teamcopilot 0.0.1

package/.env.example

@@ -0,0 +1,10 @@
+# Workspace directory (absolute path or relative to project root)
+WORKSPACE_DIR=./my_workspaces
+
+# Server Configuration
+TEAMCOPILOT_HOST=0.0.0.0
+TEAMCOPILOT_PORT=5124
+
+# Opencode Server Configuration
+OPENCODE_PORT=4096
+OPENCODE_MODEL=openai/gpt-5.3-codex

package/LICENSE.md

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020-2026 Rishabh Poddar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md

@@ -0,0 +1,131 @@
+<div align="center">
+  <img src="frontend/public/logo.svg" alt="TeamCopilot Logo" width="220" align="middle" />
+</div>
+
+# TeamCopilot
+TeamCopilot helps technical and non-technical teams become more productive by enabling safe sharing of custom AI agent skills and tools.
+
+## What makes TeamCopilot different
+
+It's like Claude code / OpenAI Codex, except that:
+- Multi-user environment: everyone uses the same agent setup. Configure once, the whole team can use it.
+- Skill & tool permissions: control who can use which skills and tools through the agent. Example: allow only certain people in the team to use a skill for making server config changes.
+- Approval workflow: anyone can create tools/skills, but engineers in the team must approve them before the agent can even see them.
+- Fully auditable: chat sessions can’t be deleted by users and are stored on your server.
+- Use it anywhere: web UI lets you talk to the agent even when you're away from your work machine.
+- You can pick either OpenAI or Anthropic as your AI provider.
+
+## Dashboard View
+
+![TeamCopilot Dashboard](/assets/dashboard.webp)
+
+## Quick Start (npm)
+
+### Prerequisites
+
+- Node.js 20+
+- npm
+- Python 3.10+
+
+### 1) Initialize in the folder you want to use
+
+```bash
+npx teamcopilot init
+```
+
+This writes or updates a local `.env` in the current directory. `WORKSPACE_DIR` defaults to the current directory as an absolute path. You can also provide values up front:
+
+```bash
+npx teamcopilot init \
+  --workspace-dir /absolute/path/to/workspace \
+  --teamcopilot-port 5124 \
+  --opencode-port 4096 \
+  --opencode-model openai/gpt-5.3-codex
+```
+
+### 2) Start the server
+
+```bash
+npx teamcopilot start
+```
+
+Open: **http://localhost:5124**
+
+### 3) Run admin commands from the same directory
+
+```bash
+npx teamcopilot create-user
+npx teamcopilot change-user-role
+npx teamcopilot delete-user
+npx teamcopilot reset-password
+npx teamcopilot rotate-jwt-secret
+```
+
+If `.env` is missing or incomplete, TeamCopilot will ask you to run `npx teamcopilot init` first.
+
+## Docker Setup
+
+```bash
+git clone https://github.com/rishabhpoddar/teamcopilot
+cd teamcopilot
+docker build -t teamcopilot .
+docker run -d \
+  --name teamcopilot \
+  -p 5124:5124 \
+  -v /path/to/some/folder:/app/workspaces \
+  teamcopilot
+```
+
+Open: **http://localhost:5124**
+
+## Common Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `WORKSPACE_DIR` | Directory where workflows are stored | `./my_workspaces` |
+| `TEAMCOPILOT_HOST` | Server host | `0.0.0.0` |
+| `TEAMCOPILOT_PORT` | Server port | `5124` |
+| `OPENCODE_PORT` | Internal OpenCode server port | `4096` |
+| `OPENCODE_MODEL` | Model used by OpenCode | `openai/gpt-5.3-codex` |
+
+## User Management (CLI)
+
+Create user:
+
+```bash
+npx teamcopilot create-user
+```
+
+Change user role:
+
+```bash
+npx teamcopilot change-user-role
+```
+
+Delete user:
+
+```bash
+npx teamcopilot delete-user
+```
+
+Reset password:
+
+```bash
+npx teamcopilot reset-password
+```
+
+Rotate JWT secret (invalidates existing tokens causing everyone to get logged out):
+
+```bash
+npx teamcopilot rotate-jwt-secret
+```
+
+Users sign in at `/login`.
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md).
+
+## License
+
+MIT

