mob-coordinator 0.2.1

package/dist/client/index.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Mob — Claude Instance Dashboard</title>
+  <link rel="icon" href="/favicon.png" />
+  <script type="module" crossorigin src="/assets/index-DkdPImCW.js"></script>
+  <link rel="stylesheet" crossorigin href="/assets/index-BE5nxcXU.css">
+</head>
+<body>
+  <div id="app"></div>
+</body>
+</html>

package/dist/server/server/__tests__/sanitize.test.js

@@ -0,0 +1,154 @@
+import { describe, it, expect } from 'vitest';
+import { shellQuote, isValidModel, isValidPermissionMode, isValidSessionId, isValidCwd, stripControlChars, validateLaunchPayload, validateHookPayload, } from '../util/sanitize.js';
+describe('shellQuote', () => {
+    it('wraps simple string in single quotes', () => {
+        expect(shellQuote('hello')).toBe("'hello'");
+    });
+    it('escapes single quotes', () => {
+        expect(shellQuote("it's")).toBe("'it'\\''s'");
+    });
+    it('handles empty string', () => {
+        expect(shellQuote('')).toBe("''");
+    });
+    it('neutralizes command injection attempts', () => {
+        const malicious = '$(rm -rf /)';
+        const quoted = shellQuote(malicious);
+        expect(quoted).toBe("'$(rm -rf /)'");
+        // Inside single quotes, $() is literal — not executed by the shell
+        expect(quoted.startsWith("'")).toBe(true);
+        expect(quoted.endsWith("'")).toBe(true);
+    });
+    it('neutralizes backtick injection', () => {
+        expect(shellQuote('`whoami`')).toBe("'`whoami`'");
+    });
+});
+describe('isValidModel', () => {
+    it('accepts valid model names', () => {
+        expect(isValidModel('claude-opus-4-6')).toBe(true);
+        expect(isValidModel('claude-sonnet-4-6')).toBe(true);
+        expect(isValidModel('claude-haiku-4-5-20251001')).toBe(true);
+        expect(isValidModel('gpt-4o')).toBe(true);
+        expect(isValidModel('model/v1.0')).toBe(true);
+    });
+    it('rejects injection attempts', () => {
+        expect(isValidModel('$(rm -rf /)')).toBe(false);
+        expect(isValidModel('model; echo pwned')).toBe(false);
+        expect(isValidModel('model`whoami`')).toBe(false);
+        expect(isValidModel('')).toBe(false);
+    });
+    it('rejects overly long values', () => {
+        expect(isValidModel('a'.repeat(101))).toBe(false);
+    });
+});
+describe('isValidPermissionMode', () => {
+    it('accepts valid modes', () => {
+        expect(isValidPermissionMode('default')).toBe(true);
+        expect(isValidPermissionMode('plan')).toBe(true);
+        expect(isValidPermissionMode('bypassPermissions')).toBe(true);
+        expect(isValidPermissionMode('full')).toBe(true);
+    });
+    it('rejects invalid modes', () => {
+        expect(isValidPermissionMode('$(evil)')).toBe(false);
+        expect(isValidPermissionMode('admin')).toBe(false);
+        expect(isValidPermissionMode('')).toBe(false);
+    });
+});
+describe('isValidSessionId', () => {
+    it('accepts valid session IDs', () => {
+        expect(isValidSessionId('abc-123_def')).toBe(true);
+        expect(isValidSessionId('session-id-001')).toBe(true);
+    });
+    it('rejects injection attempts', () => {
+        expect(isValidSessionId('$(whoami)')).toBe(false);
+        expect(isValidSessionId('id; rm -rf /')).toBe(false);
+    });
+});
+describe('isValidCwd', () => {
+    it('accepts absolute paths', () => {
+        expect(isValidCwd('/home/user/project')).toBe(true);
+        expect(isValidCwd('~/project')).toBe(true);
+    });
+    it('rejects relative paths', () => {
+        expect(isValidCwd('relative/path')).toBe(false);
+        expect(isValidCwd('../escape')).toBe(false);
+    });
+    it('rejects null bytes', () => {
+        expect(isValidCwd('/home/user\0/evil')).toBe(false);
+    });
+    it('rejects overly long paths', () => {
+        expect(isValidCwd('/' + 'a'.repeat(1024))).toBe(false);
+    });
+    it('rejects empty', () => {
+        expect(isValidCwd('')).toBe(false);
+    });
+});
+describe('stripControlChars', () => {
+    it('removes control characters', () => {
+        expect(stripControlChars('hello\x00world')).toBe('helloworld');
+        expect(stripControlChars('test\x1B[31m')).toBe('test[31m');
+    });
+    it('preserves newlines and tabs', () => {
+        expect(stripControlChars('hello\nworld\ttab')).toBe('hello\nworld\ttab');
+    });
+});
+describe('validateLaunchPayload', () => {
+    it('accepts valid payload', () => {
+        const result = validateLaunchPayload({
+            cwd: '~/project',
+            name: 'my-instance',
+            model: 'claude-opus-4-6',
+            permissionMode: 'default',
+        });
+        expect(result.valid).toBe(true);
+    });
+    it('accepts minimal payload', () => {
+        const result = validateLaunchPayload({ cwd: '/home/user' });
+        expect(result.valid).toBe(true);
+    });
+    it('rejects missing cwd', () => {
+        const result = validateLaunchPayload({ name: 'test' });
+        expect(result.valid).toBe(false);
+    });
+    it('rejects invalid model', () => {
+        const result = validateLaunchPayload({ cwd: '/home', model: '$(evil)' });
+        expect(result.valid).toBe(false);
+    });
+    it('rejects invalid permissionMode', () => {
+        const result = validateLaunchPayload({ cwd: '/home', permissionMode: 'hacker' });
+        expect(result.valid).toBe(false);
+    });
+    it('rejects non-object payload', () => {
+        expect(validateLaunchPayload(null).valid).toBe(false);
+        expect(validateLaunchPayload('string').valid).toBe(false);
+        expect(validateLaunchPayload(42).valid).toBe(false);
+    });
+});
+describe('validateHookPayload', () => {
+    it('accepts valid hook data', () => {
+        const result = validateHookPayload({
+            id: 'mob-abc123',
+            cwd: '/home/user',
+            state: 'running',
+        });
+        expect(result.valid).toBe(true);
+    });
+    it('rejects missing id', () => {
+        const result = validateHookPayload({ cwd: '/home', state: 'running' });
+        expect(result.valid).toBe(false);
+    });
+    it('rejects overly long id', () => {
+        const result = validateHookPayload({ id: 'a'.repeat(201) });
+        expect(result.valid).toBe(false);
+    });
+    it('rejects null bytes in cwd', () => {
+        const result = validateHookPayload({ id: 'test', cwd: '/home\0/evil' });
+        expect(result.valid).toBe(false);
+    });
+    it('strips control chars from name', () => {
+        const result = validateHookPayload({ id: 'test', name: 'hello\x00world' });
+        expect(result.valid).toBe(true);
+        if (result.valid) {
+            expect(result.data.name).toBe('helloworld');
+        }
+    });
+});

