miladyai 2.0.0-alpha.27

package/dist/api/agent-lifecycle-routes.js

@@ -0,0 +1,79 @@
+import { getAutonomySvc } from "./autonomy-routes.js";
+
+//#region src/api/agent-lifecycle-routes.ts
+function detectModel(runtime) {
+	if (!runtime) return "unknown";
+	return runtime.plugins.find((plugin) => plugin.name.includes("anthropic") || plugin.name.includes("openai") || plugin.name.includes("groq"))?.name ?? "unknown";
+}
+async function handleAgentLifecycleRoutes(ctx) {
+	const { res, method, pathname, state, json } = ctx;
+	if (method === "POST" && pathname === "/api/agent/start") {
+		state.agentState = "running";
+		state.startedAt = Date.now();
+		state.model = detectModel(state.runtime);
+		const svc = getAutonomySvc(state.runtime);
+		if (svc) await svc.enableAutonomy();
+		json(res, {
+			ok: true,
+			status: {
+				state: state.agentState,
+				agentName: state.agentName,
+				model: state.model,
+				uptime: 0,
+				startedAt: state.startedAt
+			}
+		});
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/agent/stop") {
+		const svc = getAutonomySvc(state.runtime);
+		if (svc) await svc.disableAutonomy();
+		state.agentState = "stopped";
+		state.startedAt = void 0;
+		state.model = void 0;
+		json(res, {
+			ok: true,
+			status: {
+				state: state.agentState,
+				agentName: state.agentName
+			}
+		});
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/agent/pause") {
+		const svc = getAutonomySvc(state.runtime);
+		if (svc) await svc.disableAutonomy();
+		state.agentState = "paused";
+		json(res, {
+			ok: true,
+			status: {
+				state: state.agentState,
+				agentName: state.agentName,
+				model: state.model,
+				uptime: state.startedAt ? Date.now() - state.startedAt : void 0,
+				startedAt: state.startedAt
+			}
+		});
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/agent/resume") {
+		const svc = getAutonomySvc(state.runtime);
+		if (svc) await svc.enableAutonomy();
+		state.agentState = "running";
+		json(res, {
+			ok: true,
+			status: {
+				state: state.agentState,
+				agentName: state.agentName,
+				model: state.model,
+				uptime: state.startedAt ? Date.now() - state.startedAt : void 0,
+				startedAt: state.startedAt
+			}
+		});
+		return true;
+	}
+	return false;
+}
+
+//#endregion
+export { handleAgentLifecycleRoutes };

