khal-os 1.260324.2

package/src/lib/ws-bridge.ts

@@ -0,0 +1,288 @@
+// @ts-nocheck
+import { extractTrace, injectTrace, newSpan } from '@genie-os/sdk/service/trace';
+import type { NatsConnection, Subscription } from '@nats-io/transport-node';
+import { headers } from '@nats-io/transport-node';
+import type { ServerWebSocket } from 'bun';
+import { SUBJECT_PERMISSIONS } from '@/components/apps/app-manifest';
+import type { Session } from './auth/types';
+import { getNatsConnection } from './nats';
+import type { ErrorFrame, ReplyFrame } from './ws-protocol';
+
+const MAX_SUBSCRIPTIONS = 100;
+const REQUEST_TIMEOUT_MS = 5000;
+const ALLOWED_PREFIX = 'khal.';
+const MAX_MESSAGES_PER_SECOND = 100;
+const RATE_LIMIT_WINDOW_MS = 1000;
+
+export class NatsBridge {
+	private subscriptions = new Map<string, Subscription>();
+	private nc: NatsConnection | null = null;
+	private closed = false;
+	private ready: Promise<void>;
+	private resolveReady!: () => void;
+	private messageCount = 0;
+	private rateLimitResetAt = Date.now() + RATE_LIMIT_WINDOW_MS;
+
+	readonly orgId: string;
+	readonly userId: string;
+	readonly role: string;
+	readonly permissions: string[];
+
+	constructor(session: Session) {
+		this.orgId = session.orgId;
+		this.userId = session.userId;
+		this.role = session.role;
+		this.permissions = session.permissions;
+
+		this.ready = new Promise<void>((resolve) => {
+			this.resolveReady = resolve;
+		});
+	}
+
+	/**
+	 * Inject server-verified userId into outbound payloads.
+	 * Services must read `_authUserId` instead of client-supplied `userId`.
+	 */
+	private enrichPayload(data: unknown): string {
+		if (data === undefined || data === null) {
+			return JSON.stringify({ _authUserId: this.userId });
+		}
+		if (typeof data === 'object' && data !== null) {
+			return JSON.stringify({ ...(data as Record<string, unknown>), _authUserId: this.userId });
+		}
+		// Wrap primitives so _authUserId is always present
+		return JSON.stringify({ data, _authUserId: this.userId });
+	}
+
+	private checkRateLimit(): boolean {
+		const now = Date.now();
+		if (now > this.rateLimitResetAt) {
+			this.messageCount = 0;
+			this.rateLimitResetAt = now + RATE_LIMIT_WINDOW_MS;
+		}
+		this.messageCount++;
+		return this.messageCount <= MAX_MESSAGES_PER_SECOND;
+	}
+
+	async init(): Promise<void> {
+		this.nc = await getNatsConnection();
+		this.resolveReady();
+	}
+
+	async handleMessage(ws: ServerWebSocket<unknown>, raw: string | Buffer): Promise<void> {
+		await this.ready;
+
+		if (!this.checkRateLimit()) {
+			this.sendError(ws, 'rate limit exceeded');
+			return;
+		}
+
+		const text = typeof raw === 'string' ? raw : raw.toString();
+
+		const frame = this.parseFrame(text);
+		if (!frame) {
+			this.sendError(ws, 'invalid JSON');
+			return;
+		}
+
+		if (!frame.op || typeof frame.op !== 'string') {
+			this.sendError(ws, 'missing or invalid "op" field');
+			return;
+		}
+
+		if (frame.subject && !this.isAllowedSubject(frame.subject)) {
+			this.sendError(ws, 'subject not allowed', frame.subject);
+			return;
+		}
+
+		await this.dispatch(ws, frame);
+	}
+
+	private parseFrame(
+		text: string
+	): { op?: string; subject?: string; data?: unknown; id?: string; _trace?: { traceId?: string } } | null {
