npm - @intranefr/superbackend - Versions diffs - 1.4.4 → 1.5.1 - Mend

@intranefr/superbackend 1.4.4 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/.env.example +5 -0
package/README.md +11 -0
package/index.js +39 -1
package/package.json +11 -3
package/public/sdk/ui-components.iife.js +191 -0
package/sdk/ui-components/browser/src/index.js +228 -0
package/src/admin/endpointRegistry.js +120 -0
package/src/controllers/admin.controller.js +111 -5
package/src/controllers/adminBlockDefinitions.controller.js +127 -0
package/src/controllers/adminBlockDefinitionsAi.controller.js +54 -0
package/src/controllers/adminCache.controller.js +342 -0
package/src/controllers/adminContextBlockDefinitions.controller.js +141 -0
package/src/controllers/adminCrons.controller.js +388 -0
package/src/controllers/adminDbBrowser.controller.js +124 -0
package/src/controllers/adminEjsVirtual.controller.js +13 -3
package/src/controllers/adminHeadless.controller.js +91 -2
package/src/controllers/adminHealthChecks.controller.js +570 -0
package/src/controllers/adminI18n.controller.js +51 -29
package/src/controllers/adminLlm.controller.js +126 -2
package/src/controllers/adminPages.controller.js +720 -0
package/src/controllers/adminPagesContextBlocksAi.controller.js +54 -0
package/src/controllers/adminProxy.controller.js +113 -0
package/src/controllers/adminRateLimits.controller.js +138 -0
package/src/controllers/adminRbac.controller.js +803 -0
package/src/controllers/adminScripts.controller.js +320 -0
package/src/controllers/adminSeoConfig.controller.js +71 -48
package/src/controllers/adminTerminals.controller.js +39 -0
package/src/controllers/adminUiComponents.controller.js +315 -0
package/src/controllers/adminUiComponentsAi.controller.js +34 -0
package/src/controllers/blogAdmin.controller.js +279 -0
package/src/controllers/blogAiAdmin.controller.js +224 -0
package/src/controllers/blogAutomationAdmin.controller.js +141 -0
package/src/controllers/blogInternal.controller.js +26 -0
package/src/controllers/blogPublic.controller.js +89 -0
package/src/controllers/fileManager.controller.js +190 -0
package/src/controllers/fileManagerStoragePolicy.controller.js +23 -0
package/src/controllers/healthChecksPublic.controller.js +196 -0
package/src/controllers/metrics.controller.js +64 -4
package/src/controllers/orgAdmin.controller.js +366 -0
package/src/controllers/uiComponentsPublic.controller.js +118 -0
package/src/middleware/auth.js +7 -0
package/src/middleware/internalCronAuth.js +29 -0
package/src/middleware/rbac.js +62 -0
package/src/middleware.js +879 -56
package/src/models/BlockDefinition.js +27 -0
package/src/models/BlogAutomationLock.js +14 -0
package/src/models/BlogAutomationRun.js +39 -0
package/src/models/BlogPost.js +42 -0
package/src/models/CacheEntry.js +26 -0
package/src/models/ConsoleEntry.js +32 -0
package/src/models/ConsoleLog.js +23 -0
package/src/models/ContextBlockDefinition.js +33 -0
package/src/models/CronExecution.js +47 -0
package/src/models/CronJob.js +70 -0
package/src/models/ExternalDbConnection.js +49 -0
package/src/models/FileEntry.js +22 -0
package/src/models/HeadlessModelDefinition.js +10 -0
package/src/models/HealthAutoHealAttempt.js +57 -0
package/src/models/HealthCheck.js +132 -0
package/src/models/HealthCheckRun.js +51 -0
package/src/models/HealthIncident.js +49 -0
package/src/models/Page.js +95 -0
package/src/models/PageCollection.js +42 -0
package/src/models/ProxyEntry.js +66 -0
package/src/models/RateLimitCounter.js +19 -0
