claudedesk 1.0.0

package/dist/api/docker-routes.js

@@ -0,0 +1,167 @@
+import { Router } from 'express';
+import net from 'net';
+import { sharedDockerManager } from '../core/shared-docker-manager.js';
+import { settingsManager } from '../config/settings.js';
+export const dockerRouter = Router();
+// Get Docker availability
+dockerRouter.get('/availability', async (_req, res) => {
+    try {
+        const dockerAvailable = await sharedDockerManager.isDockerAvailable();
+        const composeAvailable = await sharedDockerManager.isComposeAvailable();
+        res.json({
+            success: true,
+            data: {
+                docker: dockerAvailable,
+                compose: composeAvailable,
+                available: dockerAvailable && composeAvailable,
+            },
+        });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+// Get Docker environment status
+dockerRouter.get('/status', async (_req, res) => {
+    try {
+        const status = await sharedDockerManager.getStatus();
+        res.json({ success: true, data: status });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+// Start Docker environment
+dockerRouter.post('/start', async (_req, res) => {
+    try {
+        const status = await sharedDockerManager.start();
+        res.json({ success: true, data: status });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+// Stop Docker environment
+dockerRouter.post('/stop', async (_req, res) => {
+    try {
+        const status = await sharedDockerManager.stop();
+        res.json({ success: true, data: status });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+// Restart Docker environment
+dockerRouter.post('/restart', async (_req, res) => {
+    try {
+        const status = await sharedDockerManager.restart();
+        res.json({ success: true, data: status });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+// Get logs for a specific service
+dockerRouter.get('/logs/:service', async (req, res) => {
+    try {
+        const { service } = req.params;
+        const { tail } = req.query;
+        const logs = await sharedDockerManager.getServiceLogs(service, tail ? parseInt(tail) : 100);
+        res.json({ success: true, data: { service, logs } });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+// Get connection info for all services
+dockerRouter.get('/connections', async (_req, res) => {
+    try {
+        const connections = sharedDockerManager.getConnectionInfo();
+        res.json({ success: true, data: connections });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+// Get Docker settings
+dockerRouter.get('/settings', (_req, res) => {
+    try {
+        const settings = settingsManager.getDocker();
+        res.json({ success: true, data: settings });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+// Update Docker settings
+dockerRouter.put('/settings', (req, res) => {
+    try {
+        const updates = req.body;
+        const settings = settingsManager.updateDocker(updates);
+        res.json({ success: true, data: settings });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(400).json({ success: false, error: errorMsg });
+    }
+});
+// ============================================
+// Port Conflict Detection
+// ============================================
+/**
+ * Helper to check if a port is in use
+ */
+function checkPortInUse(port) {
+    return new Promise((resolve) => {
+        const server = net.createServer();
+        server.once('error', (err) => {
+            if (err.code === 'EADDRINUSE') {
+                resolve(true);
+            }
+            else {
+                resolve(false);
+            }
+        });
+        server.once('listening', () => {
+            server.close();
+            resolve(false);
+        });
+        server.listen(port, '127.0.0.1');
+    });
+}
+/**
+ * GET /check-port
+ * Checks if a port is in use (for port conflict detection)
+ */
+dockerRouter.get('/check-port', async (req, res) => {
+    try {
+        const port = parseInt(req.query.port, 10);
+        if (isNaN(port) || port < 1 || port > 65535) {
+            return res.status(400).json({
+                success: false,
+                error: 'Valid port number (1-65535) is required',
+            });
+        }
+        const inUse = await checkPortInUse(port);
