npm - @nordbyte/nordrelay - Versions diffs - 0.4.0 → 0.5.0 - Mend

@nordbyte/nordrelay 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/.env.example +155 -64
package/README.md +80 -58
package/dist/access-control.js +126 -114
package/dist/agent-feature-matrix.js +42 -0
package/dist/agent-updates.js +312 -0
package/dist/bot-rendering.js +838 -0
package/dist/bot.js +130 -1371
package/dist/channel-actions.js +372 -0
package/dist/channel-runtime.js +89 -0
package/dist/config-metadata.js +238 -0
package/dist/config.js +0 -58
package/dist/index.js +8 -0
package/dist/operations.js +33 -8
package/dist/relay-runtime.js +159 -31
package/dist/session-format.js +72 -3
package/dist/settings-service.js +2 -117
package/dist/telegram-access-commands.js +123 -0
package/dist/telegram-access-middleware.js +129 -0
package/dist/telegram-channel-runtime.js +132 -0
package/dist/telegram-command-menu.js +54 -0
package/dist/telegram-output.js +216 -0
package/dist/telegram-update-commands.js +88 -0
package/dist/user-management.js +708 -0
package/dist/web-api-contract.js +56 -0
package/dist/web-dashboard-assets.js +33 -0
package/dist/web-dashboard-ui.js +14 -14
package/dist/web-dashboard.js +649 -369
package/dist/webui-assets/dashboard.css +919 -0
package/dist/webui-assets/dashboard.js +1611 -0
package/package.json +6 -3
package/plugins/nordrelay/.codex-plugin/plugin.json +1 -1
package/plugins/nordrelay/commands/remote.md +1 -1
package/plugins/nordrelay/scripts/nordrelay.mjs +283 -87
package/plugins/nordrelay/skills/telegram-remote/SKILL.md +1 -1

package/dist/user-management.js ADDED Viewed

@@ -0,0 +1,708 @@
+import { createHash, randomBytes, randomUUID, scryptSync, timingSafeEqual } from "node:crypto";
+import { closeSync, mkdirSync, openSync, rmSync, statSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { ADMIN_GROUP_ID, BUILTIN_GROUPS, READONLY_GROUP_ID, USER_GROUP_ID, isPermission, } from "./access-control.js";
+import { readJsonFileWithBackup, writeJsonFileAtomic } from "./persistence.js";
+const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+const LINK_CODE_TTL_MS = 15 * 60 * 1000;
+const PASSWORD_KEYLEN = 64;
+const WRITE_LOCK_TIMEOUT_MS = 5_000;
+const STALE_LOCK_MS = 30_000;
+export class UserStore {
+    filePath;
+    constructor(home = process.env.NORDRELAY_HOME || path.join(os.homedir(), ".nordrelay")) {
+        this.filePath = path.join(home, "users.json");
+    }
+    hasAdminUser() {
+        const payload = this.readPayload();
+        return payload.users.some((user) => user.active && this.groupIdsForUser(payload, user.id).includes(ADMIN_GROUP_ID));
+    }
+    snapshot() {
+        const payload = this.readPayload();
+        return {
+            users: payload.users.map((user) => ({
+                ...user,
+                groups: this.groupsForUser(payload, user.id),
+                telegramIdentities: payload.telegramIdentities.filter((identity) => identity.userId === user.id),
+                webSessions: payload.webSessions
+                    .filter((session) => session.userId === user.id)
+                    .map(publicWebSession),
+            })),
+            groups: payload.groups,
+            telegramChats: payload.telegramChats,
+            adminConfigured: payload.users.some((user) => user.active && this.groupIdsForUser(payload, user.id).includes(ADMIN_GROUP_ID)),
+        };
+    }
+    listGroups() {
+        return this.readPayload().groups;
+    }
+    listWebSessions(userId) {
+        const payload = this.readPayload();
+        return payload.webSessions
+            .filter((session) => !userId || session.userId === userId)
+            .map(publicWebSession);
+    }
+    getUser(id) {
+        const payload = this.readPayload();
+        const user = payload.users.find((candidate) => candidate.id === id);
+        return user ? this.authenticatedUser(payload, user) : null;
+    }
+    getUserByEmail(email) {
+        const payload = this.readPayload();
+        const normalized = normalizeEmail(email);
+        const user = payload.users.find((candidate) => candidate.email === normalized);
+        return user ? this.authenticatedUser(payload, user) : null;
+    }
+    createUser(input) {
+        return this.mutatePayload((payload) => {
+            const email = normalizeEmail(input.email);
+            if (!email) {
+                throw new Error("Email is required.");
+            }
+            if (payload.users.some((user) => user.email === email)) {
+                throw new Error(`User already exists: ${email}`);
+            }
