@shivammittal274 (Contributor)

No description provided.

@shivammittal274 shivammittal274 changed the base branch from main to gemini-agent-core November 26, 2025 18:37
greptile-apps bot (Contributor) commented Nov 26, 2025

Greptile Overview

Greptile Summary

Replaced WebSocket-based agent architecture with HTTP/SSE server using Hono, dramatically simplifying the codebase by removing ~4,400 lines of complex session management, protocol handling, and agent factory code.

Key changes:

  • Introduced HttpServer.ts with Hono framework providing /chat endpoint for streaming agent responses via SSE, /health endpoint, and DELETE endpoint for session cleanup
  • Simplified SessionManager from 500+ lines to 48 lines - now only stores GeminiAgent instances in a Map without WebSocket coupling
  • Created GeminiAgent class that integrates Gemini CLI core with Vercel AI SDK adapter for multi-provider LLM support
  • Refactored VercelAIContentGenerator from multi-provider registry pattern to single provider instance, added setHonoStream() for stream reuse across requests
  • Removed entire WebSocket server implementation (websocket/server.ts, websocket/protocol.ts) and complex agent abstractions (BaseAgent, AgentFactory, ClaudeSDKAgent, CodexSDKAgent, ControllerToolsAdapter)
  • Introduced structured error hierarchy (HttpAgentError, ValidationError, AgentExecutionError) with proper HTTP status codes
  • Integrated agent server into main.ts alongside existing MCP and controller servers

Issues:

  • Debug console.log statement in GeminiAgent.ts:98 should be removed

Confidence Score: 4/5

  • This PR is safe to merge with one minor cleanup needed
  • The refactoring is well-architected, removes significant complexity, and follows proper patterns. The HTTP/SSE approach is more standard than WebSocket for this use case. Session management is simplified without losing functionality. The only issue is a debug console.log that should be removed. Score reduced from 5 to 4 due to the debug statement.
  • Pay attention to packages/agent/src/agent/GeminiAgent.ts to remove the debug console.log statement

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| packages/agent/src/session/SessionManager.ts | 4/5 | Simplified session manager to store GeminiAgent instances, removed complex WebSocket management |
| packages/agent/src/http/HttpServer.ts | 4/5 | New HTTP server using Hono with /chat endpoint for streaming, /health check, session management integration |
| packages/agent/src/agent/GeminiAgent.ts | 3/5 | New agent implementation using Gemini CLI core with Vercel AI adapter, includes debug console.log |
| packages/agent/src/errors.ts | 5/5 | New error hierarchy for HTTP agent errors with proper status codes and JSON serialization |
| packages/agent/src/agent/gemini-vercel-sdk-adapter/index.ts | 5/5 | Refactored to single provider instance per config instead of multi-provider registry, added setHonoStream() method |
| packages/server/src/main.ts | 4/5 | Integrated new HTTP agent server alongside existing MCP and controller servers |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Client as HTTP Client
    participant Server as HttpServer (Hono)
    participant SM as SessionManager
    participant Agent as GeminiAgent
    participant Adapter as VercelAIContentGenerator
    participant MCP as MCP Server
    participant LLM as LLM Provider

    Client->>Server: POST /chat (conversationId, message, provider, model)
    Server->>Server: validateRequest(ChatRequestSchema)
    Server->>SM: getOrCreate(config)
    alt Session exists
        SM-->>Server: Return existing GeminiAgent
    else New session
        SM->>Agent: GeminiAgent.create(config)
        Agent->>Adapter: new VercelAIContentGenerator(config)
        Adapter->>Adapter: createProvider(config)
        Agent->>Agent: initialize GeminiConfig with MCP
        SM->>SM: sessions.set(conversationId, agent)
        SM-->>Server: Return new GeminiAgent
    end

    Server->>Agent: execute(message, honoStream)
    Agent->>Adapter: setHonoStream(honoStream)

    loop Multi-turn agentic loop (max 100 turns)
        Agent->>Agent: sendMessageStream(parts)
        Agent->>Adapter: generateContentStream()
        Adapter->>LLM: streamText(messages, tools)
        LLM-->>Adapter: Stream chunks (text-delta, tool-call, finish)
        Adapter->>Server: honoStream.write(SSE data)
        Server-->>Client: Stream SSE response

        alt Tool calls requested
            Agent->>Agent: Collect tool call requests
            loop For each tool call
                Agent->>MCP: executeToolCall(requestInfo)
                MCP-->>Agent: Tool response
            end
            Agent->>Agent: Prepare tool response parts for next turn
        else No tool calls
            Agent->>Agent: Break loop (execution complete)
        end
    end

    Server-->>Client: End stream

    Note over Client,Server: DELETE /chat/:conversationId
    Client->>Server: DELETE /chat/:conversationId
    Server->>SM: delete(conversationId)
    SM->>SM: sessions.delete(conversationId)
    Server-->>Client: {success: true, sessionCount}
```

@greptile-apps greptile-apps bot left a comment:

33 files reviewed, no comments

@felarof99 (Contributor) left a comment:

LGTM!

Review comment on the following lines (the `app.use(` call is where the comment is anchored):

```ts
const app = new Hono<{ Variables: AppVariables }>();
const sessionManager = new SessionManager();

app.use(
```

Contributor comment:

@greptileai review the security vulnerability aspect and suggest any fixes.

greptile-apps bot replied:
Looking at the security aspects of this HTTP server implementation, I can identify several potential vulnerabilities and areas for improvement:

Security Vulnerabilities Identified:

  1. Overly Permissive CORS Configuration: The CORS setup accepts any origins from config without validation
  2. Missing Rate Limiting: No protection against abuse or DoS attacks
  3. Sensitive Data Exposure: API keys and credentials are logged and passed around without proper sanitization
  4. No Authentication/Authorization: The /chat endpoint is completely open
  5. Missing Input Validation: Beyond schema validation, no additional security checks
  6. Error Information Disclosure: Stack traces and detailed errors could leak sensitive information
  7. Missing Security Headers: No security-related HTTP headers

Suggested Fixes:

For the CORS configuration specifically (since that's the line your comment is on), here's a more secure approach:

Suggested change (replacing the `app.use(` line):

```ts
app.use(
  '/*',
  cors({
    origin: (origin) => {
      // Validate origins against a whitelist. Hono's `origin` callback must
      // return the origin string to echo back (or null for no CORS header),
      // not a boolean: a `true` return would be written into the header as-is.
      const allowedOrigins = validatedConfig.corsOrigins || [];
      if (!origin) return null; // No Origin header (e.g., mobile apps): nothing to echo, request proceeds
      const matched = allowedOrigins.some((allowed) => {
        if (allowed === '*') return true;
        if (typeof allowed === 'string') return allowed === origin;
        if (allowed instanceof RegExp) return allowed.test(origin);
        return false;
      });
      return matched ? origin : null;
    },
    allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
    allowHeaders: ['Content-Type', 'Authorization'],
    credentials: false, // Explicitly disable credentials unless needed
    maxAge: 86400, // Cache preflight requests for 24 hours
  }),
);
```

Additional Security Recommendations:

  1. Add Rate Limiting: Implement rate limiting middleware to prevent abuse
  2. Sanitize Logging: Remove sensitive data from logs (API keys, credentials)
  3. Add Authentication: Consider implementing API key authentication or JWT tokens
  4. Security Headers: Add security headers like X-Frame-Options, X-Content-Type-Options, etc.
  5. Input Sanitization: Add additional validation beyond schema parsing
  6. Error Handling: Sanitize error responses to prevent information disclosure

Would you like me to provide implementations for any of these additional security measures?
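As an added example (not code from the PR, the project, or the bot), the following dependency-free TypeScript helpers implement the measures listed above so they can be dropped into Hono middleware: an origin allowlist check that returns what Hono's `cors({ origin })` callback expects, a sliding-window rate limiter, a log redactor, an error sanitiser, and a set of API security headers. All names (`allowedOrigin`, `RateLimiter`, `redactSecrets`, `sanitizeError`, `SECURITY_HEADERS`) are this example's own; it assumes `validatedConfig.corsOrigins` is an array of exact origin strings or RegExps, and the Hono wiring in the trailing comment is illustrative only.

```typescript
// Added example, not the PR's or the project's code. Dependency-free helpers for
// the hardening measures listed in the review: CORS allowlist, rate limiting, log
// redaction, error sanitisation and security headers. All identifiers are this
// example's own; `validatedConfig.corsOrigins` is assumed to hold exact origin
// strings or RegExps.

type OriginRule = string | RegExp;

// CORS: return the Access-Control-Allow-Origin value, or null to send none.
// Hono's cors({ origin }) callback expects a string or null here, not a boolean.
function allowedOrigin(requestOrigin: string, rules: OriginRule[]): string | null {
  if (!requestOrigin) return null; // no Origin header: not a cross-origin browser request
  for (const rule of rules) {
    if (rule === '*') return '*'; // wildcard only when explicitly configured
    if (typeof rule === 'string' && rule === requestOrigin) return requestOrigin;
    // RegExp rules must be anchored (^...$); an unanchored pattern also matches
    // any origin that merely contains the expected host as a substring.
    if (rule instanceof RegExp && rule.test(requestOrigin)) return requestOrigin;
  }
  return null;
}

// Rate limiting: sliding window of request timestamps per key (client IP or
// conversationId). `now` is injectable so behaviour is deterministic in tests.
class RateLimiter {
  private hits = new Map<string, number[]>();
  constructor(private readonly limit: number, private readonly windowMs: number) {}

  allow(key: string, now: number = Date.now()): boolean {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent); // keep only live entries, deny this request
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Log sanitisation: deep-copy a value, replacing anything under a secret-looking key.
const SECRET_KEY = /(api[-_]?key|token|secret|password|authorization)/i;

function redactSecrets(value: unknown): unknown {
  if (Array.isArray(value)) return value.map((v) => redactSecrets(v));
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SECRET_KEY.test(k) ? '[REDACTED]' : redactSecrets(v);
    }
    return out;
  }
  return value;
}

// Error sanitisation: 4xx messages describe the request and may be echoed; anything
// else becomes a generic 500 so stack traces, paths and provider errors stay server-side.
// Assumes errors may carry a numeric `status` like the PR's HttpAgentError hierarchy.
interface ClientError { status: number; body: { error: string } }

function sanitizeError(err: unknown): ClientError {
  const s = (err as { status?: unknown } | null)?.status;
  const status = typeof s === 'number' && s >= 400 && s <= 599 ? s : 500;
  const message = status < 500 && err instanceof Error ? err.message : 'Internal server error';
  return { status, body: { error: message } };
}

// Security headers suitable for a JSON/SSE API that serves no HTML.
const SECURITY_HEADERS: Record<string, string> = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'no-referrer',
  'Cache-Control': 'no-store',
};

// Illustrative Hono wiring (assumed shapes, not executed here):
//   app.use('/*', cors({ origin: (o) => allowedOrigin(o, validatedConfig.corsOrigins) }));
//   app.use('/*', async (c, next) => {
//     Object.entries(SECURITY_HEADERS).forEach(([k, v]) => c.header(k, v));
//     if (!limiter.allow(clientKey(c))) return c.json({ error: 'rate limited' }, 429);
//     await next();
//   });
//   app.onError((err, c) => { const r = sanitizeError(err); return c.json(r.body, r.status); });
//   logger.info(redactSecrets({ conversationId, provider, apiKey })); // apiKey never reaches the log

// Stand-alone demo with constructed inputs.
console.log(allowedOrigin('https://app.example.com', ['https://app.example.com']));
console.log(redactSecrets({ provider: 'gemini', apiKey: 'constructed-secret' }));
```

The limiter is in-memory and per-process, which matches the PR's in-memory `SessionManager`; a multi-instance deployment would need a shared store for both.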

@shivammittal274 shivammittal274 changed the base branch from gemini-agent-core to main November 26, 2025 21:00
@shivammittal274 shivammittal274 merged commit a2e7614 into main Nov 26, 2025