tlc-claude-code 1.4.4 → 1.4.6

package/server/index.js

@@ -12,6 +12,14 @@ const chokidar = require('chokidar');
 const { detectProject } = require('./lib/project-detector');
 const { parsePlan, parseBugs } = require('./lib/plan-parser');
 const { autoProvision, stopDatabase } = require('./lib/auto-database');
+const {
+  createUserStore,
+  createAuthMiddleware,
+  generateJWT,
+  verifyJWT,
+  hashPassword,
+  verifyPassword,
+} = require('./lib/auth-system');
 
 // Handle PGlite WASM crashes gracefully
 process.on('uncaughtException', (err) => {
@@ -48,6 +56,150 @@ const wss = new WebSocketServer({ server });
 
 // Middleware
 app.use(express.json());
+const cookieParser = require('cookie-parser');
+app.use(cookieParser());
+
+// ============================================
+// Authentication Setup
+// ============================================
+const userStore = createUserStore();
+const JWT_SECRET = process.env.TLC_JWT_SECRET || 'tlc-dashboard-secret-change-in-production';
+const AUTH_ENABLED = process.env.TLC_AUTH !== 'false';
+
+// Initialize admin user from config or environment
+async function initializeAuth() {
+  const tlcConfigPath = path.join(PROJECT_DIR, '.tlc.json');
+  let adminEmail = process.env.TLC_ADMIN_EMAIL || 'admin@localhost';
+  let adminPassword = process.env.TLC_ADMIN_PASSWORD;
+
+  // Try to read from .tlc.json
+  if (fs.existsSync(tlcConfigPath)) {
+    try {
+      const config = JSON.parse(fs.readFileSync(tlcConfigPath, 'utf-8'));
+      if (config.auth?.adminEmail) adminEmail = config.auth.adminEmail;
+      if (config.auth?.adminPassword) adminPassword = config.auth.adminPassword;
+    } catch (e) {
+      // Ignore parse errors
+    }
+  }
+
+  // Create admin user if password is set
+  if (adminPassword) {
+    try {
+      await userStore.createUser({
+        email: adminEmail,
+        password: adminPassword,
+        name: 'Admin',
+        role: 'admin',
+      });
+      console.log(`[TLC] Admin user initialized: ${adminEmail}`);
+    } catch (e) {
+      // User may already exist
+      if (!e.message.includes('already registered')) {
+        console.error('[TLC] Failed to create admin user:', e.message);
+      }
+    }
+  }
+}
+
+// Auth middleware for protected routes
+const authMiddleware = createAuthMiddleware({
+  userStore,
+  jwtSecret: JWT_SECRET,
+  requireAuth: true,
+});
+
+// Public paths that don't require auth
+const publicPaths = ['/api/auth/login', '/api/auth/status', '/login.html', '/login'];
+
+// Apply auth to API routes (except public paths)
+app.use((req, res, next) => {
+  // Skip auth if disabled
+  if (!AUTH_ENABLED) return next();
+
+  // Allow public paths
+  if (publicPaths.some(p => req.path === p || req.path.startsWith(p))) {
+    return next();
+  }
+
+  // Allow static assets
+  if (req.path.match(/\.(js|css|png|jpg|ico|svg|woff|woff2)$/)) {
+    return next();
+  }
+
+  // Check for auth cookie or header
+  const token = req.cookies?.tlc_token || req.headers.authorization?.replace('Bearer ', '');
+
+  if (!token) {
+    // Redirect browser requests to login, return 401 for API
+    if (req.path.startsWith('/api/')) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+    return res.redirect('/login.html');
+  }
+
+  // Verify token
+  const payload = verifyJWT(token, JWT_SECRET);
+  if (!payload) {
+    if (req.path.startsWith('/api/')) {
+      return res.status(401).json({ error: 'Invalid or expired token' });
+    }
+    return res.redirect('/login.html');
+  }
+
+  // Attach user to request
+  req.user = payload;
+  next();
+});
+
+// Auth routes
+app.get('/api/auth/status', (req, res) => {
+  res.json({ authEnabled: AUTH_ENABLED });
+});
+
+app.post('/api/auth/login', async (req, res) => {
+  const { email, password } = req.body;
+
+  if (!email || !password) {
+    return res.status(400).json({ error: 'Email and password required' });
+  }
+
+  const user = await userStore.authenticate(email, password);
+  if (!user) {
+    return res.status(401).json({ error: 'Invalid credentials' });
+  }
+
+  // Generate JWT
+  const token = generateJWT(
+    { sub: user.id, email: user.email, role: user.role, name: user.name },
+    JWT_SECRET,
+    { expiresIn: 86400 * 7 } // 7 days
+  );
+
+  // Set cookie
+  res.cookie('tlc_token', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: 86400 * 7 * 1000, // 7 days
+  });
+
+  res.json({ success: true, user: { email: user.email, name: user.name, role: user.role } });
+});
+
+app.post('/api/auth/logout', (req, res) => {
+  res.clearCookie('tlc_token');
+  res.json({ success: true });
+});
+
+app.get('/api/auth/me', (req, res) => {
+  if (!req.user) {
+    return res.status(401).json({ error: 'Not authenticated' });
+  }
+  res.json({ user: req.user });
+});
+
+// Serve static files (after auth middleware)
 app.use(express.static(path.join(__dirname, 'dashboard')));
 