+            const now = new Date().toISOString();
+            const password = hashPassword(input.password);
+            const user = {
+                id: randomId(),
+                email,
+                displayName: input.displayName.trim() || email,
+                passwordHash: password.hash,
+                passwordSalt: password.salt,
+                active: input.active ?? true,
+                createdAt: now,
+                updatedAt: now,
+            };
+            const groupIds = normalizeGroupIds(payload, input.groupIds?.length ? input.groupIds : [USER_GROUP_ID]);
+            payload.users.push(user);
+            payload.userGroups.push(...groupIds.map((groupId) => ({ userId: user.id, groupId })));
+            if (input.telegramUserId !== undefined) {
+                this.upsertTelegramIdentityInPayload(payload, user.id, {
+                    telegramUserId: input.telegramUserId,
+                });
+            }
+            return this.authenticatedUser(payload, user);
+        });
+    }
+    createAdmin(input) {
+        return this.createUser({
+            ...input,
+            groupIds: [ADMIN_GROUP_ID],
+            active: true,
+        });
+    }
+    updateUser(id, patch) {
+        return this.mutatePayload((payload) => {
+            const user = payload.users.find((candidate) => candidate.id === id);
+            if (!user) {
+                throw new Error("User not found.");
+            }
+            const shouldRevokeSessions = patch.active === false || patch.groupIds !== undefined;
+            if (patch.email !== undefined) {
+                const email = normalizeEmail(patch.email);
+                if (!email) {
+                    throw new Error("Email is required.");
+                }
+                if (payload.users.some((candidate) => candidate.id !== id && candidate.email === email)) {
+                    throw new Error(`User already exists: ${email}`);
+                }
+                user.email = email;
+            }
+            if (patch.displayName !== undefined) {
+                user.displayName = patch.displayName.trim() || user.email;
+            }
+            if (patch.active !== undefined) {
+                user.active = patch.active;
+            }
+            if (patch.groupIds !== undefined) {
+                const groupIds = normalizeGroupIds(payload, patch.groupIds);
+                payload.userGroups = payload.userGroups.filter((item) => item.userId !== id);
+                payload.userGroups.push(...groupIds.map((groupId) => ({ userId: id, groupId })));
+            }
+            assertActiveAdminExists(payload);
+            if (shouldRevokeSessions) {
+                this.revokeUserSessionsInPayload(payload, id);
+            }
+            user.updatedAt = new Date().toISOString();
+            return this.authenticatedUser(payload, user);
+        });
+    }
+    setPassword(id, password) {
+        this.mutatePayload((payload) => {
+            const user = payload.users.find((candidate) => candidate.id === id);
+            if (!user) {
+                throw new Error("User not found.");
+            }
+            const next = hashPassword(password);
+            user.passwordHash = next.hash;
+            user.passwordSalt = next.salt;
+            user.updatedAt = new Date().toISOString();
+            this.revokeUserSessionsInPayload(payload, id);
+        });
+    }
+    verifyPassword(email, password) {
+        return this.mutatePayload((payload) => {
+            const user = payload.users.find((candidate) => candidate.email === normalizeEmail(email));
+            if (!user || !user.active || !verifyPasswordHash(password, user.passwordSalt, user.passwordHash)) {
+                return null;
+            }
+            user.lastLoginAt = new Date().toISOString();
+            user.updatedAt = user.lastLoginAt;
+            return this.authenticatedUser(payload, user);
+        });
+    }
+    createWebSession(userId) {
+        return this.mutatePayload((payload) => {
+            const user = payload.users.find((candidate) => candidate.id === userId && candidate.active);
+            if (!user) {
+                throw new Error("Active user not found.");
+            }
+            const token = randomBytes(32).toString("hex");
+            const now = new Date();
+            const session = {
+                id: randomId(),
+                userId,
+                tokenHash: hashToken(token),
+                createdAt: now.toISOString(),