package/bin/teamcopilot.js

@@ -0,0 +1,281 @@
+#!/usr/bin/env node
+
+const fs = require("fs");
+const path = require("path");
+const { spawn } = require("child_process");
+const { createInterface } = require("node:readline/promises");
+const dotenv = require("dotenv");
+
+const packageRoot = path.resolve(__dirname, "..");
+const currentDirectory = process.cwd();
+const envExamplePath = path.join(packageRoot, ".env.example");
+const envFilePath = path.join(currentDirectory, ".env");
+
+const commandToScript = {
+    start: "index.js",
+    "create-user": "create-user.js",
+    "delete-user": "delete-user.js",
+    "change-user-role": "change-user-role.js",
+    "reset-password": "reset-password.js",
+    "rotate-jwt-secret": "rotate-jwt-secret.js",
+    prisma: path.join("scripts", "prisma-workspace.js"),
+};
+
+function printHelp() {
+    console.error(`Usage:
+  npx teamcopilot init [options]
+  npx teamcopilot start
+  npx teamcopilot create-user [args]
+  npx teamcopilot delete-user [args]
+  npx teamcopilot change-user-role [args]
+  npx teamcopilot reset-password [args]
+  npx teamcopilot rotate-jwt-secret
+  npx teamcopilot prisma -- <prisma args>
+
+Init options:
+  --workspace-dir <path>
+  --teamcopilot-host <host>
+  --teamcopilot-port <port>
+  --opencode-port <port>
+  --opencode-model <model>
+`);
+}
+
+function loadEnvExample() {
+    const parsed = dotenv.parse(fs.readFileSync(envExamplePath, "utf-8"));
+    return parsed;
+}
+
+function normalizeInitFlag(flagName) {
+    return flagName.replace(/^--/, "").trim().toUpperCase().replace(/-/g, "_");
+}
+
+function serializeEnvValue(value) {
+    if (/^[A-Za-z0-9_./:@+-]+$/.test(value)) {
+        return value;
+    }
+    return JSON.stringify(value);
+}
+
+function parseFlags(argv) {
+    const flags = new Map();
+    const passthrough = [];
+
+    for (let index = 0; index < argv.length; index += 1) {
+        const value = argv[index];
+        if (!value.startsWith("--")) {
+            passthrough.push(value);
+            continue;
+        }
+
+        if (value === "--") {
+            passthrough.push(...argv.slice(index));
+            break;
+        }
+
+        const equalsIndex = value.indexOf("=");
+        if (equalsIndex >= 0) {
+            const key = normalizeInitFlag(value.slice(0, equalsIndex));
+            flags.set(key, value.slice(equalsIndex + 1));
+            continue;
+        }
+
+        const nextValue = argv[index + 1];
+        if (!nextValue || nextValue.startsWith("--")) {
+            throw new Error(`Missing value for ${value}`);
+        }
+        flags.set(normalizeInitFlag(value), nextValue);
+        index += 1;
+    }
+
+    return { flags, passthrough };
+}
+
+function validateInitValue(key, rawValue) {
+    const value = rawValue.trim();
+    if (value.length === 0) {
+        throw new Error(`${key} cannot be empty`);
+    }
+
+    if (key === "WORKSPACE_DIR") {
+        return path.resolve(currentDirectory, value);
+    }
+
+    if (key === "TEAMCOPILOT_PORT" || key === "OPENCODE_PORT") {
+        const parsedPort = Number(value);
+        if (!Number.isInteger(parsedPort) || parsedPort <= 0 || parsedPort > 65535) {
+            throw new Error(`${key} must be an integer between 1 and 65535`);
+        }
+        return String(parsedPort);
+    }
+
+    return value;
+}
+
+function parseExistingEnv() {
+    if (!fs.existsSync(envFilePath)) {
+        return {};
+    }
+    return dotenv.parse(fs.readFileSync(envFilePath, "utf-8"));
+}
+
+async function promptForEnvValues(defaultValues, existingValues, providedFlags) {
+    const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout,
+    });
+
+    try {
+        const resolvedValues = {};
+        for (const key of Object.keys(defaultValues)) {
+            const providedValue = providedFlags.get(key);
+            if (providedValue !== undefined) {
+                resolvedValues[key] = validateInitValue(key, providedValue);
+                continue;
+            }
+
+            const displayedDefault = existingValues[key] ?? defaultValues[key];
+            while (true) {
+                const answer = await rl.question(`${key} [${displayedDefault}]: `);
+                const candidate = answer.trim().length === 0 ? displayedDefault : answer;
+                try {
+                    resolvedValues[key] = validateInitValue(key, candidate);
