@nordbyte/nordrelay 0.4.1 → 0.5.1

package/dist/settings-service.js

@@ -1,119 +1,7 @@
 import { mkdir, readFile, writeFile } from "node:fs/promises";
 import path from "node:path";
-const SECRET_KEYS = new Set([
-    "TELEGRAM_BOT_TOKEN",
-    "CODEX_API_KEY",
-    "HERMES_API_KEY",
-    "OPENCLAW_GATEWAY_TOKEN",
-    "OPENCLAW_GATEWAY_PASSWORD",
-    "OPENAI_API_KEY",
-    "TELEGRAM_WEBHOOK_SECRET",
-    "NORDRELAY_DASHBOARD_TOKEN",
-    "NORDRELAY_DASHBOARD_PASSWORD",
-]);
-export const SETTING_DEFINITIONS = [
-    setting("TELEGRAM_BOT_TOKEN", "Telegram bot token", "Telegram", "secret", "BotFather token.", true),
-    setting("TELEGRAM_ADMIN_USER_IDS", "Telegram admin user IDs", "Telegram", "list", "Comma-separated Telegram users allowed to administer and use the bot.", true),
-    setting("TELEGRAM_ALLOWED_USER_IDS", "Allowed operator user IDs", "Telegram", "list", "Optional non-admin operators.", true),
-    setting("TELEGRAM_READONLY_USER_IDS", "Readonly user IDs", "Telegram", "list", "Users allowed to inspect but not mutate.", true),
-    setting("TELEGRAM_ALLOWED_CHAT_IDS", "Allowed chat IDs", "Telegram", "list", "Optional chat allowlist.", true),
-    setting("TELEGRAM_ALLOW_ANY_CHAT", "Allow any Telegram chat", "Telegram", "boolean", "Unsafe override; keep off for normal use.", true),
-    setting("TELEGRAM_ROLE_POLICIES_JSON", "Role policy JSON", "Telegram", "json", "Granular Telegram permission policy.", true),
-    setting("TELEGRAM_TRANSPORT", "Telegram transport", "Telegram", "string", "polling or webhook.", true, ["polling", "webhook"]),
-    setting("TELEGRAM_WEBHOOK_URL", "Webhook public URL", "Telegram", "string", "Public base URL for webhook mode.", true),
-    setting("TELEGRAM_WEBHOOK_HOST", "Webhook bind host", "Telegram", "string", "Local webhook bind host.", true),
-    setting("TELEGRAM_WEBHOOK_PORT", "Webhook bind port", "Telegram", "number", "Local webhook bind port.", true),
-    setting("TELEGRAM_WEBHOOK_PATH", "Webhook path", "Telegram", "string", "Webhook request path.", true),
-    setting("TELEGRAM_WEBHOOK_SECRET", "Webhook secret", "Telegram", "secret", "Optional Telegram webhook secret token.", true),
-    setting("NORDRELAY_CODEX_ENABLED", "Enable Codex", "Agents", "boolean", "Allow Codex sessions.", true),
-    setting("NORDRELAY_PI_ENABLED", "Enable Pi", "Agents", "boolean", "Allow Pi sessions.", true),
-    setting("NORDRELAY_HERMES_ENABLED", "Enable Hermes", "Agents", "boolean", "Allow Hermes sessions through the Hermes API Server.", true),
-    setting("NORDRELAY_OPENCLAW_ENABLED", "Enable OpenClaw", "Agents", "boolean", "Allow OpenClaw sessions through the OpenClaw Gateway.", true),
-    setting("NORDRELAY_CLAUDE_CODE_ENABLED", "Enable Claude Code", "Agents", "boolean", "Allow Claude Code sessions through the Claude Agent SDK.", true),
-    setting("NORDRELAY_DEFAULT_AGENT", "Default agent", "Agents", "string", "codex, pi, hermes, openclaw, or claude-code.", true, ["codex", "pi", "hermes", "openclaw", "claude-code"]),
-    setting("CODEX_API_KEY", "Codex API key", "Codex", "secret", "Optional Codex SDK API key.", true),
-    setting("CODEX_CLI_PATH", "Codex CLI path", "Codex", "string", "Optional explicit Codex executable path.", true),
-    setting("CODEX_USE_BUNDLED_CLI", "Use bundled Codex CLI", "Codex", "boolean", "Force SDK-bundled CLI instead of host CLI.", true),
-    setting("CODEX_MODEL", "Default Codex model", "Codex", "string", "Default model for new Codex threads.", false),
-    setting("CODEX_SYNC_INTERVAL_MS", "Codex sync interval", "Codex", "number", "Local state sync interval.", true),
-    setting("CODEX_EXTERNAL_BUSY_CHECK_MS", "External busy check", "Codex", "number", "External CLI busy polling interval.", true),
-    setting("CODEX_EXTERNAL_BUSY_STALE_MS", "External busy stale timeout", "Codex", "number", "External CLI stale timeout.", true),
-    setting("CODEX_SANDBOX_MODE", "Codex sandbox mode", "Codex", "string", "read-only, workspace-write, or danger-full-access.", true, ["read-only", "workspace-write", "danger-full-access"]),
-    setting("CODEX_APPROVAL_POLICY", "Codex approval policy", "Codex", "string", "never, on-request, on-failure, or untrusted.", true, ["never", "on-request", "on-failure", "untrusted"]),
