heyhank 0.1.0

package/server/auth-manager.ts

@@ -0,0 +1,150 @@
+import { randomBytes, timingSafeEqual } from "node:crypto";
+import { mkdirSync, readFileSync, writeFileSync, existsSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { homedir } from "node:os";
+import { networkInterfaces } from "node:os";
+
+const AUTH_FILE = join(homedir(), ".heyhank", "auth.json");
+const TOKEN_BYTES = 32; // 64 hex characters
+
+interface AuthData {
+  token: string;
+  createdAt: number;
+}
+
+let cachedToken: string | null = null;
+
+/**
+ * Get the auth token. Priority:
+ * 1. HEYHANK_AUTH_TOKEN env var (falls back to COMPANION_AUTH_TOKEN)
+ * 2. Persisted token from ~/.heyhank/auth.json
+ * 3. Auto-generate and persist a new token
+ */
+export function getToken(): string {
+  // Env var override (always takes priority)
+  const envToken = process.env.HEYHANK_AUTH_TOKEN || process.env.COMPANION_AUTH_TOKEN;
+  if (envToken && envToken.trim()) {
+    cachedToken = envToken.trim();
+    return cachedToken;
+  }
+
+  // Return cached token if available
+  if (cachedToken) return cachedToken;
+
+  // Try reading from file
+  try {
+    if (existsSync(AUTH_FILE)) {
+      const raw = readFileSync(AUTH_FILE, "utf-8");
+      const data = JSON.parse(raw) as Partial<AuthData>;
+      if (typeof data.token === "string" && data.token.length >= 32) {
+        cachedToken = data.token;
+        return cachedToken;
+      }
+    }
+  } catch {
+    // File corrupt or unreadable — generate new
+  }
+
+  // Generate new token
+  const token = randomBytes(TOKEN_BYTES).toString("hex");
+  const data: AuthData = { token, createdAt: Date.now() };
+  try {
+    mkdirSync(dirname(AUTH_FILE), { recursive: true });
+    writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
+  } catch (err) {
+    console.error("[auth] Failed to persist auth token:", err);
+  }
+  cachedToken = token;
+  return token;
+}
+
+/**
+ * Verify a candidate token using constant-time comparison.
+ */
+export function verifyToken(candidate: string | null | undefined): boolean {
+  if (!candidate) return false;
+  const expected = getToken();
+  const candidateBuf = Buffer.from(candidate);
+  const expectedBuf = Buffer.from(expected);
+  if (candidateBuf.length !== expectedBuf.length) return false;
+  return timingSafeEqual(candidateBuf, expectedBuf);
+}
+
+/**
+ * Get the primary LAN IP address for QR code URL generation.
+ * Falls back to "localhost" if no LAN IP is found.
+ */
+export function getLanAddress(): string {
+  const interfaces = networkInterfaces();
+  for (const name of Object.keys(interfaces)) {
+    const addrs = interfaces[name];
+    if (!addrs) continue;
+    for (const addr of addrs) {
+      if (addr.family === "IPv4" && !addr.internal) {
+        return addr.address;
+      }
+    }
+  }
+  return "localhost";
+}
+
+/**
+ * Get all available access addresses: localhost, LAN IP, and Tailscale IP.
+ * Tailscale uses 100.x.x.x addresses (CGNAT range) on utun / tailscale interfaces.
+ */
+export function getAllAddresses(): { label: string; ip: string }[] {
+  const result: { label: string; ip: string }[] = [
+    { label: "Localhost", ip: "localhost" },
+  ];
+
+  const interfaces = networkInterfaces();
+  let lanIp: string | null = null;
+  let tailscaleIp: string | null = null;
+
+  for (const name of Object.keys(interfaces)) {
+    const addrs = interfaces[name];
+    if (!addrs) continue;
+    for (const addr of addrs) {
+      if (addr.family !== "IPv4" || addr.internal) continue;
+
+      // Tailscale uses 100.64.0.0/10 (CGNAT) — detect by IP range
+      if (addr.address.startsWith("100.")) {
+        const second = parseInt(addr.address.split(".")[1], 10);
+        if (second >= 64 && second <= 127) {
+          tailscaleIp = addr.address;
+          continue;
+        }
+      }
+
+      if (!lanIp) lanIp = addr.address;
+    }
+  }
+
+  if (lanIp) result.push({ label: "LAN", ip: lanIp });
+  if (tailscaleIp) result.push({ label: "Tailscale", ip: tailscaleIp });
+
+  return result;
+}
+
+/**
+ * Regenerate the auth token — creates a new random token, persists it,
+ * and returns the new value.  Existing sessions using the old token will
+ * be invalidated on their next request.
+ */
+export function regenerateToken(): string {
+  const token = randomBytes(TOKEN_BYTES).toString("hex");
+  const data: AuthData = { token, createdAt: Date.now() };
+  try {
+    mkdirSync(dirname(AUTH_FILE), { recursive: true });
+    writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
+  } catch (err) {
+    console.error("[auth] Failed to persist regenerated token:", err);
+  }
+  cachedToken = token;
+  return token;
+}
+
+/** Reset cached state — for testing only */
+export function _resetForTest(): void {
+  cachedToken = null;
+}

