@myrialabs/clopen 0.1.10 → 0.2.1

package/backend/lib/auth/rate-limiter.ts

@@ -0,0 +1,145 @@
+/**
+ * Auth Rate Limiter
+ *
+ * Protects auth endpoints against brute-force and credential stuffing attacks.
+ * Tracks failed attempts per IP with progressive lockout.
+ *
+ * Thresholds:
+ *   5 failures  → 30 second lockout
+ *   10 failures → 2 minute lockout
+ *   20 failures → 10 minute lockout
+ *
+ * Attempts decay after the lockout window expires.
+ */
+
+import { debug } from '$shared/utils/logger';
+
+/** Routes that should be rate-limited */
+const RATE_LIMITED_ROUTES = new Set([
+	'auth:login',
+	'auth:accept-invite',
+	'auth:validate-invite',
+	'auth:setup'
+]);
+
+interface AttemptRecord {
+	failures: number;
+	lastFailure: number;
+	lockedUntil: number;
+}
+
+/** Lockout tiers: [maxFailures, lockoutMs] */
+const LOCKOUT_TIERS: [number, number][] = [
+	[5, 30_000],       // 5 failures  → 30 seconds
+	[10, 2 * 60_000],  // 10 failures → 2 minutes
+	[20, 10 * 60_000], // 20 failures → 10 minutes
+];
+
+/** After this duration of no failures, the record is considered stale and cleaned up */
+const STALE_AFTER_MS = 15 * 60_000; // 15 minutes
+
+/** How often to run cleanup (ms) */
+const CLEANUP_INTERVAL_MS = 5 * 60_000; // 5 minutes
+
+class AuthRateLimiter {
+	private attempts = new Map<string, AttemptRecord>();
+	private cleanupTimer: ReturnType<typeof setInterval> | null = null;
+
+	constructor() {
+		// Periodic cleanup of stale entries
+		this.cleanupTimer = setInterval(() => this.cleanup(), CLEANUP_INTERVAL_MS);
+	}
+
+	/**
+	 * Check if an action is rate-limited for the given identifier.
+	 * Returns null if allowed, or an error message if blocked.
+	 */
+	check(identifier: string, action: string): string | null {
+		if (!RATE_LIMITED_ROUTES.has(action)) {
+			return null; // Not a rate-limited route
+		}
+
+		const record = this.attempts.get(identifier);
+		if (!record) {
+			return null; // No previous failures
+		}
+
+		const now = Date.now();
+
+		// Check if currently locked out
+		if (record.lockedUntil > now) {
+			const remainingSec = Math.ceil((record.lockedUntil - now) / 1000);
+			debug.warn('auth', `Rate limited: ${identifier} (${remainingSec}s remaining, ${record.failures} failures)`);
+			return `Too many failed attempts. Try again in ${remainingSec} seconds.`;
+		}
+
+		return null;
+	}
+
+	/**
+	 * Record a failed auth attempt for the given identifier.
+	 */
+	recordFailure(identifier: string, action: string): void {
+		if (!RATE_LIMITED_ROUTES.has(action)) return;
+
+		const now = Date.now();
+		const record = this.attempts.get(identifier) ?? { failures: 0, lastFailure: 0, lockedUntil: 0 };
+
+		record.failures += 1;
+		record.lastFailure = now;
+
+		// Determine lockout duration based on failure count
+		let lockoutMs = 0;
+		for (const [threshold, duration] of LOCKOUT_TIERS) {
+			if (record.failures >= threshold) {
+				lockoutMs = duration;
+			}
+		}
+
+		if (lockoutMs > 0) {
+			record.lockedUntil = now + lockoutMs;
+			debug.warn('auth', `Lockout triggered: ${identifier} — ${record.failures} failures, locked for ${lockoutMs / 1000}s`);
+		}
+
+		this.attempts.set(identifier, record);
+	}
+
+	/**
+	 * Clear failure record on successful auth (e.g., successful login).
+	 */
+	recordSuccess(identifier: string): void {
+		this.attempts.delete(identifier);
+	}
+
+	/**
+	 * Remove stale entries to prevent memory leaks.
+	 */
+	private cleanup(): void {
+		const now = Date.now();
+		let removed = 0;
+
+		for (const [key, record] of this.attempts) {
+			if (now - record.lastFailure > STALE_AFTER_MS && record.lockedUntil < now) {
+				this.attempts.delete(key);
+				removed++;
+			}
+		}
+
+		if (removed > 0) {
+			debug.log('auth', `Rate limiter cleanup: removed ${removed} stale entries`);
+		}
+	}
+
+	/**
+	 * Dispose — stop cleanup timer.
+	 */
+	dispose(): void {
+		if (this.cleanupTimer) {
+			clearInterval(this.cleanupTimer);
+			this.cleanupTimer = null;
+		}
+	}
+}
+
+/** Singleton rate limiter instance */
+export const authRateLimiter = new AuthRateLimiter();

