upfynai-code 2.6.0 → 2.6.1

package/server/sandbox.js

@@ -1,120 +0,0 @@
-/**
- * Sandbox Client — connects the backend to the separate sandbox-service on Railway.
- * All sandbox operations are proxied to the sandbox service via HTTP.
- */
-
-const SANDBOX_SERVICE_URL = process.env.SANDBOX_SERVICE_URL || 'http://localhost:4300';
-const SANDBOX_SERVICE_SECRET = process.env.SANDBOX_SERVICE_SECRET || 'dev-sandbox-secret';
-
-async function sandboxFetch(path, userId, body = null) {
-  const opts = {
-    method: body ? 'POST' : 'GET',
-    headers: {
-      'Content-Type': 'application/json',
-      'x-sandbox-secret': SANDBOX_SERVICE_SECRET,
-      'x-user-id': String(userId),
-    },
-  };
-  if (body) opts.body = JSON.stringify(body);
-
-  const res = await fetch(`${SANDBOX_SERVICE_URL}${path}`, opts);
-  const data = await res.json();
-  if (!res.ok) throw new Error(data.error || `Sandbox service error: ${res.status}`);
-  return data;
-}
-
-const sandboxClient = {
-
-  /**
-   * Check if the sandbox service is reachable.
-   */
-  async isAvailable() {
-    try {
-      const res = await fetch(`${SANDBOX_SERVICE_URL}/health`, { signal: AbortSignal.timeout(3000) });
-      return res.ok;
-    } catch {
-      return false;
-    }
-  },
-
-  /**
-   * Initialize a user's sandbox (creates if doesn't exist).
-   */
-  async initSandbox(userId) {
-    return sandboxFetch('/api/sandbox/init', userId, {});
-  },
-
-  /**
-   * Get sandbox status.
-   */
-  async getStatus(userId) {
-    return sandboxFetch('/api/sandbox/status', userId);
-  },
-
-  /**
-   * Destroy a user's sandbox.
-   */
-  async destroySandbox(userId) {
-    const res = await fetch(`${SANDBOX_SERVICE_URL}/api/sandbox`, {
-      method: 'DELETE',
-      headers: {
-        'Content-Type': 'application/json',
-        'x-sandbox-secret': SANDBOX_SERVICE_SECRET,
-        'x-user-id': String(userId),
-      },
-    });
-    const data = await res.json();
-    if (!res.ok) throw new Error(data.error || 'Failed to destroy sandbox');
-    return data;
-  },
-
-  /**
-   * Execute a command in the user's sandbox.
-   */
-  async exec(userId, command, opts = {}) {
-    return sandboxFetch('/api/exec', userId, {
-      command,
-      cwd: opts.cwd,
-      timeout: opts.timeout,
-      userKeys: opts.userKeys,
-    });
-  },
-
-  /**
-   * Read a file from the user's sandbox.
-   */
-  async readFile(userId, filePath) {
-    return sandboxFetch('/api/file/read', userId, { filePath });
-  },
-
-  /**
-   * Write a file to the user's sandbox.
-   */
-  async writeFile(userId, filePath, content) {
-    return sandboxFetch('/api/file/write', userId, { filePath, content });
-  },
-
-  /**
-   * Get file tree from the user's sandbox.
-   */
-  async getFileTree(userId, dirPath, depth = 3) {
-    return sandboxFetch('/api/file/tree', userId, { dirPath, depth });
-  },
-
-  /**
-   * Run a git command in the user's sandbox.
-   */
-  async gitOperation(userId, gitCommand, cwd) {
-    return sandboxFetch('/api/git', userId, { gitCommand, cwd });
-  },
-
-  /**
-   * Get the WebSocket URL for an interactive shell session.
-   */
-  getShellWsUrl(userId, sessionId) {
-    const wsBase = SANDBOX_SERVICE_URL.replace(/^http/, 'ws');
-    return `${wsBase}/shell?secret=${encodeURIComponent(SANDBOX_SERVICE_SECRET)}&userId=${userId}&sessionId=${sessionId || 'default'}`;
-  },
-};
-
-export { sandboxClient, SANDBOX_SERVICE_URL };

package/server/services/whisperService.js

@@ -1,84 +0,0 @@
-/**
- * Local Whisper STT service using nodejs-whisper.
- * Used as a fallback when no OpenAI API key is configured (local mode).
- * Requires ffmpeg to be installed on the system.
- */
-
-let whisperAvailable = null; // null = unchecked, true/false
-let modelReady = false;
-
-/**
- * Check if nodejs-whisper and ffmpeg are available.
