ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-16 02:40:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

Add SSH environment support (#4358)

Browse source 
## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies
> - The environments subsystem already models execution environments,
but before this branch there was no end-to-end SSH-backed runtime path
for agents to actually run work against a remote box
> - That meant agents could be configured around environment concepts
without a reliable way to execute adapter sessions remotely, sync
workspace state, and preserve run context across supported adapters
> - We also need environment selection to participate in normal
Paperclip control-plane behavior: agent defaults, project/issue
selection, route validation, and environment probing
> - Because this capability is still experimental, the UI surface should
be easy to hide and easy to remove later without undoing the underlying
implementation
> - This pull request adds SSH environment execution support across the
runtime, adapters, routes, schema, and tests, then puts the visible
environment-management UI behind an experimental flag
> - The benefit is that we can validate real SSH-backed agent execution
now while keeping the user-facing controls safely gated until the
feature is ready to come out of experimentation

## What Changed

- Added SSH-backed execution target support in the shared adapter
runtime, including remote workspace preparation, skill/runtime asset
sync, remote session handling, and workspace restore behavior after
runs.
- Added SSH execution coverage for supported local adapters, plus remote
execution tests across Claude, Codex, Cursor, Gemini, OpenCode, and Pi.
- Added environment selection and environment-management backend support
needed for SSH execution, including route/service work, validation,
probing, and agent default environment persistence.
- Added CLI support for SSH environment lab verification and updated
related docs/tests.
- Added the `enableEnvironments` experimental flag and gated the
environment UI behind it on company settings, agent configuration, and
project configuration surfaces.

## Verification

- `pnpm exec vitest run
packages/adapters/claude-local/src/server/execute.remote.test.ts
packages/adapters/cursor-local/src/server/execute.remote.test.ts
packages/adapters/gemini-local/src/server/execute.remote.test.ts
packages/adapters/opencode-local/src/server/execute.remote.test.ts
packages/adapters/pi-local/src/server/execute.remote.test.ts`
- `pnpm exec vitest run server/src/__tests__/environment-routes.test.ts`
- `pnpm exec vitest run
server/src/__tests__/instance-settings-routes.test.ts`
- `pnpm exec vitest run ui/src/lib/new-agent-hire-payload.test.ts
ui/src/lib/new-agent-runtime-config.test.ts`
- `pnpm -r typecheck`
- `pnpm build`
- Manual verification on a branch-local dev server:
  - enabled the experimental flag
  - created an SSH environment
  - created a Linux Claude agent using that environment
- confirmed a run executed on the Linux box and synced workspace changes
back

## Risks

- Medium: this touches runtime execution flow across multiple adapters,
so regressions would likely show up in remote session setup, workspace
sync, or environment selection precedence.
- The UI flag reduces exposure, but the underlying runtime and route
changes are still substantial and rely on migration correctness.
- The change set is broad across adapters, control-plane services,
migrations, and UI gating, so review should pay close attention to
environment-selection precedence and remote workspace lifecycle
behavior.

## Model Used

- OpenAI Codex via Paperclip's local Codex adapter, GPT-5-class coding
model with tool use and code execution in the local repo workspace. The
local adapter does not surface a more specific public model version
string in this branch workflow.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [ ] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
This commit is contained in:
Devin Foley 2026-04-23 19:15:22 -07:00 committed by GitHub
parent f98c348e2b
commit e4995bbb1c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
95 changed files with 10162 additions and 315 deletions
Download patch file Download diff file Expand all files Collapse all files

