package handler import ( "context" "crypto/rand" "encoding/hex" "encoding/json" "errors" "log/slog" "net/http" "github.com/go-chi/chi/v5" "github.com/jackc/pgx/v5" "github.com/jackc/pgx/v5/pgconn" "github.com/jackc/pgx/v5/pgtype" "github.com/multica-ai/multica/server/internal/analytics" "github.com/multica-ai/multica/server/internal/auth" "github.com/multica-ai/multica/server/internal/daemonws" "github.com/multica-ai/multica/server/internal/events" "github.com/multica-ai/multica/server/internal/middleware" "github.com/multica-ai/multica/server/internal/realtime" "github.com/multica-ai/multica/server/internal/service" "github.com/multica-ai/multica/server/internal/storage" "github.com/multica-ai/multica/server/internal/util" db "github.com/multica-ai/multica/server/pkg/db/generated" ) // randomID returns a random 16-byte hex string used as a request ID for // in-memory stores (model list, local skills, CLI update, etc.). func randomID() string { b := make([]byte, 16) rand.Read(b) return hex.EncodeToString(b) } type txStarter interface { Begin(ctx context.Context) (pgx.Tx, error) } type dbExecutor interface { Exec(ctx context.Context, sql string, arguments ...any) (pgconn.CommandTag, error) Query(ctx context.Context, sql string, args ...any) (pgx.Rows, error) QueryRow(ctx context.Context, sql string, args ...any) pgx.Row } type Config struct { AllowSignup bool AllowedEmails []string AllowedEmailDomains []string // UseDailyRollupForRuntimeUsage routes ListRuntimeUsage to the // task_usage_daily rollup table when true. Default false: the read // path stays on the raw task_usage stream so rollup-related issues // (pg_cron not running, backfill not yet performed, watermark stuck) // can never make the dashboard return empty/stale data. Operators // flip this on per environment AFTER: // 1) migrations 072..076 applied, // 2) backfill_task_usage_daily ran successfully, // 3) cron job scheduled and task_usage_rollup_lag_seconds() < 900. UseDailyRollupForRuntimeUsage bool } type Handler struct { Queries *db.Queries DB dbExecutor TxStarter txStarter Hub *realtime.Hub DaemonHub *daemonws.Hub Bus *events.Bus TaskService *service.TaskService AutopilotService *service.AutopilotService EmailService *service.EmailService UpdateStore UpdateStore ModelListStore ModelListStore LocalSkillListStore LocalSkillListStore LocalSkillImportStore LocalSkillImportStore LivenessStore LivenessStore HeartbeatScheduler HeartbeatScheduler Storage storage.Storage CFSigner *auth.CloudFrontSigner Analytics analytics.Client PATCache *auth.PATCache DaemonTokenCache *auth.DaemonTokenCache cfg Config } func New(queries *db.Queries, txStarter txStarter, hub *realtime.Hub, bus *events.Bus, emailService *service.EmailService, store storage.Storage, cfSigner *auth.CloudFrontSigner, analyticsClient analytics.Client, cfg Config, daemonHubs ...*daemonws.Hub) *Handler { var executor dbExecutor if candidate, ok := txStarter.(dbExecutor); ok { executor = candidate } if analyticsClient == nil { analyticsClient = analytics.NoopClient{} } var daemonHub *daemonws.Hub if len(daemonHubs) > 0 { daemonHub = daemonHubs[0] } taskSvc := service.NewTaskService(queries, txStarter, hub, bus, daemonHub) return &Handler{ Queries: queries, DB: executor, TxStarter: txStarter, Hub: hub, DaemonHub: daemonHub, Bus: bus, TaskService: taskSvc, AutopilotService: service.NewAutopilotService(queries, txStarter, bus, taskSvc), EmailService: emailService, UpdateStore: NewInMemoryUpdateStore(), ModelListStore: NewInMemoryModelListStore(), LocalSkillListStore: NewInMemoryLocalSkillListStore(), LocalSkillImportStore: NewInMemoryLocalSkillImportStore(), LivenessStore: NewNoopLivenessStore(), HeartbeatScheduler: NewPassthroughHeartbeatScheduler(queries), Storage: store, CFSigner: cfSigner, Analytics: analyticsClient, cfg: cfg, } } func writeJSON(w http.ResponseWriter, status int, v any) { w.Header().Set("Content-Type", "application/json") w.WriteHeader(status) json.NewEncoder(w).Encode(v) } func writeError(w http.ResponseWriter, status int, msg string) { writeJSON(w, status, map[string]string{"error": msg}) } // Thin wrappers around util functions. // // parseUUID is intentionally the panicking variant: any handler call site // reachable here is expected to feed a UUID that is either (a) a sqlc round-trip // of a DB-sourced value, or (b) a raw request input that has already been // validated upstream. A panic here means an unguarded user-input string slipped // in — that is a real bug we want surfaced loudly (chi's middleware.Recoverer // converts it to a 500) instead of silently corrupting data via a zero UUID. // // For unvalidated user input at request boundaries, use parseUUIDOrBadRequest // (writes 400) — never feed raw chi.URLParam / request-body strings into // parseUUID directly when the call writes to the database. func parseUUID(s string) pgtype.UUID { return util.MustParseUUID(s) } func uuidToString(u pgtype.UUID) string { return util.UUIDToString(u) } func textToPtr(t pgtype.Text) *string { return util.TextToPtr(t) } func ptrToText(s *string) pgtype.Text { return util.PtrToText(s) } func strToText(s string) pgtype.Text { return util.StrToText(s) } func timestampToString(t pgtype.Timestamptz) string { return util.TimestampToString(t) } func timestampToPtr(t pgtype.Timestamptz) *string { return util.TimestampToPtr(t) } func uuidToPtr(u pgtype.UUID) *string { return util.UUIDToPtr(u) } func int8ToPtr(v pgtype.Int8) *int64 { return util.Int8ToPtr(v) } // parseUUIDOrBadRequest validates a UUID string sourced from user input // (URL params, request body, headers). On invalid input it writes a 400 // response and returns ok=false; callers must return immediately. // // Use this anywhere a malformed UUID would otherwise reach a write query // (DELETE / UPDATE) — the silent zero-UUID behavior of the old ParseUUID // caused real silent-data-loss bugs (#1661). func parseUUIDOrBadRequest(w http.ResponseWriter, s, fieldName string) (pgtype.UUID, bool) { u, err := util.ParseUUID(s) if err != nil { writeError(w, http.StatusBadRequest, "invalid "+fieldName) return pgtype.UUID{}, false } return u, true } func parseUUIDSliceOrBadRequest(w http.ResponseWriter, ids []string, fieldName string) ([]pgtype.UUID, bool) { uuids := make([]pgtype.UUID, len(ids)) for i, id := range ids { u, err := util.ParseUUID(id) if err != nil { writeError(w, http.StatusBadRequest, "invalid "+fieldName) return nil, false } uuids[i] = u } return uuids, true } // publish sends a domain event through the event bus. func (h *Handler) publish(eventType, workspaceID, actorType, actorID string, payload any) { h.Bus.Publish(events.Event{ Type: eventType, WorkspaceID: workspaceID, ActorType: actorType, ActorID: actorID, Payload: payload, }) } // publishTask is publish() plus a TaskID hint so the realtime layer can route // the event to the per-task scope rather than the whole workspace. func (h *Handler) publishTask(eventType, workspaceID, actorType, actorID, taskID string, payload any) { h.Bus.Publish(events.Event{ Type: eventType, WorkspaceID: workspaceID, ActorType: actorType, ActorID: actorID, TaskID: taskID, Payload: payload, }) } // publishChat is publish() plus a ChatSessionID hint so the realtime layer // can route the event to the per-chat-session