volt-addon-logs 0.1.0

package/README.md

@@ -0,0 +1,34 @@
+# volt-addon-logs
+
+A gated **log viewer** for [Volt](https://voltjs.com): tail your app's pm2
+stdout/stderr, and — with [`mir-sentinel`](https://www.npmjs.com/package/mir-sentinel) —
+parse Apache/nginx access logs (or request lines in pm2 stdout) into analytics.
+
+## Install
+
+```
+npm install volt-addon-logs            # tail pm2 logs
+npm install mir-sentinel               # optional: enables the Analytics tab
+```
+
+Enable it by adding `logs` to `VOLT_ADDONS` in `.env`.
+
+## Security (same model as the editor)
+
+Mounts **only** if `ADMIN_PATH` is set (fail-closed), behind magic-link auth + an
+`ADMIN_EMAILS` allowlist. Logs leak information — never expose them
+unauthenticated. The viewer lives at `/<ADMIN_PATH>/logs`.
+
+## Log sources (fixed — no arbitrary paths)
+
+| Source | File |
+| --- | --- |
+| `app` | `~/.pm2/logs/<app>-out.log` (pm2 stdout) |
+| `error` | `~/.pm2/logs/<app>-error.log` (pm2 stderr) |
+| `access` | `ACCESS_LOG` env (an Apache/nginx access log), if set |
+
+- **Raw tail** — last N lines, with a filter box and a "follow" toggle.
+- **Analytics** — runs lines through `mir-sentinel`'s `parseLine` → top paths,
+  status codes, IPs, and bot/attack counts. The parser is format-tolerant, so it
+  handles Apache combined, nginx, and request lines in pm2 stdout. The tab is
+  hidden until `mir-sentinel` is installed.

package/index.js

@@ -0,0 +1,119 @@
+// volt-addon-logs — a gated log viewer for Volt.
+//
+// Sources (no arbitrary paths — fixed, safe set):
+//   app    → ~/.pm2/logs/<app>-out.log   (pm2 stdout)
+//   error  → ~/.pm2/logs/<app>-error.log (pm2 stderr)
+//   access → process.env.ACCESS_LOG       (an Apache/nginx access log, if set)
+//
+// "App"/"error" tail raw lines. "Analytics" runs lines through mir-sentinel's
+// parseLine (optional dependency) → top paths / status / IPs + bot/attack counts;
+// works for access logs AND request lines in pm2 stdout, since the parser is
+// format-tolerant.
+//
+// Security: mounts ONLY if ADMIN_PATH is set (fail-closed), behind magic-link auth
+// + an ADMIN_EMAILS allowlist. Logs leak info — never expose them unauthenticated.
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { fileURLToPath } from "node:url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+function appName() {
+  try {
+    return JSON.parse(fs.readFileSync(path.join(process.cwd(), "package.json"), "utf8")).name || "app";
+  } catch {
+    return "app";
+  }
+}
+function sources(env) {
+  const logs = path.join(os.homedir(), ".pm2", "logs");
+  const name = appName();
+  const out = { app: path.join(logs, `${name}-out.log`), error: path.join(logs, `${name}-error.log`) };
+  if (env.ACCESS_LOG) out.access = env.ACCESS_LOG;
+  return out;
+}
+function tail(file, n) {
+  if (!file || !fs.existsSync(file)) return [];
+  return fs.readFileSync(file, "utf8").split(/\r?\n/).filter(Boolean).slice(-n);
+}
+
+// optional: mir-sentinel's parseLine (Apache/nginx/pm2 request-line analytics)
+let parserCache;
+async function getParser() {
+  if (parserCache !== undefined) return parserCache;
+  try {
+    parserCache = (await import("mir-sentinel")).parseLine || null;
+  } catch {
+    parserCache = null;
+  }
+  return parserCache;
+}
+function rollup(parsed) {
+  const top = (key) => {
+    const m = {};
+    for (const p of parsed) if (p && p[key]) m[p[key]] = (m[p[key]] || 0) + 1;
+    return Object.entries(m).sort((a, b) => b[1] - a[1]).slice(0, 10);
+  };
+  return {
+    total: parsed.length,
+    paths: top("path"),
+    statuses: top("status"),
+    ips: top("ip"),
+    bots: parsed.filter((p) => p && p.bot).length,
+    attacks: parsed.filter((p) => p && p.attack).length,
+  };
+}
+
+const HTML = (base, hasParser) => `<!doctype html><html lang="en"><head>
+<meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>Logs — Volt</title><meta name="robots" content="noindex" /><link rel="icon" href="/favicon.webp" />
+<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css" rel="stylesheet" />
+<style>body{background:#0f1115;color:#e7e9ee}pre{background:#0b0d11;color:#cfe3ff;border:1px solid #232a36;border-radius:8px;padding:12px;max-height:70vh;overflow:auto;font-size:12.5px}</style>
+<script>window.__LOGS_BASE=${JSON.stringify(base)};window.__HAS_PARSER=${hasParser};</script>
+</head><body><div class="container-fluid py-3">
+  <div class="d-flex gap-2 align-items-center mb-2">
+    <strong class="me-2">Logs</strong>
+    <select id="src" class="form-select form-select-sm" style="max-width:200px"></select>
+    <select id="view" class="form-select form-select-sm" style="max-width:160px"><option value="tail">Raw tail</option><option value="analytics">Analytics</option></select>
+    <button id="refresh" class="btn btn-sm btn-outline-secondary">Refresh</button>
+    <label class="form-check-label small ms-2"><input id="follow" type="checkbox" class="form-check-input" /> follow</label>
+    <input id="filter" class="form-control form-control-sm ms-auto" style="max-width:240px" placeholder="filter…" />
+  </div>
+  <div id="out"></div>
+</div>
+<script type="module" src="${base}/logs.js"></script>
+</body></html>`;
+
+export function register({ app, env, requireAuth, log }) {
+  const raw = (env.ADMIN_PATH || "").trim();
+  if (!raw) return log("ADMIN_PATH not set — logs viewer disabled (fail-closed).");
+  if (!requireAuth) return log("auth add-on is required for the logs viewer — disabled.");
+  const base = "/" + raw.replace(/^\/+|\/+$/g, "") + "/logs";
+  const allow = new Set(String(env.ADMIN_EMAILS || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean));
+  const gate = [
+    requireAuth,
+    (req, res, next) => {
+      if (allow.size && !allow.has(String(req.user?.email || "").toLowerCase())) return res.status(403).type("html").send("Not authorized.");
+      next();
+    },
+  ];
+
+  app.get(base, gate, async (_req, res) => res.type("html").send(HTML(base, !!(await getParser()))));
+  app.get(base + "/logs.js", gate, (_req, res) => res.type("js").sendFile(path.join(__dirname, "public", "logs.js")));
+  app.get(base + "/api/sources", gate, async (_req, res) => res.json({ sources: Object.keys(sources(env)), analytics: !!(await getParser()) }));
+  app.get(base + "/api/tail", gate, (req, res) => {
+    const file = sources(env)[req.query.source];
+    if (!file) return res.status(400).json({ ok: false, error: "unknown source" });
+    res.json({ ok: true, lines: tail(file, Math.min(2000, Number(req.query.lines) || 300)) });
+  });
+  app.get(base + "/api/analytics", gate, async (req, res) => {
+    const parseLine = await getParser();
+    if (!parseLine) return res.json({ ok: false, error: "install mir-sentinel for analytics" });
+    const file = sources(env)[req.query.source];
+    if (!file) return res.status(400).json({ ok: false, error: "unknown source" });
+    res.json({ ok: true, ...rollup(tail(file, 5000).map((l) => parseLine(l))) });
+  });
+
+  log(`logs viewer at ${base} — analytics: ${parserCache ? "on" : "install mir-sentinel"}; allowlist: ${allow.size ? [...allow].join(", ") : "(any signed-in user — set ADMIN_EMAILS!)"}`);
+}

