@naisys/supervisor 3.0.0-beta.6

package/dist/services/modelService.js

@@ -0,0 +1,92 @@
+import { builtInImageModels, builtInLlmModels, imageModelToDbFields, llmModelToDbFields, } from "@naisys/common";
+import { hubDb } from "../database/hubDb.js";
+export async function getAllModelsFromDb() {
+    return hubDb.models.findMany();
+}
+export async function saveLlmModel(model) {
+    const fields = llmModelToDbFields(model, false, true);
+    const existing = await hubDb.models.findUnique({
+        where: { key: model.key },
+    });
+    if (existing) {
+        await hubDb.models.update({
+            where: { key: model.key },
+            data: { ...fields, is_builtin: existing.is_builtin, is_custom: true },
+        });
+    }
+    else {
+        await hubDb.models.create({ data: fields });
+    }
+    return { success: true, message: "LLM model saved" };
+}
+export async function saveImageModel(model) {
+    const fields = imageModelToDbFields(model, false, true);
+    const existing = await hubDb.models.findUnique({
+        where: { key: model.key },
+    });
+    if (existing) {
+        await hubDb.models.update({
+            where: { key: model.key },
+            data: { ...fields, is_builtin: existing.is_builtin, is_custom: true },
+        });
+    }
+    else {
+        await hubDb.models.create({ data: fields });
+    }
+    return { success: true, message: "Image model saved" };
+}
+export async function deleteLlmModel(key) {
+    const existing = await hubDb.models.findUnique({ where: { key } });
+    if (!existing || existing.type !== "llm") {
+        return {
+            success: false,
+            message: "Model not found",
+            revertedToBuiltIn: false,
+        };
+    }
+    if (existing.is_builtin) {
+        // Reset to built-in defaults
+        const builtIn = builtInLlmModels.find((m) => m.key === key);
+        const fields = llmModelToDbFields(builtIn, true, false);
+        await hubDb.models.update({ where: { key }, data: fields });
+        return {
+            success: true,
+            message: "Custom override removed, reverted to built-in",
+            revertedToBuiltIn: true,
+        };
+    }
+    await hubDb.models.delete({ where: { key } });
+    return {
+        success: true,
+        message: "Custom model deleted",
+        revertedToBuiltIn: false,
+    };
+}
+export async function deleteImageModel(key) {
+    const existing = await hubDb.models.findUnique({ where: { key } });
+    if (!existing || existing.type !== "image") {
+        return {
+            success: false,
+            message: "Model not found",
+            revertedToBuiltIn: false,
+        };
+    }
+    if (existing.is_builtin) {
+        // Reset to built-in defaults
+        const builtIn = builtInImageModels.find((m) => m.key === key);
+        const fields = imageModelToDbFields(builtIn, true, false);
+        await hubDb.models.update({ where: { key }, data: fields });
+        return {
+            success: true,
+            message: "Custom override removed, reverted to built-in",
+            revertedToBuiltIn: true,
+        };
+    }
+    await hubDb.models.delete({ where: { key } });
+    return {
+        success: true,
+        message: "Custom model deleted",
+        revertedToBuiltIn: false,
+    };
+}
+//# sourceMappingURL=modelService.js.map

