npm - @blackbelt-technology/pi-agent-dashboard - Versions diffs - 0.2.0 - Mend

@blackbelt-technology/pi-agent-dashboard 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/AGENTS.md +342 -0
package/README.md +619 -0
package/docs/architecture.md +646 -0
package/package.json +92 -0
package/packages/extension/package.json +33 -0
package/packages/extension/src/__tests__/ask-user-tool.test.ts +85 -0
package/packages/extension/src/__tests__/command-handler.test.ts +712 -0
package/packages/extension/src/__tests__/connection.test.ts +344 -0
package/packages/extension/src/__tests__/credentials-updated.test.ts +26 -0
package/packages/extension/src/__tests__/dev-build.test.ts +79 -0
package/packages/extension/src/__tests__/event-forwarder.test.ts +89 -0
package/packages/extension/src/__tests__/git-info.test.ts +112 -0
package/packages/extension/src/__tests__/git-link-builder.test.ts +102 -0
package/packages/extension/src/__tests__/openspec-activity-detector.test.ts +232 -0
package/packages/extension/src/__tests__/openspec-poller.test.ts +119 -0
package/packages/extension/src/__tests__/process-metrics.test.ts +47 -0
package/packages/extension/src/__tests__/process-scanner.test.ts +202 -0
package/packages/extension/src/__tests__/prompt-expander.test.ts +54 -0
package/packages/extension/src/__tests__/server-auto-start.test.ts +167 -0
package/packages/extension/src/__tests__/server-launcher.test.ts +44 -0
package/packages/extension/src/__tests__/server-probe.test.ts +25 -0
package/packages/extension/src/__tests__/session-switch.test.ts +139 -0
package/packages/extension/src/__tests__/session-sync.test.ts +55 -0
package/packages/extension/src/__tests__/source-detector.test.ts +73 -0
package/packages/extension/src/__tests__/stats-extractor.test.ts +92 -0
package/packages/extension/src/__tests__/ui-proxy.test.ts +583 -0
package/packages/extension/src/__tests__/watchdog.test.ts +161 -0
package/packages/extension/src/ask-user-tool.ts +63 -0
package/packages/extension/src/bridge-context.ts +64 -0
package/packages/extension/src/bridge.ts +926 -0
package/packages/extension/src/command-handler.ts +538 -0
package/packages/extension/src/connection.ts +204 -0
package/packages/extension/src/dev-build.ts +39 -0
package/packages/extension/src/event-forwarder.ts +40 -0
package/packages/extension/src/flow-event-wiring.ts +102 -0
package/packages/extension/src/git-info.ts +65 -0
package/packages/extension/src/git-link-builder.ts +112 -0
package/packages/extension/src/model-tracker.ts +56 -0
package/packages/extension/src/pi-env.d.ts +23 -0
package/packages/extension/src/process-metrics.ts +70 -0
package/packages/extension/src/process-scanner.ts +396 -0
package/packages/extension/src/prompt-expander.ts +87 -0
package/packages/extension/src/provider-register.ts +276 -0
package/packages/extension/src/server-auto-start.ts +87 -0
package/packages/extension/src/server-launcher.ts +82 -0
package/packages/extension/src/server-probe.ts +33 -0
package/packages/extension/src/session-sync.ts +154 -0
package/packages/extension/src/source-detector.ts +26 -0
package/packages/extension/src/ui-proxy.ts +269 -0
package/packages/extension/tsconfig.json +11 -0
package/packages/server/package.json +37 -0
package/packages/server/src/__tests__/auth-plugin.test.ts +117 -0
package/packages/server/src/__tests__/auth.test.ts +224 -0
package/packages/server/src/__tests__/auto-attach.test.ts +246 -0
package/packages/server/src/__tests__/auto-resume.test.ts +135 -0
package/packages/server/src/__tests__/auto-shutdown.test.ts +136 -0
package/packages/server/src/__tests__/browse-endpoint.test.ts +104 -0
package/packages/server/src/__tests__/bulk-archive-handler.test.ts +15 -0
package/packages/server/src/__tests__/cli-parse.test.ts +73 -0
package/packages/server/src/__tests__/client-discovery.test.ts +39 -0
package/packages/server/src/__tests__/config-api.test.ts +104 -0
package/packages/server/src/__tests__/cors.test.ts +48 -0
package/packages/server/src/__tests__/directory-service.test.ts +240 -0
package/packages/server/src/__tests__/editor-detection.test.ts +60 -0
package/packages/server/src/__tests__/editor-endpoints.test.ts +26 -0
package/packages/server/src/__tests__/editor-manager.test.ts +73 -0
package/packages/server/src/__tests__/editor-registry.test.ts +151 -0
package/packages/server/src/__tests__/event-status-extraction-flow.test.ts +55 -0
package/packages/server/src/__tests__/event-status-extraction.test.ts +58 -0
package/packages/server/src/__tests__/extension-register.test.ts +61 -0
package/packages/server/src/__tests__/file-endpoint.test.ts +49 -0
