agent-relay-server 0.9.0 → 0.10.1

package/src/security.ts

@@ -1,4 +1,9 @@
 import { AUTH_TOKEN, CORS_ORIGINS, getIntegrationTokens, type IntegrationTokenConfig } from "./config";
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { getDb } from "./db";
+import type { ComponentToken } from "./types";
 
 const LOOPBACK_HOSTS = new Set(["127.0.0.1", "::1", "localhost"]);
 
@@ -65,9 +70,11 @@ export function corsPreflight(req: Request): Response {
 
 export function isAuthorized(req: Request): boolean {
   const token = authToken();
-  if (!token) return true;
+  if (!token && !extractToken(req)) return true;
 
-  return extractToken(req) === token;
+  const presented = extractToken(req);
+  if (token && presented === token) return true;
+  return Boolean(presented && verifyComponentToken(presented));
 }
 
 type IntegrationAuth = IntegrationTokenConfig;
@@ -98,10 +105,14 @@ export function requiredScopeFor(method: string, pathname: string): string | nul
   if (pathname === "/api/connectors" || pathname.startsWith("/api/connectors/")) return method === "GET" ? "connectors:read" : "system:write";
   if (pathname.startsWith("/api/channels") || pathname.startsWith("/api/channel-bindings")) return method === "GET" ? "channels:read" : "channels:write";
   if (pathname === "/api/integrations" || pathname.startsWith("/api/integrations/")) return method === "GET" ? "integrations:read" : "integrations:write";
+  if (pathname.startsWith("/api/automations") || pathname.startsWith("/api/automation-runs")) return method === "GET" ? "automations:read" : "automations:write";
   if (pathname.startsWith("/api/agents")) return method === "GET" ? "agents:read" : "agents:write";
   if (pathname.startsWith("/api/activity")) return method === "GET" ? "activity:read" : "activity:write";
   if (pathname.startsWith("/api/inbox")) return method === "GET" ? "messages:read" : "messages:write";
   if (pathname.startsWith("/api/messages")) return method === "GET" ? "messages:read" : "messages:write";
+  if (pathname.startsWith("/api/commands")) return method === "GET" ? "commands:read" : "commands:write";
+  if (pathname.startsWith("/api/recipes")) return method === "GET" ? "recipes:read" : "recipes:write";
+  if (pathname.startsWith("/api/tokens")) return "system:write";
   if (pathname.startsWith("/api/tasks")) return method === "GET" ? "tasks:read" : "tasks:write";
   if (pathname.startsWith("/api/pairs")) return method === "GET" ? "pairs:read" : "pairs:write";
   if (pathname.startsWith("/api/system/")) return "system:write";
@@ -109,6 +120,12 @@ export function requiredScopeFor(method: string, pathname: string): string | nul
 }
 
 export function isScopedRequestAuthorized(req: Request): boolean {
+  const component = getComponentAuth(req);
+  if (component) {
+    const required = requiredComponentScopeFor(req.method, new URL(req.url).pathname);
+    return required ? hasComponentScope(component, required) : false;
+  }
+
   const auth = getIntegrationAuth(req);
   if (!auth) return false;
   const pathname = new URL(req.url).pathname;
@@ -121,6 +138,61 @@ export function isScopedRequestAuthorized(req: Request): boolean {
   return scope ? hasIntegrationScope(auth, scope) : false;
 }
 
