@wingman-ai/gateway 0.4.0 → 0.4.2

package/dist/gateway/server.d.ts

@@ -1,5 +1,14 @@
 import { GatewayAuth } from "./auth.js";
 import type { AgentRequestPayload, GatewayConfig } from "./types.js";
+export declare function isLoopbackHostname(hostname: string): boolean;
+export declare function isGatewayOriginAllowed(params: {
+    origin: string;
+    requestUrl: string | URL;
+    gatewayHost: string;
+    gatewayPort: number;
+    controlUiEnabled: boolean;
+    controlUiPort: number;
+}): boolean;
 export declare function resolveExecutionWorkspaceOverride(payload: AgentRequestPayload | undefined): string | null;
 export declare function resolveExecutionConfigDirOverride(payload: AgentRequestPayload | undefined): string | null;
 /**
@@ -31,6 +40,7 @@ export declare class GatewayServer {
     private browserRelayServer;
     private webhookStore;
     private routineStore;
+    private nodeApprovalStore;
     private internalHooks;
     private discordAdapter;
     private sessionSubscriptions;
@@ -40,7 +50,9 @@ export declare class GatewayServer {
     private activeSessionRequests;
     private queuedSessionRequests;
     private requestSessionKeys;
+    private pendingNodeRequests;
     private terminalSessionManager;
+    private nodePairingRequired;
     private bridgeQueues;
     private bridgePollWaiters;
     constructor(config?: Partial<GatewayConfig>);
@@ -120,6 +132,14 @@ export declare class GatewayServer {
      * Handle direct message
      */
     private handleDirect;
+    /**
+     * Handle node tool invocation request
+     */
+    private handleNodeRequest;
+    /**
+     * Route node stream/response messages back to the original requester
+     */
+    private handleNodeResponse;
     /**
      * Handle ping message
      */
@@ -128,6 +148,15 @@ export declare class GatewayServer {
      * Handle pong message
      */
     private handlePong;
+    private cleanupPendingNodeRequestsForSocket;
+    private clearPendingNodeRequest;
+    private extractNodeErrorMessage;
+    private isNodeApprovedForExecution;
+    private listConnectedNodeIdsForRequester;
+    private listConnectedNodeTargetsForRequester;
+    private resolveNodeRequestTimeout;
+    private resolveNodeTarget;
+    private invokeNodeTool;
     /**
      * Send a message to a WebSocket
      */
@@ -179,6 +208,11 @@ export declare class GatewayServer {
      * Log a message
      */
     private log;
+    private isRequestOriginAllowed;
+    private withApiCors;
+    private resolveTrustedTailscaleUser;
+    private resolveHttpAuthPayload;
+    private requireHttpAuth;
     private handleUiRequest;
     /**
      * Get the auth instance

package/dist/gateway/server.js

@@ -11,13 +11,14 @@ import { createLogger } from "../logger.js";
 import { ensureUvAvailableForFeature } from "../utils/uv.js";
 import { DiscordGatewayAdapter } from "./adapters/discord.js";
 import { GatewayAuth } from "./auth.js";
-import { BrowserRelayServer } from "./browserRelayServer.js";
 import { BroadcastGroupManager } from "./broadcast.js";
+import { BrowserRelayServer } from "./browserRelayServer.js";
 import { MDNSDiscoveryService, TailscaleDiscoveryService } from "./discovery/index.js";
 import { getGatewayTokenFromEnv } from "./env.js";
 import { InternalHookRegistry } from "./hooks/registry.js";
 import { handleAgentsApi } from "./http/agents.js";
 import { handleFsApi } from "./http/fs.js";
+import { createNodeApprovalStore, handleNodesApi } from "./http/nodes.js";
 import { handleProvidersApi } from "./http/providers.js";
 import { createRoutineStore, handleRoutinesApi } from "./http/routines.js";
 import { handleSessionsApi } from "./http/sessions.js";
@@ -37,19 +38,72 @@ function _define_property(obj, key, value) {
     return obj;
 }
 const API_CORS_HEADERS = {
-    "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS",
     "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Wingman-Token, X-Wingman-Password",
     "Access-Control-Max-Age": "600"
 };
-function withApiCors(response) {
-    const headers = new Headers(response.headers);
-    for (const [key, value] of Object.entries(API_CORS_HEADERS))headers.set(key, value);
-    return new Response(response.body, {
-        status: response.status,
-        statusText: response.statusText,
-        headers
-    });
