agentflow-dashboard 0.8.3 → 0.8.4

package/dist/client/index.html

@@ -4,8 +4,8 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>AgentFlow Dashboard</title>
-    <script type="module" crossorigin src="/assets/index-BgEw2MGK.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-DHcSpTgM.css">
+    <script type="module" crossorigin src="/assets/index-DA9m90ZC.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-BQBa4cES.css">
   </head>
   <body>
     <div id="root"></div>

package/dist/index.cjs

@@ -42,6 +42,11 @@ var fs3 = __toESM(require("fs"), 1);
 var import_node_http = require("http");
 var path3 = __toESM(require("path"), 1);
 var import_node_url2 = require("url");
+var import_agentflow_core3 = require("agentflow-core");
+var import_chokidar2 = __toESM(require("chokidar"), 1);
+var import_express = __toESM(require("express"), 1);
+var import_express_rate_limit = __toESM(require("express-rate-limit"), 1);
+var import_ws = require("ws");
 
 // src/config.ts
 var import_node_fs = require("fs");
@@ -114,12 +119,6 @@ function getProcessPreference(config) {
   return config.processPreference ?? null;
 }
 
-// src/server.ts
-var import_agentflow_core3 = require("agentflow-core");
-var import_chokidar2 = __toESM(require("chokidar"), 1);
-var import_express = __toESM(require("express"), 1);
-var import_ws = require("ws");
-
 // src/adapters/agentflow.ts
 var SKIP_FILES = /* @__PURE__ */ new Set([
   "workers.json",
@@ -131,7 +130,14 @@ var SKIP_FILES = /* @__PURE__ */ new Set([
   "models.json",
   "config.json"
 ]);
-var SKIP_SUFFIXES = ["-state.json", "-config.json", "-watch-state.json", ".tmp", ".bak", ".backup"];
+var SKIP_SUFFIXES = [
+  "-state.json",
+  "-config.json",
+  "-watch-state.json",
+  ".tmp",
+  ".bak",
+  ".backup"
+];
 var AgentFlowAdapter = class {
   name = "agentflow";
   detect(_dirPath) {
@@ -408,8 +414,14 @@ registerAdapter(new AgentFlowAdapter());
 var PURPOSE_KEYWORDS = [
   { keywords: ["email", "mail", "inbox", "smtp"], group: "Email Processors" },
   { keywords: ["monitor", "watch", "alert", "surveillance"], group: "Monitors" },
-  { keywords: ["digest", "newsletter", "summary", "report", "briefing"], group: "Digests & Reports" },
-  { keywords: ["curator", "janitor", "distiller", "surveyor", "worker", "indexer"], group: "Workers" },
+  {
+    keywords: ["digest", "newsletter", "summary", "report", "briefing"],
+    group: "Digests & Reports"
+  },
+  {
+    keywords: ["curator", "janitor", "distiller", "surveyor", "worker", "indexer"],
+    group: "Workers"
+  },
   { keywords: ["cron", "schedule", "timer", "periodic"], group: "Scheduled Jobs" },
   { keywords: ["search", "scrape", "crawl", "fetch"], group: "Data Collection" },
   { keywords: ["embed", "vector", "index"], group: "Embeddings" }
@@ -441,6 +453,7 @@ function capitalize(s) {
   return s.charAt(0).toUpperCase() + s.slice(1);
 }
 function deduplicateAgents(agents) {
+  var _a, _b, _c, _d;
   const tagged = agents.map((a) => ({
     ...a,
     ...extractSource(a.agentId)
@@ -457,14 +470,14 @@ function deduplicateAgents(agents) {
   const mergedIds = /* @__PURE__ */ new Set();
   const mergedAgents = [];
   for (const [_key, group] of suffixGroups) {
-    const suffix = extractSuffix(group[0].localId);
+    const suffix = extractSuffix((_a = group[0]) == null ? void 0 : _a.localId);
     if (group.length < 2) continue;
     const prefixes = new Set(group.map((a) => a.localId.split("-")[0]));
     if (prefixes.size < 2) continue;
     const longPrefixes = [...prefixes].filter((p) => p !== suffix && p.length > 2);
     if (longPrefixes.length >= 2) continue;
     const merged = {
-      agentId: group[0].source === "agentflow" ? suffix : `${group[0].source}:${suffix}`,
+      agentId: ((_b = group[0]) == null ? void 0 : _b.source) === "agentflow" ? suffix : `${(_c = group[0]) == null ? void 0 : _c.source}:${suffix}`,