package/src/models/RateLimitMetricBucket.js +20 -0
package/src/models/RbacGrant.js +25 -0
package/src/models/RbacGroup.js +16 -0
package/src/models/RbacGroupMember.js +13 -0
package/src/models/RbacGroupRole.js +13 -0
package/src/models/RbacRole.js +25 -0
package/src/models/RbacUserRole.js +13 -0
package/src/models/ScriptDefinition.js +42 -0
package/src/models/ScriptRun.js +22 -0
package/src/models/UiComponent.js +29 -0
package/src/models/UiComponentProject.js +26 -0
package/src/models/UiComponentProjectComponent.js +18 -0
package/src/routes/admin.routes.js +1 -0
package/src/routes/adminBlog.routes.js +21 -0
package/src/routes/adminBlogAi.routes.js +16 -0
package/src/routes/adminBlogAutomation.routes.js +27 -0
package/src/routes/adminCache.routes.js +20 -0
package/src/routes/adminConsoleManager.routes.js +302 -0
package/src/routes/adminCrons.routes.js +25 -0
package/src/routes/adminDbBrowser.routes.js +65 -0
package/src/routes/adminEjsVirtual.routes.js +2 -1
package/src/routes/adminHeadless.routes.js +8 -1
package/src/routes/adminHealthChecks.routes.js +28 -0
package/src/routes/adminI18n.routes.js +4 -3
package/src/routes/adminLlm.routes.js +4 -2
package/src/routes/adminPages.routes.js +55 -0
package/src/routes/adminProxy.routes.js +15 -0
package/src/routes/adminRateLimits.routes.js +17 -0
package/src/routes/adminRbac.routes.js +38 -0
package/src/routes/adminScripts.routes.js +21 -0
package/src/routes/adminSeoConfig.routes.js +5 -4
package/src/routes/adminTerminals.routes.js +13 -0
package/src/routes/adminUiComponents.routes.js +30 -0
package/src/routes/blogInternal.routes.js +14 -0
package/src/routes/blogPublic.routes.js +9 -0
package/src/routes/fileManager.routes.js +62 -0
package/src/routes/fileManagerStoragePolicy.routes.js +9 -0
package/src/routes/healthChecksPublic.routes.js +9 -0
package/src/routes/log.routes.js +43 -60
package/src/routes/metrics.routes.js +4 -2
package/src/routes/orgAdmin.routes.js +6 -0
package/src/routes/pages.routes.js +123 -0
package/src/routes/proxy.routes.js +46 -0
package/src/routes/rbac.routes.js +47 -0
package/src/routes/uiComponentsPublic.routes.js +9 -0
package/src/routes/webhook.routes.js +2 -1
package/src/routes/workflows.routes.js +4 -0
package/src/services/blockDefinitionsAi.service.js +247 -0
package/src/services/blog.service.js +99 -0
package/src/services/blogAutomation.service.js +978 -0
package/src/services/blogCronsBootstrap.service.js +184 -0
package/src/services/blogPublishing.service.js +58 -0
package/src/services/cacheLayer.service.js +696 -0
package/src/services/consoleManager.service.js +700 -0
package/src/services/consoleOverride.service.js +6 -1
package/src/services/cronScheduler.service.js +350 -0
package/src/services/dbBrowser.service.js +536 -0
package/src/services/ejsVirtual.service.js +102 -32
package/src/services/fileManager.service.js +475 -0
package/src/services/fileManagerStoragePolicy.service.js +285 -0
package/src/services/headlessExternalModels.service.js +292 -0
package/src/services/headlessModels.service.js +26 -6
package/src/services/healthChecks.service.js +650 -0
package/src/services/healthChecksBootstrap.service.js +109 -0
package/src/services/healthChecksScheduler.service.js +106 -0
package/src/services/llmDefaults.service.js +190 -0
package/src/services/migrationAssets/s3.js +2 -2
package/src/services/pages.service.js +602 -0
package/src/services/pagesContext.service.js +331 -0
package/src/services/pagesContextBlocksAi.service.js +349 -0
package/src/services/proxy.service.js +535 -0
