403 lines
26 KiB
TypeScript
403 lines
26 KiB
TypeScript
import { createHash, randomUUID } from "node:crypto";
|
|
import type { BackendProfile, CreateCommandInput, CreateQueueTaskInput, CreateRunInput, ExecutionPolicy, JsonRecord, JsonValue, QueueTaskState, ResourceBundleRef, SecretRef, SessionListState, SessionRef } from "./types.js";
|
|
import { AgentRunError } from "./errors.js";
|
|
import { backendProfileIdPattern, backendProfileSpec, isBackendProfile } from "./backend-profiles.js";
|
|
|
|
const backendProfilePatternText = String(backendProfileIdPattern);
|
|
|
|
const allowedTenants = new Set(["unidesk", "hwlab"]);
|
|
const allowedToolCredentials = ["github", "unidesk-ssh"] as const;
|
|
|
|
export function nowIso(): string {
|
|
return new Date().toISOString();
|
|
}
|
|
|
|
export function newId(prefix: string): string {
|
|
return `${prefix}_${randomUUID().replace(/-/gu, "")}`;
|
|
}
|
|
|
|
export function stableHash(value: JsonValue): string {
|
|
return createHash("sha256").update(JSON.stringify(sortJson(value))).digest("hex");
|
|
}
|
|
|
|
function sortJson(value: JsonValue): JsonValue {
|
|
if (Array.isArray(value)) return value.map(sortJson);
|
|
if (typeof value !== "object" || value === null) return value;
|
|
return Object.fromEntries(Object.entries(value).sort(([a], [b]) => a.localeCompare(b)).map(([key, entry]) => [key, sortJson(entry)]));
|
|
}
|
|
|
|
export function asRecord(value: unknown, fieldName: string): JsonRecord {
|
|
if (typeof value === "object" && value !== null && !Array.isArray(value)) return value as JsonRecord;
|
|
throw new AgentRunError("schema-invalid", `${fieldName} must be an object`, { httpStatus: 400 });
|
|
}
|
|
|
|
function requiredString(record: JsonRecord, key: string): string {
|
|
const value = record[key];
|
|
if (typeof value !== "string" || value.trim().length === 0) throw new AgentRunError("schema-invalid", `${key} is required`, { httpStatus: 400 });
|
|
return value.trim();
|
|
}
|
|
|
|
function requiredRecord(record: JsonRecord, key: string): JsonRecord {
|
|
return asRecord(record[key], key);
|
|
}
|
|
|
|
export function validateCreateRun(input: unknown): CreateRunInput {
|
|
const record = asRecord(input, "run");
|
|
const tenantId = requiredString(record, "tenantId");
|
|
if (!allowedTenants.has(tenantId)) throw new AgentRunError("tenant-policy-denied", `tenantId ${tenantId} is not allowed`, { httpStatus: 403 });
|
|
const backendProfileValue = requiredString(record, "backendProfile");
|
|
if (!isBackendProfile(backendProfileValue)) throw new AgentRunError("schema-invalid", `backendProfile ${backendProfileValue} must be a lowercase slug`, { httpStatus: 400, details: { pattern: backendProfilePatternText } });
|
|
const backendProfile = backendProfileValue as BackendProfile;
|
|
const executionPolicy = validateExecutionPolicy(requiredRecord(record, "executionPolicy"));
|
|
validateBackendSecretScope(backendProfile, executionPolicy);
|
|
return {
|
|
tenantId,
|
|
projectId: requiredString(record, "projectId"),
|
|
workspaceRef: requiredRecord(record, "workspaceRef") as CreateRunInput["workspaceRef"],
|
|
sessionRef: validateSessionRef(record.sessionRef),
|
|
resourceBundleRef: validateResourceBundleRef(record.resourceBundleRef),
|
|
providerId: requiredString(record, "providerId"),
|
|
backendProfile,
|
|
executionPolicy,
|
|
traceSink: record.traceSink ?? null,
|
|
};
|
|
}
|
|
|
|
export function validateSessionRef(value: unknown): SessionRef | null {
|
|
