takos-runtime-service 1.0.0

package/src/routes/actions/index.ts

@@ -0,0 +1,17 @@
+import { Hono } from 'hono';
+import executionRoutes from './execution.js';
+import jobLifecycleRoutes from './job-lifecycle.js';
+import jobQueryRoutes from './job-queries.js';
+
+const app = new Hono();
+
+// Mount execution routes (checkout + step)
+app.route('/', executionRoutes);
+
+// Mount job lifecycle routes (start, complete, cancel)
+app.route('/', jobLifecycleRoutes);
+
+// Mount job query routes (status, logs)
+app.route('/', jobQueryRoutes);
+
+export default app;

package/src/routes/actions/job-lifecycle.ts

@@ -0,0 +1,242 @@
+import { Hono } from 'hono';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+import { SANDBOX_LIMITS } from '../../shared/config.js';
+import { createSandboxEnv } from '../../utils/sandbox-env.js';
+import { createSecretsSanitizer } from '../../runtime/actions/secrets.js';
+import { pushLog } from '../../runtime/logging.js';
+import { isR2Configured, s3Client } from '../../storage/r2.js';
+import { PutObjectCommand } from '@aws-sdk/client-s3';
+import { R2_BUCKET } from '../../shared/config.js';
+import {
+  getScopedSpaceId,
+  hasSpaceScopeMismatch,
+  SPACE_SCOPE_MISMATCH_ERROR,
+} from '../../middleware/space-scope.js';
+import {
+  jobManager,
+  removeJobDirSafe,
+} from '../../runtime/actions/job-manager.js';
+import type { ActiveJob } from '../../runtime/actions/job-manager.js';
+import { collectSensitiveEnvValues } from '../../runtime/actions/secrets.js';
+import type { StartJobRequest } from './action-types.js';
+import { badRequest, forbidden, internalError, notFound } from 'takos-common/middleware/hono';
+import { ErrorCodes } from 'takos-common/errors';
+
+const app = new Hono();
+
+// ---------------------------------------------------------------------------
+// Job lifecycle
+// ---------------------------------------------------------------------------
+
+app.post('/actions/jobs/:jobId/start', async (c) => {
+  const jobId = c.req.param('jobId');
+  const body = await c.req.json() as StartJobRequest | undefined;
+
+  try {
+    if (body?.space_id !== undefined) {
+      if (typeof body.space_id !== 'string' || body.space_id.length === 0) {
+        return badRequest(c, 'space_id must be a non-empty string when provided');
+      }
+    }
+
+    const scopedSpaceId = getScopedSpaceId(c);
+    if (scopedSpaceId && !body?.space_id) {
+      return badRequest(c, 'space_id is required for space-scoped token');
+    }
+    if (hasSpaceScopeMismatch(c, body?.space_id)) {
+      return forbidden(c, SPACE_SCOPE_MISMATCH_ERROR);
+    }
+
+    if (!body || !body.repoId || !body.ref || !body.sha) {
+      return badRequest(c, 'Missing required fields: repoId, ref, sha');
+    }
+
+    if (!body.steps || !Array.isArray(body.steps) || body.steps.length === 0) {
+      return badRequest(c, 'Missing or invalid steps array');
+    }
+    if (body.steps.length > SANDBOX_LIMITS.maxStepsPerJob) {
+      return badRequest(c, `Steps exceed per-job limit (max ${SANDBOX_LIMITS.maxStepsPerJob})`);
+    }
+
+    if (jobManager.jobs.has(jobId)) {
+      return c.json({ error: { code: ErrorCodes.CONFLICT, message: 'Job already exists' } }, 409);
+    }
+
+    const jobSpaceId = body.space_id ?? scopedSpaceId ?? '__unspecified_workspace__';
+
+    const runningJobs = jobManager.countRunningJobsForSpace(jobSpaceId);
+    if (runningJobs >= SANDBOX_LIMITS.maxConcurrentJobs) {
+      return c.json({ error: { code: ErrorCodes.RATE_LIMITED, message: `Concurrent job limit reached (max ${SANDBOX_LIMITS.maxConcurrentJobs})` } }, 429);
+    }
+
+    const workspacePath = path.join(
+      os.tmpdir(),
+      `takos-actions-${jobId.slice(0, 8)}-${Date.now()}`
+    );
+    await fs.mkdir(workspacePath, { recursive: true });
+
+    const logs: string[] = [];
+    pushLog(logs, `Starting job: ${body.jobName || jobId}`);
+    pushLog(logs, `Repository: ${body.repoId}`);
+    pushLog(logs, `Ref: ${body.ref} (${body.sha})`);
+
+    const baseEnv = createSandboxEnv({
+      ...body.env,
+      GITHUB_ACTIONS: 'true',
+      CI: 'true',
+      GITHUB_WORKSPACE: workspacePath,
+      GITHUB_REPOSITORY: body.repoId,
+      GITHUB_REF: body.ref,
+      GITHUB_SHA: body.sha,
+      GITHUB_JOB: body.jobName || jobId,
+      GITHUB_RUN_ID: jobId,
+      GITHUB_WORKFLOW: body.workflowPath,
