upfynai-code 2.4.0 → 2.5.0

package/server/index.js

@@ -1,9 +1,15 @@
 #!/usr/bin/env node
 // Load environment variables before other imports execute
 import './load-env.js';
+
+// Strip Claude Code session markers so spawned CLI processes don't fail with
+// "cannot be launched inside another Claude Code session" errors.
+delete process.env.CLAUDECODE;
+delete process.env.CLAUDE_CODE;
 import crypto from 'crypto';
 import fs from 'fs';
 import path from 'path';
+import jwt from 'jsonwebtoken';
 import { fileURLToPath } from 'url';
 import { dirname } from 'path';
 
@@ -70,9 +76,15 @@ import cliAuthRoutes from './routes/cli-auth.js';
 import userRoutes from './routes/user.js';
 import codexRoutes from './routes/codex.js';
 import paymentRoutes from './routes/payments.js';
-import { initializeDatabase, relayTokensDb, subscriptionDb, credentialsDb } from './database/db.js';
-import { validateApiKey, authenticateToken, authenticateWebSocket } from './middleware/auth.js';
-import { IS_PLATFORM } from './constants/config.js';
+import webhookRoutes from './routes/webhooks.js';
+import workflowRoutes from './routes/workflows.js';
+import voiceRoutes from './routes/voice.js';
+import dashboardRoutes from './routes/dashboard.js';
+import { initScheduler } from './services/workflowScheduler.js';
+import { initializeDatabase, relayTokensDb, subscriptionDb, credentialsDb, userDb } from './database/db.js';
+import { validateApiKey, authenticateToken, authenticateWebSocket, JWT_SECRET } from './middleware/auth.js';
+import { IS_PLATFORM, IS_LOCAL } from './constants/config.js';
+import { execSync } from 'child_process';
 
 // File system watchers for provider project/session folders
 const PROVIDER_WATCH_PATHS = [
@@ -352,7 +364,13 @@ app.locals.wss = wss;
 // Security headers — protect against common web attacks
 app.use((req, res, next) => {
   res.setHeader('X-Content-Type-Options', 'nosniff');
-  res.setHeader('X-Frame-Options', 'DENY');
+  // Allow framing from our own frontend domains (Vercel embeds Railway in an iframe)
+  const allowedFrameOrigins = (process.env.CORS_ORIGINS || '').split(',').map(s => s.trim()).filter(Boolean);
+  if (allowedFrameOrigins.length > 0) {
+    res.setHeader('Content-Security-Policy', `frame-ancestors 'self' ${allowedFrameOrigins.join(' ')}`);
+  } else {
+    res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+  }
   res.setHeader('X-XSS-Protection', '1; mode=block');
   res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
   if (process.env.NODE_ENV === 'production') {
@@ -498,6 +516,10 @@ app.use('/api/codex', authenticateToken, codexRoutes);
 
 // Payment & Subscription Routes (protected)
 app.use('/api/payments', authenticateToken, paymentRoutes);
+app.use('/api/webhooks', authenticateToken, webhookRoutes);
+app.use('/api/workflows', authenticateToken, workflowRoutes);
+app.use('/api/voice', authenticateToken, voiceRoutes);
+app.use('/api/dashboard', authenticateToken, dashboardRoutes);
 
 // Agent API Routes (uses API key authentication)
 app.use('/api/agent', agentRoutes);
@@ -532,6 +554,10 @@ app.delete('/api/relay/tokens/:id', authenticateToken, async (req, res) => {
 });
 
 app.get('/api/relay/status', authenticateToken, (req, res) => {
+    // In local mode, always connected — SDK runs directly on this machine
+    if (IS_LOCAL) {
+        return res.json({ connected: true, local: true, connectedAt: Date.now() });
+    }
     const relay = relayConnections.get(Number(req.user.id));
     res.json({
         connected: !!(relay && relay.ws.readyState === 1),
@@ -539,12 +565,70 @@ app.get('/api/relay/status', authenticateToken, (req, res) => {
     });
 });
 
