upfynai-code 2.4.0 → 2.5.0

package/server/routes/dashboard.js

@@ -0,0 +1,52 @@
+import { Router } from 'express';
+import { getProjects, getSessions } from '../projects.js';
+
+const router = Router();
+
+/**
+ * GET /api/dashboard/stats — Dashboard usage analytics
+ * Returns session counts, provider breakdown, and today's activity.
+ */
+router.get('/stats', async (req, res) => {
+  try {
+    const projects = await getProjects();
+    let totalSessions = 0;
+    let todaySessions = 0;
+    const providers = {};
+    const today = new Date().toISOString().slice(0, 10);
+
+    for (const project of projects) {
+      // Count sessions per provider
+      for (const provider of ['claude', 'cursor', 'codex']) {
+        try {
+          const sessions = await getSessions(project.name, provider);
+          if (sessions && sessions.length) {
+            totalSessions += sessions.length;
+            providers[provider] = (providers[provider] || 0) + sessions.length;
+
+            // Count today's sessions
+            for (const s of sessions) {
+              const created = s.created_at || s.createdAt || '';
+              if (created.startsWith(today)) {
+                todaySessions++;
+              }
+            }
+          }
+        } catch (e) {
+          // Provider not available for this project
+        }
+      }
+    }
+
+    res.json({
+      total: totalSessions,
+      today: todaySessions,
+      providers,
+      projectCount: projects.length,
+    });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch dashboard stats' });
+  }
+});
+
+export default router;

package/server/routes/projects.js

@@ -12,8 +12,11 @@ function sanitizeGitError(message, token) {
   return message.replace(new RegExp(token.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'g'), '***');
 }
 
-// Configure allowed workspace root (defaults to user's home directory)
-export const WORKSPACES_ROOT = process.env.WORKSPACES_ROOT || os.homedir();
+// Configure allowed workspace root.
+// In local/platform mode, allow any path (no root restriction) unless explicitly set.
+// In hosted mode, default to user's home directory for security.
+const IS_LOCAL = !process.env.RAILWAY_ENVIRONMENT && !process.env.VERCEL && !process.env.RENDER;
+export const WORKSPACES_ROOT = process.env.WORKSPACES_ROOT || (IS_LOCAL ? null : os.homedir());
 
 // System-critical paths that should never be used as workspace directories
 export const FORBIDDEN_PATHS = [
@@ -110,42 +113,41 @@ export async function validateWorkspacePath(requestedPath) {
       }
     }
 
-    // Resolve the workspace root to its real path
-    const resolvedWorkspaceRoot = await fs.realpath(WORKSPACES_ROOT);
+    // If a workspace root is configured, enforce containment
+    if (WORKSPACES_ROOT) {
+      const resolvedWorkspaceRoot = await fs.realpath(WORKSPACES_ROOT);
 
-    // Ensure the resolved path is contained within the allowed workspace root
-    if (!realPath.startsWith(resolvedWorkspaceRoot + path.sep) &&
-        realPath !== resolvedWorkspaceRoot) {
-      return {
-        valid: false,
-        error: `Workspace path must be within the allowed workspace root: ${WORKSPACES_ROOT}`
-      };
-    }
+      if (!realPath.startsWith(resolvedWorkspaceRoot + path.sep) &&
+          realPath !== resolvedWorkspaceRoot) {
+        return {
+          valid: false,
+          error: `Workspace path must be within the allowed workspace root: ${WORKSPACES_ROOT}`
+        };
+      }
 
-    // Additional symlink check for existing paths
-    try {
-      await fs.access(absolutePath);
-      const stats = await fs.lstat(absolutePath);
-
-      if (stats.isSymbolicLink()) {
-        // Verify symlink target is also within allowed root
-        const linkTarget = await fs.readlink(absolutePath);
-        const resolvedTarget = path.resolve(path.dirname(absolutePath), linkTarget);
-        const realTarget = await fs.realpath(resolvedTarget);
-
-        if (!realTarget.startsWith(resolvedWorkspaceRoot + path.sep) &&
-            realTarget !== resolvedWorkspaceRoot) {
-          return {
-            valid: false,
-            error: 'Symlink target is outside the allowed workspace root'
-          };
+      // Additional symlink check for existing paths
+      try {
+        await fs.access(absolutePath);
+        const stats = await fs.lstat(absolutePath);
+
+        if (stats.isSymbolicLink()) {
+          const linkTarget = await fs.readlink(absolutePath);
+          const resolvedTarget = path.resolve(path.dirname(absolutePath), linkTarget);
+          const realTarget = await fs.realpath(resolvedTarget);
+
+          if (!realTarget.startsWith(resolvedWorkspaceRoot + path.sep) &&
+              realTarget !== resolvedWorkspaceRoot) {
+            return {
+              valid: false,
+              error: 'Symlink target is outside the allowed workspace root'
+            };
+          }
+        }
+      } catch (error) {
+        if (error.code !== 'ENOENT') {
+          throw error;
         }
       }
-    } catch (error) {
-      if (error.code !== 'ENOENT') {
-        throw error;
-      }
-      // Path doesn't exist - that's fine for new workspace creation
     }
 