package/dist/api/agent-transfer-routes.js

@@ -0,0 +1,102 @@
+import { AgentExportError, estimateExportSize, exportAgent, importAgent } from "../services/agent-export.js";
+import { readRequestBodyBuffer } from "./http-helpers.js";
+
+//#region src/api/agent-transfer-routes.ts
+const MAX_IMPORT_BYTES = 512 * 1048576;
+const AGENT_TRANSFER_MIN_PASSWORD_LENGTH = 4;
+const AGENT_TRANSFER_MAX_PASSWORD_LENGTH = 1024;
+function readRawBody(req, maxBytes) {
+	return readRequestBodyBuffer(req, { maxBytes }).then((body) => {
+		if (body === null) throw new Error(`Request body exceeds maximum size (${maxBytes} bytes)`);
+		return body;
+	});
+}
+async function handleAgentTransferRoutes(ctx) {
+	const { req, res, method, pathname, state, readJsonBody, json, error } = ctx;
+	if (method === "POST" && pathname === "/api/agent/export") {
+		if (!state.runtime) {
+			error(res, "Agent is not running — start it before exporting.", 503);
+			return true;
+		}
+		const body = await readJsonBody(req, res);
+		if (!body) return true;
+		if (!body.password || typeof body.password !== "string") {
+			error(res, `A password of at least ${AGENT_TRANSFER_MIN_PASSWORD_LENGTH} characters is required.`, 400);
+			return true;
+		}
+		if (body.password.length < AGENT_TRANSFER_MIN_PASSWORD_LENGTH) {
+			error(res, `A password of at least ${AGENT_TRANSFER_MIN_PASSWORD_LENGTH} characters is required.`, 400);
+			return true;
+		}
+		try {
+			const fileBuffer = await exportAgent(state.runtime, body.password, { includeLogs: body.includeLogs === true });
+			const filename = `${(state.runtime.character.name ?? "agent").replace(/[^a-zA-Z0-9_-]/g, "_").toLowerCase()}-${(/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19)}.eliza-agent`;
+			res.statusCode = 200;
+			res.setHeader("Content-Type", "application/octet-stream");
+			res.setHeader("Content-Disposition", `attachment; filename="${filename}"`);
+			res.setHeader("Content-Length", fileBuffer.length);
+			res.end(fileBuffer);
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			if (err instanceof AgentExportError) error(res, message, 400);
+			else error(res, `Export failed: ${message}`, 500);
+		}
+		return true;
+	}
+	if (method === "GET" && pathname === "/api/agent/export/estimate") {
+		if (!state.runtime) {
+			error(res, "Agent is not running.", 503);
+			return true;
+		}
+		try {
+			json(res, await estimateExportSize(state.runtime));
+		} catch (err) {
+			error(res, `Estimate failed: ${err instanceof Error ? err.message : String(err)}`, 500);
+		}
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/agent/import") {
+		if (!state.runtime) {
+			error(res, "Agent is not running — start it before importing.", 503);
+			return true;
+		}
+		let rawBody;
+		try {
+			rawBody = await readRawBody(req, MAX_IMPORT_BYTES);
+		} catch (err) {
+			error(res, err instanceof Error ? err.message : String(err), 413);
+			return true;
+		}
+		if (rawBody.length < 5) {
+			error(res, "Request body is too small — expected password + file data.", 400);
+			return true;
+		}
+		const passwordLength = rawBody.readUInt32BE(0);
+		if (passwordLength < AGENT_TRANSFER_MIN_PASSWORD_LENGTH) {
+			error(res, `Password must be at least ${AGENT_TRANSFER_MIN_PASSWORD_LENGTH} characters.`, 400);
+			return true;
+		}
+		if (passwordLength > AGENT_TRANSFER_MAX_PASSWORD_LENGTH) {
+			error(res, `Password is too long (max ${AGENT_TRANSFER_MAX_PASSWORD_LENGTH} bytes).`, 400);
+			return true;
+		}
+		if (rawBody.length < 4 + passwordLength + 1) {
+			error(res, "Request body is incomplete — missing file data after password.", 400);
+			return true;
+		}
+		const password = rawBody.subarray(4, 4 + passwordLength).toString("utf-8");
+		const fileBuffer = rawBody.subarray(4 + passwordLength);
+		try {
+			json(res, await importAgent(state.runtime, fileBuffer, password));
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			if (err instanceof AgentExportError) error(res, message, 400);
+			else error(res, `Import failed: ${message}`, 500);
+		}
+		return true;
+	}
+	return false;
+}
+
+//#endregion
+export { handleAgentTransferRoutes };

package/dist/api/apps-hyperscape-routes.js

@@ -0,0 +1,58 @@
+//#region src/api/apps-hyperscape-routes.ts
+async function handleAppsHyperscapeRoutes(ctx) {
+	const { req, res, method, pathname, relayHyperscapeApi, readJsonBody, error } = ctx;
+	if (method === "GET" && pathname === "/api/apps/hyperscape/embedded-agents") {
+		await relayHyperscapeApi("GET", "/api/embedded-agents");
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/apps/hyperscape/embedded-agents") {
+		await relayHyperscapeApi("POST", "/api/embedded-agents");
+		return true;
+	}
+	if (method === "POST") {
+		const embeddedActionMatch = pathname.match(/^\/api\/apps\/hyperscape\/embedded-agents\/([^/]+)\/(start|stop|pause|resume|command)$/);
+		if (embeddedActionMatch) {
+			const characterId = decodeURIComponent(embeddedActionMatch[1]);
+			const action = embeddedActionMatch[2];
+			await relayHyperscapeApi("POST", `/api/embedded-agents/${encodeURIComponent(characterId)}/${action}`);
+			return true;
+		}
+		const messageMatch = pathname.match(/^\/api\/apps\/hyperscape\/agents\/([^/]+)\/message$/);
+		if (messageMatch) {
+			const agentId = decodeURIComponent(messageMatch[1]);
+			const body = await readJsonBody(req, res);
+			if (!body) return true;
+			const content = body.content?.trim();
+			if (!content) {
+				error(res, "content is required");
+				return true;
+			}
+			await relayHyperscapeApi("POST", `/api/embedded-agents/${encodeURIComponent(agentId)}/command`, {
+				rawBodyOverride: JSON.stringify({
+					command: "chat",
+					data: { message: content }
+				}),
+				contentTypeOverride: "application/json"
+			});
+			return true;
+		}
+	}
+	if (method === "GET") {
+		const goalMatch = pathname.match(/^\/api\/apps\/hyperscape\/agents\/([^/]+)\/goal$/);
+		if (goalMatch) {
+			const agentId = decodeURIComponent(goalMatch[1]);
+			await relayHyperscapeApi("GET", `/api/agents/${encodeURIComponent(agentId)}/goal`);
+			return true;
+		}
+		const quickActionsMatch = pathname.match(/^\/api\/apps\/hyperscape\/agents\/([^/]+)\/quick-actions$/);
+		if (quickActionsMatch) {
+			const agentId = decodeURIComponent(quickActionsMatch[1]);
+			await relayHyperscapeApi("GET", `/api/agents/${encodeURIComponent(agentId)}/quick-actions`);
+			return true;
+		}
+	}
+	return false;
+}
+
+//#endregion
+export { handleAppsHyperscapeRoutes };

