conductor-oss 0.18.2 → 0.18.4

package/web/.next/standalone/packages/web/.next/static/chunks/a8cd591e904d769e.js

@@ -1 +0,0 @@
-(globalThis.TURBOPACK||(globalThis.TURBOPACK=[])).push(["object"==typeof document?document.currentScript:void 0,61766,e=>{"use strict";var c=e.i(95187);let r=(0,c.createServerReference)("00c489341bec725518180a01caf1fa64413a4c4d6c",c.callServer,void 0,c.findSourceMapURL,"createOrReadKeylessAction");e.s(["createOrReadKeylessAction",()=>r])},23151,e=>{"use strict";e.s([],29135),e.i(29135);var c=e.i(95187);let r=(0,c.createServerReference)("40445bd28d7a736859660d7057c8c48b8ec362ec73",c.callServer,void 0,c.findSourceMapURL,"syncKeylessConfigAction");var t=e.i(61766);let s=(0,c.createServerReference)("00cc4dda20652bb1f29681e8287b1ca5afe99700b6",c.callServer,void 0,c.findSourceMapURL,"deleteKeylessAction");var a=e.i(45070);e.s(["createOrReadKeylessAction",()=>t.createOrReadKeylessAction,"deleteKeylessAction",()=>s,"detectKeylessEnvDriftAction",()=>a.detectKeylessEnvDriftAction,"syncKeylessConfigAction",()=>r],23151)}]);

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/feed/stream/route.ts

@@ -1,80 +0,0 @@
-import { getDashboardAccess, guardApiAccess } from "@/lib/auth";
-import { forwardedAccessAuthenticated } from "@/lib/guardedRustProxy";
-import { hasRustBackend } from "@/lib/rustBackendProxy";
-import { NextResponse } from "next/server";
-
-export const dynamic = "force-dynamic";
-export const runtime = "nodejs";
-
-/**
- * SSE streaming endpoint.
- *
- * In Next.js standalone mode, the default route-handler pipeline may buffer
- * the entire Response body (via blob()) before sending, which kills SSE.
- *
- * We handle SSE manually here: open a fetch to the Rust backend, then pipe
- * the raw readable stream back with the correct headers so Next.js treats it
- * as an unbuffered passthrough.
- */
-export async function GET(
-  request: Request,
-  context: { params: Promise<{ id: string }> },
-): Promise<Response> {
-  const denied = await guardApiAccess(request, "viewer");
-  if (denied) return denied;
-
-  if (!hasRustBackend()) {
-    return NextResponse.json(
-      { error: "Rust backend URL is not configured" },
-      { status: 503 },
-    );
-  }
-
-  const { id } = await context.params;
-  const backendUrl = process.env.CONDUCTOR_BACKEND_URL?.trim() ?? "";
-  const target = new URL(
-    `/api/sessions/${encodeURIComponent(id)}/feed/stream`,
-    backendUrl,
-  );
-
-  // Forward query params (e.g. ?since=)
-  const incomingUrl = new URL(request.url);
-  target.search = incomingUrl.search;
-
-  const access = await getDashboardAccess(request);
-  const headers = new Headers({
-    "Accept": "text/event-stream",
-    "Cache-Control": "no-cache",
-    "x-conductor-proxy-authorized": "true",
-    "x-conductor-access-authenticated": forwardedAccessAuthenticated(access) ? "true" : "false",
-  });
-  if (access.role) headers.set("x-conductor-access-role", access.role);
-  if (access.email) headers.set("x-conductor-access-email", access.email);
-  if (access.provider) headers.set("x-conductor-access-provider", access.provider);
-
-  const upstream = await fetch(target, {
-    method: "GET",
-    headers,
-    cache: "no-store",
-    signal: request.signal,
-  });
-
-  if (!upstream.ok || !upstream.body) {
-    return new Response(upstream.body, {
-      status: upstream.status,
-      statusText: upstream.statusText,
-    });
-  }
-
-  // Return the raw stream with SSE headers.
-  // Do NOT use NextResponse — it may buffer.
-  return new Response(upstream.body, {
-    status: 200,
-    headers: {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache, no-transform",
-      "Connection": "keep-alive",
-      "X-Accel-Buffering": "no",
-    },
-  });
-}

