@nordbyte/nordrelay 0.5.0 → 0.5.1

package/dist/telegram-queue-commands.js

@@ -0,0 +1,278 @@
+import { InlineKeyboard } from "grammy";
+import { renderQueueListAction, renderQueuedPromptDetailAction, } from "./channel-actions.js";
+import { contextKeyFromCtx } from "./context-key.js";
+import { friendlyErrorText } from "./error-messages.js";
+import { escapeHTML } from "./format.js";
+import { PromptStore, toPromptEnvelope } from "./prompt-store.js";
+import { formatLocalDateTime } from "./bot-rendering.js";
+import { safeEditMessage, safeReply, } from "./telegram-output.js";
+export function queueCancelCallbackData(action, contextKey, queueId) {
+    return `queue_${action}:${contextKey}:${queueId}`;
+}
+export function createQueuedPromptCancelKeyboard(contextKey, queueId, label = "Cancel queued message") {
+    return new InlineKeyboard().text(label, queueCancelCallbackData("cancel", contextKey, queueId));
+}
+export function renderQueueList(promptStore, contextKey, queue) {
+    const paused = promptStore.isPaused(contextKey);
+    const rendered = renderQueueListAction(queue, paused);
+    if (queue.length === 0) {
+        return rendered;
+    }
+    const keyboard = new InlineKeyboard();
+    queue.forEach((item, index) => {
+        keyboard
+            .text(`Run ${index + 1}`, queueCancelCallbackData("run", contextKey, item.id))
+            .text("Top", queueCancelCallbackData("top", contextKey, item.id))
+            .text("Cancel", queueCancelCallbackData("remove", contextKey, item.id))
+            .row();
+        keyboard
+            .text("Up", queueCancelCallbackData("up", contextKey, item.id))
+            .text("Down", queueCancelCallbackData("down", contextKey, item.id))
+            .row();
+    });
+    return { ...rendered, keyboard };
+}
+export function registerTelegramQueueCommands(options) {
+    const { bot, promptStore } = options;
+    bot.command("queue", async (ctx) => {
+        const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
+        if (!contextSession) {
+            return;
+        }
+        const chatId = ctx.chat?.id;
+        const { contextKey, session } = contextSession;
+        const rawText = ctx.message?.text ?? "";
+        const argument = rawText.replace(/^\/queue(?:@\w+)?\s*/i, "").trim();
+        const laterMatch = argument.match(/^later\s+(\d+)(?:m|min|minutes?)?\s+([\s\S]+)$/i);
+        if (laterMatch) {
+            const minutes = Math.min(7 * 24 * 60, Math.max(1, Number(laterMatch[1])));
+            const text = laterMatch[2].trim();
+            const notBefore = Date.now() + minutes * 60 * 1000;
+            const item = promptStore.enqueue(contextKey, toPromptEnvelope(text), { notBefore });
+            const message = `Queued prompt ${item.id} for ${formatLocalDateTime(new Date(notBefore))}.`;
+            await safeReply(ctx, escapeHTML(message), {
+                fallbackText: message,
+                replyMarkup: createQueuedPromptCancelKeyboard(contextKey, item.id),
+            });
+            options.auditContext(ctx, contextKey, session, {
+                action: "prompt_queued",
+                status: "ok",
+                promptId: item.id,
+                description: item.description,
+                detail: "scheduled",
+            });
+            return;
+        }
+        const inspectMatch = argument.match(/^inspect\s+([a-z0-9]+)$/i);
+        if (inspectMatch) {
+            const item = promptStore.get(contextKey, inspectMatch[1]);
+            if (!item) {
+                await safeReply(ctx, escapeHTML(`No queued prompt found with id ${inspectMatch[1]}.`), {
+                    fallbackText: `No queued prompt found with id ${inspectMatch[1]}.`,
+                });
+                return;
+            }
+            const rendered = renderQueuedPromptDetailAction(item);
+            await safeReply(ctx, rendered.html, { fallbackText: rendered.plain });
+            return;
+        }
+        if (/^pause$/i.test(argument)) {
+            promptStore.pause(contextKey);
+            const message = `Queue paused. ${promptStore.list(contextKey).length} queued.`;
+            await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+            await options.updateQueueStatusMessage(contextKey, message);