package/packages/server/src/__tests__/force-kill-handler.test.ts +109 -0
package/packages/server/src/__tests__/git-operations.test.ts +251 -0
package/packages/server/src/__tests__/headless-pid-registry.test.ts +233 -0
package/packages/server/src/__tests__/headless-shutdown-fallback.test.ts +109 -0
package/packages/server/src/__tests__/health-endpoint.test.ts +35 -0
package/packages/server/src/__tests__/heartbeat-ack.test.ts +63 -0
package/packages/server/src/__tests__/json-store.test.ts +70 -0
package/packages/server/src/__tests__/localhost-guard.test.ts +149 -0
package/packages/server/src/__tests__/memory-event-store.test.ts +260 -0
package/packages/server/src/__tests__/memory-session-manager.test.ts +80 -0
package/packages/server/src/__tests__/meta-persistence.test.ts +107 -0
package/packages/server/src/__tests__/migrate-persistence.test.ts +180 -0
package/packages/server/src/__tests__/npm-search-proxy.test.ts +153 -0
package/packages/server/src/__tests__/oauth-callback-server.test.ts +165 -0
package/packages/server/src/__tests__/openspec-archive.test.ts +87 -0
package/packages/server/src/__tests__/package-manager-wrapper.test.ts +163 -0
package/packages/server/src/__tests__/package-routes.test.ts +172 -0
package/packages/server/src/__tests__/pending-fork-registry.test.ts +69 -0
package/packages/server/src/__tests__/pending-load-manager.test.ts +144 -0
package/packages/server/src/__tests__/pending-resume-registry.test.ts +130 -0
package/packages/server/src/__tests__/pi-resource-scanner.test.ts +235 -0
package/packages/server/src/__tests__/preferences-store.test.ts +108 -0
package/packages/server/src/__tests__/process-manager.test.ts +184 -0
package/packages/server/src/__tests__/provider-auth-handlers.test.ts +93 -0
package/packages/server/src/__tests__/provider-auth-routes.test.ts +143 -0
package/packages/server/src/__tests__/provider-auth-storage.test.ts +114 -0
package/packages/server/src/__tests__/resolve-path.test.ts +38 -0
package/packages/server/src/__tests__/ring-buffer.test.ts +45 -0
package/packages/server/src/__tests__/server-pid.test.ts +89 -0
package/packages/server/src/__tests__/session-api.test.ts +244 -0
package/packages/server/src/__tests__/session-diff.test.ts +138 -0
package/packages/server/src/__tests__/session-file-dedup.test.ts +102 -0
package/packages/server/src/__tests__/session-file-reader.test.ts +85 -0
package/packages/server/src/__tests__/session-lifecycle-logging.test.ts +138 -0
package/packages/server/src/__tests__/session-order-manager.test.ts +135 -0
package/packages/server/src/__tests__/session-ordering-integration.test.ts +102 -0
package/packages/server/src/__tests__/session-scanner.test.ts +199 -0
package/packages/server/src/__tests__/shutdown-endpoint.test.ts +42 -0
package/packages/server/src/__tests__/skip-wipe.test.ts +123 -0
package/packages/server/src/__tests__/sleep-aware-heartbeat.test.ts +126 -0
package/packages/server/src/__tests__/smoke-integration.test.ts +175 -0
package/packages/server/src/__tests__/spa-fallback.test.ts +68 -0
package/packages/server/src/__tests__/subscription-handler.test.ts +155 -0
package/packages/server/src/__tests__/terminal-gateway.test.ts +61 -0
package/packages/server/src/__tests__/terminal-manager.test.ts +257 -0
package/packages/server/src/__tests__/trusted-networks-config.test.ts +84 -0
package/packages/server/src/__tests__/tunnel.test.ts +206 -0
package/packages/server/src/__tests__/ws-ping-pong.test.ts +112 -0
package/packages/server/src/auth-plugin.ts +302 -0
package/packages/server/src/auth.ts +323 -0
package/packages/server/src/browse.ts +55 -0
package/packages/server/src/browser-gateway.ts +495 -0
package/packages/server/src/browser-handlers/directory-handler.ts +137 -0
package/packages/server/src/browser-handlers/handler-context.ts +45 -0
package/packages/server/src/browser-handlers/session-action-handler.ts +271 -0
package/packages/server/src/browser-handlers/session-meta-handler.ts +95 -0
package/packages/server/src/browser-handlers/subscription-handler.ts +154 -0
package/packages/server/src/browser-handlers/terminal-handler.ts +37 -0
package/packages/server/src/cli.ts +347 -0
package/packages/server/src/config-api.ts +130 -0
package/packages/server/src/directory-service.ts +162 -0
package/packages/server/src/editor-detection.ts +60 -0
package/packages/server/src/editor-manager.ts +352 -0
package/packages/server/src/editor-proxy.ts +134 -0
package/packages/server/src/editor-registry.ts +108 -0
package/packages/server/src/event-status-extraction.ts +131 -0
package/packages/server/src/event-wiring.ts +589 -0
