@thevinci/web 1.0.0

package/server/lib/notifications/push-runtime.js

@@ -0,0 +1,304 @@
+const PUSH_SUBSCRIPTIONS_VERSION = 1;
+
+const isLoopbackHttpOrigin = (value) => {
+  if (typeof value !== 'string') {
+    return false;
+  }
+
+  return value.startsWith('http://localhost')
+    || value.startsWith('http://127.0.0.1')
+    || value.startsWith('http://[::1]');
+};
+
+export const createPushRuntime = (deps) => {
+  const {
+    fsPromises,
+    path,
+    webPush,
+    PUSH_SUBSCRIPTIONS_FILE_PATH,
+    readSettingsFromDiskMigrated,
+    writeSettingsToDisk,
+  } = deps;
+
+  let persistPushSubscriptionsLock = Promise.resolve();
+  let pushInitialized = false;
+
+  const uiVisibilityByToken = new Map();
+  let globalVisibilityState = false;
+
+  const readPushSubscriptionsFromDisk = async () => {
+    try {
+      const raw = await fsPromises.readFile(PUSH_SUBSCRIPTIONS_FILE_PATH, 'utf8');
+      const parsed = JSON.parse(raw);
+      if (!parsed || typeof parsed !== 'object') {
+        return { version: PUSH_SUBSCRIPTIONS_VERSION, subscriptionsBySession: {} };
+      }
+      if (typeof parsed.version !== 'number' || parsed.version !== PUSH_SUBSCRIPTIONS_VERSION) {
+        return { version: PUSH_SUBSCRIPTIONS_VERSION, subscriptionsBySession: {} };
+      }
+
+      const subscriptionsBySession =
+        parsed.subscriptionsBySession && typeof parsed.subscriptionsBySession === 'object'
+          ? parsed.subscriptionsBySession
+          : {};
+
+      return { version: PUSH_SUBSCRIPTIONS_VERSION, subscriptionsBySession };
+    } catch (error) {
+      if (error && typeof error === 'object' && error.code === 'ENOENT') {
+        return { version: PUSH_SUBSCRIPTIONS_VERSION, subscriptionsBySession: {} };
+      }
+      console.warn('Failed to read push subscriptions file:', error);
+      return { version: PUSH_SUBSCRIPTIONS_VERSION, subscriptionsBySession: {} };
+    }
+  };
+
+  const writePushSubscriptionsToDisk = async (data) => {
+    await fsPromises.mkdir(path.dirname(PUSH_SUBSCRIPTIONS_FILE_PATH), { recursive: true });
+    await fsPromises.writeFile(PUSH_SUBSCRIPTIONS_FILE_PATH, JSON.stringify(data, null, 2), 'utf8');
+  };
+
+  const persistPushSubscriptionUpdate = async (mutate) => {
+    persistPushSubscriptionsLock = persistPushSubscriptionsLock.then(async () => {
+      await fsPromises.mkdir(path.dirname(PUSH_SUBSCRIPTIONS_FILE_PATH), { recursive: true });
+      const current = await readPushSubscriptionsFromDisk();
+      const next = mutate({
+        version: PUSH_SUBSCRIPTIONS_VERSION,
+        subscriptionsBySession: current.subscriptionsBySession || {},
+      });
+      await writePushSubscriptionsToDisk(next);
+      return next;
+    });
+
+    return persistPushSubscriptionsLock;
+  };
+
+  const getOrCreateVapidKeys = async () => {
+    const settings = await readSettingsFromDiskMigrated();
+    const existing = settings?.vapidKeys;
+    if (existing && typeof existing.publicKey === 'string' && typeof existing.privateKey === 'string') {
+      return { publicKey: existing.publicKey, privateKey: existing.privateKey };
+    }
+
+    const generated = webPush.generateVAPIDKeys();
+    const next = {
+      ...settings,
+      vapidKeys: {
+        publicKey: generated.publicKey,
+        privateKey: generated.privateKey,
+      },
+    };
+
+    await writeSettingsToDisk(next);
+    return { publicKey: generated.publicKey, privateKey: generated.privateKey };
+  };
+
+  const normalizePushSubscriptions = (record) => {
+    if (!Array.isArray(record)) return [];
+    return record
+      .map((entry) => {
+        if (!entry || typeof entry !== 'object') return null;
+        const endpoint = entry.endpoint;
+        const p256dh = entry.p256dh;
+        const auth = entry.auth;
+        if (typeof endpoint !== 'string' || typeof p256dh !== 'string' || typeof auth !== 'string') {
+          return null;
+        }
+        return {
+          endpoint,
+          p256dh,
+          auth,
