@wrongstack/webui 0.31.1 → 0.41.0

package/dist/server/index.js

@@ -1,7 +1,89 @@
 // src/server/index.ts
-import * as fs2 from "fs/promises";
+import * as fs3 from "fs/promises";
+import * as path2 from "path";
+
+// src/server/http-server.ts
+import * as fs from "fs/promises";
 import * as http from "http";
 import * as path from "path";
+var MIME_TYPES = {
+  ".html": "text/html",
+  ".js": "application/javascript",
+  ".css": "text/css",
+  ".json": "application/json",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".ico": "image/x-icon"
+};
+function buildCspHeader(wsPort) {
+  return `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort} wss://127.0.0.1:${wsPort} ws://[::1]:${wsPort} wss://[::1]:${wsPort}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`;
+}
+function isInsideDist(candidate, distDir) {
+  const root = path.resolve(distDir);
+  const resolved = path.resolve(candidate);
+  return resolved === root || resolved.startsWith(root + path.sep);
+}
+function createHttpServer(opts) {
+  const port = opts.port ?? Number.parseInt(process.env["PORT"] ?? "3456", 10);
+  const distDir = path.resolve(opts.distDir);
+  const wsPort = opts.wsPort;
+  return http.createServer(async (req, res) => {
+    try {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+      let filePath;
+      if (url.pathname === "/" || url.pathname === "") {
+        filePath = path.join(distDir, "index.html");
+      } else if (url.pathname.startsWith("/assets/")) {
+        filePath = path.join(distDir, url.pathname);
+      } else if (url.pathname.startsWith("/")) {
+        filePath = path.join(distDir, url.pathname);
+      } else {
+        filePath = path.join(distDir, "index.html");
+      }
+      const resolvedPath = path.resolve(filePath);
+      if (!isInsideDist(resolvedPath, distDir)) {
+        res.writeHead(403, { "Content-Type": "text/plain" });
+        res.end("Forbidden");
+        return;
+      }
+      const ext = path.extname(resolvedPath);
+      const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
+      res.setHeader("Content-Type", contentType);
+      res.setHeader("X-Content-Type-Options", "nosniff");
+      res.setHeader("X-Frame-Options", "DENY");
+      res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+      if (ext === ".html") {
+        res.setHeader("Cache-Control", "no-cache");
+        res.setHeader("Content-Security-Policy", buildCspHeader(wsPort));
+      }
+      const fileContent = await fs.readFile(resolvedPath);
+      res.writeHead(200);
+      res.end(fileContent);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        try {
+          const fileContent = await fs.readFile(path.join(distDir, "index.html"));
+          res.writeHead(200, {
+            "Content-Type": "text/html",
+            "X-Content-Type-Options": "nosniff",
+            "X-Frame-Options": "DENY",
+            "Referrer-Policy": "strict-origin-when-cross-origin",
+            "Content-Security-Policy": buildCspHeader(wsPort)
+          });
+          res.end(fileContent);
+        } catch {
+          res.writeHead(404);
+          res.end("Not found");
+        }
+      } else {
+        res.writeHead(500);
+        res.end("Server error");
+      }
+    }
+  });
+}
+
+// src/server/index.ts
 import {
   Agent,
   AutoCompactionMiddleware,
@@ -111,7 +193,7 @@ function createDefaultContainer(opts) {
 }
 
 // src/server/boot.ts
-import * as fs from "fs/promises";
+import * as fs2 from "fs/promises";
 import * as os from "os";
 import {
   DefaultConfigLoader,
@@ -119,7 +201,8 @@ import {
   DefaultPathResolver,
   DefaultSecretVault,
   migratePlaintextSecrets,
-  resolveWstackPaths
+  resolveWstackPaths,
+  writeErr
 } from "@wrongstack/core";
 async function bootConfig() {
   const cwd = process.cwd();
@@ -127,15 +210,15 @@ async function bootConfig() {
   const projectRoot = pathResolver.projectRoot;
