@shawnstack/quickforge 1.2.4 → 1.2.6

package/server/routes/lan-access.mjs

@@ -0,0 +1,201 @@
+import { sendJson, readJsonBody } from '../utils/response.mjs'
+import { getLanUrls } from '../utils/network.mjs'
+import { logger } from '../utils/logger.mjs'
+import {
+  issueLanAccessToken,
+  lanAccessCookieName,
+  readLanAccessStatus,
+  revokeLanAccessTokens,
+  updateLanAccessSettings,
+} from '../lan-access-store.mjs'
+
+const MAX_FAILED_ATTEMPTS = 5
+const ATTEMPT_WINDOW_MS = 5 * 60 * 1000
+const LOCK_MS = 5 * 60 * 1000
+const attempts = new Map()
+
+function remoteKey(req) {
+  return String(req.socket.remoteAddress || 'unknown')
+}
+
+function attemptState(req) {
+  const key = remoteKey(req)
+  const now = Date.now()
+  const state = attempts.get(key)
+  if (!state || state.resetAt <= now) {
+    const fresh = { count: 0, resetAt: now + ATTEMPT_WINDOW_MS, lockedUntil: 0 }
+    attempts.set(key, fresh)
+    return fresh
+  }
+  return state
+}
+
+function assertNotLocked(req) {
+  const state = attemptState(req)
+  if (state.lockedUntil > Date.now()) {
+    const error = new Error('Too many failed attempts. Please try again later.')
+    error.statusCode = 429
+    throw error
+  }
+}
+
+function recordFailure(req) {
+  const state = attemptState(req)
+  state.count += 1
+  if (state.count >= MAX_FAILED_ATTEMPTS) {
+    state.lockedUntil = Date.now() + LOCK_MS
+    state.count = 0
+    state.resetAt = Date.now() + ATTEMPT_WINDOW_MS
+  }
+}
+
+function clearFailures(req) {
+  attempts.delete(remoteKey(req))
+}
+
+function setLanCookie(res, token, maxAge) {
+  const cookie = [
+    `${lanAccessCookieName()}=${encodeURIComponent(token)}`,
+    'HttpOnly',
+    'SameSite=Lax',
+    `Max-Age=${Math.max(1, Number(maxAge) || 1)}`,
+    'Path=/',
+  ].join('; ')
+  res.setHeader('Set-Cookie', cookie)
+}
+
+function clearLanCookie(res) {
+  res.setHeader('Set-Cookie', `${lanAccessCookieName()}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/`)
+}
+
+function requireLocal(context) {
+  if (!context.isLocalRequest) {
+    const error = new Error('LAN access settings can only be changed from this machine.')
+    error.statusCode = 403
+    throw error
+  }
+}
+
+export function renderLanUnlockPage(res) {
+  const html = `<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>QuickForge 局域网访问</title>
+  <style>
+    :root { color-scheme: light dark; font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; }
+    body { margin: 0; min-height: 100vh; display: grid; place-items: center; background: #0f172a; color: #e5e7eb; }
+    main { width: min(420px, calc(100vw - 32px)); border: 1px solid rgba(148,163,184,.3); border-radius: 20px; padding: 28px; background: rgba(15,23,42,.92); box-shadow: 0 24px 80px rgba(0,0,0,.35); }
+    h1 { margin: 0 0 8px; font-size: 22px; }
+    p { margin: 0 0 18px; color: #94a3b8; line-height: 1.6; }
+    label { display: block; margin-bottom: 8px; font-size: 14px; font-weight: 600; }
+    input { width: 100%; box-sizing: border-box; height: 42px; border-radius: 10px; border: 1px solid #334155; background: #020617; color: #f8fafc; padding: 0 12px; font-size: 15px; }
+    button { width: 100%; height: 42px; margin-top: 14px; border: 0; border-radius: 10px; background: #2563eb; color: white; font-weight: 700; cursor: pointer; }
+    button:disabled { opacity: .6; cursor: default; }
+    .error { min-height: 20px; margin-top: 12px; color: #fca5a5; font-size: 13px; }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>QuickForge 局域网访问</h1>
+    <p>请输入本机设置中配置的局域网访问密码。</p>
+    <label for="password">访问密码</label>