package/dist/api/apps-routes.js

@@ -0,0 +1,114 @@
+//#region src/api/apps-routes.ts
+function isNonAppRegistryPlugin(plugin) {
+	if (plugin.kind === "app") return false;
+	const name = plugin.name.toLowerCase();
+	const npmPackage = plugin.npm.package.toLowerCase();
+	return !name.includes("/app-") && !npmPackage.includes("/app-");
+}
+function isNonAppSearchResult(plugin) {
+	const name = plugin.name.toLowerCase();
+	const npmPackage = plugin.npmPackage.toLowerCase();
+	return !name.includes("/app-") && !npmPackage.includes("/app-");
+}
+async function handleAppsRoutes(ctx) {
+	const { req, res, method, pathname, url, appManager, getPluginManager, parseBoundedLimit, readJsonBody, json, error, runtime } = ctx;
+	if (method === "GET" && pathname === "/api/apps") {
+		const pluginManager = getPluginManager();
+		json(res, await appManager.listAvailable(pluginManager));
+		return true;
+	}
+	if (method === "GET" && pathname === "/api/apps/search") {
+		const query = url.searchParams.get("q") ?? "";
+		if (!query.trim()) {
+			json(res, []);
+			return true;
+		}
+		const limit = parseBoundedLimit(url.searchParams.get("limit"));
+		const pluginManager = getPluginManager();
+		json(res, await appManager.search(pluginManager, query, limit));
+		return true;
+	}
+	if (method === "GET" && pathname === "/api/apps/installed") {
+		const pluginManager = getPluginManager();
+		json(res, await appManager.listInstalled(pluginManager));
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/apps/launch") {
+		const body = await readJsonBody(req, res);
+		if (!body) return true;
+		if (!body.name?.trim()) {
+			error(res, "name is required");
+			return true;
+		}
+		const pluginManager = getPluginManager();
+		json(res, await appManager.launch(pluginManager, body.name.trim(), (_progress) => {}, runtime));
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/apps/stop") {
+		const body = await readJsonBody(req, res);
+		if (!body) return true;
+		if (!body.name?.trim()) {
+			error(res, "name is required");
+			return true;
+		}
+		const appName = body.name.trim();
+		const pluginManager = getPluginManager();
+		json(res, await appManager.stop(pluginManager, appName));
+		return true;
+	}
+	if (method === "GET" && pathname.startsWith("/api/apps/info/")) {
+		const appName = decodeURIComponent(pathname.slice(15));
+		if (!appName) {
+			error(res, "app name is required");
+			return true;
+		}
+		const pluginManager = getPluginManager();
+		const info = await appManager.getInfo(pluginManager, appName);
+		if (!info) {
+			error(res, `App "${appName}" not found in registry`, 404);
+			return true;
+		}
+		json(res, info);
+		return true;
+	}
+	if (method === "GET" && pathname === "/api/apps/plugins") {
+		try {
+			const registry = await getPluginManager().refreshRegistry();
+			json(res, Array.from(registry.values()).filter(isNonAppRegistryPlugin));
+		} catch (err) {
+			error(res, `Failed to list plugins: ${err instanceof Error ? err.message : String(err)}`, 502);
+		}
+		return true;
+	}
+	if (method === "GET" && pathname === "/api/apps/plugins/search") {
+		const query = url.searchParams.get("q") ?? "";
+		if (!query.trim()) {
+			json(res, []);
+			return true;
+		}
+		try {
+			const limit = parseBoundedLimit(url.searchParams.get("limit"));
+			json(res, (await getPluginManager().searchRegistry(query, limit)).filter(isNonAppSearchResult));
+		} catch (err) {
+			error(res, `Plugin search failed: ${err instanceof Error ? err.message : String(err)}`, 502);
+		}
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/apps/refresh") {
+		try {
+			const registry = await getPluginManager().refreshRegistry();
+			const count = Array.from(registry.values()).filter(isNonAppRegistryPlugin).length;
+			json(res, {
+				ok: true,
+				count
+			});
+		} catch (err) {
+			error(res, `Refresh failed: ${err instanceof Error ? err.message : String(err)}`, 502);
+		}
+		return true;
+	}
+	return false;
+}
+
+//#endregion
+export { handleAppsRoutes };

