💄 style: improve server agent harness (#12611)

* add device gateway * improve persona memory * support auto renaming * support memory * fix memory captureAt * add more db testing * add more db testing * add agent tracing tool * add agent tracing tool * fix lint * fix lint * update skills * Potential fix for code scanning alert no. 178: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-03-26 13:19:34 +07:00 · 2026-03-03 17:35:18 +08:00
parent f234397bf8
commit a1a89b3531
66 changed files with 6542 additions and 37 deletions
--- a/apps/device-gateway/package.json
+++ b/apps/device-gateway/package.json
@@ -0,0 +1,18 @@
+{
+  "name": "@lobechat/device-gateway",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "wrangler dev",
+    "deploy": "wrangler deploy",
+    "type-check": "tsc --noEmit"
+  },
+  "dependencies": {
+    "jose": "^6.1.3"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20250214.0",
+    "typescript": "^5.9.3",
+    "wrangler": "^4.14.4"
+  }
+}
--- a/apps/device-gateway/scripts/extract-public-key.mjs
+++ b/apps/device-gateway/scripts/extract-public-key.mjs
@@ -0,0 +1,48 @@
+#!/usr/bin/env node
+
+/**
+ * Extract RS256 public key from JWKS_KEY environment variable.
+ * Output is the JSON string to use with `wrangler secret put JWKS_PUBLIC_KEY`.
+ *
+ * Usage:
+ *   JWKS_KEY='{"keys":[...]}' node scripts/extract-public-key.mjs
+ *   # or load from .env
+ *   node --env-file=../../.env scripts/extract-public-key.mjs
+ */
+
+const jwksString = process.env.JWKS_KEY;
+
+if (!jwksString) {
+  console.error('Error: JWKS_KEY environment variable is not set.');
+  process.exit(1);
+}
+
+const jwks = JSON.parse(jwksString);
+const privateKey = jwks.keys?.find((k) => k.alg === 'RS256' && k.kty === 'RSA');
+
+if (!privateKey) {
+  console.error('Error: No RS256 RSA key found in JWKS_KEY.');
+  process.exit(1);
+}
+
+const publicJwks = {
+  keys: [
+    {
+      alg: privateKey.alg,
+      e: privateKey.e,
+      kid: privateKey.kid,
+      kty: privateKey.kty,
+      n: privateKey.n,
+      use: privateKey.use,
+    },
+  ],
+};
+
+// Remove undefined fields
+for (const key of publicJwks.keys) {
+  for (const [k, v] of Object.entries(key)) {
+    if (v === undefined) delete key[k];
+  }
+}
+
+console.log(JSON.stringify(publicJwks));
--- a/apps/device-gateway/src/DeviceGatewayDO.ts
+++ b/apps/device-gateway/src/DeviceGatewayDO.ts
@@ -0,0 +1,147 @@
+import { DurableObject } from 'cloudflare:workers';
+
+import { DeviceAttachment, Env } from './types';
+
+export class DeviceGatewayDO extends DurableObject<Env> {
+  private pendingRequests = new Map<
+    string,
+    {
+      resolve: (result: any) => void;
+      timer: ReturnType<typeof setTimeout>;
+    }
+  >();
+
+  async fetch(request: Request): Promise<Response> {
+    const url = new URL(request.url);
+
+    // ─── WebSocket upgrade (from Desktop) ───
+    if (request.headers.get('Upgrade') === 'websocket') {
+      const pair = new WebSocketPair();
+      const [client, server] = Object.values(pair);
+
+      this.ctx.acceptWebSocket(server);
+
+      const deviceId = url.searchParams.get('deviceId') || 'unknown';
+      const hostname = url.searchParams.get('hostname') || '';
+      const platform = url.searchParams.get('platform') || '';
+
+      server.serializeAttachment({
+        connectedAt: Date.now(),
+        deviceId,
+        hostname,
+        platform,
+      } satisfies DeviceAttachment);
+
+      return new Response(null, { status: 101, webSocket: client });
+    }
+
+    // ─── HTTP API (from Vercel Agent) ───
+    if (url.pathname === '/api/device/status') {
+      const sockets = this.ctx.getWebSockets();
+      return Response.json({
+        deviceCount: sockets.length,
+        online: sockets.length > 0,
+      });
+    }
+
+    if (url.pathname === '/api/device/tool-call') {
+      return this.handleToolCall(request);