- */
-async function isWhisperAvailable() {
-  if (whisperAvailable !== null) return whisperAvailable;
-
-  try {
-    // Check if nodejs-whisper can be imported
-    await import('nodejs-whisper');
-
-    // Check if ffmpeg is available
-    const { execSync } = await import('child_process');
-    execSync('ffmpeg -version', { stdio: 'pipe', timeout: 5000 });
-
-    whisperAvailable = true;
-  } catch {
-    whisperAvailable = false;
-  }
-
-  return whisperAvailable;
-}
-
-/**
- * Ensure the whisper model is downloaded.
- * Downloads the tiny.en model (~75MB) on first use.
- */
-async function ensureWhisperModel() {
-  if (modelReady) return true;
-
-  const available = await isWhisperAvailable();
-  if (!available) return false;
-
-  try {
-    const { nodeWhisper } = await import('nodejs-whisper');
-    // Attempt to download model if not present
-    await nodeWhisper.downloadModel('tiny.en');
-    modelReady = true;
-    return true;
-  } catch (err) {
-    console.warn('[WhisperService] Failed to download model:', err.message);
-    return false;
-  }
-}
-
-/**
- * Transcribe audio using local nodejs-whisper.
- * @param {string} audioFilePath - Path to the audio file (WAV, MP3, etc.)
- * @returns {Promise<string|null>} Transcribed text, or null if failed
- */
-async function transcribeLocal(audioFilePath) {
-  const ready = await ensureWhisperModel();
-  if (!ready) return null;
-
-  try {
-    const { nodeWhisper } = await import('nodejs-whisper');
-    const result = await nodeWhisper(audioFilePath, {
-      modelName: 'tiny.en',
-      autoDownloadModelName: 'tiny.en',
-      whisperOptions: {
-        outputInText: true,
-        language: 'en',
-      }
-    });
-
-    // nodejs-whisper returns array of segments or text
-    if (typeof result === 'string') return result.trim();
-    if (Array.isArray(result)) return result.map(s => s.speech || s.text || '').join(' ').trim();
-    return null;
-  } catch (err) {
-    console.error('[WhisperService] Transcription error:', err.message);
-    return null;
-  }
-}
-
-export { isWhisperAvailable, ensureWhisperModel, transcribeLocal };

package/server/services/workflowScheduler.js

@@ -1,186 +0,0 @@
-import cron from 'node-cron';
-import { workflowDb, webhookDb } from '../database/db.js';
-
-const activeJobs = new Map(); // workflowId -> cron task
-
-/**
- * Execute a single workflow's steps (same logic as the /run endpoint).
- * Returns { success, results, error }
- */
-async function executeWorkflow(workflow) {
-  const steps = typeof workflow.steps === 'string' ? JSON.parse(workflow.steps) : workflow.steps;
-  if (!steps.length) return { success: false, error: 'No steps' };
-
-  const run = await workflowDb.createRun(workflow.id, workflow.user_id, steps.length);
-  const results = [];
-  let lastOutput = null;
-
-  for (let i = 0; i < steps.length; i++) {
-    const step = steps[i];
-    try {
-      let stepResult;
-
-      if (step.type === 'webhook') {
-        const webhookId = step.config?.webhookId;
-        if (!webhookId) throw new Error('No webhook configured');
-
-        const webhook = await webhookDb.getById(Number(webhookId), workflow.user_id);
-        if (!webhook) throw new Error('Webhook not found');
-
-        let parsedHeaders = {};
-        try { parsedHeaders = JSON.parse(webhook.headers || '{}'); } catch { /* ignore */ }
-
-        const controller = new AbortController();
-        const timeout = setTimeout(() => controller.abort(), 15000);
-
-        const fetchOptions = {
-          method: webhook.method,
-          headers: {
-            'Content-Type': 'application/json',
-            'User-Agent': 'UpfynAI-Scheduler/1.0',
-            ...parsedHeaders
-          },
-          signal: controller.signal
-        };
-
-        if (['POST', 'PUT', 'PATCH'].includes(webhook.method)) {
-          const payload = {
-            workflow_id: workflow.id,
-            workflow_name: workflow.name,
-            step_index: i,
-            step_label: step.label,
-            previous_output: lastOutput,
-            scheduled: true,
-            timestamp: new Date().toISOString()
-          };
-          if (step.config?.payloadTemplate) {
