diff options
Diffstat (limited to 'makima/src/server/handlers/mesh_red_team.rs')
| -rw-r--r-- | makima/src/server/handlers/mesh_red_team.rs | 497 |
1 files changed, 0 insertions, 497 deletions
diff --git a/makima/src/server/handlers/mesh_red_team.rs b/makima/src/server/handlers/mesh_red_team.rs deleted file mode 100644 index c5af60e..0000000 --- a/makima/src/server/handlers/mesh_red_team.rs +++ /dev/null @@ -1,497 +0,0 @@ -//! HTTP handlers for red team mesh operations. -//! -//! These endpoints are used by red team tasks (via the makima CLI) to notify -//! supervisors of potential issues and query their own status. - -use axum::{ - extract::State, - http::{HeaderMap, StatusCode}, - response::IntoResponse, - Json, -}; -use serde::{Deserialize, Serialize}; -use utoipa::ToSchema; -use uuid::Uuid; - -use crate::db::repository; -use crate::server::handlers::mesh::{extract_auth, AuthSource}; -use crate::server::messages::ApiError; -use crate::server::state::{DaemonCommand, SharedState}; - -// ============================================================================= -// Request/Response Types -// ============================================================================= - -/// Severity level for red team notifications. -#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)] -#[serde(rename_all = "lowercase")] -pub enum RedTeamSeverity { - /// Informational notice - minor issue or suggestion - Info, - /// Warning - potential problem that should be reviewed - Warning, - /// Critical - serious issue requiring immediate attention - Critical, -} - -impl Default for RedTeamSeverity { - fn default() -> Self { - Self::Warning - } -} - -impl std::fmt::Display for RedTeamSeverity { - fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { - match self { - Self::Info => write!(f, "INFO"), - Self::Warning => write!(f, "WARNING"), - Self::Critical => write!(f, "CRITICAL"), - } - } -} - -/// Request to notify the supervisor of a potential issue. -#[derive(Debug, Deserialize, ToSchema)] -#[serde(rename_all = "camelCase")] -pub struct RedTeamNotifyRequest { - /// The issue description/message to send to the supervisor - pub message: String, - /// Severity level of the issue - #[serde(default)] - pub severity: RedTeamSeverity, - /// ID of the task being reviewed (optional - if not provided, assumes general contract concern) - pub related_task_id: Option<Uuid>, - /// File path related to the issue (optional) - pub file_path: Option<String>, - /// Additional context about the issue - pub context: Option<String>, -} - -/// Response from the notify endpoint. -#[derive(Debug, Serialize, ToSchema)] -#[serde(rename_all = "camelCase")] -pub struct RedTeamNotifyResponse { - /// Unique ID for this notification - pub notification_id: Uuid, - /// Whether the notification was successfully delivered to the supervisor - pub delivered: bool, - /// The supervisor task ID that received the notification - pub supervisor_task_id: Option<Uuid>, -} - -/// Response from the status endpoint. -#[derive(Debug, Serialize, ToSchema)] -#[serde(rename_all = "camelCase")] -pub struct RedTeamStatusResponse { - /// Contract ID being monitored - pub contract_id: Uuid, - /// Red team task ID - pub red_team_task_id: Uuid, - /// Current task status - pub status: String, - /// Number of notifications sent so far - pub notifications_sent: i64, -} - -/// Red team notification record stored in database. -#[derive(Debug, Clone, Serialize, ToSchema)] -#[serde(rename_all = "camelCase")] -pub struct RedTeamNotification { - pub id: Uuid, - pub red_team_task_id: Uuid, - pub contract_id: Uuid, - pub message: String, - pub severity: String, - pub related_task_id: Option<Uuid>, - pub file_path: Option<String>, - pub context: Option<String>, - pub delivered: bool, - pub created_at: chrono::DateTime<chrono::Utc>, -} - -// ============================================================================= -// Helper Functions -// ============================================================================= - -/// Verify the request comes from a red team task and extract ownership info. -/// -/// Returns (task_id, owner_id, contract_id) on success. -async fn verify_red_team_auth( - state: &SharedState, - headers: &HeaderMap, -) -> Result<(Uuid, Uuid, Uuid), (StatusCode, Json<ApiError>)> { - let auth = extract_auth(state, headers); - - let task_id = match auth { - AuthSource::ToolKey(task_id) => task_id, - _ => { - return Err(( - StatusCode::UNAUTHORIZED, - Json(ApiError::new( - "UNAUTHORIZED", - "Red team endpoints require tool key auth", - )), - )); - } - }; - - // Get the task to verify it's a red team task and get owner_id - let pool = state.db_pool.as_ref().ok_or_else(|| { - ( - StatusCode::SERVICE_UNAVAILABLE, - Json(ApiError::new("DB_UNAVAILABLE", "Database not configured")), - ) - })?; - - let task = repository::get_task(pool, task_id) - .await - .map_err(|e| { - tracing::error!