@axlsdk/studio 0.9.1 → 0.10.1

package/dist/server/index.cjs

@@ -25,6 +25,8 @@ __export(server_exports, {
   createServer: () => createServer
 });
 module.exports = __toCommonJS(server_exports);
+var import_node_fs = require("fs");
+var import_node_path = require("path");
 var import_hono12 = require("hono");
 var import_cors = require("hono/cors");
 var import_serve_static = require("@hono/node-server/serve-static");
@@ -61,8 +63,13 @@ var ConnectionManager = class {
   channels = /* @__PURE__ */ new Map();
   /** ws -> set of subscribed channels (for cleanup) */
   connections = /* @__PURE__ */ new Map();
+  maxConnections = 100;
   /** Register a new WS connection. */
   add(ws) {
+    if (this.connections.size >= this.maxConnections) {
+      ws.close?.();
+      return;
+    }
     this.connections.set(ws, /* @__PURE__ */ new Set());
   }
   /** Remove a WS connection and all its subscriptions. */
@@ -78,15 +85,16 @@ var ConnectionManager = class {
     }
     this.connections.delete(ws);
   }
-  /** Subscribe a connection to a channel. */
+  /** Subscribe a connection to a channel. No-op if the connection was not added. */
   subscribe(ws, channel) {
+    if (!this.connections.has(ws)) return;
     let subs = this.channels.get(channel);
     if (!subs) {
       subs = /* @__PURE__ */ new Set();
       this.channels.set(channel, subs);
     }
     subs.add(ws);
-    this.connections.get(ws)?.add(channel);
+    this.connections.get(ws).add(channel);
   }
   /** Unsubscribe a connection from a channel. */
   unsubscribe(ws, channel) {
@@ -127,6 +135,14 @@ var ConnectionManager = class {
       }
     }
   }
+  /** Close all connections and clear all state. Used during shutdown. */
+  closeAll() {
+    for (const ws of this.connections.keys()) {
+      ws.close?.();
+    }
+    this.connections.clear();
+    this.channels.clear();
+  }
   /** Get the number of active connections. */
   get connectionCount() {
     return this.connections.size;
@@ -137,6 +153,52 @@ var ConnectionManager = class {
   }
 };
 
