@pixelbyte-software/pixcode 1.35.2 → 1.35.3

package/server/load-env.js

@@ -1,34 +1,34 @@
-// Load environment variables from .env before other imports execute.
-import fs from 'fs';
-import os from 'os';
-import path from 'path';
-import { findAppRoot, getModuleDir } from './utils/runtime-paths.js';
-
-const __dirname = getModuleDir(import.meta.url);
-// Resolve the repo/app root via the nearest /server folder so this file keeps finding the
-// same top-level .env file from both /server/load-env.js and /dist-server/server/load-env.js.
-const APP_ROOT = findAppRoot(__dirname);
-
-try {
-  const envPath = path.join(APP_ROOT, '.env');
-  const envFile = fs.readFileSync(envPath, 'utf8');
-  envFile.split('\n').forEach(line => {
-    const trimmedLine = line.trim();
-    if (trimmedLine && !trimmedLine.startsWith('#')) {
-      const [key, ...valueParts] = trimmedLine.split('=');
-      if (key && valueParts.length > 0 && !process.env[key]) {
-        process.env[key] = valueParts.join('=').trim();
-      }
-    }
-  });
-} catch (e) {
-  console.log('No .env file found or error reading it:', e.message);
-}
-
-// Keep the default database in a stable user-level location so rebuilding dist-server
-// never changes where the backend stores auth.db when DATABASE_PATH is not set explicitly.
-const DEFAULT_DATABASE_PATH = path.join(os.homedir(), '.pixcode', 'auth.db');
-
-if (!process.env.DATABASE_PATH) {
-  process.env.DATABASE_PATH = DEFAULT_DATABASE_PATH;
-}
+// Load environment variables from .env before other imports execute.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { findAppRoot, getModuleDir } from './utils/runtime-paths.js';
+
+const __dirname = getModuleDir(import.meta.url);
+// Resolve the repo/app root via the nearest /server folder so this file keeps finding the
+// same top-level .env file from both /server/load-env.js and /dist-server/server/load-env.js.
+const APP_ROOT = findAppRoot(__dirname);
+
+try {
+  const envPath = path.join(APP_ROOT, '.env');
+  const envFile = fs.readFileSync(envPath, 'utf8');
+  envFile.split('\n').forEach(line => {
+    const trimmedLine = line.trim();
+    if (trimmedLine && !trimmedLine.startsWith('#')) {
+      const [key, ...valueParts] = trimmedLine.split('=');
+      if (key && valueParts.length > 0 && !process.env[key]) {
+        process.env[key] = valueParts.join('=').trim();
+      }
+    }
+  });
+} catch (e) {
+  console.log('No .env file found or error reading it:', e.message);
+}
+
+// Keep the default database in a stable user-level location so rebuilding dist-server
+// never changes where the backend stores auth.db when DATABASE_PATH is not set explicitly.
+const DEFAULT_DATABASE_PATH = path.join(os.homedir(), '.pixcode', 'auth.db');
+
+if (!process.env.DATABASE_PATH) {
+  process.env.DATABASE_PATH = DEFAULT_DATABASE_PATH;
+}

package/server/middleware/auth.js

@@ -1,173 +1,173 @@
-import jwt from 'jsonwebtoken';
-import { userDb, appConfigDb, apiKeysDb } from '../database/db.js';
-import { IS_PLATFORM } from '../constants/config.js';
-
-// Use env var if set, otherwise auto-generate a unique secret per installation
-const JWT_SECRET = process.env.JWT_SECRET || appConfigDb.getOrCreateJwtSecret();
-
-// Optional API key middleware
-const validateApiKey = (req, res, next) => {
-  // Skip API key validation if not configured
-  if (!process.env.API_KEY) {
-    return next();
-  }
-  
-  const apiKey = req.headers['x-api-key'];
-  if (apiKey !== process.env.API_KEY) {
-    return res.status(401).json({ error: 'Invalid API key' });
-  }
-  next();
-};
-
-// JWT authentication middleware
-const authenticateToken = async (req, res, next) => {
-  // Platform mode:  use single database user
-  if (IS_PLATFORM) {
-    try {
-      const user = userDb.getFirstUser();
-      if (!user) {
-        return res.status(500).json({ error: 'Platform mode: No user found in database' });
-      }
-      req.user = user;
-      return next();
-    } catch (error) {
-      console.error('Platform mode error:', error);
-      return res.status(500).json({ error: 'Platform mode: Failed to fetch user' });
-    }
-  }
-
-  // Pull credentials from any of the supported transports.