package/packages/server/src/extension-register.ts +92 -0
package/packages/server/src/git-operations.ts +200 -0
package/packages/server/src/headless-pid-registry.ts +207 -0
package/packages/server/src/idle-timer.ts +61 -0
package/packages/server/src/json-store.ts +32 -0
package/packages/server/src/localhost-guard.ts +117 -0
package/packages/server/src/memory-event-store.ts +193 -0
package/packages/server/src/memory-session-manager.ts +123 -0
package/packages/server/src/meta-persistence.ts +64 -0
package/packages/server/src/migrate-persistence.ts +195 -0
package/packages/server/src/npm-search-proxy.ts +143 -0
package/packages/server/src/oauth-callback-server.ts +177 -0
package/packages/server/src/openspec-archive.ts +60 -0
package/packages/server/src/package-manager-wrapper.ts +200 -0
package/packages/server/src/pending-fork-registry.ts +53 -0
package/packages/server/src/pending-load-manager.ts +110 -0
package/packages/server/src/pending-resume-registry.ts +69 -0
package/packages/server/src/pi-gateway.ts +419 -0
package/packages/server/src/pi-resource-scanner.ts +369 -0
package/packages/server/src/preferences-store.ts +116 -0
package/packages/server/src/process-manager.ts +311 -0
package/packages/server/src/provider-auth-handlers.ts +438 -0
package/packages/server/src/provider-auth-storage.ts +200 -0
package/packages/server/src/resolve-path.ts +12 -0
package/packages/server/src/routes/editor-routes.ts +86 -0
package/packages/server/src/routes/file-routes.ts +116 -0
package/packages/server/src/routes/git-routes.ts +89 -0
package/packages/server/src/routes/openspec-routes.ts +99 -0
package/packages/server/src/routes/package-routes.ts +172 -0
package/packages/server/src/routes/provider-auth-routes.ts +244 -0
package/packages/server/src/routes/provider-routes.ts +101 -0
package/packages/server/src/routes/route-deps.ts +23 -0
package/packages/server/src/routes/session-routes.ts +91 -0
package/packages/server/src/routes/system-routes.ts +271 -0
package/packages/server/src/server-pid.ts +84 -0
package/packages/server/src/server.ts +554 -0
package/packages/server/src/session-api.ts +330 -0
package/packages/server/src/session-bootstrap.ts +80 -0
package/packages/server/src/session-diff.ts +178 -0
package/packages/server/src/session-discovery.ts +134 -0
package/packages/server/src/session-file-reader.ts +135 -0
package/packages/server/src/session-order-manager.ts +73 -0
package/packages/server/src/session-scanner.ts +233 -0
package/packages/server/src/session-stats-reader.ts +99 -0
package/packages/server/src/terminal-gateway.ts +51 -0
package/packages/server/src/terminal-manager.ts +241 -0
package/packages/server/src/tunnel.ts +329 -0
package/packages/server/tsconfig.json +11 -0
package/packages/shared/package.json +15 -0
package/packages/shared/src/__tests__/config.test.ts +358 -0
package/packages/shared/src/__tests__/deriveChangeState.test.ts +95 -0
package/packages/shared/src/__tests__/mdns-discovery.test.ts +80 -0
package/packages/shared/src/__tests__/protocol.test.ts +243 -0
package/packages/shared/src/__tests__/resolve-jiti.test.ts +17 -0
package/packages/shared/src/__tests__/server-identity.test.ts +73 -0
package/packages/shared/src/__tests__/session-meta.test.ts +125 -0
package/packages/shared/src/archive-types.ts +11 -0
package/packages/shared/src/browser-protocol.ts +534 -0
package/packages/shared/src/config.ts +245 -0
package/packages/shared/src/diff-types.ts +41 -0
package/packages/shared/src/editor-types.ts +18 -0
package/packages/shared/src/mdns-discovery.ts +248 -0
package/packages/shared/src/openspec-activity-detector.ts +109 -0
package/packages/shared/src/openspec-poller.ts +96 -0
package/packages/shared/src/protocol.ts +369 -0
package/packages/shared/src/resolve-jiti.ts +43 -0
package/packages/shared/src/rest-api.ts +255 -0
package/packages/shared/src/server-identity.ts +51 -0
package/packages/shared/src/session-meta.ts +86 -0
package/packages/shared/src/state-replay.ts +174 -0
package/packages/shared/src/stats-extractor.ts +54 -0
package/packages/shared/src/terminal-types.ts +18 -0
package/packages/shared/src/types.ts +351 -0
package/packages/shared/tsconfig.json +8 -0

package/packages/extension/src/ui-proxy.ts ADDED Viewed

@@ -0,0 +1,269 @@
+/**
+ * UI Proxy for the dashboard bridge extension.
+ *
+ * Wraps ctx.ui dialog methods (confirm, select, input, editor) to forward
+ * them to the dashboard server. For TUI sessions, races the original method
+ * against the dashboard response. For headless sessions, only the dashboard
+ * can respond.
+ *
+ * Fire-and-forget methods (notify) are forwarded alongside the original call.
