@wolpertingerlabs/drawlatch 1.0.0-alpha.15.2 → 1.0.0-alpha.19

package/CONNECTIONS.md

@@ -23,6 +23,7 @@ Connection templates are loaded when a caller's session is established. Custom c
 
 | Connection      | API                                                                                           | Required Environment Variable(s)           | Auth Method                           |
 | --------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------ | ------------------------------------- |
+| `agentmail`     | [AgentMail API](https://docs.agentmail.to/api-reference)                                      | `AGENTMAIL_API_KEY`                        | Bearer token header (see note)        |
 | `anthropic`     | [Anthropic Claude API](https://docs.anthropic.com/en/api)                                     | `ANTHROPIC_API_KEY`                        | x-api-key header (see note)           |
 | `bluesky`       | [Bluesky API (AT Protocol)](https://docs.bsky.app/)                                           | `BLUESKY_ACCESS_TOKEN`                     | Bearer token header (see note)        |
 | `devin`         | [Devin AI API](https://docs.devin.ai/api-reference/overview)                                  | `DEVIN_API_KEY`                            | Bearer token header                   |
@@ -46,6 +47,8 @@ Connection templates are loaded when a caller's session is established. Custom c
 | `twitch`        | [Twitch Helix API](https://dev.twitch.tv/docs/api/reference/)                                 | `TWITCH_ACCESS_TOKEN`, `TWITCH_CLIENT_ID`  | Bearer + Client-Id headers (see note) |
 | `x`             | [X (Twitter) API v2](https://developer.x.com/en/docs/x-api)                                   | `X_BEARER_TOKEN`                           | Bearer token header (see note)        |
 
+> **AgentMail note:** AgentMail provides email infrastructure for AI agents (inboxes, messages, threads, drafts). All endpoints live under the `/v0` path on `api.agentmail.to` and use a standard `Authorization: Bearer ${AGENTMAIL_API_KEY}` header. Create an API key in the [AgentMail Console](https://console.agentmail.to). AgentMail can deliver inbound email in real time via Svix-signed webhooks, but that is not yet wired up as a drawlatch ingestor — this connection currently covers the REST API only.
+
 > **Anthropic note:** The Anthropic API uses a custom `x-api-key` header instead of the standard `Authorization: Bearer` pattern. The `anthropic-version` header is pinned to `2023-06-01`. To use a different API version, override with a custom route.
 
 > **GitHub note:** The `github` connection includes a **webhook ingestor** for real-time events (push, pull_request, issues, etc.). Set `GITHUB_WEBHOOK_SECRET` to the webhook signing secret configured in your GitHub repository's webhook settings, then point the webhook URL to `https://<your-server>/webhooks/github`. Events are buffered and retrievable via `poll_events`. The server must be publicly accessible (or behind a tunnel like ngrok/Cloudflare Tunnel) to receive webhook POSTs. If you don't need webhook ingestion, the `GITHUB_WEBHOOK_SECRET` env var can be left unset — the REST API functionality works independently.

package/README.md

@@ -2,13 +2,13 @@
 
 > **Alpha Software:** Expect breaking changes between updates.
 
-Drawlatch is a config-driven proxy that gives AI agents authenticated access to external APIs. Define your connections and secrets in a single config file — agents get structured, allowlisted access to 22 pre-built APIs without ever seeing your credentials.
+Drawlatch is a config-driven proxy that gives AI agents authenticated access to external APIs. Define your connections and secrets in a single config file — agents get structured, allowlisted access to 23 pre-built APIs without ever seeing your credentials.
 
 **Using [Callboard](https://github.com/WolpertingerLabs/callboard)?** Drawlatch is built in — Callboard manages connections, secrets, and agent identities through its UI. You don't need to set up drawlatch separately.
 
