agentgui 1.0.935 → 1.0.936

package/AGENTS.md

@@ -2,7 +2,9 @@
 
 ## Architecture (2026-05-19 pivot — single surface)
 
-One surface. `server.js` serves `site/app/` at `/` and mounts `ccsniff`'s `/v1/history/*` Express router in-process. The legacy `static/` tree and the legacy `lib/routes-*`/`lib/db-queries-*`/`lib/jsonl-watcher.js` modules are gone. `acptoapi` is no longer used by this project.
+One surface. `server.js` serves `site/app/` under `BASE_URL` (default `/gm`) and mounts `ccsniff`'s `/v1/history/*` Express router in-process at both `/` and `BASE_URL`. The legacy `static/` tree and the legacy `lib/routes-*`/`lib/db-queries-*`/`lib/jsonl-watcher.js` modules are gone. `acptoapi` is no longer used by this project.
+
+When `PASSWORD` env var is set, every HTTP route is gated by `lib/http-handler.js` accepting **Basic auth**, **`Authorization: Bearer <pwd>`**, OR **`?token=<pwd>`** query param (added 2026-05-26 so `EventSource` and direct deep-links work — neither can set headers). WS `/sync` requires `?token=` only. The HTML head script injects `window.__BASE_URL`, `window.__SERVER_VERSION`, and `window.__WS_TOKEN`; `site/app/js/backend.js` reads `__WS_TOKEN` and threads it onto every fetch (Bearer header) / EventSource (qs) / WebSocket (qs).
 
 - `site/app/index.html` — shell + CSS, imports `anentrypoint-design` from unpkg
 - `site/app/js/backend.js` — same-origin client (`DEFAULT_BACKEND = ''`); `?backend=` query override for cross-origin debugging

package/lib/asset-server.js

@@ -96,7 +96,7 @@ export function serveFile(filePath, res, req, { compressAndSend, acceptsEncoding
       content = content.replace(/(href|src)="vendor\//g, `$1="${BASE_URL}/vendor/`);
       content = content.replace(/(src)="\/gm\/js\//g, `$1="${BASE_URL}/js/`);
       if (watch) {
-        content += `\n<script>(function(){const ws=new WebSocket((location.protocol==='https:'?'wss://':'ws://')+location.host+'${BASE_URL}/hot-reload');ws.onmessage=e=>{if(JSON.parse(e.data).type==='reload')location.reload()};})();</script>`;
+        content += `\n<script>(function(){const tok=window.__WS_TOKEN?'?token='+encodeURIComponent(window.__WS_TOKEN):'';const ws=new WebSocket((location.protocol==='https:'?'wss://':'ws://')+location.host+'${BASE_URL}/hot-reload'+tok);ws.onmessage=e=>{if(JSON.parse(e.data).type==='reload')location.reload()};})();</script>`;
       }
       compressAndSend(req, res, 200, contentType, content);
       if (!watch && acceptsEncoding(req, 'gzip')) {

package/lib/http-handler.js

@@ -23,18 +23,31 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
     if (_pwd) {
       const _auth = req.headers['authorization'] || '';
       let _ok = false;
+      const _checkToken = (tok) => {
+        try { return tok.length === _pwd.length && crypto.timingSafeEqual(Buffer.from(tok), Buffer.from(_pwd)); }
+        catch { return false; }
+      };
       if (_auth.startsWith('Basic ')) {
         try {
           const _decoded = Buffer.from(_auth.slice(6), 'base64').toString('utf8');
           const _ci = _decoded.indexOf(':');
-          if (_ci !== -1) { const _p = _decoded.slice(_ci + 1); try { _ok = _p.length === _pwd.length && crypto.timingSafeEqual(Buffer.from(_p), Buffer.from(_pwd)); } catch { _ok = false; } }
+          if (_ci !== -1) _ok = _checkToken(_decoded.slice(_ci + 1));
+        } catch (_) {}
+      } else if (_auth.startsWith('Bearer ')) {
+        _ok = _checkToken(_auth.slice(7));
+      }
+      // EventSource and same-origin links can't set headers — accept ?token= as fallback.
+      if (!_ok) {
+        try {
+          const _qsTok = new URL(req.url, 'http://localhost').searchParams.get('token');
+          if (_qsTok) _ok = _checkToken(_qsTok);
         } catch (_) {}
       }
       if (!_ok) { res.writeHead(401, { 'WWW-Authenticate': 'Basic realm="agentgui"' }); res.end('Unauthorized'); return; }
     }
 