+/**
+ * Detect installed AI CLI agents on the local machine (server-side).
+ * Used in self-hosted/local mode where no relay is needed.
+ */
+let cachedLocalAgents = null;
+let localAgentsCacheTime = 0;
+function detectLocalAgents() {
+    // Cache for 60 seconds
+    if (cachedLocalAgents && Date.now() - localAgentsCacheTime < 60000) {
+        return cachedLocalAgents;
+    }
+    const isWindows = process.platform === 'win32';
+    const whichCmd = isWindows ? 'where' : 'which';
+    const agents = [
+        { name: 'claude', binary: 'claude', label: 'Claude Code' },
+        { name: 'codex', binary: 'codex', label: 'OpenAI Codex' },
+        { name: 'cursor', binary: 'cursor-agent', label: 'Cursor Agent' },
+    ];
+    const detected = {};
+    for (const agent of agents) {
+        try {
+            const result = execSync(`${whichCmd} ${agent.binary}`, { stdio: 'pipe', timeout: 5000 }).toString().trim();
+            detected[agent.name] = { installed: true, path: result.split('\n')[0].trim(), label: agent.label };
+        } catch {
+            detected[agent.name] = { installed: false, label: agent.label };
+        }
+    }
+    cachedLocalAgents = detected;
+    localAgentsCacheTime = Date.now();
+    return detected;
+}
+
 // Connection status — alias at path the frontend expects
 app.get('/api/auth/connection-status', authenticateToken, (req, res) => {
     const relay = relayConnections.get(Number(req.user.id));
+    const connected = !!(relay && relay.ws.readyState === 1);
+
+    // In local mode, always "connected" — SDK runs directly on this machine
+    if (IS_LOCAL) {
+        const agents = detectLocalAgents();
+        return res.json({
+            connected: true,
+            local: true,
+            connectedAt: Date.now(),
+            agents,
+            machine: {
+                hostname: os.hostname(),
+                platform: process.platform,
+                cwd: process.cwd(),
+            }
+        });
+    }
+
     res.json({
-        connected: !!(relay && relay.ws.readyState === 1),
-        connectedAt: relay?.connectedAt || null
+        connected,
+        local: false,
+        connectedAt: relay?.connectedAt || null,
+        agents: connected ? (relay.agents || null) : null,
+        machine: connected ? {
+            hostname: relay.machine,
+            platform: relay.platform,
+            cwd: relay.cwd,
+            version: relay.version,
+        } : null
     });
 });
 
@@ -1128,35 +1212,51 @@ function handleChatConnection(ws, request) {
                 }
                 if (sid) lockedSessionsForThisWs.add(sid);
 
