npm - @nordbyte/nordrelay - Versions diffs - 0.8.1 → 0.8.3 - Mend

@nordbyte/nordrelay 0.8.1 → 0.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (179) hide show

package/dist/{web-dashboard-peer-routes.js → web/web-dashboard-peer-routes.js} RENAMED Viewed

@@ -1,10 +1,11 @@
-import { isPermission } from "./access-control.js";
-import { AGENT_IDS, isAgentId } from "./agent.js";
-import { ensurePeerTlsFiles, loadOrCreatePeerIdentity, } from "./peer-identity.js";
-import { checkPeerEndpoint, pairPeer, RemoteRelayClient } from "./peer-client.js";
-import { buildPeerReadiness, peerListenUrl } from "./peer-readiness.js";
-import { PeerStore } from "./peer-store.js";
-import { publicPeer } from "./peer-types.js";
+import { isPermission } from "../access/access-control.js";
+import { AGENT_IDS, isAgentId } from "../agents/shared/agent.js";
+import { exportPeerIdentityBackup, ensurePeerTlsFiles, loadOrCreatePeerIdentity, restorePeerIdentityBackup, } from "../peers/peer-identity.js";
+import { checkPeerEndpoint, checkPeerIdentityEndpoint, pairPeer, RemoteRelayClient } from "../peers/peer-client.js";
+import { buildPeerReadiness, peerListenUrl } from "../peers/peer-readiness.js";
+import { discoverLanPeers } from "../peers/peer-discovery.js";
+import { PeerStore } from "../peers/peer-store.js";
+import { publicPeer } from "../peers/peer-types.js";
 import { arrayStringField, objectRecord, optionalBooleanField, optionalNumberField, optionalStringField, readJsonBody, sendJson, } from "./web-dashboard-http.js";
 export async function handleDashboardPeerRoute(req, res, url, options) {
     const store = new PeerStore(options.home);
@@ -25,6 +26,7 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         const readiness = await buildPeerReadiness(options.config);
         const created = store.createInvitation({
             name: optionalStringField(body, "name"),
+            group: optionalStringField(body, "group"),
             expiresInMs: (optionalNumberField(body, "expiresMinutes") ?? 10) * 60 * 1000,
             scopes: parseScopes(arrayStringField(body, "scopes")),
             allowedAgents: parseAgents(arrayStringField(body, "allowedAgents")),
@@ -53,11 +55,63 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         if (peerId) {
             const probe = await new RemoteRelayClient(store).rpc(peerId, "peer.probe", {}, options.activityActor);
             sendJson(res, 200, { type: "remote", peerId, readiness, probe });
+            options.auditPeerAction?.("peer_probe", peerId);
             return true;
         }
         const expectedTlsFingerprint = options.config.peerPublicUrl ? undefined : tls?.fingerprint;
         const probe = await checkPeerEndpoint(readiness.listenUrl, { expectedTlsFingerprint });
         sendJson(res, 200, { type: "local", readiness, probe });
+        options.auditPeerAction?.("peer_probe", readiness.listenUrl);
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/peers/discover") {
+        const result = await discoverLanPeers(options.config, discoveryOptionsFromQuery(url));
+        sendJson(res, 200, result);
+        options.auditPeerAction?.("peer_discovery_started", `sync scan ${result.scanned} targets`);
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/peers/discovery-jobs") {
+        sendJson(res, 200, { jobs: options.discoveryJobs?.list() ?? [] });
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/peers/discovery-jobs") {
+        const body = await readJsonBody(req);
+        const job = await options.discoveryJobs.start(discoveryOptionsFromBody(body));
+        sendJson(res, 202, { job });
+        options.auditPeerAction?.("peer_discovery_started", job.id);
+        return true;
+    }
+    const discoveryJobMatch = url.pathname.match(/^\/api\/peers\/discovery-jobs\/([^/]+)(?:\/(cancel|log))?$/);
+    if (discoveryJobMatch?.[1]) {
+        const id = decodeURIComponent(discoveryJobMatch[1]);
+        const action = discoveryJobMatch[2];
+        if (req.method === "GET" && action === "log") {
+            sendJson(res, 200, { id, plain: options.discoveryJobs?.log(id) ?? "" });
+            return true;
+        }
+        if (req.method === "POST" && action === "cancel") {
+            const job = options.discoveryJobs?.cancel(id);
+            sendJson(res, 200, { job });
+            options.auditPeerAction?.("peer_discovery_cancelled", id);
+            return true;
+        }
+        if (req.method === "GET" && !action) {
+            sendJson(res, 200, { job: options.discoveryJobs?.get(id) ?? null });
+            return true;
+        }
+    }
+    if (req.method === "GET" && url.pathname === "/api/peers/identity/backup") {
+        const backup = exportPeerIdentityBackup(options.home, options.config.peerName);
+        sendJson(res, 200, { backup });
+        options.auditPeerAction?.("peer_identity_backup_exported", backup.identity.nodeId);
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/peers/identity/restore") {
+        const body = await readJsonBody(req);
+        const backup = objectRecord(body.backup);
+        const restored = restorePeerIdentityBackup(backup, options.home);
+        sendJson(res, 200, { identity: restored.public });
+        options.auditPeerAction?.("peer_identity_restored", restored.public.nodeId);
         return true;
     }
     const invitationMatch = url.pathname.match(/^\/api\/peers\/invitations\/([^/]+)$/);
@@ -86,6 +140,7 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         const body = await readJsonBody(req);
         const peer = store.updatePeer(decodeURIComponent(peerMatch[1]), {
             name: optionalStringField(body, "name"),
+            group: optionalStringField(body, "group"),
             url: optionalStringField(body, "url"),
             enabled: optionalBooleanField(body, "enabled"),
             scopes: body.scopes === undefined ? undefined : parseScopes(arrayStringField(body, "scopes")),
@@ -97,6 +152,44 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         options.auditPeerAction?.("peer_updated", `${peer.name} (${peer.id})`);
         return true;
     }
+    const repinMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/repin$/);
+    if (repinMatch?.[1] && req.method === "POST") {
+        const peerId = decodeURIComponent(repinMatch[1]);
+        const peer = store.get(peerId);
+        if (!peer?.url) {
+            throw new Error("Peer URL is required before TLS re-pin.");
+        }
+        const probe = await checkPeerIdentityEndpoint(peer.url, { timeoutMs: options.config.peerDiscoveryTimeoutMs });
+        if (!probe.ok || !probe.identity) {
+            throw new Error(`Peer identity could not be verified: ${probe.detail}`);
+        }
+        if (probe.identity.nodeId !== peer.nodeId || probe.identity.publicKey !== peer.publicKey || probe.identity.fingerprint !== peer.fingerprint) {
+            throw new Error("Peer identity changed. Re-pair this peer instead of re-pinning TLS.");
+        }
+        const updated = store.updatePeerTlsFingerprint(peer.id, probe.tlsFingerprint);
+        sendJson(res, 200, { peer: publicPeer(updated), probe });
+        options.auditPeerAction?.("peer_tls_repinned", `${updated.name} (${updated.id})`);
+        return true;
+    }
+    const rotateMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/rotate$/);
+    if (rotateMatch?.[1] && req.method === "POST") {
+        const body = await readJsonBody(req);
+        const readiness = await buildPeerReadiness(options.config);
+        const created = store.createRotationInvitation(decodeURIComponent(rotateMatch[1]), {
+            expiresInMs: (optionalNumberField(body, "expiresMinutes") ?? 10) * 60 * 1000,
+        });
+        const command = `nordrelay peer add ${readiness.listenUrl} --code ${created.code}`;
+        sendJson(res, 201, {
+            peer: created.peer,
+            invitation: created.invitation,
+            code: created.code,
+            command,
+            readiness,
+            warnings: readiness.warnings,
+        });
+        options.auditPeerAction?.("peer_rotation_invite_created", `${created.peer.name} (${created.peer.id})`);
+        return true;
+    }
     if (req.method === "GET" && url.pathname === "/api/peers/global-sessions") {
         const query = optionalStringField(Object.fromEntries(url.searchParams), "query") ?? "";
         const agent = parseAgent(optionalStringField(Object.fromEntries(url.searchParams), "agent"));