-    setting("CODEX_LAUNCH_PROFILES_JSON", "Launch profiles JSON", "Codex", "json", "Additional launch profile definitions.", true),
-    setting("CODEX_DEFAULT_LAUNCH_PROFILE", "Default launch profile", "Codex", "string", "Launch profile ID used by default.", true),
-    setting("ENABLE_UNSAFE_LAUNCH_PROFILES", "Enable unsafe profiles", "Codex", "boolean", "Expose danger-full-access profiles.", true),
-    setting("PI_CLI_PATH", "Pi CLI path", "Pi", "string", "Optional Pi executable path.", true),
-    setting("PI_SESSION_DIR", "Pi session dir", "Pi", "string", "Optional Pi session directory.", true),
-    setting("PI_DEFAULT_MODEL", "Default Pi model", "Pi", "string", "Default Pi model slug.", false),
-    setting("PI_DEFAULT_THINKING", "Default Pi thinking", "Pi", "string", "off, minimal, low, medium, high, or xhigh.", false, ["off", "minimal", "low", "medium", "high", "xhigh"]),
-    setting("PI_DEFAULT_PROFILE", "Default Pi profile", "Pi", "string", "default, readonly, no-tools, offline, or safe-offline.", true, ["default", "readonly", "no-tools", "offline", "safe-offline"]),
-    setting("HERMES_CLI_PATH", "Hermes CLI path", "Hermes", "string", "Optional Hermes executable path.", true),
-    setting("HERMES_HOME", "Hermes home", "Hermes", "string", "Optional Hermes home directory. Defaults to ~/.hermes.", true),
-    setting("HERMES_STATE_DB_PATH", "Hermes state DB path", "Hermes", "string", "Optional explicit Hermes state.db path.", true),
-    setting("HERMES_API_BASE_URL", "Hermes API base URL", "Hermes", "string", "Hermes API Server base URL.", true),
-    setting("HERMES_API_KEY", "Hermes API key", "Hermes", "secret", "Bearer token for the Hermes API Server.", true),
-    setting("HERMES_DEFAULT_MODEL", "Default Hermes model", "Hermes", "string", "Default model label sent to Hermes API runs.", false),
-    setting("HERMES_DEFAULT_REASONING", "Default Hermes reasoning", "Hermes", "string", "none, minimal, low, medium, high, or xhigh.", false, ["none", "minimal", "low", "medium", "high", "xhigh"]),
-    setting("HERMES_DEFAULT_PROFILE", "Default Hermes profile", "Hermes", "string", "default, safe, readonly, or yolo.", true, ["default", "safe", "readonly", "yolo"]),
-    setting("OPENCLAW_CLI_PATH", "OpenClaw CLI path", "OpenClaw", "string", "Optional OpenClaw executable path.", true),
-    setting("OPENCLAW_GATEWAY_URL", "OpenClaw Gateway URL", "OpenClaw", "string", "OpenClaw Gateway WebSocket URL.", true),
-    setting("OPENCLAW_GATEWAY_TOKEN", "OpenClaw Gateway token", "OpenClaw", "secret", "Shared-secret token for the OpenClaw Gateway.", true),
-    setting("OPENCLAW_GATEWAY_PASSWORD", "OpenClaw Gateway password", "OpenClaw", "secret", "Shared-secret password for the OpenClaw Gateway.", true),
-    setting("OPENCLAW_AGENT_ID", "OpenClaw agent ID", "OpenClaw", "string", "Configured OpenClaw agent id, for example main or work.", false),
-    setting("OPENCLAW_HOME", "OpenClaw home", "OpenClaw", "string", "Optional OpenClaw home directory. Defaults to ~/.openclaw.", true),
-    setting("OPENCLAW_STATE_DIR", "OpenClaw state dir", "OpenClaw", "string", "Optional OpenClaw state directory.", true),
-    setting("OPENCLAW_DEFAULT_MODEL", "Default OpenClaw model", "OpenClaw", "string", "Default OpenClaw model id.", false),
-    setting("OPENCLAW_DEFAULT_THINKING", "Default OpenClaw thinking", "OpenClaw", "string", "off, minimal, low, medium, high, or xhigh.", false, ["off", "minimal", "low", "medium", "high", "xhigh"]),
-    setting("OPENCLAW_DEFAULT_PROFILE", "Default OpenClaw profile", "OpenClaw", "string", "default, safe, readonly, local, or deliver.", true, ["default", "safe", "readonly", "local", "deliver"]),
-    setting("CLAUDE_CODE_CLI_PATH", "Claude Code CLI path", "Claude Code", "string", "Optional Claude Code executable path. Defaults to claude on PATH or the SDK bundled runtime.", true),
-    setting("CLAUDE_CONFIG_DIR", "Claude config dir", "Claude Code", "string", "Optional Claude config directory. Defaults to ~/.claude.", true),
-    setting("CLAUDE_CODE_DEFAULT_MODEL", "Default Claude Code model", "Claude Code", "string", "Default Claude Code model alias or model id.", false),
-    setting("CLAUDE_CODE_DEFAULT_EFFORT", "Default Claude Code effort", "Claude Code", "string", "off, low, medium, high, or xhigh.", false, ["off", "low", "medium", "high", "xhigh"]),