+// src/server/ws/protocol.ts
+var VALID_CHANNEL_PREFIXES = ["execution:", "trace:"];
+var VALID_EXACT_CHANNELS = ["costs", "decisions"];
+var MAX_CHANNEL_LENGTH = 256;
+function handleWsMessage(raw, socket, connMgr) {
+  if (raw.length > 65536) {
+    return JSON.stringify({ type: "error", message: "Message too large" });
+  }
+  let msg;
+  try {
+    msg = JSON.parse(raw);
+  } catch {
+    return JSON.stringify({ type: "error", message: "Invalid JSON" });
+  }
+  switch (msg.type) {
+    case "subscribe": {
+      const error = validateChannel(msg.channel);
+      if (error) return JSON.stringify({ type: "error", message: error });
+      connMgr.subscribe(socket, msg.channel);
+      return JSON.stringify({ type: "subscribed", channel: msg.channel });
+    }
+    case "unsubscribe": {
+      const error = validateChannel(msg.channel);
+      if (error) return JSON.stringify({ type: "error", message: error });
+      connMgr.unsubscribe(socket, msg.channel);
+      return JSON.stringify({ type: "unsubscribed", channel: msg.channel });
+    }
+    case "ping":
+      return JSON.stringify({ type: "pong" });
+    default:
+      return JSON.stringify({ type: "error", message: "Unknown message type" });
+  }
+}
+function validateChannel(channel) {
+  if (typeof channel !== "string" || !channel) {
+    return "Missing or invalid channel";
+  }
+  if (channel.length > MAX_CHANNEL_LENGTH) {
+    return `Channel name exceeds ${MAX_CHANNEL_LENGTH} characters`;
+  }
+  if (!VALID_EXACT_CHANNELS.includes(channel) && !VALID_CHANNEL_PREFIXES.some((p) => channel.startsWith(p))) {
+    return `Invalid channel: ${channel}`;
+  }
+  return null;
+}
+
 // src/server/ws/handler.ts
 function createWsHandlers(connMgr) {
   return {
@@ -144,37 +206,8 @@ function createWsHandlers(connMgr) {
       connMgr.add(ws);
     },
     onMessage(event, ws) {
-      let msg;
-      try {
-        msg = JSON.parse(String(event.data));
-      } catch {
-        const err = { type: "error", message: "Invalid JSON" };
-        ws.send(JSON.stringify(err));
-        return;
-      }
-      switch (msg.type) {
-        case "subscribe": {
-          connMgr.subscribe(ws, msg.channel);
-          const reply = { type: "subscribed", channel: msg.channel };
-          ws.send(JSON.stringify(reply));
-          break;
-        }
-        case "unsubscribe": {
-          connMgr.unsubscribe(ws, msg.channel);
-          const reply = { type: "unsubscribed", channel: msg.channel };
-          ws.send(JSON.stringify(reply));
-          break;
-        }
-        case "ping": {
-          const reply = { type: "pong" };
-          ws.send(JSON.stringify(reply));
-          break;
-        }
-        default: {
-          const err = { type: "error", message: `Unknown message type` };
-          ws.send(JSON.stringify(err));
-        }
-      }
+      const reply = handleWsMessage(String(event.data), ws, connMgr);
+      if (reply) ws.send(reply);
     },
     onClose(_event, ws) {
       connMgr.remove(ws);
@@ -269,8 +302,8 @@ var health_default = app;
 var import_hono2 = require("hono");
 var import_axl = require("@axlsdk/axl");
 function createWorkflowRoutes(connMgr) {
-  const app8 = new import_hono2.Hono();
-  app8.get("/workflows", (c) => {
+  const app7 = new import_hono2.Hono();
+  app7.get("/workflows", (c) => {
     const runtime = c.get("runtime");
     const workflows = runtime.getWorkflows().map((w) => ({
       name: w.name,
@@ -279,7 +312,7 @@ function createWorkflowRoutes(connMgr) {
     }));
     return c.json({ ok: true, data: workflows });
   });
-  app8.get("/workflows/:name", (c) => {
+  app7.get("/workflows/:name", (c) => {
     const runtime = c.get("runtime");
     const name = c.req.param("name");
     const workflow = runtime.getWorkflow(name);
@@ -298,7 +331,7 @@ function createWorkflowRoutes(connMgr) {
       }
     });
   });
-  app8.post("/workflows/:name/execute", async (c) => {
+  app7.post("/workflows/:name/execute", async (c) => {
     const runtime = c.get("runtime");
     const name = c.req.param("name");
     const workflow = runtime.getWorkflow(name);
@@ -329,7 +362,7 @@ function createWorkflowRoutes(connMgr) {
     const result = await runtime.execute(name, body.input ?? {}, { metadata: body.metadata });
     return c.json({ ok: true, data: { result } });
   });
-  return app8;
+  return app7;
 }
 
 // src/server/routes/executions.ts
@@ -363,8 +396,8 @@ var executions_default = app2;
 // src/server/routes/sessions.ts
 var import_hono4 = require("hono");
 function createSessionRoutes(connMgr) {
-  const app8 = new import_hono4.Hono();
-  app8.get("/sessions", async (c) => {
+  const app7 = new import_hono4.Hono();
+  app7.get("/sessions", async (c) => {
     const runtime = c.get("runtime");
     const store = runtime.getStateStore();
     if (!store.listSessions) {
@@ -378,7 +411,7 @@ function createSessionRoutes(connMgr) {
     }
     return c.json({ ok: true, data: sessions });
   });
-  app8.get("/sessions/:id", async (c) => {
+  app7.get("/sessions/:id", async (c) => {
     const runtime = c.get("runtime");
     const store = runtime.getStateStore();
     const id = c.req.param("id");
@@ -386,7 +419,7 @@ function createSessionRoutes(connMgr) {
     const handoffHistory = await store.getSessionMeta(id, "handoffHistory");
     return c.json({ ok: true, data: { id, history, handoffHistory: handoffHistory ?? [] } });
   });
-  app8.post("/sessions/:id/send", async (c) => {
+  app7.post("/sessions/:id/send", async (c) => {
     const runtime = c.get("runtime");
     const id = c.req.param("id");
     const body = await c.req.json();
@@ -394,7 +427,7 @@ function createSessionRoutes(connMgr) {
     const result = await session.send(body.workflow, body.message);
     return c.json({ ok: true, data: { result } });
   });
-  app8.post("/sessions/:id/stream", async (c) => {
+  app7.post("/sessions/:id/stream", async (c) => {
     const runtime = c.get("runtime");
     const id = c.req.param("id");
     const body = await c.req.json();
@@ -415,14 +448,14 @@ function createSessionRoutes(connMgr) {
     })();
     return c.json({ ok: true, data: { executionId, streaming: true } });
   });
-  app8.delete("/sessions/:id", async (c) => {
+  app7.delete("/sessions/:id", async (c) => {
     const runtime = c.get("runtime");
     const store = runtime.getStateStore();
     const id = c.req.param("id");
     await store.deleteSession(id);
     return c.json({ ok: true, data: { deleted: true } });
   });
-  return app8;
+  return app7;
 }
 