+        res.json({
+            success: true,
+            data: {
+                port,
+                inUse,
+            },
+        });
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        res.status(500).json({ success: false, error: errorMsg });
+    }
+});
+//# sourceMappingURL=docker-routes.js.map

package/dist/api/docker-routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"docker-routes.js","sourceRoot":"","sources":["../../src/api/docker-routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAqB,MAAM,SAAS,CAAC;AACpD,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AACvE,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExD,MAAM,CAAC,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC;AAErC,0BAA0B;AAC1B,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAE,EAAE;IACvE,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,mBAAmB,CAAC,iBAAiB,EAAE,CAAC;QACtE,MAAM,gBAAgB,GAAG,MAAM,mBAAmB,CAAC,kBAAkB,EAAE,CAAC;QAExE,GAAG,CAAC,IAAI,CAAC;YACP,OAAO,EAAE,IAAI;YACb,IAAI,EAAE;gBACJ,MAAM,EAAE,eAAe;gBACvB,OAAO,EAAE,gBAAgB;gBACzB,SAAS,EAAE,eAAe,IAAI,gBAAgB;aAC/C;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,gCAAgC;AAChC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAE,EAAE;IACjE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,SAAS,EAAE,CAAC;QACrD,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,2BAA2B;AAC3B,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAE,EAAE;IACjE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,KAAK,EAAE,CAAC;QACjD,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,0BAA0B;AAC1B,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAE,EAAE;IAChE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAC;QAChD,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,6BAA6B;AAC7B,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAE,EAAE;IACnE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,OAAO,EAAE,CAAC;QACnD,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,kCAAkC;AAClC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACvE,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAC/B,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC;QAE3B,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,cAAc,CACnD,OAAO,EACP,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAc,CAAC,CAAC,CAAC,CAAC,GAAG,CACtC,CAAC;QAEF,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,uCAAuC;AACvC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAE,EAAE;IACtE,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,mBAAmB,CAAC,iBAAiB,EAAE,CAAC;QAC5D,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,sBAAsB;AACtB,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;IAC7D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,eAAe,CAAC,SAAS,EAAE,CAAC;QAC7C,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,yBAAyB;AACzB,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;IAC5D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC;QACzB,MAAM,QAAQ,GAAG,eAAe,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACvD,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,+CAA+C;AAC/C,0BAA0B;AAC1B,+CAA+C;AAE/C;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAA0B,EAAE,EAAE;YAClD,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC9B,OAAO,CAAC,IAAI,CAAC,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,CAAC;YACjB,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,CAAC;QACjB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACpE,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,IAAc,EAAE,EAAE,CAAC,CAAC;QAEpD,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;YAC5C,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,yCAAyC;aACjD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC;QAEzC,GAAG,CAAC,IAAI,CAAC;YACP,OAAO,EAAE,IAAI;YACb,IAAI,EAAE;gBACJ,IAAI;gBACJ,KAAK;aACN;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC"}

package/dist/api/middleware.d.ts

@@ -0,0 +1,6 @@
+import { Request, Response, NextFunction } from 'express';
+export declare function getAuthToken(): string;
+export declare function authMiddleware(req: Request, res: Response, next: NextFunction): void;
+export declare function rateLimitMiddleware(req: Request, res: Response, next: NextFunction): void;