if (value === undefined || value === null) return null;
|
|
const record = asRecord(value, "sessionRef");
|
|
const sessionId = requiredString(record, "sessionId");
|
|
const result: SessionRef = { sessionId };
|
|
const conversationId = optionalString(record.conversationId);
|
|
const threadId = optionalString(record.threadId);
|
|
const expiresAt = optionalString(record.expiresAt);
|
|
const metadata = record.metadata === undefined ? undefined : asRecord(record.metadata, "sessionRef.metadata");
|
|
if (conversationId) result.conversationId = conversationId;
|
|
if (threadId) result.threadId = threadId;
|
|
if (expiresAt) result.expiresAt = expiresAt;
|
|
if (metadata) result.metadata = metadata;
|
|
return result;
|
|
}
|
|
|
|
export function validateResourceBundleRef(value: unknown): ResourceBundleRef | null {
|
|
if (value === undefined || value === null) return null;
|
|
const record = asRecord(value, "resourceBundleRef");
|
|
const kind = requiredString(record, "kind");
|
|
if (kind !== "gitbundle") throw new AgentRunError("schema-invalid", "resourceBundleRef.kind must be gitbundle", { httpStatus: 400 });
|
|
const repoUrl = requiredString(record, "repoUrl");
|
|
const commitId = optionalString(record.commitId);
|
|
if (commitId) validateCommitId(commitId, "resourceBundleRef.commitId");
|
|
const ref = validateGitRef(record.ref, "resourceBundleRef.ref");
|
|
rejectLegacyResourceBundleFields(record);
|
|
const gitMirror = validateGitMirror(record.gitMirror);
|
|
const result: ResourceBundleRef = { kind: "gitbundle", repoUrl, ...(commitId ? { commitId } : {}), ...(ref ? { ref } : {}), ...(gitMirror ? { gitMirror } : {}), bundles: validateResourceGitBundles(record.bundles, repoUrl, commitId, ref) };
|
|
if (record.promptRefs !== undefined) result.promptRefs = validateResourcePromptRefs(record.promptRefs);
|
|
if (record.requiredSkills !== undefined) result.requiredSkills = validateResourceRequiredSkills(record.requiredSkills);
|
|
if (record.submodules !== undefined && record.submodules !== false) throw new AgentRunError("schema-invalid", "resourceBundleRef.submodules can only be false in v0.1", { httpStatus: 400 });
|
|
if (record.lfs !== undefined && record.lfs !== false) throw new AgentRunError("schema-invalid", "resourceBundleRef.lfs can only be false in v0.1", { httpStatus: 400 });
|
|
if (record.submodules === false) result.submodules = false;
|
|
if (record.lfs === false) result.lfs = false;
|
|
if (record.credentialRef !== undefined) result.credentialRef = validateSecretRef(asRecord(record.credentialRef, "resourceBundleRef.credentialRef"));
|
|
return result;
|
|
}
|
|
|
|
function validateGitMirror(value: unknown): NonNullable<ResourceBundleRef["gitMirror"]> | undefined {
|
|
if (value === undefined) return undefined;
|
|
const record = asRecord(value, "resourceBundleRef.gitMirror");
|
|
const enabled = record.enabled === undefined ? true : record.enabled;
|
|
if (typeof enabled !== "boolean") throw new AgentRunError("schema-invalid", "resourceBundleRef.gitMirror.enabled must be boolean", { httpStatus: 400 });
|
|
const baseUrl = optionalString(record.baseUrl);
|
|
if (baseUrl) validateGitMirrorBaseUrl(baseUrl);
|
|
return { enabled, ...(baseUrl ? { baseUrl } : {}) };
|
|
}
|
|
|
|
function validateGitMirrorBaseUrl(value: string): void {
|
|
let parsed: URL;
|
|
try {
|
|
parsed = new URL(value);
|
|
} catch {
|
|
throw new AgentRunError("schema-invalid", "resourceBundleRef.gitMirror.baseUrl must be an http(s) URL", { httpStatus: 400 });
