@opentrust/dashboard 7.1.0

package/dist/index.js

@@ -0,0 +1,84 @@
+import express from "express";
+import cors from "cors";
+import helmet from "helmet";
+import morgan from "morgan";
+import { existsSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { sessionAuth } from "./middleware/session-auth.js";
+import { authRouter } from "./routes/auth.js";
+import { settingsRouter } from "./routes/settings.js";
+import { agentsRouter } from "./routes/agents.js";
+import { scannersRouter } from "./routes/scanners.js";
+import { policiesRouter } from "./routes/policies.js";
+import { detectionRouter } from "./routes/detection.js";
+import { usageRouter } from "./routes/usage.js";
+import { resultsRouter } from "./routes/results.js";
+import { discoveryRouter } from "./routes/discovery.js";
+import { observationsRouter } from "./routes/observations.js";
+import { errorHandler } from "./middleware/error-handler.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const app = express();
+const PORT = parseInt(process.env.PORT || process.env.API_PORT || "53667", 10);
+const DASHBOARD_MODE = (process.env.DASHBOARD_MODE || "selfhosted");
+app.use(helmet({ contentSecurityPolicy: false }));
+app.use(cors({
+    origin: DASHBOARD_MODE === "embedded" ? true : (process.env.WEB_ORIGIN || "http://localhost:53668"),
+    credentials: true,
+}));
+app.use(morgan("short"));
+app.use(express.json());
+// Public routes
+app.get("/health", (_req, res) => {
+    res.json({ status: "ok", service: "opentrust-api", timestamp: new Date().toISOString() });
+});
+app.use("/api/auth", authRouter); // /request, /verify/:token, /me, /logout
+// Serve static web app in embedded mode (before auth middleware)
+if (DASHBOARD_MODE === "embedded") {
+    const webOutPaths = [
+        join(__dirname, "..", "..", "web", "out"), // monorepo: apps/api/dist → apps/web/out
+        join(__dirname, "..", "public"), // npm package: dist → public
+    ];
+    const webOutDir = webOutPaths.find((p) => existsSync(p));
+    if (webOutDir) {
+        // 挂载到 /dashboard/ 以匹配 Vite base 配置
+        app.use("/dashboard", express.static(webOutDir, { extensions: ["html"] }));
+        // 根路径重定向到 /dashboard/
+        app.get("/", (_req, res) => res.redirect("/dashboard/"));
+        // SPA fallback: /dashboard/ 下非静态文件路由返回 index.html
+        app.use("/dashboard", (req, res, next) => {
+            // 跳过已匹配的静态文件（有扩展名的路径）
+            if (req.path.match(/\.\w+$/))
+                return next();
+            const indexPath = join(webOutDir, "index.html");
+            if (existsSync(indexPath)) {
+                res.sendFile(indexPath);
+            }
+            else {
+                next();
+            }
+        });
+    }
+}
+// Session-protected routes
+app.use(sessionAuth);
+app.use("/api/settings", settingsRouter);
+app.use("/api/agents", agentsRouter);
+app.use("/api/scanners", scannersRouter);
+app.use("/api/policies", policiesRouter);
+app.use("/api/detect", detectionRouter);
+app.use("/api/usage", usageRouter);
+app.use("/api/results", resultsRouter);
+app.use("/api/discovery", discoveryRouter);
+app.use("/api/observations", observationsRouter);
+app.use(errorHandler);
+app.listen(PORT, () => {
+    console.log(`OpenTrust API running on port ${PORT}`);
+    console.log(`DashboardMode: ${DASHBOARD_MODE}`);
+    if (process.env.DEV_MODE === "true") {
+        console.log(`DevMode: ON — authentication disabled`);
+    }
+    else {
+        console.log(`Auth: POST /api/auth/request — send magic link`);
+    }
+});

package/dist/middleware/error-handler.js

@@ -0,0 +1,7 @@
+export function errorHandler(err, _req, res, _next) {
+    console.error("Unhandled error:", err);
+    res.status(500).json({
+        success: false,
+        error: "Internal server error",
+    });
+}

