npm - @myrialabs/clopen - Versions diffs - 0.1.10 → 0.2.0 - Mend

@myrialabs/clopen 0.1.10 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/README.md +23 -1
package/backend/index.ts +20 -0
package/backend/lib/auth/auth-service.ts +484 -0
package/backend/lib/auth/index.ts +4 -0
package/backend/lib/auth/permissions.ts +63 -0
package/backend/lib/auth/rate-limiter.ts +145 -0
package/backend/lib/auth/tokens.ts +53 -0
package/backend/lib/database/migrations/024_create_users_table.ts +29 -0
package/backend/lib/database/migrations/025_create_auth_sessions_table.ts +38 -0
package/backend/lib/database/migrations/026_create_invite_tokens_table.ts +31 -0
package/backend/lib/database/migrations/index.ts +21 -0
package/backend/lib/database/queries/auth-queries.ts +201 -0
package/backend/lib/database/queries/index.ts +2 -1
package/backend/lib/engine/adapters/opencode/server.ts +1 -1
package/backend/lib/mcp/config.ts +13 -18
package/backend/lib/mcp/index.ts +9 -0
package/backend/lib/mcp/remote-server.ts +132 -0
package/backend/lib/mcp/servers/helper.ts +49 -3
package/backend/lib/mcp/servers/index.ts +3 -2
package/backend/lib/preview/browser/browser-audio-capture.ts +20 -3
package/backend/lib/preview/browser/browser-navigation-tracker.ts +3 -0
package/backend/lib/preview/browser/browser-pool.ts +73 -176
package/backend/lib/preview/browser/browser-preview-service.ts +3 -2
package/backend/lib/preview/browser/browser-tab-manager.ts +261 -23
package/backend/lib/preview/browser/browser-video-capture.ts +36 -1
package/backend/lib/utils/ws.ts +65 -1
package/backend/ws/auth/index.ts +17 -0
package/backend/ws/auth/invites.ts +84 -0
package/backend/ws/auth/login.ts +269 -0
package/backend/ws/auth/status.ts +41 -0
package/backend/ws/auth/users.ts +32 -0
package/backend/ws/engine/claude/accounts.ts +3 -1
package/backend/ws/engine/utils.ts +38 -6
package/backend/ws/index.ts +4 -4
package/backend/ws/preview/browser/interact.ts +27 -5
package/bin/clopen.ts +39 -0
package/bun.lock +113 -51
package/frontend/App.svelte +47 -29
package/frontend/lib/components/auth/InvitePage.svelte +215 -0
package/frontend/lib/components/auth/LoginPage.svelte +129 -0
package/frontend/lib/components/auth/SetupPage.svelte +1022 -0
package/frontend/lib/components/common/FolderBrowser.svelte +9 -9
package/frontend/lib/components/common/UpdateBanner.svelte +2 -2
package/frontend/lib/components/preview/browser/BrowserPreview.svelte +1 -1
package/frontend/lib/components/preview/browser/core/mcp-handlers.svelte.ts +12 -4
package/frontend/lib/components/settings/SettingsModal.svelte +50 -15
package/frontend/lib/components/settings/SettingsView.svelte +21 -7
package/frontend/lib/components/settings/account/AccountSettings.svelte +5 -0
package/frontend/lib/components/settings/admin/InviteManagement.svelte +239 -0
package/frontend/lib/components/settings/admin/UserManagement.svelte +127 -0
package/frontend/lib/components/settings/general/AdvancedSettings.svelte +10 -4
package/frontend/lib/components/settings/general/AuthModeSettings.svelte +229 -0
package/frontend/lib/components/settings/general/GeneralSettings.svelte +6 -1
package/frontend/lib/components/settings/general/UpdateSettings.svelte +5 -5
package/frontend/lib/components/settings/security/SecuritySettings.svelte +10 -0
package/frontend/lib/components/settings/system/SystemSettings.svelte +10 -0
package/frontend/lib/components/settings/user/UserSettings.svelte +147 -74
package/frontend/lib/components/workspace/WorkspaceLayout.svelte +5 -10
package/frontend/lib/services/preview/browser/browser-webcodecs.service.ts +31 -8
package/frontend/lib/stores/features/auth.svelte.ts +296 -0
package/frontend/lib/stores/features/settings.svelte.ts +53 -9
package/frontend/lib/stores/features/user.svelte.ts +26 -68
package/frontend/lib/stores/ui/settings-modal.svelte.ts +42 -21