+ */
+import type { ExtensionUiResponseMessage } from "@blackbelt-technology/pi-dashboard-shared/protocol.js";
+export interface UiProxyOptions {
+  /** The original ctx.ui object to wrap */
+  ui: {
+    confirm(title: string, message: string, opts?: any): Promise<boolean>;
+    select(title: string, options: string[], opts?: any): Promise<string | undefined>;
+    input(title: string, placeholder?: string, opts?: any): Promise<string | undefined>;
+    editor?(title: string, prefill?: string, opts?: any): Promise<string | undefined>;
+    notify(message: string, type?: string): void;
+  };
+  /** Whether TUI is available (race mode vs dashboard-only) */
+  hasUI: boolean;
+  /** Get current session ID */
+  getSessionId: () => string;
+  /** Send a message to the dashboard server */
+  send: (msg: any) => void;
+}
+interface PendingRequest {
+  method: string;
+  params: Record<string, unknown>;
+  resolve: (value: any) => void;
+}
+export function createUiProxy(options: UiProxyOptions) {
+  const { ui, hasUI, getSessionId, send } = options;
+  const pending = new Map<string, PendingRequest>();
+  // Capture original method references BEFORE ctx.ui is patched in-place.
+  // Without this, the proxy's call to ui.notify() would recurse into itself
+  // because bridge.ts overwrites ctx.ui.notify with the proxy's own method.
+  const originalConfirm = ui.confirm.bind(ui);
+  const originalSelect = ui.select.bind(ui);
+  const originalInput = ui.input.bind(ui);
+  const originalEditor = ui.editor?.bind(ui);
+  const originalNotify = ui.notify.bind(ui);
+  function generateRequestId(): string {
+    return crypto.randomUUID();
+  }
+  function sendRequest(method: string, params: Record<string, unknown>): string {
+    const requestId = generateRequestId();
+    send({
+      type: "extension_ui_request",
+      sessionId: getSessionId(),
+      requestId,
+      method,
+      params,
+    });
+    return requestId;
+  }
+  function createDashboardPromise<T>(requestId: string, method: string, params: Record<string, unknown>): Promise<T> {
+    return new Promise<T>((resolve) => {
+      pending.set(requestId, { method, params, resolve });
+    });
+  }
+  /** Re-send all pending UI requests (e.g. after server reconnect) */
+  function resendPending(): void {
+    for (const [requestId, entry] of pending) {
+      send({
+        type: "extension_ui_request",
+        sessionId: getSessionId(),
+        requestId,
+        method: entry.method,
+        params: entry.params,
+      });
+    }
+  }
+  /** Extract the result for a specific dialog method from the response */
+  function extractResult(method: string, response: ExtensionUiResponseMessage): any {
+    if (response.cancelled) {
+      switch (method) {
+        case "confirm":
+          return false;
+        case "multiselect":
+          return [];
+        default:
+          return undefined;
+      }
+    }
+    const result = response.result as Record<string, unknown> | undefined;
+    switch (method) {
+      case "confirm":
+        return result?.confirmed ?? false;
+      case "select":
+      case "input":
+      case "editor":
+        return result?.value;
+      case "multiselect":
+        return (result?.values as string[]) ?? [];
+      default:
+        return result;
+    }
+  }
+  // Recursion guard: if ui.confirm/select/etc is actually our own proxy
+  // (e.g. ctx.ui was already patched from a previous /reload), skip the
+  // TUI race to avoid infinite recursion.
+  let inProxy = false;
+  /** Send a dismiss message to the server so dashboard can close the stale dialog */
+  function sendDismiss(requestId: string): void {
+    send({
+      type: "extension_ui_dismiss",
+      sessionId: getSessionId(),
+      requestId,
+    });
+  }
+  /**
+   * Race TUI promise against dashboard promise with proper cancellation.
+   * When TUI wins: clean up pending Map entry + send dismiss to server.
+   * When dashboard wins: abort TUI dialog via AbortController.
