npm - agent-relay - Versions diffs - 1.2.3 → 1.3.1 - Mend

agent-relay 1.2.3 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (189) hide show

package/.trajectories/agent-relay-322-324.md +17 -0
package/.trajectories/completed/2026-01/traj_03zupyv1s7b9.json +49 -0
package/.trajectories/completed/2026-01/traj_03zupyv1s7b9.md +31 -0
package/.trajectories/completed/2026-01/traj_0zacdjl1g4ht.json +125 -0
package/.trajectories/completed/2026-01/traj_0zacdjl1g4ht.md +62 -0
package/.trajectories/completed/2026-01/traj_33iuy72sezbk.json +49 -0
package/.trajectories/completed/2026-01/traj_33iuy72sezbk.md +31 -0
package/.trajectories/completed/2026-01/traj_5ammh5qtvklq.json +77 -0
package/.trajectories/completed/2026-01/traj_5ammh5qtvklq.md +42 -0
package/.trajectories/completed/2026-01/traj_6mieijqyvaag.json +77 -0
package/.trajectories/completed/2026-01/traj_6mieijqyvaag.md +42 -0
package/.trajectories/completed/2026-01/traj_78ffm31jn3uk.json +77 -0
package/.trajectories/completed/2026-01/traj_78ffm31jn3uk.md +42 -0
package/.trajectories/completed/2026-01/traj_94gnp3k30goq.json +66 -0
package/.trajectories/completed/2026-01/traj_94gnp3k30goq.md +36 -0
package/.trajectories/completed/2026-01/traj_avqeghu6pz5a.json +40 -0
package/.trajectories/completed/2026-01/traj_avqeghu6pz5a.md +22 -0
package/.trajectories/completed/2026-01/traj_dcsp9s8y01ra.json +121 -0
package/.trajectories/completed/2026-01/traj_dcsp9s8y01ra.md +29 -0
package/.trajectories/completed/2026-01/traj_fhx9irlckht6.json +53 -0
package/.trajectories/completed/2026-01/traj_fhx9irlckht6.md +32 -0
package/.trajectories/completed/2026-01/traj_fqduidx3xbtp.json +101 -0
package/.trajectories/completed/2026-01/traj_fqduidx3xbtp.md +52 -0
package/.trajectories/completed/2026-01/traj_hf81ey93uz6t.json +49 -0
package/.trajectories/completed/2026-01/traj_hf81ey93uz6t.md +31 -0
package/.trajectories/completed/2026-01/traj_hfmki2jr9d4r.json +65 -0
package/.trajectories/completed/2026-01/traj_hfmki2jr9d4r.md +37 -0
package/.trajectories/completed/2026-01/traj_lq450ly148uw.json +49 -0
package/.trajectories/completed/2026-01/traj_lq450ly148uw.md +31 -0
package/.trajectories/completed/2026-01/traj_multi_server_arch.md +101 -0
package/.trajectories/completed/2026-01/traj_psd9ob0j2ru3.json +27 -0
package/.trajectories/completed/2026-01/traj_psd9ob0j2ru3.md +14 -0
package/.trajectories/completed/2026-01/traj_ub8csuv3lcv4.json +53 -0
package/.trajectories/completed/2026-01/traj_ub8csuv3lcv4.md +32 -0
package/.trajectories/completed/2026-01/traj_uc29tlso8i9s.json +186 -0
package/.trajectories/completed/2026-01/traj_uc29tlso8i9s.md +86 -0
package/.trajectories/completed/2026-01/traj_ui9b4tqxoa7j.json +77 -0
package/.trajectories/completed/2026-01/traj_ui9b4tqxoa7j.md +42 -0
package/.trajectories/completed/2026-01/traj_v9dkdoxylyid.json +89 -0
package/.trajectories/completed/2026-01/traj_v9dkdoxylyid.md +47 -0
package/.trajectories/completed/2026-01/traj_xy9vifpqet80.json +65 -0
package/.trajectories/completed/2026-01/traj_xy9vifpqet80.md +37 -0
package/.trajectories/completed/2026-01/traj_y7aiwijyfmmv.json +49 -0
package/.trajectories/completed/2026-01/traj_y7aiwijyfmmv.md +31 -0
package/.trajectories/consolidate-settings-panel.md +24 -0
package/.trajectories/gh-cli-user-token.md +26 -0
package/.trajectories/index.json +155 -1
package/deploy/workspace/codex.config.toml +15 -0
package/deploy/workspace/entrypoint.sh +167 -7
package/deploy/workspace/git-credential-relay +17 -2
package/dist/bridge/spawner.d.ts +7 -0
package/dist/bridge/spawner.js +40 -9
package/dist/bridge/types.d.ts +2 -0
package/dist/cli/index.js +210 -168
package/dist/cloud/api/admin.d.ts +8 -0
package/dist/cloud/api/admin.js +212 -0
package/dist/cloud/api/auth.js +8 -0
package/dist/cloud/api/billing.d.ts +0 -10
package/dist/cloud/api/billing.js +248 -58
package/dist/cloud/api/codex-auth-helper.d.ts +10 -4
