remote-codex 0.11.3 → 0.11.4

package/packages/db/src/schema.ts

@@ -1,4 +1,4 @@
-import { integer, sqliteTable, text, uniqueIndex } from 'drizzle-orm/sqlite-core';
+import { integer, real, sqliteTable, text, uniqueIndex } from 'drizzle-orm/sqlite-core';
 
 export const hosts = sqliteTable('hosts', {
   id: text('id').primaryKey(),
@@ -176,3 +176,307 @@ export const policies = sqliteTable('policies', {
   createdAt: text('created_at').notNull(),
   updatedAt: text('updated_at').notNull()
 });
+
+export const controlUsers = sqliteTable(
+  'control_users',
+  {
+    id: text('id').primaryKey(),
+    authProvider: text('auth_provider').notNull(),
+    authSubject: text('auth_subject').notNull(),
+    email: text('email').notNull(),
+    displayName: text('display_name'),
+    status: text('status').notNull().default('active'),
+    plan: text('plan').notNull().default('developer'),
+    billingCustomerId: text('billing_customer_id'),
+    quotaProfile: text('quota_profile').notNull().default('developer'),
+    createdAt: text('created_at').notNull(),
+    updatedAt: text('updated_at').notNull(),
+    lastSeenAt: text('last_seen_at'),
+  },
+  (table) => ({
+    authSubjectUnique: uniqueIndex('control_users_auth_subject_idx').on(
+      table.authProvider,
+      table.authSubject,
+    ),
+  }),
+);
+
+export const controlAuthIdentities = sqliteTable(
+  'control_auth_identities',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    authProvider: text('auth_provider').notNull(),
+    authSubject: text('auth_subject').notNull(),
+    email: text('email'),
+    displayName: text('display_name'),
+    createdAt: text('created_at').notNull(),
+    updatedAt: text('updated_at').notNull(),
+  },
+  (table) => ({
+    authSubjectUnique: uniqueIndex('control_auth_identities_subject_idx').on(
+      table.authProvider,
+      table.authSubject,
+    ),
+  }),
+);
+
+export const controlPasswordCredentials = sqliteTable(
+  'control_password_credentials',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    email: text('email').notNull(),
+    passwordHash: text('password_hash').notNull(),
+    createdAt: text('created_at').notNull(),
+    updatedAt: text('updated_at').notNull(),
+    lastUsedAt: text('last_used_at'),
+  },
+  (table) => ({
+    emailUnique: uniqueIndex('control_password_credentials_email_idx').on(table.email),
+    userUnique: uniqueIndex('control_password_credentials_user_idx').on(table.userId),
+  }),
+);
+
+export const controlProjects = sqliteTable('control_projects', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull(),
+  name: text('name').notNull(),
+  slug: text('slug').notNull(),
+  status: text('status').notNull().default('active'),
+  createdAt: text('created_at').notNull(),
+  updatedAt: text('updated_at').notNull(),
+});
+
+export const controlSandboxes = sqliteTable('control_sandboxes', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull().unique(),
+  state: text('state').notNull(),
+  image: text('image').notNull(),
+  region: text('region').notNull(),
+  resourceProfile: text('resource_profile').notNull().default('standard'),
+  k8sNamespace: text('k8s_namespace'),
+  k8sPodName: text('k8s_pod_name'),
+  routerBaseUrl: text('router_base_url'),
+  workerServiceName: text('worker_service_name'),
+  s3Prefix: text('s3_prefix').notNull(),
+  gatewayKeyId: text('gateway_key_id'),
+  lastStartedAt: text('last_started_at'),
+  lastSeenAt: text('last_seen_at'),
+  idleTimeoutAt: text('idle_timeout_at'),
+  statusReason: text('status_reason'),
+  startupProgress: integer('startup_progress').notNull().default(0),
+  lastFailureCode: text('last_failure_code'),
+  lastFailureMessage: text('last_failure_message'),
+  createdAt: text('created_at').notNull(),
+  updatedAt: text('updated_at').notNull(),
+});
+
+export const controlWorkspaces = sqliteTable(
+  'control_workspaces',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    projectId: text('project_id'),
+    sandboxId: text('sandbox_id').notNull(),
+    name: text('name').notNull(),
+    slug: text('slug').notNull(),
+    status: text('status').notNull().default('active'),
+    path: text('path').notNull(),
+    sourceType: text('source_type').notNull(),
+    gitUrl: text('git_url'),
+    defaultBranch: text('default_branch'),
+    createdAt: text('created_at').notNull(),
+    updatedAt: text('updated_at').notNull(),
+  },
+  (table) => ({
+    sandboxSlugUnique: uniqueIndex('control_workspaces_sandbox_slug_idx').on(
+      table.sandboxId,
+      table.slug,
+    ),
+  }),
+);
+
+export const controlSessions = sqliteTable('control_sessions', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull(),
+  sandboxId: text('sandbox_id').notNull(),
+  workspaceId: text('workspace_id').notNull(),
+  provider: text('provider').notNull(),
+  workerSessionId: text('worker_session_id'),
+  title: text('title').notNull(),
+  status: text('status').notNull(),
+  lastActivityAt: text('last_activity_at'),
+  createdAt: text('created_at').notNull(),
+  updatedAt: text('updated_at').notNull(),
+});
+
+export const controlGatewayUsers = sqliteTable(
+  'control_gateway_users',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    provider: text('provider').notNull(),
+    externalUserId: text('external_user_id').notNull(),
+    createdAt: text('created_at').notNull(),
+  },
+  (table) => ({
+    userProviderUnique: uniqueIndex('control_gateway_users_user_provider_idx').on(
+      table.userId,
