bloby-bot 0.53.9 → 0.54.10

package/supervisor/index.ts

@@ -11,7 +11,7 @@ import { log } from '../shared/logger.js';
 import { startTunnel, stopTunnel, isTunnelAlive, restartTunnel, startNamedTunnel, restartNamedTunnel } from './tunnel.js';
 import { createWorkerApp } from '../worker/index.js';
 import { closeDb, getSession, getSetting } from '../worker/db.js';
-import { spawnBackend, stopBackend, restartBackend, getBackendPort, isBackendAlive, isBackendStopping, isBackendDead, readBackendLogTail, setBackendEnv } from './backend.js';
+import { spawnBackend, stopBackend, restartBackend, getBackendPort, isBackendAlive, isBackendStopping, isBackendDead, readBackendLogTail, setBackendEnv, setBackendGiveUpHandler } from './backend.js';
 import { handleAgentQuery, type AgentQueryRequest } from './agent-api.js';
 import { updateTunnelUrl, startHeartbeat, stopHeartbeat, disconnect } from '../shared/relay.js';
 import {
@@ -406,10 +406,21 @@ export async function startSupervisor() {
   // The request handler is set up later via server.on('request')
   const server = http.createServer();
 
-  // Start Vite dev server — pass supervisor server so Vite attaches HMR WebSocket directly
+  // Start Vite dev server — pass supervisor server so Vite attaches HMR WebSocket directly.
+  // A Vite boot failure must NOT take down the supervisor (G1): chat is served independently and
+  // is the lifeline the user needs to ask the agent to fix things. On failure we fall back to a
+  // sentinel port — the dashboard proxy then serves the branded "Reconnecting" page (which polls
+  // and carries the chat widget) while chat, the worker API, channels, and the tunnel all still
+  // come up. Previously this throw reached the top-level catch → process.exit before chat listened.
   console.log('[supervisor] Starting Vite dev server...');
-  const vitePorts = await startViteDevServers(config.port, server);
-  console.log(`[supervisor] Vite ready — dashboard :${vitePorts.dashboard}`);
+  let vitePorts: { dashboard: number };
+  try {
+    vitePorts = await startViteDevServers(config.port, server);
+    console.log(`[supervisor] Vite ready — dashboard :${vitePorts.dashboard}`);
+  } catch (err) {
+    log.error(`Vite dev server failed to start — dashboard degraded, chat still available: ${err instanceof Error ? err.message : err}`);
+    vitePorts = { dashboard: -1 }; // sentinel → dashboard proxy serves RECOVERING_HTML
+  }
   console.log(`[supervisor] Upgrade listeners on server: ${server.listenerCount('upgrade')}`);
 
   // Ensure file storage dirs exist
@@ -504,36 +515,31 @@ export async function startSupervisor() {
     }
   }
 
