@promptbook/cli 0.112.0-93 → 0.112.0-95

package/apps/agents-server/src/app/api/admin/servers/route.ts

@@ -1,12 +1,24 @@
 import { NextResponse } from 'next/server';
+import { isAgentsServerSqliteMode } from '../../../../database/agentsServerDatabaseMode';
 import { resolveCurrentServerRegistryContext } from '../../../../utils/currentServerRegistryContext';
+import { isUserAdmin } from '../../../../utils/isUserAdmin';
 import { isUserGlobalAdmin } from '../../../../utils/isUserGlobalAdmin';
+import {
+    createServerPublicUrl,
+    listEnvironmentRegisteredServers,
+    normalizeServerDomain,
+} from '../../../../utils/serverRegistry';
 import {
     assertGlobalAdminAccess,
     createManagedServer,
     resolveManagedServerErrorStatus,
     type CreateServerInput,
 } from '../../../../utils/serverManagement';
+import {
+    applyVpsRuntimeConfiguration,
+    listConfiguredVpsDomains,
+    updateConfiguredVpsDomains,
+} from '../../../../utils/vpsConfiguration';
 
 /**
  * Lists all registered servers together with the server resolved from the current domain.
@@ -15,12 +27,15 @@ import {
  */
 export async function GET() {
     try {
-        assertGlobalAdminAccess(await isUserGlobalAdmin());
+        if (!(await isUserAdmin())) {
+            return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+        }
 
         const context = await resolveCurrentServerRegistryContext();
         return NextResponse.json({
             servers: context.registeredServers,
             currentServerId: context.currentServer?.id ?? null,
+            canEdit: await isUserGlobalAdmin(),
         });
     } catch (error) {
         return NextResponse.json(
@@ -43,6 +58,26 @@ export async function POST(request: Request) {
         assertGlobalAdminAccess(await isUserGlobalAdmin());
 
         const body = (await request.json()) as CreateServerInput;
+        if (isAgentsServerSqliteMode()) {
+            const normalizedDomain = normalizeServerDomain(body.domain);
+            if (!normalizedDomain) {
+                return NextResponse.json({ error: 'A valid domain is required.' }, { status: 400 });
+            }
+
+            const existingDomains = await listConfiguredVpsDomains();
+            await updateConfiguredVpsDomains([...existingDomains, normalizedDomain]);
+            await applyVpsRuntimeConfiguration();
+            const createdServer = listEnvironmentRegisteredServers().find((server) => server.domain === normalizedDomain);
+
+            return NextResponse.json(
+                {
+                    server: createdServer ?? null,
+                    publicUrl: createServerPublicUrl(normalizedDomain).href,
+                },
+                { status: 201 },
+            );
+        }
+
         const result = await createManagedServer(body);
 
         if (!result.ok) {

package/apps/agents-server/src/app/page.tsx

@@ -1,15 +1,39 @@
 import { headers } from 'next/headers';
+import Link from 'next/link';
+import { redirect } from 'next/navigation';
 import { $sideEffect } from '../../../../src/utils/organization/$sideEffect';
+import { ForbiddenPage } from '../components/ForbiddenPage/ForbiddenPage';
 import { HomepagePrimarySections } from '../components/Homepage/HomepagePrimarySections';
 import { $provideServer } from '../tools/$provideServer';
 import { isUserAdmin } from '../utils/isUserAdmin';
+import { isUserGlobalAdmin } from '../utils/isUserGlobalAdmin';
+import {
+    createServerPublicUrl,
+    listRegisteredServersUsingServiceRole,
+    resolveRegisteredServerByHost,
+    type ServerRecord,
+} from '../utils/serverRegistry';
 import { getHomePageAgents } from './_data/getHomePageAgents';
 