package/backend/lib/auth/tokens.ts

@@ -0,0 +1,53 @@
+/**
+ * Token Generation & Hashing Utilities
+ *
+ * Token types:
+ * - clp_ses_* — Session tokens (login sessions, 30 day expiry)
+ * - clp_pat_* — Personal Access Tokens (cross-device login, permanent)
+ * - clp_inv_* — Invite tokens (for inviting new users)
+ */
+
+const SESSION_PREFIX = 'clp_ses_';
+const PAT_PREFIX = 'clp_pat_';
+const INVITE_PREFIX = 'clp_inv_';
+
+function randomHex(bytes: number): string {
+	const arr = new Uint8Array(bytes);
+	crypto.getRandomValues(arr);
+	return Array.from(arr).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+
+/** All token types use the same random length for consistency */
+const TOKEN_BYTES = 24; // 48 hex chars
+
+export function generateSessionToken(): string {
+	return SESSION_PREFIX + randomHex(TOKEN_BYTES);
+}
+
+export function generatePAT(): string {
+	return PAT_PREFIX + randomHex(TOKEN_BYTES);
+}
+
+export function generateInviteToken(): string {
+	return INVITE_PREFIX + randomHex(TOKEN_BYTES);
+}
+
+/**
+ * SHA-256 hash a token string.
+ * Uses Bun native CryptoHasher for performance.
+ */
+export function hashToken(token: string): string {
+	const hasher = new Bun.CryptoHasher('sha256');
+	hasher.update(token);
+	return hasher.digest('hex');
+}
+
+/**
+ * Determine token type from prefix
+ */
+export function getTokenType(token: string): 'session' | 'pat' | 'invite' | 'unknown' {
+	if (token.startsWith(SESSION_PREFIX)) return 'session';
+	if (token.startsWith(PAT_PREFIX)) return 'pat';
+	if (token.startsWith(INVITE_PREFIX)) return 'invite';
+	return 'unknown';
+}

package/backend/lib/database/migrations/024_create_users_table.ts

@@ -0,0 +1,29 @@
+import type { DatabaseConnection } from '$shared/types/database/connection';
+import { debug } from '$shared/utils/logger';
+
+export const description = 'Create users table for authentication';
+
+export const up = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Creating users table...');
+
+	db.exec(`
+		CREATE TABLE IF NOT EXISTS users (
+			id TEXT PRIMARY KEY,
+			name TEXT NOT NULL,
+			color TEXT NOT NULL,
+			avatar TEXT NOT NULL,
+			role TEXT NOT NULL CHECK(role IN ('admin', 'member')),
+			personal_access_token_hash TEXT UNIQUE,
+			created_at TEXT NOT NULL,
+			updated_at TEXT NOT NULL
+		)
+	`);
+
+	debug.log('migration', 'users table created');
+};
+
+export const down = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Dropping users table...');
+	db.exec('DROP TABLE IF EXISTS users');
+	debug.log('migration', 'users table dropped');
+};

