@naisys/supervisor 3.0.0-beta.6

package/dist/auth-middleware.js

@@ -0,0 +1,116 @@
+import { AuthCache } from "@naisys/common";
+import { extractBearerToken, hashToken, SESSION_COOKIE_NAME, } from "@naisys/common-node";
+import { findAgentByApiKey } from "@naisys/hub-database";
+import { findSession, findUserByApiKey } from "@naisys/supervisor-database";
+import { createUserForAgent, getUserByUuid, getUserPermissions, } from "./services/userService.js";
+const PUBLIC_PREFIXES = ["/api/supervisor/auth/login"];
+export const authCache = new AuthCache();
+function isPublicRoute(url) {
+    if (url === "/api/supervisor/" || url === "/api/supervisor")
+        return true;
+    for (const prefix of PUBLIC_PREFIXES) {
+        if (url.startsWith(prefix))
+            return true;
+    }
+    // Non-supervisor-API paths (static files, ERP routes, etc.)
+    if (!url.startsWith("/api/supervisor"))
+        return true;
+    return false;
+}
+async function buildSupervisorUser(id, username, uuid) {
+    const permissions = await getUserPermissions(id);
+    return { id, username, uuid, permissions };
+}
+export async function resolveUserFromToken(token) {
+    const tokenHash = hashToken(token);
+    const cacheKey = `cookie:${tokenHash}`;
+    const cached = authCache.get(cacheKey);
+    if (cached !== undefined)
+        return cached;
+    const session = await findSession(tokenHash);
+    if (!session) {
+        authCache.set(cacheKey, null);
+        return null;
+    }
+    const user = await buildSupervisorUser(session.userId, session.username, session.uuid);
+    authCache.set(cacheKey, user);
+    return user;
+}
+export async function resolveUserFromApiKey(apiKey) {
+    const apiKeyHash = hashToken(apiKey);
+    const cacheKey = `apikey:${apiKeyHash}`;
+    const cached = authCache.get(cacheKey);
+    if (cached !== undefined)
+        return cached;
+    // Try supervisor DB first (human users), then hub DB (agents)
+    const match = (await findUserByApiKey(apiKey)) ?? (await findAgentByApiKey(apiKey));
+    if (!match) {
+        authCache.set(cacheKey, null);
+        return null;
+    }
+    let localUser = await getUserByUuid(match.uuid);
+    if (!localUser) {
+        localUser = await createUserForAgent(match.username, match.uuid);
+    }
+    const user = await buildSupervisorUser(localUser.id, localUser.username, localUser.uuid);
+    authCache.set(cacheKey, user);
+    return user;
+}
+export function registerAuthMiddleware(fastify) {
+    const publicRead = process.env.PUBLIC_READ === "true";
+    fastify.decorateRequest("supervisorUser", undefined);
+    fastify.addHook("onRequest", async (request, reply) => {
+        const token = request.cookies?.[SESSION_COOKIE_NAME];
+        if (token) {
+            const user = await resolveUserFromToken(token);
+            if (user)
+                request.supervisorUser = user;
+        }
+        // API key auth (for agents / machine-to-machine)
+        if (!request.supervisorUser) {
+            const apiKey = extractBearerToken(request.headers.authorization);
+            if (apiKey) {
+                const user = await resolveUserFromApiKey(apiKey);
+                if (user)
+                    request.supervisorUser = user;
+            }
+        }
+        if (request.supervisorUser)
+            return; // Authenticated
+        if (isPublicRoute(request.url))
+            return; // Public route
+        if (publicRead && request.method === "GET")
+            return; // Public read mode
+        reply.status(401).send({
+            statusCode: 401,
+            error: "Unauthorized",
+            message: "Authentication required",
+        });
+    });
+}
+export function hasPermission(user, permission) {
+    return ((user?.permissions.includes(permission) ||
+        user?.permissions.includes("supervisor_admin")) ??
+        false);
+}
+export function requirePermission(permission) {
+    return async (request, reply) => {
+        if (!request.supervisorUser) {
+            reply.status(401).send({
+                statusCode: 401,
+                error: "Unauthorized",
+                message: "Authentication required",
+            });
+            return;
+        }
+        if (!hasPermission(request.supervisorUser, permission)) {
+            reply.status(403).send({
+                statusCode: 403,
+                error: "Forbidden",
+                message: `Permission '${permission}' required`,
+            });
+            return;
+        }
+    };
+}
+//# sourceMappingURL=auth-middleware.js.map