+const LOOPBACK_HOSTNAMES = new Set([
+    "127.0.0.1",
+    "localhost",
+    "::1"
+]);
+const CLIENT_ID_PATTERN = /^[a-zA-Z0-9._:-]{1,128}$/;
+const CLIENT_TYPE_PATTERN = /^[a-zA-Z0-9._:-]{1,64}$/;
+const NODE_EXECUTION_CAPABILITIES = new Set([
+    "system.notify",
+    "system.run"
+]);
+const DEFAULT_NODE_REQUEST_TIMEOUT_MS = 30000;
+const MIN_NODE_REQUEST_TIMEOUT_MS = 1000;
+const MAX_NODE_REQUEST_TIMEOUT_MS = 120000;
+const MAX_PENDING_NODE_REQUESTS = 2000;
+function normalizeHostname(hostname) {
+    const trimmed = hostname.trim().toLowerCase();
+    if (!trimmed) return "";
+    if (trimmed.startsWith("[") && trimmed.endsWith("]")) return trimmed.slice(1, -1);
+    return trimmed;
+}
+function defaultPortForProtocol(protocol) {
+    return "https:" === protocol ? "443" : "80";
+}
+function normalizeClientIdentifier(raw, pattern) {
+    const trimmed = raw.trim();
+    if (!trimmed) return null;
+    if (trimmed.length > 128) return null;
+    if (!pattern.test(trimmed)) return null;
+    return trimmed;
+}
+function includesNodeExecutionCapability(capabilities) {
+    if (!Array.isArray(capabilities)) return false;
+    for (const capability of capabilities)if ("string" == typeof capability && NODE_EXECUTION_CAPABILITIES.has(capability.trim())) return true;
+    return false;
+}
+function isLoopbackHostname(hostname) {
+    return LOOPBACK_HOSTNAMES.has(normalizeHostname(hostname));
+}
+function isGatewayOriginAllowed(params) {
+    let originUrl;
+    let requestUrl;
+    try {
+        originUrl = new URL(params.origin);
+        requestUrl = "string" == typeof params.requestUrl ? new URL(params.requestUrl) : params.requestUrl;
+    } catch  {
+        return false;
+    }
+    if ("http:" !== originUrl.protocol && "https:" !== originUrl.protocol) return false;
+    const originHost = normalizeHostname(originUrl.hostname);
+    const requestHost = normalizeHostname(requestUrl.hostname);
+    const configHost = normalizeHostname(params.gatewayHost);
+    if (isLoopbackHostname(originHost) && isLoopbackHostname(requestHost)) return true;
+    if (!originHost || originHost !== requestHost) return false;
+    const originPort = originUrl.port || defaultPortForProtocol(originUrl.protocol);
+    const allowedPorts = new Set([
+        String(params.gatewayPort)
+    ]);
+    if (params.controlUiEnabled) allowedPorts.add(String(params.controlUiPort));
+    if ("0.0.0.0" === configHost || "::" === configHost) return allowedPorts.has(originPort);
+    if (originHost !== configHost) return false;
+    return allowedPorts.has(originPort);
 }
 function resolveExecutionWorkspaceOverride(payload) {
     const rawWorkspace = payload?.execution?.workspace;
@@ -72,6 +126,7 @@ class GatewayServer {
         this.startedAt = Date.now();
         this.internalHooks = new InternalHookRegistry(this.getHttpContext(), this.wingmanConfig.hooks);
         await this.internalHooks.load();
+        if (this.config.auth?.allowTailscale && !isLoopbackHostname(this.config.host)) this.log("warn", "Tailscale header-based auth bypass is disabled on non-loopback gateway hosts; use token/password auth instead.");
         this.server = Bun.serve({
             port: this.config.port,
             hostname: this.config.host,
@@ -79,10 +134,21 @@ class GatewayServer {
                 const url = new URL(req.url);
                 if ("/health" === url.pathname) return this.handleHealthCheck();
                 if ("/stats" === url.pathname) return this.handleStats();
-                if ("/bridge/send" === url.pathname) return this.handleBridgeSend(req);
-                if ("/bridge/poll" === url.pathname) return this.handleBridgePoll(req);
+                if ("/bridge/send" === url.pathname) {
+                    const authFailure = this.requireHttpAuth(req);
+                    if (authFailure) return authFailure;
+                    return this.handleBridgeSend(req);
+                }
+                if ("/bridge/poll" === url.pathname) {
+                    const authFailure = this.requireHttpAuth(req);
+                    if (authFailure) return authFailure;
+                    return this.handleBridgePoll(req);
+                }
                 if ("/ws" === url.pathname) {
-                    const tailscaleUser = req.headers.get("tailscale-user-login") || req.headers.get("ts-user-login") || void 0;