-                console.log('[DEBUG] User message:', data.command || '[Continue/Resume]');
-                console.log('📁 Project:', data.options?.projectPath || 'Unknown');
-
-                // BYOK: look up user's Anthropic API key, inject if available
-                const userAnthropicKey = wsUser?.userId
-                    ? await getUserProviderKey(wsUser.userId, 'anthropic_key')
-                    : null;
-
-                await withUserApiKey('ANTHROPIC_API_KEY', userAnthropicKey, () =>
-                    queryClaudeSDK(data.command, data.options, writer)
-                );
+                // Check if user has active relay → route to local machine
+                if (hasActiveRelay(wsUser?.userId)) {
+                    await routeViaRelay(wsUser.userId, 'claude-query', data, writer, {
+                        response: 'claude-response',
+                        complete: 'claude-complete',
+                        error: 'claude-error'
+                    });
+                } else {
+                    // Fall back to server-side SDK
+                    const userAnthropicKey = wsUser?.userId
+                        ? await getUserProviderKey(wsUser.userId, 'anthropic_key')
+                        : null;
+
+                    await withUserApiKey('ANTHROPIC_API_KEY', userAnthropicKey, () =>
+                        queryClaudeSDK(data.command, data.options, writer)
+                    );
+                }
             } else if (data.type === 'cursor-command') {
-                console.log('[DEBUG] Cursor message:', data.command || '[Continue/Resume]');
-                console.log('📁 Project:', data.options?.cwd || 'Unknown');
-                console.log('🤖 Model:', data.options?.model || 'default');
-                await spawnCursor(data.command, data.options, writer);
+                // Check if user has active relay → route to local machine
+                if (hasActiveRelay(wsUser?.userId)) {
+                    await routeViaRelay(wsUser.userId, 'cursor-query', data, writer, {
+                        response: 'cursor-response',
+                        complete: 'cursor-complete',
+                        error: 'cursor-error'
+                    });
+                } else {
+                    await spawnCursor(data.command, data.options, writer);
+                }
             } else if (data.type === 'codex-command') {
-                console.log('[DEBUG] Codex message:', data.command || '[Continue/Resume]');
-                console.log('📁 Project:', data.options?.projectPath || data.options?.cwd || 'Unknown');
-                console.log('🤖 Model:', data.options?.model || 'default');
-
-                // BYOK: look up user's OpenAI API key, inject if available
-                const userOpenaiKey = wsUser?.userId
-                    ? await getUserProviderKey(wsUser.userId, 'openai_key')
-                    : null;
+                // Check if user has active relay → route to local machine
+                if (hasActiveRelay(wsUser?.userId)) {
+                    await routeViaRelay(wsUser.userId, 'codex-query', data, writer, {
+                        response: 'codex-response',
+                        complete: 'codex-complete',
+                        error: 'codex-error'
+                    });
+                } else {
+                    const userOpenaiKey = wsUser?.userId
+                        ? await getUserProviderKey(wsUser.userId, 'openai_key')
+                        : null;
 
-                await withUserApiKey('OPENAI_API_KEY', userOpenaiKey, () =>
-                    queryCodex(data.command, data.options, writer)
-                );
+                    await withUserApiKey('OPENAI_API_KEY', userOpenaiKey, () =>
+                        queryCodex(data.command, data.options, writer)
+                    );
+                }
             } else if (data.type === 'openrouter-command') {
                 console.log('[DEBUG] OpenRouter message:', data.command?.slice(0, 60) || '[empty]');
                 console.log('🤖 Model:', data.options?.model || OPENROUTER_MODELS.DEFAULT);
@@ -1288,12 +1388,21 @@ async function handleRelayConnection(ws, token, request) {
     const userId = Number(tokenData.user_id);
     const username = tokenData.username;
 
-    // Extract optional Anthropic API key from relay handshake headers
+    // Extract optional headers from relay handshake
     const anthropicApiKey = request?.headers?.['x-anthropic-api-key'] || null;
+    const relayVersion = request?.headers?.['x-upfyn-version'] || null;
+    const relayMachine = request?.headers?.['x-upfyn-machine'] || null;
+    const relayPlatform = request?.headers?.['x-upfyn-platform'] || null;
+    const relayCwd = request?.headers?.['x-upfyn-cwd'] || null;
 
     // Store relay connection with API key in memory only (use Number() for consistent Map key type)
     // API key is held per-user in the relay connection, NOT in process.env
-    relayConnections.set(userId, { ws, user: tokenData, connectedAt: Date.now(), anthropicApiKey });
+    relayConnections.set(userId, {
+        ws, user: tokenData, connectedAt: Date.now(), anthropicApiKey,
+        version: relayVersion, machine: relayMachine, platform: relayPlatform, cwd: relayCwd,
+        agents: null, // populated when client sends agent-capabilities
+        lastPong: Date.now(),
+    });
 
     ws.send(JSON.stringify({
         type: 'relay-connected',
@@ -1344,8 +1453,33 @@ async function handleRelayConnection(ws, token, request) {
                 return;
             }
 
