work-agent 0.1.0

package/app/api/tickets/[id]/approve/route.ts

@@ -0,0 +1,129 @@
+/**
+ * 审批 API - POST
+ *
+ * 安全措施：审批操作只能通过前端界面进行，不允许通过 API 自动调用。
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { approveTicket, rejectTicket, submitTicket, resubmitTicket } from '@/lib/workflow';
+import { getTicket } from '@/lib/db';
+import { createAuditLog } from '@/lib/db';
+
+type RouteContext = {
+	params: Promise<{ id: string }>;
+};
+
+/**
+ * 检查请求是否来自浏览器（而非程序化调用如 curl）
+ */
+function isBrowserRequest(request: NextRequest): boolean {
+	const userAgent = request.headers.get('user-agent') || '';
+
+	// 检查是否是常见的程序化调用工具
+	const automatedAgents = ['curl', 'wget', 'python', 'node', 'axios', 'fetch', 'httpie'];
+	const isAutomated = automatedAgents.some(agent =>
+		userAgent.toLowerCase().includes(agent)
+	);
+
+	// 如果是程序化调用，返回 false
+	if (isAutomated) {
+		return false;
+	}
+
+	// 检查是否有 Origin 或 Referer header（浏览器请求通常会有）
+	const origin = request.headers.get('origin');
+	const referer = request.headers.get('referer');
+
+	// 如果有 Origin 或 Referer，认为是浏览器请求
+	return !!(origin || referer);
+}
+
+/**
+ * POST /api/tickets/[id]/approve - 处理审批操作
+ */
+export async function POST(request: NextRequest, context: RouteContext) {
+	try {
+		const { id } = await context.params;
+		const body = await request.json();
+		const { action, approver, comment } = body;
+
+		// 安全检查：审批操作必须来自浏览器
+		if (action === 'approve' || action === 'reject') {
+			if (!isBrowserRequest(request)) {
+				console.warn(`[approve] Blocked automated approval request for ticket ${id}. User-Agent: ${request.headers.get('user-agent')}`);
+
+				// 记录审计日志
+				await createAuditLog({
+					action: 'blocked_automated_approval',
+					userId: approver || 'unknown',
+					ticketId: id,
+					details: {
+						action,
+						userAgent: request.headers.get('user-agent'),
+						reason: 'Approval must be done through the web interface'
+					},
+					status: 'failure',
+				});
+
+				return NextResponse.json(
+					{
+						error: '审批操作必须通过网页界面进行',
+						message: '出于安全考虑，审批和拒绝操作不能通过 API 自动调用。请在工单管理界面进行审批。'
+					},
+					{ status: 403 },
+				);
+			}
+		}
+
+		if (!approver) {
+			return NextResponse.json(
+				{ error: '缺少必填字段: approver' },
+				{ status: 400 },
+			);
+		}
+
+		const ticket = await getTicket(id);
+		if (!ticket) {
+			return NextResponse.json(
+				{ error: '工单不存在' },
+				{ status: 404 },
+			);
+		}
+
+		let result;
+		switch (action) {
+			case 'submit':
+				result = await submitTicket(id, approver);
+				break;
+			case 'approve':
+				result = await approveTicket(id, approver, comment);
+				break;
+			case 'reject':
+				result = await rejectTicket(id, approver, comment);
+				break;
+			case 'resubmit':
+				result = await resubmitTicket(id, approver);
+				break;
+			default:
+				return NextResponse.json(
+					{ error: `无效的操作: ${action}。必须是: submit, approve, reject, resubmit` },
+					{ status: 400 },
+				);
+		}
+
+		await createAuditLog({
+			action: `ticket_${action}`,
+			userId: approver,
+			ticketId: id,
+			details: { comment },
+			status: 'success',
+		});
+
+		return NextResponse.json({ ticket: result });
+	} catch (error) {
+		return NextResponse.json(
+			{ error: error instanceof Error ? error.message : '处理审批失败' },
+			{ status: 500 },
+		);
+	}
+}