package/src/services/rateLimiter.service.js +623 -0
package/src/services/rbac.service.js +212 -0
package/src/services/scriptsRunner.service.js +259 -0
package/src/services/terminals.service.js +152 -0
package/src/services/terminalsWs.service.js +100 -0
package/src/services/uiComponentsAi.service.js +299 -0
package/src/services/uiComponentsCrypto.service.js +39 -0
package/src/services/workflow.service.js +23 -8
package/src/utils/orgRoles.js +14 -0
package/src/utils/rbac/engine.js +60 -0
package/src/utils/rbac/rightsRegistry.js +29 -0
package/views/admin-blog-automation.ejs +877 -0
package/views/admin-blog-edit.ejs +542 -0
package/views/admin-blog.ejs +399 -0
package/views/admin-cache.ejs +681 -0
package/views/admin-console-manager.ejs +680 -0
package/views/admin-crons.ejs +645 -0
package/views/admin-db-browser.ejs +445 -0
package/views/admin-ejs-virtual.ejs +16 -10
package/views/admin-file-manager.ejs +942 -0
package/views/admin-headless.ejs +294 -24
package/views/admin-health-checks.ejs +725 -0
package/views/admin-i18n.ejs +59 -5
package/views/admin-llm.ejs +99 -1
package/views/admin-organizations.ejs +528 -10
package/views/admin-pages.ejs +2424 -0
package/views/admin-proxy.ejs +491 -0
package/views/admin-rate-limiter.ejs +625 -0
package/views/admin-rbac.ejs +1331 -0
package/views/admin-scripts.ejs +497 -0
package/views/admin-seo-config.ejs +61 -7
package/views/admin-terminals.ejs +328 -0
package/views/admin-ui-components.ejs +741 -0
package/views/admin-users.ejs +261 -4
package/views/admin-workflows.ejs +7 -7
package/views/file-manager.ejs +866 -0
package/views/pages/blocks/contact.ejs +27 -0
package/views/pages/blocks/cta.ejs +18 -0
package/views/pages/blocks/faq.ejs +20 -0
package/views/pages/blocks/features.ejs +19 -0
package/views/pages/blocks/hero.ejs +13 -0
package/views/pages/blocks/html.ejs +5 -0
package/views/pages/blocks/image.ejs +14 -0
package/views/pages/blocks/testimonials.ejs +26 -0
package/views/pages/blocks/text.ejs +10 -0
package/views/pages/layouts/default.ejs +51 -0
package/views/pages/layouts/minimal.ejs +42 -0
package/views/pages/layouts/sidebar.ejs +54 -0
package/views/pages/partials/footer.ejs +13 -0
package/views/pages/partials/header.ejs +12 -0
package/views/pages/partials/sidebar.ejs +8 -0
package/views/pages/runtime/page.ejs +10 -0
package/views/pages/templates/article.ejs +20 -0
package/views/pages/templates/default.ejs +12 -0
package/views/pages/templates/landing.ejs +14 -0
package/views/pages/templates/listing.ejs +15 -0
package/views/partials/admin-image-upload-modal.ejs +221 -0
package/views/partials/dashboard/nav-items.ejs +14 -0
package/views/partials/llm-provider-model-picker.ejs +183 -0

package/src/services/rbac.service.js ADDED Viewed

@@ -0,0 +1,212 @@
+const mongoose = require('mongoose');
+const OrganizationMember = require('../models/OrganizationMember');
+const RbacUserRole = require('../models/RbacUserRole');
+const RbacGroup = require('../models/RbacGroup');
+const RbacGroupMember = require('../models/RbacGroupMember');
+const RbacGroupRole = require('../models/RbacGroupRole');
+const RbacGrant = require('../models/RbacGrant');
+const { matches } = require('../utils/rbac/engine');
+function normalizeId(input) {
+  if (!input) return null;
+  const str = String(input);
+  if (!mongoose.Types.ObjectId.isValid(str)) return null;
+  return new mongoose.Types.ObjectId(str);
+}
+function normalizeRight(input) {
+  return String(input || '').trim();
+}
+function buildExplainItem(grant, source) {
+  if (!grant) return null;
+  return {
+    source,
+    effect: grant.effect,
+    right: grant.right,
+    subjectType: grant.subjectType,
+    subjectId: String(grant.subjectId),
+    scopeType: grant.scopeType,
+    scopeId: grant.scopeId ? String(grant.scopeId) : null,
+    id: String(grant._id),
+  };
+}
+function extractMatches(grants, requiredRight) {
+  const denies = [];
+  const allows = [];
+  for (const g of grants || []) {
+    if (!g) continue;
+    if (!matches(requiredRight, g.right)) continue;
+    if (g.effect === 'deny') {
+      denies.push(g);
+    } else {
+      allows.push(g);
+    }
+  }
+  return { denies, allows };
+}
+async function getUserOrgIds(userId) {
+  const uid = normalizeId(userId);
+  if (!uid) return [];
+  const rows = await OrganizationMember.find({ userId: uid, status: 'active' }).select('orgId').lean();
+  return rows.map((r) => String(r.orgId));
+}
+async function getEffectiveGrants({ userId, orgId }) {
+  const uid = normalizeId(userId);
+  const oid = normalizeId(orgId);
+  if (!uid || !oid) {
+    return {
+      grants: [],
+      layers: { org: [], group: [], role: [], user: [] },
+      explain: [],
+      context: { roles: [], groups: [] },
+      orgMember: null,
+    };
+  }
+  const orgMember = await OrganizationMember.findOne({ userId: uid, orgId: oid, status: 'active' }).lean();
+  if (!orgMember) {
+    return {
+      grants: [],
+      layers: { org: [], group: [], role: [], user: [] },
+      explain: [],
+      context: { roles: [], groups: [] },
+      orgMember: null,
+    };
+  }
+  const [userRoleLinks, groupLinks, orgGrantsGlobal, orgGrantsOrg] = await Promise.all([
+    RbacUserRole.find({ userId: uid }).select('roleId').lean(),
+    RbacGroupMember.find({ userId: uid }).select('groupId').lean(),
+    RbacGrant.find({ subjectType: 'org', subjectId: oid, scopeType: 'global' }).lean(),
+    RbacGrant.find({ subjectType: 'org', subjectId: oid, scopeType: 'org', scopeId: oid }).lean(),
+  ]);
+  const directRoleIds = userRoleLinks.map((r) => r.roleId).filter(Boolean);
+  const groupIds = groupLinks.map((g) => g.groupId).filter(Boolean);
+  const groups = groupIds.length
+    ? await RbacGroup.find({ _id: { $in: groupIds }, status: 'active' }).select('_id isGlobal orgId').lean()
+    : [];
+  const allowedGroupIds = [];
+  for (const g of groups) {
+    if (g.isGlobal) {
+      allowedGroupIds.push(g._id);
+      continue;
+    }
+    if (g.orgId && String(g.orgId) === String(oid)) {
+      allowedGroupIds.push(g._id);
+    }
+  }
+  const groupRoleLinks = allowedGroupIds.length
+    ? await RbacGroupRole.find({ groupId: { $in: allowedGroupIds } }).select('groupId roleId').lean()
+    : [];
+  const groupRoleIds = groupRoleLinks.map((l) => l.roleId).filter(Boolean);
+  const effectiveRoleIds = Array.from(new Set([...directRoleIds, ...groupRoleIds]));
+  const [userGrantsGlobal, userGrantsOrg, roleGrantsGlobal, roleGrantsOrg, groupGrantsGlobal, groupGrantsOrg] = await Promise.all([
+    RbacGrant.find({ subjectType: 'user', subjectId: uid, scopeType: 'global' }).lean(),
+    RbacGrant.find({ subjectType: 'user', subjectId: uid, scopeType: 'org', scopeId: oid }).lean(),
+    effectiveRoleIds.length ? RbacGrant.find({ subjectType: 'role', subjectId: { $in: effectiveRoleIds }, scopeType: 'global' }).lean() : [],
+    effectiveRoleIds.length ? RbacGrant.find({ subjectType: 'role', subjectId: { $in: effectiveRoleIds }, scopeType: 'org', scopeId: oid }).lean() : [],
+    allowedGroupIds.length ? RbacGrant.find({ subjectType: 'group', subjectId: { $in: allowedGroupIds }, scopeType: 'global' }).lean() : [],
+    allowedGroupIds.length ? RbacGrant.find({ subjectType: 'group', subjectId: { $in: allowedGroupIds }, scopeType: 'org', scopeId: oid }).lean() : [],
+  ]);
+  const layers = {
+    org: [...orgGrantsGlobal, ...orgGrantsOrg],
+    group: [...groupGrantsGlobal, ...groupGrantsOrg],
+    role: [...roleGrantsGlobal, ...roleGrantsOrg],
+    user: [...userGrantsGlobal, ...userGrantsOrg],
+  };
+  const all = [...layers.org, ...layers.group, ...layers.role, ...layers.user];
+  const explain = [];
+  for (const g of userGrantsGlobal) explain.push(buildExplainItem(g, 'user:global'));
+  for (const g of userGrantsOrg) explain.push(buildExplainItem(g, 'user:org'));
+  for (const g of roleGrantsGlobal) explain.push(buildExplainItem(g, 'role:global'));
+  for (const g of roleGrantsOrg) explain.push(buildExplainItem(g, 'role:org'));
+  for (const g of groupGrantsGlobal) explain.push(buildExplainItem(g, 'group:global'));
+  for (const g of groupGrantsOrg) explain.push(buildExplainItem(g, 'group:org'));
+  for (const g of orgGrantsGlobal) explain.push(buildExplainItem(g, 'org:global'));
+  for (const g of orgGrantsOrg) explain.push(buildExplainItem(g, 'org:org'));
+  const context = {
+    groups: groups.map((g) => ({
+      id: String(g._id),
+      isGlobal: !!g.isGlobal,
+      orgId: g.orgId ? String(g.orgId) : null,
+    })),
+    roles: [
+      ...directRoleIds.map((rid) => ({ roleId: String(rid), source: 'user' })),
+      ...groupRoleLinks.map((l) => ({ roleId: String(l.roleId), source: 'group', groupId: String(l.groupId) })),
+    ],
+  };
+  return { grants: all, layers, explain: explain.filter(Boolean), context, orgMember };
+}
+async function checkRight({ userId, orgId, right }) {
+  const r = normalizeRight(right);
+  if (!r) {
+    return { allowed: false, reason: 'invalid_right', explain: [], context: null, decisionLayer: null };
+  }
+  const { layers, explain, context, orgMember } = await getEffectiveGrants({ userId, orgId });
+  if (!orgMember) {
+    return { allowed: false, reason: 'not_org_member', explain: [], context: null, decisionLayer: null };
+  }
+  const denyMatches = [];
+  for (const [layerName, grants] of Object.entries(layers || {})) {
+    const { denies } = extractMatches(grants, r);
+    for (const d of denies) denyMatches.push({ layerName, grant: d });
+  }
+  if (denyMatches.length) {
+    const matchedIds = new Set(denyMatches.map((m) => String(m.grant._id)));
+    const filteredExplain = explain.filter((e) => matchedIds.has(String(e.id)));
+    return {
+      allowed: false,
+      reason: 'denied',
+      decisionLayer: 'deny',
+      explain: filteredExplain,
+      context,
+    };
+  }
+  const allowPriority = ['org', 'group', 'role', 'user'];
+  for (const layer of allowPriority) {
+    const { allows } = extractMatches(layers?.[layer] || [], r);
+    if (!allows.length) continue;
+    const matchedIds = new Set(allows.map((a) => String(a._id)));
+    const filteredExplain = explain.filter((e) => matchedIds.has(String(e.id)));
+    return {
+      allowed: true,
+      reason: 'allowed',
+      decisionLayer: layer,
+      explain: filteredExplain,
+      context,
+    };
+  }
+  return { allowed: false, reason: 'no_match', explain: [], context, decisionLayer: null };
+}
+module.exports = {
+  getUserOrgIds,
+  getEffectiveGrants,
+  checkRight,
+};

