mobygate 0.7.2 → 0.8.0

package/lib/platform.js

@@ -110,6 +110,80 @@ export function writeMacServerPlist({ installPath, nodeBin, port, logsDir }) {
   return plistPath;
 }
 
+/**
+ * Generate the macOS auth-refresh plist with the user's actual paths
+ * baked in. Earlier we shipped a static plist template and sed-replaced
+ * Farhan's hardcoded paths inside it — anyone who installed without an
+ * EXACT path match (different username, different fnm version, etc.)
+ * ended up with a plist pointing at /Users/farhan/... and the cron
+ * silently failed forever. This generator mirrors writeMacServerPlist
+ * and uses the same nodeBin / installPath / logsDir resolution so the
+ * resulting plist is portable across any user's machine.
+ */
+export function writeMacAuthRefreshPlist({ installPath, nodeBin, logsDir, intervalHours = 4 }) {
+  if (!IS_MAC) throw new Error('writeMacAuthRefreshPlist called on non-macOS');
+  if (!existsSync(LAUNCH_AGENTS_DIR)) mkdirSync(LAUNCH_AGENTS_DIR, { recursive: true });
+  const plistPath = join(LAUNCH_AGENTS_DIR, `${AUTH_LABEL}.plist`);
+  const intervalSec = Math.max(60, parseInt(intervalHours, 10) * 3600);
+  const pathChain = [
+    dirname(nodeBin),
+    '/usr/local/bin', '/usr/bin', '/bin', '/opt/homebrew/bin',
+    join(homedir(), '.local/bin'),
+  ].join(':');
+  const xml = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+  Generated by \`mobygate init\` on ${new Date().toISOString()}.
+  Proactive Claude Max OAuth refresh cron.
+    - Runs scripts/auth-refresh.js every ${intervalHours}h via launchd
+    - Anthropic OAuth tokens last ~8h, so ${intervalHours}h cadence keeps
+      us inside the valid window even if one run fails
+
+  Install:   launchctl load ~/Library/LaunchAgents/${AUTH_LABEL}.plist
+  Uninstall: launchctl unload ~/Library/LaunchAgents/${AUTH_LABEL}.plist
+-->
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>${AUTH_LABEL}</string>
+
+    <key>ProgramArguments</key>
+    <array>
+        <string>${nodeBin}</string>
+        <string>scripts/auth-refresh.js</string>
+    </array>
+
+    <key>WorkingDirectory</key>
+    <string>${installPath}</string>
+
+    <key>EnvironmentVariables</key>
+    <dict>
+        <key>PATH</key>
+        <string>${pathChain}</string>
+        <key>HOME</key>
+        <string>${homedir()}</string>
+    </dict>
+
+    <key>StartInterval</key>
+    <integer>${intervalSec}</integer>
+
+    <key>RunAtLoad</key>
+    <true/>
+
+    <key>StandardOutPath</key>
+    <string>${logsDir}/auth-refresh.log</string>
+    <key>StandardErrorPath</key>
+    <string>${logsDir}/auth-refresh.err.log</string>
+
+    <key>KeepAlive</key>
+    <false/>
+</dict>
+</plist>
+`;
+  writeFileSync(plistPath, xml);
+  return plistPath;
+}
+
 /**
  * Install (copy + load) a plist. Returns {installed: true, path}.
  * Safe to call when already loaded — we unload first.

package/lib/updater.js

@@ -26,6 +26,12 @@ import { readFileSync, writeFileSync, existsSync, mkdirSync, openSync } from 'fs
 import { join, sep, dirname } from 'path';
 import { fileURLToPath } from 'url';
 import { LOGS_DIR } from './config.js';
+// Single-source service labels from platform.js — earlier we duplicated
+// these constants here and they drifted (WIN_SERVER_TASK was 'ai.mobygate.server'
+// while platform.js registered 'mobygate-server'), so the dashboard's
+// "Update now" silently no-op'd on Windows because the schtasks /End in the
+// update chain failed and short-circuited the rest via &&.
+import { WIN_LABELS, LINUX_UNITS } from './platform.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const REPO_ROOT = dirname(dirname(__filename)); // lib/updater.js → repo root
@@ -35,8 +41,7 @@ const IS_MAC = process.platform === 'darwin';
 const IS_LINUX = process.platform === 'linux';
 