+                    if (!this.isRequestOriginAllowed(req, url)) return new Response("Forbidden origin", {
+                        status: 403
+                    });
+                    const tailscaleUser = this.resolveTrustedTailscaleUser(req);
                     const upgraded = server.upgrade(req, {
                         data: {
                             nodeId: "",
@@ -272,6 +338,18 @@ class GatewayServer {
                 case "direct":
                     this.handleDirect(ws, msg);
                     break;
+                case "req:node":
+                    this.handleNodeRequest(ws, msg);
+                    break;
+                case "event:node":
+                    this.handleNodeResponse(ws, msg);
+                    break;
+                case "res":
+                    this.handleNodeResponse(ws, msg);
+                    break;
+                case "error":
+                    this.handleNodeResponse(ws, msg);
+                    break;
                 case "ping":
                     this.handlePing(ws, msg);
                     break;
@@ -293,6 +371,7 @@ class GatewayServer {
             this.nodeManager.unregisterNode(nodeId);
             this.log("info", `Node disconnected: ${nodeId}`);
         }
+        this.cleanupPendingNodeRequestsForSocket(ws);
         this.connectedClients.delete(ws);
         this.clearSessionSubscriptions(ws);
         this.cancelSocketAgentRequests(ws);
@@ -321,8 +400,21 @@ class GatewayServer {
             ws.close();
             return;
         }
-        ws.data.clientId = msg.client.instanceId;
-        ws.data.clientType = msg.client.clientType;
+        const clientId = normalizeClientIdentifier(msg.client.instanceId, CLIENT_ID_PATTERN);
+        const clientType = normalizeClientIdentifier(msg.client.clientType, CLIENT_TYPE_PATTERN);
+        if (!clientId || !clientType) {
+            this.sendMessage(ws, {
+                type: "res",
+                id: msg.id,
+                ok: false,
+                payload: "invalid client info",
+                timestamp: Date.now()
+            });
+            ws.close();
+            return;
+        }
+        ws.data.clientId = clientId;
+        ws.data.clientType = clientType;
         ws.data.authenticated = true;
         this.connectedClients.add(ws);
         this.sendMessage(ws, {
@@ -517,7 +609,11 @@ class GatewayServer {
             terminalSessionManager: this.terminalSessionManager,
             workdir,
             defaultOutputDir,
-            mcpProxyConfig: this.wingmanConfig.gateway?.mcpProxy
+            mcpProxyConfig: this.wingmanConfig.gateway?.mcpProxy,
+            nodeInvoker: (request)=>this.invokeNodeTool(ws, request),
+            nodeDefaultTargetClientId: "desktop" === ws.data.clientType ? ws.data.clientId : void 0,
+            nodeConnectedIdsProvider: ()=>this.listConnectedNodeIdsForRequester(ws),
+            nodeConnectedTargetsProvider: ()=>this.listConnectedNodeTargetsForRequester(ws)
         });
         const abortController = new AbortController();
         this.activeAgentRequests.set(msg.id, {
@@ -673,14 +769,19 @@ class GatewayServer {
     }
     handleRegister(ws, msg) {
         const payload = msg.payload;
-        if (!this.auth.validate({
+        const hasSessionAuth = true === ws.data.authenticated;
+        const hasPayloadAuth = this.auth.validate({
             token: payload.token
-        }, ws.data.tailscaleUser)) {
+        }, ws.data.tailscaleUser);
+        if (!hasSessionAuth && !hasPayloadAuth) {
             this.sendError(ws, "AUTH_FAILED", "Authentication failed");
             ws.close();
             return;
         }
-        const node = this.nodeManager.registerNode(ws, payload.name, payload.capabilities, payload.sessionId, payload.agentName);
+        const clientId = ws.data.clientId?.trim();
+        const requiresNodeApproval = this.nodePairingRequired && includesNodeExecutionCapability(payload.capabilities);
+        if (requiresNodeApproval && (!clientId || !this.nodeApprovalStore.isEnabled(clientId))) return void this.sendError(ws, "NODE_NOT_ENABLED", "This client is not approved for node execution");