package/dist/middleware/session-auth.js

@@ -0,0 +1,58 @@
+const IS_DEV_MODE = process.env.DEV_MODE === "true";
+const CORE_URL = process.env.OG_CORE_URL || "http://localhost:53666";
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const DEV_TENANT_ID = "default";
+const DEV_EMAIL = "dev@localhost";
+const DEV_API_KEY = "sk-og-dev";
+const sessionCache = new Map();
+/**
+ * Session authentication middleware for OpenTrust.
+ *
+ * When DEV_MODE=true, skips all validation and uses default dev identity.
+ * Otherwise validates the API key against the core (cached for 5 minutes).
+ * Sets res.locals.tenantId, res.locals.userEmail, and res.locals.coreApiKey.
+ */
+export async function sessionAuth(req, res, next) {
+    if (IS_DEV_MODE) {
+        res.locals.tenantId = DEV_TENANT_ID;
+        res.locals.userEmail = DEV_EMAIL;
+        res.locals.coreApiKey = DEV_API_KEY;
+        next();
+        return;
+    }
+    const apiKey = req.headers.authorization?.replace("Bearer ", "");
+    if (!apiKey?.startsWith("sk-og-")) {
+        res.status(401).json({ success: false, error: "Not authenticated" });
+        return;
+    }
+    const cached = sessionCache.get(apiKey);
+    if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {
+        res.locals.tenantId = cached.email;
+        res.locals.userEmail = cached.email;
+        res.locals.coreApiKey = apiKey;
+        next();
+        return;
+    }
+    try {
+        const coreRes = await fetch(`${CORE_URL}/api/v1/account`, {
+            headers: { Authorization: `Bearer ${apiKey}` },
+        });
+        if (!coreRes.ok) {
+            res.status(401).json({ success: false, error: "Invalid or inactive API key" });
+            return;
+        }
+        const data = await coreRes.json();
+        if (!data.success || !data.email) {
+            res.status(401).json({ success: false, error: "Agent not activated" });
+            return;
+        }
+        sessionCache.set(apiKey, { email: data.email, agentId: data.agentId, cachedAt: Date.now() });
+        res.locals.tenantId = data.email;
+        res.locals.userEmail = data.email;
+        res.locals.coreApiKey = apiKey;
+        next();
+    }
+    catch {
+        res.status(503).json({ success: false, error: "Core service unavailable" });
+    }
+}

package/dist/routes/agents.js

@@ -0,0 +1,90 @@
+import { Router } from "express";
+import { db, agentQueries } from "@opentrust/db";
+import { MAX_AGENTS } from "@opentrust/shared";
+const agents = agentQueries(db);
+export const agentsRouter = Router();
+// GET /api/agents
+agentsRouter.get("/", async (_req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const data = await agents.findAll(tenantId);
+        res.json({ success: true, data });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// POST /api/agents
+agentsRouter.post("/", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const { name, description, provider, metadata } = req.body;
+        if (!name) {
+            res.status(400).json({ success: false, error: "name is required" });
+            return;
+        }
+        const currentCount = await agents.countAll(tenantId);
+        if (currentCount >= MAX_AGENTS) {
+            res.status(403).json({
+                success: false,
+                error: `Agent limit reached (${MAX_AGENTS}).`,
+            });
+            return;
+        }
+        const agent = await agents.create({
+            name,
+            description: description || null,
+            provider: provider || "custom",
+            metadata: metadata || {},
+            tenantId,
+        });
+        res.status(201).json({ success: true, data: agent });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// PUT /api/agents/:id
+agentsRouter.put("/:id", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const { name, description, provider, status, metadata } = req.body;
+        const agent = await agents.update(req.params.id, {
+            ...(name && { name }),
+            ...(description !== undefined && { description }),
+            ...(provider && { provider }),
+            ...(status && { status }),
+            ...(metadata && { metadata }),
+        }, tenantId);
+        if (!agent) {
+            res.status(404).json({ success: false, error: "Agent not found" });
+            return;
+        }
+        res.json({ success: true, data: agent });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// DELETE /api/agents/:id
+agentsRouter.delete("/:id", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        await agents.delete(req.params.id, tenantId);
+        res.json({ success: true });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// POST /api/agents/:id/heartbeat
+agentsRouter.post("/:id/heartbeat", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        await agents.heartbeat(req.params.id, tenantId);
+        res.json({ success: true });
+    }
+    catch (err) {
+        next(err);
+    }
+});

