@blackbelt-technology/pi-agent-dashboard 0.2.0

package/packages/server/src/routes/provider-auth-routes.ts

@@ -0,0 +1,244 @@
+/**
+ * REST routes for browser-based pi provider authentication.
+ */
+import { exec } from "node:child_process";
+import type { FastifyInstance } from "fastify";
+import {
+  getProviderHandler,
+  generatePKCE,
+  generateState,
+  type AuthCodeHandler,
+  type DeviceCodeHandler,
+  type PKCEPair,
+} from "../provider-auth-handlers.js";
+import {
+  writeCredential,
+  removeCredential,
+  getAuthStatus,
+  getOAuthProvidersMeta,
+  resolveAuthJsonKey,
+  type ApiKeyCredential,
+} from "../provider-auth-storage.js";
+import { startCallbackServer } from "../oauth-callback-server.js";
+import type { PiGateway } from "../pi-gateway.js";
+
+// ── In-memory flow store (short-lived PKCE + device code state) ──────────────
+
+interface AuthCodeFlow {
+  providerId: string;
+  pkce: PKCEPair;
+  state: string;
+  redirectUri: string;
+  createdAt: number;
+}
+
+interface DeviceCodeFlow {
+  providerId: string;
+  deviceCode: string;
+  interval: number;
+  expiresIn: number;
+  extra?: Record<string, unknown>;
+  status: "pending" | "complete" | "error" | "expired";
+  error?: string;
+  createdAt: number;
+}
+
+const authCodeFlows = new Map<string, AuthCodeFlow>();
+const deviceCodeFlows = new Map<string, DeviceCodeFlow>();
+
+// Expire flows after 10 minutes
+const FLOW_TTL_MS = 10 * 60 * 1000;
+
+function pruneFlows() {
+  const now = Date.now();
+  for (const [id, f] of authCodeFlows) {
+    if (now - f.createdAt > FLOW_TTL_MS) authCodeFlows.delete(id);
+  }
+  for (const [id, f] of deviceCodeFlows) {
+    if (now - f.createdAt > FLOW_TTL_MS) deviceCodeFlows.delete(id);
+  }
+}
+
+function makeFlowId(): string {
+  return Math.random().toString(36).slice(2) + Date.now().toString(36);
+}
+
+// ── Helpers ──────────────────────────────────────────────────────────────────
+
+/** Open a URL in the system's default browser */
+function openInBrowser(url: string): void {
+  const cmd = process.platform === "darwin"
+    ? `open ${JSON.stringify(url)}`
+    : process.platform === "win32"
+      ? `start "" ${JSON.stringify(url)}`
+      : `xdg-open ${JSON.stringify(url)}`;
+  exec(cmd, (err) => {
+    if (err) console.error("[provider-auth] Failed to open browser:", err.message);
+  });
+}
+
+// ── Route registration ───────────────────────────────────────────────────────
+
+export function registerProviderAuthRoutes(
+  fastify: FastifyInstance,
+  deps: { piGateway: PiGateway },
+) {
+  const { piGateway } = deps;
+
+  function notifyBridges() {
+    piGateway.broadcast({ type: "credentials_updated" });
+  }
+
+  // List OAuth providers
+  fastify.get("/api/provider-auth/providers", async () => {
+    return getOAuthProvidersMeta();
+  });
+
+  // Full status (OAuth + API key)
+  fastify.get("/api/provider-auth/status", async () => {
+    return getAuthStatus();
+  });
+
+  // Start auth-code flow — opens system browser, starts temp callback server
+  fastify.post<{ Body: { provider: string } }>("/api/provider-auth/authorize", async (request, reply) => {
+    pruneFlows();
+    const { provider } = request.body ?? {};
+    const handler = getProviderHandler(provider);
+    if (!handler || handler.flowType !== "auth_code") {
+      return reply.code(400).send({ error: `Unknown auth-code provider: ${provider}` });
+    }
+    const h = handler as AuthCodeHandler;
+    const pkce = await generatePKCE();
+    const state = generateState();
+    const redirectUri = `http://localhost:${h.callbackPort}${h.callbackPath}`;
+    const authUrl = h.buildAuthUrl(redirectUri, state, pkce);
+    const flowId = makeFlowId();
+    authCodeFlows.set(flowId, { providerId: provider, pkce, state, redirectUri, createdAt: Date.now() });
+
+    // Start temp callback server to receive the OAuth redirect
+    try {
+      await startCallbackServer({
+        providerId: provider,
+        port: h.callbackPort,
+        path: h.callbackPath,
+        onCode: async (code, cbState) => {
+          const flow = Array.from(authCodeFlows.values()).find(
+            (f) => f.providerId === provider && f.state === (cbState || state),
