feat: refactor agent endpoint for token

[tipusinghaw]

What

• Removed routes for the dedicated agent
• Changed the shell script based on the updated token approach

Summary by CodeRabbit

• New Features

  • Introduced unified agent URL construction using a shared utility, simplifying integration across connection, issuance, and verification services.
  • Added support for agent and tenant wallet token retrieval, enhancing authentication and token management.
  • Expanded error messages for improved clarity on agent configuration and endpoint validation.

• Refactor

  • Updated multiple services to use a centralized agent URL utility, removing redundant code and streamlining URL handling.
  • Adjusted agent API key handling and token management for more consistent and secure operations.
  • Updated endpoint paths to reflect new routing structures for agent, issuance, and proof services.

• Chores

  • Improved code formatting, indentation, and minor style consistency across several files and scripts.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This change introduces a new apiKey parameter throughout the agent provisioning and management workflow, updating shell scripts, service methods, and configuration files to handle this parameter. It also refactors agent URL construction by removing internal methods and adopting a new shared getAgentUrl utility, with related updates to constants and error messages. Several new agent token management methods are added, and some redundant code is removed or simplified.

Changes

Cohort / File(s)	Change Summary
Agent Provisioning Shell Scripts apps/agent-provisioning/AFJ/scripts/start_agent.sh, apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh	Added support for an AGENT_API_KEY parameter, updated config file generation, log parsing, and token extraction logic. ECS script now includes CloudWatch log configuration and improved token retrieval with retries.
Agent Provisioning Service apps/agent-provisioning/src/agent-provisioning.service.ts	Added ESLint directive, destructured new apiKey from payload, and updated shell command to pass this parameter. Minor formatting changes.
Agent Service Core Logic apps/agent-service/src/agent-service.service.ts	Refactored to use external getAgentUrl utility, unified token management, added/updated methods for agent/tenant token handling, simplified DID logic, and removed redundant code.
Agent Service Controller apps/api-gateway/src/agent-service/agent-service.controller.ts	Removed a redundant blank line; no logic changes.
Connection Service apps/connection/src/connection.service.ts	Replaced internal getAgentUrl with shared utility, adjusted imports, and improved formatting.
Issuance Service apps/issuance/src/issuance.service.ts	Removed internal URL construction, now uses shared getAgentUrl. Cleaned up related imports and logic.
Verification Service apps/verification/src/verification.service.ts	Removed internal URL construction, now uses shared getAgentUrl. Adjusted imports.
Common Constants libs/common/src/common.constant.ts	Updated URL paths to include new prefixes, added new URL/action flag constants, and introduced new agent token-related constants.
Common Service libs/common/src/common.service.ts	Added methods to fetch base agent and tenant wallet tokens via HTTP requests. Minor formatting changes.
Common Utilities libs/common/src/common.utils.ts	Added new async getAgentUrl function for consistent agent URL construction; minor formatting updates elsewhere.
Response Messages libs/common/src/response-messages/index.ts	Added new error messages for agent configuration and common URL/endpoint validation.
ESLint Config .eslintrc.js	Added a trailing newline for formatting consistency.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant API_Gateway
    participant AgentService
    participant CommonService
    participant AgentProvisioning
    participant ShellScript

    User->>API_Gateway: Request agent provisioning (with apiKey)
    API_Gateway->>AgentService: createTenant / walletProvision (payload includes apiKey)
    AgentService->>AgentProvisioning: Calls provisioning script with apiKey
    AgentProvisioning->>ShellScript: Executes start_agent.sh/start_agent_ecs.sh with apiKey
    ShellScript->>ShellScript: Writes config with apiKey, starts agent
    ShellScript->>AgentProvisioning: Returns agent info (including apiKey)
    AgentProvisioning->>AgentService: Returns provisioning result
    AgentService->>CommonService: getBaseAgentToken / getTenantWalletToken as needed
    CommonService->>AgentService: Returns token
    AgentService->>API_Gateway: Returns agent details (with apiKey/token)
    API_Gateway->>User: Responds with agent info

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs

• Qa - Sign and verify feature #1286: Introduces new sign/verify agent methods and DTOs, as well as related agent service and URL handling changes, overlapping with this PR's refactoring of agent URL utilities and API key management.

Suggested reviewers

• shitrerohit
• GHkrishna
• KambleSahil3
• ankita-p17

Poem

In the warren of code, a new key appears,
For agents provisioned, the logic now clears.
URLs refactored, constants aligned,
Tokens and endpoints so neatly combined.
With scripts and services hopping in tune,
This rabbit declares: new features soon! 🐇✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/refactor-agent-endpoint-for-token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

To fix this problem, we should avoid constructing a shell command string and passing it to exec. Instead, we should use execFile (or execFileSync/spawn), which allows us to specify the command and its arguments as an array, so that each argument is passed as-is to the underlying process without shell interpretation. This prevents shell injection and issues with spaces or special characters in arguments.