 /**
  * Renders the simplified agents home page with local and federated agents.
  */
 export default async function HomePage() {
-    $sideEffect(/* Note: [??] This will ensure dynamic rendering of page and avoid Next.js pre-render */ headers());
+    const headerStore = await headers();
+    $sideEffect(/* Note: [??] This will ensure dynamic rendering of page and avoid Next.js pre-render */ headerStore);
+
+    const ipAddressRouting = await resolveIpAddressRouting(headerStore.get('host'));
+    if (ipAddressRouting === 'LOGIN') {
+        return <ForbiddenPage />;
+    }
+
+    if (ipAddressRouting === 'CONFIGURE') {
+        redirect('/admin/servers?setup=1');
+    }
+
+    if (Array.isArray(ipAddressRouting)) {
+        return <IpAddressDomainChooser servers={ipAddressRouting} />;
+    }
 
     const [{ publicUrl }, isAdmin, { agents, folders, homepageMessage, currentUser }] = await Promise.all([
         $provideServer(),
@@ -32,3 +56,79 @@ export default async function HomePage() {
         </div>
     );
 }
+
+/**
+ * Resolves special raw-IP behavior for standalone VPS access.
+ *
+ * @param host - Request host header.
+ * @returns Routing instruction or `null` when normal homepage rendering should continue.
+ */
+async function resolveIpAddressRouting(host: string | null): Promise<'LOGIN' | 'CONFIGURE' | ReadonlyArray<ServerRecord> | null> {
+    if (!host || !isIpAddressHost(host)) {
+        return null;
+    }
+
+    const registeredServers = await listRegisteredServersUsingServiceRole().catch(() => []);
+    if (resolveRegisteredServerByHost(host, registeredServers)) {
+        return null;
+    }
+
+    if (registeredServers.length === 0) {
+        return (await isUserGlobalAdmin()) ? 'CONFIGURE' : 'LOGIN';
+    }
+
+    if (registeredServers.length === 1) {
+        redirect(createServerPublicUrl(registeredServers[0]!.domain).href);
+    }
+
+    return registeredServers;
+}
+
+/**
+ * Checks whether the request host is a raw IPv4 or IPv6 address.
+ *
+ * @param host - Raw host header.
+ * @returns `true` for IP-address access.
+ */
+function isIpAddressHost(host: string): boolean {
+    const hostname = host
+        .trim()
+        .replace(/^\[(.+)\](?::\d+)?$/u, '$1')
+        .replace(/:\d+$/u, '');
+
+    return /^\d{1,3}(?:\.\d{1,3}){3}$/u.test(hostname) || hostname.includes(':');
+}
+
+/**
+ * Simple domain chooser shown when a raw IP has multiple configured domains.
+ *
+ * @param props - Configured server list.
+ */
+function IpAddressDomainChooser(props: { readonly servers: ReadonlyArray<ServerRecord> }) {
+    return (
+        <div className="min-h-screen bg-slate-50 px-4 py-24">
+            <div className="mx-auto max-w-2xl space-y-6">
+                <div>
+                    <h1 className="text-3xl font-light text-slate-900">Choose a domain</h1>
+                    <p className="mt-2 text-sm text-slate-600">
+                        This VPS has multiple Agents Server domains configured. Open the domain you want to use.
+                    </p>
+                </div>
+                <div className="grid gap-3">
+                    {props.servers.map((server) => {
+                        const url = createServerPublicUrl(server.domain).href;
+                        return (
+                            <Link
+                                key={server.id}
+                                href={url}
+                                className="rounded-xl border border-slate-200 bg-white px-4 py-3 text-sm font-semibold text-slate-800 shadow-sm transition hover:border-blue-300 hover:text-blue-700"
+                            >
+                                {server.domain}
+                            </Link>
+                        );
+                    })}
+                </div>
+            </div>
+        </div>
+    );
+}

package/apps/agents-server/src/components/Header/buildHeaderSystemMenuItems.ts

@@ -28,6 +28,7 @@ type HeaderTranslate = (key: ServerTranslationKey, variables?: Readonly<Record<s
 type SystemCategoryLabel =
     | 'My Account'
     | 'Utilities'
+    | 'Super Admin'
     | 'Administration'
     | 'Monitoring & Usage'
     | 'Integrations & Keys'
@@ -54,6 +55,7 @@ type BuildHeaderSystemMenuItemsOptions = {
 const SYSTEM_CATEGORY_ICON_MAP: Record<SystemCategoryLabel, LucideIcon> = {
     'My Account': UserRound,
     Utilities: Wrench,
+    'Super Admin': Settings2,
     Administration: Settings2,
     'Monitoring & Usage': BarChart3,
     'Integrations & Keys': KeyRound,
@@ -67,6 +69,7 @@ const SYSTEM_CATEGORY_ICON_MAP: Record<SystemCategoryLabel, LucideIcon> = {
 const SYSTEM_CATEGORY_TRANSLATION_KEY_MAP: Record<SystemCategoryLabel, ServerTranslationKey> = {
     'My Account': 'header.myAccount',
     Utilities: 'header.utilities',
+    'Super Admin': 'header.superAdmin',
     Administration: 'header.administration',
     'Monitoring & Usage': 'header.monitoringAndUsage',
     'Integrations & Keys': 'header.integrationsAndKeys',
@@ -187,16 +190,31 @@ export function buildHeaderSystemMenuItems({
         ];
     }
 
