agent-relay 1.2.3 → 1.3.0

package/dist/cloud/api/workspaces.js

@@ -2,6 +2,7 @@
  * Workspaces API Routes
  *
  * One-click workspace provisioning and management.
+ * Includes auto-access based on GitHub repo permissions.
  */
 import { Router } from 'express';
 import { requireAuth } from './auth.js';
@@ -9,19 +10,359 @@ import { db } from '../db/index.js';
 import { getProvisioner, getProvisioningStage } from '../provisioner/index.js';
 import { checkWorkspaceLimit } from './middleware/planLimits.js';
 import { getConfig } from '../config.js';
+import { nangoService } from '../services/nango.js';
+// Simple in-memory cache for workspace access checks
+// Key: `${userId}:${workspaceId}`
+const workspaceAccessCache = new Map();
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+function getCachedAccess(userId, workspaceId) {
+    const key = `${userId}:${workspaceId}`;
+    const cached = workspaceAccessCache.get(key);
+    if (!cached)
+        return null;
+    // Check if expired
+    if (Date.now() - cached.cachedAt > CACHE_TTL_MS) {
+        workspaceAccessCache.delete(key);
+        return null;
+    }
+    return cached;
+}
+function setCachedAccess(userId, workspaceId, access) {
+    const key = `${userId}:${workspaceId}`;
+    workspaceAccessCache.set(key, { ...access, cachedAt: Date.now() });
+}
+function _invalidateCachedAccess(userId, workspaceId) {
+    if (workspaceId) {
+        workspaceAccessCache.delete(`${userId}:${workspaceId}`);
+    }
+    else {
+        // Invalidate all cache entries for this user
+        for (const key of workspaceAccessCache.keys()) {
+            if (key.startsWith(`${userId}:`)) {
+                workspaceAccessCache.delete(key);
+            }
+        }
+    }
+}
+// Cache keyed by nangoConnectionId
+const userReposCache = new Map();
+const USER_REPOS_CACHE_TTL_MS = 10 * 60 * 1000; // 10 minutes - hard expiry
+const STALE_WHILE_REVALIDATE_MS = 5 * 60 * 1000; // Trigger background refresh after 5 minutes
+const MAX_CACHE_ENTRIES = 500; // Prevent unbounded growth
+/**
+ * Evict oldest cache entries if we exceed the limit
+ */
+function evictOldestCacheEntries() {
+    if (userReposCache.size <= MAX_CACHE_ENTRIES)
+        return;
+    // Convert to array, sort by cachedAt (oldest first), delete oldest entries
+    const entries = Array.from(userReposCache.entries())
+        .sort((a, b) => a[1].cachedAt - b[1].cachedAt);
+    const toEvict = entries.slice(0, entries.length - MAX_CACHE_ENTRIES);
+    for (const [key] of toEvict) {
+        console.log(`[repos-cache] Evicting oldest cache entry: ${key.substring(0, 8)}`);
+        userReposCache.delete(key);
+    }
+}
+/**
+ * Background refresh function that paginates through ALL user repos
+ */
+async function refreshUserReposInBackground(nangoConnectionId) {
+    const cached = userReposCache.get(nangoConnectionId);
+    // Don't start if refresh already in progress
+    if (cached?.refreshInProgress) {
+        console.log(`[repos-cache] Background refresh already in progress for ${nangoConnectionId.substring(0, 8)}`);
+        return;
+    }
+    // Mark as refreshing
+    if (cached) {
+        cached.refreshInProgress = true;
+    }
+    else {
+        // Create placeholder entry
+        userReposCache.set(nangoConnectionId, {
+            repositories: [],
+            cachedAt: Date.now(),
+            isComplete: false,
+            refreshInProgress: true,
+        });
+    }
+    console.log(`[repos-cache] Starting background refresh for ${nangoConnectionId.substring(0, 8)}`);
+    try {
+        const allRepos = [];
+        let page = 1;
+        let hasMore = true;
+        const MAX_PAGES = 20; // Safety limit: 20 pages * 100 repos = 2000 repos max
+        while (hasMore && page <= MAX_PAGES) {
+            const result = await nangoService.listUserAccessibleRepos(nangoConnectionId, {
+                perPage: 100,
+                page,
+                type: 'all',
+            });
+            allRepos.push(...result.repositories.map(r => ({
+                fullName: r.fullName,
+                permissions: r.permissions,
+            })));
+            hasMore = result.hasMore;
+            page++;
+            // Small delay between pages to avoid rate limiting
+            if (hasMore) {
+                await new Promise(resolve => setTimeout(resolve, 100));
+            }
+        }
+        console.log(`[repos-cache] Background refresh complete for ${nangoConnectionId.substring(0, 8)}: ${allRepos.length} repos across ${page - 1} pages`);
+        userReposCache.set(nangoConnectionId, {
+            repositories: allRepos,
+            cachedAt: Date.now(),
+            isComplete: true,
+            refreshInProgress: false,
+        });
+        evictOldestCacheEntries();
+    }
+    catch (err) {
+        console.error(`[repos-cache] Background refresh failed for ${nangoConnectionId.substring(0, 8)}:`, err);
+        // Mark refresh as done even on error, keep existing data if any
+        const existing = userReposCache.get(nangoConnectionId);
+        if (existing) {
+            existing.refreshInProgress = false;
+        }
+    }
+}
+/**
+ * Get cached user repos, triggering background refresh if stale
+ * Returns null if no cache exists (caller should fetch first page synchronously)
+ */
+function getCachedUserRepos(nangoConnectionId) {
+    const cached = userReposCache.get(nangoConnectionId);
+    if (!cached)
+        return null;
+    const age = Date.now() - cached.cachedAt;
+    // If expired, delete and return null
+    if (age > USER_REPOS_CACHE_TTL_MS) {
+        console.log(`[repos-cache] Cache expired for ${nangoConnectionId.substring(0, 8)}`);
+        userReposCache.delete(nangoConnectionId);
+        return null;
+    }
+    // If stale but valid, trigger background refresh
+    if (age > STALE_WHILE_REVALIDATE_MS && !cached.refreshInProgress) {
+        console.log(`[repos-cache] Cache stale for ${nangoConnectionId.substring(0, 8)}, triggering background refresh`);
+        // Fire and forget - don't await
+        refreshUserReposInBackground(nangoConnectionId).catch(() => { });
+    }
+    return cached;
+}
+// Track in-flight initializations to prevent duplicate API calls
