@myrialabs/clopen 0.1.9 → 0.2.0

package/backend/lib/auth/rate-limiter.ts

@@ -0,0 +1,145 @@
+/**
+ * Auth Rate Limiter
+ *
+ * Protects auth endpoints against brute-force and credential stuffing attacks.
+ * Tracks failed attempts per IP with progressive lockout.
+ *
+ * Thresholds:
+ *   5 failures  → 30 second lockout
+ *   10 failures → 2 minute lockout
+ *   20 failures → 10 minute lockout
+ *
+ * Attempts decay after the lockout window expires.
+ */
+
+import { debug } from '$shared/utils/logger';
+
+/** Routes that should be rate-limited */
+const RATE_LIMITED_ROUTES = new Set([
+	'auth:login',
+	'auth:accept-invite',
+	'auth:validate-invite',
+	'auth:setup'
+]);
+
+interface AttemptRecord {
+	failures: number;
+	lastFailure: number;
+	lockedUntil: number;
+}
+
+/** Lockout tiers: [maxFailures, lockoutMs] */
+const LOCKOUT_TIERS: [number, number][] = [
+	[5, 30_000],       // 5 failures  → 30 seconds
+	[10, 2 * 60_000],  // 10 failures → 2 minutes
+	[20, 10 * 60_000], // 20 failures → 10 minutes
+];
+
+/** After this duration of no failures, the record is considered stale and cleaned up */
+const STALE_AFTER_MS = 15 * 60_000; // 15 minutes
+
+/** How often to run cleanup (ms) */
+const CLEANUP_INTERVAL_MS = 5 * 60_000; // 5 minutes
+
+class AuthRateLimiter {
+	private attempts = new Map<string, AttemptRecord>();
+	private cleanupTimer: ReturnType<typeof setInterval> | null = null;
+
+	constructor() {
+		// Periodic cleanup of stale entries
+		this.cleanupTimer = setInterval(() => this.cleanup(), CLEANUP_INTERVAL_MS);
+	}
+
+	/**
+	 * Check if an action is rate-limited for the given identifier.
+	 * Returns null if allowed, or an error message if blocked.
+	 */
+	check(identifier: string, action: string): string | null {
+		if (!RATE_LIMITED_ROUTES.has(action)) {
+			return null; // Not a rate-limited route
+		}
+
+		const record = this.attempts.get(identifier);
+		if (!record) {
+			return null; // No previous failures
+		}
+
+		const now = Date.now();
+
+		// Check if currently locked out
+		if (record.lockedUntil > now) {
+			const remainingSec = Math.ceil((record.lockedUntil - now) / 1000);
+			debug.warn('auth', `Rate limited: ${identifier} (${remainingSec}s remaining, ${record.failures} failures)`);
+			return `Too many failed attempts. Try again in ${remainingSec} seconds.`;
+		}
+
+		return null;
+	}
+
+	/**
+	 * Record a failed auth attempt for the given identifier.
+	 */
+	recordFailure(identifier: string, action: string): void {
+		if (!RATE_LIMITED_ROUTES.has(action)) return;
+
+		const now = Date.now();
+		const record = this.attempts.get(identifier) ?? { failures: 0, lastFailure: 0, lockedUntil: 0 };
+
+		record.failures += 1;
+		record.lastFailure = now;
+
+		// Determine lockout duration based on failure count
+		let lockoutMs = 0;
+		for (const [threshold, duration] of LOCKOUT_TIERS) {
+			if (record.failures >= threshold) {
+				lockoutMs = duration;
+			}
+		}
+
+		if (lockoutMs > 0) {
+			record.lockedUntil = now + lockoutMs;
+			debug.warn('auth', `Lockout triggered: ${identifier} — ${record.failures} failures, locked for ${lockoutMs / 1000}s`);
+		}
+
+		this.attempts.set(identifier, record);
+	}
+
+	/**
+	 * Clear failure record on successful auth (e.g., successful login).
+	 */
+	recordSuccess(identifier: string): void {
+		this.attempts.delete(identifier);
+	}
+
+	/**
+	 * Remove stale entries to prevent memory leaks.
+	 */
+	private cleanup(): void {
+		const now = Date.now();
+		let removed = 0;
+
+		for (const [key, record] of this.attempts) {
+			if (now - record.lastFailure > STALE_AFTER_MS && record.lockedUntil < now) {
+				this.attempts.delete(key);
+				removed++;
+			}
+		}
+
+		if (removed > 0) {
+			debug.log('auth', `Rate limiter cleanup: removed ${removed} stale entries`);
+		}
+	}
+
+	/**
+	 * Dispose — stop cleanup timer.
+	 */
+	dispose(): void {
+		if (this.cleanupTimer) {
+			clearInterval(this.cleanupTimer);
+			this.cleanupTimer = null;
+		}
+	}
+}
+
+/** Singleton rate limiter instance */
+export const authRateLimiter = new AuthRateLimiter();

