agim-cli 1.0.1 → 1.0.3

package/dist/web/public/settings.html

@@ -3,7 +3,7 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>im-hub-pro — Settings</title>
+  <title>Agim — Settings</title>
   <!-- Shared utilities: theme manager (applies before first paint), error
        boundary (surfaces silent script failures), i18n + api helpers. -->
   <script src="/_app.js"></script>
@@ -16,9 +16,9 @@
 
     const T = {
       en: {
-        title: 'im-hub-pro — Settings',
+        title: 'Agim — Settings',
         backToChat: 'Back to Chat',
-        settingsTitle: 'im-hub-pro Settings',
+        settingsTitle: 'Agim Settings',
         loading: 'Loading configuration...',
         loadFailed: 'Failed to load config',
         h1: 'Settings',
@@ -28,7 +28,7 @@
         messengers: 'Messengers (Channels)',
         wechat: 'WeChat',
         wechatHint: 'iLink QR scan login',
-        wechatBox: 'WeChat requires QR scan login. Run <code>im-hub-pro config wechat</code> in terminal to set up.',
+        wechatBox: 'WeChat requires QR scan login. Run <code>agim config wechat</code> in terminal to set up.',
         telegram: 'Telegram',
         telegramHint: 'Bot token from @BotFather',
         botToken: 'Bot Token',
@@ -91,9 +91,9 @@
         workspaceDefaultLocked: 'default (locked)',
       },
       zh: {
-        title: 'im-hub-pro — 设置',
+        title: 'Agim — 设置',
         backToChat: '返回对话',
-        settingsTitle: 'im-hub-pro 设置',
+        settingsTitle: 'Agim 设置',
         loading: '加载配置中...',
         loadFailed: '加载配置失败',
         h1: '设置',
@@ -103,7 +103,7 @@
         messengers: '消息通道 (Channels)',
         wechat: '微信',
         wechatHint: 'iLink 扫码登录',
-        wechatBox: '微信需要扫码登录。在终端运行 <code>im-hub-pro config wechat</code> 进行配置。',
+        wechatBox: '微信需要扫码登录。在终端运行 <code>agim config wechat</code> 进行配置。',
         telegram: 'Telegram',
         telegramHint: '从 @BotFather 获取 Bot Token',
         botToken: 'Bot Token',
@@ -562,12 +562,10 @@
       'opencode': { aliases: ['oc'], pkg: 'opencode-ai', cmd: 'opencode' },
     };
 
-    // Helper: add auth token to all API requests (uses session cookie;
-    // falls back to IMHUB_TOKEN header if set for backward compat).
+    // Helper: API requests share the page origin so the session cookie
+    // (if any reverse-proxy added one) is sent automatically.
     function authFetch(url, init = {}) {
-      const token = window.IMHUB_TOKEN || '';
       const headers = { ...(init.headers || {}) };
-      if (token) headers['X-IM-Hub-Token'] = token;
       return fetch(url, { ...init, headers, credentials: 'same-origin' });
     }
 

package/dist/web/public/tasks.html

@@ -3,7 +3,7 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>im-hub-pro — Tasks</title>
+  <title>Agim — Tasks</title>
   <!-- Shared utilities: theme manager applies before first paint, error
        boundary surfaces silent script failures, i18n + api helpers are
        used by the page-specific script below. -->
@@ -24,7 +24,7 @@
 
     const T = {
       en: {
-        title: 'im-hub-pro — Tasks',
+        title: 'Agim — Tasks',
         h1: 'Tasks & Schedules',
         backToChat: 'Chat',
         toSettings: 'Settings',
@@ -151,7 +151,7 @@
         jobsBatchResult: 'Batch result: {ok} ok, {fail} failed',
       },
       zh: {
-        title: 'im-hub-pro — 任务',
+        title: 'Agim — 任务',
         h1: '任务与定时',
         backToChat: '对话',
         toSettings: '设置',
@@ -697,7 +697,6 @@
 
