npm - conductor-oss - Versions diffs - 0.2.4 → 0.2.6 - Mend

conductor-oss 0.2.4 → 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (502) hide show

package/web/.next/standalone/packages/web/src/app/api/access/route.ts ADDED Viewed

@@ -0,0 +1,214 @@
+import { type NextRequest, NextResponse } from "next/server";
+import { readFile, writeFile } from "node:fs/promises";
+import { parse, stringify } from "yaml";
+import type { DashboardAccessConfig, DashboardRoleBindings } from "@conductor-oss/core/types";
+import { getDashboardAccess, guardApiAccess, guardApiActionAccess } from "@/lib/auth";
+import { getServices, invalidateServicesCache } from "@/lib/services";
+import { normalizeRootProjectPaths } from "@/lib/projectConfigSync";
+export const dynamic = "force-dynamic";
+type MutableConfig = Record<string, unknown>;
+type AccessPatchBody = {
+  requireAuth?: unknown;
+  defaultRole?: unknown;
+  trustedHeaders?: unknown;
+  roles?: unknown;
+};
+function toObject(value: unknown): Record<string, unknown> {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return {};
+  return { ...(value as Record<string, unknown>) };
+}
+function asOptionalRole(value: unknown): DashboardAccessConfig["defaultRole"] | undefined {
+  if (value === "viewer" || value === "operator" || value === "admin") {
+    return value;
+  }
+  return undefined;
+}
+function normalizeStringList(value: unknown): string[] {
+  if (Array.isArray(value)) {
+    return value
+      .filter((item): item is string => typeof item === "string")
+      .map((item) => item.trim())
+      .filter(Boolean);
+  }
+  if (typeof value !== "string") return [];
+  return value
+    .split(/[\n,]+/g)
+    .map((item) => item.trim())
+    .filter(Boolean);
+}
+function normalizeRoles(value: unknown): DashboardRoleBindings | undefined {
+  const root = toObject(value);
+  const next: DashboardRoleBindings = {};
+  const viewers = normalizeStringList(root["viewers"]);
+  const operators = normalizeStringList(root["operators"]);
+  const admins = normalizeStringList(root["admins"]);
+  const viewerDomains = normalizeStringList(root["viewerDomains"]);
+  const operatorDomains = normalizeStringList(root["operatorDomains"]);
+  const adminDomains = normalizeStringList(root["adminDomains"]);
+  if (viewers.length > 0) next.viewers = viewers;
+  if (operators.length > 0) next.operators = operators;
+  if (admins.length > 0) next.admins = admins;
+  if (viewerDomains.length > 0) next.viewerDomains = viewerDomains;
+  if (operatorDomains.length > 0) next.operatorDomains = operatorDomains;
+  if (adminDomains.length > 0) next.adminDomains = adminDomains;
+  return Object.keys(next).length > 0 ? next : undefined;
+}
+function normalizeAccessConfig(value: unknown): DashboardAccessConfig {
+  const root = toObject(value);
+  const trustedHeaders = toObject(root["trustedHeaders"]);
+  const defaultRole = asOptionalRole(root["defaultRole"]);
+  const next: DashboardAccessConfig = {
+    requireAuth: root["requireAuth"] === true,
+    trustedHeaders: {
+      enabled: trustedHeaders["enabled"] === true,
+      provider:
+        trustedHeaders["provider"] === "generic"
+          ? "generic"
+          : "cloudflare-access",
+      emailHeader:
+        (typeof trustedHeaders["emailHeader"] === "string" && trustedHeaders["emailHeader"].trim().length > 0
+          ? trustedHeaders["emailHeader"].trim()
+          : "Cf-Access-Authenticated-User-Email"),
+      jwtHeader:
+        (typeof trustedHeaders["jwtHeader"] === "string" && trustedHeaders["jwtHeader"].trim().length > 0
+          ? trustedHeaders["jwtHeader"].trim()
+          : "Cf-Access-Jwt-Assertion"),
+    },
+  };
+  if (typeof trustedHeaders["teamDomain"] === "string" && trustedHeaders["teamDomain"].trim().length > 0) {
+    next.trustedHeaders!.teamDomain = trustedHeaders["teamDomain"].trim();
+  }
