whale-code 6.4.0 → 6.5.0

package/dist/server/local-agent-gateway.js

@@ -13,6 +13,7 @@
 import { WebSocketServer, WebSocket } from "ws";
 import { randomUUID, createHash } from "node:crypto";
 import { createClient } from "@supabase/supabase-js";
+import { queueSpan, auditRowToSpan } from "./lib/clickhouse-buffer.js";
 // ============================================================================
 // CONNECTION POOL
 // ============================================================================
@@ -20,7 +21,12 @@ import { createClient } from "@supabase/supabase-js";
 const agentPool = new Map();
 /** Map<requestId, pending request> */
 const pendingRequests = new Map();
-const MAX_AGENTS_PER_STORE = 5;
+/** Map<sessionId, RemoteDesktopSession> — active remote desktop relay sessions */
+const rdSessions = new Map();
+/** Map<sessionId, PortalRelaySession> — active portal sessions */
+const portalSessions = new Map();
+const PORTAL_MARKER = 0x01;
+const MAX_AGENTS_PER_STORE = 25;
 const HEARTBEAT_INTERVAL_MS = 30_000;
 const PONG_TIMEOUT_MS = 45_000;
 const MAX_OUTPUT_CHARS = 500 * 1024; // 500KB safety cap — context_management handles limits
@@ -72,6 +78,7 @@ export function initLocalAgentGateway(server) {
 function handleConnection(ws, _req) {
     let authenticated = false;
     let agent = null;
+    let viewerSession = null;
     // Auth timeout — must authenticate within 10 seconds
     const authTimer = setTimeout(() => {
         if (!authenticated) {
@@ -80,6 +87,45 @@ function handleConnection(ws, _req) {
         }
     }, 10_000);
     ws.on("message", async (raw) => {
+        // Handle binary messages — forward to paired viewer/agent in RD/portal sessions
+        if (typeof raw !== "string" && !isJsonString(raw)) {
+            const buf = Buffer.isBuffer(raw) ? raw : Buffer.from(raw);
+            // Portal binary frames (marker 0x01) — route by session UUID
+            if (buf.length > 17 && buf[0] === PORTAL_MARKER) {
+                const sessionUuid = buf.subarray(1, 17).toString("hex");
+                const sessionId = `${sessionUuid.slice(0, 8)}-${sessionUuid.slice(8, 12)}-${sessionUuid.slice(12, 16)}-${sessionUuid.slice(16, 20)}-${sessionUuid.slice(20)}`;
+                const portalSession = portalSessions.get(sessionId);
+                if (portalSession && agent) {
+                    // Forward to the other side
+                    const targetAgentId = agent.agentId === portalSession.initiatorAgentId
+                        ? portalSession.targetAgentId
+                        : portalSession.initiatorAgentId;
+                    const target = pickAgentById(targetAgentId);
+                    if (target?.ws.readyState === WebSocket.OPEN) {
+                        target.ws.send(buf);
+                        portalSession.bytesRelayed += buf.length;
+                    }
+                }
+                return;
+            }
+            // Remote desktop binary frames (no marker or 0x00) — existing behavior
+            if (agent) {
+                for (const [, session] of rdSessions) {
+                    if (session.agentId === agent.agentId && session.viewerWs.readyState === WebSocket.OPEN) {
+                        session.viewerWs.send(buf);
+                        session.framesRelayed++;
+                        session.bytesRelayed += buf.length;
+                    }
+                }
+            }
+            if (viewerSession) {
+                const target = pickAgentById(viewerSession.agentId);
+                if (target?.ws.readyState === WebSocket.OPEN) {
+                    target.ws.send(buf);
+                }
+            }
+            return;
+        }
         let msg;
         try {
             msg = JSON.parse(raw.toString());
@@ -88,6 +134,54 @@ function handleConnection(ws, _req) {
             send(ws, { type: "error", error: "Invalid JSON" });
             return;
         }
+        // Handle viewer auth (remote desktop relay)
+        if (msg.type === "auth" && msg.role === "viewer") {
+            clearTimeout(authTimer);
+            const viewerAuth = msg;
+            const authResult = await authenticateViewer(viewerAuth);
+            if (!authResult) {
+                send(ws, { type: "error", error: "Invalid token or unauthorized" });
+                ws.close(4003, "Authentication failed");
+                return;
+            }
+            authenticated = true;
+            // Find target agent with remote_desktop capability
+            const targetAgent = pickAgent(authResult.storeId, undefined, viewerAuth.target_node_id);
+            if (!targetAgent || !targetAgent.capabilities.includes("remote_desktop")) {
+                send(ws, { type: "remote_desktop_response", success: false, error: "No remote desktop capable node online" });