scope. func (h *Handler) publishChat(eventType, workspaceID, actorType, actorID, chatSessionID string, payload any) { h.Bus.Publish(events.Event{ Type: eventType, WorkspaceID: workspaceID, ActorType: actorType, ActorID: actorID, ChatSessionID: chatSessionID, Payload: payload, }) } func isNotFound(err error) bool { return errors.Is(err, pgx.ErrNoRows) } func isUniqueViolation(err error) bool { var pgErr *pgconn.PgError return errors.As(err, &pgErr) && pgErr.Code == "23505" } func requestUserID(r *http.Request) string { return r.Header.Get("X-User-ID") } // resolveActor determines whether the request is from an agent or a human member. // If X-Agent-ID and X-Task-ID headers are both set, validates that the task // belongs to the claimed agent (defense-in-depth against manual header spoofing). // If only X-Agent-ID is set, validates that the agent belongs to the workspace. // Returns ("agent", agentID) on success, ("member", userID) otherwise. func (h *Handler) resolveActor(r *http.Request, userID, workspaceID string) (actorType, actorID string) { agentID := r.Header.Get("X-Agent-ID") if agentID == "" { return "member", userID } agentUUID, err := util.ParseUUID(agentID) if err != nil { slog.Debug("resolveActor: X-Agent-ID is not a valid UUID, falling back to member", "agent_id", agentID) return "member", userID } // Validate the agent exists in the target workspace. agent, err := h.Queries.GetAgent(r.Context(), agentUUID) if err != nil || uuidToString(agent.WorkspaceID) != workspaceID { slog.Debug("resolveActor: X-Agent-ID rejected, agent not found or workspace mismatch", "agent_id", agentID, "workspace_id", workspaceID) return "member", userID } // When X-Task-ID is provided, cross-check that the task belongs to this agent. if taskID := r.Header.Get("X-Task-ID"); taskID != "" { taskUUID, err := util.ParseUUID(taskID) if err != nil { slog.Debug("resolveActor: X-Task-ID is not a valid UUID, falling back to member", "task_id", taskID) return "member", userID } task, err := h.Queries.GetAgentTask(r.Context(), taskUUID) if err != nil || uuidToString(task.AgentID) != agentID { slog.Debug("resolveActor: X-Task-ID rejected, task not found or agent mismatch", "agent_id", agentID, "task_id", taskID) return "member", userID } } return "agent", agentID } func requireUserID(w http.ResponseWriter, r *http.Request) (string, bool) { userID := requestUserID(r) if userID == "" { writeError(w, http.StatusUnauthorized, "user not authenticated") return "", false } return userID, true } // resolveWorkspaceID returns the workspace UUID for this request. Delegates // to middleware.ResolveWorkspaceIDFromRequest so middleware-protected routes // and middleware-less routes (e.g. /api/upload-file) share identical // resolution behavior — including slug → UUID translation via the DB. // // Returns "" when no workspace identifier was provided or a slug was provided // but doesn't match any workspace. func (h *Handler) resolveWorkspaceID(r *http.Request) string { return middleware.ResolveWorkspaceIDFromRequest(r, h.Queries) } // ctxMember returns the workspace member from context (set by workspace middleware). func ctxMember(ctx context.Context) (db.Member, bool) { return middleware.MemberFromContext(ctx) } // ctxWorkspaceID returns the workspace ID from context (set by workspace middleware). func ctxWorkspaceID(ctx context.Context) string { return middleware.WorkspaceIDFromContext(ctx) } // workspaceIDFromURL returns the workspace ID from context (preferred) or chi URL param (fallback). func workspaceIDFromURL(r *http.Request, param string) string { if id := middleware.WorkspaceIDFromContext(r.Context()); id != "" { return id } return chi.URLParam(r, param) } // workspaceMember returns the member from middleware context, or falls back to a DB // lookup when the handler is called directly (e.g. in tests). func (h *Handler) workspaceMember(w http.ResponseWriter, r *http.Request, workspaceID string) (db.Member, bool) { if m, ok := ctxMember(r.Context()); ok { return m, true } return h.requireWorkspaceMember(w, r, workspaceID, "workspace not found") } func roleAllowed(role string, roles ...string) bool { for _, candidate := range roles { if role == candidate { return true } } return false } func countOwners(members []db.Member) int { owners := 0 for _, member := range members { if member.Role == "owner" { owners++ } } return owners } func (h *Handler) getWorkspaceMember(ctx context.Context, userID, workspaceID string) (db.Member, error) { userUUID, err := util.ParseUUID(userID) if err != nil { return db.Member{}, err } wsUUID, err := util.ParseUUID(workspaceID) if err != nil { return db.Member{}, err } return h.Queries.GetMemberByUserAndWorkspace(ctx, db.GetMemberByUserAndWorkspaceParams{ UserID: userUUID, WorkspaceID: wsUUID, }) } func (h *Handler) requireWorkspaceMember(w http.ResponseWriter, r *http.Request, workspaceID, notFoundMsg string) (db.Member, bool) { if workspaceID == "" { writeError(w, http.StatusBadRequest, "workspace_id is required") return db.Member{}, false } userID, ok := requireUserID(w, r) if !ok { return db.Member{}, false } member, err := h.getWorkspaceMember(r.Context(), userID, workspaceID) if err != nil { writeError(w, http.StatusNotFound, notFoundMsg) return db.Member{}, false } return member, true } func (h *Handler) requireWorkspaceRole(w http.ResponseWriter, r *http.Request, workspaceID, notFoundMsg string, roles ...string) (db.Member, bool) { member, ok := h.requireWorkspaceMember(w, r, workspaceID, notFoundMsg) if !ok { return db.Member{}, false } if !roleAllowed(member.Role, roles...) { writeError(w, http.StatusForbidden, "insufficient permissions") return db.Member{}, false } return member, true } // isWorkspaceEntity checks whether a user_id belongs to the given workspace, // as either a member or an agent depending on userType. func (h *Handler) isWorkspaceEntity(ctx context.Context, userType, userID, workspaceID string) bool { switch userType { case "member": _, err := h.getWorkspaceMember(ctx, userID, workspaceID) return err == nil case "agent": userUUID, err := util.ParseUUID(userID) if err != nil { return false } wsUUID, err := util.ParseUUID(workspaceID) if err != nil { return false } _, err = h.Queries.GetAgentInWorkspace(ctx, db.GetAgentInWorkspaceParams{ ID: userUUID, WorkspaceID: wsUUID, }) return err == nil default: return false } } func (h *Handler) loadIssueForUser(w http.ResponseWriter, r *http.Request, issueID string) (db.Issue, bool) { if _, ok := requireUserID(w, r); !ok { return db.Issue{}, false } workspaceID := h.resolveWorkspaceID(r) if workspaceID == "" { writeError(w, http.StatusBadRequest, "workspace_id is required") return db.Issue{}, false } // Try identifier format first (e.g., "JIA-42"). resolveIssueByIdentifier // silently returns false for non-identifier strings, falling through to // the UUID path below. if issue, ok := h.resolveIssueByIdentifier(r.Context(), issueID, workspaceID); ok { return issue, true } issueUUID, err := util.ParseUUID(issueID) if err != nil { // Not a valid UUID and didn't match identifier format → 404 (consistent // with previous silent-zero behavior, which would also have produced 404). writeError(w, http.StatusNotFound, "issue not found") return db.Issue{}, false } wsUUID, err := util.ParseUUID(workspaceID) if err != nil { writeError(w, http.StatusBadRequest, "invalid workspace_id") return db.Issue{}, false } issue, err := h.Queries.GetIssueInWorkspace(r.Context(), db.GetIssueInWorkspaceParams{ ID: issueUUID, WorkspaceID: wsUUID, }) if err != nil { writeError(w, http.StatusNotFound, "issue not found") return db.Issue{}, false } return issue, true } // resolveIssueByIdentifier tries to look up an issue by "PREFIX-NUMBER" format. func (h *Handler) resolveIssueByIdentifier(ctx context.Context, id, workspaceID string) (db.Issue, bool) { parts := splitIdentifier(id) if parts == nil { return db.Issue{}, false } if workspaceID == "" { return db.Issue{}, false } wsUUID, err := util.ParseUUID(workspaceID) if err != nil { return db.Issue{}, false } issue, err := h.Queries.GetIssueByNumber(ctx, db.GetIssueByNumberParams{ WorkspaceID: wsUUID, Number: parts.number, }) if err != nil { return db.Issue{}, false } return issue, true } type identifierParts struct { prefix string number int32 } func splitIdentifier(id string) *identifierParts { idx := -1 for i := len(id) - 1; i >= 0; i-- { if id[i] == '-' { idx = i break } } if idx <= 0 || idx >= len(id)-1 { return nil } numStr := id[idx+1:] num := 0 for _, c := range numStr { if c < '0' || c > '9' { return nil } num = num*10 + int(c-'0') } if num <= 0 { return nil } return &identifierParts{prefix: id[:idx], number: int32(num)} } // getIssuePrefix fetches the issue_prefix for a workspace. // Falls back to generating a prefix from the workspace name if the stored // prefix is empty (e.g. workspaces created before the prefix was introduced). func (h *Handler) getIssuePrefix(ctx context.Context, workspaceID pgtype.UUID) string { ws, err := h.Queries.GetWorkspace(ctx, workspaceID) if err != nil { return "" } if ws.IssuePrefix != "" { return ws.IssuePrefix } return generateIssuePrefix(ws.Name) } func (h *Handler) loadAgentForUser(w http.ResponseWriter, r *http.Request, agentID string) (db.Agent, bool) { if _, ok := requireUserID(w, r); !ok { return db.Agent{}, false } workspaceID := h.resolveWorkspaceID(r) if workspaceID == "" { writeError(w, http.StatusBadRequest, "workspace_id is required") return db.Agent{}, false } agentUUID, ok := parseUUIDOrBadRequest(w, agentID, "agent id") if !ok { return db.Agent{}, false } wsUUID, ok := parseUUIDOrBadRequest(w, workspaceID, "workspace id") if !ok { return db.Agent{}, false } agent, err := h.Queries.GetAgentInWorkspace(r.Context(), db.GetAgentInWorkspaceParams{ ID: agentUUID, WorkspaceID: wsUUID, }) if err != nil { writeError(w, http.StatusNotFound, "agent not found") return db.Agent{}, false } return agent, true } func (h *Handler) loadInboxItemForUser(w http.ResponseWriter, r *http.Request, itemID string) (db.InboxItem, bool) { userID, ok := requireUserID(w, r) if !ok { return db.InboxItem{}, false } workspaceID := h.resolveWorkspaceID(r) if workspaceID == "" { writeError(w, http.StatusBadRequest, "workspace_id is required") return db.InboxItem{}, false } itemUUID, ok := parseUUIDOrBadRequest(w, itemID, "inbox item id") if !ok { return db.InboxItem{}, false } wsUUID, ok := parseUUIDOrBadRequest(w, workspaceID, "workspace id") if !ok { return db.InboxItem{}, false } item, err := h.Queries.GetInboxItemInWorkspace(r.Context(), db.GetInboxItemInWorkspaceParams{ ID: itemUUID, WorkspaceID: wsUUID, }) if err != nil { writeError(w, http.StatusNotFound, "inbox item not found") return db.InboxItem{}, false } if item.RecipientType != "member" || uuidToString(item.RecipientID) != userID { writeError(w, http.StatusNotFound, "inbox item not found") return db.InboxItem{}, false } return item, true }