Detailed steps:

• Parse the script path and all arguments as separate elements.
• Build an array of arguments, ensuring each value is passed as a separate argument.
• Replace exec(walletProvision, ...) with execFile(scriptPath, args, ...).
• Import execFile from child_process.
• Update the code to extract the script path and arguments from the original string.
• No change to the rest of the logic.

Files/regions to change:

• In apps/agent-provisioning/src/agent-provisioning.service.ts, lines 43–45: refactor the command construction and execution.
• Add import for execFile if not already present.

---

[tipusinghaw]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (4)

apps/agent-provisioning/src/agent-provisioning.service.ts (1)

1-1: Consider structured logging instead of console statements.

While the ESLint disable is acceptable for a provisioning service that needs console output, consider using the existing Logger instance for consistency with the rest of the application.

apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh (2)

40-40: Consider potential service name conflicts.

The change from a dynamic random string to a fixed pattern ${CONTAINER_NAME}-service-test could lead to conflicts if multiple services are created with the same container name. Ensure that container names are unique in your deployment environment.

---

197-204: Consider making the AWS region configurable.

The CloudWatch logging configuration is correctly structured, but the region is hardcoded to ap-south-1. Consider using an environment variable like $AWS_REGION or $AWS_PUBLIC_REGION for better flexibility across different deployment regions.

-          "awslogs-region": "ap-south-1",
+          "awslogs-region": "$AWS_PUBLIC_REGION",

apps/agent-service/src/agent-service.service.ts (1)

1908-1930: Well-implemented tenant token retrieval method.

The method has proper parameter validation and error handling. Note the TODO comment on line 1924 about adding the tenant wallet token to the database - this should be tracked for future implementation.

The comment on line 1924 suggests storing the tenant wallet token in the database. Would you like me to create an issue to track this enhancement?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 38005c5 and ad0cfa3.

📒 Files selected for processing (13)

• .eslintrc.js (1 hunks)
• apps/agent-provisioning/AFJ/scripts/start_agent.sh (4 hunks)
• apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh (5 hunks)
• apps/agent-provisioning/src/agent-provisioning.service.ts (2 hunks)
• apps/agent-service/src/agent-service.service.ts (13 hunks)
• apps/api-gateway/src/agent-service/agent-service.controller.ts (0 hunks)
• apps/connection/src/connection.service.ts (10 hunks)
• apps/issuance/src/issuance.service.ts (5 hunks)
• apps/verification/src/verification.service.ts (7 hunks)
• libs/common/src/common.constant.ts (5 hunks)
• libs/common/src/common.service.ts (2 hunks)
• libs/common/src/common.utils.ts (3 hunks)
• libs/common/src/response-messages/index.ts (3 hunks)

💤 Files with no reviewable changes (1)

• apps/api-gateway/src/agent-service/agent-service.controller.ts

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: in the credebl/platform repository, the team prefers to create utilities for validating required env...

Learnt from: tipusinghaw
PR: credebl/platform#1297
File: apps/api-gateway/src/tracer.ts:24-28
Timestamp: 2025-06-24T11:15:29.468Z
Learning: In the credebl/platform repository, the team prefers to create utilities for validating required environment variables rather than implementing inline validation. This approach promotes reusability across different parts of the application.

Applied to files:

• apps/agent-provisioning/src/agent-provisioning.service.ts

🧬 Code Graph Analysis (3)

libs/common/src/common.service.ts (1)

libs/common/src/response-messages/index.ts (1)

• ResponseMessages (1-505)

apps/issuance/src/issuance.service.ts (1)

libs/common/src/common.utils.ts (1)

• getAgentUrl (70-113)

libs/common/src/common.utils.ts (1)

libs/common/src/response-messages/index.ts (1)

• ResponseMessages (1-505)

🪛 GitHub Check: CodeQL

apps/agent-provisioning/src/agent-provisioning.service.ts

[warning] 31-31: Shell command built from environment values
This shell command depends on an uncontrolled absolute path.

🪛 Shellcheck (0.10.0)

apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh

[warning] 283-283: This is interpreted as a command name ending with '.'. Double check syntax.

(SC2288)

🪛 ESLint

libs/common/src/common.utils.ts

[error] 107-107: Unexpected console statement.

(no-console)

---

[error] 110-110: Unexpected console statement.

(no-console)

🔇 Additional comments (38)

.eslintrc.js (1)

104-104: Good practice: newline at EOF retained

The trailing newline keeps editors, formatters, and some POSIX tools happy. No further action required.

libs/common/src/response-messages/index.ts (2)

243-243: LGTM! Well-structured error messages for enhanced agent functionality.

The new error messages appropriately support the enhanced agent configuration and token management features. They follow the existing naming conventions and provide clear descriptions for the failure scenarios.