     const pathOnly = req.url.split('?')[0];
-    if (pathOnly.startsWith(BASE_URL + '/api/upload/') || pathOnly.startsWith(BASE_URL + '/files/') || pathOnly.startsWith('/v1/history')) return expressApp(req, res);
+    if (pathOnly.startsWith(BASE_URL + '/api/upload/') || pathOnly.startsWith(BASE_URL + '/files/') || pathOnly.startsWith('/v1/history') || (BASE_URL && pathOnly.startsWith(BASE_URL + '/v1/history'))) return expressApp(req, res);
 
     if (req.url === '/favicon.ico' || req.url === BASE_URL + '/favicon.ico') {
       const svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><rect width="100" height="100" rx="20" fill="#3b82f6"/><text x="50" y="68" font-size="50" font-family="sans-serif" font-weight="bold" fill="white" text-anchor="middle">G</text></svg>';
@@ -45,13 +58,14 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
     // serve index.html at root directly (no redirect)
 
     let routePath = req.url;
-    if (req.url.startsWith(BASE_URL + '/')) { routePath = req.url.slice(BASE_URL.length); }
-    else if (req.url === BASE_URL) { routePath = '/'; }
-    else if (req.url.startsWith('/api/') || req.url.startsWith('/js/') || req.url.startsWith('/css/') ||
-             req.url.startsWith('/vendor/') || req.url.startsWith('/sync') || req.url === '/' ||
-             req.url === '/health' || req.url.startsWith('/v1/') ||
-             req.url.startsWith('/api/terminal/') ||
-             req.url.startsWith('/conversations/')) { routePath = req.url; }
+    const _bareUrl = req.url.split('?')[0];
+    if (_bareUrl.startsWith(BASE_URL + '/')) { routePath = req.url.slice(BASE_URL.length); }
+    else if (_bareUrl === BASE_URL) { routePath = '/'; }
+    else if (_bareUrl.startsWith('/api/') || _bareUrl.startsWith('/js/') || _bareUrl.startsWith('/css/') ||
+             _bareUrl.startsWith('/vendor/') || _bareUrl.startsWith('/sync') || _bareUrl === '/' ||
+             _bareUrl === '/health' || _bareUrl.startsWith('/v1/') ||
+             _bareUrl.startsWith('/api/terminal/') ||
+             _bareUrl.startsWith('/conversations/')) { routePath = req.url; }
     else { res.writeHead(404); res.end('Not found'); return; }
 
     routePath = routePath || '/';
@@ -120,7 +134,8 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
 
       if (pathOnly.match(/^\/conversations\/[^\/]+$/)) { serveFile(path.join(staticDir, 'index.html'), res, req); return; }
 
-      let filePath = routePath === '/' ? '/index.html' : routePath;
+      const routePathBare = routePath.split('?')[0];
+      let filePath = routePathBare === '/' ? '/index.html' : routePathBare;
       filePath = path.join(staticDir, filePath);
       const normalizedPath = path.normalize(filePath);
       if (!normalizedPath.startsWith(staticDir)) { res.writeHead(403); res.end('Forbidden'); return; }

package/lib/server-startup2.js

@@ -28,7 +28,7 @@ export function createAutoImport({ queries, broadcastSync }) {
     try {
       if (process.env.AGENTGUI_SKIP_AUTO_IMPORT === '1') return;
       if (!hasIndexFilesChanged()) return;
-      const imported = queries.importClaudeCodeConversations();
+      const imported = queries.importClaudeCodeConversations() || [];
       if (imported.length > 0) {
         const importedCount = imported.filter(i => i.status === 'imported').length;
         if (importedCount > 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.935",
+  "version": "1.0.936",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "electron/main.js",

