xcodeai 2.1.0

Autonomous AI coding agent — zero human intervention, sbox sandboxed, OpenAI-compatible
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402

//! HTTP API server module for xcodeai.
//!
//! This module provides a REST API so that xcodeai can be controlled
//! programmatically — e.g. from 企业微信 (WeChat Work) bots, web UIs, or
//! any HTTP client.
//!
//! Architecture:
//! - `start_server(config, addr)` — builds the axum Router and binds to `addr`
//! - `routes` sub-module — individual handler functions for each endpoint
//! - `AppState` — shared state passed to every handler (session store, etc.)
//!
//! The server intentionally has NO authentication — xcodeai is a single-user
//! local tool.  CORS is enabled so a local web front-end can call the API from
//! a browser without proxy configuration.
//!
//! ## Thread-safety note
//!
//! rusqlite's `Connection` uses `RefCell` internally and is therefore `!Sync`.
//! We wrap `SessionStore` inside `tokio::sync::Mutex` so it can be shared
//! across tokio tasks safely.  Axum's state type must be `Send + Sync + 'static`,
//! so the wrapping is:
//!
//!   `Arc<AppState>` where `AppState { store: Mutex<SessionStore>, ... }`
//!
//! Every handler acquires `.store.lock().await` before touching the DB.
pub mod routes;

use crate::config::Config;
use crate::session::store::SessionStore;
use anyhow::Result;
use axum::Router;
use std::collections::HashSet;
use std::net::SocketAddr;
use std::sync::Arc;
use tokio::sync::Mutex;
use tower_http::cors::CorsLayer;

/// Shared state cloned into every request handler via axum `State<Arc<AppState>>`.
///
/// We keep it behind `Arc` so multiple requests can hold references
/// simultaneously without copying.
pub struct AppState {
    /// Session storage (SQLite-backed).
    ///
    /// Wrapped in `Mutex` because rusqlite's `Connection` is `!Sync`.
    /// Handlers must call `.store.lock().await` before DB operations.
    pub store: Mutex<SessionStore>,
    /// The loaded xcodeai configuration (model, provider URL, etc.).
    pub config: Config,
    /// Set of session IDs that are currently executing an agent loop.
    ///
    /// Used by `POST /sessions/:id/messages` to prevent two concurrent agent
    /// executions on the same session.  The handler inserts the session ID before
    /// spawning the agent and removes it when the agent finishes (or on error).
    /// Returns HTTP 409 Conflict if the session is already active.
    pub active_sessions: Mutex<HashSet<String>>,
}

impl AppState {
    /// Create a new `AppState` using the same database path that the CLI uses.
    pub fn new(config: Config) -> Result<Self> {
        // Derive the DB path the same way AgentContext does so that `xcodeai
        // serve` shares the same session database as the REPL and `run`
        // subcommands.
        let db_path = crate::session::SessionStore::default_path()?;
        let store = SessionStore::new(&db_path)?;
        Ok(Self {
            store: Mutex::new(store),
            config,
            active_sessions: Mutex::new(HashSet::new()),
        })
    }
}

/// Start the HTTP API server and block until it exits.
///
/// # Arguments
/// * `config` — loaded xcodeai config
/// * `addr`   — socket address to listen on (e.g. `0.0.0.0:8080`)
pub async fn start_server(config: Config, addr: SocketAddr) -> Result<()> {
    // Build shared application state.
    let state = Arc::new(AppState::new(config)?);

    // Build the router.
    //   - CORS: wide-open (Access-Control-Allow-Origin: *) so a local browser
    //     UI doesn't need a proxy.  This is fine for a single-user local tool.
    //   - All routes are defined in the `routes` sub-module.
    let app = Router::new()
        .merge(routes::session_router())
        .layer(CorsLayer::permissive())
        .with_state(state);

    // Bind and serve.
    let listener = tokio::net::TcpListener::bind(addr).await?;
    tracing::info!("xcodeai HTTP server listening on {}", addr);
    axum::serve(listener, app).await?;

    Ok(())
}

// ─── Tests ────────────────────────────────────────────────────────────────────

#[cfg(test)]
mod tests {
    use super::*;
    use axum::body::Body;
    use axum::http::{Request, StatusCode};
    use tower::ServiceExt; // for `.oneshot()`

