@cluesmith/codev 2.0.18 → 2.1.0-rc.2

package/dist/agent-farm/servers/tower-routes.js

@@ -31,9 +31,10 @@ import { formatArchitectMessage, formatBuilderMessage } from '../utils/message-f
 import { SendBuffer } from './send-buffer.js';
 import { getKnownWorkspacePaths, getInstances, getDirectorySuggestions, launchInstance, killTerminalWithShellper, stopInstance, } from './tower-instances.js';
 import { OverviewCache } from './overview.js';
+import { computeAnalytics } from './analytics.js';
 import { getAllTasks, executeTask, getTaskId } from './tower-cron.js';
 import { getGlobalDb } from '../db/index.js';
-import { getWorkspaceTerminals, getTerminalManager, getWorkspaceTerminalsEntry, getNextShellId, saveTerminalSession, isSessionPersistent, deleteTerminalSession, removeTerminalFromRegistry, deleteWorkspaceTerminalSessions, saveFileTab, deleteFileTab, getTerminalsForWorkspace, } from './tower-terminals.js';
+import { getWorkspaceTerminals, getTerminalManager, getWorkspaceTerminalsEntry, getNextShellId, saveTerminalSession, isSessionPersistent, deleteTerminalSession, removeTerminalFromRegistry, deleteWorkspaceTerminalSessions, deleteFileTabsForWorkspace, saveFileTab, deleteFileTab, getTerminalsForWorkspace, getTerminalSessionById, getActiveShellLabels, updateTerminalLabel, } from './tower-terminals.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 // Singleton cache for overview endpoint (Spec 0126 Phase 4)
@@ -42,10 +43,10 @@ const overviewCache = new OverviewCache();
 const sendBuffer = new SendBuffer();
 /** Deliver a buffered message to a session (write + broadcast + log). */
 function deliverBufferedMessage(session, msg) {
-    session.write(msg.formattedMessage);
-    if (!msg.noEnter) {
-        session.write('\r');
-    }
+    // Combine message + Enter into a single write for atomic delivery through
+    // the shellper protocol (Bugfix #481: split writes can arrive as separate
+    // DATA frames, allowing the Enter to be lost between frames).
+    session.write(msg.noEnter ? msg.formattedMessage : msg.formattedMessage + '\r');
     broadcastMessage(msg.broadcastPayload);
 }
 /** Start the send buffer flush timer (called from tower-server during init). */
@@ -63,6 +64,7 @@ const ROUTES = {
     'GET /api/terminals': (_req, res) => handleTerminalList(res),
     'GET /api/status': (_req, res) => handleStatus(res),
     'GET /api/overview': (_req, res, url) => handleOverview(res, url),
+    'GET /api/analytics': (_req, res, url) => handleAnalytics(res, url),
     'POST /api/overview/refresh': (_req, res, _url, ctx) => handleOverviewRefresh(res, ctx),
     'GET /api/events': (req, res, _url, ctx) => handleSSEEvents(req, res, ctx),
     'POST /api/notify': (req, res, _url, ctx) => handleNotify(req, res, ctx),
@@ -92,7 +94,7 @@ export async function handleRequest(req, res, ctx) {
         origin.startsWith('https://'))) {
         res.setHeader('Access-Control-Allow-Origin', origin);
     }
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PATCH, DELETE, OPTIONS');
     res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
     res.setHeader('Cache-Control', 'no-store');
     if (req.method === 'OPTIONS') {
@@ -297,7 +299,7 @@ async function handleTerminalCreate(req, res, ctx) {
                     else {
                         entry.shells.set(roleId, session.id);
                     }
-                    saveTerminalSession(session.id, workspacePath, termType, roleId, shellperInfo.pid, shellperInfo.socketPath, shellperInfo.pid, shellperInfo.startTime);
+                    saveTerminalSession(session.id, workspacePath, termType, roleId, shellperInfo.pid, shellperInfo.socketPath, shellperInfo.pid, shellperInfo.startTime, label ?? null, cwd ?? null);
