@naisys/supervisor 3.0.0-beta.10

package/client-dist/index.html

@@ -0,0 +1,49 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+
+    <link rel="icon" type="image/x-icon" href="/supervisor/favicon.ico" />
+    <link
+      rel="apple-touch-icon"
+      sizes="180x180"
+      href="/supervisor/apple-touch-icon.png"
+    />
+
+    <link
+      rel="manifest"
+      crossorigin="use-credentials"
+      href="/supervisor/site.webmanifest"
+    />
+    <meta
+      name="viewport"
+      content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"
+    />
+
+    <meta name="theme-color" content="#1a1b1e" />
+    <meta name="mobile-web-app-capable" content="yes" />
+    <meta
+      name="apple-mobile-web-app-status-bar-style"
+      content="black-translucent"
+    />
+    <meta name="apple-mobile-web-app-title" content="NAISYS Supervisor" />
+
+    <meta
+      name="description"
+      content="NAISYS Supervisor - Multi-agent system management interface"
+    />
+    <meta
+      name="keywords"
+      content="NAISYS, AI, agents, management, supervisor"
+    />
+    <meta name="robots" content="noindex, nofollow" />
+    <meta name="format-detection" content="telephone=no" />
+
+    <title>NAISYS Supervisor</title>
+    <script type="module" crossorigin src="/supervisor/assets/index-WzoDF0aQ.js"></script>
+    <link rel="stylesheet" crossorigin href="/supervisor/assets/index-CKg0vgt5.css">
+  </head>
+  <body>
+    <div id="root"></div>
+  </body>
+</html>

package/client-dist/site.webmanifest

@@ -0,0 +1,22 @@
+{
+  "name": "NAISYS Supervisor",
+  "short_name": "Supervisor",
+  "icons": [
+    {
+      "src": "/supervisor/android-chrome-192x192.png",
+      "sizes": "192x192",
+      "type": "image/png"
+    },
+    {
+      "src": "/supervisor/android-chrome-512x512.png",
+      "sizes": "512x512",
+      "type": "image/png"
+    }
+  ],
+  "theme_color": "#1a1b1e",
+  "background_color": "#1a1b1e",
+  "display": "standalone",
+  "start_url": "/supervisor/",
+  "scope": "/supervisor/",
+  "orientation": "portrait-primary"
+}

package/dist/api-reference.js

@@ -0,0 +1,54 @@
+import scalarReference from "@scalar/fastify-api-reference";
+import { registerAuthMiddleware } from "./auth-middleware.js";
+/**
+ * Registers Scalar API reference and the filtered OpenAPI spec endpoint
+ * for the Supervisor service.
+ */
+export async function registerApiReference(fastify) {
+    // Both the reference page and spec endpoint are inside the auth scope.
+    // isPublicRoute treats /supervisor/api-reference as non-public (starts
+    // with /supervisor/api), so PUBLIC_READ=true allows GET access while
+    // PUBLIC_READ=false requires authentication.
+    await fastify.register(async (scope) => {
+        registerAuthMiddleware(scope);
+        await scope.register(scalarReference, {
+            routePrefix: "/supervisor/api-reference",
+            configuration: {
+                spec: { url: "/supervisor/api/openapi.json" },
+                theme: "kepler",
+            },
+        });
+        scope.get("/supervisor/api/openapi.json", () => {
+            const spec = fastify.swagger();
+            const filteredPaths = {};
+            for (const [path, value] of Object.entries(spec.paths || {})) {
+                if (path.startsWith("/supervisor/api/")) {
+                    filteredPaths[path] = value;
+                }
+            }
+            return {
+                ...spec,
+                paths: filteredPaths,
+                "x-tagGroups": [
+                    {
+                        name: "General",
+                        tags: ["Discovery", "Authentication", "Hosts", "Status", "Users"],
+                    },
+                    {
+                        name: "Agents",
+                        tags: ["Agents", "Chat", "Mail", "Runs", "Attachments", "Costs"],
+                    },
+                    {
+                        name: "Configuration",
+                        tags: ["Models", "Variables"],
+                    },
+                    {
+                        name: "Administration",
+                        tags: ["Admin"],
+                    },
+                ],
+            };
+        });
+    });
+}
+//# sourceMappingURL=api-reference.js.map

