@naisys/erp 3.0.0-beta.37 → 3.0.0-beta.39

package/client-dist/assets/{index-jH5OYerq.js → index-CBngjRDx.js}

@@ -47,7 +47,7 @@ object({
 	chatEnabled: boolean().optional().describe("Show chat commands to the agent. Chat encourages more concise communication"),
 	webEnabled: boolean().optional().describe("Allow agent to browse the web with a context-optimized text browser built on Lynx. Javascript not supported. Requires `lynx` on the host (e.g. `apt install lynx`)"),
 	browserEnabled: boolean().optional().describe("Allow agent to browse the web with a real headless Chromium browser via Playwright. Vision-capable models see screenshots; others fall back to a text/selector mode. Requires `npx playwright install chromium` on the host"),
-	completeSessionEnabled: boolean().optional().describe("Allow the agent to end its session. Once ended, it can only be restarted explicitly or via mail if wakeOnMessage is enabled. Disable on root agents to prevent the system from going unresponsive"),
+	completeSessionEnabled: boolean().optional().describe("Allow the agent to end its session. Once ended, it can only be restarted explicitly or via chat/mail if wakeOnMessage is enabled. Disable on root agents to prevent the system from going unresponsive"),
 	debugPauseSeconds: number().int("Must be a whole number").min(0, "Must be non-negative").optional().describe("Seconds to wait at the debug prompt before auto-continuing, only applies when the agent's console is in focus. Set to 0 to continue immediately. Unset waits indefinitely for manual input"),
 	wakeOnMessage: boolean().optional().describe("When mail or chat is received, start the agent automatically, or wake it from its wait state"),
 	commandProtection: _enum([
@@ -724,7 +724,7 @@ var CompactMarkdown = ({ children }) => (0, import_jsx_runtime.jsx)(Markdown, {
 });
 //#endregion
 //#region ../../../packages/common-browser/dist/SecretField.js
-var SecretField = ({ value, onRotate, rotating }) => {
+var SecretField = ({ value, onRotate, rotating, emptyLabel = "Not set" }) => {
 	const [visible, setVisible] = (0, import_react.useState)(false);
 	return (0, import_jsx_runtime.jsxs)(Group, {
 		gap: "xs",
@@ -759,7 +759,7 @@ var SecretField = ({ value, onRotate, rotating }) => {
 		] }) : (0, import_jsx_runtime.jsx)(Text, {
 			c: "dimmed",
 			size: "sm",
-			children: "Not set"
+			children: emptyLabel
 		}), onRotate && (0, import_jsx_runtime.jsx)(Tooltip, {
 			label: value ? "Rotate key" : "Generate API key",
 			children: (0, import_jsx_runtime.jsx)(ActionIcon, {
@@ -1691,7 +1691,6 @@ CreateResponseSchema.extend({ runNo: number$2() });
 object$1({
 	id: number$2(),
 	username: string$1(),
-	apiKey: string$1().nullable().optional(),
 	_links: array$1(HateoasLinkSchema).optional(),
 	_actions: array$1(HateoasActionSchema).optional()
 });
@@ -1953,7 +1952,7 @@ object$1({
 	isAgent: boolean$1(),
 	createdAt: string$1(),
 	updatedAt: string$1(),
-	apiKey: string$1().nullable().optional(),
+	hasApiKey: boolean$1(),
 	permissions: array$1(UserPermissionSchema),
 	_links: array$1(any()).optional(),
 	_actions: array$1(any()).optional()
@@ -9731,6 +9730,7 @@ var UserDetail = () => {
 	const [editError, setEditError] = (0, import_react.useState)("");
 	const [grantPerm, setGrantPerm] = (0, import_react.useState)(null);
 	const [rotating, setRotating] = (0, import_react.useState)(false);
+	const [apiKey, setApiKey] = (0, import_react.useState)(null);
 	const [pwOpened, { open: openPw, close: closePw }] = useDisclosure();
 	const [newPassword, setNewPassword] = (0, import_react.useState)("");
 	const [pwSaving, setPwSaving] = (0, import_react.useState)(false);
@@ -9740,6 +9740,7 @@ var UserDetail = () => {
 		setLoading(true);
 		try {
 			setUser(await api.get(apiEndpoints.user(routeUsername)));
+			setApiKey(null);
 		} catch {} finally {
 			setLoading(false);
 		}
@@ -9806,11 +9807,15 @@ var UserDetail = () => {
 	};
 	const handleRotateKey = async () => {
 		if (!routeUsername) return;
-		if (!confirm("Rotate this user's API key? The old key will stop working immediately.")) return;
+		if (!confirm("Generate a new API key? The old key will stop working immediately.")) return;
 		setRotating(true);
 		try {
-			await api.post(apiEndpoints.userRotateKey(routeUsername), {});
-			fetchUser();
+			const result = await api.post(apiEndpoints.userRotateKey(routeUsername), {});
+			setApiKey(result.apiKey ?? null);
+			setUser((current) => current ? {
+				...current,
+				hasApiKey: !!result.apiKey
+			} : current);
 		} catch (err) {
 			showErrorNotification(err);
 		} finally {
@@ -9912,12 +9917,28 @@ var UserDetail = () => {
 							w: 120,
 							children: "Type:"
 						}), /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Text, { children: user.isAgent ? "Agent" : "User" })] }),
-						(user.apiKey || hasAction(user._actions, "rotate-key")) && /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Group, { children: [/* @__PURE__ */ (0, import_jsx_runtime.jsx)(Text, {
+						supervisorAuth ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Group, { children: [/* @__PURE__ */ (0, import_jsx_runtime.jsx)(Text, {
+							fw: 600,
+							w: 120,
+							children: "Credentials:"
+						}), /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Text, {
+							size: "sm",
+							children: [
+								"Password and API key are managed in the",
+								" ",
+								/* @__PURE__ */ (0, import_jsx_runtime.jsx)(Anchor, {
+									href: `/supervisor/users/${user.username}`,
+									children: "supervisor"
+								}),
+								"."
+							]
+						})] }) : (user.hasApiKey || hasAction(user._actions, "rotate-key")) && /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Group, { children: [/* @__PURE__ */ (0, import_jsx_runtime.jsx)(Text, {
 							fw: 600,
 							w: 120,
 							children: "API Key:"
 						}), /* @__PURE__ */ (0, import_jsx_runtime.jsx)(SecretField, {
-							value: user.apiKey ?? null,
+							value: apiKey,
+							emptyLabel: user.hasApiKey ? "Generated (hidden)" : "Not set",
 							onRotate: hasAction(user._actions, "rotate-key") ? handleRotateKey : void 0,
 							rotating
 						})] })

