whale-code 6.4.0

package/dist/server/providers/shared.js

@@ -0,0 +1,124 @@
+/**
+ * Provider Shared Utilities — credential resolution, SSE helpers, error emission.
+ *
+ * Extracted from proxy-handlers.ts. Used by all provider adapters.
+ */
+import { createClient } from "@supabase/supabase-js";
+// ============================================================================
+// JSON + SSE HELPERS
+// ============================================================================
+export function jsonResponse(res, status, data, corsHeaders) {
+    res.writeHead(status, { "Content-Type": "application/json", ...corsHeaders });
+    res.end(JSON.stringify(data));
+}
+export function writeSSEHeaders(res, corsHeaders) {
+    res.writeHead(200, {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        Connection: "keep-alive",
+        "X-Accel-Buffering": "no",
+        ...corsHeaders,
+    });
+    res.flushHeaders();
+}
+/**
+ * Emit an error — as SSE if headers already sent, otherwise as JSON response.
+ * Always emits message_delta + message_stop so clients don't hang.
+ */
+export function emitError(res, err, corsHeaders, sanitize, opts) {
+    const errMsg = err?.message || String(err);
+    const provider = opts?.provider || "proxy";
+    console.error(`[${provider}-proxy] Error:`, errMsg);
+    if (res.headersSent) {
+        res.write(`data: ${JSON.stringify({ type: "error", error: sanitize(err) })}\n\n`);
+        const usage = {
+            input_tokens: opts?.inputTokens || 0,
+            output_tokens: opts?.outputTokens || 0,
+        };
+        if (opts?.thinkingTokens && opts.thinkingTokens > 0)
+            usage.thinking_tokens = opts.thinkingTokens;
+        if (opts?.cacheReadTokens && opts.cacheReadTokens > 0)
+            usage.cache_read_input_tokens = opts.cacheReadTokens;
+        res.write(`data: ${JSON.stringify({
+            type: "message_delta",
+            delta: { stop_reason: "error", stop_sequence: null },
+            usage,
+        })}\n\n`);
+        res.write(`data: ${JSON.stringify({ type: "message_stop" })}\n\n`);
+        res.write("data: [DONE]\n\n");
+    }
+    else {
+        jsonResponse(res, 502, { error: `${provider} error: ${sanitize(err)}` }, corsHeaders);
+    }
+}
+// ============================================================================
+// CREDENTIAL RESOLUTION
+// ============================================================================
+/** Credential cache — keyed by provider+store_id, 5-minute TTL, LRU capped at 50 */
+const providerCredCacheMap = new Map();
+export async function resolveProviderCredentials(provider, storeId) {
+    const cacheKey = `${provider}:${storeId || "__default__"}`;
+    const cached = providerCredCacheMap.get(cacheKey);
+    if (cached && Date.now() - cached.fetchedAt < 300_000) {
+        return cached;
+    }
+    const SUPABASE_URL = process.env.SUPABASE_URL;
+    const SUPABASE_SERVICE_ROLE_KEY = process.env.SUPABASE_SERVICE_ROLE_KEY;
+    const sb = createClient(SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY);
+    const result = { fetchedAt: Date.now() };
+    if (provider === "google") {
+        try {
+            const { data, error } = await sb.rpc("decrypt_secret", { p_name: "GOOGLE_AI_API_KEY", p_store_id: storeId || null });
+            if (error)
+                console.error(`[cred-resolve] Google key lookup failed for store=${storeId}:`, error.message);
+            if (data)
+                result.google = { apiKey: data };
+            else
+                console.error(`[cred-resolve] No Google key found for store=${storeId}`);
+        }
+        catch (err) {
+            console.error(`[cred-resolve] Google key RPC error for store=${storeId}:`, err?.message);
+        }
+    }
+    if (provider === "bedrock") {
+        try {
+            const [akRes, skRes, rgRes] = await Promise.all([
+                sb.rpc("decrypt_secret", { p_name: "AWS_ACCESS_KEY_ID", p_store_id: storeId || null }),
+                sb.rpc("decrypt_secret", { p_name: "AWS_SECRET_ACCESS_KEY", p_store_id: storeId || null }),
+                sb.rpc("decrypt_secret", { p_name: "AWS_REGION", p_store_id: storeId || null }),
+            ]);
+            if (akRes.data && skRes.data) {
+                result.bedrock = {
+                    accessKeyId: akRes.data,
+                    secretAccessKey: skRes.data,
+                    region: rgRes.data || "us-east-1",
+                };
+            }
+        }
+        catch (err) {
+            console.error(`[cred-resolve] Bedrock key RPC error for store=${storeId}:`, err?.message);
+        }
+    }
+    if (provider === "openai") {
+        try {
+            const { data, error } = await sb.rpc("decrypt_secret", { p_name: "OPENAI_API_KEY", p_store_id: storeId || null });
+            if (error)
+                console.error(`[cred-resolve] OpenAI key lookup failed for store=${storeId}:`, error.message);
+            if (data)
+                result.openai = { apiKey: data };
+            else
+                console.error(`[cred-resolve] No OpenAI key found for store=${storeId}`);
+        }
+        catch (err) {
+            console.error(`[cred-resolve] OpenAI key RPC error for store=${storeId}:`, err?.message);
+        }
+    }
+    providerCredCacheMap.set(cacheKey, result);
+    // LRU: cap cache at 50 stores
+    if (providerCredCacheMap.size > 50) {
+        const firstKey = providerCredCacheMap.keys().next().value;
+        if (firstKey)
+            providerCredCacheMap.delete(firstKey);
+    }
+    return result;
+}