package/dist/auth-middleware.js

@@ -0,0 +1,116 @@
+import { AuthCache } from "@naisys/common";
+import { extractBearerToken, hashToken, SESSION_COOKIE_NAME, } from "@naisys/common-node";
+import { findAgentByApiKey } from "@naisys/hub-database";
+import { findSession, findUserByApiKey } from "@naisys/supervisor-database";
+import { createUserForAgent, getUserByUuid, getUserPermissions, } from "./services/userService.js";
+const PUBLIC_PREFIXES = ["/supervisor/api/auth/login"];
+export const authCache = new AuthCache();
+function isPublicRoute(url) {
+    if (url === "/supervisor/api/" || url === "/supervisor/api")
+        return true;
+    for (const prefix of PUBLIC_PREFIXES) {
+        if (url.startsWith(prefix))
+            return true;
+    }
+    // Non-supervisor-API paths (static files, ERP routes, etc.)
+    if (!url.startsWith("/supervisor/api"))
+        return true;
+    return false;
+}
+async function buildSupervisorUser(id, username, uuid) {
+    const permissions = await getUserPermissions(id);
+    return { id, username, uuid, permissions };
+}
+export async function resolveUserFromToken(token) {
+    const tokenHash = hashToken(token);
+    const cacheKey = `cookie:${tokenHash}`;
+    const cached = authCache.get(cacheKey);
+    if (cached !== undefined)
+        return cached;
+    const session = await findSession(tokenHash);
+    if (!session) {
+        authCache.set(cacheKey, null);
+        return null;
+    }
+    const user = await buildSupervisorUser(session.userId, session.username, session.uuid);
+    authCache.set(cacheKey, user);
+    return user;
+}
+export async function resolveUserFromApiKey(apiKey) {
+    const apiKeyHash = hashToken(apiKey);
+    const cacheKey = `apikey:${apiKeyHash}`;
+    const cached = authCache.get(cacheKey);
+    if (cached !== undefined)
+        return cached;
+    // Try supervisor DB first (human users), then hub DB (agents)
+    const match = (await findUserByApiKey(apiKey)) ?? (await findAgentByApiKey(apiKey));
+    if (!match) {
+        authCache.set(cacheKey, null);
+        return null;
+    }
+    let localUser = await getUserByUuid(match.uuid);
+    if (!localUser) {
+        localUser = await createUserForAgent(match.username, match.uuid);
+    }
+    const user = await buildSupervisorUser(localUser.id, localUser.username, localUser.uuid);
+    authCache.set(cacheKey, user);
+    return user;
+}
+export function registerAuthMiddleware(fastify) {
+    const publicRead = process.env.PUBLIC_READ === "true";
+    fastify.decorateRequest("supervisorUser", undefined);
+    fastify.addHook("onRequest", async (request, reply) => {
+        const token = request.cookies?.[SESSION_COOKIE_NAME];
+        if (token) {
+            const user = await resolveUserFromToken(token);
+            if (user)
+                request.supervisorUser = user;
+        }
+        // API key auth (for agents / machine-to-machine)
+        if (!request.supervisorUser) {
+            const apiKey = extractBearerToken(request.headers.authorization);
+            if (apiKey) {
+                const user = await resolveUserFromApiKey(apiKey);
+                if (user)
+                    request.supervisorUser = user;
+            }
+        }
+        if (request.supervisorUser)
+            return; // Authenticated
+        if (isPublicRoute(request.url))
+            return; // Public route
+        if (publicRead && request.method === "GET")
+            return; // Public read mode
+        reply.status(401).send({
+            statusCode: 401,
+            error: "Unauthorized",
+            message: "Authentication required",
+        });
+    });
+}
+export function hasPermission(user, permission) {
+    return ((user?.permissions.includes(permission) ||
+        user?.permissions.includes("supervisor_admin")) ??
+        false);
+}
+export function requirePermission(permission) {
+    return async (request, reply) => {
+        if (!request.supervisorUser) {
+            reply.status(401).send({
+                statusCode: 401,
+                error: "Unauthorized",
+                message: "Authentication required",
+            });
+            return;
+        }
+        if (!hasPermission(request.supervisorUser, permission)) {
+            reply.status(403).send({
+                statusCode: 403,
+                error: "Forbidden",
+                message: `Permission '${permission}' required`,
+            });
+            return;
+        }
+    };
+}
+//# sourceMappingURL=auth-middleware.js.map

