upfynai-code 3.0.2 → 3.0.4

package/server/routes/browser.js

@@ -0,0 +1,419 @@
+/**
+ * Browser Routes — REST API for Steel browser sessions + Stagehand AI.
+ * Cloud-only (browser service runs on Railway).
+ */
+
+import { Router } from 'express';
+import { browserClient } from '../browser.js';
+
+const router = Router();
+
+// ── SSRF protection ─────────────────────────────────────────────────────────
+
+function isUrlSafe(url) {
+  try {
+    const parsed = new URL(url);
+    if (!['http:', 'https:'].includes(parsed.protocol)) return false;
+    // Strip brackets from IPv6 literals
+    const hostname = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, '');
+    // Block localhost and loopback (IPv4 + IPv6)
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '0.0.0.0') return false;
+    if (hostname === '::1' || hostname === '0000:0000:0000:0000:0000:0000:0000:0001') return false;
+    if (hostname.startsWith('::ffff:127.') || hostname.startsWith('::ffff:0.')) return false;
+    // Block metadata endpoints (IPv4 + IPv6-mapped)
+    if (hostname === '169.254.169.254' || hostname === '::ffff:a9fe:a9fe') return false;
+    // Block RFC1918 private ranges
+    if (hostname.startsWith('10.') || hostname.startsWith('192.168.')) return false;
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(hostname)) return false;
+    // Block IPv6 private ranges (fc00::/7, fe80::/10)
+    if (/^f[cd][0-9a-f]{2}:/.test(hostname)) return false; // fc00::/7 unique local
+    if (/^fe[89ab][0-9a-f]:/.test(hostname)) return false; // fe80::/10 link-local
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// Allow sandbox-internal URLs (these are safe — same Railway network)
+function isUrlSafeOrSandbox(url) {
+  if (isUrlSafe(url)) return true;
+  // Allow sandbox service URLs — compare origins, not string prefix
+  const sandboxUrl = process.env.SANDBOX_SERVICE_URL || '';
+  if (sandboxUrl) {
+    try {
+      const parsedUrl = new URL(url);
+      const parsedSandbox = new URL(sandboxUrl);
+      if (parsedUrl.origin === parsedSandbox.origin) return true;
+    } catch { /* invalid URL */ }
+  }
+  return false;
+}
+
+// ── Lazy imports for cloud-only deps ─────────────────────────────────────────
+
+let browserAI = null;
+const loadBrowserAI = async () => {
+  if (browserAI) return browserAI;
+  try {
+    browserAI = await import('../services/browser-ai.js');
+    return browserAI;
+  } catch {
+    return null;
+  }
+};
+
+let browserSessionDb = null;
+const loadDb = async () => {
+  if (browserSessionDb) return browserSessionDb;
+  try {
+    const mod = await import('../database/db.js');
+    browserSessionDb = mod.browserSessionDb;
+    return browserSessionDb;
+  } catch {
+    return null;
+  }
+};
+
+// ── Status ──────────────────────────────────────────────────────────────────
+
+router.get('/status', async (req, res) => {
+  const available = await browserClient.isAvailable();
+  const ai = await loadBrowserAI();
+  const aiAvailable = ai ? await ai.isAvailable() : false;
+
+  res.json({
+    available,
+    aiAvailable,
+    serviceUrl: available ? '(connected)' : '(not reachable)',
+  });
+});
+
+// ── Session Management ──────────────────────────────────────────────────────
+
+// POST /api/browser/sessions — create a new browser session
+router.post('/sessions', async (req, res) => {
+  const userId = req.user.id;
+  const db = await loadDb();
+
+  try {
+    // Check for existing active session
+    if (db) {
+      const existing = await db.getActive(userId);
+      if (existing) {
+        // Return existing session instead of creating new one
+        return res.json({
+          sessionId: existing.steel_session_id,
+          viewerUrl: existing.viewer_url,
+          cdpUrl: existing.cdp_url,
+          status: 'active',
+          reused: true,
+        });
+      }
+    }
+
+    const { blockAds, dimensions, timeout } = req.body || {};
+    const session = await browserClient.createSession(userId, {
+      blockAds,
+      dimensions,
+      timeout,
+    });
+
+    const viewerUrl = browserClient.getSessionViewerUrl(session.id);
+    const cdpUrl = browserClient.getCdpWsUrl(session.id);
+
+    // Save to DB
+    if (db) {
+      await db.create(userId, session.id, viewerUrl, cdpUrl);
+    }
+
+    res.json({
+      sessionId: session.id,