package/frontend/lib/stores/ui/update.svelte.ts +2 -2
package/package.json +8 -6
package/shared/types/stores/settings.ts +16 -2
package/shared/utils/logger.ts +1 -0
package/shared/utils/ws-client.ts +30 -13
package/shared/utils/ws-server.ts +42 -4
package/backend/lib/mcp/stdio-server.ts +0 -103
package/backend/ws/mcp/index.ts +0 -61

package/backend/lib/preview/browser/browser-tab-manager.ts CHANGED Viewed

@@ -623,41 +623,115 @@ export class BrowserTabManager extends EventEmitter {
 		page.setDefaultNavigationTimeout(30000);
 		// Configure page for stability
-		await page.setExtraHTTPHeaders({
-			'Accept-Language': 'en-US,en;q=0.9',
-			'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
-		});
-		// Optimize font loading to prevent screenshot timeouts
-		await page.evaluateOnNewDocument(() => {
-			// Disable font loading wait
-			Object.defineProperty(document, 'fonts', {
-				value: {
-					ready: Promise.resolve(),
-					load: () => Promise.resolve([]),
-					check: () => true,
-					addEventListener: () => {},
-					removeEventListener: () => {}
-				}
-			});
-		});
+		// Note: Do NOT set HTTP headers manually here (like Accept-Language).
+		// Setting extra headers alters the HTTP/2 pseudo-header order and capitalization
+		// which immediately gets flagged by Cloudflare's TLS/Fingerprint matching algorithms.
-		// Inject audio capture script BEFORE page loads to intercept AudioContext
-		await this.audioCapture.setupAudioCapture(page, DEFAULT_STREAMING_CONFIG.audio);
+		// Audio capture is injected post-navigation in BrowserVideoCapture.startStreaming()
+		// to avoid Cloudflare fingerprint detection of AudioContext constructor patching.
 		// Simplified cursor tracking for visual feedback only
 		await this.injectCursorTracking(page);
+		// Suppress Cloudflare Turnstile error callbacks to prevent sites from showing
+		// "CAPTCHA verification failed" popups in headless Chrome (error 600010).
+		//
+		// Strategy: Let the real Turnstile script load and define window.turnstile normally
+		// (needed for CF Managed Challenge auto-pass via StealthPlugin fingerprinting).
+		// Intercept window.turnstile assignment via getter/setter and patch render()/execute()
+		// to replace error-callback/expired-callback with no-ops before they are registered.
+		// Also strip data-error-callback attributes from DOM elements via MutationObserver
+		// to cover implicit render (data-sitekey) usage.
+		//
+		// This does NOT block challenges.cloudflare.com — CF Managed Challenge needs that
+		// URL to run its JS verification. Only the error reporting path is suppressed.
+		await page.evaluateOnNewDocument(function () {
+			(function () {
+				let _turnstile: any;
+				function patchOptions(options: Record<string, unknown>) {
+					return Object.assign({}, options, {
+						'error-callback': function () {},
+						'expired-callback': function () {}
+					});
+				}
+				function patchApi(api: any) {
+					if (!api || typeof api !== 'object') return api;
+					['render', 'execute'].forEach(function (method: string) {
+						if (typeof api[method] === 'function') {
+							const orig = api[method].bind(api);
+							api[method] = function (container: unknown, opts: Record<string, unknown>) {
+								return orig(container, patchOptions(opts || {}));
+							};
+						}
+					});
+					return api;
+				}
+				try {
+					Object.defineProperty(window, 'turnstile', {
+						configurable: true,
+						enumerable: true,
+						get() { return _turnstile; },
+						set(val: any) { _turnstile = patchApi(val); }
+					});
+				} catch {
+					// Property already defined or can't be intercepted
+				}
+				// Strip data-error-callback / data-expired-callback from Turnstile elements
+				// before implicit render reads them, so no error handler is registered.