package/dist/database/hubDb.js

@@ -0,0 +1,26 @@
+import { createPrismaClient } from "@naisys/hub-database";
+import path from "path";
+import { env } from "process";
+export function getNaisysDatabasePath() {
+    if (!env.NAISYS_FOLDER) {
+        throw new Error("NAISYS_FOLDER environment variable is not set.");
+    }
+    const dbFilename = "naisys_hub.db";
+    return path.join(env.NAISYS_FOLDER, "database", dbFilename);
+}
+let _db;
+/** Lazily initialized Prisma client. First access creates the connection. */
+export const hubDb = new Proxy({}, {
+    get(_target, prop, receiver) {
+        if (!_db) {
+            throw new Error("hubDb accessed before initialization. Ensure migrations have completed first.");
+        }
+        return Reflect.get(_db, prop, receiver);
+    },
+});
+export async function initHubDb() {
+    if (!_db) {
+        _db = await createPrismaClient(getNaisysDatabasePath());
+    }
+}
+//# sourceMappingURL=hubDb.js.map

package/dist/database/supervisorDb.js

@@ -0,0 +1,18 @@
+import { createPrismaClient, supervisorDbPath, } from "@naisys/supervisor-database";
+let _db;
+/** Lazily initialized Prisma client. First access creates the connection. */
+const supervisorDb = new Proxy({}, {
+    get(_target, prop, receiver) {
+        if (!_db) {
+            throw new Error("supervisorDb accessed before initialization. Ensure migrations have completed first.");
+        }
+        return Reflect.get(_db, prop, receiver);
+    },
+});
+export async function initSupervisorDb() {
+    if (!_db) {
+        _db = await createPrismaClient(supervisorDbPath());
+    }
+}
+export default supervisorDb;
+//# sourceMappingURL=supervisorDb.js.map

package/dist/error-helpers.js

@@ -0,0 +1,13 @@
+export function notFound(reply, message) {
+    reply.status(404);
+    return { success: false, message };
+}
+export function badRequest(reply, message) {
+    reply.status(400);
+    return { success: false, message };
+}
+export function conflict(reply, message) {
+    reply.status(409);
+    return { success: false, message };
+}
+//# sourceMappingURL=error-helpers.js.map

package/dist/hateoas.js

@@ -0,0 +1,61 @@
+export const API_PREFIX = "/api/supervisor";
+export function selfLink(path, title) {
+    return { rel: "self", href: `${API_PREFIX}${path}`, title };
+}
+export function collectionLink(resource) {
+    return {
+        rel: "collection",
+        href: `${API_PREFIX}/${resource}`,
+        title: resource,
+    };
+}
+export function schemaLink(schemaName) {
+    return {
+        rel: "schema",
+        href: `${API_PREFIX}/schemas/${schemaName}`,
+    };
+}
+function buildQuery(page, pageSize, filters) {
+    const params = new URLSearchParams();
+    params.set("page", String(page));
+    params.set("pageSize", String(pageSize));
+    if (filters) {
+        for (const [key, value] of Object.entries(filters)) {
+            if (value !== undefined)
+                params.set(key, value);
+        }
+    }
+    return params.toString();
+}
+export function paginationLinks(basePath, page, pageSize, total, filters) {
+    const fullPath = `${API_PREFIX}/${basePath}`;
+    const totalPages = Math.ceil(total / pageSize);
+    const links = [
+        {
+            rel: "self",
+            href: `${fullPath}?${buildQuery(page, pageSize, filters)}`,
+        },
+        {
+            rel: "first",
+            href: `${fullPath}?${buildQuery(1, pageSize, filters)}`,
+        },
+        {
+            rel: "last",
+            href: `${fullPath}?${buildQuery(Math.max(1, totalPages), pageSize, filters)}`,
+        },
+    ];
+    if (page > 1) {
+        links.push({
+            rel: "prev",
+            href: `${fullPath}?${buildQuery(page - 1, pageSize, filters)}`,
+        });
+    }
+    if (page < totalPages) {
+        links.push({
+            rel: "next",
+            href: `${fullPath}?${buildQuery(page + 1, pageSize, filters)}`,
+        });
+    }
+    return links;
+}
+//# sourceMappingURL=hateoas.js.map

package/dist/logger.js

@@ -0,0 +1,11 @@
+let _logger;
+export function initLogger(logger) {
+    _logger = logger;
+}
+export function getLogger() {
+    if (!_logger) {
+        throw new Error("Logger not initialized. Call initLogger() first.");
+    }
+    return _logger;
+}
+//# sourceMappingURL=logger.js.map