+		try {
+			return JSON.parse(text);
+		} catch {
+			return null;
+		}
+	}
+
+	private async dispatch(
+		ws: ServerWebSocket<unknown>,
+		frame: { op?: string; subject?: string; data?: unknown; id?: string; _trace?: { traceId?: string } }
+	): Promise<void> {
+		switch (frame.op) {
+			case 'sub':
+				if (!frame.subject) return this.sendError(ws, 'sub: missing "subject"');
+				await this.handleSub(ws, frame.subject);
+				break;
+			case 'unsub':
+				if (!frame.subject) return this.sendError(ws, 'unsub: missing "subject"');
+				this.handleUnsub(ws, frame.subject);
+				break;
+			case 'pub':
+				if (!frame.subject) return this.sendError(ws, 'pub: missing "subject"');
+				this.handlePub(ws, frame.subject, frame.data, frame._trace);
+				break;
+			case 'req':
+				if (!frame.subject || !frame.id) return this.sendError(ws, 'req: missing "subject" or "id"');
+				await this.handleReq(ws, frame.id, frame.subject, frame.data, frame._trace);
+				break;
+			default:
+				this.sendError(ws, `unknown op: ${frame.op}`);
+		}
+	}
+
+	private async handleSub(ws: ServerWebSocket<unknown>, subject: string): Promise<void> {
+		if (this.subscriptions.has(subject)) {
+			this.sendError(ws, `already subscribed to ${subject}`, subject);
+			return;
+		}
+
+		if (this.subscriptions.size >= MAX_SUBSCRIPTIONS) {
+			this.sendError(ws, `max subscriptions (${MAX_SUBSCRIPTIONS}) reached`, subject);
+			return;
+		}
+
+		if (!this.nc) {
+			this.sendError(ws, 'NATS not connected', subject);
+			return;
+		}
+
+		console.log(`[ws-bridge] sub ${subject} (org=${this.orgId})`);
+		const sub = this.nc.subscribe(subject);
+		this.subscriptions.set(subject, sub);
+
+		// Forward messages to WS in background
+		(async () => {
+			for await (const msg of sub) {
+				if (this.closed) break;
+				try {
+					ws.send(JSON.stringify(this.buildMsgFrame(msg)));
+				} catch {
+					// WS already closed
+					break;
+				}
+			}
+		})();
+	}
+
+	private handleUnsub(ws: ServerWebSocket<unknown>, subject: string): void {
+		const sub = this.subscriptions.get(subject);
+		if (!sub) {
+			this.sendError(ws, `not subscribed to ${subject}`, subject);
+			return;
+		}
+		console.log(`[ws-bridge] unsub ${subject} (org=${this.orgId})`);
+		sub.unsubscribe();
+		this.subscriptions.delete(subject);
+	}
+
+	/** Build a WS MsgFrame from a NATS message, enriching with trace context from headers. */
+	private buildMsgFrame(
+		msg: Parameters<typeof extractTrace>[0] & { data: Uint8Array; subject: string }
+	): Record<string, unknown> {
+		let data: unknown;
+		try {
+			data = msg.data.length > 0 ? (msg as { json(): unknown }).json() : null;
+		} catch {
+			data = (msg as { string(): string }).string();
+		}
+		const trace = extractTrace(msg);
+		const frame: Record<string, unknown> = { subject: msg.subject, data };
+		if (trace.traceId) {
+			frame._trace = { traceId: trace.traceId, spanId: trace.spanId };
+		}
+		return frame;
+	}
+
+	private handlePub(
+		_ws: ServerWebSocket<unknown>,
+		subject: string,
+		data: unknown,
+		wsTrace?: { traceId?: string }
+	): void {
+		if (!this.nc) return;
+		console.log(`[ws-bridge] pub ${subject} (org=${this.orgId})`);
+		const trace = newSpan(wsTrace?.traceId);
