@nordbyte/nordrelay 0.6.0 → 0.7.0

package/dist/remote-prompt.js

@@ -0,0 +1,98 @@
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+export async function peerPromptProxyPayload(prompt) {
+    if (typeof prompt.input === "string") {
+        return {
+            method: "POST",
+            path: "/api/prompt",
+            body: { text: prompt.input },
+        };
+    }
+    const files = await remoteUploadFiles(prompt);
+    if (files.length > 0) {
+        return {
+            method: "POST",
+            path: "/api/prompt/upload",
+            body: {
+                text: prompt.input.text ?? "",
+                files,
+            },
+        };
+    }
+    return {
+        method: "POST",
+        path: "/api/prompt",
+        body: { text: prompt.input.text || prompt.description },
+    };
+}
+async function remoteUploadFiles(prompt) {
+    if (typeof prompt.input === "string") {
+        return [];
+    }
+    const candidates = new Map();
+    for (const imagePath of prompt.input.imagePaths ?? []) {
+        candidates.set(imagePath, {
+            name: path.basename(imagePath),
+            mimeType: mimeTypeFromPath(imagePath),
+            localPath: imagePath,
+        });
+    }
+    for (const file of parseStagedFileInstructions(prompt.input.stagedFileInstructions)) {
+        candidates.set(file.localPath, file);
+    }
+    const files = [];
+    for (const file of candidates.values()) {
+        const data = await readFile(file.localPath);
+        files.push({
+            name: file.name,
+            mimeType: file.mimeType,
+            dataBase64: data.toString("base64"),
+        });
+    }
+    return files;
+}
+function parseStagedFileInstructions(text) {
+    if (!text) {
+        return [];
+    }
+    const files = [];
+    for (const line of text.split(/\r?\n/)) {
+        const match = line.match(/^- (.+?) \(([^,]+), [^)]+\) → (.+)$/);
+        if (!match)
+            continue;
+        files.push({
+            name: match[1] || path.basename(match[3] ?? "upload"),
+            mimeType: match[2],
+            localPath: match[3] ?? "",
+        });
+    }
+    return files.filter((file) => file.localPath);
+}
+function mimeTypeFromPath(filePath) {
+    const ext = path.extname(filePath).toLowerCase();
+    if (ext === ".jpg" || ext === ".jpeg")
+        return "image/jpeg";
+    if (ext === ".png")
+        return "image/png";
+    if (ext === ".gif")
+        return "image/gif";
+    if (ext === ".webp")
+        return "image/webp";
+    if (ext === ".pdf")
+        return "application/pdf";
+    if (ext === ".txt" || ext === ".md" || ext === ".log")
+        return "text/plain";
+    if (ext === ".json")
+        return "application/json";
+    if (ext === ".csv")
+        return "text/csv";
+    if (ext === ".mp3")
+        return "audio/mpeg";
+    if (ext === ".wav")
+        return "audio/wav";
+    if (ext === ".ogg")
+        return "audio/ogg";
+    if (ext === ".webm")
+        return "audio/webm";
+    return undefined;
+}