+				function stripErrorAttrs(el: Element) {
+					el.removeAttribute('data-error-callback');
+					el.removeAttribute('data-expired-callback');
+				}
+				const mo = new MutationObserver(function (mutations) {
+					mutations.forEach(function (m) {
+						m.addedNodes.forEach(function (node) {
+							if (!(node instanceof Element)) return;
+							if (node.hasAttribute('data-error-callback') || node.hasAttribute('data-expired-callback')) {
+								stripErrorAttrs(node);
+							}
+							node.querySelectorAll('[data-error-callback],[data-expired-callback]').forEach(stripErrorAttrs);
+						});
+					});
+				});
+				if (document.documentElement) {
+					mo.observe(document.documentElement, { childList: true, subtree: true });
+				}
+			})();
+		});
+		// Auto-dismiss native browser dialogs to prevent page hang in headless mode.
+		// alert() → accept (one-way informational, safe to dismiss)
+		// confirm()/prompt() → dismiss/cancel (avoid unintended side effects)
+		// CAPTCHA-related alerts are silently dismissed.
+		page.on('dialog', async (dialog) => {
+			const type = dialog.type();
+			if (type === 'alert') {
+				await dialog.accept().catch(() => {});
+			} else {
+				await dialog.dismiss().catch(() => {});
+			}
+		});
 	}
 	/**
 	 * Inject cursor tracking script
 	 */
 	private async injectCursorTracking(page: Page) {
-		await page.evaluateOnNewDocument(cursorTrackingScript);
+		// Temporarily disabled mapping logic as CloudFlare frequently flags evaluateOnNewDocument injected tracking events
+		// await page.evaluateOnNewDocument(cursorTrackingScript);
 	}
 	/**
-	 * Navigate with retry
+	 * Navigate with retry, including Cloudflare auto-pass detection and CAPTCHA popup dismissal.
 	 */
 	private async navigateWithRetry(page: Page, url: string): Promise<string> {
 		let retries = 3;
@@ -669,7 +743,9 @@ export class BrowserTabManager extends EventEmitter {
 					waitUntil: 'domcontentloaded',
 					timeout: 30000
 				});
-				actualUrl = page.url();
+				actualUrl = await this.waitForCloudflareIfPresent(page);
+				// Dismiss any CAPTCHA failure popups from embedded Turnstile widgets
+				await this.dismissCaptchaPopupsIfPresent(page);
 				break;
 			} catch (error) {
 				retries--;
@@ -684,6 +760,168 @@ export class BrowserTabManager extends EventEmitter {
 		return actualUrl;
 	}
+	/**
+	 * Detect Cloudflare challenge page and wait for auto-pass redirect.
+	 * Loops up to MAX_CF_RETRIES times to handle infinite verify loops where
+	 * Cloudflare keeps redirecting back to a new challenge after each pass.
