upfynai-code 3.0.4 → 3.2.0

package/server/routes/browser.js

@@ -1,419 +0,0 @@
-/**
- * Browser Routes — REST API for Steel browser sessions + Stagehand AI.
- * Cloud-only (browser service runs on Railway).
- */
-
-import { Router } from 'express';
-import { browserClient } from '../browser.js';
-
-const router = Router();
-
-// ── SSRF protection ─────────────────────────────────────────────────────────
-
-function isUrlSafe(url) {
-  try {
-    const parsed = new URL(url);
-    if (!['http:', 'https:'].includes(parsed.protocol)) return false;
-    // Strip brackets from IPv6 literals
-    const hostname = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, '');
-    // Block localhost and loopback (IPv4 + IPv6)
-    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '0.0.0.0') return false;
-    if (hostname === '::1' || hostname === '0000:0000:0000:0000:0000:0000:0000:0001') return false;
-    if (hostname.startsWith('::ffff:127.') || hostname.startsWith('::ffff:0.')) return false;
-    // Block metadata endpoints (IPv4 + IPv6-mapped)
-    if (hostname === '169.254.169.254' || hostname === '::ffff:a9fe:a9fe') return false;
-    // Block RFC1918 private ranges
-    if (hostname.startsWith('10.') || hostname.startsWith('192.168.')) return false;
-    if (/^172\.(1[6-9]|2\d|3[01])\./.test(hostname)) return false;
-    // Block IPv6 private ranges (fc00::/7, fe80::/10)
-    if (/^f[cd][0-9a-f]{2}:/.test(hostname)) return false; // fc00::/7 unique local
-    if (/^fe[89ab][0-9a-f]:/.test(hostname)) return false; // fe80::/10 link-local
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-// Allow sandbox-internal URLs (these are safe — same Railway network)
-function isUrlSafeOrSandbox(url) {
-  if (isUrlSafe(url)) return true;
-  // Allow sandbox service URLs — compare origins, not string prefix
-  const sandboxUrl = process.env.SANDBOX_SERVICE_URL || '';
-  if (sandboxUrl) {
-    try {
-      const parsedUrl = new URL(url);
-      const parsedSandbox = new URL(sandboxUrl);
-      if (parsedUrl.origin === parsedSandbox.origin) return true;
-    } catch { /* invalid URL */ }
-  }
-  return false;
-}
-
-// ── Lazy imports for cloud-only deps ─────────────────────────────────────────
-
-let browserAI = null;
-const loadBrowserAI = async () => {
-  if (browserAI) return browserAI;
-  try {
-    browserAI = await import('../services/browser-ai.js');
-    return browserAI;
-  } catch {
-    return null;
-  }
-};
-
-let browserSessionDb = null;
-const loadDb = async () => {
-  if (browserSessionDb) return browserSessionDb;
-  try {
-    const mod = await import('../database/db.js');
-    browserSessionDb = mod.browserSessionDb;
-    return browserSessionDb;
-  } catch {
-    return null;
-  }
-};
-
-// ── Status ──────────────────────────────────────────────────────────────────
-
-router.get('/status', async (req, res) => {
-  const available = await browserClient.isAvailable();
-  const ai = await loadBrowserAI();
-  const aiAvailable = ai ? await ai.isAvailable() : false;
-
-  res.json({
-    available,
-    aiAvailable,
-    serviceUrl: available ? '(connected)' : '(not reachable)',
-  });
-});
-
-// ── Session Management ──────────────────────────────────────────────────────
-
-// POST /api/browser/sessions — create a new browser session
-router.post('/sessions', async (req, res) => {
-  const userId = req.user.id;
-  const db = await loadDb();
-
-  try {
-    // Check for existing active session
-    if (db) {
-      const existing = await db.getActive(userId);
-      if (existing) {
-        // Return existing session instead of creating new one
-        return res.json({
-          sessionId: existing.steel_session_id,
-          viewerUrl: existing.viewer_url,
-          cdpUrl: existing.cdp_url,
-          status: 'active',
-          reused: true,
-        });
