claude-world-studio 1.0.0

package/server/mcp-config.ts

@@ -0,0 +1,85 @@
+import { existsSync } from "fs";
+import { isAbsolute } from "path";
+import type { Settings, Language } from "./types.js";
+import store from "./db.js";
+
+/** Validate a path setting: must be absolute and exist on disk */
+function isValidPath(p: string): boolean {
+  return !!p && isAbsolute(p) && existsSync(p);
+}
+
+export function getSettings(): Settings {
+  const all = store.getAllSettings();
+  return {
+    language: (all.language as Language) || "zh-TW",
+    trendPulseVenvPython:
+      all.trendPulseVenvPython || process.env.TREND_PULSE_PYTHON || "",
+    cfBrowserVenvPython:
+      all.cfBrowserVenvPython || process.env.CF_BROWSER_PYTHON || "",
+    notebooklmServerPath:
+      all.notebooklmServerPath || process.env.NOTEBOOKLM_SERVER_PATH || "",
+    cfBrowserUrl:
+      all.cfBrowserUrl || process.env.CF_BROWSER_URL || "",
+    cfBrowserApiKey:
+      all.cfBrowserApiKey || process.env.CF_BROWSER_API_KEY || "",
+    defaultWorkspace:
+      all.defaultWorkspace || process.env.DEFAULT_WORKSPACE || process.cwd(),
+  };
+}
+
+interface McpServerConfig {
+  name: string;
+  path: string;
+  build: () => Record<string, any>;
+}
+
+export function buildMcpServers(settings: Settings) {
+  const servers: Record<string, any> = {};
+
+  const configs: McpServerConfig[] = [
+    {
+      name: "trend-pulse",
+      path: settings.trendPulseVenvPython,
+      build: () => ({
+        command: settings.trendPulseVenvPython,
+        args: ["-m", "trend_pulse.server"],
+        env: {},
+      }),
+    },
+    {
+      name: "cf-browser",
+      path: settings.cfBrowserVenvPython,
+      build: () => ({
+        command: settings.cfBrowserVenvPython,
+        args: ["-m", "cf_browser_mcp.server"],
+        env: {
+          CF_BROWSER_URL: settings.cfBrowserUrl,
+          CF_BROWSER_API_KEY: settings.cfBrowserApiKey,
+        },
+      }),
+    },
+    {
+      name: "notebooklm",
+      path: settings.notebooklmServerPath,
+      build: () => ({
+        command: "python3",
+        args: [settings.notebooklmServerPath],
+        env: {},
+      }),
+    },
+  ];
+
+  for (const cfg of configs) {
+    if (!cfg.path) continue;
+
+    if (!isValidPath(cfg.path)) {
+      console.warn(`[MCP] ${cfg.name} skipped: path not found → ${cfg.path}`);
+      continue;
+    }
+
+    servers[cfg.name] = cfg.build();
+    console.log(`[MCP] ${cfg.name} enabled → ${cfg.path}`);
+  }
+
+  return servers;
+}