package/client-dist/index.html

@@ -45,7 +45,7 @@
     <meta name="format-detection" content="telephone=no" />
 
     <title>NAISYS ERP</title>
-    <script type="module" crossorigin src="/erp/assets/index-jH5OYerq.js"></script>
+    <script type="module" crossorigin src="/erp/assets/index-CBngjRDx.js"></script>
     <link rel="modulepreload" crossorigin href="/erp/assets/rolldown-runtime-CvHMtSRF.js">
     <link rel="modulepreload" crossorigin href="/erp/assets/vendor-DFaFIeiT.js">
     <link rel="stylesheet" crossorigin href="/erp/assets/vendor-CLUPjUnv.css">

package/dist/auth-middleware.js

@@ -1,4 +1,4 @@
-import { AuthCache } from "@naisys/common";
+import { AuthCache, urlMatchesPrefix } from "@naisys/common";
 import { extractBearerToken, hashToken, SESSION_COOKIE_NAME, } from "@naisys/common-node";
 import { findAgentByApiKey } from "@naisys/hub-database";
 import { findSession, findUserByApiKey } from "@naisys/supervisor-database";
@@ -13,6 +13,63 @@ async function loadPermissions(userId) {
     });
     return perms.map((p) => p.permission);
 }
+async function materializeErpUser(localUser) {
+    return {
+        id: localUser.id,
+        username: localUser.username,
+        permissions: await loadPermissions(localUser.id),
+    };
+}
+async function resolveCookie(token) {
+    const tokenHash = hashToken(token);
+    return authCache.getOrLoad(`cookie:${tokenHash}`, async () => {
+        const localUser = isSupervisorAuth()
+            ? await loadCookieUserSso(tokenHash)
+            : await loadCookieUserStandalone(tokenHash);
+        return localUser ? materializeErpUser(localUser) : null;
+    });
+}
+async function loadCookieUserSso(tokenHash) {
+    const session = await findSession(tokenHash);
+    if (!session)
+        return null;
+    return erpDb.user.upsert({
+        where: { uuid: session.uuid },
+        create: { uuid: session.uuid, username: session.username },
+        update: {},
+    });
+}
+async function loadCookieUserStandalone(tokenHash) {
+    const session = await erpDb.session.findUnique({
+        where: { tokenHash, expiresAt: { gt: new Date() } },
+        include: { user: true },
+    });
+    return session?.user ?? null;
+}
+async function resolveApiKey(apiKey) {
+    const apiKeyHash = hashToken(apiKey);
+    return authCache.getOrLoad(`apikey:${apiKeyHash}`, async () => {
+        const localUser = isSupervisorAuth()
+            ? await loadApiKeyUserSso(apiKey)
+            : await erpDb.user.findUnique({ where: { apiKeyHash } });
+        return localUser ? materializeErpUser(localUser) : null;
+    });
+}
+async function loadApiKeyUserSso(apiKey) {
+    // Try supervisor DB (humans + agents with external keys),
+    // then hub DB (agents matching their hub-issued runtime key).
+    const supervisorUser = await findUserByApiKey(apiKey);
+    const hubAgent = supervisorUser ? null : await findAgentByApiKey(apiKey);
+    const match = supervisorUser ?? hubAgent;
+    if (!match)
+        return null;
+    const isAgent = supervisorUser?.isAgent ?? !!hubAgent;
+    return erpDb.user.upsert({
+        where: { uuid: match.uuid },
+        create: { uuid: match.uuid, username: match.username, isAgent },
+        update: {},
+    });
+}
 export function hasPermission(user, permission) {
     if (!user)
         return false;
@@ -44,13 +101,11 @@ function isPublicRoute(url) {
     // Exact match: API root
     if (url === "/erp/api/" || url === "/erp/api")
         return true;
-    // Prefix matches
     for (const prefix of PUBLIC_PREFIXES) {
-        if (url.startsWith(prefix))
+        if (urlMatchesPrefix(url, prefix))
             return true;
     }
-    // Schema routes
-    if (url.startsWith("/erp/api/schemas"))
+    if (urlMatchesPrefix(url, "/erp/api/schemas"))
         return true;
     // Non-ERP-API paths (static files, supervisor routes, etc.)
     if (!url.startsWith("/erp/api"))
@@ -63,131 +118,18 @@ export function registerAuthMiddleware(fastify) {
     fastify.addHook("onRequest", async (request, reply) => {
         const token = request.cookies?.[SESSION_COOKIE_NAME];
         if (token) {
-            const tokenHash = hashToken(token);
-            const cacheKey = `cookie:${tokenHash}`;
-            const cached = authCache.get(cacheKey);
-            if (cached !== undefined) {
-                // Cache hit (valid or negative)
-                if (cached)
-                    request.erpUser = cached;
-            }
-            else if (isSupervisorAuth()) {
-                // SSO mode: supervisor DB is source of truth for sessions
-                const session = await findSession(tokenHash);
-                if (session) {
-                    let localUser = await erpDb.user.findUnique({
-                        where: { uuid: session.uuid },
-                    });
-                    if (!localUser) {
-                        localUser = await erpDb.user.create({
-                            data: {