+const initializingConnections = new Set();
+/**
+ * Initialize cache with first page and trigger background refresh for rest
+ * Returns the first page of repos immediately
+ */
+async function initializeUserReposCache(nangoConnectionId) {
+    // Check if another request is already initializing this connection
+    if (initializingConnections.has(nangoConnectionId)) {
+        console.log(`[repos-cache] Another request is initializing ${nangoConnectionId.substring(0, 8)}, waiting...`);
+        // Wait a bit and check cache again
+        await new Promise(resolve => setTimeout(resolve, 500));
+        const cached = userReposCache.get(nangoConnectionId);
+        if (cached) {
+            return cached.repositories;
+        }
+        // Still no cache, fall through to initialize (previous request may have failed)
+    }
+    initializingConnections.add(nangoConnectionId);
+    try {
+        // Fetch first page synchronously
+        const firstPage = await nangoService.listUserAccessibleRepos(nangoConnectionId, {
+            perPage: 100,
+            page: 1,
+            type: 'all',
+        });
+        const repos = firstPage.repositories.map(r => ({
+            fullName: r.fullName,
+            permissions: r.permissions,
+        }));
+        // Store first page immediately
+        userReposCache.set(nangoConnectionId, {
+            repositories: repos,
+            cachedAt: Date.now(),
+            isComplete: !firstPage.hasMore,
+            refreshInProgress: firstPage.hasMore, // Will be refreshing if there's more
+        });
+        evictOldestCacheEntries();
+        // If there are more pages, trigger background refresh to get the rest
+        if (firstPage.hasMore) {
+            console.log(`[repos-cache] First page has ${repos.length} repos, more available - triggering background pagination`);
+            // Fire and forget - reuse the shared background refresh function
+            // But start from page 2 with the existing repos
+            (async () => {
+                try {
+                    const allRepos = [...repos];
+                    let page = 2;
+                    let hasMore = true;
+                    const MAX_PAGES = 20;
+                    while (hasMore && page <= MAX_PAGES) {
+                        const result = await nangoService.listUserAccessibleRepos(nangoConnectionId, {
+                            perPage: 100,
+                            page,
+                            type: 'all',
+                        });
+                        allRepos.push(...result.repositories.map(r => ({
+                            fullName: r.fullName,
+                            permissions: r.permissions,
+                        })));
+                        hasMore = result.hasMore;
+                        page++;
+                        if (hasMore) {
+                            await new Promise(resolve => setTimeout(resolve, 100));
+                        }
+                    }
+                    console.log(`[repos-cache] Background pagination complete: ${allRepos.length} total repos`);
+                    userReposCache.set(nangoConnectionId, {
+                        repositories: allRepos,
+                        cachedAt: Date.now(),
+                        isComplete: true,
+                        refreshInProgress: false,
+                    });
+                    evictOldestCacheEntries();
+                }
+                catch (err) {
+                    console.error('[repos-cache] Background pagination failed:', err);
+                    const existing = userReposCache.get(nangoConnectionId);
+                    if (existing) {
+                        existing.refreshInProgress = false;
+                    }
+                }
+            })();
+        }
+        return repos;
+    }
+    finally {
+        initializingConnections.delete(nangoConnectionId);
+    }
+}
+// ============================================================================
+// Workspace Access Middleware
+// ============================================================================
+/**
+ * Check if user has access to a workspace via:
+ * 1. Workspace ownership (userId matches)
+ * 2. Explicit workspace_members record
+ * 3. GitHub repo access (just-in-time check via Nango)
+ */
+export async function checkWorkspaceAccess(userId, workspaceId) {
+    // Check cache first
+    const cached = getCachedAccess(userId, workspaceId);
+    if (cached) {
+        return { hasAccess: cached.hasAccess, accessType: cached.accessType, permission: cached.permission };
+    }
+    // 1. Check if user is workspace owner
+    const workspace = await db.workspaces.findById(workspaceId);
+    if (!workspace) {
+        return { hasAccess: false, accessType: 'none' };
+    }
+    if (workspace.userId === userId) {
+        setCachedAccess(userId, workspaceId, { hasAccess: true, accessType: 'owner', permission: 'admin' });
+        return { hasAccess: true, accessType: 'owner', permission: 'admin' };
+    }
+    // 2. Check explicit workspace_members
+    const member = await db.workspaceMembers.findMembership(workspaceId, userId);
+    if (member && member.acceptedAt) {
+        const permission = member.role === 'admin' ? 'admin' : member.role === 'member' ? 'write' : 'read';
+        setCachedAccess(userId, workspaceId, { hasAccess: true, accessType: 'member', permission });
+        return { hasAccess: true, accessType: 'member', permission };
+    }
+    // 3. Check GitHub repo access (just-in-time)
+    const user = await db.users.findById(userId);
+    if (!user?.nangoConnectionId) {
+        setCachedAccess(userId, workspaceId, { hasAccess: false, accessType: 'none' });
+        return { hasAccess: false, accessType: 'none' };
+    }
+    const repos = await db.repositories.findByWorkspaceId(workspaceId);
+    if (repos.length === 0) {
+        setCachedAccess(userId, workspaceId, { hasAccess: false, accessType: 'none' });
+        return { hasAccess: false, accessType: 'none' };
+    }
+    // Check if user has access to ANY repo in this workspace
+    for (const repo of repos) {
+        try {
