mirror of
https://github.com/alkimake/paperclip.git
synced 2026-06-17 19:20:39 +09:00
[codex] Add routine env secrets support (#6212)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies. > - Scheduled routines are the control-plane path for recurring agent work. > - Routines already had dispatch/history, but their runtime environment did not carry routine-owned secret bindings through execution. > - Operators need routine-specific secrets that can override project/agent env without exposing secret values in history, logs, or access events. > - This pull request adds the routine env runtime contract, wires it into execution, and makes the routine UI/history surfaces show safe secret metadata. > - The benefit is that routine executions can use scoped secret refs predictably while preserving company boundaries and auditability. ## What Changed - Added routine env persistence/runtime support, including `routines.env`, `routine_runs.routine_revision_id`, revision snapshots, and idempotent migration `0086_routine_env_runtime_contract`. - Resolved routine env during heartbeat adapter config assembly with precedence `agent < project < routine` and secret access events recorded against the routine consumer. - Added secret binding synchronization for routine create/update/restore flows and guarded cross-company, missing, disabled, and deleted secret cases. - Added a Secrets tab to routine detail, env/secret history diff rendering, and Storybook coverage for the new UI states. - Added server/UI regression tests, including an embedded-Postgres QA path for routine secret execution and restore behavior. - Updated implementation/database docs for routine env and secret-binding behavior. ## Verification - `pnpm install --frozen-lockfile` after rebasing onto `public-gh/master` to refresh workspace links for the newly-added upstream Grok adapter package. - `pnpm exec vitest run server/src/__tests__/heartbeat-project-env.test.ts server/src/__tests__/routines-service.test.ts server/src/__tests__/secrets-service.test.ts server/src/__tests__/qa-routine-secrets-e2e.test.ts ui/src/components/RoutineHistoryTab.test.tsx` passed: 5 files, 92 tests. - `pnpm -r typecheck` passed across the workspace. - `pnpm build` passed. Vite emitted the existing large-chunk/dynamic-import warnings. - UI screenshots were captured locally during QA in `artifacts/pap-9521/` and `artifacts/pap-9522/`; generated screenshots are not committed to avoid adding binary artifacts to the repo. ## Risks - Migration risk is limited by `IF NOT EXISTS` guards for the new columns, FK, and index, and the migration is ordered as `0086` immediately after upstream `0085`. - Runtime behavior changes env precedence for routine executions by adding routine env as the highest-precedence layer; tests cover agent/project/routine precedence. - Secret handling is security-sensitive; tests cover value-free manifests/events/errors, disabled/missing/deleted secrets, and cross-company rejection. - UI history now renders routine env/secret diffs; tests and Storybook stories cover the main rendering paths. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex coding agent based on GPT-5, with shell/tool use and medium reasoning effort. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta
GitHub
parent
3e6610fb93
commit
705c1b8d81
20 changed files with 1736 additions and 50 deletions
|
|
@ -18,6 +18,7 @@ import {
|
|||
type IssueExecutionMonitorPolicy,
|
||||
type IssueExecutionMonitorRecoveryPolicy,
|
||||
type ModelProfileKey,
|
||||
type RoutineRevisionSnapshotV1,
|
||||
type RunLivenessState,
|
||||
} from "@paperclipai/shared";
|
||||
import {
|
||||
|
|
@ -40,6 +41,9 @@ import {
|
