kumiho-construct 2026.5.11

Construct — memory-native AI agent runtime powered by Kumiho
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525

//! REST API handlers for auth-profile dropdown surface.
//!
//! Two endpoints:
//!   - `GET /api/auth/profiles` — bearer-auth — lists profile metadata
//!     for the editor dropdown. **Token bytes never appear in the response.**
//!   - `POST /api/auth/profiles/{id}/resolve` — service-token-auth —
//!     decrypts and returns the bound credential for a single profile.
//!     Used only by the operator-mcp runtime at step-execution time.
//!
//! The actual encryption + storage lives in `crate::auth::profiles::AuthProfilesStore`
//! (ChaCha20-Poly1305 AEAD via `crate::security::SecretStore`). This module is a
//! thin readonly view over that store.

use super::AppState;
use super::api::require_auth;
use super::client_key_from_request;
use crate::auth::profiles::{AuthProfile, AuthProfileKind, profile_id};
use axum::{
    extract::{ConnectInfo, Path, State},
    http::{HeaderMap, StatusCode, header},
    response::{IntoResponse, Json},
};
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use std::net::SocketAddr;

const SERVICE_TOKEN_HEADER: &str = "X-Construct-Service-Token";

// ── Response shapes ─────────────────────────────────────────────────────

/// Metadata-only profile summary returned from `GET /api/auth/profiles`.
///
/// **Audit point:** confirm by code-read that this struct contains no token,
/// access_token, refresh_token, id_token, or any other decrypted material —
/// only display metadata + safe lifecycle hints.
#[derive(Serialize, Clone)]
pub struct AuthProfileSummary {
    pub id: String,
    pub provider: String,
    pub profile_name: String,
    /// "oauth" or "token".
    pub kind: String,
    pub account_id: Option<String>,
    pub workspace_id: Option<String>,
    /// OAuth profiles only — used by the editor to show expiry chips.
    pub expires_at: Option<DateTime<Utc>>,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
}

/// Resolved credential — only ever returned from the service-token-gated
/// resolve endpoint. **Never serialized into list responses or YAML.**
#[derive(Serialize)]
pub struct ResolvedAuth {
    pub token: String,
    /// "oauth" or "token".
    pub kind: String,
    pub provider: String,
    pub profile_name: String,
    pub expires_at: Option<DateTime<Utc>>,
}

// ── List handler ────────────────────────────────────────────────────────

/// `GET /api/auth/profiles` — bearer-auth, metadata-only listing.
pub async fn handle_list_auth_profiles(
    State(state): State<AppState>,
    headers: HeaderMap,
) -> impl IntoResponse {
    if let Err(e) = require_auth(&state, &headers) {
        return e.into_response();
    }

    let Some(store) = state.auth_profiles.as_ref() else {
        // Auth profile store not configured — return empty list rather than 500.
        return Json(serde_json::json!({ "profiles": [] })).into_response();
    };

    let data = match store.load().await {
        Ok(d) => d,
        Err(err) => {
            tracing::warn!(error = %err, "auth-profiles list failed");
            return (
                StatusCode::INTERNAL_SERVER_ERROR,
                Json(serde_json::json!({ "error": "Failed to load auth profiles" })),
            )
                .into_response();
        }
    };

    let mut profiles: Vec<AuthProfileSummary> = data
        .profiles
        .into_values()
        .map(|p| AuthProfileSummary {
            id: p.id,
            provider: p.provider,
            profile_name: p.profile_name,
            kind: match p.kind {
                AuthProfileKind::OAuth => "oauth".to_string(),
                AuthProfileKind::Token => "token".to_string(),
            },
            account_id: p.account_id,
            workspace_id: p.workspace_id,
            expires_at: p.token_set.as_ref().and_then(|t| t.expires_at),
            created_at: p.created_at,
            updated_at: p.updated_at,
        })
        .collect();
    profiles.sort_by(|a, b| {
        a.provider
            .cmp(&b.provider)
            .then_with(|| a.profile_name.cmp(&b.profile_name))
    });

