npm - quoroom - Versions diffs - 0.1.8 → 0.1.9 - Mend

quoroom 0.1.8 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/out/mcp/api-server.js CHANGED Viewed

@@ -9382,7 +9382,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "quoroom",
-      version: "0.1.8",
+      version: "0.1.9",
       description: "Autonomous AI agent collective engine \u2014 Queen, Workers, Quorum",
       main: "./out/mcp/server.js",
       bin: {
@@ -9405,7 +9405,11 @@ var require_package = __commonJS({
         "build:mcp": "node scripts/build-mcp.js",
         "build:ui": "vite build --config src/ui/vite.config.ts",
         dev: `sh -c 'trap "kill 0" INT TERM EXIT; npm run dev:room & npm run dev:cloud & wait'`,
-        "dev:room": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+        "dev:room": "QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1 npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700",
+        "dev:room:isolated": "QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1 npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700",
+        "dev:room:shared": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+        "doctor:split": "node scripts/doctor-split.js",
+        "dev:isolated": `sh -c 'trap "kill 0" INT TERM EXIT; npm run dev:room:isolated & npm run dev:cloud & wait'`,
         "dev:cloud": "cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai' npm start",
         "dev:ui": "vite --config src/ui/vite.config.ts",
         "seed:style-demo": "node scripts/seed-style-demo.js",
@@ -10453,9 +10457,6 @@ function getCloudAllowedOrigins() {
   const origins = configured.length > 0 ? configured : DEFAULT_CLOUD_ALLOWED_ORIGINS;
   return new Set(origins.map(normalizeOrigin).filter(Boolean));
 }
-function getCloudUserToken() {
-  return (process.env.QUOROOM_CLOUD_USER_TOKEN || "").trim();
-}
 function getCloudJwtSecret() {
   return (process.env.QUOROOM_CLOUD_JWT_SECRET || "").trim();
 }
@@ -10554,9 +10555,9 @@ function generateToken(dataDir) {
       return agentToken;
     }
   }
-  agentToken = dataDir ? readLegacyAgentToken(dataDir) ?? import_node_crypto.default.randomBytes(32).toString("hex") : import_node_crypto.default.randomBytes(32).toString("hex");
+  agentToken = dataDir && !isCloudDeployment() ? readLegacyAgentToken(dataDir) ?? import_node_crypto.default.randomBytes(32).toString("hex") : import_node_crypto.default.randomBytes(32).toString("hex");
   userToken = import_node_crypto.default.randomBytes(32).toString("hex");
-  if (dataDir) writePersistedTokens(dataDir, agentToken, userToken);
+  if (dataDir && !isCloudDeployment()) writePersistedTokens(dataDir, agentToken, userToken);
   return agentToken;
 }
 function getUserToken() {
@@ -10572,10 +10573,10 @@ function validateToken(authHeader) {
     const cloudRole = validateCloudJwt(provided);
     if (cloudRole) return cloudRole;
   }
-  if (isCloudDeployment() && tokenEquals(getCloudUserToken(), provided)) return "user";
   return null;
 }
 function writeTokenFile(dataDir, token, port) {
+  if (isCloudDeployment()) return;
   (0, import_node_fs.mkdirSync)(dataDir, { recursive: true });
   (0, import_node_fs.writeFileSync)((0, import_node_path.join)(dataDir, "api.token"), token, { mode: 384 });
   (0, import_node_fs.writeFileSync)((0, import_node_path.join)(dataDir, "api.port"), String(port));
@@ -26227,12 +26228,12 @@ function registerStatusRoutes(router) {
     const ollama = await checkOllama();
     const resources = getResources();
     const deploymentMode = getDeploymentMode();
+    const isCloud = deploymentMode === "cloud";
     return {
       data: {
         version: getVersion3(),
         uptime: Math.floor((Date.now() - startedAt) / 1e3),
-        dataDir,
-        dbPath,
+        ...!isCloud && { dataDir, dbPath },
         claude,
         codex,
         ollama,
@@ -27745,6 +27746,39 @@ function serveStatic(staticDir, pathname, res) {
     res.end("Not Found");
   }
 }
+var RATE_LIMIT_WINDOW_MS = 6e4;
+var RATE_LIMIT_READ = 300;
+var RATE_LIMIT_WRITE = 120;
+var rateBuckets = /* @__PURE__ */ new Map();
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, bucket] of rateBuckets) {
+    if (now >= bucket.resetAt) rateBuckets.delete(key);
+  }
+}, 12e4).unref();
+function checkRateLimit2(ip, method) {
+  const isWrite = method !== "GET" && method !== "HEAD" && method !== "OPTIONS";
+  const limit = isWrite ? RATE_LIMIT_WRITE : RATE_LIMIT_READ;
+  const key = `${ip}:${isWrite ? "w" : "r"}`;
+  const now = Date.now();
+  let bucket = rateBuckets.get(key);
+  if (!bucket || now >= bucket.resetAt) {
+    bucket = { count: 0, resetAt: now + RATE_LIMIT_WINDOW_MS };
+    rateBuckets.set(key, bucket);
+  }
+  bucket.count++;
+  if (bucket.count > limit) {
+    const retryAfter = Math.ceil((bucket.resetAt - now) / 1e3);
+    return { allowed: false, retryAfter };
+  }
+  return { allowed: true, retryAfter: 0 };
+}
+var CLOUD_SECURITY_HEADERS = {
+  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+  "X-Content-Type-Options": "nosniff",
+  "X-Frame-Options": "DENY",
+  "Referrer-Policy": "strict-origin-when-cross-origin"
+};
 function createApiServer(options = {}) {
   const db2 = options.db ?? getServerDatabase();
   const port = options.port ?? DEFAULT_PORT;
@@ -27769,7 +27803,20 @@ function createApiServer(options = {}) {
     const responseHeaders = {
       "Content-Type": "application/json"
     };
+    if (isCloudDeployment()) {
+      Object.assign(responseHeaders, CLOUD_SECURITY_HEADERS);
+    }
     setCorsHeaders(origin, responseHeaders);
+    if (isCloudDeployment() && pathname.startsWith("/api/")) {
+      const clientIp = req.socket.remoteAddress || "unknown";
+      const rl = checkRateLimit2(clientIp, req.method || "GET");
+      if (!rl.allowed) {
+        responseHeaders["Retry-After"] = String(rl.retryAfter);
+        res.writeHead(429, responseHeaders);
+        res.end(JSON.stringify({ error: "Too many requests" }));
+        return;
+      }
+    }
     const isSameOrigin = origin && req.headers.host && (() => {
       try {
         return new import_node_url.URL(origin).host === req.headers.host;

package/out/mcp/cli.js CHANGED Viewed

@@ -49800,7 +49800,7 @@ var server_exports = {};
 async function main() {
   const server = new McpServer({
     name: "quoroom",
-    version: true ? "0.1.8" : "0.0.0"
+    version: true ? "0.1.9" : "0.0.0"
   });
   registerMemoryTools(server);
   registerSchedulerTools(server);
@@ -49934,9 +49934,6 @@ function getCloudAllowedOrigins() {
   const origins = configured.length > 0 ? configured : DEFAULT_CLOUD_ALLOWED_ORIGINS;
   return new Set(origins.map(normalizeOrigin).filter(Boolean));
 }
-function getCloudUserToken() {
-  return (process.env.QUOROOM_CLOUD_USER_TOKEN || "").trim();
-}
 function getCloudJwtSecret() {
   return (process.env.QUOROOM_CLOUD_JWT_SECRET || "").trim();
 }
@@ -50035,9 +50032,9 @@ function generateToken(dataDir) {
       return agentToken;
     }
   }
-  agentToken = dataDir ? readLegacyAgentToken(dataDir) ?? import_node_crypto2.default.randomBytes(32).toString("hex") : import_node_crypto2.default.randomBytes(32).toString("hex");
+  agentToken = dataDir && !isCloudDeployment() ? readLegacyAgentToken(dataDir) ?? import_node_crypto2.default.randomBytes(32).toString("hex") : import_node_crypto2.default.randomBytes(32).toString("hex");
   userToken = import_node_crypto2.default.randomBytes(32).toString("hex");
-  if (dataDir) writePersistedTokens(dataDir, agentToken, userToken);
+  if (dataDir && !isCloudDeployment()) writePersistedTokens(dataDir, agentToken, userToken);
   return agentToken;
 }
 function getUserToken() {
@@ -50053,10 +50050,10 @@ function validateToken(authHeader) {
     const cloudRole = validateCloudJwt(provided);
     if (cloudRole) return cloudRole;
   }
-  if (isCloudDeployment() && tokenEquals(getCloudUserToken(), provided)) return "user";
   return null;
 }
 function writeTokenFile(dataDir, token, port) {
+  if (isCloudDeployment()) return;
   (0, import_node_fs.mkdirSync)(dataDir, { recursive: true });
   (0, import_node_fs.writeFileSync)((0, import_node_path.join)(dataDir, "api.token"), token, { mode: 384 });
   (0, import_node_fs.writeFileSync)((0, import_node_path.join)(dataDir, "api.port"), String(port));
@@ -50744,7 +50741,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "quoroom",
-      version: "0.1.8",
+      version: "0.1.9",
       description: "Autonomous AI agent collective engine \u2014 Queen, Workers, Quorum",
       main: "./out/mcp/server.js",
       bin: {
@@ -50767,7 +50764,11 @@ var require_package = __commonJS({
         "build:mcp": "node scripts/build-mcp.js",
         "build:ui": "vite build --config src/ui/vite.config.ts",
         dev: `sh -c 'trap "kill 0" INT TERM EXIT; npm run dev:room & npm run dev:cloud & wait'`,
-        "dev:room": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+        "dev:room": "QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1 npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700",
+        "dev:room:isolated": "QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1 npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700",
+        "dev:room:shared": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+        "doctor:split": "node scripts/doctor-split.js",
+        "dev:isolated": `sh -c 'trap "kill 0" INT TERM EXIT; npm run dev:room:isolated & npm run dev:cloud & wait'`,
         "dev:cloud": "cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai' npm start",
         "dev:ui": "vite --config src/ui/vite.config.ts",
         "seed:style-demo": "node scripts/seed-style-demo.js",
@@ -52713,12 +52714,12 @@ function registerStatusRoutes(router) {
     const ollama = await checkOllama();
     const resources = getResources();
     const deploymentMode = getDeploymentMode();
+    const isCloud = deploymentMode === "cloud";
     return {
       data: {
         version: getVersion3(),
         uptime: Math.floor((Date.now() - startedAt) / 1e3),
-        dataDir,
-        dbPath,
+        ...!isCloud && { dataDir, dbPath },
         claude,
         codex,
         ollama,
@@ -57952,6 +57953,23 @@ function serveStatic(staticDir, pathname, res) {
     res.end("Not Found");
   }
 }
+function checkRateLimit2(ip, method) {
+  const isWrite = method !== "GET" && method !== "HEAD" && method !== "OPTIONS";
+  const limit = isWrite ? RATE_LIMIT_WRITE : RATE_LIMIT_READ;
+  const key = `${ip}:${isWrite ? "w" : "r"}`;
+  const now = Date.now();
+  let bucket = rateBuckets.get(key);
+  if (!bucket || now >= bucket.resetAt) {
+    bucket = { count: 0, resetAt: now + RATE_LIMIT_WINDOW_MS };
+    rateBuckets.set(key, bucket);
+  }
+  bucket.count++;
+  if (bucket.count > limit) {
+    const retryAfter = Math.ceil((bucket.resetAt - now) / 1e3);
+    return { allowed: false, retryAfter };
+  }
+  return { allowed: true, retryAfter: 0 };
+}
 function createApiServer(options = {}) {
   const db3 = options.db ?? getServerDatabase();
   const port = options.port ?? DEFAULT_PORT;
@@ -57976,7 +57994,20 @@ function createApiServer(options = {}) {
     const responseHeaders = {
       "Content-Type": "application/json"
     };