-    const administrationSystemItems: SubMenuItem[] = [
+    const superAdminSystemItems: SubMenuItem[] = [
+        {
+            label: translate('header.servers'),
+            href: '/admin/servers',
+            isBold: true,
+        },
+        {
+            label: translate('header.environmentVariables'),
+            href: '/admin/environment',
+        },
         ...(isGlobalAdmin
             ? [
                   {
-                      label: translate('header.servers'),
-                      href: '/admin/servers',
-                      isBold: true,
+                      label: translate('header.logs'),
+                      href: '/admin/logs',
+                  } as SubMenuItem,
+                  {
+                      label: translate('header.codeRunners'),
+                      href: '/admin/code-runners',
                   } as SubMenuItem,
               ]
             : []),
+    ];
+
+    const administrationSystemItems: SubMenuItem[] = [
         {
             label: translate('header.models'),
             href: '/admin/models',
@@ -311,6 +329,7 @@ export function buildHeaderSystemMenuItems({
     return [
         ...createSystemCategory('My Account', userAccountSystemItems, translate),
         ...createSystemCategory('Utilities', utilitiesSystemItems, translate),
+        ...createSystemCategory('Super Admin', superAdminSystemItems, translate),
         ...createSystemCategory('Administration', administrationSystemItems, translate),
         ...createSystemCategory('Monitoring & Usage', monitoringAndUsageSystemItems, translate),
         ...createSystemCategory('Integrations & Keys', integrationsAndKeysSystemItems, translate),

package/apps/agents-server/src/languages/ServerTranslationKeys.ts

@@ -126,6 +126,7 @@ export const SERVER_TRANSLATION_KEYS = [
     'header.changePassword',
     'header.menuLabel',
     'header.myAccount',
+    'header.superAdmin',
     'header.administration',
     'header.monitoringAndUsage',
     'header.integrationsAndKeys',
@@ -140,6 +141,9 @@ export const SERVER_TRANSLATION_KEYS = [
     'header.viewAllUsers',
     'header.createNewUser',
     'header.servers',
+    'header.environmentVariables',
+    'header.logs',
+    'header.codeRunners',
     'header.models',
     'header.openApiDocumentation',
     'header.apiTokens',

package/apps/agents-server/src/languages/translations/czech.yaml

@@ -120,6 +120,7 @@ header.logOut: Odhlásit se
 header.changePassword: Změnit heslo
 header.menuLabel: Nabídka
 header.myAccount: Můj účet
+header.superAdmin: Super administrace
 header.administration: Administrace
 header.monitoringAndUsage: Monitoring a využití
 header.integrationsAndKeys: Integrace a klíče
@@ -134,6 +135,9 @@ header.mockedChats: Ukázkové chaty
 header.viewAllUsers: Zobrazit všechny uživatele
 header.createNewUser: Vytvořit nového uživatele
 header.servers: Servery
+header.environmentVariables: Proměnné prostředí
+header.logs: Logy
+header.codeRunners: Code runnery
 header.models: Modely
 header.openApiDocumentation: Dokumentace OpenAPI
 header.apiTokens: API tokeny

package/apps/agents-server/src/languages/translations/english.yaml

@@ -122,6 +122,7 @@ header.logOut: Log out
 header.changePassword: Change Password
 header.menuLabel: Menu
 header.myAccount: My Account
+header.superAdmin: Super Admin
 header.administration: Administration
 header.monitoringAndUsage: Monitoring & Usage
 header.integrationsAndKeys: Integrations & Keys
@@ -136,6 +137,9 @@ header.mockedChats: Mocked Chats
 header.viewAllUsers: View all users
 header.createNewUser: Create new user
 header.servers: Servers
+header.environmentVariables: Environment variables
+header.logs: Logs
+header.codeRunners: Code runners
 header.models: Models
 header.openApiDocumentation: OpenAPI Documentation
 header.apiTokens: API Tokens

