ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-10 08:30:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

fix(plugin): address scoped config review findings

Browse source
This commit is contained in:
Alkim Ake Gozen 2026-06-04 11:53:05 +09:00
parent db0ef46900
commit 06a9428a36
6 changed files with 19844 additions and 93 deletions
Download patch file Download diff file Expand all files Collapse all files

19615
packages/db/src/migrations/meta/0094_snapshot.json Normal file
View file

File diff suppressed because it is too large Load diff

10
packages/plugins/sdk/src/worker-rpc-host.ts
View file

@ -419,8 +419,10 @@ export function startWorkerRpcHost(options: WorkerRpcHostOptions): WorkerRpcHost
config: {
async get(params) {
const companyId =
params?.companyId ?? runtimeCompanyContext.getStore()?.companyId ?? null;
if (params && "companyId" in params) {
return callHost("config.get", { companyId: params.companyId ?? null });
}
const companyId = runtimeCompanyContext.getStore()?.companyId ?? null;
return callHost("config.get", companyId ? { companyId } : {});
},
},
@ -572,7 +574,9 @@ export function startWorkerRpcHost(options: WorkerRpcHostOptions): WorkerRpcHost
secrets: {
async resolve(secretRef: string, companyId?: string | null): Promise<string> {
const scopedCompanyId = companyId ?? runtimeCompanyContext.getStore()?.companyId ?? null;
const scopedCompanyId = arguments.length >= 2
? companyId ?? null
: runtimeCompanyContext.getStore()?.companyId ?? null;
return callHost("secrets.resolve", { secretRef, companyId: scopedCompanyId });
},
},

