mark/vibn-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

pass giteaRepo to agent runner; add runner secret auth on PATCH

Browse Source 
- Sessions route now reads giteaRepo from project.data and forwards it
  to /agent/execute so the runner can clone/update the correct repo
- PATCH route now validates x-agent-runner-secret header to prevent
  unauthorized session output injection

Made-with: Cursor
This commit is contained in:
Mark Henderson
2026-03-06 18:01:33 -08:00
parent ad3abd427b
commit 61a43ad9b4
2 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/api/projects/[projectId]/agent/sessions/[sessionId]/route.ts
View File

@@ -64,10 +64,14 @@ export async function PATCH(
) { ) {
/** /**
* Internal endpoint called by vibn-agent-runner to append output lines * Internal endpoint called by vibn-agent-runner to append output lines
* and update status. Not exposed to users directly. * and update status. Requires x-agent-runner-secret header.
*
* Body: { status?, outputLine?, changedFile? }
*/ */
const secret = process.env.AGENT_RUNNER_SECRET ?? "";
const incomingSecret = req.headers.get("x-agent-runner-secret") ?? "";
if (secret && incomingSecret !== secret) {
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}
try { try {
const { sessionId } = await params; const { sessionId } = await params;
const body = await req.json() as { const body = await req.json() as {

9
app/api/projects/[projectId]/agent/sessions/route.ts
View File

@@ -65,9 +65,9 @@ export async function POST(
await ensureTable(); await ensureTable();
// Verify ownership // Verify ownership and fetch giteaRepo
const owns = await query<{ id: string }>( const owns = await query<{ id: string; data: Record<string, unknown> }>(
`SELECT p.id FROM fs_projects p `SELECT p.id, p.data FROM fs_projects p
JOIN fs_users u ON u.id = p.user_id JOIN fs_users u ON u.id = p.user_id
WHERE p.id = $1 AND u.data->>'email' = $2 LIMIT 1`, WHERE p.id = $1 AND u.data->>'email' = $2 LIMIT 1`,
[projectId, session.user.email] [projectId, session.user.email]
@@ -76,6 +76,8 @@ export async function POST(
return NextResponse.json({ error: "Project not found" }, { status: 404 }); return NextResponse.json({ error: "Project not found" }, { status: 404 });
} }
const giteaRepo = owns[0].data?.giteaRepo as string | undefined;
// Create the session row // Create the session row
const rows = await query<{ id: string }>( const rows = await query<{ id: string }>(
`INSERT INTO agent_sessions (project_id, app_name, app_path, task, status, started_at) `INSERT INTO agent_sessions (project_id, app_name, app_path, task, status, started_at)
@@ -95,6 +97,7 @@ export async function POST(
projectId, projectId,
appName, appName,
appPath, appPath,
giteaRepo, // e.g. "mark/sportsy" — agent runner uses this to clone/update the repo
task: task.trim(), task: task.trim(),
}), }),
}).catch(err => { }).catch(err => {