ofiere-openclaw-plugin 4.54.1 → 4.55.0

package/src/agent-tier.ts

@@ -1,192 +1,192 @@
-// src/agent-tier.ts — Plugin-side agent tier resolver.
-// Manual override (agent_tier_overrides) wins over auto-detection.
-// Mirrors dashboard/lib/agentTier.ts contracts so the dashboard UI
-// and plugin enforcement agree on every agent's tier.
-
-import type { SupabaseClient } from "@supabase/supabase-js";
-
-export type AgentTier = "c-suite" | "staff" | null;
-export type TierSource =
-  | "manual"
-  | "executiveRole"
-  | "roster"
-  | "subagent"
-  | "departmentRole"
-  | "none";
-
-export interface TierResolution {
-  tier: AgentTier;
-  source: TierSource;
-}
-
-// Hard-coded executive roster ids — match dashboard/lib/agentRoster.ts.
-// Anything in this set defaults to c-suite when no manual override exists.
-const ROSTER_IDS = new Set<string>([
-  "ofie",
-  "daisy",
-  "ivy",
-  "celia",
-  "thalia",
-  "sasha",
-  "agent-zero",
-]);
-
-interface CacheEntry { value: TierResolution; expires: number; }
-const TTL_MS = 5 * 60 * 1000;
-const cache = new Map<string, CacheEntry>();
-const k = (userId: string, agentId: string) => `${userId}::${agentId}`;
-
-export function invalidateAgentTier(userId: string, agentId?: string): void {
-  if (!agentId) {
-    for (const key of cache.keys()) if (key.startsWith(`${userId}::`)) cache.delete(key);
-    return;
-  }
-  cache.delete(k(userId, agentId));
-}
-
-export async function resolveAgentTier(
-  supabase: SupabaseClient,
-  agentId: string,
-  userId: string,
-): Promise<TierResolution> {
-  const id = (agentId || "").trim();
-  if (!id || !userId) return { tier: null, source: "none" };
-
-  const key = k(userId, id);
-
-  // 1. Manual override — ALWAYS fresh (uncached). Direct-SQL writes to
-  //    agent_tier_overrides must win immediately, even when a non-override
-  //    branch is already cached from a prior call.
-  let overrideRow: { tier?: string | null } | null = null;
-  let overrideQueryFailed = false;
-  try {
-    const { data } = await supabase
-      .from("agent_tier_overrides")
-      .select("tier")
-      .eq("user_id", userId)
-      .eq("agent_id", id)
-      .maybeSingle();
-    overrideRow = data ?? null;
-  } catch {
-    // Table missing in older installs — skip override path
-    overrideQueryFailed = true;
-  }
-
-  if (overrideRow?.tier === "c-suite" || overrideRow?.tier === "staff") {
-    const result: TierResolution = { tier: overrideRow.tier, source: "manual" };
-    cache.set(key, { value: result, expires: Date.now() + TTL_MS });
-    return result;
-  }
-
-  // Override absent: if cache holds a stale `manual` entry from a deleted
-  // override row, drop it so the auto branches re-resolve.
-  if (!overrideQueryFailed) {
-    const cachedManual = cache.get(key);
-    if (cachedManual && cachedManual.value.source === "manual") {
-      cache.delete(key);
-    }
-  }
-
-  // 2. Cache lookup for non-override branches.
