04173b341d
## Thinking Path > - Paperclip is the control plane operators use to manage agent execution environments, including plugin-declared sandbox providers. > - The failing user path here was `Test draft` for an unsaved sandbox environment using a schema field marked `format: "secret-ref"`. > - Saved environments already resolve secret refs before provider use, but the unsaved probe path was forwarding the selected secret UUID directly to the provider, which made Novita draft probes fail. > - Fixing that safely required a probe-only secret resolution path with explicit actor authorization and audit context, because an unsaved draft has no persisted environment binding to authorize against. > - Once that was fixed, CI and review surfaced follow-up hardening work: preserve actor source through the draft-probe path, prevent late heartbeat finalization from overwriting already-terminal runs, avoid duplicate successful-run handoff wakes for comment-driven runs, make SSH git ref updates tolerate concurrent managed-runtime restores, and keep the skills catalog build from failing on transient GitHub errors for pinned references. > - The result is that Novita draft probes now behave like saved environments, the new secret access path is constrained and audited, and the PR is green end-to-end with Greptile at 5/5. ## Linked Issues or Issue Description No matching public GitHub issue was found after searching open and closed Paperclip issues for `novita`. Related PR search found [#8255](https://github.com/paperclipai/paperclip/pull/8255), but it addresses Novita/dev-SDK linking rather than this draft probe bug. Bug summary: - What happened? When a board user configured a sandbox environment backed by a schema-driven plugin provider such as Novita, selecting an existing company secret for `apiKey` and clicking `Test draft` failed because the probe received the secret UUID instead of the resolved secret value. - Expected behavior `Test draft` should resolve secret-ref fields before calling the provider probe, just like the saved runtime path does. - Steps to reproduce 1. Open `Company Settings -> Environments`. 2. Create or edit a `Sandbox` environment using a provider with a `format: "secret-ref"` field such as `Novita Agent Sandbox`. 3. Select an existing company secret for `apiKey`. 4. Click `Test draft`. 5. Observe the probe failure before this patch. - Paperclip version or commit Reproduced on a local `master` dev checkout; fixed and verified on branch commit `ed982d0c0`. - Deployment mode Local dev (`pnpm dev`). - Installation method Built from source (`pnpm dev` / `pnpm build`). - Agent adapter(s) involved Not adapter-specific in the core bug path; affects schema-driven sandbox provider plugins such as Novita. - Database mode Not database-related. - Access context Board (human operator). - Node.js version `v25.6.1`. - Operating system `macOS 15.7.4`. - Relevant logs or output The user-visible failure was `Novita sandbox probe failed` during `Test draft`. ## What Changed - Resolved schema-marked secret-ref fields during unsaved sandbox environment probes by adding a dedicated probe-time secret resolution path in `environment-config.ts`. - Passed `companyId` plus the full authenticated actor context into the draft probe normalization route so secret resolution stays company-scoped, authorized, and auditable. - Hardened ephemeral secret resolution so unsaved probes require `secrets:read`, preserve the original actor source (`local_implicit`, `agent_jwt`, etc.), and emit usable audit metadata. - Added a conditional heartbeat run-status update so late adapter completions cannot overwrite runs that were already cancelled or otherwise terminal. - Skipped successful-run handoff synthesis for comment-driven wakes, which removes the extra wake/run that was breaking `heartbeat-comment-wake-batching`. - Retried managed-runtime SSH git ref updates on concurrent ref-lock races instead of failing the restore path. - Reused the previous skills-catalog manifest entry when a pinned GitHub reference fails with a recoverable transient error during CI catalog generation. - Added focused regression coverage for the draft probe, ephemeral secret access, heartbeat handoff behavior, SSH ref-lock