@vibe80/vibe80 0.1.1

package/server/src/routes/sessions.js

@@ -0,0 +1,407 @@
+import { Router } from "express";
+import os from "os";
+import storage from "../storage/index.js";
+import {
+  createMessageId,
+  classifySessionCreationError,
+  toIsoDateTime,
+} from "../helpers.js";
+import { debugApiWsLog } from "../middleware/debug.js";
+import {
+  handoffTokens,
+  createHandoffToken,
+  issueWorkspaceTokens,
+} from "../services/auth.js";
+import {
+  ensureWorkspaceUserExists,
+  readWorkspaceConfig,
+  listEnabledProviders,
+} from "../services/workspace.js";
+import {
+  getSession,
+  touchSession,
+  createSession,
+  cleanupSession,
+  getRepoDiff,
+  getCurrentBranch,
+  getLastCommit,
+  resolveDefaultDenyGitCredentialsAccess,
+  broadcastToSession,
+} from "../services/session.js";
+import {
+  getWorktree,
+  clearWorktreeMessages,
+} from "../worktreeManager.js";
+
+const terminalEnabled = /^(1|true|yes|on)$/i.test(process.env.TERMINAL_ENABLED || "1");
+const instanceHostname = process.env.HOSTNAME || os.hostname();
+
+export default function sessionRoutes(deps) {
+  const {
+    getOrCreateClient,
+    attachClientEvents,
+    attachClaudeEvents,
+    getActiveClient,
+    deploymentMode,
+  } = deps;
+
+  const router = Router();
+  const resolveEnabledProviders = async (workspaceId) => {
+    try {
+      const workspaceConfig = await readWorkspaceConfig(workspaceId);
+      return listEnabledProviders(workspaceConfig?.providers || {});
+    } catch {
+      return [];
+    }
+  };
+
+  router.get("/sessions", (req, res) => {
+    const workspaceId = req.workspaceId;
+    storage
+      .listSessions(workspaceId)
+      .then(async (sessions) => {
+        const enabledProviders = await resolveEnabledProviders(workspaceId);
+        const payload = sessions.map((session) => ({
+          sessionId: session.sessionId,
+          repoUrl: session.repoUrl || "",
+          name: session.name || "",
+          createdAt: toIsoDateTime(session.createdAt),
+          lastActivityAt: toIsoDateTime(session.lastActivityAt),
+          activeProvider: session.activeProvider || null,
+          providers: enabledProviders,
+        }));
+        payload.sort((a, b) => {
+          const aTime = Date.parse(a.lastActivityAt || a.createdAt || "") || 0;
+          const bTime = Date.parse(b.lastActivityAt || b.createdAt || "") || 0;
+          return bTime - aTime;
+        });
+        res.json({ sessions: payload });
+      })
+      .catch((error) => {
+        res.status(500).json({ error: error?.message || "Failed to list sessions." });
+      });
+  });
+
+  router.post("/sessions/handoff", async (req, res) => {
+    const sessionId = req.body?.sessionId;
+    if (!sessionId || typeof sessionId !== "string") {
+      res.status(400).json({ error: "Session ID required.", error_type: "SESSION_ID_REQUIRED" });
+      return;
+    }
+    const session = await getSession(sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found.", error_type: "SESSION_NOT_FOUND" });
+      return;
+    }
+    const record = createHandoffToken(session);
+    res.json({
+      handoffToken: record.token,
+      expiresAt: toIsoDateTime(record.expiresAt),
+    });
+  });
+
+  router.post("/sessions/handoff/consume", async (req, res) => {
+    const handoffToken = req.body?.handoffToken;
+    if (!handoffToken || typeof handoffToken !== "string") {
+      res.status(400).json({ error: "Handoff token required.", error_type: "HANDOFF_TOKEN_REQUIRED" });
+      return;
+    }
+    const record = handoffTokens.get(handoffToken);
+    if (!record) {
+      res.status(404).json({ error: "Handoff token not found.", error_type: "HANDOFF_TOKEN_INVALID" });
+      return;
+    }
+    if (record.usedAt) {
+      res.status(409).json({ error: "Handoff token already used.", error_type: "HANDOFF_TOKEN_USED" });
