ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-15 18:30:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

Add routine revision history and restore flow (#5285)

Browse source 
## Thinking Path

> - Paperclip is the control plane for autonomous AI companies.
> - Routines are the scheduled/recurring work surface that keeps a
company operating without manual kicks.
> - Operators need routine edits to be auditable and recoverable,
especially when routines control assignments, prompts, triggers, and
webhook secrets.
> - Documents already have revision-style safety, but routines did not
have equivalent history or restore semantics.
> - This pull request adds append-only routine revisions across the
database, shared contracts, server routes, and board UI.
> - The benefit is safer routine iteration: users can inspect history,
compare changes, restore older definitions, and avoid overwriting newer
edits.

## What Changed

- Added `routine_revisions` storage, latest revision pointers on
routines, shared types, validators, and API docs for routine revision
history.
- Added server service/route support for listing routine revisions,
conflict-aware routine saves, and append-only restore operations.
- Added a History tab on routine detail with revision preview,
structured change summaries, description line diffs, dirty-edit
blocking, restore confirmation, and restored webhook secret surfacing.
- Extracted the line diff helper from `DocumentDiffModal` into
`ui/src/lib/line-diff.ts` for reuse.
- Rebased the branch onto current `public-gh/master` and renumbered the
routine revision migration to `0077_unusual_karnak` after upstream
`0076_useful_elektra`.
- Made the `0077` routine revision migration idempotent so installs that
already applied the branch-local `0076_unusual_karnak` can safely
advance.
- Updated the plugin SDK test harness routine fixture with the new
revision fields required by the shared `Routine` contract.

## Verification

- `pnpm --filter @paperclipai/db run check:migrations` passed.
- `pnpm exec vitest run --project @paperclipai/shared
packages/shared/src/validators/routine.test.ts` passed.
- `pnpm exec vitest run --project @paperclipai/ui
ui/src/lib/line-diff.test.ts
ui/src/components/RoutineHistoryTab.test.tsx
ui/src/lib/workspace-routines.test.ts ui/src/pages/Routines.test.tsx`
passed.
- `pnpm exec vitest run --project @paperclipai/server
server/src/__tests__/routines-service.test.ts --pool=forks
--poolOptions.forks.isolate=true` passed.
- `pnpm exec vitest run --project @paperclipai/server
server/src/__tests__/routines-routes.test.ts --pool=forks
--poolOptions.forks.isolate=true` passed.
- `pnpm --filter @paperclipai/plugin-sdk typecheck` passed after
updating the SDK test harness fixture.
- `pnpm --filter @paperclipai/plugin-sdk build` passed; this refreshed
local generated SDK output needed by plugin example typechecks.
- `pnpm -r typecheck` passed.

## Risks

- Medium migration risk: this adds routine revision storage and
backfills existing routines. The migration is ordered after upstream
`0076` and uses `IF NOT EXISTS` / duplicate-object guards to tolerate
earlier branch-local migration application.
- Restore behavior intentionally appends a new revision instead of
mutating history; callers expecting an in-place rollback need to follow
the new latest revision pointer.
- Restoring webhook triggers recreates webhook secret material, so users
must copy newly surfaced secrets after restore.
- Conflict-aware saves now reject stale routine edits when the client
sends an older `baseRevisionId`.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI Codex, GPT-5-based coding agent, with shell/tool use in a local
git worktree. Exact context-window size is not exposed in this runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

Screenshots: not attached in this draft PR; the new UI flow is covered
by component tests listed above.

