trycompai
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 1 deletion b/‎.gitignore‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎apps/api/package.json‎
Lines changed: 49 additions & 2 deletions b/‎apps/api/package.json‎
Lines changed: 49 additions & 2 deletions
diff --git a/‎apps/api/src/app/s3.ts‎
Lines changed: 14 additions & 0 deletions b/‎apps/api/src/app/s3.ts‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎apps/api/src/attachments/attachments.service.ts‎
Lines changed: 1 addition & 2 deletions b/‎apps/api/src/attachments/attachments.service.ts‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎apps/api/src/auth/auth-context.decorator.ts‎
Lines changed: 4 additions & 0 deletions b/‎apps/api/src/auth/auth-context.decorator.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/api/src/auth/hybrid-auth.guard.ts‎
Lines changed: 15 additions & 0 deletions b/‎apps/api/src/auth/hybrid-auth.guard.ts‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎apps/api/src/browserbase/browserbase.service.ts‎
Lines changed: 1 addition & 1 deletion b/‎apps/api/src/browserbase/browserbase.service.ts‎
Lines changed: 1 addition & 1 deletion
@@ -95,4 +95,5 @@ scripts/sync-release-branch.sh
 
 .claude/audit-findings.md
 
-.superpowers/*
+.superpowers/*
+.claude/worktrees/
@@ -8,10 +8,57 @@
         "@ai-sdk/groq": "^2.0.32",
         "@ai-sdk/openai": "^2.0.65",
         "@aws-sdk/client-ec2": "^3.911.0",
-        "@aws-sdk/client-s3": "^3.859.0",
+        "@aws-sdk/client-s3": "3.1013.0",
+        "@aws-sdk/client-acm": "^3.948.0",
+        "@aws-sdk/client-backup": "^3.948.0",
+        "@aws-sdk/client-cloudtrail": "^3.948.0",
+        "@aws-sdk/client-cloudwatch": "^3.948.0",
+        "@aws-sdk/client-cost-explorer": "^3.948.0",
+        "@aws-sdk/client-cloudwatch-logs": "^3.948.0",
+        "@aws-sdk/client-config-service": "^3.948.0",
+        "@aws-sdk/client-dynamodb": "^3.948.0",
+        "@aws-sdk/client-ecr": "^3.948.0",
+        "@aws-sdk/client-ecs": "^3.948.0",
+        "@aws-sdk/client-efs": "^3.948.0",
+        "@aws-sdk/client-eks": "^3.948.0",
+        "@aws-sdk/client-elastic-load-balancing-v2": "^3.948.0",
+        "@aws-sdk/client-guardduty": "^3.948.0",
+        "@aws-sdk/client-iam": "^3.948.0",
+        "@aws-sdk/client-inspector2": "^3.948.0",
+        "@aws-sdk/client-kms": "^3.948.0",
+        "@aws-sdk/client-lambda": "^3.948.0",
+        "@aws-sdk/client-macie2": "^3.948.0",
+        "@aws-sdk/client-opensearch": "^3.948.0",
+        "@aws-sdk/client-rds": "^3.948.0",
+        "@aws-sdk/client-redshift": "^3.948.0",
+        "@aws-sdk/client-route-53": "^3.948.0",
+        "@aws-sdk/client-secrets-manager": "^3.948.0",
         "@aws-sdk/client-securityhub": "^3.948.0",
+        "@aws-sdk/client-sns": "^3.948.0",
+        "@aws-sdk/client-sqs": "^3.948.0",
+        "@aws-sdk/client-wafv2": "^3.948.0",
+        "@aws-sdk/client-api-gateway": "^3.948.0",
+        "@aws-sdk/client-apigatewayv2": "^3.948.0",
+        "@aws-sdk/client-appflow": "^3.948.0",
+        "@aws-sdk/client-athena": "^3.948.0",
+        "@aws-sdk/client-cloudfront": "^3.948.0",
+        "@aws-sdk/client-codebuild": "^3.948.0",
+        "@aws-sdk/client-cognito-identity-provider": "^3.948.0",
+        "@aws-sdk/client-elastic-beanstalk": "^3.948.0",
+        "@aws-sdk/client-elasticache": "^3.948.0",
+        "@aws-sdk/client-emr": "^3.948.0",
+        "@aws-sdk/client-eventbridge": "^3.948.0",
+        "@aws-sdk/client-glue": "^3.948.0",
+        "@aws-sdk/client-kafka": "^3.948.0",
+        "@aws-sdk/client-kinesis": "^3.948.0",
+        "@aws-sdk/client-network-firewall": "^3.948.0",
+        "@aws-sdk/client-sagemaker": "^3.948.0",
+        "@aws-sdk/client-sfn": "^3.948.0",
+        "@aws-sdk/client-shield": "^3.948.0",
+        "@aws-sdk/client-ssm": "^3.948.0",
         "@aws-sdk/client-sts": "^3.948.0",
-        "@aws-sdk/s3-request-presigner": "^3.859.0",
+        "@aws-sdk/client-transfer": "^3.948.0",
+        "@aws-sdk/s3-request-presigner": "3.1013.0",
         "@browserbasehq/sdk": "2.6.0",
         "@browserbasehq/stagehand": "^3.0.5",
         "@mendable/firecrawl-js": "^4.9.3",
 
