remote-codex 0.11.2 → 0.11.4

package/packages/db/src/schema.ts

@@ -1,4 +1,4 @@
-import { integer, sqliteTable, text, uniqueIndex } from 'drizzle-orm/sqlite-core';
+import { integer, real, sqliteTable, text, uniqueIndex } from 'drizzle-orm/sqlite-core';
 
 export const hosts = sqliteTable('hosts', {
   id: text('id').primaryKey(),
@@ -176,3 +176,307 @@ export const policies = sqliteTable('policies', {
   createdAt: text('created_at').notNull(),
   updatedAt: text('updated_at').notNull()
 });
+
+export const controlUsers = sqliteTable(
+  'control_users',
+  {
+    id: text('id').primaryKey(),
+    authProvider: text('auth_provider').notNull(),
+    authSubject: text('auth_subject').notNull(),
+    email: text('email').notNull(),
+    displayName: text('display_name'),
+    status: text('status').notNull().default('active'),
+    plan: text('plan').notNull().default('developer'),
+    billingCustomerId: text('billing_customer_id'),
+    quotaProfile: text('quota_profile').notNull().default('developer'),
+    createdAt: text('created_at').notNull(),
+    updatedAt: text('updated_at').notNull(),
+    lastSeenAt: text('last_seen_at'),
+  },
+  (table) => ({
+    authSubjectUnique: uniqueIndex('control_users_auth_subject_idx').on(
+      table.authProvider,
+      table.authSubject,
+    ),
+  }),
+);
+
+export const controlAuthIdentities = sqliteTable(
+  'control_auth_identities',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    authProvider: text('auth_provider').notNull(),
+    authSubject: text('auth_subject').notNull(),
+    email: text('email'),
+    displayName: text('display_name'),
+    createdAt: text('created_at').notNull(),
+    updatedAt: text('updated_at').notNull(),
+  },
+  (table) => ({
+    authSubjectUnique: uniqueIndex('control_auth_identities_subject_idx').on(
+      table.authProvider,
+      table.authSubject,
+    ),
+  }),
+);
+
+export const controlPasswordCredentials = sqliteTable(
+  'control_password_credentials',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    email: text('email').notNull(),
+    passwordHash: text('password_hash').notNull(),
+    createdAt: text('created_at').notNull(),
+    updatedAt: text('updated_at').notNull(),
+    lastUsedAt: text('last_used_at'),
+  },
+  (table) => ({
+    emailUnique: uniqueIndex('control_password_credentials_email_idx').on(table.email),
+    userUnique: uniqueIndex('control_password_credentials_user_idx').on(table.userId),
+  }),
+);
+
+export const controlProjects = sqliteTable('control_projects', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull(),
+  name: text('name').notNull(),
+  slug: text('slug').notNull(),
+  status: text('status').notNull().default('active'),
+  createdAt: text('created_at').notNull(),
+  updatedAt: text('updated_at').notNull(),
+});
+
+export const controlSandboxes = sqliteTable('control_sandboxes', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull().unique(),
+  state: text('state').notNull(),
+  image: text('image').notNull(),
+  region: text('region').notNull(),
+  resourceProfile: text('resource_profile').notNull().default('standard'),
+  k8sNamespace: text('k8s_namespace'),
+  k8sPodName: text('k8s_pod_name'),
+  routerBaseUrl: text('router_base_url'),
+  workerServiceName: text('worker_service_name'),
+  s3Prefix: text('s3_prefix').notNull(),
+  gatewayKeyId: text('gateway_key_id'),
+  lastStartedAt: text('last_started_at'),
+  lastSeenAt: text('last_seen_at'),
+  idleTimeoutAt: text('idle_timeout_at'),
+  statusReason: text('status_reason'),
+  startupProgress: integer('startup_progress').notNull().default(0),
+  lastFailureCode: text('last_failure_code'),
+  lastFailureMessage: text('last_failure_message'),
+  createdAt: text('created_at').notNull(),
+  updatedAt: text('updated_at').notNull(),
+});
+
+export const controlWorkspaces = sqliteTable(
+  'control_workspaces',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    projectId: text('project_id'),
+    sandboxId: text('sandbox_id').notNull(),
+    name: text('name').notNull(),
+    slug: text('slug').notNull(),
+    status: text('status').notNull().default('active'),
+    path: text('path').notNull(),
+    sourceType: text('source_type').notNull(),
+    gitUrl: text('git_url'),
+    defaultBranch: text('default_branch'),
+    createdAt: text('created_at').notNull(),
+    updatedAt: text('updated_at').notNull(),
+  },
+  (table) => ({
+    sandboxSlugUnique: uniqueIndex('control_workspaces_sandbox_slug_idx').on(
+      table.sandboxId,
+      table.slug,
+    ),
+  }),
+);
+
+export const controlSessions = sqliteTable('control_sessions', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull(),
+  sandboxId: text('sandbox_id').notNull(),
+  workspaceId: text('workspace_id').notNull(),
+  provider: text('provider').notNull(),
+  workerSessionId: text('worker_session_id'),
+  title: text('title').notNull(),
+  status: text('status').notNull(),
+  lastActivityAt: text('last_activity_at'),
+  createdAt: text('created_at').notNull(),
+  updatedAt: text('updated_at').notNull(),
+});
+
+export const controlGatewayUsers = sqliteTable(
+  'control_gateway_users',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    provider: text('provider').notNull(),
+    externalUserId: text('external_user_id').notNull(),
+    createdAt: text('created_at').notNull(),
+  },
+  (table) => ({
+    userProviderUnique: uniqueIndex('control_gateway_users_user_provider_idx').on(
+      table.userId,
+      table.provider,
+    ),
+    providerExternalUnique: uniqueIndex('control_gateway_users_provider_external_idx').on(
+      table.provider,
+      table.externalUserId,
+    ),
+  }),
+);
+
+export const controlGatewayKeys = sqliteTable(
+  'control_gateway_keys',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    sandboxId: text('sandbox_id').notNull(),
+    provider: text('provider').notNull(),
+    externalKeyId: text('external_key_id').notNull(),
+    keyCiphertext: text('key_ciphertext'),
+    status: text('status').notNull(),
+    createdAt: text('created_at').notNull(),
+    rotatedAt: text('rotated_at'),
+    revokedAt: text('revoked_at'),
+  },
+  (table) => ({
+    sandboxProviderUnique: uniqueIndex('control_gateway_keys_sandbox_provider_idx').on(
+      table.sandboxId,
+      table.provider,
+    ),
+    providerExternalUnique: uniqueIndex('control_gateway_keys_provider_external_idx').on(
+      table.provider,
+      table.externalKeyId,
+    ),
+  }),
+);
+
+export const controlHarnessUsers = sqliteTable(
+  'control_harness_users',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    provider: text('provider').notNull(),
+    externalUserId: text('external_user_id').notNull(),
+    createdAt: text('created_at').notNull(),
+  },
+  (table) => ({
+    userProviderUnique: uniqueIndex('control_harness_users_user_provider_idx').on(
+      table.userId,
+      table.provider,
+    ),
+    providerExternalUnique: uniqueIndex('control_harness_users_provider_external_idx').on(
+      table.provider,
+      table.externalUserId,
+    ),
+  }),
+);
+
+export const controlHarnessKeys = sqliteTable(
+  'control_harness_keys',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    sandboxId: text('sandbox_id').notNull(),
+    provider: text('provider').notNull(),
+    externalKeyId: text('external_key_id').notNull(),
+    keyCiphertext: text('key_ciphertext'),
+    secretName: text('secret_name'),
+    secretKey: text('secret_key'),
+    status: text('status').notNull(),
+    createdAt: text('created_at').notNull(),
+    rotatedAt: text('rotated_at'),
+    revokedAt: text('revoked_at'),
+  },
+  (table) => ({
+    sandboxProviderUnique: uniqueIndex('control_harness_keys_sandbox_provider_idx').on(
+      table.sandboxId,
+      table.provider,
+    ),
+    providerExternalUnique: uniqueIndex('control_harness_keys_provider_external_idx').on(
+      table.provider,
+      table.externalKeyId,
+    ),
+  }),
+);
+
+export const controlUsageEvents = sqliteTable('control_usage_events', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull(),
+  sandboxId: text('sandbox_id').notNull(),
+  workspaceId: text('workspace_id'),
+  sessionId: text('session_id'),
+  gatewayKeyId: text('gateway_key_id'),
+  provider: text('provider').notNull(),
+  model: text('model').notNull(),
+  inputTokens: integer('input_tokens').notNull().default(0),
+  outputTokens: integer('output_tokens').notNull().default(0),
+  cachedTokens: integer('cached_tokens').notNull().default(0),
+  costUsd: real('cost_usd').notNull().default(0),
+  externalRequestId: text('external_request_id'),
+  occurredAt: text('occurred_at').notNull(),
+  importedAt: text('imported_at').notNull(),
+});
+
+export const controlHarnessUsageEvents = sqliteTable(
+  'control_harness_usage_events',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id').notNull(),
+    sandboxId: text('sandbox_id').notNull(),
+    workspaceId: text('workspace_id'),
+    sessionId: text('session_id'),
+    provider: text('provider').notNull(),
+    module: text('module').notNull(),
+    tool: text('tool'),
+    runId: text('run_id'),
+    jobId: text('job_id'),
+    externalEventId: text('external_event_id'),
+    computeUnits: real('compute_units').notNull().default(0),
+    costUsd: real('cost_usd').notNull().default(0),
+    status: text('status').notNull().default('unknown'),
+    metadataJson: text('metadata_json').notNull().default('{}'),
+    occurredAt: text('occurred_at').notNull(),
+    importedAt: text('imported_at').notNull(),
+  },
+  (table) => ({
+    providerExternalEventUnique: uniqueIndex('control_harness_usage_provider_event_idx')
+      .on(table.provider, table.externalEventId),
+  }),
+);
+
+export const controlUsageImportState = sqliteTable('control_usage_import_state', {
+  id: text('id').primaryKey(),
+  provider: text('provider').notNull(),
+  source: text('source').notNull(),
+  cursor: text('cursor'),
+  lastStartedAt: text('last_started_at'),
+  lastSucceededAt: text('last_succeeded_at'),
+  lastFailedAt: text('last_failed_at'),
+  lastFailureMessage: text('last_failure_message'),
+  lastSourceCount: integer('last_source_count').notNull().default(0),
+  lastImportedCount: integer('last_imported_count').notNull().default(0),
+  lastDuplicateCount: integer('last_duplicate_count').notNull().default(0),
+  lastFailureCount: integer('last_failure_count').notNull().default(0),
+  updatedAt: text('updated_at').notNull(),
+}, (table) => ({
+  providerSourceIdx: uniqueIndex('control_usage_import_state_provider_source_idx')
+    .on(table.provider, table.source),
+}));
+
+export const controlAuditLogs = sqliteTable('control_audit_logs', {
+  id: text('id').primaryKey(),
+  userId: text('user_id'),
+  action: text('action').notNull(),
+  resourceType: text('resource_type').notNull(),
+  resourceId: text('resource_id'),
+  metadataJson: text('metadata_json').notNull(),
+  createdAt: text('created_at').notNull(),
+});

package/packages/shared/src/index.ts

@@ -16,10 +16,17 @@ export type {
 
 export type ApiErrorCode =
   | 'bad_request'
+  | 'unauthorized'
   | 'not_found'
   | 'conflict'
   | 'provider_goal_error'
   | 'forbidden'
+  | 'unauthorized'
+  | 'invalid_route_token'
+  | 'gateway_unavailable'
+  | 'account_inactive'
+  | 'quota_exceeded'
+  | 'harness_unavailable'
   | 'goal_feature_disabled'
   | 'internal_error'
   | 'service_unavailable';
@@ -53,12 +60,165 @@ export function truncateAutoThreadTitle(value: string) {
 export interface RuntimeConfigDto {
   appName: string;
   appVersion: string;
+  mode: 'local' | 'server' | 'relay';
   host: string;
   port: number;
   workspaceRoot: string;
   environment: string;
 }
 
+export interface AuthSessionDto {
+  authenticated: boolean;
+  username: string | null;
+  expiresAt: string | null;
+  mode: 'local' | 'server' | 'relay';
+  authRequired: boolean;
+}
+
+export interface AuthLoginResultDto {
+  token: string | null;
+  session: AuthSessionDto;
+}
+
+export interface RelayHealthDto {
+  status: 'ok';
+  supervisorConnected: boolean;
+  supervisorConnectedAt: string | null;
+  lastSupervisorHeartbeatAt: string | null;
+  supervisorCount?: number;
+}
+
+export type RelayUserRoleDto = 'admin' | 'user';
+
+export interface RelayUserDto {
+  id: string;
+  email: string;
+  username: string;
+  role: RelayUserRoleDto;
+  enabled: boolean;
+  createdAt: string;
+}
+
+export interface RelayDeviceDto {
+  id: string;
+  ownerUserId: string;
+  name: string;
+  tokenPreview: string;
+  connected: boolean;
+  connectedAt: string | null;
+  lastHeartbeatAt: string | null;
+  createdAt: string;
+}
+
+export interface RelaySessionShareDto {
+  id: string;
+  ownerUserId: string;
+  ownerUsername: string;
+  targetUsername: string;
+  targetUserId: string;
+  deviceId: string;
+  deviceName: string;
+  threadId: string;
+  label: string | null;
+  createdAt: string;
+  revokedAt: string | null;
+}
+
+export interface RelaySessionDto {
+  authenticated: boolean;
+  user: RelayUserDto | null;
+  registrationEnabled: boolean;
+}
+
+export interface RelayLoginResultDto {
+  token: string;
+  session: RelaySessionDto;
+}
+
+export interface RelayRegisterResultDto {
+  token: string;
+  session: RelaySessionDto;
+}
+
+export interface RelayCreateDeviceResultDto {
+  device: RelayDeviceDto;
+  token: string;
+}
+
+export interface RelayPortalSummaryDto {
+  user: RelayUserDto;
+  devices: RelayDeviceDto[];
+  sharedWithMe: RelaySessionShareDto[];
+  sharedByMe: RelaySessionShareDto[];
+}
+
+export interface RelayAdminSummaryDto {
+  users: RelayUserDto[];
+  devices: RelayDeviceDto[];
+  registrationEnabled: boolean;
+}
+
+export type RelaySupervisorEnvelope =
+  | {
+      type: 'relay.connected';
+      timestamp: string;
+      deviceId?: string;
+    }
+  | {
+      type: 'relay.heartbeat';
+      timestamp: string;
+      deviceId?: string;
+    }
+  | {
+      type: 'relay.request';
+      timestamp: string;
+      requestId: string;
+      deviceId?: string;
+      payload: RelayHttpRequestPayload;
+    }
+  | {
+      type: 'relay.response';
+      timestamp: string;
+      requestId: string;
+      deviceId?: string;
+      payload: RelayHttpResponsePayload;
+    }
+  | {
+      type: 'relay.client.connected';
+      timestamp: string;
+      clientId: string;
+    }
+  | {
+      type: 'relay.client.disconnected';
+      timestamp: string;
+      clientId: string;
+    }
+  | {
+      type: 'relay.client.message';
+      timestamp: string;
+      clientId: string;
+      payload: SupervisorSocketClientEnvelope;
+    }
+  | {
+      type: 'relay.server.message';
+      timestamp: string;
+      clientId: string;
+      payload: SupervisorSocketServerEnvelope;
+    };
+
+export interface RelayHttpRequestPayload {
+  method: string;
+  path: string;
+  headers: Record<string, string>;
+  body: string | null;
+}
+
+export interface RelayHttpResponsePayload {
+  statusCode: number;
+  headers: Record<string, string>;
+  body: string;
+}
+
 export interface AgentRuntimeStatusDto {
   state: 'starting' | 'ready' | 'degraded' | 'stopped' | 'failed';
   transport: 'stdio' | 'sdk' | 'none';
@@ -290,6 +450,30 @@ export interface WorkspaceTreeDto {
   nodes: WorkspaceTreeNodeDto[];
 }
 
+export interface WorkspaceFileDto {
+  path: string;
+  absPath: string;
+  kind: 'file' | 'directory';
+  size: number;
+  updatedAt: string;
+}
+
+export interface WriteWorkspaceFileInput {
+  path: string;
+  content: string;
+}
+
+export interface MoveWorkspaceFileInput {
+  fromPath: string;
+  toPath: string;
+  overwrite?: boolean;
+}
+
+export interface DeleteWorkspaceFileInput {
+  path: string;
+  recursive?: boolean;
+}
+
 export interface ThreadWorkspaceTreeNodeDto {
   name: string;
   path: string;
@@ -508,6 +692,7 @@ export interface UpdatePluginInput {
 export interface ImportPluginInput {
   manifest?: unknown;
   manifestJson?: string;
+  manifestUrl?: string;
   enabled?: boolean;
 }
 
