chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,439 @@
|
||||
import { z } from 'zod'
|
||||
import { defineRouteContract } from '@/lib/api/contracts/types'
|
||||
import {
|
||||
ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID,
|
||||
type OAuthProvider,
|
||||
SLACK_CUSTOM_BOT_PROVIDER_ID,
|
||||
} from '@/lib/oauth/types'
|
||||
|
||||
const ENV_VAR_NAME_REGEX = /^[A-Za-z0-9_]+$/
|
||||
|
||||
export function normalizeCredentialEnvKey(raw: string): string {
|
||||
const trimmed = raw.trim()
|
||||
const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
|
||||
return wrappedMatch ? wrappedMatch[1] : trimmed
|
||||
}
|
||||
|
||||
export const workspaceCredentialTypeSchema = z.enum([
|
||||
'oauth',
|
||||
'env_workspace',
|
||||
'env_personal',
|
||||
'service_account',
|
||||
])
|
||||
export const workspaceCredentialRoleSchema = z.enum(['admin', 'member'])
|
||||
export const workspaceCredentialMemberStatusSchema = z.enum(['active', 'pending', 'revoked'])
|
||||
|
||||
export const workspaceCredentialSchema = z.object({
|
||||
id: z.string(),
|
||||
workspaceId: z.string(),
|
||||
type: workspaceCredentialTypeSchema,
|
||||
displayName: z.string(),
|
||||
description: z.string().nullable(),
|
||||
providerId: z.string().nullable(),
|
||||
accountId: z.string().nullable(),
|
||||
envKey: z.string().nullable(),
|
||||
envOwnerUserId: z.string().nullable(),
|
||||
createdBy: z.string(),
|
||||
createdAt: z.string(),
|
||||
updatedAt: z.string(),
|
||||
role: workspaceCredentialRoleSchema.optional(),
|
||||
status: workspaceCredentialMemberStatusSchema.optional(),
|
||||
})
|
||||
|
||||
export type WorkspaceCredentialType = z.output<typeof workspaceCredentialTypeSchema>
|
||||
export type WorkspaceCredentialRole = z.output<typeof workspaceCredentialRoleSchema>
|
||||
export type WorkspaceCredentialMemberStatus = z.output<typeof workspaceCredentialMemberStatusSchema>
|
||||
export type WorkspaceCredential = z.output<typeof workspaceCredentialSchema>
|
||||
|
||||
export const credentialsListQuerySchema = z.object({
|
||||
workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
|
||||
type: workspaceCredentialTypeSchema.optional(),
|
||||
providerId: z.string().optional(),
|
||||
})
|
||||
|
||||
export const credentialIdParamsSchema = z.object({
|
||||
id: z.string().min(1),
|
||||
})
|
||||
|
||||
export const credentialsListGetQuerySchema = z.object({
|
||||
workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
|
||||
type: workspaceCredentialTypeSchema.optional(),
|
||||
providerId: z.string().optional(),
|
||||
credentialId: z.string().optional(),
|
||||
})
|
||||
|
||||
export const serviceAccountJsonSchema = z
|
||||
.string()
|
||||
.min(1, 'Service account JSON key is required')
|
||||
.transform((val, ctx) => {
|
||||
try {
|
||||
const parsed = JSON.parse(val)
|
||||
if (parsed.type !== 'service_account') {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'JSON key must have type "service_account"',
|
||||
})
|
||||
return z.NEVER
|
||||
}
|
||||
if (!parsed.client_email || typeof parsed.client_email !== 'string') {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'JSON key must contain a valid client_email',
|
||||
})
|
||||
return z.NEVER
|
||||
}
|
||||
if (!parsed.private_key || typeof parsed.private_key !== 'string') {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'JSON key must contain a valid private_key',
|
||||
})
|
||||
return z.NEVER
|
||||
}
|
||||
if (!parsed.project_id || typeof parsed.project_id !== 'string') {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'JSON key must contain a valid project_id',
|
||||
})
|
||||
return z.NEVER
|
||||
}
|
||||
return parsed as {
|
||||
type: 'service_account'
|
||||
client_email: string
|
||||
private_key: string
|
||||
project_id: string
|
||||
[key: string]: unknown
|
||||
}
|
||||
} catch {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'Invalid JSON format',
|
||||
})
|
||||
return z.NEVER
|
||||
}
|
||||
})
|
||||
|
||||
export const createCredentialBodySchema = z
|
||||
.object({
|
||||
workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
|
||||
type: workspaceCredentialTypeSchema,
|
||||
displayName: z.string().trim().min(1).max(255).optional(),
|
||||
description: z.string().trim().max(500).optional(),
|
||||
providerId: z.string().trim().min(1).optional(),
|
||||
accountId: z.string().trim().min(1).optional(),
|
||||
envKey: z.string().trim().min(1).optional(),
|
||||
envOwnerUserId: z.string().trim().min(1).optional(),
|
||||
serviceAccountJson: z.string().optional(),
|
||||
apiToken: z.string().trim().min(1).optional(),
|
||||
domain: z.string().trim().min(1).optional(),
|
||||
/**
|
||||
* Client-supplied credential id, honored only for `slack-custom-bot` creates:
|
||||
* the setup modal shows the ingest URL `/api/webhooks/slack/custom/{id}`
|
||||
* before secrets exist, so the id must be known up front.
