Implement local agent JWT authentication for adapters
Add HS256 JWT-based authentication for local adapters (claude_local, codex_local) so agents authenticate automatically without manual API key configuration. The server mints short-lived JWTs per heartbeat run and injects them as PAPERCLIP_API_KEY. The auth middleware verifies JWTs alongside existing static API keys. Includes: CLI onboard/doctor JWT secret management, env command for deployment, config path resolution from ancestor directories, dotenv loading on server startup, event payload secret redaction, multi-status issue filtering, and adapter transcript parsing for thinking/user message kinds. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Forgotten
@@ -1,8 +1,9 @@
|
||||
import * as p from "@clack/prompts";
|
||||
import pc from "picocolors";
|
||||
import type { PaperclipConfig } from "../config/schema.js";
|
||||
import { readConfig } from "../config/store.js";
|
||||
import { readConfig, resolveConfigPath } from "../config/store.js";
|
||||
import {
|
||||
agentJwtSecretCheck,
|
||||
configCheck,
|
||||
databaseCheck,
|
||||
llmCheck,
|
||||
@@ -24,6 +25,7 @@ export async function doctor(opts: {
|
||||
}): Promise<void> {
|
||||
p.intro(pc.bgCyan(pc.black(" paperclip doctor ")));
|
||||
|
||||
const configPath = resolveConfigPath(opts.config);
|
||||
const results: CheckResult[] = [];
|
||||
|
||||
// 1. Config check (must pass before others)
|
||||
@@ -53,24 +55,30 @@ export async function doctor(opts: {
|
||||
return;
|
||||
}
|
||||
|
||||
// 2. Database check
|
||||
const dbResult = await databaseCheck(config);
|
||||
// 2. Agent JWT check
|
||||
const jwtResult = agentJwtSecretCheck();
|
||||
results.push(jwtResult);
|
||||
printResult(jwtResult);
|
||||
await maybeRepair(jwtResult, opts);
|
||||
|
||||
// 3. Database check
|
||||
const dbResult = await databaseCheck(config, configPath);
|
||||
results.push(dbResult);
|
||||
printResult(dbResult);
|
||||
await maybeRepair(dbResult, opts);
|
||||
|
||||
// 3. LLM check
|
||||
// 4. LLM check
|
||||
const llmResult = await llmCheck(config);
|
||||
results.push(llmResult);
|
||||
printResult(llmResult);
|
||||
|
||||
// 4. Log directory check
|
||||
const logResult = logCheck(config);
|
||||
// 5. Log directory check
|
||||
const logResult = logCheck(config, configPath);
|
||||
results.push(logResult);
|
||||
printResult(logResult);
|
||||
await maybeRepair(logResult, opts);
|
||||
|
||||
// 5. Port check
|
||||
// 6. Port check
|
||||
const portResult = await portCheck(config);
|
||||
results.push(portResult);
|
||||
printResult(portResult);
|
||||
|
||||
209
cli/src/commands/env.ts
Normal file
209
cli/src/commands/env.ts
Normal file
@@ -0,0 +1,209 @@
|
||||
import * as p from "@clack/prompts";
|
||||
import pc from "picocolors";
|
||||
import type { PaperclipConfig } from "../config/schema.js";
|
||||
import { configExists, readConfig, resolveConfigPath } from "../config/store.js";
|
||||
import {
|
||||
readAgentJwtSecretFromEnv,
|
||||
readAgentJwtSecretFromEnvFile,
|
||||
resolveAgentJwtEnvFile,
|
||||
} from "../config/env.js";
|
||||
|
||||
type EnvSource = "env" | "config" | "file" | "default" | "missing";
|
||||
|
||||
type EnvVarRow = {
|
||||
key: string;
|
||||
value: string;
|
||||
source: EnvSource;
|
||||
required: boolean;
|
||||
note: string;
|
||||
};
|
||||
|
||||
const DEFAULT_AGENT_JWT_TTL_SECONDS = "172800";
|
||||
const DEFAULT_AGENT_JWT_ISSUER = "paperclip";
|
||||
const DEFAULT_AGENT_JWT_AUDIENCE = "paperclip-api";
|
||||
const DEFAULT_HEARTBEAT_SCHEDULER_INTERVAL_MS = "30000";
|
||||
|
||||
export async function envCommand(opts: { config?: string }): Promise<void> {
|
||||
p.intro(pc.bgCyan(pc.black(" paperclip env ")));
|
||||
|
||||
const configPath = resolveConfigPath(opts.config);
|
||||
let config: PaperclipConfig | null = null;
|
||||
let configReadError: string | null = null;
|
||||
|
||||
if (configExists(opts.config)) {
|
||||
p.log.message(pc.dim(`Config file: ${configPath}`));
|
||||
try {
|
||||
config = readConfig(opts.config);
|
||||
} catch (err) {
|
||||
configReadError = err instanceof Error ? err.message : String(err);