package/backend/lib/auth/tokens.ts

@@ -0,0 +1,53 @@
+/**
+ * Token Generation & Hashing Utilities
+ *
+ * Token types:
+ * - clp_ses_* — Session tokens (login sessions, 30 day expiry)
+ * - clp_pat_* — Personal Access Tokens (cross-device login, permanent)
+ * - clp_inv_* — Invite tokens (for inviting new users)
+ */
+
+const SESSION_PREFIX = 'clp_ses_';
+const PAT_PREFIX = 'clp_pat_';
+const INVITE_PREFIX = 'clp_inv_';
+
+function randomHex(bytes: number): string {
+	const arr = new Uint8Array(bytes);
+	crypto.getRandomValues(arr);
+	return Array.from(arr).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+
+/** All token types use the same random length for consistency */
+const TOKEN_BYTES = 24; // 48 hex chars
+
+export function generateSessionToken(): string {
+	return SESSION_PREFIX + randomHex(TOKEN_BYTES);
+}
+
+export function generatePAT(): string {
+	return PAT_PREFIX + randomHex(TOKEN_BYTES);
+}
+
+export function generateInviteToken(): string {
+	return INVITE_PREFIX + randomHex(TOKEN_BYTES);
+}
+
+/**
+ * SHA-256 hash a token string.
+ * Uses Bun native CryptoHasher for performance.
+ */
+export function hashToken(token: string): string {
+	const hasher = new Bun.CryptoHasher('sha256');
+	hasher.update(token);
+	return hasher.digest('hex');
+}
+
+/**
+ * Determine token type from prefix
+ */
+export function getTokenType(token: string): 'session' | 'pat' | 'invite' | 'unknown' {
+	if (token.startsWith(SESSION_PREFIX)) return 'session';
+	if (token.startsWith(PAT_PREFIX)) return 'pat';
+	if (token.startsWith(INVITE_PREFIX)) return 'invite';
+	return 'unknown';
+}

package/backend/lib/chat/stream-manager.ts

@@ -891,7 +891,10 @@ class StreamManager extends EventEmitter {
 			const { projectPath, projectId, chatSessionId } = requestData;
 			if (projectPath && projectId && chatSessionId && userMessageId) {
 				snapshotService.captureSnapshot(projectPath, projectId, chatSessionId, userMessageId)
-					.then(() => debug.log('chat', `Stream-end snapshot captured for message: ${userMessageId}`))
+					.then(() => {
+						debug.log('chat', `Stream-end snapshot captured for message: ${userMessageId}`);
+						this.emit('snapshot:captured', { projectId, chatSessionId });
+					})
 					.catch(err => debug.error('chat', 'Failed to capture stream-end snapshot:', err));
 			}
 		}

package/backend/lib/database/migrations/024_create_users_table.ts

@@ -0,0 +1,29 @@
+import type { DatabaseConnection } from '$shared/types/database/connection';
+import { debug } from '$shared/utils/logger';
+
+export const description = 'Create users table for authentication';
+
+export const up = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Creating users table...');
+
+	db.exec(`
+		CREATE TABLE IF NOT EXISTS users (
+			id TEXT PRIMARY KEY,
+			name TEXT NOT NULL,
+			color TEXT NOT NULL,
+			avatar TEXT NOT NULL,
+			role TEXT NOT NULL CHECK(role IN ('admin', 'member')),
+			personal_access_token_hash TEXT UNIQUE,
+			created_at TEXT NOT NULL,
+			updated_at TEXT NOT NULL
+		)
+	`);
+
+	debug.log('migration', 'users table created');
+};
+
+export const down = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Dropping users table...');
+	db.exec('DROP TABLE IF EXISTS users');
+	debug.log('migration', 'users table dropped');
+};