-  const hit = cache.get(key);
-  if (hit && hit.expires > Date.now()) return hit.value;
-
-  let result: TierResolution = { tier: null, source: "none" };
-
-  // 3. C-Suite: hardcoded roster
-  if (ROSTER_IDS.has(id)) {
-    result = { tier: "c-suite", source: "roster" };
-    cache.set(key, { value: result, expires: Date.now() + TTL_MS });
-    return result;
-  }
-
-  // 4. agent_architectures.executive_role / department_role
-  try {
-    const { data } = await supabase
-      .from("agent_architectures")
-      .select("executive_role, department_role")
-      .eq("user_id", userId)
-      .eq("agent_id", id)
-      .maybeSingle();
-    if (data?.department_role === "chief" ||
-        (data?.executive_role && String(data.executive_role).trim())) {
-      result = { tier: "c-suite", source: "executiveRole" };
-      cache.set(key, { value: result, expires: Date.now() + TTL_MS });
-      return result;
-    }
-    if (data?.department_role === "staff") {
-      result = { tier: "staff", source: "departmentRole" };
-      cache.set(key, { value: result, expires: Date.now() + TTL_MS });
-      return result;
-    }
-  } catch {
-    // Table missing — fall through
-  }
-
-  // 5. Staff: registered as subagent
-  try {
-    const { data } = await supabase
-      .from("agent_subagents")
-      .select("id")
-      .eq("user_id", userId)
-      .eq("id", id)
-      .maybeSingle();
-    if (data?.id) {
-      result = { tier: "staff", source: "subagent" };
-      cache.set(key, { value: result, expires: Date.now() + TTL_MS });
-      return result;
-    }
-  } catch {
-    // ignore
-  }
-
-  cache.set(key, { value: result, expires: Date.now() + TTL_MS });
-  return result;
-}
-
-export async function getAgentTier(
-  supabase: SupabaseClient,
-  agentId: string,
-  userId: string,
-): Promise<AgentTier> {
-  return (await resolveAgentTier(supabase, agentId, userId)).tier;
-}
-
-// Target-aware resolution: when a work target carries a subagent_id, the
-// work is staff-tier regardless of which chief routes it. Uncached lookup —
-// subagent rows can be deleted out from under us.
-export interface TargetTierInput {
-  agentId: string | null;
-  subagentId?: string | null;
-}
-
-export async function resolveTargetTier(
-  supabase: SupabaseClient,
-  target: TargetTierInput,
-  userId: string,
-): Promise<TierResolution> {
-  if (target.subagentId) {
-    try {
-      const { data } = await supabase
-        .from("agent_subagents")
-        .select("id")
-        .eq("user_id", userId)
-        .eq("id", target.subagentId)
-        .maybeSingle();
-      if (data?.id) return { tier: "staff", source: "subagent" };
-    } catch {
-      // Fall through to chief lookup
-    }
-  }
-  if (target.agentId) return resolveAgentTier(supabase, target.agentId, userId);
-  return { tier: null, source: "none" };
-}
-
-export function isDocKindValidForTier(
-  docKind: "sop" | "framework",
-  tier: AgentTier,
-): boolean {
-  if (tier === "c-suite") return docKind === "framework";
-  if (tier === "staff") return docKind === "sop";
-  return false;
-}
+// src/agent-tier.ts — Plugin-side agent tier resolver.
+// Manual override (agent_tier_overrides) wins over auto-detection.
+// Mirrors dashboard/lib/agentTier.ts contracts so the dashboard UI
+// and plugin enforcement agree on every agent's tier.
+
+import type { SupabaseClient } from "@supabase/supabase-js";
+
+export type AgentTier = "c-suite" | "staff" | null;
+export type TierSource =
+  | "manual"
+  | "executiveRole"
+  | "roster"
+  | "subagent"
+  | "departmentRole"
+  | "none";
+
+export interface TierResolution {
+  tier: AgentTier;
+  source: TierSource;
+}
+
+// Hard-coded executive roster ids — match dashboard/lib/agentRoster.ts.
+// Anything in this set defaults to c-suite when no manual override exists.
+const ROSTER_IDS = new Set<string>([
+  "ofie",
+  "daisy",
+  "ivy",
+  "celia",
+  "thalia",
+  "sasha",
+  "agent-zero",
+]);
+
+interface CacheEntry { value: TierResolution; expires: number; }
+const TTL_MS = 5 * 60 * 1000;
+const cache = new Map<string, CacheEntry>();
+const k = (userId: string, agentId: string) => `${userId}::${agentId}`;
+
+export function invalidateAgentTier(userId: string, agentId?: string): void {
+  if (!agentId) {
+    for (const key of cache.keys()) if (key.startsWith(`${userId}::`)) cache.delete(key);
+    return;
+  }
+  cache.delete(k(userId, agentId));
+}
+
+export async function resolveAgentTier(
+  supabase: SupabaseClient,
+  agentId: string,
+  userId: string,
+): Promise<TierResolution> {
+  const id = (agentId || "").trim();
+  if (!id || !userId) return { tier: null, source: "none" };
+
+  const key = k(userId, id);
+
+  // 1. Manual override — ALWAYS fresh (uncached). Direct-SQL writes to
+  //    agent_tier_overrides must win immediately, even when a non-override
+  //    branch is already cached from a prior call.
