agent-relay 1.2.3 → 1.3.0

package/dist/cloud/server.js

@@ -8,13 +8,14 @@ import helmet from 'helmet';
 import crypto from 'crypto';
 import path from 'node:path';
 import http from 'node:http';
+import fs from 'node:fs';
 import { fileURLToPath } from 'node:url';
 import { createClient } from 'redis';
 import { RedisStore } from 'connect-redis';
 import { WebSocketServer, WebSocket } from 'ws';
 import { getConfig } from './config.js';
 import { runMigrations } from './db/index.js';
-import { getScalingOrchestrator } from './services/index.js';
+import { getScalingOrchestrator, getComputeEnforcementService, getIntroExpirationService } from './services/index.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 // API routers
@@ -35,7 +36,9 @@ import { githubAppRouter } from './api/github-app.js';
 import { nangoAuthRouter } from './api/nango-auth.js';
 import { gitRouter } from './api/git.js';
 import { codexAuthHelperRouter } from './api/codex-auth-helper.js';
+import { adminRouter } from './api/admin.js';
 import { db } from './db/index.js';
+import { validateSshSecurityConfig } from './services/ssh-security.js';
 /**
  * Proxy a request to the user's primary running workspace
  */
@@ -66,6 +69,8 @@ async function proxyToUserWorkspace(req, res, path) {
 }
 export async function createServer() {
     const config = getConfig();
+    // Validate security configuration at startup
+    validateSshSecurityConfig();
     const app = express();
     app.set('trust proxy', 1);
     // Redis client for sessions
@@ -226,27 +231,37 @@ export async function createServer() {
         res.json({ status: 'ok', timestamp: new Date().toISOString() });
     });
     // API routes
-    app.use('/api/auth', authRouter);
+    //
+    // IMPORTANT: Route order matters! Routes with non-session auth (webhooks, API keys, tokens)
+    // must be mounted BEFORE teamsRouter, which catches all /api/* with requireAuth.
+    //
+    // --- Routes with alternative auth (must be before teamsRouter) ---
+    app.use('/api/auth', authRouter); // Login endpoints (public)
+    app.use('/api/auth/nango', nangoAuthRouter); // Nango webhook (signature verification)
+    app.use('/api/auth/codex-helper', codexAuthHelperRouter);
+    app.use('/api/git', gitRouter); // Workspace token auth
+    app.use('/api/webhooks', webhooksRouter); // GitHub webhooks (signature verification)
+    app.use('/api/monitoring', monitoringRouter); // Daemon API key auth endpoints
+    app.use('/api/daemons', daemonsRouter); // Daemon API key auth endpoints
+    app.use('/api/admin', adminRouter); // Admin API secret auth
+    // --- Routes with session auth ---
     app.use('/api/providers', providersRouter);
     app.use('/api/workspaces', workspacesRouter);
     app.use('/api/repos', reposRouter);
     app.use('/api/onboarding', onboardingRouter);
-    app.use('/api/teams', teamsRouter);
     app.use('/api/billing', billingRouter);
     app.use('/api/usage', usageRouter);
     app.use('/api/project-groups', coordinatorsRouter);
-    app.use('/api/daemons', daemonsRouter);
-    app.use('/api/monitoring', monitoringRouter);
-    app.use('/api/webhooks', webhooksRouter);
     app.use('/api/github-app', githubAppRouter);
-    app.use('/api/auth/nango', nangoAuthRouter);
-    app.use('/api/auth/codex-helper', codexAuthHelperRouter);
-    app.use('/api/git', gitRouter);
     // Test helper routes (only available in non-production)
+    // MUST be before teamsRouter to avoid auth interception
     if (process.env.NODE_ENV !== 'production') {
         app.use('/api/test', testHelpersRouter);
         console.log('[cloud] Test helper routes enabled (non-production mode)');
     }
+    // Teams router - MUST BE LAST among /api routes
+    // Handles /workspaces/:id/members and /invites with requireAuth on all routes
+    app.use('/api', teamsRouter);
     // Trajectory proxy routes - auto-detect user's workspace and forward
     // These are convenience routes so the dashboard doesn't need to know the workspace ID
     app.get('/api/trajectory', requireAuth, async (req, res) => {
@@ -264,17 +279,29 @@ export async function createServer() {
     // Serve static dashboard files (Next.js static export)
     // Path: dist/cloud/server.js -> ../../src/dashboard/out
     const dashboardPath = path.join(__dirname, '../../src/dashboard/out');
-    // Serve static files with .html extension fallback for clean URLs
-    // e.g., /signup will try /signup.html
-    app.use(express.static(dashboardPath, { extensions: ['html'] }));
-    // SPA fallback - serve index.html for all non-API routes that don't match static files
-    // Express 5 requires named wildcard params instead of bare '*'
+    // Serve static files (JS, CSS, images, etc.)