@@ -152,6 +245,7 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         const peerId = decodeURIComponent(healthMatch[1]);
         const data = await new RemoteRelayClient(store).rpc(peerId, "peer.ping", undefined, options.activityActor);
         sendJson(res, 200, { data, peer: publicPeer(store.get(peerId)) });
+        options.auditPeerAction?.("peer_health_checked", peerId);
         return true;
     }
     const eventsMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/events$/);
@@ -189,6 +283,26 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
 function parseScopes(values) {
     return values.filter(isPermission);
 }
+function discoveryOptionsFromQuery(url) {
+    return {
+        targets: url.searchParams.getAll("target").concat((url.searchParams.get("targets") ?? "").split(/[\n,]/)).map((value) => value.trim()).filter(Boolean),
+        timeoutMs: optionalPositiveNumber(url.searchParams.get("timeoutMs")),
+        concurrency: optionalPositiveNumber(url.searchParams.get("concurrency")),
+        maxHosts: optionalPositiveNumber(url.searchParams.get("maxHosts")),
+    };
+}
+function discoveryOptionsFromBody(body) {
+    return {
+        targets: arrayStringField(body, "targets"),
+        timeoutMs: optionalNumberField(body, "timeoutMs"),
+        concurrency: optionalNumberField(body, "concurrency"),
+        maxHosts: optionalNumberField(body, "maxHosts"),
+    };
+}
+function optionalPositiveNumber(value) {
+    const parsed = Number(value);
+    return Number.isInteger(parsed) && parsed > 0 ? parsed : undefined;
+}
 function parseAgents(values) {
     const parsed = values.filter(isAgentId);
     return parsed.length > 0 ? parsed : [...AGENT_IDS];

package/dist/{web-dashboard-runtime-routes.js → web/web-dashboard-runtime-routes.js} RENAMED Viewed

@@ -63,7 +63,14 @@ export async function handleDashboardRuntimeRoute(req, res, url, options) {
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/jobs") {
-        sendJson(res, 200, await runtime.jobs());
+        sendJson(res, 200, await runtime.jobs({
+            limit: numberParam(url, "limit", 100),
+            cursor: url.searchParams.get("cursor") || undefined,
+        }));
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/trace") {
+        sendJson(res, 200, await runtime.trace(stringField(Object.fromEntries(url.searchParams), "correlationId")));
         return true;
     }
     const jobLogMatch = url.pathname.match(/^\/api\/jobs\/([^/]+)\/log$/);

package/dist/web/web-dashboard-security.js ADDED Viewed

@@ -0,0 +1,14 @@
+import { randomBytes } from "node:crypto";
+export function createCspNonce() {
+    return randomBytes(16).toString("base64url");
+}
+export function requiresWebCsrf(method, pathname) {
+    const verb = (method ?? "GET").toUpperCase();
+    if (verb === "GET" || verb === "HEAD" || verb === "OPTIONS") {
+        return false;
+    }
+    return pathname.startsWith("/api/");
+}
+export function isMutatingWebApiRequest(method, pathname) {
+    return requiresWebCsrf(method, pathname);
+}

package/dist/{web-dashboard-session-routes.js → web/web-dashboard-session-routes.js} RENAMED Viewed

@@ -1,5 +1,6 @@
-import { isAgentId } from "./agent.js";
+import { isAgentId } from "../agents/shared/agent.js";
 import { numberParam, optionalBooleanField, optionalStringField, parseUploadFiles, readJsonBody, requiredSearch, sendJson, stringField, } from "./web-dashboard-http.js";
+import { cursorPage, normalizeCursorLimit } from "../core/pagination.js";
 export async function handleDashboardSessionRoute(req, res, url, options) {
     const { runtime, authUser } = options;
     if (req.method === "GET" && url.pathname === "/api/locks") {
@@ -190,25 +191,40 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
         sendJson(res, 200, { messages: await runtime.chatHistory(numberParam(url, "limit", 200)) });
         return true;
     }
+    if (req.method === "GET" && url.pathname === "/api/chat/mirror") {
+        await options.assertCurrentSessionScope(authUser);
+        sendJson(res, 200, await runtime.webMirrorPreference(""));
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/chat/mirror") {
+        const body = await readJsonBody(req);
+        await options.assertCurrentSessionScope(authUser);