|
||||
p.log.message(pc.yellow(`Could not parse config: ${configReadError}`));
|
||||
}
|
||||
} else {
|
||||
p.log.message(pc.dim(`Config file missing: ${configPath}`));
|
||||
}
|
||||
|
||||
const rows = collectDeploymentEnvRows(config, configPath);
|
||||
const missingRequired = rows.filter((row) => row.required && row.source === "missing");
|
||||
const sortedRows = rows.sort((a, b) => Number(b.required) - Number(a.required) || a.key.localeCompare(b.key));
|
||||
|
||||
const requiredRows = sortedRows.filter((row) => row.required);
|
||||
const optionalRows = sortedRows.filter((row) => !row.required);
|
||||
|
||||
const formatSection = (title: string, entries: EnvVarRow[]) => {
|
||||
if (entries.length === 0) return;
|
||||
|
||||
p.log.message(pc.bold(title));
|
||||
for (const entry of entries) {
|
||||
const status = entry.source === "missing" ? pc.red("missing") : entry.source === "default" ? pc.yellow("default") : pc.green("set");
|
||||
const sourceNote = {
|
||||
env: "environment",
|
||||
config: "config",
|
||||
file: "file",
|
||||
default: "default",
|
||||
missing: "missing",
|
||||
}[entry.source];
|
||||
p.log.message(
|
||||
`${pc.cyan(entry.key)} ${status.padEnd(7)} ${pc.dim(`[${sourceNote}] ${entry.note}`)}${entry.source === "missing" ? "" : ` ${pc.dim("=>")} ${pc.white(quoteShellValue(entry.value))}`}`,
|
||||
);
|
||||
}
|
||||
};
|
||||
|
||||
formatSection("Required environment variables", requiredRows);
|
||||
formatSection("Optional environment variables", optionalRows);
|
||||
|
||||
const exportRows = rows.map((row) => (row.source === "missing" ? { ...row, value: "<set-this-value>" } : row));
|
||||
const uniqueRows = uniqueByKey(exportRows);
|
||||
const exportBlock = uniqueRows.map((row) => `export ${row.key}=${quoteShellValue(row.value)}`).join("\n");
|
||||
|
||||
if (configReadError) {
|
||||
p.log.error(`Could not load config cleanly: ${configReadError}`);
|
||||
}
|
||||
|
||||
p.note(
|
||||
exportBlock || "No values detected. Set required variables manually.",
|
||||
"Deployment export block",
|
||||
);
|
||||
|
||||
if (missingRequired.length > 0) {
|
||||
p.log.message(
|
||||
pc.yellow(
|
||||
`Missing required values: ${missingRequired.map((row) => row.key).join(", ")}. Set these before deployment.`,
|
||||
),
|
||||
);
|
||||
} else {
|
||||
p.log.message(pc.green("All required deployment variables are present."));
|
||||
}
|
||||
p.outro("Done");
|
||||
}
|
||||
|
||||
function collectDeploymentEnvRows(config: PaperclipConfig | null, configPath: string): EnvVarRow[] {
|
||||
const agentJwtEnvFile = resolveAgentJwtEnvFile();
|
||||
const jwtEnv = readAgentJwtSecretFromEnv();
|
||||
const jwtFile = jwtEnv ? null : readAgentJwtSecretFromEnvFile(agentJwtEnvFile);
|
||||
const jwtSource = jwtEnv ? "env" : jwtFile ? "file" : "missing";
|
||||
|
||||
const dbUrl = process.env.DATABASE_URL ?? config?.database?.connectionString ?? "";
|
||||
const databaseMode = config?.database?.mode ?? "embedded-postgres";
|
||||
const dbUrlSource: EnvSource = process.env.DATABASE_URL ? "env" : config?.database?.connectionString ? "config" : "missing";
|
||||
|
||||
const heartbeatInterval = process.env.HEARTBEAT_SCHEDULER_INTERVAL_MS ?? DEFAULT_HEARTBEAT_SCHEDULER_INTERVAL_MS;
|
||||
const heartbeatEnabled = process.env.HEARTBEAT_SCHEDULER_ENABLED ?? "true";
|
||||
|
||||
const rows: EnvVarRow[] = [
|
||||
{
|
||||
key: "PAPERCLIP_AGENT_JWT_SECRET",
|
||||
value: jwtEnv ?? jwtFile ?? "",
|
||||
source: jwtSource,
|
||||
required: true,
|
||||
note:
|
||||
jwtSource === "missing"
|
||||
? "Generate during onboard or set manually (required for local adapter authentication)"
|
||||
: jwtSource === "env"
|
||||
? "Set in process environment"
|
||||
: `Set in ${agentJwtEnvFile}`,
|
||||
},
|
||||
{
|
||||
key: "DATABASE_URL",
|
||||
value: dbUrl,
|
||||
source: dbUrlSource,
|
||||
required: true,
|
||||
note:
|
||||
databaseMode === "postgres"
|
||||
? "Configured for postgres mode (required)"
|
||||
: "Required for live deployment with managed PostgreSQL",
|
||||
},
|
||||
{
|
||||
key: "PORT",
|
||||
value:
|
||||
process.env.PORT ??
