins(deploymentMode);
+  app.use(
+    cors({
+      origin(origin, callback) {
+        if (!origin) {
+          callback(null, true);
+          return;
+        }
+        if (
+          deploymentMode === "local" &&
+          (origin.startsWith("http://localhost:") || origin.startsWith("http://127.0.0.1:"))
+        ) {
+          callback(null, true);
+          return;
+        }
+        if (allowedOrigins.includes(origin)) {
+          callback(null, true);
+          return;
+        }
+        callback(new Error(`CORS origin denied: ${origin}`));
+      },
+      credentials: true,
+      methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+      allowedHeaders: ["content-type", "x-company-id", "authorization", "x-client-trace-id", "x-bopo-actor-token"]
+    })
+  );
   app.use(express.json());
   app.use(attachRequestActor);
 
@@ -29,6 +58,27 @@ export function createApp(ctx: AppContext) {
     res.setHeader("x-request-id", requestId);
     next();
   });
+  const logApiRequests = process.env.BOPO_LOG_API_REQUESTS !== "0";
+  if (logApiRequests) {
+    app.use((req, res, next) => {
+      if (req.path === "/health") {
+        next();
+        return;
+      }
+      const method = req.method.toUpperCase();
+      if (!isCrudMethod(method)) {
+        next();
+        return;
+      }
+      const startedAt = Date.now();
+      res.on("finish", () => {
+        const elapsedMs = Date.now() - startedAt;
+        const timestamp = new Date().toTimeString().slice(0, 8);
+        process.stderr.write(`[${timestamp}] INFO: ${method} ${req.originalUrl} ${res.statusCode} ${elapsedMs}ms\n`);
+      });
+      next();
+    });
+  }
 
   app.get("/health", async (_req, res) => {
     let dbReady = false;
@@ -55,6 +105,7 @@ export function createApp(ctx: AppContext) {
     });
   });
 
+  app.use("/auth", createAuthRouter(ctx));
   app.use("/companies", createCompaniesRouter(ctx));
   app.use("/projects", createProjectsRouter(ctx));
   app.use("/issues", createIssuesRouter(ctx));
@@ -64,6 +115,7 @@ export function createApp(ctx: AppContext) {
   app.use("/heartbeats", createHeartbeatRouter(ctx));
   app.use("/observability", createObservabilityRouter(ctx));
   app.use("/plugins", createPluginsRouter(ctx));
+  app.use("/templates", createTemplatesRouter(ctx));
 
   app.use((error: unknown, _req: Request, res: Response, _next: NextFunction) => {
     if (error instanceof RepositoryValidationError) {
@@ -76,3 +128,7 @@ export function createApp(ctx: AppContext) {
 
   return app;
 }
+
+function isCrudMethod(method: string) {
+  return method === "GET" || method === "POST" || method === "PUT" || method === "PATCH" || method === "DELETE";
+}

package/src/context.ts

@@ -1,8 +1,11 @@
 import type { BopoDb } from "bopodev-db";
 import type { RealtimeHub } from "./realtime/hub";
+import type { DeploymentMode } from "./security/deployment-mode";
 
 export interface AppContext {
   db: BopoDb;
+  deploymentMode?: DeploymentMode;
+  allowedOrigins?: string[];
   getRuntimeHealth?: () => Promise<Record<string, unknown>>;
   realtimeHub?: RealtimeHub;
 }

package/src/lib/agent-config.ts

@@ -1,4 +1,5 @@
 import { AgentRuntimeConfigSchema, type AgentRuntimeConfig, type ThinkingEffort } from "bopodev-contracts";
+import { normalizeAbsolutePath } from "./instance-paths";
 
 export type LegacyRuntimeFields = {
   runtimeCommand?: string;
@@ -120,7 +121,7 @@ export function normalizeRuntimeConfig(input: {
   return {
     runtimeCommand: parsed.runtimeCommand?.trim() || undefined,
     runtimeArgs: parsed.runtimeArgs ?? [],
-    runtimeCwd: parsed.runtimeCwd?.trim() || input.defaultRuntimeCwd || undefined,
+    runtimeCwd: normalizeRuntimeCwd(parsed.runtimeCwd, input.defaultRuntimeCwd),
     runtimeEnv: parsed.runtimeEnv ?? {},
     runtimeModel: parsed.runtimeModel?.trim() || undefined,
     runtimeThinkingEffort: parsed.runtimeThinkingEffort ?? "auto",
@@ -134,6 +135,14 @@ export function normalizeRuntimeConfig(input: {
   };
 }
 