 const SERVER_LABEL = 'ai.mobygate.server';
-const WIN_SERVER_TASK = 'ai.mobygate.server';
-const LINUX_SERVER_UNIT = 'mobygate-server.service';
+const AUTH_LABEL = 'ai.mobygate.auth-refresh';
 
 const UPDATE_LOG = join(LOGS_DIR, 'update.log');
 const UPDATE_MARKER = join(LOGS_DIR, 'update.state.json');
@@ -174,14 +179,17 @@ function writeUpdateState(patch) {
 function buildUpdateCommand({ mode, repoRoot, logPath }) {
   if (IS_WIN) {
     // cmd.exe — `>>` for append, `2>&1` to merge. Each step on its own
-    // line so failures short-circuit via `||`.
+    // line so failures short-circuit via `&&`. The auth-refresh task is
+    // also stopped because it's a separate scheduled task that imports
+    // mobygate code; if it fires mid-install it grabs file handles in
+    // node_modules\mobygate and we hit EBUSY just like the server task.
+    // Note: trailing 2>nul on End calls so "task not found" doesn't
+    // short-circuit the chain — the start steps will surface real errors.
     const steps = [];
     steps.push(`echo [mobygate-update] start at %DATE% %TIME%`);
-    // Stop FIRST so npm can replace files without EBUSY. /F forces close
-    // even if the process is mid-request; the SDK session map writes are
-    // synchronous and the SIGTERM handler flushes before exit.
-    steps.push(`echo [mobygate-update] stopping service`);
-    steps.push(`schtasks /End /TN "${WIN_SERVER_TASK}"`);
+    steps.push(`echo [mobygate-update] stopping services`);
+    steps.push(`(schtasks /End /TN "${WIN_LABELS.server}" 2>nul) | rem`);
+    steps.push(`(schtasks /End /TN "${WIN_LABELS.auth}"   2>nul) | rem`);
     if (mode === 'npm') {
       steps.push(`npm install -g mobygate@latest`);
     } else if (mode === 'git') {
@@ -189,22 +197,29 @@ function buildUpdateCommand({ mode, repoRoot, logPath }) {
       steps.push(`git pull --ff-only`);
       steps.push(`npm install`);
     }
-    steps.push(`echo [mobygate-update] restarting service`);
-    steps.push(`schtasks /Run /TN "${WIN_SERVER_TASK}"`);
+    steps.push(`echo [mobygate-update] starting services on new build`);
+    steps.push(`schtasks /Run /TN "${WIN_LABELS.server}"`);
+    steps.push(`(schtasks /Run /TN "${WIN_LABELS.auth}" 2>nul) | rem`);
     steps.push(`echo [mobygate-update] done`);
     // Join with && so any failure stops the chain. Final redirect to log.
     const inner = steps.map((s) => `(${s})`).join(' && ');
     return { shell: 'cmd', cmd: `${inner} >> "${logPath}" 2>&1` };
   }
-  // POSIX: sh -c, bail-on-first-failure via set -e. Stop service first
-  // for the same reason — symmetry, cleaner restart, no harm.
+  // POSIX: sh -c, bail-on-first-failure via set -e. Same dual-task stop
+  // applies — auth-refresh runs on its own launchd plist / systemd timer