       displayName: suffix,
       totalExecutions: group.reduce((s, a) => s + a.totalExecutions, 0),
       successfulExecutions: group.reduce((s, a) => s + a.successfulExecutions, 0),
@@ -475,7 +488,7 @@ function deduplicateAgents(agents) {
       triggers: {},
       recentActivity: group.flatMap((a) => a.recentActivity).sort((a, b) => b.timestamp - a.timestamp).slice(0, 50),
       sources: group.map((a) => a.agentId),
-      adapterSource: group[0].source
+      adapterSource: (_d = group[0]) == null ? void 0 : _d.source
     };
     merged.successRate = merged.totalExecutions > 0 ? merged.successfulExecutions / merged.totalExecutions * 100 : 0;
     const totalExecTime = group.reduce((s, a) => s + a.avgExecutionTime * a.totalExecutions, 0);
@@ -891,7 +904,9 @@ var TraceWatcher = class _TraceWatcher extends import_node_events.EventEmitter {
       ...getSkipFiles(this.userConfig)
     ]);
     this.userSkipDirs = new Set(getSkipDirectories(this.userConfig));
-    this.allWatchDirs = [...new Set([this.tracesDir, ...this.dataDirs].map((d) => path.resolve(d)))];
+    this.allWatchDirs = [
+      ...new Set([this.tracesDir, ...this.dataDirs].map((d) => path.resolve(d)))
+    ];
     this.ensureTracesDir();
     this.loadExistingFiles();
     this.archiveOldTraces();
@@ -901,7 +916,7 @@ var TraceWatcher = class _TraceWatcher extends import_node_events.EventEmitter {
   /** Move trace files older than maxAgeMs into archive/YYYY-MM/ subdirectories. */
   archiveOldTraces() {
     const cutoff = Date.now() - this.maxAgeMs;
-    let archived = 0;
+    const _archived = 0;
     for (const dir of this.allWatchDirs) {
       if (!fs.existsSync(dir)) continue;
       try {
@@ -918,7 +933,8 @@ var TraceWatcher = class _TraceWatcher extends import_node_events.EventEmitter {
     try {
       const entries = fs.readdirSync(dir, { withFileTypes: true });
       for (const entry of entries) {
-        if (entry.name.startsWith(".") || entry.name === "archive" || this.userSkipDirs.has(entry.name)) continue;
+        if (entry.name.startsWith(".") || entry.name === "archive" || this.userSkipDirs.has(entry.name))
+          continue;
         const fullPath = path.join(dir, entry.name);
         if (entry.isDirectory()) {
           archived += this.archiveDirectory(fullPath, cutoff, depth + 1);
@@ -2165,7 +2181,9 @@ var path2 = __toESM(require("path"), 1);
 var import_node_url = require("url");
 var import_meta = {};
 var __cliDirname = path2.dirname((0, import_node_url.fileURLToPath)(import_meta.url));
-var VERSION = JSON.parse(fs2.readFileSync(path2.resolve(__cliDirname, "../package.json"), "utf-8")).version;
+var VERSION = JSON.parse(
+  fs2.readFileSync(path2.resolve(__cliDirname, "../package.json"), "utf-8")
+).version;
 function getLanAddress() {
   const interfaces = os.networkInterfaces();
   for (const name of Object.keys(interfaces)) {
@@ -2423,6 +2441,17 @@ var DashboardServer = class {
   userConfig;
   configPath;
   setupExpress() {
+    this.app.use(
+      "/api/",
+      (0, import_express_rate_limit.default)({
+        windowMs: 60 * 1e3,
+        // 1 minute
+        max: 300,
+        // 300 requests per minute per IP
+        standardHeaders: true,
+        legacyHeaders: false
+      })
+    );
     if (this.config.enableCors) {
       this.app.use((_req, res, next) => {
         res.header("Access-Control-Allow-Origin", "*");
@@ -2665,6 +2694,7 @@ var DashboardServer = class {
       }
     });
     this.app.get("/api/process-model/:agentId", (req, res) => {
+      var _a, _b;
       try {
         const agentId = req.params.agentId;
         const allTraces = this.watcher.getTracesByAgent(agentId);
@@ -2682,8 +2712,8 @@ var DashboardServer = class {
           const nodeArr = Object.values(nodes);