package/dist/routes/auth.js

@@ -0,0 +1,122 @@
+import { Router } from "express";
+export const authRouter = Router();
+const IS_DEV_MODE = process.env.DEV_MODE === "true";
+const CORE_URL = process.env.OG_CORE_URL || "http://localhost:53666";
+const DEV_EMAIL = "dev@localhost";
+const DEV_RESPONSE = {
+    success: true,
+    email: DEV_EMAIL,
+    agentId: "dev-agent",
+    name: "Dev Agent",
+    quotaTotal: 999999,
+    quotaUsed: 0,
+    quotaRemaining: 999999,
+    agents: [],
+};
+async function fetchCoreAccount(apiKey) {
+    try {
+        const res = await fetch(`${CORE_URL}/api/v1/account`, {
+            headers: { Authorization: `Bearer ${apiKey}` },
+        });
+        if (!res.ok)
+            return null;
+        return res.json();
+    }
+    catch {
+        return null;
+    }
+}
+async function fetchCoreAccounts(apiKey) {
+    try {
+        const res = await fetch(`${CORE_URL}/api/v1/accounts`, {
+            headers: { Authorization: `Bearer ${apiKey}` },
+        });
+        if (!res.ok)
+            return null;
+        return res.json();
+    }
+    catch {
+        return null;
+    }
+}
+authRouter.post("/login", async (req, res, next) => {
+    if (IS_DEV_MODE) {
+        res.json(DEV_RESPONSE);
+        return;
+    }
+    try {
+        const { apiKey, email } = req.body;
+        if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+            res.status(400).json({ success: false, error: "Valid email required" });
+            return;
+        }
+        if (!apiKey || !apiKey.startsWith("sk-og-")) {
+            res.status(400).json({ success: false, error: "Valid API key required (sk-og-...)" });
+            return;
+        }
+        const account = await fetchCoreAccount(apiKey);
+        if (!account?.success) {
+            res.status(401).json({ success: false, error: "Invalid API key" });
+            return;
+        }
+        if (!account.email) {
+            res.status(403).json({ success: false, error: "Agent not yet activated. Complete email verification first." });
+            return;
+        }
+        if (account.email.toLowerCase() !== email.toLowerCase()) {
+            res.status(401).json({ success: false, error: "Email does not match this API key" });
+            return;
+        }
+        const accounts = await fetchCoreAccounts(apiKey);
+        const agents = accounts?.agents ?? [];
+        res.json({
+            success: true,
+            email: account.email,
+            agentId: account.agentId,
+            name: account.name,
+            quotaTotal: account.quotaTotal,
+            quotaUsed: account.quotaUsed,
+            quotaRemaining: account.quotaRemaining,
+            agents,
+        });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+authRouter.get("/me", async (req, res, next) => {
+    if (IS_DEV_MODE) {
+        res.json(DEV_RESPONSE);
+        return;
+    }
+    try {
+        const apiKey = req.headers.authorization?.replace("Bearer ", "");
+        if (!apiKey?.startsWith("sk-og-")) {
+            res.status(401).json({ success: false, error: "Not authenticated" });
+            return;
+        }
+        const account = await fetchCoreAccount(apiKey);
+        if (!account?.success || !account.email) {
+            res.status(401).json({ success: false, error: "Invalid or inactive API key" });
+            return;
+        }
+        const accounts = await fetchCoreAccounts(apiKey);
+        const agents = accounts?.agents ?? [];
+        res.json({
+            success: true,
+            email: account.email,
+            agentId: account.agentId,
+            name: account.name,
+            quotaTotal: account.quotaTotal,
+            quotaUsed: account.quotaUsed,
+            quotaRemaining: account.quotaRemaining,
+            agents,
+        });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+authRouter.post("/logout", (_req, res) => {
+    res.json({ success: true });
+});

