whale-code 6.4.0 → 6.5.0

package/dist/server/handlers/meta-ads.js

@@ -26,6 +26,7 @@
  * - Video URLs uploaded to Meta during publish → video_id
  * - Image URLs uploaded to Meta during publish → image_hash
  */
+import { queueSpan, auditRowToSpan } from "../lib/clickhouse-buffer.js";
 // ============================================================================
 // CONSTANTS
 // ============================================================================
@@ -1641,8 +1642,8 @@ export async function handleMetaAds(sb, args, storeId) {
                         break;
                     default: return { success: false, error: `Invalid type: ${type}` };
                 }
-                // Audit trail (fire-and-forget)
-                sb.from("audit_logs").insert({
+                // Telemetry → ClickHouse (fire-and-forget)
+                queueSpan(auditRowToSpan({
                     store_id: storeId,
                     action: `meta_publish_${type}`,
                     resource_type: `meta_${type === "ad_set" ? "ad_set" : type}`,
@@ -1650,7 +1651,9 @@ export async function handleMetaAds(sb, args, storeId) {
                     details: result,
                     source: "agent_chat",
                     severity: "info",
-                }).then(() => { });
+                    service_name: "agent-server", span_kind: "INTERNAL", status_code: "OK",
+                    start_time: new Date().toISOString(), end_time: new Date().toISOString(),
+                }));
                 return { success: true, data: result };
             }
             // ==================================================================

package/dist/server/handlers/nodes.d.ts

@@ -23,6 +23,8 @@ export type AgentInvoker = (supabase: SupabaseClient, agentId: string, message:
 }>;
 /** Set the agent invoker — called once from index.ts to break circular dependency */
 export declare function setNodeAgentInvoker(invoker: AgentInvoker): void;
+/** Clear the node auth cache (for tests). */
+export declare function clearNodeAuthCache(): void;
 export declare function handleNodeRoutes(pathname: string, method: string, body: Record<string, unknown> | null, supabase: SupabaseClient, auth: {
     userId?: string;
     isServiceRole: boolean;

package/dist/server/handlers/nodes.js

@@ -2,6 +2,7 @@
 // Auth: User JWT for management, Node API key for node operations
 import { createHash, randomBytes, randomUUID } from "node:crypto";
 import { checkPlanLimits, incrementUsage } from "./billing.js";
+import { queueSpan, auditRowToSpan } from "../lib/clickhouse-buffer.js";
 let agentInvoker = null;
 /** Set the agent invoker — called once from index.ts to break circular dependency */
 export function setNodeAgentInvoker(invoker) {
@@ -16,17 +17,99 @@ function hashApiKey(key) {
 function generateNodeApiKey() {
     return randomBytes(32).toString("hex");
 }
-/** Authenticate a node by API key, returns node row or null */
+// 5-minute in-memory cache for node auth (survives transient Supabase 525s)
+const NODE_AUTH_CACHE_TTL = 5 * 60 * 1000;
+const nodeAuthCache = new Map();
+/** Clear the node auth cache (for tests). */
+export function clearNodeAuthCache() {
+    nodeAuthCache.clear();
+}
+/** Authenticate a node by API key, returns node row or null.
+ *  Retries once on transient error, falls back to cache if both fail. */
 async function authenticateNode(supabase, apiKey) {
     const hash = hashApiKey(apiKey);
-    const { data } = await supabase
-        .from("nodes")
-        .select("id, store_id, name")
-        .eq("api_key_hash", hash)
+    // Attempt DB query with one retry on transient errors
+    for (let attempt = 0; attempt < 2; attempt++) {
+        try {
+            const { data, error } = await supabase
+                .from("nodes")
+                .select("id, store_id, name")
+                .eq("api_key_hash", hash)
+                .single();
+            if (data) {
+                // Success — update cache and return
+                nodeAuthCache.set(hash, { node: data, cachedAt: Date.now() });
+                return data;
+            }
+            // Non-transient error (e.g. row not found) — no retry
+            if (error && !isTransientError(error)) {
+                return null;
+            }
+            // Transient error on first attempt — retry
+            if (attempt === 0 && error) {
+                console.warn(`[node-auth] Transient error (attempt 1): ${error.message}. Retrying...`);
+                continue;
+            }
+            return null;
+        }
+        catch (err) {
+            // Network-level error (fetch failure, timeout)
+            if (attempt === 0) {
+                console.warn(`[node-auth] Network error (attempt 1): ${err.message}. Retrying...`);
+                continue;
+            }
+        }
+    }
+    // Both attempts failed — fall back to cache
+    const cached = nodeAuthCache.get(hash);
+    if (cached && Date.now() - cached.cachedAt < NODE_AUTH_CACHE_TTL) {
+        console.warn(`[node-auth] Using cached auth for node ${cached.node.id} (DB unavailable)`);
+        return cached.node;
+    }
+    return null;
+}
+/** Check if a user (by auth UUID) has access to a store.
