npm - crewx - Versions diffs - 0.8.8-rc.2 → 0.8.8-rc.21 - Mend

crewx 0.8.8-rc.2 → 0.8.8-rc.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/dist-server/domain/token/token.controller.js ADDED Viewed

@@ -0,0 +1,73 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenController = void 0;
+const common_1 = require("@nestjs/common");
+const token_service_js_1 = require("./token.service.js");
+const token_dto_js_1 = require("./token.dto.js");
+let TokenController = class TokenController {
+    tokenService;
+    constructor(tokenService) {
+        this.tokenService = tokenService;
+    }
+    listTokens() {
+        return { success: true, data: this.tokenService.listTokens() };
+    }
+    async createToken(dto) {
+        const { token, meta } = await this.tokenService.createToken(dto, 'direct');
+        const response = new token_dto_js_1.CreateTokenResponseDto();
+        Object.assign(response, meta);
+        response.token = token;
+        return { success: true, data: response };
+    }
+    getToken(id) {
+        return { success: true, data: this.tokenService.getToken(id) };
+    }
+    async revokeToken(id) {
+        await this.tokenService.revokeToken(id);
+    }
+};
+exports.TokenController = TokenController;
+__decorate([
+    (0, common_1.Get)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Object)
+], TokenController.prototype, "listTokens", null);
+__decorate([
+    (0, common_1.Post)(),
+    __param(0, (0, common_1.Body)(new common_1.ValidationPipe({ whitelist: true }))),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [token_dto_js_1.CreateTokenDto]),
+    __metadata("design:returntype", Promise)
+], TokenController.prototype, "createToken", null);
+__decorate([
+    (0, common_1.Get)(':id'),
+    __param(0, (0, common_1.Param)('id')),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String]),
+    __metadata("design:returntype", Object)
+], TokenController.prototype, "getToken", null);
+__decorate([
+    (0, common_1.Delete)(':id'),
+    (0, common_1.HttpCode)(common_1.HttpStatus.NO_CONTENT),
+    __param(0, (0, common_1.Param)('id')),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String]),
+    __metadata("design:returntype", Promise)
+], TokenController.prototype, "revokeToken", null);
+exports.TokenController = TokenController = __decorate([
+    (0, common_1.Controller)('tokens'),
+    __metadata("design:paramtypes", [token_service_js_1.TokenService])
+], TokenController);

package/dist-server/domain/token/token.dto.js ADDED Viewed

@@ -0,0 +1,56 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateTokenResponseDto = exports.TokenMetaResponseDto = exports.CreateTokenDto = void 0;
+const class_validator_1 = require("class-validator");
+class CreateTokenDto {
+    name;
+    expiresIn;
+    agentScope;
+    browserScope;
+}
+exports.CreateTokenDto = CreateTokenDto;
+__decorate([
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1),
+    (0, class_validator_1.MaxLength)(50),
+    __metadata("design:type", String)
+], CreateTokenDto.prototype, "name", void 0);
+__decorate([
+    (0, class_validator_1.IsIn)(['30d', '90d', '1y']),
+    __metadata("design:type", String)
+], CreateTokenDto.prototype, "expiresIn", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], CreateTokenDto.prototype, "agentScope", void 0);
+__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], CreateTokenDto.prototype, "browserScope", void 0);
+class TokenMetaResponseDto {
+    id;
+    name;
+    jti;
+    agentScope;
+    source;
+    expiresAt;
+    createdAt;
+    revokedAt;
+    lastUsedAt;
+}
+exports.TokenMetaResponseDto = TokenMetaResponseDto;
+class CreateTokenResponseDto extends TokenMetaResponseDto {
+    token;
+}
+exports.CreateTokenResponseDto = CreateTokenResponseDto;

package/dist-server/domain/token/token.module.js ADDED Viewed

@@ -0,0 +1,22 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenModule = void 0;
+const common_1 = require("@nestjs/common");
+const token_controller_js_1 = require("./token.controller.js");
+const token_service_js_1 = require("./token.service.js");
+let TokenModule = class TokenModule {
+};
+exports.TokenModule = TokenModule;
+exports.TokenModule = TokenModule = __decorate([
+    (0, common_1.Module)({
+        controllers: [token_controller_js_1.TokenController],
+        providers: [token_service_js_1.TokenService],
+        exports: [token_service_js_1.TokenService],
+    })
+], TokenModule);