package/dist/cloud/api/codex-auth-helper.js +215 -8
package/dist/cloud/api/coordinators.js +402 -0
package/dist/cloud/api/daemons.js +15 -11
package/dist/cloud/api/git.js +104 -17
package/dist/cloud/api/github-app.js +42 -8
package/dist/cloud/api/nango-auth.js +297 -16
package/dist/cloud/api/onboarding.js +97 -33
package/dist/cloud/api/providers.js +12 -16
package/dist/cloud/api/repos.js +200 -124
package/dist/cloud/api/test-helpers.js +40 -0
package/dist/cloud/api/usage.js +13 -0
package/dist/cloud/api/webhooks.js +1 -1
package/dist/cloud/api/workspaces.d.ts +18 -0
package/dist/cloud/api/workspaces.js +945 -15
package/dist/cloud/config.d.ts +8 -0
package/dist/cloud/config.js +15 -0
package/dist/cloud/db/drizzle.d.ts +5 -2
package/dist/cloud/db/drizzle.js +27 -20
package/dist/cloud/db/schema.d.ts +19 -51
package/dist/cloud/db/schema.js +5 -4
package/dist/cloud/index.d.ts +0 -1
package/dist/cloud/index.js +0 -1
package/dist/cloud/provisioner/index.d.ts +93 -1
package/dist/cloud/provisioner/index.js +608 -63
package/dist/cloud/server.js +156 -16
package/dist/cloud/services/compute-enforcement.d.ts +57 -0
package/dist/cloud/services/compute-enforcement.js +175 -0
package/dist/cloud/services/index.d.ts +2 -0
package/dist/cloud/services/index.js +4 -0
package/dist/cloud/services/intro-expiration.d.ts +55 -0
package/dist/cloud/services/intro-expiration.js +211 -0
package/dist/cloud/services/nango.d.ts +14 -0
package/dist/cloud/services/nango.js +74 -14
package/dist/cloud/services/ssh-security.d.ts +31 -0
package/dist/cloud/services/ssh-security.js +63 -0
package/dist/continuity/manager.d.ts +5 -0
package/dist/continuity/manager.js +56 -2
package/dist/daemon/api.d.ts +2 -0
package/dist/daemon/api.js +214 -5
package/dist/daemon/cli-auth.d.ts +13 -1
package/dist/daemon/cli-auth.js +166 -47
package/dist/daemon/connection.d.ts +7 -1
package/dist/daemon/connection.js +15 -0
package/dist/daemon/orchestrator.d.ts +2 -0
package/dist/daemon/orchestrator.js +26 -0
package/dist/daemon/repo-manager.d.ts +116 -0
package/dist/daemon/repo-manager.js +384 -0
package/dist/daemon/router.d.ts +60 -1
package/dist/daemon/router.js +281 -20
package/dist/daemon/user-directory.d.ts +111 -0
package/dist/daemon/user-directory.js +233 -0
package/dist/dashboard/out/404.html +1 -1
package/dist/dashboard/out/_next/static/chunks/532-bace199897eeab37.js +9 -0
package/dist/dashboard/out/_next/static/chunks/766-b54f0853794b78c3.js +1 -0
package/dist/dashboard/out/_next/static/chunks/83-b51836037078006c.js +1 -0
package/dist/dashboard/out/_next/static/chunks/891-6cd50de1224f70bb.js +1 -0
package/dist/dashboard/out/_next/static/chunks/899-fc02ed79e3de4302.js +1 -0
package/dist/dashboard/out/_next/static/chunks/app/app/onboarding/{page-3fdfa60e53f2810d.js → page-8553743baca53a00.js} +1 -1
package/dist/dashboard/out/_next/static/chunks/app/app/page-c617745b81344f4f.js +1 -0
package/dist/dashboard/out/_next/static/chunks/app/metrics/page-f829604fb75a831a.js +1 -0
package/dist/dashboard/out/_next/static/chunks/app/{page-77e9c65420a06cfb.js → page-dc786c183425c2ac.js} +1 -1
package/dist/dashboard/out/_next/static/chunks/app/providers/page-84322991d7244499.js +1 -0
package/dist/dashboard/out/_next/static/chunks/app/providers/setup/[provider]/page-05606941a8e2be83.js +1 -0
package/dist/dashboard/out/_next/static/chunks/{main-ed4e1fb6f29c34cf.js → main-2ee6beb2ae96d210.js} +1 -1
package/dist/dashboard/out/_next/static/css/48a8fbe3e659080e.css +1 -0
package/dist/dashboard/out/_next/static/css/fe4b28883eeff359.css +1 -0
package/dist/dashboard/out/_next/static/sDcbGRTYLcpPvyTs_rsNb/_ssgManifest.js +1 -0
package/dist/dashboard/out/app/onboarding.html +1 -1
package/dist/dashboard/out/app/onboarding.txt +3 -3
package/dist/dashboard/out/app.html +1 -1
package/dist/dashboard/out/app.txt +3 -3
package/dist/dashboard/out/apple-icon.png +0 -0