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta 2026-05-05 11:54:52 -05:00 committed by GitHub
parent 9578dc3da7
commit d6d7a7cea6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
27 changed files with 19593 additions and 238 deletions
Download patch file Download diff file Expand all files Collapse all files

678
server/src/services/routines.ts
View file

@ -1,8 +1,9 @@
import crypto from "node:crypto";
import { and, asc, desc, eq, inArray, isNotNull, isNull, lte, ne, or, sql } from "drizzle-orm";
import { and, asc, desc, eq, inArray, isNotNull, isNull, lte, ne, not, or, sql } from "drizzle-orm";
import type { Db } from "@paperclipai/db";
import {
agents,
companySecretVersions,
companySecrets,
executionWorkspaces,
goals,
@ -13,6 +14,7 @@ import {
pluginManagedResources,
plugins,
projects,
routineRevisions,
routineRuns,
routines,
routineTriggers,
@ -24,6 +26,8 @@ import type {
RoutineDetail,
RoutineListItem,
RoutineManagedByPlugin,
RoutineRevision,
RoutineRevisionSnapshotV1,
RoutineRunSummary,
RoutineTrigger,
RoutineTriggerSecretMaterial,
@ -47,6 +51,7 @@ import { logger } from "../middleware/logger.js";
import { getTelemetryClient } from "../telemetry.js";
import { issueService } from "./issues.js";
import { secretService } from "./secrets.js";
import { getSecretProvider } from "../secrets/provider-registry.js";
import { parseCron, validateCron } from "./cron.js";
import { heartbeatService } from "./heartbeat.js";
import { queueIssueAssignmentWakeup, type IssueAssignmentWakeupDeps } from "./issue-assignment-wakeup.js";
@ -57,6 +62,7 @@ const OPEN_ISSUE_STATUSES = ["backlog", "todo", "in_progress", "in_review", "blo
const LIVE_HEARTBEAT_RUN_STATUSES = ["queued", "running", "scheduled_retry"];
const TERMINAL_ISSUE_STATUSES = new Set(["done", "cancelled"]);
const MAX_CATCH_UP_RUNS = 25;
const MAX_ROUTINE_REVISIONS = 100;
const WEEKDAY_INDEX: Record<string, number> = {
Sun: 0,
Mon: 1,
@ -67,7 +73,13 @@ const WEEKDAY_INDEX: Record<string, number> = {
Sat: 6,
};
type Actor = { agentId?: string | null; userId?: string | null };
type Actor = { agentId?: string | null; userId?: string | null; runId?: string | null };
type RoutineRow = typeof routines.$inferSelect;
type RoutineTriggerRow = typeof routineTriggers.$inferSelect;
interface RoutineTriggerSecretRestoreMaterial extends RoutineTriggerSecretMaterial {
triggerId: string;
}
function assertTimeZone(timeZone: string) {
try {
@ -373,6 +385,77 @@ function routineUsesWorkspaceBranch(routine: typeof routines.$inferSelect) {
|| extractRoutineVariableNames([routine.title, routine.description]).includes(WORKSPACE_BRANCH_ROUTINE_VARIABLE);
}
function routineRevisionSnapshotRoutine(routine: RoutineRow): RoutineRevisionSnapshotV1["routine"] {
return {
id: routine.id,
companyId: routine.companyId,
projectId: routine.projectId,
goalId: routine.goalId,
parentIssueId: routine.parentIssueId,
title: routine.title,
description: routine.description,
assigneeAgentId: routine.assigneeAgentId,
priority: routine.priority as RoutineRevisionSnapshotV1["routine"]["priority"],
status: routine.status as RoutineRevisionSnapshotV1["routine"]["status"],
concurrencyPolicy: routine.concurrencyPolicy as RoutineRevisionSnapshotV1["routine"]["concurrencyPolicy"],
catchUpPolicy: routine.catchUpPolicy as RoutineRevisionSnapshotV1["routine"]["catchUpPolicy"],
variables: routine.variables ?? [],
};
}
function routineRevisionSnapshotTrigger(trigger: RoutineTriggerRow): RoutineRevisionSnapshotV1["triggers"][number] {
return {
id: trigger.id,
kind: trigger.kind as RoutineRevisionSnapshotV1["triggers"][number]["kind"],
label: trigger.label,
enabled: trigger.enabled,
cronExpression: trigger.cronExpression,
timezone: trigger.timezone,
publicId: trigger.publicId,
signingMode: trigger.signingMode as RoutineRevisionSnapshotV1["triggers"][number]["signingMode"],
