4nk/smart_ide
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
smart_ide/docs/API/global-api.md
Nicolas Cantu 58cc2493e5 chore: consolidate ia_dev module, sync tooling, and harden gateways (0.0.5) 
Initial state:
- ia_dev was historically referenced as ./ia_dev in docs and integrations, while the vendored module lives under services/ia_dev.
- AnythingLLM sync and hook installation had error masking / weak exit signaling.
- Proxy layers did not validate proxy path segments, allowing path normalization tricks.

Motivation:
- Make the IDE-oriented workflow usable (sync -> act -> deploy/preview) with explicit errors.
- Reduce security footguns in proxying and script automation.

Resolution:
- Standardize IA_DEV_ROOT usage and documentation to services/ia_dev.
- Add SSH remote data mirroring + optional AnythingLLM ingestion.
- Extend AnythingLLM pull sync to support upload-all/prefix and fail on upload errors.
- Harden smart-ide-sso-gateway and smart-ide-global-api proxying with safe-path checks and non-leaking error responses.
- Improve ia-dev-gateway runner validation and reduce sensitive path leakage.
- Add site scaffold tool (Vite/React) with OIDC + chat via sso-gateway -> orchestrator.

Root cause:
- Historical layout changes (submodule -> vendored tree) and missing central contracts for path resolution.
- Missing validation for proxy path traversal patterns.
- Overuse of silent fallbacks (|| true, exit 0 on partial failures) in automation scripts.

Impacted features:
- Project sync: git pull + AnythingLLM sync + remote data mirror ingestion.
- Site frontends: SSO gateway proxy and orchestrator intents (rag.query, chat.local).
- Agent execution: ia-dev-gateway script runner and SSE output.

Code modified:
- scripts/remote-data-ssh-sync.sh
- scripts/anythingllm-pull-sync/sync.mjs
- scripts/install-anythingllm-post-merge-hook.sh
- cron/git-pull-project-clones.sh
- services/smart-ide-sso-gateway/src/server.ts
- services/smart-ide-global-api/src/server.ts
- services/smart-ide-orchestrator/src/server.ts
- services/ia-dev-gateway/src/server.ts
- services/ia_dev/tools/site-generate.sh

Documentation modified:
- docs/** (architecture, API docs, ia_dev module + integration, scripts)

Configurations modified:
- config/services.local.env.example
- services/*/.env.example

Files in deploy modified:
- services/ia_dev/deploy/*

Files in logs impacted:
- logs/ia_dev.log (runtime only)
- .logs/* (runtime only)

Databases and other sources modified:
- None

Off-project modifications:
- None

Files in .smartIde modified:
- .smartIde/agents/*.md
- services/ia_dev/.smartIde/**

Files in .secrets modified:
- None

New patch version in VERSION:
- 0.0.5

CHANGELOG.md updated:
- yes
2026-04-04 18:36:43 +02:00

2.8 KiB
Raw Blame History

API — smart-ide-global-api

Écoute par défaut : 127.0.0.1:37149. Configuration : services/smart-ide-global-api/.env.example, agrégat config/services.local.env.example.

Rôle

Agrégateur HTTP interne : reçoit les requêtes authentifiées par Authorization: Bearer <GLOBAL_API_INTERNAL_TOKEN> (fourni par smart-ide-sso-gateway), relaie vers chaque micro-service avec son jeton technique et propage les en-têtes X-OIDC-Sub / X-OIDC-Email lorsquils sont présents.

Les navigateurs et applications utilisateur ne doivent pas appeler ce port directement : passer par la passerelle SSO (/proxy/<clé>/...).

Authentification

Route Auth
GET /health Aucune
Toutes les autres Authorization: Bearer égal à GLOBAL_API_INTERNAL_TOKEN

Endpoints

GET /health

Réponse 200 : { "status": "ok", "service": "smart-ide-global-api" }.

GET /v1/upstreams

Liste les clés damont connues : { "upstreams": [ "orchestrator", ... ] }. La passerelle SSO peut renvoyer un sous-ensemble (allowlist via SSO_ALLOWED_UPSTREAMS).

Proxy — ANY /v1/upstream/<upstream_key>/<path>

  • <upstream_key> : orchestrator, repos_devtools, ia_dev_gateway, anythingllm_devtools, tools_bridge, langextract, regex_search, claw_proxy, local_office.
  • <path> : transmis à lURL de base du service (ex. /v1/upstream/orchestrator/v1/...http://127.0.0.1:37145/v1/...).
  • Corps : relayé (limite GLOBAL_API_MAX_BODY_BYTES, défaut 32 MiB).
  • Erreurs : 401 si Bearer interne absent ou incorrect ; 404 si clé inconnue ; 503 si jeton manquant pour lamont (ex. ORCHESTRATOR_TOKEN, LOCAL_OFFICE_API_KEY, etc.).

Journaux

Fichier .logs/global-api/access.log : lignes JSON (ts, method, path, upstream, status, durationMs, oidcSub si présent).

Variables denvironnement

Variable Rôle
GLOBAL_API_HOST / GLOBAL_API_PORT Bind HTTP
GLOBAL_API_INTERNAL_TOKEN Obligatoire — secret partagé avec la passerelle SSO
GLOBAL_API_MAX_BODY_BYTES Taille max du corps
SMART_IDE_MONOREPO_ROOT Racine monorepo pour .logs/ (sinon déduction depuis le module)

Jetons et hôtes des micro-services : mêmes noms que dans config/services.local.env.example.

Source des amonts

Les clés et la résolution host:port / jetons sont définies dans le paquet partagé packages/smart-ide-upstreams/ (@4nk/smart-ide-upstreams). Toute nouvelle clé damont doit y être ajoutée une seule fois, puis npm run build dans ce paquet et commit du répertoire dist/.

Voir aussi