+        sendJson(res, 200, await runtime.webMirrorPreference(optionalStringField(body, "argument") ?? optionalStringField(body, "mode") ?? "", options.activityActor));
+        return true;
+    }
     if (req.method === "DELETE" && url.pathname === "/api/chat/history") {
         await options.assertCurrentSessionScope(authUser);
         sendJson(res, 200, await runtime.clearChatHistory(options.activityActor));
         return true;
     }
     if (req.method === "GET" && url.pathname === "/api/activity") {
+        const limit = normalizeCursorLimit(numberParam(url, "limit", 100), 100, 500);
+        const scoped = options.filterActivityByScope(authUser, runtime.activity({
+            limit: 500,
+            source: (url.searchParams.get("source") || "all"),
+            status: (url.searchParams.get("status") || "all"),
+            category: (url.searchParams.get("category") || "all"),
+            actor: url.searchParams.get("actor") || undefined,
+            agentId: url.searchParams.get("agent") || "all",
+            threadId: url.searchParams.get("thread") || undefined,
+            workspace: url.searchParams.get("workspace") || undefined,
+            type: url.searchParams.get("type") || undefined,
+            since: url.searchParams.get("since") || undefined,
+        }));
+        const scopedPage = cursorPage(scoped, url.searchParams.get("cursor") || undefined, limit, (event) => event.id);
         sendJson(res, 200, {
-            events: options.filterActivityByScope(authUser, runtime.activity({
-                limit: numberParam(url, "limit", 100),
-                source: (url.searchParams.get("source") || "all"),
-                status: (url.searchParams.get("status") || "all"),
-                category: (url.searchParams.get("category") || "all"),
-                actor: url.searchParams.get("actor") || undefined,
-                agentId: url.searchParams.get("agent") || "all",
-                threadId: url.searchParams.get("thread") || undefined,
-                workspace: url.searchParams.get("workspace") || undefined,
-                type: url.searchParams.get("type") || undefined,
-                since: url.searchParams.get("since") || undefined,
-            })),
+            events: scopedPage.items,
+            pagination: scopedPage.pagination,
         });
         return true;
     }

package/dist/web/web-dashboard-ui.js ADDED Viewed

@@ -0,0 +1,56 @@
+export const DASHBOARD_PRIMARY_NAV_PAGES = [
+    { id: "overview", label: "Overview", permission: "inspect" },
+    { id: "chat", label: "Chat", permission: "sessions.read" },
+    { id: "sessions", label: "Sessions", permission: "sessions.read" },
+    { id: "queue", label: "Queue", permission: "queue.read" },
+    { id: "tasks", label: "Tasks", permission: "inspect" },
+    { id: "activity", label: "Activity", permission: "sessions.read" },
+    { id: "trace", label: "Trace", permission: "sessions.read" },
+    { id: "artifacts", label: "Artifacts", permission: "files.read" },
+];
+export const DASHBOARD_NAV_SECTIONS = [
+    {
+        id: "operations",
+        label: "Operations",
+        pages: [
+            { id: "metrics", label: "Metrics", permission: "inspect" },
+            { id: "adapters", label: "Adapters", permission: "inspect" },
+            { id: "version", label: "Version", permission: "inspect" },
+            { id: "logs", label: "Logs", permission: "logs.read" },
+            { id: "diagnostics", label: "Diagnostics", permission: "diagnostics.read" },
+        ],
+    },
+    {
+        id: "administration",
+        label: "Administration",
+        pages: [
+            { id: "access", label: "Users", permission: "users.read" },
+            { id: "settings", label: "Settings", permission: "settings.read" },
+            { id: "peers", label: "Peers", permission: "peers.read" },
+        ],
+    },
+];
+export const DASHBOARD_PAGES = [
+    ...DASHBOARD_PRIMARY_NAV_PAGES,
+    ...DASHBOARD_NAV_SECTIONS.flatMap((section) => section.pages),
+];
+function renderDashboardPageButton(page, activePage) {
+    return `<button type="button" data-page="${page.id}" data-permission="${page.permission}"${page.id === activePage ? ' class="active"' : ""}>${page.label}</button>`;