           const sorted = nodeArr.filter((n) => n.name && typeof n.startTime === "number" && n.startTime > 0).sort((a, b) => (a.startTime ?? 0) - (b.startTime ?? 0));
           for (let i = 0; i < sorted.length - 1; i++) {
-            const from = sorted[i].name;
-            const to = sorted[i + 1].name;
+            const from = (_a = sorted[i]) == null ? void 0 : _a.name;
+            const to = (_b = sorted[i + 1]) == null ? void 0 : _b.name;
             const key = `${from}|||${to}`;
             transMap.set(key, (transMap.get(key) ?? 0) + 1);
           }
@@ -2782,7 +2812,11 @@ var DashboardServer = class {
       try {
         const reportPath = path3.join(somaVault, "..", "soma-report.json");
         if (!fs3.existsSync(reportPath)) {
-          return res.json({ available: false, teaser: false, message: "No report file yet. Run soma watch." });
+          return res.json({
+            available: false,
+            teaser: false,
+            message: "No report file yet. Run soma watch."
+          });
         }
         const report = JSON.parse(fs3.readFileSync(reportPath, "utf-8"));
         res.json(report);
@@ -2806,7 +2840,9 @@ var DashboardServer = class {
           available: true,
           layers: report.layers ?? { archive: 0, working: 0, emerging: 0, canon: 0 },
           governance: report.governance ?? { pending: 0, promoted: 0, rejected: 0 },
-          insights: (report.insights ?? []).filter((i) => i.layer === "emerging" && i.proposal_status === "pending"),
+          insights: (report.insights ?? []).filter(
+            (i) => i.layer === "emerging" && i.proposal_status === "pending"
+          ),
           canon: (report.insights ?? []).filter((i) => i.layer === "canon"),
           generatedAt: report.generatedAt
         });
@@ -2815,21 +2851,23 @@ var DashboardServer = class {
         res.status(500).json({ available: false, message: "Failed to read governance data" });
       }
     });
-    const sanitizeArg = (s) => s.replace(/[^a-zA-Z0-9_\-.:]/g, "");
-    const sanitizeReason = (s) => s.replace(/["`$\\]/g, "").slice(0, 500);
+    const isValidId = (s) => /^[a-zA-Z0-9_\-.:]+$/.test(s);
     this.app.post("/api/soma/governance/promote", (req, res) => {
       var _a;
       const somaVault = this.config.somaVault;
       if (!somaVault) return res.status(400).json({ error: "Soma vault not configured" });
       const { entryId } = req.body ?? {};
-      if (!entryId) return res.status(400).json({ error: "entryId required" });
+      if (!entryId || !isValidId(String(entryId)))
+        return res.status(400).json({ error: "Invalid entryId" });
       try {
-        const { execSync: execSync2 } = require("child_process");
-        const safeId = sanitizeArg(String(entryId));
-        const result = execSync2(`npx soma governance promote ${safeId} --vault "${somaVault}"`, {
-          encoding: "utf-8",
-          timeout: 1e4
-        });
+        const result = (0, import_node_child_process.execFileSync)(
+          "npx",
+          ["soma", "governance", "promote", String(entryId), "--vault", somaVault],
+          {
+            encoding: "utf-8",
+            timeout: 1e4
+          }
+        );
         res.json({ success: true, message: result.trim() });
       } catch (error) {
         res.status(400).json({ error: ((_a = error.stderr) == null ? void 0 : _a.trim()) || error.message });
@@ -2840,15 +2878,27 @@ var DashboardServer = class {
       const somaVault = this.config.somaVault;
       if (!somaVault) return res.status(400).json({ error: "Soma vault not configured" });
       const { entryId, reason } = req.body ?? {};
-      if (!entryId || !reason) return res.status(400).json({ error: "entryId and reason required" });
+      if (!entryId || !isValidId(String(entryId)))
+        return res.status(400).json({ error: "Invalid entryId" });
