tide-commander 1.87.0 → 1.89.0

package/dist/src/packages/server/routes/files.js

@@ -41,6 +41,202 @@ export function resolveAndValidateFilePath(rawPath, baseDir, fallbackBaseDir = p
     }
     return { ok: true, path: path.resolve(effectiveBase, rawPath) };
 }
+// Cache of (requested path → resolved absolute path) for successful fallback
+// resolutions. Avoids repeating the walk-up search for the same stale path.
+const resolvedPathCache = new Map();
+const RESOLVED_CACHE_MAX = 500;
+function rememberResolution(key, found, strategy) {
+    if (resolvedPathCache.size >= RESOLVED_CACHE_MAX) {
+        const firstKey = resolvedPathCache.keys().next().value;
+        if (firstKey !== undefined)
+            resolvedPathCache.delete(firstKey);
+    }
+    resolvedPathCache.set(key, { path: found, strategy });
+}
+// Recursive-walk cache for suffix-match: rooted at an absolute directory, value
+// is the flat list of file absolute paths under that root. TTL keeps it warm
+// across rapid clicks but lets edits propagate. Keys evict on TTL only — small
+// LRU cap as a memory ceiling.
+const SUFFIX_WALK_TTL_MS = 30_000;
+const SUFFIX_WALK_MAX_ROOTS = 16;
+const SUFFIX_WALK_MAX_DEPTH = 6;
+const SUFFIX_WALK_IGNORE = new Set([
+    'node_modules', '.git', 'dist', 'build', 'vendor', '.next', 'target',
+    '.cache', '.turbo', '.venv', '__pycache__',
+]);
+const suffixWalkCache = new Map();
+export function _resetSuffixWalkCacheForTests() {
+    suffixWalkCache.clear();
+}
+function listFilesShallow(root, depth) {
+    if (depth > SUFFIX_WALK_MAX_DEPTH)
+        return [];
+    let entries;
+    try {
+        entries = fs.readdirSync(root, { withFileTypes: true });
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const e of entries) {
+        if (e.name.startsWith('.') && SUFFIX_WALK_IGNORE.has(e.name))
+            continue;
+        if (SUFFIX_WALK_IGNORE.has(e.name))
+            continue;
+        const full = path.join(root, e.name);
+        if (e.isDirectory()) {
+            out.push(...listFilesShallow(full, depth + 1));
+        }
+        else if (e.isFile()) {
+            out.push(full);
+        }
+    }
+    return out;
+}
+function getWalkedFiles(root, now = Date.now()) {
+    const cached = suffixWalkCache.get(root);
+    if (cached && cached.expiresAt > now)
+        return cached.files;
+    const files = listFilesShallow(root, 0);
+    if (suffixWalkCache.size >= SUFFIX_WALK_MAX_ROOTS) {
+        const firstKey = suffixWalkCache.keys().next().value;
+        if (firstKey !== undefined)
+            suffixWalkCache.delete(firstKey);
+    }
+    suffixWalkCache.set(root, { files, expiresAt: now + SUFFIX_WALK_TTL_MS });
+    return files;
+}
+function findBySuffixMatch(rawPath, walkRoot) {
+    const segments = rawPath.replace(/^\/+/, '').split(path.sep).filter(Boolean);
+    if (segments.length === 0)
+        return null;
+    const files = getWalkedFiles(walkRoot);
+    if (files.length === 0)
+        return null;
+    // Try the longest possible suffix first (most specific), shrinking down to
+    // basename. The first suffix length with a UNIQUE hit wins — ambiguous suffix
+    // means we'd guess wrong, so fall through.
+    for (let take = Math.min(segments.length, 4); take >= 1; take--) {
+        const suffix = path.sep + segments.slice(-take).join(path.sep);
+        const matches = files.filter(f => f.endsWith(suffix));
+        if (matches.length === 1)
+            return matches[0];
+        if (matches.length > 1)
+            continue;
+    }
+    return null;
+}
+/**
+ * Resolve a requested file path to an existing file on disk, with fallbacks.
+ * Tries (in order):
+ *   1. exact         — resolved by resolveAndValidateFilePath() (absolute or baseDir+path)
+ *   2. cached        — previously-resolved entry for the same requested key
+ *   3. parent-walk   — tail slices anchored at baseDir AND each ancestor up to /
+ *   4. git-root      — tail slices anchored at the git toplevel from baseDir
+ *   5. suffix-match  — last-resort: unique trailing-segment match within a
+ *                      depth-limited walk of baseDir, ignoring vendored dirs
+ * On miss, returns the absolute path requested AND the list of paths tried so