races, and catalog fallback behavior. ## Verification - `pnpm vitest run server/src/__tests__/environment-routes.test.ts` - `pnpm vitest run server/src/__tests__/secrets-service.test.ts` - `pnpm vitest run server/src/__tests__/heartbeat-comment-wake-batching.test.ts` - `pnpm vitest run server/src/services/recovery/successful-run-handoff.test.ts` - `pnpm vitest run server/src/__tests__/openclaw-gateway-adapter.test.ts` - `pnpm exec vitest run packages/adapter-utils/src/ssh-fixture.test.ts -t "merges concurrent remote commits through the managed runtime restore path"` - `pnpm exec vitest run packages/skills-catalog/src/catalog-builder.test.ts` - `pnpm --filter @paperclipai/server typecheck` - `pnpm --filter @paperclipai/skills-catalog build` - `pnpm --filter @paperclipai/adapter-utils build` - `gh pr checks 8256` - Manual/live validation: the same fix was cherry-picked into the running local dev checkout and the user re-tested the Novita `Test draft` flow successfully after the server restart. ## Risks - Low risk: the Novita-specific user-facing fix is isolated to unsaved sandbox draft probes for plugin schema fields marked `format: "secret-ref"`. - The new ephemeral secret resolution path is intentionally stricter than the original broken behavior; regressions would most likely show up as denied draft probes rather than accidental secret exposure. - The heartbeat, SSH, and catalog changes are all defensive; if they regress, they should affect test/CI orchestration paths rather than persisted company data. ## Model Used - OpenAI Codex Local (`codex_local` in Paperclip). The runtime does not expose the exact backend model ID in agent metadata. GPT-5-class coding model with shell/tool use, repository editing, test execution, GitHub review handling, and issue-thread coordination. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have searched GitHub for duplicate or related PRs and linked them above - [x] I have either (a) linked existing issues with `Fixes: #` / `Closes #` / `Refs #` OR (b) described the issue in-PR following the relevant issue template - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots - [ ] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] All Paperclip CI gates are green - [x] Greptile is 5/5 with no open P2s, recommendations, or follow-ups - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
653 lines
22 KiB
TypeScript
653 lines
22 KiB
TypeScript
import { z } from "zod";
|
|
import { randomUUID } from "node:crypto";
|
|
import type { Db } from "@paperclipai/db";
|
|
import type {
|
|
Environment,
|
|
EnvironmentDriver,
|
|
FakeSandboxEnvironmentConfig,
|
|
LocalEnvironmentConfig,
|
|
PluginEnvironmentConfig,
|
|
PluginSandboxEnvironmentConfig,
|
|
SandboxEnvironmentConfig,
|
|
SecretProvider,
|
|
SecretVersionSelector,
|
|
SshEnvironmentConfig,
|
|
} from "@paperclipai/shared";
|
|
import { unprocessable } from "../errors.js";
|
|
import { parseObject } from "../adapters/utils.js";
|
|
import { secretService } from "./secrets.js";
|
|
import {
|
|
resolvePluginSandboxProviderDriverByKey,
|
|
validatePluginEnvironmentDriverConfig,
|
|
validatePluginSandboxProviderConfig,
|
|
} from "./plugin-environment-driver.js";
|
|
import type { PluginWorkerManager } from "./plugin-worker-manager.js";
|
|
import {
|
|
collectSecretRefPaths,
|
|
isUuidSecretRef,
|
|
readConfigValueAtPath,
|
|
writeConfigValueAtPath,
|
|
} from "./json-schema-secret-refs.js";
|
|
|
|
const secretRefSchema = z.object({
|
|
type: z.literal("secret_ref"),
|
|
secretId: z.string().uuid(),
|
|
version: z.union([z.literal("latest"), z.number().int().positive()]).optional().default("latest"),
|
|
}).strict();
|
|
|
|
const sshEnvironmentConfigSchema = z.object({
|
|
host: z.string({ required_error: "SSH environments require a host." }).trim().min(1, "SSH environments require a host."),
|
|
port: z.coerce.number().int().min(1).max(65535).default(22),
|
|
username: z.string({ required_error: "SSH environments require a username." }).trim().min(1, "SSH environments require a username."),
|
|
remoteWorkspacePath: z
|
|
.string({ required_error: "SSH environments require a remote workspace path." })
|
|
.trim()
|
|
.min(1, "SSH environments require a remote workspace path.")
