@intranefr/superbackend 1.4.4 → 1.5.1

package/src/services/terminalsWs.service.js

@@ -0,0 +1,100 @@
+const { WebSocketServer } = require('ws');
+const url = require('url');
+
+const { createSession, getSession, writeSession, resizeSession, touch } = require('./terminals.service');
+
+function isBasicAuthValid(req, options) {
+  const authHeader = req.headers['authorization'] || '';
+  if (!String(authHeader).startsWith('Basic ')) return false;
+
+  const decoded = Buffer.from(String(authHeader).slice(6), 'base64').toString('utf-8');
+  const parts = decoded.split(':');
+  const username = parts[0] || '';
+  const password = parts.slice(1).join(':') || '';
+
+  const adminUsername = (options && options.adminUsername) || process.env.ADMIN_USERNAME || 'admin';
+  const adminPassword = (options && options.adminPassword) || process.env.ADMIN_PASSWORD || 'admin';
+
+  return username === adminUsername && password === adminPassword;
+}
+
+function attachTerminalWebsocketServer(server, options = {}) {
+  const wsPath = '/api/admin/terminals/ws';
+
+  const wss = new WebSocketServer({ noServer: true });
+
+  console.log(`[Terminals] WebSocket upgrade path: ${wsPath}`);
+
+  server.on('upgrade', (req, socket, head) => {
+    const parsed = url.parse(req.url, true);
+    if (!parsed || parsed.pathname !== wsPath) return;
+
+    console.log(`[Terminals] WebSocket upgrade request for ${parsed.pathname}`);
+    wss.handleUpgrade(req, socket, head, (ws) => {
+      wss.emit('connection', ws, req, parsed);
+    });
+  });
+
+  wss.on('connection', (ws, req, parsed) => {
+    const q = parsed && parsed.query ? parsed.query : {};
+    let sessionId = q.sessionId ? String(q.sessionId) : null;
+
+    if (!sessionId) {
+      const created = createSession({ cols: 120, rows: 30 });
+      sessionId = created.sessionId;
+      ws.send(JSON.stringify({ type: 'session', sessionId }));
+    }
+
+    const s = getSession(sessionId);
+    if (!s || s.status !== 'running') {
+      ws.send(JSON.stringify({ type: 'error', error: 'Session not found' }));
+      ws.close();
+      return;
+    }
+
+    ws.send(JSON.stringify({ type: 'status', status: 'running', sessionId }));
+
+    const onData = (data) => {
+      try {
+        ws.send(JSON.stringify({ type: 'output', data: String(data || '') }));
+      } catch {}
+    };
+
+    s.pty.onData(onData);
+
+    ws.on('message', (raw) => {
+      touch(sessionId);
+      let msg;
+      try {
+        msg = JSON.parse(String(raw || ''));
+      } catch {
+        return;
+      }
+      if (!msg || typeof msg !== 'object') return;
+
+      if (msg.type === 'input') {
+        writeSession(sessionId, msg.data);
+      }
+
+      if (msg.type === 'resize') {
+        resizeSession(sessionId, msg.cols, msg.rows);
+      }
+    });
+
+    ws.on('close', () => {
+      try {
+        s.pty.offData(onData);
+      } catch {}
+    });
+
+    ws.on('error', () => {
+      try {
+        s.pty.offData(onData);
+      } catch {}
+    });
+  });
+
+  return { wss, wsPath };
+}
+
+module.exports = { attachTerminalWebsocketServer };

package/src/services/uiComponentsAi.service.js

@@ -0,0 +1,299 @@
+const UiComponent = require('../models/UiComponent');
+const llmService = require('./llm.service');
+const { resolveLlmProviderModel } = require('./llmDefaults.service');
+const { createAuditEvent } = require('./audit.service');
+
+const ALLOWED_FIELDS = new Set(['html', 'css', 'js', 'usageMarkdown']);
+
+function normalizeTargets(targets) {
+  const t = targets && typeof targets === 'object' ? targets : {};
+  const out = {};
+  for (const f of ALLOWED_FIELDS) out[f] = Boolean(t[f]);
+  if (!Object.values(out).some(Boolean)) {
+    // default: all
+    for (const f of ALLOWED_FIELDS) out[f] = true;
+  }
+  return out;
+}
+
+function parseFieldPatches(raw) {
+  const text = String(raw || '');
+  const lines = text.split(/\r?\n/);
+  const result = [];
+
+  let current = null;
+  for (const line of lines) {
+    const m = line.match(/^FIELD:\s*(.+)$/);
+    if (m) {
+      if (current) result.push(current);
+      current = { field: String(m[1] || '').trim(), content: '' };
+      continue;
+    }
+    if (!current) continue;
+    current.content += (current.content ? '\n' : '') + line;
+  }
+  if (current) result.push(current);
+
+  return result;
+}
+
+function parseDiffBlocks(patchText) {
+  const raw = String(patchText || '');
+  const blocks = [];
+
+  const re = /<<<<<<< SEARCH\n([\s\S]*?)\n=======\n([\s\S]*?)\n>>>>>>> REPLACE/g;
+  let m;
+  while ((m = re.exec(raw)) !== null) {
+    blocks.push({ search: m[1], replace: m[2] });
+  }
+  return blocks;
+}
+
+function applyBlocks(currentValue, blocks) {
+  let next = String(currentValue || '');
+
+  for (const b of blocks) {
+    const search = String(b.search);
+    const replace = String(b.replace);
+
+    if (search === '__FULL__') {
+      next = replace;
+      continue;
+    }
+
+    const idx = next.indexOf(search);
+    if (idx === -1) {
+      const err = new Error('SEARCH block did not match current content');
+      err.code = 'AI_INVALID';
+      err.meta = { searchPreview: search.slice(0, 120) };
+      throw err;
+    }
+
+    next = next.replace(search, replace);
+  }
+
+  return next;
+}
+
+function computeWarnings(nextFields) {
+  const warnings = [];
+  const js = String(nextFields.js || '');
+
+  const checks = [
+    { token: 'eval(', msg: 'JS contains eval( which is unsafe.' },
+    { token: 'document.cookie', msg: 'JS references document.cookie.' },
+    { token: 'Function(', msg: 'JS contains Function( which may indicate dynamic code execution.' },
+    { token: 'fetch(', msg: 'JS uses fetch(. Consider origin allowlists and error handling.' },
+  ];
+
+  for (const c of checks) {
+    if (js.includes(c.token)) warnings.push(c.msg);
+  }
+
+  return warnings;
+}
+
+async function resolveLlmDefaults({ providerKey, model }) {
+  return resolveLlmProviderModel({
+    systemKey: 'uiComponents.proposeEdit',
+    providerKey,
+    model,
+  });
+}
+
+function buildSystemPrompt({ targets }) {
+  const allowed = Array.from(ALLOWED_FIELDS).filter((f) => targets[f]);
+
+  return [
+    'You are a code editor assistant modifying a UI component stored in a database.',
+    `You may edit ONLY these fields: ${allowed.join(', ')}.`,
+    'Return ONLY changes using FIELD-based SEARCH/REPLACE patches.',
+    '',
+    'Format:',
+    'FIELD: <fieldName>',
+    '<<<<<<< SEARCH',
+    '[exact text to find - must match character-by-character including whitespace]',
+    '=======',
+    '[replacement text]',
+    '>>>>>>> REPLACE',
+    '',
+    'Rules:',
+    '- You can include multiple FIELD sections.',
+    '- SEARCH must match exactly (whitespace matters).',
+    '- Include enough context (5-10 lines) for unique matching.',
+    '- Do not include any text outside FIELD sections and SEARCH/REPLACE blocks.',
+    "- If you cannot reliably match the existing text, use SEARCH content '__FULL__' to replace the entire field.",
+    '',
+    'JS contract:',
+    "- The component JS is executed as new Function('api','templateRootEl','props', js).",
+    '- Your JS must return an object with methods.',
+    '- Use templateRootEl for DOM queries (do not use document.querySelector without scoping).',
+  ].join('\n');
+}
+
+async function proposeComponentEdit({
+  code,
+  prompt,
+  providerKey,
+  model,
+  targets,
+  mode,
+  actor,
+}) {
+  const componentCode = String(code || '').trim().toLowerCase();
+  if (!componentCode) {
+    const err = new Error('code is required');
+    err.code = 'VALIDATION';
+    throw err;
+  }
+
+  const instruction = String(prompt || '').trim();
+  if (!instruction) {
+    const err = new Error('prompt is required');
+    err.code = 'VALIDATION';
+    throw err;
+  }
+
+  const targetFlags = normalizeTargets(targets);
+  const allowedTargets = Object.entries(targetFlags)
+    .filter(([, v]) => v)
+    .map(([k]) => k);
+
+  const doc = await UiComponent.findOne({ code: componentCode });
+  if (!doc) {
+    const err = new Error('Component not found');
+    err.code = 'NOT_FOUND';
+    throw err;
+  }
+
+  const current = doc.toObject();
+
+  const llmDefaults = await resolveLlmDefaults({ providerKey, model });
+
+  const systemPrompt = buildSystemPrompt({ targets: targetFlags });
+
+  const context = {
+    code: current.code,
+    name: current.name,
+    version: current.version,
+    html: String(current.html || ''),
+    css: String(current.css || ''),
+    js: String(current.js || ''),
+    usageMarkdown: String(current.usageMarkdown || ''),
+  };
+
+  const userContextLines = [
+    `Component code: ${context.code}`,
+    `Component name: ${context.name}`,
+    `Component version: ${context.version}`,
+    `Target fields: ${allowedTargets.join(', ')}`,
+    `Mode: ${String(mode || 'minimal')}`,
+    '',
+    'Current fields:',
+    '',
+    `FIELD: html\n${context.html}`,
+    '',
+    `FIELD: css\n${context.css}`,
+    '',
+    `FIELD: js\n${context.js}`,
+    '',
+    `FIELD: usageMarkdown\n${context.usageMarkdown}`,
+  ];
+
+  const result = await llmService.callAdhoc(
+    {
+      providerKey: llmDefaults.providerKey,
+      model: llmDefaults.model,
+      messages: [
+        { role: 'system', content: systemPrompt },
+        { role: 'user', content: `Instruction:\n${instruction}` },
+        { role: 'user', content: userContextLines.join('\n') },
+      ],
+      promptKeyForAudit: 'uiComponents.ai.propose',
+    },
+    {
+      temperature: String(mode || '').toLowerCase() === 'rewrite' ? 0.6 : 0.3,
+    },
+  );
+
+  const raw = String(result.content || '');
+  const fieldPatches = parseFieldPatches(raw);
+
+  const patchByField = new Map();
+  for (const fp of fieldPatches) {
+    patchByField.set(String(fp.field || '').trim(), fp.content);
+  }
+
+  const nextFields = {
+    html: context.html,
+    css: context.css,
+    js: context.js,
+    usageMarkdown: context.usageMarkdown,
+  };
+
+  const appliedFields = [];
+
+  for (const field of ALLOWED_FIELDS) {
+    if (!targetFlags[field]) continue;
+    const patchText = patchByField.get(field);
+    if (!patchText) continue;
+
+    const blocks = parseDiffBlocks(patchText);
+    if (!blocks.length) {
+      const err = new Error(`No diff blocks found for field ${field}`);
+      err.code = 'AI_INVALID';
+      throw err;
+    }
+
+    nextFields[field] = applyBlocks(nextFields[field], blocks);
+    appliedFields.push(field);
+  }
+
+  if (!appliedFields.length) {
+    const err = new Error('No applicable field patches returned');
+    err.code = 'AI_INVALID';
+    throw err;
+  }
+
+  const warnings = computeWarnings(nextFields);
+
+  await createAuditEvent({
+    ...(actor || { actorType: 'system', actorId: null }),
+    action: 'uiComponents.ai.propose',
+    entityType: 'UiComponent',
+    entityId: componentCode,
+    before: {
+      code: current.code,
+      version: current.version,
+    },
+    after: {
+      code: current.code,
+      version: current.version,
+      appliedFields,
+    },
+    meta: {
+      providerKey: llmDefaults.providerKey,
+      model: llmDefaults.model,
+      targets: targetFlags,
+      mode: String(mode || 'minimal'),
+      warnings,
+      patchPreview: raw.slice(0, 4000),
+    },
+  });
+
+  return {
+    component: { code: current.code, version: current.version },
+    proposal: {
+      patch: raw,
+      fields: nextFields,
+      appliedFields,
+      warnings,
+    },
+    providerKey: llmDefaults.providerKey,
+    model: llmDefaults.model,
+  };
+}
+
+module.exports = {
+  proposeComponentEdit,
+};

package/src/services/uiComponentsCrypto.service.js

@@ -0,0 +1,39 @@
+const crypto = require('crypto');
+
+function base64UrlEncode(buf) {
+  return buf
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+function generateProjectApiKeyPlaintext() {
+  const raw = crypto.randomBytes(32);
+  return `uk_${base64UrlEncode(raw)}`;
+}
+
+function hashKey(plaintext) {
+  return crypto.createHash('sha256').update(String(plaintext)).digest('hex');
+}
+
+function timingSafeEqualHex(a, b) {
+  const aBuf = Buffer.from(String(a), 'hex');
+  const bBuf = Buffer.from(String(b), 'hex');
+  if (aBuf.length !== bBuf.length) return false;
+  return crypto.timingSafeEqual(aBuf, bBuf);
+}
+
+function verifyKey(plaintext, expectedHash) {
+  const provided = String(plaintext || '').trim();
+  if (!provided) return false;
+  const providedHash = hashKey(provided);
+  return timingSafeEqualHex(providedHash, expectedHash);
+}
+
+module.exports = {
+  generateProjectApiKeyPlaintext,
+  hashKey,
+  timingSafeEqualHex,
+  verifyKey,
+};

package/src/services/workflow.service.js

@@ -1,7 +1,8 @@
 const Workflow = require('../models/Workflow');
 const WorkflowExecution = require('../models/WorkflowExecution');
-const llmService = require('./llm.service');
 const { NodeVM } = require('vm2');
+const llmService = require('./llm.service');
+const { resolveLlmProviderModel } = require('./llmDefaults.service');
 
 /**
  * Workflow Service
@@ -163,13 +164,27 @@ class WorkflowService {
 
   async handleLLM(node) {
     const prompt = this.interpolate(node.prompt);
-    const response = await llmService.callAdhoc({
-      providerKey: node.provider || 'openrouter',
-      messages: [{ role: 'user', content: prompt }]
-    }, { 
-      model: node.model || 'minimax/minimax-m2.1',
-      temperature: node.temperature !== undefined ? parseFloat(node.temperature) : 0.7
-    });
+    const providerKeyRaw = node.provider;
+    const modelRaw = node.model;
+
+    const resolved = (!providerKeyRaw || !String(providerKeyRaw).trim() || !modelRaw || !String(modelRaw).trim())
+      ? await resolveLlmProviderModel({
+        systemKey: 'workflow.node.llm',
+        providerKey: providerKeyRaw,
+        model: modelRaw,
+      })
+      : { providerKey: String(providerKeyRaw).trim(), model: String(modelRaw || '').trim() };
+
+    const response = await llmService.callAdhoc(
+      {
+        providerKey: resolved.providerKey,
+        messages: [{ role: 'user', content: prompt }],
+      },
+      {
+        model: resolved.model || undefined,
+        temperature: node.temperature !== undefined ? parseFloat(node.temperature) : 0.7,
+      },
+    );
     return response.content;
   }
 

package/src/utils/orgRoles.js

@@ -142,6 +142,18 @@ async function getOrgRoleLevel(role) {
   return hierarchy[r] || 0;
 }
 
+async function isRoleAtLeast(role, requiredRole) {
+  const level = await getOrgRoleLevel(role);
+  const requiredLevel = await getOrgRoleLevel(requiredRole);
+  return level >= requiredLevel;
+}
+
+async function isRoleHigherThan(role, otherRole) {
+  const level = await getOrgRoleLevel(role);
+  const otherLevel = await getOrgRoleLevel(otherRole);
+  return level > otherLevel;
+}
+
 function clearOrgRolesCache() {
   cached = null;
 }
@@ -152,5 +164,7 @@ module.exports = {
   getDefaultOrgRole,
   isValidOrgRole,
   getOrgRoleLevel,
+  isRoleAtLeast,
+  isRoleHigherThan,
   clearOrgRolesCache,
 };

package/src/utils/rbac/engine.js

@@ -0,0 +1,60 @@
+function normalizeRight(input) {
+  return String(input || '').trim();
+}
+
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function patternToRegex(pattern) {
+  const parts = normalizeRight(pattern).split('*').map(escapeRegex);
+  return new RegExp('^' + parts.join('.*') + '$');
+}
+
+function matches(requiredRight, grantedPattern) {
+  const required = normalizeRight(requiredRight);
+  const pattern = normalizeRight(grantedPattern);
+  if (!required || !pattern) return false;
+  if (pattern === required) return true;
+  if (!pattern.includes('*')) return false;
+  return patternToRegex(pattern).test(required);
+}
+
+function evaluateEffects(entries, requiredRight) {
+  const required = normalizeRight(requiredRight);
+  if (!required) {
+    return { allowed: false, reason: 'invalid_required_right' };
+  }
+
+  const denies = [];
+  const allows = [];
+
+  for (const e of entries || []) {
+    if (!e) continue;
+    const right = normalizeRight(e.right);
+    const effect = normalizeRight(e.effect || 'allow');
+    if (!right) continue;
+    if (!matches(required, right)) continue;
+
+    if (effect === 'deny') {
+      denies.push(e);
+    } else {
+      allows.push(e);
+    }
+  }
+
+  if (denies.length) {
+    return { allowed: false, reason: 'denied', matched: denies };
+  }
+
+  if (allows.length) {
+    return { allowed: true, reason: 'allowed', matched: allows };
+  }
+
+  return { allowed: false, reason: 'no_match' };
+}
+
+module.exports = {
+  matches,
+  evaluateEffects,
+};

package/src/utils/rbac/rightsRegistry.js

@@ -0,0 +1,29 @@
+const DEFAULT_RIGHTS = [
+  'rbac:roles:read',
+  'rbac:roles:write',
+  'rbac:groups:read',
+  'rbac:groups:write',
+  'rbac:grants:read',
+  'rbac:grants:write',
+  'rbac:test',
+  'file_manager:*',
+  'file_manager:access',
+  'file_manager:drives:read',
+  'file_manager:files:read',
+  'file_manager:files:upload',
+  'file_manager:files:download',
+  'file_manager:files:update',
+  'file_manager:files:delete',
+  'file_manager:files:share',
+  'backoffice:*',
+  'backoffice:dashboard:access',
+  '*',
+];
+
+function listRights() {
+  return Array.from(new Set(DEFAULT_RIGHTS)).sort();
+}
+
+module.exports = {
+  listRights,
+};