+      viewerUrl,
+      cdpUrl,
+      status: 'active',
+    });
+  } catch {
+    res.status(500).json({ error: 'Failed to create browser session' });
+  }
+});
+
+// GET /api/browser/sessions — list user's sessions
+router.get('/sessions', async (req, res) => {
+  const db = await loadDb();
+  if (!db) return res.json({ sessions: [] });
+
+  try {
+    const sessions = await db.listByUser(req.user.id);
+    res.json({ sessions });
+  } catch {
+    res.status(500).json({ error: 'Failed to list sessions' });
+  }
+});
+
+// GET /api/browser/sessions/:id — get session details
+router.get('/sessions/:id', async (req, res) => {
+  const db = await loadDb();
+  if (!db) return res.status(404).json({ error: 'Session not found' });
+
+  try {
+    const session = await db.getBySessionId(req.user.id, req.params.id);
+    if (!session) return res.status(404).json({ error: 'Session not found' });
+
+    await db.updateAccess(req.user.id, req.params.id);
+
+    res.json({
+      sessionId: session.steel_session_id,
+      viewerUrl: session.viewer_url,
+      cdpUrl: session.cdp_url,
+      status: session.status,
+      createdAt: session.created_at,
+      lastAccessed: session.last_accessed,
+    });
+  } catch {
+    res.status(500).json({ error: 'Failed to get session' });
+  }
+});
+
+// DELETE /api/browser/sessions/:id — release session
+router.delete('/sessions/:id', async (req, res) => {
+  const userId = req.user.id;
+  const sessionId = req.params.id;
+
+  try {
+    // Verify ownership first
+    const db = await loadDb();
+    if (db) {
+      const session = await db.getBySessionId(userId, sessionId);
+      if (!session) return res.status(404).json({ error: 'Session not found' });
+    }
+
+    // Release Stagehand instance
+    const ai = await loadBrowserAI();
+    if (ai) await ai.release(sessionId);
+
+    // Release Steel session
+    await browserClient.releaseSession(userId, sessionId).catch(() => {});
+
+    // Deactivate in DB (user-scoped)
+    if (db) await db.deactivate(userId, sessionId);
+
+    res.json({ success: true });
+  } catch {
+    res.status(500).json({ error: 'Failed to close session' });
+  }
+});
+
+// ── Navigation ──────────────────────────────────────────────────────────────
+
+// POST /api/browser/sessions/:id/navigate
+router.post('/sessions/:id/navigate', async (req, res) => {
+  const { url } = req.body;
+  if (!url || !isUrlSafeOrSandbox(url)) {
+    return res.status(400).json({ error: 'Invalid or blocked URL' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (db && !session) return res.status(404).json({ error: 'Session not found' });
+
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    // Use Stagehand/Playwright to navigate
+    const ai = await loadBrowserAI();
+    if (ai && await ai.isAvailable() && session?.cdp_url) {
+      await ai.act(req.params.id, session.cdp_url, `Navigate to ${url}`);
+      return res.json({ success: true, url });
+    }
+
+    res.json({ success: true, url, note: 'Navigation sent — viewer will update' });
+  } catch {
+    res.status(500).json({ error: 'Navigation failed' });
+  }
+});
+
+// POST /api/browser/sessions/:id/sandbox-preview — open sandbox dev server
+router.post('/sessions/:id/sandbox-preview', async (req, res) => {
+  const portNum = parseInt(req.body?.port, 10);
+  if (!portNum || portNum < 1 || portNum > 65535) {
+    return res.status(400).json({ error: 'Invalid port number' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (db && !session) return res.status(404).json({ error: 'Session not found' });
+
+    const sandboxUrl = browserClient.getSandboxPreviewUrl(req.user.id, portNum);
+
+    const ai = await loadBrowserAI();
+    if (ai && await ai.isAvailable() && session?.cdp_url) {
+      await ai.act(req.params.id, session.cdp_url, `Navigate to ${sandboxUrl}`);
+    }
+
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    res.json({ success: true, url: sandboxUrl, port: portNum });
+  } catch {
+    res.status(500).json({ error: 'Failed to open sandbox preview' });
+  }
+});
+
+// POST /api/browser/sessions/:id/screenshot
+router.post('/sessions/:id/screenshot', async (req, res) => {
+  try {
+    // Verify ownership
+    const db = await loadDb();
+    if (db) {
+      const session = await db.getBySessionId(req.user.id, req.params.id);
