@mooncompany/uplink-chat 0.5.0

package/server/routes/media.js

@@ -0,0 +1,451 @@
+/**
+ * Media Routes - Image and video upload endpoints
+ */
+
+// Sharp is optional — skip image compression if not installed
+let sharp;
+try {
+  sharp = (await import('sharp')).default;
+} catch {
+  // sharp not available — images will be sent at original size
+}
+import fs from 'fs/promises';
+import path from 'path';
+import { fileTypeFromBuffer } from 'file-type';
+import { randomUUID } from 'crypto';
+import { badRequest, internalError, ErrorCodes } from '../../utils/errors.js';
+import { IMAGE_COMPRESSION_THRESHOLD, AGENT_MEDIA_DIRS, AGENT_MEDIA_ALLOWED_EXTENSIONS, AGENT_MEDIA_MAX_SIZE } from '../config.js';
+
+/**
+ * Sanitize user-provided caption to prevent prompt injection
+ * @param {string} caption - Raw user caption
+ * @returns {string} - Sanitized caption safe for AI prompts
+ */
+function sanitizeCaption(caption) {
+  if (!caption || typeof caption !== 'string') {
+    return '';
+  }
+  
+  let sanitized = caption;
+  
+  // 1. Limit length to prevent token abuse
+  const MAX_CAPTION_LENGTH = 500;
+  sanitized = sanitized.slice(0, MAX_CAPTION_LENGTH);
+  
+  // 2. Remove markdown code blocks that could confuse AI
+  sanitized = sanitized.replace(/```[\s\S]*?```/g, '[code removed]');
+  sanitized = sanitized.replace(/`[^`]+`/g, '[code removed]');
+  
+  // 3. Remove potential instruction patterns (prompt injection attempts)
+  // Patterns like "ignore previous instructions", "system:", "assistant:", etc.
+  const injectionPatterns = [
+    /\b(ignore|disregard|forget)\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|context)/gi,
+    /\b(you\s+are\s+now|act\s+as|pretend\s+(to\s+be|you('re)?))\b/gi,
+    /\b(system|assistant|user)\s*:/gi,
+    /\[\s*(system|assistant|user)\s*\]/gi,
+    /<\s*(system|assistant|user)\s*>/gi,
+  ];
+  
+  for (const pattern of injectionPatterns) {
+    sanitized = sanitized.replace(pattern, '[removed]');
+  }
+  
+  // 4. Escape special characters that could be interpreted as delimiters
+  // Replace characters that might be used to break out of context
+  sanitized = sanitized
+    .replace(/[<>]/g, '') // Remove angle brackets
+    .replace(/\[{2,}/g, '[') // Collapse multiple brackets
+    .replace(/\]{2,}/g, ']')
+    .replace(/\n{3,}/g, '\n\n') // Collapse excessive newlines
+    .trim();
+  
+  return sanitized;
+}
+
+/**
+ * Setup media routes
+ * @param {Express} app - Express app instance
+ * @param {Object} context - Request context
+ */
+export function setupMediaRoutes(app, context) {
+  const {
+    imageUpload,
+    videoUpload,
+    fetch: fetchWithTimeout,
+    generateTTS,
+    log,
+    config,
+    uploadsDir,
+  } = context;
+
+  const { ALLOWED_IMAGE_TYPES, GATEWAY_URL, GATEWAY_TOKEN, SESSION_USER, REQUEST_TIMEOUT } = config;
+
+  // ===========================================
+  // Image Upload
+  // ===========================================
+
+  app.post('/api/image', (req, res) => {
+    imageUpload(req, res, async (err) => {
+      if (err) {
+        log('error', '[Image] Upload error:', err);
+        // Always return generic error to client; detailed error logged server-side
+        return badRequest(res, 'Upload failed', ErrorCodes.UPLOAD_FAILED);
+      }
+
+      try {
+        if (!req.file) {
+          return badRequest(res, 'No image provided', ErrorCodes.MISSING_FIELD);
+        }
+
+        log('debug', `[Image] Received: ${req.file.size} bytes, ${req.file.mimetype}`);
+
+        // Validate file type
+        const fileBuffer = await fs.readFile(req.file.path);
+        const detectedType = await fileTypeFromBuffer(fileBuffer);
+
+        if (!detectedType || !ALLOWED_IMAGE_TYPES.includes(detectedType.mime)) {
+          await fs.unlink(req.file.path).catch(err => log('warn', 'Image: Failed to cleanup invalid file:', err.message));
+          log('warn', `[Image] Rejected invalid file type: ${detectedType?.mime || 'unknown'}`);
+          return badRequest(res, 'Invalid image type. Allowed: JPEG, PNG, WebP, GIF', ErrorCodes.INVALID_FILE_TYPE);