+    app.use(express.static(dashboardPath));
+    // Handle clean URLs for Next.js static export
+    // When a directory exists (e.g., /app/), express.static won't serve app.html
+    // So we need to explicitly check for .html files
     app.get('/{*splat}', (req, res, next) => {
-        // Don't serve index.html for API routes
+        // Don't handle API routes
         if (req.path.startsWith('/api/')) {
             return next();
         }
-        res.sendFile(path.join(dashboardPath, 'index.html'));
+        // Clean the path (remove trailing slash)
+        const cleanPath = req.path.replace(/\/$/, '') || '/';
+        // Try to serve the corresponding .html file
+        const htmlFile = cleanPath === '/' ? 'index.html' : `${cleanPath}.html`;
+        const htmlPath = path.join(dashboardPath, htmlFile);
+        // Check if the HTML file exists
+        if (fs.existsSync(htmlPath)) {
+            res.sendFile(htmlPath);
+        }
+        else {
+            // Fallback to index.html for SPA-style routing
+            res.sendFile(path.join(dashboardPath, 'index.html'));
+        }
     });
     // Error handler
     app.use((err, req, res, _next) => {
@@ -287,6 +314,8 @@ export async function createServer() {
     // Server lifecycle
     let server = null;
     let scalingOrchestrator = null;
+    let computeEnforcement = null;
+    let introExpiration = null;
     // Create HTTP server for WebSocket upgrade handling
     const httpServer = http.createServer(app);
     // ===== Presence WebSocket =====
@@ -318,6 +347,77 @@ export async function createServer() {
             return false;
         }
     };
+    // WebSocket server for agent logs (proxied to workspace daemon)
+    const wssLogs = new WebSocketServer({ noServer: true, perMessageDeflate: false });
+    // Handle agent logs WebSocket connections
+    wssLogs.on('connection', async (clientWs, workspaceId, agentName) => {
+        console.log(`[ws/logs] Client connected for workspace=${workspaceId} agent=${agentName}`);
+        let daemonWs = null;
+        try {
+            // Find the workspace
+            const workspace = await db.workspaces.findById(workspaceId);
+            if (!workspace || !workspace.publicUrl) {
+                clientWs.send(JSON.stringify({ type: 'error', message: 'Workspace not found or not running' }));
+                clientWs.close();
+                return;
+            }
+            // Connect to workspace daemon WebSocket
+            // The workspace runs the dashboard server which expects /ws/logs path
+            const baseUrl = workspace.publicUrl.replace(/^http/, 'ws').replace(/\/$/, '');
+            const daemonWsUrl = `${baseUrl}/ws/logs/${encodeURIComponent(agentName)}`;
+            console.log(`[ws/logs] Connecting to daemon: ${daemonWsUrl}`);
+            daemonWs = new WebSocket(daemonWsUrl, { perMessageDeflate: false });
+            daemonWs.on('open', () => {
+                console.log(`[ws/logs] Connected to daemon for ${agentName}`);
+                // Note: No need to send subscribe message - the agent name in the URL path
+                // triggers auto-subscription in the dashboard server
+            });
+            daemonWs.on('message', (data) => {
+                // Forward daemon messages to client
+                if (clientWs.readyState === WebSocket.OPEN) {
+                    clientWs.send(data.toString());
+                }
+            });
+            daemonWs.on('close', () => {
+                console.log(`[ws/logs] Daemon connection closed for ${agentName}`);
+                if (clientWs.readyState === WebSocket.OPEN) {
+                    clientWs.close();
+                }
+            });
+            daemonWs.on('error', (err) => {
+                console.error(`[ws/logs] Daemon WebSocket error:`, err);
+                if (clientWs.readyState === WebSocket.OPEN) {
+                    clientWs.send(JSON.stringify({ type: 'error', message: 'Daemon connection error' }));
+                    clientWs.close();
+                }
+            });
+            // Forward client messages to daemon (for user input)
+            clientWs.on('message', (data) => {
+                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
+                    daemonWs.send(data.toString());
+                }
+            });
+            clientWs.on('close', () => {
+                console.log(`[ws/logs] Client disconnected for ${agentName}`);
+                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
+                    daemonWs.close();
+                }
+            });
+            clientWs.on('error', (err) => {
+                console.error(`[ws/logs] Client WebSocket error:`, err);
+                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
+                    daemonWs.close();
+                }
+            });
+        }
+        catch (err) {
+            console.error(`[ws/logs] Setup error:`, err);
+            if (clientWs.readyState === WebSocket.OPEN) {
+                clientWs.send(JSON.stringify({ type: 'error', message: 'Failed to connect to workspace' }));
+                clientWs.close();
+            }
+        }
+    });
     // Handle HTTP upgrade for WebSocket
     httpServer.on('upgrade', (request, socket, head) => {
         const pathname = new URL(request.url || '', `http://${request.headers.host}`).pathname;
@@ -326,6 +426,20 @@ export async function createServer() {
                 wssPresence.emit('connection', ws, request);
             });
         }
+        else if (pathname.startsWith('/ws/logs/')) {
+            // Parse /ws/logs/:workspaceId/:agentName
+            const parts = pathname.split('/').filter(Boolean);
+            if (parts.length >= 4) {
+                const workspaceId = decodeURIComponent(parts[2]);
+                const agentName = decodeURIComponent(parts[3]);
+                wssLogs.handleUpgrade(request, socket, head, (ws) => {
+                    wssLogs.emit('connection', ws, workspaceId, agentName);
+                });
+            }
+            else {
+                socket.destroy();
+            }
+        }
         else {
             // Unknown WebSocket path - destroy socket
             socket.destroy();
@@ -512,6 +626,24 @@ export async function createServer() {
                     console.warn('[cloud] Failed to initialize scaling orchestrator:', error);
                     // Non-fatal - server can run without auto-scaling
                 }
+                // Start compute enforcement service (checks every 15 min)
+                try {
+                    computeEnforcement = getComputeEnforcementService();
+                    computeEnforcement.start();
+                    console.log('[cloud] Compute enforcement service started');
+                }
+                catch (error) {
+                    console.warn('[cloud] Failed to start compute enforcement:', error);
+                }
+                // Start intro expiration service (checks every hour for expired intro periods)
+                try {
+                    introExpiration = getIntroExpirationService();
+                    introExpiration.start();
+                    console.log('[cloud] Intro expiration service started');
+                }
+                catch (error) {
+                    console.warn('[cloud] Failed to start intro expiration:', error);
+                }
             }
             return new Promise((resolve) => {
                 server = httpServer.listen(config.port, () => {
@@ -527,6 +659,14 @@ export async function createServer() {
             if (scalingOrchestrator) {
                 await scalingOrchestrator.shutdown();
             }
+            // Stop compute enforcement service
+            if (computeEnforcement) {
+                computeEnforcement.stop();
+            }
+            // Stop intro expiration service
+            if (introExpiration) {
+                introExpiration.stop();
+            }
             // Close WebSocket server
             wssPresence.close();
             if (server) {

package/dist/cloud/services/compute-enforcement.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Compute Enforcement Service
+ *
+ * Enforces compute hour limits for free tier users.
+ * Runs periodically to check usage and stop workspaces that have exceeded limits.