package/backend/lib/database/migrations/025_create_auth_sessions_table.ts

@@ -0,0 +1,38 @@
+import type { DatabaseConnection } from '$shared/types/database/connection';
+import { debug } from '$shared/utils/logger';
+
+export const description = 'Create auth_sessions table for login session management';
+
+export const up = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Creating auth_sessions table...');
+
+	db.exec(`
+		CREATE TABLE IF NOT EXISTS auth_sessions (
+			id TEXT PRIMARY KEY,
+			user_id TEXT NOT NULL,
+			token_hash TEXT NOT NULL UNIQUE,
+			expires_at TEXT NOT NULL,
+			created_at TEXT NOT NULL,
+			last_active_at TEXT NOT NULL,
+			FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+		)
+	`);
+
+	db.exec(`
+		CREATE INDEX IF NOT EXISTS idx_auth_sessions_token_hash
+		ON auth_sessions(token_hash)
+	`);
+
+	db.exec(`
+		CREATE INDEX IF NOT EXISTS idx_auth_sessions_user_id
+		ON auth_sessions(user_id)
+	`);
+
+	debug.log('migration', 'auth_sessions table created');
+};
+
+export const down = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Dropping auth_sessions table...');
+	db.exec('DROP TABLE IF EXISTS auth_sessions');
+	debug.log('migration', 'auth_sessions table dropped');
+};

package/backend/lib/database/migrations/026_create_invite_tokens_table.ts

@@ -0,0 +1,31 @@
+import type { DatabaseConnection } from '$shared/types/database/connection';
+import { debug } from '$shared/utils/logger';
+
+export const description = 'Create invite_tokens table for invite link management';
+
+export const up = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Creating invite_tokens table...');
+
+	db.exec(`
+		CREATE TABLE IF NOT EXISTS invite_tokens (
+			id TEXT PRIMARY KEY,
+			token_hash TEXT NOT NULL UNIQUE,
+			role TEXT NOT NULL CHECK(role IN ('admin', 'member')),
+			label TEXT,
+			created_by TEXT NOT NULL,
+			max_uses INTEGER NOT NULL DEFAULT 1,
+			use_count INTEGER NOT NULL DEFAULT 0,
+			expires_at TEXT,
+			created_at TEXT NOT NULL,
+			FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE CASCADE
+		)
+	`);
+
+	debug.log('migration', 'invite_tokens table created');
+};
+
+export const down = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Dropping invite_tokens table...');
+	db.exec('DROP TABLE IF EXISTS invite_tokens');
+	debug.log('migration', 'invite_tokens table dropped');
+};

package/backend/lib/database/migrations/index.ts

@@ -22,6 +22,9 @@ import * as migration020 from './020_add_snapshot_tree_hash';
 import * as migration021 from './021_drop_prompt_templates_table';
 import * as migration022 from './022_add_snapshot_changes_column';
 import * as migration023 from './023_create_user_unread_sessions_table';
+import * as migration024 from './024_create_users_table';
+import * as migration025 from './025_create_auth_sessions_table';
+import * as migration026 from './026_create_invite_tokens_table';
 
 // Export all migrations in order
 export const migrations = [
@@ -162,6 +165,24 @@ export const migrations = [
 		description: migration023.description,
 		up: migration023.up,
 		down: migration023.down
+	},
+	{
+		id: '024',
+		description: migration024.description,
+		up: migration024.up,
+		down: migration024.down
+	},
+	{
+		id: '025',
+		description: migration025.description,
+		up: migration025.up,
+		down: migration025.down
+	},
+	{
+		id: '026',
+		description: migration026.description,
+		up: migration026.up,
+		down: migration026.down
 	}
 ];
 