+  // and would lock files mid-install if not stopped. `|| true` because
+  // a not-loaded service shouldn't kill the chain.
   const parts = [`set -e`, `echo "[mobygate-update] start $(date)"`];
-  parts.push(`echo "[mobygate-update] stopping service"`);
+  parts.push(`echo "[mobygate-update] stopping services"`);
   if (IS_MAC) {
-    const plist = join(process.env.HOME || '~', 'Library', 'LaunchAgents', `${SERVER_LABEL}.plist`);
-    parts.push(`launchctl unload "${plist}" 2>/dev/null || true`);
+    const serverPlist = join(process.env.HOME || '~', 'Library', 'LaunchAgents', `${SERVER_LABEL}.plist`);
+    const authPlist   = join(process.env.HOME || '~', 'Library', 'LaunchAgents', `${AUTH_LABEL}.plist`);
+    parts.push(`launchctl unload "${serverPlist}" 2>/dev/null || true`);
+    parts.push(`launchctl unload "${authPlist}"   2>/dev/null || true`);
   } else if (IS_LINUX) {
-    parts.push(`systemctl --user stop ${LINUX_SERVER_UNIT} 2>/dev/null || true`);
+    parts.push(`systemctl --user stop ${LINUX_UNITS.server} 2>/dev/null || true`);
+    if (LINUX_UNITS.timer) parts.push(`systemctl --user stop ${LINUX_UNITS.timer} 2>/dev/null || true`);
+    if (LINUX_UNITS.auth)  parts.push(`systemctl --user stop ${LINUX_UNITS.auth}  2>/dev/null || true`);
   }
   if (mode === 'npm') {
     parts.push(`npm install -g mobygate@latest`);
@@ -213,12 +228,15 @@ function buildUpdateCommand({ mode, repoRoot, logPath }) {
     parts.push(`git pull --ff-only`);
     parts.push(`npm install`);
   }
-  parts.push(`echo "[mobygate-update] starting service on new build"`);
+  parts.push(`echo "[mobygate-update] starting services on new build"`);
   if (IS_MAC) {
-    const plist = join(process.env.HOME || '~', 'Library', 'LaunchAgents', `${SERVER_LABEL}.plist`);
-    parts.push(`launchctl load "${plist}"`);
+    const serverPlist = join(process.env.HOME || '~', 'Library', 'LaunchAgents', `${SERVER_LABEL}.plist`);
+    const authPlist   = join(process.env.HOME || '~', 'Library', 'LaunchAgents', `${AUTH_LABEL}.plist`);
+    parts.push(`launchctl load "${serverPlist}"`);
+    parts.push(`launchctl load "${authPlist}" 2>/dev/null || true`);
   } else if (IS_LINUX) {
-    parts.push(`systemctl --user start ${LINUX_SERVER_UNIT}`);
+    parts.push(`systemctl --user start ${LINUX_UNITS.server}`);
+    if (LINUX_UNITS.timer) parts.push(`systemctl --user start ${LINUX_UNITS.timer} 2>/dev/null || true`);
   }
   parts.push(`echo "[mobygate-update] done"`);
   const script = parts.join('\n');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobygate",
-  "version": "0.7.2",
+  "version": "0.8.0",
   "description": "OpenAI-compatible local proxy for Claude Max. The Möbius-strip gateway: OpenAI shape in, Claude Max out.",
   "type": "module",
   "main": "server.js",