+  if (typeof trustedHeaders["audience"] === "string" && trustedHeaders["audience"].trim().length > 0) {
+    next.trustedHeaders!.audience = trustedHeaders["audience"].trim();
+  }
+  if (defaultRole) {
+    next.defaultRole = defaultRole;
+  }
+  const roles = normalizeRoles(root["roles"]);
+  if (roles) {
+    next.roles = roles;
+  }
+  return next;
+}
+export async function GET(request: NextRequest) {
+  const denied = await guardApiAccess(request, "viewer");
+  if (denied) return denied;
+  try {
+    const { config } = await getServices();
+    const access = normalizeAccessConfig(config.access);
+    const current = await getDashboardAccess(request);
+    return NextResponse.json({
+      access,
+      current: {
+        authenticated: current.authenticated,
+        role: current.role ?? null,
+        email: current.email ?? null,
+        provider: current.provider ?? null,
+      },
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Failed to load access settings";
+    return NextResponse.json({ error: message }, { status: 500 });
+  }
+}
+export async function PUT(request: NextRequest) {
+  const denied = await guardApiAccess(request, "admin");
+  if (denied) return denied;
+  const deniedAction = guardApiActionAccess(request);
+  if (deniedAction) return deniedAction;
+  const body = (await request.json().catch(() => null)) as AccessPatchBody | null;
+  if (!body || typeof body !== "object") {
+    return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
+  }
+  try {
+    const { config } = await getServices();
+    const configPath = config.configPath;
+    if (!configPath) {
+      return NextResponse.json({ error: "Unable to resolve conductor config path" }, { status: 500 });
+    }
+    const originalConfigRaw = await readFile(configPath, "utf8");
+    const parsed = (parse(originalConfigRaw) ?? {}) as MutableConfig;
+    const nextRoot: MutableConfig =
+      parsed && typeof parsed === "object" && !Array.isArray(parsed)
+        ? { ...parsed }
+        : {};
+    const nextAccess = normalizeAccessConfig(nextRoot["access"]);
+    if (typeof body.requireAuth === "boolean") {
+      nextAccess.requireAuth = body.requireAuth;
+    }
+    if (body.defaultRole !== undefined) {
+      nextAccess.defaultRole = asOptionalRole(body.defaultRole);
+    }
+    if (body.trustedHeaders !== undefined) {
+      const nextTrusted = toObject(body.trustedHeaders);
+      nextAccess.trustedHeaders = {
+        enabled: nextTrusted["enabled"] === true,
+        emailHeader:
+          (typeof nextTrusted["emailHeader"] === "string" && nextTrusted["emailHeader"].trim().length > 0
+            ? nextTrusted["emailHeader"].trim()
+            : "Cf-Access-Authenticated-User-Email"),
+      };
+    }
+    if (body.roles !== undefined) {
+      nextAccess.roles = normalizeRoles(body.roles);
+    }
+    nextRoot["access"] = nextAccess;
+    await normalizeRootProjectPaths(nextRoot);
+    const updatedYaml = stringify(nextRoot, { lineWidth: 0 });
+    await writeFile(configPath, updatedYaml, "utf8");
+    try {
+      invalidateServicesCache("access updated");
+      await getServices();
+    } catch (err) {
+      await writeFile(configPath, originalConfigRaw, "utf8");
+      invalidateServicesCache("access update rollback");
+      throw err;
+    }
+    const current = await getDashboardAccess(request);
+    return NextResponse.json({
+      access: nextAccess,
+      current: {
+        authenticated: current.authenticated,
+        role: current.role ?? null,
+        email: current.email ?? null,
+        provider: current.provider ?? null,
+      },
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Failed to update access settings";
+    return NextResponse.json({ error: message }, { status: 500 });
+  }
+}

package/web/.next/standalone/packages/web/src/app/api/agents/route.ts CHANGED Viewed

