@nordbyte/nordrelay 0.5.1 → 0.6.0

package/dist/web-dashboard.js

@@ -1,4 +1,5 @@
 import { createServer } from "node:http";
+import { randomBytes } from "node:crypto";
 import os from "node:os";
 import path from "node:path";
 import { URL } from "node:url";
@@ -17,7 +18,7 @@ import { handleDashboardAccessRoute } from "./web-dashboard-access-routes.js";
 import { handleDashboardArtifactRoute } from "./web-dashboard-artifact-routes.js";
 import { dashboardCss, dashboardJs } from "./web-dashboard-assets.js";
 import { objectRecord, optionalStringField, parseCookies, readJsonBody, sendJson, sendText, } from "./web-dashboard-http.js";
-import { renderDashboardApp, renderLoginPage } from "./web-dashboard-pages.js";
+import { renderDashboardApp, renderFirstRunSetupPage, renderLoginPage } from "./web-dashboard-pages.js";
 import { handleDashboardRuntimeRoute } from "./web-dashboard-runtime-routes.js";
 import { handleDashboardSessionRoute } from "./web-dashboard-session-routes.js";
 const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
@@ -28,6 +29,11 @@ const settings = new SettingsService(resolveDashboardEnvPath(options.home));
 const users = new UserStore(options.home);
 const auditLog = new AuditLogStore(config.workspace, config.stateBackend, config.auditMaxEvents);
 const loginAttempts = new Map();
+const firstRunSetupToken = users.hasAdminUser() ? undefined : randomBytes(18).toString("base64url");
+const firstRunSetupRequiresToken = !isLoopbackHost(options.host);
+if (firstRunSetupToken) {
+    console.log(`NordRelay first-run setup token: ${firstRunSetupToken}`);
+}
 class AccessDeniedError extends Error {
 }
 const server = createServer((req, res) => {
@@ -45,6 +51,10 @@ async function handleRequest(req, res) {
         await handleLogin(req, res);
         return;
     }
+    if (url.pathname === "/api/setup/admin" && req.method === "POST") {
+        await handleFirstRunSetup(req, res);
+        return;
+    }
     if (url.pathname === "/api/dashboard/logout" && req.method === "POST") {
         handleLogout(req, res);
         return;
@@ -60,6 +70,10 @@ async function handleRequest(req, res) {
     }
     if (!authenticated) {
         if (url.pathname === "/" || url.pathname === "/index.html") {
+            if (!users.hasAdminUser()) {
+                sendText(res, 200, renderFirstRunSetupPage({ tokenRequired: firstRunSetupRequiresToken || !isLoopbackRequest(req) }), "text/html; charset=utf-8");
+                return;
+            }
             sendText(res, 200, renderLoginPage({ adminConfigured: users.hasAdminUser() }), "text/html; charset=utf-8");
             return;
         }
@@ -104,6 +118,7 @@ async function handleApi(req, res, url, authUser) {
             status: "denied",
             channelId: "web",
             contextKey: "web",
+            actor: webActivityActor(authUser),
             actorId: authUser.user.id,
             actorRole: authUser.groups.map((group) => group.name).join(", "),
             description: `Denied unknown endpoint ${req.method ?? "GET"} ${url.pathname}`,
@@ -117,6 +132,7 @@ async function handleApi(req, res, url, authUser) {
             status: "denied",
             channelId: "web",
             contextKey: "web",
+            actor: webActivityActor(authUser),
             actorId: authUser.user.id,
             actorRole: authUser.groups.map((group) => group.name).join(", "),
             description: `${permission} required for ${req.method ?? "GET"} ${url.pathname}`,
@@ -133,6 +149,8 @@ async function handleApi(req, res, url, authUser) {
         assertAgentUpdateJobScope,
         assertCurrentSessionScope,
         scopedTasks,
+        scopedActiveSessions,
+        activityActor: webActivityActor(authUser),
     })) {
         return;
     }
@@ -182,6 +200,7 @@ async function handleApi(req, res, url, authUser) {
         assertSessionDetailScope,
         scopedSessionPage,
         filterActivityByScope,
+        activityActor: webActivityActor(authUser),
     })) {
         return;
     }
@@ -189,6 +208,7 @@ async function handleApi(req, res, url, authUser) {
         runtime,