package/dist/telegram-command-menu.js

@@ -1,55 +1,5 @@
+import { telegramCommandCatalog } from "./channel-command-catalog.js";
+export const TELEGRAM_COMMANDS = telegramCommandCatalog();
 export async function registerCommands(bot) {
-    await bot.api.setMyCommands([
-        { command: "start", description: "Welcome & status" },
-        { command: "help", description: "Command reference" },
-        { command: "link", description: "Link Telegram to NordRelay user" },
-        { command: "whoami", description: "Show your NordRelay user" },
-        { command: "register_chat", description: "Admin: enable this group chat" },
-        { command: "channels", description: "Messaging adapter status" },
-        { command: "agents", description: "Agent adapter status" },
-        { command: "agent", description: "Select agent" },
-        { command: "new", description: "Start a new thread" },
-        { command: "session", description: "Current thread details" },
-        { command: "sessions", description: "Browse & switch threads" },
-        { command: "sync", description: "Sync active session from CLI state" },
-        { command: "pinned", description: "Show pinned threads" },
-        { command: "pin", description: "Pin current or given thread" },
-        { command: "unpin", description: "Unpin current or given thread" },
-        { command: "retry", description: "Resend the last prompt" },
-        { command: "queue", description: "Show queued prompts" },
-        { command: "cancel", description: "Cancel a queued prompt" },
-        { command: "clearqueue", description: "Clear queued prompts" },
-        { command: "artifacts", description: "List or resend generated files" },
-        { command: "workspaces", description: "List allowed workspaces" },
-        { command: "abort", description: "Cancel current operation" },
-        { command: "stop", description: "Cancel current operation" },
-        { command: "launch_profiles", description: "Select launch profile" },
-        { command: "fast", description: "Toggle fast mode" },
-        { command: "model", description: "View & change model" },
-        { command: "reasoning", description: "Set reasoning effort" },
-        { command: "mirror", description: "Control CLI mirroring" },
-        { command: "notify", description: "Control notifications" },
-        { command: "auth", description: "Check auth status" },
-        { command: "login", description: "Start authentication" },
-        { command: "logout", description: "Sign out" },
-        { command: "voice", description: "Voice transcription status" },
-        { command: "tasks", description: "Current turn progress" },
-        { command: "progress", description: "Current turn progress" },
-        { command: "activity", description: "Thread activity timeline" },
-        { command: "audit", description: "Admin: recent audit events" },
-        { command: "status", description: "Connector runtime status" },
-        { command: "health", description: "Connector health report" },
-        { command: "version", description: "Connector version" },
-        { command: "logs", description: "Admin: show connector logs" },
-        { command: "diagnostics", description: "Admin: connector diagnostics" },
-        { command: "support", description: "Admin: export diagnostics bundle" },
-        { command: "lock", description: "Lock session writes to you" },
-        { command: "unlock", description: "Release session write lock" },
-        { command: "locks", description: "List session write locks" },
-        { command: "restart", description: "Admin: restart connector" },
-        { command: "update", description: "Admin: update connector or agents" },
-        { command: "handback", description: "Hand session back to CLI" },
-        { command: "attach", description: "Bind a session to this topic" },
-        { command: "switch", description: "Switch to a thread by ID" },
-    ]);
+    await bot.api.setMyCommands([...TELEGRAM_COMMANDS]);
 }

package/dist/telegram-general-commands.js

@@ -37,6 +37,20 @@ export function registerTelegramGeneralCommands(options) {
     options.bot.command("agents", async (ctx) => {
         await options.replyChannelAction(ctx, options.commandService.renderAgents());
     });
+    options.bot.command("peers", async (ctx) => {
+        await options.replyChannelAction(ctx, options.commandService.renderPeers());
+    });
+    options.bot.command("target", async (ctx) => {
+        const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
+        if (!contextSession)
+            return;
+        await options.replyChannelAction(ctx, options.commandService.renderTargetPreference({
+            source: "telegram",
+            contextKey: contextSession.contextKey,
+            argument: ctx.match?.toString() ?? "",
+            preferencesStore: options.preferencesStore,
+        }));
+    });
     options.bot.command("restart", async (ctx) => {
         await safeReply(ctx, escapeHTML("Restarting connector..."), {
             fallbackText: "Restarting connector...",

