mark/master-ai
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2026-06-07. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
6b8862ef2bf0e61efd9be553bab3f7ca79f669db
master-ai/vibn-frontend/app/api/ROUTES.md
mawkone 6b8862ef2b feat(api): comprehensive QA hardening — security gates, chat improvements, beta scaffolds 
Closes checklist items F-01..F-06, D-01..D-28, S-01..S-10, C-01..C-07,
B-01..B-07, R-01..R-02, O-03.

Security (28 deletions + 10 auth gates):
- Delete 28 unauthenticated debug/cursor/firebase/test routes
- Gate ai/chat, ai/conversation, context/summarize, work-completed with withTenantProject/withAuth
- Add HMAC-SHA256 signature verification to webhooks/coolify
- Switch all admin secret comparisons to timingSafeStringEq

Foundations (lib/server/*):
- api-handler.ts: withAuth, withTenantProject, withWorkspace, withAdminSecret, withRateLimit
- logger.ts: structured request-scoped logging with turnId
- audit-log.ts: writeAuditLog helper + audit_log table
- rate-limit.ts: Postgres sliding window rate limiter
- coolify-webhook.ts: verifyCoolifySignature
- timing-safe.ts: timingSafeStringEq

Chat hardening (chat/route.ts):
- MAX_TOOL_ROUNDS 15 → 8 (C-01)
- Loop detection: hard-break at 3 identical fingerprints (was 5) (C-02)
- Add 6-consecutive-tool-call hard-break (C-02)
- Mode: respond first, act second prompt block (C-03)
- SSE heartbeat every 25s via setInterval (C-04)
- Per-tool 45s timeout via Promise.race (C-05)
- turnId per-turn UUID for log correlation (C-06)
- Recovery fires when roundsSinceText >= 4 (C-07)
- SSE plan event on plan_task_add/edit (B-05)

Beta features:
- invites table + GET/POST /api/invites (P4.8)
- invites/[token] validate + redeem (P4.8)
- fs_project_dev_servers table + lib/server/dev-server-state.ts (P6.B1)
- fs_project_secrets table + CRUD routes (P6.D2)
- lib/integrations/brief-extract.ts (P3.7)

Documentation:
- app/api/ROUTES.md: full route map with auth + tenant
2026-05-17 19:17:22 -07:00