     return {
@@ -301,7 +303,8 @@ router.post('/create-workspace', async (req, res) => {
   } catch (error) {
     // workspace creation error
     res.status(500).json({
-      error: 'Failed to create workspace'
+      error: 'Failed to create workspace',
+      details: error.message
     });
   }
 });

package/server/routes/voice.js

@@ -0,0 +1,198 @@
+import express from 'express';
+import multer from 'multer';
+import path from 'path';
+import os from 'os';
+import { promises as fs } from 'fs';
+import { isWhisperAvailable, transcribeLocal } from '../services/whisperService.js';
+
+const router = express.Router();
+const upload = multer({ storage: multer.memoryStorage(), limits: { fileSize: 25 * 1024 * 1024 } }); // 25MB max
+
+/**
+ * Helper: Get user's OpenAI key (BYOK) or server env key.
+ * Imported lazily to avoid circular deps.
+ */
+async function getOpenAIKey(userId) {
+  try {
+    const { credentialsDb } = await import('../database/db.js');
+    const creds = await credentialsDb.getCredentials(userId, 'openai_key');
+    const active = creds.find(c => c.is_active);
+    return active?.credential_value || process.env.OPENAI_API_KEY || null;
+  } catch {
+    return process.env.OPENAI_API_KEY || null;
+  }
+}
+
+/**
+ * POST /api/voice/stt — Speech-to-text
+ * Primary: OpenAI Whisper API (cloud)
+ * Fallback: nodejs-whisper (local, when no API key)
+ */
+router.post('/stt', upload.single('audio'), async (req, res) => {
+  try {
+    if (!req.file) {
+      return res.status(400).json({ error: 'No audio file provided' });
+    }
+
+    const mode = req.body?.mode || 'default';
+    const apiKey = await getOpenAIKey(req.user?.id);
+
+    // Try OpenAI Whisper API first
+    if (apiKey) {
+      try {
+        const FormData = (await import('form-data')).default;
+        const formData = new FormData();
+        formData.append('file', req.file.buffer, {
+          filename: req.file.originalname || 'audio.webm',
+          contentType: req.file.mimetype || 'audio/webm'
+        });
+        formData.append('model', 'whisper-1');
+        formData.append('response_format', 'json');
+        formData.append('language', 'en');
+
+        const response = await fetch('https://api.openai.com/v1/audio/transcriptions', {
+          method: 'POST',
+          headers: {
+            'Authorization': `Bearer ${apiKey}`,
+            ...formData.getHeaders()
+          },
+          body: formData
+        });
+
+        if (!response.ok) {
+          const errorData = await response.json().catch(() => ({}));
+          throw new Error(errorData.error?.message || `Whisper API error: ${response.status}`);
+        }
+
+        const data = await response.json();
+        let text = data.text || '';
+
+        // Enhancement modes (prompt, vibe, architect)
+        if (text && mode !== 'default') {
+          text = await enhanceTranscription(text, mode, apiKey);
+        }
+
+        return res.json({ text, source: 'openai' });
+      } catch (err) {
+        // If cloud fails, try local fallback
+        console.warn('[Voice STT] OpenAI API failed, trying local:', err.message);
+      }
+    }
+
+    // Fallback: local nodejs-whisper
+    const localAvailable = await isWhisperAvailable();
+    if (localAvailable) {
+      // Write buffer to temp file for nodejs-whisper
+      const tmpFile = path.join(os.tmpdir(), `stt-${Date.now()}.webm`);
+      await fs.writeFile(tmpFile, req.file.buffer);
+      try {
+        const text = await transcribeLocal(tmpFile);
+        if (text) return res.json({ text, source: 'local' });
+      } finally {
+        await fs.unlink(tmpFile).catch(() => {});
+      }
+    }
+
+    return res.status(500).json({ error: 'No STT engine available. Add your OpenAI key in Settings > AI Providers, or install nodejs-whisper + ffmpeg for local transcription.' });
+  } catch (error) {