+      if (!session) return res.status(404).json({ error: 'Session not found' });
+    }
+    const result = await browserClient.screenshot(req.user.id, req.params.id);
+    res.json(result);
+  } catch {
+    res.status(500).json({ error: 'Screenshot failed' });
+  }
+});
+
+// ── AI Actions ──────────────────────────────────────────────────────────────
+
+// POST /api/browser/sessions/:id/ai/act — single AI action (chat mode)
+router.post('/sessions/:id/ai/act', async (req, res) => {
+  const { instruction } = req.body;
+  if (!instruction) return res.status(400).json({ error: 'instruction is required' });
+
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    return res.status(503).json({ error: 'Browser AI not available' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found or missing CDP URL' });
+
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    const result = await ai.act(req.params.id, session.cdp_url, instruction);
+    res.json(result);
+  } catch {
+    res.status(500).json({ error: 'AI action failed' });
+  }
+});
+
+// POST /api/browser/sessions/:id/ai/extract
+router.post('/sessions/:id/ai/extract', async (req, res) => {
+  const { instruction, schema } = req.body;
+  if (!instruction) return res.status(400).json({ error: 'instruction is required' });
+
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    return res.status(503).json({ error: 'Browser AI not available' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found' });
+
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    const result = await ai.extract(req.params.id, session.cdp_url, instruction, schema);
+    res.json(result);
+  } catch {
+    res.status(500).json({ error: 'AI extraction failed' });
+  }
+});
+
+// POST /api/browser/sessions/:id/ai/observe
+router.post('/sessions/:id/ai/observe', async (req, res) => {
+  const { instruction } = req.body;
+
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    return res.status(503).json({ error: 'Browser AI not available' });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found' });
+
+    const result = await ai.observe(req.params.id, session.cdp_url, instruction);
+    res.json(result);
+  } catch {
+    res.status(500).json({ error: 'AI observation failed' });
+  }
+});
+
+// GET /api/browser/sessions/:id/ai/autonomous — autonomous agent with SSE streaming
+router.get('/sessions/:id/ai/autonomous', async (req, res) => {
+  const { goal, maxSteps } = req.query;
+  if (!goal) {
+    res.status(400).json({ error: 'goal is required' });
+    return;
+  }
+
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    res.status(503).json({ error: 'Browser AI not available' });
+    return;
+  }
+
+  const db = await loadDb();
+  const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+  if (!session?.cdp_url) {
+    res.status(404).json({ error: 'Session not found' });
+    return;
+  }
+
+  // SSE setup
+  res.setHeader('Content-Type', 'text/event-stream');
+  res.setHeader('Cache-Control', 'no-cache');
+  res.setHeader('Connection', 'keep-alive');
+  res.flushHeaders();
+
+  const sendEvent = (data) => {
+    res.write(`data: ${JSON.stringify(data)}\n\n`);
+  };
+
+  try {
+    if (db) await db.updateAccess(req.user.id, req.params.id);
+
+    const steps = Math.min(Math.max(parseInt(maxSteps) || 10, 1), 25);
+    await ai.autonomousGoal(
+      req.params.id,
+      session.cdp_url,
+      goal.slice(0, 500), // Truncate goal to prevent prompt injection via excessively long input
+      steps,
+      (stepData) => sendEvent(stepData)
+    );
+
+    sendEvent({ type: 'done' });
+  } catch {
+    sendEvent({ type: 'error', message: 'Autonomous run failed' });
+  }
+
+  res.end();
+});
+
+// GET /api/browser/sessions/:id/console-errors — get browser console errors
+router.get('/sessions/:id/console-errors', async (req, res) => {
+  const ai = await loadBrowserAI();
+  if (!ai || !(await ai.isAvailable())) {
+    return res.json({ errors: [] });
+  }
+
+  try {
+    const db = await loadDb();
+    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
+    if (!session?.cdp_url) return res.json({ errors: [] });
+
+    const errors = await ai.getConsoleErrors(req.params.id, session.cdp_url);
+    res.json({ errors });
+  } catch {
+    res.json({ errors: [] });
+  }
+});
+
+export default router;