package/dist/api/auth-routes.js

@@ -0,0 +1,56 @@
+import crypto from "node:crypto";
+
+//#region src/api/auth-routes.ts
+async function handleAuthRoutes(ctx) {
+	const { req, res, method, pathname, readJsonBody, json, error, pairingEnabled, ensurePairingCode, normalizePairingCode, rateLimitPairing, getPairingExpiresAt, clearPairing } = ctx;
+	if (!pathname.startsWith("/api/auth/")) return false;
+	if (method === "GET" && pathname === "/api/auth/status") {
+		const required = Boolean(process.env.MILADY_API_TOKEN?.trim());
+		const enabled = pairingEnabled();
+		if (enabled) ensurePairingCode();
+		json(res, {
+			required,
+			pairingEnabled: enabled,
+			expiresAt: enabled ? getPairingExpiresAt() : null
+		});
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/auth/pair") {
+		const body = await readJsonBody(req, res);
+		if (!body) return true;
+		const token = process.env.MILADY_API_TOKEN?.trim();
+		if (!token) {
+			error(res, "Pairing not enabled", 400);
+			return true;
+		}
+		if (!pairingEnabled()) {
+			error(res, "Pairing disabled", 403);
+			return true;
+		}
+		if (!rateLimitPairing(req.socket.remoteAddress ?? null)) {
+			error(res, "Too many attempts. Try again later.", 429);
+			return true;
+		}
+		const provided = normalizePairingCode(body.code ?? "");
+		const current = ensurePairingCode();
+		if (!current || Date.now() > getPairingExpiresAt()) {
+			ensurePairingCode();
+			error(res, "Pairing code expired. Check server logs for a new code.", 410);
+			return true;
+		}
+		const expected = normalizePairingCode(current);
+		const a = Buffer.from(expected, "utf8");
+		const b = Buffer.from(provided, "utf8");
+		if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
+			error(res, "Invalid pairing code", 403);
+			return true;
+		}
+		clearPairing();
+		json(res, { token });
+		return true;
+	}
+	return false;
+}
+
+//#endregion
+export { handleAuthRoutes };

package/dist/api/autonomy-routes.js

@@ -0,0 +1,44 @@
+//#region src/api/autonomy-routes.ts
+/** Helper to retrieve the AutonomyService from a runtime (may be null). */
+function getAutonomySvc(runtime) {
+	if (!runtime) return null;
+	return runtime.getService("AUTONOMY");
+}
+function getAutonomyState(runtime) {
+	const svc = getAutonomySvc(runtime);
+	const statusEnabled = svc?.getStatus?.().enabled;
+	const runtimeEnabled = runtime?.enableAutonomy === true;
+	return {
+		enabled: typeof statusEnabled === "boolean" ? statusEnabled : runtimeEnabled || Boolean(svc),
+		thinking: svc?.isLoopRunning() ?? false
+	};
+}
+async function handleAutonomyRoutes(ctx) {
+	const { req, res, method, pathname, runtime, readJsonBody, json } = ctx;
+	if (method === "POST" && pathname === "/api/agent/autonomy") {
+		const body = await readJsonBody(req, res);
+		if (!body) return true;
+		const svc = getAutonomySvc(runtime);
+		if (typeof body.enabled === "boolean" && svc) if (body.enabled) await svc.enableAutonomy();
+		else await svc.disableAutonomy();
+		const autonomy = getAutonomyState(runtime);
+		json(res, {
+			ok: true,
+			autonomy: autonomy.enabled,
+			thinking: autonomy.thinking
+		});
+		return true;
+	}
+	if (method === "GET" && pathname === "/api/agent/autonomy") {
+		const autonomy = getAutonomyState(runtime);
+		json(res, {
+			enabled: autonomy.enabled,
+			thinking: autonomy.thinking
+		});
+		return true;
+	}
+	return false;
+}
+
+//#endregion
+export { getAutonomyState, getAutonomySvc, handleAutonomyRoutes };