+   */
+  function raceWithCancellation<T>(requestId: string, tuiPromise: Promise<T>, dashPromise: Promise<T>, ac: AbortController): Promise<T> {
+    // Wire up cross-cancellation before racing
+    tuiPromise.then(() => {
+      // TUI won — clean up dashboard side
+      pending.delete(requestId);
+      sendDismiss(requestId);
+    }).catch(() => {});
+    dashPromise.then(() => {
+      // Dashboard won — abort TUI dialog
+      ac.abort();
+    }).catch(() => {});
+    return Promise.race([tuiPromise, dashPromise]);
+  }
+  const wrappedUi = {
+    confirm: (title: string, message: string, opts?: any): Promise<boolean> => {
+      const params = { title, message };
+      const requestId = sendRequest("confirm", params);
+      const dashPromise = createDashboardPromise<boolean>(requestId, "confirm", params);
+      if (hasUI && !inProxy) {
+        const ac = new AbortController();
+        inProxy = true;
+        const originalPromise = originalConfirm(title, message, { ...opts, signal: ac.signal }).finally(() => { inProxy = false; });
+        return raceWithCancellation(requestId, originalPromise, dashPromise, ac);
+      }
+      return dashPromise;
+    },
+    select: (title: string, selectOptions: string[], opts?: any): Promise<string | undefined> => {
+      const message = opts?.message as string | undefined;
+      const params = { title, options: selectOptions, ...(message ? { message } : {}) };
+      const requestId = sendRequest("select", params);
+      const dashPromise = createDashboardPromise<string | undefined>(requestId, "select", params);
+      if (hasUI && !inProxy) {
+        const ac = new AbortController();
+        inProxy = true;
+        const tuiTitle = message ? `${title}\n\n${message}` : title;
+        const originalPromise = originalSelect(tuiTitle, selectOptions, { ...opts, signal: ac.signal }).finally(() => { inProxy = false; });
+        return raceWithCancellation(requestId, originalPromise, dashPromise, ac);
+      }
+      return dashPromise;
+    },
+    input: (title: string, placeholder?: string, opts?: any): Promise<string | undefined> => {
+      const message = opts?.message as string | undefined;
+      const params = { title, placeholder, ...(message ? { message } : {}) };
+      const requestId = sendRequest("input", params);
+      const dashPromise = createDashboardPromise<string | undefined>(requestId, "input", params);
+      if (hasUI && !inProxy) {
+        const ac = new AbortController();
+        inProxy = true;
+        const tuiTitle = message ? `${title}\n\n${message}` : title;
+        const originalPromise = originalInput(tuiTitle, placeholder, { ...opts, signal: ac.signal }).finally(() => { inProxy = false; });
+        return raceWithCancellation(requestId, originalPromise, dashPromise, ac);
+      }
+      return dashPromise;
+    },
+    editor: (title: string, prefill?: string, opts?: any): Promise<string | undefined> => {
+      const params = { title, prefill };
+      const requestId = sendRequest("editor", params);
+      const dashPromise = createDashboardPromise<string | undefined>(requestId, "editor", params);
+      if (hasUI && !inProxy && originalEditor) {
+        const ac = new AbortController();
+        inProxy = true;
+        const originalPromise = originalEditor(title, prefill, { ...opts, signal: ac.signal }).finally(() => { inProxy = false; });
+        return raceWithCancellation(requestId, originalPromise, dashPromise, ac);
+      }
+      return dashPromise;
+    },
+    multiselect: (title: string, selectOptions: string[], opts?: any): Promise<string[]> => {
+      const message = opts?.message as string | undefined;
+      const params = { title, options: selectOptions, ...(message ? { message } : {}) };
+      const requestId = sendRequest("multiselect", params);
+      const dashPromise = createDashboardPromise<string[]>(requestId, "multiselect", params);
+      if (hasUI && !inProxy) {
+        const ac = new AbortController();
+        inProxy = true;
+        const numbered = selectOptions.map((o, i) => `${i + 1}. ${o}`).join("\n");
+        const tuiBase = message ? `${title}\n\n${message}` : title;
+        const tuiPromise = originalInput(`${tuiBase}\n${numbered}`, "e.g. 1,3", { signal: ac.signal }).then((raw) => {
+          if (!raw) return [] as string[];
+          return raw
+            .split(",")
+            .map((s) => parseInt(s.trim(), 10))
+            .filter((n) => !isNaN(n) && n >= 1 && n <= selectOptions.length)
+            .map((n) => selectOptions[n - 1]);
+        }).finally(() => { inProxy = false; });
+        return raceWithCancellation(requestId, tuiPromise, dashPromise, ac);
+      }
+      return dashPromise;
+    },
+    notify: (message: string, type?: string): void => {
+      originalNotify(message, type);
+      sendRequest("notify", { message, level: type });
+    },
+  };
+  function handleResponse(response: ExtensionUiResponseMessage): void {
+    const entry = pending.get(response.requestId);
+    if (!entry) return;
+    pending.delete(response.requestId);
+    entry.resolve(extractResult(entry.method, response));
+  }
+  /**
+   * Cancel all pending UI requests. Resolves each pending promise with a
+   * "cancelled" result so the TUI dialogs are dismissed.
+   *
+   * Used when an external channel (e.g. architect_prompt_response) answers a
+   * question that was also forwarded through the ui-proxy. Without this, the
+   * TUI dialog would stay open forever because the proxy’s dashPromise never
+   * resolves.
