loki-mode 5.7.2 → 5.7.3

package/api/middleware/auth.ts

@@ -0,0 +1,129 @@
+/**
+ * Authentication Middleware
+ *
+ * Provides optional token-based authentication for the API.
+ * By default, only allows localhost connections.
+ */
+
+export interface AuthConfig {
+  // Allow localhost without auth (default: true)
+  allowLocalhost: boolean;
+
+  // API token for remote access (optional)
+  apiToken?: string;
+
+  // Allowed origins for CORS
+  allowedOrigins: string[];
+}
+
+const defaultConfig: AuthConfig = {
+  allowLocalhost: true,
+  apiToken: Deno.env.get("LOKI_API_TOKEN"),
+  allowedOrigins: ["http://localhost:*", "http://127.0.0.1:*"],
+};
+
+let config = { ...defaultConfig };
+
+/**
+ * Configure authentication
+ */
+export function configureAuth(newConfig: Partial<AuthConfig>): void {
+  config = { ...config, ...newConfig };
+}
+
+/**
+ * Authentication middleware
+ */
+export function authMiddleware(
+  handler: (req: Request) => Promise<Response> | Response
+): (req: Request) => Promise<Response> {
+  return async (req: Request): Promise<Response> => {
+    const authResult = checkAuth(req);
+
+    if (!authResult.allowed) {
+      return new Response(
+        JSON.stringify({
+          error: authResult.reason,
+          code: "AUTH_FAILED",
+        }),
+        {
+          status: 401,
+          headers: {
+            "Content-Type": "application/json",
+          },
+        }
+      );
+    }
+
+    return handler(req);
+  };
+}
+
+/**
+ * Check if request is authenticated
+ */
+export function checkAuth(req: Request): { allowed: boolean; reason?: string } {
+  const url = new URL(req.url);
+  const host = url.hostname;
+
+  // Allow localhost connections if enabled
+  if (config.allowLocalhost) {
+    if (host === "localhost" || host === "127.0.0.1" || host === "::1") {
+      return { allowed: true };
+    }
+  }
+
+  // Check API token
+  if (config.apiToken) {
+    const authHeader = req.headers.get("Authorization");
+
+    if (authHeader) {
+      // Support Bearer token format
+      const match = authHeader.match(/^Bearer\s+(.+)$/i);
+      if (match && match[1] === config.apiToken) {
+        return { allowed: true };
+      }
+
+      // Support X-API-Key header
+      const apiKey = req.headers.get("X-API-Key");
+      if (apiKey === config.apiToken) {
+        return { allowed: true };
+      }
+    }
+
+    return {
+      allowed: false,
+      reason: "Invalid or missing API token",
+    };
+  }
+
+  // No token configured, deny remote access
+  return {
+    allowed: false,
+    reason: "Remote access not configured. Set LOKI_API_TOKEN to enable.",
+  };
+}
+
+/**
+ * Generate a secure random token
+ */
+export function generateToken(): string {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+/**
+ * Get current auth config (for debugging)
+ */
+export function getAuthConfig(): Omit<AuthConfig, "apiToken"> & {
+  hasToken: boolean;
+} {
+  return {
+    allowLocalhost: config.allowLocalhost,
+    allowedOrigins: config.allowedOrigins,
+    hasToken: !!config.apiToken,
+  };
+}