package/server/auto-approve.ts

@@ -0,0 +1,153 @@
+// ─── Auto-Approve System ─────────────────────────────────────────────────────
+// Agent Max 2.0 can automatically approve/deny permission requests
+// for trusted agents based on risk assessment rules.
+
+import type { AgentConfig } from "./agent-types.js";
+import * as agentStore from "./agent-store.js";
+import { isKilled } from "./kill-switch.js";
+
+// ─── Types ───────────────────────────────────────────────────────────────────
+
+export interface AutoApproveRule {
+  /** Agent ID this rule applies to ("*" for all) */
+  agentId: string;
+  /** Tool names to auto-approve (empty = all) */
+  allowedTools: string[];
+  /** Tool names to always deny */
+  deniedTools: string[];
+  /** Whether to auto-approve all safe verdicts */
+  autoApproveSafe: boolean;
+  /** Whether to auto-deny all dangerous verdicts */
+  autoDenyDangerous: boolean;
+  /** Max cost per action before requiring manual approval (USD) */
+  maxCostPerAction?: number;
+}
+
+export interface PermissionEvaluation {
+  action: "approve" | "deny" | "manual";
+  reason: string;
+}
+
+// ─── Default Rules ───────────────────────────────────────────────────────────
+
+const DEFAULT_RULES: AutoApproveRule[] = [
+  {
+    // Monitoring Agent: read-only, always approve
+    agentId: "monitoring-agent",
+    allowedTools: ["bash", "read", "glob", "grep"],
+    deniedTools: ["write", "edit"],
+    autoApproveSafe: true,
+    autoDenyDangerous: true,
+  },
+  {
+    // Coding Agent: full access, approve safe, manual for dangerous
+    agentId: "coding-agent",
+    allowedTools: [],
+    deniedTools: [],
+    autoApproveSafe: true,
+    autoDenyDangerous: false,
+  },
+  {
+    // Default: approve safe, deny dangerous
+    agentId: "*",
+    allowedTools: [],
+    deniedTools: [],
+    autoApproveSafe: true,
+    autoDenyDangerous: true,
+  },
+];
+
+// ─── Dangerous Patterns ──────────────────────────────────────────────────────
+
+const DANGEROUS_BASH_PATTERNS = [
+  /rm\s+-rf?\s+\//,       // rm -rf /
+  /mkfs/,                   // format disk
+  /dd\s+if=/,              // dd
+  />\s*\/dev\/sd/,         // write to disk device
+  /chmod\s+777/,           // world-writable
+  /curl.*\|\s*(ba)?sh/,    // curl | bash
+  /wget.*\|\s*(ba)?sh/,    // wget | bash
+  /:(){ :\|:& };:/,       // fork bomb
+  /--force.*push/,         // force push
+  /git\s+push.*--force/,   // git force push
+  /DROP\s+(TABLE|DATABASE)/i, // SQL drop
+  /DELETE\s+FROM.*WHERE\s+1/i, // SQL mass delete
+];
+
+const SAFE_READ_ONLY_TOOLS = new Set([
+  "Read", "Glob", "Grep", "WebSearch", "WebFetch",