    Json(serde_json::json!({ "profiles": profiles })).into_response()
}

// ── Create handler ──────────────────────────────────────────────────────

/// Body for `POST /api/auth/profiles`. Only static-token / API-key flows
/// are supported here — OAuth profiles must be created through the existing
/// /config flow that drives the gateway's interactive consent dance.
#[derive(Deserialize)]
pub struct CreateAuthProfileBody {
    pub provider: String,
    pub profile_name: String,
    /// Raw bearer / API key. Encrypted by the store before being persisted.
    pub token: String,
    #[serde(default)]
    pub account_id: Option<String>,
    /// Defaults to "token". "api_key" is accepted as a synonym; "oauth" is
    /// rejected with 400 because the runtime requires a refresh-token flow.
    #[serde(default)]
    pub kind: Option<String>,
}

/// `POST /api/auth/profiles` — bearer-auth, creates a static-token profile.
///
/// 201 with the new `AuthProfileSummary` on success. 400 for missing
/// fields or unsupported `kind` (e.g. "oauth"). 409 if a profile with the
/// same provider+name already exists. The token is encrypted by the
/// underlying `AuthProfilesStore` before persist; the response never
/// echoes it back.
///
/// Rate-limited via the shared `AuthRateLimiter` (see `auth_rate_limit.rs`,
/// 10 attempts per 60s window per peer IP, then a 5-minute lockout). The
/// 409-on-duplicate response is otherwise a weak `{provider, profile_name}`
/// enumeration oracle. Loopback peers are exempt — the limiter only
/// trusts the socket peer, never `X-Forwarded-For`.
pub async fn handle_create_auth_profile(
    State(state): State<AppState>,
    ConnectInfo(peer_addr): ConnectInfo<SocketAddr>,
    headers: HeaderMap,
    Json(body): Json<CreateAuthProfileBody>,
) -> impl IntoResponse {
    if let Err(e) = require_auth(&state, &headers) {
        return e.into_response();
    }

    // Rate-limit before any work — applies even to authenticated callers
    // because the duplicate-detection response (409) is a side-channel.
    let rate_key =
        client_key_from_request(Some(peer_addr), &headers, state.trust_forwarded_headers);
    let peer_is_loopback = peer_addr.ip().is_loopback();
    if let Err(e) = state
        .auth_limiter
        .check_rate_limit(&rate_key, peer_is_loopback)
    {
        tracing::warn!("auth-profiles create: rate limit exceeded for {rate_key}");
        return (
            StatusCode::TOO_MANY_REQUESTS,
            Json(serde_json::json!({
                "error": format!("Too many create attempts. Try again in {}s.", e.retry_after_secs),
                "retry_after": e.retry_after_secs,
                "code": "auth_profile_rate_limited"
            })),
        )
            .into_response();
    }
    state
        .auth_limiter
        .record_attempt(&rate_key, peer_is_loopback);

    // Trim early so empty-after-trim is treated as missing.
    let provider = body.provider.trim().to_string();
    let profile_name = body.profile_name.trim().to_string();
    let token = body.token.clone();
    let account_id = body.account_id.and_then(|s| {
        let trimmed = s.trim().to_string();
        if trimmed.is_empty() {
            None
        } else {
            Some(trimmed)
        }
    });

    if provider.is_empty() || profile_name.is_empty() {
        return (
            StatusCode::BAD_REQUEST,
            Json(serde_json::json!({
                "error": "provider and profile_name are required",
                "code": "auth_profile_missing_fields"
            })),
        )
            .into_response();
    }

    if token.trim().is_empty() {
        return (
            StatusCode::BAD_REQUEST,
            Json(serde_json::json!({
                "error": "token is required",
                "code": "auth_profile_missing_token"
            })),
        )
            .into_response();
    }

    let kind = body.kind.as_deref().unwrap_or("token").to_ascii_lowercase();
    match kind.as_str() {
        "token" | "api_key" => {}
        "oauth" => {
            return (
                StatusCode::BAD_REQUEST,
                Json(serde_json::json!({
                    "error": "OAuth profiles must be created via the /config flow",
                    "code": "auth_profile_oauth_unsupported"
                })),
            )
                .into_response();
        }
        other => {
            return (
                StatusCode::BAD_REQUEST,
                Json(serde_json::json!({
                    "error": format!("unsupported auth profile kind: {other}"),
                    "code": "auth_profile_invalid_kind"
                })),
            )
                .into_response();
        }
    }

    let Some(store) = state.auth_profiles.as_ref() else {
        return (
            StatusCode::SERVICE_UNAVAILABLE,
            Json(serde_json::json!({
                "error": "auth profile store not configured on this gateway",
                "code": "auth_store_unavailable"
            })),
        )
            .into_response();
    };

