@mooncompany/uplink-chat 0.5.0

package/server/runtime-config.js

@@ -0,0 +1,336 @@
+/**
+ * Runtime Config Module
+ * 
+ * Manages runtime configuration stored in config.json.
+ * Falls back to environment variables for backwards compatibility.
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import lockfile from 'proper-lockfile';
+import { isEdgeTTSAvailable } from './tts.js';
+import { discoverGateway, getConfigPath } from './openclaw-discover.js';
+import { createLogger } from './logger.js';
+
+const log = createLogger('Config');
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const CONFIG_PATH = path.join(__dirname, '..', 'config.json');
+
+// Default configuration
+const DEFAULTS = {
+  // Identity
+  userName: '',
+  assistantName: 'Assistant',
+  
+  // Gateway
+  gatewayUrl: 'http://127.0.0.1:18789',
+  gatewayToken: '',
+  
+  // Session
+  sessionUser: 'uplink-user',
+  
+  // TTS
+  ttsProvider: 'none', // 'none', 'elevenlabs', 'openai', 'edge', 'piper', 'local'
+  elevenLabsApiKey: '',
+  elevenLabsVoiceId: '',
+  ttsVoiceName: 'Assistant',
+  
+  // OpenAI TTS
+  openaiApiKey: '',
+  openaiTtsVoice: 'nova', // alloy, echo, fable, onyx, nova, shimmer
+  openaiTtsModel: 'tts-1', // tts-1, tts-1-hd
+  
+  // Edge TTS
+  edgeTtsVoice: 'en-US-AriaNeural',
+  
+  // XTTS (Local GPU)
+  localTtsUrl: '', // e.g. http://localhost:8020
+  
+  // STT
+  sttProvider: 'none', // 'none', 'openai', 'groq', 'faster-whisper'
+  openaiSttModel: 'whisper-1',
+  groqApiKey: '',
+  groqSttModel: 'whisper-large-v3-turbo',
+  fasterWhisperUrl: '', // e.g. http://localhost:8000
+
+  // Real-time Voice
+  realtimeVoiceEnabled: false,
+  realtimeVoice: 'marin',
+  realtimeModel: 'gpt-realtime',
+
+  // Voice Mode
+  voiceMode: 'push-to-talk', // 'push-to-talk', 'live-voice', 'agent-voice'
+  agentVoiceTtsEngine: 'openai', // 'openai', 'edge'
+  agentVoiceTtsVoice: 'alloy',
+  voiceModel: '', // Model override for voice sessions (empty = use gateway default)
+  vadSilenceDurationMs: 400, // How long silence before VAD triggers (200-1500ms)
+
+  // Security
+  encryptHistory: false,
+  
+  // UI
+  wakeWord: 'uplink',
+  
+  // Server
+  port: 3456,
+  allowedOrigins: ['http://localhost:3456'],
+  
+  // Premium
+  licenseKey: '',
+  
+  // State
+  onboardingComplete: false,
+};
+
+let cachedConfig = null;
+let cacheTimestamp = 0;
+const CACHE_TTL_MS = 5000; // Cache for 5 seconds to detect external changes
+
+// Cached auto-discovery result (only runs once at startup)
+let discoveryResult = null;
+let discoveryAttempted = false;
+
+/**
+ * Load configuration from file, with env fallbacks
+ */
+export async function loadConfig() {
+  // Check if cache is still fresh
+  const now = Date.now();
+  if (cachedConfig && (now - cacheTimestamp) < CACHE_TTL_MS) {
+    return cachedConfig;
+  }
+  
+  let fileConfig = {};
+  
+  try {
+    const data = await fs.readFile(CONFIG_PATH, 'utf8');
+    fileConfig = JSON.parse(data);
+  } catch (err) {
+    // File doesn't exist or is invalid - that's fine, use defaults
+    if (err.code !== 'ENOENT') {
+      log.warn('Failed to parse config.json:', err.message);
+    }
+  }
+  
+  // Merge with defaults and env overrides
+  cachedConfig = {
+    ...DEFAULTS,
+    ...fileConfig,
+    // Env vars take precedence if set (for backwards compat)
+    ...(process.env.GATEWAY_URL && { gatewayUrl: process.env.GATEWAY_URL }),
+    ...(process.env.GATEWAY_TOKEN && { gatewayToken: process.env.GATEWAY_TOKEN }),
+    ...(process.env.SESSION_USER && { sessionUser: process.env.SESSION_USER }),