   const userHome = os.homedir();
   const wpaths = resolveWstackPaths({ projectRoot, userHome });
-  await fs.mkdir(wpaths.globalRoot, { recursive: true });
-  await fs.mkdir(wpaths.projectDir, { recursive: true });
-  await fs.mkdir(wpaths.projectSessions, { recursive: true });
+  await fs2.mkdir(wpaths.globalRoot, { recursive: true });
+  await fs2.mkdir(wpaths.projectDir, { recursive: true });
+  await fs2.mkdir(wpaths.projectSessions, { recursive: true });
   const vault = new DefaultSecretVault({ keyFile: wpaths.secretsKey });
   for (const file of [wpaths.globalConfig, wpaths.projectLocalConfig]) {
     try {
       const { migrated } = await migratePlaintextSecrets(file, vault);
       if (migrated > 0) {
-        process.stderr.write(`[WebUI] Encrypted ${migrated} plaintext secret(s) in ${file}
+        writeErr(`[WebUI] Encrypted ${migrated} plaintext secret(s) in ${file}
 `);
       }
     } catch {
@@ -1527,7 +1610,7 @@ async function startWebUI(opts = {}) {
       inputCost,
       outputCost,
       cacheReadCost,
-      projectName: path.basename(projectRoot) || projectRoot,
+      projectName: path2.basename(projectRoot) || projectRoot,
       cwd: projectRoot,
       mode: modeId,
       contextMode: String(context.meta["contextWindowMode"] ?? DEFAULT_CONTEXT_WINDOW_MODE_ID),
@@ -1761,8 +1844,8 @@ async function startWebUI(opts = {}) {
       rateLimits.delete(String(ws));
       console.log("[WebUI] Client disconnected, total:", clients.size);
       if (pendingConfirms.size > 0) {
-        for (const [id, resolve2] of pendingConfirms) {
-          resolve2("no");
+        for (const [id, resolve3] of pendingConfirms) {
+          resolve3("no");
           pendingConfirms.delete(id);
         }
       }
@@ -1852,10 +1935,10 @@ async function startWebUI(opts = {}) {
       }
       case "tool.confirm_result": {
         const { id, decision } = msg.payload;
-        const resolve2 = pendingConfirms.get(id);
-        if (resolve2) {
+        const resolve3 = pendingConfirms.get(id);
+        if (resolve3) {
           pendingConfirms.delete(id);
-          resolve2(decision);
+          resolve3(decision);
         }
         break;
       }
@@ -2117,7 +2200,7 @@ async function startWebUI(opts = {}) {
           updateAutoCompactionMaxContext?.(newProv);
           try {
             configWriteLock = configWriteLock.then(async () => {
-              const raw = await fs2.readFile(globalConfigPath, "utf8");
+              const raw = await fs3.readFile(globalConfigPath, "utf8");
               const parsed = JSON.parse(raw);
               parsed.provider = newProvider;
               parsed.model = newModel;
@@ -2450,7 +2533,7 @@ async function startWebUI(opts = {}) {
           if (depth > 8 || results.length >= 600) return;
           let entries = [];
           try {
-            entries = await fs2.readdir(dir, { withFileTypes: true });
+            entries = await fs3.readdir(dir, { withFileTypes: true });
           } catch {
             return;
           }
@@ -2463,7 +2546,7 @@ async function startWebUI(opts = {}) {
             const childRel = rel ? `${rel}/${e.name}` : e.name;
             if (e.isDirectory()) {
               if (SKIP_DIRS.has(e.name)) continue;
-              await walk(path.join(dir, e.name), childRel, depth + 1);
+              await walk(path2.join(dir, e.name), childRel, depth + 1);
             } else if (e.isFile()) {
               results.push(childRel);
             }
@@ -2593,7 +2676,7 @@ async function startWebUI(opts = {}) {
   }
   async function loadSavedProviders() {
     try {
-      const raw = await fs2.readFile(globalConfigPath, "utf8");
+      const raw = await fs3.readFile(globalConfigPath, "utf8");
       const parsed = JSON.parse(raw);
       if (!parsed.providers) return {};
       return decryptConfigSecrets(parsed.providers, vault);
@@ -2605,7 +2688,7 @@ async function startWebUI(opts = {}) {