+    console.error('[Voice STT] Error:', error.message);
+    res.status(500).json({ error: 'Transcription failed' });
+  }
+});
+
+/**
+ * POST /api/voice/tts — Text-to-speech using Edge-TTS
+ * Returns audio/mp3 blob
+ */
+router.post('/tts', async (req, res) => {
+  try {
+    const { text, voice = 'en-US-AriaNeural' } = req.body;
+    if (!text || typeof text !== 'string') {
+      return res.status(400).json({ error: 'Text is required' });
+    }
+
+    // Truncate very long text to avoid excessive audio generation
+    const truncated = text.length > 5000 ? text.slice(0, 5000) : text;
+
+    const { EdgeTTS } = await import('edge-tts-universal');
+    const tts = new EdgeTTS(truncated, voice);
+    const result = await tts.synthesize();
+    const audioBuffer = Buffer.from(await result.audio.arrayBuffer());
+
+    res.setHeader('Content-Type', 'audio/mp3');
+    res.setHeader('Content-Length', audioBuffer.length);
+    res.send(audioBuffer);
+  } catch (error) {
+    console.error('[Voice TTS] Error:', error.message);
+    res.status(500).json({ error: 'TTS synthesis failed' });
+  }
+});
+
+/**
+ * GET /api/voice/voices — List available TTS voices
+ */
+router.get('/voices', async (req, res) => {
+  try {
+    const { listVoices } = await import('edge-tts-universal');
+    const voices = await listVoices();
+
+    // Filter to English voices and simplify the response
+    const englishVoices = voices
+      .filter(v => v.Locale?.startsWith('en-'))
+      .map(v => ({
+        id: v.ShortName,
+        name: v.FriendlyName || v.ShortName,
+        locale: v.Locale,
+        gender: v.Gender
+      }));
+
+    res.json({ voices: englishVoices });
+  } catch (error) {
+    console.error('[Voice Voices] Error:', error.message);
+    res.status(500).json({ error: 'Failed to fetch voices' });
+  }
+});
+
+/**
+ * Enhance transcribed text using GPT (prompt engineering, vibe coding, etc.)
+ */
+async function enhanceTranscription(text, mode, apiKey) {
+  try {
+    const OpenAI = (await import('openai')).default;
+    const openai = new OpenAI({ apiKey });
+
+    let systemMessage, prompt, temperature = 0.7, maxTokens = 800;
+
+    switch (mode) {
+      case 'prompt':
+        systemMessage = 'You are an expert prompt engineer who creates clear, detailed, and effective prompts.';
+        prompt = `Transform the following rough instruction into a clear, detailed, and context-aware AI prompt.\n\nYour enhanced prompt should:\n1. Be specific and unambiguous\n2. Include relevant context and constraints\n3. Specify the desired output format\n4. Use clear, actionable language\n\nRough instruction: "${text}"\n\nEnhanced prompt:`;
+        break;
+      case 'vibe':
+      case 'instructions':
+      case 'architect':
+        systemMessage = 'You are a helpful assistant that formats ideas into clear, actionable instructions for AI agents.';
+        temperature = 0.5;
+        prompt = `Transform the following idea into clear, well-structured instructions that an AI agent can easily understand and execute.\n\nIMPORTANT RULES:\n- Format as clear, step-by-step instructions\n- Add reasonable implementation details based on common patterns\n- Only include details directly related to what was asked\n- Do NOT add features or functionality not mentioned\n- Keep the original intent and scope intact\n\nIdea: "${text}"\n\nAgent instructions:`;
+        break;
+      default:
+        return text;
+    }
+
+    const completion = await openai.chat.completions.create({
+      model: 'gpt-4o-mini',
+      messages: [
+        { role: 'system', content: systemMessage },
+        { role: 'user', content: prompt }
+      ],
+      temperature,
+      max_tokens: maxTokens
+    });
+
+    return completion.choices[0]?.message?.content || text;
+  } catch {
+    return text; // Fallback to original on error
+  }
+}
+
+export default router;