         authUser,
         assertCurrentSessionScope,
+        activityActor: webActivityActor(authUser),
     })) {
         return;
     }
@@ -239,6 +259,58 @@ async function handleEvents(req, res) {
         unsubscribe();
     });
 }
+async function handleFirstRunSetup(req, res) {
+    if (users.hasAdminUser()) {
+        sendJson(res, 409, { error: "Admin user already exists." });
+        return;
+    }
+    const body = await readJsonBody(req);
+    const email = optionalStringField(body, "email") ?? "";
+    const displayName = optionalStringField(body, "displayName") ?? email;
+    const password = optionalStringField(body, "password") ?? "";
+    const setupToken = optionalStringField(body, "setupToken") ?? "";
+    if ((firstRunSetupRequiresToken || !isLoopbackRequest(req)) && setupToken !== firstRunSetupToken) {
+        audit({
+            action: "auth_login_failed",
+            status: "denied",
+            channelId: "web",
+            contextKey: "web",
+            description: `Rejected remote first-run setup for ${email || "unknown"}`,
+        });
+        sendJson(res, 403, { error: "Setup token required." });
+        return;
+    }
+    if (setupToken && setupToken !== firstRunSetupToken) {
+        sendJson(res, 403, { error: "Invalid setup token." });
+        return;
+    }
+    if (!email || !password || password.length < 12) {
+        sendJson(res, 400, { error: "Email and a password with at least 12 characters are required." });
+        return;
+    }
+    const authUser = users.createAdmin({ email, displayName, password });
+    const session = users.createWebSession(authUser.user.id);
+    audit({
+        action: "user_created",
+        status: "ok",
+        channelId: "web",
+        contextKey: "web",
+        actor: webActivityActor(authUser),
+        actorId: authUser.user.id,
+        actorRole: authUser.groups.map((group) => group.name).join(", "),
+        description: `First admin created: ${authUser.user.email}`,
+    });
+    runtime.recordActivity({
+        source: "web",
+        status: "info",
+        type: "first_run_admin_created",
+        threadId: null,
+        actor: webActivityActor(authUser),
+        detail: authUser.user.email,
+    });
+    setSessionCookie(res, session.token);
+    sendJson(res, 201, currentUserDto(authUser));
+}
 async function handleLogin(req, res) {
     const body = await readJsonBody(req);
     const email = optionalStringField(body, "email");
@@ -280,13 +352,32 @@ async function handleLogin(req, res) {
         status: "ok",
         channelId: "web",
         contextKey: "web",
+        actor: webActivityActor(authUser),
         actorId: authUser.user.id,
         actorRole: authUser.groups.map((group) => group.name).join(", "),
         description: `Login ${authUser.user.email}`,
     });
+    runtime.recordActivity({
+        source: "web",
+        status: "info",
+        type: "auth_login",
+        threadId: null,
+        actor: webActivityActor(authUser),
+        detail: authUser.user.email,
+    });
     setSessionCookie(res, session.token);
     sendJson(res, 200, currentUserDto(authUser));
 }
+function isLoopbackRequest(req) {
+    const address = req.socket.remoteAddress ?? "";
+    return address === "127.0.0.1" ||
+        address === "::1" ||
+        address === "::ffff:127.0.0.1" ||
+        address === "localhost";
+}
+function isLoopbackHost(host) {
+    return host === "127.0.0.1" || host === "::1" || host === "localhost";
+}
 function handleLogout(req, res) {
     const authUser = authenticateRequest(req);
     users.destroyWebSession(parseCookies(req.headers.cookie ?? "").nr_session);
@@ -345,10 +436,27 @@ function auditUserAction(authUser, action, description) {
         status: "ok",
         channelId: "web",
         contextKey: "web",
+        actor: webActivityActor(authUser),
         actorId: authUser.user.id,
         actorRole: authUser.groups.map((group) => group.name).join(", "),
         description,
     });
+    runtime.recordActivity({
+        source: "web",
+        status: "info",
+        type: action,