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/output/stream/route.ts

@@ -1,80 +0,0 @@
-import { getDashboardAccess, guardApiAccess } from "@/lib/auth";
-import { forwardedAccessAuthenticated } from "@/lib/guardedRustProxy";
-import { hasRustBackend } from "@/lib/rustBackendProxy";
-import { NextResponse } from "next/server";
-
-export const dynamic = "force-dynamic";
-export const runtime = "nodejs";
-
-/**
- * SSE streaming endpoint for session output.
- *
- * In Next.js standalone mode, the default route-handler pipeline may buffer
- * the entire Response body (via blob()) before sending, which kills SSE.
- *
- * We handle SSE manually here: open a fetch to the Rust backend, then pipe
- * the raw readable stream back with the correct headers so Next.js treats it
- * as an unbuffered passthrough.
- */
-export async function GET(
-  request: Request,
-  context: { params: Promise<{ id: string }> },
-): Promise<Response> {
-  const denied = await guardApiAccess(request, "viewer");
-  if (denied) return denied;
-
-  if (!hasRustBackend()) {
-    return NextResponse.json(
-      { error: "Rust backend URL is not configured" },
-      { status: 503 },
-    );
-  }
-
-  const { id } = await context.params;
-  const backendUrl = process.env.CONDUCTOR_BACKEND_URL?.trim() ?? "";
-  const target = new URL(
-    `/api/sessions/${encodeURIComponent(id)}/output/stream`,
-    backendUrl,
-  );
-
-  // Forward query params
-  const incomingUrl = new URL(request.url);
-  target.search = incomingUrl.search;
-
-  const access = await getDashboardAccess(request);
-  const headers = new Headers({
-    "Accept": "text/event-stream",
-    "Cache-Control": "no-cache",
-    "x-conductor-proxy-authorized": "true",
-    "x-conductor-access-authenticated": forwardedAccessAuthenticated(access) ? "true" : "false",
-  });
-  if (access.role) headers.set("x-conductor-access-role", access.role);
-  if (access.email) headers.set("x-conductor-access-email", access.email);
-  if (access.provider) headers.set("x-conductor-access-provider", access.provider);
-
-  const upstream = await fetch(target, {
-    method: "GET",
-    headers,
-    cache: "no-store",
-    signal: request.signal,
-  });
-
-  if (!upstream.ok || !upstream.body) {
-    return new Response(upstream.body, {
-      status: upstream.status,
-      statusText: upstream.statusText,
-    });
-  }
-
-  // Return the raw stream with SSE headers.
-  // Do NOT use NextResponse — it may buffer.
-  return new Response(upstream.body, {
-    status: 200,
-    headers: {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache, no-transform",
-      "Connection": "keep-alive",
-      "X-Accel-Buffering": "no",
-    },
-  });
-}

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/terminal/connection/route.test.ts