+            return;
+        }
+        if (/^resume$/i.test(argument)) {
+            promptStore.resume(contextKey);
+            const message = `Queue resumed. ${promptStore.list(contextKey).length} queued.`;
+            await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+            if (chatId) {
+                void options.drainQueuedPrompts(ctx, contextKey, chatId, session).catch((error) => {
+                    console.error("Failed to drain queue after resume:", error);
+                });
+            }
+            return;
+        }
+        const moveMatch = argument.match(/^move\s+([a-z0-9]+)\s+(top|up|down)$/i);
+        if (moveMatch) {
+            const direction = moveMatch[2].toLowerCase();
+            const item = direction === "top"
+                ? promptStore.moveToTop(contextKey, moveMatch[1])
+                : direction === "up"
+                    ? promptStore.moveUp(contextKey, moveMatch[1])
+                    : promptStore.moveDown(contextKey, moveMatch[1]);
+            if (!item) {
+                await safeReply(ctx, escapeHTML(`No queued prompt found with id ${moveMatch[1]}.`), {
+                    fallbackText: `No queued prompt found with id ${moveMatch[1]}.`,
+                });
+                return;
+            }
+            const message = `Moved queued prompt ${item.id} ${direction}.`;
+            await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+            return;
+        }
+        const runMatch = argument.match(/^run\s+([a-z0-9]+)$/i);
+        if (runMatch) {
+            const item = promptStore.remove(contextKey, runMatch[1]);
+            if (!item) {
+                await safeReply(ctx, escapeHTML(`No queued prompt found with id ${runMatch[1]}.`), {
+                    fallbackText: `No queued prompt found with id ${runMatch[1]}.`,
+                });
+                return;
+            }
+            promptStore.enqueueFront(contextKey, item);
+            promptStore.resume(contextKey);
+            if (!chatId) {
+                return;
+            }
+            const busy = options.getBusyReason(contextKey);
+            if (busy.busy) {
+                const message = `Queued prompt ${item.id} moved to top and will run when the current task finishes.`;
+                await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+                if (busy.kind === "external") {
+                    options.scheduleExternalQueueDrain(ctx, contextKey, chatId, session);
+                }
+                return;
+            }
+            const next = promptStore.dequeue(contextKey);
+            if (next) {
+                await options.handleUserPrompt(ctx, contextKey, chatId, session, next, { fromQueue: true });
+            }
+            return;
+        }
+        if (argument) {
+            await safeReply(ctx, escapeHTML("Usage: /queue, /queue pause, /queue resume, /queue later <minutes> <prompt>, /queue inspect <id>, /queue move <id> top|up|down, /queue run <id>"), {
+                fallbackText: "Usage: /queue, /queue pause, /queue resume, /queue later <minutes> <prompt>, /queue inspect <id>, /queue move <id> top|up|down, /queue run <id>",
+            });
+            return;
+        }
+        const queue = promptStore.list(contextKey);
+        const rendered = renderQueueList(promptStore, contextKey, queue);
+        await safeReply(ctx, rendered.html, {
+            fallbackText: rendered.plain,
+            replyMarkup: rendered.keyboard,
+        });
+    });
+    bot.command("clearqueue", async (ctx) => {
+        const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
+        if (!contextSession) {
+            return;
+        }
+        const count = promptStore.clear(contextSession.contextKey);
+        const message = `Cleared ${count} queued prompt${count === 1 ? "" : "s"}.`;
+        await safeReply(ctx, escapeHTML(message), { fallbackText: message });
+    });
+    bot.command("cancel", async (ctx) => {
+        const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
+        if (!contextSession) {
+            return;
+        }
+        const rawText = ctx.message?.text ?? "";
+        const id = rawText.replace(/^\/cancel(?:@\w+)?\s*/i, "").trim();
+        if (!id) {
