@nordbyte/nordrelay 0.5.0 → 0.5.1

package/dist/web-dashboard.js

@@ -1,4 +1,3 @@
-import { createReadStream } from "node:fs";
 import { createServer } from "node:http";
 import os from "node:os";
 import path from "node:path";
@@ -8,17 +7,20 @@ import { listAgentAdapterDescriptors } from "./agent-adapter.js";
 import { isAgentId } from "./agent.js";
 import { AuditLogStore } from "./audit-log.js";
 import { listChannelDescriptors } from "./channel-adapter.js";
-import { ALL_PERMISSIONS, permissionForWebRequest } from "./access-control.js";
+import { permissionForWebRequest } from "./access-control.js";
 import { loadConfig } from "./config.js";
 import { friendlyErrorText } from "./error-messages.js";
-import { escapeHTML } from "./format.js";
 import { RelayRuntime } from "./relay-runtime.js";
 import { resolveDashboardEnvPath, SettingsService } from "./settings-service.js";
-import { UserStore, publicUser, publicUserSnapshot } from "./user-management.js";
+import { UserStore, publicUser } from "./user-management.js";
+import { handleDashboardAccessRoute } from "./web-dashboard-access-routes.js";
+import { handleDashboardArtifactRoute } from "./web-dashboard-artifact-routes.js";
 import { dashboardCss, dashboardJs } from "./web-dashboard-assets.js";
-import { renderDashboardNav } from "./web-dashboard-ui.js";
+import { objectRecord, optionalStringField, parseCookies, readJsonBody, sendJson, sendText, } from "./web-dashboard-http.js";
+import { renderDashboardApp, renderLoginPage } from "./web-dashboard-pages.js";
+import { handleDashboardRuntimeRoute } from "./web-dashboard-runtime-routes.js";
+import { handleDashboardSessionRoute } from "./web-dashboard-session-routes.js";
 const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
-const JSON_HEADERS = { "content-type": "application/json; charset=utf-8", "cache-control": "no-store" };
 const options = parseOptions(process.argv.slice(2));
 const config = loadConfig();
 const runtime = new RelayRuntime(config);
@@ -122,6 +124,18 @@ async function handleApi(req, res, url, authUser) {
         sendJson(res, 403, { error: `Access denied: ${permission} permission required.` });
         return;
     }
+    if (await handleDashboardRuntimeRoute(req, res, url, {
+        runtime,
+        users,
+        authUser,
+        parseAgentIdRequired,
+        assertScopedAgent,
+        assertAgentUpdateJobScope,
+        assertCurrentSessionScope,
+        scopedTasks,
+    })) {
+        return;
+    }
     if (req.method === "GET" && url.pathname === "/api/bootstrap") {
         await assertCurrentSessionScope(authUser);
         sendJson(res, 200, {
@@ -140,256 +154,12 @@ async function handleApi(req, res, url, authUser) {
         sendJson(res, 200, scopedControlOptions(authUser, await runtime.controlOptions(agentId)));
         return;
     }
-    if (req.method === "GET" && url.pathname === "/api/health") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.status());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/version") {
-        sendJson(res, 200, await runtime.version());
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/update") {
-        sendJson(res, 202, runtime.updateConnector());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/agent-updates") {
-        sendJson(res, 200, { jobs: runtime.agentUpdateJobs().filter((job) => users.canUseAgent(authUser, job.agentId)) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/agent-update") {
-        const body = await readJsonBody(req);
-        const agentId = parseAgentIdRequired(stringField(body, "agentId"));
-        assertScopedAgent(authUser, agentId);
-        sendJson(res, 202, { job: runtime.startAgentUpdate(agentId) });
-        return;
-    }
-    const agentUpdateLogMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/log$/);
-    if (req.method === "GET" && agentUpdateLogMatch?.[1]) {
-        const id = decodeURIComponent(agentUpdateLogMatch[1]);
-        assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, runtime.agentUpdateLog(id));
-        return;
-    }
-    if (req.method === "DELETE" && agentUpdateLogMatch?.[1]) {
-        const id = decodeURIComponent(agentUpdateLogMatch[1]);
-        assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { deletedId: id, job: runtime.deleteAgentUpdateLog(id) });
-        return;
-    }
-    const agentUpdateInputMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/input$/);
-    if (req.method === "POST" && agentUpdateInputMatch?.[1]) {
-        const body = await readJsonBody(req);
-        const id = decodeURIComponent(agentUpdateInputMatch[1]);
-        assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { job: runtime.sendAgentUpdateInput(id, stringField(body, "input")) });
-        return;
-    }
-    const agentUpdateCancelMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/cancel$/);
-    if (req.method === "POST" && agentUpdateCancelMatch?.[1]) {
-        const id = decodeURIComponent(agentUpdateCancelMatch[1]);
-        assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { job: runtime.cancelAgentUpdate(id) });
-        return;
-    }
-    if (req.method === "GET" && (url.pathname === "/api/tasks" || url.pathname === "/api/progress")) {
-        sendJson(res, 200, await scopedTasks(authUser, runtime.tasks()));
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/adapters/health") {
-        sendJson(res, 200, { adapters: (await runtime.adapterHealth()).filter((adapter) => users.canUseAgent(authUser, adapter.id)) });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/permissions") {