+    <input id="password" type="password" autocomplete="current-password" autofocus />
+    <button id="submit" type="button">进入 QuickForge</button>
+    <div id="error" class="error" role="alert"></div>
+  </main>
+  <script>
+    const password = document.getElementById('password')
+    const button = document.getElementById('submit')
+    const error = document.getElementById('error')
+    async function unlock() {
+      error.textContent = ''
+      button.disabled = true
+      try {
+        const response = await fetch('/api/lan-access/unlock', {
+          method: 'POST',
+          headers: { 'content-type': 'application/json' },
+          body: JSON.stringify({ password: password.value })
+        })
+        const payload = await response.json().catch(() => null)
+        if (!response.ok) throw new Error(payload && payload.error ? payload.error : '密码错误')
+        window.location.reload()
+      } catch (err) {
+        error.textContent = err instanceof Error ? err.message : '密码错误'
+      } finally {
+        button.disabled = false
+      }
+    }
+    button.addEventListener('click', unlock)
+    password.addEventListener('keydown', (event) => { if (event.key === 'Enter') unlock() })
+  </script>
+</body>
+</html>`
+  res.writeHead(200, { 'content-type': 'text/html; charset=utf-8', 'cache-control': 'no-store' })
+  res.end(html)
+}
+
+export async function handleLanAccessApi(req, res, url, context = {}) {
+  const pathname = url.pathname
+
+  if (req.method === 'GET' && pathname === '/api/lan-access/status') {
+    const status = await readLanAccessStatus()
+    if (context.isLocalRequest) {
+      sendJson(res, 200, { ...status, lanUrls: getLanUrls(context.port) })
+    } else {
+      sendJson(res, 200, { enabled: status.enabled, requiresPassword: status.enabled && status.hasPassword })
+    }
+    return
+  }
+
+  if (req.method === 'PUT' && pathname === '/api/lan-access/settings') {
+    requireLocal(context)
+    const body = await readJsonBody(req)
+    const status = await updateLanAccessSettings({
+      enabled: Boolean(body?.enabled),
+      password: typeof body?.password === 'string' ? body.password : undefined,
+      sessionTtlHours: body?.sessionTtlHours,
+    })
+    logger.info('LAN access settings updated.', { enabled: status.enabled })
+    sendJson(res, 200, { ok: true, ...status, lanUrls: getLanUrls(context.port) })
+    return
+  }
+
+  if (req.method === 'POST' && pathname === '/api/lan-access/unlock') {
+    assertNotLocked(req)
+    const body = await readJsonBody(req, 1024)
+    try {
+      const result = await issueLanAccessToken(body?.password)
+      setLanCookie(res, result.token, result.maxAge)
+      clearFailures(req)
+      logger.info('LAN access unlock succeeded.', { remoteAddress: req.socket.remoteAddress })
+      sendJson(res, 200, { ok: true, expiresAt: result.expiresAt })
+    } catch (error) {
+      if (error?.statusCode === 401) {
+        recordFailure(req)
+        logger.warn('LAN access unlock failed.', { remoteAddress: req.socket.remoteAddress })
+      }
+      throw error
+    }
+    return
+  }
+
+  if (req.method === 'POST' && pathname === '/api/lan-access/logout') {
+    clearLanCookie(res)
+    sendJson(res, 200, { ok: true })
+    return
+  }
+
+  if (req.method === 'POST' && pathname === '/api/lan-access/revoke-all') {
+    requireLocal(context)
+    const status = await revokeLanAccessTokens()
+    logger.info('LAN access tokens revoked.')
+    sendJson(res, 200, { ok: true, ...status })
+    return
+  }
+
+  const error = new Error('Not found')
+  error.statusCode = 404
+  throw error
+}