package/dist/dashboard/out/connect-repos.html +1 -1
package/dist/dashboard/out/connect-repos.txt +2 -2
package/dist/dashboard/out/history.html +1 -1
package/dist/dashboard/out/history.txt +2 -2
package/dist/dashboard/out/index.html +1 -1
package/dist/dashboard/out/index.txt +3 -3
package/dist/dashboard/out/login.html +2 -2
package/dist/dashboard/out/login.txt +2 -2
package/dist/dashboard/out/metrics.html +1 -1
package/dist/dashboard/out/metrics.txt +3 -3
package/dist/dashboard/out/pricing.html +2 -2
package/dist/dashboard/out/pricing.txt +3 -3
package/dist/dashboard/out/providers/setup/claude.html +1 -0
package/dist/dashboard/out/providers/setup/claude.txt +8 -0
package/dist/dashboard/out/providers/setup/codex.html +1 -0
package/dist/dashboard/out/providers/setup/codex.txt +8 -0
package/dist/dashboard/out/providers.html +1 -1
package/dist/dashboard/out/providers.txt +3 -3
package/dist/dashboard/out/signup.html +2 -2
package/dist/dashboard/out/signup.txt +2 -2
package/dist/dashboard-server/server.js +316 -12
package/dist/dashboard-server/user-bridge.d.ts +103 -0
package/dist/dashboard-server/user-bridge.js +189 -0
package/dist/protocol/channels.d.ts +205 -0
package/dist/protocol/channels.js +154 -0
package/dist/protocol/types.d.ts +13 -1
package/dist/resiliency/provider-context.js +2 -0
package/dist/shared/cli-auth-config.d.ts +19 -0
package/dist/shared/cli-auth-config.js +58 -2
package/dist/utils/agent-config.js +1 -1
package/dist/wrapper/auth-detection.d.ts +49 -0
package/dist/wrapper/auth-detection.js +192 -0
package/dist/wrapper/base-wrapper.d.ts +153 -0
package/dist/wrapper/base-wrapper.js +393 -0
package/dist/wrapper/client.d.ts +7 -1
package/dist/wrapper/client.js +3 -0
package/dist/wrapper/index.d.ts +1 -0
package/dist/wrapper/index.js +4 -3
package/dist/wrapper/pty-wrapper.d.ts +62 -84
package/dist/wrapper/pty-wrapper.js +154 -180
package/dist/wrapper/tmux-wrapper.d.ts +41 -66
package/dist/wrapper/tmux-wrapper.js +90 -134
package/package.json +4 -2
package/scripts/postinstall.js +11 -155
package/scripts/test-interactive-terminal.sh +248 -0
package/dist/cloud/vault/index.d.ts +0 -76
package/dist/cloud/vault/index.js +0 -219
package/dist/dashboard/out/_next/static/chunks/699-3b1cd6618a45d259.js +0 -1
package/dist/dashboard/out/_next/static/chunks/724-2dae7627550ab88f.js +0 -9
package/dist/dashboard/out/_next/static/chunks/766-1f2dd8cb7f766b0b.js +0 -1
package/dist/dashboard/out/_next/static/chunks/app/app/page-e6381e5a6e1fbcfd.js +0 -1
package/dist/dashboard/out/_next/static/chunks/app/metrics/page-67a3e98d9a43a6ed.js +0 -1
package/dist/dashboard/out/_next/static/chunks/app/providers/page-e88bc117ef7671c3.js +0 -1
package/dist/dashboard/out/_next/static/css/29852f26181969a0.css +0 -1
package/dist/dashboard/out/_next/static/css/7c3ae9e8617d42a5.css +0 -1
package/dist/dashboard/out/_next/static/wPgKJtcOmTFLpUncDg16A/_ssgManifest.js +0 -1
/package/dist/dashboard/out/_next/static/{wPgKJtcOmTFLpUncDg16A → sDcbGRTYLcpPvyTs_rsNb}/_buildManifest.js +0 -0

package/dist/cloud/server.js CHANGED Viewed

@@ -8,13 +8,14 @@ import helmet from 'helmet';
 import crypto from 'crypto';
 import path from 'node:path';
 import http from 'node:http';
+import fs from 'node:fs';
 import { fileURLToPath } from 'node:url';
 import { createClient } from 'redis';
 import { RedisStore } from 'connect-redis';
 import { WebSocketServer, WebSocket } from 'ws';
 import { getConfig } from './config.js';
 import { runMigrations } from './db/index.js';
-import { getScalingOrchestrator } from './services/index.js';
+import { getScalingOrchestrator, getComputeEnforcementService, getIntroExpirationService } from './services/index.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 // API routers
@@ -35,7 +36,9 @@ import { githubAppRouter } from './api/github-app.js';
 import { nangoAuthRouter } from './api/nango-auth.js';