+          createdAt: typeof entry.createdAt === 'number' ? entry.createdAt : null,
+        };
+      })
+      .filter(Boolean);
+  };
+
+  const addOrUpdatePushSubscription = async (uiSessionToken, subscription, userAgent) => {
+    if (!uiSessionToken) {
+      return;
+    }
+
+    await ensurePushInitialized();
+
+    const now = Date.now();
+
+    await persistPushSubscriptionUpdate((current) => {
+      const subsBySession = { ...(current.subscriptionsBySession || {}) };
+      const existing = Array.isArray(subsBySession[uiSessionToken]) ? subsBySession[uiSessionToken] : [];
+
+      const filtered = existing.filter((entry) => entry && typeof entry.endpoint === 'string' && entry.endpoint !== subscription.endpoint);
+
+      filtered.unshift({
+        endpoint: subscription.endpoint,
+        p256dh: subscription.p256dh,
+        auth: subscription.auth,
+        createdAt: now,
+        lastSeenAt: now,
+        userAgent: typeof userAgent === 'string' && userAgent.length > 0 ? userAgent : undefined,
+      });
+
+      subsBySession[uiSessionToken] = filtered.slice(0, 10);
+
+      return { version: PUSH_SUBSCRIPTIONS_VERSION, subscriptionsBySession: subsBySession };
+    });
+  };
+
+  const removePushSubscription = async (uiSessionToken, endpoint) => {
+    if (!uiSessionToken || !endpoint) return;
+
+    await ensurePushInitialized();
+
+    await persistPushSubscriptionUpdate((current) => {
+      const subsBySession = { ...(current.subscriptionsBySession || {}) };
+      const existing = Array.isArray(subsBySession[uiSessionToken]) ? subsBySession[uiSessionToken] : [];
+      const filtered = existing.filter((entry) => entry && typeof entry.endpoint === 'string' && entry.endpoint !== endpoint);
+      if (filtered.length === 0) {
+        delete subsBySession[uiSessionToken];
+      } else {
+        subsBySession[uiSessionToken] = filtered;
+      }
+      return { version: PUSH_SUBSCRIPTIONS_VERSION, subscriptionsBySession: subsBySession };
+    });
+  };
+
+  const removePushSubscriptionFromAllSessions = async (endpoint) => {
+    if (!endpoint) return;
+
+    await ensurePushInitialized();
+
+    await persistPushSubscriptionUpdate((current) => {
+      const subsBySession = { ...(current.subscriptionsBySession || {}) };
+      for (const [token, entries] of Object.entries(subsBySession)) {
+        if (!Array.isArray(entries)) continue;
+        const filtered = entries.filter((entry) => entry && typeof entry.endpoint === 'string' && entry.endpoint !== endpoint);
+        if (filtered.length === 0) {
+          delete subsBySession[token];
+        } else {
+          subsBySession[token] = filtered;
+        }
+      }
+      return { version: PUSH_SUBSCRIPTIONS_VERSION, subscriptionsBySession: subsBySession };
+    });
+  };
+
+  const sendPushToSubscription = async (sub, payload) => {
+    await ensurePushInitialized();
+    const body = JSON.stringify(payload);
+
+    const pushSubscription = {
+      endpoint: sub.endpoint,
+      keys: {
+        p256dh: sub.p256dh,
+        auth: sub.auth,
+      },
+    };
+
+    try {
+      await webPush.sendNotification(pushSubscription, body);
+    } catch (error) {
+      const statusCode = typeof error?.statusCode === 'number' ? error.statusCode : null;
+      if (statusCode === 410 || statusCode === 404) {
+        await removePushSubscriptionFromAllSessions(sub.endpoint);
+        return;
+      }
+      console.warn('[Push] Failed to send notification:', error);
+    }
+  };
+
+  const sendPushToAllUiSessions = async (payload, options = {}) => {
+    const requireNoSse = options.requireNoSse === true;
+    const store = await readPushSubscriptionsFromDisk();
+    const sessions = store.subscriptionsBySession || {};
+    const subscriptionsByEndpoint = new Map();
+
+    for (const record of Object.values(sessions)) {
+      const subscriptions = normalizePushSubscriptions(record);
+      if (subscriptions.length === 0) continue;
+
