feat(server): integrate Better Auth, access control, and deployment mode startup
Wire up Better Auth for session-based authentication. Add actor middleware that resolves local_trusted mode to an implicit board actor and authenticated mode to Better Auth sessions. Add access service with membership, permission, invite, and join-request management. Register access routes for member/invite/ join-request CRUD. Update health endpoint to report deployment mode and bootstrap status. Enforce tasks:assign and agents:create permissions in issue and agent routes. Add deployment mode validation at startup with guardrails (loopback-only for local_trusted, auth config required for authenticated). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Forgotten
@@ -4,6 +4,7 @@ import {
|
||||
agents,
|
||||
assets,
|
||||
companies,
|
||||
companyMemberships,
|
||||
goals,
|
||||
heartbeatRuns,
|
||||
issueAttachments,
|
||||
@@ -77,6 +78,24 @@ export function issueService(db: Db) {
|
||||
}
|
||||
}
|
||||
|
||||
async function assertAssignableUser(companyId: string, userId: string) {
|
||||
const membership = await db
|
||||
.select({ id: companyMemberships.id })
|
||||
.from(companyMemberships)
|
||||
.where(
|
||||
and(
|
||||
eq(companyMemberships.companyId, companyId),
|
||||
eq(companyMemberships.principalType, "user"),
|
||||
eq(companyMemberships.principalId, userId),
|
||||
eq(companyMemberships.status, "active"),
|
||||
),
|
||||
)
|
||||
.then((rows) => rows[0] ?? null);
|
||||
if (!membership) {
|
||||
throw notFound("Assignee user not found");
|
||||
}
|
||||
}
|
||||
|
||||
async function isTerminalOrMissingHeartbeatRun(runId: string) {
|
||||
const run = await db
|
||||
.select({ status: heartbeatRuns.status })
|
||||
@@ -157,9 +176,18 @@ export function issueService(db: Db) {
|
||||
.then((rows) => rows[0] ?? null),
|
||||
|
||||
create: async (companyId: string, data: Omit<typeof issues.$inferInsert, "companyId">) => {
|
||||
if (data.assigneeAgentId && data.assigneeUserId) {
|
||||
throw unprocessable("Issue can only have one assignee");
|
||||
}
|
||||
if (data.assigneeAgentId) {
|
||||
await assertAssignableAgent(companyId, data.assigneeAgentId);
|
||||
}
|
||||
if (data.assigneeUserId) {
|
||||
await assertAssignableUser(companyId, data.assigneeUserId);
|
||||
}
|
||||
if (data.status === "in_progress" && !data.assigneeAgentId && !data.assigneeUserId) {
|
||||
throw unprocessable("in_progress issues require an assignee");
|
||||
}
|
||||
return db.transaction(async (tx) => {
|
||||
const [company] = await tx
|
||||
.update(companies)
|
||||
@@ -203,12 +231,23 @@ export function issueService(db: Db) {
|
||||
updatedAt: new Date(),
|
||||
};
|
||||
|
||||
if (patch.status === "in_progress" && !patch.assigneeAgentId && !existing.assigneeAgentId) {
|
||||
const nextAssigneeAgentId =
|
||||
data.assigneeAgentId !== undefined ? data.assigneeAgentId : existing.assigneeAgentId;
|
||||
const nextAssigneeUserId =
|
||||
data.assigneeUserId !== undefined ? data.assigneeUserId : existing.assigneeUserId;
|
||||
|
||||
if (nextAssigneeAgentId && nextAssigneeUserId) {
|
||||
throw unprocessable("Issue can only have one assignee");
|
||||
}
|
||||
if (patch.status === "in_progress" && !nextAssigneeAgentId && !nextAssigneeUserId) {
|
||||
throw unprocessable("in_progress issues require an assignee");
|
||||
}
|
||||
if (data.assigneeAgentId) {
|
||||
await assertAssignableAgent(existing.companyId, data.assigneeAgentId);
|
||||
}
|
||||
if (data.assigneeUserId) {
|
||||
await assertAssignableUser(existing.companyId, data.assigneeUserId);
|
||||
}
|
||||
|
||||
applyStatusSideEffects(data.status, patch);
|
||||
if (data.status && data.status !== "done") {
|
||||
@@ -220,7 +259,10 @@ export function issueService(db: Db) {
|
||||
if (data.status && data.status !== "in_progress") {
|
||||
patch.checkoutRunId = null;
|
||||
}
|
||||
if (data.assigneeAgentId !== undefined && data.assigneeAgentId !== existing.assigneeAgentId) {
|
||||
if (
|
||||
(data.assigneeAgentId !== undefined && data.assigneeAgentId !== existing.assigneeAgentId) ||
|
||||
(data.assigneeUserId !== undefined && data.assigneeUserId !== existing.assigneeUserId)
|
||||
) {
|
||||
patch.checkoutRunId = null;
|
||||
}
|
||||
|
||||
@@ -277,6 +319,7 @@ export function issueService(db: Db) {
|
||||
.update(issues)
|
||||
.set({
|
||||
assigneeAgentId: agentId,
|
||||
assigneeUserId: null,
|
||||
checkoutRunId,
|
||||
executionRunId: checkoutRunId,
|
||||
status: "in_progress",
|
||||
|
||||
Reference in New Issue
Block a user