+    ...(process.env.ASSISTANT_NAME && { assistantName: process.env.ASSISTANT_NAME }),
+    ...(process.env.ELEVENLABS_API_KEY && { elevenLabsApiKey: process.env.ELEVENLABS_API_KEY }),
+    ...(process.env.ELEVENLABS_VOICE_ID && { elevenLabsVoiceId: process.env.ELEVENLABS_VOICE_ID }),
+    ...(process.env.TTS_VOICE_NAME && { ttsVoiceName: process.env.TTS_VOICE_NAME }),
+    ...(process.env.OPENAI_API_KEY && process.env.OPENAI_API_KEY.startsWith('sk-') && { openaiApiKey: process.env.OPENAI_API_KEY }),
+    ...(process.env.OPENAI_TTS_VOICE && { openaiTtsVoice: process.env.OPENAI_TTS_VOICE }),
+    ...(process.env.OPENAI_TTS_MODEL && { openaiTtsModel: process.env.OPENAI_TTS_MODEL }),
+    ...(process.env.EDGE_TTS_VOICE && { edgeTtsVoice: process.env.EDGE_TTS_VOICE }),
+    ...(process.env.LOCAL_TTS_URL && { localTtsUrl: process.env.LOCAL_TTS_URL }),
+    // STT env overrides
+    ...(process.env.STT_PROVIDER && { sttProvider: process.env.STT_PROVIDER }),
+    ...(process.env.GROQ_API_KEY && { groqApiKey: process.env.GROQ_API_KEY }),
+    ...(process.env.GROQ_STT_MODEL && { groqSttModel: process.env.GROQ_STT_MODEL }),
+    ...(process.env.FASTER_WHISPER_URL && { fasterWhisperUrl: process.env.FASTER_WHISPER_URL }),
+    ...(process.env.WAKE_WORD && { wakeWord: process.env.WAKE_WORD.toLowerCase() }),
+    ...(process.env.PORT && { port: parseInt(process.env.PORT, 10) }),
+    ...(process.env.ALLOWED_ORIGINS && { 
+      allowedOrigins: process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
+    }),
+  };
+  
+  // Auto-discover OpenClaw gateway if not explicitly configured
+  // Priority: env vars > config.json > auto-discovery > defaults
+  const hasGatewayConfig = process.env.GATEWAY_URL || process.env.GATEWAY_TOKEN || 
+    fileConfig.gatewayUrl || fileConfig.gatewayToken;
+  
+  if (!hasGatewayConfig && !discoveryAttempted) {
+    discoveryAttempted = true;
+    try {
+      discoveryResult = await discoverGateway();
+      if (discoveryResult) {
+        log.info(`Auto-discovered OpenClaw gateway: ${discoveryResult.url} (source: ${discoveryResult.source})`);
+      }
+    } catch (err) {
+      log.warn('Gateway auto-discovery failed:', err.message);
+    }
+  }
+
+  // Apply discovered values if no explicit config exists
+  if (discoveryResult && !hasGatewayConfig) {
+    if (discoveryResult.url && cachedConfig.gatewayUrl === DEFAULTS.gatewayUrl) {
+      cachedConfig.gatewayUrl = discoveryResult.url;
+    }
+    if (discoveryResult.token && !cachedConfig.gatewayToken) {
+      cachedConfig.gatewayToken = discoveryResult.token;
+    }
+    // Mark onboarding as complete if we have both URL and token
+    if (discoveryResult.url && discoveryResult.token && discoveryResult.verified) {
+      cachedConfig.onboardingComplete = true;
+      cachedConfig._autoDiscovered = true; // Flag for UI to show discovery status
+    }
+  }
+
+  // Auto-detect TTS provider only if not explicitly set
+  // (undefined means not configured, 'none' means user explicitly disabled)
+  if (cachedConfig.ttsProvider === undefined) {
+    if (cachedConfig.elevenLabsApiKey) {
+      cachedConfig.ttsProvider = 'elevenlabs';
+    } else {
+      cachedConfig.ttsProvider = 'none';
+    }
+  }
+  
+  // Update cache timestamp
+  cacheTimestamp = Date.now();
+  
+  return cachedConfig;
+}
+
+/**
+ * Save configuration to file (with file locking to prevent race conditions)
+ */
+export async function saveConfig(updates) {
+  // Acquire lock before read-modify-write
+  let release;
+  try {
+    // Create file if it doesn't exist (lockfile needs the file to exist)