204
packages/plugins/sdk/tests/worker-rpc-host.test.ts
View file

@ -355,65 +355,163 @@ describe("startWorkerRpcHost runtime company context", () => {
const host = startWorkerRpcHost({ plugin, stdin, stdout });
writeMessage(stdin, {
jsonrpc: "2.0",
id: 1,
method: "initialize",
params: {
manifest: { id: "test-plugin", name: "test-plugin", version: "1.0.0" },
config: {},
instanceInfo: { instanceId: "inst-1", hostVersion: "0.0.0-test" },
apiVersion: 1,
},
});
await expect(nextMessage()).resolves.toMatchObject({ id: 1, result: { ok: true } });
writeMessage(stdin, {
jsonrpc: "2.0",
id: 2,
method: "executeTool",
params: {
toolName: "check-context",
parameters: {},
runContext: {
agentId: "agent-1",
runId: "run-1",
companyId: "company-1",
projectId: "project-1",
try {
writeMessage(stdin, {
jsonrpc: "2.0",
id: 1,
method: "initialize",
params: {
manifest: { id: "test-plugin", name: "test-plugin", version: "1.0.0" },
config: {},
instanceInfo: { instanceId: "inst-1", hostVersion: "0.0.0-test" },
apiVersion: 1,
},
});
await expect(nextMessage()).resolves.toMatchObject({ id: 1, result: { ok: true } });
writeMessage(stdin, {
jsonrpc: "2.0",
id: 2,
method: "executeTool",
params: {
toolName: "check-context",
parameters: {},
runContext: {
agentId: "agent-1",
runId: "run-1",
companyId: "company-1",
projectId: "project-1",
},
},
});
const configRequest = await nextMessage();
expect(configRequest).toMatchObject({
method: "config.get",
params: { companyId: "company-1" },
});
writeMessage(stdin, {
jsonrpc: "2.0",
id: configRequest.id,
result: { mode: "company-config" },
});
const secretRequest = await nextMessage();
expect(secretRequest).toMatchObject({
method: "secrets.resolve",
params: {
secretRef: "77777777-7777-4777-8777-777777777777",
companyId: "company-1",
},
});
writeMessage(stdin, {
jsonrpc: "2.0",
id: secretRequest.id,
result: "company-secret",
});
await expect(nextMessage()).resolves.toMatchObject({
id: 2,
result: { content: "company-config:company-secret" },
});
} finally {
host.stop();
stdin.destroy();
stdout.destroy();
}
});
it("preserves explicit null company context in config and secret host calls", async () => {
const stdin = new PassThrough();
const stdout = new PassThrough();
const nextMessage = collectJsonLines(stdout);
const plugin = definePlugin({
async setup(ctx) {
ctx.tools.register(
"check-explicit-null",
{
displayName: "Check Explicit Null",
description: "Checks explicit null runtime context propagation",
parametersSchema: { type: "object", properties: {} },
},
async () => {
const config = await ctx.config.get({ companyId: null });
const token = await ctx.secrets.resolve(
"77777777-7777-4777-8777-777777777777",
null,
);
return { content: `${config.mode}:${token}` };
},
);
},
});
const configRequest = await nextMessage();
expect(configRequest).toMatchObject({
method: "config.get",
params: { companyId: "company-1" },
});
writeMessage(stdin, {
jsonrpc: "2.0",
id: configRequest.id,
result: { mode: "company-config" },
});
const host = startWorkerRpcHost({ plugin, stdin, stdout });
const secretRequest = await nextMessage();
expect(secretRequest).toMatchObject({
method: "secrets.resolve",
params: {
secretRef: "77777777-7777-4777-8777-777777777777",
companyId: "company-1",
},
});
writeMessage(stdin, {
jsonrpc: "2.0",
id: secretRequest.id,
result: "company-secret",
});
try {
writeMessage(stdin, {
jsonrpc: "2.0",
id: 1,
method: "initialize",
params: {
manifest: { id: "test-plugin", name: "test-plugin", version: "1.0.0" },
config: {},
instanceInfo: { instanceId: "inst-1", hostVersion: "0.0.0-test" },
apiVersion: 1,
},
});
await expect(nextMessage()).resolves.toMatchObject({ id: 1, result: { ok: true } });
await expect(nextMessage()).resolves.toMatchObject({
id: 2,
result: { content: "company-config:company-secret" },
});
writeMessage(stdin, {
jsonrpc: "2.0",
id: 2,
method: "executeTool",
params: {
toolName: "check-explicit-null",
parameters: {},
runContext: {
agentId: "agent-1",
runId: "run-1",
companyId: "company-1",
projectId: "project-1",
},
},
});
host.stop();
const configRequest = await nextMessage();
expect(configRequest).toMatchObject({
method: "config.get",
params: { companyId: null },
});
writeMessage(stdin, {
jsonrpc: "2.0",
id: configRequest.id,
result: { mode: "global-config" },
});
const secretRequest = await nextMessage();
expect(secretRequest).toMatchObject({
method: "secrets.resolve",
params: {
secretRef: "77777777-7777-4777-8777-777777777777",
companyId: null,
},
});
writeMessage(stdin, {
jsonrpc: "2.0",
id: secretRequest.id,
result: "global-secret",
});
await expect(nextMessage()).resolves.toMatchObject({
id: 2,
result: { content: "global-config:global-secret" },
});
} finally {
host.stop();
stdin.destroy();
stdout.destroy();
}
});
});