package/app/api/tickets/[id]/execute/route.ts

@@ -0,0 +1,201 @@
+/**
+ * 工单执行 API - POST /api/tickets/[id]/execute
+ *
+ * 执行已审批的工单中的命令。
+ *
+ * 安全措施：
+ * 1. 只能执行特定工单，不能传入任意命令
+ * 2. 工单必须是已审批状态
+ * 3. 请求必须来自浏览器（阻止 curl 等自动化工具）
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getTicket, updateTicket, createAuditLog } from '@/lib/db';
+import { startExecution, failExecution } from '@/lib/workflow';
+import { processCommand } from '@/lib/skill-engine';
+
+type RouteContext = {
+	params: Promise<{ id: string }>;
+};
+
+/**
+ * 检查请求是否来自浏览器（而非程序化调用如 curl）
+ */
+function isBrowserRequest(request: NextRequest): boolean {
+	const userAgent = request.headers.get('user-agent') || '';
+
+	// 检查是否是常见的程序化调用工具
+	const automatedAgents = ['curl', 'wget', 'python', 'node', 'axios', 'httpie'];
+	const isAutomated = automatedAgents.some(agent =>
+		userAgent.toLowerCase().includes(agent)
+	);
+
+	if (isAutomated) {
+		return false;
+	}
+
+	// 检查是否有 Origin 或 Referer header（浏览器请求通常会有）
+	const origin = request.headers.get('origin');
+	const referer = request.headers.get('referer');
+
+	return !!(origin || referer);
+}
+
+/**
+ * POST /api/tickets/[id]/execute - 执行已审批的工单
+ */
+export async function POST(request: NextRequest, context: RouteContext) {
+	try {
+		const { id } = await context.params;
+		const body = await request.json();
+		const { userId = 'user' } = body;
+
+		// 安全检查：执行请求必须来自浏览器
+		if (!isBrowserRequest(request)) {
+			console.warn(`[execute] Blocked automated execution request for ticket ${id}. User-Agent: ${request.headers.get('user-agent')}`);
+
+			await createAuditLog({
+				action: 'blocked_automated_execution',
+				userId,
+				ticketId: id,
+				details: {
+					userAgent: request.headers.get('user-agent'),
+					reason: 'Execution must be done through the web interface'
+				},
+				status: 'failure',
+			});
+
+			return NextResponse.json(
+				{
+					error: '执行操作必须通过网页界面进行',
+					message: '出于安全考虑，执行已审批的工单不能通过 API 自动调用。请在工单管理界面进行执行。'
+				},
+				{ status: 403 },
+			);
+		}
+
+		// 获取工单
+		const ticket = await getTicket(id);
+		if (!ticket) {
+			return NextResponse.json(
+				{ error: '工单不存在' },
+				{ status: 404 },
+			);
+		}
+
+		// 检查工单状态
+		if (ticket.status !== 'approved') {
+			return NextResponse.json(
+				{
+					error: '工单必须已批准才能执行',
+					message: `工单状态为 ${ticket.status}，必须是已批准状态才能执行。`
+				},
+				{ status: 400 },
+			);
+		}
+
+		// 检查工单是否有命令
+		if (!ticket.command && !ticket.scriptContent) {
+			return NextResponse.json(
+				{ error: '工单缺少命令或脚本内容' },
+				{ status: 400 },
+			);
+		}
+
+		// 开始执行
+		await startExecution(id, userId);
+
+		try {
+			// 执行命令（forceExecute: true 因为工单已经审批通过）
+			const result = await processCommand({
+				command: ticket.command || ticket.scriptContent || '',
+				skillName: ticket.skillName,
+				userId,
+				sessionId: ticket.aiSessionId,
+				forceExecute: true,
+			});
+
+			if (result.result?.success) {
+				// 执行成功
+				const updatedTicket = await updateTicket(id, {
+					status: 'completed',
+					output: result.result.output,
+				});
+
+				await createAuditLog({
+					action: 'ticket_executed',
+					userId,
+					ticketId: id,
+					sessionId: ticket.aiSessionId || undefined,
+					details: {
+						command: ticket.command,
+						skillName: ticket.skillName,
+						riskLevel: ticket.riskLevel,
+						output: result.result.output,
+						executionTime: result.result.executionTime,
+					},
+					status: 'success',
+				});
+
+				return NextResponse.json({
+					success: true,
+					status: 'completed',
+					output: result.result.output,
+					executionTime: result.result.executionTime,
+					ticket: updatedTicket,
+				});
+			} else {
+				// 执行失败
+				const updatedTicket = await failExecution(id, userId, result.result?.error);
+
+				await createAuditLog({
+					action: 'ticket_execution_failed',
+					userId,
+					ticketId: id,
+					sessionId: ticket.aiSessionId || undefined,
+					details: {
+						command: ticket.command,
+						skillName: ticket.skillName,
+						error: result.result?.error,
+					},
+					status: 'failure',
+				});
+
+				return NextResponse.json({
+					success: false,
+					status: 'failed',
+					error: result.result?.error,
+					ticket: updatedTicket,
+				}, { status: 500 });
+			}
+		} catch (execError) {
+			// 执行过程中发生异常
+			const updatedTicket = await failExecution(id, userId, execError instanceof Error ? execError.message : '执行异常');
+
+			await createAuditLog({
+				action: 'ticket_execution_error',
+				userId,
+				ticketId: id,
+				sessionId: ticket.aiSessionId || undefined,
+				details: {
+					command: ticket.command,
+					error: execError instanceof Error ? execError.message : '执行异常',
+				},
+				status: 'failure',
+			});
+
+			return NextResponse.json({
+				success: false,
+				status: 'failed',
+				error: execError instanceof Error ? execError.message : '执行异常',
+				ticket: updatedTicket,
+			}, { status: 500 });
+		}
+	} catch (error) {
+		console.error('[execute] Error:', error);
+		return NextResponse.json(
+			{ error: error instanceof Error ? error.message : '执行失败' },
+			{ status: 500 },
+		);
+	}
+}