|
||||
*/
|
||||
id: z.string().uuid('id must be a valid UUID').optional(),
|
||||
signingSecret: z.string().trim().min(1).optional(),
|
||||
botToken: z.string().trim().min(1).optional(),
|
||||
})
|
||||
.superRefine((data, ctx) => {
|
||||
if (data.type === 'oauth') {
|
||||
if (!data.accountId) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'accountId is required for oauth credentials',
|
||||
path: ['accountId'],
|
||||
})
|
||||
}
|
||||
if (!data.providerId) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'providerId is required for oauth credentials',
|
||||
path: ['providerId'],
|
||||
})
|
||||
}
|
||||
if (!data.displayName) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'displayName is required for oauth credentials',
|
||||
path: ['displayName'],
|
||||
})
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
if (data.type === 'service_account') {
|
||||
if (data.providerId === ATLASSIAN_SERVICE_ACCOUNT_PROVIDER_ID) {
|
||||
if (!data.apiToken) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'apiToken is required for Atlassian service account credentials',
|
||||
path: ['apiToken'],
|
||||
})
|
||||
}
|
||||
if (!data.domain) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'domain is required for Atlassian service account credentials',
|
||||
path: ['domain'],
|
||||
})
|
||||
}
|
||||
return
|
||||
}
|
||||
if (data.providerId === SLACK_CUSTOM_BOT_PROVIDER_ID) {
|
||||
if (!data.signingSecret) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'signingSecret is required for a custom Slack bot credential',
|
||||
path: ['signingSecret'],
|
||||
})
|
||||
}
|
||||
if (!data.botToken) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'botToken is required for a custom Slack bot credential',
|
||||
path: ['botToken'],
|
||||
})
|
||||
}
|
||||
return
|
||||
}
|
||||
if (!data.serviceAccountJson) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'serviceAccountJson is required for service account credentials',
|
||||
path: ['serviceAccountJson'],
|
||||
})
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
const normalizedEnvKey = data.envKey ? normalizeCredentialEnvKey(data.envKey) : ''
|
||||
if (!normalizedEnvKey) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'envKey is required for env credentials',
|
||||
path: ['envKey'],
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if (!ENV_VAR_NAME_REGEX.test(normalizedEnvKey)) {
|
||||
ctx.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: 'envKey must contain only letters, numbers, and underscores',
|
||||
path: ['envKey'],
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
export const updateCredentialByIdBodySchema = z
|
||||
.object({
|
||||
displayName: z.string().trim().min(1).max(255).optional(),
|
||||
description: z.string().trim().max(500).nullish(),
|
||||
serviceAccountJson: z.string().min(1).optional(),
|
||||
/** Slack custom-bot secret rotation (reconnect). */
|
||||
signingSecret: z.string().trim().min(1).optional(),
|
||||
botToken: z.string().trim().min(1).optional(),
|
||||
/** Atlassian service-account secret rotation (reconnect). */
|
||||
apiToken: z.string().trim().min(1).optional(),
|
||||
domain: z.string().trim().min(1).optional(),
|
||||
})
|
||||
.strict()
|
||||
.refine(
|
||||
(data) =>
|
||||
data.displayName !== undefined ||
|
||||
data.description !== undefined ||
|
||||
data.serviceAccountJson !== undefined ||
|
||||
data.signingSecret !== undefined ||
|
||||
data.botToken !== undefined ||
|
||||
data.apiToken !== undefined ||
|
||||
data.domain !== undefined,
|
||||
{
|
||||
message: 'At least one field must be provided',
|
||||
path: ['displayName'],
|
||||
}
|
||||
)
|
||||
|
||||
export const leaveCredentialQuerySchema = z.object({
|
||||
credentialId: z.string().min(1),
|
||||
})
|
||||
|
||||
export const workspaceCredentialMemberSchema = z.object({
|
||||
id: z.string(),
|
||||
userId: z.string(),
|
||||
role: workspaceCredentialRoleSchema,
|
||||
status: workspaceCredentialMemberStatusSchema,
|
||||
joinedAt: z.string().nullable(),
|
||||
invitedBy: z.string().nullable().optional(),
|
||||
createdAt: z.string().optional(),
|
||||
updatedAt: z.string().optional(),
|
||||
userName: z.string().nullable(),
|
||||
userEmail: z.string().nullable(),
|
||||
userImage: z.string().nullable().optional(),
|
||||
/** `workspace-admin` roles are derived from workspace admin and cannot be changed. */
|
||||
roleSource: z.enum(['explicit', 'workspace-admin']).optional(),
|
||||
})
|
||||
|
||||
export type WorkspaceCredentialMember = z.output<typeof workspaceCredentialMemberSchema>
|
||||
|
||||
export const createCredentialDraftBodySchema = z.object({
|
||||
workspaceId: z.string().min(1),
|
||||
providerId: z.string().min(1),
|
||||
displayName: z.string().min(1),
