Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .agent-guidance/architecture/cloud-job-execution.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions apps/api/src/handlers/github/handlePrComment.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ import {
enqueueCloudTask,
getTaskUrl,
routeGitHubTask,
resolveUserIdForCloudJob,
resolveCredentialUserIdForCloudJob,
} from '@roomote/cloud-agents/server';
import {
findActiveGitHubPrReviewTask,
Expand Down Expand Up @@ -841,7 +841,7 @@ async function resolveReusableTaskSenderUserId({

return (
latestJob.actingUserId ??
(await resolveUserIdForCloudJob({
(await resolveCredentialUserIdForCloudJob({
id: latestJob.id,
userId: latestJob.userId,
}))
Expand Down Expand Up @@ -1030,7 +1030,7 @@ async function resumeExistingTaskAndDeliverFollowUp({
const senderUserId =
userId ??
sourceJob.actingUserId ??
(await resolveUserIdForCloudJob({
(await resolveCredentialUserIdForCloudJob({
id: sourceJob.id,
userId: sourceJob.userId,
}));
Expand Down
22 changes: 12 additions & 10 deletions apps/api/src/handlers/github/handleWorkflowRunCompleted.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,9 @@ import { getRedis } from '@roomote/redis';
import {
buildCiFailureTriagePrompt,
buildRepositoryCoverage,
deploymentHasActiveCredentialUser,
enqueueCloudTask,
getTaskUrl,
resolveUserIdForCloudJob,
} from '@roomote/cloud-agents/server';
import {
and,
Expand Down Expand Up @@ -249,14 +249,14 @@ export async function handleWorkflowRunCompleted(
};
}

const adminUserId = await resolveUserIdForCloudJob({
id: 0,
userId: null,
});

if (!adminUserId) {
console.warn(`${LOG_PREFIX} No user available for CI failure triage`);
return { status: 'ok', message: 'No user available' };
// Automation tasks enqueue with a null userId, but token minting still
// needs at least one active user's credentials. Bail up front so no run or
// announcement is recorded for a job that could never start.
if (!(await deploymentHasActiveCredentialUser())) {
console.warn(
`${LOG_PREFIX} No active user available to resolve credentials for CI failure triage`,
);
return { status: 'ok', message: 'No active user available' };
}

const workflowName = run.name ?? payload.workflow?.name ?? 'unknown';
Expand Down Expand Up @@ -328,7 +328,9 @@ export async function handleWorkflowRunCompleted(

const launchResult = await enqueueCloudTask(
{
userId: adminUserId,
// Automation-initiated: no stamped user id. Attribution comes from
// the suggestion source, and credentials resolve at token-mint time.
userId: null,
type: CloudTaskType.SuggestedTasks,
payload: {
repo: match.repositoryFullName,
Expand Down
8 changes: 5 additions & 3 deletions apps/api/src/handlers/github/reviewTaskRelayPayload.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,12 @@ function hasRoomoteTaskAttribution(prBody: string | null | undefined): boolean {
}

const hasTaskLink = /\[[^\]]+\]\([^)]*\/task\/[^)]*\)/.test(prBody);
// The attribution line names either a human ("Opened on behalf of ...") or
// the initiating automation ("Created by PR Reviewer.", "Created by
// Roomote."). Combined with the task-link requirement above this stays
// specific to Roomote-authored PR bodies.
const hasRoomoteAttributionLine =
/Opened on behalf of|Created by Roomote(?: from an unlinked [^.]+)?\./.test(
prBody,
);
/Opened on behalf of|Created by [^.\n]{1,100}\./.test(prBody);

return hasTaskLink && hasRoomoteAttributionLine;
}
Expand Down
2 changes: 1 addition & 1 deletion apps/api/src/handlers/mcp/__tests__/asana-auth.test.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion apps/api/src/handlers/mcp/__tests__/grafana-auth.test.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion apps/api/src/handlers/mcp/__tests__/vercel-auth.test.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions apps/api/src/handlers/mcp/asana/index.ts
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import { Hono } from 'hono';
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';
import { resolveUserIdForCloudJob } from '@roomote/cloud-agents/server';
import { resolveCredentialUserIdForCloudJob } from '@roomote/cloud-agents/server';
import {
and,
cloudJobs,
Expand Down Expand Up @@ -52,7 +52,7 @@ async function resolveAsanaMcpAuth(
throw new McpProxyError(404, 'Cloud job not found for this MCP token');
}

const resolvedUserId = await resolveUserIdForCloudJob(cloudJob);
const resolvedUserId = await resolveCredentialUserIdForCloudJob(cloudJob);
if (!resolvedUserId) {
throw new McpProxyError(
403,
Expand Down
4 changes: 2 additions & 2 deletions apps/api/src/handlers/mcp/grafana/index.ts
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import { Hono } from 'hono';
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';
import { resolveUserIdForCloudJob } from '@roomote/cloud-agents/server';
import { resolveCredentialUserIdForCloudJob } from '@roomote/cloud-agents/server';
import {
and,
cloudJobs,
Expand Down Expand Up @@ -52,7 +52,7 @@ async function resolveGrafanaMcpAuth(
throw new McpProxyError(404, 'Cloud job not found for this MCP token');
}

const resolvedUserId = await resolveUserIdForCloudJob(cloudJob);
const resolvedUserId = await resolveCredentialUserIdForCloudJob(cloudJob);
if (!resolvedUserId) {
throw new McpProxyError(
403,
Expand Down
6 changes: 3 additions & 3 deletions apps/api/src/handlers/mcp/proxy-utils.ts
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ import {
isUserToken,
parseMcpJsonRpcPayload,
} from '@roomote/types';
import { resolveUserIdForCloudJob } from '@roomote/cloud-agents/server';
import { resolveCredentialUserIdForCloudJob } from '@roomote/cloud-agents/server';
import { cloudJobs, db, eq } from '@roomote/db/server';

