npm - @myrialabs/clopen - Versions diffs - 0.1.9 → 0.2.0 - Mend

@myrialabs/clopen 0.1.9 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/README.md +23 -1
package/backend/index.ts +25 -1
package/backend/lib/auth/auth-service.ts +484 -0
package/backend/lib/auth/index.ts +4 -0
package/backend/lib/auth/permissions.ts +63 -0
package/backend/lib/auth/rate-limiter.ts +145 -0
package/backend/lib/auth/tokens.ts +53 -0
package/backend/lib/chat/stream-manager.ts +4 -1
package/backend/lib/database/migrations/024_create_users_table.ts +29 -0
package/backend/lib/database/migrations/025_create_auth_sessions_table.ts +38 -0
package/backend/lib/database/migrations/026_create_invite_tokens_table.ts +31 -0
package/backend/lib/database/migrations/index.ts +21 -0
package/backend/lib/database/queries/auth-queries.ts +201 -0
package/backend/lib/database/queries/index.ts +2 -1
package/backend/lib/database/queries/session-queries.ts +13 -0
package/backend/lib/database/queries/snapshot-queries.ts +1 -1
package/backend/lib/engine/adapters/opencode/server.ts +9 -1
package/backend/lib/engine/adapters/opencode/stream.ts +175 -1
package/backend/lib/mcp/config.ts +13 -18
package/backend/lib/mcp/index.ts +9 -0
package/backend/lib/mcp/remote-server.ts +132 -0
package/backend/lib/mcp/servers/helper.ts +49 -3
package/backend/lib/mcp/servers/index.ts +3 -2
package/backend/lib/preview/browser/browser-audio-capture.ts +20 -3
package/backend/lib/preview/browser/browser-navigation-tracker.ts +3 -0
package/backend/lib/preview/browser/browser-pool.ts +73 -176
package/backend/lib/preview/browser/browser-preview-service.ts +3 -2
package/backend/lib/preview/browser/browser-tab-manager.ts +261 -23
package/backend/lib/preview/browser/browser-video-capture.ts +36 -1
package/backend/lib/snapshot/helpers.ts +22 -49
package/backend/lib/snapshot/snapshot-service.ts +148 -83
package/backend/lib/utils/ws.ts +65 -1
package/backend/ws/auth/index.ts +17 -0
package/backend/ws/auth/invites.ts +84 -0
package/backend/ws/auth/login.ts +269 -0
package/backend/ws/auth/status.ts +41 -0
package/backend/ws/auth/users.ts +32 -0
package/backend/ws/chat/stream.ts +13 -0
package/backend/ws/engine/claude/accounts.ts +3 -1
package/backend/ws/engine/utils.ts +38 -6
package/backend/ws/index.ts +4 -4
package/backend/ws/preview/browser/interact.ts +27 -5
package/backend/ws/snapshot/restore.ts +111 -12
package/backend/ws/snapshot/timeline.ts +56 -29
package/bin/clopen.ts +56 -1
package/bun.lock +113 -51
package/frontend/App.svelte +47 -29
package/frontend/lib/components/auth/InvitePage.svelte +215 -0
package/frontend/lib/components/auth/LoginPage.svelte +129 -0
package/frontend/lib/components/auth/SetupPage.svelte +1022 -0
package/frontend/lib/components/chat/input/ChatInput.svelte +1 -2
package/frontend/lib/components/chat/input/components/EngineModelPicker.svelte +2 -2
package/frontend/lib/components/chat/input/composables/use-chat-actions.svelte.ts +4 -4
package/frontend/lib/components/chat/input/composables/use-textarea-resize.svelte.ts +11 -19
package/frontend/lib/components/checkpoint/TimelineModal.svelte +15 -3
package/frontend/lib/components/checkpoint/timeline/TimelineNode.svelte +30 -19
package/frontend/lib/components/checkpoint/timeline/types.ts +4 -0
package/frontend/lib/components/common/FolderBrowser.svelte +9 -9
package/frontend/lib/components/common/UpdateBanner.svelte +2 -2
package/frontend/lib/components/git/CommitForm.svelte +6 -4
package/frontend/lib/components/history/HistoryModal.svelte +1 -1
package/frontend/lib/components/history/HistoryView.svelte +1 -1
package/frontend/lib/components/preview/browser/BrowserPreview.svelte +1 -1
package/frontend/lib/components/preview/browser/core/mcp-handlers.svelte.ts +12 -4
package/frontend/lib/components/settings/SettingsModal.svelte +50 -15
package/frontend/lib/components/settings/SettingsView.svelte +21 -7
package/frontend/lib/components/settings/account/AccountSettings.svelte +5 -0
package/frontend/lib/components/settings/admin/InviteManagement.svelte +239 -0
package/frontend/lib/components/settings/admin/UserManagement.svelte +127 -0
package/frontend/lib/components/settings/general/AdvancedSettings.svelte +10 -4
package/frontend/lib/components/settings/general/AuthModeSettings.svelte +229 -0
package/frontend/lib/components/settings/general/GeneralSettings.svelte +6 -1
package/frontend/lib/components/settings/general/UpdateSettings.svelte +5 -5
package/frontend/lib/components/settings/security/SecuritySettings.svelte +10 -0
package/frontend/lib/components/settings/system/SystemSettings.svelte +10 -0
package/frontend/lib/components/settings/user/UserSettings.svelte +147 -74
package/frontend/lib/components/workspace/PanelHeader.svelte +1 -1
package/frontend/lib/components/workspace/WorkspaceLayout.svelte +5 -10
package/frontend/lib/components/workspace/panels/ChatPanel.svelte +3 -2
package/frontend/lib/services/preview/browser/browser-webcodecs.service.ts +31 -8
package/frontend/lib/stores/core/sessions.svelte.ts +15 -1
package/frontend/lib/stores/features/auth.svelte.ts +296 -0
package/frontend/lib/stores/features/settings.svelte.ts +53 -9
package/frontend/lib/stores/features/user.svelte.ts +26 -68
package/frontend/lib/stores/ui/settings-modal.svelte.ts +42 -21
package/frontend/lib/stores/ui/update.svelte.ts +2 -14
package/frontend/lib/stores/ui/workspace.svelte.ts +4 -4
package/package.json +8 -6
package/shared/types/stores/settings.ts +16 -2
package/shared/utils/logger.ts +1 -0
package/shared/utils/ws-client.ts +30 -13
package/shared/utils/ws-server.ts +42 -4
package/backend/lib/mcp/stdio-server.ts +0 -103
package/backend/ws/mcp/index.ts +0 -61