package/apps/agents-server/src/tools/$provideServer.ts

@@ -55,6 +55,14 @@ const getCachedProvidedServer = cache(async (): Promise<ProvidedServer> => {
             });
 
             if (!resolvedSqliteServer) {
+                if (isIpAddressHost(requestHost)) {
+                    return {
+                        id: null,
+                        publicUrl: resolveFallbackPublicUrl(requestHost),
+                        tablePrefix: SUPABASE_TABLE_PREFIX,
+                    };
+                }
+
                 throw new Error(`Server with host "${requestHost}" is not registered in SERVERS`);
             }
 
@@ -156,3 +164,22 @@ function isLocalDevelopmentHost(host: string | null): boolean {
         normalizedHost.startsWith('[::1]:')
     );
 }
+
+/**
+ * Checks whether the current request host is a raw IP address.
+ *
+ * @param host - Raw request host.
+ * @returns `true` when the host is IPv4 or IPv6.
+ */
+function isIpAddressHost(host: string | null): boolean {
+    if (!host) {
+        return false;
+    }
+
+    const hostname = host
+        .trim()
+        .replace(/^\[(.+)\](?::\d+)?$/u, '$1')
+        .replace(/:\d+$/u, '');
+
+    return /^\d{1,3}(?:\.\d{1,3}){3}$/u.test(hostname) || hostname.includes(':');
+}

package/apps/agents-server/src/utils/serverRegistry.ts

@@ -241,7 +241,11 @@ export function createServerPublicUrl(domain: string): URL {
     }
 
     const protocol =
-        normalizedDomain.startsWith('localhost') || normalizedDomain.startsWith('127.0.0.1') ? 'http' : 'https';
+        normalizedDomain.startsWith('localhost') ||
+        normalizedDomain.startsWith('127.0.0.1') ||
+        isIpAddressHost(normalizedDomain)
+            ? 'http'
+            : 'https';
     return new URL(`${protocol}://${normalizedDomain}`);
 }
 
@@ -435,6 +439,21 @@ function hasHttpProtocol(value: string): boolean {
     return value.startsWith('http://') || value.startsWith('https://');
 }
 
+/**
+ * Checks whether a normalized host is a raw IPv4 or IPv6 address.
+ *
+ * @param host - Normalized host or host with port.
+ * @returns `true` for raw IP hosts.
+ */
+function isIpAddressHost(host: string): boolean {
+    const hostname = host
+        .trim()
+        .replace(/^\[(.+)\](?::\d+)?$/u, '$1')
+        .replace(/:\d+$/u, '');
+
+    return /^\d{1,3}(?:\.\d{1,3}){3}$/u.test(hostname) || hostname.includes(':');
+}
+
 /**
  * Checks whether a port is implicit for the given protocol and can be omitted.
  *

package/apps/agents-server/src/utils/session.ts

@@ -1,5 +1,5 @@
 import { createHmac } from 'crypto';
-import { cookies } from 'next/headers';
+import { cookies, headers } from 'next/headers';
 import { cache } from 'react';
 
 /**
@@ -30,6 +30,36 @@ export type SessionUser = {
     readonly isGlobalAdmin?: boolean;
 };
 
+/**
+ * Request details used to decide whether the auth cookie may require HTTPS.
+ */
+export type SessionCookieSecurityContext = {
+    /**
+     * Current deployment mode.
+     */
+    readonly isProduction: boolean;
+    /**
+     * Raw `Host` header.
+     */
+    readonly host: string | null;
+    /**
+     * Raw forwarded host header emitted by the reverse proxy.
+     */
+    readonly forwardedHost: string | null;
+    /**
+     * Raw forwarded protocol header emitted by the reverse proxy.
+     */
+    readonly forwardedProto: string | null;
+    /**
+     * Comma-separated configured domain list from `SERVERS`.
+     */
+    readonly configuredServers: string | null | undefined;
+    /**
+     * Known standalone VPS public IP address.
+     */
+    readonly publicIpAddress: string | null | undefined;
+};
+
 /**
  * Signs a session payload and serializes it into the cookie token format.
  *
@@ -77,6 +107,42 @@ export function parseSessionToken(token: string | null | undefined): SessionUser
     }
 }
 
+/**
+ * Decides whether the session cookie should keep the `Secure` flag for the current request.
+ *
+ * This keeps production-domain logins protected by HTTPS while allowing the standalone
+ * VPS bootstrap flow to authenticate over `http://<IP_ADDRESS>` before any domain exists.
+ *
+ * @param context - Request and deployment details used for the decision.
+ * @returns `true` when the cookie should require HTTPS.
+ */
+export function shouldUseSecureSessionCookieForRequest(context: SessionCookieSecurityContext): boolean {
+    if (!context.isProduction) {
+        return false;
+    }
+
+    if (parseConfiguredServers(context.configuredServers).length > 0) {
+        return true;
+    }
+
+    const requestHost = normalizeHost(context.forwardedHost ?? context.host);
+    if (!requestHost || !isIpAddressHost(requestHost)) {
+        return true;
+    }
+
+    const forwardedProtocol = (context.forwardedProto || '').split(',')[0]?.trim().toLowerCase() || '';
+    if (forwardedProtocol === 'https') {
+        return true;
+    }
+
+    const configuredPublicIpAddress = normalizeHost(context.publicIpAddress || '');
+    if (configuredPublicIpAddress && requestHost !== configuredPublicIpAddress) {
+        return true;
+    }
+
+    return false;
+}
+
 /**
  * Persists the provided session payload into the signed session cookie.
  *
@@ -84,10 +150,11 @@ export function parseSessionToken(token: string | null | undefined): SessionUser
  */
 export async function setSession(user: SessionUser) {
     const token = serializeSessionToken(user);
+    const secure = await shouldUseSecureSessionCookie();
 
     (await cookies()).set(SESSION_COOKIE_NAME, token, {
         httpOnly: true,
-        secure: process.env.NODE_ENV === 'production',
+        secure,
         path: '/',
         maxAge: 60 * 60 * 24 * 365 * 2, // 2 years
     });
@@ -120,3 +187,57 @@ const getCachedSession = cache(async (): Promise<SessionUser | null> => {
 export async function getSession(): Promise<SessionUser | null> {
     return getCachedSession();
 }
+
+/**
+ * Resolves the runtime cookie security decision from the current request headers.
+ *
+ * @returns `true` when the session cookie should keep the `Secure` flag.
+ */
+async function shouldUseSecureSessionCookie(): Promise<boolean> {
+    const headerStore = await headers();
+
+    return shouldUseSecureSessionCookieForRequest({
+        isProduction: process.env.NODE_ENV === 'production',
+        host: headerStore.get('host'),
+        forwardedHost: headerStore.get('x-forwarded-host'),
+        forwardedProto: headerStore.get('x-forwarded-proto'),
+        configuredServers: process.env.SERVERS,
+        publicIpAddress: process.env.PTBK_PUBLIC_IP_ADDRESS,
+    });
+}
+
+/**
+ * Parses the configured `SERVERS` CSV into non-empty entries.
+ *
+ * @param configuredServers - Raw environment value.
+ * @returns Normalized list of configured domains.
+ */
+function parseConfiguredServers(configuredServers: string | null | undefined): Array<string> {
+    return (configuredServers || '')
+        .split(',')
+        .map((server) => server.trim())
+        .filter(Boolean);
+}
+
+/**
+ * Checks whether a host string points to a raw IPv4 or IPv6 address.
+ *
+ * @param host - Host header or hostname.
+ * @returns `true` when the host is a raw IP address.
+ */
+function isIpAddressHost(host: string): boolean {
+    return /^\d{1,3}(?:\.\d{1,3}){3}$/u.test(host) || host.includes(':');
+}
+
+/**
+ * Removes ports and IPv6 brackets from host-like strings.
+ *
+ * @param host - Raw host header value.
+ * @returns Normalized bare hostname or IP address.
+ */
+function normalizeHost(host: string | null | undefined): string {
+    return (host || '')
+        .trim()
+        .replace(/^\[(.+)\](?::\d+)?$/u, '$1')
+        .replace(/:\d+$/u, '');
+}