-  const AUTH_EXEMPT_ROUTES = [
-    'POST /api/portal/login',
-    'GET /api/portal/login',
-    'POST /api/portal/validate-token',
-    'GET /api/portal/validate-token',
-    'GET /api/onboard/status',
+  // SECURITY MODEL — public allowlist (secure by default). When a portal password is set, EVERY
+  // /api/* route requires a valid Bearer token EXCEPT the ones listed here (the pre-login surface:
+  // login/onboarding/health/non-secret config). A new /api route is therefore GATED by default —
+  // it can only leak if someone explicitly adds it here. (Previously the gate skipped ALL GET/HEAD,
+  // so every data read — conversations, context, wallet, devices — was readable with no token.)
+  // Note: /api/agent/* (agent secret) and /api/channels/* are intercepted + returned BEFORE this
+  // gate, so they're unaffected; the channel entries below are belt-and-suspenders.
+  const PUBLIC_PRELOGIN_ROUTES = [
     'GET /api/health',
-    // NOTE: 'POST /api/onboard' is intentionally NOT blanket-exempt. It is gated in the
-    // request handler below: open on genuine first run (no portal_pass yet), token-required
-    // afterward. Re-onboard from the dashboard uses the internal x-internal WS path.
+    'GET /api/onboard/status',
+    'GET /api/settings',                 // secrets already stripped (worker denylist); widget + onboard read flags pre-login
     'GET /api/push/vapid-public-key',
-    'GET /api/push/status',
-    'POST /api/auth/claude/start',
-    'POST /api/auth/claude/exchange',
-    'GET /api/auth/claude/status',
-    'POST /api/auth/codex/start',
-    'POST /api/auth/codex/cancel',
-    'GET /api/auth/codex/status',
-    'GET /api/auth/pi/providers',
-    'GET /api/auth/pi/status',
-    'POST /api/auth/pi/test',
-    'POST /api/auth/pi/save',
-    'DELETE /api/auth/pi',
-    'POST /api/auth/pi/completion',
-    'POST /api/portal/totp/setup',
-    'POST /api/portal/totp/verify-setup',
-    'POST /api/portal/totp/disable',
-    'GET /api/portal/totp/status',
+    'GET /api/portal/login',
+    'POST /api/portal/login',
+    'GET /api/portal/validate-token',
+    'POST /api/portal/validate-token',
     'GET /api/portal/login/totp',
-    'POST /api/portal/devices/revoke',
+    'GET /api/portal/totp/status',
+    'POST /api/portal/totp/setup',        // self-protected in-handler (Bearer OR password OR first-run)
+    'POST /api/portal/totp/verify-setup', // self-protected in-handler
+    'POST /api/portal/totp/disable',      // self-protected (requires password + valid code)
+    'POST /api/portal/verify-password',   // verifies the password itself — cannot require a token
+    // NOTE: 'POST /api/onboard' is NOT public — gated below: open only on genuine first run
+    // (no portal_pass yet), token-required afterward. Dashboard re-onboard uses the x-internal WS path.
+    // Channel onboarding (also intercepted earlier; kept for completeness/safety):
     'GET /api/channels/status',
     'GET /api/channels/whatsapp/qr',
     'GET /api/channels/whatsapp/qr-page',
@@ -546,12 +552,23 @@ export async function startSupervisor() {
     'POST /api/channels/send',
     'POST /api/channels/alexa/handle',
   ];
+  // Method-specific public PREFIXES — onboarding namespaces with sub-paths / params that carry no
+  // private chat data: provider OAuth setup/status (all of /api/auth/*), and handle availability
+  // (GET /api/handle/* only — handle register/change are POSTs and stay gated).
+  const PUBLIC_PRELOGIN_PREFIXES = [
+    'POST /api/auth/',
+    'GET /api/auth/',
+    'DELETE /api/auth/',
+    'GET /api/handle/',
+  ];
 
-  function isExemptRoute(method: string, url: string): boolean {
+  function isPublicRoute(method: string, url: string): boolean {
+    const m = method === 'HEAD' ? 'GET' : method; // a HEAD to a public GET route is public
     const path = url.split('?')[0];
-    return AUTH_EXEMPT_ROUTES.some((r) => {
-      const [m, p] = r.split(' ');
-      return method === m && path === p;
+    if (PUBLIC_PRELOGIN_ROUTES.includes(`${m} ${path}`)) return true;
+    return PUBLIC_PRELOGIN_PREFIXES.some((r) => {
+      const sp = r.indexOf(' ');
+      return m === r.slice(0, sp) && path.startsWith(r.slice(sp + 1));
     });
   }
 
@@ -645,6 +662,32 @@ export async function startSupervisor() {
       res.setHeader('Content-Type', 'application/json');
       res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
 
+      // ── Loopback-only guard for channel MUTATION endpoints ──
+      // These are only ever called by the local agent over loopback (curl localhost:7400),
+      // never legitimately from the public Cloudflare tunnel. Without this, an unauthenticated
+      // remote request could set mode/admins or flip allowOthersToTrigger and seize the agent
+      // (it can run Bash/edit files). Same guard the Agent API uses: cloudflared forwards over
+      // loopback so the IP check alone is a no-op behind the relay — we also reject any request
+      // carrying cloudflared's cf-connecting-ip/cf-ray (tunnel-origin) headers. Reads (status,
+      // qr, qr-page) and alexa/handle (relay-origin, secret-gated) deliberately stay public.
+      const WA_MUTATION_ROUTES = new Set([
+        'POST /api/channels/whatsapp/configure',
+        'POST /api/channels/whatsapp/connect',
+        'POST /api/channels/whatsapp/disconnect',
+        'POST /api/channels/whatsapp/logout',
+        'POST /api/channels/whatsapp/pairing-code',
+        'POST /api/channels/send',
+      ]);
+      if (WA_MUTATION_ROUTES.has(`${req.method} ${channelPath}`)) {
+        const remoteIp = req.socket.remoteAddress || '';
+        const isLoopback = remoteIp === '127.0.0.1' || remoteIp === '::1' || remoteIp === '::ffff:127.0.0.1';
+        if (!isLoopback || req.headers['cf-connecting-ip'] || req.headers['cf-ray']) {
+          res.writeHead(403);
+          res.end(JSON.stringify({ ok: false, error: 'This channel endpoint is localhost-only.' }));
+          return;
+        }
+      }
+
       // GET /api/channels/status — all channel statuses
       if (req.method === 'GET' && channelPath === '/api/channels/status') {
         res.writeHead(200);
@@ -935,6 +978,7 @@ ${!connected ? `<script>
             if (data.admins !== undefined) cfg.channels.whatsapp.admins = data.admins;
             if (data.skill !== undefined) cfg.channels.whatsapp.skill = data.skill;
             if (data.allowGroups !== undefined) cfg.channels.whatsapp.allowGroups = !!data.allowGroups;
+            if (data.allowOthersToTrigger !== undefined) cfg.channels.whatsapp.allowOthersToTrigger = !!data.allowOthersToTrigger;
             saveConfig(cfg);
             res.writeHead(200);
             res.end(JSON.stringify({ ok: true, config: cfg.channels.whatsapp }));
@@ -1310,11 +1354,31 @@ mint();
       return;
     }
 