package/dist/route-helpers.js

@@ -0,0 +1,7 @@
+import { permGate, resolveActions as resolveActionsBase, } from "@naisys/common";
+import { hasPermission } from "./auth-middleware.js";
+export { permGate };
+export function resolveActions(defs, baseHref, ctx) {
+    return resolveActionsBase(defs, baseHref, ctx, (perm) => hasPermission(ctx.user, perm));
+}
+//# sourceMappingURL=route-helpers.js.map

package/dist/routes/admin.js

@@ -0,0 +1,209 @@
+import fs from "node:fs/promises";
+import { supervisorDbPath } from "@naisys/supervisor-database";
+import { AdminAttachmentListRequestSchema, AdminAttachmentListResponseSchema, AdminInfoResponseSchema, ErrorResponseSchema, RotateAccessKeyResultSchema, ServerLogRequestSchema, ServerLogResponseSchema, } from "@naisys/supervisor-shared";
+import archiver from "archiver";
+import { hasPermission, requirePermission } from "../auth-middleware.js";
+import { getNaisysDatabasePath, hubDb } from "../database/hubDb.js";
+import { API_PREFIX, paginationLinks } from "../hateoas.js";
+import { buildExportFiles, } from "../services/configExportService.js";
+import { getHubAccessKey, isHubConnected, sendRotateAccessKey, } from "../services/hubConnectionService.js";
+import { getLogFilePath, tailLogFile } from "../services/logFileService.js";
+function adminActions(hasAdminPermission) {
+    const actions = [];
+    if (hasAdminPermission) {
+        actions.push({
+            rel: "export-config",
+            href: `${API_PREFIX}/admin/export-config`,
+            method: "GET",
+            title: "Export Config",
+        }, {
+            rel: "view-logs",
+            href: `${API_PREFIX}/admin/logs`,
+            method: "GET",
+            title: "View Logs",
+        }, {
+            rel: "view-attachments",
+            href: `${API_PREFIX}/admin/attachments`,
+            method: "GET",
+            title: "View Attachments",
+        });
+        if (getHubAccessKey()) {
+            actions.push({
+                rel: "rotate-access-key",
+                href: `${API_PREFIX}/admin/rotate-access-key`,
+                method: "POST",
+                title: "Rotate Hub Access Key",
+            });
+        }
+    }
+    return actions;
+}
+export default function adminRoutes(fastify, _options) {
+    // GET / — Admin info
+    fastify.get("/", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "Get admin system info",
+            tags: ["Admin"],
+            response: {
+                200: AdminInfoResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const hasAdminPermission = hasPermission(request.supervisorUser, "supervisor_admin");
+        const actions = adminActions(hasAdminPermission);
+        const [supervisorDbSize, hubDbSize] = await Promise.all([
+            fs
+                .stat(supervisorDbPath())
+                .then((s) => s.size)
+                .catch(() => undefined),
+            fs
+                .stat(getNaisysDatabasePath())
+                .then((s) => s.size)
+                .catch(() => undefined),
+        ]);
+        return {
+            supervisorDbPath: supervisorDbPath(),
+            supervisorDbSize,
+            hubDbPath: getNaisysDatabasePath(),
+            hubDbSize,
+            hubConnected: isHubConnected(),
+            hubAccessKey: getHubAccessKey(),
+            _actions: actions.length > 0 ? actions : undefined,
+        };
+    });
+    // GET /export-config — Download config zip
+    fastify.get("/export-config", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "Export configuration as a zip file",
+            tags: ["Admin"],
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (_request, reply) => {
+        const users = (await hubDb.users.findMany({
+            select: {
+                id: true,
+                username: true,
+                title: true,
+                config: true,
