ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-16 10:50:38 +09:00
Code Issues Projects Releases Packages Wiki Activity

feat(plugin): scope secret-ref config by company

Browse source
This commit is contained in:
Paperclip Bot 2026-06-03 06:31:01 +00:00 committed by Alkim Ake Gozen
parent 62863126a3
commit db0ef46900
19 changed files with 587 additions and 102 deletions
Download patch file Download diff file Expand all files Collapse all files

6
server/src/services/plugin-host-services.ts
View file

@ -489,7 +489,7 @@ export function buildHostServices(
const registry = pluginRegistryService(db);
const stateStore = pluginStateStore(db);
const pluginDb = pluginDatabaseService(db);
const secretsHandler = createPluginSecretsHandler({ db, pluginId });
const secretsHandler = createPluginSecretsHandler({ db, pluginId, manifest: options.manifest });
const companies = companyService(db);
const agents = agentService(db);
const managedAgents = pluginManagedAgentService(db, {
@ -1053,8 +1053,8 @@ export function buildHostServices(
return {
config: {
async get() {
const configRow = await registry.getConfig(pluginId);
async get(params) {
const configRow = await registry.getConfig(pluginId, params?.companyId ?? null);
return configRow?.configJson ?? {};
},
},

37
server/src/services/plugin-registry.ts
View file

@ -1,4 +1,4 @@
import { asc, eq, ne, sql, and } from "drizzle-orm";
import { asc, eq, ne, sql, and, isNull } from "drizzle-orm";
import type { Db } from "@paperclipai/db";
import {
plugins,
@ -44,6 +44,13 @@ function isPluginKeyConflict(error: unknown): boolean {
return err.code === "23505" && constraint === "plugins_plugin_key_idx";
}
function pluginConfigScopeCondition(pluginId: string, companyId?: string | null) {
return and(
eq(pluginConfig.pluginId, pluginId),
companyId ? eq(pluginConfig.companyId, companyId) : isNull(pluginConfig.companyId),
);
}
// ---------------------------------------------------------------------------
// Service
// ---------------------------------------------------------------------------
@ -280,12 +287,12 @@ export function pluginRegistryService(db: Db) {
// ----- Config ---------------------------------------------------------
/** Retrieve a plugin's instance configuration. */
getConfig: (pluginId: string) =>
/** Retrieve a plugin's company-scoped config, or the legacy global fallback. */
getConfig: (pluginId: string, companyId?: string | null) =>
db
.select()
.from(pluginConfig)
.where(eq(pluginConfig.pluginId, pluginId))
.where(pluginConfigScopeCondition(pluginId, companyId))
.then((rows) => rows[0] ?? null),
/**
@ -293,14 +300,14 @@ export function pluginRegistryService(db: Db) {
* If a config row already exists for the plugin it is replaced;
* otherwise a new row is inserted.
*/
upsertConfig: async (pluginId: string, input: UpsertPluginConfig) => {
upsertConfig: async (pluginId: string, input: UpsertPluginConfig, companyId?: string | null) => {
const plugin = await getById(pluginId);
if (!plugin) throw notFound("Plugin not found");
const existing = await db
.select()
.from(pluginConfig)
.where(eq(pluginConfig.pluginId, pluginId))
.where(pluginConfigScopeCondition(pluginId, companyId))
.then((rows) => rows[0] ?? null);
if (existing) {
@ -311,7 +318,7 @@ export function pluginRegistryService(db: Db) {
lastError: null,
updatedAt: new Date(),
})
.where(eq(pluginConfig.pluginId, pluginId))
.where(pluginConfigScopeCondition(pluginId, companyId))
.returning()
.then((rows) => rows[0]);
}
@ -320,6 +327,7 @@ export function pluginRegistryService(db: Db) {
.insert(pluginConfig)
.values({
pluginId,
companyId: companyId ?? null,
configJson: input.configJson,
})
.returning()
@ -330,14 +338,14 @@ export function pluginRegistryService(db: Db) {
* Partially update a plugin's instance configuration via shallow merge.
* If no config row exists yet one is created with the supplied values.
*/
patchConfig: async (pluginId: string, input: PatchPluginConfig) => {
patchConfig: async (pluginId: string, input: PatchPluginConfig, companyId?: string | null) => {
const plugin = await getById(pluginId);
if (!plugin) throw notFound("Plugin not found");
const existing = await db
.select()
.from(pluginConfig)
.where(eq(pluginConfig.pluginId, pluginId))
.where(pluginConfigScopeCondition(pluginId, companyId))
.then((rows) => rows[0] ?? null);
if (existing) {
@ -349,7 +357,7 @@ export function pluginRegistryService(db: Db) {
lastError: null,
updatedAt: new Date(),
})
.where(eq(pluginConfig.pluginId, pluginId))
.where(pluginConfigScopeCondition(pluginId, companyId))
.returning()
.then((rows) => rows[0]);
}
@ -358,6 +366,7 @@ export function pluginRegistryService(db: Db) {
.insert(pluginConfig)
.values({
pluginId,
companyId: companyId ?? null,
configJson: input.configJson,
})
.returning()
@ -368,11 +377,11 @@ export function pluginRegistryService(db: Db) {
* Record an error against a plugin's config (e.g. validation failure
* against the plugin's instanceConfigSchema).
*/
setConfigError: async (pluginId: string, lastError: string | null) => {
setConfigError: async (pluginId: string, lastError: string | null, companyId?: string | null) => {
const rows = await db
.update(pluginConfig)
.set({ lastError, updatedAt: new Date() })
.where(eq(pluginConfig.pluginId, pluginId))
.where(pluginConfigScopeCondition(pluginId, companyId))
.returning();
if (rows.length === 0) throw notFound("Plugin config not found");
@ -380,10 +389,10 @@ export function pluginRegistryService(db: Db) {
},
/** Delete a plugin's config row. */
deleteConfig: async (pluginId: string) => {
deleteConfig: async (pluginId: string, companyId?: string | null) => {
const rows = await db
.delete(pluginConfig)
.where(eq(pluginConfig.pluginId, pluginId))
.where(pluginConfigScopeCondition(pluginId, companyId))
.returning();
return rows[0] ?? null;

