@qnote/q-ai-note 1.0.5 → 1.0.7

package/README.md

@@ -2,6 +2,15 @@
 
 AI-assisted personal work sandbox and diary system.
 
+## Documentation
+
+Project specs and development guides are organized under `docs/`:
+
+- `docs/spec/functional-spec.md`
+- `docs/spec/design-spec.md`
+- `docs/spec/ui-spec.md`
+- `docs/process/development-guide.md`
+
 ## Install
 
 Use without global install:
@@ -23,16 +32,23 @@ q-ai-note-server
 ```bash
 q-ai-note --port 3200
 q-ai-note .
+q-ai-note --readonly
 ```
 
 Then open `http://localhost:3200`.
 
+### Command differences
+
+- `q-ai-note`: local-first, defaults `127.0.0.1:3000`
+- `q-ai-note-server`: public server, defaults `0.0.0.0:8614`
+
 ### Public server mode
 
 If you need external access, use:
 
 ```bash
 q-ai-note-server
+q-ai-note-server --readonly
 ```
 
 Defaults:
@@ -41,10 +57,35 @@ Defaults:
 
 Then open `http://<server-ip>:8614`.
 
+### Access control model
+
+The app now uses two-level configuration:
+
+- system config (`~/.q-ai-note/config.json`): model settings + `editable_ip_allowlist`
+- project config (`<data-dir>/project-config.json`): `users` / `profiles` / `bindings`
+
+Rules:
+- IP matching is exact match only (no CIDR)
+- local loopback and local NIC IPs are system-admin by default
+- system-admin IPs can access all pages and full read/write (unless global `--readonly`)
+- non-admin IPs are controlled by project profiles (page visibility + sandbox-level read/write)
+- `/api/settings` (system settings) is only accessible to system-admin IPs
+
+### Readonly mode
+
+Use `--readonly` (or env `Q_AI_NOTE_READONLY=true`) to start in readonly mode:
+
+- hide chat UI and chat buttons
+- hide settings page
+- hide add/edit/delete operations
+- reject all write API requests (`403`)
+- reject settings API (`/api/settings`) for readonly requests (`403`)
+
 ## Data and config paths
 
 - Config: `~/.q-ai-note/config.json`
 - Data dir: `~/.q-ai-note/data/`
+  - `project-config.json`
   - `sandboxes.json`
   - `work-items.json`
   - `diaries.json`

package/dist/cli.js

@@ -1,10 +1,22 @@
 #!/usr/bin/env node
 import path from 'path';
+import { basename } from 'path';
 import { startServer } from './server/index.js';
-function parseArgs(argv) {
+function resolveCliDefaults(argv0) {
+    const commandName = basename(argv0 || 'q-ai-note');
+    const isServerMode = commandName === 'q-ai-note-server';
+    return {
+        commandName,
+        defaultPort: isServerMode ? 8614 : 3000,
+        defaultHost: isServerMode ? '0.0.0.0' : '127.0.0.1',
+        localWriteOnly: false,
+    };
+}
+function parseArgs(argv, defaults) {
     const options = {
-        port: Number(process.env.PORT || 3000),
-        host: String(process.env.HOST || '127.0.0.1'),
+        port: Number(process.env.PORT || defaults.defaultPort),
+        host: String(process.env.HOST || defaults.defaultHost),
+        readonly: String(process.env.Q_AI_NOTE_READONLY || '').toLowerCase() === 'true',
         help: false,
         dataDir: undefined,
     };
@@ -33,46 +45,71 @@ function parseArgs(argv) {
             }
             continue;
         }
+        if (arg === '--readonly') {
+            options.readonly = true;
+            continue;
+        }
         if (!arg.startsWith('-') && !options.dataDir) {
             options.dataDir = path.resolve(arg);
         }
     }
     return options;
 }
-function printHelp() {
+function printHelp(defaults) {
+    const isServerMode = defaults.commandName === 'q-ai-note-server';
+    const defaultPortText = isServerMode ? '8614' : '3000 or PORT env';
+    const examples = isServerMode
+        ? [
+            '  q-ai-note-server',
+            '  q-ai-note-server --port 8614',
+            '  q-ai-note-server --host 0.0.0.0 --port 8614',
+            '  q-ai-note-server ./my-data --port 8614',
+        ]
+        : [
+            '  npx @qnote/q-ai-note',
+            '  q-ai-note .',
+            '  q-ai-note --port 3200',
+            '  q-ai-note --host 127.0.0.1 --port 3200',
+            '  q-ai-note ./my-data --port 3200',
+            '  PORT=3200 q-ai-note',
+        ];
     console.log(`
-q-ai-note
+${defaults.commandName}
 
