chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 13:20:55 +08:00
commit d25d482dc2
13754 changed files with 4996608 additions and 0 deletions
@@ -0,0 +1,160 @@
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { vantaDownloadContract } from '@/lib/api/contracts/tools/vanta'
import { parseRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import {
buildVantaUrl,
extractVantaError,
fetchVantaWithAuth,
getVantaBaseUrl,
VANTA_READ_SCOPE,
} from '@/tools/vanta/utils'
export const dynamic = 'force-dynamic'
const logger = createLogger('VantaDownloadAPI')
const MAX_DOWNLOAD_SIZE_BYTES = 100 * 1024 * 1024
function downloadSizeError(bytes: number): NextResponse {
const sizeMB = (bytes / (1024 * 1024)).toFixed(2)
return NextResponse.json(
{ success: false, error: `File size (${sizeMB}MB) exceeds download limit of 100MB` },
{ status: 400 }
)
}
/**
* Reads a response body incrementally, aborting as soon as the accumulated
* size exceeds the limit so oversized files are never fully buffered.
* Returns null when the limit is exceeded.
*/
async function readBodyWithLimit(response: Response, maxBytes: number): Promise<Buffer | null> {
const reader = response.body?.getReader()
if (!reader) {
const buffer = Buffer.from(await response.arrayBuffer())
return buffer.length > maxBytes ? null : buffer
}
const chunks: Uint8Array[] = []
let total = 0
while (true) {
const { done, value } = await reader.read()
if (done) break
total += value.byteLength
if (total > maxBytes) {
await reader.cancel()
return null
}
chunks.push(value)
}
return Buffer.concat(chunks)
}
/**
* Extracts the filename from a Content-Disposition header, if present.
*/
function getFileNameFromContentDisposition(header: string | null): string | null {
if (!header) return null
const utf8Match = header.match(/filename\*=UTF-8''([^;]+)/i)
if (utf8Match) {
try {
return decodeURIComponent(utf8Match[1])
} catch {
return null
}
}
const plainMatch = header.match(/filename="?([^";]+)"?/i)
return plainMatch ? plainMatch[1] : null
}
export const POST = withRouteHandler(async (request: NextRequest) => {
const requestId = generateRequestId()
try {
const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
if (!authResult.success) {
logger.warn(`[${requestId}] Unauthorized Vanta download attempt`, {
error: authResult.error || 'Unauthorized',
})
return NextResponse.json(
{ success: false, error: authResult.error || 'Unauthorized' },
{ status: 401 }
)
}
const parsed = await parseRequest(vantaDownloadContract, request, {})
if (!parsed.success) return parsed.response
const params = parsed.data.body
const mediaUrl = buildVantaUrl(
getVantaBaseUrl(params.region),
`/documents/${encodeURIComponent(params.documentId)}/uploads/${encodeURIComponent(params.uploadedFileId)}/media`
)
logger.info(`[${requestId}] Downloading Vanta document file`, {
documentId: params.documentId,
uploadedFileId: params.uploadedFileId,
})
const response = await fetchVantaWithAuth(
{
clientId: params.clientId,
clientSecret: params.clientSecret,
region: params.region,
scope: VANTA_READ_SCOPE,
},
(accessToken) =>
fetch(mediaUrl, {
method: 'GET',
headers: { Authorization: `Bearer ${accessToken}` },
cache: 'no-store',
})
)
if (!response.ok) {
const errorData: unknown = await response.json().catch(() => null)
const message = extractVantaError(errorData, 'Failed to download Vanta document file')
logger.error(`[${requestId}] Vanta download failed`, { status: response.status, message })
return NextResponse.json({ success: false, error: message }, { status: response.status })
}
const contentLength = Number(response.headers.get('content-length'))
if (Number.isFinite(contentLength) && contentLength > MAX_DOWNLOAD_SIZE_BYTES) {
return downloadSizeError(contentLength)
}
const buffer = await readBodyWithLimit(response, MAX_DOWNLOAD_SIZE_BYTES)
if (buffer === null) {
return NextResponse.json(
{ success: false, error: 'File exceeds download limit of 100MB' },
{ status: 400 }
)
}
const mimeType = response.headers.get('content-type') || 'application/octet-stream'
const name =
getFileNameFromContentDisposition(response.headers.get('content-disposition')) ||
`vanta-document-file-${params.uploadedFileId}`
logger.info(`[${requestId}] Vanta download successful`, { name, size: buffer.length })
return NextResponse.json({
success: true,
output: {
file: { name, mimeType, data: buffer.toString('base64'), size: buffer.length },
name,
mimeType,
size: buffer.length,
},
})
} catch (error) {
const message = toError(error).message
logger.error(`[${requestId}] Vanta download failed`, { error: message })
