fix(api): route host cli through controller auth

Author: skulidropek

packages/api/src/api/contracts.ts

@@ -28,6 +28,38 @@ export type ProjectDetails = ProjectSummary & {
   readonly clonedOnHostname?: string | undefined
 }
 
+export type GithubAuthTokenStatus = {
+  readonly key: string
+  readonly label: string
+  readonly status: "valid" | "invalid" | "unknown"
+  readonly login: string | null
+}
+
+export type GithubAuthStatus = {
+  readonly summary: string
+  readonly tokens: ReadonlyArray<GithubAuthTokenStatus>
+}
+
+export type GithubAuthLoginRequest = {
+  readonly label?: string | null | undefined
+  readonly token?: string | null | undefined
+  readonly scopes?: string | null | undefined
+}
+
+export type GithubAuthLogoutRequest = {
+  readonly label?: string | null | undefined
+}
+
+export type ApplyAllRequest = {
+  readonly activeOnly?: boolean | undefined
+}
+
+export type ApiAuthRequired = {
+  readonly provider: "github"
+  readonly message: string
+  readonly command: string
+}
+
 export type CreateProjectRequest = {
   readonly repoUrl?: string | undefined
   readonly repoRef?: string | undefined
@@ -57,6 +89,7 @@ export type CreateProjectRequest = {
   readonly openSsh?: boolean | undefined
   readonly force?: boolean | undefined
   readonly forceEnv?: boolean | undefined
+  readonly waitForClone?: boolean | undefined
 }
 
 export type AgentEnvVar = {

packages/api/src/api/errors.ts

@@ -1,5 +1,11 @@
 import { Data } from "effect"
 
+export class ApiAuthRequiredError extends Data.TaggedError("ApiAuthRequiredError")<{
+  readonly provider: "github"
+  readonly message: string
+  readonly command: string
+}> {}
+
 export class ApiBadRequestError extends Data.TaggedError("ApiBadRequestError")<{
   readonly message: string
   readonly details?: unknown
@@ -19,6 +25,7 @@ export class ApiInternalError extends Data.TaggedError("ApiInternalError")<{
 }> {}
 
 export type ApiKnownError =
+  | ApiAuthRequiredError
   | ApiBadRequestError
   | ApiNotFoundError
   | ApiConflictError

packages/api/src/api/schema.ts

@@ -2,6 +2,7 @@ import * as Schema from "effect/Schema"
 
 const OptionalString = Schema.optional(Schema.String)
 const OptionalBoolean = Schema.optional(Schema.Boolean)
+const OptionalNullableString = Schema.optional(Schema.NullOr(Schema.String))
 
 export const CreateProjectRequestSchema = Schema.Struct({
   repoUrl: OptionalString,
@@ -31,7 +32,22 @@ export const CreateProjectRequestSchema = Schema.Struct({
   up: OptionalBoolean,
   openSsh: OptionalBoolean,
   force: OptionalBoolean,
-  forceEnv: OptionalBoolean
+  forceEnv: OptionalBoolean,
+  waitForClone: OptionalBoolean
+})
+
+export const GithubAuthLoginRequestSchema = Schema.Struct({
+  label: OptionalNullableString,
+  token: OptionalNullableString,
+  scopes: OptionalNullableString
+})
+
+export const GithubAuthLogoutRequestSchema = Schema.Struct({
+  label: OptionalNullableString
+})
+
+export const ApplyAllRequestSchema = Schema.Struct({
+  activeOnly: OptionalBoolean
 })
 
 export const AgentProviderSchema = Schema.Literal("codex", "opencode", "claude", "custom")
@@ -84,5 +100,8 @@ export const AgentLogLineSchema = Schema.Struct({
 })
 
 export type CreateProjectRequestInput = Schema.Schema.Type<typeof CreateProjectRequestSchema>
+export type GithubAuthLoginRequestInput = Schema.Schema.Type<typeof GithubAuthLoginRequestSchema>
+export type GithubAuthLogoutRequestInput = Schema.Schema.Type<typeof GithubAuthLogoutRequestSchema>
+export type ApplyAllRequestInput = Schema.Schema.Type<typeof ApplyAllRequestSchema>
 export type CreateAgentRequestInput = Schema.Schema.Type<typeof CreateAgentRequestSchema>
 export type CreateFollowRequestInput = Schema.Schema.Type<typeof CreateFollowRequestSchema>

packages/api/src/http.ts

@@ -9,9 +9,10 @@ import * as HttpServerError from "@effect/platform/HttpServerError"
 import * as ParseResult from "effect/ParseResult"
 import * as Schema from "effect/Schema"
 