package/dist/server/providers/types.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Provider Adapter Pattern — shared types for multi-provider proxy handlers.
+ *
+ * Phase 7.1: Unified ProviderAdapter interface so each provider encapsulates
+ * its own message formatting, streaming normalization, tool schema adaptation,
+ * thinking config, context management, and output token limits.
+ *
+ * Config types (ThinkingConfig, ContextManagementConfig, CompactionConfig) are
+ * defined in shared/agent-core.ts and re-exported here so adapters can import
+ * from a single location without creating shared→server circular dependencies.
+ */
+import type http from "node:http";
+import type { ProviderCapabilities } from "../lib/provider-capabilities.js";
+export type { ThinkingConfig, ContextManagementConfig, CompactionConfig, ToolChoice, } from "../../shared/agent-core.js";
+export type { ProviderCapabilities } from "../lib/provider-capabilities.js";
+export interface NormalizedStreamEvent {
+    type: "text" | "tool_use_start" | "tool_use_delta" | "tool_use_end" | "thinking" | "usage" | "done" | "error";
+    /** Text delta content */
+    text?: string;
+    /** Tool use fields */
+    toolId?: string;
+    toolName?: string;
+    toolInput?: string;
+    /** Usage data */
+    usage?: {
+        inputTokens: number;
+        outputTokens: number;
+        cacheReadTokens: number;
+        cacheCreationTokens: number;
+    };
+    /** Error message */
+    error?: string;
+}
+export interface ProviderStreamConfig {
+    model: string;
+    messages: any[];
+    system: any;
+    tools?: any[];
+    max_tokens: number;
+    temperature?: number;
+    stream?: boolean;
+    betas?: string[];
+    context_management?: any;
+    thinking?: any;
+    tool_choice?: import("../../shared/agent-core.js").ToolChoice;
+    storeId?: string;
+    /** Source documents for Anthropic Citations API — enables cite content blocks in responses */
+    documents?: any[];
+}
+export interface ThinkingConfigResult {
+    thinking: import("../../shared/agent-core.js").ThinkingConfig;
+    beta: string;
+}
+export interface ProviderAdapter {
+    /** Provider identifier: "anthropic" | "bedrock" | "gemini" | "openai" */
+    name: string;
+    /**
+     * Handle streaming (or non-streaming) proxy request.
+     * Writes SSE events to res, converting from native provider format
+     * to Anthropic-compatible SSE where applicable.
+     */
+    handleStream(res: http.ServerResponse, config: ProviderStreamConfig, corsHeaders: Record<string, string>): Promise<void>;
+    /**
+     * Returns thinking configuration for the given model.
+     * Each provider handles thinking differently:
+     * - Anthropic: adaptive/enabled with beta strings
+     * - Gemini: always-on for 2.5+/3.x
+     * - OpenAI: reasoning models have built-in reasoning
+     * - Bedrock: same as Anthropic
+     */
+    getThinkingConfig(model: string, enabled: boolean): ThinkingConfigResult;
+    /**
+     * Returns max output tokens for the given model.
+     * If agentMax is provided, it's capped at the model's maximum.
+     */
+    getMaxOutputTokens(model: string, agentMax?: number): number;
+    /**
+     * Returns context management configuration (betas + edits) for the given model.
+     * Non-Anthropic providers return empty config.
+     */
+    getContextManagement(model: string): import("../../shared/agent-core.js").ContextManagementConfig;
+    /**
+     * Returns compaction configuration for the provider.
+     * Controls when/how context compaction is triggered.
+     */
+    getCompactionConfig(model: string): import("../../shared/agent-core.js").CompactionConfig;
+    /**
+     * Returns the static capability matrix for this provider.
+     * Used for pre-flight checks and capability-aware routing/failover.
+     */
+    getCapabilities(): ProviderCapabilities;
+}