+function normalizeRuntimeCwd(runtimeCwd: string | undefined, defaultRuntimeCwd: string | undefined) {
+  const selected = runtimeCwd?.trim() || defaultRuntimeCwd || undefined;
+  if (!selected) {
+    return undefined;
+  }
+  return normalizeAbsolutePath(selected, { requireAbsoluteInput: true });
+}
+
 export function parseRuntimeConfigFromAgentRow(agent: Record<string, unknown>): NormalizedRuntimeConfig {
   const fallback = parseRuntimeFromStateBlob(agent.stateBlob);
   const runtimeArgs = parseStringArray(agent.runtimeArgsJson) ?? fallback.args ?? [];

package/src/lib/git-runtime.ts

@@ -0,0 +1,447 @@
+import { mkdir, readdir, rm, stat } from "node:fs/promises";
+import { join } from "node:path";
+import { spawn } from "node:child_process";
+import {
+  assertPathInsideCompanyWorkspaceRoot,
+  assertPathInsidePath,
+  isInsidePath,
+  normalizeAbsolutePath,
+  resolveAgentProjectWorktreeRootPath,
+  resolveProjectWorkspacePath
+} from "./instance-paths";
+import type { ProjectExecutionWorkspacePolicy } from "./workspace-policy";
+
+const DEFAULT_GIT_TIMEOUT_MS = 30_000;
+const MAX_OUTPUT_CHARS = 4_096;
+
+export class GitRuntimeError extends Error {
+  readonly code:
+    | "git_unavailable"
+    | "git_failed"
+    | "auth_missing"
+    | "policy_violation"
+    | "invalid_repo_url"
+    | "timeout";
+  readonly details: Record<string, unknown>;
+
+  constructor(
+    code:
+      | "git_unavailable"
+      | "git_failed"
+      | "auth_missing"
+      | "policy_violation"
+      | "invalid_repo_url"
+      | "timeout",
+    message: string,
+    details: Record<string, unknown> = {}
+  ) {
+    super(message);
+    this.name = "GitRuntimeError";
+    this.code = code;
+    this.details = details;
+  }
+}
+
+type GitAuthResolution = {
+  mode: "host" | "env_token";
+  extraArgs: string[];
+};
+
+type GitCommandResult = {
+  stdout: string;
+  stderr: string;
+};
+
+export async function bootstrapRepositoryWorkspace(input: {
+  companyId: string;
+  projectId: string;
+  cwd: string | null | undefined;
+  repoUrl: string;
+  repoRef?: string | null;
+  policy?: ProjectExecutionWorkspacePolicy | null;
+  runtimeEnv?: Record<string, string>;
+  timeoutMs?: number;
+}) {
+  const repoUrl = input.repoUrl.trim();
+  if (!repoUrl) {
+    throw new GitRuntimeError("invalid_repo_url", "Project workspace repoUrl is empty.");
+  }
+  enforceRemoteAllowlist(repoUrl, input.policy);
+  const targetCwd = normalizeAbsolutePath(
+    input.cwd?.trim() || resolveProjectWorkspacePath(input.companyId, input.projectId)
+  );
+  assertPathInsideCompanyWorkspaceRoot(input.companyId, targetCwd, "project workspace cwd");
+  await mkdir(targetCwd, { recursive: true });
+  const auth = resolveGitAuth({
+    policy: input.policy,
+    runtimeEnv: input.runtimeEnv ?? {},
+    repoUrl
+  });
+  const timeoutMs = sanitizeTimeoutMs(input.timeoutMs);
+  const gitDirPath = join(targetCwd, ".git");
+  const hasGitDir = await pathExists(gitDirPath);
+  const actions: string[] = [];
+  if (!hasGitDir) {
+    await runGit(["clone", repoUrl, targetCwd], {
+      extraArgs: auth.extraArgs,
+      timeoutMs
+    });
+    actions.push("clone");
+  } else {
+    actions.push("reuse");
+  }
+  await runGit(["remote", "set-url", "origin", repoUrl], {
+    cwd: targetCwd,
+    extraArgs: auth.extraArgs,
+    timeoutMs
+  });
+  await runGit(["fetch", "origin", "--prune"], {
+    cwd: targetCwd,
+    extraArgs: auth.extraArgs,
+    timeoutMs
+  });
+  actions.push("fetch");
+  const targetRef = (input.repoRef ?? "").trim() || (await resolveDefaultRemoteHead(targetCwd, auth.extraArgs, timeoutMs));
+  if (targetRef) {
+    await checkoutRef(targetCwd, targetRef, auth.extraArgs, timeoutMs);