package/src/services/scriptsRunner.service.js ADDED Viewed

@@ -0,0 +1,259 @@
+const { EventEmitter } = require('events');
+const { spawn } = require('child_process');
+const { NodeVM } = require('vm2');
+const ScriptRun = require('../models/ScriptRun');
+const MAX_TAIL_BYTES = 64 * 1024;
+function nowIso() {
+  return new Date().toISOString();
+}
+function appendTail(prev, chunk) {
+  const next = String(prev || '') + String(chunk || '');
+  const buf = Buffer.from(next, 'utf8');
+  if (buf.length <= MAX_TAIL_BYTES) return next;
+  return buf.slice(buf.length - MAX_TAIL_BYTES).toString('utf8');
+}
+function safeJsonParse(str) {
+  try {
+    return JSON.parse(String(str || ''));
+  } catch {
+    return null;
+  }
+}
+function buildEnvPairs(env) {
+  const pairs = Array.isArray(env) ? env : [];
+  const out = {};
+  for (const item of pairs) {
+    if (!item || typeof item !== 'object') continue;
+    const key = String(item.key || '').trim();
+    if (!key) continue;
+    const value = String(item.value || '');
+    out[key] = value;
+  }
+  return out;
+}
+class RunBus {
+  constructor(runId) {
+    this.runId = String(runId);
+    this.emitter = new EventEmitter();
+    this.seq = 0;
+    this.buffer = [];
+    this.closed = false;
+  }
+  push(event) {
+    if (this.closed) return;
+    this.seq += 1;
+    const payload = { seq: this.seq, ...event };
+    this.buffer.push(payload);
+    if (this.buffer.length > 2000) this.buffer.shift();
+    this.emitter.emit('event', payload);
+  }
+  close() {
+    this.closed = true;
+    this.emitter.emit('close');
+  }
+  snapshot(sinceSeq) {
+    const since = Number(sinceSeq || 0);
+    return this.buffer.filter((e) => Number(e.seq) > since);
+  }
+}
+const runs = new Map();
+function getRunBus(runId) {
+  return runs.get(String(runId)) || null;
+}
+async function startRun(scriptDef, options) {
+  const trigger = options?.trigger || 'manual';
+  const meta = options?.meta || null;
+  const runDoc = await ScriptRun.create({
+    scriptId: scriptDef._id,
+    status: 'queued',
+    trigger,
+    startedAt: null,
+    finishedAt: null,
+    exitCode: null,
+    outputTail: '',
+    meta,
+  });
+  const bus = new RunBus(runDoc._id);
+  runs.set(String(runDoc._id), bus);
+  setImmediate(async () => {
+    try {
+      await ScriptRun.updateOne(
+        { _id: runDoc._id },
+        { $set: { status: 'running', startedAt: new Date() } },
+      );
+      bus.push({ type: 'status', ts: nowIso(), status: 'running' });
+      const timeoutMs = Number(scriptDef.timeoutMs || 0) || 5 * 60 * 1000;
+      const env = { ...process.env, ...buildEnvPairs(scriptDef.env) };
+      const cwd = String(scriptDef.defaultWorkingDirectory || '').trim() || undefined;
+      let exitCode = 0;
+      if (scriptDef.type === 'bash') {
+        if (scriptDef.runner !== 'host') {
+          throw Object.assign(new Error('bash scripts only support host runner'), { code: 'VALIDATION' });
+        }
+        exitCode = await runSpawned({
+          runId: runDoc._id,
+          bus,
+          command: 'bash',
+          args: ['-lc', scriptDef.script],
+          env,
+          cwd,
+          timeoutMs,
+        });
+      } else if (scriptDef.type === 'node') {
+        if (scriptDef.runner === 'vm2') {
+          exitCode = await runVm2({ runId: runDoc._id, bus, code: scriptDef.script, timeoutMs });
+        } else if (scriptDef.runner === 'host') {
+          exitCode = await runSpawned({
+            runId: runDoc._id,
+            bus,
+            command: 'node',
+            args: ['-e', scriptDef.script],
+            env,
+            cwd,
+            timeoutMs,
+          });
+        } else {
+          throw Object.assign(new Error('Invalid runner for node script'), { code: 'VALIDATION' });
+        }
+      } else if (scriptDef.type === 'browser') {
+        throw Object.assign(new Error('browser scripts run in the UI only'), { code: 'VALIDATION' });
+      } else {
+        throw Object.assign(new Error('Unsupported script type'), { code: 'VALIDATION' });
+      }
+      const finalStatus = exitCode === 0 ? 'succeeded' : 'failed';
+      await ScriptRun.updateOne(
+        { _id: runDoc._id },
+        { $set: { status: finalStatus, finishedAt: new Date(), exitCode } },
+      );
+      bus.push({ type: 'status', ts: nowIso(), status: finalStatus, exitCode });
+      bus.push({ type: 'done', ts: nowIso(), status: finalStatus, exitCode });
+      bus.close();
+      setTimeout(() => {
+        runs.delete(String(runDoc._id));
+      }, 5 * 60 * 1000).unref();
+    } catch (err) {
+      const msg = err?.message || 'Run failed';
+      await ScriptRun.updateOne(
+        { _id: runDoc._id },
+        { $set: { status: 'failed', finishedAt: new Date(), exitCode: 1 }, $setOnInsert: {} },
+      );
+      bus.push({ type: 'log', ts: nowIso(), stream: 'stderr', line: msg + '\n' });
+      bus.push({ type: 'status', ts: nowIso(), status: 'failed', exitCode: 1 });
+      bus.push({ type: 'done', ts: nowIso(), status: 'failed', exitCode: 1 });
+      bus.close();
+      setTimeout(() => {
+        runs.delete(String(runDoc._id));
+      }, 5 * 60 * 1000).unref();
+    }
+  });
+  return runDoc;
+}
+async function runSpawned({ runId, bus, command, args, env, cwd, timeoutMs }) {
+  return await new Promise((resolve, reject) => {
+    const child = spawn(command, args, {
+      env,
+      cwd,
+      stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    let tail = '';
+    const killTimer = setTimeout(() => {
+      try {
+        child.kill('SIGKILL');
+      } catch {}
+    }, timeoutMs);
+    killTimer.unref();
+    const onData = async (stream, chunk) => {
+      const s = chunk.toString('utf8');
+      tail = appendTail(tail, s);
+      bus.push({ type: 'log', ts: nowIso(), stream, line: s });
+      await ScriptRun.updateOne({ _id: runId }, { $set: { outputTail: tail } });
+    };
+    child.stdout.on('data', (c) => onData('stdout', c));
+    child.stderr.on('data', (c) => onData('stderr', c));
+    child.on('error', (err) => {
+      clearTimeout(killTimer);
+      reject(err);
+    });
+    child.on('close', (code) => {
+      clearTimeout(killTimer);
+      resolve(Number(code || 0));
+    });
+  });
+}
+async function runVm2({ runId, bus, code, timeoutMs }) {
+  let tail = '';
+  function pushLog(stream, line) {
+    const s = String(line || '');
+    tail = appendTail(tail, s);
+    bus.push({ type: 'log', ts: nowIso(), stream, line: s });
+    return ScriptRun.updateOne({ _id: runId }, { $set: { outputTail: tail } });
+  }
+  const vm = new NodeVM({
+    console: 'redirect',
+    sandbox: {},
+    require: {
+      external: false,
+      builtin: [],
+    },
+    timeout: timeoutMs,
+    eval: false,
+    wasm: false,
+  });
+  vm.on('console.log', (...args) => {
+    pushLog('stdout', args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ') + '\n');
+  });
+  vm.on('console.error', (...args) => {