import type { Variables } from '../../types';
Expand Down Expand Up @@ -102,7 +102,7 @@ export async function resolveActingUserId(
throw new McpProxyError(404, 'Cloud job not found for this MCP token');
}

const resolvedUserId = await resolveUserIdForCloudJob({
const resolvedUserId = await resolveCredentialUserIdForCloudJob({
id: auth.cloudJobId,
userId: cloudJob.userId,
});
Expand Down Expand Up @@ -133,7 +133,7 @@ async function verifyCloudJobHasRealUser(
);
}

const resolvedUserId = await resolveUserIdForCloudJob(cloudJob);
const resolvedUserId = await resolveCredentialUserIdForCloudJob(cloudJob);

if (!hasRealCloudJobUser(resolvedUserId)) {
return jsonRpcErrorResponse(
Expand Down
44 changes: 34 additions & 10 deletions apps/api/src/handlers/mcp/slack.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import type { ContentfulStatusCode } from 'hono/utils/http-status';
import { Hono } from 'hono';

import { Env } from '@roomote/env';
import { resolveUserIdForCloudJob } from '@roomote/cloud-agents/server';
import { resolveCredentialUserIdForCloudJob } from '@roomote/cloud-agents/server';
import {
and,
backgroundAutomationSlackThreads,
Expand Down Expand Up @@ -885,7 +885,7 @@ slackMcp.post('/thread_reply', async (c) => {
return c.json({ error: 'Cloud job not found for this MCP token' }, 404);
}

const resolvedUserId = await resolveUserIdForCloudJob(cloudJob);
const resolvedUserId = await resolveCredentialUserIdForCloudJob(cloudJob);

if (!hasRealCloudJobUser(resolvedUserId)) {
return c.json(
Expand Down Expand Up @@ -1505,14 +1505,20 @@ slackMcp.post('/thread_lookup', async (c) => {
return c.json({ error: 'Cloud job not found for this MCP token' }, 404);
}

if (!hasRealCloudJobUser(cloudJob.userId)) {
// Automation-initiated jobs carry a null userId; their tokens are minted
// from the lazily resolved credential user, so validate against that same
// resolution instead of the raw job owner column.
const tokenCredentialUserId =
await resolveCredentialUserIdForCloudJob(cloudJob);

if (!hasRealCloudJobUser(tokenCredentialUserId)) {
return c.json(
{ error: 'MCP proxy requires a cloud job associated with a real user' },
403,
);
}

if (cloudJob.userId !== authContext.userId) {
if (tokenCredentialUserId !== authContext.userId) {
return c.json(
{ error: 'MCP token user does not match cloud job user' },
403,
Expand Down Expand Up @@ -1577,14 +1583,20 @@ slackMcp.post('/reaction_add', async (c) => {
return c.json({ error: 'Cloud job not found for this MCP token' }, 404);
}

if (!hasRealCloudJobUser(cloudJob.userId)) {
// Automation-initiated jobs carry a null userId; their tokens are minted
// from the lazily resolved credential user, so validate against that same
// resolution instead of the raw job owner column.
const tokenCredentialUserId =
await resolveCredentialUserIdForCloudJob(cloudJob);

if (!hasRealCloudJobUser(tokenCredentialUserId)) {
return c.json(
{ error: 'MCP proxy requires a cloud job associated with a real user' },
403,
);
}

if (cloudJob.userId !== authContext.userId) {
if (tokenCredentialUserId !== authContext.userId) {
return c.json(
{ error: 'MCP token user does not match cloud job user' },
403,
Expand Down Expand Up @@ -1697,14 +1709,20 @@ slackMcp.post('/channel_messages', async (c) => {
return c.json({ error: 'Cloud job not found for this MCP token' }, 404);
}

if (!hasRealCloudJobUser(cloudJob.userId)) {
// Automation-initiated jobs carry a null userId; their tokens are minted
// from the lazily resolved credential user, so validate against that same
// resolution instead of the raw job owner column.
const tokenCredentialUserId =
await resolveCredentialUserIdForCloudJob(cloudJob);

if (!hasRealCloudJobUser(tokenCredentialUserId)) {
return c.json(
{ error: 'MCP proxy requires a cloud job associated with a real user' },
403,
);
}

if (cloudJob.userId !== authContext.userId) {
if (tokenCredentialUserId !== authContext.userId) {
return c.json(
{ error: 'MCP token user does not match cloud job user' },
403,
Expand Down Expand Up @@ -1777,14 +1795,20 @@ slackMcp.post('/channel_post', async (c) => {
return c.json({ error: 'Cloud job not found for this MCP token' }, 404);
}

if (!hasRealCloudJobUser(cloudJob.userId)) {
// Automation-initiated jobs carry a null userId; their tokens are minted
// from the lazily resolved credential user, so validate against that same
// resolution instead of the raw job owner column.
const tokenCredentialUserId =
await resolveCredentialUserIdForCloudJob(cloudJob);

if (!hasRealCloudJobUser(tokenCredentialUserId)) {
return c.json(
{ error: 'MCP proxy requires a cloud job associated with a real user' },
403,
);
}

if (cloudJob.userId !== authContext.userId) {
if (tokenCredentialUserId !== authContext.userId) {
return c.json(
{ error: 'MCP token user does not match cloud job user' },
403,
Expand Down
Loading