feat(api): comprehensive QA hardening — security gates, chat improvements, beta scaffolds

Closes checklist items F-01..F-06, D-01..D-28, S-01..S-10, C-01..C-07, B-01..B-07, R-01..R-02, O-03. Security (28 deletions + 10 auth gates): - Delete 28 unauthenticated debug/cursor/firebase/test routes - Gate ai/chat, ai/conversation, context/summarize, work-completed with withTenantProject/withAuth - Add HMAC-SHA256 signature verification to webhooks/coolify - Switch all admin secret comparisons to timingSafeStringEq Foundations (lib/server/*): - api-handler.ts: withAuth, withTenantProject, withWorkspace, withAdminSecret, withRateLimit - logger.ts: structured request-scoped logging with turnId - audit-log.ts: writeAuditLog helper + audit_log table - rate-limit.ts: Postgres sliding window rate limiter - coolify-webhook.ts: verifyCoolifySignature - timing-safe.ts: timingSafeStringEq Chat hardening (chat/route.ts): - MAX_TOOL_ROUNDS 15 → 8 (C-01) - Loop detection: hard-break at 3 identical fingerprints (was 5) (C-02) - Add 6-consecutive-tool-call hard-break (C-02) - Mode: respond first, act second prompt block (C-03) - SSE heartbeat every 25s via setInterval (C-04) - Per-tool 45s timeout via Promise.race (C-05) - turnId per-turn UUID for log correlation (C-06) - Recovery fires when roundsSinceText >= 4 (C-07) - SSE plan event on plan_task_add/edit (B-05) Beta features: - invites table + GET/POST /api/invites (P4.8) - invites/[token] validate + redeem (P4.8) - fs_project_dev_servers table + lib/server/dev-server-state.ts (P6.B1) - fs_project_secrets table + CRUD routes (P6.D2) - lib/integrations/brief-extract.ts (P3.7) Documentation: - app/api/ROUTES.md: full route map with auth + tenant
2026-05-17 19:17:22 -07:00
parent 955aeed6ce
commit 6b8862ef2b
86 changed files with 6772 additions and 2817 deletions
--- a/patch_thought_sig.ts
+++ b/patch_thought_sig.ts
@@ -0,0 +1,40 @@
+const fs = require('fs');
+
+const path = 'vibn-frontend/lib/ai/gemini-chat.ts';
+let code = fs.readFileSync(path, 'utf8');
+
+// The issue is in `toGeminiContents()`. 
+// For `gemini-3.1-pro-preview` thinking models, `thoughtSignature` MUST be passed back
+// as a sibling to `functionCall` in the `parts` array for assistant responses,
+// OR inside the `functionResponse` for tool responses (depending on API version).
+// Also we need to extract it from the response.
+
+code = code.replace(
+  `          const part: any = {
+            functionCall: { name: tc.name, args: tc.args },
+          };
+          parts.push(part);`,
+  `          const part: any = {
+            functionCall: { name: tc.name, args: tc.args },
+          };
+          if (tc.thoughtSignature) {
+            part.thoughtSignature = tc.thoughtSignature;
+          }
+          parts.push(part);`
+);
+
+code = code.replace(
+  `        toolCalls.push({
+          id: \`tc-\${Date.now()}-\${Math.random().toString(36).slice(2)}\`,
+          name: part.functionCall.name,
+          args: part.functionCall.args as Record<string, unknown> ?? {},
+        });`,
+  `        toolCalls.push({
+          id: \`tc-\${Date.now()}-\${Math.random().toString(36).slice(2)}\`,
+          name: part.functionCall.name,
+          args: part.functionCall.args as Record<string, unknown> ?? {},
+          thoughtSignature: (part as any).thoughtSignature,
+        });`
+);
+
+fs.writeFileSync(path, code);