 import { gitRouter } from './api/git.js';
 import { codexAuthHelperRouter } from './api/codex-auth-helper.js';
+import { adminRouter } from './api/admin.js';
 import { db } from './db/index.js';
+import { validateSshSecurityConfig } from './services/ssh-security.js';
 /**
  * Proxy a request to the user's primary running workspace
  */
@@ -66,6 +69,8 @@ async function proxyToUserWorkspace(req, res, path) {
 }
 export async function createServer() {
     const config = getConfig();
+    // Validate security configuration at startup
+    validateSshSecurityConfig();
     const app = express();
     app.set('trust proxy', 1);
     // Redis client for sessions
@@ -226,27 +231,37 @@ export async function createServer() {
         res.json({ status: 'ok', timestamp: new Date().toISOString() });
     });
     // API routes
-    app.use('/api/auth', authRouter);
+    //
+    // IMPORTANT: Route order matters! Routes with non-session auth (webhooks, API keys, tokens)
+    // must be mounted BEFORE teamsRouter, which catches all /api/* with requireAuth.
+    //
+    // --- Routes with alternative auth (must be before teamsRouter) ---
+    app.use('/api/auth', authRouter); // Login endpoints (public)
+    app.use('/api/auth/nango', nangoAuthRouter); // Nango webhook (signature verification)
+    app.use('/api/auth/codex-helper', codexAuthHelperRouter);
+    app.use('/api/git', gitRouter); // Workspace token auth
+    app.use('/api/webhooks', webhooksRouter); // GitHub webhooks (signature verification)
+    app.use('/api/monitoring', monitoringRouter); // Daemon API key auth endpoints
+    app.use('/api/daemons', daemonsRouter); // Daemon API key auth endpoints
+    app.use('/api/admin', adminRouter); // Admin API secret auth
+    // --- Routes with session auth ---
     app.use('/api/providers', providersRouter);
     app.use('/api/workspaces', workspacesRouter);
     app.use('/api/repos', reposRouter);
     app.use('/api/onboarding', onboardingRouter);
-    app.use('/api/teams', teamsRouter);
     app.use('/api/billing', billingRouter);
     app.use('/api/usage', usageRouter);
     app.use('/api/project-groups', coordinatorsRouter);
-    app.use('/api/daemons', daemonsRouter);
-    app.use('/api/monitoring', monitoringRouter);
-    app.use('/api/webhooks', webhooksRouter);
     app.use('/api/github-app', githubAppRouter);
-    app.use('/api/auth/nango', nangoAuthRouter);
-    app.use('/api/auth/codex-helper', codexAuthHelperRouter);
-    app.use('/api/git', gitRouter);
     // Test helper routes (only available in non-production)
+    // MUST be before teamsRouter to avoid auth interception
     if (process.env.NODE_ENV !== 'production') {
         app.use('/api/test', testHelpersRouter);
         console.log('[cloud] Test helper routes enabled (non-production mode)');
     }
+    // Teams router - MUST BE LAST among /api routes
+    // Handles /workspaces/:id/members and /invites with requireAuth on all routes
+    app.use('/api', teamsRouter);
     // Trajectory proxy routes - auto-detect user's workspace and forward
     // These are convenience routes so the dashboard doesn't need to know the workspace ID
     app.get('/api/trajectory', requireAuth, async (req, res) => {
@@ -264,17 +279,29 @@ export async function createServer() {
     // Serve static dashboard files (Next.js static export)
     // Path: dist/cloud/server.js -> ../../src/dashboard/out
     const dashboardPath = path.join(__dirname, '../../src/dashboard/out');
-    // Serve static files with .html extension fallback for clean URLs
-    // e.g., /signup will try /signup.html
-    app.use(express.static(dashboardPath, { extensions: ['html'] }));
-    // SPA fallback - serve index.html for all non-API routes that don't match static files
-    // Express 5 requires named wildcard params instead of bare '*'
+    // Serve static files (JS, CSS, images, etc.)