+	 */
+	private async waitForCloudflareIfPresent(page: Page): Promise<string> {
+		const MAX_CF_RETRIES = 5;
+		for (let attempt = 0; attempt < MAX_CF_RETRIES; attempt++) {
+			let isChallenge = false;
+			try {
+				isChallenge = await page.evaluate(() => {
+					const title = document.title;
+					const bodyText = (document.body?.innerText || '').slice(0, 500).toLowerCase();
+					return (
+						// Old automated CF challenge
+						title === 'Just a moment...' ||
+						// Newer interactive CF challenge ("Performing security verification")
+						title.toLowerCase().includes('security verification') ||
+						bodyText.includes('verify you are human') ||
+						bodyText.includes('performing security verification') ||
+						// CF challenge DOM elements (reliable, present on challenge pages only)
+						document.getElementById('challenge-running') !== null ||
+						document.getElementById('cf-challenge-running') !== null ||
+						document.getElementById('challenge-form') !== null ||
+						document.querySelector('#challenge-stage') !== null
+					);
+				});
+			} catch {
+				// Page not evaluable (navigating, closed) — not a CF challenge
+				break;
+			}
+			if (!isChallenge) {
+				break;
+			}
+			debug.log('preview', `🛡️ Cloudflare challenge detected (attempt ${attempt + 1}/${MAX_CF_RETRIES}), waiting for auto-pass...`);
+			try {
+				await page.waitForNavigation({
+					waitUntil: 'domcontentloaded',
+					timeout: 20000
+				});
+				debug.log('preview', `✅ Cloudflare navigation → ${page.url()}`);
+			} catch {
+				debug.warn('preview', `⚠️ Cloudflare auto-pass timed out on attempt ${attempt + 1}, proceeding`);
+				break;
+			}
+		}
+		return page.url();
+	}
+	/**
+	 * Inject a persistent non-blocking watcher into the page that auto-dismisses
+	 * CAPTCHA failure popups whenever they appear (Cloudflare Turnstile error 600010,
+	 * reCAPTCHA failures, etc.).
+	 *
+	 * Uses MutationObserver + setInterval so it catches popups regardless of when they
+	 * appear after page load. Returns immediately — the watcher runs inside the page.
+	 */
+	private async dismissCaptchaPopupsIfPresent(page: Page): Promise<void> {
+		try {
+			await page.evaluate(() => {
+				const CAPTCHA_WORDS = ['captcha', 'turnstile', 'human verification', 'robot', 'bot detected'];
+				const FAIL_WORDS = ['failed', 'error', 'invalid', 'verification failed', 'try again', 'unable to verify'];
+				const DISMISS_LABELS = ['ok', 'close', 'dismiss', 'cancel', 'retry', 'try again', 'continue', 'got it'];
+				const isCaptchaText = (text: string): boolean => {
+					const t = text.toLowerCase();
+					return (
+						CAPTCHA_WORDS.some(w => t.includes(w)) &&
+						FAIL_WORDS.some(w => t.includes(w))
+					);
+				};
+				const tryDismiss = (): boolean => {
+					// Strategy 1: click a dismiss button whose ancestor contains CAPTCHA failure text
+					const buttons = Array.from(document.querySelectorAll<HTMLElement>(
+						'button, input[type="button"], input[type="submit"], a[role="button"]'
+					));
+					for (const btn of buttons) {
+						const label = (
+							btn instanceof HTMLInputElement ? btn.value : btn.innerText || btn.textContent || ''
+						).trim().toLowerCase();
+						if (!DISMISS_LABELS.includes(label)) continue;
+						let el: Element | null = btn.parentElement;
+						while (el && el !== document.body) {
+							if (isCaptchaText((el as HTMLElement).innerText || '')) {
+								(btn as HTMLElement).click();
+								return true;
+							}
+							el = el.parentElement;
+						}