-  //  - Authorization: Bearer <jwt-or-apikey>
-  //  - X-API-Key: <apikey>            (legacy, kept for /api/agent compatibility)
-  //  - ?token=<jwt>                    (EventSource workaround — can't set headers)
-  //  - ?apiKey=<apikey>                (EventSource workaround)
-  // Auth-token mode is decided by the prefix: keys generated by Pixcode start
-  // with `ck_` (see apiKeysDb.generateApiKey) — anything else falls through
-  // to JWT verification.
-  const authHeader = req.headers['authorization'];
-  const bearerToken = authHeader && authHeader.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
-  const apiKeyHeader = req.headers['x-api-key'];
-  const queryToken = typeof req.query.token === 'string' ? req.query.token : null;
-  const queryApiKey = typeof req.query.apiKey === 'string' ? req.query.apiKey : null;
-
-  // Try API-key paths first when the credential is unambiguously an API key.
-  const explicitApiKey = apiKeyHeader || queryApiKey
-    || (bearerToken && bearerToken.startsWith('ck_') ? bearerToken : null)
-    || (queryToken && queryToken.startsWith('ck_') ? queryToken : null);
-
-  if (explicitApiKey) {
-    try {
-      const user = apiKeysDb.validateApiKey(explicitApiKey);
-      if (!user) {
-        return res.status(401).json({ error: 'Invalid or inactive API key' });
-      }
-      req.user = user;
-      return next();
-    } catch (error) {
-      console.error('API key validation error:', error);
-      return res.status(500).json({ error: 'Authentication backend error' });
-    }
-  }
-
-  // Otherwise fall back to JWT.
-  const jwtToken = bearerToken || queryToken;
-  if (!jwtToken) {
-    return res.status(401).json({ error: 'Access denied. No token provided.' });
-  }
-
-  try {
-    const decoded = jwt.verify(jwtToken, JWT_SECRET);
-
-    // Verify user still exists and is active
-    const user = userDb.getUserById(decoded.userId);
-    if (!user) {
-      return res.status(401).json({ error: 'Invalid token. User not found.' });
-    }
-
-    // Auto-refresh: if token is past halfway through its lifetime, issue a new one
-    if (decoded.exp && decoded.iat) {
-      const now = Math.floor(Date.now() / 1000);
-      const halfLife = (decoded.exp - decoded.iat) / 2;
-      if (now > decoded.iat + halfLife) {
-        const newToken = generateToken(user);
-        res.setHeader('X-Refreshed-Token', newToken);
-      }
-    }
-
-    req.user = user;
-    next();
-  } catch (error) {
-    console.error('Token verification error:', error);
-    return res.status(403).json({ error: 'Invalid token' });
-  }
-};
-
-// Generate JWT token
-const generateToken = (user) => {
-  return jwt.sign(
-    {
-      userId: user.id,
-      username: user.username
-    },
-    JWT_SECRET,
-    { expiresIn: '7d' }
-  );
-};
-
-// WebSocket authentication function
-const authenticateWebSocket = (token) => {
-  // Platform mode: bypass token validation, return first user
-  if (IS_PLATFORM) {
-    try {
-      const user = userDb.getFirstUser();
-      if (user) {
-        return { id: user.id, userId: user.id, username: user.username };
-      }
-      return null;
-    } catch (error) {
-      console.error('Platform mode WebSocket error:', error);
-      return null;
-    }
-  }
-
-  // Normal OSS validation — accept either an API key (`ck_…`) or a JWT.
-  // Mirrors the REST `authenticateToken` middleware so any tool that has
-  // a `ck_` key (CI scripts, the api-tester subagent, the user's own
-  // automation, ...) can also open a WebSocket without first exchanging
-  // the key for a JWT.
