npm - teamcopilot - Versions diffs - 0.3.4 → 0.3.5 - Mend

teamcopilot 0.3.4 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/dist/utils/workflow-api-keys.js ADDED Viewed

@@ -0,0 +1,88 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertCanManageWorkflowApiKeys = assertCanManageWorkflowApiKeys;
+exports.listWorkflowApiKeys = listWorkflowApiKeys;
+exports.createWorkflowApiKey = createWorkflowApiKey;
+exports.deleteWorkflowApiKey = deleteWorkflowApiKey;
+const crypto_1 = require("crypto");
+const client_1 = __importDefault(require("../prisma/client"));
+const resource_access_1 = require("./resource-access");
+const workflow_approval_snapshot_1 = require("./workflow-approval-snapshot");
+const workflow_1 = require("./workflow");
+async function assertCanManageWorkflowApiKeys(slug, userId) {
+    await (0, workflow_1.readWorkflowManifestAndEnsurePermissions)(slug);
+    const approvalState = await (0, workflow_approval_snapshot_1.getWorkflowSnapshotApprovalState)(slug);
+    if (!approvalState.is_current_code_approved) {
+        throw {
+            status: 403,
+            message: "Workflow must be approved before managing API keys"
+        };
+    }
+    const access = await (0, resource_access_1.getResourceAccessSummary)("workflow", slug, userId);
+    if (!access.can_edit) {
+        throw {
+            status: 403,
+            message: "You do not have permission to manage API keys for this workflow"
+        };
+    }
+}
+async function ensureWorkflowApiKey(slug, createdByUserId) {
+    const existing = await client_1.default.workflow_api_keys.findFirst({
+        where: { workflow_slug: slug },
+        orderBy: { created_at: "asc" }
+    });
+    if (existing) {
+        return existing;
+    }
+    return await client_1.default.workflow_api_keys.create({
+        data: {
+            workflow_slug: slug,
+            api_key: (0, crypto_1.randomUUID)(),
+            created_by_user_id: createdByUserId,
+            created_at: BigInt(Date.now()),
+        }
+    });
+}
+async function listWorkflowApiKeys(slug, createdByUserId) {
+    await ensureWorkflowApiKey(slug, createdByUserId);
+    return await client_1.default.workflow_api_keys.findMany({
+        where: { workflow_slug: slug },
+        orderBy: { created_at: "asc" }
+    });
+}
+async function createWorkflowApiKey(slug, createdByUserId) {
+    return await client_1.default.workflow_api_keys.create({
+        data: {
+            workflow_slug: slug,
+            api_key: (0, crypto_1.randomUUID)(),
+            created_by_user_id: createdByUserId,
+            created_at: BigInt(Date.now()),
+        }
+    });
+}
+async function deleteWorkflowApiKey(slug, keyId) {
+    const key = await client_1.default.workflow_api_keys.findUnique({
+        where: { id: keyId }
+    });
+    if (!key || key.workflow_slug !== slug) {
+        throw {
+            status: 404,
+            message: "Workflow API key not found"
+        };
+    }
+    const keyCount = await client_1.default.workflow_api_keys.count({
+        where: { workflow_slug: slug }
+    });
+    if (keyCount <= 1) {
+        throw {
+            status: 400,
+            message: "Each workflow must always have at least one API key"
+        };
+    }
+    await client_1.default.workflow_api_keys.delete({
+        where: { id: keyId }
+    });
+}

package/dist/utils/workflow-interruption.js CHANGED Viewed

@@ -8,8 +8,8 @@ exports.markWorkflowSessionAborted = markWorkflowSessionAborted;
 const client_1 = __importDefault(require("../prisma/client"));
 const opencode_client_1 = require("./opencode-client");
 async function isWorkflowSessionInterrupted(sessionId, workspaceDir) {
-    const isManualSession = sessionId.startsWith("manual-");
-    if (isManualSession) {
+    const usesDatabaseAbortMarker = sessionId.startsWith("manual-") || sessionId.startsWith("api-");
+    if (usesDatabaseAbortMarker) {
         const aborted = await client_1.default.workflow_aborted_sessions.findUnique({
             where: { session_id: sessionId }
         });