+    }
+
+    if (url.pathname === '/api/device/devices') {
+      const sockets = this.ctx.getWebSockets();
+      const devices = sockets.map((ws) => ws.deserializeAttachment() as DeviceAttachment);
+      return Response.json({ devices });
+    }
+
+    return new Response('Not Found', { status: 404 });
+  }
+
+  // ─── Hibernation Handlers ───
+
+  async webSocketMessage(ws: WebSocket, message: string | ArrayBuffer) {
+    const data = JSON.parse(message as string);
+
+    if (data.type === 'tool_call_response') {
+      const pending = this.pendingRequests.get(data.requestId);
+      if (pending) {
+        clearTimeout(pending.timer);
+        pending.resolve(data.result);
+        this.pendingRequests.delete(data.requestId);
+      }
+    }
+
+    if (data.type === 'heartbeat') {
+      ws.send(JSON.stringify({ type: 'heartbeat_ack' }));
+    }
+  }
+
+  async webSocketClose(_ws: WebSocket, _code: number) {
+    // Hibernation API handles connection cleanup automatically
+  }
+
+  async webSocketError(ws: WebSocket, _error: unknown) {
+    ws.close(1011, 'Internal error');
+  }
+
+  // ─── Tool Call RPC ───
+
+  private async handleToolCall(request: Request): Promise<Response> {
+    const sockets = this.ctx.getWebSockets();
+    if (sockets.length === 0) {
+      return Response.json(
+        { content: '桌面设备不在线', error: 'DEVICE_OFFLINE', success: false },
+        { status: 503 },
+      );
+    }
+
+    const { deviceId, timeout = 30_000, toolCall } = (await request.json()) as {
+      deviceId?: string;
+      timeout?: number;
+      toolCall: unknown;
+    };
+    const requestId = crypto.randomUUID();
+
+    // Select target device (specified > first available)
+    const targetWs = deviceId
+      ? sockets.find((ws) => {
+          const att = ws.deserializeAttachment() as DeviceAttachment;
+          return att.deviceId === deviceId;
+        })
+      : sockets[0];
+
+    if (!targetWs) {
+      return Response.json({ error: 'DEVICE_NOT_FOUND', success: false }, { status: 503 });
+    }
+
+    try {
+      const result = await new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+          this.pendingRequests.delete(requestId);
+          reject(new Error('TIMEOUT'));
+        }, timeout);
+
+        this.pendingRequests.set(requestId, { resolve, timer });
+
+        targetWs.send(
+          JSON.stringify({
+            requestId,
+            toolCall,
+            type: 'tool_call_request',
+          }),
+        );
+      });
+
+      return Response.json({ success: true, ...(result as object) });
+    } catch (err) {
+      return Response.json(
+        {
+          content: `工具调用超时（${timeout / 1000}s）`,
+          error: (err as Error).message,
+          success: false,
+        },
+        { status: 504 },
+      );
+    }
+  }
+}
--- a/apps/device-gateway/src/auth.ts
+++ b/apps/device-gateway/src/auth.ts
@@ -0,0 +1,36 @@
+import { importJWK, jwtVerify } from 'jose';
+
+import { Env } from './types';
+
+let cachedKey: CryptoKey | null = null;
+
+async function getPublicKey(env: Env): Promise<CryptoKey> {
+  if (cachedKey) return cachedKey;
+
+  const jwks = JSON.parse(env.JWKS_PUBLIC_KEY);
+  const rsaKey = jwks.keys.find((k: any) => k.alg === 'RS256');
+
+  if (!rsaKey) {
+    throw new Error('No RS256 key found in JWKS_PUBLIC_KEY');
+  }
+
+  cachedKey = (await importJWK(rsaKey, 'RS256')) as CryptoKey;
+  return cachedKey;
+}
+
+export async function verifyDesktopToken(
+  env: Env,
+  token: string,
+): Promise<{ clientId: string; userId: string }> {
+  const publicKey = await getPublicKey(env);
+  const { payload } = await jwtVerify(token, publicKey, {
+    algorithms: ['RS256'],
+  });
+
+  if (!payload.sub) throw new Error('Missing sub claim');
+
+  return {
+    clientId: payload.client_id as string,
+    userId: payload.sub,