+            // Agent capabilities report from relay client
+            if (data.type === 'agent-capabilities') {
+                const relay = relayConnections.get(userId);
+                if (relay) {
+                    relay.agents = data.agents || {};
+                    relay.machine = data.machine || relay.machine;
+                }
+                // Broadcast agent info to browser clients
+                for (const client of connectedClients) {
+                    try {
+                        if (client.readyState === 1) {
+                            client.send(JSON.stringify({
+                                type: 'relay-agents',
+                                userId,
+                                agents: data.agents || {},
+                                machine: data.machine || {}
+                            }));
+                        }
+                    } catch (e) { /* ignore */ }
+                }
+                return;
+            }
+
             // Heartbeat
             if (data.type === 'ping') {
+                const relay = relayConnections.get(userId);
+                if (relay) relay.lastPong = Date.now();
                 ws.send(JSON.stringify({ type: 'pong' }));
                 return;
             }
@@ -1354,7 +1488,29 @@ async function handleRelayConnection(ws, token, request) {
         }
     });
 
+    // Server-side heartbeat: ping relay client every 45s, terminate if no pong in 90s
+    const relayHeartbeat = setInterval(() => {
+        const relay = relayConnections.get(userId);
+        if (!relay || relay.ws !== ws) {
+            clearInterval(relayHeartbeat);
+            return;
+        }
+        // If no ping received from client in 90s, consider connection stale
+        if (Date.now() - relay.lastPong > 90000) {
+            clearInterval(relayHeartbeat);
+            ws.terminate();
+            return;
+        }
+        // Send server-side ping to keep connection alive through proxies
+        try {
+            if (ws.readyState === 1) {
+                ws.send(JSON.stringify({ type: 'server-ping' }));
+            }
+        } catch { /* ignore */ }
+    }, 45000);
+
     ws.on('close', () => {
+        clearInterval(relayHeartbeat);
         relayConnections.delete(userId);
         // Clean up pending requests for this user
         for (const [reqId, pending] of pendingRelayRequests) {
@@ -1364,7 +1520,6 @@ async function handleRelayConnection(ws, token, request) {
                 pendingRelayRequests.delete(reqId);
             }
         }
-        // relay disconnected
 
         // Broadcast relay status
         for (const client of connectedClients) {
@@ -1376,8 +1531,8 @@ async function handleRelayConnection(ws, token, request) {
         }
     });
 
-    ws.on('error', (err) => {
-        // relay error
+    ws.on('error', () => {
+        clearInterval(relayHeartbeat);
     });
 }
 
@@ -1394,7 +1549,7 @@ function sendRelayCommand(userId, action, payload, onStream = null, timeoutMs =
     return new Promise((resolve, reject) => {
         const relay = relayConnections.get(userId);
         if (!relay || relay.ws.readyState !== 1) {
-            reject(new Error('No relay connection. Run "upfynai-code connect" on your local machine.'));
+            reject(new Error('No relay connection. Run "uc connect" on your local machine.'));
             return;
         }
 
@@ -1415,6 +1570,99 @@ function sendRelayCommand(userId, action, payload, onStream = null, timeoutMs =
     });
 }
 