+export declare function errorHandler(err: Error, _req: Request, res: Response, _next: NextFunction): void;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/api/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/api/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAe1D,wBAAgB,YAAY,IAAI,MAAM,CAerC;AAoKD,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAiHpF;AAED,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAgCzF;AAGD,wBAAgB,YAAY,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,GAAG,IAAI,CAMhG"}

package/dist/api/middleware.js

@@ -0,0 +1,293 @@
+import { settingsManager } from '../config/settings.js';
+// Default token for local development (as documented in SECURITY.md)
+const DEFAULT_LOCAL_TOKEN = 'claudedesk-local';
+// Cookie name for persistent sessions
+const AUTH_COOKIE_NAME = 'claudedesk_session';
+const COOKIE_MAX_AGE = 30 * 24 * 60 * 60 * 1000; // 30 days
+// Rate limiting for failed auth attempts (remote access security)
+const failedAuthAttempts = new Map();
+const MAX_FAILED_ATTEMPTS = 5;
+const BLOCK_DURATION = 15 * 60 * 1000; // 15 minutes
+export function getAuthToken() {
+    // For remote access, use tunnel token if enabled
+    const tunnelSettings = settingsManager.getTunnel();
+    if (tunnelSettings.enabled && tunnelSettings.authToken) {
+        return tunnelSettings.authToken;
+    }
+    // Environment variable takes precedence
+    if (process.env.CLAUDEDESK_TOKEN) {
+        return process.env.CLAUDEDESK_TOKEN;
+    }
+    // Default to 'claudedesk-local' for local development
+    // As documented in SECURITY.md - suitable only for local development
+    return DEFAULT_LOCAL_TOKEN;
+}
+/**
+ * Check if request is from remote (via Cloudflare Tunnel)
+ */
+function isRemoteRequest(req) {
+    // Cloudflare adds X-Forwarded-For header
+    const forwardedFor = req.headers['x-forwarded-for'];
+    return !!forwardedFor;
+}
+/**
+ * Get client IP for rate limiting
+ */
+function getClientIp(req) {
+    const forwardedFor = req.headers['x-forwarded-for'];
+    if (forwardedFor) {
+        // X-Forwarded-For can be a comma-separated list, take the first IP
+        const ips = typeof forwardedFor === 'string' ? forwardedFor.split(',') : forwardedFor;
+        return ips[0].trim();
+    }
+    return req.ip || req.socket.remoteAddress || 'unknown';
+}
+/**
+ * Check if IP is blocked due to failed auth attempts
+ */
+function isIpBlocked(ip) {
+    const record = failedAuthAttempts.get(ip);
+    if (!record)
+        return false;
+    if (record.blockedUntil && Date.now() < record.blockedUntil) {
+        return true;
+    }
+    // Block expired, reset
+    if (record.blockedUntil && Date.now() >= record.blockedUntil) {
+        failedAuthAttempts.delete(ip);
+        return false;
+    }
+    return false;
+}
+/**
+ * Record failed auth attempt
+ */
+function recordFailedAuth(ip) {
+    const record = failedAuthAttempts.get(ip) || { count: 0, blockedUntil: null };
+    record.count++;
+    if (record.count >= MAX_FAILED_ATTEMPTS) {
+        record.blockedUntil = Date.now() + BLOCK_DURATION;
+        console.warn(`[Auth] IP ${ip} blocked for ${BLOCK_DURATION / 1000}s after ${MAX_FAILED_ATTEMPTS} failed attempts`);
+    }
+    failedAuthAttempts.set(ip, record);
+}
+/**
+ * Clear failed auth attempts for IP (on successful auth)
+ */
+function clearFailedAuth(ip) {
+    failedAuthAttempts.delete(ip);
+}
+/**
+ * Extract token from various sources (header, cookie, query param)
+ */
+function extractToken(req) {
+    // 1. Check Authorization header
+    const authHeader = req.headers.authorization;
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+        return authHeader.slice(7);
+    }
+    // 2. Check cookie
+    const cookies = req.headers.cookie;
+    if (cookies) {
+        const match = cookies.match(new RegExp(`${AUTH_COOKIE_NAME}=([^;]+)`));
+        if (match) {
+            return match[1];
+        }
+    }
+    // 3. Check query param (for QR code login)
+    const queryToken = req.query.token;
+    if (queryToken && typeof queryToken === 'string') {
+        return queryToken;
+    }
+    return null;
+}
+const rateLimitBuckets = new Map();
+// Rate limit configurations by endpoint pattern
+const RATE_LIMITS = {
+    // Expensive operations - strict limits
+    'POST:/api/terminal/sessions': { window: 60000, max: 10 }, // Terminal session creation