@@ -108,7 +108,7 @@ const PATH_AGENT_HINTS: AgentHint[] = [
   },
   {
     name: "qwen-code",
-    commands: ["qwen-code"],
+    commands: ["qwen", "qwen-code"],
     aliases: ["qwen", "qwen code", "qwen-code-cli", "qwen_code", "qwen-code"],
     description: "Qwen Code CLI",
     homepage: "https://qwenlm.github.io/announcements/",
@@ -445,7 +445,7 @@ async function collectBinaryAgents(candidates: string[]): Promise<AgentInfo[]> {
 }
 export async function GET() {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   try {

package/web/.next/standalone/packages/web/src/app/api/attachments/route.ts CHANGED Viewed

@@ -87,7 +87,7 @@ function isImagePath(path: string): boolean {
 }
 export async function POST(request: NextRequest) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;

package/web/.next/standalone/packages/web/src/app/api/auth/session/route.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { type NextRequest, NextResponse } from "next/server";
+import {
+  BUILTIN_REMOTE_SESSION_COOKIE,
+  createBuiltinRemoteSessionValue,
+  getBuiltinRemoteSessionCookieOptions,
+  isBuiltinRemoteAuthEnabled,
+  isValidBuiltinAccessToken,
+} from "@/lib/remoteAuth";
+type SessionRequestBody = {
+  token?: unknown;
+};
+function clearSession(response: NextResponse): void {
+  response.cookies.set(BUILTIN_REMOTE_SESSION_COOKIE, "", {
+    ...getBuiltinRemoteSessionCookieOptions(false),
+    maxAge: 0,
+  });
+}
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  if (!isBuiltinRemoteAuthEnabled()) {
+    return NextResponse.json({ error: "Built-in remote auth is not enabled" }, { status: 404 });
+  }
+  const body = (await request.json().catch(() => null)) as SessionRequestBody | null;
+  const token = typeof body?.token === "string" ? body.token.trim() : "";
+  if (!isValidBuiltinAccessToken(token)) {
+    return NextResponse.json({ error: "Invalid access token" }, { status: 403 });
+  }
+  const response = NextResponse.json({ ok: true });
+  response.cookies.set(
+    BUILTIN_REMOTE_SESSION_COOKIE,
+    await createBuiltinRemoteSessionValue(),
+    getBuiltinRemoteSessionCookieOptions(request.nextUrl.protocol === "https:"),
+  );
+  return response;
+}
+export async function DELETE(request: NextRequest): Promise<NextResponse> {
+  const response = NextResponse.json({ ok: true });
+  clearSession(response);
+  if (!isBuiltinRemoteAuthEnabled()) {
+    return response;
+  }
+  response.cookies.set(BUILTIN_REMOTE_SESSION_COOKIE, "", {
+    ...getBuiltinRemoteSessionCookieOptions(request.nextUrl.protocol === "https:"),
+    maxAge: 0,
+  });
+  return response;
+}

package/web/.next/standalone/packages/web/src/app/api/boards/route.ts CHANGED Viewed

@@ -383,7 +383,7 @@ function buildTaskLine(params: {
 /** GET /api/boards?projectId=<id> -- Return parsed kanban board for a project. */
 export async function GET(request: NextRequest) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   const projectId = asNonEmptyString(request.nextUrl.searchParams.get("projectId"));
@@ -436,7 +436,7 @@ export async function GET(request: NextRequest) {
  * Body: { projectId, title, description?, contextNotes?, attachments?, agent, role?, type?, priority? }
  */
 export async function POST(request: NextRequest) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;

package/web/.next/standalone/packages/web/src/app/api/config/route.ts CHANGED Viewed