-    setting("CLAUDE_CODE_DEFAULT_PROFILE", "Default Claude Code profile", "Claude Code", "string", "default, accept-edits, plan, readonly, no-tools, or bypass-permissions.", true, ["default", "accept-edits", "plan", "readonly", "no-tools", "bypass-permissions"]),
-    setting("CLAUDE_CODE_MAX_TURNS", "Claude Code max turns", "Claude Code", "number", "Maximum agentic turns for each Claude Code prompt.", false),
-    setting("CONNECTOR_LOG_FORMAT", "Log format", "Operations", "string", "text or json.", true, ["text", "json"]),
-    setting("TOOL_VERBOSITY", "Tool verbosity", "Operations", "string", "all, summary, errors-only, or none.", false, ["all", "summary", "errors-only", "none"]),
-    setting("SHOW_TURN_TOKEN_USAGE", "Show turn token usage", "Operations", "boolean", "Append per-turn token usage.", false),
-    setting("ENABLE_TELEGRAM_LOGIN", "Enable Telegram login", "Operations", "boolean", "Allow /login and /logout.", true),
-    setting("ENABLE_TELEGRAM_REACTIONS", "Enable Telegram reactions", "Operations", "boolean", "Send Telegram reactions.", true),
-    setting("TELEGRAM_RATE_LIMIT_MIN_INTERVAL_MS", "Telegram send interval", "Operations", "number", "Minimum send interval.", true),
-    setting("TELEGRAM_EDIT_MIN_INTERVAL_MS", "Telegram edit interval", "Operations", "number", "Minimum edit interval.", true),
-    setting("TELEGRAM_CLI_MIRROR_MODE", "CLI mirror mode", "Operations", "string", "off, status, final, or full.", false, ["off", "status", "final", "full"]),
-    setting("TELEGRAM_CLI_MIRROR_MIN_UPDATE_MS", "CLI mirror update interval", "Operations", "number", "Minimum mirrored edit interval.", true),
-    setting("TELEGRAM_NOTIFY_MODE", "Notify mode", "Operations", "string", "off, minimal, or all.", false, ["off", "minimal", "all"]),
-    setting("TELEGRAM_QUIET_HOURS", "Quiet hours", "Operations", "string", "HH-HH or blank.", false),
-    setting("TELEGRAM_REDACT_PATTERNS", "Redaction patterns", "Operations", "list", "Additional comma-separated regex patterns.", true),
-    setting("NORDRELAY_UPDATE_METHOD", "Update method", "Operations", "string", "auto, npm, or git.", true, ["auto", "npm", "git"]),
-    setting("MAX_FILE_SIZE", "Max file size", "Artifacts", "number", "Max inbound/outbound file size.", true),
-    setting("ARTIFACT_RETENTION_DAYS", "Artifact retention days", "Artifacts", "number", "Days before pruning.", true),
-    setting("ARTIFACT_MAX_TURNS", "Max artifact turns", "Artifacts", "number", "Maximum artifact turns retained.", true),
-    setting("ARTIFACT_MAX_INBOX_DIRS", "Max inbox dirs", "Artifacts", "number", "Maximum inbox dirs retained.", true),
-    setting("ARTIFACT_IGNORE_DIRS", "Artifact ignore dirs", "Artifacts", "list", "Extra ignored dirs or relative paths.", true),
-    setting("ARTIFACT_IGNORE_GLOBS", "Artifact ignore globs", "Artifacts", "list", "Extra ignored glob patterns.", true),
-    setting("TELEGRAM_AUTO_SEND_ARTIFACTS", "Auto-send artifacts", "Artifacts", "boolean", "Automatically send artifact files.", false),
-    setting("WORKSPACE_ALLOWED_ROOTS", "Workspace allowed roots", "Workspace", "list", "Restrict selectable workspaces.", true),
-    setting("WORKSPACE_WARN_ROOTS", "Workspace warn roots", "Workspace", "list", "Warn for broad workspace roots.", true),
-    setting("NORDRELAY_STATE_BACKEND", "State backend", "Workspace", "string", "json or sqlite.", true, ["json", "sqlite"]),
-    setting("NORDRELAY_AUDIT_MAX_EVENTS", "Audit max events", "Workspace", "number", "Retained audit events.", true),
-    setting("NORDRELAY_SESSION_LOCK_TTL_MS", "Session lock TTL", "Workspace", "number", "Write-lock TTL.", true),
-    setting("NORDRELAY_VERSION_CACHE_TTL_MS", "Version cache TTL", "Workspace", "number", "NPM version cache TTL.", true),
-    setting("OPENAI_API_KEY", "OpenAI API key", "Voice", "secret", "Whisper fallback API key.", true),
-    setting("VOICE_PREFERRED_BACKEND", "Voice backend", "Voice", "string", "auto, parakeet, faster-whisper, or openai.", false, ["auto", "parakeet", "faster-whisper", "openai"]),
-    setting("VOICE_DEFAULT_LANGUAGE", "Voice language", "Voice", "string", "Default transcription language.", false),
-    setting("VOICE_TRANSCRIBE_ONLY", "Voice transcribe only", "Voice", "boolean", "Do not send voice transcripts as prompts.", false),