(error = %e, "Failed to get red team task"); - ( - StatusCode::INTERNAL_SERVER_ERROR, - Json(ApiError::new("DB_ERROR", "Failed to verify red team task")), - ) - })? - .ok_or_else(|| { - ( - StatusCode::NOT_FOUND, - Json(ApiError::new("NOT_FOUND", "Task not found")), - ) - })?; - - // Verify task is a red team task - // NOTE: This requires the is_red_team field to be added to the Task struct. - // For now, we check if the task name contains "red-team" or "red_team" as a fallback. - let is_red_team = task.name.to_lowercase().contains("red-team") - || task.name.to_lowercase().contains("red_team") - || task.name.to_lowercase().contains("redteam"); - - if !is_red_team { - return Err(( - StatusCode::FORBIDDEN, - Json(ApiError::new( - "NOT_RED_TEAM", - "Only red team tasks can use these endpoints", - )), - )); - } - - // Red team tasks must be associated with a contract - let contract_id = task.contract_id.ok_or_else(|| { - ( - StatusCode::BAD_REQUEST, - Json(ApiError::new( - "NO_CONTRACT", - "Red team task must be associated with a contract", - )), - ) - })?; - - Ok((task_id, task.owner_id, contract_id)) -} - -/// Format an alert message for the supervisor. -/// -/// Creates a formatted alert with clear visual markers to grab attention. -fn format_alert_message( - severity: &RedTeamSeverity, - message: &str, - related_task_id: Option<Uuid>, - file_path: Option<&str>, - context: Option<&str>, -) -> String { - let severity_marker = match severity { - RedTeamSeverity::Info => "âšī¸", - RedTeamSeverity::Warning => "â ī¸", - RedTeamSeverity::Critical => "đ¨", - }; - - let border = match severity { - RedTeamSeverity::Info => "â".repeat(60), - RedTeamSeverity::Warning => "â".repeat(60), - RedTeamSeverity::Critical => "â".repeat(60), - }; - - let mut alert = format!( - r#" -{} -{} [RED TEAM ALERT] - {} -{} - -Issue: {} -"#, - border, severity_marker, severity, border, message - ); - - if let Some(task_id) = related_task_id { - alert.push_str(&format!("\nRelated Task: {}\n", task_id)); - } - - if let Some(path) = file_path { - alert.push_str(&format!("File: {}\n", path)); - } - - if let Some(ctx) = context { - alert.push_str(&format!("\nContext:\n{}\n", ctx)); - } - - // Add action suggestions based on severity - let actions = match severity { - RedTeamSeverity::Info => { - "Suggested Actions:\n- Review when convenient\n- Consider if changes are needed" - } - RedTeamSeverity::Warning => { - "Suggested Actions:\n- Review the flagged item soon\n- Check if this deviates from the contract\n- Consider pausing related work until reviewed" - } - RedTeamSeverity::Critical => { - "Suggested Actions:\n- STOP related work immediately\n- Review the flagged item urgently\n- Verify compliance with contract requirements\n- Consider reverting recent changes if necessary" - } - }; - - alert.push_str(&format!("\n{}\n{}\n", actions, border)); - - alert -} - -// ============================================================================= -// Handlers -// ============================================================================= - -/// Notify the supervisor of a potential issue. -/// -/// POST /api/v1/mesh/red-team/notify -/// -/// This endpoint allows red team tasks to alert supervisors about issues they've -/// identified during code review. The notification is sent as a message to the -/// supervisor task. -#[utoipa::path( - post, - path = "/api/v1/mesh/red-team/notify", - request_body = RedTeamNotifyRequest, - responses( - (status = 200, description = "Notification sent", body = RedTeamNotifyResponse), - (status = 401, description = "Unauthorized - tool key required"), - (status = 403, description = "Forbidden - not a red team task"), - (status = 404, description = "Task not found"), - (status = 503, description = "Database not available"), - (status = 500, description = "Internal server error"), - ), - security( - ("tool_key" = []) - ), - tag = "Mesh Red Team" -)] -pub async fn notify_supervisor( - State(state): State<SharedState>, - headers: HeaderMap, - Json(request): Json<RedTeamNotifyRequest>, -) -> impl IntoResponse { - let (red_team_task_id, owner_id, contract_id) = - match verify_red_team_auth(&state, &headers).await { - Ok(ids) => ids, - Err(e) => return e.into_response(), - }; - - let pool = state.db_pool.as_ref().unwrap(); - - // Generate notification ID - let notification_id = Uuid::new_v4(); - - // Get the contract to find the supervisor task - let contract = match repository::get_contract_for_owner(pool, contract_id, owner_id).await { - Ok(Some(c)) => c, - Ok(None) => { - return ( - StatusCode::NOT_FOUND, - Json(ApiError::new("NOT_FOUND", "Contract not found")), - ) - .into_response(); - } - Err(e) => { - tracing::error!