+ *  Mirrors the logic in get_user_store_ids():
+ *    1) store_members.auth_user_id = authUserId
+ *    2) stores.owner_user_id = platform_users.id WHERE auth_id = authUserId */
+async function userHasStoreAccess(supabase, authUserId, storeId) {
+    // Check store_members first (direct membership)
+    const { data: membership } = await supabase
+        .from("store_members")
+        .select("id")
+        .eq("auth_user_id", authUserId)
+        .eq("store_id", storeId)
+        .limit(1);
+    if (membership?.length)
+        return true;
+    // Check via platform_users → stores.owner_user_id
+    const { data: platformUser } = await supabase
+        .from("platform_users")
+        .select("id")
+        .eq("auth_id", authUserId)
+        .limit(1)
         .single();
-    return data;
+    if (platformUser) {
+        const { data: ownedStore } = await supabase
+            .from("stores")
+            .select("id")
+            .eq("owner_user_id", platformUser.id)
+            .eq("id", storeId)
+            .limit(1);
+        if (ownedStore?.length)
+            return true;
+    }
+    return false;
 }
-/** Log a node event to both node_events and audit_logs (unified telemetry) */
+/** Check if a Supabase error is transient (network, 5xx, Cloudflare) */
+function isTransientError(error) {
+    const msg = error.message || "";
+    return msg.includes("525") || msg.includes("502") || msg.includes("503")
+        || msg.includes("504") || msg.includes("520") || msg.includes("522")
+        || msg.includes("524") || msg.includes("timeout") || msg.includes("ECONNRESET")
+        || msg.includes("fetch failed");
+}
+/** Log a node event to node_events */
 async function logNodeEvent(supabase, storeId, nodeId, eventType, details = {}) {
     // node_events — existing table for node lifecycle
     await supabase.from("node_events").insert({
@@ -35,10 +118,10 @@ async function logNodeEvent(supabase, storeId, nodeId, eventType, details = {})
         event_type: eventType,
         details,
     });
-    // audit_logs — unified telemetry (same schema as tool/chat spans)
+    // Telemetry → ClickHouse
     try {
         const now = new Date();
-        const auditRow = {
+        queueSpan(auditRowToSpan({
             action: `node.${eventType}`,
             severity: "info",
             store_id: storeId,
@@ -53,16 +136,10 @@ async function logNodeEvent(supabase, storeId, nodeId, eventType, details = {})
             start_time: now.toISOString(),
             end_time: now.toISOString(),
             details: { ...details, node_id: nodeId, event_type: eventType },
-        };
-        const { error } = await supabase.from("audit_logs").insert(auditRow);
-        // Retry without store_id on FK constraint
-        if (error?.message?.includes("store_id")) {
-            auditRow.store_id = null;
-            await supabase.from("audit_logs").insert(auditRow);
-        }
+        }));
     }
     catch {
-        // Audit must never break node operations
+        // Telemetry must never break node operations
     }
 }
 /** Resolve or create a conversation for a sender on a channel.
