stagent 0.5.0 → 0.6.1

package/src/app/api/channels/route.ts

@@ -0,0 +1,72 @@
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { channelConfigs } from "@/lib/db/schema";
+import { desc, eq } from "drizzle-orm";
+import { maskChannelRow } from "@/lib/channels/types";
+
+const VALID_CHANNEL_TYPES = ["slack", "telegram", "webhook"] as const;
+
+export async function GET() {
+  const result = await db
+    .select()
+    .from(channelConfigs)
+    .orderBy(desc(channelConfigs.createdAt));
+
+  return NextResponse.json(result.map(maskChannelRow));
+}
+
+export async function POST(req: NextRequest) {
+  const body = await req.json();
+  const { channelType, name, config } = body as {
+    channelType?: string;
+    name?: string;
+    config?: Record<string, unknown>;
+  };
+
+  if (!name?.trim()) {
+    return NextResponse.json({ error: "Name is required" }, { status: 400 });
+  }
+
+  if (!channelType || !VALID_CHANNEL_TYPES.includes(channelType as typeof VALID_CHANNEL_TYPES[number])) {
+    return NextResponse.json(
+      { error: `Invalid channel type. Must be one of: ${VALID_CHANNEL_TYPES.join(", ")}` },
+      { status: 400 }
+    );
+  }
+
+  if (!config || typeof config !== "object") {
+    return NextResponse.json({ error: "Config object is required" }, { status: 400 });
+  }
+
+  // Validate required fields per type
+  if (channelType === "slack" && !config.webhookUrl) {
+    return NextResponse.json({ error: "Slack channels require a webhookUrl" }, { status: 400 });
+  }
+  if (channelType === "telegram" && (!config.botToken || !config.chatId)) {
+    return NextResponse.json({ error: "Telegram channels require botToken and chatId" }, { status: 400 });
+  }
+  if (channelType === "webhook" && !config.url) {
+    return NextResponse.json({ error: "Webhook channels require a url" }, { status: 400 });
+  }
+
+  const id = crypto.randomUUID();
+  const now = new Date();
+
+  await db.insert(channelConfigs).values({
+    id,
+    channelType: channelType as typeof VALID_CHANNEL_TYPES[number],
+    name: name.trim(),
+    config: JSON.stringify(config),
+    status: "active",
+    testStatus: "untested",
+    createdAt: now,
+    updatedAt: now,
+  });
+
+  const [created] = await db
+    .select()
+    .from(channelConfigs)
+    .where(eq(channelConfigs.id, id));
+
+  return NextResponse.json(maskChannelRow(created), { status: 201 });
+}

package/src/app/api/chat/conversations/route.ts

@@ -3,6 +3,10 @@ import {
   createConversation,
   listConversations,
 } from "@/lib/data/chat";
+import { db } from "@/lib/db";
+import { projects } from "@/lib/db/schema";
+import { eq } from "drizzle-orm";
+import { ensureFreshScan } from "@/lib/environment/auto-scan";
 
 /**
  * GET /api/chat/conversations?status=active&projectId=xxx&limit=50
@@ -48,6 +52,17 @@ export async function POST(req: NextRequest) {
     );
   }
 
+  // Auto-scan environment when starting a conversation for a project
+  if (projectId) {
+    const [project] = await db
+      .select()
+      .from(projects)
+      .where(eq(projects.id, projectId));
+    if (project?.workingDirectory) {
+      ensureFreshScan(project.workingDirectory, projectId);
+    }
+  }
+
   const conversation = await createConversation({
     projectId: projectId ?? null,
     title: title ?? null,

package/src/app/api/chat/entities/search/route.ts

@@ -21,48 +21,47 @@ interface EntityResult {
 export async function GET(request: Request) {
   const url = new URL(request.url);
   const query = url.searchParams.get("q") ?? "";
-  const limit = Math.min(parseInt(url.searchParams.get("limit") ?? "10", 10), 20);
+  const limit = Math.min(parseInt(url.searchParams.get("limit") ?? "20", 10), 30);
 