                     ctx.log('INFO', `Registered shellper terminal ${session.id} as ${termType} "${roleId}" for workspace ${workspacePath}`);
                 }
             }
@@ -318,7 +320,7 @@ async function handleTerminalCreate(req, res, ctx) {
                 else {
                     entry.shells.set(roleId, info.id);
                 }
-                saveTerminalSession(info.id, workspacePath, termType, roleId, info.pid);
+                saveTerminalSession(info.id, workspacePath, termType, roleId, info.pid, null, null, null, null, cwd ?? null);
                 ctx.log('WARN', `Terminal ${info.id} for ${workspacePath} is non-persistent (shellper unavailable)`);
             }
         }
@@ -432,6 +434,73 @@ async function handleTerminalRoutes(req, res, url, match) {
         res.end(JSON.stringify(output));
         return;
     }
+    // PATCH /api/terminals/:id/rename - Rename terminal session (Spec 468)
+    if (req.method === 'PATCH' && subpath === '/rename') {
+        try {
+            const body = await parseJsonBody(req);
+            let name = body.name;
+            if (typeof name !== 'string') {
+                res.writeHead(400, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Name must be 1-100 characters' }));
+                return;
+            }
+            // Strip control characters
+            name = name.replace(/[\x00-\x1f\x7f]/g, '');
+            if (name.length === 0 || name.length > 100) {
+                res.writeHead(400, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Name must be 1-100 characters' }));
+                return;
+            }
+            // Two-step ID lookup: direct PtySession ID match, then shellperSessionId match
+            let session = manager.getSession(terminalId);
+            if (!session) {
+                for (const info of manager.listSessions()) {
+                    const candidate = manager.getSession(info.id);
+                    if (candidate?.shellperSessionId === terminalId) {
+                        session = candidate;
+                        break;
+                    }
+                }
+            }
+            if (!session) {
+                res.writeHead(404, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Session not found' }));
+                return;
+            }
+            // Look up terminal_sessions row to check type
+            const dbSession = getTerminalSessionById(session.id);
+            if (!dbSession) {
+                res.writeHead(404, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Session not found' }));
+                return;
+            }
+            if (dbSession.type !== 'shell') {
+                res.writeHead(403, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Cannot rename builder/architect terminals' }));
+                return;
+            }
+            // Dedup: check active shell labels in the same workspace, excluding current session
+            const otherLabels = new Set(getActiveShellLabels(dbSession.workspace_path, session.id));
+            let finalName = name;
+            if (otherLabels.has(name)) {
+                let suffix = 1;
+                while (otherLabels.has(`${name}-${suffix}`)) {
+                    suffix++;
+                }
+                finalName = `${name}-${suffix}`;
+            }
+            // Update SQLite and in-memory
+            updateTerminalLabel(session.id, finalName);
+            session.label = finalName;
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ id: terminalId, name: finalName }));
+        }
+        catch {
+            res.writeHead(400, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Invalid JSON body' }));
+        }
