@agent-relay/dashboard-server 2.0.70 → 2.0.72

package/dist/server.js

@@ -989,6 +989,8 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
             };
             // Set up direct message handler to forward messages to presence WebSocket
             // This enables agents to send replies that appear in the dashboard UI
+            // Note: the relay daemon already persists messages authoritatively, so we
+            // only need to broadcast the real-time event here (no storage.saveMessage).
             client.onMessage = (from, payload, messageId) => {
                 const body = typeof payload === 'object' && payload !== null && 'body' in payload
                     ? payload.body
@@ -1000,28 +1002,9 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
                 // Determine entity type: user if they have presence state, agent otherwise
                 const fromEntityType = senderPresence ? 'user' : 'agent';
                 const timestamp = new Date().toISOString();
-                // Persist the message to storage so it survives page refresh
-                if (storage) {
-                    storage.saveMessage({
-                        id: messageId || `dm-${crypto.randomUUID()}`,
-                        ts: Date.now(),
-                        from,
-                        to: senderName,
-                        topic: undefined,
-                        kind: 'message',
-                        body,
-                        data: {
-                            fromAvatarUrl,
-                            fromEntityType,
-                        },
-                        status: 'unread',
-                        is_urgent: false,
-                        is_broadcast: false,
-                    }).catch((err) => {
-                        console.error('[dashboard] Failed to persist direct message', err);
-                    });
-                }
-                // Broadcast to presence WebSocket clients so cloud/dashboard can display the message
+                // Broadcast real-time event so the dashboard UI updates immediately.
+                // Pass id (= messageId) so the client has a stable identifier and
+                // doesn't need to fabricate one from Date.now().
                 broadcastDirectMessage({
                     type: 'direct_message',
                     targetUser: senderName,
@@ -1029,6 +1012,7 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
                     fromAvatarUrl,
                     fromEntityType,
                     body,
+                    id: messageId,
                     messageId,
                     timestamp,
                 });
@@ -2650,7 +2634,6 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
     };
     // Helper to broadcast direct messages to all connected clients
     // This enables agent replies to appear in the dashboard UI
-    // Broadcasts to both main wss (local mode) and wssPresence (cloud mode)
     const broadcastDirectMessage = (message) => {
         // Push into buffer and wrap with sequence ID for replay support
         const rawPayload = JSON.stringify(message);
@@ -2664,15 +2647,20 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
                 client.send(payload);
             }
         });
-        // Also broadcast to presence WebSocket clients (cloud mode)
-        const presenceClients = Array.from(wssPresence.clients).filter(c => c.readyState === WebSocket.OPEN);
-        if (presenceClients.length > 0) {
-            debug(`[dashboard] Broadcasting direct_message to ${presenceClients.length} presence clients`);
-            wssPresence.clients.forEach((client) => {
-                if (client.readyState === WebSocket.OPEN) {
-                    client.send(payload);
-                }
-            });
+        // Only broadcast to presence WS if UserBridge does NOT have a session for
+        // the target user. When UserBridge is active it already delivers the DM
+        // directly to the user's WebSocket(s), so broadcasting here would duplicate.
+        const targetHandledByBridge = userBridge?.isUserRegistered(message.targetUser) ?? false;
+        if (!targetHandledByBridge) {
+            const presenceClients = Array.from(wssPresence.clients).filter(c => c.readyState === WebSocket.OPEN);
+            if (presenceClients.length > 0) {
+                debug(`[dashboard] Broadcasting direct_message to ${presenceClients.length} presence clients (no bridge session)`);
+                wssPresence.clients.forEach((client) => {
+                    if (client.readyState === WebSocket.OPEN) {
+                        client.send(payload);
+                    }
+                });
+            }
         }
     };
     // Helper to get online users list (without ws references)
@@ -4827,10 +4815,22 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
         const repoName = fullName.split('/').pop();
         const workspaceDir = process.env.WORKSPACE_DIR || path.dirname(projectRoot || dataDir);
         const targetDir = path.join(workspaceDir, repoName);
-        // Idempotent: skip if already cloned
-        if (fs.existsSync(targetDir)) {
+        // Prevent path traversal (e.g., repoName = ".." or ".")
+        const resolvedTarget = path.resolve(targetDir);
+        const resolvedWorkspace = path.resolve(workspaceDir);
+        if (!resolvedTarget.startsWith(resolvedWorkspace + path.sep)) {
+            return res.status(400).json({ success: false, error: 'Invalid path' });
+        }
+        // Idempotent: skip if already cloned (check for .git to avoid false positives
+        // from empty directories left behind by previous failed clone attempts)
+        if (fs.existsSync(path.join(targetDir, '.git'))) {
             return res.json({ success: true, message: 'Already cloned', path: targetDir });
         }
+        // Clean up stale directory from a previous failed clone (no .git = incomplete)
+        if (fs.existsSync(targetDir)) {
+            console.log(`[api/repos/clone] Removing stale directory ${targetDir} (no .git found)`);
+            fs.rmSync(targetDir, { recursive: true, force: true });
+        }
         // Use plain HTTPS URL - git credential helper handles authentication.
         // The credential helper (git-credential-relay) fetches per-repo tokens from
         // the cloud API, which correctly resolves installation tokens for private repos.
@@ -4854,6 +4854,11 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
         catch (err) {
             const safeMessage = (err.message || 'Clone failed');
             console.error('[api/repos/clone] Clone failed:', safeMessage);
+            // Clean up failed clone directory so future attempts aren't blocked
+            try {
+                fs.rmSync(targetDir, { recursive: true, force: true });
+            }
+            catch { /* ignore */ }
             res.status(500).json({ success: false, error: safeMessage });
         }
     });