diff --git a/packages/backend/convex/agentJobs.ts b/packages/backend/convex/agentJobs.ts index eca649b..0572de4 100644 --- a/packages/backend/convex/agentJobs.ts +++ b/packages/backend/convex/agentJobs.ts @@ -1074,6 +1074,65 @@ export const claimNextInternal = internalMutation({ secrets.push(secret); } } + const ownedProfile = + aiProviderProfile?.ownerId === job.ownerId && aiProviderProfile.enabled + ? aiProviderProfile + : null; + const failClaim = async (reason: string) => { + const failedAt = Date.now(); + await ctx.db.patch(job._id, { + status: 'failed', + error: reason, + completedAt: failedAt, + updatedAt: failedAt, + }); + await ctx.db.patch(job.agentRequestId, { + status: 'failed', + updatedAt: failedAt, + }); + if (job.threadId) { + await ctx.db.patch(job.threadId, { + status: 'failed', + updatedAt: failedAt, + resolvedAt: failedAt, + }); + } + await ctx.db.insert('agentJobEvents', { + jobId: job._id, + spoonId: job.spoonId, + ownerId: job.ownerId, + level: 'error', + phase: 'queued', + message: `Job could not be claimed: ${reason}`, + createdAt: failedAt, + }); + }; + if (!spoon) { + await failClaim('The Spoon for this job no longer exists.'); + return null; + } + if (!ownedProfile) { + await failClaim( + 'AI is not configured for this user. Add an AI provider in settings.', + ); + return null; + } + if (ownedProfile.authType !== 'none' && !ownedProfile.encryptedSecret) { + await failClaim('Selected AI provider is missing credentials.'); + return null; + } + if (agentSettings && !agentSettings.enabled) { + await failClaim('Agent jobs are disabled for this Spoon.'); + return null; + } + if ((job.runtime ?? 'opencode') !== 'opencode') { + await failClaim('Legacy OpenAI direct jobs are no longer supported.'); + return null; + } + if (secrets.length !== job.selectedSecretIds.length) { + await failClaim('Selected secrets must belong to this Spoon.'); + return null; + } const now = Date.now(); await ctx.db.patch(job._id, { status: 'claimed', @@ -1098,8 +1157,7 @@ export const claimNextInternal = internalMutation({ job: { ...job, status: 'claimed' as const, claimedBy: workerId }, spoon, aiSettings, - aiProviderProfile: - aiProviderProfile?.ownerId === job.ownerId ? aiProviderProfile : null, + aiProviderProfile: ownedProfile, agentSettings, secrets, }; diff --git a/packages/backend/convex/agentJobsNode.ts b/packages/backend/convex/agentJobsNode.ts index eef3810..4c36a0a 100644 --- a/packages/backend/convex/agentJobsNode.ts +++ b/packages/backend/convex/agentJobsNode.ts @@ -1,6 +1,6 @@ 'use node'; -import { ConvexError, v } from 'convex/values'; +import { v } from 'convex/values'; import type { Doc } from './_generated/dataModel'; import { internal } from './_generated/api'; @@ -56,20 +56,7 @@ export const claimNextForWorker = action({ }, )) as ClaimedJob | null; if (!claimed) return null; - if (!claimed.spoon) { - throw new ConvexError('Claimed job points at a missing Spoon.'); - } - if (!claimed.aiProviderProfile) { - throw new ConvexError( - 'AI is not configured for this user. Add an AI provider in settings.', - ); - } - if ( - claimed.aiProviderProfile.authType !== 'none' && - !claimed.aiProviderProfile.encryptedSecret - ) { - throw new ConvexError('Selected AI provider is missing credentials.'); - } + if (!claimed.spoon || !claimed.aiProviderProfile) return null; const profile = claimed.aiProviderProfile; return { job: claimed.job, diff --git a/packages/backend/tests/unit/claim-validation.test.ts b/packages/backend/tests/unit/claim-validation.test.ts new file mode 100644 index 0000000..8d2f461 --- /dev/null +++ b/packages/backend/tests/unit/claim-validation.test.ts @@ -0,0 +1,219 @@ +import { convexTest } from 'convex-test'; +import { describe, expect, test } from 'vitest'; + +import type { Id } from '../../convex/_generated/dataModel.js'; +import { internal } from '../../convex/_generated/api.js'; +import schema from '../../convex/schema'; + +const modules = import.meta.glob('../../convex/**/*.*s'); + +type SeedOptions = { + profile?: 'valid' | 'disabled' | 'missing-credentials' | 'none'; + settingsEnabled?: boolean; + runtime?: 'opencode' | 'openai_direct'; + secret?: 'valid' | 'foreign'; +}; + +const seedQueuedJob = async ( + t: ReturnType, + options: SeedOptions = {}, +) => + await t.mutation(async (ctx) => { + const now = Date.now(); + const ownerId = await ctx.db.insert('users', { + email: 'owner@example.com', + name: 'Owner', + }); + const spoonId = await ctx.db.insert('spoons', { + ownerId, + name: 'Editor Spoon', + provider: 'github', + upstreamOwner: 'upstream', + upstreamRepo: 'editor', + upstreamDefaultBranch: 'main', + upstreamUrl: 'https://github.com/upstream/editor', + forkOwner: 'team', + forkRepo: 'editor-spoon', + forkUrl: 'https://github.com/team/editor-spoon', + visibility: 'private', + maintenanceMode: 'watch', + syncCadence: 'daily', + productionRefStrategy: 'default_branch', + status: 'active', + createdAt: now, + updatedAt: now, + }); + await ctx.db.insert('spoonAgentSettings', { + spoonId, + ownerId, + enabled: options.settingsEnabled ?? true, + runtime: 'opencode', + defaultBaseBranch: 'main', + branchPrefix: 'spoon/', + agentModel: 'gpt-5.1-codex', + reasoningEffort: 'medium', + maxJobDurationMs: 60_000, + maxOutputBytes: 1_000_000, + createdAt: now, + updatedAt: now, + }); + const profileKind = options.profile ?? 