|
||||
(config?.server?.port !== undefined ? String(config.server.port) : "3100"),
|
||||
source: process.env.PORT ? "env" : config?.server?.port !== undefined ? "config" : "default",
|
||||
required: false,
|
||||
note: "HTTP listen port",
|
||||
},
|
||||
{
|
||||
key: "PAPERCLIP_AGENT_JWT_TTL_SECONDS",
|
||||
value: process.env.PAPERCLIP_AGENT_JWT_TTL_SECONDS ?? DEFAULT_AGENT_JWT_TTL_SECONDS,
|
||||
source: process.env.PAPERCLIP_AGENT_JWT_TTL_SECONDS ? "env" : "default",
|
||||
required: false,
|
||||
note: "JWT lifetime in seconds",
|
||||
},
|
||||
{
|
||||
key: "PAPERCLIP_AGENT_JWT_ISSUER",
|
||||
value: process.env.PAPERCLIP_AGENT_JWT_ISSUER ?? DEFAULT_AGENT_JWT_ISSUER,
|
||||
source: process.env.PAPERCLIP_AGENT_JWT_ISSUER ? "env" : "default",
|
||||
required: false,
|
||||
note: "JWT issuer",
|
||||
},
|
||||
{
|
||||
key: "PAPERCLIP_AGENT_JWT_AUDIENCE",
|
||||
value: process.env.PAPERCLIP_AGENT_JWT_AUDIENCE ?? DEFAULT_AGENT_JWT_AUDIENCE,
|
||||
source: process.env.PAPERCLIP_AGENT_JWT_AUDIENCE ? "env" : "default",
|
||||
required: false,
|
||||
note: "JWT audience",
|
||||
},
|
||||
{
|
||||
key: "HEARTBEAT_SCHEDULER_INTERVAL_MS",
|
||||
value: heartbeatInterval,
|
||||
source: process.env.HEARTBEAT_SCHEDULER_INTERVAL_MS ? "env" : "default",
|
||||
required: false,
|
||||
note: "Heartbeat worker interval in ms",
|
||||
},
|
||||
{
|
||||
key: "HEARTBEAT_SCHEDULER_ENABLED",
|
||||
value: heartbeatEnabled,
|
||||
source: process.env.HEARTBEAT_SCHEDULER_ENABLED ? "env" : "default",
|
||||
required: false,
|
||||
note: "Set to `false` to disable timer scheduling",
|
||||
},
|
||||
];
|
||||
|
||||
const defaultConfigPath = resolveConfigPath();
|
||||
if (process.env.PAPERCLIP_CONFIG || configPath !== defaultConfigPath) {
|
||||
rows.push({
|
||||
key: "PAPERCLIP_CONFIG",
|
||||
value: process.env.PAPERCLIP_CONFIG ?? configPath,
|
||||
source: process.env.PAPERCLIP_CONFIG ? "env" : "default",
|
||||
required: false,
|
||||
note: "Optional path override for config file",
|
||||
});
|
||||
}
|
||||
|
||||
return rows;
|
||||
}
|
||||
|
||||
function uniqueByKey(rows: EnvVarRow[]): EnvVarRow[] {
|
||||
const seen = new Set<string>();
|
||||
const result: EnvVarRow[] = [];
|
||||
for (const row of rows) {
|
||||
if (seen.has(row.key)) continue;
|
||||
seen.add(row.key);
|
||||
result.push(row);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
function quoteShellValue(value: string): string {
|
||||
if (value === "") return "\"\"";
|
||||
return `'${value.replaceAll("'", "'\\''")}'`;
|
||||
}
|
||||
@@ -1,7 +1,8 @@
|
||||
import * as p from "@clack/prompts";
|
||||
import pc from "picocolors";
|
||||
import { configExists, readConfig, writeConfig } from "../config/store.js";
|
||||
import { configExists, readConfig, resolveConfigPath, writeConfig } from "../config/store.js";
|
||||
import type { PaperclipConfig } from "../config/schema.js";