|
|
}
|
|
if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new AgentRunError("schema-invalid", "resourceBundleRef.gitMirror.baseUrl must use http or https", { httpStatus: 400 });
|
|
if (parsed.username || parsed.password || parsed.search || parsed.hash) throw new AgentRunError("schema-invalid", "resourceBundleRef.gitMirror.baseUrl must not include credentials, query, or fragment", { httpStatus: 400 });
|
|
}
|
|
|
|
function rejectLegacyResourceBundleFields(record: JsonRecord): void {
|
|
for (const field of ["toolAliases", "skillRefs", "workspaceFiles", "subdir", "sparsePaths"] as const) {
|
|
if (record[field] !== undefined) throw new AgentRunError("schema-invalid", `resourceBundleRef.${field} is removed; use resourceBundleRef.bundles[] with kind=gitbundle`, { httpStatus: 400 });
|
|
}
|
|
}
|
|
|
|
function validateResourceGitBundles(value: unknown, defaultRepoUrl: string, defaultCommitId?: string, defaultRef?: string): ResourceBundleRef["bundles"] {
|
|
if (!Array.isArray(value)) throw new AgentRunError("schema-invalid", "resourceBundleRef.bundles must be an array", { httpStatus: 400 });
|
|
if (value.length === 0) throw new AgentRunError("schema-invalid", "resourceBundleRef.bundles must contain at least one entry", { httpStatus: 400 });
|
|
if (value.length > 64) throw new AgentRunError("schema-invalid", "resourceBundleRef.bundles must contain at most 64 entries", { httpStatus: 400 });
|
|
const seen = new Set<string>();
|
|
return value.map((entry, index) => {
|
|
const record = asRecord(entry, `resourceBundleRef.bundles[${index}]`);
|
|
const name = optionalString(record.name);
|
|
if (name) validateResourceName(name, `resourceBundleRef.bundles[${index}].name`);
|
|
const repoUrl = optionalString(record.repoUrl) ?? defaultRepoUrl;
|
|
const commitId = optionalString(record.commitId) ?? defaultCommitId;
|
|
if (commitId) validateCommitId(commitId, `resourceBundleRef.bundles[${index}].commitId`);
|
|
const ref = validateGitRef(record.ref, `resourceBundleRef.bundles[${index}].ref`) ?? (commitId ? undefined : defaultRef);
|
|
const subpath = validateBundleSubpath(requiredString(record, "subpath"), `resourceBundleRef.bundles[${index}].subpath`);
|
|
const rawTargetPath = typeof record.targetPath === "string" ? record.targetPath : record.target_path;
|
|
if (typeof rawTargetPath !== "string" || rawTargetPath.trim().length === 0) throw new AgentRunError("schema-invalid", `resourceBundleRef.bundles[${index}].target_path is required`, { httpStatus: 400 });
|
|
const targetPath = validateWorkspaceRelativePath(rawTargetPath.trim(), `resourceBundleRef.bundles[${index}].target_path`);
|
|
const identity = `${repoUrl}\0${commitId ?? ""}\0${ref ?? ""}\0${subpath}\0${targetPath}`;
|
|
if (seen.has(identity)) throw new AgentRunError("schema-invalid", `resourceBundleRef.bundles[${index}] duplicates an earlier bundle target`, { httpStatus: 400 });
|
|
seen.add(identity);
|
|
return { ...(name ? { name } : {}), ...(repoUrl === defaultRepoUrl ? {} : { repoUrl }), ...(commitId && commitId !== defaultCommitId ? { commitId } : {}), ...(ref && ref !== defaultRef ? { ref } : {}), subpath, targetPath };
|
|
});
|
|
}
|
|
|
|
function validateCommitId(commitId: string, fieldName: string): void {
|
|
if (!/^[0-9a-f]{40}$/u.test(commitId)) throw new AgentRunError("schema-invalid", `${fieldName} must be a full 40-character git commit sha`, { httpStatus: 400 });
|
|
}
|
|
|
|