-    // POST /api/env — write env vars to workspace .env (used by chat EnvForm)
+    // POST /api/env — write env vars to workspace .env (used by chat EnvForm).
     if (req.method === 'POST' && req.url === '/api/env') {
+      // This route is intercepted before the /api worker gate, so gate it here: writing the
+      // workspace .env (which the backend loads) is a privileged action — require the portal token
+      // when a password is set. Internal supervisor calls (x-internal) bypass. The chat EnvForm
+      // sends the token via authFetch.
+      if (req.headers['x-internal'] !== internalSecret && await isAuthRequired()) {
+        const authHeader = req.headers['authorization'];
+        const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null;
+        if (!token || !(await validateToken(token))) {
+          res.writeHead(401, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Unauthorized' }));
+          return;
+        }
+      }
       let body = '';
-      req.on('data', (chunk: Buffer) => { body += chunk.toString(); });
+      let bodyBytes = 0;
+      let tooLarge = false;
+      req.on('data', (chunk: Buffer) => {
+        bodyBytes += chunk.length;
+        if (bodyBytes > 1_000_000) { tooLarge = true; req.destroy(); return; } // .env is tiny; 1MB is generous
+        body += chunk.toString();
+      });
       req.on('end', () => {
+        if (tooLarge) return;
         try {
           const { vars } = JSON.parse(body) as { vars: Record<string, string> };
           if (!vars || typeof vars !== 'object') {
@@ -1331,7 +1395,20 @@ mint();
 
           for (const [rawKey, rawValue] of Object.entries(vars)) {
             const key = rawKey.trim();
+            // Validate the key as a real env var name; reject anything that could inject extra
+            // lines or break .env parsing.
+            if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+              res.writeHead(400, { 'Content-Type': 'application/json' });
+              res.end(JSON.stringify({ error: `Invalid env var name: ${rawKey}` }));
+              return;
+            }
             const value = typeof rawValue === 'string' ? rawValue.trim() : rawValue;
+            // Reject embedded newlines/CR in the value — they'd inject arbitrary extra .env lines.
+            if (typeof value === 'string' && /[\r\n]/.test(value)) {
+              res.writeHead(400, { 'Content-Type': 'application/json' });
+              res.end(JSON.stringify({ error: `Invalid value for ${key}: must not contain newlines` }));
+              return;
+            }
             // Find existing line for this key (supports KEY=val, KEY="val", KEY='val')
             const idx = lines.findIndex((l) => {
               const trimmed = l.trim();
@@ -1363,20 +1440,29 @@ mint();
     if (req.url?.startsWith('/api/agent/')) {
       const agentPath = req.url.split('?')[0];
 
-      // Localhost-only guard
+      // Localhost-only guard. NOTE: cloudflared connects over loopback, so a tunneled request also
+      // arrives as 127.0.0.1 — this IP check alone is a no-op behind the relay. We additionally
+      // reject any request carrying cloudflared's cf-connecting-ip header (tunnel-origin traffic);
+      // the real defense is the 256-bit agent secret below. The Agent API is only ever called by
+      // the local workspace backend (loopback), never legitimately from the public tunnel.
       const remoteIp = req.socket.remoteAddress || '';
-      if (remoteIp !== '127.0.0.1' && remoteIp !== '::1' && remoteIp !== '::ffff:127.0.0.1') {
+      const isLoopback = remoteIp === '127.0.0.1' || remoteIp === '::1' || remoteIp === '::ffff:127.0.0.1';
+      if (!isLoopback || req.headers['cf-connecting-ip'] || req.headers['cf-ray']) {
         res.setHeader('Content-Type', 'application/json');
         res.writeHead(403);
         res.end(JSON.stringify({ ok: false, error: 'Agent API is localhost-only.' }));
         return;
       }
 