+            const [owner, repoName] = repo.githubFullName.split('/');
+            const accessResult = await nangoService.checkUserRepoAccess(user.nangoConnectionId, owner, repoName);
+            if (accessResult.hasAccess && accessResult.permission && accessResult.permission !== 'none') {
+                setCachedAccess(userId, workspaceId, {
+                    hasAccess: true,
+                    accessType: 'contributor',
+                    permission: accessResult.permission
+                });
+                return { hasAccess: true, accessType: 'contributor', permission: accessResult.permission };
+            }
+        }
+        catch (err) {
+            // Continue to next repo on error
+            console.warn(`[workspace-access] Failed to check repo access for ${repo.githubFullName}:`, err);
+        }
+    }
+    // No access found
+    setCachedAccess(userId, workspaceId, { hasAccess: false, accessType: 'none' });
+    return { hasAccess: false, accessType: 'none' };
+}
+/**
+ * Middleware to require workspace access.
+ * Checks ownership, membership, or GitHub repo access.
+ */
+export function requireWorkspaceAccess(req, res, next) {
+    const userId = req.session.userId;
+    const workspaceId = req.params.id || req.params.workspaceId;
+    if (!userId) {
+        res.status(401).json({ error: 'Authentication required' });
+        return;
+    }
+    if (!workspaceId) {
+        res.status(400).json({ error: 'Workspace ID required' });
+        return;
+    }
+    checkWorkspaceAccess(userId, workspaceId)
+        .then((result) => {
+        if (result.hasAccess) {
+            // Attach access info to request for downstream use
+            req.workspaceAccess = {
+                accessType: result.accessType,
+                permission: result.permission,
+            };
+            next();
+        }
+        else {
+            res.status(403).json({ error: 'No access to this workspace' });
+        }
+    })
+        .catch((err) => {
+        console.error('[workspace-access] Error checking access:', err);
+        res.status(500).json({ error: 'Failed to check workspace access' });
+    });
+}
 export const workspacesRouter = Router();
 // All routes require authentication
 workspacesRouter.use(requireAuth);
 /**
  * GET /api/workspaces
- * List user's workspaces
+ * List user's workspaces (owned + member workspaces)
  */
 workspacesRouter.get('/', async (req, res) => {
     const userId = req.session.userId;
     try {
-        const workspaces = await db.workspaces.findByUserId(userId);
+        // Get owned workspaces
+        const ownedWorkspaces = await db.workspaces.findByUserId(userId);
+        // Get workspaces where user is a member
+        const memberships = await db.workspaceMembers.findByUserId(userId);
+        const ownedWorkspaceIds = new Set(ownedWorkspaces.map((w) => w.id));
+        const memberWorkspaceIds = memberships
+            .map((m) => m.workspaceId)
+            .filter((wsId) => !ownedWorkspaceIds.has(wsId)); // Exclude owned to prevent duplicates
+        // Fetch member workspaces (optimize with Promise.all instead of loop)
+        const memberWorkspaces = (await Promise.all(memberWorkspaceIds.map((wsId) => db.workspaces.findById(wsId)))).filter((ws) => ws !== null);
+        // Combine and sort by creation date
+        const allWorkspaces = [...ownedWorkspaces, ...memberWorkspaces].sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime());
         res.json({
-            workspaces: workspaces.map((w) => ({
+            workspaces: allWorkspaces.map((w) => ({
                 id: w.id,
                 name: w.name,
                 status: w.status,
@@ -29,6 +370,7 @@ workspacesRouter.get('/', async (req, res) => {
                 providers: w.config.providers,
                 repositories: w.config.repositories,
                 createdAt: w.createdAt,
+                isOwner: w.userId === userId, // Flag to indicate ownership
             })),
         });
     }
@@ -54,6 +396,33 @@ workspacesRouter.post('/', checkWorkspaceLimit, async (req, res) => {
     if (!repositories || !Array.isArray(repositories)) {
         return res.status(400).json({ error: 'Repositories array is required' });
     }
+    // Check if any of the repos already have a workspace the user can access
+    // This prevents creating duplicate workspaces for the same repo
+    for (const repoFullName of repositories) {
+        const existingRepos = await db.repositories.findByGithubFullName(repoFullName);
+        for (const existingRepo of existingRepos) {
+            if (existingRepo.workspaceId) {
+                const accessResult = await checkWorkspaceAccess(userId, existingRepo.workspaceId);
+                if (accessResult.hasAccess) {
+                    const existingWorkspace = await db.workspaces.findById(existingRepo.workspaceId);
+                    if (existingWorkspace) {
+                        console.log(`[workspaces/create] User ${userId.substring(0, 8)} has access to existing workspace ${existingWorkspace.id.substring(0, 8)} for repo ${repoFullName}`);
+                        return res.status(409).json({
+                            error: 'A workspace already exists for one of these repositories',
+                            existingWorkspace: {
+                                id: existingWorkspace.id,
+                                name: existingWorkspace.name,
+                                publicUrl: existingWorkspace.publicUrl,
+                                accessType: accessResult.accessType,
+                            },
+                            conflictingRepo: repoFullName,
+                            message: `You already have ${accessResult.accessType} access to workspace "${existingWorkspace.name}" which includes ${repoFullName}.`,
+                        });
+                    }
+                }
+            }
+        }
+    }
     // Verify user has credentials for all providers
     const credentials = await db.credentials.findByUserId(userId);
     const connectedProviders = new Set(credentials.map((c) => c.provider));
@@ -93,13 +462,23 @@ workspacesRouter.post('/', checkWorkspaceLimit, async (req, res) => {
