fix: 支持 AgentRun render-only REST 入口 (#170)

Co-authored-by: AgentRun Codex <agentrun-codex@users.noreply.github.com>
This commit is contained in:
Lyon
2026-06-11 15:39:52 +08:00
committed by GitHub
parent 83a303959e
commit 8cf6534bec
12 changed files with 338 additions and 12 deletions
+2
View File
@@ -3,6 +3,8 @@ export type JsonValue = JsonPrimitive | JsonValue[] | { [key: string]: JsonValue
export type JsonRecord = { [key: string]: JsonValue };
export type FailureKind =
| "auth-missing"
| "auth-failed"
| "schema-invalid"
| "tenant-policy-denied"
| "secret-unavailable"
+102
View File
@@ -0,0 +1,102 @@
import { existsSync, readFileSync } from "node:fs";
import type { IncomingMessage } from "node:http";
import { AgentRunError } from "../common/errors.js";
import type { JsonRecord } from "../common/types.js";
export interface ManagerAuthConfig {
apiKey: string | null;
source: string;
required?: boolean;
}
export function managerServerAuthConfigFromEnv(env: NodeJS.ProcessEnv = process.env): ManagerAuthConfig {
const direct = normalizedSecret(env.AGENTRUN_API_KEY);
if (direct) return { apiKey: direct, source: "AGENTRUN_API_KEY", required: true };
const file = normalizedSecret(env.AGENTRUN_API_KEY_FILE);
if (file) {
const fileKey = readEnvFileSecret(file, ["AGENTRUN_API_KEY", "HWLAB_API_KEY"]);
return { apiKey: fileKey, source: "AGENTRUN_API_KEY_FILE", required: true };
}
return { apiKey: null, source: "not-configured", required: false };
}
export function managerClientAuthConfigFromEnv(env: NodeJS.ProcessEnv = process.env): ManagerAuthConfig {
const agentRunKey = normalizedSecret(env.AGENTRUN_API_KEY);
if (agentRunKey) return { apiKey: agentRunKey, source: "AGENTRUN_API_KEY" };
const hwlabKey = normalizedSecret(env.HWLAB_API_KEY);
if (hwlabKey) return { apiKey: hwlabKey, source: "HWLAB_API_KEY" };
const agentRunFile = normalizedSecret(env.AGENTRUN_API_KEY_FILE);
if (agentRunFile) return { apiKey: readEnvFileSecret(agentRunFile, ["AGENTRUN_API_KEY", "HWLAB_API_KEY"]), source: "AGENTRUN_API_KEY_FILE" };
const hwlabFile = normalizedSecret(env.HWLAB_API_KEY_FILE);
if (hwlabFile) return { apiKey: readEnvFileSecret(hwlabFile, ["HWLAB_API_KEY", "AGENTRUN_API_KEY"]), source: "HWLAB_API_KEY_FILE" };
return { apiKey: null, source: "not-configured" };
}
export function assertManagerRequestAuthorized(req: IncomingMessage, path: string, auth: ManagerAuthConfig): void {
if (isManagerPublicPath(path)) return;
if (!auth.apiKey) {
if (auth.required !== true) return;
throw new AgentRunError("auth-missing", "agentrun-mgr API key is not configured", {
httpStatus: 503,
details: { auth: managerAuthSummary(auth) },
});
}
const actual = bearerToken(req.headers.authorization);
if (actual !== auth.apiKey) {
throw new AgentRunError("auth-failed", "agentrun-mgr API requires Authorization: Bearer <redacted>", {
httpStatus: 401,
details: { auth: managerAuthSummary(auth) },
});
}
}
export function managerAuthSummary(auth: ManagerAuthConfig): JsonRecord {
return {
required: auth.required === true || auth.apiKey !== null,
scheme: "Bearer",
source: auth.source,
valuesPrinted: false,
};
}
export function managerAuthorizationHeader(apiKey: string | null): string | null {
return apiKey ? `Bearer ${apiKey}` : null;
}
function isManagerPublicPath(path: string): boolean {
return path === "/health" || path === "/health/live" || path === "/health/readiness";
}
function bearerToken(value: string | string[] | undefined): string | null {
const header = Array.isArray(value) ? value[0] : value;
if (!header) return null;
const match = header.match(/^Bearer\s+(.+)$/iu);
return match ? normalizedSecret(match[1]) : null;
}
function readEnvFileSecret(file: string, keys: string[]): string | null {
if (!existsSync(file)) return null;
const text = readFileSync(file, "utf8");