@@ -1,343 +0,0 @@
-import assert from "node:assert/strict";
-import test from "node:test";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { NextRequest } from "next/server";
-import {
-  clearRemoteAccessRuntimeState,
-  writeRemoteAccessRuntimeState,
-} from "@/lib/remoteAccessRuntime";
-import { GET } from "./route";
-
-const originalBackendUrl = process.env.CONDUCTOR_BACKEND_URL;
-const originalConfigPath = process.env.CO_CONFIG_PATH;
-const originalWorkspace = process.env.CONDUCTOR_WORKSPACE;
-const originalRequireAuth = process.env.CONDUCTOR_REQUIRE_AUTH;
-const originalDefaultRole = process.env.CONDUCTOR_ACCESS_DEFAULT_ROLE;
-const originalRemoteAccessRuntimePath =
-  process.env.CONDUCTOR_REMOTE_ACCESS_RUNTIME_PATH;
-const originalRemoteAccessToken = process.env.CONDUCTOR_REMOTE_ACCESS_TOKEN;
-const originalRemoteSessionSecret = process.env.CONDUCTOR_REMOTE_SESSION_SECRET;
-const originalFetch = global.fetch;
-
-type TerminalConnectionPayload = {
-  ptyWsUrl: string | null;
-  interactive: boolean;
-};
-
-function resetEnv(): void {
-  delete process.env.CONDUCTOR_BACKEND_URL;
-  process.env.CO_CONFIG_PATH =
-    "/tmp/conductor-terminal-connection-route-test-config-does-not-exist.yaml";
-  process.env.CONDUCTOR_WORKSPACE = "terminal-connection-route-test-workspace";
-  process.env.CONDUCTOR_REQUIRE_AUTH = "";
-  delete process.env.CONDUCTOR_ACCESS_DEFAULT_ROLE;
-  delete process.env.CONDUCTOR_REMOTE_ACCESS_TOKEN;
-  delete process.env.CONDUCTOR_REMOTE_SESSION_SECRET;
-  process.env.CONDUCTOR_REMOTE_ACCESS_RUNTIME_PATH = join(
-    tmpdir(),
-    "conductor-terminal-connection-route-runtime.json"
-  );
-  clearRemoteAccessRuntimeState();
-}
-
-type MockSessionConnectionFetchOptions = {
-  id: string;
-  token?: {
-    token?: string | null;
-    required?: boolean;
-    expiresInSeconds?: number | null;
-    error?: string;
-  };
-};
-
-function setMockSessionConnectionFetch({
-  id,
-  token,
-}: MockSessionConnectionFetchOptions): void {
-  const terminalTokenUrl = `/api/sessions/${encodeURIComponent(
-    id
-  )}/terminal/token`;
-  global.fetch = (async (input: string | Request | URL) => {
-    const url =
-      typeof input === "string" || input instanceof URL
-        ? new URL(input)
-        : new URL(input.url);
-    if (url.pathname === terminalTokenUrl) {
-      if (token === undefined) {
-        throw new Error("terminal token lookup should not run for this test");
-      }
-      return new Response(JSON.stringify(token), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-
-    throw new Error(
-      `Unexpected fetch in terminal connection route test: ${url.pathname}`
-    );
-  }) as typeof fetch;
-}
-
-function assertJsonResponse(
-  response: Response
-): Promise<TerminalConnectionPayload> {
-  return response.json() as Promise<TerminalConnectionPayload>;
-}
-
-test.afterEach(() => {
-  resetEnv();
-});
-
-test.after(() => {
-  if (originalBackendUrl === undefined) {
-    delete process.env.CONDUCTOR_BACKEND_URL;
-  } else {
-    process.env.CONDUCTOR_BACKEND_URL = originalBackendUrl;
-  }
-
-  if (originalConfigPath === undefined) {
-    delete process.env.CO_CONFIG_PATH;
-  } else {
-    process.env.CO_CONFIG_PATH = originalConfigPath;
-  }
-
-  if (originalWorkspace === undefined) {
-    delete process.env.CONDUCTOR_WORKSPACE;
-  } else {
-    process.env.CONDUCTOR_WORKSPACE = originalWorkspace;
-  }
-
-  if (originalRequireAuth === undefined) {
-    delete process.env.CONDUCTOR_REQUIRE_AUTH;
-  } else {
-    process.env.CONDUCTOR_REQUIRE_AUTH = originalRequireAuth;
-  }
-
-  if (originalDefaultRole === undefined) {
-    delete process.env.CONDUCTOR_ACCESS_DEFAULT_ROLE;
-  } else {
-    process.env.CONDUCTOR_ACCESS_DEFAULT_ROLE = originalDefaultRole;
-  }
-
-  if (originalRemoteAccessRuntimePath === undefined) {
-    delete process.env.CONDUCTOR_REMOTE_ACCESS_RUNTIME_PATH;
-  } else {
-    process.env.CONDUCTOR_REMOTE_ACCESS_RUNTIME_PATH =
-      originalRemoteAccessRuntimePath;
-  }
-
-  if (originalRemoteAccessToken === undefined) {
-    delete process.env.CONDUCTOR_REMOTE_ACCESS_TOKEN;
-  } else {
-    process.env.CONDUCTOR_REMOTE_ACCESS_TOKEN = originalRemoteAccessToken;
-  }
-
-  if (originalRemoteSessionSecret === undefined) {
-    delete process.env.CONDUCTOR_REMOTE_SESSION_SECRET;
-  } else {
-    process.env.CONDUCTOR_REMOTE_SESSION_SECRET = originalRemoteSessionSecret;
-  }
-
-  global.fetch = originalFetch;
-  clearRemoteAccessRuntimeState();
-});
-
-test("GET returns ptyWsUrl and interactive for loopback dashboard requests", async () => {
-  resetEnv();
-  process.env.CONDUCTOR_BACKEND_URL = "http://127.0.0.1:4749";
-
-  global.fetch = (async (input: string | Request | URL) => {
-    const url =
-      typeof input === "string" || input instanceof URL
-        ? new URL(input)
-        : new URL(input.url);
-    if (url.pathname.includes("/terminal/token")) {
-      return new Response(JSON.stringify({ required: false }), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-    throw new Error(`Unexpected fetch: ${url.pathname}`);
-  }) as typeof fetch;
-
-  try {
-    const response = await GET(