+      table.provider,
+    ),
+    providerExternalUnique: uniqueIndex('control_gateway_users_provider_external_idx').on(
+      table.provider,
+      table.externalUserId,
+    ),
+  }),
+);
+
+export const controlGatewayKeys = sqliteTable(
+  'control_gateway_keys',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    sandboxId: text('sandbox_id').notNull(),
+    provider: text('provider').notNull(),
+    externalKeyId: text('external_key_id').notNull(),
+    keyCiphertext: text('key_ciphertext'),
+    status: text('status').notNull(),
+    createdAt: text('created_at').notNull(),
+    rotatedAt: text('rotated_at'),
+    revokedAt: text('revoked_at'),
+  },
+  (table) => ({
+    sandboxProviderUnique: uniqueIndex('control_gateway_keys_sandbox_provider_idx').on(
+      table.sandboxId,
+      table.provider,
+    ),
+    providerExternalUnique: uniqueIndex('control_gateway_keys_provider_external_idx').on(
+      table.provider,
+      table.externalKeyId,
+    ),
+  }),
+);
+
+export const controlHarnessUsers = sqliteTable(
+  'control_harness_users',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    provider: text('provider').notNull(),
+    externalUserId: text('external_user_id').notNull(),
+    createdAt: text('created_at').notNull(),
+  },
+  (table) => ({
+    userProviderUnique: uniqueIndex('control_harness_users_user_provider_idx').on(
+      table.userId,
+      table.provider,
+    ),
+    providerExternalUnique: uniqueIndex('control_harness_users_provider_external_idx').on(
+      table.provider,
+      table.externalUserId,
+    ),
+  }),
+);
+
+export const controlHarnessKeys = sqliteTable(
+  'control_harness_keys',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    sandboxId: text('sandbox_id').notNull(),
+    provider: text('provider').notNull(),
+    externalKeyId: text('external_key_id').notNull(),
+    keyCiphertext: text('key_ciphertext'),
+    secretName: text('secret_name'),
+    secretKey: text('secret_key'),
+    status: text('status').notNull(),
+    createdAt: text('created_at').notNull(),
+    rotatedAt: text('rotated_at'),
+    revokedAt: text('revoked_at'),
+  },
+  (table) => ({
+    sandboxProviderUnique: uniqueIndex('control_harness_keys_sandbox_provider_idx').on(
+      table.sandboxId,
+      table.provider,
+    ),
+    providerExternalUnique: uniqueIndex('control_harness_keys_provider_external_idx').on(
+      table.provider,
+      table.externalKeyId,
+    ),
+  }),
+);
+
+export const controlUsageEvents = sqliteTable('control_usage_events', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull(),
+  sandboxId: text('sandbox_id').notNull(),
+  workspaceId: text('workspace_id'),
+  sessionId: text('session_id'),
+  gatewayKeyId: text('gateway_key_id'),
+  provider: text('provider').notNull(),
+  model: text('model').notNull(),
+  inputTokens: integer('input_tokens').notNull().default(0),
+  outputTokens: integer('output_tokens').notNull().default(0),
+  cachedTokens: integer('cached_tokens').notNull().default(0),
+  costUsd: real('cost_usd').notNull().default(0),
+  externalRequestId: text('external_request_id'),
+  occurredAt: text('occurred_at').notNull(),
+  importedAt: text('imported_at').notNull(),
+});
+
+export const controlHarnessUsageEvents = sqliteTable(
+  'control_harness_usage_events',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    sandboxId: text('sandbox_id').notNull(),
+    workspaceId: text('workspace_id'),
+    sessionId: text('session_id'),
+    provider: text('provider').notNull(),
+    module: text('module').notNull(),
+    tool: text('tool'),
+    runId: text('run_id'),
+    jobId: text('job_id'),
+    externalEventId: text('external_event_id'),
+    computeUnits: real('compute_units').notNull().default(0),
+    costUsd: real('cost_usd').notNull().default(0),
+    status: text('status').notNull().default('unknown'),
+    metadataJson: text('metadata_json').notNull().default('{}'),
+    occurredAt: text('occurred_at').notNull(),
+    importedAt: text('imported_at').notNull(),
+  },
+  (table) => ({
+    providerExternalEventUnique: uniqueIndex('control_harness_usage_provider_event_idx')
+      .on(table.provider, table.externalEventId),
+  }),
+);
+
+export const controlUsageImportState = sqliteTable('control_usage_import_state', {
+  id: text('id').primaryKey(),
+  provider: text('provider').notNull(),
+  source: text('source').notNull(),
+  cursor: text('cursor'),
+  lastStartedAt: text('last_started_at'),
+  lastSucceededAt: text('last_succeeded_at'),
+  lastFailedAt: text('last_failed_at'),
+  lastFailureMessage: text('last_failure_message'),
+  lastSourceCount: integer('last_source_count').notNull().default(0),
+  lastImportedCount: integer('last_imported_count').notNull().default(0),
+  lastDuplicateCount: integer('last_duplicate_count').notNull().default(0),
+  lastFailureCount: integer('last_failure_count').notNull().default(0),
+  updatedAt: text('updated_at').notNull(),
+}, (table) => ({
+  providerSourceIdx: uniqueIndex('control_usage_import_state_provider_source_idx')
+    .on(table.provider, table.source),
+}));
+
+export const controlAuditLogs = sqliteTable('control_audit_logs', {
+  id: text('id').primaryKey(),
+  userId: text('user_id'),
+  action: text('action').notNull(),
+  resourceType: text('resource_type').notNull(),
+  resourceId: text('resource_id'),
+  metadataJson: text('metadata_json').notNull(),
+  createdAt: text('created_at').notNull(),
+});