+                    break;
+                } catch (error) {
+                    console.error(error.message);
+                }
+            }
+        }
+        return resolvedValues;
+    } finally {
+        rl.close();
+    }
+}
+
+function upsertEnvFile(values) {
+    const existingContent = fs.existsSync(envFilePath) ? fs.readFileSync(envFilePath, "utf-8") : "";
+    const lines = existingContent.length > 0 ? existingContent.split(/\r?\n/) : [];
+    const nextLines = [...lines];
+    const updatedKeys = new Set();
+
+    for (let index = 0; index < nextLines.length; index += 1) {
+        const line = nextLines[index];
+        const match = /^([A-Z0-9_]+)=.*$/.exec(line);
+        if (!match) {
+            continue;
+        }
+
+        const key = match[1];
+        if (!(key in values)) {
+            continue;
+        }
+
+        nextLines[index] = `${key}=${serializeEnvValue(values[key])}`;
+        updatedKeys.add(key);
+    }
+
+    for (const [key, value] of Object.entries(values)) {
+        if (!updatedKeys.has(key)) {
+            nextLines.push(`${key}=${serializeEnvValue(value)}`);
+        }
+    }
+
+    const serialized = `${nextLines.join("\n").replace(/\n*$/, "\n")}`;
+    fs.writeFileSync(envFilePath, serialized, "utf-8");
+}
+
+function loadAndValidateLocalEnv() {
+    if (!fs.existsSync(envFilePath)) {
+        throw new Error(`No .env file found in ${currentDirectory}. Run \`npx teamcopilot init\` first.`);
+    }
+
+    const parsedEnv = dotenv.parse(fs.readFileSync(envFilePath, "utf-8"));
+    const requiredKeys = Object.keys(loadEnvExample());
+    const missingKeys = requiredKeys.filter((key) => {
+        const value = parsedEnv[key];
+        return typeof value !== "string" || value.trim().length === 0;
+    });
+
+    if (missingKeys.length > 0) {
+        throw new Error(`Missing required variables in .env: ${missingKeys.join(", ")}. Run \`npx teamcopilot init\` first.`);
+    }
+
+    return parsedEnv;
+}
+
+function runCompiledCommand(command, argv, envValues) {
+    const relativeScriptPath = commandToScript[command];
+    if (!relativeScriptPath) {
+        throw new Error(`Unknown command: ${command}`);
+    }
+
+    const scriptPath = path.join(packageRoot, "dist", relativeScriptPath);
+    if (!fs.existsSync(scriptPath)) {
+        throw new Error(`Built script not found: ${scriptPath}. Rebuild the package before publishing.`);
+    }
+
+    const child = spawn(process.execPath, [scriptPath, ...argv], {
+        cwd: currentDirectory,
+        stdio: "inherit",
+        env: {
+            ...process.env,
+            ...envValues,
+        },
+    });
+
+    child.on("exit", (code, signal) => {
+        if (signal) {
+            process.kill(process.pid, signal);
+            return;
+        }
+        process.exit(code ?? 1);
+    });
+}
+
+async function runInit(argv) {
+    const { flags, passthrough } = parseFlags(argv);
+    if (passthrough.length > 0) {
+        throw new Error(`Unexpected positional arguments for init: ${passthrough.join(" ")}`);
+    }
+    const defaultValues = {
+        ...loadEnvExample(),
+        WORKSPACE_DIR: currentDirectory,
+    };
+    const allowedKeys = new Set(Object.keys(defaultValues));
+    for (const key of flags.keys()) {
+        if (!allowedKeys.has(key)) {
+            throw new Error(`Unknown init option: --${key.toLowerCase().replace(/_/g, "-")}`);
+        }
+    }
+    const existingValues = parseExistingEnv();
+    const values = await promptForEnvValues(defaultValues, existingValues, flags);
+    upsertEnvFile(values);
+    console.log(`Init completed. Please run "npx teamcopilot start" to start the service`);
+}
+
+async function main() {
+    const [command, ...argv] = process.argv.slice(2);
+
+    if (!command || command === "--help" || command === "-h" || command === "help") {
+        printHelp();
+        process.exit(command ? 0 : 1);
+    }
+
+    if (command === "init") {
+        await runInit(argv);
+        return;
+    }
+
+    if (!(command in commandToScript)) {
+        printHelp();
+        throw new Error(`Unknown command: ${command}`);
+    }
+
+    const envValues = loadAndValidateLocalEnv();
+    runCompiledCommand(command, argv, envValues);
+}
+
+main().catch((error) => {
+    console.error(error.message);
+    process.exit(1);
+});