+    }, SANDBOX_LIMITS.maxEnvValueLength);
+
+    const secretsSanitizer = createSecretsSanitizer(
+      body.secrets || {},
+      collectSensitiveEnvValues(body.env)
+    );
+
+    const job: ActiveJob = {
+      id: jobId,
+      spaceId: jobSpaceId,
+      repoId: body.repoId,
+      ref: body.ref,
+      sha: body.sha,
+      workflowPath: body.workflowPath,
+      jobName: body.jobName || jobId,
+      workspacePath,
+      status: 'running',
+      steps: body.steps,
+      env: baseEnv,
+      secrets: body.secrets || {},
+      secretsSanitizer,
+      logs,
+      currentStep: 0,
+      startedAt: Date.now(),
+      outputs: {},
+    };
+
+    jobManager.jobs.set(jobId, job);
+
+    pushLog(logs, 'Job directory created successfully');
+    pushLog(logs, `Working path: ${workspacePath}`);
+
+    return c.json({
+      jobId,
+      status: 'running',
+      workspacePath,
+      message: 'Job started successfully',
+    });
+  } catch (err) {
+    c.get('log')?.error('Error starting job', { jobId, error: err });
+    return internalError(c, 'Failed to start job');
+  }
+});
+
+app.post('/actions/jobs/:jobId/complete', async (c) => {
+  const jobId = c.req.param('jobId');
+  const { conclusion, uploadLogs } = await c.req.json() as {
+    conclusion?: 'success' | 'failure' | 'cancelled';
+    uploadLogs?: boolean;
+  };
+
+  try {
+    const job = jobManager.jobs.get(jobId);
+    if (!job) return notFound(c, 'Job not found');
+
+    job.status = conclusion === 'success' ? 'completed' : 'failed';
+    job.conclusion = conclusion || 'success';
+    job.completedAt = Date.now();
+
+    pushLog(job.logs, `\n=== Job ${job.conclusion} ===`, job.secretsSanitizer);
+    pushLog(job.logs, `Duration: ${(job.completedAt - job.startedAt) / 1000}s`, job.secretsSanitizer);
+
+    let logsUrl: string | undefined;
+    if (uploadLogs && isR2Configured()) {
+      try {
+        const logsKey = `actions/jobs/${jobId}/logs.txt`;
+        const sanitizedLogs = job.secretsSanitizer.sanitizeLogs(job.logs);
+        await s3Client.send(
+          new PutObjectCommand({
+            Bucket: R2_BUCKET,
+            Key: logsKey,
+            Body: sanitizedLogs.join('\n'),
+            ContentType: 'text/plain',
+            Metadata: {
+              'job-id': jobId,
+              'conclusion': job.conclusion,
+              'completed-at': new Date(job.completedAt).toISOString(),
+            },
+          })
+        );
+        logsUrl = logsKey;
+        pushLog(job.logs, `Logs uploaded to R2: ${logsKey}`, job.secretsSanitizer);
+      } catch (uploadErr) {
+        c.get('log')?.error('Failed to upload logs', { jobId, error: uploadErr });
+      }
+    }
+
+    try {
+      await fs.rm(job.workspacePath, { recursive: true, force: true });
+      pushLog(job.logs, 'Job directory cleaned up', job.secretsSanitizer);
+    } catch {
+      c.get('log')?.warn('Failed to cleanup job directory', { jobId });
+    }
+
+    const response = {
+      jobId,
+      status: job.status,
+      conclusion: job.conclusion,
+      duration: (job.completedAt - job.startedAt) / 1000,
+      outputs: job.outputs,
+      logsUrl,
+    };
+
+    jobManager.scheduleJobCleanup(jobId);
+
+    return c.json(response);
+  } catch (err) {
+    c.get('log')?.error('Error completing job', { jobId, error: err });
+    return internalError(c, 'Failed to complete job');
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Job cancellation
+// ---------------------------------------------------------------------------
+
+app.delete('/actions/jobs/:jobId', async (c) => {
+  const jobId = c.req.param('jobId');
+
+  try {
+    const job = jobManager.jobs.get(jobId);
+    if (!job) return notFound(c, 'Job not found');
+
+    job.status = 'failed';
+    job.conclusion = 'cancelled';
+    job.completedAt = Date.now();
+
+    pushLog(job.logs, '\n=== Job cancelled ===', job.secretsSanitizer);
+
+    job.secretsSanitizer.clear();
+
+    await removeJobDirSafe(job.workspacePath, jobId, 'cancelled job');
+
+    jobManager.jobs.delete(jobId);
+
+    return c.json({
+      jobId,
+      status: 'cancelled',
+      message: 'Job cancelled and cleaned up',
+    });
+  } catch (err) {
+    c.get('log')?.error('Error cancelling job', { jobId, error: err });
+    return internalError(c, 'Failed to cancel job');
+  }
+});
+
+export default app;