+/**
+ * Check if a user has an active relay connection
+ */
+function hasActiveRelay(userId) {
+    if (!userId) return false;
+    const relay = relayConnections.get(Number(userId));
+    return relay && relay.ws.readyState === 1;
+}
+
+/**
+ * Route a chat command through the user's relay connection to their local machine.
+ * Translates relay-stream/relay-complete events into the format the frontend expects.
+ *
+ * @param {number} userId - User ID
+ * @param {string} action - Relay action (claude-query, codex-query, cursor-query)
+ * @param {object} data - Original command data from the browser
+ * @param {object} writer - WebSocket writer to send events to browser
+ * @param {object} eventMap - Maps relay stream data types to chat event types
+ */
+async function routeViaRelay(userId, action, data, writer, eventMap = {}) {
+    const sessionId = data.options?.sessionId || `relay-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+
+    // Send session-created so the frontend can track this query
+    writer.send({ type: 'session-created', sessionId });
+
+    // Determine event types from the provider
+    const responseType = eventMap.response || 'claude-response';
+    const completeType = eventMap.complete || 'claude-complete';
+    const errorType = eventMap.error || 'claude-error';
+
+    let fullContent = '';
+
+    try {
+        const result = await sendRelayCommand(
+            Number(userId),
+            action,
+            {
+                command: data.command,
+                options: data.options || {}
+            },
+            // onStream callback — translates relay events to chat events
+            (streamData) => {
+                if (streamData.type === 'claude-response' || streamData.type === 'codex-response' || streamData.type === 'cursor-response') {
+                    fullContent += streamData.content || '';
+                    writer.send({
+                        type: responseType,
+                        data: {
+                            type: 'assistant',
+                            message: {
+                                type: 'text',
+                                text: streamData.content || ''
+                            }
+                        },
+                        sessionId
+                    });
+                } else if (streamData.type === 'claude-error' || streamData.type === 'codex-error' || streamData.type === 'cursor-error') {
+                    writer.send({
+                        type: responseType,
+                        data: {
+                            type: 'assistant',
+                            message: {
+                                type: 'text',
+                                text: streamData.content || ''
+                            }
+                        },
+                        sessionId
+                    });
+                }
+            },
+            600000 // 10 minute timeout for AI queries
+        );
+
+        // Send completion event
+        writer.send({
+            type: completeType,
+            sessionId,
+            exitCode: result?.exitCode ?? 0,
+            isNewSession: !data.options?.sessionId,
+            viaRelay: true
+        });
+    } catch (error) {
+        const isRelayLost = error.message?.includes('Relay disconnected') || error.message?.includes('No relay connection') || error.message?.includes('Relay request timed out');
+        writer.send({
+            type: errorType,
+            error: isRelayLost
+                ? 'Your machine disconnected. Please reconnect with "uc connect" and try again.'
+                : error.message,
+            sessionId,
+            relayDisconnected: isRelayLost
+        });
+    }
+}
+
 // Handle shell WebSocket connections
 function handleShellConnection(ws) {
     if (!pty) {
@@ -1440,6 +1688,7 @@ function handleShellConnection(ws) {
                 const provider = data.provider || 'claude';
                 const initialCommand = data.initialCommand;
                 const isPlainShell = data.isPlainShell || (!!initialCommand && !hasSession) || provider === 'plain-shell';
+                const shellType = data.shellType || null;
                 urlDetectionBuffer = '';
                 announcedAuthUrls.clear();
 
@@ -1521,11 +1770,17 @@ function handleShellConnection(ws) {
                     // Prepare the shell command adapted to the platform and provider
                     let shellCommand;
                     if (isPlainShell) {
-                        // Plain shell mode - just run the initial command in the project directory
-                        if (os.platform() === 'win32') {
-                            shellCommand = `Set-Location -Path "${projectPath}"; ${initialCommand}`;
+                        // Plain shell mode - run initial command or open interactive shell
+                        const usesPowerShell = !shellType || shellType === 'powershell';
+                        if (initialCommand) {
+                            if (usesPowerShell) {
+                                shellCommand = `Set-Location -Path "${projectPath}"; ${initialCommand}`;
+                            } else {
+                                shellCommand = `cd "${projectPath}" && ${initialCommand}`;
+                            }
                         } else {
-                            shellCommand = `cd "${projectPath}" && ${initialCommand}`;
+                            // Interactive shell tab — spawn shell directly (no command wrapper)
+                            shellCommand = null;
                         }
                     } else if (provider === 'cursor') {
                         // Use cursor-agent command
@@ -1563,9 +1818,19 @@ function handleShellConnection(ws) {
 
                     console.log('🔧 Executing shell command:', shellCommand);
 