package/server/routes/webhooks.js

@@ -0,0 +1,166 @@
+import express from 'express';
+import { webhookDb } from '../database/db.js';
+
+const router = express.Router();
+
+// GET /api/webhooks — list all webhooks for the user
+router.get('/', async (req, res) => {
+  try {
+    const webhooks = await webhookDb.getAll(req.user.id);
+    res.json({ webhooks });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch webhooks' });
+  }
+});
+
+// POST /api/webhooks — create a webhook
+router.post('/', async (req, res) => {
+  try {
+    const { name, url, method, headers, description } = req.body;
+    if (!name || !name.trim()) return res.status(400).json({ error: 'Name is required' });
+    if (!url || !url.trim()) return res.status(400).json({ error: 'URL is required' });
+
+    try { new URL(url); } catch { return res.status(400).json({ error: 'Invalid URL' }); }
+
+    const allowedMethods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'];
+    const m = (method || 'POST').toUpperCase();
+    if (!allowedMethods.includes(m)) return res.status(400).json({ error: 'Invalid HTTP method' });
+
+    // Validate headers is valid JSON if provided
+    let headersStr = '{}';
+    if (headers) {
+      if (typeof headers === 'string') {
+        try { JSON.parse(headers); headersStr = headers; } catch { return res.status(400).json({ error: 'Headers must be valid JSON' }); }
+      } else {
+        headersStr = JSON.stringify(headers);
+      }
+    }
+
+    const webhook = await webhookDb.create(req.user.id, {
+      name: name.trim(),
+      url: url.trim(),
+      method: m,
+      headers: headersStr,
+      description: description?.trim() || null
+    });
+    res.json({ success: true, webhook });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to create webhook' });
+  }
+});
+
+// PUT /api/webhooks/:id — update a webhook
+router.put('/:id', async (req, res) => {
+  try {
+    const { name, url, method, headers, description } = req.body;
+    if (!name || !name.trim()) return res.status(400).json({ error: 'Name is required' });
+    if (!url || !url.trim()) return res.status(400).json({ error: 'URL is required' });
+
+    try { new URL(url); } catch { return res.status(400).json({ error: 'Invalid URL' }); }
+
+    let headersStr = '{}';
+    if (headers) {
+      if (typeof headers === 'string') {
+        try { JSON.parse(headers); headersStr = headers; } catch { return res.status(400).json({ error: 'Headers must be valid JSON' }); }
+      } else {
+        headersStr = JSON.stringify(headers);
+      }
+    }
+
+    const updated = await webhookDb.update(Number(req.params.id), req.user.id, {
+      name: name.trim(),
+      url: url.trim(),
+      method: (method || 'POST').toUpperCase(),
+      headers: headersStr,
+      description: description?.trim() || null
+    });
+
+    if (!updated) return res.status(404).json({ error: 'Webhook not found' });
+    res.json({ success: true });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to update webhook' });
+  }
+});
+
+// DELETE /api/webhooks/:id — delete a webhook
+router.delete('/:id', async (req, res) => {
+  try {
+    const deleted = await webhookDb.delete(Number(req.params.id), req.user.id);
+    if (!deleted) return res.status(404).json({ error: 'Webhook not found' });
+    res.json({ success: true });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to delete webhook' });
+  }
+});
+
+// POST /api/webhooks/:id/test — fire a test request to the webhook
+router.post('/:id/test', async (req, res) => {
+  try {
+    const webhook = await webhookDb.getById(Number(req.params.id), req.user.id);
+    if (!webhook) return res.status(404).json({ error: 'Webhook not found' });
+
+    let parsedHeaders = {};
+    try { parsedHeaders = JSON.parse(webhook.headers || '{}'); } catch { /* ignore */ }
+
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10000);
+
+    try {
+      const fetchOptions = {
+        method: webhook.method,
+        headers: {
+          'Content-Type': 'application/json',
+          'User-Agent': 'UpfynAI-Webhook/1.0',
+          ...parsedHeaders
+        },
+        signal: controller.signal
+      };
+
+      // Add test body for methods that support it
+      if (['POST', 'PUT', 'PATCH'].includes(webhook.method)) {
+        fetchOptions.body = JSON.stringify({
+          event: 'test',
+          webhook_id: webhook.id,
+          webhook_name: webhook.name,
+          timestamp: new Date().toISOString()
+        });
+      }
+
+      const response = await fetch(webhook.url, fetchOptions);
+      clearTimeout(timeout);
+
+      let body;
+      const contentType = response.headers.get('content-type') || '';
+      if (contentType.includes('application/json')) {
+        body = await response.json();
+      } else {
+        body = await response.text();
+        if (body.length > 2000) body = body.slice(0, 2000) + '...';
+      }
+
+      await webhookDb.updateLastTriggered(webhook.id);
+
+      res.json({
+        success: true,
+        result: {
+          status: response.status,
+          statusText: response.statusText,
+          body,
+          headers: Object.fromEntries(response.headers.entries())
+        }
+      });
+    } catch (fetchError) {
+      clearTimeout(timeout);
+      res.json({
+        success: false,
+        result: {
+          error: fetchError.name === 'AbortError' ? 'Request timed out (10s)' : fetchError.message
+        }
+      });
+    }
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to test webhook' });
+  }
+});
+
+export default router;