+      return;
+    }
+    if (record.expiresAt && record.expiresAt <= Date.now()) {
+      handoffTokens.delete(handoffToken);
+      res.status(410).json({ error: "Handoff token expired.", error_type: "HANDOFF_TOKEN_EXPIRED" });
+      return;
+    }
+    const session = await getSession(record.sessionId, record.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found.", error_type: "SESSION_NOT_FOUND" });
+      return;
+    }
+    record.usedAt = Date.now();
+    const tokens = await issueWorkspaceTokens(record.workspaceId);
+    res.json({
+      workspaceId: record.workspaceId,
+      workspaceToken: tokens.workspaceToken,
+      refreshToken: tokens.refreshToken,
+      expiresIn: tokens.expiresIn,
+      refreshExpiresIn: tokens.refreshExpiresIn,
+      sessionId: record.sessionId,
+    });
+  });
+
+  router.get("/sessions/:sessionId", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    const repoDiff = await getRepoDiff(session);
+    const activeProvider = session.activeProvider || "codex";
+    const enabledProviders = await resolveEnabledProviders(session.workspaceId);
+    res.json({
+      sessionId: req.params.sessionId,
+      workspaceId: session.workspaceId,
+      path: session.dir,
+      repoUrl: session.repoUrl,
+      name: session.name || "",
+      defaultProvider: activeProvider,
+      providers: enabledProviders,
+      defaultInternetAccess:
+        typeof session.defaultInternetAccess === "boolean"
+          ? session.defaultInternetAccess
+          : true,
+      defaultDenyGitCredentialsAccess: resolveDefaultDenyGitCredentialsAccess(session),
+      repoDiff,
+      rpcLogsEnabled: debugApiWsLog,
+      rpcLogs: debugApiWsLog ? session.rpcLogs || [] : [],
+      terminalEnabled,
+    });
+  });
+
+  router.delete("/sessions/:sessionId", async (req, res) => {
+    const sessionId = req.params.sessionId;
+    const session = await getSession(sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    try {
+      await cleanupSession(sessionId, "user_request");
+      res.json({ ok: true, sessionId });
+    } catch (error) {
+      res.status(500).json({ error: "Failed to delete session." });
+    }
+  });
+
+  router.get("/sessions/:sessionId/health", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    const activeClient = getActiveClient(session);
+    res.json({
+      ok: true,
+      ready: activeClient?.ready || false,
+      threadId: activeClient?.threadId || null,
+      provider: session.activeProvider || "codex",
+      deploymentMode,
+      instance: instanceHostname,
+    });
+  });
+
+  router.get("/sessions/:sessionId/last-commit", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    try {
+      const [branch, commit] = await Promise.all([
+        getCurrentBranch(session),
+        getLastCommit(session, session.repoDir),
+      ]);
+      res.json({ branch, commit });
+    } catch (error) {
+      res.status(500).json({ error: "Failed to load last commit." });
+    }
+  });
+
+  router.get("/sessions/:sessionId/rpc-logs", async (req, res) => {
+    if (!debugApiWsLog) {
+      res.status(403).json({ error: "Forbidden." });
+      return;
+    }
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    res.json({ rpcLogs: session.rpcLogs || [] });
+  });
+
+  router.post("/sessions/:sessionId/clear", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    const worktreeId = req.body?.worktreeId;
+    if (worktreeId) {
+      const worktree = await getWorktree(session, worktreeId);
+      if (!worktree) {
+        res.status(404).json({ error: "Worktree not found." });
+        return;
+      }
+      await clearWorktreeMessages(session, worktreeId);
+      res.json({ ok: true, worktreeId });
+      return;
+    }
+    await clearWorktreeMessages(session, "main");