+ */
+import { PlanType } from '../db/index.js';
+export interface ComputeEnforcementConfig {
+    enabled: boolean;
+    checkIntervalMs: number;
+    warningThresholdPercent: number;
+}
+export interface EnforcementResult {
+    userId: string;
+    plan: PlanType;
+    computeHoursUsed: number;
+    computeHoursLimit: number;
+    action: 'none' | 'warning' | 'stopped';
+    workspacesStopped: string[];
+}
+export declare class ComputeEnforcementService {
+    private config;
+    private checkTimer;
+    private isRunning;
+    constructor(config?: Partial<ComputeEnforcementConfig>);
+    /**
+     * Start the enforcement service
+     */
+    start(): void;
+    /**
+     * Stop the enforcement service
+     */
+    stop(): void;
+    /**
+     * Run enforcement check for all free tier users
+     */
+    runEnforcement(): Promise<EnforcementResult[]>;
+    /**
+     * Enforce limits for a specific user
+     */
+    enforceUserLimits(userId: string): Promise<EnforcementResult>;
+    /**
+     * Manually trigger enforcement for a specific user
+     */
+    enforceUser(userId: string): Promise<EnforcementResult>;
+    /**
+     * Get service status
+     */
+    getStatus(): {
+        enabled: boolean;
+        isRunning: boolean;
+        checkIntervalMs: number;
+    };
+}
+export declare function getComputeEnforcementService(): ComputeEnforcementService;
+export declare function createComputeEnforcementService(config?: Partial<ComputeEnforcementConfig>): ComputeEnforcementService;
+//# sourceMappingURL=compute-enforcement.d.ts.map

package/dist/cloud/services/compute-enforcement.js

@@ -0,0 +1,175 @@
+/**
+ * Compute Enforcement Service
+ *
+ * Enforces compute hour limits for free tier users.
+ * Runs periodically to check usage and stop workspaces that have exceeded limits.
+ */
+import { db } from '../db/index.js';
+import { getProvisioner } from '../provisioner/index.js';
+import { getUserUsage, PLAN_LIMITS } from './planLimits.js';
+const DEFAULT_CONFIG = {
+    enabled: true,
+    checkIntervalMs: 15 * 60 * 1000, // 15 minutes
+    warningThresholdPercent: 80,
+};
+export class ComputeEnforcementService {
+    config;
+    checkTimer = null;
+    isRunning = false;
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    /**
+     * Start the enforcement service
+     */
+    start() {
+        if (!this.config.enabled) {
+            console.log('[compute-enforcement] Service disabled');
+            return;
+        }
+        if (this.isRunning) {
+            console.warn('[compute-enforcement] Service already running');
+            return;
+        }
+        this.isRunning = true;
+        console.log(`[compute-enforcement] Started (checking every ${this.config.checkIntervalMs / 1000}s)`);
+        // Run immediately on start
+        this.runEnforcement().catch((err) => {
+            console.error('[compute-enforcement] Initial run failed:', err);
+        });
+        // Then run periodically
+        this.checkTimer = setInterval(() => {
+            this.runEnforcement().catch((err) => {
+                console.error('[compute-enforcement] Periodic run failed:', err);
+            });
+        }, this.config.checkIntervalMs);
+    }
+    /**
+     * Stop the enforcement service
+     */
+    stop() {
+        if (this.checkTimer) {
+            clearInterval(this.checkTimer);
+            this.checkTimer = null;
+        }
+        this.isRunning = false;
+        console.log('[compute-enforcement] Stopped');
+    }
+    /**
+     * Run enforcement check for all free tier users
+     */
+    async runEnforcement() {
+        const results = [];
+        try {
+            // Get all users on free tier
+            const freeUsers = await db.users.findByPlan('free');
+            console.log(`[compute-enforcement] Checking ${freeUsers.length} free tier users`);
+            for (const user of freeUsers) {
+                try {
+                    const result = await this.enforceUserLimits(user.id);
+                    results.push(result);
+                    if (result.action !== 'none') {
+                        console.log(`[compute-enforcement] User ${user.id.substring(0, 8)}: ${result.action} ` +