160 lines
9.0 KiB
Markdown
Raw Blame History

# API Route Map
> Generated 2026-05-17. Auth column: `session` = NextAuth cookie,
> `api_key` = `vibn_sk_…` bearer, `admin_secret` = env-var secret,
> `webhook_sig` = HMAC-SHA256, `public` = no auth.
>
> Tenant column: `workspace` = must belong to caller's workspace,
> `project` = must own project, `user` = must match session user,
> `global` = cross-workspace admin op.
## Chat
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/chat` | session | workspace | Main SSE chat with Gemini + tool loop |
| GET | `/api/chat/threads` | session | user | List threads |
| POST | `/api/chat/threads` | session | user | Create thread |
| GET | `/api/chat/threads/[id]` | session | user | Get thread + messages |
| PATCH | `/api/chat/threads/[id]` | session | user | Rename thread |
| DELETE | `/api/chat/threads/[id]` | session | user | Delete thread |
## AI (legacy, plan to deprecate)
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/ai/chat` | session | project | Old collector-mode chat (pre-tool) |
| GET | `/api/ai/conversation` | session | project | Fetch saved conversation history |
| DELETE | `/api/ai/conversation` | session | project | Wipe conversation history |
| POST | `/api/ai/conversation/reset` | session | project | Alias for DELETE |
## Projects
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET | `/api/projects` | session | user | List user's projects |
| POST | `/api/projects/create` | session | user | Create project (enforces quota) |
| POST | `/api/projects/delete` | session | project | Delete project |
| GET/PATCH | `/api/projects/[projectId]` | session | project | Get / update project |
| GET | `/api/projects/[projectId]/activity` | session | project | Activity feed |
| POST | `/api/projects/[projectId]/advisor` | session | project | AI advisor |
| GET/POST | `/api/projects/[projectId]/anatomy` | session | project | Anatomy read/update |
| GET/POST | `/api/projects/[projectId]/apps` | session | project | App list / create |
| GET/POST | `/api/projects/[projectId]/design-kit` | session | project | Design kit CRUD |
| GET/POST | `/api/projects/[projectId]/plan` | session | project | Plan read/update |
| POST | `/api/projects/[projectId]/plan/intelligent` | session | project | AI plan generation |
| POST | `/api/projects/[projectId]/plan/mvp` | session | project | MVP plan |
| POST | `/api/projects/[projectId]/plan/marketing` | session | project | Marketing plan |
| POST | `/api/projects/[projectId]/documents/upload` | session | project | Upload brief |
| GET/POST | `/api/projects/[projectId]/secrets` | session | project | List/set project secrets (B-06) |
| GET/DELETE | `/api/projects/[projectId]/secrets/[key]` | session | project | Reveal/delete secret (B-06) |
| GET | `/api/projects/[projectId]/knowledge` | session | project | Knowledge items |
| POST | `/api/projects/[projectId]/knowledge/batch-extract` | session | project | Batch extract knowledge |
| GET/POST | `/api/projects/[projectId]/agent/sessions` | session | project | Agent session CRUD |
| GET | `/api/projects/[projectId]/agent/sessions/[sessionId]` | session | project | Session state |
| POST | `/api/projects/[projectId]/agent/sessions/[sessionId]/approve` | session | project | Approve session commit |
| POST | `/api/projects/[projectId]/agent/sessions/[sessionId]/stop` | session | project | Stop agent |
| GET | `/api/projects/[projectId]/agent/sessions/[sessionId]/events` | session | project | Event list |
| GET | `/api/projects/[projectId]/agent/sessions/[sessionId]/events/stream` | session | project | SSE event tail |
## Workspaces
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET | `/api/workspaces` | session/api_key | user | List workspaces |
| POST | `/api/workspaces/delete` | session | user | Delete workspace |
| GET | `/api/workspaces/[slug]` | session/api_key | workspace | Get workspace |
| GET/POST | `/api/workspaces/[slug]/apps` | session/api_key | workspace | List/create apps |
| GET/PATCH/DELETE | `/api/workspaces/[slug]/apps/[uuid]` | session/api_key | workspace | App CRUD |
| POST | `/api/workspaces/[slug]/apps/[uuid]/deploy` | session/api_key | workspace | Trigger deploy |
| GET | `/api/workspaces/[slug]/apps/[uuid]/logs` | session/api_key | workspace | Runtime logs |
| GET/PATCH | `/api/workspaces/[slug]/apps/[uuid]/envs` | session/api_key | workspace | Env vars |
| POST | `/api/workspaces/[slug]/apps/[uuid]/exec` | session/api_key | workspace | Remote exec |
| GET/POST | `/api/workspaces/[slug]/databases` | session/api_key | workspace | Database CRUD |
| GET | `/api/workspaces/[slug]/domains` | session/api_key | workspace | Domain list |
| GET/POST | `/api/workspaces/[slug]/keys` | session/api_key | workspace | API keys |
| POST | `/api/workspaces/[slug]/provision` | session/api_key | workspace | Provision workspace |
## MCP
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/mcp` | session/api_key | workspace | All 40+ MCP tools |
| GET/POST/DELETE | `/api/mcp/generate-key` | session | user | Manage MCP API keys |
## Auth / Sessions
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET/POST | `/api/auth/[...nextauth]` | public | - | NextAuth handlers |
| GET | `/api/user/api-key` | session | user | Get/create user API key |
| GET | `/api/sessions` | session | user | Session history |
| POST | `/api/sessions/track` | session | user | Track session event |
| POST | `/api/sessions/associate-project` | session | user | Link session to project |
## GitHub Integrations
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET/POST/DELETE | `/api/github/connect` | session | user | Legacy GitHub OAuth connect |
| GET | `/api/github/repos` | session | user | List connected repos |
| GET | `/api/github/repo-tree` | session | user | Repo file tree |
| GET | `/api/github/file-content` | session | user | Single file content |
| POST | `/api/github/oauth/token` | public | - | OAuth token exchange |
| GET | `/api/integrations/github/connect` | session | user | New OAuth connect |
| GET | `/api/integrations/github/callback` | public | - | OAuth callback |
| POST | `/api/integrations/github/disconnect` | session | user | Disconnect GitHub |
| GET | `/api/integrations/github/repos` | session | user | New integration repos |
## Webhooks
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/webhooks/gitea` | webhook_sig | project | Gitea push events → context snapshot |
| POST | `/api/webhooks/coolify` | webhook_sig | project | Deploy status → context snapshot |
## Invites (P4.8)
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET/POST | `/api/invites` | admin_secret | global | Create / list invite tokens |
| GET | `/api/invites/[token]` | public | - | Validate token (used by auth page) |
| POST | `/api/invites/[token]` | session | user | Redeem token on signup |
## Admin / Ops
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/admin/migrate` | admin_secret | global | Run SQL migrations |
| GET | `/api/admin/path-b` | admin_secret | global | Path B kill-switch state |
| POST | `/api/admin/path-b/disable` | admin_secret | global | Disable Path B |
| POST | `/api/admin/path-b/enable` | admin_secret | global | Enable Path B |
| POST | `/api/admin/path-b/idle-sweep` | admin_secret | global | Suspend idle dev containers |
| POST | `/api/admin/path-b/autosave` | admin_secret | global | Autosave workspace |
| POST | `/api/admin/backfill-isolation` | admin_secret | global | Backfill tenant isolation |
| POST | `/api/admin/path-b` | admin_secret | global | Path B bulk status |
| GET | `/api/internal/infra-health` | admin_secret | global | Coolify + SSH probe |
## Utilities
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/context/summarize` | session | user | Gemini one-shot doc summary |
| GET | `/api/activity` | session | user | Workspace activity feed |
| GET | `/api/work-completed` | session | project | Work completed items |
| GET | `/api/stats` | session | user | Usage stats |
| GET | `/api/preview/embed` | session | user | HTML proxy for preview iframes |
| GET/POST | `/api/extension/link-project` | session | user | Browser extension project link |
| POST | `/api/vision/update` | session | project | Update project vision |
| GET | `/api/keys` | session | user | User key management |
| GET | `/api/design-systems/[id]/preview` | public | - | Design system preview HTML |
| GET | `/api/design-systems/[id]/showcase` | public | - | Design system showcase |
## Deprecated / V0
| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| * | `/api/v0/*` | varies | varies | Legacy v0 integration (verify still used) |
| * | `/api/openai/*` | session | user | OpenAI GPT import (verify still used) |
| * | `/api/chatgpt/*` | session | user | ChatGPT conversation import |
Reference in New Issue View Git Blame Copy Permalink