vibe-forge 0.4.0 → 0.8.1

package/bin/dashboard/server.js

@@ -0,0 +1,645 @@
+#!/usr/bin/env node
+/**
+ * Vibe Forge Dashboard Server
+ *
+ * HTTP + WebSocket server for the dashboard web UI.
+ * Serves static files, REST API, and real-time WebSocket updates.
+ *
+ * Usage:
+ *   node bin/dashboard/server.js [--port PORT] [--host HOST]
+ *   DASHBOARD_PORT=5555 node bin/dashboard/server.js
+ */
+
+const http = require('http');
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const url = require('url');
+
+// Configuration
+const DEFAULT_PORT = 2800;  // Forge temperature in °F 🔥
+// SECURITY: Do not change to '0.0.0.0' without reviewing all unauthenticated
+// endpoints (/api/token, /api/health). The loopback gate on /api/token assumes
+// the server is only reachable from localhost (RT-20260405-001).
+const DEFAULT_HOST = 'localhost';
+const MAX_TTS_TEXT_LENGTH = 2000;
+
+// Resolve paths relative to project root
+const PROJECT_ROOT = path.resolve(__dirname, '../..');
+const PUBLIC_DIR = path.join(__dirname, 'public');
+
+// Session token for API authentication (RT-20260405-001 Chain 1 fix)
+const SESSION_TOKEN = crypto.randomBytes(32).toString('hex');
+const TOKEN_FILE = path.join(PROJECT_ROOT, '.forge', 'dashboard.token');
+
+// Import API handlers
+const tasksApi = require('./api/tasks');
+const agentsApi = require('./api/agents');
+const dispatchApi = require('./api/dispatch');
+
+// TTS - lazy-loaded so server still starts if msedge-tts is absent
+let MsEdgeTTS, TTS_OUTPUT_FORMAT;
+try {
+    ({ MsEdgeTTS, OUTPUT_FORMAT: TTS_OUTPUT_FORMAT } = require('msedge-tts'));
+} catch (_) {
+    console.warn('[TTS] msedge-tts not installed — /api/tts will return 503');
+}
+
+// Agent → Edge TTS voice mapping
+const AGENT_VOICES = {
+    'planning-hub': 'en-US-GuyNeural',
+    'planning-hub':  'en-US-GuyNeural',
+    'oracle':        'en-US-AriaNeural',
+    'architect':     'en-GB-RyanNeural',
+    'aegis':         'en-US-JennyNeural',
+    'pixel':         'en-US-MichelleNeural',
+    'ember':         'en-US-ChristopherNeural',
+    'anvil':         'en-US-EricNeural',
+    'furnace':       'en-US-RogerNeural',
+    'crucible':      'en-US-MonicaNeural',
+    'temper':        'en-GB-ThomasNeural',
+    'scribe':        'en-AU-NatashaNeural',
+    'herald':        'en-US-SteffanNeural',
+    'loki':          'en-IE-ConnorNeural',
+    'crucible-x':    'en-US-DavisNeural',
+    'system':        'en-US-AriaNeural',
+};
+
+// =============================================================================
+// WebSocket Setup (lazy-loaded)
+// =============================================================================
+
+let WebSocketServer = null;
+let wss = null;
+
+/**
+ * Initialize WebSocket server
+ * @param {http.Server} server - HTTP server to attach to
+ */
+function initWebSocket(server) {
+    try {
+        const { WebSocketServer: WSServer } = require('ws');
+        WebSocketServer = WSServer;
+
+        wss = new WebSocketServer({ server, path: '/ws' });
+
+        wss.on('connection', (ws, req) => {
+            const clientIp = req.socket.remoteAddress;
+
+            // Authenticate WebSocket connections via token query param
+            const wsUrl = new url.URL(req.url, `http://${req.headers.host}`);
+            if (wsUrl.searchParams.get('token') !== SESSION_TOKEN) {
+                ws.close(4001, 'Unauthorized');
+                console.log(`[WS] Rejected unauthenticated connection from ${clientIp}`);
+                return;
+            }
+
+            console.log(`[WS] Client connected: ${clientIp}`);
+
+            // Send initial connection confirmation
+            ws.send(JSON.stringify({
+                type: 'connected',
+                timestamp: new Date().toISOString(),
+                message: 'Connected to Vibe Forge Dashboard'
+            }));
+
+            ws.on('message', (message) => {
+                try {
+                    const data = JSON.parse(message);
+                    handleWebSocketMessage(ws, data);
+                } catch (err) {
+                    ws.send(JSON.stringify({
+                        type: 'error',
+                        message: 'Invalid JSON message'
+                    }));
+                }
+            });
+
+            ws.on('close', () => {
+                console.log(`[WS] Client disconnected: ${clientIp}`);
+            });
+
+            ws.on('error', (err) => {
+                console.error(`[WS] Error: ${err.message}`);
+            });
+        });
+
+        console.log('[WS] WebSocket server initialized at /ws');
+        return true;
+    } catch (err) {
+        console.warn('[WS] WebSocket disabled - ws package not installed');
+        console.warn('[WS] Run: npm install ws --save-dev');
+        return false;
+    }
+}
+
+/**
+ * Handle incoming WebSocket messages
+ * @param {WebSocket} ws - WebSocket connection
+ * @param {Object} data - Parsed message data
+ */
+function handleWebSocketMessage(ws, data) {
+    switch (data.type) {
+        case 'ping':
+            ws.send(JSON.stringify({ type: 'pong', timestamp: new Date().toISOString() }));
+            break;
+        case 'subscribe':
+            // Future: subscribe to specific events
+            ws.send(JSON.stringify({
+                type: 'subscribed',
+                channel: data.channel || 'all'
+            }));
+            break;
+        default:
+            ws.send(JSON.stringify({
+                type: 'unknown',
+                message: `Unknown message type: ${data.type}`
+            }));
+    }
+}
+
+/**
+ * Broadcast message to all connected WebSocket clients
+ * @param {Object} data - Data to broadcast
+ */
+function broadcast(data) {
+    if (!wss) return;
+
+    const message = JSON.stringify(data);
+    wss.clients.forEach((client) => {
+        if (client.readyState === 1) { // WebSocket.OPEN
+            client.send(message);
+        }
+    });
+}
+
+// Export broadcast for use by API handlers
+module.exports = { broadcast };
+
+// =============================================================================
+// Static File Server
+// =============================================================================
+
+const MIME_TYPES = {
+    '.html': 'text/html',
+    '.css': 'text/css',
+    '.js': 'application/javascript',
+    '.json': 'application/json',
+    '.png': 'image/png',
+    '.jpg': 'image/jpeg',
+    '.jpeg': 'image/jpeg',
+    '.gif': 'image/gif',
+    '.svg': 'image/svg+xml',
+    '.ico': 'image/x-icon',
+    '.woff': 'font/woff',
+    '.woff2': 'font/woff2',
+    '.ttf': 'font/ttf'
+};
+
+/**
+ * Serve static file from public directory
+ * @param {string} reqPath - Requested path
+ * @param {http.ServerResponse} res - Response object
+ */
+function serveStatic(reqPath, res) {
+    // Security: prevent directory traversal
+    const safePath = path.normalize(reqPath).replace(/^(\.\.[\/\\])+/, '');
+    let filePath = path.join(PUBLIC_DIR, safePath);
+
+    // Default to index.html for root
+    if (safePath === '/' || safePath === '') {
+        filePath = path.join(PUBLIC_DIR, 'index.html');
+    }
+
+    // Verify file is within PUBLIC_DIR
+    if (!filePath.startsWith(PUBLIC_DIR)) {
+        sendError(res, 403, 'Forbidden');
+        return;
+    }
+
+    fs.stat(filePath, (err, stats) => {
+        if (err || !stats.isFile()) {
+            // Try index.html for SPA routing
+            if (!filePath.endsWith('.html') && !path.extname(filePath)) {
+                serveStatic('/index.html', res);
+                return;
+            }
+            sendError(res, 404, 'Not Found');
+            return;
+        }
+
+        const ext = path.extname(filePath).toLowerCase();
+        const contentType = MIME_TYPES[ext] || 'application/octet-stream';
+
+        res.writeHead(200, { 'Content-Type': contentType });
+        fs.createReadStream(filePath).pipe(res);
+    });
+}
+
+// =============================================================================
+// API Router
+// =============================================================================
+
+/**
+ * Parse JSON body from request
+ * @param {http.IncomingMessage} req - Request object
+ * @returns {Promise<Object>} Parsed JSON body
+ */
+function parseBody(req) {
+    return new Promise((resolve, reject) => {
+        let body = '';
+        req.on('data', chunk => {
+            body += chunk;
+            // Limit body size to 1MB
+            if (body.length > 1024 * 1024) {
+                reject(new Error('Request body too large'));
+            }
+        });
+        req.on('end', () => {
+            if (!body) {
+                resolve({});
+                return;
+            }
