yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add boards and tasks management endpoints

Browse Source
This commit is contained in:
Abhimanyu Saharan
2026-02-04 02:28:51 +05:30
parent 23faa0865b
commit 1abc8f68f3
170 changed files with 6860 additions and 10706 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
backend/app/__init__.py Normal file
View File

0
backend/app/api/__init__.py Normal file
View File

32
backend/app/api/activities.py
View File

@@ -1,32 +0,0 @@
from __future__ import annotations
import json
from fastapi import APIRouter, Depends
from sqlmodel import Session, select
from app.db.session import get_session
from app.models.activity import Activity
router = APIRouter(prefix="/activities", tags=["activities"])
@router.get("")
def list_activities(limit: int = 50, session: Session = Depends(get_session)):
items = session.exec(
select(Activity).order_by(Activity.id.desc()).limit(max(1, min(limit, 200)))
).all()
out = []
for a in items:
out.append(
{
"id": a.id,
"actor_employee_id": a.actor_employee_id,
"entity_type": a.entity_type,
"entity_id": a.entity_id,
"verb": a.verb,
"payload": json.loads(a.payload_json) if a.payload_json else None,
"created_at": a.created_at,
}
)
return out

26
backend/app/api/activity.py Normal file
View File

@@ -0,0 +1,26 @@
from __future__ import annotations
from fastapi import APIRouter, Depends, Query
from sqlmodel import Session, select
from app.core.auth import get_auth_context
from app.db.session import get_session
from app.models.activity_events import ActivityEvent
from app.schemas.activity_events import ActivityEventRead
from app.services.admin_access import require_admin
router = APIRouter(prefix="/activity", tags=["activity"])
@router.get("", response_model=list[ActivityEventRead])
def list_activity(
limit: int = Query(50, ge=1, le=200),
offset: int = Query(0, ge=0),
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> list[ActivityEvent]:
require_admin(auth)
statement = (
select(ActivityEvent).order_by(ActivityEvent.created_at.desc()).offset(offset).limit(limit)
)
return list(session.exec(statement))

205
backend/app/api/agents.py Normal file
View File

@@ -0,0 +1,205 @@
from __future__ import annotations
import re
from datetime import datetime, timedelta
from uuid import uuid4
from fastapi import APIRouter, Depends, HTTPException, status
from sqlmodel import Session, select
from app.core.auth import get_auth_context
from app.db.session import get_session
from app.integrations.openclaw_gateway import OpenClawGatewayError, openclaw_call
from app.models.activity_events import ActivityEvent
from app.models.agents import Agent
from app.schemas.agents import (
AgentCreate,
AgentHeartbeat,
AgentHeartbeatCreate,
AgentRead,
AgentUpdate,
)
from app.services.admin_access import require_admin
router = APIRouter(prefix="/agents", tags=["agents"])
OFFLINE_AFTER = timedelta(minutes=10)
DEFAULT_GATEWAY_CHANNEL = "openclaw-agency"
def _slugify(value: str) -> str:
slug = re.sub(r"[^a-z0-9]+", "-", value.lower()).strip("-")
return slug or uuid4().hex
def _build_session_label(agent_name: str) -> str:
return f"{DEFAULT_GATEWAY_CHANNEL}-{_slugify(agent_name)}"
async def _create_gateway_session(agent_name: str) -> str:
label = _build_session_label(agent_name)
try:
await openclaw_call("sessions.patch", {"key": label, "label": agent_name})
except OpenClawGatewayError as exc:
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
return label
def _with_computed_status(agent: Agent) -> Agent:
now = datetime.utcnow()
if agent.last_seen_at and now - agent.last_seen_at > OFFLINE_AFTER:
agent.status = "offline"
return agent
def _record_heartbeat(session: Session, agent: Agent) -> None:
event = ActivityEvent(
event_type="agent.heartbeat",
message=f"Heartbeat received from {agent.name}.",
agent_id=agent.id,
)
session.add(event)
@router.get("", response_model=list[AgentRead])
def list_agents(
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> list[Agent]:
require_admin(auth)
agents = list(session.exec(select(Agent)))
return [_with_computed_status(agent) for agent in agents]
@router.post("", response_model=AgentRead)
async def create_agent(
payload: AgentCreate,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Agent:
require_admin(auth)
agent = Agent.model_validate(payload)
agent.openclaw_session_id = await _create_gateway_session(agent.name)
session.add(agent)
session.commit()
session.refresh(agent)
session.add(
ActivityEvent(
event_type="agent.session.created",
message=f"Session created for {agent.name}.",
agent_id=agent.id,
)
)
session.commit()
return agent
@router.get("/{agent_id}", response_model=AgentRead)
def get_agent(
agent_id: str,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Agent:
require_admin(auth)
agent = session.get(Agent, agent_id)
if agent is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
return _with_computed_status(agent)
@router.patch("/{agent_id}", response_model=AgentRead)
def update_agent(
agent_id: str,
payload: AgentUpdate,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Agent:
require_admin(auth)
agent = session.get(Agent, agent_id)
if agent is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
updates = payload.model_dump(exclude_unset=True)
for key, value in updates.items():
setattr(agent, key, value)
agent.updated_at = datetime.utcnow()
session.add(agent)
session.commit()
session.refresh(agent)
return _with_computed_status(agent)
@router.post("/{agent_id}/heartbeat", response_model=AgentRead)
def heartbeat_agent(
agent_id: str,
payload: AgentHeartbeat,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Agent:
require_admin(auth)
agent = session.get(Agent, agent_id)
if agent is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
if payload.status:
agent.status = payload.status
agent.last_seen_at = datetime.utcnow()
agent.updated_at = datetime.utcnow()
_record_heartbeat(session, agent)
session.add(agent)
session.commit()
session.refresh(agent)
return _with_computed_status(agent)
@router.post("/heartbeat", response_model=AgentRead)
async def heartbeat_or_create_agent(
payload: AgentHeartbeatCreate,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Agent:
require_admin(auth)
agent = session.exec(select(Agent).where(Agent.name == payload.name)).first()
if agent is None:
agent = Agent(name=payload.name, status=payload.status or "online")
agent.openclaw_session_id = await _create_gateway_session(agent.name)
session.add(agent)
session.commit()
session.refresh(agent)
session.add(
ActivityEvent(
event_type="agent.session.created",
message=f"Session created for {agent.name}.",
agent_id=agent.id,
)
)
elif not agent.openclaw_session_id:
agent.openclaw_session_id = await _create_gateway_session(agent.name)
session.add(
ActivityEvent(
event_type="agent.session.created",
message=f"Session created for {agent.name}.",
agent_id=agent.id,
)
)
if payload.status:
agent.status = payload.status
agent.last_seen_at = datetime.utcnow()
agent.updated_at = datetime.utcnow()
_record_heartbeat(session, agent)
session.add(agent)
session.commit()
session.refresh(agent)
return _with_computed_status(agent)
@router.delete("/{agent_id}")
def delete_agent(
agent_id: str,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> dict[str, bool]:
require_admin(auth)
agent = session.get(Agent, agent_id)
if agent:
session.delete(agent)
session.commit()
return {"ok": True}

15
backend/app/api/auth.py Normal file
View File

@@ -0,0 +1,15 @@
from __future__ import annotations
from fastapi import APIRouter, Depends, HTTPException, status
from app.core.auth import get_auth_context
from app.schemas.users import UserRead
router = APIRouter(prefix="/auth", tags=["auth"])
@router.post("/bootstrap", response_model=UserRead)
async def bootstrap_user(auth=Depends(get_auth_context)) -> UserRead:
if auth.actor_type != "user" or auth.user is None:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
return auth.user

82
backend/app/api/boards.py Normal file
View File

@@ -0,0 +1,82 @@
from __future__ import annotations
from fastapi import APIRouter, Depends, HTTPException, status
from sqlmodel import Session, select
from app.core.auth import get_auth_context
from app.db.session import get_session
from app.models.boards import Board
from app.schemas.boards import BoardCreate, BoardRead, BoardUpdate
from app.services.admin_access import require_admin
router = APIRouter(prefix="/boards", tags=["boards"])
@router.get("", response_model=list[BoardRead])
def list_boards(
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> list[Board]:
require_admin(auth)
return list(session.exec(select(Board)))
@router.post("", response_model=BoardRead)
def create_board(
payload: BoardCreate,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Board:
require_admin(auth)
board = Board.model_validate(payload)
session.add(board)
session.commit()
session.refresh(board)
return board
@router.get("/{board_id}", response_model=BoardRead)
def get_board(
board_id: str,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Board:
require_admin(auth)
board = session.get(Board, board_id)
if board is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
return board
@router.patch("/{board_id}", response_model=BoardRead)
def update_board(
board_id: str,
payload: BoardUpdate,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Board:
require_admin(auth)
board = session.get(Board, board_id)
if board is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
updates = payload.model_dump(exclude_unset=True)
for key, value in updates.items():
setattr(board, key, value)
session.add(board)
session.commit()
session.refresh(board)
return board
@router.delete("/{board_id}")
def delete_board(
board_id: str,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> dict[str, bool]:
require_admin(auth)
board = session.get(Board, board_id)
if board:
session.delete(board)
session.commit()
return {"ok": True}