-      // Auth: x-agent-secret header (query param fallback for EventSource which cannot set headers)
+      // Auth: x-agent-secret header (query param fallback for EventSource which cannot set headers).
+      // Constant-time compare (length-guarded) so the secret can't be recovered via timing.
       const urlObj = new URL(req.url, `http://${req.headers.host}`);
       const headerSecret = req.headers['x-agent-secret'];
       const querySecret = urlObj.searchParams.get('secret');
-      if (headerSecret !== agentSecret && querySecret !== agentSecret) {
+      const presented = typeof headerSecret === 'string' ? headerSecret : (querySecret || '');
+      const secretOk = presented.length === agentSecret.length &&
+        crypto.timingSafeEqual(Buffer.from(presented), Buffer.from(agentSecret));
+      if (!secretOk) {
         res.setHeader('Content-Type', 'application/json');
         res.writeHead(401);
         res.end(JSON.stringify({ ok: false, error: 'Invalid or missing x-agent-secret.' }));
@@ -1728,9 +1814,11 @@ mint();
       const isInternal = req.headers['x-internal'] === internalSecret;
 
       if (!isInternal) {
-        // Auth check for mutation routes (POST/PUT/DELETE) — GET/HEAD are read-only, skip auth
+        // Require a token for EVERY /api route except the public pre-login allowlist. This now
+        // covers GET data reads (conversations, context, wallet, devices, push status) that
+        // previously skipped auth and leaked over the public relay.
         const method = req.method || 'GET';
-        if (method !== 'GET' && method !== 'HEAD' && !isExemptRoute(method, req.url || '')) {
+        if (!isPublicRoute(method, req.url || '')) {
           // POST /api/onboard is open only on genuine first run (no portal_pass yet). Read the
           // setting DIRECTLY rather than the 30s-cached isAuthRequired() so the gate closes the
           // instant onboarding sets a password — no stale-cache window for a takeover. The
@@ -1848,6 +1936,14 @@ mint();
       return;
     }
 
+    // Vite failed to boot (sentinel port) → serve the recovering page directly instead of
+    // proxying to a dead port. Chat (/bloby/*) is served earlier, so the lifeline stays up.
+    if (vitePorts.dashboard < 0) {
+      res.writeHead(503, { 'Content-Type': 'text/html', 'Cache-Control': 'no-store, no-cache, must-revalidate' });
+      res.end(RECOVERING_HTML);
+      return;
+    }
+
     // Everything else → proxy to dashboard Vite dev server
     console.log(`[supervisor] → dashboard Vite :${vitePorts.dashboard} | ${req.method} ${(req.url || '').split('?')[0]}`);
     const GUARD_TAG = '<script defer src="/bloby/workspace-guard.js"></script>';
@@ -1902,6 +1998,11 @@ mint();
     // An 'error' event with no listener is rethrown by Node as an uncaught exception,
     // which would crash the whole supervisor. ws still tears down + fires 'close'.
     ws.on('error', (err: any) => console.warn(`[app-ws] socket error: ${err?.message || err}`));
+    // Liveness: a half-open socket (mobile/Wi-Fi drop behind the tunnel) never fires 'close', so
+    // its chat subscription + maps would leak and broadcastBloby would keep writing to it. The
+    // heartbeat below pings; a peer that misses a pong is terminated (which fires 'close' → cleanup).
+    (ws as any).isAlive = true;
+    ws.on('pong', () => { (ws as any).isAlive = true; });
 
     // Per-WS chat subscription: when the client opts in, this WS joins chatSubscribers
     // and receives every bot:* / chat:* event the dashboard widget does. SSE through the
@@ -2176,6 +2277,8 @@ mint();
     // See appWss above: a listener-less 'error' event would crash the supervisor and kill
     // chat for everyone (G1). ws still fires 'close' afterward, so map cleanup still runs.
     ws.on('error', (err: any) => log.warn(`[bloby-ws] socket error: ${err?.message || err}`));
+    (ws as any).isAlive = true;
+    ws.on('pong', () => { (ws as any).isAlive = true; });
     let convId = Math.random().toString(36).slice(2) + Date.now().toString(36);
     conversations.set(ws, []);
 
@@ -2703,6 +2806,12 @@ mint();
     }
   }
 
+  // Tell the live chat when the backend gives up — the dashboard interstitial covers page loads,
+  // but an already-open chat client gets an explicit event it can surface ("ask me to fix the backend").
+  setBackendGiveUpHandler(() => {
+    broadcastBloby('backend:failed', { message: 'The workspace backend crashed and could not restart. Ask Bloby to fix it.' });
+  });
+
   // Spawn backend (worker runs in-process)
   spawnBackend(backendPort);
 