   <script>
     const T = window.__t;
-    const TOKEN = window.IMHUB_TOKEN || '';
 
     // Theme toggle (light / dark / system). _app.js applied the theme
     // synchronously in <head>; here we wire the button so clicks cycle
@@ -773,7 +772,6 @@
     // API helper
     async function api(path, init) {
       const headers = { 'Content-Type': 'application/json', ...(init?.headers) };
-      if (TOKEN) headers['X-IM-Hub-Token'] = TOKEN;
       const res = await fetch(path, { ...init, headers, credentials: 'same-origin' });
       if (!res.ok) throw new Error(`${res.status} ${res.statusText}`);
       return res.json();
@@ -961,10 +959,8 @@
 
     // New job modal
     document.getElementById('btn-new').onclick = async () => {
-      const agentHeaders = {};
-      if (TOKEN) agentHeaders['X-IM-Hub-Token'] = TOKEN;
       const agentsRes = await fetch('/api/agents/status', {
-        headers: agentHeaders, credentials: 'same-origin',
+        credentials: 'same-origin',
       }).then(r => r.json());
       const agents = Object.keys(agentsRes);
 
@@ -1528,10 +1524,8 @@
       if (filesAgentsLoaded) return;
       filesAgentsLoaded = true;
       try {
-        const fHeaders = {};
-        if (TOKEN) fHeaders['X-IM-Hub-Token'] = TOKEN;
         const agentsRes = await fetch('/api/agents/status', {
-          headers: fHeaders, credentials: 'same-origin',
+          credentials: 'same-origin',
         }).then(r => r.json());
         const names = Object.keys(agentsRes);
         const sel = document.getElementById('files-agent');
@@ -1694,11 +1688,10 @@
           // structured error body (e.g. "Content exceeds 1 MiB cap")
           // rather than just the HTTP statusText.
           const qs = new URLSearchParams({ agent: data.agent, path: data.path });
-          const wHeaders = { 'Content-Type': 'application/json' };
-          if (TOKEN) wHeaders['X-IM-Hub-Token'] = TOKEN;
           const res = await fetch(`/api/workspace-files?${qs.toString()}`, {
             method: 'PUT',
-            headers: wHeaders, credentials: 'same-origin',
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'same-origin',
             body: JSON.stringify({ content: newContent }),
           });
           if (!res.ok) {
@@ -1753,11 +1746,7 @@
     function setupSSE() {
       try {
         if (evtSource) try { evtSource.close(); } catch {}
-        // Session cookie is sent automatically. For backward compat,
-        // also include the token in the query if available (EventSource
-        // does not support custom headers).
-        const sseUrl = TOKEN ? `/events?token=${encodeURIComponent(TOKEN)}` : '/events';
-        evtSource = new EventSource(sseUrl, { withCredentials: true });
+        evtSource = new EventSource('/events', { withCredentials: true });
       } catch (err) {
         console.warn('[sse] init failed', err);
         return;

package/dist/web/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/web/server.ts"],"names":[],"mappings":"AAwEA,wBAAgB,iBAAiB,IAAI,CAAC,EAAE,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAOrE;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;CACrB,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,IAAI,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CA2sB/C"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/web/server.ts"],"names":[],"mappings":"AAqDA,wBAAgB,iBAAiB,IAAI,CAAC,EAAE,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,IAAI,CAOrE;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;CACrB,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,IAAI,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAmlB/C"}