+    app.use(express.static(dashboardPath));
+    // Handle clean URLs for Next.js static export
+    // When a directory exists (e.g., /app/), express.static won't serve app.html
+    // So we need to explicitly check for .html files
     app.get('/{*splat}', (req, res, next) => {
-        // Don't serve index.html for API routes
+        // Don't handle API routes
         if (req.path.startsWith('/api/')) {
             return next();
         }
-        res.sendFile(path.join(dashboardPath, 'index.html'));
+        // Clean the path (remove trailing slash)
+        const cleanPath = req.path.replace(/\/$/, '') || '/';
+        // Try to serve the corresponding .html file
+        const htmlFile = cleanPath === '/' ? 'index.html' : `${cleanPath}.html`;
+        const htmlPath = path.join(dashboardPath, htmlFile);
+        // Check if the HTML file exists
+        if (fs.existsSync(htmlPath)) {
+            res.sendFile(htmlPath);
+        }
+        else {
+            // Fallback to index.html for SPA-style routing
+            res.sendFile(path.join(dashboardPath, 'index.html'));
+        }
     });
     // Error handler
     app.use((err, req, res, _next) => {
@@ -287,6 +314,8 @@ export async function createServer() {
     // Server lifecycle
     let server = null;
     let scalingOrchestrator = null;
+    let computeEnforcement = null;
+    let introExpiration = null;
     // Create HTTP server for WebSocket upgrade handling
     const httpServer = http.createServer(app);
     // ===== Presence WebSocket =====
@@ -318,6 +347,77 @@ export async function createServer() {
             return false;
         }
     };
+    // WebSocket server for agent logs (proxied to workspace daemon)
+    const wssLogs = new WebSocketServer({ noServer: true, perMessageDeflate: false });
+    // Handle agent logs WebSocket connections
+    wssLogs.on('connection', async (clientWs, workspaceId, agentName) => {
+        console.log(`[ws/logs] Client connected for workspace=${workspaceId} agent=${agentName}`);
+        let daemonWs = null;
+        try {
+            // Find the workspace
+            const workspace = await db.workspaces.findById(workspaceId);
+            if (!workspace || !workspace.publicUrl) {
+                clientWs.send(JSON.stringify({ type: 'error', message: 'Workspace not found or not running' }));
+                clientWs.close();
+                return;
+            }
+            // Connect to workspace daemon WebSocket
+            // The workspace runs the dashboard server which expects /ws/logs path
+            const baseUrl = workspace.publicUrl.replace(/^http/, 'ws').replace(/\/$/, '');
+            const daemonWsUrl = `${baseUrl}/ws/logs/${encodeURIComponent(agentName)}`;
+            console.log(`[ws/logs] Connecting to daemon: ${daemonWsUrl}`);
+            daemonWs = new WebSocket(daemonWsUrl, { perMessageDeflate: false });
+            daemonWs.on('open', () => {
+                console.log(`[ws/logs] Connected to daemon for ${agentName}`);
+                // Note: No need to send subscribe message - the agent name in the URL path
+                // triggers auto-subscription in the dashboard server
+            });
+            daemonWs.on('message', (data) => {
+                // Forward daemon messages to client
+                if (clientWs.readyState === WebSocket.OPEN) {
+                    clientWs.send(data.toString());
+                }
+            });
+            daemonWs.on('close', () => {
+                console.log(`[ws/logs] Daemon connection closed for ${agentName}`);
+                if (clientWs.readyState === WebSocket.OPEN) {
+                    clientWs.close();
+                }
+            });
+            daemonWs.on('error', (err) => {
+                console.error(`[ws/logs] Daemon WebSocket error:`, err);
+                if (clientWs.readyState === WebSocket.OPEN) {
+                    clientWs.send(JSON.stringify({ type: 'error', message: 'Daemon connection error' }));
+                    clientWs.close();
+                }
+            });
+            // Forward client messages to daemon (for user input)
+            clientWs.on('message', (data) => {
+                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
+                    daemonWs.send(data.toString());
+                }
+            });
+            clientWs.on('close', () => {
+                console.log(`[ws/logs] Client disconnected for ${agentName}`);
+                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
+                    daemonWs.close();
+                }
+            });
+            clientWs.on('error', (err) => {
+                console.error(`[ws/logs] Client WebSocket error:`, err);
+                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
+                    daemonWs.close();
+                }
+            });
+        }
+        catch (err) {
+            console.error(`[ws/logs] Setup error:`, err);
+            if (clientWs.readyState === WebSocket.OPEN) {
+                clientWs.send(JSON.stringify({ type: 'error', message: 'Failed to connect to workspace' }));