+        const node = this.nodeManager.registerNode(ws, payload.name, payload.capabilities, payload.sessionId, payload.agentName, clientId);
         if (!node) {
             this.sendError(ws, "MAX_NODES_REACHED", "Maximum nodes reached");
             ws.close();
@@ -697,6 +798,7 @@ class GatewayServer {
             },
             timestamp: Date.now()
         });
+        if (clientId) this.nodeApprovalStore.markSeen(clientId, payload.name);
         const sessionInfo = node.sessionId ? ` (session: ${node.sessionId})` : "";
         this.log("info", `Node registered: ${node.id} (${node.name})${sessionInfo}`);
     }
@@ -737,6 +839,7 @@ class GatewayServer {
             this.nodeManager.unregisterNode(nodeId);
             this.log("info", `Node unregistered: ${nodeId}`);
         }
+        this.cleanupPendingNodeRequestsForSocket(ws);
     }
     handleJoinGroup(ws, msg) {
         const nodeId = ws.data.nodeId;
@@ -803,6 +906,77 @@ class GatewayServer {
         const sent = this.nodeManager.sendToNode(payload.targetNodeId, directMsg);
         if (!sent) this.sendError(ws, "NODE_NOT_FOUND", "Target node not found");
     }
+    handleNodeRequest(ws, msg) {
+        if (!ws.data.authenticated) return void this.sendError(ws, "AUTH_REQUIRED", "Client is not authenticated");
+        if (!msg.id) return void this.sendError(ws, "INVALID_REQUEST", "Node request id is required");
+        const targetNodeId = "string" == typeof msg.targetNodeId ? msg.targetNodeId.trim() : "";
+        if (!targetNodeId) return void this.sendError(ws, "INVALID_REQUEST", "targetNodeId is required");
+        const target = this.nodeManager.getNode(targetNodeId);
+        if (!target) return void this.sendError(ws, "NODE_NOT_FOUND", "Target node not found");
+        if (!this.isNodeApprovedForExecution(target.clientId)) return void this.sendError(ws, "NODE_REVOKED", "Target node has been revoked");
+        if (this.pendingNodeRequests.has(msg.id)) return void this.sendError(ws, "DUPLICATE_REQUEST_ID", "Node request id is already in use");
+        if (this.pendingNodeRequests.size >= MAX_PENDING_NODE_REQUESTS) return void this.sendError(ws, "NODE_REQUEST_OVERLOADED", "Too many pending node requests");
+        const timeoutMs = this.resolveNodeRequestTimeout(msg.payload);
+        const pendingRequest = {
+            id: msg.id,
+            requester: ws,
+            targetNodeId,
+            createdAt: Date.now()
+        };
+        pendingRequest.timeoutHandle = setTimeout(()=>{
+            if (!this.pendingNodeRequests.has(msg.id)) return;
+            this.clearPendingNodeRequest(msg.id, new Error(`Node request timed out after ${timeoutMs}ms`));
+            this.sendMessageWithRetry(ws, {
+                type: "error",
+                id: msg.id,
+                payload: {
+                    code: "NODE_TIMEOUT",
+                    message: `Node request timed out after ${timeoutMs}ms`
+                },
+                timestamp: Date.now()
+            });
+        }, timeoutMs);
+        this.pendingNodeRequests.set(msg.id, pendingRequest);
+        const forwarded = {
+            type: "req:node",
+            id: msg.id,
+            clientId: ws.data.clientId || ws.data.nodeId || "gateway",
+            targetNodeId,
+            payload: msg.payload,
+            timestamp: Date.now()
+        };
+        const sent = this.nodeManager.sendToNode(targetNodeId, forwarded);
+        if (!sent) {
+            this.clearPendingNodeRequest(msg.id);
+            this.sendError(ws, "NODE_NOT_FOUND", "Target node not found");
+        }
+    }
+    handleNodeResponse(ws, msg) {
+        if (!msg.id) return;
+        const pending = this.pendingNodeRequests.get(msg.id);
+        if (!pending) return;
+        const sourceNodeId = ws.data.nodeId;
+        if (!sourceNodeId || sourceNodeId !== pending.targetNodeId) return void this.sendError(ws, "NODE_RESPONSE_REJECTED", "Only the target node may respond to this request");
+        const forwarded = {
+            ...msg,
+            nodeId: sourceNodeId,
+            timestamp: Date.now()
+        };
+        if (pending.requester) this.sendMessageWithRetry(pending.requester, forwarded);
+        if ("res" === msg.type) {
+            if (false === msg.ok) pending.reject?.(new Error(this.extractNodeErrorMessage(msg)));
+            else pending.resolve?.({