package/server/routes/projects.js

@@ -399,14 +399,8 @@ router.get('/clone-progress', async (req, res) => {
 
     const IS_CLOUD_ENV = !!(process.env.RAILWAY_ENVIRONMENT || process.env.VERCEL || process.env.RENDER);
 
-    // Cloud mode: clone via relay on user's machine
+    // Cloud mode: clone via relay on user's machine, or sandbox if no relay
     if (IS_CLOUD_ENV) {
-      if (!req.hasRelay || !req.hasRelay()) {
-        sendEvent('error', { message: 'Machine not connected. Run "uc connect" on your local machine.' });
-        res.end();
-        return;
-      }
-
       let githubToken = null;
       if (githubTokenId) {
         const token = await getGithubTokenById(parseInt(githubTokenId), req.user.id);
@@ -420,13 +414,10 @@ router.get('/clone-progress', async (req, res) => {
         githubToken = newGithubToken;
       }
 
-      sendEvent('progress', { message: 'Creating directory...' });
-      await req.sendRelay('create-folder', { folderPath: workspacePath }, 15000);
-
       const normalizedUrl = githubUrl.replace(/\/+$/, '').replace(/\.git$/, '');
       const repoName = normalizedUrl.split('/').pop() || 'repository';
-      const clonePath = `${workspacePath}/${repoName}`;
 
+      // Build authenticated clone URL
       let cloneUrl = githubUrl;
       if (githubToken) {
         try {
@@ -439,19 +430,64 @@ router.get('/clone-progress', async (req, res) => {
         }
       }
 
-      sendEvent('progress', { message: `Cloning into '${repoName}'...` });
+      // Option A: Relay connected — clone on user's machine
+      if (req.hasRelay && req.hasRelay()) {
+        const clonePath = `${workspacePath}/${repoName}`;
+
+        sendEvent('progress', { message: 'Creating directory...' });
+        await req.sendRelay('create-folder', { folderPath: workspacePath }, 15000);
+
+        sendEvent('progress', { message: `Cloning into '${repoName}'...` });
+
+        try {
+          await req.sendRelay('shell-command', {
+            command: `git clone "${cloneUrl}" "${clonePath}"`,
+            cwd: workspacePath
+          }, 120000);
+
+          const project = await addProjectManually(clonePath);
+          sendEvent('complete', { project, message: 'Repository cloned successfully' });
+        } catch (error) {
+          const sanitized = sanitizeGitError(error.message, githubToken);
+          sendEvent('error', { message: sanitized || 'Git clone failed' });
+        }
+
+        res.end();
+        return;
+      }
 
+      // Option B: No relay — clone into per-user sandbox
       try {
-        await req.sendRelay('shell-command', {
-          command: `git clone "${cloneUrl}" "${clonePath}"`,
-          cwd: workspacePath
-        }, 120000);
+        const { sandboxClient } = await import('../sandbox.js');
+        const sandboxAvailable = await sandboxClient.isAvailable();
+        if (!sandboxAvailable) {
+          sendEvent('error', { message: 'No machine connected and sandbox unavailable. Run "uc web connect" to connect your machine.' });
+          res.end();
+          return;
+        }
 