+                            `(${result.computeHoursUsed.toFixed(2)}/${result.computeHoursLimit}h)`);
+                    }
+                }
+                catch (err) {
+                    console.error(`[compute-enforcement] Error for user ${user.id}:`, err);
+                }
+            }
+            const stopped = results.filter((r) => r.action === 'stopped').length;
+            const warned = results.filter((r) => r.action === 'warning').length;
+            if (stopped > 0 || warned > 0) {
+                console.log(`[compute-enforcement] Summary: ${stopped} stopped, ${warned} warned, ` +
+                    `${results.length - stopped - warned} ok`);
+            }
+        }
+        catch (err) {
+            console.error('[compute-enforcement] Failed to run enforcement:', err);
+        }
+        return results;
+    }
+    /**
+     * Enforce limits for a specific user
+     */
+    async enforceUserLimits(userId) {
+        const user = await db.users.findById(userId);
+        const plan = user?.plan || 'free';
+        const limits = PLAN_LIMITS[plan];
+        const usage = await getUserUsage(userId);
+        const result = {
+            userId,
+            plan,
+            computeHoursUsed: usage.computeHoursThisMonth,
+            computeHoursLimit: limits.maxComputeHoursPerMonth,
+            action: 'none',
+            workspacesStopped: [],
+        };
+        // Skip if user has unlimited compute (paid plans may have high limits)
+        if (limits.maxComputeHoursPerMonth === Infinity) {
+            return result;
+        }
+        // Check if user has exceeded limit
+        if (usage.computeHoursThisMonth >= limits.maxComputeHoursPerMonth) {
+            // Stop all running workspaces
+            const workspaces = await db.workspaces.findByUserId(userId);
+            const runningWorkspaces = workspaces.filter((w) => w.status === 'running');
+            if (runningWorkspaces.length > 0) {
+                const provisioner = getProvisioner();
+                for (const workspace of runningWorkspaces) {
+                    try {
+                        await provisioner.stop(workspace.id);
+                        result.workspacesStopped.push(workspace.id);
+                        console.log(`[compute-enforcement] Stopped workspace ${workspace.id.substring(0, 8)} ` +
+                            `for user ${userId.substring(0, 8)} (limit exceeded)`);
+                    }
+                    catch (err) {
+                        console.error(`[compute-enforcement] Failed to stop workspace ${workspace.id}:`, err);
+                    }
+                }
+                result.action = 'stopped';
+                // TODO: Send notification email to user
+                // await sendLimitReachedEmail(userId, usage.computeHoursThisMonth, limits.maxComputeHoursPerMonth);
+            }
+        }
+        else {
+            // Check if approaching limit (warning)
+            const usagePercent = (usage.computeHoursThisMonth / limits.maxComputeHoursPerMonth) * 100;
+            if (usagePercent >= this.config.warningThresholdPercent) {
+                result.action = 'warning';
+                // TODO: Send warning email to user (once per day)
+                // await sendLimitWarningEmail(userId, usage.computeHoursThisMonth, limits.maxComputeHoursPerMonth);
+            }
+        }
+        return result;
+    }
+    /**
+     * Manually trigger enforcement for a specific user
+     */
+    async enforceUser(userId) {
+        return this.enforceUserLimits(userId);
+    }
+    /**
+     * Get service status
+     */
+    getStatus() {
+        return {
+            enabled: this.config.enabled,
+            isRunning: this.isRunning,
+            checkIntervalMs: this.config.checkIntervalMs,
+        };
+    }
+}
+// Singleton instance
+let _computeEnforcement = null;
+export function getComputeEnforcementService() {
+    if (!_computeEnforcement) {
+        _computeEnforcement = new ComputeEnforcementService();
+    }
+    return _computeEnforcement;
+}