 });
 /**
  * GET /api/workspaces/summary
- * Get summary of all user workspaces for dashboard status indicator
+ * Get summary of all user workspaces for dashboard status indicator (owned + member workspaces)
  * NOTE: This route MUST be before /:id to avoid being caught by parameterized route
  */
 workspacesRouter.get('/summary', async (req, res) => {
     const userId = req.session.userId;
     try {
-        const workspaces = await db.workspaces.findByUserId(userId);
+        // Get owned workspaces
+        const ownedWorkspaces = await db.workspaces.findByUserId(userId);
+        // Get workspaces where user is a member
+        const memberships = await db.workspaceMembers.findByUserId(userId);
+        const ownedWorkspaceIds = new Set(ownedWorkspaces.map((w) => w.id));
+        const memberWorkspaceIds = memberships
+            .map((m) => m.workspaceId)
+            .filter((wsId) => !ownedWorkspaceIds.has(wsId));
+        // Fetch member workspaces (optimize with Promise.all)
+        const memberWorkspaces = (await Promise.all(memberWorkspaceIds.map((wsId) => db.workspaces.findById(wsId)))).filter((ws) => ws !== null);
+        const workspaces = [...ownedWorkspaces, ...memberWorkspaces];
         const provisioner = getProvisioner();
         // Get live status for each workspace
         const workspaceSummaries = await Promise.all(workspaces.map(async (w) => {
@@ -152,14 +531,24 @@ workspacesRouter.get('/summary', async (req, res) => {
 });
 /**
  * GET /api/workspaces/primary
- * Get the user's primary workspace (first/default) with live status
+ * Get the user's primary workspace (first/default) with live status (owned + member workspaces)
  * Used by dashboard to show quick status indicator
  * NOTE: This route MUST be before /:id to avoid being caught by parameterized route
  */
 workspacesRouter.get('/primary', async (req, res) => {
     const userId = req.session.userId;
     try {
-        const workspaces = await db.workspaces.findByUserId(userId);
+        // Get owned workspaces
+        const ownedWorkspaces = await db.workspaces.findByUserId(userId);
+        // Get workspaces where user is a member
+        const memberships = await db.workspaceMembers.findByUserId(userId);
+        const ownedWorkspaceIds = new Set(ownedWorkspaces.map((w) => w.id));
+        const memberWorkspaceIds = memberships
+            .map((m) => m.workspaceId)
+            .filter((wsId) => !ownedWorkspaceIds.has(wsId));
+        // Fetch member workspaces (optimize with Promise.all)
+        const memberWorkspaces = (await Promise.all(memberWorkspaceIds.map((wsId) => db.workspaces.findById(wsId)))).filter((ws) => ws !== null);
+        const workspaces = [...ownedWorkspaces, ...memberWorkspaces];
         if (workspaces.length === 0) {
             return res.json({
                 exists: false,
@@ -211,21 +600,147 @@ workspacesRouter.get('/primary', async (req, res) => {
         res.status(500).json({ error: 'Failed to get primary workspace' });
     }
 });
+/**
+ * GET /api/workspaces/accessible
+ * List all workspaces the user can access:
+ * - Owned workspaces
+ * - Workspaces where user is a member
+ * - Workspaces with repos the user has GitHub access to
+ * NOTE: This route MUST be before /:id to avoid being caught by parameterized route
+ */
+workspacesRouter.get('/accessible', async (req, res) => {
+    const userId = req.session.userId;
+    try {
+        const user = await db.users.findById(userId);
+        if (!user) {
+            return res.status(404).json({ error: 'User not found' });
+        }
+        // 1. Get owned workspaces
+        const ownedWorkspaces = await db.workspaces.findByUserId(userId);
+        // 2. Get workspaces where user is a member (excluding owned ones to prevent duplicates)
+        const ownedWorkspaceIds = new Set(ownedWorkspaces.map((w) => w.id));
+        const memberships = await db.workspaceMembers.findByUserId(userId);
+        const memberWorkspaceIds = memberships
+            .map((m) => m.workspaceId)
+            .filter((wsId) => !ownedWorkspaceIds.has(wsId)); // Exclude owned workspaces
+        // Fetch member workspaces
+        const memberWorkspaces = [];
+        for (const wsId of memberWorkspaceIds) {
+            const ws = await db.workspaces.findById(wsId);
+            if (ws)
+                memberWorkspaces.push(ws);
+        }
+        // 3. Get workspaces via GitHub repo access (if user has Nango connection)
+        // Uses background caching to handle users with many repos (>100)
+        const contributorWorkspaces = [];
+        let cacheStatus = 'miss';
+        if (user.nangoConnectionId) {
+            try {
+                console.log(`[workspaces/accessible] Checking GitHub repo access for user ${userId.substring(0, 8)} with nangoConnectionId ${user.nangoConnectionId.substring(0, 8)}...`);
+                // Try to get cached repos first
+                let userRepos;
+                const cached = getCachedUserRepos(user.nangoConnectionId);
+                if (cached) {
+                    userRepos = cached.repositories;
+                    cacheStatus = 'hit';
+                    console.log(`[workspaces/accessible] Cache ${cached.isComplete ? 'hit (complete)' : 'hit (partial)'}: ${userRepos.length} repos`);
+                }
+                else {
+                    // No cache - initialize with first page and trigger background refresh
+                    userRepos = await initializeUserReposCache(user.nangoConnectionId);
+                    cacheStatus = 'initializing';
+                    console.log(`[workspaces/accessible] Cache miss - initialized with ${userRepos.length} repos (background refresh may add more)`);
+                }
+                // Get workspaces that aren't owned or membered
+                // Reuse ownedWorkspaceIds and add member workspace IDs
+                const knownWorkspaceIds = new Set([
+                    ...ownedWorkspaceIds,
+                    ...memberWorkspaceIds,
+                ]);
+                // Get all repo full names from user's accessible repos
+                for (const repo of userRepos) {