package/dist/utils/workflow-runner.js CHANGED Viewed

@@ -382,9 +382,16 @@ async function startWorkflowRunViaBackend(options) {
     if (!validation.valid) {
         throw new Error(`Input validation failed: ${JSON.stringify(validation.errors)}`);
     }
-    const secretResolution = await (0, secrets_1.resolveSecretsForUser)(options.authUserId, requiredSecrets);
+    const secretResolutionMode = options.secretResolutionMode;
+    if (secretResolutionMode === "user" && !options.authUserId) {
+        throw new Error("authUserId is required for user secret resolution.");
+    }
+    const secretResolution = secretResolutionMode === "global"
+        ? await (0, secrets_1.resolveGlobalSecrets)(requiredSecrets)
+        : await (0, secrets_1.resolveSecretsForUser)(options.authUserId, requiredSecrets);
     if (secretResolution.missingKeys.length > 0) {
-        throw new Error(`Missing required secrets: ${secretResolution.missingKeys.join(", ")}. Add these keys in your profile secrets before running this workflow.`);
+        const secretLocation = secretResolutionMode === "global" ? "global secrets" : "your profile secrets";
+        throw new Error(`Missing required secrets: ${secretResolution.missingKeys.join(", ")}. Add these keys in ${secretLocation} before running this workflow.`);
     }
     const timeoutSeconds = parseTimeoutSeconds(workflowJson.runtime?.timeout_seconds);
     if (!timeoutSeconds) {
@@ -400,6 +407,8 @@ async function startWorkflowRunViaBackend(options) {
             args: JSON.stringify(options.inputs),
             session_id: options.sessionId,
             message_id: options.messageId,
+            run_source: options.runSource,
+            workflow_api_key_id: options.workflowApiKeyId ?? null,
         }
     });
     const workflowRunsDir = path.join(options.workspaceDir, "workflow-runs");

package/dist/utils/workflow.js CHANGED Viewed

@@ -45,6 +45,9 @@ async function deleteWorkflow(slug) {
     await client_1.default.workflow_runs.deleteMany({
         where: { workflow_slug: slug }
     });
+    await client_1.default.workflow_api_keys.deleteMany({
+        where: { workflow_slug: slug }
+    });
     await client_1.default.resource_metadata.deleteMany({
         where: {
             resource_kind: "workflow",