package/server/share-store.mjs

@@ -1,12 +1,9 @@
-import { createHash, randomBytes, scrypt as scryptCallback, timingSafeEqual } from 'node:crypto'
+import { randomBytes } from 'node:crypto'
 import { promises as fs } from 'node:fs'
 import path from 'node:path'
-import { promisify } from 'node:util'
 import { ensureStorage, storageDir } from './storage.mjs'
-
-const scrypt = promisify(scryptCallback)
+import { hashPassword, safeHashEqual, sha256Base64Url, verifyPassword } from './utils/password-auth.mjs'
 const SHARE_ID_PREFIX = 'qfs_'
-const PASSWORD_VERSION = 1
 const SHARE_TOKEN_MAX_AGE_MS = 7 * 24 * 60 * 60 * 1000
 const MAX_SHARE_TOKENS = 50
 const SHARES_DIR = path.join(storageDir, 'shares')
@@ -98,32 +95,21 @@ export function generateSharePassword() {
   return `${randomToken(4).slice(0, 6).toUpperCase()}-${randomToken(4).slice(0, 6).toUpperCase()}`
 }
 
-export async function hashSharePassword(password, salt = randomToken(16)) {
+export async function hashSharePassword(password, salt) {
   if (password === undefined || password === null || typeof password !== 'string') return {}
   if (!password) return { passwordHash: undefined, passwordSalt: undefined, passwordVersion: undefined }
-
-  const derived = await scrypt(password, salt, 32)
-  return {
-    passwordHash: derived.toString('base64url'),
-    passwordSalt: salt,
-    passwordVersion: PASSWORD_VERSION,
-  }
+  return hashPassword(password, salt)
 }
 
 export async function verifySharePassword(record, password) {
   if (!record?.passwordHash || !record?.passwordSalt) return !password
-  if (!password) return false
-  const { passwordHash } = await hashSharePassword(password, record.passwordSalt)
-  const expected = Buffer.from(record.passwordHash, 'base64url')
-  const actual = Buffer.from(passwordHash, 'base64url')
-  if (expected.length !== actual.length) return false
-  return timingSafeEqual(expected, actual)
+  return verifyPassword(record, password)
 }
 
 export function createShareToken(shareId) {
   assertSafeShareId(shareId)
   const secret = randomToken(32)
-  const secretHash = createHash('sha256').update(secret).digest('base64url')
+  const secretHash = sha256Base64Url(secret)
   return {
     token: `${shareId}.${secret}`,
     tokenHash: secretHash,
@@ -140,19 +126,11 @@ function pruneShareTokens(tokens, now = Date.now()) {
     .slice(-MAX_SHARE_TOKENS)
 }
 
-function safeHashEqual(expectedHash, actualHash) {
-  if (!expectedHash || !actualHash) return false
-  const expected = Buffer.from(expectedHash)
-  const actual = Buffer.from(actualHash)
-  if (expected.length !== actual.length) return false
-  return timingSafeEqual(expected, actual)
-}
-
 export function verifyShareToken(record, token) {
   if (!record || !token || typeof token !== 'string') return false
   const [tokenShareId, secret] = token.split('.')
   if (tokenShareId !== record.id || !secret) return false
-  const actualHash = createHash('sha256').update(secret).digest('base64url')
+  const actualHash = sha256Base64Url(secret)
   const authVersion = record.authVersion || 1
   const tokenRecords = pruneShareTokens(record.tokens)
 

package/server/system-prompt.mjs

@@ -6,6 +6,8 @@ For project tasks:
 - Prefer dedicated workspace tools for reading, editing, and searching files.
 - If dedicated tools are unavailable or insufficient, use the shell/command tool.
 - Use Python through the shell for reliable scripting, data processing, or file transformations.
+- When falling back to shell for file edits, do not create temporary helper scripts such as modify.py, patch.py, edit.js, or update.sh. Use inline shell commands only, such as python -c, python - <<'PY', node -e, sed, awk, cat > target <<'EOF', or git apply <<'PATCH'. Never write a helper script to disk just to execute it for code modification.
+- If a file edit tool fails, re-read the relevant file context and retry the dedicated edit tool when practical before using shell fallback.
 - Stay within the current workspace unless the user explicitly asks otherwise.
 - Verify changes with relevant tests, build, lint, or targeted checks.
 - If no suitable tool is available, say so clearly.`

package/server/tools/index.mjs

@@ -304,7 +304,22 @@ export async function toolReadSkillResource(params, context) {
 }
 
 // --- run_command ---
-export async function toolRunCommand(params, context) {
+function formatCommandOutput(command, stdout, stderr, meta = {}) {
+  return [
+    `Command: ${command}`,
+    meta.running
+      ? 'Status: running'
+      : `Exit code: ${meta.code ?? 'unknown'}${meta.signal ? `, signal: ${meta.signal}` : ''}${meta.timedOut ? ' (timed out)' : ''}`,
+    '',
+    'STDOUT:',
+    stdout || '(empty)',
+    '',
+    'STDERR:',
+    stderr || '(empty)',
+  ].join('\n')
+}
+
+export async function toolRunCommand(params, context, runtime = {}) {
   const command = String(params?.command || '')
   if (!command.trim()) {
     const error = new Error('command is required')
@@ -315,8 +330,9 @@ export async function toolRunCommand(params, context) {
   const timeoutMs = Math.min(10 * 60, Math.max(1, Number(params?.timeoutSeconds || 60))) * 1000
 
   return new Promise((resolve) => {
+    const cwd = getToolWorkspaceRoot(context)
     const child = spawn(command, {
-      cwd: getToolWorkspaceRoot(context),
+      cwd,
       shell: true,
       stdio: ['ignore', 'pipe', 'pipe'],
       windowsHide: true,
@@ -325,6 +341,21 @@ export async function toolRunCommand(params, context) {
     let stdout = ''
     let stderr = ''
     let timedOut = false
+    let updateTimer = null
+    let updatePending = false
+    const emitUpdate = () => {
+      updateTimer = null
+      if (!updatePending) return
+      updatePending = false
+      runtime.onUpdate?.({
+        content: [{ type: 'text', text: truncateText(formatCommandOutput(command, stdout, stderr, { running: true })) }],
+        details: { command, project: context?.project, cwd, running: true, stdout, stderr },
+      })
+    }
+    const scheduleUpdate = () => {
+      updatePending = true
+      if (!updateTimer) updateTimer = setTimeout(emitUpdate, 150)
+    }
     const timer = setTimeout(() => {
       timedOut = true
       child.kill('SIGTERM')
@@ -332,26 +363,21 @@ export async function toolRunCommand(params, context) {
 
     child.stdout.on('data', (chunk) => {
       stdout = truncateText(stdout + chunk.toString())
+      scheduleUpdate()
     })
     child.stderr.on('data', (chunk) => {
       stderr = truncateText(stderr + chunk.toString())
+      scheduleUpdate()
     })
     child.on('close', (code, signal) => {
       clearTimeout(timer)
-      const content = [
-        `Command: ${command}`,
-        `Exit code: ${code ?? 'unknown'}${signal ? `, signal: ${signal}` : ''}${timedOut ? ' (timed out)' : ''}`,
-        '',
-        'STDOUT:',
-        stdout || '(empty)',
-        '',
-        'STDERR:',
-        stderr || '(empty)',
-      ].join('\n')
-      resolve({ content: truncateText(content), details: { command, project: context?.project, cwd: getToolWorkspaceRoot(context), code, signal, timedOut } })
+      if (updateTimer) clearTimeout(updateTimer)
+      const content = formatCommandOutput(command, stdout, stderr, { code, signal, timedOut })
+      resolve({ content: truncateText(content), details: { command, project: context?.project, cwd, code, signal, timedOut } })
     })
     child.on('error', (err) => {
       clearTimeout(timer)
+      if (updateTimer) clearTimeout(updateTimer)
       resolve({
         isError: true,
         content: truncateText(`Error running command: ${err.message}`),

package/server/utils/password-auth.mjs

@@ -0,0 +1,44 @@
+import { createHash, randomBytes, scrypt as scryptCallback, timingSafeEqual } from 'node:crypto'
+import { promisify } from 'node:util'
+
+const scrypt = promisify(scryptCallback)
+const PASSWORD_VERSION = 1
+
+function randomToken(bytes = 24) {
+  return randomBytes(bytes).toString('base64url')
+}
+
+export function createRandomToken(bytes = 24) {
+  return randomToken(bytes)
+}
+
+export async function hashPassword(password, salt = randomToken(16)) {
+  if (typeof password !== 'string' || !password) return {}
+  const derived = await scrypt(password, salt, 32)
+  return {
+    passwordHash: derived.toString('base64url'),
+    passwordSalt: salt,
+    passwordVersion: PASSWORD_VERSION,
+  }
+}
+
+export async function verifyPassword(record, password) {
+  if (!record?.passwordHash || !record?.passwordSalt || typeof password !== 'string' || !password) return false
+  const { passwordHash } = await hashPassword(password, record.passwordSalt)
+  const expected = Buffer.from(record.passwordHash, 'base64url')
+  const actual = Buffer.from(passwordHash, 'base64url')
+  if (expected.length !== actual.length) return false
+  return timingSafeEqual(expected, actual)
+}
+
+export function sha256Base64Url(value) {
+  return createHash('sha256').update(String(value)).digest('base64url')
+}
+
+export function safeHashEqual(expectedHash, actualHash) {
+  if (!expectedHash || !actualHash) return false
+  const expected = Buffer.from(expectedHash)
+  const actual = Buffer.from(actualHash)
+  if (expected.length !== actual.length) return false
+  return timingSafeEqual(expected, actual)
+}