Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
65 commits
Select commit Hold shift + click to select a range
f99277e
feat(measurement-jobs): free-tier card gate (setup mode) + instant ba…
sweetmantech Jun 16, 2026
158a1d4
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 16, 2026
5fa5e3a
fix(songstats-backfill): backoff on 429 + defer instead of churn (cha…
sweetmantech Jun 16, 2026
1e9deac
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 16, 2026
5f45946
refactor(songstats): remove local quota ledger + budget gate (chat#17…
sweetmantech Jun 16, 2026
5472795
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 16, 2026
f24d4c7
feat: POST /api/catalogs (create + materialize from valuation snapsho…
sweetmantech Jun 18, 2026
ace0b01
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
a520a1d
fix: LEFT-join artists in catalog-songs read (materialized tracks wer…
sweetmantech Jun 18, 2026
76b5739
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
709ea0c
feat: add X (Twitter) + LinkedIn to the Composio connector whitelist …
sweetmantech Jun 18, 2026
8a3c3cb
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
66cc2fe
chore: remove unused ALLOWED_ARTIST_CONNECTORS from api (chat#1793) (…
sweetmantech Jun 18, 2026
79c22da
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
6fc10cc
fix: enrich valuation-captured songs (artists + notes) so they render…
sweetmantech Jun 18, 2026
0e42d02
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 18, 2026
2fa7029
fix(tasks): let admins fetch any task by id alone (cross-account read…
sweetmantech Jun 19, 2026
bd2ae10
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 19, 2026
cdb34d0
feat(connectors): POST /api/connectors/files — stage images for Linke…
sweetmantech Jun 20, 2026
acae4d8
Merge main into test (sync #692 Songstats work)
sweetmantech Jun 23, 2026
2a7af68
feat(artists): account_id override for DELETE /api/artists/{id} (#693)
sweetmantech Jun 23, 2026
8c962ef
Merge main into test (sync #696)
sweetmantech Jun 23, 2026
8b6a3bb
feat(chats): admins (RECOUP_ORG) can access any chat — read + write (…
sweetmantech Jun 23, 2026
03e0ef5
Enforce account_api_keys.expires_at in x-api-key auth (chat#1813) (#700)
sweetmantech Jun 24, 2026
bff29ae
Merge branch 'main' into test
sweetmantech Jun 24, 2026
78bd71b
refactor(chat): extract shared buildRunAgentInput (chat#1813) (#701)
sweetmantech Jun 24, 2026
2209b7d
Re-point POST /api/chat/generate onto runAgentWorkflow + ephemeral ke…
sweetmantech Jun 24, 2026
af7eaa5
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 24, 2026
b84e4a1
Merge remote-tracking branch 'origin/main' into HEAD
sweetmantech Jun 24, 2026
4c09cf0
Retire OpenClaw prompt_sandbox → run-sandbox-command bridge (chat#181…
sweetmantech Jun 24, 2026
f1ade64
Merge remote-tracking branch 'origin/main' into HEAD
sweetmantech Jun 24, 2026
4ecca44
feat: POST /api/emails + route ephemeral key to RECOUP_API_KEY (#1815…
sweetmantech Jun 25, 2026
27f0532
Merge origin/main into test (sync after #709 test→main promotion)
sweetmantech Jun 25, 2026
6d9e74e
fix(skills): install the renamed global skills into sandboxes (chat#1…
sweetmantech Jun 25, 2026
a463e59
Merge origin/main into test (sync after #713 test→main promotion)
sweetmantech Jun 25, 2026
18d20f7
feat(emails): make `to` and `subject` optional on POST /api/emails (#…
sweetmantech Jun 25, 2026
d981536
chore: remove POST /api/notifications (superseded by /api/emails) (#711)
sweetmantech Jun 25, 2026
cae9f35
Merge origin/main into test (sync for #715 promotion)
sweetmantech Jun 25, 2026
be2abcc
fix: repoint dead .com hosts to live .dev (recoupable/chat#1819 §A+§B…
sweetmantech Jun 29, 2026
0e0bac0
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 29, 2026
e6610b4
fix: repoint remaining .com refs missed by api#719 (domain cutover) (…
sweetmantech Jun 30, 2026
bdcd796
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 30, 2026
c5e3e1f
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 30, 2026
8a3d084
fix(chat/runs): install global skills in the headless run path (#722)
sweetmantech Jun 30, 2026
71c920e
Merge origin/main into test (sync after #727 test->main release)
sweetmantech Jun 30, 2026
d7b06ce
HOLD MERGE — api brand email → @recoupable.dev (+ inbound @mail.recou…
sweetmantech Jun 30, 2026
fba3b60
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jun 30, 2026
cd74805
Merge origin/main into test (sync direct-to-main merges: #729 guard, …
sweetmantech Jul 1, 2026
868fcef
Merge origin/main into test (sync #734 /api/artists id-consistency di…
sweetmantech Jul 1, 2026
8b1998e
Merge origin/main into test (sync #735 /socials id-consistency direct…
sweetmantech Jul 1, 2026
c2d9fb2
Merge origin/main into test (sync #737 LinkedIn scraper direct-to-mai…
sweetmantech Jul 1, 2026
53c9028
Merge origin/main into test (sync #738 registry + LinkedIn persistenc…
sweetmantech Jul 1, 2026
791e393
Merge origin/main into test (sync #740 remaining-platforms persistenc…
sweetmantech Jul 2, 2026
e734c61
Merge origin/main into test (sync #742 headless artist-context direct…
sweetmantech Jul 2, 2026
4290c72
feat(apify): optional posts depth on social scrape endpoints (#741)
sweetmantech Jul 2, 2026
d5f649f
Merge origin/main into test (sync after #743 test→main release: #741 …
sweetmantech Jul 2, 2026
d72c826
Merge origin/main into test (sync #744 credit-gate direct-to-main merge)
sweetmantech Jul 2, 2026
60a4164
Merge origin/main into test (sync #745 LinkedIn-posts-scrape direct-t…
sweetmantech Jul 2, 2026
84a3a01
Merge origin/main into test (sync after #746)
sweetmantech Jul 3, 2026
c67af06
Merge remote-tracking branch 'origin/main' into test
sweetmantech Jul 3, 2026
cbb4d7a
feat(apify): account-scope GET /api/apify/runs/{runId} (chat#1840)
sweetmantech Jul 3, 2026
6563b83
rework: any authenticated caller can poll scraper runs (chat#1840 dec…
sweetmantech Jul 3, 2026
0550e9f
Merge origin/main into test (sync: enterprise credits + org endpoints…
sweetmantech Jul 3, 2026
38e9cc5
Merge branch 'test' into feat/apify-runs-account-scope
sweetmantech Jul 3, 2026
2c1911e
Merge branch 'main' into feat/apify-runs-account-scope
sweetmantech Jul 3, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 6 additions & 12 deletions lib/apify/__tests__/validateGetScraperResultsRequest.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@ import { describe, it, expect, vi, beforeEach } from "vitest";
import { NextRequest, NextResponse } from "next/server";