 ## Key Features
 
-- **22 pre-built connections** — GitHub, Slack, Discord, Stripe, Notion, Linear, OpenAI, and [more](CONNECTIONS.md)
+- **23 pre-built connections** — GitHub, Slack, Discord, Stripe, Notion, Linear, OpenAI, and [more](CONNECTIONS.md)
 - **Endpoint allowlisting** — agents can only reach explicitly configured URL patterns
 - **Per-caller access control** — each agent identity sees only its assigned connections
 - **Real-time event ingestion** — WebSocket, webhook, and polling listeners for incoming events ([details](INGESTORS.md))
@@ -286,7 +286,7 @@ Useful for CI environments or running multiple independent setups on the same ma
 
 ## Connections
 
-22 pre-built connection templates ship with drawlatch. Reference them by name in a caller's `connections` list:
+23 pre-built connection templates ship with drawlatch. Reference them by name in a caller's `connections` list:
 
 | Connection | API | Required Env Var(s) |
 |------------|-----|---------------------|
@@ -486,7 +486,7 @@ npm run dev:mcp           # MCP proxy with hot reload
 ```
 src/
 ├── cli/                     # Key generation CLI
-├── connections/             # 22 pre-built route templates (JSON)
+├── connections/             # 23 pre-built route templates (JSON)
 ├── mcp/server.ts            # Local MCP proxy (stdio transport)
 ├── remote/
 │   ├── server.ts            # Remote secure server (Express)

package/dist/connections/messaging/agentmail.json

@@ -0,0 +1,21 @@
+{
+  "name": "AgentMail API",
+  "stability": "beta",
+  "category": "messaging",
+  "description": "AgentMail API — email infrastructure for AI agents. Create and manage inboxes, send and reply to messages, browse threads, and manage drafts and attachments. Auth is handled automatically via the AGENTMAIL_API_KEY environment variable using a Bearer token. All endpoints are under the /v0 path. Create an API key in the AgentMail Console (https://console.agentmail.to).",
+  "docsUrl": "https://docs.agentmail.to/api-reference",
+  "headers": {
+    "Authorization": "Bearer ${AGENTMAIL_API_KEY}",
+    "Content-Type": "application/json"
+  },
+  "secrets": {
+    "AGENTMAIL_API_KEY": "${AGENTMAIL_API_KEY}"
+  },
+  "allowedEndpoints": [
+    "https://api.agentmail.to/**"
+  ],
+  "testConnection": {
+    "url": "https://api.agentmail.to/v0/inboxes",
+    "description": "Lists inboxes to verify the API key"
+  }
+}

package/dist/remote/admin.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Loopback-only, read-only admin HTTP API for the drawlatch-ui dashboard.
+ *
+ * SECURITY non-negotiables (mirrored in /admin.test.ts):
+ *   - Never serializes Session.channel (AES keys) or ResolvedRoute.secrets.
+ *   - Never returns process.env values; only key names. Secret presence is
+ *     reported via `isSecretSetForCaller()` (booleans only).
+ *   - Caller `env` mappings (e.g. "GITHUB_TOKEN": "${ACME_GITHUB_TOKEN}") are
+ *     reduced to key-name lists — the value strings are NOT returned.
+ *   - No mutations: every endpoint is GET.
+ *   - No CORS. Loopback IS the trust boundary; the UI's local backend proxies.
+ */
+import express from 'express';
+import { type RemoteServerConfig } from '../shared/config.js';
+import type { IngestorManager } from './ingestors/index.js';
+import type { SessionSnapshot } from './server.js';
+export interface AdminRouterDeps {
+    /** Sanitized session snapshot — see Session in server.ts. */
+    getSessionsSnapshot: () => SessionSnapshot[];
+    /** Late-bound so tests can swap the manager without rebuilding the router. */
+    ingestorManager: () => IngestorManager;
+    /** Late-bound so changes to disk config are picked up between requests. */
+    loadConfig: () => RemoteServerConfig;
+    version: string;
+    port: number;
+    startedAt: number;
+}
+export declare function createAdminRouter(deps: AdminRouterDeps): express.Router;
+//# sourceMappingURL=admin.d.ts.map

package/dist/remote/admin.js

@@ -0,0 +1,232 @@
+/**
+ * Loopback-only, read-only admin HTTP API for the drawlatch-ui dashboard.
+ *
+ * SECURITY non-negotiables (mirrored in /admin.test.ts):
+ *   - Never serializes Session.channel (AES keys) or ResolvedRoute.secrets.
+ *   - Never returns process.env values; only key names. Secret presence is
+ *     reported via `isSecretSetForCaller()` (booleans only).