function validateGitRef(value: unknown, fieldName: string): string | undefined {
|
|
const ref = optionalString(value);
|
|
if (!ref) return undefined;
|
|
if (ref.length > 200 || ref.startsWith("-") || ref.includes("..") || ref.includes("@{") || ref.endsWith("/") || ref.endsWith(".") || /[\s~^:?*[\\\x00-\x1f\x7f]/u.test(ref)) {
|
|
throw new AgentRunError("schema-invalid", `${fieldName} must be a bounded git ref name`, { httpStatus: 400 });
|
|
}
|
|
return ref;
|
|
}
|
|
|
|
function validateResourcePromptRefs(value: unknown): NonNullable<ResourceBundleRef["promptRefs"]> {
|
|
if (!Array.isArray(value)) throw new AgentRunError("schema-invalid", "resourceBundleRef.promptRefs must be an array", { httpStatus: 400 });
|
|
if (value.length > 16) throw new AgentRunError("schema-invalid", "resourceBundleRef.promptRefs must contain at most 16 entries", { httpStatus: 400 });
|
|
const seen = new Set<string>();
|
|
return value.map((entry, index) => {
|
|
const record = asRecord(entry, `resourceBundleRef.promptRefs[${index}]`);
|
|
const name = validateResourceName(requiredString(record, "name"), `resourceBundleRef.promptRefs[${index}].name`);
|
|
if (seen.has(name)) throw new AgentRunError("schema-invalid", `resourceBundleRef.promptRefs name ${name} is duplicated`, { httpStatus: 400 });
|
|
seen.add(name);
|
|
const promptPath = validateBundleRelativePath(requiredString(record, "path"), `resourceBundleRef.promptRefs[${index}].path`);
|
|
const inject = optionalString(record.inject) ?? "thread-start";
|
|
if (inject !== "thread-start") throw new AgentRunError("schema-invalid", `resourceBundleRef.promptRefs[${index}].inject must be thread-start in v0.1`, { httpStatus: 400 });
|
|
const required = record.required === undefined ? false : record.required;
|
|
if (typeof required !== "boolean") throw new AgentRunError("schema-invalid", `resourceBundleRef.promptRefs[${index}].required must be boolean`, { httpStatus: 400 });
|
|
return { name, path: promptPath, inject: "thread-start" as const, required };
|
|
});
|
|
}
|
|
|
|
function validateResourceRequiredSkills(value: unknown): NonNullable<ResourceBundleRef["requiredSkills"]> {
|
|
if (!Array.isArray(value)) throw new AgentRunError("schema-invalid", "resourceBundleRef.requiredSkills must be an array", { httpStatus: 400 });
|
|
if (value.length > 32) throw new AgentRunError("schema-invalid", "resourceBundleRef.requiredSkills must contain at most 32 entries", { httpStatus: 400 });
|
|
const seen = new Set<string>();
|
|
return value.map((entry, index) => {
|
|
const record = asRecord(entry, `resourceBundleRef.requiredSkills[${index}]`);
|
|
const allowedKeys = new Set(["name"]);
|
|
const extraKeys = Object.keys(record).filter((key) => !allowedKeys.has(key));
|
|
if (extraKeys.length > 0) throw new AgentRunError("schema-invalid", `resourceBundleRef.requiredSkills[${index}] only supports name`, { httpStatus: 400, details: { rejectedKeys: extraKeys.sort(), valuesPrinted: false } });
|
|
const name = validateResourceName(requiredString(record, "name"), `resourceBundleRef.requiredSkills[${index}].name`);
|
|
if (seen.has(name)) throw new AgentRunError("schema-invalid", `resourceBundleRef.requiredSkills name ${name} is duplicated`, { httpStatus: 400 });
|
|
seen.add(name);
|
|
return { name };
|
|
});
|
|
}
|
|
|
|
function validateResourceName(name: string, fieldName: string): string {
|
|
if (!/^[a-z][a-z0-9._-]{0,62}$/u.test(name)) throw new AgentRunError("schema-invalid", `${fieldName} must be a lowercase resource name`, { httpStatus: 400 });