@@ -1,11 +1,25 @@
 import {
   GetObjectCommand,
+  PutObjectCommand,
   S3Client,
   type GetObjectCommandOutput,
 } from '@aws-sdk/client-s3';
+import { getSignedUrl as _getSignedUrl } from '@aws-sdk/s3-request-presigner';
 import { Logger } from '@nestjs/common';
 import '../config/load-env';
 
+/**
+ * Re-export getSignedUrl with a type workaround for duplicate @smithy/types.
+ * Bun/Docker installs separate @smithy/types copies for @aws-sdk/client-s3
+ * and @aws-sdk/s3-request-presigner even when pinned to the same version.
+ * The runtime types are fully compatible — only the TypeScript class identity differs.
+ */
+export const getSignedUrl = _getSignedUrl as unknown as (
+  client: S3Client,
+  command: GetObjectCommand | PutObjectCommand,
+  options?: { expiresIn?: number },
+) => Promise<string>;
+
 const logger = new Logger('S3');
 
 const APP_AWS_REGION = process.env.APP_AWS_REGION;
 
@@ -5,7 +5,7 @@ import {
   PutObjectCommand,
   S3Client,
 } from '@aws-sdk/client-s3';
-import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
+import { getSignedUrl, s3Client } from '@/app/s3';
 import { AttachmentEntityType, AttachmentType, db } from '@db';
 import {
   BadRequestException,
@@ -15,7 +15,6 @@ import {
 import { randomBytes } from 'crypto';
 import { AttachmentResponseDto } from '../tasks/dto/task-responses.dto';
 import { UploadAttachmentDto } from './upload-attachment.dto';
-import { s3Client } from '@/app/s3';
 import { validateFileContent } from '../utils/file-type-validation';
 
 @Injectable()
 
@@ -76,6 +76,10 @@ export const UserId = createParamDecorator(
     }
 
     if (!userId) {
+      // For service tokens: allow if no user context needed (return a system identifier)
+      if (authType === 'service') {
+        return 'system';
+      }
       throw new Error(
         'User ID not found. Ensure HybridAuthGuard is applied and using session auth.',
       );
 
@@ -112,6 +112,21 @@ export class HybridAuthGuard implements CanActivate {
     request.isPlatformAdmin = false;
     request.userRoles = null;
 
+    // Service tokens can pass x-user-id to act on behalf of a user
+    // Validate that the user exists and belongs to the organization
+    const actingUserId = request.headers['x-user-id'] as string;
+    if (actingUserId) {
+      const member = await db.member.findFirst({
+        where: { userId: actingUserId, organizationId },
+        select: { userId: true },
+      });
+      if (member) {
+        request.userId = actingUserId;
+      } else {
+        this.logger.warn(`Service token x-user-id "${actingUserId}" not found in org ${organizationId}`);
+      }
+    }
+
     this.logger.log(
       `Service "${service.definition.name}" authenticated for org ${organizationId}`,
     );
 
@@ -10,7 +10,7 @@ import {
   PutObjectCommand,
   S3Client,
 } from '@aws-sdk/client-s3';
-import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
+import { getSignedUrl } from '@/app/s3';
 
 const BROWSER_WIDTH = 1440;
 const BROWSER_HEIGHT = 900;