npm - create-workframe - Versions diffs - 0.1.0 - Mend

create-workframe 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (415) hide show

package/workframe-api/time-bind-chat.py ADDED Viewed

@@ -0,0 +1,99 @@
+#!/usr/bin/env python3
+"""Time bind + credential lease on running workframe-api (docker exec)."""
+from __future__ import annotations
+import sqlite3
+import sys
+import time
+import server
+def main() -> int:
+    conn = sqlite3.connect(str(server.DATA_DIR / "workframe.db"))
+    conn.row_factory = sqlite3.Row
+    room = conn.execute(
+        """
+        SELECT r.id, r.workspace_id, r.agent_profile_id, ap.slug AS agent_slug
+        FROM rooms r
+        JOIN agent_profiles ap ON ap.id = r.agent_profile_id
+        JOIN room_memberships rm ON rm.room_id = r.id AND rm.status = 'active'
+        WHERE r.room_type = 'direct' AND r.deleted_at IS NULL
+          AND ap.slug = 'workframe-agent'
+        ORDER BY r.updated_at DESC
+        LIMIT 1
+        """,
+    ).fetchone()
+    if not room:
+        print("no workframe-agent room", file=sys.stderr)
+        return 1
+    user = conn.execute(
+        """
+        SELECT u.id FROM users u
+        JOIN room_memberships rm ON rm.user_id = u.id AND rm.room_id = ?
+        WHERE u.status = 'active'
+        LIMIT 1
+        """,
+        (str(room["id"]),),
+    ).fetchone()
+    conn.close()
+    if not room or not user:
+        print("no room/user", file=sys.stderr)
+        return 1
+    user_id = str(user["id"])
+    room_id = str(room["id"])
+    workspace_id = str(room["workspace_id"])
+    payload = {
+        "room_id": room_id,
+        "workspace_id": workspace_id,
+        "source_id": "timing",
+        "client_id": "timing",
+        "binding_version": 2,
+    }
+    t_rt = time.perf_counter()
+    prof = server._resolve_chat_hermes_profile("workframe-agent", user_id, room_id, workspace_id)
+    rt_ms = (time.perf_counter() - t_rt) * 1000
+    print(f"resolve_runtime_ms={rt_ms:.0f} profile={prof}")
+    provider = server._llm_billing_provider(prof)
+    t_api = time.perf_counter()
+    server.ensure_profile_api(prof, user_id, workspace_id)
+    api_ms = (time.perf_counter() - t_api) * 1000
+    t_llm = time.perf_counter()
+    server._overlay_chat_llm_env(prof, user_id, workspace_id, provider)
+    llm_ms = (time.perf_counter() - t_llm) * 1000
+    print(f"ensure_profile_api_ms={api_ms:.0f} overlay_llm_ms={llm_ms:.0f}")
+    t0 = time.perf_counter()
+    session = server.profile_chat_session("workframe-agent", payload, user_id=user_id)
+    session_ms = (time.perf_counter() - t0) * 1000
+    sid = str(session.get("session_id") or "")
+    print(f"session_ms={session_ms:.0f} session={sid[:40]}")
+    t_hist = time.perf_counter()
+    history = server.chat_messages(prof, sid)
+    hist_ms = (time.perf_counter() - t_hist) * 1000
+    print(f"history_ms={hist_ms:.0f} messages={len(history.get('messages') or [])}")
+    healthy = server._profile_api_healthy(prof)
+    print(f"profile_api_healthy={healthy} port={server._profile_api_port(prof)}")
+    run_a = "timing-run-a"
+    run_b = "timing-run-b"
+    t1 = time.perf_counter()
+    server._apply_turn_credential_lease(prof, user_id, workspace_id, provider, run_a)
+    lease1_ms = (time.perf_counter() - t1) * 1000
+    t2 = time.perf_counter()
+    server._apply_turn_credential_lease(prof, user_id, workspace_id, provider, run_b)
+    lease2_ms = (time.perf_counter() - t2) * 1000
+    print(f"lease_cold_ms={lease1_ms:.0f} lease_reuse_ms={lease2_ms:.0f} provider={provider}")
+    _, model = server._read_model_from_config(prof)
+    print(f"model={model}")
+    return 0
+if __name__ == "__main__":
+    raise SystemExit(main())

package/workframe-api/turn_credentials.py ADDED Viewed

@@ -0,0 +1,226 @@
+"""Per-run credential leases — opaque tokens for Hermes; real secrets stay in API vault."""
+from __future__ import annotations
+import hashlib
+import os
+import secrets
+import sqlite3
+import time
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from typing import Any
+import credential_vault
+DATA_DIR = Path(os.environ.get("WORKFRAME_API_DATA_DIR", "/app/data"))
+WORKFRAME_DB = DATA_DIR / "workframe.db"
+LEASE_PREFIX = "wf_rt_"
+DEFAULT_TTL = int(os.environ.get("WORKFRAME_TURN_LEASE_TTL", "900"))
+def _connect() -> sqlite3.Connection:
+    conn = sqlite3.connect(str(WORKFRAME_DB), timeout=5.0)
+    conn.row_factory = sqlite3.Row
+    return conn
+# ponytail: schema DDL ran on every validate_lease/issue — ~38ms/call on bind-mounted
+# sqlite. Guard by DB path so it runs once per process (tests reassign WORKFRAME_DB → re-run).
+_SCHEMA_READY: set[str] = set()
+def ensure_schema() -> None:
+    credential_vault.ensure_schema()
+    key = str(WORKFRAME_DB)
+    if key in _SCHEMA_READY:
+        return
+    conn = _connect()
+    try:
+        conn.execute(
+            """
+            CREATE TABLE IF NOT EXISTS turn_credential_leases (
+                run_id TEXT PRIMARY KEY,
+                token_hash TEXT NOT NULL UNIQUE,
+                payer_user_id TEXT NOT NULL,
+                workspace_id TEXT NOT NULL,
+                provider TEXT NOT NULL,
+                credential_binding_id TEXT DEFAULT NULL,
+                profile_slug TEXT NOT NULL,
+                expires_at TEXT NOT NULL,
+                revoked_at TEXT DEFAULT NULL,
+                created_at TEXT NOT NULL
+            )
+            """
+        )
+        conn.execute(
+            "CREATE INDEX IF NOT EXISTS idx_turn_leases_token "
+            "ON turn_credential_leases(token_hash)"
+        )
+        conn.execute(
+            "CREATE INDEX IF NOT EXISTS idx_turn_leases_expiry "
+            "ON turn_credential_leases(expires_at)"
+        )
+        conn.commit()
+    finally:
+        conn.close()
+    _SCHEMA_READY.add(key)
+def _hash_token(token: str) -> str:
+    return hashlib.sha256(str(token or "").encode("utf-8")).hexdigest()
+def _expired(expires_at: str) -> bool:
+    value = str(expires_at or "").strip()
+    if not value:
+        return True
+    if value.isdigit():
+        return int(value) < int(time.time())
+    try:
+        return datetime.fromisoformat(value.replace("Z", "+00:00")) < datetime.now(timezone.utc)
+    except ValueError:
+        return True
+def issue_lease(
+    run_id: str,
+    payer_user_id: str,
+    workspace_id: str,
+    provider: str,
+    profile_slug: str,
+    credential_binding_id: str | None,
+    *,
+    ttl_seconds: int = DEFAULT_TTL,
+) -> str:
+    """Create lease; return full token value for profile env (wf_rt_…)."""
+    run_id = str(run_id or "").strip()
+    payer_user_id = str(payer_user_id or "").strip()
+    workspace_id = str(workspace_id or "").strip()
+    provider = str(provider or "openrouter").strip().lower()
+    profile_slug = str(profile_slug or "").strip()
+    if not run_id or not payer_user_id or not profile_slug:
+        raise ValueError("run_id, payer_user_id, and profile_slug required")
+    ttl = int(ttl_seconds or DEFAULT_TTL)
+    if ttl <= 0:
+        raise ValueError("ttl_seconds must be positive")
+    ensure_schema()
+    raw = secrets.token_hex(32)
+    token = f"{LEASE_PREFIX}{raw}"
+    now = datetime.now(timezone.utc)
+    expires_at = (now + timedelta(seconds=ttl)).isoformat()
+    created_at = now.isoformat()
+    conn = _connect()
+    try:
+        conn.execute(
+            """
+            INSERT INTO turn_credential_leases (
+                run_id, token_hash, payer_user_id, workspace_id, provider,
+                credential_binding_id, profile_slug, expires_at, created_at
+            ) VALUES (?,?,?,?,?,?,?,?,?)
+            ON CONFLICT(run_id) DO UPDATE SET
+                token_hash = excluded.token_hash,
+                payer_user_id = excluded.payer_user_id,
+                workspace_id = excluded.workspace_id,
+                provider = excluded.provider,
+                credential_binding_id = excluded.credential_binding_id,
+                profile_slug = excluded.profile_slug,
+                expires_at = excluded.expires_at,
+                revoked_at = NULL,
+                created_at = excluded.created_at
+            """,
+            (
+                run_id,
+                _hash_token(token),
+                payer_user_id,
+                workspace_id,
+                provider,
+                str(credential_binding_id or "") or None,
+                profile_slug,
+                expires_at,
+                created_at,
+            ),
+        )
+        conn.commit()
+    finally:
+        conn.close()
+    return token
+def parse_lease_token(value: str) -> str:
+    raw = str(value or "").strip()
+    if raw.startswith(LEASE_PREFIX):
+        return raw
+    if raw and not raw.startswith(LEASE_PREFIX):
+        return f"{LEASE_PREFIX}{raw}"
+    return ""
+def validate_lease(token: str) -> dict[str, Any] | None:
+    """Return lease metadata if token is active (not revoked/expired)."""
+    token = parse_lease_token(token)
+    if not token:
+        return None
+    ensure_schema()
+    conn = _connect()
+    try:
+        row = conn.execute(
+            """
+            SELECT run_id, payer_user_id, workspace_id, provider,
+                   credential_binding_id, profile_slug, expires_at, revoked_at
+            FROM turn_credential_leases
+            WHERE token_hash = ?
+            """,
+            (_hash_token(token),),
+        ).fetchone()
+    finally:
+        conn.close()
+    if not row or row["revoked_at"] or _expired(str(row["expires_at"] or "")):
+        return None
+    return {
+        "run_id": str(row["run_id"]),
+        "payer_user_id": str(row["payer_user_id"]),
+        "workspace_id": str(row["workspace_id"]),
+        "provider": str(row["provider"]),
+        "credential_binding_id": str(row["credential_binding_id"] or ""),
+        "profile_slug": str(row["profile_slug"]),
+    }
+def revoke_lease(run_id: str) -> None:
+    run_id = str(run_id or "").strip()
+    if not run_id:
+        return
+    ensure_schema()
+    now = datetime.now(timezone.utc).isoformat()
+    conn = _connect()
+    try:
+        conn.execute(
+            "UPDATE turn_credential_leases SET revoked_at = ? WHERE run_id = ? AND revoked_at IS NULL",
+            (now, run_id),
+        )
+        conn.commit()
+    finally:
+        conn.close()
+def resolve_lease_secret(lease: dict[str, Any], resolve_secret_fn) -> tuple[str, str]:
+    """resolve_secret_fn(user_id, workspace_id, provider, binding_id) -> (env_var, secret)."""
+    binding_id = str(lease.get("credential_binding_id") or "").strip()
+    provider = str(lease.get("provider") or "openrouter")
+    payer = str(lease.get("payer_user_id") or "")
+    workspace = str(lease.get("workspace_id") or "")
+    return resolve_secret_fn(payer, workspace, provider, binding_id)
+if __name__ == "__main__":
+    ensure_schema()
+    rid = "run-selfcheck"
+    tok = issue_lease(rid, "user-a", "ws-1", "openrouter", "u-user-a-architect", "bind-1")
+    assert tok.startswith(LEASE_PREFIX)
+    meta = validate_lease(tok)
+    assert meta and meta["run_id"] == rid
+    revoke_lease(rid)
+    assert validate_lease(tok) is None
+    print("turn_credentials ok")