+ *   - Caller `env` mappings (e.g. "GITHUB_TOKEN": "${ACME_GITHUB_TOKEN}") are
+ *     reduced to key-name lists — the value strings are NOT returned.
+ *   - No mutations: every endpoint is GET.
+ *   - No CORS. Loopback IS the trust boundary; the UI's local backend proxies.
+ */
+import express from 'express';
+import fs from 'node:fs';
+import { getCallerKeysDir, getServerKeysDir, getEnvFilePath, getRemoteConfigPath, } from '../shared/config.js';
+import { listConnectionTemplates, loadConnection } from '../shared/connections.js';
+import { isSecretSetForCaller } from '../shared/env-utils.js';
+import { callerFingerprint } from '../shared/crypto/key-manager.js';
+import path from 'node:path';
+export function createAdminRouter(deps) {
+    const router = express.Router();
+    // ── /admin/meta ────────────────────────────────────────────────────────
+    router.get('/meta', (_req, res) => {
+        res.json({
+            version: deps.version,
+            port: deps.port,
+            pid: process.pid,
+            startedAt: deps.startedAt,
+            uptimeSec: Math.floor((Date.now() - deps.startedAt) / 1000),
+            configPath: getRemoteConfigPath(),
+            callerKeysDir: getCallerKeysDir(),
+            serverKeysDir: getServerKeysDir(),
+            envFilePath: getEnvFilePath(),
+        });
+    });
+    // ── /admin/health ──────────────────────────────────────────────────────
+    router.get('/health', (_req, res) => {
+        const statuses = deps.ingestorManager().getAllStatuses();
+        const counts = { connected: 0, error: 0, starting: 0, stopped: 0 };
+        for (const s of statuses) {
+            if (s.state === 'connected')
+                counts.connected++;
+            else if (s.state === 'error')
+                counts.error++;
+            else if (s.state === 'starting' || s.state === 'reconnecting')
+                counts.starting++;
+            else
+                counts.stopped++;
+        }
+        res.json({
+            status: 'ok',
+            activeSessions: deps.getSessionsSnapshot().length,
+            ingestorCounts: counts,
+            uptimeSec: Math.floor((Date.now() - deps.startedAt) / 1000),
+        });
+    });
+    // ── /admin/callers ─────────────────────────────────────────────────────
+    // Returns caller config metadata only — env values are reduced to key names.
+    router.get('/callers', (_req, res) => {
+        const config = deps.loadConfig();
+        const callersKeysDir = getCallerKeysDir();
+        const out = Object.entries(config.callers).map(([alias, caller]) => {
+            const keysDirExists = fs.existsSync(path.join(callersKeysDir, alias));
+            let fingerprint = null;
+            try {
+                fingerprint = keysDirExists ? callerFingerprint(alias) : null;
+            }
+            catch {
+                fingerprint = null;
+            }
+            return {
+                alias,
+                name: caller.name ?? null,
+                connections: caller.connections,
+                // Key names ONLY — never the mapping value strings.
+                envKeys: Object.keys(caller.env ?? {}),
+                fingerprint,
+                keysDirExists,
+            };
+        });
+        res.json(out);
+    });
+    // ── /admin/connections ─────────────────────────────────────────────────
+    // listConnectionTemplates already returns names-only — safe as-is.
+    router.get('/connections', (_req, res) => {
+        res.json(listConnectionTemplates());
+    });
+    // ── /admin/callers/:alias/connections ──────────────────────────────────
+    router.get('/callers/:alias/connections', (req, res) => {
+        const config = deps.loadConfig();
+        if (!(req.params.alias in config.callers)) {
+            res.status(404).json({ error: `Unknown caller: ${req.params.alias}` });
+            return;
+        }
+        const caller = config.callers[req.params.alias];
+        const templates = listConnectionTemplates();
+        const tplMap = new Map(templates.map((t) => [t.alias, t]));
+        const customMap = new Map((config.connectors ?? []).map((c) => [c.alias, c]));
+        const out = caller.connections.map((connectionAlias) => {
+            const tpl = tplMap.get(connectionAlias);
+            const customRoute = customMap.get(connectionAlias);
+            const isCustom = !tpl;
