npm - synapse-orch-ai - Versions diffs - 1.3.5 → 1.4.3 - Mend

synapse-orch-ai 1.3.5 → 1.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/README.md CHANGED Viewed

@@ -55,6 +55,14 @@ pip install synapse-orch-ai
 synapse
 ```
+### Upgrading
+| Install method | Upgrade command |
+|---|---|
+| Bash / PowerShell installer (recommended) | `synapse upgrade` |
+| pip | `pip install --upgrade synapse-orch-ai` |
+| npm | `npm update -g synapse-orch-ai` |
 ---
 ## CLI

package/backend/core/agent_logger.py CHANGED Viewed

@@ -3,8 +3,9 @@ Plain-text debug logging for individual agent runs.
 Logs each call to an agent (from chat or orchestration) including all tools
 used and their responses, in the same terminal-style format as orchestration logs.
 """
-import asyncio
 import json
+import queue
+import threading
 import time
 from pathlib import Path
@@ -43,6 +44,9 @@ class AgentLogger:
         self.run_id = f"agentrun_{short_id}_{int(time.time() * 1000)}"
         self.path = LOGS_DIR / f"{self.run_id}.log"
         self._start_time = time.time()
+        self._q: queue.SimpleQueue = queue.SimpleQueue()
+        self._thread = threading.Thread(target=self._drain, daemon=True, name=f"agent-log-{self.run_id}")
+        self._thread.start()
         self._write(f"""
 {'='*80}
@@ -61,18 +65,23 @@ class AgentLogger:
     # ── Core write ─────────────────────────────────────────────────
     def _write(self, text: str):
-        """Sync write — only call from a thread (via _write_async) or startup."""
         with open(self.path, "a", encoding="utf-8") as f:
             f.write(text)
     def _write_bg(self, text: str):
-        """Fire-and-forget write that offloads to a thread so the event loop isn't blocked."""
-        try:
-            loop = asyncio.get_running_loop()
-            loop.run_in_executor(None, self._write, text)
-        except RuntimeError:
-            # No running loop (e.g. called from sync context at startup)
-            self._write(text)
+        """Fire-and-forget: enqueue for the background writer thread."""
+        self._q.put(text)
+    def _drain(self):
+        """Background thread: drains the write queue in order."""
+        while True:
+            text = self._q.get()
+            if text is None:
+                break
+            try:
+                self._write(text)
+            except Exception:
+                pass
     # ── Run lifecycle ──────────────────────────────────────────────

package/backend/core/api_key_middleware.py ADDED Viewed

@@ -0,0 +1,39 @@
+"""
+API Key Authentication Dependency
+----------------------------------
+FastAPI dependency that validates Bearer tokens on /api/v1/* routes.
+Usage in route handlers:
+    from core.api_key_middleware import require_api_key
+    @router.post("/chat")
+    async def chat(key_record: dict = Depends(require_api_key)):
+        # key_record contains id, name, key_prefix, etc.
+        ...
+"""
+from fastapi import HTTPException, Security
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from core.api_keys import validate_api_key
+_security = HTTPBearer(
+    scheme_name="API Key",
+    description="API key in Bearer format: `Authorization: Bearer sk-syn-...`",
+)
+async def require_api_key(
+    credentials: HTTPAuthorizationCredentials = Security(_security),
+) -> dict:
+    """FastAPI dependency: validates Bearer token and returns the key record.
+    Raises 401 if the key is missing, invalid, or revoked.
+    """
+    record = validate_api_key(credentials.credentials)
+    if not record:
+        raise HTTPException(
+            status_code=401,
+            detail="Invalid or revoked API key",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    return record

package/backend/core/api_keys.py ADDED Viewed

@@ -0,0 +1,143 @@
+"""
+API Key Management
+------------------
+Generate, validate, list, revoke, and delete API keys.
+Keys use the format: sk-syn-<32 hex chars>
+Only the SHA-256 hash is persisted — the raw key is returned exactly once
+at generation time and never stored.
+Storage: DATA_DIR/api_keys.json
+"""
+import hashlib
+import json
+import os
+import secrets
+import threading
+import uuid
+from datetime import datetime, timezone
+from typing import Optional
+from core.config import DATA_DIR
+API_KEYS_FILE = os.path.join(DATA_DIR, "api_keys.json")
+_lock = threading.Lock()
+# Key prefix format
+_KEY_PREFIX = "sk-syn-"
+_KEY_HEX_LENGTH = 32  # 32 hex chars = 128 bits of entropy
+def _load_keys() -> list[dict]:
+    """Load all key records from disk."""
+    if not os.path.exists(API_KEYS_FILE):
+        return []
+    try:
+        with open(API_KEYS_FILE, "r", encoding="utf-8") as f:
+            return json.load(f)
+    except Exception:
+        return []
+def _save_keys(keys: list[dict]):
+    """Persist key records to disk."""