+    if (isCloudDeployment()) {
+      Object.assign(responseHeaders, CLOUD_SECURITY_HEADERS);
+    }
     setCorsHeaders(origin, responseHeaders);
+    if (isCloudDeployment() && pathname.startsWith("/api/")) {
+      const clientIp = req.socket.remoteAddress || "unknown";
+      const rl = checkRateLimit2(clientIp, req.method || "GET");
+      if (!rl.allowed) {
+        responseHeaders["Retry-After"] = String(rl.retryAfter);
+        res.writeHead(429, responseHeaders);
+        res.end(JSON.stringify({ error: "Too many requests" }));
+        return;
+      }
+    }
     const isSameOrigin = origin && req.headers.host && (() => {
       try {
         return new import_node_url.URL(origin).host === req.headers.host;
@@ -58210,7 +58241,7 @@ function startServer(options = {}) {
     process.exit(0);
   });
 }
-var import_node_http, import_node_https2, import_node_url, import_node_fs3, import_node_path4, import_node_os5, import_node_child_process6, DEFAULT_PORT, DEFAULT_BIND_HOST_LOCAL, DEFAULT_BIND_HOST_CLOUD, MIME_TYPES;
+var import_node_http, import_node_https2, import_node_url, import_node_fs3, import_node_path4, import_node_os5, import_node_child_process6, DEFAULT_PORT, DEFAULT_BIND_HOST_LOCAL, DEFAULT_BIND_HOST_CLOUD, MIME_TYPES, RATE_LIMIT_WINDOW_MS, RATE_LIMIT_READ, RATE_LIMIT_WRITE, rateBuckets, CLOUD_SECURITY_HEADERS;
 var init_server4 = __esm({
   "src/server/index.ts"() {
     "use strict";
@@ -58254,6 +58285,22 @@ var init_server4 = __esm({
       ".webp": "image/webp",
       ".webmanifest": "application/manifest+json"
     };
+    RATE_LIMIT_WINDOW_MS = 6e4;
+    RATE_LIMIT_READ = 300;
+    RATE_LIMIT_WRITE = 120;
+    rateBuckets = /* @__PURE__ */ new Map();
+    setInterval(() => {
+      const now = Date.now();
+      for (const [key, bucket] of rateBuckets) {
+        if (now >= bucket.resetAt) rateBuckets.delete(key);
+      }
+    }, 12e4).unref();
+    CLOUD_SECURITY_HEADERS = {
+      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+      "X-Content-Type-Options": "nosniff",
+      "X-Frame-Options": "DENY",
+      "Referrer-Policy": "strict-origin-when-cross-origin"
+    };
   }
 });

package/out/mcp/server.js CHANGED Viewed

@@ -47101,7 +47101,7 @@ function registerResourceTools(server) {
 async function main() {
   const server = new McpServer({
     name: "quoroom",
-    version: true ? "0.1.8" : "0.0.0"
+    version: true ? "0.1.9" : "0.0.0"
   });
   registerMemoryTools(server);
   registerSchedulerTools(server);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "quoroom",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Autonomous AI agent collective engine — Queen, Workers, Quorum",
   "main": "./out/mcp/server.js",
   "bin": {
@@ -23,7 +23,11 @@
     "build:mcp": "node scripts/build-mcp.js",
     "build:ui": "vite build --config src/ui/vite.config.ts",
     "dev": "sh -c 'trap \"kill 0\" INT TERM EXIT; npm run dev:room & npm run dev:cloud & wait'",
-    "dev:room": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+    "dev:room": "QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1 npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700",
+    "dev:room:isolated": "QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1 npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700",
+    "dev:room:shared": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+    "doctor:split": "node scripts/doctor-split.js",
+    "dev:isolated": "sh -c 'trap \"kill 0\" INT TERM EXIT; npm run dev:room:isolated & npm run dev:cloud & wait'",
     "dev:cloud": "cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai' npm start",
     "dev:ui": "vite --config src/ui/vite.config.ts",
     "seed:style-demo": "node scripts/seed-style-demo.js",