+      if (!reason || typeof reason !== "string")
+        return res.status(400).json({ error: "reason required" });
       try {
-        const { execSync: execSync2 } = require("child_process");
-        const safeId = sanitizeArg(String(entryId));
-        const safeReason = sanitizeReason(String(reason));
-        const result = execSync2(`npx soma governance reject ${safeId} "${safeReason}" --vault "${somaVault}"`, {
-          encoding: "utf-8",
-          timeout: 1e4
-        });
+        const result = (0, import_node_child_process.execFileSync)(
+          "npx",
+          [
+            "soma",
+            "governance",
+            "reject",
+            String(entryId),
+            String(reason).slice(0, 500),
+            "--vault",
+            somaVault
+          ],
+          {
+            encoding: "utf-8",
+            timeout: 1e4
+          }
+        );
         res.json({ success: true, message: result.trim() });
       } catch (error) {
         res.status(400).json({ error: ((_a = error.stderr) == null ? void 0 : _a.trim()) || error.message });
@@ -2858,13 +2908,16 @@ var DashboardServer = class {
       var _a;
       const somaVault = this.config.somaVault;
       if (!somaVault) return res.status(400).json({ error: "Soma vault not configured" });
+      if (!isValidId(String(req.params.id))) return res.status(400).json({ error: "Invalid id" });
       try {
-        const { execSync: execSync2 } = require("child_process");
-        const safeId = sanitizeArg(String(req.params.id));
-        const result = execSync2(`npx soma governance show ${safeId} --vault "${somaVault}"`, {
-          encoding: "utf-8",
-          timeout: 1e4
-        });
+        const result = (0, import_node_child_process.execFileSync)(
+          "npx",
+          ["soma", "governance", "show", String(req.params.id), "--vault", somaVault],
+          {
+            encoding: "utf-8",
+            timeout: 1e4
+          }
+        );
         res.json({ available: true, output: result.trim() });
       } catch (error) {
         res.status(404).json({ error: ((_a = error.stderr) == null ? void 0 : _a.trim()) || error.message });
@@ -2887,16 +2940,24 @@ var DashboardServer = class {
       const somaVault = this.config.somaVault;
       if (!somaVault) return res.status(400).json({ error: "Soma vault not configured" });
       const { name, enforcement, scope, conditions } = req.body ?? {};
-      if (!name) return res.status(400).json({ error: "name required" });
+      if (!name || !isValidId(String(name)))
+        return res.status(400).json({ error: "Invalid policy name" });
+      const enf = String(enforcement || "warn");
+      if (!isValidId(enf)) return res.status(400).json({ error: "Invalid enforcement value" });
       try {
-        const safeName = sanitizeArg(String(name));
-        const safeEnf = sanitizeArg(String(enforcement || "warn"));
-        const safeScope = sanitizeReason(String(scope || "all"));
-        const safeCond = sanitizeReason(String(conditions || ""));
-        const result = (0, import_node_child_process.execSync)(
-          `npx soma policy create "${safeName}" --enforcement ${safeEnf} --scope "${safeScope}" --conditions "${safeCond}" --vault "${somaVault}"`,
-          { encoding: "utf-8", timeout: 1e4 }
-        );
+        const args = [
+          "soma",
+          "policy",
+          "create",
+          String(name),
+          "--enforcement",
+          enf,
+          "--vault",
+          somaVault
+        ];
+        if (scope) args.push("--scope", String(scope).slice(0, 500));
+        if (conditions) args.push("--conditions", String(conditions).slice(0, 500));
+        const result = (0, import_node_child_process.execFileSync)("npx", args, { encoding: "utf-8", timeout: 1e4 });