+          );
+          if (!flow) throw new Error("Unknown or expired flow");
+          // Remove the flow
+          for (const [id, f] of authCodeFlows) {
+            if (f === flow) { authCodeFlows.delete(id); break; }
+          }
+          const credential = await h.exchangeCode(code, flow.redirectUri, flow.pkce, flow.state);
+          writeCredential(flow.providerId, credential);
+          notifyBridges();
+        },
+      });
+    } catch (err: any) {
+      return reply.code(500).send({ error: err.message });
+    }
+
+    // Open the auth URL in the system browser
+    openInBrowser(authUrl);
+
+    return { flowId, authUrl };
+  });
+
+  // Start device-code flow
+  fastify.post<{ Body: { provider: string; enterpriseDomain?: string } }>(
+    "/api/provider-auth/device-code",
+    async (request, reply) => {
+      pruneFlows();
+      const { provider, enterpriseDomain } = request.body ?? {};
+      const handler = getProviderHandler(provider);
+      if (!handler || handler.flowType !== "device_code") {
+        return reply.code(400).send({ error: `Unknown device-code provider: ${provider}` });
+      }
+      const h = handler as DeviceCodeHandler;
+      try {
+        const dc = await h.requestDeviceCode(enterpriseDomain);
+        const flowId = makeFlowId();
+        deviceCodeFlows.set(flowId, {
+          providerId: provider,
+          deviceCode: dc.deviceCode,
+          interval: dc.interval,
+          expiresIn: dc.expiresIn,
+          extra: dc.extra,
+          status: "pending",
+          createdAt: Date.now(),
+        });
+        // Start polling in background
+        pollDeviceCode(flowId, h).catch(() => {});
+        return {
+          flowId,
+          userCode: dc.userCode,
+          verificationUri: dc.verificationUri,
+          expiresIn: dc.expiresIn,
+          interval: dc.interval,
+        };
+      } catch (err: any) {
+        return reply.code(400).send({ error: err.message });
+      }
+    },
+  );
+
+  // Poll device-code status
+  fastify.get<{ Params: { flowId: string } }>(
+    "/api/provider-auth/device-status/:flowId",
+    async (request, reply) => {
+      const flow = deviceCodeFlows.get(request.params.flowId);
+      if (!flow) return reply.code(404).send({ error: "Unknown flow" });
+      return { status: flow.status, error: flow.error };
+    },
+  );
+
+  // Save API key
+  fastify.put<{ Body: { provider: string; key: string } }>(
+    "/api/provider-auth/api-key",
+    async (request, reply) => {
+      const { provider, key } = request.body ?? {};
+      if (!provider || !key) return reply.code(400).send({ error: "provider and key required" });
+      try {
+        // Resolve the authJsonKey for API key providers (e.g., "anthropic-api" → "anthropic")
+        const authJsonKey = resolveAuthJsonKey(provider);
+        const credential: ApiKeyCredential = { type: "api_key", key };
+        writeCredential(authJsonKey, credential);
+        notifyBridges();
+        return { ok: true };
+      } catch (err: any) {
+        request.log.error(err, "Failed to save API key");
+        return reply.code(500).send({ error: err.message || "Failed to save API key" });
+      }
+    },
+  );
+
+  // Remove credential
+  fastify.delete<{ Params: { provider: string } }>(
+    "/api/provider-auth/:provider",
+    async (request) => {
+      const authJsonKey = resolveAuthJsonKey(request.params.provider);
+      removeCredential(authJsonKey);
+      notifyBridges();
+      return { ok: true };
+    },
+  );
+
+  // ── Device-code background poller ──────────────────────────────────────────
+
+  async function pollDeviceCode(flowId: string, handler: DeviceCodeHandler) {
+    const flow = deviceCodeFlows.get(flowId);
+    if (!flow) return;
+    try {
+      const credential = await handler.pollForToken(
+        flow.deviceCode, flow.interval, flow.expiresIn, flow.extra,
+      );
+      writeCredential(flow.providerId, credential);
+      notifyBridges();
+      flow.status = "complete";
+    } catch (err: any) {
+      flow.status = err.message?.includes("expired") ? "expired" : "error";
+      flow.error = err.message;
+    }
+  }
+}