-            try { Object.assign(payload, JSON.parse(step.config.payloadTemplate)); } catch { /* ignore */ }
-          }
-          fetchOptions.body = JSON.stringify(payload);
-        }
-
-        const response = await fetch(webhook.url, fetchOptions);
-        clearTimeout(timeout);
-
-        const contentType = response.headers.get('content-type') || '';
-        let body;
-        if (contentType.includes('application/json')) {
-          body = await response.json();
-        } else {
-          body = await response.text();
-          if (body.length > 5000) body = body.slice(0, 5000) + '...';
-        }
-
-        await webhookDb.updateLastTriggered(webhook.id);
-        stepResult = { status: response.status, body };
-        lastOutput = body;
-
-      } else if (step.type === 'ai-prompt') {
-        stepResult = { type: 'ai-prompt', prompt: step.config?.prompt || '', note: 'Scheduled AI prompts require active session' };
-        lastOutput = step.config?.prompt;
-
-      } else if (step.type === 'delay') {
-        const seconds = Math.min(step.config?.seconds || 1, 30);
-        await new Promise(resolve => setTimeout(resolve, seconds * 1000));
-        stepResult = { delayed: seconds };
-
-      } else {
-        stepResult = { type: step.type, note: 'Unknown step type' };
-      }
-
-      results.push({ step: i, label: step.label, type: step.type, success: true, result: stepResult });
-      await workflowDb.updateRun(run.id, { status: 'running', stepsCompleted: i + 1 });
-
-    } catch (stepError) {
-      results.push({ step: i, label: step.label, type: step.type, success: false, error: stepError.message });
-      await workflowDb.updateRun(run.id, { status: 'failed', stepsCompleted: i, error: `Step ${i + 1} (${step.label}): ${stepError.message}` });
-      await workflowDb.updateLastRun(workflow.id);
-      return { success: false, run_id: run.id, results, error: `Step ${i + 1} failed: ${stepError.message}` };
-    }
-  }
-
-  await workflowDb.updateRun(run.id, { status: 'completed', stepsCompleted: steps.length, result: results });
-  await workflowDb.updateLastRun(workflow.id);
-  return { success: true, run_id: run.id, results };
-}
-
-/**
- * Schedule a single workflow's cron job.
- */
-function scheduleWorkflow(workflow) {
-  const id = workflow.id;
-
-  // Stop existing job if any
-  if (activeJobs.has(id)) {
-    activeJobs.get(id).stop();
-    activeJobs.delete(id);
-  }
-
-  if (!workflow.schedule || !workflow.schedule_enabled) return;
-
-  // Validate cron expression
-  if (!cron.validate(workflow.schedule)) {
-    console.warn(`[Scheduler] Invalid cron for workflow ${id}: ${workflow.schedule}`);
-    return;
-  }
-
-  const task = cron.schedule(workflow.schedule, async () => {
-    console.log(`[Scheduler] Running workflow ${id}: ${workflow.name}`);
-    try {
-      await executeWorkflow(workflow);
-    } catch (err) {
-      console.error(`[Scheduler] Workflow ${id} execution error:`, err.message);
-    }
-  }, {
-    timezone: workflow.schedule_timezone || 'UTC'
-  });
-
-  activeJobs.set(id, task);
-  console.log(`[Scheduler] Scheduled workflow ${id} (${workflow.name}): ${workflow.schedule}`);
-}
-
-/**
- * Load all scheduled workflows from DB and start their cron jobs.
- * Call this once at server startup.
- */
-async function initScheduler() {
-  try {
-    const workflows = await workflowDb.getScheduled();
-    console.log(`[Scheduler] Found ${workflows.length} scheduled workflow(s)`);
-    for (const wf of workflows) {
-      scheduleWorkflow(wf);
-    }
-  } catch (err) {
-    console.error('[Scheduler] Init error:', err.message);
-  }
-}
-
-/**
- * Re-sync a specific workflow's schedule (call after create/update).
- */
-async function refreshWorkflowSchedule(workflowId, userId) {
-  try {
-    const wf = await workflowDb.getById(workflowId, userId);
-    if (wf) {
-      scheduleWorkflow(wf);
-    } else {
-      // Workflow deleted — stop its job
-      if (activeJobs.has(workflowId)) {
-        activeJobs.get(workflowId).stop();
-        activeJobs.delete(workflowId);
-      }
-    }
-  } catch { /* ignore */ }
-}
-
-/**
- * Stop a workflow's cron job.