+                nodeId: sourceNodeId,
+                payload: msg.payload
+            });
+            this.clearPendingNodeRequest(msg.id);
+            return;
+        }
+        if ("error" === msg.type) {
+            pending.reject?.(new Error(this.extractNodeErrorMessage(msg)));
+            this.clearPendingNodeRequest(msg.id);
+        }
+    }
     handlePing(ws, msg) {
         const nodeId = ws.data.nodeId;
         if (nodeId) this.nodeManager.updatePing(nodeId);
@@ -815,6 +989,127 @@ class GatewayServer {
         const nodeId = ws.data.nodeId;
         if (nodeId) this.nodeManager.updatePing(nodeId);
     }
+    cleanupPendingNodeRequestsForSocket(ws) {
+        for (const [requestId, pending] of this.pendingNodeRequests)if (pending.requester === ws || pending.targetNodeId === ws.data.nodeId) this.clearPendingNodeRequest(requestId, new Error("Node request cancelled due to disconnect"));
+    }
+    clearPendingNodeRequest(requestId, error) {
+        const pending = this.pendingNodeRequests.get(requestId);
+        if (!pending) return;
+        this.pendingNodeRequests.delete(requestId);
+        if (pending.timeoutHandle) clearTimeout(pending.timeoutHandle);
+        if (error) pending.reject?.(error);
+    }
+    extractNodeErrorMessage(msg) {
+        const payload = msg.payload;
+        if (payload && "object" == typeof payload && !Array.isArray(payload) && "string" == typeof payload.message) return String(payload.message);
+        if ("string" == typeof payload && payload.trim()) return payload;
+        return "Node invocation failed";
+    }
+    isNodeApprovedForExecution(clientId) {
+        if (!this.nodePairingRequired) return true;
+        const trimmed = "string" == typeof clientId ? clientId.trim() : "";
+        if (!trimmed) return false;
+        return this.nodeApprovalStore.isEnabled(trimmed);
+    }
+    listConnectedNodeIdsForRequester(requester) {
+        return this.listConnectedNodeTargetsForRequester(requester).map((node)=>node.nodeId);
+    }
+    listConnectedNodeTargetsForRequester(requester) {
+        const requesterClientId = "desktop" === requester.data.clientType ? requester.data.clientId?.trim() || "" : "";
+        const nodes = this.nodeManager.getAllNodes().filter((node)=>{
+            if (!this.isNodeApprovedForExecution(node.clientId)) return false;
+            if (!includesNodeExecutionCapability(node.capabilities)) return false;
+            return true;
+        }).sort((a, b)=>b.connectedAt - a.connectedAt);
+        const preferred = requesterClientId ? nodes.filter((node)=>node.clientId === requesterClientId) : [];
+        const others = requesterClientId ? nodes.filter((node)=>node.clientId !== requesterClientId) : nodes;
+        return [
+            ...preferred,
+            ...others
+        ].map((node)=>({
+                nodeId: node.id,
+                clientId: node.clientId,
+                name: node.name,
+                capabilities: Array.isArray(node.capabilities) ? node.capabilities.filter((capability)=>"string" == typeof capability) : void 0
+            }));
+    }
+    resolveNodeRequestTimeout(payload) {
+        let requestedTimeout;
+        if (payload && "object" == typeof payload && !Array.isArray(payload)) {
+            const timeoutValue = payload.timeoutMs;
+            if ("number" == typeof timeoutValue && Number.isFinite(timeoutValue)) requestedTimeout = Math.trunc(timeoutValue);
+        }
+        const timeout = requestedTimeout ?? DEFAULT_NODE_REQUEST_TIMEOUT_MS;
+        return Math.min(Math.max(timeout, MIN_NODE_REQUEST_TIMEOUT_MS), MAX_NODE_REQUEST_TIMEOUT_MS);
+    }
+    resolveNodeTarget(request, defaultTargetClientId) {
+        const requiredCapability = "string" == typeof request.capability ? request.capability.trim() : "";
+        const targetNodeId = "string" == typeof request.targetNodeId ? request.targetNodeId.trim() : "";
+        const targetClientId = ("string" == typeof request.targetClientId ? request.targetClientId.trim() : "") || defaultTargetClientId?.trim() || "";
+        const canUseNode = (node)=>{
+            if (!this.isNodeApprovedForExecution(node.clientId)) return false;
+            if (!requiredCapability) return true;
+            return Array.isArray(node.capabilities) && node.capabilities.includes(requiredCapability);
