@vibe80/vibe80 0.1.1

package/server/src/middleware/auth.js

@@ -0,0 +1,93 @@
+import crypto from "crypto";
+import fs from "fs";
+import path from "path";
+import jwt from "jsonwebtoken";
+
+const jwtKeyPath = process.env.JWT_KEY_PATH || "/var/lib/vibe80/jwt.key";
+const jwtIssuer = process.env.JWT_ISSUER || "vibe80";
+const jwtAudience = process.env.JWT_AUDIENCE || "workspace";
+const accessTokenTtlSeconds =
+  Number(process.env.ACCESS_TOKEN_TTL_SECONDS) || 60 * 60;
+
+const loadJwtKey = () => {
+  if (process.env.JWT_KEY) {
+    return process.env.JWT_KEY;
+  }
+  if (fs.existsSync(jwtKeyPath)) {
+    return fs.readFileSync(jwtKeyPath, "utf8").trim();
+  }
+  fs.mkdirSync(path.dirname(jwtKeyPath), { recursive: true, mode: 0o700 });
+  const key = crypto.randomBytes(32).toString("hex");
+  fs.writeFileSync(jwtKeyPath, key, { mode: 0o600 });
+  return key;
+};
+
+const jwtKey = loadJwtKey();
+
+export const createWorkspaceToken = (workspaceId) =>
+  jwt.sign({}, jwtKey, {
+    algorithm: "HS256",
+    expiresIn: `${accessTokenTtlSeconds}s`,
+    subject: workspaceId,
+    issuer: jwtIssuer,
+    audience: jwtAudience,
+    jwtid:
+      typeof crypto.randomUUID === "function"
+        ? crypto.randomUUID()
+        : crypto.randomBytes(8).toString("hex"),
+  });
+
+export const verifyWorkspaceToken = (token) => {
+  const payload = jwt.verify(token, jwtKey, {
+    issuer: jwtIssuer,
+    audience: jwtAudience,
+  });
+  const workspaceId = payload?.sub;
+  if (typeof workspaceId !== "string") {
+    throw new Error("Invalid token subject.");
+  }
+  return workspaceId;
+};
+
+export { accessTokenTtlSeconds };
+
+export const isPublicApiRequest = (req) => {
+  if (req.method === "POST" && req.path === "/workspaces") {
+    return true;
+  }
+  if (req.method === "POST" && req.path === "/workspaces/login") {
+    return true;
+  }
+  if (req.method === "POST" && req.path === "/workspaces/refresh") {
+    return true;
+  }
+  if (req.method === "POST" && req.path === "/sessions/handoff/consume") {
+    return true;
+  }
+  if (req.method === "GET" && req.path === "/health") {
+    return true;
+  }
+  return false;
+};
+
+export function authMiddleware(req, res, next) {
+  if (req.method === "OPTIONS" || isPublicApiRequest(req)) {
+    next();
+    return;
+  }
+  const header = req.headers.authorization || "";
+  const bearerToken = header.startsWith("Bearer ") ? header.slice(7).trim() : "";
+  const queryToken = typeof req.query.token === "string" ? req.query.token : "";
+  const token = bearerToken || queryToken;
+  if (!token) {
+    res.status(401).json({ error: "Missing workspace token." });
+    return;
+  }
+  try {
+    req.workspaceId = verifyWorkspaceToken(token);
+  } catch (error) {
+    res.status(401).json({ error: "Invalid workspace token." });
+    return;
+  }
+  next();
+}