package/dist-server/domain/token/token.service.js ADDED Viewed

@@ -0,0 +1,228 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenService = void 0;
+exports.readJwtSecret = readJwtSecret;
+exports.ensureJwtSecret = ensureJwtSecret;
+const common_1 = require("@nestjs/common");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const crypto_1 = require("crypto");
+const jose_1 = require("jose");
+const nanoid_1 = require("nanoid");
+const limits_provider_js_1 = require("../../common/limits/limits-provider.js");
+const token_dto_js_1 = require("./token.dto.js");
+function resolveDbPath() {
+    if (process.env.CREWX_DB)
+        return process.env.CREWX_DB;
+    return (0, path_1.join)((0, os_1.homedir)(), '.crewx', 'crewx.db');
+}
+function hashToken(rawToken) {
+    return (0, crypto_1.createHash)('sha256').update(rawToken).digest('hex');
+}
+function calcExpiresAt(expiresIn) {
+    const now = new Date();
+    if (expiresIn === '30d')
+        return new Date(now.getTime() + 30 * 86400000);
+    if (expiresIn === '90d')
+        return new Date(now.getTime() + 90 * 86400000);
+    return new Date(now.getTime() + 365 * 86400000);
+}
+function rowToDto(row) {
+    const dto = new token_dto_js_1.TokenMetaResponseDto();
+    dto.id = row.id;
+    dto.name = row.name;
+    dto.jti = row.jti;
+    dto.agentScope = row.agent_scope;
+    dto.source = row.source;
+    dto.expiresAt = row.expires_at;
+    dto.createdAt = row.created_at;
+    dto.revokedAt = row.revoked_at;
+    dto.lastUsedAt = row.last_used_at;
+    return dto;
+}
+let TokenService = class TokenService {
+    limitsProvider;
+    db;
+    secretBytes;
+    constructor(limitsProvider) {
+        this.limitsProvider = limitsProvider;
+    }
+    onModuleInit() {
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        const Database = require('better-sqlite3');
+        const dbPath = resolveDbPath();
+        this.db = new Database(dbPath);
+        this.db.exec('PRAGMA journal_mode = WAL');
+        this.db.exec('PRAGMA busy_timeout = 5000');
+        this.ensureSchema();
+        const secretStr = readJwtSecret();
+        this.secretBytes = new Uint8Array(Buffer.from(secretStr, 'hex'));
+    }
+    onModuleDestroy() {
+        try {
+            this.db?.close();
+        }
+        catch {
+            // ignore close errors during shutdown
+        }
+    }
+    async createToken(dto, source = 'direct') {
+        if (source === 'negotiate' && !dto.agentScope) {
+            throw new common_1.BadRequestException('agentScope is required for negotiate tokens');
+        }
+        const limits = await this.limitsProvider.resolve();
+        if (limits.tier === 'FREE') {
+            const row = this.db
+                .prepare('SELECT COUNT(*) as cnt FROM api_tokens WHERE revoked_at IS NULL')
+                .get();
+            const activeCount = row?.cnt ?? 0;
+            if (activeCount >= limits.apiTokens) {
+                throw new common_1.HttpException({ code: 'TOKEN_LIMIT_EXCEEDED', limit: limits.apiTokens }, 412);
+            }
+        }
+        const id = 'tok_' + (0, nanoid_1.nanoid)(21);
+        const jti = 'jti_' + (0, nanoid_1.nanoid)(21);
+        const expiresAt = calcExpiresAt(dto.expiresIn);
+        const createdAt = new Date().toISOString();
+        const jwt = await new jose_1.SignJWT({
+            sub: dto.name,
+            jti,
+            scope: dto.agentScope ?? null,
+            browser_scope: dto.browserScope ?? null,
+            source,
+        })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setExpirationTime(Math.floor(expiresAt.getTime() / 1000))
+            .sign(this.secretBytes);
+        const rawToken = 'crewx_' + jwt;
+        const tokenHash = hashToken(rawToken);
+        this.db
+            .prepare(`INSERT INTO api_tokens (id, name, token_hash, jti, agent_scope, source, expires_at, created_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`)
+            .run(id, dto.name, tokenHash, jti, dto.agentScope ?? null, source, expiresAt.toISOString(), createdAt);
+        const row = this.db
+            .prepare('SELECT * FROM api_tokens WHERE id = ?')
