@sulala/agent-os 0.1.15 → 0.1.18

package/dist/index.js

@@ -43,14 +43,18 @@ __export(exports_config, {
   getSkillsDir: () => getSkillsDir,
   getSkillConfigPath: () => getSkillConfigPath,
   getSeedSkillsDir: () => getSeedSkillsDir,
+  getDashboardSecretFromConfig: () => getDashboardSecretFromConfig,
+  getDashboardSecret: () => getDashboardSecret,
   getConfigsDir: () => getConfigsDir,
   getConfigPath: () => getConfigPath,
   getAgentOsHome: () => getAgentOsHome,
+  generateDashboardSecret: () => generateDashboardSecret,
   ensureWorkspace: () => ensureWorkspace
 });
 import { readFile, writeFile, mkdir } from "fs/promises";
 import { existsSync } from "fs";
 import { join, resolve, relative } from "path";
+import { randomBytes } from "crypto";
 function getAgentOsHome() {
   return process.env.AGENT_OS_HOME || DEFAULT_HOME;
 }
@@ -84,6 +88,7 @@ async function readConfig() {
       const viber_default_agent_id = o.viber_default_agent_id;
       const onboarding_completed = o.onboarding_completed;
       const skills_registry_url = o.skills_registry_url;
+      const dashboard_secret = o.dashboard_secret;
       return {
         provider: provider === "openrouter" || provider === "openai" ? provider : undefined,
         api_key: typeof api_key === "string" ? api_key : undefined,
@@ -104,7 +109,8 @@ async function readConfig() {
         viber_auth_token: typeof viber_auth_token === "string" ? viber_auth_token : undefined,
         viber_default_agent_id: typeof viber_default_agent_id === "string" ? viber_default_agent_id : undefined,
         onboarding_completed: onboarding_completed === true ? true : undefined,
-        skills_registry_url: typeof skills_registry_url === "string" ? skills_registry_url.trim() || undefined : undefined
+        skills_registry_url: typeof skills_registry_url === "string" ? skills_registry_url.trim() || undefined : undefined,
+        dashboard_secret: typeof dashboard_secret === "string" ? dashboard_secret.trim() || undefined : undefined
       };
     }
   } catch (err) {
@@ -136,7 +142,8 @@ async function writeConfig(updates) {
     viber_auth_token: updates.viber_auth_token !== undefined ? updates.viber_auth_token : current.viber_auth_token,
     viber_default_agent_id: updates.viber_default_agent_id !== undefined ? updates.viber_default_agent_id : current.viber_default_agent_id,
     onboarding_completed: updates.onboarding_completed !== undefined ? updates.onboarding_completed : current.onboarding_completed,
-    skills_registry_url: updates.skills_registry_url !== undefined ? updates.skills_registry_url : current.skills_registry_url
+    skills_registry_url: updates.skills_registry_url !== undefined ? updates.skills_registry_url : current.skills_registry_url,
+    dashboard_secret: updates.dashboard_secret !== undefined ? updates.dashboard_secret : current.dashboard_secret
   };
   const home = getAgentOsHome();
   const path = getConfigPath();
@@ -161,7 +168,8 @@ async function writeConfig(updates) {
     viber_auth_token: merged.viber_auth_token ?? null,
     viber_default_agent_id: merged.viber_default_agent_id ?? null,
     onboarding_completed: merged.onboarding_completed ?? null,
-    skills_registry_url: merged.skills_registry_url ?? null
+    skills_registry_url: merged.skills_registry_url ?? null,
+    dashboard_secret: merged.dashboard_secret ?? null
   }, null, 2), "utf-8");
 }
 async function getSkillsRegistryUrl() {
@@ -174,6 +182,25 @@ async function getSkillsRegistryUrl() {
     return fromConfig;
   return DEFAULT_SKILLS_REGISTRY_URL;
 }
+function generateDashboardSecret() {
+  return randomBytes(32).toString("base64url");
+}
+async function getDashboardSecret() {
+  const env = process.env.DASHBOARD_SECRET?.trim();
+  if (env)
+    return env;
+  let config = await readConfig();
+  let secret = config.dashboard_secret?.trim();
+  if (secret)
+    return secret;
+  secret = generateDashboardSecret();
+  await writeConfig({ dashboard_secret: secret });
+  return secret;
+}
+async function getDashboardSecretFromConfig() {
+  const config = await readConfig();
+  return config.dashboard_secret?.trim() || undefined;
+}
 function getConfigsDir() {
   return join(getAgentOsHome(), "configs");
 }
@@ -11069,7 +11096,7 @@ function errorMessage(err) {
 var CORS_HEADERS = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "GET,POST,PUT,PATCH,DELETE,OPTIONS",
-  "Access-Control-Allow-Headers": "Content-Type"
+  "Access-Control-Allow-Headers": "Content-Type, Authorization"
 };
 function jsonResponse(data, status = 200) {
   return Response.json(data, {
@@ -15505,6 +15532,63 @@ var DASHBOARD_DIST = (() => {
   return b;
 })();
 var HOST = process.env.HOST ?? "127.0.0.1";
+function isAuthExempt(pathname, method) {
+  if (method === "OPTIONS")
+    return true;
+  if (method === "GET" && pathname === "/health")
+    return true;
+  if (method === "POST" && pathname === "/api/channels/telegram/webhook")
+    return true;
+  if (method === "POST" && pathname === "/api/channels/slack/webhook")
+    return true;
+  if (method === "POST" && pathname === "/api/channels/discord/webhook")
+    return true;
+  if (method === "POST" && pathname === "/api/channels/signal/webhook")
+    return true;
+  if (method === "POST" && pathname === "/api/channels/viber/webhook")
+    return true;
+  return false;
+}
+function getTokenFromRequest(req) {
+  const auth = req.headers.get("Authorization");
+  if (auth?.startsWith("Bearer "))
+    return auth.slice(7).trim();
+  const url = new URL(req.url);
+  return url.searchParams.get("token")?.trim() ?? null;
+}
+function authUnauthorizedResponse() {
+  return Response.json({ error: "Unauthorized" }, { status: 401, headers: CORS_HEADERS });
+}
+function wrapWithAuth(fn, secret) {
+  if (!secret)
+    return fn;
+  return (req) => {
+    const url = new URL(req.url);
+    if (isAuthExempt(url.pathname, req.method))
+      return fn(req);
+    const token = getTokenFromRequest(req);
+    if (token !== secret)
+      return authUnauthorizedResponse();
+    return fn(req);
+  };
+}
+function wrapRouteHandlers(routes, secret) {
+  const out = {};
+  for (const [path, value] of Object.entries(routes)) {
+    if (typeof value === "function") {
+      out[path] = wrapWithAuth(value, secret);
+    } else if (value !== null && typeof value === "object" && !Array.isArray(value)) {
+      const methods = {};
+      for (const [method, handler] of Object.entries(value)) {
+        methods[method] = typeof handler === "function" ? wrapWithAuth(handler, secret) : handler;
+      }
+      out[path] = methods;
+    } else {
+      out[path] = value;
+    }
+  }
+  return out;
+}
 var EVENT_TYPES = [
   "task.created",
   "task.started",
@@ -15938,6 +16022,7 @@ async function startServer() {
   startScheduler();
   await loadPlugins();
   await seedAgentsIfEmpty();
+  const dashboardSecret = await getDashboardSecret();
   const dashboardMissing = !existsSync3(DASHBOARD_DIST) || !existsSync3(join13(DASHBOARD_DIST, "index.html"));
   if (dashboardMissing) {
     console.warn(`[sulala] Dashboard not found at ${DASHBOARD_DIST}. From package root run: cd dashboard && npm run build. If using a global install, reinstall: bun install -g @sulala/agent-os@latest`);
@@ -15946,10 +16031,16 @@ async function startServer() {
     port: PORT,
     hostname: HOST,
     idleTimeout: 120,
-    routes: createRoutes(),
+    routes: wrapRouteHandlers(createRoutes(), dashboardSecret),
     fetch(req, server2) {
       const url = new URL(req.url);
       if (req.method === "GET" && url.pathname === "/api/events") {
+        if (dashboardSecret) {
+          const token = url.searchParams.get("token")?.trim() ?? getTokenFromRequest(req);
+          if (token !== dashboardSecret) {
+            return authUnauthorizedResponse();
+          }
+        }
         if (server2.upgrade(req, { data: undefined }))
           return;
         return Response.json({ error: "Upgrade failed" }, { status: 500, headers: CORS_HEADERS });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sulala/agent-os",
-  "version": "0.1.15",
+  "version": "0.1.18",
   "publishConfig": {
     "access": "public"
   },