return NextResponse.json({ success: false, error: message }, { status: 500 })
}
})
+423
View File
@@ -0,0 +1,423 @@
import { createLogger } from '@sim/logger'
import { toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import type { VantaQueryBody } from '@/lib/api/contracts/tools/vanta'
import { vantaQueryContract } from '@/lib/api/contracts/tools/vanta'
import { parseRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import {
asVantaRecord,
buildVantaUrl,
extractVantaError,
fetchVantaWithAuth,
getVantaBaseUrl,
getVantaListResults,
normalizeVantaControl,
normalizeVantaControlDetail,
normalizeVantaDocument,
normalizeVantaDocumentDetail,
normalizeVantaFramework,
normalizeVantaFrameworkDetail,
normalizeVantaMonitoredComputer,
normalizeVantaPerson,
normalizeVantaPolicy,
normalizeVantaRiskScenario,
normalizeVantaTest,
normalizeVantaTestEntity,
normalizeVantaUploadedFile,
normalizeVantaVendor,
normalizeVantaVulnerability,
normalizeVantaVulnerabilityRemediation,
normalizeVantaVulnerableAsset,
splitVantaCommaList,
VANTA_READ_SCOPE,
VANTA_WRITE_SCOPE,
} from '@/tools/vanta/utils'
export const dynamic = 'force-dynamic'
const logger = createLogger('VantaQueryAPI')
interface VantaApiRequest {
method: 'GET' | 'POST'
url: string
}
/**
* Maps a validated query operation to the Vanta API request it performs.
*/
function buildVantaApiRequest(baseUrl: string, params: VantaQueryBody): VantaApiRequest {
const id = encodeURIComponent
switch (params.operation) {
case 'vanta_list_frameworks':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/frameworks', {
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_framework':
return { method: 'GET', url: buildVantaUrl(baseUrl, `/frameworks/${id(params.frameworkId)}`) }
case 'vanta_list_framework_controls':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, `/frameworks/${id(params.frameworkId)}/controls`, {
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_list_controls':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/controls', {
frameworkMatchesAny: splitVantaCommaList(params.frameworkMatchesAny),
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_control':
return { method: 'GET', url: buildVantaUrl(baseUrl, `/controls/${id(params.controlId)}`) }
case 'vanta_list_control_tests':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, `/controls/${id(params.controlId)}/tests`, {
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_list_control_documents':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, `/controls/${id(params.controlId)}/documents`, {
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_list_tests':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/tests', {
statusFilter: params.statusFilter,
frameworkFilter: params.frameworkFilter,
integrationFilter: params.integrationFilter,
controlFilter: params.controlFilter,
ownerFilter: params.ownerFilter,
categoryFilter: params.categoryFilter,
isInRollout: params.isInRollout,
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_test':
return { method: 'GET', url: buildVantaUrl(baseUrl, `/tests/${id(params.testId)}`) }
case 'vanta_list_test_entities':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, `/tests/${id(params.testId)}/entities`, {
entityStatus: params.entityStatus,
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_list_documents':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/documents', {
frameworkMatchesAny: splitVantaCommaList(params.frameworkMatchesAny),
statusMatchesAny: splitVantaCommaList(params.statusMatchesAny),
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_document':
return { method: 'GET', url: buildVantaUrl(baseUrl, `/documents/${id(params.documentId)}`) }
case 'vanta_list_document_uploads':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, `/documents/${id(params.documentId)}/uploads`, {
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_submit_document':
return {
method: 'POST',
url: buildVantaUrl(baseUrl, `/documents/${id(params.documentId)}/submit`),
}
case 'vanta_list_people':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/people', {
emailAndNameFilter: params.emailAndNameFilter,
employmentStatus: params.employmentStatus,
groupIdsMatchesAny: splitVantaCommaList(params.groupIdsMatchesAny),
tasksSummaryStatusMatchesAny: splitVantaCommaList(params.tasksSummaryStatusMatchesAny),
taskTypeMatchesAny: splitVantaCommaList(params.taskTypeMatchesAny),
taskStatusMatchesAny: splitVantaCommaList(params.taskStatusMatchesAny),
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_person':