+            .get(id);
+        return { token: rawToken, meta: rowToDto(row) };
+    }
+    async validateToken(rawToken) {
+        if (!rawToken.startsWith('crewx_'))
+            return null;
+        const jwt = rawToken.slice(6);
+        let jti;
+        let agentScope;
+        let browserScope;
+        let source;
+        let sub;
+        try {
+            const { payload } = await (0, jose_1.jwtVerify)(jwt, this.secretBytes);
+            jti = payload.jti ?? '';
+            sub = payload.sub ?? '';
+            agentScope = payload['scope'] ?? null;
+            browserScope = payload['browser_scope'] ?? null;
+            source = payload['source'] === 'negotiate' ? 'negotiate' : 'direct';
+        }
+        catch {
+            return null;
+        }
+        const tokenHash = hashToken(rawToken);
+        const row = this.db
+            .prepare('SELECT * FROM api_tokens WHERE token_hash = ?')
+            .get(tokenHash);
+        if (!row)
+            return null;
+        if (row.revoked_at)
+            return null;
+        if (row.jti !== jti)
+            return null;
+        if (row.source !== source)
+            return null;
+        // best-effort update, non-blocking
+        try {
+            this.db
+                .prepare("UPDATE api_tokens SET last_used_at = datetime('now') WHERE id = ?")
+                .run(row.id);
+        }
+        catch {
+            // ignore
+        }
+        return { sub, jti, agentScope, browserScope, source };
+    }
+    async revokeToken(id) {
+        const existing = this.db
+            .prepare('SELECT id FROM api_tokens WHERE id = ?')
+            .get(id);
+        if (!existing)
+            throw new common_1.NotFoundException(`Token ${id} not found`);
+        this.db
+            .prepare("UPDATE api_tokens SET revoked_at = datetime('now') WHERE id = ?")
+            .run(id);
+    }
+    listTokens() {
+        const rows = this.db
+            .prepare('SELECT * FROM api_tokens ORDER BY created_at DESC')
+            .all();
+        return rows.map(rowToDto);
+    }
+    getToken(id) {
+        const row = this.db
+            .prepare('SELECT * FROM api_tokens WHERE id = ?')
+            .get(id);
+        if (!row)
+            throw new common_1.NotFoundException(`Token ${id} not found`);
+        return rowToDto(row);
+    }
+    ensureSchema() {
+        this.db.exec(`
+      CREATE TABLE IF NOT EXISTS api_tokens (
+        id           TEXT PRIMARY KEY,
+        name         TEXT NOT NULL,
+        token_hash   TEXT NOT NULL UNIQUE,
+        jti          TEXT NOT NULL UNIQUE,
+        agent_scope  TEXT,
+        source       TEXT NOT NULL DEFAULT 'direct',
+        expires_at   TEXT NOT NULL,
+        created_at   TEXT NOT NULL DEFAULT (datetime('now')),
+        revoked_at   TEXT,
+        last_used_at TEXT
+      )
+    `);
+    }
+};
+exports.TokenService = TokenService;
+exports.TokenService = TokenService = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [limits_provider_js_1.LimitsProvider])
+], TokenService);
+// --- jwt_secret helpers ---
+function readJwtSecret() {
+    const secretPath = getJwtSecretPath();
+    if (!(0, fs_1.existsSync)(secretPath)) {
+        throw new Error('[crewx] jwt_secret file not found. Call ensureJwtSecret() at bootstrap.');
+    }
+    return (0, fs_1.readFileSync)(secretPath, 'utf8').trim();
+}
+function ensureJwtSecret() {
+    const secretPath = getJwtSecretPath();
+    if (!(0, fs_1.existsSync)(secretPath)) {
+        (0, fs_1.mkdirSync)((0, path_1.dirname)(secretPath), { recursive: true });
+        const secret = (0, crypto_1.randomBytes)(32).toString('hex');
+        // mode: 0o600 — POSIX only; Windows relies on NTFS ACL from parent dir
+        (0, fs_1.writeFileSync)(secretPath, secret, { mode: 0o600, encoding: 'utf8' });
+    }
+    return (0, fs_1.readFileSync)(secretPath, 'utf8').trim();
+}
+function getJwtSecretPath() {
+    const crewxHome = process.env.CREWX_HOME ?? (0, path_1.join)((0, os_1.homedir)(), '.crewx');
+    return (0, path_1.join)(crewxHome, 'jwt_secret');
+}