package/src/routes/actions/job-queries.ts

@@ -0,0 +1,52 @@
+import { Hono } from 'hono';
+import {
+  jobManager,
+  sanitizeOutputs,
+} from '../../runtime/actions/job-manager.js';
+import { notFound } from 'takos-common/middleware/hono';
+
+const app = new Hono();
+
+// ---------------------------------------------------------------------------
+// Job status & logs
+// ---------------------------------------------------------------------------
+
+app.get('/actions/jobs/:jobId/status', (c) => {
+  const jobId = c.req.param('jobId');
+
+  const job = jobManager.jobs.get(jobId);
+  if (!job) return notFound(c, 'Job not found');
+
+  return c.json({
+    jobId,
+    status: job.status,
+    conclusion: job.conclusion,
+    currentStep: job.currentStep,
+    totalSteps: job.steps.length,
+    startedAt: job.startedAt,
+    completedAt: job.completedAt,
+    outputs: sanitizeOutputs(job.outputs, job.secretsSanitizer),
+  });
+});
+
+app.get('/actions/jobs/:jobId/logs', (c) => {
+  const jobId = c.req.param('jobId');
+  const offset = c.req.query('offset');
+
+  const job = jobManager.jobs.get(jobId);
+  if (!job) return notFound(c, 'Job not found');
+
+  const rawOffset = offset ? parseInt(offset, 10) : 0;
+  const startOffset = Number.isFinite(rawOffset) ? rawOffset : 0;
+  const rawLogs = job.logs.slice(startOffset);
+  const logs = job.secretsSanitizer.sanitizeLogs(rawLogs);
+
+  return c.json({
+    logs,
+    offset: startOffset,
+    total: job.logs.length,
+    hasMore: startOffset + logs.length < job.logs.length,
+  });
+});
+
+export default app;

