fix(agent-jobs): validate claims before claiming

This commit is contained in:
Gabriel Brown
2026-07-10 17:26:17 -04:00
parent 926008fd3a
commit cf45404b7d
3 changed files with 281 additions and 17 deletions
+60 -2
View File
@@ -1074,6 +1074,65 @@ export const claimNextInternal = internalMutation({
secrets.push(secret); secrets.push(secret);
} }
} }
const ownedProfile =
aiProviderProfile?.ownerId === job.ownerId && aiProviderProfile.enabled
? aiProviderProfile
: null;
const failClaim = async (reason: string) => {
const failedAt = Date.now();
await ctx.db.patch(job._id, {
status: 'failed',
error: reason,
completedAt: failedAt,
updatedAt: failedAt,
});
await ctx.db.patch(job.agentRequestId, {
status: 'failed',
updatedAt: failedAt,
});
if (job.threadId) {
await ctx.db.patch(job.threadId, {
status: 'failed',
updatedAt: failedAt,
resolvedAt: failedAt,
});
}
await ctx.db.insert('agentJobEvents', {
jobId: job._id,
spoonId: job.spoonId,
ownerId: job.ownerId,
level: 'error',
phase: 'queued',
message: `Job could not be claimed: ${reason}`,
createdAt: failedAt,
});
};
if (!spoon) {
await failClaim('The Spoon for this job no longer exists.');
return null;
}
if (!ownedProfile) {
await failClaim(
'AI is not configured for this user. Add an AI provider in settings.',
);
return null;
}
if (ownedProfile.authType !== 'none' && !ownedProfile.encryptedSecret) {
await failClaim('Selected AI provider is missing credentials.');
return null;
}
if (agentSettings && !agentSettings.enabled) {
await failClaim('Agent jobs are disabled for this Spoon.');
return null;
}
if ((job.runtime ?? 'opencode') !== 'opencode') {
await failClaim('Legacy OpenAI direct jobs are no longer supported.');
return null;
}
if (secrets.length !== job.selectedSecretIds.length) {
await failClaim('Selected secrets must belong to this Spoon.');
return null;
}
const now = Date.now(); const now = Date.now();
await ctx.db.patch(job._id, { await ctx.db.patch(job._id, {
status: 'claimed', status: 'claimed',
@@ -1098,8 +1157,7 @@ export const claimNextInternal = internalMutation({
job: { ...job, status: 'claimed' as const, claimedBy: workerId }, job: { ...job, status: 'claimed' as const, claimedBy: workerId },
spoon, spoon,
aiSettings, aiSettings,
aiProviderProfile: aiProviderProfile: ownedProfile,
aiProviderProfile?.ownerId === job.ownerId ? aiProviderProfile : null,
agentSettings, agentSettings,
secrets, secrets,
}; };
+2 -15
View File
@@ -1,6 +1,6 @@
'use node'; 'use node';
import { ConvexError, v } from 'convex/values'; import { v } from 'convex/values';
import type { Doc } from './_generated/dataModel'; import type { Doc } from './_generated/dataModel';
import { internal } from './_generated/api'; import { internal } from './_generated/api';
@@ -56,20 +56,7 @@ export const claimNextForWorker = action({
}, },
)) as ClaimedJob | null; )) as ClaimedJob | null;
if (!claimed) return null; if (!claimed) return null;
if (!claimed.spoon) { if (!claimed.spoon || !claimed.aiProviderProfile) return null;
throw new ConvexError('Claimed job points at a missing Spoon.');
}
if (!claimed.aiProviderProfile) {
throw new ConvexError(
'AI is not configured for this user. Add an AI provider in settings.',
);
}
if (
claimed.aiProviderProfile.authType !== 'none' &&
!claimed.aiProviderProfile.encryptedSecret
) {
throw new ConvexError('Selected AI provider is missing credentials.');
}
const profile = claimed.aiProviderProfile; const profile = claimed.aiProviderProfile;
return { return {
job: claimed.job, job: claimed.job,
@@ -0,0 +1,219 @@
import { convexTest } from 'convex-test';
import { describe, expect, test } from 'vitest';
import type { Id } from '../../convex/_generated/dataModel.js';
import { internal } from '../../convex/_generated/api.js';
import schema from '../../convex/schema';
const modules = import.meta.glob('../../convex/**/*.*s');
type SeedOptions = {
profile?: 'valid' | 'disabled' | 'missing-credentials' | 'none';
settingsEnabled?: boolean;
runtime?: 'opencode' | 'openai_direct';
secret?: 'valid' | 'foreign';
};
const seedQueuedJob = async (
t: ReturnType<typeof convexTest>,
options: SeedOptions = {},
) =>
await t.mutation(async (ctx) => {
const now = Date.now();
const ownerId = await ctx.db.insert('users', {
email: 'owner@example.com',
name: 'Owner',
});
const spoonId = await ctx.db.insert('spoons', {
ownerId,
name: 'Editor Spoon',
provider: 'github',
upstreamOwner: 'upstream',
upstreamRepo: 'editor',
upstreamDefaultBranch: 'main',
upstreamUrl: 'https://github.com/upstream/editor',
forkOwner: 'team',
forkRepo: 'editor-spoon',
forkUrl: 'https://github.com/team/editor-spoon',