Also applies to: 275-277

---

499-504: LGTM! Appropriate addition of common error messages.

The new common.error section provides necessary error messages for URL and endpoint validation. The messages are clear and follow the established pattern in the file.

apps/agent-provisioning/src/agent-provisioning.service.ts (2)

13-13: LGTM! Clean constructor formatting.

The simplified constructor format improves readability.

---

22-44: LGTM! Proper integration of API key parameter.

The addition of the apiKey parameter and its integration into the shell script execution is implemented correctly and aligns with the enhanced token management approach.

The static analysis warning about shell command construction is noted, but this follows the existing pattern in the codebase for agent provisioning.

apps/agent-provisioning/AFJ/scripts/start_agent.sh (3)

22-22: LGTM! Proper API key parameter integration.

The addition of the AGENT_API_KEY parameter as the 18th argument is correctly implemented with appropriate debugging output.

Also applies to: 119-123

---

130-130: LGTM! Proper JSON configuration updates.

The quoted filename in the heredoc prevents shell expansion issues, and the apiKey field is correctly added to the agent configuration JSON with proper formatting.

Also applies to: 162-164

---

247-247: LGTM! Updated log parsing for new agent output format.

The change from "API Token:" to "API Key:" in the log parsing correctly reflects the updated agent output format.

apps/verification/src/verification.service.ts (3)

30-30: LGTM! Proper import updates for shared utility usage.

The removal of unused enum imports and addition of the getAgentUrl utility import correctly supports the refactoring to use shared URL construction logic.

Also applies to: 52-52

---

228-232: LGTM! Effective refactoring to shared URL utility.

The replacement of the internal URL construction with the shared getAgentUrl utility simplifies the code and centralizes URL handling logic. The use of constants for URL flags improves maintainability.

---

284-284: LGTM! Consistent refactoring across all URL construction points.

All calls to the shared getAgentUrl utility are consistently implemented with appropriate constant flags. This refactoring successfully centralizes URL construction logic while maintaining the same functionality.

Also applies to: 405-405, 483-486, 765-765

libs/common/src/common.service.ts (3)

329-332: LGTM! Minor formatting improvement.

The indentation adjustment improves code readability without changing functionality.

---

351-366: LGTM! Well-implemented base agent token retrieval.

The getBaseAgentToken method is properly structured with:

• Appropriate HTTP POST request to the agent endpoint
• Proper authorization header handling
• Clear error handling with descriptive error messages
• Consistent return pattern

---

368-382: LGTM! Consistent tenant wallet token retrieval implementation.

The getTenantWalletToken method follows the same solid pattern as getBaseAgentToken with appropriate adaptations for tenant-specific token retrieval:

• Proper tenantId parameter integration in URL
• Consistent error handling approach
• Clear method signature and return type

apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh (2)

156-156: Verify the container image reference change.

The change from ${AFJ_IMAGE_URL} to ${AFJ_VERSION} suggests the image registry/repository is now implied. Ensure that the container runtime can resolve the image correctly with just the version identifier.

---

273-332: Verify region usage and log stream naming

Please ensure the following before merging:

• Region consistency
  Replace any hard-coded region (e.g. ap-southeast-1) with $AWS_PUBLIC_REGION so all AWS CLI calls target the same region.

       token=$(aws logs get-log-events \
       --log-group-name "$log_group" \
       --log-stream-name "$log_stream" \
  -    --region ap-southeast-1 \
  +    --region "$AWS_PUBLIC_REGION" \
       | grep -o '*** API Key: [^ ]*' \
       | cut -d ' ' -f 3
  )

• Log stream format validation
  Verify in your AWS account that your CloudWatch log streams follow the assumed naming convention (ecs/<containerName>/<taskId>) under the /ecs/<taskDefinitionFamily> log group. For example:

  aws logs describe-log-groups \
    --log-group-name-prefix "/ecs/${TASK_DEFINITION_FAMILY}" \
    --region "$AWS_PUBLIC_REGION"

  And then check streams:

  aws logs describe-log-streams \
    --log-group-name "/ecs/${TASK_DEFINITION_FAMILY}" \
    --log-stream-name-prefix "ecs/${CONTAINER_NAME}/" \
    --region "$AWS_PUBLIC_REGION"

• Token-pattern robustness
  The grep pattern ('*** API Key: [^ ]*') may break if logs change format. Consider using jq on structured logs or a more flexible regex.

apps/issuance/src/issuance.service.ts (5)

65-65: LGTM! Import statement correctly updated.

The addition of getAgentUrl to the imports from the common utils module is consistent with the refactoring to use shared utility functions.

---

187-187: LGTM! URL construction properly refactored.

The replacement of the internal getAgentUrl method with the shared utility function is correctly implemented. The parameters align with the utility's interface.