-      }
-    }
-
-    const { blockAds, dimensions, timeout } = req.body || {};
-    const session = await browserClient.createSession(userId, {
-      blockAds,
-      dimensions,
-      timeout,
-    });
-
-    const viewerUrl = browserClient.getSessionViewerUrl(session.id);
-    const cdpUrl = browserClient.getCdpWsUrl(session.id);
-
-    // Save to DB
-    if (db) {
-      await db.create(userId, session.id, viewerUrl, cdpUrl);
-    }
-
-    res.json({
-      sessionId: session.id,
-      viewerUrl,
-      cdpUrl,
-      status: 'active',
-    });
-  } catch {
-    res.status(500).json({ error: 'Failed to create browser session' });
-  }
-});
-
-// GET /api/browser/sessions — list user's sessions
-router.get('/sessions', async (req, res) => {
-  const db = await loadDb();
-  if (!db) return res.json({ sessions: [] });
-
-  try {
-    const sessions = await db.listByUser(req.user.id);
-    res.json({ sessions });
-  } catch {
-    res.status(500).json({ error: 'Failed to list sessions' });
-  }
-});
-
-// GET /api/browser/sessions/:id — get session details
-router.get('/sessions/:id', async (req, res) => {
-  const db = await loadDb();
-  if (!db) return res.status(404).json({ error: 'Session not found' });
-
-  try {
-    const session = await db.getBySessionId(req.user.id, req.params.id);
-    if (!session) return res.status(404).json({ error: 'Session not found' });
-
-    await db.updateAccess(req.user.id, req.params.id);
-
-    res.json({
-      sessionId: session.steel_session_id,
-      viewerUrl: session.viewer_url,
-      cdpUrl: session.cdp_url,
-      status: session.status,
-      createdAt: session.created_at,
-      lastAccessed: session.last_accessed,
-    });
-  } catch {
-    res.status(500).json({ error: 'Failed to get session' });
-  }
-});
-
-// DELETE /api/browser/sessions/:id — release session
-router.delete('/sessions/:id', async (req, res) => {
-  const userId = req.user.id;
-  const sessionId = req.params.id;
-
-  try {
-    // Verify ownership first
-    const db = await loadDb();
-    if (db) {
-      const session = await db.getBySessionId(userId, sessionId);
-      if (!session) return res.status(404).json({ error: 'Session not found' });
-    }
-
-    // Release Stagehand instance
-    const ai = await loadBrowserAI();
-    if (ai) await ai.release(sessionId);
-
-    // Release Steel session
-    await browserClient.releaseSession(userId, sessionId).catch(() => {});
-
-    // Deactivate in DB (user-scoped)
-    if (db) await db.deactivate(userId, sessionId);
-
-    res.json({ success: true });
-  } catch {
-    res.status(500).json({ error: 'Failed to close session' });
-  }
-});
-
-// ── Navigation ──────────────────────────────────────────────────────────────
-
-// POST /api/browser/sessions/:id/navigate
-router.post('/sessions/:id/navigate', async (req, res) => {
-  const { url } = req.body;
-  if (!url || !isUrlSafeOrSandbox(url)) {
-    return res.status(400).json({ error: 'Invalid or blocked URL' });
-  }
-
-  try {
-    const db = await loadDb();
-    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
-    if (db && !session) return res.status(404).json({ error: 'Session not found' });
-
-    if (db) await db.updateAccess(req.user.id, req.params.id);
-
-    // Use Stagehand/Playwright to navigate
-    const ai = await loadBrowserAI();
-    if (ai && await ai.isAvailable() && session?.cdp_url) {
-      await ai.act(req.params.id, session.cdp_url, `Navigate to ${url}`);
-      return res.json({ success: true, url });
-    }
-
-    res.json({ success: true, url, note: 'Navigation sent — viewer will update' });
-  } catch {
-    res.status(500).json({ error: 'Navigation failed' });
-  }
-});
-
-// POST /api/browser/sessions/:id/sandbox-preview — open sandbox dev server
-router.post('/sessions/:id/sandbox-preview', async (req, res) => {