+            try {
+                resolve(JSON.parse(body));
+            } catch (err) {
+                reject(new Error('Invalid JSON'));
+            }
+        });
+        req.on('error', reject);
+    });
+}
+
+/**
+ * Send JSON response
+ * @param {http.ServerResponse} res - Response object
+ * @param {number} status - HTTP status code
+ * @param {Object} data - Response data
+ */
+function sendJson(res, status, data) {
+    res.writeHead(status, {
+        'Content-Type': 'application/json'
+    });
+    res.end(JSON.stringify(data));
+}
+
+/**
+ * Send error response
+ * @param {http.ServerResponse} res - Response object
+ * @param {number} status - HTTP status code
+ * @param {string} message - Error message
+ */
+function sendError(res, status, message) {
+    sendJson(res, status, { error: message });
+}
+
+/**
+ * Route API requests
+ * @param {http.IncomingMessage} req - Request object
+ * @param {http.ServerResponse} res - Response object
+ * @param {string} pathname - Request pathname
+ */
+async function routeApi(req, res, pathname) {
+    const method = req.method.toUpperCase();
+
+    // Handle preflight (same-origin only, no CORS)
+    if (method === 'OPTIONS') {
+        res.writeHead(204);
+        res.end();
+        return;
+    }
+
+    // Token bootstrap endpoint - same-origin only (no CORS headers = browsers
+    // block cross-origin reads). Dashboard UI fetches this on load.
+    // RT-20260405-001: Gate to loopback so changing DEFAULT_HOST won't expose it.
+    if (pathname === '/api/token' && method === 'GET') {
+        const remote = req.socket.remoteAddress;
+        if (remote !== '127.0.0.1' && remote !== '::1' && remote !== '::ffff:127.0.0.1') {
+            sendError(res, 403, 'Forbidden');
+            return;
+        }
+        sendJson(res, 200, { token: SESSION_TOKEN });
+        return;
+    }
+
+    // Authenticate all other API requests (RT-20260405-001 Chain 1 fix)
+    // Health check is exempt (monitoring/readiness probes)
+    if (pathname !== '/api/health') {
+        const token = req.headers['x-forge-token'];
+        if (token !== SESSION_TOKEN) {
+            sendError(res, 401, 'Unauthorized');
+            return;
+        }
+    }
+
+    try {
+        // Parse request body for POST/PUT
+        let body = {};
+        if (method === 'POST' || method === 'PUT') {
+            body = await parseBody(req);
+        }
+
+        // Tasks API
+        if (pathname === '/api/tasks') {
+            if (method === 'GET') {
+                const result = await tasksApi.listTasks(PROJECT_ROOT);
+                sendJson(res, 200, result);
+                return;
+            }
+            if (method === 'POST') {
+                const result = await tasksApi.createTask(PROJECT_ROOT, body);
+                broadcast({ type: 'task-created', task: result });
+                sendJson(res, 201, result);
+                return;
+            }
+        }
+
+        // Single task by ID
+        const taskMatch = pathname.match(/^\/api\/tasks\/([a-zA-Z0-9_-]+)$/);
+        if (taskMatch) {
+            const taskId = taskMatch[1];
+            if (method === 'GET') {
+                const result = await tasksApi.getTask(PROJECT_ROOT, taskId);
+                if (!result) {
+                    sendError(res, 404, `Task not found: ${taskId}`);
+                    return;
+                }
+                sendJson(res, 200, result);
+                return;
+            }
+        }
+
+        // Agents API
+        if (pathname === '/api/agents') {
+            if (method === 'GET') {
+                const result = await agentsApi.listAgents(PROJECT_ROOT);
+                sendJson(res, 200, result);
+                return;
+            }
+        }
+
+        // Dispatch API
+        if (pathname === '/api/dispatch') {
+            if (method === 'POST') {
+                try {
+                    const result = await dispatchApi.dispatch(PROJECT_ROOT, body, broadcast);
+                    sendJson(res, 201, result);
+                } catch (err) {
+                    // Validation errors → 400; runtime errors bubble to outer catch → 500
+                    // RT-20260405-001: Whitelist known validation messages to prevent
+                    // leaking internal error details if dispatch.js adds unguarded throws.