-    setting("FASTER_WHISPER_PYTHON", "faster-whisper Python", "Voice", "string", "Python executable.", true),
-    setting("FASTER_WHISPER_MODEL", "faster-whisper model", "Voice", "string", "Model name.", true),
-    setting("FASTER_WHISPER_DEVICE", "faster-whisper device", "Voice", "string", "cpu, cuda, etc.", true),
-    setting("FASTER_WHISPER_COMPUTE_TYPE", "faster-whisper compute type", "Voice", "string", "int8, float16, etc.", true),
-    setting("FASTER_WHISPER_LANGUAGE", "faster-whisper language", "Voice", "string", "Fixed transcription language.", true),
-    setting("FASTER_WHISPER_TIMEOUT_MS", "faster-whisper timeout", "Voice", "number", "Transcription timeout.", true),
-    setting("NORDRELAY_DASHBOARD_TOKEN", "Dashboard token", "Dashboard", "secret", "Bearer/login token for WebUI.", true),
-    setting("NORDRELAY_DASHBOARD_USER", "Dashboard user", "Dashboard", "string", "Optional Basic Auth user.", true),
-    setting("NORDRELAY_DASHBOARD_PASSWORD", "Dashboard password", "Dashboard", "secret", "Optional Basic Auth password.", true),
-    setting("NORDRELAY_DASHBOARD_HOST", "Dashboard host", "Dashboard", "string", "WebUI bind host.", true),
-    setting("NORDRELAY_DASHBOARD_PORT", "Dashboard port", "Dashboard", "number", "WebUI bind port.", true),
-];
+import { SECRET_KEYS, SETTING_DEFINITIONS } from "./config-metadata.js";
+export { SETTING_DEFINITIONS } from "./config-metadata.js";
 export class SettingsService {
     envPath;
     constructor(envPath) {
@@ -193,9 +81,6 @@ export function maskSecret(value) {
     }
     return `${value.slice(0, 4)}...${value.slice(-4)}`;
 }
-function setting(key, label, group, kind, description, restartRequired, options) {
-    return { key, label, group, kind, description, restartRequired, options };
-}
 function validateSettingValue(definition, value) {
     if (definition.kind === "number" && !Number.isFinite(Number(value))) {
         return "Must be a number.";

package/dist/support-bundle.js

@@ -0,0 +1,205 @@
+import { spawnSync } from "node:child_process";
+import { mkdir, stat, writeFile } from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { getAgentUpdateLogPath, getConnectorHealth, getConnectorHome, getConnectorLogPath, getConnectorStatePath, getSourceRoot, getUpdateLogPath, getVersionChecks, readFormattedLogTail, resolveNpmSpawnCommand, } from "./operations.js";
+import { redactText } from "./redaction.js";
+import { createZipBuffer } from "./zip-writer.js";
+export async function createSupportBundle(options) {
+    const createdAt = new Date();
+    const health = options.health ?? await getConnectorHealth(cliPathOptions(options.config));
+    const versionChecks = options.versionChecks ?? await getVersionChecks(cliPathOptions(options.config));
+    const entries = [];
+    addJson(entries, "manifest.json", {
+        createdAt: createdAt.toISOString(),
+        source: options.source ?? "web",
+        package: "@nordbyte/nordrelay",
+        includedFiles: [],
+    });
+    addJson(entries, "config/redacted-config.json", redactValue(options.config));
+    addJson(entries, "config/relevant-env.json", redactValue(relevantEnvironment()));
+    addJson(entries, "runtime/health.json", redactValue(health));
+    addJson(entries, "runtime/version-checks.json", redactValue(versionChecks));
+    addJson(entries, "runtime/state-backend.json", {
+        stateBackend: options.config.stateBackend,
+        stateFile: getConnectorStatePath(),
+        connectorHome: getConnectorHome(),
+        sourceRoot: getSourceRoot(),
+        workspace: options.config.workspace,
+        databasePath: health.databasePath,
+    });
+    addJson(entries, "runtime/agent-paths.json", agentPaths(health));
+    addJson(entries, "system/info.json", systemInfo());
+    if (options.diagnostics) {
+        addJson(entries, "runtime/diagnostics.json", redactValue(options.diagnostics));
+    }
+    if (options.adapterHealth) {
+        addJson(entries, "runtime/adapter-health.json", redactValue(options.adapterHealth));
+    }
+    if (options.auditEvents) {
+        addJson(entries, "audit/recent-events.json", redactValue(options.auditEvents));
+    }
+    if (options.agentUpdateJobs) {
+        addJson(entries, "updates/jobs.json", redactValue(options.agentUpdateJobs));