+            await safeReply(ctx, escapeHTML("Usage: /cancel <queue-id>"), {
+                fallbackText: "Usage: /cancel <queue-id>",
+            });
+            return;
+        }
+        const removed = promptStore.remove(contextSession.contextKey, id);
+        if (!removed) {
+            await safeReply(ctx, escapeHTML(`No queued prompt found with id ${id}.`), {
+                fallbackText: `No queued prompt found with id ${id}.`,
+            });
+            return;
+        }
+        await safeReply(ctx, escapeHTML(`Cancelled queued prompt ${removed.id}.`), {
+            fallbackText: `Cancelled queued prompt ${removed.id}.`,
+        });
+    });
+    bot.callbackQuery(/^queue_(cancel|remove|top|up|down|run):(-?\d+(?::\d+)?):([a-z0-9]+)$/, async (ctx) => {
+        const action = ctx.match?.[1];
+        const contextKey = ctx.match?.[2];
+        const queueId = ctx.match?.[3];
+        if (!action || !contextKey || !queueId) {
+            await ctx.answerCallbackQuery();
+            return;
+        }
+        const currentContextKey = contextKeyFromCtx(ctx);
+        if (currentContextKey && currentContextKey !== contextKey) {
+            await ctx.answerCallbackQuery({ text: "This queue button belongs to another chat or topic." });
+            return;
+        }
+        const chatId = ctx.chat?.id;
+        const messageId = ctx.callbackQuery.message?.message_id;
+        if (action === "top" || action === "up" || action === "down") {
+            const item = action === "top"
+                ? promptStore.moveToTop(contextKey, queueId)
+                : action === "up"
+                    ? promptStore.moveUp(contextKey, queueId)
+                    : promptStore.moveDown(contextKey, queueId);
+            await ctx.answerCallbackQuery({ text: item ? `Moved ${queueId} ${action}.` : "Queued prompt not found." });
+            if (chatId && messageId) {
+                const rendered = renderQueueList(promptStore, contextKey, promptStore.list(contextKey));
+                await safeEditMessage(bot, chatId, messageId, rendered.html, {
+                    fallbackText: rendered.plain,
+                    replyMarkup: rendered.keyboard,
+                });
+            }
+            return;
+        }
+        if (action === "run") {
+            const item = promptStore.remove(contextKey, queueId);
+            if (!item) {
+                await ctx.answerCallbackQuery({ text: "Queued prompt already started or was cancelled." });
+                return;
+            }
+            promptStore.enqueueFront(contextKey, item);
+            promptStore.resume(contextKey);
+            await ctx.answerCallbackQuery({ text: `Queued prompt ${queueId} moved to next.` });
+            if (chatId && messageId) {
+                const rendered = renderQueueList(promptStore, contextKey, promptStore.list(contextKey));
+                await safeEditMessage(bot, chatId, messageId, rendered.html, {
+                    fallbackText: rendered.plain,
+                    replyMarkup: rendered.keyboard,
+                });
+            }
+            const session = options.getSession(contextKey);
+            if (chatId && session && !options.getBusyReason(contextKey).busy) {
+                void options.drainQueuedPrompts(ctx, contextKey, chatId, session).catch((error) => {
+                    console.error("Failed to drain queue after run-now callback:", error);
+                });
+            }
+            return;
+        }
+        const removed = promptStore.remove(contextKey, queueId);
+        if (!removed) {
+            await ctx.answerCallbackQuery({ text: "Queued prompt already started or was cancelled." });
+            if (chatId && messageId) {
+                if (action === "remove") {
+                    const rendered = renderQueueList(promptStore, contextKey, promptStore.list(contextKey));
+                    await safeEditMessage(bot, chatId, messageId, rendered.html, {
+                        fallbackText: rendered.plain,
+                        replyMarkup: rendered.keyboard,
+                    });
+                }
+                else {
+                    const message = `Queued prompt ${queueId} is no longer queued.`;