package/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "volt-addon-logs",
+  "version": "0.1.0",
+  "description": "A gated log viewer for Volt: tail pm2 stdout/stderr, and (with mir-sentinel) parse Apache/nginx access logs into analytics. Behind a secret ADMIN_PATH + magic-link auth + an allowlist.",
+  "type": "module",
+  "main": "index.js",
+  "keywords": ["volt", "volt-addon", "logs", "pm2", "log-viewer", "mir-sentinel"],
+  "files": ["index.js", "public"],
+  "optionalDependencies": {
+    "mir-sentinel": "^1.0.0"
+  },
+  "license": "MIT"
+}

package/public/logs.js

@@ -0,0 +1,43 @@
+// logs.js — the log viewer client (raw tail + mir-sentinel analytics).
+const base = window.__LOGS_BASE || "";
+const $ = (s) => document.querySelector(s);
+const esc = (s) => String(s).replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" })[c]);
+let timer = null;
+
+async function loadSources() {
+  const { sources = [] } = await (await fetch(base + "/api/sources")).json();
+  $("#src").innerHTML = sources.map((s) => `<option value="${esc(s)}">${esc(s)}</option>`).join("") || `<option>(no logs found)</option>`;
+}
+
+async function render() {
+  const src = $("#src").value;
+  if (!src) return;
+  if ($("#view").value === "analytics") {
+    const a = await (await fetch(`${base}/api/analytics?source=${encodeURIComponent(src)}`)).json();
+    if (!a.ok) {
+      $("#out").innerHTML = `<div class="text-muted small">${esc(a.error || "no analytics")}</div>`;
+      return;
+    }
+    const tbl = (title, rows) => `<h6 class="mt-3">${title}</h6><table class="table table-dark table-sm mb-0"><tbody>${(rows || []).map(([k, v]) => `<tr><td>${esc(String(k))}</td><td class="text-end">${v}</td></tr>`).join("")}</tbody></table>`;
+    $("#out").innerHTML = `<div class="small text-muted mb-2">${a.total} lines · ${a.bots} bot · ${a.attacks} attack</div>` + tbl("Top paths", a.paths) + tbl("Status codes", a.statuses) + tbl("Top IPs", a.ips);
+  } else {
+    const { lines = [] } = await (await fetch(`${base}/api/tail?source=${encodeURIComponent(src)}&lines=400`)).json();
+    const filter = $("#filter").value.toLowerCase();
+    const shown = filter ? lines.filter((l) => l.toLowerCase().includes(filter)) : lines;
+    const pre = document.createElement("pre");
+    pre.textContent = shown.join("\n") || "(empty)";
+    $("#out").innerHTML = "";
+    $("#out").appendChild(pre);
+    pre.scrollTop = pre.scrollHeight;
+  }
+}
+
+$("#refresh").onclick = render;
+$("#src").onchange = render;
+$("#view").onchange = render;
+$("#filter").oninput = render;
+$("#follow").onchange = (e) => {
+  clearInterval(timer);
+  if (e.target.checked) timer = setInterval(render, 3000);
+};
+loadSources().then(render);