         res.json({ success: true, message: result.trim() });
       } catch (error) {
         res.status(400).json({ error: ((_a = error.stderr) == null ? void 0 : _a.trim()) || error.message });
@@ -2906,11 +2967,16 @@ var DashboardServer = class {
       var _a;
       const somaVault = this.config.somaVault;
       if (!somaVault) return res.status(400).json({ error: "Soma vault not configured" });
+      if (!isValidId(String(req.params.name)))
+        return res.status(400).json({ error: "Invalid policy name" });
       try {
-        const safeName = sanitizeArg(String(req.params.name));
-        const result = (0, import_node_child_process.execSync)(
-          `npx soma policy delete "${safeName}" --vault "${somaVault}"`,
-          { encoding: "utf-8", timeout: 1e4 }
+        const result = (0, import_node_child_process.execFileSync)(
+          "npx",
+          ["soma", "policy", "delete", String(req.params.name), "--vault", somaVault],
+          {
+            encoding: "utf-8",
+            timeout: 1e4
+          }
         );
         res.json({ success: true, message: result.trim() });
       } catch (error) {
@@ -2928,16 +2994,28 @@ var DashboardServer = class {
           ...(report.agents ?? []).map((a) => ({ ...a, type: "agent", id: a.name })),
           ...(report.insights ?? []).map((i, idx) => {
             var _a;
-            return { ...i, type: i.type || "insight", id: ((_a = i.title) == null ? void 0 : _a.replace(/\s+/g, "-").toLowerCase()) || `insight-${idx}` };
+            return {
+              ...i,
+              type: i.type || "insight",
+              id: ((_a = i.title) == null ? void 0 : _a.replace(/\s+/g, "-").toLowerCase()) || `insight-${idx}`
+            };
           }),
           ...(report.policies ?? []).map((p) => ({ ...p, type: "policy", id: p.name }))
         ];
-        const { type, layer, q, limit: limitStr, offset: offsetStr } = req.query;
+        const {
+          type,
+          layer,
+          q,
+          limit: limitStr,
+          offset: offsetStr
+        } = req.query;
         if (type) entities = entities.filter((e) => e.type === type);
         if (layer) entities = entities.filter((e) => e.layer === layer);
         if (q) {
           const lq = q.toLowerCase();
-          entities = entities.filter((e) => (e.name || e.title || "").toLowerCase().includes(lq) || (e.claim || e.body || "").toLowerCase().includes(lq));
+          entities = entities.filter(
+            (e) => (e.name || e.title || "").toLowerCase().includes(lq) || (e.claim || e.body || "").toLowerCase().includes(lq)
+          );
         }
         const total = entities.length;
         const offset = parseInt(offsetStr || "0", 10);
@@ -3028,9 +3106,7 @@ var DashboardServer = class {
         const orphans = uniqueProcesses.filter(
           (p) => !allKnownPids.has(p.pid) && p.pid !== process.pid && p.pid !== process.ppid
         );
-        const problems = services.flatMap(
-          (s) => s.audit.problems.map((p) => `[${s.name}] ${p}`)
-        );
+        const problems = services.flatMap((s) => s.audit.problems.map((p) => `[${s.name}] ${p}`));
         const result = {
           // Backward-compatible fields from primary service
           pidFile: (primary == null ? void 0 : primary.audit.pidFile) ?? null,
@@ -3085,19 +3161,24 @@ var DashboardServer = class {
           }
         } catch {
         }
-        const watched = [...new Set([
-          this.config.tracesDir,
-          ...this.config.dataDirs || [],
-          ...extraDirs
-        ].map((w) => path3.resolve(w)))];
+        const watched = [
+          ...new Set(
+            [this.config.tracesDir, ...this.config.dataDirs || [], ...extraDirs].map(
+              (w) => path3.resolve(w)
+            )
+          )
+        ];
         const discovered = [];