+                expiresAt: new Date(now.getTime() + SESSION_TTL_MS).toISOString(),
+                lastSeenAt: now.toISOString(),
+            };
+            payload.webSessions.push(session);
+            this.pruneExpiredSessionsInPayload(payload);
+            return { token, session };
+        });
+    }
+    resolveWebSession(token) {
+        if (!token) {
+            return null;
+        }
+        return this.mutatePayload((payload) => {
+            this.pruneExpiredSessionsInPayload(payload);
+            const tokenHash = hashToken(token);
+            const session = payload.webSessions.find((candidate) => constantTimeStringEqual(candidate.tokenHash, tokenHash));
+            if (!session) {
+                return null;
+            }
+            const user = payload.users.find((candidate) => candidate.id === session.userId && candidate.active);
+            if (!user) {
+                payload.webSessions = payload.webSessions.filter((candidate) => candidate.id !== session.id);
+                return null;
+            }
+            session.lastSeenAt = new Date().toISOString();
+            return this.authenticatedUser(payload, user);
+        });
+    }
+    destroyWebSession(token) {
+        if (!token) {
+            return;
+        }
+        this.mutatePayload((payload) => {
+            const tokenHash = hashToken(token);
+            payload.webSessions = payload.webSessions.filter((session) => !constantTimeStringEqual(session.tokenHash, tokenHash));
+        });
+    }
+    revokeWebSession(sessionId) {
+        return this.mutatePayload((payload) => {
+            const before = payload.webSessions.length;
+            payload.webSessions = payload.webSessions.filter((session) => session.id !== sessionId);
+            return payload.webSessions.length !== before;
+        });
+    }
+    revokeUserSessions(userId) {
+        return this.mutatePayload((payload) => {
+            const before = payload.webSessions.length;
+            this.revokeUserSessionsInPayload(payload, userId);
+            return before - payload.webSessions.length;
+        });
+    }
+    resolveTelegramUser(telegramUserId) {
+        if (telegramUserId === undefined) {
+            return null;
+        }
+        const payload = this.readPayload();
+        const identity = payload.telegramIdentities.find((candidate) => candidate.telegramUserId === telegramUserId && candidate.active);
+        if (!identity) {
+            return null;
+        }
+        const user = payload.users.find((candidate) => candidate.id === identity.userId && candidate.active);
+        return user ? this.authenticatedUser(payload, user) : null;
+    }
+    linkTelegramUser(userId, input) {
+        return this.mutatePayload((payload) => {
+            const user = payload.users.find((candidate) => candidate.id === userId);
+            if (!user) {
+                throw new Error("User not found.");
+            }
+            return this.upsertTelegramIdentityInPayload(payload, userId, input);
+        });
+    }
+    unlinkTelegramIdentity(identityId) {
+        return this.mutatePayload((payload) => {
+            const before = payload.telegramIdentities.length;
+            payload.telegramIdentities = payload.telegramIdentities.filter((identity) => identity.id !== identityId);
+            return payload.telegramIdentities.length !== before;
+        });
+    }
+    createTelegramLinkCode(userId) {
+        return this.mutatePayload((payload) => {
+            if (!payload.users.some((user) => user.id === userId && user.active)) {
+                throw new Error("Active user not found.");
+            }
+            const now = Date.now();
+            payload.telegramLinkCodes = payload.telegramLinkCodes.filter((code) => new Date(code.expiresAt).getTime() > now);
+            const code = {
+                code: randomLinkCode(),
+                userId,
+                createdAt: new Date(now).toISOString(),
+                expiresAt: new Date(now + LINK_CODE_TTL_MS).toISOString(),
+            };
+            payload.telegramLinkCodes.push(code);
+            return code;
+        });
+    }
+    consumeTelegramLinkCode(code, input) {
+        return this.mutatePayload((payload) => {
+            const normalized = code.trim().toUpperCase();
+            const now = Date.now();
+            const link = payload.telegramLinkCodes.find((candidate) => candidate.code === normalized && new Date(candidate.expiresAt).getTime() > now);
+            if (!link) {
+                throw new Error("Invalid or expired link code.");