@@ -44,7 +44,7 @@ function resolveBoardFile(
 /** GET /api/config -- Return configured projects and their board paths. */
 export async function GET() {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   try {
     const { config } = await getServices();
@@ -67,6 +67,7 @@ export async function GET() {
         ),
         description: (project as { description?: string }).description ?? null,
         agent: (project as { agent?: string }).agent ?? "claude-code",
+        agentModel: (project as { agentConfig?: { model?: string } }).agentConfig?.model ?? null,
       };
     });
     return NextResponse.json({ projects });

package/web/.next/standalone/packages/web/src/app/api/context-files/route.ts CHANGED Viewed

@@ -147,7 +147,7 @@ async function collectContextFiles(params: {
 /** GET /api/context-files?projectId=<id> -- List likely context/attachment files for task composer. */
 export async function GET(request: Request) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   try {

package/web/.next/standalone/packages/web/src/app/api/events/route.ts CHANGED Viewed

@@ -17,7 +17,7 @@ export const dynamic = "force-dynamic";
  *   - Closed flag prevents enqueue-after-close errors
  */
 export async function GET(request: Request): Promise<Response> {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "viewer");
   if (denied) return denied;
   const encoder = new TextEncoder();

package/web/.next/standalone/packages/web/src/app/api/filesystem/directory/route.ts CHANGED Viewed

@@ -36,7 +36,7 @@ async function isGitRepo(path: string): Promise<boolean> {
 }
 export async function GET(request: NextRequest) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const rawPath = request.nextUrl.searchParams.get("path");

package/web/.next/standalone/packages/web/src/app/api/github/repos/route.ts CHANGED Viewed

@@ -44,7 +44,7 @@ async function assertGhAuthenticated(): Promise<void> {
 }
 export async function GET(request: NextRequest) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "operator");
   if (denied) return denied;
   const query = request.nextUrl.searchParams.get("q")?.trim().toLowerCase() ?? "";

package/web/.next/standalone/packages/web/src/app/api/health/boards/route.ts CHANGED Viewed

@@ -7,7 +7,7 @@ export const dynamic = "force-dynamic";
 /** GET /api/health/boards -- watcher board parse/health snapshot. */
 export async function GET() {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   try {

package/web/.next/standalone/packages/web/src/app/api/preferences/route.ts CHANGED Viewed

@@ -4,7 +4,8 @@ import { parse, stringify } from "yaml";
 import { syncWorkspaceSupportFiles, type UserPreferences } from "@conductor-oss/core";
 import { getServices, invalidateServicesCache } from "@/lib/services";
 import { guardApiAccess, guardApiActionAccess } from "@/lib/auth";
-import { syncAllProjectLocalConfigs } from "@/lib/projectConfigSync";
+import { normalizeModelAccessPreferences } from "@/lib/modelAccess";
+import { normalizeRootProjectPaths, syncAllProjectLocalConfigs } from "@/lib/projectConfigSync";
 export const dynamic = "force-dynamic";
@@ -17,6 +18,7 @@ type PreferencesPatchBody = {
   remoteSshHost?: unknown;
   remoteSshUser?: unknown;
   markdownEditor?: unknown;
+  modelAccess?: unknown;
   notifications?: unknown;
 };
@@ -48,6 +50,7 @@ function normalizePreferences(
     ...(remoteSshHost ? { remoteSshHost } : {}),
     ...(remoteSshUser ? { remoteSshUser } : {}),
     markdownEditor: asNonEmptyString(root["markdownEditor"]) ?? "obsidian",
+    modelAccess: normalizeModelAccessPreferences(root["modelAccess"]),
     notifications: {
       soundEnabled: notifications["soundEnabled"] !== false,
       soundFile: soundFile === null
@@ -58,7 +61,7 @@ function normalizePreferences(
 }
 export async function GET() {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   try {
@@ -73,7 +76,7 @@ export async function GET() {
 }
 export async function PUT(request: NextRequest) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;
@@ -142,6 +145,10 @@ export async function PUT(request: NextRequest) {
       if (value) nextPreferences.markdownEditor = value;
     }
+    if (body.modelAccess !== undefined) {
+      nextPreferences.modelAccess = normalizeModelAccessPreferences(body.modelAccess);
+    }
     if (body.notifications !== undefined) {
       const notificationsPatch = toObject(body.notifications);
       if (typeof notificationsPatch["soundEnabled"] === "boolean") {
@@ -158,6 +165,7 @@ export async function PUT(request: NextRequest) {
     }
     nextRoot["preferences"] = nextPreferences;
+    await normalizeRootProjectPaths(nextRoot);
     const updatedYaml = stringify(nextRoot, {
       lineWidth: 0,

