@ijfw/memory-server 1.3.0 → 1.4.1

package/src/dashboard-server.js

@@ -20,6 +20,8 @@ import { computeValueDelivered } from './cost/savings.js';
 import { listMemoryFiles, listKnownProjects } from './memory/reader.js';
 import { searchMemory } from './memory/search.js';
 import { buildRecallCounts, mergeRecallCounts, topRecalled } from './memory/recall-counter.js';
+import { PLACEHOLDER_HTML } from './design-companion.js';
+import { listExtensions } from './extension-installer.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 // REPO_ROOT: IJFW_PROJECT_ROOT override > user's interactive shell cwd (PWD) > process.cwd() fallback.
@@ -132,6 +134,24 @@ const PORT_WALK_MAX    = 10;  // walk up to 37891+PORT_WALK_MAX (37900)
 const BACKFILL_DEFAULT = 200;
 const BACKFILL_CAP     = 50;  // max observations sent on fresh connect (W4.6)
 
+const DESIGN_LIVE_RELOAD_SCRIPT = `
+<script>
+(function(){
+  if (window.__ijfwDesignLiveReload) return;
+  window.__ijfwDesignLiveReload = true;
+  try {
+    var events = new EventSource('/design/stream');
+    events.addEventListener('reload', function(){ window.location.reload(); });
+  } catch (_) {}
+})();
+</script>`;
+
+function injectDesignLiveReload(html) {
+  if (typeof html !== 'string' || html.includes('__ijfwDesignLiveReload')) return html;
+  if (/<\/body>/i.test(html)) return html.replace(/<\/body>/i, DESIGN_LIVE_RELOAD_SCRIPT + '\n</body>');
+  return html + DESIGN_LIVE_RELOAD_SCRIPT;
+}
+
 // ---------- integer param validator ----------
 // Rejects numeric-prefix garbage like "10xyz" that parseInt accepts (W9-M2).
 // Returns null on invalid input; caller should respond with 400.
@@ -668,6 +688,278 @@ export async function startServer(options = {}) {
       res.end(JSON.stringify(config));
     }],
 
+    // ---------- extensions: installed (B9) ----------
+    // Enumerate ~/.ijfw/state-org/extension-registry.json,
+    // ~/.ijfw/state-user/extension-registry.json, and project-scope registry.
+    // Returns JSON list with name, scope, version, publisher_keyId, permissions,
+    // last_activated_time. Path-traversal defence: resolve + assert under HOME.
+    ['/api/extensions/installed', async (req, res) => {
+      try {
+        const home = homedir();
+        // realpath both sides — on macOS /var/folders -> /private/var/folders is a symlink,
+        // so the registry's realpathed path won't show as under un-realpathed HOME.
+        let homeCanon;
+        try { homeCanon = realpathSync(home); } catch { homeCanon = home; }
+        function isUnderHome(p) {
+          try {
+            const canon = realpathSync(p);
+            const rel = relative(homeCanon, canon);
+            return rel !== '' && !rel.startsWith('..') && !isAbsolute(rel);
+          } catch { return false; }
+        }
+
+        const REGISTRY_FILENAME = 'extension-registry.json';
+        const registryPaths = [
+          { scope: 'org',  path: join(home, '.ijfw', 'state-org',  REGISTRY_FILENAME) },
+          { scope: 'user', path: join(home, '.ijfw', 'state-user', REGISTRY_FILENAME) },
+          { scope: 'project', path: join(REPO_ROOT, '.ijfw', 'state', REGISTRY_FILENAME) },
+        ];
+
+        const seen = new Map();
+        for (const { scope, path: regPath } of registryPaths) {
+          // Path-traversal check on each registry path.