|
|
.refine((value) => value.startsWith("/"), "SSH remote workspace path must be absolute."),
|
|
privateKey: z.null().optional().default(null),
|
|
privateKeySecretRef: secretRefSchema.optional().nullable().default(null),
|
|
knownHosts: z
|
|
.string()
|
|
.trim()
|
|
.optional()
|
|
.nullable()
|
|
.transform((value) => (value && value.length > 0 ? value : null)),
|
|
strictHostKeyChecking: z.boolean().optional().default(true),
|
|
}).strict();
|
|
|
|
const sshEnvironmentConfigProbeSchema = sshEnvironmentConfigSchema.extend({
|
|
privateKey: z
|
|
.string()
|
|
.trim()
|
|
.optional()
|
|
.nullable()
|
|
.transform((value) => (value && value.length > 0 ? value : null)),
|
|
}).strict();
|
|
|
|
const sshEnvironmentConfigPersistenceSchema = sshEnvironmentConfigProbeSchema;
|
|
|
|
const fakeSandboxEnvironmentConfigSchema = z.object({
|
|
provider: z.literal("fake").default("fake"),
|
|
image: z
|
|
.string()
|
|
.trim()
|
|
.min(1, "Fake sandbox environments require an image.")
|
|
.default("ubuntu:24.04"),
|
|
reuseLease: z.boolean().optional().default(false),
|
|
}).strict();
|
|
|
|
const pluginSandboxProviderKeySchema = z.string()
|
|
.trim()
|
|
.min(1, "Sandbox provider is required.")
|
|
.regex(
|
|
/^[a-z0-9][a-z0-9._-]*$/,
|
|
"Sandbox provider key must start with a lowercase alphanumeric and contain only lowercase letters, digits, dots, hyphens, or underscores",
|
|
);
|
|
|
|
const pluginSandboxEnvironmentConfigSchema = z.object({
|
|
provider: pluginSandboxProviderKeySchema,
|
|
timeoutMs: z.coerce.number().int().min(1).max(86_400_000).optional(),
|
|
reuseLease: z.boolean().optional().default(false),
|
|
}).catchall(z.unknown());
|
|
|
|
const pluginEnvironmentConfigSchema = z.object({
|
|
pluginKey: z.string().min(1),
|
|
driverKey: z.string().min(1).regex(
|
|
/^[a-z0-9][a-z0-9._-]*$/,
|
|
"Environment driver key must start with a lowercase alphanumeric and contain only lowercase letters, digits, dots, hyphens, or underscores",
|
|
),
|
|
driverConfig: z.record(z.unknown()).optional().default({}),
|
|
}).strict();
|
|
|
|
export type ParsedEnvironmentConfig =
|
|
| { driver: "local"; config: LocalEnvironmentConfig }
|
|
| { driver: "ssh"; config: SshEnvironmentConfig }
|
|
| { driver: "sandbox"; config: SandboxEnvironmentConfig }
|
|
| { driver: "plugin"; config: PluginEnvironmentConfig };
|
|
|
|
function toErrorMessage(error: z.ZodError) {
|
|
const first = error.issues[0];
|
|
if (!first) return "Invalid environment config.";
|
|
return first.message;
|
|
}
|
|
|
|
function getSandboxProvider(raw: Record<string, unknown>) {
|
|
return typeof raw.provider === "string" && raw.provider.trim().length > 0 ? raw.provider.trim() : "fake";
|
|
}
|
|
|
|
function parseSandboxEnvironmentConfig(
|
|
input: Record<string, unknown> | null | undefined,
|
|
) {
|
|
const raw = parseObject(input);
|
|
const provider = getSandboxProvider(raw);
|
|
|
|
if (provider === "fake") {
|
|
const parsed = fakeSandboxEnvironmentConfigSchema.safeParse(raw);
|
|
return parsed.success
|
|
? ({ success: true as const, data: parsed.data satisfies FakeSandboxEnvironmentConfig })
|
|
: ({ success: false as const, error: parsed.error });
|
|
}
|
|
|
|
const parsed = pluginSandboxEnvironmentConfigSchema.safeParse(raw);
|
|
return parsed.success
|
|
? ({ success: true as const, data: parsed.data satisfies PluginSandboxEnvironmentConfig })
|
|
: ({ success: false as const, error: parsed.error });