 // Broadcast to all WebSocket clients
@@ -158,6 +310,7 @@ async function startApp() {
 
 // Run tests
 function runTests() {
+  broadcast('test-start', { timestamp: Date.now() });
   addLog('test', '--- Running tests ---', 'info');
 
   // Try to detect test command
@@ -202,6 +355,86 @@ function runTests() {
 }
 
 // API Routes
+
+// Project info endpoint - returns real project data
+app.get('/api/project', (req, res) => {
+  try {
+    const { execSync } = require('child_process');
+
+    // Get project name and description from package.json or .tlc.json
+    let projectName = 'Unknown Project';
+    let projectDesc = '';
+    let version = '';
+
+    const pkgPath = path.join(PROJECT_DIR, 'package.json');
+    if (fs.existsSync(pkgPath)) {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      projectName = pkg.name || projectName;
+      projectDesc = pkg.description || '';
+      version = pkg.version || '';
+    }
+
+    const tlcPath = path.join(PROJECT_DIR, '.tlc.json');
+    if (fs.existsSync(tlcPath)) {
+      const tlc = JSON.parse(fs.readFileSync(tlcPath, 'utf-8'));
+      if (tlc.project) projectName = tlc.project;
+      if (tlc.description) projectDesc = tlc.description;
+    }
+
+    // Get git info
+    let branch = 'unknown';
+    let lastCommit = null;
+    try {
+      branch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: PROJECT_DIR, encoding: 'utf-8' }).trim();
+      const commitInfo = execSync('git log -1 --pretty=format:"%h|%s|%ar"', { cwd: PROJECT_DIR, encoding: 'utf-8' }).trim();
+      const [hash, message, time] = commitInfo.split('|');
+      lastCommit = { hash, message, time };
+    } catch (e) {
+      // Not a git repo
+    }
+
+    // Get phase info
+    const plan = parsePlan(PROJECT_DIR);
+
+    // Count phases from roadmap
+    let totalPhases = 0;
+    let completedPhases = 0;
+    const roadmapPath = path.join(PROJECT_DIR, '.planning', 'ROADMAP.md');
+    if (fs.existsSync(roadmapPath)) {
+      const content = fs.readFileSync(roadmapPath, 'utf-8');
+      const phases = content.match(/##\s+Phase\s+\d+/g) || [];
+      totalPhases = phases.length;
+      const completed = content.match(/##\s+Phase\s+\d+[^[]*\[x\]/gi) || [];
+      completedPhases = completed.length;
+    }
+
+    // Calculate progress
+    const tasksDone = plan.tasks?.filter(t => t.status === 'done' || t.status === 'complete').length || 0;
+    const tasksTotal = plan.tasks?.length || 0;
+    const progress = tasksTotal > 0 ? Math.round((tasksDone / tasksTotal) * 100) : 0;
+
+    res.json({
+      name: projectName,
+      description: projectDesc,
+      version,
+      branch,
+      lastCommit,
+      phase: plan.currentPhase,
+      phaseName: plan.currentPhaseName,
+      totalPhases,
+      completedPhases,
+      tasks: {
+        total: tasksTotal,
+        done: tasksDone,
+        progress
+      },
+      projectDir: PROJECT_DIR
+    });
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
 app.get('/api/status', (req, res) => {
   const bugs = parseBugs(PROJECT_DIR);
   const plan = parsePlan(PROJECT_DIR);
@@ -372,6 +605,32 @@ app.post('/api/playwright', (req, res) => {
   res.json({ success: true });
 });
 
