gitspace 0.2.0-rc.1

package/src/lib/remote-session/session-handler.ts

@@ -0,0 +1,581 @@
+/**
+ * Remote session handler - processes browse and PTY commands
+ *
+ * Handles the encrypted messages between client and machine after X3DH handshake.
+ */
+
+import { createFrame, openFrame } from "../tmux-lite/crypto/frames";
+import { scanWorkspaces } from "./workspace-scanner";
+import {
+  parseRemoteMessage,
+  serializeRemoteMessage,
+  type ClientToMachineMessage,
+  type MachineToClientMessage,
+  type SessionInfo,
+} from "./protocol";
+import type { SessionKeys, AccessType } from "../../types/identity.js";
+
+// Import tmux-lite API for session management
+import {
+  listSessions,
+  createSession,
+  killSession,
+  isServerRunning,
+  ensureServer,
+  getInbox,
+  clearInbox,
+  markInboxRead,
+  type Session,
+} from "../tmux-lite/cli";
+
+// Import project loading
+import { loadProjects } from "../../tui/state";
+
+// Import workspace removal
+import { removeWorktree, deleteLocalBranch, getWorktreeInfo } from "../../core/git";
+import { getProjectWorkspacesDir, getProjectBaseDir } from "../../core/config";
+
+/**
+ * Session state for a connected client
+ */
+export type ClientState = "browsing" | "attached";
+
+export interface RemoteClientSession {
+  connectionId: string;
+  state: ClientState;
+  sessionKeys: SessionKeys;
+  /** Access type granted to this client */
+  accessType?: AccessType;
+  /** For session-invite: the specific session ID access was granted to */
+  grantedSessionId?: string;
+  /** Attached tmux-lite session ID (set after attach_session) */
+  attachedSessionId?: string;
+  /** Path to tmux-lite session socket (set after attach_session) */
+  sessionSocketPath?: string;
+}
+
+// ============================================================================
+// Permission Helpers
+// ============================================================================
+
+/**
+ * Check if access type grants management permission
+ */
+function canManage(accessType: AccessType | undefined): boolean {
+  return accessType === 'full';
+}
+
+/**
+ * Check if client can attach to a specific session
+ */
+function canAttachSession(
+  accessType: AccessType | undefined,
+  grantedSessionId: string | undefined,
+  targetSessionId: string
+): boolean {
+  if (accessType === 'full') return true;
+  if (accessType === 'session-invite') {
+    return grantedSessionId === targetSessionId;
+  }
+  return false;
+}
+
+/**
+ * Remote session handler
+ */
+export class RemoteSessionHandler {
+  private tmuxLiteAvailable = false;
+
+  /**
+   * Initialize - check if tmux-lite is available
+   */
+  async initialize(): Promise<void> {
+    try {
+      this.tmuxLiteAvailable = await isServerRunning();
+      if (!this.tmuxLiteAvailable) {
+        // Try to start the server
+        await ensureServer();
+        this.tmuxLiteAvailable = true;
+      }
+    } catch (e) {
+      console.warn("[remote-session] tmux-lite not available:", e);
+      this.tmuxLiteAvailable = false;
+    }
+  }
+
+  /**
+   * Handle an encrypted message from a client
+   *
+   * @param session - Client session info
+   * @param encryptedData - Encrypted frame data
+   * @param sendResponse - Callback to send encrypted response
+   */
+  async handleMessage(
+    session: RemoteClientSession,
+    encryptedData: Uint8Array,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    try {
+      // Decrypt the frame
+      const frame = await openFrame(encryptedData, session.sessionKeys.receiveKey);
+      if (!frame) {
+        console.error("[remote-session] Failed to decrypt frame");
+        return;
+      }
+
+      // Parse as JSON message
+      const json = new TextDecoder().decode(frame.data);
+      const msg = parseRemoteMessage(json);
+
+      if (!msg) {
+        console.error("[remote-session] Failed to parse message");
+        return;
+      }
+
+      // Handle based on message type
+      await this.processMessage(session, msg as ClientToMachineMessage, sendResponse);
+    } catch (e) {
+      console.error("[remote-session] Error handling message:", e);
+      await this.sendError(session, sendResponse, "INTERNAL_ERROR", "Failed to process message");
+    }
+  }
+
+  /**
+   * Process a client message
+   */
+  private async processMessage(
+    session: RemoteClientSession,
+    msg: ClientToMachineMessage,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    switch (msg.type) {
+      case "list_workspaces":
+        await this.handleListWorkspaces(session, sendResponse);
+        break;
+
+      case "list_sessions":
+        await this.handleListSessions(session, msg.workspaceId, sendResponse);
+        break;
+
+      case "attach_session":
+        // Permission check for attach_session is done in handleAttachSession
+        // because it depends on whether creating new session or attaching existing
+        await this.handleAttachSession(session, msg, sendResponse);
+        break;
+
+      // Note: resize, detach, and pty_input are handled in attached mode
+      // via client-session-manager using tmux-lite's SessionCtrl protocol,
+      // not through this JSON-RPC handler.