+}
+function renderDashboardNavSection(section, activePage) {
+    const isOpen = section.defaultOpen === true || section.pages.some((page) => page.id === activePage);
+    const itemsId = `nav-section-${section.id}`;
+    return `<div class="nav-section" data-nav-section="${section.id}" data-nav-open="${isOpen ? "true" : "false"}" data-nav-default-open="${section.defaultOpen === true ? "true" : "false"}">
+          <button type="button" class="nav-section-toggle" data-nav-toggle="${section.id}" aria-expanded="${isOpen ? "true" : "false"}" aria-controls="${itemsId}">${section.label}</button>
+          <div class="nav-section-items" id="${itemsId}"${isOpen ? "" : " hidden"}>
+            ${section.pages.map((page) => renderDashboardPageButton(page, activePage)).join("\n            ")}
+          </div>
+        </div>`;
+}
+export function renderDashboardNav(activePage = "overview") {
+    const primary = `<div class="nav-primary">
+            ${DASHBOARD_PRIMARY_NAV_PAGES.map((page) => renderDashboardPageButton(page, activePage)).join("\n            ")}
+          </div>`;
+    const sections = DASHBOARD_NAV_SECTIONS.map((section) => renderDashboardNavSection(section, activePage)).join("\n        ");
+    return `${primary}\n        ${sections}`;
+}

package/dist/{web-dashboard.js → web/web-dashboard.js} RENAMED Viewed

@@ -1,47 +1,68 @@
 import { createServer } from "node:http";
-import { randomBytes } from "node:crypto";
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
 import os from "node:os";
 import path from "node:path";
 import { URL } from "node:url";
-import { enabledAgents } from "./agent-factory.js";
-import { buildAdapterConformanceMatrix } from "./adapter-conformance.js";
-import { listAgentAdapterDescriptors } from "./agent-adapter.js";
-import { isAgentId } from "./agent.js";
-import { AuditLogStore } from "./audit-log.js";
-import { listChannelDescriptors } from "./channel-adapter.js";
-import { permissionForWebRequest } from "./access-control.js";
-import { loadConfig } from "./config.js";
-import { friendlyErrorText } from "./error-messages.js";
-import { RelayRuntime } from "./relay-runtime.js";
-import { resolveDashboardEnvPath, SettingsService } from "./settings-service.js";
-import { mergeSettingsWizardTestSettings, runSettingsWizardTest } from "./settings-wizard-test.js";
-import { UserStore, publicUser } from "./user-management.js";
+import { enabledAgents } from "../agents/shared/agent-factory.js";
+import { buildAdapterConformanceMatrix } from "../agents/shared/adapter-conformance.js";
+import { listAgentAdapterDescriptors } from "../agents/shared/agent-adapter.js";
+import { isAgentId } from "../agents/shared/agent.js";
+import { AuditLogStore } from "../access/audit-log.js";
+import { listChannelDescriptors } from "../channels/shared/channel-adapter.js";
+import { permissionForWebRequest } from "../access/access-control.js";
+import { loadConfig } from "../core/config.js";
+import { friendlyErrorText } from "../core/error-messages.js";
+import { RelayRuntime } from "../runtime/relay-runtime.js";
+import { resolveDashboardEnvPath, SettingsService } from "../core/settings-service.js";
+import { mergeSettingsWizardTestSettings, runSettingsWizardTest } from "../core/settings-wizard-test.js";
+import { UserStore, publicUser } from "../access/user-management.js";
 import { handleDashboardAccessRoute } from "./web-dashboard-access-routes.js";
 import { handleDashboardArtifactRoute } from "./web-dashboard-artifact-routes.js";
-import { dashboardCss, dashboardJs } from "./web-dashboard-assets.js";
-import { objectRecord, optionalStringField, parseCookies, readJsonBody, sendJson, sendText, } from "./web-dashboard-http.js";
+import { dashboardCss, dashboardJs, dashboardStaticAsset } from "./web-dashboard-assets.js";
+import { objectRecord, optionalStringField, parseCookies, readJsonBody, sendJson, sendText, sendStaticFile, isRequestBodyTooLargeError, } from "./web-dashboard-http.js";
 import { renderDashboardApp, renderFirstRunSetupPage, renderLoginPage } from "./web-dashboard-pages.js";
 import { handleDashboardRuntimeRoute } from "./web-dashboard-runtime-routes.js";
 import { handleDashboardSessionRoute } from "./web-dashboard-session-routes.js";
