codepiper 0.1.0

package/packages/daemon/src/api/analyticsRoutes.ts

@@ -0,0 +1,343 @@
+/**
+ * Analytics API routes for web dashboard
+ *
+ * Shows token consumption, cache efficiency, activity patterns,
+ * and estimated equivalent API cost (useful for Max plan users
+ * to understand the value of their subscription).
+ */
+
+import type { EventBus } from "@codepiper/core";
+import { calculateCost, getPricingForModel } from "../config/pricing";
+import type { Database } from "../db/db";
+import type { AuditLogger } from "../sessions/auditLogger";
+import type { PolicyEngine } from "../sessions/policyEngine";
+import type { SessionManager } from "../sessions/sessionManager";
+
+export interface RouteContext {
+  sessionManager: SessionManager;
+  db: Database;
+  eventBus: EventBus;
+  policyEngine: PolicyEngine;
+  auditLogger: AuditLogger;
+}
+
+interface TimeRange {
+  start: number;
+  end: number;
+}
+
+function parseTimeRange(url: URL): TimeRange {
+  const range = url.searchParams.get("range") || "7d";
+  const now = Date.now();
+
+  switch (range) {
+    case "today":
+      return {
+        start: new Date(new Date().setHours(0, 0, 0, 0)).getTime(),
+        end: now,
+      };
+    case "7d":
+      return { start: now - 7 * 24 * 60 * 60 * 1000, end: now };
+    case "30d":
+      return { start: now - 30 * 24 * 60 * 60 * 1000, end: now };
+    case "all":
+      return { start: 0, end: now };
+    default:
+      return { start: now - 7 * 24 * 60 * 60 * 1000, end: now };
+  }
+}
+
+/**
+ * GET /analytics/overview
+ */
+export async function handleAnalyticsOverview(req: Request, ctx: RouteContext): Promise<Response> {
+  const url = new URL(req.url);
+  const { start, end } = parseTimeRange(url);
+
+  const sessionsCount = ctx.db.db
+    .prepare("SELECT COUNT(*) as count FROM sessions WHERE created_at >= ? AND created_at <= ?")
+    .get(start, end) as { count: number };
+
+  const activeSessions = ctx.db.db
+    .prepare(
+      "SELECT COUNT(*) as count FROM sessions WHERE status IN ('RUNNING','STARTING','NEEDS_INPUT','NEEDS_PERMISSION')"
+    )
+    .get() as { count: number };
+
+  const totalTokens = ctx.db.db
+    .prepare(
+      "SELECT COALESCE(SUM(total_tokens), 0) as tokens FROM token_usage WHERE timestamp >= ? AND timestamp <= ?"
+    )
+    .get(start, end) as { tokens: number };
+
+  const tokenBreakdown = ctx.db.db
+    .prepare(
+      `SELECT
+        COALESCE(SUM(prompt_tokens), 0) as inputTokens,
+        COALESCE(SUM(completion_tokens), 0) as outputTokens,
+        COALESCE(SUM(cache_read_input_tokens), 0) as cacheReadTokens,
+        COALESCE(SUM(cache_creation_input_tokens), 0) as cacheCreationTokens
+      FROM token_usage WHERE timestamp >= ? AND timestamp <= ?`
+    )
+    .get(start, end) as {
+    inputTokens: number;
+    outputTokens: number;
+    cacheReadTokens: number;
+    cacheCreationTokens: number;
+  };
+
+  // Total messages (user + assistant transcript events)
+  const totalMessages = ctx.db.db
+    .prepare(
+      `SELECT COUNT(*) as count FROM events
+       WHERE source = 'transcript' AND type IN ('user', 'assistant')
+       AND ts >= ? AND ts <= ?`
+    )
+    .get(start, end) as { count: number };
+
+  // Cache hit rate
+  const cacheStats = ctx.db.db
+    .prepare(
+      `SELECT
+        COALESCE(SUM(cache_read_input_tokens), 0) as cache_hits,
+        COALESCE(SUM(prompt_tokens + cache_creation_input_tokens + cache_read_input_tokens), 0) as total_input
+      FROM token_usage
+      WHERE timestamp >= ? AND timestamp <= ?`
+    )
+    .get(start, end) as { cache_hits: number; total_input: number };
+
+  const cacheHitRate =
+    cacheStats.total_input > 0 ? (cacheStats.cache_hits / cacheStats.total_input) * 100 : 0;
+
+  // Compute estimated equivalent API cost
+  const costRows = ctx.db.db
+    .prepare(
+      `SELECT model,
+        COALESCE(SUM(prompt_tokens), 0) as prompt,
+        COALESCE(SUM(completion_tokens), 0) as completion,
+        COALESCE(SUM(cache_creation_input_tokens), 0) as cache_creation,
+        COALESCE(SUM(cache_read_input_tokens), 0) as cache_read
+      FROM token_usage
+      WHERE timestamp >= ? AND timestamp <= ?