+      for (const sub of subscriptions) {
+        if (!subscriptionsByEndpoint.has(sub.endpoint)) {
+          subscriptionsByEndpoint.set(sub.endpoint, sub);
+        }
+      }
+    }
+
+    await Promise.all(Array.from(subscriptionsByEndpoint.values()).map(async (sub) => {
+      if (requireNoSse && isAnyUiVisible()) {
+        return;
+      }
+      await sendPushToSubscription(sub, payload);
+    }));
+  };
+
+  const updateUiVisibility = (token, visible) => {
+    if (!token) return;
+    const now = Date.now();
+    const nextVisible = Boolean(visible);
+    uiVisibilityByToken.set(token, { visible: nextVisible, updatedAt: now });
+    globalVisibilityState = nextVisible;
+  };
+
+  const isAnyUiVisible = () => globalVisibilityState === true;
+
+  const isUiVisible = (token) => uiVisibilityByToken.get(token)?.visible === true;
+
+  const resolveVapidSubject = async () => {
+    const configured = process.env.VINCI_VAPID_SUBJECT;
+    if (typeof configured === 'string' && configured.trim().length > 0) {
+      return configured.trim();
+    }
+
+    const originEnv = process.env.VINCI_PUBLIC_ORIGIN;
+    if (typeof originEnv === 'string' && originEnv.trim().length > 0) {
+      const trimmed = originEnv.trim();
+      if (isLoopbackHttpOrigin(trimmed)) {
+        return 'mailto:vinci@localhost';
+      }
+      return trimmed;
+    }
+
+    try {
+      const settings = await readSettingsFromDiskMigrated();
+      const stored = settings?.publicOrigin;
+      if (typeof stored === 'string' && stored.trim().length > 0) {
+        const trimmed = stored.trim();
+        if (isLoopbackHttpOrigin(trimmed)) {
+          return 'mailto:vinci@localhost';
+        }
+        return trimmed;
+      }
+    } catch {
+    }
+
+    return 'mailto:vinci@localhost';
+  };
+
+  const ensurePushInitialized = async () => {
+    if (pushInitialized) return;
+    const keys = await getOrCreateVapidKeys();
+    const subject = await resolveVapidSubject();
+
+    if (subject === 'mailto:vinci@localhost') {
+      console.warn('[Push] No public origin configured for VAPID; set VINCI_VAPID_SUBJECT or enable push once from a real origin.');
+    }
+
+    webPush.setVapidDetails(subject, keys.publicKey, keys.privateKey);
+    pushInitialized = true;
+  };
+
+  const setPushInitialized = (value) => {
+    pushInitialized = value === true;
+  };
+
+  return {
+    getOrCreateVapidKeys,
+    addOrUpdatePushSubscription,
+    removePushSubscription,
+    sendPushToAllUiSessions,
+    updateUiVisibility,
+    isAnyUiVisible,
+    isUiVisible,
+    ensurePushInitialized,
+    setPushInitialized,
+  };
+};

package/server/lib/notifications/routes.js

@@ -0,0 +1,315 @@
+const parsePushSubscribeBody = (body) => {
+  if (!body || typeof body !== 'object') return null;
+  const endpoint = body.endpoint;
+  const keys = body.keys;
+  const p256dh = keys?.p256dh;
+  const auth = keys?.auth;
+
+  if (typeof endpoint !== 'string' || endpoint.trim().length === 0) return null;
+  if (typeof p256dh !== 'string' || p256dh.trim().length === 0) return null;
+  if (typeof auth !== 'string' || auth.trim().length === 0) return null;
+
+  return {
+    endpoint: endpoint.trim(),
+    keys: { p256dh: p256dh.trim(), auth: auth.trim() },
+  };
+};
+
+const parsePushUnsubscribeBody = (body) => {
+  if (!body || typeof body !== 'object') return null;
+  const endpoint = body.endpoint;
+  if (typeof endpoint !== 'string' || endpoint.trim().length === 0) return null;
+  return { endpoint: endpoint.trim() };
+};
+
+export const registerNotificationRoutes = (app, dependencies) => {
+  const {
+    uiAuthController,
+    ensurePushInitialized,
+    ensureGlobalWatcherStarted,
+    getOrCreateVapidKeys,
+    getUiSessionTokenFromRequest,
+    readSettingsFromDiskMigrated,
+    writeSettingsToDisk,
+    addOrUpdatePushSubscription,
+    removePushSubscription,
+    updateUiVisibility,
+    isUiVisible,
+    getUiNotificationClients,
+    writeSseEvent,
+    getSessionActivitySnapshot,