+            }
+            const user = payload.users.find((candidate) => candidate.id === link.userId && candidate.active);
+            if (!user) {
+                throw new Error("Linked user is not active.");
+            }
+            this.upsertTelegramIdentityInPayload(payload, user.id, input);
+            payload.telegramLinkCodes = payload.telegramLinkCodes.filter((candidate) => candidate.code !== normalized);
+            return this.authenticatedUser(payload, user);
+        });
+    }
+    registerTelegramChat(input) {
+        return this.mutatePayload((payload) => {
+            const now = new Date().toISOString();
+            const existing = payload.telegramChats.find((chat) => chat.chatId === input.chatId);
+            const allowedGroupIds = normalizeGroupIds(payload, input.allowedGroupIds ?? [], null);
+            if (existing) {
+                existing.title = input.title ?? existing.title;
+                existing.type = input.type ?? existing.type;
+                existing.enabled = input.enabled ?? existing.enabled;
+                existing.allowedGroupIds = allowedGroupIds;
+                existing.updatedAt = now;
+                return existing;
+            }
+            const chat = {
+                id: randomId(),
+                chatId: input.chatId,
+                title: input.title,
+                type: input.type,
+                enabled: input.enabled ?? true,
+                allowedGroupIds,
+                createdAt: now,
+                updatedAt: now,
+            };
+            payload.telegramChats.push(chat);
+            return chat;
+        });
+    }
+    updateTelegramChat(id, patch) {
+        return this.mutatePayload((payload) => {
+            const chat = payload.telegramChats.find((candidate) => candidate.id === id);
+            if (!chat) {
+                throw new Error("Telegram chat not found.");
+            }
+            if (patch.enabled !== undefined)
+                chat.enabled = patch.enabled;
+            if (patch.title !== undefined)
+                chat.title = patch.title;
+            if (patch.allowedGroupIds !== undefined)
+                chat.allowedGroupIds = normalizeGroupIds(payload, patch.allowedGroupIds, null);
+            chat.updatedAt = new Date().toISOString();
+            return chat;
+        });
+    }
+    isTelegramChatAllowed(chatId, chatType, user) {
+        if (chatId === undefined) {
+            return false;
+        }
+        if (chatType === "private") {
+            return this.canUseTelegramChat(user, chatId);
+        }
+        const payload = this.readPayload();
+        const access = payload.telegramChats.find((chat) => chat.chatId === chatId);
+        if (!access?.enabled) {
+            return false;
+        }
+        if (access.allowedGroupIds.length === 0) {
+            return this.canUseTelegramChat(user, chatId);
+        }
+        const userGroupIds = new Set(user.groups.map((group) => group.id));
+        return access.allowedGroupIds.some((groupId) => userGroupIds.has(groupId)) && this.canUseTelegramChat(user, chatId);
+    }
+    hasPermission(user, permission) {
+        return Boolean(permission && user?.permissions.includes(permission));
+    }
+    canUseAgent(user, agentId) {
+        if (!user || !agentId) {
+            return true;
+        }
+        return user.groups.some((group) => group.agentIds.length === 0 || group.agentIds.includes(agentId));
+    }
+    canUseWorkspace(user, workspace) {
+        if (!user || !workspace) {
+            return true;
+        }
+        const normalizedWorkspace = normalizeWorkspacePath(workspace);
+        return user.groups.some((group) => group.workspaceRoots.length === 0 ||
+            group.workspaceRoots.some((root) => isPathInside(normalizedWorkspace, normalizeWorkspacePath(root))));
+    }
+    canUseTelegramChat(user, chatId) {
+        if (!user || chatId === undefined) {
+            return true;
+        }
+        return user.groups.some((group) => group.telegramChatIds.length === 0 || group.telegramChatIds.includes(chatId));
+    }
+    createGroup(input) {
+        return this.mutatePayload((payload) => {
+            const now = new Date().toISOString();
+            const id = slugify(input.name);
+            if (!id) {
+                throw new Error("Group name is required.");
+            }
+            if (payload.groups.some((group) => group.id === id)) {
+                throw new Error(`Group already exists: ${id}`);
+            }