+					}
+					// Strategy 2: hide any visible modal/overlay containing CAPTCHA failure text
+					const overlaySelectors = [
+						'[class*="modal"]', '[class*="popup"]', '[class*="dialog"]',
+						'[class*="overlay"]', '[class*="alert"]', '[class*="notification"]',
+						'[role="dialog"]', '[role="alertdialog"]', '[role="alert"]'
+					];
+					const overlays = document.querySelectorAll<HTMLElement>(overlaySelectors.join(','));
+					for (const overlay of overlays) {
+						if (!isCaptchaText(overlay.innerText || '')) continue;
+						const style = overlay.style;
+						if (style.display === 'none' || style.visibility === 'hidden') continue;
+						// Try clicking a close button first
+						const closeBtn = overlay.querySelector<HTMLElement>(
+							'button, [class*="close"], [aria-label*="lose"], [aria-label*="ismiss"]'
+						);
+						if (closeBtn) {
+							closeBtn.click();
+						} else {
+							style.display = 'none';
+						}
+						return true;
+					}
+					return false;
+				};
+				// Run immediately in case popup is already present
+				if (tryDismiss()) return;
+				// Set up persistent watcher — fires on any DOM mutation
+				const observer = new MutationObserver(() => {
+					if (tryDismiss()) {
+						observer.disconnect();
+						clearInterval(ticker);
+					}
+				});
+				// Also poll via interval as safety net (MutationObserver may miss text changes)
+				const ticker = setInterval(() => {
+					if (tryDismiss()) {
+						clearInterval(ticker);
+						observer.disconnect();
+					}
+				}, 400);
+				if (document.body) {
+					observer.observe(document.body, { childList: true, subtree: true, characterData: true });
+				}
+				// Self-cleanup after 30 seconds to avoid memory leaks
+				setTimeout(() => {
+					observer.disconnect();
+					clearInterval(ticker);
+				}, 30000);
+			});
+			debug.log('preview', '🔔 CAPTCHA auto-dismiss watcher injected into page');
+		} catch {
+			// Page closed or navigated away — ignore
+		}
+	}
 	/**
 	 * Setup browser event handlers
 	 */

package/backend/lib/preview/browser/browser-video-capture.ts CHANGED Viewed

@@ -31,6 +31,7 @@ import type { Page } from 'puppeteer';
 import type { BrowserTab, StreamingConfig } from './types';
 import { DEFAULT_STREAMING_CONFIG } from './types';
 import { videoEncoderScript } from './scripts/video-stream';
+import { audioCaptureScript } from './scripts/audio-stream';
 import { debug } from '$shared/utils/logger';
 interface VideoStreamSession {
@@ -157,7 +158,8 @@ export class BrowserVideoCapture extends EventEmitter {
 			// Inject persistent video encoder script (survives navigation)
 			// Only inject once per page instance
 			if (!videoSession.scriptInjected) {
-				await page.evaluateOnNewDocument(videoEncoderScript, videoConfig);
+				// Temporarily disable evaluateOnNewDocument for evasion test
+				// await page.evaluateOnNewDocument(videoEncoderScript, videoConfig);
 				videoSession.scriptInjected = true;
 				debug.log('webcodecs', `Persistent video encoder script injected for ${sessionId}`);
 			}
@@ -166,6 +168,12 @@ export class BrowserVideoCapture extends EventEmitter {
 			// (evaluateOnNewDocument only runs on NEXT navigation)
 			await page.evaluate(videoEncoderScript, videoConfig);
+			// Inject audio capture script post-navigation to avoid CF detection.
+			// Using page.evaluate() instead of evaluateOnNewDocument() ensures
+			// AudioContext patching happens AFTER Cloudflare challenges pass,
+			// preventing fingerprint detection of constructor interception.