+// POST /api/tasks - Create a new task
+app.post('/api/tasks', (req, res) => {
+  const { title, phase, owner } = req.body;
+
+  if (!title) {
+    return res.status(400).json({ error: 'Title required' });
+  }
+
+  const plan = parsePlan(PROJECT_DIR);
+  const taskId = `task-${Date.now()}`;
+  const task = {
+    id: taskId,
+    title,
+    status: 'pending',
+    phase: phase || plan.currentPhase || 1,
+    owner: owner || null,
+    createdAt: new Date().toISOString()
+  };
+
+  // Broadcast to all connected clients
+  broadcast('task-created', task);
+  addLog('app', `Task created: ${title}`, 'info');
+
+  res.status(201).json(task);
+});
+
 app.post('/api/bug', (req, res) => {
   const { description, url, screenshot, severity, images } = req.body;
 
@@ -570,6 +829,11 @@ app.post('/api/agents', (req, res) => {
     });
 
     const agent = registry.getAgent(agentId);
+
+    // Broadcast agent creation
+    broadcast('agent-created', formatAgent(agent));
+    addLog('app', `Agent registered: ${name}`, 'info');
+
     res.status(201).json({ success: true, agent: formatAgent(agent) });
   } catch (err) {
     res.status(500).json({ success: false, error: err.message });
@@ -604,6 +868,9 @@ app.patch('/api/agents/:id', (req, res) => {
       });
     }
 
+    // Broadcast agent update
+    broadcast('agent-updated', formatAgent(agent));
+
     res.json({ success: true, agent: formatAgent(agent) });
   } catch (err) {
     res.status(500).json({ success: false, error: err.message });
@@ -758,6 +1025,34 @@ async function shutdown() {
 process.on('SIGINT', shutdown);
 process.on('SIGTERM', shutdown);
 
+// Get health data for broadcasting
+function getHealthData() {
+  const os = require('os');
+  const memUsed = process.memoryUsage().heapUsed;
+  const memTotal = os.totalmem();
+  const loadAvg = os.loadavg()[0];
+  const cpuCount = os.cpus().length;
+  const cpuPercent = Math.round((loadAvg / cpuCount) * 100);
+
+  return {
+    status: appProcess ? 'healthy' : 'degraded',
+    memory: memUsed,
+    cpu: Math.min(cpuPercent, 100),
+    uptime: process.uptime(),
+    appRunning: appProcess !== null,
+    appPort: appPort
+  };
+}
+
+// Periodic health broadcast
+let healthInterval = null;
+function startHealthBroadcast() {
+  if (healthInterval) clearInterval(healthInterval);
+  healthInterval = setInterval(() => {
+    broadcast('health-update', getHealthData());
+  }, 30000); // Every 30 seconds
+}
+
 // Start server
 async function main() {
   console.log(`
@@ -771,13 +1066,22 @@ async function main() {
   TLC Dev Server
 `);
 