- */
-function stopWorkflowSchedule(workflowId) {
-  if (activeJobs.has(workflowId)) {
-    activeJobs.get(workflowId).stop();
-    activeJobs.delete(workflowId);
-  }
-}
-
-export { initScheduler, refreshWorkflowSchedule, stopWorkflowSchedule, executeWorkflow };

package/server/utils/commandParser.js

@@ -1,303 +0,0 @@
-import matter from 'gray-matter';
-import { promises as fs } from 'fs';
-import path from 'path';
-import { execFile } from 'child_process';
-import { promisify } from 'util';
-import { parse as parseShellCommand } from 'shell-quote';
-
-const execFileAsync = promisify(execFile);
-
-// Configuration
-const MAX_INCLUDE_DEPTH = 3;
-const BASH_TIMEOUT = 30000; // 30 seconds
-const BASH_COMMAND_ALLOWLIST = [
-  'echo',
-  'ls',
-  'pwd',
-  'date',
-  'whoami',
-  'git',
-  'npm',
-  'node',
-  'cat',
-  'grep',
-  'find',
-  'task-master'
-];
-
-/**
- * Parse a markdown command file and extract frontmatter and content
- * @param {string} content - Raw markdown content
- * @returns {object} Parsed command with data (frontmatter) and content
- */
-export function parseCommand(content) {
-  try {
-    const parsed = matter(content);
-    return {
-      data: parsed.data || {},
-      content: parsed.content || '',
-      raw: content
-    };
-  } catch (error) {
-    throw new Error(`Failed to parse command: ${error.message}`);
-  }
-}
-
-/**
- * Replace argument placeholders in content
- * @param {string} content - Content with placeholders
- * @param {string|array} args - Arguments to replace (string or array)
- * @returns {string} Content with replaced arguments
- */
-export function replaceArguments(content, args) {
-  if (!content) return content;
-
-  let result = content;
-
-  // Convert args to array if it's a string
-  const argsArray = Array.isArray(args) ? args : (args ? [args] : []);
-
-  // Replace $ARGUMENTS with all arguments joined by space
-  const allArgs = argsArray.join(' ');
-  result = result.replace(/\$ARGUMENTS/g, allArgs);
-
-  // Replace positional arguments $1-$9
-  for (let i = 1; i <= 9; i++) {
-    const regex = new RegExp(`\\$${i}`, 'g');
-    const value = argsArray[i - 1] || '';
-    result = result.replace(regex, value);
-  }
-
-  return result;
-}
-
-/**
- * Validate file path to prevent directory traversal
- * @param {string} filePath - Path to validate
- * @param {string} basePath - Base directory path
- * @returns {boolean} True if path is safe
- */
-export function isPathSafe(filePath, basePath) {
-  const resolvedPath = path.resolve(basePath, filePath);
-  const resolvedBase = path.resolve(basePath);
-  const relative = path.relative(resolvedBase, resolvedPath);
-  return (
-    relative !== '' &&
-    !relative.startsWith('..') &&
-    !path.isAbsolute(relative)
-  );
-}
-
-/**
- * Process file includes in content (@filename syntax)
- * @param {string} content - Content with @filename includes
- * @param {string} basePath - Base directory for resolving file paths
- * @param {number} depth - Current recursion depth
- * @returns {Promise<string>} Content with includes resolved
- */
-export async function processFileIncludes(content, basePath, depth = 0) {
-  if (!content) return content;
-
-  // Prevent infinite recursion
-  if (depth >= MAX_INCLUDE_DEPTH) {
-    throw new Error(`Maximum include depth (${MAX_INCLUDE_DEPTH}) exceeded`);
-  }
-
-  // Match @filename patterns (at start of line or after whitespace)
-  const includePattern = /(?:^|\s)@([^\s]+)/gm;
-  const matches = [...content.matchAll(includePattern)];
-
-  if (matches.length === 0) {
-    return content;
-  }
-
-  let result = content;
-
-  for (const match of matches) {
-    const fullMatch = match[0];
-    const filename = match[1];
-
-    // Security: prevent directory traversal
-    if (!isPathSafe(filename, basePath)) {
-      throw new Error(`Invalid file path (directory traversal detected): ${filename}`);
-    }
-
-    try {
-      const filePath = path.resolve(basePath, filename);
-      const fileContent = await fs.readFile(filePath, 'utf-8');
-
-      // Recursively process includes in the included file
-      const processedContent = await processFileIncludes(fileContent, basePath, depth + 1);
-
-      // Replace the @filename with the file content
-      result = result.replace(fullMatch, fullMatch.startsWith(' ') ? ' ' + processedContent : processedContent);
-    } catch (error) {
-      if (error.code === 'ENOENT') {
-        throw new Error(`File not found: ${filename}`);
-      }
-      throw error;
-    }
-  }
-
-  return result;
-}
-
-/**
- * Validate that a command and its arguments are safe
- * @param {string} commandString - Command string to validate