 Usage:
-  q-ai-note [data-dir] [--port <port>] [--host <host>]
+  ${defaults.commandName} [data-dir] [--port <port>] [--host <host>] [--readonly]
 
 Options:
   data-dir      Directory for JSON data files (optional)
-  -p, --port   Set server port (default: 3000 or PORT env)
-  --host       Set listen host (default: 127.0.0.1)
+  -p, --port   Set server port (default: ${defaultPortText})
+  --host       Set listen host (default: ${defaults.defaultHost})
+  --readonly   Start in readonly mode
   -h, --help   Show this help message
 
 Examples:
-  npx @qnote/q-ai-note
-  q-ai-note .
-  q-ai-note --port 3200
-  q-ai-note --host 127.0.0.1 --port 3200
-  q-ai-note ./my-data --port 3200
-  PORT=3200 q-ai-note
+${examples.join('\n')}
 `);
 }
 function bootstrap() {
-    const options = parseArgs(process.argv.slice(2));
+    const defaults = resolveCliDefaults(process.argv[1]);
+    const options = parseArgs(process.argv.slice(2), defaults);
     if (options.help) {
-        printHelp();
+        printHelp(defaults);
         return;
     }
     if (options.dataDir) {
         process.env.Q_AI_NOTE_DATA_DIR = options.dataDir;
     }
-    startServer(options.port, options.host);
-    console.log(`q-ai-note is ready at http://localhost:${options.port}`);
+    startServer(options.port, options.host, {
+        readonly: options.readonly,
+        localWriteOnly: defaults.localWriteOnly && !options.readonly,
+    });
+    console.log(`${defaults.commandName} is ready at http://localhost:${options.port}`);
     console.log(`listen: ${options.host}:${options.port}`);
+    const modeText = options.readonly
+        ? 'readonly'
+        : 'readwrite';
+    console.log(`mode: ${modeText}`);
     if (options.dataDir) {
         console.log(`data dir: ${options.dataDir}`);
     }

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAShD,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,OAAO,GAAe;QAC1B,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC;QACtC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,WAAW,CAAC;QAC7C,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,SAAS;KACnB,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;YACpB,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC1B,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;oBACtC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;oBACpB,CAAC,IAAI,CAAC,CAAC;gBACT,CAAC;YACH,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,IAAI,IAAI,EAAE,CAAC;gBACT,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC5B,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YAC7C,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;CAmBb,CAAC,CAAC;AACH,CAAC;AAED,SAAS,SAAS;IAChB,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,SAAS,EAAE,CAAC;QACZ,OAAO;IACT,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;IACnD,CAAC;IAED,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,0CAA0C,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACtE,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACvD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC9C,CAAC;AACH,CAAC;AAED,SAAS,EAAE,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,MAAM,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAiBhD,SAAS,kBAAkB,CAAC,KAAyB;IACnD,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,IAAI,WAAW,CAAC,CAAC;IACnD,MAAM,YAAY,GAAG,WAAW,KAAK,kBAAkB,CAAC;IACxD,OAAO;QACL,WAAW;QACX,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;QACvC,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW;QACnD,cAAc,EAAE,KAAK;KACtB,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,IAAc,EAAE,QAAqB;IACtD,MAAM,OAAO,GAAe;QAC1B,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,QAAQ,CAAC,WAAW,CAAC;QACtD,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,QAAQ,CAAC,WAAW,CAAC;QACtD,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM;QAC/E,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,SAAS;KACnB,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;YACpB,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC1B,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;oBACtC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;oBACpB,CAAC,IAAI,CAAC,CAAC;gBACT,CAAC;YACH,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,IAAI,IAAI,EAAE,CAAC;gBACT,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC5B,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,YAAY,EAAE,CAAC;YACzB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;YACxB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YAC7C,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,SAAS,CAAC,QAAqB;IACtC,MAAM,YAAY,GAAG,QAAQ,CAAC,WAAW,KAAK,kBAAkB,CAAC;IACjE,MAAM,eAAe,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC;IACnE,MAAM,QAAQ,GAAG,YAAY;QAC3B,CAAC,CAAC;YACE,oBAAoB;YACpB,gCAAgC;YAChC,+CAA+C;YAC/C,0CAA0C;SAC3C;QACH,CAAC,CAAC;YACE,wBAAwB;YACxB,eAAe;YACf,yBAAyB;YACzB,0CAA0C;YAC1C,mCAAmC;YACnC,uBAAuB;SACxB,CAAC;IACN,OAAO,CAAC,GAAG,CAAC;EACZ,QAAQ,CAAC,WAAW;;;IAGlB,QAAQ,CAAC,WAAW;;;;2CAImB,eAAe;2CACf,QAAQ,CAAC,WAAW;;;;;EAK7D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;CACpB,CAAC,CAAC;AACH,CAAC;AAED,SAAS,SAAS;IAChB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAC3D,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,SAAS,CAAC,QAAQ,CAAC,CAAC;QACpB,OAAO;IACT,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;IACnD,CAAC;IAED,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE;QACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,cAAc,EAAE,QAAQ,CAAC,cAAc,IAAI,CAAC,OAAO,CAAC,QAAQ;KAC7D,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,WAAW,iCAAiC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACpF,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ;QAC/B,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,WAAW,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,SAAS,QAAQ,EAAE,CAAC,CAAC;IACjC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC9C,CAAC;AACH,CAAC;AAED,SAAS,EAAE,CAAC"}