package/backend/lib/database/migrations/025_create_auth_sessions_table.ts

@@ -0,0 +1,38 @@
+import type { DatabaseConnection } from '$shared/types/database/connection';
+import { debug } from '$shared/utils/logger';
+
+export const description = 'Create auth_sessions table for login session management';
+
+export const up = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Creating auth_sessions table...');
+
+	db.exec(`
+		CREATE TABLE IF NOT EXISTS auth_sessions (
+			id TEXT PRIMARY KEY,
+			user_id TEXT NOT NULL,
+			token_hash TEXT NOT NULL UNIQUE,
+			expires_at TEXT NOT NULL,
+			created_at TEXT NOT NULL,
+			last_active_at TEXT NOT NULL,
+			FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+		)
+	`);
+
+	db.exec(`
+		CREATE INDEX IF NOT EXISTS idx_auth_sessions_token_hash
+		ON auth_sessions(token_hash)
+	`);
+
+	db.exec(`
+		CREATE INDEX IF NOT EXISTS idx_auth_sessions_user_id
+		ON auth_sessions(user_id)
+	`);
+
+	debug.log('migration', 'auth_sessions table created');
+};
+
+export const down = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Dropping auth_sessions table...');
+	db.exec('DROP TABLE IF EXISTS auth_sessions');
+	debug.log('migration', 'auth_sessions table dropped');
+};

package/backend/lib/database/migrations/026_create_invite_tokens_table.ts

@@ -0,0 +1,31 @@
+import type { DatabaseConnection } from '$shared/types/database/connection';
+import { debug } from '$shared/utils/logger';
+
+export const description = 'Create invite_tokens table for invite link management';
+
+export const up = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Creating invite_tokens table...');
+
+	db.exec(`
+		CREATE TABLE IF NOT EXISTS invite_tokens (
+			id TEXT PRIMARY KEY,
+			token_hash TEXT NOT NULL UNIQUE,
+			role TEXT NOT NULL CHECK(role IN ('admin', 'member')),
+			label TEXT,
+			created_by TEXT NOT NULL,
+			max_uses INTEGER NOT NULL DEFAULT 1,
+			use_count INTEGER NOT NULL DEFAULT 0,
+			expires_at TEXT,
+			created_at TEXT NOT NULL,
+			FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE CASCADE
+		)
+	`);
+
+	debug.log('migration', 'invite_tokens table created');
+};
+
+export const down = (db: DatabaseConnection): void => {
+	debug.log('migration', 'Dropping invite_tokens table...');
+	db.exec('DROP TABLE IF EXISTS invite_tokens');
+	debug.log('migration', 'invite_tokens table dropped');
+};

package/backend/lib/database/migrations/index.ts

@@ -22,6 +22,9 @@ import * as migration020 from './020_add_snapshot_tree_hash';
 import * as migration021 from './021_drop_prompt_templates_table';
 import * as migration022 from './022_add_snapshot_changes_column';
 import * as migration023 from './023_create_user_unread_sessions_table';
+import * as migration024 from './024_create_users_table';
+import * as migration025 from './025_create_auth_sessions_table';
+import * as migration026 from './026_create_invite_tokens_table';
 
 // Export all migrations in order
 export const migrations = [
@@ -162,6 +165,24 @@ export const migrations = [
 		description: migration023.description,
 		up: migration023.up,
 		down: migration023.down
+	},
+	{
+		id: '024',
+		description: migration024.description,
+		up: migration024.up,
+		down: migration024.down
+	},
+	{
+		id: '025',
+		description: migration025.description,
+		up: migration025.up,
+		down: migration025.down
+	},
+	{
+		id: '026',
+		description: migration026.description,
+		up: migration026.up,
+		down: migration026.down
 	}
 ];
 