+          const resolvedReg = resolve(regPath);
+          const underHome = isUnderHome(resolvedReg) ||
+            resolvedReg.startsWith(resolve(REPO_ROOT));
+          if (!underHome) continue;
+          if (!existsSync(resolvedReg)) continue;
+          let registry;
+          try {
+            const raw = readFileSync(resolvedReg, 'utf8');
+            const parsed = JSON.parse(raw);
+            registry = Array.isArray(parsed.extensions) ? parsed.extensions : [];
+          } catch { continue; }
+
+          for (const e of registry) {
+            if (!e || !e.name || !e.version) continue;
+            const key = `${e.name}@${e.version}`;
+            if (seen.has(key)) continue;
+            const manifest = (e.manifest && typeof e.manifest === 'object') ? e.manifest : null;
+            seen.set(key, {
+              name: e.name,
+              scope,
+              version: e.version,
+              publisher_keyId: manifest ? (manifest.publisher_keyId || null) : null,
+              permissions: manifest ? (manifest.permissions || null) : null,
+              last_activated_time: e.last_activated_time || null,
+            });
+          }
+        }
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ extensions: Array.from(seen.values()) }));
+      } catch (err) {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ extensions: [], error: err.message }));
+      }
+    }],
+
+    // ---------- extensions: active (B9) ----------
+    ['/api/extensions/active', async (req, res) => {
+      try {
+        const home = homedir();
+        const activePath = join(home, '.ijfw', 'state', 'active-extension.json');
+        const resolvedActive = resolve(activePath);
+        // Return {active:null} BEFORE realpath — realpathSync throws on non-existent paths.
+        if (!existsSync(resolvedActive)) {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ active: null }));
+          return;
+        }
+        // Path-traversal: realpath BOTH home and target so macOS /private symlinks
+        // (e.g. /var/folders -> /private/var/folders) resolve correctly AND symlinks
+        // pointing outside HOME are rejected.
+        let homeCanon;
+        try { homeCanon = realpathSync(home); } catch { homeCanon = home; }
+        let activeCanon;
+        try {
+          activeCanon = realpathSync(resolvedActive);
+        } catch {
+          res.writeHead(403, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'path traversal rejected' }));
+          return;
+        }
+        const rel = relative(homeCanon, activeCanon);
+        if (rel.startsWith('..') || isAbsolute(rel)) {
+          res.writeHead(403, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'path traversal rejected' }));
+          return;
+        }
+        const raw = readFileSync(activeCanon, 'utf8');
+        const parsed = JSON.parse(raw);
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ active: parsed }));
+      } catch (err) {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ active: null, error: err.message }));
+      }
+    }],
+
+    // ---------- extensions: events (B9) ----------
+    // Tail-streams ~/.ijfw/state/permission-events.jsonl with optional filters.
+    // Allowlisted query params: limit, extension, tool, denied.
+    // SSE mode: Accept: text/event-stream. JSON array otherwise.
+    // Never reads full file into memory: streams line-by-line.
+    ['/api/extensions/events', async (req, res, url) => {
+      const ALLOWED_FILTER_KEYS = new Set(['limit', 'extension', 'tool', 'denied']);
+      // Reject any non-allowlisted filter key.
+      for (const key of url.searchParams.keys()) {
+        if (!ALLOWED_FILTER_KEYS.has(key)) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: `unknown filter parameter: ${key}` }));
+          return;
+        }
+      }
+
+      const home = homedir();
+      const eventsPath = join(home, '.ijfw', 'state', 'permission-events.jsonl');
+
+      const rawLimit = url.searchParams.get('limit');
+      let limit = 200;
+      if (rawLimit !== null) {
+        const n = safeIntegerParam(rawLimit, 10_000);
+        if (n === null) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'invalid limit' }));
+          return;
+        }
+        limit = n;
+      }
+      const filterExtension = url.searchParams.get('extension') || null;
+      const filterTool      = url.searchParams.get('tool') || null;
+      const filterDenied    = url.searchParams.has('denied')
+        ? (url.searchParams.get('denied') !== 'false')
+        : null;
+
+      // Stream-tail: read only the last TAIL_CHUNK bytes, never slurp the full file.