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@myrialabs/clopen",
-  "version": "0.1.9",
+  "version": "0.2.0",
   "description": "All-in-one web workspace for Claude Code & OpenCode — chat, terminal, git, browser preview, checkpoints, and real-time collaboration",
   "author": "Myria Labs",
   "license": "MIT",
@@ -62,6 +62,7 @@
     "@types/bun": "^1.2.18",
     "@types/node": "^24.0.14",
     "@types/qrcode": "^1.5.6",
+    "@types/random-useragent": "^0.3.3",
     "concurrently": "^9.2.1",
     "eslint": "^9.31.0",
     "eslint-plugin-svelte": "^3.10.1",
@@ -74,14 +75,14 @@
     "vite": "^7.0.4"
   },
   "dependencies": {
-    "@anthropic-ai/claude-agent-sdk": "^0.2.63",
-    "@anthropic-ai/sdk": "^0.78.0",
+    "@anthropic-ai/claude-agent-sdk": "0.2.63",
+    "@anthropic-ai/sdk": "0.78.0",
+    "@opencode-ai/sdk": "1.2.15",
     "@elysiajs/cors": "^1.4.0",
     "@iconify-json/lucide": "^1.2.57",
     "@iconify-json/material-icon-theme": "^1.2.16",
     "@modelcontextprotocol/sdk": "^1.26.0",
     "@monaco-editor/loader": "^1.5.0",
-    "@opencode-ai/sdk": "^1.2.15",
     "@xterm/addon-clipboard": "^0.2.0",
     "@xterm/addon-fit": "^0.11.0",
     "@xterm/addon-ligatures": "^0.10.0",
@@ -96,8 +97,9 @@
     "marked": "^16.1.1",
     "monaco-editor": "^0.52.2",
     "nanoid": "^5.1.6",
-    "puppeteer": "^24.33.0",
-    "puppeteer-cluster": "^0.25.0",
+    "puppeteer": "^24.37.5",
+    "puppeteer-extra": "^3.3.6",
+    "puppeteer-extra-plugin-stealth": "^2.11.2",
     "qrcode": "^1.5.4"
   },
   "trustedDependencies": [