 // src/server/routes/agents.ts
@@ -655,61 +688,65 @@ var decisions_default = app6;
 // src/server/routes/costs.ts
 var import_hono9 = require("hono");
 function createCostRoutes(costAggregator) {
-  const app8 = new import_hono9.Hono();
-  app8.get("/costs", (c) => {
+  const app7 = new import_hono9.Hono();
+  app7.get("/costs", (c) => {
     return c.json({ ok: true, data: costAggregator.getData() });
   });
-  app8.post("/costs/reset", (c) => {
+  app7.post("/costs/reset", (c) => {
     costAggregator.reset();
     return c.json({ ok: true, data: { reset: true } });
   });
-  return app8;
+  return app7;
 }
 
 // src/server/routes/evals.ts
 var import_hono10 = require("hono");
-var app7 = new import_hono10.Hono();
-app7.get("/evals", async (c) => {
-  const runtime = c.get("runtime");
-  const evals = runtime.getRegisteredEvals();
-  return c.json({ ok: true, data: evals });
-});
-app7.post("/evals/:name/run", async (c) => {
-  const runtime = c.get("runtime");
-  const name = c.req.param("name");
-  const entry = runtime.getRegisteredEval(name);
-  if (!entry) {
-    return c.json(
-      { ok: false, error: { code: "NOT_FOUND", message: `Eval "${name}" not found` } },
-      404
-    );
-  }
-  try {
-    const result = await runtime.runRegisteredEval(name);
-    return c.json({ ok: true, data: result });
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    return c.json({ ok: false, error: { code: "EVAL_ERROR", message } }, 400);
-  }
-});
-app7.post("/evals/compare", async (c) => {
-  const runtime = c.get("runtime");
-  const body = await c.req.json();
-  try {
-    const result = await runtime.evalCompare(body.baseline, body.candidate);
-    return c.json({ ok: true, data: result });
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    return c.json({ ok: false, error: { code: "EVAL_ERROR", message } }, 400);
-  }
-});
-var evals_default = app7;
+function createEvalRoutes(evalLoader) {
+  const app7 = new import_hono10.Hono();
+  app7.get("/evals", async (c) => {
+    if (evalLoader) await evalLoader();
+    const runtime = c.get("runtime");
+    const evals = runtime.getRegisteredEvals();
+    return c.json({ ok: true, data: evals });
+  });
+  app7.post("/evals/:name/run", async (c) => {
+    if (evalLoader) await evalLoader();
+    const runtime = c.get("runtime");
+    const name = c.req.param("name");
+    const entry = runtime.getRegisteredEval(name);
+    if (!entry) {
+      return c.json(
+        { ok: false, error: { code: "NOT_FOUND", message: `Eval "${name}" not found` } },
+        404
+      );
+    }
+    try {
+      const result = await runtime.runRegisteredEval(name);
+      return c.json({ ok: true, data: result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ ok: false, error: { code: "EVAL_ERROR", message } }, 400);
+    }
+  });
+  app7.post("/evals/compare", async (c) => {
+    const runtime = c.get("runtime");
+    const body = await c.req.json();
+    try {
+      const result = await runtime.evalCompare(body.baseline, body.candidate);
+      return c.json({ ok: true, data: result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ ok: false, error: { code: "EVAL_ERROR", message } }, 400);
+    }
+  });
+  return app7;
+}
 
 // src/server/routes/playground.ts
 var import_hono11 = require("hono");
 function createPlaygroundRoutes(connMgr) {
-  const app8 = new import_hono11.Hono();
-  app8.post("/playground/chat", async (c) => {
+  const app7 = new import_hono11.Hono();
+  app7.post("/playground/chat", async (c) => {
     const runtime = c.get("runtime");
     const body = await c.req.json();
     const workflowName = body.workflow ?? runtime.getWorkflowNames()[0];
@@ -740,21 +777,53 @@ function createPlaygroundRoutes(connMgr) {
       data: { sessionId, executionId, streaming: true }
     });
   });
-  return app8;
+  return app7;
 }
 