+		const hdrs = injectTrace(headers(), trace);
+		this.nc.publish(subject, this.enrichPayload(data), { headers: hdrs });
+	}
+
+	private async handleReq(
+		ws: ServerWebSocket<unknown>,
+		id: string,
+		subject: string,
+		data: unknown,
+		wsTrace?: { traceId?: string }
+	): Promise<void> {
+		if (!this.nc) {
+			this.sendError(ws, 'NATS not connected', subject);
+			return;
+		}
+		console.log(`[ws-bridge] req ${subject} id=${id} (org=${this.orgId})`);
+		const trace = newSpan(wsTrace?.traceId);
+		const hdrs = injectTrace(headers(), trace);
+		try {
+			const reply = await this.nc.request(subject, this.enrichPayload(data), {
+				timeout: REQUEST_TIMEOUT_MS,
+				headers: hdrs,
+			});
+			let replyData: unknown;
+			try {
+				replyData = reply.data.length > 0 ? reply.json() : null;
+			} catch {
+				replyData = reply.string();
+			}
+			// Propagate trace context back to the browser
+			const replyTrace = extractTrace(reply);
+			const frame: ReplyFrame & { _trace?: { traceId: string; spanId?: string } } = { id, data: replyData };
+			frame._trace = {
+				traceId: replyTrace.traceId || trace.traceId,
+				spanId: replyTrace.spanId || trace.spanId,
+			};
+			ws.send(JSON.stringify(frame));
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			this.sendError(ws, `req failed: ${message}`, subject);
+		}
+	}
+
+	async cleanup(): Promise<void> {
+		this.closed = true;
+		console.log(`[ws-bridge] cleanup: ${this.subscriptions.size} subscription(s)`);
+		for (const [subject, sub] of this.subscriptions) {
+			console.log(`[ws-bridge] unsubscribing ${subject}`);
+			sub.unsubscribe();
+		}
+		this.subscriptions.clear();
+	}
+
+	private isAllowedSubject(subject: string): boolean {
+		if (!subject.startsWith(ALLOWED_PREFIX)) {
+			return false;
+		}
+		// Enforce org-scoped access: subject must be khal.<orgId>.*
+		const orgPrefix = `khal.${this.orgId}.`;
+		if (!subject.startsWith(orgPrefix)) {
+			return false;
+		}
+		// Enforce app-level permissions (defined per-app in subjects.ts)
+		const segment = subject.slice(orgPrefix.length).split('.')[0];
+		const requiredPermission = SUBJECT_PERMISSIONS[segment];
+		if (requiredPermission && !this.permissions.includes(requiredPermission)) {
+			return false;
+		}
+		return true;
+	}
+
+	private sendError(ws: ServerWebSocket<unknown>, error: string, subject?: string): void {
+		const frame: ErrorFrame = { error, ...(subject ? { subject } : {}) };
+		try {
+			ws.send(JSON.stringify(frame));
+		} catch {
+			// WS already closed
+		}
+	}
+}

package/src/lib/ws-protocol.ts

@@ -0,0 +1,53 @@
+import { Static, Type } from '@sinclair/typebox';
+
+// Client -> Server frames
+
+export const SubFrame = Type.Object({
+	op: Type.Literal('sub'),
+	subject: Type.String(),
+});
+export type SubFrame = Static<typeof SubFrame>;
+
+export const UnsubFrame = Type.Object({
+	op: Type.Literal('unsub'),
+	subject: Type.String(),
+});
+export type UnsubFrame = Static<typeof UnsubFrame>;
+
+export const PubFrame = Type.Object({
+	op: Type.Literal('pub'),
+	subject: Type.String(),
+	data: Type.Optional(Type.Unknown()),
+});
+export type PubFrame = Static<typeof PubFrame>;
+
+export const ReqFrame = Type.Object({
+	op: Type.Literal('req'),