+export function createComputeEnforcementService(config = {}) {
+    _computeEnforcement = new ComputeEnforcementService(config);
+    return _computeEnforcement;
+}
+//# sourceMappingURL=compute-enforcement.js.map

package/dist/cloud/services/index.d.ts

@@ -9,4 +9,6 @@ export { CapacityManager, CapacityManagerConfig, WorkspaceCapacity, PlacementRec
 export { ScalingOrchestrator, OrchestratorConfig, ScalingEvent, getScalingOrchestrator, createScalingOrchestrator, } from './scaling-orchestrator.js';
 export { spawnCIFixAgent, notifyAgentOfCIFailure, completeFixAttempt, getFailureHistory, getPRFailureHistory, } from './ci-agent-spawner.js';
 export { handleMention, handleIssueAssignment, getPendingMentions, getPendingIssueAssignments, processPendingMentions, processPendingIssueAssignments, KNOWN_AGENTS, isKnownAgent, } from './mention-handler.js';
+export { ComputeEnforcementService, ComputeEnforcementConfig, EnforcementResult, getComputeEnforcementService, createComputeEnforcementService, } from './compute-enforcement.js';
+export { IntroExpirationService, IntroExpirationConfig, IntroStatus, ExpirationResult as IntroExpirationResult, INTRO_PERIOD_DAYS, getIntroStatus, getIntroExpirationService, startIntroExpirationService, stopIntroExpirationService, } from './intro-expiration.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/cloud/services/index.js

@@ -12,4 +12,8 @@ export { ScalingOrchestrator, getScalingOrchestrator, createScalingOrchestrator,
 export { spawnCIFixAgent, notifyAgentOfCIFailure, completeFixAttempt, getFailureHistory, getPRFailureHistory, } from './ci-agent-spawner.js';
 // Issue and mention handling
 export { handleMention, handleIssueAssignment, getPendingMentions, getPendingIssueAssignments, processPendingMentions, processPendingIssueAssignments, KNOWN_AGENTS, isKnownAgent, } from './mention-handler.js';
+// Compute enforcement (free tier limits)
+export { ComputeEnforcementService, getComputeEnforcementService, createComputeEnforcementService, } from './compute-enforcement.js';
+// Intro expiration (auto-resize after free tier intro period)
+export { IntroExpirationService, INTRO_PERIOD_DAYS, getIntroStatus, getIntroExpirationService, startIntroExpirationService, stopIntroExpirationService, } from './intro-expiration.js';
 //# sourceMappingURL=index.js.map

package/dist/cloud/services/intro-expiration.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Intro Expiration Service
+ *
+ * Handles auto-resize of workspaces when the free tier introductory period expires.
+ * Free users get Pro-level resources (2 CPU / 4GB) for the first 14 days,
+ * then get automatically downsized to standard free tier (1 CPU / 2GB).
+ */
+export declare const INTRO_PERIOD_DAYS = 14;
+export interface IntroExpirationConfig {
+    enabled: boolean;
+    checkIntervalMs: number;
+}
+export interface IntroStatus {
+    isIntroPeriod: boolean;
+    daysRemaining: number;
+    introPeriodDays: number;
+    expiresAt: Date | null;
+}
+export interface ExpirationResult {
+    userId: string;
+    workspaceId: string;
+    workspaceName: string;
+    action: 'resized' | 'skipped' | 'error';
+    reason?: string;
+}
+/**
+ * Get intro period status for a user
+ */
+export declare function getIntroStatus(userCreatedAt: Date | string | null, plan: string): IntroStatus;
+export declare class IntroExpirationService {
+    private config;
+    private checkTimer;
+    private isRunning;
+    constructor(config?: Partial<IntroExpirationConfig>);
+    /**
+     * Start the expiration service
+     */
+    start(): void;
+    /**
+     * Stop the expiration service
+     */
+    stop(): void;
+    /**
+     * Run expiration check for all free tier users with expired intro periods
+     */
+    runExpirationCheck(): Promise<ExpirationResult[]>;
+    /**
+     * Check and resize workspaces for a user whose intro period has expired
+     */
+    private checkAndResizeUserWorkspaces;
+}
+export declare function getIntroExpirationService(): IntroExpirationService;
+export declare function startIntroExpirationService(): void;
+export declare function stopIntroExpirationService(): void;
+//# sourceMappingURL=intro-expiration.d.ts.map