-        sendJson(res, 200, { ...publicUserSnapshot(users.snapshot()), permissions: ALL_PERMISSIONS });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/users") {
-        sendJson(res, 200, { ...publicUserSnapshot(users.snapshot()), permissions: ALL_PERMISSIONS });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/users") {
-        const body = await readJsonBody(req);
-        const user = users.createUser({
-            email: stringField(body, "email"),
-            displayName: optionalStringField(body, "displayName") ?? stringField(body, "email"),
-            password: stringField(body, "password"),
-            groupIds: arrayStringField(body, "groupIds"),
-            active: optionalBooleanField(body, "active") ?? true,
-            telegramUserId: optionalNumberField(body, "telegramUserId"),
-        });
-        auditUserAction(authUser, "user_created", user.user.email);
-        sendJson(res, 201, { user: publicUser(user.user), groups: user.groups });
-        return;
-    }
-    const userMatch = url.pathname.match(/^\/api\/users\/([^/]+)$/);
-    if (userMatch?.[1] && req.method === "PATCH") {
-        const body = await readJsonBody(req);
-        const user = users.updateUser(decodeURIComponent(userMatch[1]), {
-            email: optionalStringField(body, "email"),
-            displayName: optionalStringField(body, "displayName"),
-            active: optionalBooleanField(body, "active"),
-            groupIds: body.groupIds === undefined ? undefined : arrayStringField(body, "groupIds"),
-        });
-        auditUserAction(authUser, "user_updated", user.user.email);
-        sendJson(res, 200, { user: publicUser(user.user), groups: user.groups });
-        return;
-    }
-    const passwordMatch = url.pathname.match(/^\/api\/users\/([^/]+)\/password$/);
-    if (passwordMatch?.[1] && req.method === "POST") {
-        const body = await readJsonBody(req);
-        const userId = decodeURIComponent(passwordMatch[1]);
-        users.setPassword(userId, stringField(body, "password"));
-        auditUserAction(authUser, "user_password_changed", userId);
-        sendJson(res, 200, { ok: true });
-        return;
-    }
-    const userSessionsMatch = url.pathname.match(/^\/api\/users\/([^/]+)\/sessions$/);
-    if (userSessionsMatch?.[1] && req.method === "GET") {
-        sendJson(res, 200, { sessions: users.listWebSessions(decodeURIComponent(userSessionsMatch[1])) });
-        return;
-    }
-    if (userSessionsMatch?.[1] && req.method === "DELETE") {
-        const userId = decodeURIComponent(userSessionsMatch[1]);
-        const revoked = users.revokeUserSessions(userId);
-        auditUserAction(authUser, "user_session_revoked", `${userId}: ${revoked} sessions`);
-        sendJson(res, 200, { revoked });
-        return;
-    }
-    const userSessionMatch = url.pathname.match(/^\/api\/users\/[^/]+\/sessions\/([^/]+)$/);
-    if (userSessionMatch?.[1] && req.method === "DELETE") {
-        const sessionId = decodeURIComponent(userSessionMatch[1]);
-        const revoked = users.revokeWebSession(sessionId);
-        auditUserAction(authUser, "user_session_revoked", sessionId);
-        sendJson(res, 200, { revoked });
-        return;
-    }
-    const telegramLinkMatch = url.pathname.match(/^\/api\/users\/([^/]+)\/telegram$/);
-    if (telegramLinkMatch?.[1] && req.method === "POST") {
-        const body = await readJsonBody(req);
-        if (body.createCode === true) {
-            const userId = decodeURIComponent(telegramLinkMatch[1]);
-            const linkCode = users.createTelegramLinkCode(userId);
-            auditUserAction(authUser, "telegram_link_created", userId);
-            sendJson(res, 201, { linkCode });
-            return;
-        }
-        const identity = users.linkTelegramUser(decodeURIComponent(telegramLinkMatch[1]), {
-            telegramUserId: numberField(body, "telegramUserId"),
-            username: optionalStringField(body, "username"),
-        });
-        auditUserAction(authUser, "telegram_linked", String(identity.telegramUserId));
-        sendJson(res, 201, { identity });
-        return;
-    }
-    const telegramUnlinkMatch = url.pathname.match(/^\/api\/users\/[^/]+\/telegram\/([^/]+)$/);
-    if (telegramUnlinkMatch?.[1] && req.method === "DELETE") {
-        const identityId = decodeURIComponent(telegramUnlinkMatch[1]);
-        const removed = users.unlinkTelegramIdentity(identityId);
-        auditUserAction(authUser, "telegram_unlinked", identityId);
-        sendJson(res, 200, { removed });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/groups") {
-        sendJson(res, 200, { groups: users.listGroups() });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/groups") {
-        const body = await readJsonBody(req);
-        const group = users.createGroup({
-            name: stringField(body, "name"),
-            description: optionalStringField(body, "description"),
-            permissions: arrayStringField(body, "permissions"),
-            agentIds: arrayStringField(body, "agentIds"),
-            workspaceRoots: arrayStringField(body, "workspaceRoots"),
-            telegramChatIds: arrayNumberField(body, "telegramChatIds"),
-        });
-        auditUserAction(authUser, "group_created", group.id);
-        sendJson(res, 201, { group });
-        return;
-    }
-    const groupMatch = url.pathname.match(/^\/api\/groups\/([^/]+)$/);