replayWindowSec: trigger.replayWindowSec,
};
}
async function buildRoutineRevisionSnapshot(
executor: Db,
routine: RoutineRow,
): Promise<RoutineRevisionSnapshotV1> {
const triggers = await executor
.select()
.from(routineTriggers)
.where(and(eq(routineTriggers.companyId, routine.companyId), eq(routineTriggers.routineId, routine.id)))
.orderBy(asc(routineTriggers.createdAt), asc(routineTriggers.id));
return {
version: 1,
routine: routineRevisionSnapshotRoutine(routine),
triggers: triggers.map(routineRevisionSnapshotTrigger),
};
}
function canonicalSnapshot(value: RoutineRevisionSnapshotV1) {
return JSON.stringify(value);
}
function snapshotsMatch(left: RoutineRevisionSnapshotV1, right: RoutineRevisionSnapshotV1) {
return canonicalSnapshot(left) === canonicalSnapshot(right);
}
function routineCurrentFieldsMatch(left: RoutineRow, right: RoutineRow) {
return snapshotsMatch(
{ version: 1, routine: routineRevisionSnapshotRoutine(left), triggers: [] },
{ version: 1, routine: routineRevisionSnapshotRoutine(right), triggers: [] },
);
}
function mapRoutineRevision(row: typeof routineRevisions.$inferSelect): RoutineRevision {
return {
...row,
snapshot: row.snapshot as RoutineRevisionSnapshotV1,
};
}
export function routineService(
db: Db,
deps: {
@ -459,6 +542,52 @@ export function routineService(
.then((rows) => rows[0] ?? null);
}
async function appendRoutineRevision(
executor: Db,
routine: RoutineRow,
actor: Actor,
options: {
changeSummary?: string | null;
restoredFromRevisionId?: string | null;
} = {},
) {
const snapshot = await buildRoutineRevisionSnapshot(executor, routine);
const nextRevisionNumber = routine.latestRevisionId ? routine.latestRevisionNumber + 1 : 1;
const now = new Date();
const [revision] = await executor
.insert(routineRevisions)
.values({
companyId: routine.companyId,
routineId: routine.id,
revisionNumber: nextRevisionNumber,
title: snapshot.routine.title,
description: snapshot.routine.description,
snapshot,
changeSummary: options.changeSummary ?? null,
restoredFromRevisionId: options.restoredFromRevisionId ?? null,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
createdByRunId: actor.runId ?? null,
createdAt: now,
})
.returning();
const [updatedRoutine] = await executor
.update(routines)
.set({
latestRevisionId: revision.id,
latestRevisionNumber: nextRevisionNumber,
updatedAt: now,
})
.where(eq(routines.id, routine.id))
.returning();
return {
routine: updatedRoutine ?? { ...routine, latestRevisionId: revision.id, latestRevisionNumber: nextRevisionNumber, updatedAt: now },
revision: mapRoutineRevision(revision),
};
}
async function assertRoutineAccess(companyId: string, routineId: string) {
const routine = await getRoutineById(routineId);
if (!routine) throw notFound("Routine not found");
@ -479,6 +608,17 @@ export function routineService(
if (agent.status === "terminated") throw conflict("Cannot assign routines to terminated agents");
}
async function assertRestorableAssignee(
companyId: string,
assigneeAgentId: string | null | undefined,
actor: Actor,
) {
await assertAssignableAgent(companyId, assigneeAgentId);
if (actor.agentId && assigneeAgentId !== actor.agentId) {
throw forbidden("Agents can only restore routine revisions assigned to themselves");
}
}
async function assertProject(companyId: string, projectId: string | null | undefined) {
if (!projectId) return;
const project = await db
@ -807,18 +947,52 @@ export function routineService(
companyId: string,
routineId: string,
actor: Actor,
executor?: Db,
) {
const secretValue = crypto.randomBytes(24).toString("hex");
const secret = await secretsSvc.create(
companyId,
{
name: `routine-${routineId}-${crypto.randomBytes(6).toString("hex")}`,
provider: "local_encrypted",
value: secretValue,
description: `Webhook auth for routine ${routineId}`,