+
+      case "list_projects":
+        await this.handleListProjects(session, sendResponse);
+        break;
+
+      case "kill_session":
+        // Security: Requires management permission
+        if (!canManage(session.accessType)) {
+          await this.sendError(session, sendResponse, "PERMISSION_DENIED", "Requires full access to kill sessions");
+          return;
+        }
+        await this.handleKillSession(session, msg.sessionId, sendResponse);
+        break;
+
+      case "delete_workspace":
+        // Security: Requires management permission
+        if (!canManage(session.accessType)) {
+          await this.sendError(session, sendResponse, "PERMISSION_DENIED", "Requires full access to delete workspaces");
+          return;
+        }
+        await this.handleDeleteWorkspace(session, msg.projectName, msg.workspaceId, sendResponse);
+        break;
+
+      case "get_inbox":
+        await this.handleGetInbox(session, sendResponse);
+        break;
+
+      case "clear_inbox":
+        await this.handleClearInbox(session, msg.id, sendResponse);
+        break;
+
+      case "mark_inbox_read":
+        await this.handleMarkInboxRead(session, msg.id, sendResponse);
+        break;
+
+      default: {
+        // Exhaustiveness check - log unknown message types
+        const unknownMsg = msg as { type: string };
+        console.warn("[remote-session] Unknown message type:", unknownMsg.type);
+      }
+    }
+  }
+
+  /**
+   * Handle list_workspaces request
+   */
+  private async handleListWorkspaces(
+    session: RemoteClientSession,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    const workspaces = await scanWorkspaces();
+
+    // Add session counts from tmux-lite
+    if (this.tmuxLiteAvailable) {
+      try {
+        const sessions = await listSessions();
+        for (const workspace of workspaces) {
+          // Count sessions for this workspace by matching cwd.
+          // Note: Session cwd is set once at creation time and does NOT change
+          // as users navigate within the shell. This is intentional - we want to
+          // show sessions that were *created for* this workspace.
+          workspace.sessionCount = sessions.filter(s => s.cwd === workspace.path).length;
+        }
+      } catch {
+        // Ignore errors - just use 0 session counts
+      }
+    }
+
+    await this.sendMessage(session, sendResponse, {
+      type: "workspace_list",
+      workspaces,
+    });
+  }
+
+  /**
+   * Handle list_sessions request
+   */
+  private async handleListSessions(
+    session: RemoteClientSession,
+    workspaceId: string | undefined,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    let sessions: SessionInfo[] = [];
+
+    if (this.tmuxLiteAvailable) {
+      try {
+        const allSessions = await listSessions();
+        const workspaces = await scanWorkspaces();
+
+        // Build a map of workspace path -> workspace info
+        const workspacePathMap = new Map(workspaces.map(w => [w.path, w]));
+
+        sessions = allSessions
+          .filter(s => {
+            if (!workspaceId) return true;
+            // Filter by workspace using cwd matching
+            // Note: Session cwd is set once at creation time and does NOT change
+            // as users navigate within the shell.