    // Conflict check — load existing profiles first, refuse if the id is taken.
    // The store has no separate "create-only" entry point; reusing
    // `upsert_profile` would silently overwrite, so we gate it explicitly.
    let id = profile_id(&provider, &profile_name);
    match store.load().await {
        Ok(data) => {
            if data.profiles.contains_key(&id) {
                return (
                    StatusCode::CONFLICT,
                    Json(serde_json::json!({
                        "error": format!("auth profile already exists: {id}"),
                        "code": "auth_profile_already_exists"
                    })),
                )
                    .into_response();
            }
        }
        Err(err) => {
            tracing::warn!(error = %err, "auth-profiles create: load failed");
            return (
                StatusCode::INTERNAL_SERVER_ERROR,
                Json(serde_json::json!({
                    "error": "Failed to load auth profiles",
                    "code": "auth_store_load_failed"
                })),
            )
                .into_response();
        }
    }

    let mut profile = AuthProfile::new_token(&provider, &profile_name, token);
    profile.account_id = account_id;

    if let Err(err) = store.upsert_profile(profile.clone(), false).await {
        tracing::warn!(error = %err, "auth-profiles create: persist failed");
        return (
            StatusCode::INTERNAL_SERVER_ERROR,
            Json(serde_json::json!({
                "error": "Failed to save auth profile",
                "code": "auth_store_save_failed"
            })),
        )
            .into_response();
    }

    let summary = AuthProfileSummary {
        id: profile.id.clone(),
        provider: profile.provider.clone(),
        profile_name: profile.profile_name.clone(),
        kind: match profile.kind {
            AuthProfileKind::OAuth => "oauth".to_string(),
            AuthProfileKind::Token => "token".to_string(),
        },
        account_id: profile.account_id.clone(),
        workspace_id: profile.workspace_id.clone(),
        // Static-token profiles never carry an expires_at.
        expires_at: None,
        created_at: profile.created_at,
        updated_at: profile.updated_at,
    };

    (StatusCode::CREATED, Json(summary)).into_response()
}

// ── Delete handler ──────────────────────────────────────────────────────

/// `DELETE /api/auth/profiles/{id}` — bearer-auth, removes a stored profile.
///
/// 204 on successful delete, 404 if the profile id doesn't exist. The
/// underlying `AuthProfilesStore::remove_profile` is idempotent on cleared
/// active references — no separate purge call needed.
pub async fn handle_delete_auth_profile(
    State(state): State<AppState>,
    headers: HeaderMap,
    Path(id): Path<String>,
) -> impl IntoResponse {
    if let Err(e) = require_auth(&state, &headers) {
        return e.into_response();
    }

    let Some(store) = state.auth_profiles.as_ref() else {
        return (
            StatusCode::SERVICE_UNAVAILABLE,
            Json(serde_json::json!({
                "error": "auth profile store not configured",
                "code": "auth_store_unavailable"
            })),
        )
            .into_response();
    };

    match store.remove_profile(&id).await {
        Ok(true) => StatusCode::NO_CONTENT.into_response(),
        Ok(false) => (
            StatusCode::NOT_FOUND,
            Json(serde_json::json!({
                "error": format!("auth profile not found: {id}"),
                "code": "auth_profile_not_found"
            })),
        )
            .into_response(),
        Err(err) => {
            tracing::warn!(error = %err, "auth-profile delete failed");
            (
                StatusCode::INTERNAL_SERVER_ERROR,
                Json(serde_json::json!({
                    "error": "Failed to delete auth profile",
                    "code": "auth_store_delete_failed"
                })),
            )
                .into_response()
        }
    }
}