},
actor,
);
const input = {
name: `routine-${routineId}-${crypto.randomBytes(6).toString("hex")}`,
provider: "local_encrypted" as const,
value: secretValue,
description: `Webhook auth for routine ${routineId}`,
};
const provider = getSecretProvider(input.provider);
const prepared = await provider.createVersion({
value: input.value,
externalRef: null,
});
const insertSecret = async (secretDb: Db) => {
const secret = await secretDb
.insert(companySecrets)
.values({
companyId,
name: input.name,
provider: input.provider,
externalRef: prepared.externalRef,
latestVersion: 1,
description: input.description,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
})
.returning()
.then((rows) => rows[0]);
await secretDb.insert(companySecretVersions).values({
secretId: secret.id,
version: 1,
material: prepared.material,
valueSha256: prepared.valueSha256,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
});
return secret;
};
const secret = executor
? await insertSecret(executor)
: await db.transaction(async (tx) => insertSecret(tx as unknown as Db));
return { secret, secretValue };
}
@ -1305,28 +1479,34 @@ export function routineService(
);
assertRoutineVariableDefinitions(variables);
const status = normalizeDraftRoutineStatus(input.status, input.assigneeAgentId);
const [created] = await db
.insert(routines)
.values({
companyId,
projectId: input.projectId ?? null,
goalId: input.goalId ?? null,
parentIssueId: input.parentIssueId ?? null,
title: input.title,
description: input.description ?? null,
assigneeAgentId: input.assigneeAgentId ?? null,
priority: input.priority,
status,
concurrencyPolicy: input.concurrencyPolicy,
catchUpPolicy: input.catchUpPolicy,
variables,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
})
.returning();
return created;
return db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
const [created] = await txDb
.insert(routines)
.values({
companyId,
projectId: input.projectId ?? null,
goalId: input.goalId ?? null,
parentIssueId: input.parentIssueId ?? null,
title: input.title,
description: input.description ?? null,
assigneeAgentId: input.assigneeAgentId ?? null,
priority: input.priority,
status,
concurrencyPolicy: input.concurrencyPolicy,
catchUpPolicy: input.catchUpPolicy,
variables,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
})
.returning();
const { routine } = await appendRoutineRevision(txDb, created, actor, {
changeSummary: "Created routine",
});
return routine;
});
},
update: async (id: string, patch: UpdateRoutine, actor: Actor): Promise<Routine | null> => {
@ -1367,34 +1547,94 @@ export function routineService(
if (enabledScheduleTriggers) {
assertScheduleCompatibleVariables(nextVariables);
}
const [updated] = await db
.update(routines)
.set({
return db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${id} for update`);
const locked = await txDb
.select()
.from(routines)
.where(eq(routines.id, id))
.then((rows) => rows[0] ?? null);
if (!locked) return null;
if (patch.baseRevisionId && patch.baseRevisionId !== locked.latestRevisionId) {
throw conflict("Routine was updated by someone else", {
currentRevisionId: locked.latestRevisionId,
});
}
const candidate: RoutineRow = {
...locked,
projectId: nextProjectId,
goalId: patch.goalId === undefined ? existing.goalId : patch.goalId,
parentIssueId: patch.parentIssueId === undefined ? existing.parentIssueId : patch.parentIssueId,
goalId: patch.goalId === undefined ? locked.goalId : patch.goalId,
parentIssueId: patch.parentIssueId === undefined ? locked.parentIssueId : patch.parentIssueId,
title: nextTitle,
description: nextDescription,
assigneeAgentId: nextAssigneeAgentId,
priority: patch.priority ?? existing.priority,
priority: patch.priority ?? locked.priority,
status: nextStatus,
concurrencyPolicy: patch.concurrencyPolicy ?? existing.concurrencyPolicy,