package/dist/database/hubDb.js

@@ -0,0 +1,26 @@
+import { createPrismaClient } from "@naisys/hub-database";
+import path from "path";
+import { env } from "process";
+export function getNaisysDatabasePath() {
+    if (!env.NAISYS_FOLDER) {
+        throw new Error("NAISYS_FOLDER environment variable is not set.");
+    }
+    const dbFilename = "naisys_hub.db";
+    return path.join(env.NAISYS_FOLDER, "database", dbFilename);
+}
+let _db;
+/** Lazily initialized Prisma client. First access creates the connection. */
+export const hubDb = new Proxy({}, {
+    get(_target, prop, receiver) {
+        if (!_db) {
+            throw new Error("hubDb accessed before initialization. Ensure migrations have completed first.");
+        }
+        return Reflect.get(_db, prop, receiver);
+    },
+});
+export async function initHubDb() {
+    if (!_db) {
+        _db = await createPrismaClient(getNaisysDatabasePath());
+    }
+}
+//# sourceMappingURL=hubDb.js.map

package/dist/database/supervisorDb.js

@@ -0,0 +1,18 @@
+import { createPrismaClient, supervisorDbPath, } from "@naisys/supervisor-database";
+let _db;
+/** Lazily initialized Prisma client. First access creates the connection. */
+const supervisorDb = new Proxy({}, {
+    get(_target, prop, receiver) {
+        if (!_db) {
+            throw new Error("supervisorDb accessed before initialization. Ensure migrations have completed first.");
+        }
+        return Reflect.get(_db, prop, receiver);
+    },
+});
+export async function initSupervisorDb() {
+    if (!_db) {
+        _db = await createPrismaClient(supervisorDbPath());
+    }
+}
+export default supervisorDb;
+//# sourceMappingURL=supervisorDb.js.map

package/dist/error-helpers.js

@@ -0,0 +1,13 @@
+export function notFound(reply, message) {
+    reply.status(404);
+    return { success: false, message };
+}
+export function badRequest(reply, message) {
+    reply.status(400);
+    return { success: false, message };
+}
+export function conflict(reply, message) {
+    reply.status(409);
+    return { success: false, message };
+}
+//# sourceMappingURL=error-helpers.js.map

package/dist/hateoas.js

@@ -0,0 +1,61 @@
+export const API_PREFIX = "/supervisor/api";
+export function selfLink(path, title) {
+    return { rel: "self", href: `${API_PREFIX}${path}`, title };
+}
+export function collectionLink(resource) {
+    return {
+        rel: "collection",
+        href: `${API_PREFIX}/${resource}`,
+        title: resource,
+    };
+}
+export function schemaLink(schemaName) {
+    return {
+        rel: "schema",
+        href: `${API_PREFIX}/schemas/${schemaName}`,
+    };
+}
+function buildQuery(page, pageSize, filters) {
+    const params = new URLSearchParams();
+    params.set("page", String(page));
+    params.set("pageSize", String(pageSize));
+    if (filters) {
+        for (const [key, value] of Object.entries(filters)) {
+            if (value !== undefined)
+                params.set(key, value);
+        }
+    }
+    return params.toString();
+}
+export function paginationLinks(basePath, page, pageSize, total, filters) {
+    const fullPath = `${API_PREFIX}/${basePath}`;
+    const totalPages = Math.ceil(total / pageSize);
+    const links = [
+        {
+            rel: "self",
+            href: `${fullPath}?${buildQuery(page, pageSize, filters)}`,
+        },
+        {
+            rel: "first",
+            href: `${fullPath}?${buildQuery(1, pageSize, filters)}`,
+        },
+        {
+            rel: "last",
+            href: `${fullPath}?${buildQuery(Math.max(1, totalPages), pageSize, filters)}`,
+        },
+    ];
+    if (page > 1) {
+        links.push({
+            rel: "prev",
+            href: `${fullPath}?${buildQuery(page - 1, pageSize, filters)}`,
+        });
+    }
+    if (page < totalPages) {
+        links.push({
+            rel: "next",
+            href: `${fullPath}?${buildQuery(page + 1, pageSize, filters)}`,
+        });
+    }
+    return links;
+}
+//# sourceMappingURL=hateoas.js.map