package/server/routes/accounts.ts

@@ -0,0 +1,88 @@
+import { Router } from "express";
+import store from "../db.js";
+
+const VALID_PLATFORMS = ["threads", "instagram"] as const;
+
+function maskToken(token: string): string {
+  if (!token || token.length < 12) return token ? "***" : "";
+  return token.slice(0, 8) + "..." + token.slice(-4);
+}
+
+const router = Router();
+
+// List all accounts (tokens masked)
+router.get("/", (_req, res) => {
+  const accounts = store.getAllAccounts().map((a) => ({
+    ...a,
+    token: maskToken(a.token),
+  }));
+  res.json(accounts);
+});
+
+// Get single account (token masked)
+router.get("/:id", (req, res) => {
+  const account = store.getAccount(req.params.id);
+  if (!account) {
+    return res.status(404).json({ error: "Account not found" });
+  }
+  res.json({ ...account, token: maskToken(account.token) });
+});
+
+// Create account
+router.post("/", (req, res) => {
+  const { name, handle, platform, token, user_id, style, persona_prompt } = req.body || {};
+
+  if (!name || !handle || !platform) {
+    return res.status(400).json({ error: "name, handle, and platform are required" });
+  }
+  if (!VALID_PLATFORMS.includes(platform)) {
+    return res.status(400).json({ error: `platform must be one of: ${VALID_PLATFORMS.join(", ")}` });
+  }
+
+  const account = store.createAccount({
+    name, handle, platform, token, user_id, style, persona_prompt,
+  });
+  res.status(201).json({ ...account, token: maskToken(account.token) });
+});
+
+// Update account
+router.put("/:id", (req, res) => {
+  const existing = store.getAccount(req.params.id);
+  if (!existing) {
+    return res.status(404).json({ error: "Account not found" });
+  }
+
+  const { name, handle, platform, token, user_id, style, persona_prompt } = req.body || {};
+
+  if (platform && !VALID_PLATFORMS.includes(platform)) {
+    return res.status(400).json({ error: `platform must be one of: ${VALID_PLATFORMS.join(", ")}` });
+  }
+
+  store.updateAccount(req.params.id, {
+    name: name ?? existing.name,
+    handle: handle ?? existing.handle,
+    platform: platform ?? existing.platform,
+    user_id: user_id ?? existing.user_id,
+    style: style ?? existing.style,
+    persona_prompt: persona_prompt ?? existing.persona_prompt,
+  });
+
+  // Only update token if a non-empty value is provided
+  if (token) {
+    store.updateAccountToken(req.params.id, token);
+  }
+
+  const updated = store.getAccount(req.params.id)!;
+  res.json({ ...updated, token: maskToken(updated.token) });
+});
+
+// Delete account
+router.delete("/:id", (req, res) => {
+  const deleted = store.deleteAccount(req.params.id);
+  if (!deleted) {
+    return res.status(404).json({ error: "Account not found" });
+  }
+  res.json({ success: true });
+});
+
+export default router;