catchUpPolicy: patch.catchUpPolicy ?? existing.catchUpPolicy,
concurrencyPolicy: patch.concurrencyPolicy ?? locked.concurrencyPolicy,
catchUpPolicy: patch.catchUpPolicy ?? locked.catchUpPolicy,
variables: nextVariables,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: new Date(),
})
.where(eq(routines.id, id))
.returning();
return updated ?? null;
};
if (locked.latestRevisionId && routineCurrentFieldsMatch(locked, candidate)) {
return locked;
}
const nextSnapshot = await buildRoutineRevisionSnapshot(txDb, candidate);
if (locked.latestRevisionId) {
const latestRevision = await txDb
.select({ snapshot: routineRevisions.snapshot })
.from(routineRevisions)
.where(
and(
eq(routineRevisions.companyId, locked.companyId),
eq(routineRevisions.routineId, locked.id),
eq(routineRevisions.id, locked.latestRevisionId),
),
)
.then((rows) => rows[0] ?? null);
if (latestRevision && snapshotsMatch(nextSnapshot, latestRevision.snapshot as RoutineRevisionSnapshotV1)) {
return locked;
}
}
const [updated] = await txDb
.update(routines)
.set({
projectId: candidate.projectId,
goalId: candidate.goalId,
parentIssueId: candidate.parentIssueId,
title: candidate.title,
description: candidate.description,
assigneeAgentId: candidate.assigneeAgentId,
priority: candidate.priority,
status: candidate.status,
concurrencyPolicy: candidate.concurrencyPolicy,
catchUpPolicy: candidate.catchUpPolicy,
variables: candidate.variables,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: new Date(),
})
.where(eq(routines.id, id))
.returning();
if (!updated) return null;
const { routine } = await appendRoutineRevision(txDb, updated, actor, {
changeSummary: "Updated routine",
});
return routine;
});
},
createTrigger: async (
routineId: string,
input: CreateRoutineTrigger,
actor: Actor,
): Promise<{ trigger: RoutineTrigger; secretMaterial: RoutineTriggerSecretMaterial | null }> => {
): Promise<{ trigger: RoutineTrigger; secretMaterial: RoutineTriggerSecretMaterial | null; revision: RoutineRevision }> => {
const routine = await getRoutineById(routineId);
if (!routine) throw notFound("Routine not found");
@ -1422,36 +1662,50 @@ export function routineService(
};
}
const [trigger] = await db
.insert(routineTriggers)
.values({
companyId: routine.companyId,
routineId: routine.id,
kind: input.kind,
label: input.label ?? null,
enabled: input.enabled ?? true,
cronExpression: input.kind === "schedule" ? input.cronExpression : null,
timezone: input.kind === "schedule" ? (input.timezone || "UTC") : null,
nextRunAt,
publicId,
secretId,
signingMode: input.kind === "webhook" ? input.signingMode : null,
replayWindowSec: input.kind === "webhook" ? input.replayWindowSec : null,
lastRotatedAt: input.kind === "webhook" ? new Date() : null,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
})
.returning();
const { trigger, revision } = await db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${routine.id} for update`);
const [createdTrigger] = await txDb
.insert(routineTriggers)
.values({
companyId: routine.companyId,
routineId: routine.id,
kind: input.kind,
label: input.label ?? null,
enabled: input.enabled ?? true,
cronExpression: input.kind === "schedule" ? input.cronExpression : null,
timezone: input.kind === "schedule" ? (input.timezone || "UTC") : null,
nextRunAt,
publicId,
secretId,
signingMode: input.kind === "webhook" ? input.signingMode : null,
replayWindowSec: input.kind === "webhook" ? input.replayWindowSec : null,
lastRotatedAt: input.kind === "webhook" ? new Date() : null,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
})
.returning();
const latestRoutine = await txDb.select().from(routines).where(eq(routines.id, routine.id)).then((rows) => rows[0] ?? routine);
const appended = await appendRoutineRevision(txDb, latestRoutine, actor, {