|
|
return name;
|
|
}
|
|
|
|
function validateBundleSubpath(relativePath: string, fieldName: string): string {
|
|
if (relativePath.startsWith("/") || relativePath.includes("..") || relativePath.includes("\\")) throw new AgentRunError("schema-invalid", `${fieldName} must stay within the checkout`, { httpStatus: 400 });
|
|
return relativePath;
|
|
}
|
|
|
|
function validateBundleRelativePath(relativePath: string, fieldName: string): string {
|
|
if (relativePath === "." || relativePath.startsWith("/") || relativePath.includes("..") || relativePath.includes("\\")) throw new AgentRunError("schema-invalid", `${fieldName} must stay within the checkout`, { httpStatus: 400 });
|
|
return relativePath;
|
|
}
|
|
|
|
function validateWorkspaceRelativePath(relativePath: string, fieldName: string): string {
|
|
if (relativePath === "." || relativePath.startsWith("/") || relativePath.includes("..") || relativePath.includes("\\")) throw new AgentRunError("schema-invalid", `${fieldName} must stay within the workspace`, { httpStatus: 400 });
|
|
return relativePath;
|
|
}
|
|
|
|
export function validateExecutionPolicy(record: JsonRecord): ExecutionPolicy {
|
|
const timeout = record.timeoutMs;
|
|
if (typeof timeout !== "number" || !Number.isFinite(timeout) || timeout <= 0) throw new AgentRunError("schema-invalid", "executionPolicy.timeoutMs must be a positive number", { httpStatus: 400 });
|
|
const secretScope = asRecord(record.secretScope ?? {}, "executionPolicy.secretScope");
|
|
if (secretScope.allowCredentialEcho !== undefined && secretScope.allowCredentialEcho !== false) throw new AgentRunError("tenant-policy-denied", "allowCredentialEcho must be false", { httpStatus: 403 });
|
|
const rawProviderCredentials = Array.isArray(secretScope.providerCredentials) ? secretScope.providerCredentials : [];
|
|
const providerCredentials: NonNullable<ExecutionPolicy["secretScope"]["providerCredentials"]> = [];
|
|
for (const credential of rawProviderCredentials) {
|
|
const item = asRecord(credential, "providerCredential");
|
|
const profile = typeof item.profile === "string" ? item.profile.trim() : "";
|
|
if (profile.length === 0) throw new AgentRunError("schema-invalid", "provider credential profile is required", { httpStatus: 400 });
|
|
if (!isBackendProfile(profile)) throw new AgentRunError("schema-invalid", `provider credential profile ${profile} must be a lowercase slug`, { httpStatus: 400, details: { pattern: backendProfilePatternText } });
|
|
const secretRef = validateSecretRef(asRecord(item.secretRef, "providerCredential.secretRef"));
|
|
const keys = [...new Set([...(secretRef.keys ?? []), ...(backendProfileSpec(profile)?.requiredSecretKeys ?? [])])];
|
|
providerCredentials.push({ profile, secretRef: { ...secretRef, ...(keys.length > 0 ? { keys } : {}) } });
|
|
}
|
|
const toolCredentials = validateToolCredentials(secretScope.toolCredentials);
|
|
const secretScopeResult: ExecutionPolicy["secretScope"] = { allowCredentialEcho: false };
|
|
if (providerCredentials.length > 0) secretScopeResult.providerCredentials = providerCredentials as NonNullable<ExecutionPolicy["secretScope"]["providerCredentials"]>;
|
|
if (toolCredentials.length > 0) secretScopeResult.toolCredentials = toolCredentials;
|
|
return {
|
|
sandbox: requiredString(record, "sandbox"),
|
|
approval: requiredString(record, "approval"),
|
|
timeoutMs: timeout,
|
|
network: requiredString(record, "network"),
|
|
secretScope: secretScopeResult,