+            const requiredNames = tpl?.requiredSecrets ?? [];
+            const optionalNames = tpl?.optionalSecrets ?? [];
+            const requiredSecrets = requiredNames.map((name) => ({
+                name,
+                present: isSecretSetForCaller(name, req.params.alias, caller.env),
+            }));
+            const optionalSecrets = optionalNames.map((name) => ({
+                name,
+                present: isSecretSetForCaller(name, req.params.alias, caller.env),
+            }));
+            // Resolve listenerConfig so we can identify ListenerConfigField.type === 'secret'
+            // fields and strip them from the params projection. Without this, a future
+            // template that declares a 'secret' field would silently leak the value via
+            // the ...ov.params spread below.
+            let listenerConfig;
+            if (customRoute) {
+                listenerConfig = customRoute.listenerConfig;
+            }
+            else if (tpl) {
+                try {
+                    listenerConfig = loadConnection(connectionAlias).listenerConfig;
+                }
+                catch {
+                    listenerConfig = undefined;
+                }
+            }
+            const secretFieldKeys = new Set((listenerConfig?.fields ?? []).filter((f) => f.type === 'secret').map((f) => f.key));
+            // Multi-instance projection — drop anything that could carry secrets.
+            const instancesMap = caller.listenerInstances?.[connectionAlias] ?? {};
+            const instances = Object.entries(instancesMap).map(([instanceId, ov]) => {
+                const safeParams = ov.params !== undefined
+                    ? Object.fromEntries(Object.entries(ov.params).filter(([k]) => !secretFieldKeys.has(k)))
+                    : undefined;
+                return {
+                    instanceId,
+                    enabled: ov.disabled !== true,
+                    params: {
+                        ...(ov.intents !== undefined && { intents: ov.intents }),
+                        ...(ov.eventFilter !== undefined && { eventFilter: ov.eventFilter }),
+                        ...(ov.guildIds !== undefined && { guildIds: ov.guildIds }),
+                        ...(ov.channelIds !== undefined && { channelIds: ov.channelIds }),
+                        ...(ov.userIds !== undefined && { userIds: ov.userIds }),
+                        ...(ov.bufferSize !== undefined && { bufferSize: ov.bufferSize }),
+                        ...(ov.intervalMs !== undefined && { intervalMs: ov.intervalMs }),
+                        ...(ov.disabled !== undefined && { disabled: ov.disabled }),
+                        // Listener params (board IDs, subreddit names, etc.) are user-set
+                        // configuration, not secrets. Pass through verbatim — except for any
+                        // field whose schema marks it as type: 'secret', which is filtered above.
+                        ...(safeParams !== undefined && safeParams),
+                    },
+                };
+            });
+            // `enabled`: a connection is enabled by default; explicit disabled
+            // override (single-instance) toggles it off.
+            const overrideDisabled = caller.ingestorOverrides?.[connectionAlias]?.disabled === true;
+            return {
+                connectionAlias,
+                enabled: !overrideDisabled,
+                isCustom,
+                requiredSecrets,
+                optionalSecrets,
+                hasIngestor: tpl?.hasIngestor ?? customMap.get(connectionAlias)?.ingestor !== undefined,
+                instances,
+            };
+        });
+        res.json(out);
+    });
+    // ── /admin/ingestors ───────────────────────────────────────────────────
+    router.get('/ingestors', (_req, res) => {
+        const statuses = deps.ingestorManager().getAllStatuses();
+        // getAllStatuses already augments with callerAlias; connection and
+        // instanceId come from base IngestorStatus.
+        const out = statuses.map((s) => ({
+            callerAlias: s.callerAlias,
+            connection: s.connection,
+            ...(s.instanceId !== undefined && { instanceId: s.instanceId }),
+            type: s.type,
+            state: s.state,
+            bufferedEvents: s.bufferedEvents,