+      GROUP BY model`
+    )
+    .all(start, end) as Array<{
+    model: string;
+    prompt: number;
+    completion: number;
+    cache_creation: number;
+    cache_read: number;
+  }>;
+
+  let costEstimate = 0;
+  for (const row of costRows) {
+    const pricing = getPricingForModel(row.model);
+    costEstimate += calculateCost(
+      row.prompt,
+      row.completion,
+      row.cache_creation,
+      row.cache_read,
+      pricing
+    );
+  }
+
+  return Response.json({
+    sessionsCount: sessionsCount.count,
+    activeSessions: activeSessions.count,
+    totalTokens: totalTokens.tokens,
+    inputTokens: tokenBreakdown.inputTokens,
+    outputTokens: tokenBreakdown.outputTokens,
+    cacheReadTokens: tokenBreakdown.cacheReadTokens,
+    cacheCreationTokens: tokenBreakdown.cacheCreationTokens,
+    totalMessages: totalMessages.count,
+    cacheHitRate: Math.round(cacheHitRate * 10) / 10,
+    costEstimate: Math.round(costEstimate * 100) / 100,
+  });
+}
+
+/**
+ * GET /analytics/activity-timeline
+ * Messages per day (user + assistant)
+ */
+export async function handleActivityTimeline(req: Request, ctx: RouteContext): Promise<Response> {
+  const url = new URL(req.url);
+  const { start, end } = parseTimeRange(url);
+
+  const data = ctx.db.db
+    .prepare(
+      `SELECT
+        DATE(ts / 1000, 'unixepoch') as date,
+        SUM(CASE WHEN type = 'user' THEN 1 ELSE 0 END) as user_messages,
+        SUM(CASE WHEN type = 'assistant' THEN 1 ELSE 0 END) as assistant_messages,
+        COUNT(*) as total
+      FROM events
+      WHERE source = 'transcript' AND type IN ('user', 'assistant')
+      AND ts >= ? AND ts <= ?
+      GROUP BY date
+      ORDER BY date`
+    )
+    .all(start, end);
+
+  return Response.json(data);
+}
+
+/**
+ * GET /analytics/tokens-by-model
+ * Token distribution by model
+ */
+export async function handleTokensByModel(req: Request, ctx: RouteContext): Promise<Response> {
+  const url = new URL(req.url);
+  const { start, end } = parseTimeRange(url);
+
+  const rows = ctx.db.db
+    .prepare(
+      `SELECT
+        model,
+        SUM(total_tokens) as tokens,
+        SUM(prompt_tokens) as prompt_tokens,
+        SUM(completion_tokens) as completion_tokens,
+        SUM(cache_read_input_tokens) as cache_read,
+        SUM(cache_creation_input_tokens) as cache_creation,
+        COUNT(*) as requests
+      FROM token_usage
+      WHERE timestamp >= ? AND timestamp <= ?
+      GROUP BY model
+      ORDER BY tokens DESC`
+    )
+    .all(start, end) as Array<{
+    model: string;
+    tokens: number;
+    prompt_tokens: number;
+    completion_tokens: number;
+    cache_read: number;
+    cache_creation: number;
+    requests: number;
+  }>;
+
+  const data = rows.map((row) => {
+    const pricing = getPricingForModel(row.model);
+    const cost = calculateCost(
+      row.prompt_tokens,
+      row.completion_tokens,
+      row.cache_creation,
+      row.cache_read,
+      pricing
+    );
+    return { ...row, costEstimate: Math.round(cost * 100) / 100 };
+  });
+
+  return Response.json(data);
+}
+
+/**
+ * GET /analytics/token-usage
+ * Token usage breakdown over time
+ */
+export async function handleTokenUsage(req: Request, ctx: RouteContext): Promise<Response> {
+  const url = new URL(req.url);
+  const { start, end } = parseTimeRange(url);
+
+  const data = ctx.db.db
+    .prepare(
+      `SELECT
+        DATE(timestamp / 1000, 'unixepoch') as date,
+        COALESCE(SUM(prompt_tokens), 0) as prompt,
+        COALESCE(SUM(completion_tokens), 0) as completion,
+        COALESCE(SUM(cache_creation_input_tokens), 0) as cacheCreation,
+        COALESCE(SUM(cache_read_input_tokens), 0) as cacheRead
+      FROM token_usage
+      WHERE timestamp >= ? AND timestamp <= ?