+			await page.evaluate(audioCaptureScript, config.audio);
 			// Verify peer was created
 			const peerExists = await page.evaluate(() => {
 				return typeof (window as any).__webCodecsPeer?.startStreaming === 'function';
@@ -570,6 +578,9 @@ export class BrowserVideoCapture extends EventEmitter {
 			await page.evaluate(videoEncoderScript, videoConfig);
+			// Re-inject audio capture script for new page context (post-navigation)
+			await page.evaluate(audioCaptureScript, config.audio);
 			// Verify peer was re-created
 			const peerExists = await page.evaluate(() => {
 				return typeof (window as any).__webCodecsPeer?.startStreaming === 'function';
@@ -590,6 +601,25 @@ export class BrowserVideoCapture extends EventEmitter {
 				return false;
 			}
+			// Re-initialize and start audio capture after navigation
+			try {
+				const audioReady = await page.evaluate(async () => {
+					const encoder = (window as any).__audioEncoder;
+					if (!encoder) return false;
+					const initiated = await encoder.init();
+					if (initiated) return encoder.start();
+					return false;
+				});
+				if (audioReady) {
+					debug.log('webcodecs', 'Audio re-initialized after navigation');
+				} else {
+					debug.warn('webcodecs', 'Audio not available after navigation, continuing with video only');
+				}
+			} catch {
+				debug.warn('webcodecs', 'Audio re-init failed after navigation, continuing with video only');
+			}
 			// Restart CDP screencast
 			const cdp = (session as any).__webCodecsCdp;
 			if (cdp) {
@@ -631,6 +661,11 @@ export class BrowserVideoCapture extends EventEmitter {
 		if (session?.page && !session.page.isClosed()) {
 			try {
+				// Stop audio encoder
+				await session.page.evaluate(() => {
+					(window as any).__audioEncoder?.stop();
+				}).catch(() => {});
 				// Stop peer
 				await session.page.evaluate(() => {
 					(window as any).__webCodecsPeer?.stopStreaming();

package/backend/lib/utils/ws.ts CHANGED Viewed

@@ -67,6 +67,12 @@ interface ConnectionState {
 	chatSessionIds: Set<string>;
 	/** Cleanup functions called automatically on unregister (connection close) */
 	cleanups: Set<() => void>;
+	/** Whether this connection has been authenticated */
+	authenticated: boolean;
+	/** User role (admin or member) — set by auth handler */
+	role: 'admin' | 'member' | null;
+	/** Hash of the session token used for this connection */
+	sessionTokenHash: string | null;
 }
 /**
@@ -140,7 +146,7 @@ class WSServer {
 		const id = crypto.randomUUID();
 		this.rawToId.set(raw, id);
 		this.connections.set(id, conn);
-		this.connectionState.set(id, { userId: null, projectId: null, chatSessionIds: new Set(), cleanups: new Set() });
+		this.connectionState.set(id, { userId: null, projectId: null, chatSessionIds: new Set(), cleanups: new Set(), authenticated: false, role: null, sessionTokenHash: null });
 		this.metrics.totalConnections = this.connections.size;
 		debug.log('websocket', `Connection registered: ${id} (total: ${this.connections.size})`);
@@ -516,6 +522,64 @@ class WSServer {
 		return this.connectionState.get(id);
 	}
+	/**
+	 * Set authentication state for a connection.
+	 * Called by auth handlers after successful login/setup/invite.
+	 */
+	setAuth(conn: WSConnection, userId: string, role: 'admin' | 'member', sessionTokenHash: string): void {
+		const wsId = this.ensureRegistered(conn);
+		const state = this.connectionState.get(wsId);
+		if (state) {
+			state.authenticated = true;
+			state.role = role;
+			state.sessionTokenHash = sessionTokenHash;
+		}
+		// Also set userId via existing method (handles room management)
+		this.setUser(conn, userId);
+		debug.log('websocket', `Connection ${wsId} authenticated: userId=${userId}, role=${role}`);
+	}
+	/**
+	 * Get the role for a connection.
+	 */
+	getRole(conn: WSConnection): 'admin' | 'member' | null {
+		const id = this.resolveId(conn);
+		if (!id) return null;
+		return this.connectionState.get(id)?.role ?? null;
+	}
+	/**
+	 * Check if a connection is authenticated.
+	 */
+	isAuthenticated(conn: WSConnection): boolean {
+		const id = this.resolveId(conn);
+		if (!id) return false;
+		return this.connectionState.get(id)?.authenticated ?? false;
+	}
+	/**
+	 * Get remote IP address of a connection.
+	 */
+	getRemoteAddress(conn: WSConnection): string {
+		const raw = (conn as any).raw;
+		return raw?.remoteAddress ?? 'unknown';
+	}
+	/**
+	 * Clear authentication state for a connection (logout).