package/backend/lib/database/queries/auth-queries.ts

@@ -0,0 +1,201 @@
+import { getDatabase } from '../index';
+
+export interface DBUser {
+	id: string;
+	name: string;
+	color: string;
+	avatar: string;
+	role: 'admin' | 'member';
+	personal_access_token_hash: string | null;
+	created_at: string;
+	updated_at: string;
+}
+
+export interface DBAuthSession {
+	id: string;
+	user_id: string;
+	token_hash: string;
+	expires_at: string;
+	created_at: string;
+	last_active_at: string;
+}
+
+export interface DBInviteToken {
+	id: string;
+	token_hash: string;
+	role: 'admin' | 'member';
+	label: string | null;
+	created_by: string;
+	max_uses: number;
+	use_count: number;
+	expires_at: string | null;
+	created_at: string;
+}
+
+export const authQueries = {
+	// ===================== Users =====================
+
+	createUser(user: Omit<DBUser, 'updated_at'> & { updated_at?: string }): DBUser {
+		const db = getDatabase();
+		const now = new Date().toISOString();
+		db.prepare(`
+			INSERT INTO users (id, name, color, avatar, role, personal_access_token_hash, created_at, updated_at)
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+		`).run(
+			user.id,
+			user.name,
+			user.color,
+			user.avatar,
+			user.role,
+			user.personal_access_token_hash,
+			user.created_at,
+			user.updated_at ?? now
+		);
+		return db.prepare('SELECT * FROM users WHERE id = ?').get(user.id) as DBUser;
+	},
+
+	getUserById(id: string): DBUser | null {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM users WHERE id = ?').get(id) as DBUser | null;
+	},
+
+	getUserByPatHash(hash: string): DBUser | null {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM users WHERE personal_access_token_hash = ?').get(hash) as DBUser | null;
+	},
+
+	getAllUsers(): DBUser[] {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM users ORDER BY created_at ASC').all() as DBUser[];
+	},
+
+	countUsers(): number {
+		const db = getDatabase();
+		const result = db.prepare('SELECT COUNT(*) as count FROM users').get() as { count: number };
+		return result.count;
+	},
+
+	countAdmins(): number {
+		const db = getDatabase();
+		const result = db.prepare("SELECT COUNT(*) as count FROM users WHERE role = 'admin'").get() as { count: number };
+		return result.count;
+	},
+
+	updateUser(id: string, fields: Partial<Pick<DBUser, 'name' | 'color' | 'avatar' | 'personal_access_token_hash'>>): void {
+		const db = getDatabase();
+		const now = new Date().toISOString();
+		const sets: string[] = ['updated_at = ?'];
+		const values: any[] = [now];
+
+		if (fields.name !== undefined) { sets.push('name = ?'); values.push(fields.name); }
+		if (fields.color !== undefined) { sets.push('color = ?'); values.push(fields.color); }
+		if (fields.avatar !== undefined) { sets.push('avatar = ?'); values.push(fields.avatar); }
+		if (fields.personal_access_token_hash !== undefined) { sets.push('personal_access_token_hash = ?'); values.push(fields.personal_access_token_hash); }
+
+		values.push(id);
+		db.prepare(`UPDATE users SET ${sets.join(', ')} WHERE id = ?`).run(...values);
+	},
+
+	deleteUser(id: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM users WHERE id = ?').run(id);
+	},
+
+	// ===================== Auth Sessions =====================
+
+	createSession(session: DBAuthSession): DBAuthSession {
+		const db = getDatabase();
+		db.prepare(`
+			INSERT INTO auth_sessions (id, user_id, token_hash, expires_at, created_at, last_active_at)
+			VALUES (?, ?, ?, ?, ?, ?)
+		`).run(
+			session.id,
+			session.user_id,
+			session.token_hash,
+			session.expires_at,
+			session.created_at,
+			session.last_active_at
+		);
+		return db.prepare('SELECT * FROM auth_sessions WHERE id = ?').get(session.id) as DBAuthSession;
+	},
+
+	getSessionByTokenHash(hash: string): DBAuthSession | null {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM auth_sessions WHERE token_hash = ?').get(hash) as DBAuthSession | null;
+	},
+
+	updateLastActive(id: string): void {
+		const db = getDatabase();
+		const now = new Date().toISOString();
+		db.prepare('UPDATE auth_sessions SET last_active_at = ? WHERE id = ?').run(now, id);
+	},
+
+	deleteSession(id: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM auth_sessions WHERE id = ?').run(id);
+	},
+
+	deleteSessionByTokenHash(hash: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM auth_sessions WHERE token_hash = ?').run(hash);
+	},
+
+	deleteSessionsByUserId(userId: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM auth_sessions WHERE user_id = ?').run(userId);
+	},
+
+	deleteExpiredSessions(): number {
+		const db = getDatabase();
+		const now = new Date().toISOString();
+		const result = db.prepare('DELETE FROM auth_sessions WHERE expires_at < ?').run(now) as { changes: number };
+		return result.changes;
+	},
+
+	// ===================== Invite Tokens =====================
+
+	createInvite(invite: DBInviteToken): DBInviteToken {
+		const db = getDatabase();
+		db.prepare(`
+			INSERT INTO invite_tokens (id, token_hash, role, label, created_by, max_uses, use_count, expires_at, created_at)
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+		`).run(
+			invite.id,
+			invite.token_hash,
+			invite.role,
+			invite.label,
+			invite.created_by,
+			invite.max_uses,
+			invite.use_count,
+			invite.expires_at,
+			invite.created_at
+		);
+		return db.prepare('SELECT * FROM invite_tokens WHERE id = ?').get(invite.id) as DBInviteToken;
+	},
+
+	getInviteByTokenHash(hash: string): DBInviteToken | null {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM invite_tokens WHERE token_hash = ?').get(hash) as DBInviteToken | null;
+	},
+
+	incrementUseCount(id: string): void {
+		const db = getDatabase();
+		db.prepare('UPDATE invite_tokens SET use_count = use_count + 1 WHERE id = ?').run(id);
+	},
+
+	getAllInvites(): DBInviteToken[] {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM invite_tokens ORDER BY created_at DESC').all() as DBInviteToken[];
+	},
+
+	revokeInvite(id: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM invite_tokens WHERE id = ?').run(id);
+	},
+
+	deleteAllSessions(): number {
+		const db = getDatabase();
+		const result = db.prepare('DELETE FROM auth_sessions').run() as { changes: number };
+		return result.changes;
+	}
+};