-        const project = await addProjectManually(clonePath);
-        sendEvent('complete', { project, message: 'Repository cloned successfully' });
+        const userId = req.user.id;
+        sendEvent('progress', { message: 'Initializing sandbox...' });
+        await sandboxClient.initSandbox(userId);
+
+        const sandboxPath = `/workspace/${repoName}`;
+        sendEvent('progress', { message: `Cloning into '${repoName}' (sandbox)...` });
+
+        await sandboxClient.exec(userId, `git clone "${cloneUrl}" "${sandboxPath}"`, { timeout: 120000 });
+
+        sendEvent('progress', { message: 'Registering project...' });
+
+        // Save project with github_origin
+        const { projectDb } = await import('../database/db.js');
+        const project = await projectDb.upsert(userId, sandboxPath, repoName, githubUrl);
+
+        sendEvent('complete', {
+          project: { ...project, displayName: repoName, originalPath: sandboxPath, githubOrigin: githubUrl },
+          message: 'Repository cloned into sandbox'
+        });
       } catch (error) {
         const sanitized = sanitizeGitError(error.message, githubToken);
-        sendEvent('error', { message: sanitized || 'Git clone failed' });
+        sendEvent('error', { message: sanitized || 'Sandbox clone failed' });
       }
 
       res.end();
@@ -652,4 +688,67 @@ function cloneGitHubRepository(githubUrl, destinationPath, githubToken = null) {
   });
 }
 
+/**
+ * Push sandbox changes back to GitHub
+ * POST /api/projects/:projectName/push
+ */
+router.post('/:projectName/push', async (req, res) => {
+  const { branch, commitMessage } = req.body;
+  const userId = req.user.id;
+
+  try {
+    const { projectDb } = await import('../database/db.js');
+    const project = await projectDb.getByName(userId, req.params.projectName);
+
+    if (!project) {
+      return res.status(404).json({ error: 'Project not found' });
+    }
+    if (!project.github_origin) {
+      return res.status(400).json({ error: 'Not a GitHub project — no origin to push to' });
+    }
+
+    // Get user's GitHub token
+    const { getDatabase } = await import('../database/db.js');
+    const db = await getDatabase();
+    const cred = await db.execute({
+      sql: 'SELECT credential_value FROM user_credentials WHERE user_id = ? AND credential_type = ? AND is_active = 1 LIMIT 1',
+      args: [userId, 'github_token']
+    });
+
+    const githubToken = cred.rows[0]?.credential_value;
+    if (!githubToken) {
+      return res.status(400).json({ error: 'No GitHub token configured. Add one in Settings > AI Providers.' });
+    }
+
+    // Set remote URL with token for auth
+    const originUrl = new URL(project.github_origin.endsWith('.git') ? project.github_origin : `${project.github_origin}.git`);
+    originUrl.username = githubToken;
+    originUrl.password = 'x-oauth-basic';
+
+    const { sandboxClient } = await import('../sandbox.js');
+    const cwd = project.original_path;
+    const targetBranch = branch || 'main';
+    const msg = commitMessage || 'Update from Upfyn Code';
+
+    // Set remote, stage, commit, push
+    await sandboxClient.exec(userId, `git remote set-url origin "${originUrl.toString()}"`, { cwd });
+    await sandboxClient.exec(userId, 'git add -A', { cwd });
+
+    try {
+      await sandboxClient.exec(userId, `git commit -m "${msg.replace(/"/g, '\\"')}"`, { cwd });
+    } catch {
+      return res.json({ success: true, message: 'No changes to commit' });
+    }
+
+    await sandboxClient.exec(userId, `git push origin ${targetBranch}`, { cwd, timeout: 60000 });
+
+    // Clean the token from the remote URL after push
+    await sandboxClient.exec(userId, `git remote set-url origin "${project.github_origin}"`, { cwd });
+
+    res.json({ success: true, message: `Pushed to ${targetBranch}` });
+  } catch (error) {
+    res.status(500).json({ error: error.message || 'Push failed' });
+  }
+});
+
 export default router;

package/server/routes/vapi-chat.js

@@ -488,7 +488,7 @@ async function handleTroubleshootConnection(metadata) {
       connected: false,
       message: 'Machine is NOT connected. Tell the user to open a terminal and run: uc connect',
       troubleshooting: [
-        'Make sure upfynai-code is installed: npm install -g upfynai-code',
+        'Make sure upfynai-code is installed: npm install -g @upfynai-code/app',
         'Run: uc connect',
         'Check if their firewall is blocking WebSocket connections',
         'Try: uc doctor — to diagnose issues',