package/shared/types/stores/settings.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import type { EngineType } from '$shared/types/engine';
+/** Per-user settings (stored per user) */
 export interface AppSettings {
 	selectedEngine: EngineType;
 	selectedModel: string;
@@ -10,10 +11,23 @@ export interface AppSettings {
 	soundNotifications: boolean;
 	pushNotifications: boolean;
 	layoutPresetVisibility: Record<string, boolean>;
-	/** Restrict folder browser to only these base paths. Empty = no restriction. */
-	allowedBasePaths: string[];
 	/** Base font size in pixels (10–20). Default: 13. */
 	fontSize: number;
+}
+/** Authentication mode */
+export type AuthMode = 'none' | 'required';
+/** System-wide settings (admin-only, shared across all users) */
+export interface SystemSettings {
+	/** Authentication mode: 'none' = single user no login, 'required' = multi-user with login. Default: 'required'. */
+	authMode: AuthMode;
+	/** Whether the initial setup wizard has been completed. Default: false. */
+	onboardingComplete: boolean;
+	/** Restrict folder browser to only these base paths. Empty = no restriction. */
+	allowedBasePaths: string[];
 	/** Automatically update to the latest version when available. Default: false. */
 	autoUpdate: boolean;
+	/** Session lifetime in days. Default: 30. */
+	sessionLifetimeDays: number;
 }

package/shared/utils/logger.ts CHANGED Viewed

@@ -39,6 +39,7 @@ export type LogLabel =
 	// User
 	| 'user'
 	| 'session'
+	| 'auth'
 	// System
 	| 'server'

package/shared/utils/ws-client.ts CHANGED Viewed

@@ -221,6 +221,9 @@ export class WSClient<TAPI extends { client: any; server: any }> {
 		projectId: null
 	};
+	/** Session token for re-authentication on reconnection */
+	private sessionToken: string | null = null;
 	/** Pending context sync (for reconnection) */
 	private pendingContextSync = false;
@@ -272,8 +275,18 @@ export class WSClient<TAPI extends { client: any; server: any }> {
 				this.reconnectAttempts = 0;
 				this.options.onStatusChange?.('connected', 0);
-				// Sync context on reconnection - MUST await before flushing queue
-				if (this.context.userId || this.context.projectId) {
+				// Re-authenticate on reconnection using stored session token
+				if (this.sessionToken) {
+					try {
+						await this.http('auth:login' as any, { token: this.sessionToken } as any);
+						debug.log('websocket', 'Re-authenticated after reconnection');
+					} catch (err) {
+						debug.error('websocket', 'Failed to re-authenticate on reconnection:', err);
+					}
+				}
+				// Sync project context on reconnection (userId set by auth above)
+				if (this.context.projectId) {
 					try {
 						await this.syncContext();
 						debug.log('websocket', 'Context synced after reconnection');
@@ -570,18 +583,23 @@ export class WSClient<TAPI extends { client: any; server: any }> {
 	private contextSyncPromise: Promise<void> | null = null;
 	/**
-	 * Set user context (auto-syncs with server)
-	 * @returns Promise that resolves when context is synced with server
+	 * Set session token for reconnection auth.
+	 * Called by auth store after successful login.
+	 */
+	setSessionToken(token: string | null): void {
+		this.sessionToken = token;
+		debug.log('websocket', 'Session token set for reconnection auth');
+	}
+	/**
+	 * Set user context locally (for reconnection tracking).
+	 * userId is now set server-side by auth handlers — this only updates the local cache.
 	 */
 	async setUser(userId: string | null): Promise<void> {
 		if (this.context.userId === userId) return;
 		this.context.userId = userId;
-		debug.log('websocket', 'Context: user set to', userId);
-		if (this.isConnected) {
-			await this.syncContext();
-		}
+		debug.log('websocket', 'Context: user set locally to', userId);
+		// Note: userId is NOT synced via ws:set-context — it's set server-side by auth handlers
 	}
 	/**
@@ -679,16 +697,15 @@ export class WSClient<TAPI extends { client: any; server: any }> {
 			// Register response listener
 			unsubResponse = this.on('ws:set-context:response' as any, handleResponse);
-			// Send context sync request
+			// Send context sync request (only projectId — userId is set server-side by auth)
 			this.emit('ws:set-context' as any, {
 				requestId,
 				data: {
-					userId: this.context.userId,
 					projectId: this.context.projectId
 				}
 			} as any);
-			debug.log('websocket', 'Context sync sent:', this.context);
+			debug.log('websocket', 'Context sync sent: projectId=', this.context.projectId);
 		});
 	}