package/dist/services/runsService.js

@@ -0,0 +1,164 @@
+import { hubDb } from "../database/hubDb.js";
+const VOWELS = "aeiou";
+const CONSONANTS = "bcdfghjklmnpqrstvwxyz";
+const DIGITS = "0123456789";
+function randomChar(pool) {
+    return pool[Math.floor(Math.random() * pool.length)];
+}
+/** Replace each letter/digit with a random one of the same class (vowel/consonant/digit), preserving case and all other characters. */
+function obfuscateText(text) {
+    let result = "";
+    for (const ch of text) {
+        const lower = ch.toLowerCase();
+        if (DIGITS.includes(lower)) {
+            result += randomChar(DIGITS);
+        }
+        else if (VOWELS.includes(lower)) {
+            const r = randomChar(VOWELS);
+            result += ch === lower ? r : r.toUpperCase();
+        }
+        else if (CONSONANTS.includes(lower)) {
+            const r = randomChar(CONSONANTS);
+            result += ch === lower ? r : r.toUpperCase();
+        }
+        else {
+            result += ch;
+        }
+    }
+    return result;
+}
+function obfuscateFilename(filename) {
+    const dotIndex = filename.lastIndexOf(".");
+    if (dotIndex <= 0)
+        return "attachment";
+    return `attachment${filename.slice(dotIndex)}`;
+}
+/** Obfuscate all log message text for public preview. */
+export function obfuscateLogs(data) {
+    return {
+        ...data,
+        logs: data.logs.map((log) => ({
+            ...log,
+            message: obfuscateText(log.message),
+            attachment: log.attachment
+                ? { id: "no-access", filename: obfuscateFilename(log.attachment.filename), fileSize: 0 }
+                : undefined,
+        })),
+    };
+}
+/** Obfuscate log push entries for WebSocket broadcast to unprivileged clients. */
+export function obfuscatePushEntries(entries) {
+    return entries.map((entry) => ({
+        ...entry,
+        message: obfuscateText(entry.message),
+        attachmentId: entry.attachmentId ? "no-access" : undefined,
+        attachmentFilename: entry.attachmentFilename
+            ? obfuscateFilename(entry.attachmentFilename)
+            : undefined,
+        attachmentFileSize: entry.attachmentId ? 0 : undefined,
+    }));
+}
+export async function getRunsData(userId, updatedSince, page = 1, count = 50) {
+    // Build the where clause
+    const where = {
+        user_id: userId,
+    };
+    // If updatedSince is provided, only fetch runs that were updated after that time
+    if (updatedSince) {
+        where.last_active = {
+            gt: updatedSince,
+        };
+    }
+    // Only get total count on initial fetch (when updatedSince is not set)
+    const total = updatedSince
+        ? undefined
+        : await hubDb.run_session.count({ where });
+    // Get paginated runs
+    const runSessions = await hubDb.run_session.findMany({
+        where,
+        orderBy: {
+            last_active: "desc",
+        },
+        skip: (page - 1) * count,
+        take: count,
+    });
+    // Map database records to our API format
+    const runs = runSessions.map((session) => {
+        return {
+            userId: session.user_id,
+            runId: session.run_id,
+            sessionId: session.session_id,
+            createdAt: session.created_at.toISOString(),
+            lastActive: session.last_active.toISOString(),
+            modelName: session.model_name,
+            latestLogId: session.latest_log_id,
+            totalLines: session.total_lines,
+            totalCost: session.total_cost,
+        };
+    });
+    return {
+        runs,
+        timestamp: new Date().toISOString(),
+        total,
+    };
+}
+export async function getContextLog(userId, runId, sessionId, logsAfter, logsBefore) {
+    const where = {
+        user_id: userId,
+        run_id: runId,
+        session_id: sessionId,
+    };
+    // Build ID range filter for incremental fetches / gap recovery
+    if (logsAfter !== undefined || logsBefore !== undefined) {
+        where.id = {};
+        if (logsAfter !== undefined)
+            where.id.gt = logsAfter;
+        if (logsBefore !== undefined)
+            where.id.lt = logsBefore;
+    }
+    const dbLogs = await hubDb.context_log.findMany({
+        where,
+        orderBy: { id: "desc" },
+        select: {
+            id: true,
+            role: true,
+            source: true,
+            type: true,
+            message: true,
+            created_at: true,
+            users: {
+                select: {
+                    username: true,
+                },
+            },
+            attachment: {
+                select: {
+                    public_id: true,
+                    filename: true,
+                    file_size: true,
+                },
+            },
+        },
+    });
+    const logs = dbLogs.map((log) => ({
+        id: log.id,
+        username: log.users.username,
+        role: log.role,
+        source: log.source,
+        type: log.type,
+        message: log.message,
+        createdAt: log.created_at.toISOString(),
+        ...(log.attachment && {
+            attachment: {
+                id: log.attachment.public_id,
+                filename: log.attachment.filename,
+                fileSize: log.attachment.file_size,
+            },
+        }),
+    }));
+    return {
+        logs,
+        timestamp: new Date().toISOString(),
+    };
+}
+//# sourceMappingURL=runsService.js.map