-    if (groupMatch?.[1] && req.method === "PATCH") {
-        const body = await readJsonBody(req);
-        const group = users.updateGroup(decodeURIComponent(groupMatch[1]), {
-            name: optionalStringField(body, "name"),
-            description: optionalStringField(body, "description"),
-            permissions: body.permissions === undefined ? undefined : arrayStringField(body, "permissions"),
-            agentIds: body.agentIds === undefined ? undefined : arrayStringField(body, "agentIds"),
-            workspaceRoots: body.workspaceRoots === undefined ? undefined : arrayStringField(body, "workspaceRoots"),
-            telegramChatIds: body.telegramChatIds === undefined ? undefined : arrayNumberField(body, "telegramChatIds"),
-        });
-        auditUserAction(authUser, "group_updated", group.id);
-        sendJson(res, 200, { group });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/telegram-chats") {
-        sendJson(res, 200, { chats: users.snapshot().telegramChats });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/telegram-chats") {
-        const body = await readJsonBody(req);
-        const chat = users.registerTelegramChat({
-            chatId: numberField(body, "chatId"),
-            title: optionalStringField(body, "title"),
-            type: optionalStringField(body, "type"),
-            enabled: optionalBooleanField(body, "enabled") ?? true,
-            allowedGroupIds: arrayStringField(body, "allowedGroupIds"),
-        });
-        auditUserAction(authUser, "telegram_chat_updated", String(chat.chatId));
-        sendJson(res, 201, { chat });
-        return;
-    }
-    const chatMatch = url.pathname.match(/^\/api\/telegram-chats\/([^/]+)$/);
-    if (chatMatch?.[1] && req.method === "PATCH") {
-        const body = await readJsonBody(req);
-        const chat = users.updateTelegramChat(decodeURIComponent(chatMatch[1]), {
-            enabled: optionalBooleanField(body, "enabled"),
-            title: optionalStringField(body, "title"),
-            allowedGroupIds: body.allowedGroupIds === undefined ? undefined : arrayStringField(body, "allowedGroupIds"),
-        });
-        auditUserAction(authUser, "telegram_chat_updated", String(chat.chatId));
-        sendJson(res, 200, { chat });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/audit") {
-        sendJson(res, 200, { events: runtime.audit(numberParam(url, "limit", 50)) });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/locks") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { locks: runtime.locks() });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/locks") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { lock: runtime.lockWebSession(optionalStringField(body, "ownerName")), locks: runtime.locks() });
-        return;
-    }
-    if (req.method === "DELETE" && url.pathname === "/api/locks") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, runtime.unlockWebSession());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/auth/status") {
-        const agentId = parseAgentId(url.searchParams.get("agent") ?? undefined);
-        assertScopedAgent(authUser, agentId);
-        sendJson(res, 200, await runtime.authStatus(agentId));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/auth/login") {
-        const body = await readJsonBody(req);
-        const agentId = parseAgentId(optionalStringField(body, "agentId"));
-        assertScopedAgent(authUser, agentId);
-        sendJson(res, 200, await runtime.login(agentId));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/auth/logout") {
-        const body = await readJsonBody(req);
-        const agentId = parseAgentId(optionalStringField(body, "agentId"));
-        assertScopedAgent(authUser, agentId);
-        sendJson(res, 200, await runtime.logout(agentId));
+    if (await handleDashboardAccessRoute(req, res, url, {
+        users,
+        runtime,
+        authUser,
+        auditUserAction,
+    })) {
         return;
     }
     if (req.method === "GET" && url.pathname === "/api/settings") {
@@ -401,249 +171,25 @@ async function handleApi(req, res, url, authUser) {
         sendJson(res, 200, await settings.update(objectRecord(body?.settings)));
         return;
     }
-    if (req.method === "GET" && url.pathname === "/api/snapshot") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.snapshot());
+    if (await handleDashboardSessionRoute(req, res, url, {
+        runtime,
+        authUser,
+        parseAgentId,
+        assertScopedAgent,
+        assertScopedWorkspace,
+        assertCurrentSessionScope,
+        assertSessionScope,
+        assertSessionDetailScope,
+        scopedSessionPage,
+        filterActivityByScope,
+    })) {
         return;
     }
-    if (req.method === "GET" && url.pathname === "/api/sessions") {
-        const agentId = parseAgentId(url.searchParams.get("agent") ?? undefined);
-        if (agentId) {
-            assertScopedAgent(authUser, agentId);
-        }
-        else {
-            await assertCurrentSessionScope(authUser);
-        }
-        const page = await runtime.listSessionsPage(numberParam(url, "page", 1), numberParam(url, "limit", 50), url.searchParams.get("query") ?? "", agentId);
-        sendJson(res, 200, scopedSessionPage(authUser, page));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/agent") {
-        const body = await readJsonBody(req);
-        const agentId = stringField(body, "agentId");
-        if (!isAgentId(agentId)) {
