@lamalibre/portlama-agent 1.0.21 → 1.0.23

package/src/lib/panel-api-routes.js

@@ -17,6 +17,17 @@ import {
   retractPanelTunnel,
   fetchPanelTunnelStatus,
 } from './panel-api.js';
+import {
+  readAgentPluginRegistry,
+  installAgentPlugin,
+  uninstallAgentPlugin,
+  enableAgentPlugin,
+  disableAgentPlugin,
+  updateAgentPlugin,
+  checkAgentPluginUpdate,
+  readAgentPluginBundle,
+} from './agent-plugins.js';
+import { unloadPanelService, loadPanelService } from './panel-service.js';
 
 // UUID regex for validating :id params before proxying to panel server
 const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
@@ -257,4 +268,123 @@ export default async function panelApiRoutes(fastify, opts) {
     await unloadAgent(label);
     return { ok: true, message: 'Agent stopped. Run portlama-agent uninstall for full removal.' };
   });
+
+  // --- Plugins ---
+
+  const PLUGIN_NAME_RE = /^[a-z0-9-]+$/;
+
+  fastify.get('/plugins', async () => {
+    return readAgentPluginRegistry(label);
+  });
+
+  fastify.post('/plugins/install', async (request, reply) => {
+    const { packageName } = request.body || {};
+    if (!packageName || typeof packageName !== 'string') {
+      return reply.code(400).send({ error: 'packageName is required' });
+    }
+    try {
+      const entry = await installAgentPlugin(label, packageName);
+      return { ok: true, plugin: entry };
+    } catch (err) {
+      return reply.code(400).send({ error: err.message });
+    }
+  });
+
+  fastify.post('/plugins/:name/enable', async (request, reply) => {
+    const { name } = request.params;
+    if (!PLUGIN_NAME_RE.test(name)) {
+      return reply.code(400).send({ error: 'Invalid plugin name' });
+    }
+    try {
+      await enableAgentPlugin(label, name);
+      // Restart panel service to mount newly enabled plugin routes.
+      // The response is sent before the process exits — launchd/systemd
+      // will restart the process with the updated registry.
+      setTimeout(async () => {
+        try {
+          await unloadPanelService(label);
+          await loadPanelService(label);
+        } catch (err) {
+          fastify.log.error({ err: err.message }, 'Failed to restart panel service');
+        }
+      }, 500);
+      return { ok: true, name, status: 'enabled', restarting: true };
+    } catch (err) {
+      return reply.code(400).send({ error: err.message });
+    }
+  });
+
+  fastify.post('/plugins/:name/disable', async (request, reply) => {
+    const { name } = request.params;
+    if (!PLUGIN_NAME_RE.test(name)) {
+      return reply.code(400).send({ error: 'Invalid plugin name' });
+    }
+    try {
+      await disableAgentPlugin(label, name);
+      // Restart panel service to unmount disabled plugin routes.
+      // Use setTimeout to flush the response before the process exits.
+      setTimeout(async () => {
+        try {
+          await unloadPanelService(label);
+          await loadPanelService(label);
+        } catch (err) {
+          fastify.log.error({ err: err.message }, 'Failed to restart panel service after disable');
+        }
+      }, 500);
+      return { ok: true, name, status: 'disabled', restarting: true };
+    } catch (err) {
+      return reply.code(400).send({ error: err.message });
+    }
+  });
+
+  fastify.delete('/plugins/:name', async (request, reply) => {
+    const { name } = request.params;
+    if (!PLUGIN_NAME_RE.test(name)) {
+      return reply.code(400).send({ error: 'Invalid plugin name' });
+    }
+    try {
+      await uninstallAgentPlugin(label, name);
+      return { ok: true, name };
+    } catch (err) {
+      return reply.code(400).send({ error: err.message });
+    }
+  });
+
+  fastify.post('/plugins/:name/update', async (request, reply) => {
+    const { name } = request.params;
+    if (!PLUGIN_NAME_RE.test(name)) {
+      return reply.code(400).send({ error: 'Invalid plugin name' });
+    }
+    try {
+      const plugin = await updateAgentPlugin(label, name);
+      return { ok: true, plugin };
+    } catch (err) {
+      return reply.code(400).send({ error: err.message });
+    }
+  });
+
+  fastify.get('/plugins/:name/check-update', async (request, reply) => {
+    const { name } = request.params;
+    if (!PLUGIN_NAME_RE.test(name)) {
+      return reply.code(400).send({ error: 'Invalid plugin name' });
+    }
+    try {
+      return await checkAgentPluginUpdate(label, name);
+    } catch (err) {
+      return reply.code(400).send({ error: err.message });
+    }
+  });
+
+  fastify.get('/plugins/:name/bundle', async (request, reply) => {
+    const { name } = request.params;
+    if (!PLUGIN_NAME_RE.test(name)) {
+      return reply.code(400).send({ error: 'Invalid plugin name' });
+    }
+    try {
+      const source = await readAgentPluginBundle(label, name);
+      return { source };
+    } catch (err) {
+      return reply.code(404).send({ error: err.message });
+    }
+  });
 }

package/src/lib/panel-server.js

@@ -11,11 +11,14 @@
  */
 
 import Fastify from 'fastify';
+import cors from '@fastify/cors';
 import rateLimit from '@fastify/rate-limit';
 import fastifyStatic from '@fastify/static';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import panelApiRoutes from './panel-api-routes.js';
+import agentPluginRouter from './agent-plugin-router.js';
+import { readAgentPluginBundle } from './agent-plugins.js';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
@@ -33,6 +36,18 @@ export async function startPanelServer(label, { port = 9393 } = {}) {
     },
   });
 
+  // Allow Tauri webview and localhost origins to call plugin APIs.
+  // credentials: true is required because plugin microfrontends use
+  // fetch(..., { credentials: 'include' }) for session cookies.
+  await server.register(cors, {
+    origin: [
+      'tauri://localhost',
+      'https://tauri.localhost',
+      /^http:\/\/(?:localhost|127\.0\.0\.1)(?::\d+)?$/,
+    ],
+    credentials: true,
+  });
+
   await server.register(rateLimit, {
     max: 100,
     timeWindow: '1 minute',
@@ -52,11 +67,30 @@ export async function startPanelServer(label, { port = 9393 } = {}) {
     // Allow health check without auth
     if (request.url === '/api/health') return;
 
-    // Static assets don't need API-level auth (nginx already verified mTLS)
-    if (!request.url.startsWith('/api')) return;
+    // Plugin bundles are intentionally public (loaded via <script> tag)
+    if (request.url.startsWith('/plugin-bundles/')) return;
+
+    // Auth is required for /api/* routes AND plugin server routes (/<pluginName>/api/...).
+    // Static assets (SPA files) are served by fastify-static and don't need auth.
+    const needsAuth = request.url.startsWith('/api') ||
+      /^\/[a-z0-9-]+\/api\//.test(request.url);
+    if (!needsAuth) return;
 
     const verify = request.headers['x-ssl-client-verify'];
     if (verify !== 'SUCCESS') {
+      // Allow localhost browser requests (desktop app plugin microfrontends).
+      // The server binds 127.0.0.1 only, so only local processes can reach it.
+      // The Origin header is browser-enforced and cannot be forged by web pages.
+      const origin = request.headers.origin || '';
+      const isLocalOrigin =
+        /^http:\/\/(?:localhost|127\.0\.0\.1)(?::\d+)?$/.test(origin) ||
+        origin === 'tauri://localhost' ||
+        origin === 'https://tauri.localhost';
+      if (isLocalOrigin) {
+        request.certCN = `agent:${label}`;
+        request.certRole = 'agent';
+        return;
+      }
       return reply.code(403).send({ error: 'Valid mTLS certificate required' });
     }
 
@@ -82,6 +116,33 @@ export async function startPanelServer(label, { port = 9393 } = {}) {
   // --- REST API routes ---
   await server.register(panelApiRoutes, { prefix: '/api', label });
 
+  // --- Agent plugin routes ---
+  // Mounts enabled plugin server routes at /<name>/... (root level),
+  // matching the local plugin host pattern that plugins expect.
+  // Plugins construct URLs as ${panelUrl}/${pluginName}/api/${pluginName}/...
+  await server.register(agentPluginRouter, { label });
+
+  // --- Public plugin bundle endpoint (outside /api — no mTLS required) ---
+  // Desktop app loads bundles via <script> tag to bypass Tauri IPC JSON size limits.
+  // Script tags are not subject to CORS, so cross-origin loading works.
+  const PLUGIN_NAME_RE = /^[a-z0-9-]+$/;
+  server.get('/plugin-bundles/:name/panel.js', async (request, reply) => {
+    const { name } = request.params;
+    if (!PLUGIN_NAME_RE.test(name)) {
+      reply.type('application/javascript');
+      return reply.code(400).send('// invalid plugin name');
+    }
+    try {
+      const source = await readAgentPluginBundle(label, name);
+      reply.type('application/javascript');
+      reply.header('Cache-Control', 'public, max-age=3600');
+      return source;
+    } catch {
+      reply.type('application/javascript');
+      return reply.code(404).send(`// plugin bundle not found: ${name}`);
+    }
+  });
+
   // --- Static SPA files ---
   const staticRoot = path.resolve(__dirname, '..', 'panel-dist');
   try {

package/src/lib/panel-service.js

@@ -19,6 +19,7 @@ import {
   panelLogFile,
   panelErrorLogFile,
   agentLogsDir,
+  agentDataDir,
 } from './platform.js';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -218,6 +219,7 @@ function generatePanelSystemdUnit(label, port) {
   const logFile = panelLogFile(label);
   const errorLogFile = panelErrorLogFile(label);
   const logsDir = agentLogsDir(label);
+  const dataDir = agentDataDir(label);
 
   const execStart = [nodePath, entryPath, '--label', label, '--port', String(port)]
     .map(systemdQuote)
@@ -238,7 +240,7 @@ StandardError=append:${errorLogFile}
 Environment=PATH=/usr/local/bin:/usr/bin:/bin
 NoNewPrivileges=true
 ProtectSystem=strict
-ReadWritePaths=${logsDir}
+ReadWritePaths=${logsDir} ${dataDir}
 
 [Install]
 WantedBy=multi-user.target