@agent-relay/cloud 0.1.0

package/dist/api/workspaces.js

@@ -0,0 +1,1799 @@
+/**
+ * Workspaces API Routes
+ *
+ * One-click workspace provisioning and management.
+ * Includes auto-access based on GitHub repo permissions.
+ */
+import { Router } from 'express';
+import { requireAuth } from './auth.js';
+import { db } from '../db/index.js';
+import { getProvisioner, getProvisioningStage } from '../provisioner/index.js';
+import { checkWorkspaceLimit } from './middleware/planLimits.js';
+import { getConfig } from '../config.js';
+import { nangoService } from '../services/nango.js';
+// Simple in-memory cache for workspace access checks
+// Key: `${userId}:${workspaceId}`
+const workspaceAccessCache = new Map();
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+function getCachedAccess(userId, workspaceId) {
+    const key = `${userId}:${workspaceId}`;
+    const cached = workspaceAccessCache.get(key);
+    if (!cached)
+        return null;
+    // Check if expired
+    if (Date.now() - cached.cachedAt > CACHE_TTL_MS) {
+        workspaceAccessCache.delete(key);
+        return null;
+    }
+    return cached;
+}
+function setCachedAccess(userId, workspaceId, access) {
+    const key = `${userId}:${workspaceId}`;
+    workspaceAccessCache.set(key, { ...access, cachedAt: Date.now() });
+}
+function _invalidateCachedAccess(userId, workspaceId) {
+    if (workspaceId) {
+        workspaceAccessCache.delete(`${userId}:${workspaceId}`);
+    }
+    else {
+        // Invalidate all cache entries for this user
+        for (const key of workspaceAccessCache.keys()) {
+            if (key.startsWith(`${userId}:`)) {
+                workspaceAccessCache.delete(key);
+            }
+        }
+    }
+}
+// Cache keyed by nangoConnectionId
+const userReposCache = new Map();
+const USER_REPOS_CACHE_TTL_MS = 10 * 60 * 1000; // 10 minutes - hard expiry
+const STALE_WHILE_REVALIDATE_MS = 5 * 60 * 1000; // Trigger background refresh after 5 minutes
+const MAX_CACHE_ENTRIES = 500; // Prevent unbounded growth
+/**
+ * Evict oldest cache entries if we exceed the limit
+ */
+function evictOldestCacheEntries() {
+    if (userReposCache.size <= MAX_CACHE_ENTRIES)
+        return;
+    // Convert to array, sort by cachedAt (oldest first), delete oldest entries
+    const entries = Array.from(userReposCache.entries())
+        .sort((a, b) => a[1].cachedAt - b[1].cachedAt);
+    const toEvict = entries.slice(0, entries.length - MAX_CACHE_ENTRIES);
+    for (const [key] of toEvict) {
+        console.log(`[repos-cache] Evicting oldest cache entry: ${key.substring(0, 8)}`);
+        userReposCache.delete(key);
+    }
+}
+/**
+ * Background refresh function that paginates through ALL user repos
+ */
+async function refreshUserReposInBackground(nangoConnectionId) {
+    const cached = userReposCache.get(nangoConnectionId);
+    // Don't start if refresh already in progress
+    if (cached?.refreshInProgress) {
+        console.log(`[repos-cache] Background refresh already in progress for ${nangoConnectionId.substring(0, 8)}`);
+        return;
+    }
+    // Mark as refreshing
+    if (cached) {
+        cached.refreshInProgress = true;
+    }
+    else {
+        // Create placeholder entry
+        userReposCache.set(nangoConnectionId, {
+            repositories: [],
+            cachedAt: Date.now(),
+            isComplete: false,
+            refreshInProgress: true,
+        });
+    }
+    console.log(`[repos-cache] Starting background refresh for ${nangoConnectionId.substring(0, 8)}`);
+    try {
+        const allRepos = [];
+        let page = 1;
+        let hasMore = true;
+        const MAX_PAGES = 20; // Safety limit: 20 pages * 100 repos = 2000 repos max
+        while (hasMore && page <= MAX_PAGES) {
+            const result = await nangoService.listUserAccessibleRepos(nangoConnectionId, {
+                perPage: 100,
+                page,
+                type: 'all',
+            });
+            allRepos.push(...result.repositories.map(r => ({
+                fullName: r.fullName,
+                permissions: r.permissions,
+            })));
+            hasMore = result.hasMore;
+            page++;
+            // Small delay between pages to avoid rate limiting
+            if (hasMore) {
+                await new Promise(resolve => setTimeout(resolve, 100));
+            }
+        }
+        console.log(`[repos-cache] Background refresh complete for ${nangoConnectionId.substring(0, 8)}: ${allRepos.length} repos across ${page - 1} pages`);
+        userReposCache.set(nangoConnectionId, {
+            repositories: allRepos,
+            cachedAt: Date.now(),
+            isComplete: true,
+            refreshInProgress: false,
+        });
+        evictOldestCacheEntries();
+    }
+    catch (err) {
+        console.error(`[repos-cache] Background refresh failed for ${nangoConnectionId.substring(0, 8)}:`, err);
+        // Mark refresh as done even on error, keep existing data if any
+        const existing = userReposCache.get(nangoConnectionId);
+        if (existing) {
+            existing.refreshInProgress = false;
+        }
+    }
+}
+/**
+ * Get cached user repos, triggering background refresh if stale
+ * Returns null if no cache exists (caller should fetch first page synchronously)
+ */
+function getCachedUserRepos(nangoConnectionId) {
+    const cached = userReposCache.get(nangoConnectionId);
+    if (!cached)
+        return null;
+    const age = Date.now() - cached.cachedAt;
+    // If expired, delete and return null
+    if (age > USER_REPOS_CACHE_TTL_MS) {
+        console.log(`[repos-cache] Cache expired for ${nangoConnectionId.substring(0, 8)}`);
+        userReposCache.delete(nangoConnectionId);
+        return null;
+    }
+    // If stale but valid, trigger background refresh
+    if (age > STALE_WHILE_REVALIDATE_MS && !cached.refreshInProgress) {
+        console.log(`[repos-cache] Cache stale for ${nangoConnectionId.substring(0, 8)}, triggering background refresh`);
+        // Fire and forget - don't await
+        refreshUserReposInBackground(nangoConnectionId).catch(() => { });
+    }
+    return cached;
+}
+// Track in-flight initializations to prevent duplicate API calls
+const initializingConnections = new Set();
+/**
+ * Initialize cache with first page and trigger background refresh for rest
+ * Returns the first page of repos immediately
+ */
+async function initializeUserReposCache(nangoConnectionId) {
+    // Check if another request is already initializing this connection
+    if (initializingConnections.has(nangoConnectionId)) {
+        console.log(`[repos-cache] Another request is initializing ${nangoConnectionId.substring(0, 8)}, waiting...`);
+        // Wait a bit and check cache again
+        await new Promise(resolve => setTimeout(resolve, 500));
+        const cached = userReposCache.get(nangoConnectionId);
+        if (cached) {
+            return cached.repositories;
+        }
+        // Still no cache, fall through to initialize (previous request may have failed)
+    }
+    initializingConnections.add(nangoConnectionId);
+    try {
+        // Fetch first page synchronously
+        const firstPage = await nangoService.listUserAccessibleRepos(nangoConnectionId, {
+            perPage: 100,
+            page: 1,
+            type: 'all',
+        });
+        const repos = firstPage.repositories.map(r => ({
+            fullName: r.fullName,
+            permissions: r.permissions,
+        }));
+        // Store first page immediately
+        userReposCache.set(nangoConnectionId, {
+            repositories: repos,
+            cachedAt: Date.now(),
+            isComplete: !firstPage.hasMore,
+            refreshInProgress: firstPage.hasMore, // Will be refreshing if there's more
+        });
+        evictOldestCacheEntries();
+        // If there are more pages, trigger background refresh to get the rest
+        if (firstPage.hasMore) {
+            console.log(`[repos-cache] First page has ${repos.length} repos, more available - triggering background pagination`);
+            // Fire and forget - reuse the shared background refresh function
+            // But start from page 2 with the existing repos
+            (async () => {
+                try {
+                    const allRepos = [...repos];
+                    let page = 2;
+                    let hasMore = true;
+                    const MAX_PAGES = 20;
+                    while (hasMore && page <= MAX_PAGES) {
+                        const result = await nangoService.listUserAccessibleRepos(nangoConnectionId, {
+                            perPage: 100,
+                            page,