99
backend/app/api/gateway.py Normal file
View File

@@ -0,0 +1,99 @@
from __future__ import annotations
from fastapi import APIRouter, Body, Depends, HTTPException, status
from app.core.auth import get_auth_context
from app.core.config import settings
from app.integrations.openclaw_gateway import (
OpenClawGatewayError,
get_chat_history,
openclaw_call,
send_message,
)
from app.services.admin_access import require_admin
router = APIRouter(prefix="/gateway", tags=["gateway"])
@router.get("/status")
async def gateway_status(auth=Depends(get_auth_context)) -> dict[str, object]:
require_admin(auth)
gateway_url = settings.openclaw_gateway_url or "ws://127.0.0.1:18789"
try:
sessions = await openclaw_call("sessions.list")
if isinstance(sessions, dict):
sessions_list = list(sessions.get("sessions") or [])
else:
sessions_list = list(sessions or [])
return {
"connected": True,
"gateway_url": gateway_url,
"sessions_count": len(sessions_list),
"sessions": sessions_list,
}
except OpenClawGatewayError as exc:
return {
"connected": False,
"gateway_url": gateway_url,
"error": str(exc),
}
@router.get("/sessions")
async def list_sessions(auth=Depends(get_auth_context)) -> dict[str, object]:
require_admin(auth)
try:
sessions = await openclaw_call("sessions.list")
except OpenClawGatewayError as exc:
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
if isinstance(sessions, dict):
return {"sessions": list(sessions.get("sessions") or [])}
return {"sessions": list(sessions or [])}
@router.get("/sessions/{session_id}")
async def get_session(session_id: str, auth=Depends(get_auth_context)) -> dict[str, object]:
require_admin(auth)
try:
sessions = await openclaw_call("sessions.list")
except OpenClawGatewayError as exc:
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
if isinstance(sessions, dict):
sessions_list = list(sessions.get("sessions") or [])
else:
sessions_list = list(sessions or [])
session = next((item for item in sessions_list if item.get("key") == session_id), None)
if session is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Session not found")
return {"session": session}
@router.get("/sessions/{session_id}/history")
async def get_session_history(session_id: str, auth=Depends(get_auth_context)) -> dict[str, object]:
require_admin(auth)
try:
history = await get_chat_history(session_id)
except OpenClawGatewayError as exc:
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
if isinstance(history, dict) and isinstance(history.get("messages"), list):
return {"history": history["messages"]}
return {"history": list(history or [])}
@router.post("/sessions/{session_id}/message")
async def send_session_message(
session_id: str,
payload: dict = Body(...),
auth=Depends(get_auth_context),
) -> dict[str, bool]:
require_admin(auth)
content = payload.get("content")
if not content:
raise HTTPException(
status_code=status.HTTP_422_UNPROCESSABLE_ENTITY, detail="content is required"
)
try:
await send_message(content, session_key=session_id)
except OpenClawGatewayError as exc:
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail=str(exc)) from exc
return {"ok": True}

474
backend/app/api/org.py
View File

@@ -1,474 +0,0 @@
from __future__ import annotations
from fastapi import APIRouter, Depends, HTTPException
from sqlalchemy.exc import IntegrityError
from sqlmodel import Session, select
from app.api.utils import get_actor_employee_id, log_activity
from app.core.urls import public_api_base_url
from app.db.session import get_session
from app.integrations.openclaw import OpenClawClient
from app.models.org import Department, Employee, Team
from app.schemas.org import (
DepartmentCreate,
DepartmentUpdate,
EmployeeCreate,
EmployeeUpdate,
TeamCreate,
TeamUpdate,
)
router = APIRouter(tags=["org"])
def _enforce_employee_create_policy(
session: Session, *, actor_employee_id: int, target_employee_type: str
) -> None:
"""Enforce: agents can only create/provision agents; humans can create humans + agents."""
actor = session.get(Employee, actor_employee_id)
if actor is None:
# Actor header is required; if it points to nothing, treat as invalid.
raise HTTPException(status_code=400, detail="Actor employee not found")
target = (target_employee_type or "").lower()
actor_type = (actor.employee_type or "").lower()
if actor_type == "agent" and target != "agent":
raise HTTPException(
status_code=403,
detail="Agent employees may only create/provision agent employees",
)
def _default_agent_prompt(emp: Employee) -> str:
"""Generate a conservative default prompt for a newly-created agent employee.
We keep this short and deterministic; the human can refine later.
"""
title = emp.title or "Agent"
dept = str(emp.department_id) if emp.department_id is not None else "(unassigned)"
return (
f"You are {emp.name}, an AI agent employee in Mission Control.\n"
f"Your employee_id is {emp.id}.\n"
f"Title: {title}. Department id: {dept}.\n\n"
"Mission Control API access (no UI):\n"
f"- Base URL: {public_api_base_url()}\n"
"- Auth: none. REQUIRED header on ALL write operations: X-Actor-Employee-Id: <your_employee_id>\n"
f" Example for you: X-Actor-Employee-Id: {emp.id}\n\n"
"How to execute writes from an OpenClaw agent (IMPORTANT):\n"
"- Use the exec tool to run curl against the Base URL above.\n"
"- Example: start a task\n"
" curl -sS -X PATCH $BASE/tasks/<TASK_ID> -H 'X-Actor-Employee-Id: <your_employee_id>' -H 'Content-Type: application/json' -d '{\"status\":\"in_progress\"}'\n"
"- Example: add a progress comment\n"
" curl -sS -X POST $BASE/task-comments -H 'X-Actor-Employee-Id: <your_employee_id>' -H 'Content-Type: application/json' -d '{\"task_id\":<TASK_ID>,\"body\":\"...\"}'\n\n"
"Common endpoints (JSON):\n"
"- GET /tasks, POST /tasks\n"
"- GET /task-comments, POST /task-comments\n"
"- GET /projects, GET /employees, GET /departments\n"
"- OpenAPI schema: GET /openapi.json\n\n"
"Rules:\n"
"- Use the Mission Control API only (no UI).\n"
"- You are responsible for driving assigned work to completion.\n"
"- For every task you own: (1) read it, (2) plan next steps, (3) post progress comments, (4) update status as it moves (backlog/ready/in_progress/review/done/blocked).\n"
"- Always leave an audit trail: add a comment whenever you start work, whenever you learn something important, and whenever you change status.\n"
"- If blocked, set status=blocked and comment what you need (missing access, unclear requirements, etc.).\n"
"- When notified about tasks/comments, respond with concise, actionable updates and immediately sync the task state in Mission Control.\n"
"- Do not invent facts; ask for missing context.\n"
)
def _maybe_auto_provision_agent(session: Session, *, emp: Employee, actor_employee_id: int) -> None:
"""Auto-provision an OpenClaw session for an agent employee.
This is intentionally best-effort. If OpenClaw is not configured or the call fails,
we leave the employee as-is (openclaw_session_key stays null).
"""
# Enforce: agent actors may only provision agents (humans can provision agents).
_enforce_employee_create_policy(
session, actor_employee_id=actor_employee_id, target_employee_type=emp.employee_type
)
if emp.employee_type != "agent":
return
if emp.status != "active":
return
if emp.openclaw_session_key:
return
client = OpenClawClient.from_env()
if client is None:
return
# FULL IMPLEMENTATION: ensure a dedicated OpenClaw agent profile exists per employee.
try:
from app.integrations.openclaw_agents import ensure_full_agent_profile
info = ensure_full_agent_profile(
client=client,
employee_id=int(emp.id),
employee_name=emp.name,
)
emp.openclaw_agent_id = info["agent_id"]
session.add(emp)
session.flush()
except Exception as e:
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="employee",
entity_id=emp.id,
verb="agent_profile_failed",
payload={"error": f"{type(e).__name__}: {e}"},
)
# Do not block employee creation on provisioning.
return
label = f"employee:{emp.id}:{emp.name}"
try:
resp = client.tools_invoke(
"sessions_spawn",
{
"task": _default_agent_prompt(emp),
"label": label,
"agentId": emp.openclaw_agent_id,
"cleanup": "keep",
"runTimeoutSeconds": 600,
},
timeout_s=20.0,
)
except Exception as e:
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="employee",
entity_id=emp.id,
verb="provision_failed",
payload={"error": f"{type(e).__name__}: {e}"},
)
return
session_key = None
if isinstance(resp, dict):
session_key = resp.get("sessionKey")
if not session_key:
result = resp.get("result") or {}
if isinstance(result, dict):
session_key = result.get("sessionKey") or result.get("childSessionKey")
details = (result.get("details") if isinstance(result, dict) else None) or {}
if isinstance(details, dict):
session_key = session_key or details.get("sessionKey") or details.get("childSessionKey")
if not session_key:
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="employee",
entity_id=emp.id,
verb="provision_incomplete",
payload={"label": label},
)
return
emp.openclaw_session_key = session_key
session.add(emp)
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="employee",
entity_id=emp.id,
verb="provisioned",
payload={"session_key": session_key, "label": label},
)
@router.get("/departments", response_model=list[Department])
def list_departments(session: Session = Depends(get_session)):
return session.exec(select(Department).order_by(Department.name.asc())).all()
@router.get("/teams", response_model=list[Team])
def list_teams(department_id: int | None = None, session: Session = Depends(get_session)):
q = select(Team)
if department_id is not None:
q = q.where(Team.department_id == department_id)
return session.exec(q.order_by(Team.name.asc())).all()
@router.post("/teams", response_model=Team)
def create_team(
payload: TeamCreate,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
team = Team(**payload.model_dump())
session.add(team)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="team",
entity_id=team.id,
verb="created",
payload={
"name": team.name,
"department_id": team.department_id,
"lead_employee_id": team.lead_employee_id,
},
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Team already exists or violates constraints")
session.refresh(team)
return team
@router.patch("/teams/{team_id}", response_model=Team)
def update_team(
team_id: int,
payload: TeamUpdate,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
team = session.get(Team, team_id)
if not team:
raise HTTPException(status_code=404, detail="Team not found")
data = payload.model_dump(exclude_unset=True)
for k, v in data.items():
setattr(team, k, v)
session.add(team)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="team",
entity_id=team.id,
verb="updated",
payload=data,
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Team update violates constraints")
session.refresh(team)
return team
@router.post("/departments", response_model=Department)
def create_department(
payload: DepartmentCreate,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
"""Create a department.
Important: keep the operation atomic. We flush to get dept.id, log the activity,
then commit once. We also translate common DB integrity errors into 409s.
"""
dept = Department(name=payload.name, head_employee_id=payload.head_employee_id)
session.add(dept)
try:
session.flush() # assigns dept.id without committing
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="department",
entity_id=dept.id,
verb="created",
payload={"name": dept.name},
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(
status_code=409, detail="Department already exists or violates constraints"
)
session.refresh(dept)
return dept
@router.patch("/departments/{department_id}", response_model=Department)
def update_department(
department_id: int,
payload: DepartmentUpdate,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
dept = session.get(Department, department_id)
if not dept:
raise HTTPException(status_code=404, detail="Department not found")
data = payload.model_dump(exclude_unset=True)
for k, v in data.items():
setattr(dept, k, v)
session.add(dept)
session.commit()
session.refresh(dept)
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="department",
entity_id=dept.id,
verb="updated",
payload=data,
)
session.commit()
return dept
@router.get("/employees", response_model=list[Employee])
def list_employees(session: Session = Depends(get_session)):
return session.exec(select(Employee).order_by(Employee.id.asc())).all()
@router.post("/employees", response_model=Employee)
def create_employee(
payload: EmployeeCreate,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
_enforce_employee_create_policy(
session, actor_employee_id=actor_employee_id, target_employee_type=payload.employee_type
)
emp = Employee(**payload.model_dump())
session.add(emp)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="employee",
entity_id=emp.id,
verb="created",
payload={"name": emp.name, "type": emp.employee_type},
)
# AUTO-PROVISION: if this is an agent employee, try to create an OpenClaw session.
_maybe_auto_provision_agent(session, emp=emp, actor_employee_id=actor_employee_id)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Employee create violates constraints")
session.refresh(emp)
return Employee.model_validate(emp)
@router.patch("/employees/{employee_id}", response_model=Employee)
def update_employee(
employee_id: int,
payload: EmployeeUpdate,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
emp = session.get(Employee, employee_id)
if not emp:
raise HTTPException(status_code=404, detail="Employee not found")
data = payload.model_dump(exclude_unset=True)
for k, v in data.items():
setattr(emp, k, v)
session.add(emp)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="employee",
entity_id=emp.id,
verb="updated",
payload=data,
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Employee update violates constraints")
session.refresh(emp)
return Employee.model_validate(emp)
@router.post("/employees/{employee_id}/provision", response_model=Employee)
def provision_employee_agent(
employee_id: int,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
emp = session.get(Employee, employee_id)
if not emp:
raise HTTPException(status_code=404, detail="Employee not found")
if emp.employee_type != "agent":
raise HTTPException(status_code=400, detail="Only agent employees can be provisioned")
_maybe_auto_provision_agent(session, emp=emp, actor_employee_id=actor_employee_id)
session.commit()
session.refresh(emp)
return Employee.model_validate(emp)
@router.post("/employees/{employee_id}/deprovision", response_model=Employee)
def deprovision_employee_agent(
employee_id: int,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
emp = session.get(Employee, employee_id)
if not emp:
raise HTTPException(status_code=404, detail="Employee not found")
if emp.employee_type != "agent":
raise HTTPException(status_code=400, detail="Only agent employees can be deprovisioned")
client = OpenClawClient.from_env()
if client is not None and emp.openclaw_session_key:
try:
client.tools_invoke(
"sessions_send",
{
"sessionKey": emp.openclaw_session_key,
"message": "You are being deprovisioned. Stop all work and ignore future messages.",
},
timeout_s=5.0,
)
except Exception:
pass
emp.notify_enabled = False
emp.openclaw_session_key = None
session.add(emp)
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="employee",
entity_id=emp.id,
verb="deprovisioned",
payload={},
)
session.commit()
session.refresh(emp)
return Employee.model_validate(emp)

