70b1a9109d
## Thinking Path > - Paperclip is a control plane for AI-agent companies, with the CLI acting as a scriptable operator and agent interface to that control plane. > - The REST API surface has grown across companies, agents, issues, routines, plugins, auth, workspaces, secrets, and operational inspection commands. > - The CLI had drifted from that API surface: some commands were missing, some command shapes differed from docs/reference material, and several edge cases only failed during end-to-end local-source testing. > - The local development runbook requires these tests to be disposable and isolated from a real `~/.paperclip`, `~/.codex`, or `~/.claude` installation. > - This pull request adds broad CLI/API parity coverage, fixes the actionable bugs found during that pass, and records the reproducible test log under `doc/logs`. > - The benefit is a more complete, scriptable CLI surface with regression coverage for the command families exercised by the parity run. ## What Changed - Added or expanded CLI command coverage for access/auth, companies, agents, projects, goals, issues and subresources, routines, plugins, workspaces, activity/run/cost/dashboard inspection, assets, skills, secrets, tokens, prompt/wake flows, and local setup helpers. - Fixed CLI/API parity bugs found during the run, including context profile patching, issue interaction optional payloads, malformed tree-hold errors, environment duplicate handling, configure invalid-section exit codes, worktree pnpm invocation, token agent ID resolution, plugin tool worker lookup, and routine webhook secret cleanup. - Added missing CLI wrappers and route coverage for health/access, invite resolution URL forwarding, join status normalization, secret lifecycle commands, LLM docs routes, available-skill isolation, positive board-claim coverage, and interactive `connect` prompt-flow tests. - Added a schema-backed `/api/openapi.json` route sufficient for CLI parity and `paperclipai openapi --json` smoke coverage. - Added `doc/logs/2026-05-24-cli-api-parity-e2e-log.md` with the detailed living test/bug log and renamed the log directory from `doc/bugs` to `doc/logs`. - Added `doc/plans/2026-05-23-cli-api-parity.md` and the OpenAPI parity reference used during the pass. OpenAPI note: this PR intentionally does not try to subsume `feature/openapi-spec`. The OpenAPI implementation here is schema-backed and better than the earlier route-inventory stub, but `feature/openapi-spec` is the fuller/better OpenAPI branch because it includes exact mounted-route coverage tests and additional current route coverage. That branch should stay as its own PR and can supersede this OpenAPI route implementation. ## Verification Targeted automated checks run: - `pnpm exec vitest run server/src/__tests__/openapi-routes.test.ts` - `pnpm exec vitest run server/src/__tests__/board-claim.test.ts` - `pnpm exec vitest run cli/src/__tests__/connect.test.ts` - `pnpm exec vitest run cli/src/__tests__/agent-lifecycle.test.ts` - `pnpm exec vitest run server/src/__tests__/plugin-database.test.ts` - `pnpm exec vitest run server/src/__tests__/routines-service.test.ts` - `pnpm --dir cli typecheck` - `pnpm --dir server typecheck` Manual/local