+    'POST:/api/terminal/sessions/*/send': { window: 60000, max: 60 }, // Claude messages
+    'POST:/api/repos/*/publish': { window: 60000, max: 5 }, // GitHub repo creation
+    'POST:/api/terminal/sessions/*/create-pr': { window: 60000, max: 10 }, // PR creation
+    'POST:/api/terminal/sessions/*/ship': { window: 60000, max: 10 }, // Ship (commit+push+PR)
+    // Docker operations
+    'POST:/api/docker/start': { window: 60000, max: 5 },
+    'POST:/api/docker/stop': { window: 60000, max: 5 },
+    // Default for all other API routes
+    'default': { window: 60000, max: 200 }, // 200 requests per minute
+};
+/**
+ * Get the rate limit configuration for a given request
+ */
+function getRateLimitConfig(method, path) {
+    // Try exact match first
+    const exactKey = `${method}:${path}`;
+    if (RATE_LIMITS[exactKey]) {
+        return { key: exactKey, config: RATE_LIMITS[exactKey] };
+    }
+    // Try pattern match (replace UUIDs/IDs with *)
+    const normalizedPath = path.replace(/\/[a-f0-9-]{36}/gi, '/*').replace(/\/\d+/g, '/*');
+    const patternKey = `${method}:${normalizedPath}`;
+    if (RATE_LIMITS[patternKey]) {
+        return { key: patternKey, config: RATE_LIMITS[patternKey] };
+    }
+    // Fall back to default
+    return { key: 'default', config: RATE_LIMITS['default'] };
+}
+/**
+ * Check if request is rate limited
+ */
+function isRateLimited(bucketKey, config) {
+    const now = Date.now();
+    let timestamps = rateLimitBuckets.get(bucketKey);
+    if (!timestamps) {
+        timestamps = [];
+        rateLimitBuckets.set(bucketKey, timestamps);
+    }
+    // Remove timestamps outside the window
+    while (timestamps.length > 0 && timestamps[0] < now - config.window) {
+        timestamps.shift();
+    }
+    if (timestamps.length >= config.max) {
+        return true;
+    }
+    timestamps.push(now);
+    return false;
+}
+export function authMiddleware(req, res, next) {
+    // Allow health check without auth
+    if (req.path === '/api/health') {
+        next();
+        return;
+    }
+    // Allow health status endpoint without auth (for setup wizard)
+    if (req.path === '/api/health/status') {
+        next();
+        return;
+    }
+    // Allow session check without auth (for PWA cookie restore)
+    if (req.path === '/api/auth/session') {
+        next();
+        return;
+    }
+    // Allow PIN validation without auth (it's the auth entry point)
+    if (req.path === '/api/auth/pin/validate') {
+        next();
+        return;
+    }
+    // Allow static files without auth (UI assets)
+    if (!req.path.startsWith('/api/')) {
+        // Check for token in query param for initial page load (QR code login)
+        const queryToken = req.query.token;
+        if (queryToken && typeof queryToken === 'string') {
+            const expectedToken = getAuthToken();
+            if (queryToken === expectedToken) {
+                // Set auth cookie for persistent session
+                res.cookie(AUTH_COOKIE_NAME, queryToken, {
+                    httpOnly: true,
+                    secure: req.secure || req.headers['x-forwarded-proto'] === 'https',
+                    sameSite: 'lax',
+                    maxAge: COOKIE_MAX_AGE,
+                });
+            }
+        }
+        next();
+        return;
+    }
+    // Allow screenshot artifacts without auth (job ID is already a hard-to-guess UUID)
+    if (req.path.match(/^\/api\/jobs\/[^/]+\/artifacts\/screenshot$/)) {
+        next();
+        return;
+    }
+    const expectedToken = getAuthToken();
+    const providedToken = extractToken(req);
+    const clientIp = getClientIp(req);
+    const isRemote = isRemoteRequest(req);
+    // Check if IP is blocked
+    if (isIpBlocked(clientIp)) {
+        res.status(429).json({
+            success: false,
+            error: 'Too many failed authentication attempts. Please try again later.',
+        });
+        return;
+    }
+    // Security: For remote requests, reject default local token
+    if (isRemote && providedToken === DEFAULT_LOCAL_TOKEN) {
+        console.warn('[Auth] Remote request attempted with default local token - rejecting');
+        recordFailedAuth(clientIp);
+        res.status(403).json({
+            success: false,