         const svcNames = getSystemdServices(this.userConfig);
         if (svcNames.length > 0) {
           try {
-            const { execSync: execSync2 } = require("child_process");
-            const raw = execSync2(
-              `systemctl --user show --property=ExecStart --no-pager ${svcNames.join(" ")} 2>/dev/null`,
-              { encoding: "utf8", timeout: 5e3 }
+            const raw = (0, import_node_child_process.execFileSync)(
+              "systemctl",
+              ["--user", "show", "--property=ExecStart", "--no-pager", ...svcNames],
+              {
+                encoding: "utf8",
+                timeout: 5e3
+              }
             );
             for (const line of raw.split("\n")) {
               const match = line.match(/path=([^\s;]+)/);
@@ -3129,10 +3210,19 @@ var DashboardServer = class {
     this.app.post("/api/directories", import_express.default.json(), (req, res) => {
       try {
         const { add, remove } = req.body;
-        if (add && !fs3.existsSync(add)) {
-          return res.status(400).json({ error: `Directory does not exist: ${add}` });
+        if (add) {
+          const resolved = path3.resolve(add);
+          if (resolved !== add || add.includes("..")) {
+            return res.status(400).json({ error: "Invalid directory path" });
+          }
+          if (!fs3.existsSync(resolved)) {
+            return res.status(400).json({ error: `Directory does not exist: ${add}` });
+          }
         }
-        const configPath = path3.join(process.env.HOME ?? "/home/trader", ".agentflow/dashboard-config.json");
+        const configPath = path3.join(
+          process.env.HOME ?? "/home/trader",
+          ".agentflow/dashboard-config.json"
+        );
         let config = {};
         try {
           if (fs3.existsSync(configPath)) {
@@ -3342,13 +3432,31 @@ var DashboardServer = class {
         isVirtual: false
       });
     }
-    const rootSteps = new Set(model.steps);
-    const childSteps = new Set(model.transitions.map((t) => t.to));
-    const leafSteps = new Set(model.steps);
-    for (const t of model.transitions) {
-    }
-    nodes.push({ id: "[START]", label: "[START]", count: model.totalGraphs, frequency: 1, avgDuration: 0, failRate: 0, p95Duration: 0, isVirtual: true });
-    nodes.push({ id: "[END]", label: "[END]", count: model.totalGraphs, frequency: 1, avgDuration: 0, failRate: 0, p95Duration: 0, isVirtual: true });
+    const _rootSteps = new Set(model.steps);
+    const _childSteps = new Set(model.transitions.map((t) => t.to));
+    const _leafSteps = new Set(model.steps);
+    for (const _t of model.transitions) {
+    }
+    nodes.push({
+      id: "[START]",
+      label: "[START]",
+      count: model.totalGraphs,
+      frequency: 1,
+      avgDuration: 0,
+      failRate: 0,
+      p95Duration: 0,
+      isVirtual: true
+    });
+    nodes.push({
+      id: "[END]",
+      label: "[END]",
+      count: model.totalGraphs,
+      frequency: 1,
+      avgDuration: 0,
+      failRate: 0,
+      p95Duration: 0,
+      isVirtual: true
+    });
     const edges = model.transitions.map((t) => ({
       source: t.from,
       target: t.to,
@@ -3368,7 +3476,10 @@ var DashboardServer = class {
       }
     }
     const maxEdgeCount = Math.max(...edges.map((e) => e.count), 1);
-    const maxNodeCount = Math.max(...nodes.filter((n) => !n.isVirtual).map((n) => n.count), 1);
+    const maxNodeCount = Math.max(
+      ...nodes.filter((n) => !n.isVirtual).map((n) => n.count),
+      1
+    );
     return { agentId, totalTraces: model.totalGraphs, nodes, edges, maxEdgeCount, maxNodeCount };
   }
   /**

package/dist/index.js

@@ -3,7 +3,7 @@ import {
   AgentStats,
   DashboardServer,
   TraceWatcher
-} from "./chunk-E5RJCBK2.js";
+} from "./chunk-YLQ5MVCW.js";
 export {
   AgentStats,
   DashboardServer,