E2E verification: - Ran the full disposable local-source CLI/API parity pass with isolated `PAPERCLIP_HOME`, `PAPERCLIP_CONFIG`, `PAPERCLIP_CONTEXT`, `PAPERCLIP_AUTH_STORE`, `CODEX_HOME`, and `CLAUDE_HOME` under `tmp/cli-api-parity`. - Verified `DATABASE_URL` and `DATABASE_MIGRATION_URL` stayed unset for the scratch server. - Verified live health and schema-backed OpenAPI responses on non-default port `3197`. - Revoked created board/agent tokens and cleaned up temporary plugins, secrets, non-default environments, and project workspaces. - See `doc/logs/2026-05-24-cli-api-parity-e2e-log.md` for the full command-by-command reproduction log. Not run: - Full `pnpm test`, `pnpm test:run`, or `pnpm build` were not run after the entire branch because the branch is broad and the parity pass used focused test/typecheck verification plus live isolated CLI reruns. ## Risks - This is a broad PR and touches many CLI command modules, so review surface is high. The changes are grouped around one theme, but a split may be easier if maintainers prefer narrower PRs. - The OpenAPI route in this PR is not the final/best OpenAPI implementation. `feature/openapi-spec` has stronger exact-route coverage and should remain the source for the dedicated OpenAPI PR. - The living log is intentionally detailed and large. It is useful for reproducibility but adds documentation weight. - No UI changes are intended; screenshots are not applicable. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5-based coding agent in Codex desktop. Exact served model/context-window identifier was not exposed in the local app. Work used shell/Git/GitHub CLI tooling, local source inspection, targeted test execution, and live isolated Paperclip CLI/API smoke testing. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Devin Foley <devin@devinfoley.com>
333 lines
11 KiB
TypeScript
333 lines
11 KiB
TypeScript
import { Command } from "commander";
|
|
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
|
|
import type { Agent, CompanySecret } from "@paperclipai/shared";
|
|
import type { PaperclipConfig } from "../config/schema.js";
|
|
import { secretsCheck } from "../checks/secrets-check.js";
|
|
import {
|
|
buildInlineMigrationSecretName,
|
|
buildMigratedAgentEnv,
|
|
collectInlineSecretMigrationCandidates,
|
|
parseSecretsInclude,
|
|
registerSecretCommands,
|
|
toPlainEnvValue,
|
|
} from "../commands/client/secrets.js";
|
|
|
|
function agent(partial: Partial<Agent>): Agent {
|
|
return {
|
|
id: "agent-12345678",
|
|
companyId: "company-1",
|
|
name: "Coder",
|
|
urlKey: "coder",
|
|
role: "engineer",
|
|
title: null,
|
|
icon: null,
|
|
status: "idle",
|
|
reportsTo: null,
|
|
capabilities: null,
|
|
adapterType: "codex_local",
|
|
adapterConfig: {},
|
|
runtimeConfig: {},
|
|
budgetMonthlyCents: 0,
|
|
spentMonthlyCents: 0,
|
|
pauseReason: null,
|
|
pausedAt: null,
|
|
permissions: {
|
|
canCreateAgents: false,
|
|
},
|
|
lastHeartbeatAt: null,
|
|
metadata: null,
|
|
createdAt: new Date("2026-04-26T00:00:00.000Z"),
|
|
updatedAt: new Date("2026-04-26T00:00:00.000Z"),
|
|
...partial,
|
|
};
|
|
}
|
|
|
|
function secret(partial: Partial<CompanySecret>): CompanySecret {
|
|
return {
|
|
id: "secret-1",
|