for (const line of text.split(/\r?\n/u)) {
const trimmed = line.trim();
if (!trimmed || trimmed.startsWith("#")) continue;
const match = trimmed.match(/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/u);
if (!match || !keys.includes(match[1] ?? "")) continue;
return normalizedSecret(unquoteEnvValue(match[2] ?? ""));
}
return null;
}
function unquoteEnvValue(value: string): string {
const trimmed = value.trim();
if ((trimmed.startsWith('"') && trimmed.endsWith('"')) || (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
return trimmed.slice(1, -1);
}
return trimmed;
}
function normalizedSecret(value: string | undefined | null): string | null {
if (typeof value !== "string") return null;
const trimmed = value.trim();
return trimmed.length > 0 ? trimmed : null;
}
+11 -3
View File
@@ -1,8 +1,13 @@
import type { JsonRecord, JsonValue } from "../common/types.js";
import { AgentRunError } from "../common/errors.js";
import { managerAuthorizationHeader, managerClientAuthConfigFromEnv } from "./auth.js";
export interface ManagerClientOptions {
apiKey?: string | null;
}
export class ManagerClient {
constructor(readonly baseUrl: string) {}
constructor(readonly baseUrl: string, readonly options: ManagerClientOptions = {}) {}
async get(path: string): Promise<JsonValue> {
return this.request("GET", path);
@@ -25,9 +30,12 @@ export class ManagerClient {
}
private async request(method: string, path: string, body?: JsonValue): Promise<JsonValue> {
const init: RequestInit = { method };
const headers: Record<string, string> = {};
const authHeader = managerAuthorizationHeader(this.options.apiKey === undefined ? managerClientAuthConfigFromEnv().apiKey : this.options.apiKey);
if (authHeader) headers.authorization = authHeader;
const init: RequestInit = { method, headers };
if (body !== undefined) {
init.headers = { "content-type": "application/json" };
headers["content-type"] = "application/json";
init.body = JSON.stringify(body);
}
const response = await fetch(new URL(path, this.baseUrl), init);
+8 -3
View File
@@ -14,6 +14,7 @@ import { runnerJobStatusSummary } from "./runner-job-status.js";
import { createSessionPvc, deleteSessionPvc, getSessionPvcSummary, refreshSessionPvcSummary, runSessionStorageGc } from "./session-pvc.js";
import type { SessionPvcSummary } from "./session-pvc.js";
import type { SessionPvcOptions } from "./session-pvc.js";
import { assertManagerRequestAuthorized, managerAuthSummary, managerServerAuthConfigFromEnv, type ManagerAuthConfig } from "./auth.js";
import { getProviderProfileConfig, getProviderProfileValidation, listBackendCapabilities, listProviderProfiles, removeProviderProfile, setProviderProfileConfig, setProviderProfileCredential, showProviderProfile, validateProviderProfile } from "./provider-profiles.js";
import { listToolCredentials, setGithubSshToolCredential, showToolCredential } from "./tool-credentials.js";
import { aipodSpecFromInput, applyAipodSpec, deleteAipodSpec, listAipodSpecs, renderAipodSpecByName, showAipodSpec } from "../common/aipod-specs.js";
@@ -53,6 +54,7 @@ export interface ManagerServerOptions {
providerProfileOptions?: { namespace?: string; kubectlCommand?: string };
toolCredentialOptions?: { namespace?: string; kubectlCommand?: string };
aipodSpecDir?: string;
auth?: ManagerAuthConfig;
}
export interface StartedManagerServer {
@@ -69,12 +71,15 @@ export async function startManagerServer(options: ManagerServerOptions = {}): Pr
const providerProfileDefaults = options.providerProfileOptions;
const toolCredentialDefaults = options.toolCredentialOptions;
const aipodSpecDir = options.aipodSpecDir ?? process.env.AGENTRUN_AIPOD_SPEC_DIR;
const auth = options.auth ?? managerServerAuthConfigFromEnv();
const authSummary = managerAuthSummary(auth);
const server = createServer(async (req, res) => {