package/dist/server/providers/types.js

@@ -0,0 +1,12 @@
+/**
+ * Provider Adapter Pattern — shared types for multi-provider proxy handlers.
+ *
+ * Phase 7.1: Unified ProviderAdapter interface so each provider encapsulates
+ * its own message formatting, streaming normalization, tool schema adaptation,
+ * thinking config, context management, and output token limits.
+ *
+ * Config types (ThinkingConfig, ContextManagementConfig, CompactionConfig) are
+ * defined in shared/agent-core.ts and re-exported here so adapters can import
+ * from a single location without creating shared→server circular dependencies.
+ */
+export {};

package/dist/server/proxy-handlers.d.ts

@@ -0,0 +1,6 @@
+import type http from "node:http";
+import "./providers/anthropic.js";
+import "./providers/bedrock.js";
+import "./providers/gemini.js";
+import "./providers/openai.js";
+export declare function handleProxy(res: http.ServerResponse, body: any, corsHeaders: Record<string, string>): Promise<void>;

package/dist/server/proxy-handlers.js

@@ -0,0 +1,89 @@
+// server/proxy-handlers.ts — Multi-provider API proxy router
+// Thin dispatcher that delegates to provider adapters via the registry.
+//
+// Phase 7.1: Uses getProviderAdapter() from the registry instead of
+// maintaining its own adapter map. Provider adapters self-register on import.
+import { ALLOWED_MODELS, MODELS, MODEL_MAP, getProvider, isOpenAIReasoningModel } from "../shared/constants.js";
+import { getProviderAdapter } from "./providers/registry.js";
+import { jsonResponse } from "./providers/shared.js";
+import { canProviderHandleRequest, getBestProviderForRequest } from "./lib/provider-capabilities.js";
+// Import adapters to trigger self-registration via registerProvider()
+import "./providers/anthropic.js";
+import "./providers/bedrock.js";
+import "./providers/gemini.js";
+import "./providers/openai.js";
+// ============================================================================
+// MAX TOKEN LIMITS (per provider — used for proxy request clamping)
+// ============================================================================
+const ANTHROPIC_MAX_TOKENS = 128000;
+const GEMINI_MAX_TOKENS = 65536;
+const OPENAI_MAX_TOKENS = 128000;
+const OPENAI_REASONING_MAX_TOKENS = 100000;
+// ============================================================================
+// MAIN PROXY DISPATCHER
+// ============================================================================
+export async function handleProxy(res, body, corsHeaders) {
+    const { messages, system, tools, model: requestedModel = MODELS.SONNET, max_tokens: requestedMaxTokens = 4096, temperature, stream = true, betas, context_management, thinking, store_id: storeId, tool_choice: rawToolChoice, documents, } = body;
+    if (!messages || !Array.isArray(messages)) {
+        jsonResponse(res, 400, { error: "messages array required" }, corsHeaders);
+        return;
+    }
+    // Resolve aliases (e.g. "whale/agent" → "claude-opus-4-6", "opus" → "claude-opus-4-6")
+    const resolved = MODEL_MAP[requestedModel] || requestedModel;
+    const model = ALLOWED_MODELS.includes(resolved) ? resolved : MODELS.SONNET;
+    let provider = getProvider(model);
+    // Detect request capabilities from message content
+    const requirements = detectRequestCapabilities(messages, { hasCitations: !!documents?.length });
+    // If the selected provider can't handle the request, re-route to a capable one
+    if (!canProviderHandleRequest(provider, requirements)) {
+        const betterProvider = getBestProviderForRequest(requirements);
+        console.log(`[proxy] ${provider} lacks capabilities for this request, re-routing to ${betterProvider}`);
+        provider = betterProvider;
+    }
+    const maxTokensLimit = provider === "gemini" ? GEMINI_MAX_TOKENS
+        : provider === "openai" ? (isOpenAIReasoningModel(model) ? OPENAI_REASONING_MAX_TOKENS : OPENAI_MAX_TOKENS)
+            : ANTHROPIC_MAX_TOKENS;
+    const max_tokens = Math.min(Math.max(1, Number(requestedMaxTokens) || 4096), maxTokensLimit);
+    // Delegate to provider adapter via registry
+    const adapter = getProviderAdapter(provider);
+    // Normalize tool_choice: accept string or object from client
+    const tool_choice = rawToolChoice;
+    await adapter.handleStream(res, {
+        model, messages, system, tools, max_tokens,
+        temperature, stream, betas, context_management, thinking, tool_choice, storeId, documents,
+    }, corsHeaders);
+}
+// ============================================================================
+// REQUEST CAPABILITY DETECTION
+// ============================================================================
+/**
+ * Scan messages to detect what capabilities the request requires.
+ * Looks for image blocks, PDF content types, computer_use tools, etc.
+ */
+function detectRequestCapabilities(messages, hints) {
+    const requirements = {};
+    if (hints?.hasCitations) {
+        requirements.needsCitations = true;
+    }
+    for (const msg of messages) {
+        if (!Array.isArray(msg.content))
+            continue;
+        for (const block of msg.content) {
+            // Image detection: Anthropic image blocks
+            if (block.type === "image" && block.source) {
+                requirements.hasImages = true;
+            }
+            // PDF detection: document blocks with PDF media type
+            if (block.type === "document" ||
+                (block.source?.media_type && block.source.media_type === "application/pdf")) {
+                requirements.hasPdf = true;
+            }
+            // Computer use detection: tool_use with computer_use-related tools
+            if (block.type === "tool_use" &&
+                (block.name === "computer" || block.name === "computer_use")) {
+                requirements.needsComputerUse = true;
+            }
+        }
+    }
+    return requirements;
+}