+export function getComponentAuth(req: Request): ComponentToken | null {
+  const token = extractToken(req);
+  return token ? verifyComponentToken(token) : null;
+}
+
+export function hasComponentScope(auth: ComponentToken, requiredScope: string): boolean {
+  if (auth.scope.includes("admin:*")) return true;
+  if (auth.scope.includes(requiredScope)) return true;
+  const [category] = requiredScope.split(":");
+  return Boolean(category && auth.scope.includes(`${category}:*`));
+}
+
+export function requiredComponentScopeFor(method: string, pathname: string): string | null {
+  if (pathname === "/api/stats" || pathname === "/api/health") return "agent:read";
+  if (pathname === "/api/events") return "message:read";
+  if (pathname.startsWith("/api/commands")) {
+    if (method === "GET") return "command:*";
+    return "command:*";
+  }
+  if (pathname.startsWith("/api/tokens")) return "admin:*";
+  if (pathname === "/api/recipes/start") return "recipe:start";
+  if (pathname.startsWith("/api/recipes/") && pathname.endsWith("/stop")) return "recipe:stop";
+  if (pathname.startsWith("/api/recipes")) return method === "GET" ? "agent:read" : "recipe:start";
+  if (pathname.startsWith("/api/automations") || pathname.startsWith("/api/automation-runs")) return method === "GET" ? "automation:read" : "automation:write";
+  if (pathname.startsWith("/api/agents")) return method === "GET" ? "agent:read" : "agent:write";
+  if (pathname.startsWith("/api/messages") || pathname.startsWith("/api/inbox")) return method === "GET" ? "message:read" : "message:send";
+  if (pathname.startsWith("/api/tasks")) return method === "GET" ? "task:read" : "task:write";
+  if (pathname.startsWith("/api/orchestrators")) return method === "GET" ? "agent:read" : "command:*";
+  if (pathname.startsWith("/api/system/")) return "admin:*";
+  return "admin:*";
+}
+
+export function signComponentToken(payload: Omit<ComponentToken, "iat"> & { iat?: number }): string {
+  const header = { alg: "HS256", typ: "JWT" };
+  const body: ComponentToken = {
+    ...payload,
+    iat: payload.iat ?? Math.floor(Date.now() / 1000),
+  };
+  const signingInput = `${base64urlJson(header)}.${base64urlJson(body)}`;
+  return `${signingInput}.${hmac(signingInput)}`;
+}
+
+export function verifyComponentToken(token: string, nowSeconds = Math.floor(Date.now() / 1000)): ComponentToken | null {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  const [headerRaw, payloadRaw, signature] = parts as [string, string, string];
+  const expected = hmac(`${headerRaw}.${payloadRaw}`);
+  if (!safeEqual(signature, expected)) return null;
+  const payload = parseBase64urlJson(payloadRaw);
+  if (!isComponentToken(payload)) return null;
+  if (payload.exp !== undefined && payload.exp <= nowSeconds) return null;
+  if (payload.jti && isTokenRevoked(payload.jti)) return null;
+  return payload;
+}
+
 export function forbidden(req: Request): Response {
   return applyCors(req, Response.json({ error: "forbidden" }, { status: 403 }));
 }
@@ -141,6 +213,60 @@ function extractToken(req: Request): string | null {
   return bearer ?? req.headers.get("x-agent-relay-token") ?? new URL(req.url).searchParams.get("token");
 }
 
+function tokenSecret(): string {
+  const env = process.env.AGENT_RELAY_TOKEN_SECRET;
+  if (env) return env;
+  const path = join(process.env.HOME || ".", ".agent-relay", "token-secret");
+  if (existsSync(path)) return readFileSync(path, "utf8").trim();
+  const secret = randomBytes(32).toString("base64url");
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, `${secret}\n`, { mode: 0o600 });
+  return secret;
+}
+
+function hmac(input: string): string {
+  return createHmac("sha256", tokenSecret()).update(input).digest("base64url");
+}
+
+function base64urlJson(value: unknown): string {
+  return Buffer.from(JSON.stringify(value)).toString("base64url");
+}
+
+function parseBase64urlJson(raw: string): unknown {
+  try {
+    return JSON.parse(Buffer.from(raw, "base64url").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+
+function safeEqual(a: string, b: string): boolean {
+  const left = Buffer.from(a);
+  const right = Buffer.from(b);
+  return left.length === right.length && timingSafeEqual(left, right);
+}
+
+function isComponentToken(value: unknown): value is ComponentToken {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+  const record = value as Record<string, unknown>;
+  return typeof record.sub === "string" &&
+    typeof record.role === "string" &&
+    Array.isArray(record.scope) &&
+    record.scope.every((scope) => typeof scope === "string") &&
+    typeof record.iat === "number" &&
+    (record.exp === undefined || typeof record.exp === "number") &&
+    (record.jti === undefined || typeof record.jti === "string");
+}
+
+function isTokenRevoked(jti: string): boolean {
+  try {
+    const row = getDb().prepare("SELECT revoked_at FROM tokens WHERE jti = ?").get(jti) as { revoked_at?: number | null } | undefined;
+    return Boolean(row?.revoked_at);
+  } catch {
+    return false;
+  }
+}
+
 function corsOrigins(): string[] {
   const raw = process.env.AGENT_RELAY_CORS_ORIGINS;
   if (raw === undefined) return CORS_ORIGINS;

package/src/sse.ts

@@ -1,4 +1,5 @@
 import { getAgent, getOrchestrator } from "./db";
+import { emitRelayEvent, subscribeRelayEvents, type RelayEvent } from "./events";
 import type { Message, Task } from "./types";
 
 interface Connection {
@@ -10,6 +11,10 @@ interface Connection {
 
 const connections = new Map<string, Connection>();
 const encoder = new TextEncoder();
+const SSE_KEEPALIVE_MS = 15_000;
+const SSE_RETRY_MS = 5_000;
+
+subscribeRelayEvents((event) => fanout(event));
 