 import { handleDashboardPeerRoute } from "./web-dashboard-peer-routes.js";
+import { PeerDiscoveryJobManager } from "../peers/peer-discovery-jobs.js";
+import { recordWebApiMetric } from "./web-performance.js";
+import { createCspNonce, isMutatingWebApiRequest, requiresWebCsrf } from "./web-dashboard-security.js";
+import { consumeRateLimit, resetRateLimit } from "./web-rate-limit.js";
 const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
+const WEB_API_MUTATION_LIMIT = 240;
+const WEB_API_MUTATION_WINDOW_MS = 60_000;
+const WEB_API_MUTATION_BLOCK_MS = 60_000;
 const options = parseOptions(process.argv.slice(2));
 const config = loadConfig();
 const runtime = new RelayRuntime(config);
 const settings = new SettingsService(resolveDashboardEnvPath(options.home));
 const users = new UserStore(options.home);
 const auditLog = new AuditLogStore(config.workspace, config.stateBackend, config.auditMaxEvents);
+const peerDiscoveryJobs = new PeerDiscoveryJobManager(config, options.home);
 const loginAttempts = new Map();
+const apiMutationAttempts = new Map();
 const firstRunSetupToken = users.hasAdminUser() ? undefined : randomBytes(18).toString("base64url");
 const firstRunSetupRequiresToken = !isLoopbackHost(options.host);
+const csrfSecret = randomBytes(32).toString("base64url");
 if (firstRunSetupToken) {
     console.log(`NordRelay first-run setup token: ${firstRunSetupToken}`);
 }
 class AccessDeniedError extends Error {
 }
 const server = createServer((req, res) => {
+    const startedAt = Date.now();
+    const pathName = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`).pathname;
+    res.on("finish", () => {
+        recordWebApiMetric({
+            method: req.method ?? "GET",
+            path: pathName,
+            statusCode: res.statusCode,
+            durationMs: Date.now() - startedAt,
+        });
+    });
     void handleRequest(req, res).catch((error) => {
-        sendJson(res, error instanceof AccessDeniedError ? 403 : 500, { error: friendlyErrorText(error) });
+        const status = error instanceof AccessDeniedError ? 403 : isRequestBodyTooLargeError(error) ? 413 : 500;
+        sendJson(res, status, { error: friendlyErrorText(error) });
     });
 });
 await new Promise((resolve) => server.listen(options.port, options.host, resolve));
@@ -62,27 +83,52 @@ async function handleRequest(req, res) {
         handleLogout(req, res);
         return;
     }
+    if (servePublicDashboardAsset(url.pathname, res)) {
+        return;
+    }
     const authenticated = authenticateRequest(req);
     if (url.pathname === "/api/auth/me" && req.method === "GET") {
         if (!authenticated) {
             sendJson(res, 401, { error: "Authentication required", adminConfigured: users.hasAdminUser() });
             return;
         }
-        sendJson(res, 200, currentUserDto(authenticated));
+        sendJson(res, 200, currentUserDto(authenticated, req));
         return;
     }
     if (!authenticated) {
         if (url.pathname === "/" || url.pathname === "/index.html") {
+            const cspNonce = createCspNonce();
             if (!users.hasAdminUser()) {
-                sendText(res, 200, renderFirstRunSetupPage({ tokenRequired: firstRunSetupRequiresToken || !isLoopbackRequest(req) }), "text/html; charset=utf-8");
+                sendText(res, 200, renderFirstRunSetupPage({ tokenRequired: firstRunSetupRequiresToken || !isLoopbackRequest(req), cspNonce }), "text/html; charset=utf-8", { cspNonce });
                 return;
             }
-            sendText(res, 200, renderLoginPage({ adminConfigured: users.hasAdminUser() }), "text/html; charset=utf-8");
+            sendText(res, 200, renderLoginPage({ adminConfigured: users.hasAdminUser(), cspNonce }), "text/html; charset=utf-8", { cspNonce });
             return;
         }
         sendJson(res, 401, { error: "Authentication required", adminConfigured: users.hasAdminUser() });
         return;
     }
+    if (isMutatingWebApiRequest(req.method, url.pathname)) {
+        const limited = consumeRateLimit(apiMutationAttempts, `${req.socket.remoteAddress ?? "unknown"}:${authenticated.user.id}`, WEB_API_MUTATION_LIMIT, WEB_API_MUTATION_WINDOW_MS, WEB_API_MUTATION_BLOCK_MS);
+        if (limited.limited) {