+                    // Find repos in our DB that match this full name (case-insensitive)
+                    const dbRepos = await db.repositories.findByGithubFullName(repo.fullName);
+                    if (dbRepos.length > 0) {
+                        console.log(`[workspaces/accessible] Found ${dbRepos.length} DB records for repo ${repo.fullName}`);
+                    }
+                    for (const dbRepo of dbRepos) {
+                        if (dbRepo.workspaceId && !knownWorkspaceIds.has(dbRepo.workspaceId)) {
+                            const ws = await db.workspaces.findById(dbRepo.workspaceId);
+                            if (ws) {
+                                console.log(`[workspaces/accessible] Granting contributor access to workspace ${ws.id.substring(0, 8)} via repo ${repo.fullName}`);
+                                // Determine permission level
+                                const permission = repo.permissions.admin
+                                    ? 'admin'
+                                    : repo.permissions.push
+                                        ? 'write'
+                                        : 'read';
+                                contributorWorkspaces.push({ ...ws, accessPermission: permission });
+                                knownWorkspaceIds.add(ws.id);
+                            }
+                        }
+                        else if (!dbRepo.workspaceId) {
+                            console.log(`[workspaces/accessible] Repo ${repo.fullName} found in DB but has no workspaceId`);
+                        }
+                    }
+                }
+                console.log(`[workspaces/accessible] Found ${contributorWorkspaces.length} contributor workspaces (cache: ${cacheStatus})`);
+            }
+            catch (err) {
+                console.warn('[workspaces/accessible] Failed to check GitHub repo access:', err);
+                // Continue without contributor workspaces
+            }
+        }
+        else {
+            console.log(`[workspaces/accessible] User ${userId.substring(0, 8)} has no nangoConnectionId - skipping GitHub repo access check`);
+        }
+        // Format response - include all fields the dashboard expects
+        const formatWorkspace = (ws, accessType, permission) => ({
+            id: ws.id,
+            name: ws.name,
+            status: ws.status,
+            publicUrl: ws.publicUrl,
+            providers: ws.config?.providers,
+            repositories: ws.config?.repositories,
+            accessType,
+            permission: permission || (accessType === 'owner' ? 'admin' : 'read'),
+            createdAt: ws.createdAt,
+        });
+        res.json({
+            workspaces: [
+                ...ownedWorkspaces.map((w) => formatWorkspace(w, 'owner', 'admin')),
+                ...memberWorkspaces.map((w) => {
+                    const membership = memberships.find((m) => m.workspaceId === w.id);
+                    return formatWorkspace(w, 'member', membership?.role);
+                }),
+                ...contributorWorkspaces.map((w) => formatWorkspace(w, 'contributor', w.accessPermission)),
+            ],
+            summary: {
+                owned: ownedWorkspaces.length,
+                member: memberWorkspaces.length,
+                contributor: contributorWorkspaces.length,
+                total: ownedWorkspaces.length + memberWorkspaces.length + contributorWorkspaces.length,
+            },
+        });
+    }
+    catch (error) {
+        console.error('Error getting accessible workspaces:', error);
+        res.status(500).json({ error: 'Failed to get accessible workspaces' });
+    }
+});
 /**
  * GET /api/workspaces/:id
  * Get workspace details
+ * Uses requireWorkspaceAccess middleware for auto-access via GitHub repos
  */
-workspacesRouter.get('/:id', async (req, res) => {
-    const userId = req.session.userId;
+workspacesRouter.get('/:id', requireWorkspaceAccess, async (req, res) => {
     const { id } = req.params;
+    const _workspaceAccess = req.workspaceAccess;
     try {
         const workspace = await db.workspaces.findById(id);
         if (!workspace) {
             return res.status(404).json({ error: 'Workspace not found' });
         }
-        if (workspace.userId !== userId) {
-            return res.status(403).json({ error: 'Unauthorized' });
-        }
         // Get repositories assigned to this workspace
         const repositories = await db.repositories.findByWorkspaceId(id);
         res.json({
@@ -387,6 +902,236 @@ workspacesRouter.post('/:id/repos', async (req, res) => {
         res.status(500).json({ error: 'Failed to add repositories' });
     }
 });
+/**
+ * GET /api/workspaces/:id/repos
+ * List repositories linked to a workspace
+ */
+workspacesRouter.get('/:id/repos', async (req, res) => {
+    const userId = req.session.userId;
+    const { id } = req.params;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Check access (owner, member, or contributor)
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        // Get repos linked to this workspace
+        const repos = await db.repositories.findByWorkspaceId(id);
+        res.json({
+            repositories: repos.map(r => ({
+                id: r.id,
+                githubFullName: r.githubFullName,
+                defaultBranch: r.defaultBranch,
+                isPrivate: r.isPrivate,
+                syncStatus: r.syncStatus,
+                lastSyncedAt: r.lastSyncedAt,
+            })),
+        });
+    }
+    catch (error) {
+        console.error('Error listing workspace repos:', error);
+        res.status(500).json({ error: 'Failed to list repositories' });
+    }
+});
+/**
+ * GET /api/workspaces/:id/repo-collaborators
+ * Get all collaborators from repos linked to this workspace
+ * These are users who have access via GitHub repo permissions (grandfathered in)
+ */
+workspacesRouter.get('/:id/repo-collaborators', async (req, res) => {
+    const userId = req.session.userId;
+    const { id } = req.params;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Check access (owner, member, or contributor)
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Unauthorized' });