package/server/src/middleware/debug.js

@@ -0,0 +1,89 @@
+import { createDebugId, formatDebugPayload } from "../helpers.js";
+
+const debugApiWsLog = /^(1|true|yes|on)$/i.test(
+  process.env.DEBUG_API_WS_LOG || ""
+);
+const debugLogMaxBody = Number.isFinite(Number(process.env.DEBUG_API_WS_LOG_MAX_BODY))
+  ? Number(process.env.DEBUG_API_WS_LOG_MAX_BODY)
+  : 2000;
+
+export { debugApiWsLog };
+
+export const logDebug = (...args) => {
+  if (!debugApiWsLog) return;
+  console.log(...args);
+};
+
+export const attachWebSocketDebug = (socket, req, label) => {
+  if (!debugApiWsLog) return;
+  const connectionId = createDebugId();
+  const url = req?.url || "";
+  console.log("[debug] ws connected", { id: connectionId, label, url });
+
+  socket.on("message", (data) => {
+    console.log("[debug] ws recv", {
+      id: connectionId,
+      label,
+      data: formatDebugPayload(data, debugLogMaxBody),
+    });
+  });
+
+  const originalSend = socket.send.bind(socket);
+  socket.send = (data, ...args) => {
+    console.log("[debug] ws send", {
+      id: connectionId,
+      label,
+      data: formatDebugPayload(data, debugLogMaxBody),
+    });
+    return originalSend(data, ...args);
+  };
+
+  socket.on("close", (code, reason) => {
+    console.log("[debug] ws closed", {
+      id: connectionId,
+      label,
+      code,
+      reason: formatDebugPayload(reason, debugLogMaxBody),
+    });
+  });
+};
+
+export function debugMiddleware(req, res, next) {
+  if (!debugApiWsLog || !req.path.startsWith("/api")) {
+    next();
+    return;
+  }
+  const requestId = createDebugId();
+  const startedAt = Date.now();
+
+  console.log("[debug] api request", {
+    id: requestId,
+    method: req.method,
+    url: req.originalUrl,
+    query: req.query,
+    body: formatDebugPayload(req.body, debugLogMaxBody),
+  });
+
+  let responseBody;
+  const originalSend = res.send.bind(res);
+  res.send = (body) => {
+    responseBody = body;
+    return originalSend(body);
+  };
+
+  res.on("finish", () => {
+    const durationMs = Date.now() - startedAt;
+    const formattedBody =
+      responseBody === undefined && res.statusCode !== 204
+        ? "<streamed or empty>"
+        : formatDebugPayload(responseBody, debugLogMaxBody);
+    console.log("[debug] api response", {
+      id: requestId,
+      status: res.statusCode,
+      durationMs,
+      body: formattedBody,
+    });
+  });
+
+  next();
+}

package/server/src/middleware/errorTypes.js

@@ -0,0 +1,60 @@
+export function errorTypesMiddleware(req, res, next) {
+  const originalJson = res.json.bind(res);
+  res.json = (body) => {
+    if (
+      res.statusCode >= 400 &&
+      body &&
+      typeof body === "object" &&
+      !Array.isArray(body) &&
+      !body.error_type
+    ) {
+      const message = String(body.error || body.message || "");
+      const normalized = message.toLowerCase();
+      let errorType = `HTTP_${res.statusCode}`;
+      if (res.statusCode === 401) {
+        if (normalized.includes("missing workspace token")) {
+          errorType = "WORKSPACE_TOKEN_MISSING";
+        } else if (normalized.includes("invalid workspace token")) {
+          errorType = "WORKSPACE_TOKEN_INVALID";
+        } else {
+          errorType = "UNAUTHORIZED";
+        }
+      } else if (res.statusCode === 403) {
+        if (normalized.includes("invalid workspace credentials")) {
+          errorType = "WORKSPACE_CREDENTIALS_INVALID";
+        } else if (normalized.includes("provider not enabled")) {
+          errorType = "PROVIDER_NOT_ENABLED";
+        } else {
+          errorType = "FORBIDDEN";
+        }
+      } else if (res.statusCode === 404) {
+        if (normalized.includes("session not found")) {
+          errorType = "SESSION_NOT_FOUND";
+        } else if (normalized.includes("worktree not found")) {
+          errorType = "WORKTREE_NOT_FOUND";
+        } else {
+          errorType = "NOT_FOUND";
+        }
+      } else if (res.statusCode === 400) {
+        if (normalized.includes("invalid workspaceid")) {
+          errorType = "WORKSPACE_ID_INVALID";
+        } else if (normalized.includes("repourl is required")) {
+          errorType = "REPO_URL_REQUIRED";
+        } else if (normalized.includes("invalid provider")) {
+          errorType = "PROVIDER_INVALID";
+        } else if (normalized.includes("invalid session")) {
+          errorType = "SESSION_INVALID";
+        } else if (normalized.includes("branch is required")) {
+          errorType = "BRANCH_REQUIRED";
+        } else {
+          errorType = "BAD_REQUEST";
+        }
+      } else if (res.statusCode >= 500) {
+        errorType = "INTERNAL_ERROR";
+      }
+      body = { ...body, error_type: errorType };
+    }
+    return originalJson(body);
+  };
+  next();
+}