-  if (!query.trim()) {
-    return NextResponse.json({ results: [] });
-  }
-
-  const pattern = `%${query}%`;
+  const hasQuery = query.trim().length > 0;
+  const pattern = hasQuery ? `%${query}%` : "";
   const perType = Math.max(2, Math.floor(limit / 5));
 
   const results: EntityResult[] = [];
 
+  // Build queries — apply LIKE filter only when query is non-empty
+  const projectQuery = db
+    .select({ id: projects.id, name: projects.name, status: projects.status, description: projects.description })
+    .from(projects);
+  const taskQuery = db
+    .select({ id: tasks.id, title: tasks.title, status: tasks.status, description: tasks.description })
+    .from(tasks);
+  const workflowQuery = db
+    .select({ id: workflows.id, name: workflows.name, status: workflows.status })
+    .from(workflows);
+  const documentQuery = db
+    .select({ id: documents.id, name: documents.originalName, status: documents.status, mimeType: documents.mimeType, size: documents.size })
+    .from(documents);
+  const scheduleQuery = db
+    .select({ id: schedules.id, name: schedules.name, status: schedules.status })
+    .from(schedules);
+
   // Search in parallel across all entity types
   const [projectRows, taskRows, workflowRows, documentRows, scheduleRows] =
     await Promise.all([
-      db
-        .select({ id: projects.id, name: projects.name, status: projects.status, description: projects.description })
-        .from(projects)
-        .where(like(projects.name, pattern))
+      (hasQuery ? projectQuery.where(like(projects.name, pattern)) : projectQuery)
         .orderBy(desc(projects.updatedAt))
         .limit(perType),
-      db
-        .select({ id: tasks.id, title: tasks.title, status: tasks.status, description: tasks.description })
-        .from(tasks)
-        .where(like(tasks.title, pattern))
+      (hasQuery ? taskQuery.where(like(tasks.title, pattern)) : taskQuery)
         .orderBy(desc(tasks.updatedAt))
         .limit(perType),
-      db
-        .select({ id: workflows.id, name: workflows.name, status: workflows.status })
-        .from(workflows)
-        .where(like(workflows.name, pattern))
+      (hasQuery ? workflowQuery.where(like(workflows.name, pattern)) : workflowQuery)
         .orderBy(desc(workflows.updatedAt))
         .limit(perType),
-      db
-        .select({ id: documents.id, name: documents.originalName, status: documents.status, mimeType: documents.mimeType, size: documents.size })
-        .from(documents)
-        .where(like(documents.originalName, pattern))
+      (hasQuery ? documentQuery.where(like(documents.originalName, pattern)) : documentQuery)
         .orderBy(desc(documents.createdAt))
         .limit(perType),
-      db
-        .select({ id: schedules.id, name: schedules.name, status: schedules.status })
-        .from(schedules)
-        .where(like(schedules.name, pattern))
+      (hasQuery ? scheduleQuery.where(like(schedules.name, pattern)) : scheduleQuery)
         .orderBy(desc(schedules.updatedAt))
         .limit(perType),
     ]);
@@ -84,13 +83,29 @@ export async function GET(request: Request) {
   }
 
   // Search profiles in-memory (file-based registry)
-  const lowerQuery = query.toLowerCase();
-  const profileMatches = listProfiles()
-    .filter((p) => p.name.toLowerCase().includes(lowerQuery) || p.id.toLowerCase().includes(lowerQuery))
-    .slice(0, perType);
+  const allProfiles = listProfiles();
+  const q = query.toLowerCase();
+  const profileMatches = hasQuery
+    ? allProfiles
+        .filter((p) =>
+          p.name.toLowerCase().includes(q) ||
+          p.id.toLowerCase().includes(q) ||
+          p.description?.toLowerCase().includes(q) ||
+          p.tags?.some((t) => t.toLowerCase().includes(q))
+        )
+        .slice(0, perType)
+    : allProfiles.slice(0, perType);
 