56
server/src/routes/plugins.ts
View file

@ -2169,23 +2169,24 @@ export function pluginRoutes(
res.status(400).json({ error: '"configJson" is required and must be an object' });
return;
}
const configJson = body.configJson;
const companyId = resolvePluginConfigCompanyId(req);
// Strip devUiUrl unless the caller is an instance admin. devUiUrl activates
// a dev-proxy in the static file route that could be abused for SSRF if any
// board-level user were allowed to set it.
if (
"devUiUrl" in body.configJson &&
"devUiUrl" in configJson &&
!(req.actor.type === "board" && req.actor.isInstanceAdmin)
) {
delete body.configJson.devUiUrl;
delete configJson.devUiUrl;
}
// Validate configJson against the plugin's instanceConfigSchema (if declared).
// This ensures CLI/API callers get the same validation the UI performs client-side.
const schema = plugin.manifestJson?.instanceConfigSchema;
if (schema && Object.keys(schema).length > 0) {
const validation = validateInstanceConfig(body.configJson, schema);
const validation = validateInstanceConfig(configJson, schema);
if (!validation.valid) {
res.status(400).json({
error: "Configuration does not match the plugin's instanceConfigSchema",
@ -2196,30 +2197,45 @@ export function pluginRoutes(
}
try {
const secretRefsByPath = extractSecretRefPathsFromConfig(body.configJson, schema);
const secretRefsByPath = extractSecretRefPathsFromConfig(configJson, schema);
if (secretRefsByPath.size > 0 && !companyId) {
res.status(422).json({ error: "Plugin secret references require companyId" });
return;
}
if (companyId) {
const refs = [...secretRefsByPath.entries()].flatMap(([secretId, paths]) =>
[...paths].map((configPath) => ({ secretId, configPath })),
);
await secrets.syncSecretRefsForTarget(
companyId,
{ targetType: "plugin", targetId: plugin.id },
refs,
);
}
const result = await registry.upsertConfig(plugin.id, {
configJson: body.configJson,
}, companyId);
const refs = [...secretRefsByPath.entries()].flatMap(([secretId, paths]) =>
[...paths].map((configPath) => ({ secretId, configPath })),
);
const persistConfig = async (
scopedSecrets: typeof secrets,
scopedRegistry: typeof registry,
secretDb?: Db,
) => {
if (companyId) {
const target = { targetType: "plugin" as const, targetId: plugin.id };
if (secretDb) {
await scopedSecrets.syncSecretRefsForTarget(companyId, target, refs, { db: secretDb });
} else {
await scopedSecrets.syncSecretRefsForTarget(companyId, target, refs);
}
}
return scopedRegistry.upsertConfig(plugin.id, {
configJson,
}, companyId);
};
const result = typeof db.transaction === "function"
? await db.transaction((tx) =>
persistConfig(
secretService(tx as unknown as Db),
pluginRegistryService(tx as unknown as Db),
tx as unknown as Db,
)
)
: await persistConfig(secrets, registry);
await logPluginMutationActivity(req, "plugin.config.updated", plugin.id, {
pluginId: plugin.id,
pluginKey: plugin.pluginKey,
companyId,
configKeyCount: Object.keys(body.configJson).length,
configKeyCount: Object.keys(configJson).length,
});
// Only legacy/global config is still pushed into the process-global worker state.
@ -2229,7 +2245,7 @@ export function pluginRoutes(
await bridgeDeps.workerManager.call(
plugin.id,
"configChanged",
{ config: body.configJson },
{ config: configJson },
);
} catch (rpcErr) {
if (