+            totalEventsReceived: s.totalEventsReceived,
+            lastEventAt: s.lastEventAt,
+            ...(s.error !== undefined && { error: s.error }),
+            ...(s.webhookRegistration !== undefined && {
+                webhookRegistration: s.webhookRegistration,
+            }),
+        }));
+        res.json(out);
+    });
+    // ── /admin/sessions ────────────────────────────────────────────────────
+    // SessionSnapshot already strips channel + resolvedRoutes — pass it through.
+    router.get('/sessions', (_req, res) => {
+        res.json(deps.getSessionsSnapshot());
+    });
+    // ── /admin/secrets ─────────────────────────────────────────────────────
+    // Flat join of (caller × connection × secret), with `present` computed via
+    // isSecretSetForCaller() — never the actual env value.
+    router.get('/secrets', (_req, res) => {
+        const config = deps.loadConfig();
+        const tplMap = new Map(listConnectionTemplates().map((t) => [t.alias, t]));
+        const out = [];
+        for (const [callerAlias, caller] of Object.entries(config.callers)) {
+            for (const connectionAlias of caller.connections) {
+                const tpl = tplMap.get(connectionAlias);
+                if (!tpl)
+                    continue; // custom connector — no template-defined secrets to enumerate
+                for (const name of tpl.requiredSecrets) {
+                    out.push({
+                        callerAlias,
+                        connection: connectionAlias,
+                        name,
+                        required: true,
+                        present: isSecretSetForCaller(name, callerAlias, caller.env),
+                    });
+                }
+                for (const name of tpl.optionalSecrets) {
+                    out.push({
+                        callerAlias,
+                        connection: connectionAlias,
+                        name,
+                        required: false,
+                        present: isSecretSetForCaller(name, callerAlias, caller.env),
+                    });
+                }
+            }
+        }
+        res.json(out);
+    });
+    return router;
+}
+//# sourceMappingURL=admin.js.map

package/dist/remote/ingestors/manager.d.ts

@@ -92,6 +92,14 @@ export declare class IngestorManager {
      * Get status of all ingestors for a caller.
      */
     getStatuses(callerAlias: string): IngestorStatus[];
+    /**
+     * Get status of every ingestor across all callers, augmented with the
+     * owning caller alias. Used by the read-only /admin API to render a global
+     * dashboard view without iterating per-caller.
+     */
+    getAllStatuses(): (IngestorStatus & {
+        callerAlias: string;
+    })[];
     /**
      * Subscribe to all events from all ingestors (current and future).
      * Used by the SSE /events/stream endpoint to fan out events to CLI watchers.

package/dist/remote/ingestors/manager.js

@@ -257,6 +257,19 @@ export class IngestorManager {
         }
         return statuses;
     }
+    /**
+     * Get status of every ingestor across all callers, augmented with the
+     * owning caller alias. Used by the read-only /admin API to render a global
+     * dashboard view without iterating per-caller.
+     */
+    getAllStatuses() {
+        const out = [];
+        for (const [key, ingestor] of this.ingestors) {
+            const { caller } = parseKey(key);
+            out.push({ ...ingestor.getStatus(), callerAlias: caller });
+        }
+        return out;
+    }
     /**
      * Subscribe to all events from all ingestors (current and future).
      * Used by the SSE /events/stream endpoint to fan out events to CLI watchers.

package/dist/remote/server.d.ts

@@ -12,6 +12,7 @@
  *   - Maintains an audit log of all operations
  *   - Rate-limits requests per session
  */
+import express from 'express';
 import { type RemoteServerConfig, type ResolvedRoute } from '../shared/config.js';
 import { EncryptedChannel, type PublicKeyBundle } from '../shared/crypto/index.js';
 import { HandshakeResponder, type HandshakeInit } from '../shared/protocol/index.js';
@@ -43,6 +44,23 @@ export interface PendingHandshake {
     init: HandshakeInit;
     createdAt: number;
 }
+/** Sanitized session projection — never includes channel keys or resolved
