@nordbyte/nordrelay 0.4.1 → 0.5.0

package/dist/access-control.js

@@ -1,11 +1,68 @@
-const ALL_PERMISSIONS = [
+import { permissionForWebRequestFromContract } from "./web-api-contract.js";
+export const ALL_PERMISSIONS = [
     "inspect",
-    "sessions",
-    "prompt",
-    "files",
-    "settings",
-    "auth",
-    "admin",
+    "sessions.read",
+    "sessions.write",
+    "prompt.send",
+    "prompt.abort",
+    "files.read",
+    "files.write",
+    "settings.read",
+    "settings.write",
+    "auth.manage",
+    "diagnostics.read",
+    "logs.read",
+    "logs.clear",
+    "queue.read",
+    "queue.write",
+    "updates.run",
+    "system.restart",
+    "users.read",
+    "users.write",
+    "audit.read",
+];
+export const ADMIN_GROUP_ID = "admin";
+export const USER_GROUP_ID = "user";
+export const READONLY_GROUP_ID = "readonly";
+export const BUILTIN_GROUPS = [
+    {
+        id: ADMIN_GROUP_ID,
+        name: "Admin",
+        description: "Full access to every NordRelay feature, user management, updates, and system controls.",
+        permissions: ALL_PERMISSIONS,
+        system: true,
+    },
+    {
+        id: USER_GROUP_ID,
+        name: "User",
+        description: "Normal read/write use of agents, sessions, prompts, files, and personal agent auth.",
+        permissions: [
+            "inspect",
+            "sessions.read",
+            "sessions.write",
+            "prompt.send",
+            "prompt.abort",
+            "files.read",
+            "files.write",
+            "settings.read",
+            "auth.manage",
+            "queue.read",
+            "queue.write",
+        ],
+        system: true,
+    },
+    {
+        id: READONLY_GROUP_ID,
+        name: "Read Only",
+        description: "Read-only access to status, sessions, activity, and artifacts.",
+        permissions: [
+            "inspect",
+            "sessions.read",
+            "files.read",
+            "settings.read",
+        ],
+        system: true,
+    },
 ];
 const COMMAND_PERMISSIONS = new Map([
     ["start", "inspect"],
@@ -15,141 +72,93 @@ const COMMAND_PERMISSIONS = new Map([
     ["version", "inspect"],
     ["channels", "inspect"],
     ["agents", "inspect"],
-    ["diagnostics", "admin"],
     ["tasks", "inspect"],
     ["progress", "inspect"],
-    ["activity", "inspect"],
-    ["audit", "admin"],
-    ["mirror", "settings"],
-    ["notify", "settings"],
-    ["workspaces", "sessions"],
-    ["voice", "inspect"],
-    ["agent", "settings"],
-    ["session", "sessions"],
-    ["sessions", "sessions"],
-    ["switch", "sessions"],
-    ["pinned", "sessions"],
-    ["pin", "sessions"],
-    ["unpin", "sessions"],
-    ["attach", "sessions"],
-    ["handback", "sessions"],
-    ["new", "sessions"],
-    ["sync", "sessions"],
-    ["lock", "sessions"],
-    ["unlock", "sessions"],
-    ["locks", "sessions"],
-    ["queue", "inspect"],
-    ["cancel", "prompt"],
-    ["clearqueue", "prompt"],
-    ["retry", "prompt"],
-    ["abort", "prompt"],
-    ["stop", "prompt"],
-    ["artifacts", "files"],
-    ["launch", "settings"],
-    ["launch_profiles", "settings"],
-    ["launch-profiles", "settings"],
-    ["fast", "settings"],
-    ["model", "settings"],
-    ["reasoning", "settings"],
-    ["effort", "settings"],
+    ["activity", "sessions.read"],
     ["auth", "inspect"],
-    ["login", "auth"],
-    ["logout", "auth"],
-    ["logs", "admin"],
-    ["restart", "admin"],
-    ["update", "admin"],
+    ["voice", "inspect"],
+    ["whoami", "inspect"],
+    ["diagnostics", "diagnostics.read"],
+    ["logs", "logs.read"],
+    ["audit", "audit.read"],
+    ["restart", "system.restart"],
+    ["update", "updates.run"],
+    ["workspaces", "sessions.read"],
+    ["session", "sessions.read"],
+    ["sessions", "sessions.read"],
+    ["pinned", "sessions.read"],
+    ["locks", "sessions.read"],
+    ["queue", "queue.read"],
+    ["artifacts", "files.read"],
+    ["agent", "settings.write"],
+    ["mirror", "settings.write"],
+    ["notify", "settings.write"],
+    ["launch", "settings.write"],
+    ["launch_profiles", "settings.write"],
+    ["launch-profiles", "settings.write"],
+    ["fast", "settings.write"],
+    ["model", "settings.write"],
+    ["reasoning", "settings.write"],
+    ["effort", "settings.write"],
+    ["login", "auth.manage"],
+    ["logout", "auth.manage"],
+    ["new", "sessions.write"],
+    ["switch", "sessions.write"],
+    ["attach", "sessions.write"],
+    ["handback", "sessions.write"],
+    ["sync", "sessions.write"],
+    ["pin", "sessions.write"],
+    ["unpin", "sessions.write"],
+    ["lock", "sessions.write"],
+    ["unlock", "sessions.write"],
+    ["retry", "prompt.send"],
+    ["clearqueue", "queue.write"],
+    ["cancel", "queue.write"],
+    ["abort", "prompt.abort"],
+    ["stop", "prompt.abort"],
+    ["register_chat", "users.write"],
+    ["chat_access", "users.write"],
+    ["link", "inspect"],
 ]);
-export function createDefaultRolePolicies() {
-    return {
-        admin: new Set(ALL_PERMISSIONS),
-        operator: new Set(["inspect", "sessions", "prompt", "files", "settings", "auth"]),
-        readonly: new Set(["inspect", "sessions"]),
-    };
-}
-export function parseRolePoliciesJson(raw) {
-    const policies = createDefaultRolePolicies();
-    if (!raw) {
-        return policies;
-    }
-    let parsed;
-    try {
-        parsed = JSON.parse(raw);
-    }
-    catch (error) {
-        throw new Error(`Invalid TELEGRAM_ROLE_POLICIES_JSON: ${error instanceof Error ? error.message : String(error)}`);
-    }
-    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-        throw new Error("TELEGRAM_ROLE_POLICIES_JSON must be an object keyed by role");
-    }
-    for (const [role, rawPermissions] of Object.entries(parsed)) {
-        if (!isTelegramRole(role)) {
-            throw new Error(`Invalid TELEGRAM_ROLE_POLICIES_JSON role: ${role}`);
-        }
-        policies[role] = parsePermissionList(rawPermissions, role);
-    }
-    if (!policies.admin.has("admin")) {
-        policies.admin.add("admin");
-    }
-    return policies;
-}
-export function hasTelegramPermission(policies, role, permission) {
-    return policies[role].has(permission) || policies[role].has("admin");
-}
 export function permissionForCommand(command) {
     if (!command) {
-        return "inspect";
+        return null;
     }
-    return COMMAND_PERMISSIONS.get(command.toLowerCase()) ?? "inspect";
+    return COMMAND_PERMISSIONS.get(command.toLowerCase()) ?? null;
 }
 export function permissionForCallbackData(callbackData) {
     if (!callbackData) {
-        return "inspect";
+        return null;
     }
     if (callbackData === "noop_page") {
         return "inspect";
     }
     if (/^(sess_|ws_)/.test(callbackData)) {
-        return "sessions";
+        return "sessions.write";
     }
     if (/^(launch_|launchconfirm_|model_|effort_|agent_)/.test(callbackData)) {
-        return "settings";
+        return "settings.write";
     }
     if (callbackData.startsWith("upd_")) {
-        return "admin";
+        return "updates.run";
     }
     if (callbackData.startsWith("approval_") || callbackData.startsWith("codex_abort:") || callbackData.startsWith("agent_abort:")) {
-        return "prompt";
+        return "prompt.abort";
     }
     if (callbackData.startsWith("queue_")) {
-        return "prompt";
+        return "queue.write";
+    }
+    if (callbackData.startsWith("artifact_delete")) {
+        return "files.write";
     }
     if (callbackData.startsWith("artifact_")) {
-        return "files";
+        return "files.read";
     }
-    return "inspect";
+    return null;
 }
-export function isTelegramRole(value) {
-    return value === "admin" || value === "operator" || value === "readonly";
-}
-function parsePermissionList(rawPermissions, role) {
-    if (rawPermissions === "*") {
-        return new Set(ALL_PERMISSIONS);
-    }
-    if (!Array.isArray(rawPermissions)) {
-        throw new Error(`TELEGRAM_ROLE_POLICIES_JSON.${role} must be an array or "*"`);
-    }
-    const permissions = new Set();
-    for (const rawPermission of rawPermissions) {
-        if (rawPermission === "*") {
-            return new Set(ALL_PERMISSIONS);
-        }
-        if (typeof rawPermission !== "string" || !isTelegramPermission(rawPermission)) {
-            throw new Error(`Invalid TELEGRAM_ROLE_POLICIES_JSON permission for ${role}: ${String(rawPermission)}`);
-        }
-        permissions.add(rawPermission);
-    }
-    return permissions;
+export function permissionForWebRequest(method, pathname) {
+    return permissionForWebRequestFromContract(method, pathname);
 }
-function isTelegramPermission(value) {
+export function isPermission(value) {
     return ALL_PERMISSIONS.includes(value);
 }