32
server/src/services/plugin-registry.ts
View file

@ -44,7 +44,7 @@ function isPluginKeyConflict(error: unknown): boolean {
return err.code === "23505" && constraint === "plugins_plugin_key_idx";
}
function pluginConfigScopeCondition(pluginId: string, companyId?: string | null) {
function pluginConfigExactScopeCondition(pluginId: string, companyId?: string | null) {
return and(
eq(pluginConfig.pluginId, pluginId),
companyId ? eq(pluginConfig.companyId, companyId) : isNull(pluginConfig.companyId),
@ -288,12 +288,22 @@ export function pluginRegistryService(db: Db) {
// ----- Config ---------------------------------------------------------
/** Retrieve a plugin's company-scoped config, or the legacy global fallback. */
getConfig: (pluginId: string, companyId?: string | null) =>
db
getConfig: async (pluginId: string, companyId?: string | null) => {
if (companyId) {
const scoped = await db
.select()
.from(pluginConfig)
.where(pluginConfigExactScopeCondition(pluginId, companyId))
.then((rows) => rows[0] ?? null);
if (scoped) return scoped;
}
return db
.select()
.from(pluginConfig)
.where(pluginConfigScopeCondition(pluginId, companyId))
.then((rows) => rows[0] ?? null),
.where(pluginConfigExactScopeCondition(pluginId, null))
.then((rows) => rows[0] ?? null);
},
/**
* Create or fully replace a plugin's instance configuration.
@ -307,7 +317,7 @@ export function pluginRegistryService(db: Db) {
const existing = await db
.select()
.from(pluginConfig)
.where(pluginConfigScopeCondition(pluginId, companyId))
.where(pluginConfigExactScopeCondition(pluginId, companyId))
.then((rows) => rows[0] ?? null);
if (existing) {
@ -318,7 +328,7 @@ export function pluginRegistryService(db: Db) {
lastError: null,
updatedAt: new Date(),
})
.where(pluginConfigScopeCondition(pluginId, companyId))
.where(pluginConfigExactScopeCondition(pluginId, companyId))
.returning()
.then((rows) => rows[0]);
}
@ -345,7 +355,7 @@ export function pluginRegistryService(db: Db) {
const existing = await db
.select()
.from(pluginConfig)
.where(pluginConfigScopeCondition(pluginId, companyId))
.where(pluginConfigExactScopeCondition(pluginId, companyId))
.then((rows) => rows[0] ?? null);
if (existing) {
@ -357,7 +367,7 @@ export function pluginRegistryService(db: Db) {
lastError: null,
updatedAt: new Date(),
})
.where(pluginConfigScopeCondition(pluginId, companyId))
.where(pluginConfigExactScopeCondition(pluginId, companyId))
.returning()
.then((rows) => rows[0]);
}
@ -381,7 +391,7 @@ export function pluginRegistryService(db: Db) {
const rows = await db
.update(pluginConfig)
.set({ lastError, updatedAt: new Date() })
.where(pluginConfigScopeCondition(pluginId, companyId))
.where(pluginConfigExactScopeCondition(pluginId, companyId))
.returning();
if (rows.length === 0) throw notFound("Plugin config not found");
@ -392,7 +402,7 @@ export function pluginRegistryService(db: Db) {
deleteConfig: async (pluginId: string, companyId?: string | null) => {
const rows = await db
.delete(pluginConfig)
.where(pluginConfigScopeCondition(pluginId, companyId))
.where(pluginConfigExactScopeCondition(pluginId, companyId))
.returning();
return rows[0] ?? null;

20
server/src/services/secrets.ts
View file

@ -2034,6 +2034,7 @@ export function secretService(db: Db) {
required?: boolean;
label?: string | null;
}>,
options?: { db?: SecretBindingDb },
) => {
const normalizedRefs: Array<{
secretId: string;
@ -2042,8 +2043,9 @@ export function secretService(db: Db) {
required: boolean;
label: string | null;
}> = [];
const bindingDb = options?.db ?? db;
for (const ref of refs) {
await assertSecretInCompany(companyId, ref.secretId);
await assertSecretInCompany(companyId, ref.secretId, bindingDb);
normalizedRefs.push({
secretId: ref.secretId,
configPath: ref.configPath,
@ -2055,10 +2057,10 @@ export function secretService(db: Db) {
const pathPrefixes = [...new Set(normalizedRefs.map((ref) => ref.configPath.split(".")[0]))];
await db.transaction(async (tx) => {
const writeBindings = async (targetDb: SecretBindingDb) => {
if (pathPrefixes.length > 0) {
for (const pathPrefix of pathPrefixes) {
await tx
await targetDb
.delete(companySecretBindings)
.where(
and(
@ -2070,7 +2072,7 @@ export function secretService(db: Db) {
);
}
} else {
await tx
await targetDb
.delete(companySecretBindings)
.where(
and(
@ -2081,7 +2083,7 @@ export function secretService(db: Db) {
);
}
if (normalizedRefs.length === 0) return;
await tx.insert(companySecretBindings).values(
await targetDb.insert(companySecretBindings).values(
normalizedRefs.map((ref) => ({
companyId,
secretId: ref.secretId,
@ -2093,7 +2095,13 @@ export function secretService(db: Db) {
label: ref.label,
})),
);
});
};
if (options?.db) {
await writeBindings(options.db);
} else {
await db.transaction(async (tx) => writeBindings(tx));
}
return normalizedRefs;
},