+        threadId: null,
+        actor: webActivityActor(authUser),
+        detail: description,
+    });
+}
+function webActivityActor(authUser) {
+    return {
+        channel: "web",
+        id: authUser.user.id,
+        label: authUser.user.displayName || authUser.user.email,
+        username: authUser.user.email,
+    };
 }
 function scopedControlOptions(authUser, options) {
     return {
@@ -372,6 +480,12 @@ async function scopedTasks(authUser, tasks) {
         recent: filterActivityByScope(authUser, tasks.recent),
     };
 }
+function scopedActiveSessions(authUser, active) {
+    return {
+        ...active,
+        sessions: active.sessions.filter((session) => canUseSession(authUser, session)),
+    };
+}
 async function scopeRelayEvent(authUser, event, canUseCurrentSession = () => canUseCurrentSessionScope(authUser)) {
     switch (event.type) {
         case "snapshot":
@@ -504,6 +618,7 @@ function optionalEnv(key) {
 }
 function activeSettingsValues(current) {
     return {
+        TELEGRAM_ENABLED: boolValue(current.telegramEnabled),
         TELEGRAM_BOT_TOKEN: current.telegramBotToken,
         TELEGRAM_TRANSPORT: current.telegramTransport,
         TELEGRAM_WEBHOOK_URL: current.telegramWebhookUrl,
@@ -511,6 +626,20 @@ function activeSettingsValues(current) {
         TELEGRAM_WEBHOOK_PORT: String(current.telegramWebhookPort),
         TELEGRAM_WEBHOOK_PATH: current.telegramWebhookPath,
         TELEGRAM_WEBHOOK_SECRET: current.telegramWebhookSecret,
+        DISCORD_ENABLED: boolValue(current.discordEnabled),
+        DISCORD_BOT_TOKEN: current.discordBotToken,
+        DISCORD_CLIENT_ID: current.discordClientId,
+        DISCORD_GUILD_IDS: current.discordGuildIds.join(","),
+        DISCORD_ALLOWED_GUILD_IDS: current.discordAllowedGuildIds.join(","),
+        DISCORD_ALLOWED_CHANNEL_IDS: current.discordAllowedChannelIds.join(","),
+        DISCORD_MESSAGE_CONTENT_ENABLED: boolValue(current.discordMessageContentEnabled),
+        DISCORD_COMMAND_MODE: current.discordCommandMode,
+        DISCORD_AUTO_REGISTER_COMMANDS: boolValue(current.discordAutoRegisterCommands),
+        DISCORD_CLI_MIRROR_MODE: current.discordMirrorMode === current.mirrorMode ? "" : current.discordMirrorMode,
+        DISCORD_CLI_MIRROR_MIN_UPDATE_MS: current.discordMirrorMinUpdateMs === current.mirrorMinUpdateMs ? "" : String(current.discordMirrorMinUpdateMs),
+        DISCORD_NOTIFY_MODE: current.discordNotifyMode === current.notifyMode ? "" : current.discordNotifyMode,
+        DISCORD_QUIET_HOURS: quietOverrideValue(current.discordQuietHours, current.quietHours),
+        DISCORD_AUTO_SEND_ARTIFACTS: current.discordAutoSendArtifacts === current.autoSendArtifacts ? "" : boolValue(current.discordAutoSendArtifacts),
         NORDRELAY_CODEX_ENABLED: boolValue(current.codexEnabled),
         NORDRELAY_PI_ENABLED: boolValue(current.piEnabled),
         NORDRELAY_HERMES_ENABLED: boolValue(current.hermesEnabled),
@@ -565,10 +694,15 @@ function activeSettingsValues(current) {
         ENABLE_TELEGRAM_REACTIONS: boolValue(current.enableTelegramReactions),
         TELEGRAM_RATE_LIMIT_MIN_INTERVAL_MS: String(current.telegramRateLimitMinIntervalMs),
         TELEGRAM_EDIT_MIN_INTERVAL_MS: String(current.telegramEditMinIntervalMs),
-        TELEGRAM_CLI_MIRROR_MODE: current.telegramMirrorMode,
-        TELEGRAM_CLI_MIRROR_MIN_UPDATE_MS: String(current.telegramMirrorMinUpdateMs),
-        TELEGRAM_NOTIFY_MODE: current.telegramNotifyMode,
-        TELEGRAM_QUIET_HOURS: current.telegramQuietHours ? `${current.telegramQuietHours.startHour}-${current.telegramQuietHours.endHour}` : "",
+        NORDRELAY_CLI_MIRROR_MODE: current.mirrorMode,
+        NORDRELAY_CLI_MIRROR_MIN_UPDATE_MS: String(current.mirrorMinUpdateMs),
+        NORDRELAY_NOTIFY_MODE: current.notifyMode,
+        NORDRELAY_QUIET_HOURS: quietValue(current.quietHours),
+        NORDRELAY_AUTO_SEND_ARTIFACTS: boolValue(current.autoSendArtifacts),
+        TELEGRAM_CLI_MIRROR_MODE: current.telegramMirrorMode === current.mirrorMode ? "" : current.telegramMirrorMode,