 // src/server/index.ts
 function createServer(options) {
-  const { runtime, staticRoot } = options;
-  const app8 = new import_hono12.Hono();
+  const { runtime, staticRoot, basePath = "", readOnly = false } = options;
+  const app7 = new import_hono12.Hono();
   const connMgr = new ConnectionManager();
   const costAggregator = new CostAggregator(connMgr);
-  app8.use("*", (0, import_cors.cors)());
-  app8.use("*", errorHandler);
-  app8.use("*", async (c, next) => {
+  if (options.cors !== false) {
+    app7.use("*", (0, import_cors.cors)());
+  }
+  app7.use("*", errorHandler);
+  app7.use("*", async (c, next) => {
     c.set("runtime", runtime);
     await next();
   });
+  if (readOnly) {
+    const blocked = [
+      "POST /api/workflows",
+      "POST /api/executions",
+      "POST /api/sessions",
+      "DELETE /api/sessions",
+      "PUT /api/memory",
+      "DELETE /api/memory",
+      "POST /api/decisions",
+      "POST /api/costs",
+      "POST /api/tools",
+      "POST /api/evals",
+      "POST /api/playground"
+    ];
+    app7.use("/api/*", async (c, next) => {
+      const apiIdx = c.req.path.indexOf("/api/");
+      const apiPath = apiIdx >= 0 ? c.req.path.slice(apiIdx) : c.req.path;
+      const key = `${c.req.method} ${apiPath}`;
+      if (blocked.some((b) => key.startsWith(b))) {
+        return c.json(
+          {
+            ok: false,
+            error: { code: "READ_ONLY", message: "Studio is mounted in read-only mode" }
+          },
+          405
+        );
+      }
+      await next();
+    });
+  }
   const api = new import_hono12.Hono();
   api.route("/", health_default);
   api.route("/", createWorkflowRoutes(connMgr));
@@ -765,10 +834,10 @@ function createServer(options) {
   api.route("/", memory_default);
   api.route("/", decisions_default);
   api.route("/", createCostRoutes(costAggregator));
-  api.route("/", evals_default);
+  api.route("/", createEvalRoutes(options.evalLoader));
   api.route("/", createPlaygroundRoutes(connMgr));
-  app8.route("/api", api);
-  runtime.on("trace", (event) => {
+  app7.route("/api", api);
+  const traceListener = (event) => {
     const traceEvent = event;
     if (traceEvent.executionId) {
       connMgr.broadcastWithWildcard(`trace:${traceEvent.executionId}`, traceEvent);
@@ -777,12 +846,47 @@ function createServer(options) {
     if (traceEvent.type === "await_human") {
       connMgr.broadcast("decisions", traceEvent);
     }
-  });
+  };
+  runtime.on("trace", traceListener);
   if (staticRoot) {
-    app8.use("/*", (0, import_serve_static.serveStatic)({ root: staticRoot }));
-    app8.get("*", (0, import_serve_static.serveStatic)({ root: staticRoot, path: "/index.html" }));
+    app7.use(
+      "/*",
+      (0, import_serve_static.serveStatic)({
+        root: staticRoot,
+        rewriteRequestPath: basePath ? (path) => path.startsWith(basePath) ? path.slice(basePath.length) || "/" : path : void 0
+      })
+    );
+    if (basePath) {
+      const indexPath = (0, import_node_path.resolve)(staticRoot, "index.html");
+      if (!(0, import_node_fs.existsSync)(indexPath)) {
+        console.warn(`[axl-studio] index.html not found at ${indexPath}`);
+      } else {
+        const indexHtml = (0, import_node_fs.readFileSync)(indexPath, "utf-8");
+        const safeBasePath = JSON.stringify(basePath).replace(/</g, "\\u003c");
+        const injectedHtml = indexHtml.replace(
+          "</head>",
+          `<base href="${basePath}/">
+<script>window.__AXL_STUDIO_BASE__=${safeBasePath}</script>
+</head>`
+        );
+        if (injectedHtml === indexHtml) {
+          console.warn(
+            "[axl-studio] Could not inject basePath into index.html \u2014 </head> tag not found. The SPA may not route correctly."
+          );
+        }
+        app7.get("*", (c) => c.html(injectedHtml));
+      }
+    } else {
+      app7.get("*", (0, import_serve_static.serveStatic)({ root: staticRoot, path: "/index.html" }));
+    }
   }
-  return { app: app8, connMgr, costAggregator, createWsHandlers: () => createWsHandlers(connMgr) };
+  return {
+    app: app7,
+    connMgr,
+    costAggregator,
+    createWsHandlers: () => createWsHandlers(connMgr),
+    traceListener
+  };
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {