@nordbyte/nordrelay 0.5.2 → 0.7.0

package/dist/web-dashboard-pages.js

@@ -44,6 +44,58 @@ export function renderLoginPage(options) {
 </body>
 </html>`;
 }
+export function renderFirstRunSetupPage(options) {
+    return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>NordRelay First Run</title>
+  <style>
+    body{margin:0;min-height:100vh;display:grid;place-items:center;background:#f4f5f2;color:#181c19;font-family:Inter,system-ui,-apple-system,Segoe UI,sans-serif}
+    form{width:min(460px,calc(100vw - 32px));background:white;border:1px solid #dfe3dc;border-radius:8px;padding:24px;box-shadow:0 20px 60px rgba(20,30,24,.08)}
+    h1{font-size:24px;margin:0 0 8px}
+    p{color:#5d665d;margin:0 0 18px;line-height:1.45}
+    label{display:block;font-size:13px;color:#4b544d;margin:14px 0 6px}
+    input{box-sizing:border-box;width:100%;height:40px;border:1px solid #cfd6ce;border-radius:6px;padding:0 10px;font:inherit}
+    button{margin-top:18px;width:100%;height:42px;border:0;border-radius:6px;background:#205c43;color:white;font-weight:650;cursor:pointer}
+    .error{color:#9b1c1c;min-height:22px;margin-top:12px}
+    small{display:block;color:#667267;margin-top:8px;line-height:1.4}
+  </style>
+</head>
+<body>
+  <form id="setup">
+    <h1>NordRelay Setup</h1>
+    <p>Create the first admin account. After this, every dashboard page and API route requires login.</p>
+    <label>Email</label><input id="email" name="email" type="email" autocomplete="username" required>
+    <label>Name</label><input id="displayName" name="displayName" autocomplete="name" required>
+    <label>Password</label><input id="password" name="password" type="password" autocomplete="new-password" minlength="12" required>
+    <label>Setup token</label><input id="setupToken" name="setupToken" autocomplete="one-time-code" ${options.tokenRequired ? "required" : ""}>
+    <small>${options.tokenRequired ? "Use the token printed in the NordRelay console." : "Local setup does not require the token, but the console token also works."}</small>
+    <button>Create admin</button>
+    <div class="error" id="error"></div>
+  </form>
+  <script>
+    document.getElementById('setup').addEventListener('submit', async (event) => {
+      event.preventDefault();
+      const payload = {
+        email: document.getElementById('email')?.value || undefined,
+        displayName: document.getElementById('displayName')?.value || undefined,
+        password: document.getElementById('password')?.value || undefined,
+        setupToken: document.getElementById('setupToken')?.value || undefined,
+      };
+      const res = await fetch('/api/setup/admin', { method:'POST', headers:{'content-type':'application/json'}, body: JSON.stringify(payload) });
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        document.getElementById('error').textContent = data.error || 'Setup failed';
+        return;
+      }
+      location.href = '/';
+    });
+  </script>
+</body>
+</html>`;
+}
 export function renderDashboardApp() {
     return `<!doctype html>
 <html lang="en">
@@ -71,6 +123,7 @@ export function renderDashboardApp() {
         </div>
         <div class="header-actions">
           <span id="connectionStatus" class="badge">Connecting</span>
+          <select id="peerSelect" title="NordRelay target"></select>
           <select id="agentSelect"></select>
           <button id="themeBtn" class="secondary" title="Toggle dark theme">Dark</button>
           <button id="refreshBtn">Refresh</button>
@@ -81,7 +134,7 @@ export function renderDashboardApp() {
       <section class="page active" id="page-overview">
         <div class="metrics" id="metrics"></div>
         <div class="stack">
-          <div class="panel"><h2>Current Session</h2><pre id="sessionText"></pre></div>
+          <div class="panel"><h2>Active Sessions</h2><div id="activeSessions" class="list"></div></div>
           <div class="overview-adapter-grid">
             <div class="panel"><h2>Agent Adapters</h2><div id="agentAdapters"></div></div>
             <div class="panel"><h2>Chat Adapters</h2><div id="chatAdapters"></div></div>
@@ -129,6 +182,13 @@ export function renderDashboardApp() {
         </div>
       </section>
 
+      <section class="page" id="page-metrics">
+        <div class="panel">
+          <div class="row"><button id="reloadMetricsBtn">Reload metrics</button></div>
+          <div id="metricsPanel" class="list"></div>
+        </div>
+      </section>
+
       <section class="page" id="page-sessions">
         <div class="panel">
           <div class="sessions-toolbar">
@@ -149,7 +209,7 @@ export function renderDashboardApp() {
 
       <section class="page" id="page-activity">
         <div class="panel">
-          <div class="row"><select id="activitySource"><option value="all">All sources</option><option value="web">Web</option><option value="cli">CLI</option></select><select id="activityStatus"><option value="all">All statuses</option><option value="queued">Queued</option><option value="running">Running</option><option value="completed">Completed</option><option value="failed">Failed</option><option value="aborted">Aborted</option><option value="info">Info</option></select><input id="activitySince" type="datetime-local"><input id="activityLimit" type="number" value="100" min="1" max="500"><button id="loadActivityBtn">Load activity</button><button id="exportActivityBtn" class="secondary">Export</button></div>
+          <div class="row"><select id="activitySource"><option value="all">All sources</option><option value="web">Web</option><option value="telegram">Telegram</option><option value="discord">Discord</option><option value="cli">CLI</option></select><select id="activityCategory"><option value="all">All categories</option><option value="prompt">Prompt</option><option value="session">Session</option><option value="queue">Queue</option><option value="agent-update">Agent update</option><option value="artifact">Artifact</option><option value="system">System</option><option value="auth">Auth</option><option value="security">Security</option><option value="tool">Tool</option></select><select id="activityStatus"><option value="all">All statuses</option><option value="queued">Queued</option><option value="running">Running</option><option value="completed">Completed</option><option value="failed">Failed</option><option value="aborted">Aborted</option><option value="info">Info</option></select><input id="activityActor" placeholder="Actor"><input id="activityAgent" placeholder="Agent"><input id="activityThread" placeholder="Thread ID"><input id="activityWorkspace" placeholder="Workspace"><input id="activityType" placeholder="Type"><input id="activitySince" type="datetime-local"><input id="activityLimit" type="number" value="100" min="1" max="500"><button id="loadActivityBtn">Load activity</button><button id="exportActivityBtn" class="secondary">Export</button></div>
           <div id="activityList" class="list"></div>
         </div>
       </section>
@@ -169,19 +229,55 @@ export function renderDashboardApp() {
         </div>
       </section>
 
+      <section class="page" id="page-peers">
+        <div class="panel">
+          <div class="row"><button id="loadPeersBtn">Reload peers</button><button id="createPeerInviteBtn">Create invite</button><button id="addPeerBtn" class="secondary">Add peer</button></div>
+          <div id="peerStatus" class="list"></div>
+          <h2>Configured peers</h2>
+          <div id="peersList" class="list"></div>
+          <h2>Open invitations</h2>
+          <div id="peerInvites" class="list"></div>
+        </div>
+      </section>
+
       <section class="page" id="page-access">
         <div class="panel">
-          <div class="row"><button id="loadAccessBtn">Reload users</button><button id="createUserBtn">Create user</button><button id="createGroupBtn" class="secondary">Create group</button><button id="createChatBtn" class="secondary">Add Telegram chat</button><button id="lockSessionBtn" class="secondary">Lock web session</button><button id="unlockSessionBtn" class="secondary">Unlock web session</button></div>
-          <div id="accessPanel" class="settings-grid"></div>
-          <h2>Groups</h2>
-          <div id="groupsList" class="list"></div>
-          <h2>Telegram chats</h2>
-          <div id="telegramChatsList" class="list"></div>
-          <h2>Locks</h2>
-          <div id="locksList" class="list"></div>
-          <h2>Audit</h2>
-          <div class="row"><input id="auditLimit" type="number" value="50" min="1" max="200"><button id="loadAuditBtn">Load audit</button></div>
-          <div id="auditList" class="list"></div>
+          <div class="row"><button id="loadAccessBtn">Reload users</button><button id="createUserBtn">Create user</button><button id="createGroupBtn" class="secondary">Create group</button><button id="createChatBtn" class="secondary">Add Telegram chat</button><button id="createDiscordChannelBtn" class="secondary">Add Discord channel</button><button id="lockSessionBtn" class="secondary">Lock web session</button><button id="unlockSessionBtn" class="secondary">Unlock web session</button></div>
+          <div id="accessTabs" class="tabs access-tabs">
+            <button type="button" data-access-tab="users" class="active">Users</button>
+            <button type="button" data-access-tab="groups">Groups</button>
+            <button type="button" data-access-tab="telegram">Telegram</button>
+            <button type="button" data-access-tab="discord">Discord</button>
+            <button type="button" data-access-tab="locks">Locks</button>
+            <button type="button" data-access-tab="audit">Audit</button>
+          </div>
+          <div class="access-tab active" data-access-tab-panel="users">
+            <div id="accessPanel" class="settings-grid"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="groups">
+            <h2>Groups</h2>
+            <div id="groupsList" class="list"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="telegram">
+            <h2>Telegram chats</h2>
+            <div id="telegramChatsList" class="list"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="discord">
+            <div class="access-tab-heading">
+              <h2>Discord channels</h2>
+              <input id="discordChannelSearch" placeholder="Search Discord channels">
+            </div>
+            <div id="discordChannelsList" class="list"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="locks">
+            <h2>Locks</h2>
+            <div id="locksList" class="list"></div>
+          </div>
+          <div class="access-tab" data-access-tab-panel="audit">
+            <h2>Audit</h2>
+            <div class="row"><select id="auditChannel"><option value="all">All channels</option><option value="web">Web</option><option value="telegram">Telegram</option><option value="discord">Discord</option></select><select id="auditCategory"><option value="all">All categories</option><option value="prompt">Prompt</option><option value="session">Session</option><option value="queue">Queue</option><option value="agent-update">Agent update</option><option value="artifact">Artifact</option><option value="system">System</option><option value="auth">Auth</option><option value="security">Security</option><option value="tool">Tool</option></select><select id="auditStatus"><option value="all">All statuses</option><option value="ok">OK</option><option value="failed">Failed</option><option value="denied">Denied</option></select><input id="auditActor" placeholder="Actor"><input id="auditAgent" placeholder="Agent"><input id="auditThread" placeholder="Thread ID"><input id="auditWorkspace" placeholder="Workspace"><input id="auditSince" type="datetime-local"><input id="auditLimit" type="number" value="50" min="1" max="500"><button id="loadAuditBtn">Load audit</button><button id="exportAuditBtn" class="secondary">Export</button></div>
+            <div id="auditList" class="list"></div>
+          </div>
         </div>
       </section>
 

package/dist/web-dashboard-peer-routes.js

@@ -0,0 +1,204 @@
+import { isPermission } from "./access-control.js";
+import { AGENT_IDS, isAgentId } from "./agent.js";
+import { ensurePeerTlsFiles, loadOrCreatePeerIdentity, } from "./peer-identity.js";
+import { pairPeer, RemoteRelayClient } from "./peer-client.js";
+import { PeerStore } from "./peer-store.js";
+import { publicPeer } from "./peer-types.js";
+import { arrayStringField, objectRecord, optionalBooleanField, optionalNumberField, optionalStringField, readJsonBody, sendJson, } from "./web-dashboard-http.js";
+export async function handleDashboardPeerRoute(req, res, url, options) {
+    const store = new PeerStore(options.home);
+    const identity = loadOrCreatePeerIdentity(options.home, options.config.peerName);
+    const tls = options.config.peerTlsEnabled ? ensurePeerTlsFiles(options.home, identity.public) : null;
+    if (req.method === "GET" && url.pathname === "/api/peers") {
+        sendJson(res, 200, store.snapshot(identity.public, {
+            enabled: options.config.peerEnabled,
+            listenUrl: peerListenUrl(options.config),
+            requireTls: options.config.peerRequireTls,
+        }));
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/peers/invite") {
+        const body = await readJsonBody(req);
+        const created = store.createInvitation({
+            name: optionalStringField(body, "name"),
+            expiresInMs: (optionalNumberField(body, "expiresMinutes") ?? 10) * 60 * 1000,
+            scopes: parseScopes(arrayStringField(body, "scopes")),
+            allowedAgents: parseAgents(arrayStringField(body, "allowedAgents")),
+            allowedWorkspaceRoots: arrayStringField(body, "allowedWorkspaceRoots"),
+            workspaceAliases: parseWorkspaceAliases(body.workspaceAliases),
+        });
+        const listenUrl = peerListenUrl(options.config);
+        const command = `nordrelay peer add ${listenUrl} --code ${created.code}`;
+        sendJson(res, 201, {
+            invitation: created.invitation,
+            code: created.code,
+            url: listenUrl,
+            fingerprint: identity.public.fingerprint,
+            tlsFingerprint: tls?.fingerprint,
+            command,
+        });
+        options.auditPeerAction?.("peer_invite_created", created.invitation.name);
+        return true;
+    }
+    if (req.method === "POST" && (url.pathname === "/api/peers" || url.pathname === "/api/peers/pair")) {
+        const body = await readJsonBody(req);
+        const result = await pairPeer({
+            url: requiredString(body, "url"),
+            code: requiredString(body, "code"),
+            name: optionalStringField(body, "name"),
+            publicUrl: optionalStringField(body, "publicUrl"),
+        }, identity, store);
+        sendJson(res, 201, { peer: publicPeer(result.peer), tlsFingerprint: result.tlsFingerprint });
+        options.auditPeerAction?.("peer_paired", `${result.peer.name} (${result.peer.id})`);
+        return true;
+    }
+    const peerMatch = url.pathname.match(/^\/api\/peers\/([^/]+)$/);
+    if (peerMatch?.[1] && req.method === "PATCH") {
+        const body = await readJsonBody(req);
+        const peer = store.updatePeer(decodeURIComponent(peerMatch[1]), {
+            name: optionalStringField(body, "name"),
+            url: optionalStringField(body, "url"),
+            enabled: optionalBooleanField(body, "enabled"),
+            scopes: body.scopes === undefined ? undefined : parseScopes(arrayStringField(body, "scopes")),
+            allowedAgents: body.allowedAgents === undefined ? undefined : parseAgents(arrayStringField(body, "allowedAgents")),
+            allowedWorkspaceRoots: body.allowedWorkspaceRoots === undefined ? undefined : arrayStringField(body, "allowedWorkspaceRoots"),
+            workspaceAliases: body.workspaceAliases === undefined ? undefined : parseWorkspaceAliases(body.workspaceAliases),
+        });
+        sendJson(res, 200, { peer: publicPeer(peer) });
+        options.auditPeerAction?.("peer_updated", `${peer.name} (${peer.id})`);
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/peers/global-sessions") {
+        const query = optionalStringField(Object.fromEntries(url.searchParams), "query") ?? "";
+        const agent = parseAgent(optionalStringField(Object.fromEntries(url.searchParams), "agent"));
+        const limit = Math.min(Math.max(Number(url.searchParams.get("limit") ?? 50), 1), 50);
+        const client = new RemoteRelayClient(store);
+        const targets = [];
+        if (options.runtime) {
+            targets.push({
+                peerId: "local",
+                peerName: "Local",
+                ok: true,
+                data: await options.runtime.listSessionsPage(1, limit, query, agent),
+            });
+        }
+        const peers = store.listPublic().filter((peer) => peer.enabled && peer.url);
+        const remoteTargets = await Promise.all(peers.map(async (peer) => {
+            try {
+                const data = await client.webProxy(peer.id, {
+                    method: "GET",
+                    path: "/api/sessions",
+                    query: { query, page: 1, limit, agent },
+                    body: {},
+                    contextKey: "web:dashboard",
+                }, options.activityActor, "web:dashboard");
+                return { peerId: peer.id, peerName: peer.name, ok: true, data };
+            }
+            catch (error) {
+                return { peerId: peer.id, peerName: peer.name, ok: false, error: error instanceof Error ? error.message : String(error) };
+            }
+        }));
+        sendJson(res, 200, { targets: [...targets, ...remoteTargets] });
+        return true;
+    }
+    if (peerMatch?.[1] && req.method === "DELETE") {
+        const peerId = decodeURIComponent(peerMatch[1]);
+        const removed = store.revokePeer(peerId);
+        sendJson(res, 200, { removed });
+        if (removed) {
+            options.auditPeerAction?.("peer_revoked", peerId);
+        }
+        return true;
+    }
+    const proxyMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/proxy$/);
+    if (proxyMatch?.[1] && req.method === "POST") {
+        const body = await readJsonBody(req);
+        const payload = parseProxyPayload(body);
+        const data = await new RemoteRelayClient(store).webProxy(decodeURIComponent(proxyMatch[1]), payload, options.activityActor, payload.contextKey);
+        sendJson(res, 200, data);
+        return true;
+    }
+    const healthMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/health$/);
+    if (healthMatch?.[1] && req.method === "GET") {