+      // For permission-events.jsonl which rotates at 10_000 lines, 2MB covers
+      // many thousands of events without loading the entire file into memory.
+      const TAIL_CHUNK = 2 * 1024 * 1024; // 2MB
+      function tailEvents() {
+        if (!existsSync(eventsPath)) return [];
+        let st;
+        try { st = statSync(eventsPath); } catch { return []; }
+        if (st.size === 0) return [];
+        let lines = [];
+        try {
+          const fullBuf = readFileSync(eventsPath);
+          const slice = fullBuf.subarray(Math.max(0, fullBuf.length - TAIL_CHUNK));
+          const text = slice.toString('utf8');
+          lines = text.split('\n').filter(Boolean);
+          // If we sliced mid-line, the first element may be truncated — drop it.
+          if (fullBuf.length > TAIL_CHUNK) lines = lines.slice(1);
+        } catch { return []; }
+
+        const results = [];
+        for (let i = lines.length - 1; i >= 0 && results.length < limit; i--) {
+          let obj;
+          try { obj = JSON.parse(lines[i]); } catch { continue; }
+          if (filterExtension !== null && obj.extension !== filterExtension) continue;
+          if (filterTool !== null && obj.tool !== filterTool) continue;
+          if (filterDenied !== null && Boolean(!obj.allowed) !== filterDenied) continue;
+          results.unshift(obj);
+        }
+        return results;
+      }
+
+      const isSSE = (req.headers['accept'] || '').includes('text/event-stream');
+      if (isSSE) {
+        res.writeHead(200, {
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
+          'Connection': 'keep-alive',
+          'X-Accel-Buffering': 'no',
+        });
+        res.write(': connected\n\n');
+        // Send current tail as initial batch.
+        const initial = tailEvents();
+        for (const evt of initial) {
+          try { res.write(`data: ${JSON.stringify(evt)}\n\n`); } catch { break; }
+        }
+        // Watch for new events. lastLineCount must match what the watcher
+        // measures (tail-chunk lines), NOT the limited initial batch length —
+        // mismatching them causes a replay storm when the file is bigger than
+        // the limit.
+        let evtWatcher = null;
+        let lastLineCount = 0;
+        try {
+          const buf0 = readFileSync(eventsPath);
+          const slice0 = buf0.subarray(Math.max(0, buf0.length - TAIL_CHUNK));
+          let lines0 = slice0.toString('utf8').split('\n').filter(Boolean);
+          if (buf0.length > TAIL_CHUNK) lines0 = lines0.slice(1);
+          lastLineCount = lines0.length;
+        } catch { /* eventsPath missing or unreadable — start from 0 */ }
+        try {
+          evtWatcher = watch(existsSync(eventsPath) ? eventsPath : join(home, '.ijfw', 'state'), () => {
+            if (!existsSync(eventsPath)) return;
+            try {
+              // Use the tail-chunk reader (bounded read) rather than slurping the
+              // full file. At 10K lines × ~1-2KB each = 10-20MB sync read per watch
+              // event, which is unacceptable for a long-lived SSE connection.
+              try { statSync(eventsPath); } catch { return; }
+              const buf = (() => {
+                try { return readFileSync(eventsPath); } catch { return null; }
+              })();
+              if (!buf) return;
+              const slice = buf.subarray(Math.max(0, buf.length - TAIL_CHUNK));
+              const text = slice.toString('utf8');
+              let lines = text.split('\n').filter(Boolean);
+              if (buf.length > TAIL_CHUNK) lines = lines.slice(1);
+              if (lines.length > lastLineCount) {
+                const newLines = lines.slice(lastLineCount);
+                lastLineCount = lines.length;
+                for (const line of newLines) {
+                  let obj; try { obj = JSON.parse(line); } catch { continue; }
+                  if (filterExtension !== null && obj.extension !== filterExtension) continue;
+                  if (filterTool !== null && obj.tool !== filterTool) continue;
+                  if (filterDenied !== null && Boolean(!obj.allowed) !== filterDenied) continue;
+                  try { res.write(`data: ${JSON.stringify(obj)}\n\n`); } catch {}
+                }
+              }
+            } catch {}
+          });
+          if (evtWatcher) evtWatcher.on('error', () => {});
+        } catch {}
+        req.on('close', () => {
+          if (evtWatcher) { try { evtWatcher.close(); } catch {} }
+        });
+        return;
+      }
+
+      // JSON array response.