28
server/src/routes/agents.ts
View file

@ -23,6 +23,7 @@ import {
updateAgentInstructionsPathSchema,
wakeAgentSchema,
updateAgentSchema,
supportedEnvironmentDriversForAdapter,
} from "@paperclipai/shared";
import {
readPaperclipSkillSyncPreference,
@ -37,6 +38,7 @@ import {
approvalService,
companySkillService,
budgetService,
environmentService,
heartbeatService,
ISSUE_LIST_DEFAULT_LIMIT,
issueApprovalService,
@ -76,6 +78,7 @@ import {
resolveDefaultAgentInstructionsBundleRole,
} from "../services/default-agent-instructions.js";
import { getTelemetryClient } from "../telemetry.js";
import { assertEnvironmentSelectionForCompany } from "./environment-selection.js";
const RUN_LOG_DEFAULT_LIMIT_BYTES = 256_000;
const RUN_LOG_MAX_LIMIT_BYTES = 1024 * 1024;
@ -139,6 +142,17 @@ export function agentRoutes(db: Db) {
const instanceSettings = instanceSettingsService(db);
const strictSecretsMode = process.env.PAPERCLIP_SECRETS_STRICT_MODE === "true";
async function assertAgentEnvironmentSelection(
companyId: string,
adapterType: string,
environmentId: string | null | undefined,
) {
if (environmentId === undefined || environmentId === null) return;
await assertEnvironmentSelectionForCompany(environmentService(db), companyId, environmentId, {
allowedDrivers: allowedEnvironmentDriversForAgent(adapterType),
});
}
async function getCurrentUserRedactionOptions() {
return {
enabled: (await instanceSettings.getGeneral()).censorUsernameInLogs,
@ -407,6 +421,10 @@ export function agentRoutes(db: Db) {
return Object.hasOwn(value, key);
}
function allowedEnvironmentDriversForAgent(adapterType: string): string[] {
return supportedEnvironmentDriversForAdapter(adapterType);
}
async function resolveCompanyIdForAgentReference(req: Request): Promise<string | null> {
const companyIdQuery = req.query.companyId;
const requestedCompanyId =
@ -1609,6 +1627,7 @@ export function agentRoutes(db: Db) {
createInput.adapterType,
normalizedAdapterConfig,
);
await assertAgentEnvironmentSelection(companyId, createInput.adapterType, createInput.defaultEnvironmentId);
const createdAgent = await svc.create(companyId, {
...createInput,
@ -2065,6 +2084,15 @@ export function agentRoutes(db: Db) {
effectiveAdapterConfig,
);
}
if (touchesAdapterConfiguration || Object.prototype.hasOwnProperty.call(patchData, "defaultEnvironmentId")) {
await assertAgentEnvironmentSelection(
existing.companyId,
requestedAdapterType,
Object.prototype.hasOwnProperty.call(patchData, "defaultEnvironmentId")
? (typeof patchData.defaultEnvironmentId === "string" ? patchData.defaultEnvironmentId : null)
: existing.defaultEnvironmentId,
);
}
const actor = getActorInfo(req);
const agent = await svc.update(id, patchData, {

32
server/src/routes/environment-selection.ts Normal file
View file

@ -0,0 +1,32 @@
import { unprocessable } from "../errors.js";
export async function assertEnvironmentSelectionForCompany(
environmentsSvc: {
getById(environmentId: string): Promise<{
id: string;
companyId: string;
driver: string;
status?: string | null;
config: Record<string, unknown> | null;
} | null>;
},
companyId: string,
environmentId: string | null | undefined,
options?: {
allowedDrivers?: string[];
},
) {
if (environmentId === undefined || environmentId === null) return;
const environment = await environmentsSvc.getById(environmentId);
if (!environment || environment.companyId !== companyId) {
throw unprocessable("Environment not found.");
}
if (environment.status === "archived") {
throw unprocessable("Environment is archived.");
}
if (options?.allowedDrivers && !options.allowedDrivers.includes(environment.driver)) {
throw unprocessable(
`Environment driver "${environment.driver}" is not allowed here. Allowed drivers: ${options.allowedDrivers.join(", ")}`,
);
}
}