package/dist/routes/detection.js

@@ -0,0 +1,101 @@
+import { Router } from "express";
+import { db, scannerQueries, policyQueries, usageQueries, detectionResultQueries, settingsQueries } from "@opentrust/db";
+import { callCoreDetect } from "../services/core-client.js";
+const scanners = scannerQueries(db);
+const policies = policyQueries(db);
+const usage = usageQueries(db);
+const detectionResults = detectionResultQueries(db);
+const settings = settingsQueries(db);
+export const detectionRouter = Router();
+/**
+ * POST /api/detect
+ * Detection proxy endpoint.
+ * Flow:
+ * 1. Check core key is configured
+ * 2. Get scanner config
+ * 3. Call core /v1/detect
+ * 4. Evaluate policies
+ * 5. Record usage + detection result
+ * 6. Return response
+ */
+detectionRouter.post("/", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        // 1. Check core key (skip in dev mode)
+        const coreKey = await settings.get("og_core_key");
+        if (!coreKey && process.env.DEV_MODE !== "true") {
+            res.status(503).json({
+                success: false,
+                error: "core key not configured. Go to Settings to add your key.",
+            });
+            return;
+        }
+        // 2. Get scanner config
+        const allScanners = await scanners.getAll(tenantId);
+        const coreScanners = allScanners.map((s) => ({
+            scannerId: s.scannerId,
+            name: s.name,
+            description: s.description,
+            isEnabled: s.isEnabled,
+        }));
+        // Validate request body
+        const { messages, format, role, agentId } = req.body;
+        if (!messages || !Array.isArray(messages) || messages.length === 0) {
+            res.status(400).json({ success: false, error: "messages array is required and must not be empty" });
+            return;
+        }
+        // 3. Call core
+        const coreResult = await callCoreDetect(messages, coreScanners, { format, role });
+        // 4. Evaluate policies
+        let policyAction = null;
+        if (!coreResult.safe) {
+            const enabledPolicies = await policies.getEnabled(tenantId);
+            for (const policy of enabledPolicies) {
+                const policyScannerIds = policy.scannerIds;
+                const matchesCategory = coreResult.categories.some((c) => policyScannerIds.includes(c));
+                if (matchesCategory && coreResult.sensitivity_score >= policy.sensitivityThreshold) {
+                    policyAction = policy.action;
+                    break;
+                }
+            }
+        }
+        // 5. Record usage + detection result
+        await usage.log({
+            agentId: agentId || null,
+            endpoint: "/api/detect",
+            statusCode: 200,
+            responseSafe: coreResult.safe,
+            categories: coreResult.categories,
+            latencyMs: coreResult.latency_ms,
+            requestId: coreResult.request_id,
+            tenantId,
+        });
+        await detectionResults.create({
+            agentId: agentId || null,
+            safe: coreResult.safe,
+            categories: coreResult.categories,
+            sensitivityScore: coreResult.sensitivity_score,
+            findings: coreResult.findings,
+            latencyMs: coreResult.latency_ms,
+            requestId: coreResult.request_id,
+            tenantId,
+        });
+        // 6. Return response with policy action
+        const response = {
+            ...coreResult,
+            ...(policyAction && { policy_action: policyAction }),
+        };
+        if (policyAction === "block") {
+            res.status(403).json({ success: true, data: response, blocked: true });
+            return;
+        }
+        res.json({ success: true, data: response });
+    }
+    catch (err) {
+        if (err instanceof Error && (err.message.includes("ECONNREFUSED") || err.message.includes("fetch failed"))) {
+            res.status(503).json({ success: false, error: "Detection service is temporarily unavailable. Please try again later." });
+            return;
+        }
+        next(err);
+    }
+});