package/dist/web/server.js

@@ -1,18 +1,16 @@
 // Web chat server — HTTP + WebSocket for browser-based agent interaction
 import { createServer } from 'node:http';
-import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'node:fs';
+import { readFileSync, existsSync } from 'node:fs';
 import { readdir, stat, readFile, writeFile, rename, unlink, realpath, open } from 'node:fs/promises';
 import { join, dirname, resolve as resolvePath, sep as pathSep, relative as relativePath } from 'node:path';
 import { fileURLToPath } from 'node:url';
-import { AGIM_HOME } from '../core/agim-paths.js';
-import { randomBytes, createHmac, timingSafeEqual } from 'node:crypto';
+import { randomBytes } from 'node:crypto';
 import { WebSocketServer } from 'ws';
 import { parseMessage, routeMessage } from '../core/router.js';
 import { sessionManager } from '../core/session.js';
 import { registry } from '../core/registry.js';
 import { generateTraceId, createLogger, logger as rootLogger } from '../core/logger.js';
 import { validateConfig } from '../core/config-schema.js';
-import { safeEqual } from '../utils/safe-equal.js';
 import { consumeToken, peekToken } from '../core/location-token.js';
 import { createMemo, updateMemo, getMemo, mapUrls } from '../core/memos.js';
 import { normalizeIncomingCoords } from '../core/coord-systems.js';
@@ -31,22 +29,6 @@ import { isAgentAvailableCached, loadConfig, saveConfig, } from '../core/onboard
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PUBLIC_DIR = join(__dirname, 'public');
 const DEFAULT_PORT = 3000;
-const WEB_TOKEN_DIR = AGIM_HOME;
-const WEB_TOKEN_FILE = join(WEB_TOKEN_DIR, 'web-token');
-function generateToken() {
-    return randomBytes(32).toString('hex');
-}
-function getOrCreateWebToken() {
-    try {
-        return readFileSync(WEB_TOKEN_FILE, 'utf-8').trim();
-    }
-    catch {
-        const token = generateToken();
-        mkdirSync(WEB_TOKEN_DIR, { recursive: true });
-        writeFileSync(WEB_TOKEN_FILE, token, { mode: 0o600 });
-        return token;
-    }
-}
 function isMasked(value) {
     if (!value)
         return false;
@@ -66,130 +48,31 @@ export function createSerialQueue() {
 export async function startWebServer(options) {
     const port = options.port || DEFAULT_PORT;
     const bindHost = process.env.IMHUB_WEB_BIND || '127.0.0.1';
-    const webToken = getOrCreateWebToken();
     const clients = new Map();
-    // Auth-required mode is now scoped to public binds. When listening on
-    // 127.0.0.1 / ::1 / localhost the web console is wide open — whoever has
-    // shell on this host already owns it, and asking small users to paste a
-    // token they don't understand was the biggest friction point in onboarding.
-    // For 0.0.0.0 / LAN / WAN binds we keep the token requirement so a
-    // copy-pasted IMHUB_WEB_BIND=0.0.0.0 doesn't expose memos/reminders/config.
-    //
-    // Escape hatches via env:
-    //   IMHUB_WEB_REQUIRE_AUTH=1 — force token even on localhost (legacy / paranoid)
-    //   IMHUB_WEB_REQUIRE_AUTH=0 — force NO token even on public bind (you know
-    //                              what you're doing — proxy + HTTPS + external auth)
+    // Agim's web console intentionally ships with NO built-in auth — neither
+    // for localhost nor for public binds. Operators putting it on 0.0.0.0 are
+    // responsible for fronting it with a reverse proxy / firewall / SSH tunnel
+    // / VPN of their choice. See README "Web console exposure".
     const isPublicBind = bindHost !== '127.0.0.1' && bindHost !== '::1' && bindHost !== 'localhost';
-    const requireAuth = (() => {
-        const forced = process.env.IMHUB_WEB_REQUIRE_AUTH;
-        if (forced === '1')
-            return true;
-        if (forced === '0')
-            return false;
-        return isPublicBind;
-    })();
-    // Per-process secret for signing session cookies. Not persisted — browser
-    // sessions expire on restart, which is acceptable for a dev tool.
-    const cookieSecret = randomBytes(32).toString('hex');
-    const COOKIE_NAME = 'imhub_session';
-    function makeSessionCookie() {
-        return createHmac('sha256', cookieSecret).update(webToken).digest('hex');
-    }