+            error: 'Remote access requires a secure authentication token. Please enable remote access in settings.',
+        });
+        return;
+    }
+    if (!providedToken) {
+        if (isRemote) {
+            recordFailedAuth(clientIp);
+        }
+        res.status(401).json({ success: false, error: 'Missing authorization' });
+        return;
+    }
+    // For local requests: accept either the default token OR the secure token
+    // For remote requests: only accept the secure token (default already rejected above)
+    const isValidToken = providedToken === expectedToken ||
+        (!isRemote && providedToken === DEFAULT_LOCAL_TOKEN);
+    if (!isValidToken) {
+        if (isRemote) {
+            recordFailedAuth(clientIp);
+        }
+        res.status(403).json({ success: false, error: 'Invalid token' });
+        return;
+    }
+    // Successful auth - clear failed attempts
+    if (isRemote) {
+        clearFailedAuth(clientIp);
+    }
+    // If token came from query param, set cookie for future requests
+    if (req.query.token && typeof req.query.token === 'string') {
+        res.cookie(AUTH_COOKIE_NAME, providedToken, {
+            httpOnly: true,
+            secure: req.secure || req.headers['x-forwarded-proto'] === 'https',
+            sameSite: 'lax',
+            maxAge: COOKIE_MAX_AGE,
+        });
+    }
+    next();
+}
+export function rateLimitMiddleware(req, res, next) {
+    // Only rate limit API routes
+    if (!req.path.startsWith('/api/')) {
+        next();
+        return;
+    }
+    // Skip rate limiting for read-only health checks
+    if (req.path === '/api/health' || req.path === '/api/health/status') {
+        next();
+        return;
+    }
+    // Get rate limit configuration for this endpoint
+    const { key, config } = getRateLimitConfig(req.method, req.path);
+    // Check if rate limited
+    // Use IP address as additional bucketing for global limits
+    const clientIp = req.ip || req.socket.remoteAddress || 'unknown';
+    const bucketKey = key === 'default' ? `${key}:${clientIp}` : key;
+    if (isRateLimited(bucketKey, config)) {
+        const retryAfter = Math.ceil(config.window / 1000);
+        res.setHeader('Retry-After', retryAfter.toString());
+        res.status(429).json({
+            success: false,
+            error: `Rate limit exceeded. Max ${config.max} requests per ${config.window / 1000}s for this endpoint.`,
+        });
+        return;
+    }
+    next();
+}
+// Error handler
+export function errorHandler(err, _req, res, _next) {
+    console.error('API Error:', err);
+    res.status(500).json({
+        success: false,
+        error: err.message || 'Internal server error',
+    });
+}
+//# sourceMappingURL=middleware.js.map

package/dist/api/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/api/middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAExD,qEAAqE;AACrE,MAAM,mBAAmB,GAAG,kBAAkB,CAAC;AAE/C,sCAAsC;AACtC,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AAC9C,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAE3D,kEAAkE;AAClE,MAAM,kBAAkB,GAAgE,IAAI,GAAG,EAAE,CAAC;AAClG,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAEpD,MAAM,UAAU,YAAY;IAC1B,iDAAiD;IACjD,MAAM,cAAc,GAAG,eAAe,CAAC,SAAS,EAAE,CAAC;IACnD,IAAI,cAAc,CAAC,OAAO,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;QACvD,OAAO,cAAc,CAAC,SAAS,CAAC;IAClC,CAAC;IAED,wCAAwC;IACxC,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACjC,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACtC,CAAC;IAED,sDAAsD;IACtD,qEAAqE;IACrE,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,GAAY;IACnC,yCAAyC;IACzC,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACpD,OAAO,CAAC,CAAC,YAAY,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACpD,IAAI,YAAY,EAAE,CAAC;QACjB,mEAAmE;QACnE,MAAM,GAAG,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;QACtF,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACvB,CAAC;IACD,OAAO,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,SAAS,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,EAAU;IAC7B,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,IAAI,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uBAAuB;IACvB,IAAI,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QAC7D,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,EAAU;IAClC,