+            const group = {
+                id,
+                name: input.name.trim(),
+                description: input.description?.trim() ?? "",
+                permissions: normalizePermissions(input.permissions ?? [], true),
+                system: false,
+                agentIds: normalizeStringList(input.agentIds ?? []),
+                workspaceRoots: normalizeStringList(input.workspaceRoots ?? []),
+                telegramChatIds: normalizeNumberList(input.telegramChatIds ?? []),
+                createdAt: now,
+                updatedAt: now,
+            };
+            payload.groups.push(group);
+            return group;
+        });
+    }
+    updateGroup(id, patch) {
+        return this.mutatePayload((payload) => {
+            const group = payload.groups.find((candidate) => candidate.id === id);
+            if (!group) {
+                throw new Error("Group not found.");
+            }
+            if (group.system && id === ADMIN_GROUP_ID && patch.permissions) {
+                group.permissions = ALL_PERMISSIONS_SAFE();
+            }
+            else if (patch.permissions !== undefined) {
+                group.permissions = normalizePermissions(patch.permissions, true);
+            }
+            if (!group.system && patch.name !== undefined)
+                group.name = patch.name.trim() || group.name;
+            if (patch.description !== undefined)
+                group.description = patch.description.trim();
+            if (patch.agentIds !== undefined)
+                group.agentIds = normalizeStringList(patch.agentIds);
+            if (patch.workspaceRoots !== undefined)
+                group.workspaceRoots = normalizeStringList(patch.workspaceRoots);
+            if (patch.telegramChatIds !== undefined)
+                group.telegramChatIds = normalizeNumberList(patch.telegramChatIds);
+            group.updatedAt = new Date().toISOString();
+            return group;
+        });
+    }
+    authenticatedUser(payload, user) {
+        const groups = this.groupsForUser(payload, user.id);
+        const permissions = Array.from(new Set(groups.flatMap((group) => group.permissions)));
+        return { user, groups, permissions };
+    }
+    groupIdsForUser(payload, userId) {
+        return payload.userGroups.filter((item) => item.userId === userId).map((item) => item.groupId);
+    }
+    groupsForUser(payload, userId) {
+        const groupIds = new Set(this.groupIdsForUser(payload, userId));
+        return payload.groups.filter((group) => groupIds.has(group.id));
+    }
+    upsertTelegramIdentityInPayload(payload, userId, input) {
+        if (!Number.isInteger(input.telegramUserId) || input.telegramUserId <= 0) {
+            throw new Error("Telegram user id must be a positive integer.");
+        }
+        const now = new Date().toISOString();
+        for (const identity of payload.telegramIdentities) {
+            if (identity.telegramUserId === input.telegramUserId && identity.userId !== userId) {
+                identity.active = false;
+            }
+        }
+        const existing = payload.telegramIdentities.find((identity) => identity.userId === userId && identity.telegramUserId === input.telegramUserId);
+        if (existing) {
+            existing.username = input.username ?? existing.username;
+            existing.firstName = input.firstName ?? existing.firstName;
+            existing.lastName = input.lastName ?? existing.lastName;
+            existing.active = true;
+            existing.updatedAt = now;
+            return existing;
+        }
+        const identity = {
+            id: randomId(),
+            userId,
+            telegramUserId: input.telegramUserId,
+            username: input.username,
+            firstName: input.firstName,
+            lastName: input.lastName,
+            active: true,
+            linkedAt: now,
+            updatedAt: now,
+        };
+        payload.telegramIdentities.push(identity);
+        return identity;
+    }
+    pruneExpiredSessionsInPayload(payload) {
+        const now = Date.now();
+        payload.webSessions = payload.webSessions.filter((session) => new Date(session.expiresAt).getTime() > now);
+    }
+    revokeUserSessionsInPayload(payload, userId) {
+        payload.webSessions = payload.webSessions.filter((session) => session.userId !== userId);
+    }
+    mutatePayload(updater) {
+        return this.withWriteLock(() => {
+            const payload = this.readPayload();
+            const result = updater(payload);