package/dist/workflow-api.js ADDED Viewed

@@ -0,0 +1,185 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = __importDefault(require("express"));
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const crypto_1 = require("crypto");
+const client_1 = __importDefault(require("./prisma/client"));
+const workflow_1 = require("./utils/workflow");
+const workflow_approval_snapshot_1 = require("./utils/workflow-approval-snapshot");
+const workspace_sync_1 = require("./utils/workspace-sync");
+const workflow_runner_1 = require("./utils/workflow-runner");
+const workflow_interruption_1 = require("./utils/workflow-interruption");
+function sanitizeFilenamePart(value) {
+    return value.replace(/[^a-zA-Z0-9._-]/g, "_");
+}
+function isPathInside(childPath, parentPath) {
+    const parent = path_1.default.resolve(parentPath) + path_1.default.sep;
+    const child = path_1.default.resolve(childPath) + path_1.default.sep;
+    return child.startsWith(parent);
+}
+function workflowApiHandler(handler) {
+    return async (req, res, next) => {
+        try {
+            const authHeader = req.headers.authorization;
+            if (!authHeader) {
+                throw {
+                    status: 401,
+                    message: "Missing authorization header. Please pass the workflow API key as an authorization bearer token."
+                };
+            }
+            const rawToken = authHeader.split(" ")[1];
+            if (!rawToken) {
+                throw {
+                    status: 401,
+                    message: "Missing authorization bearer token"
+                };
+            }
+            const key = await client_1.default.workflow_api_keys.findUnique({
+                where: { api_key: rawToken },
+                select: { id: true, workflow_slug: true, api_key: true }
+            });
+            if (!key) {
+                throw {
+                    status: 401,
+                    message: "Invalid workflow API key"
+                };
+            }
+            const apiReq = req;
+            apiReq.workflowApiKey = key;
+            await handler(apiReq, res);
+        }
+        catch (err) {
+            next(err);
+        }
+    };
+}
+async function assertWorkflowCanRunViaApi(slug) {
+    await (0, workflow_1.readWorkflowManifestAndEnsurePermissions)(slug);
+    const approvalState = await (0, workflow_approval_snapshot_1.getWorkflowSnapshotApprovalState)(slug);
+    if (!approvalState.is_current_code_approved) {
+        throw {
+            status: 403,
+            message: "Workflow is not approved for the current code version"
+        };
+    }
+}
+async function assertApiKeyCanAccessRun(req, runHandle) {
+    const run = await client_1.default.workflow_runs.findUnique({
+        where: { id: runHandle }
+    });
+    if (!run) {
+        throw {
+            status: 404,
+            message: "Workflow run not found"
+        };
+    }
+    if (req.workflowApiKey.workflow_slug !== run.workflow_slug) {
+        throw {
+            status: 403,
+            message: "Workflow API key does not have access to this run"
+        };
+    }
+    return run;
+}
+async function readWorkflowRunLogs(run) {
+    if (!run.session_id || !run.message_id) {
+        return null;
+    }
+    const workspaceDir = (0, workspace_sync_1.getWorkspaceDirFromEnv)();
+    const workflowRunsDir = path_1.default.join(workspaceDir, "workflow-runs");
+    const logPath = path_1.default.join(workflowRunsDir, `${sanitizeFilenamePart(run.session_id)}-${sanitizeFilenamePart(run.message_id)}.txt`);
+    if (!isPathInside(logPath, workflowRunsDir)) {
+        throw {
+            status: 400,
+            message: "Invalid log path"
+        };
+    }
+    try {
+        return await promises_1.default.readFile(logPath, "utf-8");
+    }
+    catch {
+        return null;
+    }
+}
+function parseRunInputs(args) {
+    if (args === null || args === "") {
+        return {};
+    }
+    return JSON.parse(args);
+}
+const workflowApiRouter = express_1.default.Router();
+workflowApiRouter.post("/runs", workflowApiHandler(async (req, res) => {
+    const body = req.body;
+    if (typeof body.workflow_slug !== "string" || body.workflow_slug.trim().length === 0) {
+        throw {
+            status: 400,
+            message: "workflow_slug is required"
+        };
+    }
+    if (body.inputs !== undefined && (!body.inputs || typeof body.inputs !== "object" || Array.isArray(body.inputs))) {
+        throw {
+            status: 400,
+            message: "inputs must be an object"
+        };
+    }
+    const slug = body.workflow_slug;
+    if (req.workflowApiKey.workflow_slug !== slug) {
+        throw {
+            status: 403,
+            message: "Workflow API key does not belong to this workflow"
+        };
+    }
+    await assertWorkflowCanRunViaApi(slug);
+    const startedRun = await (0, workflow_runner_1.startWorkflowRunViaBackend)({
+        workspaceDir: (0, workspace_sync_1.getWorkspaceDirFromEnv)(),
+        slug,
+        inputs: (body.inputs ?? {}),
+        authUserId: null,
+        sessionId: `api-${req.workflowApiKey.id}-${(0, crypto_1.randomUUID)()}`,
+        messageId: `api-message-${(0, crypto_1.randomUUID)()}`,
+        callId: `api-call-${(0, crypto_1.randomUUID)()}`,
+        requirePermissionPrompt: false,
+        secretResolutionMode: "global",
+        runSource: "api",
+        workflowApiKeyId: req.workflowApiKey.id,
+    });
+    void startedRun.completion.catch(() => undefined);
+    res.json({
+        run_handle: startedRun.runId
+    });
+}));
+workflowApiRouter.get("/runs/:runHandle", workflowApiHandler(async (req, res) => {
+    const runHandle = req.params.runHandle;
+    const run = await assertApiKeyCanAccessRun(req, runHandle);
+    const logs = await readWorkflowRunLogs(run);
+    const inputs = parseRunInputs(run.args);
+    res.json({
+        run_handle: run.id,
+        workflow_slug: run.workflow_slug,
+        status: run.status,
+        logs,
+        error_message: run.error_message,
+        started_at: run.started_at,
+        completed_at: run.completed_at,
+        inputs,
+    });
+}));
+workflowApiRouter.post("/runs/:runHandle/stop", workflowApiHandler(async (req, res) => {
+    const runHandle = req.params.runHandle;
+    const run = await assertApiKeyCanAccessRun(req, runHandle);
+    if (run.status === "running") {
+        if (!run.session_id) {
+            throw {
+                status: 404,
+                message: "Workflow run session not found"
+            };
+        }
+        await (0, workflow_interruption_1.markWorkflowSessionAborted)(run.session_id);
+    }
+    res.json({ success: true });
+}));
+exports.default = workflowApiRouter;