+    actions.push(`checkout:${targetRef}`);
+  }
+  return {
+    cwd: targetCwd,
+    authMode: auth.mode,
+    resolvedRef: targetRef || null,
+    actions
+  };
+}
+
+export async function ensureIsolatedGitWorktree(input: {
+  companyId: string;
+  repoCwd: string;
+  projectId: string;
+  agentId: string;
+  issueId?: string | null;
+  repoRef?: string | null;
+  policy?: ProjectExecutionWorkspacePolicy | null;
+  timeoutMs?: number;
+}) {
+  const timeoutMs = sanitizeTimeoutMs(input.timeoutMs);
+  const normalizedRepoCwd = normalizeAbsolutePath(input.repoCwd, { requireAbsoluteInput: true });
+  assertPathInsideCompanyWorkspaceRoot(input.companyId, normalizedRepoCwd, "repo workspace cwd");
+  const strategy = input.policy?.strategy;
+  const branchPrefix = (strategy?.branchPrefix?.trim() || "bopo").replace(/[^a-zA-Z0-9/_-]/g, "-");
+  enforceBranchPrefixAllowlist(branchPrefix, input.policy);
+  const issuePart = (input.issueId?.trim() || "run").replace(/[^a-zA-Z0-9_-]/g, "-");
+  const agentPart = input.agentId.replace(/[^a-zA-Z0-9_-]/g, "-");
+  const projectPart = input.projectId.replace(/[^a-zA-Z0-9_-]/g, "-");
+  const branch = `${branchPrefix}/${projectPart}/${agentPart}/${issuePart}`;
+  const rootDir = strategy?.rootDir?.trim()
+    ? assertPathInsideCompanyWorkspaceRoot(
+        input.companyId,
+        normalizeAbsolutePath(strategy.rootDir, { requireAbsoluteInput: true }),
+        "execution workspace strategy.rootDir"
+      )
+    : resolveAgentProjectWorktreeRootPath(input.companyId, input.agentId, input.projectId);
+  await mkdir(rootDir, { recursive: true });
+  await cleanupStaleWorktrees({ rootDir, ttlMs: resolveWorktreeTtlMs() });
+  const targetPath = join(rootDir, `${projectPart}-${agentPart}-${issuePart}`);
+  assertPathInsidePath(rootDir, targetPath, "isolated worktree path");
+  const hasWorktree = await pathExists(targetPath);
+  if (!hasWorktree) {
+    const baseRef = (input.repoRef ?? "").trim() || "HEAD";
+    await runGit(["worktree", "add", "-B", branch, targetPath, baseRef], {
+      cwd: normalizedRepoCwd,
+      timeoutMs
+    });
+  } else {
+    await runGit(["-C", targetPath, "checkout", branch], { timeoutMs });
+  }
+  return {
+    cwd: targetPath,
+    branch,
+    rootDir
+  };
+}
+
+export async function cleanupStaleWorktrees(input: { rootDir: string; ttlMs: number }) {
+  if (input.ttlMs <= 0) {
+    return { removed: 0 };
+  }
+  const now = Date.now();
+  const rootDir = normalizeAbsolutePath(input.rootDir, { requireAbsoluteInput: true });
+  let removed = 0;
+  let entries: string[] = [];
+  try {
+    entries = await readdir(rootDir);
+  } catch {
+    return { removed: 0 };
+  }
+  for (const entry of entries) {
+    const absolute = join(rootDir, entry);
+    if (!isInsidePath(rootDir, absolute)) {
+      continue;
+    }
+    try {
+      const entryStat = await stat(absolute);
+      if (!entryStat.isDirectory()) {
+        continue;
+      }
+      if (now - entryStat.mtimeMs < input.ttlMs) {
+        continue;
+      }
+      await rm(absolute, { recursive: true, force: true });
+      removed += 1;
+    } catch {
+      // Best effort cleanup only.
+    }
+  }
+  return { removed };
+}
+
+function resolveGitAuth(input: {
+  policy?: ProjectExecutionWorkspacePolicy | null;
+  runtimeEnv: Record<string, string>;
+  repoUrl: string;
+}): GitAuthResolution {
+  const configured = input.policy?.credentials;
+  const mode = configured?.mode ?? "host";
+  if (mode === "host") {
+    return { mode: "host", extraArgs: [] };
+  }
+  const tokenEnvVar = configured?.tokenEnvVar?.trim();
+  if (!tokenEnvVar) {
+    throw new GitRuntimeError("auth_missing", "Workspace git auth policy requires credentials.tokenEnvVar.");
+  }