|||
issueWorkProducts,
|
||||
projects,
|
||||
projectWorkspaces,
|
||||
routineRevisions,
|
||||
routineRuns,
|
||||
routines,
|
||||
workspaceOperations,
|
||||
} from "@paperclipai/db";
|
||||
import { conflict, HttpError, notFound } from "../errors.js";
|
||||
|
|
@ -327,19 +331,44 @@ type RuntimeConfigSecretResolver = Pick<
|
|||
"resolveAdapterConfigForRuntime" | "resolveEnvBindings"
|
||||
>;
|
||||
|
||||
function isPaperclipRuntimeEnvKey(key: string) {
|
||||
return key.startsWith("PAPERCLIP_");
|
||||
}
|
||||
|
||||
function stripPaperclipRuntimeEnvBindings(envValue: unknown): Record<string, unknown> | null {
|
||||
const record = parseObject(envValue);
|
||||
const filtered = Object.fromEntries(
|
||||
Object.entries(record).filter(([key]) => !isPaperclipRuntimeEnvKey(key)),
|
||||
);
|
||||
return Object.keys(filtered).length > 0 ? filtered : null;
|
||||
}
|
||||
|
||||
function stripPaperclipRuntimeEnvFromAdapterConfig(config: Record<string, unknown>): Record<string, unknown> {
|
||||
if (!Object.prototype.hasOwnProperty.call(config, "env")) return config;
|
||||
return {
|
||||
...config,
|
||||
env: stripPaperclipRuntimeEnvBindings(config.env) ?? {},
|
||||
};
|
||||
}
|
||||
|
||||
export async function resolveExecutionRunAdapterConfig(input: {
|
||||
companyId: string;
|
||||
agentId?: string | null;
|
||||
issueId?: string | null;
|
||||
heartbeatRunId?: string | null;
|
||||
projectId?: string | null;
|
||||
routineId?: string | null;
|
||||
executionRunConfig: Record<string, unknown>;
|
||||
projectEnv: unknown;
|
||||
routineEnv?: unknown;
|
||||
secretsSvc: RuntimeConfigSecretResolver;
|
||||
}) {
|
||||
const executionRunConfig = stripPaperclipRuntimeEnvFromAdapterConfig(input.executionRunConfig);
|
||||
const projectEnv = stripPaperclipRuntimeEnvBindings(input.projectEnv);
|
||||
const routineEnv = stripPaperclipRuntimeEnvBindings(input.routineEnv);
|
||||
const { config: resolvedConfig, secretKeys, manifest } = await input.secretsSvc.resolveAdapterConfigForRuntime(
|
||||
input.companyId,
|
||||
input.executionRunConfig,
|
||||
executionRunConfig,
|
||||
input.agentId
|
||||
? {
|
||||
consumerType: "agent",
|
||||
|
|
@ -351,10 +380,10 @@ export async function resolveExecutionRunAdapterConfig(input: {
|
|||
}
|
||||
: undefined,
|
||||
);
|
||||
const projectEnvResolution = input.projectEnv
|
||||
const projectEnvResolution = projectEnv
|
||||
? await input.secretsSvc.resolveEnvBindings(
|
||||
input.companyId,
|
||||
input.projectEnv,
|
||||
projectEnv,
|
||||
input.projectId
|
||||
? {
|
||||
consumerType: "project",
|
||||
|
|
@ -376,10 +405,39 @@ export async function resolveExecutionRunAdapterConfig(input: {
|
|||
secretKeys.add(key);
|
||||
}
|
||||
}
|
||||
const routineEnvResolution = routineEnv
|
||||
? await input.secretsSvc.resolveEnvBindings(
|
||||
input.companyId,
|
||||
routineEnv,
|
||||
input.routineId
|
||||
? {
|
||||
consumerType: "routine",
|
||||
consumerId: input.routineId,
|
||||
actorType: "agent",
|
||||
actorId: input.agentId ?? null,
|
||||
issueId: input.issueId ?? null,
|
||||
heartbeatRunId: input.heartbeatRunId ?? null,
|
||||
}
|
||||
: undefined,
|
||||
)
|
||||
: { env: {}, secretKeys: new Set<string>(), manifest: [] };
|
||||
if (Object.keys(routineEnvResolution.env).length > 0) {
|
||||
resolvedConfig.env = {
|
||||
...parseObject(resolvedConfig.env),
|
||||
...routineEnvResolution.env,
|
||||
};
|
||||
for (const key of routineEnvResolution.secretKeys) {
|
||||
secretKeys.add(key);
|
||||
}
|
||||
}
|
||||
return {
|
||||
resolvedConfig,
|
||||
secretKeys,
|
||||
secretManifest: [...(manifest ?? []), ...(projectEnvResolution.manifest ?? [])],
|
||||