+                clientWs.close();
+            }
+        }
+    });
     // Handle HTTP upgrade for WebSocket
     httpServer.on('upgrade', (request, socket, head) => {
         const pathname = new URL(request.url || '', `http://${request.headers.host}`).pathname;
@@ -326,6 +426,20 @@ export async function createServer() {
                 wssPresence.emit('connection', ws, request);
             });
         }
+        else if (pathname.startsWith('/ws/logs/')) {
+            // Parse /ws/logs/:workspaceId/:agentName
+            const parts = pathname.split('/').filter(Boolean);
+            if (parts.length >= 4) {
+                const workspaceId = decodeURIComponent(parts[2]);
+                const agentName = decodeURIComponent(parts[3]);
+                wssLogs.handleUpgrade(request, socket, head, (ws) => {
+                    wssLogs.emit('connection', ws, workspaceId, agentName);
+                });
+            }
+            else {
+                socket.destroy();
+            }
+        }
         else {
             // Unknown WebSocket path - destroy socket
             socket.destroy();
@@ -512,6 +626,24 @@ export async function createServer() {
                     console.warn('[cloud] Failed to initialize scaling orchestrator:', error);
                     // Non-fatal - server can run without auto-scaling
                 }
+                // Start compute enforcement service (checks every 15 min)
+                try {
+                    computeEnforcement = getComputeEnforcementService();
+                    computeEnforcement.start();
+                    console.log('[cloud] Compute enforcement service started');
+                }
+                catch (error) {
+                    console.warn('[cloud] Failed to start compute enforcement:', error);
+                }
+                // Start intro expiration service (checks every hour for expired intro periods)
+                try {
+                    introExpiration = getIntroExpirationService();
+                    introExpiration.start();
+                    console.log('[cloud] Intro expiration service started');
+                }
+                catch (error) {
+                    console.warn('[cloud] Failed to start intro expiration:', error);
+                }
             }
             return new Promise((resolve) => {
                 server = httpServer.listen(config.port, () => {
@@ -527,6 +659,14 @@ export async function createServer() {
             if (scalingOrchestrator) {
                 await scalingOrchestrator.shutdown();
             }
+            // Stop compute enforcement service
+            if (computeEnforcement) {
+                computeEnforcement.stop();
+            }
+            // Stop intro expiration service
+            if (introExpiration) {
+                introExpiration.stop();
+            }
             // Close WebSocket server
             wssPresence.close();
             if (server) {

package/dist/cloud/services/compute-enforcement.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Compute Enforcement Service
+ *
+ * Enforces compute hour limits for free tier users.
+ * Runs periodically to check usage and stop workspaces that have exceeded limits.
+ */
+import { PlanType } from '../db/index.js';
+export interface ComputeEnforcementConfig {
+    enabled: boolean;
+    checkIntervalMs: number;
+    warningThresholdPercent: number;
+}
+export interface EnforcementResult {
+    userId: string;
+    plan: PlanType;
+    computeHoursUsed: number;
+    computeHoursLimit: number;
+    action: 'none' | 'warning' | 'stopped';
+    workspacesStopped: string[];
+}
+export declare class ComputeEnforcementService {
+    private config;
+    private checkTimer;
+    private isRunning;
+    constructor(config?: Partial<ComputeEnforcementConfig>);
+    /**
+     * Start the enforcement service
+     */
+    start(): void;
+    /**
+     * Stop the enforcement service
+     */
+    stop(): void;
+    /**
+     * Run enforcement check for all free tier users
+     */
+    runEnforcement(): Promise<EnforcementResult[]>;
+    /**
+     * Enforce limits for a specific user
+     */
+    enforceUserLimits(userId: string): Promise<EnforcementResult>;
+    /**
+     * Manually trigger enforcement for a specific user
+     */
+    enforceUser(userId: string): Promise<EnforcementResult>;
+    /**
+     * Get service status
+     */
+    getStatus(): {
+        enabled: boolean;
+        isRunning: boolean;
+        checkIntervalMs: number;
+    };
+}
+export declare function getComputeEnforcementService(): ComputeEnforcementService;
+export declare function createComputeEnforcementService(config?: Partial<ComputeEnforcementConfig>): ComputeEnforcementService;
+//# sourceMappingURL=compute-enforcement.d.ts.map

package/dist/cloud/services/compute-enforcement.js ADDED Viewed

@@ -0,0 +1,175 @@
+/**
+ * Compute Enforcement Service
+ *
+ * Enforces compute hour limits for free tier users.
+ * Runs periodically to check usage and stop workspaces that have exceeded limits.