+                lead_user_id: true,
+                archived: true,
+            },
+        }));
+        const variables = await hubDb.variables.findMany({
+            select: { key: true, value: true },
+            orderBy: { key: "asc" },
+        });
+        const modelRows = (await hubDb.models.findMany());
+        const exportFiles = buildExportFiles(users, variables, modelRows);
+        reply.header("Content-Disposition", 'attachment; filename="naisys-config.zip"');
+        reply.type("application/zip");
+        const archive = archiver("zip", { zlib: { level: 9 } });
+        archive.on("error", (err) => {
+            reply.log.error(err, "Archiver error");
+        });
+        for (const file of exportFiles) {
+            archive.append(file.content, { name: file.path });
+        }
+        await archive.finalize();
+        return reply.send(archive);
+    });
+    // POST /rotate-access-key — Rotate hub access key
+    fastify.post("/rotate-access-key", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "Rotate the hub access key",
+            tags: ["Admin"],
+            response: {
+                200: RotateAccessKeyResultSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (_request, reply) => {
+        try {
+            const result = await sendRotateAccessKey();
+            return result;
+        }
+        catch (error) {
+            reply.log.error(error, "Error in POST /admin/rotate-access-key route");
+            return reply.status(500).send({
+                success: false,
+                message: error instanceof Error
+                    ? error.message
+                    : "Failed to rotate access key",
+            });
+        }
+    });
+    // GET /logs — Tail server log files
+    fastify.get("/logs", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "Get tail of a server log file",
+            tags: ["Admin"],
+            querystring: ServerLogRequestSchema,
+            response: {
+                200: ServerLogResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const { file, lines, minLevel } = request.query;
+        const cappedLines = Math.min(lines, 1000);
+        const filePath = getLogFilePath(file);
+        const { entries, fileSize } = await tailLogFile(filePath, cappedLines, minLevel);
+        return {
+            entries,
+            fileName: `${file}.log`,
+            fileSize,
+        };
+    });
+    // GET /attachments — List all attachments
+    fastify.get("/attachments", {
+        preHandler: [requirePermission("supervisor_admin")],
+        schema: {
+            description: "List all uploaded attachments",
+            tags: ["Admin"],
+            querystring: AdminAttachmentListRequestSchema,
+            response: {
+                200: AdminAttachmentListResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const { page, pageSize } = request.query;
+        const skip = (page - 1) * pageSize;
+        const [rows, total] = await Promise.all([
+            hubDb.attachments.findMany({
+                orderBy: { created_at: "desc" },
+                include: {
+                    uploader: { select: { username: true } },
+                },
+                skip,
+                take: pageSize,
+            }),
+            hubDb.attachments.count(),
+        ]);
+        return {
+            attachments: rows.map((r) => ({
+                id: r.public_id,
+                filename: r.filename,
+                fileSize: r.file_size,
+                fileHash: r.file_hash,
+                purpose: r.purpose,
+                uploadedBy: r.uploader.username,
+                createdAt: r.created_at.toISOString(),
+            })),
+            total,
+            page,
+            pageSize,
+            _links: paginationLinks("admin/attachments", page, pageSize, total),
+        };
+    });
+}
+//# sourceMappingURL=admin.js.map