package/dist/server/tool-router.d.ts

@@ -0,0 +1,149 @@
+/**
+ * Tool Router — unified tool registry, dispatch, and execution.
+ *
+ * SINGLE SOURCE OF TRUTH for all AI systems (MCP server, HTTP agent, workflows, CLI).
+ *
+ * Architecture:
+ * - ai_tool_registry (DB):   tool definitions (name, description, schema) — queried by ALL clients
+ * - TOOL_HANDLERS (code):    name → handler function mapping — the only place handler routing lives
+ * - user_tools (DB):         per-store custom tools — additive, never filtered from built-ins
+ * - getToolsForAgent():      consistent tool set — all registry tools always available
+ * - executeTool():           unified dispatch — handler lookup + timeout + audit logging
+ *
+ * To add a new tool:
+ *   1. Add handler in src/server/handlers/
+ *   2. Import and register in TOOL_HANDLERS below
+ *   3. Add row to ai_tool_registry table (defines schema for all clients)
+ *   That's it — MCP, WhaleChat, workflows, CLI all pick it up automatically.
+ */
+import type { SupabaseClient } from "@supabase/supabase-js";
+export declare function flushAuditLogs(supabase: SupabaseClient): Promise<void>;
+export declare function getToolMetrics(): Record<string, {
+    invocations: number;
+    errors: number;
+    avgMs: number;
+    lastMs: number;
+}>;
+export interface ToolDef {
+    name: string;
+    description: string;
+    input_schema: Record<string, unknown>;
+}
+export interface UserToolRow {
+    id: string;
+    name: string;
+    display_name: string;
+    description: string;
+    input_schema: Record<string, unknown>;
+    execution_type: "rpc" | "http" | "sql";
+    is_read_only: boolean;
+    requires_approval: boolean;
+    http_config: Record<string, unknown> | null;
+    rpc_function: string | null;
+    sql_template: string | null;
+    allowed_tables: string[] | null;
+    max_execution_time_ms: number;
+}
+export interface AgentConfig {
+    id: string;
+    name: string;
+    description: string;
+    system_prompt: string;
+    model: string;
+    max_tokens: number;
+    max_tool_calls: number;
+    temperature: number;
+    enabled_tools: string[];
+    can_query: boolean;
+    can_send: boolean;
+    can_modify: boolean;
+    tone: string;
+    verbosity: string;
+    api_key: string | null;
+    store_id: string | null;
+    context_config: {
+        includeLocations?: boolean;
+        locationIds?: string[];
+        includeCustomers?: boolean;
+        customerSegments?: string[];
+        max_history_chars?: number;
+        max_tool_result_chars?: number;
+        max_message_chars?: number;
+    } | null;
+}
+export interface ToolLoadResult {
+    /** Core tools — always sent to the model (auto_load=true + discover_tools) */
+    core: ToolDef[];
+    /** Extended tools — only name+description sent; full schema loaded on demand */
+    extended: ToolDef[];
+    /** All tools combined (backward compat for callers that don't need the split) */
+    all: ToolDef[];
+}
+/**
+ * Load tools from ai_tool_registry, split into core (auto_load=true) and extended.
+ * The `discover_tools` meta-tool is always injected into core.
+ * Descriptions are truncated to 150 chars at load time.
+ */
+export declare function loadTools(supabase: SupabaseClient, forceRefresh?: boolean): Promise<ToolLoadResult>;
