@wipcomputer/wip-ldm-os 0.4.85-alpha.3 → 0.4.85-alpha.30

package/src/hosted-mcp/README.md

@@ -0,0 +1,37 @@
+# Hosted MCP And Relay
+
+This directory contains the public source for the hosted WIP relay that serves `wip.computer`.
+
+It includes:
+
+- OAuth, passkey, and hosted MCP routes in `server.mjs`;
+- Codex Remote Control relay routes under `/api/codex-relay/*`;
+- nginx snippets for the relay, MCP, and site proxy;
+- Prisma schema and migrations for Postgres-backed account, API key, passkey, device, and wallet state;
+- PM2 and deploy helpers for the WIP-operated VPS.
+
+WIP runs the production hosted relay so user setup is easy and works across networks. The source is public so users can inspect the relay path and build their own infrastructure.
+
+## Codex Remote Control WebSocket Abuse Limits
+
+The browser relay path enforces app-layer limits after a Remote Control ticket attaches:
+
+- max browser frame bytes;
+- max messages per rate window;
+- max browser bytes per rate window;
+- max malformed browser frames;
+- max pending bytes on the daemon socket before forwarding;
+- max browser sockets per `(tenant id, thread id)`;
+- idle connection TTL;
+- env-driven operator kill switch for all tenants or selected tenant ids.
+
+Violation logs are metadata-only: reason, tenant id, thread id, and a generated connection id. The relay does not inspect decrypted Remote Control payloads.
+
+Operational notes:
+
+- rate windows are tumbling windows, not sliding windows, so short bursts can straddle a window boundary;
+- kill switch environment changes take effect after the hosted relay process reloads;
+- idle close runs on a timer, so the close can happen up to one polling interval after the configured TTL;
+- daemon-to-browser Codex output is intentionally not throughput-limited in this browser-abuse slice.
+
+For the self-hosting shape, read [docs/self-host.md](docs/self-host.md).

package/src/hosted-mcp/app/footer.js

@@ -0,0 +1,74 @@
+// Shared footer for all Kaleidoscope pages (production-owned).
+// Include with: <div id="kscope-footer"></div><script src="/app/footer.js"></script>
+(function() {
+  var container = document.getElementById('kscope-footer');
+  if (!container) return;
+
+  var mobile = navigator.maxTouchPoints > 0 && window.innerWidth < 768;
+
+  // Desktop: fixed at bottom. Mobile: in page flow (below fold).
+  if (mobile) {
+    container.style.cssText = 'background:#FFFDF5;padding:16px 0;';
+  } else {
+    container.style.cssText = 'position:fixed;bottom:0;left:0;right:0;background:#FFFDF5;padding:16px 0;';
+  }
+
+  var inner = document.createElement('div');
+  inner.style.cssText = 'max-width:980px;margin:0 auto;padding:0 24px;border-top:1px solid rgba(0,0,0,0.06);padding-top:16px;text-align:left;font-size:13px;color:#a8a4a0;line-height:1.6;';
+
+  // On mobile, copyright and links on separate lines (like Apple)
+  if (mobile) {
+    inner.innerHTML = '<p style="margin:0;">WIP Computer, Inc.</p>'
+      + '<p style="margin:2px 0 0;">Learning Dreaming Machines</p>'
+      + '<p style="margin:8px 0 0;">Copyright &copy; 2026 WIP Computer, Inc. All rights reserved.</p>'
+      + '<p style="margin:4px 0 0;">'
+      + '<a href="/legal/privacy/en-ww/" style="color:#a8a4a0;text-decoration:none;">Privacy Policy</a> &nbsp;|&nbsp; '
+      + '<a href="/legal/internet-services/terms/site.html" style="color:#a8a4a0;text-decoration:none;">Terms of Use</a></p>'
+      + '<p style="margin:4px 0 0;">'
+      + '<a href="/agent.txt" style="color:#a8a4a0;text-decoration:none;">Are you an AI Agent?</a></p>'
+      + '<p style="margin:4px 0 0;">Made in California.</p>';
+  } else {
+    inner.innerHTML = '<p style="margin:0;">WIP Computer, Inc.</p>'
+      + '<p style="margin:2px 0 0;">Learning Dreaming Machines</p>'
+      + '<p style="margin:8px 0 0;">Copyright &copy; 2026 WIP Computer, Inc. All rights reserved. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'
+      + '<a href="/legal/privacy/en-ww/" style="color:#a8a4a0;text-decoration:none;">Privacy Policy</a> &nbsp;|&nbsp; '
+      + '<a href="/legal/internet-services/terms/site.html" style="color:#a8a4a0;text-decoration:none;">Terms of Use</a></p>'
+      + '<p style="margin:4px 0 0;">'
+      + '<a href="/agent.txt" style="color:#a8a4a0;text-decoration:none;">Are you an AI Agent?</a> &nbsp;|&nbsp; '
+      + '<a id="localPasskeysToggle" onclick="toggleLocalPasskeys()" style="color:#a8a4a0;text-decoration:none;cursor:pointer;display:inline-flex;align-items:center;gap:4px;vertical-align:middle;">'
+      + '<span id="passkeys-dot" style="display:inline-block;width:8px;height:8px;border-radius:50%;"></span> '
+      + '<span id="passkeys-label">Local passkeys off</span></a></p>'
+      + '<p style="margin:4px 0 0;">Made in California.</p>';
+  }
+
+  container.appendChild(inner);
+
+  // Local passkeys toggle
+  if (!window.isLocalPasskeysOn) {
+    window.isLocalPasskeysOn = function() { return localStorage.getItem('localPasskeys') === 'on'; };
+  }
+  if (!window.toggleLocalPasskeys) {
+    window.toggleLocalPasskeys = function() {
+      var on = isLocalPasskeysOn();
+      localStorage.setItem('localPasskeys', on ? 'off' : 'on');
+      updatePasskeysDot();
+    };
+  }
+  if (!window.updatePasskeysDot) {
+    window.updatePasskeysDot = function() {
+      var dot = document.getElementById('passkeys-dot');
+      var label = document.getElementById('passkeys-label');
+      if (!dot) return;
+      if (isLocalPasskeysOn()) {
+        dot.style.background = '#2E7D32';
+        dot.style.opacity = '1';
+        if (label) label.textContent = 'Local passkeys on';
+      } else {
+        dot.style.background = '#D32F2F';
+        dot.style.opacity = '0.4';
+        if (label) label.textContent = 'Local passkeys off';
+      }
+    };
+  }
+  updatePasskeysDot();
+})();