+      const events = tailEvents();
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(events));
+    }],
+
+    // ---------- extensions health (W3/t15) ----------
+    // Reads .ijfw/state/extension-registry.json (project) plus org/user via
+    // listExtensions(). Missing or malformed registry yields {extensions: []}
+    // (day-1 protection). ENOENT and JSON.parse errors are swallowed inside
+    // readRegistry(); this handler adds an outer try/catch as a final safety
+    // net so a malformed registry can never crash the dashboard.
+    ['/api/extensions/health', async (req, res) => {
+      try {
+        const extensions = await listExtensions(REPO_ROOT);
+        // Strip embedded manifest blobs -- the dashboard only needs the
+        // status summary fields, not the full manifest.
+        const out = (Array.isArray(extensions) ? extensions : []).map((e) => ({
+          name: e.name,
+          version: e.version,
+          scope: e.scope,
+          installed_at: e.installed_at || null,
+          status: e.status || 'stale',
+          last_trident_verdict: e.last_trident_verdict ?? null,
+        }));
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ extensions: out }));
+      } catch (err) {
+        // ENOENT / missing / malformed -> 200 with empty list (day-1).
+        process.stderr.write(`[ijfw-mcp] /api/extensions/health: ${err && err.message ? err.message : err}\n`);
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ extensions: [], error: 'malformed registry' }));
+      }
+    }],
+
     ['/api/value-delivered', (req, res, url) => {
       try {
         const platform   = url.searchParams.get('platform') || 'claude';
@@ -699,6 +991,29 @@ export async function startServer(options = {}) {
     }],
 
     // ---------- design companion ----------
+    [/^\/design\/files\/[^/]+\.html$/, async (req, res, url) => {
+      const contentDir = join(homedir(), '.ijfw', 'design-companion', 'content');
+      mkdirSync(contentDir, { recursive: true });
+      const name = url.pathname.split('/').pop();
+      const filePath = join(contentDir, name);
+      let html = null;
+      try {
+        if (existsSync(filePath)) html = readFileSync(filePath, 'utf8');
+      } catch {}
+      if (!html) {
+        res.writeHead(404, { 'Content-Type': 'text/plain' });
+        res.end('404 Not Found');
+        return;
+      }
+      html = injectDesignLiveReload(html);
+      res.writeHead(200, {
+        'Content-Type': 'text/html; charset=utf-8',
+        'Cache-Control': 'no-store',
+        'Content-Security-Policy': "default-src 'self' https: data:; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' data: https:; connect-src 'self'",
+      });
+      res.end(html);
+    }],
+
     ['/design', async (req, res) => {
       const contentDir = join(homedir(), '.ijfw', 'design-companion', 'content');
       mkdirSync(contentDir, { recursive: true });
@@ -714,12 +1029,13 @@ export async function startServer(options = {}) {
         }
       } catch {}
       if (!html) {
-        html = `<!doctype html><html><body><pre>Design companion active. Push a design with: ijfw design push file.html</pre></body></html>`;
+        html = PLACEHOLDER_HTML;
       }
+      html = injectDesignLiveReload(html);
       res.writeHead(200, {
         'Content-Type': 'text/html; charset=utf-8',
         'Cache-Control': 'no-store',
-        'Content-Security-Policy': "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'",
+        'Content-Security-Policy': "default-src 'self' https: data:; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' data: https:; connect-src 'self'",
       });
       res.end(html);
     }],