+    pushLog('stderr', args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ') + '\n');
+  });
+  try {
+    vm.run(code, 'script.vm2.js');
+    return 0;
+  } catch (err) {
+    const msg = err?.message || 'vm2 error';
+    await pushLog('stderr', msg + '\n');
+    return 1;
+  }
+}
+module.exports = {
+  startRun,
+  getRunBus,
+  safeJsonParse,
+};

package/src/services/terminals.service.js ADDED Viewed

@@ -0,0 +1,152 @@
+const crypto = require('crypto');
+const pty = require('node-pty');
+const sessions = new Map();
+const MAX_SESSIONS = 20;
+const IDLE_TTL_MS = 15 * 60 * 1000;
+function now() {
+  return Date.now();
+}
+function newId() {
+  return crypto.randomBytes(16).toString('hex');
+}
+function listSessions() {
+  return Array.from(sessions.values())
+    .map((s) => ({
+      sessionId: s.sessionId,
+      status: s.status,
+      createdAt: s.createdAt,
+      lastActivityAt: s.lastActivityAt,
+      cols: s.cols,
+      rows: s.rows,
+    }))
+    .sort((a, b) => b.createdAt - a.createdAt);
+}
+function getSession(sessionId) {
+  return sessions.get(String(sessionId)) || null;
+}
+function createSession(options = {}) {
+  if (sessions.size >= MAX_SESSIONS) {
+    const err = new Error('Too many active terminal sessions');
+    err.code = 'LIMIT';
+    throw err;
+  }
+  const cols = Number(options.cols || 120);
+  const rows = Number(options.rows || 30);
+  const shell = process.env.SHELL || 'bash';
+  const p = pty.spawn(shell, [], {
+    name: 'xterm-256color',
+    cols,
+    rows,
+    cwd: process.cwd(),
+    env: process.env,
+  });
+  const sessionId = newId();
+  const s = {
+    sessionId,
+    pty: p,
+    status: 'running',
+    createdAt: now(),
+    lastActivityAt: now(),
+    cols,
+    rows,
+  };
+  p.onExit(() => {
+    const cur = sessions.get(sessionId);
+    if (cur) {
+      cur.status = 'closed';
+      cur.lastActivityAt = now();
+    }
+  });
+  sessions.set(sessionId, s);
+  return { sessionId };
+}
+function touch(sessionId) {
+  const s = sessions.get(String(sessionId));
+  if (!s) return;
+  s.lastActivityAt = now();
+}
+function resizeSession(sessionId, cols, rows) {
+  const s = getSession(sessionId);
+  if (!s || s.status !== 'running') return;
+  const c = Number(cols || 0);
+  const r = Number(rows || 0);
+  if (!c || !r) return;
+  s.cols = c;
+  s.rows = r;
+  s.lastActivityAt = now();
+  try {
+    s.pty.resize(c, r);
+  } catch {}
+}
+function writeSession(sessionId, data) {
+  const s = getSession(sessionId);
+  if (!s || s.status !== 'running') return;
+  s.lastActivityAt = now();
+  try {
+    s.pty.write(String(data || ''));
+  } catch {}
+}
+function killSession(sessionId) {
+  const s = getSession(sessionId);
+  if (!s) {
+    const err = new Error('Session not found');
+    err.code = 'NOT_FOUND';
+    throw err;
+  }
+  try {
+    s.pty.kill();
+  } catch {}
+  sessions.delete(String(sessionId));
+  return { ok: true };
+}
+function cleanupIdleSessions() {
+  const cutoff = now() - IDLE_TTL_MS;
+  for (const [id, s] of sessions.entries()) {
+    if (s.lastActivityAt < cutoff) {
+      try {
+        s.pty.kill();
+      } catch {}
+      sessions.delete(id);
+    }
+  }
+}
+let cleanupTimer = null;
+function ensureCleanupTimer() {
+  if (cleanupTimer) return;
+  cleanupTimer = setInterval(cleanupIdleSessions, 60 * 1000);
+  cleanupTimer.unref();
+}
+ensureCleanupTimer();
+module.exports = {
+  createSession,
+  listSessions,
+  getSession,
+  killSession,
+  writeSession,
+  resizeSession,
+  touch,
+};