+        };
+        if (targetNodeId) {
+            const node = this.nodeManager.getNode(targetNodeId);
+            if (!node) throw new Error("Target node not found");
+            if (!canUseNode(node)) throw new Error(requiredCapability ? `Target node does not support capability ${requiredCapability}` : "Target node is not available");
+            return {
+                nodeId: node.id
+            };
+        }
+        let candidates = this.nodeManager.getAllNodes().filter((node)=>canUseNode(node));
+        if (targetClientId) {
+            candidates = candidates.filter((node)=>node.clientId === targetClientId);
+            if (0 === candidates.length) throw new Error(`No available node found for client ${targetClientId}`);
+        }
+        if (0 === candidates.length) throw new Error(requiredCapability ? `No available node supports capability ${requiredCapability}` : "No available node found");
+        candidates.sort((a, b)=>b.connectedAt - a.connectedAt);
+        const selected = candidates[0];
+        return {
+            nodeId: selected.id
+        };
+    }
+    async invokeNodeTool(requester, request) {
+        if (!requester.data.authenticated) throw new Error("Client is not authenticated");
+        const toolName = request.tool;
+        if ("system.notify" !== toolName && "system.run" !== toolName) throw new Error(`Unsupported node tool: ${toolName}`);
+        const timeoutMsRaw = "number" == typeof request.timeoutMs ? Math.trunc(request.timeoutMs) : DEFAULT_NODE_REQUEST_TIMEOUT_MS;
+        const timeoutMs = Math.min(Math.max(timeoutMsRaw, MIN_NODE_REQUEST_TIMEOUT_MS), MAX_NODE_REQUEST_TIMEOUT_MS);
+        if (this.pendingNodeRequests.size >= MAX_PENDING_NODE_REQUESTS) throw new Error("Too many pending node requests");
+        const target = this.resolveNodeTarget(request, "desktop" === requester.data.clientType ? requester.data.clientId : void 0);
+        let requestId = "";
+        do requestId = `node-tool-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        while (this.pendingNodeRequests.has(requestId));
+        return await new Promise((resolve, reject)=>{
+            const pending = {
+                id: requestId,
+                targetNodeId: target.nodeId,
+                createdAt: Date.now(),
+                resolve,
+                reject
+            };
+            pending.timeoutHandle = setTimeout(()=>{
+                this.clearPendingNodeRequest(requestId, new Error(`Node invocation timed out after ${timeoutMs}ms`));
+            }, timeoutMs);
+            this.pendingNodeRequests.set(requestId, pending);
+            const forwarded = {
+                type: "req:node",
+                id: requestId,
+                clientId: requester.data.clientId || requester.data.nodeId || "gateway",
+                targetNodeId: target.nodeId,
+                payload: {
+                    tool: toolName,
+                    args: request.args || {},
+                    timeoutMs
+                },
+                timestamp: Date.now()
+            };
+            const sent = this.nodeManager.sendToNode(target.nodeId, forwarded);
+            if (!sent) this.clearPendingNodeRequest(requestId, new Error("Target node not found"));
+        });
+    }
     sendMessage(ws, message) {
         try {
             const result = ws.send(JSON.stringify(message));
@@ -1179,15 +1474,87 @@ class GatewayServer {
                 break;
         }
     }
+    isRequestOriginAllowed(req, url) {
+        const origin = req.headers.get("origin");
+        if (!origin) return true;
+        return isGatewayOriginAllowed({
+            origin,
+            requestUrl: url,
+            gatewayHost: this.config.host,
+            gatewayPort: this.config.port,
+            controlUiEnabled: this.controlUiEnabled,
+            controlUiPort: this.controlUiPort
+        });
+    }
+    withApiCors(req, url, response) {
+        const headers = new Headers(response.headers);
+        for (const [key, value] of Object.entries(API_CORS_HEADERS))headers.set(key, value);
+        const existingVary = headers.get("Vary");
+        if (existingVary) {
+            if (!existingVary.toLowerCase().includes("origin")) headers.set("Vary", `${existingVary}, Origin`);
+        } else headers.set("Vary", "Origin");
+        const origin = req.headers.get("origin");
+        if (origin && this.isRequestOriginAllowed(req, url)) headers.set("Access-Control-Allow-Origin", origin);
+        return new Response(response.body, {
+            status: response.status,
+            statusText: response.statusText,
+            headers
+        });
+    }
+    resolveTrustedTailscaleUser(req) {
+        if (!this.config.auth?.allowTailscale) return;
+        if (!isLoopbackHostname(this.config.host)) return;
+        const raw = req.headers.get("tailscale-user-login") || req.headers.get("ts-user-login") || "";
+        const normalized = raw.trim();
+        if (!normalized) return;
+        if (normalized.length > 256) return;
+        if (!/^[a-zA-Z0-9._:@+-]+$/.test(normalized)) return;
+        return normalized;
+    }
+    resolveHttpAuthPayload(req) {
+        const authorization = req.headers.get("authorization") || "";
+        let bearerToken;
+        if (authorization.toLowerCase().startsWith("bearer ")) {
+            const value = authorization.slice(7).trim();
+            bearerToken = value || void 0;
+        }
+        const headerToken = req.headers.get("x-wingman-token")?.trim();
+        const password = req.headers.get("x-wingman-password")?.trim();
+        return {
+            token: headerToken || bearerToken,
+            password: password || void 0
+        };
+    }
+    requireHttpAuth(req) {
+        if (!this.auth.isAuthRequired()) return null;
+        const tailscaleUser = this.resolveTrustedTailscaleUser(req);
+        const authPayload = this.resolveHttpAuthPayload(req);
+        const allowed = this.auth.validate(authPayload, tailscaleUser);
+        if (allowed) return null;
+        return new Response("Unauthorized", {
+            status: 401,
+            headers: {
+                "WWW-Authenticate": 'Bearer realm="wingman-gateway"'
+            }
+        });
+    }
     async handleUiRequest(req) {
         const url = new URL(req.url);
         const ctx = this.getHttpContext();
         const webhookResponse = await handleWebhookInvoke(ctx, this.webhookStore, req, url);
         if (webhookResponse) return webhookResponse;
         if (url.pathname.startsWith("/api/")) {
-            if ("OPTIONS" === req.method) return withApiCors(new Response(null, {
+            if (!this.isRequestOriginAllowed(req, url)) return this.withApiCors(req, url, new Response("Forbidden origin", {
+                status: 403
+            }));
+            if ("OPTIONS" === req.method) return this.withApiCors(req, url, new Response(null, {
                 status: 204
             }));
+            const publicApiRoute = "/api/config" === url.pathname || "/api/health" === url.pathname;
+            if (!publicApiRoute) {
+                const authFailure = this.requireHttpAuth(req);
+                if (authFailure) return this.withApiCors(req, url, authFailure);
+            }
             if ("/api/config" === url.pathname) {
                 const agents = this.wingmanConfig.agents?.list?.map((agent)=>({
                         id: agent.id,
@@ -1195,7 +1562,7 @@ class GatewayServer {
                         default: agent.default
                     })) || [];
                 const defaultAgentId = this.router.selectAgent();
-                return withApiCors(new Response(JSON.stringify({
+                return this.withApiCors(req, url, new Response(JSON.stringify({
                     gatewayHost: this.config.host,
                     gatewayPort: this.config.port,
                     requireAuth: this.auth.isAuthRequired(),
@@ -1210,11 +1577,11 @@ class GatewayServer {
                     }
                 }));
             }
-            const apiResponse = await handleWebhooksApi(ctx, this.webhookStore, req, url) || await handleRoutinesApi(ctx, this.routineStore, req, url) || await handleAgentsApi(ctx, req, url) || await handleProvidersApi(ctx, req, url) || await handleVoiceApi(ctx, req, url) || await handleFsApi(ctx, req, url) || await handleSessionsApi(ctx, req, url);
-            if (apiResponse) return withApiCors(apiResponse);
-            if ("/api/health" === url.pathname) return withApiCors(this.handleHealthCheck());
-            if ("/api/stats" === url.pathname) return withApiCors(this.handleStats());