-      new NextRequest(
-        "http://127.0.0.1:3000/api/sessions/session-1/terminal/connection"
-      ),
-      { params: Promise.resolve({ id: "session-1" }) }
-    );
-
-    assert.equal(response.status, 200);
-    const payload = await assertJsonResponse(response);
-
-    assert.equal(
-      payload.ptyWsUrl,
-      "ws://127.0.0.1:4749/api/sessions/session-1/terminal/ws?protocol=ttyd"
-    );
-    assert.equal(payload.interactive, true);
-  } finally {
-    global.fetch = originalFetch;
-  }
-});
-
-test("GET returns null ptyWsUrl for viewers without operator access", async () => {
-  resetEnv();
-  process.env.CONDUCTOR_BACKEND_URL = "http://127.0.0.1:4749";
-  process.env.CONDUCTOR_ACCESS_DEFAULT_ROLE = "viewer";
-
-  writeRemoteAccessRuntimeState({
-    status: "ready",
-    provider: "tailscale",
-    publicUrl: "https://laptop.tailnet.ts.net",
-    localUrl: "http://127.0.0.1:3000",
-    accessToken: null,
-    sessionSecret: null,
-    tunnelPid: null,
-    logPath: null,
-    lastError: null,
-    startedAt: new Date().toISOString(),
-  });
-
-  try {
-    const request = new NextRequest(
-      "https://laptop.tailnet.ts.net/api/sessions/session-1/terminal/connection",
-      {
-        headers: {
-          "Tailscale-User-Login": "viewer@example.com",
-        },
-      }
-    );
-    const response = await GET(request, {
-      params: Promise.resolve({ id: "session-1" }),
-    });
-
-    assert.equal(response.status, 200);
-    const payload = await assertJsonResponse(response);
-
-    assert.equal(payload.ptyWsUrl, null);
-    assert.equal(payload.interactive, false);
-  } finally {
-    global.fetch = originalFetch;
-  }
-});
-
-test("GET appends a control token to the direct PTY websocket when auth is required", async () => {
-  resetEnv();
-  process.env.CONDUCTOR_BACKEND_URL = "http://127.0.0.1:4749";
-  process.env.CONDUCTOR_REQUIRE_AUTH = "true";
-
-  setMockSessionConnectionFetch({
-    id: "session-1",
-    token: {
-      required: true,
-      token: "signed-terminal-token",
-      expiresInSeconds: 60,
-    },
-  });
-
-  try {
-    const response = await GET(
-      new NextRequest(
-        "http://127.0.0.1:3000/api/sessions/session-1/terminal/connection"
-      ),
-      { params: Promise.resolve({ id: "session-1" }) }
-    );
-
-    assert.equal(response.status, 200);
-    const payload = await assertJsonResponse(response);
-    assert.equal(
-      payload.ptyWsUrl,
-      "ws://127.0.0.1:4749/api/sessions/session-1/terminal/ws?protocol=ttyd&token=signed-terminal-token"
-    );
-    assert.equal(payload.interactive, true);
-  } finally {
-    global.fetch = originalFetch;
-  }
-});
-
-test("GET falls back to ptyWsUrl without token when token fetch fails", async () => {
-  resetEnv();
-  process.env.CONDUCTOR_BACKEND_URL = "http://127.0.0.1:4749";
-
-  global.fetch = (async () => {
-    throw new Error("token endpoint unreachable");
-  }) as typeof fetch;
-
-  try {
-    const response = await GET(
-      new NextRequest(
-        "http://127.0.0.1:3000/api/sessions/session-1/terminal/connection"
-      ),
-      { params: Promise.resolve({ id: "session-1" }) }
-    );
-
-    assert.equal(response.status, 200);
-    const payload = await assertJsonResponse(response);
-
-    assert.equal(
-      payload.ptyWsUrl,
-      "ws://127.0.0.1:4749/api/sessions/session-1/terminal/ws?protocol=ttyd"
-    );
-    assert.equal(payload.interactive, true);
-  } finally {
-    global.fetch = originalFetch;
-  }
-});
-
-test("GET uses wss: protocol when backend URL is https", async () => {
-  resetEnv();
-  process.env.CONDUCTOR_BACKEND_URL = "https://backend.example.com:4749";
-
-  writeRemoteAccessRuntimeState({
-    status: "ready",
-    provider: "tailscale",
-    publicUrl: "https://dashboard.example.com",
-    localUrl: "http://127.0.0.1:3000",
-    accessToken: null,
-    sessionSecret: null,
-    tunnelPid: null,
-    logPath: null,
-    lastError: null,
-    startedAt: new Date().toISOString(),
-  });
-
-  global.fetch = (async (input: string | Request | URL) => {
-    const url =
-      typeof input === "string" || input instanceof URL
-        ? new URL(input)
-        : new URL(input.url);
-    if (url.pathname.includes("/terminal/token")) {
-      return new Response(JSON.stringify({ required: false }), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-    throw new Error(`Unexpected fetch: ${url.pathname}`);
-  }) as typeof fetch;
-
-  try {
-    const response = await GET(
-      new NextRequest(
-        "https://dashboard.example.com/api/sessions/session-1/terminal/connection",
-        {
-          headers: {
-            "Tailscale-User-Login": "dev@example.com",
-          },
-        }
-      ),
-      { params: Promise.resolve({ id: "session-1" }) }
-    );
-
-    assert.equal(response.status, 200);
-    const payload = await assertJsonResponse(response);
-    assert.equal(
-      payload.ptyWsUrl,
-      "wss://backend.example.com:4749/api/sessions/session-1/terminal/ws?protocol=ttyd"
-    );
-    assert.equal(payload.interactive, true);
-  } finally {
-    global.fetch = originalFetch;
-  }
-});