visibility: 'private',
maintenanceMode: 'watch',
syncCadence: 'daily',
productionRefStrategy: 'default_branch',
status: 'active',
createdAt: now,
updatedAt: now,
});
await ctx.db.insert('spoonAgentSettings', {
spoonId,
ownerId,
enabled: options.settingsEnabled ?? true,
runtime: 'opencode',
defaultBaseBranch: 'main',
branchPrefix: 'spoon/',
agentModel: 'gpt-5.1-codex',
reasoningEffort: 'medium',
maxJobDurationMs: 60_000,
maxOutputBytes: 1_000_000,
createdAt: now,
updatedAt: now,
});
const profileKind = options.profile ?? 'none';
const aiProviderProfileId =
profileKind === 'none'
? undefined
: await ctx.db.insert('aiProviderProfiles', {
ownerId,
name: 'Test provider',
provider: 'openai',
authType:
profileKind === 'missing-credentials' ? 'api_key' : 'none',
defaultModel: 'gpt-5.1-codex',
modelOptions: ['gpt-5.1-codex'],
reasoningEffort: 'medium',
enabled: profileKind !== 'disabled',
createdAt: now,
updatedAt: now,
});
const selectedSecretIds: Id<'spoonSecrets'>[] = [];
if (options.secret) {
const secretOwnerId =
options.secret === 'foreign'
? await ctx.db.insert('users', {
email: 'other@example.com',
name: 'Other',
})
: ownerId;
selectedSecretIds.push(
await ctx.db.insert('spoonSecrets', {
spoonId,
ownerId: secretOwnerId,
name: 'TOKEN',
encryptedValue: 'encrypted',
createdAt: now,
updatedAt: now,
}),
);
}
const requestId = await ctx.db.insert('agentRequests', {
spoonId,
ownerId,
prompt: 'Fix the editor',
status: 'queued',
createdAt: now,
updatedAt: now,
});
const jobId = await ctx.db.insert('agentJobs', {
spoonId,
ownerId,
agentRequestId: requestId,
status: 'queued',
prompt: 'Fix the editor',
runtime: options.runtime ?? 'opencode',
workspaceStatus: 'not_started',
baseBranch: 'main',
workBranch: 'spoon/fix-editor',
forkOwner: 'team',
forkRepo: 'editor-spoon',
forkUrl: 'https://github.com/team/editor-spoon',
upstreamOwner: 'upstream',
upstreamRepo: 'editor',
selectedSecretIds,
aiProviderProfileId,
model: 'gpt-5.1-codex',
reasoningEffort: 'medium',
createdAt: now,
updatedAt: now,
});
await ctx.db.patch(requestId, { agentJobId: jobId });
return { jobId, requestId, spoonId };
});
const expectFailedClaim = async (
t: ReturnType<typeof convexTest>,
jobId: Id<'agentJobs'>,
) => {
const result = await t.mutation(internal.agentJobs.claimNextInternal, {
workerId: 'w1',
});
expect(result).toBeNull();
const job = await t.run(async (ctx) => await ctx.db.get(jobId));
expect(job?.status).toBe('failed');
expect(job?.error).toBeTruthy();
};
describe('claimNextInternal validation', () => {
test('fails a queued job when its owner has no configured profile', async () => {
const t = convexTest(schema, modules);
const { jobId } = await seedQueuedJob(t);
await expectFailedClaim(t, jobId);
});
test('claims a fully valid queued job', async () => {
const t = convexTest(schema, modules);
const { jobId } = await seedQueuedJob(t, { profile: 'valid' });
const result = await t.mutation(internal.agentJobs.claimNextInternal, {
workerId: 'w1',
});
const job = await t.run(async (ctx) => await ctx.db.get(jobId));
expect(result).not.toBeNull();
expect(result?.aiProviderProfile?.enabled).toBe(true);
expect(job?.status).toBe('claimed');
});
test('fails a queued job when its profile is disabled', async () => {
const t = convexTest(schema, modules);
const { jobId } = await seedQueuedJob(t, { profile: 'disabled' });
await expectFailedClaim(t, jobId);
});
test('fails a queued job when its profile is missing credentials', async () => {
const t = convexTest(schema, modules);
const { jobId } = await seedQueuedJob(t, {
profile: 'missing-credentials',
});
await expectFailedClaim(t, jobId);
});
test('fails a queued job when Spoon agent jobs are disabled', async () => {
const t = convexTest(schema, modules);
const { jobId } = await seedQueuedJob(t, {
profile: 'valid',
settingsEnabled: false,
});
await expectFailedClaim(t, jobId);
});
test('fails a queued job with an unsupported legacy runtime', async () => {
const t = convexTest(schema, modules);
const { jobId } = await seedQueuedJob(t, {
profile: 'valid',
runtime: 'openai_direct',
});
await expectFailedClaim(t, jobId);
});
test('fails a queued job with a secret owned by another user', async () => {
const t = convexTest(schema, modules);
const { jobId } = await seedQueuedJob(t, {
profile: 'valid',
secret: 'foreign',
});
await expectFailedClaim(t, jobId);
});
test('fails a queued job whose Spoon was deleted', async () => {
const t = convexTest(schema, modules);
const { jobId, spoonId } = await seedQueuedJob(t, { profile: 'valid' });
await t.mutation(async (ctx) => await ctx.db.delete(spoonId));
await expectFailedClaim(t, jobId);
});
});