+  "TaskGet", "TaskList",
+]);
+
+// ─── Evaluation ──────────────────────────────────────────────────────────────
+
+/** Evaluate whether to auto-approve a permission request. */
+export function evaluate(
+  agentId: string,
+  toolName: string,
+  toolInput: Record<string, unknown>,
+  aiVerdict?: "safe" | "dangerous" | "uncertain",
+): PermissionEvaluation {
+  // Kill switch overrides everything
+  if (isKilled()) {
+    return { action: "deny", reason: "Kill switch active" };
+  }
+
+  // Find matching rule (specific agent first, then wildcard)
+  const rule =
+    DEFAULT_RULES.find((r) => r.agentId === agentId) ||
+    DEFAULT_RULES.find((r) => r.agentId === "*");
+
+  if (!rule) {
+    return { action: "manual", reason: "No matching rule" };
+  }
+
+  // Check denied tools
+  if (rule.deniedTools.length > 0 && rule.deniedTools.includes(toolName.toLowerCase())) {
+    return { action: "deny", reason: `Tool "${toolName}" is denied for agent` };
+  }
+
+  // Check allowed tools (if specified, only these are allowed)
+  if (rule.allowedTools.length > 0 && !rule.allowedTools.includes(toolName.toLowerCase())) {
+    return { action: "deny", reason: `Tool "${toolName}" not in allowed list` };
+  }
+
+  // Read-only tools are always safe
+  if (SAFE_READ_ONLY_TOOLS.has(toolName)) {
+    return { action: "approve", reason: "Read-only tool" };
+  }
+
+  // Check bash commands for dangerous patterns
+  if (toolName.toLowerCase() === "bash" || toolName === "Bash") {
+    const command = String(toolInput?.command || toolInput?.cmd || "");
+    for (const pattern of DANGEROUS_BASH_PATTERNS) {
+      if (pattern.test(command)) {
+        return { action: "deny", reason: `Dangerous bash pattern: ${pattern}` };
+      }
+    }
+  }
+
+  // Use AI verdict if available
+  if (aiVerdict === "safe" && rule.autoApproveSafe) {
+    return { action: "approve", reason: "AI verdict: safe" };
+  }
+  if (aiVerdict === "dangerous" && rule.autoDenyDangerous) {
+    return { action: "deny", reason: "AI verdict: dangerous" };
+  }
+
+  // Default to manual review
+  return { action: "manual", reason: "Requires manual review" };
+}
+
+/** Check if an agent session should use auto-approve. */
+export function shouldAutoApprove(agentId: string): boolean {
+  const agent = agentStore.getAgent(agentId);
+  if (!agent) return false;
+  // Auto-approve for agents running with bypassPermissions
+  return agent.permissionMode === "bypassPermissions";
+}
+
+/** Get all rules (for admin UI). */
+export function getRules(): AutoApproveRule[] {
+  return [...DEFAULT_RULES];
+}