package/server/routes/files.ts

@@ -0,0 +1,175 @@
+import { Router } from "express";
+import fs from "fs";
+import fsp from "fs/promises";
+import path from "path";
+import store from "../db.js";
+
+const MAX_DEPTH = 5;
+const MAX_TEXT_BYTES = 100 * 1024;
+
+/**
+ * Check that `target` is strictly within `base` directory.
+ * Both paths must exist on disk so realpathSync can resolve symlinks.
+ * Returns false if either path doesn't exist (deny by default).
+ */
+function isWithinWorkspace(base: string, target: string): boolean {
+  try {
+    const resolvedBase = fs.realpathSync(base);
+    const resolvedTarget = fs.realpathSync(target);
+    return (
+      resolvedTarget === resolvedBase ||
+      resolvedTarget.startsWith(resolvedBase + path.sep)
+    );
+  } catch {
+    return false;
+  }
+}
+
+const router = Router();
+
+interface FileEntry {
+  name: string;
+  path: string;
+  type: "file" | "directory";
+  size?: number;
+  modified?: string;
+  children?: FileEntry[];
+}
+
+async function buildFileTree(
+  dirPath: string,
+  basePath: string,
+  depth = 0,
+  maxDepth = 3
+): Promise<FileEntry[]> {
+  if (depth >= maxDepth) return [];
+
+  try {
+    const entries = await fsp.readdir(dirPath, { withFileTypes: true });
+    const result: FileEntry[] = [];
+
+    for (const entry of entries) {
+      // Skip hidden files and common non-useful dirs
+      if (
+        entry.name.startsWith(".") ||
+        entry.name === "node_modules" ||
+        entry.name === "__pycache__"
+      ) {
+        continue;
+      }
+
+      const fullPath = path.join(dirPath, entry.name);
+      const relativePath = path.relative(basePath, fullPath);
+
+      if (entry.isDirectory()) {
+        result.push({
+          name: entry.name,
+          path: relativePath,
+          type: "directory",
+          children: await buildFileTree(fullPath, basePath, depth + 1, maxDepth),
+        });
+      } else {
+        try {
+          const stat = await fsp.stat(fullPath);
+          result.push({
+            name: entry.name,
+            path: relativePath,
+            type: "file",
+            size: stat.size,
+            modified: stat.mtime.toISOString(),
+          });
+        } catch {
+          // Skip files we can't stat (broken symlinks, permission issues)
+        }
+      }
+    }
+
+    // Sort: directories first, then alphabetical
+    return result.sort((a, b) => {
+      if (a.type !== b.type) return a.type === "directory" ? -1 : 1;
+      return a.name.localeCompare(b.name);
+    });
+  } catch {
+    return [];
+  }
+}
+
+// List workspace file tree
+router.get("/:sessionId/files", async (req, res) => {
+  const session = store.getSession(req.params.sessionId);
+  if (!session) {
+    return res.status(404).json({ error: "Session not found" });
+  }
+
+  const rawDepth = parseInt(req.query.depth as string) || 3;
+  const depth = Math.min(Math.max(rawDepth, 1), MAX_DEPTH);
+  const tree = await buildFileTree(session.workspace_path, session.workspace_path, 0, depth);
+
+  res.json({
+    workspace: session.workspace_path,
+    tree,
+  });
+});
+
+// Read file content
+router.get("/:sessionId/files/*", async (req, res) => {
+  const session = store.getSession(req.params.sessionId);
+  if (!session) {
+    return res.status(404).json({ error: "Session not found" });
+  }
+
+  // Extract the file path from the wildcard params
+  const filePath = (req.params as Record<string, string>)[0] as string | undefined;
+  if (!filePath) {
+    return res.status(400).json({ error: "File path required" });
+  }
+
+  const requestedPath = path.resolve(session.workspace_path, filePath);
+
+  try {
+    // Resolve symlinks FIRST, then use the resolved path for all ops (eliminates TOCTOU)
+    const resolvedPath = await fsp.realpath(requestedPath);
+    const resolvedBase = await fsp.realpath(session.workspace_path);
+
+    // Security: verify resolved path is within workspace
+    if (resolvedPath !== resolvedBase && !resolvedPath.startsWith(resolvedBase + path.sep)) {
+      return res.status(403).json({ error: "Path traversal not allowed" });
+    }
+
+    const stat = await fsp.stat(resolvedPath);
+    if (stat.isDirectory()) {
+      return res.status(400).json({ error: "Path is a directory" });
+    }
+
+    // For binary files, send raw; for text, send JSON
+    const ext = path.extname(resolvedPath).toLowerCase();
+    const binaryExts = [".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".pdf", ".mp3", ".mp4", ".wav", ".m4a", ".webm", ".ogg"];
+
+    if (binaryExts.includes(ext)) {
+      res.sendFile(resolvedPath);
+    } else {
+      // Text file - limit by byte size, then decode
+      if (stat.size > MAX_TEXT_BYTES) {
+        const fh = await fsp.open(resolvedPath, "r");
+        try {
+          const buf = Buffer.alloc(MAX_TEXT_BYTES);
+          await fh.read(buf, 0, MAX_TEXT_BYTES, 0);
+          const content = buf.toString("utf-8");
+          res.json({ path: filePath, content, truncated: true, size: stat.size });
+        } finally {
+          await fh.close();
+        }
+      } else {
+        const content = await fsp.readFile(resolvedPath, "utf-8");
+        res.json({ path: filePath, content, truncated: false, size: stat.size });
+      }
+    }
+  } catch (err) {
+    const code = (err as NodeJS.ErrnoException).code;
+    if (code === "ENOENT") return res.status(404).json({ error: "File not found" });
+    if (code === "EACCES") return res.status(403).json({ error: "Permission denied" });
+    return res.status(500).json({ error: "Failed to read file" });
+  }
+});
+
+export default router;