+                ws.close(4004, "No target node");
+                return;
+            }
+            // Create relay session
+            const sessionId = randomUUID();
+            viewerSession = {
+                sessionId,
+                viewerWs: ws,
+                agentId: targetAgent.agentId,
+                storeId: authResult.storeId,
+                userId: authResult.userId,
+                startedAt: new Date(),
+                framesRelayed: 0,
+                bytesRelayed: 0,
+            };
+            rdSessions.set(sessionId, viewerSession);
+            // Tell the agent to start a remote desktop session
+            send(targetAgent.ws, {
+                type: "remote_desktop",
+                request_id: randomUUID(),
+                type_inner: "remote_desktop_request",
+                session_id: sessionId,
+                viewer_user_id: authResult.userId,
+            });
+            send(ws, {
+                type: "remote_desktop_response",
+                success: true,
+                session_id: sessionId,
+                agent_hostname: targetAgent.hostname,
+            });
+            console.log(`[remote-desktop] Relay session ${sessionId}: viewer=${authResult.userId} → agent=${targetAgent.agentId}`);
+            return;
+        }
         // Handle auth
         if (msg.type === "auth") {
             clearTimeout(authTimer);
@@ -101,6 +195,7 @@ function handleConnection(ws, _req) {
                 ws,
                 storeId: authResult.storeId.toLowerCase(),
                 userId: authResult.userId,
+                nodeId: authResult.nodeId,
                 capabilities: msg.capabilities || [],
                 connectedAt: new Date(),
                 lastPong: Date.now(),
@@ -125,25 +220,34 @@ function handleConnection(ws, _req) {
                 message: `Connected to SwagManager. ${agent.capabilities.length} local tools registered.`,
             });
             console.log(`[local-agent] Agent connected: store=${agent.storeId} platform=${agent.platform} hostname=${agent.hostname} tools=${agent.capabilities.length}`);
-            // Audit log
-            if (supabaseClient) {
-                supabaseClient.from("audit_logs").insert({
-                    action: "local_agent.connected",
-                    severity: "info",
-                    store_id: agent.storeId,
-                    resource_type: "local_agent",
-                    resource_id: agent.agentId,
-                    source: "local_agent",
-                    details: {
-                        platform: agent.platform,
-                        hostname: agent.hostname,
-                        capabilities: agent.capabilities,
-                    },
-                    user_id: agent.userId,
-                }).then(({ error }) => {
-                    if (error)
-                        console.error("[local-agent] audit insert failed:", error.message);
-                });
+            // Telemetry → ClickHouse
+            queueSpan(auditRowToSpan({
+                action: "local_agent.connected",
+                severity: "info",
+                store_id: agent.storeId,
+                resource_type: "local_agent",
+                resource_id: agent.agentId,
+                source: "local_agent",
+                service_name: "agent-server",
+                span_kind: "INTERNAL",
+                status_code: "OK",
+                start_time: new Date().toISOString(),
+                end_time: new Date().toISOString(),
+                details: {
+                    platform: agent.platform,
+                    hostname: agent.hostname,
+                    capabilities: agent.capabilities,
+                },
+                user_id: agent.userId,
+            }));
+            return;
+        }
+        // Handle viewer input forwarding (after auth)
+        if (authenticated && viewerSession && !agent) {
+            // Forward input events from viewer to the target agent
+            const target = pickAgentById(viewerSession.agentId);
+            if (target?.ws.readyState === WebSocket.OPEN) {
+                send(target.ws, { type: "remote_desktop", ...msg });
             }
             return;
         }
@@ -156,6 +260,72 @@ function handleConnection(ws, _req) {
             agent.lastPong = Date.now();
             return;
         }
+        // Handle portal messages
+        if (msg.type === "portal_request" && agent) {
+            // Initiator wants to connect to a target node
+            const targetAgent = pickAgent(agent.storeId, undefined, msg.target_node_id);
+            if (!targetAgent) {
+                send(ws, { type: "portal_reject", session_id: msg.session_id, reason: "Target node not online" });