package/app/api/tickets/[id]/route.ts

@@ -0,0 +1,127 @@
+/**
+ * 工单详情 API - GET, PUT, DELETE
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getTicket, updateTicket, deleteTicket } from '@/lib/db';
+import { canTransition } from '@/lib/workflow';
+import { createAuditLog } from '@/lib/db';
+
+type RouteContext = {
+	params: Promise<{ id: string }>;
+};
+
+/**
+ * GET /api/tickets/[id] - 获取工单详情
+ */
+export async function GET(request: NextRequest, context: RouteContext) {
+	try {
+		const { id } = await context.params;
+		const ticket = await getTicket(id);
+
+		if (!ticket) {
+			return NextResponse.json(
+				{ error: '工单不存在' },
+				{ status: 404 },
+			);
+		}
+
+		return NextResponse.json({ ticket });
+	} catch (error) {
+		return NextResponse.json(
+			{ error: error instanceof Error ? error.message : '获取工单失败' },
+			{ status: 500 },
+		);
+	}
+}
+
+/**
+ * PUT /api/tickets/[id] - 更新工单
+ */
+export async function PUT(request: NextRequest, context: RouteContext) {
+	try {
+		const { id } = await context.params;
+		const ticket = await getTicket(id);
+
+		if (!ticket) {
+			return NextResponse.json(
+				{ error: '工单不存在' },
+				{ status: 404 },
+			);
+		}
+
+		const body = await request.json();
+		const { status } = body;
+
+		// 如果要更新状态，检查转换是否合法
+		if (status && status !== ticket.status) {
+			if (!canTransition(ticket.status, status)) {
+				return NextResponse.json(
+					{ error: `不能将工单从 ${ticket.status} 转换为 ${status}` },
+					{ status: 400 },
+				);
+			}
+		}
+
+		// 更新工单
+		const updated = await updateTicket(id, body);
+
+		return NextResponse.json({ ticket: updated });
+	} catch (error) {
+		return NextResponse.json(
+			{ error: error instanceof Error ? error.message : '更新工单失败' },
+			{ status: 500 },
+		);
+	}
+}
+
+/**
+ * DELETE /api/tickets/[id] - 删除工单
+ */
+export async function DELETE(request: NextRequest, context: RouteContext) {
+	try {
+		const { id } = await context.params;
+		const ticket = await getTicket(id);
+
+		if (!ticket) {
+			return NextResponse.json(
+				{ error: '工单不存在' },
+				{ status: 404 },
+			);
+		}
+
+		// 只有草稿状态的工单可以删除
+		if (ticket.status !== 'draft') {
+			return NextResponse.json(
+				{ error: '只有草稿状态的工单可以删除' },
+				{ status: 400 },
+			);
+		}
+
+		// 记录审计日志
+		await createAuditLog({
+			action: 'ticket_deleted',
+			userId: 'user',
+			ticketId: id,
+			details: { title: ticket.title },
+			status: 'success',
+		});
+
+		// 删除工单
+		const deleted = await deleteTicket(id);
+
+		if (!deleted) {
+			return NextResponse.json(
+				{ error: '删除工单失败' },
+				{ status: 500 },
+			);
+		}
+
+		return NextResponse.json({ success: true });
+	} catch (error) {
+		return NextResponse.json(
+			{ error: error instanceof Error ? error.message : '删除工单失败' },
+			{ status: 500 },
+		);
+	}
+}