|
|
};
|
|
}
|
|
|
|
function validateToolCredentials(value: unknown): NonNullable<ExecutionPolicy["secretScope"]["toolCredentials"]> {
|
|
if (value === undefined) return [];
|
|
if (!Array.isArray(value)) throw new AgentRunError("schema-invalid", "toolCredentials must be an array", { httpStatus: 400 });
|
|
if (value.length > 8) throw new AgentRunError("schema-invalid", "toolCredentials must contain at most 8 entries", { httpStatus: 400 });
|
|
const seen = new Set<string>();
|
|
return value.map((credential, index) => {
|
|
const item = asRecord(credential, `toolCredentials[${index}]`);
|
|
const tool = requiredString(item, "tool");
|
|
if (!allowedToolCredentials.includes(tool as (typeof allowedToolCredentials)[number])) throw new AgentRunError("schema-invalid", `tool credential ${tool} is not supported in v0.1`, { httpStatus: 400, details: { allowedTools: [...allowedToolCredentials] } });
|
|
const purpose = optionalString(item.purpose);
|
|
const secretRef = validateSecretRef(asRecord(item.secretRef, `toolCredentials[${index}].secretRef`));
|
|
const keys = secretRef.keys ?? [];
|
|
if (keys.length === 0) throw new AgentRunError("schema-invalid", `tool credential ${tool} secretRef.keys must not be empty`, { httpStatus: 400 });
|
|
const projection = asRecord(item.projection, `toolCredentials[${index}].projection`);
|
|
const kind = requiredString(projection, "kind");
|
|
const normalizedProjection = validateToolCredentialProjection(tool, projection, keys, index);
|
|
const identity = `${tool}:${purpose ?? ""}:${kind}:${normalizedProjection.kind === "env" ? normalizedProjection.envName : normalizedProjection.mountPath}`;
|
|
if (seen.has(identity)) throw new AgentRunError("schema-invalid", `tool credential projection ${identity} is duplicated`, { httpStatus: 400 });
|
|
seen.add(identity);
|
|
return { tool, ...(purpose ? { purpose } : {}), secretRef, projection: normalizedProjection };
|
|
});
|
|
}
|
|
|
|
function validateToolCredentialProjection(tool: string, projection: JsonRecord, keys: string[], index: number): NonNullable<ExecutionPolicy["secretScope"]["toolCredentials"]>[number]["projection"] {
|
|
const kind = requiredString(projection, "kind");
|
|
if (kind === "env") {
|
|
const envName = requiredString(projection, "envName");
|
|
validateEnvName(envName, `toolCredentials[${index}].projection.envName`);
|
|
const secretKey = optionalString(projection.secretKey) ?? keys[0];
|
|
if (!secretKey || !keys.includes(secretKey)) throw new AgentRunError("schema-invalid", `tool credential ${tool} projection.secretKey must be included in secretRef.keys`, { httpStatus: 400 });
|
|
if (tool === "unidesk-ssh") validateUnideskSshProjection(envName, secretKey, keys, index);
|
|
return { kind: "env", envName, secretKey };
|
|
}
|
|
|
|
if (kind === "volume") {
|
|
const mountPath = requiredString(projection, "mountPath");
|
|
if (!mountPath.startsWith("/home/agentrun/") || mountPath.includes("..")) {
|
|
throw new AgentRunError("schema-invalid", `toolCredentials[${index}].projection.mountPath must stay under /home/agentrun`, { httpStatus: 400 });
|
|
}
|
|
if (tool === "unidesk-ssh") throw new AgentRunError("schema-invalid", `toolCredentials[${index}] unidesk-ssh must use env projection`, { httpStatus: 400 });
|
|
return { kind: "volume", mountPath };
|
|
}
|
|
|
|
throw new AgentRunError("schema-invalid", "toolCredentials[].projection.kind must be env or volume in v0.1", { httpStatus: 400 });
|
|
}
|
|
|
|