+            sendJson(res, 429, { error: "Too many API changes. Try again later.", retryAfterMs: limited.retryAfterMs });
+            return;
+        }
+    }
+    if (requiresCsrf(req, url) && !verifyCsrf(req)) {
+        audit({
+            action: "permission_denied",
+            status: "denied",
+            channelId: "web",
+            contextKey: "web",
+            actor: webActivityActor(authenticated),
+            actorId: authenticated.user.id,
+            actorRole: authenticated.groups.map((group) => group.name).join(", "),
+            description: `Invalid CSRF token for ${req.method ?? "GET"} ${url.pathname}`,
+        });
+        sendJson(res, 403, { error: "Invalid CSRF token." });
+        return;
+    }
     if (url.pathname === "/healthz") {
         if (!users.hasPermission(authenticated, "inspect")) {
             sendText(res, 403, "access denied\n", "text/plain; charset=utf-8");
@@ -92,7 +138,8 @@ async function handleRequest(req, res) {
         return;
     }
     if (url.pathname === "/" || url.pathname === "/index.html") {
-        sendText(res, 200, renderDashboardApp(), "text/html; charset=utf-8");
+        const cspNonce = createCspNonce();
+        sendText(res, 200, renderDashboardApp({ cspNonce }), "text/html; charset=utf-8", { cspNonce });
         return;
     }
     if (url.pathname === "/assets/dashboard.css") {
@@ -113,6 +160,25 @@ async function handleRequest(req, res) {
     }
     await handleApi(req, res, url, authenticated);
 }
+function servePublicDashboardAsset(pathname, res) {
+    const assetName = pathname === "/favicon.ico"
+        ? "favicon.ico"
+        : pathname === "/assets/favicon.png"
+            ? "favicon.png"
+            : pathname === "/assets/logo.png"
+                ? "logo.png"
+                : null;
+    if (!assetName) {
+        return false;
+    }
+    const asset = dashboardStaticAsset(assetName);
+    if (!asset) {
+        sendText(res, 404, "not found\n", "text/plain; charset=utf-8");
+        return true;
+    }
+    sendStaticFile(res, asset.filePath, asset.contentType);
+    return true;
+}
 async function handleApi(req, res, url, authUser) {
     const permission = permissionForWebRequest(req.method, url.pathname);
     if (!permission) {
@@ -160,7 +226,7 @@ async function handleApi(req, res, url, authUser) {
     if (req.method === "GET" && url.pathname === "/api/bootstrap") {
         await assertCurrentSessionScope(authUser);
         sendJson(res, 200, {
-            auth: currentUserDto(authUser),
+            auth: currentUserDto(authUser, req),
             channels: listChannelDescriptors(),
             agentAdapters: listAgentAdapterDescriptors().filter((adapter) => users.canUseAgent(authUser, adapter.id)),
             adapterConformance: scopedAdapterConformance(authUser),
@@ -192,6 +258,7 @@ async function handleApi(req, res, url, authUser) {
         config,
         home: options.home,
         runtime,
+        discoveryJobs: peerDiscoveryJobs,
         activityActor: webActivityActor(authUser),
         auditPeerAction: (action, description) => auditUserAction(authUser, action, description),
     })) {
@@ -330,8 +397,8 @@ async function handleFirstRunSetup(req, res) {
         actor: webActivityActor(authUser),
         detail: authUser.user.email,
     });
-    setSessionCookie(res, session.token);
-    sendJson(res, 201, currentUserDto(authUser));
+    setSessionCookie(res, session.token, req);
+    sendJson(res, 201, currentUserDto(authUser, undefined, session.token));
 }
 async function handleLogin(req, res) {
     const body = await readJsonBody(req);
@@ -387,8 +454,8 @@ async function handleLogin(req, res) {
         actor: webActivityActor(authUser),
         detail: authUser.user.email,
     });
-    setSessionCookie(res, session.token);
-    sendJson(res, 200, currentUserDto(authUser));
+    setSessionCookie(res, session.token, req);
+    sendJson(res, 200, currentUserDto(authUser, undefined, session.token));
 }
 function isLoopbackRequest(req) {
     const address = req.socket.remoteAddress ?? "";
@@ -402,6 +469,10 @@ function isLoopbackHost(host) {
 }
 function handleLogout(req, res) {
     const authUser = authenticateRequest(req);
+    if (authUser && !verifyCsrf(req)) {