'none'; + const aiProviderProfileId = + profileKind === 'none' + ? undefined + : await ctx.db.insert('aiProviderProfiles', { + ownerId, + name: 'Test provider', + provider: 'openai', + authType: + profileKind === 'missing-credentials' ? 'api_key' : 'none', + defaultModel: 'gpt-5.1-codex', + modelOptions: ['gpt-5.1-codex'], + reasoningEffort: 'medium', + enabled: profileKind !== 'disabled', + createdAt: now, + updatedAt: now, + }); + const selectedSecretIds: Id<'spoonSecrets'>[] = []; + if (options.secret) { + const secretOwnerId = + options.secret === 'foreign' + ? await ctx.db.insert('users', { + email: 'other@example.com', + name: 'Other', + }) + : ownerId; + selectedSecretIds.push( + await ctx.db.insert('spoonSecrets', { + spoonId, + ownerId: secretOwnerId, + name: 'TOKEN', + encryptedValue: 'encrypted', + createdAt: now, + updatedAt: now, + }), + ); + } + const requestId = await ctx.db.insert('agentRequests', { + spoonId, + ownerId, + prompt: 'Fix the editor', + status: 'queued', + createdAt: now, + updatedAt: now, + }); + const jobId = await ctx.db.insert('agentJobs', { + spoonId, + ownerId, + agentRequestId: requestId, + status: 'queued', + prompt: 'Fix the editor', + runtime: options.runtime ?? 'opencode', + workspaceStatus: 'not_started', + baseBranch: 'main', + workBranch: 'spoon/fix-editor', + forkOwner: 'team', + forkRepo: 'editor-spoon', + forkUrl: 'https://github.com/team/editor-spoon', + upstreamOwner: 'upstream', + upstreamRepo: 'editor', + selectedSecretIds, + aiProviderProfileId, + model: 'gpt-5.1-codex', + reasoningEffort: 'medium', + createdAt: now, + updatedAt: now, + }); + await ctx.db.patch(requestId, { agentJobId: jobId }); + return { jobId, requestId, spoonId }; + }); + +const expectFailedClaim = async ( + t: ReturnType, + jobId: Id<'agentJobs'>, +) => { + const result = await t.mutation(internal.agentJobs.claimNextInternal, { + workerId: 'w1', + }); + expect(result).toBeNull(); + const job = await t.run(async (ctx) => await ctx.db.get(jobId)); + expect(job?.status).toBe('failed'); + expect(job?.error).toBeTruthy(); +}; + +describe('claimNextInternal validation', () => { + test('fails a queued job when its owner has no configured profile', async () => { + const t = convexTest(schema, modules); + const { jobId } = await seedQueuedJob(t); + + await expectFailedClaim(t, jobId); + }); + + test('claims a fully valid queued job', async () => { + const t = convexTest(schema, modules); + const { jobId } = await seedQueuedJob(t, { profile: 'valid' }); + + const result = await t.mutation(internal.agentJobs.claimNextInternal, { + workerId: 'w1', + }); + const job = await t.run(async (ctx) => await ctx.db.get(jobId)); + + expect(result).not.toBeNull(); + expect(result?.aiProviderProfile?.enabled).toBe(true); + expect(job?.status).toBe('claimed'); + }); + + test('fails a queued job when its profile is disabled', async () => { + const t = convexTest(schema, modules); + const { jobId } = await seedQueuedJob(t, { profile: 'disabled' }); + + await expectFailedClaim(t, jobId); + }); + + test('fails a queued job when its profile is missing credentials', async () => { + const t = convexTest(schema, modules); + const { jobId } = await seedQueuedJob(t, { + profile: 'missing-credentials', + }); + + await expectFailedClaim(t, jobId); + }); + + test('fails a queued job when Spoon agent jobs are disabled', async () => { + const t = convexTest(schema, modules); + const { jobId } = await seedQueuedJob(t, { + profile: 'valid', + settingsEnabled: false, + }); + + await expectFailedClaim(t, jobId); + }); + + test('fails a queued job with an unsupported legacy runtime', async () => { + const t = convexTest(schema, modules); + const { jobId } = await seedQueuedJob(t, { + profile: 'valid', + runtime: 'openai_direct', + }); + + await expectFailedClaim(t, jobId); + }); + + test('fails a queued job with a secret owned by another user', async () => { + const t = convexTest(schema, modules); + const { jobId } = await seedQueuedJob(t, { + profile: 'valid', + secret: 'foreign', + }); + + await expectFailedClaim(t, jobId); + }); + + test('fails a queued job whose Spoon was deleted', async () => { + const t = convexTest(schema, modules); + const { jobId, spoonId } = await seedQueuedJob(t, { profile: 'valid' }); + await t.mutation(async (ctx) => await ctx.db.delete(spoonId)); + + await expectFailedClaim(t, jobId); + }); +});