+  let overrideRow: { tier?: string | null } | null = null;
+  let overrideQueryFailed = false;
+  try {
+    const { data } = await supabase
+      .from("agent_tier_overrides")
+      .select("tier")
+      .eq("user_id", userId)
+      .eq("agent_id", id)
+      .maybeSingle();
+    overrideRow = data ?? null;
+  } catch {
+    // Table missing in older installs — skip override path
+    overrideQueryFailed = true;
+  }
+
+  if (overrideRow?.tier === "c-suite" || overrideRow?.tier === "staff") {
+    const result: TierResolution = { tier: overrideRow.tier, source: "manual" };
+    cache.set(key, { value: result, expires: Date.now() + TTL_MS });
+    return result;
+  }
+
+  // Override absent: if cache holds a stale `manual` entry from a deleted
+  // override row, drop it so the auto branches re-resolve.
+  if (!overrideQueryFailed) {
+    const cachedManual = cache.get(key);
+    if (cachedManual && cachedManual.value.source === "manual") {
+      cache.delete(key);
+    }
+  }
+
+  // 2. Cache lookup for non-override branches.
+  const hit = cache.get(key);
+  if (hit && hit.expires > Date.now()) return hit.value;
+
+  let result: TierResolution = { tier: null, source: "none" };
+
+  // 3. C-Suite: hardcoded roster
+  if (ROSTER_IDS.has(id)) {
+    result = { tier: "c-suite", source: "roster" };
+    cache.set(key, { value: result, expires: Date.now() + TTL_MS });
+    return result;
+  }
+
+  // 4. agent_architectures.executive_role / department_role
+  try {
+    const { data } = await supabase
+      .from("agent_architectures")
+      .select("executive_role, department_role")
+      .eq("user_id", userId)
+      .eq("agent_id", id)
+      .maybeSingle();
+    if (data?.department_role === "chief" ||
+        (data?.executive_role && String(data.executive_role).trim())) {
+      result = { tier: "c-suite", source: "executiveRole" };
+      cache.set(key, { value: result, expires: Date.now() + TTL_MS });
+      return result;
+    }
+    if (data?.department_role === "staff") {
+      result = { tier: "staff", source: "departmentRole" };
+      cache.set(key, { value: result, expires: Date.now() + TTL_MS });
+      return result;
+    }
+  } catch {
+    // Table missing — fall through
+  }
+
+  // 5. Staff: registered as subagent
+  try {
+    const { data } = await supabase
+      .from("agent_subagents")
+      .select("id")
+      .eq("user_id", userId)
+      .eq("id", id)
+      .maybeSingle();
+    if (data?.id) {
+      result = { tier: "staff", source: "subagent" };
+      cache.set(key, { value: result, expires: Date.now() + TTL_MS });
+      return result;
+    }
+  } catch {
+    // ignore
+  }
+
+  cache.set(key, { value: result, expires: Date.now() + TTL_MS });
+  return result;
+}
+
+export async function getAgentTier(
+  supabase: SupabaseClient,
+  agentId: string,
+  userId: string,
+): Promise<AgentTier> {
+  return (await resolveAgentTier(supabase, agentId, userId)).tier;
+}
+
+// Target-aware resolution: when a work target carries a subagent_id, the
+// work is staff-tier regardless of which chief routes it. Uncached lookup —
+// subagent rows can be deleted out from under us.
+export interface TargetTierInput {
+  agentId: string | null;
+  subagentId?: string | null;
+}
+
+export async function resolveTargetTier(
+  supabase: SupabaseClient,
+  target: TargetTierInput,
+  userId: string,
+): Promise<TierResolution> {
+  if (target.subagentId) {
+    try {
+      const { data } = await supabase
+        .from("agent_subagents")
+        .select("id")
+        .eq("user_id", userId)
+        .eq("id", target.subagentId)
+        .maybeSingle();
+      if (data?.id) return { tier: "staff", source: "subagent" };
+    } catch {
+      // Fall through to chief lookup
+    }
+  }
+  if (target.agentId) return resolveAgentTier(supabase, target.agentId, userId);
+  return { tier: null, source: "none" };
+}
+
+export function isDocKindValidForTier(
+  docKind: "sop" | "framework",
+  tier: AgentTier,
+): boolean {
+  if (tier === "c-suite") return docKind === "framework";
+  if (tier === "staff") return docKind === "sop";
+  return false;
+}

package/src/attach-token.ts

@@ -1,106 +1,106 @@
-// src/attach-token.ts — HMAC confirmation token for agent self-attach.