-  if (!token) {
-    return null;
-  }
-
-  if (typeof token === 'string' && token.startsWith('ck_')) {
-    try {
-      const user = apiKeysDb.validateApiKey(token);
-      if (!user) return null;
-      return { userId: user.id, username: user.username };
-    } catch (error) {
-      console.error('WebSocket API key validation error:', error);
-      return null;
-    }
-  }
-
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-    // Verify user actually exists in database (matches REST authenticateToken behavior)
-    const user = userDb.getUserById(decoded.userId);
-    if (!user) {
-      return null;
-    }
-    return { userId: user.id, username: user.username };
-  } catch (error) {
-    console.error('WebSocket token verification error:', error);
-    return null;
-  }
-};
-
-export {
-  validateApiKey,
-  authenticateToken,
-  generateToken,
-  authenticateWebSocket,
-  JWT_SECRET
-};
+import jwt from 'jsonwebtoken';
+import { userDb, appConfigDb, apiKeysDb } from '../database/db.js';
+import { IS_PLATFORM } from '../constants/config.js';
+
+// Use env var if set, otherwise auto-generate a unique secret per installation
+const JWT_SECRET = process.env.JWT_SECRET || appConfigDb.getOrCreateJwtSecret();
+
+// Optional API key middleware
+const validateApiKey = (req, res, next) => {
+  // Skip API key validation if not configured
+  if (!process.env.API_KEY) {
+    return next();
+  }
+  
+  const apiKey = req.headers['x-api-key'];
+  if (apiKey !== process.env.API_KEY) {
+    return res.status(401).json({ error: 'Invalid API key' });
+  }
+  next();
+};
+
+// JWT authentication middleware
+const authenticateToken = async (req, res, next) => {
+  // Platform mode:  use single database user
+  if (IS_PLATFORM) {
+    try {
+      const user = userDb.getFirstUser();
+      if (!user) {
+        return res.status(500).json({ error: 'Platform mode: No user found in database' });
+      }
+      req.user = user;
+      return next();
+    } catch (error) {
+      console.error('Platform mode error:', error);
+      return res.status(500).json({ error: 'Platform mode: Failed to fetch user' });
+    }
+  }
+
+  // Pull credentials from any of the supported transports.
+  //  - Authorization: Bearer <jwt-or-apikey>
+  //  - X-API-Key: <apikey>            (legacy, kept for /api/agent compatibility)
+  //  - ?token=<jwt>                    (EventSource workaround — can't set headers)
+  //  - ?apiKey=<apikey>                (EventSource workaround)
+  // Auth-token mode is decided by the prefix: keys generated by Pixcode start
+  // with `ck_` (see apiKeysDb.generateApiKey) — anything else falls through
+  // to JWT verification.
+  const authHeader = req.headers['authorization'];
+  const bearerToken = authHeader && authHeader.startsWith('Bearer ') ? authHeader.slice(7).trim() : null;
+  const apiKeyHeader = req.headers['x-api-key'];
+  const queryToken = typeof req.query.token === 'string' ? req.query.token : null;
+  const queryApiKey = typeof req.query.apiKey === 'string' ? req.query.apiKey : null;
+
+  // Try API-key paths first when the credential is unambiguously an API key.
+  const explicitApiKey = apiKeyHeader || queryApiKey
+    || (bearerToken && bearerToken.startsWith('ck_') ? bearerToken : null)
+    || (queryToken && queryToken.startsWith('ck_') ? queryToken : null);
+
+  if (explicitApiKey) {
+    try {
+      const user = apiKeysDb.validateApiKey(explicitApiKey);
+      if (!user) {
+        return res.status(401).json({ error: 'Invalid or inactive API key' });
+      }
+      req.user = user;
+      return next();
+    } catch (error) {
+      console.error('API key validation error:', error);
+      return res.status(500).json({ error: 'Authentication backend error' });
+    }
+  }
+
+  // Otherwise fall back to JWT.
+  const jwtToken = bearerToken || queryToken;
+  if (!jwtToken) {
+    return res.status(401).json({ error: 'Access denied. No token provided.' });
+  }
+
+  try {
+    const decoded = jwt.verify(jwtToken, JWT_SECRET);
+
+    // Verify user still exists and is active
+    const user = userDb.getUserById(decoded.userId);
+    if (!user) {
+      return res.status(401).json({ error: 'Invalid token. User not found.' });
+    }
+
+    // Auto-refresh: if token is past halfway through its lifetime, issue a new one
+    if (decoded.exp && decoded.iat) {
+      const now = Math.floor(Date.now() / 1000);
+      const halfLife = (decoded.exp - decoded.iat) / 2;
+      if (now > decoded.iat + halfLife) {
+        const newToken = generateToken(user);
+        res.setHeader('X-Refreshed-Token', newToken);
+      }
+    }
+
+    req.user = user;
+    next();
+  } catch (error) {
+    console.error('Token verification error:', error);
+    return res.status(403).json({ error: 'Invalid token' });
+  }
+};
+
+// Generate JWT token
+const generateToken = (user) => {
+  return jwt.sign(
+    {
+      userId: user.id,
+      username: user.username
+    },
+    JWT_SECRET,
+    { expiresIn: '7d' }
+  );
+};
+
+// WebSocket authentication function
+const authenticateWebSocket = (token) => {
+  // Platform mode: bypass token validation, return first user
+  if (IS_PLATFORM) {
+    try {
+      const user = userDb.getFirstUser();
+      if (user) {
+        return { id: user.id, userId: user.id, username: user.username };
+      }
+      return null;
+    } catch (error) {
+      console.error('Platform mode WebSocket error:', error);
+      return null;
+    }
+  }
+
+  // Normal OSS validation — accept either an API key (`ck_…`) or a JWT.