|
|
}
|
|
|
|
async function getSandboxProviderConfigSchema(
|
|
db: Db,
|
|
provider: string,
|
|
): Promise<Record<string, unknown> | null> {
|
|
const resolved = await resolvePluginSandboxProviderDriverByKey({
|
|
db,
|
|
driverKey: provider,
|
|
});
|
|
const schema = resolved?.driver.configSchema;
|
|
return schema && typeof schema === "object" && !Array.isArray(schema)
|
|
? schema as Record<string, unknown>
|
|
: null;
|
|
}
|
|
|
|
function secretName(input: {
|
|
environmentName: string;
|
|
driver: EnvironmentDriver;
|
|
field: string;
|
|
}) {
|
|
const slug = input.environmentName
|
|
.toLowerCase()
|
|
.replace(/[^a-z0-9]+/g, "-")
|
|
.replace(/^-+|-+$/g, "")
|
|
.slice(0, 48) || "environment";
|
|
return `environment-${input.driver}-${slug}-${input.field}-${randomUUID().slice(0, 8)}`;
|
|
}
|
|
|
|
async function createEnvironmentSecret(input: {
|
|
db: Db;
|
|
companyId: string;
|
|
environmentName: string;
|
|
driver: EnvironmentDriver;
|
|
field: string;
|
|
provider: SecretProvider;
|
|
value: string;
|
|
actor?: { userId?: string | null; agentId?: string | null };
|
|
}) {
|
|
const created = await secretService(input.db).create(
|
|
input.companyId,
|
|
{
|
|
name: secretName(input),
|
|
provider: input.provider,
|
|
value: input.value,
|
|
description: `Secret for ${input.environmentName} ${input.field}.`,
|
|
},
|
|
input.actor,
|
|
);
|
|
return {
|
|
type: "secret_ref" as const,
|
|
secretId: created.id,
|
|
version: "latest" as const,
|
|
};
|
|
}
|
|
|
|
async function persistConfigSecretRefs(input: {
|
|
db: Db;
|
|
companyId: string;
|
|
environmentName: string;
|
|
driver: EnvironmentDriver;
|
|
secretProvider: SecretProvider;
|
|
config: Record<string, unknown>;
|
|
schema: Record<string, unknown> | null;
|
|
actor?: { userId?: string | null; agentId?: string | null };
|
|
}): Promise<Record<string, unknown>> {
|
|
let nextConfig = { ...input.config };
|
|
for (const path of collectSecretRefPaths(input.schema)) {
|
|
const rawValue = readConfigValueAtPath(nextConfig, path);
|
|
if (typeof rawValue !== "string") continue;
|
|
const trimmed = rawValue.trim();
|
|
if (trimmed.length === 0) {
|
|
nextConfig = writeConfigValueAtPath(nextConfig, path, undefined);
|
|
continue;
|
|
}
|
|
if (isUuidSecretRef(trimmed)) {
|
|
nextConfig = writeConfigValueAtPath(nextConfig, path, trimmed);
|
|
continue;
|
|
}
|
|
const created = await createEnvironmentSecret({
|
|
db: input.db,
|
|
companyId: input.companyId,
|
|
environmentName: input.environmentName,
|
|
driver: input.driver,
|
|
field: path.replace(/[^a-z0-9]+/gi, "-").toLowerCase(),
|
|
provider: input.secretProvider,
|
|
value: trimmed,
|
|
actor: input.actor,
|
|
});
|
|
nextConfig = writeConfigValueAtPath(nextConfig, path, created.secretId);
|
|
}
|
|
return nextConfig;
|
|
}
|
|
|
|
async function resolveConfigSecretRefsForRuntime(input: {
|
|
db: Db;
|
|
companyId: string;
|
|
config: Record<string, unknown>;
|
|
schema: Record<string, unknown> | null;
|
|
context: {
|
|
consumerId: string;
|
|
issueId?: string | null;
|
|
heartbeatRunId?: string | null;
|
|
};
|
|
}): Promise<Record<string, unknown>> {
|
|
const secrets = secretService(input.db);
|
|
let nextConfig = { ...input.config };
|
|
for (const path of collectSecretRefPaths(input.schema)) {
|
|
const current = readConfigValueAtPath(nextConfig, path);
|
|
if (typeof current !== "string") continue;
|
|
const trimmed = current.trim();