+    try {
+      await fs.access(CONFIG_PATH);
+    } catch {
+      await fs.writeFile(CONFIG_PATH, JSON.stringify(DEFAULTS, null, 2), { mode: 0o600 });
+    }
+    
+    release = await lockfile.lock(CONFIG_PATH, { 
+      retries: { retries: 5, minTimeout: 100, maxTimeout: 1000 }
+    });
+    
+    const current = await loadConfig();
+    
+    // Merge updates
+    const newConfig = {
+      ...current,
+      ...updates,
+    };
+    
+    // Don't save sensitive env-provided values to file
+    const toSave = { ...newConfig };
+    
+    // If the value came from env or auto-discovery, don't persist it to file
+    if (process.env.GATEWAY_TOKEN === toSave.gatewayToken) {
+      delete toSave.gatewayToken;
+    }
+    if (discoveryResult?.token === toSave.gatewayToken && !toSave.onboardingComplete) {
+      delete toSave.gatewayToken; // Don't duplicate OpenClaw's token into Uplink config
+    }
+    if (discoveryResult?.url === toSave.gatewayUrl && !toSave.onboardingComplete) {
+      delete toSave.gatewayUrl; // Don't duplicate OpenClaw's URL into Uplink config
+    }
+    if (process.env.ELEVENLABS_API_KEY === toSave.elevenLabsApiKey) {
+      delete toSave.elevenLabsApiKey;
+    }
+    if (process.env.OPENAI_API_KEY === toSave.openaiApiKey) {
+      delete toSave.openaiApiKey;
+    }
+    if (process.env.GROQ_API_KEY === toSave.groqApiKey) {
+      delete toSave.groqApiKey;
+    }
+    
+    // Remove internal flags before persisting
+    delete toSave._autoDiscovered;
+    
+    await fs.writeFile(CONFIG_PATH, JSON.stringify(toSave, null, 2), { mode: 0o600 });
+    
+    // Clear cache to reload
+    cachedConfig = null;
+    cacheTimestamp = 0;
+    
+    return await loadConfig();
+  } finally {
+    // Always release lock
+    if (release) {
+      await release();
+    }
+  }
+}
+
+/**
+ * Get config for client (hides sensitive values)
+ */
+export async function getClientConfig() {
+  const config = await loadConfig();
+  const { detectLocalSTT } = await import('./stt/index.js');
+  const localSTT = await detectLocalSTT();
+  
+  return {
+    userName: config.userName,
+    assistantName: config.assistantName,
+    gatewayUrl: config.gatewayUrl,
+    hasGatewayToken: !!config.gatewayToken,
+    sessionUser: config.sessionUser,
+    ttsProvider: config.ttsProvider,
+    hasElevenLabsKey: !!config.elevenLabsApiKey,
+    elevenLabsVoiceId: config.elevenLabsVoiceId,
+    ttsVoiceName: config.ttsVoiceName,
+    edgeTtsAvailable: isEdgeTTSAvailable(),
+    encryptHistory: config.encryptHistory,
+    wakeWord: config.wakeWord,
+    onboardingComplete: config.onboardingComplete,
+    autoDiscovered: !!config._autoDiscovered, // True if gateway was found via OpenClaw config
+    // OpenAI TTS
+    openaiTtsVoice: config.openaiTtsVoice,
+    openaiTtsModel: config.openaiTtsModel,
+    hasOpenaiKey: !!(config.openaiApiKey || process.env.OPENAI_API_KEY),
+    // Edge TTS
+    edgeTtsVoice: config.edgeTtsVoice,
+    // XTTS
+    localTtsUrl: config.localTtsUrl,
+    // Piper
+    piperConfigured: !!(process.env.PIPER_MODEL),
+    // STT
+    sttProvider: config.sttProvider,
+    hasGroqKey: !!config.groqApiKey,
+    groqSttModel: config.groqSttModel,
+    openaiSttModel: config.openaiSttModel,
+    fasterWhisperUrl: config.fasterWhisperUrl,
+    fasterWhisperDetected: localSTT.fasterWhisperAvailable,
+    // Real-time Voice
+    realtimeVoiceEnabled: config.realtimeVoiceEnabled,
+    realtimeVoice: config.realtimeVoice,
+    realtimeModel: config.realtimeModel,
+    // Voice Mode
+    voiceMode: config.voiceMode,
+    voiceModel: config.voiceModel,
+    agentVoiceTtsEngine: config.agentVoiceTtsEngine,
+    agentVoiceTtsVoice: config.agentVoiceTtsVoice,
+    vadSilenceDurationMs: config.vadSilenceDurationMs,
+  };
+}
+
+/**
+ * Check if onboarding is needed
+ */
+export async function needsOnboarding() {
+  const config = await loadConfig();
+  return !config.onboardingComplete || !config.gatewayToken;
+}
+
+/**
+ * Clear cached config (for testing or hot reload)
+ */
+export function clearConfigCache() {
+  cachedConfig = null;
+  cacheTimestamp = 0;
+}
+
+export default {
+  loadConfig,
+  saveConfig,
+  getClientConfig,
+  needsOnboarding,
+  clearConfigCache,
+};

package/server/share.js

@@ -0,0 +1,305 @@
+/**
+ * Share Module - Public share links for conversations
+ */
+
+import { randomUUID } from 'crypto';
+import fs from 'fs/promises';
+import path from 'path';
+import { log } from './utils.js';
+import { escapeHtml, escapeForJS } from '../utils/html-escape.js';
+import { sanitizeShareId, parseNumericParam } from '../utils/id-sanitize.js';
+import { sendSuccess, sendError } from '../utils/response.js';
+import { errors } from '../utils/errors.js';
+import { strictLimiter } from './middleware.js';
+
+// Share configuration constants
+const DEFAULT_EXPIRY_HOURS = 168; // 7 days
+const MIN_EXPIRY_HOURS = 1;
+const MAX_EXPIRY_HOURS = 8760; // 1 year
+const MAX_MESSAGE_TEXT_LENGTH = 10000;
+const MAX_MESSAGES_PER_SHARE = 500;
+
+/**
+ * Sanitize message content for safe storage and display
+ * Strips potential XSS vectors while preserving legitimate content
+ * @param {string} text - Raw message text
+ * @returns {string} Sanitized text
+ */
+function sanitizeMessageText(text) {
+  if (!text || typeof text !== 'string') {
+    return '';
+  }
+  
+  // Truncate to max length
+  let sanitized = text.substring(0, MAX_MESSAGE_TEXT_LENGTH);
+  
+  // Remove null bytes and control characters (except newlines/tabs)
+  sanitized = sanitized.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '');
+  
+  // Note: HTML escaping happens at render time in the client
+  // We store the raw text but ensure it doesn't contain script injection vectors
+  
+  return sanitized;
+}
+
+/**
+ * Validate and sanitize message type
+ * @param {string} type - Message type
+ * @returns {string} Validated type
+ */
+function sanitizeMessageType(type) {
+  const validTypes = ['user', 'assistant', 'system'];
+  if (typeof type === 'string' && validTypes.includes(type)) {
+    return type;
+  }
+  return 'user'; // Default to user if invalid
+}
+
+/**
+ * Setup share routes
+ * @param {Express} app - Express app instance
+ * @param {string} sharesDir - Directory to store shares
+ */
+export function setupShareRoutes(app, sharesDir) {
+  // Ensure shares directory exists
+  fs.mkdir(sharesDir, { recursive: true }).catch(() => {});
+
+  // Create a shareable link for a conversation
+  app.post('/api/share/create', strictLimiter, async (req, res) => {
+    try {
+      const { title, messages, expiresInHours: rawExpiry } = req.body;
+      
+      // Validate expiresInHours as number
+      const expiryResult = parseNumericParam(rawExpiry, {
+        min: MIN_EXPIRY_HOURS,
+        max: MAX_EXPIRY_HOURS,
+        defaultValue: DEFAULT_EXPIRY_HOURS,
+        paramName: 'expiresInHours'
+      });
+      
+      if (!expiryResult.valid) {
+        return errors.badRequest(res, expiryResult.error);
+      }
+      const expiresInHours = expiryResult.value;
+      
+      // Validate messages array