+            this.writePayload(payload);
+            return result;
+        });
+    }
+    withWriteLock(operation) {
+        const lockPath = `${this.filePath}.lock`;
+        mkdirSync(path.dirname(lockPath), { recursive: true });
+        const deadline = Date.now() + WRITE_LOCK_TIMEOUT_MS;
+        let fd;
+        for (;;) {
+            try {
+                fd = openSync(lockPath, "wx");
+                break;
+            }
+            catch (error) {
+                const code = error.code;
+                if (code !== "EEXIST") {
+                    throw error;
+                }
+                try {
+                    const stat = statSync(lockPath);
+                    if (Date.now() - stat.mtimeMs > STALE_LOCK_MS) {
+                        rmSync(lockPath, { force: true });
+                        continue;
+                    }
+                }
+                catch {
+                    continue;
+                }
+                if (Date.now() > deadline) {
+                    throw new Error("User store is busy. Try again shortly.");
+                }
+                sleepSync(25);
+            }
+        }
+        try {
+            return operation();
+        }
+        finally {
+            if (fd !== undefined) {
+                closeSync(fd);
+            }
+            rmSync(lockPath, { force: true });
+        }
+    }
+    readPayload() {
+        const payload = readJsonFileWithBackup(this.filePath).value;
+        return normalizePayload(payload);
+    }
+    writePayload(payload) {
+        writeJsonFileAtomic(this.filePath, normalizePayload(payload));
+    }
+}
+export function publicUser(user) {
+    const { passwordHash: _passwordHash, passwordSalt: _passwordSalt, ...rest } = user;
+    return rest;
+}
+export function publicWebSession(session) {
+    const { tokenHash: _tokenHash, ...rest } = session;
+    return rest;
+}
+export function publicUserSnapshot(snapshot) {
+    return {
+        ...snapshot,
+        users: snapshot.users.map((user) => {
+            const { passwordHash: _passwordHash, passwordSalt: _passwordSalt, ...rest } = user;
+            return rest;
+        }),
+    };
+}
+function normalizePayload(payload) {
+    const now = new Date().toISOString();
+    const groupsById = new Map();
+    for (const group of BUILTIN_GROUPS) {
+        groupsById.set(group.id, {
+            ...group,
+            permissions: group.id === ADMIN_GROUP_ID ? ALL_PERMISSIONS_SAFE() : group.permissions,
+            agentIds: [],
+            workspaceRoots: [],
+            telegramChatIds: [],
+            createdAt: now,
+            updatedAt: now,
+        });
+    }
+    for (const group of payload?.groups ?? []) {
+        if (!isGroupRecord(group))
+            continue;
+        groupsById.set(group.id, {
+            ...group,
+            permissions: group.id === ADMIN_GROUP_ID ? ALL_PERMISSIONS_SAFE() : normalizePermissions(group.permissions),
+            system: BUILTIN_GROUPS.some((builtin) => builtin.id === group.id) || group.system,
+            agentIds: normalizeStringList(group.agentIds),
+            workspaceRoots: normalizeStringList(group.workspaceRoots),
+            telegramChatIds: normalizeNumberList(group.telegramChatIds),
+        });
+    }
+    const groups = Array.from(groupsById.values());
+    const groupIds = new Set(groups.map((group) => group.id));
+    const users = (payload?.users ?? []).filter(isUserRecord);
+    const userIds = new Set(users.map((user) => user.id));
+    return {
+        version: 1,
+        users,
+        groups,
+        userGroups: (payload?.userGroups ?? []).filter((item) => isUserGroupRecord(item) && userIds.has(item.userId) && groupIds.has(item.groupId)),
+        telegramIdentities: (payload?.telegramIdentities ?? []).filter((item) => isTelegramIdentityRecord(item) && userIds.has(item.userId)),
+        telegramChats: (payload?.telegramChats ?? []).filter(isTelegramChatAccessRecord).map((chat) => ({
+            ...chat,
+            allowedGroupIds: chat.allowedGroupIds.filter((groupId) => groupIds.has(groupId)),
+        })),
+        webSessions: (payload?.webSessions ?? []).filter((item) => isWebSessionRecord(item) && userIds.has(item.userId)),
+        telegramLinkCodes: (payload?.telegramLinkCodes ?? []).filter((item) => isTelegramLinkCodeRecord(item) && userIds.has(item.userId)),
+    };
+}
+function normalizeEmail(email) {
+    return email.trim().toLowerCase();
+}
+function normalizeGroupIds(payload, values, emptyFallback = READONLY_GROUP_ID) {