package/server.js

@@ -286,12 +286,20 @@ function messagesToPrompt(messages, { resuming = false } = {}) {
       }
     }
     const toolResultsText = toolMessagesToText(trailingToolMessages);
+    if (!userText && !toolResultsText) {
+      // Earlier code fell back to extracting whatever was at messages[-1],
+      // which on an assistant-terminated history sent the assistant's own
+      // previous reply back to the SDK as the new user prompt — and the
+      // model would "respond to its own reply." Catch this clearly instead.
+      return {
+        promptText: '',
+        error: 'Resume mode requires the request to end with a user message or tool result. Last message has role "' + (messages[messages.length - 1]?.role || 'unknown') + '".',
+      };
+    }
     const parts = [];
     if (toolResultsText) parts.push(toolResultsText);
     if (userText) parts.push(userText);
-    return {
-      promptText: parts.join('\n\n') || extractContent(messages[messages.length - 1]?.content || ''),
-    };
+    return { promptText: parts.join('\n\n') };
   }
 
   // Fresh request: serialize visible history as XML-wrapped text. No
@@ -396,9 +404,20 @@ async function handleStreaming(req, res, body, requestId, sessionKey) {
   const existing = getSession(sessionKey);
   const resuming = !!existing?.sdkSessionId;
   const toolsEnabled = hasTools(body);
-  const { promptText } = messagesToPrompt(body.messages, { resuming });
+  const { promptText, error: promptError } = messagesToPrompt(body.messages, { resuming });
+  if (promptError) {
+    return res.status(400).json({
+      error: { message: promptError, type: 'invalid_request_error', code: 'invalid_resume_messages' },
+    });
+  }
   const images = collectImages(body.messages);
-  const prompt = buildQueryPrompt(promptText, images);
+  // NOTE: `prompt` is built inside runQuery (not here) when images are
+  // present, because buildQueryPrompt returns a single-use async iterator
+  // for multimodal requests. If we built it here and the SDK call hit a
+  // 401, runWithAuthRetry would invoke runQuery a second time with the
+  // same exhausted iterator → SDK gets an empty user message → silent
+  // empty response. Lazy construction inside runQuery rebuilds the
+  // iterator per attempt.
   const model = resolveModel(body.model);
   // Build the in-process MCP server exposing client tools to the SDK.
   // null when toolsEnabled is false (or all tools are malformed).
@@ -450,6 +469,9 @@ async function handleStreaming(req, res, body, requestId, sessionKey) {
     resolvedModel = model;
     capturedSessionId = existing?.sdkSessionId || null;
 
+    // Build the prompt lazily on each attempt — multimodal returns a
+    // single-use async iterator. Keeps 401 auth-retries safe.
+    const prompt = buildQueryPrompt(promptText, images);
     for await (const message of query({
       prompt,
       options: {
@@ -623,9 +645,20 @@ async function handleNonStreaming(res, body, requestId, sessionKey) {
   const existing = getSession(sessionKey);
   const resuming = !!existing?.sdkSessionId;
   const toolsEnabled = hasTools(body);
-  const { promptText } = messagesToPrompt(body.messages, { resuming });
+  const { promptText, error: promptError } = messagesToPrompt(body.messages, { resuming });
+  if (promptError) {
+    return res.status(400).json({
+      error: { message: promptError, type: 'invalid_request_error', code: 'invalid_resume_messages' },
+    });
+  }
   const images = collectImages(body.messages);
-  const prompt = buildQueryPrompt(promptText, images);
+  // NOTE: `prompt` is built inside runQuery (not here) when images are
+  // present, because buildQueryPrompt returns a single-use async iterator
+  // for multimodal requests. If we built it here and the SDK call hit a
+  // 401, runWithAuthRetry would invoke runQuery a second time with the
+  // same exhausted iterator → SDK gets an empty user message → silent
+  // empty response. Lazy construction inside runQuery rebuilds the
+  // iterator per attempt.
   const model = resolveModel(body.model);
   const clientToolsServer = toolsEnabled ? buildClientToolsServer(body.tools) : null;
   const toolsGuidance = clientToolsServer ? buildToolUsageGuidance(body.tools) : null;
@@ -653,6 +686,9 @@ async function handleNonStreaming(res, body, requestId, sessionKey) {
     outputTokens = 0;
     capturedSessionId = existing?.sdkSessionId || null;
 
+    // Build the prompt lazily on each attempt — multimodal returns a
+    // single-use async iterator. Keeps 401 auth-retries safe.
+    const prompt = buildQueryPrompt(promptText, images);
     for await (const message of query({
       prompt,
       options: {
@@ -801,9 +837,17 @@ async function handleAnthropicNonStreaming(res, body, requestId, sessionKey) {
   const existing = getSession(sessionKey);
   const resuming = !!existing?.sdkSessionId;
   const toolsEnabled = hasAnthropicTools(body);
-  const promptText = anthropicMessagesToPrompt(body, { resuming });
+  const { promptText, error: promptError } = anthropicMessagesToPrompt(body, { resuming });
+  if (promptError) {
+    return res.status(400).json({
+      type: 'error',
+      error: { type: 'invalid_request_error', message: promptError },
+    });
+  }
   const images = collectAnthropicImages(body.messages || []);
-  const prompt = buildQueryPrompt(promptText, images);
+  // See note in handleStreaming — `prompt` is built lazily inside runQuery
+  // because the multimodal path returns a single-use async iterator that
+  // a 401-retry would exhaust on the first attempt.
   const model = resolveModel(body.model);
   // Translate Anthropic tool defs → OpenAI shape that buildClientToolsServer
   // expects. Both go through the same JSON-Schema → Zod path on the way to
@@ -843,6 +887,9 @@ async function handleAnthropicNonStreaming(res, body, requestId, sessionKey) {
     capturedSessionId = existing?.sdkSessionId || null;
     stopReason = 'end_turn';
 