package/dist/telegram-preference-commands.js

@@ -1,8 +1,5 @@
-import { formatQuietHours, isQuietNow, parseMirrorMode, parseNotifyMode, parseQuietHours, parseVoiceBackendPreference, } from "./bot-preferences.js";
-import { capabilitiesOf, idOf, labelOf, parseToggle, } from "./bot-rendering.js";
-import { friendlyErrorText } from "./error-messages.js";
+import { capabilitiesOf, labelOf, } from "./bot-rendering.js";
 import { escapeHTML } from "./format.js";
-import { getAvailableBackends } from "./voice.js";
 import { evaluateWorkspacePolicy, filterAllowedWorkspaces, renderWorkspacePolicyLine, } from "./workspace-policy.js";
 import { safeReply } from "./telegram-output.js";
 export function registerTelegramPreferenceCommands(options) {
@@ -18,28 +15,15 @@ export function registerTelegramPreferenceCommands(options) {
             return;
         }
         const argument = (ctx.message?.text ?? "").replace(/^\/mirror(?:@\w+)?\s*/i, "").trim();
-        if (argument) {
-            const mode = parseMirrorMode(argument, options.getEffectiveMirrorMode(contextKey));
-            if (!["off", "status", "final", "full"].includes(argument.toLowerCase())) {
-                await safeReply(ctx, escapeHTML("Usage: /mirror [off|status|final|full]"), {
-                    fallbackText: "Usage: /mirror [off|status|final|full]",
-                });
-                return;
-            }
-            options.preferencesStore.update(contextKey, { mirrorMode: mode });
-        }
-        const mode = options.getEffectiveMirrorMode(contextKey);
-        const plain = [
-            `CLI mirroring: ${mode}`,
-            `Minimum update interval: ${options.config.telegramMirrorMinUpdateMs} ms`,
-            "Modes: off, status, final, full",
-        ].join("\n");
-        const html = [
-            `<b>CLI mirroring:</b> <code>${escapeHTML(mode)}</code>`,
-            `<b>Minimum update interval:</b> <code>${options.config.telegramMirrorMinUpdateMs} ms</code>`,
-            "<b>Modes:</b> <code>off</code>, <code>status</code>, <code>final</code>, <code>full</code>",
-        ].join("\n");
-        await safeReply(ctx, html, { fallbackText: plain });
+        const response = options.commandService.renderMirrorPreference({
+            source: "telegram",
+            contextKey,
+            argument,
+            preferencesStore: options.preferencesStore,
+            cliMirrorSupported: capabilitiesOf(session.getInfo()).cliMirror,
+            agentLabel: labelOf(session.getInfo()),
+        });
+        await safeReply(ctx, response.html, { fallbackText: response.plain });
     });
     options.bot.command("notify", async (ctx) => {
         const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
@@ -48,45 +32,13 @@ export function registerTelegramPreferenceCommands(options) {
         }
         const { contextKey } = contextSession;
         const argument = (ctx.message?.text ?? "").replace(/^\/notify(?:@\w+)?\s*/i, "").trim();
-        if (argument) {
-            const quietMatch = argument.match(/^quiet\s+(.+)$/i);
-            if (quietMatch) {
-                let quietHours;
-                try {
-                    quietHours = quietMatch[1].toLowerCase() === "off" ? null : parseQuietHours(quietMatch[1]);
-                }
-                catch (error) {
-                    await safeReply(ctx, escapeHTML(`Invalid quiet hours: ${friendlyErrorText(error)}`), {
-                        fallbackText: `Invalid quiet hours: ${friendlyErrorText(error)}`,
-                    });
-                    return;
-                }
-                options.preferencesStore.update(contextKey, { quietHours });
-            }
-            else {
-                const mode = parseNotifyMode(argument, options.getEffectiveNotifyMode(contextKey));
-                if (!["off", "minimal", "all"].includes(argument.toLowerCase())) {
-                    await safeReply(ctx, escapeHTML("Usage: /notify [off|minimal|all] or /notify quiet HH-HH"), {
-                        fallbackText: "Usage: /notify [off|minimal|all] or /notify quiet HH-HH",
-                    });
-                    return;
-                }
-                options.preferencesStore.update(contextKey, { notifyMode: mode });
-            }
-        }
-        const mode = options.getEffectiveNotifyMode(contextKey);
-        const quietHours = options.getEffectiveQuietHours(contextKey);
-        const plain = [
-            `Notifications: ${mode}`,
-            `Quiet hours: ${formatQuietHours(quietHours)}`,
-            `Currently quiet: ${isQuietNow(quietHours) ? "yes" : "no"}`,
-        ].join("\n");
-        const html = [
-            `<b>Notifications:</b> <code>${escapeHTML(mode)}</code>`,