package/app/api/tickets/route.ts

@@ -0,0 +1,103 @@
+/**
+ * 工单 API - GET/POST
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getTickets, createTicket } from '@/lib/db';
+import { createAuditLog } from '@/lib/db';
+import type { TicketType, RiskLevel } from '@/lib/db';
+
+/**
+ * GET /api/tickets - 获取工单列表
+ */
+export async function GET(request: NextRequest) {
+	try {
+		const { searchParams } = new URL(request.url);
+		const filters = {
+			status: searchParams.get('status') ?? undefined,
+			type: searchParams.get('type') as TicketType | undefined,
+			createdBy: searchParams.get('createdBy') ?? undefined,
+			aiSessionId: searchParams.get('aiSessionId') ?? undefined,
+			limit: searchParams.get('limit') ? parseInt(searchParams.get('limit')!) : undefined,
+		};
+
+		const tickets = await getTickets(filters);
+
+		return NextResponse.json({ tickets });
+	} catch (error) {
+		return NextResponse.json(
+			{ error: error instanceof Error ? error.message : '获取工单失败' },
+			{ status: 500 },
+		);
+	}
+}
+
+/**
+ * POST /api/tickets - 创建新工单
+ */
+export async function POST(request: NextRequest) {
+	try {
+		const body = await request.json();
+		const { 
+			type, 
+			title, 
+			description, 
+			priority, 
+			cluster, 
+			command,
+			skillName,
+			scriptContent,
+			riskLevel,
+			createdBy 
+		} = body;
+
+		// 验证必填字段
+		if (!type || !title || !createdBy) {
+			return NextResponse.json(
+				{ error: '缺少必填字段: type, title, createdBy' },
+				{ status: 400 },
+			);
+		}
+
+		// 验证工单类型
+		const validTypes: TicketType[] = ['bash-execute', 'skill-script'];
+		if (!validTypes.includes(type)) {
+			return NextResponse.json(
+				{ error: `无效的操作类型，必须是: ${validTypes.join(', ')}` },
+				{ status: 400 },
+			);
+		}
+
+		// 创建工单
+		const ticket = await createTicket({
+			type,
+			title,
+			description: description ?? '',
+			status: 'draft',
+			priority: (priority as RiskLevel) ?? 'medium',
+			command,
+			commandType: command ? 'kubectl' : undefined,
+			skillName,
+			scriptContent,
+			riskLevel: (riskLevel as RiskLevel) ?? 'medium',
+			approvals: [],
+			createdBy,
+			aiGenerated: false,
+		});
+
+		await createAuditLog({
+			action: 'ticket_created',
+			userId: createdBy,
+			ticketId: ticket.id,
+			details: { ticketId: ticket.id, type, title },
+			status: 'success',
+		});
+
+		return NextResponse.json({ ticket }, { status: 201 });
+	} catch (error) {
+		return NextResponse.json(
+			{ error: error instanceof Error ? error.message : '创建工单失败' },
+			{ status: 500 },
+		);
+	}
+}