+   */
+  function cancelAllPending(): void {
+    for (const [requestId, entry] of pending) {
+      const cancelled: ExtensionUiResponseMessage = {
+        type: "extension_ui_response",
+        sessionId: getSessionId(),
+        requestId,
+        cancelled: true,
+      };
+      entry.resolve(extractResult(entry.method, cancelled));
+      sendDismiss(requestId);
+    }
+    pending.clear();
+  }
+  return { wrappedUi, handleResponse, resendPending, cancelAllPending };
+}

package/packages/extension/tsconfig.json ADDED Viewed

@@ -0,0 +1,11 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "references": [
+    { "path": "../shared" }
+  ],
+  "include": ["src"]
+}

package/packages/server/package.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "name": "@blackbelt-technology/pi-dashboard-server",
+  "version": "0.2.0",
+  "description": "Dashboard server for monitoring and interacting with pi agent sessions",
+  "type": "module",
+  "main": "src/cli.ts",
+  "bin": {
+    "pi-dashboard": "src/cli.ts"
+  },
+  "files": [
+    "src/",
+    "scripts/"
+  ],
+  "scripts": {
+    "postinstall": "node scripts/fix-pty-permissions.cjs"
+  },
+  "dependencies": {
+    "@blackbelt-technology/pi-dashboard-shared": "*",
+    "@fastify/cookie": "^11.0.2",
+    "@fastify/cors": "^11.0.0",
+    "@fastify/http-proxy": "^11.4.3",
+    "@fastify/reply-from": "^12.6.1",
+    "@fastify/static": "^8.0.0",
+    "@fastify/websocket": "^11.0.0",
+    "bonjour-service": "^1.3.0",
+    "diff": "^8.0.3",
+    "fastify": "^5.0.0",
+    "jsonwebtoken": "^9.0.3",
+    "node-pty": "^1.1.0",
+    "ws": "^8.18.0"
+  },
+  "devDependencies": {
+    "@types/diff": "^7.0.0",
+    "@types/jsonwebtoken": "^9.0.9",
+    "@types/ws": "^8.18.1"
+  }
+}

package/packages/server/src/__tests__/auth-plugin.test.ts ADDED Viewed

@@ -0,0 +1,117 @@
+import { describe, it, expect } from "vitest";
+import { validateWsUpgrade, escapeHtml, isBypassed } from "../auth-plugin.js";
+import { isBypassedHost } from "../localhost-guard.js";
+import { signToken, COOKIE_NAME } from "../auth.js";
+const SECRET = "test-secret-for-ws-auth-testing";
+describe("validateWsUpgrade", () => {
+  it("should allow localhost without cookie", () => {
+    expect(validateWsUpgrade(undefined, "127.0.0.1", SECRET)).toBe(true);
+    expect(validateWsUpgrade(undefined, "::1", SECRET)).toBe(true);
+    expect(validateWsUpgrade(undefined, "::ffff:127.0.0.1", SECRET)).toBe(true);
+  });
+  it("should reject external request without cookie", () => {
+    expect(validateWsUpgrade(undefined, "1.2.3.4", SECRET)).toBe(false);
+  });
+  it("should reject external request with invalid cookie", () => {
+    expect(validateWsUpgrade(`${COOKIE_NAME}=invalidtoken`, "1.2.3.4", SECRET)).toBe(false);
+  });
+  it("should allow external request with valid cookie", () => {
+    const token = signToken({ sub: "user@example.com", name: "User", username: "user", provider: "github" }, SECRET);
+    expect(validateWsUpgrade(`${COOKIE_NAME}=${token}`, "1.2.3.4", SECRET)).toBe(true);
+  });
+  it("should reject external request with wrong secret", () => {
+    const token = signToken({ sub: "user@example.com", name: "User", username: "user", provider: "github" }, "other-secret");
+    expect(validateWsUpgrade(`${COOKIE_NAME}=${token}`, "1.2.3.4", SECRET)).toBe(false);
+  });
+});
+describe("isBypassed", () => {
+  it("should return false for empty bypassUrls list", () => {
+    expect(isBypassed("/api/sessions", [])).toBe(false);
+  });
+  it("should return true when URL starts with a bypass prefix", () => {
+    expect(isBypassed("/webhooks/github", ["/webhooks/"])).toBe(true);
+  });
+  it("should return false when URL does not start with any bypass prefix", () => {
+    expect(isBypassed("/api/sessions", ["/webhooks/"])).toBe(false);
+  });
+  it("should match multiple prefixes", () => {
+    expect(isBypassed("/metrics", ["/webhooks/", "/metrics"])).toBe(true);
+    expect(isBypassed("/healthz/ready", ["/healthz", "/metrics"])).toBe(true);
+  });
+  it("should match because startsWith is a prefix check (not word-boundary)", () => {
+    // /api/public IS a prefix of /api/publications — this is expected, documented behaviour
+    expect(isBypassed("/api/publications", ["/api/public"])).toBe(true);
+  });
+  it("should not match when prefix is only a substring in the middle", () => {
+    expect(isBypassed("/v1/webhooks/data", ["/webhooks/"])).toBe(false);
+  });
+  it("should return false when no prefix matches", () => {
+    expect(isBypassed("/secure/data", ["/webhooks/", "/metrics"])).toBe(false);
+  });
+});
+describe("isBypassedHost", () => {
+  it("should return false for empty bypass list", () => {
+    expect(isBypassedHost("10.0.0.5", [])).toBe(false);
+  });
+  it("should match exact IP", () => {
+    expect(isBypassedHost("10.0.0.5", ["10.0.0.5"])).toBe(true);
+  });
+  it("should match exact hostname", () => {