---

372-372: LGTM! Consistent URL construction refactoring.

The refactoring to use the shared getAgentUrl utility with CommonConstants.CREATE_OFFER_OUT_OF_BAND is correctly implemented.

---

685-685: LGTM! Parameterized URL construction correctly implemented.

The refactoring correctly uses the shared utility with the credentialRecordId parameter, which should replace the placeholder in the URL suffix as intended.

---

827-827: LGTM! Final URL construction refactoring completed.

The last usage of the shared getAgentUrl utility is correctly implemented, completing the refactoring to centralize URL construction logic.

libs/common/src/common.utils.ts (3)

8-8: LGTM! Parameter formatting improved.

The single-line parameter formatting improves code readability.

---

50-52: LGTM! Code formatting improved.

The formatting improvements enhance code readability and consistency.

---

61-68: LGTM! Style consistency improved.

The addition of parentheses to arrow function parameters and trailing semicolon improves code style consistency.

apps/connection/src/connection.service.ts (4)

35-35: LGTM! Good refactoring to centralize URL construction.

The import of the shared getAgentUrl utility promotes code reuse and consistency across services.

---

671-671: Correct usage of the centralized URL utility.

The migration to use the shared getAgentUrl function with the CONNECTION_INVITATION flag is implemented correctly.

---

781-819: Good formatting improvements for better readability.

The reformatting of the deleteConnectionRecords method improves code clarity without changing functionality. The status counts object and Promise.all block are now more readable.

---

743-743: Clean formatting of method chain.

The single-line formatting of the natsCall chain is appropriate for this simple operation.

libs/common/src/common.constant.ts (3)

26-32: URL path refactoring looks good.

The addition of /didcomm/ prefix to connection and OOB URLs follows a clear routing structure. The new token-related URLs (URL_AGENT_TOKEN and URL_SHARED_WALLET_TOKEN) support the enhanced token management functionality.

---

72-77: Consistent URL path updates for credential operations.

The /didcomm/ prefix has been correctly applied to credential issuance URLs, maintaining consistency with the new routing structure.

---

400-414: Well-structured agent URL action flags.

The new constants provide a clean way to identify different agent operations for URL construction. The naming convention is clear and self-documenting.

apps/agent-service/src/agent-service.service.ts (7)

81-81: Good consolidation of URL construction logic.

The import of the shared getAgentUrl utility aligns with the refactoring across other services.

---

424-424: Appropriate addition of API key to provisioning payload.

Adding the API key from environment variables to the wallet provision payload supports the enhanced token management.

---

528-538: Well-implemented token retrieval with proper validation.

The code correctly retrieves the base agent token, validates it, and encrypts it before storage. The error handling provides a clear message if the token is not obtained.

---

876-891: Excellent implementation of dynamic token retrieval for shared agents.

The code properly handles the case where shared agents have no stored API key by fetching the tenant wallet token from the platform admin. This ensures shared agents can always obtain valid tokens.

---

1551-1551: Correct usage of centralized URL construction for signing operations.

The code properly uses the shared getAgentUrl utility with appropriate action flags for sign and verify operations.

Also applies to: 1611-1611

---

1775-1776: Clean refactoring of variable destructuring.

The updated destructuring assignment improves code readability.

---

623-624: No references to did/verkey found – ‘NA’ placeholders are safe

We searched the repository for any reads or validations of the .did or .verkey fields (including in org_agents) and found no occurrences. There are no downstream consumers relying on those values, so using "NA" here will not break existing functionality.

[coderabbitai]

⚠️ Potential issue

Fix the placeholder text that could be misinterpreted as a command.

The line with dots is flagged by shellcheck as potentially being interpreted as a command. Replace with a proper comment.

-# to fetch log group of container 
-.............................................................
+# to fetch log group of container

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools

🪛 Shellcheck (0.10.0)

[warning] 283-283: This is interpreted as a command name ending with '.'. Double check syntax.

(SC2288)

🤖 Prompt for AI Agents

In apps/agent-provisioning/AFJ/scripts/start_agent_ecs.sh at line 283, replace
the line containing only dots with a proper shell comment to avoid it being
misinterpreted as a command by shellcheck. Use a hash symbol (#) followed by a
descriptive comment or leave it as an empty comment line.

[GHkrishna]

@KambleSahil3 Can you please have a look at this

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[GHkrishna]

Do we want to revert this?

[GHkrishna]

We might need some ENV changes in this case for ecs?

[tipusinghaw]

@KambleSahil3 Please have a look

[GHkrishna]

@KambleSahil3 Can you please have a look at this

[GHkrishna]

Can we also take agent details in common?
If not used afterwards

[GHkrishna]

Similarly to mentioned below, can we have fetching of agentEndPoint in a common function for all occurrences?

[GHkrishna]

Let's fix and deploy

Great work @tipusinghaw

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud