palmier 0.4.4 → 0.4.6

package/src/transports/http-transport.ts

@@ -1,23 +1,29 @@
 import * as http from "node:http";
 import * as os from "os";
+import { StringCodec, type NatsConnection } from "nats";
 import { validateSession, addSession } from "../session-store.js";
-import type { HostConfig, RpcMessage } from "../types.js";
+import { registerPending } from "../pending-requests.js";
+import { getTaskDir, parseTaskFile, appendRunMessage } from "../task.js";
+import type { HostConfig, RpcMessage, RequiredPermission } from "../types.js";
 
 const PWA_ORIGIN = "https://app.palmier.me";
 
-// ── In-memory PWA asset cache ──────────────────────────────────────────
+// ── On-the-fly PWA asset cache ──────────────────────────────────────────
 
 interface CachedAsset {
   data: Buffer;
   contentType: string;
 }
 
+const assetCache = new Map<string, CachedAsset>();
+/** Paths currently being fetched (dedup concurrent requests). */
+const assetInflight = new Map<string, Promise<CachedAsset | null>>();
+
 const CONTENT_TYPES: Record<string, string> = {
   ".html": "text/html; charset=utf-8",
   ".js": "application/javascript",
   ".css": "text/css",
   ".json": "application/json",
-
   ".png": "image/png",
   ".ico": "image/x-icon",
   ".woff2": "font/woff2",
@@ -26,6 +32,7 @@ const CONTENT_TYPES: Record<string, string> = {
 };
 
 function guessContentType(urlPath: string): string {
+  if (urlPath === "/") return "text/html; charset=utf-8";
   const ext = urlPath.match(/\.[^.]+$/)?.[0] ?? "";
   return CONTENT_TYPES[ext] ?? "application/octet-stream";
 }
@@ -37,59 +44,38 @@ async function fetchBuffer(url: string): Promise<Buffer> {
 }
 
 /**
- * Download the PWA from palmier.me into memory.
- * Parses index.html for asset references, then fetches each one.
+ * Fetch a PWA asset on-the-fly, caching in memory.
+ * Returns null if the asset cannot be fetched.
  */
-async function downloadPwaAssets(): Promise<Map<string, CachedAsset>> {
-  const assets = new Map<string, CachedAsset>();
-
-  // 1. Fetch index.html
-  const html = await fetchBuffer(`${PWA_ORIGIN}/`);
-  assets.set("/", { data: html, contentType: "text/html; charset=utf-8" });
-
-  const htmlStr = html.toString("utf-8");
-
-  // 2. Extract references from HTML (src="..." and href="...")
-  // Skip service worker and manifest — they require HTTPS which LAN mode doesn't use
-  const SKIP = new Set(["/registerSW.js", "/service-worker.js", "/manifest.webmanifest"]);
-  const refRegex = /(?:src|href)="([^"]+)"/g;
-  const htmlRefs = new Set<string>();
-  let match;
-  while ((match = refRegex.exec(htmlStr)) !== null) {
-    const ref = match[1];
-    if (ref.startsWith("/") && !ref.startsWith("//") && !SKIP.has(ref)) {
-      htmlRefs.add(ref);
-    }
-  }
+async function getAsset(urlPath: string): Promise<CachedAsset | null> {
+  const cached = assetCache.get(urlPath);
+  if (cached) return cached;
 