package/dist/logger.js

@@ -0,0 +1,11 @@
+let _logger;
+export function initLogger(logger) {
+    _logger = logger;
+}
+export function getLogger() {
+    if (!_logger) {
+        throw new Error("Logger not initialized. Call initLogger() first.");
+    }
+    return _logger;
+}
+//# sourceMappingURL=logger.js.map

package/dist/route-helpers.js

@@ -0,0 +1,7 @@
+import { permGate, resolveActions as resolveActionsBase, } from "@naisys/common";
+import { hasPermission } from "./auth-middleware.js";
+export { permGate };
+export function resolveActions(defs, baseHref, ctx) {
+    return resolveActionsBase(defs, baseHref, ctx, (perm) => hasPermission(ctx.user, perm));
+}
+//# sourceMappingURL=route-helpers.js.map

package/dist/routes/admin.js

@@ -0,0 +1,209 @@
+import fs from "node:fs/promises";
+import { supervisorDbPath } from "@naisys/supervisor-database";
+import { AdminAttachmentListRequestSchema, AdminAttachmentListResponseSchema, AdminInfoResponseSchema, ErrorResponseSchema, RotateAccessKeyResultSchema, ServerLogRequestSchema, ServerLogResponseSchema, } from "@naisys/supervisor-shared";
+import archiver from "archiver";
+import { hasPermission, requirePermission } from "../auth-middleware.js";
+import { getNaisysDatabasePath, hubDb } from "../database/hubDb.js";
+import { API_PREFIX, paginationLinks } from "../hateoas.js";
+import { buildExportFiles, } from "../services/configExportService.js";
+import { getHubAccessKey, isHubConnected, sendRotateAccessKey, } from "../services/hubConnectionService.js";
+import { getLogFilePath, tailLogFile } from "../services/logFileService.js";
+function adminActions(hasAdminPermission) {
+    const actions = [];
+    if (hasAdminPermission) {
+        actions.push({
+            rel: "export-config",
+            href: `${API_PREFIX}/admin/export-config`,
+            method: "GET",
+            title: "Export Config",
+        }, {
+            rel: "view-logs",
+            href: `${API_PREFIX}/admin/logs`,
+            method: "GET",
+            title: "View Logs",
+        }, {
+            rel: "view-attachments",
+            href: `${API_PREFIX}/admin/attachments`,
+            method: "GET",
+            title: "View Attachments",
+        });
+        if (getHubAccessKey()) {
+            actions.push({
+                rel: "rotate-access-key",
+                href: `${API_PREFIX}/admin/rotate-access-key`,
+                method: "POST",
+                title: "Rotate Hub Access Key",
+            });
+        }
+    }
+    return actions;
+}
+export default function adminRoutes(fastify, _options) {
+    // GET / — Admin info
+    fastify.get("/", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "Get admin system info",
+            tags: ["Admin"],
+            response: {
+                200: AdminInfoResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const hasAdminPermission = hasPermission(request.supervisorUser, "supervisor_admin");
+        const actions = adminActions(hasAdminPermission);
+        const [supervisorDbSize, hubDbSize] = await Promise.all([
+            fs
+                .stat(supervisorDbPath())
+                .then((s) => s.size)
+                .catch(() => undefined),
+            fs
+                .stat(getNaisysDatabasePath())
+                .then((s) => s.size)
+                .catch(() => undefined),
+        ]);
+        return {
+            supervisorDbPath: supervisorDbPath(),
+            supervisorDbSize,
+            hubDbPath: getNaisysDatabasePath(),
+            hubDbSize,
+            hubConnected: isHubConnected(),
+            hubAccessKey: getHubAccessKey(),
+            _actions: actions.length > 0 ? actions : undefined,
+        };
+    });
+    // GET /export-config — Download config zip
+    fastify.get("/export-config", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "Export configuration as a zip file",
+            tags: ["Admin"],
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (_request, reply) => {