package/dist/server/accessControl.d.ts

@@ -0,0 +1,29 @@
+import type { AccessPolicy } from './index.js';
+import { type PageKey, type SandboxAccessLevel } from './projectConfig.js';
+export interface RequestAccessContext {
+    ip: string;
+    readonly: boolean;
+    full_access: boolean;
+    can_access_system_settings: boolean;
+    page_access: Record<PageKey, boolean>;
+    sandbox_access_all: SandboxAccessLevel;
+    sandbox_read_ids: string[];
+    sandbox_write_ids: string[];
+    project_config_version: number;
+}
+export declare function invalidateAccessCache(): void;
+export declare function normalizeIpAddress(ip: string): string;
+export declare function computeAccessContext(params: {
+    ip: string;
+    policy: Required<AccessPolicy>;
+    localIpSet: Set<string>;
+}): RequestAccessContext;
+export declare function getAccessContext(params: {
+    ip: string;
+    policy: Required<AccessPolicy>;
+    localIpSet: Set<string>;
+}): RequestAccessContext;
+export declare function canReadSandbox(ctx: RequestAccessContext, sandboxId: string): boolean;
+export declare function canWriteSandbox(ctx: RequestAccessContext, sandboxId: string): boolean;
+export declare function canCreateSandbox(ctx: RequestAccessContext): boolean;
+//# sourceMappingURL=accessControl.d.ts.map

package/dist/server/accessControl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessControl.d.ts","sourceRoot":"","sources":["../../src/server/accessControl.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,OAAO,EAAqB,KAAK,OAAO,EAAsB,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAElH,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,OAAO,CAAC;IACrB,0BAA0B,EAAE,OAAO,CAAC;IACpC,WAAW,EAAE,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACtC,kBAAkB,EAAE,kBAAkB,CAAC;IACvC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,sBAAsB,EAAE,MAAM,CAAC;CAChC;AASD,wBAAgB,qBAAqB,SAEpC;AAED,wBAAgB,kBAAkB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAIrD;AA0ED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC/B,UAAU,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CACzB,GAAG,oBAAoB,CA0DvB;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE;IACvC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC/B,UAAU,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CACzB,GAAG,oBAAoB,CASvB;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,oBAAoB,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAIpF;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,oBAAoB,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAKrF;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,oBAAoB,GAAG,OAAO,CAEnE"}