-                    // Use appropriate shell based on platform
-                    const shell = os.platform() === 'win32' ? 'powershell.exe' : 'bash';
-                    const shellArgs = os.platform() === 'win32' ? ['-Command', shellCommand] : ['-c', shellCommand];
+                    // Use appropriate shell based on platform and requested shellType
+                    const shellMap = {
+                        'powershell': { cmd: 'powershell.exe', args: ['-Command'] },
+                        'cmd': { cmd: 'cmd.exe', args: ['/c'] },
+                        'bash': { cmd: 'bash', args: ['-c'] },
+                    };
+                    const defaultShell = os.platform() === 'win32'
+                        ? { cmd: 'powershell.exe', args: ['-Command'] }
+                        : { cmd: 'bash', args: ['-c'] };
+                    const selectedShell = (shellType && shellMap[shellType]) || defaultShell;
+                    const shell = selectedShell.cmd;
+                    // If shellCommand is null, spawn an interactive shell with no args
+                    const shellArgs = shellCommand ? [...selectedShell.args, shellCommand] : [];
 
                     // Use terminal dimensions from client if provided, otherwise use defaults
                     const termCols = data.cols || 80;
@@ -1576,7 +1841,7 @@ function handleShellConnection(ws) {
                         name: 'xterm-256color',
                         cols: termCols,
                         rows: termRows,
-                        cwd: os.homedir(),
+                        cwd: shellCommand ? os.homedir() : projectPath,
                         env: {
                             ...process.env,
                             TERM: 'xterm-256color',
@@ -2165,9 +2430,29 @@ app.get('*', (req, res) => {
     return res.status(404).send('Not found');
   }
 
+  // If a JWT token is in the query param and no session cookie exists,
+  // set the cookie now so the client-side AuthContext can authenticate on subsequent API calls.
+  if (req.query?.token && !req.cookies?.session) {
+    try {
+      const decoded = jwt.verify(req.query.token, JWT_SECRET);
+      if (decoded?.userId) {
+        const isSecure = process.env.NODE_ENV === 'production' || !!process.env.RAILWAY_ENVIRONMENT;
+        res.cookie('session', req.query.token, {
+          httpOnly: true,
+          secure: isSecure,
+          sameSite: isSecure ? 'none' : 'strict',
+          maxAge: 30 * 24 * 60 * 60 * 1000,
+          path: '/',
+        });
+      }
+    } catch (e) {
+      // Invalid token — just serve the page without setting cookie
+    }
+  }
+
   // Only serve index.html for HTML routes, not for static assets
   // Static assets should already be handled by express.static middleware above
-  const indexPath = path.join(__dirname, '../dist/index.html');
+  const indexPath = path.join(__dirname, '../client/dist/index.html');
 
   // Check if dist/index.html exists (production build available)
   if (fs.existsSync(indexPath)) {
@@ -2274,8 +2559,20 @@ async function startServer() {
         // Initialize authentication database
         await initializeDatabase();
 
+        // In local mode, ensure a default user exists (no signup needed)
+        if (IS_LOCAL) {
+            const hasUsers = await userDb.hasUsers();
+            if (!hasUsers) {
+                const localUsername = os.userInfo().username || 'local';
+                const dummyHash = crypto.randomBytes(32).toString('hex');
+                await userDb.createUser(localUsername, dummyHash);
+                console.log(`${c.ok('[LOCAL]')} Created local user: ${c.bright(localUsername)}`);
+            }
+            console.log(`${c.info('[MODE]')} Running in ${c.bright('LOCAL')} mode (no login required)`);
+        }
+
         // Check if running in production mode (dist folder exists OR NODE_ENV/RAILWAY set)
-        const distIndexPath = path.join(__dirname, '../dist/index.html');
+        const distIndexPath = path.join(__dirname, '../client/dist/index.html');
         const isProduction = fs.existsSync(distIndexPath) || process.env.NODE_ENV === 'production' || !!process.env.RAILWAY_ENVIRONMENT;
 
         // Log Claude implementation mode
@@ -2298,6 +2595,9 @@ async function startServer() {
             console.log(`${c.info('[INFO]')} MCP Server:  ${c.bright('http://0.0.0.0:' + PORT + '/mcp')}`);
             console.log(`${c.info('[INFO]')} Installed at: ${c.dim(appInstallPath)}`);
             console.log(`${c.tip('[TIP]')}  Run "uc status" for full configuration details`);
+
+            // Start workflow cron scheduler
+            initScheduler().catch(err => console.warn('[Scheduler]', err.message));
             console.log('');
 