+ * the caller can surface a clear, debuggable error.
+ */
+export function findFileWithFallbacks(rawPath, baseDir) {
+    if (!rawPath) {
+        return { ok: false, status: 400, error: 'Missing path parameter' };
+    }
+    const resolution = resolveAndValidateFilePath(rawPath, baseDir);
+    if (!resolution.ok) {
+        return resolution;
+    }
+    const tried = [];
+    const seen = new Set();
+    const tryCandidate = (p) => {
+        if (seen.has(p))
+            return null;
+        seen.add(p);
+        tried.push(p);
+        try {
+            if (fs.existsSync(p) && !fs.statSync(p).isDirectory())
+                return p;
+        }
+        catch { /* permission denied, broken symlink — keep trying */ }
+        return null;
+    };
+    const direct = tryCandidate(resolution.path);
+    if (direct)
+        return { ok: true, path: direct, strategy: 'exact' };
+    const cached = resolvedPathCache.get(rawPath);
+    if (cached) {
+        const hit = tryCandidate(cached.path);
+        if (hit)
+            return { ok: true, path: hit, strategy: 'cached' };
+        resolvedPathCache.delete(rawPath);
+    }
+    const absBase = baseDir && path.isAbsolute(baseDir) ? baseDir : null;
+    if (absBase) {
+        // Strip leading slashes so absolute and relative requested paths share one
+        // segment list. Walking the tail anchors `<a>/<b>/<c>` not just at baseDir
+        // but also at `<b>/<c>` and `<c>` against each ancestor — the file is
+        // found regardless of which slice of the path moved.
+        const tailSegments = rawPath.replace(/^\/+/, '').split(path.sep).filter(Boolean);
+        let cur = absBase;
+        // Bound the climb so a deep baseDir doesn't search the whole filesystem.
+        for (let depth = 0; depth < 12; depth++) {
+            for (let i = 0; i < tailSegments.length; i++) {
+                const candidate = path.join(cur, ...tailSegments.slice(i));
+                const hit = tryCandidate(candidate);
+                if (hit) {
+                    rememberResolution(rawPath, hit, 'parent-walk');
+                    return { ok: true, path: hit, strategy: 'parent-walk' };
+                }
+            }
+            const parent = path.dirname(cur);
+            if (parent === cur)
+                break;
+            cur = parent;
+        }
+        try {
+            if (fs.existsSync(absBase)) {
+                const gitTop = execSync('git rev-parse --show-toplevel', {
+                    cwd: absBase,
+                    encoding: 'utf-8',
+                    stdio: ['pipe', 'pipe', 'pipe'],
+                }).trim();
+                if (gitTop) {
+                    for (let i = 0; i < tailSegments.length; i++) {
+                        const candidate = path.join(gitTop, ...tailSegments.slice(i));
+                        const hit = tryCandidate(candidate);
+                        if (hit) {
+                            rememberResolution(rawPath, hit, 'git-root');
+                            return { ok: true, path: hit, strategy: 'git-root' };
+                        }
+                    }
+                }
+            }
+        }
+        catch { /* baseDir is not in a git repo — skip */ }
+        // Last-resort suffix match: cheap depth-limited recursive walk, cached for
+        // 30s. Helps when the requested path's segments don't anchor anywhere via
+        // parent-walk (e.g. file moved between dirs while UI still cites old path).
+        try {
+            if (fs.existsSync(absBase)) {
+                const suffixHit = findBySuffixMatch(rawPath, absBase);
+                if (suffixHit) {
+                    tried.push(`<suffix-match in ${absBase}>`);
+                    rememberResolution(rawPath, suffixHit, 'suffix-match');
+                    return { ok: true, path: suffixHit, strategy: 'suffix-match' };
+                }
+            }
+        }
+        catch { /* walk failed entirely — fall through to 404 */ }
+    }
+    return {
+        ok: false,
+        status: 404,
+        error: 'File not found',
+        requested: resolution.path,
+        tried,
+    };
+}