package/backend/lib/database/queries/auth-queries.ts

@@ -0,0 +1,201 @@
+import { getDatabase } from '../index';
+
+export interface DBUser {
+	id: string;
+	name: string;
+	color: string;
+	avatar: string;
+	role: 'admin' | 'member';
+	personal_access_token_hash: string | null;
+	created_at: string;
+	updated_at: string;
+}
+
+export interface DBAuthSession {
+	id: string;
+	user_id: string;
+	token_hash: string;
+	expires_at: string;
+	created_at: string;
+	last_active_at: string;
+}
+
+export interface DBInviteToken {
+	id: string;
+	token_hash: string;
+	role: 'admin' | 'member';
+	label: string | null;
+	created_by: string;
+	max_uses: number;
+	use_count: number;
+	expires_at: string | null;
+	created_at: string;
+}
+
+export const authQueries = {
+	// ===================== Users =====================
+
+	createUser(user: Omit<DBUser, 'updated_at'> & { updated_at?: string }): DBUser {
+		const db = getDatabase();
+		const now = new Date().toISOString();
+		db.prepare(`
+			INSERT INTO users (id, name, color, avatar, role, personal_access_token_hash, created_at, updated_at)
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+		`).run(
+			user.id,
+			user.name,
+			user.color,
+			user.avatar,
+			user.role,
+			user.personal_access_token_hash,
+			user.created_at,
+			user.updated_at ?? now
+		);
+		return db.prepare('SELECT * FROM users WHERE id = ?').get(user.id) as DBUser;
+	},
+
+	getUserById(id: string): DBUser | null {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM users WHERE id = ?').get(id) as DBUser | null;
+	},
+
+	getUserByPatHash(hash: string): DBUser | null {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM users WHERE personal_access_token_hash = ?').get(hash) as DBUser | null;
+	},
+
+	getAllUsers(): DBUser[] {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM users ORDER BY created_at ASC').all() as DBUser[];
+	},
+
+	countUsers(): number {
+		const db = getDatabase();
+		const result = db.prepare('SELECT COUNT(*) as count FROM users').get() as { count: number };
+		return result.count;
+	},
+
+	countAdmins(): number {
+		const db = getDatabase();
+		const result = db.prepare("SELECT COUNT(*) as count FROM users WHERE role = 'admin'").get() as { count: number };
+		return result.count;
+	},
+
+	updateUser(id: string, fields: Partial<Pick<DBUser, 'name' | 'color' | 'avatar' | 'personal_access_token_hash'>>): void {
+		const db = getDatabase();
+		const now = new Date().toISOString();
+		const sets: string[] = ['updated_at = ?'];
+		const values: any[] = [now];
+
+		if (fields.name !== undefined) { sets.push('name = ?'); values.push(fields.name); }
+		if (fields.color !== undefined) { sets.push('color = ?'); values.push(fields.color); }
+		if (fields.avatar !== undefined) { sets.push('avatar = ?'); values.push(fields.avatar); }
+		if (fields.personal_access_token_hash !== undefined) { sets.push('personal_access_token_hash = ?'); values.push(fields.personal_access_token_hash); }
+
+		values.push(id);
+		db.prepare(`UPDATE users SET ${sets.join(', ')} WHERE id = ?`).run(...values);
+	},
+
+	deleteUser(id: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM users WHERE id = ?').run(id);
+	},
+
+	// ===================== Auth Sessions =====================
+
+	createSession(session: DBAuthSession): DBAuthSession {
+		const db = getDatabase();
+		db.prepare(`
+			INSERT INTO auth_sessions (id, user_id, token_hash, expires_at, created_at, last_active_at)
+			VALUES (?, ?, ?, ?, ?, ?)
+		`).run(
+			session.id,
+			session.user_id,
+			session.token_hash,
+			session.expires_at,
+			session.created_at,
+			session.last_active_at
+		);
+		return db.prepare('SELECT * FROM auth_sessions WHERE id = ?').get(session.id) as DBAuthSession;
+	},
+
+	getSessionByTokenHash(hash: string): DBAuthSession | null {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM auth_sessions WHERE token_hash = ?').get(hash) as DBAuthSession | null;
+	},
+
+	updateLastActive(id: string): void {
+		const db = getDatabase();
+		const now = new Date().toISOString();
+		db.prepare('UPDATE auth_sessions SET last_active_at = ? WHERE id = ?').run(now, id);
+	},
+
+	deleteSession(id: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM auth_sessions WHERE id = ?').run(id);
+	},
+
+	deleteSessionByTokenHash(hash: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM auth_sessions WHERE token_hash = ?').run(hash);
+	},
+
+	deleteSessionsByUserId(userId: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM auth_sessions WHERE user_id = ?').run(userId);
+	},
+
+	deleteExpiredSessions(): number {
+		const db = getDatabase();
+		const now = new Date().toISOString();
+		const result = db.prepare('DELETE FROM auth_sessions WHERE expires_at < ?').run(now) as { changes: number };
+		return result.changes;
+	},
+
+	// ===================== Invite Tokens =====================
+
+	createInvite(invite: DBInviteToken): DBInviteToken {
+		const db = getDatabase();
+		db.prepare(`
+			INSERT INTO invite_tokens (id, token_hash, role, label, created_by, max_uses, use_count, expires_at, created_at)
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+		`).run(
+			invite.id,
+			invite.token_hash,
+			invite.role,
+			invite.label,
+			invite.created_by,
+			invite.max_uses,
+			invite.use_count,
+			invite.expires_at,
+			invite.created_at
+		);
+		return db.prepare('SELECT * FROM invite_tokens WHERE id = ?').get(invite.id) as DBInviteToken;
+	},
+
+	getInviteByTokenHash(hash: string): DBInviteToken | null {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM invite_tokens WHERE token_hash = ?').get(hash) as DBInviteToken | null;
+	},
+
+	incrementUseCount(id: string): void {
+		const db = getDatabase();
+		db.prepare('UPDATE invite_tokens SET use_count = use_count + 1 WHERE id = ?').run(id);
+	},
+
+	getAllInvites(): DBInviteToken[] {
+		const db = getDatabase();
+		return db.prepare('SELECT * FROM invite_tokens ORDER BY created_at DESC').all() as DBInviteToken[];
+	},
+
+	revokeInvite(id: string): void {
+		const db = getDatabase();
+		db.prepare('DELETE FROM invite_tokens WHERE id = ?').run(id);
+	},
+
+	deleteAllSessions(): number {
+		const db = getDatabase();
+		const result = db.prepare('DELETE FROM auth_sessions').run() as { changes: number };
+		return result.changes;
+	}
+};