package/dist/api/bug-report-routes.js

@@ -0,0 +1,111 @@
+import { sweepExpiredEntries } from "./memory-bounds.js";
+import os from "node:os";
+
+//#region src/api/bug-report-routes.ts
+const BUG_REPORT_REPO = "milady-ai/milady";
+const GITHUB_ISSUES_URL = `https://api.github.com/repos/${BUG_REPORT_REPO}/issues`;
+const GITHUB_NEW_ISSUE_URL = `https://github.com/${BUG_REPORT_REPO}/issues/new?template=bug_report.yml`;
+const BUG_REPORT_WINDOW_MS = 600 * 1e3;
+const BUG_REPORT_MAX_SUBMISSIONS = 5;
+const bugReportAttempts = /* @__PURE__ */ new Map();
+function rateLimitBugReport(ip) {
+	const key = ip ?? "unknown";
+	const now = Date.now();
+	sweepExpiredEntries(bugReportAttempts, now, 100);
+	const current = bugReportAttempts.get(key);
+	if (!current || now > current.resetAt) {
+		bugReportAttempts.set(key, {
+			count: 1,
+			resetAt: now + BUG_REPORT_WINDOW_MS
+		});
+		return true;
+	}
+	if (current.count >= BUG_REPORT_MAX_SUBMISSIONS) return false;
+	current.count += 1;
+	return true;
+}
+/**
+* Strip HTML tags and limit length to prevent markdown injection.
+* GitHub's renderer already sanitizes HTML, but we defensively strip
+* tags and cap field length to reduce abuse surface.
+*/
+function sanitize(input, maxLen = 1e4) {
+	return input.replace(/<[^>]*>/g, "").slice(0, maxLen);
+}
+function formatIssueBody(body) {
+	const sections = [];
+	sections.push(`### Description\n\n${sanitize(body.description)}`);
+	sections.push(`### Steps to Reproduce\n\n${sanitize(body.stepsToReproduce)}`);
+	if (body.expectedBehavior) sections.push(`### Expected Behavior\n\n${sanitize(body.expectedBehavior)}`);
+	if (body.actualBehavior) sections.push(`### Actual Behavior\n\n${sanitize(body.actualBehavior)}`);
+	if (body.environment) sections.push(`### Environment\n\n${sanitize(body.environment, 200)}`);
+	if (body.nodeVersion) sections.push(`### Node Version\n\n${sanitize(body.nodeVersion, 200)}`);
+	if (body.modelProvider) sections.push(`### Model Provider\n\n${sanitize(body.modelProvider, 200)}`);
+	if (body.logs) sections.push(`### Logs\n\n\`\`\`\n${sanitize(body.logs, 5e4)}\n\`\`\``);
+	return sections.join("\n\n");
+}
+async function handleBugReportRoutes(ctx) {
+	const { req, res, method, pathname, json, error, readJsonBody } = ctx;
+	if (method === "GET" && pathname === "/api/bug-report/info") {
+		json(res, {
+			nodeVersion: process.version,
+			platform: os.platform()
+		});
+		return true;
+	}
+	if (method === "POST" && pathname === "/api/bug-report") {
+		if (!rateLimitBugReport(req.socket.remoteAddress ?? null)) {
+			error(res, "Too many bug reports. Try again later.", 429);
+			return true;
+		}
+		const body = await readJsonBody(req, res);
+		if (!body) return true;
+		if (!body.description?.trim() || !body.stepsToReproduce?.trim()) {
+			error(res, "description and stepsToReproduce are required", 400);
+			return true;
+		}
+		const githubToken = process.env.GITHUB_TOKEN;
+		if (!githubToken) {
+			json(res, { fallback: GITHUB_NEW_ISSUE_URL });
+			return true;
+		}
+		try {
+			const sanitizedTitle = sanitize(body.description, 80).replace(/[\r\n]+/g, " ");
+			const issueBody = formatIssueBody(body);
+			const issueRes = await fetch(GITHUB_ISSUES_URL, {
+				method: "POST",
+				headers: {
+					Authorization: `Bearer ${githubToken}`,
+					Accept: "application/vnd.github.v3+json",
+					"Content-Type": "application/json"
+				},
+				body: JSON.stringify({
+					title: `[Bug] ${sanitizedTitle}`,
+					body: issueBody,
+					labels: [
+						"bug",
+						"triage",
+						"user-reported"
+					]
+				})
+			});
+			if (!issueRes.ok) {
+				error(res, `GitHub API error (${issueRes.status})`, 502);
+				return true;
+			}
+			const url = (await issueRes.json()).html_url;
+			if (typeof url !== "string" || !url.startsWith(`https://github.com/${BUG_REPORT_REPO}/issues/`)) {
+				error(res, "Unexpected response from GitHub API", 502);
+				return true;
+			}
+			json(res, { url });
+		} catch (_err) {
+			error(res, "Failed to create GitHub issue", 500);
+		}
+		return true;
+	}
+	return false;
+}
+
+//#endregion
+export { handleBugReportRoutes };