package/server.js

@@ -73,7 +73,8 @@ const expressApp = createExpressApp({ queries, BASE_URL });
 try {
   const historyRouter = await createHistoryRouter({ projectsDir: process.env.CLAUDE_PROJECTS_DIR });
   expressApp.use('/', historyRouter);
-  console.log('[ccsniff] /v1/history/* mounted');
+  if (BASE_URL && BASE_URL !== '/') expressApp.use(BASE_URL, historyRouter);
+  console.log('[ccsniff] /v1/history/* mounted at / and ' + (BASE_URL || '/'));
 } catch (e) { console.error('[ccsniff] mount failed:', e.message); }
 
 let discoveredAgents = [];

package/site/app/js/app.js

@@ -18,9 +18,28 @@ const state = {
   events: [],
   searchQ: '',
   searchHits: null,
+  historyError: null,
+  showSubagents: false,
   live: { es: null, connected: false, lastEventTs: 0, error: null, eventCount: 0 },
 };
 
+function readHash() {
+  const m = (location.hash || '').match(/sid=([^&]+)/);
+  return m ? decodeURIComponent(m[1]) : null;
+}
+function writeHash(sid) {
+  const h = sid ? '#sid=' + encodeURIComponent(sid) : '';
+  if (location.hash !== h) history.replaceState(null, '', location.pathname + location.search + h);
+}
+function fmtRelTime(ts) {
+  if (!ts) return '';
+  const s = Math.round((Date.now() - ts) / 1000);
+  if (s < 60) return s + 's ago';
+  if (s < 3600) return Math.round(s/60) + 'm ago';
+  if (s < 86400) return Math.round(s/3600) + 'h ago';
+  return Math.round(s/86400) + 'd ago';
+}
+
 let render;
 let renderScheduled = false;
 function scheduleRender() {
@@ -242,34 +261,72 @@ async function sendChat() {
 
 // ── history ────────────────────────────────────────────────────────────────
 function historyMain() {
+  if (!state.selectedSid) {
+    return [PageHeader({
+      title: '§ history',
+      lede: 'pick a session from the sidebar — events stream live from ccsniff /v1/history.',
+    })];
+  }
+
+  const sess = (Array.isArray(state.sessions) ? state.sessions : []).find(s => s.sid === state.selectedSid);
+  const lede = sess
+    ? (sess.project || sess.cwd || '?') + ' · ' + (sess.events || 0) + ' events · ' + (sess.userTurns || 0) + ' turns · ' + fmtRelTime(sess.last)
+    : state.selectedSid;
+
   const head = PageHeader({
-    title: '§ history',
-    lede: state.selectedSid
-      ? 'session ' + state.selectedSid
-      : 'pick a session from the sidebar — events stream from ccsniff /v1/history.',
+    title: '§ ' + (sess?.title || state.selectedSid).slice(0, 80),
+    lede,
   });
 
-  if (!state.selectedSid)            return [head];
-  if (state.events.length === 0)     return [head, Panel({ title: 'events', children: h('p', { class: 'lede' }, '◌ loading…') })];
+  const actions = h('div', { key: 'acts', style: 'display:flex;gap:.5em;padding:0 0 .75em 0' },
+    Btn({ key: 'resume', primary: true, onClick: () => resumeInChat(sess || { sid: state.selectedSid }), children: '▶ open in chat' }),
+    Btn({ key: 'copy', onClick: () => { try { navigator.clipboard.writeText(state.selectedSid); } catch {} }, children: '⎘ copy sid' }),
+  );
+
+  if (state.events.length === 0) {
+    return [head, actions, Panel({ title: 'events', children: h('p', { class: 'lede' }, '◌ loading…') })];
+  }
 