+    const available = new Set(payload.groups.map((group) => group.id));
+    const groupIds = Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)));
+    for (const groupId of groupIds) {
+        if (!available.has(groupId)) {
+            throw new Error(`Unknown group: ${groupId}`);
+        }
+    }
+    return groupIds.length > 0 ? groupIds : (emptyFallback ? [emptyFallback] : []);
+}
+function normalizePermissions(values, strict = false) {
+    const permissions = [];
+    for (const value of values ?? []) {
+        if (isPermission(value)) {
+            if (!permissions.includes(value)) {
+                permissions.push(value);
+            }
+            continue;
+        }
+        if (strict && value.trim()) {
+            throw new Error(`Unknown permission: ${value}`);
+        }
+    }
+    return permissions;
+}
+function normalizeStringList(values) {
+    return Array.from(new Set((values ?? []).map((value) => value.trim()).filter(Boolean)));
+}
+function normalizeNumberList(values) {
+    return Array.from(new Set((values ?? []).filter((value) => Number.isInteger(value))));
+}
+function assertActiveAdminExists(payload) {
+    const hasAdmin = payload.users.some((user) => user.active && payload.userGroups.some((item) => item.userId === user.id && item.groupId === ADMIN_GROUP_ID));
+    if (!hasAdmin) {
+        throw new Error("Cannot remove or disable the last active admin user.");
+    }
+}
+function normalizeWorkspacePath(value) {
+    return path.resolve(value);
+}
+function isPathInside(candidate, root) {
+    const relative = path.relative(root, candidate);
+    return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}
+function sleepSync(ms) {
+    const end = Date.now() + ms;
+    while (Date.now() < end) {
+        // The lock is only held around tiny JSON mutations; a short spin keeps the implementation dependency-free.
+    }
+}
+function hashPassword(password) {
+    if (password.length < 8) {
+        throw new Error("Password must be at least 8 characters.");
+    }
+    const salt = randomBytes(16).toString("hex");
+    const hash = scryptSync(password, salt, PASSWORD_KEYLEN).toString("hex");
+    return { salt, hash };
+}
+function verifyPasswordHash(password, salt, expectedHash) {
+    const actual = scryptSync(password, salt, PASSWORD_KEYLEN);
+    const expected = Buffer.from(expectedHash, "hex");
+    return actual.length === expected.length && timingSafeEqual(actual, expected);
+}
+function hashToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+}
+function constantTimeStringEqual(left, right) {
+    const leftBuffer = Buffer.from(left);
+    const rightBuffer = Buffer.from(right);
+    return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+function randomId() {
+    return randomUUID().replace(/-/g, "").slice(0, 12);
+}
+function randomLinkCode() {
+    return `NR-${randomBytes(4).toString("hex").toUpperCase()}`;
+}
+function slugify(value) {
+    return value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+}
+function ALL_PERMISSIONS_SAFE() {
+    return [...BUILTIN_GROUPS.find((group) => group.id === ADMIN_GROUP_ID).permissions];
+}
+function isUserRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.email === "string" &&
+        typeof candidate.displayName === "string" && typeof candidate.passwordHash === "string" &&
+        typeof candidate.passwordSalt === "string" && typeof candidate.active === "boolean";
+}
+function isGroupRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.name === "string" &&
+        Array.isArray(candidate.permissions);
+}
+function isUserGroupRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.userId === "string" && typeof candidate.groupId === "string";
+}
+function isTelegramIdentityRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        Number.isInteger(candidate.telegramUserId) && typeof candidate.active === "boolean";
+}
+function isTelegramChatAccessRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && Number.isInteger(candidate.chatId) &&
+        typeof candidate.enabled === "boolean" && Array.isArray(candidate.allowedGroupIds);
+}
+function isWebSessionRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.id === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.tokenHash === "string" && typeof candidate.expiresAt === "string";
+}
+function isTelegramLinkCodeRecord(value) {
+    const candidate = value;
+    return Boolean(candidate) && typeof candidate.code === "string" && typeof candidate.userId === "string" &&
+        typeof candidate.expiresAt === "string";
+}