@@ -918,6 +1103,7 @@ export interface CreateThreadInput {
   title?: string;
   provider?: AgentBackendIdDto;
   model: string;
+  reasoningEffort?: ReasoningEffortDto | null;
   approvalMode: ApprovalMode;
 }
 

package/packages/shared/src/tokens.ts

@@ -0,0 +1,137 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+
+function base64UrlEncode(value: Buffer | string): string {
+  return Buffer.from(value)
+    .toString('base64')
+    .replaceAll('+', '-')
+    .replaceAll('/', '_')
+    .replaceAll('=', '');
+}
+
+function base64UrlDecode(value: string): Buffer {
+  const normalized = value.replaceAll('-', '+').replaceAll('_', '/');
+  const padding = '='.repeat((4 - (normalized.length % 4)) % 4);
+  return Buffer.from(`${normalized}${padding}`, 'base64');
+}
+
+function sign(input: string, secret: string): string {
+  return base64UrlEncode(createHmac('sha256', secret).update(input).digest());
+}
+
+export interface RouteTokenPayload extends SignedTokenPayload {
+  sandbox_id: string;
+  project_id?: string;
+  workspace_id?: string;
+  session_id?: string;
+  scopes: string[];
+  iat: number;
+  jti: string;
+}
+
+export interface SignedTokenPayload {
+  sub: string;
+  iat?: number;
+  exp: number;
+  jti?: string;
+  [key: string]: unknown;
+}
+
+export interface SigningKey {
+  id: string;
+  secret: string;
+}
+
+export function createSignedToken(
+  payload: SignedTokenPayload,
+  secret: string,
+  options: { kid?: string } = {},
+): string {
+  const header = {
+    alg: 'HS256',
+    typ: 'JWT',
+    ...(options.kid ? { kid: options.kid } : {}),
+  };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  return `${signingInput}.${sign(signingInput, secret)}`;
+}
+
+function decodeHeader(token: string) {
+  const [encodedHeader] = token.split('.');
+  if (!encodedHeader) {
+    throw new Error('Invalid token shape.');
+  }
+  return JSON.parse(base64UrlDecode(encodedHeader).toString('utf8')) as {
+    alg?: string;
+    typ?: string;
+    kid?: string;
+  };
+}
+
+export function verifySignedToken<
+  TPayload extends { sub: string; exp: number } = RouteTokenPayload,
+>(
+  token: string,
+  secret: string,
+  nowSeconds = Math.floor(Date.now() / 1000),
+) {
+  const parts = token.split('.');
+  if (parts.length !== 3 || !parts[0] || !parts[1] || !parts[2]) {
+    throw new Error('Invalid token shape.');
+  }
+
+  const signingInput = `${parts[0]}.${parts[1]}`;
+  const expected = sign(signingInput, secret);
+  const actualBuffer = Buffer.from(parts[2]);
+  const expectedBuffer = Buffer.from(expected);
+  if (
+    actualBuffer.length !== expectedBuffer.length ||
+    !timingSafeEqual(actualBuffer, expectedBuffer)
+  ) {
+    throw new Error('Invalid token signature.');
+  }
+
+  const payload = JSON.parse(base64UrlDecode(parts[1]).toString('utf8')) as TPayload;
+  if (payload.exp <= nowSeconds) {
+    throw new Error('Token expired.');
+  }
+
+  return payload;
+}
+
+export function verifySignedTokenWithKeys<
+  TPayload extends { sub: string; exp: number } = RouteTokenPayload,
+>(
+  token: string,
+  keys: SigningKey[],
+  nowSeconds = Math.floor(Date.now() / 1000),
+) {
+  if (keys.length === 0) {
+    throw new Error('No signing keys configured.');
+  }
+
+  const header = decodeHeader(token);
+  if (header.alg !== 'HS256') {
+    throw new Error('Unsupported token algorithm.');
+  }
+
+  if (header.kid) {
+    const key = keys.find((candidate) => candidate.id === header.kid);
+    if (!key) {
+      throw new Error('Unknown token key id.');
+    }
+    return verifySignedToken<TPayload>(token, key.secret, nowSeconds);
+  }
+
+  let lastError: unknown = null;
+  for (const key of keys) {
+    try {
+      return verifySignedToken<TPayload>(token, key.secret, nowSeconds);
+    } catch (error) {
+      lastError = error;
+    }
+  }
+
+  throw lastError instanceof Error ? lastError : new Error('Invalid token.');
+}