+    res.json({ ok: true, worktreeId: "main" });
+  });
+
+  router.post("/sessions/:sessionId/backlog-items", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    const text = typeof req.body?.text === "string" ? req.body.text.trim() : "";
+    if (!text) {
+      res.status(400).json({ error: "text is required." });
+      return;
+    }
+    await touchSession(session);
+    const item = {
+      id: createMessageId(),
+      text,
+      createdAt: Date.now(),
+      done: false,
+    };
+    const backlog = Array.isArray(session.backlog) ? session.backlog : [];
+    const updated = {
+      ...session,
+      backlog: [item, ...backlog],
+      lastActivityAt: Date.now(),
+    };
+    await storage.saveSession(session.sessionId, updated);
+    res.json({
+      ok: true,
+      item: {
+        ...item,
+        createdAt: toIsoDateTime(item.createdAt),
+      },
+    });
+  });
+
+  router.get("/sessions/:sessionId/backlog-items", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    await touchSession(session);
+    const backlog = Array.isArray(session.backlog) ? session.backlog : [];
+    const serializedItems = backlog.map((item) => ({
+      ...item,
+      createdAt: toIsoDateTime(item?.createdAt),
+      doneAt: toIsoDateTime(item?.doneAt),
+    }));
+    res.json({ items: serializedItems });
+  });
+
+  router.patch("/sessions/:sessionId/backlog-items/:itemId", async (req, res) => {
+    const session = await getSession(req.params.sessionId, req.workspaceId);
+    if (!session) {
+      res.status(404).json({ error: "Session not found." });
+      return;
+    }
+    const itemId =
+      typeof req.params.itemId === "string" ? req.params.itemId.trim() : "";
+    if (!itemId) {
+      res.status(400).json({ error: "itemId is required." });
+      return;
+    }
+    if (typeof req.body?.done !== "boolean") {
+      res.status(400).json({ error: "done is required." });
+      return;
+    }
+    await touchSession(session);
+    const backlog = Array.isArray(session.backlog) ? session.backlog : [];
+    const index = backlog.findIndex((item) => item?.id === itemId);
+    if (index === -1) {
+      res.status(404).json({ error: "Backlog item not found." });
+      return;
+    }
+    const updatedItem = {
+      ...backlog[index],
+      done: req.body.done,
+      doneAt: req.body.done ? Date.now() : null,
+    };
+    const updatedBacklog = [...backlog];
+    updatedBacklog[index] = updatedItem;
+    const updatedSession = {
+      ...session,
+      backlog: updatedBacklog,
+      lastActivityAt: Date.now(),
+    };
+    await storage.saveSession(session.sessionId, updatedSession);
+    res.json({
+      ok: true,
+      item: {
+        ...updatedItem,
+        createdAt: toIsoDateTime(updatedItem.createdAt),
+        doneAt: toIsoDateTime(updatedItem.doneAt),
+      },
+    });
+  });
+
+  router.post("/sessions", async (req, res) => {
+    const repoUrl = req.body?.repoUrl;
+    if (!repoUrl) {
+      res.status(400).json({ error: "repoUrl is required." });
+      return;
+    }
+    try {
+      await ensureWorkspaceUserExists(req.workspaceId);
+      const auth = req.body?.auth || null;
+      const defaultInternetAccess = req.body?.defaultInternetAccess;
+      const defaultDenyGitCredentialsAccess =
+        typeof req.body?.defaultDenyGitCredentialsAccess === "boolean"
+          ? req.body.defaultDenyGitCredentialsAccess
+          : undefined;
+      const name = req.body?.name;
+      const session = await createSession(
+        req.workspaceId,
+        repoUrl,
+        auth,
+        defaultInternetAccess,
+        defaultDenyGitCredentialsAccess,
+        name,
+        { getOrCreateClient, attachClientEvents, attachClaudeEvents, broadcastToSession }
+      );
+      const enabledProviders = await resolveEnabledProviders(req.workspaceId);
