heyio 0.1.29 → 0.1.31

package/README.md

@@ -115,6 +115,9 @@ IO stores its configuration at `~/.io/config.json`. The setup wizard (`io setup`
 | `modelTiers.medium` | `string[]` | `["claude-sonnet-4.6", "gpt-5.5", "claude-opus-4.5"]` | Models for standard tasks (features, tests, reviews) |
 | `modelTiers.low` | `string[]` | `["claude-haiku-4.5", "gpt-5.4-mini"]` | Models for simple tasks (reads, formatting, lookups) |
 | `port` | `number` | `3170` | Port for the HTTP server (API + web frontend) |
+| `supabaseUrl` | `string` | — | Supabase project URL (enables web portal authentication) |
+| `supabaseAnonKey` | `string` | — | Supabase anon/public API key |
+| `authorizedEmail` | `string` | — | Email address allowed to access the web portal |
 
 Each `modelTiers` list is a ranked preference — IO picks the first available model at startup.
 
@@ -130,6 +133,9 @@ Each `modelTiers` list is a ranked preference — IO picks the first available m
   "selfEditEnabled": false,
   "defaultModel": "claude-sonnet-4.6",
   "port": 3170,
+  "supabaseUrl": "https://your-project.supabase.co",
+  "supabaseAnonKey": "eyJhbGciOiJIUzI1NiIs...",
+  "authorizedEmail": "you@example.com",
   "modelTiers": {
     "high": ["claude-opus-4.7", "claude-opus-4.6"],
     "medium": ["claude-sonnet-4.6", "gpt-5.5", "claude-opus-4.5"],
@@ -211,6 +217,29 @@ IO includes a Vue 3 web dashboard served directly from the daemon on the same po
 
 Access the web UI at `http://your-server:3170/` when running in daemon mode.
 