-                                uuid: session.uuid,
-                                username: session.username,
-                                passwordHash: "!sso-passkey-only",
-                            },
-                        });
-                    }
-                    const permissions = await loadPermissions(localUser.id);
-                    const erpUser = {
-                        id: localUser.id,
-                        username: localUser.username,
-                        permissions,
-                    };
-                    authCache.set(cacheKey, erpUser);
-                    request.erpUser = erpUser;
-                }
-                else {
-                    authCache.set(cacheKey, null);
-                }
-            }
-            else {
-                // Standalone mode: local session only
-                const session = await erpDb.session.findUnique({
-                    where: {
-                        tokenHash,
-                        expiresAt: { gt: new Date() },
-                    },
-                    include: { user: true },
-                });
-                if (session) {
-                    const permissions = await loadPermissions(session.user.id);
-                    const erpUser = {
-                        id: session.user.id,
-                        username: session.user.username,
-                        permissions,
-                    };
-                    authCache.set(cacheKey, erpUser);
-                    request.erpUser = erpUser;
-                }
-                else {
-                    authCache.set(cacheKey, null);
-                }
-            }
+            const user = await resolveCookie(token);
+            if (user)
+                request.erpUser = user;
         }
-        // API key auth (for agents / machine-to-machine)
         if (!request.erpUser) {
             const apiKey = extractBearerToken(request.headers.authorization);
             if (apiKey) {
-                const apiKeyHash = hashToken(apiKey);
-                const cacheKey = `apikey:${apiKeyHash}`;
-                const cached = authCache.get(cacheKey);
-                if (cached !== undefined) {
-                    if (cached)
-                        request.erpUser = cached;
-                }
-                else if (isSupervisorAuth()) {
-                    // SSO mode: try supervisor DB (human users), then hub DB (agents)
-                    const match = (await findUserByApiKey(apiKey)) ??
-                        (await findAgentByApiKey(apiKey));
-                    if (match) {
-                        let localUser = await erpDb.user.findUnique({
-                            where: { uuid: match.uuid },
-                        });
-                        if (!localUser) {
-                            localUser = await erpDb.user.create({
-                                data: {
-                                    uuid: match.uuid,
-                                    username: match.username,
-                                    passwordHash: "!api-key-only",
-                                    isAgent: true,
-                                },
-                            });
-                        }
-                        const permissions = await loadPermissions(localUser.id);
-                        const erpUser = {
-                            id: localUser.id,
-                            username: localUser.username,
-                            permissions,
-                        };
-                        authCache.set(cacheKey, erpUser);
-                        request.erpUser = erpUser;
-                    }
-                    else {
-                        authCache.set(cacheKey, null);
-                    }
-                }
-                else {
-                    // Standalone mode: check local ERP user table
-                    const localUser = await erpDb.user.findUnique({
-                        where: { apiKey },
-                    });
-                    if (localUser) {
-                        const permissions = await loadPermissions(localUser.id);
-                        const erpUser = {
-                            id: localUser.id,
-                            username: localUser.username,
-                            permissions,
-                        };
-                        authCache.set(cacheKey, erpUser);
-                        request.erpUser = erpUser;
-                    }
-                    else {
-                        authCache.set(cacheKey, null);
-                    }
-                }
+                const user = await resolveApiKey(apiKey);
+                if (user)
+                    request.erpUser = user;
             }
         }
-        // Check if auth is required
         if (request.erpUser)
             return; // Authenticated, always allowed
         if (isPublicRoute(request.url))