package/dist/agent-updates.js

@@ -1,5 +1,5 @@
 import { spawn } from "node:child_process";
-import { appendFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { appendFileSync, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { agentLabel } from "./agent.js";
@@ -34,6 +34,9 @@ export class AgentUpdateManager {
     }
     readLog(id) {
         const job = this.requireJob(id);
+        if (job.logDeletedAt) {
+            return { job: this.snapshot(job), plain: `Update log was deleted at ${job.logDeletedAt}.` };
+        }
         try {
             return { job: this.snapshot(job), plain: redactText(readFileSync(job.logPath, "utf8")) };
         }
@@ -44,6 +47,17 @@ export class AgentUpdateManager {
             };
         }
     }
+    deleteLog(id) {
+        const job = this.requireJob(id);
+        if (job.status === "running") {
+            throw new Error("Cannot delete the update log while the update job is still running.");
+        }
+        const snapshot = this.snapshot(job);
+        rmSync(job.logPath, { force: true });
+        this.jobs.delete(id);
+        this.persistJobs();
+        return snapshot;
+    }
     start(agentId, context = {}) {
         const running = [...this.jobs.values()].find((job) => job.agentId === agentId && job.status === "running");
         if (running) {
@@ -181,6 +195,10 @@ export class AgentUpdateManager {
             const parsed = JSON.parse(readFileSync(this.manifestPath, "utf8"));
             let changed = false;
             for (const snapshot of parsed) {
+                if (snapshot.logDeletedAt) {
+                    changed = true;
+                    continue;
+                }
                 const staleRunning = snapshot.status === "running" && !isProcessRunning(snapshot.ownerPid);
                 if (staleRunning) {
                     changed = true;