package/dist/server/server/discovery.js

@@ -0,0 +1,36 @@
+import chokidar from 'chokidar';
+import path from 'path';
+import { EventEmitter } from 'events';
+import { readStatusFile } from './status-reader.js';
+import { getInstancesDir } from './util/platform.js';
+import { ensureDir } from './util/platform.js';
+export class DiscoveryService extends EventEmitter {
+    watcher = null;
+    dir;
+    constructor() {
+        super();
+        this.dir = getInstancesDir();
+    }
+    start() {
+        ensureDir(this.dir);
+        this.watcher = chokidar.watch(path.join(this.dir, '*.json'), {
+            ignoreInitial: false,
+            awaitWriteFinish: { stabilityThreshold: 100, pollInterval: 50 },
+        });
+        this.watcher.on('add', (fp) => this.handleFileChange(fp));
+        this.watcher.on('change', (fp) => this.handleFileChange(fp));
+        this.watcher.on('unlink', (fp) => {
+            const id = path.basename(fp, '.json');
+            this.emit('remove', id);
+        });
+    }
+    handleFileChange(filePath) {
+        const status = readStatusFile(filePath);
+        if (status) {
+            this.emit('update', status, filePath);
+        }
+    }
+    stop() {
+        this.watcher?.close();
+    }
+}