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IAC9E,MAAM,CAAC,KAAK,EAAE,CAAC;IAEf,IAAI,MAAM,CAAC,KAAK,IAAI,mBAAmB,EAAE,CAAC;QACxC,MAAM,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,gBAAgB,cAAc,GAAG,IAAI,WAAW,mBAAmB,kBAAkB,CAAC,CAAC;IACrH,CAAC;IAED,kBAAkB,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,EAAU;IACjC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,GAAY;IAChC,gCAAgC;IAChC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,IAAI,UAAU,IAAI,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,kBAAkB;IAClB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;IACnC,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,GAAG,gBAAgB,UAAU,CAAC,CAAC,CAAC;QACvE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC;IACnC,IAAI,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QACjD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AASD,MAAM,gBAAgB,GAA0B,IAAI,GAAG,EAAE,CAAC;AAE1D,gDAAgD;AAChD,MAAM,WAAW,GAAoC;IACnD,uCAAuC;IACvC,6BAA6B,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE,EAAS,4BAA4B;IAC9F,oCAAoC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,kBAAkB;IACpF,2BAA2B,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE,EAAY,uBAAuB;IACzF,yCAAyC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,cAAc;IACrF,oCAAoC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,wBAAwB;IAC1F,oBAAoB;IACpB,wBAAwB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE;IACnD,uBAAuB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE;IAClD,mCAAmC;IACnC,SAAS,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAG,0BAA0B;CACpE,CAAC;AAEF;;GAEG;AACH,SAAS,kBAAkB,CAAC,MAAc,EAAE,IAAY;IACtD,wBAAwB;IACxB,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;IACrC,IAAI,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,+CAA+C;IAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACvF,MAAM,UAAU,GAAG,GAAG,MAAM,IAAI,cAAc,EAAE,CAAC;IACjD,IAAI,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;IAC9D,CAAC;IAED,uBAAuB;IACvB,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,SAAiB,EAAE,MAAuB;IAC/D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEjD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,UAAU,GAAG,EAAE,CAAC;QAChB,gBAAgB,CAAC,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAC9C,CAAC;IAED,uCAAuC;IACvC,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACpE,UAAU,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAC5E,kCAAkC;IAClC,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAC/B,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,+DAA+D;IAC/D,IAAI,GAAG,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;QACtC,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,4DAA4D;IAC5D,IAAI,GAAG,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACrC,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,gEAAgE;IAChE,IAAI,GAAG,CAAC,IAAI,KAAK,wBAAwB,EAAE,CAAC;QAC1C,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,8CAA8C;IAC9C,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,uEAAuE;QACvE,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC;QACnC,IAAI,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACjD,MAAM,aAAa,GAAG,YAAY,EAAE,CAAC;YACrC,IAAI,UAAU,KAAK,aAAa,EAAE,CAAC;gBACjC,yCAAyC;gBACzC,GAAG,CAAC,MAAM,CAAC,gBAAgB,EAAE,UAAU,EAAE;oBACvC,QAAQ,EAAE,IAAI;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,KAAK,OAAO;oBAClE,QAAQ,EAAE,KAAK;oBACf,MAAM,EAAE,cAAc;iBACvB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,mFAAmF;IACnF,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,6CAA6C,CAAC,EAAE,CAAC;QAClE,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,MAAM,aAAa,GAAG,YAAY,EAAE,CAAC;IACrC,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IAEtC,yBAAyB;IACzB,IAAI,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,kEAAkE;SAC1E,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,4DAA4D;IAC5D,IAAI,QAAQ,IAAI,aAAa,KAAK,mBAAmB,EAAE,CAAC;QACtD,OAAO,CAAC,IAAI,CAAC,sEAAsE,CAAC,CAAC;QACrF,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,gGAAgG;SACxG,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,IAAI,QAAQ,EAAE,CAAC;YACb,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACzE,OAAO;IACT,CAAC;IAED,0EAA0E;IAC1E,qFAAqF;IACrF,MAAM,YAAY,GAAG,aAAa,KAAK,aAAa;QAC/B,CAAC,CAAC,QAAQ,IAAI,aAAa,KAAK,mBAAmB,CAAC,CAAC;IAE1E,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,IAAI,QAAQ,EAAE,