178
backend/app/api/projects.py
View File

@@ -1,178 +0,0 @@
from __future__ import annotations
from fastapi import APIRouter, Depends, HTTPException
from sqlalchemy.exc import IntegrityError
from sqlmodel import Session, select
from app.api.utils import get_actor_employee_id, log_activity
from app.db.session import get_session
from app.models.projects import Project, ProjectMember
from app.schemas.projects import ProjectCreate, ProjectUpdate
router = APIRouter(prefix="/projects", tags=["projects"])
@router.get("", response_model=list[Project])
def list_projects(session: Session = Depends(get_session)):
return session.exec(select(Project).order_by(Project.name.asc())).all()
@router.post("", response_model=Project)
def create_project(
payload: ProjectCreate,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
"""Create a project.
Keep operation atomic: flush to get id, log activity, then commit once.
Translate DB integrity errors to 409s.
"""
proj = Project(**payload.model_dump())
session.add(proj)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="project",
entity_id=proj.id,
verb="created",
payload={"name": proj.name},
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(
status_code=409, detail="Project already exists or violates constraints"
)
session.refresh(proj)
return proj
@router.patch("/{project_id}", response_model=Project)
def update_project(
project_id: int,
payload: ProjectUpdate,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
proj = session.get(Project, project_id)
if not proj:
raise HTTPException(status_code=404, detail="Project not found")
data = payload.model_dump(exclude_unset=True)
for k, v in data.items():
setattr(proj, k, v)
session.add(proj)
session.commit()
session.refresh(proj)
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="project",
entity_id=proj.id,
verb="updated",
payload=data,
)
session.commit()
return proj
@router.get("/{project_id}/members", response_model=list[ProjectMember])
def list_project_members(project_id: int, session: Session = Depends(get_session)):
return session.exec(
select(ProjectMember)
.where(ProjectMember.project_id == project_id)
.order_by(ProjectMember.id.asc())
).all()
@router.post("/{project_id}/members", response_model=ProjectMember)
def add_project_member(
project_id: int,
payload: ProjectMember,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
existing = session.exec(
select(ProjectMember).where(
ProjectMember.project_id == project_id, ProjectMember.employee_id == payload.employee_id
)
).first()
if existing:
raise HTTPException(status_code=409, detail="Member already added")
member = ProjectMember(
project_id=project_id, employee_id=payload.employee_id, role=payload.role
)
session.add(member)
session.commit()
session.refresh(member)
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="project_member",
entity_id=member.id,
verb="added",
payload={"project_id": project_id, "employee_id": member.employee_id, "role": member.role},
)
session.commit()
return member
@router.delete("/{project_id}/members/{member_id}")
def remove_project_member(
project_id: int,
member_id: int,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
member = session.get(ProjectMember, member_id)
if not member or member.project_id != project_id:
raise HTTPException(status_code=404, detail="Project member not found")
session.delete(member)
session.commit()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="project_member",
entity_id=member_id,
verb="removed",
payload={"project_id": project_id},
)
session.commit()
return {"ok": True}
@router.patch("/{project_id}/members/{member_id}", response_model=ProjectMember)
def update_project_member(
project_id: int,
member_id: int,
payload: ProjectMember,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
member = session.get(ProjectMember, member_id)
if not member or member.project_id != project_id:
raise HTTPException(status_code=404, detail="Project member not found")
if payload.role is not None:
member.role = payload.role
session.add(member)
session.commit()
session.refresh(member)
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="project_member",
entity_id=member.id,
verb="updated",
payload={"project_id": project_id, "role": member.role},
)
session.commit()
return member

115
backend/app/api/tasks.py Normal file
View File

@@ -0,0 +1,115 @@
from __future__ import annotations
from datetime import datetime
from fastapi import APIRouter, Depends, HTTPException, status
from sqlmodel import Session, select
from app.core.auth import get_auth_context
from app.db.session import get_session
from app.models.activity_events import ActivityEvent
from app.models.boards import Board
from app.models.tasks import Task
from app.schemas.tasks import TaskCreate, TaskRead, TaskUpdate
from app.services.admin_access import require_admin
router = APIRouter(prefix="/boards/{board_id}/tasks", tags=["tasks"])
@router.get("", response_model=list[TaskRead])
def list_tasks(
board_id: str,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> list[Task]:
require_admin(auth)
board = session.get(Board, board_id)
if board is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
return list(session.exec(select(Task).where(Task.board_id == board.id)))
@router.post("", response_model=TaskRead)
def create_task(
board_id: str,
payload: TaskCreate,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Task:
require_admin(auth)
board = session.get(Board, board_id)
if board is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
task = Task.model_validate(payload)
task.board_id = board.id
if task.created_by_user_id is None and auth.user is not None:
task.created_by_user_id = auth.user.id
session.add(task)
session.commit()
session.refresh(task)
event = ActivityEvent(
event_type="task.created",
task_id=task.id,
message=f"Task created: {task.title}.",
)
session.add(event)
session.commit()
return task
@router.patch("/{task_id}", response_model=TaskRead)
def update_task(
board_id: str,
task_id: str,
payload: TaskUpdate,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> Task:
require_admin(auth)
board = session.get(Board, board_id)
if board is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
task = session.get(Task, task_id)
if task is None or task.board_id != board.id:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
previous_status = task.status
updates = payload.model_dump(exclude_unset=True)
for key, value in updates.items():
setattr(task, key, value)
task.updated_at = datetime.utcnow()
session.add(task)
session.commit()
session.refresh(task)
if "status" in updates and task.status != previous_status:
event_type = "task.status_changed"
message = f"Task moved to {task.status}: {task.title}."
else:
event_type = "task.updated"
message = f"Task updated: {task.title}."
event = ActivityEvent(event_type=event_type, task_id=task.id, message=message)
session.add(event)
session.commit()
return task
@router.delete("/{task_id}")
def delete_task(
board_id: str,
task_id: str,
session: Session = Depends(get_session),
auth=Depends(get_auth_context),
) -> dict[str, bool]:
require_admin(auth)
board = session.get(Board, board_id)
if board is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
task = session.get(Task, task_id)
if task and task.board_id == board.id:
session.delete(task)
session.commit()
return {"ok": True}

37
backend/app/api/utils.py
View File

@@ -1,37 +0,0 @@
from __future__ import annotations
import json
from typing import Any
from fastapi import Header, HTTPException
from sqlmodel import Session
from app.models.activity import Activity
def log_activity(
session: Session,
*,
actor_employee_id: int | None,
entity_type: str,
entity_id: int | None,
verb: str,
payload: dict[str, Any] | None = None,
) -> None:
session.add(
Activity(
actor_employee_id=actor_employee_id,
entity_type=entity_type,
entity_id=entity_id,
verb=verb,
payload_json=json.dumps(payload) if payload is not None else None,
)
)
def get_actor_employee_id(
x_actor_employee_id: int | None = Header(default=None, alias="X-Actor-Employee-Id"),
) -> int:
if x_actor_employee_id is None:
raise HTTPException(status_code=400, detail="X-Actor-Employee-Id required")
return x_actor_employee_id