+                    if (err.statusCode === 400 && err.name === 'DispatchValidationError') {
+                        sendError(res, 400, err.message);
+                    } else if (err.statusCode === 400) {
+                        sendError(res, 400, 'Invalid dispatch request');
+                    } else {
+                        throw err;
+                    }
+                }
+                return;
+            }
+        }
+
+        // TTS API — synthesize speech via msedge-tts and stream MP3
+        if (pathname === '/api/tts') {
+            if (method === 'GET') {
+                if (!MsEdgeTTS) {
+                    res.writeHead(503, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'TTS not available — install msedge-tts' }));
+                    return;
+                }
+                const parsedQuery = new url.URL(req.url, `http://${req.headers.host}`).searchParams;
+                const text  = parsedQuery.get('text')  || '';
+                const agent = (parsedQuery.get('agent') || 'system').toLowerCase();
+                if (!text.trim()) {
+                    res.writeHead(400, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'text is required' }));
+                    return;
+                }
+                if (text.length > MAX_TTS_TEXT_LENGTH) {
+                    res.writeHead(400, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: `text too long (max ${MAX_TTS_TEXT_LENGTH} chars)` }));
+                    return;
+                }
+                const voiceName = AGENT_VOICES[agent] || AGENT_VOICES['system'];
+                try {
+                    const tts = new MsEdgeTTS();
+                    await tts.setMetadata(voiceName, TTS_OUTPUT_FORMAT.AUDIO_24KHZ_48KBITRATE_MONO_MP3);
+                    const { audioStream } = tts.toStream(text);
+                    res.writeHead(200, {
+                        'Content-Type': 'audio/mpeg',
+                        'Cache-Control': 'no-store'
+                    });
+                    audioStream.pipe(res);
+                } catch (err) {
+                    console.error('[TTS] Synthesis error:', err.message);
+                    if (!res.headersSent) {
+                        res.writeHead(500, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ error: 'TTS synthesis failed' }));
+                    }
+                }
+                return;
+            }
+        }
+
+        // Issues API — placeholder, returns empty list (detection not yet implemented)
+        if (pathname === '/api/issues') {
+            if (method === 'GET') {
+                sendJson(res, 200, { issues: [], summary: { total: 0 } });
+                return;
+            }
+        }
+
+        // Config endpoint — exposes safe, UI-relevant config fields
+        if (pathname === '/api/config') {
+            if (method === 'GET') {
+                const configPath = path.join(PROJECT_ROOT, '.forge', 'config.json');
+                let cfg = {};
+                try { cfg = JSON.parse(fs.readFileSync(configPath, 'utf8')); } catch (_) {}
+                sendJson(res, 200, {
+                    dashboard_enabled: cfg.dashboard_enabled ?? false,
+                    dashboard_voice:   cfg.dashboard_voice   ?? false,
+                    dashboard_port:    cfg.dashboard_port    ?? 2800,
+                });
+                return;
+            }
+        }
+
+        // Activity feed - chronological stream of agent events (T2-G2)
+        if (pathname === '/api/activity') {
+            if (method === 'GET') {
+                const dbPath = path.join(PROJECT_ROOT, '.forge', 'forge.db');
+                try {
+                    const { execSync } = require('child_process');
+                    const limit = Math.min(parseInt(new url.URL(req.url, `http://${req.headers.host}`).searchParams.get('limit')) || 50, 200);
+                    const raw = execSync(
+                        `sqlite3 "${dbPath}" "SELECT id, agent, status, task, recorded_at FROM status_history ORDER BY recorded_at DESC LIMIT ${limit};"`,
+                        { encoding: 'utf8', timeout: 5000 }
+                    ).trim();
+                    const events = raw ? raw.split('\n').map(row => {
+                        const [id, agent, status, task, recorded_at] = row.split('|');
+                        return { id: +id, agent, status, task: task || null, recorded_at };
+                    }) : [];
+                    sendJson(res, 200, { events });
+                } catch (_) {
+                    sendJson(res, 200, { events: [] });
+                }
+                return;
+            }
+        }
+
+        // Health check
+        if (pathname === '/api/health') {
+            sendJson(res, 200, {
+                status: 'ok',
+                timestamp: new Date().toISOString(),
+                version: require(path.join(PROJECT_ROOT, 'package.json')).version
+            });