+    }
+    await addLog(entries, "logs/connector.log", getConnectorLogPath());
+    await addLog(entries, "logs/nordrelay-update.log", getUpdateLogPath());
+    await addLog(entries, "logs/agent-updates.log", getAgentUpdateLogPath());
+    const includedFiles = entries.map((entry) => entry.name);
+    entries[0] = {
+        name: "manifest.json",
+        data: jsonText({
+            createdAt: createdAt.toISOString(),
+            source: options.source ?? "web",
+            package: "@nordbyte/nordrelay",
+            includedFiles,
+        }),
+        date: createdAt,
+    };
+    const buffer = createZipBuffer(entries);
+    const name = `nordrelay-diagnostics-${formatTimestamp(createdAt)}.zip`;
+    const supportDir = path.join(getConnectorHome(), "support");
+    await mkdir(supportDir, { recursive: true });
+    const bundlePath = path.join(supportDir, name);
+    await writeFile(bundlePath, buffer);
+    const stats = await stat(bundlePath);
+    return {
+        path: bundlePath,
+        name,
+        sizeBytes: stats.size,
+        createdAt: createdAt.toISOString(),
+        includedFiles,
+    };
+}
+function cliPathOptions(config) {
+    return {
+        piCliPath: config.piCliPath,
+        hermesCliPath: config.hermesCliPath,
+        openClawCliPath: config.openClawCliPath,
+        claudeCodeCliPath: config.claudeCodeCliPath,
+    };
+}
+function addJson(entries, name, value) {
+    entries.push({ name, data: jsonText(value) });
+}
+async function addLog(entries, name, filePath) {
+    const tail = await readFormattedLogTail(300, filePath);
+    entries.push({
+        name,
+        data: [
+            `File: ${tail.filePath}`,
+            `Updated: ${tail.updatedAt ? tail.updatedAt.toISOString() : "-"}`,
+            `Lines: ${tail.lineCount}/${tail.requestedLines}`,
+            "",
+            tail.plain || "(empty)",
+        ].join("\n"),
+    });
+}
+function jsonText(value) {
+    return `${JSON.stringify(value, null, 2)}\n`;
+}
+function redactValue(value) {
+    if (Array.isArray(value)) {
+        return value.map((item) => redactValue(item));
+    }
+    if (!value || typeof value !== "object") {
+        return typeof value === "string" ? redactText(value) : value;
+    }
+    const output = {};
+    for (const [key, rawValue] of Object.entries(value)) {
+        output[key] = isSecretKey(key) ? "[REDACTED]" : redactValue(rawValue);
+    }
+    return output;
+}
+function isSecretKey(key) {
+    return /(token|secret|password|authorization|api[_-]?key|apikey|botToken|webhookSecret|gatewayPassword)/i.test(key);
+}
+function relevantEnvironment() {
+    const prefixes = [
+        "NORDRELAY_",
+        "TELEGRAM_",
+        "CODEX_",
+        "PI_",
+        "HERMES_",
+        "OPENCLAW_",
+        "CLAUDE_",
+        "WORKSPACE_",
+        "ARTIFACT_",
+        "VOICE_",
+        "FASTER_WHISPER_",
+    ];
+    const exact = new Set(["MAX_FILE_SIZE", "TOOL_VERBOSITY", "CONNECTOR_LOG_FORMAT", "NODE_ENV"]);
+    return Object.fromEntries(Object.entries(process.env)
+        .filter(([key, value]) => value !== undefined && (exact.has(key) || prefixes.some((prefix) => key.startsWith(prefix))))
+        .sort(([left], [right]) => left.localeCompare(right))
+        .map(([key, value]) => [key, value ?? ""]));
+}
+function agentPaths(health) {
+    return {
+        codex: { label: health.codexCli, path: health.codexCliPath, version: health.codexCliVersion },
+        pi: { label: health.piCli, path: health.piCliPath, version: health.piCliVersion },
+        hermes: { label: health.hermesCli, path: health.hermesCliPath, version: health.hermesCliVersion },
+        openclaw: { label: health.openClawCli, path: health.openClawCliPath, version: health.openClawCliVersion },
+        "claude-code": { label: health.claudeCodeCli, path: health.claudeCodeCliPath, version: health.claudeCodeCliVersion },
+    };
+}
+function systemInfo() {
+    const npm = resolveNpmSpawnCommand();
+    return {
+        os: {
+            platform: os.platform(),
+            release: os.release(),
+            arch: os.arch(),
+            type: os.type(),
+            homedir: os.homedir(),
+            tmpdir: os.tmpdir(),
+            cpus: os.cpus().length,
+            totalMemoryBytes: os.totalmem(),
