4nk/smart_ide
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
smart_ide/docs/features/ia-dev-service.md
Nicolas Cantu 58cc2493e5 chore: consolidate ia_dev module, sync tooling, and harden gateways (0.0.5) 
Initial state:
- ia_dev was historically referenced as ./ia_dev in docs and integrations, while the vendored module lives under services/ia_dev.
- AnythingLLM sync and hook installation had error masking / weak exit signaling.
- Proxy layers did not validate proxy path segments, allowing path normalization tricks.

Motivation:
- Make the IDE-oriented workflow usable (sync -> act -> deploy/preview) with explicit errors.
- Reduce security footguns in proxying and script automation.

Resolution:
- Standardize IA_DEV_ROOT usage and documentation to services/ia_dev.
- Add SSH remote data mirroring + optional AnythingLLM ingestion.
- Extend AnythingLLM pull sync to support upload-all/prefix and fail on upload errors.
- Harden smart-ide-sso-gateway and smart-ide-global-api proxying with safe-path checks and non-leaking error responses.
- Improve ia-dev-gateway runner validation and reduce sensitive path leakage.
- Add site scaffold tool (Vite/React) with OIDC + chat via sso-gateway -> orchestrator.

Root cause:
- Historical layout changes (submodule -> vendored tree) and missing central contracts for path resolution.
- Missing validation for proxy path traversal patterns.
- Overuse of silent fallbacks (|| true, exit 0 on partial failures) in automation scripts.

Impacted features:
- Project sync: git pull + AnythingLLM sync + remote data mirror ingestion.
- Site frontends: SSO gateway proxy and orchestrator intents (rag.query, chat.local).
- Agent execution: ia-dev-gateway script runner and SSE output.

Code modified:
- scripts/remote-data-ssh-sync.sh
- scripts/anythingllm-pull-sync/sync.mjs
- scripts/install-anythingllm-post-merge-hook.sh
- cron/git-pull-project-clones.sh
- services/smart-ide-sso-gateway/src/server.ts
- services/smart-ide-global-api/src/server.ts
- services/smart-ide-orchestrator/src/server.ts
- services/ia-dev-gateway/src/server.ts
- services/ia_dev/tools/site-generate.sh

Documentation modified:
- docs/** (architecture, API docs, ia_dev module + integration, scripts)

Configurations modified:
- config/services.local.env.example
- services/*/.env.example

Files in deploy modified:
- services/ia_dev/deploy/*

Files in logs impacted:
- logs/ia_dev.log (runtime only)
- .logs/* (runtime only)

Databases and other sources modified:
- None

Off-project modifications:
- None

Files in .smartIde modified:
- .smartIde/agents/*.md
- services/ia_dev/.smartIde/**

Files in .secrets modified:
- None

New patch version in VERSION:
- 0.0.5

CHANGELOG.md updated:
- yes
2026-04-04 18:36:43 +02:00

3.2 KiB
Raw Blame History

Service ia-dev-gateway — exécution agents et déploiements

Objectif

Remplacer à terme lappel direct au répertoire module ia_dev par un service HTTP sous services/ia-dev-gateway/ qui :

  • Pointe vers un fork de 4nk/ia_dev (même historique Git, gouvernance dans le monorepo smart_ide).
  • Nimplémente pas la logique métier des projets : il oriente les jobs vers projects/<id>/, deploy/, scripts existants, avec policy et journalisation.
  • Expose un registre dagents et des runs pour Lapce, le front web et lorchestrateur.

Périmètre

Inclus Exclus
Auth service-to-service (Bearer) Duplication des recettes métier dans smart_ide
Soumission de jobs (deploy, agent, script) Exécution hors sandbox / OpenShell si policy impose un runtime
Stream dévénements (SSE ou WebSocket) UI complète (reste Lapce / front)
Lecture du registre agents depuis le checkout ia_dev Modification des secrets des projets cibles

Cohabitation avec le sous-module

Le binaire ia-dev-gateway reçoit IA_DEV_ROOT (chemin racine du checkout ia_dev). Si IA_DEV_ROOT nest pas défini, il tente une résolution locale dans le monorepo (priorité ./ia_dev, puis ./services/ia_dev).

API (spécification)

Référence détaillée : API/ia-dev-gateway.md.

Résumé :

  • GET /health — liveness.
  • GET /v1/agents — liste des agents enregistrés (métadonnées dérivées du registre ia_dev).
  • GET /v1/agents/{id} — descripteur stable (rôle, droits, commandes déclenchantes).
  • POST /v1/runs — corps JSON : { "agentId", "projectId", "intent", "payload"?, "env"? } ; réponse : { "runId", "status" }.
  • GET /v1/runs/{runId} — statut et sortie partielle.
  • GET /v1/runs/{runId}/eventsSSE (ou upgrade WebSocket selon implémentation) : flux started, tool_selected, completed, failed, etc. (aligné system-architecture.md).

Les codes derreur 401/403/404/409/422 sont explicites ; pas de fallback silencieux.

Variables denvironnement (cible)

Variable Obligatoire Description
IA_DEV_GATEWAY_TOKEN oui Bearer attendu des clients autorisés
IA_DEV_GATEWAY_HOST non Bind (défaut 127.0.0.1)
IA_DEV_GATEWAY_PORT non Port (défaut 37144)
IA_DEV_ROOT non Chemin racine du checkout ia_dev (fork)

Implémentation

Le répertoire services/ia-dev-gateway/ contient un serveur Node/TypeScript (npm run build && npm start) :

  • scan des agents .md depuis IA_DEV_ROOT/.smartIde/agents
  • POST /v1/runs : runner script-backed (subset allowlist) qui spawn des scripts bash sous IA_DEV_ROOT/ et stream stdout/stderr via SSE
  • GET /v1/runs/{runId}/events : SSE avec replay (Last-Event-ID) + keep-alive

Lorchestrateur peut cibler ce service via lintent agent.run.

Voir aussi