+  // Mirrors the REST `authenticateToken` middleware so any tool that has
+  // a `ck_` key (CI scripts, the api-tester subagent, the user's own
+  // automation, ...) can also open a WebSocket without first exchanging
+  // the key for a JWT.
+  if (!token) {
+    return null;
+  }
+
+  if (typeof token === 'string' && token.startsWith('ck_')) {
+    try {
+      const user = apiKeysDb.validateApiKey(token);
+      if (!user) return null;
+      return { userId: user.id, username: user.username };
+    } catch (error) {
+      console.error('WebSocket API key validation error:', error);
+      return null;
+    }
+  }
+
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET);
+    // Verify user actually exists in database (matches REST authenticateToken behavior)
+    const user = userDb.getUserById(decoded.userId);
+    if (!user) {
+      return null;
+    }
+    return { userId: user.id, username: user.username };
+  } catch (error) {
+    console.error('WebSocket token verification error:', error);
+    return null;
+  }
+};
+
+export {
+  validateApiKey,
+  authenticateToken,
+  generateToken,
+  authenticateWebSocket,
+  JWT_SECRET
+};

package/server/modules/orchestration/a2a/adapter-registry.ts

@@ -1,108 +1,108 @@
-// server/modules/orchestration/a2a/adapter-registry.ts
-// In-process registry mapping adapter ids to AbstractA2AAdapter
-// instances. Resolution supports three id forms:
-//   - "claude-code"        explicit
-//   - "skill:<skillId>"    first REGISTERED adapter advertising that skill
-//                          (Map iteration is insertion-ordered per ES spec).
-//   - "auto"               first registered adapter (deterministic fallback
-//                          until smarter routing arrives in a later plan)
-
-import type { AbstractA2AAdapter } from '@/modules/orchestration/a2a/adapters/abstract-a2a.adapter.js';
-import type { AgentCard } from '@/modules/orchestration/a2a/types.js';
-
-interface ResolveAdapterOptions {
-  preferredAdapterId?: string;
-  preferredProvider?: string;
-  preferredSkillId?: string;
-}
-
-class AdapterRegistry {
-  // Map iteration order is insertion-ordered (ES spec); auto and skill: resolution depend on this.
-  private readonly byId = new Map<string, AbstractA2AAdapter>();
-
-  register(adapter: AbstractA2AAdapter): void {
-    if (this.byId.has(adapter.id)) {
-      throw new Error(`A2A adapter already registered: ${adapter.id}`);
-    }
-    this.byId.set(adapter.id, adapter);
-  }
-
-  get(id: string): AbstractA2AAdapter | undefined {
-    return this.byId.get(id);
-  }
-
-  resolve(idOrSelector: string, options: ResolveAdapterOptions = {}): AbstractA2AAdapter | undefined {
-    const normalizedSelector = idOrSelector.trim();
-    if (!normalizedSelector) {
-      return undefined;
-    }
-
-    if (normalizedSelector === 'auto') {
-      return this.pickPreferred(this.list(), options);
-    }
-
-    if (normalizedSelector.startsWith('skill:')) {
-      const skill = normalizedSelector.slice('skill:'.length);
-      const matches = this.list().filter((adapter) =>
-        adapter.agentCard.skills.some((s) => s.id === skill),
-      );
-      if (matches.length === 0) {
-        return undefined;
-      }
-      return this.pickPreferred(matches, {
-        ...options,
-        preferredSkillId: options.preferredSkillId ?? skill,
-      });
-    }
-
-    return this.byId.get(normalizedSelector);
-  }
-
-  list(): AbstractA2AAdapter[] {
-    return [...this.byId.values()];
-  }
-
-  agentCards(): AgentCard[] {
-    return this.list().map((a) => a.agentCard);
-  }
-
-  private pickPreferred(
-    adapters: AbstractA2AAdapter[],
-    options: ResolveAdapterOptions,
-  ): AbstractA2AAdapter | undefined {
-    const {
-      preferredAdapterId,
-      preferredProvider,
-      preferredSkillId,
-    } = options;
-
-    if (preferredAdapterId) {
-      const byAdapterId = adapters.find((adapter) => adapter.id === preferredAdapterId);
-      if (byAdapterId) {
-        return byAdapterId;
-      }
-    }
-
-    if (preferredProvider) {
-      const normalizedProvider = preferredProvider.trim().toLowerCase();
-      const byProvider = adapters.find((adapter) => adapter.id === normalizedProvider);
-      if (byProvider) {
-        return byProvider;
-      }
-    }
-
-    if (preferredSkillId) {
-      const bySkill = adapters.find((adapter) =>
-        adapter.agentCard.skills.some((skill) => skill.id === preferredSkillId),
-      );
-      if (bySkill) {
-        return bySkill;
-      }
-    }
-
-    return adapters[0];
-  }
-}
-
-export const adapterRegistry = new AdapterRegistry();
-export type { AdapterRegistry, ResolveAdapterOptions };
+// server/modules/orchestration/a2a/adapter-registry.ts
+// In-process registry mapping adapter ids to AbstractA2AAdapter
+// instances. Resolution supports three id forms:
+//   - "claude-code"        explicit
+//   - "skill:<skillId>"    first REGISTERED adapter advertising that skill
+//                          (Map iteration is insertion-ordered per ES spec).