+                            type: 'all',
+                        });
+                        allRepos.push(...result.repositories.map(r => ({
+                            fullName: r.fullName,
+                            permissions: r.permissions,
+                        })));
+                        hasMore = result.hasMore;
+                        page++;
+                        if (hasMore) {
+                            await new Promise(resolve => setTimeout(resolve, 100));
+                        }
+                    }
+                    console.log(`[repos-cache] Background pagination complete: ${allRepos.length} total repos`);
+                    userReposCache.set(nangoConnectionId, {
+                        repositories: allRepos,
+                        cachedAt: Date.now(),
+                        isComplete: true,
+                        refreshInProgress: false,
+                    });
+                    evictOldestCacheEntries();
+                }
+                catch (err) {
+                    console.error('[repos-cache] Background pagination failed:', err);
+                    const existing = userReposCache.get(nangoConnectionId);
+                    if (existing) {
+                        existing.refreshInProgress = false;
+                    }
+                }
+            })();
+        }
+        return repos;
+    }
+    finally {
+        initializingConnections.delete(nangoConnectionId);
+    }
+}
+// ============================================================================
+// Workspace Access Middleware
+// ============================================================================
+/**
+ * Check if user has access to a workspace via:
+ * 1. Workspace ownership (userId matches)
+ * 2. Explicit workspace_members record
+ * 3. GitHub repo access (just-in-time check via Nango)
+ */
+export async function checkWorkspaceAccess(userId, workspaceId) {
+    // Check cache first
+    const cached = getCachedAccess(userId, workspaceId);
+    if (cached) {
+        return { hasAccess: cached.hasAccess, accessType: cached.accessType, permission: cached.permission };
+    }
+    // 1. Check if user is workspace owner
+    const workspace = await db.workspaces.findById(workspaceId);
+    if (!workspace) {
+        return { hasAccess: false, accessType: 'none' };
+    }
+    if (workspace.userId === userId) {
+        setCachedAccess(userId, workspaceId, { hasAccess: true, accessType: 'owner', permission: 'admin' });
+        return { hasAccess: true, accessType: 'owner', permission: 'admin' };
+    }
+    // 2. Check explicit workspace_members
+    const member = await db.workspaceMembers.findMembership(workspaceId, userId);
+    if (member && member.acceptedAt) {
+        const permission = member.role === 'admin' ? 'admin' : member.role === 'member' ? 'write' : 'read';
+        setCachedAccess(userId, workspaceId, { hasAccess: true, accessType: 'member', permission });
+        return { hasAccess: true, accessType: 'member', permission };
+    }
+    // 3. Check GitHub repo access (just-in-time)
+    const user = await db.users.findById(userId);
+    if (!user?.nangoConnectionId) {
+        setCachedAccess(userId, workspaceId, { hasAccess: false, accessType: 'none' });
+        return { hasAccess: false, accessType: 'none' };
+    }
+    const repos = await db.repositories.findByWorkspaceId(workspaceId);
+    if (repos.length === 0) {
+        setCachedAccess(userId, workspaceId, { hasAccess: false, accessType: 'none' });
+        return { hasAccess: false, accessType: 'none' };
+    }
+    // Check if user has access to ANY repo in this workspace
+    for (const repo of repos) {
+        try {
+            const [owner, repoName] = repo.githubFullName.split('/');
+            const accessResult = await nangoService.checkUserRepoAccess(user.nangoConnectionId, owner, repoName);
+            if (accessResult.hasAccess && accessResult.permission && accessResult.permission !== 'none') {
+                setCachedAccess(userId, workspaceId, {
+                    hasAccess: true,
+                    accessType: 'contributor',
+                    permission: accessResult.permission
+                });
+                return { hasAccess: true, accessType: 'contributor', permission: accessResult.permission };
+            }
+        }
+        catch (err) {
+            // Continue to next repo on error
+            console.warn(`[workspace-access] Failed to check repo access for ${repo.githubFullName}:`, err);
+        }
+    }
+    // No access found
+    setCachedAccess(userId, workspaceId, { hasAccess: false, accessType: 'none' });
+    return { hasAccess: false, accessType: 'none' };
+}
+/**
+ * Middleware to require workspace access.
+ * Checks ownership, membership, or GitHub repo access.
+ */
+export function requireWorkspaceAccess(req, res, next) {
+    const userId = req.session.userId;
+    const workspaceId = (req.params.id || req.params.workspaceId);
+    if (!userId) {
+        res.status(401).json({ error: 'Authentication required' });
+        return;
+    }
+    if (!workspaceId) {
+        res.status(400).json({ error: 'Workspace ID required' });
+        return;
+    }
+    checkWorkspaceAccess(userId, workspaceId)
+        .then((result) => {
+        if (result.hasAccess) {
+            // Attach access info to request for downstream use
+            req.workspaceAccess = {
+                accessType: result.accessType,
+                permission: result.permission,
+            };
+            next();
+        }
+        else {
+            res.status(403).json({ error: 'No access to this workspace' });
+        }
+    })
+        .catch((err) => {
+        console.error('[workspace-access] Error checking access:', err);
+        res.status(500).json({ error: 'Failed to check workspace access' });
+    });
+}
+export const workspacesRouter = Router();
+// All routes require authentication
+workspacesRouter.use(requireAuth);
+/**
+ * GET /api/workspaces
+ * List user's workspaces (owned + member workspaces)
+ */
+workspacesRouter.get('/', async (req, res) => {
+    const userId = req.session.userId;
+    try {
+        // Get owned workspaces
+        const ownedWorkspaces = await db.workspaces.findByUserId(userId);
+        // Get workspaces where user is a member
+        const memberships = await db.workspaceMembers.findByUserId(userId);
+        const ownedWorkspaceIds = new Set(ownedWorkspaces.map((w) => w.id));
+        const memberWorkspaceIds = memberships
+            .map((m) => m.workspaceId)
+            .filter((wsId) => !ownedWorkspaceIds.has(wsId)); // Exclude owned to prevent duplicates
+        // Fetch member workspaces (optimize with Promise.all instead of loop)
+        const memberWorkspaces = (await Promise.all(memberWorkspaceIds.map((wsId) => db.workspaces.findById(wsId)))).filter((ws) => ws !== null);
+        // Combine and sort by creation date
+        const allWorkspaces = [...ownedWorkspaces, ...memberWorkspaces].sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime());
+        res.json({
+            workspaces: allWorkspaces.map((w) => ({
+                id: w.id,
+                name: w.name,
+                status: w.status,
+                publicUrl: w.publicUrl,
+                providers: w.config.providers,
+                repositories: w.config.repositories,
+                createdAt: w.createdAt,
+                isOwner: w.userId === userId, // Flag to indicate ownership
+            })),
+        });
+    }
+    catch (error) {
+        console.error('Error listing workspaces:', error);
+        res.status(500).json({ error: 'Failed to list workspaces' });
+    }
+});
+/**
+ * POST /api/workspaces
+ * Create (provision) a new workspace
+ */
+workspacesRouter.post('/', checkWorkspaceLimit, async (req, res) => {
+    const userId = req.session.userId;
+    const { name, providers, repositories, supervisorEnabled, maxAgents } = req.body;
+    // Validation
+    if (!name || typeof name !== 'string') {
+        return res.status(400).json({ error: 'Name is required' });
+    }
+    if (!providers || !Array.isArray(providers) || providers.length === 0) {
+        return res.status(400).json({ error: 'At least one provider is required' });
+    }
+    if (!repositories || !Array.isArray(repositories)) {
+        return res.status(400).json({ error: 'Repositories array is required' });
+    }
+    // Check if any of the repos already have a workspace the user can access
+    // This prevents creating duplicate workspaces for the same repo
+    for (const repoFullName of repositories) {