+        const users = (await hubDb.users.findMany({
+            select: {
+                id: true,
+                username: true,
+                title: true,
+                config: true,
+                lead_user_id: true,
+                archived: true,
+            },
+        }));
+        const variables = await hubDb.variables.findMany({
+            select: { key: true, value: true },
+            orderBy: { key: "asc" },
+        });
+        const modelRows = (await hubDb.models.findMany());
+        const exportFiles = buildExportFiles(users, variables, modelRows);
+        reply.header("Content-Disposition", 'attachment; filename="naisys-config.zip"');
+        reply.type("application/zip");
+        const archive = archiver("zip", { zlib: { level: 9 } });
+        archive.on("error", (err) => {
+            reply.log.error(err, "Archiver error");
+        });
+        for (const file of exportFiles) {
+            archive.append(file.content, { name: file.path });
+        }
+        await archive.finalize();
+        return reply.send(archive);
+    });
+    // POST /rotate-access-key — Rotate hub access key
+    fastify.post("/rotate-access-key", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "Rotate the hub access key",
+            tags: ["Admin"],
+            response: {
+                200: RotateAccessKeyResultSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (_request, reply) => {
+        try {
+            const result = await sendRotateAccessKey();
+            return result;
+        }
+        catch (error) {
+            reply.log.error(error, "Error in POST /admin/rotate-access-key route");
+            return reply.status(500).send({
+                success: false,
+                message: error instanceof Error
+                    ? error.message
+                    : "Failed to rotate access key",
+            });
+        }
+    });
+    // GET /logs — Tail server log files
+    fastify.get("/logs", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "Get tail of a server log file",
+            tags: ["Admin"],
+            querystring: ServerLogRequestSchema,
+            response: {
+                200: ServerLogResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const { file, lines, minLevel } = request.query;
+        const cappedLines = Math.min(lines, 1000);
+        const filePath = getLogFilePath(file);
+        const { entries, fileSize } = await tailLogFile(filePath, cappedLines, minLevel);
+        return {
+            entries,
+            fileName: `${file}.log`,
+            fileSize,
+        };
+    });
+    // GET /attachments — List all attachments
+    fastify.get("/attachments", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "List all uploaded attachments",
+            tags: ["Admin"],
+            querystring: AdminAttachmentListRequestSchema,
+            response: {
+                200: AdminAttachmentListResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const { page, pageSize } = request.query;
+        const skip = (page - 1) * pageSize;
+        const [rows, total] = await Promise.all([
+            hubDb.attachments.findMany({
+                orderBy: { created_at: "desc" },
+                include: {
+                    uploader: { select: { username: true } },
+                },
+                skip,
+                take: pageSize,
+            }),
+            hubDb.attachments.count(),
+        ]);
+        return {
+            attachments: rows.map((r) => ({
+                id: r.public_id,
+                filename: r.filename,
+                fileSize: r.file_size,
+                fileHash: r.file_hash,
+                purpose: r.purpose,
+                uploadedBy: r.uploader.username,
+                createdAt: r.created_at.toISOString(),
+            })),
+            total,
+            page,
+            pageSize,
+            _links: paginationLinks("admin/attachments", page, pageSize, total),
+        };
+    });
+}
+//# sourceMappingURL=admin.js.map