+  const token = input.runtimeEnv[tokenEnvVar] ?? process.env[tokenEnvVar];
+  const normalizedToken = token?.trim();
+  if (!normalizedToken) {
+    throw new GitRuntimeError("auth_missing", `Git token env var '${tokenEnvVar}' is missing for repository access.`);
+  }
+  const username = configured?.username?.trim() || "x-access-token";
+  if (!isHttpsRepoUrl(input.repoUrl)) {
+    return { mode: "env_token", extraArgs: [] };
+  }
+  const basicHeader = Buffer.from(`${username}:${normalizedToken}`, "utf8").toString("base64");
+  return {
+    mode: "env_token",
+    extraArgs: ["-c", `http.extraHeader=Authorization: Basic ${basicHeader}`]
+  };
+}
+
+function enforceRemoteAllowlist(repoUrl: string, policy?: ProjectExecutionWorkspacePolicy | null) {
+  const allowRemotes = policy?.allowRemotes ?? null;
+  if (!allowRemotes || allowRemotes.length === 0) {
+    return;
+  }
+  const identity = parseRepositoryIdentity(repoUrl);
+  if (!identity) {
+    throw new GitRuntimeError("invalid_repo_url", `Repository '${repoUrl}' is not a recognized git URL.`);
+  }
+  const allowed = allowRemotes.some((candidate) => {
+    return matchesAllowRemoteCandidate(identity, candidate);
+  });
+  if (!allowed) {
+    throw new GitRuntimeError("policy_violation", `Repository '${repoUrl}' is not in execution allowRemotes policy.`);
+  }
+}
+
+function enforceBranchPrefixAllowlist(prefix: string, policy?: ProjectExecutionWorkspacePolicy | null) {
+  const allowBranchPrefixes = policy?.allowBranchPrefixes ?? null;
+  if (!allowBranchPrefixes || allowBranchPrefixes.length === 0) {
+    return;
+  }
+  const allowed = allowBranchPrefixes.some((candidate) => prefix.startsWith(candidate.trim()));
+  if (!allowed) {
+    throw new GitRuntimeError(
+      "policy_violation",
+      `Branch prefix '${prefix}' is not allowed by execution policy allowBranchPrefixes.`
+    );
+  }
+}
+
+async function checkoutRef(cwd: string, ref: string, extraArgs: string[], timeoutMs: number) {
+  await runGit(["checkout", ref], { cwd, extraArgs, timeoutMs });
+}
+
+async function resolveDefaultRemoteHead(cwd: string, extraArgs: string[], timeoutMs: number) {
+  const symbolic = await runGit(["symbolic-ref", "--short", "refs/remotes/origin/HEAD"], {
+    cwd,
+    extraArgs,
+    timeoutMs,
+    allowFailure: true
+  });
+  const symbolicRef = symbolic.stdout.trim();
+  if (symbolicRef.startsWith("origin/")) {
+    return symbolicRef.slice("origin/".length);
+  }
+  for (const fallbackRef of ["main", "master"]) {
+    const probe = await runGit(["rev-parse", "--verify", `origin/${fallbackRef}`], {
+      cwd,
+      extraArgs,
+      timeoutMs,
+      allowFailure: true
+    });
+    if (probe.exitCode === 0) {
+      return fallbackRef;
+    }
+  }
+  return "";
+}
+
+async function runGit(
+  args: string[],
+  options?: {
+    cwd?: string;
+    extraArgs?: string[];
+    timeoutMs?: number;
+    allowFailure?: boolean;
+  }
+): Promise<GitCommandResult & { exitCode: number }> {
+  const timeoutMs = sanitizeTimeoutMs(options?.timeoutMs);
+  const fullArgs = [...(options?.extraArgs ?? []), ...args];
+  return new Promise((resolve, reject) => {
+    const child = spawn("git", fullArgs, {
+      cwd: options?.cwd,
+      env: process.env
+    });
+    let stdout = "";
+    let stderr = "";
+    let timeout: NodeJS.Timeout | null = setTimeout(() => {
+      child.kill("SIGTERM");
+      timeout = null;
+      reject(new GitRuntimeError("timeout", `git command timed out after ${timeoutMs}ms`, { args: redactArgs(fullArgs) }));
+    }, timeoutMs);
+    child.stdout.on("data", (chunk) => {
+      stdout = truncateOutput(stdout + String(chunk));
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr = truncateOutput(stderr + String(chunk));