+        const existingRepos = await db.repositories.findByGithubFullName(repoFullName);
+        for (const existingRepo of existingRepos) {
+            if (existingRepo.workspaceId) {
+                const accessResult = await checkWorkspaceAccess(userId, existingRepo.workspaceId);
+                if (accessResult.hasAccess) {
+                    const existingWorkspace = await db.workspaces.findById(existingRepo.workspaceId);
+                    if (existingWorkspace) {
+                        console.log(`[workspaces/create] User ${userId.substring(0, 8)} has access to existing workspace ${existingWorkspace.id.substring(0, 8)} for repo ${repoFullName}`);
+                        return res.status(409).json({
+                            error: 'A workspace already exists for one of these repositories',
+                            existingWorkspace: {
+                                id: existingWorkspace.id,
+                                name: existingWorkspace.name,
+                                publicUrl: existingWorkspace.publicUrl,
+                                accessType: accessResult.accessType,
+                            },
+                            conflictingRepo: repoFullName,
+                            message: `You already have ${accessResult.accessType} access to workspace "${existingWorkspace.name}" which includes ${repoFullName}.`,
+                        });
+                    }
+                }
+            }
+        }
+    }
+    // Verify user has credentials for all providers
+    const credentials = await db.credentials.findByUserId(userId);
+    const connectedProviders = new Set(credentials.map((c) => c.provider));
+    for (const provider of providers) {
+        if (!connectedProviders.has(provider)) {
+            return res.status(400).json({
+                error: `Provider ${provider} not connected. Please connect it first.`,
+            });
+        }
+    }
+    try {
+        const provisioner = getProvisioner();
+        const result = await provisioner.provision({
+            userId,
+            name,
+            providers,
+            repositories,
+            supervisorEnabled,
+            maxAgents,
+        });
+        if (result.status === 'error') {
+            return res.status(500).json({
+                error: 'Failed to provision workspace',
+                details: result.error,
+            });
+        }
+        res.status(201).json({
+            workspaceId: result.workspaceId,
+            status: result.status,
+            publicUrl: result.publicUrl,
+        });
+    }
+    catch (error) {
+        console.error('Error creating workspace:', error);
+        res.status(500).json({ error: 'Failed to create workspace' });
+    }
+});
+/**
+ * GET /api/workspaces/summary
+ * Get summary of all user workspaces for dashboard status indicator (owned + member workspaces)
+ * NOTE: This route MUST be before /:id to avoid being caught by parameterized route
+ */
+workspacesRouter.get('/summary', async (req, res) => {
+    const userId = req.session.userId;
+    try {
+        // Get owned workspaces
+        const ownedWorkspaces = await db.workspaces.findByUserId(userId);
+        // Get workspaces where user is a member
+        const memberships = await db.workspaceMembers.findByUserId(userId);
+        const ownedWorkspaceIds = new Set(ownedWorkspaces.map((w) => w.id));
+        const memberWorkspaceIds = memberships
+            .map((m) => m.workspaceId)
+            .filter((wsId) => !ownedWorkspaceIds.has(wsId));
+        // Fetch member workspaces (optimize with Promise.all)
+        const memberWorkspaces = (await Promise.all(memberWorkspaceIds.map((wsId) => db.workspaces.findById(wsId)))).filter((ws) => ws !== null);
+        const workspaces = [...ownedWorkspaces, ...memberWorkspaces];
+        const provisioner = getProvisioner();
+        // Get live status for each workspace
+        const workspaceSummaries = await Promise.all(workspaces.map(async (w) => {
+            let liveStatus = w.status;
+            try {
+                liveStatus = await provisioner.getStatus(w.id);
+            }
+            catch {
+                // Fall back to DB status
+            }
+            return {
+                id: w.id,
+                name: w.name,
+                status: liveStatus,
+                publicUrl: w.publicUrl,
+                isStopped: liveStatus === 'stopped',
+                isRunning: liveStatus === 'running',
+                isProvisioning: liveStatus === 'provisioning',
+                hasError: liveStatus === 'error',
+            };
+        }));
+        // Overall status for quick dashboard indicator
+        const hasRunningWorkspace = workspaceSummaries.some(w => w.isRunning);
+        const hasStoppedWorkspace = workspaceSummaries.some(w => w.isStopped);
+        const hasProvisioningWorkspace = workspaceSummaries.some(w => w.isProvisioning);
+        res.json({
+            workspaces: workspaceSummaries,
+            summary: {
+                total: workspaceSummaries.length,
+                running: workspaceSummaries.filter(w => w.isRunning).length,
+                stopped: workspaceSummaries.filter(w => w.isStopped).length,
+                provisioning: workspaceSummaries.filter(w => w.isProvisioning).length,
+                error: workspaceSummaries.filter(w => w.hasError).length,
+            },
+            overallStatus: hasRunningWorkspace
+                ? 'ready'
+                : hasProvisioningWorkspace
+                    ? 'provisioning'
+                    : hasStoppedWorkspace
+                        ? 'stopped'
+                        : workspaceSummaries.length === 0
+                            ? 'none'
+                            : 'error',
+        });
+    }
+    catch (error) {
+        console.error('Error getting workspace summary:', error);
+        res.status(500).json({ error: 'Failed to get workspace summary' });
+    }
+});
+/**
+ * GET /api/workspaces/primary
+ * Get the user's primary workspace (first/default) with live status (owned + member workspaces)
+ * Used by dashboard to show quick status indicator
+ * NOTE: This route MUST be before /:id to avoid being caught by parameterized route
+ */
+workspacesRouter.get('/primary', async (req, res) => {
+    const userId = req.session.userId;
+    try {
+        // Get owned workspaces
+        const ownedWorkspaces = await db.workspaces.findByUserId(userId);
+        // Get workspaces where user is a member
+        const memberships = await db.workspaceMembers.findByUserId(userId);
+        const ownedWorkspaceIds = new Set(ownedWorkspaces.map((w) => w.id));
+        const memberWorkspaceIds = memberships
+            .map((m) => m.workspaceId)
+            .filter((wsId) => !ownedWorkspaceIds.has(wsId));
+        // Fetch member workspaces (optimize with Promise.all)
+        const memberWorkspaces = (await Promise.all(memberWorkspaceIds.map((wsId) => db.workspaces.findById(wsId)))).filter((ws) => ws !== null);
+        const workspaces = [...ownedWorkspaces, ...memberWorkspaces];
+        if (workspaces.length === 0) {
+            return res.json({
+                exists: false,
+                message: 'No workspace found. Connect a repository to auto-provision one.',
+            });
+        }
+        const primary = workspaces[0];
+        const provisioner = getProvisioner();
+        let liveStatus = primary.status;
+        try {
+            liveStatus = await provisioner.getStatus(primary.id);
+        }
+        catch {
+            // Fall back to DB status
+        }
+        res.json({
+            exists: true,
+            workspace: {
+                id: primary.id,
+                name: primary.name,
+                status: liveStatus,
+                publicUrl: primary.publicUrl,
+                isStopped: liveStatus === 'stopped',
+                isRunning: liveStatus === 'running',
+                isProvisioning: liveStatus === 'provisioning',
+                hasError: liveStatus === 'error',
+                config: {
+                    providers: primary.config.providers || [],
+                    repositories: primary.config.repositories || [],
+                },
+            },
+            // Quick messages for UI
+            statusMessage: liveStatus === 'running'
+                ? 'Workspace is running'
+                : liveStatus === 'stopped'
+                    ? 'Workspace is idle (will start automatically when needed)'
+                    : liveStatus === 'provisioning'
+                        ? 'Workspace is being provisioned...'