+      if (!messages || !Array.isArray(messages) || messages.length === 0) {
+        return errors.badRequest(res, 'messages array required');
+      }
+      
+      if (messages.length > MAX_MESSAGES_PER_SHARE) {
+        return errors.badRequest(res, `Too many messages (max ${MAX_MESSAGES_PER_SHARE})`);
+      }
+      
+      const shareId = randomUUID().replace(/-/g, '').substring(0, 12);
+      const shareFile = path.join(sharesDir, `${shareId}.json`);
+      
+      // Sanitize title
+      const safeTitle = typeof title === 'string' 
+        ? title.substring(0, 200).replace(/[\x00-\x1F\x7F]/g, '')
+        : 'Shared Conversation';
+      
+      // Sanitize messages with server-side validation
+      const sanitizedMessages = messages.map(m => ({
+        type: sanitizeMessageType(m.type),
+        text: sanitizeMessageText(m.text),
+        timestamp: typeof m.timestamp === 'number' ? m.timestamp : Date.now()
+      }));
+      
+      const shareData = {
+        id: shareId,
+        title: safeTitle,
+        messages: sanitizedMessages,
+        createdAt: Date.now(),
+        expiresAt: Date.now() + (expiresInHours * 60 * 60 * 1000),
+        viewCount: 0
+      };
+      
+      // Atomic write: write to temp file first, then rename
+      const tempShareFile = path.join(sharesDir, `.tmp-${shareId}-${randomUUID()}.json`);
+      await fs.writeFile(tempShareFile, JSON.stringify(shareData, null, 2));
+      await fs.rename(tempShareFile, shareFile);
+      
+      log('info', `[Share] Created share: ${shareId}`);
+      
+      return sendSuccess(res, {
+        shareId,
+        shareUrl: `/share/${shareId}`,
+        expiresAt: shareData.expiresAt
+      });
+    } catch (e) {
+      log('error', '[Share] Create error:', e.message);
+      return errors.serverError(res, 'Failed to create share');
+    }
+  });
+
+  // Get shared conversation
+  app.get('/api/share/:shareId', async (req, res) => {
+    try {
+      const { shareId } = req.params;
+      
+      // Validate shareId using centralized utility
+      const shareIdResult = sanitizeShareId(shareId);
+      if (!shareIdResult.valid) {
+        return errors.badRequest(res, shareIdResult.error);
+      }
+      const safeShareId = shareIdResult.sanitized;
+      
+      const shareFile = path.join(sharesDir, `${safeShareId}.json`);
+      
+      try {
+        const data = await fs.readFile(shareFile, 'utf8');
+        const shareData = JSON.parse(data);
+        
+        if (Date.now() > shareData.expiresAt) {
+          await fs.unlink(shareFile).catch(() => {});
+          return errors.notFound(res, 'Share link has expired');
+        }
+        
+        shareData.viewCount++;
+        await fs.writeFile(shareFile, JSON.stringify(shareData, null, 2));
+        
+        return sendSuccess(res, shareData);
+      } catch (e) {
+        return errors.notFound(res, 'Share not found');
+      }
+    } catch (e) {
+      log('error', '[Share] Get error:', e.message);
+      return errors.serverError(res, 'Failed to get share');
+    }
+  });
+
+  // Delete a share
+  app.delete('/api/share/:shareId', strictLimiter, async (req, res) => {
+    try {
+      const { shareId } = req.params;
+      
+      // Validate shareId using centralized utility
+      const shareIdResult = sanitizeShareId(shareId);
+      if (!shareIdResult.valid) {
+        return errors.badRequest(res, shareIdResult.error);
+      }
+      const safeShareId = shareIdResult.sanitized;
+      
+      const shareFile = path.join(sharesDir, `${safeShareId}.json`);
+      
+      await fs.unlink(shareFile);