   for (const p of profileMatches) {
-    results.push({ entityType: "profile", entityId: p.id, label: p.name });
+    results.push({
+      entityType: "profile",
+      entityId: p.id,
+      label: p.name,
+      description: p.description
+        ? `${p.domain} · ${p.description.slice(0, 100)}`
+        : p.domain,
+      status: p.domain,
+    });
   }
 
   return NextResponse.json({ results: results.slice(0, limit) });

package/src/app/api/data/clear/route.ts

@@ -2,6 +2,10 @@ import { NextResponse } from "next/server";
 import { clearAllData } from "@/lib/data/clear";
 
 export async function POST() {
+  if (process.env.NODE_ENV === "production") {
+    return NextResponse.json(null, { status: 404 });
+  }
+
   try {
     const deleted = clearAllData();
     return NextResponse.json({ success: true, deleted });

package/src/app/api/data/seed/route.ts

@@ -2,6 +2,10 @@ import { NextResponse } from "next/server";
 import { seedSampleData } from "@/lib/data/seed";
 
 export async function POST() {
+  if (process.env.NODE_ENV === "production") {
+    return NextResponse.json(null, { status: 404 });
+  }
+
   try {
     const seeded = await seedSampleData();
     return NextResponse.json({ success: true, seeded });

package/src/app/api/documents/route.ts

@@ -1,9 +1,10 @@
 import { NextRequest, NextResponse } from "next/server";
 import { db } from "@/lib/db";
 import { documents, tasks, projects } from "@/lib/db/schema";
-import { eq, and, like, or, desc, sql } from "drizzle-orm";
+import { eq, and, like, or, desc } from "drizzle-orm";
 import { access, stat, copyFile, mkdir } from "fs/promises";
-import { basename, extname, join } from "path";
+import path, { basename, extname, join } from "path";
+import { homedir } from "os";
 import crypto from "crypto";
 import { getStagentUploadsDir } from "@/lib/utils/stagent-paths";
 import { processDocument } from "@/lib/documents/processor";
@@ -120,18 +121,47 @@ export async function POST(req: NextRequest) {
 
   const body = parsed.data;
 
+  // Path traversal protection: resolve and validate the file path
+  const resolvedPath = path.resolve(body.file_path);
+  const home = homedir();
+  const SENSITIVE_PREFIXES = ["/etc", "/var", "/proc", "/sys", "/dev", "/root"];
+  const SENSITIVE_HOME_DIRS = [".ssh", ".gnupg", ".aws", ".config", ".env"];
+
+  if (SENSITIVE_PREFIXES.some((prefix) => resolvedPath.startsWith(prefix))) {
+    return NextResponse.json(
+      { error: "Access denied: path points to a restricted system directory" },
+      { status: 403 }
+    );
+  }
+
+  if (resolvedPath.startsWith(home)) {
+    const relativeToHome = resolvedPath.slice(home.length + 1);
+    if (SENSITIVE_HOME_DIRS.some((dir) => relativeToHome.startsWith(dir))) {
+      return NextResponse.json(
+        { error: "Access denied: path points to a sensitive home directory" },
+        { status: 403 }
+      );
+    }
+  } else if (!resolvedPath.startsWith("/tmp")) {
+    // Outside home and not /tmp — reject
+    return NextResponse.json(
+      { error: "Access denied: path must be under the user's home directory or /tmp" },
+      { status: 403 }
+    );
+  }
+
   try {
-    await access(body.file_path);
+    await access(resolvedPath);
   } catch {
     return NextResponse.json({ error: `File not found: ${body.file_path}` }, { status: 400 });
   }
 
-  const stats = await stat(body.file_path);
+  const stats = await stat(resolvedPath);
   if (!stats.isFile()) {
     return NextResponse.json({ error: `Not a file: ${body.file_path}` }, { status: 400 });
   }
 