package/api/middleware/cors.ts

@@ -0,0 +1,145 @@
+/**
+ * CORS Middleware
+ *
+ * Handles Cross-Origin Resource Sharing for browser clients.
+ */
+
+export interface CorsConfig {
+  allowedOrigins: string[];
+  allowedMethods: string[];
+  allowedHeaders: string[];
+  exposeHeaders: string[];
+  maxAge: number;
+  credentials: boolean;
+}
+
+const defaultConfig: CorsConfig = {
+  allowedOrigins: ["*"],
+  allowedMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+  allowedHeaders: [
+    "Content-Type",
+    "Authorization",
+    "X-API-Key",
+    "X-Request-ID",
+    "Accept",
+    "Cache-Control",
+  ],
+  exposeHeaders: ["X-Request-ID", "X-Session-ID"],
+  maxAge: 86400, // 24 hours
+  credentials: true,
+};
+
+let config = { ...defaultConfig };
+
+/**
+ * Configure CORS
+ */
+export function configureCors(newConfig: Partial<CorsConfig>): void {
+  config = { ...config, ...newConfig };
+}
+
+/**
+ * Get CORS headers for a request
+ */
+export function getCorsHeaders(req: Request): Headers {
+  const headers = new Headers();
+  const origin = req.headers.get("Origin");
+
+  // Check if origin is allowed
+  const allowedOrigin = isOriginAllowed(origin);
+
+  if (allowedOrigin) {
+    headers.set("Access-Control-Allow-Origin", allowedOrigin);
+  }
+
+  headers.set(
+    "Access-Control-Allow-Methods",
+    config.allowedMethods.join(", ")
+  );
+
+  headers.set(
+    "Access-Control-Allow-Headers",
+    config.allowedHeaders.join(", ")
+  );
+
+  headers.set(
+    "Access-Control-Expose-Headers",
+    config.exposeHeaders.join(", ")
+  );
+
+  headers.set("Access-Control-Max-Age", config.maxAge.toString());
+
+  if (config.credentials) {
+    headers.set("Access-Control-Allow-Credentials", "true");
+  }
+
+  return headers;
+}
+
+/**
+ * Check if origin is allowed
+ */
+function isOriginAllowed(origin: string | null): string | null {
+  if (!origin) {
+    return null;
+  }
+
+  for (const allowed of config.allowedOrigins) {
+    // Wildcard match all
+    if (allowed === "*") {
+      return origin;
+    }
+
+    // Exact match
+    if (allowed === origin) {
+      return origin;
+    }
+
+    // Wildcard pattern (e.g., "http://localhost:*")
+    if (allowed.includes("*")) {
+      const pattern = allowed
+        .replace(/\./g, "\\.")
+        .replace(/\*/g, ".*");
+      const regex = new RegExp(`^${pattern}$`);
+      if (regex.test(origin)) {
+        return origin;
+      }
+    }
+  }
+
+  return null;
+}
+
+/**
+ * CORS middleware
+ */
+export function corsMiddleware(
+  handler: (req: Request) => Promise<Response> | Response
+): (req: Request) => Promise<Response> {
+  return async (req: Request): Promise<Response> => {
+    const corsHeaders = getCorsHeaders(req);
+
+    // Handle preflight requests
+    if (req.method === "OPTIONS") {
+      return new Response(null, {
+        status: 204,
+        headers: corsHeaders,
+      });
+    }
+
+    // Handle actual request
+    const response = await handler(req);
+
+    // Add CORS headers to response
+    const newHeaders = new Headers(response.headers);
+    for (const [key, value] of corsHeaders) {
+      newHeaders.set(key, value);
+    }
+
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: newHeaders,
+    });
+  };
+}