   return [
     head,
+    actions,
     Panel({
       title: state.events.length + ' events',
       children: EventList({
-        items: state.events.map((e, i) => ({
-          key: 'ev' + i,
-          code: String(i + 1).padStart(3, '0'),
-          title: (e.text || '').slice(0, 200) || '(empty)',
-          sub: new Date(e.ts).toLocaleString() + ' · ' + (e.role || '?') + ' · ' + (e.type || '?') + (e.tool ? ' · ⌘ ' + e.tool : ''),
-        })),
+        items: state.events.slice(-300).map((e, i) => {
+          const role = e.role || '?';
+          const type = e.type || '?';
+          const tool = e.tool ? ' · ⌘ ' + e.tool : '';
+          const errMark = e.isError ? ' · ⚠' : '';
+          const text = (e.text || '').replace(/\s+/g, ' ').trim();
+          return {
+            key: 'ev' + (e.i ?? i),
+            code: String((e.i ?? i) + 1).padStart(4, '0'),
+            title: text.slice(0, 220) || '(' + type + ')',
+            sub: new Date(e.ts).toLocaleString() + ' · ' + role + ' · ' + type + tool + errMark,
+          };
+        }),
       }),
     }),
   ];
 }
 
+function resumeInChat(sess) {
+  state.tab = 'chat';
+  closeLiveStream();
+  state.chat.draft = '/resume ' + (sess?.sid || state.selectedSid);
+  render();
+}
+
+function visibleSessions() {
+  const arr = Array.isArray(state.sessions) ? state.sessions : [];
+  const filtered = state.showSubagents ? arr : arr.filter(s => !s.isSubagent);
+  return filtered.slice().sort((a, b) => (b.last || 0) - (a.last || 0));
+}
+
 function historySide() {
   const searching = !!state.searchHits;
+  const sessionsView = visibleSessions();
   const rows = searching
     ? state.searchHits.results.slice(0, 60).map((r, i) =>
         Row({
@@ -281,17 +338,18 @@ function historySide() {
           onClick: () => loadSession(r.sid),
         })
       )
-    : state.sessions.slice(0, 120).map((s, i) =>
+    : sessionsView.slice(0, 120).map((s, i) =>
         Row({
-          key: 'sess' + i,
+          key: 'sess' + s.sid,
           rank: String(i + 1).padStart(3, '0'),
-          title: s.title || s.project || s.sid,
-          sub: s.events + ' ev · ' + s.tools + ' tools' + (s.errors ? ' · ' + s.errors + ' err' : ''),
-          rail: s.errors ? 'flame' : 'green',
+          title: (s.isSubagent ? '↳ ' : '') + (s.title || s.project || s.sid),
+          sub: fmtRelTime(s.last) + ' · ' + (s.events || 0) + ' ev · ' + (s.tools || 0) + ' tools' + (s.errors ? ' · ' + s.errors + ' err' : ''),
+          rail: s.errors ? 'flame' : (s.isSubagent ? 'purple' : 'green'),
           active: s.sid === state.selectedSid,
           onClick: () => loadSession(s.sid),
         })
       );
+  const subagentCount = (Array.isArray(state.sessions) ? state.sessions : []).filter(s => s.isSubagent).length;
 