package/backend/lib/database/queries/index.ts

@@ -6,4 +6,5 @@ export { settingsQueries } from './settings-queries';
 export { dbUtils } from './utils-queries';
 export { snapshotQueries } from './snapshot-queries';
 export { checkpointQueries } from './checkpoint-queries';
-export { engineQueries } from './engine-queries';
+export { engineQueries } from './engine-queries';
+export { authQueries } from './auth-queries';

package/backend/lib/database/queries/session-queries.ts

@@ -188,6 +188,19 @@ export const sessionQueries = {
 		`).run(messageId, sessionId);
 	},
 
+	/**
+	 * Clear the HEAD pointer (set to NULL).
+	 * Used when restoring to the initial state (before any messages).
+	 */
+	clearHead(sessionId: string): void {
+		const db = getDatabase();
+		db.prepare(`
+			UPDATE chat_sessions
+			SET current_head_message_id = NULL
+			WHERE id = ?
+		`).run(sessionId);
+	},
+
 	/**
 	 * Get current HEAD message ID for a session
 	 */

package/backend/lib/database/queries/snapshot-queries.ts

@@ -114,7 +114,7 @@ export const snapshotQueries = {
 		const db = getDatabase();
 		const snapshots = db.prepare(`
 			SELECT * FROM message_snapshots
-			WHERE session_id = ?
+			WHERE session_id = ? AND (is_deleted IS NULL OR is_deleted = 0)
 			ORDER BY created_at ASC
 		`).all(sessionId) as MessageSnapshot[];
 

package/backend/lib/engine/adapters/opencode/server.ts

@@ -54,7 +54,7 @@ async function init(): Promise<void> {
 	if (Object.keys(mcpConfig).length > 0) {
 		debug.log('engine', `Open Code server: injecting ${Object.keys(mcpConfig).length} MCP server(s)`);
 		for (const [name, config] of Object.entries(mcpConfig)) {
-			debug.log('engine', `  → ${name}: ${config.type} (${(config as any).command?.join(' ') || (config as any).url})`);
+			debug.log('engine', `  → ${name}: ${config.type} (${(config as any).url || (config as any).command?.join(' ')})`);
 		}
 	}
 
@@ -81,6 +81,14 @@ export function getClient(): OpencodeClient | null {
 	return ready ? client : null;
 }
 
+/**
+ * Get the OpenCode server base URL (e.g. "http://127.0.0.1:4096").
+ * Used for direct HTTP calls to v2 endpoints not available on the v1 client.
+ */
+export function getServerUrl(): string | null {
+	return serverHandle?.url ?? null;
+}
+
 /**
  * Dispose the OpenCode client and stop the server.
  * Called during full server shutdown (disposeAllEngines).