package/backend/lib/database/queries/index.ts

@@ -6,4 +6,5 @@ export { settingsQueries } from './settings-queries';
 export { dbUtils } from './utils-queries';
 export { snapshotQueries } from './snapshot-queries';
 export { checkpointQueries } from './checkpoint-queries';
-export { engineQueries } from './engine-queries';
+export { engineQueries } from './engine-queries';
+export { authQueries } from './auth-queries';

package/backend/lib/engine/adapters/opencode/server.ts

@@ -54,7 +54,7 @@ async function init(): Promise<void> {
 	if (Object.keys(mcpConfig).length > 0) {
 		debug.log('engine', `Open Code server: injecting ${Object.keys(mcpConfig).length} MCP server(s)`);
 		for (const [name, config] of Object.entries(mcpConfig)) {
-			debug.log('engine', `  → ${name}: ${config.type} (${(config as any).command?.join(' ') || (config as any).url})`);
+			debug.log('engine', `  → ${name}: ${config.type} (${(config as any).url || (config as any).command?.join(' ')})`);
 		}
 	}
 

package/backend/lib/mcp/config.ts

@@ -6,11 +6,10 @@
  */
 
 import type { McpSdkServerConfigWithInstance, McpServerConfig } from "@anthropic-ai/claude-agent-sdk";
-import type { McpLocalConfig } from '@opencode-ai/sdk';
+import type { McpRemoteConfig } from '@opencode-ai/sdk';
 import type { ServerConfig, ParsedMcpToolName, ServerName } from './types';
 import { serverRegistry, serverFactories } from './servers';
 import { debug } from '$shared/utils/logger';
-import { resolve } from 'path';
 import { SERVER_ENV } from '../shared/env';
 