package/dist/dbConfig.js

@@ -6,5 +6,5 @@ export function erpDbUrl() {
     return "file:" + erpDbPath();
 }
 /** We run migration scripts if this is greater than what's in the schema_version table */
-export const ERP_DB_VERSION = 43;
+export const ERP_DB_VERSION = 44;
 //# sourceMappingURL=dbConfig.js.map

package/dist/erpServer.js

@@ -17,6 +17,7 @@ import Fastify from "fastify";
 import { jsonSchemaTransform, jsonSchemaTransformObject, serializerCompiler, validatorCompiler, } from "fastify-type-provider-zod";
 import path from "path";
 import { fileURLToPath } from "url";
+import { takeCoverage } from "v8";
 import { registerApiReference } from "./api-reference.js";
 import { registerAuthMiddleware } from "./auth-middleware.js";
 import { ERP_DB_VERSION, erpDbPath } from "./dbConfig.js";
@@ -129,6 +130,9 @@ async function startServer(wizardRan) {
     const isProd = process.env.NODE_ENV === "production";
     const fastify = Fastify({
         pluginTimeout: 60_000,
+        // trustProxy: TLS terminates at the reverse proxy, so honor X-Forwarded-*
+        // headers — otherwise request.protocol reads the internal http hop.
+        trustProxy: true,
         logger: {
             transport: {
                 target: "pino-pretty",
@@ -159,6 +163,12 @@ async function startServer(wizardRan) {
     fastify.get("/", { schema: { hide: true } }, async (_request, reply) => {
         return reply.redirect("/erp/");
     });
+    if (process.env.NODE_V8_COVERAGE) {
+        fastify.post("/erp/api/__coverage/flush", { schema: { hide: true } }, () => {
+            takeCoverage();
+            return { ok: true };
+        });
+    }
     const superAdminPassword = wizardRan && !isSupervisorAuth()
         ? await promptSuperAdminPassword("ERP Setup")
         : undefined;
@@ -196,7 +206,6 @@ if (process.argv[1] === fileURLToPath(import.meta.url)) {
                     },
                     { key: "SERVER_PORT", label: "Server Port" },
                     { key: "SUPERVISOR_AUTH", label: "Use Supervisor for Auth" },
-                    { key: "PUBLIC_READ", label: "Public Read Access" },
                 ],
             },
         ],
@@ -207,7 +216,10 @@ if (process.argv[1] === fileURLToPath(import.meta.url)) {
         wizardRan = await runSetupWizard(path.resolve(".env"), erpExampleUrl, erpWizardConfig);
         expandNaisysFolder();
     }
-    wizardRan = (await ensureDotEnv(erpExampleUrl, erpWizardConfig)) || wizardRan;
+    if (process.env.NAISYS_SKIP_DOTENV_CHECK !== "1") {
+        wizardRan =
+            (await ensureDotEnv(erpExampleUrl, erpWizardConfig)) || wizardRan;
+    }
     const fastify = await startServer(wizardRan);
     let shuttingDown = false;
     const handleShutdown = async (signal) => {