-            throw new Error(`Invalid agent: ${agentId}`);
-        }
-        assertScopedAgent(authUser, agentId);
-        sendJson(res, 200, { session: await runtime.setAgent(agentId) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/sessions/new") {
-        const body = await readJsonBody(req);
-        const agentId = parseAgentId(optionalStringField(body, "agentId"));
-        const workspace = optionalStringField(body, "workspace");
-        assertScopedAgent(authUser, agentId);
-        assertScopedWorkspace(authUser, workspace);
-        sendJson(res, 200, {
-            session: await runtime.newSession({
-                agentId,
-                workspace,
-                model: optionalStringField(body, "model"),
-                reasoningEffort: optionalStringField(body, "reasoningEffort"),
-                launchProfileId: optionalStringField(body, "launchProfileId"),
-                fastMode: optionalBooleanField(body, "fastMode"),
-            }),
-        });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/sessions/switch") {
-        const body = await readJsonBody(req);
-        const threadId = stringField(body, "threadId");
-        const detail = await runtime.sessionDetail(threadId);
-        if (detail.record && typeof detail.record === "object") {
-            assertSessionScope(authUser, detail.record);
-        }
-        const session = await runtime.switchSession(threadId);
-        assertSessionScope(authUser, session);
-        sendJson(res, 200, { session });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/sessions/attach") {
-        const body = await readJsonBody(req);
-        const session = await runtime.attachSession(stringField(body, "threadId"));
-        assertSessionScope(authUser, session);
-        sendJson(res, 200, { session });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/sessions/detail") {
-        const threadId = requiredSearch(url, "threadId");
-        const detail = await runtime.sessionDetail(threadId);
-        assertSessionDetailScope(authUser, threadId, detail);
-        sendJson(res, 200, detail);
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/models") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { models: await runtime.listModels() });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/session/model") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { session: await runtime.setModel(stringField(body, "model")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/session/reasoning") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { session: await runtime.setReasoningEffort(stringField(body, "reasoning")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/session/fast") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { session: await runtime.setFastMode(Boolean(body?.enabled)) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/session/launch") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { session: await runtime.setLaunchProfile(stringField(body, "profileId")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/prompt") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 202, await runtime.sendPrompt(stringField(body, "text")));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/prompt/upload") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 202, await runtime.sendUploadPrompt({
-            text: optionalStringField(body, "text"),
-            files: parseUploadFiles(body.files),
-        }));
-        return;
-    }
-    if (req.method === "POST" && (url.pathname === "/api/abort" || url.pathname === "/api/stop")) {
-        await assertCurrentSessionScope(authUser);
-        await runtime.abort();
-        sendJson(res, 200, { ok: true });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/handback") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.handback());
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/retry") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 202, await runtime.retry());
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/sync") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.sync());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/queue") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { queue: runtime.queue(), paused: runtime.queuePaused() });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/queue") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { queue: runtime.queueAction(stringField(body, "action"), optionalStringField(body, "id")), paused: runtime.queuePaused() });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/chat/history") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { messages: await runtime.chatHistory(numberParam(url, "limit", 200)) });
-        return;
-    }
-    if (req.method === "DELETE" && url.pathname === "/api/chat/history") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.clearChatHistory());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/activity") {
-        sendJson(res, 200, {
-            events: filterActivityByScope(authUser, runtime.activity({
-                limit: numberParam(url, "limit", 100),
-                source: (url.searchParams.get("source") || "all"),
-                status: (url.searchParams.get("status") || "all"),
-            })),
-        });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/artifacts") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { reports: await runtime.artifacts() });
-        return;
-    }
-    if (req.method === "DELETE" && url.pathname === "/api/artifacts") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { removed: await runtime.deleteArtifact(requiredSearch(url, "turnId")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/artifacts/bulk") {
-        const body = await readJsonBody(req);
-        await assertCurrentSessionScope(authUser);
-        const action = stringField(body, "action");
-        const turnIds = Array.isArray(body.turnIds) ? body.turnIds.filter((item) => typeof item === "string") : [];
-        if (action !== "delete") {
-            throw new Error("Unsupported artifact bulk action.");
-        }
-        const removed = [];
-        for (const turnId of turnIds) {
-            if (await runtime.deleteArtifact(turnId)) {
-                removed.push(turnId);
-            }
-        }
-        sendJson(res, 200, { removed });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/artifacts/zip") {
-        await assertCurrentSessionScope(authUser);
-        const bundle = await runtime.createArtifactZip(requiredSearch(url, "turnId"));
-        if (!bundle) {
-            sendJson(res, 404, { error: "Artifact turn not found or ZIP could not be created" });
-            return;
-        }
-        sendFile(res, bundle.path, bundle.name);
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/artifacts/file") {
-        await assertCurrentSessionScope(authUser);
-        const turnId = requiredSearch(url, "turnId");
-        const relativePath = requiredSearch(url, "path");
-        const report = await runtime.artifact(turnId);
-        const artifact = report?.artifacts.find((candidate) => candidate.relativePath === relativePath);
-        if (!artifact) {
-            sendJson(res, 404, { error: "Artifact not found" });
-            return;
-        }
-        sendFile(res, artifact.localPath, artifact.name);
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/artifacts/preview") {
-        await assertCurrentSessionScope(authUser);
-        const preview = await runtime.artifactPreview(requiredSearch(url, "turnId"), requiredSearch(url, "path"));
-        if (!preview) {
-            sendJson(res, 404, { error: "Artifact not found" });
-            return;
-        }
-        sendJson(res, 200, preview);
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/logs") {
-        sendJson(res, 200, await runtime.logs(parseLogTarget(url.searchParams.get("target") ?? undefined), numberParam(url, "lines", 120)));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/logs/clear") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, runtime.clearLogs(parseLogTarget(optionalStringField(body, "target"))));
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/diagnostics") {
-        await assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.diagnostics());
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/runtime/restart") {
-        sendJson(res, 202, runtime.restartConnector());
+    if (await handleDashboardArtifactRoute(req, res, url, {
+        runtime,
+        authUser,
+        assertCurrentSessionScope,
+    })) {
         return;
     }
     sendJson(res, 404, { error: "Unknown endpoint" });
@@ -940,96 +486,6 @@ function consumeRateLimit(buckets, key, limit, windowMs, blockMs) {
 function resetRateLimit(buckets, key) {
     buckets.delete(key);
 }
-function parseCookies(cookieHeader) {
-    const cookies = {};
-    for (const part of cookieHeader.split(";")) {
-        const [key, ...valueParts] = part.trim().split("=");
-        if (key)
-            cookies[key] = decodeURIComponent(valueParts.join("=") ?? "");
-    }
-    return cookies;
-}
-async function readJsonBody(req) {
-    const chunks = [];
-    for await (const chunk of req) {
-        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
-    }
-    const text = Buffer.concat(chunks).toString("utf8").trim();
-    if (!text) {
-        return {};
-    }
-    return JSON.parse(text);
-}
-function sendJson(res, status, value) {
-    res.writeHead(status, JSON_HEADERS);
-    res.end(`${JSON.stringify(value)}\n`);
-}
-function sendText(res, status, text, contentType) {
-    res.writeHead(status, { "content-type": contentType, "cache-control": "no-store" });
-    res.end(text);
-}
-function sendFile(res, filePath, filename) {
-    res.writeHead(200, {
-        "content-type": "application/octet-stream",
-        "content-disposition": `attachment; filename="${filename.replace(/"/g, "")}"`,
-    });
-    createReadStream(filePath).pipe(res);
-}
-function stringField(value, key) {
-    const field = value[key];
-    if (typeof field !== "string" || !field.trim()) {
-        throw new Error(`${key} is required`);
-    }
-    return field.trim();
-}
-function optionalStringField(value, key) {
-    const field = value[key];
-    return typeof field === "string" && field.trim() ? field.trim() : undefined;
-}
-function optionalBooleanField(value, key) {
-    const field = value[key];
-    return typeof field === "boolean" ? field : undefined;
-}
-function numberField(value, key) {
-    const field = value[key];
-    const parsed = typeof field === "number" ? field : typeof field === "string" ? Number(field) : Number.NaN;
-    if (!Number.isInteger(parsed)) {
-        throw new Error(`${key} must be an integer`);
-    }
-    return parsed;
-}
-function optionalNumberField(value, key) {
-    if (value[key] === undefined || value[key] === "") {
-        return undefined;
-    }
-    return numberField(value, key);
-}
-function arrayStringField(value, key) {
-    const field = value[key];
-    if (field === undefined || field === null || field === "") {
-        return [];
-    }
-    if (Array.isArray(field)) {
-        return field.filter((item) => typeof item === "string");
-    }
-    if (typeof field === "string") {
-        return field.split(",").map((item) => item.trim()).filter(Boolean);
-    }
-    throw new Error(`${key} must be a string list`);
-}
-function arrayNumberField(value, key) {
-    const field = value[key];
-    if (field === undefined || field === null || field === "") {
-        return [];
-    }
-    if (Array.isArray(field)) {
-        return field.map((item) => typeof item === "number" ? item : Number(item)).filter((item) => Number.isInteger(item));
-    }
-    if (typeof field === "string") {
-        return field.split(",").map((item) => Number(item.trim())).filter((item) => Number.isInteger(item));
-    }
-    throw new Error(`${key} must be a number list`);
-}
 function parseAgentId(value) {
     if (!value) {
         return undefined;
@@ -1042,48 +498,6 @@ function parseAgentIdRequired(value) {
     }
     return value;
 }
-function parseLogTarget(value) {
-    return value === "update" || value === "agent-updates" ? value : "connector";
-}
-function objectRecord(value) {
-    if (!value || typeof value !== "object" || Array.isArray(value)) {
-        return {};
-    }
-    return value;
-}
-function parseUploadFiles(value) {
-    if (!Array.isArray(value)) {
-        return [];
-    }
-    return value.map((item, index) => {
-        if (!item || typeof item !== "object" || Array.isArray(item)) {
-            throw new Error(`files[${index}] must be an object`);
-        }
-        const record = item;
-        const name = typeof record.name === "string" && record.name.trim() ? record.name.trim() : `upload-${index + 1}`;
-        const mimeType = typeof record.mimeType === "string" ? record.mimeType.trim() : undefined;
-        const dataBase64 = typeof record.dataBase64 === "string" ? record.dataBase64 : "";
-        if (!dataBase64) {
-            throw new Error(`files[${index}].dataBase64 is required`);
-        }
-        return { name, mimeType, data: Buffer.from(stripDataUrlPrefix(dataBase64), "base64") };
-    });
-}
-function stripDataUrlPrefix(value) {
-    const comma = value.indexOf(",");
-    return value.startsWith("data:") && comma !== -1 ? value.slice(comma + 1) : value;
-}
-function numberParam(url, key, fallback) {
-    const value = Number(url.searchParams.get(key));
-    return Number.isFinite(value) && value > 0 ? Math.floor(value) : fallback;
-}
-function requiredSearch(url, key) {
-    const value = url.searchParams.get(key);
-    if (!value) {
-        throw new Error(`${key} is required`);
-    }
-    return value;
-}
 function optionalEnv(key) {
     const value = process.env[key]?.trim();
     return value || undefined;
@@ -1197,256 +611,3 @@ function shutdown() {
     runtime.dispose();
     server.close(() => process.exit(0));
 }
-function renderLoginPage(options) {
-    return `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>NordRelay Login</title>
-  <style>
-    body{margin:0;min-height:100vh;display:grid;place-items:center;background:#f4f5f2;color:#181c19;font-family:Inter,system-ui,-apple-system,Segoe UI,sans-serif}
-    form{width:min(420px,calc(100vw - 32px));background:white;border:1px solid #dfe3dc;border-radius:8px;padding:24px;box-shadow:0 20px 60px rgba(20,30,24,.08)}
-    h1{font-size:24px;margin:0 0 8px}
-    p{color:#5d665d;margin:0 0 18px}
-    label{display:block;font-size:13px;color:#4b544d;margin:14px 0 6px}
-    input{box-sizing:border-box;width:100%;height:40px;border:1px solid #cfd6ce;border-radius:6px;padding:0 10px;font:inherit}
-    button{margin-top:18px;width:100%;height:42px;border:0;border-radius:6px;background:#205c43;color:white;font-weight:650;cursor:pointer}
-    .error{color:#9b1c1c;min-height:22px;margin-top:12px}
-  </style>
-</head>
-<body>
-  <form id="login">
-    <h1>NordRelay Dashboard</h1>
-    <p>${options.adminConfigured ? "Sign in with your NordRelay user account." : "No admin user exists. Run nordrelay user create-admin on this host first."}</p>
-    <label>Email</label><input id="email" name="email" type="email" autocomplete="username" ${options.adminConfigured ? "" : "disabled"}>
-    <label>Password</label><input id="password" name="password" type="password" autocomplete="current-password" ${options.adminConfigured ? "" : "disabled"}>
-    <button ${options.adminConfigured ? "" : "disabled"}>Sign in</button>
-    <div class="error" id="error"></div>
-  </form>
-  <script>
-    document.getElementById('login').addEventListener('submit', async (event) => {
-      event.preventDefault();
-      const payload = {
-        email: document.getElementById('email')?.value || undefined,
-        password: document.getElementById('password')?.value || undefined,
-      };
-      const res = await fetch('/api/auth', { method:'POST', headers:{'content-type':'application/json'}, body: JSON.stringify(payload) });
-      if (!res.ok) {
-        document.getElementById('error').textContent = 'Invalid credentials';
-        return;
-      }
-      location.href = '/';
-    });
-  </script>
-</body>
-</html>`;
-}
-function renderDashboardApp() {
-    return `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>NordRelay Dashboard</title>
-  <script>document.documentElement.dataset.theme = localStorage.getItem('nordrelayTheme') || 'light';</script>
-  <link rel="stylesheet" href="/assets/dashboard.css">
-</head>
-<body>
-  <div class="app">
-    <aside class="sidebar" id="sidebar">
-      <div class="brand"><span class="mark">NR</span><div><strong>NordRelay</strong><small>Remote control</small></div></div>
-      <nav>
-        ${renderDashboardNav()}
-      </nav>
-    </aside>
-    <main>
-      <header>
-        <button class="menu" id="menuBtn">Menu</button>
-        <div>
-          <h1 id="pageTitle">Overview</h1>
-          <p id="sessionLine">Loading session...</p>
-        </div>
-        <div class="header-actions">
-          <span id="connectionStatus" class="badge">Connecting</span>
-          <select id="agentSelect"></select>
-          <button id="themeBtn" class="secondary" title="Toggle dark theme">Dark</button>
-          <button id="refreshBtn">Refresh</button>
-          <button id="logoutBtn" class="secondary">Logout</button>
-        </div>
-      </header>
-
-      <section class="page active" id="page-overview">
-        <div class="metrics" id="metrics"></div>
-        <div class="stack">
-          <div class="panel"><h2>Current Session</h2><pre id="sessionText"></pre></div>
-          <div class="overview-adapter-grid">
-            <div class="panel"><h2>Agent Adapters</h2><div id="agentAdapters"></div></div>
-            <div class="panel"><h2>Chat Adapters</h2><div id="chatAdapters"></div></div>
-          </div>
-        </div>
-      </section>
-
-      <section class="page" id="page-chat">
-        <div class="chat-layout">
-          <div class="panel chat-panel">
-            <div class="chat-toolbar">
-              <button id="newSessionBtn">New session</button>
-              <button id="retryBtn" class="secondary">Retry</button>
-              <button id="editLastBtn" class="secondary">Edit last</button>
-              <button id="syncBtn" class="secondary">Sync</button>
-              <button id="notifyBtn" class="secondary">Notify</button>
-              <button id="clearChatBtn" class="secondary">Clear history</button>
-              <button id="abortBtn">Abort</button>
-              <button id="handbackBtn">Handback</button>
-            </div>
-            <div class="control-grid" id="sessionControls"></div>
-            <div id="messages" class="messages"></div>
-            <form id="promptForm" class="composer">
-              <div class="composer-fields">
-                <textarea id="promptInput" placeholder="Send a message to the active coding agent..." rows="3"></textarea>
-                <div class="attachment-row">
-                  <label class="file-button" for="fileInput">Attach files</label>
-                  <input id="fileInput" type="file" multiple>
-                  <button type="button" id="recordBtn" class="secondary">Record voice</button>
-                  <span id="fileSummary">No files selected</span>
-                  <button type="button" id="clearFilesBtn" class="secondary">Clear</button>
-                </div>
-              </div>
-              <button>Send</button>
-            </form>
-          </div>
-          <div class="panel side-panel"><h2>Tools / Plan</h2><div id="toolStream" class="tool-stream"></div></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-tasks">
-        <div class="panel">
-          <div class="row"><button id="reloadTasksBtn">Reload tasks</button></div>
-          <div id="tasksList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-sessions">
-        <div class="panel">
-          <div class="sessions-toolbar">
-            <div class="row search-row"><input id="sessionSearch" placeholder="Search sessions"><button id="sessionSearchBtn">Search</button></div>
-            <div class="row attach-row"><input id="attachInput" placeholder="Thread ID to attach/switch"><button id="attachBtn">Attach</button></div>
-          </div>
-          <div id="sessionsList" class="list"></div>
-          <div id="sessionsPager" class="pager"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-queue">
-        <div class="panel">
-          <div class="row"><button data-queue="pause">Pause</button><button data-queue="resume">Resume</button><button data-queue="clear" class="danger">Clear</button><span id="queueStatus"></span></div>
-          <div id="queueList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-activity">
-        <div class="panel">
-          <div class="row"><select id="activitySource"><option value="all">All sources</option><option value="web">Web</option><option value="cli">CLI</option></select><select id="activityStatus"><option value="all">All statuses</option><option value="queued">Queued</option><option value="running">Running</option><option value="completed">Completed</option><option value="failed">Failed</option><option value="aborted">Aborted</option><option value="info">Info</option></select><input id="activitySince" type="datetime-local"><input id="activityLimit" type="number" value="100" min="1" max="500"><button id="loadActivityBtn">Load activity</button><button id="exportActivityBtn" class="secondary">Export</button></div>
-          <div id="activityList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-artifacts">
-        <div class="panel">
-          <div class="row"><button id="reloadArtifactsBtn">Reload artifacts</button><input id="artifactSearch" placeholder="Search artifacts"><select id="artifactKind"><option value="all">All files</option><option value="images">Images</option><option value="docs">Docs/code</option></select><button id="zipSelectedArtifactsBtn" class="secondary">ZIP selected</button><button id="deleteSelectedArtifactsBtn" class="danger">Delete selected</button></div>
-          <div id="artifactPreview" class="preview"></div>
-          <div id="artifactList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-adapters">
-        <div class="panel">
-          <div class="row"><button id="reloadAdaptersBtn">Reload adapters</button></div>
-          <div id="adapterHealth" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-access">
-        <div class="panel">
-          <div class="row"><button id="loadAccessBtn">Reload users</button><button id="createUserBtn">Create user</button><button id="createGroupBtn" class="secondary">Create group</button><button id="createChatBtn" class="secondary">Add Telegram chat</button><button id="lockSessionBtn" class="secondary">Lock web session</button><button id="unlockSessionBtn" class="secondary">Unlock web session</button></div>
-          <div id="accessPanel" class="settings-grid"></div>
-          <h2>Groups</h2>
-          <div id="groupsList" class="list"></div>
-          <h2>Telegram chats</h2>
-          <div id="telegramChatsList" class="list"></div>
-          <h2>Locks</h2>
-          <div id="locksList" class="list"></div>
-          <h2>Audit</h2>
-          <div class="row"><input id="auditLimit" type="number" value="50" min="1" max="200"><button id="loadAuditBtn">Load audit</button></div>
-          <div id="auditList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-version">
-        <div class="panel">
-          <div class="row version-actions"><button id="loadVersionBtn">Check versions</button><button id="updateBtn" class="secondary">Update NordRelay</button></div>
-          <div id="versionPanel" class="list"></div>
-          <h2 class="version-update-title">Agent update jobs</h2>
-          <div id="agentUpdateJobs" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-settings">
-        <div class="panel">
-          <div class="row"><button id="saveSettingsBtn">Save settings</button><button id="restartBtn" class="secondary">Restart NordRelay</button><span id="settingsStatus"></span></div>
-          <div id="settingsTabs" class="tabs"></div>
-          <div id="settingsForm" class="settings-grid"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-logs">
-        <div class="panel">
-          <div class="row"><select id="logTarget"><option value="connector">Connector</option><option value="update">NordRelay Update</option><option value="agent-updates">Agent Updates</option></select><select id="logLevel"><option value="all">All levels</option><option value="ERROR">Error</option><option value="WARN">Warn</option><option value="INFO">Info</option></select><input id="logSearch" placeholder="Search logs"><input id="logSince" type="datetime-local" title="Show entries after this time"><input id="logLines" type="number" value="120" min="1" max="300"><label class="checkbox"><input id="logAutoRefresh" type="checkbox"> Auto</label><label class="checkbox"><input id="logFollow" type="checkbox"> Follow</label><button id="loadLogsBtn">Load logs</button><button id="downloadLogsBtn" class="secondary">Download</button><button id="clearLogsBtn" class="danger">Clear</button></div>
-          <pre id="logs" class="log-view"></pre>
-        </div>
-      </section>
-
-      <section class="page" id="page-diagnostics">
-        <div class="panel"><div id="diagnostics" class="list"></div></div>
-      </section>
-
-      <footer>
-        <span id="footerVersion">NordRelay</span>
-        <span id="footerHealth">Health: loading</span>
-        <span id="footerUser">User: loading</span>
-      </footer>
-    </main>
-  </div>
-  <dialog id="newSessionDialog">
-    <form method="dialog" id="newSessionForm">
-      <h2>New Session</h2>
-      <div class="form-grid">
-        <label>Agent<select id="newAgent"></select></label>
-        <label>Workspace<input id="newWorkspace" list="workspaceOptions" placeholder="Current workspace"></label>
-        <label>Model<select id="newModel"></select></label>
-        <label id="newReasoningWrap">Reasoning<select id="newReasoning"></select></label>
-        <label id="newLaunchWrap">Launch profile<select id="newLaunch"></select></label>
-        <label id="newFastWrap" class="checkbox"><input id="newFast" type="checkbox"> Fast mode</label>
-      </div>
-      <datalist id="workspaceOptions"></datalist>
-      <div class="row dialog-actions"><button type="button" id="cancelSessionBtn" class="secondary">Cancel</button><button id="createSessionBtn" value="default">Create session</button></div>
-    </form>
-  </dialog>
-  <dialog id="sessionDetailDialog">
-    <div id="sessionDetail"></div>
-    <div class="row dialog-actions"><button id="closeSessionDetailBtn" class="secondary">Close</button></div>
-  </dialog>
-  <dialog id="adminDialog">
-    <form method="dialog" id="adminDialogForm">
-      <h2 id="adminDialogTitle">Edit</h2>
-      <div id="adminDialogBody" class="form-grid"></div>
-      <div class="row dialog-actions"><button type="button" id="adminDialogCancel" class="secondary">Cancel</button><button id="adminDialogSubmit" value="default">Save</button></div>
-    </form>
-  </dialog>
-  <div id="toolTooltip" class="tool-tooltip"></div>
-  <div id="toast"></div>
-  <script src="/assets/dashboard.js"></script>
-</body>
-</html>`;
-}