-  const portNum = parseInt(req.body?.port, 10);
-  if (!portNum || portNum < 1 || portNum > 65535) {
-    return res.status(400).json({ error: 'Invalid port number' });
-  }
-
-  try {
-    const db = await loadDb();
-    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
-    if (db && !session) return res.status(404).json({ error: 'Session not found' });
-
-    const sandboxUrl = browserClient.getSandboxPreviewUrl(req.user.id, portNum);
-
-    const ai = await loadBrowserAI();
-    if (ai && await ai.isAvailable() && session?.cdp_url) {
-      await ai.act(req.params.id, session.cdp_url, `Navigate to ${sandboxUrl}`);
-    }
-
-    if (db) await db.updateAccess(req.user.id, req.params.id);
-
-    res.json({ success: true, url: sandboxUrl, port: portNum });
-  } catch {
-    res.status(500).json({ error: 'Failed to open sandbox preview' });
-  }
-});
-
-// POST /api/browser/sessions/:id/screenshot
-router.post('/sessions/:id/screenshot', async (req, res) => {
-  try {
-    // Verify ownership
-    const db = await loadDb();
-    if (db) {
-      const session = await db.getBySessionId(req.user.id, req.params.id);
-      if (!session) return res.status(404).json({ error: 'Session not found' });
-    }
-    const result = await browserClient.screenshot(req.user.id, req.params.id);
-    res.json(result);
-  } catch {
-    res.status(500).json({ error: 'Screenshot failed' });
-  }
-});
-
-// ── AI Actions ──────────────────────────────────────────────────────────────
-
-// POST /api/browser/sessions/:id/ai/act — single AI action (chat mode)
-router.post('/sessions/:id/ai/act', async (req, res) => {
-  const { instruction } = req.body;
-  if (!instruction) return res.status(400).json({ error: 'instruction is required' });
-
-  const ai = await loadBrowserAI();
-  if (!ai || !(await ai.isAvailable())) {
-    return res.status(503).json({ error: 'Browser AI not available' });
-  }
-
-  try {
-    const db = await loadDb();
-    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
-    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found or missing CDP URL' });
-
-    if (db) await db.updateAccess(req.user.id, req.params.id);
-
-    const result = await ai.act(req.params.id, session.cdp_url, instruction);
-    res.json(result);
-  } catch {
-    res.status(500).json({ error: 'AI action failed' });
-  }
-});
-
-// POST /api/browser/sessions/:id/ai/extract
-router.post('/sessions/:id/ai/extract', async (req, res) => {
-  const { instruction, schema } = req.body;
-  if (!instruction) return res.status(400).json({ error: 'instruction is required' });
-
-  const ai = await loadBrowserAI();
-  if (!ai || !(await ai.isAvailable())) {
-    return res.status(503).json({ error: 'Browser AI not available' });
-  }
-
-  try {
-    const db = await loadDb();
-    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
-    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found' });
-
-    if (db) await db.updateAccess(req.user.id, req.params.id);
-
-    const result = await ai.extract(req.params.id, session.cdp_url, instruction, schema);
-    res.json(result);
-  } catch {
-    res.status(500).json({ error: 'AI extraction failed' });
-  }
-});
-
-// POST /api/browser/sessions/:id/ai/observe
-router.post('/sessions/:id/ai/observe', async (req, res) => {
-  const { instruction } = req.body;
-
-  const ai = await loadBrowserAI();
-  if (!ai || !(await ai.isAvailable())) {
-    return res.status(503).json({ error: 'Browser AI not available' });
-  }
-
-  try {
-    const db = await loadDb();
-    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
-    if (!session?.cdp_url) return res.status(404).json({ error: 'Session not found' });
-
-    const result = await ai.observe(req.params.id, session.cdp_url, instruction);
-    res.json(result);
-  } catch {