secretManifest: [
|
||||
...(manifest ?? []),
|
||||
...(projectEnvResolution.manifest ?? []),
|
||||
...(routineEnvResolution.manifest ?? []),
|
||||
],
|
||||
};
|
||||
}
|
||||
|
||||
|
|
@ -2433,12 +2491,67 @@ export function heartbeatService(db: Db, options: HeartbeatServiceOptions = {})
|
|||
assigneeAgentId: issues.assigneeAgentId,
|
||||
assigneeAdapterOverrides: issues.assigneeAdapterOverrides,
|
||||
executionWorkspaceSettings: issues.executionWorkspaceSettings,
|
||||
originKind: issues.originKind,
|
||||
originId: issues.originId,
|
||||
originRunId: issues.originRunId,
|
||||
})
|
||||
.from(issues)
|
||||
.where(and(eq(issues.id, issueId), eq(issues.companyId, companyId)))
|
||||
.then((rows) => rows[0] ?? null);
|
||||
}
|
||||
|
||||
async function getRoutineEnvForExecutionIssue(
|
||||
companyId: string,
|
||||
issueContext: Awaited<ReturnType<typeof getIssueExecutionContext>> | null,
|
||||
) {
|
||||
if (!issueContext || issueContext.originKind !== "routine_execution" || !issueContext.originId) {
|
||||
return { routineId: null, env: null };
|
||||
}
|
||||
|
||||
const routineRun = issueContext.originRunId
|
||||
? await db
|
||||
.select({
|
||||
routineRevisionId: routineRuns.routineRevisionId,
|
||||
})
|
||||
.from(routineRuns)
|
||||
.where(
|
||||
and(
|
||||
eq(routineRuns.id, issueContext.originRunId),
|
||||
eq(routineRuns.companyId, companyId),
|
||||
eq(routineRuns.routineId, issueContext.originId),
|
||||
),
|
||||
)
|
||||
.then((rows) => rows[0] ?? null)
|
||||
: null;
|
||||
|
||||
if (routineRun?.routineRevisionId) {
|
||||
const revision = await db
|
||||
.select({
|
||||
snapshot: routineRevisions.snapshot,
|
||||
})
|
||||
.from(routineRevisions)
|
||||
.where(
|
||||
and(
|
||||
eq(routineRevisions.id, routineRun.routineRevisionId),
|
||||
eq(routineRevisions.companyId, companyId),
|
||||
eq(routineRevisions.routineId, issueContext.originId),
|
||||
),
|
||||
)
|
||||
.then((rows) => rows[0] ?? null);
|
||||
const snapshot = revision?.snapshot as RoutineRevisionSnapshotV1 | undefined;
|
||||
if (snapshot?.version === 1) {
|
||||
return { routineId: issueContext.originId, env: snapshot.routine.env ?? null };
|
||||
}
|
||||
}
|
||||
|
||||
const routine = await db
|
||||
.select({ env: routines.env })
|
||||
.from(routines)
|
||||
.where(and(eq(routines.id, issueContext.originId), eq(routines.companyId, companyId)))
|
||||
.then((rows) => rows[0] ?? null);
|
||||
return { routineId: issueContext.originId, env: routine?.env ?? null };
|
||||
}
|
||||
|
||||
async function getRuntimeState(agentId: string) {
|
||||
return db
|
||||
.select()
|
||||
|
|
@ -6870,6 +6983,7 @@ export function heartbeatService(db: Db, options: HeartbeatServiceOptions = {})
|
|||
.where(and(eq(projects.id, executionProjectId), eq(projects.companyId, agent.companyId)))
|
||||
.then((rows) => rows[0] ?? null)
|
||||
: null;
|
||||
const routineEnvContext = await getRoutineEnvForExecutionIssue(agent.companyId, issueContext);
|
||||
const projectExecutionWorkspacePolicy = gateProjectExecutionWorkspacePolicy(
|
||||
parseProjectExecutionWorkspacePolicy(projectContext?.executionWorkspacePolicy),
|
||||
isolatedWorkspacesEnabled,
|
||||
|
|
@ -7074,8 +7188,10 @@ export function heartbeatService(db: Db, options: HeartbeatServiceOptions = {})
|
|||
issueId,
|
||||
heartbeatRunId: run.id,
|
||||
projectId: projectContext?.id ?? null,
|
||||
routineId: routineEnvContext.routineId,
|
||||
executionRunConfig,
|
||||
projectEnv: projectContext?.env ?? null,
|
||||
routineEnv: routineEnvContext.env,
|
||||
secretsSvc,
|
||||
});
|
||||
if (secretManifest.length > 0) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue