@assistkick/create 1.9.0 → 1.11.0

package/templates/assistkick-product-system/packages/backend/src/services/permission_service.ts

@@ -0,0 +1,259 @@
+/**
+ * PermissionService — manages Chat v2 tool permission rules.
+ *
+ * Three permission decision types:
+ *   - "allow_once"   → ephemeral, not stored
+ *   - "allow_session" → held in memory for the Claude session lifetime
+ *   - "allow_always"  → persisted in DB across sessions
+ *   - "deny"          → reject the tool call
+ *
+ * Also manages pending permission requests: the MCP server posts a request,
+ * which is held until the frontend user responds via WebSocket.
+ */
+
+import { eq, and } from 'drizzle-orm';
+import { chatPermissionRules } from '@assistkick/shared/db/schema.js';
+
+export type PermissionDecision = 'allow_once' | 'allow_session' | 'allow_always' | 'deny';
+
+export interface PermissionRequest {
+  requestId: string;
+  claudeSessionId: string;
+  toolName: string;
+  input: Record<string, unknown>;
+}
+
+export interface PermissionResponse {
+  decision: PermissionDecision;
+}
+
+export interface PendingRequest {
+  request: PermissionRequest;
+  resolve: (response: PermissionResponse) => void;
+  reject: (err: Error) => void;
+  timeoutHandle: ReturnType<typeof setTimeout>;
+}
+
+export interface PermissionServiceDeps {
+  getDb: () => any;
+  log: (tag: string, ...args: unknown[]) => void;
+}
+
+const PERMISSION_TIMEOUT_MS = 120_000; // 2 minutes
+
+export class PermissionService {
+  private readonly getDb: PermissionServiceDeps['getDb'];
+  private readonly log: PermissionServiceDeps['log'];
+
+  /** In-memory session-scoped permissions: Map<claudeSessionId, Set<toolName>> */
+  private readonly sessionPermissions = new Map<string, Set<string>>();
+
+  /** Pending permission requests: Map<requestId, PendingRequest> */
+  private readonly pendingRequests = new Map<string, PendingRequest>();
+
+  /** Callback invoked when a new permission request needs to reach the frontend */
+  private onPermissionRequest: ((request: PermissionRequest) => void) | null = null;
+
+  constructor({ getDb, log }: PermissionServiceDeps) {
+    this.getDb = getDb;
+    this.log = log;
+  }
+
+  /**
+   * Register a callback that is invoked when a permission request arrives
+   * from the MCP server and needs to be forwarded to the frontend.
+   */
+  setPermissionRequestHandler = (handler: (request: PermissionRequest) => void): void => {
+    this.onPermissionRequest = handler;
+  };
+
+  /**
+   * Check if a tool is already allowed (via DB "always" rules or session memory).
+   */
+  isToolAllowed = async (projectId: string, claudeSessionId: string, toolName: string): Promise<boolean> => {
+    // Check session-scoped permissions first (fast, in-memory)
+    const sessionTools = this.sessionPermissions.get(claudeSessionId);
+    if (sessionTools?.has(toolName)) return true;
+
+    // Check DB for "always allow" rules
+    const db = this.getDb();
+    const rows = await db
+      .select()
+      .from(chatPermissionRules)
+      .where(and(
+        eq(chatPermissionRules.projectId, projectId),
+        eq(chatPermissionRules.toolName, toolName),
+      ))
+      .limit(1);
+
+    return rows.length > 0;
+  };
+
+  /**
+   * Request permission from the user for a tool invocation.
+   * If the tool is already allowed, resolves immediately.
+   * Otherwise, queues a pending request and waits for user response.
+   */
+  requestPermission = async (
+    projectId: string,
+    claudeSessionId: string,
+    toolName: string,
+    input: Record<string, unknown>,
+  ): Promise<PermissionResponse> => {
+    // Check if already allowed
+    const allowed = await this.isToolAllowed(projectId, claudeSessionId, toolName);
+    if (allowed) {
+      this.log('PERMISSION', `Tool "${toolName}" already allowed for session ${claudeSessionId}`);
+      return { decision: 'allow_always' };
+    }
+
+    // Create a pending request
+    const requestId = `perm_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+    const request: PermissionRequest = { requestId, claudeSessionId, toolName, input };
+
+    return new Promise<PermissionResponse>((resolve, reject) => {
+      const timeoutHandle = setTimeout(() => {
+        this.pendingRequests.delete(requestId);
+        this.log('PERMISSION', `Permission request ${requestId} timed out`);
+        reject(new Error('Permission request timed out'));
+      }, PERMISSION_TIMEOUT_MS);
+
+      this.pendingRequests.set(requestId, { request, resolve, reject, timeoutHandle });
+
+      // Notify the frontend
+      if (this.onPermissionRequest) {
+        this.onPermissionRequest(request);
+      } else {
+        clearTimeout(timeoutHandle);
+        this.pendingRequests.delete(requestId);
+        reject(new Error('No permission request handler registered'));
+      }
+    });
+  };
+
+  /**
+   * Resolve a pending permission request with the user's decision.
+   * Called when the frontend sends a permission_response via WebSocket.
+   */
+  resolvePermission = async (
+    requestId: string,
+    projectId: string,
+    decision: PermissionDecision,
+  ): Promise<boolean> => {
+    const pending = this.pendingRequests.get(requestId);
+    if (!pending) {
+      this.log('PERMISSION', `No pending request found for ${requestId}`);
+      return false;
+    }
+
+    clearTimeout(pending.timeoutHandle);
+    this.pendingRequests.delete(requestId);
+
+    const { claudeSessionId, toolName } = pending.request;
+    this.log('PERMISSION', `Permission for "${toolName}": ${decision} (session ${claudeSessionId})`);
+
+    // Persist based on decision
+    if (decision === 'allow_always') {
+      await this.addAlwaysRule(projectId, toolName);
+    } else if (decision === 'allow_session') {
+      this.addSessionRule(claudeSessionId, toolName);
+    }
+
+    pending.resolve({ decision });
+    return true;
+  };
+
+  /**
+   * Cancel all pending requests for a given Claude session.
+   * Called when the WebSocket disconnects or CLI process ends.
+   */
+  cancelPendingRequests = (claudeSessionId: string): void => {
+    for (const [requestId, pending] of this.pendingRequests) {
+      if (pending.request.claudeSessionId === claudeSessionId) {
+        clearTimeout(pending.timeoutHandle);
+        pending.reject(new Error('Permission request cancelled — session ended'));
+        this.pendingRequests.delete(requestId);
+        this.log('PERMISSION', `Cancelled pending request ${requestId} for session ${claudeSessionId}`);
+      }
+    }
+  };
+
+  /**
+   * Clear session-scoped permissions for a Claude session.
+   */
+  clearSessionPermissions = (claudeSessionId: string): void => {
+    this.sessionPermissions.delete(claudeSessionId);
+  };
+
+  /**
+   * Get all "always allow" rules for a project.
+   */
+  getAlwaysRules = async (projectId: string): Promise<string[]> => {
+    const db = this.getDb();
+    const rows = await db
+      .select({ toolName: chatPermissionRules.toolName })
+      .from(chatPermissionRules)
+      .where(eq(chatPermissionRules.projectId, projectId));
+    return rows.map((r: { toolName: string }) => r.toolName);
+  };
+
+  /**
+   * Add an "always allow" rule for a tool in a project.
+   */
+  addAlwaysRule = async (projectId: string, toolName: string): Promise<void> => {
+    const db = this.getDb();
+    const id = `cpr_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+    const existing = await db
+      .select()
+      .from(chatPermissionRules)
+      .where(and(
+        eq(chatPermissionRules.projectId, projectId),
+        eq(chatPermissionRules.toolName, toolName),
+      ))
+      .limit(1);
+
+    if (existing.length === 0) {
+      await db.insert(chatPermissionRules).values({
+        id,
+        projectId,
+        toolName,
+        createdAt: new Date().toISOString(),
+      });
+      this.log('PERMISSION', `Added "always allow" rule for "${toolName}" in project ${projectId}`);
+    }
+  };
+
+  /**
+   * Remove an "always allow" rule for a tool in a project.
+   */
+  removeAlwaysRule = async (projectId: string, toolName: string): Promise<void> => {
+    const db = this.getDb();
+    await db
+      .delete(chatPermissionRules)
+      .where(and(
+        eq(chatPermissionRules.projectId, projectId),
+        eq(chatPermissionRules.toolName, toolName),
+      ));
+    this.log('PERMISSION', `Removed "always allow" rule for "${toolName}" in project ${projectId}`);
+  };
+
+  /**
+   * Add a session-scoped permission.
+   */
+  private addSessionRule = (claudeSessionId: string, toolName: string): void => {
+    let tools = this.sessionPermissions.get(claudeSessionId);
+    if (!tools) {
+      tools = new Set();
+      this.sessionPermissions.set(claudeSessionId, tools);
+    }
+    tools.add(toolName);
+    this.log('PERMISSION', `Added session rule for "${toolName}" in session ${claudeSessionId}`);
+  };
+
+  /**
+   * Get count of pending requests (for diagnostics).
+   */
+  getPendingCount = (): number => {
+    return this.pendingRequests.size;
+  };
+}

package/templates/assistkick-product-system/packages/backend/src/services/preview_server_manager.test.ts

@@ -0,0 +1,172 @@
+import { describe, it, mock, beforeEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { PreviewServerManager } from './preview_server_manager.ts';
+import type { DevCommandDetector, DetectedCommand } from './dev_command_detector.ts';
+
+const createMockDetector = (result: DetectedCommand | null = { scriptName: 'dev', command: 'vite' }): DevCommandDetector => {
+  return {
+    detect: mock.fn(async () => result),
+    log: () => {},
+  } as any;
+};
+
+describe('PreviewServerManager', () => {
+  let manager: PreviewServerManager;
+  let mockDetector: DevCommandDetector;
+
+  beforeEach(() => {
+    mockDetector = createMockDetector();
+    manager = new PreviewServerManager({ devCommandDetector: mockDetector, log: () => {} });
+  });
+
+  describe('start', () => {
+    it('rejects duplicate app names', async () => {
+      // Start a server with a custom command that exits quickly
+      await manager.start('test-app', '/tmp', 'echo hello');
+
+      await assert.rejects(
+        () => manager.start('test-app', '/tmp', 'echo hello'),
+        { message: 'Preview app "test-app" is already running' },
+      );
+
+      manager.stopAll();
+    });
+
+    it('throws when no dev script is detected and no custom command provided', async () => {
+      const nullDetector = createMockDetector(null);
+      const mgr = new PreviewServerManager({ devCommandDetector: nullDetector, log: () => {} });
+
+      await assert.rejects(
+        () => mgr.start('no-scripts', '/tmp'),
+        { message: /No dev server script found/ },
+      );
+    });
+
+    it('starts a preview app with custom command', async () => {
+      const app = await manager.start('my-app', '/tmp', 'echo started');
+
+      assert.equal(app.appName, 'my-app');
+      assert.equal(app.command, 'echo started');
+      assert.equal(app.scriptName, 'custom');
+      assert.equal(app.isPublic, false);
+      assert.ok(app.port >= 4100 && app.port <= 4999);
+
+      manager.stopAll();
+    });
+
+    it('auto-detects command when none provided', async () => {
+      const app = await manager.start('detect-app', '/tmp');
+
+      assert.equal(app.scriptName, 'dev');
+      assert.equal(app.command, 'vite');
+
+      manager.stopAll();
+    });
+  });
+
+  describe('stop', () => {
+    it('returns false for unknown app', () => {
+      const result = manager.stop('nonexistent');
+      assert.equal(result, false);
+    });
+
+    it('stops a running app and removes it from the list', async () => {
+      await manager.start('stop-me', '/tmp', 'sleep 60');
+
+      assert.equal(manager.list().length, 1);
+      const result = manager.stop('stop-me');
+      assert.equal(result, true);
+      assert.equal(manager.list().length, 0);
+    });
+  });
+
+  describe('toggleAccess', () => {
+    it('toggles an app to public', async () => {
+      await manager.start('toggle-app', '/tmp', 'sleep 60');
+
+      assert.equal(manager.get('toggle-app')?.isPublic, false);
+      manager.toggleAccess('toggle-app', true);
+      assert.equal(manager.get('toggle-app')?.isPublic, true);
+
+      manager.stopAll();
+    });
+
+    it('returns false for unknown app', () => {
+      const result = manager.toggleAccess('nonexistent', true);
+      assert.equal(result, false);
+    });
+  });
+
+  describe('list', () => {
+    it('returns empty array when no apps running', () => {
+      assert.deepEqual(manager.list(), []);
+    });
+
+    it('lists all running apps', async () => {
+      await manager.start('app-1', '/tmp', 'sleep 60');
+      await manager.start('app-2', '/tmp', 'sleep 60');
+
+      const apps = manager.list();
+      assert.equal(apps.length, 2);
+      const names = apps.map(a => a.appName).sort();
+      assert.deepEqual(names, ['app-1', 'app-2']);
+
+      manager.stopAll();
+    });
+  });
+
+  describe('get', () => {
+    it('returns undefined for unknown app', () => {
+      assert.equal(manager.get('unknown'), undefined);
+    });
+
+    it('returns app info for running app', async () => {
+      await manager.start('info-app', '/tmp', 'sleep 60');
+
+      const app = manager.get('info-app');
+      assert.ok(app);
+      assert.equal(app.appName, 'info-app');
+
+      manager.stopAll();
+    });
+  });
+
+  describe('port allocation', () => {
+    it('assigns different ports to different apps', async () => {
+      await manager.start('port-1', '/tmp', 'sleep 60');
+      await manager.start('port-2', '/tmp', 'sleep 60');
+
+      const ports = manager.list().map(a => a.port);
+      assert.notEqual(ports[0], ports[1]);
+
+      manager.stopAll();
+    });
+  });
+
+  describe('resetIdleTimer', () => {
+    it('updates lastAccessedAt', async () => {
+      await manager.start('idle-app', '/tmp', 'sleep 60');
+
+      const before = manager.get('idle-app')!.lastAccessedAt;
+      // Small delay to ensure timestamp differs
+      await new Promise(r => setTimeout(r, 10));
+      manager.resetIdleTimer('idle-app');
+      const after = manager.get('idle-app')!.lastAccessedAt;
+
+      assert.ok(after.getTime() >= before.getTime());
+
+      manager.stopAll();
+    });
+  });
+
+  describe('stopAll', () => {
+    it('stops all running apps', async () => {
+      await manager.start('all-1', '/tmp', 'sleep 60');
+      await manager.start('all-2', '/tmp', 'sleep 60');
+
+      assert.equal(manager.list().length, 2);
+      manager.stopAll();
+      assert.equal(manager.list().length, 0);
+    });
+  });
+});

package/templates/assistkick-product-system/packages/backend/src/services/preview_server_manager.ts

@@ -0,0 +1,225 @@
+/**
+ * PreviewServerManager — manages lifecycle of dev preview servers.
+ * Spawns dev servers as child processes, tracks them by app name,
+ * handles idle timeout shutdown, and port allocation.