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/terminal/connection/route.ts

@@ -1,120 +0,0 @@
-import { roleMeetsRequirement } from "@/lib/accessControl";
-import {
-  getDashboardAccess,
-  guardApiAccess,
-} from "@/lib/auth";
-import { buildForwardedAccessHeaders } from "@/lib/guardedRustProxy";
-import { NextResponse } from "next/server";
-
-export const dynamic = "force-dynamic";
-export const runtime = "nodejs";
-
-type TerminalTokenPayload = {
-  token?: string | null;
-  required?: boolean;
-  expiresInSeconds?: number | null;
-  error?: string;
-};
-
-function resolveBackendTerminalWsUrl(backendUrl: string, id: string): URL {
-  const wsUrl = new URL(backendUrl);
-  wsUrl.protocol = wsUrl.protocol === "https:" ? "wss:" : "ws:";
-  wsUrl.pathname = `/api/sessions/${encodeURIComponent(id)}/terminal/ws`;
-  wsUrl.search = "";
-  return wsUrl;
-}
-
-/**
- * Resolve the direct ttyd WebSocket URL for a session.
- * Always asks the backend whether a terminal token is required — the backend
- * is the single source of truth for access-control decisions.
- */
-async function resolvePtyWsUrl(
-  request: Request,
-  backendUrl: string,
-  id: string
-): Promise<string> {
-  const wsUrl = resolveBackendTerminalWsUrl(backendUrl, id);
-  wsUrl.searchParams.set("protocol", "ttyd");
-
-  const tokenUrl = new URL(
-    `/api/sessions/${encodeURIComponent(id)}/terminal/token`,
-    backendUrl
-  );
-
-  let payload: TerminalTokenPayload | null = null;
-  try {
-    const response = await fetch(tokenUrl, {
-      method: "GET",
-      headers: await buildForwardedAccessHeaders(request),
-      cache: "no-store",
-      signal: request.signal,
-    });
-    payload = (await response.json().catch(() => null)) as
-      | TerminalTokenPayload
-      | null;
-    if (!response.ok) {
-      throw new Error(
-        payload?.error ?? `Failed to resolve terminal token: ${response.status}`
-      );
-    }
-  } catch (err) {
-    console.warn("[Terminal Connection] Token fetch failed, proceeding without token:", {
-      error: err instanceof Error ? err.message : String(err),
-    });
-    return wsUrl.toString();
-  }
-
-  if (payload?.required !== true) {
-    return wsUrl.toString();
-  }
-
-  const token =
-    typeof payload.token === "string" ? payload.token.trim() : "";
-  if (!token) {
-    throw new Error("Terminal token response did not include a control token");
-  }
-
-  wsUrl.searchParams.set("token", token);
-  return wsUrl.toString();
-}
-
-export async function GET(
-  request: Request,
-  context: { params: Promise<{ id: string }> }
-): Promise<Response> {
-  const denied = await guardApiAccess(request, "viewer");
-  if (denied) return denied;
-
-  const { id } = await context.params;
-  const access = await getDashboardAccess(request);
-  const interactive = access.role
-    ? roleMeetsRequirement(access.role, "operator")
-    : false;
-
-  if (!interactive) {
-    return NextResponse.json({
-      ptyWsUrl: null,
-      interactive: false,
-    });
-  }
-
-  const configuredBackendUrl = process.env.CONDUCTOR_BACKEND_URL?.trim();
-  const backendUrl = configuredBackendUrl || "http://127.0.0.1:4749";
-
-  let ptyWsUrl: string | null = null;
-  try {
-    ptyWsUrl = await resolvePtyWsUrl(request, backendUrl, id);
-  } catch (error) {
-    console.warn("[Terminal Connection] Failed to resolve direct terminal websocket URL", {
-      error: error instanceof Error ? error.message : String(error),
-      backendUrl,
-      sessionId: id,
-    });
-  }
-
-  return NextResponse.json({
-    ptyWsUrl,
-    interactive: true,
-  });
-}