+        const peerId = decodeURIComponent(healthMatch[1]);
+        const data = await new RemoteRelayClient(store).rpc(peerId, "peer.ping", undefined, options.activityActor);
+        sendJson(res, 200, { data, peer: publicPeer(store.get(peerId)) });
+        return true;
+    }
+    const eventsMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/events$/);
+    if (eventsMatch?.[1] && req.method === "GET") {
+        res.writeHead(200, {
+            "content-type": "text/event-stream; charset=utf-8",
+            "cache-control": "no-cache, no-transform",
+            connection: "keep-alive",
+        });
+        const sourceContextKey = url.searchParams.get("contextKey") || undefined;
+        const subscription = new RemoteRelayClient(store).subscribe(decodeURIComponent(eventsMatch[1]), (event) => {
+            if (res.destroyed || res.writableEnded)
+                return;
+            res.write(`event: ${event.type}\n`);
+            res.write(`data: ${JSON.stringify(event)}\n\n`);
+        }, (error) => {
+            if (!res.destroyed && !res.writableEnded) {
+                res.write("event: status\n");
+                res.write(`data: ${JSON.stringify({ type: "status", level: "error", message: error.message, at: new Date().toISOString() })}\n\n`);
+            }
+        }, sourceContextKey);
+        const heartbeat = setInterval(() => {
+            if (!res.destroyed && !res.writableEnded)
+                res.write(": heartbeat\n\n");
+        }, 25_000);
+        heartbeat.unref?.();
+        req.on("close", () => {
+            clearInterval(heartbeat);
+            subscription.close();
+        });
+        return true;
+    }
+    return false;
+}
+function peerListenUrl(config) {
+    if (config.peerPublicUrl)
+        return config.peerPublicUrl;
+    const scheme = config.peerTlsEnabled ? "https" : "http";
+    const host = config.peerHost === "0.0.0.0" || config.peerHost === "::" ? "127.0.0.1" : config.peerHost;
+    const displayHost = host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
+    return `${scheme}://${displayHost}:${config.peerPort}`;
+}
+function parseScopes(values) {
+    return values.filter(isPermission);
+}
+function parseAgents(values) {
+    const parsed = values.filter(isAgentId);
+    return parsed.length > 0 ? parsed : [...AGENT_IDS];
+}
+function parseAgent(value) {
+    return value && isAgentId(value) ? value : undefined;
+}
+function parseProxyPayload(body) {
+    return {
+        method: requiredString(body, "method"),
+        path: requiredString(body, "path"),
+        query: objectRecord(body.query),
+        body: objectRecord(body.body),
+        contextKey: optionalStringField(body, "contextKey"),
+    };
+}
+function parseWorkspaceAliases(value) {
+    if (typeof value === "string") {
+        return Object.fromEntries(value.split(",").map((item) => {
+            const [alias, workspace] = item.split("=", 2);
+            return [alias?.trim() ?? "", workspace?.trim() ?? ""];
+        }).filter(([alias, workspace]) => alias && workspace));
+    }
+    const record = objectRecord(value);
+    return Object.fromEntries(Object.entries(record).filter((entry) => typeof entry[1] === "string" && entry[0].trim().length > 0 && entry[1].trim().length > 0));
+}
+function requiredString(body, key) {
+    const value = body[key];
+    const text = typeof value === "string" ? value.trim() : "";
+    if (!text) {
+        throw new Error(`${key} is required.`);
+    }
+    return text;
+}

package/dist/web-dashboard-runtime-routes.js

@@ -11,7 +11,7 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/update") {
-        sendJson(res, 202, runtime.updateConnector());
+        sendJson(res, 202, runtime.updateConnector(options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/agent-updates") {
@@ -23,7 +23,7 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
         const agentId = options.parseAgentIdRequired(stringField(body, "agentId"));
         const operation = parseAgentUpdateOperation(optionalStringField(body, "operation"));
         options.assertScopedAgent(authUser, agentId);
-        sendJson(res, 202, { job: runtime.startAgentUpdate(agentId, operation) });
+        sendJson(res, 202, { job: runtime.startAgentUpdate(agentId, operation, options.activityActor) });
         return true;
     }
     const agentUpdateLogMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/log$/);
@@ -36,7 +36,7 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
     if (req.method === "DELETE" && agentUpdateLogMatch?.[1]) {
         const id = decodeURIComponent(agentUpdateLogMatch[1]);