+      const defaultProvider = session.activeProvider
+        || (enabledProviders.includes("codex") ? "codex" : enabledProviders[0] || "codex");
+      res.status(201).location(`/api/sessions/${session.sessionId}`).json({
+        sessionId: session.sessionId,
+        workspaceId: session.workspaceId || req.workspaceId,
+        path: session.dir,
+        repoUrl,
+        name: session.name || "",
+        defaultProvider,
+        providers: enabledProviders,
+        defaultInternetAccess:
+          typeof session.defaultInternetAccess === "boolean"
+            ? session.defaultInternetAccess
+            : true,
+        defaultDenyGitCredentialsAccess: resolveDefaultDenyGitCredentialsAccess(session),
+        rpcLogsEnabled: debugApiWsLog,
+        terminalEnabled,
+      });
+    } catch (error) {
+      console.error("Failed to create session for repo:", {
+        repoUrl,
+        error: error?.message || error,
+      });
+      const classified = classifySessionCreationError(error);
+      res.status(classified.status).json({ error: classified.error });
+    }
+  });
+
+  return router;
+}

package/server/src/routes/workspaces.js

@@ -0,0 +1,296 @@
+import { Router } from "express";
+import storage from "../storage/index.js";
+import {
+  consumeMonoAuthToken,
+  issueWorkspaceTokens,
+  rotateWorkspaceRefreshToken,
+} from "../services/auth.js";
+import {
+  workspaceIdPattern,
+  createWorkspace,
+  updateWorkspace,
+  readWorkspaceConfig,
+  verifyWorkspaceSecret,
+  getWorkspaceUserIds,
+  sanitizeProvidersForResponse,
+  mergeProvidersForUpdate,
+  appendAuditLog,
+} from "../services/workspace.js";
+import { getExistingSessionRuntime } from "../runtimeStore.js";
+
+const isObject = (value) =>
+  value != null && typeof value === "object" && !Array.isArray(value);
+
+const stableStringify = (value) => {
+  if (Array.isArray(value)) {
+    return `[${value.map(stableStringify).join(",")}]`;
+  }
+  if (!isObject(value)) {
+    return JSON.stringify(value);
+  }
+  const keys = Object.keys(value).sort();
+  const entries = keys.map((key) => `${JSON.stringify(key)}:${stableStringify(value[key])}`);
+  return `{${entries.join(",")}}`;
+};
+
+const providersConfigChanged = (beforeConfig, afterConfig) =>
+  stableStringify(beforeConfig ?? null) !== stableStringify(afterConfig ?? null);
+
+const sessionUsesProvider = (session, provider) => {
+  if (!session || !provider) {
+    return false;
+  }
+  if (Array.isArray(session.providers) && session.providers.length) {
+    return session.providers.includes(provider);
+  }
+  if (typeof session.activeProvider === "string") {
+    return session.activeProvider === provider;
+  }
+  return false;
+};
+
+const providerHasActiveSessions = async (workspaceId, provider) => {
+  const sessions = await storage.listSessions(workspaceId);
+  return sessions.some((session) => sessionUsesProvider(session, provider));
+};
+
+const restartCodexClientsForWorkspace = async (workspaceId) => {
+  const sessions = await storage.listSessions(workspaceId);
+  for (const session of sessions) {
+    if (!session?.sessionId) {
+      continue;
+    }
+    const runtime = getExistingSessionRuntime(session.sessionId);
+    if (!runtime) {
+      continue;
+    }
+    const codexClient = runtime?.clients?.codex;
+    if (codexClient) {
+      if (codexClient.getStatus?.() === "idle") {
+        await codexClient.restart?.();
+      } else {
+        codexClient.requestRestart?.();
+      }
+    }
+    if (runtime?.worktreeClients instanceof Map) {
+      for (const client of runtime.worktreeClients.values()) {
+        if (!client || client?.constructor?.name !== "CodexAppServerClient") {
+          continue;
+        }
+        if (client.getStatus?.() === "idle") {
+          await client.restart?.();