+ */
+import { db } from '../db/index.js';
+import { getProvisioner } from '../provisioner/index.js';
+import { getUserUsage, PLAN_LIMITS } from './planLimits.js';
+const DEFAULT_CONFIG = {
+    enabled: true,
+    checkIntervalMs: 15 * 60 * 1000, // 15 minutes
+    warningThresholdPercent: 80,
+};
+export class ComputeEnforcementService {
+    config;
+    checkTimer = null;
+    isRunning = false;
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    /**
+     * Start the enforcement service
+     */
+    start() {
+        if (!this.config.enabled) {
+            console.log('[compute-enforcement] Service disabled');
+            return;
+        }
+        if (this.isRunning) {
+            console.warn('[compute-enforcement] Service already running');
+            return;
+        }
+        this.isRunning = true;
+        console.log(`[compute-enforcement] Started (checking every ${this.config.checkIntervalMs / 1000}s)`);
+        // Run immediately on start
+        this.runEnforcement().catch((err) => {
+            console.error('[compute-enforcement] Initial run failed:', err);
+        });
+        // Then run periodically
+        this.checkTimer = setInterval(() => {
+            this.runEnforcement().catch((err) => {
+                console.error('[compute-enforcement] Periodic run failed:', err);
+            });
+        }, this.config.checkIntervalMs);
+    }
+    /**
+     * Stop the enforcement service
+     */
+    stop() {
+        if (this.checkTimer) {
+            clearInterval(this.checkTimer);
+            this.checkTimer = null;
+        }
+        this.isRunning = false;
+        console.log('[compute-enforcement] Stopped');
+    }
+    /**
+     * Run enforcement check for all free tier users
+     */
+    async runEnforcement() {
+        const results = [];
+        try {
+            // Get all users on free tier
+            const freeUsers = await db.users.findByPlan('free');
+            console.log(`[compute-enforcement] Checking ${freeUsers.length} free tier users`);
+            for (const user of freeUsers) {
+                try {
+                    const result = await this.enforceUserLimits(user.id);
+                    results.push(result);
+                    if (result.action !== 'none') {
+                        console.log(`[compute-enforcement] User ${user.id.substring(0, 8)}: ${result.action} ` +
+                            `(${result.computeHoursUsed.toFixed(2)}/${result.computeHoursLimit}h)`);
+                    }
+                }
+                catch (err) {
+                    console.error(`[compute-enforcement] Error for user ${user.id}:`, err);
+                }
+            }
+            const stopped = results.filter((r) => r.action === 'stopped').length;
+            const warned = results.filter((r) => r.action === 'warning').length;
+            if (stopped > 0 || warned > 0) {
+                console.log(`[compute-enforcement] Summary: ${stopped} stopped, ${warned} warned, ` +
+                    `${results.length - stopped - warned} ok`);
+            }
+        }
+        catch (err) {
+            console.error('[compute-enforcement] Failed to run enforcement:', err);
+        }
+        return results;
+    }
+    /**
+     * Enforce limits for a specific user
+     */
+    async enforceUserLimits(userId) {
+        const user = await db.users.findById(userId);
+        const plan = user?.plan || 'free';
+        const limits = PLAN_LIMITS[plan];
+        const usage = await getUserUsage(userId);
+        const result = {
+            userId,
+            plan,
+            computeHoursUsed: usage.computeHoursThisMonth,
+            computeHoursLimit: limits.maxComputeHoursPerMonth,
+            action: 'none',
+            workspacesStopped: [],
+        };
+        // Skip if user has unlimited compute (paid plans may have high limits)
+        if (limits.maxComputeHoursPerMonth === Infinity) {
+            return result;
+        }
+        // Check if user has exceeded limit
+        if (usage.computeHoursThisMonth >= limits.maxComputeHoursPerMonth) {
+            // Stop all running workspaces
+            const workspaces = await db.workspaces.findByUserId(userId);
+            const runningWorkspaces = workspaces.filter((w) => w.status === 'running');
+            if (runningWorkspaces.length > 0) {
+                const provisioner = getProvisioner();
+                for (const workspace of runningWorkspaces) {
+                    try {
+                        await provisioner.stop(workspace.id);
+                        result.workspacesStopped.push(workspace.id);
+                        console.log(`[compute-enforcement] Stopped workspace ${workspace.id.substring(0, 8)} ` +
+                            `for user ${userId.substring(0, 8)} (limit exceeded)`);
+                    }
+                    catch (err) {
+                        console.error(`[compute-enforcement] Failed to stop workspace ${workspace.id}:`, err);
+                    }
+                }
+                result.action = 'stopped';
+                // TODO: Send notification email to user
+                // await sendLimitReachedEmail(userId, usage.computeHoursThisMonth, limits.maxComputeHoursPerMonth);
+            }
+        }
+        else {
+            // Check if approaching limit (warning)
