agim-cli 1.0.8 → 1.0.10

package/dist/web/server.js

@@ -431,6 +431,19 @@ export async function startWebServer(options) {
         if (url.pathname === '/api/service/restart' && req.method === 'POST') {
             return handleServiceRestart(res);
         }
+        // Admin allowlist — list + add/remove via the Safety card. Locally
+        // gated: only allowed when bound to 127.0.0.1, since the page has
+        // no auth and we don't want random LAN visitors granting themselves
+        // admin. See `bindHost` upthread.
+        if (url.pathname === '/api/admin-allowlist' && req.method === 'GET') {
+            return handleAdminAllowlistGet(res);
+        }
+        if (url.pathname === '/api/admin-allowlist' && req.method === 'POST') {
+            return handleAdminAllowlistAdd(req, res, bindHost);
+        }
+        if (url.pathname === '/api/admin-allowlist' && req.method === 'DELETE') {
+            return handleAdminAllowlistRemove(req, res, bindHost);
+        }
         res.writeHead(404);
         res.end('Not found');
     });
@@ -1039,7 +1052,7 @@ async function handleServiceStop(res) {
     }, 200);
 }
 async function handleServiceRestart(res) {
-    const { detectService, PID_FILE, LOG_FILE } = await import('../cli-ui/service.js');
+    const { detectService } = await import('../cli-ui/service.js');
     const st = detectService();
     if (st.mode === 'systemd') {
         try {
@@ -1060,44 +1073,104 @@ async function handleServiceRestart(res) {
         sendJson(res, 409, { error: 'foreground service is running in another terminal; restart it manually (Ctrl-C + re-run)' });
         return;
     }
-    // background or 'none': spawn a detached node -e helper that waits
-    // for our PID to die, then starts a fresh daemon. Then SIGTERM self
-    // so the helper's wait-loop unblocks and the new daemon takes over.
-    const __dn = dirname(fileURLToPath(import.meta.url));
-    const cliJs = join(__dn, '..', 'cli.js');
-    const parentPid = process.pid;
-    const helperCode = 'const{spawn}=require("child_process");' +
-        'const fs=require("fs");' +
-        `const pid=${parentPid};` +
-        'let n=0;' +
-        'const t=setInterval(()=>{' +
-        '  try{process.kill(pid,0)}catch{' +
-        '    clearInterval(t);' +
-        `    const fd=fs.openSync(${JSON.stringify(LOG_FILE)},"a");` +
-        `    const c=spawn(${JSON.stringify(process.execPath)},[${JSON.stringify(cliJs)},"start"],{detached:true,stdio:["ignore",fd,fd],env:process.env});` +
-        '    c.unref();' +
-        `    fs.writeFileSync(${JSON.stringify(PID_FILE)},String(c.pid)+"\\n");` +
-        '    fs.closeSync(fd);' +
-        '    process.exit(0);' +
-        '  }' +
-        '  if(++n>150){clearInterval(t);process.exit(1)}' +
-        '},200);';
-    const { spawn: spawnChild } = await import('node:child_process');
-    const helper = spawnChild(process.execPath, ['-e', helperCode], {
-        detached: true,
-        stdio: 'ignore',
-        env: process.env,
-    });
-    helper.unref();
-    sendJson(res, 200, { ok: true, mode: st.mode, restarting: true });
-    setTimeout(() => {
-        try {
-            process.kill(process.pid, 'SIGTERM');
+    // background or 'none': delegate to the shared restart-flow. The flow
+    // runs pre-flight checks, writes restart-pending.json with source='web'
+    // (so the new daemon doesn't try to push an IM completion message —
+    // browser polling handles that), and spawns the detached helper.
+    const { initiateRestart } = await import('../core/restart-flow.js');
+    const result = await initiateRestart({ source: 'web' });
+    if (!result.ok) {
+        sendJson(res, 409, { error: result.message, details: result.errors });
+        return;
+    }
+    sendJson(res, 200, { ok: true, mode: st.mode, restarting: true, message: result.message });
+}
+// ============================================================
+// Admin allowlist endpoints (Safety card → Admin Users)
+// ============================================================
+//
+// All three are gated on the server's bindHost being a loopback address.
+// The web console has no auth, so we MUST not let a LAN visitor add
+// themselves as admin. When bindHost is 0.0.0.0 we hide the editor on
+// the frontend AND refuse here as a defense-in-depth.
+function isLocalBind(bindHost) {
+    return bindHost === '127.0.0.1' || bindHost === '::1' || bindHost === 'localhost';
+}
+async function handleAdminAllowlistGet(res) {
+    try {
+        const { listAdmins, isAllowlistConfigured } = await import('../core/admin-allowlist.js');
+        const { BOOTSTRAP_TOKEN_FILE } = await import('../core/admin-bootstrap.js');
+        const hasBootstrap = existsSync(BOOTSTRAP_TOKEN_FILE);
+        sendJson(res, 200, {
+            admins: listAdmins(),
+            configured: isAllowlistConfigured(),
+            bootstrapAvailable: hasBootstrap,
+            bootstrapTokenPath: BOOTSTRAP_TOKEN_FILE,
+        });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err instanceof Error ? err.message : String(err) });
+    }
+}
+async function handleAdminAllowlistAdd(req, res, bindHost) {
+    if (!isLocalBind(bindHost)) {
+        sendJson(res, 403, {
+            error: 'admin editor disabled when web is bound publicly (no auth on this endpoint).',
+        });
+        return;
+    }
+    try {
+        const body = await readBody(req, res);
+        const parsed = JSON.parse(body || '{}');
+        const platform = (parsed.platform || '').trim();
+        const userId = (parsed.userId || '').trim();
+        if (!platform || !userId) {
+            sendJson(res, 400, { error: 'platform and userId required' });
+            return;
         }
-        catch {
-            process.exit(0);
+        const { promoteAdmin, listAdmins } = await import('../core/admin-allowlist.js');
+        const added = await promoteAdmin(platform, userId);
+        sendJson(res, 200, { ok: true, added, admins: listAdmins() });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err instanceof Error ? err.message : String(err) });
+    }
+}
+async function handleAdminAllowlistRemove(req, res, bindHost) {
+    if (!isLocalBind(bindHost)) {
+        sendJson(res, 403, { error: 'admin editor disabled on public binds' });
+        return;
+    }
+    try {
+        const body = await readBody(req, res);
+        const parsed = JSON.parse(body || '{}');
+        const platform = (parsed.platform || '').trim().toLowerCase();
+        const userId = (parsed.userId || '').trim();
+        if (!platform || !userId) {
+            sendJson(res, 400, { error: 'platform and userId required' });
+            return;
         }
-    }, 300);
+        const { listAdmins } = await import('../core/admin-allowlist.js');
+        const remaining = listAdmins().filter((a) => !(a.platform === platform && a.userId === userId));
+        const newRaw = remaining.map((a) => `${a.platform}:${a.userId}`).join(',');
+        // Persist to env file. Note this nukes both runtime + env-derived
+        // entries — fine for the editor's use case (it round-trips through
+        // the full list).
+        const { updateEnvFile } = await import('../cli-ui/env-file.js');
+        updateEnvFile({ IMHUB_ADMIN_USERS: newRaw || null });
+        // Update process.env so getEntries() picks it up next call.
+        if (newRaw)
+            process.env.IMHUB_ADMIN_USERS = newRaw;
+        else
+            delete process.env.IMHUB_ADMIN_USERS;
+        // Reset the parse cache so the change is visible immediately.
+        const { _resetCache } = await import('../core/admin-allowlist.js');
+        _resetCache();
+        sendJson(res, 200, { ok: true, admins: remaining });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err instanceof Error ? err.message : String(err) });
+    }
 }
 /**
  * POST /api/notify  → push a message to an IM thread.