 /**
@@ -21,7 +20,7 @@ import { SERVER_ENV } from '../shared/env';
  *
  * Type-safe: Server names and tool names are validated at compile time!
  */
-const mcpServersConfig: Record<ServerName, ServerConfig> = {
+export const mcpServersConfig: Record<ServerName, ServerConfig> = {
 	"weather-service": {
 		enabled: true,
 		tools: [
@@ -256,6 +255,8 @@ export function getMcpStats() {
  * This function strips the prefix and maps back using the mcpServers
  * registry — the SAME source that defines which tools exist.
  *
+ * Works for both remote HTTP MCP and legacy stdio MCP (same naming convention).
+ *
  * Returns null if the tool name is not one of our custom MCP tools.
  */
 export function resolveOpenCodeToolName(toolName: string): string | null {
@@ -263,7 +264,7 @@ export function resolveOpenCodeToolName(toolName: string): string | null {
 	if (toolName.startsWith('mcp__')) return toolName;
 
 	// Strip Open Code MCP server prefix if present
-	// Open Code prefixes with the stdio server name: "clopen-mcp_<tool>"
+	// Open Code prefixes with the server config key: "clopen-mcp_<tool>"
 	let rawName = toolName;
 	const ocPrefix = 'clopen-mcp_';
 	if (rawName.startsWith(ocPrefix)) {
@@ -288,32 +289,26 @@ export function resolveOpenCodeToolName(toolName: string): string | null {
 /**
  * Get MCP configuration for Open Code engine.
  *
- * Open Code expects MCP servers as local (stdio subprocess) or remote (HTTP URL).
- * We provide a single local MCP server that wraps all our custom tools.
- * The server communicates with the main Clopen process via an HTTP bridge
- * for tools that need in-process access (browser-automation).
+ * Open Code connects to a remote MCP HTTP server running in the main Clopen
+ * process. Tool handlers execute in-process — no subprocess, no bridge.
+ *
+ * This is the Open Code equivalent of Claude Code's in-process MCP servers.
  */
-export function getOpenCodeMcpConfig(): Record<string, McpLocalConfig> {
+export function getOpenCodeMcpConfig(): Record<string, McpRemoteConfig> {
 	// Check if any servers are enabled
 	const enabledServers = getEnabledServerNames();
 	if (enabledServers.length === 0) {
 		return {};
 	}
 
-	// Resolve path to the stdio server script
-	const stdioServerPath = resolve(import.meta.dir, 'stdio-server.ts');
 	const port = SERVER_ENV.PORT;
 
-	debug.log('mcp', `📦 Open Code MCP: stdio server at ${stdioServerPath}`);
-	debug.log('mcp', `📦 Open Code MCP: bridge port ${port}`);
+	debug.log('mcp', `📦 Open Code MCP: remote server at http://localhost:${port}/mcp`);
 
 	return {
 		'clopen-mcp': {
-			type: 'local',
-			command: ['bun', 'run', stdioServerPath],
-			environment: {
-				CLOPEN_PORT: String(port),
-			},
+			type: 'remote',
+			url: `http://localhost:${port}/mcp`,
 			enabled: true,
 			timeout: 10000,
 		},

package/backend/lib/mcp/index.ts

@@ -2,6 +2,11 @@
  * MCP (Model Context Protocol) Custom Tools
  *
  * Main export point for the custom MCP tools system.
+ *
+ * Claude Code: in-process MCP servers via createSdkMcpServer()
+ * Open Code:   remote HTTP MCP server via createRemoteMcpServer()
+ *
+ * Both use the same tool definitions from defineServer() in servers/helper.ts.
  */
 
 // Type definitions
@@ -13,6 +18,7 @@ export type {
 // Main configuration and all utilities
 export {
 	mcpServers,
+	mcpServersConfig,
 	getEnabledMcpServers,
 	getAllowedMcpTools,
 	getServerConfig,
@@ -31,5 +37,8 @@ export {
 // Server implementations
 export * from './servers';
 
+// Remote MCP HTTP server for Open Code
+export { handleMcpRequest, closeMcpServer } from './remote-server';
+
 // Project context service for MCP tool handlers
 export { projectContextService } from './project-context';