+                    await safeEditMessage(bot, chatId, messageId, escapeHTML(message), { fallbackText: message });
+                }
+            }
+            return;
+        }
+        const message = `Cancelled queued prompt ${removed.id}.`;
+        await ctx.answerCallbackQuery({ text: message });
+        if (!chatId || !messageId) {
+            return;
+        }
+        if (action === "remove") {
+            const rendered = renderQueueList(promptStore, contextKey, promptStore.list(contextKey));
+            await safeEditMessage(bot, chatId, messageId, rendered.html, {
+                fallbackText: rendered.plain,
+                replyMarkup: rendered.keyboard,
+            });
+            return;
+        }
+        await safeEditMessage(bot, chatId, messageId, escapeHTML(message), { fallbackText: message });
+    });
+}

package/dist/telegram-support-command.js

@@ -0,0 +1,53 @@
+import { InputFile } from "grammy";
+import { contextKeyFromCtx } from "./context-key.js";
+import { getConnectorHealth, getVersionChecks } from "./operations.js";
+import { formatLocalDateTime } from "./bot-rendering.js";
+import { createSupportBundle } from "./support-bundle.js";
+import { chatBucket } from "./telegram-output.js";
+import { telegramRateLimiter } from "./telegram-rate-limit.js";
+export function registerTelegramSupportCommands(options) {
+    options.bot.command(["support", "diagnostics_bundle"], async (ctx) => {
+        if (!ctx.chat) {
+            return;
+        }
+        const health = await getConnectorHealth(cliPathOptions(options.config));
+        const versionChecks = await getVersionChecks(cliPathOptions(options.config));
+        const bundle = await createSupportBundle({
+            config: options.config,
+            health,
+            versionChecks,
+            auditEvents: options.auditLog.list(100),
+            agentUpdateJobs: options.agentUpdates.list(),
+            source: "telegram",
+        });
+        const contextKey = contextKeyFromCtx(ctx);
+        if (contextKey) {
+            options.audit({
+                action: "command",
+                status: "ok",
+                contextKey,
+                actorId: ctx.from?.id,
+                actorRole: options.getUserRole(ctx),
+                description: "export diagnostics bundle",
+                detail: bundle.path,
+            });
+        }
+        await telegramRateLimiter.run(chatBucket(ctx.chat.id), "sendDocument", () => ctx.api.sendDocument(ctx.chat.id, new InputFile(bundle.path, bundle.name), {
+            caption: [
+                "Diagnostics bundle exported.",
+                `Created: ${formatLocalDateTime(new Date(bundle.createdAt))}`,
+                `Files: ${bundle.includedFiles.length}`,
+                `Size: ${bundle.sizeBytes} bytes`,
+            ].join("\n"),
+            ...(ctx.message?.message_thread_id ? { message_thread_id: ctx.message.message_thread_id } : {}),
+        }));
+    });
+}
+function cliPathOptions(config) {
+    return {
+        piCliPath: config.piCliPath,
+        hermesCliPath: config.hermesCliPath,
+        openClawCliPath: config.openClawCliPath,
+        claudeCodeCliPath: config.claudeCodeCliPath,
+    };
+}

package/dist/telegram-update-commands.js

@@ -11,6 +11,11 @@ export function registerTelegramUpdateCommands(deps) {
         const argument = rawText.replace(/^\/update(?:@\w+)?\s*/i, "").trim();
         const tokens = argument.split(/\s+/).filter(Boolean);
         const subcommand = tokens[0]?.toLowerCase();
+        const installTarget = subcommand === "install" ? parseAgentUpdateId(tokens[1]) : null;
+        if (installTarget) {
+            await startTelegramAgentUpdate(ctx, installTarget, "install");
+            return;
+        }
         if (subcommand === "agents" || subcommand === "agent") {
             const rendered = renderAgentUpdatePickerAction(listAgentAdapterDescriptors());
             await replyChannelAction(ctx, rendered);
@@ -44,7 +49,7 @@ export function registerTelegramUpdateCommands(deps) {
             return;
         }
         if (subcommand) {
-            const usage = "Unknown update target. Use /update, /update agents, /update jobs, /update <agent>, /update log <id>, /update cancel <id>, or /update input <id> <text>.";