+      GROUP BY date
+      ORDER BY date`
+    )
+    .all(start, end);
+
+  return Response.json(data);
+}
+
+/**
+ * GET /analytics/sessions-by-provider
+ */
+export async function handleSessionsByProvider(req: Request, ctx: RouteContext): Promise<Response> {
+  const url = new URL(req.url);
+  const { start, end } = parseTimeRange(url);
+
+  const data = ctx.db.db
+    .prepare(
+      `SELECT provider, COUNT(*) as count
+      FROM sessions
+      WHERE created_at >= ? AND created_at <= ?
+      GROUP BY provider
+      ORDER BY count DESC`
+    )
+    .all(start, end);
+
+  return Response.json(data);
+}
+
+/**
+ * GET /analytics/tool-usage
+ * Top tools used across sessions
+ */
+export async function handleToolUsage(req: Request, ctx: RouteContext): Promise<Response> {
+  const url = new URL(req.url);
+  const { start, end } = parseTimeRange(url);
+
+  // Tool uses are stored as assistant events with content arrays containing tool_use blocks.
+  // We extract tool names from the payload JSON.
+  const rows = ctx.db.db
+    .prepare(
+      `SELECT payload_json FROM events
+       WHERE source = 'transcript' AND type = 'assistant'
+       AND ts >= ? AND ts <= ?`
+    )
+    .all(start, end) as Array<{ payload_json: string }>;
+
+  const toolCounts: Record<string, number> = {};
+
+  for (const row of rows) {
+    try {
+      const parsed = JSON.parse(row.payload_json);
+      const content = parsed.message?.content;
+      if (Array.isArray(content)) {
+        for (const block of content) {
+          if (block.type === "tool_use" && block.name) {
+            toolCounts[block.name] = (toolCounts[block.name] || 0) + 1;
+          }
+        }
+      }
+    } catch {
+      // skip
+    }
+  }
+
+  const data = Object.entries(toolCounts)
+    .map(([tool, count]) => ({ tool, count }))
+    .sort((a, b) => b.count - a.count)
+    .slice(0, 15);
+
+  return Response.json(data);
+}
+
+/**
+ * GET /analytics/policy-decisions
+ */
+export async function handlePolicyDecisions(req: Request, ctx: RouteContext): Promise<Response> {
+  const url = new URL(req.url);
+  const { start, end } = parseTimeRange(url);
+
+  const data = ctx.db.db
+    .prepare(
+      `SELECT
+        DATE(timestamp / 1000, 'unixepoch') as date,
+        decision,
+        COUNT(*) as count
+      FROM policy_decisions
+      WHERE timestamp >= ? AND timestamp <= ?
+      GROUP BY date, decision
+      ORDER BY date`
+    )
+    .all(start, end);
+
+  return Response.json(data);
+}

package/packages/daemon/src/api/authRoutes.ts

@@ -0,0 +1,344 @@
+/**
+ * Authentication API route handlers.