+        }
+
+        // Sanitize caption to prevent prompt injection
+        const caption = sanitizeCaption(req.body?.caption);
+
+        // Resize if needed (skip if sharp not installed)
+        let imageBuffer = fileBuffer;
+        if (sharp && imageBuffer.length > IMAGE_COMPRESSION_THRESHOLD) {
+          imageBuffer = await sharp(imageBuffer)
+            .resize(1024, 1024, { fit: 'inside', withoutEnlargement: true })
+            .jpeg({ quality: 80 })
+            .toBuffer();
+        }
+
+        // Save image
+        await fs.mkdir(uploadsDir, { recursive: true });
+        const imageFilename = `upload-${randomUUID()}.jpg`;
+        const imagePath = path.join(uploadsDir, imageFilename);
+        await fs.writeFile(imagePath, imageBuffer);
+
+        // Send to OpenClaw
+        const imagePathForAgent = `uplink/uploads/${imageFilename}`;
+        const prompt = caption
+          ? `[Voice chat - keep response brief] [Image attached at: ${imagePathForAgent}] ${caption}`
+          : `[Voice chat - keep response brief] [Image attached at: ${imagePathForAgent}] What do you see in this image? Use the image tool to view it.`;
+
+        // Use SSE to prevent Cloudflare timeout (sends keepalives while waiting)
+        res.setHeader('Content-Type', 'text/event-stream; charset=utf-8');
+        res.setHeader('Cache-Control', 'no-cache');
+        res.setHeader('Connection', 'keep-alive');
+        res.setHeader('X-Accel-Buffering', 'no');
+        res.flushHeaders();
+
+        // Send keepalive every 15s to prevent Cloudflare 524 timeout
+        const keepalive = setInterval(() => {
+          res.write(': keepalive\n\n');
+        }, 15000);
+
+        let reply = 'I could not process the image.';
+        let audioUrl = null;
+
+        try {
+          const response = await fetchWithTimeout(`${GATEWAY_URL}/v1/chat/completions`, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'Authorization': `Bearer ${GATEWAY_TOKEN}`,
+              'x-openclaw-session-key': 'agent:main:main'
+            },
+            body: JSON.stringify({
+              model: 'openclaw',
+              user: SESSION_USER,
+              messages: [{ role: 'user', content: prompt }]
+            })
+          }, REQUEST_TIMEOUT);
+
+          if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`Chat API error: ${response.status} - ${text}`);
+          }
+
+          const data = await response.json();
+          reply = data.choices?.[0]?.message?.content || reply;
+
+          try {
+            audioUrl = await generateTTS(reply);
+          } catch (e) {
+            log('error', 'TTS failed:', e.message);
+          }
+        } finally {
+          clearInterval(keepalive);
+        }
+        
+        // Keep uploaded image for history (24h cleanup job handles expiry)
+        // Clean up the temp multer file if it differs from our saved path
+        if (req.file.path !== imagePath) {
+          await fs.unlink(req.file.path).catch(err => log('warn', 'Image: Failed to cleanup temp file:', err.message));
+        }
+        
+        // Send final result as SSE event — include imageUrl for client-side history
+        const imageUrl = `/uploads/${imageFilename}`;
+        res.write(`data: ${JSON.stringify({ response: reply, audioUrl, imageUrl })}\n\n`);
+        res.end();
+      } catch (error) {
+        log('error', 'Image error:', error);
+        if (res.headersSent) {
+          res.write(`data: ${JSON.stringify({ error: true, message: 'Image processing failed' })}\n\n`);
+          res.end();
+        } else {
+          internalError(res, 'Image processing failed', ErrorCodes.INTERNAL_ERROR);
+        }
+      }
+    });
+  });
+
+  // ===========================================
+  // Video Upload
+  // ===========================================
+
+  const { ALLOWED_VIDEO_TYPES } = config;
+
+  app.post('/api/video', (req, res) => {
+    videoUpload(req, res, async (err) => {
+      if (err) {
+        log('error', '[Video] Upload error:', err);