package/dist-server/main.js CHANGED Viewed

@@ -66,6 +66,20 @@ async function bootstrap() {
     }
     // Cookie parser must come before Guards that read req.cookies
     app.use((0, cookie_parser_1.default)());
+    // CSRF Double Submit Cookie — issue on first visit (httpOnly:false so JS can read it)
+    app.use((req, res, next) => {
+        if (!req.cookies?.['crewx_csrf']) {
+            const { randomBytes } = require('crypto');
+            const token = randomBytes(32).toString('hex');
+            res.cookie('crewx_csrf', token, {
+                httpOnly: false,
+                sameSite: 'strict',
+                path: '/',
+                secure: req.secure || req.headers['x-forwarded-proto'] === 'https',
+            });
+        }
+        next();
+    });
     // Conditional JSON body parser: skip for /adapters/* (raw body needed for webhook signatures),
     // apply express.json() for all other routes so DTOs receive parsed bodies.
     app.use((req, res, next) => {
@@ -86,14 +100,21 @@ async function bootstrap() {
             callback(null, (0, cors_js_1.isAllowedOrigin)(origin, allowedExtensionIds));
         },
         credentials: true,
-        allowedHeaders: ['Content-Type', 'Authorization', 'Mcp-Session-Id', 'Accept'],
+        allowedHeaders: ['Content-Type', 'Authorization', 'Mcp-Session-Id', 'Accept', 'X-CSRF-Token'],
         exposedHeaders: ['Mcp-Session-Id'],
     });
     // Enable class-validator DTO validation
     app.useGlobalPipes(new common_1.ValidationPipe({ whitelist: true, transform: true }));
     // Global prefix for API routes (exclude MCP and auth login/logout — they live at /mcp, /auth/*)
     app.setGlobalPrefix('api/v1', {
-        exclude: ['mcp', 'mcp/health', 'auth/login', 'auth/logout'],
+        exclude: [
+            { path: 'mcp', method: common_1.RequestMethod.ALL },
+            { path: 'mcp/health', method: common_1.RequestMethod.ALL },
+            { path: 'auth/login', method: common_1.RequestMethod.ALL },
+            { path: 'auth/logout', method: common_1.RequestMethod.ALL },
+            { path: 'api/chromex', method: common_1.RequestMethod.ALL },
+            { path: 'api/chromex/(.*)', method: common_1.RequestMethod.ALL },
+        ],
     });
     // Swagger documentation setup
     const swaggerConfig = new swagger_1.DocumentBuilder()