+### Authentication
+
+The web portal supports optional Supabase email authentication. When enabled, users must sign in with email and password before accessing the dashboard. Only the configured `authorizedEmail` is allowed access.
+
+**Setup:**
+
+1. Create a [Supabase](https://supabase.com) project (or use an existing one)
+2. Enable the **Email** auth provider in Supabase → Authentication → Providers
+3. Create your user account in Supabase → Authentication → Users
+4. Add the following to `~/.io/config.json`:
+
+```jsonc
+{
+  "supabaseUrl": "https://your-project.supabase.co",
+  "supabaseAnonKey": "eyJhbGciOiJIUzI1NiIs...",
+  "authorizedEmail": "you@example.com"
+}
+```
+
+5. Restart IO — the web portal will now require login
+
+> **Note:** Auth is completely optional. If `supabaseUrl` is not configured, the portal runs without authentication (open access).
+
 ## 🏗️ Project Structure
 
 ```
@@ -241,12 +270,15 @@ src/
 ├── tui/
 │   └── index.ts          # Terminal UI
 └── api/
+    ├── auth.ts           # Supabase JWT auth middleware
     └── server.ts         # Express HTTP + SSE + static frontend
 
 web/                        # Vue 3 frontend (built to web-dist/)
 ├── src/
-│   ├── views/            # ChatView, SquadsView, SkillsView, AgentActivityView
-│   ├── router/           # Vue Router config
+│   ├── lib/              # supabase.ts, api.ts (auth helpers)
+│   ├── stores/           # Pinia stores (chat, auth)
+│   ├── views/            # ChatView, SquadsView, SkillsView, AgentActivityView, LoginView
+│   ├── router/           # Vue Router config + auth guard
 │   └── main.ts           # App entry
 ├── vite.config.ts        # Vite config (builds to ../web-dist/)
 └── package.json

package/dist/api/auth.js

@@ -0,0 +1,44 @@
+import { config } from "../config.js";
+/**
+ * Express middleware that validates Supabase JWT tokens.
+ * If auth is not configured (no supabaseUrl), all requests pass through.
+ */
+export function requireAuth(req, res, next) {
+    // Auth not configured — pass through
+    if (!config.supabaseUrl || !config.supabaseAnonKey) {
+        next();
+        return;
+    }
+    const authHeader = req.headers.authorization;
+    const queryToken = req.query.token;
+    const bearerToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : undefined;
+    const token = bearerToken ?? queryToken;
+    if (!token) {
+        res.status(401).json({ error: "Missing or invalid authorization" });
+        return;
+    }
+    // Verify token by calling Supabase's /auth/v1/user endpoint
+    fetch(`${config.supabaseUrl}/auth/v1/user`, {
+        headers: {
+            Authorization: `Bearer ${token}`,
+            apikey: config.supabaseAnonKey,
+        },
+    })
+        .then(async (resp) => {
+        if (!resp.ok) {
+            res.status(401).json({ error: "Invalid or expired token" });
+            return;
+        }
+        const user = (await resp.json());
+        // Check authorized email if configured
+        if (config.authorizedEmail && user.email !== config.authorizedEmail) {
+            res.status(403).json({ error: "Unauthorized user" });
+            return;
+        }
+        next();
+    })
+        .catch(() => {
+        res.status(500).json({ error: "Auth verification failed" });
+    });
+}
+//# sourceMappingURL=auth.js.map

package/dist/api/server.js

@@ -7,6 +7,7 @@ import { listSkills } from "../copilot/skills.js";
 import { listSquads, createSquad } from "../store/squads.js";
 import { getAgentInfo } from "../copilot/agents.js";
 import { IO_VERSION } from "../paths.js";
+import { requireAuth } from "./auth.js";
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const WEB_DIST = path.resolve(__dirname, "../../web-dist");
 let messageHandler;
@@ -31,9 +32,20 @@ export async function startApiServer() {
     });
     // Build API router
     const api = express.Router();
+    // Public endpoints (no auth required)
     api.get("/health", (_req, res) => {
         res.json({ status: "ok" });
     });
+    api.get("/auth/config", (_req, res) => {
+        const authEnabled = !!(config.supabaseUrl && config.supabaseAnonKey);
+        res.json({
+            authEnabled,
+            supabaseUrl: config.supabaseUrl ?? null,
+            supabaseAnonKey: config.supabaseAnonKey ?? null,
+        });
+    });
+    // Apply auth middleware to all subsequent routes
+    api.use(requireAuth);
     api.get("/status", (_req, res) => {
         res.json({ version: IO_VERSION, uptime: process.uptime() });
     });
@@ -120,17 +132,20 @@ export async function startApiServer() {
             sseConnections.delete(res);
         });
     });
-    // Mount API at /api (for frontend) and / (backward compat)
+    // Mount API at /api (for frontend)
     app.use("/api", api);
-    app.use("/", api);
-    // Serve Vue frontend if built assets exist
+    // Serve Vue frontend if built assets exist (before backward-compat API mount)
     if (existsSync(WEB_DIST)) {
         app.use(express.static(WEB_DIST));
-        // SPA fallback — serve index.html for any non-API route
+        console.log("[io] Web frontend enabled");
+    }
+    // Backward-compat: mount API at / (after static files so HTML/CSS/JS are served first)
+    app.use("/", api);
+    // SPA fallback — serve index.html for any unmatched route
+    if (existsSync(WEB_DIST)) {
         app.get("/{*splat}", (_req, res) => {
             res.sendFile(path.join(WEB_DIST, "index.html"));
         });
-        console.log("[io] Web frontend enabled");
     }
     return new Promise((resolve) => {
         app.listen(config.port, () => {

package/dist/copilot/tools.js

@@ -292,7 +292,7 @@ export function createTools(deps) {
         skipPermission: true,
         parameters: z.object({
             key: z
-                .enum(["defaultModel", "telegramEnabled", "selfEditEnabled", "port"])
+                .enum(["defaultModel", "telegramEnabled", "selfEditEnabled", "port", "authorizedEmail"])
                 .describe("Config key to update"),
             value: z
                 .union([z.string(), z.number(), z.boolean()])

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "heyio",
-  "version": "0.1.29",
+  "version": "0.1.31",
   "description": "IO — a personal AI assistant built on the GitHub Copilot SDK",
   "bin": {
     "io": "dist/index.js"