+        } else {
+          client.requestRestart?.();
+        }
+      }
+    }
+  }
+};
+
+export default function workspaceRoutes() {
+  const router = Router();
+  const deploymentMode = process.env.DEPLOYMENT_MODE;
+
+  router.post("/workspaces", async (req, res) => {
+    if (deploymentMode === "mono_user") {
+      res.status(403).json({
+        error: "Workspace creation is forbidden in mono_user mode.",
+        error_type: "WORKSPACE_CREATE_FORBIDDEN",
+      });
+      return;
+    }
+    try {
+      const providers = req.body?.providers;
+      const result = await createWorkspace(providers);
+      res.status(201).location(`/api/workspaces/${result.workspaceId}`).json(result);
+    } catch (error) {
+      res.status(400).json({ error: error.message || "Failed to create workspace." });
+    }
+  });
+
+  router.post("/workspaces/login", async (req, res) => {
+    const grantType = typeof req.body?.grantType === "string"
+      ? req.body.grantType.trim()
+      : "";
+    if (grantType === "mono_auth_token") {
+      if (deploymentMode !== "mono_user") {
+        res.status(403).json({
+          error: "Mono auth token grant is only available in mono_user mode.",
+          error_type: "MONO_AUTH_FORBIDDEN",
+        });
+        return;
+      }
+      const monoAuthToken = typeof req.body?.monoAuthToken === "string"
+        ? req.body.monoAuthToken.trim()
+        : "";
+      if (!monoAuthToken) {
+        res.status(400).json({
+          error: "monoAuthToken is required.",
+          error_type: "MONO_AUTH_TOKEN_REQUIRED",
+        });
+        return;
+      }
+      const consumed = consumeMonoAuthToken(monoAuthToken);
+      if (!consumed.ok || !consumed.workspaceId) {
+        res.status(401).json({
+          error: "Invalid mono auth token.",
+          error_type: consumed.code || "MONO_AUTH_TOKEN_INVALID",
+        });
+        return;
+      }
+      try {
+        await getWorkspaceUserIds(consumed.workspaceId);
+        const tokens = await issueWorkspaceTokens(consumed.workspaceId);
+        await appendAuditLog(consumed.workspaceId, "workspace_login_success", {
+          grantType: "mono_auth_token",
+        });
+        res.json(tokens);
+      } catch {
+        await appendAuditLog(consumed.workspaceId, "workspace_login_failed", {
+          grantType: "mono_auth_token",
+        });
+        res.status(401).json({
+          error: "Invalid mono auth token.",
+          error_type: "MONO_AUTH_TOKEN_INVALID",
+        });
+      }
+      return;
+    }
+
+    if (deploymentMode === "mono_user") {
+      res.status(403).json({
+        error: "Workspace credentials login is forbidden in mono_user mode.",
+        error_type: "WORKSPACE_LOGIN_FORBIDDEN",
+      });
+      return;
+    }
+
+    const workspaceId = req.body?.workspaceId;
+    const workspaceSecret = req.body?.workspaceSecret;
+    if (!workspaceId || !workspaceSecret) {
+      res.status(401).json({ error: "Invalid workspace credentials." });
+      return;
+    }
+    if (!workspaceIdPattern.test(workspaceId)) {
+      res.status(401).json({ error: "Invalid workspace credentials." });
+      return;
+    }
+    try {
+      const matches = await verifyWorkspaceSecret(workspaceId, workspaceSecret);
+      if (!matches) {
+        await appendAuditLog(workspaceId, "workspace_login_failed");
+        res.status(401).json({ error: "Invalid workspace credentials." });
+        return;
+      }
+      await getWorkspaceUserIds(workspaceId);
+      const tokens = await issueWorkspaceTokens(workspaceId);
+      await appendAuditLog(workspaceId, "workspace_login_success");
+      res.json(tokens);
+    } catch (error) {
+      await appendAuditLog(workspaceId, "workspace_login_failed");
+      res.status(401).json({ error: "Invalid workspace credentials." });