package/dist/routes/agentChat.js

@@ -0,0 +1,194 @@
+import { AgentUsernameParamsSchema, ArchiveChatResponseSchema, ChatConversationsRequestSchema, ChatConversationsResponseSchema, ChatMessagesRequestSchema, ChatMessagesResponseSchema, ErrorResponseSchema, SendChatRequestSchema, SendChatResponseSchema, } from "@naisys/supervisor-shared";
+import { hasPermission, requirePermission } from "../auth-middleware.js";
+import { badRequest, notFound } from "../error-helpers.js";
+import { API_PREFIX } from "../hateoas.js";
+import { resolveAgentId } from "../services/agentService.js";
+import { uploadToHub } from "../services/attachmentProxyService.js";
+import { archiveAllChatMessages, getConversations, getMessages, sendChatMessage, } from "../services/chatService.js";
+function sendChatAction(username) {
+    return {
+        rel: "send",
+        href: `${API_PREFIX}/agents/${username}/chat`,
+        method: "POST",
+        title: "Send Chat Message",
+        schema: `${API_PREFIX}/schemas/SendChat`,
+        body: { fromId: 0, toIds: [0], message: "" },
+        alternateEncoding: {
+            contentType: "multipart/form-data",
+            description: "Send as multipart to include file attachments",
+            fileFields: ["attachments"],
+        },
+    };
+}
+function archiveChatAction(username) {
+    return {
+        rel: "archive",
+        href: `${API_PREFIX}/agents/${username}/chat/archive`,
+        method: "POST",
+        title: "Archive All Chat Messages",
+    };
+}
+export default function agentChatRoutes(fastify, _options) {
+    // GET /:username/chat — List conversations for agent
+    fastify.get("/:username/chat", {
+        schema: {
+            description: "Get chat conversations for a specific agent",
+            tags: ["Chat"],
+            params: AgentUsernameParamsSchema,
+            querystring: ChatConversationsRequestSchema,
+            response: {
+                200: ChatConversationsResponseSchema,
+                500: ErrorResponseSchema,
+            },
+        },
+    }, async (request, reply) => {
+        const { username } = request.params;
+        const { page, count } = request.query;
+        const id = resolveAgentId(username);
+        if (!id) {
+            return notFound(reply, `Agent '${username}' not found`);
+        }
+        const { conversations, total } = await getConversations(id, page, count);
+        const canSend = hasPermission(request.supervisorUser, "agent_communication");
+        return {
+            success: true,
+            conversations,
+            total,
+            _actions: canSend
+                ? [sendChatAction(username), archiveChatAction(username)]
+                : undefined,
+        };
+    });
+    // GET /:username/chat/:participants — Messages in a conversation
+    fastify.get("/:username/chat/:participants", {
+        schema: {
+            description: "Get chat messages for a specific conversation",
+            tags: ["Chat"],
+            querystring: ChatMessagesRequestSchema,
+            response: {
+                200: ChatMessagesResponseSchema,
+                500: ErrorResponseSchema,
+            },
+        },
+    }, async (request, _reply) => {
+        const { username, participants } = request.params;
+        const { updatedSince, page, count } = request.query;
+        const data = await getMessages(participants, updatedSince, page, count);
+        const canSend = hasPermission(request.supervisorUser, "agent_communication");
+        return {
+            success: true,
+            messages: data.messages,
+            total: data.total,
+            timestamp: data.timestamp,
+            _actions: canSend ? [sendChatAction(username)] : undefined,
+        };
+    });
+    // POST /:username/chat/archive — Archive all chat messages
+    fastify.post("/:username/chat/archive", {
+        preHandler: [requirePermission("agent_communication")],
+        schema: {
+            description: "Archive all chat messages for an agent",
+            tags: ["Chat"],
+            params: AgentUsernameParamsSchema,
+            response: {
+                200: ArchiveChatResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        const { username } = request.params;
+        const id = resolveAgentId(username);
+        if (!id) {
+            return notFound(reply, `Agent '${username}' not found`);
+        }
+        const archivedCount = await archiveAllChatMessages(id);
+        return { success: true, archivedCount };
+    });
+    // POST /:username/chat — Send chat message
+    fastify.post("/:username/chat", {
+        preHandler: [requirePermission("agent_communication")],
+        schema: {
+            description: "Send a chat message as an agent with optional attachments. Supports JSON and multipart/form-data",
+            tags: ["Chat"],
+            params: AgentUsernameParamsSchema,
+            // No body schema — multipart requests are parsed manually via request.parts()
+            response: {
+                200: SendChatResponseSchema,
+                400: ErrorResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, reply) => {
+        const contentType = request.headers["content-type"];
+        let fromId = 0, toIds = [], message = "";
+        let attachmentBuffers = [];
+        if (contentType?.includes("multipart/form-data")) {
+            const parts = request.parts();
+            for await (const part of parts) {
+                if (part.type === "field") {
+                    const field = part;
+                    switch (field.fieldname) {
+                        case "fromId":
+                            fromId = Number(field.value);
+                            break;
+                        case "toIds":
+                            try {
+                                toIds = JSON.parse(field.value);
+                            }
+                            catch {
+                                return badRequest(reply, "toIds must be valid JSON array");
+                            }
+                            break;
+                        case "message":
+                            message = field.value;
+                            break;
+                    }
+                }
+                else if (part.type === "file") {
+                    const file = part;
+                    if (file.fieldname === "attachments") {
+                        const buffer = await file.toBuffer();
+                        attachmentBuffers.push({
+                            filename: file.filename || "unnamed_file",
+                            data: buffer,
+                        });
+                    }
+                }
+            }
+        }
+        else {
+            const body = request.body;
+            fromId = body.fromId;
+            toIds = body.toIds;
+            message = body.message;
+        }
+        const parsed = SendChatRequestSchema.safeParse({
+            fromId,
+            toIds,
+            message,
+        });
+        if (!parsed.success) {
+            return badRequest(reply, parsed.error.message);
+        }
+        ({ fromId, toIds, message } = parsed.data);
+        // Upload attachments to hub and collect IDs
+        let attachmentIds;
+        if (attachmentBuffers.length > 0) {
+            attachmentIds = [];
+            for (const att of attachmentBuffers) {
+                const id = await uploadToHub(att.data, att.filename, fromId, "mail");
+                attachmentIds.push(id);
+            }
+        }
+        const result = await sendChatMessage(fromId, toIds, message, attachmentIds);
+        if (result.success) {
+            return reply.code(200).send(result);
+        }
+        else {
+            return reply.code(500).send(result);
+        }
+    });
+}
+//# sourceMappingURL=agentChat.js.map