         options.assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { deletedId: id, job: runtime.deleteAgentUpdateLog(id) });
+        sendJson(res, 200, { deletedId: id, job: runtime.deleteAgentUpdateLog(id, options.activityActor) });
         return true;
     }
     const agentUpdateInputMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/input$/);
@@ -44,20 +44,53 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
         const body = await readJsonBody(req);
         const id = decodeURIComponent(agentUpdateInputMatch[1]);
         options.assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { job: runtime.sendAgentUpdateInput(id, stringField(body, "input")) });
+        sendJson(res, 200, { job: runtime.sendAgentUpdateInput(id, stringField(body, "input"), options.activityActor) });
         return true;
     }
     const agentUpdateCancelMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/cancel$/);
     if (req.method === "POST" && agentUpdateCancelMatch?.[1]) {
         const id = decodeURIComponent(agentUpdateCancelMatch[1]);
         options.assertAgentUpdateJobScope(authUser, id);
-        sendJson(res, 200, { job: runtime.cancelAgentUpdate(id) });
+        sendJson(res, 200, { job: runtime.cancelAgentUpdate(id, options.activityActor) });
         return true;
     }
     if (req.method === "GET" && (url.pathname === "/api/tasks" || url.pathname === "/api/progress")) {
         sendJson(res, 200, await options.scopedTasks(authUser, runtime.tasks()));
         return true;
     }
+    if (req.method === "GET" && url.pathname === "/api/metrics") {
+        sendJson(res, 200, await runtime.metrics());
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/jobs") {
+        sendJson(res, 200, await runtime.jobs());
+        return true;
+    }
+    const jobLogMatch = url.pathname.match(/^\/api\/jobs\/([^/]+)\/log$/);
+    if (req.method === "GET" && jobLogMatch?.[1]) {
+        sendJson(res, 200, await runtime.jobLog(decodeURIComponent(jobLogMatch[1])));
+        return true;
+    }
+    const jobActionMatch = url.pathname.match(/^\/api\/jobs\/([^/]+)\/action$/);
+    if (req.method === "POST" && jobActionMatch?.[1]) {
+        const body = await readJsonBody(req);
+        const id = decodeURIComponent(jobActionMatch[1]);
+        const action = stringField(body, "action");
+        if (action !== "cancel" && action !== "retry") {
+            throw new Error("Unsupported job action.");
+        }
+        const permission = permissionForJobAction(id, action);
+        if (!users.hasPermission(authUser, permission)) {
+            sendJson(res, 403, { error: `Access denied: ${permission} permission required.` });
+            return true;
+        }
+        sendJson(res, 200, await runtime.jobAction(id, action, options.activityActor));
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/active-sessions") {
+        sendJson(res, 200, options.scopedActiveSessions(authUser, await runtime.activeSessions()));
+        return true;
+    }
     if (req.method === "GET" && url.pathname === "/api/adapters/health") {
         sendJson(res, 200, { adapters: (await runtime.adapterHealth()).filter((adapter) => users.canUseAgent(authUser, adapter.id)) });
         return true;
@@ -70,7 +103,7 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
     if (req.method === "POST" && url.pathname === "/api/logs/clear") {
         const body = await readJsonBody(req);
         const target = parseLogTarget(optionalStringField(body, "target"));
-        sendJson(res, 200, runtime.clearLogs(target));
+        sendJson(res, 200, runtime.clearLogs(target, options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/diagnostics") {
@@ -80,13 +113,25 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
     }
     if (req.method === "GET" && url.pathname === "/api/diagnostics/bundle") {
         await options.assertCurrentSessionScope(authUser);
-        const bundle = await runtime.supportBundle();
+        const bundle = await runtime.supportBundle(options.activityActor);
         sendFile(res, bundle.path, bundle.name);
         return true;
     }
     if (req.method === "POST" && url.pathname === "/api/runtime/restart") {
-        sendJson(res, 202, runtime.restartConnector());
+        sendJson(res, 202, runtime.restartConnector(options.activityActor));
         return true;
     }
     return false;
 }
+function permissionForJobAction(id, action) {
+    if (id === "web:current" && action === "cancel") {
+        return "prompt.abort";
+    }
+    if (id.startsWith("queue:")) {
+        return "queue.write";
+    }
+    if (id.startsWith("support-bundle:")) {
+        return "diagnostics.read";
+    }
+    return "updates.run";
+}