@@ -2788,14 +2897,36 @@ mint();
     }, 1000);
   }
 
-  // Watch backend/ for code changes
-  const backendWatcher = fs.watch(backendDir, { recursive: true }, (_event, filename) => {
-    if (!filename || !filename.match(/\.(ts|js|json)$/)) return;
-    scheduleBackendRestart(`Backend file changed: ${filename}`);
-  });
+  // Self-healing file watchers. Two failure modes the audit flagged, both of which would hurt G3
+  // (auto-heal) or G1 (chat): (a) fs.watch throws synchronously if its target is missing — at boot
+  // that reached the top-level catch → process.exit before chat listened; (b) a watcher 'error'
+  // event (EMFILE under load, the watched inode removed during a workspace swap) has no listener,
+  // so it crashes the supervisor AND leaves a silently-dead watcher (auto-heal stops with no
+  // signal). Fix: ensure the dir exists, attach an 'error' listener, and re-arm with backoff.
+  let backendWatcher: fs.FSWatcher | null = null;
+  let workspaceWatcher: fs.FSWatcher | null = null;
 
-  // Watch workspace root for .env, dependency, and .restart/.update changes
-  const workspaceWatcher = fs.watch(workspaceDir, (_event, filename) => {
+  function armBackendWatcher() {
+    try {
+      fs.mkdirSync(backendDir, { recursive: true }); // fs.watch throws if the target is missing
+      const w = fs.watch(backendDir, { recursive: true }, (_event, filename) => {
+        if (!filename || !filename.toString().match(/\.(ts|js|json)$/)) return;
+        scheduleBackendRestart(`Backend file changed: ${filename}`);
+      });
+      w.on('error', (err: any) => {
+        log.warn(`[watcher] backend watcher error: ${err?.message || err} — re-arming in 2s`);
+        try { w.close(); } catch {}
+        backendWatcher = null;
+        setTimeout(armBackendWatcher, 2000);
+      });
+      backendWatcher = w;
+    } catch (err: any) {
+      log.warn(`[watcher] backend watcher failed to arm: ${err?.message || err} — retry in 5s`);
+      setTimeout(armBackendWatcher, 5000);
+    }
+  }
+
+  function onWorkspaceChange(_event: fs.WatchEventType, filename: string | Buffer | null) {
     if (!filename) return;
     if (filename === '.env') {
       scheduleBackendRestart('.env changed');
@@ -2832,7 +2963,40 @@ mint();
         runDeferredUpdate();
       }
     }
-  });
+  }
+
+  function armWorkspaceWatcher() {
+    try {
+      const w = fs.watch(workspaceDir, onWorkspaceChange);
+      w.on('error', (err: any) => {
+        log.warn(`[watcher] workspace watcher error: ${err?.message || err} — re-arming in 2s`);
+        try { w.close(); } catch {}
+        workspaceWatcher = null;
+        setTimeout(armWorkspaceWatcher, 2000);
+      });
+      workspaceWatcher = w;
+    } catch (err: any) {
+      log.warn(`[watcher] workspace watcher failed to arm: ${err?.message || err} — retry in 5s`);
+      setTimeout(armWorkspaceWatcher, 5000);
+    }
+  }
+
+  armBackendWatcher();
+  armWorkspaceWatcher();
+
+  // WebSocket liveness heartbeat — ping the app + chat WS clients every 30s and terminate any
+  // that missed the previous pong (half-open sockets that never fired 'close'). Terminating fires
+  // 'close', which runs the existing map/subscription cleanup. Scoped to our two WSS only (Vite's
+  // HMR socket is separate and managed by Vite). Cleared in shutdown().
+  const wsHeartbeat = setInterval(() => {
+    for (const wss of [blobyWss, appWss]) {
+      for (const ws of wss.clients) {
+        if ((ws as any).isAlive === false) { try { ws.terminate(); } catch {} continue; }
+        (ws as any).isAlive = false;
+        try { ws.ping(); } catch {}
+      }
+    }
+  }, 30_000);
 
   // Tunnel
   let tunnelUrl: string | null = null;
@@ -2994,8 +3158,9 @@ mint();
     log.info('Shutting down...');
     await channelManager.disconnectAll();
     stopScheduler();
-    backendWatcher.close();
-    workspaceWatcher.close();
+    backendWatcher?.close();
+    workspaceWatcher?.close();
+    clearInterval(wsHeartbeat);
     if (backendRestartTimer) clearTimeout(backendRestartTimer);
     if (watchdogInterval) clearInterval(watchdogInterval);
     stopHeartbeat();