package/dist-server/modules/crewx-pool.service.js CHANGED Viewed

@@ -5,6 +5,12 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CrewxPoolService = void 0;
 const common_1 = require("@nestjs/common");
@@ -12,6 +18,7 @@ const path_1 = require("path");
 const fs_1 = require("fs");
 const crewx_server_js_1 = require("../bootstrap/crewx-server.js");
 const workspace_context_store_js_1 = require("../common/workspace-context.store.js");
+const workspace_event_bus_js_1 = require("../domain/events/workspace-event.bus.js");
 /**
  * CrewxPoolService — per-workspace Crewx instance pool.
  *
@@ -26,7 +33,12 @@ const workspace_context_store_js_1 = require("../common/workspace-context.store.
  * Services must NEVER call crewx.close() themselves.
  */
 let CrewxPoolService = class CrewxPoolService {
+    eventBus;
     pool = new Map();
+    poolMeta = new Map();
+    constructor(eventBus) {
+        this.eventBus = eventBus;
+    }
     /**
      * Return the Crewx instance for the current request's workspace.
      * Uses AsyncLocalStorage-backed getWorkspacePath().
@@ -40,9 +52,14 @@ let CrewxPoolService = class CrewxPoolService {
     }
     /**
      * Return the Crewx instance for an explicit workspace path.
-     * Workspace yaml takes precedence; CREWX_CONFIG is used as fallback only.
+     * When CREWX_CONFIG is set, all paths resolve to a single shared instance
+     * keyed by '__crewx_config__'. Otherwise, workspace yaml is used per path.
      */
     getForPath(workspacePath) {
+        const configPath = process.env.CREWX_CONFIG;
+        if (configPath) {
+            return this.getOrCreate('__crewx_config__', configPath);
+        }
         const candidates = [
             (0, path_1.join)(workspacePath, 'crewx.yaml'),
             (0, path_1.join)(workspacePath, 'crewx.yml'),
@@ -52,24 +69,131 @@ let CrewxPoolService = class CrewxPoolService {
         return this.getOrCreate(workspacePath, yamlPath);
     }
     invalidate(workspacePath) {
-        const key = workspacePath;
+        const key = process.env.CREWX_CONFIG ? '__crewx_config__' : workspacePath;
+        this.evict(key);
+    }
+    evict(key) {
+        const meta = this.poolMeta.get(key);
+        if (meta) {
+            meta.unsub();
+            this.poolMeta.delete(key);
+        }
         const existing = this.pool.get(key);
         if (existing) {
-            existing.then(c => c.close()).catch(() => { });
+            existing.then((c) => c.close()).catch(() => { });
             this.pool.delete(key);
         }
     }
     getOrCreate(key, configPath) {
         if (!this.pool.has(key)) {
-            this.pool.set(key, (0, crewx_server_js_1.createServerCrewx)(configPath));
+            const instancePromise = (0, crewx_server_js_1.createServerCrewx)(configPath, this.eventBus);
+            this.pool.set(key, instancePromise);
+            // Wire up SDK event subscriptions after the instance resolves.
+            instancePromise.then((crewx) => this.wireEvents(key, crewx)).catch(() => { });
         }
         return this.pool.get(key);
     }
+    /**
+     * Subscribe to task:start / task:end / task:output on a newly created Crewx instance and
+     * fan-out task.created / task.updated / task.logged events to WorkspaceEventBus.
+     * thread.* and message.* events are emitted by ServerConversationPlugin instead.
+     * threadId for task.updated is read from task:end metadata (propagated by SDK from task:start).
+     * threadId for task.logged is enriched from threadIdByTask (task:output has no threadId).
+     */
+    wireEvents(key, crewx) {
+        if (!this.eventBus)
+            return;
+        const bus = this.eventBus;
+        const wsId = crewx.workspaceId;
+        // task.logged: taskId → threadId (populated on task:start, cleared on task:end)
+        const threadIdByTask = new Map();
+        // task.logged throttle: taskId → pending setTimeout handle (200ms window)
+        const throttleByTask = new Map();
+        const THROTTLE_MS = 200;
+        // Hard cap: evict oldest entry when exceeded (guards against missed task:end on crash)
+        const MAX_TASK_ENTRIES = 500;
+        const unsubStart = crewx.on('task:start', (e) => {
+            threadIdByTask.set(e.traceId, e.threadId ?? '');
+            if (threadIdByTask.size > MAX_TASK_ENTRIES) {
+                const oldest = threadIdByTask.keys().next().value;
+                if (oldest !== undefined)
+                    threadIdByTask.delete(oldest);
+            }
+            bus.emit(wsId, {
+                type: 'task.created',
+                data: {
+                    taskId: e.traceId,
+                    threadId: e.threadId ?? '',
+                    agent: e.agentRef,
+                    status: 'running',
+                    updatedAt: e.timestamp.toISOString(),
+                },
+            });
+        });
+        const unsubOutput = crewx.on('task:output', (e) => {
+            const taskId = e.traceId;
+            if (throttleByTask.has(taskId))
+                return; // absorb within 200ms window
+            const timer = setTimeout(() => {
+                throttleByTask.delete(taskId);
+                bus.emit(wsId, {
+                    type: 'task.logged',
+                    data: { taskId, threadId: threadIdByTask.get(taskId) ?? '' },
+                });
+            }, THROTTLE_MS);
+            throttleByTask.set(taskId, timer);
+        });
+        const unsubEnd = crewx.on('task:end', (e) => {
+            const taskId = e.traceId;
+            // flush pending task.logged before emitting task.updated
+            const timer = throttleByTask.get(taskId);
+            if (timer !== undefined) {
+                clearTimeout(timer);
+                throttleByTask.delete(taskId);
+                bus.emit(wsId, {
+                    type: 'task.logged',
+                    data: { taskId, threadId: threadIdByTask.get(taskId) ?? '' },
+                });
+            }
+            threadIdByTask.delete(taskId);
+            const threadId = e.metadata?.threadId ?? '';
+            bus.emit(wsId, {
+                type: 'task.updated',
+                data: {
+                    taskId: e.traceId,
+                    threadId,
+                    agent: e.agentRef,
+                    status: e.error ? 'failed' : 'success',
+                    ...(e.error ? { error: e.error.message } : {}),
+                    ...(e.costUsd != null ? { costUsd: e.costUsd } : {}),
+                    updatedAt: e.timestamp.toISOString(),
+                },
+            });
+        });
+        this.poolMeta.set(key, {
+            unsub: () => {
+                unsubStart();
+                unsubOutput();
+                unsubEnd();
+                for (const t of throttleByTask.values())
+                    clearTimeout(t);
+                throttleByTask.clear();
+                threadIdByTask.clear();
+            },
+        });
+    }
     async onApplicationShutdown() {
+        // Unsubscribe all SDK listeners before closing instances.
+        for (const meta of this.poolMeta.values()) {
+            meta.unsub();
+        }
+        this.poolMeta.clear();
         await Promise.all([...this.pool.values()].map((p) => p.then((c) => c.close()).catch(() => { })));
     }
 };
 exports.CrewxPoolService = CrewxPoolService;
 exports.CrewxPoolService = CrewxPoolService = __decorate([
-    (0, common_1.Injectable)()
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Optional)()),
+    __metadata("design:paramtypes", [workspace_event_bus_js_1.WorkspaceEventBus])
 ], CrewxPoolService);