443
backend/app/api/work.py
View File

@@ -1,443 +0,0 @@
from __future__ import annotations
import logging
from datetime import datetime
from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException
from sqlalchemy.exc import IntegrityError
from sqlmodel import Session, select
from app.api.utils import get_actor_employee_id, log_activity
from app.db.session import get_session
from app.integrations.notify import NotifyContext, notify_openclaw
from app.integrations.openclaw import OpenClawClient
from app.models.org import Employee
from app.models.work import Task, TaskComment
from app.schemas.work import TaskCommentCreate, TaskCreate, TaskReviewDecision, TaskUpdate
logger = logging.getLogger("app.work")
router = APIRouter(tags=["work"])
ALLOWED_STATUSES = {"backlog", "ready", "in_progress", "review", "done", "blocked"}
def _validate_task_assignee(session: Session, assignee_employee_id: int) -> None:
"""Enforce that only provisioned agents can be assigned tasks.
Humans can be assigned regardless.
Agents must be active, notify_enabled, and have openclaw_session_key.
"""
emp = session.get(Employee, assignee_employee_id)
if emp is None:
raise HTTPException(status_code=400, detail="Assignee employee not found")
if emp.employee_type == "agent":
if emp.status != "active":
raise HTTPException(status_code=400, detail="Cannot assign task to inactive agent")
if not emp.notify_enabled:
raise HTTPException(
status_code=400, detail="Cannot assign task to agent with notifications disabled"
)
if not emp.openclaw_session_key:
raise HTTPException(status_code=400, detail="Cannot assign task to unprovisioned agent")
@router.get("/tasks", response_model=list[Task])
def list_tasks(project_id: int | None = None, session: Session = Depends(get_session)):
stmt = select(Task).order_by(Task.id.asc())
if project_id is not None:
stmt = stmt.where(Task.project_id == project_id)
return session.exec(stmt).all()
@router.post("/tasks", response_model=Task)
def create_task(
payload: TaskCreate,
background: BackgroundTasks,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
# SECURITY / AUDIT: never allow spoofing task creator.
# The creator is always the actor making the request.
payload = TaskCreate(**{**payload.model_dump(), "created_by_employee_id": actor_employee_id})
if payload.assignee_employee_id is not None:
_validate_task_assignee(session, payload.assignee_employee_id)
# Default reviewer to the manager of the assignee (if not explicitly provided).
if payload.reviewer_employee_id is None and payload.assignee_employee_id is not None:
assignee = session.get(Employee, payload.assignee_employee_id)
if assignee is not None and assignee.manager_id is not None:
payload = TaskCreate(
**{**payload.model_dump(), "reviewer_employee_id": assignee.manager_id}
)
task = Task(**payload.model_dump())
if task.status not in ALLOWED_STATUSES:
raise HTTPException(status_code=400, detail="Invalid status")
task.updated_at = datetime.utcnow()
session.add(task)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="task",
entity_id=task.id,
verb="created",
payload={"project_id": task.project_id, "title": task.title},
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Task create violates constraints")
session.refresh(task)
background.add_task(
notify_openclaw,
NotifyContext(event="task.created", actor_employee_id=actor_employee_id, task_id=task.id),
)
# Explicitly return a serializable payload (guards against empty {} responses)
return Task.model_validate(task)
@router.post("/tasks/{task_id}/dispatch")
def dispatch_task(
task_id: int,
background: BackgroundTasks,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
logger.info("dispatch_task: called", extra={"task_id": task_id, "actor": actor_employee_id})
task = session.get(Task, task_id)
if not task:
raise HTTPException(status_code=404, detail="Task not found")
logger.info(
"dispatch_task: loaded",
extra={
"task_id": getattr(task, "id", None),
"assignee_employee_id": getattr(task, "assignee_employee_id", None),
},
)
if task.assignee_employee_id is None:
raise HTTPException(status_code=400, detail="Task has no assignee")
_validate_task_assignee(session, task.assignee_employee_id)
client = OpenClawClient.from_env()
if client is None:
logger.warning("dispatch_task: missing OpenClaw env")
raise HTTPException(
status_code=503,
detail="OpenClaw gateway is not configured (set OPENCLAW_GATEWAY_URL/TOKEN)",
)
# Best-effort: enqueue a dispatch notification.
# IMPORTANT: if a task is already in review, the reviewer (not the assignee) should be notified.
status = (getattr(task, "status", None) or "").lower()
if status in {"review", "ready_for_review"}:
background.add_task(
notify_openclaw,
NotifyContext(
event="status.changed",
actor_employee_id=actor_employee_id,
task_id=task.id,
changed_fields={"status": {"to": task.status}},
),
)
else:
background.add_task(
notify_openclaw,
NotifyContext(event="task.assigned", actor_employee_id=actor_employee_id, task_id=task.id),
)
return {"ok": True}
def _require_reviewer_comment(body: str | None) -> str:
if body is None or not body.strip():
raise HTTPException(status_code=400, detail="Reviewer must provide a comment for audit")
return body.strip()
@router.post("/tasks/{task_id}/review", response_model=Task)
def review_task(
task_id: int,
payload: TaskReviewDecision,
background: BackgroundTasks,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
"""Reviewer approves or requests changes.
- Approve => status=done
- Changes => status=in_progress
Always writes a TaskComment by the reviewer for audit.
"""
task = session.get(Task, task_id)
if not task:
raise HTTPException(status_code=404, detail="Task not found")
if task.reviewer_employee_id is None:
raise HTTPException(status_code=400, detail="Task has no reviewer")
if actor_employee_id != task.reviewer_employee_id:
raise HTTPException(status_code=403, detail="Only the reviewer can approve/request changes")
decision = (payload.decision or "").strip().lower()
if decision not in {"approve", "changes"}:
raise HTTPException(status_code=400, detail="Invalid decision")
comment_body = _require_reviewer_comment(payload.comment_body)
new_status = "done" if decision == "approve" else "in_progress"
before_status = task.status
task.status = new_status
task.updated_at = datetime.utcnow()
session.add(task)
c = TaskComment(task_id=task.id, author_employee_id=actor_employee_id, body=comment_body)
session.add(c)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="task",
entity_id=task.id,
verb="reviewed",
payload={"decision": decision, "status": new_status},
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Review action violates constraints")
session.refresh(task)
session.refresh(c)
# Notify assignee (comment.created will exclude author)
background.add_task(
notify_openclaw,
NotifyContext(
event="comment.created",
actor_employee_id=actor_employee_id,
task_id=task.id,
comment_id=c.id,
),
)
# Notify reviewer/PMs about status change
if before_status != task.status:
background.add_task(
notify_openclaw,
NotifyContext(
event="status.changed",
actor_employee_id=actor_employee_id,
task_id=task.id,
changed_fields={"status": {"from": before_status, "to": task.status}},
),
)
return Task.model_validate(task)
@router.patch("/tasks/{task_id}", response_model=Task)
def update_task(
task_id: int,
payload: TaskUpdate,
background: BackgroundTasks,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
logger.info("dispatch_task: called", extra={"task_id": task_id, "actor": actor_employee_id})
task = session.get(Task, task_id)
if not task:
raise HTTPException(status_code=404, detail="Task not found")
before = {
"assignee_employee_id": task.assignee_employee_id,
"reviewer_employee_id": task.reviewer_employee_id,
"status": task.status,
}
data = payload.model_dump(exclude_unset=True)
if "assignee_employee_id" in data and data["assignee_employee_id"] is not None:
_validate_task_assignee(session, data["assignee_employee_id"])
if "status" in data and data["status"] not in ALLOWED_STATUSES:
raise HTTPException(status_code=400, detail="Invalid status")
# Enforce review workflow: agent assignees cannot mark tasks done directly.
if data.get("status") == "done":
assignee = (
session.get(Employee, task.assignee_employee_id) if task.assignee_employee_id else None
)
if assignee is not None and assignee.employee_type == "agent":
if actor_employee_id == task.assignee_employee_id:
raise HTTPException(
status_code=403,
detail="Assignee agents cannot mark tasks done; set status=review for manager approval",
)
if task.reviewer_employee_id is not None and actor_employee_id != task.reviewer_employee_id:
raise HTTPException(status_code=403, detail="Only the reviewer can mark a task done")
# If a task is sent to review and no reviewer is set, default reviewer to assignee's manager.
if (
data.get("status") in {"review", "ready_for_review"}
and data.get("reviewer_employee_id") is None
):
assignee_id = data.get("assignee_employee_id", task.assignee_employee_id)
if assignee_id is not None:
assignee = session.get(Employee, assignee_id)
if assignee is not None and assignee.manager_id is not None:
data["reviewer_employee_id"] = assignee.manager_id
for k, v in data.items():
setattr(task, k, v)
task.updated_at = datetime.utcnow()
session.add(task)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="task",
entity_id=task.id,
verb="updated",
payload=data,
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Task update violates constraints")
session.refresh(task)
# notify based on meaningful changes
changed = {}
if before.get("assignee_employee_id") != task.assignee_employee_id:
changed["assignee_employee_id"] = {
"from": before.get("assignee_employee_id"),
"to": task.assignee_employee_id,
}
background.add_task(
notify_openclaw,
NotifyContext(
event="task.assigned",
actor_employee_id=actor_employee_id,
task_id=task.id,
changed_fields=changed,
),
)
if before.get("status") != task.status:
changed["status"] = {"from": before.get("status"), "to": task.status}
background.add_task(
notify_openclaw,
NotifyContext(
event="status.changed",
actor_employee_id=actor_employee_id,
task_id=task.id,
changed_fields=changed,
),
)
if not changed and data:
background.add_task(
notify_openclaw,
NotifyContext(
event="task.updated",
actor_employee_id=actor_employee_id,
task_id=task.id,
changed_fields=data,
),
)
return Task.model_validate(task)
@router.delete("/tasks/{task_id}")
def delete_task(
task_id: int,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
logger.info("dispatch_task: called", extra={"task_id": task_id, "actor": actor_employee_id})
task = session.get(Task, task_id)
if not task:
raise HTTPException(status_code=404, detail="Task not found")
session.delete(task)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="task",
entity_id=task_id,
verb="deleted",
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Task delete violates constraints")
return {"ok": True}
@router.get("/task-comments", response_model=list[TaskComment])
def list_task_comments(task_id: int, session: Session = Depends(get_session)):
return session.exec(
select(TaskComment).where(TaskComment.task_id == task_id).order_by(TaskComment.id.asc())
).all()
@router.post("/task-comments", response_model=TaskComment)
def create_task_comment(
payload: TaskCommentCreate,
background: BackgroundTasks,
session: Session = Depends(get_session),
actor_employee_id: int = Depends(get_actor_employee_id),
):
# SECURITY / AUDIT: never allow spoofing comment authorship.
# The author is always the actor making the request.
payload = TaskCommentCreate(**{**payload.model_dump(), "author_employee_id": actor_employee_id})
c = TaskComment(**payload.model_dump())
session.add(c)
try:
session.flush()
log_activity(
session,
actor_employee_id=actor_employee_id,
entity_type="task",
entity_id=c.task_id,
verb="commented",
)
session.commit()
except IntegrityError:
session.rollback()
raise HTTPException(status_code=409, detail="Comment create violates constraints")
session.refresh(c)
task = session.get(Task, c.task_id)
if task is not None:
background.add_task(
notify_openclaw,
NotifyContext(
event="comment.created",
actor_employee_id=actor_employee_id,
task_id=task.id,
comment_id=c.id,
),
)
return TaskComment.model_validate(c)