package/packages/server/src/routes/provider-routes.ts

@@ -0,0 +1,101 @@
+/**
+ * Provider REST API routes: read/write custom LLM providers (~/.pi/agent/providers.json).
+ */
+import type { FastifyInstance } from "fastify";
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, dirname } from "node:path";
+import type { NetworkGuard } from "./route-deps.js";
+
+const REDACTED = "***";
+const CONFIG_PATH = join(homedir(), ".pi", "agent", "providers.json");
+
+interface ProviderEntry {
+  baseUrl: string;
+  apiKey: string;
+  api?: string;
+}
+
+function readProvidersRaw(): Record<string, ProviderEntry> {
+  if (!existsSync(CONFIG_PATH)) return {};
+  try {
+    const raw = JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+    return raw.providers ?? {};
+  } catch {
+    return {};
+  }
+}
+
+function redactProviders(
+  providers: Record<string, ProviderEntry>,
+): Record<string, ProviderEntry> {
+  const redacted: Record<string, ProviderEntry> = {};
+  for (const [name, entry] of Object.entries(providers)) {
+    redacted[name] = {
+      ...entry,
+      apiKey:
+        entry.apiKey && entry.apiKey.startsWith("$")
+          ? entry.apiKey
+          : entry.apiKey
+            ? REDACTED
+            : "",
+    };
+  }
+  return redacted;
+}
+
+export function registerProviderRoutes(fastify: FastifyInstance, deps: { networkGuard: NetworkGuard }): void {
+  const { networkGuard } = deps;
+  fastify.get(
+    "/api/providers",
+    { preHandler: networkGuard },
+    async () => {
+      const providers = readProvidersRaw();
+      return { success: true, providers: redactProviders(providers) };
+    },
+  );
+
+  fastify.put(
+    "/api/providers",
+    { preHandler: networkGuard },
+    async (request, reply) => {
+      const body = request.body as Record<string, any> | null;
+      if (!body || typeof body !== "object" || !body.providers || typeof body.providers !== "object") {
+        return reply.code(400).send({ success: false, error: "Invalid body" });
+      }
+
+      const incoming = body.providers as Record<string, ProviderEntry>;
+      const existing = readProvidersRaw();
+
+      // Merge: preserve redacted apiKey values from existing file
+      const merged: Record<string, ProviderEntry> = {};
+      for (const [name, entry] of Object.entries(incoming)) {
+        merged[name] = {
+          baseUrl: entry.baseUrl,
+          apiKey:
+            entry.apiKey === REDACTED && existing[name]
+              ? existing[name].apiKey
+              : entry.apiKey,
+          api: entry.api,
+        };
+      }
+
+      // Read raw file to preserve any non-providers fields
+      let fileData: Record<string, any> = {};
+      if (existsSync(CONFIG_PATH)) {
+        try {
+          fileData = JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+        } catch {
+          // start fresh
+        }
+      }
+      fileData.providers = merged;
+
+      const dir = dirname(CONFIG_PATH);
+      mkdirSync(dir, { recursive: true });
+      writeFileSync(CONFIG_PATH, JSON.stringify(fileData, null, 2) + "\n", "utf-8");
+
+      return { success: true };
+    },
+  );
+}

package/packages/server/src/routes/route-deps.ts

@@ -0,0 +1,23 @@
+/**
+ * Shared dependency types for route modules.
+ * Each route module receives only the deps it needs.
+ */
+import type { SessionManager } from "../memory-session-manager.js";
+import type { EventStore } from "../memory-event-store.js";
+import type { PreferencesStore } from "../preferences-store.js";
+import type { MetaPersistence } from "../meta-persistence.js";
+import type { DirectoryService } from "../directory-service.js";
+import type { ServerConfig } from "../server.js";
+import type { FastifyRequest, FastifyReply } from "fastify";
+
+export type NetworkGuard = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+
+export interface RouteDeps {
+  sessionManager: SessionManager;
+  eventStore: EventStore;
+  preferencesStore: PreferencesStore;
+  metaPersistence: MetaPersistence;
+  directoryService: DirectoryService;
+  config: ServerConfig;
+  networkGuard: NetworkGuard;
+}