-// Mirrors dashboard/lib/attachmentToken.ts EXACTLY so tokens issued
-// here verify against the dashboard and vice-versa.
-//
-// Format: base64url(payload).base64url(sig)
-//   payload = JSON({ u, k, t, d, dk, exp })
-//   sig     = HMAC_SHA256(secret, payload)
-
-import { createHmac, timingSafeEqual } from "crypto";
-
-const TOKEN_TTL_MS = 5 * 60 * 1000;
-
-function getSecret(): string {
-  const s = process.env.OFIERE_ATTACH_SECRET;
-  if (!s) throw new Error("OFIERE_ATTACH_SECRET is not configured");
-  return s;
-}
-
-function b64urlEncode(buf: Buffer | string): string {
-  const b = typeof buf === "string" ? Buffer.from(buf, "utf8") : buf;
-  return b.toString("base64").replace(/=+$/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-
-function b64urlDecode(s: string): Buffer {
-  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - (s.length % 4));
-  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64");
-}
-
-interface TokenPayload {
-  u: string;
-  k: string;
-  t: string;
-  d: string[];
-  dk: "sop" | "framework";
-  exp: number;
-}
-
-export interface IssueArgs {
-  userId: string;
-  targetKind: string;
-  targetId: string;
-  docKind: "sop" | "framework";
-  docIds: string[];
-  ttlMs?: number;
-}
-
-export function issueAttachmentToken(args: IssueArgs): string {
-  const exp = Date.now() + (args.ttlMs ?? TOKEN_TTL_MS);
-  const payload: TokenPayload = {
-    u: args.userId,
-    k: args.targetKind,
-    t: args.targetId,
-    d: [...args.docIds].sort(),
-    dk: args.docKind,
-    exp,
-  };
-  const json = JSON.stringify(payload);
-  const sig = createHmac("sha256", getSecret()).update(json).digest();
-  return `${b64urlEncode(json)}.${b64urlEncode(sig)}`;
-}
-
-export interface VerifyArgs {
-  token: string;
-  userId: string;
-  targetKind: string;
-  targetId: string;
-  docKind: "sop" | "framework";
-  docIds: string[];
-}
-
-export type VerifyResult =
-  | { ok: true }
-  | { ok: false; reason: "malformed" | "bad_signature" | "expired" | "mismatch" };
-
-export function verifyAttachmentToken(args: VerifyArgs): VerifyResult {
-  const parts = args.token.split(".");
-  if (parts.length !== 2) return { ok: false, reason: "malformed" };
-  let payload: TokenPayload;
-  try {
-    payload = JSON.parse(b64urlDecode(parts[0]).toString("utf8"));
-  } catch {
-    return { ok: false, reason: "malformed" };
-  }
-
-  const expectedJson = JSON.stringify(payload);
-  const expectedSig = createHmac("sha256", getSecret()).update(expectedJson).digest();
-  const providedSig = b64urlDecode(parts[1]);
-  if (expectedSig.length !== providedSig.length) return { ok: false, reason: "bad_signature" };
-  if (!timingSafeEqual(expectedSig, providedSig)) return { ok: false, reason: "bad_signature" };
-
-  if (typeof payload.exp !== "number" || payload.exp < Date.now()) {
-    return { ok: false, reason: "expired" };
-  }
-  if (payload.u !== args.userId) return { ok: false, reason: "mismatch" };
-  if (payload.k !== args.targetKind || payload.t !== args.targetId) return { ok: false, reason: "mismatch" };
-  if (payload.dk !== args.docKind) return { ok: false, reason: "mismatch" };
-
-  const sortedRequested = [...args.docIds].sort();
-  if (
-    payload.d.length !== sortedRequested.length ||
-    payload.d.some((v, i) => v !== sortedRequested[i])
-  ) {
-    return { ok: false, reason: "mismatch" };
-  }
-  return { ok: true };
-}
+// src/attach-token.ts — HMAC confirmation token for agent self-attach.