|
companyId: "company-1",
|
|
key: "agent_agent-12_anthropic_api_key",
|
|
name: "agent_agent-12_anthropic_api_key",
|
|
provider: "local_encrypted",
|
|
status: "active",
|
|
managedMode: "paperclip_managed",
|
|
externalRef: null,
|
|
providerConfigId: null,
|
|
providerMetadata: null,
|
|
latestVersion: 1,
|
|
description: null,
|
|
lastResolvedAt: null,
|
|
lastRotatedAt: null,
|
|
deletedAt: null,
|
|
createdByAgentId: null,
|
|
createdByUserId: null,
|
|
createdAt: new Date("2026-04-26T00:00:00.000Z"),
|
|
updatedAt: new Date("2026-04-26T00:00:00.000Z"),
|
|
...partial,
|
|
};
|
|
}
|
|
|
|
function configWithSecretsProvider(provider: PaperclipConfig["secrets"]["provider"]): PaperclipConfig {
|
|
return {
|
|
$meta: {
|
|
version: 1,
|
|
updatedAt: "2026-05-02T00:00:00.000Z",
|
|
source: "configure",
|
|
},
|
|
database: {
|
|
mode: "embedded-postgres",
|
|
embeddedPostgresDataDir: "/tmp/paperclip/db",
|
|
embeddedPostgresPort: 55432,
|
|
backup: {
|
|
enabled: true,
|
|
intervalMinutes: 60,
|
|
retentionDays: 30,
|
|
dir: "/tmp/paperclip/backups",
|
|
},
|
|
},
|
|
logging: {
|
|
mode: "file",
|
|
logDir: "/tmp/paperclip/logs",
|
|
},
|
|
server: {
|
|
deploymentMode: "local_trusted",
|
|
exposure: "private",
|
|
host: "127.0.0.1",
|
|
port: 3100,
|
|
allowedHostnames: [],
|
|
serveUi: true,
|
|
},
|
|
auth: {
|
|
baseUrlMode: "auto",
|
|
disableSignUp: false,
|
|
},
|
|
telemetry: {
|
|
enabled: true,
|
|
},
|
|
storage: {
|
|
provider: "local_disk",
|
|
localDisk: {
|
|
baseDir: "/tmp/paperclip/storage",
|
|
},
|
|
s3: {
|
|
bucket: "paperclip",
|
|
region: "us-east-1",
|
|
prefix: "",
|
|
forcePathStyle: false,
|
|
},
|
|
},
|
|
secrets: {
|
|
provider,
|
|
strictMode: true,
|
|
localEncrypted: {
|
|
keyFilePath: "/tmp/paperclip/secrets/master.key",
|
|
},
|
|
},
|
|
};
|
|
}
|
|
|
|
describe("secrets CLI helpers", () => {
|
|
const originalEnv = { ...process.env };
|
|
|
|
beforeEach(() => {
|
|
process.env = { ...originalEnv };
|
|
delete process.env.PAPERCLIP_SECRETS_AWS_REGION;
|
|
delete process.env.AWS_REGION;
|
|
delete process.env.AWS_DEFAULT_REGION;
|
|
delete process.env.PAPERCLIP_SECRETS_AWS_DEPLOYMENT_ID;
|
|
delete process.env.PAPERCLIP_SECRETS_AWS_KMS_KEY_ID;
|
|
});
|
|
|
|
afterEach(() => {
|
|
process.env = { ...originalEnv };
|
|
});
|
|
|
|
it("parses declaration include filters", () => {
|
|
expect(parseSecretsInclude("agents,projects,tasks")).toEqual({
|
|
company: false,
|
|
agents: true,
|
|
projects: true,
|
|
issues: true,
|
|
skills: false,
|
|
});
|
|
});
|
|
|
|
it("detects inline sensitive env values that need migration", () => {
|
|
const rows = collectInlineSecretMigrationCandidates(
|
|
[
|
|
agent({
|
|
id: "agent-12345678",
|
|
adapterConfig: {
|
|
env: {
|
|
ANTHROPIC_API_KEY: "sk-ant-test",
|
|
GH_TOKEN: {
|
|
type: "plain",
|
|
value: "ghp-test",
|
|
},
|
|
PATH: {
|
|
type: "plain",
|
|
value: "/usr/bin",
|
|
},
|
|
OPENAI_API_KEY: {
|
|
type: "secret_ref",
|
|
secretId: "secret-existing",
|
|
},
|
|
},
|
|
},
|
|
}),
|
|
],
|
|
[
|
|
secret({
|
|
id: "secret-gh-token",
|
|
name: buildInlineMigrationSecretName("agent-12345678", "GH_TOKEN"),
|
|
}),
|
|
],
|
|
);
|
|
|
|
expect(rows).toEqual([
|
|
{
|
|
agentId: "agent-12345678",
|
|
agentName: "Coder",
|
|
envKey: "ANTHROPIC_API_KEY",
|
|
secretName: "agent_agent-12_anthropic_api_key",
|
|
existingSecretId: null,
|
|
},
|
|
{
|
|
agentId: "agent-12345678",
|
|
agentName: "Coder",
|
|
envKey: "GH_TOKEN",
|
|
secretName: "agent_agent-12_gh_token",
|
|
existingSecretId: "secret-gh-token",
|
|
},
|
|
]);
|
|
});
|
|
|
|
it("builds migrated env bindings without preserving secret values", () => {
|
|
const next = buildMigratedAgentEnv(
|
|
{
|
|
ANTHROPIC_API_KEY: "sk-ant-test",
|
|
NODE_ENV: {
|
|
type: "plain",
|
|
value: "development",
|
|
},
|
|
},
|
|
new Map([["ANTHROPIC_API_KEY", "secret-1"]]),
|
|
);
|
|
|
|
expect(next).toEqual({
|
|
ANTHROPIC_API_KEY: {
|
|
type: "secret_ref",
|
|
secretId: "secret-1",
|
|
version: "latest",
|
|
},
|
|
NODE_ENV: {
|
|
type: "plain",
|
|
value: "development",
|
|
},
|
|
});
|
|
expect(JSON.stringify(next)).not.toContain("sk-ant-test");
|
|
});
|
|
|
|
it("reads only explicit plain env values", () => {
|
|
expect(toPlainEnvValue("plain-value")).toBe("plain-value");
|
|
expect(toPlainEnvValue({ type: "plain", value: "wrapped" })).toBe("wrapped");
|
|
expect(toPlainEnvValue({ type: "secret_ref", secretId: "secret-1" })).toBeNull();
|
|
});
|
|
|
|
it("reports the AWS bootstrap config required by doctor", () => {
|
|
const result = secretsCheck(configWithSecretsProvider("aws_secrets_manager"));
|
|
|
|
expect(result.status).toBe("fail");
|
|
expect(result.message).toContain("PAPERCLIP_SECRETS_AWS_DEPLOYMENT_ID");
|
|
expect(result.repairHint).toContain("AWS SDK default credential chain");
|
|
expect(result.repairHint).toContain("Do not store AWS root credentials");
|
|
});
|
|
|
|
it("passes AWS doctor checks when non-secret provider config is present", () => {
|
|
process.env.PAPERCLIP_SECRETS_AWS_REGION = "us-east-1";
|
|
process.env.PAPERCLIP_SECRETS_AWS_DEPLOYMENT_ID = "prod-us-1";
|
|
process.env.PAPERCLIP_SECRETS_AWS_KMS_KEY_ID =
|
|
"arn:aws:kms:us-east-1:123456789012:key/test";
|
|
process.env.AWS_PROFILE = "paperclip-prod";
|
|
|
|
const result = secretsCheck(configWithSecretsProvider("aws_secrets_manager"));
|
|
|
|
expect(result.status).toBe("pass");
|
|
expect(result.message).toContain("prod-us-1");
|
|
expect(result.message).toContain("AWS_PROFILE/shared config");
|
|
});
|
|
});
|
|
|
|
describe("secrets API parity commands", () => {
|
|
beforeEach(() => {
|
|
vi.restoreAllMocks();
|
|
delete process.env.PAPERCLIP_API_KEY;
|
|
delete process.env.PAPERCLIP_API_URL;
|
|
vi.spyOn(console, "log").mockImplementation(() => {});
|
|
});
|
|
|
|
afterEach(() => {
|
|
vi.restoreAllMocks();
|
|
});
|
|
|
|
it("wraps provider config and remote import endpoints", async () => {
|
|
const fetchMock = vi.fn().mockImplementation(() => Promise.resolve(jsonResponse()));
|
|
vi.stubGlobal("fetch", fetchMock);
|
|
|
|
await runSecretCommand(["secrets", "provider-configs", "--company-id", "company-1"]);
|
|
await runSecretCommand(["secrets", "provider-config:create", "--company-id", "company-1", "--payload-json", "{}"]);
|
|
await runSecretCommand(["secrets", "provider-config:discovery-preview", "--company-id", "company-1", "--payload-json", "{}"]);
|
|
await runSecretCommand(["secrets", "provider-config:get", "config-1"]);