package/dist/server/server/express-app.js

@@ -0,0 +1,173 @@
+import express from 'express';
+import { execFile } from 'child_process';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { isPathWithinHome, validateHookPayload } from './util/sanitize.js';
+import { createLogger } from './util/logger.js';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const log = createLogger('http');
+export function createApp(instanceManager, settingsManager) {
+    const app = express();
+    app.use(express.json());
+    // Request logging for API routes
+    app.use('/api', (req, _res, next) => {
+        log.info(`${req.method} ${req.originalUrl}`);
+        next();
+    });
+    // Serve static frontend in production (only if built)
+    const clientDir = path.join(__dirname, '..', 'client');
+    const indexHtml = path.join(clientDir, 'index.html');
+    const hasBuiltClient = fs.existsSync(indexHtml);
+    if (hasBuiltClient) {
+        app.use(express.static(clientDir));
+    }
+    // Directory autocomplete for launch dialog (restricted to home directory)
+    app.get('/api/completions/dirs', (req, res) => {
+        const partial = req.query.q || '';
+        if (!partial) {
+            res.json([]);
+            return;
+        }
+        // Expand ~ to home dir
+        const home = os.homedir();
+        const expanded = partial.startsWith('~')
+            ? path.join(home, partial.slice(1))
+            : partial;
+        // Restrict to home directory tree
+        const resolved = path.resolve(expanded);
+        if (!isPathWithinHome(resolved)) {
+            res.json([]);
+            return;
+        }
+        const dir = expanded.endsWith('/') ? expanded : path.dirname(expanded);
+        const prefix = expanded.endsWith('/') ? '' : path.basename(expanded);
+        // Verify dir is also within home
+        const resolvedDir = path.resolve(dir);
+        if (!isPathWithinHome(resolvedDir)) {
+            res.json([]);
+            return;
+        }
+        try {
+            const entries = fs.readdirSync(resolvedDir, { withFileTypes: true });
+            const matches = entries
+                .filter((e) => e.isDirectory() && !e.name.startsWith('.') && e.name.toLowerCase().startsWith(prefix.toLowerCase()))
+                .slice(0, 20)
+                .map((e) => {
+                const full = path.join(resolvedDir, e.name);
+                const display = full.startsWith(home) ? '~' + full.slice(home.length) : full;
+                return { path: full, display: display + '/' };
+            });
+            res.json(matches);
+        }
+        catch {
+            res.json([]);
+        }
+    });
+    // Browse for directory — opens native folder picker
+    app.post('/api/browse-dir', (req, res) => {
+        const startDir = req.body?.startDir || process.env.HOME || 'C:\\';
+        const expanded = startDir.startsWith('~')
+            ? path.join(process.env.HOME || 'C:\\', startDir.slice(1))
+            : startDir;
+        // Validate path has no null bytes or newlines
+        if (expanded.includes('\0') || expanded.includes('\n') || expanded.includes('\r')) {
+            res.status(400).json({ error: 'Invalid path' });
+            return;
+        }
+        log.info('browse-dir requested, startDir:', expanded);
+        if (process.platform === 'win32') {
+            const psPath = path.join(process.env.SystemRoot || 'C:\\Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe');
+            const scriptPath = path.join(__dirname, '..', '..', 'scripts', 'browse-dir.ps1');
+            execFile(psPath, ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', scriptPath, '-StartPath', expanded], { timeout: 60000, windowsHide: false }, (err, stdout, stderr) => {
+                if (err) {
+                    log.error('browse-dir error:', err.message, stderr);
+                    res.json({ cancelled: true });
+                    return;
+                }
+                const selected = stdout.trim();
+                log.info('browse-dir result:', selected || '(cancelled)');
+                if (selected) {
+                    res.json({ path: selected });
+                }
+                else {
+                    res.json({ cancelled: true });
+                }
+            });
+        }
+        else if (process.platform === 'darwin') {
+            // Shell-quote the path within the AppleScript string to prevent injection
+            const escapedPath = expanded.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+            execFile('osascript', ['-e', `choose folder with prompt "Select working directory" default location POSIX file "${escapedPath}"`], { timeout: 60000 }, (err, stdout) => {
+                if (err) {
+                    res.json({ cancelled: true });
+                    return;
+                }
+                const alias = stdout.trim();
+                const posix = alias.replace(/^alias [^:]+:/, '/').replace(/:/g, '/');
+                res.json({ path: posix });
+            });
+        }
+        else {
+            execFile('zenity', ['--file-selection', '--directory', `--filename=${expanded}/`], { timeout: 60000 }, (err, stdout) => {
+                if (err) {
+                    res.json({ cancelled: true });
+                    return;
+                }
+                res.json({ path: stdout.trim() });
+            });
+        }
+    });
+    // Platform info for client feature detection
+    app.get('/api/platform', (_req, res) => {
+        res.json({ platform: process.platform });
+    });
+    // Settings API
+    app.get('/api/settings', (_req, res) => {
+        res.json(settingsManager.getRedacted());
+    });
+    app.put('/api/settings', (req, res) => {
+        try {
+            settingsManager.update(req.body);
+            instanceManager.refreshTicketFields();
+            res.json(settingsManager.getRedacted());
+        }
+        catch (err) {
+            res.status(400).json({ error: err.message || 'Invalid settings' });
+        }
+    });
+    // Hook endpoint — receives status updates from hook scripts
+    app.post('/api/hook', (req, res) => {
+        const result = validateHookPayload(req.body);
+        if (!result.valid) {
+            res.status(400).json({ error: result.error });
+            return;
+        }
+        const data = result.data;
+        log.info(`hook update: id=${data.id} state=${data.state} topic=${data.topic || '(none)'}`);
+        data.lastUpdated = data.lastUpdated || Date.now();
+        instanceManager.handleHookUpdate(data);
+        res.json({ ok: true });
+    });
+    // REST: list instances
+    app.get('/api/instances', (_req, res) => {
+        res.json(instanceManager.getAll());
+    });
+    // REST: get single instance
+    app.get('/api/instances/:id', (req, res) => {
+        const info = instanceManager.get(req.params.id);
+        if (!info) {
+            res.status(404).json({ error: 'Not found' });
+            return;
+        }
+        res.json(info);
+    });
+    // Fallback to index.html for SPA routing (production only)
+    if (hasBuiltClient) {
+        app.get('*', (_req, res) => {
+            res.sendFile(indexHtml);
+        });
+    }
+    return app;
+}