423
server/src/routes/environments.ts Normal file
View file

@ -0,0 +1,423 @@
import { Router, type Request } from "express";
import type { Db } from "@paperclipai/db";
import {
AGENT_ADAPTER_TYPES,
createEnvironmentSchema,
getEnvironmentCapabilities,
probeEnvironmentConfigSchema,
updateEnvironmentSchema,
} from "@paperclipai/shared";
import { forbidden } from "../errors.js";
import { validate } from "../middleware/validate.js";
import {
accessService,
agentService,
environmentService,
executionWorkspaceService,
issueService,
logActivity,
projectService,
} from "../services/index.js";
import {
normalizeEnvironmentConfigForPersistence,
normalizeEnvironmentConfigForProbe,
parseEnvironmentDriverConfig,
readSshEnvironmentPrivateKeySecretId,
type ParsedEnvironmentConfig,
} from "../services/environment-config.js";
import { probeEnvironment } from "../services/environment-probe.js";
import { secretService } from "../services/secrets.js";
import { assertCompanyAccess, getActorInfo } from "./authz.js";
export function environmentRoutes(db: Db) {
const router = Router();
const agents = agentService(db);
const access = accessService(db);
const svc = environmentService(db);
const executionWorkspaces = executionWorkspaceService(db);
const issues = issueService(db);
const projects = projectService(db);
const secrets = secretService(db);
function parseObject(value: unknown): Record<string, unknown> {
return value && typeof value === "object" && !Array.isArray(value)
? (value as Record<string, unknown>)
: {};
}
function canCreateAgents(agent: { permissions: Record<string, unknown> | null | undefined }) {
if (!agent.permissions || typeof agent.permissions !== "object") return false;
return Boolean((agent.permissions as Record<string, unknown>).canCreateAgents);
}
async function assertCanMutateEnvironments(req: Request, companyId: string) {
assertCompanyAccess(req, companyId);
if (req.actor.type === "board") {
if (req.actor.source === "local_implicit" || req.actor.isInstanceAdmin) return;
const allowed = await access.canUser(companyId, req.actor.userId, "environments:manage");
if (!allowed) {
throw forbidden("Missing permission: environments:manage");
}
return;
}
if (!req.actor.agentId) {
throw forbidden("Agent authentication required");
}
const actorAgent = await agents.getById(req.actor.agentId);
if (!actorAgent || actorAgent.companyId !== companyId) {
throw forbidden("Agent key cannot access another company");
}
const allowedByGrant = await access.hasPermission(companyId, "agent", actorAgent.id, "environments:manage");
if (allowedByGrant || canCreateAgents(actorAgent)) {
return;
}
throw forbidden("Missing permission: environments:manage");
}
async function actorCanReadEnvironmentConfigurations(req: Request, companyId: string) {
assertCompanyAccess(req, companyId);
if (req.actor.type === "board") {
if (req.actor.source === "local_implicit" || req.actor.isInstanceAdmin) return true;
return access.canUser(companyId, req.actor.userId, "environments:manage");
}
if (!req.actor.agentId) return false;
const actorAgent = await agents.getById(req.actor.agentId);
if (!actorAgent || actorAgent.companyId !== companyId) return false;
const allowedByGrant = await access.hasPermission(companyId, "agent", actorAgent.id, "environments:manage");
return allowedByGrant || canCreateAgents(actorAgent);
}
function redactEnvironmentForRestrictedView<T extends {
config: Record<string, unknown>;
metadata: Record<string, unknown> | null;
}>(environment: T): T & { configRedacted: true; metadataRedacted: true } {
return {
...environment,
config: {},
metadata: null,
configRedacted: true,
metadataRedacted: true,
};
}
function summarizeEnvironmentUpdate(
patch: Record<string, unknown>,
environment: {
name: string;
driver: string;
status: string;
},
): Record<string, unknown> {
const details: Record<string, unknown> = {
changedFields: Object.keys(patch).sort(),
};
if (patch.name !== undefined) details.name = environment.name;
if (patch.driver !== undefined) details.driver = environment.driver;
if (patch.status !== undefined) details.status = environment.status;
if (patch.description !== undefined) details.descriptionChanged = true;