package/dist/routes/discovery.js

@@ -0,0 +1,171 @@
+import { Router } from "express";
+import { db, agentQueries } from "@opentrust/db";
+const agentsDb = agentQueries(db);
+export const discoveryRouter = Router();
+function registeredToDiscovered(a) {
+    const m = (a.metadata ?? {});
+    return {
+        id: m.openclawId ?? a.id,
+        name: a.name,
+        status: a.status,
+        emoji: m.emoji ?? "🤖",
+        creature: m.creature ?? "",
+        vibe: m.vibe ?? "",
+        model: m.model ?? "",
+        provider: m.provider ?? a.provider,
+        workspacePath: "",
+        ownerName: m.ownerName ?? "",
+        avatarUrl: null,
+        skills: m.skills ?? [],
+        connectedSystems: m.connectedSystems ?? [],
+        channels: m.channels ?? [],
+        plugins: m.plugins ?? [],
+        hooks: m.hooks ?? [],
+        sessionCount: m.sessionCount ?? 0,
+        lastActive: m.lastActive ?? a.lastSeenAt,
+    };
+}
+function registeredToProfile(a) {
+    const m = (a.metadata ?? {});
+    const wf = m.workspaceFiles ?? {};
+    return {
+        ...registeredToDiscovered(a),
+        workspaceFiles: {
+            soul: wf.soul ?? "",
+            identity: wf.identity ?? "",
+            user: wf.user ?? "",
+            agents: wf.agents ?? "",
+            tools: wf.tools ?? "",
+            heartbeat: wf.heartbeat ?? "",
+        },
+        bootstrapExists: m.bootstrapExists ?? false,
+        cronJobs: m.cronJobs ?? [],
+        allSkills: (m.skills ?? []).map((s) => ({ ...s, source: "workspace" })),
+        bundledExtensions: [],
+    };
+}
+// ── Routes ───────────────────────────────────────────────────────────────────
+// GET /api/discovery/agents — list all agents (DB only)
+discoveryRouter.get("/agents", async (_req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const registered = await agentsDb.findAll(tenantId);
+        res.json({ success: true, data: registered.map(registeredToDiscovered) });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/discovery/agents/:id — single agent (DB only)
+discoveryRouter.get("/agents/:id", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const id = req.params.id;
+        const registered = await agentsDb.findAll(tenantId);
+        const match = registered.find((a) => {
+            const meta = (a.metadata ?? {});
+            return meta.openclawId === id || a.id === id;
+        });
+        if (!match) {
+            res.status(404).json({ success: false, error: "Agent not found" });
+            return;
+        }
+        res.json({ success: true, data: registeredToDiscovered(match) });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/discovery/agents/:id/profile — enriched profile (DB only)
+discoveryRouter.get("/agents/:id/profile", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const id = req.params.id;
+        const registered = await agentsDb.findAll(tenantId);
+        const match = registered.find((a) => {
+            const meta = (a.metadata ?? {});
+            return meta.openclawId === id || a.id === id;
+        });
+        if (!match) {
+            res.status(404).json({ success: false, error: "Agent not found" });
+            return;
+        }
+        const profile = registeredToProfile(match);
+        res.json({ success: true, data: { ...profile, registeredAgentId: match.id } });
+    }
+    catch (err) {
+        next(err);
+    }
+});
+// GET /api/discovery/agents/:id/summary — LLM-generated summary
+discoveryRouter.get("/agents/:id/summary", async (req, res, next) => {
+    try {
+        const tenantId = res.locals.tenantId;
+        const id = req.params.id;
+        const registered = await agentsDb.findAll(tenantId);
+        const match = registered.find((a) => {
+            const meta = (a.metadata ?? {});
+            return meta.openclawId === id || a.id === id;
+        });
+        if (!match) {
+            res.status(404).json({ success: false, error: "Agent not found" });
+            return;
+        }
+        const agent = registeredToDiscovered(match);
+        const prompt = `Summarize this AI agent in 2-3 concise paragraphs for a security dashboard:
+
+Name: ${agent.name} ${agent.emoji}
+Creature: ${agent.creature}
+Vibe: ${agent.vibe}
+Model: ${agent.provider}/${agent.model}
+Skills: ${agent.skills.map((s) => s.name).join(", ") || "none"}
+Connected Systems: ${agent.connectedSystems.join(", ") || "none"}
+Channels: ${agent.channels.join(", ") || "none"}
+Plugins: ${agent.plugins.map((p) => `${p.name}${p.enabled ? "" : " (disabled)"}`).join(", ") || "none"}
+Hooks: ${agent.hooks.map((h) => `${h.name}${h.enabled ? "" : " (disabled)"}`).join(", ") || "none"}
+Sessions: ${agent.sessionCount}
+Last Active: ${agent.lastActive || "unknown"}
+
+Focus on: what this agent does, its capabilities, connected systems and potential security surface area. Keep it factual and useful for a security team.`;
+        const gatewayPort = process.env.GATEWAY_PORT || "8900";
+        try {
+            const apiKey = process.env.ANTHROPIC_API_KEY || "not-set";
+            const response = await fetch(`http://localhost:${gatewayPort}/v1/messages`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "x-api-key": apiKey,
+                    "anthropic-version": "2023-06-01",
+                },
+                body: JSON.stringify({
+                    model: "claude-sonnet-4-5-20250929",
+                    max_tokens: 500,
+                    messages: [{ role: "user", content: prompt }],
+                }),
+                signal: AbortSignal.timeout(30000),
+            });
+            if (response.ok) {
+                const data = await response.json();
+                const text = data.content?.find((c) => c.type === "text")?.text;
+                if (text) {
+                    res.json({ success: true, data: { summary: text } });
+                    return;
+                }
+            }
+        }
+        catch {
+            // Gateway not available, fall through to static summary
+        }
+        const skillList = agent.skills.map((s) => s.name).join(", ");
+        const systemList = agent.connectedSystems.join(", ");
+        const summary = `${agent.name} is an AI agent running on ${agent.provider}/${agent.model}. ` +
+            (skillList ? `It has ${agent.skills.length} skill(s): ${skillList}. ` : "It has no registered skills. ") +
+            (systemList ? `Connected systems: ${systemList}. ` : "") +
+            `It has ${agent.sessionCount} recorded session(s)` +
+            (agent.lastActive ? `, last active ${new Date(agent.lastActive).toLocaleDateString()}.` : ".");
+        res.json({ success: true, data: { summary } });
+    }
+    catch (err) {
+        next(err);
+    }
+});