 // Prevent browser from caching git-related GET responses (status, diff, branch, etc.)
 // Without this, browsers may serve stale cached data — e.g. deleted files still appearing.
 router.use('/git-*path', (_req, res, next) => {
@@ -51,16 +247,17 @@ router.use('/git-*path', (_req, res, next) => {
 // GET /api/files/read - Read file contents
 router.get('/read', async (req, res) => {
     try {
-        const resolution = resolveAndValidateFilePath(req.query.path, req.query.baseDir);
+        const resolution = findFileWithFallbacks(req.query.path, req.query.baseDir);
         if (!resolution.ok) {
-            res.status(resolution.status).json({ error: resolution.error });
+            const body = { error: resolution.error };
+            if (resolution.requested)
+                body.path = resolution.requested;
+            if (resolution.tried)
+                body.triedRoots = resolution.tried;
+            res.status(resolution.status).json(body);
             return;
         }
         const filePath = resolution.path;
-        if (!fs.existsSync(filePath)) {
-            res.status(404).json({ error: 'File not found', path: filePath });
-            return;
-        }
         const stats = fs.statSync(filePath);
         if (stats.isDirectory()) {
             res.status(400).json({ error: 'Path is a directory', path: filePath });
@@ -81,6 +278,7 @@ router.get('/read', async (req, res) => {
             content,
             size: stats.size,
             modified: stats.mtime,
+            strategy: resolution.strategy,
         });
     }
     catch (err) {
@@ -190,16 +388,17 @@ router.get('/exists', async (req, res) => {
 // GET /api/files/info - Get file info without content
 router.get('/info', async (req, res) => {
     try {
-        const resolution = resolveAndValidateFilePath(req.query.path, req.query.baseDir);
+        const resolution = findFileWithFallbacks(req.query.path, req.query.baseDir);
         if (!resolution.ok) {
-            res.status(resolution.status).json({ error: resolution.error });
+            const body = { error: resolution.error };
+            if (resolution.requested)
+                body.path = resolution.requested;
+            if (resolution.tried)
+                body.triedRoots = resolution.tried;
+            res.status(resolution.status).json(body);
             return;
         }
         const filePath = resolution.path;
-        if (!fs.existsSync(filePath)) {
-            res.status(404).json({ error: 'File not found', path: filePath });
-            return;
-        }
         const stats = fs.statSync(filePath);
         if (stats.isDirectory()) {
             res.status(400).json({ error: 'Path is a directory', path: filePath });
@@ -213,6 +412,7 @@ router.get('/info', async (req, res) => {
             extension,
             size: stats.size,
             modified: stats.mtime,
+            strategy: resolution.strategy,
         });
     }
     catch (err) {
@@ -223,17 +423,18 @@ router.get('/info', async (req, res) => {
 // GET /api/files/binary - Read binary file (for images, PDFs, downloads)
 router.get('/binary', async (req, res) => {
     try {
-        const resolution = resolveAndValidateFilePath(req.query.path, req.query.baseDir);
+        const resolution = findFileWithFallbacks(req.query.path, req.query.baseDir);
         if (!resolution.ok) {
-            res.status(resolution.status).json({ error: resolution.error });
+            const body = { error: resolution.error };
+            if (resolution.requested)
+                body.path = resolution.requested;
+            if (resolution.tried)
+                body.triedRoots = resolution.tried;
+            res.status(resolution.status).json(body);
             return;
         }
         const filePath = resolution.path;
         const download = req.query.download === 'true';
-        if (!fs.existsSync(filePath)) {
-            res.status(404).json({ error: 'File not found', path: filePath });
-            return;
-        }
         const stats = fs.statSync(filePath);
         if (stats.isDirectory()) {
             res.status(400).json({ error: 'Path is a directory', path: filePath });

package/dist/src/packages/server/routes/index.js

@@ -23,6 +23,7 @@ import integrationRouter from './integration-routes.js';
 import eventRouter from './event-routes.js';
 import workflowRouter from './workflow-routes.js';
 import sessionsRouter from './sessions.js';
+import databaseRouter from './database.js';
 import { getPlugins } from '../integrations/integration-registry.js';
 const router = Router();
 // Health check
@@ -48,6 +49,7 @@ router.use('/integrations', integrationRouter);
 router.use('/events', eventRouter);
 router.use('/workflows', workflowRouter);
 router.use('/sessions', sessionsRouter);
+router.use('/database', databaseRouter);
 // Integration plugin routes (e.g. /api/slack/*, /api/documents/*, /api/jira/*)
 // Uses lazy lookup so plugins can be registered after route setup
 router.use((req, res, next) => {

package/dist/src/packages/server/services/building-service.js

@@ -10,6 +10,7 @@ import { createLogger } from '../utils/index.js';
 import * as pm2Service from './pm2-service.js';
 import * as dockerService from './docker-service.js';
 import * as terminalService from './terminal-service.js';
+import * as databaseService from './database-service.js';
 const log = createLogger('BuildingService');
 const execAsync = promisify(exec);
 /**
@@ -945,7 +946,18 @@ export function cleanupAllTerminals() {
 export async function handleBuildingSync(newBuildings, _broadcast) {
     const oldBuildings = loadBuildings();
     const oldBuildingsMap = new Map(oldBuildings.map(b => [b.id, b]));
+    const newBuildingIds = new Set(newBuildings.map(b => b.id));
     log.log(`handleBuildingSync called with ${newBuildings.length} buildings`);
+    // Tear down database tunnels for buildings that were entirely deleted.
+    for (const oldBuilding of oldBuildings) {
+        if (newBuildingIds.has(oldBuilding.id))
+            continue;
+        if (oldBuilding.type !== 'database')
+            continue;
+        for (const conn of oldBuilding.database?.connections || []) {
+            await databaseService.closeConnection(conn.id);
+        }
+    }
     for (const newBuilding of newBuildings) {
         const oldBuilding = oldBuildingsMap.get(newBuilding.id);
         // Check if this is a PM2-enabled building
@@ -978,6 +990,35 @@ export async function handleBuildingSync(newBuildings, _broadcast) {
                 }
             }
         }
+        // Database connection changes — tear down tunnels for connections that
+        // were removed or whose SSH config materially changed.
+        if (oldBuilding && oldBuilding.type === 'database') {
+            const oldConns = oldBuilding.database?.connections || [];
+            const newConns = newBuilding.type === 'database'
+                ? (newBuilding.database?.connections || [])
+                : [];
+            const newConnsById = new Map(newConns.map(c => [c.id, c]));
+            for (const oldConn of oldConns) {
+                const fresh = newConnsById.get(oldConn.id);
+                if (!fresh) {
+                    await databaseService.closeConnection(oldConn.id);
+                    continue;
+                }
+                const oldKey = JSON.stringify({
+                    ssh: oldConn.ssh ?? null,
+                    host: oldConn.host,
+                    port: oldConn.port,
+                });
+                const newKey = JSON.stringify({
+                    ssh: fresh.ssh ?? null,
+                    host: fresh.host,
+                    port: fresh.port,
+                });
+                if (oldKey !== newKey) {
+                    await databaseService.closeConnection(oldConn.id);
+                }
+            }
+        }
         // Check if this is a Docker-enabled building
         if (oldBuilding && newBuilding.docker?.enabled && oldBuilding.docker?.enabled) {
             const oldContainerName = dockerService.getContainerName(oldBuilding);