+        }
+        // Get repos linked to this workspace
+        const repos = await db.repositories.findByWorkspaceId(id);
+        if (repos.length === 0) {
+            return res.json({ collaborators: [] });
+        }
+        // Find a repo with a Nango connection (GitHub App)
+        const repoWithConnection = repos.find(r => r.nangoConnectionId);
+        if (!repoWithConnection?.nangoConnectionId) {
+            return res.json({
+                collaborators: [],
+                message: 'GitHub App not connected for this workspace',
+            });
+        }
+        // Get the workspace owner for filtering
+        const owner = await db.users.findById(workspace.userId);
+        // Fetch collaborators for each repo and deduplicate
+        const collaboratorsMap = new Map();
+        // Get existing workspace members to exclude them
+        const existingMembers = await db.workspaceMembers.findByWorkspaceId(id);
+        // Also get the workspace owner's GitHub ID to exclude
+        const ownerGithubId = owner?.githubId ? Number(owner.githubId) : null;
+        for (const repo of repos) {
+            // Use this repo's connection if it has one, otherwise use the shared connection
+            const connectionId = repo.nangoConnectionId || repoWithConnection.nangoConnectionId;
+            if (!connectionId)
+                continue;
+            try {
+                const [repoOwner, repoName] = repo.githubFullName.split('/');
+                const collabs = await nangoService.listRepoCollaborators(connectionId, repoOwner, repoName);
+                for (const collab of collabs) {
+                    // Skip the workspace owner
+                    if (ownerGithubId && collab.id === ownerGithubId) {
+                        continue;
+                    }
+                    const existing = collaboratorsMap.get(collab.id);
+                    if (existing) {
+                        // Add this repo to their list
+                        if (!existing.repos.includes(repo.githubFullName)) {
+                            existing.repos.push(repo.githubFullName);
+                        }
+                        // Upgrade permission if this repo gives higher access
+                        if (collab.permission === 'admin' && existing.permission !== 'admin') {
+                            existing.permission = 'admin';
+                        }
+                        else if (collab.permission === 'write' && existing.permission === 'read') {
+                            existing.permission = 'write';
+                        }
+                    }
+                    else {
+                        collaboratorsMap.set(collab.id, {
+                            id: collab.id,
+                            login: collab.login,
+                            avatarUrl: collab.avatarUrl,
+                            permission: collab.permission,
+                            repos: [repo.githubFullName],
+                        });
+                    }
+                }
+            }
+            catch (err) {
+                console.warn(`[workspace-collaborators] Failed to fetch collaborators for ${repo.githubFullName}:`, err);
+                // Continue with other repos
+            }
+        }
+        // Filter out users who are already workspace members
+        // We need to check by GitHub username since we don't have their user IDs
+        const workspaceMemberUsernames = new Set();
+        for (const member of existingMembers) {
+            const memberUser = await db.users.findById(member.userId);
+            if (memberUser?.githubUsername) {
+                workspaceMemberUsernames.add(memberUser.githubUsername.toLowerCase());
+            }
+        }
+        // Also add workspace owner
+        if (owner?.githubUsername) {
+            workspaceMemberUsernames.add(owner.githubUsername.toLowerCase());
+        }
+        const collaborators = Array.from(collaboratorsMap.values())
+            .filter(c => !workspaceMemberUsernames.has(c.login.toLowerCase()))
+            .sort((a, b) => {
+            // Sort by permission level (admin > write > read), then by username
+            const permOrder = { admin: 0, write: 1, read: 2, none: 3 };
+            if (permOrder[a.permission] !== permOrder[b.permission]) {
+                return permOrder[a.permission] - permOrder[b.permission];
+            }
+            return a.login.localeCompare(b.login);
+        });
+        res.json({
+            collaborators,
+            totalRepos: repos.length,
+        });
+    }
+    catch (error) {
+        console.error('Error fetching repo collaborators:', error);
+        res.status(500).json({ error: 'Failed to fetch collaborators' });
+    }
+});
+/**
+ * DELETE /api/workspaces/:id/repos/:repoId
+ * Remove a repository from a workspace
+ */
+workspacesRouter.delete('/:id/repos/:repoId', async (req, res) => {
+    const userId = req.session.userId;
+    const { id, repoId } = req.params;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Only owner can remove repos
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Only workspace owner can remove repositories' });
+        }
+        // Unlink repo from workspace (set workspaceId to null)
+        await db.repositories.assignToWorkspace(repoId, null);
+        // Also update workspace config to remove from repositories array
+        const currentRepos = workspace.config.repositories || [];
+        const repo = await db.repositories.findById(repoId);
+        if (repo) {
+            const updatedRepos = currentRepos.filter(r => r.toLowerCase() !== repo.githubFullName.toLowerCase());
+            await db.workspaces.update(id, {
+                config: { ...workspace.config, repositories: updatedRepos },
+            });
+        }
+        res.json({ success: true, message: 'Repository removed from workspace' });
+    }
+    catch (error) {
+        console.error('Error removing repo from workspace:', error);
+        res.status(500).json({ error: 'Failed to remove repository' });
+    }
+});
+/**
+ * PATCH /api/workspaces/:id
+ * Update workspace settings (name, etc.)