+            freeMemoryBytes: os.freemem(),
+            uptimeSeconds: os.uptime(),
+        },
+        node: {
+            executable: process.execPath,
+            version: process.version,
+            versions: process.versions,
+            argv: process.argv,
+            cwd: process.cwd(),
+            pid: process.pid,
+            uptimeSeconds: process.uptime(),
+        },
+        npm: npm ? {
+            command: npm.display,
+            version: detectNpmVersion(npm),
+        } : {
+            command: null,
+            version: null,
+            error: "npm not found",
+        },
+    };
+}
+function detectNpmVersion(npm) {
+    const result = spawnSync(npm.command, [...npm.argsPrefix, "--version"], {
+        encoding: "utf8",
+        shell: npm.shell,
+        timeout: 3000,
+        windowsHide: true,
+    });
+    if (result.error || result.status !== 0) {
+        return null;
+    }
+    return String(result.stdout || "").trim() || null;
+}
+function formatTimestamp(date) {
+    return [
+        date.getFullYear(),
+        pad2(date.getMonth() + 1),
+        pad2(date.getDate()),
+        "-",
+        pad2(date.getHours()),
+        pad2(date.getMinutes()),
+        pad2(date.getSeconds()),
+    ].join("");
+}
+function pad2(value) {
+    return String(value).padStart(2, "0");
+}

package/dist/telegram-access-commands.js

@@ -0,0 +1,123 @@
+import { consumeRateLimit, resetRateLimit } from "./bot-rendering.js";
+import { friendlyErrorText } from "./error-messages.js";
+import { escapeHTML } from "./format.js";
+import { safeReply } from "./telegram-output.js";
+export function registerTelegramAccessCommands(deps) {
+    const { bot, userStore, contextUsers, linkAttempts, audit, getUserRole } = deps;
+    bot.command("link", async (ctx) => {
+        if (ctx.chat?.type !== "private") {
+            await safeReply(ctx, escapeHTML("Use /link in a private chat with the bot."), {
+                fallbackText: "Use /link in a private chat with the bot.",
+            });
+            return;
+        }
+        const code = (ctx.message?.text ?? "").replace(/^\/link(?:@\w+)?\s*/i, "").trim();
+        if (!code) {
+            await safeReply(ctx, escapeHTML("Send /link <code> after creating a Telegram link code in the WebUI or CLI."), {
+                fallbackText: "Send /link <code> after creating a Telegram link code in the WebUI or CLI.",
+            });
+            return;
+        }
+        if (!ctx.from?.id) {
+            return;
+        }
+        const limitKey = String(ctx.from.id);
+        const limited = consumeRateLimit(linkAttempts, limitKey, 5, 15 * 60 * 1000, 15 * 60 * 1000);
+        if (limited.limited) {
+            const seconds = Math.ceil((limited.retryAfterMs ?? 0) / 1000);
+            audit({
+                action: "auth_login_failed",
+                status: "denied",
+                contextKey: String(ctx.chat.id),
+                actorId: ctx.from.id,
+                description: "Telegram link rate limited",
+                detail: `${seconds}s retry-after`,
+            });
+            await safeReply(ctx, escapeHTML(`Too many link attempts. Try again in ${seconds}s.`), {
+                fallbackText: `Too many link attempts. Try again in ${seconds}s.`,
+            });
+            return;
+        }
+        try {
+            const linked = userStore.consumeTelegramLinkCode(code, {
+                telegramUserId: ctx.from.id,
+                username: ctx.from.username,
+                firstName: ctx.from.first_name,
+                lastName: ctx.from.last_name,
+            });
+            resetRateLimit(linkAttempts, limitKey);
+            contextUsers.set(ctx, linked);
+            audit({
+                action: "telegram_linked",
+                status: "ok",
+                contextKey: String(ctx.chat.id),
+                actorId: ctx.from.id,
+                actorRole: linked.groups.map((group) => group.name).join(", "),
+                description: `Linked ${linked.user.email}`,
+            });
+            await safeReply(ctx, escapeHTML(`Linked Telegram account to ${linked.user.email}.`), {
+                fallbackText: `Linked Telegram account to ${linked.user.email}.`,
+            });
+        }