function validateUnideskSshProjection(envName: string, secretKey: string, keys: string[], index: number): void {
|
|
if (!keys.includes("UNIDESK_SSH_CLIENT_TOKEN")) {
|
|
throw new AgentRunError("schema-invalid", `toolCredentials[${index}] unidesk-ssh secretRef.keys must include UNIDESK_SSH_CLIENT_TOKEN`, { httpStatus: 400 });
|
|
}
|
|
if (envName !== "UNIDESK_SSH_CLIENT_TOKEN" || secretKey !== "UNIDESK_SSH_CLIENT_TOKEN") {
|
|
throw new AgentRunError("schema-invalid", `toolCredentials[${index}] unidesk-ssh must project UNIDESK_SSH_CLIENT_TOKEN from the same Secret key`, { httpStatus: 400 });
|
|
}
|
|
}
|
|
|
|
export function validateEnvName(name: string, fieldName: string): void {
|
|
if (!/^[A-Z_][A-Z0-9_]{0,63}$/u.test(name)) throw new AgentRunError("schema-invalid", `${fieldName} must be an uppercase env name`, { httpStatus: 400 });
|
|
}
|
|
|
|
function validateSecretRef(record: JsonRecord): SecretRef {
|
|
const name = requiredString(record, "name");
|
|
const result: SecretRef = { name };
|
|
const namespace = optionalString(record.namespace);
|
|
const mountPath = optionalString(record.mountPath);
|
|
if (namespace) result.namespace = namespace;
|
|
if (mountPath) result.mountPath = mountPath;
|
|
if (record.keys !== undefined) {
|
|
if (!Array.isArray(record.keys) || !record.keys.every((item) => typeof item === "string" && item.length > 0)) throw new AgentRunError("schema-invalid", "secretRef.keys must be non-empty strings", { httpStatus: 400 });
|
|
result.keys = record.keys as string[];
|
|
}
|
|
return result;
|
|
}
|
|
|
|
function optionalString(value: unknown): string | undefined {
|
|
return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
|
|
}
|
|
|
|
function validateBackendSecretScope(backendProfile: BackendProfile, executionPolicy: ExecutionPolicy): void {
|
|
const credentials = executionPolicy.secretScope.providerCredentials ?? [];
|
|
const matching = credentials.filter((item) => item.profile === backendProfile);
|
|
if (matching.length === 0) {
|
|
throw new AgentRunError("secret-unavailable", `backendProfile ${backendProfile} requires a matching provider credential SecretRef`, { httpStatus: 400, details: { backendProfile, requiredSecretName: backendProfileSpec(backendProfile)?.defaultSecretName ?? null } });
|
|
}
|
|
if (matching.length > 1) throw new AgentRunError("schema-invalid", `backendProfile ${backendProfile} has multiple matching provider credentials`, { httpStatus: 400 });
|
|
}
|
|
|
|
export function validateCreateCommand(input: unknown): CreateCommandInput {
|
|
const record = asRecord(input, "command");
|
|
const type = requiredString(record, "type");
|
|
if (type !== "turn" && type !== "steer" && type !== "interrupt") throw new AgentRunError("schema-invalid", `command type ${type} is not supported`, { httpStatus: 400 });
|
|
const payload = asRecord(record.payload ?? {}, "payload");
|
|
if (type === "steer" && !steerPrompt(payload)) throw new AgentRunError("schema-invalid", "steer command payload requires a non-empty prompt, message, or text", { httpStatus: 400 });
|
|
const idempotencyKey = typeof record.idempotencyKey === "string" && record.idempotencyKey.trim().length > 0 ? record.idempotencyKey.trim() : undefined;
|
|
return { type, payload, ...(idempotencyKey ? { idempotencyKey } : {}) };
|
|
}
|
|
|
|
function steerPrompt(payload: JsonRecord): string | null {
|
|
for (const key of ["prompt", "message", "text"]) {
|
|
const value = payload[key];
|
|