|
|
if (!isUuidSecretRef(trimmed)) continue;
|
|
if (!input.context.consumerId) {
|
|
throw unprocessable("Runtime secret resolution requires an environment id");
|
|
}
|
|
nextConfig = writeConfigValueAtPath(
|
|
nextConfig,
|
|
path,
|
|
await secrets.resolveSecretValue(input.companyId, trimmed, "latest", {
|
|
consumerType: "environment",
|
|
consumerId: input.context.consumerId,
|
|
actorType: "system",
|
|
actorId: null,
|
|
issueId: input.context.issueId ?? null,
|
|
heartbeatRunId: input.context.heartbeatRunId ?? null,
|
|
configPath: path,
|
|
}),
|
|
);
|
|
}
|
|
return nextConfig;
|
|
}
|
|
|
|
async function resolveConfigSecretRefsForProbe(input: {
|
|
db: Db;
|
|
companyId: string;
|
|
config: Record<string, unknown>;
|
|
schema: Record<string, unknown> | null;
|
|
accessContext?: {
|
|
actorType: "agent" | "user";
|
|
actorId: string;
|
|
actorSource?: "local_implicit" | "session" | "board_key" | "agent_key" | "agent_jwt" | "cloud_tenant";
|
|
heartbeatRunId?: string | null;
|
|
};
|
|
}): Promise<Record<string, unknown>> {
|
|
const secrets = secretService(input.db);
|
|
let nextConfig = { ...input.config };
|
|
for (const path of collectSecretRefPaths(input.schema)) {
|
|
const current = readConfigValueAtPath(nextConfig, path);
|
|
if (typeof current !== "string") continue;
|
|
const trimmed = current.trim();
|
|
if (!isUuidSecretRef(trimmed)) continue;
|
|
// Unsaved draft probes do not have an environment record yet, so they
|
|
// cannot rely on environment-bound secret resolution. Resolve directly for
|
|
// this ephemeral board-only probe and never persist the plaintext value.
|
|
nextConfig = writeConfigValueAtPath(
|
|
nextConfig,
|
|
path,
|
|
await secrets.resolveSecretValueForEphemeralAccess(input.companyId, trimmed, "latest", {
|
|
consumerType: "system",
|
|
consumerId: "environment-probe-config",
|
|
configPath: path,
|
|
actorType: input.accessContext?.actorType ?? "system",
|
|
actorId: input.accessContext?.actorId ?? null,
|
|
actorSource: input.accessContext?.actorSource,
|
|
heartbeatRunId: input.accessContext?.heartbeatRunId ?? null,
|
|
}),
|
|
);
|
|
}
|
|
return nextConfig;
|
|
}
|
|
|
|
export async function collectEnvironmentSecretRefs(input: {
|
|
db: Db;
|
|
environment: Pick<Environment, "id" | "driver" | "config">;
|
|
}): Promise<Array<{ secretId: string; configPath: string; versionSelector?: SecretVersionSelector }>> {
|
|
const parsed = parseEnvironmentDriverConfig(input.environment);
|
|
if (parsed.driver === "ssh" && parsed.config.privateKeySecretRef) {
|
|
return [{
|
|
secretId: parsed.config.privateKeySecretRef.secretId,
|
|
configPath: "privateKeySecretRef",
|
|
versionSelector: parsed.config.privateKeySecretRef.version ?? "latest",
|
|
}];
|
|
}
|
|
if (parsed.driver === "sandbox" && parsed.config.provider !== "fake") {
|
|
const schema = await getSandboxProviderConfigSchema(input.db, parsed.config.provider);
|
|
const refs: Array<{ secretId: string; configPath: string; versionSelector?: SecretVersionSelector }> = [];
|
|
for (const path of collectSecretRefPaths(schema)) {
|
|
const current = readConfigValueAtPath(parsed.config as Record<string, unknown>, path);
|
|
if (typeof current === "string" && isUuidSecretRef(current.trim())) {
|
|
refs.push({ secretId: current.trim(), configPath: path, versionSelector: "latest" });
|
|
}
|
|
}
|
|
return refs;
|
|
}
|
|
return [];
|
|
}
|
|
|
|