0
backend/app/core/__init__.py Normal file
View File

97
backend/app/core/auth.py Normal file
View File

@@ -0,0 +1,97 @@
from __future__ import annotations
from dataclasses import dataclass
from functools import lru_cache
from typing import Literal
from fastapi import Depends, HTTPException, Request, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from fastapi_clerk_auth import ClerkConfig, ClerkHTTPBearer
from fastapi_clerk_auth import HTTPAuthorizationCredentials as ClerkCredentials
from pydantic import BaseModel, ValidationError
from sqlmodel import Session, select
from app.core.config import settings
from app.db.session import get_session
from app.models.users import User
security = HTTPBearer(auto_error=False)
class ClerkTokenPayload(BaseModel):
sub: str
@lru_cache
def _build_clerk_http_bearer(auto_error: bool) -> ClerkHTTPBearer:
if not settings.clerk_jwks_url:
raise RuntimeError("CLERK_JWKS_URL is not set.")
clerk_config = ClerkConfig(
jwks_url=settings.clerk_jwks_url,
verify_iat=settings.clerk_verify_iat,
leeway=settings.clerk_leeway,
)
return ClerkHTTPBearer(config=clerk_config, auto_error=auto_error, add_state=True)
@dataclass
class AuthContext:
actor_type: Literal["user"]
user: User | None = None
def _resolve_clerk_auth(
request: Request, fallback: ClerkCredentials | None
) -> ClerkCredentials | None:
auth_data = getattr(request.state, "clerk_auth", None)
return auth_data or fallback
def _parse_subject(auth_data: ClerkCredentials | None) -> str | None:
if not auth_data or not auth_data.decoded:
return None
payload = ClerkTokenPayload.model_validate(auth_data.decoded)
return payload.sub
async def get_auth_context(
request: Request,
credentials: HTTPAuthorizationCredentials | None = Depends(security),
session: Session = Depends(get_session),
) -> AuthContext:
if credentials is None:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
try:
guard = _build_clerk_http_bearer(auto_error=False)
clerk_credentials = await guard(request)
except (RuntimeError, ValueError) as exc:
raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR) from exc
except HTTPException as exc:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED) from exc
auth_data = _resolve_clerk_auth(request, clerk_credentials)
try:
clerk_user_id = _parse_subject(auth_data)
except ValidationError as exc:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED) from exc
if not clerk_user_id:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
user = session.exec(select(User).where(User.clerk_user_id == clerk_user_id)).first()
if user is None:
claims = auth_data.decoded if auth_data and auth_data.decoded else {}
user = User(
clerk_user_id=clerk_user_id,
email=claims.get("email"),
name=claims.get("name"),
)
session.add(user)
session.commit()
session.refresh(user)
return AuthContext(
actor_type="user",
user=user,
)

25
backend/app/core/config.py
View File

@@ -4,10 +4,29 @@ from pydantic_settings import BaseSettings, SettingsConfigDict
class Settings(BaseSettings):
model_config = SettingsConfigDict(env_file=".env", extra="ignore")
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8",
extra="ignore",
)
environment: str = "dev"
database_url: str = "postgresql+psycopg://postgres:postgres@localhost:5432/openclaw_agency"
redis_url: str = "redis://localhost:6379/0"
# Clerk auth (auth only; roles stored in DB)
clerk_jwks_url: str = ""
clerk_verify_iat: bool = True
clerk_leeway: float = 10.0
# OpenClaw Gateway
openclaw_gateway_url: str = ""
openclaw_gateway_token: str = ""
database_url: str
cors_origins: str = ""
# Database lifecycle
db_auto_migrate: bool = False
settings = Settings() # type: ignore
settings = Settings()

60
backend/app/core/logging.py
View File

@@ -2,59 +2,13 @@ from __future__ import annotations
import logging
import os
import sys
from typing import Any
def _level() -> str:
return (os.environ.get("LOG_LEVEL") or os.environ.get("UVICORN_LOG_LEVEL") or "INFO").upper()
def configure_logging() -> None:
"""Configure app logging to stream to stdout.
Uvicorn already logs requests, but we want our app/integrations logs to be visible
in the same console stream.
"""
level = getattr(logging, _level(), logging.INFO)
root = logging.getLogger()
root.setLevel(level)
# Avoid duplicate handlers (e.g., when autoreload imports twice)
if not any(isinstance(h, logging.StreamHandler) for h in root.handlers):
handler = logging.StreamHandler(sys.stdout)
handler.setLevel(level)
formatter = logging.Formatter(
fmt="%(asctime)s | %(levelname)s | %(name)s | %(message)s",
datefmt="%Y-%m-%dT%H:%M:%SZ",
)
handler.setFormatter(formatter)
root.addHandler(handler)
# Make common noisy loggers respect our level
for name in [
"uvicorn",
"uvicorn.error",
"uvicorn.access",
"httpx",
"requests",
]:
logging.getLogger(name).setLevel(level)
# Hide SQLAlchemy engine chatter unless explicitly debugging.
# (You can still enable it by setting LOG_LEVEL=DEBUG and adjusting this.)
logging.getLogger("sqlalchemy").setLevel(logging.WARNING)
logging.getLogger("sqlalchemy.engine").setLevel(logging.WARNING)
logging.getLogger("sqlalchemy.pool").setLevel(logging.WARNING)
logging.getLogger("sqlalchemy.dialects").setLevel(logging.WARNING)
def log_kv(logger: logging.Logger, msg: str, **kv: Any) -> None:
# Lightweight key-value logging without requiring JSON logging.
if kv:
suffix = " ".join(f"{k}={v!r}" for k, v in kv.items())
logger.info(f"{msg} | {suffix}")
else:
logger.info(msg)
level_name = os.getenv("LOG_LEVEL", "INFO").upper()
level = logging._nameToLevel.get(level_name, logging.INFO)
logging.basicConfig(
level=level,
format="%(asctime)s %(levelname)s %(name)s %(message)s",
force=True,
)

35
backend/app/core/urls.py
View File

@@ -1,35 +0,0 @@
from __future__ import annotations
def public_api_base_url() -> str:
"""Return a LAN-reachable base URL for the Mission Control API.
Priority:
1) MISSION_CONTROL_BASE_URL env var (recommended)
2) First non-loopback IPv4 from `hostname -I`
Never returns localhost because agents may run on another machine.
"""
import os
import re
import subprocess
explicit = os.environ.get("MISSION_CONTROL_BASE_URL")
if explicit:
return explicit.rstrip("/")
try:
out = subprocess.check_output(["bash", "-lc", "hostname -I"], text=True).strip()
ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", out)
for ip in ips:
if ip.startswith("127."):
continue
if ip.startswith("172.17."):
continue
if ip.startswith(("192.168.", "10.", "172.")):
return f"http://{ip}:8000"
except Exception:
pass
return "http://<dev-machine-ip>:8000"

0
backend/app/db/__init__.py Normal file
View File

33
backend/app/db/session.py
View File

@@ -1,16 +1,45 @@
from __future__ import annotations
import logging
from collections.abc import Generator
from pathlib import Path
from sqlmodel import Session, SQLModel, create_engine
from alembic import command
from alembic.config import Config
from app import models # noqa: F401
from app.core.config import settings
engine = create_engine(settings.database_url, echo=False)
engine = create_engine(settings.database_url, pool_pre_ping=True)
logger = logging.getLogger(__name__)
def _alembic_config() -> Config:
alembic_ini = Path(__file__).resolve().parents[2] / "alembic.ini"
alembic_cfg = Config(str(alembic_ini))
alembic_cfg.attributes["configure_logger"] = False
return alembic_cfg
def run_migrations() -> None:
logger.info("Running database migrations.")
command.upgrade(_alembic_config(), "head")
logger.info("Database migrations complete.")
def init_db() -> None:
if settings.db_auto_migrate:
versions_dir = Path(__file__).resolve().parents[2] / "alembic" / "versions"
if any(versions_dir.glob("*.py")):
logger.info("Running Alembic migrations on startup")
run_migrations()
return
logger.warning("No Alembic revisions found; falling back to create_all")
SQLModel.metadata.create_all(engine)
def get_session():
def get_session() -> Generator[Session, None, None]:
with Session(engine) as session:
yield session