package/dist/services/userService.js

@@ -0,0 +1,147 @@
+import { assertUrlSafeKey } from "@naisys/common";
+import { hashToken } from "@naisys/common-node";
+import { getAgentApiKeyByUuid, rotateAgentApiKeyByUuid, } from "@naisys/hub-database";
+import { updateUserPassword } from "@naisys/supervisor-database";
+import bcrypt from "bcryptjs";
+import { randomBytes, randomUUID } from "crypto";
+import supervisorDb from "../database/supervisorDb.js";
+export { hashToken };
+const SALT_ROUNDS = 10;
+export async function getUserByUsername(username) {
+    return supervisorDb.user.findUnique({ where: { username } });
+}
+export async function getUserByUsernameWithPermissions(username) {
+    return supervisorDb.user.findUnique({
+        where: { username },
+        include: { permissions: true },
+    });
+}
+export async function getUserByUuid(uuid) {
+    return supervisorDb.user.findFirst({ where: { uuid } });
+}
+export async function createUserForAgent(username, uuid) {
+    assertUrlSafeKey(username, "Username");
+    return supervisorDb.user.create({
+        data: {
+            username,
+            uuid,
+            isAgent: true,
+        },
+        include: { permissions: true },
+    });
+}
+// --- User CRUD ---
+export async function listUsers(options) {
+    const { page, pageSize, search } = options;
+    const where = search ? { username: { contains: search } } : {};
+    const [items, total] = await Promise.all([
+        supervisorDb.user.findMany({
+            where,
+            include: { permissions: true },
+            orderBy: { createdAt: "desc" },
+            skip: (page - 1) * pageSize,
+            take: pageSize,
+        }),
+        supervisorDb.user.count({ where }),
+    ]);
+    return { items, total, pageSize };
+}
+export async function getUserById(id) {
+    return supervisorDb.user.findUnique({
+        where: { id },
+        include: { permissions: true },
+    });
+}
+export async function createUserWithPassword(data) {
+    assertUrlSafeKey(data.username, "Username");
+    const passwordHash = await bcrypt.hash(data.password, SALT_ROUNDS);
+    const uuid = randomUUID();
+    const user = await supervisorDb.user.create({
+        data: {
+            username: data.username,
+            uuid,
+            passwordHash,
+            isAgent: false,
+            apiKey: randomBytes(32).toString("hex"),
+        },
+        include: { permissions: true },
+    });
+    return user;
+}
+export async function updateUser(id, data) {
+    const updateData = {};
+    if (data.username !== undefined) {
+        assertUrlSafeKey(data.username, "Username");
+        updateData.username = data.username;
+    }
+    const updated = await supervisorDb.user.update({
+        where: { id },
+        data: updateData,
+        include: { permissions: true },
+    });
+    if (data.password !== undefined) {
+        const newHash = await bcrypt.hash(data.password, SALT_ROUNDS);
+        await updateUserPassword(updated.username, newHash);
+    }
+    return updated;
+}
+export async function deleteUser(id) {
+    return supervisorDb.user.delete({ where: { id } });
+}
+export async function grantPermission(userId, permission, grantedBy) {
+    return supervisorDb.userPermission.create({
+        data: { userId, permission, grantedBy },
+    });
+}
+export async function revokePermission(userId, permission) {
+    await supervisorDb.userPermission.deleteMany({
+        where: { userId, permission },
+    });
+}
+export async function getUserPermissions(userId) {
+    const perms = await supervisorDb.userPermission.findMany({
+        where: { userId },
+        select: { permission: true },
+    });
+    return perms.map((p) => p.permission);
+}
+export async function checkUserPermission(userId, permission) {
+    const perm = await supervisorDb.userPermission.findFirst({
+        where: { userId, permission },
+    });
+    return perm !== null;
+}
+export async function getUserApiKey(id) {
+    const user = await supervisorDb.user.findUnique({
+        where: { id },
+        select: { isAgent: true, uuid: true, apiKey: true },
+    });
+    if (!user)
+        return null;
+    if (user.isAgent) {
+        return getAgentApiKeyByUuid(user.uuid);
+    }
+    else {
+        return user.apiKey ?? null;
+    }
+}
+export async function rotateUserApiKey(id) {
+    const newKey = randomBytes(32).toString("hex");
+    const user = await supervisorDb.user.findUnique({
+        where: { id },
+        select: { isAgent: true, uuid: true },
+    });
+    if (!user)
+        throw new Error("User not found");
+    if (user.isAgent) {
+        await rotateAgentApiKeyByUuid(user.uuid, newKey);
+    }
+    else {
+        await supervisorDb.user.update({
+            where: { id },
+            data: { apiKey: newKey },
+        });
+    }
+    return newKey;
+}
+//# sourceMappingURL=userService.js.map

package/dist/services/variableService.js

@@ -0,0 +1,23 @@
+import { hubDb } from "../database/hubDb.js";
+export async function getVariables() {
+    return hubDb.variables.findMany({ orderBy: { key: "asc" } });
+}
+export async function saveVariable(key, value, exportToShell, userUuid) {
+    await hubDb.variables.upsert({
+        where: { key },
+        update: { value, export_to_shell: exportToShell, updated_by: userUuid },
+        create: {
+            key,
+            value,
+            export_to_shell: exportToShell,
+            created_by: userUuid,
+            updated_by: userUuid,
+        },
+    });
+    return { success: true, message: "Variable saved" };
+}
+export async function deleteVariable(key) {
+    await hubDb.variables.delete({ where: { key } });
+    return { success: true, message: "Variable deleted" };
+}
+//# sourceMappingURL=variableService.js.map