+            return;
+        }
+
+        // Not found (RT-20260405-001: static message, don't reflect pathname)
+        sendError(res, 404, 'Not found');
+
+    } catch (err) {
+        console.error(`[API] Error: ${err.message}`);
+        sendError(res, 500, 'Internal server error');
+    }
+}
+
+// =============================================================================
+// HTTP Server
+// =============================================================================
+
+/**
+ * Main request handler
+ * @param {http.IncomingMessage} req - Request object
+ * @param {http.ServerResponse} res - Response object
+ */
+function requestHandler(req, res) {
+    const parsedUrl = url.parse(req.url, true);
+    const pathname = parsedUrl.pathname;
+
+    // Log request
+    console.log(`[HTTP] ${req.method} ${pathname}`);
+
+    // Route to API or static files
+    if (pathname.startsWith('/api/')) {
+        routeApi(req, res, pathname);
+    } else if (pathname === '/ws') {
+        // WebSocket handled by ws library, ignore here
+        res.writeHead(426, { 'Content-Type': 'text/plain' });
+        res.end('Upgrade Required');
+    } else {
+        serveStatic(pathname, res);
+    }
+}
+
+/**
+ * Start the dashboard server
+ * @param {Object} options - Server options
+ * @param {number} options.port - Port to listen on
+ * @param {string} options.host - Host to bind to
+ */
+function startServer(options = {}) {
+    const port = options.port || process.env.DASHBOARD_PORT || DEFAULT_PORT;
+    const host = options.host || process.env.DASHBOARD_HOST || DEFAULT_HOST;
+
+    const server = http.createServer(requestHandler);
+
+    // Write session token to file for dashboard UI to read
+    const forgeDir = path.join(PROJECT_ROOT, '.forge');
+    if (!fs.existsSync(forgeDir)) fs.mkdirSync(forgeDir, { recursive: true });
+    fs.writeFileSync(TOKEN_FILE, SESSION_TOKEN, { mode: 0o600 });
+
+    // Initialize WebSocket
+    initWebSocket(server);
+
+    server.listen(port, host, () => {
+        console.log('');
+        console.log('='.repeat(50));
+        console.log('  🔥 VIBE FORGE DASHBOARD');
+        console.log('='.repeat(50));
+        console.log(`  URL:       http://${host}:${port}`);
+        console.log(`  API:       http://${host}:${port}/api/`);
+        console.log(`  WebSocket: ws://${host}:${port}/ws`);
+        console.log('');
+        console.log(`  Forge temperature: ${port}°F`);
+        console.log('='.repeat(50));
+        console.log('');
+    });
+
+    server.on('error', (err) => {
+        if (err.code === 'EADDRINUSE') {
+            console.error(`[ERROR] Port ${port} is already in use`);
+            console.error(`[ERROR] Try: DASHBOARD_PORT=${parseInt(port) + 1} node bin/dashboard/server.js`);
+            process.exit(1);
+        }
+        throw err;
+    });
+
+    // Graceful shutdown - clean up token file
+    function cleanup() {
+        try { fs.unlinkSync(TOKEN_FILE); } catch (_) {}
+    }
+
+    process.on('SIGTERM', () => {
+        console.log('[Server] Shutting down...');
+        cleanup();
+        server.close(() => {
+            console.log('[Server] Closed');
+            process.exit(0);
+        });
+    });
+
+    process.on('SIGINT', () => {
+        console.log('\n[Server] Interrupted, shutting down...');
+        cleanup();
+        server.close(() => {
+            console.log('[Server] Closed');
+            process.exit(0);
+        });
+    });
+
+    process.on('exit', cleanup);
+
+    return server;
+}
+
+// =============================================================================
+// CLI
+// =============================================================================
+
+if (require.main === module) {
+    // Parse CLI arguments
+    const args = process.argv.slice(2);
+    const options = {};
+
+    for (let i = 0; i < args.length; i++) {
+        if (args[i] === '--port' && args[i + 1]) {
+            options.port = parseInt(args[i + 1], 10);
+            i++;
+        } else if (args[i] === '--host' && args[i + 1]) {
+            options.host = args[i + 1];
+            i++;
+        } else if (args[i] === '--help' || args[i] === '-h') {
+            console.log('Vibe Forge Dashboard Server');
+            console.log('');
+            console.log('Usage: node server.js [options]');
+            console.log('');
+            console.log('Options:');
+            console.log('  --port PORT    Port to listen on (default: 2800)');
+            console.log('  --host HOST    Host to bind to (default: localhost)');
+            console.log('  --help, -h     Show this help message');
+            console.log('');
+            console.log('Environment:');
+            console.log('  DASHBOARD_PORT    Port to listen on');
+            console.log('  DASHBOARD_HOST    Host to bind to');
+            process.exit(0);
+        }
+    }
+
+    startServer(options);
+}
+
+module.exports = { startServer, broadcast };