+    with open(API_KEYS_FILE, "w", encoding="utf-8") as f:
+        json.dump(keys, f, indent=2, ensure_ascii=False)
+def _hash_key(raw_key: str) -> str:
+    """SHA-256 hash of the raw API key."""
+    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()
+def generate_api_key(name: str) -> tuple[str, dict]:
+    """Generate a new API key.
+    Returns:
+        (plaintext_key, key_record) — the plaintext key is shown ONCE.
+    """
+    hex_part = secrets.token_hex(_KEY_HEX_LENGTH)
+    raw_key = f"{_KEY_PREFIX}{hex_part}"
+    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+    record = {
+        "id": str(uuid.uuid4()),
+        "name": name or "Unnamed Key",
+        "key_hash": _hash_key(raw_key),
+        "key_prefix": raw_key[:12],  # "sk-syn-XXXX" for display
+        "created_at": now,
+        "last_used_at": None,
+        "is_active": True,
+    }
+    with _lock:
+        keys = _load_keys()
+        keys.append(record)
+        _save_keys(keys)
+    return raw_key, record
+def validate_api_key(raw_key: str) -> Optional[dict]:
+    """Validate a raw API key.
+    Returns the key record if valid and active, None otherwise.
+    Also updates last_used_at on success.
+    """
+    if not raw_key or not raw_key.startswith(_KEY_PREFIX):
+        return None
+    key_hash = _hash_key(raw_key)
+    with _lock:
+        keys = _load_keys()
+        for key in keys:
+            if key["key_hash"] == key_hash and key.get("is_active", True):
+                key["last_used_at"] = datetime.now(timezone.utc).strftime(
+                    "%Y-%m-%dT%H:%M:%SZ"
+                )
+                _save_keys(keys)
+                return key
+    return None
+def list_api_keys() -> list[dict]:
+    """Return all key records with metadata (no hashes)."""
+    with _lock:
+        keys = _load_keys()
+    # Strip sensitive fields
+    return [
+        {
+            "id": k["id"],
+            "name": k["name"],
+            "key_prefix": k["key_prefix"],
+            "created_at": k["created_at"],
+            "last_used_at": k.get("last_used_at"),
+            "is_active": k.get("is_active", True),
+        }
+        for k in keys
+    ]
+def revoke_api_key(key_id: str) -> bool:
+    """Soft-revoke a key (set is_active=False). Returns True if found."""
+    with _lock:
+        keys = _load_keys()
+        for key in keys:
+            if key["id"] == key_id:
+                key["is_active"] = False
+                _save_keys(keys)
+                return True
+    return False
+def delete_api_key(key_id: str) -> bool:
+    """Hard-delete a key. Returns True if found and deleted."""
+    with _lock:
+        keys = _load_keys()
+        original_count = len(keys)
+        keys = [k for k in keys if k["id"] != key_id]
+        if len(keys) < original_count:
+            _save_keys(keys)
+            return True
+    return False

package/backend/core/config.py CHANGED Viewed

@@ -1,5 +1,6 @@
 import os
 import json
+import secrets as _secrets
 from pathlib import Path
 from urllib.parse import urlparse, urlunparse
@@ -57,6 +58,9 @@ def load_settings():
         "messaging_enabled": True,
         "embed_code": False,
         "bash_allowed_dirs": [],
+        "login_enabled": False,
+        "login_username": "",
+        "login_password_hash": "",
     }
     if not os.path.exists(SETTINGS_FILE):
@@ -72,6 +76,41 @@ def load_settings():
         return default_settings
+def get_or_create_jwt_secret() -> str:
+    """Return SYNAPSE_JWT_SECRET from the environment or .env file.
+    Persistence is handled by the CLI (synapse/cli.py) before the server starts.
+    If the secret is missing here (e.g. server run directly without the CLI),
+    an ephemeral in-memory value is used for this session only.
+    """
+    env_file = _PROJECT_ROOT / ".env"
+    var = "SYNAPSE_JWT_SECRET"
+    existing = os.environ.get(var, "")
+    if existing:
+        return existing
+    if env_file.exists():
+        try:
+            for line in env_file.read_text().splitlines():
+                line = line.strip()
+                if line.startswith(f"{var}=") and len(line) > len(f"{var}="):
+                    val = line.split("=", 1)[1].strip()
+                    if val:
+                        os.environ[var] = val
+                        return val
+        except Exception:
+            pass
+    secret = _secrets.token_hex(32)
+    os.environ[var] = secret
+    print(
+        f"Warning: {var} was not found; generated an ephemeral in-memory secret. "
+        f"Set {var} in the environment (or run 'synapse start') to persist across restarts."
+    )
+    return secret
 def sanitize_db_url(raw: str) -> str:
     """Normalize a PostgreSQL URL for use with psycopg (not SQLAlchemy).

package/backend/core/internal_auth.py ADDED Viewed

@@ -0,0 +1,62 @@
+"""
+Internal Token Middleware
+-------------------------
+Protects all /api/* routes from direct external access.