@@ -148,12 +225,8 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
         }
         // Verify user has access to this store
         if (auth.userId) {
-            const { data: stores } = await supabase
-                .from("user_stores")
-                .select("store_id")
-                .eq("user_id", auth.userId)
-                .eq("store_id", reg.store_id);
-            if (!stores?.length) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, reg.store_id);
+            if (!hasAccess) {
                 return { status: 403, body: { error: "No access to this store" } };
             }
         }
@@ -183,6 +256,7 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
             capabilities: reg.capabilities || [],
             hardware: reg.hardware || {},
             version: reg.version || "1.0.0",
+            config: reg.config || {},
             status: "offline",
         })
             .select("id, name, store_id, status, created_at")
@@ -234,9 +308,32 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
                     .eq("type", ch.type);
             }
         }
+        // Fetch pending commands for this node
+        let pendingCommands = [];
+        try {
+            const { data: cmds } = await supabase
+                .from("node_commands")
+                .select("id, command, payload")
+                .eq("node_id", node.id)
+                .eq("status", "pending")
+                .order("created_at", { ascending: true })
+                .limit(10);
+            if (cmds?.length) {
+                pendingCommands = cmds;
+                // Mark them as acknowledged
+                const cmdIds = cmds.map((c) => c.id);
+                await supabase
+                    .from("node_commands")
+                    .update({ status: "acknowledged", acknowledged_at: new Date().toISOString() })
+                    .in("id", cmdIds);
+            }
+        }
+        catch {
+            // Command delivery is best-effort
+        }
         return {
             status: 200,
-            body: { success: true, node_id: node.id },
+            body: { success: true, node_id: node.id, commands: pendingCommands },
         };
     }
     // ── GET|POST /nodes ────────────────────────────────────────────
@@ -247,6 +344,16 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
         if (!storeId) {
             return { status: 400, body: { error: "store_id required" } };
         }
+        // Verify user has access to the requested store
+        if (auth.userId) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, storeId);
+            if (!hasAccess) {
+                return { status: 403, body: { error: "Not authorized to access this store's nodes" } };
+            }
+        }
+        else if (!auth.isServiceRole) {
+            return { status: 401, body: { error: "Authentication required" } };
+        }
         const { data: nodes, error } = await supabase
             .from("nodes")
             .select("id, name, status, hardware, capabilities, version, ip_address, last_heartbeat, created_at")
@@ -270,6 +377,152 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
         }));
         return { status: 200, body: { success: true, nodes: result } };
     }
+    // ── PATCH /nodes/:id ──────────────────────────────────────────
+    // User auth. Update node name, capabilities, config.
+    const patchNodeMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)$/);
+    if (patchNodeMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
+        const nodeId = patchNodeMatch[1];
+        if (!auth.userId && !auth.isServiceRole) {
+            return { status: 401, body: { error: "User authentication required" } };
+        }
+        // Verify ownership
+        const { data: nodeRow } = await supabase
+            .from("nodes")
+            .select("id, store_id, name")
+            .eq("id", nodeId)
+            .single();
+        if (!nodeRow) {
+            return { status: 404, body: { error: "Node not found" } };
+        }
+        if (auth.userId) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, nodeRow.store_id);
+            if (!hasAccess) {
+                return { status: 403, body: { error: "No access to this node" } };
+            }
+        }
+        const nodeUpdates = { updated_at: new Date().toISOString() };
+        if (body.name !== undefined)
+            nodeUpdates.name = body.name;
+        if (body.capabilities !== undefined)
+            nodeUpdates.capabilities = body.capabilities;
+        if (body.config !== undefined)
+            nodeUpdates.config = body.config;
+        const { data: updated, error: updateErr } = await supabase
+            .from("nodes")
+            .update(nodeUpdates)
+            .eq("id", nodeId)
+            .select("id, name, status, capabilities, config, version, hardware, last_heartbeat, updated_at")
+            .single();
+        if (updateErr) {
+            return { status: 500, body: { error: updateErr.message } };
+        }
+        return { status: 200, body: { success: true, node: updated } };
+    }
+    // ── POST /nodes/:id/commands ────────────────────────────────
+    // User auth. Queue a command for a node.