package/dist/server/accessControl.js

@@ -0,0 +1,161 @@
+import { getSetting } from './config.js';
+import { readProjectConfig } from './projectConfig.js';
+let accessCache = new Map();
+export function invalidateAccessCache() {
+    accessCache = new Map();
+}
+export function normalizeIpAddress(ip) {
+    const raw = String(ip || '').trim();
+    if (!raw)
+        return '';
+    return raw.startsWith('::ffff:') ? raw.slice(7) : raw;
+}
+function normalizeIpList(values) {
+    if (!Array.isArray(values))
+        return [];
+    return values
+        .map((value) => normalizeIpAddress(String(value || '').trim()))
+        .filter((value) => Boolean(value) && !value.includes('/'));
+}
+function buildSystemEditableIps(localIps) {
+    const configured = normalizeIpList(getSetting('editable_ip_allowlist'));
+    const result = new Set(Array.from(localIps).map((ip) => normalizeIpAddress(ip)));
+    configured.forEach((ip) => result.add(ip));
+    return result;
+}
+function mergeLevel(a, b) {
+    const rank = { none: 0, read: 1, write: 2 };
+    return rank[b] > rank[a] ? b : a;
+}
+function resolveProfileContext(ip, projectConfig) {
+    const normalizedIp = normalizeIpAddress(ip);
+    const matchedUserIds = projectConfig.users
+        .filter((user) => user.ips.includes(normalizedIp))
+        .map((user) => user.id);
+    const boundProfileIds = new Set();
+    projectConfig.bindings.forEach((binding) => {
+        if (matchedUserIds.includes(binding.user_id)) {
+            binding.profile_ids.forEach((id) => boundProfileIds.add(id));
+        }
+    });
+    const selectedProfiles = projectConfig.profiles.filter((profile) => {
+        if (profile.apply_to_all_users)
+            return true;
+        return boundProfileIds.has(profile.id);
+    });
+    const pages = {
+        sandboxes: false,
+        diaries: false,
+        changes: false,
+        settings: false,
+    };
+    let sandboxAll = 'none';
+    const sandboxItemAccess = new Map();
+    selectedProfiles.forEach((profile) => {
+        pages.sandboxes = pages.sandboxes || profile.page_access.sandboxes;
+        pages.diaries = pages.diaries || profile.page_access.diaries;
+        pages.changes = pages.changes || profile.page_access.changes;
+        pages.settings = pages.settings || profile.page_access.settings;
+        sandboxAll = mergeLevel(sandboxAll, profile.sandbox_access.all);
+        profile.sandbox_access.items.forEach((item) => {
+            const prev = sandboxItemAccess.get(item.sandbox_id) || 'none';
+            sandboxItemAccess.set(item.sandbox_id, mergeLevel(prev, item.access));
+        });
+    });
+    const readSet = new Set();
+    const writeSet = new Set();
+    sandboxItemAccess.forEach((access, sandboxId) => {
+        if (access === 'read' || access === 'write')
+            readSet.add(sandboxId);
+        if (access === 'write')
+            writeSet.add(sandboxId);
+    });
+    return { pages, sandboxAll, readSet, writeSet };
+}
+export function computeAccessContext(params) {
+    const normalizedIp = normalizeIpAddress(params.ip);
+    const projectConfig = readProjectConfig();
+    const systemEditableIps = buildSystemEditableIps(params.localIpSet);
+    const canAccessSystemSettings = !params.policy.readonly && systemEditableIps.has(normalizedIp);
+    const fullAccess = canAccessSystemSettings;
+    if (params.policy.readonly) {
+        return {
+            ip: normalizedIp,
+            readonly: true,
+            full_access: false,
+            can_access_system_settings: false,
+            page_access: {
+                sandboxes: true,
+                diaries: true,
+                changes: true,
+                settings: false,
+            },
+            sandbox_access_all: 'read',
+            sandbox_read_ids: [],
+            sandbox_write_ids: [],
+            project_config_version: projectConfig.version,
+        };
+    }
+    if (fullAccess) {
+        return {
+            ip: normalizedIp,
+            readonly: false,
+            full_access: true,
+            can_access_system_settings: true,
+            page_access: {
+                sandboxes: true,
+                diaries: true,
+                changes: true,
+                settings: true,
+            },
+            sandbox_access_all: 'write',
+            sandbox_read_ids: [],
+            sandbox_write_ids: [],
+            project_config_version: projectConfig.version,
+        };
+    }
+    const profileContext = resolveProfileContext(normalizedIp, projectConfig);
+    const readonly = profileContext.sandboxAll !== 'write' && profileContext.writeSet.size === 0;
+    return {
+        ip: normalizedIp,
+        readonly,
+        full_access: false,
+        can_access_system_settings: false,
+        page_access: profileContext.pages,
+        sandbox_access_all: profileContext.sandboxAll,
+        sandbox_read_ids: Array.from(profileContext.readSet),
+        sandbox_write_ids: Array.from(profileContext.writeSet),
+        project_config_version: projectConfig.version,
+    };
+}
+export function getAccessContext(params) {
+    const normalizedIp = normalizeIpAddress(params.ip);
+    const projectVersion = readProjectConfig().version;
+    const cacheKey = `${normalizedIp}|${params.policy.readonly ? '1' : '0'}|${params.policy.localWriteOnly ? '1' : '0'}|${projectVersion}`;
+    const cached = accessCache.get(cacheKey);
+    if (cached)
+        return cached.context;
+    const context = computeAccessContext(params);
+    accessCache.set(cacheKey, { key: cacheKey, context });
+    return context;
+}
+export function canReadSandbox(ctx, sandboxId) {
+    if (ctx.full_access)
+        return true;
+    if (ctx.sandbox_access_all === 'read' || ctx.sandbox_access_all === 'write')
+        return true;
+    return ctx.sandbox_read_ids.includes(sandboxId) || ctx.sandbox_write_ids.includes(sandboxId);
+}
+export function canWriteSandbox(ctx, sandboxId) {
+    if (ctx.readonly)
+        return false;
+    if (ctx.full_access)
+        return true;
+    if (ctx.sandbox_access_all === 'write')
+        return true;
+    return ctx.sandbox_write_ids.includes(sandboxId);
+}
+export function canCreateSandbox(ctx) {
+    return !ctx.readonly && ctx.full_access;
+}
+//# sourceMappingURL=accessControl.js.map