+            const usagePercent = (usage.computeHoursThisMonth / limits.maxComputeHoursPerMonth) * 100;
+            if (usagePercent >= this.config.warningThresholdPercent) {
+                result.action = 'warning';
+                // TODO: Send warning email to user (once per day)
+                // await sendLimitWarningEmail(userId, usage.computeHoursThisMonth, limits.maxComputeHoursPerMonth);
+            }
+        }
+        return result;
+    }
+    /**
+     * Manually trigger enforcement for a specific user
+     */
+    async enforceUser(userId) {
+        return this.enforceUserLimits(userId);
+    }
+    /**
+     * Get service status
+     */
+    getStatus() {
+        return {
+            enabled: this.config.enabled,
+            isRunning: this.isRunning,
+            checkIntervalMs: this.config.checkIntervalMs,
+        };
+    }
+}
+// Singleton instance
+let _computeEnforcement = null;
+export function getComputeEnforcementService() {
+    if (!_computeEnforcement) {
+        _computeEnforcement = new ComputeEnforcementService();
+    }
+    return _computeEnforcement;
+}
+export function createComputeEnforcementService(config = {}) {
+    _computeEnforcement = new ComputeEnforcementService(config);
+    return _computeEnforcement;
+}
+//# sourceMappingURL=compute-enforcement.js.map

package/dist/cloud/services/index.d.ts CHANGED Viewed

@@ -9,4 +9,6 @@ export { CapacityManager, CapacityManagerConfig, WorkspaceCapacity, PlacementRec
 export { ScalingOrchestrator, OrchestratorConfig, ScalingEvent, getScalingOrchestrator, createScalingOrchestrator, } from './scaling-orchestrator.js';
 export { spawnCIFixAgent, notifyAgentOfCIFailure, completeFixAttempt, getFailureHistory, getPRFailureHistory, } from './ci-agent-spawner.js';
 export { handleMention, handleIssueAssignment, getPendingMentions, getPendingIssueAssignments, processPendingMentions, processPendingIssueAssignments, KNOWN_AGENTS, isKnownAgent, } from './mention-handler.js';
+export { ComputeEnforcementService, ComputeEnforcementConfig, EnforcementResult, getComputeEnforcementService, createComputeEnforcementService, } from './compute-enforcement.js';
+export { IntroExpirationService, IntroExpirationConfig, IntroStatus, ExpirationResult as IntroExpirationResult, INTRO_PERIOD_DAYS, getIntroStatus, getIntroExpirationService, startIntroExpirationService, stopIntroExpirationService, } from './intro-expiration.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/cloud/services/index.js CHANGED Viewed

@@ -12,4 +12,8 @@ export { ScalingOrchestrator, getScalingOrchestrator, createScalingOrchestrator,
 export { spawnCIFixAgent, notifyAgentOfCIFailure, completeFixAttempt, getFailureHistory, getPRFailureHistory, } from './ci-agent-spawner.js';
 // Issue and mention handling
 export { handleMention, handleIssueAssignment, getPendingMentions, getPendingIssueAssignments, processPendingMentions, processPendingIssueAssignments, KNOWN_AGENTS, isKnownAgent, } from './mention-handler.js';
+// Compute enforcement (free tier limits)
+export { ComputeEnforcementService, getComputeEnforcementService, createComputeEnforcementService, } from './compute-enforcement.js';
+// Intro expiration (auto-resize after free tier intro period)
+export { IntroExpirationService, INTRO_PERIOD_DAYS, getIntroStatus, getIntroExpirationService, startIntroExpirationService, stopIntroExpirationService, } from './intro-expiration.js';
 //# sourceMappingURL=index.js.map

package/dist/cloud/services/intro-expiration.d.ts ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * Intro Expiration Service
+ *
+ * Handles auto-resize of workspaces when the free tier introductory period expires.
+ * Free users get Pro-level resources (2 CPU / 4GB) for the first 14 days,
+ * then get automatically downsized to standard free tier (1 CPU / 2GB).
+ */
+export declare const INTRO_PERIOD_DAYS = 14;
+export interface IntroExpirationConfig {
+    enabled: boolean;
+    checkIntervalMs: number;
+}
+export interface IntroStatus {
+    isIntroPeriod: boolean;
+    daysRemaining: number;
+    introPeriodDays: number;
+    expiresAt: Date | null;
+}
+export interface ExpirationResult {
+    userId: string;
+    workspaceId: string;
+    workspaceName: string;
+    action: 'resized' | 'skipped' | 'error';
+    reason?: string;
+}
+/**
+ * Get intro period status for a user
+ */
+export declare function getIntroStatus(userCreatedAt: Date | string | null, plan: string): IntroStatus;
+export declare class IntroExpirationService {
+    private config;
+    private checkTimer;
+    private isRunning;
+    constructor(config?: Partial<IntroExpirationConfig>);
+    /**
+     * Start the expiration service
+     */
+    start(): void;
+    /**
+     * Stop the expiration service
+     */
+    stop(): void;
+    /**
+     * Run expiration check for all free tier users with expired intro periods
+     */
+    runExpirationCheck(): Promise<ExpirationResult[]>;
+    /**
+     * Check and resize workspaces for a user whose intro period has expired
+     */
+    private checkAndResizeUserWorkspaces;
+}
+export declare function getIntroExpirationService(): IntroExpirationService;
+export declare function startIntroExpirationService(): void;
+export declare function stopIntroExpirationService(): void;
+//# sourceMappingURL=intro-expiration.d.ts.map