+        TELEGRAM_CLI_MIRROR_MIN_UPDATE_MS: current.telegramMirrorMinUpdateMs === current.mirrorMinUpdateMs ? "" : String(current.telegramMirrorMinUpdateMs),
+        TELEGRAM_NOTIFY_MODE: current.telegramNotifyMode === current.notifyMode ? "" : current.telegramNotifyMode,
+        TELEGRAM_QUIET_HOURS: quietOverrideValue(current.telegramQuietHours, current.quietHours),
         TELEGRAM_REDACT_PATTERNS: current.telegramRedactPatterns.join(","),
         NORDRELAY_UPDATE_METHOD: process.env.NORDRELAY_UPDATE_METHOD || "auto",
         MAX_FILE_SIZE: String(current.maxFileSize),
@@ -577,13 +711,16 @@ function activeSettingsValues(current) {
         ARTIFACT_MAX_INBOX_DIRS: String(current.artifactMaxInboxDirs),
         ARTIFACT_IGNORE_DIRS: current.artifactIgnoreDirs.join(","),
         ARTIFACT_IGNORE_GLOBS: current.artifactIgnoreGlobs.join(","),
-        TELEGRAM_AUTO_SEND_ARTIFACTS: boolValue(current.telegramAutoSendArtifacts),
+        TELEGRAM_AUTO_SEND_ARTIFACTS: current.telegramAutoSendArtifacts === current.autoSendArtifacts ? "" : boolValue(current.telegramAutoSendArtifacts),
         WORKSPACE_ALLOWED_ROOTS: current.workspaceAllowedRoots.join(","),
         WORKSPACE_WARN_ROOTS: current.workspaceWarnRoots.join(","),
         NORDRELAY_STATE_BACKEND: current.stateBackend,
         NORDRELAY_AUDIT_MAX_EVENTS: String(current.auditMaxEvents),
         NORDRELAY_SESSION_LOCK_TTL_MS: String(current.sessionLockTtlMs),
+        NORDRELAY_DASHBOARD_CACHE_TTL_MS: String(current.dashboardCacheTtlMs),
+        NORDRELAY_UNIFIED_JOB_MAX_ITEMS: String(current.unifiedJobMaxItems),
         NORDRELAY_VERSION_CACHE_TTL_MS: process.env.NORDRELAY_VERSION_CACHE_TTL_MS,
+        NORDRELAY_CLI_VERSION_CACHE_TTL_MS: process.env.NORDRELAY_CLI_VERSION_CACHE_TTL_MS,
         VOICE_PREFERRED_BACKEND: current.voicePreferredBackend,
         VOICE_DEFAULT_LANGUAGE: current.voiceDefaultLanguage,
         VOICE_TRANSCRIBE_ONLY: boolValue(current.voiceTranscribeOnly),
@@ -600,6 +737,12 @@ function activeSettingsValues(current) {
 function boolValue(value) {
     return value ? "true" : "false";
 }
+function quietValue(value) {
+    return value ? `${value.startHour}-${value.endHour}` : "";
+}
+function quietOverrideValue(channelValue, defaultValue) {
+    return quietValue(channelValue) === quietValue(defaultValue) ? "" : quietValue(channelValue);
+}
 function requireArg(argv, index, flag) {
     const value = argv[index];
     if (!value || value.startsWith("--")) {

package/dist/web-state.js

@@ -1,4 +1,5 @@
 import { randomUUID } from "node:crypto";
+import { activityActorLabel, activityCategoryForType, } from "./activity-events.js";
 import { createDocumentStore } from "./state-backend.js";
 const DEFAULT_CHAT_LIMIT = 300;
 const DEFAULT_ACTIVITY_LIMIT = 1000;
@@ -76,6 +77,7 @@ export class WebActivityStore {
             id: randomId(),
             timestamp: input.timestamp ?? new Date().toISOString(),
             ...input,
+            category: input.category ?? activityCategoryForType(input.type),
         };
         payload.events.push(event);
         if (payload.events.length > this.maxEvents) {
@@ -86,9 +88,17 @@ export class WebActivityStore {
     }
     list(options = {}) {
         const limit = Math.max(1, Math.min(500, options.limit ?? 100));
+        const since = normalizeSince(options.since);
         return this.readPayload().events
             .filter((event) => !options.source || options.source === "all" || event.source === options.source)
             .filter((event) => !options.status || options.status === "all" || event.status === options.status)
+            .filter((event) => !options.category || options.category === "all" || (event.category ?? activityCategoryForType(event.type)) === options.category)
+            .filter((event) => !options.agentId || options.agentId === "all" || event.agentId === options.agentId)
+            .filter((event) => !options.threadId || event.threadId === options.threadId)
+            .filter((event) => !options.workspace || event.workspace === options.workspace)
+            .filter((event) => !options.type || event.type.toLowerCase().includes(options.type.toLowerCase()))