+  };
+}
--- a/apps/device-gateway/src/index.ts
+++ b/apps/device-gateway/src/index.ts
@@ -0,0 +1,51 @@
+import { verifyDesktopToken } from './auth';
+import { DeviceGatewayDO } from './DeviceGatewayDO';
+import { Env } from './types';
+
+export { DeviceGatewayDO };
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const url = new URL(request.url);
+
+    // ─── Health check ───
+    if (url.pathname === '/health') {
+      return new Response('OK', { status: 200 });
+    }
+
+    // ─── Desktop WebSocket connection ───
+    if (url.pathname === '/ws') {
+      const token = url.searchParams.get('token');
+      if (!token) return new Response('Missing token', { status: 401 });
+
+      try {
+        const { userId } = await verifyDesktopToken(env, token);
+
+        const id = env.DEVICE_GATEWAY.idFromName(`user:${userId}`);
+        const stub = env.DEVICE_GATEWAY.get(id);
+
+        // Forward WebSocket upgrade to DO
+        const headers = new Headers(request.headers);
+        headers.set('X-User-Id', userId);
+        return stub.fetch(new Request(request, { headers }));
+      } catch {
+        return new Response('Invalid token', { status: 401 });
+      }
+    }
+
+    // ─── Vercel Agent HTTP API ───
+    if (url.pathname.startsWith('/api/device/')) {
+      const authHeader = request.headers.get('Authorization');
+      if (authHeader !== `Bearer ${env.SERVICE_TOKEN}`) {
+        return new Response('Unauthorized', { status: 401 });
+      }
+
+      const body = (await request.clone().json()) as { userId: string };
+      const id = env.DEVICE_GATEWAY.idFromName(`user:${body.userId}`);
+      const stub = env.DEVICE_GATEWAY.get(id);
+      return stub.fetch(request);
+    }
+
+    return new Response('Not Found', { status: 404 });
+  },
+};
--- a/apps/device-gateway/src/types.ts
+++ b/apps/device-gateway/src/types.ts
@@ -0,0 +1,53 @@
+export interface Env {
+  DEVICE_GATEWAY: DurableObjectNamespace;
+  JWKS_PUBLIC_KEY: string;
+  SERVICE_TOKEN: string;
+}
+
+// ─── Device Info ───
+
+export interface DeviceAttachment {
+  connectedAt: number;
+  deviceId: string;
+  hostname: string;
+  platform: string;
+}
+
+// ─── WebSocket Protocol Messages ───
+
+// Desktop → CF
+export interface HeartbeatMessage {
+  type: 'heartbeat';
+}
+
+export interface ToolCallResponseMessage {
+  requestId: string;
+  result: {
+    content: string;
+    error?: string;
+    success: boolean;
+  };
+  type: 'tool_call_response';
+}
+
+// CF → Desktop
+export interface HeartbeatAckMessage {
+  type: 'heartbeat_ack';
+}
+
+export interface AuthExpiredMessage {
+  type: 'auth_expired';
+}
+
+export interface ToolCallRequestMessage {
+  requestId: string;
+  toolCall: {
+    apiName: string;
+    arguments: string;
+    identifier: string;
+  };
+  type: 'tool_call_request';
+}
+
+export type ClientMessage = HeartbeatMessage | ToolCallResponseMessage;
+export type ServerMessage = AuthExpiredMessage | HeartbeatAckMessage | ToolCallRequestMessage;
--- a/apps/device-gateway/tsconfig.json
+++ b/apps/device-gateway/tsconfig.json
@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ESNext"],
+    "types": ["@cloudflare/workers-types"],
+    "strict": true,
+    "noEmit": true,
+    "skipLibCheck": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true
+  },
+  "include": ["src"]
+}
--- a/apps/device-gateway/wrangler.toml
+++ b/apps/device-gateway/wrangler.toml
@@ -0,0 +1,16 @@
+name = "device-gateway"
+main = "src/index.ts"
+compatibility_date = "2025-01-01"
+
+[durable_objects]
+bindings = [
+  { name = "DEVICE_GATEWAY", class_name = "DeviceGatewayDO" }
+]
+
+[[migrations]]
+tag = "v1"
+new_classes = ["DeviceGatewayDO"]
+
+# Secrets (injected via `wrangler secret put`):
+# - JWKS_PUBLIC_KEY: RS256 public key JSON (extracted from JWKS_KEY)
+# - SERVICE_TOKEN: Vercel → CF service-to-service auth secret