package/dist/server/accessControl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessControl.js","sourceRoot":"","sources":["../../src/server/accessControl.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAA6D,MAAM,oBAAoB,CAAC;AAmBlH,IAAI,WAAW,GAAG,IAAI,GAAG,EAA4B,CAAC;AAEtD,MAAM,UAAU,qBAAqB;IACnC,WAAW,GAAG,IAAI,GAAG,EAA4B,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,EAAU;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACpC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,OAAO,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AACxD,CAAC;AAED,SAAS,eAAe,CAAC,MAAe;IACtC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IACtC,OAAO,MAAM;SACV,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;SAC9D,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAqB;IACnD,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,IAAI,GAAG,CAAS,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACzF,UAAU,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,UAAU,CAAC,CAAqB,EAAE,CAAqB;IAC9D,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC5C,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,qBAAqB,CAAC,EAAU,EAAE,aAA4B;IAMrE,MAAM,YAAY,GAAG,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC5C,MAAM,cAAc,GAAG,aAAa,CAAC,KAAK;SACvC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;SACjD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE1B,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QACzC,IAAI,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7C,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE;QACjE,IAAI,OAAO,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC;QAC5C,OAAO,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,MAAM,KAAK,GAA6B;QACtC,SAAS,EAAE,KAAK;QAChB,OAAO,EAAE,KAAK;QACd,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE,KAAK;KAChB,CAAC;IACF,IAAI,UAAU,GAAuB,MAAM,CAAC;IAC5C,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA8B,CAAC;IAEhE,gBAAgB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QACnC,KAAK,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC;QACnE,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC;QAC7D,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC;QAC7D,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC;QAChE,UAAU,GAAG,UAAU,CAAC,UAAU,EAAE,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAChE,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YAC5C,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC;YAC9D,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,iBAAiB,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE;QAC9C,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACpE,IAAI,MAAM,KAAK,OAAO;YAAE,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IACH,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAIpC;IACC,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACnD,MAAM,aAAa,GAAG,iBAAiB,EAAE,CAAC;IAC1C,MAAM,iBAAiB,GAAG,sBAAsB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACpE,MAAM,uBAAuB,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,IAAI,iBAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC/F,MAAM,UAAU,GAAG,uBAAuB,CAAC;IAE3C,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC3B,OAAO;YACL,EAAE,EAAE,YAAY;YAChB,QAAQ,EAAE,IAAI;YACd,WAAW,EAAE,KAAK;YAClB,0BAA0B,EAAE,KAAK;YACjC,WAAW,EAAE;gBACX,SAAS,EAAE,IAAI;gBACf,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,KAAK;aAChB;YACD,kBAAkB,EAAE,MAAM;YAC1B,gBAAgB,EAAE,EAAE;YACpB,iBAAiB,EAAE,EAAE;YACrB,sBAAsB,EAAE,aAAa,CAAC,OAAO;SAC9C,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,OAAO;YACL,EAAE,EAAE,YAAY;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,IAAI;YACjB,0BAA0B,EAAE,IAAI;YAChC,WAAW,EAAE;gBACX,SAAS,EAAE,IAAI;gBACf,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,IAAI;aACf;YACD,kBAAkB,EAAE,OAAO;YAC3B,gBAAgB,EAAE,EAAE;YACpB,iBAAiB,EAAE,EAAE;YACrB,sBAAsB,EAAE,aAAa,CAAC,OAAO;SAC9C,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,qBAAqB,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;IAC1E,MAAM,QAAQ,GAAG,cAAc,CAAC,UAAU,KAAK,OAAO,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,CAAC;IAC7F,OAAO;QACL,EAAE,EAAE,YAAY;QAChB,QAAQ;QACR,WAAW,EAAE,KAAK;QAClB,0BAA0B,EAAE,KAAK;QACjC,WAAW,EAAE,cAAc,CAAC,KAAK;QACjC,kBAAkB,EAAE,cAAc,CAAC,UAAU;QAC7C,gBAAgB,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC;QACpD,iBAAiB,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC;QACtD,sBAAsB,EAAE,aAAa,CAAC,OAAO;KAC9C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAIhC;IACC,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACnD,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAC,OAAO,CAAC;IACnD,MAAM,QAAQ,GAAG,GAAG,YAAY,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,cAAc,EAAE,CAAC;IACvI,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC;IAClC,MAAM,OAAO,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAC7C,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IACtD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAyB,EAAE,SAAiB;IACzE,IAAI,GAAG,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,GAAG,CAAC,kBAAkB,KAAK,MAAM,IAAI,GAAG,CAAC,kBAAkB,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IACzF,OAAO,GAAG,CAAC,gBAAgB,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC/F,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAyB,EAAE,SAAiB;IAC1E,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,GAAG,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,GAAG,CAAC,kBAAkB,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,GAAG,CAAC,iBAAiB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAyB;IACxD,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,WAAW,CAAC;AAC1C,CAAC"}

package/dist/server/api/accessHelpers.d.ts

@@ -0,0 +1,11 @@
+import type { Response } from 'express';
+import type { RequestAccessContext } from '../accessControl.js';
+export declare function getAccessContextFromResponse(res: Response): RequestAccessContext;
+export declare function getSandboxIdByWorkItemId(workItemId: string): string | null;
+export declare function getSandboxIdByDiaryId(diaryId: string): string | null;
+export declare function getSandboxIdByOperationId(operationId: string): string | null;
+export declare function forbid(res: Response, message?: string): Response<any, Record<string, any>>;
+export declare function ensurePageAccess(res: Response, page: 'sandboxes' | 'diaries' | 'changes' | 'settings'): boolean;
+export declare function ensureSandboxReadAccess(res: Response, sandboxId: string): boolean;
+export declare function ensureSandboxWriteAccess(res: Response, sandboxId: string): boolean;
+//# sourceMappingURL=accessHelpers.d.ts.map

package/dist/server/api/accessHelpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessHelpers.d.ts","sourceRoot":"","sources":["../../../src/server/api/accessHelpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAExC,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAGhE,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,QAAQ,GAAG,oBAAoB,CAYhF;AAED,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAG1E;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIpE;AAED,wBAAgB,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAG5E;AAED,wBAAgB,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,SAAc,sCAE1D;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,GAAG,SAAS,GAAG,SAAS,GAAG,UAAU,GAAG,OAAO,CAG/G;AAED,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAGjF;AAED,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAGlF"}