+        // Always return generic error to client; detailed error logged server-side
+        return badRequest(res, 'Upload failed', ErrorCodes.UPLOAD_FAILED);
+      }
+
+      try {
+        if (!req.file) {
+          return badRequest(res, 'No video provided', ErrorCodes.MISSING_FIELD);
+        }
+
+        // Validate video file type via magic bytes
+        const fileBuffer = await fs.readFile(req.file.path);
+        const detectedType = await fileTypeFromBuffer(fileBuffer);
+        
+        if (!detectedType || !ALLOWED_VIDEO_TYPES.includes(detectedType.mime)) {
+          await fs.unlink(req.file.path).catch(err => log('warn', 'Video: Failed to cleanup invalid file:', err.message));
+          log('warn', `[Video] Rejected invalid type: ${detectedType?.mime || 'unknown'}`);
+          return badRequest(res, 'Invalid video type', ErrorCodes.INVALID_FILE_TYPE);
+        }
+
+        // Sanitize caption to prevent prompt injection
+        const caption = sanitizeCaption(req.body?.caption);
+        
+        await fs.mkdir(uploadsDir, { recursive: true });
+        
+        // Use detected extension for proper file type
+        const ext = detectedType.ext || 'webm';
+        const videoFilename = `video-${randomUUID()}.${ext}`;
+        const videoPath = path.join(uploadsDir, videoFilename);
+        
+        await fs.writeFile(videoPath, fileBuffer);
+        await fs.unlink(req.file.path).catch(err => log('warn', 'Video: Failed to cleanup file:', err.message));
+
+        const videoPathForAgent = `uplink/uploads/${videoFilename}`;
+        const prompt = caption
+          ? `[Voice chat - keep response brief] [Video attached at: ${videoPathForAgent}] ${caption}`
+          : `[Voice chat - keep response brief] [Video attached at: ${videoPathForAgent}] A short video was recorded. Please acknowledge it.`;
+
+        // Use SSE to prevent Cloudflare timeout (sends keepalives while waiting)
+        res.setHeader('Content-Type', 'text/event-stream; charset=utf-8');
+        res.setHeader('Cache-Control', 'no-cache');
+        res.setHeader('Connection', 'keep-alive');
+        res.setHeader('X-Accel-Buffering', 'no');
+        res.flushHeaders();
+
+        // Send keepalive every 15s to prevent Cloudflare 524 timeout
+        const keepalive = setInterval(() => {
+          res.write(': keepalive\n\n');
+        }, 15000);
+
+        let reply = 'I received your video.';
+        let audioUrl = null;
+
+        try {
+          const response = await fetchWithTimeout(`${GATEWAY_URL}/v1/chat/completions`, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'Authorization': `Bearer ${GATEWAY_TOKEN}`
+            },
+            body: JSON.stringify({
+              model: 'openclaw',
+              user: SESSION_USER,
+              messages: [{ role: 'user', content: prompt }]
+            })
+          }, REQUEST_TIMEOUT);
+
+          if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`Chat API error: ${response.status} - ${text}`);
+          }
+
+          const data = await response.json();
+          reply = data.choices?.[0]?.message?.content || reply;
+
+          try {
+            audioUrl = await generateTTS(reply);
+          } catch (e) {
+            log('error', 'TTS failed:', e.message);
+          }
+        } finally {
+          clearInterval(keepalive);
+        }
+
+        // Send final result as SSE event
+        res.write(`data: ${JSON.stringify({ response: reply, audioUrl })}\n\n`);
+        res.end();
+      } catch (error) {
+        log('error', 'Video error:', error);
+        if (res.headersSent) {
+          res.write(`data: ${JSON.stringify({ error: true, message: 'Video processing failed' })}\n\n`);
+          res.end();
+        } else {
+          internalError(res, 'Video processing failed', ErrorCodes.INTERNAL_ERROR);
+        }
+      }
+    });
+  });
+
+  // ===========================================
+  // Agent Media Endpoint
+  // Serves agent-generated files (screenshots, charts, TTS, etc.)