package/dist/workflows/index.js CHANGED Viewed

@@ -25,6 +25,8 @@ const resource_file_routes_1 = require("../utils/resource-file-routes");
 const resource_access_1 = require("../utils/resource-access");
 const secrets_1 = require("../utils/secrets");
 const secret_contract_validation_1 = require("../utils/secret-contract-validation");
+const workflow_api_keys_1 = require("../utils/workflow-api-keys");
+const external_host_1 = require("../utils/external-host");
 const router = express_1.default.Router({ mergeParams: true });
 const uploadTmpDir = path_1.default.join(os_1.default.tmpdir(), "teamcopilot-workflow-uploads");
 fs_1.default.mkdirSync(uploadTmpDir, { recursive: true });
@@ -317,6 +319,8 @@ router.post('/:slug/manual-run', (0, index_1.apiHandler)(async (req, res) => {
         messageId: manualMessageId,
         callId: manualCallId,
         requirePermissionPrompt: false,
+        runSource: "user",
+        secretResolutionMode: "user",
     });
     void startedRun.completion.catch(() => undefined);
     res.json({
@@ -356,6 +360,8 @@ router.post('/execute', (0, index_1.apiHandler)(async (req, res) => {
         messageId,
         callId,
         requirePermissionPrompt: true,
+        runSource: "user",
+        secretResolutionMode: "user",
     });
     const executionId = (0, crypto_1.randomUUID)();
     const executionRecord = {
@@ -532,6 +538,35 @@ router.delete('/:slug', (0, index_1.apiHandler)(async (req, res) => {
     await (0, workflow_1.deleteWorkflow)(slug);
     res.json({ success: true });
 }, true));
+// GET /api/workflows/:slug/api-keys - List API keys for an approved workflow
+router.get('/:slug/api-keys', (0, index_1.apiHandler)(async (req, res) => {
+    const slug = req.params.slug;
+    await (0, workflow_api_keys_1.assertCanManageWorkflowApiKeys)(slug, req.userId);
+    const apiKeys = await (0, workflow_api_keys_1.listWorkflowApiKeys)(slug, req.userId);
+    res.locals.skipResponseSanitization = true;
+    res.json({
+        api_base_url: (0, external_host_1.getWorkflowApiBaseUrl)(),
+        api_keys: apiKeys,
+    });
+}, true));
+// POST /api/workflows/:slug/api-keys - Add an API key for an approved workflow
+router.post('/:slug/api-keys', (0, index_1.apiHandler)(async (req, res) => {
+    const slug = req.params.slug;
+    await (0, workflow_api_keys_1.assertCanManageWorkflowApiKeys)(slug, req.userId);
+    const apiKey = await (0, workflow_api_keys_1.createWorkflowApiKey)(slug, req.userId);
+    res.locals.skipResponseSanitization = true;
+    res.json({
+        api_key: apiKey,
+    });
+}, true));
+// DELETE /api/workflows/:slug/api-keys/:keyId - Remove an API key
+router.delete('/:slug/api-keys/:keyId', (0, index_1.apiHandler)(async (req, res) => {
+    const slug = req.params.slug;
+    const keyId = req.params.keyId;
+    await (0, workflow_api_keys_1.assertCanManageWorkflowApiKeys)(slug, req.userId);
+    await (0, workflow_api_keys_1.deleteWorkflowApiKey)(slug, keyId);
+    res.json({ success: true });
+}, true));
 // GET /api/workflows/:slug/approval-diff - Preview current code diff vs approved snapshot
 router.get('/:slug/approval-diff', (0, index_1.apiHandler)(async (req, res) => {
     const slug = req.params.slug;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "teamcopilot",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "A shared AI Agent for Teams",
   "homepage": "https://teamcopilot.ai",
   "repository": {