package/dist/server/api/accessHelpers.js

@@ -0,0 +1,45 @@
+import { db } from '../db.js';
+import { canReadSandbox, canWriteSandbox } from '../accessControl.js';
+export function getAccessContextFromResponse(res) {
+    return (res.locals.accessContext || {
+        readonly: true,
+        full_access: false,
+        page_access: { sandboxes: false, diaries: false, changes: false, settings: false },
+        sandbox_access_all: 'none',
+        sandbox_read_ids: [],
+        sandbox_write_ids: [],
+        can_access_system_settings: false,
+        project_config_version: 0,
+        ip: '',
+    });
+}
+export function getSandboxIdByWorkItemId(workItemId) {
+    const row = db.prepare('SELECT * FROM work_items WHERE id = ?').get(workItemId);
+    return row?.sandbox_id ? String(row.sandbox_id) : null;
+}
+export function getSandboxIdByDiaryId(diaryId) {
+    const row = db.prepare('SELECT * FROM diaries WHERE id = ?').get(diaryId);
+    if (!row)
+        return null;
+    return row.sandbox_id ? String(row.sandbox_id) : '';
+}
+export function getSandboxIdByOperationId(operationId) {
+    const row = db.prepare('SELECT * FROM operations WHERE id = ?').get(operationId);
+    return row?.sandbox_id ? String(row.sandbox_id) : null;
+}
+export function forbid(res, message = 'Forbidden') {
+    return res.status(403).json({ success: false, error: message });
+}
+export function ensurePageAccess(res, page) {
+    const access = getAccessContextFromResponse(res);
+    return access.full_access || Boolean(access.page_access?.[page]);
+}
+export function ensureSandboxReadAccess(res, sandboxId) {
+    const access = getAccessContextFromResponse(res);
+    return canReadSandbox(access, sandboxId);
+}
+export function ensureSandboxWriteAccess(res, sandboxId) {
+    const access = getAccessContextFromResponse(res);
+    return canWriteSandbox(access, sandboxId);
+}
+//# sourceMappingURL=accessHelpers.js.map

package/dist/server/api/accessHelpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessHelpers.js","sourceRoot":"","sources":["../../../src/server/api/accessHelpers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,EAAE,EAAE,MAAM,UAAU,CAAC;AAE9B,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtE,MAAM,UAAU,4BAA4B,CAAC,GAAa;IACxD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI;QAClC,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE;QAClF,kBAAkB,EAAE,MAAM;QAC1B,gBAAgB,EAAE,EAAE;QACpB,iBAAiB,EAAE,EAAE;QACrB,0BAA0B,EAAE,KAAK;QACjC,sBAAsB,EAAE,CAAC;QACzB,EAAE,EAAE,EAAE;KACP,CAAyB,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,UAAkB;IACzD,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAwC,CAAC;IACvH,OAAO,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC,GAAG,CAAC,OAAO,CAA+C,CAAC;IACxH,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,WAAmB;IAC3D,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAwC,CAAC;IACxH,OAAO,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,GAAa,EAAE,OAAO,GAAG,WAAW;IACzD,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAa,EAAE,IAAsD;IACpG,MAAM,MAAM,GAAG,4BAA4B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,GAAa,EAAE,SAAiB;IACtE,MAAM,MAAM,GAAG,4BAA4B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,cAAc,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,GAAa,EAAE,SAAiB;IACvE,MAAM,MAAM,GAAG,4BAA4B,CAAC,GAAG,CAAC,CAAC;IACjD,OAAO,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;AAC5C,CAAC"}

package/dist/server/api/chat.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"chat.d.ts","sourceRoot":"","sources":["../../../src/server/api/chat.ts"],"names":[],"mappings":"AAQA,QAAA,MAAM,MAAM,4CAAW,CAAC;AAkaxB,eAAe,MAAM,CAAC"}
+{"version":3,"file":"chat.d.ts","sourceRoot":"","sources":["../../../src/server/api/chat.ts"],"names":[],"mappings":"AASA,QAAA,MAAM,MAAM,4CAAW,CAAC;AAgcxB,eAAe,MAAM,CAAC"}

package/dist/server/api/chat.js

@@ -4,6 +4,7 @@ import { db } from '../db.js';
 import { processMessage } from '../react/agent.js';
 import { callAiText } from '../aiClient.js';
 import { supplementBatchCreateActionsByContent } from './batchRecovery.js';
+import { ensurePageAccess, ensureSandboxReadAccess, ensureSandboxWriteAccess, forbid } from './accessHelpers.js';
 const router = Router();
 function isExecuteIntent(text) {
     const normalized = text.trim().toLowerCase();
@@ -30,11 +31,17 @@ router.post('/', (_req, res) => {
 });
 router.post('/react', async (req, res) => {
     try {
+        if (!ensurePageAccess(res, 'sandboxes')) {
+            return forbid(res, 'No permission to use sandbox chat');
+        }
         const { content, sandbox_id, history, pending_action } = req.body;
         if (!content) {
             const response = { success: false, error: 'Content is required' };
             return res.status(400).json(response);
         }
+        if (!sandbox_id || !ensureSandboxWriteAccess(res, String(sandbox_id))) {
+            return forbid(res, 'No permission to write sandbox chat');
+        }
         const timestamp = now();
         const chatId = uuidv4();
         db.prepare('INSERT INTO chats (id, role, content, created_at) VALUES (?, ?, ?, ?)').run(chatId, 'user', content, timestamp);
@@ -202,11 +209,17 @@ router.post('/react', async (req, res) => {
 });
 router.post('/confirm', async (req, res) => {
     try {
+        if (!ensurePageAccess(res, 'sandboxes')) {
+            return forbid(res, 'No permission to confirm sandbox actions');
+        }
         const { sandbox_id, confirm_items } = req.body;
         if (!sandbox_id || !confirm_items || !Array.isArray(confirm_items)) {
             const response = { success: false, error: 'Invalid parameters' };
             return res.status(400).json(response);
         }
+        if (!ensureSandboxWriteAccess(res, String(sandbox_id))) {
+            return forbid(res, 'No permission to confirm sandbox actions');
+        }
         const { executeTool } = await import('../react/tools.js');
         const results = [];
         for (const item of confirm_items) {
@@ -258,11 +271,17 @@ router.post('/confirm', async (req, res) => {
 });
 router.post('/execute', async (req, res) => {
     try {
+        if (!ensurePageAccess(res, 'sandboxes')) {
+            return forbid(res, 'No permission to execute sandbox actions');
+        }
         const { sandbox_id, operations } = req.body;
         if (!sandbox_id || !operations || !Array.isArray(operations)) {
             const response = { success: false, error: 'Invalid parameters' };
             return res.status(400).json(response);
         }
+        if (!ensureSandboxWriteAccess(res, String(sandbox_id))) {
+            return forbid(res, 'No permission to execute sandbox actions');
+        }
         const timestamp = now();
         const results = [];
         for (const op of operations) {
@@ -305,7 +324,13 @@ router.post('/execute', async (req, res) => {
 });
 router.get('/sandbox/:sandboxId/insight', async (req, res) => {
     try {
+        if (!ensurePageAccess(res, 'sandboxes')) {
+            return forbid(res, 'No permission to view sandbox insight');
+        }
         const { sandboxId } = req.params;
+        if (!ensureSandboxReadAccess(res, sandboxId)) {
+            return forbid(res, 'No permission to view sandbox insight');
+        }
         const sandbox = db.prepare('SELECT id, name FROM sandboxes WHERE id = ?').get(sandboxId);
         if (!sandbox) {
             const response = { success: false, error: 'Sandbox not found' };
@@ -347,7 +372,13 @@ router.get('/sandbox/:sandboxId/insight', async (req, res) => {
 });
 router.get('/sandbox/:sandboxId', (req, res) => {
     try {
+        if (!ensurePageAccess(res, 'sandboxes')) {
+            return forbid(res, 'No permission to view sandbox chat');
+        }
         const { sandboxId } = req.params;
+        if (!ensureSandboxReadAccess(res, sandboxId)) {
+            return forbid(res, 'No permission to view sandbox chat');
+        }
         const relations = db.prepare('SELECT chat_id FROM chat_sandbox_relations WHERE sandbox_id = ?').all(sandboxId);
         const chatIds = relations.map(r => r.chat_id);
         if (chatIds.length === 0) {