forked from farhoodlabs/paperclip
70679a3321
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies. > - The environment/runtime layer decides where agent work executes and how the control plane reaches those runtimes. > - Today Paperclip can run locally and over SSH, but sandboxed execution needs a first-class environment model instead of one-off adapter behavior. > - We also want sandbox providers to be pluggable so the core does not hardcode every provider implementation. > - This branch adds the Sandbox environment path, the provider contract, and a deterministic fake provider plugin. > - That required synchronized changes across shared contracts, plugin SDK surfaces, server runtime orchestration, and the UI environment/workspace flows. > - The result is that sandbox execution becomes a core control-plane capability while keeping provider implementations extensible and testable. ## What Changed - Added sandbox runtime support to the environment execution path, including runtime URL discovery, sandbox execution targeting, orchestration, and heartbeat integration. - Added plugin-provider support for sandbox environments so providers can be supplied via plugins instead of hardcoded server logic. - Added the fake sandbox provider plugin with deterministic behavior suitable for local and automated testing. - Updated shared types, validators, plugin protocol definitions, and SDK helpers to carry sandbox provider and workspace-runtime contracts across package boundaries. - Updated server routes and services so companies can create sandbox environments, select them for work, and execute work through the sandbox runtime path. - Updated the UI environment and workspace surfaces to expose sandbox environment configuration and selection. - Added test coverage for sandbox runtime behavior, provider seams, environment route guards, orchestration, and the fake provider plugin. ## Verification - Ran locally before the final fixture-only scrub: - `pnpm -r typecheck` - `pnpm test:run` - `pnpm build` - Ran locally after the final scrub amend: - `pnpm vitest run server/src/__tests__/runtime-api.test.ts` - Reviewer spot checks: - create a sandbox environment backed by the fake provider plugin - run work through that environment - confirm sandbox provider execution does not inherit host secrets implicitly ## Risks - This touches shared contracts, plugin SDK plumbing, server runtime orchestration, and UI environment/workspace flows, so regressions would likely show up as cross-layer mismatches rather than isolated type errors. - Runtime URL discovery and sandbox callback selection are sensitive to host/bind configuration; if that logic is wrong, sandbox-backed callbacks may fail even when execution succeeds. - The fake provider plugin is intentionally deterministic and test-oriented; future providers may expose capability gaps that this branch does not yet cover. ## Model Used - OpenAI Codex coding agent on a GPT-5-class backend in the Paperclip/Codex harness. Exact backend model ID is not exposed in-session. Tool-assisted workflow with shell execution, file editing, git history inspection, and local test execution. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge
317 lines
12 KiB
TypeScript
317 lines
12 KiB
TypeScript
import { Router, type Request } from "express";
|
|
import type { Db } from "@paperclipai/db";
|
|
import {
|
|
createRoutineSchema,
|
|
createRoutineTriggerSchema,
|
|
rotateRoutineTriggerSecretSchema,
|
|
runRoutineSchema,
|
|
updateRoutineSchema,
|
|
updateRoutineTriggerSchema,
|
|
} from "@paperclipai/shared";
|
|
import { trackRoutineCreated } from "@paperclipai/shared/telemetry";
|
|
import { validate } from "../middleware/validate.js";
|
|
import { accessService, logActivity, routineService } from "../services/index.js";
|
|
import { assertCompanyAccess, getActorInfo } from "./authz.js";
|
|
import { forbidden, unauthorized } from "../errors.js";
|
|
import { getTelemetryClient } from "../telemetry.js";
|
|
import type { PluginWorkerManager } from "../services/plugin-worker-manager.js";
|
|
|
|
export function routineRoutes(
|
|
db: Db,
|
|
options: { pluginWorkerManager?: PluginWorkerManager } = {},
|
|
) {
|
|
const router = Router();
|
|
const svc = routineService(db, {
|
|