return { method: 'GET', url: buildVantaUrl(baseUrl, `/people/${id(params.personId)}`) }
case 'vanta_list_policies':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/policies', {
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_policy':
return { method: 'GET', url: buildVantaUrl(baseUrl, `/policies/${id(params.policyId)}`) }
case 'vanta_list_vendors':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/vendors', {
name: params.name,
statusMatchesAny: splitVantaCommaList(params.statusMatchesAny),
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_vendor':
return { method: 'GET', url: buildVantaUrl(baseUrl, `/vendors/${id(params.vendorId)}`) }
case 'vanta_list_monitored_computers':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/monitored-computers', {
complianceStatusFilterMatchesAny: splitVantaCommaList(
params.complianceStatusFilterMatchesAny
),
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_list_vulnerabilities':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/vulnerabilities', {
q: params.q,
severity: params.severity,
isFixAvailable: params.isFixAvailable,
isDeactivated: params.isDeactivated,
includeVulnerabilitiesWithoutSlas: params.includeVulnerabilitiesWithoutSlas,
packageIdentifier: params.packageIdentifier,
externalVulnerabilityId: params.externalVulnerabilityId,
integrationId: params.integrationId,
vulnerableAssetId: params.vulnerableAssetId,
slaDeadlineAfterDate: params.slaDeadlineAfterDate,
slaDeadlineBeforeDate: params.slaDeadlineBeforeDate,
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_list_vulnerability_remediations':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/vulnerability-remediations', {
integrationId: params.integrationId,
severity: params.severity,
isRemediatedOnTime: params.isRemediatedOnTime,
remediatedAfterDate: params.remediatedAfterDate,
remediatedBeforeDate: params.remediatedBeforeDate,
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_list_vulnerable_assets':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/vulnerable-assets', {
q: params.q,
integrationId: params.integrationId,
assetType: params.assetType,
assetExternalAccountId: params.assetExternalAccountId,
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_vulnerable_asset':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, `/vulnerable-assets/${id(params.vulnerableAssetId)}`),
}
case 'vanta_list_risk_scenarios':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, '/risk-scenarios', {
searchString: params.searchString,
includeIgnored: params.includeIgnored,
type: params.type,
ownerMatchesAny: splitVantaCommaList(params.ownerMatchesAny),
categoryMatchesAny: splitVantaCommaList(params.categoryMatchesAny),
ciaCategoryMatchesAny: splitVantaCommaList(params.ciaCategoryMatchesAny),
treatmentTypeMatchesAny: splitVantaCommaList(params.treatmentTypeMatchesAny),
inherentScoreGroupMatchesAny: splitVantaCommaList(params.inherentScoreGroupMatchesAny),
residualScoreGroupMatchesAny: splitVantaCommaList(params.residualScoreGroupMatchesAny),
reviewStatusMatchesAny: splitVantaCommaList(params.reviewStatusMatchesAny),
orderBy: params.orderBy,
pageSize: params.pageSize,
pageCursor: params.pageCursor,
}),
}
case 'vanta_get_risk_scenario':
return {
method: 'GET',
url: buildVantaUrl(baseUrl, `/risk-scenarios/${id(params.riskScenarioId)}`),
}
}
}
/**
* Normalizes a successful Vanta API response body into the operation's
* documented output shape.
*/
function buildVantaOutput(params: VantaQueryBody, data: unknown): Record<string, unknown> {
switch (params.operation) {
case 'vanta_list_frameworks': {
const { data: items, pageInfo } = getVantaListResults(data)
return { frameworks: items.map(normalizeVantaFramework), pageInfo }
}
case 'vanta_get_framework':
return { framework: normalizeVantaFrameworkDetail(asVantaRecord(data)) }
case 'vanta_list_framework_controls':
case 'vanta_list_controls': {
const { data: items, pageInfo } = getVantaListResults(data)
return { controls: items.map(normalizeVantaControl), pageInfo }
}
case 'vanta_get_control':
return { control: normalizeVantaControlDetail(asVantaRecord(data)) }
case 'vanta_list_control_tests':
case 'vanta_list_tests': {
const { data: items, pageInfo } = getVantaListResults(data)
return { tests: items.map(normalizeVantaTest), pageInfo }
}
case 'vanta_get_test':
return { test: normalizeVantaTest(asVantaRecord(data)) }
case 'vanta_list_test_entities': {
const { data: items, pageInfo } = getVantaListResults(data)
return { entities: items.map(normalizeVantaTestEntity), pageInfo }
}
case 'vanta_list_control_documents':