package/api/middleware/error.ts

@@ -0,0 +1,226 @@
+/**
+ * Error Handling Middleware
+ *
+ * Provides consistent error responses and logging.
+ */
+
+import type { ApiError } from "../types/api.ts";
+
+// Error codes
+export const ErrorCodes = {
+  // Client errors (4xx)
+  BAD_REQUEST: "BAD_REQUEST",
+  UNAUTHORIZED: "UNAUTHORIZED",
+  FORBIDDEN: "FORBIDDEN",
+  NOT_FOUND: "NOT_FOUND",
+  METHOD_NOT_ALLOWED: "METHOD_NOT_ALLOWED",
+  CONFLICT: "CONFLICT",
+  VALIDATION_ERROR: "VALIDATION_ERROR",
+
+  // Server errors (5xx)
+  INTERNAL_ERROR: "INTERNAL_ERROR",
+  NOT_IMPLEMENTED: "NOT_IMPLEMENTED",
+  SERVICE_UNAVAILABLE: "SERVICE_UNAVAILABLE",
+  TIMEOUT: "TIMEOUT",
+
+  // Loki-specific errors
+  SESSION_NOT_FOUND: "SESSION_NOT_FOUND",
+  SESSION_ALREADY_RUNNING: "SESSION_ALREADY_RUNNING",
+  PROVIDER_NOT_AVAILABLE: "PROVIDER_NOT_AVAILABLE",
+  CLI_ERROR: "CLI_ERROR",
+} as const;
+
+type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];
+
+// HTTP status codes for error codes
+const errorStatusMap: Record<ErrorCode, number> = {
+  BAD_REQUEST: 400,
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  METHOD_NOT_ALLOWED: 405,
+  CONFLICT: 409,
+  VALIDATION_ERROR: 422,
+  INTERNAL_ERROR: 500,
+  NOT_IMPLEMENTED: 501,
+  SERVICE_UNAVAILABLE: 503,
+  TIMEOUT: 504,
+  SESSION_NOT_FOUND: 404,
+  SESSION_ALREADY_RUNNING: 409,
+  PROVIDER_NOT_AVAILABLE: 503,
+  CLI_ERROR: 500,
+};
+
+/**
+ * Custom API error class
+ */
+export class LokiApiError extends Error {
+  code: ErrorCode;
+  status: number;
+  details?: Record<string, unknown>;
+
+  constructor(
+    message: string,
+    code: ErrorCode,
+    details?: Record<string, unknown>
+  ) {
+    super(message);
+    this.name = "LokiApiError";
+    this.code = code;
+    this.status = errorStatusMap[code] || 500;
+    this.details = details;
+  }
+
+  toJSON(): ApiError {
+    return {
+      error: this.message,
+      code: this.code,
+      details: this.details,
+    };
+  }
+
+  toResponse(): Response {
+    return new Response(JSON.stringify(this.toJSON()), {
+      status: this.status,
+      headers: {
+        "Content-Type": "application/json",
+      },
+    });
+  }
+}
+
+/**
+ * Error middleware wrapper
+ */
+export function errorMiddleware(
+  handler: (req: Request) => Promise<Response> | Response
+): (req: Request) => Promise<Response> {
+  return async (req: Request): Promise<Response> => {
+    try {
+      return await handler(req);
+    } catch (err) {
+      return handleError(err, req);
+    }
+  };
+}
+
+/**
+ * Handle an error and return appropriate response
+ */
+export function handleError(err: unknown, req?: Request): Response {
+  // Log error for debugging
+  const requestInfo = req
+    ? `${req.method} ${new URL(req.url).pathname}`
+    : "unknown request";
+
+  console.error(`Error handling ${requestInfo}:`, err);
+
+  // Handle known API errors
+  if (err instanceof LokiApiError) {
+    return err.toResponse();
+  }
+
+  // Handle Deno-specific errors
+  if (err instanceof Deno.errors.NotFound) {
+    return new LokiApiError("Resource not found", ErrorCodes.NOT_FOUND).toResponse();
+  }
+
+  if (err instanceof Deno.errors.PermissionDenied) {
+    return new LokiApiError(
+      "Permission denied",
+      ErrorCodes.FORBIDDEN
+    ).toResponse();
+  }
+
+  // Handle JSON parsing errors
+  if (err instanceof SyntaxError && err.message.includes("JSON")) {
+    return new LokiApiError(
+      "Invalid JSON in request body",
+      ErrorCodes.BAD_REQUEST
+    ).toResponse();
+  }
+
+  // Handle timeout errors
+  if (err instanceof Error && err.name === "AbortError") {
+    return new LokiApiError(
+      "Request timed out",
+      ErrorCodes.TIMEOUT
+    ).toResponse();
+  }
+
+  // Default to internal error
+  const message =
+    err instanceof Error ? err.message : "An unexpected error occurred";
+
+  return new LokiApiError(
+    message,
+    ErrorCodes.INTERNAL_ERROR,
+    Deno.env.get("LOKI_DEBUG") ? { stack: (err as Error).stack } : undefined
+  ).toResponse();
+}
+
+/**
+ * Validate request body against expected fields
+ */
+export function validateBody<T extends Record<string, unknown>>(
+  body: unknown,
+  required: (keyof T)[],
+  optional: (keyof T)[] = []
+): T {
+  if (!body || typeof body !== "object") {
+    throw new LokiApiError(
+      "Request body must be a JSON object",
+      ErrorCodes.BAD_REQUEST
+    );
+  }
+
+  const obj = body as Record<string, unknown>;
+
+  // Check required fields
+  for (const field of required) {
+    if (!(field in obj)) {
+      throw new LokiApiError(
+        `Missing required field: ${String(field)}`,
+        ErrorCodes.VALIDATION_ERROR,
+        { field: String(field) }
+      );
+    }
+  }
+
+  // Check for unknown fields
+  const allowedFields = new Set([...required, ...optional]);
+  for (const field of Object.keys(obj)) {
+    if (!allowedFields.has(field)) {
+      throw new LokiApiError(
+        `Unknown field: ${field}`,
+        ErrorCodes.VALIDATION_ERROR,
+        { field }
+      );
+    }
+  }
+
+  return obj as T;
+}
+
+/**
+ * Create a simple error response
+ */
+export function errorResponse(
+  message: string,
+  code: ErrorCode = ErrorCodes.INTERNAL_ERROR,
+  details?: Record<string, unknown>
+): Response {
+  return new LokiApiError(message, code, details).toResponse();
+}
+
+/**
+ * Create a success response
+ */
+export function successResponse<T>(data: T, status = 200): Response {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: {
+      "Content-Type": "application/json",
+    },
+  });
+}

package/api/mod.ts

@@ -0,0 +1,58 @@
+/**
+ * Loki Mode API Module
+ *
+ * Exports for programmatic use
+ */
+
+// Types
+export type {
+  Session,
+  SessionStatus,
+  Phase,
+  Task,
+  TaskStatus,
+  StartSessionRequest,
+  StartSessionResponse,
+  SessionStatusResponse,
+  TaskSummary,
+  AgentSummary,
+  InjectInputRequest,
+  ApiError,
+  HealthResponse,
+} from "./types/api.ts";
+
+export type {
+  SSEEvent,
+  EventType,
+  EventFilter,
+  SessionEventData,
+  PhaseEventData,
+  TaskEventData,
+  AgentEventData,
+  LogEventData,
+  MetricsEventData,
+  InputRequestedEventData,
+  HeartbeatEventData,
+  AnySSEEvent,
+} from "./types/events.ts";
+
+// Services
+export { eventBus } from "./services/event-bus.ts";
+export { cliBridge } from "./services/cli-bridge.ts";
+export { stateWatcher } from "./services/state-watcher.ts";
+
+// Middleware
+export { authMiddleware, configureAuth, generateToken } from "./middleware/auth.ts";
+export { corsMiddleware, configureCors } from "./middleware/cors.ts";
+export {
+  errorMiddleware,
+  LokiApiError,
+  ErrorCodes,
+  handleError,
+  validateBody,
+  errorResponse,
+  successResponse,
+} from "./middleware/error.ts";
+
+// Server
+export { createHandler, routeRequest, parseArgs } from "./server.ts";