package/server/src/providerLogger.js

@@ -0,0 +1,60 @@
+import fs from "fs";
+import os from "os";
+import path from "path";
+
+const isLoggingEnabled = () => {
+  const value = process.env.ACTIVATE_PROVIDER_LOG;
+  if (!value) {
+    return false;
+  }
+  return !["0", "false", "off"].includes(String(value).toLowerCase());
+};
+
+export const createProviderLogger = ({ provider, sessionId, worktreeId }) => {
+  if (!isLoggingEnabled()) {
+    return null;
+  }
+  if (!sessionId) {
+    return null;
+  }
+  const safeWorktreeId = worktreeId || "main";
+  const baseDir =
+    process.env.PROVIDER_LOG_DIRECTORY || path.join(os.homedir(), "logs");
+  try {
+    fs.mkdirSync(baseDir, { recursive: true, mode: 0o700 });
+    const filePath = path.join(
+      baseDir,
+      `${provider}_${sessionId}_${safeWorktreeId}.log`
+    );
+    const stream = fs.createWriteStream(filePath, { flags: "a" });
+    stream.on("error", (error) => {
+      console.warn(
+        `[provider-log] Failed to write ${provider} log: ${error?.message || error}`
+      );
+    });
+    return {
+      filePath,
+      writeLine: (prefix, line) => {
+        const text = line == null ? "" : String(line);
+        if (!text) {
+          return;
+        }
+        const lines = text.split(/\r?\n/);
+        for (const entry of lines) {
+          if (entry === "") {
+            continue;
+          }
+          stream.write(`${prefix}::${entry}\n`);
+        }
+      },
+      close: () => {
+        stream.end();
+      },
+    };
+  } catch (error) {
+    console.warn(
+      `[provider-log] Failed to initialize ${provider} log: ${error?.message || error}`
+    );
+    return null;
+  }
+};

package/server/src/routes/files.js

@@ -0,0 +1,114 @@
+import path from "path";
+import fs from "fs";
+import { Router } from "express";
+import { runAsCommand } from "../runAs.js";
+import { sanitizeFilename } from "../helpers.js";
+import {
+  getSession,
+  touchSession,
+  runSessionCommandOutput,
+  upload,
+} from "../services/session.js";
+
+export default function fileRoutes() {
+  const router = Router();
+
+  router.get("/sessions/:sessionId/attachments/file", async (req, res) => {
+    const sessionId = req.params.sessionId;
+    const session = await getSession(sessionId, req.workspaceId);
+    if (!session) {
+      res.status(400).json({ error: "Invalid session." });
+      return;
+    }
+    await touchSession(session);
+    const rawPath = req.query.path;
+    const rawName = req.query.name;
+    if (!rawPath && !rawName) {
+      res.status(400).json({ error: "Attachment path is required." });
+      return;
+    }
+    const candidatePath = rawPath
+      ? path.resolve(rawPath)
+      : path.resolve(session.attachmentsDir, sanitizeFilename(rawName));
+    const relative = path.relative(session.attachmentsDir, candidatePath);
+    if (relative.startsWith("..") || path.isAbsolute(relative)) {
+      res.status(400).json({ error: "Invalid attachment path." });
+      return;
+    }
+    try {
+      const data = await runSessionCommandOutput(session, "/bin/cat", [candidatePath], {
+        binary: true,
+      });
+      if (rawName) {
+        res.setHeader("Content-Disposition", `attachment; filename="${sanitizeFilename(rawName)}"`);
+      }
+      res.send(data);
+    } catch (error) {
+      res.status(404).json({ error: "Attachment not found." });
+    }
+  });
+
+  router.get("/sessions/:sessionId/attachments", async (req, res) => {
+    const sessionId = req.params.sessionId;
+    const session = await getSession(sessionId, req.workspaceId);
+    if (!session) {
+      res.status(400).json({ error: "Invalid session." });
+      return;
+    }
+    await touchSession(session);
+    try {
+      const output = await runSessionCommandOutput(
+        session,
+        "/usr/bin/find",
+        [session.attachmentsDir, "-maxdepth", "1", "-mindepth", "1", "-type", "f", "-printf", "%f\t%s\0"],
+        { binary: true }
+      );
+      const files = output
+        .toString("utf8")
+        .split("\0")
+        .filter(Boolean)
+        .map((line) => {
+          const [name, sizeRaw] = line.split("\t");
+          return {
+            name,
+            path: path.join(session.attachmentsDir, name),
+            size: Number.parseInt(sizeRaw, 10),
+          };
+        });
+      res.json({ files });
+    } catch (error) {
+      res.status(500).json({ error: "Failed to list attachments." });
+    }
+  });
+
+  router.post(
+    "/sessions/:sessionId/attachments/upload",
+    upload.array("files"),
+    async (req, res) => {
+      const sessionId = req.params.sessionId;
+      const session = await getSession(sessionId, req.workspaceId);
+      if (!session) {
+        res.status(400).json({ error: "Invalid session." });
+        return;
+      }
+      await touchSession(session);
+      const uploaded = [];
+      for (const file of req.files || []) {
+        const targetPath = path.join(session.attachmentsDir, file.filename);
+        const inputStream = fs.createReadStream(file.path);
+        await runAsCommand(session.workspaceId, "/usr/bin/tee", [targetPath], {
+          input: inputStream,
+        });
+        await fs.promises.rm(file.path, { force: true });
+        uploaded.push({
+          name: file.filename,
+          path: targetPath,
+          size: file.size,
+        });
+      }
+      res.json({ files: uploaded });
+    }
+  );
+
+  return router;
+}

package/server/src/routes/git.js

@@ -0,0 +1,183 @@
+import { Router } from "express";
+import {
+  getSession,
+  touchSession,
+  runSessionCommand,
+  runSessionCommandOutput,
+  getBranchInfo,
+  broadcastRepoDiff,
+  getRepoDiff,
+  isValidProvider,
+  modelCache,
+  modelCacheTtlMs,
+} from "../services/session.js";
+
+export default function gitRoutes(deps) {
+  const { getOrCreateClient } = deps;
+
+  const router = Router();
+
+  const readGitConfigValue = async (session, args) => {
+    try {
+      const output = await runSessionCommandOutput(session, "git", args);
+      return output.trim();
+    } catch (error) {
+      return "";
+    }
+  };
+
+  router.get("/sessions/:sessionId/git-identity", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    try {
+      const [globalName, globalEmail, repoName, repoEmail] = await Promise.all([
+        readGitConfigValue(session, ["config", "--global", "--get", "user.name"]),
+        readGitConfigValue(session, ["config", "--global", "--get", "user.email"]),
+        readGitConfigValue(session, [
+          "-C",
+          session.repoDir,
+          "config",
+          "--get",
+          "user.name",
+        ]),
+        readGitConfigValue(session, [
+          "-C",
+          session.repoDir,
+          "config",
+          "--get",
+          "user.email",
+        ]),
+      ]);
+      const effectiveName = repoName || globalName;
+      const effectiveEmail = repoEmail || globalEmail;
+      res.json({
+        global: { name: globalName || "", email: globalEmail || "" },
+        repo: { name: repoName || "", email: repoEmail || "" },
+        effective: { name: effectiveName || "", email: effectiveEmail || "" },
+      });
+    } catch (error) {
+      res.status(500).json({ error: "Failed to read git identity." });
+    }
+  });
+
+  router.post("/sessions/:sessionId/git-identity", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    const name = typeof req.body?.name === "string" ? req.body.name.trim() : "";
+    const email = typeof req.body?.email === "string" ? req.body.email.trim() : "";
+    if (!name || !email) {
+      res.status(400).json({ error: "name and email are required." });
+      return;
+    }
+    try {
+      await runSessionCommand(session, "git", [
+        "-C",
+        session.repoDir,
+        "config",
+        "user.name",
+        name,
+      ]);
+      await runSessionCommand(session, "git", [
+        "-C",
+        session.repoDir,
+        "config",
+        "user.email",
+        email,
+      ]);
+      res.json({ ok: true, repo: { name, email } });
+    } catch (error) {
+      res.status(500).json({ error: "Failed to update git identity." });
+    }
+  });
+
+  router.get("/sessions/:sessionId/diff", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    const repoDiff = await getRepoDiff(session);
+    res.json(repoDiff);
+  });
+
+  router.get("/sessions/:sessionId/branches", async (req, res) => {
+    const sessionId = req.params.sessionId;
+    const session = await getSession(sessionId, req.workspaceId);
+    if (!session) {
+      res.status(400).json({ error: "Invalid session." });
+      return;
+    }
+    await touchSession(session);
+    try {
+      const info = await getBranchInfo(session);
+      res.json(info);
+    } catch (error) {
+      console.error("Failed to list branches:", {
+        sessionId,
+        error: error?.message || error,
+      });
+      res.status(500).json({ error: "Failed to list branches." });
+    }
+  });
+
+  router.get("/sessions/:sessionId/models", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    const provider = req.query?.provider;
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    if (!isValidProvider(provider)) {
+      res.status(400).json({ error: "Invalid provider. Must be 'codex' or 'claude'." });
+      return;
+    }
+    if (
+      Array.isArray(session.providers) &&
+      session.providers.length &&
+      !session.providers.includes(provider)
+    ) {
+      res.status(403).json({ error: "Provider not enabled for this session." });
+      return;
+    }
+
+    try {
+      const cached = modelCache.get(provider);
+      if (cached && cached.expiresAt > Date.now()) {
+        res.json({ models: cached.models, provider });
+        return;
+      }
+      const client = await getOrCreateClient(session, provider);
+      if (!client.ready) {
+        await client.start();
+      }
+      let cursor = null;
+      const models = [];
+      do {
+        const result = await client.listModels(cursor, 200);
+        if (Array.isArray(result?.data)) {
+          models.push(...result.data);
+        }
+        cursor = result?.nextCursor ?? null;
+      } while (cursor);
+      modelCache.set(provider, {
+        models,
+        expiresAt: Date.now() + modelCacheTtlMs,
+      });
+      res.json({ models, provider });
+    } catch (error) {
+      res.status(500).json({ error: error.message || "Failed to list models." });
+    }
+  });
+
+  return router;
+}

package/server/src/routes/health.js

@@ -0,0 +1,13 @@
+import { Router } from "express";
+
+export default function healthRoutes(deps) {
+  const { deploymentMode } = deps;
+
+  const router = Router();
+
+  router.get("/health", async (req, res) => {
+    res.json({ ok: true, ready: true, deploymentMode });
+  });
+
+  return router;
+}