package/dist/supervisorServer.js

@@ -0,0 +1,221 @@
+import "dotenv/config";
+import "./schema-registry.js";
+import { expandNaisysFolder } from "@naisys/common-node";
+expandNaisysFolder();
+// Important to load dotenv before any other imports, to ensure environment variables are available
+import cookie from "@fastify/cookie";
+import cors from "@fastify/cors";
+import multipart from "@fastify/multipart";
+import { fastifyRateLimit as rateLimit } from "@fastify/rate-limit";
+import staticFiles from "@fastify/static";
+import swagger from "@fastify/swagger";
+import { commonErrorHandler, MAX_ATTACHMENT_SIZE, registerLenientJsonParser, registerSecurityHeaders, SUPER_ADMIN_USERNAME, } from "@naisys/common";
+import { createHubDatabaseClient } from "@naisys/hub-database";
+import { createSupervisorDatabaseClient, deploySupervisorMigrations, ensureSuperAdmin, handleResetPassword, } from "@naisys/supervisor-database";
+import { PermissionEnum } from "@naisys/supervisor-shared";
+import Fastify from "fastify";
+import { jsonSchemaTransform, jsonSchemaTransformObject, serializerCompiler, validatorCompiler, } from "fastify-type-provider-zod";
+import path from "path";
+import { fileURLToPath } from "url";
+import { registerApiReference } from "./api-reference.js";
+import { initHubDb } from "./database/hubDb.js";
+import { initSupervisorDb } from "./database/supervisorDb.js";
+import { initLogger } from "./logger.js";
+import apiRoutes from "./routes/api.js";
+import { refreshUserLookup } from "./services/agentService.js";
+import { initBrowserSocket } from "./services/browserSocketService.js";
+import { initHubConnection } from "./services/hubConnectionService.js";
+import { getUserByUsername } from "./services/userService.js";
+export const startServer = async (startupType, plugins = [], hubPort) => {
+    if (startupType === "hosted") {
+        process.env.NODE_ENV = "production";
+    }
+    const isProd = process.env.NODE_ENV === "production";
+    // Auto-migrate supervisor database
+    await deploySupervisorMigrations();
+    if (!(await createSupervisorDatabaseClient())) {
+        console.error("[Supervisor] Supervisor database not found. Cannot start without it.");
+        process.exit(1);
+    }
+    // Hub DB still needed for agent API key auth
+    await createHubDatabaseClient();
+    // Initialize local Prisma clients (after migrations so they don't lock the DB)
+    await initSupervisorDb();
+    await initHubDb();
+    // Populate in-memory user lookup for username ↔ id resolution
+    await refreshUserLookup();
+    const superAdminResult = await ensureSuperAdmin();
+    if (superAdminResult.created) {
+        console.log(`\n  ${SUPER_ADMIN_USERNAME} user created. Password: ${superAdminResult.generatedPassword}`);
+        console.log(`  Change it via the web UI or ns-admin-pw command\n`);
+    }
+    const __filename = fileURLToPath(import.meta.url);
+    const __dirname = path.dirname(__filename);
+    const fastify = Fastify({
+        logger: 
+        // Log to file in hosted mode
+        startupType === "hosted"
+            ? {
+                level: "info",
+                transport: {
+                    target: "pino/file",
+                    options: {
+                        destination: path.join(process.env.NAISYS_FOLDER || "", "logs", "supervisor.log"),
+                        mkdir: true,
+                    },
+                },
+            }
+            : // Log to console in standalone mode
+                {
+                    level: "info",
+                    transport: {
+                        target: "pino-pretty",
+                        options: {
+                            colorize: true,
+                        },
+                    },
+                },
+    }).withTypeProvider();
+    initLogger(fastify.log);
+    // Connect to hub via Socket.IO for agent management
+    const hubUrl = hubPort ? `https://localhost:${hubPort}` : process.env.HUB_URL;
+    if (hubUrl) {
+        initHubConnection(hubUrl);
+    }
+    // Set Zod validator and serializer compilers
+    fastify.setValidatorCompiler(validatorCompiler);
+    fastify.setSerializerCompiler(serializerCompiler);
+    registerLenientJsonParser(fastify);
+    fastify.setErrorHandler(commonErrorHandler);
+    await fastify.register(cors, {
+        origin: isProd ? false : ["http://localhost:3002"],
+    });
+    registerSecurityHeaders(fastify, { enforceHsts: isProd });
+    await fastify.register(cookie);
+    // Rate limiting
+    await fastify.register(rateLimit, {
+        max: 500,
+        timeWindow: "1 minute",
+        allowList: (request) => !request.url.startsWith("/api/"),
+    });