package/packages/shared/src/index.ts

@@ -21,6 +21,12 @@ export type ApiErrorCode =
   | 'conflict'
   | 'provider_goal_error'
   | 'forbidden'
+  | 'unauthorized'
+  | 'invalid_route_token'
+  | 'gateway_unavailable'
+  | 'account_inactive'
+  | 'quota_exceeded'
+  | 'harness_unavailable'
   | 'goal_feature_disabled'
   | 'internal_error'
   | 'service_unavailable';
@@ -444,6 +450,30 @@ export interface WorkspaceTreeDto {
   nodes: WorkspaceTreeNodeDto[];
 }
 
+export interface WorkspaceFileDto {
+  path: string;
+  absPath: string;
+  kind: 'file' | 'directory';
+  size: number;
+  updatedAt: string;
+}
+
+export interface WriteWorkspaceFileInput {
+  path: string;
+  content: string;
+}
+
+export interface MoveWorkspaceFileInput {
+  fromPath: string;
+  toPath: string;
+  overwrite?: boolean;
+}
+
+export interface DeleteWorkspaceFileInput {
+  path: string;
+  recursive?: boolean;
+}
+
 export interface ThreadWorkspaceTreeNodeDto {
   name: string;
   path: string;
@@ -662,6 +692,7 @@ export interface UpdatePluginInput {
 export interface ImportPluginInput {
   manifest?: unknown;
   manifestJson?: string;
+  manifestUrl?: string;
   enabled?: boolean;
 }
 