   return [
     Side({
@@ -307,7 +365,7 @@ function historySide() {
       ],
     }),
     Panel({
-      title: searching ? 'matches' : 'sessions',
+      title: searching ? 'matches' : ('sessions · ' + sessionsView.length + (subagentCount && !state.showSubagents ? ' (+'+subagentCount+' sub)' : '')),
       children: [
         SearchInput({
           key: 'searchInput',
@@ -315,7 +373,14 @@ function historySide() {
           value: state.searchQ,
           onInput: (v) => { state.searchQ = v; runSearch(); },
         }),
-        rows.length ? h('div', { key: 'rows' }, ...rows) : h('p', { key: 'empty', class: 'lede' }, 'no sessions yet'),
+        !searching && subagentCount
+          ? h('label', { key: 'subtog', class: 'lede', style: 'display:flex;gap:.5em;align-items:center;padding:.25em 0' },
+              h('input', { type: 'checkbox', checked: state.showSubagents, onChange: (e) => { state.showSubagents = e.target.checked; render(); } }),
+              'show subagents (' + subagentCount + ')')
+          : null,
+        state.historyError
+          ? h('p', { key: 'err', class: 'lede' }, '⚠ ' + state.historyError)
+          : (rows.length ? h('div', { key: 'rows' }, ...rows) : h('p', { key: 'empty', class: 'lede' }, 'no sessions yet')),
       ],
     }),
   ];
@@ -363,7 +428,7 @@ function settingsMain() {
               key: 'm' + i,
               rank: String(i + 1).padStart(3, '0'),
               title: m.id,
-              sub: m.owned_by || m.object || 'model',
+              sub: m.name ? (m.name + ' · ' + (m.protocol || 'agent')) : (m.protocol || 'agent'),
               rail: m.id === state.selectedModel ? 'green' : 'purple',
               onClick: () => { state.selectedModel = m.id; render(); },
             })
@@ -375,8 +440,15 @@ function settingsMain() {
 
 // ── data ──────────────────────────────────────────────────────────────────
 async function refreshHistory() {
-  try { state.sessions = await B.listSessions(state.backend); render(); }
-  catch (e) { console.warn('history fetch failed:', e.message); }
+  try {
+    state.sessions = await B.listSessions(state.backend);
+    state.historyError = null;
+    render();
+  } catch (e) {
+    state.historyError = e.message;
+    console.warn('history fetch failed:', e.message);
+    render();
+  }
 }
 
 async function runSearch() {
@@ -393,6 +465,7 @@ async function runSearch() {
 async function loadSession(sid) {
   state.selectedSid = sid;
   state.events = [];
+  writeHash(sid);
   render();
   try { state.events = await B.getSessionEvents(state.backend, sid); render(); }
   catch (e) {
@@ -414,6 +487,21 @@ async function init() {
     if (!state.selectedModel && state.models[0]) state.selectedModel = state.models[0].id;
     render();
   } catch (e) { console.warn('models fetch failed:', e.message); }
+
+  const initialSid = readHash();
+  if (initialSid) {
+    navTo('history');
+    await refreshHistory();
+    await loadSession(initialSid);
+  }
+
+  B.onWsStatus?.((s) => {
+    if (s === 'closed' || s === 'error') {
+      if (state.health.status === 'ok') { state.health = { ...state.health, ws: 'reconnecting' }; render(); }
+    } else if (s === 'open') {
+      if (state.health.ws) { delete state.health.ws; render(); }
+    }
+  });
 }
 
 render = mount(document.getElementById('app'), view);

package/site/app/js/backend.js

@@ -9,6 +9,24 @@ import { encode, decode } from './codec.js';
 const KEY = 'agentgui.backend';
 const DEFAULT_BACKEND = '';
 
+function authToken() {
+  try { return (typeof window !== 'undefined' && window.__WS_TOKEN) || ''; } catch { return ''; }
+}
+
+function authedFetch(url, opts = {}) {
+  const tok = authToken();
+  if (!tok) return fetch(url, opts);
+  const h = new Headers(opts.headers || {});
+  h.set('Authorization', 'Bearer ' + tok);
+  return fetch(url, { ...opts, headers: h });
+}
+
+function withToken(url) {
+  const tok = authToken();
+  if (!tok) return url;
+  return url + (url.includes('?') ? '&' : '?') + 'token=' + encodeURIComponent(tok);
+}
+
 export function getBackend() {
   const u = new URL(location.href);
   const fromQs = u.searchParams.get('backend');
@@ -20,7 +38,7 @@ export function setBackend(url) { localStorage.setItem(KEY, url); }
 