package/dist/server/server/index.js

@@ -0,0 +1,54 @@
+import http from 'http';
+import { createApp } from './express-app.js';
+import { createWsServer } from './ws-server.js';
+import { InstanceManager } from './instance-manager.js';
+import { PtyManager } from './pty-manager.js';
+import { DiscoveryService } from './discovery.js';
+import { SessionStore } from './session-store.js';
+import { ScrollbackBuffer } from './scrollback-buffer.js';
+import { SettingsManager } from './settings-manager.js';
+import { ensureDir, getMobDir, getInstancesDir, getSessionsDir, getScrollbackDir } from './util/platform.js';
+import { DEFAULT_PORT } from '../shared/constants.js';
+const port = parseInt(process.env.MOB_PORT || '', 10) || DEFAULT_PORT;
+const host = process.env.MOB_HOST || '127.0.0.1';
+// Ensure directories exist
+ensureDir(getMobDir());
+ensureDir(getInstancesDir());
+ensureDir(getSessionsDir());
+ensureDir(getScrollbackDir());
+const settingsManager = new SettingsManager();
+const ptyManager = new PtyManager();
+const discovery = new DiscoveryService();
+const sessionStore = new SessionStore();
+const scrollbackBuffer = new ScrollbackBuffer();
+scrollbackBuffer.start();
+sessionStore.pruneExpired();
+const instanceManager = new InstanceManager(ptyManager, discovery, sessionStore, scrollbackBuffer, settingsManager);
+const app = createApp(instanceManager, settingsManager);
+const server = http.createServer(app);
+createWsServer(server, instanceManager, ptyManager);
+discovery.start();
+instanceManager.startStaleCheck();
+server.listen(port, host, () => {
+    console.log(`Mob dashboard running at http://${host}:${port}`);
+    console.log(`WebSocket endpoint: ws://${host}:${port}/mob-ws`);
+});
+// Graceful shutdown
+function shutdown() {
+    console.log('\nShutting down...');
+    instanceManager.saveAllAsStopped();
+    // Kill all PTY processes
+    for (const [id] of ptyManager.getAll()) {
+        console.log(`Killing PTY: ${id}`);
+        ptyManager.kill(id);
+    }
+    scrollbackBuffer.stop();
+    instanceManager.stop();
+    // Brief grace period for clean exit
+    setTimeout(() => {
+        server.close();
+        process.exit(0);
+    }, 500);
+}
+process.on('SIGINT', shutdown);
+process.on('SIGTERM', shutdown);