package/dist-server/modules/crewx.module.js CHANGED Viewed

@@ -10,6 +10,7 @@ exports.CrewxModule = void 0;
 const common_1 = require("@nestjs/common");
 const sdk_1 = require("@crewx/sdk");
 const crewx_pool_service_js_1 = require("./crewx-pool.service.js");
+const events_module_js_1 = require("../domain/events/events.module.js");
 /**
  * CrewxModule — NestJS DI providers for the Crewx facade.
  *
@@ -25,12 +26,17 @@ const crewx_pool_service_js_1 = require("./crewx-pool.service.js");
  *
  * Lifecycle: CrewxPoolService implements OnApplicationShutdown and closes
  * all pooled instances automatically. Do NOT call crewx.close() from call sites.
+ *
+ * EventsModule is imported here so WorkspaceEventBus can be injected into
+ * CrewxPoolService for SDK-event → SSE fan-out. EventsModule does NOT import
+ * CrewxModule, avoiding a circular dependency.
  */
 let CrewxModule = class CrewxModule {
 };
 exports.CrewxModule = CrewxModule;
 exports.CrewxModule = CrewxModule = __decorate([
     (0, common_1.Module)({
+        imports: [events_module_js_1.EventsModule],
         providers: [
             crewx_pool_service_js_1.CrewxPoolService,
             {