-import { ApiBadRequestError, ApiConflictError, ApiInternalError, ApiNotFoundError, describeUnknown } from "./api/errors.js"
-import { CreateAgentRequestSchema, CreateFollowRequestSchema, CreateProjectRequestSchema } from "./api/schema.js"
+import { ApiAuthRequiredError, ApiBadRequestError, ApiConflictError, ApiInternalError, ApiNotFoundError, describeUnknown } from "./api/errors.js"
+import { ApplyAllRequestSchema, CreateAgentRequestSchema, CreateFollowRequestSchema, CreateProjectRequestSchema, GithubAuthLoginRequestSchema, GithubAuthLogoutRequestSchema } from "./api/schema.js"
 import { uiHtml, uiScript, uiStyles } from "./ui.js"
+import { loginGithubAuth, logoutGithubAuth, readGithubAuthStatus } from "./services/auth.js"
 import { getAgent, getAgentAttachInfo, listAgents, readAgentLogs, startAgent, stopAgent } from "./services/agents.js"
 import { latestProjectCursor, listProjectEventsSince } from "./services/events.js"
 import {
@@ -27,8 +28,10 @@ import {
   makeFederationOutboxCollection
 } from "./services/federation.js"
 import {
+  applyAllProjects,
   createProjectFromRequest,
   deleteProjectById,
+  downAllProjects,
   downProject,
   getProject,
   listProjects,
@@ -48,6 +51,7 @@ const AgentParamsSchema = Schema.Struct({
 })
 
 type ApiError =
+  | ApiAuthRequiredError
   | ApiBadRequestError
   | ApiNotFoundError
   | ApiConflictError
@@ -93,6 +97,20 @@ const errorResponse = (error: ApiError | unknown) => {
     return jsonResponse({ error: { type: error._tag, message: error.message, details: error.details } }, 400)
   }
 
+  if (error instanceof ApiAuthRequiredError) {
+    return jsonResponse(
+      {
+        error: {
+          type: error._tag,
+          message: error.message,
+          provider: error.provider,
+          command: error.command
+        }
+      },
+      401
+    )
+  }
+
   if (error instanceof ApiNotFoundError) {
     return jsonResponse({ error: { type: error._tag, message: error.message } }, 404)
   }
@@ -121,6 +139,9 @@ const agentParams = HttpRouter.schemaParams(AgentParamsSchema)
 
 const readCreateProjectRequest = () => HttpServerRequest.schemaBodyJson(CreateProjectRequestSchema)
 const readCreateFollowRequest = () => HttpServerRequest.schemaBodyJson(CreateFollowRequestSchema)
+const readGithubAuthLoginRequest = () => HttpServerRequest.schemaBodyJson(GithubAuthLoginRequestSchema)
+const readGithubAuthLogoutRequest = () => HttpServerRequest.schemaBodyJson(GithubAuthLogoutRequestSchema)
+const readApplyAllRequest = () => HttpServerRequest.schemaBodyJson(ApplyAllRequestSchema)
 const readInboxPayload = () => HttpServerRequest.schemaBodyJson(Schema.Unknown)
 
 const configuredFederationPublicOrigin =
@@ -184,6 +205,29 @@ export const makeRouter = () => {
     HttpRouter.get("/ui/styles.css", textResponse(uiStyles, "text/css; charset=utf-8", 200)),
     HttpRouter.get("/ui/app.js", textResponse(uiScript, "application/javascript; charset=utf-8", 200)),
     HttpRouter.get("/health", jsonResponse({ ok: true }, 200)),
+    HttpRouter.get(
+      "/auth/github/status",
+      Effect.gen(function*(_) {
+        const status = yield* _(readGithubAuthStatus())
+        return yield* _(jsonResponse({ status }, 200))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
+    HttpRouter.post(
+      "/auth/github/login",
+      Effect.gen(function*(_) {
+        const request = yield* _(readGithubAuthLoginRequest())
+        const status = yield* _(loginGithubAuth(request))
+        return yield* _(jsonResponse({ ok: true, status }, 201))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
+    HttpRouter.post(
+      "/auth/github/logout",
+      Effect.gen(function*(_) {
+        const request = yield* _(readGithubAuthLogoutRequest())
+        const status = yield* _(logoutGithubAuth(request))
+        return yield* _(jsonResponse({ ok: true, status }, 200))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
     HttpRouter.get(
       "/federation/issues",
       Effect.sync(() => ({ issues: listFederationIssues() })).pipe(
@@ -274,6 +318,21 @@ export const makeRouter = () => {
         return yield* _(jsonResponse({ project }, 201))
       }).pipe(Effect.catchAll(errorResponse))
     ),
+    HttpRouter.post(
+      "/projects/apply-all",
+      Effect.gen(function*(_) {
+        const request = yield* _(readApplyAllRequest())
+        yield* _(applyAllProjects(request.activeOnly ?? false))
+        return yield* _(jsonResponse({ ok: true }, 200))
+      }).pipe(Effect.catchAll(errorResponse))
+    ),
+    HttpRouter.post(
+      "/projects/down-all",
+      downAllProjects().pipe(
+        Effect.flatMap(() => jsonResponse({ ok: true }, 200)),
+        Effect.catchAll(errorResponse)
+      )
+    ),
     HttpRouter.get(
       "/projects/:projectId",
       projectParams.pipe(