+        return;
+    }
 }
 async function handleStatus(res) {
     const instances = await getInstances();
@@ -473,6 +542,35 @@ function handleOverviewRefresh(res, ctx) {
     res.writeHead(200, { 'Content-Type': 'application/json' });
     res.end(JSON.stringify({ ok: true }));
 }
+async function handleAnalytics(res, url, workspaceOverride) {
+    let workspaceRoot = workspaceOverride || url.searchParams.get('workspace');
+    if (!workspaceRoot) {
+        const knownPaths = getKnownWorkspacePaths();
+        workspaceRoot = knownPaths.find(p => !p.includes('/.builders/')) || null;
+    }
+    // Validate range parameter (before workspace check so fallback uses correct range)
+    const rangeParam = url.searchParams.get('range') ?? '7';
+    if (!['1', '7', '30', 'all'].includes(rangeParam)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Invalid range. Must be 1, 7, 30, or all.' }));
+        return;
+    }
+    const rangeLabel = rangeParam === 'all' ? 'all' : rangeParam === '1' ? '24h' : `${rangeParam}d`;
+    if (!workspaceRoot) {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ timeRange: rangeLabel, github: { prsMerged: 0, avgTimeToMergeHours: null, bugBacklog: 0, nonBugBacklog: 0, issuesClosed: 0, avgTimeToCloseBugsHours: null }, builders: { projectsCompleted: 0, throughputPerWeek: 0, activeBuilders: 0 }, consultation: { totalCount: 0, totalCostUsd: null, costByModel: {}, avgLatencySeconds: null, successRate: null, byModel: [], byReviewType: {}, byProtocol: {}, costByProject: [] } }));
+        return;
+    }
+    const range = rangeParam;
+    const refresh = url.searchParams.get('refresh') === '1';
+    // Get active builder count from workspace terminals
+    const wsTerminals = getWorkspaceTerminals();
+    const entry = wsTerminals.get(normalizeWorkspacePath(workspaceRoot));
+    const activeBuilders = entry?.builders.size ?? 0;
+    const data = await computeAnalytics(workspaceRoot, range, activeBuilders, refresh);
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify(data));
+}
 function handleSSEEvents(req, res, ctx) {
     const clientId = crypto.randomBytes(8).toString('hex');
     res.writeHead(200, {
@@ -602,8 +700,10 @@ async function handleSend(req, res, ctx) {
         await new Promise(resolve => setTimeout(resolve, 100));
     }
     // Check if user is idle — deliver immediately or buffer (Spec 403, Bugfix #450)
-    // Defer when composing (typed but not submitted) OR recently typed (idle threshold)
-    const shouldDefer = !interrupt && (session.composing || !session.isUserIdle(sendBuffer.idleThresholdMs));
+    // Defer only when user has typed recently (within idle threshold).
+    // Bugfix #492: removed session.composing check — composing gets stuck true
+    // after non-Enter keystrokes (Ctrl+C, arrows, Tab), causing 60s delays.
+    const shouldDefer = !interrupt && !session.isUserIdle(sendBuffer.idleThresholdMs);
     if (shouldDefer) {
         // User is actively typing — buffer for deferred delivery
         sendBuffer.enqueue({
@@ -617,11 +717,11 @@ async function handleSend(req, res, ctx) {
         ctx.log('INFO', `Message deferred (user typing): ${from ?? 'unknown'} → ${result.agent} (terminal ${result.terminalId.slice(0, 8)}...)`);
     }
     else {
-        // User is idle (or interrupt) — deliver immediately
-        session.write(formattedMessage);
-        if (!noEnter) {
-            session.write('\r');
-        }
+        // User is idle (or interrupt) — deliver immediately.
+        // Combine message + Enter into a single write for atomic delivery through
+        // the shellper protocol (Bugfix #481: split writes can arrive as separate
+        // DATA frames, allowing the Enter to be lost between frames).