package/server/routes/publish.ts

@@ -0,0 +1,77 @@
+import { Router } from "express";
+import store from "../db.js";
+import { publishToThreads } from "../services/social-publisher.js";
+
+const MAX_HISTORY_LIMIT = 500;
+
+const router = Router();
+
+// Publish content to a specific account
+router.post("/", async (req, res) => {
+  const { accountId, text, sessionId, score, imageUrl, pollOptions, linkComment, tag } = req.body;
+
+  if (!accountId || !text) {
+    return res.status(400).json({ error: "accountId and text are required" });
+  }
+
+  const account = store.getAccount(accountId);
+  if (!account) {
+    return res.status(400).json({ error: `Account not found: ${accountId}` });
+  }
+  if (!account.token) {
+    return res.status(400).json({ error: `No token configured for account: ${account.name}` });
+  }
+
+  const record = store.addPublish({
+    session_id: sessionId || null,
+    platform: account.platform,
+    account: accountId,
+    content: text,
+    post_id: null,
+    post_url: null,
+    status: "pending",
+  });
+
+  try {
+    let result: any;
+
+    if (account.platform === "threads") {
+      result = await publishToThreads({
+        text,
+        token: account.token,
+        score,
+        imageUrl,
+        pollOptions,
+        linkComment,
+        tag,
+      });
+    } else {
+      throw new Error(`Publishing to ${account.platform} is not yet supported`);
+    }
+
+    store.updatePublishStatus(record.id, "published", result?.id, result?.permalink);
+
+    res.json({
+      success: true,
+      id: record.id,
+      postId: result?.id,
+      postUrl: result?.permalink,
+    });
+  } catch (error) {
+    store.updatePublishStatus(record.id, "failed");
+    res.status(500).json({
+      error: (error as Error).message,
+      id: record.id,
+    });
+  }
+});
+
+// Get publish history
+router.get("/history", (req, res) => {
+  const rawLimit = parseInt(req.query.limit as string) || 50;
+  const limit = Math.min(Math.max(rawLimit, 1), MAX_HISTORY_LIMIT);
+  const history = store.getPublishHistory(limit);
+  res.json(history);
+});
+
+export default router;

package/server/routes/sessions.ts

@@ -0,0 +1,59 @@
+import { Router } from "express";
+import store from "../db.js";
+import { removeSession } from "../server.js";
+
+const router = Router();
+
+// List all sessions
+router.get("/", (_req, res) => {
+  const sessions = store.getAllSessions();
+  res.json(sessions);
+});
+
+// Create new session
+router.post("/", (req, res) => {
+  const { title, workspacePath } = req.body || {};
+  const session = store.createSession(title, workspacePath);
+  res.status(201).json(session);
+});
+
+// Get single session
+router.get("/:id", (req, res) => {
+  const session = store.getSession(req.params.id);
+  if (!session) {
+    return res.status(404).json({ error: "Session not found" });
+  }
+  res.json(session);
+});
+
+// Update session title
+router.patch("/:id", (req, res) => {
+  const { title } = req.body || {};
+  if (!title || typeof title !== "string") {
+    return res.status(400).json({ error: "Title required" });
+  }
+  const session = store.getSession(req.params.id);
+  if (!session) {
+    return res.status(404).json({ error: "Session not found" });
+  }
+  store.updateSessionTitle(req.params.id, title.slice(0, 200));
+  res.json({ success: true });
+});
+
+// Delete session (also clean up in-memory agent session)
+router.delete("/:id", (req, res) => {
+  removeSession(req.params.id);
+  const deleted = store.deleteSession(req.params.id);
+  if (!deleted) {
+    return res.status(404).json({ error: "Session not found" });
+  }
+  res.json({ success: true });
+});
+
+// Get session messages
+router.get("/:id/messages", (req, res) => {
+  const messages = store.getMessages(req.params.id);
+  res.json(messages);
+});
+
+export default router;