+    const commandMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/commands$/);
+    if (commandMatch && method === "POST") {
+        const nodeId = commandMatch[1];
+        if (!auth.userId && !auth.isServiceRole) {
+            return { status: 401, body: { error: "User authentication required" } };
+        }
+        if (!body)
+            return { status: 400, body: { error: "Request body required" } };
+        const command = body.command;
+        const payload = body.payload || {};
+        if (!command) {
+            return { status: 400, body: { error: "command is required" } };
+        }
+        const validCommands = ["restart", "shutdown", "rotate_key", "pause_all_channels", "resume_all_channels", "update"];
+        if (!validCommands.includes(command)) {
+            return { status: 400, body: { error: `Invalid command. Valid: ${validCommands.join(", ")}` } };
+        }
+        // Verify node exists and get store_id
+        const { data: targetNode } = await supabase
+            .from("nodes")
+            .select("id, store_id")
+            .eq("id", nodeId)
+            .single();
+        if (!targetNode) {
+            return { status: 404, body: { error: "Node not found" } };
+        }
+        if (auth.userId) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, targetNode.store_id);
+            if (!hasAccess) {
+                return { status: 403, body: { error: "No access to this node" } };
+            }
+        }
+        const { data: cmd, error: cmdErr } = await supabase
+            .from("node_commands")
+            .insert({
+            node_id: nodeId,
+            store_id: targetNode.store_id,
+            command,
+            payload,
+            status: "pending",
+        })
+            .select("id, command, status, created_at")
+            .single();
+        if (cmdErr) {
+            return { status: 500, body: { error: cmdErr.message } };
+        }
+        await logNodeEvent(supabase, targetNode.store_id, nodeId, "command_queued", {
+            command,
+            command_id: cmd.id,
+            queued_by: auth.userId,
+        });
+        return { status: 201, body: { success: true, command: cmd } };
+    }
+    // ── POST /nodes/:id/rotate-key ─────────────────────────────
+    // User auth. Generate a new API key for a node.
+    const rotateMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)\/rotate-key$/);
+    if (rotateMatch && method === "POST") {
+        const nodeId = rotateMatch[1];
+        if (!auth.userId && !auth.isServiceRole) {
+            return { status: 401, body: { error: "User authentication required" } };
+        }
+        // Verify ownership
+        const { data: rotateNode } = await supabase
+            .from("nodes")
+            .select("id, store_id, name")
+            .eq("id", nodeId)
+            .single();
+        if (!rotateNode) {
+            return { status: 404, body: { error: "Node not found" } };
+        }
+        if (auth.userId) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, rotateNode.store_id);
+            if (!hasAccess) {
+                return { status: 403, body: { error: "No access to this node" } };
+            }
+        }
+        const newApiKey = generateNodeApiKey();
+        const newHash = hashApiKey(newApiKey);
+        const { error: rotateErr } = await supabase
+            .from("nodes")
+            .update({ api_key_hash: newHash, updated_at: new Date().toISOString() })
+            .eq("id", nodeId);
+        if (rotateErr) {
+            return { status: 500, body: { error: rotateErr.message } };
+        }
+        // Invalidate auth cache for old hash
+        for (const [hash, cached] of nodeAuthCache) {
+            if (cached.node.id === nodeId) {
+                nodeAuthCache.delete(hash);
+            }
+        }
+        await logNodeEvent(supabase, rotateNode.store_id, nodeId, "key_rotated", {
+            rotated_by: auth.userId,
+        });
+        return {
+            status: 200,
+            body: {
+                success: true,
+                api_key: newApiKey,
+                message: "Save your new API key — it cannot be retrieved later. The old key is now invalid.",
+            },
+        };
+    }
     // ── DELETE /nodes/:id ─────────────────────────────────────────
     // User auth. Deletes a node and all its channels.