+ *  routes (which carry decrypted secrets). Returned by getSessionsSnapshot()
+ *  for the read-only /admin API. */
+export interface SessionSnapshot {
+    /** First 12 chars of the session ID — enough to disambiguate, doesn't
+     *  expose enough material to forge or replay encrypted requests. */
+    sessionIdShort: string;
+    callerAlias: string;
+    createdAt: number;
+    lastActivity: number;
+    requestCount: number;
+    windowRequests: number;
+    windowStart: number;
+}
+/** Loopback guard — used by /sync/listen, /sync/status, /events/stream, /admin.
+ *  Hoisted to module scope so the admin router and its tests can reuse it. */
+export declare function requireLoopback(req: express.Request, res: express.Response, next: express.NextFunction): void;
 export declare function isEndpointAllowed(url: string, patterns: string[]): boolean;
 export { resolvePlaceholders } from '../shared/config.js';
 /**
@@ -57,6 +75,13 @@ export declare function cleanupSessions(sessionsMap: Map<string, Pick<Session, '
     expiredSessions: string[];
     expiredHandshakes: string[];
 };
+/**
+ * Project the active sessions into a sanitized snapshot for read-only use.
+ *
+ * Drops `channel` (holds AES keys) and `resolvedRoutes` (carry decrypted
+ * secrets). Used by the loopback /admin API; never call res.json(session).
+ */
+export declare function getSessionsSnapshot(): SessionSnapshot[];
 /** A file attachment transmitted as base64 data through the encrypted channel. */
 export interface FileAttachment {
     /** Form field name (e.g., "files[0]", "file", "attachment") */

package/dist/remote/server.js

@@ -25,6 +25,7 @@ import { getCallerKeysDir, getServerKeysDir } from '../shared/config.js';
 import { IngestorManager } from './ingestors/index.js';
 import { listConnectionTemplates } from '../shared/connections.js';
 import { isSecretSetForCaller, setCallerSecrets } from '../shared/env-utils.js';
+import { createAdminRouter } from './admin.js';
 // ── Environment loading ─────────────────────────────────────────────────────
 /** Load environment from ~/.drawlatch/.env, falling back to cwd .env (legacy). */
 function loadEnvFile() {
@@ -45,6 +46,40 @@ loadEnvFile();
 const sessions = new Map();
 const pendingHandshakes = new Map();
 let rateLimitPerMinute = 60;
+/** Read package.json version once at module load. */
+const PKG_VERSION = (() => {
+    try {
+        const raw = fs.readFileSync(new URL('../../package.json', import.meta.url), 'utf8');
+        return JSON.parse(raw).version ?? 'unknown';
+    }
+    catch {
+        return 'unknown';
+    }
+})();
+/** Resolve the listen port from DRAWLATCH_PORT (env override) or fall back to
+ *  the configured port. Guards against non-numeric env values that would
+ *  otherwise be silently coerced to NaN by parseInt. */
+function resolvePort(envValue, fallback) {
+    if (envValue === undefined)
+        return fallback;
+    const parsed = parseInt(envValue, 10);
+    if (Number.isNaN(parsed)) {
+        console.warn(`[remote] Ignoring DRAWLATCH_PORT="${envValue}" (not a number); falling back to configured port ${fallback}`);
+        return fallback;
+    }
+    return parsed;
+}
+/** Loopback guard — used by /sync/listen, /sync/status, /events/stream, /admin.
+ *  Hoisted to module scope so the admin router and its tests can reuse it. */
+export function requireLoopback(req, res, next) {
+    const addr = req.socket.remoteAddress;
+    if (addr === '127.0.0.1' || addr === '::1' || addr === '::ffff:127.0.0.1') {
+        next();
+    }
+    else {
+        res.status(403).json({ error: 'Forbidden: local access only' });
+    }
+}
 /** Active sync session (at most one at a time). */
 let activeSyncSession = null;
 // ── Helpers ────────────────────────────────────────────────────────────────
@@ -148,6 +183,27 @@ export function cleanupSessions(sessionsMap, pendingMap, now = Date.now()) {
 setInterval(() => {
     cleanupSessions(sessions, pendingHandshakes);
 }, 60_000);
+/**
+ * Project the active sessions into a sanitized snapshot for read-only use.
+ *
+ * Drops `channel` (holds AES keys) and `resolvedRoutes` (carry decrypted
+ * secrets). Used by the loopback /admin API; never call res.json(session).
+ */
+export function getSessionsSnapshot() {
+    const out = [];
+    for (const [id, s] of sessions) {
+        out.push({