-  const originalName = basename(body.file_path);
+  const originalName = basename(resolvedPath);
   const ext = extname(originalName).toLowerCase();
   const mimeType = MIME_TYPES[ext] ?? "application/octet-stream";
   const id = crypto.randomUUID();
@@ -140,7 +170,7 @@ export async function POST(req: NextRequest) {
   const uploadsDir = getStagentUploadsDir();
   await mkdir(uploadsDir, { recursive: true });
   const storagePath = join(uploadsDir, filename);
-  await copyFile(body.file_path, storagePath);
+  await copyFile(resolvedPath, storagePath);
 
   const now = new Date();
   await db.insert(documents).values({

package/src/app/api/environment/profiles/suggest/route.ts

@@ -1,23 +1,39 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getLatestScan } from "@/lib/environment/data";
-import { suggestProfiles } from "@/lib/environment/profile-generator";
+import { suggestProfiles, suggestProfilesTiered } from "@/lib/environment/profile-generator";
 
 /** GET: Suggest profiles based on latest (or specified) scan. */
 export async function GET(req: NextRequest) {
   const url = new URL(req.url);
   const scanId = url.searchParams.get("scanId");
+  const tiered = url.searchParams.get("tiered") === "true";
 
   let resolvedScanId = scanId;
   if (!resolvedScanId) {
     const latest = getLatestScan();
     if (!latest) {
-      return NextResponse.json({ suggestions: [], message: "No scan found" });
+      return NextResponse.json({
+        suggestions: [],
+        curated: [],
+        discovered: [],
+        message: "No scan found",
+      });
     }
     resolvedScanId = latest.id;
   }
 
-  const suggestions = suggestProfiles(resolvedScanId);
+  if (tiered) {
+    const { curated, discovered } = suggestProfilesTiered(resolvedScanId);
+    return NextResponse.json({
+      curated,
+      discovered,
+      curatedCount: curated.length,
+      discoveredCount: discovered.length,
+    });
+  }
 
+  // Legacy flat response (backward-compatible)
+  const suggestions = suggestProfiles(resolvedScanId);
   return NextResponse.json({
     suggestions,
     count: suggestions.length,

package/src/app/api/environment/scan/route.ts

@@ -8,6 +8,7 @@ import {
   getArtifactCounts,
   getToolCounts,
 } from "@/lib/environment/data";
+import { ensureFreshScan } from "@/lib/environment/auto-scan";
 
 /** POST: Trigger a new environment scan. */
 export async function POST(req: NextRequest) {
@@ -33,11 +34,17 @@ export async function POST(req: NextRequest) {
   });
 }
 
-/** GET: Return the latest scan result from cache. */
+/** GET: Return the latest scan result from cache. Auto-scans if stale and projectDir is provided. */
 export async function GET(req: NextRequest) {
   const url = new URL(req.url);
   const projectId = url.searchParams.get("projectId");
   const scanId = url.searchParams.get("scanId");
+  const projectDir = url.searchParams.get("projectDir");
+
+  // Auto-scan if a projectDir was provided and the latest scan is stale
+  if (projectDir && !scanId) {
+    ensureFreshScan(projectDir, projectId || undefined);
+  }
 