-    function isValidSessionCookie(cookie) {
-        const expected = makeSessionCookie();
-        if (cookie.length !== expected.length)
-            return false;
-        try {
-            return timingSafeEqual(Buffer.from(cookie, 'utf8'), Buffer.from(expected, 'utf8'));
-        }
-        catch {
-            return false;
-        }
-    }
-    function parseCookies(req) {
-        const hdr = req.headers.cookie || '';
-        const out = {};
-        for (const pair of hdr.split(';')) {
-            const eq = pair.indexOf('=');
-            if (eq < 0)
-                continue;
-            out[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
-        }
-        return out;
-    }
-    function hasValidSession(req) {
-        const cookies = parseCookies(req);
-        return isValidSessionCookie(cookies[COOKIE_NAME] || '');
-    }
-    function setSessionCookie(req, res) {
-        const val = makeSessionCookie();
-        const parts = [`${COOKIE_NAME}=${val}`, 'HttpOnly', 'SameSite=Strict', 'Path=/'];
-        // Mark Secure when we have any signal we're served over TLS:
-        //  - public bind (assume reverse proxy will/should terminate TLS)
-        //  - X-Forwarded-Proto: https from a trusted reverse proxy
-        // For pure localhost dev (no proxy) we omit Secure so plain HTTP works.
-        const isPublicBind = bindHost !== '127.0.0.1' && bindHost !== '::1' && bindHost !== 'localhost';
-        const xfp = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
-        if (isPublicBind || xfp === 'https')
-            parts.push('Secure');
-        res.setHeader('Set-Cookie', parts.join('; '));
-    }
     if (isPublicBind) {
         webLog.warn({
             event: 'web.public_bind_warning',
             bind: bindHost,
-            requireAuth,
-        }, requireAuth
-            ? 'Web server bound to a non-localhost address — token auth REQUIRED; front it with a reverse proxy that terminates TLS'
-            : 'Web server bound publicly with IMHUB_WEB_REQUIRE_AUTH=0 — caller assumes responsibility for upstream auth');
+        }, 'Web server bound to a non-localhost address with NO built-in auth — front it with a reverse proxy / firewall / VPN');
     }
     webLog.info({
         event: 'web.auth_mode',
         bind: bindHost,
-        requireAuth,
-    }, requireAuth
-        ? 'Web console: token auth REQUIRED (login page at /login)'
-        : 'Web console: token auth DISABLED (localhost bind — open access)');
+    }, 'Web console: open access (no built-in auth — access control is upstream)');
     // HTTP request handler — static files + REST API
     const httpServer = createServer(async (req, res) => {
         const url = new URL(req.url || '/', `http://localhost:${port}`);
-        // Login page — always accessible
-        if (url.pathname === '/login' || url.pathname === '/login.html') {
-            return serveStatic(res, join(PUBLIC_DIR, 'login.html'), 'text/html; charset=utf-8');
-        }
-        // POST /api/auth/login — validate token, set session cookie
-        if (url.pathname === '/api/auth/login' && req.method === 'POST') {
-            const body = await readBody(req, res);
-            let parsed;
-            try {
-                parsed = JSON.parse(body);
-            }
-            catch {
-                sendJson(res, 400, { error: 'Invalid JSON' });
-                return;
-            }
-            if (typeof parsed.token === 'string' && safeEqual(parsed.token, webToken)) {
-                setSessionCookie(req, res);
-                sendJson(res, 200, { ok: true });
-            }
-            else {
-                sendJson(res, 401, { error: 'Invalid token' });
-            }
-            return;
-        }
-        // Static pages — gated by session cookie ONLY when requireAuth is on
-        // (i.e. the server is bound publicly). Localhost binds skip the gate
-        // entirely so small users don't need to know what a token is.
+        // Static pages — direct serve, no auth gate.
         if (url.pathname === '/' || url.pathname === '/index.html' ||
             url.pathname === '/settings' || url.pathname === '/settings.html' ||