0
backend/app/integrations/__init__.py Normal file
View File

282
backend/app/integrations/notify.py
View File

@@ -1,282 +0,0 @@
from __future__ import annotations
import logging
from dataclasses import dataclass
from typing import Iterable
from sqlmodel import Session, select
from app.db.session import engine
from app.integrations.openclaw import OpenClawClient
from app.models.org import Employee
from app.models.projects import ProjectMember
from app.models.work import Task, TaskComment
logger = logging.getLogger("app.notify")
@dataclass(frozen=True)
class NotifyContext:
"""Notification context.
IMPORTANT: this is passed into FastAPI BackgroundTasks.
Do not store live SQLAlchemy/SQLModel objects here; only ids/primitive data.
"""
event: str # task.created | task.updated | task.assigned | comment.created | status.changed
actor_employee_id: int
task_id: int
comment_id: int | None = None
changed_fields: dict | None = None
def _employees_with_session_keys(session: Session, employee_ids: Iterable[int]) -> list[Employee]:
ids = sorted({i for i in employee_ids if i is not None})
if not ids:
return []
emps = session.exec(select(Employee).where(Employee.id.in_(ids))).all()
out: list[Employee] = []
for e in emps:
if not getattr(e, "notify_enabled", True):
continue
if getattr(e, "openclaw_session_key", None):
out.append(e)
return out
def _project_pm_employee_ids(session: Session, project_id: int) -> set[int]:
pms = session.exec(select(ProjectMember).where(ProjectMember.project_id == project_id)).all()
pm_ids: set[int] = set()
for m in pms:
role = (m.role or "").lower()
if role in {"pm", "product", "product_manager", "manager"}:
pm_ids.add(m.employee_id)
return pm_ids
def resolve_recipients(
session: Session, ctx: NotifyContext, task: Task, comment: TaskComment | None
) -> set[int]:
recipients: set[int] = set()
if ctx.event == "task.created":
if task.assignee_employee_id:
recipients.add(task.assignee_employee_id)
recipients |= _project_pm_employee_ids(session, task.project_id)
elif ctx.event == "task.assigned":
if task.assignee_employee_id:
recipients.add(task.assignee_employee_id)
recipients |= _project_pm_employee_ids(session, task.project_id)
elif ctx.event == "comment.created":
if task.assignee_employee_id:
recipients.add(task.assignee_employee_id)
if task.reviewer_employee_id:
recipients.add(task.reviewer_employee_id)
recipients |= _project_pm_employee_ids(session, task.project_id)
if comment and comment.author_employee_id:
recipients.discard(comment.author_employee_id)
elif ctx.event == "status.changed":
new_status = (getattr(task, "status", None) or "").lower()
if new_status in {"review", "ready_for_review"} and task.reviewer_employee_id:
recipients.add(task.reviewer_employee_id)
recipients |= _project_pm_employee_ids(session, task.project_id)
elif ctx.event == "task.updated":
recipients |= _project_pm_employee_ids(session, task.project_id)
recipients.discard(ctx.actor_employee_id)
return recipients
def ensure_employee_provisioned(session: Session, employee_id: int) -> None:
"""Best-effort provisioning of a reviewer/manager so notifications can be delivered."""
emp = session.get(Employee, employee_id)
if emp is None:
return
if not getattr(emp, "notify_enabled", True):
return
if getattr(emp, "openclaw_session_key", None):
return
client = OpenClawClient.from_env()
if client is None:
logger.warning(
"ensure_employee_provisioned: missing OpenClaw env", extra={"employee_id": employee_id}
)
return
prompt = (
f"You are {emp.name} (employee_id={emp.id}).\n"
"You are a reviewer/manager in Mission Control.\n\n"
"Your job is to REVIEW work within the bounds of what the task requester asked for, using only the task + comments + current system state.\n"
"Do NOT wait for the requester to provide more info by default.\n\n"
"When a task is in review you must:\n"
"1) Read the task title/description and all comments\n"
"2) Verify the requested changes were actually made (check via Mission Control API if needed)\n"
"3) Decide: approve or request changes\n"
"4) Leave an audit comment explaining your decision (required)\n\n"
"If something is ambiguous or missing, request changes with a clear checklist. Only ask the human if it's truly impossible to decide.\n"
)
try:
res = client.tools_invoke(
"sessions_spawn",
{"task": prompt, "label": f"employee:{emp.id}:{emp.name}"},
timeout_s=20.0,
)
details = (res.get("result") or {}).get("details") or {}
sk = details.get("childSessionKey") or details.get("sessionKey")
if sk:
emp.openclaw_session_key = sk
session.add(emp)
session.commit()
logger.info(
"ensure_employee_provisioned: provisioned",
extra={"employee_id": emp.id, "session_key": sk},
)
except Exception:
session.rollback()
logger.exception("ensure_employee_provisioned: failed", extra={"employee_id": employee_id})
def build_message(
*,
ctx: NotifyContext,
task: Task,
comment: TaskComment | None,
recipient: Employee,
base_url: str,
) -> str:
base = f"Task #{task.id}: {task.title}" if task.id is not None else f"Task: {task.title}"
if ctx.event in {"task.created", "task.assigned"} and recipient.employee_type == "agent":
desc = (task.description or "").strip()
if len(desc) > 500:
desc = desc[:497] + "..."
desc_block = f"\n\nDescription:\n{desc}" if desc else ""
return (
f"{base}\n\n"
f"Set BASE={base_url}\n\n"
"You are the assignee. Start NOW (use the exec tool to run these curl commands):\n"
f"1) curl -sS -X PATCH $BASE/tasks/{task.id} -H 'X-Actor-Employee-Id: {recipient.id}' -H 'Content-Type: application/json' -d '{{\"status\":\"in_progress\"}}'\n"
f"2) curl -sS -X POST $BASE/task-comments -H 'X-Actor-Employee-Id: {recipient.id}' -H 'Content-Type: application/json' -d '{{\"task_id\":{task.id},\"body\":\"Plan: ... Next: ...\"}}'\n"
"3) Do the work\n"
"4) Post progress updates via POST $BASE/task-comments (same headers)\n"
f"5) When complete: set status=review (assignee cannot set done) and wait for manager approval\n"
f"{desc_block}"
)
if ctx.event == "comment.created":
snippet = ""
if comment and comment.body:
snippet = comment.body.strip().replace("\n", " ")
if len(snippet) > 180:
snippet = snippet[:177] + "..."
snippet = f"\nComment: {snippet}"
return f"New comment on {base}.{snippet}\nPlease review and respond in Mission Control."
if ctx.event == "status.changed":
new_status = (getattr(task, "status", None) or "").lower()
if new_status in {"review", "ready_for_review"}:
return (
f"Review requested for {base}.\n"
"As the reviewer/manager, you must:\n"
"1) Read the task + latest assignee comments\n"
"2) Decide: approve or request changes\n"
"3) Leave an audit comment explaining your decision (required)\n"
f"4) Submit decision via POST /tasks/{task.id}/review (decision=approve|changes)\n"
"Approve → task becomes done. Changes → task returns to in_progress and assignee is notified."
)
return (
f"Status changed on {base}{task.status}.\n"
"Please review and respond in Mission Control."
)
if ctx.event == "task.created":
return f"New task created: {base}.\nPlease review and respond in Mission Control."
if ctx.event == "task.assigned":
return f"Assigned: {base}.\nPlease review and respond in Mission Control."
return f"Update on {base}.\nPlease review and respond in Mission Control."
def notify_openclaw(ctx: NotifyContext) -> None:
"""Send OpenClaw notifications.
Runs in BackgroundTasks; opens its own DB session for safety.
"""
client = OpenClawClient.from_env()
logger.info(
"notify_openclaw: start",
extra={"event": ctx.event, "task_id": ctx.task_id, "actor": ctx.actor_employee_id},
)
if client is None:
logger.warning("notify_openclaw: skipped (missing OpenClaw env)")
return
with Session(engine) as session:
task = session.get(Task, ctx.task_id)
if task is None:
logger.warning("notify_openclaw: task not found", extra={"task_id": ctx.task_id})
return
comment = session.get(TaskComment, ctx.comment_id) if ctx.comment_id else None
if ctx.event == "status.changed":
new_status = (getattr(task, "status", None) or "").lower()
if new_status in {"review", "ready_for_review"} and task.reviewer_employee_id:
ensure_employee_provisioned(session, int(task.reviewer_employee_id))
recipient_ids = resolve_recipients(session, ctx, task, comment)
logger.info(
"notify_openclaw: recipients resolved", extra={"recipient_ids": sorted(recipient_ids)}
)
recipients = _employees_with_session_keys(session, recipient_ids)
if not recipients:
logger.info("notify_openclaw: no recipients with session keys")
return
# base URL used in agent messages
base_url = __import__(
"app.core.urls", fromlist=["public_api_base_url"]
).public_api_base_url()
for e in recipients:
sk = getattr(e, "openclaw_session_key", None)
if not sk:
continue
message = build_message(
ctx=ctx,
task=task,
comment=comment,
recipient=e,
base_url=base_url,
)
try:
client.tools_invoke(
"sessions_send",
{"sessionKey": sk, "message": message},
timeout_s=30.0,
)
except Exception:
# keep the log, but avoid giant stack spam unless debugging
logger.warning(
"notify_openclaw: sessions_send failed",
extra={
"event": ctx.event,
"task_id": ctx.task_id,
"to_employee_id": getattr(e, "id", None),
"session_key": sk,
},
)
continue

88
backend/app/integrations/openclaw.py
View File

@@ -1,88 +0,0 @@
from __future__ import annotations
import logging
import os
import time
from typing import Any
import requests
from requests.exceptions import ReadTimeout, RequestException
logger = logging.getLogger("app.openclaw")
class OpenClawClient:
def __init__(self, base_url: str, token: str):
self.base_url = base_url.rstrip("/")
self.token = token
@classmethod
def from_env(cls) -> "OpenClawClient | None":
# Ensure .env is loaded into os.environ (pydantic Settings reads env_file but
# does not automatically populate os.environ).
try:
from dotenv import load_dotenv
load_dotenv(override=False)
except Exception:
pass
url = os.environ.get("OPENCLAW_GATEWAY_URL")
token = os.environ.get("OPENCLAW_GATEWAY_TOKEN")
if not url or not token:
return None
return cls(url, token)
def tools_invoke(
self,
tool: str,
args: dict[str, Any],
*,
session_key: str | None = None,
timeout_s: float = 10.0,
) -> dict[str, Any]:
payload: dict[str, Any] = {"tool": tool, "args": args}
logger.info(
"openclaw.tools_invoke",
extra={"tool": tool, "has_session_key": bool(session_key), "timeout_s": timeout_s},
)
if session_key is not None:
payload["sessionKey"] = session_key
last_err: Exception | None = None
# Retry a few times; the gateway can be busy and respond slowly.
for attempt in range(4):
try:
r = requests.post(
f"{self.base_url}/tools/invoke",
headers={
"Authorization": f"Bearer {self.token}",
"Content-Type": "application/json",
},
json=payload,
# connect timeout, read timeout
timeout=(2.0, timeout_s),
)
r.raise_for_status()
logger.info(
"openclaw.tools_invoke: ok",
extra={"tool": tool, "status": r.status_code, "attempt": attempt + 1},
)
return r.json()
except ReadTimeout as e:
last_err = e
logger.warning(
"openclaw.tools_invoke: timeout",
extra={"tool": tool, "attempt": attempt + 1, "timeout_s": timeout_s},
)
time.sleep(0.5 * (2**attempt))
except RequestException as e:
last_err = e
logger.warning(
"openclaw.tools_invoke: request error",
extra={"tool": tool, "attempt": attempt + 1, "error": str(e)},
)
time.sleep(0.5 * (2**attempt))
assert last_err is not None
raise last_err