if (patch.config !== undefined) {
details.configChanged = true;
details.configTopLevelKeyCount =
patch.config && typeof patch.config === "object" && !Array.isArray(patch.config)
? Object.keys(patch.config as Record<string, unknown>).length
: 0;
}
if (patch.metadata !== undefined) {
details.metadataChanged = true;
details.metadataTopLevelKeyCount =
patch.metadata && typeof patch.metadata === "object" && !Array.isArray(patch.metadata)
? Object.keys(patch.metadata as Record<string, unknown>).length
: 0;
}
return details;
}
router.get("/companies/:companyId/environments", async (req, res) => {
const companyId = req.params.companyId as string;
assertCompanyAccess(req, companyId);
const rows = await svc.list(companyId, {
status: req.query.status as string | undefined,
driver: req.query.driver as string | undefined,
});
const canReadConfigs = await actorCanReadEnvironmentConfigurations(req, companyId);
if (canReadConfigs) {
res.json(rows);
return;
}
res.json(rows.map((environment) => redactEnvironmentForRestrictedView(environment)));
});
router.get("/companies/:companyId/environments/capabilities", async (req, res) => {
const companyId = req.params.companyId as string;
assertCompanyAccess(req, companyId);
res.json(getEnvironmentCapabilities(AGENT_ADAPTER_TYPES));
});
router.post("/companies/:companyId/environments", validate(createEnvironmentSchema), async (req, res) => {
const companyId = req.params.companyId as string;
await assertCanMutateEnvironments(req, companyId);
const actor = getActorInfo(req);
const input = {
...req.body,
config: await normalizeEnvironmentConfigForPersistence({
db,
companyId,
environmentName: req.body.name,
driver: req.body.driver,
config: req.body.config,
actor: {
agentId: actor.agentId,
userId: actor.actorType === "user" ? actor.actorId : null,
},
}),
};
const environment = await svc.create(companyId, input);
await logActivity(db, {
companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "environment.created",
entityType: "environment",
entityId: environment.id,
details: {
name: environment.name,
driver: environment.driver,
status: environment.status,
},
});
res.status(201).json(environment);
});
router.get("/environments/:id", async (req, res) => {
const environment = await svc.getById(req.params.id as string);
if (!environment) {
res.status(404).json({ error: "Environment not found" });
return;
}
assertCompanyAccess(req, environment.companyId);
const canReadConfigs = await actorCanReadEnvironmentConfigurations(req, environment.companyId);
if (canReadConfigs) {
res.json(environment);
return;
}
res.json(redactEnvironmentForRestrictedView(environment));
});
router.get("/environments/:id/leases", async (req, res) => {
const environment = await svc.getById(req.params.id as string);
if (!environment) {
res.status(404).json({ error: "Environment not found" });
return;
}
assertCompanyAccess(req, environment.companyId);
const canReadConfigs = await actorCanReadEnvironmentConfigurations(req, environment.companyId);
if (!canReadConfigs) {
throw forbidden("Missing permission: environments:manage");
}
const leases = await svc.listLeases(environment.id, {
status: req.query.status as string | undefined,
});
res.json(leases);
});
router.get("/environment-leases/:leaseId", async (req, res) => {
const lease = await svc.getLeaseById(req.params.leaseId as string);
if (!lease) {
res.status(404).json({ error: "Environment lease not found" });
return;
}
assertCompanyAccess(req, lease.companyId);
const canReadConfigs = await actorCanReadEnvironmentConfigurations(req, lease.companyId);
if (!canReadConfigs) {
throw forbidden("Missing permission: environments:manage");
}
res.json(lease);
});
router.patch("/environments/:id", validate(updateEnvironmentSchema), async (req, res) => {
const existing = await svc.getById(req.params.id as string);
if (!existing) {
res.status(404).json({ error: "Environment not found" });
return;
}
await assertCanMutateEnvironments(req, existing.companyId);
const actor = getActorInfo(req);
const nextDriver = req.body.driver ?? existing.driver;
const nextName = req.body.name ?? existing.name;