+  // Initialize authentication
+  await initializeAuth();
+
   server.listen(TLC_PORT, () => {
     console.log(`  Dashboard: http://localhost:${TLC_PORT}`);
     console.log(`  Share:     http://${getLocalIP()}:${TLC_PORT}`);
+    if (AUTH_ENABLED) {
+      console.log(`  Auth:      ENABLED (set TLC_AUTH=false to disable)`);
+    } else {
+      console.log(`  Auth:      DISABLED`);
+    }
     console.log('');
   });
 
   setupWatchers();
+  startHealthBroadcast();
 
   if (PROXY_ONLY) {
     // In proxy-only mode, just set the app port for proxying

package/server/lib/api-provider.js

@@ -1,186 +1,104 @@
-/**
- * API Provider - Provider implementation for REST API endpoints
- *
- * Supports OpenAI-compatible endpoints:
- * - DeepSeek
- * - Mistral
- * - Any OpenAI-compatible API
- */
-
-import { createProvider, PROVIDER_TYPES } from './provider-interface.js';
-
-/**
- * API pricing per 1K tokens (USD)
- */
-export const API_PRICING = {
-  deepseek: { input: 0.0001, output: 0.0002 },
-  'deepseek-coder': { input: 0.0001, output: 0.0002 },
-  mistral: { input: 0.0002, output: 0.0006 },
-  'mistral-large': { input: 0.002, output: 0.006 },
-  groq: { input: 0.0001, output: 0.0001 },
-  default: { input: 0.001, output: 0.002 },
-};
-
-/**
- * Calculate cost from token usage
- * @param {Object} tokenUsage - { input, output }
- * @param {Object} pricing - { input, output } per 1K tokens
- * @returns {number|null} Cost in USD
- */
-export function calculateCost(tokenUsage, pricing) {
-  if (!tokenUsage || !pricing) return null;
-
-  const inputCost = (tokenUsage.input * pricing.input) / 1000;
-  const outputCost = (tokenUsage.output * pricing.output) / 1000;
-
-  return inputCost + outputCost;
-}
-
-/**
- * Parse API response
- * @param {Object} response - API response
- * @returns {Object} Parsed result
- */
-export function parseResponse(response) {
-  const content = response.choices?.[0]?.message?.content || '';
-  const usage = response.usage || {};
-
-  let parsed = null;
-  try {
-    parsed = JSON.parse(content);
-  } catch (e) {
-    // Not JSON, that's ok
-  }
-
-  return {
-    raw: content,
-    parsed,
-    tokenUsage: {
-      input: usage.prompt_tokens || 0,
-      output: usage.completion_tokens || 0,
-    },
-  };
-}
-
-/**
- * Call an OpenAI-compatible API
- * @param {Object} params - Parameters
- * @param {string} params.baseUrl - API base URL
- * @param {string} params.model - Model name
- * @param {string} params.prompt - The prompt
- * @param {string} params.apiKey - API key
- * @param {Object} [params.outputSchema] - JSON schema for output
- * @param {number} [params.maxRetries=3] - Max retry attempts
- * @param {number} [params.retryDelay=1000] - Retry delay in ms
- * @returns {Promise<Object>} ProviderResult
- */
-export async function callAPI({
-  baseUrl,
-  model,
-  prompt,
-  apiKey,
-  outputSchema,
-  maxRetries = 3,
-  retryDelay = 1000,
-}) {
-  const url = `${baseUrl}/v1/chat/completions`;
-
-  const body = {
-    model,
-    messages: [{ role: 'user', content: prompt }],
-  };
-
-  if (outputSchema) {
-    body.response_format = {
-      type: 'json_schema',
-      json_schema: {
-        name: 'response',
-        schema: outputSchema,
-      },
-    };
-  }
-
-  let lastError = null;
-
-  for (let attempt = 0; attempt < maxRetries; attempt++) {
-    try {
-      const response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Authorization': `Bearer ${apiKey}`,
-        },
-        body: JSON.stringify(body),
-      });
-
-      // Handle rate limiting
-      if (response.status === 429) {
-        const retryAfter = parseInt(response.headers.get('Retry-After') || '1', 10);
-        await new Promise(r => setTimeout(r, retryAfter * 1000 || retryDelay));
-        continue;
-      }
-
-      if (!response.ok) {
-        const errorBody = await response.json().catch(() => ({}));
-        lastError = new Error(errorBody.error?.message || response.statusText);
-        continue;
-      }
-
-      const data = await response.json();
-      const parsed = parseResponse(data);
-