64
server/src/services/plugin-secrets-handler.ts
View file

@ -34,14 +34,17 @@
*/
import type { Db } from "@paperclipai/db";
import type { PaperclipPluginManifestV1 } from "@paperclipai/shared";
import {
collectSecretRefPaths,
isUuidSecretRef,
readConfigValueAtPath,
} from "./json-schema-secret-refs.js";
import { pluginRegistryService } from "./plugin-registry.js";
import { secretService } from "./secrets.js";
export const PLUGIN_SECRET_REFS_DISABLED_MESSAGE =
"Plugin secret references are disabled until company-scoped plugin config lands";
export const PLUGIN_SECRET_REFS_REQUIRE_COMPANY_MESSAGE =
"Plugin secret references require an active company-scoped runtime context";
// ---------------------------------------------------------------------------
// Error helpers
@ -125,6 +128,8 @@ export function extractSecretRefPathsFromConfig(
export interface PluginSecretsResolveParams {
/** The secret reference string (a secret UUID). */
secretRef: string;
/** The company whose scoped plugin config is active for this invocation. */
companyId?: string | null;
}
/**
@ -139,6 +144,8 @@ export interface PluginSecretsHandlerOptions {
* that reach the plugin worker.
*/
pluginId: string;
/** Plugin manifest, used to extract schema-declared secret-ref paths. */
manifest?: PaperclipPluginManifestV1 | null;
}
/**
@ -199,24 +206,17 @@ function createRateLimiter(maxAttempts: number, windowMs: number) {
export function createPluginSecretsHandler(
options: PluginSecretsHandlerOptions,
): PluginSecretsService {
const { pluginId } = options;
const { pluginId, manifest } = options;
const registry = pluginRegistryService(options.db);
const secrets = secretService(options.db);
// Rate limit: max 30 resolution attempts per plugin per minute
// Rate limit: max 30 resolution attempts per plugin+company per minute.
const rateLimiter = createRateLimiter(30, 60_000);
return {
async resolve(params: PluginSecretsResolveParams): Promise<string> {
const { secretRef } = params;
// ---------------------------------------------------------------
// 0. Rate limiting — prevent brute-force UUID enumeration
// ---------------------------------------------------------------
if (!rateLimiter.check(pluginId)) {
const err = new Error("Rate limit exceeded for secret resolution");
err.name = "RateLimitExceededError";
throw err;
}
// ---------------------------------------------------------------
// 1. Validate the ref format
// ---------------------------------------------------------------
@ -230,9 +230,41 @@ export function createPluginSecretsHandler(
throw invalidSecretRef(trimmedRef);
}
// Fail closed until plugin config and worker runtime both carry an
// explicit company scope for secret bindings and resolution.
throw new Error(PLUGIN_SECRET_REFS_DISABLED_MESSAGE);
const companyId = typeof params.companyId === "string" ? params.companyId.trim() : "";
const rateLimitKey = `${pluginId}:${companyId || "__no_company__"}`;
if (!rateLimiter.check(rateLimitKey)) {
const err = new Error("Rate limit exceeded for secret resolution");
err.name = "RateLimitExceededError";
throw err;
}
if (!companyId) {
throw new Error(PLUGIN_SECRET_REFS_REQUIRE_COMPANY_MESSAGE);
}
const configRow = await registry.getConfig(pluginId, companyId);
const refsBySecret = extractSecretRefPathsFromConfig(
configRow?.configJson ?? {},
manifest?.instanceConfigSchema,
);
const paths = [...(refsBySecret.get(trimmedRef) ?? [])];
if (paths.length === 0) {
throw new Error("Secret is not referenced by this company's plugin config");
}
if (paths.length > 1) {
throw new Error(
`Secret reference is ambiguous in this company's plugin config at: ${paths.join(", ")}`,
);
}
return secrets.resolveSecretValue(companyId, trimmedRef, "latest", {
consumerType: "plugin",
consumerId: pluginId,
configPath: paths[0],
actorType: "plugin",
actorId: pluginId,
pluginId,
});
},
};
}