+            const ws = workspacePathMap.get(s.cwd);
+            return ws?.id === workspaceId;
+          })
+          .map(s => {
+            // Find workspace info by cwd
+            const ws = workspacePathMap.get(s.cwd);
+            return {
+              id: s.id,
+              name: s.name,
+              workspaceId: ws?.id ?? "unknown",
+              attached: s.attached,
+              createdAt: s.createdAt,
+              processTitle: s.processTitle,
+              exitCode: s.exitCode,
+            };
+          });
+      } catch (e) {
+        console.error("[remote-session] Failed to list sessions:", e);
+      }
+    }
+
+    await this.sendMessage(session, sendResponse, {
+      type: "session_list",
+      sessions,
+    });
+  }
+
+  /**
+   * Handle attach_session request
+   */
+  private async handleAttachSession(
+    session: RemoteClientSession,
+    msg: { sessionId?: string; workspaceId?: string; sessionName?: string; cols?: number; rows?: number },
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    console.log("[remote-session] handleAttachSession:", JSON.stringify(msg));
+
+    if (!this.tmuxLiteAvailable) {
+      await this.sendError(session, sendResponse, "UNAVAILABLE", "Session manager not available");
+      return;
+    }
+
+    try {
+      let targetSession: Session | null = null;
+
+      // If no session ID, create new session in workspace
+      if (!msg.sessionId && msg.workspaceId) {
+        // Security: Creating new sessions requires full/manage access
+        if (!canManage(session.accessType)) {
+          await this.sendError(session, sendResponse, "PERMISSION_DENIED", "Requires full access to create sessions");
+          return;
+        }
+
+        // Find the workspace path
+        const workspaces = await scanWorkspaces();
+        const workspace = workspaces.find(w => w.id === msg.workspaceId);
+
+        if (!workspace) {
+          await this.sendError(session, sendResponse, "NOT_FOUND", "Workspace not found");
+          return;
+        }
+
+        // Create session name: use provided name or auto-generate
+        let sessionName: string;
+        if (msg.sessionName) {
+          // Use provided name with project:workspace prefix
+          sessionName = `${workspace.projectName}:${workspace.id}:${msg.sessionName}`;
+          console.log(`[remote-session] Using provided session name: ${sessionName}`);
+        } else {
+          // Auto-generate: project:workspace:N
+          const sessions = await listSessions();
+          const existingCount = sessions.filter(s =>
+            s.name.startsWith(`${workspace.projectName}:${workspace.id}:`)
+          ).length;
+          sessionName = `${workspace.projectName}:${workspace.id}:${existingCount + 1}`;
+          console.log(`[remote-session] Auto-generated session name: ${sessionName}`);
+        }
+
+        targetSession = await createSession(sessionName, workspace.path);
+        console.log(`[remote-session] Created session: ${targetSession.name} (id: ${targetSession.id})`)
+      } else if (msg.sessionId) {
+        // Security: Check if client can attach to this session
+        if (!canAttachSession(session.accessType, session.grantedSessionId, msg.sessionId)) {
+          await this.sendError(session, sendResponse, "PERMISSION_DENIED", "Not authorized to attach to this session");
+          return;
+        }
+
+        // Find existing session
+        const sessions = await listSessions();
+        targetSession = sessions.find(s => s.id === msg.sessionId) ?? null;
+      }
+
+      if (!targetSession) {
+        await this.sendError(session, sendResponse, "NOT_FOUND", "Session not found");
+        return;
+      }
+
+      session.state = "attached";
+      session.attachedSessionId = targetSession.id;
+      session.sessionSocketPath = targetSession.socketPath;
+
+      // Send confirmation - ClientSessionManager will connect to the socket
+      await this.sendMessage(session, sendResponse, {
+        type: "attached",
+        sessionId: targetSession.id,
+        sessionName: targetSession.name,
+        cols: msg.cols ?? 80,
+        rows: msg.rows ?? 24,
+      });
+    } catch (e) {
+      console.error("[remote-session] Failed to attach session:", e);
+      await this.sendError(session, sendResponse, "ATTACH_FAILED", "Failed to attach to session");
+    }
+  }
+
+  /**
+   * Handle list_projects request
+   */
+  private async handleListProjects(
+    session: RemoteClientSession,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    try {
+      const projects = loadProjects();
+      await this.sendMessage(session, sendResponse, {
+        type: "project_list",
+        projects: projects.map(p => ({
+          name: p.name,
+          repository: p.repository,
+          workspaceCount: p.workspaceCount,
+          isCurrent: p.isCurrent,
+        })),
+      });
+    } catch (e) {
+      console.error("[remote-session] Failed to list projects:", e);
+      await this.sendError(session, sendResponse, "LIST_FAILED", "Failed to list projects");
+    }
+  }
+
+  /**
+   * Handle kill_session request
+   */
+  private async handleKillSession(