+            sessionIdShort: id.substring(0, 12),
+            callerAlias: s.callerAlias,
+            createdAt: s.createdAt,
+            lastActivity: s.lastActivity,
+            requestCount: s.requestCount,
+            windowRequests: s.windowRequests,
+            windowStart: s.windowStart,
+        });
+    }
+    return out;
+}
 // ── Session route invalidation ────────────────────────────────────────────
 /**
  * Re-resolve routes for all active sessions belonging to a caller.
@@ -1061,22 +1117,15 @@ export function createApp(options = {}) {
         app.use('/sync', ipRateLimiter(60_000, 10));
         app.use('/webhooks', ipRateLimiter(60_000, 120));
         app.use('/health', ipRateLimiter(60_000, 60));
-    }
-    // ── Loopback guard for local-only endpoints ──────────────────────────────
-    // /sync/listen and /sync/status are intended for local CLI use only.
-    // Reject requests from non-loopback addresses to prevent remote abuse.
-    function requireLoopback(req, res, next) {
-        const addr = req.socket.remoteAddress;
-        if (addr === '127.0.0.1' || addr === '::1' || addr === '::ffff:127.0.0.1') {
-            next();
-        }
-        else {
-            res.status(403).json({ error: 'Forbidden: local access only' });
-        }
+        // /admin is loopback-only but the dashboard polls — give it more headroom than /health
+        app.use('/admin', ipRateLimiter(60_000, 300));
     }
     const config = options.config ?? loadRemoteConfig();
     const ownKeys = options.ownKeys ?? loadKeyBundle(getServerKeysDir());
     const authorizedPeers = options.authorizedPeers ?? loadCallerPeers(config.callers);
+    // Capture for /admin/meta. Resolves the same way main() picks the listen port.
+    const startedAt = Date.now();
+    const port = resolvePort(process.env.DRAWLATCH_PORT, config.port);
     rateLimitPerMinute = config.rateLimitPerMinute;
     // Create or use the provided ingestor manager.
     // When config is loaded from disk (production), pass loadRemoteConfig as the
@@ -1444,6 +1493,16 @@ export function createApp(options = {}) {
             mgr.offEvent(listener);
         });
     });
+    // ── Admin API (loopback-only, read-only) ─────────────────────────────
+    // Powers the drawlatch-ui dashboard. No mutations, no secrets, no CORS.
+    app.use('/admin', requireLoopback, createAdminRouter({
+        getSessionsSnapshot,
+        ingestorManager: () => app.locals.ingestorManager,
+        loadConfig: () => options.config ?? loadRemoteConfig(),
+        version: PKG_VERSION,
+        port,
+        startedAt,
+    }));
     // ── Webhook receiver ─────────────────────────────────────────────────
     // Trello (and potentially other services) send a HEAD request to the
     // callback URL to verify it is reachable before activating the webhook.
@@ -1507,7 +1566,12 @@ export function main() {
     }
     const config = loadRemoteConfig();
     const serverKeysDirPath = getServerKeysDir();
-    const requiredKeyFiles = ['signing.key.pem', 'signing.pub.pem', 'exchange.key.pem', 'exchange.pub.pem'];
+    const requiredKeyFiles = [
+        'signing.key.pem',
+        'signing.pub.pem',
+        'exchange.key.pem',
+        'exchange.pub.pem',
+    ];
     const missingKeyFiles = requiredKeyFiles.filter((f) => !fs.existsSync(path.join(serverKeysDirPath, f)));
     if (missingKeyFiles.length > 0) {
         if (!fs.existsSync(serverKeysDirPath)) {
@@ -1524,7 +1588,7 @@ export function main() {
         console.log('[remote] No callers configured — server will accept sync requests.');
         console.log('[remote] To add callers, run: drawlatch sync');
     }
-    const port = process.env.DRAWLATCH_PORT ? parseInt(process.env.DRAWLATCH_PORT, 10) : config.port;
+    const port = resolvePort(process.env.DRAWLATCH_PORT, config.port);
     const host = process.env.DRAWLATCH_HOST ?? config.host;
     const useTunnel = process.env.DRAWLATCH_TUNNEL === '1';
     const app = createApp();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wolpertingerlabs/drawlatch",
-  "version": "1.0.0-alpha.15.2",
+  "version": "1.0.0-alpha.19",
   "description": "Encrypted MCP proxy with mutual authentication. Local MCP server forwards requests through an encrypted channel to a remote secrets-holding server.",
   "type": "module",
   "main": "./dist/mcp/server.js",