+  // ===========================================
+
+  // Registry: maps random IDs to file paths (in-memory for now)
+  const agentMediaRegistry = new Map();
+
+  /**
+   * Register an agent media file and return a secure URL
+   * @param {string} filePath - Absolute path to the file
+   * @returns {string|null} - Proxy URL or null if registration failed
+   */
+  function registerAgentMedia(filePath) {
+    if (!filePath || typeof filePath !== 'string') {
+      log('warn', '[AgentMedia] Invalid file path');
+      return null;
+    }
+
+    try {
+      // Normalize path for consistent comparison
+      const normalizedPath = path.normalize(path.resolve(filePath));
+      
+      // Security: Validate file path is within allowed directories
+      const isAllowed = AGENT_MEDIA_DIRS.some(dir => {
+        const normalizedDir = path.normalize(path.resolve(dir));
+        return normalizedPath.startsWith(normalizedDir);
+      });
+
+      if (!isAllowed) {
+        log('warn', `[AgentMedia] Path not in allowed directories: ${filePath}`);
+        return null;
+      }
+
+      // Security: Validate file extension
+      const ext = path.extname(normalizedPath).toLowerCase();
+      if (!AGENT_MEDIA_ALLOWED_EXTENSIONS.includes(ext)) {
+        log('warn', `[AgentMedia] Extension not allowed: ${ext}`);
+        return null;
+      }
+
+      // Generate random ID
+      const id = randomUUID();
+      agentMediaRegistry.set(id, normalizedPath);
+
+      // Auto-cleanup after 10 minutes
+      setTimeout(() => agentMediaRegistry.delete(id), 10 * 60 * 1000);
+
+      return `/api/media/agent/${id}`;
+    } catch (error) {
+      log('error', '[AgentMedia] Registration failed:', error);
+      return null;
+    }
+  }
+
+  /**
+   * Serve agent-generated media file
+   * GET /api/media/agent/:id
+   */
+  app.get('/api/media/agent/:id', async (req, res) => {
+    try {
+      const { id } = req.params;
+
+      // Validate ID format (UUID)
+      if (!id || !/^[a-f0-9-]{36}$/i.test(id)) {
+        return badRequest(res, 'Invalid media ID', ErrorCodes.INVALID_FILE_TYPE);
+      }
+
+      // Lookup file path
+      const filePath = agentMediaRegistry.get(id);
+      if (!filePath) {
+        log('warn', `[AgentMedia] ID not found or expired: ${id}`);
+        return res.status(404).json({ error: 'Media not found or expired' });
+      }
+
+      // Security: Double-check path is still within allowed directories
+      const normalizedPath = path.normalize(path.resolve(filePath));
+      const isAllowed = AGENT_MEDIA_DIRS.some(dir => {
+        const normalizedDir = path.normalize(path.resolve(dir));
+        return normalizedPath.startsWith(normalizedDir);
+      });
+
+      if (!isAllowed) {
+        log('error', `[AgentMedia] Security violation: path outside allowed dirs: ${filePath}`);
+        agentMediaRegistry.delete(id);
+        return res.status(403).json({ error: 'Access denied' });
+      }
+
+      // Check file exists
+      const stat = await fs.stat(filePath).catch(() => null);
+      if (!stat || !stat.isFile()) {
+        log('warn', `[AgentMedia] File not found: ${filePath}`);
+        agentMediaRegistry.delete(id);
+        return res.status(404).json({ error: 'File not found' });
+      }
+
+      // Security: Check file size
+      if (stat.size > AGENT_MEDIA_MAX_SIZE) {
+        log('warn', `[AgentMedia] File too large: ${stat.size} bytes`);
+        return res.status(413).json({ error: 'File too large' });
+      }
+
+      // Detect MIME type
+      const buffer = await fs.readFile(filePath);
+      const detected = await fileTypeFromBuffer(buffer);
+      const contentType = detected?.mime || 'application/octet-stream';
+
+      // Set headers
+      res.setHeader('Content-Type', contentType);
+      res.setHeader('Content-Length', stat.size);
+      res.setHeader('Cache-Control', 'public, max-age=3600'); // 1 hour cache
+      
+      // Security: Prevent inline rendering for untrusted types
+      const safeInlineTypes = [
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/svg+xml',
+        'audio/mpeg', 'audio/wav', 'audio/ogg',
+      ];
+      if (!safeInlineTypes.includes(contentType)) {
+        res.setHeader('Content-Disposition', `attachment; filename="${path.basename(filePath)}"`);
+      }
+
+      // Send file
+      res.send(buffer);
+      log('debug', `[AgentMedia] Served: ${filePath} (${contentType}, ${stat.size} bytes)`);
+
+    } catch (error) {
+      log('error', '[AgentMedia] Serve error:', error);
+      if (!res.headersSent) {
+        internalError(res, 'Failed to serve media', ErrorCodes.INTERNAL_ERROR);
+      }
+    }
+  });
+
+  // Export the registration function for use by other modules
+  app.registerAgentMedia = registerAgentMedia;
+  
+  // Also expose globally for channel.js to access
+  globalThis.registerAgentMedia = registerAgentMedia;
+}