package/server/routes/workflows.js

@@ -0,0 +1,118 @@
+import express from 'express';
+import { workflowDb, webhookDb } from '../database/db.js';
+import { refreshWorkflowSchedule, stopWorkflowSchedule, executeWorkflow } from '../services/workflowScheduler.js';
+
+const router = express.Router();
+
+// GET /api/workflows — list all workflows for the user
+router.get('/', async (req, res) => {
+  try {
+    const workflows = await workflowDb.getAll(req.user.id);
+    const parsed = workflows.map(w => ({
+      ...w,
+      steps: typeof w.steps === 'string' ? JSON.parse(w.steps) : w.steps
+    }));
+    res.json({ workflows: parsed });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch workflows' });
+  }
+});
+
+// POST /api/workflows — create a workflow
+router.post('/', async (req, res) => {
+  try {
+    const { name, description, steps, schedule, schedule_enabled, schedule_timezone } = req.body;
+    if (!name || !name.trim()) return res.status(400).json({ error: 'Name is required' });
+    if (!Array.isArray(steps)) return res.status(400).json({ error: 'Steps must be an array' });
+
+    const workflow = await workflowDb.create(req.user.id, {
+      name: name.trim(),
+      description: description?.trim() || null,
+      steps,
+      schedule: schedule || null,
+      schedule_enabled: !!schedule_enabled,
+      schedule_timezone: schedule_timezone || 'UTC'
+    });
+
+    // Sync cron scheduler
+    if (workflow.id) refreshWorkflowSchedule(workflow.id, req.user.id);
+
+    res.json({ success: true, workflow });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to create workflow' });
+  }
+});
+
+// PUT /api/workflows/:id — update a workflow
+router.put('/:id', async (req, res) => {
+  try {
+    const { name, description, steps, schedule, schedule_enabled, schedule_timezone } = req.body;
+    if (!name || !name.trim()) return res.status(400).json({ error: 'Name is required' });
+
+    const wfId = Number(req.params.id);
+    const updated = await workflowDb.update(wfId, req.user.id, {
+      name: name.trim(),
+      description: description?.trim() || null,
+      steps: steps || [],
+      schedule: schedule || null,
+      schedule_enabled: !!schedule_enabled,
+      schedule_timezone: schedule_timezone || 'UTC'
+    });
+
+    if (!updated) return res.status(404).json({ error: 'Workflow not found' });
+
+    // Sync cron scheduler
+    refreshWorkflowSchedule(wfId, req.user.id);
+
+    res.json({ success: true });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to update workflow' });
+  }
+});
+
+// DELETE /api/workflows/:id — delete a workflow
+router.delete('/:id', async (req, res) => {
+  try {
+    const wfId = Number(req.params.id);
+    const deleted = await workflowDb.delete(wfId, req.user.id);
+    if (!deleted) return res.status(404).json({ error: 'Workflow not found' });
+
+    stopWorkflowSchedule(wfId);
+
+    res.json({ success: true });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to delete workflow' });
+  }
+});
+
+// POST /api/workflows/:id/run — execute a workflow (manual trigger)
+router.post('/:id/run', async (req, res) => {
+  try {
+    const workflow = await workflowDb.getById(Number(req.params.id), req.user.id);
+    if (!workflow) return res.status(404).json({ error: 'Workflow not found' });
+
+    const steps = typeof workflow.steps === 'string' ? JSON.parse(workflow.steps) : workflow.steps;
+    if (!steps.length) return res.status(400).json({ error: 'Workflow has no steps' });
+
+    const result = await executeWorkflow({ ...workflow, steps });
+    res.json(result);
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to run workflow' });
+  }
+});
+
+// GET /api/workflows/:id/runs — list execution history for a workflow
+router.get('/:id/runs', async (req, res) => {
+  try {
+    const runs = await workflowDb.getRuns(Number(req.params.id), req.user.id);
+    const parsed = runs.map(r => ({
+      ...r,
+      result: typeof r.result === 'string' ? (() => { try { return JSON.parse(r.result); } catch { return r.result; } })() : r.result
+    }));
+    res.json({ runs: parsed });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to fetch workflow runs' });
+  }
+});
+
+export default router;