package/server/auto-namer.ts

@@ -0,0 +1,36 @@
+import { callInternalAI } from "./internal-ai.js";
+
+function sanitizeTitle(raw: string): string | null {
+  const title = raw.replace(/^"|"$/g, "").replace(/^'|'$/g, "").trim();
+  if (!title || title.length >= 100) return null;
+  return title;
+}
+
+/**
+ * Generates a short session title using the configured internal AI provider.
+ * Returns null if no provider is configured or if generation fails.
+ */
+export async function generateSessionTitle(
+  firstUserMessage: string,
+  _model: string,
+  options?: {
+    timeoutMs?: number;
+  },
+): Promise<string | null> {
+  const truncated = firstUserMessage.slice(0, 500);
+  const userPrompt = `Generate a concise 3-5 word session title for this user request. Output only the title.\n\nRequest: ${truncated}`;
+
+  const result = await callInternalAI({
+    userPrompt,
+    maxTokens: 256,
+    temperature: 0.2,
+    timeoutMs: options?.timeoutMs || 15_000,
+  });
+
+  if (!result.ok) {
+    console.warn(`[auto-namer] Failed to generate title: ${result.error}`);
+    return null;
+  }
+
+  return sanitizeTitle(result.text);
+}

package/server/backend-adapter.ts

@@ -0,0 +1,54 @@
+import type { BrowserIncomingMessage, BrowserOutgoingMessage } from "./session-types.js";
+
+// ─── Unified Backend Adapter Interface ───────────────────────────────────────
+// Both Claude Code (NDJSON WebSocket) and Codex (JSON-RPC stdio/WS) implement
+// this so that application code never branches on BackendType for message routing.
+
+/**
+ * Unified interface for backend communication.
+ *
+ * Adapters translate between the backend-native protocol and the common
+ * BrowserIncomingMessage / BrowserOutgoingMessage types used by the bridge
+ * and the frontend.
+ */
+export interface IBackendAdapter {
+  /** Send a browser-originated message to the backend. Returns true if accepted. */
+  send(msg: BrowserOutgoingMessage): boolean;
+
+  /** Whether the backend transport is currently connected and ready. */
+  isConnected(): boolean;
+
+  /** Gracefully disconnect the backend transport. */
+  disconnect(): Promise<void>;
+
+  // ── Event registration (called once at attachment time) ──
+
+  /**
+   * Register callback for messages to forward to browsers.
+   * The adapter translates backend-native protocol into BrowserIncomingMessage.
+   */
+  onBrowserMessage(cb: (msg: BrowserIncomingMessage) => void): void;
+
+  /**
+   * Register callback for session metadata updates (CLI session ID, model, cwd).
+   * Used for --resume tracking and state synchronization.
+   */
+  onSessionMeta(cb: (meta: { cliSessionId?: string; model?: string; cwd?: string }) => void): void;
+
+  /** Register callback for transport disconnection. */
+  onDisconnect(cb: () => void): void;
+
+  /** Register callback for initialization errors. */
+  onInitError?(cb: (error: string) => void): void;
+
+  // ── Optional capabilities (not all backends support these) ──
+
+  /** Return backend-specific rate limits, if available (Codex only). */
+  getRateLimits?(): {
+    primary: { usedPercent: number; windowDurationMins: number; resetsAt: number } | null;
+    secondary: { usedPercent: number; windowDurationMins: number; resetsAt: number } | null;
+  } | null;
+
+  /** Handle transport-level close (used when WS proxy drops). */
+  handleTransportClose?(): void;
+}

package/server/cache-headers.ts

@@ -0,0 +1,61 @@
+import type { MiddlewareHandler } from "hono";
+
+/**
+ * Hono middleware that sets Cache-Control headers for production static assets.
+ *
+ * Must be registered BEFORE serveStatic so it can modify the response headers
+ * after the static file is served (via await next()).
+ *
+ * Header strategy:
+ * - sw.js / workbox-*.js: no-cache (browser must revalidate on each load)
+ * - index.html: no-cache (fresh HTML triggers SW update detection)
+ * - manifest.json: no-cache (browser checks on each visit)
+ * - /assets/*: immutable, 1 year (Vite content-hashed filenames)
+ * - /fonts/*.woff2: immutable, 1 year (stable font files)
+ * - Icons/images: 1 day cache
+ */
+export function cacheControlMiddleware(): MiddlewareHandler {
+  return async (c, next) => {
+    await next();
+
+    // Only set cache headers on successful responses
+    if (c.res.status !== 200) return;
+
+    const path = c.req.path;
+
+    // Service worker files: browsers must always revalidate
+    if (path === "/sw.js" || path.startsWith("/workbox-")) {
+      c.header("Cache-Control", "no-cache");
+      return;
+    }
+
+    // index.html (served for / and /index.html): must be fresh
+    if (path === "/" || path === "/index.html") {
+      c.header("Cache-Control", "no-cache");
+      return;
+    }
+
+    // manifest.json: must be fresh
+    if (path === "/manifest.json") {
+      c.header("Cache-Control", "no-cache");
+      return;
+    }
+
+    // Vite hashed assets: immutable (filename changes on content change)
+    if (path.startsWith("/assets/")) {
+      c.header("Cache-Control", "public, max-age=31536000, immutable");
+      return;
+    }
+
+    // Font files: immutable
+    if (path.startsWith("/fonts/") && path.endsWith(".woff2")) {
+      c.header("Cache-Control", "public, max-age=31536000, immutable");
+      return;
+    }
+
+    // Other static files (icons, images): cache for 1 day
+    if (path.endsWith(".png") || path.endsWith(".svg") || path.endsWith(".ico")) {
+      c.header("Cache-Control", "public, max-age=86400");
+    }
+  };
+}