-    res.status(500).json({ error: 'AI observation failed' });
-  }
-});
-
-// GET /api/browser/sessions/:id/ai/autonomous — autonomous agent with SSE streaming
-router.get('/sessions/:id/ai/autonomous', async (req, res) => {
-  const { goal, maxSteps } = req.query;
-  if (!goal) {
-    res.status(400).json({ error: 'goal is required' });
-    return;
-  }
-
-  const ai = await loadBrowserAI();
-  if (!ai || !(await ai.isAvailable())) {
-    res.status(503).json({ error: 'Browser AI not available' });
-    return;
-  }
-
-  const db = await loadDb();
-  const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
-  if (!session?.cdp_url) {
-    res.status(404).json({ error: 'Session not found' });
-    return;
-  }
-
-  // SSE setup
-  res.setHeader('Content-Type', 'text/event-stream');
-  res.setHeader('Cache-Control', 'no-cache');
-  res.setHeader('Connection', 'keep-alive');
-  res.flushHeaders();
-
-  const sendEvent = (data) => {
-    res.write(`data: ${JSON.stringify(data)}\n\n`);
-  };
-
-  try {
-    if (db) await db.updateAccess(req.user.id, req.params.id);
-
-    const steps = Math.min(Math.max(parseInt(maxSteps) || 10, 1), 25);
-    await ai.autonomousGoal(
-      req.params.id,
-      session.cdp_url,
-      goal.slice(0, 500), // Truncate goal to prevent prompt injection via excessively long input
-      steps,
-      (stepData) => sendEvent(stepData)
-    );
-
-    sendEvent({ type: 'done' });
-  } catch {
-    sendEvent({ type: 'error', message: 'Autonomous run failed' });
-  }
-
-  res.end();
-});
-
-// GET /api/browser/sessions/:id/console-errors — get browser console errors
-router.get('/sessions/:id/console-errors', async (req, res) => {
-  const ai = await loadBrowserAI();
-  if (!ai || !(await ai.isAvailable())) {
-    return res.json({ errors: [] });
-  }
-
-  try {
-    const db = await loadDb();
-    const session = db ? await db.getBySessionId(req.user.id, req.params.id) : null;
-    if (!session?.cdp_url) return res.json({ errors: [] });
-
-    const errors = await ai.getConsoleErrors(req.params.id, session.cdp_url);
-    res.json({ errors });
-  } catch {
-    res.json({ errors: [] });
-  }
-});
-
-export default router;

package/server/routes/canvas.js

@@ -1,53 +0,0 @@
-import express from 'express';
-import { canvasDb } from '../database/db.js';
-
-const router = express.Router();
-
-// GET /api/canvas/:projectName — load canvas for a project
-router.get('/:projectName', async (req, res) => {
-  try {
-    const userId = req.user.id;
-    const { projectName } = req.params;
-
-    const canvas = await canvasDb.load(userId, decodeURIComponent(projectName));
-    if (!canvas) {
-      return res.json({ elements: [], appState: {}, updatedAt: null });
-    }
-    res.json(canvas);
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to load canvas' });
-  }
-});
-
-// POST /api/canvas/:projectName — save canvas for a project
-router.post('/:projectName', async (req, res) => {
-  try {
-    const userId = req.user.id;
-    const { projectName } = req.params;
-    const { elements, appState } = req.body;
-
-    if (!Array.isArray(elements)) {
-      return res.status(400).json({ error: 'elements must be an array' });
-    }
-
-    await canvasDb.save(userId, decodeURIComponent(projectName), elements, appState || {});
-    res.json({ ok: true });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to save canvas' });
-  }
-});
-
-// DELETE /api/canvas/:projectName — delete canvas for a project
-router.delete('/:projectName', async (req, res) => {
-  try {
-    const userId = req.user.id;
-    const { projectName } = req.params;
-
-    const deleted = await canvasDb.delete(userId, decodeURIComponent(projectName));
-    res.json({ ok: true, deleted });
-  } catch (err) {
-    res.status(500).json({ error: 'Failed to delete canvas' });
-  }
-});
-
-export default router;