+                return;
+            }
+            // Forward request to target agent
+            send(targetAgent.ws, {
+                type: "portal_request",
+                session_id: msg.session_id,
+                capabilities: msg.capabilities,
+                requester_node_id: agent.nodeId,
+                requester_hostname: agent.hostname,
+                requester_role: msg.requester_role || "admin",
+            });
+            // Pre-register session so binary routing works once accepted
+            portalSessions.set(msg.session_id, {
+                sessionId: msg.session_id,
+                initiatorAgentId: agent.agentId,
+                targetAgentId: targetAgent.agentId,
+                storeId: agent.storeId,
+                capabilities: msg.capabilities || [],
+                startedAt: new Date(),
+                bytesRelayed: 0,
+            });
+            console.log(`[portal] Session ${msg.session_id}: ${agent.hostname} → ${targetAgent.hostname}`);
+            return;
+        }
+        if (msg.type === "portal_accept" && agent) {
+            const session = portalSessions.get(msg.session_id);
+            if (session) {
+                const initiator = pickAgentById(session.initiatorAgentId);
+                if (initiator) {
+                    send(initiator.ws, { type: "portal_accept", session_id: msg.session_id, hostname: agent.hostname });
+                }
+            }
+            return;
+        }
+        if (msg.type === "portal_reject" && agent) {
+            const session = portalSessions.get(msg.session_id);
+            if (session) {
+                const initiator = pickAgentById(session.initiatorAgentId);
+                if (initiator) {
+                    send(initiator.ws, { type: "portal_reject", session_id: msg.session_id, reason: msg.reason });
+                }
+                portalSessions.delete(msg.session_id);
+            }
+            return;
+        }
+        if (msg.type === "portal_close" && agent) {
+            const session = portalSessions.get(msg.session_id);
+            if (session) {
+                // Notify the other side
+                const otherAgentId = agent.agentId === session.initiatorAgentId
+                    ? session.targetAgentId : session.initiatorAgentId;
+                const other = pickAgentById(otherAgentId);
+                if (other) {
+                    send(other.ws, { type: "portal_close", session_id: msg.session_id });
+                }
+                portalSessions.delete(msg.session_id);
+                console.log(`[portal] Session ${msg.session_id} closed (${session.bytesRelayed} bytes relayed)`);
+            }
+            return;
+        }
         // Handle tool discovery response
         if (msg.type === "tools") {
             agent.capabilities = msg.tools;
@@ -196,7 +366,36 @@ function handleConnection(ws, _req) {
                     agentPool.delete(agent.storeId);
             }
             console.log(`[local-agent] Agent disconnected: ${agent.agentId} (store=${agent.storeId})`);
-            // Pending requests for this agent will be cleaned up by their timeouts
+            // Immediately fail all pending requests for this agent
+            failPendingRequestsForAgent(agent.agentId, `Agent disconnected (${agent.hostname})`);
+            // End any portal sessions through this agent
+            for (const [sessionId, session] of portalSessions) {
+                if (session.initiatorAgentId === agent.agentId || session.targetAgentId === agent.agentId) {
+                    const otherAgentId = agent.agentId === session.initiatorAgentId
+                        ? session.targetAgentId : session.initiatorAgentId;
+                    const other = pickAgentById(otherAgentId);
+                    if (other) {
+                        send(other.ws, { type: "portal_close", session_id: sessionId });
+                    }
+                    portalSessions.delete(sessionId);
+                    console.log(`[portal] Session ${sessionId} ended (agent disconnected)`);
+                }
+            }
+            // End any remote desktop sessions through this agent
+            for (const [sessionId, session] of rdSessions) {
+                if (session.agentId === agent.agentId) {
+                    send(session.viewerWs, { type: "session_end", reason: "agent_disconnected" });
+                    session.viewerWs.close(1001, "Agent disconnected");
+                    rdSessions.delete(sessionId);
+                    console.log(`[remote-desktop] Session ${sessionId} ended (agent disconnected)`);
+                }
+            }
+        }
+        // Clean up viewer sessions