package/server/routes/settings.ts

@@ -0,0 +1,220 @@
+import { Router } from "express";
+import { existsSync, readFileSync, readdirSync } from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+import store from "../db.js";
+import { getSettings } from "../mcp-config.js";
+
+const { join, isAbsolute } = path;
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const router = Router();
+
+const SENSITIVE_KEYS = ["cfBrowserApiKey"] as const;
+
+function maskValue(value: string): string {
+  if (!value || value.length < 12) return value ? "***" : "";
+  return value.slice(0, 8) + "..." + value.slice(-4);
+}
+
+// Get all settings (tokens masked)
+router.get("/", (_req, res) => {
+  const settings = getSettings();
+  const masked: Record<string, string> = { ...settings };
+
+  for (const key of SENSITIVE_KEYS) {
+    if (masked[key]) {
+      masked[key] = maskValue(masked[key]);
+    }
+  }
+
+  res.json(masked);
+});
+
+// Auto-detect installed MCP tools
+router.get("/detect", (_req, res) => {
+  const home = process.env.HOME || "";
+  const workspace =
+    getSettings().defaultWorkspace ||
+    process.env.DEFAULT_WORKSPACE ||
+    process.cwd();
+
+  const searchRoots = [
+    workspace,
+    join(home, "github"),
+    join(home, "projects"),
+    join(home, "dev"),
+    join(home, "code"),
+  ].filter((p) => isAbsolute(p) && existsSync(p));
+
+  // trend-pulse
+  const tpCandidates = searchRoots.flatMap((root) => [
+    join(root, "trend-pulse/.venv/bin/python"),
+    join(root, "trend-pulse/.venv/bin/python3"),
+  ]);
+  const trendPulsePython = tpCandidates.find(existsSync) || "";
+
+  // cf-browser
+  const cbCandidates = searchRoots.flatMap((root) => [
+    join(root, "cf-browser/mcp-server/.venv/bin/python"),
+    join(root, "cf-browser/mcp-server/.venv/bin/python3"),
+  ]);
+  const cfBrowserPython = cbCandidates.find(existsSync) || "";
+
+  // notebooklm-skill
+  const nlmCandidates = [
+    ...searchRoots.flatMap((root) => [
+      join(root, "notebooklm-skill/mcp-server/server.py"),
+      join(root, "notebooklm-skill/mcp_server.py"),
+    ]),
+    ...searchRoots.flatMap((root) => {
+      try {
+        return readdirSync(root, { withFileTypes: true })
+          .filter((e) => e.isDirectory() && !e.name.startsWith("."))
+          .flatMap((e) => [
+            join(root, e.name, "notebooklm-skill/mcp-server/server.py"),
+          ]);
+      } catch { return []; }
+    }),
+  ];
+  const notebooklmPath = nlmCandidates.find(existsSync) || "";
+
+  // cf-browser URL/Key
+  let cfBrowserUrl = "";
+  let cfBrowserApiKeyFound = false;
+  const cfEnvCandidates = [
+    ...searchRoots.flatMap((root) => [
+      join(root, "cf-browser/.env"),
+      join(root, "cf-browser/worker/.env"),
+    ]),
+    join(__dirname, "../../.env"),
+  ];
+  for (const envPath of cfEnvCandidates) {
+    if (existsSync(envPath)) {
+      try {
+        const content = readFileSync(envPath, "utf-8");
+        const urlMatch = content.match(/^CF_BROWSER_URL=(.+)/m);
+        const keyMatch = content.match(/^CF_BROWSER_API_KEY=(.+)/m);
+        if (urlMatch && !cfBrowserUrl) cfBrowserUrl = urlMatch[1].trim();
+        if (keyMatch && !cfBrowserApiKeyFound) cfBrowserApiKeyFound = true;
+      } catch {}
+    }
+  }
+
+  const detected: Record<string, { value: string; found: boolean }> = {
+    trendPulseVenvPython: { value: trendPulsePython, found: !!trendPulsePython },
+    cfBrowserVenvPython: { value: cfBrowserPython, found: !!cfBrowserPython },
+    notebooklmServerPath: { value: notebooklmPath, found: !!notebooklmPath },