+                        : 'Workspace has an error',
+            actionNeeded: liveStatus === 'stopped'
+                ? 'wakeup'
+                : liveStatus === 'error'
+                    ? 'check_error'
+                    : null,
+        });
+    }
+    catch (error) {
+        console.error('Error getting primary workspace:', error);
+        res.status(500).json({ error: 'Failed to get primary workspace' });
+    }
+});
+/**
+ * GET /api/workspaces/accessible
+ * List all workspaces the user can access:
+ * - Owned workspaces
+ * - Workspaces where user is a member
+ * - Workspaces with repos the user has GitHub access to
+ * NOTE: This route MUST be before /:id to avoid being caught by parameterized route
+ */
+workspacesRouter.get('/accessible', async (req, res) => {
+    const userId = req.session.userId;
+    try {
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        // 1. Get owned workspaces
+        const ownedWorkspaces = await db.workspaces.findByUserId(userId);
+        // 2. Get workspaces where user is a member (excluding owned ones to prevent duplicates)
+        const ownedWorkspaceIds = new Set(ownedWorkspaces.map((w) => w.id));
+        const memberships = await db.workspaceMembers.findByUserId(userId);
+        const memberWorkspaceIds = memberships
+            .map((m) => m.workspaceId)
+            .filter((wsId) => !ownedWorkspaceIds.has(wsId)); // Exclude owned workspaces
+        // Fetch member workspaces
+        const memberWorkspaces = [];
+        for (const wsId of memberWorkspaceIds) {
+            const ws = await db.workspaces.findById(wsId);
+            if (ws)
+                memberWorkspaces.push(ws);
+        }
+        // 3. Get workspaces via GitHub repo access (if user has Nango connection)
+        // Uses background caching to handle users with many repos (>100)
+        const contributorWorkspaces = [];
+        let cacheStatus = 'miss';
+        if (user.nangoConnectionId) {
+            try {
+                console.log(`[workspaces/accessible] Checking GitHub repo access for user ${userId.substring(0, 8)} with nangoConnectionId ${user.nangoConnectionId.substring(0, 8)}...`);
+                // Try to get cached repos first
+                let userRepos;
+                const cached = getCachedUserRepos(user.nangoConnectionId);
+                if (cached) {
+                    userRepos = cached.repositories;
+                    cacheStatus = 'hit';
+                    console.log(`[workspaces/accessible] Cache ${cached.isComplete ? 'hit (complete)' : 'hit (partial)'}: ${userRepos.length} repos`);
+                }
+                else {
+                    // No cache - initialize with first page and trigger background refresh
+                    userRepos = await initializeUserReposCache(user.nangoConnectionId);
+                    cacheStatus = 'initializing';
+                    console.log(`[workspaces/accessible] Cache miss - initialized with ${userRepos.length} repos (background refresh may add more)`);
+                }
+                // Get workspaces that aren't owned or membered
+                // Reuse ownedWorkspaceIds and add member workspace IDs
+                const knownWorkspaceIds = new Set([
+                    ...ownedWorkspaceIds,
+                    ...memberWorkspaceIds,
+                ]);
+                // Get all repo full names from user's accessible repos
+                for (const repo of userRepos) {
+                    // Find repos in our DB that match this full name (case-insensitive)
+                    const dbRepos = await db.repositories.findByGithubFullName(repo.fullName);
+                    if (dbRepos.length > 0) {
+                        console.log(`[workspaces/accessible] Found ${dbRepos.length} DB records for repo ${repo.fullName}`);
+                    }
+                    for (const dbRepo of dbRepos) {
+                        if (dbRepo.workspaceId && !knownWorkspaceIds.has(dbRepo.workspaceId)) {
+                            const ws = await db.workspaces.findById(dbRepo.workspaceId);
+                            if (ws) {
+                                console.log(`[workspaces/accessible] Granting contributor access to workspace ${ws.id.substring(0, 8)} via repo ${repo.fullName}`);
+                                // Determine permission level
+                                const permission = repo.permissions.admin
+                                    ? 'admin'
+                                    : repo.permissions.push
+                                        ? 'write'
+                                        : 'read';
+                                contributorWorkspaces.push({ ...ws, accessPermission: permission });
+                                knownWorkspaceIds.add(ws.id);
+                            }
+                        }
+                        else if (!dbRepo.workspaceId) {
+                            console.log(`[workspaces/accessible] Repo ${repo.fullName} found in DB but has no workspaceId`);
+                        }
+                    }
+                }
+                console.log(`[workspaces/accessible] Found ${contributorWorkspaces.length} contributor workspaces (cache: ${cacheStatus})`);
+            }
+            catch (err) {
+                console.warn('[workspaces/accessible] Failed to check GitHub repo access:', err);
+                // Continue without contributor workspaces
+            }
+        }
+        else {
+            console.log(`[workspaces/accessible] User ${userId.substring(0, 8)} has no nangoConnectionId - skipping GitHub repo access check`);
+        }
+        // Format response - include all fields the dashboard expects
+        const formatWorkspace = (ws, accessType, permission) => ({
+            id: ws.id,
+            name: ws.name,
+            status: ws.status,
+            publicUrl: ws.publicUrl,
+            providers: ws.config?.providers,
+            repositories: ws.config?.repositories,
+            accessType,
+            permission: permission || (accessType === 'owner' ? 'admin' : 'read'),
+            createdAt: ws.createdAt,
+        });
+        res.json({
+            workspaces: [
+                ...ownedWorkspaces.map((w) => formatWorkspace(w, 'owner', 'admin')),
+                ...memberWorkspaces.map((w) => {
+                    const membership = memberships.find((m) => m.workspaceId === w.id);
+                    return formatWorkspace(w, 'member', membership?.role);
+                }),
+                ...contributorWorkspaces.map((w) => formatWorkspace(w, 'contributor', w.accessPermission)),
+            ],
+            summary: {
+                owned: ownedWorkspaces.length,
+                member: memberWorkspaces.length,
+                contributor: contributorWorkspaces.length,
+                total: ownedWorkspaces.length + memberWorkspaces.length + contributorWorkspaces.length,
+            },
+        });
+    }
+    catch (error) {
+        console.error('Error getting accessible workspaces:', error);
+        res.status(500).json({ error: 'Failed to get accessible workspaces' });
+    }
+});
+/**
+ * GET /api/workspaces/:id
+ * Get workspace details
+ * Uses requireWorkspaceAccess middleware for auto-access via GitHub repos
+ */
+workspacesRouter.get('/:id', requireWorkspaceAccess, async (req, res) => {
+    const id = req.params.id;
+    const _workspaceAccess = req.workspaceAccess;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Get repositories assigned to this workspace
+        const repositories = await db.repositories.findByWorkspaceId(id);
+        res.json({
+            id: workspace.id,
+            name: workspace.name,
+            status: workspace.status,
+            publicUrl: workspace.publicUrl,
+            computeProvider: workspace.computeProvider,
+            config: workspace.config,
+            errorMessage: workspace.errorMessage,
+            repositories: repositories.map((r) => ({
+                id: r.id,
+                fullName: r.githubFullName,
+                syncStatus: r.syncStatus,
+                lastSyncedAt: r.lastSyncedAt,
+            })),
+            createdAt: workspace.createdAt,
+            updatedAt: workspace.updatedAt,
+        });
+    }
+    catch (error) {
+        console.error('Error getting workspace:', error);
+        res.status(500).json({ error: 'Failed to get workspace' });
+    }
+});
+/**
+ * GET /api/workspaces/:id/status
+ * Get current workspace status (polls compute provider)
+ */
+workspacesRouter.get('/:id/status', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        const provisioner = getProvisioner();
+        const status = await provisioner.getStatus(id);
+        // Include provisioning progress info if it exists (even after status changes to 'running')
+        // This allows the frontend to see all stages including 'complete'
+        const provisioningProgress = getProvisioningStage(id);
+        res.json({
+            status,
+            provisioning: provisioningProgress ? {
+                stage: provisioningProgress.stage,
+                startedAt: provisioningProgress.startedAt,
+                elapsedMs: Date.now() - provisioningProgress.startedAt,
+            } : null,
+        });
+    }
+    catch (error) {
+        console.error('Error getting workspace status:', error);
+        res.status(500).json({ error: 'Failed to get status' });
+    }
+});
+/**
+ * POST /api/workspaces/:id/restart
+ * Restart a workspace
+ */
+workspacesRouter.post('/:id/restart', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        const provisioner = getProvisioner();
+        await provisioner.restart(id);
+        res.json({ success: true, message: 'Workspace restarting' });
+    }
+    catch (error) {
+        console.error('Error restarting workspace:', error);
+        res.status(500).json({ error: 'Failed to restart workspace' });
+    }
+});
+/**
+ * POST /api/workspaces/:id/stop
+ * Stop a workspace
+ */
+workspacesRouter.post('/:id/stop', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        const provisioner = getProvisioner();
+        await provisioner.stop(id);
+        res.json({ success: true, message: 'Workspace stopped' });
+    }
+    catch (error) {
+        console.error('Error stopping workspace:', error);
