mirror of
https://github.com/alkimake/paperclip.git
synced 2026-06-14 01:50:39 +09:00
e4995bbb1c
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - The environments subsystem already models execution environments, but before this branch there was no end-to-end SSH-backed runtime path for agents to actually run work against a remote box > - That meant agents could be configured around environment concepts without a reliable way to execute adapter sessions remotely, sync workspace state, and preserve run context across supported adapters > - We also need environment selection to participate in normal Paperclip control-plane behavior: agent defaults, project/issue selection, route validation, and environment probing > - Because this capability is still experimental, the UI surface should be easy to hide and easy to remove later without undoing the underlying implementation > - This pull request adds SSH environment execution support across the runtime, adapters, routes, schema, and tests, then puts the visible environment-management UI behind an experimental flag > - The benefit is that we can validate real SSH-backed agent execution now while keeping the user-facing controls safely gated until the feature is ready to come out of experimentation ## What Changed - Added SSH-backed execution target support in the shared adapter runtime, including remote workspace preparation, skill/runtime asset sync, remote session handling, and workspace restore behavior after runs. - Added SSH execution coverage for supported local adapters, plus remote execution tests across Claude, Codex, Cursor, Gemini, OpenCode, and Pi. - Added environment selection and environment-management backend support needed for SSH execution, including route/service work, validation, probing, and agent default environment persistence. - Added CLI support for SSH environment lab verification and updated related docs/tests. - Added the `enableEnvironments` experimental flag and gated the environment UI behind it on company settings, agent configuration, and project configuration surfaces. ## Verification - `pnpm exec vitest run packages/adapters/claude-local/src/server/execute.remote.test.ts packages/adapters/cursor-local/src/server/execute.remote.test.ts packages/adapters/gemini-local/src/server/execute.remote.test.ts packages/adapters/opencode-local/src/server/execute.remote.test.ts packages/adapters/pi-local/src/server/execute.remote.test.ts` - `pnpm exec vitest run server/src/__tests__/environment-routes.test.ts` - `pnpm exec vitest run server/src/__tests__/instance-settings-routes.test.ts` - `pnpm exec vitest run ui/src/lib/new-agent-hire-payload.test.ts ui/src/lib/new-agent-runtime-config.test.ts` - `pnpm -r typecheck` - `pnpm build` - Manual verification on a branch-local dev server: - enabled the experimental flag - created an SSH environment - created a Linux Claude agent using that environment - confirmed a run executed on the Linux box and synced workspace changes back ## Risks - Medium: this touches runtime execution flow across multiple adapters, so regressions would likely show up in remote session setup, workspace sync, or environment selection precedence. - The UI flag reduces exposure, but the underlying runtime and route changes are still substantial and rely on migration correctness. - The change set is broad across adapters, control-plane services, migrations, and UI gating, so review should pay close attention to environment-selection precedence and remote workspace lifecycle behavior. ## Model Used - OpenAI Codex via Paperclip's local Codex adapter, GPT-5-class coding model with tool use and code execution in the local repo workspace. The local adapter does not surface a more specific public model version string in this branch workflow. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge
198 lines
6.8 KiB
TypeScript
198 lines
6.8 KiB
TypeScript
import express from "express";
|
|
import request from "supertest";
|
|
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
|
|
|
|
function createSelectChain(rows: unknown[]) {
|
|
const query = {
|
|
then(resolve: (value: unknown[]) => unknown) {
|
|
return Promise.resolve(rows).then(resolve);
|
|
},
|
|
where() {
|
|
return query;
|
|
},
|
|
};
|
|
return {
|
|
from() {
|
|
return query;
|
|
},
|
|
};
|
|
}
|
|
|
|
function createDbStub(inviteRows: unknown[]) {
|
|
return {
|
|
select() {
|
|
return createSelectChain(inviteRows);
|
|
},
|
|
};
|
|
}
|
|
|
|
function createInvite(overrides: Record<string, unknown> = {}) {
|
|
return {
|
|
id: "invite-1",
|
|
companyId: "company-1",
|
|
inviteType: "company_join",
|
|
allowedJoinTypes: "agent",
|
|
tokenHash: "hash",
|
|
defaultsPayload: null,
|
|
expiresAt: new Date("2027-03-07T00:10:00.000Z"),
|
|
invitedByUserId: null,
|
|
revokedAt: null,
|
|
acceptedAt: null,
|
|
createdAt: new Date("2026-03-07T00:00:00.000Z"),
|
|
updatedAt: new Date("2026-03-07T00:00:00.000Z"),
|
|
...overrides,
|
|
};
|
|
}
|
|
|
|
let currentAccessModule: Awaited<ReturnType<typeof vi.importActual<typeof import("../routes/access.js")>>> | null = null;
|
|
|
|
async function createApp(
|
|
db: Record<string, unknown>,
|
|
network: {
|
|
lookup: ReturnType<typeof vi.fn>;
|
|
requestHead: ReturnType<typeof vi.fn>;
|
|
},
|
|
) {
|
|
const [access, middleware] = await Promise.all([
|
|
vi.importActual<typeof import("../routes/access.js")>("../routes/access.js"),
|
|
vi.importActual<typeof import("../middleware/index.js")>("../middleware/index.js"),
|
|
]);
|
|
currentAccessModule = access;
|
|
access.setInviteResolutionNetworkForTest(network);
|
|
const app = express();
|
|
app.use((req, _res, next) => {
|
|
(req as any).actor = { type: "anon" };
|
|
next();
|
|
});
|
|
app.use(
|
|
"/api",
|
|
access.accessRoutes(db as any, {
|
|
deploymentMode: "local_trusted",
|
|
deploymentExposure: "private",
|
|
bindHost: "127.0.0.1",
|
|
allowedHostnames: [],
|
|
}),
|
|
);
|
|
app.use(middleware.errorHandler);
|
|
return app;
|
|
}
|
|
|
|
describe.sequential("GET /invites/:token/test-resolution", () => {
|
|
beforeEach(() => {
|
|
currentAccessModule = null;
|
|
});
|
|
|
|
afterEach(async () => {
|
|
currentAccessModule?.setInviteResolutionNetworkForTest(null);
|
|
});
|
|
|
|
it.each([
|
|
["localhost", "http://localhost:3100/api/health", "127.0.0.1"],
|
|
["IPv4 loopback", "http://127.0.0.1:3100/api/health", "127.0.0.1"],
|
|
["IPv6 loopback", "http://[::1]:3100/api/health", "::1"],
|
|
["IPv4-mapped IPv6 loopback hex", "http://[::ffff:7f00:1]/api/health", "::ffff:7f00:1"],
|
|
["IPv4-mapped IPv6 RFC1918 hex", "http://[::ffff:c0a8:101]/api/health", "::ffff:c0a8:101"],
|
|
["RFC1918 10/8", "http://10.0.0.5/api/health", "10.0.0.5"],
|
|
["RFC1918 172.16/12", "http://172.16.10.5/api/health", "172.16.10.5"],
|
|
["RFC1918 192.168/16", "http://192.168.1.10/api/health", "192.168.1.10"],
|
|
["link-local metadata", "http://169.254.169.254/latest/meta-data", "169.254.169.254"],
|
|
["multicast", "http://224.0.0.1/probe", "224.0.0.1"],
|
|
["NAT64 well-known prefix", "https://gateway.example.test/health", "64:ff9b::0a00:0001"],
|
|
["NAT64 local-use prefix", "https://gateway.example.test/health", "64:ff9b:1::0a00:0001"],
|
|
])("rejects %s targets before probing", async (_label, url, address) => {
|
|
const lookup = vi.fn().mockResolvedValue([{ address, family: address.includes(":") ? 6 : 4 }]);