changeSummary: `Created ${input.kind} trigger`,
});
return { trigger: createdTrigger, revision: appended.revision };
});
return {
trigger: trigger as RoutineTrigger,
secretMaterial,
revision,
};
},
updateTrigger: async (id: string, patch: UpdateRoutineTrigger, actor: Actor): Promise<RoutineTrigger | null> => {
updateTrigger: async (
id: string,
patch: UpdateRoutineTrigger,
actor: Actor,
): Promise<{ trigger: RoutineTrigger; revision: RoutineRevision } | null> => {
const existing = await getTriggerById(id);
if (!existing) return null;
@ -1481,37 +1735,63 @@ export function routineService(
}
}
const [updated] = await db
.update(routineTriggers)
.set({
label: patch.label === undefined ? existing.label : patch.label,
enabled: patch.enabled ?? existing.enabled,
cronExpression,
timezone,
nextRunAt,
signingMode: patch.signingMode === undefined ? existing.signingMode : patch.signingMode,
replayWindowSec: patch.replayWindowSec === undefined ? existing.replayWindowSec : patch.replayWindowSec,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: new Date(),
})
.where(eq(routineTriggers.id, id))
.returning();
return (updated as RoutineTrigger | undefined) ?? null;
return db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${existing.routineId} for update`);
const [updated] = await txDb
.update(routineTriggers)
.set({
label: patch.label === undefined ? existing.label : patch.label,
enabled: patch.enabled ?? existing.enabled,
cronExpression,
timezone,
nextRunAt,
signingMode: patch.signingMode === undefined ? existing.signingMode : patch.signingMode,
replayWindowSec: patch.replayWindowSec === undefined ? existing.replayWindowSec : patch.replayWindowSec,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: new Date(),
})
.where(eq(routineTriggers.id, id))
.returning();
if (!updated) return null;
const routine = await txDb
.select()
.from(routines)
.where(eq(routines.id, existing.routineId))
.then((rows) => rows[0] ?? null);
if (!routine) throw notFound("Routine not found");
const appended = await appendRoutineRevision(txDb, routine, actor, {
changeSummary: `Updated ${existing.kind} trigger`,
});
return { trigger: updated as RoutineTrigger, revision: appended.revision };
});
},
deleteTrigger: async (id: string): Promise<boolean> => {
deleteTrigger: async (id: string, actor: Actor = {}): Promise<{ deleted: boolean; revision: RoutineRevision | null }> => {
const existing = await getTriggerById(id);
if (!existing) return false;
await db.delete(routineTriggers).where(eq(routineTriggers.id, id));
return true;
if (!existing) return { deleted: false, revision: null };
return db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${existing.routineId} for update`);
await txDb.delete(routineTriggers).where(eq(routineTriggers.id, id));
const routine = await txDb
.select()
.from(routines)
.where(eq(routines.id, existing.routineId))
.then((rows) => rows[0] ?? null);
if (!routine) throw notFound("Routine not found");
const appended = await appendRoutineRevision(txDb, routine, actor, {
changeSummary: `Deleted ${existing.kind} trigger`,
});
return { deleted: true, revision: appended.revision };
});
},
rotateTriggerSecret: async (
id: string,
actor: Actor,
): Promise<{ trigger: RoutineTrigger; secretMaterial: RoutineTriggerSecretMaterial }> => {
): Promise<{ trigger: RoutineTrigger; secretMaterial: RoutineTriggerSecretMaterial; revision: RoutineRevision }> => {
const existing = await getTriggerById(id);
if (!existing) throw notFound("Routine trigger not found");
if (existing.kind !== "webhook" || !existing.publicId || !existing.secretId) {
@ -1520,26 +1800,214 @@ export function routineService(
const secretValue = crypto.randomBytes(24).toString("hex");
await secretsSvc.rotate(existing.secretId, { value: secretValue }, actor);
const [updated] = await db
.update(routineTriggers)