|
|
await runSecretCommand(["secrets", "provider-config:update", "config-1", "--payload-json", "{}"]);
|
|
await runSecretCommand(["secrets", "provider-config:default", "config-1"]);
|
|
await runSecretCommand(["secrets", "provider-config:health", "config-1"]);
|
|
await runSecretCommand(["secrets", "provider-config:delete", "config-1"]);
|
|
await runSecretCommand(["secrets", "remote-import:preview", "--company-id", "company-1", "--payload-json", "{}"]);
|
|
await runSecretCommand(["secrets", "remote-import", "--company-id", "company-1", "--payload-json", "{}"]);
|
|
|
|
expect(fetchMock.mock.calls.map((call) => [call[1]?.method ?? "GET", call[0]])).toEqual([
|
|
["GET", "http://localhost:3100/api/companies/company-1/secret-provider-configs"],
|
|
["POST", "http://localhost:3100/api/companies/company-1/secret-provider-configs"],
|
|
["POST", "http://localhost:3100/api/companies/company-1/secret-provider-configs/discovery/preview"],
|
|
["GET", "http://localhost:3100/api/secret-provider-configs/config-1"],
|
|
["PATCH", "http://localhost:3100/api/secret-provider-configs/config-1"],
|
|
["POST", "http://localhost:3100/api/secret-provider-configs/config-1/default"],
|
|
["POST", "http://localhost:3100/api/secret-provider-configs/config-1/health"],
|
|
["DELETE", "http://localhost:3100/api/secret-provider-configs/config-1"],
|
|
["POST", "http://localhost:3100/api/companies/company-1/secrets/remote-import/preview"],
|
|
["POST", "http://localhost:3100/api/companies/company-1/secrets/remote-import"],
|
|
]);
|
|
});
|
|
|
|
it("wraps secret metadata, rotation, usage, access event, and delete endpoints", async () => {
|
|
const fetchMock = vi.fn().mockImplementation(() => Promise.resolve(jsonResponse()));
|
|
vi.stubGlobal("fetch", fetchMock);
|
|
|
|
await runSecretCommand(["secrets", "update", "secret-1", "--payload-json", "{\"description\":\"updated\"}"]);
|
|
await runSecretCommand(["secrets", "rotate", "secret-1", "--value", "new-value"]);
|
|
await runSecretCommand(["secrets", "usage", "secret-1"]);
|
|
await runSecretCommand(["secrets", "access-events", "secret-1"]);
|
|
await runSecretCommand(["secrets", "delete", "secret-1", "--yes", "--confirm", "secret-1"]);
|
|
|
|
expect(fetchMock.mock.calls.map((call) => [call[1]?.method ?? "GET", call[0]])).toEqual([
|
|
["PATCH", "http://localhost:3100/api/secrets/secret-1"],
|
|
["POST", "http://localhost:3100/api/secrets/secret-1/rotate"],
|
|
["GET", "http://localhost:3100/api/secrets/secret-1/usage"],
|
|
["GET", "http://localhost:3100/api/secrets/secret-1/access-events"],
|
|
["DELETE", "http://localhost:3100/api/secrets/secret-1"],
|
|
]);
|
|
});
|
|
});
|
|
|
|
async function runSecretCommand(args: string[]): Promise<void> {
|
|
const program = new Command();
|
|
program.exitOverride();
|
|
program.configureOutput({ writeOut: () => {}, writeErr: () => {} });
|
|
registerSecretCommands(program);
|
|
await program.parseAsync([...args, "--api-base", "http://localhost:3100", "--api-key", "board-token"], { from: "user" });
|
|
}
|
|
|
|
function jsonResponse(body: unknown = { ok: true }, init: ResponseInit = { status: 200 }): Response {
|
|
return new Response(JSON.stringify(body), init);
|
|
}
|