+        if (viewerSession) {
+            rdSessions.delete(viewerSession.sessionId);
+            console.log(`[remote-desktop] Session ${viewerSession.sessionId} ended (viewer disconnected)`);
+            viewerSession = null;
         }
     });
     ws.on("error", (err) => {
@@ -210,21 +409,62 @@ async function authenticateAgent(msg) {
     if (!supabaseClient || !msg.api_key)
         return null;
     const keyHash = createHash("sha256").update(msg.api_key).digest("hex");
-    // Look up API key by hash in api_keys table
+    // 1. Try api_keys table first (standard API keys)
     const { data, error } = await supabaseClient
         .from("api_keys")
         .select("id, store_id, owner_user_id")
         .eq("key_hash", keyHash)
         .eq("is_active", true)
         .single();
-    if (error || !data)
+    if (data && !error) {
+        // Update last_used_at
+        supabaseClient.from("api_keys")
+            .update({ last_used_at: new Date().toISOString() })
+            .eq("id", data.id)
+            .then(() => { });
+        return { storeId: data.store_id, userId: data.owner_user_id || null, nodeId: null };
+    }
+    // 2. Fall back to nodes table (node daemon API keys)
+    const { data: nodeData, error: nodeErr } = await supabaseClient
+        .from("nodes")
+        .select("id, store_id")
+        .eq("api_key_hash", keyHash)
+        .single();
+    if (nodeData && !nodeErr) {
+        // Update node last_heartbeat on gateway connect
+        supabaseClient.from("nodes")
+            .update({ status: "online", last_heartbeat: new Date().toISOString() })
+            .eq("id", nodeData.id)
+            .then(() => { });
+        return { storeId: nodeData.store_id, userId: null, nodeId: nodeData.id };
+    }
+    return null;
+}
+/**
+ * Authenticate a viewer connection using Supabase JWT.
+ */
+async function authenticateViewer(msg) {
+    if (!supabaseClient || !msg.token)
         return null;
-    // Update last_used_at
-    supabaseClient.from("api_keys")
-        .update({ last_used_at: new Date().toISOString() })
-        .eq("id", data.id)
-        .then(() => { });
-    return { storeId: data.store_id, userId: data.owner_user_id || null };
+    try {
+        // Verify JWT with Supabase auth
+        const { data: { user }, error } = await supabaseClient.auth.getUser(msg.token);
+        if (error || !user)
+            return null;
+        // Verify user has access to the requested store
+        const { data: storeAccess } = await supabaseClient
+            .from("store_users")
+            .select("store_id")
+            .eq("user_id", user.id)
+            .eq("store_id", msg.store_id)
+            .single();
+        if (!storeAccess)
+            return null;
+        return { storeId: msg.store_id, userId: user.id };
+    }
+    catch {
+        return null;
+    }
 }
 // ============================================================================
 // PUBLIC API — used by local-agent handler
@@ -250,6 +490,7 @@ export function getAgentInfo(storeId) {
         capabilities: a.capabilities,
         connected_at: a.connectedAt.toISOString(),
         uptime_seconds: Math.floor((Date.now() - a.connectedAt.getTime()) / 1000),
+        node_id: a.nodeId,
     }));
 }
 /**
@@ -265,6 +506,16 @@ export async function executeOnLocalAgent(storeId, command, options = {}) {
     }
     const requestId = randomUUID();
     const timeout = Math.min(options.timeout || 30000, 600000);
+    const msg = {
+        type: "exec",
+        request_id: requestId,
+        command,
+        session_id: options.session_id,
+        timeout,
+    };
+    const sent = send(agent.ws, msg);
+    if (!sent)
+        return { success: false, error: "Agent connection closed" };
     return new Promise((resolve, reject) => {
         const timer = setTimeout(() => {
             pendingRequests.delete(requestId);
@@ -273,15 +524,7 @@ export async function executeOnLocalAgent(storeId, command, options = {}) {
                 error: `Local agent command timed out after ${timeout}ms`,
             });
         }, timeout + 5000); // 5s buffer over command timeout
-        pendingRequests.set(requestId, { resolve, reject, timer });
-        const msg = {
-            type: "exec",
-            request_id: requestId,
-            command,
-            session_id: options.session_id,
-            timeout,
-        };
-        send(agent.ws, msg);
+        pendingRequests.set(requestId, { resolve, reject, timer, agentId: agent.agentId });
     });
 }
 /**
@@ -304,6 +547,16 @@ export async function executeToolOnLocalAgent(storeId, tool, args, options = {})
     }
     const requestId = randomUUID();
     const timeout = Math.min(options.timeout || 30000, 600000);
+    const msg = {