 export function createSSEStream(agentId: string | null): Response {
   let connId: string;
@@ -20,12 +25,12 @@ export function createSSEStream(agentId: string | null): Response {
       const keepalive = setInterval(() => {
         try { controller.enqueue(encoder.encode(": keepalive\n\n")); }
         catch { removeConnection(connId); }
-      }, 30_000);
+      }, SSE_KEEPALIVE_MS);
 
       connections.set(connId, { id: connId, agentId, controller, keepalive });
 
       controller.enqueue(encoder.encode(
-        `event: connected\ndata: ${JSON.stringify({ connectionId: connId })}\n\n`
+        `retry: ${SSE_RETRY_MS}\nevent: connected\ndata: ${JSON.stringify({ connectionId: connId })}\n\n`
       ));
     },
     cancel() {
@@ -37,6 +42,8 @@ export function createSSEStream(agentId: string | null): Response {
     headers: {
       "Content-Type": "text/event-stream",
       "Cache-Control": "no-cache, no-transform",
+      "Pragma": "no-cache",
+      "Vary": "Accept",
       "X-Accel-Buffering": "no",
     },
   });
@@ -71,7 +78,21 @@ function messageMatchesAgent(msg: Message, agentId: string): boolean {
   return false;
 }
 
-export function emitNewMessage(msg: Message) {
+function fanout(event: RelayEvent): void {
+  if (event.type === "message.new") {
+    sendNewMessage(event.data as unknown as Message);
+    return;
+  }
+  if (event.type === "task.updated" || event.type === "task.created" || event.type === "task.claimed" || event.type === "task.status") {
+    sendTaskChanged(event.data as unknown as Task, event.type);
+    return;
+  }
+  for (const conn of connections.values()) {
+    send(conn, event.type, event.data);
+  }
+}
+
+function sendNewMessage(msg: Message): void {
   for (const conn of connections.values()) {
     if (!conn.agentId) {
       send(conn, "message.new", msg);
@@ -83,49 +104,45 @@ export function emitNewMessage(msg: Message) {
   }
 }
 
+export function emitNewMessage(msg: Message) {
+  emitRelayEvent({ type: "message.new", source: msg.from, subject: String(msg.id), data: msg as unknown as Record<string, unknown> });
+}
+
 export function emitAgentStatus(agentId: string) {
   const agent = getAgent(agentId);
   const data = agent ?? { id: agentId, status: "offline" };
-  for (const conn of connections.values()) {
-    send(conn, "agent.status", data);
-  }
+  emitRelayEvent({ type: "agent.status", source: "server", subject: agentId, data: data as unknown as Record<string, unknown> });
 }
 
 export function emitAgentRemoved(agentId: string) {
-  for (const conn of connections.values()) {
-    send(conn, "agent.removed", { id: agentId });
-  }
+  emitRelayEvent({ type: "agent.removed", source: "server", subject: agentId, data: { id: agentId } });
 }
 
 export function emitMessageClaimed(messageId: number, claimedBy: string, claimExpiresAt?: number) {
-  for (const conn of connections.values()) {
-    send(conn, "message.claimed", { messageId, claimedBy, claimExpiresAt });
-  }
+  emitRelayEvent({ type: "message.claimed", source: "server", subject: String(messageId), data: { messageId, claimedBy, claimExpiresAt } });
 }
 
 export function emitMessageClaimReleased(messageId: number) {
-  for (const conn of connections.values()) {
-    send(conn, "message.claim_released", { messageId });
-  }
+  emitRelayEvent({ type: "message.claim_released", source: "server", subject: String(messageId), data: { messageId } });
 }
 
 export function emitMessageDeleted(messageId: number) {
-  for (const conn of connections.values()) {
-    send(conn, "message.deleted", { messageId });
-  }
+  emitRelayEvent({ type: "message.deleted", source: "server", subject: String(messageId), data: { messageId } });
 }
 
-export function emitTaskChanged(task: Task, eventType = "task.updated") {
+function sendTaskChanged(task: Task, eventType = "task.updated"): void {
   for (const conn of connections.values()) {
     if (conn.agentId && !targetMatchesAgent(task.target, conn.agentId)) continue;
     send(conn, eventType, task);
   }
 }
 
+export function emitTaskChanged(task: Task, eventType = "task.updated") {
+  emitRelayEvent({ type: eventType, source: task.source, subject: String(task.id), data: task as unknown as Record<string, unknown> });
+}
+
 export function emitChannelActivity(activity: Record<string, unknown>) {
-  for (const conn of connections.values()) {
-    send(conn, "channel.activity", activity);
-  }
+  emitRelayEvent({ type: "channel.activity", source: "server", data: activity });
 }
 
 export function getConnectionCount(): number {
@@ -145,19 +162,13 @@ function targetMatchesAgent(target: string, agentId: string): boolean {
 export function emitOrchestratorStatus(orchestratorId: string) {
   const orch = getOrchestrator(orchestratorId);
   const data = orch ?? { id: orchestratorId, status: "offline" };
-  for (const conn of connections.values()) {
-    send(conn, "orchestrator.status", data);
-  }
+  emitRelayEvent({ type: "orchestrator.status", source: "server", subject: orchestratorId, data: data as unknown as Record<string, unknown> });
 }
 
 export function emitOrchestratorRemoved(orchestratorId: string) {
-  for (const conn of connections.values()) {
-    send(conn, "orchestrator.removed", { id: orchestratorId });
-  }
+  emitRelayEvent({ type: "orchestrator.removed", source: "server", subject: orchestratorId, data: { id: orchestratorId } });
 }
 
 export function emitPoolBindingChanged(bindingId: string, channelId: string, previousAgentId: string | null, newAgentId: string | null) {
-  for (const conn of connections.values()) {
-    send(conn, "channel.pool.changed", { bindingId, channelId, previousAgentId, newAgentId, at: Date.now() });
-  }
+  emitRelayEvent({ type: "channel.pool.changed", source: "server", subject: bindingId, data: { bindingId, channelId, previousAgentId, newAgentId, at: Date.now() } });
 }

package/src/token-db.ts

@@ -0,0 +1,96 @@
+import { randomUUID } from "node:crypto";
+import { getDb } from "./db";
+import { signComponentToken } from "./security";
+import type { ComponentToken } from "./types";
+
+interface TokenRecord {
+  jti: string;
+  sub: string;
+  role: string;
+  scope: string[];
+  issuedAt: number;
+  expiresAt?: number;
+  revokedAt?: number;
+  createdBy?: string;
+}
+
+interface TokenRow {
+  jti: string;
+  sub: string;
+  role: string;
+  scope: string;
+  issued_at: number;
+  expires_at: number | null;
+  revoked_at: number | null;
+  created_by: string | null;
+}
+
+export function createToken(input: {
+  sub: string;
+  role: string;
+  scope?: string[];
+  ttlSeconds?: number;
+  createdBy?: string;
+}): { token: string; record: TokenRecord } {
+  const now = Math.floor(Date.now() / 1000);
+  const jti = randomUUID();
+  const scope = input.scope?.length ? input.scope : defaultScopes(input.role);
+  const expiresAt = input.ttlSeconds ? now + input.ttlSeconds : undefined;
+  const payload: ComponentToken = {
+    sub: input.sub,
+    role: input.role,
+    scope,
+    iat: now,
+    exp: expiresAt,
+    jti,
+  };
+  const token = signComponentToken(payload);
+  getDb().prepare(`
+    INSERT INTO tokens (jti, sub, role, scope, issued_at, expires_at, created_by)
+    VALUES (?, ?, ?, ?, ?, ?, ?)
+  `).run(jti, input.sub, input.role, JSON.stringify(scope), now, expiresAt ?? null, input.createdBy ?? null);
+  return { token, record: getToken(jti)! };
+}
+
+export function listTokens(): TokenRecord[] {
+  const rows = getDb().prepare("SELECT * FROM tokens ORDER BY issued_at DESC").all() as TokenRow[];
+  return rows.map(rowToToken);
+}
+
+export function getToken(jti: string): TokenRecord | null {
+  const row = getDb().prepare("SELECT * FROM tokens WHERE jti = ?").get(jti) as TokenRow | undefined;
+  return row ? rowToToken(row) : null;
+}
+
+export function revokeToken(jti: string): boolean {
+  return getDb().prepare("UPDATE tokens SET revoked_at = ? WHERE jti = ? AND revoked_at IS NULL").run(Math.floor(Date.now() / 1000), jti).changes > 0;
+}
+
+function defaultScopes(role: string): string[] {
+  if (role === "provider" || role === "channel") return ["agent:read", "agent:write", "message:send", "message:read"];
+  if (role === "orchestrator") return ["agent:read", "agent:write", "command:*", "task:read", "task:write"];
+  if (role === "admin" || role === "dashboard") return ["admin:*"];
+  return ["agent:read"];
+}
+
+function rowToToken(row: TokenRow): TokenRecord {
+  return {
+    jti: row.jti,
+    sub: row.sub,
+    role: row.role,
+    scope: parseScope(row.scope),
+    issuedAt: row.issued_at,
+    expiresAt: row.expires_at ?? undefined,
+    revokedAt: row.revoked_at ?? undefined,
+    createdBy: row.created_by ?? undefined,
+  };
+}
+
+function parseScope(raw: string): string[] {
+  try {
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed) ? parsed.filter((item): item is string => typeof item === "string") : [];
+  } catch {
+    return [];
+  }
+}