-  // 3. Fetch all HTML-referenced assets
-  for (const ref of htmlRefs) {
+  // Dedup concurrent requests for the same path
+  const inflight = assetInflight.get(urlPath);
+  if (inflight) return inflight;
+
+  const promise = (async () => {
     try {
-      const data = await fetchBuffer(`${PWA_ORIGIN}${ref}`);
-      assets.set(ref, { data, contentType: guessContentType(ref) });
-
-      // 4. Parse CSS for font url() references
-      if (ref.endsWith(".css")) {
-        const cssStr = data.toString("utf-8");
-        const urlRegex = /url\(["']?([^"')]+)["']?\)/g;
-        let cssMatch;
-        while ((cssMatch = urlRegex.exec(cssStr)) !== null) {
-          let fontRef = cssMatch[1];
-          if (fontRef.startsWith("data:")) continue;
-          // Resolve relative URLs against the CSS file's directory
-          if (!fontRef.startsWith("/")) {
-            const cssDir = ref.substring(0, ref.lastIndexOf("/") + 1);
-            fontRef = cssDir + fontRef;
-          }
-          htmlRefs.add(fontRef);
-        }
+      let data = await fetchBuffer(`${PWA_ORIGIN}${urlPath}`);
+      // Inject LAN mode marker into index HTML so the PWA can detect it's served by palmier
+      if (urlPath === "/") {
+        const html = data.toString("utf-8").replace("</head>", "<script>window.__PALMIER_SERVE__=true</script></head>");
+        data = Buffer.from(html, "utf-8");
       }
+      const asset: CachedAsset = { data, contentType: guessContentType(urlPath) };
+      assetCache.set(urlPath, asset);
+      return asset;
     } catch (err) {
-      console.warn(`[pwa] Failed to fetch ${ref}: ${err}`);
+      console.warn(`[pwa] Failed to fetch ${urlPath}: ${err}`);
+      return null;
+    } finally {
+      assetInflight.delete(urlPath);
     }
-  }
+  })();
 
-  return assets;
+  assetInflight.set(urlPath, promise);
+  return promise;
 }
 
 type SseClient = http.ServerResponse;
@@ -114,30 +100,26 @@ export function detectLanIp(): string {
 }
 
 /**
- * Start the HTTP transport: Express-like server with RPC, SSE, and health endpoints.
+ * Start the HTTP transport: server with RPC, SSE, PWA proxy, pairing, and
+ * localhost-only agent endpoints (notify, request-input, confirmation, permission).
  */
 export async function startHttpTransport(
   config: HostConfig,
   handleRpc: (req: RpcMessage) => Promise<unknown>,
   port: number,
+  nc: NatsConnection | undefined,
   pairingCode?: string,
   onReady?: () => void,
 ): Promise<void> {
-  // Download PWA assets into memory before starting the server
-  console.log("[http] Downloading PWA assets...");
-  const pwaAssets = await downloadPwaAssets();
-  console.log(`[http] Cached ${pwaAssets.size} PWA assets in memory.`);
-
   const sseClients = new Set<SseClient>();
+  const lanEnabled = config.lanEnabled ?? false;
+  const bindAddress = lanEnabled ? "0.0.0.0" : "127.0.0.1";
 
-  // If a pairing code is provided (from `palmier lan`), pre-register it
+  // If a pairing code is provided, pre-register it
   if (pairingCode) {
-    const EXPIRY_MS = 24 * 60 * 60 * 1000; // 24 hours — stays valid while lan server runs
+    const EXPIRY_MS = 24 * 60 * 60 * 1000;
     const timer = setTimeout(() => { pendingPairs.delete(pairingCode); }, EXPIRY_MS);
-    pendingPairs.set(pairingCode, {
-      resolve: () => {},
-      timer,
-    });
+    pendingPairs.set(pairingCode, { resolve: () => {}, timer });
   }
 
   function broadcastSseEvent(data: unknown) {
@@ -147,12 +129,10 @@ export async function startHttpTransport(
     }
   }
 
-
   function checkAuth(req: http.IncomingMessage): boolean {
     const auth = req.headers.authorization;
     if (!auth || !auth.startsWith("Bearer ")) return false;
-    const token = auth.slice(7);
-    return validateSession(token);
+    return validateSession(auth.slice(7));
   }
 
   function extractSessionToken(req: http.IncomingMessage): string | undefined {
@@ -180,50 +160,42 @@ export async function startHttpTransport(
     return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
   }
 
+  /**
+   * Publish an event via NATS and SSE.
+   */
+  async function publishEvent(taskId: string, payload: Record<string, unknown>): Promise<void> {
+    const sc = StringCodec();
+    const subject = `host-event.${config.hostId}.${taskId}`;
+    if (nc) {
+      nc.publish(subject, sc.encode(JSON.stringify(payload)));
+    }
+    broadcastSseEvent({ task_id: taskId, ...payload });
+  }
+
   const server = http.createServer(async (req, res) => {
     const url = new URL(req.url ?? "/", `http://localhost:${port}`);
     const pathname = url.pathname;
 
-    // Internal event endpoint — localhost only, no auth
-    if (req.method === "POST" && pathname === "/internal/event") {
-      if (!isLocalhost(req)) {
-        sendJson(res, 403, { error: "localhost only" });
-        return;
-      }
+    // ── Localhost-only endpoints (no auth) ─────────────────────────────
+
+    if (req.method === "POST" && pathname === "/event") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
       try {
         const body = await readBody(req);
         const event = JSON.parse(body);
         broadcastSseEvent(event);
         sendJson(res, 200, { ok: true });
-      } catch {
-        sendJson(res, 400, { error: "Invalid JSON" });
-      }
+      } catch { sendJson(res, 400, { error: "Invalid JSON" }); }
       return;
     }
 
-    // Internal pair-register endpoint — localhost only, long-poll
-    // The pair CLI posts here and blocks until paired or expired.
-    if (req.method === "POST" && pathname === "/internal/pair-register") {
-      if (!isLocalhost(req)) {
-        sendJson(res, 403, { error: "localhost only" });
-        return;
-      }
+    if (req.method === "POST" && pathname === "/pair-register") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
       try {
         const body = await readBody(req);
-        const { code, expiryMs } = JSON.parse(body) as {
-          code: string;
-          expiryMs: number;
-        };
-
-        if (!code) {
-          sendJson(res, 400, { error: "Missing code" });
-          return;
-        }
-
-        if (pendingPairs.has(code)) {
-          sendJson(res, 409, { error: "Code already registered" });
-          return;
-        }
+        const { code, expiryMs } = JSON.parse(body) as { code: string; expiryMs: number };
+        if (!code) { sendJson(res, 400, { error: "Missing code" }); return; }
+        if (pendingPairs.has(code)) { sendJson(res, 409, { error: "Code already registered" }); return; }
 
         const result = await new Promise<{ paired: boolean }>((resolve) => {
           const timer = setTimeout(() => {
@@ -232,8 +204,6 @@ export async function startHttpTransport(
           }, expiryMs ?? 5 * 60 * 1000);
 
           pendingPairs.set(code, { resolve, timer });
-
-          // Clean up if the CLI disconnects early
           req.on("close", () => {
             if (pendingPairs.has(code)) {
               clearTimeout(timer);
@@ -243,33 +213,163 @@ export async function startHttpTransport(
         });
 
         sendJson(res, 200, result);
-      } catch {
-        sendJson(res, 400, { error: "Invalid JSON" });
-      }
+      } catch { sendJson(res, 400, { error: "Invalid JSON" }); }
       return;
     }
 
-    // Public pair endpoint — no auth required, PWA posts OTP code here
-    if (req.method === "POST" && pathname === "/pair") {
+    // ── GET /notify — send push notification via NATS ──────────────────
+
+    if (req.method === "GET" && pathname === "/notify") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
+      if (!nc) { sendJson(res, 503, { error: "NATS not connected — push notifications require server mode" }); return; }
+
       try {
-        const body = await readBody(req);
-        const { code, label } = JSON.parse(body) as {
-          code: string;
-          label?: string;
-        };
+        const title = url.searchParams.get("title");
+        const notifBody = url.searchParams.get("body");
+        if (!title || !notifBody) { sendJson(res, 400, { error: "title and body query params are required" }); return; }
+
+        const sc = StringCodec();
+        const payload = { hostId: config.hostId, title, body: notifBody };
+        const subject = `host.${config.hostId}.push.send`;
+        const reply = await nc.request(subject, sc.encode(JSON.stringify(payload)), { timeout: 15_000 });
+        const result = JSON.parse(sc.decode(reply.data)) as { ok?: boolean; error?: string };
+
+        if (result.ok) {
+          sendJson(res, 200, { ok: true });
+        } else {
+          sendJson(res, 502, { error: result.error ?? "Push notification failed" });
+        }
+      } catch (err) {
+        sendJson(res, 500, { error: `Failed to send notification: ${err}` });
+      }
+      return;
+    }
 
-        if (!code) {
-          sendJson(res, 400, { error: "Missing code" });
+    // ── GET /request-input — held connection until user responds ────────
+
+    if (req.method === "GET" && pathname === "/request-input") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
+      try {
+        const taskId = url.searchParams.get("taskId");
+        const runId = url.searchParams.get("runId");
+        const descriptions = url.searchParams.getAll("descriptions");
+        if (!taskId || !descriptions.length) {
+          sendJson(res, 400, { error: "taskId and descriptions query params are required" });
           return;
         }
 
-        const pending = pendingPairs.get(code);
-        if (!pending) {
-          sendJson(res, 401, { error: "Invalid code" });
+        const taskDir = getTaskDir(config.projectRoot, taskId);
+        const task = parseTaskFile(taskDir);
+
+        await publishEvent(taskId, {
+          event_type: "input-request",
+          host_id: config.hostId,
+          input_descriptions: descriptions,
+          name: task.frontmatter.name,
+        });
+
+        const response = await registerPending(taskId, "input", descriptions);
+
+        if (response.length === 1 && response[0] === "aborted") {
+          await publishEvent(taskId, { event_type: "input-resolved", host_id: config.hostId, status: "aborted" });
+          if (runId) {
+            appendRunMessage(taskDir, runId, { role: "user", time: Date.now(), content: "Input request aborted.", type: "input" });
+          }
+          sendJson(res, 200, { aborted: true });
+        } else {
+          await publishEvent(taskId, { event_type: "input-resolved", host_id: config.hostId, status: "provided" });
+          if (runId) {
+            const lines = descriptions.map((desc, i) => `**${desc}** ${response[i]}`);
+            appendRunMessage(taskDir, runId, { role: "user", time: Date.now(), content: lines.join("\n"), type: "input" });
+          }
+          sendJson(res, 200, { values: response });
+        }
+      } catch (err) {
+        sendJson(res, 500, { error: String(err) });
+      }
+      return;
+    }
+
+    // ── GET /request-confirmation — held connection ─────────────────────
+
+    if (req.method === "GET" && pathname === "/request-confirmation") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
+      try {
+        const taskId = url.searchParams.get("taskId");
+        if (!taskId) { sendJson(res, 400, { error: "taskId query param is required" }); return; }
+
+        await publishEvent(taskId, {
+          event_type: "confirm-request",
+          host_id: config.hostId,
+        });
+
+        const response = await registerPending(taskId, "confirmation");
+        const confirmed = response[0] === "confirmed";
+
+        await publishEvent(taskId, {
+          event_type: "confirm-resolved",
+          host_id: config.hostId,
+          status: confirmed ? "confirmed" : "aborted",
+        });
+
+        sendJson(res, 200, { confirmed });
+      } catch (err) {
+        sendJson(res, 500, { error: String(err) });
+      }
+      return;
+    }
+
+    // ── GET /request-permission — held connection ───────────────────────
+
+    if (req.method === "GET" && pathname === "/request-permission") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
+      try {
+        const taskId = url.searchParams.get("taskId");
+        const taskName = url.searchParams.get("taskName");
+        const permissionsRaw = url.searchParams.get("permissions");
+        let permissions: RequiredPermission[] = [];
+        if (permissionsRaw) {
+          try { permissions = JSON.parse(permissionsRaw) as RequiredPermission[]; } catch { /* ignore */ }
+        }
+        if (!taskId || !permissions.length) {
+          sendJson(res, 400, { error: "taskId and permissions query params are required" });
           return;
         }
 
-        // Create session and build response
+        await publishEvent(taskId, {
+          event_type: "permission-request",
+          host_id: config.hostId,
+          required_permissions: permissions,
+          name: taskName,
+        });
+
+        const response = await registerPending(taskId, "permission", permissions);
+        const status = response[0] as "granted" | "granted_all" | "aborted";
+
+        await publishEvent(taskId, {
+          event_type: "permission-resolved",
+          host_id: config.hostId,
+          status,
+        });
+
+        sendJson(res, 200, { response: status });
+      } catch (err) {
+        sendJson(res, 500, { error: String(err) });
+      }
+      return;
+    }
+
+    // ── Public pair endpoint — no auth, PWA posts OTP code here ────────
+
+    if (req.method === "POST" && pathname === "/pair") {
+      try {
+        const body = await readBody(req);
+        const { code, label } = JSON.parse(body) as { code: string; label?: string };
+        if (!code) { sendJson(res, 400, { error: "Missing code" }); return; }
+
+        const pending = pendingPairs.get(code);
+        if (!pending) { sendJson(res, 401, { error: "Invalid code" }); return; }
+
         const session = addSession(label);
         const ip = detectLanIp();
         const response: Record<string, unknown> = {
@@ -278,34 +378,42 @@ export async function startHttpTransport(
           directUrl: `http://${ip}:${port}`,
         };
 
-        // Resolve the long-poll and clean up
         clearTimeout(pending.timer);
         pendingPairs.delete(code);
         pending.resolve({ paired: true });
 
         sendJson(res, 200, response);
-      } catch {
-        sendJson(res, 400, { error: "Invalid JSON" });
-      }
+      } catch { sendJson(res, 400, { error: "Invalid JSON" }); }
       return;
     }
 
-    // Serve cached PWA assets for non-API routes (no auth required)
+    // ── PWA assets (on-the-fly, cached) ────────────────────────────────
+
+    // Skip service worker and manifest — they require HTTPS which LAN mode doesn't use
+    const SKIP = new Set(["/registerSW.js", "/service-worker.js", "/manifest.webmanifest"]);
+
     const isApiRoute = pathname === "/events" || pathname.startsWith("/rpc/");
     if (!isApiRoute) {
-      // SPA fallback: serve index.html for unrecognized paths
-      const asset = pwaAssets.get(pathname) ?? (pathname !== "/" ? pwaAssets.get("/") : undefined);
+      if (SKIP.has(pathname)) { sendJson(res, 404, { error: "Not found" }); return; }
+
+      // Try exact path, then fall back to index.html (SPA routing)
+      let asset = await getAsset(pathname);
+      if (!asset && pathname !== "/") {
+        asset = await getAsset("/");
+      }
+
       if (asset) {
         res.writeHead(200, { "Content-Type": asset.contentType });
         res.end(asset.data);
       } else {
-        sendJson(res, 404, { error: "Not found" });
+        sendJson(res, 502, { error: "Failed to fetch PWA assets" });
       }
       return;
     }
 
-    // API endpoints require auth
-    if (!checkAuth(req)) {
+    // ── API endpoints require auth (localhost is trusted) ───────────────
+
+    if (!isLocalhost(req) && !checkAuth(req)) {
       sendJson(res, 401, { error: "Unauthorized" });
       return;
     }
@@ -319,7 +427,6 @@ export async function startHttpTransport(
       });
       res.write(":ok\n\n");
 
-      // Send heartbeat every 5 seconds
       const heartbeat = setInterval(() => {
         res.write("data: {\"heartbeat\":true}\n\n");
       }, 5000);
@@ -335,10 +442,7 @@ export async function startHttpTransport(
     // RPC endpoint: POST /rpc/<method>
     if (req.method === "POST" && pathname.startsWith("/rpc/")) {
       const method = pathname.slice("/rpc/".length);
-      if (!method) {
-        sendJson(res, 400, { error: "Missing RPC method" });
-        return;
-      }
+      if (!method) { sendJson(res, 400, { error: "Missing RPC method" }); return; }
 
       let params: Record<string, unknown> = {};
       try {
@@ -346,16 +450,13 @@ export async function startHttpTransport(
         if (body.trim().length > 0) {
           params = JSON.parse(body);
         }
-      } catch {
-        sendJson(res, 400, { error: "Invalid JSON" });
-        return;
-      }
+      } catch { sendJson(res, 400, { error: "Invalid JSON" }); return; }
 
       const sessionToken = extractSessionToken(req);
       console.log(`[http] RPC: ${method}`);
 
       try {
-        const response = await handleRpc({ method, params, sessionToken });
+        const response = await handleRpc({ method, params, sessionToken, localhost: isLocalhost(req) });
         console.log(`[http] RPC done: ${method}`, JSON.stringify(response).slice(0, 200));
         sendJson(res, 200, response);
       } catch (err) {
@@ -369,11 +470,10 @@ export async function startHttpTransport(
   });
 
   return new Promise<void>((resolve, reject) => {
-    server.listen(port, () => {
-      console.log(`[http] Listening on port ${port}`);
+    server.listen(port, bindAddress, () => {
+      console.log(`[http] Listening on ${bindAddress}:${port}`);
       onReady?.();
 