             url.pathname === '/tasks' || url.pathname === '/tasks.html' ||
             url.pathname === '/reminders' || url.pathname === '/reminders.html' ||
             url.pathname === '/memos' || url.pathname === '/memos.html') {
-            if (requireAuth && !hasValidSession(req)) {
-                res.writeHead(302, { Location: `/login?next=${encodeURIComponent(url.pathname)}` });
-                res.end();
-                return;
-            }
             const fileMap = {
                 '/': 'index.html', '/index.html': 'index.html',
                 '/settings': 'settings.html', '/settings.html': 'settings.html',
@@ -370,17 +253,7 @@ export async function startWebServer(options) {
             sendJson(res, 200, { ok: true, id: memoId, lat, lng });
             return;
         }
-        // REST API — gated by header token OR session cookie ONLY when
-        // requireAuth is on. Localhost binds let the call through; same
-        // trust model as the static pages above.
-        if (requireAuth && url.pathname.startsWith('/api/')) {
-            const token = req.headers['x-im-hub-token'] || '';
-            if (!safeEqual(token, webToken) && !hasValidSession(req)) {
-                res.writeHead(401);
-                res.end(JSON.stringify({ error: 'Unauthorized' }));
-                return;
-            }
-        }
+        // REST API — open access (no built-in auth). See top-of-function note.
         // REST API
         if (url.pathname === '/api/config' && req.method === 'GET') {
             return handleGetConfig(req, res);
@@ -518,21 +391,11 @@ export async function startWebServer(options) {
             return handleBatchJob(req, res, 'run', options.defaultAgent);
         }
         // PR-C: SSE event stream — audit / approval / job / metrics events
-        // pushed real-time so the dashboard stops polling. EventSource has no
-        // header API, so the token rides in `?token=<webToken>` (same shape
-        // the WS upgrade uses). Auth is validated inside the handler since
-        // /events is outside the /api/* token gate above.
+        // pushed real-time so the dashboard stops polling. Open access; same
+        // trust model as the REST API.
         if (url.pathname === '/events' && req.method === 'GET') {
-            const evToken = url.searchParams.get('token') || '';
-            if (requireAuth && !safeEqual(evToken, webToken) && !hasValidSession(req)) {
-                res.writeHead(401, { 'Content-Type': 'text/plain' });
-                res.end('Unauthorized');
-                return;
-            }
             return handleEventsSSE(req, res);
         }
-        // /api/health handled above the token gate (M4) — keep this comment so
-        // future contributors don't re-add the route inside the auth block.
         if (url.pathname === '/api/notify' && req.method === 'POST') {
             return handleNotify(req, res);
         }
@@ -569,14 +432,7 @@ export async function startWebServer(options) {
             ws.close(1013, 'Server too busy');
             return;
         }
-        // Verify token from URL query or session cookie before accepting connection
-        // — only when requireAuth (public bind). Localhost connections are trusted.
-        const wsUrl = new URL(req.url || '/', `http://localhost:${port}`);
-        const wsToken = wsUrl.searchParams.get('token') || '';
-        if (requireAuth && !safeEqual(wsToken, webToken) && !hasValidSession(req)) {
-            ws.close(1008, 'Unauthorized');
-            return;
-        }
+        // No auth gate — access control is upstream (reverse proxy / firewall).
         const clientId = `web-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
         const client = { ws, id: clientId, agent: options.defaultAgent };
         clients.set(clientId, client);
@@ -2366,8 +2222,7 @@ function serveStatic(res, filePath, contentType) {
     res.end(content);
 }
 /**
- * Serve HTML pages with security headers. Token is no longer injected —
- * the browser authenticates via httpOnly session cookie set at /login.
+ * Serve HTML pages with security headers.
  */
 function servePageHtml(res, filePath) {
     if (!existsSync(filePath)) {