const traceId = `trc_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
try {
const method = req.method ?? "GET";
const url = new URL(req.url ?? "/", "http://agentrun.local");
const data = await route({ method, url, body: await readBody(req), store, sourceCommit, ...(runnerJobDefaults ? { runnerJobDefaults } : {}), ...(sessionPvcDefaults ? { sessionPvcDefaults } : {}), ...(providerProfileDefaults ? { providerProfileDefaults } : {}), ...(toolCredentialDefaults ? { toolCredentialDefaults } : {}), ...(aipodSpecDir ? { aipodSpecDir } : {}) });
assertManagerRequestAuthorized(req, url.pathname, auth);
const data = await route({ method, url, body: await readBody(req), store, sourceCommit, authSummary, ...(runnerJobDefaults ? { runnerJobDefaults } : {}), ...(sessionPvcDefaults ? { sessionPvcDefaults } : {}), ...(providerProfileDefaults ? { providerProfileDefaults } : {}), ...(toolCredentialDefaults ? { toolCredentialDefaults } : {}), ...(aipodSpecDir ? { aipodSpecDir } : {}) });
writeJson(res, 200, { ok: true, data, traceId });
} catch (error) {
const agentError = normalizeError(error);
@@ -237,12 +242,12 @@ function compactRecoveryActions(value: JsonValue | undefined): JsonValue[] {
});
}
async function route({ method, url, body, store, sourceCommit, runnerJobDefaults, sessionPvcDefaults, providerProfileDefaults, toolCredentialDefaults, aipodSpecDir }: { method: string; url: URL; body: unknown; store: AgentRunStore; sourceCommit: string; runnerJobDefaults?: NonNullable<ManagerServerOptions["runnerJobDefaults"]>; sessionPvcDefaults?: NonNullable<ManagerServerOptions["sessionPvcOptions"]>; providerProfileDefaults?: NonNullable<ManagerServerOptions["providerProfileOptions"]>; toolCredentialDefaults?: NonNullable<ManagerServerOptions["toolCredentialOptions"]>; aipodSpecDir?: string }): Promise<JsonValue> {
async function route({ method, url, body, store, sourceCommit, authSummary, runnerJobDefaults, sessionPvcDefaults, providerProfileDefaults, toolCredentialDefaults, aipodSpecDir }: { method: string; url: URL; body: unknown; store: AgentRunStore; sourceCommit: string; authSummary?: JsonRecord; runnerJobDefaults?: NonNullable<ManagerServerOptions["runnerJobDefaults"]>; sessionPvcDefaults?: NonNullable<ManagerServerOptions["sessionPvcOptions"]>; providerProfileDefaults?: NonNullable<ManagerServerOptions["providerProfileOptions"]>; toolCredentialDefaults?: NonNullable<ManagerServerOptions["toolCredentialOptions"]>; aipodSpecDir?: string }): Promise<JsonValue> {
const path = url.pathname;
if (method === "GET" && (path === "/health" || path === "/health/live" || path === "/health/readiness")) {
const database = await store.health();
const ready = path === "/health/live" ? true : database.ready;
return { serviceId: "agentrun-mgr", live: true, ready, database, sourceCommit, runnerWorkReady: staticWorkReadyCapabilitySummary(), secretRefs: { databaseUrl: database.adapter === "postgres" ? "redacted" : "not-used", valuesPrinted: false } };
return { serviceId: "agentrun-mgr", live: true, ready, database, sourceCommit, auth: authSummary ?? null, runnerWorkReady: staticWorkReadyCapabilitySummary(), secretRefs: { databaseUrl: database.adapter === "postgres" ? "redacted" : "not-used", valuesPrinted: false } };
}
if (method === "GET" && path === "/api/v1/backends") return await listBackendCapabilities(providerProfileDefaults) as JsonValue;
if (method === "GET" && path === "/api/v1/tool-credentials") return await listToolCredentials(toolCredentialDefaults) as JsonValue;
+1
View File
@@ -231,6 +231,7 @@ function runnerEnv(options: RunnerJobRenderOptions, context: { namespace: string
const codexHome = selectedSecret?.runtimeMountPath ?? defaultRuntimeHome(options.run.backendProfile);
return dedupeEnvVars([
{ name: "AGENTRUN_MGR_URL", value: options.managerUrl },