package/dist/src/packages/server/services/database-service.js

@@ -8,6 +8,7 @@ import oracledb from 'oracledb';
 import Database from 'better-sqlite3';
 import mssql from 'mssql';
 import { loadQueryHistory, saveQueryHistory } from '../data/index.js';
+import { getOrCreateTunnel, closeTunnel, closeAllTunnels, openTransientTunnel, closeTunnelHandle, } from './ssh-tunnel-service.js';
 // Connection pool storage
 const mysqlPools = new Map();
 const pgPools = new Map();
@@ -23,6 +24,18 @@ const queryHistoryCache = new Map();
 function getConnectionKey(connection, database) {
     return `${connection.id}:${database || connection.database || 'default'}`;
 }
+/**
+ * Resolve the effective network endpoint for a connection. When an SSH tunnel
+ * is enabled, this brings up (or reuses) the tunnel and returns the local
+ * forwarded host:port. Otherwise it returns the connection's own host:port.
+ */
+async function resolveEndpoint(connection) {
+    if (!connection.ssh?.enabled) {
+        return { host: connection.host, port: connection.port };
+    }
+    const tunnel = await getOrCreateTunnel(connection.id, connection.ssh, connection.host, connection.port);
+    return { host: tunnel.localHost, port: tunnel.localPort };
+}
 /**
  * Get or create a MySQL connection pool
  */
@@ -31,9 +44,10 @@ async function getMySQLPool(connection, database) {
     if (mysqlPools.has(key)) {
         return mysqlPools.get(key);
     }
+    const endpoint = await resolveEndpoint(connection);
     const pool = mysql.createPool({
-        host: connection.host,
-        port: connection.port,
+        host: endpoint.host,
+        port: endpoint.port,
         user: connection.username,
         password: connection.password,
         database: database || connection.database,
@@ -60,9 +74,10 @@ async function getPgPool(connection, database) {
     if (pgPools.has(key)) {
         return pgPools.get(key);
     }
+    const endpoint = await resolveEndpoint(connection);
     const pool = new pg.Pool({
-        host: connection.host,
-        port: connection.port,
+        host: endpoint.host,
+        port: endpoint.port,
         user: connection.username,
         password: connection.password,
         database: database || connection.database || 'postgres',
@@ -96,7 +111,8 @@ async function getOraclePool(connection) {
     // Format: host:port/serviceName
     // The service name comes from connection.database (e.g., ORCLPDB1)
     const serviceName = connection.database || 'ORCL';
-    const connectString = `${connection.host}:${connection.port}/${serviceName}`;
+    const endpoint = await resolveEndpoint(connection);
+    const connectString = `${endpoint.host}:${endpoint.port}/${serviceName}`;
     const pool = await oracledb.createPool({
         user: connection.username,
         password: connection.password,
@@ -138,9 +154,10 @@ async function getMSSQLPool(connection, database) {
         // Pool disconnected, remove and recreate
         mssqlPools.delete(key);
     }
+    const endpoint = await resolveEndpoint(connection);
     const config = {
-        server: connection.host,
-        port: connection.port,
+        server: endpoint.host,
+        port: endpoint.port,
         user: connection.username,
         password: connection.password,
         database: database || connection.database,
@@ -159,9 +176,39 @@ async function getMSSQLPool(connection, database) {
     return pool;
 }
 /**
- * Test a database connection
+ * Test a database connection. If the connection is transient (no persisted
+ * building owns it yet) any SSH tunnel opened during the test is torn down
+ * before returning.
  */
-export async function testConnection(connection) {
+export async function testConnection(connection, options = {}) {
+    // When transient + SSH-enabled, run the entire test through a one-shot
+    // tunnel that's discarded immediately. Avoids leaving a tunnel open for an
+    // unsaved building.
+    if (options.transient && connection.ssh?.enabled) {
+        let handle;
+        try {
+            handle = await openTransientTunnel(connection.ssh, connection.host, connection.port);
+            const localizedConnection = {
+                ...connection,
+                host: handle.localHost,
+                port: handle.localPort,
+                ssh: undefined,
+            };
+            return await testConnection(localizedConnection, { transient: false });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : 'Unknown SSH error';
+            return { success: false, error: `SSH tunnel failed: ${message}` };
+        }
+        finally {
+            if (handle) {
+                try {
+                    await closeTunnelHandle(handle);
+                }
+                catch { /* ignore */ }
+            }
+        }
+    }
     try {
         if (connection.engine === 'mysql') {
             const pool = await getMySQLPool(connection);
@@ -1072,6 +1119,8 @@ export function clearHistory(buildingId) {
  * Close all connection pools for a building/connection
  */
 export async function closeConnection(connectionId) {
+    // Tear down SSH tunnel first so subsequent pool ends don't try to reuse it
+    await closeTunnel(connectionId);
     // Close all pools that match this connection ID
     for (const [key, pool] of mysqlPools.entries()) {
         if (key.startsWith(connectionId + ':')) {
@@ -1128,6 +1177,9 @@ export async function closeAllConnections() {
         await pool.close();
     }
     mssqlPools.clear();
+    // Tear down all active SSH tunnels last so pool .end()/close() can
+    // complete cleanly even if they need to talk to the server.
+    await closeAllTunnels();
 }
 /**
  * Get MSSQL type name from declaration

package/dist/src/packages/server/services/index.js

@@ -16,6 +16,7 @@ export * as subordinateContextService from './subordinate-context-service.js';
 export * as workPlanService from './work-plan-service.js';
 export * as secretsService from './secrets-service.js';
 export * as databaseService from './database-service.js';
+export * as sshTunnelService from './ssh-tunnel-service.js';
 export * as eventRetentionService from './event-retention-service.js';
 export * as triggerService from './trigger-service.js';
 export * as workflowService from './workflow-service.js';