+            .filter((event) => !options.actor || activityActorMatches(event.actor, options.actor))
+            .filter((event) => !since || Date.parse(event.timestamp) >= since)
             .slice(-limit)
             .reverse();
     }
@@ -113,7 +123,7 @@ function isWebChatMessage(value) {
         typeof candidate.text === "string" &&
         typeof candidate.timestamp === "string" &&
         ["user", "agent", "system", "tool"].includes(candidate.role) &&
-        ["web", "cli"].includes(candidate.source);
+        ["web", "telegram", "discord", "cli"].includes(candidate.source);
 }
 function isWebActivityEvent(value) {
     if (!value || typeof value !== "object" || Array.isArray(value)) {
@@ -123,9 +133,30 @@ function isWebActivityEvent(value) {
     return typeof candidate.id === "string" &&
         typeof candidate.timestamp === "string" &&
         typeof candidate.type === "string" &&
-        ["web", "cli"].includes(candidate.source) &&
+        ["web", "telegram", "discord", "cli"].includes(candidate.source) &&
         ["queued", "running", "completed", "failed", "aborted", "info"].includes(candidate.status);
 }
+function normalizeSince(value) {
+    if (value === undefined || value === null || value === "") {
+        return null;
+    }
+    const time = typeof value === "number" ? value : Date.parse(value);
+    return Number.isFinite(time) ? time : null;
+}
+function activityActorMatches(actor, query) {
+    const needle = query.trim().toLowerCase();
+    if (!needle) {
+        return true;
+    }
+    return [
+        activityActorLabel(actor),
+        actor?.id,
+        actor?.username,
+        actor?.channelUserId,
+        actor?.channel,
+    ].some((value) => String(value ?? "").toLowerCase().includes(needle));
+}
 function randomId() {
     return randomUUID().replace(/-/g, "").slice(0, 12);
 }
+export { activityActorLabel, activityCategoryForType, auditCategoryForAction, } from "./activity-events.js";

package/dist/webui-assets/dashboard.css

@@ -79,6 +79,41 @@
     width: 100%;
   }
 }
+.access-tab {
+  display: none;
+}
+.access-tab.active {
+  display: block;
+}
+.access-tab-heading {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 12px;
+  margin: 0 0 10px;
+}
+.access-tab-heading h2 {
+  margin: 0;
+}
+.access-tab-heading input {
+  max-width: 320px;
+}
+.access-id-row {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  flex-wrap: wrap;
+}
+@media (max-width: 560px) {
+  .access-tab-heading {
+    align-items: stretch;
+    flex-direction: column;
+  }
+  .access-tab-heading input {
+    max-width: none;
+    width: 100%;
+  }
+}
 .drop-active {
   outline: 2px dashed var(--accent);
   outline-offset: -8px;
@@ -132,6 +167,16 @@
   text-overflow: ellipsis;
   white-space: nowrap;
 }
+#activeSessions {
+  display: grid;
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+  gap: 8px;
+}
+@media (min-width: 1320px) {
+  #activeSessions {
+    grid-template-columns: repeat(3, minmax(0, 1fr));
+  }
+}
 .overview-adapter-grid {
   display: grid;
   grid-template-columns: repeat(2, minmax(0, 1fr));
@@ -152,6 +197,31 @@
 .setting.dirty {
   border-color: var(--accent);
 }
+.setting-label {
+  display: flex !important;
+  align-items: center;
+  gap: 6px;
+}
+.setting-info {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 18px;
+  height: 18px;
+  border: 1px solid var(--border);
+  border-radius: 50%;
+  color: var(--muted);
+  background: var(--surface);
+  font-size: 12px;
+  line-height: 1;
+  cursor: help;
+  font-weight: 700;
+  flex: 0 0 auto;
+}
+.setting-info:focus {
+  outline: 2px solid var(--accent);
+  outline-offset: 2px;
+}
 .setting-actions {
   display: flex;
   gap: 8px;
@@ -169,7 +239,8 @@
   padding: 10px;
   margin: 0 0 12px;
 }
-.task-grid {
+.task-grid,
+.metrics-grid {
   display: grid;
   grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
   gap: 10px;
@@ -914,6 +985,9 @@ dialog::backdrop {
   .page {
     padding: 14px;
   }
+  #activeSessions {
+    grid-template-columns: 1fr;
+  }
   .overview-adapter-grid {
     grid-template-columns: 1fr;
   }