@nordbyte/nordrelay 0.5.1 → 0.6.0

package/dist/web-dashboard-access-routes.js

@@ -20,6 +20,7 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
             groupIds: arrayStringField(body, "groupIds"),
             active: optionalBooleanField(body, "active") ?? true,
             telegramUserId: optionalNumberField(body, "telegramUserId"),
+            discordUserId: optionalStringField(body, "discordUserId"),
         });
         options.auditUserAction(authUser, "user_created", user.user.email);
         sendJson(res, 201, { user: publicUser(user.user), groups: user.groups });
@@ -93,6 +94,33 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
         sendJson(res, 200, { removed });
         return true;
     }
+    const discordLinkMatch = url.pathname.match(/^\/api\/users\/([^/]+)\/discord$/);
+    if (discordLinkMatch?.[1] && req.method === "POST") {
+        const body = await readJsonBody(req);
+        if (body.createCode === true) {
+            const userId = decodeURIComponent(discordLinkMatch[1]);
+            const linkCode = users.createDiscordLinkCode(userId);
+            options.auditUserAction(authUser, "discord_link_created", userId);
+            sendJson(res, 201, { linkCode });
+            return true;
+        }
+        const identity = users.linkDiscordUser(decodeURIComponent(discordLinkMatch[1]), {
+            discordUserId: stringField(body, "discordUserId"),
+            username: optionalStringField(body, "username"),
+            globalName: optionalStringField(body, "globalName"),
+        });
+        options.auditUserAction(authUser, "discord_linked", identity.discordUserId);
+        sendJson(res, 201, { identity });
+        return true;
+    }
+    const discordUnlinkMatch = url.pathname.match(/^\/api\/users\/[^/]+\/discord\/([^/]+)$/);
+    if (discordUnlinkMatch?.[1] && req.method === "DELETE") {
+        const identityId = decodeURIComponent(discordUnlinkMatch[1]);
+        const removed = users.unlinkDiscordIdentity(identityId);
+        options.auditUserAction(authUser, "discord_unlinked", identityId);
+        sendJson(res, 200, { removed });
+        return true;
+    }
     if (req.method === "GET" && url.pathname === "/api/groups") {
         sendJson(res, 200, { groups: users.listGroups() });
         return true;
@@ -106,6 +134,7 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
             agentIds: arrayStringField(body, "agentIds"),
             workspaceRoots: arrayStringField(body, "workspaceRoots"),
             telegramChatIds: arrayNumberField(body, "telegramChatIds"),
+            discordChannelIds: arrayStringField(body, "discordChannelIds"),
         });
         options.auditUserAction(authUser, "group_created", group.id);
         sendJson(res, 201, { group });
@@ -121,6 +150,7 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
             agentIds: body.agentIds === undefined ? undefined : arrayStringField(body, "agentIds"),
             workspaceRoots: body.workspaceRoots === undefined ? undefined : arrayStringField(body, "workspaceRoots"),
             telegramChatIds: body.telegramChatIds === undefined ? undefined : arrayNumberField(body, "telegramChatIds"),
+            discordChannelIds: body.discordChannelIds === undefined ? undefined : arrayStringField(body, "discordChannelIds"),
         });
         options.auditUserAction(authUser, "group_updated", group.id);
         sendJson(res, 200, { group });
@@ -155,8 +185,51 @@ export async function handleDashboardAccessRoute(req, res, url, options) {
         sendJson(res, 200, { chat });
         return true;
     }
+    if (req.method === "GET" && url.pathname === "/api/discord-channels") {
+        sendJson(res, 200, { channels: users.snapshot().discordChannels });
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/discord-channels") {
+        const body = await readJsonBody(req);
+        const channel = users.registerDiscordChannel({
+            guildId: optionalStringField(body, "guildId"),
+            channelId: stringField(body, "channelId"),
+            title: optionalStringField(body, "title"),
+            type: optionalStringField(body, "type"),
+            enabled: optionalBooleanField(body, "enabled") ?? true,
+            allowedGroupIds: arrayStringField(body, "allowedGroupIds"),
+        });
+        options.auditUserAction(authUser, "discord_channel_updated", channel.channelId);
+        sendJson(res, 201, { channel });
+        return true;
+    }
+    const discordChannelMatch = url.pathname.match(/^\/api\/discord-channels\/([^/]+)$/);
+    if (discordChannelMatch?.[1] && req.method === "PATCH") {
+        const body = await readJsonBody(req);
+        const channel = users.updateDiscordChannel(decodeURIComponent(discordChannelMatch[1]), {
+            enabled: optionalBooleanField(body, "enabled"),
+            title: optionalStringField(body, "title"),
+            allowedGroupIds: body.allowedGroupIds === undefined ? undefined : arrayStringField(body, "allowedGroupIds"),
+        });
+        options.auditUserAction(authUser, "discord_channel_updated", channel.channelId);
+        sendJson(res, 200, { channel });
+        return true;
+    }
     if (req.method === "GET" && url.pathname === "/api/audit") {
-        sendJson(res, 200, { events: runtime.audit(numberParam(url, "limit", 50)) });
+        sendJson(res, 200, {
+            events: runtime.audit({
+                limit: numberParam(url, "limit", 50),
+                channelId: (url.searchParams.get("channel") || "all"),
+                category: (url.searchParams.get("category") || "all"),
+                status: (url.searchParams.get("status") || "all"),
+                action: url.searchParams.get("action") || "all",
+                actor: url.searchParams.get("actor") || undefined,
+                agentId: url.searchParams.get("agent") || "all",
+                threadId: url.searchParams.get("thread") || undefined,
+                workspace: url.searchParams.get("workspace") || undefined,
+                since: url.searchParams.get("since") || undefined,
+            }),
+        });
         return true;
     }
     return false;

package/dist/web-dashboard-artifact-routes.js

@@ -8,7 +8,7 @@ export async function handleDashboardArtifactRoute(req, res, url, options) {
     }
     if (req.method === "DELETE" && url.pathname === "/api/artifacts") {
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { removed: await runtime.deleteArtifact(requiredSearch(url, "turnId")) });
+        sendJson(res, 200, { removed: await runtime.deleteArtifact(requiredSearch(url, "turnId"), options.activityActor) });
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/artifacts/bulk") {
@@ -21,7 +21,7 @@ export async function handleDashboardArtifactRoute(req, res, url, options) {
         }
         const removed = [];
         for (const turnId of turnIds) {
-            if (await runtime.deleteArtifact(turnId)) {
+            if (await runtime.deleteArtifact(turnId, options.activityActor)) {
                 removed.push(turnId);
             }
         }
@@ -30,7 +30,7 @@ export async function handleDashboardArtifactRoute(req, res, url, options) {
     }
     if (req.method === "GET" && url.pathname === "/api/artifacts/zip") {
         await options.assertCurrentSessionScope(authUser);
-        const bundle = await runtime.createArtifactZip(requiredSearch(url, "turnId"));
+        const bundle = await runtime.createArtifactZip(requiredSearch(url, "turnId"), options.activityActor);
         if (!bundle) {
             sendJson(res, 404, { error: "Artifact turn not found or ZIP could not be created" });
             return true;

package/dist/web-dashboard-assets.js

@@ -9,6 +9,8 @@ const clientSources = [
     "client/overview.js",
     "client/events.js",
     "client/workflows.js",
+    "client/jobs.js",
+    "client/metrics.js",
     "client/admin.js",
 ];
 const styleSources = [

package/dist/web-dashboard-pages.js

@@ -44,6 +44,58 @@ export function renderLoginPage(options) {
 </body>
 </html>`;
 }
+export function renderFirstRunSetupPage(options) {
+    return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>NordRelay First Run</title>
+  <style>
+    body{margin:0;min-height:100vh;display:grid;place-items:center;background:#f4f5f2;color:#181c19;font-family:Inter,system-ui,-apple-system,Segoe UI,sans-serif}
+    form{width:min(460px,calc(100vw - 32px));background:white;border:1px solid #dfe3dc;border-radius:8px;padding:24px;box-shadow:0 20px 60px rgba(20,30,24,.08)}
+    h1{font-size:24px;margin:0 0 8px}
+    p{color:#5d665d;margin:0 0 18px;line-height:1.45}
+    label{display:block;font-size:13px;color:#4b544d;margin:14px 0 6px}
+    input{box-sizing:border-box;width:100%;height:40px;border:1px solid #cfd6ce;border-radius:6px;padding:0 10px;font:inherit}
+    button{margin-top:18px;width:100%;height:42px;border:0;border-radius:6px;background:#205c43;color:white;font-weight:650;cursor:pointer}
+    .error{color:#9b1c1c;min-height:22px;margin-top:12px}
+    small{display:block;color:#667267;margin-top:8px;line-height:1.4}
+  </style>
+</head>
+<body>
+  <form id="setup">
+    <h1>NordRelay Setup</h1>
+    <p>Create the first admin account. After this, every dashboard page and API route requires login.</p>
+    <label>Email</label><input id="email" name="email" type="email" autocomplete="username" required>
+    <label>Name</label><input id="displayName" name="displayName" autocomplete="name" required>
+    <label>Password</label><input id="password" name="password" type="password" autocomplete="new-password" minlength="12" required>
+    <label>Setup token</label><input id="setupToken" name="setupToken" autocomplete="one-time-code" ${options.tokenRequired ? "required" : ""}>
+    <small>${options.tokenRequired ? "Use the token printed in the NordRelay console." : "Local setup does not require the token, but the console token also works."}</small>
+    <button>Create admin</button>
+    <div class="error" id="error"></div>
+  </form>
+  <script>
+    document.getElementById('setup').addEventListener('submit', async (event) => {
+      event.preventDefault();
+      const payload = {
+        email: document.getElementById('email')?.value || undefined,
+        displayName: document.getElementById('displayName')?.value || undefined,
+        password: document.getElementById('password')?.value || undefined,
+        setupToken: document.getElementById('setupToken')?.value || undefined,
+      };
+      const res = await fetch('/api/setup/admin', { method:'POST', headers:{'content-type':'application/json'}, body: JSON.stringify(payload) });
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        document.getElementById('error').textContent = data.error || 'Setup failed';
+        return;
+      }
+      location.href = '/';
+    });
+  </script>
+</body>
+</html>`;
+}
 export function renderDashboardApp() {
     return `<!doctype html>
 <html lang="en">
@@ -81,7 +133,7 @@ export function renderDashboardApp() {
       <section class="page active" id="page-overview">
         <div class="metrics" id="metrics"></div>
         <div class="stack">
-          <div class="panel"><h2>Current Session</h2><pre id="sessionText"></pre></div>
+          <div class="panel"><h2>Active Sessions</h2><div id="activeSessions" class="list"></div></div>
           <div class="overview-adapter-grid">
             <div class="panel"><h2>Agent Adapters</h2><div id="agentAdapters"></div></div>
             <div class="panel"><h2>Chat Adapters</h2><div id="chatAdapters"></div></div>
@@ -129,6 +181,13 @@ export function renderDashboardApp() {
         </div>
       </section>
 
+      <section class="page" id="page-metrics">
+        <div class="panel">
+          <div class="row"><button id="reloadMetricsBtn">Reload metrics</button></div>
+          <div id="metricsPanel" class="list"></div>
+        </div>
+      </section>
+
       <section class="page" id="page-sessions">
         <div class="panel">
           <div class="sessions-toolbar">
@@ -149,7 +208,7 @@ export function renderDashboardApp() {
 
       <section class="page" id="page-activity">
         <div class="panel">
-          <div class="row"><select id="activitySource"><option value="all">All sources</option><option value="web">Web</option><option value="cli">CLI</option></select><select id="activityStatus"><option value="all">All statuses</option><option value="queued">Queued</option><option value="running">Running</option><option value="completed">Completed</option><option value="failed">Failed</option><option value="aborted">Aborted</option><option value="info">Info</option></select><input id="activitySince" type="datetime-local"><input id="activityLimit" type="number" value="100" min="1" max="500"><button id="loadActivityBtn">Load activity</button><button id="exportActivityBtn" class="secondary">Export</button></div>
+          <div class="row"><select id="activitySource"><option value="all">All sources</option><option value="web">Web</option><option value="telegram">Telegram</option><option value="discord">Discord</option><option value="cli">CLI</option></select><select id="activityCategory"><option value="all">All categories</option><option value="prompt">Prompt</option><option value="session">Session</option><option value="queue">Queue</option><option value="agent-update">Agent update</option><option value="artifact">Artifact</option><option value="system">System</option><option value="auth">Auth</option><option value="security">Security</option><option value="tool">Tool</option></select><select id="activityStatus"><option value="all">All statuses</option><option value="queued">Queued</option><option value="running">Running</option><option value="completed">Completed</option><option value="failed">Failed</option><option value="aborted">Aborted</option><option value="info">Info</option></select><input id="activityActor" placeholder="Actor"><input id="activityAgent" placeholder="Agent"><input id="activityThread" placeholder="Thread ID"><input id="activityWorkspace" placeholder="Workspace"><input id="activityType" placeholder="Type"><input id="activitySince" type="datetime-local"><input id="activityLimit" type="number" value="100" min="1" max="500"><button id="loadActivityBtn">Load activity</button><button id="exportActivityBtn" class="secondary">Export</button></div>
           <div id="activityList" class="list"></div>
         </div>
       </section>
@@ -171,17 +230,42 @@ export function renderDashboardApp() {
 
       <section class="page" id="page-access">
         <div class="panel">
-          <div class="row"><button id="loadAccessBtn">Reload users</button><button id="createUserBtn">Create user</button><button id="createGroupBtn" class="secondary">Create group</button><button id="createChatBtn" class="secondary">Add Telegram chat</button><button id="lockSessionBtn" class="secondary">Lock web session</button><button id="unlockSessionBtn" class="secondary">Unlock web session</button></div>
-          <div id="accessPanel" class="settings-grid"></div>
-          <h2>Groups</h2>
-          <div id="groupsList" class="list"></div>
-          <h2>Telegram chats</h2>
-          <div id="telegramChatsList" class="list"></div>
-          <h2>Locks</h2>
-          <div id="locksList" class="list"></div>
-          <h2>Audit</h2>
-          <div class="row"><input id="auditLimit" type="number" value="50" min="1" max="200"><button id="loadAuditBtn">Load audit</button></div>
-          <div id="auditList" class="list"></div>
+          <div class="row"><button id="loadAccessBtn">Reload users</button><button id="createUserBtn">Create user</button><button id="createGroupBtn" class="secondary">Create group</button><button id="createChatBtn" class="secondary">Add Telegram chat</button><button id="createDiscordChannelBtn" class="secondary">Add Discord channel</button><button id="lockSessionBtn" class="secondary">Lock web session</button><button id="unlockSessionBtn" class="secondary">Unlock web session</button></div>
+          <div id="accessTabs" class="tabs access-tabs">
+            <button type="button" data-access-tab="users" class="active">Users</button>
+            <button type="button" data-access-tab="groups">Groups</button>
+            <button type="button" data-access-tab="telegram">Telegram</button>
+            <button type="button" data-access-tab="discord">Discord</button>
+            <button type="button" data-access-tab="locks">Locks</button>
+            <button type="button" data-access-tab="audit">Audit</button>
+          </div>
+          <div class="access-tab active" data-access-tab-panel="users">
+            <div id="accessPanel" class="settings-grid"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="groups">
+            <h2>Groups</h2>
+            <div id="groupsList" class="list"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="telegram">
+            <h2>Telegram chats</h2>
+            <div id="telegramChatsList" class="list"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="discord">
+            <div class="access-tab-heading">
+              <h2>Discord channels</h2>
+              <input id="discordChannelSearch" placeholder="Search Discord channels">
+            </div>
+            <div id="discordChannelsList" class="list"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="locks">
+            <h2>Locks</h2>
+            <div id="locksList" class="list"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="audit">
+            <h2>Audit</h2>
+            <div class="row"><select id="auditChannel"><option value="all">All channels</option><option value="web">Web</option><option value="telegram">Telegram</option><option value="discord">Discord</option></select><select id="auditCategory"><option value="all">All categories</option><option value="prompt">Prompt</option><option value="session">Session</option><option value="queue">Queue</option><option value="agent-update">Agent update</option><option value="artifact">Artifact</option><option value="system">System</option><option value="auth">Auth</option><option value="security">Security</option><option value="tool">Tool</option></select><select id="auditStatus"><option value="all">All statuses</option><option value="ok">OK</option><option value="failed">Failed</option><option value="denied">Denied</option></select><input id="auditActor" placeholder="Actor"><input id="auditAgent" placeholder="Agent"><input id="auditThread" placeholder="Thread ID"><input id="auditWorkspace" placeholder="Workspace"><input id="auditSince" type="datetime-local"><input id="auditLimit" type="number" value="50" min="1" max="500"><button id="loadAuditBtn">Load audit</button><button id="exportAuditBtn" class="secondary">Export</button></div>
+            <div id="auditList" class="list"></div>
+          </div>
         </div>
       </section>
 

package/dist/web-dashboard-runtime-routes.js

@@ -11,7 +11,7 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/update") {
-        sendJson(res, 202, runtime.updateConnector());
+        sendJson(res, 202, runtime.updateConnector(options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/agent-updates") {
@@ -23,7 +23,7 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
         const agentId = options.parseAgentIdRequired(stringField(body, "agentId"));
         const operation = parseAgentUpdateOperation(optionalStringField(body, "operation"));
         options.assertScopedAgent(authUser, agentId);
-        sendJson(res, 202, { job: runtime.startAgentUpdate(agentId, operation) });
+        sendJson(res, 202, { job: runtime.startAgentUpdate(agentId, operation, options.activityActor) });
         return true;
     }
     const agentUpdateLogMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/log$/);
@@ -36,7 +36,7 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
     if (req.method === "DELETE" && agentUpdateLogMatch?.[1]) {
         const id = decodeURIComponent(agentUpdateLogMatch[1]);
         options.assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { deletedId: id, job: runtime.deleteAgentUpdateLog(id) });
+        sendJson(res, 200, { deletedId: id, job: runtime.deleteAgentUpdateLog(id, options.activityActor) });
         return true;
     }
     const agentUpdateInputMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/input$/);
@@ -44,20 +44,53 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
         const body = await readJsonBody(req);
         const id = decodeURIComponent(agentUpdateInputMatch[1]);
         options.assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { job: runtime.sendAgentUpdateInput(id, stringField(body, "input")) });
+        sendJson(res, 200, { job: runtime.sendAgentUpdateInput(id, stringField(body, "input"), options.activityActor) });
         return true;
     }
     const agentUpdateCancelMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/cancel$/);
     if (req.method === "POST" && agentUpdateCancelMatch?.[1]) {
         const id = decodeURIComponent(agentUpdateCancelMatch[1]);
         options.assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { job: runtime.cancelAgentUpdate(id) });
+        sendJson(res, 200, { job: runtime.cancelAgentUpdate(id, options.activityActor) });
         return true;
     }
     if (req.method === "GET" && (url.pathname === "/api/tasks" || url.pathname === "/api/progress")) {
         sendJson(res, 200, await options.scopedTasks(authUser, runtime.tasks()));
         return true;
     }
+    if (req.method === "GET" && url.pathname === "/api/metrics") {
+        sendJson(res, 200, await runtime.metrics());
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/jobs") {
+        sendJson(res, 200, await runtime.jobs());
+        return true;
+    }
+    const jobLogMatch = url.pathname.match(/^\/api\/jobs\/([^/]+)\/log$/);
+    if (req.method === "GET" && jobLogMatch?.[1]) {
+        sendJson(res, 200, await runtime.jobLog(decodeURIComponent(jobLogMatch[1])));
+        return true;
+    }
+    const jobActionMatch = url.pathname.match(/^\/api\/jobs\/([^/]+)\/action$/);
+    if (req.method === "POST" && jobActionMatch?.[1]) {
+        const body = await readJsonBody(req);
+        const id = decodeURIComponent(jobActionMatch[1]);
+        const action = stringField(body, "action");
+        if (action !== "cancel" && action !== "retry") {
+            throw new Error("Unsupported job action.");
+        }
+        const permission = permissionForJobAction(id, action);
+        if (!users.hasPermission(authUser, permission)) {
+            sendJson(res, 403, { error: `Access denied: ${permission} permission required.` });
+            return true;
+        }
+        sendJson(res, 200, await runtime.jobAction(id, action, options.activityActor));
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/active-sessions") {
+        sendJson(res, 200, options.scopedActiveSessions(authUser, await runtime.activeSessions()));
+        return true;
+    }
     if (req.method === "GET" && url.pathname === "/api/adapters/health") {
         sendJson(res, 200, { adapters: (await runtime.adapterHealth()).filter((adapter) => users.canUseAgent(authUser, adapter.id)) });
         return true;
@@ -70,7 +103,7 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
     if (req.method === "POST" && url.pathname === "/api/logs/clear") {
         const body = await readJsonBody(req);
         const target = parseLogTarget(optionalStringField(body, "target"));
-        sendJson(res, 200, runtime.clearLogs(target));
+        sendJson(res, 200, runtime.clearLogs(target, options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/diagnostics") {
@@ -80,13 +113,25 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
     }
     if (req.method === "GET" && url.pathname === "/api/diagnostics/bundle") {
         await options.assertCurrentSessionScope(authUser);
-        const bundle = await runtime.supportBundle();
+        const bundle = await runtime.supportBundle(options.activityActor);
         sendFile(res, bundle.path, bundle.name);
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/runtime/restart") {
-        sendJson(res, 202, runtime.restartConnector());
+        sendJson(res, 202, runtime.restartConnector(options.activityActor));
         return true;
     }
     return false;
 }
+function permissionForJobAction(id, action) {
+    if (id === "web:current" && action === "cancel") {
+        return "prompt.abort";
+    }
+    if (id.startsWith("queue:")) {
+        return "queue.write";
+    }
+    if (id.startsWith("support-bundle:")) {
+        return "diagnostics.read";
+    }
+    return "updates.run";
+}

package/dist/web-dashboard-session-routes.js

@@ -10,12 +10,12 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
     if (req.method === "POST" && url.pathname === "/api/locks") {
         const body = await readJsonBody(req);
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { lock: runtime.lockWebSession(optionalStringField(body, "ownerName")), locks: runtime.locks() });
+        sendJson(res, 200, { lock: runtime.lockWebSession(optionalStringField(body, "ownerName"), options.activityActor), locks: runtime.locks() });
         return true;
     }
     if (req.method === "DELETE" && url.pathname === "/api/locks") {
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, runtime.unlockWebSession());
+        sendJson(res, 200, runtime.unlockWebSession(options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/auth/status") {
@@ -28,14 +28,14 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
         const body = await readJsonBody(req);
         const agentId = options.parseAgentId(optionalStringField(body, "agentId"));
         options.assertScopedAgent(authUser, agentId);
-        sendJson(res, 200, await runtime.login(agentId));
+        sendJson(res, 200, await runtime.login(agentId, options.activityActor));
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/auth/logout") {
         const body = await readJsonBody(req);
         const agentId = options.parseAgentId(optionalStringField(body, "agentId"));
         options.assertScopedAgent(authUser, agentId);
-        sendJson(res, 200, await runtime.logout(agentId));
+        sendJson(res, 200, await runtime.logout(agentId, options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/snapshot") {
@@ -62,7 +62,7 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
             throw new Error(`Invalid agent: ${agentId}`);
         }
         options.assertScopedAgent(authUser, agentId);
-        sendJson(res, 200, { session: await runtime.setAgent(agentId) });
+        sendJson(res, 200, { session: await runtime.setAgent(agentId, options.activityActor) });
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/sessions/new") {
@@ -79,7 +79,7 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
                 reasoningEffort: optionalStringField(body, "reasoningEffort"),
                 launchProfileId: optionalStringField(body, "launchProfileId"),
                 fastMode: optionalBooleanField(body, "fastMode"),
-            }),
+            }, options.activityActor),
         });
         return true;
     }
@@ -90,14 +90,14 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
         if (detail.record && typeof detail.record === "object") {
             options.assertSessionScope(authUser, detail.record);
         }
-        const session = await runtime.switchSession(threadId);
+        const session = await runtime.switchSession(threadId, options.activityActor);
         options.assertSessionScope(authUser, session);
         sendJson(res, 200, { session });
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/sessions/attach") {
         const body = await readJsonBody(req);
-        const session = await runtime.attachSession(stringField(body, "threadId"));
+        const session = await runtime.attachSession(stringField(body, "threadId"), options.activityActor);
         options.assertSessionScope(authUser, session);
         sendJson(res, 200, { session });
         return true;
@@ -117,31 +117,31 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
     if (req.method === "POST" && url.pathname === "/api/session/model") {
         const body = await readJsonBody(req);
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { session: await runtime.setModel(stringField(body, "model")) });
+        sendJson(res, 200, { session: await runtime.setModel(stringField(body, "model"), options.activityActor) });
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/session/reasoning") {
         const body = await readJsonBody(req);
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { session: await runtime.setReasoningEffort(stringField(body, "reasoning")) });
+        sendJson(res, 200, { session: await runtime.setReasoningEffort(stringField(body, "reasoning"), options.activityActor) });
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/session/fast") {
         const body = await readJsonBody(req);
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { session: await runtime.setFastMode(Boolean(body?.enabled)) });
+        sendJson(res, 200, { session: await runtime.setFastMode(Boolean(body?.enabled), options.activityActor) });
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/session/launch") {
         const body = await readJsonBody(req);
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { session: await runtime.setLaunchProfile(stringField(body, "profileId")) });
+        sendJson(res, 200, { session: await runtime.setLaunchProfile(stringField(body, "profileId"), options.activityActor) });
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/prompt") {
         const body = await readJsonBody(req);
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 202, await runtime.sendPrompt(stringField(body, "text")));
+        sendJson(res, 202, await runtime.sendPrompt(stringField(body, "text"), options.activityActor));
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/prompt/upload") {
@@ -150,28 +150,28 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
         sendJson(res, 202, await runtime.sendUploadPrompt({
             text: optionalStringField(body, "text"),
             files: parseUploadFiles(body.files),
-        }));
+        }, options.activityActor));
         return true;
     }
     if (req.method === "POST" && (url.pathname === "/api/abort" || url.pathname === "/api/stop")) {
         await options.assertCurrentSessionScope(authUser);
-        await runtime.abort();
+        await runtime.abort(options.activityActor);
         sendJson(res, 200, { ok: true });
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/handback") {
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.handback());
+        sendJson(res, 200, await runtime.handback(options.activityActor));
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/retry") {
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 202, await runtime.retry());
+        sendJson(res, 202, await runtime.retry(options.activityActor));
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/sync") {
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.sync());
+        sendJson(res, 200, await runtime.sync(options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/queue") {
@@ -182,7 +182,7 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
     if (req.method === "POST" && url.pathname === "/api/queue") {
         const body = await readJsonBody(req);
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, { queue: runtime.queueAction(stringField(body, "action"), optionalStringField(body, "id")), paused: runtime.queuePaused() });
+        sendJson(res, 200, { queue: runtime.queueAction(stringField(body, "action"), optionalStringField(body, "id"), options.activityActor), paused: runtime.queuePaused() });
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/chat/history") {
@@ -192,7 +192,7 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
     }
     if (req.method === "DELETE" && url.pathname === "/api/chat/history") {
         await options.assertCurrentSessionScope(authUser);
-        sendJson(res, 200, await runtime.clearChatHistory());
+        sendJson(res, 200, await runtime.clearChatHistory(options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/activity") {
@@ -201,6 +201,13 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
                 limit: numberParam(url, "limit", 100),
                 source: (url.searchParams.get("source") || "all"),
                 status: (url.searchParams.get("status") || "all"),
+                category: (url.searchParams.get("category") || "all"),
+                actor: url.searchParams.get("actor") || undefined,
+                agentId: url.searchParams.get("agent") || "all",
+                threadId: url.searchParams.get("thread") || undefined,
+                workspace: url.searchParams.get("workspace") || undefined,
+                type: url.searchParams.get("type") || undefined,
+                since: url.searchParams.get("since") || undefined,
             })),
         });
         return true;

package/dist/web-dashboard-ui.js

@@ -4,6 +4,7 @@ export const DASHBOARD_PAGES = [
     { id: "sessions", label: "Sessions", permission: "sessions.read" },
     { id: "queue", label: "Queue", permission: "queue.read" },
     { id: "tasks", label: "Tasks", permission: "inspect" },
+    { id: "metrics", label: "Metrics", permission: "inspect" },
     { id: "activity", label: "Activity", permission: "sessions.read" },
     { id: "artifacts", label: "Artifacts", permission: "files.read" },
     { id: "adapters", label: "Adapters", permission: "inspect" },