+    await fastify.register(multipart, {
+        limits: { fileSize: MAX_ATTACHMENT_SIZE },
+    });
+    // Register Swagger + Scalar
+    await fastify.register(swagger, {
+        openapi: {
+            info: {
+                title: "NAISYS Supervisor API",
+                description: "API documentation for NAISYS Supervisor server",
+                version: "1.0.0",
+            },
+            components: {
+                securitySchemes: {
+                    cookieAuth: {
+                        type: "apiKey",
+                        in: "cookie",
+                        name: "naisys_session",
+                    },
+                },
+            },
+        },
+        transform: jsonSchemaTransform,
+        transformObject: jsonSchemaTransformObject,
+    });
+    await registerApiReference(fastify);
+    fastify.get("/", { schema: { hide: true } }, async (_request, reply) => {
+        return reply.redirect("/supervisor/");
+    });
+    fastify.register(apiRoutes, { prefix: "/api/supervisor" });
+    // Public endpoint to expose client configuration (plugins, publicRead, etc.)
+    fastify.get("/api/supervisor/client-config", { schema: { hide: true } }, () => ({
+        plugins,
+        publicRead: process.env.PUBLIC_READ === "true",
+        permissions: PermissionEnum.options,
+    }));
+    // Conditionally load ERP plugin
+    if (plugins.includes("erp")) {
+        // Use variable to avoid compile-time type dependency on @naisys/erp (allows parallel builds)
+        const erpModule = "@naisys/erp";
+        const { erpPlugin, enableSupervisorAuth } = (await import(erpModule));
+        enableSupervisorAuth();
+        await fastify.register(erpPlugin);
+    }
+    if (isProd) {
+        const clientDistPath = path.join(__dirname, "../client-dist");
+        await fastify.register(staticFiles, {
+            root: clientDistPath,
+            prefix: "/supervisor/",
+        });
+        fastify.setNotFoundHandler((request, reply) => {
+            if (request.url.startsWith("/api/")) {
+                reply.code(404).send({ error: "API endpoint not found" });
+            }
+            else if (request.url.startsWith("/supervisor")) {
+                reply.sendFile("index.html");
+            }
+            else {
+                reply.sendFile("index.html");
+            }
+        });
+    }
+    try {
+        let port = Number(process.env.SUPERVISOR_PORT) || 3001;
+        const host = isProd ? "0.0.0.0" : "localhost";
+        const maxAttempts = 100;
+        let attempts = 0;
+        while (attempts < maxAttempts) {
+            try {
+                await fastify.listen({ port, host });
+                initBrowserSocket(fastify.server, isProd);
+                fastify.log.info(`[Supervisor] Running on http://${host}:${port}/supervisor`);
+                return port;
+            }
+            catch (err) {
+                if (err.code === "EADDRINUSE") {
+                    fastify.log.warn(`[Supervisor] Port ${port} is in use, trying port ${port + 1}...`);
+                    port++;
+                    attempts++;
+                    if (attempts >= maxAttempts) {
+                        throw new Error(`Unable to find available port after ${maxAttempts} attempts`);
+                    }
+                }
+                else {
+                    throw err;
+                }
+            }
+        }
+        // Unreachable — the loop either returns or throws
+        throw new Error("Unreachable");
+    }
+    catch (err) {
+        console.error("[Supervisor] Failed to start:", err);
+        fastify.log.error(err);
+        process.exit(1);
+    }
+};
+// Start server if this file is run directly
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+    if (process.argv.includes("--reset-password")) {
+        const usernameIdx = process.argv.indexOf("--username");
+        const passwordIdx = process.argv.indexOf("--password");
+        const username = usernameIdx !== -1 ? process.argv[usernameIdx + 1] : undefined;
+        const password = passwordIdx !== -1 ? process.argv[passwordIdx + 1] : undefined;
+        await initSupervisorDb();
+        void handleResetPassword({
+            findLocalUser: async (username) => {
+                const user = await getUserByUsername(username);
+                return user
+                    ? { id: user.id, username: user.username, uuid: user.uuid }
+                    : null;
+            },
+            updateLocalPassword: async () => { },
+            username,
+            password,
+        });
+    }
+    else {
+        void startServer("standalone");
+    }
+}
+//# sourceMappingURL=supervisorServer.js.map