+    // Build the prompt lazily on each attempt — multimodal returns a
+    // single-use async iterator. Keeps 401 auth-retries safe.
+    const prompt = buildQueryPrompt(promptText, images);
     for await (const message of query({
       prompt,
       options: {
@@ -949,9 +996,17 @@ async function handleAnthropicStreaming(req, res, body, requestId, sessionKey) {
   const existing = getSession(sessionKey);
   const resuming = !!existing?.sdkSessionId;
   const toolsEnabled = hasAnthropicTools(body);
-  const promptText = anthropicMessagesToPrompt(body, { resuming });
+  const { promptText, error: promptError } = anthropicMessagesToPrompt(body, { resuming });
+  if (promptError) {
+    return res.status(400).json({
+      type: 'error',
+      error: { type: 'invalid_request_error', message: promptError },
+    });
+  }
   const images = collectAnthropicImages(body.messages || []);
-  const prompt = buildQueryPrompt(promptText, images);
+  // See note in handleStreaming — `prompt` is built lazily inside runQuery
+  // because the multimodal path returns a single-use async iterator that
+  // a 401-retry would exhaust on the first attempt.
   const model = resolveModel(body.model);
   const toolsForBridge = toolsEnabled
     ? body.tools.map((t) => ({
@@ -1005,6 +1060,9 @@ async function handleAnthropicStreaming(req, res, body, requestId, sessionKey) {
     textEmittedSoFar = '';
     toolUseEmitted = false;
 
+    // Build the prompt lazily on each attempt — multimodal returns a
+    // single-use async iterator. Keeps 401 auth-retries safe.
+    const prompt = buildQueryPrompt(promptText, images);
     for await (const message of query({
       prompt,
       options: {
@@ -1165,6 +1223,62 @@ async function handleAnthropicStreaming(req, res, body, requestId, sessionKey) {
 const app = express();
 app.use(express.json({ limit: '10mb' }));
 
+// ---------------------------------------------------------------------------
+// Same-origin gate for control-plane endpoints
+// ---------------------------------------------------------------------------
+// The proxy endpoints (/v1/chat/completions, /v1/messages, /v1/models,
+// /health) are intentionally open: clients from other localhost processes
+// (Hermes, OpenClaw, etc.) need to hit them. But the *control-plane*
+// endpoints — anything that triggers privileged actions (npm install,
+// auth refresh, session deletion) or exposes sensitive data (server log
+// containing prompt text, live event metadata) — must NOT be reachable
+// from a browser tab on a malicious site (DNS-rebinding) or a LAN
+// attacker (when bind: 0.0.0.0).
+//
+// Defense:
+//   - Host header must resolve to localhost. DNS rebinding makes the
+//     network connect to 127.0.0.1, but the browser still sends the
+//     attacker's hostname in the Host header — block it.
+//   - If Origin is present (browsers always send it on POST), the
+//     hostname must also be local. Catches cross-origin fetches.
+//   - Non-browser clients (curl, the dashboard's own JS from same
+//     origin, programmatic callers) sail through fine.
+//
+// Limitation: this is NOT a substitute for real auth on a LAN-exposed
+// proxy. With bind: 0.0.0.0, anyone on the LAN can still hit endpoints
+// directly with a faked Host header. For v0.7.3 we accept that and warn
+// in the startup banner; a real `MOBYGATE_TOKEN` for LAN use is a
+// follow-up.
+
+function isLocalHostname(name) {
+  if (!name) return false;
+  const lower = String(name).toLowerCase();
+  // Strip optional brackets (IPv6) and port suffix.
+  const stripped = lower.replace(/^\[|\]$/g, '').replace(/:[0-9]+$/, '');
+  return stripped === '127.0.0.1' || stripped === 'localhost' || stripped === '::1';
+}
+
+function requireLocalOrigin(req, res, next) {
+  if (!isLocalHostname(req.headers.host)) {
+    return res.status(403).json({
+      error: { type: 'forbidden', message: 'Host header is not localhost. Mobygate refuses non-local origins on control-plane endpoints (DNS-rebinding protection).' },
+    });
+  }
+  const origin = req.headers.origin;
+  if (origin) {
+    try {
+      if (!isLocalHostname(new URL(origin).hostname)) {
+        return res.status(403).json({
+          error: { type: 'forbidden', message: 'Origin header is not localhost. Cross-origin fetch refused on control-plane endpoint.' },
+        });
+      }
+    } catch {
+      return res.status(403).json({ error: { type: 'forbidden', message: 'Invalid Origin header.' } });
+    }
+  }
+  next();
+}
+
 // GET / — serve dashboard. No-cache headers so browsers always re-fetch
 // after a mobygate upgrade; otherwise they keep serving the old index.html
 // from cache and users see a stale dashboard long after the service updated.
@@ -1388,7 +1502,7 @@ app.get('/sessions/:key', (req, res) => {
 });
 