+        type: "tool_exec",
+        request_id: requestId,
+        tool,
+        args,
+        timeout,
+    };
+    const sent = send(agent.ws, msg);
+    if (!sent)
+        return { success: false, error: "Agent connection closed" };
     return new Promise((resolve, reject) => {
         const timer = setTimeout(() => {
             pendingRequests.delete(requestId);
@@ -312,15 +565,7 @@ export async function executeToolOnLocalAgent(storeId, tool, args, options = {})
                 error: `Local tool "${tool}" timed out after ${timeout}ms`,
             });
         }, timeout + 5000);
-        pendingRequests.set(requestId, { resolve, reject, timer });
-        const msg = {
-            type: "tool_exec",
-            request_id: requestId,
-            tool,
-            args,
-            timeout,
-        };
-        send(agent.ws, msg);
+        pendingRequests.set(requestId, { resolve, reject, timer, agentId: agent.agentId });
     });
 }
 /**
@@ -335,6 +580,9 @@ export async function discoverLocalTools(storeId) {
         };
     }
     const requestId = randomUUID();
+    const sent = send(agent.ws, { type: "discover", request_id: requestId });
+    if (!sent)
+        return { success: false, error: "Agent connection closed" };
     return new Promise((resolve) => {
         const timer = setTimeout(() => {
             pendingRequests.delete(requestId);
@@ -344,8 +592,8 @@ export async function discoverLocalTools(storeId) {
             resolve,
             reject: () => resolve({ success: false, error: "Discovery failed" }),
             timer,
+            agentId: agent.agentId,
         });
-        send(agent.ws, { type: "discover", request_id: requestId });
     });
 }
 /**
@@ -368,10 +616,38 @@ export function getGatewayStats() {
         agents_by_store: agentsByStore,
     };
 }
+/**
+ * Get active remote desktop sessions.
+ */
+export function getRemoteDesktopSessions() {
+    return Array.from(rdSessions.values()).map(s => ({
+        session_id: s.sessionId,
+        store_id: s.storeId,
+        user_id: s.userId,
+        agent_id: s.agentId,
+        started_at: s.startedAt.toISOString(),
+        frames_relayed: s.framesRelayed,
+        bytes_relayed: s.bytesRelayed,
+    }));
+}
+/**
+ * Get active portal sessions.
+ */
+export function getPortalSessions() {
+    return Array.from(portalSessions.values()).map(s => ({
+        session_id: s.sessionId,
+        store_id: s.storeId,
+        initiator_agent_id: s.initiatorAgentId,
+        target_agent_id: s.targetAgentId,
+        capabilities: s.capabilities,
+        started_at: s.startedAt.toISOString(),
+        bytes_relayed: s.bytesRelayed,
+    }));
+}
 // ============================================================================
 // INTERNALS
 // ============================================================================
-function pickAgent(storeId, agentId) {
+function pickAgent(storeId, agentId, nodeId) {
     const agents = agentPool.get(storeId.toLowerCase());
     if (!agents?.length)
         return null;
@@ -383,12 +659,44 @@ function pickAgent(storeId, agentId) {
     if (agentId) {
         return open.find(a => a.agentId === agentId) || null;
     }
+    // Target specific node if requested
+    if (nodeId) {
+        return open.find(a => a.nodeId === nodeId) || null;
+    }
     // Pick agent with most recent pong (most responsive)
     return open.reduce((best, a) => a.lastPong > best.lastPong ? a : best);
 }
+function pickAgentById(agentId) {
+    for (const [, agents] of agentPool) {
+        const found = agents.find(a => a.agentId === agentId && a.ws.readyState === WebSocket.OPEN);
+        if (found)
+            return found;
+    }
+    return null;
+}
+function isJsonString(data) {
+    if (typeof data === "string")
+        return true;
+    if (Buffer.isBuffer(data)) {
+        // Quick check: JSON starts with { or [
+        return data.length > 0 && (data[0] === 0x7b || data[0] === 0x5b);
+    }
+    return false;
+}
 function send(ws, data) {
     if (ws.readyState === WebSocket.OPEN) {
         ws.send(JSON.stringify(data));
+        return true;
+    }
+    return false;
+}
+function failPendingRequestsForAgent(agentId, reason) {
+    for (const [requestId, pending] of pendingRequests) {
+        if (pending.agentId === agentId) {
+            clearTimeout(pending.timer);
+            pendingRequests.delete(requestId);
+            pending.resolve({ success: false, error: reason });
+        }
     }
 }
 function truncate(text) {
@@ -396,6 +704,38 @@ function truncate(text) {
         return text;
     return text.substring(0, MAX_OUTPUT_CHARS) + `\n...[truncated, ${text.length} total chars]`;
 }
+/**
+ * Execute a cluster command on the connected whale-node.