+//   - "auto"               first registered adapter (deterministic fallback
+//                          until smarter routing arrives in a later plan)
+
+import type { AbstractA2AAdapter } from '@/modules/orchestration/a2a/adapters/abstract-a2a.adapter.js';
+import type { AgentCard } from '@/modules/orchestration/a2a/types.js';
+
+interface ResolveAdapterOptions {
+  preferredAdapterId?: string;
+  preferredProvider?: string;
+  preferredSkillId?: string;
+}
+
+class AdapterRegistry {
+  // Map iteration order is insertion-ordered (ES spec); auto and skill: resolution depend on this.
+  private readonly byId = new Map<string, AbstractA2AAdapter>();
+
+  register(adapter: AbstractA2AAdapter): void {
+    if (this.byId.has(adapter.id)) {
+      throw new Error(`A2A adapter already registered: ${adapter.id}`);
+    }
+    this.byId.set(adapter.id, adapter);
+  }
+
+  get(id: string): AbstractA2AAdapter | undefined {
+    return this.byId.get(id);
+  }
+
+  resolve(idOrSelector: string, options: ResolveAdapterOptions = {}): AbstractA2AAdapter | undefined {
+    const normalizedSelector = idOrSelector.trim();
+    if (!normalizedSelector) {
+      return undefined;
+    }
+
+    if (normalizedSelector === 'auto') {
+      return this.pickPreferred(this.list(), options);
+    }
+
+    if (normalizedSelector.startsWith('skill:')) {
+      const skill = normalizedSelector.slice('skill:'.length);
+      const matches = this.list().filter((adapter) =>
+        adapter.agentCard.skills.some((s) => s.id === skill),
+      );
+      if (matches.length === 0) {
+        return undefined;
+      }
+      return this.pickPreferred(matches, {
+        ...options,
+        preferredSkillId: options.preferredSkillId ?? skill,
+      });
+    }
+
+    return this.byId.get(normalizedSelector);
+  }
+
+  list(): AbstractA2AAdapter[] {
+    return [...this.byId.values()];
+  }
+
+  agentCards(): AgentCard[] {
+    return this.list().map((a) => a.agentCard);
+  }
+
+  private pickPreferred(
+    adapters: AbstractA2AAdapter[],
+    options: ResolveAdapterOptions,
+  ): AbstractA2AAdapter | undefined {
+    const {
+      preferredAdapterId,
+      preferredProvider,
+      preferredSkillId,
+    } = options;
+
+    if (preferredAdapterId) {
+      const byAdapterId = adapters.find((adapter) => adapter.id === preferredAdapterId);
+      if (byAdapterId) {
+        return byAdapterId;
+      }
+    }
+
+    if (preferredProvider) {
+      const normalizedProvider = preferredProvider.trim().toLowerCase();
+      const byProvider = adapters.find((adapter) => adapter.id === normalizedProvider);
+      if (byProvider) {
+        return byProvider;
+      }
+    }
+
+    if (preferredSkillId) {
+      const bySkill = adapters.find((adapter) =>
+        adapter.agentCard.skills.some((skill) => skill.id === preferredSkillId),
+      );
+      if (bySkill) {
+        return bySkill;
+      }
+    }
+
+    return adapters[0];
+  }
+}
+
+export const adapterRegistry = new AdapterRegistry();
+export type { AdapterRegistry, ResolveAdapterOptions };