     const deleteMatch = pathname.match(/^\/nodes\/([a-f0-9-]+)$/);
@@ -285,12 +538,8 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
             return { status: 404, body: { error: "Node not found" } };
         }
         if (auth.userId) {
-            const { data: stores } = await supabase
-                .from("user_stores")
-                .select("store_id")
-                .eq("user_id", auth.userId)
-                .eq("store_id", node.store_id);
-            if (!stores?.length) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, node.store_id);
+            if (!hasAccess) {
                 return { status: 403, body: { error: "No access to this node" } };
             }
         }
@@ -368,6 +617,16 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
         if (!storeId) {
             return { status: 400, body: { error: "store_id required" } };
         }
+        // Verify user has access to the requested store
+        if (auth.userId) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, storeId);
+            if (!hasAccess) {
+                return { status: 403, body: { error: "Not authorized to access this store's channels" } };
+            }
+        }
+        else if (!auth.isServiceRole) {
+            return { status: 401, body: { error: "Authentication required" } };
+        }
         const { data: channels, error } = await supabase
             .from("channels")
             .select(`
@@ -387,6 +646,25 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
     const channelPatchMatch = pathname.match(/^\/channels\/([a-f0-9-]+)$/);
     if (channelPatchMatch && (method === "PUT" || method === "POST") && body?._method === "PATCH") {
         const channelId = channelPatchMatch[1];
+        // Fetch the channel first to verify ownership
+        const { data: existingChannel } = await supabase
+            .from("channels")
+            .select("id, store_id")
+            .eq("id", channelId)
+            .single();
+        if (!existingChannel) {
+            return { status: 404, body: { error: "Channel not found" } };
+        }
+        // Verify the user has access to this channel's store
+        if (auth.userId) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, existingChannel.store_id);
+            if (!hasAccess) {
+                return { status: 403, body: { error: "Not authorized to modify this channel" } };
+            }
+        }
+        else if (!auth.isServiceRole) {
+            return { status: 401, body: { error: "Authentication required" } };
+        }
         const updates = {};
         if (body.agent_id !== undefined)
             updates.agent_id = body.agent_id;
@@ -488,11 +766,11 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
         catch {
             // Stats function may not exist yet — that's fine
         }
-        // Audit log for inbound message (unified telemetry)
+        // Telemetry → ClickHouse for inbound message
         if (direction === "inbound") {
             try {
-                const auditRow = {
-                    action: `node.message.inbound`,
+                queueSpan(auditRowToSpan({
+                    action: "node.message.inbound",
                     severity: "info",
                     store_id: channel.store_id,
                     resource_type: "whale_node",
@@ -513,15 +791,10 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
                         node_id: node?.id || null,
                         has_agent: !!channel.agent_id,
                     },
-                };
-                const { error: auditErr } = await supabase.from("audit_logs").insert(auditRow);
-                if (auditErr?.message?.includes("store_id")) {
-                    auditRow.store_id = null;
-                    await supabase.from("audit_logs").insert(auditRow);
-                }
+                }));
             }
             catch {
-                // Audit must never break message flow
+                // Telemetry must never break message flow
             }
         }
         // Track message usage (best-effort, non-blocking)
@@ -683,6 +956,24 @@ export async function handleNodeRoutes(pathname, method, body, supabase, auth, q
     if (eventsMatch && method === "GET") {
         const nodeId = eventsMatch[1];
         const limit = body?.limit || 50;
+        // Verify user has access to this node's store
+        const { data: node } = await supabase
+            .from("nodes")
+            .select("store_id")
+            .eq("id", nodeId)
+            .single();
+        if (!node) {
+            return { status: 404, body: { error: "Node not found" } };
+        }
+        if (auth.userId) {
+            const hasAccess = await userHasStoreAccess(supabase, auth.userId, node.store_id);
+            if (!hasAccess) {
+                return { status: 403, body: { error: "Not authorized to view this node's events" } };
+            }
+        }
+        else if (!auth.isServiceRole) {
+            return { status: 401, body: { error: "Authentication required" } };
+        }
         const { data: events, error } = await supabase
             .from("node_events")
             .select("id, event_type, details, created_at")

package/dist/server/handlers/operations.d.ts

@@ -99,17 +99,16 @@ export declare function handleAuditTrail(sb: SupabaseClient, args: Record<string
     success: boolean;
     data: {
         query: string;
-        entries: {
+        entries: (Record<string, unknown> | {
             id: any;
             action: any;
             severity: any;
             source: any;
             resource_type: any;
             resource_id: any;
-            user_email: any;
             details: any;
             created_at: any;
-        }[];
+        })[];
         count: number;
         days: number;
         summary?: undefined;
@@ -118,7 +117,7 @@ export declare function handleAuditTrail(sb: SupabaseClient, args: Record<string
 } | {
     success: boolean;
     data: {
-        entries: {
+        entries: (Record<string, unknown> | {
             id: any;
             action: any;
             severity: any;
@@ -126,9 +125,8 @@ export declare function handleAuditTrail(sb: SupabaseClient, args: Record<string
             resource_type: any;
             resource_id: any;
             details: any;
-            user_email: any;
             created_at: any;
-        }[];
+        })[];
         summary: Record<string, number>;
         days: number;
         count: number;