+      return sendSuccess(res);
+    } catch (e) {
+      return errors.notFound(res, 'Share not found');
+    }
+  });
+
+  // Serve shared conversation page
+  app.get('/share/:shareId', async (req, res) => {
+    res.send(getSharePageHTML(req.params.shareId));
+  });
+}
+
+/**
+ * Generate HTML for share page
+ */
+function getSharePageHTML(shareId) {
+  // Sanitize shareId to prevent XSS - only allow alphanumeric
+  const safeShareId = escapeForJS(shareId.replace(/[^a-zA-Z0-9]/g, '').substring(0, 12));
+  
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Shared Conversation - Uplink</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body { 
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+      background: #0f0f1a; 
+      color: #fff;
+      min-height: 100vh;
+      padding: 20px;
+    }
+    .container { max-width: 700px; margin: 0 auto; }
+    .header { 
+      text-align: center; 
+      padding: 20px 0 30px;
+      border-bottom: 1px solid #333;
+      margin-bottom: 20px;
+    }
+    .logo { font-size: 2em; margin-bottom: 8px; }
+    .title { font-size: 1.2em; color: #888; }
+    .messages { display: flex; flex-direction: column; gap: 12px; }
+    .message { 
+      padding: 12px 16px; 
+      border-radius: 12px; 
+      max-width: 85%;
+    }
+    .message.user { 
+      background: #6366f1; 
+      align-self: flex-end;
+      border-bottom-right-radius: 4px;
+    }
+    .message.assistant { 
+      background: #1e1e2e; 
+      align-self: flex-start;
+      border-bottom-left-radius: 4px;
+    }
+    .footer {
+      text-align: center;
+      margin-top: 30px;
+      padding-top: 20px;
+      border-top: 1px solid #333;
+      color: #666;
+      font-size: 0.9em;
+    }
+    .footer a { color: #6366f1; text-decoration: none; }
+    .error { text-align: center; padding: 40px; color: #ef4444; }
+    .loading { text-align: center; padding: 40px; color: #888; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="header">
+      <div class="logo">🛰️ Uplink</div>
+      <div class="title" id="shareTitle">Loading...</div>
+    </div>
+    <div class="messages" id="messages">
+      <div class="loading">Loading conversation...</div>
+    </div>
+    <div class="footer">
+      Shared via <a href="/">Uplink</a>
+    </div>
+  </div>
+  <script>
+    function esc(s) { var d = document.createElement('div'); d.textContent = s; return d.innerHTML; }
+    const shareId = '${safeShareId}';
+    fetch('/api/share/' + shareId)
+      .then(r => r.json())
+      .then(data => {
+        if (!data.ok || data.error) {
+          document.getElementById('shareTitle').textContent = 'Error';
+          document.getElementById('messages').innerHTML = '<div class="error">' + esc(data.error || 'Unknown error') + '</div>';
+          return;
+        }
+        document.getElementById('shareTitle').textContent = data.title;
+        document.getElementById('messages').innerHTML = data.messages
+          .filter(m => m.type !== 'system')
+          .map(m => '<div class="message ' + m.type + '">' + escapeHtml(m.text) + '</div>')
+          .join('');
+      })
+      .catch(e => {
+        document.getElementById('shareTitle').textContent = 'Error';
+        document.getElementById('messages').innerHTML = '<div class="error">Failed to load</div>';
+      });
+    function escapeHtml(text) {
+      const div = document.createElement('div');
+      div.textContent = text;
+      return div.innerHTML.replace(/\\n/g, '<br>');
+    }
+  </script>
+</body>
+</html>
+  `;
+}
+
+export default { setupShareRoutes };