 // DELETE /sessions/:key — clear a session
-app.delete('/sessions/:key', (req, res) => {
+app.delete('/sessions/:key', requireLocalOrigin, (req, res) => {
   const existed = sessions.delete(req.params.key);
   if (existed) {
     dashboardBus.emitEvent({ type: 'session.expired', key: req.params.key, reason: 'manual' });
@@ -1398,7 +1512,7 @@ app.delete('/sessions/:key', (req, res) => {
 });
 
 // DELETE /sessions — clear all sessions
-app.delete('/sessions', (_req, res) => {
+app.delete('/sessions', requireLocalOrigin, (_req, res) => {
   const keys = [...sessions.keys()];
   const count = sessions.size;
   sessions.clear();
@@ -1439,7 +1553,7 @@ app.get('/auth/status', async (req, res) => {
 
 // POST /auth/refresh
 // Fires the refresh probe. Intended for use by cron / launchd.
-app.post('/auth/refresh', async (_req, res) => {
+app.post('/auth/refresh', requireLocalOrigin, async (_req, res) => {
   const probe = await forceRefresh();
   dashboardBus.emitEvent({ type: 'auth.refresh', ok: probe.ok, durationMs: probe.durationMs, error: probe.error });
   res.status(probe.ok ? 200 : 502).json({
@@ -1453,7 +1567,7 @@ app.post('/auth/refresh', async (_req, res) => {
 // ---------------------------------------------------------------------------
 
 // GET /events — SSE stream of dashboard events
-app.get('/events', (req, res) => {
+app.get('/events', requireLocalOrigin, (req, res) => {
   res.setHeader('Content-Type', 'text/event-stream');
   res.setHeader('Cache-Control', 'no-cache, no-transform');
   res.setHeader('Connection', 'keep-alive');
@@ -1528,7 +1642,7 @@ app.get('/dashboard/sessions', (_req, res) => {
 });
 
 // GET /dashboard/logs — tail the server log file
-app.get('/dashboard/logs', async (req, res) => {
+app.get('/dashboard/logs', requireLocalOrigin, async (req, res) => {
   const lines = Math.min(2000, parseInt(req.query.lines || '200', 10));
   const logPath = join(LOGS_DIR, 'server.log');
   try {
@@ -1567,7 +1681,7 @@ app.get('/update/check', async (req, res) => {
 // `npm install -g mobygate@latest` (or `git pull && npm install`), then
 // restarts the service — which kills us. The dashboard polls
 // /update/status to show progress and reconnects once the new server is up.
-app.post('/update/apply', (_req, res) => {
+app.post('/update/apply', requireLocalOrigin, (_req, res) => {
   try {
     const result = applyUpdate({});
     const status = result.started ? 202 : 409;