+    expect(isBypassedHost("build-server.local", ["build-server.local"])).toBe(true);
+  });
+  it("should not match different IP", () => {
+    expect(isBypassedHost("10.0.0.6", ["10.0.0.5"])).toBe(false);
+  });
+  it("should match CIDR notation", () => {
+    expect(isBypassedHost("192.168.1.50", ["192.168.1.0/24"])).toBe(true);
+    expect(isBypassedHost("192.168.2.50", ["192.168.1.0/24"])).toBe(false);
+  });
+  it("should match wildcard subnet", () => {
+    expect(isBypassedHost("10.0.0.99", ["10.0.0.*"])).toBe(true);
+    expect(isBypassedHost("10.0.1.99", ["10.0.0.*"])).toBe(false);
+  });
+  it("should match multiple entries", () => {
+    expect(isBypassedHost("10.0.0.5", ["192.168.1.1", "10.0.0.5"])).toBe(true);
+  });
+});
+describe("escapeHtml", () => {
+  it("should escape all HTML special characters", () => {
+    expect(escapeHtml('&<>"\'')).toBe("&amp;&lt;&gt;&quot;&#39;");
+  });
+  it("should escape script tags to prevent XSS", () => {
+    expect(escapeHtml('<script>alert(1)</script>')).toBe("&lt;script&gt;alert(1)&lt;/script&gt;");
+  });
+  it("should escape crafted email addresses", () => {
+    expect(escapeHtml('<img onerror="alert(1)" src=x>@evil.com')).toBe(
+      '&lt;img onerror=&quot;alert(1)&quot; src=x&gt;@evil.com',
+    );
+  });
+  it("should pass through safe strings unchanged", () => {
+    expect(escapeHtml("user@example.com")).toBe("user@example.com");
+    expect(escapeHtml("hello world")).toBe("hello world");
+  });
+});

package/packages/server/src/__tests__/auth.test.ts ADDED Viewed

@@ -0,0 +1,224 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import {
+  signToken,
+  verifyToken,
+  parseAuthCookie,
+  isUserAllowed,
+  ensureAuthSecret,
+  buildAuthorizeUrl,
+  buildProviderRegistry,
+  COOKIE_NAME,
+  type AuthUser,
+  type ResolvedProvider,
+} from "../auth.js";
+import type { AuthConfig } from "@blackbelt-technology/pi-dashboard-shared/config.js";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+// ─── JWT Token Tests ────────────────────────────────────────────────────────
+describe("signToken / verifyToken", () => {
+  const secret = "test-secret-32-chars-long-abcdef";
+  const user: AuthUser = { sub: "user@example.com", name: "Test User", username: "testuser", provider: "github" };
+  it("should sign and verify a token", () => {
+    const token = signToken(user, secret);
+    const payload = verifyToken(token, secret);
+    expect(payload).not.toBeNull();
+    expect(payload!.sub).toBe("user@example.com");
+    expect(payload!.name).toBe("Test User");
+    expect(payload!.provider).toBe("github");
+    expect(payload!.exp).toBeGreaterThan(Math.floor(Date.now() / 1000));
+  });
+  it("should return null for tampered token", () => {
+    const token = signToken(user, secret);
+    const tampered = token.slice(0, -5) + "XXXXX";
+    expect(verifyToken(tampered, secret)).toBeNull();
+  });
+  it("should return null for wrong secret", () => {
+    const token = signToken(user, secret);
+    expect(verifyToken(token, "wrong-secret")).toBeNull();
+  });
+  it("should return null for garbage string", () => {
+    expect(verifyToken("not.a.jwt", secret)).toBeNull();
+  });
+});
+// ─── Cookie Parsing Tests ───────────────────────────────────────────────────
+describe("parseAuthCookie", () => {
+  it("should parse cookie from header", () => {
+    const header = `other=abc; ${COOKIE_NAME}=mytoken123; another=def`;
+    expect(parseAuthCookie(header)).toBe("mytoken123");
+  });
+  it("should return null when cookie not present", () => {
+    expect(parseAuthCookie("other=abc")).toBeNull();
+  });
+  it("should return null for undefined header", () => {
+    expect(parseAuthCookie(undefined)).toBeNull();
+  });
+  it("should parse when cookie is first", () => {
+    expect(parseAuthCookie(`${COOKIE_NAME}=token1; other=x`)).toBe("token1");
+  });
+  it("should parse when cookie is only value", () => {
+    expect(parseAuthCookie(`${COOKIE_NAME}=singletoken`)).toBe("singletoken");
+  });
+});
+// ─── Email Allowlist Tests ──────────────────────────────────────────────────
+describe("isUserAllowed", () => {
+  it("should allow any user when allowedUsers is undefined", () => {
+    expect(isUserAllowed("anyone@example.com", "anyone")).toBe(true);
+  });
+  it("should allow any user when allowedUsers is empty", () => {
+    expect(isUserAllowed("anyone@example.com", "anyone", [])).toBe(true);
+  });
+  it("should allow exact email match", () => {
+    expect(isUserAllowed("user@example.com", "user", ["user@example.com"])).toBe(true);
+  });
+  it("should allow exact username match", () => {
+    expect(isUserAllowed("other@example.com", "octocat", ["octocat"])).toBe(true);
+  });
+  it("should reject non-matching email and username", () => {
+    expect(isUserAllowed("other@example.com", "other", ["user@example.com"])).toBe(false);
+  });
+  it("should support domain wildcard", () => {