     configWriteLock = configWriteLock.then(async () => {
       let parsed;
       try {
-        const raw = await fs2.readFile(globalConfigPath, "utf8");
+        const raw = await fs3.readFile(globalConfigPath, "utf8");
         parsed = JSON.parse(raw);
       } catch {
         parsed = {};
@@ -2746,77 +2829,12 @@ async function startWebUI(opts = {}) {
       sendResult(ws, false, err instanceof Error ? err.message : String(err));
     }
   }
-  const httpPort = Number.parseInt(process.env["PORT"] ?? "3456", 10);
-  const DIST_DIR = path.resolve(import.meta.dirname, "../../dist");
-  const mimeTypes = {
-    ".html": "text/html",
-    ".js": "application/javascript",
-    ".css": "text/css",
-    ".json": "application/json",
-    ".svg": "image/svg+xml",
-    ".png": "image/png",
-    ".ico": "image/x-icon"
-  };
-  const httpServer = http.createServer(async (req, res) => {
-    try {
-      const url = new URL(req.url ?? "/", `http://127.0.0.1:${httpPort}`);
-      let filePath;
-      if (url.pathname === "/" || url.pathname === "") {
-        filePath = path.join(DIST_DIR, "index.html");
-      } else if (url.pathname.startsWith("/assets/")) {
-        filePath = path.join(DIST_DIR, url.pathname);
-      } else if (url.pathname.startsWith("/")) {
-        filePath = path.join(DIST_DIR, url.pathname);
-      } else {
-        filePath = path.join(DIST_DIR, "index.html");
-      }
-      const resolvedPath = path.resolve(filePath);
-      const resolvedRoot = path.resolve(DIST_DIR);
-      if (!resolvedPath.startsWith(resolvedRoot + path.sep) && resolvedPath !== resolvedRoot) {
-        res.writeHead(403, { "Content-Type": "text/plain" });
-        res.end("Forbidden");
-        return;
-      }
-      const ext = path.extname(resolvedPath);
-      const contentType = mimeTypes[ext] ?? "application/octet-stream";
-      res.setHeader("Content-Type", contentType);
-      res.setHeader("X-Content-Type-Options", "nosniff");
-      res.setHeader("X-Frame-Options", "DENY");
-      res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
-      if (ext === ".html") {
-        res.setHeader("Cache-Control", "no-cache");
-        res.setHeader(
-          "Content-Security-Policy",
-          `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort} wss://127.0.0.1:${wsPort} ws://[::1]:${wsPort} wss://[::1]:${wsPort}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`
-        );
-      }
-      const fileContent = await fs2.readFile(resolvedPath);
-      res.writeHead(200);
-      res.end(fileContent);
-    } catch (err) {
-      if (err.code === "ENOENT") {
-        try {
-          const fileContent = await fs2.readFile(path.join(DIST_DIR, "index.html"));
-          res.writeHead(200, {
-            "Content-Type": "text/html",
-            "X-Content-Type-Options": "nosniff",
-            "X-Frame-Options": "DENY",
-            "Referrer-Policy": "strict-origin-when-cross-origin",
-            // SPA fallback previously shipped no CSP — apply the same policy as
-            // the direct .html branch so deep-linked routes aren't unprotected.
-            "Content-Security-Policy": `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort} wss://127.0.0.1:${wsPort} ws://[::1]:${wsPort} wss://[::1]:${wsPort}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`
-          });
-          res.end(fileContent);
-        } catch {
-          res.writeHead(404);
-          res.end("Not found");
-        }
-      } else {
-        res.writeHead(500);
-        res.end("Server error");
-      }
-    }
+  const httpServer = createHttpServer({
+    host: wsHost,
+    distDir: path2.resolve(import.meta.dirname, "../../dist"),
+    wsPort
   });
+  const httpPort = Number.parseInt(process.env["PORT"] ?? "3456", 10);
   httpServer.listen(httpPort, wsHost, () => {
     console.log(`[WebUI] HTTP server running on http://${wsHost}:${httpPort}`);
   });