+Only the Next.js frontend knows the SYNAPSE_INTERNAL_TOKEN and injects it
+as an X-Synapse-Internal header on every proxied request. External callers
+that try to hit /api/settings, /api/agents, etc. directly will get 403.
+Rules:
+- /api/v1/*          → SKIP (uses API key auth instead)
+- /docs, /openapi.json, /redoc  → SKIP (FastAPI docs)
+- /chat*, /auth/*    → SKIP (direct backend routes, not under /api/)
+- /api/*             → REQUIRE X-Synapse-Internal header
+- If SYNAPSE_INTERNAL_TOKEN is not set → permissive (backward compatible)
+"""
+import os
+from fastapi import Request
+from fastapi.responses import JSONResponse
+from starlette.middleware.base import BaseHTTPMiddleware
+class InternalTokenMiddleware(BaseHTTPMiddleware):
+    """Block direct access to internal /api/* routes without the internal token."""
+    def __init__(self, app):
+        super().__init__(app)
+        self.token = os.getenv("SYNAPSE_INTERNAL_TOKEN", "")
+    async def dispatch(self, request: Request, call_next):
+        path = request.url.path
+        # If no token configured, be permissive (local dev / backward compat)
+        if not self.token:
+            return await call_next(request)
+        # Skip: V1 API routes (they use API key auth)
+        if path.startswith("/api/v1/") or path == "/api/v1":
+            return await call_next(request)
+        # Skip: MCP OAuth callback — called by external OAuth providers, not frontend
+        if path == "/api/mcp/oauth/callback":
+            return await call_next(request)
+        # Skip: FastAPI docs
+        if path in ("/docs", "/openapi.json", "/redoc"):
+            return await call_next(request)
+        # Skip: non-API routes (chat, auth, health, websocket, etc.)
+        if not path.startswith("/api/"):
+            return await call_next(request)
+        # This is an /api/* route — require internal token
+        provided = request.headers.get("X-Synapse-Internal", "")
+        if provided != self.token:
+            return JSONResponse(
+                status_code=403,
+                content={"detail": "Forbidden"},
+            )
+        return await call_next(request)

package/backend/core/models.py CHANGED Viewed

@@ -112,6 +112,9 @@ class Settings(BaseModel):
     report_agent_enabled: bool = True
     coding_agent_enabled: bool = True
     messaging_enabled: bool = True
+    login_enabled: bool = False
+    login_username: str = ""
+    login_password_hash: str = ""
 class PersonalAddress(BaseModel):

package/backend/core/orchestration/engine.py CHANGED Viewed

@@ -239,17 +239,18 @@ class OrchestrationEngine:
             except Exception as e:
                 import traceback; print(f"DEBUG ENGINE: ❌ EXCEPTION in step '{step.id}': {e}\n{traceback.format_exc()}", flush=True)
+                safe_error = "An internal error occurred while executing this step."
                 run.step_history.append({
                     "step_id": step.id,
                     "step_name": step.name,
                     "step_type": step.type.value,
                     "status": "failed",
-                    "error": str(e),
+                    "error": safe_error,
                 })
                 run.status = "failed"
                 if logger:
-                    logger.step_end(step.id, "failed", str(e))
-                yield {"type": "step_error", "orch_step_id": step.id, "error": str(e)}
+                    logger.step_end(step.id, "failed", safe_error)
+                yield {"type": "step_error", "orch_step_id": step.id, "error": safe_error}
                 break
         # Finalize

package/backend/core/routes/api_keys.py ADDED Viewed

@@ -0,0 +1,46 @@
+"""
+API Key Management Endpoints
+-----------------------------
+CRUD endpoints for managing API keys from the frontend Settings page
+and the CLI.
+"""
+from fastapi import APIRouter, HTTPException
+from pydantic import BaseModel
+from core.api_keys import generate_api_key, list_api_keys, delete_api_key
+router = APIRouter()
+class CreateKeyRequest(BaseModel):
+    name: str = "Unnamed Key"
+@router.get("/api/settings/api-keys")
+async def list_keys():
+    """List all API keys (metadata only — no raw keys or hashes)."""
+    return list_api_keys()
+@router.post("/api/settings/api-keys")
+async def create_key(body: CreateKeyRequest):
+    """Generate a new API key.
+    The raw key is returned in this response ONLY — it is never stored
+    and cannot be retrieved again.
+    """
+    raw_key, record = generate_api_key(body.name)
+    return {
+        "key": raw_key,  # shown once
+        "id": record["id"],
+        "name": record["name"],
+        "key_prefix": record["key_prefix"],
+        "created_at": record["created_at"],
+    }
+@router.delete("/api/settings/api-keys/{key_id}")
+async def remove_key(key_id: str):
+    """Delete an API key permanently."""
+    if delete_api_key(key_id):
+        return {"status": "deleted", "id": key_id}
+    raise HTTPException(status_code=404, detail="API key not found")