+ */
+
+import { spawn, type ChildProcess } from 'node:child_process';
+import type { DevCommandDetector, DetectedCommand } from './dev_command_detector.js';
+
+const IDLE_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
+const PORT_RANGE_START = 4100;
+const PORT_RANGE_END = 4999;
+
+export interface PreviewApp {
+  appName: string;
+  port: number;
+  projectDir: string;
+  command: string;
+  scriptName: string;
+  isPublic: boolean;
+  startedAt: Date;
+  lastAccessedAt: Date;
+  pid: number | undefined;
+}
+
+interface PreviewServerManagerDeps {
+  devCommandDetector: DevCommandDetector;
+  log: (tag: string, ...args: unknown[]) => void;
+}
+
+export class PreviewServerManager {
+  private readonly devCommandDetector: DevCommandDetector;
+  private readonly log: PreviewServerManagerDeps['log'];
+  private readonly apps: Map<string, PreviewApp> = new Map();
+  private readonly processes: Map<string, ChildProcess> = new Map();
+  private readonly idleTimers: Map<string, ReturnType<typeof setTimeout>> = new Map();
+  private nextPort: number = PORT_RANGE_START;
+
+  constructor({ devCommandDetector, log }: PreviewServerManagerDeps) {
+    this.devCommandDetector = devCommandDetector;
+    this.log = log;
+  }
+
+  /** Allocate the next available port. */
+  private allocatePort = (): number => {
+    const usedPorts = new Set([...this.apps.values()].map(a => a.port));
+    let port = this.nextPort;
+    while (usedPorts.has(port) && port <= PORT_RANGE_END) {
+      port++;
+    }
+    if (port > PORT_RANGE_END) {
+      // Wrap around and search from start
+      port = PORT_RANGE_START;
+      while (usedPorts.has(port) && port <= PORT_RANGE_END) {
+        port++;
+      }
+    }
+    this.nextPort = port + 1;
+    if (this.nextPort > PORT_RANGE_END) {
+      this.nextPort = PORT_RANGE_START;
+    }
+    return port;
+  };
+
+  /** Reset the idle timer for an app. */
+  resetIdleTimer = (appName: string): void => {
+    const existing = this.idleTimers.get(appName);
+    if (existing) {
+      clearTimeout(existing);
+    }
+
+    const app = this.apps.get(appName);
+    if (app) {
+      app.lastAccessedAt = new Date();
+    }
+
+    const timer = setTimeout(() => {
+      this.log('PREVIEW', `App "${appName}" idle for ${IDLE_TIMEOUT_MS / 1000}s — shutting down`);
+      this.stop(appName);
+    }, IDLE_TIMEOUT_MS);
+
+    this.idleTimers.set(appName, timer);
+  };
+
+  /**
+   * Start a preview dev server for the given app name and project directory.
+   * Auto-detects the dev command from package.json.
+   * Returns the preview app info or throws on failure.
+   */
+  start = async (appName: string, projectDir: string, customCommand?: string): Promise<PreviewApp> => {
+    if (this.apps.has(appName)) {
+      throw new Error(`Preview app "${appName}" is already running`);
+    }
+
+    let detected: DetectedCommand | null = null;
+    let command: string;
+    let scriptName: string;
+
+    if (customCommand) {
+      command = customCommand;
+      scriptName = 'custom';
+    } else {
+      detected = await this.devCommandDetector.detect(projectDir);
+      if (!detected) {
+        throw new Error(`No dev server script found in ${projectDir}/package.json`);
+      }
+      command = detected.command;
+      scriptName = detected.scriptName;
+    }
+
+    const port = this.allocatePort();
+
+    this.log('PREVIEW', `Starting "${appName}" on port ${port}: ${command} (cwd: ${projectDir})`);
+
+    // Spawn the dev server with PORT env var set
+    const child = spawn('sh', ['-c', command], {
+      cwd: projectDir,
+      env: {
+        ...process.env,
+        PORT: String(port),
+        BROWSER: 'none', // Prevent auto-opening browser
+        HOST: '0.0.0.0',
+      },
+      stdio: ['ignore', 'pipe', 'pipe'],
+      detached: false,
+    });
+
+    const app: PreviewApp = {
+      appName,
+      port,
+      projectDir,
+      command,
+      scriptName,
+      isPublic: false,
+      startedAt: new Date(),
+      lastAccessedAt: new Date(),
+      pid: child.pid,