package/shared/utils/ws-server.ts CHANGED Viewed

@@ -279,11 +279,23 @@ export class WSRouter<
 	private httpRoutes = new Map<string, HTTPRoute>();
 	private eventSchemas = new Map<string, TSchema>();
+	/** Optional auth middleware — called before every route handler */
+	private authMiddleware: ((conn: WSConnection, action: string) => Promise<{ allowed: boolean; error?: string }>) | null = null;
 	constructor() {
 		// Register built-in context management route
 		this.registerContextHandler();
 	}
+	/**
+	 * Set an auth middleware function that gates all route handlers.
+	 * The middleware receives the connection and action, and returns { allowed, error? }.
+	 * If not allowed, the handler is not called and an auth:error event is sent to the client.
+	 */
+	setAuthMiddleware(fn: (conn: WSConnection, action: string) => Promise<{ allowed: boolean; error?: string }>): void {
+		this.authMiddleware = fn;
+	}
 	/**
 	 * Register built-in ws:set-context handler
 	 * Allows frontend to sync user/project context
@@ -292,7 +304,6 @@ export class WSRouter<
 		this.httpRoutes.set('ws:set-context', {
 			action: 'ws:set-context',
 			dataSchema: t.Object({
-				userId: t.Optional(t.Union([t.String(), t.Null()])),
 				projectId: t.Optional(t.Union([t.String(), t.Null()]))
 			}),
 			responseSchema: t.Object({
@@ -303,9 +314,8 @@ export class WSRouter<
 				// Import ws server to update context
 				const { ws: wsServer } = await import('$backend/lib/utils/ws');
-				if (data.userId !== undefined) {
-					wsServer.setUser(conn, data.userId);
-				}
+				// userId is set exclusively by auth handlers (auth:login, auth:setup, auth:accept-invite)
+				// ws:set-context only handles projectId
 				if (data.projectId !== undefined) {
 					wsServer.setProject(conn, data.projectId);
 				}
@@ -576,6 +586,34 @@ export class WSRouter<
 				return;
 			}
+			// ═══ AUTH GATE ═══
+			if (this.authMiddleware) {
+				const authResult = await this.authMiddleware(conn, action);
+				if (!authResult.allowed) {
+					try {
+						// If this is an HTTP route, send error as HTTP-style response
+						// so ws.http() on the client receives it instead of timing out
+						if (this.httpRoutes.has(action)) {
+							const requestId = payload?.requestId;
+							conn.send(JSON.stringify({
+								action: `${action}:response`,
+								payload: { success: false, error: authResult.error, requestId }
+							}));
+						} else {
+							conn.send(JSON.stringify({
+								action: 'auth:error',
+								payload: { error: authResult.error, blockedAction: action }
+							}));
+						}
+					} catch {
+						// Connection may be closed
+					}
+					debug.warn('websocket', `Auth blocked: ${action} — ${authResult.error}`);
+					return;
+				}
+			}
+			// ═══ END AUTH GATE ═══
 			// Check if this is an HTTP route
 			const httpRoute = this.httpRoutes.get(action);
 			if (httpRoute) {