    /// Build an in-memory `AppState` pointing at a temp SQLite database.
    /// This lets tests exercise the full handler stack without a real TCP socket.
    pub fn test_state() -> Arc<AppState> {
        let config = Config::default();
        // Use an in-memory DB so tests don't collide with the user's real sessions.
        let store = SessionStore::new(std::path::Path::new(":memory:")).unwrap();
        Arc::new(AppState {
            store: Mutex::new(store),
            config,
            active_sessions: Mutex::new(HashSet::new()),
        })
    }

    /// Helper that builds the full axum `Router` wired to `state`.
    pub fn test_app(state: Arc<AppState>) -> Router {
        Router::new()
            .merge(routes::session_router())
            .layer(CorsLayer::permissive())
            .with_state(state)
    }

    // ── GET /sessions ──────────────────────────────────────────────────────────

    #[tokio::test]
    async fn test_list_sessions_empty() {
        let app = test_app(test_state());
        let resp = app
            .oneshot(
                Request::builder()
                    .method("GET")
                    .uri("/sessions")
                    .body(Body::empty())
                    .unwrap(),
            )
            .await
            .unwrap();

        assert_eq!(resp.status(), StatusCode::OK);

        let body = axum::body::to_bytes(resp.into_body(), usize::MAX)
            .await
            .unwrap();
        let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
        assert!(json.is_array());
        assert_eq!(json.as_array().unwrap().len(), 0);
    }

    // ── POST /sessions ─────────────────────────────────────────────────────────

    #[tokio::test]
    async fn test_create_session_returns_id() {
        let app = test_app(test_state());
        let resp = app
            .oneshot(
                Request::builder()
                    .method("POST")
                    .uri("/sessions")
                    .header("content-type", "application/json")
                    .body(Body::from(r#"{"title":"my task"}"#))
                    .unwrap(),
            )
            .await
            .unwrap();

        assert_eq!(resp.status(), StatusCode::CREATED);

        let body = axum::body::to_bytes(resp.into_body(), usize::MAX)
            .await
            .unwrap();
        let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
        // Response must contain a non-empty "session_id" string.
        assert!(json["session_id"].is_string());
        assert!(!json["session_id"].as_str().unwrap().is_empty());
    }

    // ── GET /sessions/:id ──────────────────────────────────────────────────────

    #[tokio::test]
    async fn test_get_session_not_found() {
        let app = test_app(test_state());
        let resp = app
            .oneshot(
                Request::builder()
                    .method("GET")
                    .uri("/sessions/does-not-exist")
                    .body(Body::empty())
                    .unwrap(),
            )
            .await
            .unwrap();

        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
    }

    #[tokio::test]
    async fn test_create_then_get_session() {
        let state = test_state();
        let app = test_app(Arc::clone(&state));

        // Create a session.
        let create_resp = app
            .oneshot(
                Request::builder()
                    .method("POST")
                    .uri("/sessions")
                    .header("content-type", "application/json")
                    .body(Body::from(r#"{"title":"hello"}"#))
                    .unwrap(),
            )
            .await
            .unwrap();
        assert_eq!(create_resp.status(), StatusCode::CREATED);
        let create_body = axum::body::to_bytes(create_resp.into_body(), usize::MAX)
            .await
            .unwrap();
        let create_json: serde_json::Value = serde_json::from_slice(&create_body).unwrap();
        let session_id = create_json["session_id"].as_str().unwrap().to_string();

        // Fetch it back — must use a fresh router instance on the SAME state.
        let app2 = test_app(Arc::clone(&state));
        let get_resp = app2
            .oneshot(
                Request::builder()
                    .method("GET")
                    .uri(format!("/sessions/{session_id}"))
                    .body(Body::empty())
                    .unwrap(),
            )
            .await
            .unwrap();
        assert_eq!(get_resp.status(), StatusCode::OK);
        let get_body = axum::body::to_bytes(get_resp.into_body(), usize::MAX)
            .await
            .unwrap();
        let get_json: serde_json::Value = serde_json::from_slice(&get_body).unwrap();
        assert_eq!(get_json["id"].as_str().unwrap(), session_id);
    }

    // ── DELETE /sessions/:id ───────────────────────────────────────────────────

    #[tokio::test]
    async fn test_delete_session() {
        let state = test_state();
        let app = test_app(Arc::clone(&state));