package/server/routes/missed-messages.js

@@ -0,0 +1,107 @@
+/**
+ * Missed Messages Routes - Simple polling fallback for when tab is closed
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+import { createLogger } from '../logger.js';
+// Auth handled by requireAuth middleware on /api/ routes (server.js)
+
+const log = createLogger('Missed Messages');
+
+const MISSED_MESSAGES_FILE = path.join(process.cwd(), 'missed-messages.json');
+
+// In-memory queue for missed messages
+let missedMessages = [];
+
+/**
+ * Load missed messages from file on startup
+ */
+async function loadMissedMessages() {
+  try {
+    const data = await fs.readFile(MISSED_MESSAGES_FILE, 'utf8');
+    missedMessages = JSON.parse(data);
+    log.info(`Loaded ${missedMessages.length} missed messages`);
+  } catch (error) {
+    log.debug('No existing missed messages file');
+    missedMessages = [];
+  }
+}
+
+/**
+ * Save missed messages to file
+ */
+async function saveMissedMessages() {
+  try {
+    await fs.writeFile(MISSED_MESSAGES_FILE, JSON.stringify(missedMessages, null, 2));
+  } catch (error) {
+    log.error('Error saving to file:', error.message);
+  }
+}
+
+/**
+ * Add a message to the missed messages queue
+ */
+export async function addMissedMessage(message) {
+  const missedMessage = {
+    id: Date.now() + '_' + Math.random().toString(36),
+    timestamp: Date.now(),
+    type: message.type,
+    message: message.message,
+    satelliteId: message.satelliteId,
+    author: message.author || 'Assistant'
+  };
+
+  missedMessages.push(missedMessage);
+  
+  // Keep only last 50 missed messages to prevent unbounded growth
+  if (missedMessages.length > 50) {
+    missedMessages = missedMessages.slice(-50);
+  }
+  
+  await saveMissedMessages();
+  log.debug(`Added message for satellite ${message.satelliteId}`);
+}
+
+/**
+ * Get and clear missed messages for a user
+ */
+function getMissedMessages(userId = 'default') {
+  const messages = [...missedMessages]; // Copy the array
+  missedMessages = []; // Clear the queue
+  saveMissedMessages(); // Save empty queue
+  log.debug(`Retrieved ${messages.length} messages for ${userId}`);
+  return messages;
+}
+
+/**
+ * Setup missed messages routes
+ */
+export function setupMissedMessagesRoutes(app, context) {
+  const { log } = context;
+
+  // Load missed messages on startup
+  loadMissedMessages();
+
+  // GET /api/missed-messages - Get and clear missed messages
+  app.get('/api/missed-messages', (req, res) => {
+    const userId = req.query.userId || 'default';
+    const messages = getMissedMessages(userId);
+    
+    res.json({
+      ok: true,
+      messages,
+      count: messages.length
+    });
+  });
+
+  // GET /api/missed-messages/count - Just get count without clearing
+  app.get('/api/missed-messages/count', (req, res) => {
+    res.json({
+      ok: true,
+      count: missedMessages.length
+    });
+  });
+
+  log('info', '[Missed Messages] Routes initialized');
+}

package/server/routes/premium.js

@@ -0,0 +1,75 @@
+/**
+ * Premium Routes — License activation and status
+ */
+
+import { activateLicense, deactivateLicense, getPremiumStatus } from '../premium/index.js';
+
+export function setupPremiumRoutes(app, context) {
+  const { log, saveConfig, loadConfig } = context;
+
+  /**
+   * GET /api/premium/status
+   * Returns current premium status and feature flags
+   */
+  app.get('/api/premium/status', (req, res) => {
+    res.json(getPremiumStatus());
+  });
+
+  /**
+   * POST /api/premium/activate
+   * Activate a license key
+   * Body: { key: "UPL-XXXXX-XXXXX-XXXXX-XXXXX" }
+   */
+  app.post('/api/premium/activate', async (req, res) => {
+    const { key } = req.body || {};
+
+    if (!key || typeof key !== 'string') {
+      return res.status(400).json({
+        error: true,
+        message: 'License key is required',
+      });
+    }
+
+    const result = activateLicense(key.trim());
+
+    if (result.success) {
+      // Persist the key to config
+      try {
+        await saveConfig({ licenseKey: key.trim() });
+      } catch (err) {
+        log('error', 'Failed to save license key:', err.message);
+      }
+
+      return res.json({
+        success: true,
+        message: 'Uplink Premium activated! 🎉',
+        ...getPremiumStatus(),
+      });
+    }
+
+    return res.status(400).json({
+      error: true,
+      message: result.error || 'Invalid license key',
+    });
+  });
+
+  /**
+   * POST /api/premium/deactivate
+   * Remove license key and revert to free mode
+   */
+  app.post('/api/premium/deactivate', async (req, res) => {
+    deactivateLicense();
+
+    try {
+      await saveConfig({ licenseKey: '' });
+    } catch (err) {
+      log('error', 'Failed to remove license key:', err.message);
+    }
+
+    return res.json({
+      success: true,
+      message: 'License deactivated',
+      ...getPremiumStatus(),
+    });
+  });
+}