export function stripSandboxProviderEnvelope(config: SandboxEnvironmentConfig): Record<string, unknown> {
|
|
const { provider: _provider, ...driverConfig } = config as Record<string, unknown>;
|
|
return driverConfig;
|
|
}
|
|
|
|
export function normalizeEnvironmentConfig(input: {
|
|
driver: EnvironmentDriver;
|
|
config: Record<string, unknown> | null | undefined;
|
|
}): Record<string, unknown> {
|
|
if (input.driver === "local") {
|
|
return { ...parseObject(input.config) };
|
|
}
|
|
|
|
if (input.driver === "ssh") {
|
|
const parsed = sshEnvironmentConfigSchema.safeParse(parseObject(input.config));
|
|
if (!parsed.success) {
|
|
throw unprocessable(toErrorMessage(parsed.error), {
|
|
issues: parsed.error.issues,
|
|
});
|
|
}
|
|
return parsed.data satisfies SshEnvironmentConfig;
|
|
}
|
|
|
|
if (input.driver === "sandbox") {
|
|
const parsed = parseSandboxEnvironmentConfig(input.config);
|
|
if (!parsed.success) {
|
|
throw unprocessable(toErrorMessage(parsed.error), {
|
|
issues: parsed.error.issues,
|
|
});
|
|
}
|
|
return parsed.data;
|
|
}
|
|
|
|
if (input.driver === "plugin") {
|
|
const parsed = pluginEnvironmentConfigSchema.safeParse(parseObject(input.config));
|
|
if (!parsed.success) {
|
|
throw unprocessable(toErrorMessage(parsed.error), {
|
|
issues: parsed.error.issues,
|
|
});
|
|
}
|
|
return parsed.data satisfies PluginEnvironmentConfig;
|
|
}
|
|
|
|
throw unprocessable(`Unsupported environment driver "${input.driver}".`);
|
|
}
|
|
|
|
export function normalizeEnvironmentConfigForProbe(input: {
|
|
db: Db;
|
|
companyId: string;
|
|
driver: EnvironmentDriver;
|
|
config: Record<string, unknown> | null | undefined;
|
|
accessContext?: {
|
|
actorType: "agent" | "user";
|
|
actorId: string;
|
|
actorSource?: "local_implicit" | "session" | "board_key" | "agent_key" | "agent_jwt" | "cloud_tenant";
|
|
heartbeatRunId?: string | null;
|
|
};
|
|
pluginWorkerManager?: PluginWorkerManager;
|
|
}): Promise<Record<string, unknown>> | Record<string, unknown> {
|
|
if (input.driver === "ssh") {
|
|
const parsed = sshEnvironmentConfigProbeSchema.safeParse(parseObject(input.config));
|
|
if (!parsed.success) {
|
|
throw unprocessable(toErrorMessage(parsed.error), {
|
|
issues: parsed.error.issues,
|
|
});
|
|
}
|
|
return parsed.data satisfies SshEnvironmentConfig;
|
|
}
|
|
|
|
if (input.driver === "sandbox") {
|
|
const parsed = parseSandboxEnvironmentConfig(input.config);
|
|
if (!parsed.success) {
|
|
throw unprocessable(toErrorMessage(parsed.error), {
|
|
issues: parsed.error.issues,
|
|
});
|
|
}
|
|
if (parsed.data.provider === "fake") {
|
|
return parsed.data;
|
|
}
|
|
if (!input.pluginWorkerManager) {
|
|
throw unprocessable("Sandbox provider config validation requires a running plugin worker manager.");
|
|
}
|
|
return validatePluginSandboxProviderConfig({
|
|
db: input.db,
|
|
workerManager: input.pluginWorkerManager,
|
|
provider: parsed.data.provider,
|
|
config: stripSandboxProviderEnvelope(parsed.data),
|
|
}).then(async (validated) => ({
|
|
provider: parsed.data.provider,
|
|
...(await resolveConfigSecretRefsForProbe({
|
|
db: input.db,
|
|
companyId: input.companyId,
|
|
config: validated.normalizedConfig,
|
|
accessContext: input.accessContext,
|
|
schema:
|
|
validated.driver.configSchema &&
|
|
typeof validated.driver.configSchema === "object" &&
|
|
!Array.isArray(validated.driver.configSchema)
|
|
? validated.driver.configSchema as Record<string, unknown>
|
|
: null,
|
|
})),
|
|
}));
|
|
}
|
|
|
|
return normalizeEnvironmentConfig({
|
|
driver: input.driver,
|
|
config: input.config,
|
|
});
|
|
}
|
|
|
|
export async function normalizeEnvironmentConfigForPersistence(input: {
|
|
db: Db;
|
|
companyId: string;
|
|
environmentName: string;
|
|
driver: EnvironmentDriver;
|
|
secretProvider: SecretProvider;
|
|
config: Record<string, unknown> | null | undefined;
|
|
actor?: { userId?: string | null; agentId?: string | null };
|
|
pluginWorkerManager?: PluginWorkerManager;
|
|
}): Promise<Record<string, unknown>> {
|
|
if (input.driver === "ssh") {
|
|
const parsed = sshEnvironmentConfigPersistenceSchema.safeParse(parseObject(input.config));
|
|
if (!parsed.success) {
|
|
throw unprocessable(toErrorMessage(parsed.error), {
|
|
issues: parsed.error.issues,
|
|
});
|
|
}
|
|
const secrets = secretService(input.db);
|
|
const { privateKey, ...stored } = parsed.data;
|
|
let nextPrivateKeySecretRef = stored.privateKeySecretRef;
|
|
if (privateKey) {
|
|
nextPrivateKeySecretRef = await createEnvironmentSecret({
|
|
db: input.db,
|
|
companyId: input.companyId,
|
|
environmentName: input.environmentName,
|
|
driver: input.driver,
|
|
field: "private-key",
|
|
provider: input.secretProvider,
|
|
value: privateKey,
|
|
actor: input.actor,
|
|
});
|
|
if (
|
|
stored.privateKeySecretRef &&
|
|
stored.privateKeySecretRef.secretId !== nextPrivateKeySecretRef.secretId
|
|
) {
|
|
await secrets.remove(stored.privateKeySecretRef.secretId);
|
|
}
|
|
}
|
|
return {
|
|
...stored,
|
|
privateKey: null,
|
|
privateKeySecretRef: nextPrivateKeySecretRef,
|
|
} satisfies SshEnvironmentConfig;
|
|
}
|
|
|
|
if (input.driver === "sandbox") {
|
|
const parsed = parseSandboxEnvironmentConfig(input.config);
|
|
if (!parsed.success) {
|
|
throw unprocessable(toErrorMessage(parsed.error), {
|
|
issues: parsed.error.issues,
|
|
});
|
|
}
|
|
if (parsed.data.provider === "fake") {
|
|
throw unprocessable(
|
|
"Built-in fake sandbox environments are reserved for internal probes and cannot be saved.",
|
|
);
|
|
}
|
|
if (!input.pluginWorkerManager) {
|
|
throw unprocessable("Sandbox provider config validation requires a running plugin worker manager.");
|
|
}
|
|
const validated = await validatePluginSandboxProviderConfig({
|
|
db: input.db,
|
|
workerManager: input.pluginWorkerManager,
|
|
provider: parsed.data.provider,
|
|
config: stripSandboxProviderEnvelope(parsed.data),
|
|
});
|
|
return await persistConfigSecretRefs({
|
|
db: input.db,
|
|
companyId: input.companyId,
|
|
environmentName: input.environmentName,
|
|
driver: input.driver,
|
|
secretProvider: input.secretProvider,
|
|
config: {
|
|
provider: parsed.data.provider,
|
|
...validated.normalizedConfig,
|
|
},
|
|
schema:
|
|
validated.driver.configSchema && typeof validated.driver.configSchema === "object" && !Array.isArray(validated.driver.configSchema)
|
|
? validated.driver.configSchema as Record<string, unknown>
|
|
: null,
|
|
actor: input.actor,
|
|
});
|
|
}
|
|
|
|
if (input.driver === "plugin") {
|
|
const parsed = pluginEnvironmentConfigSchema.safeParse(parseObject(input.config));
|
|
if (!parsed.success) {
|
|
throw unprocessable(toErrorMessage(parsed.error), {
|
|
issues: parsed.error.issues,
|
|
});
|
|
}
|
|
if (!input.pluginWorkerManager) {
|
|
throw unprocessable("Plugin environment config validation requires a running plugin worker manager.");
|
|
}
|
|
return { ...(await validatePluginEnvironmentDriverConfig({
|
|
db: input.db,
|
|
workerManager: input.pluginWorkerManager,
|
|
config: parsed.data,
|
|
})) };
|
|
}
|
|
|
|
return normalizeEnvironmentConfig({
|
|
driver: input.driver,
|
|
config: input.config,
|
|
});
|
|
}
|
|
|
|
export async function resolveEnvironmentDriverConfigForRuntime(
|
|
db: Db,
|
|
companyId: string,
|
|
environment: Pick<Environment, "driver" | "config"> & Partial<Pick<Environment, "id">>,
|
|
context?: { issueId?: string | null; heartbeatRunId?: string | null },
|
|
): Promise<ParsedEnvironmentConfig> {
|
|
const parsed = parseEnvironmentDriverConfig(environment);
|
|
const secrets = secretService(db);
|
|
const environmentId = environment.id;
|
|
if (parsed.driver === "ssh" && parsed.config.privateKeySecretRef && !environmentId) {
|
|
throw unprocessable("Runtime secret resolution requires an environment id");
|
|
}
|
|
|
|
if (parsed.driver === "ssh" && parsed.config.privateKeySecretRef) {
|
|
return {
|
|
driver: "ssh",
|
|
config: {
|
|
...parsed.config,
|
|
privateKey: await secrets.resolveSecretValue(
|
|
companyId,
|
|
parsed.config.privateKeySecretRef.secretId,
|
|
parsed.config.privateKeySecretRef.version ?? "latest",
|
|
{
|
|
consumerType: "environment",
|
|
consumerId: environmentId!,
|
|
actorType: "system",
|
|
actorId: null,
|
|
issueId: context?.issueId ?? null,
|
|
heartbeatRunId: context?.heartbeatRunId ?? null,
|
|
configPath: "privateKeySecretRef",
|
|
},
|
|
),
|
|
},
|
|
};
|
|
}
|
|
|
|
if (parsed.driver === "sandbox" && parsed.config.provider !== "fake") {
|
|
return {
|
|
driver: "sandbox",
|
|
config: await resolveConfigSecretRefsForRuntime({
|
|
db,
|
|
companyId,
|
|
config: parsed.config as Record<string, unknown>,
|
|
schema: await getSandboxProviderConfigSchema(db, parsed.config.provider),
|
|
context: {
|
|
consumerId: environmentId!,
|
|
issueId: context?.issueId ?? null,
|
|
heartbeatRunId: context?.heartbeatRunId ?? null,
|
|
},
|
|
}) as SandboxEnvironmentConfig,
|
|
};
|
|
}
|
|
|
|
return parsed;
|
|
}
|
|
|
|
export function readSshEnvironmentPrivateKeySecretId(
|
|
environment: Pick<Environment, "driver" | "config">,
|
|
): string | null {
|
|
if (environment.driver !== "ssh") return null;
|
|
const parsed = sshEnvironmentConfigSchema.safeParse(parseObject(environment.config));
|
|
if (!parsed.success) return null;
|
|
return parsed.data.privateKeySecretRef?.secretId ?? null;
|
|
}
|
|
|
|
export function parseEnvironmentDriverConfig(
|
|
environment: Pick<Environment, "driver" | "config">,
|
|
): ParsedEnvironmentConfig {
|
|
if (environment.driver === "local") {
|
|
return {
|
|
driver: "local",
|
|
config: { ...parseObject(environment.config) },
|
|
};
|
|
}
|
|
|
|
if (environment.driver === "ssh") {
|
|
const parsed = sshEnvironmentConfigSchema.parse(parseObject(environment.config));
|
|
return {
|
|
driver: "ssh",
|
|
config: parsed,
|
|
};
|
|
}
|
|
|
|
if (environment.driver === "sandbox") {
|
|
const parsed = parseSandboxEnvironmentConfig(environment.config);
|
|
if (!parsed.success) {
|
|
throw parsed.error;
|
|
}
|
|
return {
|
|
driver: "sandbox",
|
|
config: parsed.data,
|
|
};
|
|
}
|
|
|
|
if (environment.driver === "plugin") {
|
|
const parsed = pluginEnvironmentConfigSchema.parse(parseObject(environment.config));
|
|
return {
|
|
driver: "plugin",
|
|
config: parsed,
|
|
};
|
|
}
|
|
|
|
throw new Error(`Unsupported environment driver "${environment.driver}".`);
|
|
}
|