+            const usage = "Unknown update target. Use /update, /update agents, /update jobs, /update <agent>, /update install <agent>, /update log <id>, /update cancel <id>, or /update input <id> <text>.";
             await safeReply(ctx, escapeHTML(usage), { fallbackText: usage });
             return;
         }

package/dist/web-api-contract.js

@@ -1,42 +1,90 @@
-export const WEB_API_ROUTES = [
-    ...exact(["/api/bootstrap", "/api/health", "/api/snapshot", "/api/tasks", "/api/progress"], "inspect"),
-    ...exact(["/api/version", "/api/adapters/health"], "inspect"),
-    ...exact(["/api/diagnostics"], "diagnostics.read"),
-    ...prefix(["/api/users", "/api/groups", "/api/telegram-chats"], readWrite("users.read", "users.write")),
-    ...exact(["/api/permissions"], "users.read"),
-    ...exact(["/api/audit"], "audit.read"),
-    ...exact(["/api/control-options"], "settings.read"),
-    ...exact(["/api/settings"], readWrite("settings.read", "settings.write")),
-    ...exact(["/api/update"], "updates.run"),
-    ...prefix(["/api/agent-update"], "updates.run"),
-    ...exact(["/api/logs"], "logs.read"),
-    ...exact(["/api/logs/clear"], "logs.clear"),
-    ...exact(["/api/runtime/restart"], "system.restart"),
-    ...prefix(["/api/sessions"], readWrite("sessions.read", "sessions.write")),
-    ...exact(["/api/agent", "/api/sync", "/api/handback", "/api/locks"], readWrite("sessions.read", "sessions.write")),
-    ...prefix(["/api/auth/"], readWrite("inspect", "auth.manage")),
-    ...prefix(["/api/models", "/api/session/"], readWrite("settings.read", "settings.write")),
-    ...exact(["/api/queue"], readWrite("queue.read", "queue.write")),
-    ...exact(["/api/prompt", "/api/prompt/upload", "/api/retry"], readWrite("inspect", "prompt.send")),
-    ...exact(["/api/abort", "/api/stop"], "prompt.abort"),
-    ...prefix(["/api/chat"], readWrite("sessions.read", "sessions.write")),
-    ...prefix(["/api/activity"], "sessions.read"),
-    ...prefix(["/api/artifacts"], readWrite("files.read", "files.write")),
+const stringToken = "${string}";
+export const WEB_API_ROUTE_DEFINITIONS = [
+    exact("/api/auth/me", ["GET"], "inspect"),
+    exact("/api/dashboard/logout", ["POST"], "inspect"),
+    exact("/api/bootstrap", ["GET"], "inspect"),
+    exact("/api/health", ["GET"], "inspect"),
+    exact("/api/snapshot", ["GET"], "inspect"),
+    exact("/api/tasks", ["GET"], "inspect"),
+    exact("/api/progress", ["GET"], "inspect"),
+    exact("/api/version", ["GET"], "inspect"),
+    exact("/api/update", ["POST"], "updates.run"),
+    exact("/api/agent-updates", ["GET"], "updates.run"),
+    exact("/api/agent-update", ["POST"], "updates.run"),
+    dynamic("/api/agent-update/:id/log", "^/api/agent-update/[^/]+/log$", ["GET", "DELETE"], "updates.run", `/api/agent-update/${stringToken}/log`),
+    dynamic("/api/agent-update/:id/input", "^/api/agent-update/[^/]+/input$", ["POST"], "updates.run", `/api/agent-update/${stringToken}/input`),
+    dynamic("/api/agent-update/:id/cancel", "^/api/agent-update/[^/]+/cancel$", ["POST"], "updates.run", `/api/agent-update/${stringToken}/cancel`),
+    exact("/api/adapters/health", ["GET"], "inspect"),
+    exact("/api/permissions", ["GET"], "users.read"),
+    exact("/api/users", ["GET", "POST"], readWrite("users.read", "users.write")),
+    dynamic("/api/users/:id", "^/api/users/[^/]+$", ["PATCH"], "users.write", `/api/users/${stringToken}`),
+    dynamic("/api/users/:id/password", "^/api/users/[^/]+/password$", ["POST"], "users.write", `/api/users/${stringToken}/password`),
+    dynamic("/api/users/:id/sessions", "^/api/users/[^/]+/sessions$", ["GET", "DELETE"], readWrite("users.read", "users.write"), `/api/users/${stringToken}/sessions`),
+    dynamic("/api/users/:id/sessions/:sessionId", "^/api/users/[^/]+/sessions/[^/]+$", ["DELETE"], "users.write", `/api/users/${stringToken}/sessions/${stringToken}`),
+    dynamic("/api/users/:id/telegram", "^/api/users/[^/]+/telegram$", ["POST"], "users.write", `/api/users/${stringToken}/telegram`),
+    dynamic("/api/users/:id/telegram/:identityId", "^/api/users/[^/]+/telegram/[^/]+$", ["DELETE"], "users.write", `/api/users/${stringToken}/telegram/${stringToken}`),
+    exact("/api/groups", ["GET", "POST"], readWrite("users.read", "users.write")),