+        session.write(noEnter ? formattedMessage : formattedMessage + '\r');
         broadcastMessage(broadcastPayload);
         ctx.log('INFO', logMessage);
     }
@@ -804,23 +904,10 @@ async function handleWorkspaceRoutes(req, res, ctx, url) {
         await handleTunnelEndpoint(req, res, tunnelSub);
         return;
     }
-    // GET /file?path=<relative-path> — Read workspace file by path
+    // GET /file?path=<relative-path> — Read file by path (allows files outside workspace — see issue #502)
     if (req.method === 'GET' && subPath === 'file' && url.searchParams.has('path')) {
         const relPath = url.searchParams.get('path');
         const fullPath = path.resolve(workspacePath, relPath);
-        // Security: symlink-aware containment check (consistent with POST /tabs/file)
-        let resolvedFilePath;
-        try {
-            resolvedFilePath = fs.realpathSync(fullPath);
-        }
-        catch {
-            resolvedFilePath = path.resolve(fullPath);
-        }
-        if (!resolvedFilePath.startsWith(workspacePath + path.sep) && resolvedFilePath !== workspacePath) {
-            res.writeHead(403, { 'Content-Type': 'text/plain' });
-            res.end('Forbidden');
-            return;
-        }
         try {
             const content = fs.readFileSync(fullPath, 'utf-8');
             res.writeHead(200, { 'Content-Type': 'text/plain; charset=utf-8' });
@@ -972,6 +1059,10 @@ async function handleWorkspaceRoutes(req, res, ctx, url) {
         if (req.method === 'POST' && apiPath === 'overview/refresh') {
             return handleOverviewRefresh(res, ctx);
         }
+        // GET /api/analytics - Dashboard analytics (Spec 456)
+        if (req.method === 'GET' && apiPath === 'analytics') {
+            return handleAnalytics(res, url, workspacePath);
+        }
         // GET /api/events - SSE push notifications (Bugfix #388)
         if (req.method === 'GET' && apiPath === 'events') {
             return handleSSEEvents(req, res, ctx);
@@ -991,7 +1082,7 @@ async function handleWorkspaceRoutes(req, res, ctx, url) {
     // If we get here for non-API, non-WS paths and React dashboard is not available
     if (!ctx.hasReactDashboard) {
         res.writeHead(404, { 'Content-Type': 'text/plain' });
-        res.end('Dashboard not available');
+        res.end('Overview not available');
         return;
     }
     // Fallback for unmatched paths
@@ -1042,11 +1133,12 @@ async function handleWorkspaceState(res, workspacePath) {
         if (session) {
             state.utils.push({
                 id: shellId,
-                name: `Shell ${shellId.replace('shell-', '')}`,
+                name: session.label,
                 port: 0,
                 pid: session.pid || 0,
                 terminalId,
                 persistent: isSessionPersistent(terminalId, session),
+                lastDataAt: session.lastDataAt,
             });
         }
     }
@@ -1096,6 +1188,9 @@ async function handleWorkspaceShellCreate(res, ctx, workspacePath) {
                 // Strip CLAUDECODE so spawned Claude processes don't detect nesting
                 const shellEnv = { ...process.env };
                 delete shellEnv['CLAUDECODE'];
+                // Inject session identity for af rename (Spec 468)
+                shellEnv['SHELLPER_SESSION_ID'] = sessionId;
+                shellEnv['TOWER_PORT'] = String(ctx.port);
                 const client = await shellperManager.createSession({
                     sessionId,
                     command: shellCmd,
@@ -1116,13 +1211,13 @@ async function handleWorkspaceShellCreate(res, ctx, workspacePath) {
                 }
                 const entry = getWorkspaceTerminalsEntry(workspacePath);
                 entry.shells.set(shellId, session.id);
-                saveTerminalSession(session.id, workspacePath, 'shell', shellId, shellperInfo.pid, shellperInfo.socketPath, shellperInfo.pid, shellperInfo.startTime);
+                saveTerminalSession(session.id, workspacePath, 'shell', shellId, shellperInfo.pid, shellperInfo.socketPath, shellperInfo.pid, shellperInfo.startTime, session.label, workspacePath);
                 shellCreated = true;
                 res.writeHead(200, { 'Content-Type': 'application/json' });
                 res.end(JSON.stringify({
                     id: shellId,
                     port: 0,
-                    name: `Shell ${shellId.replace('shell-', '')}`,
+                    name: session.label,
                     terminalId: session.id,
                     persistent: true,
                 }));
@@ -1133,6 +1228,8 @@ async function handleWorkspaceShellCreate(res, ctx, workspacePath) {
         }
         // Fallback: non-persistent session (graceful degradation per plan)
         // Shellper is the only persistence backend for new sessions.
