pass giteaRepo to agent runner; add runner secret auth on PATCH

- Sessions route now reads giteaRepo from project.data and forwards it
  to /agent/execute so the runner can clone/update the correct repo
- PATCH route now validates x-agent-runner-secret header to prevent
  unauthorized session output injection

Made-with: Cursor
2026-03-06 18:01:33 -08:00
parent ad3abd427b
commit 61a43ad9b4
2 changed files with 13 additions and 6 deletions


@@ -65,9 +65,9 @@ export async function POST(
await ensureTable();
// Verify ownership
const owns = await query<{ id: string }>(
`SELECT p.id FROM fs_projects p
// Verify ownership and fetch giteaRepo
const owns = await query<{ id: string; data: Record<string, unknown> }>(
`SELECT p.id, p.data FROM fs_projects p
JOIN fs_users u ON u.id = p.user_id
WHERE p.id = $1 AND u.data->>'email' = $2 LIMIT 1`,
[projectId, session.user.email]
@@ -76,6 +76,8 @@ export async function POST(
return NextResponse.json({ error: "Project not found" }, { status: 404 });
}
const giteaRepo = owns[0].data?.giteaRepo as string | undefined;
// Create the session row
const rows = await query<{ id: string }>(
`INSERT INTO agent_sessions (project_id, app_name, app_path, task, status, started_at)
@@ -95,6 +97,7 @@ export async function POST(
projectId,
appName,
appPath,
giteaRepo, // e.g. "mark/sportsy" — agent runner uses this to clone/update the repo
task: task.trim(),
}),
}).catch(err => {
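Review bot: In the second hunk, `owns[0].data?.giteaRepo as string | undefined` is only a compile-time cast, so whatever is stored in `project.data` (a number, an object, a string with unexpected characters) is forwarded unchecked to `/agent/execute`, where per the added comment the runner uses it to clone/update a repo. Because the value selects a repository on the runner side, it should be narrowed and shape-checked before it crosses that boundary: `const raw = owns[0].data?.giteaRepo;` followed by `const giteaRepo = typeof raw === "string" && /^[A-Za-z0-9_][\w.-]*\/[A-Za-z0-9_][\w.-]*$/.test(raw) ? raw : undefined;`. Whether `project.data` can be written by the project owner is not visible in this diff, so the severity is unconfirmed; a value that is present but malformed would be better logged or rejected than silently dropped. The body of `POST` starts and ends outside these hunks.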