package/backend/lib/mcp/stdio-server.ts DELETED Viewed

@@ -1,103 +0,0 @@
-#!/usr/bin/env bun
-/**
- * MCP Stdio Server for Open Code
- *
- * Standalone subprocess that exposes our custom MCP tools via stdio transport.
- * Open Code spawns this process and communicates over stdin/stdout (JSON-RPC 2.0).
- *
- * Tool definitions (schema, description) are loaded from the SAME source as
- * Claude Code — the `serverMetadata` registry in `./servers/index.ts`.
- *
- * ALL tool calls are proxied to the main Clopen server via WSClient bridge,
- * because handlers need in-process access to browser instances, project context, etc.
- */
-import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { WSClient } from '$shared/utils/ws-client';
-import { serverMetadata } from './servers/index';
-import { mcpServers } from './config';
-// ============================================================================
-// WebSocket Bridge — proxies tool calls to the main Clopen server via WSClient
-// ============================================================================
-const BRIDGE_PORT = process.env.CLOPEN_PORT || '9141';
-const WS_URL = `ws://localhost:${BRIDGE_PORT}/ws`;
-/**
- * WSClient instance for communicating with the main Clopen server.
- * Uses the same protocol as the frontend (JSON messages with action/payload).
- */
-const wsClient = new WSClient<any>(WS_URL, {
-	autoReconnect: true,
-	maxReconnectAttempts: 10,
-	reconnectDelay: 1000,
-	maxReconnectDelay: 10000,
-});
-/**
- * Call a tool handler on the main Clopen server via the WS bridge.
- * Uses WSClient.http() which follows the standard request-response pattern.
- */
-async function callBridge(
-	serverName: string,
-	toolName: string,
-	args: Record<string, unknown>
-): Promise<{ content: Array<{ type: string; text?: string; data?: string; mimeType?: string }>; isError?: boolean }> {
-	try {
-		return await wsClient.http('mcp:execute' as any, {
-			server: serverName,
-			tool: toolName,
-			args,
-		} as any, 30000);
-	} catch (error) {
-		const msg = error instanceof Error ? error.message : String(error);
-		return {
-			content: [{ type: 'text', text: `Bridge connection failed: ${msg}` }],
-			isError: true,
-		};
-	}
-}
-// ============================================================================
-// Build MCP server from existing server metadata (single source of truth)
-// ============================================================================
-const server = new McpServer({
-	name: 'clopen-mcp',
-	version: '1.0.0',
-});
-// Iterate over all configured servers and register their enabled tools
-for (const [serverName, serverConfig] of Object.entries(mcpServers)) {
-	if (!serverConfig.enabled) continue;
-	// Get tool definitions from the metadata registry
-	const meta = (serverMetadata as Record<string, { toolDefs: Record<string, { description: string; schema: Record<string, any> }> }>)[serverName];
-	if (!meta) continue;
-	for (const toolName of serverConfig.tools) {
-		const toolDef = meta.toolDefs[toolName];
-		if (!toolDef) continue;
-		// Register tool with the same schema/description, but handler goes through bridge
-		server.registerTool(
-			toolName,
-			{
-				description: toolDef.description,
-				inputSchema: toolDef.schema,
-			},
-			async (args: Record<string, unknown>) => {
-				return await callBridge(serverName, toolName, args) as any;
-			}
-		);
-	}
-}
-// ============================================================================
-// Connect via stdio transport
-// ============================================================================
-const transport = new StdioServerTransport();
-await server.connect(transport);

package/backend/ws/mcp/index.ts DELETED Viewed

@@ -1,61 +0,0 @@
-/**
- * MCP Bridge — WebSocket HTTP-like route for the stdio MCP server
- *
- * Provides a WS route that the MCP stdio server (spawned by Open Code)
- * uses to execute tool handlers in-process.
- *
- * Handlers are loaded from the SAME serverMetadata registry —
- * no duplication of tool names or handler imports.
- *
- * Route: mcp:execute (WS http-like request-response)
- */
-import { createRouter } from '$shared/utils/ws-server';
-import { t } from 'elysia';
-import { debug } from '$shared/utils/logger';
-import { serverMetadata } from '../../lib/mcp/servers/index';
-import { mcpServers } from '../../lib/mcp/config';
-export const mcpRouter = createRouter()
-	.http('mcp:execute', {
-		data: t.Object({
-			server: t.String(),
-			tool: t.String(),
-			args: t.Record(t.String(), t.Unknown()),
-		}),
-		response: t.Any(),
-	}, async ({ data }) => {
-		const { server, tool, args } = data;
-		debug.log('mcp', `🌉 Bridge: ${server}/${tool}`);
-		// Validate server exists and is enabled
-		const serverConfig = mcpServers[server];
-		if (!serverConfig?.enabled) {
-			return {
-				content: [{ type: 'text', text: `Unknown or disabled MCP server: ${server}` }],
-				isError: true,
-			};
-		}
-		// Get handler from the single-source metadata registry
-		const meta = (serverMetadata as Record<string, { toolDefs: Record<string, { handler: (args: any) => Promise<any> }> }>)[server];
-		const toolDef = meta?.toolDefs[tool];
-		if (!toolDef) {
-			return {
-				content: [{ type: 'text', text: `Unknown tool: ${tool} in server ${server}` }],
-				isError: true,
-			};
-		}
-		try {
-			return await toolDef.handler(args);
-		} catch (error) {
-			const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-			debug.error('mcp', `🌉 Bridge error: ${server}/${tool}: ${errorMessage}`);
-			return {
-				content: [{ type: 'text', text: `Tool execution error: ${errorMessage}` }],
-				isError: true,
-			};
-		}
-	});