package/web/.next/standalone/packages/web/src/app/api/repositories/route.ts CHANGED Viewed

@@ -9,7 +9,7 @@ import { parse, stringify } from "yaml";
 import { syncWorkspaceSupportFiles } from "@conductor-oss/core";
 import { getServices, invalidateServicesCache } from "@/lib/services";
 import { guardApiAccess, guardApiActionAccess } from "@/lib/auth";
-import { syncProjectLocalConfig } from "@/lib/projectConfigSync";
+import { normalizeRootProjectPaths, syncProjectLocalConfig } from "@/lib/projectConfigSync";
 export const dynamic = "force-dynamic";
@@ -24,6 +24,7 @@ type RepositoryPatchBody = {
   repo?: unknown;
   path?: unknown;
   agent?: unknown;
+  agentModel?: unknown;
   defaultWorkingDirectory?: unknown;
   defaultBranch?: unknown;
   devServerScript?: unknown;
@@ -208,6 +209,7 @@ async function suggestRepoPath(projectPath: string, repoValue?: string | null):
 async function serializeRepository(projectId: string, project: Record<string, unknown>) {
   const path = asNonEmptyString(project["path"]) ?? "";
   const repo = asNonEmptyString(project["repo"]) ?? "";
+  const agentConfig = toObject(project["agentConfig"]);
   const expandedPath = path ? expandHome(path) : "";
   const pathExists = expandedPath ? existsSync(expandedPath) : false;
   const gitRepository = expandedPath ? await isGitRepository(expandedPath) : false;
@@ -221,6 +223,7 @@ async function serializeRepository(projectId: string, project: Record<string, un
     repo,
     path,
     agent: asNonEmptyString(project["agent"]) ?? "claude-code",
+    agentModel: asNonEmptyString(agentConfig["model"]) ?? "",
     workspaceMode: asNonEmptyString(project["workspace"]) ?? "worktree",
     runtimeMode: asNonEmptyString(project["runtime"]) ?? "tmux",
     scmMode: asNonEmptyString(project["scm"]) ?? "github",
@@ -241,7 +244,7 @@ async function serializeRepository(projectId: string, project: Record<string, un
 }
 export async function GET() {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   try {
@@ -262,7 +265,7 @@ export async function GET() {
 }
 export async function PUT(request: NextRequest) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;
@@ -303,6 +306,7 @@ export async function PUT(request: NextRequest) {
     const repo = asNonEmptyString(body.repo);
     const path = asNonEmptyString(body.path);
     const agent = asNonEmptyString(body.agent) ?? asNonEmptyString(existingProject["agent"]) ?? "claude-code";
+    const agentModel = asNonEmptyString(body.agentModel);
     const defaultBranch = asNonEmptyString(body.defaultBranch) ?? "main";
     const defaultWorkingDirectory = normalizeWorkingDirectory(asNonEmptyString(body.defaultWorkingDirectory));
@@ -318,6 +322,19 @@ export async function PUT(request: NextRequest) {
     nextProject["path"] = expandHome(path);
     nextProject["agent"] = agent;
     nextProject["defaultBranch"] = defaultBranch;
+    const nextAgentConfig = toObject(nextProject["agentConfig"]);
+    if (agentModel) {
+      nextProject["agentConfig"] = {
+        ...nextAgentConfig,
+        model: agentModel,
+      };
+    } else if ("model" in nextAgentConfig) {
+      const { model: _removedModel, ...rest } = nextAgentConfig;
+      nextProject["agentConfig"] = rest;
+      if (Object.keys(rest).length === 0) {
+        delete nextProject["agentConfig"];
+      }
+    }
     if (defaultWorkingDirectory) {
       nextProject["defaultWorkingDirectory"] = defaultWorkingDirectory;
@@ -371,6 +388,7 @@ export async function PUT(request: NextRequest) {
     nextProjects[id] = nextProject;
     nextRoot["projects"] = nextProjects;
+    await normalizeRootProjectPaths(nextRoot);
     const updatedYaml = stringify(nextRoot, { lineWidth: 0 });
     await writeFile(configPath, updatedYaml, "utf8");