if (typeof value === "string" && value.trim().length > 0) return value.trim();
|
|
}
|
|
return null;
|
|
}
|
|
|
|
export function validateCreateQueueTask(input: unknown): CreateQueueTaskInput {
|
|
const record = asRecord(input, "queueTask");
|
|
const tenantId = requiredString(record, "tenantId");
|
|
if (!allowedTenants.has(tenantId)) throw new AgentRunError("tenant-policy-denied", `tenantId ${tenantId} is not allowed`, { httpStatus: 403 });
|
|
const backendProfileValue = optionalString(record.backendProfile) ?? "codex";
|
|
if (!isBackendProfile(backendProfileValue)) throw new AgentRunError("schema-invalid", `backendProfile ${backendProfileValue} must be a lowercase slug`, { httpStatus: 400, details: { pattern: backendProfilePatternText } });
|
|
const queue = optionalString(record.queue) ?? "default";
|
|
const lane = optionalString(record.lane) ?? "default";
|
|
const priorityValue = record.priority ?? 0;
|
|
if (typeof priorityValue !== "number" || !Number.isFinite(priorityValue)) throw new AgentRunError("schema-invalid", "priority must be a finite number", { httpStatus: 400 });
|
|
const referencesValue = record.references ?? [];
|
|
if (!Array.isArray(referencesValue)) throw new AgentRunError("schema-invalid", "references must be an array", { httpStatus: 400 });
|
|
const result: CreateQueueTaskInput = {
|
|
tenantId,
|
|
projectId: requiredString(record, "projectId"),
|
|
queue,
|
|
lane,
|
|
title: requiredString(record, "title"),
|
|
priority: priorityValue,
|
|
backendProfile: backendProfileValue,
|
|
providerId: optionalString(record.providerId) ?? null,
|
|
workspaceRef: record.workspaceRef === undefined || record.workspaceRef === null ? null : requiredRecord(record, "workspaceRef") as CreateQueueTaskInput["workspaceRef"],
|
|
sessionRef: validateSessionRef(record.sessionRef),
|
|
executionPolicy: record.executionPolicy === undefined || record.executionPolicy === null ? null : validateExecutionPolicy(requiredRecord(record, "executionPolicy")),
|
|
resourceBundleRef: validateResourceBundleRef(record.resourceBundleRef),
|
|
payload: record.payload === undefined ? {} : asRecord(record.payload, "payload"),
|
|
references: referencesValue.map((item, index) => asRecord(item, `references[${index}]`)),
|
|
metadata: record.metadata === undefined ? {} : asRecord(record.metadata, "metadata"),
|
|
};
|
|
const idempotencyKey = optionalString(record.idempotencyKey);
|
|
if (idempotencyKey) result.idempotencyKey = idempotencyKey;
|
|
return result;
|
|
}
|
|
|
|
export function validateQueueTaskState(value: string): QueueTaskState {
|
|
if (value === "pending" || value === "running" || value === "completed" || value === "failed" || value === "blocked" || value === "cancelled") return value;
|
|
throw new AgentRunError("schema-invalid", `queue task state ${value} is not supported`, { httpStatus: 400 });
|
|
}
|
|
|
|
export function validateSessionListState(value: string): SessionListState {
|
|
if (value === "default" || value === "running" || value === "unread" || value === "terminal" || value === "idle" || value === "all") return value;
|
|
throw new AgentRunError("schema-invalid", `session state ${value} is not supported`, { httpStatus: 400 });
|
|
}
|
|
|
|
export function validateBackendProfile(value: string): BackendProfile {
|
|
if (isBackendProfile(value)) return value;
|
|
throw new AgentRunError("schema-invalid", `backendProfile ${value} must be a lowercase slug`, { httpStatus: 400, details: { pattern: backendProfilePatternText } });
|
|
}
|