+    };
+
+    this.apps.set(appName, app);
+    this.processes.set(appName, child);
+
+    // Log stdout/stderr from the dev server
+    child.stdout?.on('data', (data: Buffer) => {
+      this.log('PREVIEW', `[${appName}] ${data.toString().trimEnd()}`);
+    });
+    child.stderr?.on('data', (data: Buffer) => {
+      this.log('PREVIEW', `[${appName}] ${data.toString().trimEnd()}`);
+    });
+
+    // Clean up on unexpected exit
+    child.on('exit', (code, signal) => {
+      this.log('PREVIEW', `App "${appName}" exited (code=${code}, signal=${signal})`);
+      this.cleanup(appName);
+    });
+
+    // Start idle timer
+    this.resetIdleTimer(appName);
+
+    return app;
+  };
+
+  /** Stop a running preview app. */
+  stop = (appName: string): boolean => {
+    const child = this.processes.get(appName);
+    if (!child) {
+      return false;
+    }
+
+    this.log('PREVIEW', `Stopping app "${appName}" (pid=${child.pid})`);
+
+    // Kill the process group if possible
+    try {
+      if (child.pid) {
+        process.kill(-child.pid, 'SIGTERM');
+      }
+    } catch {
+      // Process group kill failed, try direct kill
+      child.kill('SIGTERM');
+    }
+
+    this.cleanup(appName);
+    return true;
+  };
+
+  /** Clean up tracking state for an app. */
+  private cleanup = (appName: string): void => {
+    this.apps.delete(appName);
+    this.processes.delete(appName);
+
+    const timer = this.idleTimers.get(appName);
+    if (timer) {
+      clearTimeout(timer);
+      this.idleTimers.delete(appName);
+    }
+  };
+
+  /** Toggle an app between public and private access. */
+  toggleAccess = (appName: string, isPublic: boolean): boolean => {
+    const app = this.apps.get(appName);
+    if (!app) {
+      return false;
+    }
+    app.isPublic = isPublic;
+    this.log('PREVIEW', `App "${appName}" access set to ${isPublic ? 'public' : 'private'}`);
+    return true;
+  };
+
+  /** Get info about a specific app. */
+  get = (appName: string): PreviewApp | undefined => {
+    return this.apps.get(appName);
+  };
+
+  /** List all running preview apps. */
+  list = (): PreviewApp[] => {
+    return [...this.apps.values()];
+  };
+
+  /** Stop all running preview apps (for server shutdown). */
+  stopAll = (): void => {
+    for (const appName of [...this.apps.keys()]) {
+      this.stop(appName);
+    }
+  };
+}

package/templates/assistkick-product-system/packages/backend/src/services/project_service.test.ts

@@ -200,6 +200,35 @@ describe('ProjectService', () => {
     });
   });
 
+  describe('updatePreviewCommand', () => {
+    it('updates preview command for an existing project', async () => {
+      db._setSelectResults([[{ id: 'proj_001', name: 'Test', isDefault: 0, archivedAt: null, previewCommand: null, createdAt: '2024-01-01T00:00:00Z', updatedAt: '2024-01-01T00:00:00Z' }]]);
+
+      const result = await service.updatePreviewCommand('proj_001', 'npm run dev');
+
+      assert.equal(result.previewCommand, 'npm run dev');
+      assert.equal(db.update.mock.calls.length, 1);
+    });
+
+    it('clears preview command when set to null', async () => {
+      db._setSelectResults([[{ id: 'proj_001', name: 'Test', isDefault: 0, archivedAt: null, previewCommand: 'npm run dev', createdAt: '2024-01-01T00:00:00Z', updatedAt: '2024-01-01T00:00:00Z' }]]);
+
+      const result = await service.updatePreviewCommand('proj_001', null);
+
+      assert.equal(result.previewCommand, null);
+      assert.equal(db.update.mock.calls.length, 1);
+    });
+
+    it('throws when project not found', async () => {
+      db._setSelectResults([[]]);
+
+      await assert.rejects(
+        () => service.updatePreviewCommand('proj_999', 'npm run dev'),
+        { message: 'Project not found' },
+      );
+    });
+  });
+
   describe('restore', () => {
     it('restores an archived project', async () => {
       db._setSelectResults([[{ id: 'proj_001', name: 'Test', isDefault: 0, archivedAt: '2024-01-01T00:00:00Z', createdAt: '2024-01-01T00:00:00Z', updatedAt: '2024-01-01T00:00:00Z' }]]);