(error = %e, "Failed to get contract"); - return ( - StatusCode::INTERNAL_SERVER_ERROR, - Json(ApiError::new("DB_ERROR", "Failed to get contract")), - ) - .into_response(); - } - }; - - let supervisor_task_id = contract.supervisor_task_id; - - // Format the alert message - let alert_message = format_alert_message( - &request.severity, - &request.message, - request.related_task_id, - request.file_path.as_deref(), - request.context.as_deref(), - ); - - // Record the notification in the database as a history event - let event_data = serde_json::json!({ - "notification_id": notification_id.to_string(), - "red_team_task_id": red_team_task_id.to_string(), - "severity": request.severity.to_string(), - "message": request.message, - "related_task_id": request.related_task_id.map(|id| id.to_string()), - "file_path": request.file_path, - "context": request.context, - }); - - let _ = repository::record_history_event( - pool, - owner_id, - Some(contract_id), - Some(red_team_task_id), - "red_team_alert", - Some(&request.severity.to_string().to_lowercase()), - Some(&request.message), - event_data, - ) - .await; - - // Try to send the message to the supervisor - let mut delivered = false; - if let Some(sup_task_id) = supervisor_task_id { - // Get the supervisor task to find its daemon - if let Ok(Some(supervisor_task)) = repository::get_task(pool, sup_task_id).await { - if let Some(daemon_id) = supervisor_task.daemon_id { - // Send the alert message to the supervisor - let cmd = DaemonCommand::SendMessage { - task_id: sup_task_id, - message: alert_message.clone(), - }; - - if let Err(e) = state.send_daemon_command(daemon_id, cmd).await { - tracing::warn!( - error = %e, - supervisor_task_id = %sup_task_id, - daemon_id = %daemon_id, - "Failed to send red team alert to supervisor" - ); - } else { - delivered = true; - tracing::info!( - notification_id = %notification_id, - red_team_task_id = %red_team_task_id, - supervisor_task_id = %sup_task_id, - severity = %request.severity, - "Red team alert delivered to supervisor" - ); - } - } else { - tracing::warn!( - supervisor_task_id = %sup_task_id, - "Supervisor task has no assigned daemon - alert not delivered" - ); - } - } - } else { - tracing::warn!( - contract_id = %contract_id, - "Contract has no supervisor task - alert not delivered" - ); - } - - ( - StatusCode::OK, - Json(RedTeamNotifyResponse { - notification_id, - delivered, - supervisor_task_id, - }), - ) - .into_response() -} - -/// Get the status of the red team task. -/// -/// GET /api/v1/mesh/red-team/status -/// -/// Returns information about the current red team task including the contract -/// being monitored and notification statistics. -#[utoipa::path( - get, - path = "/api/v1/mesh/red-team/status", - responses( - (status = 200, description = "Red team status", body = RedTeamStatusResponse), - (status = 401, description = "Unauthorized - tool key required"), - (status = 403, description = "Forbidden - not a red team task"), - (status = 404, description = "Task not found"), - (status = 503, description = "Database not available"), - (status = 500, description = "Internal server error"), - ), - security( - ("tool_key" = []) - ), - tag = "Mesh Red Team" -)] -pub async fn get_status( - State(state): State<SharedState>, - headers: HeaderMap, -) -> impl IntoResponse { - let (red_team_task_id, owner_id, contract_id) = - match verify_red_team_auth(&state, &headers).await { - Ok(ids) => ids, - Err(e) => return e.into_response(), - }; - - let pool = state.db_pool.as_ref().unwrap(); - - // Get the red team task status - let task = match repository::get_task(pool, red_team_task_id).await { - Ok(Some(t)) => t, - Ok(None) => { - return ( - StatusCode::NOT_FOUND, - Json(ApiError::new("NOT_FOUND", "Red team task not found")), - ) - .into_response(); - } - Err(e) => { - tracing::error!(error = %e, "Failed to get red team task"); - return ( - StatusCode::INTERNAL_SERVER_ERROR, - Json(ApiError::new("DB_ERROR", "Failed to get task")), - ) - .into_response(); - } - }; - - // Count notifications sent by this red team task - // Query history_events for red_team_alert events from this task - let notifications_sent = match sqlx::query_scalar::<_, i64>( - r#" - SELECT COUNT(*) - FROM history_events - WHERE owner_id = $1 - AND contract_id = $2 - AND task_id = $3 - AND event_type = 'red_team_alert' - "#, - ) - .bind(owner_id) - .bind(contract_id) - .bind(red_team_task_id) - .fetch_one(pool) - .await - { - Ok(count) => count, - Err(e) => { - tracing::warn!(error = %e, "Failed to count red team notifications"); - 0 - } - }; - - ( - StatusCode::OK, - Json(RedTeamStatusResponse { - contract_id, - red_team_task_id, - status: task.status, - notifications_sent, - }), - ) - .into_response() -} |