package/dist/auth/index.js

@@ -0,0 +1,189 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = __importDefault(require("express"));
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const client_1 = __importDefault(require("../prisma/client"));
+const index_1 = require("../utils/index");
+const jwt_secret_1 = require("../utils/jwt-secret");
+const password_policy_1 = require("../utils/password-policy");
+const router = express_1.default.Router({ mergeParams: true });
+function issueAccessToken(user) {
+    return jsonwebtoken_1.default.sign({ sub: user.id, email: user.email, name: user.name }, (0, jwt_secret_1.getJwtSecret)(), { expiresIn: '365d' });
+}
+function issuePasswordChangeToken(user) {
+    return jsonwebtoken_1.default.sign({ sub: user.id, email: user.email, name: user.name, token_use: 'password_change' }, (0, jwt_secret_1.getJwtSecret)(), { expiresIn: '10m' });
+}
+function parsePasswordChangeToken(rawToken) {
+    const decoded = jsonwebtoken_1.default.verify(rawToken, (0, jwt_secret_1.getJwtSecret)());
+    if (typeof decoded !== 'object' || decoded === null) {
+        throw {
+            status: 401,
+            message: 'Invalid password change challenge token'
+        };
+    }
+    const payload = decoded;
+    if (typeof payload.sub !== 'string' || typeof payload.email !== 'string' || typeof payload.name !== 'string' || payload.token_use !== 'password_change') {
+        throw {
+            status: 401,
+            message: 'Invalid password change challenge token'
+        };
+    }
+    return {
+        sub: payload.sub,
+        email: payload.email,
+        name: payload.name,
+        token_use: 'password_change'
+    };
+}
+router.post('/signin', (async (req, res, next) => {
+    try {
+        const { email, password } = req.body;
+        if (!email || !password) {
+            throw {
+                status: 400,
+                message: 'Email and password are required'
+            };
+        }
+        const user = await client_1.default.users.findUnique({ where: { email } });
+        if (!user) {
+            throw {
+                status: 401,
+                message: 'Invalid email or password'
+            };
+        }
+        const valid = await bcryptjs_1.default.compare(password, user.password_hash);
+        if (!valid) {
+            throw {
+                status: 401,
+                message: 'Invalid email or password'
+            };
+        }
+        if (user.must_change_password) {
+            const challengeToken = issuePasswordChangeToken(user);
+            res.json({
+                requires_password_change: true,
+                challenge_token: challengeToken
+            });
+            return;
+        }
+        const token = issueAccessToken(user);
+        res.json({ token });
+    }
+    catch (err) {
+        next(err);
+    }
+}));
+router.post('/complete-password-change', (async (req, res, next) => {
+    try {
+        const { challengeToken, newPassword } = req.body;
+        if (!challengeToken || !newPassword) {
+            throw {
+                status: 400,
+                message: 'challengeToken and newPassword are required'
+            };
+        }
+        if (typeof newPassword !== 'string' || !(0, password_policy_1.isPasswordValid)(newPassword)) {
+            throw {
+                status: 400,
+                message: (0, password_policy_1.getPasswordPolicyErrorMessage)()
+            };
+        }
+        let payload;
+        try {
+            payload = parsePasswordChangeToken(challengeToken);
+        }
+        catch (error) {
+            if (error instanceof jsonwebtoken_1.default.JsonWebTokenError || error instanceof jsonwebtoken_1.default.TokenExpiredError) {
+                throw {
+                    status: 401,
+                    message: 'Invalid or expired password change challenge token'
+                };
+            }
+            throw error;
+        }
+        const user = await client_1.default.users.findUnique({ where: { id: payload.sub } });
+        if (!user || user.email !== payload.email) {
+            throw {
+                status: 401,
+                message: 'Invalid password change challenge token'
+            };
+        }
+        if (!user.must_change_password) {
+            throw {
+                status: 400,
+                message: 'Password change is not required for this user'
+            };
+        }
+        const password_hash = await bcryptjs_1.default.hash(newPassword, 12);
+        await client_1.default.users.update({
+            where: { id: user.id },
+            data: {
+                password_hash,
+                must_change_password: false,
+                reset_token: null,
+                reset_token_expires_at: null
+            }
+        });
+        const token = issueAccessToken(user);
+        res.json({ token });
+    }
+    catch (err) {
+        next(err);
+    }
+}));
+router.post('/reset-password', (async (req, res, next) => {
+    try {
+        const { token, newPassword } = req.body;
+        if (!token || !newPassword) {
+            throw {
+                status: 400,
+                message: 'Token and newPassword are required'
+            };
+        }
+        if (typeof newPassword !== 'string' || !(0, password_policy_1.isPasswordValid)(newPassword)) {
+            throw {
+                status: 400,
+                message: (0, password_policy_1.getPasswordPolicyErrorMessage)()
+            };
+        }
+        const user = await client_1.default.users.findFirst({
+            where: {
+                reset_token: token,
+                reset_token_expires_at: { gt: Date.now() }
+            }
+        });
+        if (!user) {
+            throw {
+                status: 400,
+                message: 'Invalid or expired reset token'
+            };
+        }
+        const password_hash = await bcryptjs_1.default.hash(newPassword, 12);
+        await client_1.default.users.update({
+            where: { id: user.id },
+            data: {
+                password_hash,
+                must_change_password: false,
+                reset_token: null,
+                reset_token_expires_at: null
+            }
+        });
+        res.json({ message: 'Password reset successfully' });
+    }
+    catch (err) {
+        next(err);
+    }
+}));
+router.get('/me', (0, index_1.apiHandler)(async (req, res) => {
+    res.json({
+        userId: req.userId,
+        email: req.email,
+        name: req.name,
+        role: req.role
+    });
+}, true));
+exports.default = router;