+ */
+
+import {
+  buildClearOnboardingCookie,
+  buildClearSessionCookie,
+  buildOnboardingCookie,
+  buildSessionCookie,
+  extractAndHashOnboardingToken,
+  extractAndHashToken,
+  getClientIp,
+  shouldUseSecureCookies,
+} from "../auth/authMiddleware";
+import { AuthError } from "../auth/authService";
+import type { RouteContext } from "./routes";
+
+const SESSION_MAX_AGE_SECONDS = 7 * 24 * 60 * 60; // 7 days
+const ONBOARDING_MAX_AGE_SECONDS = 24 * 60 * 60; // 24 hours
+
+function getStringField(body: Record<string, unknown>, field: string): string | undefined {
+  const value = body[field];
+  return typeof value === "string" ? value : undefined;
+}
+
+function jsonWithCookies(
+  payload: Record<string, unknown>,
+  status: number,
+  cookies: string[]
+): Response {
+  const headers = new Headers({
+    "Content-Type": "application/json",
+  });
+  for (const cookie of cookies) {
+    headers.append("Set-Cookie", cookie);
+  }
+  return new Response(JSON.stringify(payload), { status, headers });
+}
+
+// ─── Public Routes ──────────────────────────────────────────────────
+
+export async function handleAuthStatus(req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    // Auth not configured — report disabled, NOT authenticated
+    return Response.json({
+      setupRequired: false,
+      mfaEnabled: false,
+      authenticated: false,
+      authEnabled: false,
+    });
+  }
+
+  const setupRequired = authService.isSetupRequired();
+  const mfaSetupRequired = !setupRequired && authService.isMfaSetupPending();
+  const tokenHash = extractAndHashToken(req);
+  const authenticated = tokenHash ? authService.validateSession(tokenHash) : false;
+
+  let mfaEnabled = false;
+  if (!setupRequired) {
+    const config = ctx.db.getAuthConfig();
+    mfaEnabled = config?.totpEnabled ?? false;
+  }
+
+  return Response.json({ setupRequired, mfaEnabled, mfaSetupRequired, authenticated });
+}
+
+export async function handleAuthSetup(req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  if (!authService.isSetupRequired()) {
+    return Response.json({ error: "Password is already configured" }, { status: 400 });
+  }
+
+  try {
+    const body = (await req.json()) as Record<string, unknown>;
+    const password = getStringField(body, "password");
+    if (!password) {
+      return Response.json({ error: "Password is required" }, { status: 400 });
+    }
+
+    const ip = getClientIp(req);
+    const ua = req.headers.get("User-Agent");
+    const result = await authService.setupPassword(password, ip, ua);
+    const secureCookie = shouldUseSecureCookies(req);
+
+    return jsonWithCookies({ ok: true, mfaSetupRequired: true }, 200, [
+      buildOnboardingCookie(result.onboardingToken, ONBOARDING_MAX_AGE_SECONDS, secureCookie),
+      buildClearSessionCookie(secureCookie),
+    ]);
+  } catch (error) {
+    if (error instanceof AuthError) {
+      return Response.json({ error: error.message, code: error.code }, { status: 400 });
+    }
+    throw error;
+  }
+}
+
+export async function handleAuthLogin(req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  const rateLimiter = ctx.rateLimiter;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  const ip = getClientIp(req);
+  const secureCookie = shouldUseSecureCookies(req);
+
+  // Rate limit check
+  if (rateLimiter) {
+    const check = rateLimiter.check(ip);
+    if (!check.allowed) {
+      const retryAfter = Math.ceil((check.retryAfterMs || 0) / 1000);
+      return new Response(JSON.stringify({ error: "Too many login attempts", retryAfter }), {
+        status: 429,
+        headers: {
+          "Content-Type": "application/json",
+          "Retry-After": String(retryAfter),
+        },
+      });
+    }
+  }
+
+  try {
+    const body = (await req.json()) as Record<string, unknown>;
+    const password = getStringField(body, "password");
+    const totpCode = getStringField(body, "totpCode");
+    if (!password) {
+      return Response.json({ error: "Password is required" }, { status: 400 });
+    }
+
+    const ua = req.headers.get("User-Agent");
+    const result = await authService.login(password, totpCode, ip, ua);
+
+    if ("mfaSetupRequired" in result) {
+      rateLimiter?.recordSuccess(ip);
+      return jsonWithCookies({ mfaSetupRequired: true }, 401, [
+        buildOnboardingCookie(result.onboardingToken, ONBOARDING_MAX_AGE_SECONDS, secureCookie),
+        buildClearSessionCookie(secureCookie),
+      ]);
+    }
+
+    if ("mfaRequired" in result) {
+      return Response.json({ mfaRequired: true }, { status: 401 });
+    }
+
+    // Success — reset rate limiter
+    rateLimiter?.recordSuccess(ip);
+
+    return new Response(JSON.stringify({ ok: true, token: result.token }), {
+      status: 200,
+      headers: {
+        "Content-Type": "application/json",
+        "Set-Cookie": buildSessionCookie(result.token, SESSION_MAX_AGE_SECONDS, secureCookie),
+      },
+    });
+  } catch (error) {
+    if (error instanceof AuthError) {
+      rateLimiter?.recordFailure(ip);
+      // Return generic message — don't reveal whether password or TOTP failed