+        res.status(500).json({ error: 'Failed to stop workspace' });
+    }
+});
+/**
+ * DELETE /api/workspaces/:id
+ * Delete (deprovision) a workspace
+ */
+workspacesRouter.delete('/:id', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        const provisioner = getProvisioner();
+        await provisioner.deprovision(id);
+        res.json({ success: true, message: 'Workspace deleted' });
+    }
+    catch (error) {
+        console.error('Error deleting workspace:', error);
+        res.status(500).json({ error: 'Failed to delete workspace' });
+    }
+});
+/**
+ * POST /api/workspaces/:id/repos
+ * Add repositories to a workspace
+ */
+workspacesRouter.post('/:id/repos', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    const { repositoryIds } = req.body;
+    if (!repositoryIds || !Array.isArray(repositoryIds)) {
+        return res.status(400).json({ error: 'repositoryIds array is required' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        const reposToAssign = [];
+        const repoFullNames = [];
+        for (const repoId of repositoryIds) {
+            const repo = await db.repositories.findById(repoId);
+            if (!repo || repo.userId !== userId) {
+                return res.status(404).json({ error: 'Repository not found' });
+            }
+            if (repo.workspaceId && repo.workspaceId !== id) {
+                return res.status(409).json({
+                    error: 'Repository already linked to another workspace',
+                    workspaceId: repo.workspaceId,
+                });
+            }
+            if (!repo.installationId) {
+                return res.status(400).json({
+                    error: 'Repository not authorized via GitHub App',
+                    message: 'Install the GitHub App for this repository before adding it to a workspace.',
+                });
+            }
+            reposToAssign.push(repo.id);
+            repoFullNames.push(repo.githubFullName);
+        }
+        // Assign repositories to workspace
+        for (const repoId of reposToAssign) {
+            await db.repositories.assignToWorkspace(repoId, id);
+        }
+        // Update workspace config repositories list
+        const existingRepos = workspace.config.repositories ?? [];
+        const updatedRepos = Array.from(new Set([...existingRepos, ...repoFullNames]));
+        if (updatedRepos.length !== existingRepos.length) {
+            await db.workspaces.updateConfig(id, {
+                ...workspace.config,
+                repositories: updatedRepos,
+            });
+        }
+        res.json({ success: true, message: 'Repositories added' });
+    }
+    catch (error) {
+        console.error('Error adding repos to workspace:', error);
+        res.status(500).json({ error: 'Failed to add repositories' });
+    }
+});
+/**
+ * GET /api/workspaces/:id/repos
+ * List repositories linked to a workspace
+ */
+workspacesRouter.get('/:id/repos', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Check access (owner, member, or contributor)
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        // Get repos linked to this workspace
+        const repos = await db.repositories.findByWorkspaceId(id);
+        res.json({
+            repositories: repos.map(r => ({
+                id: r.id,
+                githubFullName: r.githubFullName,
+                defaultBranch: r.defaultBranch,
+                isPrivate: r.isPrivate,
+                syncStatus: r.syncStatus,
+                lastSyncedAt: r.lastSyncedAt,
+            })),
+        });
+    }
+    catch (error) {
+        console.error('Error listing workspace repos:', error);
+        res.status(500).json({ error: 'Failed to list repositories' });
+    }
+});
+/**
+ * GET /api/workspaces/:id/repo-collaborators
+ * Get all collaborators from repos linked to this workspace
+ * These are users who have access via GitHub repo permissions (grandfathered in)
+ */
+workspacesRouter.get('/:id/repo-collaborators', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Check access (owner, member, or contributor)
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        // Get repos linked to this workspace
+        const repos = await db.repositories.findByWorkspaceId(id);
+        if (repos.length === 0) {
+            return res.json({ collaborators: [] });
+        }
+        // Find a repo with a Nango connection (GitHub App)
+        const repoWithConnection = repos.find(r => r.nangoConnectionId);
+        if (!repoWithConnection?.nangoConnectionId) {
+            return res.json({
+                collaborators: [],
+                message: 'GitHub App not connected for this workspace',
+            });
+        }
+        // Get the workspace owner for filtering
+        const owner = await db.users.findById(workspace.userId);
+        // Fetch collaborators for each repo and deduplicate
+        const collaboratorsMap = new Map();
+        // Get existing workspace members to exclude them
+        const existingMembers = await db.workspaceMembers.findByWorkspaceId(id);
+        // Also get the workspace owner's GitHub ID to exclude
+        const ownerGithubId = owner?.githubId ? Number(owner.githubId) : null;
+        for (const repo of repos) {
+            // Use this repo's connection if it has one, otherwise use the shared connection
+            const connectionId = repo.nangoConnectionId || repoWithConnection.nangoConnectionId;
+            if (!connectionId)
+                continue;
+            try {
+                const [repoOwner, repoName] = repo.githubFullName.split('/');
+                const collabs = await nangoService.listRepoCollaborators(connectionId, repoOwner, repoName);
+                for (const collab of collabs) {
+                    // Skip the workspace owner
+                    if (ownerGithubId && collab.id === ownerGithubId) {
+                        continue;
+                    }
+                    const existing = collaboratorsMap.get(collab.id);
+                    if (existing) {
+                        // Add this repo to their list
+                        if (!existing.repos.includes(repo.githubFullName)) {
+                            existing.repos.push(repo.githubFullName);
+                        }
+                        // Upgrade permission if this repo gives higher access
+                        if (collab.permission === 'admin' && existing.permission !== 'admin') {
+                            existing.permission = 'admin';
+                        }
+                        else if (collab.permission === 'write' && existing.permission === 'read') {
+                            existing.permission = 'write';
+                        }
+                    }
+                    else {
+                        collaboratorsMap.set(collab.id, {
+                            id: collab.id,
+                            login: collab.login,
+                            avatarUrl: collab.avatarUrl,
+                            permission: collab.permission,
+                            repos: [repo.githubFullName],
+                        });
+                    }
+                }
+            }
+            catch (err) {
+                console.warn(`[workspace-collaborators] Failed to fetch collaborators for ${repo.githubFullName}:`, err);
+                // Continue with other repos
+            }
+        }
+        // Filter out users who are already workspace members
+        // We need to check by GitHub username since we don't have their user IDs
+        const workspaceMemberUsernames = new Set();
+        for (const member of existingMembers) {
+            const memberUser = await db.users.findById(member.userId);
+            if (memberUser?.githubUsername) {
+                workspaceMemberUsernames.add(memberUser.githubUsername.toLowerCase());
+            }
+        }
+        // Also add workspace owner
+        if (owner?.githubUsername) {
+            workspaceMemberUsernames.add(owner.githubUsername.toLowerCase());
+        }
+        const collaborators = Array.from(collaboratorsMap.values())
+            .filter(c => !workspaceMemberUsernames.has(c.login.toLowerCase()))
+            .sort((a, b) => {
+            // Sort by permission level (admin > write > read), then by username
+            const permOrder = { admin: 0, write: 1, read: 2, none: 3 };
+            if (permOrder[a.permission] !== permOrder[b.permission]) {
+                return permOrder[a.permission] - permOrder[b.permission];
+            }
+            return a.login.localeCompare(b.login);
+        });
+        res.json({
+            collaborators,
+            totalRepos: repos.length,
+        });
+    }
+    catch (error) {
+        console.error('Error fetching repo collaborators:', error);
+        res.status(500).json({ error: 'Failed to fetch collaborators' });
+    }
+});
+/**
+ * DELETE /api/workspaces/:id/repos/:repoId
+ * Remove a repository from a workspace
+ */
+workspacesRouter.delete('/:id/repos/:repoId', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    const repoId = req.params.repoId;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Only owner can remove repos
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Only workspace owner can remove repositories' });
+        }
+        // Unlink repo from workspace (set workspaceId to null)
+        await db.repositories.assignToWorkspace(repoId, null);
+        // Also update workspace config to remove from repositories array
+        const currentRepos = workspace.config.repositories || [];
+        const repo = await db.repositories.findById(repoId);
+        if (repo) {
+            const updatedRepos = currentRepos.filter(r => r.toLowerCase() !== repo.githubFullName.toLowerCase());
+            await db.workspaces.update(id, {
+                config: { ...workspace.config, repositories: updatedRepos },
+            });
+        }
+        res.json({ success: true, message: 'Repository removed from workspace' });
+    }
+    catch (error) {
+        console.error('Error removing repo from workspace:', error);
+        res.status(500).json({ error: 'Failed to remove repository' });
+    }
+});
+/**
+ * PATCH /api/workspaces/:id
+ * Update workspace settings (name, etc.)