+/**
+ * Get pre-computed API-ready tool definitions. Returns frozen objects keyed by name
+ * so the agent loop can look up defs without re-mapping every turn.
+ * Falls back to building from a ToolDef[] if cache not yet populated.
+ */
+export declare function getCachedToolDefs(tools: ToolDef[]): Array<{
+    name: string;
+    description: string;
+    input_schema: Record<string, unknown>;
+}>;
+export declare function loadUserTools(supabase: SupabaseClient, storeId: string): Promise<{
+    rows: UserToolRow[];
+    defs: ToolDef[];
+}>;
+export declare function getUserToolByPrefixedName(rows: UserToolRow[], prefixedName: string): UserToolRow | undefined;
+export declare function getToolsForAgent(agent: AgentConfig, coreTools: ToolDef[], userToolDefs?: ToolDef[]): ToolDef[];
+export type ToolProgressCallback = (toolName: string, progress: unknown) => void;
+type ToolHandler = (sb: SupabaseClient, args: Record<string, unknown>, storeId?: string, onToolProgress?: (progress: unknown) => void) => Promise<{
+    success: boolean;
+    data?: unknown;
+    error?: string;
+}>;
+interface ToolHandlerEntry {
+    handler: ToolHandler;
+    timeout: number;
+    requiresStore: boolean;
+    supportsProgress?: boolean;
+}
+/**
+ * Every built-in tool MUST be registered here. This map is the single source
+ * of truth for handler routing, timeouts, and store requirements.
+ * Adding a tool to ai_tool_registry without an entry here → "Unknown tool" error.
+ */
+export declare const TOOL_HANDLERS: Record<string, ToolHandlerEntry>;
+/** Get all registered built-in tool names */
+export declare function getRegisteredToolNames(): string[];
+/** Called by index.ts after loadTools() to populate the discover_tools cache.
+ *  Stores full schemas for on-demand loading, plus a lightweight index for the system prompt. */
+export declare function setExtendedToolsCache(tools: ToolDef[]): void;
+/** Get full extended tools with schemas (for discover_tools handler) */
+export declare function getExtendedToolsCache(): ToolDef[];
+/** Get lightweight extended tools index — name + short description only (for system prompt).
+ *  Avoids serializing full schemas into the prompt. */
+export declare function getExtendedToolsIndex(): Array<{
+    name: string;
+    description: string;
+}>;
+/**
+ * Get full tool schemas for specific tool names from the extended tools cache.
+ * Used by the agent loop to inject discovered tool schemas into the active tool set.
+ * Returns only tools that exist in the cache; unknown names are silently skipped.
+ */
+export declare function getFullToolSchemas(toolNames: string[]): ToolDef[];
+export declare function executeTool(supabase: SupabaseClient, toolName: string, args: Record<string, unknown>, storeId?: string, traceId?: string, userId?: string | null, userEmail?: string | null, source?: string, conversationId?: string, userToolRows?: UserToolRow[], agentId?: string, onToolProgress?: ToolProgressCallback, 
+/** Skip per-tool audit when called within a conversation — persistAgentTurn handles it */
+skipAudit?: boolean): Promise<{
+    success: boolean;
+    data?: unknown;
+    error?: string;
+}>;
+export declare function loadAgentConfig(supabase: SupabaseClient, agentId: string, storeId?: string): Promise<AgentConfig | null>;
+export {};