-      // Graceful shutdown
       const shutdown = () => {
         console.log("[http] Shutting down...");
         for (const client of sseClients) {

package/src/types.ts

@@ -8,6 +8,11 @@ export interface HostConfig {
 
   // Detected agent CLIs
   agents?: Array<{ key: string; label: string }>;
+
+  // HTTP server port (default 7400)
+  httpPort?: number;
+  // Whether to accept non-localhost HTTP connections
+  lanEnabled?: boolean;
 }
 
 export interface TaskFrontmatter {
@@ -33,8 +38,6 @@ export interface ParsedTask {
 }
 
 /**
- * State machine: started → (pending_confirmation | pending_permission | pending_input) → finished | aborted | failed
- *
  * - `started`: task is actively running
  * - `finished`: agent completed successfully
  * - `aborted`: user declined confirmation, permission, or input
@@ -43,26 +46,15 @@ export interface ParsedTask {
 export type TaskRunningState = "started" | "finished" | "aborted" | "failed";
 
 /**
- * Persisted to `status.json` in the task directory. Updated by the run process
- * and read by the RPC handler + PWA to track live task state.
- *
- * Interactive request flow: the run process sets a `pending_*` field and waits
- * for `user_input` to be populated by an RPC call (task.user_input). Only one
- * `pending_*` field is set at a time.
+ * Persisted to `status.json` in the task directory. Used for crash detection
+ * (checkStaleTasks) and abort signalling. Interactive request flows (confirmation,
+ * permission, input) are handled via held HTTP connections on the serve daemon.
  */
 export interface TaskStatus {
   running_state: TaskRunningState;
   time_stamp: number;
   /** PID of the palmier run process (used on Windows to kill the process tree). */
   pid?: number;
-  /** Set when the task has `requires_confirmation` and is awaiting user approval. */
-  pending_confirmation?: boolean;
-  /** Set when the agent requests permissions not yet granted. Contains the permissions needed. */
-  pending_permission?: RequiredPermission[];
-  /** Set when the agent requests user input. Contains descriptions of each requested value. */
-  pending_input?: string[];
-  /** Written by the RPC handler to deliver the user's response to the waiting run process. */
-  user_input?: string[];
 }
 
 export interface HistoryEntry {
@@ -87,4 +79,6 @@ export interface RpcMessage {
   method: string;
   params: Record<string, unknown>;
   sessionToken?: string;
+  /** Trusted localhost request — skip session validation. */
+  localhost?: boolean;
 }

package/test/agent-output-parsing.test.ts

@@ -1,6 +1,6 @@
 import { describe, it } from "node:test";
 import assert from "node:assert/strict";
-import { parseTaskOutcome, parseReportFiles, parsePermissions, parseInputRequests } from "../src/commands/run.js";
+import { parseTaskOutcome, parseReportFiles, parsePermissions } from "../src/commands/run.js";
 
 describe("parseTaskOutcome", () => {
   it("returns 'finished' for success marker", () => {
@@ -59,16 +59,3 @@ describe("parsePermissions", () => {
   });
 });
 
-describe("parseInputRequests", () => {
-  it("extracts input descriptions", () => {
-    const output = "[PALMIER_INPUT] What is the API key?\n[PALMIER_INPUT] Database connection string?";
-    assert.deepEqual(parseInputRequests(output), [
-      "What is the API key?",
-      "Database connection string?",
-    ]);
-  });
-
-  it("returns empty array when no inputs", () => {
-    assert.deepEqual(parseInputRequests("no inputs"), []);
-  });
-});

package/dist/commands/lan.d.ts

@@ -1,8 +0,0 @@
-/**
- * Start an on-demand LAN server for direct HTTP connections.
- * Generates a pairing code and displays it — no separate `palmier pair` needed.
- */
-export declare function lanCommand(opts: {
-    port: number;
-}): Promise<void>;
-//# sourceMappingURL=lan.d.ts.map