+    expect(isUserAllowed("anyone@company.com", "anyone", ["*@company.com"])).toBe(true);
+    expect(isUserAllowed("anyone@other.com", "anyone", ["*@company.com"])).toBe(false);
+  });
+  it("should be case-insensitive for email", () => {
+    expect(isUserAllowed("User@Example.COM", "user", ["user@example.com"])).toBe(true);
+    expect(isUserAllowed("test@Company.Com", "test", ["*@company.com"])).toBe(true);
+  });
+  it("should be case-insensitive for username", () => {
+    expect(isUserAllowed("x@y.com", "OctoCat", ["octocat"])).toBe(true);
+  });
+});
+// ─── Auth Secret Management Tests ───────────────────────────────────────────
+describe("ensureAuthSecret", () => {
+  let testDir: string;
+  let configFile: string;
+  let origHome: string;
+  beforeEach(() => {
+    testDir = path.join(os.tmpdir(), `test-auth-secret-${Date.now()}`);
+    fs.mkdirSync(path.join(testDir, ".pi", "dashboard"), { recursive: true });
+    configFile = path.join(testDir, ".pi", "dashboard", "config.json");
+    origHome = process.env.HOME!;
+    process.env.HOME = testDir;
+  });
+  afterEach(() => {
+    process.env.HOME = origHome;
+    if (fs.existsSync(testDir)) fs.rmSync(testDir, { recursive: true });
+  });
+  it("should return existing secret when present", () => {
+    const config: AuthConfig = {
+      secret: "existing-secret",
+      providers: { github: { clientId: "id", clientSecret: "sec" } },
+    };
+    expect(ensureAuthSecret(config)).toBe("existing-secret");
+  });
+  it("should generate secret when missing and update config object", () => {
+    // Note: persistence to file depends on CONFIG_FILE which is resolved at module load.
+    // We test the in-memory behavior here.
+    const config: AuthConfig = {
+      secret: "",
+      providers: { github: { clientId: "id", clientSecret: "sec" } },
+    };
+    const secret = ensureAuthSecret(config);
+    expect(secret).toHaveLength(32);
+    expect(config.secret).toBe(secret);
+    // Secret should be hex
+    expect(/^[0-9a-f]{32}$/.test(secret)).toBe(true);
+  });
+  it("should generate different secrets each time", () => {
+    const config1: AuthConfig = { secret: "", providers: {} };
+    const config2: AuthConfig = { secret: "", providers: {} };
+    const s1 = ensureAuthSecret(config1);
+    const s2 = ensureAuthSecret(config2);
+    expect(s1).not.toBe(s2);
+  });
+});
+// ─── Provider Registry Tests ────────────────────────────────────────────────
+describe("buildProviderRegistry", () => {
+  // We test buildProviderRegistry indirectly through the resolved provider for GitHub
+  // (since Google/Keycloak/OIDC require OIDC discovery which needs network)
+  it("should resolve GitHub provider with hardcoded endpoints", async () => {
+    const registry = await buildProviderRegistry({
+      github: { clientId: "gh-id", clientSecret: "gh-secret" },
+    });
+    expect(registry.size).toBe(1);
+    const gh = registry.get("github")!;
+    expect(gh.name).toBe("GitHub");
+    expect(gh.authorizeUrl).toBe("https://github.com/login/oauth/authorize");
+    expect(gh.tokenUrl).toBe("https://github.com/login/oauth/access_token");
+    expect(gh.userInfoUrl).toBe("https://api.github.com/user");
+    expect(gh.scopes).toBe("user:email");
+    expect(gh.clientId).toBe("gh-id");
+  });
+  it("should return empty registry for empty providers", async () => {
+    const registry = await buildProviderRegistry({});
+    expect(registry.size).toBe(0);
+  });
+  it("should skip providers that fail to resolve (e.g. OIDC without issuerUrl)", async () => {
+    const registry = await buildProviderRegistry({
+      keycloak: { clientId: "kc", clientSecret: "ks" }, // missing issuerUrl
+      github: { clientId: "gh", clientSecret: "gs" },
+    });
+    // keycloak should be skipped (no issuerUrl), github should resolve
+    expect(registry.size).toBe(1);
+    expect(registry.has("github")).toBe(true);
+  });
+});
+// ─── Authorize URL Builder Tests ────────────────────────────────────────────
+describe("buildAuthorizeUrl", () => {
+  it("should build correct authorize URL", () => {
+    const provider: ResolvedProvider = {
+      key: "github",
+      name: "GitHub",
+      authorizeUrl: "https://github.com/login/oauth/authorize",
+      tokenUrl: "https://github.com/login/oauth/access_token",
+      userInfoUrl: "https://api.github.com/user",
+      scopes: "user:email",
+      clientId: "my-client-id",
+      clientSecret: "secret",
+    };
+    const url = buildAuthorizeUrl(provider, "http://localhost:8000/auth/callback/github", "state123");
+    expect(url).toContain("https://github.com/login/oauth/authorize?");
+    expect(url).toContain("client_id=my-client-id");
+    expect(url).toContain("redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fauth%2Fcallback%2Fgithub");
+    expect(url).toContain("scope=user%3Aemail");
+    expect(url).toContain("state=state123");
+    expect(url).toContain("response_type=code");
+  });
+});