+ */
+workspacesRouter.patch('/:id', async (req, res) => {
+    const userId = req.session.userId;
+    const { id } = req.params;
+    const { name } = req.body;
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Only owner can rename
+        if (workspace.userId !== userId) {
+            return res.status(403).json({ error: 'Only workspace owner can update settings' });
+        }
+        // Validate name if provided
+        if (name !== undefined) {
+            if (typeof name !== 'string' || name.trim().length === 0) {
+                return res.status(400).json({ error: 'Name must be a non-empty string' });
+            }
+            if (name.length > 100) {
+                return res.status(400).json({ error: 'Name must be 100 characters or less' });
+            }
+        }
+        // Update workspace
+        await db.workspaces.update(id, {
+            ...(name && { name: name.trim() }),
+        });
+        const updated = await db.workspaces.findById(id);
+        res.json({
+            success: true,
+            workspace: {
+                id: updated.id,
+                name: updated.name,
+                status: updated.status,
+                publicUrl: updated.publicUrl,
+            },
+        });
+    }
+    catch (error) {
+        console.error('Error updating workspace:', error);
+        res.status(500).json({ error: 'Failed to update workspace' });
+    }
+});
 /**
  * POST /api/workspaces/:id/autoscale
  * Trigger auto-scaling based on current agent count
@@ -675,8 +1420,19 @@ workspacesRouter.all('/:id/proxy/{*proxyPath}', async (req, res) => {
         if (!workspace) {
             return res.status(404).json({ error: 'Workspace not found' });
         }
+        // Check if user is owner or has workspace membership
         if (workspace.userId !== userId) {
-            return res.status(403).json({ error: 'Unauthorized' });
+            // Check workspace membership
+            const membership = await db.workspaceMembers.findMembership(id, userId);
+            if (!membership || !membership.acceptedAt) {
+                return res.status(403).json({ error: 'Unauthorized - not a workspace member' });
+            }
+            // Viewers can only proxy read-only requests
+            if (membership.role === 'viewer' && req.method !== 'GET') {
+                return res.status(403).json({ error: 'Viewers can only make read-only requests' });
+            }
+            // Members and admins can read and write
+            // For now, allow all proxy requests for members and admins
         }
         if (workspace.status !== 'running' || !workspace.publicUrl) {
             return res.status(400).json({ error: 'Workspace is not running' });
@@ -705,8 +1461,9 @@ workspacesRouter.all('/:id/proxy/{*proxyPath}', async (req, res) => {
         // Store targetUrl for error handling
         req._proxyTargetUrl = targetUrl;
         // Add timeout to prevent hanging requests
+        // 45s timeout to accommodate Fly.io machine cold starts (can take 20-30s)
         const controller = new AbortController();
-        const timeout = setTimeout(() => controller.abort(), 15000); // 15s timeout
+        const timeout = setTimeout(() => controller.abort(), 45000);
         const fetchOptions = {
             method: req.method,
             headers: {
@@ -744,7 +1501,7 @@ workspacesRouter.all('/:id/proxy/{*proxyPath}', async (req, res) => {
         if (error instanceof Error && error.name === 'AbortError') {
             res.status(504).json({
                 error: 'Workspace request timed out',
-                details: 'The workspace did not respond within 15 seconds',
+                details: 'The workspace did not respond within 45 seconds',
                 targetUrl: targetUrl,
             });
             return;
@@ -766,6 +1523,156 @@ workspacesRouter.all('/:id/proxy/{*proxyPath}', async (req, res) => {
         });
     }
 });
+// ============================================================================
+// Agent Management (proxied to workspace daemon)
+// ============================================================================
+/**
+ * POST /api/workspaces/:id/agents
+ * Spawn an agent in the workspace
+ * Proxies to workspace daemon's /workspaces/:id/agents endpoint
+ */
+workspacesRouter.post('/:id/agents', async (req, res) => {
+    const userId = req.session.userId;
+    const { id } = req.params;
+    const { name, provider, task, temporary, interactive } = req.body;
+    if (!userId) {
+        return res.status(401).json({ error: 'Not authenticated' });
+    }
+    if (!name) {
+        return res.status(400).json({ error: 'Agent name is required' });
+    }
+    try {
+        // Find workspace and verify access
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        // Check access
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Access denied to this workspace' });
+        }
+        // Ensure workspace is running
+        if (workspace.status !== 'running' || !workspace.publicUrl) {
+            return res.status(400).json({
+                error: 'Workspace is not running',
+                status: workspace.status,
+            });
+        }
+        // Proxy to workspace dashboard server's /api/spawn endpoint
+        // The dashboard server expects 'cli' field (not 'provider')
+        const targetUrl = `${workspace.publicUrl.replace(/\/$/, '')}/api/spawn`;
+        console.log(`[workspaces] Proxying agent spawn to: ${targetUrl}`);
+        const response = await fetch(targetUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                name,
+                cli: provider || 'claude', // Map provider to cli