import { validateGetScraperResultsRequest } from "../validateGetScraperResultsRequest";
import { validateAdminAuth } from "@/lib/admins/validateAdminAuth";
import { validateAuthContext } from "@/lib/auth/validateAuthContext";

vi.mock("@/lib/admins/validateAdminAuth", () => ({ validateAdminAuth: vi.fn() }));
vi.mock("@/lib/auth/validateAuthContext", () => ({ validateAuthContext: vi.fn() }));
vi.mock("@/lib/networking/getCorsHeaders", () => ({ getCorsHeaders: () => ({}) }));

const RUN_ID = "run_abc_123";
Expand All @@ -17,27 +17,21 @@ const makeRequest = (path = `/api/apify/runs/${RUN_ID}`) =>
describe("validateGetScraperResultsRequest", () => {
beforeEach(() => {
vi.clearAllMocks();
vi.mocked(validateAdminAuth).mockResolvedValue(authResult);
vi.mocked(validateAuthContext).mockResolvedValue(authResult);
});

it("propagates auth error before checking runId", async () => {
const err = NextResponse.json({}, { status: 401 });
vi.mocked(validateAdminAuth).mockResolvedValue(err);
vi.mocked(validateAuthContext).mockResolvedValue(err);
expect(await validateGetScraperResultsRequest(makeRequest(), "")).toBe(err);
});

it("propagates 403 from non-admin auth", async () => {
const err = NextResponse.json({}, { status: 403 });
vi.mocked(validateAdminAuth).mockResolvedValue(err);
expect(await validateGetScraperResultsRequest(makeRequest(), RUN_ID)).toBe(err);
});

it("returns 400 when runId is empty after admin auth succeeds", async () => {
it("returns 400 when runId is empty after auth succeeds", async () => {
const res = (await validateGetScraperResultsRequest(makeRequest(), "")) as NextResponse;
expect(res.status).toBe(400);
});

it("returns validated runId on happy path", async () => {
it("passes any authenticated caller through — no admin or ownership check", async () => {
expect(await validateGetScraperResultsRequest(makeRequest(), RUN_ID)).toEqual({
runId: RUN_ID,
});
Expand Down
18 changes: 11 additions & 7 deletions lib/apify/validateGetScraperResultsRequest.ts
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import { NextRequest, NextResponse } from "next/server";
import { z } from "zod";
import { getCorsHeaders } from "@/lib/networking/getCorsHeaders";
import { validateAdminAuth } from "@/lib/admins/validateAdminAuth";
import { validateAuthContext } from "@/lib/auth/validateAuthContext";

export const getScraperResultsParamsSchema = z.object({
runId: z.string().min(1),
Expand All @@ -10,18 +10,22 @@ export const getScraperResultsParamsSchema = z.object({
export type GetScraperResultsParams = z.infer<typeof getScraperResultsParamsSchema>;

/**
* Authenticates the request as an admin, then validates the runId path param.
* Authenticates the request (any valid API key or Bearer token), then
* validates the runId path param.
*
* Admin-only: Apify run identifiers are not account-scoped, and the poller
* is a backend-only caller (tasks).
* Deliberately not owner-scoped (chat#1840 decision, 2026-07-03): scrape
* datasets are public social content and Apify run ids are unguessable,
* so possession of a runId plus any valid credential is sufficient.
* Authentication still gates the endpoint so anonymous callers can't use
* it as a free Apify proxy.
*/
export async function validateGetScraperResultsRequest(
request: NextRequest,
runId: string,
): Promise<GetScraperResultsParams | NextResponse> {
const authResult = await validateAdminAuth(request);
if (authResult instanceof NextResponse) {
return authResult;
const auth = await validateAuthContext(request);
if (auth instanceof NextResponse) {
return auth;
}

const parsed = getScraperResultsParamsSchema.safeParse({ runId });
Expand Down
Loading