   let scan;
   if (scanId) {

package/src/app/api/handoffs/[id]/route.ts

@@ -0,0 +1,76 @@
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { agentMessages } from "@/lib/db/schema";
+import { eq } from "drizzle-orm";
+
+export async function GET(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+
+  const [message] = await db
+    .select()
+    .from(agentMessages)
+    .where(eq(agentMessages.id, id));
+
+  if (!message) {
+    return NextResponse.json({ error: "Handoff not found" }, { status: 404 });
+  }
+
+  return NextResponse.json(message);
+}
+
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const body = await req.json();
+  const { action, approvedBy } = body as {
+    action?: "approve" | "reject";
+    approvedBy?: string;
+  };
+
+  const [message] = await db
+    .select()
+    .from(agentMessages)
+    .where(eq(agentMessages.id, id));
+
+  if (!message) {
+    return NextResponse.json({ error: "Handoff not found" }, { status: 404 });
+  }
+
+  if (!action || !["approve", "reject"].includes(action)) {
+    return NextResponse.json(
+      { error: "action must be 'approve' or 'reject'" },
+      { status: 400 }
+    );
+  }
+
+  if (message.status !== "pending") {
+    return NextResponse.json(
+      { error: `Cannot ${action} a handoff with status: ${message.status}` },
+      { status: 409 }
+    );
+  }
+
+  const now = new Date();
+  const newStatus = action === "approve" ? "accepted" : "rejected";
+
+  await db
+    .update(agentMessages)
+    .set({
+      status: newStatus,
+      approvedBy: approvedBy ?? "user",
+      respondedAt: now,
+    })
+    .where(eq(agentMessages.id, id));
+
+  const [updated] = await db
+    .select()
+    .from(agentMessages)
+    .where(eq(agentMessages.id, id));
+
+  return NextResponse.json(updated);
+}

package/src/app/api/handoffs/route.ts

@@ -0,0 +1,89 @@
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { agentMessages } from "@/lib/db/schema";
+import { desc, eq, and } from "drizzle-orm";
+import { sendHandoff } from "@/lib/agents/handoff/bus";
+
+export async function GET(req: NextRequest) {
+  const { searchParams } = new URL(req.url);
+  const status = searchParams.get("status");
+  const profileId = searchParams.get("profileId");
+
+  const conditions = [];
+  if (status) {
+    conditions.push(eq(agentMessages.status, status as "pending" | "accepted" | "in_progress" | "completed" | "rejected" | "expired"));
+  }
+  if (profileId) {
+    conditions.push(eq(agentMessages.toProfileId, profileId));
+  }
+
+  const result = await db
+    .select()
+    .from(agentMessages)
+    .where(conditions.length > 0 ? and(...conditions) : undefined)
+    .orderBy(desc(agentMessages.createdAt))
+    .limit(100);
+
+  return NextResponse.json(result);
+}
+
+export async function POST(req: NextRequest) {
+  const body = await req.json();
+  const {
+    fromProfileId,
+    toProfileId,
+    sourceTaskId,
+    subject,
+    body: messageBody,
+    priority,
+    requiresApproval,
+    parentMessageId,
+  } = body as {
+    fromProfileId?: string;
+    toProfileId?: string;
+    sourceTaskId?: string;
+    subject?: string;
+    body?: string;
+    priority?: number;
+    requiresApproval?: boolean;
+    parentMessageId?: string;
+  };
+
+  if (!fromProfileId?.trim()) {
+    return NextResponse.json({ error: "fromProfileId is required" }, { status: 400 });
+  }
+  if (!toProfileId?.trim()) {
+    return NextResponse.json({ error: "toProfileId is required" }, { status: 400 });
+  }
+  if (!subject?.trim()) {
+    return NextResponse.json({ error: "subject is required" }, { status: 400 });
+  }
+  if (!messageBody?.trim()) {
+    return NextResponse.json({ error: "body is required" }, { status: 400 });
+  }
+
+  try {
+    const messageId = await sendHandoff({
+      fromProfileId: fromProfileId.trim(),
+      toProfileId: toProfileId.trim(),
+      sourceTaskId: sourceTaskId ?? "",
+      subject: subject.trim(),
+      body: messageBody.trim(),
+      priority,
+      requiresApproval,
+      parentMessageId,
+    });
+
+    const [created] = await db
+      .select()
+      .from(agentMessages)
+      .where(eq(agentMessages.id, messageId));
+
+    return NextResponse.json(created, { status: 201 });
+  } catch (err) {
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : String(err) },
+      { status: 400 }
+    );
+  }
+}