             // Start watching the projects folder for changes (skip on Vercel)

package/server/mcp-server.js

@@ -31,7 +31,8 @@ import crypto from 'crypto';
 import jwt from 'jsonwebtoken';
 import { userDb, apiKeysDb, relayTokensDb } from './database/db.js';
 
-const JWT_SECRET = process.env.JWT_SECRET?.trim() || (() => { throw new Error('JWT_SECRET required'); })();
+import { IS_PLATFORM } from './constants/config.js';
+const JWT_SECRET = process.env.JWT_SECRET?.trim() || (IS_PLATFORM ? crypto.randomBytes(32).toString('hex') : (() => { throw new Error('JWT_SECRET required'); })());
 
 // In-memory canvas state (Excalidraw elements, synced via WebSocket with browser clients)
 let canvasElements = [];

package/server/middleware/auth.js

@@ -1,11 +1,17 @@
 import jwt from 'jsonwebtoken';
+import crypto from 'crypto';
 import { userDb, relayTokensDb } from '../database/db.js';
 import { IS_PLATFORM } from '../constants/config.js';
 
-const JWT_SECRET = process.env.JWT_SECRET?.trim();
+let JWT_SECRET = process.env.JWT_SECRET?.trim();
 if (!JWT_SECRET) {
-  console.error('[SECURITY] JWT_SECRET environment variable is required. Server cannot start without it.');
-  process.exit(1);
+  if (IS_PLATFORM) {
+    // In local/self-hosted mode, generate a random secret (auth is bypassed anyway)
+    JWT_SECRET = crypto.randomBytes(32).toString('hex');
+  } else {
+    console.error('[SECURITY] JWT_SECRET environment variable is required. Server cannot start without it.');
+    process.exit(1);
+  }
 }
 
 // Optional static API key middleware
@@ -27,10 +33,8 @@ const extractToken = (req) => {
   const authHeader = req.headers['authorization'];
   if (authHeader?.startsWith('Bearer ')) return authHeader.slice(7);
 
-  // 3. Query param — ONLY for SSE EventSource (which cannot set custom headers)
-  // Restricted to GET requests with Accept: text/event-stream to minimize exposure
-  if (req.query?.token && req.method === 'GET' &&
-      (req.headers.accept || '').includes('text/event-stream')) {
+  // 3. Query param — for GET requests (SSE EventSource + iframe embedding)
+  if (req.query?.token && req.method === 'GET') {
     return req.query.token;
   }
 
@@ -62,6 +66,10 @@ const authenticateToken = async (req, res, next) => {
     const user = await userDb.getUserById(decoded.userId);
     if (!user) return res.status(401).json({ error: 'Invalid token. User not found.' });
     req.user = user;
+    // If token came from query param, set session cookie for subsequent requests (iframe auto-auth)
+    if (req.query?.token && !req.cookies?.session) {
+      res.cookie('session', token, COOKIE_OPTIONS);
+    }
     next();
   } catch (error) {
     return res.status(403).json({ error: 'Invalid or expired token' });
@@ -79,10 +87,13 @@ const generateToken = (user) => {
 
 // Cookie config for httpOnly session
 // Works for both self-hosted (same origin) and split deploy (Vercel proxy → Railway)
+const isSecureEnv = process.env.NODE_ENV === 'production' || !!process.env.VERCEL || !!process.env.RAILWAY_ENVIRONMENT;
 const COOKIE_OPTIONS = {
   httpOnly: true,
-  secure: process.env.NODE_ENV === 'production' || !!process.env.VERCEL || !!process.env.RAILWAY_ENVIRONMENT,
-  sameSite: 'strict',
+  secure: isSecureEnv,
+  // 'none' required for cross-origin iframe embedding (Vercel frontend → Railway backend)
+  // 'strict' used in local/dev mode where everything is same-origin
+  sameSite: isSecureEnv ? 'none' : 'strict',
   maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
   path: '/',
 };