pluginWorkerManager: options.pluginWorkerManager,
|
|
});
|
|
const access = accessService(db);
|
|
|
|
async function assertBoardCanAssignTasks(req: Request, companyId: string) {
|
|
assertCompanyAccess(req, companyId);
|
|
if (req.actor.type !== "board") return;
|
|
if (req.actor.source === "local_implicit" || req.actor.isInstanceAdmin) return;
|
|
const allowed = await access.canUser(companyId, req.actor.userId, "tasks:assign");
|
|
if (!allowed) {
|
|
throw forbidden("Missing permission: tasks:assign");
|
|
}
|
|
}
|
|
|
|
function assertCanManageCompanyRoutine(req: Request, companyId: string, assigneeAgentId?: string | null) {
|
|
assertCompanyAccess(req, companyId);
|
|
if (req.actor.type === "board") return;
|
|
if (req.actor.type !== "agent" || !req.actor.agentId) throw unauthorized();
|
|
if (assigneeAgentId !== req.actor.agentId) {
|
|
throw forbidden("Agents can only manage routines assigned to themselves");
|
|
}
|
|
}
|
|
|
|
async function assertCanManageExistingRoutine(req: Request, routineId: string) {
|
|
const routine = await svc.get(routineId);
|
|
if (!routine) return null;
|
|
assertCompanyAccess(req, routine.companyId);
|
|
if (req.actor.type === "board") return routine;
|
|
if (req.actor.type !== "agent" || !req.actor.agentId) throw unauthorized();
|
|
if (routine.assigneeAgentId !== req.actor.agentId) {
|
|
throw forbidden("Agents can only manage routines assigned to themselves");
|
|
}
|
|
return routine;
|
|
}
|
|
|
|
router.get("/companies/:companyId/routines", async (req, res) => {
|
|
const companyId = req.params.companyId as string;
|
|
assertCompanyAccess(req, companyId);
|
|
const result = await svc.list(companyId);
|
|
res.json(result);
|
|
});
|
|
|
|
router.post("/companies/:companyId/routines", validate(createRoutineSchema), async (req, res) => {
|
|
const companyId = req.params.companyId as string;
|
|
await assertBoardCanAssignTasks(req, companyId);
|
|
assertCanManageCompanyRoutine(req, companyId, req.body.assigneeAgentId);
|
|
const created = await svc.create(companyId, req.body, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.created",
|
|
entityType: "routine",
|
|
entityId: created.id,
|
|
details: { title: created.title, assigneeAgentId: created.assigneeAgentId },
|
|
});
|
|
const telemetryClient = getTelemetryClient();
|
|
if (telemetryClient) {
|
|
trackRoutineCreated(telemetryClient);
|
|
}
|
|
res.status(201).json(created);
|
|
});
|
|
|
|
router.get("/routines/:id", async (req, res) => {
|
|
const detail = await svc.getDetail(req.params.id as string);
|
|
if (!detail) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
assertCompanyAccess(req, detail.companyId);
|
|
res.json(detail);
|
|
});
|
|
|
|
router.patch("/routines/:id", validate(updateRoutineSchema), async (req, res) => {
|
|
const routine = await assertCanManageExistingRoutine(req, req.params.id as string);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
const assigneeWillChange =
|
|
req.body.assigneeAgentId !== undefined &&
|
|
req.body.assigneeAgentId !== routine.assigneeAgentId;
|
|
if (assigneeWillChange) {
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
}
|
|
const statusWillActivate =
|
|
req.body.status !== undefined &&
|
|
req.body.status === "active" &&
|
|
routine.status !== "active";
|
|
if (statusWillActivate) {
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
}
|
|
if (
|
|
req.actor.type === "agent" &&
|
|
req.body.assigneeAgentId !== undefined &&
|
|
req.body.assigneeAgentId !== req.actor.agentId
|
|
) {
|
|
throw forbidden("Agents can only assign routines to themselves");
|
|
}
|
|
const updated = await svc.update(routine.id, req.body, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.updated",
|
|
entityType: "routine",
|
|
entityId: routine.id,
|
|
details: { title: updated?.title ?? routine.title },
|
|
});
|
|
res.json(updated);
|
|
});
|
|
|
|
router.get("/routines/:id/runs", async (req, res) => {
|
|
const routine = await svc.get(req.params.id as string);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
assertCompanyAccess(req, routine.companyId);
|
|
const limit = Number(req.query.limit ?? 50);
|
|
const result = await svc.listRuns(routine.id, Number.isFinite(limit) ? limit : 50);
|
|
res.json(result);
|
|
});
|
|
|
|
