ai-cli-online 2.9.9 → 3.0.2

package/server/dist/middleware/auth.d.ts

@@ -0,0 +1,9 @@
+import type { Request, Response } from 'express';
+/** Extract Bearer token from Authorization header */
+export declare function extractToken(req: Request): string | undefined;
+/** Check auth — reads AUTH_TOKEN lazily from env (dotenv loads before route handlers run) */
+export declare function checkAuth(req: Request, res: Response): boolean;
+/** Resolve session: auth check + sessionId validation + build tmux session name */
+export declare function resolveSession(req: Request, res: Response): string | null;
+/** Hash token for settings storage (same prefix as tmux session names) */
+export declare function tokenHash(token: string): string;

package/server/dist/middleware/auth.js

@@ -0,0 +1,39 @@
+import { createHash } from 'crypto';
+import { safeTokenCompare } from '../auth.js';
+import { buildSessionName, isValidSessionId } from '../tmux.js';
+/** Extract Bearer token from Authorization header */
+export function extractToken(req) {
+    const authHeader = req.headers.authorization;
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+        return authHeader.slice(7);
+    }
+    return undefined;
+}
+/** Check auth — reads AUTH_TOKEN lazily from env (dotenv loads before route handlers run) */
+export function checkAuth(req, res) {
+    const authToken = process.env.AUTH_TOKEN || '';
+    if (!authToken)
+        return true;
+    const token = extractToken(req);
+    if (!token || !safeTokenCompare(token, authToken)) {
+        res.status(401).json({ error: 'Unauthorized' });
+        return false;
+    }
+    return true;
+}
+/** Resolve session: auth check + sessionId validation + build tmux session name */
+export function resolveSession(req, res) {
+    if (!checkAuth(req, res))
+        return null;
+    const sessionId = req.params.sessionId;
+    if (!isValidSessionId(sessionId)) {
+        res.status(400).json({ error: 'Invalid sessionId' });
+        return null;
+    }
+    const token = extractToken(req) || 'default';
+    return buildSessionName(token, sessionId);
+}
+/** Hash token for settings storage (same prefix as tmux session names) */
+export function tokenHash(token) {
+    return createHash('sha256').update(token).digest('hex').slice(0, 8);
+}

package/server/dist/routes/editor.d.ts

@@ -0,0 +1,2 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;

package/server/dist/routes/editor.js

@@ -0,0 +1,94 @@
+import { Router } from 'express';
+import { writeFile } from 'fs/promises';
+import { join, basename } from 'path';
+import { resolveSession } from '../middleware/auth.js';
+import { getCwd } from '../tmux.js';
+import { getDraft, saveDraft as saveDraftDb, getAnnotation, saveAnnotation } from '../db.js';
+import { validateNewPath } from '../files.js';
+const router = Router();
+// Get draft for a session
+router.get('/api/sessions/:sessionId/draft', (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    const content = getDraft(sessionName);
+    res.json({ content });
+});
+// Save (upsert) draft for a session
+router.put('/api/sessions/:sessionId/draft', (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    const { content } = req.body;
+    if (typeof content !== 'string') {
+        res.status(400).json({ error: 'content must be a string' });
+        return;
+    }
+    saveDraftDb(sessionName, content);
+    res.json({ ok: true });
+});
+// Get annotation for a file
+router.get('/api/sessions/:sessionId/annotations', (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    const filePath = req.query.path;
+    if (!filePath) {
+        res.status(400).json({ error: 'path query parameter required' });
+        return;
+    }
+    const result = getAnnotation(sessionName, filePath);
+    res.json(result || { content: null, updatedAt: 0 });
+});
+// Save (upsert) annotation for a file
+router.put('/api/sessions/:sessionId/annotations', (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    const { path: filePath, content, updatedAt } = req.body;
+    if (!filePath || typeof filePath !== 'string') {
+        res.status(400).json({ error: 'path must be a string' });
+        return;
+    }
+    if (typeof content !== 'string') {
+        res.status(400).json({ error: 'content must be a string' });
+        return;
+    }
+    saveAnnotation(sessionName, filePath, content, updatedAt || Date.now());
+    res.json({ ok: true });
+});
+// Write .tmp-annotations.json for ai-cli-task plan
+router.post('/api/sessions/:sessionId/task-annotations', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const { modulePath, content } = req.body;
+        if (!modulePath || typeof modulePath !== 'string') {
+            res.status(400).json({ error: 'modulePath must be a string' });
+            return;
+        }
+        if (!content || typeof content !== 'object') {
+            res.status(400).json({ error: 'content must be an object' });
+            return;
+        }
+        const cwd = await getCwd(sessionName);
+        const targetFile = join(modulePath, '.tmp-annotations.json');
+        const resolved = await validateNewPath(targetFile, cwd);
+        if (!resolved) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        if (basename(resolved) !== '.tmp-annotations.json') {
+            res.status(400).json({ error: 'Only .tmp-annotations.json is allowed' });
+            return;
+        }
+        await writeFile(resolved, JSON.stringify(content, null, 2), 'utf-8');
+        res.json({ ok: true, path: resolved });
+    }
+    catch (err) {
+        console.error(`[api:task-annotations] ${sessionName}:`, err);
+        res.status(500).json({ error: 'Failed to write annotation file' });
+    }
+});
+export default router;

package/server/dist/routes/files.d.ts

@@ -0,0 +1,2 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;

package/server/dist/routes/files.js

@@ -0,0 +1,312 @@
+import { Router } from 'express';
+import multer from 'multer';
+import { createReadStream, mkdirSync } from 'fs';
+import { copyFile, unlink, stat, mkdir, readFile, writeFile, rm } from 'fs/promises';
+import { join, dirname, basename, extname } from 'path';
+import { spawn } from 'child_process';
+import { resolveSession } from '../middleware/auth.js';
+import { getCwd } from '../tmux.js';
+import { listFiles, validatePath, validatePathNoSymlink, validateNewPath, MAX_DOWNLOAD_SIZE, MAX_UPLOAD_SIZE } from '../files.js';
+const router = Router();
+// Multer setup for file uploads
+const UPLOAD_TMP_DIR = '/tmp/ai-cli-online-uploads';
+mkdirSync(UPLOAD_TMP_DIR, { recursive: true, mode: 0o700 });
+const upload = multer({
+    dest: UPLOAD_TMP_DIR,
+    limits: { fileSize: MAX_UPLOAD_SIZE, files: 10 },
+});
+// List files in directory
+router.get('/api/sessions/:sessionId/files', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const cwd = await getCwd(sessionName);
+        const subPath = req.query.path || '';
+        let targetDir = null;
+        if (subPath) {
+            targetDir = await validatePath(subPath, cwd);
+            if (!targetDir) {
+                const home = process.env.HOME || '/root';
+                targetDir = await validatePath(subPath, home);
+            }
+        }
+        else {
+            targetDir = cwd;
+        }
+        if (!targetDir) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        const { files, truncated } = await listFiles(targetDir);
+        res.json({ cwd: targetDir, home: process.env.HOME || '/root', files, truncated });
+    }
+    catch (err) {
+        console.error(`[api:files] ${sessionName}:`, err);
+        res.status(404).json({ error: 'Session not found or directory not accessible' });
+    }
+});
+// Upload files to CWD
+router.post('/api/sessions/:sessionId/upload', upload.array('files', 10), async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const cwd = await getCwd(sessionName);
+        const uploadedFiles = req.files;
+        if (!uploadedFiles || uploadedFiles.length === 0) {
+            res.status(400).json({ error: 'No files provided' });
+            return;
+        }
+        const results = [];
+        for (const file of uploadedFiles) {
+            const safeName = basename(file.originalname);
+            if (!safeName || safeName === '.' || safeName === '..') {
+                await unlink(file.path).catch(() => { });
+                continue;
+            }
+            const destPath = join(cwd, safeName);
+            await copyFile(file.path, destPath);
+            await unlink(file.path).catch(() => { });
+            results.push({ name: safeName, size: file.size });
+        }
+        res.json({ uploaded: results });
+    }
+    catch (err) {
+        console.error('[upload] Failed:', err);
+        const files = req.files;
+        if (files) {
+            for (const f of files) {
+                await unlink(f.path).catch(() => { });
+            }
+        }
+        res.status(500).json({ error: 'Upload failed' });
+    }
+});
+// Download a file
+router.get('/api/sessions/:sessionId/download', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const cwd = await getCwd(sessionName);
+        const filePath = req.query.path;
+        if (!filePath) {
+            res.status(400).json({ error: 'path query parameter required' });
+            return;
+        }
+        const resolved = await validatePathNoSymlink(filePath, cwd);
+        if (!resolved) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        const fileStat = await stat(resolved);
+        if (!fileStat.isFile()) {
+            res.status(400).json({ error: 'Not a file' });
+            return;
+        }
+        if (fileStat.size > MAX_DOWNLOAD_SIZE) {
+            res.status(413).json({ error: 'File too large (max 100MB)' });
+            return;
+        }
+        res.setHeader('Content-Disposition', `attachment; filename="${encodeURIComponent(basename(resolved))}"`);
+        res.setHeader('Content-Length', fileStat.size);
+        const stream = createReadStream(resolved);
+        let bytesWritten = 0;
+        stream.on('data', (chunk) => {
+            const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
+            bytesWritten += buf.length;
+            if (bytesWritten > MAX_DOWNLOAD_SIZE) {
+                stream.destroy();
+                if (!res.writableEnded)
+                    res.end();
+                return;
+            }
+            if (!res.writableEnded)
+                res.write(chunk);
+        });
+        stream.on('end', () => { if (!res.writableEnded)
+            res.end(); });
+        stream.on('error', () => { if (!res.writableEnded)
+            res.end(); });
+    }
+    catch (err) {
+        console.error(`[api:download] ${sessionName}:`, err);
+        res.status(404).json({ error: 'File not found' });
+    }
+});
+// Download CWD as tar.gz
+router.get('/api/sessions/:sessionId/download-cwd', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const cwd = await getCwd(sessionName);
+        if (!cwd.startsWith('/') || cwd.includes('\0')) {
+            res.status(400).json({ error: 'Invalid working directory' });
+            return;
+        }
+        const dirName = basename(cwd);
+        res.setHeader('Content-Type', 'application/gzip');
+        res.setHeader('Content-Disposition', `attachment; filename="${encodeURIComponent(dirName)}.tar.gz"`);
+        const tar = spawn('tar', ['czf', '-', '-C', cwd, '.'], { stdio: ['ignore', 'pipe', 'pipe'] });
+        tar.stdout.pipe(res);
+        tar.stderr.on('data', (data) => console.error(`[tar stderr] ${data}`));
+        tar.on('error', (err) => {
+            console.error('[api:download-cwd] tar error:', err);
+            if (!res.headersSent)
+                res.status(500).json({ error: 'Failed to create archive' });
+        });
+        tar.on('close', (code) => {
+            if (code !== 0 && !res.headersSent) {
+                res.status(500).json({ error: 'Archive creation failed' });
+            }
+        });
+    }
+    catch (err) {
+        console.error(`[api:download-cwd] ${sessionName}:`, err);
+        if (!res.headersSent)
+            res.status(500).json({ error: 'Failed to download' });
+    }
+});
+// Create empty file
+router.post('/api/sessions/:sessionId/touch', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const { name } = req.body;
+        if (!name || typeof name !== 'string' || name.includes('..')) {
+            res.status(400).json({ error: 'Invalid filename' });
+            return;
+        }
+        const cwd = await getCwd(sessionName);
+        const resolved = await validateNewPath(join(cwd, name), cwd);
+        if (!resolved) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        await mkdir(dirname(resolved), { recursive: true });
+        await writeFile(resolved, '', { flag: 'wx' });
+        res.json({ ok: true, path: resolved });
+    }
+    catch (err) {
+        if (err && typeof err === 'object' && 'code' in err && err.code === 'EEXIST') {
+            const cwd = await getCwd(sessionName).catch(() => '');
+            res.json({ ok: true, existed: true, path: cwd ? join(cwd, String(req.body.name)) : '' });
+        }
+        else {
+            console.error(`[api:touch] ${sessionName}:`, err);
+            res.status(500).json({ error: 'Failed to create file' });
+        }
+    }
+});
+// Create directory
+router.post('/api/sessions/:sessionId/mkdir', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const { path: dirPath } = req.body;
+        if (!dirPath || typeof dirPath !== 'string' || dirPath.includes('..')) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        const cwd = await getCwd(sessionName);
+        const resolved = await validateNewPath(join(cwd, dirPath), cwd);
+        if (!resolved) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        await mkdir(resolved, { recursive: true });
+        res.json({ ok: true, path: resolved });
+    }
+    catch (err) {
+        console.error(`[api:mkdir] ${sessionName}:`, err);
+        res.status(500).json({ error: 'Failed to create directory' });
+    }
+});
+// Delete file or directory
+router.delete('/api/sessions/:sessionId/rm', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const { path: rmPath } = req.body;
+        if (!rmPath || typeof rmPath !== 'string' || rmPath.includes('..')) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        const cwd = await getCwd(sessionName);
+        const resolved = await validatePath(rmPath, cwd);
+        if (!resolved) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        const fileStat = await stat(resolved);
+        if (fileStat.isDirectory()) {
+            await rm(resolved, { recursive: true });
+        }
+        else {
+            await unlink(resolved);
+        }
+        res.json({ ok: true });
+    }
+    catch (err) {
+        console.error(`[api:rm] ${sessionName}:`, err);
+        res.status(500).json({ error: 'Failed to delete' });
+    }
+});
+// Read file content (for document viewer)
+const MAX_DOC_SIZE = 10 * 1024 * 1024; // 10MB
+const PDF_EXTENSIONS = new Set(['.pdf']);
+router.get('/api/sessions/:sessionId/file-content', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    const filePath = req.query.path;
+    if (!filePath) {
+        res.status(400).json({ error: 'path query parameter required' });
+        return;
+    }
+    try {
+        const cwd = await getCwd(sessionName);
+        let resolved = await validatePathNoSymlink(filePath, cwd);
+        if (!resolved) {
+            const home = process.env.HOME || '/root';
+            resolved = await validatePathNoSymlink(filePath, home);
+        }
+        if (!resolved) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        const fileStat = await stat(resolved);
+        if (!fileStat.isFile()) {
+            res.status(400).json({ error: 'Not a file' });
+            return;
+        }
+        if (fileStat.size > MAX_DOC_SIZE) {
+            res.status(413).json({ error: 'File too large (max 10MB)' });
+            return;
+        }
+        const since = parseFloat(req.query.since) || 0;
+        if (since > 0 && fileStat.mtimeMs <= since) {
+            res.status(304).end();
+            return;
+        }
+        const ext = extname(resolved).toLowerCase();
+        const isPdf = PDF_EXTENSIONS.has(ext);
+        const content = await readFile(resolved, isPdf ? undefined : 'utf-8');
+        res.json({
+            content: isPdf ? content.toString('base64') : content,
+            mtime: fileStat.mtimeMs,
+            size: fileStat.size,
+            encoding: isPdf ? 'base64' : 'utf-8',
+        });
+    }
+    catch (err) {
+        console.error(`[api:file-content] ${sessionName}:`, err);
+        res.status(404).json({ error: 'File not found' });
+    }
+});
+export default router;

package/server/dist/routes/sessions.d.ts

@@ -0,0 +1,2 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;

package/server/dist/routes/sessions.js

@@ -0,0 +1,64 @@
+import { Router } from 'express';
+import { extractToken, checkAuth, resolveSession } from '../middleware/auth.js';
+import { listSessions, killSession, buildSessionName, getCwd, getPaneCommand } from '../tmux.js';
+import { getActiveSessionNames } from '../websocket.js';
+import { deleteDraft } from '../db.js';
+const router = Router();
+// List sessions for a token
+router.get('/api/sessions', async (req, res) => {
+    if (!checkAuth(req, res))
+        return;
+    const token = extractToken(req) || 'default';
+    const sessions = await listSessions(token);
+    const activeNames = getActiveSessionNames();
+    const result = sessions.map((s) => ({
+        sessionId: s.sessionId,
+        sessionName: s.sessionName,
+        createdAt: s.createdAt,
+        active: activeNames.has(s.sessionName),
+    }));
+    res.json(result);
+});
+// Kill a specific session
+router.delete('/api/sessions/:sessionId', async (req, res) => {
+    if (!checkAuth(req, res))
+        return;
+    const { sessionId } = req.params;
+    if (!/^[\w-]+$/.test(sessionId)) {
+        res.status(400).json({ error: 'Invalid sessionId' });
+        return;
+    }
+    const token = extractToken(req) || 'default';
+    const sessionName = buildSessionName(token, sessionId);
+    await killSession(sessionName);
+    deleteDraft(sessionName);
+    res.json({ ok: true });
+});
+// Get current working directory
+router.get('/api/sessions/:sessionId/cwd', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const cwd = await getCwd(sessionName);
+        res.json({ cwd });
+    }
+    catch (err) {
+        console.error(`[api:cwd] ${sessionName}:`, err);
+        res.status(404).json({ error: 'Session not found or not running' });
+    }
+});
+// Get current pane command (to detect if claude is running)
+router.get('/api/sessions/:sessionId/pane-command', async (req, res) => {
+    const sessionName = resolveSession(req, res);
+    if (!sessionName)
+        return;
+    try {
+        const command = await getPaneCommand(sessionName);
+        res.json({ command });
+    }
+    catch {
+        res.json({ command: '' });
+    }
+});
+export default router;

package/server/dist/routes/settings.d.ts

@@ -0,0 +1,2 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;

package/server/dist/routes/settings.js

@@ -0,0 +1,72 @@
+import { Router } from 'express';
+import { checkAuth, extractToken, tokenHash } from '../middleware/auth.js';
+import { getSetting, saveSetting } from '../db.js';
+import { safeTokenCompare } from '../auth.js';
+const router = Router();
+// Get font size
+router.get('/api/settings/font-size', (req, res) => {
+    if (!checkAuth(req, res))
+        return;
+    const token = extractToken(req) || 'default';
+    const value = getSetting(tokenHash(token), 'font-size');
+    const fontSize = value !== null ? parseInt(value, 10) : 14;
+    res.json({ fontSize: isNaN(fontSize) ? 14 : fontSize });
+});
+// Save font size
+router.put('/api/settings/font-size', (req, res) => {
+    if (!checkAuth(req, res))
+        return;
+    const token = extractToken(req) || 'default';
+    const { fontSize } = req.body;
+    if (typeof fontSize !== 'number' || fontSize < 10 || fontSize > 24) {
+        res.status(400).json({ error: 'fontSize must be a number between 10 and 24' });
+        return;
+    }
+    saveSetting(tokenHash(token), 'font-size', String(fontSize));
+    res.json({ ok: true });
+});
+// Get tabs layout
+router.get('/api/settings/tabs-layout', (req, res) => {
+    if (!checkAuth(req, res))
+        return;
+    const token = extractToken(req) || 'default';
+    const value = getSetting(tokenHash(token), 'tabs-layout');
+    let layout = null;
+    if (value) {
+        try {
+            layout = JSON.parse(value);
+        }
+        catch { /* corrupt data */ }
+    }
+    res.json({ layout });
+});
+// Save tabs layout (supports both Authorization header and body token for sendBeacon)
+router.put('/api/settings/tabs-layout', (req, res) => {
+    const { layout, token: bodyToken } = req.body;
+    const authToken = process.env.AUTH_TOKEN || '';
+    let token;
+    if (authToken) {
+        token = extractToken(req);
+        if (!token && bodyToken) {
+            if (!safeTokenCompare(bodyToken, authToken)) {
+                res.status(401).json({ error: 'Unauthorized' });
+                return;
+            }
+            token = bodyToken;
+        }
+        if (!token) {
+            res.status(401).json({ error: 'Unauthorized' });
+            return;
+        }
+    }
+    else {
+        token = extractToken(req) || bodyToken || 'default';
+    }
+    if (!layout || typeof layout !== 'object') {
+        res.status(400).json({ error: 'layout must be an object' });
+        return;
+    }
+    saveSetting(tokenHash(token), 'tabs-layout', JSON.stringify(layout));
+    res.json({ ok: true });
+});
+export default router;

package/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-cli-online-server",
-  "version": "2.9.9",
+  "version": "3.0.2",
   "description": "CLI-Online Backend Server",
   "main": "dist/index.js",
   "type": "module",

package/shared/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-cli-online-shared",
-  "version": "2.9.9",
+  "version": "3.0.2",
   "description": "Shared types for CLI-Online",
   "type": "module",
   "main": "dist/types.js",