-            `<b>Quiet hours:</b> <code>${escapeHTML(formatQuietHours(quietHours))}</code>`,
-            `<b>Currently quiet:</b> <code>${isQuietNow(quietHours) ? "yes" : "no"}</code>`,
-        ].join("\n");
-        await safeReply(ctx, html, { fallbackText: plain });
+        const response = options.commandService.renderNotifyPreference({
+            source: "telegram",
+            contextKey,
+            argument,
+            preferencesStore: options.preferencesStore,
+        });
+        await safeReply(ctx, response.html, { fallbackText: response.plain });
     });
     options.bot.command("workspaces", async (ctx) => {
         const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
@@ -131,68 +83,12 @@ export function registerTelegramPreferenceCommands(options) {
         }
         const { contextKey } = contextSession;
         const argument = (ctx.message?.text ?? "").replace(/^\/voice(?:@\w+)?\s*/i, "").trim();
-        if (argument) {
-            const parts = argument.split(/\s+/);
-            const key = parts[0]?.toLowerCase();
-            const value = parts.slice(1).join(" ").trim();
-            if (key === "backend" && value) {
-                options.preferencesStore.update(contextKey, { voiceBackend: parseVoiceBackendPreference(value) });
-            }
-            else if (key === "language") {
-                options.preferencesStore.update(contextKey, { voiceLanguage: value && value.toLowerCase() !== "auto" ? value : null });
-            }
-            else if (key === "transcribe_only" || key === "transcribe-only") {
-                const enabled = parseToggle(value);
-                if (enabled === undefined) {
-                    await safeReply(ctx, escapeHTML("Usage: /voice transcribe_only on|off"), {
-                        fallbackText: "Usage: /voice transcribe_only on|off",
-                    });
-                    return;
-                }
-                options.preferencesStore.update(contextKey, { voiceTranscribeOnly: enabled });
-            }
-            else {
-                await safeReply(ctx, escapeHTML("Usage: /voice, /voice backend auto|parakeet|faster-whisper|openai, /voice language auto|<code>, /voice transcribe_only on|off"), {
-                    fallbackText: "Usage: /voice, /voice backend auto|parakeet|faster-whisper|openai, /voice language auto|<code>, /voice transcribe_only on|off",
-                });
-                return;
-            }
-        }
-        const backends = await getAvailableBackends().catch(() => []);
-        if (backends.length === 0) {
-            await safeReply(ctx, [
-                "<b>Voice transcription is not available.</b>",
-                "",
-                "Install <code>faster-whisper</code> + ffmpeg, install <code>parakeet-coreml</code> on macOS Apple Silicon, or set <code>OPENAI_API_KEY</code>.",
-                "<i>Cloud transcription uses OPENAI_API_KEY, not CODEX_API_KEY.</i>",
-            ].join("\n"), {
-                fallbackText: [
-                    "Voice transcription is not available.",
-                    "",
-                    "Install faster-whisper + ffmpeg, install parakeet-coreml on macOS Apple Silicon, or set OPENAI_API_KEY.",
-                    "Cloud transcription uses OPENAI_API_KEY, not CODEX_API_KEY.",
-                ].join("\n"),
-            });
-            return;
-        }
-        const joined = backends.join(" + ");
-        const backendPreference = options.getEffectiveVoiceBackend(contextKey);
-        const language = options.getEffectiveVoiceLanguage(contextKey);
-        const transcribeOnly = options.isVoiceTranscribeOnly(contextKey);
-        const plain = [
-            `Voice backends: ${joined}`,
-            `Preferred backend: ${backendPreference}`,
-            `Language: ${language ?? "auto"}`,
-            `Transcribe only: ${transcribeOnly ? "on" : "off"}`,
-        ].join("\n");
-        const html = [
-            `<b>Voice backends:</b> <code>${escapeHTML(joined)}</code>`,
-            `<b>Preferred backend:</b> <code>${escapeHTML(backendPreference)}</code>`,
-            `<b>Language:</b> <code>${escapeHTML(language ?? "auto")}</code>`,
-            `<b>Transcribe only:</b> <code>${transcribeOnly ? "on" : "off"}</code>`,
-        ].join("\n");
-        await safeReply(ctx, html, {
-            fallbackText: plain,
+        const response = await options.commandService.renderVoicePreference({
+            source: "telegram",
+            contextKey,
+            argument,
+            preferencesStore: options.preferencesStore,
         });
+        await safeReply(ctx, response.html, { fallbackText: response.plain });
     });
 }