+ */
+workspacesRouter.patch('/:id', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    const { name } = req.body;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Only owner can rename
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Only workspace owner can update settings' });
+        }
+        // Validate name if provided
+        if (name !== undefined) {
+            if (typeof name !== 'string' || name.trim().length === 0) {
+                return res.status(400).json({ error: 'Name must be a non-empty string' });
+            }
+            if (name.length > 100) {
+                return res.status(400).json({ error: 'Name must be 100 characters or less' });
+            }
+        }
+        // Update workspace
+        await db.workspaces.update(id, {
+            ...(name && { name: name.trim() }),
+        });
+        const updated = await db.workspaces.findById(id);
+        res.json({
+            success: true,
+            workspace: {
+                id: updated.id,
+                name: updated.name,
+                status: updated.status,
+                publicUrl: updated.publicUrl,
+            },
+        });
+    }
+    catch (error) {
+        console.error('Error updating workspace:', error);
+        res.status(500).json({ error: 'Failed to update workspace' });
+    }
+});
+/**
+ * POST /api/workspaces/:id/autoscale
+ * Trigger auto-scaling based on current agent count
+ * Supports both user session auth and workspace token auth
+ * Called by workspace container when spawning new agents
+ */
+workspacesRouter.post('/:id/autoscale', async (req, res) => {
+    const id = req.params.id;
+    const { agentCount } = req.body;
+    if (typeof agentCount !== 'number' || agentCount < 0) {
+        return res.status(400).json({ error: 'agentCount must be a non-negative number' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Verify auth: either user session or workspace token
+        const userId = req.session?.userId;
+        const authHeader = req.get('authorization');
+        if (userId) {
+            // User session auth
+            if (workspace.userId !== userId) {
+                return res.status(403).json({ error: 'Unauthorized' });
+            }
+        }
+        else if (authHeader?.startsWith('Bearer ')) {
+            // Workspace token auth (for calls from within the workspace)
+            const crypto = await import('crypto');
+            const config = getConfig();
+            const providedToken = authHeader.slice(7);
+            const expectedToken = crypto.default
+                .createHmac('sha256', config.sessionSecret)
+                .update(`workspace:${id}`)
+                .digest('hex');
+            const isValid = crypto.default.timingSafeEqual(Buffer.from(providedToken), Buffer.from(expectedToken));
+            if (!isValid) {
+                return res.status(401).json({ error: 'Invalid workspace token' });
+            }
+        }
+        else {
+            return res.status(401).json({ error: 'Authentication required' });
+        }
+        const provisioner = getProvisioner();
+        const currentTier = await provisioner.getCurrentTier(id);
+        const recommendedTier = provisioner.getRecommendedTier(agentCount);
+        // Check if scaling is needed
+        if (recommendedTier.memoryMb <= currentTier.memoryMb) {
+            return res.json({
+                scaled: false,
+                currentTier: currentTier.name,
+                message: 'Current tier is sufficient',
+            });
+        }
+        // Perform the scale-up (respects plan limits)
+        const result = await provisioner.autoScale(id, agentCount);
+        res.json({
+            scaled: result.scaled,
+            previousTier: result.currentTier || currentTier.name,
+            newTier: result.targetTier || currentTier.name,
+            reason: result.reason,
+            message: result.scaled
+                ? `Scaled up to ${result.targetTier} tier`
+                : result.reason || 'Scaling not required',
+        });
+    }
+    catch (error) {
+        console.error('Error auto-scaling workspace:', error);
+        res.status(500).json({ error: 'Failed to auto-scale workspace' });
+    }
+});
+/**
+ * POST /api/workspaces/:id/domain
+ * Add or update custom domain (Premium feature - Team/Enterprise only)
+ */
+workspacesRouter.post('/:id/domain', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    const { domain } = req.body;
+    if (!domain || typeof domain !== 'string') {
+        return res.status(400).json({ error: 'Domain is required' });
+    }
+    // Basic domain validation
+    const domainRegex = /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/;
+    if (!domainRegex.test(domain)) {
+        return res.status(400).json({ error: 'Invalid domain format' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        // Check if user has premium plan (Team/Enterprise)
+        const user = await db.users.findById(userId);
+        const hasPremium = user?.plan === 'team' || user?.plan === 'enterprise';
+        if (!hasPremium) {
+            return res.status(402).json({
+                error: 'Custom domains require Team or Enterprise plan',
+                upgrade: '/settings/billing',
+            });
+        }
+        // Check if domain is already in use
+        const existing = await db.workspaces.findByCustomDomain(domain);
+        if (existing && existing.id !== id) {
+            return res.status(409).json({ error: 'Domain already in use' });
+        }
+        // Set the custom domain (pending verification)
+        await db.workspaces.setCustomDomain(id, domain, 'pending');
+        // Return DNS instructions
+        res.json({
+            success: true,
+            domain,
+            status: 'pending',
+            instructions: {
+                type: 'CNAME',
+                name: domain,
+                value: workspace.publicUrl?.replace('https://', '') || `${id}.agent-relay.com`,
+                ttl: 300,
+            },
+            verifyEndpoint: `/api/workspaces/${id}/domain/verify`,
+            message: 'Add the CNAME record to your DNS, then call the verify endpoint',
+        });
+    }
+    catch (error) {
+        console.error('Error setting custom domain:', error);
+        res.status(500).json({ error: 'Failed to set custom domain' });
+    }
+});
+/**
+ * POST /api/workspaces/:id/domain/verify
+ * Verify custom domain DNS is configured correctly
+ */
+workspacesRouter.post('/:id/domain/verify', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        if (!workspace.customDomain) {
+            return res.status(400).json({ error: 'No custom domain configured' });
+        }
+        // Verify DNS resolution
+        const dns = await import('dns').then(m => m.promises);
+        try {
+            const records = await dns.resolveCname(workspace.customDomain);
+            const expectedTarget = workspace.publicUrl?.replace('https://', '') || `${id}.agent-relay.com`;
+            if (records.some(r => r.includes(expectedTarget) || r.includes('agentrelay'))) {
+                // DNS is configured, now provision SSL cert
+                await db.workspaces.updateCustomDomainStatus(id, 'verifying');
+                // Trigger SSL cert provisioning on compute provider
+                // For Railway/Fly, this is automatic once domain is added
+                await provisionDomainSSL(workspace);
+                await db.workspaces.updateCustomDomainStatus(id, 'active');
+                res.json({
+                    success: true,
+                    status: 'active',
+                    domain: workspace.customDomain,
+                    message: 'Custom domain verified and SSL certificate provisioned',
+                });
+            }
+            else {
+                res.status(400).json({
+                    success: false,
+                    status: 'pending',
+                    error: 'DNS not configured correctly',
+                    expected: expectedTarget,
+                    found: records,
+                });
+            }
+        }
+        catch (_dnsError) {
+            res.status(400).json({
+                success: false,
+                status: 'pending',
+                error: 'Could not resolve domain. DNS may not be configured yet.',
+            });
+        }
+    }
+    catch (error) {
+        console.error('Error verifying domain:', error);
+        res.status(500).json({ error: 'Failed to verify domain' });
+    }
+});
+/**
+ * DELETE /api/workspaces/:id/domain
+ * Remove custom domain
+ */