.set({
lastRotatedAt: new Date(),
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: new Date(),
})
.where(eq(routineTriggers.id, id))
.returning();
const { trigger, revision } = await db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${existing.routineId} for update`);
const [updated] = await txDb
.update(routineTriggers)
.set({
lastRotatedAt: new Date(),
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: new Date(),
})
.where(eq(routineTriggers.id, id))
.returning();
const routine = await txDb
.select()
.from(routines)
.where(eq(routines.id, existing.routineId))
.then((rows) => rows[0] ?? null);
if (!routine) throw notFound("Routine not found");
const appended = await appendRoutineRevision(txDb, routine, actor, {
changeSummary: "Rotated webhook trigger secret",
});
return { trigger: updated, revision: appended.revision };
});
return {
trigger: updated as RoutineTrigger,
trigger: trigger as RoutineTrigger,
secretMaterial: {
webhookUrl: `${process.env.PAPERCLIP_API_URL}/api/routine-triggers/public/${existing.publicId}/fire`,
webhookSecret: secretValue,
},
revision,
};
},
listRevisions: async (routineId: string): Promise<RoutineRevision[]> => {
const routine = await getRoutineById(routineId);
if (!routine) throw notFound("Routine not found");
const rows = await db
.select()
.from(routineRevisions)
.where(and(eq(routineRevisions.companyId, routine.companyId), eq(routineRevisions.routineId, routine.id)))
.orderBy(desc(routineRevisions.revisionNumber), desc(routineRevisions.createdAt))
.limit(MAX_ROUTINE_REVISIONS);
return rows.map(mapRoutineRevision);
},
restoreRevision: async (
routineId: string,
revisionId: string,
actor: Actor,
): Promise<{
routine: Routine;
revision: RoutineRevision;
restoredFromRevisionId: string;
restoredFromRevisionNumber: number;
secretMaterials: RoutineTriggerSecretRestoreMaterial[];
}> => {
const existingRoutine = await getRoutineById(routineId);
if (!existingRoutine) throw notFound("Routine not found");
const targetRevision = await db
.select()
.from(routineRevisions)
.where(
and(
eq(routineRevisions.companyId, existingRoutine.companyId),
eq(routineRevisions.routineId, existingRoutine.id),
eq(routineRevisions.id, revisionId),
),
)
.then((rows) => rows[0] ?? null);
if (!targetRevision) throw notFound("Routine revision not found");
const snapshot = targetRevision.snapshot as RoutineRevisionSnapshotV1;
const routineSnapshot = snapshot.routine;
await assertRestorableAssignee(existingRoutine.companyId, routineSnapshot.assigneeAgentId, actor);
return db.transaction(async (tx) => {
const txDb = tx as unknown as Db;
await tx.execute(sql`select id from ${routines} where ${routines.id} = ${existingRoutine.id} for update`);
const locked = await txDb
.select()
.from(routines)
.where(eq(routines.id, existingRoutine.id))
.then((rows) => rows[0] ?? null);
if (!locked) throw notFound("Routine not found");
if (locked.latestRevisionId === targetRevision.id) {
throw conflict("Selected revision is already the latest revision", {
currentRevisionId: locked.latestRevisionId,
});
}
const currentTriggers = await txDb
.select({ id: routineTriggers.id })
.from(routineTriggers)
.where(and(eq(routineTriggers.companyId, locked.companyId), eq(routineTriggers.routineId, locked.id)));
const currentTriggerIds = new Set(currentTriggers.map((trigger) => trigger.id));
const missingWebhookTriggers = snapshot.triggers
.filter((trigger) => trigger.kind === "webhook" && !currentTriggerIds.has(trigger.id));
const recreatedWebhookSecrets = new Map<string, { publicId: string; secretId: string; secretMaterial: RoutineTriggerSecretRestoreMaterial }>();
for (const trigger of missingWebhookTriggers) {
const publicId = crypto.randomBytes(12).toString("hex");
const created = await createWebhookSecret(locked.companyId, locked.id, actor, txDb);