-            return withApiCors(new Response("Not Found", {
+            const apiResponse = await handleWebhooksApi(ctx, this.webhookStore, req, url) || await handleRoutinesApi(ctx, this.routineStore, req, url) || await handleNodesApi(ctx, this.nodeManager, this.nodeApprovalStore, req, url) || await handleAgentsApi(ctx, req, url) || await handleProvidersApi(ctx, req, url) || await handleVoiceApi(ctx, req, url) || await handleFsApi(ctx, req, url) || await handleSessionsApi(ctx, req, url);
+            if (apiResponse) return this.withApiCors(req, url, apiResponse);
+            if ("/api/health" === url.pathname) return this.withApiCors(req, url, this.handleHealthCheck());
+            if ("/api/stats" === url.pathname) return this.withApiCors(req, url, this.handleStats());
+            return this.withApiCors(req, url, new Response("Not Found", {
                 status: 404
             }));
         }
@@ -1280,6 +1647,15 @@ class GatewayServer {
             const validatedMessage = validation.data;
             if ("register" === validatedMessage.type) {
                 const payload = validatedMessage.payload;
+                const maxBridgeNodes = this.config.maxNodes || 1000;
+                if (this.bridgeQueues.size >= maxBridgeNodes) return new Response(JSON.stringify({
+                    error: "Bridge capacity reached"
+                }), {
+                    status: 429,
+                    headers: {
+                        "Content-Type": "application/json"
+                    }
+                });
                 const nodeId = this.generateNodeId();
                 this.bridgeQueues.set(nodeId, []);
                 const response = {
@@ -1411,6 +1787,7 @@ class GatewayServer {
         _define_property(this, "browserRelayServer", null);
         _define_property(this, "webhookStore", void 0);
         _define_property(this, "routineStore", void 0);
+        _define_property(this, "nodeApprovalStore", void 0);
         _define_property(this, "internalHooks", null);
         _define_property(this, "discordAdapter", null);
         _define_property(this, "sessionSubscriptions", new Map());
@@ -1420,7 +1797,9 @@ class GatewayServer {
         _define_property(this, "activeSessionRequests", new Map());
         _define_property(this, "queuedSessionRequests", new Map());
         _define_property(this, "requestSessionKeys", new Map());
+        _define_property(this, "pendingNodeRequests", new Map());
         _define_property(this, "terminalSessionManager", void 0);
+        _define_property(this, "nodePairingRequired", void 0);
         _define_property(this, "bridgeQueues", new Map());
         _define_property(this, "bridgePollWaiters", new Map());
         this.workspace = config.workspace || process.cwd();
@@ -1430,6 +1809,7 @@ class GatewayServer {
         this.router = new GatewayRouter(this.wingmanConfig);
         this.webhookStore = createWebhookStore(()=>this.resolveConfigDirPath());
         this.routineStore = createRoutineStore(()=>this.resolveConfigDirPath());
+        this.nodeApprovalStore = createNodeApprovalStore(()=>this.resolveConfigDirPath());
         const gatewayDefaults = this.wingmanConfig.gateway;
         const envToken = getGatewayTokenFromEnv();
         const authFromConfig = config.auth?.mode === "token" ? {
@@ -1469,6 +1849,7 @@ class GatewayServer {
         const controlUi = this.wingmanConfig.gateway?.controlUi;
         this.controlUiEnabled = controlUi?.enabled ?? false;
         this.controlUiPort = controlUi?.port || 18790;
+        this.nodePairingRequired = controlUi?.pairingRequired ?? true;
         this.controlUiSamePort = this.controlUiEnabled && this.controlUiPort === this.config.port;
         this.uiDistDir = this.controlUiEnabled ? this.resolveControlUiDir() : null;
         const relayConfig = this.wingmanConfig.browser?.relay;
@@ -1525,4 +1906,4 @@ function isFileAttachment(attachment) {
     if ("file" === attachment.kind) return true;
     return "string" == typeof attachment.textContent;
 }
-export { GatewayServer, resolveExecutionConfigDirOverride, resolveExecutionWorkspaceOverride };
+export { GatewayServer, isGatewayOriginAllowed, isLoopbackHostname, resolveExecutionConfigDirOverride, resolveExecutionWorkspaceOverride };