+workspacesRouter.delete('/:id/domain', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        // Remove from compute provider
+        if (workspace.customDomain) {
+            await removeDomainFromCompute(workspace);
+        }
+        await db.workspaces.removeCustomDomain(id);
+        res.json({ success: true, message: 'Custom domain removed' });
+    }
+    catch (error) {
+        console.error('Error removing domain:', error);
+        res.status(500).json({ error: 'Failed to remove domain' });
+    }
+});
+/**
+ * Helper: Provision SSL for custom domain on compute provider
+ */
+async function provisionDomainSSL(workspace) {
+    const config = (await import('../config.js')).getConfig();
+    if (workspace.computeProvider === 'fly' && config.compute.fly) {
+        // Fly.io: Add certificate
+        await fetch(`https://api.machines.dev/v1/apps/ar-${workspace.id.substring(0, 8)}/certificates`, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${config.compute.fly.apiToken}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ hostname: workspace.customDomain }),
+        });
+    }
+    else if (workspace.computeProvider === 'railway' && config.compute.railway) {
+        // Railway: Add custom domain via GraphQL
+        await fetch('https://backboard.railway.app/graphql/v2', {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${config.compute.railway.apiToken}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                query: `
+          mutation AddCustomDomain($input: CustomDomainCreateInput!) {
+            customDomainCreate(input: $input) { id }
+          }
+        `,
+                variables: {
+                    input: {
+                        projectId: workspace.computeId,
+                        domain: workspace.customDomain,
+                    },
+                },
+            }),
+        });
+    }
+    // Docker: Would need reverse proxy config (Caddy/nginx)
+}
+/**
+ * Helper: Remove custom domain from compute provider
+ */
+async function removeDomainFromCompute(workspace) {
+    const config = (await import('../config.js')).getConfig();
+    if (workspace.computeProvider === 'fly' && config.compute.fly) {
+        await fetch(`https://api.machines.dev/v1/apps/ar-${workspace.id.substring(0, 8)}/certificates/${workspace.customDomain}`, {
+            method: 'DELETE',
+            headers: { Authorization: `Bearer ${config.compute.fly.apiToken}` },
+        });
+    }
+    // Railway and Docker: similar cleanup
+}
+/**
+ * POST /api/workspaces/:id/proxy/*
+ * Proxy API requests to the workspace container
+ * This allows the dashboard to make REST calls through the cloud server
+ */
+workspacesRouter.all('/:id/proxy/{*proxyPath}', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    // Express 5 wildcard params return an array of path segments, not a slash-separated string
+    const proxyPathParam = req.params.proxyPath;
+    const proxyPath = Array.isArray(proxyPathParam) ? proxyPathParam.join('/') : proxyPathParam;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Check if user is owner or has workspace membership
+        if (workspace.userId !== userId) {
+            // Check workspace membership
+            const membership = await db.workspaceMembers.findMembership(id, userId);
+            if (!membership || !membership.acceptedAt) {
+                return res.status(403).json({ error: 'Unauthorized - not a workspace member' });
+            }
+            // Viewers can only proxy read-only requests
+            if (membership.role === 'viewer' && req.method !== 'GET') {
+                return res.status(403).json({ error: 'Viewers can only make read-only requests' });
+            }
+            // Members and admins can read and write
+            // For now, allow all proxy requests for members and admins
+        }
+        if (workspace.status !== 'running' || !workspace.publicUrl) {
+            return res.status(400).json({ error: 'Workspace is not running' });
+        }
+        // Determine the internal URL for proxying
+        // When running inside Docker or Fly.io, use internal networking
+        let targetBaseUrl = workspace.publicUrl;
+        const runningInDocker = process.env.RUNNING_IN_DOCKER === 'true';
+        const runningOnFly = !!process.env.FLY_APP_NAME;
+        if (runningOnFly && targetBaseUrl.includes('.fly.dev')) {
+            // Use Fly.io internal networking (.internal uses IPv6, works by default)
+            // ar-583f273b.fly.dev -> http://ar-583f273b.internal:3888
+            const appName = targetBaseUrl.match(/https?:\/\/([^.]+)\.fly\.dev/)?.[1];
+            if (appName) {
+                targetBaseUrl = `http://${appName}.internal:3888`;
+            }
+        }
+        else if (runningInDocker && workspace.computeId && targetBaseUrl.includes('localhost')) {
+            // Replace localhost URL with container name for Docker networking
+            // workspace.computeId is the container name (e.g., "ar-abc12345")
+            // The workspace port is 3888 inside the container
+            targetBaseUrl = `http://${workspace.computeId}:3888`;
+        }
+        // Preserve query string when proxying - this is critical for API calls like
+        // /trajectory/steps?trajectoryId=xxx which need the query params forwarded
+        const queryString = req.url.includes('?') ? req.url.substring(req.url.indexOf('?')) : '';
+        const targetUrl = `${targetBaseUrl}/api/${proxyPath}${queryString}`;
+        console.log(`[workspace-proxy] ${req.method} ${targetUrl}`);
+        // Store targetUrl for error handling
+        req._proxyTargetUrl = targetUrl;
+        // Add timeout to prevent hanging requests
+        // 45s timeout to accommodate Fly.io machine cold starts (can take 20-30s)
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 45000);
+        const fetchOptions = {
+            method: req.method,
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            signal: controller.signal,
+        };
+        if (req.method !== 'GET' && req.method !== 'HEAD') {
+            fetchOptions.body = JSON.stringify(req.body);
+        }
+        let proxyRes;
+        try {
+            proxyRes = await fetch(targetUrl, fetchOptions);
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+        console.log(`[workspace-proxy] Response: ${proxyRes.status} ${proxyRes.statusText}`);
+        // Handle non-JSON responses gracefully
+        const contentType = proxyRes.headers.get('content-type');
+        if (contentType?.includes('application/json')) {
+            const data = await proxyRes.json();
+            res.status(proxyRes.status).json(data);
+        }
+        else {
+            const text = await proxyRes.text();
+            res.status(proxyRes.status).send(text);
+        }
+    }
+    catch (error) {
+        const targetUrl = req._proxyTargetUrl || 'unknown';
+        console.error('[workspace-proxy] Error proxying to:', targetUrl);
+        console.error('[workspace-proxy] Error details:', error);
+        // Check for timeout/abort errors
+        if (error instanceof Error && error.name === 'AbortError') {
+            res.status(504).json({
+                error: 'Workspace request timed out',
+                details: 'The workspace did not respond within 45 seconds',
+                targetUrl: targetUrl,
+            });
+            return;
+        }
+        // Check for connection refused (workspace not running)
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        if (errorMessage.includes('ECONNREFUSED') || errorMessage.includes('fetch failed')) {
+            res.status(503).json({
+                error: 'Workspace is not reachable',
+                details: 'The workspace container may not be running or accepting connections',
+                targetUrl: targetUrl,
+            });
+            return;
+        }
+        res.status(500).json({
+            error: 'Failed to proxy request to workspace',
+            details: errorMessage,
+            targetUrl: targetUrl, // Include target URL for debugging
+        });
+    }
+});
+// ============================================================================
+// Agent Management (proxied to workspace daemon)
+// ============================================================================
+/**
+ * POST /api/workspaces/:id/agents
+ * Spawn an agent in the workspace
+ * Proxies to workspace daemon's /workspaces/:id/agents endpoint
+ */
+workspacesRouter.post('/:id/agents', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    const { name, provider, task, temporary: _temporary, interactive } = req.body;
+    if (!userId) {
+        return res.status(401).json({ error: 'Not authenticated' });