+        catch (error) {
+            const message = friendlyErrorText(error);
+            audit({
+                action: "auth_login_failed",
+                status: "failed",
+                contextKey: String(ctx.chat.id),
+                actorId: ctx.from.id,
+                description: "Telegram link failed",
+                detail: message,
+            });
+            await safeReply(ctx, `<b>Link failed:</b> ${escapeHTML(message)}`, { fallbackText: `Link failed: ${message}` });
+        }
+    });
+    bot.command("whoami", async (ctx) => {
+        const authUser = contextUsers.get(ctx);
+        if (!authUser) {
+            await safeReply(ctx, escapeHTML("Not linked."), { fallbackText: "Not linked." });
+            return;
+        }
+        const text = [
+            `User: ${authUser.user.displayName} <${authUser.user.email}>`,
+            `Groups: ${authUser.groups.map((group) => group.name).join(", ") || "-"}`,
+            `Permissions: ${authUser.permissions.join(", ") || "-"}`,
+        ].join("\n");
+        await safeReply(ctx, `<b>User:</b> ${escapeHTML(authUser.user.displayName)}\n<b>Email:</b> <code>${escapeHTML(authUser.user.email)}</code>\n<b>Groups:</b> <code>${escapeHTML(authUser.groups.map((group) => group.name).join(", ") || "-")}</code>`, {
+            fallbackText: text,
+        });
+    });
+    bot.command("register_chat", async (ctx) => {
+        const authUser = contextUsers.get(ctx);
+        if (!authUser || !userStore.hasPermission(authUser, "users.write")) {
+            await safeReply(ctx, escapeHTML("Access denied: users.write permission required."), {
+                fallbackText: "Access denied: users.write permission required.",
+            });
+            return;
+        }
+        if (!ctx.chat?.id || ctx.chat.type === "private") {
+            await safeReply(ctx, escapeHTML("Run /register_chat inside a Telegram group or supergroup."), {
+                fallbackText: "Run /register_chat inside a Telegram group or supergroup.",
+            });
+            return;
+        }
+        const chat = userStore.registerTelegramChat({
+            chatId: ctx.chat.id,
+            title: "title" in ctx.chat ? ctx.chat.title : undefined,
+            type: ctx.chat.type,
+            enabled: true,
+            allowedGroupIds: [],
+        });
+        audit({
+            action: "telegram_chat_updated",
+            status: "ok",
+            contextKey: String(ctx.chat.id),
+            actorId: ctx.from?.id,
+            actorRole: getUserRole(ctx),
+            description: `Registered Telegram chat ${chat.chatId}`,
+        });
+        await safeReply(ctx, escapeHTML(`Telegram chat enabled for NordRelay.\nChat ID: ${chat.chatId}`), {
+            fallbackText: `Telegram chat enabled for NordRelay.\nChat ID: ${chat.chatId}`,
+        });
+    });
+}

package/dist/telegram-access-middleware.js

@@ -0,0 +1,129 @@
+import { permissionForCallbackData, permissionForCommand } from "./access-control.js";
+import { extractCommandName } from "./bot-rendering.js";
+import { escapeHTML } from "./format.js";
+import { safeReply } from "./telegram-output.js";
+import { UserStore } from "./user-management.js";
+export function createTelegramAccessMiddleware(options) {
+    const { userStore, contextUsers, audit } = options;
+    return async (ctx, next) => {
+        const fromId = ctx.from?.id;
+        const chatId = ctx.chat?.id;
+        const chatType = ctx.chat?.type;
+        const commandName = ctx.message?.text?.startsWith("/") ? extractCommandName(ctx.message.text) : undefined;
+        if (commandName === "link") {
+            await next();
+            return;
+        }
+        if (!userStore.hasAdminUser()) {
+            const message = "NordRelay has no admin user yet. Run `nordrelay user create-admin` on the host.";
+            if (ctx.callbackQuery) {
+                await ctx.answerCallbackQuery({ text: "No admin user configured" }).catch(() => { });
+            }
+            else if (ctx.chat) {
+                await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+            }
+            return;
+        }
+        const authUser = userStore.resolveTelegramUser(fromId);
+        if (!authUser) {
+            const message = "Unauthorized. Link this Telegram account to a NordRelay user first.";
+            audit({
+                action: "permission_denied",
+                status: "denied",
+                contextKey: typeof chatId === "number" ? String(chatId) : "telegram",
+                actorId: fromId,
+                description: "Telegram account is not linked",
+            });
+            if (ctx.callbackQuery) {
+                await ctx.answerCallbackQuery({ text: "Unauthorized" }).catch(() => { });
+            }
+            else if (ctx.chat?.type === "private") {
+                await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+            }
+            return;
+        }
+        contextUsers.set(ctx, authUser);
+        const chatAllowed = userStore.isTelegramChatAllowed(typeof chatId === "number" ? chatId : undefined, chatType, authUser);
+        if (!chatAllowed && commandName !== "register_chat") {
+            const message = "This Telegram chat is not enabled for NordRelay. An admin can run /register_chat in this chat.";
+            audit({
+                action: "permission_denied",
+                status: "denied",
+                contextKey: typeof chatId === "number" ? String(chatId) : "telegram",
+                actorId: fromId,
+                actorRole: getUserRole(contextUsers, ctx),
+                description: "Telegram chat is not enabled or outside user scope",
+            });
+            if (ctx.callbackQuery) {
+                await ctx.answerCallbackQuery({ text: "Chat not enabled" }).catch(() => { });
+            }
+            else if (ctx.chat?.type === "private") {
+                await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+            }
+            return;
+        }
+        const permission = getRequiredPermission(ctx);
+        if (!permission) {
+            const message = "Unsupported command or action.";
+            audit({
+                action: "permission_denied",
+                status: "denied",
+                contextKey: typeof chatId === "number" ? String(chatId) : "telegram",
+                actorId: fromId,
+                actorRole: getUserRole(contextUsers, ctx),
+                description: commandName ? `Unsupported command /${commandName}` : "Unsupported callback",
+            });
+            if (ctx.callbackQuery) {
+                await ctx.answerCallbackQuery({ text: message }).catch(() => { });
+            }
+            else {
+                await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+            }
+            return;
+        }
+        if (!userStore.hasPermission(authUser, permission)) {
+            const message = `Access denied: ${permission} permission required.`;
+            audit({
+                action: "permission_denied",
+                status: "denied",
+                contextKey: typeof chatId === "number" ? String(chatId) : "telegram",
+                actorId: fromId,
+                actorRole: getUserRole(contextUsers, ctx),
+                description: `${permission} required`,
+            });
+            if (ctx.callbackQuery) {
+                await ctx.answerCallbackQuery({ text: message }).catch(() => { });
+            }
+            else {
+                await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+            }
+            return;
+        }
+        await next();
+    };
+}
+function getUserRole(contextUsers, ctx) {
+    const authUser = contextUsers.get(ctx);
+    return authUser?.groups.map((group) => group.name).join(", ") || "unauthenticated";
+}
+function getRequiredPermission(ctx) {
+    if (ctx.callbackQuery?.data) {
+        return permissionForCallbackData(ctx.callbackQuery.data);
+    }
+    if (ctx.message?.voice || ctx.message?.audio || ctx.message?.photo || ctx.message?.document) {
+        return "files.write";
+    }
+    const text = ctx.message?.text?.trim();
+    if (!text) {
+        return "inspect";
+    }
+    if (!text.startsWith("/")) {
+        return "prompt.send";
+    }
+    const command = extractCommandName(text);
+    if (command === "queue") {
+        const argument = text.replace(/^\/queue(?:@\w+)?\s*/i, "").trim();
+        return argument ? "queue.write" : "queue.read";
+    }
+    return permissionForCommand(command);
+}