+    getSessionStateSnapshot,
+    getSessionAttentionSnapshot,
+    getSessionState,
+    getSessionAttentionState,
+    markSessionViewed,
+    markSessionUnviewed,
+    markUserMessageSent,
+    setPushInitialized,
+    setAutoAcceptSession,
+  } = dependencies;
+
+  const ensureSessionWatcher = async () => {
+    if (typeof ensureGlobalWatcherStarted !== 'function') {
+      return;
+    }
+    try {
+      await ensureGlobalWatcherStarted();
+    } catch (error) {
+      console.warn('[OpenCodeWatcher] lazy start failed:', error?.message ?? error);
+    }
+  };
+
+  app.get('/api/push/vapid-public-key', async (_req, res) => {
+    try {
+      await ensurePushInitialized();
+      const keys = await getOrCreateVapidKeys();
+      res.json({ publicKey: keys.publicKey });
+    } catch (error) {
+      console.warn('[Push] Failed to load VAPID key:', error);
+      res.status(500).json({ error: 'Failed to load push key' });
+    }
+  });
+
+  app.post('/api/push/subscribe', async (req, res) => {
+    await ensurePushInitialized();
+    await ensureSessionWatcher();
+
+    const uiToken = uiAuthController?.ensureSessionToken
+      ? await uiAuthController.ensureSessionToken(req, res)
+      : getUiSessionTokenFromRequest(req);
+    if (!uiToken) {
+      return res.status(401).json({ error: 'UI session missing' });
+    }
+
+    const parsed = parsePushSubscribeBody(req.body);
+    if (!parsed) {
+      return res.status(400).json({ error: 'Invalid body' });
+    }
+
+    const { endpoint, keys } = parsed;
+
+    const origin = typeof req.body?.origin === 'string' ? req.body.origin.trim() : '';
+    if (origin.startsWith('http://') || origin.startsWith('https://')) {
+      try {
+        const settings = await readSettingsFromDiskMigrated();
+        if (typeof settings?.publicOrigin !== 'string' || settings.publicOrigin.trim().length === 0) {
+          await writeSettingsToDisk({
+            ...settings,
+            publicOrigin: origin,
+          });
+          setPushInitialized(false);
+        }
+      } catch {
+      }
+    }
+
+    await addOrUpdatePushSubscription(
+      uiToken,
+      {
+        endpoint,
+        p256dh: keys.p256dh,
+        auth: keys.auth,
+      },
+      req.headers['user-agent']
+    );
+
+    return res.json({ ok: true });
+  });
+
+  app.delete('/api/push/subscribe', async (req, res) => {
+    await ensurePushInitialized();
+
+    const uiToken = uiAuthController?.ensureSessionToken
+      ? await uiAuthController.ensureSessionToken(req, res)
+      : getUiSessionTokenFromRequest(req);
+    if (!uiToken) {
+      return res.status(401).json({ error: 'UI session missing' });
+    }
+
+    const parsed = parsePushUnsubscribeBody(req.body);
+    if (!parsed) {
+      return res.status(400).json({ error: 'Invalid body' });
+    }
+
+    await removePushSubscription(uiToken, parsed.endpoint);
+    return res.json({ ok: true });
+  });
+
+  app.post('/api/push/visibility', async (req, res) => {
+    const uiToken = uiAuthController?.ensureSessionToken
+      ? await uiAuthController.ensureSessionToken(req, res)
+      : getUiSessionTokenFromRequest(req);
+    if (!uiToken) {
+      return res.status(401).json({ error: 'UI session missing' });
+    }
+
+    const visible = req.body && typeof req.body === 'object' ? req.body.visible : null;
+    updateUiVisibility(uiToken, visible === true);
+    return res.json({ ok: true });
+  });
+
+  app.get('/api/push/visibility', (req, res) => {
+    const uiToken = getUiSessionTokenFromRequest(req);
+    if (!uiToken) {
+      return res.status(401).json({ error: 'UI session missing' });
+    }
+
+    return res.json({
+      ok: true,
+      visible: isUiVisible(uiToken),
+    });
+  });
+
+  app.get('/api/notifications/stream', async (req, res) => {
+    const uiToken = uiAuthController?.ensureSessionToken
+      ? await uiAuthController.ensureSessionToken(req, res)
+      : getUiSessionTokenFromRequest(req);
+    if (!uiToken) {
+      return;
+    }
+
+    res.setHeader('Content-Type', 'text/event-stream; charset=utf-8');
+    res.setHeader('Cache-Control', 'no-cache, no-transform');
+    res.setHeader('Connection', 'keep-alive');
+    res.setHeader('X-Accel-Buffering', 'no');
+    res.flushHeaders?.();
+
+    const clients = getUiNotificationClients();
+    clients.add(res);
+
+    try {
+      writeSseEvent(res, {
+        type: 'vinci:notification-stream-ready',
+        properties: { uiToken },
+      });
+    } catch {
+    }
+
+    req.on('close', () => {
+      clients.delete(res);
+    });
+  });
+
+  app.get('/api/session-activity', (_req, res) => {
+    void ensureSessionWatcher();
+    res.json(getSessionActivitySnapshot());
+  });
+
+  app.get('/api/sessions/snapshot', async (_req, res) => {
+    await ensureSessionWatcher();
+    res.json({
+      statusSessions: getSessionStateSnapshot(),
+      attentionSessions: getSessionAttentionSnapshot(),
+      serverTime: Date.now(),
+    });
+  });
+
+  app.get('/api/sessions/status', async (_req, res) => {
+    await ensureSessionWatcher();
+    const snapshot = getSessionStateSnapshot();
+    res.json({
+      sessions: snapshot,
+      serverTime: Date.now(),
+    });
+  });
+
+  app.get('/api/sessions/:id/status', async (req, res) => {
+    await ensureSessionWatcher();
+    const sessionId = req.params.id;
+    const state = getSessionState(sessionId);
+
+    if (!state) {
+      return res.status(404).json({
+        error: 'Session not found or no state available',
+        sessionId,
+      });
+    }
+
+    return res.json({
+      sessionId,
+      ...state,
+    });
+  });
+
+  app.get('/api/sessions/attention', async (_req, res) => {
+    await ensureSessionWatcher();
+    const snapshot = getSessionAttentionSnapshot();
+    res.json({
+      sessions: snapshot,
+      serverTime: Date.now(),
+    });
+  });
+
+  app.get('/api/sessions/:id/attention', async (req, res) => {
+    await ensureSessionWatcher();
+    const sessionId = req.params.id;
+    const state = getSessionAttentionState(sessionId);
+
+    if (!state) {
+      return res.status(404).json({
+        error: 'Session not found or no attention state available',
+        sessionId,
+      });
+    }
+
+    return res.json({
+      sessionId,
+      ...state,
+    });
+  });
+
+  app.post('/api/sessions/:id/view', (req, res) => {
+    const sessionId = req.params.id;
+    const clientId = req.headers['x-client-id'] || req.ip || 'anonymous';
+
+    markSessionViewed(sessionId, clientId);
+
+    return res.json({
+      success: true,
+      sessionId,
+      viewed: true,
+    });
+  });
+
+  app.post('/api/sessions/:id/unview', (req, res) => {
+    const sessionId = req.params.id;
+    const clientId = req.headers['x-client-id'] || req.ip || 'anonymous';
+
+    markSessionUnviewed(sessionId, clientId);
+
+    return res.json({
+      success: true,
+      sessionId,
+      viewed: false,
+    });
+  });
+
+  app.post('/api/sessions/:id/message-sent', (req, res) => {
+    const sessionId = req.params.id;
+
+    markUserMessageSent(sessionId);
+
+    return res.json({
+      success: true,
+      sessionId,
+      messageSent: true,
+    });
+  });
+
+  // Mirror client-side Permission Auto-Accept state to the server so it can
+  // suppress permission notifications at the source (the 500ms debounce race
+  // otherwise leaks notifications for auto-accepted permissions).
+  app.post('/api/notifications/auto-accept', (req, res) => {
+    const body = req.body && typeof req.body === 'object' ? req.body : {};
+    const sessionId = typeof body.sessionId === 'string' ? body.sessionId.trim() : '';
+    const enabled = body.enabled === true;
+    if (!sessionId) {
+      return res.status(400).json({ error: 'sessionId required' });
+    }
+    if (typeof setAutoAcceptSession === 'function') {
+      setAutoAcceptSession(sessionId, enabled);
+    }
+    return res.json({ success: true, sessionId, enabled });
+  });
+};