+    }
+    if (!name) {
+        return res.status(400).json({ error: 'Agent name is required' });
+    }
+    try {
+        // Find workspace and verify access
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Check access
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Access denied to this workspace' });
+        }
+        // Ensure workspace is running
+        if (workspace.status !== 'running' || !workspace.publicUrl) {
+            return res.status(400).json({
+                error: 'Workspace is not running',
+                status: workspace.status,
+            });
+        }
+        // Proxy to workspace dashboard server's /api/spawn endpoint
+        // The dashboard server expects 'cli' field (not 'provider')
+        const targetUrl = `${workspace.publicUrl.replace(/\/$/, '')}/api/spawn`;
+        console.log(`[workspaces] Proxying agent spawn to: ${targetUrl}`);
+        // Map provider ID to CLI command
+        // Some providers have different CLI names than their provider ID
+        const PROVIDER_CLI_MAP = {
+            anthropic: 'claude',
+            claude: 'claude',
+            codex: 'codex',
+            openai: 'codex',
+            cursor: 'agent', // Cursor CLI installs as 'agent'
+            droid: 'droid',
+            opencode: 'opencode',
+            gemini: 'gemini',
+            google: 'gemini',
+        };
+        const cli = PROVIDER_CLI_MAP[provider || ''] || provider || 'claude';
+        const response = await fetch(targetUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                name,
+                cli, // Use mapped CLI command
+                task: task || '', // Empty task = interactive mode, user responds to prompts
+                interactive: interactive ?? true, // Default to interactive for setup flows
+                userId,
+            }),
+            signal: AbortSignal.timeout(30000),
+        });
+        const data = await response.json();
+        if (!response.ok) {
+            return res.status(response.status).json(data);
+        }
+        res.status(201).json(data);
+    }
+    catch (error) {
+        console.error('[workspaces] Agent spawn error:', error);
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        if (errorMessage.includes('ECONNREFUSED') || errorMessage.includes('fetch failed')) {
+            return res.status(503).json({
+                error: 'Workspace is not reachable',
+                details: 'The workspace container may not be running',
+            });
+        }
+        res.status(500).json({
+            error: 'Failed to spawn agent',
+            details: errorMessage,
+        });
+    }
+});
+/**
+ * GET /api/workspaces/:id/agents
+ * List agents in the workspace
+ */
+workspacesRouter.get('/:id/agents', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    if (!userId) {
+        return res.status(401).json({ error: 'Not authenticated' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Access denied' });
+        }
+        if (workspace.status !== 'running' || !workspace.publicUrl) {
+            return res.status(200).json({ agents: [], workspaceId: id });
+        }
+        // Use dashboard server's /api/spawned endpoint
+        const targetUrl = `${workspace.publicUrl.replace(/\/$/, '')}/api/spawned`;
+        const response = await fetch(targetUrl, {
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            return res.status(200).json({ agents: [], workspaceId: id });
+        }
+        const data = await response.json();
+        // Transform to expected format
+        res.json({ agents: data.agents || [], workspaceId: id });
+    }
+    catch (error) {
+        console.error('[workspaces] List agents error:', error);
+        res.status(200).json({ agents: [], workspaceId: id });
+    }
+});
+/**
+ * DELETE /api/workspaces/:id/agents/:agentName
+ * Stop an agent in the workspace
+ */
+workspacesRouter.delete('/:id/agents/:agentName', async (req, res) => {
+    const userId = req.session.userId;
+    const id = req.params.id;
+    const agentName = req.params.agentName;
+    if (!userId) {
+        return res.status(401).json({ error: 'Not authenticated' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Access denied' });
+        }
+        if (workspace.status !== 'running' || !workspace.publicUrl) {
+            return res.status(400).json({ error: 'Workspace is not running' });
+        }
+        // Use dashboard server's /api/spawned/:name endpoint
+        const targetUrl = `${workspace.publicUrl.replace(/\/$/, '')}/api/spawned/${encodeURIComponent(agentName)}`;
+        const response = await fetch(targetUrl, {
+            method: 'DELETE',
+            signal: AbortSignal.timeout(10000),
+        });
+        if (response.status === 204) {
+            return res.status(204).send();
+        }
+        const data = await response.json();
+        res.status(response.status).json(data);
+    }
+    catch (error) {
+        console.error('[workspaces] Stop agent error:', error);
+        res.status(500).json({ error: 'Failed to stop agent' });
+    }
+});
+/**
+ * POST /api/workspaces/quick
+ * Quick provision: one-click with defaults
+ * Providers are optional - can be connected after workspace creation via CLI login
+ */
+workspacesRouter.post('/quick', checkWorkspaceLimit, async (req, res) => {
+    const userId = req.session.userId;
+    const { name, repositoryFullName } = req.body;
+    if (!repositoryFullName) {
+        return res.status(400).json({ error: 'Repository name is required' });
+    }
+    try {
+        // Check if a workspace already exists for this repo
+        // If so, check if user has access and return it instead of creating a duplicate
+        const existingRepos = await db.repositories.findByGithubFullName(repositoryFullName);
+        for (const existingRepo of existingRepos) {
+            if (existingRepo.workspaceId) {
+                // Check if user has access to this workspace
+                const accessResult = await checkWorkspaceAccess(userId, existingRepo.workspaceId);
+                if (accessResult.hasAccess) {
+                    const existingWorkspace = await db.workspaces.findById(existingRepo.workspaceId);
+                    if (existingWorkspace) {
+                        console.log(`[workspaces/quick] User ${userId.substring(0, 8)} has access to existing workspace ${existingWorkspace.id.substring(0, 8)} for repo ${repositoryFullName}`);
+                        return res.status(200).json({
+                            workspaceId: existingWorkspace.id,
+                            status: existingWorkspace.status,
+                            publicUrl: existingWorkspace.publicUrl,
+                            existingWorkspace: true,
+                            accessType: accessResult.accessType,
+                            message: `You already have ${accessResult.accessType} access to a workspace for this repository.`,
+                        });
+                    }
+                }
+            }
+        }
+        // Get user's connected providers (optional now)
+        const credentials = await db.credentials.findByUserId(userId);
+        const providers = credentials
+            .filter((c) => c.provider !== 'github')
+            .map((c) => c.provider);
+        // Create workspace with defaults
+        const provisioner = getProvisioner();
+        const workspaceName = name || `Workspace for ${repositoryFullName}`;
+        const result = await provisioner.provision({
+            userId,
+            name: workspaceName,
+            providers: providers.length > 0 ? providers : [], // Empty is OK now
+            repositories: [repositoryFullName],
+            supervisorEnabled: true,
+            maxAgents: 10,
+        });
+        if (result.status === 'error') {
+            return res.status(500).json({
+                error: 'Failed to provision workspace',
+                details: result.error,
+            });
+        }
+        res.status(201).json({
+            workspaceId: result.workspaceId,
+            status: result.status,
+            publicUrl: result.publicUrl,
+            providersConnected: providers.length > 0,
+            message: providers.length > 0
+                ? 'Workspace provisioned successfully!'
+                : 'Workspace provisioned! Connect an AI provider to start using agents.',
+        });
+    }
+    catch (error) {
+        console.error('Error quick provisioning:', error);
+        res.status(500).json({ error: 'Failed to provision workspace' });
+    }
+});
+//# sourceMappingURL=workspaces.js.map