+                task: task || '', // Empty task = interactive mode, user responds to prompts
+                interactive: interactive ?? true, // Default to interactive for setup flows
+            }),
+            signal: AbortSignal.timeout(30000),
+        });
+        const data = await response.json();
+        if (!response.ok) {
+            return res.status(response.status).json(data);
+        }
+        res.status(201).json(data);
+    }
+    catch (error) {
+        console.error('[workspaces] Agent spawn error:', error);
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        if (errorMessage.includes('ECONNREFUSED') || errorMessage.includes('fetch failed')) {
+            return res.status(503).json({
+                error: 'Workspace is not reachable',
+                details: 'The workspace container may not be running',
+            });
+        }
+        res.status(500).json({
+            error: 'Failed to spawn agent',
+            details: errorMessage,
+        });
+    }
+});
+/**
+ * GET /api/workspaces/:id/agents
+ * List agents in the workspace
+ */
+workspacesRouter.get('/:id/agents', async (req, res) => {
+    const userId = req.session.userId;
+    const { id } = req.params;
+    if (!userId) {
+        return res.status(401).json({ error: 'Not authenticated' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Access denied' });
+        }
+        if (workspace.status !== 'running' || !workspace.publicUrl) {
+            return res.status(200).json({ agents: [], workspaceId: id });
+        }
+        // Use dashboard server's /api/spawned endpoint
+        const targetUrl = `${workspace.publicUrl.replace(/\/$/, '')}/api/spawned`;
+        const response = await fetch(targetUrl, {
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            return res.status(200).json({ agents: [], workspaceId: id });
+        }
+        const data = await response.json();
+        // Transform to expected format
+        res.json({ agents: data.agents || [], workspaceId: id });
+    }
+    catch (error) {
+        console.error('[workspaces] List agents error:', error);
+        res.status(200).json({ agents: [], workspaceId: id });
+    }
+});
+/**
+ * DELETE /api/workspaces/:id/agents/:agentName
+ * Stop an agent in the workspace
+ */
+workspacesRouter.delete('/:id/agents/:agentName', async (req, res) => {
+    const userId = req.session.userId;
+    const { id, agentName } = req.params;
+    if (!userId) {
+        return res.status(401).json({ error: 'Not authenticated' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(id);
+        if (!workspace) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        const accessResult = await checkWorkspaceAccess(userId, id);
+        if (!accessResult.hasAccess) {
+            return res.status(403).json({ error: 'Access denied' });
+        }
+        if (workspace.status !== 'running' || !workspace.publicUrl) {
+            return res.status(400).json({ error: 'Workspace is not running' });
+        }
+        // Use dashboard server's /api/spawned/:name endpoint
+        const targetUrl = `${workspace.publicUrl.replace(/\/$/, '')}/api/spawned/${encodeURIComponent(agentName)}`;
+        const response = await fetch(targetUrl, {
+            method: 'DELETE',
+            signal: AbortSignal.timeout(10000),
+        });
+        if (response.status === 204) {
+            return res.status(204).send();
+        }
+        const data = await response.json();
+        res.status(response.status).json(data);
+    }
+    catch (error) {
+        console.error('[workspaces] Stop agent error:', error);
+        res.status(500).json({ error: 'Failed to stop agent' });
+    }
+});
 /**
  * POST /api/workspaces/quick
  * Quick provision: one-click with defaults
@@ -778,6 +1685,29 @@ workspacesRouter.post('/quick', checkWorkspaceLimit, async (req, res) => {
         return res.status(400).json({ error: 'Repository name is required' });
     }
     try {
+        // Check if a workspace already exists for this repo
+        // If so, check if user has access and return it instead of creating a duplicate
+        const existingRepos = await db.repositories.findByGithubFullName(repositoryFullName);
+        for (const existingRepo of existingRepos) {
+            if (existingRepo.workspaceId) {
+                // Check if user has access to this workspace
+                const accessResult = await checkWorkspaceAccess(userId, existingRepo.workspaceId);
+                if (accessResult.hasAccess) {
+                    const existingWorkspace = await db.workspaces.findById(existingRepo.workspaceId);
+                    if (existingWorkspace) {
+                        console.log(`[workspaces/quick] User ${userId.substring(0, 8)} has access to existing workspace ${existingWorkspace.id.substring(0, 8)} for repo ${repositoryFullName}`);
+                        return res.status(200).json({
+                            workspaceId: existingWorkspace.id,
+                            status: existingWorkspace.status,
+                            publicUrl: existingWorkspace.publicUrl,
+                            existingWorkspace: true,
+                            accessType: accessResult.accessType,
+                            message: `You already have ${accessResult.accessType} access to a workspace for this repository.`,
+                        });
+                    }
+                }
+            }
+        }
         // Get user's connected providers (optional now)
         const credentials = await db.credentials.findByUserId(userId);
         const providers = credentials