+	id: Type.String(),
+	subject: Type.String(),
+	data: Type.Optional(Type.Unknown()),
+});
+export type ReqFrame = Static<typeof ReqFrame>;
+
+export const ClientFrame = Type.Union([SubFrame, UnsubFrame, PubFrame, ReqFrame]);
+export type ClientFrame = Static<typeof ClientFrame>;
+
+// Server -> Client frames
+
+export const MsgFrame = Type.Object({
+	subject: Type.String(),
+	data: Type.Unknown(),
+});
+export type MsgFrame = Static<typeof MsgFrame>;
+
+export const ReplyFrame = Type.Object({
+	id: Type.String(),
+	data: Type.Unknown(),
+});
+export type ReplyFrame = Static<typeof ReplyFrame>;
+
+export const ErrorFrame = Type.Object({
+	error: Type.String(),
+	subject: Type.Optional(Type.String()),
+});
+export type ErrorFrame = Static<typeof ErrorFrame>;

package/src/lib/ws-server.ts

@@ -0,0 +1,167 @@
+// @ts-nocheck
+import type { ServerWebSocket } from 'bun';
+import { unsealData } from 'iron-session';
+import { decodeJwt } from 'jose';
+import { DEFAULT_ROLE_PERMISSIONS } from '@/components/apps/app-manifest';
+import { normalizeRole } from './auth/roles';
+import type { Session } from './auth/types';
+import { NatsBridge } from './ws-bridge';
+
+const PORT = Number(process.env.WS_BRIDGE_PORT) || 4280;
+const COOKIE_NAME = process.env.WORKOS_COOKIE_NAME || 'wos-session';
+const COOKIE_PASSWORD = process.env.WORKOS_COOKIE_PASSWORD || '';
+
+const INSTANCE_ID = process.env.KHAL_INSTANCE_ID;
+if (!INSTANCE_ID || INSTANCE_ID.trim() === '') {
+	console.error('[ws-server] FATAL: KHAL_INSTANCE_ID env var is required and must be non-empty');
+	process.exit(1);
+}
+
+interface WsData {
+	session: Session;
+}
+
+const bridges = new WeakMap<ServerWebSocket<WsData>, NatsBridge>();
+
+/**
+ * Parse a specific cookie value from a Cookie header string.
+ */
+function parseCookie(cookieHeader: string, name: string): string | undefined {
+	const cookies = cookieHeader.split(';');
+	for (const cookie of cookies) {
+		const [key, ...rest] = cookie.split('=');
+		if (key.trim() === name) {
+			return rest.join('=').trim();
+		}
+	}
+	return undefined;
+}
+
+/**
+ * Verify the WorkOS AuthKit session cookie and extract session data.
+ *
+ * The cookie is sealed with iron-session using WORKOS_COOKIE_PASSWORD.
+ * Inside is a WorkOS Session containing an accessToken JWT with org_id, role, and permissions.
+ */
+async function verifySessionCookie(cookieHeader: string | null): Promise<Session | null> {
+	if (!cookieHeader) return null;
+	if (!COOKIE_PASSWORD) {
+		console.error('[ws-server] WORKOS_COOKIE_PASSWORD not set, cannot verify session');
+		return null;
+	}
+
+	const sealedValue = parseCookie(cookieHeader, COOKIE_NAME);
+	if (!sealedValue) return null;
+
+	try {
+		// Unseal the iron-session encrypted cookie
+		const workosSession = await unsealData<{ accessToken: string; refreshToken: string }>(sealedValue, {
+			password: COOKIE_PASSWORD,
+		});
+
+		if (!workosSession.accessToken) return null;
+
+		// Decode the JWT to extract org_id, role, permissions
+		// Note: We decode (not verify) here. The cookie was already authenticated
+		// via iron-session's encryption — the JWT signature provides additional
+		// integrity but the HMAC seal is the primary trust boundary.