const configSource =
req.body.config !== undefined
? req.body.driver !== undefined && req.body.driver !== existing.driver
? req.body.config
: {
...parseObject(existing.config),
...parseObject(req.body.config),
}
: req.body.driver !== undefined && req.body.driver !== existing.driver
? {}
: existing.config;
const patch = {
...req.body,
...(req.body.config !== undefined || req.body.driver !== undefined
? {
config: await normalizeEnvironmentConfigForPersistence({
db,
companyId: existing.companyId,
environmentName: nextName,
driver: nextDriver,
config: configSource,
actor: {
agentId: actor.agentId,
userId: actor.actorType === "user" ? actor.actorId : null,
},
}),
}
: {}),
};
const environment = await svc.update(existing.id, patch);
if (!environment) {
res.status(404).json({ error: "Environment not found" });
return;
}
await logActivity(db, {
companyId: environment.companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "environment.updated",
entityType: "environment",
entityId: environment.id,
details: summarizeEnvironmentUpdate(patch as Record<string, unknown>, environment),
});
res.json(environment);
});
router.delete("/environments/:id", async (req, res) => {
const existing = await svc.getById(req.params.id as string);
if (!existing) {
res.status(404).json({ error: "Environment not found" });
return;
}
await assertCanMutateEnvironments(req, existing.companyId);
await Promise.all([
executionWorkspaces.clearEnvironmentSelection(existing.companyId, existing.id),
issues.clearExecutionWorkspaceEnvironmentSelection(existing.companyId, existing.id),
projects.clearExecutionWorkspaceEnvironmentSelection(existing.companyId, existing.id),
]);
const removed = await svc.remove(existing.id);
if (!removed) {
res.status(404).json({ error: "Environment not found" });
return;
}
const secretId = readSshEnvironmentPrivateKeySecretId(existing);
if (secretId) {
await secrets.remove(secretId);
}
const actor = getActorInfo(req);
await logActivity(db, {
companyId: existing.companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "environment.deleted",
entityType: "environment",
entityId: removed.id,
details: {
name: removed.name,
driver: removed.driver,
status: removed.status,
},
});
res.json(removed);
});
router.post("/environments/:id/probe", async (req, res) => {
const environment = await svc.getById(req.params.id as string);
if (!environment) {
res.status(404).json({ error: "Environment not found" });
return;
}
await assertCanMutateEnvironments(req, environment.companyId);
const actor = getActorInfo(req);
const probe = await probeEnvironment(db, environment);
await logActivity(db, {
companyId: environment.companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "environment.probed",
entityType: "environment",
entityId: environment.id,
details: {
driver: environment.driver,
ok: probe.ok,
summary: probe.summary,
},
});
res.json(probe);
});
router.post(
"/companies/:companyId/environments/probe-config",
validate(probeEnvironmentConfigSchema),
async (req, res) => {
const companyId = req.params.companyId as string;
await assertCanMutateEnvironments(req, companyId);
const actor = getActorInfo(req);
const normalizedConfig = normalizeEnvironmentConfigForProbe({
driver: req.body.driver,
config: req.body.config,
});
const environment = {
id: "unsaved",
companyId,
name: req.body.name?.trim() || "Unsaved environment",
description: req.body.description ?? null,
driver: req.body.driver,
status: "active" as const,
config: normalizedConfig,
metadata: req.body.metadata ?? null,
createdAt: new Date(),
updatedAt: new Date(),
};
const probe = await probeEnvironment(db, environment, {
resolvedConfig: {
driver: req.body.driver,
config: normalizedConfig,
} as ParsedEnvironmentConfig,
});
await logActivity(db, {
companyId,
actorType: actor.actorType,
actorId: actor.actorId,
agentId: actor.agentId,
runId: actor.runId,
action: "environment.probed_unsaved",
entityType: "environment",
entityId: "unsaved",
details: {
driver: environment.driver,
ok: probe.ok,
summary: probe.summary,
configTopLevelKeyCount: Object.keys(environment.config).length,
},
});
res.json(probe);
},
);
return router;
}