router.post("/routines/:id/triggers", validate(createRoutineTriggerSchema), async (req, res) => {
|
|
const routine = await assertCanManageExistingRoutine(req, req.params.id as string);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
const created = await svc.createTrigger(routine.id, req.body, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.trigger_created",
|
|
entityType: "routine_trigger",
|
|
entityId: created.trigger.id,
|
|
details: { routineId: routine.id, kind: created.trigger.kind },
|
|
});
|
|
res.status(201).json(created);
|
|
});
|
|
|
|
router.patch("/routine-triggers/:id", validate(updateRoutineTriggerSchema), async (req, res) => {
|
|
const trigger = await svc.getTrigger(req.params.id as string);
|
|
if (!trigger) {
|
|
res.status(404).json({ error: "Routine trigger not found" });
|
|
return;
|
|
}
|
|
const routine = await assertCanManageExistingRoutine(req, trigger.routineId);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
const updated = await svc.updateTrigger(trigger.id, req.body, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.trigger_updated",
|
|
entityType: "routine_trigger",
|
|
entityId: trigger.id,
|
|
details: { routineId: routine.id, kind: updated?.kind ?? trigger.kind },
|
|
});
|
|
res.json(updated);
|
|
});
|
|
|
|
router.delete("/routine-triggers/:id", async (req, res) => {
|
|
const trigger = await svc.getTrigger(req.params.id as string);
|
|
if (!trigger) {
|
|
res.status(404).json({ error: "Routine trigger not found" });
|
|
return;
|
|
}
|
|
const routine = await assertCanManageExistingRoutine(req, trigger.routineId);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
await svc.deleteTrigger(trigger.id);
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.trigger_deleted",
|
|
entityType: "routine_trigger",
|
|
entityId: trigger.id,
|
|
details: { routineId: routine.id, kind: trigger.kind },
|
|
});
|
|
res.status(204).end();
|
|
});
|
|
|
|
router.post(
|
|
"/routine-triggers/:id/rotate-secret",
|
|
validate(rotateRoutineTriggerSecretSchema),
|
|
async (req, res) => {
|
|
const trigger = await svc.getTrigger(req.params.id as string);
|
|
if (!trigger) {
|
|
res.status(404).json({ error: "Routine trigger not found" });
|
|
return;
|
|
}
|
|
const routine = await assertCanManageExistingRoutine(req, trigger.routineId);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
const rotated = await svc.rotateTriggerSecret(trigger.id, {
|
|
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
|
|
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,
|
|
});
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.trigger_secret_rotated",
|
|
entityType: "routine_trigger",
|
|
entityId: trigger.id,
|
|
details: { routineId: routine.id },
|
|
});
|
|
res.json(rotated);
|
|
},
|
|
);
|
|
|
|
router.post("/routines/:id/run", validate(runRoutineSchema), async (req, res) => {
|
|
const routine = await assertCanManageExistingRoutine(req, req.params.id as string);
|
|
if (!routine) {
|
|
res.status(404).json({ error: "Routine not found" });
|
|
return;
|
|
}
|
|
await assertBoardCanAssignTasks(req, routine.companyId);
|
|
const run = await svc.runRoutine(routine.id, req.body);
|
|
const actor = getActorInfo(req);
|
|
await logActivity(db, {
|
|
companyId: routine.companyId,
|
|
actorType: actor.actorType,
|
|
actorId: actor.actorId,
|
|
agentId: actor.agentId,
|
|
runId: actor.runId,
|
|
action: "routine.run_triggered",
|
|
entityType: "routine_run",
|
|
entityId: run.id,
|
|
details: { routineId: routine.id, source: run.source, status: run.status },
|
|
});
|
|
res.status(202).json(run);
|
|
});
|
|
|
|
router.post("/routine-triggers/public/:publicId/fire", async (req, res) => {
|
|
const result = await svc.firePublicTrigger(req.params.publicId as string, {
|
|
authorizationHeader: req.header("authorization"),
|
|
signatureHeader: req.header("x-paperclip-signature"),
|
|
hubSignatureHeader: req.header("x-hub-signature-256"),
|
|
timestampHeader: req.header("x-paperclip-timestamp"),
|
|
idempotencyKey: req.header("idempotency-key"),
|
|
rawBody: (req as { rawBody?: Buffer }).rawBody ?? null,
|
|
payload: typeof req.body === "object" && req.body !== null ? req.body as Record<string, unknown> : null,
|
|
});
|
|
res.status(202).json(result);
|
|
});
|
|
|
|
return router;
|
|
}
|