-      // Get pricing for cost calculation
-      const pricing = API_PRICING[model] || API_PRICING.default;
-      const cost = calculateCost(parsed.tokenUsage, pricing);
-
-      return {
-        ...parsed,
-        exitCode: 0,
-        cost,
-      };
-    } catch (err) {
-      lastError = err;
-
-      if (attempt < maxRetries - 1) {
-        await new Promise(r => setTimeout(r, retryDelay));
-      }
-    }
-  }
-
-  return {
-    raw: '',
-    parsed: null,
-    exitCode: 1,
-    error: lastError?.message || 'API call failed',
-    tokenUsage: null,
-    cost: null,
-  };
-}
-
-/**
- * Create an API provider instance
- * @param {Object} config - Provider configuration
- * @returns {Object} Provider instance
- */
-export function createAPIProvider(config) {
-  const runner = async (prompt, opts) => {
-    if (!config.apiKey && !process.env[`${config.name.toUpperCase()}_API_KEY`]) {
-      throw new Error(`API key not configured for ${config.name}`);
-    }
-
-    return callAPI({
-      baseUrl: config.baseUrl,
-      model: config.model || config.name,
-      prompt,
-      apiKey: config.apiKey || process.env[`${config.name.toUpperCase()}_API_KEY`],
-      outputSchema: opts.outputSchema,
-    });
-  };
-
-  return createProvider({
-    ...config,
-    type: PROVIDER_TYPES.API,
-    devserverOnly: config.devserverOnly ?? true,
-    runner,
-  });
-}
+/**
+ * API Provider - Provider implementation for REST API endpoints
+ * Phase 33, Task 4
+ */
+
+export function calculateCost(tokenUsage, pricing) {
+  const inputCost = (tokenUsage.input / 1000) * pricing.inputPer1k;
+  const outputCost = (tokenUsage.output / 1000) * pricing.outputPer1k;
+  return inputCost + outputCost;
+}
+
+export class APIProvider {
+  constructor(config) {
+    this.name = config.name;
+    this.baseUrl = config.baseUrl;
+    this.model = config.model;
+    this.apiKey = config.apiKey;
+    this.pricing = config.pricing || { inputPer1k: 0, outputPer1k: 0 };
+    this.maxRetries = config.maxRetries || 3;
+    this._fetch = null;
+  }
+
+  async run(prompt, options = {}) {
+    const fetch = this._fetch || globalThis.fetch;
+    const url = this.baseUrl + '/v1/chat/completions';
+
+    const body = {
+      model: this.model,
+      messages: [{ role: 'user', content: prompt }],
+    };
+
+    if (options.outputSchema) {
+      body.response_format = {
+        type: 'json_schema',
+        json_schema: {
+          name: 'response',
+          schema: options.outputSchema,
+        },
+      };
+    }
+
+    let lastError;
+    for (let attempt = 0; attempt < this.maxRetries; attempt++) {
+      try {
+        const response = await fetch(url, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            Authorization: 'Bearer ' + this.apiKey,
+          },
+          body: JSON.stringify(body),
+        });
+
+        if (response.status === 429) {
+          // Rate limited, wait and retry
+          await new Promise(r => setTimeout(r, 1000 * (attempt + 1)));
+          continue;
+        }
+
+        if (!response.ok) {
+          const error = await response.json();
+          throw new Error(error.error?.message || 'API error');
+        }
+
+        const data = await response.json();
+        return this._parseResponse(data);
+      } catch (err) {
+        lastError = err;
+        if (err.message.includes('network') || err.message.includes('Network')) {
+          throw err;
+        }
+      }
+    }
+
+    throw lastError || new Error('Max retries exceeded');
+  }
+
+  _parseResponse(data) {
+    const content = data.choices?.[0]?.message?.content || '';
+    const usage = data.usage || {};
+
+    let parsed = null;
+    try {
+      parsed = JSON.parse(content);
+    } catch {
+      // Not JSON
+    }
+
+    const tokenUsage = {
+      input: usage.prompt_tokens || 0,
+      output: usage.completion_tokens || 0,
+    };
+
+    return {
+      raw: content,
+      parsed,
+      exitCode: 0,
+      tokenUsage,
+      cost: calculateCost(tokenUsage, this.pricing),
+    };
+  }
+}
+
+export default { APIProvider, calculateCost };