18
server/src/routes/issues.ts
View file

@ -55,6 +55,7 @@ import {
projectService,
routineService,
workProductService,
environmentService,
} from "../services/index.js";
import { logger } from "../middleware/logger.js";
import { conflict, forbidden, HttpError, notFound, unauthorized } from "../errors.js";
@ -71,6 +72,7 @@ import {
SVG_CONTENT_TYPE,
} from "../attachment-types.js";
import { queueIssueAssignmentWakeup } from "../services/issue-assignment-wakeup.js";
import { assertEnvironmentSelectionForCompany } from "./environment-selection.js";
import {
applyIssueExecutionPolicyTransition,
normalizeIssueExecutionPolicy,
@ -415,6 +417,19 @@ export function issueRoutes(
return value === true || value === "true" || value === "1";
}
async function assertIssueEnvironmentSelection(
companyId: string,
environmentId: string | null | undefined,
) {
if (environmentId === undefined || environmentId === null) return;
await assertEnvironmentSelectionForCompany(
environmentService(db),
companyId,
environmentId,
{ allowedDrivers: ["local", "ssh"] },
);
}
async function logExpiredRequestConfirmations(input: {
issue: { id: string; companyId: string; identifier?: string | null };
interactions: Array<{ id: string; kind: string; status: string; result?: unknown }>;
@ -1635,6 +1650,7 @@ export function issueRoutes(
if (req.body.assigneeAgentId || req.body.assigneeUserId) {
await assertCanAssignTasks(req, companyId);
}
await assertIssueEnvironmentSelection(companyId, req.body.executionWorkspaceSettings?.environmentId);
const actor = getActorInfo(req);
const executionPolicy = normalizeIssueExecutionPolicy(req.body.executionPolicy);
@ -1701,6 +1717,7 @@ export function issueRoutes(
if (req.body.assigneeAgentId || req.body.assigneeUserId) {
await assertCanAssignTasks(req, parent.companyId);
}
await assertIssueEnvironmentSelection(parent.companyId, req.body.executionWorkspaceSettings?.environmentId);
const actor = getActorInfo(req);
const executionPolicy = normalizeIssueExecutionPolicy(req.body.executionPolicy);
@ -1775,6 +1792,7 @@ export function issueRoutes(
hiddenAt: hiddenAtRaw,
...updateFields
} = req.body;
await assertIssueEnvironmentSelection(existing.companyId, updateFields.executionWorkspaceSettings?.environmentId);
const requestedAssigneeAgentId =
normalizedAssigneeAgentId === undefined ? existing.assigneeAgentId : normalizedAssigneeAgentId;
const effectiveMoveToTodoRequested =

27
server/src/routes/projects.ts
View file

@ -13,7 +13,7 @@ import {
import type { WorkspaceRuntimeDesiredState, WorkspaceRuntimeServiceStateMap } from "@paperclipai/shared";
import { trackProjectCreated } from "@paperclipai/shared/telemetry";
import { validate } from "../middleware/validate.js";
import { projectService, logActivity, secretService, workspaceOperationService } from "../services/index.js";
import { environmentService, projectService, logActivity, secretService, workspaceOperationService } from "../services/index.js";
import { conflict } from "../errors.js";
import { assertCompanyAccess, getActorInfo } from "./authz.js";
import {
@ -31,6 +31,7 @@ import {
import { assertCanManageProjectWorkspaceRuntimeServices } from "./workspace-runtime-service-authz.js";
import { getTelemetryClient } from "../telemetry.js";
import { appendWithCap } from "../adapters/utils.js";
import { assertEnvironmentSelectionForCompany } from "./environment-selection.js";
const WORKSPACE_CONTROL_OUTPUT_MAX_CHARS = 256 * 1024;
@ -40,6 +41,22 @@ export function projectRoutes(db: Db) {
const secretsSvc = secretService(db);
const workspaceOperations = workspaceOperationService(db);
const strictSecretsMode = process.env.PAPERCLIP_SECRETS_STRICT_MODE === "true";
const environmentsSvc = environmentService(db);
async function assertProjectEnvironmentSelection(companyId: string, environmentId: string | null | undefined) {
if (environmentId === undefined || environmentId === null) return;
await assertEnvironmentSelectionForCompany(environmentsSvc, companyId, environmentId, {
allowedDrivers: ["local", "ssh"],
});
}
function readProjectPolicyEnvironmentId(policy: unknown): string | null | undefined {
if (!policy || typeof policy !== "object" || !("environmentId" in policy)) {
return undefined;
}
const environmentId = (policy as { environmentId?: unknown }).environmentId;
return typeof environmentId === "string" || environmentId === null ? environmentId : undefined;
}
async function resolveCompanyIdForProjectReference(req: Request) {
const companyIdQuery = req.query.companyId;
@ -103,6 +120,10 @@ export function projectRoutes(db: Db) {
};
const { workspace, ...projectData } = req.body as CreateProjectPayload;
await assertProjectEnvironmentSelection(
companyId,
readProjectPolicyEnvironmentId(projectData.executionWorkspacePolicy),
);
assertNoAgentHostWorkspaceCommandMutation(
req,
[
@ -165,6 +186,10 @@ export function projectRoutes(db: Db) {
req,
collectProjectExecutionWorkspaceCommandPaths(body.executionWorkspacePolicy),
);
await assertProjectEnvironmentSelection(
existing.companyId,
readProjectPolicyEnvironmentId(body.executionWorkspacePolicy),
);
if (typeof body.archivedAt === "string") {
body.archivedAt = new Date(body.archivedAt);
}