| import type { ExecApprovalForwarder } from "../../infra/exec-approval-forwarder.js"; |
| import type { ExecApprovalManager } from "../exec-approval-manager.js"; |
| import type { GatewayRequestHandlers } from "./types.js"; |
| import { |
| DEFAULT_EXEC_APPROVAL_TIMEOUT_MS, |
| type ExecApprovalDecision, |
| } from "../../infra/exec-approvals.js"; |
| import { |
| ErrorCodes, |
| errorShape, |
| formatValidationErrors, |
| validateExecApprovalRequestParams, |
| validateExecApprovalResolveParams, |
| } from "../protocol/index.js"; |
|
|
| export function createExecApprovalHandlers( |
| manager: ExecApprovalManager, |
| opts?: { forwarder?: ExecApprovalForwarder }, |
| ): GatewayRequestHandlers { |
| return { |
| "exec.approval.request": async ({ params, respond, context, client }) => { |
| if (!validateExecApprovalRequestParams(params)) { |
| respond( |
| false, |
| undefined, |
| errorShape( |
| ErrorCodes.INVALID_REQUEST, |
| `invalid exec.approval.request params: ${formatValidationErrors( |
| validateExecApprovalRequestParams.errors, |
| )}`, |
| ), |
| ); |
| return; |
| } |
| const p = params as { |
| id?: string; |
| command: string; |
| cwd?: string; |
| host?: string; |
| security?: string; |
| ask?: string; |
| agentId?: string; |
| resolvedPath?: string; |
| sessionKey?: string; |
| timeoutMs?: number; |
| twoPhase?: boolean; |
| }; |
| const twoPhase = p.twoPhase === true; |
| const timeoutMs = |
| typeof p.timeoutMs === "number" ? p.timeoutMs : DEFAULT_EXEC_APPROVAL_TIMEOUT_MS; |
| const explicitId = typeof p.id === "string" && p.id.trim().length > 0 ? p.id.trim() : null; |
| if (explicitId && manager.getSnapshot(explicitId)) { |
| respond( |
| false, |
| undefined, |
| errorShape(ErrorCodes.INVALID_REQUEST, "approval id already pending"), |
| ); |
| return; |
| } |
| const request = { |
| command: p.command, |
| cwd: p.cwd ?? null, |
| host: p.host ?? null, |
| security: p.security ?? null, |
| ask: p.ask ?? null, |
| agentId: p.agentId ?? null, |
| resolvedPath: p.resolvedPath ?? null, |
| sessionKey: p.sessionKey ?? null, |
| }; |
| const record = manager.create(request, timeoutMs, explicitId); |
| record.requestedByConnId = client?.connId ?? null; |
| record.requestedByDeviceId = client?.connect?.device?.id ?? null; |
| record.requestedByClientId = client?.connect?.client?.id ?? null; |
| |
| |
| let decisionPromise: Promise< |
| import("../../infra/exec-approvals.js").ExecApprovalDecision | null |
| >; |
| try { |
| decisionPromise = manager.register(record, timeoutMs); |
| } catch (err) { |
| respond( |
| false, |
| undefined, |
| errorShape(ErrorCodes.INVALID_REQUEST, `registration failed: ${String(err)}`), |
| ); |
| return; |
| } |
| context.broadcast( |
| "exec.approval.requested", |
| { |
| id: record.id, |
| request: record.request, |
| createdAtMs: record.createdAtMs, |
| expiresAtMs: record.expiresAtMs, |
| }, |
| { dropIfSlow: true }, |
| ); |
| void opts?.forwarder |
| ?.handleRequested({ |
| id: record.id, |
| request: record.request, |
| createdAtMs: record.createdAtMs, |
| expiresAtMs: record.expiresAtMs, |
| }) |
| .catch((err) => { |
| context.logGateway?.error?.(`exec approvals: forward request failed: ${String(err)}`); |
| }); |
|
|
| |
| |
| if (twoPhase) { |
| respond( |
| true, |
| { |
| status: "accepted", |
| id: record.id, |
| createdAtMs: record.createdAtMs, |
| expiresAtMs: record.expiresAtMs, |
| }, |
| undefined, |
| ); |
| } |
|
|
| const decision = await decisionPromise; |
| |
| respond( |
| true, |
| { |
| id: record.id, |
| decision, |
| createdAtMs: record.createdAtMs, |
| expiresAtMs: record.expiresAtMs, |
| }, |
| undefined, |
| ); |
| }, |
| "exec.approval.waitDecision": async ({ params, respond }) => { |
| const p = params as { id?: string }; |
| const id = typeof p.id === "string" ? p.id.trim() : ""; |
| if (!id) { |
| respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "id is required")); |
| return; |
| } |
| const decisionPromise = manager.awaitDecision(id); |
| if (!decisionPromise) { |
| respond( |
| false, |
| undefined, |
| errorShape(ErrorCodes.INVALID_REQUEST, "approval expired or not found"), |
| ); |
| return; |
| } |
| |
| const snapshot = manager.getSnapshot(id); |
| const decision = await decisionPromise; |
| |
| respond( |
| true, |
| { |
| id, |
| decision, |
| createdAtMs: snapshot?.createdAtMs, |
| expiresAtMs: snapshot?.expiresAtMs, |
| }, |
| undefined, |
| ); |
| }, |
| "exec.approval.resolve": async ({ params, respond, client, context }) => { |
| if (!validateExecApprovalResolveParams(params)) { |
| respond( |
| false, |
| undefined, |
| errorShape( |
| ErrorCodes.INVALID_REQUEST, |
| `invalid exec.approval.resolve params: ${formatValidationErrors( |
| validateExecApprovalResolveParams.errors, |
| )}`, |
| ), |
| ); |
| return; |
| } |
| const p = params as { id: string; decision: string }; |
| const decision = p.decision as ExecApprovalDecision; |
| if (decision !== "allow-once" && decision !== "allow-always" && decision !== "deny") { |
| respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "invalid decision")); |
| return; |
| } |
| const resolvedBy = client?.connect?.client?.displayName ?? client?.connect?.client?.id; |
| const ok = manager.resolve(p.id, decision, resolvedBy ?? null); |
| if (!ok) { |
| respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "unknown approval id")); |
| return; |
| } |
| context.broadcast( |
| "exec.approval.resolved", |
| { id: p.id, decision, resolvedBy, ts: Date.now() }, |
| { dropIfSlow: true }, |
| ); |
| void opts?.forwarder |
| ?.handleResolved({ id: p.id, decision, resolvedBy, ts: Date.now() }) |
| .catch((err) => { |
| context.logGateway?.error?.(`exec approvals: forward resolve failed: ${String(err)}`); |
| }); |
| respond(true, { ok: true }, undefined); |
| }, |
| }; |
| } |
|
|