package/src/routes/cli/proxy.ts

@@ -0,0 +1,105 @@
+import { Hono } from 'hono';
+import type { ContentfulStatusCode } from 'hono/utils/http-status';
+import { PROXY_BASE_URL } from '../../shared/config.js';
+import { isValidSessionId } from '../../runtime/validation.js';
+import { sessionStore } from '../sessions/storage.js';
+import { badRequest, internalError, forbidden } from 'takos-common/middleware/hono';
+
+const app = new Hono();
+
+const ALLOWED_PATHS = [
+  /^\/api\/repos\/[^/]+\/import$/,
+  /^\/api\/repos\/[^/]+\/export$/,
+  /^\/api\/repos\/[^/]+\/status$/,
+  /^\/api\/repos\/[^/]+\/log$/,
+  /^\/api\/repos\/[^/]+\/commit$/,
+];
+
+function getProxyPathAndQuery(c: import('hono').Context): { apiPath: string; apiQuery: string } {
+  // In Hono, c.req.path gives us the path matched by the route.
+  // c.req.url gives the full URL. We need to extract the proxy target.
+  const url = new URL(c.req.url);
+  const fullPath = url.pathname;
+  const rawProxyTarget = fullPath.startsWith('/cli-proxy')
+    ? fullPath.slice('/cli-proxy'.length)
+    : fullPath;
+  const [apiPath, ...queryParts] = rawProxyTarget.split('?');
+  return {
+    apiPath: apiPath ?? '',
+    apiQuery: queryParts.join('?') || url.search.slice(1),
+  };
+}
+
+app.all('/cli-proxy/*', async (c) => {
+  try {
+    const sessionId = c.req.header('X-Takos-Session-Id');
+    if (!sessionId) {
+      return badRequest(c, 'Missing X-Takos-Session-Id header');
+    }
+    if (!isValidSessionId(sessionId)) {
+      return badRequest(c, 'Invalid X-Takos-Session-Id');
+    }
+
+    const session = sessionStore.getSession(sessionId);
+    if (!session) {
+      return forbidden(c, 'Session not found');
+    }
+    const spaceId = c.req.header('X-Takos-Space-Id');
+    if (spaceId && session.spaceId !== spaceId) {
+      return forbidden(c, 'Session does not belong to workspace');
+    }
+    session.lastAccessedAt = Date.now();
+
+    const { apiPath, apiQuery } = getProxyPathAndQuery(c);
+    if (!apiPath) {
+      return badRequest(c, 'API path required');
+    }
+    if (apiPath.includes('..') || apiPath.includes('//')) {
+      return badRequest(c, 'Invalid API path');
+    }
+
+    if (!ALLOWED_PATHS.some(pattern => pattern.test(apiPath))) {
+      return forbidden(c, `Path not allowed: ${apiPath}`);
+    }
+
+    const proxyToken = session.proxyToken;
+    if (!PROXY_BASE_URL || !proxyToken) {
+      return internalError(c, 'PROXY_BASE_URL or proxy token not configured');
+    }
+
+    const headers: Record<string, string> = {
+      'Content-Type': c.req.header('content-type') || 'application/json',
+      'X-Takos-Session-Id': sessionId,
+      'Authorization': `Bearer ${proxyToken}`,
+    };
+
+    const fetchOptions: RequestInit = {
+      method: c.req.method,
+      headers,
+    };
+
+    if (c.req.method !== 'GET' && c.req.method !== 'HEAD') {
+      const body = await c.req.json();
+      fetchOptions.body = JSON.stringify(body);
+    }
+
+    const baseUrl = PROXY_BASE_URL.endsWith('/') ? PROXY_BASE_URL.slice(0, -1) : PROXY_BASE_URL;
+    const targetUrl = new URL(`/forward/cli-proxy${apiPath}`, baseUrl);
+    if (apiQuery) {
+      targetUrl.search = `?${apiQuery}`;
+    }
+    const response = await fetch(targetUrl.toString(), fetchOptions);
+    const text = await response.text();
+    try {
+      const data = JSON.parse(text);
+      return c.json(data, response.status as ContentfulStatusCode);
+    } catch {
+      return c.text(text, response.status as ContentfulStatusCode);
+    }
+  } catch (err) {
+    c.get('log')?.error('CLI proxy error', { error: err });
+    return internalError(c, 'Failed to proxy request');
+  }
+});
+
+export default app;