// ── Resolve handler ─────────────────────────────────────────────────────

fn require_service_token(
    state: &AppState,
    headers: &HeaderMap,
) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
    let provided = headers
        .get(SERVICE_TOKEN_HEADER)
        .and_then(|v| v.to_str().ok())
        .unwrap_or("");
    let expected = state.service_token.as_ref();
    if expected.is_empty() {
        return Err((
            StatusCode::SERVICE_UNAVAILABLE,
            Json(serde_json::json!({
                "error": "service token not configured on this gateway"
            })),
        ));
    }
    // Constant-time compare to dodge timing oracles even though both bytes
    // are local — same posture the rest of the gateway uses for shared secrets.
    if crate::security::pairing::constant_time_eq(provided, expected) {
        Ok(())
    } else {
        Err((
            StatusCode::UNAUTHORIZED,
            Json(serde_json::json!({
                "error": "missing or invalid X-Construct-Service-Token header"
            })),
        ))
    }
}

/// `POST /api/auth/profiles/{id}/resolve` — service-token only.
///
/// Loads the named profile, returns the decrypted credential. 404 if the
/// profile doesn't exist; 410 Gone for OAuth profiles whose `expires_at` is
/// in the past (the runtime should fail the step rather than silently send
/// a stale token).
pub async fn handle_resolve_auth_profile(
    State(state): State<AppState>,
    headers: HeaderMap,
    Path(id): Path<String>,
) -> impl IntoResponse {
    if let Err(e) = require_service_token(&state, &headers) {
        return e.into_response();
    }

    let Some(store) = state.auth_profiles.as_ref() else {
        return (
            StatusCode::SERVICE_UNAVAILABLE,
            Json(serde_json::json!({
                "error": "auth profile store not configured",
                "code": "auth_store_unavailable"
            })),
        )
            .into_response();
    };

    let data = match store.load().await {
        Ok(d) => d,
        Err(err) => {
            tracing::warn!(error = %err, "auth-profile resolve: load failed");
            return (
                StatusCode::INTERNAL_SERVER_ERROR,
                Json(serde_json::json!({
                    "error": "Failed to load auth profiles",
                    "code": "auth_store_load_failed"
                })),
            )
                .into_response();
        }
    };

    let Some(profile) = data.profiles.get(&id) else {
        return (
            StatusCode::NOT_FOUND,
            Json(serde_json::json!({
                "error": format!("auth profile not found: {id}"),
                "code": "auth_profile_not_found"
            })),
        )
            .into_response();
    };

    match profile.kind {
        AuthProfileKind::Token => {
            let token = profile
                .token
                .clone()
                .filter(|t| !t.trim().is_empty())
                .unwrap_or_default();
            if token.is_empty() {
                return (
                    StatusCode::GONE,
                    Json(serde_json::json!({
                        "error": "auth profile is empty",
                        "code": "auth_profile_empty"
                    })),
                )
                    .into_response();
            }
            // Avoid the X-Construct-Service-Token bouncing back into proxies'
            // shared cache layers.
            let mut resp = Json(ResolvedAuth {
                token,
                kind: "token".into(),
                provider: profile.provider.clone(),
                profile_name: profile.profile_name.clone(),
                expires_at: None,
            })
            .into_response();
            resp.headers_mut()
                .insert(header::CACHE_CONTROL, "no-store".parse().unwrap());
            resp
        }
        AuthProfileKind::OAuth => {
            let Some(token_set) = profile.token_set.as_ref() else {
                return (
                    StatusCode::GONE,
                    Json(serde_json::json!({
                        "error": "OAuth profile missing token_set",
                        "code": "auth_profile_missing_tokens"
                    })),
                )
                    .into_response();
            };
            // Already-expired? 410 Gone — the runtime should classify this as
            // auth_resolve_failed with the structured reason.
            if let Some(expires_at) = token_set.expires_at {
                if expires_at <= Utc::now() {
                    return (
                        StatusCode::GONE,
                        Json(serde_json::json!({
                            "error": "OAuth profile expired",
                            "code": "auth_profile_expired",
                            "expired_at": expires_at,
                        })),
                    )
                        .into_response();
                }
            }
            let mut resp = Json(ResolvedAuth {
                token: token_set.access_token.clone(),
                kind: "oauth".into(),
                provider: profile.provider.clone(),
                profile_name: profile.profile_name.clone(),
                expires_at: token_set.expires_at,
            })
            .into_response();
            resp.headers_mut()
                .insert(header::CACHE_CONTROL, "no-store".parse().unwrap());
            resp
        }
    }
}