+		const claims = decodeJwt<{
+			sub?: string;
+			org_id?: string;
+			role?: string;
+			permissions?: string[];
+			exp?: number;
+		}>(workosSession.accessToken);
+
+		// Reject tokens without exp claim or expired tokens
+		if (!claims.exp || claims.exp < Date.now() / 1000) {
+			console.warn('[ws-server] session token expired or missing exp claim');
+			return null;
+		}
+
+		const userId = claims.sub ?? '';
+		const orgId = INSTANCE_ID;
+
+		if (!userId) {
+			console.warn('[ws-server] session cookie missing userId');
+			return null;
+		}
+
+		const effectiveRole = normalizeRole(claims.role);
+		const effectivePermissions =
+			claims.permissions && claims.permissions.length > 0
+				? claims.permissions
+				: (DEFAULT_ROLE_PERMISSIONS[effectiveRole] ?? []);
+
+		return {
+			userId,
+			orgId,
+			role: effectiveRole,
+			permissions: effectivePermissions,
+		};
+	} catch (err) {
+		console.warn('[ws-server] failed to verify session cookie:', err);
+		return null;
+	}
+}
+
+const server = Bun.serve<WsData>({
+	port: PORT,
+	async fetch(req, server) {
+		const cookieHeader = req.headers.get('cookie');
+		let session = await verifySessionCookie(cookieHeader);
+
+		// Bypass auth for d3k's headless Chrome when OS_SECRET is configured
+		if (!session && process.env.OS_SECRET) {
+			const ua = req.headers.get('user-agent') ?? '';
+			if (ua.includes('HeadlessChrome')) {
+				session = {
+					userId: 'machine',
+					orgId: INSTANCE_ID,
+					role: 'platform-owner',
+					permissions: DEFAULT_ROLE_PERMISSIONS['platform-owner'] ?? [],
+				};
+			}
+		}
+
+		if (!session) {
+			console.log('[ws-server] rejected WS upgrade: invalid or missing session cookie');
+			return new Response(null, { status: 401 });
+		}
+
+		if (server.upgrade(req, { data: { session } })) {
+			return undefined;
+		}
+
+		return new Response('khal ws-bridge', { status: 200 });
+	},
+	websocket: {
+		async open(ws: ServerWebSocket<WsData>) {
+			const { session } = ws.data;
+			console.log(`[ws-server] client connected (org=${session.orgId} user=${session.userId})`);
+			const bridge = new NatsBridge(session);
+			bridges.set(ws, bridge);
+			try {
+				await bridge.init();
+			} catch (err) {
+				console.error('[ws-server] failed to init bridge:', err);
+				ws.close(1011, 'NATS connection failed');
+			}
+		},
+		async message(ws: ServerWebSocket<WsData>, message: string | Buffer) {
+			const bridge = bridges.get(ws);
+			if (!bridge) return;
+			await bridge.handleMessage(ws, message);
+		},
+		async close(ws: ServerWebSocket<WsData>) {
+			console.log('[ws-server] client disconnected');
+			const bridge = bridges.get(ws);
+			if (bridge) {
+				await bridge.cleanup();
+				bridges.delete(ws);
+			}
+		},
+	},
+});
+
+console.log(`[ws-server] listening on port ${server.port}`);

package/src/middleware.ts

@@ -0,0 +1,57 @@
+import { authkitMiddleware } from '@workos-inc/authkit-nextjs';
+import type { NextFetchEvent, NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+
+/**
+ * AuthKit middleware — protects /desktop routes and allows public paths.
+ *
+ * When middlewareAuth.enabled is true, all routes are protected by default
+ * except those listed in unauthenticatedPaths. Unauthenticated requests
+ * to protected routes are redirected to the AuthKit hosted login page.
+ *
+ * Headless Chrome bypass: when OS_SECRET is set, requests from d3k's
+ * headless Chrome skip auth so the desktop renders for monitoring.