129
backend/app/integrations/openclaw_agents.py
View File

@@ -1,129 +0,0 @@
from __future__ import annotations
import json
import re
import time
from typing import Any
from app.integrations.openclaw import OpenClawClient
def _slug(s: str) -> str:
s = (s or "").strip().lower()
s = re.sub(r"[^a-z0-9]+", "-", s)
s = re.sub(r"-+", "-", s).strip("-")
return s or "agent"
def desired_agent_id(*, employee_id: int, name: str) -> str:
return f"employee-{employee_id}-{_slug(name)}"
def ensure_full_agent_profile(
*,
client: OpenClawClient,
employee_id: int,
employee_name: str,
) -> dict[str, str]:
"""Ensure an OpenClaw agent profile exists for this employee.
Returns {"agent_id": ..., "workspace": ...}.
Implementation strategy:
- Create per-agent workspace + agent dir on the gateway host.
- Add/ensure entry in openclaw.json agents.list.
NOTE: This uses OpenClaw gateway tools via /tools/invoke (gateway + exec).
"""
agent_id = desired_agent_id(employee_id=employee_id, name=employee_name)
workspace = f"/home/asaharan/.openclaw/workspaces/{agent_id}"
agent_dir = f"/home/asaharan/.openclaw/agents/{agent_id}/agent"
# 1) Create dirs
client.tools_invoke(
"exec",
{
"command": f"mkdir -p {workspace} {agent_dir}",
},
timeout_s=20.0,
)
# 2) Write minimal identity files in the per-agent workspace
identity_md = (
"# IDENTITY.md\n\n"
"- **Name:** " + employee_name + "\n"
"- **Creature:** AI agent employee (Mission Control)\n"
"- **Vibe:** Direct, action-oriented, leaves audit trails\n"
)
user_md = (
"# USER.md\n\n"
"You work for Abhimanyu.\n"
"You must execute Mission Control tasks via the API and keep state synced.\n"
)
# Use cat heredocs to avoid dependency on extra tooling.
client.tools_invoke(
"exec",
{
"command": "bash -lc "
+ json.dumps(
"""
cat > {ws}/IDENTITY.md <<'EOF'
{identity}
EOF
cat > {ws}/USER.md <<'EOF'
{user}
EOF
""".format(ws=workspace, identity=identity_md, user=user_md)
),
},
timeout_s=20.0,
)
# 3) Update openclaw.json agents.list (idempotent)
cfg_resp = client.tools_invoke("gateway", {"action": "config.get"}, timeout_s=20.0)
raw = (
(((cfg_resp or {}).get("result") or {}).get("content") or [{}])[0].get("text")
if isinstance((((cfg_resp or {}).get("result") or {}).get("content") or [{}]), list)
else None
)
if not raw:
# fallback: tool may return {ok:true,result:{raw:...}}
raw = ((cfg_resp.get("result") or {}).get("raw")) if isinstance(cfg_resp, dict) else None
if not raw:
raise RuntimeError("Unable to read gateway config via tools")
cfg = json.loads(raw)
agents = cfg.get("agents") or {}
agents_list = agents.get("list") or []
if not isinstance(agents_list, list):
agents_list = []
exists = any(isinstance(a, dict) and a.get("id") == agent_id for a in agents_list)
if not exists:
agents_list.append(
{
"id": agent_id,
"name": employee_name,
"workspace": workspace,
"agentDir": agent_dir,
"identity": {"name": employee_name, "emoji": "🜁"},
}
)
agents["list"] = agents_list
cfg["agents"] = agents
client.tools_invoke(
"gateway",
{"action": "config.apply", "raw": json.dumps(cfg)},
timeout_s=30.0,
)
# give the gateway a moment to reload the agent registry
time.sleep(2.5)
return {"agent_id": agent_id, "workspace": workspace}

126
backend/app/integrations/openclaw_gateway.py Normal file
View File

@@ -0,0 +1,126 @@
from __future__ import annotations
import asyncio
import json
from dataclasses import dataclass
from typing import Any
from urllib.parse import urlencode, urlparse, urlunparse
from uuid import uuid4
import websockets
from app.core.config import settings
class OpenClawGatewayError(RuntimeError):
pass
@dataclass
class OpenClawResponse:
payload: Any
def _build_gateway_url() -> str:
base_url = settings.openclaw_gateway_url or "ws://127.0.0.1:18789"
token = settings.openclaw_gateway_token
if not token:
return base_url
parsed = urlparse(base_url)
query = urlencode({"token": token})
return urlunparse(parsed._replace(query=query))
async def _await_response(ws: websockets.WebSocketClientProtocol, request_id: str) -> Any:
while True:
raw = await ws.recv()
data = json.loads(raw)
if data.get("type") == "res" and data.get("id") == request_id:
if data.get("ok") is False:
error = data.get("error", {}).get("message", "Gateway error")
raise OpenClawGatewayError(error)
return data.get("payload")
if data.get("id") == request_id:
if data.get("error"):
raise OpenClawGatewayError(data["error"].get("message", "Gateway error"))
return data.get("result")
async def _send_request(
ws: websockets.WebSocketClientProtocol, method: str, params: dict[str, Any] | None
) -> Any:
request_id = str(uuid4())
message = {"type": "req", "id": request_id, "method": method, "params": params or {}}
await ws.send(json.dumps(message))
return await _await_response(ws, request_id)
async def _handle_challenge(
ws: websockets.WebSocketClientProtocol, first_message: str | None
) -> None:
if not first_message:
return
data = json.loads(first_message)
if data.get("type") != "event" or data.get("event") != "connect.challenge":
return
connect_id = str(uuid4())
response = {
"type": "req",
"id": connect_id,
"method": "connect",
"params": {
"minProtocol": 3,
"maxProtocol": 3,
"client": {
"id": "gateway-client",
"version": "1.0.0",
"platform": "web",
"mode": "ui",
},
"auth": {"token": settings.openclaw_gateway_token},
},
}
await ws.send(json.dumps(response))
await _await_response(ws, connect_id)
async def openclaw_call(method: str, params: dict[str, Any] | None = None) -> Any:
gateway_url = _build_gateway_url()
try:
async with websockets.connect(gateway_url, ping_interval=None) as ws:
first_message = None
try:
first_message = await asyncio.wait_for(ws.recv(), timeout=2)
except asyncio.TimeoutError:
first_message = None
await _handle_challenge(ws, first_message)
return await _send_request(ws, method, params)
except OpenClawGatewayError:
raise
except Exception as exc: # pragma: no cover - network errors
raise OpenClawGatewayError(str(exc)) from exc
async def send_message(
message: str,
*,
session_key: str,
deliver: bool = False,
) -> Any:
params: dict[str, Any] = {
"sessionKey": session_key,
"message": message,
"deliver": deliver,
"idempotencyKey": str(uuid4()),
}
return await openclaw_call("chat.send", params)
async def get_chat_history(session_key: str, limit: int | None = None) -> Any:
params: dict[str, Any] = {"sessionKey": session_key}
if limit is not None:
params["limit"] = limit
return await openclaw_call("chat.history", params)

32
backend/app/main.py
View File

@@ -1,19 +1,21 @@
from __future__ import annotations
from fastapi import FastAPI
from fastapi import APIRouter, FastAPI
from fastapi.middleware.cors import CORSMiddleware
from app.api.activities import router as activities_router
from app.api.org import router as org_router
from app.api.projects import router as projects_router
from app.api.work import router as work_router
from app.api.activity import router as activity_router
from app.api.agents import router as agents_router
from app.api.auth import router as auth_router
from app.api.boards import router as boards_router
from app.api.gateway import router as gateway_router
from app.api.tasks import router as tasks_router
from app.core.config import settings
from app.core.logging import configure_logging
from app.db.session import init_db
configure_logging()
app = FastAPI(title="OpenClaw Agency API", version="0.3.0")
app = FastAPI(title="Mission Control API", version="0.1.0")
origins = [o.strip() for o in settings.cors_origins.split(",") if o.strip()]
if origins:
@@ -31,12 +33,16 @@ def on_startup() -> None:
init_db()
app.include_router(org_router)
app.include_router(projects_router)
app.include_router(work_router)
app.include_router(activities_router)
@app.get("/health")
def health():
def health() -> dict[str, bool]:
return {"ok": True}
api_v1 = APIRouter(prefix="/api/v1")
api_v1.include_router(auth_router)
api_v1.include_router(agents_router)
api_v1.include_router(activity_router)
api_v1.include_router(gateway_router)
api_v1.include_router(boards_router)
api_v1.include_router(tasks_router)
app.include_router(api_v1)

20
backend/app/models/__init__.py
View File

@@ -1,15 +1,13 @@
from app.models.activity import Activity
from app.models.org import Department, Employee, Team
from app.models.projects import Project, ProjectMember
from app.models.work import Task, TaskComment
from app.models.activity_events import ActivityEvent
from app.models.agents import Agent
from app.models.boards import Board
from app.models.tasks import Task
from app.models.users import User
__all__ = [
"Department",
"Employee",
"Team",
"Project",
"ProjectMember",
"ActivityEvent",
"Agent",
"Board",
"Task",
"TaskComment",
"Activity",
"User",
]

19
backend/app/models/activity.py
View File

@@ -1,19 +0,0 @@
from __future__ import annotations
from datetime import datetime
from sqlmodel import Field, SQLModel
class Activity(SQLModel, table=True):
__tablename__ = "activities"
id: int | None = Field(default=None, primary_key=True)
actor_employee_id: int | None = Field(default=None, foreign_key="employees.id")
entity_type: str
entity_id: int | None = None
verb: str
payload_json: str | None = None
created_at: datetime = Field(default_factory=datetime.utcnow)

17
backend/app/models/activity_events.py Normal file
View File

@@ -0,0 +1,17 @@
from __future__ import annotations
from datetime import datetime
from uuid import UUID, uuid4
from sqlmodel import Field, SQLModel
class ActivityEvent(SQLModel, table=True):
__tablename__ = "activity_events"
id: UUID = Field(default_factory=uuid4, primary_key=True)
event_type: str = Field(index=True)
message: str | None = None
agent_id: UUID | None = Field(default=None, foreign_key="agents.id", index=True)
task_id: UUID | None = Field(default=None, foreign_key="tasks.id", index=True)
created_at: datetime = Field(default_factory=datetime.utcnow)

18
backend/app/models/agents.py Normal file
View File

@@ -0,0 +1,18 @@
from __future__ import annotations
from datetime import datetime
from uuid import UUID, uuid4
from sqlmodel import Field, SQLModel
class Agent(SQLModel, table=True):
__tablename__ = "agents"
id: UUID = Field(default_factory=uuid4, primary_key=True)
name: str = Field(index=True)
status: str = Field(default="online", index=True)
openclaw_session_id: str | None = Field(default=None, index=True)
last_seen_at: datetime = Field(default_factory=datetime.utcnow)
created_at: datetime = Field(default_factory=datetime.utcnow)
updated_at: datetime = Field(default_factory=datetime.utcnow)

18
backend/app/models/boards.py Normal file
View File

@@ -0,0 +1,18 @@
from __future__ import annotations
from datetime import datetime
from uuid import UUID, uuid4
from sqlmodel import Field
from app.models.tenancy import TenantScoped
class Board(TenantScoped, table=True):
__tablename__ = "boards"
id: UUID = Field(default_factory=uuid4, primary_key=True)
name: str
slug: str = Field(index=True)
created_at: datetime = Field(default_factory=datetime.utcnow)
updated_at: datetime = Field(default_factory=datetime.utcnow)