package/dist/web-api-contract.js

@@ -20,6 +20,14 @@ export const WEB_API_ROUTE_DEFINITIONS = [
     dynamic("/api/agent-update/:id/input", "^/api/agent-update/[^/]+/input$", ["POST"], "updates.run", `/api/agent-update/${stringToken}/input`),
     dynamic("/api/agent-update/:id/cancel", "^/api/agent-update/[^/]+/cancel$", ["POST"], "updates.run", `/api/agent-update/${stringToken}/cancel`),
     exact("/api/adapters/health", ["GET"], "inspect"),
+    exact("/api/peers", ["GET", "POST"], readWrite("peers.read", "peers.write")),
+    exact("/api/peers/invite", ["POST"], "peers.write"),
+    exact("/api/peers/pair", ["POST"], "peers.write"),
+    exact("/api/peers/global-sessions", ["GET"], "sessions.read"),
+    dynamic("/api/peers/:id/health", "^/api/peers/[^/]+/health$", ["GET"], "peers.connect", `/api/peers/${stringToken}/health`),
+    dynamic("/api/peers/:id", "^/api/peers/[^/]+$", ["PATCH", "DELETE"], "peers.write", `/api/peers/${stringToken}`),
+    dynamic("/api/peers/:id/proxy", "^/api/peers/[^/]+/proxy$", ["POST"], "peers.connect", `/api/peers/${stringToken}/proxy`),
+    dynamic("/api/peers/:id/events", "^/api/peers/[^/]+/events$", ["GET"], "peers.connect", `/api/peers/${stringToken}/events`),
     exact("/api/permissions", ["GET"], "users.read"),
     exact("/api/users", ["GET", "POST"], readWrite("users.read", "users.write")),
     dynamic("/api/users/:id", "^/api/users/[^/]+$", ["PATCH"], "users.write", `/api/users/${stringToken}`),

package/dist/web-dashboard-pages.js

@@ -123,6 +123,7 @@ export function renderDashboardApp() {
         </div>
         <div class="header-actions">
           <span id="connectionStatus" class="badge">Connecting</span>
+          <select id="peerSelect" title="NordRelay target"></select>
           <select id="agentSelect"></select>
           <button id="themeBtn" class="secondary" title="Toggle dark theme">Dark</button>
           <button id="refreshBtn">Refresh</button>
@@ -228,6 +229,17 @@ export function renderDashboardApp() {
         </div>
       </section>
 
+      <section class="page" id="page-peers">
+        <div class="panel">
+          <div class="row"><button id="loadPeersBtn">Reload peers</button><button id="createPeerInviteBtn">Create invite</button><button id="addPeerBtn" class="secondary">Add peer</button></div>
+          <div id="peerStatus" class="list"></div>
+          <h2>Configured peers</h2>
+          <div id="peersList" class="list"></div>
+          <h2>Open invitations</h2>
+          <div id="peerInvites" class="list"></div>
+        </div>
+      </section>
+
       <section class="page" id="page-access">
         <div class="panel">
           <div class="row"><button id="loadAccessBtn">Reload users</button><button id="createUserBtn">Create user</button><button id="createGroupBtn" class="secondary">Create group</button><button id="createChatBtn" class="secondary">Add Telegram chat</button><button id="createDiscordChannelBtn" class="secondary">Add Discord channel</button><button id="lockSessionBtn" class="secondary">Lock web session</button><button id="unlockSessionBtn" class="secondary">Unlock web session</button></div>

package/dist/web-dashboard-peer-routes.js

@@ -0,0 +1,204 @@
+import { isPermission } from "./access-control.js";
+import { AGENT_IDS, isAgentId } from "./agent.js";
+import { ensurePeerTlsFiles, loadOrCreatePeerIdentity, } from "./peer-identity.js";
+import { pairPeer, RemoteRelayClient } from "./peer-client.js";
+import { PeerStore } from "./peer-store.js";
+import { publicPeer } from "./peer-types.js";
+import { arrayStringField, objectRecord, optionalBooleanField, optionalNumberField, optionalStringField, readJsonBody, sendJson, } from "./web-dashboard-http.js";
+export async function handleDashboardPeerRoute(req, res, url, options) {
+    const store = new PeerStore(options.home);
+    const identity = loadOrCreatePeerIdentity(options.home, options.config.peerName);
+    const tls = options.config.peerTlsEnabled ? ensurePeerTlsFiles(options.home, identity.public) : null;
+    if (req.method === "GET" && url.pathname === "/api/peers") {
+        sendJson(res, 200, store.snapshot(identity.public, {
+            enabled: options.config.peerEnabled,
+            listenUrl: peerListenUrl(options.config),
+            requireTls: options.config.peerRequireTls,
+        }));
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/peers/invite") {
+        const body = await readJsonBody(req);
+        const created = store.createInvitation({
+            name: optionalStringField(body, "name"),
+            expiresInMs: (optionalNumberField(body, "expiresMinutes") ?? 10) * 60 * 1000,
+            scopes: parseScopes(arrayStringField(body, "scopes")),
+            allowedAgents: parseAgents(arrayStringField(body, "allowedAgents")),
+            allowedWorkspaceRoots: arrayStringField(body, "allowedWorkspaceRoots"),
+            workspaceAliases: parseWorkspaceAliases(body.workspaceAliases),
+        });
+        const listenUrl = peerListenUrl(options.config);
+        const command = `nordrelay peer add ${listenUrl} --code ${created.code}`;
+        sendJson(res, 201, {
+            invitation: created.invitation,
+            code: created.code,
+            url: listenUrl,
+            fingerprint: identity.public.fingerprint,
+            tlsFingerprint: tls?.fingerprint,
+            command,
+        });
+        options.auditPeerAction?.("peer_invite_created", created.invitation.name);
+        return true;
+    }
+    if (req.method === "POST" && (url.pathname === "/api/peers" || url.pathname === "/api/peers/pair")) {
+        const body = await readJsonBody(req);
+        const result = await pairPeer({
+            url: requiredString(body, "url"),
+            code: requiredString(body, "code"),
+            name: optionalStringField(body, "name"),
+            publicUrl: optionalStringField(body, "publicUrl"),
+        }, identity, store);
+        sendJson(res, 201, { peer: publicPeer(result.peer), tlsFingerprint: result.tlsFingerprint });
+        options.auditPeerAction?.("peer_paired", `${result.peer.name} (${result.peer.id})`);
+        return true;
+    }
+    const peerMatch = url.pathname.match(/^\/api\/peers\/([^/]+)$/);
+    if (peerMatch?.[1] && req.method === "PATCH") {
+        const body = await readJsonBody(req);
+        const peer = store.updatePeer(decodeURIComponent(peerMatch[1]), {
+            name: optionalStringField(body, "name"),
+            url: optionalStringField(body, "url"),
+            enabled: optionalBooleanField(body, "enabled"),
+            scopes: body.scopes === undefined ? undefined : parseScopes(arrayStringField(body, "scopes")),
+            allowedAgents: body.allowedAgents === undefined ? undefined : parseAgents(arrayStringField(body, "allowedAgents")),
+            allowedWorkspaceRoots: body.allowedWorkspaceRoots === undefined ? undefined : arrayStringField(body, "allowedWorkspaceRoots"),
+            workspaceAliases: body.workspaceAliases === undefined ? undefined : parseWorkspaceAliases(body.workspaceAliases),
+        });
+        sendJson(res, 200, { peer: publicPeer(peer) });
+        options.auditPeerAction?.("peer_updated", `${peer.name} (${peer.id})`);
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/peers/global-sessions") {
+        const query = optionalStringField(Object.fromEntries(url.searchParams), "query") ?? "";
+        const agent = parseAgent(optionalStringField(Object.fromEntries(url.searchParams), "agent"));
+        const limit = Math.min(Math.max(Number(url.searchParams.get("limit") ?? 50), 1), 50);
+        const client = new RemoteRelayClient(store);
+        const targets = [];
+        if (options.runtime) {
+            targets.push({
+                peerId: "local",
+                peerName: "Local",
+                ok: true,
+                data: await options.runtime.listSessionsPage(1, limit, query, agent),
+            });
+        }
+        const peers = store.listPublic().filter((peer) => peer.enabled && peer.url);
+        const remoteTargets = await Promise.all(peers.map(async (peer) => {
+            try {
+                const data = await client.webProxy(peer.id, {
+                    method: "GET",