|
||||
import { ensureAgentJwtSecret, resolveAgentJwtEnvFile } from "../config/env.js";
|
||||
import { promptDatabase } from "../prompts/database.js";
|
||||
import { promptLlm } from "../prompts/llm.js";
|
||||
import { promptLogging } from "../prompts/logging.js";
|
||||
@@ -12,25 +13,18 @@ export async function onboard(opts: { config?: string }): Promise<void> {
|
||||
|
||||
// Check for existing config
|
||||
if (configExists(opts.config)) {
|
||||
const configPath = resolveConfigPath(opts.config);
|
||||
p.log.message(pc.dim(`${configPath} exists, updating config`));
|
||||
|
||||
try {
|
||||
readConfig(opts.config);
|
||||
} catch (err) {
|
||||
p.log.message(
|
||||
pc.yellow(
|
||||
`Existing config appears invalid and will be replaced if you continue.\n${err instanceof Error ? err.message : String(err)}`,
|
||||
`Existing config appears invalid and will be updated.\n${err instanceof Error ? err.message : String(err)}`,
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
const overwrite = await p.confirm({
|
||||
message: "A config file already exists. Overwrite it?",
|
||||
initialValue: false,
|
||||
});
|
||||
|
||||
if (p.isCancel(overwrite) || !overwrite) {
|
||||
p.cancel("Keeping existing configuration.");
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Database
|
||||
@@ -104,6 +98,16 @@ export async function onboard(opts: { config?: string }): Promise<void> {
|
||||
p.log.step(pc.bold("Server"));
|
||||
const server = await promptServer();
|
||||
|
||||
const jwtSecret = ensureAgentJwtSecret();
|
||||
const envFilePath = resolveAgentJwtEnvFile();
|
||||
if (jwtSecret.created) {
|
||||
p.log.success(`Created ${pc.cyan("PAPERCLIP_AGENT_JWT_SECRET")} in ${pc.dim(envFilePath)}`);
|
||||
} else if (process.env.PAPERCLIP_AGENT_JWT_SECRET?.trim()) {
|
||||
p.log.info(`Using existing ${pc.cyan("PAPERCLIP_AGENT_JWT_SECRET")} from environment`);
|
||||
} else {
|
||||
p.log.info(`Using existing ${pc.cyan("PAPERCLIP_AGENT_JWT_SECRET")} in ${pc.dim(envFilePath)}`);
|
||||
}
|
||||
|
||||
// Assemble and write config
|
||||
const config: PaperclipConfig = {
|
||||
$meta: {
|
||||
@@ -125,10 +129,14 @@ export async function onboard(opts: { config?: string }): Promise<void> {
|
||||
llm ? `LLM: ${llm.provider}` : "LLM: not configured",
|
||||
`Logging: ${logging.mode} → ${logging.logDir}`,
|
||||
`Server: port ${server.port}`,
|
||||
`Agent auth: PAPERCLIP_AGENT_JWT_SECRET configured`,
|
||||
].join("\n"),
|
||||
"Configuration saved",
|
||||
);
|
||||
|
||||
p.log.info(`Run ${pc.cyan("pnpm paperclip doctor")} to verify your setup.`);
|
||||
p.log.message(
|
||||
`Before starting Paperclip, export ${pc.cyan("PAPERCLIP_AGENT_JWT_SECRET")} from ${pc.dim(envFilePath)} (for example: ${pc.dim(`set -a; source ${envFilePath}; set +a`)})`,
|
||||
);
|
||||
p.outro("You're all set!");
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user