CAAC;YACb,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC7B,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QACjE,OAAO;IACT,CAAC;IAED,0CAA0C;IAC1C,IAAI,QAAQ,EAAE,CAAC;QACb,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC;IAED,iEAAiE;IACjE,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,OAAO,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC3D,GAAG,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,EAAE;YAC1C,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,KAAK,OAAO;YAClE,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,cAAc;SACvB,CAAC,CAAC;IACL,CAAC;IAED,IAAI,EAAE,CAAC;AACT,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IACjF,6BAA6B;IAC7B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,iDAAiD;IACjD,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,IAAI,GAAG,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;QACpE,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,iDAAiD;IACjD,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;IAEjE,wBAAwB;IACxB,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,SAAS,CAAC;IACjE,MAAM,SAAS,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,QAAQ,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;IAEjE,IAAI,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACnD,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;QACpD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,4BAA4B,MAAM,CAAC,GAAG,iBAAiB,MAAM,CAAC,MAAM,GAAG,IAAI,sBAAsB;SACzG,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,EAAE,CAAC;AACT,CAAC;AAED,gBAAgB;AAChB,MAAM,UAAU,YAAY,CAAC,GAAU,EAAE,IAAa,EAAE,GAAa,EAAE,KAAmB;IACxF,OAAO,CAAC,KAAK,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACjC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,uBAAuB;KAC9C,CAAC,CAAC;AACL,CAAC"}

package/dist/api/pin-auth.d.ts

@@ -0,0 +1,65 @@
+export interface PairingPin {
+    pin: string;
+    token: string;
+    createdAt: number;
+    expiresAt: number;
+    attempts: number;
+}
+declare class PinAuthManager {
+    private activePin;
+    private rateLimitMap;
+    private cleanupInterval;
+    constructor();
+    /**
+     * Generate a cryptographically secure 6-digit PIN
+     */
+    private generatePin;
+    /**
+     * Generate a new pairing PIN
+     * Invalidates any existing PIN
+     */
+    generatePairingPin(authToken: string): {
+        pin: string;
+        expiresAt: number;
+        expiresInSeconds: number;
+    };
+    /**
+     * Get status of active PIN
+     */
+    getPinStatus(): {
+        hasActivePin: boolean;
+        expiresAt?: number;
+        expiresInSeconds?: number;
+    };
+    /**
+     * Invalidate the current PIN
+     */
+    invalidatePin(): boolean;
+    /**
+     * Check rate limiting for IP
+     */
+    checkRateLimit(ip: string): {
+        allowed: boolean;
+        attemptsRemaining?: number;
+    };
+    /**
+     * Validate a PIN with constant-time comparison
+     */
+    validatePin(pin: string, clientIp: string): {
+        success: boolean;
+        token?: string;
+        error?: string;
+        attemptsRemaining?: number;
+    };
+    /**
+     * Start periodic cleanup of expired data
+     */
+    private startCleanup;
+    /**
+     * Stop cleanup interval (for graceful shutdown)
+     */
+    stopCleanup(): void;
+}
+export declare const pinAuthManager: PinAuthManager;
+export {};
+//# sourceMappingURL=pin-auth.d.ts.map

package/dist/api/pin-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pin-auth.d.ts","sourceRoot":"","sources":["../../src/api/pin-auth.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAiBD,cAAM,cAAc;IAClB,OAAO,CAAC,SAAS,CAA2B;IAC5C,OAAO,CAAC,YAAY,CAA0C;IAC9D,OAAO,CAAC,eAAe,CAA+B;;IAOtD;;OAEG;IACH,OAAO,CAAC,WAAW;IAOnB;;;OAGG;IACH,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,gBAAgB,EAAE,MAAM,CAAA;KAAE;IAsBnG;;OAEG;IACH,YAAY,IAAI;QAAE,YAAY,EAAE,OAAO,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;KAAE;IAmBxF;;OAEG;IACH,aAAa,IAAI,OAAO;IASxB;;OAEG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,iBAAiB,CAAC,EAAE,MAAM,CAAA;KAAE;IA6B5E;;OAEG;IACH,WAAW,CACT,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,MAAM,GACf;QACD,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B;IA2FD;;OAEG;IACH,OAAO,CAAC,YAAY;IAoBpB;;OAEG;IACH,WAAW,IAAI,IAAI;CAMpB;AAGD,eAAO,MAAM,cAAc,gBAAuB,CAAC"}