        // Create a session first.
        let create_resp = app
            .oneshot(
                Request::builder()
                    .method("POST")
                    .uri("/sessions")
                    .header("content-type", "application/json")
                    .body(Body::from(r#"{}"#))
                    .unwrap(),
            )
            .await
            .unwrap();
        let create_body = axum::body::to_bytes(create_resp.into_body(), usize::MAX)
            .await
            .unwrap();
        let session_id = serde_json::from_slice::<serde_json::Value>(&create_body).unwrap()
            ["session_id"]
            .as_str()
            .unwrap()
            .to_string();

        // Delete it.
        let app2 = test_app(Arc::clone(&state));
        let del_resp = app2
            .oneshot(
                Request::builder()
                    .method("DELETE")
                    .uri(format!("/sessions/{session_id}"))
                    .body(Body::empty())
                    .unwrap(),
            )
            .await
            .unwrap();
        assert_eq!(del_resp.status(), StatusCode::NO_CONTENT);

        // Should be gone now.
        let app3 = test_app(Arc::clone(&state));
        let get_resp = app3
            .oneshot(
                Request::builder()
                    .method("GET")
                    .uri(format!("/sessions/{session_id}"))
                    .body(Body::empty())
                    .unwrap(),
            )
            .await
            .unwrap();
        assert_eq!(get_resp.status(), StatusCode::NOT_FOUND);
    }

    // ── CORS header ───────────────────────────────────────────────────────────

    #[tokio::test]
    async fn test_cors_header_present() {
        let app = test_app(test_state());
        let resp = app
            .oneshot(
                Request::builder()
                    .method("GET")
                    .uri("/sessions")
                    // Simulate a browser cross-origin request.
                    .header("origin", "http://localhost:3000")
                    .body(Body::empty())
                    .unwrap(),
            )
            .await
            .unwrap();

        assert_eq!(resp.status(), StatusCode::OK);
        // tower-http's CorsLayer::permissive() adds this header.
        assert!(resp.headers().contains_key("access-control-allow-origin"));
    }
    // ── POST /sessions/:id/messages — Task 34 ────────────────────────────────

    /// POST /sessions/:id/messages returns 404 when the session does not exist.
    /// The agent loop should never be started for a non-existent session.
    #[tokio::test]
    async fn test_post_message_session_not_found() {
        let app = test_app(test_state());
        let resp = app
            .oneshot(
                Request::builder()
                    .method("POST")
                    .uri("/sessions/nonexistent-session-id/messages")
                    .header("content-type", "application/json")
                    .body(Body::from(r#"{"content":"hello"}"#))
                    .unwrap(),
            )
            .await
            .unwrap();
        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
    }

    /// POST /sessions/:id/messages returns 409 Conflict when the same session
    /// already has an active agent execution running.
    ///
    /// We simulate "already active" by manually inserting the session ID into
    /// `active_sessions` before sending the request.
    #[tokio::test]
    async fn test_post_message_conflict_when_active() {
        let state = test_state();

        // 1. Create a real session so the 404 check passes.
        let app = test_app(Arc::clone(&state));
        let create_resp = app
            .oneshot(
                Request::builder()
                    .method("POST")
                    .uri("/sessions")
                    .header("content-type", "application/json")
                    .body(Body::from(r#"{}"#))
                    .unwrap(),
            )
            .await
            .unwrap();
        assert_eq!(create_resp.status(), StatusCode::CREATED);
        let create_body = axum::body::to_bytes(create_resp.into_body(), usize::MAX)
            .await
            .unwrap();
        let session_id = serde_json::from_slice::<serde_json::Value>(&create_body).unwrap()
            ["session_id"]
            .as_str()
            .unwrap()
            .to_string();

        // 2. Mark the session as already active — simulating a running agent.
        state
            .active_sessions
            .lock()
            .await
            .insert(session_id.clone());

        // 3. A second POST to the same session must return 409.
        let app2 = test_app(Arc::clone(&state));
        let resp = app2
            .oneshot(
                Request::builder()
                    .method("POST")
                    .uri(format!("/sessions/{session_id}/messages"))
                    .header("content-type", "application/json")
                    .body(Body::from(r#"{"content":"duplicate task"}"#))
                    .unwrap(),
            )
            .await
            .unwrap();
        assert_eq!(resp.status(), StatusCode::CONFLICT);
    }
}