+                    path: "/api/sessions",
+                    query: { query, page: 1, limit, agent },
+                    body: {},
+                    contextKey: "web:dashboard",
+                }, options.activityActor, "web:dashboard");
+                return { peerId: peer.id, peerName: peer.name, ok: true, data };
+            }
+            catch (error) {
+                return { peerId: peer.id, peerName: peer.name, ok: false, error: error instanceof Error ? error.message : String(error) };
+            }
+        }));
+        sendJson(res, 200, { targets: [...targets, ...remoteTargets] });
+        return true;
+    }
+    if (peerMatch?.[1] && req.method === "DELETE") {
+        const peerId = decodeURIComponent(peerMatch[1]);
+        const removed = store.revokePeer(peerId);
+        sendJson(res, 200, { removed });
+        if (removed) {
+            options.auditPeerAction?.("peer_revoked", peerId);
+        }
+        return true;
+    }
+    const proxyMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/proxy$/);
+    if (proxyMatch?.[1] && req.method === "POST") {
+        const body = await readJsonBody(req);
+        const payload = parseProxyPayload(body);
+        const data = await new RemoteRelayClient(store).webProxy(decodeURIComponent(proxyMatch[1]), payload, options.activityActor, payload.contextKey);
+        sendJson(res, 200, data);
+        return true;
+    }
+    const healthMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/health$/);
+    if (healthMatch?.[1] && req.method === "GET") {
+        const peerId = decodeURIComponent(healthMatch[1]);
+        const data = await new RemoteRelayClient(store).rpc(peerId, "peer.ping", undefined, options.activityActor);
+        sendJson(res, 200, { data, peer: publicPeer(store.get(peerId)) });
+        return true;
+    }
+    const eventsMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/events$/);
+    if (eventsMatch?.[1] && req.method === "GET") {
+        res.writeHead(200, {
+            "content-type": "text/event-stream; charset=utf-8",
+            "cache-control": "no-cache, no-transform",
+            connection: "keep-alive",
+        });
+        const sourceContextKey = url.searchParams.get("contextKey") || undefined;
+        const subscription = new RemoteRelayClient(store).subscribe(decodeURIComponent(eventsMatch[1]), (event) => {
+            if (res.destroyed || res.writableEnded)
+                return;
+            res.write(`event: ${event.type}\n`);
+            res.write(`data: ${JSON.stringify(event)}\n\n`);
+        }, (error) => {
+            if (!res.destroyed && !res.writableEnded) {
+                res.write("event: status\n");
+                res.write(`data: ${JSON.stringify({ type: "status", level: "error", message: error.message, at: new Date().toISOString() })}\n\n`);
+            }
+        }, sourceContextKey);
+        const heartbeat = setInterval(() => {
+            if (!res.destroyed && !res.writableEnded)
+                res.write(": heartbeat\n\n");
+        }, 25_000);
+        heartbeat.unref?.();
+        req.on("close", () => {
+            clearInterval(heartbeat);
+            subscription.close();
+        });
+        return true;
+    }
+    return false;
+}
+function peerListenUrl(config) {
+    if (config.peerPublicUrl)
+        return config.peerPublicUrl;
+    const scheme = config.peerTlsEnabled ? "https" : "http";
+    const host = config.peerHost === "0.0.0.0" || config.peerHost === "::" ? "127.0.0.1" : config.peerHost;
+    const displayHost = host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
+    return `${scheme}://${displayHost}:${config.peerPort}`;
+}
+function parseScopes(values) {
+    return values.filter(isPermission);
+}
+function parseAgents(values) {
+    const parsed = values.filter(isAgentId);
+    return parsed.length > 0 ? parsed : [...AGENT_IDS];
+}
+function parseAgent(value) {
+    return value && isAgentId(value) ? value : undefined;
+}
+function parseProxyPayload(body) {
+    return {
+        method: requiredString(body, "method"),
+        path: requiredString(body, "path"),
+        query: objectRecord(body.query),
+        body: objectRecord(body.body),
+        contextKey: optionalStringField(body, "contextKey"),
+    };
+}
+function parseWorkspaceAliases(value) {
+    if (typeof value === "string") {
+        return Object.fromEntries(value.split(",").map((item) => {
+            const [alias, workspace] = item.split("=", 2);
+            return [alias?.trim() ?? "", workspace?.trim() ?? ""];
+        }).filter(([alias, workspace]) => alias && workspace));
+    }
+    const record = objectRecord(value);
+    return Object.fromEntries(Object.entries(record).filter((entry) => typeof entry[1] === "string" && entry[0].trim().length > 0 && entry[1].trim().length > 0));
+}
+function requiredString(body, key) {
+    const value = body[key];
+    const text = typeof value === "string" ? value.trim() : "";
+    if (!text) {
+        throw new Error(`${key} is required.`);
+    }
+    return text;
+}

package/dist/web-dashboard-ui.js

@@ -8,6 +8,7 @@ export const DASHBOARD_PAGES = [
     { id: "activity", label: "Activity", permission: "sessions.read" },
     { id: "artifacts", label: "Artifacts", permission: "files.read" },
     { id: "adapters", label: "Adapters", permission: "inspect" },
+    { id: "peers", label: "Peers", permission: "peers.read" },
     { id: "access", label: "Users", permission: "users.read" },
     { id: "version", label: "Version", permission: "inspect" },
     { id: "settings", label: "Settings", permission: "settings.read" },

package/dist/web-dashboard.js

@@ -21,6 +21,7 @@ import { objectRecord, optionalStringField, parseCookies, readJsonBody, sendJson
 import { renderDashboardApp, renderFirstRunSetupPage, renderLoginPage } from "./web-dashboard-pages.js";
 import { handleDashboardRuntimeRoute } from "./web-dashboard-runtime-routes.js";
 import { handleDashboardSessionRoute } from "./web-dashboard-session-routes.js";
+import { handleDashboardPeerRoute } from "./web-dashboard-peer-routes.js";
 const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
 const options = parseOptions(process.argv.slice(2));
 const config = loadConfig();
@@ -180,6 +181,15 @@ async function handleApi(req, res, url, authUser) {
     })) {
         return;
     }
+    if (await handleDashboardPeerRoute(req, res, url, {
+        config,
+        home: options.home,
+        runtime,
+        activityActor: webActivityActor(authUser),
+        auditPeerAction: (action, description) => auditUserAction(authUser, action, description),
+    })) {
+        return;
+    }
     if (req.method === "GET" && url.pathname === "/api/settings") {
         sendJson(res, 200, await settings.snapshot(process.env, activeSettingsValues(config)));
         return;
@@ -494,6 +504,8 @@ async function scopeRelayEvent(authUser, event, canUseCurrentSession = () => can
             return canUseSession(authUser, event.session) ? event : null;
         case "activity_update":
             return { ...event, events: filterActivityByScope(authUser, event.events) };
+        case "active_sessions_update":
+            return { ...event, active: scopedActiveSessions(authUser, event.active) };
         case "agent_update":
             return users.canUseAgent(authUser, event.job.agentId) ? event : null;
         case "status":