+    cfBrowserUrl: { value: cfBrowserUrl, found: !!cfBrowserUrl },
+    cfBrowserApiKey: { value: "", found: cfBrowserApiKeyFound },
+    defaultWorkspace: { value: workspace, found: existsSync(workspace) },
+  };
+
+  res.json(detected);
+});
+
+// Apply detected values to DB
+router.post("/detect/apply", (_req, res) => {
+  const home = process.env.HOME || "";
+  const workspace =
+    getSettings().defaultWorkspace ||
+    process.env.DEFAULT_WORKSPACE ||
+    process.cwd();
+
+  let applied = 0;
+
+  // cf-browser .env
+  const searchRoots = [workspace, join(home, "github")]
+    .filter((p) => isAbsolute(p) && existsSync(p));
+
+  const cfEnvCandidates = [
+    ...searchRoots.flatMap((root) => [
+      join(root, "cf-browser/.env"),
+      join(root, "cf-browser/worker/.env"),
+    ]),
+    join(__dirname, "../../.env"),
+  ];
+  for (const envPath of cfEnvCandidates) {
+    if (existsSync(envPath)) {
+      try {
+        const content = readFileSync(envPath, "utf-8");
+        const urlMatch = content.match(/^CF_BROWSER_URL=(.+)/m);
+        const keyMatch = content.match(/^CF_BROWSER_API_KEY=(.+)/m);
+        if (urlMatch) { store.setSetting("cfBrowserUrl", urlMatch[1].trim()); applied++; }
+        if (keyMatch) { store.setSetting("cfBrowserApiKey", keyMatch[1].trim()); applied++; }
+      } catch (err) {
+        console.warn("[Settings] Error reading cf-browser .env:", err);
+      }
+    }
+  }
+
+  // MCP paths
+  const mcpRoots = [workspace, join(home, "github"), join(home, "projects")]
+    .filter((p) => isAbsolute(p) && existsSync(p));
+
+  const tpPath = mcpRoots.flatMap((r) => [
+    join(r, "trend-pulse/.venv/bin/python"),
+    join(r, "trend-pulse/.venv/bin/python3"),
+  ]).find(existsSync);
+  if (tpPath) { store.setSetting("trendPulseVenvPython", tpPath); applied++; }
+
+  const cbPath = mcpRoots.flatMap((r) => [
+    join(r, "cf-browser/mcp-server/.venv/bin/python"),
+    join(r, "cf-browser/mcp-server/.venv/bin/python3"),
+  ]).find(existsSync);
+  if (cbPath) { store.setSetting("cfBrowserVenvPython", cbPath); applied++; }
+
+  const nlmPath = [
+    ...mcpRoots.flatMap((r) => [join(r, "notebooklm-skill/mcp-server/server.py")]),
+    ...mcpRoots.flatMap((r) => {
+      try {
+        return readdirSync(r, { withFileTypes: true })
+          .filter((e) => e.isDirectory() && !e.name.startsWith("."))
+          .map((e) => join(r, e.name, "notebooklm-skill/mcp-server/server.py"));
+      } catch { return []; }
+    }),
+  ].find(existsSync);
+  if (nlmPath) { store.setSetting("notebooklmServerPath", nlmPath); applied++; }
+
+  res.json({ success: true, applied });
+});
+
+// Update settings
+router.put("/", (req, res) => {
+  const updates = req.body;
+  if (!updates || typeof updates !== "object") {
+    return res.status(400).json({ error: "Invalid settings" });
+  }
+
+  const allowedKeys = [
+    "language",
+    "trendPulseVenvPython",
+    "cfBrowserVenvPython",
+    "notebooklmServerPath",
+    "cfBrowserUrl",
+    "cfBrowserApiKey",
+    "defaultWorkspace",
+  ];
+
+  const pathKeys = [
+    "trendPulseVenvPython",
+    "cfBrowserVenvPython",
+    "notebooklmServerPath",
+    "defaultWorkspace",
+  ];
+
+  for (const [key, value] of Object.entries(updates)) {
+    if (!allowedKeys.includes(key) || typeof value !== "string") continue;
+
+    if (pathKeys.includes(key) && value) {
+      if (!isAbsolute(value) || /[;&|`$(){}]/.test(value)) continue;
+    }
+
+    store.setSetting(key, value);
+  }
+
+  res.json({ success: true });
+});
+
+export default router;