+    });
+    child.on("error", (error) => {
+      if (timeout) {
+        clearTimeout(timeout);
+      }
+      const message = String(error);
+      reject(new GitRuntimeError("git_unavailable", "Unable to execute git binary.", { message }));
+    });
+    child.on("close", (code) => {
+      if (timeout) {
+        clearTimeout(timeout);
+      }
+      const exitCode = code ?? 1;
+      if (exitCode !== 0 && !options?.allowFailure) {
+        reject(
+          new GitRuntimeError("git_failed", "git command failed.", {
+            exitCode,
+            args: redactArgs(fullArgs),
+            stderr: redactSensitive(stderr)
+          })
+        );
+        return;
+      }
+      resolve({ stdout, stderr, exitCode });
+    });
+  });
+}
+
+function sanitizeTimeoutMs(timeoutMs: number | undefined) {
+  const parsed = Number(timeoutMs ?? DEFAULT_GIT_TIMEOUT_MS);
+  if (!Number.isFinite(parsed) || parsed < 1_000) {
+    return DEFAULT_GIT_TIMEOUT_MS;
+  }
+  return Math.floor(parsed);
+}
+
+function resolveWorktreeTtlMs() {
+  const parsedMinutes = Number(process.env.BOPO_GIT_WORKTREE_TTL_MINUTES ?? "240");
+  if (!Number.isFinite(parsedMinutes) || parsedMinutes < 5) {
+    return 240 * 60_000;
+  }
+  return Math.floor(parsedMinutes * 60_000);
+}
+
+function truncateOutput(value: string) {
+  return value.length > MAX_OUTPUT_CHARS ? value.slice(value.length - MAX_OUTPUT_CHARS) : value;
+}
+
+function redactArgs(args: string[]) {
+  return args.map((value) => redactSensitive(value));
+}
+
+function redactSensitive(value: string) {
+  return value
+    .replace(/(authorization:\s*basic\s+)[a-z0-9+/=]+/gi, "$1[REDACTED]")
+    .replace(/(authorization:\s*bearer\s+)[^\s]+/gi, "$1[REDACTED]");
+}
+
+function isHttpsRepoUrl(value: string) {
+  try {
+    const parsed = new URL(value);
+    return parsed.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+
+type RepositoryIdentity = {
+  host: string;
+  path: string;
+};
+
+function parseRepositoryIdentity(repoUrl: string): RepositoryIdentity | null {
+  const trimmed = repoUrl.trim();
+  if (!trimmed) {
+    return null;
+  }
+  const scpLike = trimmed.match(/^(?:[^@]+@)?([^:\/]+):(.+)$/);
+  if (scpLike) {
+    return {
+      host: scpLike[1]!.toLowerCase(),
+      path: normalizeRepoPath(scpLike[2]!)
+    };
+  }
+  try {
+    const parsed = new URL(trimmed);
+    const host = parsed.hostname.toLowerCase();
+    if (!host) {
+      return null;
+    }
+    const path = normalizeRepoPath(parsed.pathname);
+    return { host, path };
+  } catch {
+    return null;
+  }
+}
+
+function normalizeRepoPath(path: string) {
+  return path
+    .replace(/^\/+/, "")
+    .replace(/\.git$/i, "")
+    .toLowerCase();
+}
+
+function matchesAllowRemoteCandidate(identity: RepositoryIdentity, candidate: string) {
+  const normalizedCandidate = candidate.trim().toLowerCase();
+  if (!normalizedCandidate) {
+    return false;
+  }
+  const hostPathMatch = normalizedCandidate.match(/^([^/]+)\/(.+)$/);
+  if (hostPathMatch) {
+    const candidateHost = hostPathMatch[1]!;
+    const candidatePath = normalizeRepoPath(hostPathMatch[2]!);
+    return identity.host === candidateHost && (identity.path === candidatePath || identity.path.startsWith(`${candidatePath}/`));
+  }
+  if (normalizedCandidate.includes(".") || normalizedCandidate.includes(":")) {
+    return identity.host === normalizedCandidate;
+  }
+  const candidatePathOnly = normalizeRepoPath(normalizedCandidate);
+  return identity.path === candidatePathOnly || identity.path.startsWith(`${candidatePathOnly}/`);
+}
+
+async function pathExists(path: string) {
+  try {
+    await stat(path);
+    return true;
+  } catch {
+    return false;
+  }
+}