|
|
const requestHead = vi.fn();
|
|
const app = await createApp(createDbStub([createInvite()]), { lookup, requestHead });
|
|
|
|
const res = await request(app)
|
|
.get("/api/invites/pcp_invite_test/test-resolution")
|
|
.query({ url });
|
|
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe(
|
|
"url resolves to a private, local, multicast, or reserved address",
|
|
);
|
|
expect(requestHead).not.toHaveBeenCalled();
|
|
}, 15_000);
|
|
|
|
it("rejects hostnames that resolve to private addresses", async () => {
|
|
const lookup = vi.fn().mockResolvedValue([{ address: "10.1.2.3", family: 4 }]);
|
|
const requestHead = vi.fn();
|
|
const app = await createApp(createDbStub([createInvite()]), { lookup, requestHead });
|
|
|
|
const res = await request(app)
|
|
.get("/api/invites/pcp_invite_test/test-resolution")
|
|
.query({ url: "https://gateway.example.test/health" });
|
|
|
|
expect(res.status).toBe(400);
|
|
expect(res.body.error).toBe(
|
|
"url resolves to a private, local, multicast, or reserved address",
|
|
);
|
|
expect(lookup).toHaveBeenCalledWith("gateway.example.test");
|
|
expect(requestHead).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("rejects hostnames when any resolved address is private", async () => {
|
|
const lookup = vi.fn().mockResolvedValue([
|
|
{ address: "127.0.0.1", family: 4 },
|
|
{ address: "93.184.216.34", family: 4 },
|
|
]);
|
|
const requestHead = vi.fn();
|
|
const app = await createApp(createDbStub([createInvite()]), { lookup, requestHead });
|
|
|
|
const res = await request(app)
|
|
.get("/api/invites/pcp_invite_test/test-resolution")
|
|
.query({ url: "https://mixed.example.test/health" });
|
|
|
|
expect(res.status).toBe(400);
|
|
expect(requestHead).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("allows public HTTPS targets through the resolved and pinned probe path", async () => {
|
|
const lookup = vi.fn().mockResolvedValue([{ address: "93.184.216.34", family: 4 }]);
|
|
const requestHead = vi.fn().mockResolvedValue({ httpStatus: 204 });
|
|
const app = await createApp(createDbStub([createInvite()]), { lookup, requestHead });
|
|
|
|
const res = await request(app)
|
|
.get("/api/invites/pcp_invite_test/test-resolution")
|
|
.query({ url: "https://gateway.example.test/health", timeoutMs: "2500" });
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toMatchObject({
|
|
inviteId: "invite-1",
|
|
requestedUrl: "https://gateway.example.test/health",
|
|
timeoutMs: 2500,
|
|
status: "reachable",
|
|
method: "HEAD",
|
|
httpStatus: 204,
|
|
});
|
|
expect(requestHead).toHaveBeenCalledWith(
|
|
expect.objectContaining({
|
|
resolvedAddress: "93.184.216.34",
|
|
resolvedAddresses: ["93.184.216.34"],
|
|
hostHeader: "gateway.example.test",
|
|
tlsServername: "gateway.example.test",
|
|
}),
|
|
2500,
|
|
);
|
|
});
|
|
|
|
it.each([
|
|
["missing invite", []],
|
|
["revoked invite", [createInvite({ revokedAt: new Date("2026-03-07T00:05:00.000Z") })]],
|
|
["expired invite", [createInvite({ expiresAt: new Date("2020-03-07T00:10:00.000Z") })]],
|
|
])("returns not found for %s tokens before DNS lookup", async (_label, inviteRows) => {
|
|
const lookup = vi.fn();
|
|
const requestHead = vi.fn();
|
|
const app = await createApp(createDbStub(inviteRows), { lookup, requestHead });
|
|
|
|
const res = await request(app)
|
|
.get("/api/invites/pcp_invite_test/test-resolution")
|
|
.query({ url: "https://gateway.example.test/health" });
|
|
|
|
expect(res.status).toBe(404);
|
|
expect(res.body.error).toBe("Invite not found");
|
|
expect(lookup).not.toHaveBeenCalled();
|
|
expect(requestHead).not.toHaveBeenCalled();
|
|
});
|
|
});
|