recreatedWebhookSecrets.set(trigger.id, {
publicId,
secretId: created.secret.id,
secretMaterial: {
triggerId: trigger.id,
webhookUrl: `${process.env.PAPERCLIP_API_URL}/api/routine-triggers/public/${publicId}/fire`,
webhookSecret: created.secretValue,
},
});
}
const now = new Date();
const [restoredRoutine] = await txDb
.update(routines)
.set({
projectId: routineSnapshot.projectId,
goalId: routineSnapshot.goalId,
parentIssueId: routineSnapshot.parentIssueId,
title: routineSnapshot.title,
description: routineSnapshot.description,
assigneeAgentId: routineSnapshot.assigneeAgentId,
priority: routineSnapshot.priority,
status: routineSnapshot.status,
concurrencyPolicy: routineSnapshot.concurrencyPolicy,
catchUpPolicy: routineSnapshot.catchUpPolicy,
variables: routineSnapshot.variables,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: now,
})
.where(eq(routines.id, locked.id))
.returning();
const snapshotTriggerIds = new Set(snapshot.triggers.map((trigger) => trigger.id));
if (snapshotTriggerIds.size === 0) {
await txDb
.delete(routineTriggers)
.where(and(eq(routineTriggers.companyId, locked.companyId), eq(routineTriggers.routineId, locked.id)));
} else {
await txDb
.delete(routineTriggers)
.where(
and(
eq(routineTriggers.companyId, locked.companyId),
eq(routineTriggers.routineId, locked.id),
not(inArray(routineTriggers.id, snapshot.triggers.map((trigger) => trigger.id))),
),
);
}
for (const triggerSnapshot of snapshot.triggers) {
const current = await txDb
.select()
.from(routineTriggers)
.where(and(eq(routineTriggers.companyId, locked.companyId), eq(routineTriggers.id, triggerSnapshot.id)))
.then((rows) => rows[0] ?? null);
const webhookSecret = recreatedWebhookSecrets.get(triggerSnapshot.id);
const restoredNextRunAt = triggerSnapshot.kind === "schedule" && triggerSnapshot.enabled
&& triggerSnapshot.cronExpression && triggerSnapshot.timezone
? nextCronTickInTimeZone(triggerSnapshot.cronExpression, triggerSnapshot.timezone, now)
: null;
const baseValues = {
companyId: locked.companyId,
routineId: locked.id,
kind: triggerSnapshot.kind,
label: triggerSnapshot.label,
enabled: triggerSnapshot.enabled,
cronExpression: triggerSnapshot.kind === "schedule" ? triggerSnapshot.cronExpression : null,
timezone: triggerSnapshot.kind === "schedule" ? triggerSnapshot.timezone : null,
publicId: triggerSnapshot.kind === "webhook" ? (current?.publicId ?? webhookSecret?.publicId ?? triggerSnapshot.publicId) : null,
secretId: triggerSnapshot.kind === "webhook" ? (current?.secretId ?? webhookSecret?.secretId ?? null) : null,
signingMode: triggerSnapshot.kind === "webhook" ? triggerSnapshot.signingMode : null,
replayWindowSec: triggerSnapshot.kind === "webhook" ? triggerSnapshot.replayWindowSec : null,
nextRunAt: restoredNextRunAt,
updatedByAgentId: actor.agentId ?? null,
updatedByUserId: actor.userId ?? null,
updatedAt: now,
};
if (current) {
await txDb.update(routineTriggers).set(baseValues).where(eq(routineTriggers.id, triggerSnapshot.id));
} else {
await txDb.insert(routineTriggers).values({
id: triggerSnapshot.id,
...baseValues,
createdByAgentId: actor.agentId ?? null,
createdByUserId: actor.userId ?? null,
createdAt: now,
});
}
}
const appended = await appendRoutineRevision(txDb, restoredRoutine ?? locked, actor, {
changeSummary: `Restored from revision ${targetRevision.revisionNumber}`,
restoredFromRevisionId: targetRevision.id,
});
return {
routine: appended.routine,
revision: appended.revision,
restoredFromRevisionId: targetRevision.id,
restoredFromRevisionNumber: targetRevision.revisionNumber,
secretMaterials: [...recreatedWebhookSecrets.values()].map((entry) => entry.secretMaterial),
};
});
},
runRoutine: async (id: string, input: RunRoutine, actor?: Actor) => {
const routine = await getRoutineById(id);
if (!routine) throw notFound("Routine not found");