40
backend/app/models/org.py
View File

@@ -1,40 +0,0 @@
from __future__ import annotations
from sqlmodel import Field, SQLModel
class Department(SQLModel, table=True):
__tablename__ = "departments"
id: int | None = Field(default=None, primary_key=True)
name: str = Field(index=True, unique=True)
head_employee_id: int | None = Field(default=None, foreign_key="employees.id")
class Team(SQLModel, table=True):
__tablename__ = "teams"
id: int | None = Field(default=None, primary_key=True)
name: str = Field(index=True)
department_id: int = Field(foreign_key="departments.id")
lead_employee_id: int | None = Field(default=None, foreign_key="employees.id")
class Employee(SQLModel, table=True):
__tablename__ = "employees"
id: int | None = Field(default=None, primary_key=True)
name: str
employee_type: str # human | agent
department_id: int | None = Field(default=None, foreign_key="departments.id")
team_id: int | None = Field(default=None, foreign_key="teams.id")
manager_id: int | None = Field(default=None, foreign_key="employees.id")
title: str | None = None
status: str = Field(default="active")
# OpenClaw integration
openclaw_session_key: str | None = None
notify_enabled: bool = Field(default=True)

23
backend/app/models/projects.py
View File

@@ -1,23 +0,0 @@
from __future__ import annotations
from sqlmodel import Field, SQLModel
class Project(SQLModel, table=True):
__tablename__ = "projects"
id: int | None = Field(default=None, primary_key=True)
name: str = Field(index=True, unique=True)
status: str = Field(default="active")
# Project ownership: projects are assigned to teams (not departments)
team_id: int | None = Field(default=None, foreign_key="teams.id")
class ProjectMember(SQLModel, table=True):
__tablename__ = "project_members"
id: int | None = Field(default=None, primary_key=True)
project_id: int = Field(foreign_key="projects.id")
employee_id: int = Field(foreign_key="employees.id")
role: str | None = None

26
backend/app/models/tasks.py Normal file
View File

@@ -0,0 +1,26 @@
from __future__ import annotations
from datetime import datetime
from uuid import UUID, uuid4
from sqlmodel import Field
from app.models.tenancy import TenantScoped
class Task(TenantScoped, table=True):
__tablename__ = "tasks"
id: UUID = Field(default_factory=uuid4, primary_key=True)
board_id: UUID | None = Field(default=None, foreign_key="boards.id", index=True)
title: str
description: str | None = None
status: str = Field(default="inbox", index=True)
priority: str = Field(default="medium", index=True)
due_at: datetime | None = None
created_by_user_id: UUID | None = Field(default=None, foreign_key="users.id", index=True)
created_at: datetime = Field(default_factory=datetime.utcnow)
updated_at: datetime = Field(default_factory=datetime.utcnow)

7
backend/app/models/tenancy.py Normal file
View File

@@ -0,0 +1,7 @@
from __future__ import annotations
from sqlmodel import SQLModel
class TenantScoped(SQLModel, table=False):
pass

15
backend/app/models/users.py Normal file
View File

@@ -0,0 +1,15 @@
from __future__ import annotations
from uuid import UUID, uuid4
from sqlmodel import Field, SQLModel
class User(SQLModel, table=True):
__tablename__ = "users"
id: UUID = Field(default_factory=uuid4, primary_key=True)
clerk_user_id: str = Field(index=True, unique=True)
email: str | None = Field(default=None, index=True)
name: str | None = None
is_super_admin: bool = Field(default=False)

38
backend/app/models/work.py
View File

@@ -1,38 +0,0 @@
from __future__ import annotations
from datetime import datetime
from sqlmodel import Field, SQLModel
class Task(SQLModel, table=True):
__tablename__ = "tasks"
id: int | None = Field(default=None, primary_key=True)
project_id: int = Field(foreign_key="projects.id", index=True)
title: str
description: str | None = None
status: str = Field(default="backlog", index=True)
assignee_employee_id: int | None = Field(default=None, foreign_key="employees.id")
reviewer_employee_id: int | None = Field(default=None, foreign_key="employees.id")
created_by_employee_id: int | None = Field(default=None, foreign_key="employees.id")
created_at: datetime = Field(default_factory=datetime.utcnow)
updated_at: datetime = Field(default_factory=datetime.utcnow)
class TaskComment(SQLModel, table=True):
__tablename__ = "task_comments"
id: int | None = Field(default=None, primary_key=True)
task_id: int = Field(foreign_key="tasks.id", index=True)
author_employee_id: int | None = Field(default=None, foreign_key="employees.id")
# Optional reply threading
reply_to_comment_id: int | None = Field(default=None, foreign_key="task_comments.id")
body: str
created_at: datetime = Field(default_factory=datetime.utcnow)

20
backend/app/schemas/__init__.py Normal file
View File

@@ -0,0 +1,20 @@
from app.schemas.activity_events import ActivityEventRead
from app.schemas.agents import AgentCreate, AgentRead, AgentUpdate
from app.schemas.boards import BoardCreate, BoardRead, BoardUpdate
from app.schemas.tasks import TaskCreate, TaskRead, TaskUpdate
from app.schemas.users import UserCreate, UserRead
__all__ = [
"ActivityEventRead",
"AgentCreate",
"AgentRead",
"AgentUpdate",
"BoardCreate",
"BoardRead",
"BoardUpdate",
"TaskCreate",
"TaskRead",
"TaskUpdate",
"UserCreate",
"UserRead",
]

15
backend/app/schemas/activity_events.py Normal file
View File

@@ -0,0 +1,15 @@
from __future__ import annotations
from datetime import datetime
from uuid import UUID
from sqlmodel import SQLModel
class ActivityEventRead(SQLModel):
id: UUID
event_type: str
message: str | None
agent_id: UUID | None
task_id: UUID | None
created_at: datetime

36
backend/app/schemas/agents.py Normal file
View File

@@ -0,0 +1,36 @@
from __future__ import annotations
from datetime import datetime
from uuid import UUID
from sqlmodel import SQLModel
class AgentBase(SQLModel):
name: str
status: str = "online"
class AgentCreate(AgentBase):
pass
class AgentUpdate(SQLModel):
name: str | None = None
status: str | None = None
class AgentRead(AgentBase):
id: UUID
openclaw_session_id: str | None = None
last_seen_at: datetime
created_at: datetime
updated_at: datetime
class AgentHeartbeat(SQLModel):
status: str | None = None
class AgentHeartbeatCreate(AgentHeartbeat):
name: str

26
backend/app/schemas/boards.py Normal file
View File

@@ -0,0 +1,26 @@
from __future__ import annotations
from datetime import datetime
from uuid import UUID
from sqlmodel import SQLModel
class BoardBase(SQLModel):
name: str
slug: str
class BoardCreate(BoardBase):
pass
class BoardUpdate(SQLModel):
name: str | None = None
slug: str | None = None
class BoardRead(BoardBase):
id: UUID
created_at: datetime
updated_at: datetime

53
backend/app/schemas/org.py
View File

@@ -1,53 +0,0 @@
from __future__ import annotations
from sqlmodel import SQLModel
class DepartmentCreate(SQLModel):
name: str
head_employee_id: int | None = None
class DepartmentUpdate(SQLModel):
name: str | None = None
head_employee_id: int | None = None
class TeamCreate(SQLModel):
name: str
department_id: int
lead_employee_id: int | None = None
class TeamUpdate(SQLModel):
name: str | None = None
department_id: int | None = None
lead_employee_id: int | None = None
class EmployeeCreate(SQLModel):
name: str
employee_type: str
department_id: int | None = None
team_id: int | None = None
manager_id: int | None = None
title: str | None = None
status: str = "active"
# OpenClaw integration
openclaw_session_key: str | None = None
notify_enabled: bool = True
class EmployeeUpdate(SQLModel):
name: str | None = None
employee_type: str | None = None
department_id: int | None = None
team_id: int | None = None
manager_id: int | None = None
title: str | None = None
status: str | None = None
# OpenClaw integration
openclaw_session_key: str | None = None
notify_enabled: bool | None = None

15
backend/app/schemas/projects.py
View File

@@ -1,15 +0,0 @@
from __future__ import annotations
from sqlmodel import SQLModel
class ProjectCreate(SQLModel):
name: str
status: str = "active"
team_id: int | None = None
class ProjectUpdate(SQLModel):
name: str | None = None
status: str | None = None
team_id: int | None = None

34
backend/app/schemas/tasks.py Normal file
View File

@@ -0,0 +1,34 @@
from __future__ import annotations
from datetime import datetime
from uuid import UUID
from sqlmodel import SQLModel
class TaskBase(SQLModel):
title: str
description: str | None = None
status: str = "inbox"
priority: str = "medium"
due_at: datetime | None = None
class TaskCreate(TaskBase):
created_by_user_id: UUID | None = None
class TaskUpdate(SQLModel):
title: str | None = None
description: str | None = None
status: str | None = None
priority: str | None = None
due_at: datetime | None = None
class TaskRead(TaskBase):
id: UUID
board_id: UUID | None
created_by_user_id: UUID | None
created_at: datetime
updated_at: datetime

20
backend/app/schemas/users.py Normal file
View File

@@ -0,0 +1,20 @@
from __future__ import annotations
from uuid import UUID
from sqlmodel import SQLModel
class UserBase(SQLModel):
clerk_user_id: str
email: str | None = None
name: str | None = None
class UserCreate(UserBase):
pass
class UserRead(UserBase):
id: UUID
is_super_admin: bool

33
backend/app/schemas/work.py
View File

@@ -1,33 +0,0 @@
from __future__ import annotations
from sqlmodel import SQLModel
class TaskCreate(SQLModel):
project_id: int
title: str
description: str | None = None
status: str = "backlog"
assignee_employee_id: int | None = None
reviewer_employee_id: int | None = None
created_by_employee_id: int | None = None
class TaskUpdate(SQLModel):
title: str | None = None
description: str | None = None
status: str | None = None
assignee_employee_id: int | None = None
reviewer_employee_id: int | None = None
class TaskCommentCreate(SQLModel):
task_id: int
author_employee_id: int | None = None
reply_to_comment_id: int | None = None
body: str
class TaskReviewDecision(SQLModel):
decision: str # approve | changes
comment_body: str

0
backend/app/services/__init__.py Normal file
View File

10
backend/app/services/admin_access.py Normal file
View File

@@ -0,0 +1,10 @@
from __future__ import annotations
from fastapi import HTTPException, status
from app.core.auth import AuthContext
def require_admin(auth: AuthContext) -> None:
if auth.actor_type != "user" or auth.user is None:
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

0
backend/app/workers/__init__.py Normal file
View File

14
backend/app/workers/queue.py Normal file
View File

@@ -0,0 +1,14 @@
from __future__ import annotations
from redis import Redis
from rq import Queue
from app.core.config import settings
def get_redis() -> Redis:
return Redis.from_url(settings.redis_url)
def get_queue(name: str) -> Queue:
return Queue(name, connection=get_redis())