+ * Sends via WebSocket and waits for the result.
+ */
+export async function executeClusterCommand(storeId, args, options = {}) {
+    const agent = pickAgent(storeId, options.agent_id, options.node_id);
+    if (!agent) {
+        return {
+            success: false,
+            error: "No local agent connected for cluster commands.",
+        };
+    }
+    const requestId = randomUUID();
+    const timeout = Math.min(options.timeout || 60000, 600000);
+    const sent = send(agent.ws, {
+        type: "cluster_command",
+        request_id: requestId,
+        args,
+    });
+    if (!sent)
+        return { success: false, error: "Agent connection closed" };
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+            pendingRequests.delete(requestId);
+            resolve({
+                success: false,
+                error: `Cluster command timed out after ${timeout}ms`,
+            });
+        }, timeout + 5000);
+        pendingRequests.set(requestId, { resolve, reject, timer, agentId: agent.agentId });
+    });
+}
 // ============================================================================
 // SHUTDOWN
 // ============================================================================

package/dist/server/providers/anthropic.js

@@ -67,8 +67,18 @@ export class AnthropicAdapter {
         }
         if (effectiveBetas.length)
             apiParams.betas = effectiveBetas;
-        if (context_management?.edits?.length)
-            apiParams.context_management = context_management;
+        // Safety: strip clear_thinking_20251015 edits when thinking is not enabled.
+        // Anthropic returns 400 if this strategy is present without thinking=enabled/adaptive.
+        let safeContextMgmt = context_management;
+        if (safeContextMgmt?.edits?.length && !thinking) {
+            const filtered = safeContextMgmt.edits.filter((e) => e.type !== "clear_thinking_20251015");
+            if (filtered.length !== safeContextMgmt.edits.length) {
+                console.log(`[proxy] Stripped ${safeContextMgmt.edits.length - filtered.length} clear_thinking edit(s) — thinking not enabled`);
+                safeContextMgmt = { ...safeContextMgmt, edits: filtered };
+            }
+        }
+        if (safeContextMgmt?.edits?.length)
+            apiParams.context_management = safeContextMgmt;
         if (thinking)
             apiParams.thinking = thinking;
         // Map tool_choice to Anthropic format

package/dist/server/providers/gemini.js

@@ -34,7 +34,7 @@ const MODEL_MAX_OUTPUT_TOKENS = {
 // ============================================================================
 /** Convert Anthropic messages to Gemini Content format */
 function anthropicToGeminiMessages(messages) {
-    const contents = [];
+    const raw = [];
     // Track tool_use_id → name for tool_result conversion
     const toolIdMap = new Map();
     for (const msg of messages) {
@@ -86,7 +86,22 @@ function anthropicToGeminiMessages(messages) {
             }
         }
         if (parts.length > 0) {
-            contents.push({ role, parts });
+            raw.push({ role, parts });
+        }
+    }
+    // Gemini requires strictly alternating user/model turns.
+    // After context compaction or multi-step tool use, consecutive same-role turns
+    // can appear — Gemini rejects these with INVALID_ARGUMENT.
+    // Fix: merge consecutive same-role turns by concatenating their parts.
+    const contents = [];
+    for (const turn of raw) {
+        const prev = contents[contents.length - 1];
+        if (prev && prev.role === turn.role) {
+            // Merge into the previous turn
+            prev.parts = [...(prev.parts || []), ...(turn.parts || [])];
+        }
+        else {
+            contents.push({ role: turn.role, parts: turn.parts });
         }
     }
     return contents;