+ */
+const workosAuth = authkitMiddleware({
+	middlewareAuth: {
+		enabled: true,
+		unauthenticatedPaths: [
+			'/',
+			'/offline',
+			'/auth/callback',
+			'/auth/:path*',
+			'/standalone/:path*',
+			'/api/webhooks/:path*',
+		],
+	},
+});
+
+export default async function middleware(req: NextRequest, event: NextFetchEvent) {
+	const ua = req.headers.get('user-agent') ?? '';
+	if (process.env.OS_SECRET && ua.includes('HeadlessChrome')) {
+		const cookieName = process.env.WORKOS_COOKIE_NAME || 'wos-session';
+		if (!req.cookies.has(cookieName)) {
+			// No session cookie — d3k monitoring mode, bypass auth entirely
+			const headers = new Headers(req.headers);
+			headers.set('x-workos-middleware', 'true');
+			headers.set('x-url', req.url);
+			return NextResponse.next({ request: { headers } });
+		}
+		// Has session cookie — let authkitMiddleware process it normally
+		// (authenticated agent-browser sessions should get full user context)
+	}
+	return workosAuth(req, event);
+}
+
+export const config = {
+	matcher: [
+		/*
+		 * Match all request paths except:
+		 * - _next/static (static files)
+		 * - _next/image (image optimization files)
+		 * - favicon.ico, sitemap.xml, robots.txt (metadata files)
+		 * - public assets
+		 */
+		'/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico)$).*)',
+	],
+};

package/src/stores/desktop-store.ts

@@ -0,0 +1,112 @@
+import { useMemo } from 'react';
+import { create } from 'zustand';
+import type { AppId } from '@/components/apps/app-registry';
+import { APP_REGISTRY } from '@/components/apps/app-registry';
+import type { DesktopEntry } from '@/types/desktop-entry';
+
+const BUILTIN_APPS: DesktopEntry[] = [
+	{
+		id: 'terminal',
+		name: 'Terminal',
+		icon: '/icons/dusk/terminal.svg',
+		exec: null,
+		type: 'builtin',
+		component: 'terminal',
+		categories: ['System'],
+		comment: 'Terminal emulator',
+		onDesktop: true,
+	},
+	{
+		id: 'files',
+		name: 'Files',
+		icon: '/icons/dusk/finder.svg',
+		exec: null,
+		type: 'builtin',
+		component: 'files',
+		categories: ['System'],
+		comment: 'File browser',
+		onDesktop: true,
+	},
+	{
+		id: 'settings',
+		name: 'Settings',
+		icon: '/icons/dusk/system_preferences.svg',
+		exec: null,
+		type: 'builtin',
+		component: 'settings',
+		categories: ['System'],
+		comment: 'Desktop settings',
+		onDesktop: true,
+	},
+	{
+		id: 'nats-viewer',
+		name: 'NATS Viewer',
+		icon: '/icons/dusk/activity_monitor.svg',
+		exec: null,
+		type: 'builtin',
+		component: 'nats-viewer',
+		categories: ['Development'],
+		comment: 'NATS message viewer and debugger',
+		onDesktop: true,
+	},
+	{
+		id: 'dev3000',
+		name: 'dev3000',
+		icon: '/icons/dusk/dashboard.svg',
+		exec: null,
+		type: 'builtin',
+		component: 'dev3000',
+		categories: ['Development'],
+		comment: 'dev3000 unified development logs',
+		onDesktop: true,
+	},
+];
+
+interface DesktopStore {
+	apps: DesktopEntry[];
+	desktopIcons: DesktopEntry[];
+	wallpaper: string;
+	pinnedApps: string[];
+
+	setApps: (apps: DesktopEntry[]) => void;
+	setWallpaper: (url: string) => void;
+	pinApp: (appId: string) => void;
+	unpinApp: (appId: string) => void;
+}
+
+export const useDesktopStore = create<DesktopStore>((set) => ({
+	apps: BUILTIN_APPS,
+	desktopIcons: BUILTIN_APPS,
+	wallpaper: '/wallpapers/default.svg',
+	pinnedApps: [],
+
+	setApps: (apps) => set({ apps }),
+	setWallpaper: (url) => set({ wallpaper: url }),
+	pinApp: (appId) =>
+		set((state) => ({
+			pinnedApps: state.pinnedApps.includes(appId) ? state.pinnedApps : [...state.pinnedApps, appId],
+		})),
+	unpinApp: (appId) =>
+		set((state) => ({
+			pinnedApps: state.pinnedApps.filter((id) => id !== appId),
+		})),
+}));
+
+/**
+ * Returns desktop apps filtered by the given permissions array.
+ * An app is included if:
+ * - It has no requiredPermission in the registry, OR
+ * - Its requiredPermission is in the user's permissions list
+ */
+export function useFilteredDesktopApps(permissions: string[]): DesktopEntry[] {
+	const desktopIcons = useDesktopStore((s) => s.desktopIcons);
+
+	return useMemo(() => {
+		return desktopIcons.filter((entry) => {
+			const appId = entry.component ?? entry.id;
+			const registryEntry = APP_REGISTRY[appId as AppId];
+			if (!registryEntry?.requiredPermission) return true;
+			return permissions.includes(registryEntry.requiredPermission);
+		});
+	}, [desktopIcons, permissions]);
+}