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/checks/route.ts CHANGED Viewed

@@ -98,7 +98,7 @@ export async function GET(
   _request: NextRequest,
   context: { params: Promise<{ id: string }> },
 ) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   const { id } = await context.params;
   if (denied) return denied;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/diff/route.ts CHANGED Viewed

@@ -362,7 +362,7 @@ export async function GET(
   _request: NextRequest,
   context: { params: Promise<{ id: string }> },
 ) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   const { id } = await context.params;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/feedback/route.ts CHANGED Viewed

@@ -11,7 +11,7 @@ export async function POST(
   request: NextRequest,
   context: { params: Promise<{ id: string }> },
 ) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/files/route.ts CHANGED Viewed

@@ -158,7 +158,7 @@ export async function GET(
   request: NextRequest,
   context: { params: Promise<unknown> },
 ) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   const params = await context.params as { id?: unknown } | null;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/keys/route.ts CHANGED Viewed

@@ -89,7 +89,7 @@ export async function POST(
   request: NextRequest,
   { params }: { params: Promise<{ id: string }> },
 ): Promise<NextResponse> {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/kill/route.ts CHANGED Viewed

@@ -9,7 +9,7 @@ export async function POST(
   request: NextRequest,
   context: { params: Promise<{ id: string }> },
 ) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/output/route.ts CHANGED Viewed

@@ -221,7 +221,7 @@ export async function GET(
   request: NextRequest,
   context: { params: Promise<{ id: string }> },
 ) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   const params = await context.params;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/output/stream/route.ts CHANGED Viewed

@@ -14,7 +14,7 @@ export async function GET(
   request: NextRequest,
   context: { params: Promise<{ id: string }> },
 ): Promise<Response> {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "viewer");
   if (denied) return denied;
   const params = await context.params;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/restore/route.ts CHANGED Viewed

@@ -10,7 +10,7 @@ export async function POST(
   request: NextRequest,
   context: { params: Promise<{ id: string }> },
 ) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/route.ts CHANGED Viewed

@@ -173,7 +173,7 @@ export async function GET(
   { params }: { params: Promise<{ id: string }> },
 ) {
   try {
-    const denied = await guardApiAccess();
+    const denied = await guardApiAccess(undefined, "viewer");
     if (denied) return denied;
     const { id } = await params;
     const sessionId = id.trim();

package/web/.next/standalone/packages/web/src/app/api/sessions/[id]/send/route.ts CHANGED Viewed

@@ -11,7 +11,7 @@ export async function POST(
   request: NextRequest,
   context: { params: Promise<{ id: string }> },
 ) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(request, "operator");
   if (denied) return denied;
   const deniedAction = guardApiActionAccess(request);
   if (deniedAction) return deniedAction;

package/web/.next/standalone/packages/web/src/app/api/sessions/route.ts CHANGED Viewed

@@ -8,7 +8,7 @@ export const dynamic = "force-dynamic";
 /** GET /api/sessions -- list current sessions for the dashboard. */
 export async function GET(request: NextRequest) {
-  const denied = await guardApiAccess();
+  const denied = await guardApiAccess(undefined, "viewer");
   if (denied) return denied;
   try {