 export async function probeBackend(base) {
   try {
-    const r = await fetch(base + '/health', { method: 'GET' });
+    const r = await authedFetch(base + '/health', { method: 'GET' });
     if (!r.ok) return { ok: false, status: r.status };
     return { ok: true, info: await r.json() };
   } catch (e) {
@@ -31,26 +49,27 @@ export async function probeBackend(base) {
 // ---------- History (HTTP, served by ccsniff) ----------
 
 export async function listSessions(base) {
-  const r = await fetch(base + '/v1/history/sessions');
+  const r = await authedFetch(base + '/v1/history/sessions');
   if (!r.ok) throw new Error('sessions: ' + r.status);
-  return r.json();
+  const j = await r.json();
+  return Array.isArray(j) ? j : (j.sessions || []);
 }
 
 export async function getSessionEvents(base, sid) {
-  const r = await fetch(base + '/v1/history/sessions/' + encodeURIComponent(sid) + '/events');
+  const r = await authedFetch(base + '/v1/history/sessions/' + encodeURIComponent(sid) + '/events');
   if (!r.ok) throw new Error('events: ' + r.status);
   const j = await r.json();
   return j.events || [];
 }
 
 export async function searchHistory(base, q, limit = 50) {
-  const r = await fetch(base + '/v1/history/search?q=' + encodeURIComponent(q) + '&limit=' + limit);
+  const r = await authedFetch(base + '/v1/history/search?q=' + encodeURIComponent(q) + '&limit=' + limit);
   if (!r.ok) throw new Error('search: ' + r.status);
   return r.json();
 }
 
 export function streamHistory(base, onEvent) {
-  const es = new EventSource(base + '/v1/history/stream');
+  const es = new EventSource(withToken(base + '/v1/history/stream'));
   for (const k of ['hello', 'event', 'error', 'start', 'complete', 'conversation']) {
     es.addEventListener(k, ev => {
       let data; try { data = JSON.parse(ev.data); } catch { data = null; }
@@ -68,19 +87,26 @@ let _wsReady = null;       // Promise that resolves when ws is OPEN
 let _nextReqId = 1;
 const _pending = new Map();          // requestId → { resolve, reject }
 const _sessionListeners = new Map(); // sessionId → Set<(event)=>void>
+const _statusListeners = new Set();  // fn(state) where state in 'open'|'closed'|'error'
+
+export function onWsStatus(fn) { _statusListeners.add(fn); return () => _statusListeners.delete(fn); }
+function emitStatus(s) { for (const fn of _statusListeners) { try { fn(s); } catch {} } }
 
 function wsUrl(base) {
+  let proto, host;
   if (base) {
-    // Absolute base like http://host:port → ws(s)://host:port/sync
     try {
       const u = new URL(base);
-      const proto = u.protocol === 'https:' ? 'wss:' : 'ws:';
-      return proto + '//' + u.host + SYNC_PATH;
+      proto = u.protocol === 'https:' ? 'wss:' : 'ws:';
+      host = u.host;
     } catch {}
   }
-  // Same-origin
-  const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
-  return proto + '//' + location.host + SYNC_PATH;
+  if (!host) {
+    proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
+    host = location.host;
+  }
+  const tok = authToken();
+  return proto + '//' + host + SYNC_PATH + (tok ? '?token=' + encodeURIComponent(tok) : '');
 }
 
 function ensureWs(base) {
@@ -88,10 +114,10 @@ function ensureWs(base) {
   if (_ws && _ws.readyState === 0) return _wsReady;
   _ws = new WebSocket(wsUrl(base));
   _wsReady = new Promise((resolve, reject) => {
-    _ws.addEventListener('open', () => resolve(_ws));
-    _ws.addEventListener('error', (e) => reject(e));
+    _ws.addEventListener('open', () => { emitStatus('open'); resolve(_ws); });
+    _ws.addEventListener('error', (e) => { emitStatus('error'); reject(e); });
     _ws.addEventListener('close', () => {
-      // Reject all pending requests on close so callers can recover.
+      emitStatus('closed');
       for (const [, p] of _pending) p.reject(new Error('ws closed'));
       _pending.clear();
       _ws = null;