+        // Note: SHELLPER_SESSION_ID is not set for non-persistent sessions since
+        // they don't survive Tower restarts and rename wouldn't persist.
         if (!shellCreated) {
             const session = await manager.createSession({
                 command: shellCmd,
@@ -1143,13 +1240,13 @@ async function handleWorkspaceShellCreate(res, ctx, workspacePath) {
             });
             const entry = getWorkspaceTerminalsEntry(workspacePath);
             entry.shells.set(shellId, session.id);
-            saveTerminalSession(session.id, workspacePath, 'shell', shellId, session.pid);
+            saveTerminalSession(session.id, workspacePath, 'shell', shellId, session.pid, null, null, null, session.label, workspacePath);
             ctx.log('WARN', `Shell ${shellId} for ${workspacePath} is non-persistent (shellper unavailable)`);
             res.writeHead(200, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify({
                 id: shellId,
                 port: 0,
-                name: `Shell ${shellId.replace('shell-', '')}`,
+                name: session.label,
                 terminalId: session.id,
                 persistent: false,
             }));
@@ -1191,35 +1288,18 @@ async function handleWorkspaceFileTabCreate(req, res, ctx, workspacePath) {
         else {
             fullPath = path.join(workspacePath, filePath);
         }
-        // Security: symlink-aware containment check
-        // For non-existent files, resolve the parent directory to handle
-        // intermediate symlinks (e.g., /tmp -> /private/tmp on macOS).
-        let resolvedPath;
+        // Resolve symlinks for canonical path (but allow files outside workspace — see issue #502)
         try {
-            resolvedPath = fs.realpathSync(fullPath);
+            fullPath = fs.realpathSync(fullPath);
         }
         catch {
             try {
-                resolvedPath = path.join(fs.realpathSync(path.dirname(fullPath)), path.basename(fullPath));
+                fullPath = path.join(fs.realpathSync(path.dirname(fullPath)), path.basename(fullPath));
             }
             catch {
-                resolvedPath = path.resolve(fullPath);
+                fullPath = path.resolve(fullPath);
             }
         }
-        let normalizedWorkspace;
-        try {
-            normalizedWorkspace = fs.realpathSync(workspacePath);
-        }
-        catch {
-            normalizedWorkspace = path.resolve(workspacePath);
-        }
-        const isWithinWorkspace = resolvedPath.startsWith(normalizedWorkspace + path.sep)
-            || resolvedPath === normalizedWorkspace;
-        if (!isWithinWorkspace) {
-            res.writeHead(403, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Path outside workspace' }));
-            return;
-        }
         // Non-existent files still create a tab (spec 0101: file viewer shows "File not found")
         const fileExists = fs.existsSync(fullPath);
         const entry = getWorkspaceTerminalsEntry(workspacePath);
@@ -1349,17 +1429,12 @@ async function handleWorkspaceTabDelete(res, ctx, workspacePath, tabId) {
     const manager = getTerminalManager();
     // Check if it's a file tab first (Spec 0092, write-through: in-memory + SQLite)
     if (tabId.startsWith('file-')) {
-        if (entry.fileTabs.has(tabId)) {
-            entry.fileTabs.delete(tabId);
-            deleteFileTab(tabId);
-            ctx.log('INFO', `Deleted file tab: ${tabId}`);
-            res.writeHead(204);
-            res.end();
-        }
-        else {
-            res.writeHead(404, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'File tab not found' }));
-        }
+        // Bugfix #474: Always attempt DB deletion even if not in memory (stale tab recovery)
+        entry.fileTabs.delete(tabId);
+        deleteFileTab(tabId);
+        ctx.log('INFO', `Deleted file tab: ${tabId}`);
+        res.writeHead(204);
+        res.end();
         return;
     }
     // Find and delete the terminal
@@ -1412,6 +1487,8 @@ async function handleWorkspaceStopAll(res, workspacePath) {
     getWorkspaceTerminals().delete(workspacePath);
     // TICK-001: Delete all terminal sessions from SQLite
     deleteWorkspaceTerminalSessions(workspacePath);
+    // Bugfix #474: Delete all file tabs for this workspace
+    deleteFileTabsForWorkspace(workspacePath);
     res.writeHead(200, { 'Content-Type': 'application/json' });
     res.end(JSON.stringify({ ok: true }));
 }