case 'vanta_list_documents': {
const { data: items, pageInfo } = getVantaListResults(data)
return { documents: items.map(normalizeVantaDocument), pageInfo }
}
case 'vanta_get_document':
return { document: normalizeVantaDocumentDetail(asVantaRecord(data)) }
case 'vanta_list_document_uploads': {
const { data: items, pageInfo } = getVantaListResults(data)
return { uploads: items.map(normalizeVantaUploadedFile), pageInfo }
}
case 'vanta_submit_document':
return { documentId: params.documentId, submitted: true }
case 'vanta_list_people': {
const { data: items, pageInfo } = getVantaListResults(data)
return { people: items.map(normalizeVantaPerson), pageInfo }
}
case 'vanta_get_person':
return { person: normalizeVantaPerson(asVantaRecord(data)) }
case 'vanta_list_policies': {
const { data: items, pageInfo } = getVantaListResults(data)
return { policies: items.map(normalizeVantaPolicy), pageInfo }
}
case 'vanta_get_policy':
return { policy: normalizeVantaPolicy(asVantaRecord(data)) }
case 'vanta_list_vendors': {
const { data: items, pageInfo } = getVantaListResults(data)
return { vendors: items.map(normalizeVantaVendor), pageInfo }
}
case 'vanta_get_vendor':
return { vendor: normalizeVantaVendor(asVantaRecord(data)) }
case 'vanta_list_monitored_computers': {
const { data: items, pageInfo } = getVantaListResults(data)
return { computers: items.map(normalizeVantaMonitoredComputer), pageInfo }
}
case 'vanta_list_vulnerabilities': {
const { data: items, pageInfo } = getVantaListResults(data)
return { vulnerabilities: items.map(normalizeVantaVulnerability), pageInfo }
}
case 'vanta_list_vulnerability_remediations': {
const { data: items, pageInfo } = getVantaListResults(data)
return { remediations: items.map(normalizeVantaVulnerabilityRemediation), pageInfo }
}
case 'vanta_list_vulnerable_assets': {
const { data: items, pageInfo } = getVantaListResults(data)
return { assets: items.map(normalizeVantaVulnerableAsset), pageInfo }
}
case 'vanta_get_vulnerable_asset':
return { asset: normalizeVantaVulnerableAsset(asVantaRecord(data)) }
case 'vanta_list_risk_scenarios': {
const { data: items, pageInfo } = getVantaListResults(data)
return { riskScenarios: items.map(normalizeVantaRiskScenario), pageInfo }
}
case 'vanta_get_risk_scenario':
return { riskScenario: normalizeVantaRiskScenario(asVantaRecord(data)) }
}
}
export const POST = withRouteHandler(async (request: NextRequest) => {
const requestId = generateRequestId()
try {
const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
if (!authResult.success) {
logger.warn(`[${requestId}] Unauthorized Vanta query attempt`, {
error: authResult.error || 'Unauthorized',
})
return NextResponse.json(
{ success: false, error: authResult.error || 'Unauthorized' },
{ status: 401 }
)
}
const parsed = await parseRequest(vantaQueryContract, request, {})
if (!parsed.success) return parsed.response
const params = parsed.data.body
const baseUrl = getVantaBaseUrl(params.region)
const scope =
params.operation === 'vanta_submit_document' ? VANTA_WRITE_SCOPE : VANTA_READ_SCOPE
logger.info(`[${requestId}] Vanta query request`, { operation: params.operation })
const apiRequest = buildVantaApiRequest(baseUrl, params)
const response = await fetchVantaWithAuth(
{
clientId: params.clientId,
clientSecret: params.clientSecret,
region: params.region,
scope,
},
(accessToken) =>
fetch(apiRequest.url, {
method: apiRequest.method,
headers: {
Accept: 'application/json',
Authorization: `Bearer ${accessToken}`,
},
cache: 'no-store',
})
)
if (!response.ok) {
const errorData: unknown = await response.json().catch(() => null)
return NextResponse.json(
{ success: false, error: extractVantaError(errorData, 'Vanta request failed') },
{ status: response.status }
)
}
const data: unknown = response.status === 204 ? null : await response.json().catch(() => null)
return NextResponse.json({ success: true, output: buildVantaOutput(params, data) })
} catch (error) {
const message = toError(error).message
logger.error(`[${requestId}] Vanta query failed`, { error: message })
return NextResponse.json({ success: false, error: message }, { status: 500 })
}
})
@@ -0,0 +1,160 @@
import { createLogger } from '@sim/logger'
import { getErrorMessage, toError } from '@sim/utils/errors'
import { type NextRequest, NextResponse } from 'next/server'
import { vantaUploadContract } from '@/lib/api/contracts/tools/vanta'
import { parseRequest } from '@/lib/api/server'
import { checkInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import { processFilesToUserFiles, type RawFileInput } from '@/lib/uploads/utils/file-utils'
import { downloadServableFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
import { docNotReadyResponse } from '@/lib/uploads/utils/servable-file-response'
import { assertToolFileAccess } from '@/app/api/files/authorization'
import {
asVantaRecord,
buildVantaUrl,
extractVantaError,
fetchVantaWithAuth,
getVantaBaseUrl,
normalizeVantaUploadedFile,
VANTA_DOCUMENT_UPLOAD_SCOPE,
} from '@/tools/vanta/utils'
export const dynamic = 'force-dynamic'
const logger = createLogger('VantaUploadAPI')
const MAX_UPLOAD_SIZE_BYTES = 100 * 1024 * 1024
function uploadSizeError(bytes: number): NextResponse {
const sizeMB = (bytes / (1024 * 1024)).toFixed(2)
return NextResponse.json(
{ success: false, error: `File size (${sizeMB}MB) exceeds upload limit of 100MB` },
{ status: 400 }
)
}
export const POST = withRouteHandler(async (request: NextRequest) => {
const requestId = generateRequestId()
try {
const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
if (!authResult.success || !authResult.userId) {
logger.warn(`[${requestId}] Unauthorized Vanta upload attempt`, {
error: authResult.error || 'Missing userId',
})
return NextResponse.json(
{ success: false, error: authResult.error || 'Unauthorized' },
{ status: 401 }
)
}
const parsed = await parseRequest(vantaUploadContract, request, {})
if (!parsed.success) return parsed.response
const params = parsed.data.body
let fileBuffer: Buffer
let fileName: string
let mimeType: string
if (params.file) {
const userFiles = processFilesToUserFiles([params.file as RawFileInput], requestId, logger)
if (userFiles.length === 0) {
return NextResponse.json({ success: false, error: 'Invalid file input' }, { status: 400 })
}
const userFile = userFiles[0]
const denied = await assertToolFileAccess(userFile.key, authResult.userId, requestId, logger)
if (denied) return denied
if (userFile.size > MAX_UPLOAD_SIZE_BYTES) {
return uploadSizeError(userFile.size)
}
try {
const resolved = await downloadServableFileFromStorage(userFile, requestId, logger)
fileBuffer = resolved.buffer
fileName = params.fileName || userFile.name
mimeType =
resolved.contentType || userFile.type || params.mimeType || 'application/octet-stream'
} catch (error) {
const notReady = docNotReadyResponse(error)
if (notReady) return notReady
logger.error(`[${requestId}] Failed to download Vanta upload file`, {
error: getErrorMessage(error),
})
return NextResponse.json(
{ success: false, error: getErrorMessage(error, 'Failed to download file') },
{ status: 500 }
)
}
} else if (params.fileContent) {
fileBuffer = Buffer.from(params.fileContent, 'base64')
fileName = params.fileName || 'file'
mimeType = params.mimeType || 'application/octet-stream'
} else {
return NextResponse.json({ success: false, error: 'File is required' }, { status: 400 })
}
if (fileBuffer.length > MAX_UPLOAD_SIZE_BYTES) {
return uploadSizeError(fileBuffer.length)
}
logger.info(`[${requestId}] Uploading file to Vanta document`, {
documentId: params.documentId,
fileName,
size: fileBuffer.length,
})
const uploadUrl = buildVantaUrl(
getVantaBaseUrl(params.region),
`/documents/${encodeURIComponent(params.documentId)}/uploads`
)
const response = await fetchVantaWithAuth(
{
clientId: params.clientId,
clientSecret: params.clientSecret,
region: params.region,
scope: VANTA_DOCUMENT_UPLOAD_SCOPE,
},
(accessToken) => {
const formData = new FormData()
formData.append(
'file',
new Blob([new Uint8Array(fileBuffer)], { type: mimeType }),
fileName
)
if (params.description) {
formData.append('description', params.description)
}
if (params.effectiveAtDate) {
formData.append('effectiveAtDate', params.effectiveAtDate)
}
return fetch(uploadUrl, {
method: 'POST',
headers: { Authorization: `Bearer ${accessToken}` },
body: formData,
cache: 'no-store',
})
}
)
const data: unknown = await response.json().catch(() => null)
if (!response.ok) {
const message = extractVantaError(data, 'Failed to upload file to Vanta document')
logger.error(`[${requestId}] Vanta upload failed`, { status: response.status, message })
return NextResponse.json({ success: false, error: message }, { status: response.status })
}
logger.info(`[${requestId}] Vanta upload successful`, { documentId: params.documentId })
return NextResponse.json({
success: true,
output: { upload: normalizeVantaUploadedFile(asVantaRecord(data)) },
})
} catch (error) {
const message = toError(error).message
logger.error(`[${requestId}] Vanta upload failed`, { error: message })
return NextResponse.json({ success: false, error: message }, { status: 500 })
}
})