+      if (error.code === "INVALID_CREDENTIALS" || error.code === "INVALID_TOTP") {
+        return Response.json(
+          { error: "Invalid credentials", code: "INVALID_CREDENTIALS" },
+          { status: 401 }
+        );
+      }
+      return Response.json({ error: error.message, code: error.code }, { status: 400 });
+    }
+    throw error;
+  }
+}
+
+// ─── Authenticated Routes ───────────────────────────────────────────
+
+export async function handleAuthLogout(req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  const tokenHash = extractAndHashToken(req);
+  if (tokenHash) {
+    authService.revokeSession(tokenHash);
+  }
+  const secureCookie = shouldUseSecureCookies(req);
+
+  return jsonWithCookies({ ok: true }, 200, [
+    buildClearSessionCookie(secureCookie),
+    buildClearOnboardingCookie(secureCookie),
+  ]);
+}
+
+export async function handleAuthChangePassword(req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  try {
+    const body = (await req.json()) as Record<string, unknown>;
+    const currentPassword = getStringField(body, "currentPassword");
+    const newPassword = getStringField(body, "newPassword");
+    if (!(currentPassword && newPassword)) {
+      return Response.json(
+        { error: "Both currentPassword and newPassword are required" },
+        { status: 400 }
+      );
+    }
+
+    await authService.changePassword(currentPassword, newPassword);
+    const secureCookie = shouldUseSecureCookies(req);
+
+    return jsonWithCookies({ ok: true }, 200, [
+      buildClearSessionCookie(secureCookie),
+      buildClearOnboardingCookie(secureCookie),
+    ]);
+  } catch (error) {
+    if (error instanceof AuthError) {
+      return Response.json({ error: error.message, code: error.code }, { status: 400 });
+    }
+    throw error;
+  }
+}
+
+// ─── MFA Routes ─────────────────────────────────────────────────────
+
+export async function handleMfaSetup(_req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  const result = await authService.generateTotpSetup();
+  return Response.json(result);
+}
+
+export async function handleMfaVerify(req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  try {
+    const body = (await req.json()) as Record<string, unknown>;
+    const totpCode = getStringField(body, "totpCode");
+    if (!totpCode) {
+      return Response.json({ error: "TOTP code is required" }, { status: 400 });
+    }
+
+    const onboardingTokenHash = extractAndHashOnboardingToken(req);
+    const isOnboardingRequest =
+      onboardingTokenHash !== null && authService.validateOnboardingToken(onboardingTokenHash);
+
+    if (isOnboardingRequest) {
+      const ip = getClientIp(req);
+      const ua = req.headers.get("User-Agent");
+      const result = await authService.completeOnboardingMfa(totpCode, ip, ua);
+      const secureCookie = shouldUseSecureCookies(req);
+      return jsonWithCookies({ recoveryCodes: result.recoveryCodes, token: result.token }, 200, [
+        buildSessionCookie(result.token, SESSION_MAX_AGE_SECONDS, secureCookie),
+        buildClearOnboardingCookie(secureCookie),
+      ]);
+    }
+
+    const result = await authService.verifyAndEnableTotp(totpCode);
+    return Response.json(result);
+  } catch (error) {
+    if (error instanceof AuthError) {
+      return Response.json({ error: error.message, code: error.code }, { status: 400 });
+    }
+    throw error;
+  }
+}
+
+// ─── Session Management Routes ──────────────────────────────────────
+
+export async function handleAuthSessions(_req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  const sessions = authService.listSessions();
+  // Redact token hashes — only show metadata
+  const redacted = sessions.map((s) => ({
+    createdAt: s.createdAt,
+    expiresAt: s.expiresAt,
+    lastUsedAt: s.lastUsedAt,
+    ipAddress: s.ipAddress,
+    userAgent: s.userAgent,
+  }));
+
+  return Response.json({ sessions: redacted });
+}
+
+export async function handleAuthRevokeAll(req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  const currentTokenHash = extractAndHashToken(req);
+  authService.revokeAllSessions(currentTokenHash ?? undefined);
+
+  return Response.json({ ok: true });
+}
+
+// ─── CLI-Only Routes (Unix socket access only) ──────────────────────
+
+export async function handleCliResetPassword(req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  try {
+    const body = (await req.json()) as Record<string, unknown>;
+    const password = getStringField(body, "password");
+    if (!password) {
+      return Response.json({ error: "Password is required" }, { status: 400 });
+    }
+
+    await authService.resetPassword(password);
+    return Response.json({ ok: true });
+  } catch (error) {
+    if (error instanceof AuthError) {
+      return Response.json({ error: error.message, code: error.code }, { status: 400 });
+    }
+    throw error;
+  }
+}
+
+export async function handleCliResetMfa(_req: Request, ctx: RouteContext): Promise<Response> {
+  const authService = ctx.authService;
+  if (!authService) {
+    return Response.json({ error: "Auth not configured" }, { status: 500 });
+  }
+
+  authService.resetMfa();
+  return Response.json({ ok: true });
+}