{ name: "AGENTRUN_API_KEY", valueFrom: { secretKeyRef: { name: "agentrun-v01-api-key", key: "HWLAB_API_KEY" } } },
{ name: "AGENTRUN_RUN_ID", value: options.run.id },
{ name: "AGENTRUN_COMMAND_ID", value: options.commandId },
{ name: "AGENTRUN_ATTEMPT_ID", value: context.attemptId },
+24 -1
View File
@@ -18,13 +18,36 @@ const selfTest: SelfTestCase = async () => {
assert.equal(((health.runnerWorkReady as { valuesPrinted?: unknown } | undefined)?.valuesPrinted), false);
assert.ok((((health.runnerWorkReady as { requiredImageTools?: string[] } | undefined)?.requiredImageTools) ?? []).includes("npm"));
assert.equal(health.secretRefs?.valuesPrinted, false);
await assertManagerAuthBoundary();
await assertLongResultUsesTerminalAssistant(client, store);
return { name: "manager-memory", tests: ["manager-memory-lifecycle", "manager-result-long-trace"] };
return { name: "manager-memory", tests: ["manager-memory-lifecycle", "manager-auth-boundary", "manager-result-long-trace"] };
} finally {
await new Promise<void>((resolve) => server.server.close(() => resolve()));
}
};
async function assertManagerAuthBoundary(): Promise<void> {
const store = new MemoryAgentRunStore();
const server = await startManagerServer({ port: 0, host: "127.0.0.1", sourceCommit: "self-test", store, auth: { apiKey: "self-test-secret", source: "self-test" } });
try {
const healthResponse = await fetch(new URL("/health/readiness", server.baseUrl));
assert.equal(healthResponse.status, 200);
const healthEnvelope = await healthResponse.json() as JsonRecord;
assert.equal(healthEnvelope.ok, true);
const deniedResponse = await fetch(new URL("/api/v1/queue/tasks", server.baseUrl));
assert.equal(deniedResponse.status, 401);
const deniedEnvelope = await deniedResponse.json() as JsonRecord;
assert.equal(deniedEnvelope.ok, false);
assert.equal(deniedEnvelope.failureKind, "auth-failed");
assert.equal((deniedEnvelope.message as string).includes("Bearer"), true);
const client = new ManagerClient(server.baseUrl, { apiKey: "self-test-secret" });
const page = await client.get("/api/v1/queue/tasks") as JsonRecord;
assert.equal(Array.isArray(page.items), true);
} finally {
await new Promise<void>((resolve) => server.server.close(() => resolve()));
}
}
async function assertLongResultUsesTerminalAssistant(client: ManagerClient, store: MemoryAgentRunStore): Promise<void> {
const run = store.createRun({
tenantId: "unidesk",
+8
View File
@@ -33,6 +33,10 @@ type SelfTestRunContext = Pick<SelfTestContext, "workspace" | "codexHome"> & Par
export async function createSelfTestContext(root: string): Promise<SelfTestContext> {
const tmp = await mkdtemp(path.join(os.tmpdir(), "agentrun-selftest-"));
const previousSelftestWorkReadyBinPath = process.env.AGENTRUN_SELFTEST_WORK_READY_BIN_PATH;
const previousAgentRunApiKey = process.env.AGENTRUN_API_KEY;
const previousAgentRunApiKeyFile = process.env.AGENTRUN_API_KEY_FILE;
delete process.env.AGENTRUN_API_KEY;
delete process.env.AGENTRUN_API_KEY_FILE;
const codexHome = path.join(tmp, "codex-home");
const deepseekHome = path.join(tmp, "deepseek-home");
const minimaxM3Home = path.join(tmp, "minimax-m3-home");
@@ -67,6 +71,10 @@ export async function createSelfTestContext(root: string): Promise<SelfTestConte
cleanup: async () => {
if (previousSelftestWorkReadyBinPath === undefined) delete process.env.AGENTRUN_SELFTEST_WORK_READY_BIN_PATH;
else process.env.AGENTRUN_SELFTEST_WORK_READY_BIN_PATH = previousSelftestWorkReadyBinPath;
if (previousAgentRunApiKey === undefined) delete process.env.AGENTRUN_API_KEY;
else process.env.AGENTRUN_API_KEY = previousAgentRunApiKey;
if (previousAgentRunApiKeyFile === undefined) delete process.env.AGENTRUN_API_KEY_FILE;
else process.env.AGENTRUN_API_KEY_FILE = previousAgentRunApiKeyFile;
await rm(tmp, { recursive: true, force: true });
},
};