+	 */
+	clearAuth(conn: WSConnection): void {
+		const id = this.resolveId(conn);
+		if (!id) return;
+		const state = this.connectionState.get(id);
+		if (state) {
+			state.authenticated = false;
+			state.role = null;
+			state.sessionTokenHash = null;
+		}
+		debug.log('websocket', `Connection ${id} auth cleared`);
+	}
 	/**
 	 * Check if connection can receive data (backpressure check)
 	 */

package/backend/ws/auth/index.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { createRouter } from '$shared/utils/ws-server';
+import { t } from 'elysia';
+import { statusHandler } from './status';
+import { loginHandler } from './login';
+import { inviteHandler } from './invites';
+import { usersHandler } from './users';
+export const authRouter = createRouter()
+	.merge(statusHandler)
+	.merge(loginHandler)
+	.merge(inviteHandler)
+	.merge(usersHandler)
+	// Declare auth:error event (emitted by auth gate in WSRouter)
+	.emit('auth:error', t.Object({
+		error: t.String(),
+		blockedAction: t.String()
+	}));

package/backend/ws/auth/invites.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import { t } from 'elysia';
+import { createRouter } from '$shared/utils/ws-server';
+import { createInvite, listInvites, revokeInvite } from '$backend/lib/auth/auth-service';
+import { ws } from '$backend/lib/utils/ws';
+export const inviteHandler = createRouter()
+	// Create invite token (admin only — enforced by auth gate)
+	.http('auth:create-invite', {
+		data: t.Object({
+			label: t.Optional(t.String()),
+			maxUses: t.Optional(t.Number({ minimum: 0 })),
+			expiresInMinutes: t.Optional(t.Number({ minimum: 1 }))
+		}),
+		response: t.Object({
+			inviteToken: t.String(),
+			invite: t.Object({
+				id: t.String(),
+				role: t.String(),
+				label: t.Union([t.String(), t.Null()]),
+				max_uses: t.Number(),
+				use_count: t.Number(),
+				expires_at: t.Union([t.String(), t.Null()]),
+				created_at: t.String()
+			})
+		})
+	}, async ({ data, conn }) => {
+		const userId = ws.getUserId(conn);
+		const result = createInvite(userId, {
+			label: data.label,
+			maxUses: data.maxUses,
+			expiresInMinutes: data.expiresInMinutes
+		});
+		return {
+			inviteToken: result.inviteToken,
+			invite: {
+				id: result.invite!.id,
+				role: result.invite!.role,
+				label: result.invite!.label,
+				max_uses: result.invite!.max_uses,
+				use_count: result.invite!.use_count,
+				expires_at: result.invite!.expires_at,
+				created_at: result.invite!.created_at
+			}
+		};
+	})
+	// List all invites (admin only)
+	.http('auth:list-invites', {
+		data: t.Object({}),
+		response: t.Array(t.Object({
+			id: t.String(),
+			role: t.String(),
+			label: t.Union([t.String(), t.Null()]),
+			max_uses: t.Number(),
+			use_count: t.Number(),
+			expires_at: t.Union([t.String(), t.Null()]),
+			created_at: t.String()
+		}))
+	}, async () => {
+		const invites = listInvites();
+		return invites.map(inv => ({
+			id: inv.id,
+			role: inv.role,
+			label: inv.label,
+			max_uses: inv.max_uses,
+			use_count: inv.use_count,
+			expires_at: inv.expires_at,
+			created_at: inv.created_at
+		}));
+	})
+	// Revoke invite (admin only)
+	.http('auth:revoke-invite', {
+		data: t.Object({
+			id: t.String({ minLength: 1 })
+		}),
+		response: t.Object({
+			success: t.Boolean()
+		})
+	}, async ({ data }) => {
+		revokeInvite(data.id);
+		return { success: true };
+	});