@@ -1072,6 +1103,7 @@ export interface CreateThreadInput {
   title?: string;
   provider?: AgentBackendIdDto;
   model: string;
+  reasoningEffort?: ReasoningEffortDto | null;
   approvalMode: ApprovalMode;
 }
 

package/packages/shared/src/tokens.ts

@@ -0,0 +1,137 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+
+function base64UrlEncode(value: Buffer | string): string {
+  return Buffer.from(value)
+    .toString('base64')
+    .replaceAll('+', '-')
+    .replaceAll('/', '_')
+    .replaceAll('=', '');
+}
+
+function base64UrlDecode(value: string): Buffer {
+  const normalized = value.replaceAll('-', '+').replaceAll('_', '/');
+  const padding = '='.repeat((4 - (normalized.length % 4)) % 4);
+  return Buffer.from(`${normalized}${padding}`, 'base64');
+}
+
+function sign(input: string, secret: string): string {
+  return base64UrlEncode(createHmac('sha256', secret).update(input).digest());
+}
+
+export interface RouteTokenPayload extends SignedTokenPayload {
+  sandbox_id: string;
+  project_id?: string;
+  workspace_id?: string;
+  session_id?: string;
+  scopes: string[];
+  iat: number;
+  jti: string;
+}
+
+export interface SignedTokenPayload {
+  sub: string;
+  iat?: number;
+  exp: number;
+  jti?: string;
+  [key: string]: unknown;
+}
+
+export interface SigningKey {
+  id: string;
+  secret: string;
+}
+
+export function createSignedToken(
+  payload: SignedTokenPayload,
+  secret: string,
+  options: { kid?: string } = {},
+): string {
+  const header = {
+    alg: 'HS256',
+    typ: 'JWT',
+    ...(options.kid ? { kid: options.kid } : {}),
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  return `${signingInput}.${sign(signingInput, secret)}`;
+}
+
+function decodeHeader(token: string) {
+  const [encodedHeader] = token.split('.');
+  if (!encodedHeader) {
+    throw new Error('Invalid token shape.');
+  }
+  return JSON.parse(base64UrlDecode(encodedHeader).toString('utf8')) as {
+    alg?: string;
+    typ?: string;
+    kid?: string;
+  };
+}
+
+export function verifySignedToken<
+  TPayload extends { sub: string; exp: number } = RouteTokenPayload,
+>(
+  token: string,
+  secret: string,
+  nowSeconds = Math.floor(Date.now() / 1000),
+) {
+  const parts = token.split('.');
+  if (parts.length !== 3 || !parts[0] || !parts[1] || !parts[2]) {
+    throw new Error('Invalid token shape.');
+  }
+
+  const signingInput = `${parts[0]}.${parts[1]}`;
+  const expected = sign(signingInput, secret);
+  const actualBuffer = Buffer.from(parts[2]);
+  const expectedBuffer = Buffer.from(expected);
+  if (
+    actualBuffer.length !== expectedBuffer.length ||
+    !timingSafeEqual(actualBuffer, expectedBuffer)
+  ) {
+    throw new Error('Invalid token signature.');
+  }
+
+  const payload = JSON.parse(base64UrlDecode(parts[1]).toString('utf8')) as TPayload;
+  if (payload.exp <= nowSeconds) {
+    throw new Error('Token expired.');
+  }
+
+  return payload;
+}
+
+export function verifySignedTokenWithKeys<
+  TPayload extends { sub: string; exp: number } = RouteTokenPayload,
+>(
+  token: string,
+  keys: SigningKey[],
+  nowSeconds = Math.floor(Date.now() / 1000),
+) {
+  if (keys.length === 0) {
+    throw new Error('No signing keys configured.');
+  }
+
+  const header = decodeHeader(token);
+  if (header.alg !== 'HS256') {
+    throw new Error('Unsupported token algorithm.');
+  }
+
+  if (header.kid) {
+    const key = keys.find((candidate) => candidate.id === header.kid);
+    if (!key) {
+      throw new Error('Unknown token key id.');
+    }
+    return verifySignedToken<TPayload>(token, key.secret, nowSeconds);
+  }
+
+  let lastError: unknown = null;
+  for (const key of keys) {
+    try {
+      return verifySignedToken<TPayload>(token, key.secret, nowSeconds);
+    } catch (error) {
+      lastError = error;
+    }
+  }
+
+  throw lastError instanceof Error ? lastError : new Error('Invalid token.');
+}