+    session: RemoteClientSession,
+    sessionId: string,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    if (!this.tmuxLiteAvailable) {
+      await this.sendError(session, sendResponse, "UNAVAILABLE", "Session manager not available");
+      return;
+    }
+
+    try {
+      // Look up the session's workspaceId before killing
+      const sessions = await listSessions();
+      const workspaces = await scanWorkspaces();
+      const workspacePathMap = new Map(workspaces.map(w => [w.path, w]));
+      const targetSession = sessions.find(s => s.id === sessionId);
+      const workspace = targetSession ? workspacePathMap.get(targetSession.cwd) : undefined;
+      const workspaceId = workspace?.id ?? "unknown";
+
+      await killSession(sessionId);
+      // Wait a bit for the server to process the kill
+      await new Promise(resolve => setTimeout(resolve, 100));
+      await this.sendMessage(session, sendResponse, {
+        type: "session_killed",
+        sessionId,
+        workspaceId,
+      });
+    } catch (e) {
+      console.error("[remote-session] Failed to kill session:", e);
+      await this.sendError(session, sendResponse, "KILL_FAILED", "Failed to kill session");
+    }
+  }
+
+  /**
+   * Handle delete_workspace request
+   */
+  private async handleDeleteWorkspace(
+    session: RemoteClientSession,
+    projectName: string,
+    workspaceId: string,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    try {
+      const workspacesDir = getProjectWorkspacesDir(projectName);
+      const baseDir = getProjectBaseDir(projectName);
+      const workspacePath = `${workspacesDir}/${workspaceId}`;
+
+      // Get workspace info for branch name
+      const info = await getWorktreeInfo(workspacePath);
+      if (!info) {
+        await this.sendError(session, sendResponse, "NOT_FOUND", "Workspace not found");
+        return;
+      }
+
+      // Remove worktree
+      await removeWorktree(baseDir, workspacePath, true);
+
+      // Try to delete the local branch
+      try {
+        await deleteLocalBranch(baseDir, info.branch, true);
+      } catch {
+        // Branch deletion is best-effort
+      }
+
+      await this.sendMessage(session, sendResponse, {
+        type: "workspace_deleted",
+        workspaceId,
+      });
+    } catch (e) {
+      console.error("[remote-session] Failed to delete workspace:", e);
+      await this.sendError(session, sendResponse, "DELETE_FAILED", "Failed to delete workspace");
+    }
+  }
+
+  /**
+   * Handle get_inbox request
+   */
+  private async handleGetInbox(
+    session: RemoteClientSession,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    try {
+      const items = await getInbox();
+      const unreadCount = items.filter(i => !i.read).length;
+      await this.sendMessage(session, sendResponse, {
+        type: "inbox_list",
+        items,
+        unreadCount,
+      });
+    } catch (e) {
+      console.error("[remote-session] Failed to get inbox:", e);
+      await this.sendError(session, sendResponse, "INBOX_FAILED", "Failed to get inbox");
+    }
+  }
+
+  /**
+   * Handle clear_inbox request
+   */
+  private async handleClearInbox(
+    session: RemoteClientSession,
+    id: string | undefined,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    try {
+      await clearInbox(id);
+      await this.sendMessage(session, sendResponse, {
+        type: "inbox_cleared",
+        id,
+      });
+    } catch (e) {
+      console.error("[remote-session] Failed to clear inbox:", e);
+      await this.sendError(session, sendResponse, "INBOX_FAILED", "Failed to clear inbox");
+    }
+  }
+
+  /**
+   * Handle mark_inbox_read request
+   */
+  private async handleMarkInboxRead(
+    session: RemoteClientSession,
+    id: string,
+    sendResponse: (data: Uint8Array) => void
+  ): Promise<void> {
+    try {
+      await markInboxRead(id);
+      await this.sendMessage(session, sendResponse, {
+        type: "inbox_marked_read",
+        id,
+      });
+    } catch (e) {
+      console.error("[remote-session] Failed to mark inbox read:", e);
+      await this.sendError(session, sendResponse, "INBOX_FAILED", "Failed to mark inbox item as read");
+    }
+  }
+
+  /**
+   * Send an encrypted message to client
+   */
+  private async sendMessage(
+    session: RemoteClientSession,
+    sendResponse: (data: Uint8Array) => void,
+    msg: MachineToClientMessage
+  ): Promise<void> {
+    const json = serializeRemoteMessage(msg);
+    const data = new TextEncoder().encode(json);
+    const frame = await createFrame(0, data, session.sessionKeys.sendKey);
+    sendResponse(frame);
+  }
+
+  /**
+   * Send an error message to client
+   */
+  private async sendError(
+    session: RemoteClientSession,
+    sendResponse: (data: Uint8Array) => void,
+    code: string,
+    message: string
+  ): Promise<void> {
+    await this.sendMessage(session, sendResponse, {
+      type: "error",
+      code,
+      message,
+    });
+  }
+
+  /**
+   * Cleanup
+   */
+  async cleanup(): Promise<void> {
+    // No persistent connection to clean up with the new API
+    this.tmuxLiteAvailable = false;
+  }
+}