- * @returns {{ allowed: boolean, command: string, args: string[], error?: string }} Validation result
- */
-export function validateCommand(commandString) {
-  const trimmedCommand = commandString.trim();
-  if (!trimmedCommand) {
-    return { allowed: false, command: '', args: [], error: 'Empty command' };
-  }
-
-  // Parse the command using shell-quote to handle quotes properly
-  const parsed = parseShellCommand(trimmedCommand);
-
-  // Check for shell operators or control structures
-  const hasOperators = parsed.some(token =>
-    typeof token === 'object' && token.op
-  );
-
-  if (hasOperators) {
-    return {
-      allowed: false,
-      command: '',
-      args: [],
-      error: 'Shell operators (&&, ||, |, ;, etc.) are not allowed'
-    };
-  }
-
-  // Extract command and args (all should be strings after validation)
-  const tokens = parsed.filter(token => typeof token === 'string');
-
-  if (tokens.length === 0) {
-    return { allowed: false, command: '', args: [], error: 'No valid command found' };
-  }
-
-  const [command, ...args] = tokens;
-
-  // Extract just the command name (remove path if present)
-  const commandName = path.basename(command);
-
-  // Check if command exactly matches allowlist (no prefix matching)
-  const isAllowed = BASH_COMMAND_ALLOWLIST.includes(commandName);
-
-  if (!isAllowed) {
-    return {
-      allowed: false,
-      command: commandName,
-      args,
-      error: `Command '${commandName}' is not in the allowlist`
-    };
-  }
-
-  // Validate arguments don't contain dangerous metacharacters
-  const dangerousPattern = /[;&|`$()<>{}[\]\\]/;
-  for (const arg of args) {
-    if (dangerousPattern.test(arg)) {
-      return {
-        allowed: false,
-        command: commandName,
-        args,
-        error: `Argument contains dangerous characters: ${arg}`
-      };
-    }
-  }
-
-  return { allowed: true, command: commandName, args };
-}
-
-/**
- * Backward compatibility: Check if command is allowed (deprecated)
- * @deprecated Use validateCommand() instead for better security
- * @param {string} command - Command to validate
- * @returns {boolean} True if command is allowed
- */
-export function isBashCommandAllowed(command) {
-  const result = validateCommand(command);
-  return result.allowed;
-}
-
-/**
- * Sanitize bash command output
- * @param {string} output - Raw command output
- * @returns {string} Sanitized output
- */
-export function sanitizeOutput(output) {
-  if (!output) return '';
-
-  // Remove control characters except \t, \n, \r
-  return [...output]
-    .filter(ch => {
-      const code = ch.charCodeAt(0);
-      return code === 9  // \t
-          || code === 10 // \n
-          || code === 13 // \r
-          || (code >= 32 && code !== 127);
-    })
-    .join('');
-}
-
-/**
- * Process bash commands in content (!command syntax)
- * @param {string} content - Content with !command syntax
- * @param {object} options - Options for bash execution
- * @returns {Promise<string>} Content with bash commands executed and replaced
- */
-export async function processBashCommands(content, options = {}) {
-  if (!content) return content;
-
-  const { cwd = process.cwd(), timeout = BASH_TIMEOUT } = options;
-
-  // Match !command patterns (at start of line or after whitespace)
-  const commandPattern = /(?:^|\n)!(.+?)(?=\n|$)/g;
-  const matches = [...content.matchAll(commandPattern)];
-
-  if (matches.length === 0) {
-    return content;
-  }
-
-  let result = content;
-
-  for (const match of matches) {
-    const fullMatch = match[0];
-    const commandString = match[1].trim();
-
-    // Security: validate command and parse args
-    const validation = validateCommand(commandString);
-
-    if (!validation.allowed) {
-      throw new Error(`Command not allowed: ${commandString} - ${validation.error}`);
-    }
-
-    try {
-      // Execute without shell using execFile with parsed args
-      const { stdout, stderr } = await execFileAsync(
-        validation.command,
-        validation.args,
-        {
-          cwd,
-          timeout,
-          maxBuffer: 1024 * 1024, // 1MB max output
-          shell: false, // IMPORTANT: No shell interpretation
-          env: { ...process.env, PATH: process.env.PATH } // Inherit PATH for finding commands
-        }
-      );
-
-      const output = sanitizeOutput(stdout || stderr || '');
-
-      // Replace the !command with the output
-      result = result.replace(fullMatch, fullMatch.startsWith('\n') ? '\n' + output : output);
-    } catch (error) {
-      if (error.killed) {
-        throw new Error(`Command timeout: ${commandString}`);
-      }
-      throw new Error(`Command failed: ${commandString} - ${error.message}`);
-    }
-  }
-
-  return result;
-}