+        sendJson(res, 403, { error: "Invalid CSRF token." });
+        return;
+    }
     users.destroyWebSession(parseCookies(req.headers.cookie ?? "").nr_session);
     if (authUser) {
         auditUserAction(authUser, "auth_logout", authUser.user.email);
@@ -431,19 +502,49 @@ function authenticateRequest(req) {
     const cookies = parseCookies(req.headers.cookie ?? "");
     return users.resolveWebSession(cookies.nr_session);
 }
-function setSessionCookie(res, token) {
-    res.setHeader("set-cookie", `nr_session=${encodeURIComponent(token)}; HttpOnly; SameSite=Strict; Path=/`);
+function setSessionCookie(res, token, req) {
+    const secure = req && isHttpsRequest(req) ? "; Secure" : "";
+    res.setHeader("set-cookie", `nr_session=${encodeURIComponent(token)}; HttpOnly; SameSite=Strict; Path=/${secure}`);
 }
 function clearSessionCookie(res) {
     res.setHeader("set-cookie", "nr_session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0");
 }
-function currentUserDto(authUser) {
+function isHttpsRequest(req) {
+    return Boolean(req.socket.encrypted) ||
+        String(req.headers["x-forwarded-proto"] ?? "").split(",")[0]?.trim().toLowerCase() === "https";
+}
+function currentUserDto(authUser, req, sessionToken) {
+    const token = sessionToken ?? (req ? parseCookies(req.headers.cookie ?? "").nr_session : undefined);
     return {
         user: publicUser(authUser.user),
         groups: authUser.groups,
         permissions: authUser.permissions,
+        csrfToken: token ? csrfTokenForSession(token) : undefined,
     };
 }
+function requiresCsrf(req, url) {
+    return requiresWebCsrf(req.method, url.pathname);
+}
+function verifyCsrf(req) {
+    const sessionToken = parseCookies(req.headers.cookie ?? "").nr_session;
+    const supplied = headerValue(req, "x-nordrelay-csrf");
+    if (!sessionToken || !supplied) {
+        return false;
+    }
+    return safeEqualString(supplied, csrfTokenForSession(sessionToken));
+}
+function csrfTokenForSession(sessionToken) {
+    return createHmac("sha256", csrfSecret).update(sessionToken).digest("base64url");
+}
+function headerValue(req, name) {
+    const value = req.headers[name.toLowerCase()];
+    return Array.isArray(value) ? value[0] ?? "" : value ?? "";
+}
+function safeEqualString(left, right) {
+    const leftBuffer = Buffer.from(left);
+    const rightBuffer = Buffer.from(right);
+    return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
 function audit(event) {
     try {
         auditLog.append(event);
@@ -612,25 +713,6 @@ async function assertCurrentSessionScope(authUser) {
 function objectValue(value) {
     return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-function consumeRateLimit(buckets, key, limit, windowMs, blockMs) {
-    const now = Date.now();
-    const existing = buckets.get(key);
-    if (existing?.blockedUntil && existing.blockedUntil > now) {
-        return { limited: true, retryAfterMs: existing.blockedUntil - now };
-    }
-    const bucket = !existing || existing.resetAt <= now ? { count: 0, resetAt: now + windowMs } : existing;
-    bucket.count += 1;
-    if (bucket.count > limit) {
-        bucket.blockedUntil = now + blockMs;
-        buckets.set(key, bucket);
-        return { limited: true, retryAfterMs: blockMs };
-    }
-    buckets.set(key, bucket);
-    return { limited: false };
-}
-function resetRateLimit(buckets, key) {
-    buckets.delete(key);
-}
 function parseAgentId(value) {
     if (!value) {
         return undefined;
@@ -742,6 +824,8 @@ function activeSettingsValues(current) {
         TELEGRAM_EDIT_MIN_INTERVAL_MS: String(current.telegramEditMinIntervalMs),
         NORDRELAY_CLI_MIRROR_MODE: current.mirrorMode,
         NORDRELAY_CLI_MIRROR_MIN_UPDATE_MS: String(current.mirrorMinUpdateMs),
+        NORDRELAY_WEB_CLI_MIRROR_MODE: current.webMirrorMode === current.mirrorMode ? "" : current.webMirrorMode,
+        NORDRELAY_WEB_CLI_MIRROR_MIN_UPDATE_MS: current.webMirrorMinUpdateMs === current.mirrorMinUpdateMs ? "" : String(current.webMirrorMinUpdateMs),
         NORDRELAY_NOTIFY_MODE: current.notifyMode,
         NORDRELAY_QUIET_HOURS: quietValue(current.quietHours),
         NORDRELAY_AUTO_SEND_ARTIFACTS: boolValue(current.autoSendArtifacts),