+    dynamic("/api/groups/:id", "^/api/groups/[^/]+$", ["PATCH"], "users.write", `/api/groups/${stringToken}`),
+    exact("/api/telegram-chats", ["GET", "POST"], readWrite("users.read", "users.write")),
+    dynamic("/api/telegram-chats/:id", "^/api/telegram-chats/[^/]+$", ["PATCH"], "users.write", `/api/telegram-chats/${stringToken}`),
+    exact("/api/audit", ["GET"], "audit.read"),
+    exact("/api/locks", ["GET", "POST", "DELETE"], readWrite("sessions.read", "sessions.write")),
+    exact("/api/auth/status", ["GET"], "inspect"),
+    exact("/api/auth/login", ["POST"], "auth.manage"),
+    exact("/api/auth/logout", ["POST"], "auth.manage"),
+    exact("/api/settings", ["GET", "PATCH"], readWrite("settings.read", "settings.write")),
+    exact("/api/control-options", ["GET"], "settings.read"),
+    exact("/api/sessions", ["GET"], "sessions.read"),
+    exact("/api/sessions/new", ["POST"], "sessions.write"),
+    exact("/api/sessions/switch", ["POST"], "sessions.write"),
+    exact("/api/sessions/attach", ["POST"], "sessions.write"),
+    exact("/api/sessions/detail", ["GET"], "sessions.read"),
+    exact("/api/agent", ["POST"], "sessions.write"),
+    exact("/api/models", ["GET"], "settings.read"),
+    exact("/api/session/model", ["POST"], "settings.write"),
+    exact("/api/session/reasoning", ["POST"], "settings.write"),
+    exact("/api/session/fast", ["POST"], "settings.write"),
+    exact("/api/session/launch", ["POST"], "settings.write"),
+    exact("/api/prompt", ["POST"], "prompt.send"),
+    exact("/api/prompt/upload", ["POST"], "prompt.send"),
+    exact("/api/abort", ["POST"], "prompt.abort"),
+    exact("/api/stop", ["POST"], "prompt.abort"),
+    exact("/api/handback", ["POST"], "sessions.write"),
+    exact("/api/retry", ["POST"], "prompt.send"),
+    exact("/api/sync", ["POST"], "sessions.write"),
+    exact("/api/queue", ["GET", "POST"], readWrite("queue.read", "queue.write")),
+    exact("/api/chat/history", ["GET", "DELETE"], readWrite("sessions.read", "sessions.write")),
+    exact("/api/activity", ["GET"], "sessions.read"),
+    exact("/api/artifacts", ["GET", "DELETE"], readWrite("files.read", "files.write")),
+    exact("/api/artifacts/bulk", ["POST"], "files.write"),
+    exact("/api/artifacts/zip", ["GET"], "files.read"),
+    exact("/api/artifacts/file", ["GET"], "files.read"),
+    exact("/api/artifacts/preview", ["GET"], "files.read"),
+    exact("/api/logs", ["GET"], "logs.read"),
+    exact("/api/logs/clear", ["POST"], "logs.clear"),
+    exact("/api/diagnostics", ["GET"], "diagnostics.read"),
+    exact("/api/diagnostics/bundle", ["GET"], "diagnostics.read"),
+    exact("/api/runtime/restart", ["POST"], "system.restart"),
 ];
+export const WEB_API_STATIC_PATHS = WEB_API_ROUTE_DEFINITIONS
+    .filter((route) => !route.pattern)
+    .map((route) => route.path);
+export const WEB_API_DYNAMIC_TYPE_PATHS = WEB_API_ROUTE_DEFINITIONS
+    .flatMap((route) => route.dynamicType ? [route.dynamicType] : []);
 export function permissionForWebRequestFromContract(method, pathname) {
     const verb = normalizeMethod(method);
-    const rule = WEB_API_ROUTES.find((candidate) => (candidate.path !== undefined && candidate.path === pathname) ||
-        (candidate.prefix !== undefined && pathname.startsWith(candidate.prefix)));
-    if (!rule) {
+    const rule = WEB_API_ROUTE_DEFINITIONS.find((candidate) => (candidate.pattern ? new RegExp(candidate.pattern).test(pathname) : candidate.path === pathname));
+    const methods = rule?.methods ?? [];
+    if (!rule || !methods.includes(verb)) {
         return null;
     }
     return resolvePermission(rule.permissions, verb);
 }
-function exact(paths, permissions) {
-    return paths.map((path) => ({ path, permissions }));
+function exact(path, methods, permissions) {
+    return { path, methods, permissions };
 }
-function prefix(prefixes, permissions) {
-    return prefixes.map((pathPrefix) => ({ prefix: pathPrefix, permissions }));
+function dynamic(path, pattern, methods, permissions, dynamicType) {
+    return { path, pattern, methods, permissions, dynamicType };
 }
 function readWrite(read, write) {
     return { read, write };

package/dist/web-api-types.js

@@ -0,0 +1 @@
+export {};

package/dist/web-dashboard-access-routes.js

@@ -0,0 +1,163 @@
+import { ALL_PERMISSIONS } from "./access-control.js";
+import { publicUser, publicUserSnapshot, } from "./user-management.js";
+import { arrayNumberField, arrayStringField, numberField, numberParam, optionalBooleanField, optionalNumberField, optionalStringField, readJsonBody, sendJson, stringField, } from "./web-dashboard-http.js";
+export async function handleDashboardAccessRoute(req, res, url, options) {
+    const { users, runtime, authUser } = options;
+    if (req.method === "GET" && url.pathname === "/api/permissions") {
+        sendJson(res, 200, { ...publicUserSnapshot(users.snapshot()), permissions: ALL_PERMISSIONS });
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/users") {
+        sendJson(res, 200, { ...publicUserSnapshot(users.snapshot()), permissions: ALL_PERMISSIONS });
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/users") {
+        const body = await readJsonBody(req);
+        const user = users.createUser({
+            email: stringField(body, "email"),
+            displayName: optionalStringField(body, "displayName") ?? stringField(body, "email"),
+            password: stringField(body, "password"),
+            groupIds: arrayStringField(body, "groupIds"),
+            active: optionalBooleanField(body, "active") ?? true,
+            telegramUserId: optionalNumberField(body, "telegramUserId"),
+        });
+        options.auditUserAction(authUser, "user_created", user.user.email);
+        sendJson(res, 201, { user: publicUser(user.user), groups: user.groups });
+        return true;
+    }
+    const userMatch = url.pathname.match(/^\/api\/users\/([^/]+)$/);
+    if (userMatch?.[1] && req.method === "PATCH") {
+        const body = await readJsonBody(req);
+        const user = users.updateUser(decodeURIComponent(userMatch[1]), {
+            email: optionalStringField(body, "email"),
+            displayName: optionalStringField(body, "displayName"),
+            active: optionalBooleanField(body, "active"),
+            groupIds: body.groupIds === undefined ? undefined : arrayStringField(body, "groupIds"),
+        });
+        options.auditUserAction(authUser, "user_updated", user.user.email);
+        sendJson(res, 200, { user: publicUser(user.user), groups: user.groups });
+        return true;
+    }
+    const passwordMatch = url.pathname.match(/^\/api\/users\/([^/]+)\/password$/);
+    if (passwordMatch?.[1] && req.method === "POST") {
+        const body = await readJsonBody(req);
+        const userId = decodeURIComponent(passwordMatch[1]);
+        users.setPassword(userId, stringField(body, "password"));
+        options.auditUserAction(authUser, "user_password_changed", userId);
+        sendJson(res, 200, { ok: true });
+        return true;
+    }
+    const userSessionsMatch = url.pathname.match(/^\/api\/users\/([^/]+)\/sessions$/);
+    if (userSessionsMatch?.[1] && req.method === "GET") {
+        sendJson(res, 200, { sessions: users.listWebSessions(decodeURIComponent(userSessionsMatch[1])) });
+        return true;
+    }
+    if (userSessionsMatch?.[1] && req.method === "DELETE") {
+        const userId = decodeURIComponent(userSessionsMatch[1]);
+        const revoked = users.revokeUserSessions(userId);
+        options.auditUserAction(authUser, "user_session_revoked", `${userId}: ${revoked} sessions`);
+        sendJson(res, 200, { revoked });
+        return true;
+    }
+    const userSessionMatch = url.pathname.match(/^\/api\/users\/[^/]+\/sessions\/([^/]+)$/);
+    if (userSessionMatch?.[1] && req.method === "DELETE") {
+        const sessionId = decodeURIComponent(userSessionMatch[1]);
+        const revoked = users.revokeWebSession(sessionId);
+        options.auditUserAction(authUser, "user_session_revoked", sessionId);
+        sendJson(res, 200, { revoked });
+        return true;
+    }
+    const telegramLinkMatch = url.pathname.match(/^\/api\/users\/([^/]+)\/telegram$/);
+    if (telegramLinkMatch?.[1] && req.method === "POST") {
+        const body = await readJsonBody(req);
+        if (body.createCode === true) {
+            const userId = decodeURIComponent(telegramLinkMatch[1]);
+            const linkCode = users.createTelegramLinkCode(userId);
+            options.auditUserAction(authUser, "telegram_link_created", userId);
+            sendJson(res, 201, { linkCode });
+            return true;
+        }
+        const identity = users.linkTelegramUser(decodeURIComponent(telegramLinkMatch[1]), {
+            telegramUserId: numberField(body, "telegramUserId"),
+            username: optionalStringField(body, "username"),
+        });
+        options.auditUserAction(authUser, "telegram_linked", String(identity.telegramUserId));
+        sendJson(res, 201, { identity });
+        return true;
+    }
+    const telegramUnlinkMatch = url.pathname.match(/^\/api\/users\/[^/]+\/telegram\/([^/]+)$/);
+    if (telegramUnlinkMatch?.[1] && req.method === "DELETE") {
+        const identityId = decodeURIComponent(telegramUnlinkMatch[1]);
+        const removed = users.unlinkTelegramIdentity(identityId);
+        options.auditUserAction(authUser, "telegram_unlinked", identityId);
+        sendJson(res, 200, { removed });
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/groups") {
+        sendJson(res, 200, { groups: users.listGroups() });
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/groups") {
+        const body = await readJsonBody(req);
+        const group = users.createGroup({
+            name: stringField(body, "name"),
+            description: optionalStringField(body, "description"),
+            permissions: arrayStringField(body, "permissions"),
+            agentIds: arrayStringField(body, "agentIds"),
+            workspaceRoots: arrayStringField(body, "workspaceRoots"),
+            telegramChatIds: arrayNumberField(body, "telegramChatIds"),
+        });
+        options.auditUserAction(authUser, "group_created", group.id);
+        sendJson(res, 201, { group });
+        return true;
+    }
+    const groupMatch = url.pathname.match(/^\/api\/groups\/([^/]+)$/);
+    if (groupMatch?.[1] && req.method === "PATCH") {
+        const body = await readJsonBody(req);
+        const group = users.updateGroup(decodeURIComponent(groupMatch[1]), {
+            name: optionalStringField(body, "name"),
+            description: optionalStringField(body, "description"),
+            permissions: body.permissions === undefined ? undefined : arrayStringField(body, "permissions"),
+            agentIds: body.agentIds === undefined ? undefined : arrayStringField(body, "agentIds"),
+            workspaceRoots: body.workspaceRoots === undefined ? undefined : arrayStringField(body, "workspaceRoots"),
+            telegramChatIds: body.telegramChatIds === undefined ? undefined : arrayNumberField(body, "telegramChatIds"),
+        });
+        options.auditUserAction(authUser, "group_updated", group.id);
+        sendJson(res, 200, { group });
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/telegram-chats") {
+        sendJson(res, 200, { chats: users.snapshot().telegramChats });
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/telegram-chats") {
+        const body = await readJsonBody(req);
+        const chat = users.registerTelegramChat({
+            chatId: numberField(body, "chatId"),
+            title: optionalStringField(body, "title"),
+            type: optionalStringField(body, "type"),
+            enabled: optionalBooleanField(body, "enabled") ?? true,
+            allowedGroupIds: arrayStringField(body, "allowedGroupIds"),
+        });
+        options.auditUserAction(authUser, "telegram_chat_updated", String(chat.chatId));
+        sendJson(res, 201, { chat });
+        return true;
+    }
+    const chatMatch = url.pathname.match(/^\/api\/telegram-chats\/([^/]+)$/);
+    if (chatMatch?.[1] && req.method === "PATCH") {
+        const body = await readJsonBody(req);
+        const chat = users.updateTelegramChat(decodeURIComponent(chatMatch[1]), {
+            enabled: optionalBooleanField(body, "enabled"),
+            title: optionalStringField(body, "title"),
+            allowedGroupIds: body.allowedGroupIds === undefined ? undefined : arrayStringField(body, "allowedGroupIds"),
+        });
+        options.auditUserAction(authUser, "telegram_chat_updated", String(chat.chatId));
+        sendJson(res, 200, { chat });
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/audit") {
+        sendJson(res, 200, { events: runtime.audit(numberParam(url, "limit", 50)) });
+        return true;
+    }
+    return false;
+}