|
||||
description: z.string().trim().max(500).optional(),
|
||||
credentialId: z.string().min(1).optional(),
|
||||
})
|
||||
|
||||
export const upsertWorkspaceCredentialMemberBodySchema = z.object({
|
||||
userId: z.string().min(1),
|
||||
role: workspaceCredentialRoleSchema.default('member'),
|
||||
})
|
||||
|
||||
export const removeWorkspaceCredentialMemberQuerySchema = z.object({
|
||||
userId: z.string().min(1),
|
||||
})
|
||||
|
||||
export const oauthCredentialSchema = z.object({
|
||||
id: z.string(),
|
||||
name: z.string(),
|
||||
provider: z.custom<OAuthProvider>((value) => typeof value === 'string'),
|
||||
type: z.enum(['oauth', 'service_account']).optional(),
|
||||
serviceId: z.string().optional(),
|
||||
lastUsed: z.string().optional(),
|
||||
isDefault: z.boolean().optional(),
|
||||
scopes: z.array(z.string()).optional(),
|
||||
})
|
||||
|
||||
export const oauthCredentialsQuerySchema = z
|
||||
.object({
|
||||
provider: z.string().nullish(),
|
||||
workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
|
||||
workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
|
||||
credentialId: z.string().min(1, 'Credential ID must not be empty').max(255).nullish(),
|
||||
})
|
||||
.refine((data) => data.provider || data.credentialId, {
|
||||
message: 'Provider or credentialId is required',
|
||||
path: ['provider'],
|
||||
})
|
||||
|
||||
export const listWorkspaceCredentialsContract = defineRouteContract({
|
||||
method: 'GET',
|
||||
path: '/api/credentials',
|
||||
query: credentialsListQuerySchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
credentials: z.array(workspaceCredentialSchema),
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const getWorkspaceCredentialContract = defineRouteContract({
|
||||
method: 'GET',
|
||||
path: '/api/credentials/[id]',
|
||||
params: credentialIdParamsSchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
credential: workspaceCredentialSchema.nullable(),
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const listOAuthCredentialsContract = defineRouteContract({
|
||||
method: 'GET',
|
||||
path: '/api/auth/oauth/credentials',
|
||||
query: oauthCredentialsQuerySchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
credentials: z.array(oauthCredentialSchema),
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const listWorkspaceCredentialMembersContract = defineRouteContract({
|
||||
method: 'GET',
|
||||
path: '/api/credentials/[id]/members',
|
||||
params: credentialIdParamsSchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
members: z.array(workspaceCredentialMemberSchema).optional(),
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const createCredentialDraftContract = defineRouteContract({
|
||||
method: 'POST',
|
||||
path: '/api/credentials/draft',
|
||||
body: createCredentialDraftBodySchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
success: z.literal(true),
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const createWorkspaceCredentialContract = defineRouteContract({
|
||||
method: 'POST',
|
||||
path: '/api/credentials',
|
||||
body: createCredentialBodySchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
credential: workspaceCredentialSchema,
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const updateWorkspaceCredentialContract = defineRouteContract({
|
||||
method: 'PUT',
|
||||
path: '/api/credentials/[id]',
|
||||
params: credentialIdParamsSchema,
|
||||
body: updateCredentialByIdBodySchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
credential: workspaceCredentialSchema.nullable(),
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const deleteWorkspaceCredentialContract = defineRouteContract({
|
||||
method: 'DELETE',
|
||||
path: '/api/credentials/[id]',
|
||||
params: credentialIdParamsSchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
success: z.literal(true),
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const upsertWorkspaceCredentialMemberContract = defineRouteContract({
|
||||
method: 'POST',
|
||||
path: '/api/credentials/[id]/members',
|
||||
params: credentialIdParamsSchema,
|
||||
body: upsertWorkspaceCredentialMemberBodySchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
success: z.literal(true),
|
||||
member: workspaceCredentialMemberSchema.optional(),
|
||||
}),
|
||||
},
|
||||
})
|
||||
|
||||
export const removeWorkspaceCredentialMemberContract = defineRouteContract({
|
||||
method: 'DELETE',
|
||||
path: '/api/credentials/[id]/members',
|
||||
params: credentialIdParamsSchema,
|
||||
query: removeWorkspaceCredentialMemberQuerySchema,
|
||||
response: {
|
||||
mode: 'json',
|
||||
schema: z.object({
|
||||
success: z.literal(true),
|
||||
}),
|
||||
},
|
||||
})
|
||||
Reference in New Issue
Block a user