+// Mirrors dashboard/lib/attachmentToken.ts EXACTLY so tokens issued
+// here verify against the dashboard and vice-versa.
+//
+// Format: base64url(payload).base64url(sig)
+//   payload = JSON({ u, k, t, d, dk, exp })
+//   sig     = HMAC_SHA256(secret, payload)
+
+import { createHmac, timingSafeEqual } from "crypto";
+
+const TOKEN_TTL_MS = 5 * 60 * 1000;
+
+function getSecret(): string {
+  const s = process.env.OFIERE_ATTACH_SECRET;
+  if (!s) throw new Error("OFIERE_ATTACH_SECRET is not configured");
+  return s;
+}
+
+function b64urlEncode(buf: Buffer | string): string {
+  const b = typeof buf === "string" ? Buffer.from(buf, "utf8") : buf;
+  return b.toString("base64").replace(/=+$/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+
+function b64urlDecode(s: string): Buffer {
+  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - (s.length % 4));
+  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64");
+}
+
+interface TokenPayload {
+  u: string;
+  k: string;
+  t: string;
+  d: string[];
+  dk: "sop" | "framework";
+  exp: number;
+}
+
+export interface IssueArgs {
+  userId: string;
+  targetKind: string;
+  targetId: string;
+  docKind: "sop" | "framework";
+  docIds: string[];
+  ttlMs?: number;
+}
+
+export function issueAttachmentToken(args: IssueArgs): string {
+  const exp = Date.now() + (args.ttlMs ?? TOKEN_TTL_MS);
+  const payload: TokenPayload = {
+    u: args.userId,
+    k: args.targetKind,
+    t: args.targetId,
+    d: [...args.docIds].sort(),
+    dk: args.docKind,
+    exp,
+  };
+  const json = JSON.stringify(payload);
+  const sig = createHmac("sha256", getSecret()).update(json).digest();
+  return `${b64urlEncode(json)}.${b64urlEncode(sig)}`;
+}
+
+export interface VerifyArgs {
+  token: string;
+  userId: string;
+  targetKind: string;
+  targetId: string;
+  docKind: "sop" | "framework";
+  docIds: string[];
+}
+
+export type VerifyResult =
+  | { ok: true }
+  | { ok: false; reason: "malformed" | "bad_signature" | "expired" | "mismatch" };
+
+export function verifyAttachmentToken(args: VerifyArgs): VerifyResult {
+  const parts = args.token.split(".");
+  if (parts.length !== 2) return { ok: false, reason: "malformed" };
+  let payload: TokenPayload;
+  try {
+    payload = JSON.parse(b64urlDecode(parts[0]).toString("utf8"));
+  } catch {
+    return { ok: false, reason: "malformed" };
+  }
+
+  const expectedJson = JSON.stringify(payload);
+  const expectedSig = createHmac("sha256", getSecret()).update(expectedJson).digest();
+  const providedSig = b64urlDecode(parts[1]);
+  if (expectedSig.length !== providedSig.length) return { ok: false, reason: "bad_signature" };
+  if (!timingSafeEqual(expectedSig, providedSig)) return { ok: false, reason: "bad_signature" };
+
+  if (typeof payload.exp !== "number" || payload.exp < Date.now()) {
+    return { ok: false, reason: "expired" };
+  }
+  if (payload.u !== args.userId) return { ok: false, reason: "mismatch" };
+  if (payload.k !== args.targetKind || payload.t !== args.targetId) return { ok: false, reason: "mismatch" };
+  if (payload.dk !== args.docKind) return { ok: false, reason: "mismatch" };
+
+  const sortedRequested = [...args.docIds].sort();
+  if (
+    payload.d.length !== sortedRequested.length ||
+    payload.d.some((v, i) => v !== sortedRequested[i])
+  ) {
+    return { ok: false, reason: "mismatch" };
+  }
+  return { ok: true };
+}