package/packages/server/src/routes/session-routes.ts

@@ -0,0 +1,91 @@
+/**
+ * Session-related REST API routes.
+ */
+import { readFile } from "node:fs/promises";
+import { resolve, relative, isAbsolute } from "node:path";
+import type { FastifyInstance } from "fastify";
+import type { SessionManager } from "../memory-session-manager.js";
+import type { EventStore } from "../memory-event-store.js";
+import type { ApiResponse } from "@blackbelt-technology/pi-dashboard-shared/types.js";
+import type { NetworkGuard } from "./route-deps.js";
+import { extractFileChanges, enrichWithGitDiff } from "../session-diff.js";
+
+export function registerSessionRoutes(
+  fastify: FastifyInstance,
+  deps: {
+    sessionManager: SessionManager;
+    eventStore: EventStore;
+    networkGuard: NetworkGuard;
+  },
+) {
+  const { sessionManager, eventStore, networkGuard } = deps;
+
+  fastify.get("/api/sessions", async () => {
+    const sessions = sessionManager.listAll();
+    return { success: true, data: sessions } satisfies ApiResponse;
+  });
+
+  fastify.get<{ Params: { sessionId: string; seq: string } }>(
+    "/api/events/:sessionId/:seq",
+    async (request) => {
+      const { sessionId, seq } = request.params;
+      const event = eventStore.getEvent(sessionId, parseInt(seq, 10));
+      if (!event) {
+        return { success: false, error: "Event not found" } satisfies ApiResponse;
+      }
+      return { success: true, data: event } satisfies ApiResponse;
+    },
+  );
+
+  // Session file diff endpoint (localhost-only)
+  fastify.get<{ Querystring: { sessionId?: string } }>(
+    "/api/session-diff",
+    { preHandler: networkGuard },
+    async (request) => {
+      const { sessionId } = request.query;
+      if (!sessionId) {
+        return { success: false, error: "sessionId required" } satisfies ApiResponse;
+      }
+      const session = sessionManager.get(sessionId);
+      if (!session) {
+        return { success: false, error: "session not found" } satisfies ApiResponse;
+      }
+      const events = eventStore.getEvents(sessionId, 0).map((e) => e.event);
+      const files = extractFileChanges(events, session.cwd);
+      const { enrichedFiles, isGitRepo: isGit } = enrichWithGitDiff(session.cwd, files);
+      return { success: true, data: { files: enrichedFiles, isGitRepo: isGit } } satisfies ApiResponse;
+    },
+  );
+
+  // Read a file within a session's cwd (localhost-only)
+  fastify.get<{ Querystring: { sessionId?: string; path?: string } }>(
+    "/api/session-file",
+    { preHandler: networkGuard },
+    async (request, reply) => {
+      const { sessionId, path: filePath } = request.query;
+      if (!sessionId || !filePath) {
+        reply.code(400);
+        return { success: false, error: "sessionId and path required" } satisfies ApiResponse;
+      }
+      const session = sessionManager.get(sessionId);
+      if (!session) {
+        reply.code(404);
+        return { success: false, error: "session not found" } satisfies ApiResponse;
+      }
+      // Resolve and ensure path is within cwd
+      const absPath = isAbsolute(filePath) ? filePath : resolve(session.cwd, filePath);
+      const rel = relative(session.cwd, absPath);
+      if (rel.startsWith("..") || isAbsolute(rel)) {
+        reply.code(403);
+        return { success: false, error: "path outside session directory" } satisfies ApiResponse;
+      }
+      try {
+        const content = await readFile(absPath, "utf-8");
+        return { success: true, data: { content } } satisfies ApiResponse;
+      } catch {
+        reply.code(404);
+        return { success: false, error: "file not found" } satisfies ApiResponse;
+      }
+    },
+  );
+}