+    }
+  });
+
+  router.post("/workspaces/refresh", async (req, res) => {
+    const refreshToken = req.body?.refreshToken;
+    if (!refreshToken || typeof refreshToken !== "string") {
+      res.status(400).json({ error: "refreshToken is required." });
+      return;
+    }
+    try {
+      const rotated = await rotateWorkspaceRefreshToken(refreshToken);
+      if (!rotated?.ok) {
+        res.status(rotated?.status || 401).json(
+          rotated?.payload || { error: "Invalid refresh token.", code: "invalid_refresh_token" }
+        );
+        return;
+      }
+      res.json(rotated.payload);
+    } catch (error) {
+      res.status(500).json({ error: "Failed to refresh workspace token." });
+    }
+  });
+
+  router.get("/workspaces/:workspaceId", async (req, res) => {
+    const workspaceId = req.params.workspaceId;
+    if (!workspaceIdPattern.test(workspaceId)) {
+      res.status(400).json({ error: "Invalid workspaceId." });
+      return;
+    }
+    if (req.workspaceId && req.workspaceId !== workspaceId) {
+      res.status(403).json({ error: "Forbidden." });
+      return;
+    }
+    try {
+      const config = await readWorkspaceConfig(workspaceId);
+      res.json({ workspaceId, providers: sanitizeProvidersForResponse(config?.providers) });
+    } catch (error) {
+      res.status(400).json({ error: error.message || "Failed to load workspace." });
+    }
+  });
+
+  router.patch("/workspaces/:workspaceId", async (req, res) => {
+    const workspaceId = req.params.workspaceId;
+    if (!workspaceIdPattern.test(workspaceId)) {
+      res.status(400).json({ error: "Invalid workspaceId." });
+      return;
+    }
+    if (req.workspaceId && req.workspaceId !== workspaceId) {
+      res.status(403).json({ error: "Forbidden." });
+      return;
+    }
+    try {
+      const existing = await readWorkspaceConfig(workspaceId).catch(() => null);
+      const mergedProviders = mergeProvidersForUpdate(
+        existing?.providers || {},
+        req.body?.providers || {}
+      );
+      const providersToDisable = Object.entries(mergedProviders)
+        .filter(([provider, config]) => {
+          if (!config || typeof config !== "object") {
+            return false;
+          }
+          const wasEnabled = Boolean(existing?.providers?.[provider]?.enabled);
+          return wasEnabled && config.enabled === false;
+        })
+        .map(([provider]) => provider);
+      if (providersToDisable.length) {
+        for (const provider of providersToDisable) {
+          if (await providerHasActiveSessions(workspaceId, provider)) {
+            res.status(403).json({
+              error: "Provider cannot be disabled: active sessions use it.",
+            });
+            return;
+          }
+        }
+      }
+      const codexChanged = providersConfigChanged(
+        existing?.providers?.codex,
+        mergedProviders?.codex
+      );
+      const payload = await updateWorkspace(workspaceId, mergedProviders);
+      if (codexChanged) {
+        await restartCodexClientsForWorkspace(workspaceId);
+      }
+      res.json({ workspaceId, providers: sanitizeProvidersForResponse(payload.providers) });
+    } catch (error) {
+      res.status(400).json({ error: error.message || "Failed to update workspace." });
+    }
+  });
+
+  router.delete("/workspaces/:workspaceId", async (req, res) => {
+    const workspaceId = req.params.workspaceId;
+    if (!workspaceIdPattern.test(workspaceId)) {
+      res.status(400).json({ error: "Invalid workspaceId." });
+      return;
+    }
+    if (req.workspaceId && req.workspaceId !== workspaceId) {
+      res.status(403).json({ error: "Forbidden." });
+      return;
+    }
+    res.status(405).json({ error: "Workspace deletion is currently disabled." });
+  });
+
+  return router;
+}